Intrusion Prevention System

DPtech IPS2000 Technical White Paper

1.Overview

With networks growing rapidly, application-layer attacks such as worms, Trojan horses, spyware, DDoS attacks and bandwidth abuse keep emerging. Traditional network-layer protection inspects and matches packet headers only. Since a great many application-layer attacks are now hidden inside otherwise normal packets, or even spread across several packets, analysing a single packet header is far from enough.

In response, an IPS inspects packets in depth to defend against application-layer threats in real time. However, most IPS systems were rebuilt from earlier IDS platforms, which leaves them with low throughput, high false-positive and false-negative rates, and poor reliability. The growing number of applications and signatures places ever higher demands on system performance, which such platforms can meet only by trimming or disabling parts of the signature library. An IPS run that way contributes little to security and can itself become a point of failure in the network.

How, then, can an IPS deliver wire-speed throughput and microsecond latency while still performing deep inspection? Traditional hardware and software architectures built around serial processing, whether x86, ASIC or NP based, clearly cannot keep pace with thousands of constantly updated vulnerability signatures, let alone the additional virus and application-protocol libraries.

2.Product Introduction

With its innovative concurrent hardware architecture and the proprietary APP-X hardware architecture, the DPtech IPS2000 can enforce all security policies at once, regardless of the size of the signature library and the number of policies: growing the signature library neither reduces performance nor increases network latency. The DPtech IPS also has a dual-channel design that separates the data plane from the management plane, which removes coupling between the management and data channels and makes the system considerably more robust. In addition, the data channel uses a large-scale concurrent processing mechanism that substantially reduces packet processing delay and improves the user experience.

The effectiveness of an IPS also depends on how comprehensive, professionally maintained and current its vulnerability database is. Building on its APP-ID (application identification and detection) technology and a dedicated vulnerability research team, DPtech tracks security bulletins published by well-known security organisations and vendors and continuously analyses, discovers and verifies new threats and vulnerabilities. The DPtech IPS signature database is released on a regular (weekly) schedule and as emergency updates when a major new signature is available, and is distributed automatically to customers' IPS devices, helping them defend against newly disclosed (zero-day) attacks as early as possible. DPtech is currently one of the main contributors to China's national vulnerability database. The dedicated research team and the continuous upgrading of the vulnerability database make the IPS more usable by lowering false positives and false negatives.

The DPtech IPS2000 is a leading IPS product that, in addition to the traditional vulnerability database, carries a professional virus database and an application protocol library. It is an integrated application-layer defence platform against threats such as system vulnerabilities, protocol weaknesses, viruses and worms, DDoS attacks, web page tampering, spyware, malicious attacks and abnormal traffic. The IPS2000 is easy to deploy and plug-and-play, and combined with high-reliability designs such as Bypass it meets the application-layer requirements of complex network environments. With high performance, high reliability and easy management, it is well suited to application-layer security protection.

3.Technical Introduction

3.1 Advanced Feature Extraction Technology

3.1.1 Formal Modeling of Protocol Features

Formal Analysis of Protocols

Analyse the communication environment of the protocol and the services it provides.

Acquire Network Traffic Data

Capture packets and analyse them layer by layer. Compute the composition of the traffic according to the TCP/IP protocol stack and present the results as a tree.

Data mining

Apply data mining methods such as classification, clustering, association analysis and sequence pattern analysis to the traffic, and cluster the protocol rules according to the association rules found.

3.1.2 Feature Data Mining Algorithms

Fig. 1 Data Mining Algorithms

♦ Symbolization of time series: the time series is segmented and each segment is mapped to a symbol, producing a symbolic sequence that data mining tools can process easily.

♦ Data mining: classic algorithms are used to extract association rules that satisfy the minimum support and minimum confidence thresholds.

♦ Clustering of rules: the mined rules are clustered into protocol rules, i.e. the grammar and semantics of the protocol, in light of the communication environment and the services provided.
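As an added illustration of the three steps above (not code from the white paper or from DPtech), the following Python script symbolizes a numeric series into a small alphabet, mines association rules with minimum-support and minimum-confidence thresholds using the classic Apriori algorithm, and clusters the rules by consequent so that they read as candidate protocol rules. The SMTP-like sessions, the alphabet and the thresholds are constructed for the example.

```python
"""Mining protocol rules from symbolized traffic (added example, not DPtech code)."""
from bisect import bisect_right
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: five captured SMTP-like sessions, each already
# symbolized into "direction:message" tokens. Real input would come from
# the layer-by-layer decode of a capture.
SESSIONS = [
    ["C:EHLO", "S:250", "C:MAIL", "S:250", "C:RCPT", "S:250", "C:DATA", "S:354"],
    ["C:EHLO", "S:250", "C:MAIL", "S:250", "C:RCPT", "S:550", "C:QUIT"],
    ["C:EHLO", "S:250", "C:MAIL", "S:250", "C:RCPT", "S:250", "C:DATA", "S:354"],
    ["C:HELO", "S:250", "C:MAIL", "S:250", "C:RCPT", "S:250", "C:DATA", "S:354"],
    ["C:EHLO", "S:250", "C:QUIT"],
]


def symbolize(values, boundaries, alphabet="SML"):
    """Map a numeric series (e.g. payload sizes per packet) onto a small alphabet.

    `boundaries` are ascending class edges; a value below boundaries[0] becomes
    alphabet[0], a value in [boundaries[i-1], boundaries[i]) becomes alphabet[i].
    """
    if len(alphabet) != len(boundaries) + 1:
        raise ValueError("need exactly one more symbol than boundaries")
    return [alphabet[bisect_right(boundaries, v)] for v in values]


def frequent_itemsets(transactions, min_support):
    """Apriori: return {itemset: support} for all itemsets meeting min_support."""
    tx = [frozenset(t) for t in transactions]
    n = len(tx)
    counts = Counter(item for t in tx for item in t)
    level = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    result = dict(level)
    k = 2
    while level:
        items = sorted({i for s in level for i in s})
        candidates = [frozenset(c) for c in combinations(items, k)]
        # Apriori pruning: every (k-1)-subset must itself be frequent.
        candidates = [c for c in candidates
                      if all(frozenset(s) in level for s in combinations(c, k - 1))]
        level = {}
        for c in candidates:
            support = sum(1 for t in tx if c <= t) / n
            if support >= min_support:
                level[c] = support
        result.update(level)
        k += 1
    return result


def association_rules(itemsets, min_confidence):
    """Return (antecedent, consequent, support, confidence) rules from frequent itemsets."""
    rules = []
    for s, support in itemsets.items():
        if len(s) < 2:
            continue
        for r in range(1, len(s)):
            for ante in combinations(sorted(s), r):
                ante = frozenset(ante)
                confidence = support / itemsets[ante]   # subsets of a frequent set are frequent
                if confidence >= min_confidence:
                    rules.append((ante, s - ante, round(support, 3), round(confidence, 3)))
    return rules


def mine_protocol_rules(sessions, min_support, min_confidence):
    """Pipeline: frequent itemsets -> rules -> clusters keyed by consequent.

    A cluster such as {S:354} <- {C:DATA} reads as a protocol rule: a 354
    reply occurs only after a DATA command, which becomes a normalization check.
    """
    rules = association_rules(frequent_itemsets(sessions, min_support), min_confidence)
    clusters = defaultdict(list)
    for ante, cons, support, confidence in rules:
        clusters[cons].append((ante, support, confidence))
    return rules, dict(clusters)
```

With `min_support=0.5` and `min_confidence=0.9` the sample yields rules such as {C:DATA} -> {S:354} and {C:MAIL} -> {C:RCPT} with confidence 1.0, while {C:EHLO} -> {C:DATA} is not frequent enough to appear; on real traffic the thresholds decide how many rules survive to become signatures, and the clustering step is where an analyst reviews them.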

3.2 Attack Prevention Technologies

3.2.1 Detection Technologies based on Fingerprint Features

Fingerprint-based detection is mainly used to detect and block vulnerability exploits. Features are extracted from an in-depth analysis of the vulnerabilities released by the DPtech vulnerability research team and of the security risks detected in the field, and efficient matching algorithms then match packets against these features at high speed and with high accuracy to block the corresponding attacks. The signature libraries are updated continuously, automatically or manually, so that attacks are detected in time. The basic functions and principles of the attack detection and defence module are shown in the figure below.

Fig. 6 IPS attack detection and defense

Logs and reports are available for each attack, including the attack source, destination IP and port, attack time, a detailed description of the attack, and the corresponding vulnerability identifier such as a CVE number. Multi-dimensional reports can be generated and viewed by attack severity, frequency and address, giving administrators a real-time view of threats to network security.

3.2.1.1 Worm attack prevention

Worms are a common form of network attack that spread across the network on their own, typically by exploiting a vulnerable service (SQL Slammer, for example, used UDP port 1434). Well-known examples include Nimda, Conficker and Panda Burning Incense.

DPtech IPS2000 carries a comprehensive worm signature library that detects and blocks worm propagation traffic, protecting the hosts behind it.

By tracking new vulnerabilities and extracting signatures as they are analysed, the DPtech IPS2000 can upgrade its signature library automatically and so respond quickly to newly emerging worms.

3.2.1.2 Protection against SQL Injection

SQL injection exploits flaws in an application's handling of input: the attacker constructs special SQL fragments and submits them through the application in order to obtain sensitive information or to:

♦ Gain system privileges

♦ Operate on database data without authorisation

♦ Tamper with web pages

♦ Add system accounts or database user accounts without consent

DPtech IPS2000 parses the syntax and semantics of SQL, inspects the URL part of GET requests and the body of POST requests, identifies injected statements accurately, and additionally extracts features from known SQL injection attacks, so that SQL injection attempts are blocked effectively.

3.2.1.3 Protection against XSS

Given loose validation of user-supplied data on websites, attackers often insert malicious content into the HTML a site serves, so that it appears trustworthy to users. When a user browses the page, the embedded malicious script executes in the user's browser and attacks the user.

DPtech IPS2000 parses the syntax and semantics of XSS payloads, inspects the URL part of GET requests and the body of POST requests, and identifies them accurately to prevent XSS attacks effectively.
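The SQL injection and XSS sections above describe the same inspection path: decode the GET query and the POST body, then match. The following Python example, added here and not taken from DPtech's product, shows that path over constructed requests. The patterns are illustrative heuristics, not DPtech's signatures, and a second decoding pass is included because a single pass misses double-encoded payloads.

```python
"""HTTP parameter inspection for SQL injection and XSS (added example, not DPtech code)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Heuristic signatures applied to *decoded* parameter values. Matching the raw
# URL would miss %27 and friends, which is why decoding comes first.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b"),
    re.compile(r"(?i)\b(?:or|and)\s+[^\s=]+\s*=\s*[^\s=]+"),     # ' OR '1'='1
    re.compile(r"(?i);\s*(?:drop|insert|update|delete|exec)\b"),  # stacked query
    re.compile(r"(?:--|#|/\*)\s*$"),                              # trailing comment
    re.compile(r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
]
XSS_PATTERNS = [
    re.compile(r"(?i)<\s*script[\s>/]"),
    re.compile(r"(?i)\bon(?:error|load|mouseover|focus|click)\s*="),
    re.compile(r"(?i)javascript\s*:"),
    re.compile(r"(?i)<\s*(?:img|svg|iframe|body|object)\b[^>]*\b(?:src|data|on\w+)\s*="),
]


def extract_parameters(method, target, body="", content_type=""):
    """Return (location, name, decoded_value) triples from the URL and, for POST, the body."""
    parts = urlsplit(target)
    params = [("path", "", unquote_plus(parts.path))]
    params += [("query", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method.upper() == "POST" and body:
        if "application/x-www-form-urlencoded" in content_type.lower():
            params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
        else:
            params.append(("body", "", unquote_plus(body)))   # JSON/XML: inspect as one blob
    return params


def inspect_request(method, target, body="", content_type=""):
    """Return [(label, location, name, pattern)] findings for one request."""
    findings = []
    for where, name, value in extract_parameters(method, target, body, content_type):
        # A second decoding pass catches double-encoded payloads (%2527 -> %27 -> ').
        for candidate in {value, unquote_plus(value)}:
            for label, patterns in (("sqli", SQLI_PATTERNS), ("xss", XSS_PATTERNS)):
                for pat in patterns:
                    if pat.search(candidate):
                        findings.append((label, where, name, pat.pattern))
                        break
    return findings


def labels(findings):
    """Set of finding labels, e.g. {'sqli'}, for quick policy decisions."""
    return {f[0] for f in findings}
```

Two points the example makes concrete: `id=1%2527%2520OR%25201%253D1` is only caught on the second decoding pass, and a benign search such as `q=select+a+book+about+unions` produces no finding. Heuristics of this kind still false-positive on legitimate text (a value ending in `#` such as "C#" trips the trailing-comment rule), which is why SQLi/XSS rules are tuned per application rather than used as a fixed blanket rule set.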

3.2.1.4 Protection against Buffer Overflow

A buffer overflow occurs when an attacker writes more data into a buffer than it can hold. The excess overwrites adjacent memory, such as the program's stack, causing the program to crash or forcing it to execute attacker-chosen code.

Through protocol identification, feature matching and subsequent processing, the IPS2000 provides effective protection against buffer overflow attacks.

3.2.1.5 Protection against System Vulnerabilities

Vulnerability exploitation occurs when an attacker takes advantage of defects in the operating system or application software to implant Trojan horses or viruses and take control of a computer, stealing important information from it or even destroying the system.

DPtech's vulnerability analysis team analyses security vulnerabilities as they appear, expands the IPS signature library with vulnerabilities released by software vendors and with signatures of known vulnerabilities observed on the network, and tracks the latest vulnerabilities in real time to prevent attacks effectively.

3.2.1.6 Protection against Fragmentation Attacks

As is well known, an IP datagram has a maximum length of 65,535 bytes. IP fragments deliberately sent so that their reassembled total exceeds 65,535 bytes can cause kernel failures on the receiving system, such as a crash or denial of service. Likewise, carefully constructed fragment offsets that overlap cannot be handled by some systems and crash them.

When a fragmented packet is seen, DPtech's IPS2000 quickly copies its content using DMA hardware copy, keyed on the identification field of the IP header, without slowing the forwarding of network data. Combined analysis of the fragments' properties, such as the rate at which fragments arrive, their source and destination IP addresses and the constraints of the relevant protocols, provides reliable protection against fragmentation attacks according to preset rules.
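The two failure modes above, an oversized reassembled datagram and overlapping offsets, can be checked per datagram before reassembly. The following Python class is an added example (not DPtech's implementation) that keys fragments by (source, destination, protocol, identification), which is the IP-layer ID the text refers to. The fragment sequences in the test are constructed; the overlap case uses teardrop-style offsets with lengths rounded to multiples of 8 so that the length check does not fire first.

```python
"""IP fragment sanity checks (added example, not DPtech code)."""

MAX_IP_DATAGRAM = 65535                 # 16-bit Total Length field
MAX_IP_PAYLOAD = MAX_IP_DATAGRAM - 20   # minus a minimal IPv4 header


class FragmentTracker:
    """Per-datagram bookkeeping keyed by (src, dst, protocol, identification).

    add() returns a verdict for each fragment:
      "oversize"   offset + length would not fit a 16-bit total length
                   (the oversized-ICMP crash case)
      "bad_length" a non-final fragment whose data is not a multiple of 8 bytes
      "beyond_end" a fragment past the end fixed by the final fragment
      "overlap"    bytes already received at a different position
                   (teardrop-style offsets, which reassemblers resolve differently)
      "duplicate"  exact retransmission of an earlier fragment
      "ok"         accepted
    Offsets are in bytes, i.e. the 13-bit header field already multiplied by 8.
    """

    def __init__(self):
        self._state = {}

    def add(self, key, offset, length, more_fragments):
        if more_fragments and length % 8:
            return "bad_length"
        start, end = offset, offset + length
        if end > MAX_IP_PAYLOAD:
            return "oversize"
        st = self._state.setdefault(key, {"ranges": [], "total": None})
        if st["total"] is not None and end > st["total"]:
            return "beyond_end"
        for s, e in st["ranges"]:
            if start < e and s < end:                      # intervals intersect
                return "duplicate" if (start, end) == (s, e) else "overlap"
        st["ranges"].append((start, end))
        if not more_fragments:
            st["total"] = end
        return "ok"

    def is_complete(self, key):
        """True once the final fragment has arrived and [0, total) is fully covered."""
        st = self._state.get(key)
        if not st or st["total"] is None:
            return False
        covered = 0
        for s, e in sorted(st["ranges"]):
            if s > covered:
                return False                               # hole
            covered = max(covered, e)
        return covered == st["total"]
```

A real implementation would also expire incomplete datagrams after a timeout and cap the number tracked per source, since a flood of never-completing fragments is itself a resource-exhaustion attack on the tracker.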

3.2.1.7 Detection of and Protection against Unknown Threats

With built-in protocol protection policies and integrated protocol normalization rules, DPtech IPS2000 detects and blocks network data that violates the protocol specifications.

Unknown threat detection, which performs normalization at the application layer, applies mainly to mainstream application-layer protocols such as HTTP, SMTP, POP3 and FTP. For example, if a data stream is identified as HTTP and the HTTP request does not conform to the RFC specifications, the built-in protocol normalization rules cause the system to act on that stream so that the abnormal traffic is removed, or at least its type and volume are kept under control.
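As an added example of the protocol normalization described above, not code from DPtech, the following Python function checks one HTTP/1.x request against the RFC 7230 grammar: the request-line and header field names must be tokens, an HTTP/1.1 request needs exactly one Host header, Content-Length must be a single numeric value that matches the body, and Content-Length together with Transfer-Encoding is flagged. It assumes the whole request, head and body, is available in one buffer; the sample requests in the test are constructed.

```python
"""RFC 7230 conformance checks for an HTTP/1.x request (added example, not DPtech code)."""
import re

TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # token characters, RFC 7230 section 3.2.6
REQUEST_LINE = re.compile(rf"({TCHAR}) (\S+) HTTP/(\d)\.(\d)")
FIELD_NAME = re.compile(TCHAR)


def check_http_request(raw: bytes):
    """Return a list of violations for one complete request (head plus body)."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head not terminated by CRLF CRLF"]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII byte in request head"]
    if "\r" in text.replace("\r\n", "") or "\n" in text.replace("\r\n", ""):
        violations.append("bare CR or LF in request head")
    lines = text.split("\r\n")
    # fullmatch, not match: with match(), a trailing '$' would accept a bare LF.
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        violations.append(f"malformed request-line: {lines[0]!r}")
        return violations
    method, target, major, minor = m.groups()
    if not (target == "*" or target.startswith("/") or "://" in target or method == "CONNECT"):
        violations.append(f"request-target in no RFC 7230 form: {target!r}")
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            violations.append("obsolete line folding in header")
            continue
        name, colon, value = line.partition(":")
        if not colon or not FIELD_NAME.fullmatch(name):   # also rejects 'Host : x' (space before colon)
            violations.append(f"malformed header field: {line!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip(" \t"))
    if (int(major), int(minor)) >= (1, 1) and len(headers.get("host", [])) != 1:
        violations.append("HTTP/1.1 request must carry exactly one Host header")
    lengths = headers.get("content-length", [])
    if lengths:
        if "transfer-encoding" in headers:
            violations.append("Content-Length and Transfer-Encoding both present")   # smuggling precursor
        if not all(v.isdigit() for v in lengths) or len(set(lengths)) > 1:
            violations.append(f"invalid or conflicting Content-Length values: {lengths}")
        elif int(lengths[0]) != len(body):
            violations.append(f"Content-Length {lengths[0]} does not match {len(body)} body bytes")
    elif body and "transfer-encoding" not in headers:
        violations.append("message body without Content-Length or Transfer-Encoding")
    return violations
```

The check on Content-Length plus Transfer-Encoding is the one worth keeping even on a permissive deployment: two intermediaries that disagree on which header governs the body length is exactly the condition request smuggling depends on, so a request that carries both is worth dropping or at least logging regardless of its payload.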

3.2.2 Anti-DDoS Detection System

Dynamic rule filtering, abnormal traffic control and the advanced "intelligent traffic detection" are combined to provide multi-level protection that accurately detects and blocks network-layer and application-layer DoS/DDoS attacks and unknown malicious traffic, such as SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, HTTP GET Flood and CC attacks.

A wide array of logs and reports on abnormal traffic, including DNS abnormal traffic, is provided. The information available includes the traffic volume before the attack and after cleaning, the size, duration and ranking of attack traffic, attack trend analysis and other detailed reports, giving users a full picture of traffic status.
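The following Python example, added here and not DPtech's detection code, shows one way to implement the rate-based part of the detection above: a sliding-window count per destination and event kind, with a SYN-specific check that compares completed handshakes (ACKs) to SYNs so that a busy but legitimate server is not reported. The thresholds, window and the three traffic scenarios are constructed for the example.

```python
"""Sliding-window flood detection over flow events (added example, not DPtech code)."""
from collections import defaultdict, deque


class FloodDetector:
    """Per-destination rate detector for SYN, HTTP GET and DNS query floods.

    Each (destination, kind) keeps a deque of (timestamp, source). An alert is
    raised when the count in the window exceeds the threshold for that kind.
    For SYN the detector also requires that few handshakes complete (ACKs seen
    relative to SYNs), so a genuine burst of real clients is not reported.
    """

    def __init__(self, window_s, thresholds, max_completion=0.3):
        self.window_s = window_s
        self.thresholds = thresholds          # kind -> max events per window
        self.max_completion = max_completion  # ACK/SYN ratio above which it is not a flood
        self._events = defaultdict(deque)

    def _recent(self, dst, kind, now):
        q = self._events[(dst, kind)]
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return q

    def observe(self, ts, src, dst, kind):
        self._events[(dst, kind)].append((ts, src))
        recent = self._recent(dst, kind, ts)
        limit = self.thresholds.get(kind)
        if limit is None or len(recent) <= limit:
            return None
        alert = {"type": f"{kind.lower()}_flood", "dst": dst,
                 "count": len(recent), "sources": len({s for _, s in recent})}
        if kind == "SYN":
            acks = len(self._recent(dst, "ACK", ts))
            alert["completion"] = acks / len(recent)
            if alert["completion"] > self.max_completion:
                return None                  # busy but legitimate: handshakes complete
        return alert


def replay(records, detector):
    """Feed (ts, src, dst, kind) records in time order and collect alerts."""
    return [a for a in (detector.observe(*r) for r in records) if a]


def constructed_traffic():
    """Three constructed scenarios (not captured data)."""
    recs = []
    for i in range(300):   # spoofed SYN flood: 300 SYNs in 0.3 s, many sources, no ACKs
        recs.append((i * 0.001, f"198.51.100.{i % 250}", "203.0.113.10", "SYN"))
    for i in range(150):   # busy but legitimate server: every SYN is followed by its ACK
        recs.append((10 + i * 0.002, f"192.0.2.{i % 200}", "203.0.113.20", "SYN"))
        recs.append((10 + i * 0.002 + 0.001, f"192.0.2.{i % 200}", "203.0.113.20", "ACK"))
    for i in range(400):   # CC-style GET flood: 400 GETs in 1 s from four bots
        recs.append((20 + i * 0.0025, f"198.51.100.{200 + i % 4}", "203.0.113.30", "GET"))
    return recs
```

The detector emits one alert per excess event, which is convenient for a test but noisy in production; a real deployment suppresses repeats per (destination, kind) for the duration of the window and feeds the `sources` field into the mitigation choice, since a flood from four hosts (the CC case) can be rate-limited per source while a spoofed SYN flood with hundreds of sources cannot.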

3.3 Virus Filtering Technology

With an integrated professional virus signature library, the DPtech IPS2000 provides powerful anti-virus protection, detecting a large number of viruses transmitted over HTTP, FTP, SMTP, POP3 and IMAP, including those packed in RAR and ZIP archives. The anti-virus module can be deployed inline, in bypass mode, in bridge mode or in a hybrid of these, and automatically detects, blocks or redirects virus-carrying packets and abnormal traffic on the basis of real-time analysis. The anti-virus module provides:

♦ Anti-virus rules management

♦ Anti-virus signature queries

♦ Anti-virus logs

Thanks to its defence against file-infecting, network and hybrid viruses, it accurately detects and removes virus variants and unknown viruses by means of a new generation of virtual-shell (emulation) and behaviour-judgement technology. Three antivirus protection levels are available, so users can set the level of protection according to virus prevalence. The antivirus signature library is updated regularly to ensure a timely response to new viruses. The basic functions and principles of the antivirus module are shown in the figure below.

Fig. 7 Virus detection and protection

Traditional virus detection methods fall into four types: signature (feature code) scanning, checksumming, behaviour monitoring and software emulation. Signature scanning is the method best suited to a network device. The DPtech IPS2000 scans the data stream passing through it against an integrated professional virus database; if a known signature is found in the stream, the content is treated as a virus. Different protective actions are available, and logs are generated, according to the signature and the prevalence of the virus. DPtech's anti-virus technology offers accurate and fast detection, identification of the virus by name, and low false positives.

DPtech's antivirus logs offer rich reporting, with query conditions such as virus source IP, destination IP, virus type and time period. Logs can be sent to a remote server or backed up. DPtech's virus database is released on a regular (weekly) schedule and as emergency updates when a major new signature is available, and is distributed automatically to user devices.
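As an added example of feature-code scanning on a network device (not DPtech's engine), the Python below scans a payload for byte signatures and descends into ZIP containers, which is how a virus packed in an archive carried over HTTP or SMTP gets found. The signatures are made-up byte strings labelled as such, not real malware signatures, and the sample archive is built in memory. It also shows two policy decisions the paragraph does not mention but any such scanner needs: an inflated-size cap against zip bombs, and a verdict for encrypted entries that cannot be inspected.

```python
"""Signature scanning of payloads and nested ZIP containers (added example, not DPtech code)."""
import io
import zipfile

# Constructed demonstration signatures. These byte strings are made up for the
# example and are not real malware signatures.
SIGNATURES = {
    "Demo.Worm.A": b"\x90\x90\x90\xe8\x00\x00\x00\x00\x5d\x83\xed",
    "Demo.Test.File": b"DEMO-ANTIVIRUS-TEST-FILE-7f3a",
}
MAX_DEPTH = 3                       # nested containers to descend into
MAX_INFLATED = 50 * 1024 * 1024     # stop inflating past this many bytes (zip-bomb guard)


def scan_bytes(data, signatures=SIGNATURES):
    """Feature-code scan: names of all signatures found in the data."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_object(data, path="<payload>", depth=0, inflated=None):
    """Scan data, then recurse into it if it is a ZIP archive.

    Returns [(path, verdict)] where verdict is a signature name or a policy
    verdict for content that cannot be inspected safely.
    """
    inflated = inflated if inflated is not None else [0]
    hits = [(path, name) for name in scan_bytes(data)]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if info.is_dir():
                    continue
                inflated[0] += info.file_size
                if inflated[0] > MAX_INFLATED:
                    hits.append((member, "Policy.ArchiveTooLarge"))
                    break
                if info.flag_bits & 0x1:            # encrypted entry: content not inspectable
                    hits.append((member, "Policy.EncryptedArchive"))
                    continue
                hits += scan_object(zf.read(info), member, depth + 1, inflated)
    except zipfile.BadZipFile:
        hits.append((path, "Policy.CorruptArchive"))
    return hits


def build_sample():
    """Construct a payload as an HTTP download would carry it: a ZIP containing
    a clean document and a nested ZIP whose executable carries the test pattern."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing to see here")
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 40 + SIGNATURES["Demo.Test.File"] + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docs/notes.txt", b"quarterly numbers")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

The scan of the outer archive bytes themselves finds nothing, because the signature is inside compressed data; only after inflating `attachments.zip` and then `invoice.exe` does the match appear. That is the practical reason a network anti-virus module must reassemble the stream and unpack containers rather than match signatures on packets alone.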

3.4 Network Bandwidth Limitation Technology

3.4.1 Bandwidth Management based on Users

DPtech IPS2000 treats intranet and external IP addresses as single users or user groups and manages bandwidth by allocating average uplink and downlink bandwidth to each, preventing bandwidth abuse and misuse by individual users.

3.4.2 Bandwidth Management based on Services

DPtech IPS2000 can apply different traffic-control policies to different services of different users, according to the application-layer protocol or service the traffic belongs to, such as IM, P2P, IPTV and online games. This enables service-based, fine-grained traffic management and network optimisation that prevent bandwidth abuse and misuse.
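The user-based and service-based limits described in 3.4.1 and 3.4.2 compose naturally as a two-level token-bucket policy. The following Python example is added here and is not DPtech's traffic-control implementation; the rates, users and packet sizes are constructed. It forwards a packet only when every applicable bucket can pay for it, so a refusal by the per-service cap does not silently drain the user's own allowance.

```python
"""Per-user and per-service bandwidth limiting with token buckets (added example, not DPtech code)."""


class TokenBucket:
    """Classic token bucket: `rate_bps` refill, `burst_bytes` capacity; tokens are bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def refill(self, now):
        if now > self.last:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now

    def has(self, size):
        return size <= self.tokens

    def take(self, size):
        self.tokens -= size


class Shaper:
    """Two-level policy: each user has uplink/downlink limits, and some
    application classes (P2P, IPTV, ...) have an additional shared cap.
    A packet is forwarded only if every applicable bucket can pay for it;
    tokens are taken from all of them together so that a refusal by one
    bucket does not drain the others.
    """

    def __init__(self, user_limits_bps, app_limits_bps):
        self.user_limits = user_limits_bps   # user -> {"up": bps, "down": bps}; "default" key required
        self.app_limits = app_limits_bps     # app -> bps
        self._buckets = {}

    def _bucket(self, key, rate_bps):
        if key not in self._buckets:
            self._buckets[key] = TokenBucket(rate_bps, burst_bytes=rate_bps // 8)  # one second of burst
        return self._buckets[key]

    def decide(self, ts, user, direction, app, size):
        limits = self.user_limits.get(user, self.user_limits["default"])
        checks = [("user-limit", self._bucket((user, direction), limits[direction]))]
        if app in self.app_limits:
            checks.append(("app-limit", self._bucket(("app", app), self.app_limits[app])))
        for _, bucket in checks:
            bucket.refill(ts)
        for reason, bucket in checks:
            if not bucket.has(size):
                return f"drop:{reason}"
        for _, bucket in checks:
            bucket.take(size)
        return "forward"


def run_scenario():
    """Constructed traffic: alice at 8 Mbit/s up, P2P capped at 800 kbit/s overall."""
    shaper = Shaper({"default": {"up": 2_000_000, "down": 10_000_000},
                     "alice": {"up": 8_000_000, "down": 20_000_000}},
                    {"p2p": 800_000})
    results = {"p2p": {}, "web": {}}
    for _ in range(200):                                   # 200 x 1500 B P2P at t=0
        v = shaper.decide(0.0, "alice", "up", "p2p", 1500)
        results["p2p"][v] = results["p2p"].get(v, 0) + 1
    for _ in range(1000):                                  # 1000 x 1500 B web at t=0
        v = shaper.decide(0.0, "alice", "up", "web", 1500)
        results["web"][v] = results["web"].get(v, 0) + 1
    # After one second the P2P bucket is full again.
    results["p2p_after_1s"] = shaper.decide(1.0, "alice", "up", "p2p", 1500)
    return results
```

In the scenario the P2P cap (100,000 bytes of burst) admits 66 full-size packets and refuses the rest, and those 66 are also charged to alice's own uplink bucket, which is why her later web traffic gets 600 packets through rather than 666. Whether the device drops or queues on refusal is a policy choice; dropping is shown because it is the simpler behaviour to reason about in a test.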

3.5 Network Access Control Technology

DPtech IPS2000 uses deep inspection and fingerprint analysis to enable effective UAG control and management, based on comprehensive identification of P2P downloads, instant messaging, remote management, online games, IPTV, proxy services, finance and securities applications, and so on.

3.6 URL Filtering

URL filtering comprises classified URL filtering and advanced URL filtering.

As shown in the figure below, the URL database holds more than 10 million URLs and is updated daily. Its classification information simplifies configuration, and unknown URLs are classified and added automatically.

Fig. 8 Professional URL filtering

1. Classified URL filtering

Filtering is based on DPtech's own URL signature database. Policies filter the pages users access according to the URL categories in the database, protecting users from illegal websites. The database is updated promptly as the situation changes, providing long-term protection.

2. Advanced URL filtering

In addition to filtering with DPtech's own URL signature database, users can define their own URL patterns to suit their needs and network environment.

For example, URL filtering rules may be defined by IP address or host name, and experienced users can use regular expressions so that one policy matches many URLs.
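The following Python example, added here and not DPtech's URL filtering code, combines the two modes: a category database (constructed, a few entries instead of ten million) consulted by walking up the domain labels, plus custom host, network and regular-expression rules. It normalizes before matching, because the evasions that defeat naive URL filters live in the normalization: upper-case and trailing-dot hosts, userinfo such as `http://news.example@gambling.example/`, percent-encoded path characters, and port suffixes.

```python
"""Category and custom URL filtering with normalization (added example, not DPtech code)."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed category database; a real one holds millions of entries.
CATEGORY_DB = {
    "gambling.example": "gambling",
    "malware-dropper.example": "malware",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"gambling", "malware"}


class UrlFilter:
    def __init__(self, category_db, blocked_categories,
                 custom_hosts=(), custom_networks=(), custom_regex=()):
        self.db = {h.lower().rstrip("."): c for h, c in category_db.items()}
        self.blocked = set(blocked_categories)
        self.hosts = {h.lower().rstrip(".") for h in custom_hosts}
        self.nets = [ipaddress.ip_network(n, strict=False) for n in custom_networks]
        self.regex = [re.compile(r, re.IGNORECASE) for r in custom_regex]

    @staticmethod
    def normalize(url):
        """Return (host, normalized_url). urlsplit().hostname lower-cases the host
        and drops userinfo and port, so 'http://news.example@evil.example/' is
        attributed to evil.example rather than to what a naive prefix match sees."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").rstrip(".")
        path = unquote(parts.path) or "/"           # %2E -> '.' before the regex rules run
        query = f"?{parts.query}" if parts.query else ""
        return host, f"{parts.scheme}://{host}{path}{query}"

    def category(self, host):
        labels = host.split(".")
        for i in range(len(labels)):                # cdn.x.example -> x.example -> example
            cat = self.db.get(".".join(labels[i:]))
            if cat:
                return cat
        return "unknown"

    def decide(self, url):
        host, norm = self.normalize(url)
        if host in self.hosts:
            return ("block", "custom-host")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None and any(ip in net for net in self.nets):
            return ("block", "custom-network")
        for pat in self.regex:
            if pat.search(norm):
                return ("block", "custom-regex")
        cat = self.category(host)
        return ("block" if cat in self.blocked else "allow", f"category:{cat}")
```

Custom rules are evaluated before the category lookup so that an administrator's explicit block wins over a database entry, and the regex runs over the normalized URL rather than the raw one, which is what makes a rule such as `\.(?:exe|scr)(?:\?|$)` catch `setup%2Eexe`.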

3.7 High reliability and security

3.7.1 Sound HA Deployments

DPtech IPS2000 supports HA deployment with synchronisation of state and configuration between the units. If one unit fails, master/backup switchover and other measures keep the network running and maintain continuous protection.

3.7.2 Power supply redundancy

Redundant dual power supplies prevent a system outage caused by the failure of one supply and improve availability.

3.7.3 Rich Bypass Functions

DPtech IPS2000 provides the following two types of Bypass.

Application Bypass

Running on a secure and reliable software platform, DPtech IPS2000 switches to the Bypass state automatically when it detects a device fault, so that network services are unaffected.

If network traffic grows abnormally beyond the level planned for at deployment, the device compares the offered traffic with its processing capacity and enters the Bypass state to keep the network running; when traffic returns to normal it leaves the Bypass state so that the system's protection services resume. While bypassed, traffic is forwarded without inspection, so an overload-triggered Bypass should be logged and alerted on.

Hardware Bypass

DPtech IPS2000 has a highly reliable hardware platform with a built-in power-fail module that keeps the link up even if the device loses power. For optical interfaces, an external Power Fault Protector (PFP) extends the Bypass capability. For chassis-based devices, a dedicated optical protection board can be installed inside the chassis; it works like a PFP but is more convenient and reliable.

Fig. 9 Diagram of traffic forwarding in normal situations

In normal operation the PFP, which monitors the IPS's status through the IPS USB port, is connected in series between the IPS and the switch. If the IPS loses power or suffers another hardware fault, the PFP bypasses the IPS and forwards traffic directly, so the network keeps working.

Fig. 10 PFP forwarding in case of IPS power failure
