Intrusion Detection and Prevention
Because network traffic must cross the firewall to reach the end systems, the firewall has
also become a natural point at which to inspect that traffic. For many years,
firewall vendors such as Cisco Systems, Inc. and Check Point have been adding
intrusion detection system (IDS) capabilities to their firewalls. These devices were the
first "in-line" IDSs, long before dedicated in-line IDS appliances existed.
Overview of IDS
Intrusion detection is the aspect of security in which a device recognizes the fingerprint of an
attack within network traffic. Modern IDSs use a variety of techniques to ensure that the
alarms they raise correspond to actual attacks being conducted rather than to benign traffic
(false positives). Many IDSs connect to the network through a switch port configured to mirror
traffic; the interface connected to that port captures a copy of the traffic to a particular
system or subnet, as shown in Figure 14-2.
Figure 14-2. Intrusion Detection
The Firewall as an IDS Sensor
As firewall hardware has become more and more powerful, vendors have sought to use
the additional computing power by adding features to the firewall code. Many vendors
have offered IDS capabilities in their firewalls for quite some time, making
firewalls the first true in-line intrusion prevention systems (IPSs). However, the IDS code
in the firewall was, until recently, not on par with the IDS code used in dedicated IDS
appliances. For example, the integrated IDS capability of the Cisco PIX Firewall was a
very small subset of the capabilities of Cisco's dedicated IDS/IPS offerings. The IDS
capabilities of the firewall did not fully mimic those of the dedicated appliance because
of concerns about the impact of those capabilities on firewall performance. Nevertheless, the
firewall makes an excellent sensor: it sits directly in-line with the traffic flow
and can see all traffic destined for the target hosts located behind it.
Combined with other IDS devices, such as dedicated appliances, a firewall with these
capabilities forms an effective line of defense. In addition to dedicated IDS
appliances, host IPS agents significantly improve the deterrent capabilities and
the defenses of a network. With alarms from firewalls, dedicated IDS
appliances, and host IPS agents, a strong correlation can be made between independent
sources to distinguish a real attack from a false positive. This, in turn, allows the
administrator to apply countermeasures with more confidence, such as having the dedicated
appliance issue TCP resets to tear down the offending connection, shunning (dynamically
pushing a block for the attacker's address to the firewall or router), or simply allowing
the firewall to drop the offending traffic. Overall, the role of firewalls in
intrusion detection is still being defined as vendors migrate more and more IDS code into
the firewall appliance.
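The correlation described above, as an added example that is not part of the original chapter or of any vendor's product: alerts from the three sensor types (firewall, dedicated IDS appliance, host IPS agent) are grouped by source and destination address, and the number of independent sensor types that agree on a flow drives the escalation from alarm only, to TCP resets from the appliance, to shunning at the firewall. The alert line format, the sensor names, the signature names and the addresses are all constructed for this example and do not correspond to any real syslog format.

```python
"""Multi-sensor alert correlation (example code, not from the chapter).

Alerts from the firewall, a dedicated IDS appliance and host IPS agents are
grouped on (source, destination). A flow reported by only one sensor type is
treated as a candidate false positive and merely alarmed; agreement between
independent sensor types escalates to a countermeasure. The log format below
is constructed for this example and is not a real vendor syslog format.
"""

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample alerts, one per line, "timestamp key=value ...".
# The first flow is seen by all three sensor types (host IPS confirms impact);
# the second is seen only by the IDS appliance; the third is reported twice,
# but both reports come from the firewall, so it still counts as one source.
SAMPLE_ALERTS = """\
2024-03-01T10:00:01Z sensor=firewall src=203.0.113.7 dst=192.0.2.10 sig=TCP-SYN-FLOOD
2024-03-01T10:00:02Z sensor=ids src=203.0.113.7 dst=192.0.2.10 sig=TCP-SYN-FLOOD
2024-03-01T10:00:03Z sensor=hips src=203.0.113.7 dst=192.0.2.10 sig=SYN-BACKLOG-EXHAUSTED
2024-03-01T10:01:00Z sensor=ids src=198.51.100.5 dst=192.0.2.20 sig=HTTP-LONG-URI
2024-03-01T10:02:00Z sensor=firewall src=198.51.100.9 dst=192.0.2.30 sig=ICMP-ECHO-SWEEP
2024-03-01T10:02:01Z sensor=firewall src=198.51.100.9 dst=192.0.2.30 sig=ICMP-ECHO-SWEEP
"""

# Countermeasures named in the chapter, ordered by how many independent
# sensor types must agree before they are applied.
ESCALATION = {1: "alert", 2: "tcp_reset", 3: "shun"}


@dataclass(frozen=True)
class Alert:
    ts: str
    sensor: str   # "firewall", "ids" or "hips" in the constructed data
    src: str
    dst: str
    sig: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed 'timestamp key=value ...' lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        alerts.append(Alert(ts, kv["sensor"], kv["src"], kv["dst"], kv["sig"]))
    return alerts


def correlate(alerts: list[Alert]) -> dict[tuple[str, str], set[str]]:
    """Group alerts by (src, dst) and record which sensor types saw each flow.

    Repeated alarms from the same sensor type add no independent evidence,
    which is why a set of sensor names is kept rather than a count of alerts.
    """
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for a in alerts:
        seen[(a.src, a.dst)].add(a.sensor)
    return seen


def decide(sensor_types: frozenset[str]) -> str:
    """Map the number of agreeing sensor types to a response.

    One type: raise an alarm only (possible false positive).
    Two types: have the dedicated appliance issue TCP resets for the flow.
    Three types (the host IPS confirms impact on the target): shun, i.e.
    have the firewall drop all further traffic from the source.
    """
    return ESCALATION[min(len(sensor_types), 3)]


def plan_responses(text: str) -> dict[tuple[str, str], str]:
    """Full pipeline: log text -> {(src, dst): recommended action}."""
    return {
        flow: decide(frozenset(sensors))
        for flow, sensors in correlate(parse_alerts(text)).items()
    }


if __name__ == "__main__":
    for (src, dst), action in plan_responses(SAMPLE_ALERTS).items():
        print(f"{src} -> {dst}: {action}")
```

The point to take from the third flow is that volume alone does not make an alarm trustworthy: two identical firewall alarms still come from one vantage point, so the correlator keeps it at "alert" rather than shunning a host that may only be running a legitimate ping sweep.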
The Firewall as the IPS
With the increased market desire to go beyond simple intrusion detection to intrusion
prevention, more vendors have begun using the firewall not just as an IDS sensor but as
an actual IPS device in and of itself (this is particularly true of devices such as the Cisco
Adaptive Security Appliance [ASA]).
The logic behind this is relatively sound. Because the firewall is a natural control point
for network traffic, and because all traffic entering or exiting a network through a firewall
must be processed by the firewall anyway, adding IPS functionality lets the firewall
not only detect intrusion attempts on its own but also block the offending traffic without
involving any other device in the processing decision. This functionality
is relatively new and is largely the result of the increased processing power of today's
microprocessors, which allow a firewall to perform this more intensive inspection
with minimal impact on network performance.