29

IDP

This chapter introduces IDP (Intrusion, Detection and Prevention), IDP profiles, binding an IDP profile to a traffic direction, custom signatures and updating signatures. See Section

5.4.15on page 120 for related information on these screens.

29.1Introduction to IDP

An IDP system can detect malicious or suspicious packets and respond instantaneously. It is designed to detect pattern-based attacks.

29.1.1 Host Intrusions

The goal of host-based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer.

You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.

Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.

29.1.2 Network Intrusions

Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network- based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical “network-based intrusions” are SQL slammer, Blaster, Nimda MyDoom etc.

29.1.3 IDP on the ZyWALL

IDP on the ZyWALL protects against network-based intrusions. See Section 29.8.2 on page 427 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.

 

417

ZyWALL USG 300 User’s Guide