From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Securing the network from attacks

- [Instructor] Network intrusions can be done silently in the background while a hacker waits for the best time to strike, or very quickly, bringing down a network within a matter of minutes as computers are infected as fast as possible to avoid any single computer being shut off from the network. As a sysadmin, it will be your job to prevent intrusions when possible and to detect them before they do much harm if they do get through your defenses.

A network-based intrusion detection system, or IDS, detects malicious traffic on a network. An IDS usually requires promiscuous network access in order to analyze all traffic, including all unicast traffic. Promiscuous mode basically means that it can read or sniff every packet coming in from another network interface. IDSs are passive devices that do not interfere with the traffic they monitor. The IDS sniffs the internal interface of the firewall in read-only mode and sends alerts to an IDS management server from a different network interface. Here's an IDS setup showing the traffic passively going through the firewall to the protected device. It won't stop anything, but it will report on any known attacks that may try to come through. This can be an alert sent by email, text, or other means to let the sysadmin know an attack is happening.

An intrusion prevention service, or IPS, installed on a device is very different from an IDS. An IPS will listen for normal traffic on all configured devices. When it sees traffic that isn't normal, it stops the traffic and alerts the sysadmin. As an example, let's say that you have a file and print server. The IPS detects that email is being sent out from the server, which has never been done before. The IPS has an agent on the box and will use it to stop the traffic and let the sysadmin know it has likely been compromised. The IPS device sits outside the server being monitored, unlike the passive IDS device. The agent will report back to the IPS server that there's an issue, and the traffic will be stopped until the server is analyzed and released. Some devices claim to be both IDS and IPS, but as you can see, they're very different from each other. It is possible to combine the two, but it would be more effective to have them stay separate. IDS and IPS have been around a long time and have been used very effectively against network intrusions.
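As an added example (not code from the course), here is a small Python sketch of the rule the instructor describes: a baseline of what the file and print server normally does is learned from constructed flow records, and then the same check runs in IDS mode (alert only, nothing dropped) and IPS mode (drop and alert) when the server starts sending mail. The server address, ports, and flow records are all assumed.

```python
# Added example, not from the course: one anomaly rule driven in IDS mode (alert only)
# and in IPS mode (drop and alert), over constructed flow records. Addresses/ports are assumed.
from typing import Dict, List, Set, Tuple

SERVER_IP = "10.0.0.40"  # assumed address of the file-and-print server

# Constructed training flows: the server only ever serves SMB/print and looks up DNS.
TRAINING_FLOWS: List[Dict] = [
    {"src": "10.0.0.25", "dst": SERVER_IP, "dport": 445, "proto": "tcp"},   # client opens a share
    {"src": "10.0.0.31", "dst": SERVER_IP, "dport": 9100, "proto": "tcp"},  # raw print job
    {"src": SERVER_IP, "dst": "10.0.0.5", "dport": 53, "proto": "udp"},     # DNS lookup
]
# Constructed live flows: the last one is the server sending mail, which it has never done.
LIVE_FLOWS: List[Dict] = TRAINING_FLOWS + [
    {"src": SERVER_IP, "dst": "198.51.100.7", "dport": 25, "proto": "tcp"},
]

def _role(flow: Dict) -> Tuple[str, int]:
    """Describe the server's part in a flow: serving a port, or originating a connection to one."""
    return ("serving" if flow["dst"] == SERVER_IP else "originating", flow["dport"])

def learn_baseline(flows: List[Dict]) -> Set[Tuple[str, int]]:
    """Profile 'normal' as every (role, port) pair the server used during the training window."""
    return {_role(f) for f in flows if SERVER_IP in (f["src"], f["dst"])}

def classify(flow: Dict, baseline: Set[Tuple[str, int]]) -> str:
    """Return '' for expected traffic, otherwise a short reason the flow is abnormal."""
    if SERVER_IP not in (flow["src"], flow["dst"]):
        return ""
    role, port = _role(flow)
    return "" if (role, port) in baseline else f"server {role} traffic on port {port}, not in baseline"

def ids_monitor(flows: List[Dict], baseline: Set[Tuple[str, int]]) -> List[str]:
    """IDS mode: passive. Every flow is read and forwarded untouched; only alerts come out."""
    return [f"ALERT {f['src']}->{f['dst']}:{f['dport']} ({r})" for f in flows if (r := classify(f, baseline))]

def ips_enforce(flows: List[Dict], baseline: Set[Tuple[str, int]]) -> Tuple[List[Dict], List[str]]:
    """IPS mode: inline. Abnormal flows are dropped and reported; the rest are forwarded."""
    forwarded, alerts = [], []
    for f in flows:
        reason = classify(f, baseline)
        if reason:
            alerts.append(f"BLOCKED {f['src']}->{f['dst']}:{f['dport']} ({reason})")
        else:
            forwarded.append(f)
    return forwarded, alerts

if __name__ == "__main__":
    base = learn_baseline(TRAINING_FLOWS)
    print("\n".join(ids_monitor(LIVE_FLOWS, base)))  # one ALERT line; all four flows still pass
    fwd, blocked = ips_enforce(LIVE_FLOWS, base)
    print("\n".join(blocked), f"{len(fwd)} of {len(LIVE_FLOWS)} flows forwarded", sep="\n")
```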