Version 4.1 - 4.4 Generic network intrusion prevention concepts
The word "generic" gives you a hint that this section is looking at IDS/IPS from the 1,000-foot level. Don't get wrapped around the axle on this one. The actual Cisco IDS/IPS is covered in sections 5.3 and 5.4. And again, my two study guides have different material for this section. This is why you never rely on one "Study Guide" for any test.
The difference between IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) is detecting a problem versus preventing one. There are some really funny "LifeLock" ads about "monitoring" a problem versus "fixing" a problem - bank robbers and cavities - which can help you remember this. In order to prevent a problem, the device needs to be inline, so the traffic passes through it and can be dropped. In order to just detect the problem, it should not be inline; it watches a copy of the traffic and can only raise an alarm after the fact.
Types of attacks prevented using IPS:
* DoS
* DDoS
* Exploits (various types)
* Worms
* Viruses
Types of actions taken by the IPS include:
+ Sending an alarm to the administrator
+ Dropping the malicious packets
+ Blocking traffic from the source address
+ Resetting the connection
Note that these actions depend on traffic not being spoofed. Spoofed traffic should be filtered _before_ it reaches the IPS. Think about this - it automatically blocks traffic from the source address. If the source is spoofed, it will block legitimate traffic from the spoofed address. [Like an onion, security should be in layers.]
One other thing for this section relates to the alarms themselves.
True Positive : This is malicious traffic that is identified as malicious by the IDS/IPS.
False Positive: This is legitimate traffic that is identified as malicious by the IDS/IPS.
False Negative: This is malicious traffic that is not detected as malicious by the IDS/IPS.
True Negative : This is legitimate traffic that is not detected as malicious by the IDS/IPS.
You want your IDS/IPS to detect True Positives and True Negatives. This can only be done by constant tuning of the signatures from the initial (out-of-the-box) state. IDS/IPS is not a turnkey solution. You have to actually know this stuff to get it right and getting it wrong can put you in a vulnerable state. [This is why many companies outsource this service.]
False Positives can be overwhelming. There can be many of them, and they either swamp the staff with verification work (IDS) or block legitimate traffic (IPS). If you get a lot of these, not only can your sensor/staff be overwhelmed, it can also lead to valid alerts being ignored.
False Negatives are worse. This means malicious traffic is not being caught or identified. This can often happen when you don't update your signatures.
And that is all the bird said about Generic IDS and IPS.