There are many possible places for an enterprise to place the IDS. Three of the most common and effective include the following:
Network perimeter - The boundary that separates everything internal to the network from everything external. The perimeter equipment includes:
Figure 15-4 illustrates the network perimeter.
In this scenario, a network-based IDS should be placed at every entry point on the network perimeter; in this case, at the Access Server and firewall points.
Server farms - The server farms are the segments of the network that host the servers; no client workstations exist in the server farm environment.
Figure 15-5 illustrates a server farm layout.
The server farm is a network concentration of servers providing resources to users, such as World Wide Web hosting, FTP servers, organization file servers, e-commerce servers, etc.
In this scenario, a network-based IDS should be placed at the entry point for both dedicated and dial-in users, as well as the entry point to the server farm. Further protection is afforded by placing host-based IDS systems on each server in the server farm.
Network backbone - The network backbone provides access to various network areas. Backbone links can be low- or high-bandwidth, depending on the implementation. Avoiding backbone links may eliminate some network delay. Intruders would be looking for important systems on this type of network. Anomalous traffic such as port scanning and IP spoofing attempts should
Figure 15-6 illustrates regional network connections, with all traffic
In this scenario, a network-based IDS should be placed at the entry point for each regional network in the network backbone.
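The chapter names port scanning and IP spoofing as the anomalous traffic a network-based IDS at an entry point should catch. The following is an added example, not code from the original text or from any product it discusses, showing how a minimal network-IDS check for those two conditions can work over constructed flow records. The record layout, the internal address blocks, the scan threshold and the time window are all assumptions chosen for illustration.

```python
"""Toy network-IDS checks for a perimeter or backbone entry point.

Added example (not from the original text). Two of the anomaly checks the
chapter names, port scanning and IP spoofing, are applied to constructed
flow records that model what a network-based IDS sees at an entry point.
The record format, thresholds and address ranges are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: address blocks that live *inside* this entry point.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed thresholds: this many distinct destination ports from one source
# to one destination inside the window is treated as a port scan.
SCAN_PORT_THRESHOLD = 10
SCAN_WINDOW_SECONDS = 60


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since epoch (constructed)
    iface: str    # "external" = arrived from outside the perimeter
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_spoofing(flows):
    """Packets arriving on the external interface whose source claims an
    internal address: the classic IP spoofing indicator at a perimeter."""
    return [f for f in flows if f.iface == "external" and is_internal(f.src)]


def detect_port_scans(flows):
    """Sliding-window count of distinct destination ports per (src, dst).
    Returns {(src, dst): peak_distinct_ports} for pairs over the threshold."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_pair[(f.src, f.dst)].append(f)
    alerts = {}
    for pair, fl in by_pair.items():
        ports = defaultdict(int)   # port -> hits inside the current window
        peak = 0
        j = 0                      # oldest flow still inside the window
        for i, f in enumerate(fl):
            ports[f.dport] += 1
            while fl[i].ts - fl[j].ts > SCAN_WINDOW_SECONDS:
                ports[fl[j].dport] -= 1
                if ports[fl[j].dport] == 0:
                    del ports[fl[j].dport]
                j += 1
            peak = max(peak, len(ports))
        if peak >= SCAN_PORT_THRESHOLD:
            alerts[pair] = peak
    return alerts


# Constructed sample: one source sweeps ports 1..12 on a server in 12 s,
# a second source makes ordinary HTTPS connections, one packet arrives from
# outside claiming an internal source, and one internal client is legitimate.
SAMPLE_FLOWS = (
    [Flow(1000 + p, "external", "203.0.113.7", "10.1.1.20", p) for p in range(1, 13)]
    + [Flow(1000 + 5 * k, "external", "198.51.100.9", "10.1.1.20", 443) for k in range(20)]
    + [Flow(1500, "external", "10.1.1.99", "10.1.1.20", 80)]   # spoofed source
    + [Flow(1600, "internal", "10.1.1.50", "10.1.1.20", 80)]   # legitimate
)


def run(flows=SAMPLE_FLOWS):
    """Return both alert sets for a batch of flows."""
    return {
        "port_scans": detect_port_scans(flows),
        "spoofed": [(f.src, f.dst) for f in detect_spoofing(flows)],
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The spoofing check is only meaningful at an entry point where the IDS knows which interface faces outward, which is exactly why the chapter places the sensor there; a sensor deep inside the backbone could not tell a spoofed internal source from a real one. The scan detector keys on distinct ports rather than packet counts so that a busy but legitimate client (many connections to one port) does not trip it.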
The goal of network security is to provide users with access to necessary network resources, while preventing access against known and unknown, internal and external, threats. Network or system threats are categorized as
Denial-of-service (DoS) - The attacker sends more
Unauthorized Access - The attacker
Illicit Command Execution - Unauthorized persons executing commands on an organization's servers.
Confidentiality Breaches - Access to certain,
Destructive Behavior - There are two types of destructive attacks: changing the data and destroying the data.
There are many ways that
Firewalls are an effective solution against most network attacks because they can stop an attacker outside the network from logging into a computer inside the network and wreaking havoc on network resources. Intrusion Detection Systems (IDSs) are another effective solution against most network attacks. IDSs detect the inappropriate, incorrect, or anomalous activity
IDSs are implemented in one of two ways:
Host-based - Detection software is loaded on the host the IDS will be monitoring.
Network-based (NIDS) - Packets on the network and audit data from several hosts are
Firewalls and IDSs can be placed