tailieunhanh - Network Security Using Cisco IOS IPS

Packet snooping can be detected in certain instances, but it usually occurs without anyone knowing. For packet snooping to occur, a device must be inserted between the sending and receiving machines. This task is more difficult with point-to-point technologies such as serial line connections, but it can be fairly easy with shared media environments. If hubs or concentrators are used, it can be relatively easy to insert a new node. However, some devices are coming out with features that remember MAC addresses and can detect whether a new node is on the network. This feature can aid the network manager.

CHAPTER 6 Network Security Using Cisco IOS IPS

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution. Maintaining secure network services is a key requirement of a profitable IP-based business. Using Cisco products and technologies as examples, this chapter defines IDS and IPS and how these systems work.

Introducing IDS and IPS

IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes the payload of the packets at Layer 2 to Layer 7 for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall.
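
The difference between promiscuous and inline mode can be seen by running the same traffic through both models. The following is an added example, not code from the chapter or from Cisco; the signature marker, the Packet type, the function names and the sample packets are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed signature marker (assumption; not a real Cisco IPS signature).
SIGNATURE = re.compile(rb"EXAMPLE-MALICIOUS-PATTERN")

@dataclass(frozen=True)
class Packet:
    src: str
    payload: bytes

def run_promiscuous(packets):
    """IDS model: the packet is forwarded, the sensor inspects a copy."""
    delivered, alerts, blocked_sources = [], [], set()
    for pkt in packets:
        # Forwarding device (router/firewall) only enforces earlier responses.
        if pkt.src not in blocked_sources:
            delivered.append(pkt)
        # Sensor sees the copy after the original has already been forwarded.
        if SIGNATURE.search(pkt.payload):
            alerts.append(pkt)
            blocked_sources.add(pkt.src)  # response applied by another device
    return delivered, alerts

def run_inline(packets):
    """IPS model: the sensor sits in the data stream and decides first."""
    delivered, alerts = [], []
    for pkt in packets:
        if SIGNATURE.search(pkt.payload):
            alerts.append(pkt)  # dropped before reaching the trusted side
            continue
        delivered.append(pkt)
    return delivered, alerts

def attack_reached_target(delivered):
    return any(SIGNATURE.search(p.payload) for p in delivered)

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("192.0.2.10", b"GET /index.html"),
    Packet("203.0.113.5", b"EXAMPLE-MALICIOUS-PATTERN"),  # single-packet attack
    Packet("203.0.113.5", b"GET /login"),
    Packet("192.0.2.10", b"GET /about.html"),
]

if __name__ == "__main__":
    for name, mode in (("promiscuous", run_promiscuous), ("inline", run_inline)):
        delivered, alerts = mode(SAMPLE)
        print(name, "alerts:", len(alerts),
              "attack delivered:", attack_reached_target(delivered))
```

Both modes raise one alert, but only the promiscuous model delivers the single-packet attack; its response affects only the later packet from the same source.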
