TMS zl Management and Configuration Guide ST.1.0.090213

Intrusion Detection and Prevention
Overview
SQL Injection
Similar to XSS attacks, a SQL injection attack is launched when a user submits malicious SQL code through a Web page that queries a SQL database. For example, Web pages built on improperly secured ASP.NET applications (or on any other framework that assembles queries by concatenating user input) are vulnerable to SQL injection attacks. A successful SQL injection can expose or alter data stored in these databases and, depending on the database configuration, lead to remote code execution on the database server. Users that access a compromised SQL database can become unwitting victims of attacks that install malicious software onto their workstations.
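The following added example (not part of the original guide, and not code from the TMS zl product) shows the defect the paragraph describes and its fix side by side. It uses Python's built-in sqlite3 driver with a constructed in-memory users table: a login check that concatenates user input into the query, the same check written with a parameterized query, and a small set of hypothetical IDS/IPS-style request signatures (the regular expressions are assumptions for illustration) to show what a signature catches and what slips past it.

```python
import re
import sqlite3


# Constructed sample data: a minimal in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so whatever the user typed
    is parsed as SQL. This is the defect the text describes."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the values are bound by the driver and never
    interpreted as SQL, so the same inputs cannot alter the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Hypothetical signatures of the kind an IDS/IPS might apply to request
# parameters (assumed patterns, not the product's own signature set).
INJECTION_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"--|/\*|;"),                                   # comment / statement terminators
]


def looks_like_injection(value):
    """True if any signature matches the submitted parameter value."""
    return any(p.search(value) for p in INJECTION_SIGNATURES)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"),
                     ("alice' --", "wrong"),
                     ("nobody", "' OR '1'='1"),
                     ("nobody", "' OR 'a' LIKE 'a")]:
        print(f"{user!r:16} {pw!r:18} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)} flagged={looks_like_injection(pw) or looks_like_injection(user)}")
```

The last input in the demo logs in through the concatenated query but matches neither signature, which is the practical caveat: network-side signatures are a compensating control that catches known payload shapes, while the fix that removes the vulnerability is binding parameters in the application.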
Viruses and Worms
Viruses and worms can spread rampantly through an unprotected network and cause enormous damage to vital files and network resources. Two categories of viruses and worms are described below:
Zero-day viruses and worms
Worm and virus attacks initially took days or weeks to spread across a geographical area, which gave developers time to distribute warnings and signature files across the Internet. However, in 2003 and 2004, worms such as SQL Slammer and Sasser propagated around the world in a matter of hours (Slammer saturated most of its vulnerable hosts within minutes), before anyone had time to create a signature to detect them. These "zero-day" attacks consume enormous amounts of network resources as they propagate and can use unique code that most antivirus software does not yet recognize. Without a way to detect the new worm or virus, most networks are left completely exposed.
Polymorphic/Metamorphic viruses and worms
Some viruses and worms use self-encryption and self-alteration to disguise themselves from antivirus software. A polymorphic worm encrypts its body under a different key on every replication, so the encrypted body differs from copy to copy and only a small decryption routine stays recognizable. A metamorphic worm goes further and rewrites its own code, so that no part (including the decryptor) remains the same after the worm or virus replicates. Because the code continually changes, a static signature that matches a fixed byte pattern cannot reliably recognize the mutated virus or worm.
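As an added illustration (not from the original guide and not the product's own detection logic), the script below models the polymorphic case in Python: a constructed stand-in "worm body" is XOR-encrypted under a per-copy key behind a fixed decryptor stub. It then compares three detection approaches over a batch of variants: a byte signature taken from the plaintext body, a signature on the unchanging decryptor stub, and decrypt-then-scan, which is what an emulating scanner does. The payload string, the three-byte stub marker and the XOR scheme are all assumptions for illustration.

```python
import hashlib
import os

# Constructed stand-in for a worm body; a real sample would be machine code.
PAYLOAD = b"WORM_BODY: copy self to every reachable share, then scan port 445"

STUB_MARKER = b"DEC"  # hypothetical marker standing in for the fixed decryptor routine


def make_variant(payload=PAYLOAD, key=None):
    """Build one polymorphic variant: the body XOR-encrypted under a per-copy
    key, preceded by a fixed stub that carries the key and body length."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255  # 1..255; key 0 would leave the body in clear
    body = bytes(b ^ key for b in payload)
    stub = STUB_MARKER + bytes([key]) + len(body).to_bytes(2, "big")
    return stub + body


def decrypt_variant(variant):
    """What the stub does at run time: recover the original body."""
    key = variant[3]
    length = int.from_bytes(variant[4:6], "big")
    return bytes(b ^ key for b in variant[6:6 + length])


def body_signature_hits(sample, signature=b"WORM_BODY"):
    """Naive static scan for a byte pattern taken from the plaintext body."""
    return signature in sample


def stub_signature_hits(sample):
    """Static scan for the decryptor stub, the one part that does not mutate."""
    return sample.startswith(STUB_MARKER)


def emulate_and_scan(sample):
    """Decrypt first, as an emulating scanner would, then apply the body signature."""
    if stub_signature_hits(sample):
        sample = decrypt_variant(sample)
    return body_signature_hits(sample)


def scan_variants(keys):
    """Generate one variant per key and count what each approach detects."""
    variants = [make_variant(key=k) for k in keys]
    return {
        "variants": len(variants),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "body_signature": sum(body_signature_hits(v) for v in variants),
        "stub_signature": sum(stub_signature_hits(v) for v in variants),
        "emulated": sum(emulate_and_scan(v) for v in variants),
    }


if __name__ == "__main__":
    print(scan_variants(range(1, 21)))
```

Every variant hashes differently and the body signature finds none of them, yet the stub signature and decrypt-then-scan find all of them. That is the polymorphic gap in one run: the detectable anchor is the decryptor, not the body. A metamorphic worm rewrites the decryptor as well, removing even that anchor, which is why detection of such worms leans on emulation or on behavioural indicators (propagation rate, scanning of a single port across many hosts) rather than on a static byte pattern.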
Malware
This broad, general term describes software that is at best a nuisance and at worst destructive to your network devices. Any software designed to consume network resources or infiltrate network devices without the knowledge or consent of the device owner is considered malware. You must protect your network against several types of malware.