An IDS usually uses specific signatures and compares them to the data passing 
through it in a non-intrusive, transparent manner and takes no action, but just 
merely logs an event if it identifies one.  Therefore, it is reactive and it 
uses a negative enforcement model of identifying known "bad" traffic.

An application layer firewall will inspect traffic at layer 7 and determine 
whether the traffic is working within a given set of confines, which is usually 
that of an RFC.  If so, then it allows the traffic.  The argument here is that 
most attacks do not fall within the confines of RFCs.  The question is: does your 
web server comply with RFCs?  If not, it's not worth much more to you than a packet 
filter.  This is a positive enforcement model, though, as it only allows known 
"good" traffic.
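
The two enforcement models contrasted above, run over the same HTTP request lines, as an added example that is not part of the original post. The signature list, the simplified request-line grammar, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",                # ordinary request
    "GET /scripts/../../etc/passwd HTTP/1.1",  # matches a known-bad signature
    "GET /index.html\tHTTP/1.1",               # malformed separator, no signature
]

# Negative model (IDS): hypothetical signatures for known "bad" traffic.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "cmd-exe": re.compile(r"cmd\.exe", re.I),
}

# Positive model (application layer firewall): a simplified form of the
# HTTP/1.1 request-line syntax (method SP request-target SP HTTP-version,
# as in RFC 7230). This is an assumption-level subset, not the full ABNF.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TARGET = r"/[A-Za-z0-9\-._~!$&'()*+,;=:@/%?]*"
REQUEST_LINE = re.compile(rf"{TOKEN} {TARGET} HTTP/1\.[01]")


def ids_check(line):
    """Negative model: return the names of matching signatures.

    The caller only logs these; nothing is blocked.
    """
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


def firewall_check(line):
    """Positive model: allow the line only if it fits the grammar."""
    return REQUEST_LINE.fullmatch(line) is not None


if __name__ == "__main__":
    for line in SAMPLES:
        verdict = "allow" if firewall_check(line) else "drop"
        print(f"{line!r}: IDS log={ids_check(line)} firewall={verdict}")
```

The tab-separated line has no signature, so the IDS logs nothing, while the grammar check drops it; the traversal line is syntactically valid, so only the signature flags it.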
