Now for the differences between an IDS and an IPS. An IDS, an intrusion detection system, is out of band: it only receives copies of network traffic.
It can be as simple as a system receiving copies of traffic to inspect through a switch configured to send all traffic to the IDS.
An IPS, an intrusion prevention system, is in-line, so the original traffic must pass through the IPS.
Since the IDS is out of band, it doesn't add any latency.
An IPS adds latency, since traffic is processed live as it passes through.
If the IDS sensor goes down, possibly after a targeted attack, traffic will still flow.
If an IPS is targeted, attacked and brought down, traffic might stop right there, depending on whether the device fails open or fails closed.
An IDS can alert an administrator and even automatically tell a firewall to block traffic based on what it observes.
While an IPS can do the same, the IPS can also stop traffic dead in its tracks.
The IPS can still report back to a firewall, so traffic could be filtered a lot earlier in the path than where the IPS is located.
The obvious question is: if an IPS can do what an IDS can do, but better, why does an IDS still exist today?
Well, an IDS can be like a window into your network traffic.
It sits, listens and collects data that can be used for forensics and analysis.
Think of an IPS as a control device and an IDS as a visibility device.
Packets collected by the IDS can be analyzed later to gain insight into past, or even possible future, violations when lots of events are linked together.
Both IDSs and IPSs are vulnerable to false positives, which is when normal activity is flagged as malicious, and false negatives, which is when malicious activity is flagged as normal.
IDSs and IPSs need to be constantly tuned to minimize both false positives, which send out lots of incorrect alerts, and false negatives, which send out no alert when something malicious is happening.
Since IDSs are out of band, a false positive won't stop legitimate traffic in its tracks, which could be another reason why they're used together with IPSs to form a good defense-in-depth setup.
IDSs can also be configured to just alert an administrator instead of telling a firewall to block certain traffic.
An administrator who wants just the alert and the ability to take action himself, instead of letting the IDS make the decision for him, would prefer this.
IDSs and IPSs, like firewalls, can be either host-based or network-based.
In fact, thus far we've actually been talking about NIDS, network-based IDSs, and NIPS, network-based IPSs.
A host-based IDS or host-based IPS resides on a particular computer and monitors activity on just that host system.
It baselines and monitors the access, creation, modification and deletion of key system files, as well as the Windows registry on Windows hosts.
Unlike a network-based IDS or IPS, host-based ones can deal with encrypted traffic, because that traffic will have been decrypted on the host for processing.
They can also detect attacks that may elude a network-based IDS or IPS.
As you can imagine, this does slow the host down, since the monitoring consumes the protected system's own CPU and disk I/O.
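The file-monitoring half of a HIDS described above, as an added example that is not part of the course material or any particular product: take a baseline of hashes and permission bits for key files, take a later snapshot, and report what was created, deleted, modified or had its mode changed. The directory tree, file contents and the tampering are constructed inside a temporary directory; the paths (etc/passwd, etc/shadow, bin/ls, etc/cron.d/persist) are stand-ins, not real system files.

```python
"""Added example (not from the course): the file-integrity half of a HIDS.
Take a baseline of key files, take a later snapshot, and report what was
created, deleted, modified or had its permissions changed.  The directory
tree and the tampering are constructed inside a temporary directory."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict[str, object]]:
    """Hash, size and permission bits of every regular file under root,
    keyed by POSIX-style relative path.  Symlinks are skipped, so a link
    swapped in for a file shows up as a deletion rather than being followed."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return snap


def compare(old: dict, new: dict) -> dict[str, list[str]]:
    """Diff two snapshots into the four events a HIDS would alert on."""
    common = set(old) & set(new)
    modified = {p for p in common if old[p]["sha256"] != new[p]["sha256"]}
    mode_changed = {p for p in common - modified if old[p]["mode"] != new[p]["mode"]}
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(modified),
        "mode_changed": sorted(mode_changed),
    }


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:!:19000::::::\n")
        (root / "etc" / "shadow").chmod(0o444)
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in, not a real binary")
        baseline = snapshot(root)

        # Simulated tampering after the baseline was taken.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")      # second uid-0 account appended
        (root / "etc" / "shadow").chmod(0o644)            # permissions relaxed
        (root / "bin" / "ls").unlink()                    # binary removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")  # persistence dropped

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

A production HIDS stores the baseline somewhere the monitored host cannot rewrite it (a signed database or a remote collector); a baseline kept on the same disk is the first thing an intruder with root will update.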
Generally speaking, a HIPS, a host-based IPS, will be looking more for anomalous system activity, while a HIDS, a host-based IDS, will be looking more for anomalous network activity.
But the lines have become very blurred.
Just like a network-based IDS or IPS can catch malicious traffic that either evaded the network-based firewall or originated from within the network, a host-based IDS or IPS can catch malicious activity that either evaded the host-based firewall or originated from inside the machine.
Signature-based IDSs and IPSs act much like anti-virus software, trying to detect attacks by looking for known patterns: for example, certain instruction sequences on a host machine, or particular uses of a protocol or particular payload contents.
The obvious problem is that unknown patterns can't be detected, and adversaries constantly change their code and encodings to avoid simple signature detection.
Furthermore, the signature database needs to be constantly updated.
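To make the evasion problem concrete, here is an added example, not code from the course or from any IDS product: a toy byte-pattern signature engine run over a handful of constructed HTTP request lines. The signature IDs, patterns, request lines and the normalizer are all invented for the illustration. The same request that trips a signature when sent plainly slips past it when percent-encoded or case-shifted; a protocol-aware normalizer recovers those two, but an evasion the normalizer was never taught (SQL comment padding) still gets through, which is exactly why the signature set never stops needing updates.

```python
"""Added example (not from the course): a toy signature matcher and the cheap
encoding tricks that defeat it.  Signatures, payloads and the normalizer are
constructed for illustration; a real engine such as Snort ships far richer
preprocessing, but the failure mode is the same."""
from __future__ import annotations

from urllib.parse import unquote

# Constructed signatures: (id, description, byte pattern that must appear in the payload).
SIGNATURES = [
    ("SIG-1", "Unix password file requested over HTTP", b"/etc/passwd"),
    ("SIG-2", "Directory traversal", b"../.."),
    ("SIG-3", "SQL injection tautology", b"' or 1=1"),
]

# Constructed HTTP request lines as they would appear on the wire (name -> bytes).
PAYLOADS = {
    "plain":          b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.1",
    "url-encoded":    b"GET /cgi-bin/view?file=/etc/%70asswd HTTP/1.1",
    "double-encoded": b"GET /cgi-bin/view?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "case-shifted":   b"GET /login?user=admin' OR 1=1-- HTTP/1.1",
    "comment-split":  b"GET /login?user=admin'/**/or/**/1=1-- HTTP/1.1",
    "benign":         b"GET /index.html HTTP/1.1",
}


def match_raw(payload: bytes) -> list[str]:
    """Naive engine: look for each signature's bytes exactly as they arrived."""
    return [sid for sid, _desc, pattern in SIGNATURES if pattern in payload]


def normalize_http(payload: bytes) -> bytes:
    """Undo the evasions this example anticipates: percent-encoding (decoded twice
    to catch double encoding), letter case, and repeated slashes.  Anything the
    normalizer does not know about, such as SQL comment padding, still slips past."""
    text = payload.decode("latin-1")
    text = unquote(unquote(text))
    while "//" in text:
        text = text.replace("//", "/")
    return text.lower().encode("latin-1")


def match_normalized(payload: bytes) -> list[str]:
    """Same signatures, applied after protocol-aware normalization."""
    return match_raw(normalize_http(payload))


def evasion_report() -> dict[str, tuple[list[str], list[str]]]:
    """For each constructed payload: (hits on raw bytes, hits after normalization)."""
    return {name: (match_raw(p), match_normalized(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evasion_report().items():
        print(f"{name:15s} raw={raw or '-'} normalized={norm or '-'}")
```

Note that the double-encoded request is caught by the raw matcher only because the attacker left the tail of the path unencoded; encode that too and the raw engine sees nothing until the normalizer decodes it.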
Anomaly-based IDSs and IPSs first establish a baseline of normal behavior, then compare new activity against it and flag whatever deviates too far as potentially malicious.
However, false positives and false negatives are big issues that need to be dealt with through monitoring and tweaking of the baseline and the alert threshold.
The latest anomaly-based IDSs and IPSs can detect malicious insiders as well as machines or accounts that have been compromised by outsiders.
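The baseline-and-threshold mechanism just described, together with the false-positive and false-negative tuning problem discussed earlier, as one added example that is not part of the course: learn a per-host mean and standard deviation of outbound connections per minute from a constructed "clean" window, score new events by z-score, and count true and false alerts at several thresholds. The host names, connection counts and the malicious/benign labels are all constructed for the illustration; the labels stand in for what an analyst would conclude after investigating each event.

```python
"""Added example (not from the course): a per-host anomaly baseline and the
false-positive / false-negative trade-off as the alert threshold moves.
All counts below are constructed for illustration."""
from __future__ import annotations

import statistics
from dataclasses import dataclass

# Constructed learning window: outbound connections per minute seen from each
# host while the network was believed to be clean.
BASELINE_HISTORY = {
    "ws-01": [10, 12, 11, 9, 13, 10, 11, 12, 10, 11],
    "ws-02": [50, 55, 48, 52, 51, 49, 53, 50, 54, 52],
    "db-01": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
}

# Constructed events to score: (host, connections per minute, truly malicious?).
EVENTS = [
    ("ws-01", 11, False),
    ("ws-01", 16, False),  # user kicked off a large file sync: legitimate burst
    ("ws-01", 60, True),   # internal port scan
    ("ws-02", 53, False),
    ("ws-02", 70, True),   # lateral movement plus beaconing
    ("ws-02", 58, False),  # busy but legitimate
    ("db-01", 3, False),
    ("db-01", 4, True),    # low-and-slow exfiltration from a host that rarely talks out
    ("db-01", 2, False),
]


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


def learn_baseline(history: dict[str, list[int]]) -> dict[str, Baseline]:
    """Per-host mean and sample standard deviation of the learning window.
    A constant history gets a tiny floor so any change at all scores as anomalous."""
    return {
        host: Baseline(statistics.mean(v), max(statistics.stdev(v), 1e-6))
        for host, v in history.items()
    }


def zscore(baseline: dict[str, Baseline], host: str, value: float) -> float:
    b = baseline[host]
    return (value - b.mean) / b.stdev


def classify(baseline, events, threshold: float) -> tuple[int, int, int, int]:
    """Alert when |z| exceeds threshold; return (tp, fp, tn, fn) against the labels."""
    tp = fp = tn = fn = 0
    for host, value, malicious in events:
        alert = abs(zscore(baseline, host, value)) > threshold
        if alert and malicious:
            tp += 1
        elif alert:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def error_rates(counts: tuple[int, int, int, int]) -> tuple[float, float]:
    """(false-positive rate, false-negative rate) from a confusion tuple."""
    tp, fp, tn, fn = counts
    return fp / (fp + tn), fn / (fn + tp)


def tuning_table(thresholds=(1.0, 2.5, 3.5, 5.0)) -> dict[float, tuple[int, int, int, int]]:
    """Confusion counts at each candidate threshold: the table an analyst tunes from."""
    baseline = learn_baseline(BASELINE_HISTORY)
    return {t: classify(baseline, EVENTS, t) for t in thresholds}


if __name__ == "__main__":
    for t, counts in tuning_table().items():
        fpr, fnr = error_rates(counts)
        print(f"threshold={t:4.1f} tp/fp/tn/fn={counts} FPR={fpr:.2f} FNR={fnr:.2f}")
```

Running it shows the trade-off directly: a low threshold catches every labelled attack but pages on three legitimate bursts, while the highest threshold silences the false alarms and misses the quiet exfiltration from db-01. Whether the knob is turned towards the noisy or the quiet side depends on whether the sensor only alerts (IDS) or actually drops traffic (IPS).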
In the video you just watched, you saw the switch send traffic out of band to an IDS. How can the switch do this?
As we learned in an earlier unit, a switch only sends known unicast frames out of the port associated with the destination MAC address. How can the IDS get a copy of all network frames? There are two ways:
Port mirroring / SPAN (Switched Port Analyzer): the original method.
Network tap: the most commonly deployed method today.
The following links explore the differences between the two methods and illustrate why network taps are preferred today.
Using IDS Sensors in Switched Networks, A. Lukatsky, flylib.com
SPAN Port or TAP? CSO Beware, Tim O'Neill, LoveMyTool.com
Implementing Network Taps with Network Intrusion Detection Systems, Nathan Einwechter, Symantec
SPAN Port or TAP? White Paper, Gigamon (PDF)
Port Mirror vs Network Tap, ntop
How to capture traffic? (SPAN vs TAP), Boris Rogier, PerformanceVision
Intrusion Detection System (IDS) Deployments with Network Taps and Network Packet Brokers, comintindia.com
Snort: Port Mirroring, OpenManiak
Switch Port Mirroring, SecurityWizardry
Reposted from: https://www.cnblogs.com/sec875/articles/10420203.html