ZyXEL Communications ZyWALL 1000 User Manual
ZyWALL USG 1000 User’s Guide
445
C
H A P T E R
30
ADP
This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and
binding an ADP profile to a traffic direction. See
binding an ADP profile to a traffic direction. See
for related
information on these screens.
30.1 Introduction to ADP
An ADP system can detect malicious or suspicious packets and respond instantaneously. It can
detect:
detect:
• Anomalies based on violations of protocol standards (RFCs – Requests for Comments)
• Abnormal flows such as port scans.
• Abnormal flows such as port scans.
30.1.1 Host Intrusions
The goal of host-based intrusions is to infiltrate files on an individual computer or server in
with the goal of accessing confidential information or destroying information on a computer.
You must install a host ADP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to
prevent attacks as well as log them.
Disadvantages of host ADPs are that you have to install them on each device (that you want to
protect) in your network and due to the necessarily tight integration with the host operating
system, future operating system upgrades could cause problems.
with the goal of accessing confidential information or destroying information on a computer.
You must install a host ADP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to
prevent attacks as well as log them.
Disadvantages of host ADPs are that you have to install them on each device (that you want to
protect) in your network and due to the necessarily tight integration with the host operating
system, future operating system upgrades could cause problems.
30.1.2 Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example,
then the whole LAN is compromised. Host-based intrusions may be used to cause network-
based intrusions when the goal of the host virus is to propagate attacks on the network, or
attack computer/server operating system vulnerabilities with the goal of bringing down the
computer/server. Typical “network-based intrusions” are SQL slammer, Blaster, Nimda
MyDoom etc.
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example,
then the whole LAN is compromised. Host-based intrusions may be used to cause network-
based intrusions when the goal of the host virus is to propagate attacks on the network, or
attack computer/server operating system vulnerabilities with the goal of bringing down the
computer/server. Typical “network-based intrusions” are SQL slammer, Blaster, Nimda
MyDoom etc.