Welcome to the CND 312-38 interactive scenario. In this simulation, you will practice network security architecture design. Understanding the distinct operational modes of detection versus prevention systems is vital when engineering controls for sensitive or high-availability environments like manufacturing (OT/ICS).

CND (312-38) Network Defense Simulation

Network Scenario

You are auditing a manufacturing company's converged IT/OT (Operational Technology) network. Management is highly risk-averse regarding operational downtime; any false positive that drops legitimate SCADA or PLC traffic could cause catastrophic manufacturing line failures.
To improve visibility across the core switches, they agree to implement network traffic analysis. However, they strictly mandate that the solution must only observe and alert the SOC, without any capability to interrupt the physical flow of packets.

Traffic & Logs

Proposed Configuration and Expected Output (Suricata Engine):

# Interface Configuration
sensor_interface: eth1 (Connected via Core Switch SPAN port - Promiscuous Mode)

# Expected Alert Output Example
[10/24/2023-09:15:22] [**] [1:2010935:2] ET EXPLOIT Possible Modbus TCP Unauthorized Access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.50.2.100:49211 -> 10.50.10.5:502
Action Taken: ALERT_ONLY (Inline dropping disabled by architecture)

Notice the architectural placement: the sensor receives only a copy of the traffic via the SPAN port, so it has no data path through which to drop packets, even when an attack is detected.

Question

You are an IT security consultant working on a contract for a large manufacturing company to audit their entire network. After performing all the tests and building your report, you present a number of recommendations to the company and what they should implement to become more secure. One recommendation is to install a network-based device that notifies IT employees whenever malicious or questionable traffic is found. From your talks with the company, you know that they do not want a device that actually drops traffic completely, they only want notification. What type of device are you suggesting?
Defensive Hint: Break down the acronyms. "Network" vs "Host" dictates placement. "Detection" vs "Prevention" dictates action. The client asked for Network placement and Detection (notification only) actions.

Expert Analysis

1. What is happening in the network:
The organization is deploying a security monitoring solution to detect malicious traffic but is constrained by strict availability requirements common in manufacturing and ICS (Industrial Control Systems) environments.

2. Identify attack or behavior:
We are identifying the correct architectural deployment for security controls. An active prevention system could introduce latency or drop legitimate production traffic (false positives), disrupting the business.

3. Why the correct answer is correct:
A NIDS (Network Intrusion Detection System) operates out-of-band. It analyzes a copy of the network traffic (usually via a SPAN port or TAP) and generates alerts when questionable traffic matches a signature or anomaly rule. Because it is not inline, it physically cannot drop traffic, perfectly fulfilling the client's requirement.

4. Why others are wrong:

5. Defensive action:
Deploy NIDS sensors (like Snort, Suricata, or Zeek) at strategic network chokepoints. Forward the generated alerts to a centralized SIEM for the SOC team to triage and respond to manually.
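Added example (not code from the scenario or from Suricata itself): a small Python parser for the fast.log alert line shown in the Traffic & Logs section, with the triage step that feeds the SIEM hand-off described in step 5. The ICS port list, queue names and sample log lines are constructed for the example; the action field is fixed at ALERT_ONLY because a SPAN-fed sensor has no drop path.

```python
import re

# Matches the Suricata fast.log alert line shown in the scenario; brackets around the timestamp
# and a microsecond field are optional so stock fast.log lines parse too.
ALERT_RE = re.compile(
    r"^\[?(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}(?:\.\d+)?)\]?\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)
# Constructed ICS service ports used for escalation: Modbus/TCP, S7comm, DNP3, EtherNet/IP.
ICS_PORTS = {502, 102, 20000, 44818}

def parse_alert(line):
    """Parse one fast.log line into a dict; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"timestamp": m["ts"], "sid": int(m["sid"]), "msg": m["msg"],
            "classification": m["cls"] or "unclassified", "priority": int(m["pri"]),
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def triage(alert):
    """Route an alert to a SOC queue. The sensor sits on a SPAN port, so the action is
    always ALERT_ONLY; only the urgency of the human follow-up changes."""
    touches_ics = alert["dport"] in ICS_PORTS or alert["sport"] in ICS_PORTS
    if alert["priority"] == 1 and touches_ics:
        queue = "page-oncall"      # high-priority signature hit on a PLC/SCADA port
    elif alert["priority"] <= 2:
        queue = "soc-triage"
    else:
        queue = "daily-review"
    return {"action": "ALERT_ONLY", "queue": queue, "sid": alert["sid"],
            "ics_asset": touches_ics,
            "flow": f"{alert['src']}:{alert['sport']}->{alert['dst']}:{alert['dport']}"}

def process_log(lines):
    """Parse and triage every alert line, skipping lines that are not alerts."""
    parsed = (parse_alert(line) for line in lines)
    return [triage(a) for a in parsed if a is not None]

# Constructed sample lines; the first mirrors the scenario's expected alert output.
SAMPLE_LOG = [
    "[10/24/2023-09:15:22] [**] [1:2010935:2] ET EXPLOIT Possible Modbus TCP Unauthorized Access "
    "[**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "10.50.2.100:49211 -> 10.50.10.5:502",
    "10/24/2023-09:16:01.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.50.10.5:80 -> 10.50.2.100:50001",
    "Action Taken: ALERT_ONLY (Inline dropping disabled by architecture)",
]
```

Running `process_log(SAMPLE_LOG)` yields two triaged records; the Modbus alert lands in the page-oncall queue while the non-ICS alert goes to routine SOC triage.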

MINI LESSON: Fail-Open vs. Fail-Closed Design

When designing network defenses, understand the business impact. NIDS is a "fail-open" design; if the NIDS crashes, network traffic continues unimpeded. NIPS is typically "fail-closed" (unless specific hardware bypasses are used); if the NIPS crashes, network traffic stops. In OT/Manufacturing, availability often supersedes confidentiality, making NIDS the preferred initial deployment.
