7.1. IPS/IDS

IPS/IDS is a service that detects and blocks unauthorized access and cyber-attacks.

Note

  • IPS/IDS is used via Service Interconnectivity. You need to apply separately for Service Interconnectivity.

7.1.1. Available Features

The following features are available for IPS/IDS.

Feature    Overview
IPS/IDS    Detects and blocks unauthorized access and cyber-attacks against Virtual Machines.

7.1.2. IPS/IDS Feature

You can choose either IPS mode or IDS mode.

Mode   Overview
IPS    Unauthorized access and cyber-attacks are detected, and the detected traffic is blocked.
IDS    Unauthorized access and cyber-attacks are detected, but the traffic is not blocked; detections are only recorded and reported.

Note

  • If NTT Communications judges it necessary, you will be notified by email or other means of the detection and blocking status (blocking notifications are sent only in IPS mode).
Routing Settings
Only traffic that actually passes through IPS/IDS is inspected; traffic that reaches a Virtual Machine by any other path is neither detected nor blocked. When you use IPS/IDS, configure routing as follows.
[Figure: routing between vFirewall/Integrated Network Appliance, the Service Interconnect Gateway used for IPS/IDS, and the Server Segment targeted for detection]
  • On the vFirewall/Integrated Network Appliance, route traffic addressed to the Server Segments targeted for detection to the Service Interconnect Gateway used for IPS/IDS.
  • On each Virtual Machine on a Server Segment targeted for detection, route the Virtual Machine's outbound traffic to the Service Interconnect Gateway used for IPS/IDS, so that both directions pass through IPS/IDS.
  • If you perform Ping monitoring of the Virtual Machine, you need an additional Server Segment that directly connects the vFirewall/Integrated Network Appliance and the Virtual Machine; traffic on that segment does not pass through IPS/IDS.

Note

  • Do not connect the Server Segments targeted for detection directly to the vFirewall/Integrated Network Appliance; a direct connection gives traffic a path that bypasses IPS/IDS.
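The two routing rules above and the warning about direct connections can be checked mechanically. The following is an added example, not NTT Communications' code or configuration: a small longest-prefix-match routing simulator with hypothetical node names (vfw, sig-ips, vm) and constructed addresses. It traces a packet hop by hop and reports whether the path transits the Service Interconnect Gateway used for IPS/IDS, both for the recommended layout and for the layout the Note warns against.

```python
"""Added example (not NTT Communications' code): a routing simulator that checks
whether traffic between the vFirewall/Integrated Network Appliance and a Server
Segment targeted for detection actually transits the Service Interconnect
Gateway used for IPS/IDS.  Node names and addresses are hypothetical."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (CIDR prefix, next-hop node).  next_hop None means the prefix is a
# network attached to this node, so the packet is delivered from here without
# transiting any further node (and therefore without passing through IPS/IDS).
Route = Tuple[str, Optional[str]]
Tables = Dict[str, List[Route]]

VFW, SIG_IPS, VM = "vfw", "sig-ips", "vm"   # hypothetical node names
PROTECTED = "10.10.0.0/24"   # Server Segment targeted for detection (constructed)
MONITOR = "10.10.99.0/24"    # additional segment for Ping monitoring (constructed)
ANY = "0.0.0.0/0"

# Recommended layout: both directions hairpin through the Service Interconnect Gateway.
GOOD: Tables = {
    VFW:     [(ANY, None), (PROTECTED, SIG_IPS), (MONITOR, None)],
    SIG_IPS: [(PROTECTED, VM), (ANY, VFW)],
    VM:      [(PROTECTED, None), (MONITOR, None), (ANY, SIG_IPS)],
}

# The layout the Note warns against: the protected segment is connected directly
# to the vFirewall as well, and the VM's default route points straight at it.
BAD: Tables = {
    VFW:     [(ANY, None), (PROTECTED, None)],
    SIG_IPS: [(PROTECTED, VM), (ANY, VFW)],
    VM:      [(PROTECTED, None), (ANY, VFW)],
}


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    """Longest-prefix match, as a router performs it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables: Tables, src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Return the nodes a packet from src visits, ending at the node that delivers it."""
    path, node = [src], src
    for _ in range(max_hops):
        hit = lookup(tables[node], dst)
        if hit is None:
            raise ValueError(f"{node}: no route to {dst}")
        next_hop = hit[1]
        if next_hop is None:          # attached network: delivered from this node
            return path
        node = next_hop
        path.append(node)
    raise ValueError(f"routing loop or path longer than {max_hops} hops")


def inspected(tables: Tables, src: str, dst: str) -> bool:
    """True only if the path transits the IPS/IDS hop."""
    return SIG_IPS in trace(tables, src, dst)


def audit(tables: Tables) -> Dict[str, bool]:
    """Check both directions for the protected segment, plus the monitoring segment."""
    return {
        "inbound to protected VM": inspected(tables, VFW, "10.10.0.5"),
        "outbound from protected VM": inspected(tables, VM, "203.0.113.10"),
        "ping to monitoring address": inspected(tables, VFW, "10.10.99.5"),
    }


if __name__ == "__main__":
    for name, tables in (("recommended layout", GOOD), ("direct connection", BAD)):
        print(name, audit(tables))
```

Running it shows that in the recommended layout both inbound and outbound traffic for the protected segment transit sig-ips, while the Ping-monitoring segment is direct by design and therefore uninspected, which is why nothing other than the monitoring address should live on it. In the direct-connection layout both directions bypass IPS/IDS entirely even though the gateway is still present in the topology.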
Analysis Capacity
The traffic volume that can be analyzed by IPS/IDS is shown below.

Item                           Per service   Maximum (5 services)   Remarks
Traffic processing capacity    200 Mbps      1 Gbps                 Total of uplink and downlink.
Number of concurrent sessions  40,000        200,000                Sessions connected simultaneously.

Note

  • You can increase capacity up to 1 Gbps and 200,000 sessions (with 5 services) by applying for additional services. When using more than two services, please contact the relevant NTT Communications affiliate beforehand.
IPS Mode Simulation
Simulation is a tuning period that improves the accuracy with which IPS mode detects and blocks unauthorized access and cyber-attacks. You choose whether to run a simulation when you apply for IPS/IDS. We recommend it, because it reduces false positives before blocking takes effect.
If simulation is selected, a simulation period of approximately 1 to 4 weeks is set from the time you start using IPS mode. During this period, unauthorized access and attack traffic is only detected, not blocked. After the simulation period, review the traffic that IPS/IDS flagged as targeted for blocking and confirm whether any of it is legitimate traffic. The IPS/IDS settings are then adjusted based on the results of your review.

7.1.3. Important Points

Used IP Addresses
  • Two IP address blocks must be available to connect the Service Interconnect Gateway with IPS/IDS. If an IP address block is already in use, we may ask you to change it.
  • NTT Communications manages the assigned IP address blocks and assigns IP addresses to the devices that require them.
Restrictions
  • When the actual traffic volume exceeds the contracted traffic volume, the excess traffic may be discarded.

  • Encrypted communication (for example, TLS) is not inspected, so attacks carried inside encrypted sessions are neither detected nor blocked.

  • Packets that break TCP/UDP/IP protocol rules, or are otherwise abnormal, are discarded as a standard function regardless of your configuration.

    (Examples)

    • The IP header is cut off partway through
    • The port number is 0 (zero)
    • The TCP flag combination is abnormal, and others
  • If a device making up this feature is replaced because of a malfunction or similar, device logs and event reports from before the replacement can no longer be viewed via the Security Web Portal. Likewise, if a redundantly configured device switches from the active server to the standby server and is restored without being replaced, the logs and event reports for the period during which the switchover occurred cannot be viewed via the Security Web Portal.

  • IPS/IDS does not guarantee that the IPS/IDS feature is complete, accurate or suitable for your use. Furthermore, the suitability of the unauthorized-access/attack traffic detection algorithms provided by the developers or distributors of the devices making up the IPS/IDS feature is not guaranteed.

  • The following information might be provided to the developers or distributors of the devices making up the IPS/IDS feature.

    • Configuration information obtained from providing IPS/IDS
    • Information concerning controls etc. for IPS/IDS
  • We cannot guarantee recovery from failures caused by incompatibility between IPS/IDS and your environment, or by operations on your part other than those specified by NTT Communications.

  • Maintenance work may affect your environment. Advance notice is sent when effects on your environment are possible, except when we judge the maintenance urgent for continuing the service.
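As an illustration of the protocol-rule restriction above (packets with a truncated IP header, a port number of 0, or an abnormal TCP flag combination are discarded regardless of configuration), the following is an added example, not the appliance's own logic: a minimal IPv4/TCP/UDP sanity checker in Python run over constructed sample packets. The set of TCP flag combinations it treats as abnormal (null, SYN+FIN, SYN+RST, FIN without ACK) is a typical one chosen for this example; the page does not document the exact set the appliance enforces, which is why it says "and others".

```python
"""Added example (not NTT Communications' or the appliance vendor's code): a
minimal IPv4/TCP/UDP sanity check reproducing the kinds of protocol-rule
violation the page lists as always discarded.  The abnormal TCP flag set below
is a typical choice for this example, not the appliance's documented set.
All sample packets are constructed here."""
import socket
import struct
from typing import List

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ipv4_packet(proto: int, l4: bytes, src: str = "192.0.2.10", dst: str = "10.10.0.5") -> bytes:
    """20-byte IPv4 header (no options; checksum left 0 and not checked here) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header with no options (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def udp_header(sport: int, dport: int) -> bytes:
    """8-byte UDP header with an empty payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def validate(pkt: bytes) -> List[str]:
    """Return the protocol-rule violations found; an empty list means the packet passes."""
    if len(pkt) < 20:
        return [f"IP header truncated: only {len(pkt)} bytes"]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return [f"not IPv4 (version {version})"]
    if ihl < 20 or len(pkt) < ihl:
        return [f"IP header truncated: IHL claims {ihl} bytes, packet has {len(pkt)}"]
    problems: List[str] = []
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        problems.append(f"IP total length {total_len} inconsistent with packet size {len(pkt)}")
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 6:                                   # TCP
        if len(l4) < 20:
            return problems + ["TCP header truncated"]
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]
        if flags == 0:
            problems.append("TCP null flags")
        if flags & SYN and flags & FIN:
            problems.append("TCP SYN+FIN")
        if flags & SYN and flags & RST:
            problems.append("TCP SYN+RST")
        if flags & FIN and not flags & ACK:
            problems.append("TCP FIN without ACK")
    elif proto == 17:                                # UDP
        if len(l4) < 8:
            return problems + ["UDP header truncated"]
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        return problems                              # other protocols: no port rule applies
    if sport == 0 or dport == 0:
        problems.append(f"port 0 (source {sport}, destination {dport})")
    return problems


def would_drop(pkt: bytes) -> bool:
    """The appliance's standard behaviour on any violation: discard."""
    return bool(validate(pkt))


# Constructed samples
GOOD_SYN      = ipv4_packet(6, tcp_header(40000, 443, SYN))
GOOD_FIN_ACK  = ipv4_packet(6, tcp_header(40000, 443, FIN | ACK))
CUT_SHORT     = GOOD_SYN[:12]                       # IP header cut off in the middle
IHL_OVERRUN   = bytes([0x46]) + GOOD_SYN[1:20]      # IHL claims 24 bytes, only 20 present
UDP_PORT_ZERO = ipv4_packet(17, udp_header(53, 0))  # destination port 0
SYN_FIN       = ipv4_packet(6, tcp_header(40000, 22, SYN | FIN))

if __name__ == "__main__":
    for name, pkt in (("good SYN", GOOD_SYN), ("good FIN+ACK", GOOD_FIN_ACK), ("cut short", CUT_SHORT),
                      ("IHL overrun", IHL_OVERRUN), ("UDP port 0", UDP_PORT_ZERO), ("SYN+FIN", SYN_FIN)):
        print(f"{name:13} drop={would_drop(pkt)!s:5} {validate(pkt)}")
```

Because these drops are applied regardless of your configuration, a legitimate but non-compliant sender (a scanner, or a broken TCP stack) loses its packets silently; when troubleshooting connectivity through IPS/IDS, rule this out on the sender's side first.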