Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
A 1U appliance, 10 Gbps line rate, that drops in inline at perimeter or core. Reputation-based blocking on the wire, sub-ms, autonomous. Syslog forwarding to your existing SIEM. The hardware is the answer when cloud-native is not.
For the network architect whose datacenter is not going to AWS in this budget cycle, but whose outbound C2 problem is.
The appliance sits inline at perimeter or core. Reputation-flagged connections terminate at sub-ms. Everything else passes through unchanged. Syslog forwarding for SIEM ingestion is configured per deployment. No appliance trade-off between throughput and decision speed.
10 Gbps inline throughput per appliance. Sub-ms decision latency. Autonomous, no human in the loop. For higher cumulative throughput, deploy multiple appliances rather than oversubscribing.
Deploy on a SPAN port for Observe Mode validation. Log every decision without enforcing. Validate the policy against your environment, then move inline.
Forward blocked event records via Syslog for SIEM ingestion and long-term retention. Configured per deployment. The path to your existing SIEM is built in.
| Specification | Detail |
|---|---|
| Deployment | 1U rack-mount appliance |
| Throughput | 10 Gbps line rate per appliance |
| Decision latency | Sub-ms reputation lookup and decision |
| Threat intelligence | 8.5 billion IP and DNS records, built since 2001 |
| Modes | Inline enforcement; Observe Mode on SPAN port |
| Placement | Inline at perimeter or core; SPAN for Observe Mode |
| Console | Command Hub (web console) |
| Evidence retention | 72 hours on-platform; Syslog forwarding for long-term |
| SIEM integration | Syslog forwarding |
| Export | CSV and Excel from Command Hub |
Inline at the perimeter between core router and edge firewall. Blocks outbound C2 before it leaves the network.
Inline at the core for control between segments. Catches reputation-flagged lateral traffic.
Start on a SPAN port in Observe Mode. Validate the policy against real traffic. Move inline once validated.
For environments where cloud-native enforcement is not an option. Hardware appliance, no cloud dependency.
The list, in plain English.
Switch between platforms without going back to the overview.
7 to 14 day POV. SPAN port validation, then inline enforcement.
RECOMMENDED NEXT STEP