Hi folks, Ed Amoroso here. I want to talk to you in this video about two basic techniques for doing detection and making some sort of security determination. We call these techniques, first, Intrusion Detection or Intrusion Detection System, IDS, and a corresponding capability called Intrusion Prevention, or IPS, Intrusion Prevention System. So IDS, IPS, I want to explain the difference. An IDS is something that we think of as a passive device, in the sense that it collects data, but it will never climb in the middle of Alice and Bob or any interaction as our pure arbitrator. Meaning, it's going to observe; think of it as a camera. It's collecting data, it's collecting a video tape in some sense of what's going on. And there might be a whole bunch of processing going on. Think of it offline. Processing going on offline. And I might notify somebody. I might call the manager, I might call the system administrators. I might call all the users, based on what I see, and let them do what they're going to do, but the IDS itself doesn't do that negatively. Now, in the late 90s, early 2000s, a lot of people noticed that a very common thing that would happen is that Alice would be attacking Bob. The Intrusion Detection System, IDS, would see Alice attacking Bob, the client attacking the server. Let's say it's a probe, and I know the IP address for the client is 192.1.2.3, and I see the probe, and the IDS sees it, and goes, [SOUND], something's going on, this is not good. I need to do something about this, and what we all noticed is that these IDSs were resulting in a human being being notified. The human being would then go to the firewall and manually key in a rule that would block IP address 192.1.2.3. And that might take minutes, hours, days, whatever, human beings involved. So everybody went, if that's one of our big use cases, why don't we just automate it? So it's like this. The client, Alice, 192.1.2.3, is doing some scanning, it's a successful scan, a probe, whatever.
The IDS detects it and thinks, well, why do I need to call a human and call the firewall to do all this stuff? Why don't I just block that IP address? And thus was born the concept of an IPS. We call that blocking a shun, it's an IP address shun, so what happens is the IDS becomes more actively involved in the engagement between the client and server, actively engaged, almost like a firewall. In fact, as a firewall, based on the detection component of the device. So you can think of it as kind of two states. The client and the server are connected through this IPS. The client is misbehaving, and the IPS has a component that's essentially an IDS. It sits in line now. We're not talking about clamping on with alligator clips and sitting passively offline. I'm talking about sitting actively in line now. Maybe right in front of your firewall. It's matching signatures, profile, whatever it's doing, probably signatures, sees that the probe is happening and in state S sub i comes to the conclusion that there's too much probing going on, puts a rule into its own sort of pass-through semantics. So it's taking packets in and passing packets out. They have a rule very similar to a firewall that'll shun, meaning, all right, if I see any more coming from that source IP, I'm dropping it. I'm not allowing it to proceed. So it puts in an auto shun. Now think about that. What are the pros and cons of that? The primary pro, well, I don't have to go call a guy, ring a bell, somebody changes the firewall. That whole loop is kind of lost. What's the con? That that loop is lost because, what do we know about the Internet? We know that you can spoof your source IP. So it's possible if you're doing something like a SYN flood, where I don't need the return SYN-ACK packet, so I can make believe, if I'm Alice, that I'm somebody else. And let's say I'm saying I'm George, and maybe I want to really make sure George can't connect to this server.
I know George's IP address, so I change it to George's IP address. I start sending SYN flood packets and traffic through the IPS. It gets annoyed with what it's seeing. Boom, it puts a rule in that will block George's source IP from hitting the server. Do you follow? It's a way of, in some sense, tricking the IPS shun mechanism into locking out a victim from gaining legitimate access to a server. It's a weakness in IPSs. In fact, it's such a significant weakness that if you talk to a lot of security teams, they'll tell you they run their IPS in passive mode, [LAUGH], so it's basically an IDS, and I'm laughing because you pay a lot more money for an IPS than an IDS. You're paying, you've got all this extra functionality, but a more expensive license, and you put it in place, and you're just running it in a mode that's essentially the cheap thing. It'd be like buying a car and never turning the radio on, [LAUGH], right? So, maybe that's okay because I do think in some sense it's a valid criticism about IPSs. It might be a little too dangerous to have these things just sort of willy-nilly making decisions about traffic that should be dropped. But again, if you buy it and you like it, you probably should be using the thing if you paid the money for it, or just buy yourself an IDS. So I hope you get the difference between passive and active. The IPS is clearly vulnerable to this shun spoof problem. But it also, when it's working right, does save a lot of steps, some manual steps. It saves a lot of time. IDS versus IPS, something you should be very aware of if you want to be a cyber security expert. So I hope this has been helpful for you.
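The auto-shun loop and the spoofed-source lockout described in the lecture, as an added toy model (not code from the lecture or any IPS product). It assumes constructed packet records and a constructed address 10.0.0.7 for George; the "handshake-only" counting policy is an illustrative mitigation resting on the point made above, that a spoofed source never receives the SYN-ACK and so can never complete the handshake.

```python
"""Toy model of an in-line IPS that auto-shuns sources, and why counting bare
SYNs lets a spoofed flood lock out an innocent address. Constructed data only."""
from collections import defaultdict

SHUN_THRESHOLD = 5  # probes from one source before the IPS adds a shun rule


def syn(src):
    """Constructed half-open probe: a bare SYN with a possibly spoofed source."""
    return {"src": src, "flags": "S"}


def established(src):
    """Constructed packet on a completed three-way handshake (source is real)."""
    return {"src": src, "flags": "A"}


class Ips:
    """Sits in line: counts suspicious packets per source, shuns at a threshold.

    count_bare_syns=True  -> any SYN counts (naive policy; spoofable)
    count_bare_syns=False -> only traffic on a completed handshake counts,
                             which a spoofed source can never produce
    never_shun            -> allowlist of sources the IPS must not auto-shun
    """

    def __init__(self, count_bare_syns=True, never_shun=()):
        self.count_bare_syns = count_bare_syns
        self.never_shun = set(never_shun)
        self.counts = defaultdict(int)
        self.shunned = set()

    def process(self, pkt):
        src = pkt["src"]
        if src in self.shunned:
            return "drop"                      # the shun rule in action
        if pkt["flags"] == "A" or self.count_bare_syns:
            self.counts[src] += 1
            if self.counts[src] >= SHUN_THRESHOLD and src not in self.never_shun:
                self.shunned.add(src)          # auto shun: no human in the loop
        return "pass"


def run_scenario(count_bare_syns=True, never_shun=()):
    """Alice floods bare SYNs carrying George's address, then the real George
    connects. Returns True if George's legitimate traffic still gets through."""
    ips = Ips(count_bare_syns, never_shun)
    for _ in range(20):
        ips.process(syn("10.0.0.7"))           # constructed: George's IP, spoofed
    return ips.process(established("10.0.0.7")) == "pass"


if __name__ == "__main__":
    print("naive SYN-count shun locks George out:", not run_scenario())
    print("handshake-only counting, George connects:", run_scenario(count_bare_syns=False))
    print("naive policy plus allowlist, George connects:", run_scenario(never_shun={"10.0.0.7"}))
```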