Idp Actions - D-Link DFL-260E User Manual
Network security firewall netdefendos version 2.27.03
Hide thumbs
Also See for DFL-260E:
- Reference manual (948 pages) ,
- Log reference manual (652 pages) ,
- User manual (589 pages)
Table of Contents
Advertisement
6.5.7. IDP Actions
•
HTTP
3. Signature Group Sub-Category
The third level of naming further specifies the target of the group and often specifies the application,
for example MSSQL. The Sub-Category may not be necessary if the Type and Category are
sufficient to specify the group, for example APP_ITUNES.
Listing of IDP Groups
A listing of IDP groupings can be found in Appendix B, IDP Signature Groups. The listing shows
group names consisting of the Category followed by the Sub-Category, since the Type could be any
of IDS, IPS or POLICY.
Processing Multiple Actions
For any IDP rule, it is possible to specify multiple actions and an action type such as Protect can be
repeated. Each action will then have one or more signatures or groups associated with it. When
signature matching occurs it is done in a top-down fashion, with matching for the signatures for the
first action specified being done first.
IDP Signature Wildcarding
When selecting IDP signature groups, it is possible to use wildcarding to select more than one
group. The "?" character can be used to wildcard for a single character in a group name.
Alternatively, the "*" character can be used to wildcard for any set of characters of any length in a
group name.
6.5.7. IDP Actions
Action Options
After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action
associated with that Rule is taken. The administrator can associate one of three Action options with
an IDP Rule:
•
Ignore - Do nothing if an intrusion is detected and allow the connection to stay open.
•
Audit - Allow the connection to stay open but log the event.
•
Protect - This option drops the connection and logs the event (with the additional option to
blacklist the source of the connection or switching on ZoneDefense as described below).
Caution: Use the minimum IDP signatures necessary
Do not use the entire signature database and avoid using signatures and signature
groups unnecessarily. Instead, use only those signatures or groups applicable to the
type of traffic being protected.
For example, using only the IDP groups IDS_WEB*, IPS_WEB*, IDS_HTTP* and
IPS_HTTP* would be appropriate for protecting an HTTP server.
IDP traffic scanning creates an additional load on the hardware that, in most cases,
should not noticeably degrade performance. Using too many signatures during
scanning can make the load on the hardware unnecessarily high, adversely affecting
throughput.
327
Chapter 6. Security Mechanisms
- Quick Links:
- The Web Interface
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
