TMS zl Management and Configuration Guide ST.1.1.100430

IDS/IPS
The TMS zl Module can act as an IDS, which detects worms, denial of service
(DoS) attacks, and other threats. In routing mode, the TMS zl Module can also
function as an IPS, which mitigates these threats as well as detects them.
Threat Detection
When it functions as either an IDS or an IDS/IPS, the TMS zl Module detects
threats in all traffic received on its data port (port 1).
The TMS zl Module detects threats with:
Signature-based detection
Protocol-anomaly detection
Signature-Based Threat Detection
A signature is a preset definition that specifies characteristics that are indicative of a particular attack. When you enable a particular signature, the TMS zl Module checks all traffic for the characteristics that are defined in that signature.
The module supports deep-packet inspection; it examines traffic at all layers
of the OSI model—that is, the packet payload as well as the frame and packet
headers. For example, the signature for a virus might define the port that the
virus targets, which the module checks in the TCP or UDP header. The
signature might also specify the commands that the virus executes, which the
module checks in the packet payload.
By default, the TMS zl Module inspects only the first few kilobytes sent over a connection in each direction. However, you can enable full session inspection, in which the module inspects every packet in every connection. Full session inspection increases security but consumes more system resources.
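A simplified illustration of the deep-packet inspection and inspection-depth behaviour described above, added here as an example that is not part of this guide or of the module's firmware: a toy signature checks the destination port in the TCP/UDP header and a command string in the payload, and a per-direction byte budget models default partial inspection versus full session inspection. The signature format, the 2048-byte default, the addresses, ports and frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Signature:          # constructed; not the module's real signature format
    name: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP (checked in the IP header)
    dst_port: int         # checked in the TCP/UDP header
    pattern: bytes        # "command" bytes checked in the packet payload

@dataclass
class Inspector:
    signatures: list
    limit: Optional[int] = 2048               # bytes inspected per flow direction; None = full session
    seen: dict = field(default_factory=dict)  # flow key -> payload bytes already inspected

    def inspect(self, frame: bytes) -> list:
        """Return the names of signatures matched by one Ethernet/IPv4 frame."""
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # only IPv4 frames
            return []
        ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
        proto, src, dst = frame[23], frame[26:30], frame[30:34]
        l4 = 14 + ihl                                          # start of the TCP/UDP header
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        if proto == 6:
            hdr_len = (frame[l4 + 12] >> 4) * 4                # TCP data offset
        elif proto == 17:
            hdr_len = 8                                        # fixed UDP header
        else:
            return []
        payload = frame[l4 + hdr_len:]
        key = (src, dst, sport, dport)                         # one direction of a flow
        done = self.seen.get(key, 0)
        if self.limit is not None:                             # partial inspection stops after limit
            payload = payload[:max(0, self.limit - done)]
        self.seen[key] = done + len(payload)
        return [s.name for s in self.signatures
                if s.proto == proto and s.dst_port == dport and s.pattern in payload]

def build_tcp_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 header + minimal TCP header + payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload
```

With a small limit, a pattern that arrives only after the first bytes of a connection is missed by the partial inspector but caught when `limit` is `None`, which is the trade-off the paragraph above describes.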
Signature-based detection detects known threats with a high degree of certainty. However, because a signature must be developed for each new threat, signature-based detection does not detect new or undocumented threats.