Title of test:
NIDS/NIPS

Description:
NIDS/NIPS

Author:
BA

Creation Date:
01/09/2019

Category:
Others

Number of questions: 12
Content:
Passive device; detects intrusions and sets off an alert.
Actively prevents intrusions - you can set it to detect some types of things, and prevent others.
The NIPS just examines a copy of the traffic; it doesn't sit in the middle.
Goes along with passive monitoring, and sends out a TCP reset to close the session and not let it back in; but again, it's after the fact and it doesn't work with UDP, it's TCP only.
More common and effective, actually sits in the middle of the traffic flow.
To ID attacks, the IPS device looks for exact signatures of problems and prevents based on matching.
Commonly uses artificial intelligence and data mining to identify malicious network traffic.
To ID attacks, the IPS looks for strange behavior.
To ID attacks, the IPS reviews based on defined characteristics obtained through AI - very sophisticated method - relies on "known" or previously identified viruses.
What to let in, what to keep out - could be thousands of rules defined in the IPS - configure carefully or you'll get bombed with false positives and alerts.
Mistaken identity - it's really not a problem.
Malicious traffic was allowed - this is much more of a problem, obviously - antivirus should then catch it.