Get more from your network by securing its infrastructure and increasing its effectiveness
Network scanning is the process of assessing a network to identify its active hosts; the same methods can be used by an attacker or by a network administrator for security assessment. This procedure plays a vital role in risk assessment programs and in preparing a security plan for your organization.
Practical Network Scanning starts with the concept of network scanning and how organizations can benefit from it. Then, going forward, we delve into the different scanning steps, such as service detection, firewall detection, TCP/IP port detection, and OS detection. We also implement these concepts using a few of the most prominent tools on the market, such as Nessus and Nmap. In the concluding chapters, we prepare a complete vulnerability assessment plan for your organization.
By the end of this book, you will have hands-on experience in performing network scanning using different tools and in choosing the best tools for your system.
If you are a security professional who is responsible for securing an organization's infrastructure, then this book is for you.
Ajay Singh Chauhan is an experienced Network and Security Architect and has been working extensively in the IT industry for 15 years. During his career, he has had varied responsibilities, ranging from looking after an entire IT infrastructure to providing network operations, implementation, and network design solutions. Ajay works almost exclusively with large-scale cloud datacenter multi-vendor technologies. He contributes to the Cisco blogging platform by providing IT Professionals with troubleshooting tips and tricks.
Page count: 276
Year of publication: 2018
BIRMINGHAM - MUMBAI
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Shrilekha Inani
Content Development Editor: Ronn Kurien
Technical Editor: Manish Shanbhag
Language Support Editor: Storm Mann
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Mariammal Chettiyar
Graphics: Tom Scaria
Production Coordinator: Nilesh Mohite
First published: May 2018
Production reference: 1220518
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78883-923-5
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Ajay Singh Chauhan is an experienced network and security architect, and he has been working extensively in the IT industry for 15 years. During his career, he has had varied responsibilities, ranging from looking after an entire IT infrastructure to providing network operations, implementation, and network design solutions.
Ajay works almost exclusively with large-scale cloud data center multivendor technologies. He contributes to the Cisco blogging platform by providing IT professionals with troubleshooting tips and tricks.
Kuldeep Vilas Sonar is a cyber security expert with almost 8 years' comprehensive experience in various vertical fields of cyber security. His domain expertise is mainly in cybercrime investigations, vulnerability assessment, and penetration testing. He holds a master's degree in computer applications and several industry-recognized certifications, including CCNA, CCNA Security, CEH, IoT Security Essentials, and Cyber Security for IoT. He has delivered training and consultation for organizations in India, the U.S., and Singapore.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Practical Network Scanning
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Fundamental Security Concepts
Why security?
Building blocks of information security
Computer security
Network security
Firewalls
Intrusion detection systems / intrusion prevention systems
Multitier topology
Internet security
Password
System upgrade and updates
Phishing
Beware of phishing phone calls
Phishing protection
Security issues, threats, and attacks
IoT security risk
Computer security risk
Security Risk-Border Gateway Protocol
Security and threats
Natural disasters
Human threats
Security vulnerabilities
Technology weaknesses
Configuration weaknesses 
Security policy weaknesses
Using unencrypted or weak encryption for a website
Summary
Questions
Further reading
Secure Network Design
Access control 
Asset classification and physical security
Authentication, authorization, and accounting
Network management and security design
Network segmentation
Segmentation strategy steps
Network protection consideration and design
Hardening your TCP/IP stack
DoS and DDoS attacks 
Volume-based attacks
Application layer attacks
Low-rate attacks
IP spoofing
Anti-spoofing using access lists
Encryption
Anti-spoofing using RPF checks
Ping sweeps and Port scans
Mitigation
DNS vulnerabilities 
How does DNS work?
DNS protocol attacks
Mitigation
Two factor authentication
Summary 
Questions
Further reading
Server-Level Security
Classification of data
Physical security 
Disk encryption
Full-disk encryption
Bitlocker
Virtual Trusted Platform Module – vTPM 
Encrypt your Hyper-V Guest VMs 
Cloud VM disk encryption
What is encryption at rest?
Hardening server security
Check for open ports or services
System firewall configuration
System update
Disable USB
Hard disk encryption
BIOS protection
Check the installed packages
Password policies
Secure and encrypt remote access
Implement activity logging
Document the host information
Authentication NTLM versus Kerberos
Password policies
Server-level permissions
Server antivirus and malware protection
Local security policies
Summary
Questions
Further reading
Cloud Security Design
Cloud offerings
IaaS
PaaS
SaaS
Public versus private
Public IaaS versus private IaaS
Public PaaS versus private PaaS
Public SaaS versus private SaaS
Shared technology and shared danger
Security approach for cloud computing
Traditional enterprise network model
Hybrid data center and cloud network
Network security devices for IaaS
Firewall Virtual Appliance
Virtual TAP vTAP
Virtual Router
Virtual web application firewalls
DDoS attack protection
Data loss prevention
Exploited system vulnerabilities
Summary 
Questions
Further reading
Application Security Design
GDPR
Getting consent
Access to data
Encryption
SQL Injection
Prevention of SQL Injection attack on web applications
Employing comprehensive data sanitization
Deploying a Web Application Firewall
Limit database privileges
Finding vulnerabilities
WAFs
WAF protection against common web attacks
Blacklisting and whitelisting
What is blacklisting?
Benefit and disadvantage of blacklisting
What is whitelisting?
Benefit and disadvantage of whitelisting
Which is better?
Using HTTPS for everything
HTTP versus HTTPS
Web application security
SSL/TLS deployment
SSL/TLS key size
Signing algorithm
Secure protocol
Preventing an authentication hacking attack
Use cookies securely
Vulnerabilities scan
Server security
Introduce a bug bounty program
Summary
Questions
Further reading
Threat Detection and Response
Network threat detection
Detection methods
Intrusion detection system
Types of IDSs
Network capture solution 
Threat detection with Netflow/IPFIX
NetFlow vs. IPFIX
Endpoint threat detection
What’s an endpoint
Endpoint Detection and Response (EDR) system
Case Study – Why is an EDR system required?
Security policy 
How to choose an EDR solution?
Security information and event management
SIEM—Event versus incident and data breach
What is an event?
What is a security incident?
What is a data breach?
How do SIEM systems work?
Event generator sensors
Event and log collection or data aggregation
Correlation
Reporting and Alerting
Dashboards
Automation
Log management
SIEM commercial products 
Summary
Questions
Further reading
Vulnerability Assessment
Infrastructure concerns
What is vulnerability assessment?
Plan
Network discovery
Vulnerability scan
Report
Remediation
Why do we need vulnerability assessment?
Types of vulnerability assessment
Network-based assessment
Host-based assessment
Nessus installation, configuration, and vulnerability assessment methodology
Installation
Policies
Sample report
Summary
Questions
Further reading
Remote OS Detection
Reasons for OS detection 
Network operating system inventory – trace your infrastructure 
Determining vulnerability of target hosts
Tailoring exploits
OS detection technique with Nmap
Nmap tool
Operating system detection
TCP/IP fingerprinting methods supported by Nmap
TCP/UDP/IP basic
The FIN probe
TCP ISN sampling
TCP initial window
Type of service
Time-to-live (TTL)
Don't Fragment (DF) bit
Understanding an Nmap fingerprint
OS matching algorithms
Defense against port scans
Summary
Questions
Further reading
Public Key Infrastructure-SSL
Foundation of SSL
How do I know that SSL is working?
Why no PadLock?
SSL certificate
The evolution of SSL and TLS
Current Supported Standard
Why hasn't TLS 1.3 been implemented yet?
Time to say goodbye to SSL and early TLS
SSL certificate component 
Root certificate
Intermediate certificate
SSL certificates classes 
TLS versus SSL
Public Key Infrastructure
Symmetric encryption
Asymmetric encryption
Hash function
Attacks against PKI
Microsoft Windows and IIS
OpenSSL
SSL Management tools
Summary 
Questions
Further reading
Firewall Placement and Detection Techniques
Technical requirements
Firewall and design considerations
Firewall terminology
Firewall generations
Firewall performance
Firewall placement  and design network topology
Single firewall architecture
Single firewall architecture with a single IP subnet
Single firewall architecture with multiple IP subnets
Multilayer firewall architecture
Firewall sandwich design
Demilitarized Zone
DMZ to Internal Access Policy 
OSI model versus TCP/IP model
Firewall performance, capabilities, and function
Firewall management
Application proxies
Detecting firewalls
Debugging tools
Summary
Questions
Further Reading
VPN and WAN Encryption
Overview
Classes of VPN
Type of VPN protocol
Point-to-Point tunneling protocol
Layer 2 Tunneling Protocol
Secure Socket Tunneling protocol
Internet Protocol Security
SSL VPN
MPLS VPN
VPN Design
IKE V1 versus IKE V2
WAN Encryption technique
IPsec Layer-3 encryption
MACsec—Layer-2 Encryption
Optical Network—Layer-1 Encryption
Summary 
Questions
Further Reading
Summary and Scope of Security Technologies
DDoS protection
Remotely triggered black hole routing (RTBH)
Black hole traffic from the source of the attack
Black hole traffic to the destination of the attack
BGP FlowSpec
DDoS scrubbing
Blockchain Technology for Fighting DDoS Attacks
AI in cyber security 
Next Gen SIEM
Software Defined Networking Firewall
Bring-Your-Own-Identity (BYOI)
Summary
Further reading 
Assessment
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Other Books you may enjoy
Leave a review - let other readers know what you think
Network scanning is the process of building an inventory of IT infrastructure assets by identifying the active hosts on a network. Similar methods can be used by an attacker or a network administrator to assess security. This procedure plays a vital role in risk assessment programs and in the preparation of a security plan for your organization.
Practical Network Scanning starts with the concept of network scanning and how organizations can benefit from it. Then, going forward, we delve into the different steps involved in scanning, such as service detection, firewall detection, TCP/IP port detection, and OS detection. We also implement these concepts using a few of the most prominent tools on the market, such as Nessus and Nmap. In the concluding chapters, we prepare a complete vulnerability assessment plan for your organization. By the end of this book, you will have hands-on experience in performing network scanning using different tools and in choosing the best tools for your system.
If you are a network and security professional who is responsible for securing an organization's network infrastructure, then this book is for you.
Chapter 1, Fundamental Security Concepts, explains the necessity for network security and covers a step-by-step approach to keep in mind for securing a network. You will also learn how to identify the need for security and the factors involved in network security.
Chapter 2, Secure Network Design, explains the security threats that exist in modern networks and how to design a secure network by keeping them in mind. It also explains network segmentation, defining a network boundary, and the importance of encryption, things to consider, and the benefits of implementing security on different network layers.
Chapter 3, Server-Level Security, gives us a basic understanding of protecting a server's infrastructure, including aspects such as hardening the server, the use of various authentication methods, password policies, and protection against viruses and malware.
Chapter 4, Cloud Security Design, explains the security aspects that you will need to keep in mind before migrating your critical data information to the cloud.
Chapter 5, Application Security Design, explains how to identify the common risks involved in designing and launching an application. You will also learn common safeguard methods from a user's point of view to surf an application in a secure way.
Chapter 6, Threat Detection and Response, explains various aspects of securing IT infrastructure, from monitoring to responding to incidents and diverting attackers.
Chapter 7, Vulnerability Assessment, explains the vulnerability assessment methodology and generating reports based on assessment metrics for scoring.
Chapter 8, Remote OS Detection, explains methods for detecting a target's operating system with an Nmap application.
Chapter 9, Public Key Infrastructure – SSL, explains PKI and the implementation steps for securing an application using SSL.
Chapter 10, Firewall Placement and Detection Techniques, explains the aspects of designing a firewall to build a secure network. It also explains the techniques and tools used to detect firewalls.
Chapter 11, VPN and WAN Encryption, explains how to design and secure a WAN infrastructure.
Chapter 12, Summary and Scope of Security Technologies, explains security trends and possible future security technologies.
To understand the content of this book, it is recommended that you have basic knowledge of computer networks. If you are certified with CCNA network and security, that will be a good foundation for you to advance your knowledge about computer networks by reading this book.
As you know, it does not make sense to learn about computer networks without doing any practical work. Therefore, it is suggested that you practice TCP/IP, IP packet flow, basic network design, and setting up a LAN with at least one Cisco switch and router. Download emulators and simulators such as PuTTY and Tera Term, Packet Tracer and GNS3, Wireshark, Nmap, and Nessus. All of the download links are included in the book.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/PracticalNetworkScanning_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "For Linux, sudo iptables -L lists your current rules in iptables."
Any command-line input or output is written as follows:
netstat -antp | grep "LISTEN"
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example:
Most of us share our personal information on many web portals by clicking I Agree or I Accept the Terms and Conditions
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
In an ever-evolving world of technology, security and data privacy are of paramount importance. This chapter will address some of the basic concepts of IT infrastructure security. In order to secure a system, the key task is to identify and classify the information assets and define a security framework.
This chapter will cover what security means to network and system administrators. It will also explore how to build a secure network, incorporating the security principles defined in your framework.
Let's get started with network infrastructure security. We will cover the following topics in this chapter:
Why security?
Building blocks of information security
Computer security
Network security
Internet security
Security issues, threats, and attacks
As the internet grows and technology evolves for modern computer networks, network security has become one of the most crucial factors for everyone. This includes everyone from end users and small and medium-sized businesses (SMBs) to cloud service providers.
Due to a growing volume of network attacks, network security should be a priority when designing network architecture. To understand the importance of this, imagine what could happen if there was a network integrity breach at a bank, stock exchange, or other financial database.
The importance of network security is not just limited to the IT industry. It is also important within industries such as health care. Health records contain some of the most valuable information available, including Social Security numbers, home addresses, and patient health histories. If this data is accessed by unauthorized persons, it can be stolen or sold to the black market.
Security awareness is important for everybody and not just the IT department. If you work with internet-enabled devices, it's your responsibility too. However, you can only control information security once you know how to secure it.
No one can get into your system until something is compromised. Similarly, if your door is locked from the outside, nobody can enter your house unless they gain access to a duplicate key or have a similar key built by getting physical access to the lock. A few examples of how a system might be compromised are as follows:
A targeted email could be sent to random users with an attachment (drive-by download). If a user opened that attachment, their system would be compromised.
An email is received that poses as a trusted domain, such as your bank's, and asks you to change your password through a provided link. Once you do this, your username and password can be stolen.
If a small typo is made when typing a website address into a browser, a similar page may open (Phishing) which is not genuine, and your credentials can be stolen.
Features provided by websites for resetting forgotten passwords can also be very risky. Let's say somebody knows my email ID and attempts to access my account by selecting a forgotten password option. If the security question asks for my date of birth, this can easily be found on my resume.
A password for an Excel file can easily be broken by a brute-force attack.
The most widespread types of ransomware encrypt all or some of the data on your PC, and then ask for a large payment (the ransom) in order to restore access to your data.
During DNS hijacking, an online attacker overrides your computer's TCP/IP settings so that the DNS translation is altered. For example, typing in abc.com normally translates to the IP 140.166.226.26. A DNS hijacker, however, alters the translation so that abc.com now sends you to the IP address of a different website.
Denial of Service network attacks disrupt the normal volume of traffic sent to targeted services with excessive amounts of traffic. This can be damaging in various ways. One example could be if a company has a Friday sale, and a competitor launches an attack on them in order to shut their services down and consequently increase their own sales.
According to research by the British insurance company Lloyd's, the damage from hacks costs businesses $400 billion a year.
To further explore the cost of cybercrimes, visit the following webpage: https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#612db25c3a91.
The market research firm Gartner estimates that global spending on cybersecurity is somewhere around $96 billion in 2018. By 2020, companies around the world are expected to spend around $170 billion—a growth rate of nearly ten percent in the next five years.
Your data can be easily separated into the following three categories. This is especially important to know in order to determine the value of your data before planning for security:
Low Business Impact (LBI): If LBI data is disclosed, limited information loss could occur. Examples of this kind of data include name, gender, and/or the country of residence.
Moderate Business Impact (MBI): If MBI data is disclosed, disastrous information loss could occur, which directly damages the reputation of an organization. Examples of MBI data include first and last name, email ID, mailing address, and phone number.
High Business Impact (HBI): If HBI data is disclosed, serious information loss could occur. Access and permission must be controlled and limited to a need-to-know basis. Examples of HBI data include government IDs, credit card information, medical health records, passwords, and real-time location.
Proper security control measures are required to ensure tight security. The following flowchart helps us to understand the security process:
Risk Management Process: This is particularly important when designing a secure network. Risk management analysis must be done in advance, as this aids the design of secure infrastructure. Steps should include risk identification, risk analysis, risk ranking, and mitigation plans. For example, an ISP link can be a public or private Wide Area Network (WAN) connection. Data transfer between two sites over public infrastructure can be secured by implementing VPNs. Data transfer between two sites over private links can be further encrypted by the link device. The purpose and funding of a connection must be identified, and a proper risk assessment must be carried out before installing or activating any links.
InfoSec Design Process: Perimeter boundaries must be defined and documented. For example, connecting to the WAN internet or connecting to another location over WAN must be defined. When I say boundaries, we should always take a layered approach. There is no ideal situation to ensure 100% security, but by implementing security on every layer, you can ensure tight security. A layered security method encompasses both technological and non-technological safety measures.
For example, perimeter security can be protected by firewalls. Infrastructure details, such as server type and services running on the system, must be identified. Software and operating system bugs should be documented. IP space and security zones should be defined. System admin access should be controlled by security groups.
Verification process: The purpose of the verification process for each extranet/intranet connection is to generate all the audit evidence documented in the compliance procedures of the security design. This will have information about users, remote IPs, and the tasks performed by them. Network scanning, penetration testing, and scorecard reporting provide an in-depth view of infrastructure security.
A periodic audit is always required in order to know if there is unexpected activity. Firewall logs, TCP/IP headers from load balancers on IIS, and two-factor authentications are examples of a verification process.
Security implementation process: At this stage you should have the following items ready to be implemented:
Security policies—password policies and access control
Disaster recovery plan
Backup and recovery plan
WAN recovery plan
Network security zones
Database security
IIS or web security
Data and asset classification
Data encryption
Resource control for application users
Operating system security
Incident management and response
Change management and version control
Computer security is not all about end-user computing; it also includes the server/application infrastructure. For any data transfer between server and client, both ends should be secure. Even the communication channel should be secure enough to avoid data theft.
We know that professionals understand network security, but how about end users? We can force users to implement security strategies, but is that enough? For better security, awareness is key. Security issues are constantly being found with the software we use every day, including common and reliable programs such as Windows, Internet Explorer, and Adobe's PDF Reader. It is therefore very important that we take some simple steps towards becoming more secure.
People often think of computer security as something technical and complicated, but that is not strictly the case. In the following, we will explore the most basic and important things you should do in order to make yourself safer online:
Use antivirus and antimalware and know which links are safe to click in emails
Be careful about programs you download and run; don't trust your pop-up notifications
On the server level, encryption chips can be used to protect the data on the hardware in the event of physical theft
Most computer facilities continue to protect their physical assets far better than their data, even when the value of the data is several times greater than the value of the hardware.
Since awareness is especially important, we should also consider how much awareness we have within the organization. This can simply be achieved by sending a few emails that look genuine and collecting statistics on how many users opened such an email. Activities can be tracked in numbers. For example, the statistics can show how many users shared their password and how many downloaded an attachment.
With today's complex network architecture and constantly growing networks, protecting data and maintaining confidentiality play a very important role. Complex networks consist of network traffic flowing between enterprise networks, data center networks and, of course, the cloud as well. A secure network helps us to protect against data loss, cyber-attacks and unauthorized access, thus providing a better user experience. Network security technologies equip multiple platforms with the ability to deal with the exact protection requirements.
A firewall is a network security appliance that accepts or rejects traffic flows based on configured rules and preconfigured policies. Placement of a firewall depends entirely on the network architecture, which includes protection for network perimeters, subnets, and zones. Perimeter firewalls are always placed on a network's edge to filter packets entering the network. Perimeter firewalls are the first layer of security, and if malicious traffic has managed to bypass them, host-based firewalls provide another layer of protection by allowing or denying packets coming into the end host device. This is called the multilayer security approach. Multiple firewalls can be set up to design a highly secure environment.
Firewalls are often deployed in other parts of the network to provide proper segmentation and data protection within enterprise infrastructure, on access layers and also in data centers.
Firewalls can be further classified as the following:
Simple packet filtering
Application proxy
Stateful inspection firewalls
Next-Generation Firewall
A traditional firewall provides functions such as Packet Address Translation (PAT), Network Address Translation (NAT), and Virtual Private Network (VPN). The basic characteristic of a traditional firewall is that it works according to rules. For example, a user from the subnet 10.10.10.0/24 wants to access the Google DNS server 8.8.8.8 on UDP port 53.
A typical firewall rule will look like this:
Source IP        Destination IP   Protocol   Port   Action
10.10.10.0/24    8.8.8.8/32       UDP        53     Permit
However, a Next-Generation Firewall works on the basis of application- and user-aware policies. Application-level control allows you to set policies depending on the user and the application.
For example, you can block peer-to-peer (P2P) downloads completely or disable Facebook chat without even blocking Facebook.
We will discuss firewalls in detail in upcoming chapters. The following diagram reflects zones and connectivity, which shows how firewall zones connect to multiple businesses:
Demilitarized zone (DMZ): Internet-facing applications are located in the DMZ. Services in other zones remain inaccessible from the internet. The most common services placed in the DMZ include email services, FTP servers, and web servers.
Inside zone: The inside zone is known as the trusted zone to users. Applications in that area are considered highly secure. In the trusted area, security is maintained by denying, by default, all traffic from less trusted zones in any given firewall.
Cloud and internet zone: Let's not focus on naming these. They are standard segments we see on an enterprise network. These zones are considered lower-security zones.
There is a high chance that attacks may enter a network. An Intrusion prevention system (IPS) / Intrusion detection system (IDS) is a proactive measure to detect and identify suspicious or undesirable activities that indicate an intrusion. An IDS deployment can be online or offline, and the basic idea is to redirect the traffic you wish to monitor to it. Multiple methods, such as a switch port SPAN or a fiber-optic TAP solution, can be used to redirect traffic. Pattern matching is used to detect known attacks by their signatures and anomalies. Based on the activity, monitoring alerts can be set up to notify the network administrator.
As the following diagram shows, a SPAN port is configured on a switch in order to redirect traffic to the IDS sensor. A SPAN port creates a copy of the data flowing through a specific interface and redirects it to another port on the switch:
