Network Security: Intrusion Prevention and Intrusion Detection
Network administrators should implement intrusion-detection systems (IDS) and intrusion-prevention systems (IPS) to provide a network-wide security strategy. IDS and IPS both offer a similar suite of options. In fact, you can think of IPS as an extension of IDS because an IPS system actively disconnects devices or connections that are deemed as being used for an intrusion.
IDS devices can be network-based devices, running as appliances or separate servers running software, which is performing the IDS role, but they can also be installed on client or network computers. The later is often referred to as host-based intrusion detection system (HIDS).
These devices can reside inside your network, behind your firewall, detecting abnormalities there, and/or they can be placed outside your firewall. When they are outside your firewall, they are typically targeted for the same attacks that run against the firewall, thereby alerting you to attacks being run against your firewall.
Cisco offers several options for IDS and IPS systems and offers these as standalone systems or as add-ons for your existing security products. The following are two such options:
Cisco ASA Advanced Inspection and Prevention Security Services Module
Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module
IDS and IPS have several methods for working with detection. Similar to viruses on your network, intrusions and attacks have features that are recorded as a signature or behavior. So when the IPS system sees this type of data or behavior, the IPS system can swing into action.
Suspicious behavior can also trigger these systems. This behavior can include a remote system attempting to ping every address on your subnet in sequential order, and other activity that is considered to be abnormal. When the IPS system sees this activity, the IPS can be configured to blacklist or block the source device, either indefinitely or for a period of time.
The other way these systems can identify suspicious traffic on your network is to have them run in a Learning mode for a period of time. Over the course of weeks, they can classify regular traffic patterns on your network and then limit traffic to those established patterns.
If you introduce new software to your network, you may need to manually add appropriate rules or run a learning period and then put the system back into Prevention mode. This necessity is even true of the host-based systems because they update their rules from the management or policy server that is running on the network.
These systems help prevent the spread of Day Zero attacks, which are new viruses or network attacks that are different from all the previous network intrusions. Because these Day Zero attacks are new, you do not have a specific signature for the attack; but the attack still needs to perform the same suspicious behaviors, which can be detected and blocked.