Chapter 4
Summary of HIDS & NIDS
1. A HIDS can monitor all traffic on a single host system like a server or workstation. 2. In some cases, it can detect malicious activity missed by antivirus software. 3. A NIDS is installed on network devices, such as routers or firewalls, to monitor network traffic and detect network-based attacks. It can also use taps or port mirrors to capture traffic. 4. A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.
Reporting Based on Rules
1. IDSs report on events of interest based on rules configured within the IDS. 2. Not all events are attacks or actual issues; instead, the IDS provides a report indicating that an event might be an alert or an alarm. 3. Administrators investigate to determine if it is valid. The actual reporting mechanism varies from system to system and between organizations. For example, one IDS might write the event into a log as an alarm or alert and then send an email to an administrator account. In a large network operations center (NOC), the IDS might send an alert to a monitor easily viewable by all personnel in the NOC. The point is that administrators configure the rules within the IDS based on the needs of the organization.
Problems with NIDS
1. It cannot detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic. 2. It cannot decrypt encrypted traffic, so it can only monitor and assess threats on the network from traffic sent in plaintext (unencrypted traffic).
Examples & IDS qualities
1. Most IDSs will only respond by raising alerts. For example, an IDS will log the attack and send a notification. The notification can come in many forms, including an email to a group of administrators, a text message, a popup window, or a notification on a central monitor. 2. Some IDSs have additional capabilities allowing them to change the environment in addition to sending a notification. For example, an IDS might be able to modify access control lists (ACLs) on firewalls to block offending traffic, close processes on a system that were caused by the attack, or divert the attack to a safe environment, such as a honeypot or honeynet. This is sometimes referred to as an active IDS, but the phrase can be misleading.
Sensors
1. They are located before the firewall, after the firewall, and on routers. 2. They collect and monitor network traffic on subnets within the network and report to the NIDS console. 3. The NIDS provides overall monitoring and analysis and can detect attacks on the network.
HIDS monitor & pass through
1. Traffic reaching the host. 2. Application activity, just as on a server. The traffic a HIDS monitors passes through the host's NIC.
Honeypots
1. A honeypot is a sweet-looking server: a server that is left open or appears to have been sloppily locked down, allowing an attacker relatively easy access. 2. The intent is for the server to look like an easy target so that the attacker spends his time in the honeypot instead of in a live network. 3. The honeypot diverts the attacker away from the live network. 4. Honeypots have two primary goals: • Divert attackers from the live network. If an attacker is spending time in the honeypot, he is not attacking live resources. • Allow observation of an attacker. While an attacker is in the honeypot, security professionals can observe the attack and learn from the attacker's methodologies. 5. Honeypots can also help security professionals learn about zero-day exploits, or previously unknown attacks.
Port monitoring
1. Use a tap or port mirror on the internal switch. 2. Most switches support port mirroring, allowing administrators to configure the switch to send all traffic received by the switch to a single port. 3. After configuring a port mirror, you can use it as a tap to send all switch data to a sensor or collector, and forward this to a NIDS. 4. Similarly, it's possible to configure taps on routers to capture all traffic sent through the router and send it to the IDS.
Ad hoc
In ad hoc mode, wireless devices connect to each other without an AP. For example, if you and another user have wireless laptops, you can create an ad hoc wireless network to connect your two computers. In contrast, when you connect to a wireless network via an AP, you are using infrastructure mode.
IDS
Intrusion Detection System: detects and monitors traffic and alerts on any suspicious activity in the network. Like a protocol analyzer, an IDS captures and analyzes traffic to detect attacks.
IPS Versus IDS—Inline Versus Passive
Intrusion prevention systems (IPSs) are an extension of IDSs. Just as there are HIDSs and NIDSs, there are HIPSs and NIPSs, but a network-based IPS (NIPS) is more common. The terms inline and in-band describe an IPS; passive and out-of-band describe an IDS.
IPS
Intrusion prevention systems react to attacks in progress and prevent them from reaching systems and networks.
How to combine an 802.1x server with other network elements
It's possible to combine an 802.1x server with other network elements such as a virtual local area network (VLAN). For example: 1. If you want to provide visitors with Internet access but prevent them from accessing internal network resources, you can configure the 802.1x server to grant full access to authorized clients but redirect unauthorized clients to a guest area of the network via a VLAN. 2. You can implement 802.1x as a Remote Authentication Dial-In User Service (RADIUS) or Diameter server. This helps authenticate virtual private network (VPN) clients before they connect. 3. You can also implement 802.1x in wireless networks to force wireless clients to authenticate before they connect.
Workstation HIDS
Just as a HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is primarily used to monitor network traffic reaching the workstation. But a HIDS can also monitor some applications and can protect local resources such as operating system files.
Wireless.
Many organizations provide wireless networks for both employees and guests. Wireless networks for employees provide a bridge to a wired network, allowing employees access to all network resources just as if they were connected from a wired PC at their desk.
AP device & extras
Most APs include physical ports for wired access (RJ-45) and a wireless transceiver for wireless clients. Some users can connect with regular twisted-pair cable, and other users can connect using wireless transmissions. The wired ports and wireless connections all connect through the switch component of the wireless router. The AP also includes extra services and capabilities, such as routing, Network Address Translation (NAT), Dynamic Host Configuration Protocol (DHCP), and more. These extra services reduce the setup time required for the WLAN. Because wireless networks broadcast on known frequency bands, other wireless users can often see them. This includes authorized users, curious neighbors, and attackers.
Disable SSID Broadcasting or Not
One of the goals of 802.11 wireless networks is ease of use. The designers wanted wireless computers to be able to easily find each other and work together. They were successful with this goal. Unfortunately, attackers can also easily find your networks. By default, APs broadcast the SSID in cleartext, making it easy to locate wireless networks. At some point years ago, someone stated that the SSID was a password (not true!), and many information technology (IT) professionals latched onto the idea that you can increase security by disabling the SSID broadcast. Others say that the SSID has nothing to do with security and that disabling the broadcast reduces usability but does not increase security. As background, APs must regularly send out a beacon frame to ensure interoperability with other devices in the wireless network. This beacon frame includes the SSID, and if the SSID broadcast is disabled, the SSID entry is blank. However, even if the SSID broadcast is disabled, the AP includes the SSID in Probe responses sent in response to Probe requests from authorized wireless clients. Because of this, it's easy for an attacker with a wireless protocol analyzer to listen for the Probe responses and detect the SSID. In other words, disabling the SSID broadcast makes it a little more difficult for attackers to find your network, but not much. It's almost like locking the front door of your house, but leaving the key in the lock. Steve Riley wrote in a security blog titled "Myth vs. Reality: Wireless SSIDs" that disabling the SSID for security "is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure." In case it isn't clear, Mr. Riley is in the camp that says you should not disable the SSID for security. For the record, I agree with him. For the CompTIA Security+ exam, you should know that it is possible to disable the SSID broadcast and hide the network from casual users. However, an attacker with a wireless protocol analyzer can easily discover the SSID even if SSID broadcast is disabled.
SDN & routing protocols
Routing protocols such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) help routers determine the best path to route traffic on the control plane. Routers use these protocols to share information with each other, creating a map of the known network. An SDN can still use these routing protocols, but without the hardware routers.
SSL/TLS Accelerators
SSL/TLS accelerators are hardware devices focused on handling Transport Layer Security (TLS) traffic. TLS is the designated replacement for Secure Sockets Layer (SSL), and TLS provides encryption for many different protocols, including HTTPS. HTTPS uses a certificate and asymmetric encryption. The process of establishing the HTTPS session, negotiating the best security supported by both the client and the server, sharing encryption keys, and encrypting session data all take a lot of time and resources. Off-loading this to another hardware device frees up the primary computer's resources, such as CPU power and RAM. When using an SSL accelerator, it's best to place it as close as possible to the related devices. For example, if you're using an SSL accelerator to off-load HTTPS sessions for a web server, place the SSL accelerator close to the web server.
Signature-Based Detection
Signature-based (also called definition-based) IDSs use a database of known vulnerabilities or known attack patterns. For example, tools are available that let an attacker launch a SYN flood attack on a server by simply entering the IP address of the system to attack. The attack tool then floods the target system with synchronize (SYN) packets but never completes the three-way Transmission Control Protocol (TCP) handshake with the final acknowledge (ACK) packet. If the attack isn't blocked, it can consume resources on a system and ultimately cause it to crash. This is a known attack with a specific pattern of successive SYN packets from one IP address to another.
Detection methods review
Signature-based detection identifies issues based on known attacks or vulnerabilities and can detect known anomalies. Heuristic or behavior-based IDSs (also called anomaly-based) can detect unknown anomalies. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the IDS sends an alert.
SSL Decryptors
Some organizations use SSL decryptors to combat many threats. SSL decryptors are often used with a NIPS. The NIPS is inline, but malicious traffic can get through if it's encrypted. The SSL decryptor allows the NIPS to inspect the unencrypted traffic and prevent attacks.
Alert & Alarm
Some systems consider an alarm and an alert to be the same thing. Others treat an alarm as a potentially serious issue and an alert as a relatively minor issue. The goal in these latter systems is to encourage administrators to give a higher precedence to alarms than to alerts.
Process of signature-based detection
The IDS can detect these patterns when the signature database includes the attack definitions. The process is very similar to what antivirus software uses to detect malware. You need to update both IDS signatures and antivirus definitions from the vendor on a regular basis to protect against current threats.
Sensor and Collector Placement
Placement depends on what you want to measure. For example: 1. A sensor on the Internet side of the firewall will see all the traffic. 2. A sensor on the internal side of the firewall will only see traffic that passes through the firewall, which means the firewall will filter some attacks and the internal sensor won't see them. 3. To view all attacks on your network, put a sensor on the Internet side. 4. To see what gets through, put sensors internally only. If you want to see both, put sensors in both places.
Zones & topologies
There are several zones and topologies used within a network. These commonly provide separation for networks based on usage. Some additional zones and topologies are: • Wireless • Guest • Ad hoc
IDS vs IPS
There are some primary distinctions between an IPS and an IDS: 1. An IPS can detect, react, and prevent attacks. An IDS monitors and will respond after detecting an attack, but it doesn't prevent attacks. 2. An IPS is inline with the traffic, which means all traffic passes through the IPS and the IPS can block malicious traffic. This is called in-band. 3. An IDS is out-of-band. It monitors the network traffic, but the traffic doesn't go through the IDS. This is called passive.
Honeypots and honeynets
They attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks and gather intelligence on these attacks. They provide these professionals with some additional tools to use in cyberwar.
IDS & IPS
They have the same capability. They capture the traffic and analyze it to detect potential attacks or anomalies. Both can detect attacks using similar detection and monitoring methods. The biggest difference is in their responses to an attack.
False Positives Versus False Negatives
While IDSs use advanced analytics to examine traffic, they are susceptible to both false positives and false negatives. It isn't possible to eliminate both. Most IDSs trigger an alert or alarm when an event exceeds a threshold. Administrators configure rules within the IDS and set the threshold to a number between 1 and 1,000 to indicate an attack. They can configure many settings based on the analytics and capabilities of the IDS. Most administrators want to know if their system is under attack. That's the primary purpose of the IDS. It's important to set the threshold high enough to reduce the number of false positives, but low enough to alert on any actual attacks. There is no perfect number for the threshold. Administrators adjust thresholds in different networks based on the network's activity level and personal preferences.
Securing Wireless Networks
Wireless local area networks (WLANs) are used in home and business networks. A wireless network is easy to set up and can quickly connect several computers without the need to run cables, which significantly reduces costs. The significant challenge with wireless networks is security. Wireless security has improved over the years, but wireless networks are still susceptible to vulnerabilities, and many users just don't understand how to lock down a wireless network adequately.
Access Point SSID
Wireless networks are identified by a service set identifier (SSID), which is simply the name of the wireless network. Some APs still come with default SSIDs, though most vendors have moved away from this practice. For example, the default SSID of some older Linksys APs is "Linksys." Some newer APs force you to enter a name for the SSID when you first install it and do not include a default. From a defense-in-depth perspective, it's a good idea to change the name of the SSID if a default is used. It simply gives attackers less information. For example, if an attacker sees a wireless network with an SSID of Linksys, the attacker has a good idea that the network is using a Linksys AP. If the attacker knows about specific weaknesses with this AP, he can start exploiting these weaknesses. On the other hand, an AP with an SSID of "Success" doesn't give the attacker any clues about the AP.
Band Selection and Channel Widths
Wireless networks use two primary radio bands: 2.4 GHz and 5 GHz. However, wireless devices don't transmit exactly on 2.4 GHz or 5 GHz. Instead, the two bands have multiple channels starting at about 2.4 GHz and 5 GHz. The Institute of Electrical and Electronics Engineers (IEEE) defines many standards, including the IEEE 802.11 group of wireless network protocols. Table 4.1 shows some common wireless standards along with the frequency band (or bands) they support. It also shows the channel widths supported by each. However, the channel widths are somewhat misleading. For example, 802.11n supports channel widths of both 20 MHz and 40 MHz. However, a 40 MHz channel is two combined 20 MHz channels.
Table 4.1: Common wireless standards, frequencies, and channel widths
Theoretically, wider channels allow you to transfer more data through the channel. Unfortunately, there are two challenges. First, when you increase the channel width, you decrease the distance of the radio transmissions. A device that connects with a 20 MHz channel at a specific distance away might not be able to connect at 40 MHz from the same location. Second, you increase the possibility of interference. Wider channels are more likely to overlap with other wireless devices, and this interference affects overall performance. These challenges are much more prevalent in the 2.4 GHz band because there are more technologies operating in this band. For example, Bluetooth devices, microwave ovens, and cordless phones operate in this range. Additionally, the 2.4 GHz range has only three nonoverlapping channels. APs typically allow you to choose the frequency band (2.4 GHz and/or 5 GHz). Additionally, most APs allow you to manually select a channel or allow the AP to pick the best channel. The "PSK, Enterprise, and Open Modes" section (found later in this chapter) shows a screenshot of an AP with some of these selections.
Example of a honeynet
You can use a single powerful server with a significant amount of RAM and processing power. This server could host multiple virtual servers, where each virtual server runs an operating system and applications. A physical server hosting six virtual servers will appear as seven systems on a subnet. An attacker looking in will not be able to easily determine whether the servers are physical or virtual. The purpose of this virtual network is to attract the attention of an attacker, just as a single honeypot tries to attract the attention of an attacker. If the attacker is in the honeynet, the live network isn't being attacked, and administrators can observe the attacker's actions.
false negative
A false negative is when an attacker is actively attacking the network, but the system does not detect it.
Summary of false positives and false negatives
A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator's workload. A false negative is when an attack is occurring, but the system doesn't detect and report it. Administrators often set the IDS threshold high enough that it minimizes false positives but low enough that it does not allow false negatives.
false positive
A false positive is an alert or alarm on an event that is nonthreatening, benign, or harmless.
summary of fat & thin AP
A fat AP is also known as a stand-alone AP and is managed independently. A thin AP is also known as a controller-based AP and is managed by a wireless controller. The wireless controller configures the thin AP.
Fat Versus Thin Access Points
A fat AP, also known as a stand-alone, intelligent, or autonomous AP, includes everything needed to connect wireless clients to a wireless network. It typically includes features such as a routing component, NAT, DHCP, wireless security options, access control lists (ACLs), and more. If you're running a wireless network at your home or in a small office network, you are likely using a fat access point. Fat APs must be configured separately from each other, which isn't really a problem if you're only configuring a single AP. Consider a network that has a dozen APs spread around the organization. If these were all fat APs, administrators would need to configure each one separately, which is highly inefficient.
Guest
A guest network is typically a wireless network used to provide guests with Internet access. The guest network rarely gives guests access to network resources, but instead gives them a simple way to check their email or access web sites.
Honeynets
A honeynet is a group of honeypots within a separate network or zone, but accessible from an organization's primary network. Honeynets are often created using multiple virtual servers contained within a single physical server. The servers within this network are honeypots, and the honeynet mimics the functionality of a live network.
IEEE 802.1x Security
A method of port security is to use IEEE 802.1x, a port-based authentication protocol. It requires users or devices to authenticate when they connect to a specific wireless access point or a specific physical port, and it can be implemented in both wireless and wired networks. It secures the authentication process prior to a client gaining access to a network and blocks network access if the client cannot authenticate. 802.1x can use simple usernames and passwords for authentication, or certificates for certificate-based authentication. The 802.1x server prevents rogue devices from connecting to a network. Consider open RJ-45 wall jacks. Although disabling them is a good port security practice, you can also configure an 802.1x server to require authentication for these ports. If clients cannot authenticate, the 802.1x server blocks or restricts access to the network.
NIDS & NIDS console
A network-based intrusion detection system (NIDS): 1. Monitors activity on the network. 2. NIDS sensors or collectors are installed on network devices such as routers and firewalls. 3. These sensors gather information and report to a central monitoring server hosting a NIDS console.
SDN
A software-defined network (SDN) uses virtualization technologies to route traffic instead of using hardware routers and switches. An SDN separates the data plane and the control plane within a network: it separates the logic used to forward or block traffic (the data plane) from the logic used to identify the path to take (the control plane). Hardware routers use rules within an ACL to identify whether the router will forward or block traffic on the data plane. This is always proprietary because it's implemented on specific hardware routers. But an SDN implements the data plane with software and virtualization technologies, allowing an organization to move away from proprietary hardware. Attribute-based access control (ABAC) is commonly used in SDNs. Instead of rules within ACLs, ABAC models allow administrators to create data plane policies to route traffic. A huge benefit of these policies is that they typically use plain-language statements instead of complex rules within an ACL.
AP
A wireless access point (AP) connects wireless clients to a wired network. However, many APs also have routing capabilities. Vendors commonly market APs with routing capabilities as wireless routers. Two distinctions are: • All wireless routers are APs. These are APs with an extra capability: routing. • Not all APs are wireless routers. Many APs do not have any additional capabilities. They provide connectivity for wireless clients to a wired network but do not have routing capabilities.
summary of 802.1x
An 802.1x server provides port-based authentication, ensuring that only authorized clients can connect to a network. It prevents rogue devices from connecting.
Detection Methods
An IDS can only detect an attack. It cannot prevent attacks. But an IPS prevents attacks by detecting them and stopping them before they reach the target. An attack is any attempt to compromise CIA (confidentiality, integrity, or availability). The two primary methods of detection are: 1. signature-based; 2. heuristic- or behavioral-based (also called anomaly-based). Any type of IDS can detect attacks based on signatures, anomalies, or both. The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.
Summary of in-band & out-of-band
An IPS can detect, react, and prevent attacks. It is placed inline with the traffic (also known as in-band). An IDS monitors and responds to an attack. It is not inline but instead collects data passively (also known as out-of-band).
summary of IPS
An intrusion prevention system (IPS) is a preventive control. It is placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can also be used internally to protect private networks.
Data Sources and Trends
Any type of IDS uses various raw data sources to collect information on activity. This includes a wide variety of logs, such as firewall logs, system logs, and application logs. These logs can be analyzed to provide insight into trends, and these trends can reveal a pattern of attacks and provide insight into how to better protect a network. Many IDSs have the capability to monitor logs in real time. Each time a system records a log entry, the IDS examines the log to determine whether it is an item of interest. Other IDSs periodically poll relevant logs and scan new entries looking for items of interest.
Example of an SSL decryptor
Attackers often use encryption to prevent inspection methods from detecting malware coming into a network. For example, imagine Homer innocently goes to a malicious web site. The web site establishes a secure HTTPS connection and then downloads malware to Homer's computer. Because the site is using HTTPS, the malware is encrypted while in transit. Even if an organization had the best content inspection methods and malware detection software, it wouldn't detect the malware while it's encrypted. An SSL decryptor solves this problem. You would place it in the DMZ and redirect all traffic to and from the Internet through it. Unencrypted data goes through the device without any modification. But any attempt to establish an encrypted session prompts the SSL decryptor to create a separate SSL (or TLS) session. When Homer innocently goes to a malicious web site, the traffic goes through the SSL decryptor. The SSL decryptor establishes an HTTPS session between it and Homer's computer. It also establishes an HTTPS session between it and the web site. All data in transit is encrypted. However, the SSL decryptor can view the unencrypted data and inspect it.
Protocol Analyzer capabilities
Both IDSs and IPSs have protocol analyzer capabilities. This allows them to monitor data streams looking for malicious behavior. An IPS can inspect packets within these data streams and block malicious packets before they enter the network. A NIDS has sensors or data collectors that monitor and report the traffic. An active NIDS can take steps to block an attack, but only after the attack has started. The inline configuration of the IPS allows it to prevent attacks from reaching the internal network. A NIPS is used to detect and prevent attacks.
Zero-day attacks and IDS
Anomaly-based detection can be effective at finding zero-day attacks. A zero-day vulnerability is usually defined as one that is unknown to the vendor. A zero-day exploit is one for which the vendor has not released a patch: the vendor might know about the vulnerability but has not yet written, tested, and released a patch to close it. In both cases, the vulnerability exists and systems are unprotected. If attackers discover the vulnerabilities, they try to exploit them. But the attack has the potential to create abnormal traffic, allowing an anomaly-based system to detect it. Any time administrators make significant changes to a system or network that cause the normal behavior to change, they should re-create the baseline. Otherwise, the IDS will constantly alert on what is now normal behavior.
Example of an event exceeding a threshold
Consider a SYN flood attack, where the attacker withholds the third part of the TCP handshake. Instead of completing the handshake with an ACK packet, the attacking host never sends the ACK but continues to send more SYN packets. This leaves the server with open connections that can ultimately disrupt services. If a system receives 1 SYN packet without the accompanying ACK packet, is it an attack? Probably not. This can happen during normal operations. If a system receives over 1,000 SYN packets from a single IP address in less than 60 seconds, without the accompanying ACK packet, is it an attack? Absolutely.
Honeypots example
For example, a honeypot could be a web server designed to look like a live web server. It would have bogus data such as files and folders containing fabricated credit card transaction data. 1. If an organization suspects it has a problem with a malicious insider, it can create an internal honeypot with bogus information on proprietary projects. 2. Honeypots typically have minimal protection that an attacker can easily bypass. If administrators don't use any security, the honeypot might look suspicious to experienced attackers, and they might simply avoid it. 3. Security personnel often use honeypots as a tool to gather intelligence on the attacker. Attackers are constantly modifying their methods to take advantage of different types of attacks. 4. Some sophisticated attackers discover vulnerabilities before a patch is released (also known as a zero-day exploit or zero-day vulnerability). 5. In some cases, security professionals observe attackers launching zero-day vulnerability attacks against a honeypot. 6. Honeypots never hold any data that is valuable to the organization. The data may appear to be valuable to an attacker, but its disclosure is harmless.
Enable MAC Filtering
Enabling media access control (MAC) filtering provides a small measure of security to a wireless network. The MAC address (also called a physical address or hardware address) is a 48-bit address used to identify network interface cards (NICs). You will usually see the MAC address displayed as six pairs of hexadecimal characters such as 00-16-EA-DD-A6-60. Every NIC, including wireless NICs, has a MAC address. MAC filtering is a form of network access control. It's used with port security on switches, and you can use it to restrict access to wireless networks. For example, Figure 4.4 shows the MAC filter on a NETGEAR Orbi AP. In the figure, you can see that the system is set to Permit PCs Listed Below to Access the Wireless Network. The MAC Address column shows the MAC addresses of the allowed devices. The Status column shows that each of these devices is set to Allows, granting them access. The Block all new devices from connecting setting prevents any other devices from connecting. It's also possible to select the check box for any device and click on Block to change its status to Blocked.
Figure 4.4: MAC filter on an AP
Theoretically, MAC addresses are unique. The MAC filter in Figure 4.4 limits access to only the devices with these MAC addresses. This might sound secure, but an attacker with a wireless sniffer can easily identify the MAC addresses allowed in a wireless network. Additionally, it's very easy to change a MAC address. An attacker can launch a spoofing attack by changing the MAC address on his laptop to impersonate one of the allowed MAC addresses. Many operating systems include built-in functionality to change a NIC's MAC address. For example, in Windows 10 you can access the NIC's properties from Device Manager, click the Advanced tab, and configure the Network Address setting with a new MAC.
Thin AP
Enter the thin AP. A thin AP is a controller-based AP, meaning that it isn't a stand-alone AP, but rather an AP managed by a controller. Administrators use a wireless controller to configure and manage thin APs. This streamlines the administration by consolidating it in one place. Thin APs are also making their way into small office and home networks.
Example of fat & thin APs
For example, NETGEAR's Orbi wireless router includes one fat AP and one or more thin satellite APs. You configure the single fat AP, and it then configures the satellite APs.
What does a HIDS detect?
A HIDS can help detect malware that traditional antivirus software might miss. Many organizations therefore install a HIDS on every workstation as an extra layer of protection in addition to traditional antivirus software. Administrators also install a HIDS when there is a specific need: for example, if a specific server with proprietary data is at increased risk of an attack, administrators might choose to install a HIDS on this system as an extra layer of protection.
Heuristic-based detection advantages
Heuristic-based detection is similar to how heuristic-based antivirus software works. Although the internal methods are different, both examine activity and detect abnormal activity that is beyond the capability of signature-based detection.
Heuristic/Behavioral Detection
Heuristic/behavioral-based detection (also called anomaly-based) starts by identifying normal operation or normal behavior of the network. It does this by creating a performance baseline under normal operating conditions. The IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the IDS detects abnormal activity (outside the normal boundaries identified in the baseline), it gives an alert indicating a potential attack.
HIDS
Host-based IDS: 1. Additional software installed on a system such as a server. 2. Provides protection to a single host. 3. Can detect attacks and protect critical OS files. 4. Monitors application activity; a HIDS is often installed on Internet-facing servers such as web, mail, and database servers.
IDS, IPS & SYN flood attacks
IDSs and IPSs can detect a SYN flood attack, and IPSs can prevent the attack. Also, many firewalls include a SYN flood guard that can detect SYN flood attacks and take steps to close the open sessions. This is different from a flood guard on a switch, which is designed to stop MAC flood attacks.
Threshold level: low vs. high
If administrators set the threshold too low, they will have too many false positives and a high workload as they spend their time chasing ghosts. If they set the threshold too high, actual attacks will get through without administrators knowing about them.
