Which of the following devices typically sits inline? (Select the best answer.)
- a HIDS
- a HIPS
- a NIDS
- a NIPS
A Network-based Intrusion Prevention System (NIPS) typically sits inline, which means that all traffic from the external network must flow through, and be analyzed by, the NIPS before it can enter the internal network. A NIPS can therefore detect and drop malicious traffic before it reaches the internal network. A NIPS can work in conjunction with a network firewall; however, Cisco recommends deploying the NIPS on the inside interface of the firewall so that the NIPS does not waste resources analyzing traffic that the firewall will block anyway. The NIPS then analyzes only the traffic that the firewall permits onto the network, rather than every inbound packet. Because it sits inline, a NIPS is also a potential point of failure and a source of latency: if it fails open, traffic passes uninspected; if it fails closed, the link goes down.
A Host-based Intrusion Prevention System (HIPS) is software that is installed on a host device and analyzes traffic that enters the host. Any traffic that is suspected to be malicious is blocked before it can affect the host. Many modern host-based firewall applications include components that provide HIPS functionality.
A Network-based Intrusion Detection System (NIDS) typically does not sit inline in the flow of traffic. Instead, a NIDS merely sniffs the network traffic by using a promiscuous network interface, usually fed by a SPAN/mirror port or a network tap. Because network traffic does not flow through a NIDS, the NIDS can detect malicious traffic but cannot prevent it from infiltrating the network. When a NIDS detects malicious traffic, it can alert other network devices in the traffic path so that further traffic can be blocked. In addition, a NIDS can be configured to send a Transmission Control Protocol (TCP) reset (RST) segment or an Internet Control Message Protocol (ICMP) unreachable message to the source and destination addresses. Note that such a reset is a race against the live session: the malicious packets have already reached their destination by the time the NIDS reacts, and a heavily loaded mirror port can also drop packets before the NIDS ever sees them.
A Host-based Intrusion Detection System (HIDS) is software that is installed on a host device and analyzes changes made to the device. The primary difference between a HIDS and a HIPS is that a HIPS can detect and block malicious traffic before the traffic can affect the host; a HIDS can detect a threat only after it has already affected the host. Two examples of HIDS applications are Tripwire and OSSEC. Tripwire monitors the integrity of critical files and sends alerts if changes are made to them. OSSEC is an open-source application that monitors logs, the Windows Registry, and critical files. In addition, OSSEC can detect rootkits, which are malware that actively hides its presence from the host operating system and its users.
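To make the file-integrity-monitoring idea behind Tripwire and OSSEC concrete, here is an added example of a minimal HIDS-style integrity checker. It is illustrative code written for this page, not code from Tripwire or OSSEC: it records a baseline (SHA-256 digest, size and permission bits) for every file under a directory, then rescans and reports files that were added, removed or modified. The directory tree, file contents and "tampering" steps in `demo()` are constructed inline so the example runs offline; the file names merely mimic a Unix `/etc` directory and are not real system files.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.

    Symlinks are skipped so an attacker cannot make a link 'stand in' for a file.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline as JSON.

    In a real deployment the baseline must live somewhere the monitored host
    cannot silently rewrite (read-only media, a signed file, or a remote server);
    otherwise an attacker who has already compromised the host simply
    re-baselines after tampering.
    """
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    """Load a baseline written by save_baseline()."""
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        monitored = root / "etc"
        monitored.mkdir()
        # Constructed sample files (not real system files).
        (monitored / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (monitored / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (monitored / "hosts").write_text("127.0.0.1 localhost\n")

        # Baseline stored outside the monitored tree.
        db = root / "baseline.json"
        save_baseline(build_baseline(monitored), db)

        # Simulated tampering: modify one file, delete one, plant a new one.
        with (monitored / "passwd").open("a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")  # second UID-0 account
        (monitored / "hosts").unlink()
        (monitored / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(load_baseline(db), build_baseline(monitored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `ld.so.preload` as added, `hosts` as removed and `passwd` as modified. As the page says of a HIDS, this only tells you after the fact: the change has already happened on the host by the time the rescan runs, which is why such tools pair integrity checks with log monitoring and, in a HIPS, with blocking.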