401d8 read14 - carlosjorr/reading-notes GitHub Wiki
Intrusion Detection and Prevention Systems (IDS/IPS)
List 2 differences between firewalls and an IDS?
A firewall is an inline enforcement point between networks. It decides, packet by packet, whether traffic may pass, based on a predefined rule set keyed on header fields such as source and destination IP address, port number and protocol. Its job is access control: a packet that matches a deny rule is dropped and never reaches its destination.
An Intrusion Detection System (IDS) is a monitoring tool. It observes network traffic or host activity, typically from a copy of the traffic taken out of band, and compares it against known attack signatures or a baseline of normal behavior; when something matches it raises an alert for an analyst, but it does not block anything. The two differences, then, are (1) enforcement versus detection: a firewall blocks, an IDS alerts; and (2) what is inspected: a firewall decides mostly on headers, while an IDS looks at payload content and behavior. An IPS is the inline variant of an IDS that can also drop the traffic it flags.
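To make the two differences concrete, here is an added example (not from the original notes) that runs the same constructed packets through a toy header-based firewall and a toy payload-signature IDS. The rule set, the two regex signatures and the sample packets are all constructed for illustration; they are not real Snort or Suricata rules.

```python
"""Firewall vs IDS on the same traffic (constructed example).

The firewall is an inline policy decision on header fields and returns a
verdict; the IDS is an out-of-band observer that matches payload content
against signatures and returns alerts, never a verdict.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Minimal packet view: headers for the firewall, payload for the IDS."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


@dataclass
class FwRule:
    action: str            # "allow" or "deny"
    src_net: str           # CIDR the source address must fall in
    dport: Optional[int]   # None matches any destination port
    proto: str             # "tcp", "udp" or "any"


# Constructed rule set: first match wins, last rule is the default deny.
FIREWALL_RULES = [
    FwRule("allow", "0.0.0.0/0", 80, "tcp"),   # public web server
    FwRule("allow", "10.0.0.0/8", 22, "tcp"),  # SSH only from the internal range
    FwRule("deny", "0.0.0.0/0", None, "any"),
]

# Constructed payload signatures (illustrative, not real rule-set entries).
SIGNATURES = {
    "WEB-PATH-TRAVERSAL": re.compile(rb"\.\./\.\./"),
    "WEB-ETC-PASSWD": re.compile(rb"/etc/passwd"),
}


def firewall_decide(pkt: Packet, rules=FIREWALL_RULES) -> str:
    """Enforcement: returns 'allow' or 'deny' from header fields only."""
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src_net):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        return rule.action
    return "deny"  # nothing matched: fail closed


def ids_inspect(pkt: Packet, sigs=SIGNATURES) -> List[str]:
    """Detection: names of signatures found in the payload.
    The result never changes whether the packet is delivered."""
    return [name for name, rx in sigs.items() if rx.search(pkt.payload)]


def process(pkt: Packet):
    """Run both over one packet and return (firewall verdict, IDS alerts)."""
    return firewall_decide(pkt), ids_inspect(pkt)


if __name__ == "__main__":
    samples = {
        # Allowed by policy (port 80 is open) but the IDS flags the content.
        "traversal_on_80": Packet("203.0.113.5", "192.0.2.10", 80, "tcp",
                                  b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
        # Blocked by policy regardless of content.
        "external_ssh": Packet("203.0.113.5", "192.0.2.10", 22, "tcp", b"SSH-2.0-x"),
        # Allowed and clean.
        "internal_ssh": Packet("10.1.2.3", "192.0.2.10", 22, "tcp", b"SSH-2.0-x"),
    }
    for name, pkt in samples.items():
        verdict, alerts = process(pkt)
        print(f"{name:16} firewall={verdict:5} ids_alerts={alerts}")
```

The first sample is the point of the exercise: the firewall correctly allows it, because port 80 is supposed to be open, and only the IDS notices that the request is a path traversal. Turning that alert into a drop is what an IPS adds.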
Under what circumstances would you choose a network-based IDS over a host-based IDS?
When you want to monitor an entire network segment from one place, fed by a SPAN (mirror) port or a network TAP, instead of installing and maintaining an agent on every host. When the environment has many hosts and devices, including ones you cannot put an agent on (appliances, printers, IoT, unmanaged or BYOD machines), and a few sensors covering the key segments are the cost-effective option. When you need passive monitoring that adds no CPU, memory or stability risk on the hosts themselves, and when you want visibility into traffic between hosts (scans, lateral movement) that no single host would see on its own.
Name 3 major drawbacks of a NIDS?
Blind Spots: A NIDS only sees traffic that crosses the segment it is tapped into. Attacks that never produce network traffic on that segment (a malicious USB device, a local privilege escalation, actions taken directly at a console) are invisible to it, and so is traffic between hosts on a segment it does not monitor, which is why it is usually paired with a host-based IDS.
Encryption: A NIDS cannot inspect the payload of encrypted traffic. With TLS, SSH or a VPN tunnel it still sees addresses, ports and handshake metadata, but not the request or command inside, so payload signatures never match. Inspecting that content means terminating or decrypting the traffic (a TLS-intercepting proxy) with the cost and privacy trade-offs that brings, or relying on host-side visibility.
False Positives and Negatives: Signatures are byte patterns, so legitimate traffic that happens to contain them (a forum post quoting an attack string, a security scanner, an unusual but valid protocol use) raises false positives that must be tuned out. The reverse is worse: attackers evade signatures with encoding, fragmentation and obfuscation, and a sensor that cannot keep up with link speed silently drops packets, so false negatives leave breaches undetected unless another control catches them.
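The encryption and false-positive/false-negative drawbacks can be shown on constructed traffic. The following added example (not from the original notes) runs one constructed SQL-injection signature over a cleartext attack, the same attack as a browser would form-encode it, a benign post that quotes the attack string, and the attack as a sensor would see it over an encrypted link. The XOR "cipher" is a stand-in for TLS record encryption and is not secure; the signature, key and sample requests are all constructed for illustration.

```python
"""NIDS limitations on constructed sample traffic.

Shows: the signature matches cleartext but not ciphertext (encryption);
a benign post that quotes the attack string fires it (false positive);
and a form-encoded attack slips past a raw byte match (false negative)
until the input is normalized the way a real HTTP preprocessor would.
"""
import hashlib
import re
import urllib.parse

# Constructed signature for a classic SQL-injection tautology.
SIG_SQLI = re.compile(rb"'\s*or\s*1\s*=\s*1", re.IGNORECASE)


def normalize(payload: bytes) -> bytes:
    """Undo HTTP form encoding ('+' and %XX) before matching. Works on raw
    bytes so it never raises on non-text (e.g. encrypted) input."""
    return urllib.parse.unquote_to_bytes(payload.replace(b"+", b" "))


def scan(payload: bytes) -> dict:
    """Does the signature fire on the raw bytes and on the normalized bytes?"""
    return {
        "raw": bool(SIG_SQLI.search(payload)),
        "normalized": bool(SIG_SQLI.search(normalize(payload))),
    }


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record encryption: XOR with a SHA-256 counter
    keystream. NOT a secure cipher; it only models that a sensor on a TLS
    link sees ciphertext. Applying it twice with the same key decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


KEY = b"constructed-session-key"          # constructed, not a real session key
ATTACK = b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"

# Constructed sample traffic.
SAMPLES = {
    "cleartext_attack": ATTACK,
    # Same attack form-encoded by the browser: no literal quote or '=' on the wire.
    "encoded_attack": b"GET /login?user=admin%27+OR+1%3D1-- HTTP/1.1\r\n",
    # Benign forum post quoting the payload while discussing it.
    "benign_forum_post": (b"POST /forum/reply HTTP/1.1\r\n\r\n"
                          b"body=the classic tautology is ' OR 1=1 so validate input"),
    # The cleartext attack as the sensor would see it over an encrypted link.
    "tls_attack": toy_encrypt(ATTACK, KEY),
}


def run_all() -> dict:
    """Scan every sample; returns {name: {"raw": bool, "normalized": bool}}."""
    return {name: scan(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:18} raw={result['raw']!s:5} normalized={result['normalized']}")
```

Reading the output: the encoded attack is a false negative for a raw byte match and is caught only after decoding, the forum post is a false positive both ways, and the encrypted copy is never caught by either, because the bytes the sensor sees are not the request. Normalization fixes one of the three problems; the other two are inherent to inspecting traffic from the wire.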