Intrusion Prevention (IPS)

Business Technology Group

Traditional IPS systems fail to combat threats for three main reasons:

1. They passively watch for threats without proactively blocking them.

2. They fail to detect threats carried by 'smart' applications that use evasion tactics. Evasive applications dynamically hop ports, reuse ports assigned to other services, emulate other applications or tunnel inside SSL. Such applications are increasingly common and include IM, P2P, Skype and webmail.

3. They adversely affect network performance: typically, as the depth of IPS inspection goes up, throughput goes down.

The solution: next generation intrusion prevention


Enable full IPS protection while maintaining performance

Predictable IPS performance is achieved through hardware acceleration, a uniform signature format and a single-pass software architecture.

Dedicated processing and memory for content inspection, separate from the resources used for networking, security and management, provide the hardware acceleration needed for predictable IPS performance. With dedicated processing, key functions do not compete for cycles with other security functions, as they do on a single-CPU or ASIC/CPU architecture. A uniform signature format eliminates many of the redundant steps that designs with multiple scanning engines repeat once per engine (TCP reassembly, policy lookup, inspection, etc.), and the single-pass software architecture means that traffic is touched only once, no matter how many policy elements are in use.


Block a wide range of known and unknown vulnerability exploits

A rich set of intrusion prevention features blocks known and unknown network- and application-layer vulnerability exploits from compromising and damaging enterprise information resources. Vulnerability exploits, buffer overflows and port scans are detected using the following threat detection and prevention (IPS) mechanisms:

  • Protocol decoder-based analysis decodes the protocol and then applies signatures in the context of the decoded fields to detect vulnerability exploits.
  • Protocol anomaly-based protection detects non-RFC-compliant protocol usage, such as an overlong URI or an overlong FTP login.
  • Pattern matching detects attacks that span more than one packet, taking into account arrival order and sequence.
  • Statistical anomaly detection detects and blocks rate-based DoS flooding attacks.
  • Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
  • Other protections, such as dropping invalid or malformed packets, IP defragmentation and TCP reassembly, counter the evasion and obfuscation methods attackers use. Reassembly only defeats evasion when the device reconstructs the stream the same way the destination host does; otherwise overlapping fragments or segments can carry an exploit past inspection.
  • Custom vulnerability or spyware phone-home signatures can be used in either the anti-spyware or the vulnerability protection profile.
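To make the mechanisms in the list concrete, here is a toy inspection engine that implements three of them (protocol anomaly checks for an overlong URI and an overlong FTP login, packet-based checks for large and fragmented ICMP, and the scan/sweep heuristics) and runs them over constructed sample packet records. This is example code added here; it is not the product's engine, and every threshold value is an assumption chosen for the example.

```python
"""Toy versions of three IPS detection mechanisms, run over constructed sample
packet records. Example code added here, not the product's engine; the
thresholds below are assumptions chosen for the example."""
from collections import defaultdict

MAX_URI_LEN = 2048          # assumed: longer request-URIs are treated as anomalous
MAX_FTP_USER_LEN = 64       # assumed: longer FTP USER arguments are anomalous
MAX_ICMP_LEN = 1024         # assumed: larger ICMP packets are flagged
SCAN_PORT_THRESHOLD = 10    # assumed: distinct ports on one host from one source
SWEEP_HOST_THRESHOLD = 5    # assumed: distinct hosts on one port from one source


def protocol_anomaly(pkt):
    """Protocol anomaly check: non-RFC-compliant use such as an overlong URI or
    an overlong FTP login (the decoder has already identified the protocol)."""
    if pkt["proto"] == "http" and len(pkt.get("uri", "")) > MAX_URI_LEN:
        return "overlong-uri"
    if (pkt["proto"] == "ftp" and pkt.get("cmd") == "USER"
            and len(pkt.get("arg", "")) > MAX_FTP_USER_LEN):
        return "overlong-ftp-login"
    return None


def packet_anomaly(pkt):
    """Packet-based check: ICMP fragments and large ICMP packets."""
    if pkt["proto"] == "icmp":
        if pkt.get("frag"):
            return "icmp-fragment"
        if pkt["len"] > MAX_ICMP_LEN:
            return "large-icmp"
    return None


def scan_heuristics(pkts):
    """Heuristic check over the whole stream: one source probing many ports on
    one host (port scan) or one port across many hosts (host sweep).
    Only TCP SYNs are counted."""
    ports = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for p in pkts:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            ports[(p["src"], p["dst"])].add(p["dport"])
            hosts[(p["src"], p["dport"])].add(p["dst"])
    findings = set()
    for (src, dst), seen in ports.items():
        if len(seen) >= SCAN_PORT_THRESHOLD:
            findings.add(("port-scan", src, dst))
    for (src, dport), seen in hosts.items():
        if len(seen) >= SWEEP_HOST_THRESHOLD:
            findings.add(("host-sweep", src, dport))
    return findings


def inspect(pkts):
    """Run the per-packet checks and the stream heuristics; return every finding
    as a (verdict, source, target) tuple."""
    findings = set()
    for p in pkts:
        for check in (protocol_anomaly, packet_anomaly):
            hit = check(p)
            if hit:
                findings.add((hit, p["src"], p["dst"]))
    return findings | scan_heuristics(pkts)


def sample_traffic():
    """Constructed sample packet records (not a real capture)."""
    pkts = [
        {"proto": "http", "src": "10.0.0.7", "dst": "192.168.1.10", "uri": "/index.html", "len": 300},
        {"proto": "http", "src": "10.0.0.8", "dst": "192.168.1.10", "uri": "/" + "A" * 4000, "len": 4200},
        {"proto": "ftp", "src": "10.0.0.9", "dst": "192.168.1.21", "cmd": "USER", "arg": "B" * 300, "len": 350},
        {"proto": "icmp", "src": "10.0.0.10", "dst": "192.168.1.1", "len": 1500},
        {"proto": "icmp", "src": "10.0.0.11", "dst": "192.168.1.1", "len": 100, "frag": True},
    ]
    # 12 SYNs from one source to consecutive ports on one host: a port scan
    pkts += [{"proto": "tcp", "flags": "S", "src": "10.0.0.5", "dst": "192.168.1.10",
              "dport": port, "len": 60} for port in range(1, 13)]
    # SYNs to port 22 on six different hosts from one source: a host sweep
    pkts += [{"proto": "tcp", "flags": "S", "src": "10.0.0.6", "dst": f"192.168.1.{h}",
              "dport": 22, "len": 60} for h in range(1, 7)]
    # a single SYN from a legitimate client, which should produce no finding
    pkts.append({"proto": "tcp", "flags": "S", "src": "10.0.0.7", "dst": "192.168.1.10",
                 "dport": 80, "len": 60})
    return pkts


if __name__ == "__main__":
    for finding in sorted(inspect(sample_traffic()), key=str):
        print(finding)
```

The per-packet checks are stateless, while the scan heuristics need state across the whole stream, which is the same split a real engine makes between decoder/anomaly checks and statistical or heuristic analysis. A production engine would age the per-source state out over time instead of keeping it for the life of the process.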


Denial of service (DoS/DDoS) attack protection

A policy-based approach ensures accurate detection of denial of service (DoS) attacks.

DoS protection policies can be deployed based on a combination of elements, including the type of attack and the traffic volume, measured both in aggregate (all traffic matching the policy) and classified (per source, per destination, or per source-and-destination pair). Response options include allow, alert, activate, maximum threshold and drop, applied as the observed rate crosses successively higher thresholds. Specific types of DoS attacks covered include:

  • Flood protection: protects against SYN, ICMP, UDP and other IP-based flooding attacks.
  • Reconnaissance detection: detects and blocks the port scans and IP address sweeps attackers commonly run to find potential targets.
  • Packet-based attack protection: protects against large ICMP packets and ICMP fragment attacks.
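The aggregate-versus-classified distinction is the part of a DoS policy that is easiest to get wrong, so here is a small model of it: a SYN flood profile with alert, activate and maximum rates, evaluated once over all sources together and once per source IP, with the stricter decision winning for each packet. This is example code added here, not the product's implementation; the profile values, the action semantics (alert logs, activate turns on mitigation, maximum drops the excess) and the sample traffic are all assumptions.

```python
"""Toy DoS protection policy: SYN-per-second thresholds evaluated both in
aggregate (all sources together) and classified (per source IP). Example code
added here, not the product's implementation; all values are assumed."""
from collections import Counter, defaultdict

# Response actions in increasing severity; the stricter of the aggregate and
# classified decisions wins for each packet.
ACTIONS = ["allow", "alert", "activate", "drop"]


class FloodProfile:
    """Alert, activate and maximum rates in SYNs per second (assumed semantics:
    exceeding 'alert' logs, exceeding 'activate' turns on mitigation,
    exceeding 'maximum' drops the excess)."""

    def __init__(self, alert, activate, maximum):
        if not alert <= activate <= maximum:
            raise ValueError("thresholds must be ordered alert <= activate <= maximum")
        self.alert, self.activate, self.maximum = alert, activate, maximum

    def action(self, rate):
        if rate > self.maximum:
            return "drop"
        if rate > self.activate:
            return "activate"
        if rate > self.alert:
            return "alert"
        return "allow"


def apply_dos_policy(events, aggregate, classified):
    """events: SYN arrivals as (second, src_ip) tuples in arrival order.
    Returns one (second, src_ip, action) verdict per SYN."""
    agg_count = Counter()   # second -> SYNs seen so far from all sources
    src_count = Counter()   # (second, src) -> SYNs seen so far from that source
    verdicts = []
    for sec, src in events:
        agg_count[sec] += 1
        src_count[(sec, src)] += 1
        a = aggregate.action(agg_count[sec])
        c = classified.action(src_count[(sec, src)])
        verdicts.append((sec, src, max(a, c, key=ACTIONS.index)))
    return verdicts


def summarize(verdicts):
    """Count actions per (second, src); the key (second, '*') holds the per-second total."""
    out = defaultdict(Counter)
    for sec, src, act in verdicts:
        out[(sec, src)][act] += 1
        out[(sec, "*")][act] += 1
    return out


def sample_events():
    """Constructed SYN arrivals (not a real capture).
    Second 0: one host sends 100 SYNs while two normal clients send 5 each.
    Second 1: 100 hosts send 15 SYNs each, none of them individually suspicious."""
    events = [(0, "10.0.0.99")] * 100
    events += [(0, "10.0.0.1"), (0, "10.0.0.2")] * 5
    for _ in range(15):
        events += [(1, f"10.1.0.{i}") for i in range(1, 101)]
    return events


AGGREGATE = FloodProfile(alert=1000, activate=1500, maximum=2000)   # assumed values
CLASSIFIED = FloodProfile(alert=20, activate=40, maximum=60)        # assumed values

if __name__ == "__main__":
    summary = summarize(apply_dos_policy(sample_events(), AGGREGATE, CLASSIFIED))
    for key, counts in sorted(summary.items()):
        print(key, dict(counts))
```

In second 0 the single flooding source walks through alert, activate and drop while the two normal clients are untouched, because the classified profile keys on the source. In second 1 no source exceeds the classified alert rate, yet the distributed flood still trips the aggregate alert threshold, which is why a policy needs both views.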