IDP
Intrusion Prevention versus Active Response
While similar in their goals, there are significant differences between Intrusion Detection systems with active response capability and true Intrusion Prevention systems (such as that provided by the Network Box). The difference is summed up as "active response systems experience latency delays, and cannot 100% guarantee to stop an attack (they can merely mitigate the effects of the attack), while an Intrusion Prevention system can both stop an attack with suitable counter-measures and also prevent an attack from compromising a system".

Intrusion Detection systems operate in parallel to, but separate from, a firewall. When operating in "active response" mode, they tell the firewall to close down connections and optionally to block future attacks from that source IP address. It is this latency of communication between the IDS and the firewall that permits the initial attack packets through, and with them the compromise of the target. Intrusion Prevention systems operate in-line and are tightly coupled to the firewall. These systems (such as that provided in the Network Box) operate with zero latency, and are capable of blocking even single-packet attacks (such as SQL Slammer).
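The following simulation is an added illustration of the point above; it is not Network Box code and does not model any real product. It assumes a constructed signature pattern (the byte string EVIL), constructed packet arrival times in milliseconds, and a single configurable response latency for the out-of-band detector. It shows why an IDS that blocks through the firewall after the fact lets the first matching packets through, while an inline engine drops the matching packet itself, including a one-packet attack.

```python
"""Toy model of out-of-band (IDS + active response) versus inline (IPS) blocking.

Added example; the signature, packets and latency values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

SIGNATURE = b"EVIL"  # constructed pattern standing in for a real IDP signature


@dataclass
class Packet:
    t_ms: float     # arrival time at the firewall, in milliseconds
    src: str        # source IP address (constructed)
    payload: bytes


def matches(pkt: Packet) -> bool:
    """Signature check shared by both engines."""
    return SIGNATURE in pkt.payload


class ActiveResponseIDS:
    """IDS beside the firewall: it sees a copy of each packet after the firewall
    has already forwarded it. On a match it asks the firewall to block the
    source, and that block only takes effect `response_latency_ms` later."""

    def __init__(self, response_latency_ms: float) -> None:
        self.latency = response_latency_ms
        self.block_effective_at: Dict[str, float] = {}  # src -> time block applies

    def process(self, pkt: Packet) -> str:
        effective = self.block_effective_at.get(pkt.src)
        if effective is not None and pkt.t_ms >= effective:
            return "dropped"          # firewall rule is now in place
        # The firewall forwards the packet; the IDS only reacts afterwards.
        if matches(pkt) and pkt.src not in self.block_effective_at:
            self.block_effective_at[pkt.src] = pkt.t_ms + self.latency
        return "forwarded"


class InlineIPS:
    """Inline engine: the packet is inspected before it is forwarded, so a
    matching packet never reaches the target."""

    def process(self, pkt: Packet) -> str:
        return "dropped" if matches(pkt) else "forwarded"


def run(engine, packets: List[Packet]) -> List[str]:
    """Feed packets through an engine in arrival order and record each verdict."""
    return [engine.process(p) for p in packets]


def attack_packets_delivered(engine, packets: List[Packet]) -> int:
    """How many signature-matching packets reached the target."""
    verdicts = run(engine, packets)
    return sum(1 for p, v in zip(packets, verdicts) if matches(p) and v == "forwarded")


# Constructed traffic: a single-packet attack, and a short burst from one source.
SINGLE_PACKET_ATTACK = [Packet(0.0, "10.0.0.9", b"GET / EVIL")]
BURST = [
    Packet(0.0, "10.0.0.9", b"EVIL #1"),
    Packet(5.0, "10.0.0.9", b"EVIL #2"),    # still inside the response latency
    Packet(20.0, "10.0.0.9", b"EVIL #3"),   # block is in force by now
    Packet(21.0, "10.0.0.7", b"hello"),     # benign traffic from another host
]

if __name__ == "__main__":
    ids = ActiveResponseIDS(response_latency_ms=10.0)
    print("active response, single packet:", run(ids, SINGLE_PACKET_ATTACK))
    print("inline IPS,      single packet:", run(InlineIPS(), SINGLE_PACKET_ATTACK))
    print("active response, burst:", run(ActiveResponseIDS(10.0), BURST))
    print("inline IPS,      burst:", run(InlineIPS(), BURST))
```

With a 10 ms response latency the out-of-band engine forwards the one-packet attack and the first two packets of the burst before its block takes hold, while the inline engine drops every matching packet and passes the benign one. Real response latency depends on the detector, the firewall API and the network between them, which is the practical reason the page treats the two architectures as different classes of protection.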
Intrusion Detection and Prevention
Integrated with the firewall, the Network Box IDP (Intrusion Detection and Prevention) module scans network traffic at the application level, and seamlessly blocks malicious behavior with zero latency.
A comprehensive database of IDP signatures precisely matches and actively blocks known exploits. Protection against newly emerging threats is provided by a database of vulnerability-class based signatures and heuristic (expert system) anomaly-based behavioral analysis.
The Network Box IDP system is updated in real-time, using high speed PUSH technology, from the global network of Network Box Operation Centers.
Features
- Intrusion detection engine: Zero latency, hybrid, multi-level, tightly integrated with firewall.
- Action: Active (blocks network traffic) and/or passive (logs intrusion attempts).
- Reporting: Real time (on demand), and periodic (summary) by SMTP e-mail.
- Types of intrusion detected: ICMP/IP, Denial of Service (DoS), portscans, protocol level, application level.
- Just-in-time and heuristic engines: Used to block uncharacterized attacks before they have a signature.
- Signatures: Depends on configuration, but normally in excess of 2,500 (IDS) / 350 (IDP).