Severity Levels of IPS Protections
At least one of the following points should be true for an IPS Protection's severity level to be defined as low, medium, high, or critical.
Critical
- Vulnerability may lead to remote code execution or administrative level compromise and may affect network infrastructure.
- The vulnerable software is from a major enterprise vendor.
- An exploit for the vulnerability exists.
- The vulnerability is unpatched at the time the protection is released.
- The vulnerable application or protocol is very common in corporate environments.
High
- Vulnerability may lead to non-privileged remote code execution.
- Vulnerability may affect important company assets.
- Vulnerability can be easily exploited.
- The vulnerable software is significantly deployed in corporate environments.
Medium
- Vulnerability may lead to denial of service.
- Vulnerability exists in a general availability release of the product.
- Vulnerability exists in the default configuration of the product.
- The vulnerable software is partially deployed in some enterprises
Low
- Vulnerability may lead to information disclosure.
- Vulnerability impact can be easily contained or mitigated.
- Vulnerability exists only in customized configurations of the product.
- Exploit code and vulnerability details are not widely available.
- The vulnerability is already patched when the protection is released.
- There is no apparent way to create an effective exploit.
- The vulnerable software is only moderately deployed.
In addition, a protection's severity level can be raised to fit one or more of the following parameters:
- Severity of the exploit according to its CVSS score
- Severity rating of the vulnerability according to the vendor
- Severity rating of the vulnerability according to the entity that discovered it
Severity Levels of Anti-Virus and Anti-Bot Protections
Severity is currently only set to distinguish between adware (assigned low severity) and malware (assigned medium or high severity).
Performance of Protections
The performance impact is derived from the complexity of the protection and the amount of traffic inspected due to the nature of the traffic blend. For example, HTTP has a large amount of traffic, Telnet very little.
At least one of the following points should be true for a Protection to be defined as very low, low, medium, high, or critical.
- Very Low (not relevant to Anti-Bot)
- All protections that do not cause any performance degradation.
- New protections are not added to this category without performance tests.
- Low
- All simple signatures over any protocol that have unique traffic patterns.
- Medium
- ALL HTTP Client protections that use complex detection logic.
- All protocol parsers that perform protocol anomaly over PSL.
- All signatures executed on HTTP responses.
- High
- Protections that are executed on all ports.
- Performs extremely heavy and complex detection logic. For example, decoding of RC4 encryption.
- Critical
- Requires deep inspection of a significant portion of the traffic
Confidence of Protections
Confidence levels are the same across all threat prevention blades:
- Low: Protections that can produce false positive events in high probability.
- Medium: Protections that produce false positive events in low probability.
- High: Protections that are reliable in detecting attacks and do not produce any false positives.
|
Category
Number
|
Severity |
Performance Impact |
Confidence Level |
| 0 |
|
Not Available |
N/A |
| 1 |
Very Low |
Very Low |
Low |
| 2 |
Low |
Low |
Low-Medium |
| 3 |
Medium |
Medium |
Medium |
| 4 |
High |
High |
Medium-High |
| 5 |
Critical |
Critical |
High |
