Intrusion detection and prevention

You can use the intrusion detection system to prevent intrusions and extrusions from occurring.

Intrusion prevention is a system that attempts to deny potentially malicious activity. The denial mechanisms could involve filtering packets, variable dynamic throttling, or using Quality of Service (QoS) to vary connection rates and burst limits.

The following graphic shows how IDS detects and prevents intrusions and extrusions from occurring.

Figure: Intrusion detection and prevention
  1. The TCP/IP service and production stacks detect intrusions from systems in the network and extrusions from the host system.
  2. If you have variable dynamic throttling enabled, IDS limits or discards the intrusion or extrusion.

You can configure variable dynamic throttling for each IDS policy. Throttling applies to all types of intrusions and extrusions. Variable dynamic throttling is a prevention method that starts automatically when the intrusion event thresholds for a policy are met, and stays active until the thresholds are no longer exceeded for an entire time interval. You can choose to throttle network traffic from all ports and IP addresses or from specific ones, and you can specify the slow scan, fast scan, and maximum event message thresholds in your IDS policies or use their default values.

Throttling is activated once a threshold for the policy has been exceeded and stays active for either a user-defined or a system-defined time interval. If the threshold is exceeded again at any time during that interval, the throttling is increased immediately and the time interval is reset. Repeated escalation can eventually lead to denying all packets from a given interface. This continues until the number of offending packets no longer exceeds the thresholds for an entire time interval; once the count stays below the thresholds for a whole interval, throttling is deactivated and normal packet flow resumes.
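The activate, escalate, reset and deactivate behaviour described above, modelled as a small simulation. This is an added example, not IBM code: the escalation levels, the one-second tick, the linear drop fractions and the constructed packet trace are assumptions chosen to illustrate the text, not the product's actual internals.

```python
"""Simplified model of IDS variable dynamic throttling (assumed semantics)."""
from dataclasses import dataclass


@dataclass
class VariableThrottle:
    threshold: int       # offending packets per interval that activate/escalate
    interval: int        # seconds an escalation stays in force (assumed unit)
    max_level: int = 4   # at this level every packet from the interface is denied
    level: int = 0       # 0 = normal packet flow
    interval_end: int = 0
    count: int = 0       # offending packets seen in the current interval

    def drop_fraction(self) -> float:
        """Share of packets discarded at the current level (assumed linear)."""
        return min(1.0, self.level / self.max_level)

    def tick(self, now: int, offending: int) -> float:
        """Feed the number of offending packets seen at second `now`."""
        if now >= self.interval_end:
            # A whole interval passed without the threshold being exceeded:
            # deactivate any throttling and start a fresh count.
            self.level = 0
            self.count = 0
            self.interval_end = now + self.interval
        self.count += offending
        if self.count > self.threshold:
            # Threshold exceeded: activate or increase throttling immediately
            # and restart the time interval from now.
            self.level = min(self.level + 1, self.max_level)
            self.interval_end = now + self.interval
            self.count = 0
        return self.drop_fraction()


def simulate(samples, threshold=10, interval=5):
    """Return the drop fraction after each per-second sample."""
    t = VariableThrottle(threshold=threshold, interval=interval)
    return [t.tick(now, n) for now, n in enumerate(samples)]


if __name__ == "__main__":
    # Constructed trace: a burst, a sustained flood, then silence.
    trace = [2, 3, 12, 0, 15, 20, 11, 0, 0, 0, 0, 0, 0]
    for sec, frac in enumerate(simulate(trace)):
        print(f"t={sec:2d}s  drop {frac:.0%}")
```

Running it shows throttling climbing to a full deny at t=6 s and dropping back to normal flow at t=11 s, five quiet seconds after the last escalation.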

On the ICMP tab of the IDS Properties page, you can also specify whether or not to allow Internet Control Message Protocol (ICMP) redirect messages. ICMP is a protocol that is used to send error or informational messages; it is used by utilities such as traceroute, and by the ping tool to determine whether a host is reachable. Examples of ICMP messages include echo request, echo reply, redirect, destination unreachable, and time exceeded. A redirect message asks a host to send traffic for a destination through a different gateway, so disallowing redirects keeps an unsolicited message from changing the host's routing.