TMS zl Management and Configuration Guide ST.1.1.100226
6-8
Intrusion Detection and Prevention
IDS/IPS Concepts
■ Polymorphic/Metamorphic viruses and worms
Some viruses and worms are designed to use self-encryption and self-alteration to disguise themselves from antivirus software. This is done using metamorphic code: the code rewrites itself so that no part remains the same after the worm or virus replicates. Because the code continually changes, it is impossible to develop a signature file that can recognize the mutated virus or worm.
Malware
This broad, general term describes software that is at best a nuisance and at worst destructive to your network devices. Any software designed to use network resources or infiltrate network devices without the knowledge or consent of the device owner is considered malware. You must protect your network against several types of malware:
■ Adware—software that displays unwanted pop-up ads on an infected endpoint.
■ Spyware—software that keeps a record of Web sites visited, keystrokes, and other personal information.
■ Trojan horses—programs that offer desirable software enhancements but that also include adware, spyware, or other malware as an implicit part of the software package.
■ Rootkits—programs that allow an attacker to open network backdoors, which bypass normal authentication requirements in order to gain access to a network (see “Backdoors” on page 6-12).
Reconnaissance
Reconnaissance attacks are internal or external and are intentional. Less straightforward than brute force or other unauthorized access attacks, reconnaissance attacks rely on several methods for detecting vulnerabilities in your network so that any discovered vulnerabilities can be exploited.
For example, network administrators use network mapping and enumeration software to verify their network security. However, this software, which is freely available on the Internet, can also be used as part of an attack. Attackers can use it to gain information about endpoints and applications on your network before even attempting to breach the network perimeter security. Attackers can quickly and quietly discover a large amount of information about your network, including Service Pack and Hotfix information, ICMP and DNS resolution behavior, the operating system running on your network devices, and many other network vulnerabilities.
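As an added illustration of how an IDS can surface the reconnaissance activity described above (this is example code, not part of the TMS zl guide or product), the following detector reads constructed firewall log lines and flags any source that probes many distinct destination ports or hosts within a short window. The log format, field names, window size and threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (format and addresses are invented
# for this example); 10.0.0.5 sweeps eleven ports on one host in six seconds.
SAMPLE_LOG = """\
2024-01-15T10:00:01 DENY src=10.0.0.5 dst=192.168.1.10 dport=21
2024-01-15T10:00:01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22
2024-01-15T10:00:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=23
2024-01-15T10:00:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=25
2024-01-15T10:00:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=53
2024-01-15T10:00:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=80
2024-01-15T10:00:04 DENY src=10.0.0.5 dst=192.168.1.10 dport=110
2024-01-15T10:00:04 DENY src=10.0.0.5 dst=192.168.1.10 dport=135
2024-01-15T10:00:05 DENY src=10.0.0.5 dst=192.168.1.10 dport=139
2024-01-15T10:00:05 DENY src=10.0.0.5 dst=192.168.1.10 dport=443
2024-01-15T10:00:06 DENY src=10.0.0.5 dst=192.168.1.10 dport=445
2024-01-15T10:00:07 ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443
2024-01-15T10:05:00 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=80
2024-01-15T10:09:00 DENY src=10.0.0.5 dst=192.168.1.10 dport=3389
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Parse log lines into (timestamp, action, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, action, src, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events

def detect_port_sweeps(events, window=timedelta(seconds=60), threshold=10):
    """Return (src, first_ts, last_ts, count) for each source that touches at
    least `threshold` distinct (dst, dport) pairs inside any `window`."""
    by_src = defaultdict(list)
    for ts, _action, src, dst, dport in events:  # allowed and denied both count
        by_src[src].append((ts, dst, dport))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):            # sliding window over time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {(d, p) for _, d, p in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((src, hits[start][0], hits[end][0], len(distinct)))
                break                            # one alert per source
    return alerts
```

Running `detect_port_sweeps(parse_log(SAMPLE_LOG))` flags only 10.0.0.5; the two ordinary connections from 10.0.0.7 stay below the threshold.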