Firewall Intrusion Detection and Prevention

WatchGuard® Fireware and the policies you create in Policy Manager give you strict control over access to your network. A strict access policy helps to keep hackers out of your network. But, there are other types of attacks that a strict policy cannot defeat.

An Intrusion Prevention System (IPS) is a device that detects attacks from hackers. Network-based intrusion detection systems examine the traffic on a network for signs of unauthorized access or attacks in progress, while host-based systems look at processes running on a local computer for activity an administrator has defined as "bad." With Fireware, you can use your Firebox as an IPS device to detect and prevent attacks automatically. There are two categories of IPS defenses:

Firewall-based IPS

The Firebox combines protocol anomaly detection in the proxy policies with traffic analysis to proactively block many common attacks. Protocol anomaly detection is the examination of a packet for compliance with RFC guidelines. Attackers can make packets which are different from RFC standards in ways that allow them to bypass standard packet filters and get access to your network. If you block non-compliant packets, you can also block the attack. This enables your Firebox to proactively protect you against attacks which are as yet unknown.
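To show what "examination of a packet for compliance with RFC guidelines" looks like in practice, here is a small Python example added to this module. It is not WatchGuard code and does not reproduce how Fireware implements its checks; it parses the fixed TCP header (RFC 793 layout) and flags flag combinations and header lengths that a compliant stack never produces. The rule names (NULL, SYN+FIN, XMAS and so on) and the sample segments are constructed for illustration.

```python
import struct

# TCP flag bits: the low six bits of the 16-bit offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MIN_HEADER_LEN = 20


def parse_tcp_header(raw: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header into named fields."""
    if len(raw) < MIN_HEADER_LEN:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", raw[:MIN_HEADER_LEN]
    )
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x3F,
        "window": window, "urg_ptr": urg_ptr,
    }


def tcp_anomalies(hdr: dict) -> list[str]:
    """Return the names of RFC violations found in one parsed header.

    A compliant TCP stack never emits these combinations, so each one
    indicates a crafted segment rather than an ordinary protocol error.
    """
    f = hdr["flags"]
    found = []
    if f == 0:
        found.append("NULL")            # no flags at all
    if f & SYN and f & FIN:
        found.append("SYN+FIN")         # open and close in one segment
    if f & SYN and f & RST:
        found.append("SYN+RST")         # open and abort in one segment
    if f & FIN and f & PSH and f & URG and not f & ACK:
        found.append("XMAS")            # FIN/PSH/URG set together, no ACK
    if hdr["data_offset"] < MIN_HEADER_LEN:
        found.append("bad-offset")      # header claims to be shorter than 20 bytes
    if hdr["sport"] == 0 or hdr["dport"] == 0:
        found.append("port-0")          # port 0 is reserved
    return found


def should_block(raw: bytes) -> bool:
    """Drop policy: any non-compliant segment is blocked."""
    try:
        return bool(tcp_anomalies(parse_tcp_header(raw)))
    except ValueError:
        return True                     # a truncated header is itself non-compliant


def build_segment(sport: int, dport: int, flags: int, offset_words: int = 5) -> bytes:
    """Constructed test helper: build a 20-byte TCP header with the given flags."""
    off_flags = (offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


if __name__ == "__main__":
    # Constructed sample segments, not captured traffic.
    samples = {
        "normal SYN": build_segment(40000, 443, SYN),
        "NULL": build_segment(40001, 443, 0),
        "SYN+FIN": build_segment(40002, 443, SYN | FIN),
        "XMAS": build_segment(40003, 443, FIN | PSH | URG),
        "short offset": build_segment(40004, 443, ACK, offset_words=3),
    }
    for label, seg in samples.items():
        verdict = "BLOCK" if should_block(seg) else "allow"
        print(f"{label:13s} -> {verdict} {tcp_anomalies(parse_tcp_header(seg))}")
```

The point of the example is the last line of the policy: nothing in it knows what a specific attack looks like. It only knows what the RFC permits, which is why this class of check still works against attacks that have no signature yet.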

Traffic pattern analysis examines a series of packets over time and matches them against known patterns of attack. For example, when an attacker launches a port space probe, they attempt to send packets through each port number until they identify which ports your firewall allows. If you can identify this pattern, you can block the source of the probe.
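The port space probe described above is a pattern that only appears when you look at several packets over time, not at any single one. The following Python example, added to this module and not taken from Fireware, shows the core of such a detector: it keeps a per-source sliding window of (time, destination port) events, raises an alert when the number of distinct ports inside the window reaches a threshold, and drops everything from that source afterwards. The window length, threshold, and the sample traffic (using RFC 5737 documentation addresses) are constructed for illustration.

```python
from collections import defaultdict, deque


class PortProbeDetector:
    """Flag a source that touches many distinct destination ports in a short window.

    window_seconds: how far back to look; threshold: number of distinct ports
    within the window that counts as a probe. Both values are illustrative,
    not Fireware defaults.
    """

    def __init__(self, window_seconds: float = 10.0, threshold: int = 15):
        self.window = window_seconds
        self.threshold = threshold
        self.history = defaultdict(deque)   # src -> deque of (time, dport), oldest first
        self.blocked = set()

    def observe(self, t: float, src: str, dport: int) -> str:
        """Process one packet and return the action taken: 'allow', 'alert' or 'drop'."""
        if src in self.blocked:
            return "drop"                   # source already identified as a prober
        q = self.history[src]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.blocked.add(src)
            return "alert"
        return "allow"


def find_probes(events, **detector_args) -> dict:
    """Replay (time, src, dport) events in time order; return src -> time of first alert."""
    det = PortProbeDetector(**detector_args)
    alerts = {}
    for t, src, dport in sorted(events):
        if det.observe(t, src, dport) == "alert":
            alerts[src] = t
    return alerts


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_EVENTS = (
    [(i / 10, "203.0.113.5", i + 1) for i in range(30)]                      # fast sweep: 30 ports in 3 s
    + [(3.0 * i, "198.51.100.7", 443 if i % 2 else 80) for i in range(20)]  # ordinary web client
    + [(5.0 * i, "192.0.2.9", 1000 + i) for i in range(20)]                 # slow sweep: 1 port per 5 s
)

if __name__ == "__main__":
    for src, t in find_probes(SAMPLE_EVENTS).items():
        print(f"port probe from {src} detected at t={t}s; source blocked")
```

Note what the slow sweeper in the sample shows: a source that spreads its probe over a long enough period never has more than a few distinct ports inside the window, so it is not caught by this rule alone. That is the usual trade-off in pattern analysis between window length, false positives from busy legitimate clients, and sensitivity to slow probes.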

Signature-based IPS

Fireware options such as the Gateway AntiVirus/Intrusion Prevention Service compare packets against a database of character strings which are known to appear in attacks. Each unique character string is known as a signature. When there is a match, the Firebox blocks the traffic and notifies the network administrator. To remain current, you must set the Firebox to regularly update the signature database.

Signature-based approaches use less processing time than firewall-based IPS measures. However, they cannot recognize an attack until a database update that contains its signature has arrived. As a result, signature-based IPS is good for maintaining efficient, high-performance protection, while firewall-based IPS catches the "zero-day" threats.
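The two paragraphs above describe the signature mechanism (match known byte strings, block, notify) and its weakness (it only knows what its last update told it). The Python example below, added to this module and not WatchGuard's implementation, shows both: a tiny constructed signature database, a matcher that reports which signature hit and where, the block-and-notify decision, and a staleness check of the kind a scheduled update is meant to keep satisfied. The signature names, patterns, version string and dates are all constructed.

```python
from datetime import date

# Constructed sample signature database. A real database is vendor-supplied,
# far larger, and must be refreshed on a schedule for its matches to stay current.
SIGNATURE_DB = {
    "version": "sample-2005-01-15",
    "published": date(2005, 1, 15),
    "signatures": [
        ("path-traversal-sequence", b"../../"),
        ("html-script-tag", b"<script>"),
    ],
}


def match_signatures(payload: bytes, db=SIGNATURE_DB) -> list[tuple[str, int]]:
    """Return (signature name, byte offset) for every signature present in the payload."""
    hits = []
    for name, pattern in db["signatures"]:
        off = payload.find(pattern)
        if off != -1:
            hits.append((name, off))
    return hits


def inspect(payload: bytes, src: str, db=SIGNATURE_DB) -> dict:
    """Block on any match and build the notification the administrator would receive."""
    hits = match_signatures(payload, db)
    if not hits:
        return {"action": "allow", "alerts": []}
    return {
        "action": "block",
        "alerts": [
            f"IPS: {name} from {src} at offset {off} (signature db {db['version']})"
            for name, off in hits
        ],
    }


def db_is_current(db, today: date, max_age_days: int = 7) -> bool:
    """Staleness check: a database older than max_age_days cannot know recent threats."""
    return (today - db["published"]).days <= max_age_days


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for payload in (b"GET /index.html HTTP/1.0\r\n", b"GET /a/../../b HTTP/1.0\r\n"):
        print(inspect(payload, "203.0.113.5"))
    print("database current:", db_is_current(SIGNATURE_DB, date(2005, 3, 1)))
```

The matcher is a plain substring search, which is why this approach is cheap per packet; the cost is that the `db_is_current` check failing means every newer attack passes through untouched, exactly the gap the protocol anomaly and traffic pattern checks are meant to cover.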

The rest of this training module focuses on the firewall-based IPS measures available with Fireware.

Copyright © 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.