Cisco IPS 4255 Sensor Product Brochure
Solution Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 9
● Vulnerability exploitations—Cisco IPS solutions stop exploitation of known vulnerabilities
in a wide array of operating systems, network services, applications, and protocols, and
provide protection from new worms and viruses prior to their vulnerabilities becoming
known or published.
● Anomalous activity—Cisco’s best-in-class anomaly detection feature detects worms by
learning the “normal” traffic patterns of the network, and then scanning for anomalous
behavior. Fast-propagating network worms scan the network in order to infect other hosts.
For each protocol or service, the anomaly detection program studies what is normal
scanning activity, and accumulates this information in a threshold histogram and an
absolute scanner threshold. The scanner threshold specifies the absolute scanning rate
above which any source is considered malicious.
● Behavioral analysis—Cisco IPS solutions detect infection characteristics based on
dynamic learning capabilities of network usage.
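The learn-then-detect approach described in the anomalous-activity bullet, modelled as an added Python example (this is not Cisco's code; the flow records, the assumed absolute scanner threshold of 20 distinct destinations, and the simplification that the learned per-protocol threshold is the highest distinct-destination count seen during learning are all constructed for illustration):

```python
from collections import Counter, defaultdict

# Constructed flow records (source, protocol, destination); not captured from a sensor.
# Learning phase: five hosts each reach 1-3 web servers and one DNS server.
LEARNING_FLOWS = [(f"10.0.0.{s}", "tcp/80", f"192.0.2.{d}")
                  for s in range(1, 6) for d in range(1, s % 3 + 2)]
LEARNING_FLOWS += [(f"10.0.0.{s}", "udp/53", "192.0.2.53") for s in range(1, 6)]

# Detection phase: a normal host, a host contacting four DNS servers (above what was
# learned for udp/53) and a host sweeping 25 web servers (above the absolute limit).
DETECTION_FLOWS = [("10.0.0.1", "tcp/80", "192.0.2.1"), ("10.0.0.1", "tcp/80", "192.0.2.2")]
DETECTION_FLOWS += [("10.0.0.7", "udp/53", f"192.0.2.{d}") for d in range(1, 5)]
DETECTION_FLOWS += [("10.0.0.9", "tcp/80", f"192.0.2.{d}") for d in range(1, 26)]

ABSOLUTE_SCANNER_THRESHOLD = 20  # assumed value chosen for this illustration

def scan_counts(flows):
    """Distinct destinations contacted by each (source, protocol) pair."""
    dests = defaultdict(set)
    for src, proto, dst in flows:
        dests[(src, proto)].add(dst)
    return {key: len(v) for key, v in dests.items()}

def learn_histogram(flows):
    """Per-protocol histogram: how many sources contacted N distinct destinations."""
    hist = defaultdict(Counter)
    for (_, proto), n in scan_counts(flows).items():
        hist[proto][n] += 1
    return hist

def learned_threshold(hist, proto):
    """Simplification: the largest count seen during learning is 'normal' for the protocol."""
    return max(hist[proto]) if hist.get(proto) else 0

def detect(flows, hist, absolute=ABSOLUTE_SCANNER_THRESHOLD):
    """Flag sources above the absolute scanner threshold, else above the learned one."""
    alerts = []
    for (src, proto), n in scan_counts(flows).items():
        if n > absolute:
            alerts.append((src, proto, n, "absolute-scanner-threshold"))
        elif n > learned_threshold(hist, proto):
            alerts.append((src, proto, n, "learned-histogram-threshold"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(DETECTION_FLOWS, learn_histogram(LEARNING_FLOWS)):
        print(alert)
```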
Multivector Threat Identification
Cisco IPS solutions employ numerous methods for the inspection and analysis of traffic in Layers
2 through 7. These methods provide comprehensive threat identification, often supporting the
development of vulnerability signatures prior to the release of an exploit. These multivector threat
identification methods include:
● Rate limiting—Allows the IPS device to limit certain types of traffic by preventing it from
using an excessive amount of bandwidth. This feature can also signal external devices,
such as Cisco IOS® Software-based routers, to perform rate limiting to accomplish
the same function.
● IPv6 detection—Enhanced visibility into IPv6 traffic makes it easier to identify malicious
traffic.
● IP in IP detection—Identifies malicious traffic within mobile IP traffic.
● Stateful pattern recognition—Identifies vulnerability-based attacks through the use of
multipacket inspection across all protocols, thwarting attacks that hide within a data stream.
● Protocol analysis—Cisco IPS solutions provide protocol decoding and validation for
network traffic. Cisco IPS Sensor Software Version 6.0 monitors all major TCP/IP protocols,
including but not limited to IP, Internet Control Message Protocol (ICMP), TCP, and User
Datagram Protocol (UDP). It also provides stateful decoding of application-layer protocols
such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, SMB, Domain Name System
(DNS), remote procedure call (RPC), NetBIOS, Network News Transfer Protocol (NNTP),
generic routing encapsulation (GRE), and Telnet.
● Traffic anomaly detection—Provides anomaly identification for attacks that may cover
multiple sessions and connections, using techniques based on identifying changes in
normal network traffic patterns (for example, an ICMP flood with a predefined number of
ICMP packets within a certain amount of time).
● Protocol anomaly detection—Identifies attacks based on observed deviations in the
normal RFC behavior of a protocol or service (an HTTP response without an HTTP request,
for example).
● Layer 2 detection—Identifies Layer 2 Address Resolution Protocol (ARP) attacks and
man-in-the-middle attacks, which are prevalent in switched environments.