Understanding Detection Engines And Interface Sets - Nortel 2050 Installation Manual

TPS 3D Sensor and Defense Center

Understanding detection engines and interface sets

Integrating with proxy servers and NAT
Network address translation (NAT) devices or software may be employed across
a firewall, effectively hiding the IP addresses of internal hosts behind a firewall. If
3D Sensors with RNA are placed between these devices or software and the hosts
being monitored, RNA may incorrectly identify the hosts behind the proxy or NAT
device. In this case, Nortel recommends that you position 3D Sensors with RNA
inside the network segment protected by the proxy or NAT device to ensure that
hosts are correctly detected.
Integrating with load balancing methods
In some network environments, "round robin" DNS configurations are used to
perform network load balancing. In a round robin DNS system, IP addresses are
shared between two or more hosts with unique operating systems. In this case,
RNA will detect the operating system changes and will not be able to deliver a
static operating system identification with a high confidence value. Depending on
the number of different operating systems on the affected hosts, RNA may
generate a large number of operating system change events or present a static
operating system identification with a lower confidence value.
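The effect described above can be triaged from exported observations. The following is an added example, not Nortel code and not RNA's algorithm: the observation tuples are constructed, the "confidence" figure is simply the dominant operating system's share of observations, and the flap threshold is an assumed tuning value.

```python
from collections import Counter, defaultdict

# Constructed sample: (timestamp, ip, os_guess) passive observations.
# Field layout and values are illustrative, not RNA's event format.
OBSERVATIONS = [
    (1, "10.0.0.5", "Linux"), (2, "10.0.0.5", "Windows"),
    (3, "10.0.0.5", "Linux"), (4, "10.0.0.5", "Windows"),
    (5, "10.0.0.5", "Linux"), (6, "10.0.0.5", "FreeBSD"),
    (1, "10.0.0.9", "Windows"), (2, "10.0.0.9", "Windows"),
    (3, "10.0.0.9", "Windows"), (4, "10.0.0.9", "Windows"),
    (1, "10.0.0.7", "Linux"), (2, "10.0.0.7", "Linux"),
    (3, "10.0.0.7", "Windows"), (4, "10.0.0.7", "Windows"),
]

def summarize(observations):
    """Per IP: dominant OS, its share of observations, and change count."""
    by_ip = defaultdict(list)
    for ts, ip, os_guess in sorted(observations):  # time order within each IP
        by_ip[ip].append(os_guess)
    report = {}
    for ip, seq in by_ip.items():
        counts = Counter(seq)
        dominant, hits = counts.most_common(1)[0]
        # An "OS change" is any pair of consecutive observations that differ.
        changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
        report[ip] = {
            "dominant_os": dominant,
            "confidence": round(hits / len(seq), 2),  # share, not RNA's value
            "changes": changes,
            "distinct_os": len(counts),
        }
    return report

def classify(entry, flap_threshold=3):
    """Triage label; flap_threshold is an assumed tuning value."""
    if entry["distinct_os"] == 1:
        return "stable"
    if entry["changes"] >= flap_threshold:
        return "shared-address"  # alternating hosts: round robin, proxy or NAT
    return "os-changed"          # single transition: rebuild or readdressing

if __name__ == "__main__":
    for ip, entry in sorted(summarize(OBSERVATIONS).items()):
        print(ip, classify(entry), entry)
```

Addresses labelled shared-address are candidates for moving the sensor inside the affected segment or for excluding the address from operating system change alerting.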
Other RNA detection considerations
If an alteration has been made to the TCP/IP stack of the host being identified,
RNA may not be able to accurately identify the host operating system. In some
cases, this is done to improve performance. For instance, administrators of
Windows hosts running the Internet Information Services (IIS) Web Server are
encouraged to increase the TCP window size to allow larger amounts of data to
be received, thereby improving performance. In other instances, TCP/IP stack
alteration may be used to obfuscate the true operating system to preclude
accurate identification and avoid targeted attacks. The scenario this is
intended to address is one in which an attacker conducts a reconnaissance scan
of a network to identify hosts with a given operating system and then follows it
with a targeted attack on those hosts using an exploit specific to that operating
system.

A detection engine is the mechanism on a 3D Sensor that is responsible for
analyzing the traffic on the network segment where the sensor is connected.
Depending on which components are licensed on the sensor, 3D Sensors can
support three types of detection engines: IPS, RNA, and RUA.
A detection engine has two main components:
• an interface set, which can include one or more sensing interfaces
• a detection resource, which is a portion of the sensor's computing resources
Depending on the model, some 3D Sensors with IPS can use multiple detection
resources per detection engine, which allows you to use more computing
resources when network traffic is high.

Nortel TPS 3D Sensor and Defense Center Installation Guide, Release 4.7.0
Chapter 1: Before you begin
Page 18


This manual is also suitable for:

2070, 2150, 2170
