Firewall
Dlink DRO-210i User Guide 46
7.2 Intrusion Detection
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system, or to render it unreliable or unusable. The security architecture that detects and prevents this type of intrusion is called an Intrusion Detection and Prevention System.
Intrusion Detection Systems (IDS) detect unwanted access to devices on the private network, mainly from the public Internet. The attempts may come from skilled malicious hackers or from automated tools. An IDS can detect many kinds of malicious network traffic and computer usage that a conventional firewall cannot, so intrusion detection is an important router technology for identifying these threats and preventing them from affecting the devices on the network.
An IDS and a firewall both enhance security in a networking environment, but they function differently. A firewall limits the flow of packets between networks to prevent intrusion; it does not look for patterns that signify an attack. An IDS detects a potential security breach, logs the information and signals an alert to the operator. It does this by matching packets against a 'signature': a pattern derived from a previous intrusion attack by examining the network communications and identifying the characteristics of that attack.
To make the IDS effective and reliable, the router implements three levels of
processing:
Intrusion Detection Rules: An Intrusion Detection Rule defines the kind of
traffic that should be analyzed. Filtering fields for source and destination
interfaces, networks, ports, and protocols are also defined here. Only traffic
matching a rule is passed on to the next processing level of the IDS, where the actual
analysis takes place; everything else is forwarded without inspection.
Pattern Matching: To correctly identify an attack, pre-defined patterns
called "signatures" are created that describe known attacks. The IDS then analyzes
the selected network traffic, searching for these patterns. This is also known as
"misuse detection" or "signature detection". Note that it only detects attacks for
which a signature exists.
Action: If an intrusion or attack is detected, the router logs the attack and
takes an action or response. Depending on the severity of the attack, the offending
traffic can simply be dropped, or its source can be blacklisted to prevent further attacks.
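The three levels above, as an added example in Python that is not the DRO-210i firmware or any D-Link code: a rule filter selects WAN-to-LAN HTTP traffic, a signature engine matches byte patterns against the payload, and the action stage logs the hit and either drops the packet or blacklists the source, after which later packets from that source are dropped before analysis. The Packet, Rule and Signature fields, the two signatures and the sample traffic are all assumptions constructed for this example.

```python
"""Toy three-stage signature IDS: rule filter -> pattern matching -> action.
Added illustration; the record layout and signatures are invented for it."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:                 # hypothetical packet record
    in_if: str                # ingress interface, e.g. "wan" or "lan"
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    proto: str                # "tcp", "udp" or "icmp"
    dport: int                # destination port
    payload: bytes            # application-layer bytes


@dataclass(frozen=True)
class Rule:
    """Level 1: which traffic is handed to the signature engine at all."""
    in_if: str = "*"                     # "*" = any interface
    dst_net: str = "0.0.0.0/0"           # destination network in CIDR form
    proto: str = "*"                     # "*" = any protocol
    dports: frozenset = frozenset()      # empty = any destination port

    def matches(self, p: Packet) -> bool:
        if self.in_if != "*" and self.in_if != p.in_if:
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto != "*" and self.proto != p.proto:
            return False
        return not self.dports or p.dport in self.dports


@dataclass(frozen=True)
class Signature:
    """Level 2: a byte pattern taken from a previously observed attack."""
    name: str
    proto: str
    pattern: bytes            # regular expression applied to the payload
    blacklist: bool           # severity: True = blacklist source, False = drop only

    def matches(self, p: Packet) -> bool:
        return self.proto == p.proto and re.search(self.pattern, p.payload) is not None


class ToyIDS:
    def __init__(self, rules, signatures):
        self.rules = list(rules)
        self.signatures = list(signatures)
        self.blacklist = set()            # sources blocked by an earlier action
        self.log = []                     # human-readable alert lines

    def inspect(self, p: Packet) -> str:
        """Return the action for one packet: 'forward', 'drop' or 'blacklist'."""
        # A blacklisted source is dropped before any analysis is spent on it.
        if p.src in self.blacklist:
            self.log.append(f"drop blacklisted {p.src}")
            return "drop"
        # Level 1: traffic matching no rule is forwarded without inspection.
        if not any(r.matches(p) for r in self.rules):
            return "forward"
        # Level 2: misuse detection against every signature.
        for sig in self.signatures:
            if sig.matches(p):
                # Level 3: log the attack and respond according to severity.
                self.log.append(f"{sig.name} from {p.src} to {p.dst}:{p.dport}")
                if sig.blacklist:
                    self.blacklist.add(p.src)
                    return "blacklist"
                return "drop"
        return "forward"


# Only WAN traffic towards web ports on the LAN is analyzed (assumed rule set).
RULES = [Rule(in_if="wan", dst_net="192.168.1.0/24", proto="tcp",
              dports=frozenset({80, 8080}))]
SIGNATURES = [                            # invented for this example
    Signature("http-dir-traversal", "tcp", rb"\.\./\.\./", blacklist=True),
    Signature("http-cmd-probe", "tcp", rb"cmd\.exe", blacklist=False),
]

# Constructed sample traffic (documentation-range addresses, not captured data).
SAMPLE_TRAFFIC = [
    Packet("wan", "203.0.113.9", "192.168.1.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("wan", "203.0.113.9", "192.168.1.10", "tcp", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\n"),
    Packet("wan", "198.51.100.7", "192.168.1.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("wan", "198.51.100.7", "192.168.1.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("lan", "192.168.1.20", "192.168.1.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
]


def run_demo(traffic=SAMPLE_TRAFFIC):
    """Run the sample traffic through a fresh IDS; returns (actions, log)."""
    ids = ToyIDS(RULES, SIGNATURES)
    return [ids.inspect(p) for p in traffic], ids.log


if __name__ == "__main__":
    actions, log = run_demo()
    for p, a in zip(SAMPLE_TRAFFIC, actions):
        print(f"{p.in_if:>3} {p.src:>13} -> {p.dst}:{p.dport}  {a}")
    print("\n".join(log))
```

The last sample packet shows the cost of level 1: the same traversal string arriving from the LAN side is forwarded untouched because no rule selects LAN-sourced traffic for analysis, and the fourth packet shows the blacklist acting on an otherwise harmless request once its source has been flagged.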

7.2.1 IDS Configuration

Certain sessions between computers on your LAN and the WAN have the potential to
disrupt the functioning of your LAN computers and are blocked by the
router's IDS engine. The signatures for these attacks are pre-defined at the factory and
cover commonly used intrusion methods. The IDS feature in this router can detect and
block these well-known network attacks; traffic that matches none of the factory
signatures is not flagged, so the IDS complements, rather than replaces, the firewall rules.