Idp Rules - D-Link NetDefend DFL-210 User Manual
Network security firewall
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
6.5.3. IDP Rules
The console command
> updatecenter -status
will show the current status of the auto-update feature. This can also be done through the WebUI.
Updating in High Availability Clusters
Updating the IDP databases for both the D-Link Firewalls in an HA Cluster is performed
automatically by NetDefendOS. In a cluster there is always an active unit and an inactive unit. Only
the active unit in the cluster will perform regular checking for new database updates. If a new
database update becomes available the sequence of events will be as follows:
1.
The active unit determines there is a new update and downloads the required files for the
update.
2.
The active unit performs an automatic reconfiguration to update its database.
3.
This reconfiguration causes a failover so the passive unit becomes the active unit.
4.
When the update is completed, the newly active unit also downloads the files for the update
and performs a reconfiguration.
5.
This second reconfiguration causes another failover so the passive unit reverts back to being
active again.
These steps result in both D-Link Firewalls in a cluster having updated databases and with the
original active/passive roles. For more information about HA clusters refer to Chapter 11, High
Availability.
6.5.3. IDP Rules
Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in
makeup to an IP Rule. IDP Rules are constructed like other security policies in NetDefendOS such
as IP Rules. An IDP Rule specifies a given combination source/destination interfaces/addresses as
well as being associated with a Service object which defines which protocols to scan. A time
schedule can also be associated with an IDP Rule. Most importantly, an IDP Rule specifies the
Action to take on detecting an intrusion in the traffic targeted by the rule.
HTTP Normalization
Each IDP rule has a section of settings for HTTP normalization. This allows the administrator to
choose the actions that should be taken when IDP finds inconsistencies in the URIs embedded in
incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can
exploit weaknesses in some HTTP server products.
The URI conditions which IDP can detect are:
•
Invalid UTF8
This looks for any invalid UTF8 characters in a URI.
•
Invalid hex encoding
A valid hex sequence is where a percentage sign is followed by two hexadecimal values to
represent a single byte of data. An invalid hex sequence would be percentage sign followed by
267
Chapter 6. Security Mechanisms
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
