Vulnerability Filters: The Virtual Software Patch

Vulnerability filters in TippingPoint's Intrusion Prevention Systems (IPS) are designed to detect and block traffic that violates application protocols and/or satisfies the conditions known to trigger an implementation flaw (e.g., a buffer overflow).

Intrusion Prevention Systems and Vulnerability Filters

The implementation challenge in creating a vulnerability filter for an intrusion prevention system is threefold. First, the vulnerability filters must be designed to avoid false positives, since blocking legitimate traffic causes a denial of service. Second, the vulnerability filters must be resistant to evasion techniques, since a missed attack may lead to network compromise. Third, and most importantly, the detection engine must be powerful enough to support the necessary test criteria while operating in-line at practical network speeds and latencies. TippingPoint's IPS Threat Suppression Engine (TSE) is designed for precisely this purpose. Effective network security protection cannot be obtained with weak, software-based engines that are often forced to forego precise vulnerability filters in favor of simpler exploit-specific and policy-type filters. Simpler IPS filters place a minimal performance burden on the engine, but they also give rise to false positives and false negatives. In general, the weaker the engine, the more often IPS filter development reduces to a choice between either (a) implementing simple filters and having acceptable performance, or (b) implementing precision filters and having unacceptable performance, assuming the filter logic can be supported at all. Some vendors try to avoid the choice altogether by implementing filter logic that pushes the computational limits of the engine, and then handling individual customers' performance problems through site-specific IPS configuration and tuning.

Vulnerability Assessment and Vulnerability Management

In order for an intrusion prevention system to provide widely applicable real-world value for vulnerability assessment and vulnerability management, the device must perform well on all fronts simultaneously. That is, the IPS must implement high-precision vulnerability filters, must be able to handle a heavily loaded gigabit network with a full IPS filter suite enabled (no dropped packets), and must be able to perform a useful virtual patching function without requiring the administrator to perform tedious tuning and configuration tasks. For more information, download our white paper: The Science of Vulnerability Filters: A Virtual Software Patch.
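To make the distinction between an exploit-specific filter and a vulnerability filter concrete, here is an added example (not TippingPoint code, and not from the white paper) using a constructed toy protocol: a byte-matching signature for one known payload is compared against a filter that parses the protocol and tests the actual overflow condition, and the sample traffic shows where each one produces a false positive or a false negative.

```python
import struct

# Constructed toy protocol (assumption, not a real wire format): 4-byte magic,
# 2-byte big-endian field length, then the field bytes. Assume the receiving
# server copies the field into a 64-byte stack buffer, so any field longer
# than 64 bytes satisfies the condition that triggers the overflow.
MAGIC = b"TOYP"
MAX_FIELD = 64

# Exploit-specific filter: matches the bytes seen in one known exploit sample.
KNOWN_EXPLOIT_BYTES = b"/bin/sh"


def exploit_signature_filter(packet: bytes) -> bool:
    """Block iff the known exploit bytes appear anywhere in the packet."""
    return KNOWN_EXPLOIT_BYTES in packet


def vulnerability_filter(packet: bytes) -> bool:
    """Block iff the packet violates the protocol or meets the overflow condition."""
    if len(packet) < 6 or packet[:4] != MAGIC:
        return True                      # protocol violation: malformed header
    (declared,) = struct.unpack(">H", packet[4:6])
    field = packet[6:]
    if declared != len(field):
        return True                      # protocol violation: length mismatch
    return declared > MAX_FIELD          # the condition that triggers the flaw


def build(field: bytes) -> bytes:
    """Encode a well-formed toy-protocol packet carrying `field`."""
    return MAGIC + struct.pack(">H", len(field)) + field


# Constructed sample traffic: two legitimate requests and two oversized ones.
SAMPLES = {
    "legit": build(b"GET index.html"),
    "legit_mentions_shell": build(b"doc about /bin/sh usage"),    # benign text
    "known_exploit": build(b"A" * 100 + b"/bin/sh"),              # 107-byte field
    "exploit_variant": build(b"B" * 120 + b"/usr/bin/id"),        # same flaw, new bytes
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (signature_blocks, vulnerability_blocks)} for each sample."""
    return {n: (exploit_signature_filter(p), vulnerability_filter(p))
            for n, p in samples.items()}


if __name__ == "__main__":
    for name, (sig, vuln) in compare().items():
        print(f"{name:22} signature={'block' if sig else 'pass '} "
              f"vulnerability={'block' if vuln else 'pass '}")
```

The signature filter blocks the benign document (false positive) and passes the variant with different payload bytes (false negative), while the vulnerability filter decides on the length condition alone and gets all four right.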