A security protection system is a multi-level protection mechanism that includes both the enterprise's security policy and the solutions of many products, such as firewalls, anti-virus and intrusion protection. Traditionally, only a firewall or anti-virus gateway was used to fight back, but because these mainly defend against directly suspicious traffic, while hacker attacks grow ever more sophisticated and internal security risks (such as those arising from computer operations) and blended threats keep developing, such a single protection measure has become powerless.
The most obvious flaws of IDS are:
Passive defense: the listening (sniffing) mode limits blocking. At present, an IDS can only interrupt TCP-based attacks by sending blocking packets, and it is powerless against UDP-based intrusion;
Feature-based (signature) intrusion detection technology is outdated. For lack of vulnerability information management, it is difficult to resist attack and infiltration by deception tools such as Canvas and Metasploit;
False positive and false negative rates are higher than customers expect. Some IDS products generate a large number of anomaly reports every day, most of which are not attack behavior; a fairly professional network security administrator is needed to sort through them, and sometimes this imposes an unbearable burden on the customer;
Dependence on the instrumented host. Because a HIDS is installed on the monitored host, it not only consumes some of that host's resources and affects its efficiency, but a separate HIDS must also be designed and installed for each different host and system environment.
IDS (intrusion detection systems) have long played an important role in security protection systems. IDS technology analyzes packets taken from the network in order to detect and identify unauthorized or abnormal activity in the system. An IDS focuses on network monitoring and audit tracking, reports whether the network is safe and, when it finds abnormal behavior, does not act on it itself but protects by linking with the firewall and other security equipment. IDS is currently a popular solution for businesses, but it has several notable drawbacks:
First, a network flaw: the use of switches instead of hubs, whose shared medium can be monitored, makes network monitoring by an IDS troublesome, and in a complex network carefully crafted traffic can also bypass IDS monitoring;
Second, a large number of false positives (as soon as it boots, the alarms never stop);
Third, its own self-defense capability is poor. For these reasons, an IDS alone is still insufficient to accomplish the task of network security protection.
The defects of IDS drove the development of IPS. IPS technology brings multi-layer, deep, active protection to the network to effectively ensure enterprise network security, and the emergence of IPS is a revolutionary innovation in corporate network security. Simply put, IPS equals firewall plus intrusion detection system, but this does not mean that IPS can replace the firewall or the IDS. The firewall performs very well at TCP/IP protocol filtering, and IDS provides comprehensive audit data that plays a very important role in attack reconstruction, intrusion forensics, abnormal-event recognition, network troubleshooting and so on.
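The difference between the passive IDS described above (which can only tear down a TCP session after the fact and cannot touch UDP) and an inline IPS that drops traffic before delivery is easiest to see in a toy model. The following is an added example, not code from the article or any vendor mentioned in it; the traffic, the signature marker and the hosts are all constructed.

```python
"""Toy model: tap-based IDS blocking versus inline IPS blocking (constructed example)."""
from dataclasses import dataclass, field

# Constructed stand-in for a detection signature; any real rule set would be far richer.
SIGNATURE = b"ATTACK-SIG"


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    flow: tuple     # (src, dst) identifying the connection or datagram flow
    payload: bytes


@dataclass
class Host:
    """The protected host: records what it actually received."""
    delivered: list = field(default_factory=list)
    reset_flows: set = field(default_factory=set)

    def receive(self, pkt):
        # A TCP segment on a flow that was reset is discarded by the stack;
        # UDP has no connection state, so a "reset" means nothing to it.
        if pkt.proto == "tcp" and pkt.flow in self.reset_flows:
            return
        self.delivered.append(pkt)


def matches(pkt):
    return SIGNATURE in pkt.payload


def passive_ids(packets, host):
    """Tap mode: every packet is forwarded first; the sensor only sees a copy.
    Its sole countermeasure is to inject a TCP RST, which affects later segments only."""
    for pkt in packets:
        host.receive(pkt)
        if matches(pkt) and pkt.proto == "tcp":
            host.reset_flows.add(pkt.flow)
    return host


def inline_ips(packets, host):
    """In-path mode: a matching packet is dropped before the host sees it, any protocol."""
    for pkt in packets:
        if not matches(pkt):
            host.receive(pkt)
    return host


# Constructed traffic: one TCP session and one UDP exchange, each carrying one bad packet.
TRAFFIC = [
    Packet("tcp", ("a", "b"), b"GET / HTTP/1.0"),
    Packet("tcp", ("a", "b"), SIGNATURE + b" exploit"),
    Packet("tcp", ("a", "b"), b"follow-up"),
    Packet("udp", ("c", "d"), SIGNATURE + b" worm"),
    Packet("udp", ("c", "d"), b"more"),
]


def malicious_delivered(mode):
    """Protocols of signature-matching packets that reached the host under each mode."""
    host = (passive_ids if mode == "ids" else inline_ips)(TRAFFIC, Host())
    return [p.proto for p in host.delivered if matches(p)]
```

Under the passive model the first malicious TCP segment and the whole UDP flow still reach the host; the RST only cuts off the rest of the TCP session, which is exactly the limitation the article attributes to IDS.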
Next, we analyze the mainstream IPS vendors on the market to see how they design IPS products and how they effectively implement the active intrusion prevention function of IPS.
Among security vendors, foreign brands such as McAfee, ISS, Juniper, Symantec and Huawei 3Com, and domestic brands such as Bingfeng Network and NSFocus, among many others, offer a variety of 100-megabit and gigabit IPS products. The performance of gigabit IPS products from domestic brands (such as Bingfeng Network) has made considerable progress compared with the past, and their adaptability to high-traffic networks has been significantly enhanced.
Judging from evaluations of these mainstream IPS products, a stable and efficient IPS product needs the following capabilities:
Detection mechanism
Because active blocking is required, the detection accuracy of an IPS is critical. IPS vendors use a variety of detection mechanisms to improve it. According to Juniper's engineers, "multiple detection techniques", including stateful signatures, protocol anomalies, backdoor detection, traffic anomalies and hybrid attack detection, are used in Juniper products to improve the accuracy of detection and blocking. McAfee has intensified research and tracking of overflow vulnerabilities in its own laboratories, pushing the corresponding precautions against overflow attacks into the policy libraries of its IPS devices. Domestic brand Bingfeng Network uses vulnerability interdiction technology in its IPS devices: by studying the features of a vulnerability and adding them to the filtering rules, the IPS can recognize every attack that exploits that vulnerability by the characteristics they share. During the large-scale outbreak of the "shock wave" (Blaster) worm and its variants, it blocked them directly and so won critical time for patching.
Vulnerability Analysis
The development prospects of IPS products depend on improving the attack interdiction function. Introducing vulnerability analysis gives IPS a further basis for improving its attack interdiction capability: by analyzing system vulnerabilities, collecting and analyzing attack code or worm code, and describing attack or flaw characteristics, the IPS can proactively protect vulnerable systems.
Since software vulnerabilities are the main targets of criminals, almost all IPS vendors are strengthening research into system fragility. ISS and Symantec have each set up vulnerability analysis mechanisms. McAfee also recently acquired Foundstone, a company engaged in vulnerability research, to integrate vulnerability analysis technology with intrusion prevention technology. Juniper has a dedicated security team that closely monitors new system vulnerabilities and worms. Domestic IPS vendors such as NSFocus and Bingfeng Network, although they have no independent vulnerability analysis bodies, also closely follow the vulnerability analysis reports issued by the authorities and update their filtering mechanisms in a timely manner.
Application environment
The detection accuracy of an IPS also depends on the application environment. Some traffic may be malicious for some users but normal for others, so the IPS must be able to tune its policy flexibly and easily to the specific needs of its users in order to improve detection accuracy. Companies such as McAfee, Juniper, ISS and Bingfeng Network also provide tuning mechanisms in their IPS that let it improve detection accuracy through self-learning.
Full compatibility
All users want to build the most secure and manageable network environment with relatively little investment. If an IPS is to achieve comprehensive protection, it also needs to integrate with other network management functions, such as network management, load balancing and log management, each with its own division of labor but in close collaboration.