Intrusion Detection and Prevention Systems (IDS IPS).md - Juan-bit94/Ops401D10 GitHub Wiki

Intrusion Detection and Prevention Systems (IDS/IPS)

Why does this topic matter?

  • This topic matters because the implementation of Network Intrusion Detection Systems is essential for identifying and responding to threats in the network.

List 2 differences between firewalls and an IDS?

  • Intrusion detection systems identify suspicious network activity and alert security teams about it; firewalls actually keep potentially malicious traffic out. All in all, an IDS is a visibility tool and a firewall is a prevention tool.

Under what circumstances would you choose a network-based IDS over a host-based IDS?

  • I would choose a network-based IDS over a host-based IDS if I needed to monitor a large network. NIDS are great at analyzing traffic at the network layer.
  • NIDS are also able to provide a comprehensive view of network traffic, since they monitor data in transit, and they allow for centralized monitoring.

Name 3 major drawbacks of a NIDS?

  • NIDS are focused on network traffic and do not have detailed visibility into activities occurring on individual hosts.
  • NIDS have a difficult time inspecting encrypted traffic. In this day and age, where encryption is used more and more often, a NIDS deployed in a network that encrypts its communications will have difficulty detecting malicious activity.
  • NIDS (and IDS in general) are susceptible to false positives. Since a NIDS analyzes network traffic patterns and signatures, some network activities that are legitimate might be flagged as suspicious.
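As an added example (not code from the original wiki page), a toy signature-based inspector over constructed flow records illustrates the drawbacks above: the sensor sees nothing inside the TLS flow, the legitimate config sync from 10.0.0.20 trips the same signature as the real probe (a false positive), and a per-source suppression list is one tuning step an analyst would apply. All addresses, paths, payloads and signature IDs are made up.

```python
import json
import re

# Constructed flow records, shaped roughly like what a NIDS sensor reassembles:
# source address, destination port, and the application payload it observed.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"},
    {"src": "203.0.113.9", "dport": 80,
     "payload": b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n"},
    # Legitimate config-management push that merely names the same path.
    {"src": "10.0.0.20", "dport": 80,
     "payload": b'POST /api/sync HTTP/1.1\r\n\r\n{"files":["../../etc/passwd"]}'},
    # TLS application data: the sensor only sees ciphertext, so nothing matches.
    {"src": "203.0.113.9", "dport": 443,
     "payload": bytes.fromhex("170303002a8f2a9107c3")},
]

# Hypothetical content signatures in the spirit of a NIDS ruleset.
SIGNATURES = [
    {"sid": 1001, "msg": "Path traversal attempt against /etc/passwd",
     "pattern": re.compile(rb"\.\./\.\./etc/passwd")},
]


def inspect(flows, signatures=SIGNATURES):
    """Match every flow payload against every signature; return raised alerts."""
    alerts = []
    for flow in flows:
        for sig in signatures:
            if sig["pattern"].search(flow["payload"]):
                alerts.append({"sid": sig["sid"], "msg": sig["msg"],
                               "src": flow["src"], "dport": flow["dport"]})
    return alerts


def suppress(alerts, allowlist):
    """Drop alerts for (sid, src) pairs an analyst has marked as known-benign."""
    return [a for a in alerts if (a["sid"], a["src"]) not in allowlist]


def to_siem_lines(alerts):
    """Serialize alerts as JSON lines, the usual shape a SIEM collector ingests."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    raw = inspect(SAMPLE_FLOWS)
    tuned = suppress(raw, {(1001, "10.0.0.20")})
    print("\n".join(to_siem_lines(tuned)))
```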

Things I want to know more about.

  • I would like to know how NIDS can integrate with a SIEM. It would be of great interest to me to see how NIDS-generated alerts contribute to a broader security monitoring environment.