No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of IPS

Overview of IPS


An intrusion prevention system (IPS) is a security mechanism. IPS detects intrusion behaviors (such as buffer overflow attacks, Trojan horses, and worms) by analyzing network traffic, and terminates the intrusion behaviors in real time through certain response methods. This protects enterprise information systems and network architectures against intrusions.


With the network development, increasing new applications bring more conveniences to people's network life, but also cause more security risks. When users access the Internet, worms, Trojan horses, and other viruses may be introduced accidentally from the Internet and cause confidential data leakage and huge losses to enterprises. Therefore, traffic contents must be identified and monitored in enterprises' network security management on the basis of controlling traffic sources and destinations.

IPS can prevent attacks or intrusions at the application layer such as buffer overflow attacks, Trojan horses, and worms.


Intrusion prevention on the NGFW detects and automatically discards the intrusion packets or blocks the attack sources. Intrusion prevention on the NGFW has the following benefits:
  • Real-time attack blocking: Deployed in in-line mode, the NGFW blocks the attack traffic in real time.
  • In-depth protection: The NGFW examines the application-layer contents of packets, reassembles packets to analyze the protocols and detect threats, and blocks the attack packets based on the attack type and policy.
  • All-round protection: Intrusion prevention defends against such attacks as worms, viruses, Trojan horses, botnets, spyware, adware, Common Gateway Interface (CGI), cross-site scripting, injection, directory traversal, information leaks, remote file inclusion, overflow, code execution, denial of service, scanning, and backdoors.
  • Internal and external prevention: Intrusion prevention on the NGFW protects the intranet against both internal and external attacks. The system detects traffic that passes through, protecting both servers and clients.
  • Constant update for up-to-date protection: The intrusion prevention signature database is constantly updated to identify the latest threats. You can periodically update the signature database from the update center.

Difference from the IDS

Intrusion Detection System (IDS) detects abnormal traffic and suspicious traffic, generates alarms to notify the administrator of the network condition, and provides solutions accordingly. The IDS is a security function for risk management. Compared with the IDS, intrusion prevention not only detects attacks and malicious behavior to networks and data but also quickly terminates them. It is a security function for risk control.

Intrusion prevention provides advanced defense functions based on the traditional IDS.

  • The IDS cannot defend against application-layer attacks, whereas the intrusion prevention device can.

    The IDS has high false negative and false positive ratios and generates a considerable number of logs and alarms, making it difficult to locate real attacks. The intrusion prevention device can remove outer layers of packets, identify protocols, resolve packets, classify the resolved packets, and match the packets with signatures to ensure the detection accuracy.

  • The IDS device can detect attacks, but cannot prevent them. To prevent attacks, the IDS device must interwork with a firewall.

    However, the intrusion prevention device can detect and block attacks. When detecting any attack, the intrusion prevention device automatically discards the attack packets or blocks the attack source.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 128246

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next