Intrusion Defense Firewall 1.2 User's Guide - Trend Micro? Online ...
Analysis
The Analysis screen allows users to enable and configure traffic analysis settings on all or selected Computers.
Detection Enabled: Turn traffic analysis on or off.
Computers/Networks on which to perform traffic analysis: Choose from the drop-down list the IPs to protect. Choose from existing IP Lists. (You can use the Components > IP Lists screen to create an IP List specifically for this purpose.)
Do not analyze traffic coming from: Select from a set of IP Lists which Computers and networks to ignore. (As above, you can use the Components > IP Lists screen to create an IP List specifically for this purpose.)
For each type of attack, the Client Plug-in can be instructed to send the information to the IDF Server Plug-in, where an alert will be triggered. You can configure the Server Plug-in to send an email notification when the alerts are triggered. (See System > System Settings > Notifications. The Alerts are: "Network or Port Scan Detected", "Computer OS Fingerprint Probe Detected", "TCP Null Scan Detected", "TCP FIN Scan Detected", and "TCP Xmas Scan Detected".) Select Notify IDF Server Immediately for this option.
Once an attack has been detected, you can instruct the Client Plug-ins to block traffic from the source IPs for a period of time. Use the Block Traffic drop-down lists to set the number of minutes.
Computer OS Fingerprint Probe: The Client Plug-ins will recognize and react to active TCP stack OS fingerprinting attempts.
Network or Port Scan: The Client Plug-ins will recognize and react to port scans.
TCP Null Scan: The Client Plug-ins will refuse packets with no flags set.
TCP SYNFIN Scan: The Client Plug-ins will refuse packets with only the SYN and FIN flags set.
TCP Xmas Scan: The Client Plug-ins will refuse packets with only the SYN, URG, and PSH flags set.
"Computer OS Fingerprint Probe" and "Network or Port Scan" differ from the other three types of reconnaissance in that they cannot be recognized from a single packet.
The Client Plug-in reports a Computer or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally a Client Plug-in computer will only see traffic destined for itself, so a port scan is by far the most common variation that will be detected. If a computer is acting as a router or bridge, however, it could see traffic for a number of other computers, making it possible for the Client Plug-in to detect a Computer scan (e.g., scanning a whole subnet for computers with port 80 open). Detecting these scans can take several seconds, since the Client Plug-in needs to track failed connections and decide that an abnormal number of failed connections are coming from a single Computer in a relatively short period of time.
The statistical analysis method used in Computer/port scan detection is derived from the "TAPS" algorithm proposed in the paper "Connectionless Port Scan Detection on the Backbone", published by Sprint/Nextel and presented at the Malware workshop held in conjunction with IPCCC, Phoenix, AZ, USA, in April 2006.
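As an added illustration (not the guide's or the product's own code), the Python below models the two detection styles this section describes: the single-packet flag checks for the Null, SYNFIN and Xmas probes exactly as the guide words them, and a simplified TAPS-style ratio test over one source's recent failed connections, with a block window applied once a scan is reported. The thresholds, the time window, the class and function names and the sample events are all assumptions made for the example.

```python
from collections import defaultdict
# TCP flag bits in their RFC 793 positions.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Single-packet checks for the three flag-based probes the guide lists.
    The Xmas combination follows the guide's wording (SYN, URG and PSH only)."""
    if flags == 0:
        return "TCP Null Scan"
    if flags == SYN | FIN:
        return "TCP SYNFIN Scan"
    if flags == SYN | URG | PSH:
        return "TCP Xmas Scan"
    return None

class ScanTracker:
    """Multi-packet check: keeps each source's recent failed connections and
    compares distinct target hosts to distinct ports, a simplified TAPS-style
    ratio test. Thresholds and window are assumptions, not the product's."""
    def __init__(self, min_failures=10, ratio=3.0, block_minutes=15, window=5.0):
        self.min_failures, self.ratio, self.window = min_failures, ratio, window
        self.block_seconds = block_minutes * 60
        self.failed = defaultdict(list)   # src -> [(dst_ip, dst_port, time)]
        self.blocked_until = {}           # src -> time at which the block expires
    def is_blocked(self, src, t):
        return self.blocked_until.get(src, 0) > t
    def observe(self, src, dst_ip, dst_port, t, failed):
        """Record one connection attempt; return the alert text, if any."""
        if not failed or self.is_blocked(src, t):   # only failures count
            return None
        recent = [e for e in self.failed[src] if t - e[2] <= self.window]
        recent.append((dst_ip, dst_port, t))
        self.failed[src] = recent
        if len(recent) < self.min_failures:
            return None
        hosts = len({e[0] for e in recent})
        ports = len({e[1] for e in recent})
        if ports >= self.ratio * hosts:        # few hosts, many ports
            kind = "port scan"
        elif hosts >= self.ratio * ports:      # many hosts, few ports
            kind = "Computer scan"
        else:
            return None
        self.blocked_until[src] = t + self.block_seconds
        return f"Network or Port Scan Detected: {kind} from {src}"

def demo():
    """Constructed sample: one source probing 12 ports of one host within 1.2 s."""
    tracker = ScanTracker()
    alerts = [tracker.observe("198.51.100.7", "192.0.2.10", 20 + i, 0.1 * i, True) for i in range(12)]
    return [a for a in alerts if a], tracker.is_blocked("198.51.100.7", 60.0)
```

Successful connections never count toward the ratio, and a source that has already been blocked raises no further alerts until the block expires.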
For the "Notify IDF Server Immediately" option to work, the Client Plug-ins must be configured for Client Plug-in initiated or bi-directional communication. (See System > System Settings > Computers.) If enabled, the Client Plug-in will initiate a heartbeat to the IDF Server Plug-in immediately upon detecting the attack or probe.
© Copyright 2010 Trend Micro Inc. www.trendmicro.com All rights reserved. - 65 -