TOP Intrusion Detection Systems Interview Questions and FAQs -Part II

What are events?

Events are actions that take place on the network. Examples of events might be a failed connection attempt, a connection established between two computers, a successful authentication and login, a Web browser requesting a URL, or the response sent back by a Web server.

What are policy scripts?

Policy scripts are programs written to detect events. They contain the rules that describe what sorts of activities are deemed troublesome. They analyze the network events and initiate actions based on the analysis.

Can the scripts take action?

Yes. Scripts generate a number of output files recording the activity seen on the network (including normal, non-attack activity). They also can generate alerts signifying that a problem has been seen. In addition, scripts can execute programs, which can terminate existing connections, block traffic from hostile hosts (by inserting blocks into a router access control list), send e-mail messages, or page the on-call staff.

What is a false positive?

Most IDS compare traffic against attack signatures. Sometimes normal activity matches a signature and the IDS raises an alert even though no attack is taking place; that alert is a false positive. Part of maintaining the IDS is recognizing when what you are dealing with is a false positive and tuning the IDS to avoid them.

What is a false negative?

Most IDS compare traffic against attack signatures. Sometimes attack activity does not trigger the IDS to raise an alert. This means that a real attack is happening and the IDS is not sending an alert.
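The following is an added example, not code from the original page: a small signature-based analysis of constructed connection events that shows a naive signature producing both a false positive and a false negative, a tuned signature that decodes the request before matching, and the block list a policy script would hand to a router ACL. The hosts, event descriptions and signature names are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed events: (source host, event description, ground truth: attack?).
EVENTS = [
    ("10.0.0.5", "GET /index.html", False),
    ("10.0.0.9", "GET /cgi-bin/../../../etc/passwd", True),  # directory traversal
    ("10.0.0.5", "GET /docs/passwd-policy.html", False),  # benign page that mentions 'passwd'
    ("10.0.0.12", "GET /cgi-bin/..%2f..%2f..%2fetc%2fpass%77d", True),  # same attack, URL-encoded
    ("10.0.0.7", "GET /images/logo.png", False),
]

# Naive signature: alert whenever the literal string 'passwd' appears.
NAIVE_RULES = {"passwd-access": re.compile(r"passwd")}

# Tuned signature: decode %xx escapes first, then require a traversal
# sequence that reaches etc/passwd.
TUNED_RULES = {"etc-passwd-traversal": re.compile(r"(\.\./)+etc/passwd")}

def matches(rules, description, decode=False):
    """Names of all signatures that fire on one event."""
    text = unquote(description) if decode else description
    return [name for name, pat in rules.items() if pat.search(text)]

def evaluate(rules, events, decode=False):
    """Score a rule set against labelled events as TP/FP/FN/TN counts."""
    score = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _src, description, is_attack in events:
        alerted = bool(matches(rules, description, decode))
        if alerted and is_attack:
            score["tp"] += 1
        elif alerted:
            score["fp"] += 1  # normal activity raised an alert: false positive
        elif is_attack:
            score["fn"] += 1  # a real attack raised no alert: false negative
        else:
            score["tn"] += 1
    return score

def block_list(rules, events, decode=False):
    """The action side of a policy script: hosts whose events matched a
    signature, i.e. candidates for a router ACL deny entry."""
    return sorted({src for src, d, _ in events if matches(rules, d, decode)})

if __name__ == "__main__":
    print("naive:", evaluate(NAIVE_RULES, EVENTS))  # fp=1, fn=1
    print("tuned:", evaluate(TUNED_RULES, EVENTS, decode=True))  # fp=0, fn=0
    print("block:", block_list(TUNED_RULES, EVENTS, decode=True))
```

The naive rule alerts on the harmless documentation page (false positive) and misses the encoded request (false negative); decoding before matching and anchoring the signature on the traversal sequence removes both.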

How can I test my IDS?

We suggest the following steps:
1) Place the NIDS on a test network with a hub/switch and a separate server.
2) Run a tool like Nessus against this server.
3) When Nessus is done, check which of its attacks the NIDS detected. If the NIDS did not detect all the attacks, does it have the latest signatures? Can you write your own rules for the NIDS to catch the attack?
4) After the tests with Nessus, run the packet-building tools. Make various illegal packets and aim them at the server. Does the NIDS detect the packets?
5) Repeat steps 2-4 against the NIDS machine itself.
6) Harden the NIDS to help prevent it from being compromised.
7) Place it on the production network and see how many false positives it gets.
8) Tune it to reduce the false positives.
9) As new vulnerabilities appear, update the Nessus signatures and test whether the NIDS catches them.

What are some personal IDS/firewalls?

These are software products designed to be used by a single user or on a single PC. While they don't fit into the enterprise class of IDS, several programs can provide firewall and IDS services for a single user/PC. Here are a few:

Black Ice Defender
Symantec Personal Firewall
McAfee Firewall V2.1

What tools can be used for building packets?

These are some tools that can be used for building packets:

What is network Intrusion Prevention?

Intrusion Prevention Systems (IPS) automatically detect and block malicious network and application traffic, while allowing legitimate traffic to continue through to its destination. An IPS must operate inline with minimal impact on network latency and be scalable to cope with the demands of a multi-gigabit network environment.

Why do I need an Intrusion Prevention System (IPS) if I currently have a Firewall and an Intrusion Detection System (IDS)?

Firewalls are typically deployed at the network perimeter. However, many attacks can easily bypass the perimeter and many are launched, sometimes inadvertently, from within the organization. For example, consider the following situations:
• An employee who logs on to the corporate network with a laptop computer that became infected while it was used at home.
• A consultant who downloads malware from their own corporate network while working at your facility and inadvertently spreads it onto your network.
• Remote users who log on using a virtual private network.
• Disgruntled employees.
An IDS might be effective at detecting suspicious activity, but it does not provide adequate protection against attacks. Worm attacks, such as Slammer and Blaster, spread so rapidly that by the time an alert is generated, the damage has already been done.
To be effective, an intrusion prevention solution must be inline and able to automatically detect and block malicious packets within normal network traffic before the malicious payload causes any damage. This prevention must occur under extreme traffic loads and more importantly, good traffic must never be blocked, even while under an attack. Finally, the IPS device must operate with switch-like latency at all times.
Given these parameters for defining an effective intrusion prevention solution, it is simple to see why simply adding blocking capabilities to existing security infrastructure, such as firewalls and IDS, is not an effective intrusion prevention solution.
The concept of blocking malicious network traffic before it reaches its intended targets is simple. However, given the increasing sophistication of attacks and the sheer brute force of many of them, security managers need an IPS solution that can cope with these demands.

What are the essential characteristics of an IPS?

These are the essential characteristics of a good IPS device:
a. Block known and unknown (including zero-day) attacks.
b. Never block legitimate traffic even when under attack.
c. Since it operates inline, it must be a resilient hardware solution that will not be a single point of network failure.
d. Not reliant on signatures as the primary form of defense (the approach of IPS products that grew out of IDS technologies, which is susceptible to false positives).
e. Not add any discernible latency under extreme load or attack, since this will negatively impact business users.
f. Rapid configuration for immediate protection with minimal ongoing operational maintenance.
g. Access to a centralized management solution that has meaningful reporting capabilities.
h. As network capacity and performance increase over time, the IPS solution must scale in line with those requirements.
i. Cope with new advanced types of security threats in the future.
j. Provide relevant data for forensic analysis purposes and alert reporting.
k. Offer fine-grained control over what type of malicious traffic is to be blocked (for instance, Web servers and email servers need to be configured differently).
l. Combine rate-based and content-based protection on one device.
m. Post-sales support to provide updates on newly discovered vulnerabilities and advice (signatures, patches or configuration updates) on how to protect against the exploits.
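As an added example (not from the page or any vendor product), the sketch below of an inline per-packet decision combines content-based and rate-based protection on one device (characteristic l), keeps separate per-service profiles (k), never blocks allow-listed legitimate peers (b), and records every verdict with its reason for forensics (j). The hosts, ports, signatures, window and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque

WINDOW = 1.0  # seconds covered by the rate-based check

# Constructed per-service profiles (characteristic k): each destination port
# has its own content signatures and its own per-source packet ceiling.
PROFILES = {
    80: {"name": "web", "sigs": [re.compile(rb"(\.\./)+etc/passwd")], "max_rate": 5},
    25: {"name": "mail", "sigs": [re.compile(rb"^VRFY ", re.M)], "max_rate": 3},
}

class InlineIPS:
    def __init__(self, profiles=PROFILES, never_block=()):
        self.profiles = profiles
        self.never_block = set(never_block)  # peers never to be blocked (characteristic b)
        self.recent = defaultdict(deque)     # (src, dport) -> timestamps inside WINDOW
        self.log = []                        # verdict record kept for forensics (characteristic j)

    def decide(self, ts, src, dport, payload):
        """Return 'forward' or 'block' for one packet and record why."""
        profile = self.profiles.get(dport)
        verdict, reason = "forward", "no-profile"
        if profile:
            verdict, reason = "forward", "clean"
            # Content-based protection: a matching signature blocks the packet.
            for sig in profile["sigs"]:
                if sig.search(payload):
                    verdict, reason = "block", "content:" + profile["name"]
                    break
            # Rate-based protection: sliding window of packets from this source.
            window = self.recent[(src, dport)]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if verdict == "forward" and len(window) > profile["max_rate"]:
                verdict, reason = "block", f"rate:{len(window)}"
        # Legitimate traffic must never be blocked: an allow-listed peer is
        # logged with the reason it would have been blocked, but still forwarded.
        if verdict == "block" and src in self.never_block:
            verdict, reason = "forward", "allowlisted-" + reason
        self.log.append((ts, src, dport, verdict, reason))
        return verdict

if __name__ == "__main__":
    ips = InlineIPS(never_block={"10.1.1.2"})
    print(ips.decide(0.0, "10.1.1.5", 80, b"GET /index.html HTTP/1.1\r\n"))  # forward
    print(ips.decide(0.1, "10.1.1.9", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"))  # block
    for i in range(5):  # 4th and 5th packet exceed the mail ceiling of 3 per window
        print(ips.decide(0.2 + i * 0.1, "10.1.1.20", 25, b"EHLO test\r\n"))
```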