6.6. Intrusion Detection and Prevention
6.6.1. Overview
Intrusion Definition
Computer servers can sometimes have vulnerabilities which leave them exposed to attacks
carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks
which, if successful, can compromise or take control of a server. The generic term used to
describe these server-oriented threats is intrusions.
Intrusion Detection
Intrusions differ from viruses in that a virus is normally contained in a single file download,
usually delivered to a client system. An intrusion manifests itself as a malicious pattern of
Internet data aimed at bypassing server security mechanisms. Intrusions are not uncommon and
they evolve constantly, since their creation can be automated by the attacker. NetDefendOS IDP
provides an important line of defense against these threats.
Intrusion Detection and Prevention (IDP) is a NetDefendOS subsystem that is designed to protect
against these intrusion attempts. It operates by monitoring network traffic as it passes through
the NetDefend Firewall, searching for patterns that indicate an intrusion is being attempted.
Once detected, NetDefendOS IDP allows steps to be taken to neutralize both the intrusion
attempt as well as its source.
The Terms IDP, IPS and IDS
Note that the terms Intrusion Detection and Prevention (IDP), Intrusion Prevention System (IPS) and
Intrusion Detection System (IDS) may be used interchangeably in D-Link literature. They all refer to
the same feature, which is known as IDP within NetDefendOS.
IDP Issues
In order to have an effective and reliable IDP system, the following issues have to be addressed:
• What kinds of traffic should be analyzed?
• What should we search for in that traffic?
• What action should be carried out when an intrusion is detected?
NetDefendOS IDP Components
NetDefendOS IDP addresses the above issues with the following mechanisms:
• IDP Rules are configured by the administrator to determine what traffic should be scanned.
• Pattern Matching is applied by NetDefendOS IDP to the traffic that matches an IDP Rule as it
streams through the firewall.
• If NetDefendOS IDP detects an intrusion then the Action specified for the triggering IDP Rule
is taken.
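The three mechanisms above form a pipeline: a rule selects which traffic is scanned, the
selected traffic is run against a set of patterns, and a hit triggers the rule's action. The
following Python model is an added illustration of that pipeline and is not NetDefendOS code;
the rule fields, the two signature patterns, the action names "audit" and "protect", and the
sample traffic are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: just enough header fields for a rule to select it."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class IdpRule:
    """Stage 1: an IDP rule names the traffic to scan and the action on a hit.

    Field names are assumptions for this example, not NetDefendOS configuration keys.
    """
    name: str
    proto: str
    dport: int
    signature_names: tuple
    action: str  # "audit" = log only, "protect" = drop and block the source

    def selects(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and pkt.dport == self.dport


# Stage 2: signature patterns. Constructed illustrations, not a real signature database.
SIGNATURES = {
    "HTTP_PATH_TRAVERSAL": re.compile(rb"(\.\./){2,}"),   # repeated "../" in a request line
    "BACKDOOR_BEACON": re.compile(rb"^HELLO-BACKDOOR\b"),  # made-up client greeting
}


@dataclass
class Verdict:
    rule: Optional[str]       # which rule selected the packet, if any
    signature: Optional[str]  # which pattern matched, if any
    action: str               # "pass", "log" or "drop"


class IdpEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.blocked_sources = set()  # sources neutralized by a "protect" rule
        self.log = []                 # (rule, signature, source) for every hit

    def inspect(self, pkt: Packet) -> Verdict:
        # A source already neutralized stays blocked, whatever it sends next.
        if pkt.src in self.blocked_sources:
            return Verdict(None, None, "drop")
        # Rules are consulted top-down; the first one that selects the packet decides.
        for rule in self.rules:
            if not rule.selects(pkt):
                continue
            for sig_name in rule.signature_names:
                if SIGNATURES[sig_name].search(pkt.payload):
                    self.log.append((rule.name, sig_name, pkt.src))
                    # Stage 3: take the action configured on the triggering rule.
                    if rule.action == "protect":
                        self.blocked_sources.add(pkt.src)
                        return Verdict(rule.name, sig_name, "drop")
                    return Verdict(rule.name, sig_name, "log")
            return Verdict(rule.name, None, "pass")  # scanned, nothing matched
        return Verdict(None, None, "pass")           # no rule selected it: never scanned


RULES = [
    IdpRule("web_server", "tcp", 80, ("HTTP_PATH_TRAVERSAL",), "protect"),
    IdpRule("telnet_audit", "tcp", 23, ("BACKDOOR_BEACON",), "audit"),
]

# Constructed traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.10", "198.51.100.5", 80, "tcp", b"GET /../../../../secret.txt HTTP/1.1\r\n"),
    Packet("192.0.2.10", "198.51.100.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.20", "198.51.100.5", 23, "tcp", b"HELLO-BACKDOOR v1\r\n"),
    Packet("192.0.2.30", "198.51.100.5", 25, "tcp", b"EHLO mail.example\r\n"),
]


def run_demo():
    """Return the action taken for each sample packet, in order."""
    engine = IdpEngine(RULES)
    return [engine.inspect(p).action for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_TRAFFIC, run_demo()):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {action}")
```

The run shows the three stages separately: the SMTP packet on port 25 is never scanned because
no rule selects it; the second HTTP request hits the traversal pattern and the "protect" action
both drops it and blocks its source, so the harmless third request from the same source is
dropped too; the telnet packet hits an "audit" rule and is only logged.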
Chapter 6: Security Mechanisms