ZyWALL IDP10 User’s Guide
Appendix B
Intrusion Protection
B.1 Firewalls and Intrusions
Firewalls are designed to block clearly suspicious traffic and to forward everything else. Many
exploits take advantage of weaknesses in the protocols that the firewall is configured to allow
through, so that once an inside server has been compromised it can be used as a backdoor from which
to launch attacks on other servers.
Firewalls are usually deployed at the network perimeter. However, many attacks are launched, sometimes
inadvertently, from within an organization. Virtual private networks, laptops, memory sticks, floppy
disks and wireless networks all provide access to the internal network without going through the
firewall.
B.2 Intrusion Detection and Prevention (IDP)
An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action against
attacks. IDPs, by contrast, are proactive defense mechanisms designed to detect malicious packets
within normal network traffic and take an action (block, drop, log, send an alert) against the offending
traffic automatically, before it does any damage. An IDS only raises an alert after the malicious
payload has been delivered. Worms such as Slammer and Blaster (see the appendices) proliferate so fast
that by the time an alert is generated, the damage is already done and spreading.
There are two main categories of IDP: Host IDP and Network IDP.
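The detection-versus-prevention distinction above, as an added example that is not part of the ZyWALL manual: the same signature engine is run once as a passive IDS (a match only produces an alert, the packet is still delivered) and once inline as an IDP (the same match drops the packet before it reaches the LAN). The signatures, hosts and sample traffic are constructed for illustration; only two traits of the first rule (a single UDP datagram to port 1434 whose payload begins with byte 0x04) reflect the real SQL Slammer worm, and the length thresholds and the RPC rule are invented simplifications.

```python
# Added example (not ZyXEL code): a toy signature engine in IDS and IDP modes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dport: int
    prefix: bytes     # payload must start with these bytes
    min_len: int = 0  # and must be at least this long

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and len(pkt.payload) >= self.min_len
                and pkt.payload.startswith(self.prefix))


# Constructed, deliberately simplified signatures. The first borrows two real
# traits of SQL Slammer (UDP/1434, first payload byte 0x04); the 100-byte
# threshold and the whole second rule (an oversized DCE/RPC request, version
# bytes 05 00, to TCP/135) are illustrative assumptions, not vendor rules.
SIGNATURES = [
    Signature("slammer-like UDP/1434 overflow", "udp", 1434, b"\x04", min_len=100),
    Signature("oversized RPC request to TCP/135", "tcp", 135, b"\x05\x00", min_len=1500),
]


def inspect(pkt: Packet, mode: str, signatures=SIGNATURES):
    """Return (action, alerts) for one packet. mode is "ids" or "idp"."""
    alerts = [f"{sig.name}: {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"
              for sig in signatures if sig.matches(pkt)]
    if alerts and mode == "idp":
        return "drop", alerts       # inline: blocked before delivery
    return "forward", alerts        # IDS: alert only, payload still delivered


def run(mode: str, packets, signatures=SIGNATURES):
    """Push packets through the engine; return what was delivered and what was logged."""
    delivered, log = [], []
    for pkt in packets:
        action, alerts = inspect(pkt, mode, signatures)
        log.extend(alerts)
        if action == "forward":
            delivered.append(pkt)
    return delivered, log


# Constructed sample traffic arriving from the outside (RFC 5737 test addresses).
SAMPLE = [
    # ordinary DNS-shaped query, must pass in both modes
    Packet("udp", "198.51.100.7", "192.0.2.10", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    # Slammer-shaped datagram: 376 bytes, 0x04 then 0x01 padding (exploit bytes zeroed here)
    Packet("udp", "198.51.100.7", "192.0.2.20", 1434, b"\x04" + b"\x01" * 96 + b"\x00" * 279),
    # oversized RPC request padded with a NOP-like run
    Packet("tcp", "198.51.100.9", "192.0.2.30", 135, b"\x05\x00\x0b" + b"\x90" * 1600),
    # normal-sized RPC bind, must pass in both modes
    Packet("tcp", "198.51.100.9", "192.0.2.30", 135, b"\x05\x00\x0b" + b"\x00" * 60),
]


if __name__ == "__main__":
    for mode in ("ids", "idp"):
        delivered, log = run(mode, SAMPLE)
        print(f"{mode.upper()}: {len(delivered)}/{len(SAMPLE)} packets reached the LAN, "
              f"{len(log)} alerts")
        for line in log:
            print("  ALERT", line)
```

Both modes log the same two alerts; the difference is that in IDS mode all four packets, including the two malicious ones, reach their destination, while in IDP mode only the two benign packets do. A real inline sensor also has to fail safe (or fail open, by policy) when the engine itself is overloaded, which this toy ignores.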
B.2.1 Host Intrusions
Host-based intrusions target files on an individual computer or server, with the goal of accessing
confidential information or destroying information on that computer.
You must install a Host IDP directly on the system being protected. It works closely with the
operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent
attacks as well as log them.
Disadvantages of Host IDPs are that you have to install them on each device you want to protect, and
that, because of the necessarily tight integration with the host operating system, future operating
system upgrades could cause problems.
B.2.2 Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computers,
switches, routers or modems. If a LAN switch is compromised, for example, then the whole LAN is
compromised, resulting in the equivalent of a LAN Denial of Service (DoS) attack.
Host-based intrusions may lead to network-based intrusions when the host virus is designed to
propagate attacks across the network, or to attack operating system vulnerabilities with the goal of
bringing down the computer or server. Typical network-based intrusions are the SQL Slammer, Blaster,
Nimda and MyDoom worms. See the appendices for more details.
A Network IDP has at least two network interfaces, one internal and one external. As packets appear at
an interface they are passed to the detection engine, which determines whether they are malicious or