Sonicwall Deep Packet Inspection - SonicWALL SonicOS Enhanced 2.2 Administrator's Manual

Simplified Deployment and Management - SonicWALL IPS allows network administrators to
quickly and easily manage the service within minutes. Administrators can create global policies
between security zones and interfaces as well as group attacks by priority, simplifying deployment
and management across a distributed network.
Granular Policy Management - SonicWALL IPS provides administrators with a range of granular
policy tools to enforce IPS on a global, group, or individual signature level to enable more control and
reduce the number of false policies. SonicWALL IPS also allows administrators to choose
between detection, prevention, or both to tailor policies for their specific network environment.
Logging and Reporting - SonicWALL IPS offers comprehensive logging of all intrusion attempts with
the ability to filter logs based on priority level, enabling administrators to highlight high priority attacks.
Granular reporting based on attack source, destination and type of intrusion is available through
SonicWALL ViewPoint and Global Management System. A hyperlink on the intrusion entry in the
SonicWALL appliance log brings up the signature window for further information.
Management by Risk Category - SonicWALL IPS allows you to enable or disable detection or
prevention based on the priority level of the attack through the High, Medium, or Low predefined priority
groups.
Detection Accuracy - SonicWALL IPS detection and prevention accuracy is achieved by minimizing
both false positives and false negatives. Signatures are written around applications, such as Internet
Explorer or SQL Server, rather than ports or protocols, to ensure that malicious code targeting them
is correctly identified and prevented.

SonicWALL Deep Packet Inspection

Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology
includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and
alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to them, preventing
the traffic from passing through.
Deep Packet Inspection is a technology that allows a SonicWALL Security Appliance to classify passing
traffic based on rules. These rules include information about the layer 3 and layer 4 content of the packet as
well as information that describes the contents of the packet's payload, including the application data
(for example, an FTP session, an HTTP Web browser session, or even a middleware database
connection). This technology allows the administrator to detect and log intrusions that pass through the
SonicWALL Security Appliance, as well as prevent them (i.e. by dropping the packet or resetting the TCP
connection). SonicWALL's Deep Packet Inspection technology also correctly inspects a TCP byte stream
that has been split across segments, as if no TCP fragmentation had occurred.
How SonicWALL's Deep Packet Inspection Architecture Works
Deep Packet Inspection technology enables the firewall to look further into the protocol to examine
information at the application layer and defend against attacks targeting application vulnerabilities. This
is the technology behind SonicWALL Intrusion Prevention Service. SonicWALL's Deep Packet Inspection
technology enables dynamic signature updates pushed from the SonicWALL Distributed Enforcement
Architecture.
The following steps describe how the SonicWALL Deep Packet Inspection Architecture works:
1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent
attacks against known and unknown protocols, applications and exploits.
2. TCP packets arriving out of order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet's payload. For
example, an HTTP request may be URL encoded, so the request is URL decoded in order to
perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions: they may simply pass the
packet without modification, drop the packet, or reset the TCP connection.
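The following is an added, constructed Python illustration of the four-step pipeline above, together with the priority-based detection/prevention policy described in the feature list; it is not SonicOS code and its signature patterns, policy table and packet contents are made up for the example. It reassembles out-of-order TCP segments, URL-decodes the HTTP request line before matching, and then maps the highest-priority match to a pass, alert or reset action. The test input is percent-encoded so that the same pattern is missed without normalization and caught with it, which is the point of step 3.

```python
"""Toy deep-packet-inspection pipeline (constructed illustration, not SonicOS code).

Stages mirror the four steps above: signature definitions, TCP reassembly of
out-of-order segments, payload normalization (URL decoding), and a
post-processing action (pass / alert / reset) chosen by signature priority.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


# Hypothetical stand-in for the Pattern Definition Language: each signature is
# a name, a priority group and a literal byte pattern searched in the
# normalized payload. The patterns below are constructed samples.
@dataclass(frozen=True)
class Signature:
    name: str
    priority: str      # "High", "Medium" or "Low" (the manual's risk categories)
    pattern: bytes


SIGNATURES = [
    Signature("sample-path-traversal", "High", b"../../"),
    Signature("sample-cgi-probe", "Medium", b"/cgi-bin/test-cgi"),
    Signature("sample-scanner-agent", "Low", b"User-Agent: sample-scanner"),
]

# Simplified version of "enable/disable detection or prevention by priority
# group": High is prevented, Medium is only logged, Low is ignored.
POLICY = {
    "High":   {"detect": True,  "prevent": True},
    "Medium": {"detect": True,  "prevent": False},
    "Low":    {"detect": False, "prevent": False},
}


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    data: bytes


def reassemble(segments, isn):
    """Step 2: rebuild the byte stream from out-of-order TCP segments.

    Segments are sorted by sequence number; a gap (missing segment) stops
    reassembly so the engine never matches across bytes it has not seen.
    Overlapping bytes already in the stream are discarded. Returns the
    contiguous stream and the sequence number where it ends.
    """
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                      # hole in the stream: wait for retransmit
        offset = expected - seg.seq    # skip bytes already seen (overlap)
        if offset < len(seg.data):
            stream += seg.data[offset:]
            expected = seg.seq + len(seg.data)
    return bytes(stream), expected


def normalize_http(payload):
    """Step 3: URL-decode the request line so '%2e%2e/' matches '../'."""
    line, sep, rest = payload.partition(b"\r\n")
    return unquote_to_bytes(line) + sep + rest


def match_raw(stream):
    """Signature names found WITHOUT normalization (shows what encoding hides)."""
    return [s.name for s in SIGNATURES if s.pattern in stream]


def inspect(segments, isn):
    """Steps 1-4 end to end: returns (action, names of reported signatures).

    Action is "pass", "alert" (detect only) or "reset" (prevent; the manual
    describes dropping the packet or resetting the TCP connection).
    """
    stream, _ = reassemble(segments, isn)
    normalized = normalize_http(stream)
    matched = [s for s in SIGNATURES if s.pattern in normalized]
    action = "pass"
    reported = []
    for sig in matched:
        rule = POLICY[sig.priority]
        if not (rule["detect"] or rule["prevent"]):
            continue                   # priority group disabled: not even logged
        reported.append(sig.name)
        if rule["prevent"]:
            action = "reset"           # step 4: prevention wins over detection
        elif action == "pass":
            action = "alert"
    return action, reported


# Constructed sample: a percent-encoded request split into three TCP segments
# that arrive out of order. ISN is the hypothetical initial sequence number.
ISN = 1000
ENCODED_REQUEST = (b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"
                   b"Host: example.test\r\n\r\n")


def sample_segments():
    """Segments delivered in the order third, first, second."""
    chunks = [ENCODED_REQUEST[:10], ENCODED_REQUEST[10:25], ENCODED_REQUEST[25:]]
    segs = [Segment(ISN, chunks[0]), Segment(ISN + 10, chunks[1]), Segment(ISN + 25, chunks[2])]
    return [segs[2], segs[0], segs[1]]


if __name__ == "__main__":
    print("raw match:", match_raw(reassemble(sample_segments(), ISN)[0]))
    print("inspect:", inspect(sample_segments(), ISN))
```

Run as a script, it prints an empty raw match list (the encoded stream contains no literal `../../`) and a reset action once the request line has been decoded. The gap check in `reassemble` is the detail worth keeping in mind: matching across a hole would let a missing segment either hide a pattern or produce a false positive, so a real engine buffers until the stream is contiguous.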
Security Services Page 155
