Introduction to IPS

IPS, the abbreviation for Intrusion Prevention System, is designed to monitor various network attacks in real time and take appropriate actions (such as block) against the attacks according to your configuration. System supports license-controlled IPS, i.e., the IPS function will not work unless an IPS license has been installed on a security device that supports IPS.

IPS implements complete state-based detection, which significantly reduces the false positive rate. Even if the device is enabled with multiple application layer detections, enabling IPS will not cause any noticeable performance degradation. Besides, system will update the signature database automatically every day to assure its integrity and accuracy.

The protocol detection procedure of IPS consists of two stages: protocol parsing and engine matching. During the protocol parsing stage, system analyzes the protocol and processes the packets (log only, reset, block) according to the configuration, generating logs for the administrator if any anomaly has been detected; all the interesting protocol elements extracted during the parsing stage are submitted to the engine for accurate and quick signature matching. If the packets match any item in the signature database, system processes the packets (log only, reset, block) according to the configuration and generates logs for the administrator. Each IPS log contains an error information ID, i.e., the signature ID in the signature database. You can view detailed information about the error by looking up the ID in the IPS online help pages.

System supports two IPS working modes: log only mode and IPS mode. In log only mode, system only generates protocol anomaly alarms and attacking behavior logs, but will not block attackers or reset connections; in IPS mode, system not only generates protocol anomaly alarms and attacking behavior logs, but also blocks attackers or resets connections. By default, system works in IPS mode.

Signatures

The IPS signature database of the latest version contains nearly 3000 signatures. These signatures are categorized by protocol and identified by a unique signature ID. The signature ID consists of two parts: the protocol ID (the 1st digit, or the 1st and 2nd digits) and the attacking signature ID (the last 5 digits). For example, in ID 600120, "6" identifies the Telnet protocol, and "00120" is the attacking signature ID. Signature IDs larger than 60000 identify protocol anomaly signatures, and those smaller than 60000 identify attacking signatures. The mappings between IDs and protocols are shown in the table below:

ID  Protocol     ID  Protocol     ID  Protocol     ID  Protocol
1   DNS          7   Other-TCP    13  TFTP         19  NetBIOS
2   FTP          8   Other-UDP    14  SNMP         20  DHCP
3   HTTP         9   IMAP         15  MySQL        21  LDAP
4   POP3         10  Finger       16  MSSQL        22  VoIP
5   SMTP         11  SUNRPC       17  Oracle       -   -
6   Telnet       12  NNTP         18  MSRPC        -   -

In the above table, Other-TCP identifies all the TCP protocols other than the standard TCP protocols listed in the table, and Other-UDP identifies all the UDP protocols other than the standard UDP protocols listed in the table.
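The following Python script is an added example, not code from the vendor's product, that shows how an administrator could decode the signature IDs found in IPS logs using the ID layout and protocol table above, and how the two working modes (log only mode versus IPS mode) change the action taken. It assumes that the "larger than 60000" anomaly rule applies to the 5-digit attacking signature part (the page's own example, 600120, is an attacking signature, so the rule cannot refer to the whole ID), and the log line format and the sig_id field name are constructed for the example, not the device's real log format.

```python
"""Decode IPS signature IDs and apply the working-mode policy (added example)."""
import re
from dataclasses import dataclass

# Protocol ID -> protocol name, taken from the mapping table on this page.
PROTOCOLS = {
    1: "DNS", 2: "FTP", 3: "HTTP", 4: "POP3", 5: "SMTP", 6: "Telnet",
    7: "Other-TCP", 8: "Other-UDP", 9: "IMAP", 10: "Finger", 11: "SUNRPC",
    12: "NNTP", 13: "TFTP", 14: "SNMP", 15: "MySQL", 16: "MSSQL",
    17: "Oracle", 18: "MSRPC", 19: "NetBIOS", 20: "DHCP", 21: "LDAP", 22: "VoIP",
}

# Assumption: the 5-digit attacking signature part above this value marks a
# protocol anomaly signature; at or below it marks an attacking signature.
ANOMALY_THRESHOLD = 60000


@dataclass(frozen=True)
class Signature:
    protocol_id: int
    protocol: str
    attack_id: int
    kind: str  # "anomaly" or "attack"


def decode_signature_id(sig_id):
    """Split a signature ID into protocol ID (1 or 2 leading digits) and
    attacking signature ID (last 5 digits), and classify it."""
    text = str(int(sig_id))
    if len(text) not in (6, 7):
        raise ValueError(f"signature ID {text!r} must be 6 or 7 digits")
    proto_id = int(text[:-5])        # everything before the last five digits
    attack_id = int(text[-5:])       # the last five digits
    if proto_id not in PROTOCOLS:
        raise ValueError(f"unknown protocol ID {proto_id} in {text!r}")
    kind = "anomaly" if attack_id > ANOMALY_THRESHOLD else "attack"
    return Signature(proto_id, PROTOCOLS[proto_id], attack_id, kind)


def action_for(mode, configured_action):
    """Log only mode never blocks or resets, whatever action is configured;
    IPS mode applies the configured action (log, reset or block)."""
    if mode == "log-only":
        return "log"
    if mode == "ips" and configured_action in ("log", "reset", "block"):
        return configured_action
    raise ValueError(f"unsupported mode/action: {mode}/{configured_action}")


# Constructed sample log lines (format and field names are hypothetical).
SAMPLE_LOGS = [
    "2024-01-01 10:00:00 IPS alert sig_id=600120 src=192.0.2.10 dst=198.51.100.5",
    "2024-01-01 10:00:01 IPS alert sig_id=1360001 src=192.0.2.11 dst=198.51.100.5",
    "2024-01-01 10:00:02 system heartbeat ok",
]

SIG_ID_RE = re.compile(r"sig_id=(\d+)")


def triage(lines, mode="ips", configured_action="block"):
    """Return (protocol, kind, action) for every log line carrying a sig_id."""
    results = []
    for line in lines:
        match = SIG_ID_RE.search(line)
        if not match:
            continue  # not an IPS alert line
        sig = decode_signature_id(match.group(1))
        results.append((sig.protocol, sig.kind, action_for(mode, configured_action)))
    return results


if __name__ == "__main__":
    for mode in ("log-only", "ips"):
        print(mode, triage(SAMPLE_LOGS, mode=mode))
```

The 7-digit ID 1360001 in the constructed sample decodes to protocol 13 (TFTP) with attacking signature part 60001, i.e. a protocol anomaly signature, while 600120 decodes to Telnet attacking signature 120; in log only mode both are reported with action "log" regardless of the configured block action.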

According to their severity, signatures are divided into 3 security levels: critical, warning and informational. Each level is described as follows: