D-Link DFL-2500 User Guide - Page 205
Signature Groups, Automatic Update of Signature Database
186 Chapter 19. Intrusion Detection System (IDS)

3. The pattern-matching engine searches the payload of the packet for pre-defined signatures. If a match is found, the final level of IDS processing is carried out - the action. If not, the packet is dropped.

4. As this packet will not be accepted by the firewall, the only interesting action is to log the attempted intrusion.

19.3 Signature Groups

Usually, several attacks exist for a specific protocol, and it is most efficient to search for all of them at the same time when analyzing network traffic. To do this, signatures that refer to the same protocol are grouped together. For example, all signatures that refer to the FTP protocol are located in one group, while signatures that refer to POP3 are located in another group.

In addition, signatures that originate from the same source are also grouped together. This means that signatures that are only valid when the traffic originates from the external network are grouped together, while signatures that are valid when the traffic originates from the internal network are located in another group. This grouping allows the IDS to process traffic more efficiently, since only the groups relevant to a packet's protocol and origin need to be searched.

19.4 Automatic Update of Signature Database

Discovering new attacks is an ongoing process. New attacks are sometimes discovered daily, so it is important to have an up-to-date signature database in order to protect the network from the latest threats. The signature database contains all signatures and signature groups currently recognized by the IDS.

A new, updated signature database can be automatically downloaded by the firewall at a configurable interval. This is done through an HTTP connection to a D-Link server hosting the latest signature database file. If this signature database file has a newer version than the current one, the new signature database is downloaded and replaces the old version. This ensures that the signature database is always up-to-date.
Figure 19.3 is a simplified picture that describes the communication flow when a new signature database file is downloaded:

D-Link Firewalls User's Guide
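The following Python model illustrates both sections 19.3 and 19.4: signatures are grouped by protocol and by originating network so that only the relevant group is searched for a given packet, and a downloaded database replaces the local one only when the server advertises a newer version. This is an added example, not D-Link's code or file format; the signature identifiers, patterns, the `version`/`sid|protocol|origin|pattern|description` text format and the SHA-256 digest check are all constructed assumptions. The digest check in particular goes beyond the page, which describes a plain HTTP download; it is included because a defender would want to verify the file before installing it, with the expected digest obtained out of band.

```python
import hashlib
import re
from dataclasses import dataclass

# --- Section 19.3: signature groups --------------------------------------

@dataclass(frozen=True)
class Signature:
    sid: str            # identifier (constructed; not D-Link's numbering)
    protocol: str       # protocol the signature applies to, e.g. "FTP", "POP3"
    origin: str         # "external" or "internal": network the traffic comes from
    pattern: bytes      # regular expression searched for in the packet payload
    description: str

@dataclass
class SignatureDatabase:
    version: int
    signatures: tuple

    def groups(self):
        """Group signatures by (protocol, origin), as section 19.3 describes."""
        grouped = {}
        for sig in self.signatures:
            grouped.setdefault((sig.protocol, sig.origin), []).append(sig)
        return grouped

def scan_payload(db, protocol, origin, payload):
    """Search the payload against only the group for this packet's protocol
    and originating network; return the ids of the signatures that matched.
    Logging the match is the 'action' for a packet the firewall drops anyway."""
    group = db.groups().get((protocol, origin), [])
    hits = [sig for sig in group if re.search(sig.pattern, payload)]
    for sig in hits:
        print(f"IDS: {sig.sid} {sig.description} ({protocol} from {origin})")
    return [sig.sid for sig in hits]

# --- Section 19.4: automatic update of the signature database -------------

def parse_database(blob):
    """Parse the constructed text format: first line 'version N', then one
    'sid|protocol|origin|pattern|description' line per signature."""
    lines = blob.decode().splitlines()
    version = int(lines[0].split()[1])
    sigs = []
    for line in lines[1:]:
        sid, proto, origin, pattern, desc = line.split("|", 4)
        sigs.append(Signature(sid, proto, origin, pattern.encode(), desc))
    return SignatureDatabase(version, tuple(sigs))

def update_if_newer(local, server_version, download, expected_sha256):
    """Download and install the server's database only if its version is
    newer than the local one.  The SHA-256 check is an assumption added here
    (the page describes a plain HTTP download without it); the expected
    digest must come from a trusted, out-of-band source to be meaningful."""
    if server_version <= local.version:
        return local, False
    blob = download()
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("downloaded signature database failed integrity check")
    new_db = parse_database(blob)
    if new_db.version != server_version:
        raise ValueError("downloaded file does not carry the advertised version")
    return new_db, True

# Constructed sample: local database (version 1) and a newer server copy (version 2).
LOCAL_DB = parse_database(
    b"version 1\n"
    b"FTP-001|FTP|external|USER [^\\r\\n]{128,}|overlong FTP username\n"
    b"POP3-001|POP3|external|PASS [^\\r\\n]{128,}|overlong POP3 password\n"
)
SERVER_BLOB = (
    b"version 2\n"
    b"FTP-001|FTP|external|USER [^\\r\\n]{128,}|overlong FTP username\n"
    b"FTP-002|FTP|internal|RETR [^\\r\\n]*\\.exe|executable fetched by internal host\n"
    b"POP3-001|POP3|external|PASS [^\\r\\n]{128,}|overlong POP3 password\n"
)
SERVER_SHA256 = hashlib.sha256(SERVER_BLOB).hexdigest()

if __name__ == "__main__":
    # Only the (FTP, external) group is searched for this packet.
    print(scan_payload(LOCAL_DB, "FTP", "external", b"USER " + b"A" * 300 + b"\r\n"))
    db, changed = update_if_newer(LOCAL_DB, 2, lambda: SERVER_BLOB, SERVER_SHA256)
    print(changed, db.version, sorted(db.groups()))
```

Note that `update_if_newer` returns the unchanged local database when the server version is not newer, so a scheduled check at the configured interval is cheap when nothing has changed; the version comparison happens before any download is attempted.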