Firewall and IDS: What's the difference between an IDS and a firewall? What is promiscuous mode in an IDS? What is inline mode in an IDS? When is it appropriate to use one or the other in your network?
Visit some firewall and IDS vendors' sites, such as Palo Alto Networks, Check Point, Cisco, etc., and select product(s) suitable for your project. Justify your selection.
Answer:
1. Difference between IDS (Intrusion Detection System) and Firewall:

| Parameter | IDS | Firewall |
| --- | --- | --- |
| Definition | A device or software application that monitors traffic for malicious activity or policy violations and sends an alert on detection. | A network security device that filters incoming and outgoing network traffic based on predetermined rules. |
| Principle of working | Inspects real-time traffic, looks for traffic patterns or attack signatures, and then generates alerts. | Filters traffic based on IP addresses and port numbers. |
| Configuration mode | Inline, or as an end host for monitoring and detection. | Transparent mode |
| Placement | Non-inline, through a SPAN port | Inline at the perimeter of the network. |
| Traffic patterns | Analyzed | Not analyzed |
| Action on unauthorized traffic detection | Alerts/alarms on detection of an anomaly | Blocks the traffic. |
| Technologies | | |
Promiscuous mode in IDS:
In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive.
An Intrusion Detection System (IDS) passively monitors network traffic at multiple locations within your network by using IDS sensors. This monitoring is referred to as promiscuous mode because it involves placing a network interface into promiscuous mode and then examining all of the traffic through the interface. Promiscuous interfaces are virtually invisible on the network because they are associated with no IP address.
When malicious activity is detected, the IDS can generate an alarm.
Inline mode in IDS:
In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. When the sensor is in inline mode, traffic has to traverse the sensor's interfaces (pair). Traffic gets inspected and tested against the signatures, and then, if OK, is forwarded to the destination. This approach offers preventive protection because the sensor can stop an attack BEFORE it reaches the target.
When to use one mode over the other:
IDS sensors operate in promiscuous mode by default. This means that a device (often a switch) captures traffic for the sensor and forwards a copy to the sensor for analysis. Because the device is working with a copy of the traffic, the device is performing intrusion detection. It can detect an attack and send an alert (and take other actions), but it does not prevent the attack from entering the network or a network segment. It cannot prevent the attack because it is not working on traffic "inline" in the working path. When an IPS is working in inline mode, it can do prevention as opposed to mere detection. This is because the IPS device is in the actual traffic path.
2. According to the network vendors, the study has proved that both firewalls and intrusion detection systems still need to be improved to ensure unfailing security for a network. They are not reliable enough (especially in regard to false positives and false negatives), and they are difficult to administer. To assure effective computerized security, it is strongly recommended to have a combination of several types of intrusion detection system.
However, these technologies need to be developed further in the coming years due to the increasing security needs of businesses and changes in technology that allow more efficient operation of detection systems. This paper provided a new way of looking at network research, including the types of firewalls and types of intrusion detection that are necessary, complete, and mutually exclusive, to aid in the fair comparison of firewalls and intrusion detection systems and to aid in focusing research in this area on new trends like Intrusion Prevention Systems.
Hope this will be helpful for you... Thanks.
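As an added illustration (this is not part of the question or the answer above, and not any vendor's code), the following Python simulation contrasts the three behaviours the answer describes: a firewall that filters only on source address and destination port, an IDS sensor in promiscuous mode that sees a copy of each packet from a SPAN port and can only alert, and a sensor in inline mode that sits in the traffic path and can drop a matching packet before it reaches the target. Every packet, rule and signature below is constructed for the example; the rule and signature formats are assumptions of this example, not any product's syntax.

```python
"""
Toy comparison of firewall filtering vs. IDS promiscuous mode vs. IDS/IPS
inline mode. Constructed example: packets, rules and signatures are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed firewall policy: (source prefix, destination port, action).
# First match wins; "any" matches every source; unmatched packets are denied.
FIREWALL_RULES = [
    ("10.0.0.", 80, "allow"),   # internal clients to the web server
    ("10.0.0.", 443, "allow"),
    ("any", 22, "deny"),        # no SSH through the perimeter at all
]
DEFAULT_ACTION = "deny"

# Constructed IDS signatures: a firewall never looks at this part of a packet.
SIGNATURES = {
    "directory-traversal": b"../../",
    "sql-tautology": b"' OR 1=1",
}


def firewall_decision(pkt: Packet, rules=FIREWALL_RULES) -> str:
    """Decide allow/deny purely from IP address and port, as the table says."""
    for src_prefix, port, action in rules:
        src_ok = src_prefix == "any" or pkt.src_ip.startswith(src_prefix)
        port_ok = port is None or pkt.dst_port == port
        if src_ok and port_ok:
            return action
    return DEFAULT_ACTION


def match_signatures(pkt: Packet, signatures=SIGNATURES) -> list:
    """Return the names of every signature whose byte pattern is in the payload."""
    return [name for name, pattern in signatures.items() if pattern in pkt.payload]


def promiscuous_sensor(packets):
    """Promiscuous mode: the sensor works on a COPY of each packet taken from a
    SPAN port. It can raise alerts, but the original packet has already been
    forwarded by the switch, so every packet reaches its destination."""
    alerts, delivered = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt, hits))
        delivered.append(pkt)  # delivered regardless of the verdict
    return alerts, delivered


def inline_sensor(packets):
    """Inline mode: packets must traverse the sensor's interface pair, so a
    packet that matches a signature is dropped BEFORE it reaches the target."""
    alerts, delivered = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt, hits))
            continue  # not forwarded
        delivered.append(pkt)
    return alerts, delivered


def run_demo() -> dict:
    """Run the constructed packets through firewall -> sensor and tally results."""
    packets = [  # constructed sample traffic
        Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.7", "192.0.2.10", 80, b"GET /../../config.ini HTTP/1.1"),
        Packet("198.51.100.9", "192.0.2.10", 22, b"SSH-2.0-client"),
        Packet("10.0.0.9", "192.0.2.10", 443, b"user=' OR 1=1 --"),
    ]
    passed_fw = [p for p in packets if firewall_decision(p) == "allow"]
    prom_alerts, prom_delivered = promiscuous_sensor(passed_fw)
    inline_alerts, inline_delivered = inline_sensor(passed_fw)
    return {
        "firewall_blocked": len(packets) - len(passed_fw),
        "promiscuous_alerts": len(prom_alerts),
        "promiscuous_delivered": len(prom_delivered),
        "inline_alerts": len(inline_alerts),
        "inline_delivered": len(inline_delivered),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The tally makes the answer's point concrete: the firewall blocks the SSH packet on port alone but passes both malicious payloads because they arrive on allowed ports; the promiscuous sensor alerts on both yet still delivers all three packets it sees; the inline sensor alerts on the same two and delivers only the clean request. That is why the answer recommends combining the technologies rather than relying on one.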