Security+: technologies and tools – NIPS / NIDS [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Network Intrusion Protection Systems (NIPS) and Network Intrusion Detection Systems (NIDS) are tested on the Technologies and Tools portion of the Security+ certification exam. This article details what is covered on the Security+ certification exam regarding these important network security devices. This article should not substitute for studying but rather serve as a brief review and guide for areas that you may need to look over again.
Below is an outline of the NIPS/NIDS material covered on the exam. Each section will be covered through the lenses of both NIPS and NIDS:
- Heuristic/behavioral based
- Inline vs. passive
- In-band vs. out-of-band
Signatures refer to predetermined and preconfigured attack patterns/rules that identify attacks on web applications and their components. Both NIDS and NIPS can use signature-based detection but what follows if different for both.
NIDS operates by monitoring all traffic that comes in, and it looks for suspicious packets based upon the signatures it uses. Then, if a suspicious packet matches up to a signature, it will detect the threat. NIPS monitors and detects just like NIDS, but it will then take appropriate follow-up action to take care of the threat or mitigate it. It should be noted that zero-day attacks do not get detected because they are not made into signatures yet at that point in time.
Heuristic or Behavioral based NIPS and NIDS operate by comparing incoming traffic and packets against a pre-established baseline of normally experienced behavior for the respective organization. NIDS, being the passive system, will just detect suspicious behavior by comparing to the baseline. NIPS, which focuses on prevention, will go one step further and take some action to either stop or mitigate the potential threat.
Anomaly-based NIDS and NIPS are where a touch of artificial intelligence comes into play. What anomaly-based NIDS and NIPS do is incoming monitor traffic and asks whether the incoming traffic acts like enemy traffic.
Anomaly-based NIDS and NIPS employ heuristics to help it determine whether what comes in as traffic is a threat. This is where artificial intelligence shows its face because your NIDS or NIPS can train itself by gradually changing filters and rules about what is acceptable and if needed it will adjust itself.
The major drawback of Anomaly-based detection and prevention is that there tends to be a high number of false positives. This could translate into good traffic being detected as bad or developer activity getting blocked because it seems abnormal.
Heuristic-based detection and prevention use a database of known attack types. This database contains signatures that get dynamically changed based upon the learned behavior of your network traffic.
NIDS and NIPS that employ a Heuristic based system use algorithms to analyze incoming traffic and can spot attacks more dynamically than other types of detection and prevention systems. The downside is that that to avoid high levels of false positives the system requires more fine-tuning than the other NIDS/NIPS system types covered on the Security+ exam.
Inline vs. passive
Aside from monitoring vs. protection as explained above, this portion of NIPS/NIDS highlights another major difference between the two security systems. That is, one is Inline, and the other is passive.
NIPS is considered an inline network security solution. Inline refers to being in between the firewall and the rest of the network environment. What this does is allow NIPS to monitor incoming traffic and if it spots a signature match or anomaly, then it can take proactive action to stop or mitigate the incoming threat. This inline positioning of NIPS is what gives it the opportunity for action before the incoming traffic hits the network.
NIDS, on the other hand, is a passive network security solution. It may sit on the inner network side of a firewall, on the DMZ, or on the WAN side. Placement on either the DMZ or inner network is preferable in that it will make less noise.
NIDS conducts purely passive monitoring. What this means is that that is a suspicious connection that matches a signature or anomaly comes in via incoming traffic it will alert the administrator or security team to the potential threat. Unlike NIPS, NIDS will not react to a suspicious connection.
Both NIDS and NIPS can rely upon rules, also known as rule-based detection, to help them detect and proactively stop suspicious connections (in the case of NIPS). The rules that NIDS and NIPS use allow them to differentiate between good traffic and suspicious traffic by comparing incoming traffic to the signatures that are known to be either suspicious or malicious. Rule-based detection is used heavily by most NIDS/NIPS but is increasingly having to compete with other detection methods, such as anomaly based, as time goes on.
The two major issues regarding analytics are false positives and false negatives. They are both different, yet undesirable, and can create problems for an organization.
False positives occur when a NIPS blocks legitimate incoming traffic. This is problematic in that it can create a sort of self-inflicted DDoS where service is denied to legitimate customers. False negatives occur when either the NIDS or NIPS allows incoming traffic in that is a threat. This occurs when the system does not have the signature of the threat in its signature database and unwittingly allows the traffic into the network, which highlights the zero-day weakness that both NIPS and NIDS suffer from.