Intrusion Detection System (IDS)
76
Models 2603, 2621, and 2635 User Manual
7
• Security
1.
To enable IDS, click on Enabled for “Intrusion Detection Enabled” on the “Security Interface Configura-
tion” page. Then click on
Change State
.
2.
Click on
Configure Intrusion Detection...
3.
You may choose which of the parameters to configure and for which value.
– Use Blacklist: Default = 10 minutes when enabled.
If IDS has detected an intrusion an external host, access to the network is denied for ten minutes.
– Use Victim Protection: Default = Disabled.
Victim Protection. When enabled, Victim Protection protects the victim from an attempted spoofing attack.
Web spoofing allows an attacker to create a ‘shadow’ copy of the world wide web (WWW). All access to the
shadow Web goes through the attacker’s machine, so the attacker can monitor all of the victim’s activities and
send false data to or from the victim’s machine. When enabled, packets destined for the victim host of a spook-
ing style attack are blocked.
– Victim Protection Block Duration: Default = 600 seconds
– DOS Attack Block Duration:Default = 1800 seconds (30 minutes).
A Denial of Service (DOS) attack is an attempt by an attacker to prevent legitimate users from using a service.
If a DOS attack is detected, all suspicious hosts are blocked by the firewall for a set time limit
– Scan Attack Block Duration:Default = 86400 seconds
Sets the duration for blocking all suspicious hosts. The firewall detects when the system is being scanned by a
suspicious host attempting to identify any open ports.
– Victim Protection Block Duration:Default = 600 seconds (10 minutes).
Sets the duration of the block in seconds.
– Maximum TCP Open Handshaking Count:Default = 100
Sets the maximum number of unfinished TCP handshaking sessions per second that are allowed by a firewall
before a SYN Flood is detected. SYN Flood is a DOS attack. When establishing normal TCP connections,
three packets are exchanged: (1) A SYN (synchronize) packet is sent from the host to the network server. (2) A
SYN/ACK packet is sent from the network server to the host. (3) An Ack (acknowledge) packet is sent from the
host to the network server. If the host sends unreachable source addresses in the SYN packet, the server sends
the SYN/ACK packets to the unreachable addresses and keeps resending them. This creates a backlog queue of
WinNuke
TCP
yes
Xmas Tree Scan
TCP
yes
IMAP SYN/FIN Scan TCP
yes
Smurf
ICMP
If victim protection set
SYN/FIN/RST Flood TCP
If scanning threshold
exceeded
Net Bus Scan
TCP
yes
Back Orifice Scan
UDP
yes
Attack Name
Protocol Attacking Host Blacklisted?
Содержание OnSite 2603
Страница 23: ...23 Chapter 2 Product Overview Chapter contents Introduction 24 Applications Overview 25...
Страница 38: ...38 Chapter 4 Ethernet LAN Port Chapter contents Introduction 39 LAN Connections 39 Ethernet Port 39...
Страница 120: ...120 Appendix C Cable Recommendations Chapter contents Ethernet Cable 121 Adapter 121...