TMS zl Management and Configuration Guide ST.1.1.100430
6-18
Intrusion Detection and Prevention
Threat Detection and Prevention
Traffic that passes through ports not on this map will be assumed to be the
services that are associated with the IANA well-known ports. If no application
is assigned to the port by the TMS zl Module or IANA, the traffic will be treated
as generic TCP/UDP traffic.
Signature Detection
The IDS/IPS on the TMS zl Module can use signatures to detect known attacks
that have well-defined attack patterns. By comparing traffic to these
signatures, the IDS/IPS can identify patterns in the packet payload or header
that are known to indicate attacks.
Because hackers are constantly creating new attacks, the signature file must
be updated regularly to ensure your network is protected. To receive updated
signatures, you can purchase one of the following IDS/IPS signature
subscriptions:
■ HP ProCurve Threat Management Services zl Module with 1-year IDS/IPS
Subscription (J9156A)
■ HP ProCurve Threat Management Services 1-year IDS/IPS Subscription
(J9157A)
■ HP ProCurve Threat Management Services 2-year IDS/IPS Subscription
(J9158A)
■ HP ProCurve Threat Management Services 3-year IDS/IPS Subscription
(J9159A)
To download signatures, you must register the IDS/IPS signature subscription,
a process that is described later in this chapter. (See “Configure Signature
Detection” on page 6-28.)
When the IDS/IPS receives a packet for processing, it checks the application
protocol and scans for all enabled signatures for that protocol. This reduces
the amount of time it takes to check the packet because the IDS/IPS uses the
patterns that are specific to the application protocol that is being used.
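
The port-to-application lookup and protocol-scoped scan described above, as an added Python sketch (not HP's implementation or code from this guide). The port tables, signature patterns, and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample tables; the module's real port map and signature file differ.
MODULE_PORT_MAP = {("tcp", 2121): "ftp"}  # hypothetical administrator-defined mapping
IANA_WELL_KNOWN = {("tcp", 21): "ftp", ("tcp", 80): "http", ("udp", 500): "isakmp"}

@dataclass(frozen=True)
class Signature:
    name: str
    protocol: str
    pattern: re.Pattern
    enabled: bool = True

# Constructed patterns; only the first name comes from the guide's examples.
SIGNATURES = [
    Signature("FTP access using empty password", "ftp",
              re.compile(rb"^PASS ?\r\n", re.M)),
    Signature("FTP SITE EXEC (constructed, disabled)", "ftp",
              re.compile(rb"^SITE EXEC", re.M), enabled=False),
    Signature("HTTP TRACE method (constructed)", "http",
              re.compile(rb"^TRACE ")),
]

def classify(transport, port):
    """Module port map first, then IANA well-known ports, then generic TCP/UDP."""
    key = (transport, port)
    return MODULE_PORT_MAP.get(key) or IANA_WELL_KNOWN.get(key) or f"generic-{transport}"

def build_index(signatures):
    """Group enabled signatures by protocol so each packet is checked against its own set."""
    index = {}
    for sig in signatures:
        if sig.enabled:
            index.setdefault(sig.protocol, []).append(sig)
    return index

def inspect(index, transport, port, payload):
    """Return (application, names of matching signatures) for one packet."""
    app = classify(transport, port)
    hits = [s.name for s in index.get(app, []) if s.pattern.search(payload)]
    return app, hits

INDEX = build_index(SIGNATURES)

if __name__ == "__main__":
    for pkt in [("tcp", 2121, b"USER anonymous\r\nPASS \r\n"),
                ("tcp", 4444, b"PASS \r\n")]:
        print(pkt[:2], inspect(INDEX, *pkt))
```

The second sample packet shows the practical consequence of protocol-scoped scanning: the same payload on an unmapped port is classified as generic TCP and is never compared against the FTP signatures, so services on nonstandard ports need an entry in the port map to be inspected.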
The signatures are sorted into the following families, and a few examples of
the signatures in each family are shown:
■ Policy Violations
• FTP access using empty password
• McAfee Virus Scan Security Center vulnerability
• ISAKMP failed login