Understanding IDSs and IPSs:
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) inspect traffic using the same functionality as a protocol analyzer.
• A host-based IDS (HIDS) can detect attacks on local systems such as workstations and servers. The HIDS protects local resources on the host and can detect some malware that isn’t detected by traditional antivirus software.
• A network-based IDS (NIDS) detects attacks on networks.
• A signature-based IDS uses signatures to detect known attacks or vulnerabilities. Vendors assign each signature an identifying number, or reference the corresponding entry in the Common Vulnerabilities and Exposures (CVE) list.
• An anomaly-based (also called heuristic-based or behavior-based) IDS requires a baseline and detects attacks based on anomalies or when traffic is outside expected boundaries.
• A false positive is an alert reporting an attack when no attack is actually occurring. False positives increase the workload of administrators. A false negative is an attack that is occurring but is not reported.
• Honeypots and honeynets appear to have valuable data and attempt to divert attackers away from live networks. Security personnel use them to observe current attack methodologies and gather intelligence on attacks.
• An intrusion prevention system (IPS) is similar to an active IDS except that it’s placed in-line with the traffic, and can stop attacks before they reach the internal network. An IPS can actively monitor data streams, detect malicious content, and mitigate the effect of malicious activity.
• IDSs and IPSs can also protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks.
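The following is an added example, not part of the study guide above, that shows the two detection models from the list side by side: a signature-based check that matches known attack patterns against request payloads, and an anomaly-based check that compares a traffic count with a learned baseline. It then scores the signature detector against a small set of labelled requests so that a true positive, a false positive (a benign request that happens to match a signature) and a false negative (an attack variant no signature covers) can each be seen. The signature IDs, regex patterns, request strings and per-minute baseline counts are all constructed for illustration and do not correspond to any vendor's signature set.

```python
"""Toy signature-based and anomaly-based detection over constructed traffic.

Added example for the study-guide bullets on IDS detection methods; the
signatures, request samples and baseline numbers below are made up.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str        # vendor-style identifier (placeholder, not a real one)
    pattern: str       # regex applied to the request payload
    description: str


# Constructed signatures: deliberately simple patterns for two known attack classes.
SIGNATURES = [
    Signature("SIG-1001", r"(?i)\bunion\b.+\bselect\b", "SQL injection attempt"),
    Signature("SIG-1002", r"\.\./\.\./", "Directory traversal attempt"),
]

# Constructed labelled requests: (payload, is_attack).
SAMPLE_REQUESTS = [
    ("GET /index.html", False),
    ("GET /search?q=1' UNION SELECT password FROM users--", True),
    ("GET /files?path=../../etc/passwd", True),
    # Benign text that happens to contain "union ... select": a false positive.
    ("GET /articles?title=union select committee", False),
    # SQL injection variant that uses no UNION SELECT: a false negative.
    ("POST /login user=admin&pass=%27%20OR%201%3D1--", True),
]

# Constructed baseline: requests per minute observed during normal operation.
BASELINE_REQUESTS_PER_MINUTE = [40, 42, 38, 41, 39, 40]


def signature_detect(payload):
    """Return the IDs of every signature whose pattern matches the payload."""
    return [s.sig_id for s in SIGNATURES if re.search(s.pattern, payload)]


def evaluate_signatures(records):
    """Count true/false positives and negatives for the signature detector."""
    counts = {"true_positive": 0, "false_positive": 0,
              "false_negative": 0, "true_negative": 0}
    for payload, is_attack in records:
        hit = bool(signature_detect(payload))
        if hit and is_attack:
            counts["true_positive"] += 1
        elif hit and not is_attack:
            counts["false_positive"] += 1      # alert with no real attack
        elif not hit and is_attack:
            counts["false_negative"] += 1      # attack missed entirely
        else:
            counts["true_negative"] += 1
    return counts


def build_baseline(per_minute_counts):
    """Learn the baseline an anomaly-based detector compares against."""
    return statistics.mean(per_minute_counts), statistics.pstdev(per_minute_counts)


def anomaly_detect(count, baseline, k=3.0):
    """Flag a count that lies more than k standard deviations above the mean."""
    mean, stdev = baseline
    return count > mean + k * stdev


if __name__ == "__main__":
    for payload, _ in SAMPLE_REQUESTS:
        print(f"{payload!r:60} -> {signature_detect(payload)}")
    print("signature scorecard:", evaluate_signatures(SAMPLE_REQUESTS))
    baseline = build_baseline(BASELINE_REQUESTS_PER_MINUTE)
    print("baseline (mean, stdev):", baseline)
    for rate in (43, 45):
        print(f"{rate} req/min anomalous? {anomaly_detect(rate, baseline)}")
```

The scorecard makes the guide's trade-off concrete: the signature detector catches only the two patterns it knows, so the encoded `OR 1=1` variant is a false negative, while the innocent "union select committee" title is a false positive that an administrator must triage. The anomaly detector needs no signature and would notice a request flood the signatures cannot describe, but it depends entirely on the quality of its baseline, and any legitimate traffic surge above the threshold is a false positive of its own.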