IDP Rules - D-Link NetDefendOS User Manual

Network security firewall

Updating in High Availability Clusters
Updating the IDP databases for both units in an HA cluster is performed automatically by
NetDefendOS. In a cluster there is always an active unit and an inactive (passive) unit. Only the
active unit in the cluster performs the regular checking for new database updates. If a new
database update becomes available, the sequence of events is as follows:

1. The active unit determines there is a new update and downloads the required files for the
update.
2. The active unit performs an automatic reconfiguration to update its database.
3. This reconfiguration causes a failover, so the passive unit becomes the active unit.
4. When the update is completed, the newly active unit also downloads the files for the update
and performs a reconfiguration.
5. This second reconfiguration causes another failover, so the originally active unit reverts to
being active again.

These steps result in both NetDefend Firewalls in a cluster having updated databases and with
their original active/passive roles. For more information about HA clusters, refer to Chapter 11,
High Availability.

6.6.3. IDP Rules

Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is
constructed like other security policies in NetDefendOS, such as IP Rules: it specifies a given
combination of source/destination interfaces and addresses, and it is associated with a service
object that defines which traffic (for example, a given protocol and port) is subjected to IDP
scanning. A time schedule can also be associated with an IDP Rule, so that the rule is only in
effect at the scheduled times. Most importantly, an IDP Rule specifies the Action to take on
detecting an intrusion in the traffic targeted by the rule.
Action Options
After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action
associated with that Rule is taken. The administrator can associate one of three Action options
with an IDP Rule:
Ignore - Do nothing if an intrusion is detected and allow the connection to stay open.
Audit - Allow the connection to stay open but log the event.
Protect - Drop the connection and log the event. Additional options exist to blacklist the
source of the connection or to trigger the NetDefendOS ZoneDefense feature, as described
below.
Note that only Protect actually stops the detected traffic; Ignore and Audit both leave the
connection open.
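The following Python model, added here as an illustration and not taken from NetDefendOS or the D-Link manual, walks constructed connections through constructed IDP Rules to show how the rule components above (source/destination interface and address, service, optional schedule) select traffic and how the three Actions differ in outcome. Rule and signature names, the log line format, first-match rule ordering, and dropping later connections from a blacklisted source are assumptions made for the example.

```python
"""Toy model of IDP rule evaluation as described in the text above.

Added illustration, not NetDefendOS code.  Rule fields mirror the components the
manual lists; signature names, log format, blacklist behaviour and first-match
ordering are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class IDPRule:
    name: str
    src_if: str
    src_net: str                  # "any" or a CIDR such as "10.0.0.0/8"
    dst_if: str
    dst_net: str
    service: str                  # service object name, e.g. "http-all"
    action: str                   # "Ignore", "Audit" or "Protect"
    blacklist_source: bool = False              # Protect-only extra option
    schedule: Optional[Tuple[int, int]] = None  # (start_hour, end_hour); None = always


@dataclass
class Connection:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    service: str
    hour: int
    signature: Optional[str]      # set by the (simulated) pattern matcher; None = clean


@dataclass
class Verdict:
    rule: Optional[str]           # rule that decided, None if no rule selected the traffic
    allowed: bool
    logged: bool
    blacklisted: bool


def _net_match(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


def rule_applies(rule: IDPRule, conn: Connection) -> bool:
    """Does the rule's traffic selector (interfaces, addresses, service, schedule) match?"""
    if rule.src_if not in ("any", conn.src_if) or rule.dst_if not in ("any", conn.dst_if):
        return False
    if not (_net_match(rule.src_net, conn.src_ip) and _net_match(rule.dst_net, conn.dst_ip)):
        return False
    if rule.service != conn.service:
        return False
    if rule.schedule is not None:
        start, end = rule.schedule
        if not start <= conn.hour < end:
            return False
    return True


def evaluate(rules: List[IDPRule], conn: Connection,
             blacklist: Set[str], log: List[str]) -> Verdict:
    """Apply the first matching IDP rule and report what happens to the connection."""
    # Assumption: a source blacklisted by an earlier Protect hit is dropped outright.
    if conn.src_ip in blacklist:
        log.append(f"DROP blacklisted src={conn.src_ip}")
        return Verdict(None, False, True, True)
    for rule in rules:
        if not rule_applies(rule, conn):
            continue
        if conn.signature is None:            # scanned, nothing detected
            return Verdict(rule.name, True, False, False)
        if rule.action == "Ignore":           # detected, but do nothing
            return Verdict(rule.name, True, False, False)
        if rule.action == "Audit":            # detected: keep open, log it
            log.append(f"AUDIT rule={rule.name} sig={conn.signature} src={conn.src_ip}")
            return Verdict(rule.name, True, True, False)
        if rule.action == "Protect":          # detected: drop, log, optionally blacklist
            log.append(f"PROTECT rule={rule.name} sig={conn.signature} src={conn.src_ip}")
            if rule.blacklist_source:
                blacklist.add(conn.src_ip)
            return Verdict(rule.name, False, True, rule.blacklist_source)
        raise ValueError(f"unknown action {rule.action!r} in rule {rule.name}")
    return Verdict(None, True, False, False)  # no rule selects this traffic: not scanned


def demo() -> List[Verdict]:
    """Run constructed sample connections through two constructed rules."""
    rules = [
        IDPRule("idp_http_audit", "wan", "any", "lan", "10.0.0.0/8",
                "http-all", "Audit", schedule=(8, 18)),
        IDPRule("idp_smtp_protect", "wan", "any", "dmz", "192.168.1.0/24",
                "smtp", "Protect", blacklist_source=True),
    ]
    blacklist: Set[str] = set()
    log: List[str] = []
    conns = [  # constructed sample traffic
        Connection("wan", "203.0.113.5", "lan", "10.1.2.3", "http-all", 10, "HTTP_EXAMPLE_SIG"),
        Connection("wan", "203.0.113.5", "lan", "10.1.2.3", "http-all", 22, "HTTP_EXAMPLE_SIG"),
        Connection("wan", "203.0.113.7", "dmz", "192.168.1.25", "smtp", 10, "SMTP_EXAMPLE_SIG"),
        Connection("wan", "203.0.113.7", "lan", "10.1.2.3", "http-all", 10, None),
        Connection("lan", "10.1.2.3", "wan", "198.51.100.9", "http-all", 10, "HTTP_EXAMPLE_SIG"),
    ]
    verdicts = [evaluate(rules, c, blacklist, log) for c in conns]
    for line in log:
        print(line)
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Running `demo()` shows the points worth remembering from the text: the Audit rule logs the HTTP hit at 10:00 but lets it through, the same hit at 22:00 is outside the rule's schedule and is not scanned at all, the Protect rule drops the SMTP hit and (because blacklisting was enabled) a later, clean connection from that same source is dropped too, and traffic that no IDP Rule selects is never inspected.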
Associating IDP Signatures with an IDP Rule
In the Web Interface, associating signatures with an IDP rule is achieved by selecting the Action
for an IDP rule. A screenshot of selecting signatures in the Web Interface is shown below.
554
Chapter 6: Security Mechanisms