IPS(Intrusion Prevention System(IPS)
1. IPS should be available as a plug-n-play appliance.
2. Should supports open source as the underlying operating system (not a proprietary
3. Monitoring interfaces should operate at layer 2, thus requiring no IP address or network
4. To get layered approach to security firewall and IPS should be of different brands
5. The appliance should have Layer 7 inspected throughput of 200 Mbps
6. Should not induce Latency into the Network more than 150 microseconds
7. The appliance monitors upto 1 inline segment and has 2 10/100/1000 monitoring
interfaces for the same.
8. IPS should have 21,000 new connections per second.
9. IPS should have 1, 200,000 concurrent sessions.
10. The appliance should have separate dedicated 10/100/1000 Mbps interface for
management console. None of the monitoring ports should be used for this purpose.
11. The IPS should be deployable in the following modes: Passive or IDS mode,Inline
Protection Inline Simulation
12. IPS vendor should have its own original threat intelligence analysis center and is not
overly dependent on information available in the public domain.
13. IPS should detect and block all known, high risk exploits along with their underlying
vulnerability (not just one exploit of that vulnerability).
14. IPS should detect and block zero-day attacks without requiring an update.
15. IPS should employ full seven-layer protocol analysis of over 190 internet protocols
and data file format.
16. IPS should operate effectively and protect against high risk, high impact malicious
traffic via default out of box configuration, should be able to block more than 1100 attacks
17. IPS should perform stateful packet inspection
18. IPS should detect and block malicious web traffic on any port.
19. Should support TCP stream reassembly.
20. Should support IP defragmentation.
21. Should support Protocol anomaly detection
22. Should support Bi- directional inspection
23. Should detect attacks within protocols independent of port used
24. Should support behavioral heuristics to detect security threat
25. Should support Shell Code Heuristic
26. Should support RFC Compliance
27. Should support protocol tunneling
28. IPS should do attack recognition inside IPv6 encapsulated packets
29. IPS should do active blocking of traffic based on pre-defined rules to thwart attacks
before any damage is done.
30. Accurately detects intrusion attempts and discerns between the various types and risk
levels including unauthorized access attempts, pre-attack probes,suspicious activity, DoS,
DDoS, vulnerability exploitation, brute force,hybrids, and zero-day attacks.
31. Allows full policy configuration and IPS sensor control via encrypted communications
with remote management system.
32. Can enable/disable each individual signature.
33. Each signature should allow granular tuning.
34. Supports assigning of ports to custom applications.
35. Filters traffic based on IP address or network range, protocol, and service in support
of organizational security policy to allow/disallow specific types of activity between hosts.
36. Should support Active/Passive and Active/Active for the appliance, the HA should be
out of the box solution and should not requires any third party or additional software for
37. HA solution should support High Protection that is should maintain state such that
there is no gap in protection during failure of one of the appliances.
38. IPS should fail open in case of power, software or hardware failure when deployed in
stand alone mode.
39. IPS should notify console of unit interruption. The console should receive alert and/or
provide additional notification to administrator should any component become non-
operational or experience a communications problem.
40. IPS should have built in ticketing system.
41. IPS should inspect and block unwanted PII and sensitive content disclosure across
multiple protocols. The IPS should have inbuilt signatures for this purpose
42. IPS management and reporting solution which shall be available in both options of
purpose built appliance and software.
43. IPS Management console should support high availability.
44. IPS should support granular management. Should allow policy to be assigned per
device, port ,VLAN tag, IP address/range
45. IPS centralized management console should manage all the products network,host
and Vulnerability Assessment solutions.
46. Management Console should be able to integrate and correlate with vulnerability
assessment solution of the same brand.
47. IPS should offer variety of built-in responses including console alerts,database
logging, email notifications, SNMP traps, offending packet captures,and packet captures.
48. IPS should offer Includes built-in reports. The console should be capable of producing
graphical metrics and time-based comparison reporting.
49. IPS vendor should have 24/7 security service update and should support real time
50. IPS vendor product models should have been tested/ certified for NSS, Tolly tested