Cato’s Intrusion Prevention System (IPS) inspects inbound and outbound, WAN and Internet traffic, including SSL traffic. IPS can operate in monitor mode (IDS) with no blocking action taking place. In IDS mode, all traffic is evaluated and security events are generated.
The Cato IPS is comprised of several layers of protection:
Behavioral Signatures: Cato IPS looks for deviation from normal or expected behavior of the system or the user. Normal behavior is identified by using Cato’s big data analytics and our deep traffic visibility across many networks. For example, an outgoing HTTP connection to an unknown URL containing a suspicious TLD. Following research that was conducted by Cato Research Labs, such traffic is likely to be malicious.
Reputation Feeds: Leveraging both in-house and external intelligence feeds, the Cato IPS can detect or prevent inbound or outbound communication with compromised or malicious resources. Cato Research Labs analyzes many different feeds, validates them against traffic in the Cato Cloud, and sanitizes them to reduce false positives before applying them to production customer traffic. Feeds are updated on an hourly basis without any involvement of the customer.
Protocol Validation: Cato IPS validates packet conformance to the protocol, reducing attack surface from exploits using anomalous traffic. Known Vulnerabilities: Cato IPS protects against known CVEs, and rapidly adapts to incorporate new vulnerabilities into the IPS DPI engine. An example of this capability is how Cato IPS blocks the Eternal-Blue exploit used extensively to spread ransomware within organizations.
Malware Communication: Cato IPS can stop outbound traffic to C&C servers based on reputation feeds, and network behavioral analysis.
Geolocation: Cato IPS enforces a customer-specific geo-protection policy, optionally stopping traffic based on the source and/or destination country.
Network Behavioural Analysis: Cato IPS can detect and prevent inbound/outbound network scans.