Powerful Intrusion Prevention
IPS analyzes network traffic to detect intrusions (such as buffer overflow attacks, Trojan horses, worms, and botnets) and provides protection for information systems and networks, as shown in Figure 12.23.
FIGURE 12.22 Firewall security policies.
The firewall detects attacks or intrusions at the application layer by monitoring or analyzing system events, and terminates intrusion behaviors in real time using the following measures:
1. Specific protection measures for various traffic types.
The administrator can define security policies for various traffic types, implementing protection at different levels based on network environments.
2. In-depth inspection on application-layer packets.
The firewall maintains a constantly updated application signature database and performs in-depth packet inspection on the traffic flows from thousands of applications in order to detect attacks and intrusions. Based on application-specific security policies, the firewall takes the corresponding action on traffic flows from each application, so administrators can deploy the intrusion prevention function flexibly.
3. Threat detection on IP fragments and out-of-order TCP flows.
Certain attacks use IP packet fragments and out-of-order TCP packets to evade threat detection. To address this problem, the firewall reassembles the IP fragments into packets, or rearranges out-of-order packets, before performing threat detection.
4. Large-capacity signature database and user-defined signatures.
The firewall’s predefined signature database can identify thousands of application-layer attacks, while the constant update of the database ensures that application identification and attack defense capabilities are current. The administrator can define signatures based on traffic information to further enhance the firewall’s intrusion prevention function.
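To illustrate measure 3 above, here is an added toy model (not vendor code) of why an IPS must reassemble fragments and reorder TCP segments before signature matching: a constructed signature string split across two out-of-order segments is missed when each segment is inspected in isolation, but found once the stream is rebuilt. The signature name and sample payload are constructed for the example.

```python
"""Toy model: signature matching before vs. after stream reassembly.
Constructed example for illustration, not an IPS implementation."""
from dataclasses import dataclass


@dataclass
class Segment:
    offset: int     # byte offset of this segment within the stream/datagram
    payload: bytes


# Constructed signature; "EVIL-MARKER" is a placeholder, not a real attack pattern.
SIGNATURES = {"demo-marker": b"EVIL-MARKER"}


def match_per_segment(segments):
    """Naive inspection: each segment is matched on its own, in arrival order."""
    hits = set()
    for seg in segments:
        for name, pattern in SIGNATURES.items():
            if pattern in seg.payload:
                hits.add(name)
    return hits


def reassemble(segments):
    """Order segments by offset and rebuild the original byte stream.
    Gaps and overlaps are reported instead of being guessed at."""
    buf = bytearray()
    for seg in sorted(segments, key=lambda s: s.offset):
        if seg.offset != len(buf):
            raise ValueError(f"gap or overlap at offset {seg.offset}")
        buf += seg.payload
    return bytes(buf)


def match_after_reassembly(segments):
    """Inspection the way the text describes: reassemble first, then match."""
    stream = reassemble(segments)
    return {name for name, pattern in SIGNATURES.items() if pattern in stream}


# Constructed sample: the marker straddles two segments that also arrive
# out of order, mimicking the evasion technique the text describes.
SAMPLE = [
    Segment(13, b"MARKER and more data"),
    Segment(0, b"GET /?q=EVIL-"),
]

if __name__ == "__main__":
    print("per-segment :", match_per_segment(SAMPLE))       # set()
    print("reassembled :", match_after_reassembly(SAMPLE))  # {'demo-marker'}
```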
Refined Traffic Management
While network services continue to develop rapidly, the amount of available network bandwidth is limited. If required, resources can be managed to ensure sufficient bandwidth for high-priority services while reducing that used by low-priority services.
The following problems may be encountered during network bandwidth management:
• Most bandwidth is consumed by the many connections established to transmit P2P traffic.
• Common hosts cannot access services provided by enterprises due to DDoS attacks.
• Stable bandwidth or connection resources cannot be guaranteed for specific services.
• Traffic overloads deteriorate device performance and user experience.
To address these problems, firewalls provide the following traffic management solutions:
• Bandwidth and connection resources are allocated based on IP addresses, users, applications, and time to reduce the bandwidth consumed by P2P traffic and grant specific users P2P download permissions.
• Limits are placed on bandwidth based on security zones (through bandwidth management) or interfaces (through QoS) to protect intranet servers and network devices from DDoS attacks.
• Powerful application identification capabilities enable firewalls to implement refined bandwidth management and allocate specific maximum bandwidths to applications as needed.
Firewalls flexibly allocate bandwidth based on traffic policies and profiles, with each traffic profile specifying a range of available bandwidth or connection resources. Each traffic policy assigns a profile to a specific traffic type. There are two bandwidth allocation methods:
• Multiple traffic policies share one traffic profile. Traffic flows that match existing traffic policies will preempt the bandwidth and connection resources defined in the traffic profile to improve the efficiency of network resources. The maximum per-IP or per-user bandwidth can also be set, preventing network congestion or bandwidth exhaustion by certain hosts.
• One traffic policy exclusively uses one traffic profile. This method guarantees bandwidth for high-priority services or hosts.