An intrusion-detection system (IDS) can be defined as the tools, methods, and resources that help identify, assess, and report unauthorized or unapproved network activity. The "intrusion detection" part of the name is a bit of a misnomer: an IDS does not actually detect intrusions, it detects activity in traffic that may or may not be an intrusion. Intrusion detection is typically one part of an overall protection system built around a system or device; it is not a stand-alone protection measure.

You can loosely compare firewalls to locked doors, intrusion detection to alarm systems, and intrusion prevention to guard dogs. Say you have a warehouse full of secret documents that you want to protect with a fence around the perimeter, an alarm system, locked doors, and security cameras. The locked doors stop unauthorized individuals from entering the warehouse; by themselves they do nothing to alert you to an intrusion, but they deter unauthorized access. The alarm system warns you when an intruder tries to get into the warehouse; by itself it does nothing to prevent an intrusion, but it alerts you to the possibility of one. The guard dog, in some instances, can prevent an intrusion outright by biting intruders before they get inside the protected perimeter. The door locks, alarm system, and guard dog play separate but complementary roles in protecting the warehouse.

The same is true of firewalls, IDSs, and IPSs: they are different technologies that, working together, can alert you to and prevent intrusions into a network. How these technologies are deployed determines whether they actually increase security. In the warehouse example, the most effective strategy may be to place alarms and locks on all the windows and doors, as well as motion detectors inside the warehouse.
You may also want several dogs deployed within the perimeter to watch for possible intruders. Implementing IDSs and IPSs is no different: the placement of the technology makes all the difference between a secure network and an unsecured one. It is also important to note that IDSs and IPSs are just two of many methods that should be employed in a strong security program. A layered approach, or defense in depth, based on careful risk analysis is critical in any information protection program, because a network is only as secure as its weakest link. This means that a network should have multiple layers of security, each with its own function, that complement the overall security strategy of the organization. Figure 1-1 illustrates a defense-in-depth approach that protects a network on many levels.

A network IDS inspects traffic from the network layer of the OSI model upward, and passive network sensors are typically positioned at choke points on the network, where they see a copy of the traffic (for example from a tap or mirror port) rather than sitting in its path. They analyze packets to find specific patterns in network traffic; if such a pattern is found, an alert is logged, and a response can be based on the data recorded. IDSs are similar to antivirus software in that they use known signatures to recognize traffic patterns that may be malicious in intent. Because a signature describes a byte or protocol pattern rather than an attacker's intent, a match is evidence to investigate, not proof of compromise, and signature sets must be tuned to the network they watch.

The OSI layers, their functions, and the protocols associated with each:

Layer: Application (user interface)
Function: This layer is used for applications, such as HTTP, specifically written to run over the network, and allows access to network services. It handles issues like network transparency, resource allocation, and problem partitioning. The application layer is concerned with the user's view of the network, like formatting. In addition, this layer allows access to services that support applications and handle network access, flow, and recovery.
Protocols: DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, APPC, AFP

Layer: Presentation (translation)
Function: The presentation layer helps to translate between the application and the network formats. This is also where protocol conversion takes place.
Protocols: Named Pipes, Mail Slots, RPC, NCP, SMB

Layer: Session
Function: The session layer helps to establish, maintain, and end sessions across the network.
Protocols: NetBIOS

Layer: Transport (packets; flow control and error handling)
Function: The transport layer manages the flow control of data between parties across the network.
Protocols: TCP, SPX, NWLink, ATP, NetBEUI

Layer: Network (addressing; routing)
Function: The network layer translates logical network addresses and names to their physical addresses and is responsible for addressing and managing network problems such as packet switching, data congestion, and routing.
Protocols: IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, OSI, DDP, DECnet

Layer: Data link (data frames to bits)
Function: The data-link layer turns packets into raw bits on the sending end, and at the receiving end turns bits into packets. It handles data frames between the network and physical layers.
Protocols: (none listed)

Layer: Physical (hardware; raw bit stream)
Function: The physical layer transmits the raw bit stream over the physical cable or airwaves (when dealing with wireless). It defines cables, cards, and other physical aspects.
Protocols: IEEE 802, IEEE 802.2, ISO 2110, ISDN
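The signature-matching behaviour described above, as an added example that is not part of the original article: a small passive sensor that runs every packet past a list of byte-pattern signatures and logs an alert on a match, plus an inline switch that turns the same engine into an IPS by dropping packets that hit a "drop" signature. The packets, signature IDs, and patterns are constructed for illustration and are not from any real rule set or capture; the benign blog post that quotes an injection string is included to show why a signature match is an alert to investigate rather than a confirmed intrusion.

```python
"""Minimal signature-based traffic inspector (added example, not from the article)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical signature id, Snort-style numbering
    name: str
    dport: Optional[int]     # None = any destination port
    pattern: "re.Pattern"    # compiled regex over the raw payload bytes
    action: str              # "alert" (log only) or "drop" (honoured only in inline mode)


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dst: str
    action_taken: str        # "alert" or "drop"


# Constructed signatures for illustration only; real rule sets are far larger
# and are tuned to the network they protect.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal", 80,
              re.compile(rb"\.\./\.\./"), "drop"),
    Signature(1002, "SQL tautology in request", 80,
              re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"), "alert"),
    Signature(1003, "telnet root login attempt", 23,
              re.compile(rb"(?i)login:\s*root"), "alert"),
]


def matches(sig: Signature, pkt: Packet) -> bool:
    """A signature fires when its port constraint holds and the byte pattern appears."""
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    return sig.pattern.search(pkt.payload) is not None


def inspect(packets, signatures=SIGNATURES, inline=False) -> Tuple[List[Alert], List[Packet]]:
    """Run every packet past every signature.

    inline=False models a passive sensor on a tap or mirror port: every packet
    is forwarded and matches are only logged.  inline=True models an IPS in
    the traffic path: a matching "drop" signature stops the packet, while
    "alert" signatures still only log.
    """
    alerts: List[Alert] = []
    forwarded: List[Packet] = []
    for pkt in packets:
        dropped = False
        for sig in signatures:
            if matches(sig, pkt):
                taken = "drop" if (inline and sig.action == "drop") else "alert"
                alerts.append(Alert(sig.sid, sig.name, pkt.src, pkt.dst, taken))
                dropped = dropped or taken == "drop"
        if not dropped:
            forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.10", 80,
           b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1 --&pw=x"),
    # Benign: a blog comment quoting the classic injection string.  It matches
    # sid 1002 anyway, which is the "may or may not be an intrusion" point.
    Packet("10.0.0.8", "192.0.2.10", 80,
           b"POST /blog/comment HTTP/1.1\r\n\r\nbody=never write ' OR 1=1 in code"),
    Packet("198.51.100.7", "192.0.2.20", 23, b"login: root\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        alerts, forwarded = inspect(SAMPLE_TRAFFIC, inline=mode)
        print(f"{'inline (IPS)' if mode else 'passive (IDS)'}: "
              f"{len(alerts)} alerts, {len(forwarded)} of {len(SAMPLE_TRAFFIC)} packets forwarded")
        for a in alerts:
            print(f"  sid={a.sid} {a.name}: {a.src} -> {a.dst} [{a.action_taken}]")
```

In passive mode all five packets are forwarded and four alerts are raised, including the false positive on the blog comment; in inline mode the traversal request is dropped before it reaches the server, but the tautology signature is still alert-only, so both the real injection attempt and the benign comment pass through. Which signatures are allowed to drop, and which are only allowed to log, is exactly the placement and tuning decision the text says separates a secure deployment from an unsecured one.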
Cris is a technical writer for Dictionary Attack
Article Source: http://www.therealarticles.com