If you’re planning to take the SY0-601 version of the Security+ exam, you should understand how to implement secure network designs. This includes using advanced security devices to secure networks.
For example, can you answer this practice test question?
Q. Lenny noticed a significant number of logon failures for administrator accounts on the organization’s public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?
A. Implement a passive NIDS.
B. Block all traffic from foreign countries.
C. Implement an inline NIPS.
D. Disable the administrator accounts.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
IPS Versus IDS—Inline Versus Passive
Intrusion prevention systems (IPSs) are an extension of IDSs. Just as you can have both a HIDS and a NIDS, you can also have a HIPS and a NIPS, but a network-based IPS (NIPS) is more common. The primary distinctions between an IPS and an IDS are:
- An IPS can detect, react to, and prevent attacks.
- In contrast, an IDS monitors and will respond after detecting an attack, but it doesn’t prevent attacks.
- An IPS is inline with the traffic. In other words, all traffic passes through the IPS, and the IPS can block malicious traffic.
- In contrast, an IDS is out-of-band. It monitors the network traffic, but the traffic doesn’t go through the IDS.
- Because an IPS is inline with the traffic, it is sometimes referred to as active. In contrast, an IDS is referred to as passive because it is not inline with the traffic. Instead, it is out-of-band with the network traffic.
Most IDSs will only respond by raising alerts. For example, an IDS will log the attack and send a notification. The notification can come in many forms, including an email to a group of administrators, a text message, a pop-up window, or a notification on a central monitor.
Some IDSs have additional capabilities allowing them to change the environment in addition to sending a notification. For example, an IDS might be able to modify access control lists (ACLs) on firewalls to block offending traffic, close processes on a system that were caused by the attack, or divert the attack to a safe environment, such as a honeypot or honeynet.
Both IDSs and IPSs have protocol analyzer capabilities. This allows them to monitor data streams looking for malicious behavior. An IPS can inspect packets within these data streams and block malicious packets before they enter the network.
In contrast, a NIDS has sensors or data collectors that monitor and report the traffic. An active NIDS can take steps to block an attack, but only after the attack has started. The inline configuration of the IPS allows an IPS to prevent attacks from reaching the internal network. As an example, the figure shows the location of two network-based IPSs (NIPS 1 and NIPS 2). All Internet traffic flows through NIPS 1, giving it an opportunity to inspect incoming traffic. NIPS 1 protects the internal network by detecting malicious traffic and preventing attacks from reaching the internal network.
Figure: NIPS used to detect and prevent attacks
NIPS 2 is protecting an internal private network. As an example, imagine that Homer needs to manage some equipment within a supervisory control and data acquisition (SCADA) network in the nuclear power plant. The SCADA equipment is in the private network. The firewall next to NIPS 2 can have rules that allow traffic from Homer’s computer into the network, but block all other traffic. NIPS 2 will then inspect all the incoming traffic and block malicious traffic.
This might seem like overkill, but many advanced persistent threats (APTs) have successfully installed remote access Trojans (RATs) onto internal systems through phishing or malware attacks. Once the RAT is installed, attackers can now attack from within. If an attacker began launching attacks on the private network from Homer’s system, the firewall wouldn’t block it. However, the NIPS will prevent this attack from reaching the private network. Notice that each IPS is placed on the edge of the protected network. NIPS 1 is placed on the edge of the network between the Internet and the screened subnet. NIPS 2 is on the edge of the SCADA network between it and the intranet. This placement ensures that the NIPS can inspect all traffic going into the network.
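To make the inline-versus-passive distinction concrete, here is an added Python simulation (not code from the study guide or this post) of the scenario in the practice question: repeated failed administrator logons against a public website from one source address. The same detection rule runs in an inline sensor and in a passive one. Only the inline sensor can drop later packets from the offending source before the web server ever sees them; the passive sensor sees a copy of the traffic and can only raise an alert and flag the source (for example, for a firewall ACL change that takes effect after the fact). The IP addresses and events are constructed sample data, and the threshold of three failures is an assumed policy.

```python
"""Simulated inline NIPS vs. passive NIDS over constructed web-server logon events."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: (source_ip, username, outcome). Not real traffic.
# 203.0.113.10 plays the attacking host; 198.51.100.7 is a legitimate user.
ATTACKER = "203.0.113.10"
EVENTS = [
    (ATTACKER, "administrator", "FAIL"),
    (ATTACKER, "administrator", "FAIL"),
    (ATTACKER, "administrator", "FAIL"),     # third failure: threshold reached
    (ATTACKER, "administrator", "FAIL"),
    (ATTACKER, "administrator", "SUCCESS"),  # the logon we want to keep off the server
    ("198.51.100.7", "homer", "SUCCESS"),     # unrelated legitimate traffic
    (ATTACKER, "administrator", "FAIL"),
]

# Assumed policy: three failed administrator logons from one source = brute force.
FAIL_THRESHOLD = 3


@dataclass
class Sensor:
    """One detection rule; `inline` decides whether it can drop traffic."""
    inline: bool
    failures: dict = field(default_factory=lambda: defaultdict(int))
    offenders: set = field(default_factory=set)   # sources the rule has flagged
    alerts: list = field(default_factory=list)    # notifications raised
    delivered: list = field(default_factory=list)  # events that reached the server

    def process(self, event):
        src, user, outcome = event
        # An inline device sits in the traffic path: once a source is flagged,
        # its later packets are dropped before the web server sees them.
        if self.inline and src in self.offenders:
            return "DROPPED"
        # Both sensors run the same rule. A passive sensor sees only a copy of
        # the packet, so inspection here never stops the packet itself.
        if outcome == "FAIL" and user == "administrator":
            self.failures[src] += 1
            if self.failures[src] == FAIL_THRESHOLD:
                self.alerts.append(f"brute force against administrator from {src}")
                self.offenders.add(src)
        # Out-of-band or not yet flagged: the packet continues to the server.
        self.delivered.append(event)
        return "DELIVERED"


def simulate(inline, events=EVENTS):
    """Run every event through one sensor; return the sensor and per-event verdicts."""
    sensor = Sensor(inline=inline)
    verdicts = [sensor.process(e) for e in events]
    return sensor, verdicts


def attacker_logon_reached_server(sensor):
    """True if the attacker's successful logon was delivered to the web server."""
    return any(src == ATTACKER and out == "SUCCESS"
               for src, _, out in sensor.delivered)


if __name__ == "__main__":
    for mode in (True, False):
        sensor, verdicts = simulate(inline=mode)
        label = "inline NIPS" if mode else "passive NIDS"
        print(f"{label}: verdicts={verdicts}")
        print(f"  alerts={sensor.alerts}")
        print(f"  attacker logon reached server: {attacker_logon_reached_server(sensor)}")
```

Both sensors raise the same single alert on the third failure, which is all a passive NIDS can do on its own; the difference is that the inline sensor drops the fourth failure, the eventual successful logon, and the later attempt from that source while still delivering Homer's unrelated traffic. Note that the rule blocks only the offending source, not a whole country, which is why option B in the question is the weaker choice.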
Q. Lenny noticed a significant number of logon failures for administrator accounts on the organization’s public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?
A. Implement a passive NIDS.
B. Block all traffic from foreign countries.
C. Implement an inline NIPS.
D. Disable the administrator accounts.
Answer is C. An inline network-based intrusion prevention system (NIPS) can dynamically detect, react to, and prevent attacks. An inline system is placed inline with the traffic, and in this scenario, it can be configured to detect the logon attempts and block the traffic from the offending IP addresses before it reaches the internal network.
A passive network-based intrusion detection system (NIDS) is not placed inline with the traffic and can only detect the traffic after it has reached the internal network, so it cannot prevent the attack.
If you block all traffic from foreign countries, you will likely block legitimate traffic.
You should disable administrator accounts if they’re not needed. However, if you disable all administrator accounts, administrators won’t be able to do required work.
See Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on securing networks.