"... the ability to reduce the time to true incident identification to a number that is measured in seconds, versus minutes, hours or even longer"
— Rocky DeStefano, CEO, Decurity
Intrusion Prevention

In daily security operations, intrusion prevention systems serve a dual purpose:

  1. Preventing intrusions and exploits through in-line monitoring and protection
  2. Providing network activity and event details for further analysis by a SIEM such as NitroView ESM

This requires an intrusion prevention system (IPS) that provides deep packet inspection, and is able to take action:

  • Detect exploits, malware, and other threats using an easily tuned event taxonomy
  • Block malicious traffic by dropping suspect packets or resetting suspect sessions
  • Blacklist attacking hosts, so that follow-up attempts from the same source are blocked even when they are obfuscated to evade the signatures that caught the first one
  • Provide detailed event and activity information to a SIEM such as NitroView ESM, for risk assessment and threat detection
  • Provide detailed network flow activity, for the determination of attack vectors, and to track successful attacks as they propagate

Detection Capability

The detection capability of an IPS is extremely important, which is why NitroSecurity's Network Threat Analysis Center (NTAC) continually develops new detection rules, with the full support of industry sources such as the SANS Internet Storm Center, CERT, the McAfee Security Innovation Alliance, and the Microsoft Active Protections Program (MAPP).

New signatures are pushed automatically to NitroGuard devices, with new rules clearly identified within the IPS console, where they can be activated across one or all NitroGuard IPS devices, all from a single, central management system.

Performance

Intrusion detection and prevention also requires performance. The detection engine must be able to monitor a network connection at line rate, even when supporting an extensive signature set. NitroGuard supports active protection at throughputs of up to 5 Gbps, using the NitroGuard detection engine. Since NitroSecurity developed the first Snort® based intrusion prevention technology in 2001, we've continued to invest in the optimization of our IPS performance. The result? Full compatibility with Snort® rule syntax, making new rule creation simple and easy, while providing greater performance and fewer false positives.

NitroSecurity invented Snort® based intrusion prevention, contributing a major advancement to the Snort® IDS that allowed the popular detection engine to operate inline as an IPS. Since then, NitroSecurity has branched from Snort, developing a custom IPS engine that surpasses open-source Snort® in detection and prevention capabilities, as well as in performance.
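The two bullet points that matter operationally above are "block by dropping packets or resetting sessions" and "rules in Snort® syntax". The following toy inline engine is an added example, not NitroGuard or Snort code: it parses a handful of Snort-style rules (header plus `msg`, `content`, `nocase`, `sid` options only) and shows what an inline sensor does for each rule action. `alert`/`log` let the packet through and raise an event; `drop` discards it and raises an event; `sdrop` discards it silently; `reject` discards it and actively tears the session down (TCP RST, or ICMP unreachable for UDP); `pass` lets it through with no event. The rules, packets, and first-match-in-list-order semantics are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Toy inline engine (added example): parses Snort-style rules and shows what an
# inline sensor does for each action. NitroGuard/Snort internals are not shown.

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|sdrop|reject)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class Verdict:
    forward: bool          # does the packet cross the inline interface?
    reset: bool            # does the sensor inject a TCP RST (ICMP unreachable for UDP)?
    event: Optional[dict]  # event shipped to the SIEM, or None

def parse_rule(text: str) -> dict:
    """Parse one rule line. Options are split on ';' (enough for this toy; a real
    parser handles escaped ';' inside content strings and |hex| byte sequences)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = m.groupdict()
    opts = {}
    for raw in rule.pop("opts").split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def _addr_ok(pattern: str, value: str) -> bool:
    return pattern == "any" or pattern == value   # no CIDR or $VARIABLES in the toy

def _port_ok(pattern: str, value: int) -> bool:
    return pattern == "any" or int(pattern) == value

def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (_addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst)):
        return False
    if not (_port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport)):
        return False
    content = rule["opts"].get("content")
    if content is None:
        return True
    needle, hay = content.encode(), pkt.payload
    if "nocase" in rule["opts"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def evaluate(rules: list, pkt: Packet) -> Verdict:
    """First matching rule wins (list order). Real engines apply a configurable
    action order across all matching rules; the per-action effects are the same."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        action = rule["action"]
        event = None
        if action not in ("pass", "sdrop"):               # sdrop = silent drop, no event
            event = {"sid": rule["opts"].get("sid"), "msg": rule["opts"].get("msg"),
                     "action": action, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
        if action in ("pass", "alert", "log"):            # detection only: traffic continues
            return Verdict(forward=True, reset=False, event=event)
        if action in ("drop", "sdrop"):                   # prevention: packet never leaves the box
            return Verdict(forward=False, reset=False, event=event)
        return Verdict(forward=False, reset=True, event=event)   # reject: drop + tear down
    return Verdict(forward=True, reset=False, event=None)         # no rule matched

# Constructed rules and packets for the demonstration (not stock NitroGuard content).
RULES = [parse_rule(r) for r in [
    'drop tcp any any -> any 80 (msg:"WEB directory traversal attempt"; content:"../../"; sid:1000001; rev:1;)',
    'reject tcp any any -> 10.0.0.5 23 (msg:"TELNET to decommissioned host"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe request"; content:"cmd.exe"; nocase; sid:1000003; rev:1;)',
    'sdrop udp any any -> any 161 (msg:"SNMP probe"; sid:1000004; rev:1;)',
]]
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.9", 40001, "10.0.0.8", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.9", 40002, "10.0.0.5", 23, b"\xff\xfd\x18"),
    Packet("tcp", "203.0.113.9", 40003, "10.0.0.8", 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("udp", "203.0.113.9", 40004, "10.0.0.8", 161, b"\x30\x26\x02\x01\x00"),
    Packet("tcp", "10.0.0.20", 51000, "10.0.0.8", 80, b"GET /index.html HTTP/1.1\r\n"),
]

def run(rules=RULES, packets=SAMPLE_PACKETS) -> list:
    return [evaluate(rules, p) for p in packets]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, run()):
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport} forward={v.forward} reset={v.reset} "
              f"event={v.event['sid'] if v.event else None}")
```

The point to take from the verdicts is that an IPS in blocking mode still emits an event for `drop` and `reject`, so the SIEM sees the blocked attempt; only `sdrop` and `pass` leave no trace, which is why silent drops are reserved for noise you have decided not to investigate.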

Network Awareness

An inline intrusion detection and prevention device is ideally situated to provide important information about network activity. For this reason, NitroGuard also acts as a network flow collector. Now, network session detail is available on the same network connections being monitored for intrusions. This flow information is instantly analyzed and correlated against event activity to provide:

  • Correlation of events to network activity
  • Network anomaly detection capability
  • Event anomaly detection capability

In addition, NitroGuard IPS is able to provide valuable information about network conversations, including full packet captures, and pass that information to NitroView ESM for full correlation and analysis.
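What "correlation of events to network activity" buys you in practice is shown by the following added example (not NitroGuard or NitroView code; record layouts, the byte and fan-out thresholds, and the 300-second window are assumptions). It joins IPS events to the flow they fired inside by 5-tuple and time, then uses the flows to answer two questions the event alone cannot: did an alert-only session go on to carry a large reply from the target (the attack was not blocked and may have worked), and did the targeted host then start initiating sessions to other hosts (propagation). The sample flows and events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: joining IPS events to flow records and using the flows to judge
# whether an attack got through and whether the target then started reaching out.
# Data structures and thresholds are assumptions, not NitroGuard/NitroView formats.

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float      # epoch seconds, first packet
    end: float        # epoch seconds, last packet
    bytes_fwd: int    # client -> server
    bytes_rev: int    # server -> client

@dataclass(frozen=True)
class Event:
    ts: float
    sid: int
    action: str       # "alert" (traffic passed) or "drop"/"reject" (traffic blocked)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _key(x):
    return (x.proto, x.src, x.sport, x.dst, x.dport)

def flow_for_event(ev: Event, flows: list) -> Optional[Flow]:
    """The flow the event fired inside: same 5-tuple, event time within the flow's lifetime."""
    for f in flows:
        if _key(f) == _key(ev) and f.start <= ev.ts <= f.end:
            return f
    return None

def likely_got_through(ev: Event, flow: Optional[Flow], min_reply_bytes: int = 4096) -> bool:
    """An alert-only event whose session then carried a large reply from the target
    deserves a look; a blocked session, or one the server closed at once, stays tiny."""
    return ev.action == "alert" and flow is not None and flow.bytes_rev >= min_reply_bytes

def follow_on_flows(ev: Event, flows: list, window: float = 300.0) -> list:
    """Sessions the targeted host itself initiates within `window` seconds after the event."""
    return [f for f in flows if f.src == ev.dst and ev.ts <= f.start <= ev.ts + window]

def correlate(events: list, flows: list, fanout_threshold: int = 3) -> list:
    out = []
    for ev in events:
        flow = flow_for_event(ev, flows)
        peers = {f.dst for f in follow_on_flows(ev, flows)}
        out.append({
            "sid": ev.sid,
            "target": ev.dst,
            "matched_flow": flow is not None,
            "suspect_success": likely_got_through(ev, flow),
            "follow_on_peers": sorted(peers),
            # a host that fans out to several new peers right after being hit is
            # the network-anomaly signal worth raising, even without a second signature
            "propagation_suspected": len(peers) >= fanout_threshold,
        })
    return out

# Constructed sample data.
FLOWS = [
    Flow("tcp", "203.0.113.9", 40001, "10.0.0.8", 80, 95.0, 130.0, 1500, 52000),    # alerted, continued
    Flow("tcp", "203.0.113.9", 40002, "10.0.0.5", 80, 200.0, 200.1, 400, 0),        # dropped at once
    Flow("tcp", "10.0.0.30", 51003, "10.0.0.8", 80, 120.0, 121.0, 300, 2000),       # inbound to target
    Flow("tcp", "10.0.0.8", 51004, "203.0.113.9", 4444, 135.0, 900.0, 9000, 3000),  # target calls out
    Flow("tcp", "10.0.0.8", 51005, "10.0.0.21", 80, 140.0, 141.0, 1500, 0),
    Flow("tcp", "10.0.0.8", 51006, "10.0.0.22", 80, 150.0, 151.0, 1500, 0),
    Flow("tcp", "10.0.0.8", 51007, "10.0.0.23", 80, 160.0, 161.0, 1500, 0),
    Flow("tcp", "10.0.0.8", 51008, "10.0.0.24", 80, 1000.0, 1001.0, 200, 800),      # outside the window
]
EVENTS = [
    Event(100.0, 1000003, "alert", "tcp", "203.0.113.9", 40001, "10.0.0.8", 80),
    Event(200.0, 1000001, "drop",  "tcp", "203.0.113.9", 40002, "10.0.0.5", 80),
]

if __name__ == "__main__":
    for row in correlate(EVENTS, FLOWS):
        print(row)
```

The first event resolves to a session that kept going and a target that then opened sessions to three internal peers and back to the attacker, which is the "track successful attacks as they propagate" case; the dropped event resolves to a flow with no reply and no follow-on activity, and is closed as blocked.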

Innovations in IPS


Innovative Intrusion Prevention from the creators of Snort® IPS

NitroSecurity created the first Snort-based IPS technology: Snort_Inline, which is widely used today. We've combined that experience with further innovations in IPS, as well as in data collection, network flow, and security information analysis technology, in order to provide a highly efficient, highly protective IPS. (Interested in Snort_Inline? Visit Snort_Inline's SourceForge page.)


Virtual IPS

NitroGuard is more than a powerful IPS: it's several powerful IPSs in one box. Using Virtual IPS technology, each NitroGuard can simultaneously operate individual IPS rule sets across multiple physical gigabit Ethernet ports, or even per VLAN. Virtual IPS increases flexibility by applying specific rules to specific areas of the network, and also improves performance through multi-tasking.


Advanced Features

  • Virtual IPS support for signature flexibility and even greater performance. Virtual IPS allows each NitroGuard to run multiple simultaneous instances of the NitroGuard IPS engine, providing specific rule profiles to a network interface, a VLAN, or simply providing additional performance through multi-tasking.
  • Integrated Network flow collection for network / event correlation.
  • On-board event and flow storage using the super-high-performance NitroEDB database
  • NitroView ESM — the IPS manager that doubles as a full Security Information & Event Management system.

Purpose-Built Performance

NitroGuard appliances are purpose-built, using high-performance memory, network I/O, and RAID controllers, all tuned to provide the best possible performance and reliability.

Ideal for high-performance networks, NitroGuard supports bandwidths from 250 Mbps on the NS-IPS-1200 up to 1.5 Gbps on the NS-IPS-4200. Each IPS ships with an extensive set of "out of the box" anomaly rules, yet also allows enterprises to easily change or customize the response to various threats: use the analytical capabilities to adjust anomaly rules to real network trends; easily edit rules or add new ones using standard Snort syntax; or add NitroView ESM to provide post-event data correlation and processing, including contextual forensics and compliance reporting.

An IPS with a Brain


NitroGuard has brawn, and brains too: each NitroGuard IPS comes with an installable version of NitroView ESM for device management, event/flow correlation, and analytics "not typically seen in an IPS". For large networks, NitroView ESM is also available as an appliance, offering the same performance advantages and reliability as NitroGuard IPS.

Using IPS within a larger security context

Intrusion Prevention Systems provide two important functions in your network:

  • to provide a solid line of defense, detecting and blocking attacks as they occur
  • to provide valuable data to a higher-level security management system such as NitroView ESM, for in-depth forensic analysis

NitroSecurity's NitroGuard IPS is highly integrated with NitroView ESM. When used alone, it is a powerful intrusion prevention system. When used with NitroView, the total system provides:

  • Simple management of rules across all NitroGuard IPS devices
  • Precise network and event information collection
  • Forensic analysis
  • Network flow analysis
  • Physical event mapping, pinpointing events within your network topology
  • Correlation of NitroGuard flow & event data to other host, application, and third party event data collected by NitroView receivers
  • Automated remediation, including black-list capabilities
  • The extension of inline protection to other NitroView systems, such as NitroView DBM and NitroView ADM

NitroSecurity, NitroGuard and NitroView are trademarks of NitroSecurity, Inc. 'Snort' is a registered trademark of Sourcefire, Inc.