Neusoft NetEye

Product Overview

Product Advantage

Network security is drawing more and more attention in this Internet era. Firewall products have become indispensable network devices for all trades. In the meanwhile, network intruders are getting cleverer and cleverer. They often attack networks through common service ports, such as HTTP, SMTP, POP3 and DNS in a highly skilled manner, causing a great deal of destruction to networks. Firewall products are limited in function and hence may not be able to prevent such intrusions effectively. Therefore, there is a pressing need for a more effective intrusion prevention method.

As a security device deployed at gateways, IPS can thoroughly examine network data and behaviors by utilizing information about attacks so that it can prevent application-layer attacks much more effectively. The inline deployment of IPS enables the device to directly block harmful traffic (such as probes and attacks) and prevent it from intruding into the network where IPS is utilized. IPS can also be deployed behind a firewall, protecting crucial servers and ensuring the security of common open services such as Web, SMTP and DNS. This FW+IPS deployment integrates the technological advantages of firewall and IPS, so the previous investment in firewall is not wasted.

Combined Security, Purified Applications

To tackle issues such as Web application security, mail server security, database security and worms, Neusoft has launched a highly effective intrusion prevention product which is based on a multi-core-processor architecture---NetEye IPS. NetEye IPS can implement analysis and attack prevention at protocol level. It can define protocol anomalies, vulnerability rules, attack signatures and statistical characteristics in order to detect and prevent intrusions. Furthermore, its rule base can be updated and upgraded easily. NetEye IPS also provides the user with an open declarative language platform (NetEye event language) so that the user or a third party can customize rules whenever necessary. Thus, NetEye IPS is applicable to many trades for the purpose of protecting application servers and intranets.

Unique ‘Application Purification’ Technology

To ensure the security of applications such as Web, a unique technology named ‘application purification’ is adopted in NetEye IPS and it is this very technology that distinguishes NetEye IPS from other IPS products in the market. Traditional IPS products are mainly concerned with ‘What is an attack?’, i.e., they detect what types of traffic are attacks, anomalies, or misuses, then block them. However, in most cases, attack traffic only takes up a very small percentage of the total traffic. Nevertheless, attacks emerge from time to time and they seem endless. As a result, the rate of failure in reporting attacks is relatively high, which in turn influences network performance. Having adopted a distinctive technology ‘application purification’, NetEye IPS focuses more on ‘What is a normal application?’, i.e., only those types of traffic which abide by standard protocols and conform to security policies for a specific application environment are allowed to go through NetEye IPS. This measure significantly improves application security and hence the overall performance of IPS.

Highly Effective Multi-Core-Processor Architecture

NetEye IPS adopts a multi-core computing platform which has an enormous computing capability in order to meet the requirements of a network environment and applications. A large amount of protocol analysis and computation need to be done by IPS for the purpose of intrusion detection and prevention. The amount and complexity of computation in IPS far exceed those in firewalls. Therefore, the performance of the processors on the hardware platform is crucial. NetEye IPS is based on a multi-core-processor architecture. In this architecture, two or more core computing units are integrated in one processor, with each core having its own execution units. Multi-core processors make parallel processing possible, thus a single multi-core CPU like this can be as efficient as two or four or eight traditional CPUs. In the meanwhile, the hardware platform of NetEye IPS can support multi-CPU architecture. Hence, the performance and efficiency of IPS will be enhanced. There should be no doubt that IPS can fully meet the deployment requirements of the Gigabits Ethernet.

It can accurately and effectively detect and prevent attacks

NetEye IPS uses a novel attack declarative language to develop detection and prevention rules. Thereby, the rules are accurate and highly efficient. For example, NetEye IPS can use just one rule to block CAN-1999-0098, CAN-1999-0284, CAN-1999-1529, CVE-2000-0042, CVE-2000-0488, CVE-2000-0507, CAN-2000-0657, CAN-2003-0264, CAN-2004-1291 and several other attacks targeted at SMTP servers.

It can define rules based on a vulnerability in a protocol, an operating system or an application

When a vulnerability is published, attacks aiming at this vulnerability and their variants will emerge endlessly. For this reason, it would be a waste of time and effort if one only defines attack signatures to detect and prevent intrusions. NetEye IPS defines vulnerability rules to detect and prevent attacks. NetEye IPS blocks attacks simply by using one rule regardless of the tools or techniques used by the attacker. This blocking means is also effective against novel attack techniques. Besides, if vulnerability rules AND attack signatures are both defined, NetEye IPS will combine the two types of rule so that the system administrator will understand what attack methods are used as well as obtaining some basic information about the vulnerability that is used by the attacker (the vulnerability might be a potential hazard in the system). In the end, the administrator will make better judgments about the seriousness of the incident and take measures to trace it.

It provides finely granular rules so that it can detect attacks at protocol level

A set of rigid criteria and restrictions for protocol state transitions and interactions are specified in the RFCs. Any deviation from standards or protocols in the process of protocol interactions would be considered a protocol anomaly, which often means there is an attack. NetEye IPS can effectively prevent and detect attacks by checking protocol anomalies. For example, according to RFC 2821, in a normal SMTP connecting process, only when a client-side ‘RCPT TO’ request command has been submitted, is a client-side ‘DATA’ request command legal. So, by keeping a log of client-side ‘RCPT TO’ request commands, NetEye IPS can block all “DATA” commands that are not in compliance with SMTP protocols and all attacks which attempt to intrude via such request command. Besides, NetEye IPS can detect invalid parameters in commands in the process of protocol state transitions.

Users can customize rules according to their own protocols or applications

Taking Web applications for example, the user can work together with engineers from Neusoft to customize NEL rules by introducing information related to their application environment (e.g. the version of HTTP protocol, type of servers, types of data, language used on web pages, etc.) so as to improve the flexibility and accuracy of the rules. By so doing, NetEye IPS can defend various attacks including buffer overflow attacks, SQL injections and URL attacks more effectively. The partnerships with many trades like telecommunication, social security, e-government, financing, electricity and education over the years have enabled Neusoft to take a lead in developing rules which are user-friendly and easy to customize.

It can detect and prevent application-layer DoS/DDoS attacks

As explained before, NetEye IPS can prevent and detect intrusions by defining attack signature-based and statistical characteristics-based rules. Therefore, it can effectively prevent application-level DoS/DDoS attacks which are aimed at key serves, such as Web servers, DNS servers and SMTP servers.

It will stay available even if there is a hardware or software breakdown

NetEye’s high availability enables the device to keep working even if there is power cut-off or software breakdown, so it ensures the stability and security of business applications.

It can be easily deployed in a network without altering configuration of the network
NetEye IPS can be easily embedded in any part of an existing network or one that is under construction without affecting the network’s topology or applications.