IBM Proventia Network Intrusion Prevention System (IPS) GX4004

GX4004 Overview:

IBM Proventia Network Intrusion Prevention System (IPS) GX4004 extends Proventia technology’s industry-leading protection to the network perimeter, where it can help block external threats before they affect your business. With 200 Mbps of throughput across two network segments, Proventia Network IPS GX4004 can deliver comprehensive security, performance and reliability in a solution that’s simple to deploy and manage.

Description:

The IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they impact your business and delivers protection to all three layers of the network: core, perimeter and remote segments. Preemptive protection, or protection that works ahead of the threat, is available from IBM Internet Security Systems through its proprietary combination of line-speed performance, security intelligence and a modular protection engine that enables security convergence.

Highlights:

The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to:

• Stop threats before impact without sacrificing high-speed network performance
• Provide a platform for security convergence that helps reduce the cost of deploying and managing point solutions
• Protect networks, servers, desktops and revenue-generating applications from malicious threats
• Conserve network bandwidth and prevents network misuse/abuse from instant messaging and peer-to-peer file sharing
• Prevent data loss and aids compliance efforts

The Proventia protection engine employs multiple intrusion prevention technologies working in tandem to monitor, detect or block these classes of network threats:

Blocking network threats and delivering security convergence at the core, perimeter and remote segments
By consolidating network security demands for data loss prevention and protection for Web applications, IBM Proventia Network IPS serves as the security platform that reduces the costs and complexity of deploying and managing point solutions for the network core, perimeter and remote segments.

When evaluating intrusion prevention technology, businesses often struggle to balance and optimize the following six areas:

• Performance
• Security
• Reliability
• Deployment
• Management
• Confidence

Proventia Network IPS delivers on all six counts, with performance, preemptive protection, high availability, simple deployment and management, and excellent customer support. Organizations that want to transfer the burden of protecting their network to a trusted security partner can rely on IBM to manage the Proventia product family. Proventia customers also benefit from a range of complementary consulting services for assessment, design, deployment, management and education.

Consolidating network security with preemptive protection
With its modular product architecture, IBM Proventia Network IPS drives security convergence by adding entirely new modules of protection as threats evolve. From worms to botnets to data security to Web applications, Proventia Network IPS delivers the protection demanded for business continuity, data security and compliance.

The IBM Internet Security Systems X-Force research and development team designed the Proventia IPS protection engine and provide the content updates that maintain ahead of the threat protection. X-Force also designed the protection modules, which include:

• Virtual Patch® Management
• Threat Detection & Prevention
• Data Loss Protection
• Web Application Protection
• Network Security Enforcement

The IBM Protocol Analysis Modular Technology (PAM) drives security convergence to deliver network protection that goes beyond traditional IPS to now include data security, Web application protection and network policy enforcement.

Monthly security effectiveness testing by NSS Labs
IBM is the first vendor to conduct monthly product testing to measure the security effectiveness across its entire product portfolio. These monthly tests are conducted by NSS Labs, a leading global independent testing lab that focuses on security product testing and certification, through its Security Update Monitor (SUM) program, a recurring monthly test of security effectiveness. IBM Internet Security Systems began measuring the effectiveness of its security products in 2002 to ensure that its strong research and development arm was keeping up with the ever-evolving threat landscape. In late 2008, the company chose to test its entire portfolio of products, from its unified threat management tool to host and network security, for third-party validation across its product portfolio.

Intrusion prevention at every layer
Learn how IBM Proventia Network IPS protects your network from unwanted traffic at every layer.

• Perimeter: IBM Proventia Network IPS blocks external threats at your network perimeter, before they affect your business.
• Core: IBM Proventia Network IPS delivers high throughput, maximum scalability and low latency to help secure the network core.
• Remote and Branch Office: IBM Proventia Network IPS extends IBM ISS' industry-leading intrusion prevention technology to the remote segments of your network.

Features & Benefits:

Key Features:

Deployed inline and operating at line speeds, Proventia Network IPS blocks intrusions, denial of service attacks, malicious code, backdoors and hybrid threats.

Protection Features:

• IBM Proventia Content Analyzer
  The IBM Proventia Content Analyzer comprises a collection of new data inspection capabilities designed to inspect and identify unencrypted personally identifiable information (PII) such as name, credit card information, telephone numbers and other potentially confidential information.
• Multi-faceted Protection
  Proventia's multi-faceted protection engine combines multiple analysis and detection methodologies for optimum accuracy.
• Automatic Security Content Updates
  Updated security content can be automatically activated and applied to Proventia Network IPS.
• Virtual Patch Protection
  ISS' Virtual Patch technology allows you to regain control over ad-hoc and emergency patching by shielding vulnerabilities at the network level.
• Spyware Installation Blocking
  Proventia automatically blocks spyware applications at the network level, preventing installation and download to clients.
• Spyware Communication Blocking
  For clients already infected with spyware applications, Proventia prevents spyware intelligence reporting by automatically blocking active spyware application communication.
• VoIP Security
  Proventia parses and analyzes the family of VoIP protocols to identify anomalous traffic. This unique type of analysis allows Proventia to block threats targeting your VoIP services.
• Quarantine Capabilities
  Proventia enables an immediate and reliable quarantine of traffic from infected hosts and network segments, while allowing legitimate traffic to pass unhindered.
• Corporate Network Access Control
  The Proventia Network IPS is part of the Proventia Access Control solution to assure that computer systems connecting to the corporate network through a Virtual Private Network, wireless access point, or from another network segment are protected by up-to-date desktop security agents.

Performance Features:

• Line-speed Performance
  Deployed in-line and operating at inspected throughput up to 6 Gigabits per second, Proventia maintains network performance without requiring network reconfiguration.
• In-line Simulation Mode
  Proventia is the only intrusion prevention system available with an inline simulation mode, giving you the ability to determine blocking behavior before activating blocking.
• Active/Active Stateful High Availability (HA)
  In addition to redundant internal components, multiple Proventia appliances deployed in an active/active HA configuration provide the highest redundancy possible while maintaining full session state between devices.
• Flexible Deployment Options
  Proventia can be deployed at the gateway/perimeter as well as within the core of your high-speed networking infrastructure to secure network assets.
• Operating Modes
  Proventia is capable of operating in three modes:
  • Prevention: inline, active blocking
  • Simulation: inline, no blocking
  • Monitoring: passive, no blocking

Management Features:

• Flexible Policy Management
  Proventia supports diverse usage scenarios, allowing policy control at the device, port, VLAN and IP address levels.
• Web-based Local Management
  Proventia's web-based local management interface (LMI) simplifies device management and monitoring.
• Front Panel Management
  Proventia's LCD controller on the front of the unit simplifies initial device configuration and allows convenient restart and shutdown options.
• SNMP Management
  Proventia integrates with 3rd-party network management products to provide key operational status indicators to network operations and security operations groups.
• Centralized Management System Integration
  Proventia can be centrally managed using the SiteProtector security management system. SiteProtector is a scalable system that allows your staff to control, monitor and analyze events efficiently.

Protection Engine:

As a result, Proventia’s protection engine can stop entire classes of attack – including new and unknown threats – without updates. Other solutions can only hope to match individual protection signatures with exploits – a process that is too slow to stop evolving threats and results in higher rates of false positives and false negatives.

The Proventia protection engine employs multiple intrusion prevention technologies working in tandem to monitor, detect or block these classes of network threats:

In order to address these attack categories, Proventia’s protection engine employs multiple intrusion prevention technologies working in tandem, including:

Primary Network Threats Stopped by the Proventia Protection Engine
While Internet threats continue to evolve, older attack methods cannot be discounted and many attackers build upon known intrusion techniques to evade detection. The Proventia protection engine is dedicated to stopping the following list of Internet threats:

	Backdoors Provide system entry points that bypass traditional login verification.
	Botnets Collections of compromised computers that perform tasks at the behest of a controller – usually with malicious intent to spread spam and/or malware.
	Client side attacks Web browser exploits used to install drive-by downloads and suspicious browser obfuscation.
	Cross-site scripting (XSS) A Web-based exploit used to embed malicious code into a supposedly legitimate link that can execute on a user’s computer, typically in an attempt to steal information.
	Distributed Denial of service (DDoS) Utilizes a multitude of compromised systems to attack a single target with a flood of messages to shut the target system down.
	Insider threats Can introduce viruses, worms and Trojans into a network, or attempt to steal proprietary data.
	Instant messaging Can be used to introduce Trojans, viruses and other malware into the network.
	Malicious Email A common carrier for spyware and phishing scams that entice users to visit malicious Web sites, and then potentially introduce malware to the network.
	Peer-to-peer (P2P) networks Facilitate the transfer of files infected with Trojans and viruses designed to introduce denial of service attacks and corrupt data.
	Protocol tunneling Layers malicious data usually within a higher level protocol, allowing it to traverse network segments where lower level protocols might be blocked.
	Reconnaissance A collection of threats including brute force, enumeration, password guessing and port scans.
	Rootkits A collection of tools or programs that provide hackers with administrator level privileges or root access to a network or system.
	Malicious Content Malicious multimedia and shellcode embedded in documents.
	SQL injection Piggybacks malicious SQL code on intended commands through the dynamic logic layer of a Web application in order to trick the application into providing database access.
	Trojans Harbor dangerous code inside apparently harmless programming or data.
	Worms A virus that self-replicates by resending itself as an e-mail attachment or part of a network message.

Multi-layered prevention technologies within the Proventia protection engine
The Proventia protection engine combines the power of multiple threat prevention technologies – all working in concert to stop Internet threats. The Proventia protection engine utilizes the following attack prevention methods:

IBM Proventia Content Analyzer – inspects and blocks unencrypted data in your network using predefined and custom signatures. This technology provides the ability to create compound data-set search inspections and inspect compound documents including Microsoft Office documents, PDFs and Zip files over ten different protocols.

• Port assignment – IPS’ should not assume that a particular type of traffic will appear on a particular TCP/IP port. If they do and the traffic type matches the assumed port, and is allowed through, attackers could gain access. Proventia inspects all traffic regardless of the port that traffic is destined to.
• Port following – tracks communication sessions to ensure that the port initially used to establish a connection is the only one used. This prevents hackers who access an open port with authentic credentials from connecting to another open port to transfer data unnoticed. Proventia’s port following works in conjunction with other port-aware protection technologies to stop information theft.
• Injection Logic Engine – heuristically identifies malicious injection attempts such as SQL injection and shell command injection. Covers current and future vulnerabilities without signature updates.
• Protocol analysis – examines network traffic for deviant behavior that does not match accepted norms and can decode protocols down to Layer 2 of the OSI model. Protocol analysis enables Proventia to detect anomalous behavior without relying on signatures.
• Protocol tunneling – sometimes used in conjunction with port assignment, Proventia detects and prevents protocol tunneling to find malicious and/or proprietary data embedded in higher level protocols that could be allowed to traverse network segments where lower level protocols might be blocked. Protocol tunneling prevents hackers from bypassing firewalls to gain uncontested network access and prevents both insiders and hackers from establishing and using tunnels to extract data from within a corporation.
• Stateful pattern matching – uses advanced algorithms to detect attack patterns – but only in particular portions of traffic where an attack could actually exist – greatly reducing false positives. Proventia uses stateful pattern matching in conjunction with heuristics to prevent evolving threats that change their patterns to evade detection.
• Heuristics – identifies and stops malicious code based on its behavior, rather than matching a particular attack signature or pattern. Heuristics can prevent evolving threats which will change minor aspects of their signatures to bypass traditional IPS solutions.
• RFC compliance checking – compares traffic against RFC standards for network communications between hosts, and between applications and the network stack. If the traffic does not conform, Proventia blocks it.
• Statistical analysis – creates a baseline of network activity over time and then constantly compares current activity to the baseline to identify and prevent deviations. Proventia uses statistical analysis to stop attacks without breaking down network traffic.
• TCP reassembly – reassembles network packets, examining them for potential threats.
• Flow assembly – analyzes the entire network connection – not just the individual packets – to block malicious traffic that may have been inserted into the communication stream to take advantage of an open connection. Flow assembly complements TCP reassembly by analyzing traffic at a higher level to prevent advanced threats.

The Proventia Protection Engine Advantage – Multi-layered Prevention Technologies Working in Concert
The protection engine within the Proventia IPS technologies is the result of continuous research into the nature of vulnerabilities and attack methods. As threats continue to evolve, but older exploits never truly become extinct, IBM ISS constantly strengthens the Proventia protection engine with technologies designed to block entire classes of threat – both new and old.

Technical Specifications:

GX4004 Specifications:
Performance Characteristics
Throughput	200 Mbps
Latency	< 150 microseconds
Concurrent sessions	1,200,000
Connections per second	21,000
Operating Modes
Active protection	Yes
Passive detection	Yes
Inline simulation	Yes
Scalability
Protected segments	2
Monitoring interfaces	4 x 10/100/1000 copper
High availability
Active-active	No
Active-passive	Yes
Hardware-level bypass	Integrated bypass
Redundant power supplies	No
Redundant storage	No
Dimensions
Form Factor	1-RU
Height (in/mm)	1.73/44
Width (in/mm)	16.9/429
Depth (in/mm)	15/382
Weight (lb/kg)	24.5/11.1
Power Dissipation
Units	AC
Amps	4.96/2.48
Voltage (V)	115/220
Input range (V)	100-127/200-240
Environment
Operating Temperature	50°F - 95°F (10°C - 35°C)
Non-Operating Temperature	-4°F - 158°F (-20°C - 70°C)
Relative Humidity (Non-Operating)	90% @ 86°F (30°C)
Safety and Compliance
Safety Certifications	UL EN 60950-1
Emissions certification	FCC Class A EN 55022 EN 55024 EN 61000-3-2 EN 61000-3-3 VCCI Class A
Environmental certification	RoHS

Proventia IPS Comparison Matrix:

Uncompromising Protection for Every Layer of Your Network

With a comprehensive line of models, the IBM Proventia Network IPS family delivers uncompromising protection for every layer of the network, protecting your business from both internal and external threats.

Proventia Network Intrusion Prevention System
Model:	Remote Segments		Perimeter			Core
	GX3002	GX4002	GX4004	GX5008	GX5108	GX5208	GX6116
Performance Characteristics
Throughput	10 Mbps	200 Mbps	200 Mbps	400 Mbps	1.2 Gbps	2 Gbps	5 Gbps
Latency	< 1 millisecond	< 150 microseconds	< 150 microseconds	< 200 microseconds	< 200 microseconds	< 200 microseconds	TBD
Concurrent sessions	220,000	1,200,000	1,200,000	1,200,000	1,450,000	1,800,000	TBD
Connections per second	3,750	21,000	21,000	35,000	40,000	60,000	TBD
Operating Modes
Active protection	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Passive detection	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Inline simulation	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Scalability
Protected segments	1	1	2	4	4	4	8
Monitoring interfaces	2 x 10/100/1000 copper	2 x 10/100/1000 copper	4 x 10/100/1000 copper	8 x 10/100/1000 Copper or 4 x 10/100/1000 Copper + 4 x SFP/Mini-GBIC Ports (1000 TX/SX/LX)	8 x 10/100/1000 Copper or 4 x 10/100/1000 Copper + 4 x SFP/Mini-GBIC Ports (1000 TX/SX/LX)	8 x 10/100/1,000 copper or 8 x SFP/mini- GBIC ports (1,000 TX/SX/LX)	16 x SFP/Mini-GBIC Ports (1000 TX/SX/LX)
High availability
Active-active	No	No	No	Yes	Yes	Yes	Yes
Active-passive	No	Yes	Yes	Yes	Yes	Yes	Yes
Hardware-level bypass	Integrated Bypass	Integrated Bypass	Integrated Bypass	External Bypass (optional)	External Bypass (optional)	External bypass (optional)	External Bypass (optional)
Redundant power supplies	No	No	No	Yes	Yes	Yes	Yes
Redundant storage	No	No	No	Yes	Yes	Yes	Yes
Dimensions
Form Factor	Desktop	1-RU	1-RU	2-RU	2-RU	2-RU	2-RU
Height (in/mm)	1.97/50	1.73/44	1.73/44	3.5/88	3.5/88	3.5/88	3.5/88
Width (in/mm)	8.86/225	16.9/429	16.9/429	16.9/429	16.9/429	16.9/429	16.9/429
Depth (in/mm)	8.07/205	15/382	15/382	20.5/520	20.5/520	21.5/546	20.5/520
Weight (lb/kg)	2.6/1.2	24.5/11	24.5/11	40/18	40/18	37.5/17	TBD
Power Dissipation
Units	AC	AC	AC	AC	AC	AC	AC
Amps	1.5/1.0	4.96/2.48	4.96/2.48	8.4/4.2	8.4/4.2	8.9/5.4	TBD
Voltage (V)	115/220	115/220	115/220	115/220	115/220	115/220	TBD
Input range (V)	100-127/200-240	100-127/200-240	100-127/200-240	100-127/200-240	100-127/200-240	100-127/200-240	TBD
Environment
Operating Temperature	41°F - 104°F (5°C - 40°C)	50°F - 86°F (10°C - 30°C)	50°F - 86°F (10°C - 30°C)	50°F - 86°F (10°C - 30°C)	50°F - 86°F (10°C - 30°C)	50°F - 95°F (10°C - 35°C)	TBD
Non-Operating Temperature	58°F - 184°F (0°C - 70°C)	-4°F - 158°F (-20°C - 70°C)	-4°F - 158°F (-20°C - 70°C)	-4°F - 158°F (-20°C - 70°C)	-4°F - 158°F (-20°C - 70°C)	-4°F - 158°F (-20°C - 70°C)	TBD
Relative Humidity (Non-Operating)	90% @ 86°F (30°C)	90% @ 86°F (30°C)	90% @ 86°F (30°C)	90% @ 86°F (30°C)	90% @ 86°F (30°C)	20% - 90% RH	TBD
Safety and Compliance
Safety Certifications	• UL • EN 60950-1	• UL • EN 60950-1	• UL • EN 60950-1	• UL • EN 60950-1	• UL • EN 60950-1	• UL 60950-1 • CAN/CSA C22.2 No. 60950-1 • EN 60950-1 (CE Mark) • IEC 60950-1	• UL • EN 60950-1
Emissions certification	• FCC Class B • EN 55022 Class B • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • AS/NZS CISPR 22 • VCCI Class A	• FCC Class A • EN 55022 • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • VCCI Class A	• FCC Class A • EN 55022 • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • VCCI Class A	• FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A	• FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A	• FCC Part 15, Class A • Canada ICES-003, Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A	• FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A
Environmental certification	RoHS	RoHS	RoHS	RoHS	RoHS	RoHS	RoHS

Documentation:

Download the IBM Proventia Network Intrusion Prevention System (IPS) Datasheet (PDF).

Download the IBM Proventia Network Intrusion Prevention System GX4004 Datasheet (PDF).

Download the IBM Proventia Intrusion Prevention System Protection Engine Datasheet (PDF).