cisco企业IDS解决方案精选.ppt

Advanced Enterprise IDS Deployment and Tuning The Challenge: Security in Modern Networks Mitigating the Risk: Defense in Depth Comprehensive security policy Pervasive security—end to end Security in layers Multiple technologies, working together Defense in Depth:The Role of Intrusion Detection Complementary technology to firewalls Been around for more than a decade, started coming into prominence in the late ’90s Performs deep packet inspection, gaining visibility into detail often missed by firewalls Advanced Enterprise IDS Deployment: Agenda Intrusion Protection Systems Network Sensors Host Agents Management Consoles Case Studies Intrusion Protection Systems Intrusion Protection Agenda Terminology and Technologies Complete Architecture: Sensors, Agents, Management Consoles Placement Strategies Where to Place Your Sensors, what Traffic to Watch, How to Get Traffic to Them Organization-Level Concerns Responding to Intrusions, Ownership and Organization, Outsourcing IDS Terminology: False Positives A False Alarm occurs when an IDS reports an attack even though noattack is underway Benign activity that the system mistakenly reports as malicious Typically due to improper tuning Can easily overwhelm alarm consoles creating enormous amount of background noise Can result in mistrust of the IDS by security personnel IDS Terminology False Negatives A False Negative occurs when an IDS fails to report an ongoing attack Malicious activity that the system does not detect or report Tend to be worse because the purpose of an IDS is to detect such events Can be due to a variety of events Can be the result of IDS evasion efforts by an attacker Can also be due to out-of-date signature knowledge base (misuse detection systems) Minor state transition that is below a detectable threshold (anomaly-based systems) IDS Terminology:Signatures and Anomalies Signatures explicitly define what activity should be considered malicious Simple pattern matching Stateful pattern matching Protocol