D-Link DRO-210i 7.2 Intrusion Detection

Firewall

Dlink DRO-210i User Guide 46

7.2 Intrusion Detection

An Intrusion is a deliberate, unauthorized attempt to access or manipulate information or

system and to render them unreliable or unusable. The security architecture that detects

and prevents these types of intrusion is called Intrusion Detection and Prevention System.

Intrusion Detection S ystems (IDS) detect unwanted access to devices on the private

network mainly from the public Internet. The manipulations may take the form of attacks

by skilled malicious hackers or by using automated tools. IDS detect all types of

malicious network traffic and computer usage that can not be detected by a conventional

firewall. So Intrusion Detection is an important technology for routers to identify and

prevent these threats from affecting the devices on the network.

IDS and Firewall both are ways to enhance security in a networking environment but they

function differently. Firewall limits the flow of packets between networks to prevent

intrusion and do not look for a pattern that signifies an attack. An IDS detects a potential

security breach, logs the information and signals an alert to the operator. It matches the

packets against a ‘signature’. A signature is a pattern observed in a previous intrusion

attack by examining the network communications and identifying heuristics of that

attack.

In order to make IDS effective and reliable, the router implements three levels of

processing:

 Intrusion Detection Rules: An Intrusion Detection Rule defines the kind of

traffic should be analyzed. Filtering fields regarding source and destination

interfaces, networks, ports, and protocols are also defined here. Only traffic

matching this rule is passed on to the next processing level of IDS, where actual

analysis takes place.

 Pattern Matching: In order to correctly identify an attack, pre-defined patterns

called “signatures”, are created that describe certain attacks. The network traffic is

then analyzed by the IDS, searching for these patterns. This is also known as

“misuse detection” or “signature detection”.

 Action: If an intrusion or attack has been detected, the router logs the attack and

takes an action or response. Depending on the severity of the attack, traffic can be

blacklisted to prevent further attacks, or just dropped.

Certain sessions between computers on your LAN and the WAN have the potential to

cause a disruption the functioning of your LAN computers and are blocked by the

Router's IDS Engine. The signatures for these attacks are pre-defined by t he factory and

are the commonly used intrusion methods. The IDS feature in this router can detect and

block these well-known network attacks.