Skip navigation.

TOP Intrusion Detection Systems Interview Questions and FAQs - Part III

What are zero day attacks?

Zero-day exploits occur when an exploit for vulnerability is created before, or on the same day that a vulnerability becomes known to the world at large. IT organizations are constantly fighting to keep their systems patched and updated, but the reality is it takes time to adequately test a patch against all applications running on the servers. This leaves organizations exposed to the narrowing of the time between discovering a vulnerability and the time an exploit is launched. As such, an attacker can effectively compromise unprotected servers at will.

What are the essential characteristics of an IPS?

These are the essential characteristics of a good IPS device:
a. Block known and unknown (including zero-day) attacks.
b. Never block legitimate traffic even when under attack.
c. Since it operates inline, it must be a resilient hardware solution that will not be a single point of network failure.
d. Not reliant on signatures as the primary form of defense (a method adopted by IPS products that spawned from IDS technologies that are susceptible to false positives).
e. Not add any discernable latency under extreme load or attack, since this will negatively impact business users.
f. Rapid configuration for immediate protection with minimal ongoing operational maintenance.
g. Access to a centralized management solution that has meaningful reporting capabilities.
h. As network capacity and performance increases over time, the IPS solution must be scaleable inline with those requirements.
i. Cope with new advanced types of security threats in the future.
j. Provide relevant data for forensic analysis purposes and alert reporting.
k. Offer fine-grained granularity to decide what type of malicious traffic is to be blocked (for instance Web servers and email servers need to be configured differently).
l. Combine rate-based and content-based protection on one device.
m. Post sales support to provide updates on newly discovered vulnerabilities and advice (signatures, patches or configuration updates) on how to protect against the exploits.

What are the different types of IPS devices?

The IPS devices can be signature based or stateful inspection based.

What are the disadvantages for using signature based IPS devices?

Signatures, or pattern matching is one of a number of methods that are used in an IPS to detect and block exploits of vulnerabilities. However, if used as the primary protection mechanism, you will face limitations in what will be successfully blocked. Signatures are prone for generating false positives, which means that on their own, legitimate traffic will be blocked. In addition, attackers have found ways around pattern matching methods by making relatively small changes to the attack code that renders the detection useless; and therefore, not successfully blocked by the IPS. Another trick commonly used is to send packets out of order or through asymmetrical traffic routes. Unless the IPS has a packet reorder engine and is fully Stateful, the attack will never be recognized and will simply pass through to the ultimate target.

Where can I find updates about new security holes?

You can find updates on new security holes in security advisory websites. It is important that a security administrator is updated about new security holes, as the saying goes prevention is better than cure.
Some of the security advisories are as listed below:
CERT (Computer Emergency Response Team) was set up by a number of universities and DARPA in response to the Morris Worm of 1988.
CIAC publishes security bulletins and virus and hoax information.
This is another good advisory from

What questions should be asked to the IDS vendor?

The basic questions include the following:

How good is the reporting architecture?
How easy is it to manage false positives?
How long does it take to track down alerts and identify the situation? How much manpower is needed to use this product?
How many signatures does the system support?
What intrusion response features does the product have?
What does it cost?

What would be the Return on Investment?
The security administrator would need to calculate this along with other departments in the organization and also the security vendor.

What do signature updates and maintanance cost?
Intrusion detection is much like virus protection, a system that hasn't been updated for a year will miss common new attacks.

At what real-world traffic levels does the product become blind, in packets/second?

First, what segments do you plan on putting the IDS onto? If you have only a 1.5-mbps connection to the Internet that you want to monitor, you don't need the fastest performing system. On the other hand, if you are trying to monitor a server farm in your corporation in order to detect internal attacks, a hacker could easily smurf the segment in order to blind the sensor. The most important metric is packets/second.

How easy is the product to evade?
Try to get in-depth information about this part. Some of the simple evasion tactics to fool IDS include fragmentation, avoiding defaults, slow scans, coordinated low bandwidth attacks, address spoofing/proxying, and pattern change evasion.

How scalable is the IDS system?
How many sensors does the system support? How big can the database be? What are the traffic levels when forwarding information to the management console? What happens when the management console is overloaded? These are some questions you might want to be answered.

How are intrusions detected?

Anomaly detection
The most common way people approach network intrusion detection is to detect statistical anomalies. The idea behind this approach is to measure a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies.
For example, let's say that you monitor the traffic from individual workstations. Then, the system notes that at 12am, a lot of these workstations start logging into the servers and carrying out tasks. This is something interesting to note and possibly take action on.

Signature recognition
The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack. This means that for every hacker technique, the engineers code something into the system for that technique.
This can be as simple as a pattern match. The classic example is to example every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web-server.