McAfee M-1250 Deployment Guide - Page 23

McAfee® Network Security Platform 6.0
Sensor Deployment Modes

Note: Sensors are configured by default to run in in-line mode.

When running in in-line mode, network segments are connected to two matched ports of the Sensor (for example, ports 1A and 1B), and packets are examined in real time as they pass through the Sensor. The benefits to using Sensors in in-line mode are:

Protection/Prevention. Prevention is a feature unique to in-line mode. If you're running in any "sniffing" mode, there is no way for the IPS to prevent malicious packets from reaching their intended target: in a sniffing mode, the Sensor sees the attack at the same time it hits the target. You can apply some countermeasures, like TCP Resets, but these are post-detection actions. The only way to prevent the malicious packets from reaching the target is to mediate the traffic flow. When running in-line, the Sensor can drop malicious packets and not pass them through the network. This acts like an "adaptive firewall," with your detection policy dictating what is dropped. Furthermore, when dropping packets, Network Security Platform is very precise and granular. The Sensor can drop only those packets it identifies as malicious, or all of the packets related to that flow (a choice that is user configurable).

One of the problems with using firewall reconfiguration actions with current IDS products is that an attacker can spoof large address ranges and mislead you into blocking legitimate traffic with the firewall, creating your own denial of service condition. Network Security Platform only drops the malicious packets, so spoofed traffic doesn't have the same effect.

Packet "scrubbing." In addition to dropping malicious traffic, Network Security Platform can scrub—or normalize—traffic to take out any ambiguities in protocols that the attacker may be using to try to evade detection. Current IDS products are susceptible to these techniques; an example is IP fragment and TCP segment overlaps, where two packets carry conflicting data for the same byte range. The Sensor can reassemble the IP fragments and TCP segments and enforce a reassembly mode of the user's choice to accept either the old or the new data.
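To make the overlap ambiguity concrete, here is an added example (not McAfee code, and not taken from this guide) that models TCP segment reassembly under the two policies the text names, "old" (first data received wins) and "new" (later data overwrites). The flow, the segment offsets and the byte values are constructed; the scrub() function is one possible normalization, rewriting any overlapping bytes to the values already forwarded so that a downstream host reconstructs exactly the stream the sensor inspected, whichever policy that host happens to use.

```python
"""Overlapping TCP segment reassembly and scrubbing (constructed example)."""
from typing import Iterable, List, Tuple

# A segment is (offset relative to the start of the stream, payload bytes),
# recorded in arrival order as a reassembly engine would see them.
Segment = Tuple[int, bytes]


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly overlapping segments.

    policy == "old": the first byte received for an offset is kept.
    policy == "new": a later segment overwrites earlier data at the same offset.
    Unfilled gaps are left as zero bytes (a placeholder for this example).
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    buf = bytearray()
    filled = bytearray()  # 1 at each offset that already holds data
    for offset, data in segments:
        end = offset + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "new" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    return bytes(buf)


def is_ambiguous(segments: List[Segment]) -> bool:
    """True when the two reassembly policies would yield different streams,
    i.e. when an end host and a sniffing IDS could disagree on the payload."""
    return reassemble(segments, "old") != reassemble(segments, "new")


def scrub(segments: Iterable[Segment]) -> List[Segment]:
    """Normalize an in-line flow so overlaps carry no conflicting data.

    Any byte that overlaps data already forwarded is rewritten to the
    forwarded value (the "old" choice).  The segment count and offsets are
    preserved, so the receiver's TCP state is unaffected, but every policy now
    reassembles the output to the same stream the sensor inspected.
    """
    forwarded = bytearray()
    filled = bytearray()
    out: List[Segment] = []
    for offset, data in segments:
        end = offset + len(data)
        if end > len(forwarded):
            forwarded.extend(bytes(end - len(forwarded)))
            filled.extend(bytes(end - len(filled)))
        clean = bytearray(data)
        for i, byte in enumerate(data):
            pos = offset + i
            if filled[pos]:
                clean[i] = forwarded[pos]  # conflict: keep what was already sent
            else:
                forwarded[pos] = byte
                filled[pos] = 1
        out.append((offset, bytes(clean)))
    return out


# Constructed flow: the third segment fully overlaps the second with different data.
AMBIGUOUS_FLOW: List[Segment] = [(0, b"HELLO "), (6, b"WORLD"), (6, b"THERE")]

if __name__ == "__main__":
    print("old policy:", reassemble(AMBIGUOUS_FLOW, "old"))
    print("new policy:", reassemble(AMBIGUOUS_FLOW, "new"))
    cleaned = scrub(AMBIGUOUS_FLOW)
    print("after scrub, old:", reassemble(cleaned, "old"))
    print("after scrub, new:", reassemble(cleaned, "new"))
```

The point for a defender is the last two lines of output: before scrubbing, a sensor favoring old data and a host favoring new data see different payloads, which is exactly the gap an evasion exploits; after scrubbing, both policies agree, so the sensor's verdict applies to what the host actually receives.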
Processing at wire-speed. An obvious requirement with running in-line is to avoid dropping packets and your IDS Sensor becoming a bottleneck. Sensors are able to process packets at wire rates.