Re: [CCCure CISSP] CISSP OSG Online Quiz Comment


Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Clement Dupuis
Good day to all,

Today I have received a good question about IDS where someone (in BCC) was telling me IDS are ONLY a passive mechanism and as such they cannot do any blocking or take any action. This is just a misconception.

The answer presented within the quiz is correct. I have researched this topic within the latest version of the CISSP books that I have access to, and ISC2 is very clear on this topic.

Many people have the misconception that an IDS can only record events and has no ability to react. This is NOT true. An IDS could reset a connection when an attack is detected. An IDS could change a rule on the firewall to block the attacker. An IDS could change a rule on a router to block offending traffic as well. IDS do have the ability to take actions, and this is not reserved only for IPS.

The second misconception is that within the ISC2 CBK an IDS is always a detective-only system and does not take any blocking actions; this is not true. The IDS is more limited than an IPS, but they do have the ability to block some of the attacks or traffic. Here is a quote from the ISC2 Official Book Version 3 on the subject:

Intrusion detection and prevention systems are used to identify and respond to suspected security-related events in real-time or near-real-time. Intrusion Detection Systems (IDS) will use available information to determine if an attack is underway, send alerts, and provide limited response capabilities. Intrusion Prevention Systems (IPS) will use available information to determine if an attack is underway, send alerts but also block the attack from reaching its intended target.

NOTE: This is the formal position of ISC2, and having done Intrusion Detection a long time ago I also agree. In this case the question (see below) is specifically referring to the Land Attack, which is never legitimate traffic. To answer this question some knowledge of the old Land Attack is required along with IDS knowledge.

Best regards

Clement


Question number: 2445

Question: Which of the following is a reasonable response from the intrusion detection system when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port?

Comment from the test taker:
The question refers to IDS, not IPS. So, given that IDS is passive and has no ability to block packets, it seems that the given answer is incorrect.


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler
Where is the dividing line between IDS and IPS? I don't believe this distinction would hold true when talking about WIDS and WIPS. Which makes me wonder, if a WIDS is an IDS, shouldn't the exam material be updated, as a WIPS would never transmit?




On Feb 20, 2013, at 4:48 AM, Clement Dupuis <[hidden email]> wrote:


Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim White

Doug,

Thank you for asking the question that all of us were thinking. In the test center, how do we differentiate between “limited response capabilities” and “block the attack from reaching its intended target”?

Seems to me that we’re reduced to the equivalent of SCOTUS Justice Potter Stewart: “Stewart wrote in his short concurrence that "hard-core pornography" was hard to define, but that "I know it when I see it."” (http://en.wikipedia.org/wiki/Potter_Stewart)

Apparently we are supposed to “know it when we see it” concerning the diffuse line between IPS and IDS. Throw in your example of wireless, plus HIDS/NIDS, HIPS/NIPS, and we’ve got another fine kettle of fish.

Another “Close your eyes and pick one” (ISC)2 question? Hopefully, very close reading of the question(s) in the test center will provide some guidance, as is often the case.

Jim

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug Spindler
Sent: Wednesday, February 20, 2013 11:11 AM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler

Jim, I’m in complete agreement with you. In my opinion this cheapens the exam and certification. The following is from Wikipedia: “Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.”

Seems to me this discrepancy should be reported to ISC and Shon so it can be corrected. If not, then this exam becomes a matter of knowing the answers ISC is expecting rather than learning and knowing the material, which cheapens the certification.

Doug Spindler

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.[1]

IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall), or changing the attack's content.[1]

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Jim White
Sent: Wednesday, February 20, 2013 9:31 AM
To: 'The CISSP Study Mailing list'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

clementdupuis
Administrator
In reply to this post by Doug Spindler
Good day Doug,

Good comment.

Most IDS are sniffing on an interface that does not allow any transmission of packets. They are hidden this way and cannot be identified easily by a remote attacker that could attack the IDS directly. Many vulnerabilities related to Libpcap and Winpcap come to mind; on multiple occasions vulnerabilities were found where the packet capture engine could be attacked directly by sending specially crafted packets.

However, most IDS have a second interface for management where they have full transmit abilities. This is how they can interact with tools such as routers and firewalls and change rules that will block the attacker and stop the attack that is ongoing, or send resets on the connection where the attack is coming from.

A WIDS is not a passive device; a good Wireless Intrusion Detection System has the ability to block unauthorized hosts on the network, quarantine them, allow only specific types of devices, and more. They do take action when needed.

I think the definition of Passive versus Active is very clear within most references out there. Yes, IDS can be passive, but they can also be active if the administration wishes to let them take action.

An IPS has at least two network interface cards; the traffic has to be routed from one interface to the other one by the IPS. Many Intrusion Detection Systems such as sensors have a single interface to monitor the traffic; a copy of the packets is sent to the IDS and the other copy is sent to the TCP/IP stack. This is what Libpcap and Winpcap or other packet capture libraries do.


Best regards

Clement




On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]> wrote:

Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com
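Clement's first post sets out the quiz condition (source address and port equal to the destination address and port, the old Land attack) and the responses an IDS can take; the post just above explains the difference between the non-transmitting sniffing interface and the management interface a sensor uses to react. The following is an added example, not code from this thread or from any product it mentions: a Python detector over constructed IPv4 packets that flags the Land condition and lists the sensor's actions in passive versus active mode. The function names, the sample 10.0.0.5 addresses and the action strings are assumptions.

```python
import struct

# Added example, not from the mailing-list thread. Models the quiz condition
# (src addr:port == dst addr:port) and the two sensor wirings the thread
# describes: a sniffing interface that cannot transmit (passive) and a
# management interface that can push resets and firewall changes (active).

TCP, UDP = 6, 17


def build_packet(src, sport, dst, dport, proto=TCP, options=b""):
    """Constructed test input: an IPv4 header plus the first four transport
    bytes (source and destination port). Checksums are left at zero; this is
    sample data for exercising the detector, not captured traffic."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,             # version 4, header length in 32-bit words
        0,                          # TOS
        20 + len(options) + 4,      # total length
        0, 0,                       # identification, flags/fragment offset
        64, proto, 0,               # TTL, protocol, header checksum (unset)
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + options + struct.pack("!HH", sport, dport)


def parse_ports(pkt):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4 TCP or UDP packet,
    or None for anything else. The IHL field is honoured so that IPv4
    options do not shift the port offsets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if ihl < 20 or proto not in (TCP, UDP) or len(pkt) < ihl + 4:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, sport, dst, dport


def is_land_packet(pkt):
    """The Land signature: a packet that claims to come from the very address
    and port it is sent to. No real stack emits this, which is why the thread
    calls it 'never legitimate traffic' and why the rule needs no tuning
    against benign matches."""
    fields = parse_ports(pkt)
    if fields is None:
        return False
    src, sport, dst, dport = fields
    return src == dst and sport == dport


def ids_response(pkt, mode="passive"):
    """Actions a sensor takes for one packet.

    passive: the sniffing interface cannot transmit, so the only output is
             an alert to the console.
    active:  the management interface is used for a TCP reset against the
             offending flow and a firewall rule change.
    In a Land packet the source address is the victim's own address, so
    blacklisting 'the attacker' by source would cut the victim off. The safe
    firewall change is an ingress anti-spoofing rule that drops outside
    packets claiming that address."""
    fields = parse_ports(pkt)
    if fields is None or not is_land_packet(pkt):
        return []
    src, sport, dst, dport = fields
    actions = [f"alert: land packet {src}:{sport} -> {dst}:{dport}"]
    if mode == "active":
        if pkt[9] == TCP:
            actions.append(f"reset: tcp {src}:{sport} -> {dst}:{dport}")
        actions.append(
            f"firewall: drop inbound packets on the external interface "
            f"with spoofed source {src}"
        )
    return actions


if __name__ == "__main__":
    sample = build_packet("10.0.0.5", 139, "10.0.0.5", 139)   # constructed
    for action in ids_response(sample, mode="active"):
        print(action)
```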

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler
Clement,
There are IDSs, IPSs and IDS/IPS systems. Wikipedia and other sources clearly state IDSs are focused on identifying possible incidents, logging information about them, and reporting. Why are ISC and Shon blurring this line between an IDS and IPS? It would be more accurate to say an IPS is an IDS than to say an IDS is an IPS.

Doug Spindler



-----Original Message-----
From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
Dupuis
Sent: Wednesday, February 20, 2013 11:38 AM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment


Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

clementdupuis
Administrator
In reply to this post by Doug Spindler
Good day Doug and Jim,

I would not claim that Wikipedia is the authoritative answer in such a case.

As far as I can remember, IDS always had the ability to take action if an attack was detected, even years before Gartner came out and published their paper entitled "IDS are obsolete", which made a lot of noise about 7 years ago by claiming IPSs would be the way of the future.

If you look back in history, the first ever IDS was an open source IDS from the Naval Surface Warfare Center called SHADOW. To my knowledge, the developers were mainly Stephen Northcutt, Bill Ralph and other people from the Naval Surface Warfare Center. Shadow was then modified to become Dragon, one of the first ever commercial IDS products, from Ron Gula, who later on sold it. These early tools had a very basic ability to reset a connection if an attack was ongoing, or they could change a rule on the firewall by changing an IPChains rule at the time on a Linux computer.

IPS are definitely the big brother of IDS. Many vendors simply added a second interface, forced the traffic to flow through the device inspection engine and started calling themselves IPS instead of IDS.

Today, the issue is largely a moot point as IPS products on the market — which typically rely on IDS detection techniques to flag a problem — tend to operate in a mixed mode, allowing managers to boldly block malicious traffic or passively monitor, or both, depending on the configuration.

It seems ISC2 is treating Intrusion Detection the same as they treat firewalls. One generation at a time, and they do not talk much about the blending we see today where a single product could act as an IPS first, IDS second, or a mix of both modes at the same time.

I totally agree with Doug's conclusion that an IDS cannot be an IPS, but an IPS can certainly be dumbed down to act as an IDS.

Unfortunately there is NOBODY at ISC2 you can talk to about specifics like this. They will simply refer you to their book or their CIB, which does not tell you much.

In any case I doubt very much the exam would even get into that level of detail. It may ask a question about which of the following would be most adept at preventing attacks on a live network, for example. In such a case, as was already mentioned, the choice would be clear.

Fun, Fun, Fun

Clement



On Wed, Feb 20, 2013 at 2:24 PM, Doug Spindler <[hidden email]> wrote:

> Jim I’m in complete agreement with you.  In my opinion this cheapens the
> exam and certification.  The following is from Wikipedia.  “Some systems may
> attempt to stop an intrusion attempt but this is neither required nor
> expected of a monitoring system.”
>
>
>
> Seems to me this discrepancy should be reported to ISC and Shon so it can be
> corrected.  If not, then this exam becomes a matter of knowing the answers
> ISC is expecting rather than learning and knowing the material, which
> cheapens the certification.
>
>
>
> Doug Spindler
>
>
>
>
>
> An intrusion detection system (IDS) is a device or software application that
> monitors network or system activities for malicious activities or policy
> violations and produces reports to a management station. Some systems may
> attempt to stop an intrusion attempt but this is neither required nor
> expected of a monitoring system. Intrusion detection and prevention systems
> (IDPS) are primarily focused on identifying possible incidents, logging
> information about them, and reporting attempts. In addition, organizations
> use IDPSes for other purposes, such as identifying problems with security
> policies, documenting existing threats and deterring individuals from
> violating security policies. IDPSes have become a necessary addition to the
> security infrastructure of nearly every organization.[1]
>
> IDPSes typically record information related to observed events, notify
> security administrators of important observed events, and produce reports.
> Many IDPSes can also respond to a detected threat by attempting to prevent
> it from succeeding. They use several response techniques, which involve the
> IDPS stopping the attack itself, changing the security environment (e.g.
> reconfiguring a firewall), or changing the attack's content.[1]
>
>
>
>
>
>
>
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Jim
> White
> Sent: Wednesday, February 20, 2013 9:31 AM
>
>
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
>
>
> Doug,
>
>
>
> Thank you for asking the question that all of us were thinking. In the test
> center, how do we differentiate between “limited response capabilities” and
> “block the attack from reaching its intended target”?
>
>
>
> Seems to me that we’re reduced to the equivalent of SCOTUS Justice Potter
> Stewart; “Stewart wrote in his short concurrence that "hard-core
> pornography" was hard to define, but that "I know it when I see it."”
> (http://en.wikipedia.org/wiki/Potter_Stewart)
>
>
>
> Apparently we are supposed to “know it when we see it” concerning the
> diffuse line between IPS and IDS. Throw in your example of wireless, plus
> HIDS/NIDS, HIPS/NIPS, and we’ve got another fine kettle of fish.
>
>
>
> Another “Close your eyes and pick one” (ISC)2 question? Hopefully, very
> close reading of the question(s) in the test center will provide some
> guidance, as is often the case.
>
>
>
> Jim
>
>
>
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 11:11 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
>
>
> Where is the dividing line between IDS and IPS?  I don't believe this
> distinction holds true when talking about WIDS and WIPS.  Which makes
> me wonder, if a WIDS is an IDS shouldn't the exam material be updated, as a
> WIPS would never transmit.
>
>
>
>
>
>
> On Feb 20, 2013, at 4:48 AM, Clement Dupuis <[hidden email]>
> wrote:
>
> Good day to all,
>
> Today I have received a good question about IDS where someone (in BCC) was
> telling me IDS are ONLY a passive mechanism and as such they cannot do any
> blocking or take any action.   This is just a misconception.
>
> The answer presented within the quiz is correct, I have researched this
> topic within the latest version of the CISSP books that I have access to and
> ISC2 is very clear on this topic.
>
> Many people have the misconception that an IDS can only record events and
> has no ability to react.   This is NOT true.  An IDS could reset a
> connection when an attack is detected.  An IDS could change a rule on the
> firewall to block the attacker.  An IDS could change a rule on a router to
> block offending traffic as well.   IDS do have the ability to take actions
> and this is not reserved only for IPS.
>
> The second misconception is that within the ISC2 CBK an IDS is always a
> detective only system and does not take any blocking actions, this is not
> true.    The IDS is more limited than IPS but they do have the ability to
> block some of the attacks or traffic.   Here is a quote from the ISC2
> Official Book Version 3 on the subject:
>
> Intrusion detection and prevention systems are used to identify and respond
> to suspected security-related events in real-time or near-real-time.
> Intrusion Detection Systems (IDS) will use available information to
> determine if an attack is underway, send alerts, and provide limited
> response capabilities. Intrusion Prevention Systems (IPS) will use available
> information to determine if an attack is underway, send alerts but also
> block the attack from reaching its intended target.
>
> NOTE:  This is the formal position of ISC2 and having done Intrusion
> Detection a long time ago I also agree.  In this case the question (see
> below) is specifically referring to the Land Attack which is never
> legitimate traffic.   To answer this question some knowledge of the old Land
> Attack is required along with IDS knowledge.
>
> Best regards
>
> Clement
>
>
>
> Question number: 2445
>
> Question: Which of the following is a reasonable response from the intrusion
> detection system when it detects Internet Protocol (IP) packets where the IP
> source address and port is the same as the destination IP address and port?
>
> Comment from the test taker:
> The question refers to IDS, not IPS. So, given that IDS is passive and has
> no ability to block packets, it seems that the given answer is incorrect.
>
>
>

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com
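The post above describes three kinds of sensor: the early receive-only IDS that could at most reset a connection or push a firewall rule from its management side, the inline IPS that forces traffic through its inspection engine, and the mixed-mode product that does either. Here is an added example, written for this page and not taken from the thread or from any product named in it, that puts one detection engine behind all three modes and runs it against the packet from quiz question 2445: a Land attack packet whose source address and port equal its destination address and port. The packets are constructed inline, the mode names and the action strings are illustrative assumptions, and nothing is read from a live interface.

```python
"""Added example (not from the mailing-list thread): one detection engine,
three deployment modes. It flags Land-attack packets (source address:port
identical to destination address:port) and shows what each kind of sensor
can do about them. Sample packets are constructed below; mode names and
action strings are assumptions made for this illustration."""
import socket
import struct
from dataclasses import dataclass

TCP, UDP = 6, 17
SYN = 0x02


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int = SYN) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return ip + tcp


def parse_packet(raw: bytes) -> Packet:
    """Decode just enough of an IPv4 datagram for the check below."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    pkt = Packet(socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]), raw[9])
    if pkt.proto in (TCP, UDP):          # both carry the ports in the first 4 bytes
        pkt.sport, pkt.dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if pkt.proto == TCP:
        pkt.tcp_flags = raw[ihl + 13]    # flags byte of the TCP header
    return pkt


def is_land_attack(pkt: Packet) -> bool:
    """Source and destination address and port identical never occurs in
    legitimate traffic; it is the classic Land denial of service."""
    return pkt.proto in (TCP, UDP) and pkt.src == pkt.dst and pkt.sport == pkt.dport


class Sensor:
    """The same detection logic deployed as a passive tap, an IDS, or an inline IPS."""
    MODES = ("passive", "ids", "ips")

    def __init__(self, mode: str):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.alerts = []    # what the management station receives
        self.actions = []   # responses issued from the management side

    def inspect(self, raw: bytes) -> str:
        """Returns the forwarding verdict for this packet: 'forward' or 'drop'."""
        pkt = parse_packet(raw)
        if not is_land_attack(pkt):
            return "forward"
        self.alerts.append(f"LAND {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} proto {pkt.proto}")
        if self.mode == "passive":
            # Receive-only tap: no transmit path at all, so it can only alert.
            return "forward"
        if self.mode == "ids":
            # Limited response: the packet already reached the host. A TCP reset
            # would go to the spoofed source, i.e. the victim itself, so the useful
            # action is an out-of-band firewall rule that blocks further copies.
            self.actions.append(f"firewall: deny inbound src={pkt.src} dst={pkt.dst}")
            return "forward"
        # Inline IPS: the sensor sits on the path, so the packet is discarded here.
        self.actions.append(f"inline drop src={pkt.src}:{pkt.sport}")
        return "drop"


if __name__ == "__main__":
    land = build_ipv4_tcp("10.0.0.5", "10.0.0.5", 139, 139)
    for mode in Sensor.MODES:
        s = Sensor(mode)
        print(mode, s.inspect(land), s.alerts, s.actions)
```

Running it prints the three verdicts side by side. The IDS mode still returns "forward": by the time a sniffing sensor sees the packet it has already reached the host, so all it can do is alert and change the environment around the victim, which is exactly the "limited response capabilities" the thread argues over. Only the inline mode returns "drop".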

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim White
In reply to this post by Doug Spindler
So...

I'm still not hearing/seeing any definitive differentiator between an IDS
and an IPS that we can take into the test center and apply with confidence
that we can differentiate unequivocally between an IPS and an IDS.
Apparently, it's not the number of interfaces, nor the "active" or "passive"
status of the device. So what can we use to decide if we're discussing an
IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
"I know one when I see one"?

Help, anyone?

Thanks,

Jim

-----Original Message-----
From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
Spindler
Sent: Wednesday, February 20, 2013 1:51 PM
To: 'The CISSP Study Mailing list'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Clement,
There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
clearly state IDSs are focused on identifying possible incidents, logging
information about them, and reporting.  Why are ISC and Shon blurring this
line between an IDS and IPS?  It would be more accurate to say an IPS is an
IDS than to say an IDS is an IPS.

Doug Spindler



-----Original Message-----
From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
Dupuis
Sent: Wednesday, February 20, 2013 11:38 AM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Good day Doug,

Good comment.

Most IDS are sniffing on an interface that does not allow any transmission
of packets.  They are hidden this way and cannot be identified easily by a
remote attacker that could attack the IDS directly.  Many vulnerabilities
related to Libpcap and Winpcap come to mind; on multiple occasions
vulnerabilities were found where the packet capture engine could be attacked
directly by sending specially crafted packets.

However, most IDS have a second interface for management where they have
full transmit abilities.  This is how they can interact with tools such as
routers and firewalls and change rules that will block the attacker and stop
the attack that is ongoing, or send resets on the connection where the attack
is coming from.

A WIDS is not a passive device; a good Wireless Intrusion Detection system
has the ability to block unauthorized hosts on the network, quarantine them,
allow only specific types of devices, and more.
They do take action when needed.

I think the definition of Passive versus Active is very clear within most
references out there.  Yes, IDS can be passive but they can also be active if
the administrators wish to let them take action.

An IPS has at least two network interface cards; the traffic has to be
routed from one interface to the other one by the IPS.  Many Intrusion
Detection Systems such as sensors have a single interface to monitor the
traffic; a copy of the packets is sent to the IDS and the other copy is
sent to the TCP/IP stack.  This is what Libpcap and Winpcap or other packet
capture libraries do.


Best regards

Clement





Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

clementdupuis
Administrator
Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exist at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know it at the time.   I guess we have to fast-forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

SearchSecurity has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler

I have to agree with Jim that the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say that if I were interviewing a candidate for a security position and they didn't know the precise difference between a WIDS and a WIPS system, they wouldn't get the job.

Doug Spindler


From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDS's are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> routers and firewalls and change rules that will block the attacker and stop
> the attack that is ongoing, or send resets on the connection where the attack
> is coming from.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic: a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would holds true when talking about WIDS and WIPS.  Which
>> makes me wonder, if an WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <[hidden email]>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and
>> ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to take actions
>> and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the ability to
>> block some of the attacks or traffic.   Here is a quote from the ISC2
>> Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or
>> near-real-time.
>> Intrusion Detection Systems (IDS) will use available information to
>> determine if an attack is underway, send alerts, and provide limited
>> response capabilities. Intrusion Prevention Systems (IPS) will use
>> available information to determine if an attack is underway, send
>> alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question
>> (see below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
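The Land-attack pattern the quiz question describes, and the IDS-versus-IPS response split argued about in this thread, worked through as an added Python example (this is not code from the list, from ISC2 or from the TechTarget article). The setup is hypothetical: the packets are constructed in the script, a Firewall object stands in for the perimeter device an IDS can reconfigure over its management interface, and the IPS is modelled as the inline device that simply does not forward what it drops.

```python
"""
Land-attack detection with an IDS-style versus an IPS-style response.

Added illustration for this thread, not code from the mailing list, ISC2 or
TechTarget. Assumed (hypothetical) setup: raw IPv4/TCP packets arrive as
bytes; Firewall stands in for the perimeter device an IDS can reconfigure
over its management interface; an IPS sits inline and drops what it blocks.
"""
import ipaddress
import struct

TCP_SYN = 0x02


def build_ipv4_tcp(src, dst, sport, dport, flags=TCP_SYN):
    """Construct a minimal 40-byte IPv4+TCP packet (no options, checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # not TCP, or truncated TCP header
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                        # TCP flags byte
    return src, dst, sport, dport, flags


def is_land_packet(pkt):
    """The quiz's criterion: source address and port equal destination address and port."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    src, dst, sport, dport, _flags = hdr
    return src == dst and sport == dport


class Firewall:
    """Perimeter device; adding a rule here is the IDS's only way to block anything."""
    def __init__(self):
        self.blocked_sources = set()

    def permits(self, pkt):
        hdr = parse_ipv4_tcp(pkt)
        return hdr is None or hdr[0] not in self.blocked_sources


class Sensor:
    def __init__(self, mode, firewall):
        assert mode in ("ids", "ips")
        self.mode, self.firewall, self.alerts = mode, firewall, []

    def handle(self, pkt):
        """Return what happened to this packet from the target's point of view."""
        if not self.firewall.permits(pkt):
            return "blocked-by-firewall"
        if not is_land_packet(pkt):
            return "delivered"
        src = parse_ipv4_tcp(pkt)[0]
        self.alerts.append(f"LAND: {src} to itself")
        if self.mode == "ips":
            return "dropped-inline"               # inline: never reaches the target
        # IDS: it only saw a copy, so this packet already reached the stack.
        # Its limited response is a rule on the firewall so the NEXT one is
        # stopped. Caveat: a Land source is spoofed, so blocking "the source"
        # on sight is exactly the self-inflicted DoS active response can cause.
        self.firewall.blocked_sources.add(src)
        return "delivered-then-alerted"


def run(mode):
    """Feed the same three constructed packets through a sensor in the given mode."""
    packets = [
        build_ipv4_tcp("10.0.0.5", "10.0.0.8", 40000, 80),   # ordinary SYN
        build_ipv4_tcp("10.0.0.8", "10.0.0.8", 139, 139),    # Land: src==dst, sport==dport
        build_ipv4_tcp("10.0.0.8", "10.0.0.8", 139, 139),    # the same attack again
    ]
    sensor = Sensor(mode, Firewall())
    return [sensor.handle(p) for p in packets], len(sensor.alerts)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

Run it to see the two modes side by side: the IDS only sees a copy, so the first Land packet reaches the stack and only the repeat is stopped, by the firewall rule the IDS pushed over its management side; the IPS drops both inline and the target never sees them. Production rule engines express the same check directly (Snort's sameip rule option matches a source address equal to the destination address). The caveat on the IDS's active response is as old as Land itself: the source address in such a packet is forged, so a sensor that blocks whatever source it sees can be steered into blocking legitimate hosts, which is why active responses are normally gated, scoped or rate-limited rather than automatic.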

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Leif Palmer
Jim,
 
Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.
 
Simple answer is: one is more proactive than the other, plain and simple.
Keep your wits about you and use common sense (past experience and exposure is a good guide here).
 
Respectfully,

Leif
 
From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

I have to agree with Jim: the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say that if I were interviewing a candidate for a security position and they didn't know the precise difference between a WIDS and a WIPS system, they wouldn't get the job.
 
Doug Spindler
 
 
Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler

Thanks

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Leif Palmer
Sent: Wednesday, February 20, 2013 3:24 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Jim,

 

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

 

Simple answer is; one is more proactive than the other-plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

 

Respectfully,

Leif

 

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment



I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.

 

Doug Spindler

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious uses cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <jwhite@...> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:cisspstudy-bounces@...] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDS's are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:cisspstudy-bounces@...] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> Router and Firewalls and change rules that will block the attacker and stop
> the attack that is ongoing or send resets on the connection where the attack
> is coming.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic; a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <doug.spindler@...>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <clement.dupuis@...>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and
>> ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the ability to
>> block some of the attacks or traffic.   Here is a quote from the ISC2
>> Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or near-real-time.
>> Intrusion Detection Systems (IDS) will use available information to
>> determine if an attack is underway, send alerts, and provide limited
>> response capabilities. Intrusion Prevention Systems (IPS) will use
>> available information to determine if an attack is underway, send
>> alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question
>> (see below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> CISSPstudy@...
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>>
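The quiz question quoted in the post above describes the Land pattern (a packet whose source address and port are identical to its destination address and port), and Clement's message argues that an IDS fed from a passive tap can still take a limited response such as a reset or a firewall rule change. As an added example, not code from the thread, from ISC2 or from any vendor: a small Python check that parses raw IPv4/TCP headers the way a libpcap-style sensor sees them, flags the pattern, and picks the response according to whether the sensor is configured passive (alert only) or active. The packet builder, the Flow type, the mode names and the response labels are this example's own assumptions.

```python
"""Passive-tap IDS check for the Land pattern (src IP/port == dst IP/port).

Added example; not code from the mailing-list thread. The packet builder,
field layouts, mode names and response labels are this example's own
assumptions, not any product's API.
"""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_ipv4_tcp(pkt: bytes) -> Optional[Flow]:
    """Extract the TCP 4-tuple from a raw IPv4 packet (no link-layer header).

    Returns None for anything that is not IPv4 over TCP or is truncated, so
    the sensor never alerts on a header it could not actually read.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                            # header length incl. IP options
    if ihl < 20 or len(pkt) < ihl + 4 or pkt[9] != 6:   # protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Flow(src, sport, dst, dport)


def is_land_pattern(flow: Flow) -> bool:
    """The quiz's condition: source address and port equal destination address and port."""
    return flow.src == flow.dst and flow.sport == flow.dport


def choose_response(flow: Flow, mode: str) -> str:
    """Limited response an IDS can take, in the spirit of the ISC2 wording quoted in the thread.

    'passive' only alerts; 'active' also picks an action (reset or block).
    For the Land pattern the source address is forged to equal the victim's
    own, so "block the source address" would cut the protected host off from
    itself: the action is to drop packets matching the pattern, never the IP.
    """
    if mode == "passive":
        return "alert-only"
    if mode != "active":
        raise ValueError("mode must be 'passive' or 'active'")
    if is_land_pattern(flow):
        return "drop-matching-packets"
    return "reset-connection"        # generic active response for other TCP alerts


def inspect_packet(pkt: bytes, mode: str = "passive") -> Optional[dict]:
    """Return an alert record for a Land-pattern packet, or None if nothing fires."""
    flow = parse_ipv4_tcp(pkt)
    if flow is None or not is_land_pattern(flow):
        return None
    return {"signature": "land-pattern", "flow": flow,
            "response": choose_response(flow, mode)}


def build_ipv4_tcp(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Constructed sample packet for offline testing: IPv4 + TCP SYN, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples on documentation addresses; nothing is sent on a wire.
    land = build_ipv4_tcp("192.0.2.10", 139, "192.0.2.10", 139)
    normal = build_ipv4_tcp("198.51.100.5", 40000, "192.0.2.10", 80)
    print(inspect_packet(land, mode="active"))
    print(inspect_packet(normal, mode="active"))
```

The design point is the one the thread keeps circling: the same sensor can be run alert-only or with a response, and the mode is an administrative choice rather than a property of the box. The caveat worth remembering for this particular signature is in choose_response: an automated "block the attacker's address" response is self-defeating when the attacker's address is a forgery of the victim's own.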

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim White
In reply to this post by Leif Palmer

Leif,

Agreed. I passed the exam back in ’09, but had to let my cert lapse; I am preparing to re-test shortly. I agree that we are splitting hairs in this discussion and going into far greater detail than the (ISC)2 exam is likely to go. I found the actual exam to be both fair and (mostly) unambiguous. Remember, what we’re discussing here is not the quality of an actual exam question, but instead a practice question, from a pool of thousands, that (ISC)2 is not in any way responsible for.

Jim

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Leif Palmer
Sent: Wednesday, February 20, 2013 5:24 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim,

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

Simple answer is: one is more proactive than the other, plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

Respectfully,

Leif

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment



I have to agree with Jim, the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say that if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and a WIPS system, they wouldn’t get the job.

Doug Spindler

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.  The term IPS did not even exist at the time when I was using IDS with traffic blocking abilities.  I was using an IPS but I did not know it at the time.  I guess we have to fast-forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted on my results.

SearchSecurity has an interesting article with a lot of common sense in it; see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement



Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Richard Rieben
In reply to this post by Leif Palmer
Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (i.e. info security management handbook) but like Leif said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try not to do it.  This applies to the entire CISSP CBK.

Also, thanks to Clement for this great forum.

R-

* * * * * * * *
Richard Rieben, CISSP, PMP, FITSP-M
http://www.linkedin.com/in/rrieben
* * * * * * * *


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim,
 
Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.
 
Simple answer is; one is more proactive than the other-plain and simple.
Keep your wits about you and use common sense (past experience and exposure is a good guide here).
 
Respectfully,

Leif
 
From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.
 
Doug Spindler
 
 
From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
 
Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious uses cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <jwhite@...> wrote:

> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:cisspstudy-bounces@...] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDS's are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:cisspstudy-bounces@...] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> routers and firewalls and change rules that will block the attacker and stop
> the attack that is ongoing, or send resets on the connection where the attack
> is coming from.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administrators wish to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic: a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <doug.spindler@...>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <clement.dupuis@...>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the
>> ability to block some of the attacks or traffic.   Here is a quote from
>> the ISC2 Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or
>> near-real-time. Intrusion Detection Systems (IDS) will use available
>> information to determine if an attack is underway, send alerts, and
>> provide limited response capabilities. Intrusion Prevention Systems (IPS)
>> will use available information to determine if an attack is underway,
>> send alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question
>> (see below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> CISSPstudy@...
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>>
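
An added example, not from the thread or the quiz, of what the detection side of question 2445 looks like in code: the check a network IDS makes for an IP packet whose source address and port equal its destination address and port, run over a few constructed headers, together with the actions a passive sensor and a sensor with a transmitting management interface would take on a match. It goes slightly beyond the classic Land SYN by also checking UDP, which the question's wording ("IP packets") covers. The addresses, the interface name `eth0` and the action strings are illustrative assumptions; the quiz's own answer is not reproduced here.

```python
"""Added example (not from the thread or the quiz): the check a network IDS
makes for the packets question 2445 describes, and what a sensor does with a
match depending on whether it has an active-response channel."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # version/IHL .. proto .. src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")       # sport, dport, seq, ack, off, flags, win, csum, urg
UDP_HDR = struct.Struct("!HHHH")            # sport, dport, length, csum
EXT_IFACE = "eth0"                          # assumed name of the outside interface


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(pkt: bytes) -> Optional[Flow]:
    """Decode just enough of an IPv4 packet to get the 5-tuple.
    Returns None for anything that is not IPv4 carrying TCP or UDP, or
    that is too short to hold the ports (a truncated capture must never
    produce a false match)."""
    if len(pkt) < IPV4_HDR.size:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto not in (6, 17):
        return None
    if len(pkt) < ihl + 4:          # both TCP and UDP put the two ports first
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return Flow(proto, str(ipaddress.IPv4Address(src)), sport,
                str(ipaddress.IPv4Address(dst)), dport)


def is_land_packet(flow: Flow) -> bool:
    """Land attack: source address and port equal destination address and
    port. Nothing legitimate looks like this on the wire, so the match needs
    no baseline or session state; a signature engine fires on one packet."""
    return flow.src == flow.dst and flow.sport == flow.dport


def ids_response(pkt: bytes, active_response: bool) -> List[str]:
    """Actions for one packet. A passive sensor can only alert; one with a
    transmitting management interface can also push a rule to the firewall.
    The action strings are illustrative, not any product's output."""
    flow = parse_flow(pkt)
    if flow is None or not is_land_packet(flow):
        return []
    actions = [f"ALERT land attack {flow.src}:{flow.sport} -> "
               f"{flow.dst}:{flow.dport} proto {flow.proto}"]
    if active_response:
        # The forged source *is* the victim, so "block the attacker's IP"
        # would firewall the victim's own address. The useful rule is an
        # anti-spoofing one: the outside interface must never see our own
        # address as a source.
        actions.append(f"FIREWALL iptables -A INPUT -i {EXT_IFACE} "
                       f"-s {flow.dst} -j DROP")
    return actions


def raw_packet(src: str, sport: int, dst: str, dport: int, proto: int = 6) -> bytes:
    """Constructed sample input: minimal headers, checksums left at zero
    (parse_flow never validates them)."""
    if proto == 6:
        l4 = TCP_HDR.pack(sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # bare SYN
    else:
        l4 = UDP_HDR.pack(sport, dport, UDP_HDR.size, 0)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return ip + l4


if __name__ == "__main__":
    # Constructed traffic: a classic Land SYN against NetBIOS, a UDP variant
    # and an ordinary connection. Addresses are from documentation ranges.
    samples = [raw_packet("192.0.2.10", 139, "192.0.2.10", 139),
               raw_packet("192.0.2.10", 53, "192.0.2.10", 53, proto=17),
               raw_packet("198.51.100.7", 40000, "192.0.2.10", 139)]
    for pkt in samples:
        print(ids_response(pkt, active_response=True) or ["no match"])
```

Snort expresses the same test with its `sameip` rule option. The caveat in `ids_response` is the part worth remembering: because the forged source address is the victim's own, an automated "block the source" response fires at the wrong host, which is why the sensible rule for Land is an anti-spoofing drop on the border interface rather than a per-attacker block.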

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler
In reply to this post by Jim White

If it’s not a question on the exam, why is there a practice test question on it?

Doug Spindler

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Jim White
Sent: Wednesday, February 20, 2013 3:43 PM
To: 'Leif Palmer'; 'The CISSP Study Mailing list'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Leif,

Agreed. I passed the exam back in ’09, but had to let my cert lapse; I am preparing to re-test shortly. I agree that we are splitting hairs in this discussion and going into far greater detail than the (ISC)2 exam is likely to go. I found the actual exam to be both fair and (mostly) unambiguous. Remember, what we’re discussing here is not the quality of an actual exam question, but instead a practice question, from a pool of thousands, that (ISC)2 is not in any way responsible for.

Jim

From: CISSPstudy [[hidden email]] On Behalf Of Leif Palmer
Sent: Wednesday, February 20, 2013 5:24 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim,

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

The simple answer is: one is more proactive than the other, plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

Respectfully,

Leif

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

I have to agree with Jim that the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say that if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and a WIPS system, they wouldn’t get the job.

Doug Spindler

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.  The term IPS did not even exist at the time when I was using IDS with traffic blocking abilities.  I was using an IPS but I did not know it at the time.  I guess we have to fast forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted on my results.

SearchSecurity has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <jwhite@...> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
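
Clement's "send resets on the connection" is the one active response a monitor-port sensor can make without sitting in the forwarding path, and it is also where Jim's litmus test lives: an out-of-band sensor can only inject a reply after the packet it saw has already been delivered, whereas an inline device drops the packet before delivery. As an added example (not from the thread or any product), this builds the pair of TCP resets such a sensor would inject for a segment it has copied off the wire, with the sequence numbers and checksums a receiving stack will accept, using only the standard library. The addresses, ports and request are constructed; nothing is sent (that would need a raw socket and privileges on the management interface).

```python
"""Added example (not from the thread): the two TCP resets an out-of-band
sensor injects through its transmitting interface to tear down a flow it has
only seen a copy of. Standard library only; the segment it reacts to is
constructed below, and nothing is put on the wire."""
import ipaddress
import struct
from typing import Tuple

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
TCP_HDR = struct.Struct("!HHIIBBHHH")
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; data whose checksum field is already
    correct sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src: bytes, sport: int, dst: bytes, dport: int,
                  seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """IPv4 + TCP (no options) with both checksums filled in."""
    tcp = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt: bytes):
    """(src, sport, dst, dport, seq, ack, flags, payload_len) of an IPv4/TCP packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags, _, _, _ = TCP_HDR.unpack_from(pkt, ihl)
    return src, sport, dst, dport, seq, ack, flags, total_len - ihl - (off >> 4) * 4


def checksums_ok(pkt: bytes) -> bool:
    """Recompute both checksums the way the receiving stack will."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    tcp = pkt[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def reset_pair(observed: bytes) -> Tuple[bytes, bytes]:
    """From one copied segment, craft a RST for each endpoint, each spoofing
    the other side. A RST is only honoured if its sequence number is what the
    receiver expects next (RFC 793; RFC 5961 narrows this to an exact match
    on current stacks), so the numbers are derived from the segment just
    seen. By the time these go out, that segment has already been delivered:
    a sensor on a mirror port reacts, an inline IPS would have dropped it."""
    src, sport, dst, dport, seq, ack, flags, plen = parse_segment(observed)
    # The receiver's rcv.nxt once it has consumed the observed segment.
    next_seq = (seq + plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)) & 0xFFFFFFFF
    to_receiver = build_segment(src, sport, dst, dport, next_seq, 0, TCP_RST)
    # The sender's rcv.nxt is whatever it acknowledged in the observed segment.
    to_sender = build_segment(dst, dport, src, sport, ack, next_seq, TCP_RST | TCP_ACK)
    return to_receiver, to_sender


def sample_observed() -> bytes:
    """Constructed: a request copied off the mirror port, client
    10.0.0.5:40000 to server 10.0.0.9:80 (assumed addresses)."""
    client = ipaddress.IPv4Address("10.0.0.5").packed
    server = ipaddress.IPv4Address("10.0.0.9").packed
    return build_segment(client, 40000, server, 80, seq=1000, ack=5000,
                         flags=TCP_ACK, payload=b"GET / HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    for rst in reset_pair(sample_observed()):
        src, sport, dst, dport, seq, ack, flags, _ = parse_segment(rst)
        print(f"{ipaddress.IPv4Address(src)}:{sport} -> {ipaddress.IPv4Address(dst)}:{dport}"
              f" seq={seq} ack={ack} flags=0x{flags:02x} checksums_ok={checksums_ok(rst)}")
```

Run it to print both resets. The design point is the sequence numbers: a reset outside the receiver's expected sequence is ignored (and on RFC 5961 stacks answered with a challenge ACK rather than acted on), so a sensor has to track flow state to reset a session. That tracking, and the fact that the offending segment has already arrived, is the practical difference between a sensor that reacts and a device that prevents.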

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler
In reply to this post by Richard Rieben

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previously stated.

Doug

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (i.e. the Information Security Management Handbook) but, like Leif said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try not to do it. - This applies to the entire CISSP CBK.

Also, thanks to Clement for this great forum.

R-

* * * * * * * *

Richard Rieben, CISSP, PMP, FITSP-M

* * * * * * * *

 


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Jim,

 

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

 

Simple answer is; one is more proactive than the other-plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

 

Respectfully,

Leif

 

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.

 

Doug Spindler

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious uses cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDS's are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap comes to mind, at multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> Router and Firewalls and change rules that will block the attacker and stop
> the attack that is ongoing or send resets on the connection where the attack
> is coming.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic; a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <[hidden email]>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and
>> ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the
>> ability to block some of the attacks or traffic.   Here is a quote from
>> the ISC2 Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or near-real-time.
>> Intrusion Detection Systems (IDS) will use available information to
>> determine if an attack is underway, send alerts, and provide limited
>> response capabilities. Intrusion Prevention Systems (IPS) will use
>> available information to determine if an attack is underway, send
>> alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question (see
>> below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> [hidden email]
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
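Two points from the exchange above can be made concrete: Clement's description of the deployment difference (an IDS sensor sees a copy of each packet while the original continues to the host's TCP/IP stack, so it can only react out-of-band over its management interface, whereas an inline IPS forwards traffic between two interfaces and can refuse to forward a packet), and the Land condition from question 2445 (IP source address and port identical to the destination address and port). The Python below is an added example written for this page; it is not code from the list, from (ISC)2 material or from any IDS product. The packet builder, the `SensorMode` names and the action strings are constructed for illustration, the sample addresses are from the documentation range, and checksums are left at zero because the parser does not verify them.

```python
"""Land-packet detection and the IDS/IPS response models discussed in the thread.

Constructed example: the packets below are built in memory; nothing is sent.
"""
import ipaddress
import struct
from dataclasses import dataclass
from enum import Enum


class SensorMode(Enum):
    """How the sensor is deployed (the distinction drawn in the thread)."""
    IDS_PASSIVE = "ids-passive"  # single sniffing interface, no transmit: alert only
    IDS_ACTIVE = "ids-active"    # sniffing interface plus management interface: out-of-band response
    IPS_INLINE = "ips-inline"    # traffic is forwarded between two interfaces: inline drop


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def build_ipv4_tcp(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                   flags: int = 0x02) -> bytes:
    """Build a minimal 40-byte IPv4+TCP header pair for the demo (checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        40,              # total length: 20-byte IP header + 20-byte TCP header
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        6,               # protocol: TCP
        0,               # header checksum (not verified by the parser)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,            # sequence and acknowledgement numbers
        5 << 4,          # data offset 5 (20 bytes), reserved bits zero
        flags,           # SYN by default
        8192,            # window
        0, 0,            # checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(raw: bytes) -> TcpPacket:
    """Extract the fields a Land signature needs from a raw IPv4/TCP packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not TCP")
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    tcp = raw[ihl:ihl + 20]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return TcpPacket(
        src_ip=str(ipaddress.IPv4Address(raw[12:16])),
        dst_ip=str(ipaddress.IPv4Address(raw[16:20])),
        src_port=src_port,
        dst_port=dst_port,
        flags=tcp[13],
    )


def is_land_packet(pkt: TcpPacket) -> bool:
    """Land signature from question 2445: source and destination address and port identical."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def respond(pkt: TcpPacket, mode: SensorMode) -> list[str]:
    """Return the actions a sensor in the given mode can take for a Land packet.

    The packet an IDS examines is a copy; the original has already reached the
    host's TCP/IP stack, so an IDS can only react after the fact, whereas an
    inline IPS holds the packet and can decline to forward it.
    """
    if not is_land_packet(pkt):
        return []
    actions = [f"alert: LAND packet {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"]
    if mode is SensorMode.IDS_ACTIVE:
        # Out-of-band response over the management interface. A TCP reset is
        # pointless here because the source address is forged (it is the victim
        # itself), so the useful action is a filter rule on the upstream device.
        actions.append(f"push-rule: drop inbound packets claiming source {pkt.dst_ip}")
    elif mode is SensorMode.IPS_INLINE:
        actions.append("drop: packet not forwarded to the protected host")
    return actions


if __name__ == "__main__":
    land = parse_ipv4_tcp(build_ipv4_tcp("192.0.2.10", 139, "192.0.2.10", 139))
    for mode in SensorMode:
        print(mode.value, respond(land, mode))
```

Running the block prints one line per mode; the passive sensor only alerts, the active IDS adds a rule push, and the inline IPS adds a drop verdict. The point of the `respond` comment is the caveat a practitioner would raise on this particular quiz question: because a Land packet's source is forged, the "reset the connection" response an active IDS normally has available does nothing useful, while a filter rule or an inline drop does.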

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim White

Somehow, I’m reminded of this fairly recent moment in American history: https://www.youtube.com/watch?v=j4XT-l-_3y0

 

Jim

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug Spindler
Sent: Wednesday, February 20, 2013 7:03 PM
To: 'Richard Rieben'; 'The CISSP Study Mailing list'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previously stated.


Doug

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (i.e. info security management handbook) but like Leif said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

 

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

 

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try to not do it. - This applies to the entire CISSP CBK.

 

Also, thanks to Clement for this great forum.

 

R-

 

* * * * * * * *

Richard Rieben, CISSP, PMP, FITSP-M

* * * * * * * *

 


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Jim,

 

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

 

The simple answer is: one is more proactive than the other, plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

 

Respectfully,

Leif

 

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

I have to agree with Jim, the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say that if I were interviewing a candidate for a security position and they didn't know the precise difference between a WIDS and a WIPS system, they wouldn't get the job.

 

Doug Spindler

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exist at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know it at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

SearchSecurity has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently detect dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler

Not quite the same thing. I don't think he was paying $600 to take an exam.

 

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Jim White
Sent: Wednesday, February 20, 2013 5:11 PM
To: 'The CISSP Study Mailing list'; 'Richard Rieben'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Somehow, I’m reminded of this fairly recent moment in American history: https://www.youtube.com/watch?v=j4XT-l-_3y0

 

Jim

 

From: CISSPstudy [[hidden email]] On Behalf Of Doug Spindler
Sent: Wednesday, February 20, 2013 7:03 PM
To: 'Richard Rieben'; 'The CISSP Study Mailing list'
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previous stated.


Doug

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (ie. info security management handbook) but like Lief said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

 

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

 

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try to not do it. - This applies to the entire CISSP CBK.

 

Also, thanks to Clement for this great forum.

 

R-

 

* * * * * * * *

Richard Rieben, CISSP, PMP, FITSP-M

* * * * * * * *

 


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Jim,

 

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

 

Simple answer is; one is more proactive than the other-plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

 

Respectfully,

Leif

 

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.

 

Doug Spindler

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious uses cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <
[hidden email]> wrote:


> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDSs are focused on identifying possible incidents, logging
> information about them, and reporting.  Why are ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> Router and Firewalls and change rules that will block the attacker and stop
> the attack that is ongoing or send resets on the connection where the attack
> is coming.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic; a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis <[hidden email]> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and
>> ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the ability to
>> block some of the attacks or traffic.   Here is a quote from the ISC2
>> Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or near-real-time.
>> Intrusion Detection Systems (IDS) will use available information to
>> determine if an attack is underway, send alerts, and provide limited
>> response capabilities. Intrusion Prevention Systems (IPS) will use
>> available information to determine if an attack is underway, send
>> alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question (see
>> below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
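As an added example for the thread above (not code from the list, from ISC2 or from any IDS product): a small Python sensor model that parses a constructed IPv4/TCP header, applies the signature behind question 2445 (source address and port identical to the destination address and port, the Land attack) and responds the way the two deployment modes discussed in the thread allow. It assumes an "ids" mode that only sees a copy of the packet and answers out-of-band with an alert, a TCP reset and a firewall rule, as Clement describes, and an "ips" mode that is inline and drops; the `Flow`/`Verdict` types, the action strings and the RFC 5737 sample addresses are all constructed for this illustration.

```python
"""Land-attack signature with IDS-style versus IPS-style response (constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass, field

TCP = 6  # IPv4 protocol number for TCP


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_ipv4_tcp(raw: bytes) -> Flow:
    """Decode the IPv4 and TCP headers of one packet (no link-layer header)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, IP options included
    if ihl < 20 or len(raw) < ihl + 4:
        raise ValueError("bad IHL or truncated TCP header")
    if proto != TCP:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Flow(str(ipaddress.IPv4Address(src)), sport,
                str(ipaddress.IPv4Address(dst)), dport)


def is_land_packet(flow: Flow) -> bool:
    """Condition from quiz question 2445: source address AND port equal destination address AND port."""
    return flow.src == flow.dst and flow.sport == flow.dport


@dataclass
class Verdict:
    delivered: bool                              # did the packet reach the protected host?
    actions: list = field(default_factory=list)  # what the sensor did about it


def inspect(raw: bytes, mode: str) -> Verdict:
    """Apply the Land signature and respond as the sensor's deployment allows.

    mode="ids": the sensor sees a copy from a non-transmitting capture interface,
    so the original has already reached the stack; responses leave via the
    management interface (alert, TCP reset, firewall rule), as the thread describes.
    mode="ips": the sensor is inline between two interfaces and can drop.
    """
    try:
        flow = parse_ipv4_tcp(raw)
    except ValueError as exc:
        # Malformed headers are alert-worthy on their own; only an inline device can drop them.
        return Verdict(delivered=(mode == "ids"), actions=[f"alert: malformed packet ({exc})"])
    if not is_land_packet(flow):
        return Verdict(delivered=True)
    alert = f"alert: Land attack {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}"
    if mode == "ips":
        return Verdict(delivered=False, actions=[alert, "drop"])
    return Verdict(delivered=True, actions=[
        alert,
        f"tcp-reset {flow.src}:{flow.sport}",   # illustrative action names, not a real IDS API
        f"firewall-rule deny host {flow.src}",
    ])


def build_packet(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN header pair for sensor testing (checksums zeroed, never sent)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


# Constructed samples using RFC 5737 documentation addresses.
LAND_SAMPLE = build_packet("198.51.100.7", 139, "198.51.100.7", 139)
SAME_HOST_SAMPLE = build_packet("198.51.100.7", 40000, "198.51.100.7", 22)  # ports differ: not Land
BENIGN_SAMPLE = build_packet("203.0.113.10", 51515, "198.51.100.7", 80)

if __name__ == "__main__":
    for name, pkt in (("land", LAND_SAMPLE), ("same-host", SAME_HOST_SAMPLE), ("benign", BENIGN_SAMPLE)):
        for mode in ("ids", "ips"):
            print(f"{name:9s} {mode}: {inspect(pkt, mode)}")
```

The same-host sample shows why the question spells out both address and port: identical addresses with different ports are not the Land pattern and raise nothing.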



Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim White
In reply to this post by Richard Rieben

Richard,

I agree wholeheartedly that all that matters on the exam is the CBK. With that in mind, can you please post a page reference from the CBK to support your statement that “IDS is a PASSIVE device and an IPS is an ACTIVE device”? Not that I disagree, but I would like to have some reinforcement from (ISC)2.

Thank you,

Jim

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 5:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (i.e. info security management handbook) but like Leif said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try to not do it. - This applies to the entire CISSP CBK.

Also, thanks to Clement for this great forum.

R-

* * * * * * * *
Richard Rieben, CISSP, PMP, FITSP-M
* * * * * * * *

From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim,

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

Simple answer is: one is more proactive than the other, plain and simple.
Keep your wits about you and use common sense (past experience and exposure is a good guide here).

Respectfully,

Leif

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

I have to agree with Jim that the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and a WIPS system, they won’t get the job.

Doug Spindler


Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Richard Rieben
In reply to this post by Doug Spindler
We can probably find 357 different sources, and even some within the CISSP CBK that contradict each other (remember, the OIG is not the CISSP CBK, it is simply a guide to it.) Even the various responses in this email chain contain directly conflicting descriptions of the capabilities of an IDS vs. an IPS.

My opinion: If you approach the exam with the general mentality that IPS does not equal IDS and realize that IPS is considered a more responsive (and more "active") solution than IDS, then I think you're on the right track.

Remember - this is a management-level exam, not a technical one in which you're going to be plopped in front of a device and asked "What is it? IDS or IPS?"

R-

* * * * * * * *
Richard Rieben, CISSP, PMP, FITSP-M
http://www.linkedin.com/in/rrieben
* * * * * * * *


From: Doug Spindler <[hidden email]>
To: 'Richard Rieben' <[hidden email]>; 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 8:02 PM
Subject: RE: [CCCure CISSP] CISSP OSG Online Quiz Comment

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previously stated.

Doug

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
 
Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (ie. info security management handbook) but like Lief said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.
 
On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.
 
Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try to not do it. - This applies to the entire CISSP CBK.
 
Also, thanks to Clement for this great forum.
 
R-
 
* * * * * * * *
Richard Rieben, CISSP, PMP, FITSP-M
* * * * * * * *
 

From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
 
Jim,
 
Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.
 
Simple answer is; one is more proactive than the other-plain and simple.
Keep your wits about you and use common sense (past experience and exposure is a good guide here).
 
Respectfully,

Leif
 
From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
 
I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.
 
Doug Spindler
 
 
From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
 
Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:

> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDSs are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> Router and Firewalls and change rules that will block the attacker and stop
> the attack that is ongoing or send resets on the connection where the attack
> is coming.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic; a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <[hidden email]>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the
>> ability to block some of the attacks or traffic.   Here is a quote from
>> the ISC2 Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or
>> near-real-time. Intrusion Detection Systems (IDS) will use available
>> information to determine if an attack is underway, send alerts, and
>> provide limited response capabilities. Intrusion Prevention Systems (IPS)
>> will use available information to determine if an attack is underway,
>> send alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question (see
>> below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> [hidden email]
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
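As an added example, not part of this post, the quiz, or the (ISC)2 material: the LAND check behind question 2445 and the three responses the thread says an IDS can take (alert, reset the connection, push a firewall rule), written in Python over packets constructed in memory. The sample packets, the `eth0` interface name and the iptables rule string are assumptions for illustration; nothing is put on the wire. The example goes one step beyond the question by including a host talking to itself on two different ports, to show that the LAND condition requires both the address and the port to match.

```python
"""LAND-packet detection with the IDS responses discussed in the thread.

Added example, not code from the mailing list or from (ISC)2.  Builds a few
IPv4/TCP packets in memory (constructed sample data, not a real capture),
flags the one whose source IP:port equals its destination IP:port, and
produces the responses a sensor with a transmit-capable interface could
fire: an alert, a TCP RST for the flow, and a firewall rule.  The iptables
rule and the interface name "eth0" are hypothetical; packets are never sent.
"""
import ipaddress
import struct

TCP_SYN = 0x02
TCP_RST = 0x04


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """20-byte IPv4 header + 20-byte TCP header, no options, no payload."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode only the fields the LAND check and the responses need."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB",
                                                     pkt[ihl:ihl + 14])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags}


def is_land(p: dict) -> bool:
    """LAND needs BOTH address and port to match.  A host talking to itself
    on two different ports (a local proxy, for instance) is ordinary."""
    return p["src"] == p["dst"] and p["sport"] == p["dport"]


def build_rst(p: dict) -> bytes:
    """RST spoofed in the offending packet's direction so the target tears
    the flow down.  A RST is only honoured if its sequence number is in
    window, so advance past a SYN (which consumes one sequence number)."""
    nxt = p["seq"] + (1 if p["flags"] & TCP_SYN else 0)
    return build_ipv4_tcp(p["src"], p["dst"], p["sport"], p["dport"],
                          TCP_RST, seq=nxt)


def firewall_rule(p: dict, ext_if: str) -> str:
    """Rule an IDS could push over its management interface.  For LAND the
    'attacker' address is the victim's own, so blocking it globally would
    cut the victim off; the right rule is anti-spoofing: drop packets that
    arrive on the external interface claiming an internal source."""
    return "iptables -I INPUT -i %s -s %s -j DROP" % (ext_if, p["src"])


def analyze(packets) -> list:
    """Run the detector over raw packets; one alert dict per LAND packet."""
    alerts = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if is_land(p):
            alerts.append({"msg": "LAND attack: %s:%d -> itself"
                                  % (p["src"], p["sport"]),
                           "packet": p,
                           "rst": build_rst(p),
                           "rule": firewall_rule(p, "eth0")})
    return alerts


# Constructed sample traffic: a normal SYN, a self-connection on different
# ports (legitimate), and a classic LAND packet to port 139.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN, seq=1000),
    build_ipv4_tcp("10.0.0.10", "10.0.0.10", 52000, 3128, TCP_SYN, seq=2000),
    build_ipv4_tcp("10.0.0.10", "10.0.0.10", 139, 139, TCP_SYN, seq=3000),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_PACKETS):
        print(a["msg"])
        print("  rst :", a["rst"].hex())
        print("  rule:", a["rule"])
```

Two practical notes. A sensor listening on a receive-only span or tap interface can raise the alert but cannot emit the RST; injecting it needs the second, transmit-capable interface Clement describes (in Snort the same check is the `sameip` rule option, with the `resp` option used for the reset). And the anti-spoofing rule belongs on the border firewall regardless of the IDS: a packet arriving from outside with an internal source address is never legitimate, which is why a LAND packet can be dropped without any risk to availability.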