Page 1218 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

large-screen monitors providing data on different elements of the NOC. The IDS alerts can be displayed on one of these screens to ensure that personnel are aware of the event. These instant notifications help administrators respond quickly and effectively to unwanted behavior.

Active Response

Active responses can modify the environment using several different methods. Typical responses include modifying ACLs to block traffic based on ports, protocols, and source addresses, and even disabling all communications over specific cable segments. For example, if an IDS detects a SYN flood attack from a single IP address, the IDS can change the ACL to block all traffic from this IP address. Similarly, if the IDS detects a ping flood attack from multiple IP addresses, it can change the ACL to block all ICMP traffic. An IDS can also block access to resources for suspicious or ill-behaved users. Security administrators configure these active responses in advance and can tweak them based on changing needs in the environment.




An IDS that uses an active response is sometimes referred to as an IPS (intrusion prevention system). This is accurate in some situations. However, an IPS (described later in this section) is placed in line with the traffic. If an active IDS is placed in line with the traffic, it is an IPS. If it is not placed in line with the traffic, it isn't a true IPS: it sees the traffic only after it has already passed, so it can react to an attack in progress (for example, by pushing a new ACL to a router) but cannot block the packets it has just observed. NIST SP 800-94 recommends placing all active IDSs in line with the traffic so that they function as IPSs.
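The active responses described above (blocking a single source after a SYN flood, blocking all ICMP after a distributed ping flood) and the inline-versus-out-of-band distinction in the note, as an added example that is not code from the study guide or from any IDS product. It runs simple sliding-window thresholds over constructed packet records and applies the resulting deny rules the way a router ACL would. The thresholds (20 SYNs or 30 echo requests per second), the 250 ms delay for an out-of-band sensor to get a rule onto the router, the RFC 5737 documentation addresses, and the gateway address 10.0.0.1 are all assumptions. Because SYN and ICMP source addresses are trivially spoofed, an attacker could otherwise feed the sensor a flood that appears to come from the site's own gateway and have the IDS cut it off; the example therefore keeps a list of addresses it will never block, which is the kind of tweak the text says administrators configure in advance.

```python
"""Threshold-based active response over constructed packet records (added example,
not code from the study guide).  Timestamps are integer milliseconds."""
from collections import defaultdict, deque


class ActiveResponder:
    """Counts TCP SYNs per source and ICMP echo requests overall in a sliding window
    and appends deny rules to a router-style ACL.  response_delay_ms is how long an
    out-of-band sensor needs to get a rule onto the router; 0 models an inline IPS."""

    def __init__(self, syn_threshold=20, icmp_threshold=30, window_ms=1000,
                 response_delay_ms=0, never_block=()):
        self.syn_threshold, self.icmp_threshold = syn_threshold, icmp_threshold
        self.window_ms, self.response_delay_ms = window_ms, response_delay_ms
        self.never_block = set(never_block)   # gateway, DNS, ...: never auto-block
        self.acl = []                         # deny rules in insertion order
        self.suppressed = set()               # sources spared only by never_block
        self._syn_times = defaultdict(deque)  # src -> SYN timestamps in the window
        self._icmp_events = deque()           # (ts, src) of echo requests in the window

    def permits(self, pkt):
        """Evaluate the ACL as the router would (first matching deny wins),
        ignoring rules the router has not received yet."""
        for r in self.acl:
            if (r["effective_at"] <= pkt["ts"] and r["src"] in ("any", pkt["src"])
                    and r["proto"] in ("any", pkt["proto"])):
                return False
        return True

    def _block(self, now, src, proto):
        """Add a deny rule unless src is protected or already covered.  SYN and ICMP
        sources are trivially spoofed; without never_block an attacker could make
        the IDS cut off the site's own gateway."""
        if src in self.never_block:
            self.suppressed.add(src)
            return None
        if any(r["src"] in ("any", src) and r["proto"] in ("any", proto) for r in self.acl):
            return None
        rule = {"src": src, "proto": proto, "effective_at": now + self.response_delay_ms}
        self.acl.append(rule)
        return rule

    def observe(self, pkt):
        """Feed one packet the sensor saw; returns the rule added, if any."""
        now = pkt["ts"]
        if pkt["proto"] == "tcp" and pkt["flags"] == "S":      # bare SYN
            dq = self._syn_times[pkt["src"]]
            dq.append(now)
            while now - dq[0] > self.window_ms:
                dq.popleft()
            if len(dq) >= self.syn_threshold:      # SYN flood from one host:
                dq.clear()                         # drop everything from it
                return self._block(now, pkt["src"], "any")
        elif pkt["proto"] == "icmp" and pkt["type"] == 8:     # echo request
            ev = self._icmp_events
            ev.append((now, pkt["src"]))
            while now - ev[0][0] > self.window_ms:
                ev.popleft()
            if len(ev) >= self.icmp_threshold:
                sources = {src for _, src in ev}
                ev.clear()
                if len(sources) > 1:               # distributed ping flood: block the protocol
                    return self._block(now, "any", "icmp")
                return self._block(now, sources.pop(), "icmp")   # one host: only its pings
        return None

def run(packets, responder):
    """Packets pass the enforcement point in time order; what the ACL permits is
    forwarded and seen by the sensor.  Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if responder.permits(pkt):
            forwarded += 1
            responder.observe(pkt)
        else:
            dropped += 1
    return forwarded, dropped

def burst(sources, start_ms, count, gap_ms, proto):
    """Constructed packets (not captured data): count packets gap_ms apart, sources
    used round-robin; TCP ones are bare SYNs, ICMP ones echo requests."""
    return [{"ts": start_ms + i * gap_ms, "src": sources[i % len(sources)],
             "proto": proto, "flags": "S", "type": 8} for i in range(count)]

GATEWAY = "10.0.0.1"   # assumed address of the site's own router
TRAFFIC = (burst(["203.0.113.7"], 0, 60, 10, "tcp")                                 # SYN flood, one host
           + burst([f"198.51.100.{i}" for i in range(1, 6)], 1000, 250, 2, "icmp")  # ping flood, five hosts
           + burst([GATEWAY], 3000, 40, 10, "tcp"))                                  # SYNs spoofed as the gateway

def compare(traffic=TRAFFIC, delay_ms=250):
    """Same traffic through an inline IPS and through an out-of-band active IDS that
    needs delay_ms to push each rule.  Returns {name: (forwarded, dropped, acl, suppressed)}."""
    out = {}
    for name, delay in (("inline", 0), ("out_of_band", delay_ms)):
        r = ActiveResponder(response_delay_ms=delay, never_block={GATEWAY})
        fwd, drop = run(traffic, r)
        out[name] = (fwd, drop, r.acl, r.suppressed)
    return out

if __name__ == "__main__":
    for name, (fwd, drop, acl, sup) in compare().items():
        rules = [(r["src"], r["proto"], r["effective_at"]) for r in acl]
        print(f"{name}: {fwd} forwarded, {drop} dropped, deny rules {rules}, spared {sorted(sup)}")
```

Run as a script, it shows both deployments reacting to the same 350 packets with the same two rules (deny everything from 203.0.113.7, deny ICMP from anywhere) but with different effect: the inline responder forwards 90 packets and drops 260, since each rule takes effect the instant the threshold is crossed; the out-of-band responder forwards 238 and drops 112, because every rule reaches the router 250 ms after the attack has already been detected, which is exactly the gap the note above describes. The spoofed flood from the gateway address crosses the threshold in both runs and is recorded in `suppressed` instead of producing a rule.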



Host- and Network-Based IDSs

IDS types are commonly classified as host based and network based. A host-based IDS (HIDS) monitors a single computer or host. A network-based IDS (NIDS) monitors a network by observing network traffic patterns.

A less-used classification is an application-based IDS, which is a specific type of network-based IDS. It monitors specific application