ZyWALL 5/35/70 Series User’s Guide
Chapter 12 Intrusion Detection and Prevention (IDP)
Firewalls are usually deployed at the network edge. However, many attacks (inadvertently) are 
launched from within an organization. Virtual private networks (VPN), removable storage 
devices and wireless networks may all provide access to the internal network without going 
through the firewall. 
12.1.2  IDS and IDP 
An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action
against attacks. An IDP, on the other hand, is a proactive defense mechanism designed to
detect malicious packets within normal network traffic and take an action (block, drop, log,
send an alert) against the offending traffic automatically, before it does any damage. An IDS
only raises an alert after the malicious payload has already been delivered. Worms such as Slammer
and Blaster proliferate so fast that by the time an alert is generated, the
damage is already done and spreading.
There are two main categories of IDP: Host IDP and Network IDP.
12.1.3  Host IDP 
The goal of a host-based intrusion is to infiltrate files on an individual computer or server in
order to access confidential information or destroy information on that computer.
You must install Host IDP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to
prevent attacks as well as log them.
The disadvantages of host IDPs are that you have to install them on each device you want to
protect in your network, and that, because of the necessarily tight integration with the host operating
system, future operating system upgrades could cause problems.
12.1.4  Network IDP 
Network-based intrusions have the goal of bringing down a network or networks by attacking
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised, for example,
then the whole LAN is compromised, resulting in the equivalent of a LAN Denial of Service
(DoS) attack. Host-based intrusions may be used to cause network-based intrusions when the
goal of the host virus is to propagate attacks on the network, or to attack computer/server
operating system vulnerabilities with the goal of bringing down the computer/server. Typical
“network-based intrusions” are SQL Slammer, Blaster, Nimda, MyDoom, etc.
A Network IDP has at least two network interfaces, one internal and one external. As packets 
appear at an interface they are passed to the detection engine, which determines whether they 
are malicious or not. If a malicious packet is detected, an action is taken. The remaining 
packets that make up that particular TCP session are also discarded.
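The following is an added illustration, not code from the ZyWALL product or this guide, of the two behaviours described above: the IDS-versus-IDP distinction from section 12.1.2 (an IDS alerts but still delivers the payload, an IDP acts on the packet) and the network IDP pipeline from 12.1.4 (packets pass through a detection engine, and once a packet in a TCP session is judged malicious, the rest of that session is discarded as well). The packets, flow keys, signature and the marker string it looks for are all constructed for this example; a real engine would also reassemble streams and carry far richer signatures.

```python
"""Toy inline detection engine (added example; not ZyXEL code).

Runs constructed packets through a signature matcher in either IDS mode
(alert only, everything forwarded) or IDP mode (offending packet dropped
and the remainder of that TCP session discarded).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Direction-independent session key: (endpoint A, endpoint B, protocol)
FlowKey = Tuple[Tuple[str, int], Tuple[str, int], str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    payload: bytes

    def flow(self) -> FlowKey:
        # Sort the endpoints so both directions of a session share one key.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (ends[0], ends[1], self.proto)


@dataclass
class Signature:
    name: str
    pattern: bytes                  # byte sequence searched for in the payload
    proto: Optional[str] = None     # optional protocol qualifier
    dst_port: Optional[int] = None  # optional destination-port qualifier

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return self.pattern in pkt.payload


@dataclass
class Engine:
    signatures: List[Signature]
    prevent: bool                   # False = IDS (alert only), True = IDP (block)
    blocked_flows: Set[FlowKey] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return the action for one packet: 'forward', 'drop' or 'drop-session'."""
        key = pkt.flow()
        # Remaining packets of a session already judged malicious are discarded.
        if key in self.blocked_flows:
            return "drop-session"
        for sig in self.signatures:
            if sig.matches(pkt):
                self.alerts.append(f"{sig.name} {pkt.src_ip}:{pkt.src_port} -> "
                                   f"{pkt.dst_ip}:{pkt.dst_port}")
                if not self.prevent:
                    return "forward"        # IDS: alert raised, payload still delivered
                if pkt.proto == "tcp":
                    self.blocked_flows.add(key)
                return "drop"               # IDP: offending packet never reaches the host
        return "forward"


def run(engine: Engine, packets: List[Packet]) -> List[str]:
    return [engine.inspect(p) for p in packets]


# Constructed signature; the marker string is invented for this example.
SIGNATURES = [Signature("TEST-MARKER", b"EXAMPLE-MALICIOUS-MARKER", proto="tcp", dst_port=80)]

# Constructed traffic: one benign session (port 40001) interleaved with one
# session (port 40002) whose first packet carries the marker.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 40002, 80, "tcp", b"POST /x EXAMPLE-MALICIOUS-MARKER"),
    Packet("10.0.0.7", "192.0.2.10", 40002, 80, "tcp", b"more data in the same session"),
    Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp", b"Host: example\r\n"),
]


def demo(prevent: bool) -> List[str]:
    """Run the sample traffic through a fresh engine and return the per-packet actions."""
    return run(Engine(SIGNATURES, prevent), SAMPLE)


if __name__ == "__main__":
    print("IDS:", demo(prevent=False))   # all four packets forwarded, one alert logged
    print("IDP:", demo(prevent=True))    # second packet dropped, third dropped as part of the session
```

In IDS mode every packet is forwarded and only the alert list records the hit, which is the "alert after delivery" behaviour the text warns about. In IDP mode the matching packet is dropped and its session key is remembered, so the follow-up packet of that session is discarded without being re-inspected while the unrelated benign session continues. The flow key is built from sorted endpoints so that a reply from the server side of a blocked session is also caught.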