
Intrusion Detection and Prevention (ppt document)

DOCUMENT INFORMATION

Basic information

Title: Intrusion Detection and Prevention
School: University of Information Technology
Field: Network Security
Category: Document
City: Ho Chi Minh City
Format:
Pages: 2
Size: 27.11 KB


Contents



Intrusion Detection and Prevention

Because network traffic must cross the firewall to reach the end systems, the firewall has also become a point where the inspection of this traffic is appropriate. For many years, firewall vendors such as Cisco Systems, Inc. and Check Point have been including intrusion detection system (IDS) capabilities in their firewalls. These devices were the first "in-line" IDS systems, long before in-line IDS-dedicated appliances ever existed.

Overview of IDS

Intrusion detection is an aspect of security whereby a device detects the fingerprint of an attack within the network. Modern IDSs use a variety of techniques to ensure that the alarms they raise reflect actual attacks being conducted rather than false alarms. Many IDSs connect to the network through a port on a switch, and the interface that connects to that port captures traffic to a particular system or subnet, as shown in Figure 14-2.

Figure 14-2 Intrusion Detection


The Firewall as an IDS Sensor

As firewall hardware has become more and more powerful, vendors have sought to use the additional computing power by adding features to the firewall code. Many vendors have offered IDS capabilities in their firewalls for quite some time and have made the firewalls the first true in-line intrusion prevention systems (IPSs). However, the IDS code in the firewall was, until recently, not on par with the IDS code used in the dedicated IDS appliance. For example, the Cisco PIX Firewall integrated IDS capability was really an incredibly small subset of the capabilities of their dedicated IDS/IPS offerings. The IDS capabilities of the firewall did not fully mimic those of the dedicated appliance because of concerns about the impact of those capabilities on firewall performance. However, the firewall does make an excellent sensor in that it is directly in-line with the traffic flow and has the capability to capture all traffic destined for target hosts located behind the firewall.

Combined with other IDS devices, such as dedicated appliances, the firewall makes an effective line of defense with these capabilities. In addition to the use of dedicated IDS appliances, the use of host IPS agents helps significantly improve the deterrent capabilities and the defenses of a network. With alarms from firewalls, dedicated IDS appliances, and host IPS agents, a strong correlation can be made in identifying a real attack versus a false positive. This, in turn, can allow the administrator to better conduct countermeasures such as having the dedicated appliance issue TCP resets or use shunning, or even allow the firewall to drop the offending traffic. Overall, the role of firewalls in intrusion detection is still being defined as vendors migrate more and more IDS code into the firewall appliance.
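The correlation described above, as an added example that is not part of the original document or of any vendor's product: alarms from three sensor types (firewall, dedicated IDS appliance, host IPS agent) are grouped by source/destination pair inside a time window, and the number of independent sensors that fired decides whether the event is treated as a confirmed attack or an unconfirmed single alarm. The sensor names, alert format, window length and the mapping from verdict to the countermeasures the text lists are assumptions for illustration.

```python
"""Multi-sensor alarm correlation (added example; sensor names, alert format,
window length and response mapping are assumptions, not from the document)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since epoch (constructed values)
    sensor: str      # assumed sensor types: "firewall", "nids", "hips"
    src: str
    dst: str
    signature: str


# Constructed sample alarms for the demonstration; not captured from real traffic.
SAMPLE_ALERTS = [
    Alert(1000, "firewall", "203.0.113.7", "192.0.2.10", "port-scan"),
    Alert(1004, "nids",     "203.0.113.7", "192.0.2.10", "http-dir-traversal"),
    Alert(1009, "hips",     "203.0.113.7", "192.0.2.10", "webroot-write"),
    Alert(1020, "nids",     "198.51.100.5", "192.0.2.20", "smtp-long-helo"),  # lone alarm
    Alert(1030, "firewall", "198.51.100.9", "192.0.2.10", "port-scan"),
    Alert(1095, "hips",     "198.51.100.9", "192.0.2.10", "webroot-write"),  # 65 s later
]

WINDOW = 60  # seconds within which alarms are considered related (assumed policy)


def verdict(sensors):
    """More independent sensor types agreeing means higher confidence."""
    if len(sensors) >= 3:
        return "confirmed"
    if len(sensors) == 2:
        return "probable"
    return "unconfirmed"


def correlate(alerts, window=WINDOW):
    """Group alerts by (src, dst) and, for each pair, find the time window in
    which the largest number of distinct sensor types fired.
    Returns {(src, dst): {"sensors": set, "signatures": list, "verdict": str}}."""
    by_pair = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_pair[(a.src, a.dst)].append(a)

    results = {}
    for pair, group in by_pair.items():
        best_sensors, best_sigs = set(), []
        # Slide a window starting at each alarm; keep the window with most sensor types.
        for i, first in enumerate(group):
            in_win = [a for a in group[i:] if a.ts - first.ts <= window]
            sensors = {a.sensor for a in in_win}
            if len(sensors) > len(best_sensors):
                best_sensors = sensors
                best_sigs = [a.signature for a in in_win]
        results[pair] = {
            "sensors": best_sensors,
            "signatures": best_sigs,
            "verdict": verdict(best_sensors),
        }
    return results


def recommend(verdict_str):
    """Map a verdict to the countermeasures the text mentions (assumed policy)."""
    return {
        "confirmed": "firewall drop + shun source",
        "probable": "IDS appliance TCP reset; escalate to analyst",
        "unconfirmed": "log only",
    }[verdict_str]


if __name__ == "__main__":
    for pair, info in correlate(SAMPLE_ALERTS).items():
        print(pair, sorted(info["sensors"]), info["verdict"], "->", recommend(info["verdict"]))
```

Running the block shows the first source/destination pair confirmed by all three sensor types, the lone NIDS alarm left as unconfirmed, and the third pair also unconfirmed because its two alarms fall 65 seconds apart, outside the 60-second window; widening the window or lowering the threshold is a tuning decision that trades missed correlations against more false positives reaching the response stage.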

The Firewall as the IPS

With the increased market desire to go beyond simple intrusion detection to intrusion prevention, more vendors have begun using the firewall not just as an IDS sensor but as an actual IPS device in and of itself (particularly true of devices such as the Cisco Adaptive Security Appliance [ASA]).

The logic behind this is relatively sound. Because the firewall is a natural control point for network traffic, and because all traffic entering or exiting a network through a firewall must be processed by the firewall anyway, with added IPS functionality the firewall can not only detect intrusion attempts on its own, it can also then block the traffic without requiring any other devices to be involved in the processing decision. This functionality is relatively new and is largely the result of the increased processing power of today's microprocessors, which allow a firewall to perform this more intensive data processing with a minimal impact on network performance.

Posted: 26/01/2014, 04:20
