Re: [CCCure CISSP] CISSP OSG Online Quiz Comment


Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

clementdupuis
Administrator
OK, OK,

Criticizing the validity of any question and its answer out of context, without looking at the 4 choices presented, is always an easy task to do. I realize the initial poster who sent me the question did not include all 4 choices, which would have rendered this long discussion less ambiguous.

Let's get back to where this discussion all started:
one specific question, which is directly in line with what is said in the latest version of the official ISC2 guide to the CISSP CBK, where they say very clearly that an IDS can provide limited response capabilities.

What does this mean? In the jargon an intrusion analyst would use, this is called Active Response.

"It is defined by the SANS Institute IDS FAQ as: a mechanism in intrusion detection systems (IDS) that provides the IDS with capability to respond to an attack when it has been detected. There are two methods that the IDS can take to circumvent an attack. The first method of circumventing attacks would be Session disruption, and the second is Filter rule manipulation. The specific feature varies with each IDS product and each countermeasure method possesses its own strengths and weaknesses."

Marty Roesch of the famous SNORT IDS mentions this in multiple papers he has authored, and it is within the SNORT documentation as well. I do believe he calls it Flex Response.

In the context of the question, the best choice presented out of the 4 is the correct one, and it is the correct one according to the ISC2 view of the world and many other sources that support it.

The question tests your ability to recognize that the question is about the Land Attack, which is an old and very well known attack still covered within the CBK. Then it tests whether you can pick which of the 4 choices would be the best choice according to this specific question.

In the context of this question, the whole discussion about what is one versus the other is not even needed or required. However, it was fun to see lots of talk and active discussion taking place.

LEXICON

Information Security has its own jargon and many people don't agree on many of the terms we use. This will not change overnight. We see this all the time when talking with clients: one client will talk to you about Penetration Testing when in fact they only want a Security Assessment, for example.

As I always say: stay within the question context, look at the 4 choices presented, and select which of the 4 is the BEST according to the question presented.

We really got way outside of this one.

Best regards

Clement

Clement Dupuis, CD

Chief Learning Officer (CLO) and Security Evangelist
GCFW, GCIA, Security+ 301, CEH V7, CCSA, CCSE, + 12 others

SecureNinja
Office: +1 703 535 8600
Mobile: +1 407 433 6444

Email: [hidden email]

Web: www.secureninja.com

Connect with me on LinkedIn | Follow me on Twitter

901 N. Pitt Street, Suite 105
Alexandria, VA 22314

In Cyberspace:

[hidden email]
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Maintainer of:

The CCCure Quiz Engine
https://www.freepracticetests.org/quiz/index.php?page=home

The CCCure Family of Portals
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org/

Knowledge sharing and giving back to the community

-------------------------------------------------------------------------------------------------------
>>  Call me to get the best CISSP, Security+, or other Security related training  <<
-------------------------------------------------------------------------------------------------------


On Wed, Feb 20, 2013 at 8:02 PM, Doug Spindler <[hidden email]> wrote:

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previously stated.

Doug


From: CISSPstudy [mailto:[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM
To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Please allow me to toss my hat in the ring on this topic as well. The only resource that matters is the CISSP CBK; that could be a number of source materials (i.e. info security management handbook), but like Leif said, don't focus so much on the leaves that you can't see the tree on exam day. If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

Remember, don't bury yourself in the weeds (going into too much detail). It's easy to do, but try not to do it. This applies to the entire CISSP CBK.

Also, thanks to Clement for this great forum.

R-

* * * * * * * *

Richard Rieben, CISSP, PMP, FITSP-M

* * * * * * * *


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Jim,

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

Simple answer is: one is more proactive than the other, plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

Respectfully,

Leif


From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

I have to agree with Jim that the definition is arbitrary, but for the exam you need to know the one answer ISC is expecting, which may or may not reflect the name used in industry today. I would have to say that if I were interviewing a candidate for a security position and they didn't know the precise difference between a WIDS and a WIPS, they wouldn't get the job.

Doug Spindler


From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old. The term IPS did not even exist at the time when I was using IDS with traffic blocking abilities. I was using an IPS but I did not know it at the time. I guess we have to fast-forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not. I will keep you posted on my results.

SearchSecurity has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:

IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert on or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:
> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDSs are focused on identifying possible incidents, logging
> information about them, and reporting.  Why are ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> routers and firewalls and change rules that will block the attacker and stop
> the attack that is ongoing, or send resets on the connection where the attack
> is coming from.
>
> A WIDS is not a passive device; a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific types of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administrator wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic; a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture libraries do.
>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated, as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <[hidden email]>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and
>> ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective-only system and does not take any blocking actions; this
>> is not true.    The IDS is more limited than an IPS, but it does have the
>> ability to block some of the attacks or traffic.   Here is a quote from
>> the ISC2 Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or
>> near-real-time. Intrusion Detection Systems (IDS) will use available
>> information to determine if an attack is underway, send alerts, and
>> provide limited response capabilities. Intrusion Prevention Systems (IPS)
>> will use available information to determine if an attack is underway,
>> send alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question (see
>> below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> [hidden email]
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org


Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com
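The two active-response methods in the SANS definition Clement quotes (session disruption and filter-rule manipulation), the Land signature from quiz question 2445, and the passive-tap versus inline distinction from his earlier quoted reply, shown together in one runnable example. This is an added illustration, not code from the mailing list, from Snort or from any product named in the thread: the Packet and Sensor classes, the sample packets, the response strings and the "anti-spoof" rule wording are all constructed for the demonstration, and nothing here touches a real network.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    """Minimal IP/TCP header fields (constructed): enough for the Land signature."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # TCP flags, e.g. "S" for SYN


def is_land_attack(pkt: Packet) -> bool:
    """Signature from quiz question 2445: source and destination IP address
    AND port are identical. No legitimate traffic looks like this, so the
    rule carries no false-positive cost."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


@dataclass
class Sensor:
    """Toy sensor (hypothetical, not a real product) in one of two modes.

    "passive": an IDS sniffing a copy of the traffic on a tap/SPAN interface.
               It can never stop the packet it just saw; it can only respond
               out-of-band through its management interface.
    "inline":  an IPS in the forwarding path that can drop before delivery.
    """
    mode: str
    active_response: bool = False  # passive mode only: allow out-of-band actions
    alerts: List[str] = field(default_factory=list)
    resets: List[str] = field(default_factory=list)    # session disruption
    fw_rules: List[str] = field(default_factory=list)  # filter-rule manipulation

    def process(self, pkt: Packet) -> str:
        """Return the packet's fate: 'forwarded', 'dropped' or 'observed'."""
        if not is_land_attack(pkt):
            return "forwarded" if self.mode == "inline" else "observed"

        self.alerts.append(
            f"LAND {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")

        if self.mode == "inline":
            return "dropped"  # IPS: the packet never reaches the target

        if self.active_response:
            # Session disruption: tear down any half-open state on the victim.
            self.resets.append(f"RST {pkt.dst_ip}:{pkt.dst_port}")
            # Filter-rule manipulation. Caveat: the spoofed source IS the
            # victim's own address, so "drop src <attacker>" would cut off the
            # victim. Push an ingress anti-spoofing rule instead: drop packets
            # arriving from outside that claim the victim's address as source.
            self.fw_rules.append(
                f"drop inbound where src == {pkt.dst_ip} (anti-spoof)")
        return "observed"  # the copy the IDS saw was already delivered


# Constructed sample traffic: a normal SYN, a Land packet, a normal SYN-ACK.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", 40111, "192.0.2.10", 80, "S"),
    Packet("192.0.2.10", 139, "192.0.2.10", 139, "S"),  # Land: src == dst
    Packet("192.0.2.10", 80, "203.0.113.7", 40111, "SA"),
]


def run(sensor: Sensor, packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, object]:
    """Feed the packets through one sensor and summarise what it did."""
    fates = [sensor.process(p) for p in packets]
    return {"fates": fates, "alerts": len(sensor.alerts),
            "resets": len(sensor.resets), "fw_rules": len(sensor.fw_rules)}


def compare_deployments() -> Dict[str, Dict[str, object]]:
    """Same traffic through a passive IDS, a passive IDS with active response,
    and an inline IPS, to show what each can and cannot do."""
    return {
        "ids_passive": run(Sensor("passive")),
        "ids_active_response": run(Sensor("passive", active_response=True)),
        "ips_inline": run(Sensor("inline")),
    }


if __name__ == "__main__":
    for name, result in compare_deployments().items():
        print(f"{name:20s} {result}")
```

Running it shows the point of the whole thread in three lines: every sensor raises the same alert, only the inline IPS can report the Land packet as dropped, and the passive IDS with active response reports it as observed while still producing a reset and a firewall rule through its management path. The anti-spoofing rule is the caveat a practitioner would want: because a Land packet carries the victim's own address as source, an active response that blocks "the attacker's IP" would block the victim, which is the kind of per-method weakness the SANS definition alludes to.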

Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

Doug Spindler
Thanks for your wise words. Just to clarify, SNORT is an IDS/NPS whereas Hogwash is a NPS using SNORT.

Doug




On Feb 20, 2013, at 6:11 PM, Clement Dupuis <[hidden email]> wrote:

OK, OK,

Criticizing the validity of any question and its answer out of context without looking at the 4 choices presented is always an easy task to do.   I realize the initial poster who sent me the question did not include all 4 choices which would have render this long discussion not as ambiguous.  

Let's get back to where this discussion all started:  
One specific question which is directly in line with what is being said by the latest version of the official ISC2 guide to the CISSP CBK.    Where they say very clearly that IDS can provide limited response capabilities.

What does this means:   In the jargon Intrusion Analyst would use, this is called Active Response. 

"It is defined by the SANS Institute IDS FAQ as:  a mechanism in intrusion detection systems (IDS) that provides the IDS with capability to respond to an attack when it has been detected. There are two methods that the IDS can take to circumvent an attack. The first method of circumventing attacks would be Session disruption, and the second is Filter rule manipulation.  The specific feature varies with each IDS product and each countermeasure method possesses its own strengths and weaknesses."

Marty Roach from the famous SNORT IDS mention this on multiple papers he has authored and it is within the SNORT documentation as well.  I do believe he calls it Flex Response.

In the context of the question the best choice presented out of the 4 is the correct one and it is the correct one according to the ISC2 view of the world and many other source that supports it. 

The question test your ability to recognize the question is about the Land Attack which is an old and very well known attack still covered within the CBK.   Then it test to see if you can pick which of the 4 choices would be the best choice according to this specific question. 

In the context of this question, the whole discussion about what is one versus the other is not even needed or required.  However, it was fun to see lots of talks and active discussions taking place.

LEXICON

Information Security has its own jargon and many people don't agree on many of the terms we use.  This will not change overnight.  We see this all the time talking with clients,   one client will talk to you about Penetration Testing when in fact they only want a Security Assessment for example.

As I always say: stay within the question context, look at the 4 choices presented, and select which of the 4 is the BEST according to the question presented.

We really got way outside of this one.

Best regards

Clement















Clement Dupuis, CD

Chief Learning Officer (CLO) and Security Evangelist
GCFW, GCIA, Security+ 301, CEH V7, CCSA, CCSE,  + 12 others

SecureNinja
Office : +<a href="tel:703%20535%208600" value="+17035358600" target="_blank">703 535 8600
Mobile: <a href="tel:%2B1%20407%20433%206444" value="+14074336444" target="_blank">+1 407 433 6444

Email: [hidden email]

Web: www.secureninja.com

Connect with me on LinkedIn | Follow me on Twitter


Description: Secure Ninja @ LinkedinDescription: See Us @ YoutubeDescription: Like us on FacebookDescription: Fallow us Twitter

901 N. Pitt Street, Suite 105
Alexandria, VA  22314

Description: Description: sn_logo

In Cyberspace:

[hidden email]
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Maintainer of :

The CCCure Quiz Engine
https://www.freepracticetests.org/quiz/index.php?page=home

The CCCure Family of Portals
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org/

Knowledge sharing and giving back to the community

-------------------------------------------------------------------------------------------------------
>>  Call me to get the best CISSP, Security+, or other Security related training  <<
-------------------------------------------------------------------------------------------------------


On Wed, Feb 20, 2013 at 8:02 PM, Doug Spindler <[hidden email]> wrote:

“On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.”

This is the exact opposite of what Clement previous stated.


Doug

 

 

From: CISSPstudy [mailto:[hidden email]] On Behalf Of Richard Rieben
Sent: Wednesday, February 20, 2013 3:57 PM


To: The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Please allow me to toss my hat in the ring on this topic as well.  The only resource that matters is the CISSP CBK - that could be a number of source materials (ie. info security management handbook) but like Lief said, don't focus so much on the leaves that you can't see the tree on exam day.  If you sit there and beat yourself up and question the motives or the thought process behind the question, you're only hurting yourself.

 

On the exam, remember that IDS is a PASSIVE device and an IPS is an ACTIVE device - if you remember that simple fact you will probably do quite well on any questions that relate to that topic.

 

Remember, don't bury yourself in the weeds (going into too much detail) - it's easy to do, but try to not do it. - This applies to the entire CISSP CBK.

 

Also, thanks to Clement for this great forum.

 

R-

 

* * * * * * * *

Richard Rieben, CISSP, PMP, FITSP-M

* * * * * * * *

 


From: Leif Palmer <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>
Sent: Wednesday, February 20, 2013 6:23 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Jim,

 

Don't trip on these terms (technologies) and make it harder than it has to be. I just took the test and passed and didn't see anything that would confuse these terms on the test.

 

Simple answer is; one is more proactive than the other-plain and simple.

Keep your wits about you and use common sense (past experience and exposure is a good guide here).

 

Respectfully,

Leif

 

From: Doug Spindler <[hidden email]>
To: 'The CISSP Study Mailing list' <[hidden email]>
Sent: Wednesday, February 20, 2013 4:55 PM
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

I have to agree with Jim the definition is arbitrary but for the exam you need to know one answer ISC is expecting which may or may not reflect the name used in industry today.  I would have to say if I were interviewing a candidate for a security position and they didn’t know the precise difference between a WIDS and WIPS system won’t get the job.

 

Doug Spindler

 

 

From: CISSPstudy [[hidden email]] On Behalf Of Clement Dupuis
Sent: Wednesday, February 20, 2013 12:34 PM
To: [hidden email]; The CISSP Study Mailing list
Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

 

Good day Jim,

It seems that any device that can block an attack and prevent it should be called an IPS.

However, I guess I am getting too old.    The term IPS did not even exists at the time when I was using IDS with traffic blocking abilities.   I was using an IPS but I did not know at the time.   I guess we have to forward to 2013 and see what it would be called today.

I will attempt to get an official answer from ISC2, just to see if it can be done or not.  I will keep you posted of my results.

Search security has an interesting article with a lot of common sense in it, see it at:
http://searchsecurity.techtarget.com/tip/IDS-vs-IPS-How-to-know-when-you-need-the-technology

Here is an extract:
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious uses cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), in situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, in situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Best regards

Clement


On Wed, Feb 20, 2013 at 3:21 PM, Jim White <[hidden email]> wrote:
> So...
>
> I'm still not hearing/seeing any definitive differentiator between an IDS
> and an IPS that we can take into the test center and apply with confidence
> that we can differentiate unequivocally between an IPS and an IDS.
> Apparently, it's not the number of interfaces, nor the "active" or "passive"
> status of the device. So what can we use to decide if we're discussing an
> IPS or an IDS? Is there a simple litmus test we can apply? Or are we back to
> "I know one when I see one"?
>
> Help, anyone?
>
> Thanks,
>
> Jim
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Doug
> Spindler
> Sent: Wednesday, February 20, 2013 1:51 PM
> To: 'The CISSP Study Mailing list'
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Clement,
> There are IDSs, IPSs and IDS/IPS systems.  Wikipedia and other sources
> clearly state IDS's are focused on identifying possible incidents, logging
> information about them, and reporting.  Why is ISC and Shon blurring this
> line between an IDS and IPS?  It would be more accurate to say an IPS is an
> IDS than to say an IDS is an IPS.
>
> Doug Spindler
>
>
>
> -----Original Message-----
> From: CISSPstudy [mailto:[hidden email]] On Behalf Of Clement
> Dupuis
> Sent: Wednesday, February 20, 2013 11:38 AM
> To: The CISSP Study Mailing list
> Subject: Re: [CCCure CISSP] CISSP OSG Online Quiz Comment
>
> Good day Doug,
>
> Good comment.
>
> Most IDS are sniffing on an interface that does not allow any transmission
> of packets.  They are hidden this way and cannot be identified easily by a
> remote attacker that could attack the IDS directly.  Many vulnerabilities
> related to Libpcap and Winpcap come to mind; on multiple occasions
> vulnerabilities were found where the packet capture engine could be attacked
> directly by sending specially crafted packets.
>
> However, most IDS have a second interface for management where they have
> full transmit abilities.  This is how they can interact with tools such as
> Router and Firewalls and change rules that will block the attacker and stop
> the attack that is ongoing or send resets on the connection where the attack
> is coming.
>
> A WIDS is not a passive device,  a good Wireless Intrusion Detection system
> has the ability to block unauthorized hosts on the network, quarantine them,
> allow only specific type of devices, and more.
> They do take action when needed.
>
> I think the definition of Passive versus Active is very clear within most
> references out there.  Yes, IDS can be passive but they can also be active if
> the administration wishes to let them take action.
>
> An IPS has at least two network interface cards; the traffic has to be
> routed from one interface to the other one by the IPS.  Many Intrusion
> Detection Systems such as sensors have a single interface to monitor the
> traffic,  a copy of the packets is sent to the IDS and the other copy is
> sent to the TCP/IP Stack.  This is what Libpcap and Winpcap or other packet
> capture library do.


>
>
> Best regards
>
> Clement
>
>
>
>
> On Wed, Feb 20, 2013 at 12:10 PM, Doug Spindler <[hidden email]>
> wrote:
>> Where is the dividing line between IDS and IPS?  I don't believe this
>> distinction would hold true when talking about WIDS and WIPS.  Which
>> makes me wonder, if a WIDS is an IDS shouldn't the exam material be
>> updated as a WIPS would never transmit.
>>
>>
>>
>>
>> On Feb 20, 2013, at 4:48 AM, Clement Dupuis
>> <[hidden email]>
>> wrote:
>>
>> Good day to all,
>>
>> Today I have received a good question about IDS where someone (in BCC)
>> was telling me IDS are ONLY a passive mechanism and as such they
>> cannot do any blocking or take any action.   This is just a misconception.
>>
>> The answer presented within the quiz is correct, I have researched
>> this topic within the latest version of the CISSP books that I have
>> access to and ISC2 is very clear on this topic.
>>
>> Many people have the misconception that an IDS can only record events and
>> has no ability to react.   This is NOT true.  An IDS could reset a
>> connection when an attack is detected.  An IDS could change a rule on
>> the firewall to block the attacker.  An IDS could change a rule on a
>> router to block offending traffic as well.   IDS do have the ability to
>> take actions and this is not reserved only for IPS.
>>
>> The second misconception is that within the ISC2 CBK an IDS is always
>> a detective only system and does not take any blocking actions, this
>> is not true.    The IDS is more limited than IPS but they do have the
>> ability to block some of the attacks or traffic.   Here is a quote from the ISC2
>> Official Book Version 3 on the subject:
>>
>> Intrusion detection and prevention systems are used to identify and
>> respond to suspected security-related events in real-time or near-real-time.
>> Intrusion Detection Systems (IDS) will use available information to
>> determine if an attack is underway, send alerts, and provide limited
>> response capabilities. Intrusion Prevention Systems (IPS) will use
>> available information to determine if an attack is underway, send
>> alerts but also block the attack from reaching its intended target.
>>
>> NOTE:  This is the formal position of ISC2 and having done Intrusion
>> Detection a long time ago I also agree.  In this case the question (see
>> below) is specifically referring to the Land Attack which is never
>> legitimate traffic.   To answer this question some knowledge of the old
>> Land Attack is required along with IDS knowledge.
>>
>> Best regards
>>
>> Clement
>>
>>
>>> Question number: 2445
>>>
>>> Question: Which of the following is a reasonable response from the
>>> intrusion detection system when it detects Internet Protocol (IP)
>>> packets where the IP source address and port is the same as the
>>> destination IP address and port?
>>>
>>> Comment from the test taker:
>>> The question refers to IDS, not IPS. So, given that IDS is passive
>>> and has no ability to block packets, it seems that the given
>>> answer is incorrect.
>>
>>
>> _______________________________________________
>> You can find the list archive at:
>> http://cissp-study.3965.n7.nabble.com/
>>
>> CISSPstudy mailing list
>> [hidden email]
>>
>> To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org

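The quiz question discussed in the post above turns on two things: recognizing the Land signature (IP source address and port equal to the destination address and port) and deciding whether the sensor only alerts or also changes a filter rule. The following is an added example, not code from the original post, from the quiz engine or from any IDS product. It parses constructed IPv4/TCP frames, flags the Land condition, and returns either an alert alone (passive sensor) or an alert plus a filter-rule push (active response). The addresses, the interface name eth0 and the iptables command string are assumptions made for the example. It also carries the caveat a practitioner would want: a Land packet forges the victim's own address as its source, so a naive "block the source IP" would cut the victim off from itself; the rule below instead drops packets arriving on the outside interface that claim the protected host's own address.

```python
"""Added example: Land-attack check over raw IPv4/TCP bytes, passive vs. active response."""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_ipv4_tcp(src_ip: str, sport: int, dst_ip: str, dport: int, flags: int = 0x02) -> bytes:
    """Constructed sample frame: 20-byte IPv4 header + 20-byte TCP header (SYN by default).
    Checksums are left at zero; this is test input, not wire-valid traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def parse_ipv4_tcp(packet: bytes) -> Flow:
    """Return the 4-tuple of an IPv4/TCP packet.
    Raises ValueError for anything else: a sensor must not crash on junk it sniffs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("short or truncated header")
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return Flow(socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)


def is_land_attack(flow: Flow) -> bool:
    """Land: source address AND port equal destination address AND port. Never legitimate."""
    return flow.src_ip == flow.dst_ip and flow.src_port == flow.dst_port


def respond(flow: Flow, active: bool, ext_if: str = "eth0") -> list:
    """Actions for a positive match.
    Passive sensor: alert only. Active sensor: alert plus a filter-rule change
    (the iptables string is a hypothetical rule push, not executed here).
    Caveat: in Land the forged source IS the victim, so blocking 'the attacker's IP'
    would block the victim from itself. The rule drops packets that arrive on the
    outside interface claiming the protected host's own address (anti-spoofing)."""
    actions = [f"ALERT land-attack {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}"]
    if active:
        actions.append(f"iptables -I INPUT -i {ext_if} -s {flow.dst_ip} -j DROP")
    return actions


def inspect(packets, active: bool) -> list:
    """Run the check over raw packets; one action list per packet ([] means clean)."""
    results = []
    for pkt in packets:
        try:
            flow = parse_ipv4_tcp(pkt)
        except ValueError as exc:
            results.append([f"IGNORE not IPv4/TCP ({exc})"])
            continue
        results.append(respond(flow, active) if is_land_attack(flow) else [])
    return results


# Constructed sample traffic: a Land packet aimed at 10.0.0.5:139, a normal SYN
# to the same service, and a frame whose version nibble says IPv6.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", 139, "10.0.0.5", 139),
    build_ipv4_tcp("192.0.2.10", 40000, "10.0.0.5", 139),
    b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    for actions in inspect(SAMPLE_PACKETS, active=True):
        print(actions or ["clean"])
```

Run with active=False and the same packet produces only the ALERT line, which is the "limited response capability" the thread argues about: the detection logic is identical, the difference is whether the sensor is allowed to push the rule.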
Re: [CCCure CISSP] CISSP OSG Online Quiz Comment

clementdupuis
Administrator
You are most welcome.

Doug said:  Just to clarify SNORT is an IDS/NPS whereas Hogwash is a NPS using SNORT.

This is correct.

As we have mentioned, things are getting blurry with tools that can act in either mode.

Take care

Clement



Linux Magazine had coverage of Hogwash, here is an extract:

Hogwash supports three distinct modes:  IDS, Scrubber and Bait-n-Switch.

In IDS mode, Hogwash monitors network traffic and alerts the admin in case of malevolent packets. Although it cannot intercept packets, it can cancel the connection by spoofing TCP resets. Hogwash can be configured to monitor traffic on multiple interfaces.

In Scrub mode, Hogwash acts as a packet filter. It spoofs TCP resets, drops packets or modifies them to effectively repel any attack.  Hogwash can use up to 16 network adapters and can forward packets between these adapters, if required, working as a bridge rather than a router.  The software runs transparently in promiscuous mode at link level. The sysadmin can even disable the operating system’s IP stack, and will need to disable IP forwarding, as Hogwash assumes responsibility for this.

In the experimental Bait-n-Switch mode, Hogwash will protect production systems without repelling attacks. Instead, it forwards suspicious connections to a honeypot to allow for closer analysis: an attack on the honeypot will not impact the network.


On Thu, Feb 21, 2013 at 3:56 AM, Doug Spindler <[hidden email]> wrote:
Hogwash



Clement Dupuis, CD

Chief Learning Officer (CLO) and Security Evangelist
GCFW, GCIA, Security+ 301, CEH V7, CCSA, CCSE,  + 12 others

SecureNinja
Office : +703 535 8600
Mobile: +1 407 433 6444

Email: [hidden email]

Web: www.secureninja.com

Connect with me on LinkedIn | Follow me on Twitter



901 N. Pitt Street, Suite 105
Alexandria, VA  22314


In Cyberspace:

[hidden email]
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Maintainer of :

The CCCure Quiz Engine
https://www.freepracticetests.org/quiz/index.php?page=home

The CCCure Family of Portals
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org/

Knowledge sharing and giving back to the community

-------------------------------------------------------------------------------------------------------
>>  Call me to get the best CISSP, Security+, or other Security related training  <<
-------------------------------------------------------------------------------------------------------

Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com
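
The Linux Magazine extract above says that Hogwash in IDS mode cannot intercept packets but can cancel a connection by spoofing TCP resets, the same "send resets on the connection" response mentioned earlier in the thread. The following is an added example, not Hogwash or Snort code, showing what such a reset has to contain. Given the fields of one observed segment from A to B (constructed sample values, not captured traffic), it builds the two spoofed RST headers with valid TCP checksums over the IPv4 pseudo-header and the sequence numbers each endpoint will accept. Nothing is sent; the bytes are returned so they can be inspected.

```python
"""Added example: spoofed TCP resets for IDS session disruption (build only, never sent)."""
import socket
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, protocol 6, TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=0) -> bytes:
    """20-byte TCP header, no options or payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when the checksum over pseudo-header plus segment folds to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_fields(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def next_seq(seq: int, flags: int, payload_len: int) -> int:
    """Sequence number the receiver expects next; SYN and FIN each consume one."""
    return (seq + payload_len + bool(flags & TH_SYN) + bool(flags & TH_FIN)) & 0xFFFFFFFF


def reset_pair(obs: dict) -> tuple:
    """Given one observed segment A->B, build the two resets a sensor would inject.
    To A, spoofed as B: SEQ must be A's RCV.NXT, which is the ACK A just sent. For a
    bare SYN that ACK is 0, matching RFC 793's <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>.
    To B, spoofed as A: SEQ must be B's RCV.NXT, the number right after the observed data."""
    nxt = next_seq(obs["seq"], obs["flags"], obs["payload_len"])
    rst_to_a = build_tcp_segment(obs["dst_ip"], obs["src_ip"], obs["dport"], obs["sport"],
                                 seq=obs["ack"], ack=nxt, flags=TH_RST | TH_ACK)
    rst_to_b = build_tcp_segment(obs["src_ip"], obs["dst_ip"], obs["sport"], obs["dport"],
                                 seq=nxt, ack=obs["ack"], flags=TH_RST | TH_ACK)
    return rst_to_a, rst_to_b


# Constructed observation: a 100-byte PSH/ACK from a client to a web server.
SAMPLE_OBSERVED = {
    "src_ip": "198.51.100.7", "dst_ip": "203.0.113.20",
    "sport": 51515, "dport": 80,
    "seq": 1000, "ack": 5000, "flags": TH_PSH | TH_ACK, "payload_len": 100,
}

if __name__ == "__main__":
    for name, seg in zip(("RST to client", "RST to server"), reset_pair(SAMPLE_OBSERVED)):
        print(name, tcp_fields(seg), seg.hex())
```

The sequence-number arithmetic is the fragile part of this response. A receiver treats the RST as valid only if its sequence number falls in the receive window, and stacks implementing RFC 5961 act on it immediately only when it equals RCV.NXT exactly, answering anything else with a challenge ACK. A sensor fed by a span port therefore races the next legitimate segment, which is why the extract can say the IDS mode "cannot intercept packets" while the in-line Scrub mode can simply drop them.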