If you’re planning to take the SY0-401 or the SY0-501 Security+ exam, you should have a basic understanding of how to analyze and interpret output from security technologies such as IDSs and IPSs.
For example, can you answer this question?
Q. A HIDS reported a vulnerability on a system based on a known attack. After researching the alert from the HIDS, you identify the recommended solution and begin applying it. What type of HIDS is in use?
A. Network-based
B. Signature-based
C. Heuristic-based
D. Anomaly-based
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Comparing IDSs and IPSs
Intrusion detection systems (IDSs) monitor a network and send alerts when they detect suspicious events on a system or network. Intrusion prevention systems (IPSs) react to attacks in progress and prevent them from reaching systems and networks.
As an introduction, administrators use protocol analyzers, or sniffers, to capture and analyze network traffic sent between hosts. IDSs and IPSs have the same capability. They capture the traffic and analyze it to detect potential attacks or anomalies.
Both IDSs and IPSs can detect attacks using similar detection methods. The biggest difference is in how they respond to an attack. It’s worth remembering that IDSs and IPSs can implement the same monitoring and detection methods.
HIDS
A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or server. It provides protection to the individual host and can detect potential attacks and protect critical operating system files. The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC).
Many host-based IDSs have expanded to monitor application activity on the system. As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.
It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional antivirus software might miss. Because of this, many organizations install a HIDS on every workstation as an extra layer of protection in addition to traditional antivirus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is primarily used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files.
In other organizations, administrators only install a HIDS when there’s a perceived need. For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.
NIDS
A network-based intrusion detection system (NIDS) monitors activity on the network. An administrator installs NIDS sensors or collectors on network devices such as routers and firewalls. These sensors gather information and report to a central monitoring server hosting a NIDS console.
A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic. Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext (nonencrypted traffic).
NIDS sensors
The figure shows an example of a NIDS configuration. In the figure, sensors are located before the firewall, after the firewall, and on routers. These sensors collect and monitor network traffic on subnets within the network and report to the NIDS console. The NIDS provides overall monitoring and analysis and can detect attacks on the network.
Figure: NIDS sensors
The figure also shows a tap or port mirror on the internal switch. Most switches support port mirroring, allowing administrators to configure the switch to send a copy of all traffic received by the switch to a single port. After configuring a port mirror, you can use it as a tap to send all switch data to a sensor or collector, which forwards it to the NIDS. Similarly, it’s possible to configure taps on routers to capture all traffic sent through the router and send it to the IDS.
Detection Methods
An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target. An attack is any attempt to compromise confidentiality, integrity, or availability.
The two primary methods of detection are signature-based and heuristic-based or behavioral-based (also called anomaly-based). Signature-based detection matches traffic against known attack patterns; anomaly-based detection compares current activity against a baseline of normal activity. Any type of IDS can detect attacks based on signatures, anomalies, or both. The HIDS monitors the network traffic reaching its NIC and the NIDS monitors the traffic on the network.
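The following is an added example, not code from the study guide: a toy Python checker that shows the two detection methods side by side. The signatures, request lines, and per-minute request counts are all constructed for illustration, not captured from a real network.

```python
import re
import statistics

# Signature-based detection: known attack patterns expressed as regular
# expressions. Both signatures are constructed for this example.
SIGNATURES = {
    "directory traversal": re.compile(r"(\.\./){2,}"),
    "shell metacharacter in query": re.compile(r"[?&][^=]+=[^&]*[;|`]"),
}

def signature_matches(request_line):
    """Return the names of known-attack signatures that match one request line."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(request_line)]

# Anomaly-based detection: learn a baseline of requests per minute from normal
# traffic, then flag minutes that exceed it by more than k standard deviations.
def build_baseline(counts_per_minute):
    return statistics.fmean(counts_per_minute), statistics.pstdev(counts_per_minute)

def is_anomalous(count, baseline, k=3.0):
    mean, stdev = baseline
    return count > mean + k * stdev

# Constructed sample data: a normal week of per-minute counts and a few requests
# as a HIDS would see them arriving at the host's NIC.
BASELINE_MINUTES = [40, 42, 38, 45, 41, 39, 44, 40]
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET /search?q=report;id HTTP/1.1",
]
OBSERVED_MINUTES = [41, 43, 50, 300]

def run_demo():
    """Apply both methods; returns (signature hits per request, anomalous counts)."""
    baseline = build_baseline(BASELINE_MINUTES)
    sig_hits = {r: signature_matches(r) for r in REQUESTS}
    anomalies = [c for c in OBSERVED_MINUTES if is_anomalous(c, baseline)]
    return sig_hits, anomalies

if __name__ == "__main__":
    hits, anomalies = run_demo()
    for request, names in hits.items():
        print(f"{request!r}: {names or 'no signature match'}")
    print("anomalous minutes:", anomalies)
```

Note that the signature method can only name attacks it already has a pattern for, while the anomaly method flags the 50- and 300-request minutes without knowing what caused them.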
Q. A HIDS reported a vulnerability on a system based on a known attack. After researching the alert from the HIDS, you identify the recommended solution and begin applying it. What type of HIDS is in use?
A. Network-based
B. Signature-based
C. Heuristic-based
D. Anomaly-based
Answer is B. If the host-based intrusion detection system (HIDS) identified a known issue, it is using signature-based detection.
A HIDS is not network-based.
Heuristic-based or anomaly-based (sometimes called behavioral-based) detection systems identify issues by comparing current activity against a baseline. They can identify issues that are not previously known.
See Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide or Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on securing a network.