This chapter covers the following subjects:
- Intrusion Detection Versus Intrusion Prevention: Understanding the ability to view and alert versus viewing, alerting, and performing an action.
- Intrusion Prevention Terminology: The language and definition of the security control components and countermeasures.
- Network Intrusion Prevention Approaches: The options available to security administrators when deploying a network IPS in their environment.
- Endpoint Security Approaches: The options to protect various endpoints in a network infrastructure.
- A Systems Approach to Security: Security has multiple layers, and each layer has vulnerabilities that need to be protected.
Networks have evolved rapidly over the last several years, and so have the methods with which we defend them. Traditionally, intrusion detection systems (IDS) have been deployed as a security control, or countermeasure, to monitor, detect, and notify on any unauthorized access to, abuse of, or misuse of information systems or network resources. Another security control, the intrusion prevention system (IPS), is more commonly used today than in the past. This chapter covers evaluating and choosing approaches to intrusion prevention and detection.
This chapter begins with “Intrusion Detection Versus Intrusion Prevention,” a review of the core concept of defense-in-depth security. Following the review, the chapter examines intrusion prevention terminology and intrusion prevention approaches, including other security controls and approaches.
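The distinction drawn above, an IDS that monitors, detects, and alerts versus an IPS that also acts, can be made concrete with a small sensor model. The following Python is an added illustration, not code from the book or from any Cisco product: it applies one signature rule and one anomaly baseline to constructed flow records, returns an alert-only verdict in IDS mode and an alert-plus-drop verdict in IPS mode, and then scores the alerts against constructed ground truth as true/false positives and negatives (the terminology the quiz below tests). The addresses, the payload pattern, the byte-count baseline, the threshold, and the sample flows are all invented for the example.

```python
"""Added illustration (not from the book): an IDS verdict (detect and alert)
versus an IPS verdict (detect, alert, and act), using a signature rule and an
anomaly baseline over constructed flow records."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    size: int          # bytes transferred
    payload: str
    malicious: bool    # constructed ground truth, used only for scoring


# Constructed baseline of "normal" flow sizes learned during a quiet period.
BASELINE_SIZES = [1200, 1500, 1100, 1300, 1250, 1400, 1350, 1150]

# Constructed signature: a known-bad payload pattern (not a real vendor signature).
SIGNATURES = {"sig-001": "/etc/passwd"}


def signature_match(flow):
    """Signature-based detection: names of signatures whose pattern is in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


def anomaly_score(flow, baseline=BASELINE_SIZES):
    """Anomaly-based detection: z-score of the flow size against the baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return (flow.size - mu) / sigma if sigma else 0.0


def inspect(flow, mode, z_threshold=3.0):
    """Return (alert, action).

    An IDS can only observe and alert, so its action is always "pass".
    An IPS sits inline and can also drop the traffic it alerted on.
    """
    alert = bool(signature_match(flow)) or anomaly_score(flow) > z_threshold
    if mode == "ids":
        return alert, "pass"
    if mode == "ips":
        return alert, "drop" if alert else "pass"
    raise ValueError(f"unknown mode {mode!r}")


def score(flows, mode):
    """Count true/false positives and negatives against the constructed ground truth.

    A false positive is the alert raised on benign traffic (the "error" case);
    a false negative is malicious traffic that raised no alert at all.
    """
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for f in flows:
        alert, _ = inspect(f, mode)
        if alert and f.malicious:
            counts["TP"] += 1
        elif alert and not f.malicious:
            counts["FP"] += 1
        elif not alert and not f.malicious:
            counts["TN"] += 1
        else:
            counts["FN"] += 1
    return counts


# Constructed sample traffic covering each outcome.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.10", 80, 1300, "GET /index.html", False),            # normal
    Flow("10.0.0.6", "10.0.0.10", 80, 1250, "GET /../../etc/passwd", True),       # signature hit
    Flow("10.0.0.7", "10.0.0.10", 443, 9000, "<tls application data>", True),     # anomaly hit
    Flow("10.0.0.8", "10.0.0.10", 80, 8500, "GET /backup.tar.gz", False),         # large but benign: false positive
    Flow("10.0.0.9", "10.0.0.10", 22, 1400, "SSH-2.0-client", True),              # nothing fires: false negative
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for f in SAMPLE_FLOWS:
            print(mode, f.src, inspect(f, mode))
        print(mode, score(SAMPLE_FLOWS, mode))
```

Both modes raise exactly the same alerts; only the action differs. That is the practical point of the IDS-versus-IPS decision: an inline IPS turns every false positive from an analyst's wasted minute into a dropped legitimate session, so the tuning of signatures and baselines matters more once prevention is enabled.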
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you determine your level of knowledge of this chapter’s topics before you begin. Table 1-1 lists the major topics discussed in this chapter and their corresponding quiz questions. The answers to the “Do I Know This Already?” quiz appear in Appendix A.
Table 1-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
| Foundation Topics Section | Questions |
|---|---|
| Intrusion Prevention Terminology | 1, 2 |
| Intrusion Detection Versus Intrusion Prevention Systems | 3 |
| Intrusion Prevention Approaches | 4, 5 |
| Endpoint Security Controls | 6–9 |
| A Systems Approach to Security | 10 |
1. Which security control is a consequence of nonmalicious activity generally representing an error?
- True positive
- False positive
- True negative
- False negative
2. Which of the following terms is a weakness that can allow a compromise of the security or the functionality of a system?
- Exploit
- Vulnerability
- Threat
- Risk
3. Which of the following capabilities does an IPS have that an IDS does not?
- Detect
- Alert
- Prevent
- Monitor
4. Which of the following is not a factor that influences the addition of sensors?
- Performance capabilities of the sensor
- Exceeded traffic capacity
- Network implementation
- Performance capabilities of the host
5. Which of the following network intrusion prevention approaches observes network traffic compared to a baseline and acts if a network event outside the normal network behavior is detected?
- Anomaly-based network IPS
- Signature-based network IPS
- Policy-based network IPS
- Host-based IPS
6. Which of the following are limitations of endpoint security controls?
- Controls are useless if the host is compromised before endpoint security is applied.
- All hosts require an agent.
- Operating system dependent (might not be supported).
- No correlation is possible if a single agent is deployed.
- All of the above.
7. Cisco Security Agent uses API interception to control access to all of the following except for which one?
- Host itself
- Files
- Process
- Windows Registry
8. Which of the following is designed to prevent file-based malware threats and uses content scanning to identify known patterns of malware?
- Heuristics antimalware
- File-based antimalware
- Code emulation
- Pattern matching
9. Which of the following are endpoint security controls?
- Cryptographic data protection
- Antimalware agents
- Host-based firewalls
- Native operating system access controls
- All of the above
10. Which of the following requires a network-focused technology to provide a defense-in-depth security solution?
- Protection of the operating systems
- Protection of applications and the data they handle
- Detection and prevention of DoS attacks
- Controlling access to local host process