Recognizing Unknown Threats
Attackers who build new intrusions often re-use older code. This means their new attacks can appear
"in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for
these reusable components, with pattern matching looking for building blocks rather than the entire
complete code patterns. This means that "known" threats as well as new, recently released,
"unknown" threats, built with re-used software components, can be protected against.
Signature Advisories
An advisory is a explanatory textual description of a signature. Reading a signature's advisory will
explain to the administrator what the signature will search for. Due to the changing nature of the
signature database, advisories are not included in D-Link documentation but instead, are available
on the D-Link website at:
http://security.dlink.com.tw
Advisories can be found under the "NetDefend IDS" option in the "NetDefend Live" menu.
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
•
Intrusion Protection Signatures (IPS) - These are highly accurate and a match is almost
certainly an indicator of a threat. Using the Protect action is recommended. These signatures
can detect administrative actions and security scanners.
•
Intrusion Detection Signatures (IDS) - These can detect events that may be intrusions- They
have lower accuracy than IPS and may give some false positives so that's recommended that the
Audit action is initially used before deciding to use Protect.
•
Policy Signatures - These detect different types of application traffic. They can be used to block
certain applications such as file sharing applications and instant messaging.
6.5.6. IDP Signature Groups
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them at
the same time when analyzing network traffic. To do this, signatures related to a particular protocol
are grouped together. For example, all signatures that refer to the FTP protocol form a group. It is
best to specify a group that relates to the traffic being searched than be concerned about individual
signatures. For performance purposes, the aim should be to have NetDefendOS search data using the
least possible number of signatures.
Specifying Signature Groups
IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
the signature Type, the second level the Category and the third level the Sub-Category. The
signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type,
DB is the Category and MSSQL is the Sub-Category. These 3 signature components are explained
below:
1. Signature Group Type
The group type is one of the values IDS, IPS or Policy. These types are explained above.
6.5.6. IDP Signature Groups
Chapter 6. Security Mechanisms
270
Summary of Contents for 800 - DFL 800 - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...