- Runs entirely in software and can scale to 10 Gbps of network traffic on commodity hardware.
- Runs in passive mode (not inline). This can be a significant advantage, because traditional inline IPS configurations pose a higher risk to a network's availability: a sensor that is not in the forwarding path cannot interrupt traffic when it fails.
- Uses powerful active response technology to block unwanted traffic (bots, spyware, P2P, etc.) and actively learns which flows need to be blocked proactively.
The sensor software detects unwanted traffic using a variety of functional elements, including IPS signature detection, Network Antivirus and other user-defined block classifications (which may include multi-session rules). Any of these components can send a block signal to the Soft IPS subsystem. The block signal is a flow specification of the form:
<srca/mask> <srcp> <dsta/mask> <dstp>
Each field sent by a detection component can be a wildcard. A wildcard is written as 0 for a port and as 0.0.0.0/0 for an address.
Each block signal is then processed by an invariant extraction algorithm that identifies repeated attempts to block similar flows. Once a threshold is reached (for example, more than 5 attempts to block flows with the same two IP addresses and the same source port but differing destination ports), the invariant extraction automatically changes one or more fields of the block signal to a wildcard, so that a single expression covers the whole family of flows.
Once the flow has been processed by the invariant extraction and optionally generalized, it is passed to the pcap filter module, which captures all packets matching the flow specification. The pcap filter also ages out block expressions that stop matching traffic, using the following aging table (the number of invariants is the number of non-wildcard fields in the expression):
| Number of invariants | Example (BPF syntax) | Expires after |
|---|---|---|
| 1 | host 220.127.116.11 | 1 year |
| 2 | host 18.104.22.168 and port 80 | 10 minutes |
| 3 | host 12.3.4 and host 22.214.171.124 and port 80 | 100 seconds |
| 4 | host 126.96.36.199 and host 188.8.131.52 and port 80 and port 11111 | 100 seconds |
As long as an expression keeps triggering within its expiration period, it is kept active (each match restarts the timer). Administrative Soft IPS expressions, which are not derived from the invariant extraction, are never aged; they remain until the administrator explicitly deletes them by removing the associated policy.
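The flow-spec handling described in the preceding paragraphs (wildcard parsing, invariant extraction, rendering the result as a BPF expression, and aging with administrative entries exempt), as an added worked example in Python. This is not the product's code; the page does not show its internals. Only the flow-spec syntax, the wildcard values and the aging table come from the text. The exact generalization rule (a field is wildcarded when more than the threshold number of earlier signals agree on the other three fields while differing in that one), the class layout and the sample signals are assumptions, and the addresses 10.0.0.5, 192.0.2.10 and 198.51.100.7 are constructed for the example.

```python
"""Flow-spec handling for a passive "Soft IPS" sensor: wildcards, invariant
extraction, BPF rendering and aging.  Added illustration; the threshold rule
and data structures are assumptions, only the flow-spec syntax, the wildcard
values and the aging table are taken from the text."""
import ipaddress

WILDCARD_ADDR = "0.0.0.0/0"   # address wildcard, as on the page
WILDCARD_PORT = 0             # port wildcard, as on the page
THRESHOLD = 5                 # the page's example: "more than 5 attempts"
ADMIN_NEVER = None            # administrative expressions never age

# Expiry by number of invariants (non-wildcard fields), from the aging table.
EXPIRY_SECONDS = {1: 365 * 24 * 3600, 2: 10 * 60, 3: 100, 4: 100}


def parse_block_signal(text):
    """'<srca/mask> <srcp> <dsta/mask> <dstp>' -> (srcnet, srcp, dstnet, dstp).
    A bare address is normalized to /32; 0.0.0.0/0 and port 0 are wildcards."""
    srca, srcp, dsta, dstp = text.split()
    return (str(ipaddress.ip_network(srca, strict=False)), int(srcp),
            str(ipaddress.ip_network(dsta, strict=False)), int(dstp))


def num_invariants(flow):
    srca, srcp, dsta, dstp = flow
    return sum((srca != WILDCARD_ADDR, srcp != WILDCARD_PORT,
                dsta != WILDCARD_ADDR, dstp != WILDCARD_PORT))


def to_bpf(flow):
    """Render the non-wildcard fields in the direction-agnostic style of the
    page's aging table, e.g. 'host A and host B and port 80'."""
    srca, srcp, dsta, dstp = flow
    terms = []
    for net in (srca, dsta):
        if net != WILDCARD_ADDR:
            terms.append(("host " + net[:-3]) if net.endswith("/32") else ("net " + net))
    for port in (srcp, dstp):
        if port != WILDCARD_PORT:
            terms.append("port %d" % port)
    return " and ".join(terms)


def extract_invariants(flow, history, threshold=THRESHOLD):
    """Assumed rule: wildcard field i when more than `threshold` signals agree
    with `flow` on the other three fields while taking several values in i.
    Identical repeats keep every field, so a burst of the same signal can
    never widen into an all-wildcard expression."""
    out = list(flow)
    for i in range(4):
        others = [j for j in range(4) if j != i]
        similar = [h for h in history if all(h[j] == flow[j] for j in others)]
        if len(similar) > threshold and len({h[i] for h in similar}) > 1:
            out[i] = WILDCARD_ADDR if i in (0, 2) else WILDCARD_PORT
    return tuple(out)


class SoftIPSFilter:
    """Active BPF expressions: bpf text -> (invariants, expiry time or None)."""

    def __init__(self):
        self.history = []   # every block signal received, for invariant extraction
        self.active = {}

    def _install(self, flow, now, expiry):
        n = num_invariants(flow)
        if n == 0:
            raise ValueError("all-wildcard signal would capture every packet")
        bpf = to_bpf(flow)
        self.active[bpf] = (n, ADMIN_NEVER if expiry is ADMIN_NEVER else now + EXPIRY_SECONDS[n])
        return bpf

    def block_signal(self, text, now):
        """Signal from a detection component: record, generalize, install."""
        flow = parse_block_signal(text)
        self.history.append(flow)
        return self._install(extract_invariants(flow, self.history), now, expiry=0)

    def add_admin(self, text):
        """Expression entered by the administrator: never ages."""
        return self._install(parse_block_signal(text), 0, expiry=ADMIN_NEVER)

    def packet_matched(self, bpf, now):
        """A capture hit restarts the timer of a derived expression."""
        n, expiry = self.active[bpf]
        if expiry is not ADMIN_NEVER:
            self.active[bpf] = (n, now + EXPIRY_SECONDS[n])

    def age(self, now):
        """Remove derived expressions whose timer has run out; return them."""
        expired = sorted(b for b, (_, t) in self.active.items() if t is not None and t <= now)
        for b in expired:
            del self.active[b]
        return expired
```

Feeding six signals that differ only in destination port produces the generalized three-invariant expression on the sixth signal; the refusal to install an all-wildcard expression is the guard a real deployment needs, since such an expression would reset every TCP flow the sensor sees.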
If a packet is captured by the pcap filter, its addresses, ports and TCP sequence numbers are extracted and used to build active response packets that spoof the source and destination addresses/ports. The spoofed packets are sent out through the sensor's management interface, and the normal routing infrastructure is expected to deliver them to the source and destination addresses. Two practical consequences follow: because the sensor is passive, the response is only sent after the captured packet has already been forwarded, so the first packets of a flow always reach their destination; and the path from the management interface must not drop packets with spoofed sources (anti-spoofing or uRPF filters on the management segment would silently defeat the response).
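How the captured packet's addresses, ports and sequence numbers turn into the spoofed active-response packets described above, as an added worked example in Python rather than the product's code. The page says only that these fields are extracted and used to spoof packets toward both ends; sending TCP resets in both directions is the conventional active-response technique and is assumed here. The raw IPv4/TCP headers are assembled by hand so the result can be inspected offline; the sample captured segment and the addresses 10.0.0.5 and 192.0.2.10 are constructed for the example, and actually transmitting the result would need a raw socket on the management interface.

```python
"""Build the two spoofed TCP RST segments a passive sensor would emit after
capturing one segment of a flow it wants to tear down.  Added example, not the
product's code; the use of RST is assumed, the page only says sequence numbers,
addresses and ports are extracted and spoofed.  Sample packets are constructed."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data):
    """Ones-complement sum shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Assemble a minimal IPv4 + TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp_ipv4(pkt):
    """Extract what the sensor needs from a captured IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, payload_len=total_len - ihl - doff)


def verify_checksums(pkt):
    """True when both the IPv4 header and the TCP segment checksum to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def active_response(captured):
    """Return (to_source, to_destination) RSTs for one captured segment.
    Toward the source we impersonate the destination, using the captured ack as
    our seq (the byte the source is waiting for).  Toward the destination we
    impersonate the source with seq = next byte it expects: captured seq plus
    payload, plus one if SYN or FIN consumed a sequence number."""
    c = parse_tcp_ipv4(captured)
    consumed = 1 if c["flags"] & (TCP_SYN | TCP_FIN) else 0
    nxt = (c["seq"] + c["payload_len"] + consumed) & 0xFFFFFFFF
    if c["flags"] & TCP_ACK:
        to_source = build_segment(c["dst"], c["src"], c["dport"], c["sport"],
                                  seq=c["ack"], ack=0, flags=TCP_RST)
    else:
        # A bare SYN carries no usable ack number; answer as a real stack would.
        to_source = build_segment(c["dst"], c["src"], c["dport"], c["sport"],
                                  seq=0, ack=nxt, flags=TCP_RST | TCP_ACK)
    to_destination = build_segment(c["src"], c["dst"], c["sport"], c["dport"],
                                   seq=nxt, ack=0, flags=TCP_RST)
    return to_source, to_destination


# Constructed sample: a client request segment with an 18-byte payload.
SAMPLE = build_segment("10.0.0.5", "192.0.2.10", 40000, 80, 1000, 5000,
                       TCP_ACK | TCP_PSH, b"GET / HTTP/1.0\r\n\r\n")
```

The sequence-number arithmetic is the part that matters in practice: a receiver only honours a reset whose sequence number falls inside its window, so a sensor that has missed segments (or is racing a busy flow) may emit resets that both ends silently discard, which is why the technique is best-effort.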
Comparison with traditional “hard” IPS
| | Inline IPS (with bypass) | Soft IPS (passive mode) |
|---|---|---|
| Extracts attacker invariants dynamically | No | Yes |
| Block IP addresses from console | No | Yes |
| Blocks UDP and ICMP | Yes | No |
| Software/hardware failure | All traffic stops | All traffic through |
| Power loss | All traffic through | All traffic through |
| Performance impact | >200 µs latency | None |
The table above summarizes the advantages and disadvantages of Soft IPS compared with a traditional inline deployment. Soft IPS has no impact on performance or availability, at the expense of not being able to block UDP and ICMP packets: a passive sensor can only stop a flow by injecting packets into it, which requires the connection state that only TCP provides. Practically speaking, this limitation matters little on most networks.