IntruPro™ IPS

Next-Generation Intrusion Prevention


IntruPro™ Inline IPS Overview


Example network protected by IntruPro™ Inline IPS


IntruPro™ Inline IPS Network Architecture Diagram


Inline IPS Technology Overview


Intoto's Inline IPS technology is based on highly sophisticated intrusion detection techniques. It uses a proprietary application-aware architecture that reduces false positives to near zero. The Inline IPS architecture combines the benefits of signature-based techniques and anomaly-based detection. The application intelligence classifies traffic by state, service and direction, so only the rules relevant to that traffic are checked and the packet-processing load is minimized. This dramatically boosts the performance of the intrusion prevention system over traditional pattern-matching and anomaly-correlation techniques.


Stateful Protocol Analysis


The Inline IPS architecture tracks the state of each session by employing network, transport and application protocol engines. This enables highly accurate detection with few or no false alarms. In addition to detecting buffer overflows, the technology detects anomalies against the configured profile (which includes application protocol parameters). IP defragmentation and TCP stream reassembly are performed before the data is passed to the application engines. The Inline IPS technology employs anti-NIDS countermeasures and protects against the evasion techniques used by 'fragrouter', 'whisker' and 'ADMutate'. URL Unicode processing is also performed, reducing the need for multiple signatures for a single exploit.

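The following is an added example, written for this page and not Intoto's code, that illustrates why reassembly and URL decoding happen before the application engines inspect data: one HTTP request, constructed here, arrives split across three TCP segments, out of order, with one overlapping retransmission and a percent-encoded character. A matcher that looks at each packet alone misses the signature; one that reassembles the stream and decodes the URL catches it. The request, the segment split, the signature `/cgi-bin/example.cgi` and the first-seen-wins overlap policy are all assumptions of the example.

```python
# Added example, not Intoto's code: reassemble TCP segments by sequence number
# and percent-decode the URL before matching, so one signature covers a request
# that arrives split across packets, out of order, and with encoded characters.
from urllib.parse import unquote

# Constructed sample: one HTTP request line, split into three segments that are
# delivered out of order and with one retransmitted (overlapping) segment.
ISN = 1000                                   # initial sequence number (constructed)
REQUEST = b"GET /cgi-bin/ex%61mple.cgi HTTP/1.0\r\n"
SEGMENTS = [
    (ISN + 15, REQUEST[15:]),    # tail arrives first
    (ISN, REQUEST[:15]),         # head arrives second
    (ISN + 10, REQUEST[10:20]),  # retransmission overlapping both
]
SIGNATURE = "/cgi-bin/example.cgi"           # hypothetical signature


def reassemble(segments, isn):
    """Concatenate payloads in sequence order, starting at isn.

    Overlapping bytes keep the first-seen copy (an assumption of this example;
    a real engine must apply the overlap policy of the protected host, otherwise
    the IDS and the host may end up seeing different data). Stops at a gap."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq < expected:                   # overlap: drop bytes already held
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:                   # gap: later data cannot be used yet
            break
        stream += payload
        expected += len(payload)
    return bytes(stream)


def normalize(data):
    """Percent-decode so that '%61' and 'a' compare equal; this is one piece
    of the URL processing the page describes."""
    return unquote(data.decode("latin-1"))


def per_packet_match(segments, signature):
    """Naive matcher: inspects each segment on its own."""
    return any(signature in normalize(p) for _, p in segments)


def stream_match(segments, isn, signature):
    """Stateful matcher: reassembles first, then decodes and searches."""
    return signature in normalize(reassemble(segments, isn))


if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS, SIGNATURE))
    print("reassembled match:", stream_match(SEGMENTS, ISN, SIGNATURE))
```

The overlap handling is the part a practitioner should not take for granted: different host TCP stacks resolve overlapping segments differently, and an engine whose policy differs from the protected host's can be made to inspect one byte stream while the host processes another, which is exactly the class of problem the anti-NIDS measures above address.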

Customization and Tuning


The Inline IPS technology also includes a language for creating rules. Rules can be uploaded in real time and take effect immediately on update. The language defines multiple protocol keywords and their possible values. When an intrusion is detected, the Inline IPS solution is configured to drop the packets causing the intrusion, terminate the session and generate an alert. Optionally, an administrator can create a rule that only reports. Because of the application awareness, intelligent processing and flexible configuration, the number of false positives is almost zero.


Inline IPS Technologies


Inline Intrusion Prevention

  • Detection and prevention in the line of traffic
  • Provides active response
    • Drops packets or the connection
    • Configurable to ignore and report only
  • Improved performance using intelligent detection mechanisms
  • Detects and prevents attacks in progress before they reach the network

Sniffer IDS

  • Passive packet listener, intended for logging and reporting intrusions
  • No active response to intrusions
    • Firewall signaling is the only (limited) response
    • Useful for forensic and traffic analysis
  • Limited capability to detect intrusions in large traffic volumes
  • Vulnerable to anti-NIDS evasion techniques based on TCP checksums and IP reassembly


Inline IPS Technology Advantages


Reduced False Alarms

  • Stateful application engine
    • Application awareness narrows search criteria
    • Key words search based on application state
  • Active feedback mechanism
    • Users can deselect the rules that may not be applicable to the network being protected
  • Time window based rate limiting
    • Rate limiting rules can be configured based on traffic expected in a given time window
  • User-defined rules and signatures
    • Users can add new rules and new signature patterns, combined with other selectors such as source, destination, protocol and time window, to narrow the search criteria

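As an added example of the time-window rate limiting described above (written for this page, not Intoto's code), the rule below flags a source only when more than a configured number of events fall inside a sliding window of the last N seconds, so a trickle of events spread over a long period never alarms while a burst does. The events, addresses (RFC 5737 documentation ranges), threshold and window are constructed for the example; the `drop`/`report` action field mirrors the two rule actions the page describes.

```python
# Added example, not Intoto's code: a time-window rate-limiting rule. A source
# is flagged only when more than `threshold` events fall inside the last
# `window` seconds, so legitimate low-rate traffic over a long period never alarms.
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip).
EVENTS = (
    [(i / 10, "192.0.2.10") for i in range(25)]          # 25 SYNs in 2.4 s
    + [(15.0 * i, "192.0.2.20") for i in range(5)]       # 5 SYNs over 60 s
    + [(i / 10, "192.0.2.30") for i in range(15)]        # burst of 15 ...
    + [(50 + i / 10, "192.0.2.30") for i in range(15)]   # ... and another 50 s later
)


class WindowRateRule:
    """Flags `key` when more than `threshold` events arrive within `window`
    seconds. Events must be fed in timestamp order for each key."""

    def __init__(self, threshold, window, action="report"):
        self.threshold = threshold
        self.window = window
        self.action = action               # "drop" or "report", as on the page
        self._seen = defaultdict(deque)    # key -> timestamps still inside the window

    def observe(self, key, ts):
        q = self._seen[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # evict timestamps older than the window
            q.popleft()
        return len(q) > self.threshold


def scan(events, threshold=20, window=10.0):
    """Return {key: first timestamp at which the rule fired for that key}."""
    rule = WindowRateRule(threshold, window)
    fired = {}
    for ts, key in sorted(events):
        if key not in fired and rule.observe(key, ts):
            fired[key] = ts
    return fired


if __name__ == "__main__":
    # Only the 25-in-2.4-seconds burst exceeds 20 events per 10 seconds; the two
    # bursts of 15 from 192.0.2.30 are 50 s apart and never share a window.
    print(scan(EVENTS))
```

The eviction step is what makes the window matter: the second burst from `192.0.2.30` starts after the first has aged out, so the two are never counted together. A deployment would tune `threshold` and `window` per service to the traffic expected in that period, which is the "traffic expected in a given time window" point above.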

Performance Optimization

  • Stateful application engine
    • Fewer rules to search
    • Rule key words are based on state of the application
  • Indexed rule search
    • Application search
    • Direction search
  • Protocol anomaly detection
    • CyberDefense Engine
  • Content search engine
    • Boyer Moore algorithm
    • Hardware assisted acceleration support

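The following added example (written for this page; not Intoto's code, and the page does not publish its rule language) ties together the rule selectors from the customization section, the state- and direction-based indexing above and the Boyer-Moore content search: rules are indexed by (application, direction, state), a packet is compared only against the rules in its own bucket, and each candidate's content keyword is searched with the Boyer-Moore-Horspool variant. The rule set, field names, states, patterns and sample packet are all hypothetical.

```python
# Added example, not Intoto's code: rules indexed by (application, direction,
# state) so a packet is compared only against rules that can apply to it, with
# content checked by a Boyer-Moore-Horspool search. Rules, fields, states and
# actions are hypothetical; the page does not specify its rule language.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rid: int
    app: str        # application protocol selector
    direction: str  # "c2s" (client to server) or "s2c"
    state: str      # application state the keyword applies to
    content: bytes  # pattern to search for
    action: str     # "drop" (drop packet, end session, alert) or "report"


# Constructed rule set (hypothetical patterns, for illustration only).
RULES = [
    Rule(1, "http", "c2s", "request_line", b"/../", "drop"),
    Rule(2, "http", "c2s", "request_line", b"%00", "drop"),
    Rule(3, "http", "c2s", "request_body", b"<?php", "drop"),
    Rule(4, "http", "s2c", "response_body", b"<script", "report"),
    Rule(5, "smtp", "c2s", "command", b"VRFY", "report"),
    Rule(6, "ftp", "c2s", "command", b"/../", "drop"),
]
RULES_BY_ID = {r.rid: r for r in RULES}

# Constructed sample packet as the protocol engines would classify it.
PACKET = {"app": "http", "direction": "c2s", "state": "request_line",
          "payload": b"GET /images/../../secret HTTP/1.1\r\n"}


def horspool(pattern, text):
    """Boyer-Moore-Horspool: index of the first occurrence of pattern in text, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    # Shift table: for each byte in pattern[:-1], distance from its last
    # occurrence to the end of the pattern; bytes not in the table shift by m.
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1


def build_index(rules):
    """Bucket rules by the selectors the protocol engines supply per packet."""
    index = defaultdict(list)
    for r in rules:
        index[(r.app, r.direction, r.state)].append(r)
    return index


INDEX = build_index(RULES)


def inspect(packet, index=INDEX):
    """Return (matched rule ids, number of rules whose content was actually searched)."""
    candidates = index.get((packet["app"], packet["direction"], packet["state"]), [])
    hits = [r.rid for r in candidates if horspool(r.content, packet["payload"]) != -1]
    return hits, len(candidates)


def verdict(packet):
    """'drop' if any matching rule drops, 'report' if only report rules matched, else 'pass'."""
    hits, _ = inspect(packet)
    actions = {RULES_BY_ID[h].action for h in hits}
    return "drop" if "drop" in actions else ("report" if actions else "pass")


if __name__ == "__main__":
    hits, searched = inspect(PACKET)
    print(f"matched {hits}, searched {searched} of {len(RULES)} rules ->", verdict(PACKET))
```

With six rules loaded, the sample request is compared against only the two `http`/`c2s`/`request_line` rules, which is the "fewer rules to search" effect above; the savings grow with the size of the rule set, and the content search itself can be handed to hardware in the same way.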
© Copyright 2004 Intoto, Inc.