Chapter 7 – Topologies and IDS

Publisher Summary

This chapter discusses intrusion detection systems (IDS) and shows that it is important to understand not only the concepts of intrusion detection, but also the use and placement of IDS within a network infrastructure. The placement of IDS is critical to deployment success. Intrusion detection is an important piece of security in that it acts as a detective control: it adds security, but as a detective control it can only deter attacks rather than stop them outright. An IDS is a specialized tool that knows how to read and interpret the contents of log files from sensors placed on the network, routers, firewalls, servers, and other network devices. An IDS often stores a database of known attack signatures and compares the patterns of activity, traffic, or behavior it sees in the logs it monitors against those signatures, so that it recognizes when current or recent behavior closely matches a signature. At that point, the IDS can issue alarms or alerts, take various kinds of automatic action ranging from shutting down Internet links or specific servers to launching back traces, and make other active attempts to identify attackers and collect evidence of their nefarious activities.
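As an added illustration of the signature-matching process the summary describes (example code, not taken from the book), the following Python script compares constructed log lines from an SSH server, a web server and a firewall against a small constructed signature database, counts repeated matches per source address, and emits an alert once a signature's threshold is reached. The signature names, patterns, thresholds, actions and log lines are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed signature database (assumption, not from the book): each entry has a
# regex applied to one log line, how many matches from the same source must be seen
# before it fires, and the action the IDS takes when it does.
SIGNATURES = [
    {"name": "ssh-brute-force", "threshold": 3, "action": "alert",
     "pattern": re.compile(r"Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)")},
    {"name": "web-path-traversal", "threshold": 1, "action": "alert",
     "pattern": re.compile(r'(?P<src>\d+\.\d+\.\d+\.\d+) .*"GET \S*\.\./')},
    {"name": "firewall-drop", "threshold": 5, "action": "log",
     "pattern": re.compile(r"DROP .*SRC=(?P<src>\d+\.\d+\.\d+\.\d+)")},
]

def analyze(log_lines, signatures=SIGNATURES):
    """Match every log line against every signature; return (name, source, action)
    for each signature whose threshold was reached, once per (signature, source)."""
    counts = defaultdict(int)
    fired = []
    for line in log_lines:
        for sig in signatures:
            m = sig["pattern"].search(line)
            if not m:
                continue
            key = (sig["name"], m.group("src"))
            counts[key] += 1
            # Fire exactly once, on the match that reaches the threshold.
            if counts[key] == sig["threshold"]:
                fired.append((sig["name"], m.group("src"), sig["action"]))
    return fired

# Constructed sample log lines (SSH daemon, web server access log, firewall kernel log).
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:14 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:15 bastion sshd[2101]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:16 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:02:00 bastion sshd[2102]: Accepted publickey for ops from 198.51.100.10 port 40100 ssh2
198.51.100.23 - - [03/Mar/2024:10:03:01 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 162
kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=23
kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=445
""".splitlines()

if __name__ == "__main__":
    for name, src, action in analyze(SAMPLE_LOG):
        print(f"{action.upper():5} {name} from {src}")
```

The two firewall DROP lines stay below their threshold of five, so only the SSH brute-force and path-traversal signatures fire, each once.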