ZyWALL IDP 10 User’s Guide
Appendix B Intrusion Protection
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking
computers, switches, routers or modems. If a LAN switch is compromised, for example,
then the whole LAN is compromised, resulting in the equivalent of a LAN Denial of Service
(DoS) attack. Host-based intrusions may also lead to network-based intrusions, when the
goal of the host virus is to propagate attacks across the network, or to attack computer/server
operating system vulnerabilities in order to bring down the computer/server. Typical
“network-based intrusions” are SQL Slammer, Blaster, Nimda, MyDoom etc. See the
appendices for more details.
A network IDP has at least two network interfaces, one internal and one external. As packets
arrive at an interface they are passed to the detection engine, which determines whether or not
they are malicious. If a malicious packet is detected, an action is taken, and the remaining
packets that make up that particular TCP session are also discarded.
Detection Methods
An IDP system employs a mix of detection methods to identify attacks.
Pattern Matching
Pattern matching identifies a fixed sequence of bytes in a single packet. In addition to the
signature byte sequence, the IDP should also be able to match on combinations of the
source and destination IP addresses or ports and the protocol.
Because it inspects one packet at a time, this method does not apply well to network streams
such as HTTP sessions.
Stateful Pattern Matching
Stateful pattern matching operates on the established session rather than on a single
packet. It considers the arrival order of packets in a TCP stream and matches patterns
across packets. For example, if an exploit is split across two packets, stateful pattern matching
reassembles the traffic stream and makes the complete string available to the detection
engine. This requires large amounts of memory and processing power to track a potentially
large number of open sessions for as long as possible.
Protocol Decode
Protocol decode is also known as protocol anomaly detection or protocol validation. The
detection engine performs a full protocol analysis, decoding and processing the packet in order
to highlight anomalies in its contents. This is quicker than searching a signature
database. It is also more flexible at catching attacks that would be very difficult to detect using
pattern-matching techniques, as well as new variations of old attacks, which would otherwise
require a new signature in the database.
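The three detection methods above, shown side by side in an added example that is not part of the ZyWALL guide: a signature that straddles two TCP segments is invisible to per-packet matching, is found once the segments are reassembled in sequence order (including out-of-order delivery and a retransmitted overlap), and a simple protocol-decode check flags a malformed or oversized HTTP request line with no signature at all. The signature, segments and URI length limit are all constructed for illustration.

```python
"""Added example (not from the ZyWALL guide): per-packet pattern matching
misses a signature split across TCP segments; stateful matching finds it
after sequence-ordered reassembly; protocol decode flags a malformed
request with no signature at all. All data below is constructed."""
import re
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/evil"   # constructed signature byte sequence

@dataclass
class Segment:
    seq: int        # TCP sequence number, relative to the start of the stream
    payload: bytes

def packet_match(segments, signature=SIGNATURE):
    """Stateless pattern matching: each packet is inspected on its own."""
    return [s.seq for s in segments if signature in s.payload]

def reassemble(segments):
    """Rebuild the stream in sequence order, trimming retransmitted overlap;
    return None if a gap makes reassembly unreliable."""
    stream, expected = b"", None
    for s in sorted(segments, key=lambda s: s.seq):
        expected = s.seq if expected is None else expected
        if s.seq > expected:
            return None                          # bytes missing in the middle
        data = s.payload[expected - s.seq:]      # drop already-seen bytes
        stream += data
        expected += len(data)
    return stream

def stateful_match(segments, signature=SIGNATURE):
    """Stateful pattern matching: match against the reassembled session."""
    stream = reassemble(segments)
    return stream is not None and signature in stream

def protocol_anomalies(stream, max_uri=64):
    """Protocol decode: validate the HTTP request line instead of searching
    for a known pattern (max_uri is a constructed limit, not a real one)."""
    line = stream.split(b"\r\n", 1)[0]
    m = re.fullmatch(rb"[A-Z]+ (\S+) HTTP/1\.[01]", line)
    if m is None:
        return ["malformed request line"]
    return ["oversized URI"] if len(m.group(1)) > max_uri else []

# Constructed sample: the signature straddles two segments that arrive out of
# order, and the first bytes are retransmitted with overlap.
SAMPLE = [Segment(9, b"bin/evil HTTP/1.0\r\n"), Segment(0, b"GET /cgi-"),
          Segment(4, b"/cgi-bin/")]
```

Running `packet_match(SAMPLE)` returns an empty list while `stateful_match(SAMPLE)` returns True, which is exactly the gap the stateful method closes; a session with a missing segment reassembles to None and is reported as no match rather than a false positive.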