Soft IPS is ground-breaking Software-based Intrusion Prevention technology that shuts down threats with zero impact on performance or reliability. Soft IPS does this by injecting spoofed TCP packets into the network to disrupt unwanted communications. This idea is coupled with a proprietary algorithm that will safely predict which traffic to block based on observed communication patterns. Soft IPS has the following benefits:
The sensor software detects unwanted traffic using a variety of functional elements which include IPS signature detection, Network Antivirus and other user defined block classifications (which my include Multi-session rules). Any of these components can trigger a block signal to the Soft IPS subsystem. The block signal is a flow specification of the form:
<srca/mask> <srcp> <dsta/mask> <dstp>
Each of the fields sent over from the detection components can be a wildcard. Wildcards are specified as 0 or 0.0.0.0/0 if they are a protocol/port or address respectively.
Each of the block signals is then processed by an invariant extraction algorithm that identifies repeated attempts to block similar flows. Once a certain threshold is reached (for example there are more than 5 attempts to block the same 2 IP addresses and the same source port), the invariant extraction will automatically change one or more fields of the block signal to a wildcard.
|Inline IPS||Soft IPS|
|Blocks UDP and ICMP||
|Software Failure||All Traffic Stops||All Traffic Through|
|Hardware Failure||All Traffic Stops||All Traffic Through|
|Power Loss||Depends on Device||All Traffic Through|
|Performance Impact||~200 µs latency||None|