From Intrusion Prevention and Active Response: Deploying Network and Host IPS

Introduction

Network devices have been inspecting packets for as long as packets have existed. Traditionally, routers and firewalls look at headers and protocol information to make forwarding decisions, Intrusion Detection Systems (IDS) look at headers and content to match them against signatures, and sniffers help watch and analyze what the packets are doing. Perimeter devices such as routers, firewalls, and IDS are combined to form a layered defense against attacks, known as defense in depth. However, newer attacks, particularly application-layer attacks, are evading traditional perimeter defenses. The application layer has become a focal point for cyber-criminals because it holds the actual user data. It also supports numerous, often unsecured, protocols, opening up many more channels of attack. The recent increase in worm activity targeting application-level vulnerabilities (MyDoom, Slammer, and Blaster, for example) has been successful largely because of deficiencies in traditional perimeter device technologies, among them the packet inspection methods used to detect attacks. Application-based attacks evade traditional perimeter defenses that focus mainly on packet header information, protocols, and signature matching on packet content. In addition, the abundance of zero-day attacks for which signatures and blocking methods do not yet exist (new worms, for instance) is wreaking havoc on networks and systems. To handle these new types of attacks, firewalls, IDS, and Intrusion Prevention Systems (IPS) are using different methods of packet inspection and attack detection.
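
The progression the paragraph describes, as an added example that is not code from the book or from any product it covers: a header-only filter in the style of a router ACL or simple firewall, a signature matcher in the style of a traditional IDS, and a protocol-anomaly check that parses the HTTP request line and enforces its expected shape. The packets, the single signature, the allowed-service table and the URI length limit are all constructed assumptions made for this illustration.

```python
"""Three packet-inspection strategies applied to the same constructed traffic.

Added example (not code from the book): a header-only filter in the style of a
router ACL or simple firewall, a signature matcher in the style of an IDS, and a
protocol-anomaly check that parses the HTTP request line. All packets,
signatures, and limits below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# 1. Header inspection: permit by protocol and destination port only.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}  # constructed policy


def header_filter(pkt: Packet) -> bool:
    """Router/firewall view: forwarding decision from header fields alone."""
    return (pkt.proto, pkt.dport) in ALLOWED_SERVICES


# 2. Signature matching: byte patterns for attacks already seen in the wild.
SIGNATURES = {  # constructed signature; a real rule set would be far larger
    "cgi-overflow-filler-A": re.compile(rb"GET /cgi-bin/x\?q=A{200,}"),
}


def signature_match(pkt: Packet) -> list:
    """IDS view: names of every signature found in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


# 3. Protocol anomaly detection: parse the request and enforce expected shape.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_URI_LEN = 256  # constructed local limit, not an RFC value


def protocol_anomalies(pkt: Packet) -> list:
    """Application-layer view: deviations from well-formed HTTP, in order found."""
    m = REQUEST_LINE.match(pkt.payload)
    if m is None:
        return ["malformed-request-line"]
    method, uri = m.group(1), m.group(2)
    found = []
    if method not in ALLOWED_METHODS:
        found.append("unexpected-method")
    if len(uri) > MAX_URI_LEN:
        found.append("oversized-uri")
    if any(b < 0x20 or b > 0x7E for b in uri):
        found.append("non-printable-in-uri")
    return found


def verdict(pkt: Packet) -> str:
    """Layered decision: header policy first, then content, then protocol shape."""
    if not header_filter(pkt):
        return "drop:header-policy"
    sigs = signature_match(pkt)
    if sigs:
        return "drop:signature:" + sigs[0]
    anomalies = protocol_anomalies(pkt)
    if anomalies:
        return "drop:anomaly:" + anomalies[0]
    return "allow"


# Constructed traffic. The overflow payloads are synthetic; they do not target
# any real CGI program.
SRC, DST = "10.0.0.5", "192.0.2.10"
BENIGN = Packet(SRC, DST, "tcp", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
KNOWN_ATTACK = Packet(SRC, DST, "tcp", 80,
                      b"GET /cgi-bin/x?q=" + b"A" * 300 + b" HTTP/1.1\r\n\r\n")
# Same overflow, but the attacker swapped the filler bytes: no signature matches.
VARIANT_ATTACK = Packet(SRC, DST, "tcp", 80,
                        b"GET /cgi-bin/x?q=" + b"\x90" * 300 + b" HTTP/1.1\r\n\r\n")
TELNET = Packet(SRC, DST, "tcp", 23, b"root\r\n")


if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("known", KNOWN_ATTACK),
                       ("variant", VARIANT_ATTACK), ("telnet", TELNET)]:
        print(f"{label:8} header={header_filter(pkt)!s:5} "
              f"sigs={signature_match(pkt)} verdict={verdict(pkt)}")
```

Running the block prints one line per packet. The telnet attempt is stopped by the header policy alone and the known payload by its signature, but the variant with different filler bytes passes both the port check and the signature set and is caught only by the request-line check. That gap between the second and third stage is the one the chapter attributes to traditional perimeter devices, and it is why the anomaly check is written against the protocol's expected shape rather than against any particular attack.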

Over the last few years, networks have grown dramatically with an exponential increase in speed. The...

Copyright Syngress Publishing, Inc. 2005 under license agreement with Books24x7
