intrusion analysis. The underlying operating system of the platform on which the NIPS software is mounted is stripped of unnecessary network services, and essential services are secured. The hardware includes these components:

Network interface card (NIC): NIPS must be able to connect to any network (Ethernet, FastEthernet, and Gigabit Ethernet are common).
Processor: Intrusion detection requires CPU power to perform intrusion detection protocol analysis and pattern matching.
Memory: Intrusion detection analysis is memory-intensive. The amount of memory that is available directly affects the ability of a NIPS to detect an attack efficiently and accurately.

NIPS gives security managers real-time security insight into their networks regardless of network growth. Additional hosts can be added to protected networks without needing additional sensors. When new networks are added, additional sensors are easy to deploy. Additional sensors are only required when the rated traffic capacity of the sensor is exceeded, when a sensor’s performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries. NIDS and NIPS Deployment
Figure shows an example configuration of a network IDS (NIDS) and NIPS deployment. For NIPS and NIDS, the placement of sensors in the network is of crucial importance. You must deploy sensors at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to the Management Server that is located inside the corporate firewall.

Advantages of network IPS and IDS: A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network. Seeing attacks against the entire network gives a clear indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is only examining traffic from the network, the system does not have to support every type of operating system that is used on the network.
Disadvantages of network IPS and IDS: Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to network-based monitoring is that as networks become increasingly larger (with respect to bandwidth), it becomes more difficult to place the sensor at a single location in the network and successfully capture all the traffic. Eliminating this problem requires the use of more sensors throughout the network, which increases costs.

Content 6.4 Introducing Cisco IOS IPS 6.4.5 Signature-Based IDS and IPS The signature-based pattern matching refers to searching for predefined content or a fixed sequence of bytes in a single packet. A signature-based approach is fairly rigid, but simple to employ. In most cases, the signature pattern is matched only if the suspect packet is associated with a particular service or, more precisely, destined to or from a particular port. This method decreases the amount of inspection that the network performs on every packet. However, this approach makes it more difficult for systems to deal with protocols that do not reside on well-defined ports and, in particular, Trojan horses and their associated traffic, which can usually be moved at will. Initially, this approach might send many alerts, many of which are associated with traffic that is not a threat for the network. After the system is tuned and adjusted to the specific network parameters, there will be fewer false alerts than with the policy-based approach. Figure shows and describes how signature-based IDS and IPS work. To determine an attack signature, which is usually a well-known pattern of attack, IDS and IPS inspect packet headers or data payloads and match them against a signature database. A signature is a sequence or a string of bytes in a certain context. The context may be the position of the sequence in the data flow, a part of a valid command in the application layer protocol, or a combination of options in the IP datagram. The following are some signature examples:

Attacks against a web server are usually in the form of specially crafted URLs, so the IDS and IPS look for the signature at the start of the data flow, which begins with an HTTP request from the client.
An attack against a Simple Mail Transfer Protocol (SMTP) server may be in the form of a buffer overflow in the mail from command of the SMTP session. IDS and IPS look for an attack signature in the SMTP session that starts with the mail from command and includes a particular pattern before the end of the line.
An attack on the mail client may be in the form of a buffer overflow in the Multipurpose Internet Mail Extension (MIME) header of the message itself. IPS or IDS will look for the sequence of bytes that identifies the start of a new MIME part in the message and a sequence of bytes that compose a buffer overflow following the message.

These examples illustrate that a signature-based IDS and IPS only detects attacks that have been entered into a database by the vendor or the administrator. Usually, IDS and IPS are unable to detect undiscovered or unreported attacks (day zero attacks). Therefore, all signature-based IDSs and IPSs place a certain amount of burden on the administrators, as the administrator must regularly update the signature database. Usually, the manufacturers publish database updates. If not, the administrator must create custom signatures that guard against these attacks.

Content 6.4 Introducing Cisco IOS IPS 6.4.6 Policy-Based IDS and IPS The policy-based approach uses an algorithm to base alarm decisions on. An example of this type of policy is a policy that is used to detect a port sweep. This policy looks for the presence of a threshold number of unique ports being scanned on a particular machine. The policy may further restrict itself through the specification of the types of packets that the policy is interested in (for example, SYN packets). Additionally, there may be a requirement that all the probes must originate from a single source. Policies of this type require some threshold manipulations to make them conform to the use patterns on the network that they are monitoring. This type of policy can be used to look for very simple statistical events or complex relationships. Figure shows and describes how policy-based IDS and IPS work. Policy-based IDS and IPS block the traffic or send an alarm if a violation of a configured policy occurs. A policy-based system is a popular method of detection, especially if unknown attacks need to be detected. Policy-based IDS and IPS must have a clear representation of what the security policy is. For example, you can write a network access policy in terms of permissions, listing which networks can communicate with which other networks using which protocols. Some security policies are hard to incorporate into IDS and IPS. For example, if browsing of pornographic, hacking, or “warez” (illegally copied, pirated software) sites is not allowed, the system must be able to communicate with some type of blacklist database to check if a policy violation has occurred.

Content 6.4 Introducing Cisco IOS IPS 6.4.7 Anomaly-Based IDS and IPS Anomaly-based signatures typically look for network traffic that deviates from what is considered “normal.” The main issue regarding this methodology is the definition of “normal.” Some systems have hard-coded definitions of normal traffic patterns. Other systems are designed to learn normal traffic behavior, but the challenge with these systems is to eliminate the possibility of improperly classifying abnormal behavior as normal. Consequently, while relatively easy to implement in small environments, the anomaly-based approach can be difficult to