Protocol Anomaly Detection - Watchguard Firebox X1000 User Manual


Chapter 9: Configuring Proxied Services
catch dangerous content types in ways that packet filters
cannot.
To add or configure a proxied service, use the procedures for filtered services in the previous chapter, "Configuring Filtered Services." For more information on proxies, see the following collection of FAQs:
https://support.watchguard.com/advancedfaqs/proxy_main.asp

Protocol Anomaly Detection

As attackers become more sophisticated, new tools are necessary to counter their threats. Anomaly detection is a powerful new technology for protecting your network from attacks.

An anomaly, in the context of network security, is data, action, or behavior that deviates from what is expected for a given user, network, or system. Because network protocols are normally very restrictive, strict models of expected behavior can be constructed and deviations easily noted. Protocol anomaly detection (PAD) can detect a wide range of anomalies within the protocol space.

Using protocol anomaly detection, you can automatically add originators of malformed packets to the auto-blocked sites list. You can specify the rules that determine whether a packet is malformed, such as "non-allowed query type" or "question length too long for DNS request."

Protocol anomaly detection is supported by the SMTP, FTP, and DNS proxies.
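
The two DNS rules quoted above can be expressed as checks against a strict model of a DNS request. The following is an added example, not WatchGuard code or part of the manual; the allowed query types, the 128-byte limit, the function names, the `auto_blocked` set, and the sample source addresses are all assumptions chosen for illustration.

```python
import struct

# Assumed policy values for illustration; not Firebox defaults.
ALLOWED_QTYPES = {1, 2, 5, 12, 15, 28}   # A, NS, CNAME, PTR, MX, AAAA
MAX_QUESTION_LEN = 128                   # bytes of encoded question name

def check_dns_query(payload: bytes) -> list:
    """Return the anomalies found in one UDP DNS request payload."""
    if len(payload) < 12:
        return ["truncated header"]
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    anomalies = []
    if flags & 0x8000:                   # QR bit must be 0 in a request
        anomalies.append("response bit set in request")
    if qdcount != 1:
        return anomalies + ["unexpected question count"]
    pos = 12
    while True:                          # walk the length-prefixed labels
        if pos >= len(payload):
            return anomalies + ["truncated question"]
        length = payload[pos]
        pos += 1
        if length == 0:                  # root label ends the name
            break
        if length > 63:                  # pointer or reserved label type
            return anomalies + ["invalid label length"]
        pos += length
    if pos - 12 > MAX_QUESTION_LEN:
        anomalies.append("question length too long for DNS request")
    if pos + 4 > len(payload):
        return anomalies + ["truncated question"]
    qtype, _qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qtype not in ALLOWED_QTYPES:
        anomalies.append("non-allowed query type")
    return anomalies

def build_query(name: str, qtype: int) -> bytes:
    """Build a constructed sample request for the demonstration."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

auto_blocked = set()  # stands in for the auto-blocked sites list (assumption)
SAMPLES = [("192.0.2.10", build_query("example.com", 1)),          # normal A query
           ("192.0.2.20", build_query("example.com", 252)),        # zone transfer type
           ("192.0.2.30", build_query(".".join(["a" * 60] * 3), 1))]  # 184-byte name
for src, pkt in SAMPLES:
    if check_dns_query(pkt):             # any anomaly blocks the originator
        auto_blocked.add(src)
```

Because the model lists what is permitted rather than what is known to be bad, a request outside it is flagged even when it matches no known attack signature.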
WatchGuard Firebox System
