McAfee M-1250 Network Protection - Page 24
CHAPTER 7

Block attacks

The ability to drop and deny is available only with a Sensor running in inline mode.

The most efficient way to block exploits is to customize one or more of McAfee® Network Security Platform's IPS Policies to proactively drop malicious traffic. One of McAfee Network Security Platform's pre-configured policies includes this functionality by default. The Default Inline IPS policy is automatically applied to Sensor interfaces when the Sensor is first added to the Manager. This policy contains a number of attacks that Network Security Platform has categorized as "Recommended For Smart Blocking" (RFSB), and which are preconfigured with the "Drop attack packets" response. With the other provided policies, the default Sensor response is to send alerts and log packets.

The first step towards prevention is typically to block attacks that have not caused false positives, have a high severity level, and have a low benign trigger probability. When you know which attacks you want to block, you can configure your policy to perform the "Drop attack packets" response for those attacks.

Methods for blocking attacks

The Network Security Platform IPS offers a variety of ways to block malicious traffic. These options include the following:

• Block exploit traffic (based on policy configuration)
• Block DoS traffic (behavior-based detection)
• Block using ACLs (based on configured ACL rules)
• Use Network Security Platform's traffic normalization feature to block based on configured TCP flow violations (out-of-order packets, deny...)
• Block IP-spoofed packets (configured)

Tip: Attack filters can be configured to override the blocking criteria, for example to permit particular source IPs.

Note: Each of the options listed is described at a high level in this document. For step-by-step procedures on how to perform the tasks described, see the IPS Configuration Guide.
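The following is an added example, not McAfee's own tooling or API, that turns the chapter's prioritisation rule (attacks with no observed false positives, high severity and low benign trigger probability) into a triage pass over a constructed list of attack signatures, and also honours two constraints stated above: drop responses are only planned for an inline Sensor, and an attack filter can exempt particular source IPs from being dropped. The field names, the severity scale, the sample attack names and the filter subnet are all assumptions made for illustration.

```python
"""Triage helper for an IPS blocking policy.

Added example, not McAfee's own tooling or API. It applies the
prioritisation the chapter describes (no false positives observed,
high severity, low benign-trigger probability) to a constructed list
of attack signatures, and honours two constraints the chapter states:
drop responses need a Sensor in inline mode, and an attack filter can
exempt particular source IPs from blocking. All field names, the
severity scale and the sample data are assumptions.
"""
from dataclasses import dataclass, replace
import ipaddress

DROP = "Drop attack packets"          # response name used in the chapter
ALERT = "Alert and log packets"       # default response of the other policies


@dataclass(frozen=True)
class AttackSignature:
    name: str
    severity: int                    # assumed 1..9 scale, 9 = most severe
    benign_trigger_probability: str  # assumed values "Low" / "Medium" / "High"
    false_positives_seen: int        # false positives seen while alert-only
    rfsb: bool                       # "Recommended For Smart Blocking"
    response: str = ALERT


def qualifies_for_drop(sig, min_severity=7):
    """The chapter's first-step criteria for moving an attack to drop."""
    return (sig.false_positives_seen == 0
            and sig.severity >= min_severity
            and sig.benign_trigger_probability == "Low")


def mode_allows_drop(sensor_mode):
    """Drop and deny are only available with a Sensor running inline."""
    return sensor_mode == "inline"


def plan_drop_responses(policy, sensor_mode, min_severity=7, include_rfsb=True):
    """Return the names of attacks whose response should become DROP.

    Refuses to plan anything unless the Sensor is inline. RFSB attacks are
    included because the Default Inline policy already drops them.
    """
    if not mode_allows_drop(sensor_mode):
        raise ValueError("drop/deny responses require an inline Sensor")
    changes = []
    for sig in policy:
        if sig.response == DROP:
            continue                 # already blocking, nothing to change
        if (include_rfsb and sig.rfsb) or qualifies_for_drop(sig, min_severity):
            changes.append(sig.name)
    return changes


def apply_plan(policy, names):
    """Produce the updated policy with DROP set on the chosen attacks."""
    chosen = set(names)
    return [replace(s, response=DROP) if s.name in chosen else s for s in policy]


def packet_response(sig, src_ip, attack_filters):
    """Response for one matching packet after attack filters are applied.

    attack_filters maps an attack name to the source networks permitted to
    trigger it without being dropped (the "permit particular source IPs"
    case from the Tip). Exempted sources still produce an alert.
    """
    addr = ipaddress.ip_address(src_ip)
    for net in attack_filters.get(sig.name, ()):
        if addr in ipaddress.ip_network(net):
            return ALERT
    return sig.response


# Constructed sample policy: names and values are invented for illustration.
SAMPLE_POLICY = [
    AttackSignature("HTTP: Sample Buffer Overflow", 9, "Low", 0, rfsb=True),
    AttackSignature("SMB: Sample Null Session", 8, "Low", 0, rfsb=False),
    AttackSignature("DNS: Sample Oversized TXT Record", 8, "Medium", 0, rfsb=False),
    AttackSignature("FTP: Sample Bounce Attempt", 6, "Low", 0, rfsb=False),
    AttackSignature("HTTP: Sample Directory Traversal", 9, "Low", 3, rfsb=False),
]

# Constructed attack filter: an internal vulnerability-scanner subnet is permitted.
SAMPLE_FILTERS = {"SMB: Sample Null Session": ["10.10.5.0/24"]}


if __name__ == "__main__":
    plan = plan_drop_responses(SAMPLE_POLICY, sensor_mode="inline")
    updated = apply_plan(SAMPLE_POLICY, plan)
    for sig in updated:
        print(f"{sig.response:<22} {sig.name}")
    smb = next(s for s in updated if s.name == "SMB: Sample Null Session")
    print(packet_response(smb, "10.10.5.7", SAMPLE_FILTERS))   # scanner subnet: alert only
    print(packet_response(smb, "192.0.2.9", SAMPLE_FILTERS))   # any other source: dropped
```

Of the five constructed signatures, only the RFSB overflow and the null-session attack end up with "Drop attack packets": the DNS entry has a medium benign trigger probability, the FTP entry is below the severity threshold, and the traversal entry has already produced false positives, so all three stay on alert-and-log for a further monitoring period.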
Block exploit traffic

Exploit refers to attacks that are discovered through a set of parameters, or rules, that are matched against data within a packet. Signatures, specific strings used to match data in