Cisco Certified Internetwork Expert (CCIE) - Enterprise Infrastructure
6-3 Intrusion Detection and Prevention Systems (IDS/IPS) Explained

Key Concepts

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a security technology that monitors network or system activity for malicious actions or policy violations. An IDS analyzes network traffic and system logs to detect suspicious behavior. Once an intrusion is detected, the IDS generates an alert to notify administrators, but it takes no action itself to stop the intrusion.

Intrusion Prevention System (IPS)

An Intrusion Prevention System (IPS) is a security technology that not only monitors network or system activity but also takes proactive measures to prevent intrusions. An IPS can block or mitigate attacks by dropping malicious packets, resetting connections, or taking other corrective actions. An IPS is usually deployed inline in the traffic path, which allows it to intervene in real time.

Signature-Based Detection

Signature-Based Detection is a method used by IDS/IPS systems to identify known threats by comparing network traffic or system activities against a database of known attack signatures. These signatures are patterns or characteristics of known malicious activities. Signature-based detection is effective against known threats but may miss new or unknown threats that do not match any existing signatures.

Anomaly-Based Detection

Anomaly-Based Detection is a method used by IDS/IPS systems to identify potential threats by detecting deviations from normal behavior. This method involves creating a baseline of normal network or system activity and then monitoring for any deviations from this baseline. Anomaly-based detection can identify new or unknown threats but may generate false positives if the baseline is not accurately defined.
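The following added example (not part of the original page) puts the two detection methods and the IDS/IPS distinction side by side: a signature-based check against a small pattern database, an anomaly-based check against a baseline learned from a window of normal traffic, and an inspection loop that only alerts in IDS mode but drops offending flows in IPS mode. All flow records, IP addresses and signature patterns are constructed for illustration.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport payload")

# Signature database: name -> regex matched against the payload (constructed, illustrative patterns).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

def signature_matches(flow):
    """Signature-based detection: names of known patterns present in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]

def learn_baseline(flows):
    """Anomaly-based detection, learning phase: (dst, dport) pairs seen during normal operation."""
    return {(f.dst, f.dport) for f in flows}

def is_anomalous(flow, baseline):
    """Anomaly-based detection: a service never seen in the baseline counts as a deviation."""
    return (flow.dst, flow.dport) not in baseline

def inspect(flows, baseline, mode="ids"):
    """Run both detectors over the flows. In 'ids' mode every flow is forwarded and alerts
    are raised; in 'ips' mode any flow that triggers a detector is dropped inline."""
    alerts, forwarded = [], []
    for f in flows:
        reasons = signature_matches(f)
        if is_anomalous(f, baseline):
            reasons.append("anomaly:unseen-service")
        if reasons:
            alerts.append((f.src, reasons))
            if mode == "ips":
                continue  # drop the flow instead of forwarding it
        forwarded.append(f)
    return alerts, forwarded

# Constructed traffic: a learning window of normal flows, then a monitored window.
NORMAL = [Flow("10.0.0.5", "192.0.2.10", 80, "GET /index.html"),
          Flow("10.0.0.6", "192.0.2.10", 443, "TLS ClientHello"),
          Flow("10.0.0.7", "192.0.2.20", 53, "A? intranet.example")]
MONITORED = [Flow("10.0.0.5", "192.0.2.10", 80, "GET /about.html"),
             Flow("10.0.0.8", "192.0.2.10", 80, "GET /login?u=x' OR '1'='1"),
             Flow("10.0.0.9", "192.0.2.30", 123, "NTP client request")]  # legitimate, but not in baseline

if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    for mode in ("ids", "ips"):
        alerts, fwd = inspect(MONITORED, base, mode)
        print(mode, "alerts:", alerts, "forwarded:", len(fwd))
```

The NTP flow illustrates the false-positive caveat: it is flagged only because the baseline window never contained that service, so in IPS mode it is dropped along with the real signature hit.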

Network-Based IDS/IPS

Network-Based IDS/IPS systems monitor network traffic to detect and prevent intrusions. These systems are typically deployed on network segments or at critical points in the network, such as firewalls or routers. Network-based IDS/IPS can monitor all traffic passing through the network segment, providing comprehensive coverage for detecting and preventing network-based attacks.

Host-Based IDS/IPS

Host-Based IDS/IPS systems monitor activity on individual hosts, such as servers or workstations, to detect and prevent intrusions. These systems analyze system logs, file integrity, and process activity to identify suspicious behavior. A host-based IDS/IPS provides detailed insight into the security status of an individual host and can detect attacks that originate from within the host or target the host specifically.

Examples and Analogies

Consider a large office building where an Intrusion Detection System (IDS) is like a security guard who monitors the building's security cameras and logs for any suspicious activities. If the guard sees something unusual, they notify the building manager (administrator) but do not take any action to stop the activity.

An Intrusion Prevention System (IPS) is like a security guard who not only monitors the building but also has the authority to take immediate action, such as calling the police or blocking an unauthorized entry. The guard can prevent intrusions in real-time by intervening directly.

Signature-Based Detection is like a security system that uses a database of known threats (e.g., known criminals' faces) to identify intruders. If the system recognizes a known threat, it alerts the guard. However, it may miss new threats that are not in the database.

Anomaly-Based Detection is like a security system that learns the normal behavior of the building (e.g., typical patterns of movement) and alerts the guard if anything deviates from this norm. This system can detect new threats but may also raise false alarms if the normal behavior is not accurately defined.

Network-Based IDS/IPS is like a security system that monitors all traffic entering and leaving the building, providing comprehensive coverage for detecting and preventing intrusions. Host-Based IDS/IPS is like a security system installed in each office, monitoring activities within the office and providing detailed insights into the security status of each room.