According to the Intrusion Detection and Prevention textbook [1], data flowing through an IPS is processed in several stages:

Raw packet capture. In this step, packets passing the sensor are captured for further audit and analysis. Transmitted raw packets are picked up by a network interface card (NIC) and stored in memory so that they can be processed and analysed. An IPS generally has two modes for capturing raw packets before it passes them to the next component of the system. In promiscuous mode the NIC captures every packet that crosses its point of attachment to the network media, regardless of the destination address; this mode suits a network-based IPS. In non-promiscuous mode the NIC captures only the frames addressed to its own MAC address (together with broadcast frames and any multicast groups it has joined) [1]; this mode fits a host-based IPS. A network-based IPS usually uses two NICs: one dedicated to raw packet capture, and a second through which the host is administered and keeps its own network connectivity. In practice the capture interface is given no IP address, so the sensor itself cannot be addressed from the monitored segment.

Filtering. Capturing every raw packet is not always necessary. On fast network links in particular, filtering packets as they flow is preferable to capturing all of them, since the sensor cannot analyse every packet at line rate. The IPS can bypass packets on the basis of logical conditions or characteristics of the packets, such as packet type, IP addresses, and so on. The NIC itself can take part in filtering while packets pass through it: the NIC driver can expose the configuration used for filtering rules (a BPF-style filter installed on the capture socket is the common form). Filtering can also be done with packet filters configured to pass or drop particular packets according to their own configuration. Packets that are suspicious or not of interest are dropped at this stage and never reach the analysis engine.
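The two stages described above, raw packet capture in either mode followed by a packet filter, as an added toy model in Python. This is example code written for this page, not code from the textbook [1]; the MAC addresses, IP addresses and frames are constructed for the demonstration, and the capture "NIC" is simply a list of frames rather than a real interface.

```python
# Added example (not from the textbook [1]): toy model of the IPS front end,
# raw capture (promiscuous vs non-promiscuous) followed by a packet filter.
# All frames, MAC and IP addresses below are constructed for the demo.
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_ARP = 0x0806     # EtherType for ARP
IPPROTO_TCP, IPPROTO_UDP = 6, 17
BROADCAST_MAC = b"\xff" * 6


@dataclass
class Packet:
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    src_ip: Optional[str]    # None for non-IPv4 frames
    dst_ip: Optional[str]
    proto: Optional[int]     # IPv4 protocol number, None for non-IPv4 frames
    raw: bytes


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_ipv4_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                     proto: int, payload: bytes = b"") -> bytes:
    """Ethernet II frame carrying a minimal IPv4 header (checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip_hdr + payload


def parse_frame(raw: bytes) -> Optional[Packet]:
    """Decode the Ethernet header and, for IPv4, the addresses and protocol."""
    if len(raw) < 14:
        return None                       # runt frame: no complete Ethernet header
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    src_ip = dst_ip = proto = None
    if ethertype == ETH_P_IP and len(raw) >= 34:
        proto = raw[23]                   # IPv4 header byte 9 is the protocol field
        src_ip = socket.inet_ntoa(raw[26:30])
        dst_ip = socket.inet_ntoa(raw[30:34])
    return Packet(dst, src, ethertype, src_ip, dst_ip, proto, raw)


def capture(frames: List[bytes], nic_mac: bytes, promiscuous: bool) -> List[Packet]:
    """Stage 1, raw capture into the memory buffer handed to the next stage.

    Promiscuous mode keeps every frame seen on the medium (network-based IPS);
    non-promiscuous mode keeps only frames addressed to this NIC's MAC or to
    broadcast (host-based IPS).
    """
    buffer = []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        if not promiscuous and pkt.dst_mac not in (nic_mac, BROADCAST_MAC):
            continue
        buffer.append(pkt)
    return buffer


def apply_filter(buffer: List[Packet], rules: List[Callable[[Packet], bool]]) -> List[Packet]:
    """Stage 2, packet filter: a packet survives only if every rule accepts it."""
    return [pkt for pkt in buffer if all(rule(pkt) for rule in rules)]


# Constructed sample traffic: the sensor NIC, two monitored hosts, a management host.
SENSOR_MAC, HOST_A_MAC = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:0a")
HOST_B_MAC, MGMT_MAC = mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:fe")
MGMT_IP = "10.0.0.1"

SAMPLE_FRAMES = [
    build_ipv4_frame(SENSOR_MAC, HOST_A_MAC, "10.0.0.5", "10.0.0.2", IPPROTO_TCP, b"GET"),
    build_ipv4_frame(HOST_B_MAC, HOST_A_MAC, "10.0.0.5", "10.0.0.7", IPPROTO_TCP, b"SYN"),
    BROADCAST_MAC + HOST_A_MAC + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28,  # ARP request
    build_ipv4_frame(HOST_B_MAC, HOST_A_MAC, "10.0.0.5", "10.0.0.7", IPPROTO_UDP, b"dns"),
    build_ipv4_frame(HOST_B_MAC, MGMT_MAC, MGMT_IP, "10.0.0.7", IPPROTO_TCP, b"ssh"),
]

# Filter rules of the kind the text describes: packet type and IP addresses.
FILTER_RULES = [
    lambda p: p.ethertype == ETH_P_IP,                       # IPv4 only, drops the ARP frame
    lambda p: p.proto == IPPROTO_TCP,                        # TCP only, drops the UDP frame
    lambda p: MGMT_IP not in (p.src_ip, p.dst_ip),           # bypass management traffic
]


def run_demo() -> dict:
    """Return how many packets survive each stage for the sample traffic."""
    promisc = capture(SAMPLE_FRAMES, SENSOR_MAC, promiscuous=True)
    local = capture(SAMPLE_FRAMES, SENSOR_MAC, promiscuous=False)
    return {
        "promiscuous": len(promisc),                           # 5: everything on the wire
        "non_promiscuous": len(local),                         # 2: frame to sensor + broadcast ARP
        "filtered": len(apply_filter(promisc, FILTER_RULES)),  # 2: the two TCP flows of interest
    }


if __name__ == "__main__":
    print(run_demo())
```

The non-promiscuous capture keeps only the frame addressed to the sensor's own MAC and the broadcast ARP, which is exactly why it suits a host-based sensor and misses the host-to-host TCP flow that a network-based sensor in promiscuous mode sees. The filter stage then discards the ARP and UDP frames and the management host's traffic before anything reaches analysis; on a real sensor the same three conditions would be expressed as a kernel-level capture filter rather than Python predicates.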