report unauthorized or unapproved network activity. The intrusion detection part of the name is a bit of a misnomer, as
an IDS does not actually detect intrusions; it detects activity in traffic that may or may not be an intrusion. Intrusion
detection is typically one part of an overall protection system that is installed around a system or device; it is not a
stand-alone protection measure.
You can loosely compare firewalls to locked doors, intrusion detection to alarm systems, and intrusion prevention to
guard dogs. Let's say that you have a warehouse full of secret documents that you want to protect with a fence around
the perimeter, an alarm system, locked doors, and security cameras. The locked doors will stop unauthorized
individuals from entering the warehouse. By themselves, they do nothing to alert you of an intrusion, but they deter
unauthorized access. The alarm system will warn you in case an intruder tries to get into the warehouse. By itself, it
does nothing to prevent an intrusion, but it alerts you to the potential of an intrusion. The guard dog, in some
instances, is able to prevent an intrusion by taking measures to thwart the attack from happening by biting intruders
before they can enter the protected perimeter, thereby stopping the intrusion.
As you can see, the door locks, alarm system, and guard dog play separate but complementary roles in the protection
of this warehouse. This is also true of firewalls, IDSs, and IPSs. All of these are different technologies that can work
together to alert you and can prevent intrusions into a network. In addition, how these technologies are implemented
determines whether or not they increase security. For instance, in the warehouse example, the most effective strategy
may be to place alarms and locks on all the windows and doors, as well as motion detectors inside the warehouse. You
may also want several dogs deployed within the perimeter to watch for possible intruders. Implementing IDSs and IPSs
is no different: the placement of the technology makes all the difference between a secure network and an unsecured
one.
It is also important to note that IDSs and IPSs are just two of many methods that should be employed in a strong
security program. Using a layered approach, or defense in depth, based on careful risk analysis is critical in any
information protection program because a network is only as secure as its weakest link. This means that a network
should have multiple layers of security, each with its own function, to complement the overall security strategy of the
organization. Figure 1-1 illustrates a defense-in-depth approach that will protect a network on many levels.
IDSs work at the network layer of the OSI model, and passive network sensors are typically positioned
at choke points on the network. They analyze packets to find specific patterns in network traffic; if they find such a
pattern in the traffic, an alert is logged, and a response can be based on the data recorded. IDSs are similar to antivirus
software in that they use known signatures to recognize traffic patterns that may be malicious in intent.
OSI model layers, their functions, and the protocols that operate at each layer:

Layer: Application (user interface)
Function: This layer is used for applications, such as HTTP, specifically written to run over the network, and allows access to network services. It handles issues like network transparency, resource allocation, and problem partitioning. The application layer is concerned with the user's view of the network, like formatting. In addition, this layer allows access to services that support applications and handle network access, flow, and recovery.
Protocols: DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, APPC, AFP

Layer: Presentation (translation)
Function: The presentation layer helps to translate between the application and the network formats. This is also where protocol conversion takes place.
Protocols: Named Pipes, Mail Slots, RPC, NCP, SMB

Layer: Session
Function: The session layer helps to establish, maintain, and end sessions across the network.
Protocols: NetBIOS

Layer: Transport (packets; flow control and error-handling)
Function: The transport layer manages the flow control of data between parties across the network.
Protocols: TCP, ARP, RARP, SPX, NWLink, ATP, NetBEUI

Layer: Network (addressing; routing)
Function: The network layer translates logical network addresses and names to their physical addresses and is responsible for addressing and managing network problems such as packet switching, data congestion, and routing.
Protocols: IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, OSI, DDP, DECnet

Layer: Data link (data frames to bits)
Function: The data-link layer turns packets into raw bits on the sending end, and at the receiving end turns bits into packets. It handles data frames between the network and physical layers.
Protocols: (none listed)

Layer: Physical (hardware; raw bit stream)
Function: The physical layer transmits the raw bit stream over the physical cable or airwaves (when dealing with wireless). It defines cables, cards, and other physical aspects.
Protocols: IEEE 802, IEEE 802.2, ISO 2110, ISDN
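To make the signature-matching idea concrete, and to show how a sensor walks a packet through the layers listed in the table above (data link, network, transport, application), here is a small added example written for this page; it is not code from the original text or from any particular IDS product. It parses a raw Ethernet/IPv4/TCP frame with the standard library, matches the application payload against a tiny constructed signature list, and records an alert when a pattern is found. The frames, the IP addresses (RFC 5737 documentation space), and the signature names are all constructed for the demo; no checksums are verified and the signature list is hypothetical, not a real rule set.

```python
"""Minimal signature-based packet inspection (added example, constructed data).

Walks a frame through the layers named in the OSI table above:
  data link (Ethernet) -> network (IPv4) -> transport (TCP) -> application (payload)
and matches the payload against a small signature list, logging alerts
the way a passive IDS sensor would.
"""
import struct
import ipaddress

# Hypothetical signatures: (name, destination port, byte pattern).
# Constructed for this demo; they are not a real rule set.
SIGNATURES = [
    ("suspicious-http-traversal", 80, b"../"),
    ("telnet-root-login", 23, b"root"),
]


def parse_ethernet(frame):
    """Data link layer: split a frame into MAC addresses, EtherType, and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet):
    """Network layer: decode the fixed IPv4 header and slice out the L4 payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 version or header length")
    end = min(total_len, len(packet))  # never read past the bytes we actually have
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:end]}


def parse_tcp(segment):
    """Transport layer: decode ports and data offset, return the application payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "payload": segment[data_off:]}


def inspect_frame(frame):
    """Application layer check: return a list of alert dicts (empty if nothing matched).

    Non-IPv4 or non-TCP frames return [] rather than raising; malformed
    headers raise ValueError so the caller can count them separately.
    """
    eth = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:      # not IPv4
        return []
    ip = parse_ipv4(eth["payload"])
    if ip["proto"] != 6:                # not TCP
        return []
    tcp = parse_tcp(ip["payload"])
    alerts = []
    for name, port, pattern in SIGNATURES:
        if tcp["dport"] == port and pattern in tcp["payload"]:
            alerts.append({"signature": name,
                           "src": f"{ip['src']}:{tcp['sport']}",
                           "dst": f"{ip['dst']}:{tcp['dport']}"})
    return alerts


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x018, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip


# Constructed sample traffic: one matching HTTP request, one benign one, one Telnet login line.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "192.0.2.80", 40001, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_frame("192.0.2.10", "192.0.2.80", 40002, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_frame("192.0.2.11", "192.0.2.23", 40003, 23, b"login: root\r\n"),
]


def run_sensor(frames):
    """Inspect every frame, print alerts as a sensor would log them, and return them."""
    found = []
    for i, frame in enumerate(frames):
        try:
            alerts = inspect_frame(frame)
        except ValueError as exc:
            print(f"frame {i}: malformed, skipped ({exc})")
            continue
        for a in alerts:
            print(f"ALERT frame={i} sig={a['signature']} {a['src']} -> {a['dst']}")
        found.extend(alerts)
    return found


if __name__ == "__main__":
    run_sensor(SAMPLE_FRAMES)
```

The match is deliberately a plain byte-pattern test on the destination port and payload, which is exactly the "known signature" model the text compares to antivirus software: the second frame carries a perfectly ordinary request and produces no alert, while the first and third match. Real sensors add stream reassembly, protocol decoding, and many more rules, but the pipeline, parse each layer, then test the application data against signatures, then log, is the same.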