101communication LLC CertCities.com -- The Ultimate Site for Certified IT Professionals
Cisco Column -- Thursday, August 21, 2003

Link State Update -- Eric Quinn
Bad Packets!
Tips on using IDS software and hardware to sniff out unwanted traffic on your network.
by Eric Quinn , courtesy of TCPMag.com
8/2/2001 -- Intrusion detection is the process of finding bad packets on your network. A device sits on your LAN and monitors every packet it can see. Beyond those sniffer capabilities, though, an Intrusion Detection System (IDS) takes the packets it grabs and compares them against signatures of undesirable packets.

IDS devices can be network appliances or software solutions. An example of a software-based IDS is BlackIce Defender, which serves as an IDS for a single PC. Another is Snort, a software-based IDS released under the GNU General Public License for both Linux and Windows 2000.

An appliance would be a combination of hardware and software, like the 4200 series IDS sensors by Cisco.

Firewalls can keep out undesirable packets based on many criteria, but they only go so far. If you have a DMZ interface configured on a PIX, and you're allowing HTTP traffic from the outside into the DMZ because that's where your Web server is, then you're allowing all sorts of Web traffic. Your firewall isn't going to look inside the packet and decide that, because a certain character string is present, the packet should be denied. The PIX doesn't subscribe to any of the security newsletters that would tell it what the latest IIS exploits are.

An IDS, on the other hand, can look inside those HTTP packets and compare the contents against all of its HTTP signature strings. If the next advisory says, "Hackers can take down a Web server by typing http://www.target.com/crashme!", then you can have your IDS look for HTTP packets that contain the text string "crashme!"

Even better, the Cisco IDS sensor can be configured to talk to a Cisco router and configure an extended access list to keep out that traffic. In the case of a text string inside an HTTP packet, the router would filter out all HTTP traffic from the source to the destination.
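The two preceding points, that a port-based firewall rule never sees the payload while a signature-based IDS does, and that a sensor can answer a match by pushing an extended access list to a router, are illustrated by the following added example. It is not code from the column, from Cisco, or from Snort; the signature set, the packets, the addresses (RFC 5737 documentation ranges) and the helper names are all constructed here. The only string taken from the column is "crashme!".

```python
"""Toy signature-based inspection of HTTP traffic, contrasted with a port-based
firewall decision, plus the IOS extended ACL a sensor could push to a router
in response. Added example; everything below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes (what the firewall rule ignores)


@dataclass(frozen=True)
class Signature:
    name: str       # human-readable alert name
    port: int       # application traffic this signature applies to
    pattern: bytes  # byte string that must appear in the payload


# Constructed signature set. "crashme!" is the column's own example string;
# the second entry is a constructed signature for a dot-dot traversal request.
SIGNATURES = [
    Signature("HTTP crashme example", 80, b"crashme!"),
    Signature("HTTP dot-dot traversal", 80, b"/../"),
]

WEB_SERVER = "192.0.2.10"  # constructed DMZ Web server address


def firewall_permits(pkt: Packet) -> bool:
    """A PIX-style rule equivalent to 'permit tcp any host 192.0.2.10 eq 80'.
    The decision rests on addresses and ports only; the payload is never read,
    which is exactly why a hostile URL sails through."""
    return pkt.dst == WEB_SERVER and pkt.dport == 80


def ids_inspect(pkt: Packet, sigs: List[Signature] = SIGNATURES) -> List[str]:
    """Return the name of every signature whose pattern occurs in the payload.
    Signatures are scoped to a port, so the same bytes on SMTP do not fire an
    HTTP signature (a simple way to cut false alarms)."""
    return [s.name for s in sigs if pkt.dport == s.port and s.pattern in pkt.payload]


def shun_acl(pkt: Packet, acl_name: str = "IDS_SHUN") -> str:
    """IOS extended ACL that blocks HTTP from the offending source to the
    server, the kind of response the column says a sensor can hand a router.
    The trailing 'permit ip any any' matters: without it the implicit deny at
    the end of the list would drop all other traffic on the interface."""
    return "\n".join([
        f"ip access-list extended {acl_name}",
        f" deny tcp host {pkt.src} host {pkt.dst} eq 80",
        " permit ip any any",
    ])


# Constructed sample traffic.
BENIGN = Packet("203.0.113.5", WEB_SERVER, 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.target.com\r\n\r\n")
HOSTILE = Packet("198.51.100.7", WEB_SERVER, 80,
                 b"GET /crashme! HTTP/1.0\r\nHost: www.target.com\r\n\r\n")
# Same bytes, but to the mail port: outside the HTTP signature's scope.
OFF_PORT = Packet("198.51.100.7", WEB_SERVER, 25, b"RCPT TO:<crashme!@x>\r\n")


def run_demo() -> dict:
    """Run all three packets through both checks; returns a summary dict."""
    result = {}
    for label, pkt in (("benign", BENIGN), ("hostile", HOSTILE), ("off_port", OFF_PORT)):
        result[label] = {
            "firewall_permits": firewall_permits(pkt),
            "ids_alerts": ids_inspect(pkt),
        }
    return result


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:9s} firewall={outcome['firewall_permits']} ids={outcome['ids_alerts']}")
    print(shun_acl(HOSTILE))
```

Both the benign and the hostile request are permitted by the firewall check, since they differ only in payload, while only the hostile one trips the IDS signature; the off-port packet shows why signatures are tied to the protocol they describe rather than matched against all traffic.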

Cisco has three IDS products: the 4210, the 4230 and the 6000 IDS blade. The 4200s are network appliances; there are no user-upgradeable parts. The 4210 can monitor up to 45 Mbps of traffic and is suited for monitoring WAN connections after they pass through the perimeter router. The 4230 can monitor 100 Mbps of traffic. Both have two interfaces, one for monitoring and one for control. Cisco used to make a token ring version called the 4220, but it was "End of Life'd" (EOL) late last year. The IDS blade for the 6000 series switch can monitor VLAN traffic within the 6000/6500 as long as the switch is equipped with a policy feature card (PFC).

A 4200 IDS sensor is configured to monitor traffic on the monitor port, which doesn't have an IP address. The control port has an IP address and is how the sensor communicates with the management GUI as well as any router it needs to talk to. The GUI isn't absolutely necessary, since the sensor runs on Solaris and everything can be configured from the command line, but many people are much more comfortable with the GUI because it gives them reports. A GUI is available for Solaris, HP-UX and Windows NT; one for Windows 2000 should be released soon.

The GUI allows you to receive information regarding what's going on on your network. You can configure the sensor to do several things when it detects an unwanted packet (although if you’re using the IDS blade, you lose several abilities). One of the better functions of the GUI is report writing. It can generate several types of reports -- ranging from deeply technical to executive overview -- about the packets it has seen on the network.

The downside to the Cisco IDS product line is the amount of data it can deal with. None of Cisco's products can handle more than 100 Mbps. This isn't much of a problem with the 6000 switch blade, because you can be very particular about the type of traffic the blade looks at; but if you have a fabric-enabled switch, you can easily flood the blade. Other vendors have products that support much higher throughput, and it's my hope that Cisco IDS devices soon will as well. Finally, if you want to monitor a gigabit connection, you can only do so with the blade; Cisco doesn't offer gigabit ports on the 4200 series devices.

Do you have IDS tips to share? Questions about this topic? Post your comments below!


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .

Current CertCities.com user Comments for "Bad Packets!"
1/9/02 - Anonymous says: Does the IDS Blade monitor just the switch or the entire network?
2/15/02 - Dave Warde  from Central New Jersey says: We had two Cisco IDS sensors at my last company (sniff, sniff...now a dot goner!). We were still in the post installation "shake-down" phase and were swamped with data, most of it false alarms. From your perspective, is signature based IDS getting any better? Thanks
All content copyright 2000-03 101communications LLC, unless otherwise noted. All rights reserved.