Scalable and Effective IPS Technology

Soft IPS is a software-based intrusion prevention technology that shuts down threats without adding latency to the network or placing a device in its forwarding path. It does this by injecting spoofed TCP packets into the network to disrupt unwanted communications, and couples that active response with a proprietary algorithm that predicts, from observed communication patterns, which traffic can safely be blocked. Its benefits are described below.

Passive Configuration

A diagram demonstrating a Metaflows sensor configured to run as a passive device.

Unique Benefits of Soft IPS

  • Runs entirely in software and scales to 10 Gbps of network traffic on commodity hardware.
  • Runs in passive mode (not inline). An inline IPS is a single point of failure: if it crashes, loses power or is overloaded, the traffic passing through it is delayed or stops. A passive sensor only observes a copy of the traffic, so its failure never affects the network's availability.
  • Uses active response (spoofed packet injection) to block unwanted traffic (bots, spyware, P2P, etc.), and learns which classes of flows should be blocked proactively rather than one connection at a time.
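The active response described above works because a passive sensor that has seen a TCP segment knows the four-tuple and the sequence numbers of the flow, which is all that is needed to forge a segment each endpoint will accept. The block below is an added example, not Metaflows code: the page says only "spoofed TCP packets", so treating them as TCP resets (RSTs) is an assumption here, as are the packet-building helpers and the sample flow (10.0.0.5:50123 to 203.0.113.9:6667), which is constructed. The packets are built as raw bytes and verified locally; nothing is sent.

```python
# Added example, not Metaflows code: how a passive sensor that has seen one TCP
# segment of a flow can tear the connection down by injecting spoofed RST segments
# at both endpoints. The page says only "spoofed TCP packets"; that they are RSTs
# is an assumption here (it is the standard passive-blocking technique).
# Packets are built as raw bytes and checked locally; nothing is sent.
import socket
import struct
from dataclasses import dataclass

IP_PROTO_TCP = 6
TH_RST = 0x04


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class ObservedSegment:
    """The fields the sensor records from a segment of the flow it wants to kill."""
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    seq: int          # sequence number carried by the observed segment
    ack: int          # acknowledgement number carried by the observed segment
    payload_len: int  # bytes of TCP payload in the observed segment


def build_ipv4_tcp(src_ip, sport, dst_ip, dport, seq, ack, flags, ttl=64) -> bytes:
    """Return a minimal IPv4+TCP packet (no options, no payload) with valid checksums."""
    # TCP header with checksum zeroed; data offset 5 words, window 0.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl,
                     IP_PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def spoofed_resets(seg: ObservedSegment) -> tuple:
    """Two RSTs for one observed segment: one impersonating each endpoint.

    A host accepts a RST only if its sequence number is acceptable; RFC 5961
    stacks insist on an exact match with the next byte they expect, so the
    spoofed RST must reuse the sequence state just seen on the wire:
      - toward the receiver, impersonate the sender: seq = observed seq + payload
      - toward the sender, impersonate the receiver: seq = observed ack
    """
    to_receiver = build_ipv4_tcp(seg.src_ip, seg.sport, seg.dst_ip, seg.dport,
                                 seq=(seg.seq + seg.payload_len) & 0xFFFFFFFF,
                                 ack=0, flags=TH_RST)
    to_sender = build_ipv4_tcp(seg.dst_ip, seg.dport, seg.src_ip, seg.sport,
                               seq=seg.ack, ack=0, flags=TH_RST)
    return to_receiver, to_sender


def parse_packet(packet: bytes) -> dict:
    """Decode the fields worth checking and re-verify both checksums."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    sport, dport, seq, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", packet[20:40])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, total_len - 20)
    return {
        "src": socket.inet_ntoa(src), "sport": sport,
        "dst": socket.inet_ntoa(dst), "dport": dport,
        "seq": seq, "rst": bool(flags & TH_RST),
        "ip_csum_ok": inet_checksum(packet[:20]) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + packet[20:total_len]) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: an internal host talking to an IRC-style port, as a
    # signature match might report it to the Soft IPS subsystem.
    seen = ObservedSegment("10.0.0.5", 50123, "203.0.113.9", 6667,
                           seq=1000, ack=5000, payload_len=100)
    for pkt in spoofed_resets(seen):
        print(parse_packet(pkt))
```

Two practical limits follow from the code. The injected RST is racing the real conversation: it is only accepted if it arrives while the sequence number is still the one the endpoint expects, so the sensor must respond within the round-trip time of the flow it is killing. And the technique needs sequence state to forge, which connectionless UDP and ICMP do not have; that is why the comparison at the end of the page lists those protocols as only partially blockable.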

Architecture

Soft IPS Architecture

Detection

The sensor software detects unwanted traffic using a variety of functional elements, which include IPS signature detection, Network Antivirus and other user-defined block classifications (which may include Multi-session rules). Any of these components can trigger a block signal to the Soft IPS subsystem. The block signal is a flow specification of the form:

 <srca/mask> <srcp> <dsta/mask> <dstp> 

Each of the fields sent over from the detection components can be a wildcard: 0 in a port field (srcp, dstp) and 0.0.0.0/0 in an address field (srca, dsta). A fully wildcarded address matches any host, so a signal such as `0.0.0.0/0 0 <dsta/mask> <dstp>` blocks every connection to one destination service regardless of who initiates it.

Each block signal is then processed by an invariant extraction algorithm that looks for repeated attempts to block similar flows. Once a threshold is reached (for example, more than 5 attempts to block flows between the same two IP addresses from the same source port), invariant extraction automatically replaces the field or fields that varied across those attempts (the destination port, in this example) with a wildcard, so that the whole class of flows is blocked proactively instead of one connection at a time. The threshold bounds how aggressively the sensor generalises: a wildcard that is too broad turns the active response into a self-inflicted denial of service on legitimate traffic, so it trades faster blocking against the risk of over-blocking.
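The parsing of block signals and the generalisation step described above, as an added example that is not Metaflows code. It assumes the grouping key (the two addresses), the threshold of 5 and the rule "wildcard whichever port fields varied" from the single example on this page; the real invariant extraction algorithm is proprietary and its details are not on the page. The `BlockSignal`, `InvariantExtractor` and `enforce` names, and the sample signals, are constructed for the example.

```python
# Added example, not Metaflows code: parsing block signals in the
# "<srca/mask> <srcp> <dsta/mask> <dstp>" form and generalising them the way the
# invariant-extraction step is described. The grouping key (the two addresses),
# the threshold of 5 and "wildcard whatever varied" are assumptions drawn from
# the page's one example; the real algorithm is proprietary.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

WILDCARD_PORT = 0                                  # "0" in a port field
WILDCARD_ADDR = ipaddress.ip_network("0.0.0.0/0")  # "0.0.0.0/0" in an address field


def _addr(text: str) -> ipaddress.IPv4Network:
    # A bare address means a single host; a prefix length is taken as written.
    return ipaddress.ip_network(text if "/" in text else f"{text}/32", strict=False)


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


@dataclass(frozen=True)
class BlockSignal:
    """One flow specification as handed from a detection component to Soft IPS."""
    srca: ipaddress.IPv4Network
    srcp: int
    dsta: ipaddress.IPv4Network
    dstp: int

    @classmethod
    def parse(cls, line: str) -> "BlockSignal":
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
        srca, srcp, dsta, dstp = fields
        return cls(_addr(srca), _port(srcp), _addr(dsta), _port(dstp))

    def covers(self, other: "BlockSignal") -> bool:
        """True if every flow matched by `other` is also matched by this signal."""
        return (self.srca.supernet_of(other.srca)
                and self.dsta.supernet_of(other.dsta)
                and self.srcp in (WILDCARD_PORT, other.srcp)
                and self.dstp in (WILDCARD_PORT, other.dstp))

    def __str__(self) -> str:
        return f"{self.srca} {self.srcp} {self.dsta} {self.dstp}"


class InvariantExtractor:
    """Group block signals by their address pair and, once more than `threshold`
    distinct signals have arrived for a pair, replace every port field that
    varied across them with a wildcard so the whole class of flows is blocked."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self._attempts = defaultdict(list)   # (srca, dsta) -> signals seen so far
        self.rules = []                       # blocks currently handed to active response

    def feed(self, sig: BlockSignal) -> BlockSignal:
        """Return the block actually enforced for `sig`: itself or a wider rule."""
        for rule in self.rules:
            if rule.covers(sig):
                return rule  # already blocked; nothing new to learn
        key = (sig.srca, sig.dsta)
        attempts = self._attempts[key]
        attempts.append(sig)
        if len(attempts) <= self.threshold:
            self.rules.append(sig)
            return sig
        # Threshold crossed: keep the invariant fields, wildcard the ones that varied.
        srcp = sig.srcp if len({a.srcp for a in attempts}) == 1 else WILDCARD_PORT
        dstp = sig.dstp if len({a.dstp for a in attempts}) == 1 else WILDCARD_PORT
        rule = BlockSignal(sig.srca, srcp, sig.dsta, dstp)
        # The wider rule subsumes the narrow per-flow rules it was learned from.
        self.rules = [r for r in self.rules if not rule.covers(r)] + [rule]
        del self._attempts[key]
        return rule


def enforce(lines, threshold: int = 5) -> list:
    """Feed block-signal lines in order and return the rules in force, as strings."""
    extractor = InvariantExtractor(threshold)
    for line in lines:
        extractor.feed(BlockSignal.parse(line))
    return [str(r) for r in extractor.rules]


if __name__ == "__main__":
    # Constructed sample: a host repeatedly flagged talking to one server from a
    # fixed source port while the destination port keeps changing.
    sample = [f"10.0.0.5 40000 203.0.113.9 {p}" for p in (6667, 6668, 6669, 7000, 8080, 9001)]
    print(enforce(sample))  # the sixth signal collapses five narrow rules into one wildcard
```

Two design points are worth noting. The `covers` check runs before counting, so a signal already handled by an earlier rule is never counted again and cannot push a pair past the threshold on its own; and the learned rule replaces the narrow rules it subsumes, which keeps the active rule set from growing with every detection. A production implementation would also age rules out, since a permanent wildcard learned from a short burst is exactly the over-blocking risk the threshold is meant to control.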

Comparison with traditional IPS

                      Inline IPS           Soft IPS
Blocks TCP            Yes                  Yes
Blocks UDP and ICMP   Yes                  Partial
Software failure      All traffic stops    All traffic through
Hardware failure      All traffic stops    All traffic through
Power loss            Depends on device    All traffic through
Performance impact    ~200 µs latency      None

Soft IPS blocks by injecting spoofed TCP packets, so it can tear down TCP sessions, but UDP and ICMP traffic carries no connection state to reset, hence "Partial". "None" in the last row refers to added latency: a passive sensor is never in the forwarding path and cannot delay packets, although how quickly it interrupts a flow still depends on how fast it detects and responds.