Today, viruses, worms, and many other forms of malicious code proliferate widely on the Internet. With the environment becoming increasingly hostile, networks are easy targets because an infection can spread across the network rapidly. With this growing threat, networks need to be designed and equipped with sophisticated intelligence to diagnose and mitigate threats in real time.
Cisco Network Intrusion Prevention provides self-defending solutions that offer networkwide protection and mitigation techniques. It has the intelligence to accurately detect, analyze, classify, and mitigate malicious traffic in real-time, offering comprehensive protection for a wide range of network intrusions and attacks.
The chapter discusses various types of Cisco Network-based Intrusion Prevention solutions and takes a closer look at core concepts such as sensor architecture, packet analysis, signature and signature engines, deployment scenarios, and high availability and load-balancing techniques.
The following list outlines the major intrusion system technologies:
IDS (Intrusion Detection System): The term IDS is typically limited to sensors that employ promiscuous-only monitoring based on an out-of-band packet stream.
IPS (Intrusion Prevention System): The term IPS is most commonly applied to sensors that reside inline within the packet stream and that can drop malicious packets, flows, or attackers.
IPS Feature versus IDS Feature: The IPS feature is specifically inline monitoring with the inline response action deny-packet capability, whereas the IDS feature is promiscuous-only monitoring with post-attack response actions such as TCP reset or block/shun on an external device.
Note
The Cisco Intrusion Prevention System (IPS) Sensor Software supports both IPS and IDS technology combined in a single box. This chapter covers mainly the IPS technology features.
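To make the IDS-feature versus IPS-feature distinction concrete, the following added example (constructed for this chapter summary, not Cisco IPS Sensor Software code) models a sensor matching a constructed signature against a packet stream in both modes. In promiscuous mode the sensor inspects a copy, so the offending packet is already delivered and only post-attack actions (TCP reset, block/shun on an external device) are possible; in inline mode the sensor can deny the packet itself. The signature ID, addresses and payloads are all made up for the example.

```python
"""Model of promiscuous (IDS feature) versus inline (IPS feature) sensing.
Constructed example; not Cisco code."""
from dataclasses import dataclass, field

# Constructed signature table: ID -> byte pattern the engine looks for.
SIGNATURES = {"sig-1001": b"EVIL"}

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass
class Result:
    delivered: list = field(default_factory=list)  # packets that reached dst
    actions: list = field(default_factory=list)    # response actions taken

def matches(pkt):
    """Return the IDs of all signatures whose pattern appears in the payload."""
    return [sid for sid, pat in SIGNATURES.items() if pat in pkt.payload]

def run_promiscuous(stream, shun_list):
    """IDS feature: the sensor sees a copy, so the packet is forwarded anyway.
    Response is post-attack: TCP reset plus block/shun on an external device
    (shun_list stands in for the ACL the sensor would push to that device)."""
    r = Result()
    for pkt in stream:
        if pkt.src in shun_list:        # blocked by an earlier shun action
            continue
        r.delivered.append(pkt)         # already on its way when inspected
        for sid in matches(pkt):
            r.actions.append((sid, "tcp-reset", pkt.src))
            shun_list.add(pkt.src)
            r.actions.append((sid, "block-shun", pkt.src))
    return r

def run_inline(stream):
    """IPS feature: the sensor is in the path and can deny the packet itself."""
    r = Result()
    for pkt in stream:
        sids = matches(pkt)
        if sids:
            r.actions.append((sids[0], "deny-packet", pkt.src))
            continue                    # packet never reaches dst
        r.delivered.append(pkt)
    return r

# Constructed packet stream: one benign, one matching, one benign follow-up.
STREAM = [Packet("10.0.0.5", "10.0.0.9", b"GET /index.html"),
          Packet("10.0.0.5", "10.0.0.9", b"EVIL payload"),
          Packet("10.0.0.5", "10.0.0.9", b"follow-up")]
```

Running both modes over STREAM shows the trade-off: the promiscuous sensor lets the matching packet through and then shuns the source (so the benign follow-up is lost too), while the inline sensor drops only the matching packet.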