
Intrusion Prevention System

Product code: dnips

The Extreme Networks Intrusion Prevention System (IPS) is unique in its ability to gather evidence of an attacker’s activity, remove the attacker’s access to the network, and reconfigure the network to resist the attacker’s penetration technique.



The IPS stops attacks at the source of the threat and can proactively protect against future threats and vulnerabilities. It offers an extensive range of detection capabilities, host-based and network-based deployment options, a portfolio of IPS appliances, and integration with the Extreme Networks Secure Networks™ architecture, and it is built on a high-performance, multi-threaded architecture with virtual sensor technology that scales to protect even the largest enterprise networks.
The Intrusion Prevention System is a core component of the Extreme Networks Secure Networks architecture. Deployed together with Extreme Networks SIEM and NMS Automated Security Manager (ASM), it automates the identification, location, isolation, and remediation of security threats. It also integrates with Extreme Networks Network Access Control (NAC) for post-connect monitoring of endpoint behavior once network access has been granted.
Extreme Networks in-line Intrusion Prevention is designed to block attackers, mitigate Denial of Service (DoS) attacks, prevent information theft, and protect Voice over IP (VoIP) communications while remaining transparent to the network. Extreme Networks IPS can alert on an attack, drop the offending packets, terminate the session for TCP- and UDP-based attacks, and dynamically establish firewall or Secure Networks™ policy rules. Detection draws on a comprehensive library of vulnerability-based and exploit-based signatures.
Extreme Networks' Distributed Intrusion Prevention (US Patent 7581249) and threat containment can block attackers at the source physical port on most multi-vendor edge switches. More granular, business-oriented visibility and control based on user and application policy is available when Extreme Networks switches are deployed at the network edge. Effective threat containment requires removing the attacker's ability to continue the attack or mount a new one: the Distributed Intrusion Prevention System identifies a threat or security event, locates its exact physical source, and mitigates it with enforceable bandwidth rate-limiting policies, quarantine policies, or other port-level controls.
Extreme Networks out-of-band Intrusion Detection detects and reports security events including external intrusions, network misuse, system exploits, and virus propagation. It combines several detection methods, vulnerability pattern matching, protocol analysis, and anomaly-based detection, with specific support for VoIP environments. Application-based event detection catches non-signature attacks against commonly targeted applications such as HTTP, RPC, and FTP.
Intrusion Prevention sensors are ready to use out of the box and integrate with existing network infrastructure and security appliances. Extreme Networks Intrusion Prevention ships with a comprehensive set of pre-installed signatures, VoIP protocol decoders for SIP, MGCP, and H.323, and detection of malformed messages to help prevent DoS attacks. Extreme Networks IPS supports both IPv4 and IPv6 networks.
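The malformed-message detection described above is protocol analysis rather than byte-pattern matching: the decoder parses the message and flags structural violations that crash or hang a weaker parser. The following is an added example, not Extreme Networks code, showing that style of check for SIP requests. The sample messages are constructed for this example; the mandatory header list follows RFC 3261, and MAX_HEADER_LEN is an assumed limit.

```python
"""Toy SIP request sanity checker (added example, not Extreme Networks code).

Decodes a SIP request and reports structural problems that a
signature-only engine would miss: bad request line, missing mandatory
headers, a Content-Length that disagrees with the body, an oversized
header line, and a CSeq method that contradicts the request line.
"""
import re
from typing import Dict, List

SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")   # RFC 3261 section 8.1.1
MAX_HEADER_LEN = 1024                                          # assumed limit, tune per deployment
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def check_sip(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the request parsed cleanly."""
    findings: List[str] = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in message"]

    # Headers end at the first empty line; everything after it is the body.
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        findings.append("no CRLFCRLF header terminator")
    lines = head.split("\r\n")

    m = _REQUEST_LINE.match(lines[0])
    if not m:
        findings.append(f"malformed request line: {lines[0][:40]!r}")
    elif m.group(1) not in SIP_METHODS:
        findings.append(f"unknown method {m.group(1)}")

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            findings.append("oversized header line")
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            findings.append(f"header without name/colon: {line[:40]!r}")
            continue
        headers.setdefault(name.strip().lower(), value.strip())  # keep the first Via etc.

    for h in REQUIRED_HEADERS:
        if h.lower() not in headers:
            findings.append(f"missing mandatory header {h}")

    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            findings.append(f"non-numeric Content-Length {cl!r}")
        elif int(cl) != len(body):
            findings.append(f"Content-Length {cl} != body length {len(body)}")

    cseq = headers.get("cseq", "")
    if m and cseq and cseq.split()[-1] != m.group(1):
        findings.append("CSeq method does not match request line")
    return findings


# Constructed sample messages (RFC 5737 documentation addresses).
GOOD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776\r\n"
               b"From: <sip:alice@example.com>;tag=1928\r\n"
               b"To: <sip:bob@example.com>\r\n"
               b"Call-ID: a84b4c76e66710\r\n"
               b"CSeq: 314159 INVITE\r\n"
               b"Content-Length: 0\r\n\r\n")

BAD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"   # no Via, bogus length, CSeq says BYE
              b"From: <sip:alice@example.com>;tag=1928\r\n"
              b"To: <sip:bob@example.com>\r\n"
              b"Call-ID: a84b4c76e66710\r\n"
              b"CSeq: 1 BYE\r\n"
              b"Content-Length: 9999\r\n\r\n"
              b"v=0\r\n")

if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("bad", BAD_INVITE)):
        print(label, check_sip(msg) or "OK")
```

A real decoder would go further (Via branch format, URI syntax, SDP body checks) and would feed findings into a per-source rate limit so that a flood of malformed INVITEs is dropped rather than merely logged.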
Network Sensors are security appliances with deep forensics capabilities, including flexible packet capture and complete session reconstruction. Network Sensors are centrally managed via the Enterprise Management Server (EMS), which provides configuration management, status monitoring, live security updates, and a secure encrypted communications channel to each sensor.
Network Sensors use an adaptive match engine and multi-threaded execution to improve performance. Sensors can run multiple detection algorithms simultaneously, so traffic analysis can be tuned to the prevalent traffic type.
Security administrators have broad flexibility in deploying Network Sensors. For example, a single sensor may operate as multiple "virtual sensors", each associated with a particular VLAN, Layer 3 network, physical switch port, or TCP/UDP application. Each virtual sensor can be configured with its own policy defining the analysis techniques used and the alerts generated. Network Sensors are available at 1 Gbps and multi-gigabit deep packet inspection throughput rates.

Extreme Networks Host Sensors are security applications that detect attacks on servers in real time. They monitor individual systems running today's most common operating systems for evidence of malicious or suspicious activity, using a variety of techniques to detect attacks and misuse, including analysis of security event logs and integrity checks of critical configuration files. This hybrid approach helps organizations meet requirements mandated by regulations and standards including PCI DSS, HIPAA and Sarbanes-Oxley.
Extreme Networks Host Sensors perform the following functions:
• Monitor file attributes such as permissions, owner, group, value, size increase, truncation, and modification date
• Check file integrity to determine whether the content of critical files has changed
• Continuously analyze log files against signature policies to detect attacks and compromises
• Monitor Windows event logs for misuse or attack
• Monitor Windows registry keys that should not be accessed or modified
• Detect TCP/UDP services to identify backdoor listeners
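Three of the functions in the list above (attribute and integrity baselining, log analysis against signature policies, and listening-service detection) can be shown in a few dozen lines. The block below is an added example, not Extreme Networks Host Sensor code: the rules, the log lines, the /proc/net/tcp snapshot and the port allow-list are constructed for the example, and the file check runs in a temporary directory it creates and removes.

```python
"""Toy host-sensor checks (added example, not Extreme Networks code)."""
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# 1. File attributes and integrity -------------------------------------------
def snapshot(path: str) -> Dict[str, object]:
    """Record mode, owner, group, size, mtime and a SHA-256 of the content."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def diff_snapshot(old: Dict[str, object], new: Dict[str, object]) -> List[str]:
    """Name every attribute that changed; size is reported as growth or truncation."""
    changes = []
    for key, before in old.items():
        after = new[key]
        if after == before:
            continue
        changes.append(("size increase" if after > before else "truncated") if key == "size" else key)
    return changes

def demo_file_integrity() -> List[str]:
    """Baseline a config file, then truncate and re-permission it; return the diff."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as fh:
            fh.write("PermitRootLogin no\n")
        os.chmod(path, 0o644)
        baseline = snapshot(path)
        with open(path, "w") as fh:   # shorter content: truncation plus a new hash
            fh.write("Permit")
        os.chmod(path, 0o600)         # permission change
        return diff_snapshot(baseline, snapshot(path))

# 2. Log analysis against signature rules -----------------------------------
# (rule name, pattern with a 'src' group, hits per source before alerting)
RULES = [
    ("ssh-bruteforce",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"), 3),
    ("root-login",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<src>\S+)"), 1),
]

def scan_log(lines: List[str]) -> List[str]:
    """Fire one alert per (rule, source) when the hit count reaches the rule's threshold."""
    counts: Dict[Tuple[str, str], int] = {}
    alerts = []
    for line in lines:
        for name, pattern, threshold in RULES:
            m = pattern.search(line)
            if not m:
                continue
            key = (name, m.group("src"))
            counts[key] = counts.get(key, 0) + 1
            if counts[key] == threshold:
                alerts.append(f"{name} from {key[1]}")
    return alerts

SAMPLE_LOG = [  # constructed syslog lines
    "Mar  1 10:00:01 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Mar  1 10:00:03 web1 sshd[4121]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "Mar  1 10:00:04 web1 sshd[4122]: Failed password for root from 203.0.113.9 port 40011 ssh2",
    "Mar  1 10:00:05 web1 sshd[4123]: Failed password for root from 198.51.100.7 port 51024 ssh2",
    "Mar  1 10:00:07 web1 sshd[4124]: Failed password for root from 198.51.100.7 port 51025 ssh2",
    "Mar  1 10:00:09 web1 sshd[4125]: Accepted password for root from 198.51.100.7 port 51026 ssh2",
]

# 3. Listening-service detection --------------------------------------------
def listening_ports(proc_net_tcp: str) -> set:
    """Parse /proc/net/tcp text: state 0A is LISTEN, the port is hex after the colon."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:   # skip the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def unexpected_services(proc_net_tcp: str, allowed: set) -> List[int]:
    """Listening ports not on the allow-list: candidates for a backdoor."""
    return sorted(listening_ports(proc_net_tcp) - allowed)

PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 100 0 0 10 0
   3: 0A000002:0016 0A000001:D431 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0 20 4 30 10 -1
"""   # constructed snapshot: sshd (22), httpd (80), a listener on 4444, one established session
ALLOWED_PORTS = {22, 80}

if __name__ == "__main__":
    print("file changes:", demo_file_integrity())
    print("log alerts:", scan_log(SAMPLE_LOG))
    print("unexpected listeners:", unexpected_services(PROC_NET_TCP, ALLOWED_PORTS))
```

A production sensor would persist the baseline somewhere the monitored host cannot rewrite it, read /proc/net/tcp (and tcp6, udp) live rather than from a string, and report each finding to a central manager instead of printing it.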
Extreme Networks Host Sensors support custom module development using Microsoft's .NET Framework, so users can extend sensor functionality to meet their needs. The optional Host Sensor Web Intrusion Prevention System (Web IPS) module protects against common attacks on web servers running Microsoft IIS and Apache. The Web IPS module works in conjunction with the Host Sensor with minimal overhead on the system, prevents a large array of attacks, and can terminate individual malicious sessions.

Extreme Networks Enterprise Management Server (EMS), with its client-server architecture, provides centralized management for all components of Extreme Networks IPS, including reporting and management services for all deployed network and host sensors. Management services include remote sensor upgrades, signature updates, configuration updates, and event alerting via email, Syslog, OPSEC, SNMPv1/v3, and custom scripting. Reporting services include real-time alerting, forensics, trend analysis, and executive reporting. Distributed IPS is available via Extreme Networks NMS Automated Security Manager.
EMS configuration wizards and group policy rules simplify the configuration of network and host sensors. The EMS aggregates event reporting from individual network and host sensors and can execute firewall rule changes, switch/router configuration changes, or other mitigation actions in response to attacks. It provides in-depth reporting and archiving of security events and network activity, which can be used for regulatory compliance, audit trail analysis, forensics, and real-time trending. It is also tightly integrated with the Extreme Networks Security Information & Event Manager solution for more advanced reporting.

The Extreme Networks Network Sensor and Enterprise Management Server (EMS) can be deployed as virtual machines on VMware ESX™ servers. This lets enterprises monitor both the physical and virtual network, reuse existing hardware, and shorten time to value.

Extreme Networks is a partner in the Microsoft Active Protection Program (MAPP). This program, run by the Microsoft Security Response Center (MSRC), provides detailed vulnerability information before public disclosure, so the research team can release signatures in step with Microsoft vulnerability announcements and cover the gap between an announcement and patch installation.

Appliance Specifications

Virtual Appliance System Requirements
The EMS and Network Sensor virtual appliances are packaged as OVA files, the single-file (tar archive) form of an Open Virtualization Format (OVF) package; OVF is a DMTF standard that has also been ratified by ANSI. Extreme Networks fully supports these virtual appliances on VMware ESX or ESXi 4.1 or later with sufficient resources.
The EMS virtual appliance requires 4 GB of memory, two CPU cores, and 60 GB of thick-provisioned disk space. The Network Sensor virtual appliance requires 2 GB of memory, two CPU cores, and 20 GB of thick-provisioned disk space. Additional CPU and memory may improve performance in some configurations.

Host Sensor System Requirements
Extreme Networks Host Sensors offer broad platform support including Microsoft® Windows, Solaris, Red Hat Enterprise Linux, HP-UX, Fedora Core, SUSE, and AIX. Host Sensors are also supported on any supported OS running as a virtual machine on VMware ESX Server, on AIX 5.3 and 6.1 running in logical partitions (LPARs), and on Solaris 10 running in logical domains (LDoms) on supported platforms.
Web IPS supports Apache on Linux servers, and Microsoft IIS 5 and IIS 6 on Windows 2000, Windows XP, and Windows Server 2003.
