McAfee M-1250 Network Protection - Page 24


CHAPTER 7
Block attacks

The ability to drop and deny is available only with a Sensor running in inline mode. The most efficient way to block exploits is to customize one or more of McAfee® Network Security Platform's IPS Policies to proactively drop malicious traffic. One of McAfee Network Security Platform's pre-configured policies includes this functionality by default. The Default Inline IPS policy is automatically applied to Sensor interfaces when the Sensor is first added to the Manager. This policy contains a number of attacks that Network Security Platform has categorized as "Recommended For Smart Blocking" (RFSB), and which are preconfigured with the "Drop attack packets" response.

With other provided policies, the default Sensor response is to send alerts and log packets.

The first step towards prevention is typically to block attacks that have not caused false positives, have a high severity level, and have a low benign trigger probability. When you know which attacks you want to block, you can configure your policy to perform the "Drop attack packets" response for those attacks.

Methods for blocking attacks

The Network Security Platform IPS offers a variety of ways to block malicious traffic. These options include the following:

• Block exploit traffic (based on policy configuration)
• Block DoS traffic (behavior-based detection)
• Block using ACLs (based on configured ACL rules)
• Utilize Network Security Platform's traffic normalization feature: block based on configured TCP flow violations (out-of-order packets, deny...)
• Block IP-spoofed packets (configured)

Tip: Attack filters can be configured to override the blocking criteria, to permit particular source IPs, for example.

Note: Each of the options listed is described at a high level in this document. For step-by-step procedures on how to perform the tasks described, see the IPS Configuration Guide.
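As an added illustration (not McAfee's code, nor its policy file format), the following Python model shows how the pieces described above fit together: the Default Inline IPS policy drops RFSB attacks and alerts on everything else, the triage rule picks attacks with no false positives, high severity and low benign-trigger probability to promote to "Drop attack packets", an attack filter exempts permitted source IPs, and a Sensor that is not inline can only alert. The attack names, the 0-9 severity scale and the benign-trigger labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DROP, ALERT = "Drop attack packets", "Alert and log packets"

@dataclass(frozen=True)
class Attack:
    name: str                 # constructed names below, not real NSP attack IDs
    severity: int             # assumed 0..9 scale, higher is more severe
    benign_trigger_prob: str  # assumed "low" / "medium" / "high"
    rfsb: bool = False        # "Recommended For Smart Blocking"

@dataclass
class Policy:
    inline: bool                                          # Sensor in inline mode?
    responses: dict = field(default_factory=dict)         # attack name -> response
    permitted_sources: list = field(default_factory=list) # attack-filter exceptions (CIDRs)

def default_inline_policy(attacks, inline=True):
    """Model of the Default Inline IPS policy: RFSB attacks drop, everything else alerts."""
    return Policy(inline, {a.name: DROP if a.rfsb else ALERT for a in attacks})

def candidates_to_block(attacks, false_positive_counts, min_severity=7):
    """Attacks worth promoting to DROP: no false positives, high severity, low benign trigger."""
    return sorted(a.name for a in attacks
                  if false_positive_counts.get(a.name, 0) == 0
                  and a.severity >= min_severity
                  and a.benign_trigger_prob == "low")

def promote(policy, names):
    """Configure the 'Drop attack packets' response for the chosen attacks."""
    for n in names:
        policy.responses[n] = DROP
    return policy

def sensor_action(policy, attack_name, src_ip):
    """Action the Sensor takes for a detected attack from src_ip under this policy."""
    if any(ip_address(src_ip) in ip_network(net) for net in policy.permitted_sources):
        return ALERT  # attack filter overrides blocking for a permitted source IP
    response = policy.responses.get(attack_name, ALERT)
    if response == DROP and not policy.inline:
        return ALERT  # drop/deny is only possible in inline mode; otherwise only alert
    return response

# Constructed sample data for demonstration
ATTACKS = [Attack("Constructed-Exploit-A", 9, "low", rfsb=True),
           Attack("Constructed-Exploit-B", 8, "low"),
           Attack("Constructed-Exploit-C", 8, "high"),
           Attack("Constructed-Exploit-D", 3, "low")]
FALSE_POSITIVES = {"Constructed-Exploit-D": 2}  # past false-positive alert counts
```

Calling `promote(default_inline_policy(ATTACKS), candidates_to_block(ATTACKS, FALSE_POSITIVES))` yields a policy that drops A and B while C (high benign-trigger probability) and D (false positives, low severity) stay on alert-and-log.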
Block exploit traffic

Exploit refers to attacks that are discovered through a set of parameters, or rules, that are matched against data within a packet. Signatures, specific strings used to match data in
