6Putting in Place an Intrusion Prevention System (IPS)
This chapter will focus on the following topics:
- – the role played by a detector;
- – the differences between an IDS and an IPS;
- – the types of IPS:
- - host-based IPS,
- - network-based IPS;
- – modes of using an IPS:
- - promiscuous mode,
- - inline mode;
- - the types of alarms;
- – modes of detecting malicious traffic:
- - signature-based detection,
- - strategy-based detection,
- - anomaly-based detection,
- - reputation-based detection;
- – severity levels of signatures;
- – monitoring and management of alarms and alerts;
- – the list of actions to take during an attack;
- – the configuration of the IOS IPS.
6.1. Introduction to a detector
A detector is a network device that analyzes network traffic in order to classify it as normal or malicious, based on predefined rules.
An Intrusion Detection System (IDS) is a detector that can analyze packets travelling over one or more network connections in order to detect suspicious activity. Its role is limited to alerting the system administrator to the trace of any abnormal activity on a host or on the network. It does not prevent intrusion attempts.
An Intrusion Prevention System (IPS) is a detector that can detect and prevent any potential attack on a host or on the network.
6.2. The differences between an IDS and an IPS
The following table presents some characteristics of the two detectors: IPS and IDS.
| IDS | IPS |
| Processing packets | Receives only one copy of the original packets for processing. ... |
Get Computer Network Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
