Summary

In this chapter, we discussed the requirement to build an IDS/IPS capability into our range architecture. We covered how to deploy a network-based IDS and how to configure a sensor on each network segment. We deployed the Snort IDS and used it to detect a number of attacks. Additionally, we installed and deployed the Security Onion Network Security Monitor.

We closed the chapter with a discussion of evasion. We explained that evasion is rarely asked for in a professional testing scope, but there is a chance that it could be. As discussed in the chapter, there are no guarantees when it comes to evasion, because we will only be as successful as the administrator who configured the devices allows us to be. Having said that, one of the highest rates of success is found when we use ports that are known to carry encrypted data. We verified this by scanning the Network Security Toolkit virtual machine on port 9943 without being detected, but when we ran the attack on port 80, we were detected.

This concludes the chapter. You have now deployed IDS/IPS into your range environment and you have seen methods to evade detection. In the next chapter, we will look at adding web servers and web applications to our range architecture.
