With the continuous improvement of network attack techniques and the ongoing discovery of security vulnerabilities, traditional firewall and IDS technology can no longer cope with some security threats. IPS technology emerged in response: an IPS can deeply inspect the traffic passing through it, discard malicious packets to block an attack, and rate-limit abusive traffic to protect network bandwidth.
How IPS implements deep inspection and intrusion prevention
An IPS deployed on the data forwarding path inspects every packet passing through it in depth according to the preset security policy (protocol analysis and tracking, feature matching, traffic statistics analysis, event correlation analysis, and so on). Once it finds an attack hidden in the traffic, it can immediately take defensive measures graded by the threat level of the attack. In ascending order of strength these measures are: raise an alarm to the management center, discard the packet, cut off the application session, and sever the TCP connection.
Where to deploy
From the above analysis we can conclude that an office network needs IPS deployed at least in the following places: the junction between the office network and the external network (the ingress/egress), the front end of the main server cluster, and the access layer inside the office network. Other areas can be covered as appropriate, depending on the actual situation and their importance.
How to deploy
The following cases show several network deep-inspection/real-time defense schemes with IPS at the core; each can be expanded or simplified as appropriate for a given application scenario.
I. Policy-based security defense
1. The IPS located at the entrance of the office network, through application-layer protocol analysis and tracking and feature matching, finds that an HTTP data stream destined for business server A hides an attempt to exploit a DCOM vulnerability in the Windows operating system;
2. The IPS escalates this security incident to the management center;
3. The management center obtains the basic information of server A;
4. The management center determines from the information obtained about A whether the access is harmful: if A does not run Windows, or runs Windows but already has the patch for the DCOM vulnerability installed, then A is safe;
5. Depending on the result, the management center issues the resulting security policy to the IPS;
6. The IPS executes the security policy, releasing or blocking this connection request.
What we are describing here requires management-center intervention. In some relatively simple cases, if we can confirm in advance which operating system the server cluster runs (which is possible in 90% of cases), the rules against that network attack can be applied directly on the IPS with no need to interact with the management center, which reduces deployment complexity and improves efficiency.
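The decision logic of scenario I, as an added Python example that is not part of the original article: the management center checks the reported incident against a constructed asset inventory and returns the policy the IPS should execute, graded as the article's list of measures. The host names, the patch identifier DCOM-FIX and the severity-to-action mapping are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed asset inventory, as the management center would hold it:
# host -> operating system and the set of installed patch identifiers.
# "DCOM-FIX" is a placeholder patch id, not a real advisory number.
ASSETS: Dict[str, dict] = {
    "server-a": {"os": "windows", "patches": {"DCOM-FIX"}},
    "server-b": {"os": "linux", "patches": set()},
    "server-c": {"os": "windows", "patches": set()},
}

@dataclass
class Event:
    dst_host: str      # server the suspicious HTTP stream is going to
    signature: str     # matched feature, e.g. "dcom-rpc-overflow" (hypothetical name)
    target_os: str     # operating system the signature's exploit affects
    fixed_by: str      # patch that closes the hole
    severity: int      # 1 (low) .. 4 (critical), set by the signature

# Defensive measures in ascending order of strength, as the article lists them.
# Mapping severity to one of them is an assumption of this example.
ACTIONS = {1: "alarm", 2: "discard-packet", 3: "cut-session", 4: "sever-tcp"}

def is_harmful(ev: Event, assets: Dict[str, dict]) -> bool:
    """Management-center check: the access is only harmful if the target
    really runs the affected OS and lacks the patch. A host missing from
    the inventory is treated as harmful (fail closed)."""
    asset = assets.get(ev.dst_host)
    if asset is None:
        return True
    if asset["os"] != ev.target_os:
        return False
    return ev.fixed_by not in asset["patches"]

def decide(ev: Event, assets: Dict[str, dict]) -> str:
    """Policy issued back to the IPS: 'release' or one of ACTIONS by severity."""
    if not is_harmful(ev, assets):
        return "release"
    return ACTIONS[max(1, min(4, ev.severity))]

if __name__ == "__main__":
    ev = Event("server-a", "dcom-rpc-overflow", "windows", "DCOM-FIX", 4)
    print(decide(ev, ASSETS))  # patched Windows host -> release
```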
II. Application-aware intelligent defense
1. An office network user accesses a WWW server on the Internet;
2. The IPS detects the request, determines that it complies with the preset security policy, and releases it;
3. The connection between the user and the external server is established;
4. Through the established connection, the user attempts to reach an illegal or objectionable website by way of two proxies;
5. Based on deep analysis and content identification of the application-layer protocol, the IPS detects the attempt and blocks the HTTP connection;
6. The security incident is reported to the management center for the record;
7. According to the policy issued by the management center, the IPS can punish the user for a certain period of time (by denying the user's subsequent Internet requests).
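Scenario II in code, as an added Python example that is not part of the original article: the inspector recovers the host an HTTP request really addresses, including the absolute-URI and CONNECT forms a request relayed through proxies uses, blocks requests for denied hosts, reports the incident and refuses the user's further requests for a penalty period. The deny list, the hosts and the 600-second penalty are constructed values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed deny list of hostnames the site policy classifies as objectionable.
DENIED_HOSTS = {"bad.example", "worse.example"}
PENALTY_SECONDS = 600  # assumed length of the punishment period

# Request line of an HTTP/1.x request; the target may be an absolute URI
# (as sent to a proxy), a CONNECT authority, or a path plus Host header.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|CONNECT) (\S+) HTTP/1\.[01]$")

def target_host(request: str) -> Optional[str]:
    """Return the host a request addresses, seeing through proxy forms."""
    lines = request.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    if method == "CONNECT":                       # CONNECT host:port
        return target.split(":")[0].lower()
    if target.startswith("http://"):              # GET http://host:port/path
        return target[7:].split("/")[0].split(":")[0].lower()
    for line in lines[1:]:                        # GET /path + Host: header
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().split(":")[0].lower()
    return None

class AppAwareIPS:
    def __init__(self) -> None:
        self.penalty_until: Dict[str, float] = {}        # user -> unix time
        self.incidents: List[Tuple[float, str, str]] = []  # reported upstream

    def inspect(self, user: str, request: str, now: float) -> str:
        """Verdict for one request on an already established connection."""
        if self.penalty_until.get(user, 0.0) > now:
            return "block"                              # still being punished
        host = target_host(request)
        if host in DENIED_HOSTS:
            self.incidents.append((now, user, host))     # report to management
            self.penalty_until[user] = now + PENALTY_SECONDS
            return "block"
        return "release"
```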
III. Behavioral-analysis intelligent defense: preventing virus and worm outbreaks
1. A user on an office network accesses the business server cluster through the public area network;
2. After the normal connection is established, the IPS at the front end of the server cluster detects the behavioral characteristics of a virus hidden in the user's traffic, immediately blocks the user's access, and reports the security incident to the management center;
3. The management center analyzes the security incident, locates the user from the packet information, and formulates a new security policy;
4. Access management changes the user's security rating and issues the updated security policy to the relevant network devices;
5. The network devices that received the updated security policy isolate the user to a specific area, preventing the virus from infecting other network users, and follow up.
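One behavioral characteristic an IPS in scenario III can key on, as an added Python example that is not part of the original article: a source contacting many distinct hosts on the same port within a short window, which is how a scanning worm spreads and not how a normal user works. The window, threshold, user names and flow records are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 10      # assumed sliding-window length
FANOUT_THRESHOLD = 20    # assumed distinct destinations per port that trip the rule

class BehaviorIPS:
    def __init__(self) -> None:
        # (source, dest port) -> recent (time, destination) observations
        self.recent: Dict[Tuple[str, int], Deque[Tuple[float, str]]] = defaultdict(deque)
        self.isolated: Set[str] = set()      # users moved to the quarantine area
        self.incidents: List[Tuple[float, str, int, int]] = []

    def observe(self, t: float, src: str, dst: str, dport: int) -> str:
        """Feed one flow record (time, src, dst, dport); return the verdict."""
        if src in self.isolated:
            return "block"                   # updated policy already in force
        q = self.recent[(src, dport)]
        q.append((t, dst))
        while q and q[0][0] < t - WINDOW_SECONDS:
            q.popleft()                      # slide the window forward
        fanout = len({d for _, d in q})
        if fanout >= FANOUT_THRESHOLD:
            self.incidents.append((t, src, dport, fanout))  # report to management
            self.isolated.add(src)           # lowered security rating: isolate
            return "isolate"
        return "release"

def replay(flows: List[Tuple[float, str, str, int]]):
    """Run a list of flow records through a fresh IPS; return it and the verdicts."""
    ips = BehaviorIPS()
    return ips, [ips.observe(*f) for f in flows]

# Constructed sample: one user browsing a single web server repeatedly,
# another sweeping port 445 across 25 hosts of the server cluster.
SAMPLE = [(i * 0.5, "user-normal", "www-server", 80) for i in range(30)] + \
         [(i * 0.1, "user-wormy", f"srv-{i}", 445) for i in range(1, 26)]

if __name__ == "__main__":
    ips, verdicts = replay(SAMPLE)
    print(ips.incidents, verdicts.count("block"))
```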
Key technologies of IPS deep inspection and intrusion prevention
Relying on a deep understanding of network equipment architecture and strong design and development capabilities, Huawei 3Com has designed a dedicated high-performance hardware platform for its IPS products. The platform completely abandons the industrial-PC architecture common on the market today.
Protocol analysis and tracking technology
The preceding analysis shows how important protocol analysis and tracking are for an IPS device. Unlike a traditional firewall, an IPS not only analyzes and tracks the network- and transport-layer protocols IP, ICMP, UDP and TCP, but also many application-layer protocols, among them HTTP, HTTPS, FTP, TFTP, SNMP, Telnet, SMTP, POP, DNS, RPC, LDAP, ICQ, MSN and Yahoo Messenger. Without a deep understanding of network protocols and operating systems this task cannot be accomplished. Huawei 3Com already has the capability to track and analyze in depth everything from the operating-system kernel up to the application protocols; moreover, once the network processor is introduced, all logic detection and protocol analysis and tracking will be moved down to the network processor and implemented in microcode, further improving system performance.
Performance of feature matching
In computing, searching massive amounts of data for particular patterns is always a computationally intensive and complex problem, and IPS content recognition is precisely this kind of work. So how can this CPU killer be tamed, resolving the conflict between it and device performance?
Huawei 3Com uses a dedicated hardware accelerator card to solve this problem. The accelerator card, designed around a special-purpose content-search chip, works together with the CPU and network processor in the system: whenever a packet needs a content search, it takes that burden off the CPU and network processor, so that they can concentrate on packet processing and logic detection, minimizing the impact of content search on system efficiency. The hardware accelerator card Huawei 3Com has designed can currently process traffic at gigabit speed.