Content-ID
Enterprise networks are rife with applications that can evade
detection. Common methods include dynamically hopping ports,
re-using other ports, emulating other applications or tunneling
inside SSL. The use of evasive applications has not gone unnoticed
by attackers as they increasingly use these invisible applications
to transport threats past the firewall. Content-ID melds a uniform
threat signature format, stream-based scanning and a comprehensive
URL database with elements of application visibility to detect and
block a wide range of threats, control non-work related web
surfing, and limit unauthorized file and data transfers.
- Stream-based Virus Scanning: Virus and spyware prevention is
  performed through stream-based scanning, a technique that begins
  scanning as soon as the first packets of the file are received, as
  opposed to waiting until the entire file is loaded into memory
  before scanning begins. Performance and latency overhead is
  minimized because traffic is received, scanned, and forwarded to
  its intended destination immediately, without first buffering and
  then scanning the whole file. Key antivirus capabilities include:
  - Protection against a wide range of malware, including viruses
    (HTML and JavaScript viruses among them), spyware downloads,
    spyware phone-home traffic, Trojans, etc.
  - Inline stream-based detection and prevention of malware
    embedded within compressed files and web content.
  - Leverages SSL decryption within App-ID to block viruses
    embedded in SSL traffic.
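The practical difficulty with stream-based scanning is that a signature can straddle the boundary between two packets, so a scanner that only looks at each chunk in isolation misses it, while one that buffers the whole file gives up the latency benefit. The following added example (not Content-ID's code; the signatures, chunk size and payloads are constructed for illustration) keeps a small carry-over window of the previous chunk, reports each match exactly once with its absolute stream offset, and lets the caller block the transfer as soon as the first hit arrives rather than after the last byte.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed test signatures (hypothetical; not real malware patterns).
# A production engine carries a large signature database instead.
SIGNATURES: Dict[bytes, str] = {
    b"MALWARE-SIG-ALPHA": "Test.Alpha",
    b"eval(unescape(": "JS.Obfuscated",
}

Match = Tuple[str, int]  # (signature name, absolute byte offset in the stream)


class StreamScanner:
    """Scan a byte stream chunk by chunk, reporting each signature
    match as soon as the chunk that completes it has arrived."""

    def __init__(self, signatures: Dict[bytes, str]) -> None:
        self.signatures = signatures
        # A signature may straddle a chunk boundary, so retain the last
        # (longest signature - 1) bytes of what was seen as carry-over.
        self.carry_len = max(len(s) for s in signatures) - 1
        self.carry = b""
        self.base = 0  # absolute stream offset of self.carry[0]

    def feed(self, chunk: bytes) -> List[Match]:
        buf = self.carry + chunk
        found: List[Match] = []
        for sig, name in self.signatures.items():
            pos = buf.find(sig)
            while pos != -1:
                # A match that ends inside the carry region was already
                # reported by the previous feed(); do not report it twice.
                if pos + len(sig) > len(self.carry):
                    found.append((name, self.base + pos))
                pos = buf.find(sig, pos + 1)
        # Slide the window: keep only the tail needed for straddling matches.
        keep = buf[-self.carry_len:] if self.carry_len else b""
        self.base += len(buf) - len(keep)
        self.carry = keep
        return sorted(found, key=lambda m: m[1])


def chunked(data: bytes, size: int) -> Iterable[bytes]:
    """Split a payload into fixed-size pieces (stand-in for TCP segments)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_stream(chunks: Iterable[bytes],
                signatures: Dict[bytes, str] = SIGNATURES
                ) -> Tuple[str, int, List[Match]]:
    """Forward chunks through the scanner one at a time and stop at the
    first hit. Returns (verdict, bytes examined before the decision,
    matches); 'examined' shows how little of a large file has to be
    seen before a block decision is possible."""
    scanner = StreamScanner(signatures)
    examined = 0
    for chunk in chunks:
        hits = scanner.feed(chunk)
        examined += len(chunk)
        if hits:
            return "block", examined, hits
    return "allow", examined, []


if __name__ == "__main__":
    # Constructed payload: the signature starts at offset 1450 and so
    # crosses a 1460-byte segment boundary.
    payload = b"A" * 1450 + b"MALWARE-SIG-ALPHA" + b"B" * 5000
    print(scan_stream(chunked(payload, 1460)))   # blocked after 2 segments
    print(scan_stream(chunked(b"A" * 3000, 1460)))  # clean: allow
```

The carry-over window is bounded by the longest signature, so memory use is independent of file size; the offset bookkeeping is what lets a later stage log or correlate where in the object the hit occurred.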
- Vulnerability attack protection (IPS): Application vulnerability
  prevention is enabled using a set of intrusion prevention features
  to block known and unknown network and application-layer
  vulnerability exploits, buffer overflows, DoS attacks and port
  scans from compromising and damaging enterprise information
  resources. IPS mechanisms include:
  - Protocol decoders and anomaly detection
  - Stateful pattern matching
  - Statistical anomaly detection
  - Heuristic-based analysis
  - Blocking of invalid or malformed packets
  - IP defragmentation and TCP reassembly
  - Custom vulnerability and spyware phone-home signatures
  Traffic is normalized to eliminate invalid and malformed packets,
  while TCP reassembly and IP defragmentation are performed to ensure
  the utmost accuracy and protection despite any attack evasion
  techniques.
- URL Filtering: Complementing the threat prevention and application
  control capabilities is a fully integrated, on-box URL filtering
  database consisting of 20 million URLs across 76 categories that
  enables IT departments to monitor and control employee web surfing
  activities. The on-box URL database can be augmented to suit the
  traffic patterns of the local user community with a custom,
  1 million URL database. URLs that are not categorized by the local
  URL database can be pulled into cache from a hosted, 180 million
  URL database. In addition to database customization, administrators
  can create custom URL categories to further tailor the URL controls
  to suit their specific needs. URL filtering visibility and policy
  controls can be tied to specific users through the transparent
  integration with enterprise directory services (Active Directory,
  LDAP, eDirectory), with additional insight provided through
  customizable reporting and logging.
- Data leak prevention: Administrators can implement several
  different types of data leak prevention policies to reduce the risk
  associated with unauthorized file and data transfer. The transfer
  of files can be controlled by looking deep within the payload to
  identify the file type (as opposed to looking only at the file
  extension) and allowing or blocking it according to the policy.
  Loss of confidential data such as credit card numbers or SSNs can
  be controlled by detecting data patterns in the application flow
  and responding according to the policy.
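The two controls described above, file-type identification from the payload rather than the extension and pattern detection for confidential data, are shown in the following added example (illustrative code, not Content-ID's implementation; the magic-byte table, policy, filenames and sample payloads are constructed). The file type comes from the leading bytes of the content, so a renamed executable is still recognised, and candidate card numbers are validated with the Luhn checksum so that arbitrary 16-digit strings do not trigger the policy.

```python
import re
from typing import List, Tuple

# Constructed subset of well-known file headers (magic bytes).
MAGIC: List[Tuple[bytes, str]] = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar
    (b"MZ", "exe"),           # Windows PE executable
    (b"\x7fELF", "elf"),      # Linux executable
]

# Hypothetical policy: executables may not leave the network.
BLOCKED_TYPES = {"exe", "elf"}


def identify_file_type(payload: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return "unknown"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed SSN pattern (format only; no issuance-rule checks).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, normalised to digits."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def inspect_transfer(filename: str, payload: bytes) -> Tuple[str, List[str]]:
    """Apply the constructed policy to an outbound transfer.
    Returns ('allow' | 'block', reasons)."""
    reasons: List[str] = []
    kind = identify_file_type(payload)
    if kind in BLOCKED_TYPES:
        ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
        reasons.append(f"file type {kind} blocked (extension .{ext} ignored)")
    text = payload.decode("utf-8", errors="ignore")
    for card in find_card_numbers(text):
        reasons.append(f"card number ending {card[-4:]}")   # never log the full PAN
    for _ in find_ssns(text):
        reasons.append("SSN pattern")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed samples: a renamed executable and a text with a test card number.
    print(inspect_transfer("report.pdf", b"MZ\x90\x00" + b"\x00" * 60))
    print(inspect_transfer("notes.txt", b"Card 4111 1111 1111 1111 exp 12/30"))
    print(inspect_transfer("notes.txt", b"Order 1234 5678 9012 3456"))  # fails Luhn
```

The reasons list masks the card number to its last four digits; a DLP log that echoes the full value back out would itself be a leak of the data the policy exists to protect.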
