RESPOND TO THIS DISCUSSION POST BASED ON THE TOPIC “Compare and contrast the different types of IDPS technology and describe any prior experience using any of the tools.”
1.VC). I have found four different types of IDPS technologies, but for this discussion board I decided to just compare two. The first IDPS technology is network-based. A network-based technology “monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.” (Scarfone, 2007) A network-based system is used to capture and analyze packets from various IP addresses, websites, and TCP/UDP layers. One benefit of having a network-based detection system in place is getting real-time alerts. Also, companies can decide which type of network-based system they would like to go with. There are two major types. The first is signature-based, which compares attacks with previous attacks the system has seen. The second type is anomaly-based, which compares packets with a baseline and then decides which steps should be taken. Overall, a network-based IDPS can be expensive and difficult to configure.
The second type of IDPS is known as a network behavior analysis system, which “examines network traffic or statistics on traffic to identify unusual traffic flows, and policy violations.” (Scarfone, 2007) Unlike a network-based IDPS, the NBA system is delayed in identifying attacks. An NBA system can, however, analyze and reconstruct an attack in hopes of preventing the same type of attack from happening again. Also, NBA systems are used to monitor the network flow or malware rather than monitoring the actual network itself. Using Snort for this week’s lab will be my first time using intrusion detection software.
2TD). I really like this topic although it can be a very extensive one. There are many forms of IDPS systems. “Intrusion Detection System (IDS) is meant to be a software application which monitors the network or system activities and find if any malicious operations occur.” (1) Unlike firewalls that block any connections that it finds harmful, this software alerts the administrator if any connections that were harmful still get passed through. There are three types of Intrusion Detection Systems: Network Based, Host Based and Application Based.
“Network-based intrusion detection systems monitor the network traffic and use these raw network packet’s content to analyze network, transport, and application protocols to identify suspicious activity.” (2) This system collects all the packets through the network and analyzes them for any malicious intent. One advantage of using this method is the “operating system independence.” The data packets “also independent on OS platform. This method is to provide faster notification and response…” (2)
Another type of Intrusion Detection Systems is the Host based. “Host-based IDS monitors a single machine and audits data traced by the hosting operating system. When there is any file change, the IDS compare the new signatures by hashing new log entry to see whether there is a match.” (2) This is when the system alerts the administrator if there is a match as there can be a security issue.
Application-based IDS is meant to basically solve the “weakness of the Network IDS. One big advantage of this approach is to monitor the interaction between user and application, which traces activity to individual users.” (2) Since this IDS traces the actions back to individuals, it will be clear who tries to project harm.
I did find another site that I found useful as it tells the ways IDPS detects attacks. "A signature is a pattern that corresponds to a known attack or type of attack. Signature-based detection is the process of comparing signatures against observed events to identify possible attacks." (3) This is when something is labeled with known labels that are forms of malware. "Signature-based detection is very effective at detecting known attacks but largely ineffective at detecting previously unknown attacks, attacks disguised by the use of evasion techniques, and many variants of known attacks." (3)
"Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications." (3) This is when monitoring changes happens. If something changes over time, it is detected this way. "The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown attacks." (3)
"Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations." (3) This is when events that have happened are compared to those that are normal. It is then decided if they are normal deviations or abnormal.
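A small worked example of the three detection methods the post describes (signature, anomaly and stateful protocol analysis), added here as illustration and not taken from the post or from any of the tools it cites. All sample requests, the "constructed-worm-marker" signature, the z-score threshold and the simplified command sequence are constructed assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# --- Signature-based: compare observed events against patterns of known attacks ---
# Constructed signature (not a real rule): a literal marker standing in for a known exploit string.
SIGNATURES = {"constructed-worm-marker": re.compile(r"constructed-worm-marker", re.I)}

def signature_alerts(requests):
    """Return (client, signature name) for every request matching a known pattern."""
    return [(c, name) for c, path in requests
            for name, rx in SIGNATURES.items() if rx.search(path)]

# --- Anomaly-based: profile normal behaviour, then flag significant deviations ---
def build_profile(baseline_requests):
    """Profile = mean and std-dev of requests per client over a known-good period."""
    counts = list(Counter(c for c, _ in baseline_requests).values())
    return mean(counts), pstdev(counts)

def anomaly_alerts(profile, requests, z_threshold=3.0):
    """Flag clients whose request volume exceeds the profile by more than z_threshold sigmas."""
    mu, sigma = profile
    return [c for c, n in Counter(c for c, _ in requests).items()
            if sigma and (n - mu) / sigma > z_threshold]

# --- Stateful protocol analysis: check each command against the allowed protocol state ---
# Constructed, simplified mail-style protocol: which commands may follow each state.
ALLOWED = {"start": {"HELO"}, "HELO": {"MAIL"}, "MAIL": {"RCPT"},
           "RCPT": {"RCPT", "DATA"}, "DATA": {"QUIT"}}

def protocol_alerts(session):
    """Return a description of the first command invalid in the current state, or None."""
    state = "start"
    for cmd in session:
        if cmd not in ALLOWED.get(state, set()):
            return f"{cmd} not allowed in state {state}"
        state = cmd
    return None

# Constructed sample data: (client, requested path)
BASELINE = [("10.0.0.1", "/"), ("10.0.0.1", "/a"), ("10.0.0.2", "/"), ("10.0.0.2", "/b"),
            ("10.0.0.2", "/c"), ("10.0.0.3", "/"), ("10.0.0.3", "/d")]
OBSERVED = ([("10.0.0.5", "/index.html"), ("10.0.0.5", "/about.html"),
             ("10.0.0.7", "/get?f=constructed-worm-marker"),      # known attack: signature fires
             ("10.0.0.7", "/get?f=constructed%2Dworm%2Dmarker")]  # encoded variant: signature misses it
            + [("10.0.0.9", f"/page{i}") for i in range(12)])     # unusual volume: only anomaly fires
GOOD_SESSION = ["HELO", "MAIL", "RCPT", "DATA", "QUIT"]
BAD_SESSION = ["HELO", "DATA", "QUIT"]  # DATA before MAIL/RCPT: a protocol-state deviation
```

Running the three detectors over OBSERVED shows the trade-off the quotes describe: the signature catches the known string but not its encoded variant, while the anomaly profile catches the unknown flood without knowing what it is.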
3. CHL). According to NIST, there are four primary types of IDPS technologies: network-based, wireless, network behavior analysis, and host-based.
- Network-Based
  o Monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
  o Identifies many different types of events of interest.
  o Most commonly deployed at a boundary between networks.
- Wireless
  o Monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves.
  o Cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring.
  o Deployed within range of an organization’s wireless network.
  o Can also be deployed to locations where unauthorized wireless networking could be occurring.
- Network Behavior Analysis (NBA)
  o Examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing unauthorized network services to other systems).
  o Most often deployed to monitor flows on an organization’s internal networks, and are also sometimes deployed where they can monitor flows between an organization’s networks and external networks.
- Host-Based
  o Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
  o Most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information (NIST, n.d.).
I have used probably all but wireless, though I may have inadvertently used it. I have not seen wireless IDPS much because most of my experience comes from non-wireless forms of networking. As mentioned in the previous discussion, I would stay away from wireless unless I have to due to security concerns.
NIST. (n.d.). Intrusion Detection and Prevention Systems [PDF].
PLEASE READ THIS. IT IS VERY IMPORTANT
Allow your discussion posts to be detailed and capable of sharing knowledge, ideas and points. You must discuss the topic using your own words first. Using your own words indicates you understand the topic of discussion. Secondly, you must cite your sources in-text. This is necessary to justify your points. Using several sources shows good research abilities. Lastly, you must provide references at the bottom of your post. A discussion post without justification with sources does not show proper research abilities. A terse, undetailed discussion represents a post that would not provide enough sharing of knowledge or proper understanding of the topic. DO NOT just copy and paste a sentence from online with a citation at the end as your own discussion. I have not asked for definitions, I asked for discussions and will not buy this. You must show understanding of the discussion topic by using your own words to describe the topic and then justify that with sources.
Use www.citationmachine.net to format references into APA style if necessary. Extremely important: in-text citations are very essential and highly needed as well.
Use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to the APA citation method (citations should be relevant and current). Page-length requirements: 3 PARAGRAPHS FOR EACH PROMPT ANSWER. Make sure you cite if you take a piece of someone’s work, very important, and your reference should relate to your writing (don’t cite a reference because it relates to the course and not this very paper); at least 2 current and relevant academic references. No heavy paraphrasing of others’ work.