- Passive device; detects intrusions and sets off an alert.
- Actively prevents intrusions; you can set it to detect some types of events and prevent others.
- The NIPS only examines a copy of the traffic; it doesn't sit in the middle of the flow.
- Goes along with passive monitoring: it sends a TCP reset to close the session and keep it from reconnecting, but again, it's after the fact, and it only works for TCP, not UDP.
- More common and effective; the device actually sits in the middle of the traffic flow.
- To identify attacks, the IPS looks for exact signatures of known problems and blocks traffic that matches.
- Commonly uses artificial intelligence and data mining to identify malicious network traffic.
- To identify attacks, the IPS looks for unusual behavior.
- To identify attacks, the IPS reviews traffic against defined characteristics obtained through AI; a very sophisticated method that relies on "known" or previously identified viruses.
- What to let in and what to keep out; there could be thousands of rules defined in the IPS, so configure them carefully or you'll be flooded with false positives and alerts.
- Mistaken identity; it isn't actually a problem.
- Malicious traffic was allowed through; this is much more of a problem, obviously; antivirus should then catch it.