Page 1221 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
and the internet server. While the traffic is transmitted using
HTTPS, it is decrypted on the TLS decryptor.
There is a weakness with TLS decryptors, though. APTs often
encrypt traffic before exfiltrating it out of a network. The
encryption is typically performed on a host before the host establishes a
connection with a remote system and sends the data. Because the
traffic is encrypted on the client, and not within a TLS session, the
TLS decryptor cannot decrypt it. Similarly, an IDPS may be able to
detect that this traffic is encrypted, but it won't be able to decrypt
the traffic so that it can inspect it.
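The following is an added illustration, not code from the study guide, of the situation just described: a TLS decryptor hands application data to an IDPS, and the IDPS must decide whether that data is actually inspectable or was already encrypted on the host before the TLS session began. It assumes (the page does not say how an IDPS makes this determination) that the detector uses a Shannon-entropy heuristic, a common way to infer that a payload is encrypted. The flow identifiers and payloads are constructed for the example.

```python
"""Added example: flag application data that was encrypted on the host
before it entered the TLS session, which a TLS decryptor cannot decrypt.

Assumption (not stated on the page): the detector uses a Shannon-entropy
heuristic, a common way an IDPS infers that a payload is encrypted.
All sample payloads below are constructed for this example.
"""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0
MIN_PAYLOAD_LEN = 256     # entropy estimates on very small payloads are unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the payload, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the payload is large enough to judge and has near-maximal entropy."""
    return len(data) >= MIN_PAYLOAD_LEN and shannon_entropy(data) >= ENTROPY_THRESHOLD


def classify_decrypted_flows(flows):
    """Given (flow_id, application_data) pairs as a TLS decryptor would hand
    them to the IDPS, return {flow_id: 'inspectable' | 'opaque'}.

    'opaque' means the data is still encrypted after TLS decryption, so the
    IDPS can record that fact (and alert on it) but cannot inspect the content.
    """
    return {fid: ("opaque" if looks_encrypted(data) else "inspectable")
            for fid, data in flows}


# --- constructed sample data ----------------------------------------------
# An ordinary HTTP request as the decryptor would expose it: fully inspectable.
HTTP_PAYLOAD = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
                b"Content-Type: text/plain\r\n\r\n"
                + b"quarterly report draft, do not distribute\n" * 12)

# Stand-in for data encrypted on the host before the TLS connection was opened.
# A seeded PRNG gives a reproducible random-looking blob; real ciphertext has
# the same statistical signature.
_rng = random.Random(1)
PRE_ENCRYPTED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_FLOWS = [("flow-1", HTTP_PAYLOAD), ("flow-2", PRE_ENCRYPTED_PAYLOAD)]

if __name__ == "__main__":
    for fid, verdict in classify_decrypted_flows(SAMPLE_FLOWS).items():
        print(fid, verdict)
```

The heuristic only tells the IDPS that content is opaque; it cannot recover the plaintext, which is exactly the limitation the text describes. Legitimately compressed content (archives, images, already-compressed media) also scores near 8 bits per byte, so in practice a verdict of "opaque" is combined with context such as destination, volume and declared content type before it is treated as suspected exfiltration.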
Switches are often used as a preventive measure against
rogue sniffers. If the IDS is connected to a normal port on the
switch, it will capture only a small portion of the network traffic,
which isn’t very useful. Instead, the switch can be configured to
mirror all traffic to a specific port (commonly called port
mirroring) used by the IDS. On Cisco switches, the port used for
port mirroring is referred to as a Switched Port Analyzer (SPAN)
port.
The central console is often installed on a single-purpose computer
that is hardened against attacks. This reduces vulnerabilities in the
NIDS and can allow it to operate almost invisibly, making it much
harder for attackers to discover and disable it. A NIDS has very little
negative effect on the overall network performance, and when it is
deployed on a single-purpose system, it doesn’t adversely affect
performance on any other computer. On networks with large volumes
of traffic, a single NIDS may be unable to keep up with the flow of
data, but it is possible to add additional systems to balance the load.
Often, a NIDS can discover the source of an attack by performing
Reverse Address Resolution Protocol (RARP) or reverse Domain
Name System (DNS) lookups. However, because attackers often spoof
IP addresses or launch attacks by zombies via a botnet, additional

