Vulnerability Filters: The Virtual Software Patch
Vulnerability filters are designed to detect and block traffic that violates an application protocol or that satisfies the conditions known to trigger an implementation flaw (for example, a field long enough to overflow the buffer that receives it).

The implementation challenge in creating a vulnerability filter is threefold. First, the filters must avoid false positives, since blocking legitimate traffic causes a denial of service. Second, the filters must resist evasion techniques, since a missed attack may lead to network compromise. Third, and most importantly, the detection engine must be powerful enough to evaluate the necessary test criteria while operating in-line at practical network speeds and latencies. TippingPoint's Threat Suppression Engine (TSE) is designed for precisely this purpose.

Weak, software-based engines are often forced to forgo precise vulnerability filters in favor of simpler exploit-specific and policy-type filters. Simpler filters place a minimal performance burden on the engine, but they also give rise to false positives and false negatives: a signature for one published exploit misses the next variant of the same attack, and a coarse policy rule blocks legitimate traffic that merely resembles it. In general, the weaker the engine, the more often IPS filter development reduces to a choice between either (a) implementing simple filters and having acceptable performance, or (b) implementing precision filters and having unacceptable performance, assuming the filter logic can be supported at all. Some vendors try to avoid the choice altogether by implementing filter logic that pushes the computational limits of the engine, and then handling individual customers' performance problems through site-specific IPS configuration and tuning.

For an IPS to provide widely applicable real-world value, however, the device must perform well on all fronts simultaneously. That is, the IPS must implement high-precision vulnerability filters, must handle a heavily loaded gigabit network with the full filter suite enabled without dropping packets, and must perform a useful virtual patching function without requiring the administrator to carry out tedious tuning and configuration tasks. For more information, download our white paper: The Science of Vulnerability Filters: A Virtual Software Patch.
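As an added example (not TippingPoint code and not the TSE's filter language), the following Python contrasts an exploit-specific signature with a vulnerability filter for a hypothetical length-prefixed login protocol. The protocol layout, the 64-byte buffer limit, the percent-decoding step the server is assumed to perform, and the sample packets are all assumptions constructed for the illustration.

```python
import re
import struct
import urllib.parse

# Hypothetical protocol (assumed for this example): 1-byte opcode, 2-byte
# big-endian length, then a percent-encoded username. The assumed server
# decodes the username and copies it into a 64-byte stack buffer, so a decoded
# username longer than 64 bytes is the condition that triggers the overflow.
MAX_USERNAME = 64

# Exploit-specific filter: a signature for one published payload (a NOP sled),
# matched against the raw wire bytes without decoding the protocol.
EXPLOIT_SIGNATURE = re.compile(rb"\x90{16}")


def build(opcode: int, username: bytes) -> bytes:
    """Encode a message in the hypothetical protocol."""
    return struct.pack("!BH", opcode, len(username)) + username


def parse_message(packet: bytes):
    """Decode a message the way the (assumed) server does; raise on a
    protocol violation."""
    if len(packet) < 3:
        raise ValueError("truncated header")
    opcode, length = struct.unpack("!BH", packet[:3])
    body = packet[3:]
    if len(body) != length:
        raise ValueError("length field does not match payload")
    # The server percent-decodes before copying, so the filter must decode
    # too; otherwise "%90" on the wire hides the sled from a byte signature.
    return opcode, urllib.parse.unquote_to_bytes(body)


def exploit_filter(packet: bytes) -> str:
    """Cheap byte-pattern match: catches the one payload it was written for."""
    return "block" if EXPLOIT_SIGNATURE.search(packet) else "allow"


def vulnerability_filter(packet: bytes) -> str:
    """Decode the protocol and test the condition that triggers the flaw,
    independent of which payload the attacker sends."""
    try:
        _opcode, username = parse_message(packet)
    except ValueError:
        return "block"  # protocol violation
    if len(username) > MAX_USERNAME:
        return "block"  # overflow condition, whatever the bytes are
    return "allow"  # includes long-but-legal usernames: no false positive


# Constructed sample traffic (not captured data).
SAMPLES = {
    "known_exploit": build(0x01, b"\x90" * 16 + b"A" * 80),    # published sled
    "variant_exploit": build(0x01, b"\x0c" * 16 + b"B" * 80),  # new sled, same bug
    "encoded_exploit": build(0x01, b"%90" * 16 + b"A" * 80),   # sled hidden by encoding
    "legit_at_limit": build(0x01, b"a" * MAX_USERNAME),        # legal, must pass
    "legit_short": build(0x02, b"alice"),
    "truncated": b"\x01\x00",                                   # malformed header
}


def compare(samples=SAMPLES):
    """Return {name: (exploit_filter verdict, vulnerability_filter verdict)}."""
    return {name: (exploit_filter(pkt), vulnerability_filter(pkt))
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (sig, vuln) in compare().items():
        print(f"{name:16s} signature={sig:5s} vulnerability={vuln}")
```

Running it prints one verdict pair per sample. The variant and encoded samples show the evasion problem: both trigger the same overflow, but neither contains the signature, one because the sled bytes changed and one because they are percent-encoded on the wire. The vulnerability filter catches both because it decodes the protocol and tests the flaw's condition, and it still passes the legal 64-byte username, which is the false positive a filter must avoid. The price is the decode step on every packet, which is exactly the per-packet work the page attributes to precision filters and the reason engine performance decides whether such filters can run in-line.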
©2008 TippingPoint Technologies, Inc. All rights reserved.