6.1.a Network-based IPS vs. host-based IPS

Get 30% off with promo code OSCAROGANDO2

Follow me on Twitter:

6.1.a Network-based IPS

Network IPS involves the deployment of monitoring devices, or sensors, throughout the network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target.
Network IPS sensors are usually tuned for intrusion prevention analysis. The underlying operating system of the platform on which the IPS software is mounted is stripped of unnecessary network services, and essential services are secured (that is, hardened).

Host-based IPS

A host based systems protects a unique host by attaching itself closely to the operating system kernel and forming a layer which filters all system calls as well as application call and allows only call which are legitimate to go through. There can be four types of host based instruction detection systems namel.
The main advantage of using a host based prevention system is that since the protection system is integrated with the host itself, it is very easy to point out whether the actual attack has been successful or not. This is a very vital piece of information which is not easily obtained in the network based protection mode. Also it is very difficult for a hacker to get past the host based protection system by using fragmentation attacks. (Windows Firewall)

Tap vs SPAN

SPAN meaning “Switch Port Analyzer is the term that describes when you mirror a port or copy the contents of traffic heard on one specific port and copy it to another port so a program can analyze the traffic as in SolarWinds or WireShark
The difference between SPAN and TAP is as simple as SPAN is software based snooping and TAP is hardware based snooping of traffic. They both achieve the same goal

IPS Terminology

When deployed in real environments, security controls such as IPS may produce erroneous decisions,either because of their misconfiguration or because of the environment, in which legitimate activity may resemble malicious activity, and vice versa. All decisions made by security controls can be classified as one of the following:
True positive: The security control, such as an IPS sensor, acted as a consequence of malicious
activity. This represents normal and optimal operation.
True negative: The security control has not acted, because there was no malicious activity.
This represents normal and optimal operation.
False positive: The security control acted as a consequence of normal traffic or activity.
False negative: The security control has not acted, even though there was malicious activity.

Share the Post:

Related Posts

Help Us By Donating