Copyright Double Click Solutions Limited 2003. All TradeMarks acknowledged. Last updated August 2004

Double Click Solutions...                Future Proof Security  

NetScreen-IDP

At a glance

  • Attack prevention
    First in-line device capable of dropping the malicious traffic as soon as the attack is detected, eliminating the impact of an intrusion
  • Multi-Method Detection (MMD)™
    Combines multiple detection methods in a single device to maximize the types of attacks accurately detected
  • Centralized, rule-based management
    Quick and easy to set up, manage and maintain, providing granular control over exactly how the system behaves, together with visibility into network threats that makes it easy to trace attack information and quickly adjust policy so the network stays effectively protected
  • Enterprise network integration
    Support for advanced networking features, such as VLANs for logical interfaces and SNMP for network monitoring systems, to integrate seamlessly into the network

How do you protect your network?
Most people think network intrusions happen to other people. The reality is they affect everyone. It is inevitable your network will be attacked, and the attackers will try all sorts of tricks to compromise your systems. Are you prepared?

You need the NetScreen-IDP appliance for effective protection
The NetScreen Intrusion Detection and Prevention (NetScreen-IDP) system effectively identifies and stops attacks on your network, minimizing the time and costs associated with intrusions. It complements your firewall, providing the next layer of security by looking deep into the network traffic to accurately identify intrusions and stop the attacks from ever reaching their destination. NetScreen-IDP implements a high-speed Multi-Method Detection (MMD) mechanism, combining eight different detection methods in a single product to provide the most comprehensive attack coverage available on the market. More importantly, it is the first device capable of operating in-line, so it can drop malicious traffic during the intrusion detection process, completely eliminating the impact of an attack. Combined with a centralized, rule-based management approach, which offers granular control over the system's behavior and easy access to its information, it is easy to see why NetScreen-IDP is the best way to keep your information assets safe.

Accurate attack detection

You need comprehensive and accurate detection
No single detection mechanism can detect all attacks. To eliminate the necessity of purchasing multiple intrusion detection products for comprehensive attack coverage, NetScreen-IDP was built from the ground up to combine multiple detection methods in a single solution. The NetScreen-IDP MMD mechanism integrates Stateful Signature, Protocol Anomaly, Backdoor, Traffic Anomaly, IP Spoofing, Layer 2 and SYN Flood Detection, as well as a Network Honeypot, to provide the broadest attack detection coverage available. MMD leverages the strength of each method, using the most appropriate mechanism to accurately and efficiently detect intrusions.

Stateful Signature Detection
The best-known detection mechanism is signature detection. Once network attacks are discovered and understood, security vendors will characterize them as an attack pattern, called a signature. These signatures are then compiled into a database and matched against the flow of traffic to identify attacks.

NetScreen developed an advanced signature form, called Stateful Signatures™, to produce the most accurate signature-based detection mechanism available. While other products typically use packet signatures, which blindly search for signature matches in all traffic, producing many false alarms, NetScreen-IDP uses Stateful Signatures, which intelligently look for attack patterns in only the relevant portions of traffic where the attack can be perpetrated. NetScreen-IDP does this by tracking the state of all communications to pinpoint exactly where to look for an attack. This reduces irrelevant pattern matching within benign traffic to significantly reduce false alarms. With NetScreen-IDP, you can trust the attacks being detected are real.

Protocol Anomaly Detection
The second most used detection mechanism is Protocol Anomaly Detection. This method detects attacks that cannot be characterised, do not have a pattern or have yet to be discovered. It works by comparing traffic to the published protocol specifications that "normal" traffic would follow. Any deviations from these protocols indicate that someone is trying to do something they probably shouldn't be doing, constituting an attack. There are cases where a product used in your company has implemented a protocol incorrectly. In this instance, you can selectively exclude the detection of specific protocol anomalies for specific systems.

NetScreen-IDP supports an extensive list of protocols and is the first to support SNMP (protecting you from tens of thousands of exploits) and NetBIOS (Windows-based vulnerabilities running on internal systems).
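The two mechanisms above, as an added illustration (not NetScreen's code): a packet signature that searches every payload is compared with a stateful matcher that follows the TCP handshake and applies the signature only to the client-to-server request line, plus a protocol-anomaly check on the HTTP request line with a per-host exclusion. The signature, the addresses, the exclusion list and all packets are constructed for this example.

```python
import re

# Hypothetical signature (not NetScreen's): a CGI probe only meaningful in the
# request line of an established client->server HTTP flow.
SIGNATURE = (b"/cgi-bin/hypothetical-vuln.cgi", "http.hypothetical-cgi-probe")
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
ANOMALY_EXCLUSIONS = {"10.0.0.7": {"http.bad-request-line"}}  # constructed: host with a broken HTTP stack

def packet_signatures(packets):
    """Packet signature: blindly match the pattern anywhere in any payload."""
    return [(p["src"], p["dst"], SIGNATURE[1]) for p in packets if SIGNATURE[0] in p["data"]]

class StatefulInspector:
    """Tracks the TCP handshake and inspects only client->server request data."""
    def __init__(self):
        self.state = {}  # (client, server) -> 'syn' | 'synack' | 'established'
    def inspect(self, packets):
        alerts = []
        for p in packets:
            key, rev, data = (p["src"], p["dst"]), (p["dst"], p["src"]), p["data"]
            if p["flags"] == "S":
                self.state[key] = "syn"
            elif p["flags"] == "SA" and self.state.get(rev) == "syn":
                self.state[rev] = "synack"
            elif p["flags"] == "A" and not data and self.state.get(key) == "synack":
                self.state[key] = "established"
            elif data and self.state.get(key) == "established":
                alerts.extend(self._check_request(p))  # server replies never get here
        return alerts

    def _check_request(self, p):
        if not REQUEST_LINE.match(p["data"]):
            if "http.bad-request-line" in ANOMALY_EXCLUSIONS.get(p["src"], ()):
                return []  # known-broken implementation, anomaly excluded
            return [(p["src"], p["dst"], "http.bad-request-line")]
        if SIGNATURE[0] in p["data"].split(b"\r\n", 1)[0]:  # request line only
            return [(p["src"], p["dst"], SIGNATURE[1])]
        return []

def pkt(src, dst, flags, data=b""):
    return {"src": src, "dst": dst, "flags": flags, "data": data}
C, S = "192.0.2.10", "198.51.100.5"
PACKETS = [  # constructed sample traffic
    pkt(C, S, "S"), pkt(S, C, "SA"), pkt(C, S, "A"),
    pkt(C, S, "PA", b"GET /cgi-bin/hypothetical-vuln.cgi?x=1 HTTP/1.0\r\n\r\n"),
    pkt(S, C, "PA", b"HTTP/1.0 200 OK\r\n\r\nAdvisory: /cgi-bin/hypothetical-vuln.cgi"),
    pkt("203.0.113.9", S, "PA", b"/cgi-bin/hypothetical-vuln.cgi without handshake"),
    pkt("10.0.0.7", S, "S"), pkt(S, "10.0.0.7", "SA"), pkt("10.0.0.7", S, "A"),
    pkt("10.0.0.7", S, "PA", b"GET / HTTP/9.9\r\n\r\n"),  # excluded host, bad version
]
```

The packet signature fires three times (the real probe, the benign server reply that merely quotes the pattern, and a stray packet with no handshake); the stateful matcher reports only the real probe and suppresses the excluded host's malformed request line.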

Backdoor Detection
NetScreen developed a new detection mechanism designed to identify intrusions that give an attacker complete control over a network resource. These attacks, called backdoor attacks, enable the perpetrator to take control over a target system and often result in a significant financial impact and loss. For example, an attacker can exploit a vulnerability to load a Worm onto a network resource and then interact with that system to take control of it. Once that system is compromised, the attacker continues to interact with it, trying different commands in an effort to launch attacks from that system or compromise other systems.

NetScreen is the first to offer a detection mechanism capable of identifying backdoors. This detection method enables NetScreen-IDP to identify the unique characteristics of interactive traffic and take appropriate action. Backdoor Detection can also identify some unknown attacks that don't deviate from protocol specifications and, therefore, would not be picked up by Protocol Anomaly Detection.

Signature database and updates
NetScreen has a team of security experts dedicated to creating the signatures you need to combat the latest threats. In addition to the extensive signature database that is shipped with NetScreen-IDP, customers with a support contract will receive updates as frequently as once a week. Plus, NetScreen-IDP offers a Signature Editor to make it easy for you to write your own custom Stateful Signatures to quickly integrate your specific enterprise needs into your Security Policy. When uploading the NetScreen signature updates, NetScreen-IDP gives you the flexibility to either pick and choose the signatures you want or do a batch update. It can also reconcile signature updates with your custom signatures to make sure that they are not overridden or lost. The NetScreen-IDP centralized management approach allows you to easily download any Security Policy changes to the Sensors with the click of a button.

Simplified management
NetScreen-IDP was designed to minimise the amount of time needed to manage the system, lowering your total cost of ownership and maximising the effectiveness of your security team. By taking a centralized, rule-based management approach, NetScreen-IDP makes it simple for you to configure, maintain and manage your network security. The NetScreen-IDP three-tier architecture allows multiple distributed administrative endpoints (User Interface) to access the centralized management server (Data Storage) and control geographically dispersed Sensors (Enforcement Points).

Centralized, policy-based management
The entire NetScreen-IDP system can be controlled using a single, enterprise-wide Security Policy. With the push of a button, NetScreen-IDP will distribute the single, logical Security Policy to manage distributed Sensors, installing each rule on the appropriate Sensor(s). When you make changes to your Security Policy, all relevant configuration and signature information is automatically sent to the appropriate Sensors as an authenticated and encrypted communication. NetScreen-IDP tracks Security Policy revisions that have been installed, so you can always go back and see a history of the Policies you created. In addition to centralized control, NetScreen-IDP provides centralized log collection, storage and presentation, as well as centralized status monitoring of all components in your installation. These capabilities maximize the productivity of you and your team.

Rulebase provides granular control
NetScreen-IDP enables you to dictate the system's behavior, without introducing complexity. The rule-based approach allows you to create individual rules that control what traffic NetScreen-IDP examines, the attacks it looks for, the action you want it to take when an attack is identified, and the Sensors to which you want that rule to apply. You decide how NetScreen-IDP responds to an attack, choosing from multiple options, ranging from sending an e-mail alarm to dropping the connection to protect your most sensitive resources. Advanced packet logging options allow you to specify how many packets to capture before and after the intrusion for forensic and investigative purposes.

Advanced forensics
Investigating intrusions is an important and often time-consuming element of security. The NetScreen-IDP system simplifies the investigative process, providing closed loop investigation capabilities that enable you to link directly from summary information in the reports to the log record to the packet data and/or the Security Policy rule that triggered the alarm. This helps you follow the course of events related to any particular attack. NetScreen-IDP also provides advanced incident tracking capabilities, including customisable annotation flags and user comment fields to ensure everyone knows what is happening with each incident.

Reports
NetScreen-IDP provides several levels of reporting capabilities, including dashboard reports, investigative reports and management reports. This way, you can identify and present key security information at the appropriate level for everyone in your company, from the security administrator to the CIO. The dashboard aggregates information to give you a complete top-level picture of which hosts are being targeted, by whom and what attacks they are using against your network. By identifying these key trends in the network, you can ensure you stay on top of the most important events in your network. You can also visually correlate the host, attack source and attack type to quickly identify what is at risk in your network, so that you can set your priorities and respond quickly. This unique ability to drill into specific events significantly aids in forensic investigations. The management reports are designed to help you justify all of your security activities, providing easily understood graphs that offer a complete picture of your network security and the actions you have taken to protect your network.

Customisable display
You control how you want to see and interact with the information captured by NetScreen-IDP to help you quickly extract the information most pertinent to you. For example, you can easily filter the logs and conduct searches for a specific attack. You can then save your customised views and preferences to ensure your interactions with NetScreen-IDP are consistent and intuitive. NetScreen-IDP facilitates data analysis for all members of your team and brings closure to each security incident.

Quick deployment and configuration
NetScreen-IDP is delivered as a hardware appliance for quick installation, making it easy for you to start deriving value immediately. For example, there are templates to help you build your first Security Policy, and when you add a Sensor, NetScreen-IDP automatically authenticates and builds a secure communication channel between it and the Management Server.

Prevention

Stop the attack during the detection process
Not only do you need to know about the attacks in your network, but you also need to stop them. IDSes are passive and cannot directly stop an attack, so you need to spend a lot of time and money investigating the impact of an attack and recovering from the resulting damage.

The only way to secure your network is to stop an attack from ever impacting its destination, by dropping the offending traffic during the attack detection process. Any device that tries to stop the attack after it has been identified is too late.

Only an in-line device capable of detecting attacks and dropping the malicious packets itself, as soon as an attack is detected, can effectively stop it.

Passive responses don't protect
Passive IDSes can only alert the administrator or send a message to another device and hope that device can end the attack.

One option is to send a TCP reset message to the client (attacker) and/or server (victim) associated with the attack. Unfortunately, due to the nature of TCP transmissions, it is highly unreliable and doesn't work for non-TCP-based attacks. Even when successful, the reset terminates the connection after the attack reaches its "victim."

Another passive response option is to send a message to the firewall to block future communications from the IP address of the attack source. This also comes after the attack has reached the "victim." Plus, it can potentially form the basis for a Denial-of-Service (DoS) attack, which is a catastrophic side effect. An attacker using or spoofing the IP address of a business partner, customer or service provider for an attack can cause you to block that IP address and stop legitimate traffic from accessing your system. Simply putting a firewall and a passive IDS on the same box doesn't change the reaction ability of the IDS. A passive IDS, whether implemented independently or on a platform with other devices, can only respond passively, which means the attack always reaches its victim.

Only active responses eliminate the impact of the attack
The NetScreen-IDP system is the first in-line device capable of keeping your network safe by detecting and dropping the malicious traffic itself, so attacks never reach their victim. NetScreen-IDP uses a powerful rulebase that enables you to choose the exact conditions and attacks that warrant dropping the connection. Once you tell NetScreen-IDP to drop a specific connection, you no longer need to worry about that attack. You can also run NetScreen-IDP 100 and 500 in a High Availability configuration, giving you an extra measure of security when NetScreen-IDP operates as a gateway. If you prefer passive mode operation, you can run the NetScreen-IDP system as a sniffer and still derive the benefits of accurate detection and simple enterprise-wide management. However, NetScreen believes that once you have used NetScreen-IDP to prevent intrusions, you will never want to implement a passive mode IDS again. A firewall and an in-line NetScreen-IDP is a powerful combination, offering comprehensive protection for your most critical assets.

NetScreen product warranty and services
Every NetScreen product includes standard warranty features that assure the customer can deploy them confidently. E-mail based technical assistance is available on NetScreen appliances, systems and management products for one year. Hardware products come with a full year of standard RMA coverage in the unlikely event of failure. Both hardware and software products come with a short-term software service that provides any software feature releases or maintenance releases within 90 days of purchase.