Overview of Intrusion Prevention

This section describes intrusion prevention and its features.

Definition

Intrusion prevention detects intrusions, such as buffer overflow attacks, Trojan horses, and worms, by analyzing network traffic and takes actions to quickly terminate the intrusions. In this way, intrusion prevention protects the information system and network architecture of enterprises.

Highlights

Intrusion prevention on the FW detects intrusion packets and automatically discards them or blocks the attack sources. Intrusion prevention on the FW has the following benefits:

  • Real-time attack blocking: Deployed in in-line mode, the FW blocks the attack traffic in real time.
  • In-depth protection: The FW examines the application-layer contents of packets, reassembles packets to analyze the protocols and detect threats, and blocks the attack packets based on the attack type and policy.
  • All-round protection: Intrusion prevention defends against such attacks as worms, viruses, Trojan horses, botnets, spyware, adware, Common Gateway Interface (CGI), cross-site scripting, injection, directory traversal, information leaks, remote file inclusion, overflow, code execution, denial of service, and scanning.
  • Internal and external prevention: Intrusion prevention on the FW protects the intranet against both internal and external attacks. The system detects traffic that passes through, protecting both servers and clients.
  • Constant update for up-to-date protection: The intrusion prevention signature database is constantly updated to identify the latest threats. You can periodically update the signature database from the update center.

Difference from the IDS

An intrusion detection system (IDS) detects abnormal and suspicious traffic, generates alarms to notify the administrator of the network condition, and provides solutions accordingly. The IDS is a security function for risk management. Compared with the IDS, intrusion prevention not only detects attacks and malicious behavior against networks and data but also quickly terminates them. It is a security function for risk control.

Intrusion prevention provides advanced defense functions beyond those of the traditional IDS.
  • The IDS cannot defend against application-layer attacks, whereas the intrusion prevention device can.

    The IDS has high false negative and false positive ratios and generates a considerable number of logs and alarms, making it difficult to locate real attacks. The intrusion prevention device removes the outer layers of packets, identifies the protocol, parses the packets, classifies the parsed packets, and matches them against signatures to ensure detection accuracy.

  • The IDS device can detect attacks but cannot prevent them. To prevent attacks, the IDS device must interwork with an FW.

    The intrusion prevention device, however, can both detect and block attacks. When it detects an attack, the intrusion prevention device automatically discards the attack packets or blocks the attack source.
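The following added example (not Huawei's code) illustrates the contrast described above with a toy inline engine: the same traffic is run in an alarm-only IDS mode and in an IPS mode that drops matching packets and blocks their source. The packets, the signature table format, and the protocol labels are constructed assumptions.

```python
"""Toy inline engine contrasting IDS (alarm only) and IPS (drop + block source).
Added example, not part of the original page; packets and signatures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str        # source address (constructed sample values)
    proto: str      # protocol identified after outer layers are stripped, e.g. "http"
    payload: bytes  # application-layer content that signatures are matched against


# Constructed signature table: (name, protocol, byte pattern). Assumed format.
SIGNATURES = [
    ("directory-traversal", "http", b"../../"),
    ("cgi-probe", "http", b"/cgi-bin/"),
]


@dataclass
class Engine:
    mode: str                                  # "ids" or "ips"
    blocked_sources: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def match(self, pkt: Packet):
        # Classification: only signatures written for the identified protocol apply,
        # so the same bytes on another protocol do not raise a false positive here.
        for name, proto, pattern in SIGNATURES:
            if proto == pkt.proto and pattern in pkt.payload:
                return name
        return None

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet."""
        if self.mode == "ips" and pkt.src in self.blocked_sources:
            return "drop"        # blocked source: later packets are not even inspected
        sig = self.match(pkt)
        if sig is None:
            return "forward"
        self.alarms.append((pkt.src, sig))
        if self.mode == "ids":
            return "forward"     # IDS: alarm raised, but the packet still passes
        self.blocked_sources.add(pkt.src)
        return "drop"            # IPS: packet discarded and its source blocked


def run(mode: str, packets):
    eng = Engine(mode)
    verdicts = [eng.handle(p) for p in packets]
    return verdicts, eng.alarms, eng.blocked_sources


TRAFFIC = [  # constructed sample traffic
    Packet("10.0.0.5", "http", b"GET /index.html"),
    Packet("10.0.0.9", "http", b"GET /../../etc/passwd"),   # matches a signature
    Packet("10.0.0.9", "http", b"GET /index.html"),         # benign, same source
    Packet("10.0.0.9", "dns", b"/../../"),                  # same bytes, other protocol
]
```

Running `run("ids", TRAFFIC)` forwards every packet and records one alarm, while `run("ips", TRAFFIC)` drops the attack packet and every later packet from 10.0.0.9.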

Copyright © Huawei Technologies Co., Ltd.