Managing Cisco Network Security

A properly configured firewall can do a good job at protecting servers, but if your server needs to be visible from a public network then total protection is impossible. From an attacker's view of your network, any visible services are likely to be chosen as the first ones to be probed and attacked. Also, if the security policies applied on your firewall allow Web access to your public server, then that same permitted service can be used to attack the server through any known vulnerabilities it has.
A popular attack against public servers is called a Denial of Service (DoS) attack. This renders the service or server unavailable. Several other types of attacks and intrusions must be investigated in order to understand the role the intrusion detection system can play in your network.
Firewalls, workstation security, and well-written software all contribute to a secure network. Because we can never be completely sure that best practices have been followed, a detection system is a logical next step. The IDS is your best ally against intrusions.
An intrusion detection system gives the network or security manager a tool to detect and react rapidly to an attack on the network. This chapter will investigate the various types of attacks and intrusions as well as describe the tools available from Cisco to implement an intrusion detection system.
Intrusion detection is the ongoing process of searching for security violations on your network; this includes proactive and reactive detection of vulnerabilities, analysis, and corresponding responses.