Intrusion Detection System (IDS)

I am so confused on this. IDS (Intrusion Detection System ) is designed to inspect and detect the kinds of traffic or network behavior patterns that match known attack signatures or that suggest potential unrecognized attack that may be incipient or in progress
What I am trying to understand is how do a Application fire wall differ from an IDS software package ?

Please advise, MY Network plus book does not do a good job in explaing the deiiference.

Find more posts tagged with

Comments

sprkymrk

You may be confised by the large number of "do-everything" appliances and firewalls out there today. Many firewalls have some IDS/IPS functions built in, and some IPS devices have firewalling functions that are activated upon bad traffic detection.

An application firewall handles traffic at layer 7 protocols (in general terms - I would like to avoid another lengthy discussion of the OSI model and things that cross layer boundaries) instead of just examining packet headers and port numbers, etc. An IDS can operate at the same layer (some do, some don't) but is looking, as you say, for signature matches and then alerts you based on your configuration settings in the IDS itself. A firewall that works at the application layer uses rules/acls based on the configuration to either allow or drop traffic.

Short answer:
Application firewall uses rules to allow or drop traffic.
IDS uses signatures or hueristics to log and alert.

mgmguy1

Thanks, The short answer did the trick.
I am going to google this to try to learn more about Intrusion Detection System. As it reads in my network plus book, Intrusion Detection System (I.D.S.) does not work along side an Application Layer firewall but it is rather a tool to monitior network traffic.

If anyone else has any thoughts on IDS, Pleasee share.

Patrick

bighornsheep

sprkymrk wrote:

You may be confised by the large number of "do-everything" appliances and firewalls out there today. Many firewalls have some IDS/IPS functions built in, and some IPS devices have firewalling functions that are activated upon bad traffic detection.

Agree! Lots of different terms being thrown around.....

My understanding is that IDS is a 'stronger' firewall.

keatron

bighornsheep wrote:

sprkymrk wrote:

You may be confised by the large number of "do-everything" appliances and firewalls out there today. Many firewalls have some IDS/IPS functions built in, and some IPS devices have firewalling functions that are activated upon bad traffic detection.

Agree! Lots of different terms being thrown around.....

My understanding is that IDS is a 'stronger' firewall.

Close spymark, but I wouldn't go so far as to say that. You were right on with your first short answer. By it's very definition, intrusion detection systems do just that, detect. A firewall in it's most basic form actually blocks, just like a physical firewall in a building, it's supposed to keep fire out. And yes you are correct that vendors are doing a lot to contribute to the confusion with all these all-in-one solutions (most of which simply don't work).

Keatron

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of