124 CHAPTER 8 Security Standards and Services

Systems or devices used as lures often also contain deliberately tantalizing objects or resources to attract and hold an attacker's interest long enough to give a backtrace a chance of identifying the attack's point of origin. Systems or devices used as lures also include, or are monitored by, passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.

Honeynets

A honeynet is a network that is set up to attract potential attackers and distract them from your production network. In a honeynet, attackers will find not only vulnerable services or servers but also vulnerable routers, firewalls, and other network boundary devices, security applications, and so forth. The following characteristics are typical of honeynets:

• Network devices used as lures are set up with only "out of the box" default installations, so that they are deliberately made subject to all known vulnerabilities, exploits, and attacks.
• The devices used as lures do not include sensitive information, so these lures can be compromised, or even destroyed, without causing damage, loss, or harm to the organization that presents them to be attacked.
• Devices used as lures also include, or are monitored by, passive applications that can detect and report on attacks or intrusions as soon as they start, so the process of backtracing and identification can begin as soon as possible.

Content filtering is the process by which an application examines content, analyzes it, and decides on that basis whether to block or allow it.

A protocol analyzer captures a copy of each packet as traffic moves across the network from machine to machine, so that the packets can be analyzed later. Protocol analyzers go by many names, such as packet analyzer, network analyzer, and sniffer. Characteristics of protocol analyzers are as follows:

• Captured data is essentially a photocopy; the original packet is not harmed or altered.
• All broadcast traffic will be captured.
• To capture traffic addressed to or from another machine on the network, the sniffer should be run in promiscuous mode.
• If a hub exists on the network, it allows the capturing of all packets on the network regardless of their source or destination.

EXAM WARNING

Remember that an IPS is designed to be a preventive control. When an IDS identifies patterns that may indicate suspicious activities or attacks, an IPS can take immediate action that can block traffic, blacklist an IP address, or even segment an infected host to a separate virtual local area network (VLAN) that can only access an antivirus server.
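To make the protocol-analyzer characteristics and the IDS/IPS distinction concrete, here is an added worked example in Python (it is not from the book and does not use any real capture library). It builds a few Ethernet/IPv4/TCP frames inline as constructed sample input, decodes them the way a packet analyzer would (reading a copy, leaving the original bytes untouched), runs a simple IDS signature check, and then shows the difference between an IDS that only alerts and an IPS that blocks the packet and blacklists the source. The frame layout, the signature (SYN+FIN, an invalid flag combination), the `Packet` and `Sensor` names, and the addresses are all assumptions made for the example.

```python
"""Added example: a miniature protocol analyzer feeding an IDS/IPS decision step.
Frames are constructed inline for illustration; nothing here reads a real NIC."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_P_IP = 0x0800          # EtherType for IPv4
PROTO_TCP = 6              # IP protocol number for TCP
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04
DST_MAC = bytes.fromhex("001122334455")   # constructed sample MACs
SRC_MAC = bytes.fromhex("aabbccddeeff")


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct an Ethernet II + IPv4 + TCP frame (checksums left at zero for brevity)."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def decode_frame(frame: bytes) -> Packet:
    """Decode the Ethernet, IPv4 and (if present) TCP headers from a captured frame.
    The frame is only read; like a sniffer's capture, the original bytes are not altered."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    pkt = Packet(src_mac.hex(":"), dst_mac.hex(":"), src_ip, dst_ip, proto)
    if proto == PROTO_TCP and len(ip) >= ihl + 14:
        tcp = ip[ihl:]
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", tcp[:4])
        pkt.tcp_flags = tcp[13] & 0x3F             # low 6 bits: URG ACK PSH RST SYN FIN
    return pkt


def ids_check(pkt: Packet) -> Optional[str]:
    """Return a signature name when the packet matches a suspicious pattern, else None."""
    if pkt.proto == PROTO_TCP:
        if pkt.tcp_flags & TCP_SYN and pkt.tcp_flags & TCP_FIN:
            return "TCP SYN+FIN set together (invalid flag combination)"
        if pkt.tcp_flags == 0:
            return "TCP packet with no flags set"
    return None


@dataclass
class Sensor:
    """mode='ids' only records alerts (detective); mode='ips' also blocks (preventive)."""
    mode: str = "ips"
    blacklist: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def handle(self, frame: bytes) -> str:
        pkt = decode_frame(bytes(frame))           # analyze a copy of the captured frame
        if self.mode == "ips" and pkt.src_ip in self.blacklist:
            return "drop (blacklisted source)"
        sig = ids_check(pkt)
        if sig is None:
            return "forward"
        self.alerts.append((pkt.src_ip, pkt.dst_ip, pkt.dst_port, sig))
        if self.mode == "ids":
            return "forward (alert only)"
        self.blacklist.add(pkt.src_ip)             # immediate action: blacklist the source IP
        return f"block ({sig})"


if __name__ == "__main__":
    sensor = Sensor(mode="ips")
    for f in (build_frame("10.0.0.7", "10.0.0.1", 40001, 443, TCP_SYN),
              build_frame("10.0.0.5", "10.0.0.1", 40000, 22, TCP_SYN | TCP_FIN),
              build_frame("10.0.0.5", "10.0.0.1", 40002, 443, TCP_SYN)):
        print(decode_frame(f).src_ip, "->", sensor.handle(f))
```

Running the block prints a normal SYN being forwarded, the SYN+FIN packet being blocked, and a later, perfectly ordinary packet from the same source being dropped because the IPS already blacklisted it; the same frames through `Sensor(mode="ids")` all forward, with the alert recorded but no action taken, which is exactly the detective-versus-preventive line the exam warning draws.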