Summary
In this chapter, we covered some of the more advanced features of Snort. We began by discussing policy-based intrusion detection. With policy-based intrusion detection, the security administrator defines all acceptable traffic on the network in advance and develops a network policy from it. This network policy is then translated into Snort rules, and Snort is configured to monitor the network for traffic that does not comply with the policy. Policy-based intrusion detection can be used in smaller networks or in very high-security environments to ensure that all traffic flowing across the network complies with the approved network policy.

Next, we reviewed the concepts behind an inline IDS. An inline IDS sits between two portions of the network and bridges traffic between two interfaces. This allows the IDS to act on traffic flowing between its interfaces before that traffic reaches its destination. Using Snort in inline mode allows you to selectively drop individual packets based on their destination host, port, or content. By combining several different pieces of software, Snort can actively protect your network from attack rather than just alert you to attacks in progress.
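The following is an added example, not code from the book, showing how the two ideas above fit together: an approved-traffic policy becomes a set of Snort 2.x `pass` rules, followed by a single catch-all that alerts (passive monitoring) or drops (inline mode) anything the policy does not cover. The policy entries, `$HOME_NET`-style variable names and SIDs are constructed for illustration; Snort must evaluate `pass` rules before the catch-all, which on Snort 2.x means the `-o` switch or a `config order:` directive, and `<>` is used so the return half of each approved conversation is also passed.

```python
"""Turn an 'approved traffic' policy into a Snort 2.x rule set (added example)."""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class AllowedFlow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # Snort address spec, e.g. "$HOME_NET" or "10.1.1.0/24"
    dst: str
    dport: str   # Snort port spec, e.g. "80" or "any"
    note: str    # human-readable description, echoed in the rule's msg

# Constructed sample policy: outbound web and DNS to the internal resolvers.
SAMPLE_POLICY = [
    AllowedFlow("tcp", "$HOME_NET", "$EXTERNAL_NET", "80", "outbound web"),
    AllowedFlow("udp", "$HOME_NET", "$DNS_SERVERS", "53", "internal DNS"),
]

def pass_rule(flow: AllowedFlow, sid: int) -> str:
    # '<>' matches both directions, so server replies are passed too;
    # with '->' the return packets would hit the catch-all rule.
    return (f"pass {flow.proto} {flow.src} any <> {flow.dst} {flow.dport} "
            f'(msg:"POLICY allowed: {flow.note}"; sid:{sid}; rev:1;)')

def catch_all_rule(sid: int, inline: bool) -> str:
    # Passive sensor: alert on everything else. Inline sensor: drop it.
    action = "drop" if inline else "alert"
    return (f"{action} ip any any -> any any "
            f'(msg:"POLICY violation: traffic not in approved policy"; '
            f"sid:{sid}; rev:1;)")

def build_ruleset(policy: List[AllowedFlow], inline: bool = False,
                  base_sid: int = 1000000) -> List[str]:
    # Local rules conventionally use SIDs of 1,000,000 and above.
    # Assumption: pass rules are ordered ahead of alert/drop rules in
    # snort.conf (Snort 2.x: '-o' or 'config order: pass alert log').
    rules = [pass_rule(flow, base_sid + i) for i, flow in enumerate(policy)]
    rules.append(catch_all_rule(base_sid + len(policy), inline))
    return rules

if __name__ == "__main__":
    print("# passive sensor")
    print("\n".join(build_ruleset(SAMPLE_POLICY)))
    print("# inline sensor")
    print("\n".join(build_ruleset(SAMPLE_POLICY, inline=True)))
```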

The PIX firewall supports the same set of atomic intrusion detection signatures as the Cisco IOS firewall. This set is a subset of the signatures supported by the Cisco Secure IDS product. These signatures are divided into two sets: informational and attack. Different response options can be configured for each set of signatures, ranging from simple alerting via syslog to blocking the connection in which a signature was detected.

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
