Network Intrusion Prevention Benefits


Because they forward traffic at Layer 2, the IPS devices on your network can inspect traffic from numerous protocols to identify attacks against your network. By not forwarding malicious traffic, your Network IPS solution can stop this traffic before it reaches the target system. Your IPS also provides the following benefits:

  • Traffic normalization

  • Security policy enforcement

Traffic Normalization

Besides stopping malicious traffic, your IPS devices can prevent various IDS evasion techniques by normalizing the traffic reaching the systems on your network. Some of the attacks that normalizing TCP traffic can prevent include the following:

  • Time to Live (TTL) manipulation

  • URG pointer manipulation

  • Out of order RST or FIN

  • Out of order packets

  • TCP window size manipulation

Normalizing Traffic

Stateful protocols, such as TCP, operate by a predefined set of rules and states. Some attacks, such as TTL manipulation, utilize the rules to try to evade detection. Normalizing traffic involves manipulating the traffic, such as a TCP stream, to prevent these anomalies. For example, to nullify the TTL manipulation attack, the normalizer engine can force all the outgoing TCP packets to use the smallest TTL observed during the TCP connection.
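The TTL normalization just described, as an added illustration (not code from the book or from any IPS product): a per-flow normalizer that rewrites every forwarded packet to carry the smallest TTL observed so far on that flow, so the sensor and the end host see the same stream. The `Packet` class and the sample packet list are constructed for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal constructed stand-in for the IP/TCP header fields we need."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    payload: bytes = b""


def flow_key(pkt: Packet) -> tuple:
    # One direction of one TCP connection is normalized independently.
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


class TtlNormalizer:
    """Forward each packet with TTL clamped to the flow's minimum observed TTL.

    A packet that dies (low TTL) before reaching the host is seen by the sensor
    only; clamping the rest of the flow to that TTL removes the mismatch.
    """

    def __init__(self) -> None:
        self.min_ttl: dict[tuple, int] = {}
        self.rewrites = 0  # count of packets whose TTL was lowered

    def process(self, pkt: Packet) -> Packet:
        key = flow_key(pkt)
        observed = self.min_ttl.get(key)
        if observed is None or pkt.ttl < observed:
            self.min_ttl[key] = pkt.ttl  # new flow minimum; forward unchanged
            return pkt
        if pkt.ttl > observed:
            self.rewrites += 1
            return replace(pkt, ttl=observed)  # lower TTL to the flow minimum
        return pkt


def normalize_stream(packets: list[Packet]) -> tuple[list[int], int]:
    """Return the forwarded TTL per packet and how many were rewritten."""
    norm = TtlNormalizer()
    return [norm.process(p).ttl for p in packets], norm.rewrites


# Constructed sample: one flow where the third segment carries a short TTL.
SAMPLE = [Packet("10.0.0.5", 40000, "192.0.2.10", 80, t) for t in (64, 64, 3, 64, 64)]
```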


Normalizing traffic has been initially focused on mitigating various TCP-based attacks. This concept, however, can be applied to numerous protocols. As IPS software evolves, the normalizing capability will grow and incorporate a larger suite of protocols, making it more difficult for an attacker to evade detection and successfully attack systems on your network.

Security Policy Enforcement

Your IPS can enforce your security policy because it can modify and drop traffic entering your network. For example, many applications, such as peer-to-peer software, use a destination port of TCP port 80 because this traffic is usually allowed by most firewall policies. The firewall might not be able to distinguish between HTTP traffic going to TCP port 80 and another program, such as Kazaa, using the same port. With an IPS, you can monitor traffic to TCP port 80 and verify its compliance with RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1," thus ensuring that your firewall is allowing only HTTP traffic through for TCP port 80.




Intrusion Prevention Fundamentals
ISBN: 1587052393