TMS zl Management and Configuration Guide ST.1.2.100916

Intrusion Detection and Prevention
IDS/IPS Concepts
However, some external attacks use perfectly legitimate traffic to infiltrate, overwhelm, rob, cripple, or destroy your network. Because attackers use legitimate traffic, such attacks cannot always be easily distinguished and stopped by perimeter protection methods, such as a traditional firewall.
External Intentional Attacks. In most cases, external attackers will aim attacks at well-known network vulnerabilities. These attacks are usually stopped by a good perimeter defense. However, not every external intentional attack is preventable. For example, some zero-day attacks might be unpreventable because they are designed to exploit vulnerabilities your security solutions are not configured to manage. One hundred percent protection from external attacks cannot be guaranteed without disconnecting your network from the Internet. However, a well-planned solution will eliminate the majority of attacks.
External Unintentional Attacks. External unintentional attacks are those that originate outside your network but that are not necessarily intended to harm the network. Most external unintentional attacks, such as a sudden flood of time requests to an overwhelmed NTP server that causes network devices to lose time synchronization, can be easily prevented through sturdy software and a good network design, but some external unintentional attacks are impossible to predict or prevent. An example of this is the “Slashdot effect,” which occurs when a Web site suddenly becomes too popular for the bandwidth and hosting devices to handle. This creates an unintentional DoS attack.
Internal Attacks
An internal attack, again as the name suggests, is an attack that originates within your trusted network. Attacks from inside the network are becoming much more prevalent; employee misuse of company resources, the installation of unauthorized software, limited access control, and scam email are a few examples. In addition, dissatisfied or recently terminated employees may seek to gain access to sensitive information on the network just to wreak havoc. And although internal attacks such as virus and worm infections are usually immediately noticeable, not all network intrusions are so obvious. For example, an attacker may successfully circumvent the security that protects your primary server by targeting a backup server instead. You can predict certain attacks, but you cannot always predict the method of the attack. Unless you are specifically looking for these problems, the unauthorized retrieval of restricted files or the misuse of network resources can go unnoticed for long periods of time. The resulting damage can be devastating.