It's incredibly important that we're aware when threat actors are attacking our networks. So to deal with this, we have network intrusion detection systems and network intrusion prevention systems, better known as an IDS and an IPS. Now, first of all, let's make sure we understand the difference between the two. Detection is not prevention. Detection simply means I see something's happening, and I will tell somebody about it through an email or text message or something so that we can deal with it. Prevention means to actually detect that something's happening, but also to stop it in one way or another.
So we say an IDS is a passive type of system, whereas an IPS is an inline or active system that's actually doing something. The interesting thing about prevention is that IPS systems, well, they certainly detect, but more than that, they often have the ability, for example, to go into a router and dynamically start blocking ports, or blocking an IP address, or blocking a username, or whatever it might be. And they can actually control devices to stop whoever is coming in and doing naughtiness. The trick, though, is detection. So we have four different methods for detection. First of all, we have behavioral or anomaly-based. What we're talking about there is that we have some kind of baseline on a system.
We expect this many malformed packets coming in per second, or we expect that we see this amount of traffic coming from certain geographical areas. Over time, if we see changes from this baseline, we treat that as a detection of an attack and we set off a flag. Second is signature-based. Signature files are kind of like anti-malware. We have expectations of things that we're expecting to come in, and we do online checking of them, and if we see something that we consider an attack, we're dealing with it. Next is rule-based. Rule-based simply means that it uses rule sets, sort of like a firewall, and that we have a rule like: if I see more than 273 ICMP packets per second, I will treat that as a denial of service attack, and I will detect a threat.
And then last is heuristic. Heuristics is probably the most common today. It starts with signature files, but then it does the behavioral anomaly thing as well. So it will have a signature file, but also a baseline, and it will learn over time. Most of the good IDS and IPS systems today are heuristic. In fact, a lot of them do combinations of all four, and they protect how they do it very carefully; it's very proprietary information. So if we have all this, well, how do we set all this up? So to configure an IDS or an IPS, you start off with sensors.
A sensor is a little box. For example, here's a picture of what we call a network tap. This network tap has two sets of connectors, one for in and one for out. Literally every packet that goes through this tap is being logged and checked. And that's its job: to look for that type of stuff. Second is port mirroring. Most any switch these days has the ability to grab data from multiple other physical ports. It's a configuration thing that we do, and we can set it up so that we can do that.
In particular, if you have a lot of VLANs, it's very, very common to set port mirrors up that say, I want to see everything happening on all the different VLANs at once. Now, with the sensors up and running, the next thing we're going to have to do is set them up in the right way. With an IDS, because it's passive, it's often set up as out-of-band. So if we take a look at this diagram right here, you'll see that I have an IDS sensor configured. Now, it's not really connected through anything.
It's just designed to pick up as much data as it can. And it probably has a NIC in there in promiscuous mode that's just grabbing all the information that it possibly can. With an IPS, it's almost always going to be in-band. So, just like that network tap we saw a moment ago, let's bring up another diagram. So in this diagram, what we have is a device where literally everything that is on the network has to go through the device, because it is the connection to the internet itself. So it's just behind the firewall.
So in-band is almost always going to be for an IPS, and out-of-band is almost always going to be for an IDS, although there will be exceptions from time to time. So now that we have all these sensors, asking one little network tap to keep track of all this might be tough; maybe it's fine for my little network here at Total Seminars, but on larger networks, what we'll have are collectors. Collectors are going to be computers whose job is to take all this data that's coming from all these different sensors and store it in a single database. And it just keeps building this up and building this up so that we have a single source that we can look at to see if there's any problems. That's where the last part comes in, and this is where the big money goes.
And that is correlation engines. A correlation engine is nothing more than the actual tool that does the behavioral anomaly checks. It does the signature checks. It does the rule checks. It does the heuristic checks, and that's the actual device that will set off the alarms and let us know, or, if it's an IPS, take care of it itself to deal with the attacks.
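As an added example (not part of the lecture), a small Python sketch of the pipeline just described: two constructed sensor feeds go into a collector, and a toy correlation engine runs the rule-based check (the lecture's more-than-273-ICMP-packets-per-second rule), an anomaly check against a baseline, and a signature match over the merged data. Every signature, address and packet below is constructed, and the baseline and anomaly factor are illustrative assumptions.

```python
from collections import Counter

# Rule from the lecture: more than 273 ICMP packets in one second is treated as a DoS.
ICMP_PER_SECOND_LIMIT = 273

# Constructed signatures (not real IDS rules): name -> byte pattern looked for in payloads.
SIGNATURES = {"constructed-sig-1": b"SIG-1-MARKER"}


def collect(*sensor_feeds):
    """Collector: merge events from several sensors into one list ordered by time."""
    return sorted((ev for feed in sensor_feeds for ev in feed), key=lambda ev: ev["ts"])

def rule_check(events):
    """Rule-based: return the seconds in which the ICMP count exceeds the fixed limit."""
    icmp_per_sec = Counter(ev["ts"] for ev in events if ev["proto"] == "ICMP")
    return sorted(ts for ts, n in icmp_per_sec.items() if n > ICMP_PER_SECOND_LIMIT)

def anomaly_check(events, baseline_per_sec, factor=3.0):
    """Anomaly-based: return the seconds whose total packet count is far above baseline."""
    total_per_sec = Counter(ev["ts"] for ev in events)
    return sorted(ts for ts, n in total_per_sec.items() if n > baseline_per_sec * factor)

def signature_check(events):
    """Signature-based: return (ts, src, signature name) for every payload match."""
    return [(ev["ts"], ev["src"], name) for ev in events
            for name, pat in SIGNATURES.items() if pat in ev.get("payload", b"")]

def correlate(events, baseline_per_sec):
    """Correlation engine: run every detection method and return one sorted alert list."""
    alerts = [("rule:icmp-flood", ts) for ts in rule_check(events)]
    alerts += [("anomaly:volume", ts) for ts in anomaly_check(events, baseline_per_sec)]
    alerts += [("signature:" + name, ts) for ts, _src, name in signature_check(events)]
    return sorted(set(alerts))

def sample_events():
    """Constructed sensor feeds: an in-band tap behind the firewall and a port-mirror sensor."""
    tap = [{"ts": 10, "src": "10.0.0.5", "proto": "ICMP"} for _ in range(300)]
    tap += [{"ts": t, "src": "10.0.0.7", "proto": "TCP", "payload": b"GET / HTTP/1.1"}
            for t in (11, 12)]
    mirror = [{"ts": 12, "src": "10.0.0.9", "proto": "TCP", "payload": b"xx SIG-1-MARKER xx"}]
    mirror += [{"ts": t, "src": "10.0.0.8", "proto": "UDP"} for t in (11, 11, 12)]
    return tap, mirror


if __name__ == "__main__":
    for alert in correlate(collect(*sample_events()), baseline_per_sec=5):
        print(alert)
```

A real engine would work over a sliding window and a learned baseline rather than fixed one-second buckets and a hand-set number, but the three checks and the single merged store are the same shape as the sensors, collectors and correlation engine the lecture describes.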