1
00:00:00,558 --> 00:00:02,510
NIDS versus NIPS.

2
00:00:02,510 --> 00:00:04,630
Now, we've already spoken a little bit about

3
00:00:04,630 --> 00:00:07,090
intrusion detection and intrusion prevention systems

4
00:00:07,090 --> 00:00:08,750
earlier on in this course.

5
00:00:08,750 --> 00:00:10,690
In this lesson, though, we're going to focus

6
00:00:10,690 --> 00:00:13,280
on the differences between a network-based IDS

7
00:00:13,280 --> 00:00:14,733
and a network-based IPS.

8
00:00:15,730 --> 00:00:17,560
A Network Intrusion Detection System,

9
00:00:17,560 --> 00:00:20,240
or a NIDS, is a type of IDS that attempts

10
00:00:20,240 --> 00:00:22,410
to detect malicious network activities,

11
00:00:22,410 --> 00:00:26,060
for example, port scans and denial of service attacks.

12
00:00:26,060 --> 00:00:28,070
Now, this is a device that's usually placed

13
00:00:28,070 --> 00:00:29,950
either before the firewall, so that

14
00:00:29,950 --> 00:00:31,410
it can be directly exposed to all

15
00:00:31,410 --> 00:00:32,870
of the traffic that's coming in,

16
00:00:32,870 --> 00:00:35,070
or right behind the firewall.

17
00:00:35,070 --> 00:00:37,230
Personally, though, I like to have my NIDS

18
00:00:37,230 --> 00:00:39,300
placed behind the firewall, as this helps

19
00:00:39,300 --> 00:00:40,610
filter the amount of traffic that we'd

20
00:00:40,610 --> 00:00:42,690
have to see and review, since the firewall

21
00:00:42,690 --> 00:00:45,240
is already going to block a lot of it for us.

22
00:00:45,240 --> 00:00:47,830
Generally, your Network Intrusion Detection System

23
00:00:47,830 --> 00:00:50,280
will be placed into what's known as promiscuous mode.

24
00:00:50,280 --> 00:00:52,040
This allows it to see all of the traffic

25
00:00:52,040 --> 00:00:53,950
that crosses the network instead of just

26
00:00:53,950 --> 00:00:56,530
the traffic that's destined for its own MAC address.
27
00:00:56,530 --> 00:00:58,380
This is easily done through the configuration

28
00:00:58,380 --> 00:01:00,190
of the NIDS, and by placing your NIDS

29
00:01:00,190 --> 00:01:02,270
on a SPAN port of your network switch

30
00:01:02,270 --> 00:01:03,940
so that it can receive all of the traffic

31
00:01:03,940 --> 00:01:05,790
moving through that switch, and not just

32
00:01:05,790 --> 00:01:07,820
the traffic on its own switch port.

33
00:01:07,820 --> 00:01:10,320
A NIDS can only detect, monitor, and alert

34
00:01:10,320 --> 00:01:13,870
on traffic based on signature-based rules or heuristics,

35
00:01:13,870 --> 00:01:15,860
and it won't do anything to actually stop

36
00:01:15,860 --> 00:01:17,170
an attack from occurring.

37
00:01:17,170 --> 00:01:18,560
When you're dealing with a NIDS,

38
00:01:18,560 --> 00:01:20,280
all it's going to do is log it

39
00:01:20,280 --> 00:01:22,030
and let you know about it.

40
00:01:22,030 --> 00:01:24,430
A Network Intrusion Prevention System, or NIPS,

41
00:01:24,430 --> 00:01:26,510
on the other hand, is a type that's designed

42
00:01:26,510 --> 00:01:28,270
to inspect traffic and, based on

43
00:01:28,270 --> 00:01:30,360
its configuration or security policy,

44
00:01:30,360 --> 00:01:33,120
it can also remove, detain, or redirect

45
00:01:33,120 --> 00:01:34,700
that malicious traffic.

46
00:01:34,700 --> 00:01:36,610
That means a NIPS can not only detect it

47
00:01:36,610 --> 00:01:38,580
and log it like an IDS does,

48
00:01:38,580 --> 00:01:41,230
but it can also stop that ongoing attack

49
00:01:41,230 --> 00:01:43,790
by blocking the IP address that's causing issues

50
00:01:43,790 --> 00:01:45,790
or shutting down the connection.

51
00:01:45,790 --> 00:01:48,520
But to be able to effectively take these actions,

52
00:01:48,520 --> 00:01:50,440
the NIPS has to be installed in-line

53
00:01:50,440 --> 00:01:51,510
in your network.
54
00:01:51,510 --> 00:01:53,950
Again, I like to place my NIPS in-line,

55
00:01:53,950 --> 00:01:55,550
just behind the firewall.

56
00:01:55,550 --> 00:01:57,660
This way it's just inside the network perimeter

57
00:01:57,660 --> 00:02:00,090
and it allows me to have a good vantage point for it.

58
00:02:00,090 --> 00:02:01,480
Remember, when you're using a NIPS

59
00:02:01,480 --> 00:02:02,910
to block an ongoing attack,

60
00:02:02,910 --> 00:02:04,070
you want to ensure that the NIPS

61
00:02:04,070 --> 00:02:05,540
is properly tuned.

62
00:02:05,540 --> 00:02:06,760
If you didn't tune it properly

63
00:02:06,760 --> 00:02:08,550
with the right signatures, you could have

64
00:02:08,550 --> 00:02:10,390
a lot of false positives, and since

65
00:02:10,390 --> 00:02:12,310
these would be terminated, it could cause

66
00:02:12,310 --> 00:02:14,490
an inadvertent denial of service for your network

67
00:02:14,490 --> 00:02:16,110
if it tries to prevent what it thinks

68
00:02:16,110 --> 00:02:19,090
is malicious traffic from flowing into the network.

69
00:02:19,090 --> 00:02:21,590
Now, because a NIPS is an in-line device,

70
00:02:21,590 --> 00:02:23,550
you also have to think about what's going to happen

71
00:02:23,550 --> 00:02:25,310
if that device fails.

72
00:02:25,310 --> 00:02:28,650
Should that device fail open, or should it fail shut?

73
00:02:28,650 --> 00:02:30,260
If you set the device to be configured

74
00:02:30,260 --> 00:02:32,170
to fail open, this means that the NIPS

75
00:02:32,170 --> 00:02:33,790
is going to simply let all of the traffic

76
00:02:33,790 --> 00:02:35,390
through it whenever it fails.

77
00:02:35,390 --> 00:02:37,000
This is less secure, obviously,

78
00:02:37,000 --> 00:02:37,990
and so you have to think about

79
00:02:37,990 --> 00:02:39,610
if this is really what you want.
80
00:02:39,610 --> 00:02:41,850
Now, if you choose to fail shut, on the other hand,

81
00:02:41,850 --> 00:02:43,760
the device is going to block all the traffic

82
00:02:43,760 --> 00:02:45,770
if it fails for some reason.

83
00:02:45,770 --> 00:02:46,900
This means that it's going to create

84
00:02:46,900 --> 00:02:49,580
a denial of service condition for your entire network,

85
00:02:49,580 --> 00:02:51,540
which is also pretty bad.

86
00:02:51,540 --> 00:02:53,900
For this reason, most organizations choose

87
00:02:53,900 --> 00:02:55,610
to fail open with their Network Intrusion

88
00:02:55,610 --> 00:02:57,330
Prevention Systems, and rely on

89
00:02:57,330 --> 00:02:59,080
other defensive layers to provide

90
00:02:59,080 --> 00:03:01,410
some layer of protection, until the NIPS

91
00:03:01,410 --> 00:03:04,270
can be brought online again and fixed.

92
00:03:04,270 --> 00:03:06,480
Now, in addition to providing their NIDS

93
00:03:06,480 --> 00:03:08,300
and NIPS functions, these devices

94
00:03:08,300 --> 00:03:11,100
also can be used as a protocol analyzer.

95
00:03:11,100 --> 00:03:12,730
You may remember protocol analyzers

96
00:03:12,730 --> 00:03:14,880
being discussed in your Network+ studies.

97
00:03:14,880 --> 00:03:17,180
These are software products like Wireshark

98
00:03:17,180 --> 00:03:19,450
or Network Monitor, and they're usually installed

99
00:03:19,450 --> 00:03:21,700
on a machine and used to capture packets,

100
00:03:21,700 --> 00:03:23,400
allowing an administrator to conduct analysis

101
00:03:23,400 --> 00:03:25,470
on those packets and better troubleshoot

102
00:03:25,470 --> 00:03:27,310
and secure the network by seeing patterns

103
00:03:27,310 --> 00:03:29,040
in the packet captures.

104
00:03:29,040 --> 00:03:31,040
Now, a NIPS or a NIDS may have

105
00:03:31,040 --> 00:03:33,040
a built-in protocol analyzer embedded

106
00:03:33,040 --> 00:03:34,290
into their system.
107
00:03:34,290 --> 00:03:35,910
This is usually done to allow the device

108
00:03:35,910 --> 00:03:37,940
to decode application layer protocols

109
00:03:37,940 --> 00:03:42,940
like HTTP, SMTP, FTP, Telnet, and others.

110
00:03:43,060 --> 00:03:45,470
And then, it passes that data that's contained

111
00:03:45,470 --> 00:03:47,950
in those protocols, over to the signature engine

112
00:03:47,950 --> 00:03:51,070
of the NIDS or the NIPS for further analysis.

113
00:03:51,070 --> 00:03:52,380
This allows the devices to create

114
00:03:52,380 --> 00:03:54,380
their own baseline of what normal looks like

115
00:03:54,380 --> 00:03:55,810
for the network and also helps

116
00:03:55,810 --> 00:03:58,270
to identify what abnormal might be for its

117
00:03:58,270 --> 00:04:01,380
behavioral or anomalous traffic detection functions.

118
00:04:01,380 --> 00:04:02,820
This functionality does require

119
00:04:02,820 --> 00:04:04,730
additional processing resources though,

120
00:04:04,730 --> 00:04:06,750
and so this can decrease the overall performance

121
00:04:06,750 --> 00:04:09,230
of a NIDS or a NIPS when you utilize

122
00:04:09,230 --> 00:04:10,763
this deep packet inspection.
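Editor's note, appended after the lecture transcript: the following is an added example, not part of the lecture or of any product the instructor mentions. It is a toy Python engine that makes the three points of the lesson concrete on constructed traffic: a NIDS ("detect" mode) only logs and alerts, a NIPS ("prevent" mode) also drops traffic and blocks the offending source, a badly tuned signature therefore turns a false positive into a self-inflicted denial of service, and an in-line device must decide whether to fail open or fail closed when inspection itself breaks. The signatures, the port-scan threshold and window, the packet fields, the `simulate_failure` switch and all addresses and payloads are assumptions constructed for the demo, not a real rule set or capture.

```python
"""Toy NIDS/NIPS engine (constructed example): signature rules plus a port-scan
heuristic, run in detect-only mode or in-line prevent mode, with a fail-open /
fail-closed policy for when the inspection engine itself breaks."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Hypothetical signatures: (rule name, destination port, byte pattern to match).
SIGNATURES = [
    ("http-path-traversal", 80, b"../../"),
    ("telnet-root-login", 23, b"login: root"),
]
PORTSCAN_THRESHOLD = 10   # distinct destination ports from one source ...
PORTSCAN_WINDOW = 5.0     # ... within this many seconds fires the heuristic


@dataclass
class Engine:
    mode: str = "detect"            # "detect" = NIDS (alert only); "prevent" = NIPS (in-line, can drop)
    fail_open: bool = True          # policy for traffic if inspection itself fails
    simulate_failure: bool = False  # constructed switch to exercise the fail-open/fail-closed path
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    _ports_seen: dict = field(default_factory=lambda: defaultdict(list))

    def _inspect(self, pkt):
        """Return the names of every rule or heuristic that fires for this packet."""
        if self.simulate_failure:
            raise RuntimeError("signature engine crashed")
        hits = [name for name, port, pat in SIGNATURES
                if pkt.dport == port and pat in pkt.payload]
        # Port-scan heuristic: remember (time, port) per source, prune to the window.
        hist = self._ports_seen[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= PORTSCAN_WINDOW]
        if len({p for _, p in hist}) >= PORTSCAN_THRESHOLD:
            hits.append("portscan")
        return hits

    def process(self, pkt):
        """Return the verdict for one packet: 'pass', 'drop' or 'blocked'."""
        if pkt.src in self.blocked:            # source already blacklisted by prevent mode
            return "blocked"
        try:
            hits = self._inspect(pkt)
        except Exception as exc:               # engine failure: apply fail-open / fail-closed policy
            self.alerts.append((pkt.ts, pkt.src, f"engine-error: {exc}"))
            return "pass" if self.fail_open else "drop"
        for h in hits:
            self.alerts.append((pkt.ts, pkt.src, h))   # a NIDS stops here: log and notify
        if hits and self.mode == "prevent":            # a NIPS also acts on the verdict
            self.blocked.add(pkt.src)
            return "drop"
        return "pass"


def sample_traffic():
    """Constructed packets for the demo (private and documentation addresses, not a real capture)."""
    pkts = [Packet(0.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1")]
    # A scanner walking twelve ports in about a second.
    pkts += [Packet(1.0 + i / 10, "198.51.100.7", "192.0.2.10", 20 + i) for i in range(12)]
    pkts += [
        Packet(3.0, "203.0.113.4", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
        # Legitimate client whose request body happens to contain the signature pattern:
        # a false positive that, in prevent mode, blocks the whole client.
        Packet(4.0, "10.0.0.5", "192.0.2.10", 80, b"POST /paste HTTP/1.1\r\n\r\nuse ../../lib here"),
        Packet(5.0, "10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01"),
    ]
    return pkts


def run(mode):
    """Run the sample traffic through an engine in the given mode; return verdicts, alerts, blocked set."""
    eng = Engine(mode=mode)
    verdicts = [eng.process(p) for p in sample_traffic()]
    return verdicts, eng.alerts, eng.blocked


def verdict_when_engine_fails(fail_open):
    """What happens to a benign packet when inspection itself crashes under each policy."""
    eng = Engine(mode="prevent", fail_open=fail_open, simulate_failure=True)
    return eng.process(sample_traffic()[0])


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        v, a, b = run(mode)
        print(f"{mode}: {v.count('drop')} dropped, {v.count('blocked')} blocked-by-list, "
              f"{len(a)} alerts, blocked sources={sorted(b)}")
    print("engine failure, fail-open:", verdict_when_engine_fails(True))
    print("engine failure, fail-closed:", verdict_when_engine_fails(False))
```

In detect mode every packet passes and the engine raises five alerts (three for the scan once it crosses ten distinct ports, two for the traversal signature). In prevent mode the scanner and the real traversal attempt are dropped and their sources blocked, but so is the legitimate client at 10.0.0.5, whose later HTTPS connection is then refused outright; that is the inadvertent denial of service the lecture warns about, and it is why signatures are tuned before a sensor is switched from detect to prevent. The last two calls show that with `fail_open=True` a crashed engine lets traffic through uninspected, while `fail_open=False` turns the same crash into an outage.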