IDS/IPS, Network scanning and Network attacks

This course is the final module of Domain 4 of the CISSP, covering communication and network security.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • How to prevent or mitigate network attacks
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network scanning
  • Network attack techniques

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Here we have a graphic showing the architecture of two network subnets with IDS and IPS installed. Starting from the far right, traffic from the perimeter router passes through a firewall; between the two firewalls that make up the DMZ sits a network intrusion prevention system (NIPS). Notice that all the traffic is being passed through it. The intrusion prevention system, having programmed behavior patterns and a stored database of signatures to look for, will therefore block everything that it recognizes. The traffic then hits the internal router, where it is divided off to segment A and to segment B. Now, note at the bottom of the picture is a financial server. This financial server is on segment B, and all traffic coming in to it passes through the network intrusion prevention system before reaching the financial server.

Now, assuming that there is any change in the traffic having passed through the NIPS in the DMZ to the inside network, the internal NIPS protecting segment B again filters all traffic going to segment B. Going to segment A, the traffic is distributed through a hub, and the network intrusion detection system (NIDS) sits on a SPAN port watching all the traffic, looking for much the same things (patterns, unwanted or unknown behaviors) and responding by sending alerts that say, "Hey, I saw this, what do I do?" or "Do you need to do something?" So the intrusion detection system is working on a segment that is of lower priority and lower criticality, while the financial server, being on segment B, makes segment B of a much higher protected value. So using two layers of NIPS for segment B, and one layer of NIPS and one of NIDS for segment A, reflects a combined or hybrid strategy that balances the performance, the sensitivity and the protective needs for the differences between segment A and segment B.

Now, intrusion detection and prevention systems obviously must have a scanner function built into them, and network scanners and scan types will be looking for a variety of things. A simple network scanner typically employs some form of template, and this template is then used in a number of ways. One form is discovery of devices. In this discovery mode, it basically uses an open search pattern to find any responsive device within the scope of its discovery area. It's not looking for a particular pattern, say a regulation and the various switches that may be in that particular pattern; here it is simply going to tell the analyst, "Here's what I found," across the range of addresses that it's set to scan.

Then we have the test of compliance using a specific policy. This scanning profile is most often associated with a kind of regulation such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, FISMA, and GDPR. It's looking for the specific points that make up each one of these unique templates and returning results based on its findings. And then, of course, we have testing for vulnerabilities. Based on the common vulnerability enumeration, other commercial sources, and government sources such as DHS, these are also templates that look for specific vulnerabilities that may be published either by the government or by the vendor of specific products. Using a combination of these in various ways, an analyst can get a very clear look at, first, the range of things that's out there; whether or not what is running complies with a specific standard; and whether or not any of the devices in that particular area possess any vulnerabilities. And it can be done before and after patching: the scan before validates what we need to do and what we need to fix, and the scan after shows what has actually been fixed, so that we know that what we thought to do, we've actually accomplished.

Another class of attacks is the IP fragmentation attacks, which make use of crafted packets. One form of infinite loop is the teardrop. Now, this attack is caused by infinite reassembly attempts on packet fragments sent to a target with overlapping offsets. The receiving computer obviously cannot reassemble these, but it never seems to know when to stop, and so it continues until it exhausts itself.

We have source routing exploitation, which produces a spoofed communication session. We have the flooding style of attack; Smurf and Fraggle are common examples. These can result in Distributed Denial-of-Service (DDoS) attacks that flood a spoofed IP target using ICMP echo request and reply.

The infinite loop of the LAND attack is a crafted packet sent to a target with identical source and destination addresses. The infinite loop is caused by the receiving system trying to deliver a packet that is already at its destination, never knowing how to stop trying to deliver the newly arrived packet, which needs to go right back where it started. In general, the Denial-of-Service attack seeks to overload the network with excessive useless traffic. Denial-of-Service, in this definition, means single source, single target. The traffic that causes this has typically been crafted in some way to confuse the network into shutting down, or slowing to the point of being useless.
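As an added example (not code from the course), here is a small signature check in the spirit of the NIDS/NIPS discussed earlier, for the two crafted-packet attacks just described: the teardrop (fragments of one datagram with overlapping offsets) and LAND (identical source and destination address). The packets are constructed dicts with assumed field names, not captured traffic.

```python
# Added example, not the course's own code: a signature check in the spirit
# of the NIDS/NIPS discussed earlier, for two crafted-packet attacks above.
# LAND: identical source and destination address (and port, as in the classic
# packet). Teardrop: fragments of one datagram with overlapping offsets.
# Packets are constructed dicts with assumed field names, not captured traffic.
from collections import defaultdict

def is_land(pkt):
    """LAND signature: the packet is addressed from the target to itself."""
    return (pkt["src"], pkt["sport"]) == (pkt["dst"], pkt["dport"])

def overlapping_fragment_groups(packets):
    """Teardrop signature: group fragments by (src, dst, ip_id) and report each
    datagram in which a fragment starts before the previous one ends (bytes)."""
    groups = defaultdict(list)
    for p in packets:
        if p.get("frag_offset") is not None:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    suspicious = []
    for key, frags in groups.items():
        end = 0
        for f in sorted(frags, key=lambda f: f["frag_offset"]):
            if f["frag_offset"] < end:
                suspicious.append(key)
                break
            end = f["frag_offset"] + f["length"]
    return suspicious

def scan(packets):
    """Run both signatures; an IDS would alert on these, an inline IPS drop."""
    alerts = [("LAND", p["src"], p["sport"]) for p in packets if is_land(p)]
    alerts += [("TEARDROP",) + key for key in overlapping_fragment_groups(packets)]
    return alerts

# Constructed sample traffic: a normal packet, a LAND packet aimed at the
# server, and a two-fragment datagram whose second fragment (offset 16)
# begins inside the first (bytes 0-23).
SAMPLE = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.1.20", "dport": 443},
    {"src": "10.0.1.20", "sport": 139, "dst": "10.0.1.20", "dport": 139},
    {"src": "10.0.0.9", "sport": 0, "dst": "10.0.1.20", "dport": 0,
     "ip_id": 7, "frag_offset": 0, "length": 24},
    {"src": "10.0.0.9", "sport": 0, "dst": "10.0.1.20", "dport": 0,
     "ip_id": 7, "frag_offset": 16, "length": 24},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```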

Now, the countermeasures that can be used to diminish or stop the effects of a DDoS attempt can include multiple layers of firewalls, each of those and other methods set to do very careful filtering on the inbound traffic; redundant network connections; load balancing; reserved bandwidth; and, if the attacker is known, blocking traffic from that attacker on an upstream router.

To expand the idea of a Denial-of-Service attack, we look at the Distributed Denial-of-Service attack. Now, Distributed Denial-of-Service attacks vary from traditional DoS in that there are multiple points of launch for the attacking packets and potentially multiple points of impact at the target. This uses a network of remote-controlled hosts, known as a botnet or zombified computers, and the target is subjected to traffic from this wide range of sources; with so much inbound traffic, possibly of various types, it is very hard to block.

Now, the countermeasures would be similar to those for Denial-of-Service attacks, but simple IP or port filtering is very unlikely to work because of the sophistication of a Distributed Denial-of-Service attack. We have, of course, IP address spoofing and the SYN-ACK attacks. These packets are sent with a bogus source address so that the victim sends its response to a different host. Spoofed addresses can then be used to abuse the three-way handshake required to open or close the TCP session. Thus, this can be done with SYN-ACK or FIN-ACK.

SYN flooding and the ACK storm are both Denial-of-Service attacks that use the initial handshake in a TCP connection but without the closing or completing return that sets up or discards the session attempt. The flooding consumes all queue positions and prevents session setup, or a queue flush to clear and allow for some free space. Many new connections from faked, random IP addresses are opened in short order, overloading the target's connection table. Now, the countermeasures would include tuning an operating system parameter set, such as the size of the backlog table, according to vendor specifications. A FIN flood seeks to achieve the same result by starting but not completing the session shutdown sequence: a FIN without any corresponding ACK. And an ACK storm, another style of flooding attack, is similar but starts with an ACK, confusing the receiving system since there are no preceding SYN- or FIN-flagged packets.
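As an added example (not code from the course), here is how a sensor on a SPAN port could replay TCP flag events to make the two conditions just described visible: half-open sessions piling up on a listener past its backlog size during a SYN flood, and ACKs arriving with no preceding SYN, as in an ACK storm. The events are constructed tuples and the backlog figure is an assumption, not a vendor value.

```python
# Added example, not the course's own code: replaying a stream of TCP flag
# events the way a NIDS on a span port would. A SYN flood piles up half-open
# sessions on a listener until the backlog is full; an ACK storm sends ACKs
# with no preceding SYN. Events are constructed (src, sport, dst, dport, flags)
# tuples, and the backlog size is an assumed figure, not a vendor value.
from collections import defaultdict

def track_sessions(events):
    """Return (pending, orphans). pending maps each listener (dst, dport) to
    clients that sent a SYN but never completed the handshake; orphans lists
    ACKs that match neither a pending nor an established session."""
    pending, established, orphans = defaultdict(set), set(), []
    for src, sport, dst, dport, flags in events:
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "SYN":
            pending[(dst, dport)].add((src, sport))
        elif flags == "ACK":
            if (src, sport) in pending[(dst, dport)]:
                pending[(dst, dport)].discard((src, sport))   # handshake done
                established.add(flow)
            elif flow not in established and reverse not in established:
                orphans.append(flow)
        elif flags == "RST":
            pending[(dst, dport)].discard((src, sport))
            established.discard(flow)
            established.discard(reverse)
    return pending, orphans

def syn_flood_alerts(events, backlog=5):
    """Listeners whose half-open count exceeds the backlog table size."""
    pending, _ = track_sessions(events)
    return [(listener, len(clients)) for listener, clients in pending.items()
            if len(clients) > backlog]

# Constructed traffic: one legitimate handshake to the web server, eight SYNs
# from random sources that never answer the SYN-ACK, and one stray ACK.
EVENTS = [
    ("10.0.0.5", 40001, "10.0.1.20", 80, "SYN"),
    ("10.0.1.20", 80, "10.0.0.5", 40001, "SYN-ACK"),
    ("10.0.0.5", 40001, "10.0.1.20", 80, "ACK"),
] + [("198.51.100.%d" % i, 1024 + i, "10.0.1.20", 80, "SYN") for i in range(8)] + [
    ("192.0.2.7", 5555, "10.0.1.20", 80, "ACK"),
]

if __name__ == "__main__":
    pending, orphans = track_sessions(EVENTS)
    print("half-open per listener:", {k: len(v) for k, v in pending.items()})
    print("orphan ACKs:", orphans)
    print("SYN flood alerts:", syn_flood_alerts(EVENTS))
```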

A favorite attack is email spoofing. As SMTP does not natively possess an adequate authentication mechanism, email spoofing is extremely simple. In this particular case, though, the most effective protection is a social one. What this means is: if you know the person who supposedly sent you this email, in general, call the person on the phone or reply to the person who claims to have sent it, and if it's someone you know well, you will probably find that they're not the person who sent it, especially if it reads totally out of character with your experience of that person. But as before, with all emails that are suspect, you should never click on links or attachments, because whether it's a mistake, whether it's legitimately from that person or, more likely, it comes from a spoofed source, you have no idea what those links or attachments are going to do. It's always better not to take the risk.

In DNS spoofing: to resolve a name query, such as mapping a web server name to an IP address, the user's workstation undertakes a series of queries through the DNS server hierarchy. When this has been tampered with to change the resolutions and resolve a name to a manufactured or faked address, the DNS spoof succeeds by taking the person whose workstation is resolving the name to an address that the attacker wants instead of the address that the genuine user seeks. One of the steps used to do this is called pharming. This is the manipulation of the DNS resolver cache on a workstation to change the resolutions and thus take the individuals on those workstations to destinations other than the ones they actually seek.

And that brings us to our domain summary, closing out our discussion of telecommunications security in Domain 4. We have looked at the various subjects of secure design principles and how to apply them, how to secure our network components, how to design and establish communication channels in a secure manner, and different ways to prevent or mitigate network attacks.

Well, that concludes our discussion of Domain 4. Thank you for joining us. Please be sure to join us again as we begin our discussion of Domain 5 in the Cloud Academy CISSP Examination Preparation Review Seminar. Thank you, see you next time.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
