Benefits Of Using An Ids; Basic Idb - McAfee SG310 Administration Manual

Firewall menu options
Intrusion Detection Systems
• Lightweight and simple-to-configure Basic IDB (Intrusion Detection and Blocking)
• Industrial-strength Advanced Intrusion Detection and Prevention
Note:
The SG300 and SG560 provide Basic Intrusion Detection and Blocking only.
These two systems take quite different approaches. Basic Intrusion Detection offers a number of dummy
services to the outside world, which are monitored for connection attempts. Clients attempting to connect
to these dummy services can be blocked. Advanced Intrusion Detection uses complex rule sets to detect
known methods used by intruders to circumvent network security measures, which it either blocks or logs
to a remote database for analysis.

Benefits of using an IDS

External attackers attempting to access desktops and servers on the private network from the Internet are
the largest source of intrusions. Attackers exploiting known flaws in operating systems, networking
software, and applications compromise many systems through the Internet.
Generally firewalls are not granular enough to identify specific packet contents that signal an attack based
on a known system exploit. Firewalls act as a barrier analogous to a security guard screening anyone
attempting to enter and dismissing those deemed unsuitable, based on criteria such as identification.
However, identification can be forged. On the other hand, intrusion detection systems are more like
security systems with motion sensors and video cameras. Video screens can be monitored to identify
suspect behavior and help to deal with intruders.
Firewalls are often easily bypassed through well-known attacks. The most problematic types of attacks are
tunneling-based and application-based. Tunneling-based attacks occur when an attacker masks traffic that
would normally be screened by the firewall rules by encapsulating it within packets of another network
protocol. Application-based attacks occur when vulnerabilities in applications are exploited by sending
suspect packets directly to those applications. These attacks can potentially be detected and prevented
using an intrusion detection system.

Basic IDB

Basic IDB operates by offering a number of services to the outside world that are monitored for connection
attempts. Remote machines attempting to connect to these services generate a system log entry providing
details of the access attempt, and the access attempt is denied. Since network scans often occur before an
attempt to compromise a host, you can also deny all access from hosts that have attempted to scan
monitored ports.
Note:
An attacker can easily forge the source address of UDP or TCP requests. A host that automatically blocks
UDP or TCP probes might inadvertently restrict access from legitimate services. Proper firewall rules and ignored
hosts lists significantly reduce the risk of restricting legitimate services.
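The following is an added illustration of the Basic IDB decision logic described above; it is not McAfee code and does not reflect the appliance's implementation. It models the three behaviours the text names: connection attempts to monitored dummy ports are logged and denied, a host that probes a dummy port is thereafter denied all access, and hosts on an ignored-hosts list are exempt from automatic blocking (the mitigation the note recommends against forged source addresses). The port set, the ignored ranges, and the sample connection attempts are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass
class BasicIDB:
    """Toy model of Basic IDB (constructed example, not the product's code).

    monitored_ports: dummy services offered to the outside world
    ignored_hosts:   addresses or CIDR ranges never auto-blocked
    block_scanners:  whether a probe of a dummy port blocks the source host
    """
    monitored_ports: set[int]
    ignored_hosts: Iterable[str] = ()
    block_scanners: bool = True
    blocked: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # A bare address such as "10.0.0.5" becomes a /32 network.
        self._ignored_nets = [ip_network(h, strict=False) for h in self.ignored_hosts]

    def is_ignored(self, src: str) -> bool:
        """True when src falls inside any entry of the ignored-hosts list."""
        addr = ip_address(src)
        return any(addr in net for net in self._ignored_nets)

    def handle(self, src: str, proto: str, dport: int) -> str:
        """Decide one inbound connection attempt: returns 'allow' or 'deny'."""
        if src in self.blocked:
            # Host was caught scanning earlier: every further attempt is denied.
            self.log.append(f"DENY  {proto}/{dport} from {src}: host previously blocked for scanning")
            return "deny"
        if dport in self.monitored_ports:
            # Dummy service: record the attempt and refuse the connection.
            self.log.append(f"PROBE {proto}/{dport} from {src}: dummy service, access denied")
            if self.block_scanners and not self.is_ignored(src):
                # Ignored hosts are exempt because the source address may be forged
                # and blocking them could cut off a legitimate service.
                self.blocked.add(src)
                self.log.append(f"BLOCK {src}: all further access denied")
            return "deny"
        # Not a dummy service: the ordinary firewall rules decide, modelled here as allow.
        return "allow"


if __name__ == "__main__":
    # Constructed sample: TCP 21/23/139 are dummy services; 192.0.2.0/24 is trusted.
    idb = BasicIDB({21, 23, 139}, ignored_hosts=["192.0.2.0/24"])
    attempts = [
        ("198.51.100.7", "tcp", 23),   # scanner hits a dummy port -> logged, denied, blocked
        ("198.51.100.7", "tcp", 443),  # same host, real port -> denied because blocked
        ("192.0.2.10", "tcp", 21),     # ignored host probes -> logged, denied, NOT blocked
        ("192.0.2.10", "tcp", 443),    # ignored host, real port -> allowed
        ("203.0.113.5", "udp", 8080),  # unrelated traffic -> allowed
    ]
    for src, proto, dport in attempts:
        print(f"{src:>14} {proto}/{dport:<5} -> {idb.handle(src, proto, dport)}")
    print("\n".join(idb.log))
```

The ignored-hosts check runs only at the moment a host would be blocked, so probes from trusted ranges are still logged; that preserves the audit trail while honouring the note's advice that automatic blocking alone can lock out legitimate services whose address an attacker has spoofed.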
196
McAfee UTM Firewall 4.0.4 Administration Guide
