TippingPoint IPS Filtering Technology

TippingPoint's Intrusion Prevention System (IPS) product line simultaneously employs four independent and complementary mechanisms to detect and prevent threats: vulnerability-based filters, attack signatures, traffic anomaly filters, and protocol anomaly filters. TippingPoint's purpose-built Threat Suppression Engine ASIC applies all four mechanisms at the same time.

Threat Suppression Engine and IPS Filters

TippingPoint's Threat Suppression Engine employs vulnerability-based filters to protect against vulnerabilities in operating systems and applications without being tied to a specific exploit. These filters behave like a network-based virtual software patch, shielding downstream hosts from network-based attacks on unpatched vulnerabilities. Vulnerability filters are created as soon as new vulnerabilities are discovered, in order to preempt any attacks. These intrusion prevention system filters operate on reassembled layer-7 information to fully inspect application flows. IPS filter rules can be specified to detect conditions that violate a particular application implementation (e.g., a buffer overflow application anomaly) or a protocol specification (e.g., an RFC anomaly), and they run simultaneously with the other independent and complementary mechanisms.

At the same time, TippingPoint's Threat Suppression Engine runs traffic anomaly filters, which detect changes in traffic patterns in order to identify and prevent threats such as denial of service and peer-to-peer attacks. These IPS filters are adaptive: they learn the "normal" traffic patterns of the particular environment the TippingPoint IPS is placed in. Once traffic is baselined, the filters detect statistical anomalies based on tunable thresholds. Traffic anomaly filters are effective against:

  • Distributed denial of service attacks
  • Peer-to-peer attacks
  • Unknown worms
  • Rogue applications
  • Zero-day exploits

Of particular importance is TippingPoint's ability to rate-shape traffic flows based on application type, protocol, or IP address. Protocol anomaly filters run simultaneously via the Threat Suppression Engine to detect out-of-spec network traffic. These anomaly filters detect conditions that are both necessary for an attack's success and guaranteed never to occur in normal traffic; on that basis, these IPS filters can detect multiple attacks without false negatives and without false positives.

Attack signatures protect against attacks that do not necessarily exploit vulnerabilities, such as viruses and Trojans. These filters assume knowledge of a given attack and detect it in its executable form.

  • Out-of-the-box security performance is only possible with all three types of prevention.
  • Zero-day attack prevention and "unknown" attack prevention are predicated on vulnerability filters and anomaly-based detection.
  • Each form of protection can map to a variety of actions, including complete protection (blocking), rate limiting, email notification, syslog, and full network management system support through our SMS or a third-party system. Our management API allows you to extend our product to monitor your network operations.
  • Anomaly-based prevention ensures that applications behave properly by automatically normalizing anomalous traffic according to the security policy set in TippingPoint's management system.
  • TippingPoint's Traffic Thresholding features enable security policy implementation based on the number of bytes in a particular stream, or the connections and packets from particular hosts, over user-defined time frames ranging from "per minute" to "per month".
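The traffic anomaly filter described above (learn a baseline, then flag statistical outliers against tunable thresholds) and the per-host, per-time-frame Traffic Thresholding policy can be illustrated with the following added example. It is not TippingPoint code: the flow records, the z-score thresholds, the 40-connections-per-minute hard cap and the permit / rate-limit / block verdict strings are all constructed for this illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# A flow record is a (source_host, epoch_minute) tuple; all records here are
# constructed. Counter(flows) gives connections per host per minute, the
# per-host, per-time-frame metric the Traffic Thresholding bullet describes.

class TrafficAnomalyFilter:
    """Learn 'normal' connection rates, then grade new samples by z-score
    against tunable thresholds plus an absolute per-host cap. Actions are
    the ones the page lists: permit, rate-limit, block."""

    def __init__(self, limit_z=2.0, block_z=3.0, hard_cap=40):
        self.limit_z = limit_z    # z-score at which traffic is rate-limited
        self.block_z = block_z    # z-score at which traffic is blocked
        self.hard_cap = hard_cap  # absolute connections/minute cap (hypothetical)
        self.mu = self.sigma = None

    def learn(self, flows):
        """Learning phase: fit mean and standard deviation from a clean window."""
        samples = list(Counter(flows).values())
        self.mu, self.sigma = mean(samples), pstdev(samples)
        self.sigma = self.sigma or 1e-9  # flat baseline: any deviation is extreme

    def grade(self, flows):
        """Detection phase: one action per (host, minute) sample."""
        if self.mu is None:
            raise RuntimeError("call learn() before grade()")
        verdicts = {}
        for key, count in Counter(flows).items():
            z = (count - self.mu) / self.sigma
            if count > self.hard_cap or z >= self.block_z:
                verdicts[key] = "block"
            elif z >= self.limit_z:
                verdicts[key] = "rate-limit"
            else:
                verdicts[key] = "permit"
        return verdicts

# Constructed training window: five hosts, ten minutes, 3-5 connections each.
BASELINE = [(f"10.0.0.{h}", m) for m in range(10) for h in range(1, 6)
            for _ in range(3 + (h + m) % 3)]

# Constructed detection window (minute 10): far above, slightly above, and normal hosts.
WINDOW = [("10.0.0.1", 10)] * 60 + [("10.0.0.2", 10)] * 6 + [("10.0.0.3", 10)] * 4

def demo():
    ips = TrafficAnomalyFilter()
    ips.learn(BASELINE)
    return ips.grade(WINDOW)
```

Calling demo() blocks the host making 60 connections in a minute (it exceeds the hard cap and is far outside the baseline), rate-limits the host making 6 (a moderate statistical deviation), and permits the host making 4.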