Each security policy can specify an intrusion protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default profile protects clients and servers from all known critical-, high-, and medium-severity threats.
Intrusion prevention integrates a high-performance Deep Packet Inspection architecture and a dynamically updated signature database to deliver complete network protection from application exploits, worms and malicious traffic. In addition, Intrusion Prevention provides access control for Instant Messenger (IM) and Peer-to-Peer (P2P) applications.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as traffic sent to highly sensitive destinations, such as server farms.
Categories for which the block or monitor action can be set include:
- Miscellaneous—such as SIP Foundry sipiXtapi Buffer Overflow
- File transfer server—such as NetTerm NetFTPF User Buffer Command or 3Com 3CDaemon FTP server overflow
- Web server—such as Microsoft Windows Explorer Drag and Drop Remote Code Execution, Microsoft IIS WebDAV Long Request Buffer Overflow, and others
- General server—Microsoft SSL PCT Buffer Overflow Vulnerability, Solaris Telnetd User Authentication Bypass Vulnerability, and others
- Client—such as Microsoft Visual Studio WMI Object Broker Unspecified Code Execution, Microsoft Internet Explorer XMLHTTP ActiveX Control setRequestHeader Code Execution, and others
- IM—IBM Lotus Sametime Multiplexer Buffer Overflow, MSN MSNP2P Message Integer Overflow, and others
- Message server—Sendmail Signal Race Vulnerability, Microsoft Exchange SMTP Service Extended Verb Request Buffer Overflow, and others.
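As an added illustration (not the product's own configuration or API), the following Python model shows how the profile choice described above (minimal checking between trusted zones, maximum protection for untrusted sources and server-farm destinations, the default profile elsewhere) and per-category block/monitor overrides resolve to an action for a signature hit. The zone names, profile names and helper functions are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model of profile selection and action resolution; not a vendor API.
ALL_SEVERITIES = frozenset({"critical", "high", "medium", "low", "informational"})


@dataclass
class IpsProfile:
    name: str
    block_severities: frozenset                 # severities blocked unless a category override applies
    fallback: str = "monitor"                   # action for signatures below the block threshold
    category_actions: Dict[str, str] = field(default_factory=dict)  # category -> "block" | "monitor"

    def action_for(self, category: str, severity: str) -> str:
        # An explicit per-category block/monitor setting takes precedence over severity.
        if category in self.category_actions:
            return self.category_actions[category]
        return "block" if severity in self.block_severities else self.fallback


# Default profile: block all known critical-, high- and medium-severity threats.
DEFAULT = IpsProfile("default", frozenset({"critical", "high", "medium"}))
# Minimal checking between trusted zones: block only critical, pass the rest uninspected,
# but keep monitoring IM so access-control events are still logged (assumed policy choice).
MINIMAL = IpsProfile("minimal", frozenset({"critical"}), fallback="allow",
                     category_actions={"IM": "monitor"})
# Maximum protection for untrusted sources and sensitive destinations: block everything known.
STRICT = IpsProfile("strict", ALL_SEVERITIES, category_actions={"IM": "block"})

# Constructed zone names; the untrusted and server-farm zones drive the profile choice.
TRUSTED_ZONES = {"lan", "wifi-corp"}
SENSITIVE_ZONES = {"server-farm"}
UNTRUSTED_ZONES = {"untrust"}


def select_profile(src_zone: str, dst_zone: str) -> IpsProfile:
    # Sensitive destinations and untrusted sources always get the strict profile.
    if src_zone in UNTRUSTED_ZONES or dst_zone in SENSITIVE_ZONES:
        return STRICT
    if src_zone in TRUSTED_ZONES and dst_zone in TRUSTED_ZONES:
        return MINIMAL
    return DEFAULT


def evaluate(src_zone: str, dst_zone: str, category: str, severity: str) -> Tuple[str, str]:
    """Return (profile name, action) for a signature hit on traffic between two zones."""
    profile = select_profile(src_zone, dst_zone)
    return profile.name, profile.action_for(category, severity)
```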