NIDS vs NIPS: Which is the better device?

Published: Aug. 3, 2021, 3:39 a.m.


Hello everyone, my name is Vijay Kumar Devireddy, and I am glad to have you back on episode 61. Today we're going to discuss NIDS versus NIPS. Now, we've already spoken a little bit about intrusion detection and intrusion prevention systems earlier on in this course. In this lesson, though, we're going to focus on the differences between a network-based IDS and a network-based IPS.

A Network Intrusion Detection System, or NIDS, is a type of IDS that attempts to detect malicious network activities, for example, port scans and denial of service attacks. This is a device that's usually placed either before the firewall, so that it is directly exposed to all of the traffic that's coming in, or right behind the firewall. Personally though, I like to have my NIDS placed behind the firewall, as this helps filter the amount of traffic that we'd have to see and review, since the firewall is already going to block a lot of it for us.

Generally, your Network Intrusion Detection System will be placed into what's known as promiscuous mode. This allows it to see all of the traffic that crosses the network instead of just the traffic that's destined for its own MAC address. This is easily done through the configuration of the NIDS, and by placing your NIDS on a SPAN port of your network switch so that it can receive all of the traffic moving through that switch, and not just the traffic on its own switch port. A NIDS can only detect, monitor, and alert on traffic based on signature-based rules or heuristics, and it won't do anything to actually stop an attack from occurring. When you're dealing with a NIDS, all it's going to do is log it and let you know about it.

A Network Intrusion Prevention System, or NIPS, on the other hand, is a type of IPS designed to inspect traffic and, based on its configuration or security policy, it can also remove, detain, or redirect that malicious traffic. That means a NIPS can not only detect it and log it like an IDS does, but it can also stop that ongoing attack by blocking the IP address that's causing issues or shutting down the connection. But to be able to effectively take these actions, the NIPS has to be installed inline in your network. Again, I like to place my NIPS inline, just behind the firewall. This way it's just inside the network perimeter, and it allows me to have a good vantage point for it.

Remember, when you're using a NIPS to block an ongoing attack, you want to ensure that the NIPS is properly tuned. If you didn't tune it properly with the right signatures, you could have a lot of false positives, and since these would be terminated, it could cause an inadvertent denial of service for your network if it tries to prevent what it thinks is malicious traffic from flowing into the network.

Now, because a NIPS is an inline device, you also have to think about what's going to happen if that device fails. Should that device fail open, or should it fail shut? If you configure the device to fail open, the NIPS is going to simply let all of the traffic through whenever it fails. This is less secure, obviously, so you have to think about whether this is really what you want. If you choose to fail shut, on the other hand, the device is going to block all the traffic if it fails for some reason. This means that it's going to create a denial of service condition for your entire network, which is also pretty bad. For this reason, most organizations choose to fail open with their Network Intrusion Prevention Systems, and rely on other defensive layers to provide some layer of protection until the NIPS can be fixed and brought online again.

Now, in addition to providing their NIDS and NIPS functions, these devices can also be used as a protocol analyzer.
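The behaviours described above as a small Python model, added here as an illustration and not code from the episode. The `Sensor` class, the distinct-port scan heuristic with its `threshold`, and the sample addresses (documentation ranges) are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Sensor:
    mode: str                 # "nids" (passive, on a SPAN port) or "nips" (inline)
    fail_open: bool = True    # only matters for an inline device
    healthy: bool = True      # False simulates a failed device
    threshold: int = 5        # assumed heuristic: distinct ports per source = scan
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    ports_seen: dict = field(default_factory=dict)

    def handle(self, src, dport):
        """Return True if the packet reaches the network, False if it is dropped."""
        if not self.healthy:
            # A passive NIDS only sees a copy, so its failure never stops traffic.
            # A failed inline NIPS passes everything (fail open) or nothing (fail shut).
            return True if self.mode == "nids" else self.fail_open
        if self.mode == "nips" and src in self.blocked:
            return False
        ports = self.ports_seen.setdefault(src, set())
        ports.add(dport)
        if len(ports) >= self.threshold and src not in self.alerts:
            self.alerts.append(src)      # both device types log and alert
            if self.mode == "nips":
                self.blocked.add(src)    # only the inline device can block the IP
                return False
        return True

def replay(sensor, packets):
    """Feed packets through the sensor and return how many were delivered."""
    return sum(sensor.handle(src, dport) for src, dport in packets)

# Constructed traffic: one source probing 8 ports, one normal client on port 443.
SCAN = [("203.0.113.9", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
NORMAL = [("198.51.100.7", 443)] * 4
TRAFFIC = SCAN + NORMAL

if __name__ == "__main__":
    for label, s in [("NIDS", Sensor("nids")), ("NIPS", Sensor("nips")),
                     ("NIPS failed, fail open", Sensor("nips", healthy=False)),
                     ("NIPS failed, fail shut", Sensor("nips", fail_open=False, healthy=False)),
                     ("NIPS mistuned", Sensor("nips", threshold=1))]:
        print(f"{label}: delivered {replay(s, TRAFFIC)}/{len(TRAFFIC)}, alerts={s.alerts}")
```

The mistuned case sets the threshold so low that every source, including the normal client, is treated as a scanner and blocked, which is the inadvertent denial of service the tuning warning refers to.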
