Network Intrusion Detection and Prevention – CompTIA Security+ SY0-501 – 2.1

If you want to stop an unwanted attack, then you’ll want to include an IPS as part of your defense-in-depth strategy. In this video, you’ll learn about intrusion detection systems and intrusion prevention systems, and you’ll learn how they work in both out-of-band and in-band response configurations.



Many security professionals incorporate a network-based intrusion detection system (IDS) or a network-based intrusion prevention system (IPS) into their networks. This device watches the traffic going through the network, and if it identifies an exploit against an operating system, a buffer overflow, a database injection, or cross-site scripting, it will either inform you that it happened (if you're using an IDS) or block the traffic (if you're using an IPS).

And that is the most significant difference between an IDS and an IPS. With an intrusion detection system, you’ll simply receive an alarm or an alert. Whereas an intrusion prevention system has the capability to stop that intrusion before it gets onto your network.

There are many different ways to engineer your IPS into your network. One way is to configure it as a passive monitoring device. This means that the IPS receives a copy of the traffic and makes a decision once it has examined that copy. Because it is acting as a passive monitor, it is not sitting in the middle of the communication and cannot block the traffic itself.

You might have traffic going from one device to another, and as it passes through the switch, a copy is sent to the IPS (for example from a mirror or SPAN port, or from a network tap). If something is identified in the middle of this communication, the IPS can inform you that it saw the intrusion, but the traffic has obviously already passed through your network to the other device.

The only response you have when you're in passive mode is what's called an out-of-band response. It's out-of-band because the IPS is not part of the traffic flow; it's sitting outside the band of the communication. If traffic traverses the network, and the IPS receives a copy and determines that the traffic is malicious, it can send a TCP reset (RST) segment to both the source and the destination of the communication.

This TCP reset closes the session between the two devices, and they will no longer be able to send traffic to each other unless they set up another session. The reset is obviously sent after the fact, and it has to carry a sequence number the endpoints will accept, which the IPS knows only because it has been watching the session. You're hoping to stop the communication before much of the malicious payload is able to traverse the network. The out-of-band response is also very limited for protocols other than TCP. UDP, for example, has no reset; if this is a UDP communication, there's no way to stop it from an out-of-band position.

If a security professional is looking for more control over these traffic flows, they'll probably configure their IPS for in-line monitoring. All traffic then passes through the IPS, and the IPS decides whether that traffic is allowed through the network or not. Because every packet now depends on the device, you also have to decide what happens when it fails: whether it fails open (traffic keeps flowing, uninspected) or fails closed (the link goes down).

Because the IPS is sitting in-line, the response to any type of malicious traffic is to drop it immediately at the IPS and never let it traverse the network. There are many different ways to look for malicious traffic going through your IPS, and not all IPSs use all of these methods.

One of the most common is signature-based identification. A signature is predefined inside the IPS, and the IPS watches for traffic on the network that matches that signature exactly. If it identifies traffic that matches, it blocks that traffic at the IPS.

Another method of identification is anomaly-based. Your IPS sits on the network and learns what a normal traffic flow looks like for your network. If any traffic comes through that doesn't match the normal flow, the anomaly-based identification blocks it at the IPS. This only works if the learning period itself was clean; anything that was happening while the baseline was built becomes "normal."
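The following is an added example of anomaly-based identification, not code from the video or from any IPS product. It learns a per-host baseline (outbound bytes per minute and the destination ports the host normally uses) from a constructed hour of flow summaries, then scores new minutes against it. The host addresses, port numbers and byte counts are all made up for the illustration.

```python
"""Anomaly-based detection on per-host flow summaries (added example, not a product's engine).

The sensor first learns what "normal" looks like for each host (outbound bytes
per minute and the set of destination ports it uses), then scores new minutes
against that baseline and drops or alerts on anything that deviates.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowSummary:
    host: str        # internal source address
    minute: int      # time bucket the flow was observed in
    out_bytes: int   # bytes sent by the host
    dst_port: int    # service the host talked to


def make_baseline_flows() -> List[FlowSummary]:
    """Constructed training window: one host browsing on 443 and 80 for an hour."""
    flows = []
    for minute in range(60):
        flows.append(FlowSummary("10.0.0.5", minute, 40_000 + (minute % 7) * 1_500, 443))
        flows.append(FlowSummary("10.0.0.5", minute, 3_000 + (minute % 5) * 200, 80))
    return flows


class Baseline:
    def __init__(self, flows: List[FlowSummary]):
        per_minute: Dict[Tuple[str, int], int] = defaultdict(int)
        self.ports: Dict[str, Set[int]] = defaultdict(set)
        for f in flows:
            per_minute[(f.host, f.minute)] += f.out_bytes
            self.ports[f.host].add(f.dst_port)
        totals: Dict[str, List[int]] = defaultdict(list)
        for (host, _), total in per_minute.items():
            totals[host].append(total)
        # mean and population stddev of outbound bytes per minute, per host
        self.stats = {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in totals.items()}

    def score(self, host: str, minute_flows: List[FlowSummary], threshold: float = 3.0) -> List[str]:
        """Reasons this host-minute deviates from its baseline; an empty list means normal."""
        if host not in self.stats:
            return [f"no baseline for {host}: cannot judge, alert for review"]
        mean, sd = self.stats[host]
        total = sum(f.out_bytes for f in minute_flows)
        # z-score; a perfectly flat baseline (sd == 0) makes any change infinitely unusual
        z = (total - mean) / sd if sd > 0 else (float("inf") if total != mean else 0.0)
        reasons = []
        if z > threshold:
            reasons.append(f"outbound volume {total} B is {z:.1f} sd above the mean of {mean:.0f} B")
        new_ports = {f.dst_port for f in minute_flows} - self.ports[host]
        if new_ports:
            reasons.append(f"destination ports never seen in baseline: {sorted(new_ports)}")
        return reasons


def decide(baseline: Baseline, host: str, minute_flows: List[FlowSummary], inline: bool) -> str:
    """An in-line sensor drops on anomaly; a passive one can only alert."""
    reasons = baseline.score(host, minute_flows)
    if not reasons:
        return "allow"
    return ("drop: " if inline else "alert: ") + "; ".join(reasons)
```

A normal minute (about 48 KB out to ports 443 and 80) scores as nothing, while a minute with 400 KB leaving toward a port the host has never used produces two reasons. Note the two caveats the code makes visible: a host with no baseline cannot be scored at all, and the baseline is only as trustworthy as the traffic it was learned from.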

The IPS may also have the capability to look for certain behaviors. If a user deletes a file or changes things on a server, the IPS may be configured to look for that behavior and, if it occurs, block it at the IPS. Some of the more advanced intrusion prevention systems can identify attacks based on heuristics. Instead of using a specific set of signatures, the IPS is configured with a set of characteristics that together might define an attack. As traffic comes through, the heuristics examine that traffic and determine whether an attack is taking place.
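As an added example of the heuristic approach (not code from the video or from any product), the block below scores HTTP request targets against a handful of weighted characteristics rather than one exact signature. The indicator names, weights and threshold are assumptions chosen for the illustration, and the request lines are constructed.

```python
"""Heuristic scoring of HTTP request targets (added example, not a product's engine).

Each characteristic contributes a weight; the request is treated as an attack
only when the accumulated score crosses the threshold. One weak indicator by
itself stays below the line, which is how this avoids firing on every request
that merely looks a little odd.
"""
import re
from typing import Callable, List, Tuple
from urllib.parse import unquote

# (name, weight, predicate over the raw and percent-decoded request target)
HEURISTICS: List[Tuple[str, int, Callable[[str, str], bool]]] = [
    ("path traversal", 4,
     lambda raw, dec: "../" in dec or "..\\" in dec),
    ("shell metacharacter before a command", 3,
     lambda raw, dec: re.search(r"[;|`]\s*[A-Za-z]", dec) is not None),
    ("sql keyword in query", 3,
     lambda raw, dec: re.search(r"(?i)\b(union|select|sleep|benchmark)\b", dec) is not None),
    ("heavy percent-encoding", 2,
     lambda raw, dec: len(re.findall(r"%[0-9A-Fa-f]{2}", raw)) >= 3),
    ("unusually long request target", 1,
     lambda raw, dec: len(raw) > 512),
]


def score_request(target: str, threshold: int = 5) -> Tuple[int, bool, List[str]]:
    """Return (score, is_attack, names of the characteristics that fired)."""
    decoded = unquote(target)  # evaluate on what the server will actually see
    hits = [(name, weight) for name, weight, pred in HEURISTICS if pred(target, decoded)]
    total = sum(weight for _, weight in hits)
    return total, total >= threshold, [name for name, _ in hits]


if __name__ == "__main__":
    for t in ("/search?q=shoes",
              "/search?q=select%20a%20shoe",
              "/download?file=..%2F..%2Fetc%2Fpasswd",
              "/cgi-bin/ping?host=1.1.1.1%3Bcat%20%2Fetc%2Fpasswd"):
        print(t, score_request(t))
```

The search for "select a shoe" trips the SQL-keyword indicator but scores 3, below the threshold, so it passes; the traversal and command-injection requests accumulate enough indicators to cross it. Tuning those weights is exactly the balancing act between false positives and false negatives described later on this page.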

An IPS decides what traffic to look for, and what to do when it finds a match, based on a series of rules. You define what the IPS is looking for with a rule base that may contain thousands of different rules. The rules are usually grouped by characteristic, so you can make broad settings: anything that's a database injection you may want to block, while anything that's malware you may only want to alert on.

It can take a lot of time to find exactly the right balance. An intrusion prevention system can generate a large number of false positives and a large number of alerts, so you have to settle on the set of rules you want enabled and configure your IPS for the type of traffic that actually flows through your network.

Here's a page of IPS rules I took from a pfSense firewall. You can see that signature ID 105, for example, uses TCP: if it identifies traffic from source port 2589 going to any destination port, the signature identifies that as a back door created by malware called Dagger. And you can see that this goes on and on. There are thousands of rules that you can configure, and it's up to you to enable the rules that are important for you and then determine what the disposition of each one of those rules is going to be.
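The block below is an added example, not pfSense or Snort code, that ties together the rule base, exact signature matching and the in-line versus out-of-band responses discussed above. It reads Snort-format rule text, matches constructed packets against the rules, and reports what a sensor in each mode could do when a rule fires. The first rule is a simplified version of the SID 105 rule shown on the page (header fields as described there; the published rule also carries flow, depth and reference options), the two local rules and all packets are constructed, and `$HOME_NET` is assumed to be 10.0.0.0/8.

```python
"""Minimal Snort-style signature matcher (added example, not pfSense or Snort code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption for this example; in Snort/pfSense this comes from the sensor config.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    sid: int; msg: str; content: Optional[bytes]


@dataclass(frozen=True)
class Packet:
    proto: str; src_ip: str; sport: int; dst_ip: str; dport: int
    payload: bytes = b""


def decode_content(spec: str) -> bytes:
    """Snort content syntax: literal text, with |hh hh| runs for raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m["opts"].split(";"):  # simplification: no ';' inside option values
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    content = decode_content(opts["content"]) if "content" in opts else None
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                int(opts["sid"]), opts.get("msg", ""), content)


def ip_matches(var: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if var == "any":
        return True
    if var == "$HOME_NET":
        return addr in HOME_NET
    if var == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(var, strict=False)


def port_matches(var: str, port: int) -> bool:
    return var == "any" or int(var) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Signature matching is exact: protocol, both endpoints and the content must all agree."""
    return (rule.proto == pkt.proto
            and ip_matches(rule.src, pkt.src_ip) and port_matches(rule.sport, pkt.sport)
            and ip_matches(rule.dst, pkt.dst_ip) and port_matches(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


def response(rule: Rule, pkt: Packet, mode: str) -> str:
    """What the sensor can actually do once a rule fires, given how it is deployed."""
    if mode == "inline":
        return "drop" if rule.action == "drop" else "alert"
    # Out-of-band: the packet was already forwarded. A TCP session can still be
    # torn down after the fact with RSTs to both ends; UDP has no equivalent,
    # so the alert itself is the only response.
    if rule.action == "drop" and pkt.proto == "tcp":
        return "alert+tcp-reset"
    return "alert"


def evaluate(rules: List[Rule], pkt: Packet, mode: str) -> List[Tuple[int, str]]:
    return [(r.sid, response(r, pkt, mode)) for r in rules if rule_matches(r, pkt)]


RULE_TEXT = [
    # Simplified from the SID 105 rule shown on the page.
    'alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"BACKDOOR - Dagger_1.4.0"; '
    'content:"2|00 00 00 06 00 00 00|Drives|24 00|"; sid:105;)',
    # Constructed local rules (SIDs from 1000000 up are reserved for local use).
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL injection attempt"; '
    'content:"UNION SELECT"; sid:1000001;)',
    'drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS tunnel marker"; '
    'content:"tunnel"; sid:1000002;)',
]
RULES = [parse_rule(t) for t in RULE_TEXT]
```

Running `evaluate(RULES, pkt, "inline")` and `evaluate(RULES, pkt, "passive")` over the same packets shows the asymmetry from the deployment discussion: the SQL injection rule drops in-line but can only reset the TCP session out-of-band, and the UDP rule degrades to an alert there. The constructed `UNION SELECT` content rule is also a reminder of why loose signatures generate false positives: it will fire on any web page that merely discusses SQL.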

A significant challenge with intrusion prevention systems is that they generate a lot of alerts and a lot of messages, and a number of those messages are not going to be accurate. We call these false positives: the system has told us there was an intrusion on the network, but in reality it was a case of mistaken identity and there was no intrusion at all.

If this is a signature-based IPS, the messages you receive are only as good as the signatures. More specific and carefully written signatures will generally produce fewer false positives, although the more narrowly a signature is written, the easier it is for a slightly varied attack to slip past it. Unfortunately, it can be very time-consuming to go through every single alert and message from the IPS, but unless you have a way to research them, you'll never know which alerts are legitimate and which are false positives.

Sometimes these false positives can create significant problems. For example, in April 2017, the Webroot anti-virus product began marking legitimate Windows operating system files as malicious and quarantining parts of the operating system itself. It also marked the Facebook and Bloomberg websites as phishing sites, even though neither the Windows files nor those sites were malicious at all.

Perhaps even worse than a false positive on an IPS is a false negative. This is when malicious traffic came through the IPS but the IPS did not identify it as malicious. If that malicious traffic got past the IPS, you probably have a machine that has been infected, and you'll ultimately see that when you perform an anti-virus scan or find the evidence in some other log.

But it can be difficult to know when this has happened, because you received no messages and no identification of anything malicious; you have no idea that it passed through the IPS. In some cases you can find industry tests of intrusion prevention systems, anti-virus and anti-malware products, where known-malicious traffic is sent through the software and hardware to measure what kind of catch rate it achieves, so that you at least have some way to compare one IPS against another.