
TippingPoint Intrusion Prevention System

Quick Overview

TippingPoint History

What We Do
State-of-the-Art Intrusion Prevention Systems
Network-Based Security
Every form of user, device and traffic security possible should be provided from within the network.
Bump-in-the-wire device that classifies traffic and enforces policy-based action: dirty traffic (worms, Trojans, viruses, spyware, DoS) goes in, clean traffic comes out.

Purpose-Built Custom Hardware
  High availability
  Multi-gigabit throughput
  Switch-like latency
  Millions of sessions

Thousands of Filters
  Signatures
  Protocol anomalies
  Vulnerability
  Traffic anomaly

Intelligence Updates
  Digital Vaccine

Automatic Protection
  Applications
  Operating systems
  Clients, servers
  Network performance
  VoIP infrastructure
  Routers, switches

Gartner Magic Quadrant for Network Intrusion Prevention Systems Appliances 1H08
This Magic Quadrant graphic was published by
Gartner, Inc. as part of a larger research note
and should be evaluated in the context of the
entire report. The Gartner report is available
upon request from TippingPoint.
* Magic Quadrant Disclaimer
The Magic Quadrant is copyrighted February 14,
2008 by Gartner, Inc. and is reused with
permission. The Magic Quadrant is a graphical
representation of a marketplace at and for a
specific time period. It depicts Gartner's analysis
of how certain vendors measure against criteria
for that marketplace, as defined by Gartner.
Gartner does not endorse any vendor, product or
service depicted in the Magic Quadrant, and
does not advise technology users to select only
those vendors placed in the Leaders quadrant.
The Magic Quadrant is intended solely as a
research tool, and is not meant to be a specific
guide to action. Gartner disclaims all warranties,
express or implied, with respect to this research,
including any warranties of merchantability or
fitness for a particular purpose.

Source: Gartner (February 2008)


The Magic Quadrant for Network Intrusion Prevention System Appliances, 1H08 was authored by Greg Young and John Pescatore February 14, 2008.

Gartner Magic Quadrant for Network Intrusion Prevention Systems Appliances 1H09
This Magic Quadrant graphic was published by
Gartner, Inc. as part of a larger research note
and should be evaluated in the context of the
entire report. The Gartner report is available
upon request from TippingPoint.
* Magic Quadrant Disclaimer
The Magic Quadrant is copyrighted April 14,
2009 by Gartner, Inc. and is reused with
permission. The Magic Quadrant is a graphical
representation of a marketplace at and for a
specific time period. It depicts Gartner's analysis
of how certain vendors measure against criteria
for that marketplace, as defined by Gartner.
Gartner does not endorse any vendor, product or
service depicted in the Magic Quadrant, and
does not advise technology users to select only
those vendors placed in the Leaders quadrant.
The Magic Quadrant is intended solely as a
research tool, and is not meant to be a specific
guide to action. Gartner disclaims all warranties,
express or implied, with respect to this research,
including any warranties of merchantability or
fitness for a particular purpose.

Source: Gartner (April 2009)


The Magic Quadrant for Network Intrusion Prevention Systems Appliances, 1H09 was authored by Greg Young and John Pescatore April 14, 2009.

Validated and Proven Expertise

NSS Gold Award
TippingPoint's Intrusion Prevention System is the FIRST and ONLY product to win the coveted NSS Gold Award in the IPS space.

Best Security Solution 2005
TippingPoint IPS is the overall winner in the SC Global Awards; over 1,000 products were nominated.

TippingPoint's Blue Chip Customer Base (1)

Automotive

Education

Financial

Government

Media

Healthcare

Retail

Technology

TippingPoint's Blue Chip Customer Base (2)


Food & Bev / Leisure

Transportation

Energy

Service Provider


Biotech/Chemical

Closing the Gap with TippingPoint Intrusion Prevention
In-line, Automated, Evergreen

In-line
  High-performance custom H/W
  5 Gbps throughput
  Switch-like latency
  2M sessions; 250K sessions/sec
  Total flow inspection
  SYN queues
  64K rate shaping

Automated
  Advanced prevention filters
  Highly accurate
  Recommended settings
  Vulnerability, exploit, anomaly, traffic control

Evergreen
  Constant update protection service
  Bi-weekly Digital Vaccine

Attack Prevention (applications)
  PROTECTS: Microsoft applications, operating systems, Oracle applications, Linux O/S, VoIP
  FROM: Worms/walk-in worms, viruses, Trojans, DDoS attacks, internal attacks, unauthorized access, spyware

Infrastructure protection
  PROTECTS: Routers (e.g. Cisco IOS), switches, firewalls (e.g. Netscreen, CheckPoint FW1), VoIP
  FROM: Worms/walk-in worms, viruses, Trojans, DDoS attacks, SYN floods, traffic anomalies

Performance protection
  PROTECTS: Bandwidth, server capacity, mission-critical traffic
  FROM: Peer-to-peer apps, unauthorized IM & other apps, DDoS attacks

Automated Protection: The Full Spectrum

Deployment zones: WAN perimeter, interior network, data center, web infrastructure.

Attack entry point (blended attack scenario): the attacker sends a fake "Microsoft patch" e-mail; an employee clicks the link to the attacker-controlled web site; the site tries to exploit known or zero-day vulnerabilities, dropping in spyware or a key-logger.

Threat spectrum covered:
  Non-targeted attacks: worms, Trojans, DDoS, viruses, spyware
  Targeted infrastructure attacks
  Targeted application attacks
  Spear phishing
  Modern blended / targeted attacks

IPS vs. IDS
Similar on the Surface, Polar Opposites Underneath

Objective
  IPS: In-line, automatic block
  IDS: Out-of-band, human alert

Stability
  IPS priority #1: a crash is catastrophic; the network goes down
  IDS priority #4: a crash is annoying to security analysts, who lose visibility, but has no impact on network or apps

Performance
  IPS priority #2: processing designed for peak network load (Gbps); small memory buffers (microseconds of latency), as required for interior network deployment and application transparency
  IDS priority #3: processing designed for average network loads; large memory buffers absorb traffic bursts, creating seconds to minutes of latency, which is acceptable out-of-band and well within human response time

Accuracy, False Positives
  IPS priority #3: false blocks at Gbps rates across thousands of filters kill applications
  IDS priority #2: burdens security analysts with chasing false alarms

Accuracy, False Negatives
  IPS priority #4: preventing automatic blocking of good traffic trumps failure to detect anomalies
  IDS priority #1: missed anomalies may be missed attacks (information is power)

The fundamental design of an IDS prevents it from ever being an effective in-line, automatic blocking device at Gbps rates.

IPS Priority #2: Performance (ICSA Labs)

Network IPS Development (NIPD) Consortium vendors, test results for Network IPS*:
  TippingPoint   3 Gbps     (84 microseconds latency)
  ISS            350 Mbps   (398 microseconds latency)
  Fortinet       160 Mbps   (375 microseconds latency)
  BroadWeb       100 Mbps   (441 microseconds latency)

* Only 4 out of 13 tested vendors passed certification.

Test results: highest throughput, lowest latency, 100% filter accuracy, depth and breadth of coverage.

IPS Priority #3: Security Accuracy

Term                  Definition
Vulnerability         A security flaw in a software program.
Exploit               A program that takes advantage of a vulnerability to gain unauthorized access or block access to a network element, compute element, O/S, or application.
Exploit Filter        Written only to a specific exploit. Filter developers are often forced to a basic filter design due to engine performance limitations. Impact: missed attacks, false positives and continued vulnerability risk.
Vulnerability Filter  Covers all possible exploits associated with a particular vulnerability.

Figure: the vulnerability fingerprint contains the fingerprints of both Exploit A and Exploit B. A simple Exploit A filter (a coarse signature) matches Exploit A's fingerprint but misses Exploit B's, and the part of the signature that lies outside the vulnerability fingerprint produces false positives. TippingPoint's vulnerability filter acts as a Virtual Software Patch, accurately covering the entire vulnerability.
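The exploit-filter versus vulnerability-filter distinction is easiest to see on a concrete message. The following is an added example, not TippingPoint code and not a Digital Vaccine filter. It assumes a hypothetical line-oriented protocol whose server copies the NAME field into a fixed 64-byte buffer, so any NAME value longer than 64 bytes overflows it; Exploit A, Exploit B, the 64-byte limit, the two benign messages and the three filter functions are all constructed for the illustration. The exploit filter fingerprints one exploit's bytes, the coarse signature is a looser heuristic, and the vulnerability filter re-derives the overflow condition from the protocol itself.

```python
import re
from typing import Callable, Dict

# Hypothetical protocol (assumed for this example): a request is "NAME=<value>"
# and the vulnerable server copies <value> into a fixed 64-byte stack buffer.
BUFFER_SIZE = 64

# Constructed sample traffic. Exploit A and Exploit B trigger the same overflow
# with different filler bytes; the benign messages never exceed the buffer.
EXPLOIT_A = b"NAME=" + b"\x90" * 72 + b"\xeb\xfe"   # NOP sled + stand-in payload
EXPLOIT_B = b"NAME=" + b"A" * 72 + b"\xeb\xfe"      # same bug, no NOP sled
BENIGN_SHORT = b"NAME=alice"
BENIGN_LONG = b"NAME=" + b"A" * 40                  # legal, but looks "suspicious"

SAMPLES = {
    "exploit_a": EXPLOIT_A,
    "exploit_b": EXPLOIT_B,
    "benign_short": BENIGN_SHORT,
    "benign_long": BENIGN_LONG,
}

# Ground truth: which samples actually reach the overflow condition.
TRUTH = {"exploit_a": True, "exploit_b": True,
         "benign_short": False, "benign_long": False}


def exploit_filter(msg: bytes) -> bool:
    """Exploit filter: fingerprints Exploit A's NOP sled. Precise, but blind to B."""
    return b"\x90" * 16 in msg


def coarse_signature(msg: bytes) -> bool:
    """Coarse signature: a 'long run of A' heuristic. Catches B, misses A, and
    false-positives on benign traffic that merely contains the pattern."""
    return re.search(rb"A{32,}", msg) is not None


def vulnerability_filter(msg: bytes) -> bool:
    """Vulnerability filter: check the overflow condition itself (field length
    greater than the buffer), so every exploit of the bug is caught and no legal
    message is blocked. This is what 'virtual software patch' means in practice."""
    if not msg.startswith(b"NAME="):
        return False
    value = msg[len(b"NAME="):]
    return len(value) > BUFFER_SIZE


def evaluate(flt: Callable[[bytes], bool]) -> Dict[str, str]:
    """Classify each sample as TP/FP/FN/TN for one filter."""
    outcome = {(True, True): "TP", (True, False): "FP",
               (False, True): "FN", (False, False): "TN"}
    return {name: outcome[(flt(msg), TRUTH[name])] for name, msg in SAMPLES.items()}


def accuracy(flt: Callable[[bytes], bool]) -> int:
    """Number of samples classified correctly (TP or TN)."""
    return sum(v in ("TP", "TN") for v in evaluate(flt).values())


if __name__ == "__main__":
    for f in (exploit_filter, coarse_signature, vulnerability_filter):
        print(f"{f.__name__:22s} {evaluate(f)}  correct={accuracy(f)}/{len(SAMPLES)}")
```

Running it shows the three outcomes the slide describes: the exploit filter misses Exploit B, the coarse signature misses Exploit A and blocks the long-but-legal message, and only the vulnerability filter is right on all four samples. The practical check when writing any filter is the same: state the vulnerable condition in protocol terms and match that, not the bytes of whichever exploit you happened to see first.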

DVLabs: Industry Leading Security Accuracy, Coverage and Speed

Most comprehensive, accurate and automatic protection service available:
  30 security researchers
  5 QA engineers
  100% focused on IPS filter development
  Unparalleled security and networking expertise
  Digital Vaccine group monitors cyber threats
  Writes the SANS @RISK newsletter prioritizing critical malicious threats

Digital Vaccine Overview

Raw intelligence feeds: vendor advisories, security mailing lists, honeynet activity, underground chatter, TippingPoint Labs research, Zero Day Initiative.

Pipeline: raw intelligence feeds -> vulnerability analysis -> vaccine creation -> Digital Vaccine automatically delivered to customers. The same analysis produces the @RISK weekly report.

Scalable distribution network using Akamai's 9,700 servers in 56 countries.

Intelligence Collaboration

Voice over IP Security Alliance (VOIPSA)

TippingPoint recruited, formed, and launched the first industry group focused on VoIP security (http://www.voipsa.org) on Feb 7th, 2005. TippingPoint chairs the group, a vendor-neutral open organization. VOIPSA's mission is to promote the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.

VOIPSA
Some Current Members include:
Testing Tool Vendors

Agilent
Codenomicon
Spirent Communications

Consultants

Accenture
PriceWaterhouseCoopers
Miercom

Security Vendors/Providers

Borderware
Enterasys Networks
Foundstone
ICSA Labs
InfraVAST
Insightix
Internet Security Systems
nCircle
Qualys
Sonicwall
Sourcefire
Symantec
Tenable Network Security
The SANS Institute
TippingPoint
VeriSign

VoIP Providers

AT&T
Bell Canada
Cable and Wireless
Charter
Cox Communications
Level3
MCI
Qwest
SBC
Sprint
Telcordia
Time Warner
Verizon Communications

VoIP Vendors

3Com
Alcatel
Alltel
Avaya
Acme Packet
Arbor Networks
Enterasys Networks
Extreme Networks
Juniper
Mitel
NetCentrex
Nortel
Samsung Telecommunications America
SecureLogix
Siemens
Uniden

VoIP Attacks: A Slice of VoIP Security Threats

VoIP protocol and application security
  Toll fraud, SPIT, phishing
  Malformed messages (fuzzing)
  INVITE/BYE/CANCEL floods
  Call hijacking
  Call eavesdropping
  Call modification
OS security
  Buffer overflows, worms, denial of service (crash), weak configuration
Supporting service security (web server, database, DHCP)
  SQL injection, DHCP resource exhaustion
Network security (IP, UDP, TCP, etc.)
  SYN flood, ICMP unreachable, trivial flooding attacks, DDoS, etc.
Physical security
  Total call server compromise, reboot, denial of service
Policies and procedures
  Weak voicemail passwords, abuse of long distance privileges
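Two of the protocol-layer threats above, malformed (fuzzed) messages and INVITE floods, are the ones an in-line device can catch by parsing the signalling itself. The following is an added example, not TippingPoint's or VOIPSA's code: a strict parser for the request line and mandatory headers of a SIP request (Via, From, To, Call-ID and CSeq, the RFC 3261 minimum), plus a per-source sliding-window INVITE counter. The 1-second window, the limit of 5 INVITEs, the addresses and every SIP message in the sample are constructed for the illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Minimal subset of RFC 3261: every request must carry these headers.
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}


def parse_sip_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse a SIP request; raise ValueError on anything structurally wrong.
    Refusing malformed input before it reaches the call server is the
    fuzzing defence: the parser never guesses what a broken message meant."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in SIP message") from exc
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0" or parts[0] not in METHODS:
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    return parts[0], headers


class InviteFloodDetector:
    """Sliding-window INVITE counter per source address (thresholds assumed)."""

    def __init__(self, window_seconds: float = 1.0, max_invites: int = 5) -> None:
        self.window = window_seconds
        self.limit = max_invites
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, src_ip: str, ts: float, raw: bytes) -> str:
        """Return 'malformed', 'flood' or 'ok' for one datagram. src_ip is the
        IP-layer source, not the Via header, which the sender controls."""
        try:
            method, _headers = parse_sip_request(raw)
        except ValueError:
            return "malformed"
        if method != "INVITE":
            return "ok"            # BYE/CANCEL floods would get their own counters
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()            # drop INVITEs that fell out of the window
        return "flood" if len(q) > self.limit else "ok"


def sip_request(method: str, call_id: str = "a84b4c76e66710", with_call_id: bool = True) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    lines = [
        f"{method} sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.com>;tag=1928301774",
        "To: <sip:bob@example.com>",
        f"CSeq: 1 {method}",
        "Max-Forwards: 70",
    ]
    if with_call_id:
        lines.append(f"Call-ID: {call_id}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def run_sample() -> List[str]:
    """Feed constructed events (ts, src_ip, datagram) through the detector."""
    det = InviteFloodDetector(window_seconds=1.0, max_invites=5)
    events: List[Tuple[float, str, bytes]] = [
        (0.0, "10.0.0.5", sip_request("INVITE")),                          # normal call
        (0.1, "10.0.0.6", sip_request("INVITE", with_call_id=False)),      # fuzzed: no Call-ID
        (0.2, "10.0.0.6", b"INVITE sip:bob@example.com HTTP/1.1\r\n\r\n"),  # wrong version
        (0.3, "10.0.0.5", sip_request("BYE")),                             # not counted
    ]
    # Seven INVITEs from one source inside 1 s: the 6th and 7th exceed the limit.
    events += [(0.4 + i * 0.05, "10.0.0.7", sip_request("INVITE", call_id=f"c{i}"))
               for i in range(7)]
    # Once the window has slid past the burst, the same source is fine again.
    events.append((2.0, "10.0.0.7", sip_request("INVITE", call_id="late")))
    return [det.observe(src, ts, raw) for ts, src, raw in events]


if __name__ == "__main__":
    print(run_sample())
```

The two checks are deliberately separate: the parser decides whether a message is well-formed at all, and the counter only ever sees messages that parsed. A real deployment would key the flood counter on more than the source address (a spoofed UDP source is trivial) and would also rate-limit BYE and CANCEL, which can tear down calls the attacker never set up.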

Voice over IP Security Alliance


www.voipsa.org

Shameless Plug
We performed research for a book on VoIP Security
coming out in December
We released many new VoIP security tools at the
2006 Black Hat conference in Las Vegas
http://www.hackingvoip.com

Investigation Leadership

Timeline: ZDI portal online at www.zerodayinitiative.com

Zero Day Initiative Quick Statistics
  The Zero Day Initiative was launched in August 2005
  Over 400 registered researchers and growing, from over 35 countries, including 35% from the US, 12% from the UK, 10% from Germany, 8% from Brazil and 8% from Spain
  Over 120 disclosures to date; disclosure details at http://www.zerodayinitiative.com/advisories.html

2006 Microsoft Coverage, Completeness
(Chart: per-vendor coverage of 2006 Microsoft vulnerabilities; bars read 100%, 85%, 77%, 58%, 58%, 33%; vendor names are not in the text.)

2007 Microsoft Coverage
(Chart: per-vendor coverage of 2007 Microsoft vulnerabilities; bars read 98%, 81%, 73%, 62%, 55%, 45%; vendor names are not in the text.)

Microsoft Coverage in 2008 (through January 1, 2009)

Depth of Coverage

Responsiveness of Coverage
  Average response times were calculated only on the vulnerabilities that the vendor covered.
  If an IPS vendor provided protection before a vulnerability was disclosed, this accounted for a negative number of days in its response.
  For example, with MS08-069 we provided DV filter protection on 11/11/2008; Microsoft patched the issue on 12/09/2008. This is approximately a -28 day response for just this one issue.

Manufacturer Recognitions


Digital Vaccine MS Vulnerability Coverage (% of total Microsoft vulnerabilities discovered)

Source: Frost & Sullivan, An Analysis of Vulnerability Discovery and Disclosure 1Q05-3Q06, January 2007

Digital Vaccine Vulnerability Coverage

Source: Frost & Sullivan, An Analysis of Vulnerability Discovery and Disclosure 2008


TippingPoint IPS Product Line

Model                    TippingPoint 10   210E          600E            1200E           2400E           5000E
Inspected throughput     20 Mbps           200 Mbps      600 Mbps        1.2 Gbps        2.0 Gbps        5.0 Gbps
Typical latency          < 500 µs          < 1 ms        < 84 µs         < 84 µs         < 84 µs         < 84 µs
Total sessions           250,000           1,000,000     2,000,000       2,000,000       2,000,000       2,000,000
Connections per second   3,600+            7,500+        92,000          215,000         350,000         350,000
Invalid SYNs/second
  under SYN flood        n/a               150,000       1,170,000       2,344,000       3,000,000       3,000,000
10/100/1000 Ethernet     Four,             Ten,          Eight,          Eight,          Eight,          Eight,
  ports                  copper only       copper only   fiber & copper  fiber & copper  fiber & copper  fiber & copper
Total segments           2                 5             4               4               4               4
Power supply

Scalability

TippingPoint's Core Controller Chassis
  Three 10GbE segments, long range or short range
  24 iLink segments interconnecting to IPSs (48 1 Gbps ports)
  Smart ZPHA modules (optional): Zero Power High Availability bypass
  Dual hot-swappable power supplies
  System health and status panel
  Management ports: 1x 10/100/1000Base-T, RJ-45 console

NEW: TippingPoint Core Controller, True 10 Gbps Intrusion Prevention

The Core Controller carries the 10 Gbps path and distributes traffic over 1 Gbps links to a pool of TippingPoint IPS units deployed N+1; a second Core Controller provides a redundant path to the internal network.
  I/O + throughput = true 10 Gbps IPS
  Reuses proven IPS technology
  Cost-effective scalability
  Ultra-high redundancy: redundant path, N+1 IPS

Comprehensive Service and Support

Professional Services
  Installation & Advanced Implementation Services: comprehensive installation, configuration, and tuning of IPS and SMS security features
  Security Posture Assessments (SPA): comprehensive network security evaluation to identify internal and external infrastructure vulnerabilities, weaknesses, and exposures
  Custom Digital Vaccine (DV): development of local or specialized security filters for a particular geography or environment

Managed Security Services
  Outsource the operations of security monitoring and device management

Training
  Basic, advanced, and expert level training courses delivered globally by experienced subject matter experts

Global Technical Support
  24 x 7 x 365
  Next day ship H/W replacement

Proactive Defense Through Intelligence and Power
  Attacks are detected and blocked at full network speed
  TippingPoint IPS functions as a network patch or virtual software patch
  Attacks are stopped before they can cause damage to your infrastructure

Flexible Deployment, Core to Edge

TippingPoint Digital Vaccine Service with centralized policy and configuration management, deployed against:
  Internal attacks against wired / wireless LAN infrastructure and the data center
  Internal & external attacks against major network segments
  External attacks through the corporate WAN perimeter, web application infrastructure, ROBO, and service provider / partner peering points

Bottom Line: Why TippingPoint is the Chosen Intrusion Prevention System (IPS)

Performance
  ASIC-based architecture
  Fastest IPS on the market (5 Gbps)
  Runs inline with switch-like latency (< 215 microseconds)
  Real-time, in-line throughput at network perimeter and core
Ease of Use & Maintenance
  Appliances are plug-and-play, actively blocking malicious traffic within 15 minutes
  Simple, central management and reporting
  Automatic, continuous Digital Vaccine filter updates
Accuracy
  Protection filters are written by experts
  Protection of infrastructure, applications and performance against a myriad of threats: VoIP | phishing | OS vulnerabilities | DDoS | worms | P2P | spyware | viruses | quarantine
Scalability
  Bandwidths from 50 Mbps to 10 Gbps today
  Centrally manageable, decentrally deployable

Thank You
www.tippingpoint.com
+1 888 TRUE IPS (+1 888 878 3477)
