NetScreen uses multi-method detection (MMD) in its IDS appliance, which also includes intrusion prevention options. MMD integrates stateful signature analysis with the detection of protocol anomalies, traffic anomalies, IP spoofing, layer 2 and SYN-flood attacks. Plus, it includes detection of 'backdoor' exploits and a network honeypot. The NetScreen IDP-100 is rated at 200Mbits/sec throughput, offering a choice of eight Fast Ethernet or two separate gigabit monitoring ports.
The stateful signature analysis engine is designed to minimize false alarms by looking for signatures in only the relevant parts of traffic where exploits are possible. Signatures can be updated weekly from NetScreen and there is a Signature Editor to help develop custom signatures, but you do not have to use all the signatures supplied.
The central console runs on Windows or Linux desktops in association with a Management Server that runs on Solaris 7/8 or Red Hat Linux. The Management Server does not need to be installed on a dedicated machine unless a large number of sensors are to be monitored. In smaller installations it can run on the same hardware as one of the IDP sensors. Together, these provide the centralized management capability to establish and deploy security policies to a large number of sensors. Each sensor can have a different policy or be grouped together for common policies. A history is kept for auditing purposes.
Communications between the distributed parts of the system are authenticated and encrypted. NetScreen can also be connected 'in-line,' to take advantage of its intrusion prevention features. When used in-line, you have the choice of configuring it to be completely transparent, with no visible IP addresses. Policies allow you to specify a response when an attack is identified, and actions range from sending an email alert to dropping the connection, when installed as an 'in-line' gateway, providing protection and prevention. Multiple IDP can be deployed in a high-availability configuration to provide failover and load balancing.
Reporting uses a 'dashboard' approach that combines information to give a quick overview of what attacks are being targeted at which hosts. You can drill down to obtain more detailed reports, as required. Features specifically designed to assist in forensic investigation offer the means to present results in an easily understood form.