4.5.2 IDS/IPS & Web Filter
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are automated security appliances designed to monitor, identify, and address malicious unauthorized activity on a network.
Detection and Prevention Mechanisms - Intrusion Detection System (IDS): Operates "out-of-band" via a TAP or SPAN port. It monitors traffic copies and generates alerts but does not physically stop the traffic flow. - Intrusion Prevention System (IPS): Placed "in-line" between the source and destination. It has the authority to drop malicious packets or reset connections in real-time. - Signature-based Detection: Matches traffic patterns against a database of known threats. It is highly effective for known malware but ineffective against zero-day exploits. - Anomaly-based Detection: Establishes a baseline of "normal" behavior. Anything deviating from this baseline (e.g., a sudden spike in outgoing traffic) triggers an alert. - Heuristic/Behavioral Detection: Uses AI or algorithmic logic to identify suspicious intent or characteristics of code rather than specific signatures.
Indicators of Compromise (IoC) Automated systems look for specific artifacts that suggest a breach has occurred. - Network IoCs: Unusual traffic patterns, connections to known malicious IP addresses, or unauthorized encrypted tunnels. - System IoCs: Unexpected changes to file permissions, unauthorized registry modifications, or the presence of malware signatures. - Forensic Evidence: IoCs serve as primary data points during incident response and post-breach investigations.
Web Filtering and Content Control - URL Filtering: Restricts access to specific websites based on a blocklist or whitelist. This prevents users from visiting high-risk areas like the Dark Web, which is composed of unindexed sites often associated with criminal activity. - Content Categorization: Automatically blocks entire groups of sites (e.g., gambling, social media, or adult content) to preserve bandwidth and maintain productivity. - Reputation Filtering: Denies access to domains known for hosting phishing pages or command-and-control (C2) servers.
Endpoint and Hybrid Solutions - EDR (Endpoint Detection and Response): Focused on monitoring individual hosts rather than just network traffic. It provides deep visibility into process execution and memory. - HTTPS Inspection: Security appliances often require a Certificate to decrypt and inspect encrypted traffic. Admin-generated Certificate Signing Requests (CSR) are sent to a Certificate Authority (CA) to facilitate this deep packet inspection.
Quick Recall - Out-of-band: IDS (Detection only). - In-line: IPS (Active prevention). - Dark Web: Unindexed by search engines; high risk for malware and illegal trade. - Signatures: Effective for known threats; requires constant updates. - Anomalies: Identifies deviations from established baselines.