C613-22104-00 REV B Intrusion Prevention System (IPS) | Page 10
Feature Overview Advanced Network Protection
URL Filtering
Stream-based URL filtering provides a fast, efficient method of controlling access to websites
that are known to be undesirable. It acts on a global basis, so use it when URLs on a blacklist
are to be blocked for everyone, or when selected URLs are to be allowed as configured in a
whitelist.
For more information about how it works, see "URL filtering" on page 20. To configure this
feature, see "Configuring URL filtering" on page 45.
Updating service files
Some of these features involve a partnership with a third-party security specialist. These specialists
provide algorithmic engines and pattern files to match signatures of known viruses, attack
sequences and the like. The pattern files are frequently updated (some are updated multiple times a
day) and made available for download on the Allied Telesis update server. The AR-Series UTM
firewalls automatically check the Allied Telesis download server for new updates to pull down.
Performance
Enabling advanced network protection features significantly increases traffic processing and
therefore CPU load. For information and guidance about the performance and security implications
of enabling these features, and of stream and proxy processing methods, see "Selecting a Security
Solution" on page 24.
On the AR4050S, the UTM Offload feature can improve network forwarding performance by
offloading some of the advanced security feature processing to another virtual or physical machine.
This is automatically managed by the AR4050S. See "UTM Offload" on page 22.
Intrusion Prevention System (IPS)
This feature is supported in AlliedWare Plus version 5.4.5 and later.
AlliedWare Plus Intrusion Prevention System (IPS) inspects inbound and outbound traffic to identify
and log suspicious network activity; it proactively counteracts malicious threats. IPS uses the
Suricata IDS/IPS engine to monitor and compare threats against an IDS database of known threat
signatures.
This section describes how IPS works. To configure this feature, see "Configuring Intrusion
Prevention System (IPS)" on page 34.
AlliedWare Plus IPS monitors inbound and outbound traffic and identifies suspicious or malicious
traffic which may bypass your firewall or could be originating from inside your network.
AlliedWare Plus IPS enhances your network visibility and allows you to control the network by
enforcing compliance with security policy.
AlliedWare Plus IPS is stream-based and there is no delay in detection and prevention. The IPS
engine monitors network traffic and detects malicious activity in real-time by comparing the threat's
characteristics and patterns against known malicious threats stored in a signature database.
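The stream-based comparison described above can be illustrated with a short added example (it is not AlliedWare Plus or Suricata code): it matches byte patterns across in-order segments of one flow while keeping only a small tail of earlier data, and contrasts that with scanning each segment in isolation. The signature names, patterns and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed signature names and byte patterns (not from any real rule set).
SIGNATURES = {
    "EXAMPLE-SIG-1": b"/cgi-bin/example-bad-path",
    "EXAMPLE-SIG-2": b"X-Example-Marker: evil",
}

def per_segment_scan(segments, signatures=SIGNATURES):
    """Naive check: each segment is scanned in isolation."""
    return [name for seg in segments
            for name, pat in signatures.items() if pat in seg]

@dataclass
class StreamInspector:
    """Scans one direction of one flow as in-order segments arrive."""
    signatures: dict = field(default_factory=lambda: dict(SIGNATURES))
    tail: bytes = b""   # trailing bytes kept from earlier segments
    seen: int = 0       # total bytes consumed so far
    alerts: list = field(default_factory=list)

    def feed(self, segment: bytes) -> list:
        window = self.tail + segment
        base = self.seen - len(self.tail)      # stream offset of window[0]
        hits = []
        for name, pat in self.signatures.items():
            pos = window.find(pat)
            while pos != -1:
                # Report only matches that end inside the new segment, so a
                # match already reported from the tail is not raised twice.
                if pos + len(pat) > len(self.tail):
                    hits.append((name, base + pos))
                pos = window.find(pat, pos + 1)
        # Keep (longest pattern - 1) bytes: enough to catch any pattern that
        # straddles the next segment boundary, without buffering the stream.
        keep = max((len(p) for p in self.signatures.values()), default=1) - 1
        self.tail = window[-keep:] if keep > 0 else b""
        self.seen += len(segment)
        self.alerts.extend(hits)
        return hits

def inspect_flow(segments, signatures=SIGNATURES):
    """Feed all segments of a flow; return (signature, stream offset) alerts."""
    inspector = StreamInspector(dict(signatures))
    for seg in segments:
        inspector.feed(seg)
    return inspector.alerts
```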