Chapter 8. NIPS Components


Network-based Intrusion Prevention products use sensors to analyze network traffic at numerous locations throughout your network. These sensors are deployed in various form factors, such as the following:

  • Standalone appliance sensors

  • Blade-based sensors

  • Intrusion Prevention System (IPS) software integrated into the operating system (OS) on infrastructure devices

Regardless of their form factor, your sensors must receive the network traffic that needs to be analyzed. How traffic is captured depends on whether you are using inline mode or promiscuous mode. After your sensors have captured network traffic, their analysis of the traffic falls into the following categories, based on the way that the signatures analyze the network traffic:

  • Atomic operations

  • Stateful operations

  • Protocol decode operations

  • Anomaly operations

  • Normalizing operations

After it analyzes network traffic, the sensor uses one or more of the following types of actions to respond to the identified traffic:

  • Alerting actions

  • Logging actions

  • Blocking actions

  • Dropping actions

The results of the traffic analysis performed by your IPS sensors are usually monitored via a centralized monitoring console. Similarly, a centralized management application enables you to effectively configure a large number of IPS sensors across your network.

This chapter provides an in-depth explanation of the various Network Intrusion Prevention System (NIPS)/Network Intrusion Detection System (NIDS) components. It divides the major elements into subcomponents and illustrates implementation approaches for each of these subcomponents. Cisco IPS sensors are used throughout this chapter as a practical example of the various NIPS components.




Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115
