Page 1223 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
FIGURE 17.4 Intrusion prevention system
In contrast, an active IDS that is not placed in line can check the activity only after it has reached the target. The active IDS can take steps to block an attack after it starts but cannot prevent it.

An IPS can use knowledge-based detection and/or behavior-based detection, just as any other IDS. Additionally, it can log activity and provide notification to administrators just as an IDS would.

A current trend is the replacement of IDSs with IPSs. Similarly, many appliances that include detection and prevention capabilities focus their use on an IPS. Because an IPS is placed inline with the traffic, it can inspect all traffic as it occurs.
Specific Preventive Measures
Although intrusion detection and prevention systems go a long way toward protecting networks, administrators typically implement additional security controls to protect their networks. The following sections describe several of these as additional preventive measures.
Honeypots/Honeynets
Honeypots are individual computers created as a trap for intruders. A honeynet is two or more networked honeypots used together to simulate a network. They look and act like legitimate systems, but they do not host data of any real value for an attacker. Administrators often configure honeypots with vulnerabilities to tempt intruders into attacking them. They may be unpatched or have security vulnerabilities that administrators purposely leave open. The goal is to grab the attention of intruders and keep the intruders away from the legitimate network that is hosting valuable resources. Legitimate users wouldn’t access the honeypot, so any access to a honeypot is most likely an unauthorized intruder.
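The point that any contact with a honeypot is itself a high-confidence signal can be turned directly into detection logic. The following is an added example, not code from the study guide: it assumes a simple flow-log format (time, source, destination, port, protocol), a constructed set of decoy addresses, and constructed log lines, and it raises an alert for every flow that reaches a decoy and flags sources that touched several decoys in a honeynet.

```python
import re
from collections import defaultdict

# Addresses of the decoy hosts (constructed for this example, not from the book).
HONEYPOTS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}

# Constructed flow-log lines: time src_ip dst_ip dst_port proto
FLOW_LOG = """\
2024-03-01T09:00:01Z 10.0.1.15 10.0.2.7 443 tcp
2024-03-01T09:00:03Z 10.0.9.44 10.0.5.20 22 tcp
2024-03-01T09:00:04Z 10.0.9.44 10.0.5.21 22 tcp
2024-03-01T09:00:05Z 10.0.9.44 10.0.5.22 445 tcp
2024-03-01T09:00:09Z 10.0.1.15 10.0.2.8 80 tcp
2024-03-01T09:00:12Z 10.0.3.3 10.0.5.20 3389 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_flow(line):
    """Parse one flow-log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def honeypot_alerts(log_text, honeypots=HONEYPOTS):
    """Return one alert per flow whose destination is a honeypot.
    No legitimate user has a reason to reach a decoy, so every hit is
    reported as a probable intrusion rather than scored or thresholded."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and flow["dst"] in honeypots:
            alerts.append({**flow, "severity": "high", "reason": "honeypot contact"})
    return alerts

def sources_sweeping_honeynet(alerts, min_hosts=2):
    """Sources that touched several decoys, consistent with scanning the honeynet."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["src"]].add(a["dst"])
    return {src: sorted(d) for src, d in touched.items() if len(d) >= min_hosts}

if __name__ == "__main__":
    hits = honeypot_alerts(FLOW_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["port"]} {h["severity"]}')
    print(sources_sweeping_honeynet(hits))
```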
In addition to keeping the attacker away from a production environment, the honeypot gives administrators an opportunity to