NETSEC IPS IDS | Johnbert Estroga | YouTubeToText
YouTube Transcript: NETSEC IPS IDS
Video Transcript
Hello, good day. Welcome to another session for our subject IT 3834 Network Security.
And our topic for this session is all about IDS and IPS.
Okay, these are the lesson targets that we will try to achieve for this session. We will try to understand the importance of IDS and IPS technologies.
We'll also discuss some IPS signature characteristics, and then you'll demonstrate how to manage and monitor IPS.
So what's an IPS or IDS? I mean, an IDS is an intrusion detection system.
This is a system or a solution that monitors network traffic and events for suspicious behavior.
Its aim is to detect intrusions and security breaches so that organizations can swiftly respond to potential threats.
So if ever there will be malicious entities that will try to access your network, this IDS hopefully can detect the technologies, the protocols, the ways that these malicious entities
So there are three types of IDS, namely network-based, host-based and hybrid IDS.
The first one is the network-based IDS. These IDS are deployed at strategic points within a computer network, examining incoming and outgoing traffic.
Okay, this is an example of an NIDS. It is at strategic points. Okay. So this
The first network-based IDS, NIDS, could cater to this host.
Number two, NIDS could cater to this host.
And the third NIDS could cater to this
This network-based IDS focuses on monitoring network protocols, traffic patterns and packet headers.
They try to distinguish if this network is doing something good. I mean, is it normal? Is this traffic normal?
So these NIDS that are deployed in the network will decide if the traffic is normal or abnormal.
Another type of IDS is host-based. These are installed on individual machines or servers within your network, within the infrastructure.
Okay, it could be there is an HIDS here, or here, here, here.
So from the word host-based, the IDS could be installed on the server itself, the workstation itself.
This type of IDS focuses on monitoring to detect events such as unauthorized access attempts.
Let's say someone tried to access your web server abnormally, or through your
Let's say a hacker tries to access your server,
and if there is an HIDS installed on your web server and it detects that it is an abnormal change to the system, then the IDS will record
Another type of IDS is the hybrid IDS.
Okay, this is a combination of the NIDS in the network and HIDS on some critical hosts.
So the purpose of this hybrid IDS is it will monitor both network traffic and host activities. So look, this is just basically the same as the network IDS, but the purpose now is
It will also monitor
from the network-based IDS that we discussed a while ago. The NIDS only
while this hybrid monitors both the traffic and
So in short, HIDS
and the hybrid IDS combines both host and network for a wider and more accurate detection.
What are the benefits of IDS?
You can detect threats early.
You can proactively defend against cyber attacks by detecting potential threats at an early stage of the intrusion.
So an IDS can already detect, hopefully, that someone is trying to maliciously enter or maliciously do something bad to your network, to your infrastructure.
You will also have the benefit of greater visibility.
This will enhance the organization's
It can help the security teams respond to attacks more quickly and effectively.
The IT team will have the capability to determine, ah, someone is trying to access our network and doing some things that seem not normal.
If there will be benefits, there will also be limitations.
And one of the limitations of IDS is it can give out false positives and false negatives.
Anything in the world, anyone, anything is not perfect.
An IDS can generate false positives, wherein it is a true connection, I mean normal traffic, but it detected it as abnormal traffic.
It can also detect a false negative
Another limitation of an IDS is its inability to prevent attacks.
So even if you have an IDS in your premises, in your organization, IDS solutions can detect attacks once they occur, but they are unable to prevent them from occurring in the first place.
So for IPS, this is a security system that monitors, detects and blocks malicious traffic in real time before it can cause harm to your network, can cause harm to your organization.
So think of it as a firewall with intelligence. It doesn't just detect threats like an IDS, the one that we discussed a while ago.
It also actively stops them. So the IDS
into your organization, and that's it. That is its only job.
An IPS or intrusion prevention system monitors, it detects
So the same with an IDS, it also has the same prevention types: network-based, host-based, and then hybrid. Well, basically the same configuration, same installation.
But the only difference between them is that IPS can prevent these attacks by blocking that attack.
So the benefit of an IDS is it can provide you real-time threat prevention.
So if, let's say, at 12 midnight an attack occurred, go inside your organization, go inside your network, and you have an IDS present in your organization, then because of the IDS automated protection, it provides 24 by 7, 24 hours, 7 days a week protection to your organization.
It can block or mitigate. Here's the keyword: identified threats in real time.
Okay, identified threats in real time. Why do I emphasize identified threats?
Because an IDS
installed and configured on the IDS.
If that specific signature is related to that attack, then it can detect it. If it is not available in its stored signatures in the IDS, then an IDS cannot detect it.
It will also enhance your network defense. An IDS is not only able to detect the threats, but it can take action.
It will defend against them by blocking the malicious and suspicious traffic.
So there are benefits, there are also limitations for an IDS.
An IDS must examine all incoming and outgoing traffic, which can introduce latency and slow down network performance. Instead of your network flow going like this
without an IDS.
in the center, then your network flow becomes like this, because the IDS will still check the incoming and outgoing traffic to your network.
So on this part of the network it may slow down. It can introduce latency or slowness in the connection between devices in your network.
Though this limitation can be automatically done by the system network administrators.
These IPS solutions need to be regularly updated with the latest information about the signatures, and this can require significant time investment and expertise. So if ever you will become network administrators in the near future, security system administrators, then
this can't be a
So what are the differences between IDS and IPS? Functionality. First difference: an IDS is restricted to detecting threats only, while IPS tools can both detect and prevent them. Okay. So once again, an IDS can only detect
An IDS can send alerts when a threat is detected while it is trying to get
While an IPS can automatically block threats based on the predefined security policies or rules.
So there's what you call zero-day threats. This means that this threat has not yet been distinguished, has not yet been identified by security appliances, security experts, that this is a threat; then there's a possibility that this zero-day threat will get inside your network.
If your IPS is not updated, then there's a possibility that this zero-day threat will be a successful malicious connection to your network.
your workflow.
IDS passively monitors data flow. Passively, like you did not know that it is there.
Well, an IPS actively inspects network packets and takes action to prevent or mitigate the threats.
An IPS will do something in the network flow.
IDS, same network.
So some common misconceptions about IDS and IPS: that if you have this IDS and IPS in your network, you are totally protected from any threat. And that is not true.
This IDS and IPS cannot offer 100% protection against any cyber attack.
So they can only detect suspicious activity based on the predefined rules and signatures, which limits them to known attack patterns.
So as I've told you, if there is a
attack, then probably this attack can get inside your network.
No other defenses required. Ah, I have an IDS, I have an IPS in my network, and that is enough. I am totally protected. No.
It is effective. They are effective. But these tools, the IDS and IPS, are only one piece of the cyber security puzzle.
You also need some other tools to protect you, or that can work with the IDS and IPS to offer more protection to your network.
These tools could be such as
So if you have an IDS, IPS in your network, firewall and anti-malware software for applications, for devices doing different jobs, each has its own task, then probably there's a higher chance that you will survive the attacks. Probably, I'm not
They say that only large enterprises, large businesses can implement IDS and IPS, or it is only useful to large enterprises. No. Even if you're just a sari-sari store or a convenience store, you need this technology for your protection.
Okay, it does not matter if you are a small-medium enterprise, if you are a small-medium business, you need these tools for prevention, for detection and prevention.
So in short, an IDS monitors traffic, detects suspicious activity and alerts. Think of an IDS as a security camera or CCTV. Okay.
It's like if you are watching a recording from a CCTV or a live-view CCTV, if there is something wrong there, if there is someone who is acting suspiciously
Okay.
This is passive. This is passive security. CCTVs are passive security, especially when there's no one monitoring it. It could be someone is monitoring it but does not have the capacity to prevent that malicious entity from doing something in your organization.
An IPS, meanwhile, monitors traffic, detects suspicious activity and blocks or prevents it in real time.
with a
the one who monitors the CCTV. Let's say that the guard,
let's say some person is trying or doing something suspicious, then the security guard who monitors the CCTV can confront this person:
why are you acting suspiciously?
Okay. So, the guard is preventing whatever suspicious plan it will be doing.
So, an IDS detects only; an IPS detects
So what is the importance of an IDS when an IPS can do better?
I've also asked this question a couple of times, and here are some answers.
Visibility without interference. An IDS works in passive mode. It won't block legitimate traffic by mistake.
There's a tendency that an IPS can block normal traffic, and that might affect your network flow, might affect your business operations if the IPS is inline.
Yeah, a false positive can block business-critical traffic. An IDS gives safer visibility.
An IDS, let's say there's
then it will detect it and do nothing with it. It just reports to its IDS server that this abnormal traffic is abnormal.
Forensics and monitoring is another importance of an IDS.
So it provides detailed logs and alerts useful for investigation, auditing and compliance.
An IPS focuses on real-time blocking, not deep historical analysis.
So an IPS does not do this. What is that? What it does is it just blocks, prevents, and maybe just a small log on what it did.
An IDS is the other way around. It
and this detailed log is useful for the investigation, auditing and for compliance, especially in government rules.
Testing and tuning. You can deploy an IDS first to understand normal versus abnormal traffic and fine-tune the signatures before enabling IPS blocking.
So probably this is a trial and
This will help you prevent misconfiguration that could disrupt your network, especially if it is a business-critical application.
Another importance of an IDS is its layered security. An IDS acts as a second opinion. It may detect attacks the IPS missed or confirm what the IPS
If you're asking for a second opinion, then an IDS can do it. Backup.
Some organizations nowadays run IDS alongside for redundancy or for backup. Say the IPS did not detect this abnormal traffic
created the logs, dated logs, and it could be used for further creation of a new rule in which that abnormal traffic can be used as a new signature.
So let's now configure a Cisco IOS IPS using the CLI. This is our test network, I mean network topology, network diagram. These are the objectives. We enable the IOS IPS. We configure the logging, wherein whatever is done on this R1 router will be logged to this syslog server. We also modify an IPS signature later and verify the IPS if it is working.
So to check connectivity, we do first a connectivity test from PC A to C and C to A. Okay.
So here is our network.
Let's check 3.2.
If we go to PC A, let's check if these two PCs are connected. So from PC A to PC C, yes it
Let's now configure the IOS IPS. Let's
We'll do show version to view the technology package license information. Here on the security, it is disabled. Okay, disabled.
We will enable this using the command license boot module c1900 technology-package securityk9. Okay, this command will activate the securityk9 package, and this package includes IPS, VPN and firewall features.
Copy the running config to the startup config so that after rebooting our R1, the running configuration and the security package will be activated.
Okay. So if you can see, it is now enabled.
So to verify again if we still have
Okay, we still have connection. Okay.
We'll make a directory ipsdir.
the location of all the configuration files and signatures
location ipsdir.
So this will tell the router to store and read the IPS configuration from the directory ipsdir.
So we'll now create an IPS rule set called
The name of the rule set is iosips, and this is the rule set that we will
We configure the IPS to send alerts or logs to the router's logging system.
And then before we set the logging server, we set first our clock, I mean the clock of the router.
So time 14 16 39 0 to September.
We need to set our clock to the exact time, so that for historical analysis the clock is synchronized to the syslog server, and it will also be
and then we configure our logging host. Okay.
signature category. So what I am doing now is I will be disabling all the old signatures that are currently installed.
The next set of commands will deactivate the basic IOS IPS signature category, basic. So these are just some basic signatures, and only essential and common attack signatures are enabled. Now there's no
And then we will apply that policy into
So iosips now.
So we apply the IPS iosips to the outbound direction of GigabitEthernet 0/1.
So this means the traffic leaving Gi0/1 will be inspected. Okay, once again
Next, this set of commands will enable a
And this is the ID of the custom signature, 2004, revision zero.
And then we will make it as
and then we exit.
And then we define what the router will do. Does it produce an alert, or does it block the malicious connection?
Okay. So this next set of commands, event action, will do that specific configuration. This one will produce an alert. It will send an alert and then send a log event the moment it detects
Okay.
So the moment there is a malicious attack, it produces an alert, sends it to the log server and then denies that malicious attack or drops that malicious attack.
Exit and then exit again. Then exit again and then save.
This is our
We have one total active signature.
and we implemented it to the outgoing connections of the GigabitEthernet 0/1 interface.
This is our internal network. Okay, this is your organization. This is outside of your network. Okay, it comes from the outside. It's probably an internet PC.
So, let's ping this IP. We can still ping this IP address.
If we go to PC C,
R1. It detected that someone is pinging an IP inside the network.
Let's go to the syslog server to double check if the logs are
It's the message.
Okay, from
configuration for the Cisco IPS is now complete.
These are the commands that I used just a while ago. Feel free to test them and then review the purpose of these commands so that you will be familiarized with the commands that I've entered.
Okay. So, that's the end of our session. If you have further questions, you can feel free to message me in our communication channels or feel free to approach me during our face-to-face class. That's all.