TMS zl Management and Configuration Guide ST.1.2.100916
Overview
IDS/IPS
Unlike signature-based detection, protocol anomaly detection does not require a specific signature for each attack. Therefore, it can detect undocumented or zero-day attacks, which helps to eliminate the window of vulnerability during the first hours or days after an exploit is launched. In addition, signature-based detection can miss threats when an attacker varies the threat from the known pattern, using polymorphism or other evasion techniques. Protocol anomaly detection helps the TMS zl Module to catch these variant attacks. Finally, protocol anomaly detection does not require signature updates or subscription licenses, thus lowering the administrative overhead.
Port Maps. In order to check for protocol anomalies, the TMS zl Module must know with which application a particular session is associated. The module receives this information from its port maps. For example, traffic for an HTTP (Web) session is typically destined to TCP port 80. Therefore, the module’s default port map matches TCP port 80 to HTTP. The module applies the HTTP protocol anomaly checks to traffic in a session with a TCP destination port of 80.
The TMS zl Module’s port map is user-customizable. If your servers use non-traditional ports for particular applications, you must specify the correct port for that application in your network. For example, suppose your Web servers use TCP destination port 50680. Map this port to HTTP; otherwise, the TMS zl Module will treat the traffic destined to 50680 as generic TCP traffic and will not screen it for HTTP protocol anomalies.
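The following added illustration (not the TMS zl Module's own code or port map format) models how a port map decides which protocol anomaly checks a session receives: a session to TCP port 80 is screened with HTTP checks by default, the same request to port 50680 is treated as generic TCP until that port is mapped to HTTP. The port-map structure, the `http_anomalies` check and the `screen` function are assumptions for this example; the request-line checks are a deliberately small stand-in for the module's real HTTP anomaly checks.

```python
# Added illustration (not the TMS zl Module's own code): a minimal model of how a
# port map selects which protocol-anomaly checks a session receives.
import re

# Hypothetical default port map, modelled on the page's example (TCP/80 -> HTTP).
DEFAULT_PORT_MAP = {("tcp", 80): "http"}

# Constructed, deliberately small set of HTTP request-line sanity checks that
# stands in for the module's real HTTP protocol anomaly checks.
_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_anomalies(payload: bytes) -> list:
    """Return the names of protocol anomalies found in the first request line."""
    findings = []
    m = _REQUEST_LINE.match(payload)
    if not m:
        return ["malformed-request-line"]
    method, target = m.group(1).decode(), m.group(2)
    if method not in _METHODS:
        findings.append("unknown-method")
    if len(target) > 2048:
        findings.append("oversized-request-target")
    return findings


# Which check set applies to which application; unmapped applications get none.
CHECKS = {"http": http_anomalies}


def classify(port_map: dict, proto: str, dst_port: int) -> str:
    """Resolve a session to an application via the port map; unmapped ports are generic."""
    return port_map.get((proto, dst_port), f"generic-{proto}")


def screen(port_map: dict, proto: str, dst_port: int, payload: bytes) -> tuple:
    """Apply only the anomaly checks that belong to the resolved application."""
    app = classify(port_map, proto, dst_port)
    check = CHECKS.get(app)
    return app, (check(payload) if check else [])


if __name__ == "__main__":
    # Constructed sample request with an oversized request target.
    bad = b"GET " + b"A" * 3000 + b" HTTP/1.1\r\nHost: example\r\n\r\n"
    print(screen(DEFAULT_PORT_MAP, "tcp", 80, bad))      # screened: HTTP by default
    print(screen(DEFAULT_PORT_MAP, "tcp", 50680, bad))   # generic TCP: not screened
    custom = {**DEFAULT_PORT_MAP, ("tcp", 50680): "http"}
    print(screen(custom, "tcp", 50680, bad))             # mapped: anomaly now caught
```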