Welcome to the Intrusion Detection Discussion

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Connection Security Forum. This conversation will provide you the opportunity to discuss issues surrounding Intrusion Detection Systems. We encourage everyone to share their knowledge and start conversations on issues such as detecting, reporting, terminating unauthorized activity, and any other topic concerning Intrusion Detection Systems.

Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.

We encourage you to tell your fellow networking professionals about the site.

If you would like us to send them a personal invitation simply send their names and e-mail addresses along with your name to us at np-moderator@external.cisco.com.

5 Replies

chris-lau
Level 1

What is the differentiating factor of an IDS as compared to a firewall?

One difference: Firewalls look at incoming packets and attempt to apply a set of rules. The rules will result in a pass/drop decision that affects the setup of a channel. Once the pass decision has been made, subsequent packets for that channel are typically "fastpathed" through the firewall. Most firewalls do not do inspection of the data in the packets; it would drop their throughput too much. Network IDSs generally are not a "bump in the wire". They watch the packets flying by and look at the data in the packet in an attempt to recognize attacks or other "bad things" going on. One very common (if not the most common) deployment location for an IDS is just behind a firewall. The idea is to use the firewall to control access to your network (Drop/Pass decision) and the IDS to make sure that what you do pass isn't malicious.

SC

Although an IDS will not replace your firewalls — or other security devices for that matter — it serves a very complementary role and addresses certain risks that firewalls cannot. The primary function of the firewall is to control access to services and hosts based on your site security policy. If a service or connection to a specific host is permitted, firewalls typically permit all such traffic, and they do not inspect the content of the permitted traffic.

Let’s look at an example where you have a Web server on a DMZ behind your firewall. Your firewall will probably be configured to let HTTP traffic through to the Web server and block everything else inbound. The firewall will dutifully enforce the policy and block all traffic to the Web server except for HTTP. Since HTTP traffic is permitted, any attacks that you can embed in HTTP traffic will also be permitted by the firewall. Examples of vulnerabilities that can be exploited this way include the Microsoft IIS unicode bug (see: http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1806 ) and the RedHat Piranha password vulnerability (see: http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D1367 ).

Note that the firewall is not misconfigured or malfunctioning.

Although most firewalls will not protect against data/content-driven attacks (like the example above), IDSs will because they inspect the content of the traffic (in addition to other things). Furthermore, firewalls typically will not protect you against attacks originating from inside your network or entering your environment from other ingress points not protected by firewalls (for example, remote access servers). IDSs can be strategically deployed to monitor activity from internal sources and other network ingress points without impacting your network. Deploying an IDS to complement your firewall(s) will significantly enhance your security posture.
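The split the two replies above describe, as an added example that is not part of the thread: a port-based firewall pass/drop decision beside an IDS content check of the HTTP request line, using the IIS unicode bug as the content-driven case. The DMZ address, the sample requests and the alert names are constructed for the example; the only fact relied on is that UTF-8 lead bytes 0xC0 and 0xC1 can never start a valid (shortest-form) sequence, so a request carrying them is using an overlong encoding that a non-validating decoder maps back to ASCII.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

WEB_SERVER = "192.0.2.10"  # constructed DMZ web server address (documentation range)

def firewall_decision(dst_ip: str, dst_port: int) -> str:
    """Port-based policy: HTTP to the DMZ web server passes, everything else drops.
    The payload is never examined, so an attack inside an allowed HTTP request passes too."""
    return "pass" if (dst_ip, dst_port) == (WEB_SERVER, 80) else "drop"

# Two-byte sequences with lead byte C0 or C1 are overlong by definition: a strict
# decoder rejects them, but a lenient one turns %c0%af into '/' and %c1%9c into '\'.
OVERLONG = re.compile(r"%(c[01])%([89ab][0-9a-f])", re.IGNORECASE)

def lenient_decode(target: str) -> str:
    """Decode the way a non-validating server would: overlong pairs become the ASCII
    character they spell, then ordinary %XX escapes are decoded."""
    def overlong_to_ascii(m: re.Match) -> str:
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (trail & 0x3F))
    return unquote(OVERLONG.sub(overlong_to_ascii, target))

def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the document root (either separator)."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def ids_inspect(request_line: str) -> list[str]:
    """The content inspection the firewall skips; returns the names of alerts raised."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["http-malformed-request-line"]
    target, alerts = parts[1], []
    if OVERLONG.search(target):
        alerts.append("http-overlong-utf8-in-uri")
    if escapes_webroot(lenient_decode(target)):
        alerts.append("http-directory-traversal")
    return alerts

# Constructed samples: the first two are TCP/80 to the web server, so the firewall
# passes both and only the IDS tells the benign request from the traversal attempt.
SAMPLES = [(WEB_SERVER, 80, "GET /index.html HTTP/1.0"),
           (WEB_SERVER, 80, "GET /scripts/..%c0%af../ HTTP/1.0"),
           (WEB_SERVER, 23, "telnet")]  # not HTTP: dropped before any inspection

def run(samples=SAMPLES) -> list[tuple[str, list[str]]]:
    out = []
    for ip, port, payload in samples:
        verdict = firewall_decision(ip, port)
        out.append((verdict, ids_inspect(payload) if verdict == "pass" else []))
    return out
```

Running `run()` shows the firewall verdict and IDS alerts side by side for each sample, which is the "firewall controls access, IDS checks what was passed" arrangement the replies recommend.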

I have heard that the newer versions of software for the routers and pix firewalls have IDS functionality. Is this true? If so, where can I find configuration examples and documentation?

There is an IDS feature set for IOS. It and the PIX have LIMITED IDS capabilities (about 10% of the signatures that the full IDS contains). Look for the "ip audit" command in release notes for how it works in IOS.
