Chapter 9

Question 1

Intrusion detection system (IDS) vs Intrusion prevention system (IPS)

Answer 1

IDS:
A passive system that identifies dangerous or suspicious traffic, it sends alerts but leaves the action to IPS.

IPS:
able to actively block or prevent intrusions.

Question 2

The IDPS process:

Answer 2

1- Inspection and investigation: analyzing suspicious packets.
2- Action: packets are dropped.
3- Log/report attack.

Question 3

2 types of of IDPS:

Answer 3

1- Network-based IDPS (NIDPS): monitors activity in an organization’s network.

2- Host-based IDPS (HIDPS): monitors activity only on a host (computer or server).

Question 4

Advantages of Network-based IDPS (NIDPS):

Answer 4

• Can enable an organization to monitor a large network with few devices.
• is passive and causes little disruption.

Question 5

Disadvantages of Network-based IDPS (NIDPS):

Answer 5

• Require access to all traffic to be monitored.
• Cannot analyze encrypted packets.

Question 6

Advantages of Host-based IDPS (HIDPS):

Answer 6

• Can access encrypted information and make decisions about attacks.
• Can detect local events on host systems

Question 7

Disadvantages of Host-based IDPS (HIDPS):

Answer 7

• Can use large amounts of disk space.
• Does not detect multi-host scanning.

Question 8

2 IDPS Detection Methods:

Answer 8

1- Signature-based detection: detects known attack signatures.

2- Anomaly-based detection: detects abnormal activity.