How IPS (intrusion Prevention Services) Works?
12/20/2019 148 24867
SonicWall Intrusion Prevention Service (SonicWall IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWall IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWall's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWall IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWall's industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWall IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.
SonicWall Deep Packet Inspection
Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to it, preventing the traffic from passing through. Deep Packet Inspection is a technology that allows a SonicWall Security Appliance to classify passing traffic based on rules. These rules include information about layer 3 and layer 4 content of the packet as well as the information that describes the contents of the packet's payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWall Security Appliance, as well as prevent them (i.e. dropping the packet or resetting the TCP connection). SonicWall's Deep Packet Inspection technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation has occurred.
How SonicWall's Deep Packet Inspection Works
Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWall Intrusion Prevention Service. SonicWall's Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWall Distributed Enforcement Architecture. The following steps describe how the SonicWall Deep Packet Inspection Architecture works:
- Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
- TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework.
- Deep Packet Inspection engine preprocessing involves normalization of the packet's payload. For example, a HTTP request may be URL encoded and thus the request is URL decoded in order to perform correct pattern matching on the payload.
- Deep Packet Inspection engine postprocessors perform actions which may either simply pass the packet without modification, or could drop a packet or could even reset a TCP connection.
- SonicWall Deep Packet Inspection framework supports complete signature matching across the TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.
SonicWall IPS Terminology
Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address.
Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
False Positive - a falsely identified attack traffic pattern.
Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it.
Signature - code written to detect and prevent intrusions, worms, application exploits, and Peer-to-Peer and Instant Messaging traffic.
Activating SonicWall Intrusion Prevention Service
Navigate to Security Service | Intrusion Prevention
IPS Status - This shows the status of IPS databases downloaded from SonicWall cloud, timestamp of the signature database last update, last automatic scan and expiration date of the IPS service as synchronized with the SonicWall License Manager server.
IPS Global Settings - This allows you to manage your network protection against attacks by simply selecting the class of attacks: High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks. Selecting the Prevent All and Detect All check boxes for High Priority Attacks and Medium Priority Attacks in the Signature Groups table, and then clicking Apply protects your network against the most dangerous and disruptive attacks.
High Priority Attacks - These attacks are the most dangerous to your network. They can take down your entire network or disable servers, such as various Backdoor, DDoS, and DOS attacks.
Medium Priority Attacks - These attacks can cause disruption to your network, such as increased network traffic that slows down performance. For example, various DNS, FTP, and Telnet attacks.
Low Priority Attacks - These attacks are characterized more as informational events, such as various Scan, RPC, and SMTP attacks.
Log Redundancy Filter
The Log Redundancy Filter (seconds) field allows you to define the time in seconds that the same attack is logged as a single entry in the SonicWall log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The default 60 seconds entry for Low Priority Attacks in the Log Redundancy Filter (seconds) field is recommended because the relatively high volume of these types of signature triggers. You can view and manage the SonicWall log events by clicking on the Log button in the Management Interface. The Log > View page displays the log contents.
Detection vs Prevention
SonicWall IPS provides two methods for managing global attack threats: detection (Detect All) and prevention (Prevent All). You must specify a Prevent All action in the Signature Groups table for intrusion prevention to occur on the SonicWall security appliance.
If Prevent All is enabled for a signature group in the IPS Settings table, the SonicWall security appliance automatically drops and resets the connection, to prevent the traffic from reaching its destination.
If Detect All is enabled for a signature group in the Signature Groups table, the SonicWall security appliance logs and alerts any traffic that matches any signature in the group, but does not take any action against the traffic. The connection proceeds to its intended destination. You view the SonicWall log on the Log | View page as well as configure how alerts are handled by the SonicWall security appliance in the Log | Automation page.