Security+: Technologies And Tools – NIPS / NIDS


Network Intrusion Prevention Systems (NIPS) and Network Intrusion Detection Systems (NIDS) are tested in the Technologies and Tools domain of the Security+ certification exam. This article details what the exam covers regarding these important network security devices. It should not substitute for studying; rather, it serves as a brief review and a guide to areas you may need to look over again.


Below is an outline of the NIPS/NIDS material covered on the exam. Each section will be covered through the lenses of both NIPS and NIDS:

  1. Signature-based
  2. Heuristic/behavioral based
  3. Anomaly-based
  4. Inline vs. passive
  5. In-band vs. out-of-band
  6. Rules
  7. Analytics


Signatures are predetermined, preconfigured attack patterns (rules) that identify known attacks in network traffic, including attacks on web applications and their components. Both NIDS and NIPS can use signature-based detection, but what happens after a match is different for each.

A NIDS monitors all traffic that passes its sensor and compares each packet against the signatures it has loaded; when a packet matches a signature, it raises an alert. A NIPS monitors and detects in the same way, but then takes follow-up action to block or mitigate the threat, for example by dropping the offending packet or resetting the connection. It should be noted that a signature-based system cannot detect a zero-day attack, because no signature exists for it yet: traffic that matches no signature passes through unflagged.


Heuristic- or behavior-based NIDS and NIPS compare incoming traffic and packets against a pre-established baseline of the behavior the organization normally experiences. A NIDS, being the passive system, only detects and reports behavior that deviates from that baseline. A NIPS, which focuses on prevention, goes one step further and takes action to stop or mitigate the potential threat.


Anomaly-based NIDS and NIPS are where a touch of artificial intelligence comes (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: