The audit rule is applied to an
interface on the router specifying a traffic direction (in or out) in much the
same way that ACLs are applied. As with ACLs, in or out is referenced to the
center of the router, not to the connected network. An inbound
rule audits traffic entering the router through the specified
interface. In deciding which interfaces to use and whether to apply the audits
in or out, consider the following information.
Inbound Audits
When an audit rule is applied to the in direction on an
interface, packets are audited before the inbound ACL has a chance to discard
them. This order allows the administrator, Syslog server, and/or IDS Director to
be alerted if an attack or information-gathering activity is underway, even if
the router would normally reject the activity.
Outbound Audits
When an audit rule is applied to the out direction on an
interface (an outbound rule), packets are audited only after
they have entered the router through another interface. In this case, an inbound ACL on
that other interface might discard packets before they’re audited, meaning the
administrator, Syslog server, and/or IDS Director won’t be alerted to an attack
or information-gathering activity that’s occurring. Even though the attack or
information-gathering activity was thwarted, the network is unaware of it, and
so, while the attacker is preparing the next assault, the administrator
doesn’t even know to prepare for it.
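The following configuration is an added example, not taken from the text, showing the inbound placement described above using Cisco IOS Firewall IDS `ip audit` commands; the audit name, interface names, addresses, and ACL 101 are assumed for illustration.

```cisco
! Deliver audit alarms to the Syslog server (use "ip audit notify nr-director"
! instead, or as well, when an IDS Director is in use)
logging 192.0.2.50
ip audit notify log
!
! Audit rule: alarm on informational signatures; alarm, drop and reset on attack signatures
ip audit name AUDIT-OUTSIDE info action alarm
ip audit name AUDIT-OUTSIDE attack action alarm drop reset
!
! Untrusted interface: apply the audit "in" so packets are inspected
! before the inbound ACL (101) discards them; the alarm is raised even
! for traffic the router would reject anyway
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ip audit AUDIT-OUTSIDE in
!
! Trusted interface: an "out" audit here would only see packets that
! ACL 101 on Serial0/0 had already permitted, so blocked probes would go unreported
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit tcp any host 192.168.1.10 eq www
access-list 101 deny ip any any log
```

Because the inbound audit inspects packets that ACL 101 will subsequently discard, expect alarms for activity that never reaches the protected network; check the applied direction with `show ip audit interfaces` and the rule definitions with `show ip audit configuration`.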