Tài liệu Intrusion Detection and Prevention ppt

Intrusion Detection and Prevention

Because network traffic must cross the firewall to reach the end systems, the firewall has

also become a point where the inspection of this traffic is appropriate. For many years,

firewall vendors such as Cisco Systems, Inc. and Check Point have been including

intrusion detection system (IDS) capabilities to their firewalls. These devices were the

first "in-line" IDS systems long before in-line IDS-dedicated appliances ever existed.

Overview of IDS

Intrusion detection is an aspect of security whereby a device detects the fingerprint of an

attack within the network. Modern IDSs use a variety of techniques to ensure that the

alarms they raise are of actual attacks being conducted rather than a false alarm. Many

IDSs connect to the network through a port on a switch, and the interface that connects to

that port captures traffic to a particular system or subnet, as shown in Figure 14-2.

Figure 14-2. Intrusion Detection

[View full size image]

The Firewall as an IDS Sensor

As firewall hardware has become more and more powerful, vendors have sought to use

the additional computing power by adding features to the firewall code. Many vendors

have offered IDS capabilities in their firewalls for quite some time and have made the

firewalls the first true in-line intrusion prevention systems (IPSs). However, the IDS code

in the firewall was, until recently, not on par with the IDS code used in the dedicated IDS

appliance. For example, the Cisco PIX Firewall integrated IDS capability was really an

incredibly small subset of the capabilities of their dedicated IDS/IPS offerings. The IDS

capabilities of the firewall did not fully mimic those of the dedicated appliance because