
The Value of Intrusion Detection -- Secure Pipe

Question: 
My examiner says I should put in an intrusion detection system (IDS). I already have a firewall; what additional protection will an IDS provide?
Answer: 

Your firewall acts as a gatekeeper. It permits or denies traffic entering your network based on its configuration rules, which are written to reflect your institution's network access control policy.

The firewall typically sits at the "chokepoint" of an internet-facing system. That is, it is the device that separates your trusted internal network from the wild, untamed, and untrusted internet.

All traffic coming in and out of your network carries an electronic envelope that specifies the source and destination. Instead of street addresses, it uses internet IP addresses. Additionally, each address has an associated "port" number that tells each end which service the traffic is for.

For example, let's say you are hosting your own webserver. Webservers usually use port number 80 for traffic. Your firewall will then be configured to permit inbound traffic to port 80. (If you don't run a server, envelopes addressed to port 80 will be rejected.)

So, if someone on the internet uses a web browser and points it at your site, your firewall will receive the request, recognize it as web traffic based on the envelope, and let it through.

But what if that web surfer was actually launching any of hundreds of known attacks against your webserver? A packet-filtering firewall cannot catch this, because all it knows is "incoming port 80? Okay!"

An IDS sits on your network and acts as a "sniffer," watching all the traffic going by. If it sees an envelope with a "port 80" destination, the IDS knows it is web traffic and can look *inside* to examine the actual content. Using this ability, it can look at the specific URL requested and determine whether it is hostile. The IDS will then generate an alert so you can take appropriate action. (One caveat: if the web traffic is encrypted with HTTPS, a network IDS cannot read the URL unless it is given the server's keys or placed behind a proxy that terminates the encryption.)

The IDS also provides an audit function for the firewall. Some surveys show that up to 82% of all firewalls are misconfigured. That means the access control policy is not being adequately implemented. An IDS placed behind the firewall can be configured to detect traffic that the policy says should never have been let through, and to alert on it.

Finally, an IDS has the ability to monitor traffic that never leaves your network, meaning it is never even seen by the firewall. This internal traffic is generated by your trusted users. An IDS monitoring this traffic will report on unauthorized access. Further, it can act as an early warning mechanism when it sees signs of an internal virus or worm, such as one workstation suddenly probing many of its neighbors.
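The three IDS functions above (inspecting the content of port-80 traffic, auditing the firewall's policy, and watching traffic that stays inside) can be shown side by side on a few packets. The following is an added example written for this page, not code from Secure Pipe or from any IDS product. The packets, the internal address block 10.0.0.0/24, the single-port firewall policy, the URL signatures, and the fan-out threshold of five hosts are all constructed for illustration; a real IDS carries thousands of signatures and reads packets off the wire rather than from a list.

```python
"""Toy monitor contrasting a port-based firewall decision with IDS inspection.

Added example for illustration only. Every packet, address, policy and
signature below is constructed (hypothetical); nothing is captured traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address on the "envelope"
    dst: str       # destination IP address
    dport: int     # destination port (80 = web)
    payload: str   # first bytes of application data ("" for a bare connection attempt)


INTERNAL_PREFIX = "10.0.0."        # hypothetical trusted internal network
ALLOWED_INBOUND_PORTS = {80}       # the institution's policy: only web traffic comes in


def firewall_decision(pkt):
    """What a packet-filtering firewall decides: it sees only addresses and ports."""
    if pkt.src.startswith(INTERNAL_PREFIX):
        return "permit"            # this toy policy does not restrict internal sources
    return "permit" if pkt.dport in ALLOWED_INBOUND_PORTS else "deny"


# Illustrative IDS signatures applied to the URL of an HTTP request.
URL_SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
    ("SQL injection probe", re.compile(r"('|%27).*(or|union|--)", re.I)),
]
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\r?\n")


def inspect_http(pkt):
    """The step a firewall cannot take: parse the request and judge the URL."""
    m = REQUEST_LINE.match(pkt.payload)
    if not m:
        return []
    url = m.group(2)
    return [name for name, rx in URL_SIGNATURES if rx.search(url)]


def run_ids(packets, policy_ports=ALLOWED_INBOUND_PORTS, scan_threshold=5):
    """Sniff a packet stream (the IDS sits *inside* the firewall) and return alerts.

    Each alert is (kind, detail, src, dst). Three detections are implemented:
      1. hostile URL inside otherwise-permitted web traffic,
      2. firewall audit: inbound traffic on a port the policy says is blocked,
      3. early warning: one internal host touching many internal hosts on a port.
    """
    alerts = []
    fanout = defaultdict(set)      # (internal src, dport) -> internal hosts contacted
    for p in packets:
        inbound = not p.src.startswith(INTERNAL_PREFIX)
        if p.dport == 80:                                  # 1. content inspection
            for sig in inspect_http(p):
                alerts.append(("hostile URL", sig, p.src, p.dst))
        if inbound and p.dport not in policy_ports:        # 2. firewall audit
            alerts.append(("firewall policy violation", f"port {p.dport}", p.src, p.dst))
        if not inbound and p.dst.startswith(INTERNAL_PREFIX):   # 3. internal sweep
            seen = fanout[(p.src, p.dport)]
            seen.add(p.dst)
            if len(seen) == scan_threshold:                # alert once per source/port
                alerts.append(("internal scan / worm activity",
                               f"{scan_threshold} hosts on port {p.dport}", p.src, None))
    return alerts


# Constructed packet stream (not real traffic).
SAMPLE_PACKETS = [
    # Ordinary request from the internet: firewall permits, IDS finds nothing.
    Packet("203.0.113.7", "10.0.0.80", 80,
           "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    # Same envelope (port 80) but a hostile URL: firewall still permits, IDS alerts.
    Packet("203.0.113.7", "10.0.0.80", 80,
           "GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "10.0.0.80", 80,
           "GET /login.asp?user=admin'%20OR%201=1-- HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    # Telnet from the internet seen on the inside: the policy denies port 23, so the
    # deployed firewall rules evidently do not implement the policy.
    Packet("198.51.100.9", "10.0.0.25", 23, ""),
] + [
    # An internal workstation sweeping port 445 on six neighbours; this traffic never
    # crosses the firewall, so only the IDS can see it.
    Packet("10.0.0.15", f"10.0.0.{n}", 445, "") for n in range(30, 36)
]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS[:4]:
        print(f"{p.src:>13} -> {p.dst}:{p.dport:<4} firewall={firewall_decision(p):6} "
              f"ids={inspect_http(p) or 'clean'}")
    for alert in run_ids(SAMPLE_PACKETS):
        print("ALERT", alert)
```

The second and third packets are the whole argument in miniature: `firewall_decision` returns "permit" for them exactly as it does for the harmless first one, while `inspect_http` reads the URL and flags them. The port-23 packet shows the audit role (the firewall should have returned "deny", yet the packet arrived inside), and the port-445 sweep is the kind of internal early warning the firewall never gets a chance to see.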

To conclude, an IDS gives you another layer of security to complement that provided by the firewall. Its role as an audit control for the firewall makes it essential and, in some cases, either legally mandated or recommended. If it fits within your budget, it is an excellent security measure.

First published on 08/02/2004
