Idp Rules - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

6.5.3. IDP Rules

A new, updated signature database is downloaded automatically by the NetDefendOS system at a
configurable interval. This is done via an HTTP connection to the D-Link server network, which
delivers the latest signature database updates. If the server's signature database has a newer version
than the current local database, the new database will be downloaded, replacing the older version.
The Terms IDP, IPS and IDS
The terms Intrusion Detection and Prevention (IDP), Intrusion Prevention System (IPS) and
Intrusion Detection System (IDS) are used interchangeably in D-Link literature. They all refer to the
same feature, which is IDP.
Setting the Correct System Time
It is important that NetDefendOS has the correct system time set if the auto-update feature in the
IDP module is to function correctly. An incorrect time can mean the auto-updating is disabled.
The console command
> updatecenter -status
will show the current status of the auto-update feature. This can also be done through the WebUI.
Updating in High Availability Clusters
Updating the IDP databases for both the NetDefend Firewalls in an HA Cluster is performed
automatically by NetDefendOS. In a cluster there is always an active unit and an inactive unit. Only
the active unit in the cluster will perform regular checking for new database updates. If a new
database update becomes available the sequence of events will be as follows:
1. The active unit determines there is a new update and downloads the required files for the
   update.
2. The active unit performs an automatic reconfiguration to update its database.
3. This reconfiguration causes a failover so the passive unit becomes the active unit.
4. When the update is completed, the newly active unit also downloads the files for the update
   and performs a reconfiguration.
5. This second reconfiguration causes another failover so the passive unit reverts back to being
   active again.
These steps result in both NetDefend Firewalls in the cluster having updated databases while
keeping their original active/passive roles. For more information about HA clusters refer to
Chapter 11, High Availability.
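
The sequence above can be modelled to show what to verify after an update window: exactly two failovers, the original unit active again, and both units on the new database. This is an added example, not D-Link code; the unit names, version numbers and the second_update=False failure case are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Unit:
    name: str
    active: bool
    db_version: int

def update_cluster(units, new_version, second_update=True):
    """Replay the five documented steps and return a trace of
    (step, active unit name, {unit: db_version}) snapshots."""
    first = next(u for u in units if u.active)       # active at start
    second = next(u for u in units if not u.active)  # passive at start
    trace = []

    def snap(step):
        active = next(u.name for u in units if u.active)
        trace.append((step, active, {u.name: u.db_version for u in units}))

    def failover():
        first.active, second.active = second.active, first.active

    snap(0)
    first.db_version = new_version       # steps 1-2: download and reconfigure
    snap(2)
    failover()                           # step 3: peer becomes active
    snap(3)
    if second_update:                    # False = constructed failure case
        second.db_version = new_version  # step 4: peer downloads and reconfigures
        snap(4)
        failover()                       # step 5: original roles return
        snap(5)
    return trace

def audit(trace, new_version):
    """Return a list of deviations from the documented end state."""
    problems = []
    if trace[0][1] != trace[-1][1]:
        problems.append("active/passive roles not restored")
    stale = sorted(n for n, v in trace[-1][2].items() if v != new_version)
    if stale:
        problems.append("stale database on: " + ", ".join(stale))
    failovers = sum(a[1] != b[1] for a, b in zip(trace, trace[1:]))
    if failovers != 2:
        problems.append(f"expected 2 failovers, saw {failovers}")
    return problems

if __name__ == "__main__":
    cluster = [Unit("fw-a", True, 100), Unit("fw-b", False, 100)]  # constructed
    print(audit(update_cluster(cluster, 101), 101))
```

An empty list from audit means the cluster ended in the state the manual describes; any entry points to a unit left on an older signature database or to roles that did not revert.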
6.5.3. IDP Rules
Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in
makeup to an IP Rule and is constructed like other security policies in NetDefendOS. An IDP Rule
specifies a given combination of source/destination interfaces/addresses and is associated with a
service object which defines which protocols to scan. A time schedule can also be associated with
an IDP Rule. Most importantly, an IDP Rule specifies the Action to take on detecting an intrusion
in the traffic targeted by the rule.
Chapter 6. Security Mechanisms