iPolicy Networks delivers a comprehensive network security solution for protecting enterprise and service provider networks.
Network security enforcement in the past has focused on controlling access to the internal trusted network on the basis of source and destination IP address, type of service (port number) and time of day. This is the core functionality of conventional firewalls, which operate primarily at layers 3 and 4 of the protocol stack.
Threats have evolved. Security threats such as worms, viruses, Trojans, malicious mobile code and blended threats (e.g. Mydoom) operate at the application layer and will pass through traditional firewalls undetected. Some attacks take advantage of open ports, such as port 80 for http/Web communications; others may take the form of protocol anomalies that modify the action of allowed protocols; others may enter in a disguised fashion through email or IM attachments. The result is business disruption, lost productivity, system cleanup and restoration costs, or loss of sensitive digital assets.
The iPolicy Intrusion Prevention Firewall (IPF) builds on the concept of integrated security
by including multiple detection and defense mechanisms, all intrinsically built into a single,
high-performance security platform. Because it operates at high throughput – with peak
performance of up to 4 Gigabits per second – the iPolicy Intrusion Prevention Firewall
can protect networks at high speeds yet be transparent to end users.
The foundation of the Intrusion Prevention Firewall is iPolicy Networks’ patented Single Pass Architecture. In this unique architecture, the firewall performs a deep layer 3 to 7 inspection of each packet only once, then uses a single highly optimized decision tree that is the compilation of the security rules and corrective actions for all the security functions that have been enabled.
The distinctive benefit of this multi-function security architecture is much higher performance compared to implementations in which all security functions execute as separate processes running in parallel. Most competing all-in-one security solutions take a sequential approach: each function sequentially inspects each packet, makes an independent threat assessment, and takes isolated actions. This approach adds latency, and is ineffective against blended threats. In contrast to most such solutions, the performance of the iPolicy Intrusion Prevention Firewall is barely affected as additional security functions are activated.
Another benefit of the iPolicy Networks architecture is substantially enhanced security. This is because the single pass technology provides inherent correlation between the security functions: an IDS detection of a threat can instantly close a firewall port, for example. To implement this feature in competing solutions requires APIs and inter-process communications. Thus, malicious code may have entered the trusted network by the time the firewall port is slammed shut.
Finally, iPolicy Networks’ highly integrated multi-function security architecture lowers acquisition, configuration, management and maintenance costs.
Firewall
The iPolicy Networks Intrusion Prevention Firewall incorporates a high-performance stateful firewall that performs Layer 3-7 deep packet inspection. Packet-based firewalls simply parse packets for the header information without preserving the context information, while a stateful firewall keeps track of individual network connections and thus can be more efficient as it eliminates policy-matching on an individual packet basis. However, as threats have evolved, it no longer suffices to have firewalls which only perform packet header inspections. This is where deep packet inspection firewall technology comes to the fore, by allowing users to define true application-aware policies.
For example, an administrator would like to allow FTP for his partner companies on the shared server hosted in the DMZ, but would like to restrict individual partners to their respective folders.
The iPolicy firewall defense mechanism incorporates a high-speed state classification engine which can store information for up to 1 million connections or concurrent flows. With this feature, the IPF can track dynamic protocol negotiations and analyze the data streams, and can predict and decode related traffic connecting on ephemeral ports. These streams are then inspected in the context of the existing packet flows and their policy rules. The preserved state information from the state engine is subsequently analyzed by the patented Single Pass Deep Packet Inspection engine. This technology provides the benefits of a high-speed application-aware firewall without the limitations of an application proxy or a stateless firewall. From the administrative point of view, the iPolicy firewall defense mechanism enables the security administrator to define user-based policies via easy integration with standard User Databases like Active Directory and RADIUS servers.
When deployed at the perimeter, in transparent or gateway mode, the iPolicy firewall performs both inbound and bidirectional Network Address Translation and Port Address Translation to allow enterprises using RFC 1918 IP addresses to map their traffic to their realm of assigned public addresses. The firewall policies can also be configured for different time intervals to deliver time-based policies.
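As an added illustration (not iPolicy code), the following Python sketch shows the related-connection tracking described above: a stateful table follows an FTP control session, reads the ephemeral port negotiated via a PASV reply or PORT command, and admits only that predicted data flow while dropping unrelated or replayed dials. All addresses and ports are constructed sample values.

```python
import re

# Added illustration (not iPolicy code): a stateful table that follows an FTP
# control session, extracts the ephemeral data port the peers negotiate, and
# admits only that predicted "related" flow. Addresses/ports are constructed.
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _endpoint(m):
    """Turn FTP's six comma-separated numbers into (ip, port)."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))

class StatefulFirewall:
    def __init__(self, control_port=21):
        self.control_port = control_port
        self.established = set()   # (src, sport, dst, dport) 4-tuples seen
        self.expected = {}         # (dst, dport) -> parent control 4-tuple

    def new_connection(self, src, sport, dst, dport):
        """Decide on a new SYN: control and predicted data flows pass, rest drops."""
        key = (src, sport, dst, dport)
        if dport == self.control_port:
            self.established.add(key)
            return "allow"
        if (dst, dport) in self.expected:     # data channel we were told to expect
            del self.expected[(dst, dport)]   # one-shot: a second dial is not related
            self.established.add(key)
            return "allow-related"
        return "drop"

    def control_payload(self, src, sport, dst, dport, text):
        """Inspect control-channel text (either direction); pre-register data flows."""
        key = (src, sport, dst, dport)
        if key not in self.established and (dst, dport, src, sport) not in self.established:
            return False                      # payload on an untracked flow is ignored
        m = PASV_REPLY.search(text) or PORT_CMD.match(text)
        if not m:
            return False
        self.expected[_endpoint(m)] = key
        return True

def demo():
    fw = StatefulFirewall()
    fw.new_connection("198.51.100.7", 40001, "203.0.113.10", 21)   # partner opens control
    fw.control_payload("203.0.113.10", 21, "198.51.100.7", 40001,
                       "227 Entering Passive Mode (203,0,113,10,195,80)\r\n")  # port 50000
    return (fw.new_connection("198.51.100.7", 40002, "203.0.113.10", 50000),  # predicted
            fw.new_connection("198.51.100.7", 40003, "203.0.113.10", 50001),  # unrelated
            fw.new_connection("198.51.100.7", 40004, "203.0.113.10", 50000))  # replay
```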
Intrusion Detection and Prevention
The iPolicy Intrusion Prevention Firewall integrates an Intrusion Prevention and a Detection engine that provide comprehensive, high performance, real-time attack detection and prevention.
iPolicy Networks’ Intrusion Detection System (IDS) utilizes multiple detection techniques to identify attacks to form a comprehensive real-time high-speed detection engine. It employs signature-based detection to identify known network-based attacks. Signatures are the most accurate mechanism for positively identifying exploits and the iPolicy IDS/IPS signature database has over 2500 entries. In addition, an application-aware protocol anomaly engine detects RFC non-compliance type of attacks and a statistical traffic anomaly engine provides the ability to detect suspicious behavior and Distributed Denial of Service (DDoS) attacks. Furthermore, the iPolicy IDS engine overcomes many forms of attack obfuscation, such as attacks spread over several packets, normalization attacks, Unicode encoding, and other tricks used by hackers to foil detection.
The Intrusion Prevention capability builds on the Intrusion Detection by triggering a select set of protective actions when an intrusion or attack is detected. The dynamic nature of the iPolicy Intrusion Prevention Firewall IPS enables the network security administrator to configure proactive real-time responses to attacks. Multiple active response actions can be supported concurrently: silent drop of a malicious packet, reset of session, dynamic firewall configuration to close a port or to disallow all traffic from the offending source IP address for a defined duration, and/or session and bandwidth rate limiting to mitigate DDoS attacks. For monitoring and reporting purposes, the system can do multiple levels of notification such as sending a high severity alarm or simply logging an event.
iPolicy Networks’ default IPS configuration is factory-set to automatically block attacks characterized with unambiguous signatures. Users may configure automated actions for any signature match or attack detection. To minimize false positives, users should first assess their network vulnerabilities and fine-tune intrusion detection to match their network and traffic environment.
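An added example (not iPolicy's engine) tying the detection and response passages above together: a request line split across several TCP segments is reassembled, normalized (repeated percent-decoding and overlong UTF-8 handling) before signature matching, and a match drops the packet and blocks the offending source for a defined duration, after which the block lifts on its own. Signatures, addresses and traffic are constructed sample values.

```python
import time
from urllib.parse import unquote_to_bytes
# Added example (not iPolicy's engine): reassemble a request line spread across
# TCP segments, normalize layered encodings before signature matching, and on a
# match drop the packet and block the source for a bounded time. Constructed data.
SIGNATURES = {"path-traversal": b"../", "null-byte": b"\x00"}
def normalize(url: bytes) -> bytes:
    """Make '..%2f', '..%252f' and the overlong '..%c0%af' all read as '../'."""
    prev = None
    while prev != url:                 # decode until stable: defeats double-encoding
        prev, url = url, unquote_to_bytes(url)
    out, i = bytearray(), 0
    while i < len(url):
        b = url[i]
        # C0/C1 lead bytes can only start an overlong 2-byte form of an ASCII value
        if b in (0xC0, 0xC1) and i + 1 < len(url) and 0x80 <= url[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (url[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

class PreventionEngine:
    def __init__(self, block_seconds=300, clock=time.monotonic):
        self.block_seconds, self.clock = block_seconds, clock
        self.blocked = {}     # source ip -> block expiry (seconds on `clock`)
        self.streams = {}     # source ip -> bytes buffered for the request line

    def is_blocked(self, src):
        if self.blocked.get(src, 0) <= self.clock():   # absent, or duration elapsed
            self.blocked.pop(src, None)
            return False
        return True

    def segment(self, src, data: bytes):
        """Feed one TCP segment from `src`; return the action taken on it."""
        if self.is_blocked(src):
            return "drop-blocked"
        self.streams[src] = buf = self.streams.get(src, b"") + data
        if b"\r\n" not in buf:       # request line still incomplete: keep buffering
            return "pass"
        line = buf.partition(b"\r\n")[0]
        del self.streams[src]
        for name, pattern in SIGNATURES.items():
            if pattern in normalize(line):
                self.blocked[src] = self.clock() + self.block_seconds
                return "drop+block:" + name
        return "pass"
```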
URL Filtering
The URL filtering function allows users to control access to web sites and/or to limit web surfing. The URL filtering engine offers enterprises a flexible, cost-effective and powerful tool for managing Internet access, stopping unwanted content and ensuring a productive work environment.
A system administrator often needs to limit access to certain web sites. Screening may be necessary in order to limit the amount of time that employees spend surfing the Web during business hours as well as to deny access to sites with inappropriate or offensive content, that threaten business productivity or that promote a hostile work environment. More importantly, it provides an effective mechanism for filtering out malicious mobile code as well as for blocking rogue and not-to-be-trusted websites that can download Trojans and spyware programs, creating destructive vulnerabilities in connected networks. The iPolicy URL filtering provides three key business benefits: increased employee productivity, decreased legal liability, and conservation of bandwidth resources.