1
00:00:00,090 --> 00:00:00,990
Now, in this lesson,

2
00:00:00,990 --> 00:00:03,840
we're going to talk about IDSs and IPSs.

3
00:00:03,840 --> 00:00:05,460
Now, when we talk about an IDS

4
00:00:05,460 --> 00:00:06,870
or an intrusion detection system,

5
00:00:06,870 --> 00:00:09,450
or an IPS, an intrusion prevention system,

6
00:00:09,450 --> 00:00:11,550
these can recognize network attacks.

7
00:00:11,550 --> 00:00:13,950
And in the case of an intrusion prevention system,

8
00:00:13,950 --> 00:00:15,900
they can actually respond appropriately.

9
00:00:15,900 --> 00:00:18,030
It's going to analyze all the incoming data

10
00:00:18,030 --> 00:00:19,650
for any attacks it knows about

11
00:00:19,650 --> 00:00:21,330
using different detection mechanisms,

12
00:00:21,330 --> 00:00:23,640
like a signature or behavioral-based model.

13
00:00:23,640 --> 00:00:24,690
And we'll talk about more of those

14
00:00:24,690 --> 00:00:26,670
as we go through this video too.

15
00:00:26,670 --> 00:00:29,340
Now, one of the most common ones is known as Snort,

16
00:00:29,340 --> 00:00:32,820
S-N-O-R-T, which you can see here on the screen.

17
00:00:32,820 --> 00:00:35,190
Snort is a software-based intrusion detection

18
00:00:35,190 --> 00:00:36,870
and intrusion prevention system.

19
00:00:36,870 --> 00:00:40,110
It is open source and it is widely used in the industry.

20
00:00:40,110 --> 00:00:42,420
Now, when you're dealing with an intrusion detection system,

21
00:00:42,420 --> 00:00:44,550
this is considered a passive device.

22
00:00:44,550 --> 00:00:46,590
It's going to operate in parallel to your network.

23
00:00:46,590 --> 00:00:47,940
And you can see it here in the diagram

24
00:00:47,940 --> 00:00:50,940
hanging off just below the switch in this diagram.

25
00:00:50,940 --> 00:00:52,500
Now, it's going to monitor all the traffic

26
00:00:52,500 --> 00:00:54,240
going across the network and it's going to log it.
27
00:00:54,240 --> 00:00:56,340
And it's going to alert anytime it sees something

28
00:00:56,340 --> 00:00:57,630
that it thinks is bad.

29
00:00:57,630 --> 00:00:59,370
So, if it thinks it sees something bad,

30
00:00:59,370 --> 00:01:01,050
like there might be an attack going on,

31
00:01:01,050 --> 00:01:02,550
it might see something like a port scan

32
00:01:02,550 --> 00:01:04,080
or denial of service attack

33
00:01:04,080 --> 00:01:06,930
or anything else that matches its database of signatures,

34
00:01:06,930 --> 00:01:09,270
then it's going to alert the system administrator.

35
00:01:09,270 --> 00:01:11,280
But because it's a detection system,

36
00:01:11,280 --> 00:01:13,140
it's not going to respond.

37
00:01:13,140 --> 00:01:14,730
All it's going to do is log it.

38
00:01:14,730 --> 00:01:16,470
It might capture some packet data on it

39
00:01:16,470 --> 00:01:18,060
if you've configured it to do that,

40
00:01:18,060 --> 00:01:20,160
and then it's going to send the alert to the administrator

41
00:01:20,160 --> 00:01:22,470
who's going to go ahead and investigate it further.

42
00:01:22,470 --> 00:01:24,570
Now, on the other hand, if you have it configured

43
00:01:24,570 --> 00:01:26,490
as an intrusion prevention system,

44
00:01:26,490 --> 00:01:28,470
this is considered an active device,

45
00:01:28,470 --> 00:01:30,660
and so it has to operate in-line.

46
00:01:30,660 --> 00:01:32,910
Notice how it's now placed here between the firewall

47
00:01:32,910 --> 00:01:35,460
and the switch, so all the traffic from the attacker

48
00:01:35,460 --> 00:01:38,190
and from the internet has to go through this device

49
00:01:38,190 --> 00:01:39,810
as it goes through the router and the firewall

50
00:01:39,810 --> 00:01:41,100
into your network.
51
00:01:41,100 --> 00:01:43,830
This way, by using this intrusion prevention system,

52
00:01:43,830 --> 00:01:45,840
it can actually have all the data going through it,

53
00:01:45,840 --> 00:01:48,930
and it can stop and block any data that it thinks is bad.

54
00:01:48,930 --> 00:01:51,060
Now, again, this is going to be based off the signatures

55
00:01:51,060 --> 00:01:52,290
you have programmed.

56
00:01:52,290 --> 00:01:55,080
It's going to monitor all the traffic, send all the alerts,

57
00:01:55,080 --> 00:01:57,150
do all the logging, do the packet capture,

58
00:01:57,150 --> 00:01:59,340
all the stuff like an IDS would.

59
00:01:59,340 --> 00:02:01,470
But because it's a prevention system,

60
00:02:01,470 --> 00:02:04,380
it can also drop or block offending traffic.

61
00:02:04,380 --> 00:02:07,440
Therefore, it can actually stop an attack in progress.

62
00:02:07,440 --> 00:02:09,870
Now, if you're worried about a denial of service attack,

63
00:02:09,870 --> 00:02:11,730
an IPS is one of the best ways

64
00:02:11,730 --> 00:02:13,290
to prevent this from happening.

65
00:02:13,290 --> 00:02:16,620
Now, why would we use an IDS versus an IPS,

66
00:02:16,620 --> 00:02:18,960
because it sounds like an IPS is awesome?

67
00:02:18,960 --> 00:02:20,130
Well, one of the problems

68
00:02:20,130 --> 00:02:24,090
is IPSs and IDSs are not always tuned properly,

69
00:02:24,090 --> 00:02:26,010
and so if you have a false positive,

70
00:02:26,010 --> 00:02:28,170
you can actually drop legitimate traffic

71
00:02:28,170 --> 00:02:29,850
if you're using an IPS.

72
00:02:29,850 --> 00:02:31,920
So that's one of the reasons why a lot of organizations

73
00:02:31,920 --> 00:02:34,740
operate these detection systems in detection mode

74
00:02:34,740 --> 00:02:36,420
and not prevention mode.

75
00:02:36,420 --> 00:02:39,750
Speaking of detection, how can we detect different things?

76
00:02:39,750 --> 00:02:42,150
Well, there are really three main methods.
77
00:02:42,150 --> 00:02:43,890
We have signature-based detection,

78
00:02:43,890 --> 00:02:45,060
policy-based detection,

79
00:02:45,060 --> 00:02:47,010
and anomaly-based detection.

80
00:02:47,010 --> 00:02:48,930
When you're dealing with signature-based detection,

81
00:02:48,930 --> 00:02:51,270
this is where a signature contains a string of bytes

82
00:02:51,270 --> 00:02:54,210
that acts as a unique fingerprint or some sort of pattern

83
00:02:54,210 --> 00:02:56,400
that's going to be triggering that detection.

84
00:02:56,400 --> 00:02:58,080
Think of it like a signature for malware

85
00:02:58,080 --> 00:02:59,460
or your hand signature.

86
00:02:59,460 --> 00:03:00,397
I can look at it and say,

87
00:03:00,397 --> 00:03:02,850
"Ah, I know this is John Smith's signature.

88
00:03:02,850 --> 00:03:04,260
I've seen it before."

89
00:03:04,260 --> 00:03:05,640
That's essentially what we're doing here

90
00:03:05,640 --> 00:03:07,440
with the data flowing through the network.

91
00:03:07,440 --> 00:03:09,840
Now, these signatures have to be created by yourself,

92
00:03:09,840 --> 00:03:12,690
or you can download them from a central repository.

93
00:03:12,690 --> 00:03:14,790
Now, if you find a signature that matches something

94
00:03:14,790 --> 00:03:16,800
that isn't threatening, but you have your device

95
00:03:16,800 --> 00:03:18,840
in prevention mode, guess what?

96
00:03:18,840 --> 00:03:20,040
That's going to cause issues for you

97
00:03:20,040 --> 00:03:21,390
because it's going to block it.

98
00:03:21,390 --> 00:03:22,800
And this again is why people tend

99
00:03:22,800 --> 00:03:26,310
to lean towards an IDS instead of an IPS.

100
00:03:26,310 --> 00:03:28,530
Next, we have policy-based detection,

101
00:03:28,530 --> 00:03:30,600
and this is going to rely on a specific declaration

102
00:03:30,600 --> 00:03:32,190
of a security policy.

103
00:03:32,190 --> 00:03:34,800
You may say something like, "No telnet allowed."
104
00:03:34,800 --> 00:03:37,200
And if we see anybody trying to talk on port 23,

105
00:03:37,200 --> 00:03:38,580
we know that's a policy issue

106
00:03:38,580 --> 00:03:40,170
and we're going to flag it in the logs

107
00:03:40,170 --> 00:03:41,580
and we're going to alert on it.

108
00:03:41,580 --> 00:03:44,010
That's the idea of a policy-based detection.

109
00:03:44,010 --> 00:03:46,740
Now, the third one we have is an anomaly-based detection,

110
00:03:46,740 --> 00:03:48,660
and this is either going to be done through a statistical

111
00:03:48,660 --> 00:03:50,670
or non-statistical anomaly.

112
00:03:50,670 --> 00:03:52,770
Now, if it's using a statistical anomaly,

113
00:03:52,770 --> 00:03:54,330
it's going to watch for traffic patterns

114
00:03:54,330 --> 00:03:55,710
and build a baseline up,

115
00:03:55,710 --> 00:03:57,120
and then anytime it sees something it thinks

116
00:03:57,120 --> 00:03:59,730
is outside the normal, it's going to flag it.

117
00:03:59,730 --> 00:04:01,740
Again, if you're using an IPS,

118
00:04:01,740 --> 00:04:03,690
this can be very, very dangerous

119
00:04:03,690 --> 00:04:06,150
because something that is completely normal and routine

120
00:04:06,150 --> 00:04:08,580
that's just a little bit outside the normal baseline

121
00:04:08,580 --> 00:04:11,370
could be flagged and cause issues for your end users.

122
00:04:11,370 --> 00:04:13,800
Now, when you use a non-statistical anomaly,

123
00:04:13,800 --> 00:04:15,960
this is based on a pattern or baseline

124
00:04:15,960 --> 00:04:17,820
that the administrator is going to define.

125
00:04:17,820 --> 00:04:19,207
So I might go in and configure and say,

126
00:04:19,207 --> 00:04:22,560
"Hey, anytime I see more than some amount of downloads,

127
00:04:22,560 --> 00:04:24,600
it's over a gigabyte per user per day,

128
00:04:24,600 --> 00:04:26,580
I want you to flag that because that might be something

129
00:04:26,580 --> 00:04:27,870
that's not right."
130
00:04:27,870 --> 00:04:29,250
These are the kind of things that are going to be set

131
00:04:29,250 --> 00:04:30,300
by the administrator,

132
00:04:30,300 --> 00:04:32,940
and they would then be a non-statistical anomaly.

133
00:04:32,940 --> 00:04:35,220
In addition to having an intrusion detection system,

134
00:04:35,220 --> 00:04:36,840
an intrusion prevention system,

135
00:04:36,840 --> 00:04:38,520
we could also have either host-based

136
00:04:38,520 --> 00:04:41,430
or network-based IDSs and IPSs.

137
00:04:41,430 --> 00:04:44,070
And this is another way we distinguish these systems.

138
00:04:44,070 --> 00:04:45,900
When we deal with a network-based one,

139
00:04:45,900 --> 00:04:47,310
we're talking about a network device

140
00:04:47,310 --> 00:04:49,560
that's going to protect the entire network.

141
00:04:49,560 --> 00:04:51,180
The diagrams I showed you earlier

142
00:04:51,180 --> 00:04:54,600
were an example of a network-based IDS and IPS

143
00:04:54,600 --> 00:04:55,950
that were either hung off the switch

144
00:04:55,950 --> 00:04:58,230
or sat between the switch and the firewall.

145
00:04:58,230 --> 00:05:00,210
Now, if I wanted to have this as software installed

146
00:05:00,210 --> 00:05:02,610
on a host like your Windows or your Mac machine,

147
00:05:02,610 --> 00:05:04,410
this would be a piece of software we install

148
00:05:04,410 --> 00:05:07,440
and it can serve as an IDS or an IPS as well.

149
00:05:07,440 --> 00:05:09,270
Those are considered host-based

150
00:05:09,270 --> 00:05:11,760
because it's sitting on a host or a server.

151
00:05:11,760 --> 00:05:13,380
This would be your clients, your servers,

152
00:05:13,380 --> 00:05:15,030
your phones, your tablets.

153
00:05:15,030 --> 00:05:17,010
Now, these network and host-based systems

154
00:05:17,010 --> 00:05:19,860
can be used together to give you even more protection.
155
00:05:19,860 --> 00:05:21,210
For example, you might have

156
00:05:21,210 --> 00:05:23,010
a network intrusion prevention system

157
00:05:23,010 --> 00:05:25,050
that's going to be used in-line to protect you

158
00:05:25,050 --> 00:05:26,760
from a denial of service attack.

159
00:05:26,760 --> 00:05:27,960
But then you might also have

160
00:05:27,960 --> 00:05:30,150
a host-based intrusion prevention system

161
00:05:30,150 --> 00:05:32,310
on your Windows server that can prevent people

162
00:05:32,310 --> 00:05:33,870
from installing and running software

163
00:05:33,870 --> 00:05:35,520
that you don't authorize.

164
00:05:35,520 --> 00:05:37,440
This is going to help protect you from malware attacks

165
00:05:37,440 --> 00:05:39,030
and other things like that.

166
00:05:39,030 --> 00:05:41,490
Now, what does all this look like when you put it together?

167
00:05:41,490 --> 00:05:43,320
Well, it looks kind of like this.

168
00:05:43,320 --> 00:05:46,050
Notice here I have two switches hanging off that router.

169
00:05:46,050 --> 00:05:48,480
I have my administrative and my management network.

170
00:05:48,480 --> 00:05:49,650
And I also have my users

171
00:05:49,650 --> 00:05:51,360
who are sitting there off to the left.

172
00:05:51,360 --> 00:05:54,510
Now in my user domain, I have an intrusion detection system

173
00:05:54,510 --> 00:05:57,210
that is network based and it's hanging off that switch.

174
00:05:57,210 --> 00:05:59,370
Then I have an intrusion prevention system

175
00:05:59,370 --> 00:06:01,440
sitting between the firewall and the router

176
00:06:01,440 --> 00:06:04,320
to protect myself from denial of service attacks.
177
00:06:04,320 --> 00:06:05,730
Then I might have a screened subnet

178
00:06:05,730 --> 00:06:07,710
and I might need another IPS there

179
00:06:07,710 --> 00:06:09,870
that's going to be set between the switch and the firewall,

180
00:06:09,870 --> 00:06:11,280
and that's going to protect my web servers

181
00:06:11,280 --> 00:06:12,660
and my email servers.

182
00:06:12,660 --> 00:06:15,060
In addition to all those network-based defenses,

183
00:06:15,060 --> 00:06:18,990
I can actually install software on PC1, PC2, and PC3

184
00:06:18,990 --> 00:06:22,110
that acts as a host IDS or a host IPS.

185
00:06:22,110 --> 00:06:23,520
Now, all of that is going to be connected

186
00:06:23,520 --> 00:06:26,190
back up to the management PC, up in the top,

187
00:06:26,190 --> 00:06:27,600
which is going to take and correlate

188
00:06:27,600 --> 00:06:29,190
all of these logs and alerts,

189
00:06:29,190 --> 00:06:31,980
and that way I can investigate them as I see them.

190
00:06:31,980 --> 00:06:33,870
You can see how all of this starts working together

191
00:06:33,870 --> 00:06:35,280
to give us layers of security

192
00:06:35,280 --> 00:06:37,030
and a lot more additional security.