IBM Proventia Network Intrusion Prevention System (IPS) GX5108
Providing preemptive protection for the network perimeter

GX5108 Overview:
IBM Proventia Network Intrusion Prevention System (IPS) GX5108 extends Proventia technology’s industry-leading protection to the network perimeter, where it can help block external threats before they affect your business. With 1.2 Gbps of throughput across four flexibly configured network segments, Proventia Network IPS GX5108 can deliver comprehensive security, performance and reliability in a solution that is simple to deploy and manage.
Description:
The IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they impact your business and delivers protection to all three layers of the network: core, perimeter and remote segments. Preemptive protection, or protection that works ahead of the threat, is available from IBM Internet Security Systems through its proprietary combination of line-speed performance, security intelligence and a modular protection engine that enables security convergence.
Highlights:
The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to:
- Stop threats before impact without sacrificing high-speed network performance
- Provide a platform for security convergence that helps reduce the cost of deploying and managing point solutions
- Protect networks, servers, desktops and revenue-generating applications from malicious threats
- Conserve network bandwidth and prevent network misuse/abuse from instant messaging and peer-to-peer file sharing
- Prevent data loss and aid compliance efforts
Blocking network threats and delivering security convergence at the core, perimeter and remote segments
By consolidating network security demands for data loss prevention and protection for Web applications, IBM Proventia Network IPS serves as the security platform that reduces the costs and complexity of deploying and managing point solutions for the network core, perimeter and remote segments.
When evaluating intrusion prevention technology, businesses often struggle to balance and optimize the following six areas:
- Performance
- Security
- Reliability
- Deployment
- Management
- Confidence
Proventia Network IPS delivers on all six counts, with performance, preemptive protection, high availability, simple deployment and management, and excellent customer support. Organizations that want to transfer the burden of protecting their network to a trusted security partner can rely on IBM to manage the Proventia product family. Proventia customers also benefit from a range of complementary consulting services for assessment, design, deployment, management and education.
Consolidating network security with preemptive protection
With its modular product architecture, IBM Proventia Network IPS drives security convergence by adding entirely new modules of protection as threats evolve. From worms to botnets to data security to Web applications, Proventia Network IPS delivers the protection demanded for business continuity, data security and compliance.
The IBM Internet Security Systems X-Force research and development team designed the Proventia IPS protection engine and provides the content updates that maintain ahead-of-the-threat protection. X-Force also designed the protection modules, which include:
- Virtual Patch® Management
- Threat Detection & Prevention
- Data Loss Protection
- Web Application Protection
- Network Security Enforcement

The IBM Protocol Analysis Modular Technology (PAM) drives security convergence to deliver network protection that goes beyond traditional IPS to now include data security, Web application protection and network policy enforcement.
Monthly security effectiveness testing by NSS Labs
IBM is the first vendor to conduct monthly product testing to measure the security effectiveness across its entire product portfolio. These monthly tests are conducted by NSS Labs, a leading global independent testing lab that focuses on security product testing and certification, through its Security Update Monitor (SUM) program, a recurring monthly test of security effectiveness. IBM Internet Security Systems began measuring the effectiveness of its security products in 2002 to ensure that its strong research and development arm was keeping up with the ever-evolving threat landscape. In late 2008, the company chose to test its entire portfolio of products, from its unified threat management tool to host and network security, for third-party validation across its product portfolio.
Intrusion prevention at every layer
Learn how IBM Proventia Network IPS protects your network from unwanted traffic at every layer.
- Perimeter: IBM Proventia Network IPS blocks external threats at your network perimeter, before they affect your business.
- Core: IBM Proventia Network IPS delivers high throughput, maximum scalability and low latency to help secure the network core.
- Remote and Branch Office: IBM Proventia Network IPS extends IBM ISS' industry-leading intrusion prevention technology to the remote segments of your network.
Features & Benefits:
| Features: | Benefits: |
|---|---|
| User Interface Options | |
| Proventia Management SiteProtector | |
| Proventia Manager (Web-Based Local Management Interface) | |
| Command Line Interface | Device configuration |
| Front Panel LCD Module | Device configuration; Restart; Shutdown |
| Security Content Updates (featuring Virtual Patch™ technology) | |
| Reporting | |
| Device Health Monitoring | |
| Granular Management | |
| Proventia Access Control | Acts as an access control point on the network by ensuring that computer systems communicating on the corporate network are protected by an up-to-date |
| Voice over IP (VoIP) Identification and Protection | Parses and analyzes the underlying VoIP family of protocols for attacks. Protocols inspected include: SIP, MGCP, H.323, H.225, H.245, Q.931, T.120 and SCCP |
| Spyware Prevention | |
| Protocol Recognition and Identification Techniques | |
| Traffic Analysis Techniques | |
| Intrusion Prevention Responses | |
| Attack Traffic Logging | |
| Operating Modes | Active Protection (layer-2 inline blocking mode); Inline Simulation (inline "learning" mode); Passive Detection (non-blocking monitoring only mode) |
| Custom Signature Support | Yes |
| Firewall Rules Support | Rules based on: Port, IP Address and/or Packet Type |
| Quarantine Functionality | Ability to automatically block suspicious traffic from a particular host to reduce the risk of infecting other hosts |
| Trust X-Force Option | Ability to automatically block new threats based on ISS' X-Force expert recommendations |
| High Availability/Failover Configurations | |
| World Class Support | |
| Managed Protection Service Guarantee | When managed by ISS, Proventia Network IPS provides guaranteed protection complete with a warranty if a security breach occurs |
Key Features:
Deployed inline and operating at line speeds, Proventia Network IPS blocks intrusions, denial of service attacks, malicious code, backdoors and hybrid threats.
Protection Features:
- IBM Proventia Content Analyzer
The IBM Proventia Content Analyzer comprises a collection of new data inspection capabilities designed to inspect and identify unencrypted personally identifiable information (PII) such as name, credit card information, telephone numbers and other potentially confidential information.
- Multi-faceted Protection
Proventia's multi-faceted protection engine combines multiple analysis and detection methodologies for optimum accuracy.
- Automatic Security Content Updates
Updated security content can be automatically activated and applied to Proventia Network IPS.
- Virtual Patch Protection
ISS' Virtual Patch technology allows you to regain control over ad-hoc and emergency patching by shielding vulnerabilities at the network level.
- Spyware Installation Blocking
Proventia automatically blocks spyware applications at the network level, preventing installation and download to clients.
- Spyware Communication Blocking
For clients already infected with spyware applications, Proventia prevents spyware intelligence reporting by automatically blocking active spyware application communication.
- VoIP Security
Proventia parses and analyzes the family of VoIP protocols to identify anomalous traffic. This unique type of analysis allows Proventia to block threats targeting your VoIP services.
- Quarantine Capabilities
Proventia enables an immediate and reliable quarantine of traffic from infected hosts and network segments, while allowing legitimate traffic to pass unhindered.
- Corporate Network Access Control
The Proventia Network IPS is part of the Proventia Access Control solution to assure that computer systems connecting to the corporate network through a Virtual Private Network, wireless access point, or from another network segment are protected by up-to-date desktop security agents.
Performance Features:
- Line-speed Performance
Deployed in-line and operating at inspected throughput up to 6 Gigabits per second, Proventia maintains network performance without requiring network reconfiguration.
- In-line Simulation Mode
Proventia is the only intrusion prevention system available with an inline simulation mode, giving you the ability to determine blocking behavior before activating blocking.
- Active/Active Stateful High Availability (HA)
In addition to redundant internal components, multiple Proventia appliances deployed in an active/active HA configuration provide the highest redundancy possible while maintaining full session state between devices.
- Flexible Deployment Options
Proventia can be deployed at the gateway/perimeter as well as within the core of your high-speed networking infrastructure to secure network assets.
- Operating Modes
Proventia is capable of operating in three modes:
  - Prevention: inline, active blocking
  - Simulation: inline, no blocking
  - Monitoring: passive, no blocking
Management Features:
- Flexible Policy Management
Proventia supports diverse usage scenarios, allowing policy control at the device, port, VLAN and IP address levels.
- Web-based Local Management
Proventia's web-based local management interface (LMI) simplifies device management and monitoring.
- Front Panel Management
Proventia's LCD controller on the front of the unit simplifies initial device configuration and allows convenient restart and shutdown options.
- SNMP Management
Proventia integrates with 3rd-party network management products to provide key operational status indicators to network operations and security operations groups.
- Centralized Management System Integration
Proventia can be centrally managed using the SiteProtector security management system. SiteProtector is a scalable system that allows your staff to control, monitor and analyze events efficiently.
Protection Engine:
As a result, Proventia’s protection engine can stop entire classes of attack – including new and unknown threats – without updates. Other solutions can only hope to match individual protection signatures with exploits – a process that is too slow to stop evolving threats and results in higher rates of false positives and false negatives.
The Proventia protection engine employs multiple intrusion prevention technologies working in tandem to monitor, detect or block these classes of network threats:
In order to address these attack categories, Proventia’s protection engine employs multiple intrusion prevention technologies working in tandem, including:
Primary Network Threats Stopped by the Proventia Protection Engine
While Internet threats continue to evolve, older attack methods cannot be discounted and many attackers build upon known intrusion techniques to evade detection. The Proventia protection engine is dedicated to stopping the following list of Internet threats:
- Backdoors: Provide system entry points that bypass traditional login verification.
- Peer-to-peer (P2P) networks: Facilitate the transfer of files infected with Trojans and viruses designed to introduce denial of service attacks and corrupt data.
- Botnets: Collections of compromised computers that perform tasks at the behest of a controller, usually with malicious intent to spread spam and/or malware.
- Protocol tunneling: Layers malicious data usually within a higher level protocol, allowing it to traverse network segments where lower level protocols might be blocked.
- Client side attacks: Web browser exploits used to install drive-by downloads and suspicious browser obfuscation.
- Reconnaissance: A collection of threats including brute force, enumeration, password guessing and port scans.
- Cross-site scripting (XSS): A Web-based exploit used to embed malicious code into a supposedly legitimate link that can execute on a user’s computer, typically in an attempt to steal information.
- Rootkits: A collection of tools or programs that provide hackers with administrator level privileges or root access to a network or system.
- Distributed Denial of service (DDoS): Utilizes a multitude of compromised systems to attack a single target with a flood of messages to shut the target system down.
- Malicious Content: Malicious multimedia and shellcode embedded in documents.
- Insider threats: Can introduce viruses, worms and Trojans into a network, or attempt to steal proprietary data.
- SQL injection: Piggybacks malicious SQL code on intended commands through the dynamic logic layer of a Web application in order to trick the application into providing database access.
- Instant messaging: Can be used to introduce Trojans, viruses and other malware into the network.
- Trojans: Harbor dangerous code inside apparently harmless programming or data.
- Malicious Email: A common carrier for spyware and phishing scams that entice users to visit malicious Web sites, and then potentially introduce malware to the network.
- Worms: A virus that self-replicates by resending itself as an e-mail attachment or part of a network message.
Multi-layered prevention technologies within the Proventia protection engine
The Proventia protection engine combines the power of multiple threat prevention technologies – all working in concert to stop Internet threats. The Proventia protection engine utilizes the following attack prevention methods:
- IBM Proventia Content Analyzer – inspects and blocks unencrypted data in your network using predefined and custom signatures. This technology provides the ability to create compound data-set search inspections and inspect compound documents including Microsoft Office documents, PDFs and Zip files over ten different protocols.
- Port assignment – intrusion prevention systems should not assume that a particular type of traffic will appear on a particular TCP/IP port. If they do, and traffic that matches the assumed port is allowed through, attackers could gain access. Proventia inspects all traffic regardless of the port that traffic is destined for.
- Port following – tracks communication sessions to ensure that the port initially used to establish a connection is the only one used. This prevents hackers who access an open port with authentic credentials from connecting to another open port to transfer data unnoticed. Proventia’s port following works in conjunction with other port-aware protection technologies to stop information theft.
- Injection Logic Engine – heuristically identifies malicious injection attempts such as SQL injection and shell command injection. Covers current and future vulnerabilities without signature updates.
- Protocol analysis – examines network traffic for deviant behavior that does not match accepted norms and can decode protocols down to Layer 2 of the OSI model. Protocol analysis enables Proventia to detect anomalous behavior without relying on signatures.
- Protocol tunneling – sometimes used in conjunction with port assignment, Proventia detects and prevents protocol tunneling to find malicious and/or proprietary data embedded in higher level protocols that could be allowed to traverse network segments where lower level protocols might be blocked. Protocol tunneling detection prevents hackers from bypassing firewalls to gain uncontested network access and prevents both insiders and hackers from establishing and using tunnels to extract data from within a corporation.
- Stateful pattern matching – uses advanced algorithms to detect attack patterns – but only in particular portions of traffic where an attack could actually exist – greatly reducing false positives. Proventia uses stateful pattern matching in conjunction with heuristics to prevent evolving threats that change their patterns to evade detection.
- Heuristics – identifies and stops malicious code based on its behavior, rather than matching a particular attack signature or pattern. Heuristics can prevent evolving threats which will change minor aspects of their signatures to bypass traditional IPS solutions.
- RFC compliance checking – compares traffic against RFC standards for network communications between hosts, and between applications and the network stack. If the traffic does not conform, Proventia blocks it.
- Statistical analysis – creates a baseline of network activity over time and then constantly compares current activity to the baseline to identify and prevent deviations. Proventia uses statistical analysis to stop attacks without breaking down network traffic.
- TCP reassembly – reassembles network packets, examining them for potential threats.
- Flow assembly – analyzes the entire network connection – not just the individual packets – to block malicious traffic that may have been inserted into the communication stream to take advantage of an open connection. Flow assembly complements TCP reassembly by analyzing traffic at a higher level to prevent advanced threats.
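The port assignment and protocol tunneling items above both rest on identifying a protocol from its content rather than its port. The following sketch is an added illustration, not Proventia or IBM code: it classifies the first payload bytes of a flow and flags disagreement with the destination port. The `EXPECTED` port map, the `Flow` record and the sample payloads are constructed assumptions.

```python
"""Port-independent protocol identification (illustrative sketch)."""
import re
from dataclasses import dataclass

# Assumed policy for this example: what each well-known port is expected to carry.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}

HTTP_REQ = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-(1\.99|2\.0)-[\x21-\x7e]+")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Check the 5-byte TLS record header plus the handshake type byte."""
    if len(data) < 6:
        return False
    rec_len = int.from_bytes(data[3:5], "big")
    return (data[0] == 0x16            # record type: handshake
            and data[1] == 0x03        # major version
            and data[2] <= 0x04        # minor version
            and 0 < rec_len <= 16384   # record length within the TLS limit
            and data[5] == 0x01)       # handshake type: ClientHello


def identify(payload: bytes) -> str:
    """Name the protocol from payload content alone; the port is never consulted."""
    if HTTP_REQ.match(payload):
        return "http"
    if SSH_BANNER.match(payload):
        return "ssh"
    if looks_like_tls_client_hello(payload):
        return "tls"
    return "unknown"


@dataclass
class Flow:
    src: str
    dst_port: int
    first_payload: bytes


def inspect_flow(flow: Flow) -> tuple[str, str]:
    """Return (identified protocol, verdict) for one flow."""
    seen = identify(flow.first_payload)
    expected = EXPECTED.get(flow.dst_port)
    if seen == "unknown":
        verdict = "unidentified"
    elif expected is None:
        verdict = "known-protocol-on-nonstandard-port"
    elif seen != expected:
        verdict = "port-protocol-mismatch"
    else:
        verdict = "consistent"
    return seen, verdict


# Constructed sample flows (documentation address range, hand-built payloads).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.0.2.11", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("192.0.2.12", 8081, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0, 0, 1, 0])),
    Flow("192.0.2.13", 80, b"\x00\x01\x02 opaque bytes"),
]


def run_samples() -> list[tuple[str, str]]:
    return [inspect_flow(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (seen, verdict) in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow.src} -> :{flow.dst_port}  {seen:8s} {verdict}")
```

A port-based filter would treat the second flow as ordinary HTTPS; content inspection shows an SSH banner on port 443, which is the kind of mismatch the list above describes.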
The Proventia Protection Engine Advantage – Multi-layered Prevention Technologies Working in Concert
The protection engine within the Proventia IPS technologies is the result of continuous research into the nature of vulnerabilities and attack methods. As threats continue to evolve, but older exploits never truly become extinct, IBM ISS constantly strengthens the Proventia protection engine with technologies designed to block entire classes of threat – both new and old.
Technical Specifications:

| GX5108 Specifications: | |
|---|---|
| Performance Characteristics | |
| Throughput | 1.2 Gbps |
| Latency | < 200 millisecond |
| Concurrent sessions | 1,450,000 |
| Connections per second | 40,000 |
| Operating Modes | |
| Active protection | Yes |
| Passive detection | Yes |
| Inline simulation | Yes |
| Scalability | |
| Protected segments | 4 |
| Monitoring interfaces | 8 x 10/100/1,000 copper or 4 x 10/100/1,000 copper + 4 x SFP/mini-GBIC ports (1,000 TX/SX/LX) or 8 x SFP/mini-GBIC ports (1,000 TX/SX/LX) |
| High Availability | |
| Active-active | Yes |
| Active-passive | Yes |
| Hardware-level bypass | External bypass (optional) |
| Redundant power supplies | Yes |
| Redundant storage | Yes |
| Dimensions | |
| Form Factor | 2-RU |
| Height (in/mm) | 3.5/88 |
| Width (in/mm) | 16.9/429 |
| Depth (in/mm) | 20.5/520 |
| Weight (lb/kg) | 40/18 |
| Power Dissipation | |
| Units | AC |
| Amps | 8.4/4.2 |
| Voltage (V) | 115/220 |
| Input range (V) | 100-127/200-240 |
| Environment | |
| Operating Temperature | 50°F - 95°F (10°C - 35°C) |
| Non-Operating Temperature | -4°F - 158°F (-20°C - 70°C) |
| Relative Humidity (Non-Operating) | 90% @ 86°F (30°C) |
| Safety and Compliance | |
| Safety Certifications | |
| Emissions certification | |
| Environmental certification | RoHS |
Proventia IPS Comparison Matrix:
Uncompromising Protection for Every Layer of Your Network
With a comprehensive line of models, the IBM Proventia Network IPS family delivers uncompromising protection for every layer of the network, protecting your business from both internal and external threats.
| Proventia Network Intrusion Prevention System | |||||||
|---|---|---|---|---|---|---|---|
| Model: Remote Segments, Perimeter, Core | GX3002 | GX4002 | GX4004 | GX5008 | GX5108 | GX5208 | GX6116 |
| Performance Characteristics | |||||||
| Throughput | 10 Mbps | 200 Mbps | 200 Mbps | 400 Mbps | 1.2 Gbps | 2 Gbps | 5 Gbps |
| Latency | < 1 millisecond | < 150 microseconds | < 150 microseconds | < 200 microseconds | < 200 microseconds | < 200 microseconds | TBD |
| Concurrent sessions | 220,000 | 1,200,000 | 1,200,000 | 1,200,000 | 1,450,000 | 1,800,000 | TBD |
| Connections per second | 3,750 | 21,000 | 21,000 | 35,000 | 40,000 | 60,000 | TBD |
| Operating Modes | |||||||
| Active protection | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Passive detection | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Inline simulation | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Scalability | |||||||
| Protected segments | 1 | 1 | 2 | 4 | 4 | 4 | 8 |
| Monitoring interfaces | 2 x 10/100/1000 copper | 2 x 10/100/1000 copper | 4 x 10/100/1000 copper | 8 x 10/100/1000 Copper or 4 x 10/100/1000 Copper + 4 x SFP/Mini-GBIC Ports (1000 TX/SX/LX) | 8 x 10/100/1000 Copper or 4 x 10/100/1000 Copper + 4 x SFP/Mini-GBIC Ports (1000 TX/SX/LX) | 8 x 10/100/1,000 copper or 8 x SFP/mini- GBIC ports (1,000 TX/SX/LX) | 16 x SFP/Mini-GBIC Ports (1000 TX/SX/LX) |
| High Availability | |||||||
| Active-active | No | No | No | Yes | Yes | Yes | Yes |
| Active-passive | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Hardware-level bypass | Integrated Bypass | Integrated Bypass | Integrated Bypass | External Bypass (optional) | External Bypass (optional) | External bypass (optional) | External Bypass (optional) |
| Redundant power supplies | No | No | No | Yes | Yes | Yes | Yes |
| Redundant storage | No | No | No | Yes | Yes | Yes | Yes |
| Dimensions | |||||||
| Form Factor | Desktop | 1-RU | 1-RU | 2-RU | 2-RU | 2-RU | 2-RU |
| Height (in/mm) | 1.97/50 | 1.73/44 | 1.73/44 | 3.5/88 | 3.5/88 | 3.5/88 | 3.5/88 |
| Width (in/mm) | 8.86/225 | 16.9/429 | 16.9/429 | 16.9/429 | 16.9/429 | 16.9/429 | 16.9/429 |
| Depth (in/mm) | 8.07/205 | 15/382 | 15/382 | 20.5/520 | 20.5/520 | 21.5/546 | 20.5/520 |
| Weight (lb/kg) | 2.6/1.2 | 24.5/11 | 24.5/11 | 40/18 | 40/18 | 37.5/17 | TBD |
| Power Dissipation | |||||||
| Units | AC | AC | AC | AC | AC | AC | AC |
| Amps | 1.5/1.0 | 4.96/2.48 | 4.96/2.48 | 8.4/4.2 | 8.4/4.2 | 8.9/5.4 | TBD |
| Voltage (V) | 115/220 | 115/220 | 115/220 | 115/220 | 115/220 | 115/220 | TBD |
| Input range (V) | 100-127/200-240 | 100-127/200-240 | 100-127/200-240 | 100-127/200-240 | 100-127/200-240 | 100-127/200-240 | TBD |
| Environment | |||||||
| Operating Temperature | 41°F - 104°F (5°C - 40°C) | 50°F - 86°F (10°C - 30°C) | 50°F - 86°F (10°C - 30°C) | 50°F - 86°F (10°C - 30°C) | 50°F - 86°F (10°C - 30°C) | 50°F - 95°F (10°C - 35°C) | TBD |
| Non-Operating Temperature | 58°F - 184°F (0°C - 70°C) | -4°F - 158°F (-20°C - 70°C) | -4°F - 158°F (-20°C - 70°C) | -4°F - 158°F (-20°C - 70°C) | -4°F - 158°F (-20°C - 70°C) | -4°F - 158°F (-20°C - 70°C) | TBD |
| Relative Humidity (Non-Operating) | 90% @ 86°F (30°C) | 90% @ 86°F (30°C) | 90% @ 86°F (30°C) | 90% @ 86°F (30°C) | 90% @ 86°F (30°C) | 20% - 90% RH | TBD |
| Safety and Compliance | |||||||
| Safety Certifications | • UL • EN 60950-1 | • UL • EN 60950-1 | • UL • EN 60950-1 | • UL • EN 60950-1 | • UL • EN 60950-1 | • UL 60950-1 • CAN/CSA C22.2 No. 60950-1 • EN 60950-1 (CE Mark) • IEC 60950-1 | • UL • EN 60950-1 |
| Emissions certification | • FCC Class B • EN 55022 Class B • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • AS/NZS CISPR 22 • VCCI Class A | • FCC Class A • EN 55022 • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • VCCI Class A | • FCC Class A • EN 55022 • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • VCCI Class A | • FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A | • FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A | • FCC Part 15, Class A • Canada ICES-003, Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A | • FCC Class A • EN 55011 Class A • EN 55022 Class A • EN 55024 • EN 61000-3-2 • EN 61000-3-3 • EN 6100-6-2 • VCCI Class A |
| Environmental certification | RoHS | RoHS | RoHS | RoHS | RoHS | RoHS | RoHS |
Documentation:
Download the IBM Proventia Network Intrusion Prevention System (IPS) Datasheet (PDF).
Download the IBM Proventia Network Intrusion Prevention System GX5108 Datasheet (PDF).
Download the IBM Proventia Intrusion Prevention System Protection Engine Datasheet (PDF).














