Intrusion Prevention (IDP and IDS)
Today's threats increasingly use newer applications that are invisible to most firewalls and threat detection solutions. Applications such as IM, P2P, Skype and webmail all use security evasion tactics of one type or another: evasive applications dynamically hop ports, reuse other ports, emulate other applications or tunnel inside SSL, and so go undetected and avoid inspection.
Existing Intrusion Prevention Systems (IPS) do a relatively good job of looking for threats in traditional protocols like FTP and POP3, but fail at scanning the new class of applications because of their evasive tactics. The fact of the matter is that most IPS still use port and protocol as the initial traffic classification mechanism and, as such, may miss the threat-carrying application. Intrusion Prevention Systems (IPS) detect and block attacks focused on vulnerabilities that exist in systems and applications. Unlike Intrusion Detection Systems (IDS), which focus only on alerting, IPS systems are intended to be deployed in-line to actively block attacks as they are detected. One of the core capabilities of an IPS is the ability to decode protocols in order to apply signatures more accurately. This allows IPS signatures to be applied to very specific portions of traffic, thereby reducing the percentage of false positives that were often experienced with signature-only systems. It is important to note that most IPS offerings use port and protocol as the first pass of traffic classification, which, given the evasive characteristics of today's applications, may lead to an erroneous identification of the application. And because an IPS is focused mainly on attacks, it is typically deployed in conjunction with a firewall, either as a separate appliance or as a combined FW+IPS.
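The two mechanisms described above, port-based first-pass classification versus payload-based identification, and protocol decoding before signature matching, shown as an added illustration that is not part of the original page or of any vendor's product. The port table, the signature and the three sample flows are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed port-to-application table: the "first pass" most IPS rely on.
PORT_TABLE = {21: "ftp", 22: "ssh", 80: "http", 110: "pop3", 443: "ssl"}

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session

def classify_by_port(flow: Flow) -> str:
    """Legacy classification: trust the destination port, never look at the bytes."""
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """Application-aware classification: identify the protocol from its own bytes."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "ssl"  # TLS handshake record header
    if re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", p):
        return "http"
    return "unknown"

def decode_http(payload: bytes) -> dict:
    """Minimal HTTP request decoder: request line, headers and body as separate fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}

# Constructed signature: a directory-traversal pattern that only means something in a URI.
TRAVERSAL_SIG = re.compile(rb"\.\./\.\./")

def scan_raw(flow: Flow) -> bool:
    """Signature-only IDS: match anywhere in the payload, whatever the protocol."""
    return TRAVERSAL_SIG.search(flow.payload) is not None

def scan_decoded(flow: Flow) -> bool:
    """Decode first, then apply the signature only to the field it targets (the URI)."""
    if classify_by_payload(flow) != "http":
        return False
    return TRAVERSAL_SIG.search(decode_http(flow.payload)["uri"]) is not None

# Constructed sample flows, not real captures.
SSH_ON_443 = Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n")  # evasive app reusing the SSL port
TRAVERSAL_ON_8080 = Flow(8080, b"GET /../../private.txt HTTP/1.1\r\nHost: x\r\n\r\n")
BENIGN_POST = Flow(80, b"POST /notes HTTP/1.1\r\nHost: x\r\nContent-Length: 17\r\n\r\npath is ../../src")
```

The SSH flow on port 443 is labelled "ssl" by the port table but "ssh" by its banner, and the benign POST trips the raw scan (the pattern sits in the body) while the decoded scan, which only inspects the URI, does not.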
NSS Labs tested the Palo Alto Networks solution against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The system was tested with a wide variety of traffic that varied by payload size, protocol, attack target and end-user delay time to ensure a reliable, real-world test bed.
Industry Leading IPS Effectiveness
The results of the NSS tests referenced above found that Palo Alto Networks accurately detected and blocked 93.4% of all of the 1,179 attacks, putting Palo Alto Networks easily in the uppermost echelon of IPS solutions based on core functionality. Tests included all types of attack methodologies, applications and targets. As a reference, the 2009 IPS group test found IPS block rates ranging from 17% to 89%.
Performance and Scalability
IPS systems are notoriously prone to degrading network performance in direct relation to the number of signatures that are enabled on the system, which almost invariably leads to a conflict between the security and network operations teams. In NSS lab tests, Palo Alto Networks delivered an industry-best 93.4% block rate, while maintaining 15% over stated datasheet IPS performance for the appliance.
Problems with other solutions
Another problem that a traditional or legacy IPS suffers from is one of performance. Searching out application vulnerability exploits means looking deep into the application traffic and the payload to find and remove the threat. This process is very computationally intensive, typically resulting in low throughput, high latency, or security-for-performance tradeoffs. The world of stand-alone IPS products will soon be gone, as IPS functionality becomes integrated as a standard feature of Next-Generation Firewalls. Threats target applications, and enterprises struggle to control modern applications with existing security infrastructure. The current web-services-based landscape dictates a new set of requirements for comprehensive intrusion prevention, and Palo Alto Networks next-generation firewalls deliver where IPS products cannot:
- Control applications (not just ports)
- Scan allowed traffic for threats
- Real-world, multi-Gbps performance
- Current research and support
- Over 1,000 applications can be controlled by user or group access versus just a few "bad" applications from traditional IDPs.
- Since Palo Alto Networks is application aware, it can scan the allowed traffic for threats or entirely disallow unapproved applications regardless of payload.
- Includes thousands of signatures for scanning.
- Best in-house IPS research team discovered 3 Microsoft vulnerabilities in the last 6 months. Some competitors haven't done anything for two years.
- You get superior port density to cover multiple segments with an easier and more cost effective solution than traditional stand-alone IPS.
- Includes both server and client based protections and awareness.
Threat Prevention
A recent SANS Top 20 Threats list indicated that of the top 20 threats enterprise IT security groups should be concerned about, 80% were application-level threats. Further compounding the issue, threats come in more and more flavors, are multi-vector, and resist traditional definitions (e.g., virus, exploit, or worm).
Threats to an organization can take many forms. They can target an application, or can be carried by an application. The traditional defense mechanisms, firewalls and IPS/IDS, cannot effectively control applications, and cannot recognize the variety of threats targeting the applications anyway, since IPS/IDS only look at threats formally defined as "exploits".
Palo Alto Networks offers the best, fastest and simplest IDP capability for blocking threats, malware and viruses.
Additional documentation and information
- Download platform specs
- Download PA500 datasheet
- Download PA2xxx datasheet
- Download PA4xxx datasheet
- Download Panorama datasheet
- Download whitepaper about enabling applications
- Download whitepaper on the future of Intrusion Prevention
- Download What's new in PAN-OS3
- Download Threat Prevention datasheet
- Download URL Filtering datasheet
- Download Content ID datasheet
- Download User ID datasheet
- Download App ID datasheet
- Download Protecting Microsoft SharePoint whitepaper
- Download Preventing Data Leaks whitepaper