Many users have asked me this question: since we already have a firewall, why do we need an IDS? In fact, the roles of an IDS and a firewall are quite different.
Although firewalls have some simple attack-detection capability, what a firewall can detect is mainly flood-type attacks; its ability to detect other kinds of attacks is very limited. An IDS, as its name suggests, is equipment specialized in intrusion detection, and its purpose on the network is to detect all attacks. Figuratively speaking, an air passenger's carry-on baggage (like network traffic) has to meet certain requirements. If the firewall is the security check, it turns away baggage that is overweight, oversized or too numerous, but it does not inspect the specific items inside; the IDS is like the X-ray machine, or the opening of bags to examine their contents, in both breadth and depth. Also, a firewall is an in-band device (all traffic passes through it), so too many checks on the flow will turn it into a network bottleneck; an IDS is a bypass device and in normal operation has no impact on network traffic.
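The distinction above, as an added example that is not part of the original article: a firewall-style check that only counts SYN packets per source (enough to notice a flood), beside an IDS-style check that looks inside the payload for a known pattern. The traffic, the addresses and the single signature are constructed for the illustration; they are not captured data and not any product's rule set.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: str          # "S" = SYN only, "PA" = PSH/ACK (data-carrying segment)
    payload: bytes = b""


# Constructed sample traffic (hypothetical addresses).
SAMPLE_TRAFFIC = [
    *[Packet("10.0.0.5", 80, "S") for _ in range(50)],   # one host sends 50 bare SYNs
    Packet("10.0.0.9", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),  # traversal attempt
    Packet("10.0.0.7", 80, "S"),                          # ordinary single connection attempt
]


def firewall_flood_check(packets, syn_threshold=20):
    """Firewall-style check: counts SYNs per source address.

    It never looks at payload bytes, so it can flag a SYN flood but is blind
    to the content of an established connection.
    """
    syns = Counter(p.src for p in packets if p.flags == "S")
    return {src for src, n in syns.items() if n >= syn_threshold}


# Constructed signature table: name -> byte pattern to look for in payloads.
SIGNATURES = {
    "http-path-traversal": b"../",
}


def ids_signature_check(packets, signatures=SIGNATURES):
    """IDS-style check: inspects each payload against known patterns.

    Returns (source, signature name) for every packet whose payload matches.
    """
    hits = []
    for p in packets:
        for name, pattern in signatures.items():
            if pattern in p.payload:
                hits.append((p.src, name))
    return hits


if __name__ == "__main__":
    print("firewall flagged:", firewall_flood_check(SAMPLE_TRAFFIC))
    print("IDS flagged:", ids_signature_check(SAMPLE_TRAFFIC))
```

Run as written, the firewall check flags only the flooding host, while the IDS check is the only one that notices the traversal request from the other source; the flooding host never appears in the IDS result because its packets carry no payload to match.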
IDS comes forward as attacks run rampant
According to rough statistics, there are about 23 thousand known attack methods, and new types of attack can appear at any time. At the same time, evasion techniques of all kinds are continuously developing, and attacks that have been mutated may also escape IDS detection. Facing numerous attack threats, the IDS is currently our most capable detection equipment and should be used to the fullest; very importantly, on the network only the IDS can really play the detection role, and it is irreplaceable.
The BLADE software can simulate about 600 kinds of attacks; from these we selected 100 kinds to test the attack detection rate of the products under test, and the results were quite satisfactory: the IDS devices could detect most types of attacks. We also designed a number of tests using evasion techniques, and most of those attacks were detected as well. Therefore we can conclude that, although it cannot be perfect, an IDS device can detect most attacks and provide a higher level of security protection for the user's network.
In addition, an IDS is not only a passive device. Through its own blocking features and through interaction with firewalls, vulnerability scanners and other products, the IDS also offers a wealth of active security measures. For example, when the IDS detects an attack it can automatically change the firewall policy to block the attack packets; the IDS can also perform statistical analysis of the attacks against a protected host to narrow down the scope of its possible vulnerabilities, and a vulnerability scanning product can then be used for further follow-up, so that vulnerabilities are found and protective measures taken in a timely manner.
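The two linkages just described (IDS alert to firewall policy change, IDS alert to follow-up vulnerability scan), as an added example that is not from the article or any vendor's product. The `FirewallPolicy` class is a toy stand-in for a firewall rule table, the `Alert` fields and the management-host allowlist are assumptions, and the addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One IDS alert (assumed field layout, not a real product's format)."""
    src: str
    dst: str
    signature: str
    severity: int   # 1 (low) .. 3 (high)


@dataclass
class FirewallPolicy:
    """Toy stand-in for a firewall's rule table (not a real firewall API)."""
    deny: dict = field(default_factory=dict)          # src -> expiry timestamp
    allowlist: frozenset = frozenset({"10.0.0.1"})    # assumed management host, never auto-blocked

    def block(self, src, ttl_s, now):
        """Add or extend a temporary deny rule; refuses allowlisted sources."""
        if src in self.allowlist:
            return False
        self.deny[src] = max(self.deny.get(src, 0), now + ttl_s)
        return True

    def is_blocked(self, src, now):
        exp = self.deny.get(src)
        return exp is not None and exp > now


def respond(alert, policy, scan_queue, now, ttl_s=600):
    """Translate one IDS alert into a firewall change and a follow-up scan task.

    Only high-severity alerts change the firewall, and blocks expire after
    ttl_s seconds so a misfire does not lock a source out permanently.
    The targeted host is queued for a vulnerability scan once per signature.
    """
    actions = []
    if alert.severity >= 3 and policy.block(alert.src, ttl_s, now):
        actions.append(f"deny {alert.src} for {ttl_s}s")
    task = (alert.dst, alert.signature)
    if task not in scan_queue:
        scan_queue.append(task)
        actions.append(f"scan {alert.dst} for {alert.signature}")
    return actions


if __name__ == "__main__":
    policy, queue = FirewallPolicy(), []
    a = Alert("10.0.0.5", "10.0.1.2", "http-path-traversal", 3)
    print(respond(a, policy, queue, now=1000))
    print("blocked now:", policy.is_blocked("10.0.0.5", 1500),
          "blocked later:", policy.is_blocked("10.0.0.5", 1700))
```

The allowlist and the expiry are the two safeguards a practitioner wants before wiring alerts to a firewall: an automatic block driven by a source address should never be able to cut off the administrator's own host, and it should age out on its own.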
A good IDS is also a good helper for learning about security. The IDS equipment's documentation or online help describes the principles and harm of many attacks and how to avoid them; such targeted, highly usable knowledge is a great help to the security administrator. Manufacturers have accumulated rich experience in dealing with various security issues, and users can take full advantage of this experience to improve their network security overall.
False positives, false negatives, performance: many issues still to be improved
Through testing, we found that while the IDS plays an important role, there are indeed still some issues to resolve:
First, under present conditions, false positives and false negatives are problems an IDS cannot completely solve. Facing numerous types of attacks, an IDS cannot reach a 100% detection rate; this is the false-negative problem. During the testing process we often saw the following situation: for example, when we launched a backdoor-type attack, some IDS equipment produced many different attack alarms, and strangely some of these alarms were for SYN flood attacks. Although the attack we launched was detected, when a few or even dozens of warnings are issued, the interference with the administrator is obvious. The false positive rate is what users complain about most in IDS products.
Second, detection technology must also keep progressing. The types of attack are gradually increasing, and hackers study IDS detection so that they can develop more evasion techniques. Faced with this situation, detection technology has been in a passive position; it needs to progress constantly, and users need technology that can detect new types of attack in order to become more proactive.
Also, detection performance must be improved. Current IDS devices find it very difficult to achieve wire-speed detection. Through scientific deployment and management, users of IDS equipment can get better results. For example, because of false positives and performance reasons, many users deploy multiple IDS devices across the core network in a divided, collaborative manner to achieve high-level security protection for the network.