Characteristics and specifications of intrusion prevention system

TippingPoint's ASIC-based intrusion detection and defense engine

UnityOne's unparalleled performance, stability and accuracy are the product of patented technology developed by engineers and scientists at TippingPoint. These advantages are embodied in TippingPoint's TSE (Threat Suppression Engine). UnityOne is a highly specialized hardware-based intrusion detection and defense platform built on the latest network processor technology. TippingPoint has a complete set of self-developed FPGA (Layer 7) and ASIC (Layer 4) modules. The TSE is a hardware line-speed engine that realizes all the functions needed for intrusion detection and defense. Its main functions include IP fragment reassembly, TCP flow reassembly, statistical analysis of attack behavior, network traffic bandwidth management, malicious packet blocking, traffic state tracking, and analysis of more than 17 application-layer network communication protocols.

TSE reassembles packet contents and analyzes them up to the application layer. Each time a new packet of a data stream arrives at TSE, it re-checks whether the stream now contains harmful content. If harmful content is found, that packet and all subsequent packets belonging to the same stream are blocked in real time. This ensures that the attack never reaches its destination.

This leading IPS technology can only be realized by combining high-speed network processors with customized ASIC chips. This highly specialized traffic classification technology gives the IPS gigabit processing speed and a processing delay of less than one microsecond, together with high detection and blocking accuracy. This is unlike software-based intrusion prevention systems, or other competitors who claim gigabit processing speed, whose processing performance degrades seriously as the number of installed filters grows and whose processing delay can be as high as several seconds or even tens of seconds. UnityOne's highly scalable hardware protection engine allows tens of thousands of filters to run at the same time without affecting performance or accuracy.

UnityOne uses TSE's breakthrough scalability and high performance to detect communication protocol anomalies and traffic statistics anomalies in real time, protect against DDoS attacks and block or limit the bandwidth of unauthorized applications.

Three intrusion prevention functions of TippingPoint

UnityOne provides the most complete intrusion detection and prevention functions in the industry, far exceeding the capabilities of traditional IPS. The three major intrusion detection and defense functions defined by TippingPoint are application protection, network architecture protection and performance protection. Together, these three functions provide the most powerful and complete protection against all forms of network attack, such as viruses, worms, denial of service attacks, and illegal intrusion and access.

Application protection - UnityOne provides protection against network-based attacks such as viruses, worms and trojans, covering clients, servers and Layers 2 through 7. Using deep inspection of application-layer packets, UnityOne can distinguish legitimate from harmful packet contents. The latest attacks can easily penetrate a firewall by disguising themselves as legitimate application traffic. UnityOne reassembles TCP traffic and examines the contents of application-layer packets to tell legitimate data streams from malicious ones. Most intrusion prevention systems defend only against known attacks; UnityOne, however, uses a vulnerability-based filtering mechanism to prevent all known and unknown attacks.

Network architecture protection - routers, switches, DNS servers and firewalls are all network devices that may be attacked. If these devices are attacked and brought down, every key application in the enterprise goes down with them. UnityOne's network architecture protection mechanism provides a series of network vulnerability filters that protect network devices from attack. In addition, UnityOne provides a traffic statistics anomaly filter: for traffic that exceeds its normal "baseline", actions such as warning, rate limiting or blocking can be taken according to the communication protocol or application characteristics. In this way, the network outages or congestion caused by DDoS and other flood-traffic attacks can be prevented.

Performance protection - this protects network bandwidth and host performance from being consumed by unauthorized applications. If the network link is congested, important application data cannot be transmitted. Non-business applications, such as peer-to-peer file sharing (P2P) applications or instant messaging (IM) software, quickly exhaust network bandwidth, so UnityOne provides a Traffic/Rate Shaping function that helps enterprises precisely identify unauthorized application traffic and reduce or limit its bandwidth usage.

Three intrusion detection and defense mechanisms of TippingPoint

TippingPoint's UnityOne IPS product line can operate three independent but complementary intrusion detection and defense mechanisms at the same time: the vulnerability filter, the attack signature filter and the traffic anomaly filter. TippingPoint's ability to run all three mechanisms simultaneously comes from its specially developed ASIC.

Vulnerability filters are mainly used to protect operating systems and applications. Such a filter behaves like a network-based virtual software patch, protecting the host from network-based attacks that exploit unpatched vulnerabilities. As soon as a new vulnerability is discovered and begins to be exploited by attackers, a vulnerability filter is activated in real time to shield that vulnerability. This filtering mechanism works by reassembling Layer 7 information so that application-layer traffic can be inspected in full. Filtering rules can specify particular conditions, such as anomalies in an application's behaviour (for example, a buffer overflow condition) or deviations from a communication protocol's specification (for example, an RFC violation).
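The flow reassembly and blocking behaviour described for the TSE, the application-layer inspection under "Application protection", and the vulnerability-style and signature-style rules described here can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not TippingPoint code. The flow 4-tuple, the sequence numbers, the payloads, the 256-byte request-line limit and the signature marker are all constructed for the example, and it assumes in-order delivery is not guaranteed but does not handle overlapping retransmissions.

```python
"""Flow-tracking inspector (constructed example, not TippingPoint's engine).

Reassembles a TCP stream per flow, re-runs every filter over the reassembled
application-layer bytes on each arrival, and drops every later segment of a
flow once a filter fires, so a flagged attack never reaches its destination."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port), constructed


@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class FlowState:
    next_seq: int                                          # next expected byte
    held: Dict[int, bytes] = field(default_factory=dict)   # out-of-order segments
    stream: bytearray = field(default_factory=bytearray)   # reassembled bytes so far
    blocked_by: Optional[str] = None                       # name of the rule that fired


# Vulnerability-style rule: a protocol anomaly, not a specific exploit string.
# Flags an HTTP request line longer than a constructed (hypothetical) limit.
def overlong_request_line(stream: bytes) -> bool:
    end = stream.find(b"\r\n")
    line = stream if end == -1 else stream[:end]
    return len(line) > 256


# Signature-style rule: exact byte pattern of a constructed "known" payload.
def known_signature(stream: bytes) -> bool:
    return b"CONSTRUCTED_EVIL_MARKER" in stream


FILTERS: Dict[str, Callable[[bytes], bool]] = {
    "overlong-request-line": overlong_request_line,
    "signature-0001": known_signature,
}


class Inspector:
    def __init__(self, filters: Dict[str, Callable[[bytes], bool]] = FILTERS):
        self.filters = filters
        self.flows: Dict[Flow, FlowState] = {}

    def process(self, seg: Segment) -> str:
        """Return 'forward' or 'drop:<rule>' for one arriving segment."""
        st = self.flows.get(seg.flow)
        if st is None:
            # First segment seen for this flow defines the stream origin.
            st = self.flows[seg.flow] = FlowState(next_seq=seg.seq)
        if st.blocked_by:
            return f"drop:{st.blocked_by}"   # rest of a flagged flow is blocked
        st.held[seg.seq] = seg.payload
        # Append every contiguous segment now available, filling gaps in order.
        while st.next_seq in st.held:
            chunk = st.held.pop(st.next_seq)
            st.stream.extend(chunk)
            st.next_seq += len(chunk)
        # Re-inspect the whole reassembled stream after each arrival.
        for name, rule in self.filters.items():
            if rule(bytes(st.stream)):
                st.blocked_by = name
                return f"drop:{name}"
        return "forward"


def demo() -> list:
    """Signature split across two segments that arrive out of order."""
    flow: Flow = ("10.0.0.5", 40000, "10.0.0.9", 80)   # constructed addresses
    a = Segment(flow, 1000, b"GET / HTTP/1.1\r\nX: CONSTRUCTED_E")
    b = Segment(flow, a.seq + len(a.payload), b"VIL_MARKER\r\n\r\n")
    c = Segment(flow, b.seq + len(b.payload), b"more client data")
    d = Segment(flow, c.seq + len(c.payload), b"still more")
    insp = Inspector()
    # Arrival order a, c, b, d: per-packet matching would never see the marker
    # whole; reassembly catches it when b fills the gap, and d is then dropped.
    return [insp.process(a), insp.process(c), insp.process(b), insp.process(d)]


if __name__ == "__main__":
    print(demo())
```

The two rules show the distinction the page draws: `overlong_request_line` fires on a condition that a whole class of exploits would have to meet, while `known_signature` only recognises one specific payload.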

The traffic anomaly filter is used to detect changes in traffic patterns. These filtering mechanisms adapt to and learn the pattern of "normal traffic" in the particular environment where UnityOne is deployed. Once normal traffic has been established as the baseline, they detect statistically abnormal network traffic according to an adjustable threshold. The traffic anomaly filtering mechanism can effectively block distributed denial of service (DDoS) attacks, unknown worms, abnormal application traffic and other zero-day flash attacks. In addition, an important special function of UnityOne is that it can allocate network bandwidth appropriately by application type, communication protocol and IP address.
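The baseline-and-threshold mechanism described here and under "Network architecture protection" (learn normal traffic, then warn, rate-limit or block when a protocol's traffic exceeds the baseline by an adjustable margin) is illustrated by the following added example. It is not TippingPoint code: the per-interval packet counts, the protocol labels, and the three sigma thresholds are constructed, and the z-score against a learned mean and standard deviation is an assumed statistical model chosen for the illustration.

```python
"""Traffic statistics anomaly filter (constructed example, not TippingPoint's).

Learns a per-protocol baseline of packets-per-interval from clean samples, then
scores each new interval as a z-score against that baseline and maps the score
to allow / warn / rate-limit / block using adjustable thresholds."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple


class AnomalyFilter:
    def __init__(self, warn_sigma: float = 3.0, limit_sigma: float = 5.0,
                 block_sigma: float = 8.0):
        # Adjustable thresholds, in standard deviations above the learned mean.
        self.warn_sigma = warn_sigma
        self.limit_sigma = limit_sigma
        self.block_sigma = block_sigma
        self.baseline: Dict[str, Tuple[float, float]] = {}   # proto -> (mean, stdev)

    def learn(self, samples: Dict[str, List[int]]) -> None:
        """Learn 'normal traffic' from per-interval packet counts per protocol."""
        for proto, counts in samples.items():
            # Floor the deviation at 1 packet so a perfectly flat baseline
            # does not flag a single extra packet as an eight-sigma event.
            self.baseline[proto] = (mean(counts), max(pstdev(counts), 1.0))

    def score(self, proto: str, count: int) -> float:
        mu, sigma = self.baseline[proto]
        return (count - mu) / sigma

    def classify(self, proto: str, count: int) -> str:
        """Map one interval's count for a protocol to an action."""
        if proto not in self.baseline:
            return "warn:unknown-protocol"   # no baseline yet: alert, do not block
        z = self.score(proto, count)
        if z >= self.block_sigma:
            return "block"
        if z >= self.limit_sigma:
            return "rate-limit"
        if z >= self.warn_sigma:
            return "warn"
        return "allow"


def demo() -> Dict[str, str]:
    # Constructed baseline: DNS at ~100 pkt/interval (+/-5), HTTP at ~1000 (+/-50).
    filt = AnomalyFilter()
    filt.learn({"udp/53": [95, 105] * 5, "tcp/80": [950, 1050] * 5})
    # Constructed observations: a quiet interval, a rising DNS burst, an HTTP flood.
    observations = [("udp/53", 110), ("udp/53", 118), ("udp/53", 130),
                    ("udp/53", 200), ("tcp/80", 1100), ("tcp/80", 1500), ("icmp", 5)]
    return {f"{p}:{n}": filt.classify(p, n) for p, n in observations}


if __name__ == "__main__":
    for key, action in demo().items():
        print(key, "->", action)
```

Because the thresholds are per-instance parameters, the same filter can be tuned tighter for a protocol the site rarely uses and looser for its busiest one, which is the "adjustable threshold" the page refers to.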

The attack signature filter is aimed mainly at attacks that do not need to exploit a security vulnerability, such as viruses or trojans. This method requires full knowledge of the characteristics of known attacks, which are captured in a defense signature database. TippingPoint has a professional team that analyzes attack threats from around the world 7x24, all year round, and cooperates with well-known information security teams such as SANS, CERT and SecuriTeam, so that every UnityOne in the world can be equipped with the latest attack signature database through online update as soon as it is released.

Online updating mechanism of the TippingPoint Digital Vaccine

Suzhou Zhongli Digital Association and HP are working together on enterprise information security. In addition to providing the weekly SANS vulnerability analysis, TippingPoint's security team also builds a database of filters for those vulnerabilities and bundles it into the Digital Vaccine. The Digital Vaccine not only contains filters for specific attacks but also blocks variant attacks and zero-day flash attacks. To achieve the widest security coverage, the Digital Vaccine not only updates the filter database online on a regular weekly schedule, but also produces new filters at any time for vulnerabilities or attacks that pose a serious threat. The Digital Vaccine then automatically deploys the new filters to UnityOne IPS devices around the world.

To defend against the latest vulnerabilities and attacks, the newest filters are continuously pushed to the IPS. Each filter can be regarded as a virtual software patch on the network that protects internal hosts from attack. Any harmful traffic that attempts to exploit a specific vulnerability is detected and blocked in real time. In other words, a virtual patch is used to protect thousands of unpatched systems.

TippingPoint's security experts are recognized worldwide, and more than 25, security managers and experts around the world subscribe to the SANS @RISK analysis report edited by TippingPoint. The same analysis feeds the development of the Digital Vaccine, prioritizing the best filters to protect TippingPoint customers.

TippingPoint has the most complete reliability mechanism

The design concept of UnityOne is to ensure that the network is never disconnected and line speed is maintained no matter what happens to the network, to the internal equipment and system, or even if the device loses power completely. UnityOne uses an internal system backup mechanism and a network-state backup mechanism, which complement each other to ensure maximum network availability.

UnityOne has a variety of built-in backup mechanisms. First, every device has two mutually redundant, hot-swappable power supplies. Second, watchdog timers continuously monitor the security and management engines; once a system error is detected, UnityOne can automatically or manually switch to acting as a Layer 2 device so that the network is not disconnected. In addition, TippingPoint provides an external device, Zero Power High Availability: when the entire computer room or data center loses power, all traffic is automatically switched through this device.