Question

I'm studying to take the Security+ exam. I'm really having problems figuring out this chart. I understand most of it. Can someone explain the following?

  1. Why are there 2 sensors in this picture which both point to the analyzer?

  2. Why is security policy not a block?

  3. Why does "trending and reporting" have no inputs?

  4. Can this picture be redrawn like this and have the same meaning?

This is really confusing to me.

Solution

I want to start out by saying that these kinds of diagrams are only really useful as high-level overviews of what happens inside a system. Don't take them too literally. Why individual blocks are omitted or repeated is just going to be a mystery and probably not indicative of anything. That said, I'll try to look into my crystal ball and divine what the author might have been thinking:

1) There are two sensors to indicate that there is a 1:n relationship between analyzers and sensors. Meaning that in an IDS, there can be many sensors which all feed into a single analyzer.

2) Security Policy is the data which is supplied by an administrator. So the Administrator (a block) has an arrow (the policy) as an input to several other blocks. Think of it this way: you should always be able to label the arrows in a block diagram with exactly what data is being sent. In your blue diagram you made, what would the label be for the arrow between "Security Policy" and "Analyzer"? (It's the policy which is being sent.)

3) "Trending and Reporting" is not a block (which would need an input). It is the label to the bidirectional arrow on the bottom. "Trending and Reporting" is the data which is being sent back and forth between the Administrator and Operator.

Hope that helps.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow