Chapter 12: Evading IDS, Firewall and Honeypots

Technology Brief
IDS, Firewall and Honeypot Concepts
As the awareness of cyber and network security is increasing day by day, it is very
important to understand the core concepts of Intrusion Detection/Defense System
(IDS) as well as Intrusion Prevention System(IPS). IDS and IPS often create confusion
as both modules are created by multiple vendors and different terminologies used to
define the technical concepts are also same. Sometimes the same technology may be
used for detection and prevention of some threat.
Just like other products, Cisco also has developed a number of solutions for
implementing IDS/IPS for the security of the network. In the first phase of this
section, different concepts will be discussed before moving to the different
implementation methodologies.
Intrusion Detection Systems (IDS)
The placement of sensor within a network differentiates the functionality of IPS over
the IDS. When sensor is placed in line with the network, i.e., the common in/out of
specific network segment terminates on a hardware or logical interface of the sensor
and goes out from second hardware or logical interface of the sensor, then every single
packet will be analyzed and pass through sensor only if does not contain anything
malicious. By dropping the traffic malicious traffic, the trusted network or a segment
of it can be protected from known threats and attacks. This is the basic working of
Intrusion Prevention System (IPS). However, the inline installation and inspection of
traffic may result in a slighter delay. IPS may also become a single point of failure for
the whole network. If ‘fail-open’ mode is used, the good and malicious traffic will be
allowed in case of any kind of failure within IPS sensor. Similarly, if ‘fail-close’ mode is
configured, the whole IP traffic will be dropped in case of sensor’s failure.

Figure 12-01. In-line Deployment of IPS Sensor

Page 360 of 503