TMS zl Management and Configuration Guide ST.1.1.100226

Intrusion Detection and Prevention
IDS/IPS Concepts
External Unintentional Attacks. External unintentional attacks are those
that originate outside your network but are not necessarily intended to
harm it. Most external unintentional attacks, such as a sudden flood of time
requests that overwhelms an NTP server and causes network devices to lose
time synchronization, can be prevented through robust software and sound
network design. Some, however, are impossible to predict or prevent. An
example is the “Slashdot effect,” which occurs when a Web site suddenly
becomes too popular for the available bandwidth and hosting devices to
handle; the legitimate traffic itself creates an unintentional DoS condition.
Internal Attacks
An internal attack, again as the name suggests, is an attack that originates
within your trusted network. Attacks from inside the network are becoming
much more prevalent; employee misuse of company resources, installation of
unauthorized software, weak access control, and scam email are a few
examples. In addition, dissatisfied or recently terminated employees may
seek to gain access to sensitive information on the network simply to wreak
havoc. Although internal attacks such as virus and worm infections are
usually noticeable immediately, not all network intrusions are so obvious.
For example, an attacker may bypass the security that protects your
production server by targeting a less closely protected backup server. You
can predict that certain attacks will occur, but you cannot always predict
the method. Unless you are specifically looking for these problems, the
unauthorized retrieval of restricted files or the misuse of network
resources can go unnoticed for long periods of time, and the resulting
damage can be devastating.
Internal Intentional Attacks. Internal intentional attacks are caused by
someone who already has some trusted access to your network. Perpetrators
might include disgruntled employees, partners, or administrators who abuse
their network access privileges to wreak havoc or deliberately open perimeter
network security holes.
Internal Unintentional Attacks. Internal unintentional attacks are largely
the result of uninformed users or administrators. For example, less-than-
savvy users may inadvertently release a virus or worm onto the network by
connecting an insecure laptop or workstation, or by downloading infected
software while accessing the Internet through the network. Or, as another
example, company policy might dictate that whenever the internal email
server receives a message infected with a virus or worm, it sends a warning
to every mailbox on the network. Although a warning is a good idea, if the
email server is flooded with infected messages it may generate hundreds or
even thousands of warning emails, and this well-intentioned automated
response can itself clog the network.