• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• Summary
  • Synchronize Licenses
  • Security Services Settings
  • Signature Downloads Through a Proxy Server
  • Security Services Information
• Configuring Content Filter
  • SonicWall CFS
    • CFS Status
    • Global Settings
    • CFS Exclusion
  • CFS Custom Category
  • Websense Enterprise
    • Websense Server Status
    • General Settings
    • Block Web Features
    • CFS Exclusion
    • Blocking Page
• Managing the SonicWall Gateway Anti-Virus Service
  • SonicWall GAV Multi-Layered Approach
    • Remote Site Protection
    • Internal Network Protection
    • HTTP File Downloads
    • Server Protection
    • Cloud Anti-Virus Database
  • SonicWall GAV Architecture
  • Activating the Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention License
  • Setting Up SonicWall Gateway Anti-Virus Protection
    • Viewing SonicWall Gateway Anti-Virus Status Information
      • Checking the SonicWall Gateway Anti-Virus Signature Database Status
      • Updating SonicWall Gateway Anti-Virus Signatures
    • Enabling SonicWall Gateway Anti-Virus
    • Applying SonicWall Gateway Anti-Virus Protection on Zones
    • Specifying Protocol Filtering
      • Enabling Inbound Inspection
      • Enabling Outbound Inspection
      • Restricting File Transfers
        • FTP Settings
        • Exclusion Settings
      • Resetting Gateway Anti-Virus Settings
    • Configuring Gateway Anti-Virus Settings
      • Configuring Gateway Anti-Virus Settings
      • Configuring HTTP Clientless Notification
      • Configuring a SonicWall GAV Exclusion List
    • Configuring Cloud Gateway Anti-Virus
  • Viewing SonicWall Gateway Anti-Virus Signatures
    • Displaying Signatures
    • Navigating the Gateway Anti-Virus Signatures Table
    • Searching the Gateway Anti-Virus Signature Database
• Anti-Spyware Service
  • Anti-Spyware Status
  • Anti-Spyware Global Settings
  • Signature Groups
  • Protocols
  • Anti-Spyware Signatures
• Intrusion Prevention Service
  • About Intrusion Prevention Service
  • Enabling Intrusion Prevention Services
  • IPS Status
  • IPS Global Settings
  • Intrusion Prevention Service Policies
• Configuring Geo-IP Filters
  • Configuring Geo-IP Filtering
  • Creating Custom Country Lists
  • Customizing Web Block Page Settings
  • Using Geo-IP Filter Diagnostics
    • Geo-IP Cache Statistics
    • Custom Countries Statistics
    • Show Resolved Locations
    • Check GEO Location Server Lookup
    • Incorrectly Marked Address
• Configuring Botnet Filters
  • Configuring Botnet Filtering
  • Creating Custom Botnet Lists
    • Creating a Custom Botnet List
    • Editing Custom Botnet List Entries
  • Configuring Dynamic HTTP Authentication
  • Customizing Web Block Page Settings
  • Using Botnet Filter Diagnostics
    • Botnet Cache Statistics
    • Botnets Statistics
    • Show Resolved Botnet Locations
    • Check Botnet Server Lookup
    • Incorrectly Marked Address
  • Displaying the Status of the Botnet Feature and Database
• Configuring App Control
  • About App Control Policy Creation
  • Viewing App Control Status
  • Enabling App Control
    • Enabling App Control Globally
    • Enabling App Control on Zones
    • Configuring Logging and Log Filter Interval
    • Enabling App Control Filename Logging
  • Configuring App Control Global Settings
    • About App Control Global Settings
  • Configuring App Control Advanced Settings
    • Configuring App Control Advanced by Category
    • Configuring App Control Advanced by Application
    • Configuring App Control Advanced by Signature
    • Viewing Signatures
      • Viewing by All Categories and All Applications by Applications
      • Viewing by All Categories and All Applications by Signatures
      • Viewing by All Categories and All Applications by Category
      • Viewing Just One Category
      • Viewing Just One Application
      • Displaying Details of Signature Applications
      • Displaying Details of Application Signatures
• SonicWall Support
  • About This Document

About Intrusion Prevention Service

SonicWall Intrusion Prevention Service (SonicWall IPS) delivers a configurable, high performance Deep Packet Inspection (DPI) engine for extended protection of key network services such as Web, email, file transfer, Windows services and DNS. SonicWall IPS is designed to protect against application vulnerabilities, as well as worms, Trojans, and peer-to-peer, spyware and back door exploits. The extensible signature language used in SonicWall’s Deep Packet Inspection engine also provides proactive defense against newly-discovered application and protocol vulnerabilities. SonicWall IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new attacks through SonicWall’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWall IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.

Deep Packet Inspection (DPI) looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds anomalies in the traffic and reacts, preventing the traffic from passing through.

Deep Packet Inspection is a technology that allows a SonicWall security appliance to classify passing traffic based on rules. These rules include information about layer 3 and layer 4 content of the packet, as well as the information that describes the contents of the packet’s payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWall network security appliance, as well as prevent them (such as dropping the packet or resetting the TCP connection). SonicWall’s DPI technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation had occurred.

Deep Packet Inspection (DPI) technology enables your SonicWall network firewall appliance to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWall Intrusion Prevention Service. SonicWall’s Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWall Distributed Enforcement Architecture.

SonicWall Deep Packet Inspection Architecture works like this:

1. Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet’s payload. For example, a HTTP request might be URL encoded and so the request is URL decoded in order to execute correct pattern matching on the payload.
4. Deep Packet Inspection engine post-processors execute actions that might either simply pass the packet without modification, or could drop a packet, or could even reset a TCP connection.
5. SonicWall’s Deep Packet Inspection framework supports complete signature matching across the TCP fragments without completing any reassembly (unless the packets are out of order). This results in a more efficient use of the processor and memory for greater performance.

If TCP packets arrive out of order, the SonicWall IPS engine reassembles them before inspection. However, SonicWall’s IPS framework supports complete signature matching across the TCP fragments without having to do a complete reassembly. SonicWall’s unique reassembly-free matching solution dramatically reduces CPU and memory resource requirements.