A company has proprietary mission critical devices connected to their network which are configured
remotely by both employees and approved customers. The administrator wants to monitor device
security without changing their baseline configuration. Which of the following should be implemented to
secure the devices without risking availability?

A.
Host-based firewall

B.
IDS

C.
IPS

D.
Honeypot

Explanation:
An intrusion detection system (IDS) is a device or software application that monitors network or system
activities for malicious activities or policy violations and produces reports to a management station. IDS
come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways.
There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may
attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents,
logging information about them, and reporting attempts. In addition, organizations use IDPSes for other
purposes, such as identifying problems with security policies, documenting existing threats and deterring
individuals from violating security policies. IDPSes have become a necessary addition to the security
infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of
important observed events and produce reports. Many IDPSes can also respond to a detected threat by
attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS
stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing
the attack’s content.
Incorrect Answers:
A: The question states: The administrator wants to monitor device security without changing their
baseline configuration. Installing and configure host-based firewalls would change the baseline
configuration. A host-based or personal software firewall can often limit communications to only
approved applications and protocols and can usually prevent externally initiated connections. It will not
monitor device security.
C: The question states: The administrator wants to monitor device security without changing their
baseline configuration. The word ‘monitor’ is an important distinction. It doesn’t say block or prevent. The
main functions of intrusion prevention systems are to identify malicious activity, log information about
this activity, attempt to block/stop it, and report it. The main differences are, unlike intrusion detection
systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions
that are detected.
D: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the
attack to research current attack methodologies. A honeypot is not used to monitor device security.
http://en.wikipedia.org/wiki/Intrusion_detection_system
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 213, 246
http://en.wikipedia.org/wiki/Intrusion_prevention_system