In the first two articles, we showed readers of the IT168 Security Channel how to use an IPS (intrusion prevention system) to promptly discover and analyze host vulnerabilities on connected devices. Today we continue with action processing (also called behavior processing), a major feature of an IPS. Action processing lets us choose more flexibly which measures and actions to take once the IPS detects an intrusion packet, and it is also the biggest difference between an IPS and an IDS (intrusion detection system).
Security Device User Guide to protect Intranet Security
Use IPS to track intruders in security device User Guide
I. Purpose of the action processing method:
Action processing means applying different forwarding and handling policies to different types of network packets. For example, normal communication packets are allowed through; packets carrying vulnerability attacks are either blocked outright or forwarded to a fixed server for analysis; some unconventional packets are allowed at first but are logged and monitored, and if they affect normal network services they are blocked immediately.
With action processing we can conveniently handle the legitimate, illegal and uncertain packets in enterprise network traffic, applying different handling policies by protocol function, by port and by destination address. Over time, we can analyze the various packet types through the IPS logs and then formulate new action-processing rules from those statistics, making the enterprise network more stable.
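As an added illustration of the policy described above (not code from the article or from any IPS product), the following Python sketch models an ordered action-processing policy: rules keyed by protocol, port and destination, with pass, drop, redirect-to-analysis and allow-but-monitor actions, the last escalating to drop once a source exceeds a threshold, plus a tally of the log that an administrator would use to write new rules. The analysis-server address, rule names, ports and packets are all constructed.

```python
# Added example, not code from the IT168 article or any vendor's IPS: a
# minimal action-processing engine. Ordered rules match on protocol, port and
# destination address; actions are pass, drop, redirect (to a fixed analysis
# server) or monitor (allow and log, escalating to drop past a threshold).
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

ANALYSIS_SERVER = "10.0.0.250"  # assumed address of the analysis server

@dataclass
class Rule:
    name: str
    action: str                  # "pass", "drop", "redirect" or "monitor"
    proto: Optional[str] = None  # None matches any value
    dport: Optional[int] = None
    dst: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        wanted = {"proto": self.proto, "dport": self.dport, "dst": self.dst}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())

@dataclass
class ActionEngine:
    rules: list                  # ordered policy; must end in a catch-all rule
    monitor_limit: int = 3       # monitored packets per source before escalation
    log: list = field(default_factory=list)
    seen: dict = field(default_factory=lambda: defaultdict(int))

    def handle(self, pkt: dict):
        rule = next(r for r in self.rules if r.matches(pkt))  # first match wins
        verdict = rule.action
        if verdict == "monitor":              # allow, but count per source
            self.seen[pkt["src"]] += 1
            if self.seen[pkt["src"]] > self.monitor_limit:
                verdict = "drop"              # now disrupting normal service
        elif verdict == "redirect":           # hand off to the analysis server
            pkt = {**pkt, "dst": ANALYSIS_SERVER}
        self.log.append((rule.name, verdict, pkt["src"]))
        return verdict, pkt

    def verdict_counts(self) -> dict:         # log statistics behind new rules
        return dict(Counter((rule, verdict) for rule, verdict, _ in self.log))

# Constructed sample policy (ports and names are illustrative only).
RULES = [Rule("suspect-smb-to-analysis", "redirect", proto="tcp", dport=445),
         Rule("block-telnet", "drop", proto="tcp", dport=23),
         Rule("watch-ssdp", "monitor", proto="udp", dport=1900),
         Rule("web-ok", "pass", proto="tcp", dport=80),
         Rule("default", "pass")]            # catch-all that handle() relies on
```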