A company has proprietary mission critical devices connected to their network which are configured remotely by
both employees and approved customers. The administrator wants to monitor device security without changing
their baseline configuration. Which of the following should be implemented to secure the devices without risking
An intrusion detection system (IDS) is a device or software application that monitors network or system
activities for malicious activities or policy violations and produces reports to a management station. IDS come in
a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network
based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an
intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and
prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about
them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying
problems with security policies, documenting existing threats and deterring individuals from violating security
policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important
observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to
prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack
itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack’s content.
A: The question states: The administrator wants to monitor device security without changing their baseline
configuration. Installing and configure host-based firewalls would change the baseline configuration. A hostbased or personal software firewall can often limit communications to only approved applications and protocols
and can usually prevent externally initiated connections. It will not monitor device security.
C: The question states: The administrator wants to monitor device security without changing their baseline
configuration. The word ‘monitor’ is an important distinction. It doesn’t say block or prevent. The main functions
of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to
block/stop it, and report it. The main differences are, unlike intrusion detection systems, intrusion prevention
systems are placed in-line and are able to actively prevent/block intrusions that are detected.
D: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack
to research current attack methodologies. A honeypot is not used to monitor device security.
http://en.wikipedia.org/wiki/Intrusion_detection_systemStewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 213, 246