  1. NIDS and NIPS
    1. Network Intrusion Detection System (NIDS):
      1. A type of IDS that attempts to detect malicious network activities—for example, port scans and DoS attacks—by constantly monitoring network traffic.
    2. Network Intrusion Prevention System (NIPS):
      1. A type of network hardware security device designed to inspect traffic and, based on its configuration or security policy, remove, detain, or redirect malicious traffic.
    3. Comparison
      1. NIDS:
        1. Detects malicious network activities
        2. Pro:
          1. Only a limited number of NIDS are necessary on a network.
        3. Con:
          1. Only detects malicious activities.
          2. Other controls must be put in place to prevent malicious activities.
      2. NIPS:
        1. Detects, removes, detains, and redirects traffic
        2. Pros:
          1. Detects and mitigates malicious activity.
          2. Can act as a protocol analyzer.
        3. Cons:
          1. Possibility of false positives and false negatives.
          2. Uses more resources.
  2. Inline vs Passive
    1. Promiscuous (Inline) Mode:
      1. In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety.
      2. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis.
    2. Non-Promiscuous (Passive) Mode:
      1. Non-promiscuous mode is the opposite of promiscuous mode.
      2. When a data packet is transmitted in non-promiscuous mode, all the LAN devices "listen to" the data to determine whether the network address included in the data packet is theirs.
      3. If it isn't, the data packet is passed on to the next LAN device until the device with the correct network address is reached.
      4. That device then receives and reads the data.
  3. In-Band vs Out-of-Band
    1. In-Band:
      1. Network management is performed from within the local network, using SSH, SNMP, or OpenFlow.
      2. In-band is the most common (and the default) way to manage a network.
    2. Out-of-Band:
      1. Network management is performed from outside the local network.
      2. In large organizations, network-dependent organizations, and/or organizations that highly value redundancy and resiliency, out-of-band network management may be deployed in parallel to in-band management as a failsafe or secondary system.
      3. In systems that do not have access to a direct (local) network connection, such as SCADA, PLC, and other embedded systems used in critical infrastructure and manufacturing, out-of-band network management is also an option.
  4. Operation
    1. Rules
      1. Manual Monitoring:
        1. Manually viewing log files, policies, and permissions
      2. Automatic Monitoring:
        1. Using a program to sift through logs and files for specific information, and using anti-virus, IDS and IPS programs to automatically scan for errors, attacks, and anomalies.
        2. Three Types:
          1. Signature-Based Monitoring:
            1. Network traffic is analyzed for predetermined attack patterns, known as signatures.
          2. Anomaly-Based Monitoring:
            1. Establishes a performance baseline based on a set of normal network traffic evaluations. Requires a baseline.
          3. Behavior-Based Monitoring:
            1. Looks at the previous behavior of applications, executables, and/or the operating system and compares that to current activity on the system.
            2. If an application later behaves improperly, the monitoring system will attempt to stop the behavior. Requires a baseline.
            3. Heuristic:
              1. A process that:
                1. Meets a minimum threshold of competence
                2. Uses a defined set of rules
                3. Reaches an immediate set of goals
              2. Heuristic Algorithm:
                1. An algorithm that quickly finds a practical solution or set of solutions for a given problem, though perhaps not the best solution.
                2. In situations where finding the best solution is impossible or impractical, heuristic algorithms are used to find an acceptable (practical) solution.
        3. Comparison:
          1. Because the number of potential threats to a network is so large, signature-based and anomaly-based systems are much more computationally expensive, and require more updates, than behavior-based monitoring systems.
          2. However, if the heuristic is not carefully configured, this monitoring system may lead to considerably more false positives than the other two types.
    2. Analytics
      1. False Positive
        1. The IDS identifies legitimate activity as something malicious.
        2. Wastes resources tracking down a non-existent threat.
      2. False Negative
        1. The IDS identifies an attack as legitimate activity.
        2. Allows a threat to enter the trusted network.
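The following is an added example (not part of these notes) that ties the monitoring types under "Rules" to the false positive / false negative terms under "Analytics": a signature rule for the port-scan pattern mentioned at the top of the notes and a volume-based anomaly rule that needs a baseline are run over constructed flow records, and each rule's alerts are scored against a labelled ground truth. All IP addresses, ports and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed flow records (src_ip, dst_port) for this example; not real traffic.
PORTS = [80, 443, 53, 80, 443, 8080, 53]
NORMAL = [(f"10.0.0.{h}", p) for h in range(1, 6) for p in PORTS[:2 + h]]
BASELINE = NORMAL                    # traffic the anomaly rule learns "normal" from
TRAFFIC = (
    NORMAL
    + [("10.0.0.66", p) for p in range(1, 21)]                # fast scan: 20 ports
    + [("10.0.0.99", p) for p in (21, 22, 23, 25, 80, 443)]   # slow scan: 6 ports
    + [("10.0.0.7", 443)] * 40                                # legitimate backup burst
)
MALICIOUS = {"10.0.0.66", "10.0.0.99"}   # ground truth, used only for scoring

def signature_port_scan(flows, min_ports=10):
    """Signature rule: flag a source that contacts >= min_ports distinct ports."""
    ports = defaultdict(set)
    for src, dport in flows:
        ports[src].add(dport)
    return {src for src, seen in ports.items() if len(seen) >= min_ports}

def anomaly_volume(flows, baseline, k=3.0):
    """Anomaly rule: flag a source whose flow count exceeds mean + k*stdev of the baseline."""
    base = list(Counter(src for src, _ in baseline).values())
    limit = mean(base) + k * stdev(base)   # baseline must contain >= 2 sources
    return {src for src, n in Counter(src for src, _ in flows).items() if n > limit}

def score(alerts, malicious):
    """Return (true positives, false positives, false negatives) for alerted sources."""
    return len(alerts & malicious), len(alerts - malicious), len(malicious - alerts)

if __name__ == "__main__":
    for name, alerts in (("signature", signature_port_scan(TRAFFIC)),
                         ("anomaly", anomaly_volume(TRAFFIC, BASELINE))):
        tp, fp, fn = score(alerts, MALICIOUS)
        print(f"{name}: alerts={sorted(alerts)} TP={tp} FP={fp} FN={fn}")
```

The slow scanner is a false negative for both rules, and the backup host's burst is a false positive for the anomaly rule only; lowering the signature threshold or raising k trades one error type for the other.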