TMS zl Management and Configuration Guide ST.1.0.090213

1-33
Overview
IDS/IPS
The TMS zl Module can act as an IDS, which detects worms, denial of service
(DoS) attacks, and other threats. In routing mode, the TMS zl Module can also
function as an IPS, which mitigates these threats as well as detects them.
Threat Detection
When it functions as either an IDS or an IDS/IPS, the TMS zl Module detects
threats in all traffic received on its data port (port 1).
The TMS zl Module detects threats with:
- Signature-based detection
- Protocol-anomaly detection
Signature-Based Threat Detection
A signature is a preset definition that specifies characteristics that are
indicative of a particular attack. When you enable a particular signature, the TMS zl
Module checks all traffic for the characteristics that are defined in that
signature. The module supports deep-packet inspection; it examines traffic at
all layers of the OSI model—that is, the packet payload as well as the frame
and packet headers. For example, the signature for a virus might define the
port that the virus targets, which the module checks in the TCP or UDP header.
The signature might also specify the commands that the virus executes, which
the module checks in the packet payload.
By default, the TMS zl Module inspects only the first few kilobytes sent over
a connection in each direction. However, you can enable full session
inspection, in which the module inspects every packet in every connection. Full
session inspection increases security but consumes more system resources.
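As an added illustration, not HP's code or the module's actual inspection engine, the following Python sketch mimics the two behaviours described above: a signature that combines a destination port (checked in the TCP/UDP header) with a byte pattern (checked in the payload), applied per direction to at most `byte_limit` bytes of a connection unless full session inspection is enabled. The byte limit, the signature, and the session contents are constructed assumptions.

```python
# Added example (not from the TMS zl guide): toy per-direction inspection window.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    name: str
    port: int        # characteristic checked in the TCP/UDP header
    pattern: bytes   # characteristic checked in the packet payload

@dataclass
class Inspector:
    signatures: list
    byte_limit: int = 4096        # assumed "first few kilobytes" per direction
    full_session: bool = False    # True = inspect every packet of every connection
    _seen: dict = field(default_factory=dict)  # (flow, direction) -> bytes inspected

    def inspect(self, flow, direction, dst_port, payload):
        """Return the names of signatures this packet matches ([] if clean or skipped)."""
        key = (flow, direction)
        seen = self._seen.get(key, 0)
        if not self.full_session and seen >= self.byte_limit:
            return []   # past the inspection window: packet is forwarded uninspected
        self._seen[key] = seen + len(payload)
        return [s.name for s in self.signatures
                if s.port == dst_port and s.pattern in payload]

def run_demo(full_session):
    # Constructed signature and session, for illustration only.
    sigs = [Signature("toy-worm", 445, b"EXEC_CMD")]
    insp = Inspector(sigs, byte_limit=4096, full_session=full_session)
    hits = []
    for _ in range(5):                                   # 5 KB of benign data first
        hits += insp.inspect("flow-1", "c2s", 445, b"A" * 1024)
    hits += insp.inspect("flow-1", "c2s", 445, b"...EXEC_CMD...")  # arrives late
    return hits

if __name__ == "__main__":
    print("default window:", run_demo(False))   # pattern arrives after the window
    print("full session:  ", run_demo(True))    # every packet inspected
```

The late-arriving pattern is missed under the default window and caught only with full session inspection, which is the trade-off the text describes; a variant the signature does not describe is missed in either mode.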
Signature-based detection detects known threats with a high degree of
certainty. However, because a signature must be developed for each new threat,
signature-based detection does not detect new or undocumented threats.
IPS Subscription. The TMS zl Module requires a subscription to download
and update IDS/IPS signatures. The module supports these subscriptions:
HP ProCurve Threat Management Services 1-year IDS/IPS Subscription (J9157A)