Welcome to the Cisco Networking Professionals Connection Security Forum. This conversation will provide you the opportunity to discuss issues surrounding Intrusion Detection Systems. We encourage everyone to share their knowledge and start conversations on issues such as detecting, reporting, terminating unauthorized activity, and any other topic concerning Intrusion Detection Systems.
One difference: Firewalls look at incoming packets and attempt to apply a set of rules. The rules will result in a pass/drop decision that affects the setup of a channel. Once the pass decision has been made, subsequent packets for that channel are typically "fastpathed" through the firewall. Most firewalls do not do inspection of the data in the packets...it would drop their throughput too much. Network IDSs generally are not a "bump in the wire". They watch the packets flying by and look at the data in the packet in an attempt to recognize attacks or other "bad things" going on. One very common (if not the most common) deployment location for an IDS is just behind a firewall. The idea is to use the firewall to control access to your network (Drop/Pass decision) and the IDS to make sure that what you do pass isn't malicious.
Although an IDS will not replace your firewalls or other security devices for that matter it serves a very complementary role and addresses certain risks that firewalls cannot. The primary function of the firewall is to control access to services and hosts based on your site security policy. If a service or connection to a specific host is permitted, firewalls typically permit all such traffic, and they do not inspect the content of the permitted traffic.
Let's look at an example where you have a Web server on a DMZ behind your firewall. Your firewall will probably be configured to let HTTP traffic through to the Web server and block everything else inbound. The firewall will dutifully enforce the policy and block all traffic to the Web server except for HTTP. Since HTTP traffic is permitted, any attacks that you can embed in HTTP traffic will also be permitted by the firewall. Examples of vulnerabilities that can be exploited this way include the Microsoft IIS unicode bug (see:
Note that the firewall is not misconfigured or malfunctioning.
Although most firewalls will not protect against data/content-driven attacks (like the example above), IDSs will because they inspect the content of the traffic (in addition to other things). Furthermore, firewalls typically will not protect you against attacks originating from inside your network or entering your environment from other ingress points not protected by firewalls (for example, remote access servers). IDSs can be strategically deployed to monitor activity from internal sources and other network ingress points without impacting your network. Deploying an IDS to complement your firewall(s) will significantly enhance your security posture.
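The difference the two posts above describe (a firewall deciding from protocol, host and port only, an IDS behind it reading the payload) can be shown in a few lines of code. The example below is added here and is not code from the forum posts or from any Cisco product: it models a firewall rule that permits TCP/80 to a constructed DMZ address, and an IDS-style check that percent-decodes the HTTP request URI, collapses the overlong UTF-8 slash encodings the IIS Unicode bug relied on, and alerts on directory traversal after decoding. The addresses, packets and signature names are all constructed for illustration.

```python
"""Firewall-style vs IDS-style decisions on the same HTTP traffic.

Constructed example: the 'firewall' decides from protocol/destination/port
only; the 'IDS' inspects the HTTP request line and alerts on traversal
that only becomes visible after percent-decoding and overlong-UTF-8
normalisation.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Hypothetical DMZ web server address and the firewall's allow list
# (constructed; policy is: TCP/80 to the web server passes, everything else drops).
WEB_SERVER = "10.0.0.5"
FIREWALL_ALLOW = {("tcp", WEB_SERVER, 80)}

# Overlong UTF-8 encodings of '/' and '\' that a lax decoder collapses to a slash.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


@dataclass
class Packet:
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes


def firewall_decision(pkt: Packet) -> str:
    """Pass/drop from the header fields alone; the payload is never looked at."""
    return "pass" if (pkt.proto, pkt.dst_ip, pkt.dst_port) in FIREWALL_ALLOW else "drop"


def normalise_uri(raw: bytes) -> bytes:
    """Percent-decode once, then fold overlong slashes and backslashes to '/'."""
    decoded = unquote_to_bytes(raw)
    for overlong, plain in OVERLONG.items():
        decoded = decoded.replace(overlong, plain)
    return decoded.replace(b"\\", b"/")


def ids_inspect(pkt: Packet) -> list[str]:
    """Return the names of matching signatures for the HTTP request line (empty if clean)."""
    alerts: list[str] = []
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:          # not an HTTP request line; nothing to inspect here
        return alerts
    raw_uri = parts[1]
    if any(seq in unquote_to_bytes(raw_uri) for seq in OVERLONG):
        alerts.append("Overlong UTF-8 encoding in URI")
    if b"../" in normalise_uri(raw_uri):
        alerts.append("HTTP directory traversal after decoding")
    return alerts


def process(pkt: Packet) -> dict:
    """Firewall first; the IDS only sees what the firewall passed (deployed behind it)."""
    fw = firewall_decision(pkt)
    alerts = ids_inspect(pkt) if fw == "pass" else []
    return {"firewall": fw, "ids_alerts": alerts}


# Constructed sample traffic: a clean request, a traversal hidden behind an
# overlong encoding, and a connection the firewall policy does not permit.
NORMAL = Packet("tcp", WEB_SERVER, 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL = Packet("tcp", WEB_SERVER, 80,
                   b"GET /scripts/..%c0%af../protected.txt HTTP/1.0\r\n\r\n")
TELNET = Packet("tcp", WEB_SERVER, 23, b"\xff\xfb\x18")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("traversal", TRAVERSAL), ("telnet", TELNET)):
        print(name, process(pkt))
```

Running it shows the point of the thread: the traversal request and the clean request get the identical "pass" from the firewall, because both are TCP/80 to the permitted host, and only the content inspection separates them. A single pass of decoding is deliberate; matching on the raw URI (`..%c0%af`) would miss every other encoding of the same path, which is why the check normalises first and matches on the decoded form.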
There is an IDS feature set for IOS. It and the PIX have LIMITED IDS capabilities (about 10% of the signatures that the full IDS contains). Look for the "ip audit" command in release notes for how it works in IOS.