Advanced Enterprise IDS Deployment and Tuning
2003, Cisco Systems, Inc. All rights reserved. SEC-2030 8175_05_2003_c1

Slide 2: The Challenge: Security in Modern Networks
- The potential impact to the bottom line is significant
- The number of security incidents continues to rise exponentially
- The complexity and sophistication of attacks and vulnerabilities continues to rise

Slide 3: Mitigating the Risk: Defense in Depth
- Comprehensive security policy
- Pervasive security, end to end
- Security in layers
- Multiple technologies, working together

Slide 4: Defense in Depth: The Role of Intrusion Detection
- Complementary technology to firewalls
- Been around for more than a decade; started coming into prominence in the late 90s
- Performs deep packet inspection, gaining visibility into detail often missed by firewalls
(Diagram: Internet)

Slide 5: Advanced Enterprise IDS Deployment: Agenda
- Intrusion Protection Systems
- Network Sensors
- Host Agents
- Management Consoles
- Case Studies

Slide 6: Intrusion Protection Systems

Slide 7: Intrusion Protection Agenda
- Terminology and Technologies
- Complete Architecture: Sensors, Agents, Management Consoles
- Placement Strategies: Where to Place Your Sensors, What Traffic to Watch, How to Get Traffic to Them
- Organization-Level Concerns: Responding to Intrusions, Ownership and Organization, Outsourcing

Slide 8: IDS Terminology: False Positives
- A false alarm occurs when an IDS reports an attack even though no attack is underway
- Benign activity that the system mistakenly reports as malicious
- Typically due to improper tuning
- Can easily overwhelm alarm consoles, creating an enormous amount of background noise
- Can result in mistrust of the IDS by security personnel

Slide 9: IDS Terminology: False Negatives
- A false negative occurs when an IDS fails to report an ongoing attack
- Malicious activity that the system does not detect or report
- Tend to be worse, because the purpose of an IDS is to detect such events
- Can be due to a variety of events:
  - Can be the result of IDS evasion efforts by an attacker
  - Can also be due to an out-of-date signature knowledge base (misuse detection systems)
  - Minor state transition that is below a detectable threshold (anomaly-based systems)

Slide 10: IDS Terminology: Signatures and Anomalies
- Signatures explicitly define what activity should be considered malicious:
  - Simple pattern matching
  - Stateful pattern matching
  - Protocol decode-based analysis
  - Heuristic-based analysis
- Anomaly detection involves defining "normal" activity and looking for deviations from this baseline
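The following Python is an added teaching example, not code from the Cisco deck or from any Cisco sensor. It runs three of the signature approaches on slide 10 (simple pattern matching, stateful pattern matching, protocol decode) and a baseline anomaly detector over a small constructed packet set, and in doing so reproduces the false positive and false negative cases of slides 8 and 9: a benign request that merely mentions the signature string fires the matcher, a signature split across two segments is missed by the stateless matcher but caught once the stream is reassembled, and a modest rise in connection rate stays below the anomaly threshold. All packets, the `TEST-SIGNATURE` marker, the `MAX_URI_LEN` limit and the baseline numbers are constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample traffic (not a real capture): one record per packet.
# "flow" identifies the TCP connection, "seq" the segment's order within it.
SIGNATURE = "TEST-SIGNATURE"   # placeholder marker standing in for a real signature string

PACKETS = [
    # A: ordinary request
    {"flow": "A", "seq": 0, "payload": "GET /index.html HTTP/1.0\r\n"},
    # B: the signature string arrives split across two segments
    {"flow": "B", "seq": 0, "payload": "GET /docs/TEST-SIG"},
    {"flow": "B", "seq": 1, "payload": "NATURE.txt HTTP/1.0\r\n"},
    # C: benign search query that merely mentions the signature string
    {"flow": "C", "seq": 0, "payload": "GET /faq?q=what+is+TEST-SIGNATURE HTTP/1.0\r\n"},
    # D: syntactically valid request with an oversized URI
    {"flow": "D", "seq": 0, "payload": "GET /" + "A" * 300 + " HTTP/1.0\r\n"},
]

# Constructed baseline: new connections per minute over eight quiet minutes.
BASELINE = [48, 52, 50, 49, 51, 50, 47, 53]


def reassemble(packets):
    """Rebuild each flow's byte stream in sequence order (the state a stateful matcher keeps)."""
    streams = defaultdict(list)
    for p in packets:
        streams[p["flow"]].append(p)
    return {flow: "".join(p["payload"] for p in sorted(pkts, key=lambda p: p["seq"]))
            for flow, pkts in streams.items()}


def simple_match(packets, signature=SIGNATURE):
    """Simple pattern matching: each packet is inspected on its own."""
    return sorted({p["flow"] for p in packets if signature in p["payload"]})


def stateful_match(packets, signature=SIGNATURE):
    """Stateful pattern matching: search the reassembled stream, not individual packets."""
    return sorted(flow for flow, data in reassemble(packets).items() if signature in data)


REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
MAX_URI_LEN = 255   # assumed policy limit for this example


def protocol_decode(packets):
    """Protocol decode-based analysis: parse the HTTP request line and judge the decoded
    fields rather than raw bytes. Returns {flow: reason} for flows that violate a check."""
    findings = {}
    for flow, data in reassemble(packets).items():
        m = REQUEST_LINE.match(data)
        if m is None:
            findings[flow] = "malformed request line"
        elif len(m.group(2)) > MAX_URI_LEN:
            findings[flow] = "overlong URI"
    return findings


def anomaly_flags(baseline, observed, threshold=3.0):
    """Anomaly detection: 'normal' is the mean and spread of the baseline; a sample is
    flagged when it lies more than `threshold` standard deviations from the mean."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # guard against a perfectly flat baseline
    return [{"value": x, "z": round((x - mean) / sd, 2), "flagged": abs(x - mean) / sd > threshold}
            for x in observed]


if __name__ == "__main__":
    print("simple pattern match  :", simple_match(PACKETS))      # ['C']: B missed, C a false alarm
    print("stateful pattern match:", stateful_match(PACKETS))    # ['B', 'C']: B found, C still a false alarm
    print("protocol decode       :", protocol_decode(PACKETS))   # {'D': 'overlong URI'}
    for r in anomaly_flags(BASELINE, [55, 120]):
        print("anomaly", r)   # 55 stays under the threshold, 120 is flagged
```

Flow C fires under both matchers, which is the tuning problem slide 8 describes: the string itself is not evidence of an attack, so the signature needs narrowing (for instance to the decoded URI path rather than the whole request). Flow B shows why the stateful variant exists, and the 55 connections-per-minute sample shows the anomaly detector's own blind spot from slide 9: a small shift inside the normal band produces no alarm.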