WEBVTT

1
00:00:00.090 --> 00:00:01.500
<v Instructor>In this lesson,</v>

2
00:00:01.500 --> 00:00:06.120
we will learn about intrusion prevention system or IPS

3
00:00:06.120 --> 00:00:10.980
and intrusion detection system or IDS issues.

4
00:00:10.980 --> 00:00:15.210
IPS and IDS issues involve challenges

5
00:00:15.210 --> 00:00:18.840
related to the correct deployment, configuration,

6
00:00:18.840 --> 00:00:22.680
and effectiveness of these security systems.

7
00:00:22.680 --> 00:00:27.680
IPS and IDS issues include poor placement, lack of rules,

8
00:00:28.500 --> 00:00:31.320
and rule misconfigurations.

9
00:00:31.320 --> 00:00:36.150
Placement refers to where the IPS or IDS is located

10
00:00:36.150 --> 00:00:38.100
within the network.

11
00:00:38.100 --> 00:00:42.570
An incorrect placement can lead to either missed threats

12
00:00:42.570 --> 00:00:45.420
or unnecessary alerts.

13
00:00:45.420 --> 00:00:47.820
Next, a lack of rules

14
00:00:47.820 --> 00:00:51.660
means that the IPS or IDS is not equipped

15
00:00:51.660 --> 00:00:55.080
with the necessary policies or signatures

16
00:00:55.080 --> 00:00:57.990
to identify potential threats.

17
00:00:57.990 --> 00:01:01.470
Finally, rule misconfigurations occur

18
00:01:01.470 --> 00:01:03.060
when the rules that define

19
00:01:03.060 --> 00:01:07.440
what the IPS or IDS should flag as suspicious

20
00:01:07.440 --> 00:01:09.780
are set incorrectly.

21
00:01:09.780 --> 00:01:13.800
Rule misconfigurations can lead to either too many

22
00:01:13.800 --> 00:01:16.110
or too few alerts.

23
00:01:16.110 --> 00:01:19.770
Let's learn more about placement, lack of rules,

24
00:01:19.770 --> 00:01:22.290
and rule misconfigurations.

25
00:01:22.290 --> 00:01:24.780
First, we have placement.

26
00:01:24.780 --> 00:01:27.570
The placement of an intrusion detection system

27
00:01:27.570 --> 00:01:31.320
or intrusion prevention system within a network

28
00:01:31.320 --> 00:01:33.450
determines its effectiveness.

29
00:01:33.450 --> 00:01:36.480
An intrusion detection system or IDS

30
00:01:36.480 --> 00:01:40.080
is designed to passively monitor network traffic

31
00:01:40.080 --> 00:01:44.640
and generate alerts when it detects suspicious activity.

32
00:01:44.640 --> 00:01:47.580
The key to effective IDS placement

33
00:01:47.580 --> 00:01:50.520
is ensuring that it monitors the traffic

34
00:01:50.520 --> 00:01:54.990
that is most relevant to the organization's security goals

35
00:01:54.990 --> 00:01:59.400
without overloading the system with excess data.

36
00:01:59.400 --> 00:02:04.350
Because its goal is to monitor traffic and not affect it,

37
00:02:04.350 --> 00:02:07.650
an IDS does not need to be in-line

38
00:02:07.650 --> 00:02:10.290
with the traffic that it is monitoring.

39
00:02:10.290 --> 00:02:13.200
This means that an IDS can be placed

40
00:02:13.200 --> 00:02:17.550
on a switch mirror port or switch port analyzer port,

41
00:02:17.550 --> 00:02:20.490
where it can receive a copy of the traffic

42
00:02:20.490 --> 00:02:25.380
to analyze without affecting the flow of that traffic.

43
00:02:25.380 --> 00:02:30.380
In contrast, an IPS, intrusion prevention system,

44
00:02:30.450 --> 00:02:33.390
not only monitors and generates alerts

45
00:02:33.390 --> 00:02:35.790
when it detects suspicious activity,

46
00:02:35.790 --> 00:02:38.160
but it is also an active system

47
00:02:38.160 --> 00:02:43.110
that blocks or prevents malicious traffic in real-time.

48
00:02:43.110 --> 00:02:44.400
For this reason,

49
00:02:44.400 --> 00:02:48.210
an IPS must be placed directly in-line

50
00:02:48.210 --> 00:02:51.630
with the network traffic it needs to affect.

51
00:02:51.630 --> 00:02:54.810
In-line, an IPS can take action

52
00:02:54.810 --> 00:02:58.710
by dropping packets or terminating connections.

53
00:02:58.710 --> 00:03:02.010
An effective placement strategy for an IPS

54
00:03:02.010 --> 00:03:06.330
ensures it monitors high traffic or sensitive areas

55
00:03:06.330 --> 00:03:10.800
such as the connection between a company's internal network

56
00:03:10.800 --> 00:03:12.900
and external partners,

57
00:03:12.900 --> 00:03:17.850
preventing unauthorized access attempts at these key points.

58
00:03:17.850 --> 00:03:22.350
The wrong placement of either IDS or IPS

59
00:03:22.350 --> 00:03:27.060
can lead to network inefficiencies or security gaps.

60
00:03:27.060 --> 00:03:32.060
An improperly placed IDS may detect irrelevant traffic,

61
00:03:32.160 --> 00:03:36.120
overloading the security team with false positives.

62
00:03:36.120 --> 00:03:40.020
While an IPS placed in a less critical area

63
00:03:40.020 --> 00:03:42.120
may allow harmful traffic

64
00:03:42.120 --> 00:03:45.120
to bypass its protective mechanisms.

65
00:03:45.120 --> 00:03:47.790
So to optimize the placement,

66
00:03:47.790 --> 00:03:51.480
a thorough understanding of network traffic flow

67
00:03:51.480 --> 00:03:53.700
and identifying the most sensitive

68
00:03:53.700 --> 00:03:56.640
and higher risk points is essential.

69
00:03:56.640 --> 00:03:59.670
Second, we have lack of rules.

70
00:03:59.670 --> 00:04:03.090
A lack of IDS or IPS rules

71
00:04:03.090 --> 00:04:05.460
could severely limit their ability

72
00:04:05.460 --> 00:04:08.910
to detect or prevent malicious activity.

73
00:04:08.910 --> 00:04:11.670
Both systems rely on sets

74
00:04:11.670 --> 00:04:15.000
of predefined policies or signatures

75
00:04:15.000 --> 00:04:19.260
that identify specific patterns of malicious behavior,

76
00:04:19.260 --> 00:04:22.350
such as known malware signatures,

77
00:04:22.350 --> 00:04:24.360
suspicious traffic flows,

78
00:04:24.360 --> 00:04:27.450
or unusual login attempts.

79
00:04:27.450 --> 00:04:30.870
Without comprehensive or updated rules,

80
00:04:30.870 --> 00:04:35.760
an IDS may fail to alert security teams of threats.

81
00:04:35.760 --> 00:04:39.840
Furthermore, an IDS with an incomplete rule set

82
00:04:39.840 --> 00:04:42.960
might detect common well-known attacks,

83
00:04:42.960 --> 00:04:45.390
but miss more sophisticated ones,

84
00:04:45.390 --> 00:04:47.580
leaving the network vulnerable.

85
00:04:47.580 --> 00:04:49.980
For example, without rules

86
00:04:49.980 --> 00:04:52.320
that cover the newer attack vectors

87
00:04:52.320 --> 00:04:54.390
like advanced persistent threat

88
00:04:54.390 --> 00:04:56.820
tactics, techniques, and procedures,

89
00:04:56.820 --> 00:05:00.810
an IDS might miss complex intrusions.

90
00:05:00.810 --> 00:05:04.110
IPS or intrusion prevention systems

91
00:05:04.110 --> 00:05:06.750
also depend heavily on rules

92
00:05:06.750 --> 00:05:09.240
for proactive threat prevention.

93
00:05:09.240 --> 00:05:12.720
An IPS without a sufficient set of rules

94
00:05:12.720 --> 00:05:14.850
might allow malicious traffic

95
00:05:14.850 --> 00:05:17.700
to pass through without detection,

96
00:05:17.700 --> 00:05:20.400
failing to block potential attacks.

97
00:05:20.400 --> 00:05:23.820
For example, if an IPS is deployed

98
00:05:23.820 --> 00:05:28.140
in an environment with complex or evolving traffic patterns,

99
00:05:28.140 --> 00:05:30.000
but lacks the right rule set

100
00:05:30.000 --> 00:05:33.180
to understand what is considered normal

101
00:05:33.180 --> 00:05:34.950
and what is abnormal,

102
00:05:34.950 --> 00:05:38.400
it could allow attackers to exfiltrate data

103
00:05:38.400 --> 00:05:41.550
or exploit vulnerabilities unchecked.

104
00:05:41.550 --> 00:05:45.870
So keeping the rule set of an IPS updated

105
00:05:45.870 --> 00:05:47.910
ensures that an organization

106
00:05:47.910 --> 00:05:50.400
can recognize the latest threats

107
00:05:50.400 --> 00:05:53.160
and prevent them in real time.

108
00:05:53.160 --> 00:05:57.510
Third and last, we have misconfigurations.

109
00:05:57.510 --> 00:06:00.990
Misconfigurations in intrusion detection systems

110
00:06:00.990 --> 00:06:03.330
and intrusion prevention systems

111
00:06:03.330 --> 00:06:04.770
are a common challenge

112
00:06:04.770 --> 00:06:08.280
that can lead to either too many false alerts

113
00:06:08.280 --> 00:06:10.740
or worse, missed threats.

114
00:06:10.740 --> 00:06:13.800
Misconfigurations can take many forms

115
00:06:13.800 --> 00:06:16.770
such as incorrect threshold settings,

116
00:06:16.770 --> 00:06:19.950
overly broad or overly narrow rules,

117
00:06:19.950 --> 00:06:21.990
or outdated signatures

118
00:06:21.990 --> 00:06:25.650
that fail to reflect the current threat landscape.

119
00:06:25.650 --> 00:06:29.250
For an IDS or intrusion detection system,

120
00:06:29.250 --> 00:06:34.140
misconfigured rules can lead to a flood of false positives

121
00:06:34.140 --> 00:06:38.160
where legitimate traffic is flagged as suspicious.

122
00:06:38.160 --> 00:06:41.070
This can overwhelm security teams,

123
00:06:41.070 --> 00:06:45.630
making it difficult to distinguish real threats from noise.

124
00:06:45.630 --> 00:06:50.160
For example, if an IDS is configured too aggressively

125
00:06:50.160 --> 00:06:52.890
to alert on every minor deviation

126
00:06:52.890 --> 00:06:54.810
from normal traffic patterns,

127
00:06:54.810 --> 00:06:57.690
the security team may spend valuable time

128
00:06:57.690 --> 00:07:00.180
investigating harmless activities

129
00:07:00.180 --> 00:07:04.950
like routine software updates or routine file transfers.

130
00:07:04.950 --> 00:07:06.420
On the other hand,

131
00:07:06.420 --> 00:07:08.850
overly lenient configurations

132
00:07:08.850 --> 00:07:12.150
such as overly high thresholds for alerts

133
00:07:12.150 --> 00:07:17.150
or too general filtering rules can result in false negatives

134
00:07:17.310 --> 00:07:20.490
where actual threats like data exfiltration

135
00:07:20.490 --> 00:07:24.300
or malware communications go unnoticed.

136
00:07:24.300 --> 00:07:29.300
IPS or intrusion prevention systems face similar challenges,

137
00:07:29.430 --> 00:07:33.060
but with potentially more severe consequences.

138
00:07:33.060 --> 00:07:38.060
Since an IPS actively blocks traffic based on its rule set,

139
00:07:38.640 --> 00:07:40.470
misconfigurations can lead

140
00:07:40.470 --> 00:07:44.940
to legitimate business critical applications being blocked,

141
00:07:44.940 --> 00:07:47.790
resulting in network disruption.

142
00:07:47.790 --> 00:07:51.420
For instance, if an IPS is configured

143
00:07:51.420 --> 00:07:53.670
with overly aggressive rules,

144
00:07:53.670 --> 00:07:58.050
it might block encrypted traffic that appears unusual

145
00:07:58.050 --> 00:08:01.650
but is actually part of a financial application

146
00:08:01.650 --> 00:08:04.680
or a secure file transfer process.

147
00:08:04.680 --> 00:08:07.740
In this case, the misconfiguration

148
00:08:07.740 --> 00:08:10.800
could disrupt essential business operations

149
00:08:10.800 --> 00:08:13.500
causing frustration for end users

150
00:08:13.500 --> 00:08:16.500
and potential operational downtime.

151
00:08:16.500 --> 00:08:20.310
Additionally, misconfigured IPS systems

152
00:08:20.310 --> 00:08:23.640
that lack appropriate rules for modern threats

153
00:08:23.640 --> 00:08:26.730
may fail to block sophisticated attacks

154
00:08:26.730 --> 00:08:30.930
such as advanced persistent threats or encrypted malware,

155
00:08:30.930 --> 00:08:33.870
leaving the network vulnerable to attack.

156
00:08:33.870 --> 00:08:36.450
Another common misconfiguration issue

157
00:08:36.450 --> 00:08:39.840
in both IDS and IPS systems

158
00:08:39.840 --> 00:08:42.450
involves signature updates.

159
00:08:42.450 --> 00:08:46.650
If an IDS or IPS is not regularly updated

160
00:08:46.650 --> 00:08:49.920
with the latest signatures or threat intelligence,

161
00:08:49.920 --> 00:08:53.040
it may fail to detect emerging threats.

162
00:08:53.040 --> 00:08:56.010
For example, if a system is relying

163
00:08:56.010 --> 00:08:58.470
on outdated malware signatures,

164
00:08:58.470 --> 00:09:02.070
new variants will slip through undetected.

165
00:09:02.070 --> 00:09:06.060
So ensuring that rules are updated regularly

166
00:09:06.060 --> 00:09:07.890
and accurately aligned

167
00:09:07.890 --> 00:09:10.770
with the network-specific traffic patterns

168
00:09:10.770 --> 00:09:15.090
is key to maintaining the effectiveness of these systems.

169
00:09:15.090 --> 00:09:19.350
Overall, misconfigurations can often be avoided

170
00:09:19.350 --> 00:09:23.100
through regular audits, automated rule updates,

171
00:09:23.100 --> 00:09:25.170
and tailored configurations

172
00:09:25.170 --> 00:09:29.820
that balance security needs with operational requirements.

173
00:09:29.820 --> 00:09:34.680
So remember, issues with intrusion prevention systems

174
00:09:34.680 --> 00:09:37.110
and intrusion detection systems

175
00:09:37.110 --> 00:09:41.490
often arise from improper placement, lack of rules,

176
00:09:41.490 --> 00:09:43.920
or rule misconfigurations.

177
00:09:43.920 --> 00:09:47.130
Placing these systems incorrectly in a network

178
00:09:47.130 --> 00:09:51.750
can lead to missed threats or overwhelming false alerts.

179
00:09:51.750 --> 00:09:56.040
Next, without comprehensive or updated rules,

180
00:09:56.040 --> 00:09:58.230
these systems might fail to detect

181
00:09:58.230 --> 00:10:01.740
or prevent certain types of malicious activity.

182
00:10:01.740 --> 00:10:04.410
And finally, misconfigurations,

183
00:10:04.410 --> 00:10:07.170
such as setting incorrect thresholds

184
00:10:07.170 --> 00:10:09.510
or using outdated signatures,

185
00:10:09.510 --> 00:10:12.030
can either trigger too many alerts

186
00:10:12.030 --> 00:10:14.820
or let real threats slip through.

187
00:10:14.820 --> 00:10:18.660
So regular rule updates and careful placement

188
00:10:18.660 --> 00:10:23.660
are important to ensuring IPS and IDS effectiveness.

