McAfee M-1250 Network Protection - Page 25

How blocking works for exploit traffic, Verify dropped exploit attacks using the Threat Analyzer



McAfee® Network Security Platform 6.0
Block attacks
offending packets, are the key method in discovering an exploit. An attack can have multiple signatures, which gives the Sensor more than one chance to detect it.
Using the Policy Editor, you can select the specific attacks to block by choosing Drop Packets in the / My Company / IPS Settings > Policies > IPS Policies section. For more information on this procedure, see the IPS Configuration Guide.
How blocking works for exploit traffic
• The Sensor applies the configured inbound or outbound policy depending on the traffic direction, which is determined by the Sensor cabling and port configuration.
• The Sensor analyzes the traffic and, based on the policy, decides whether it is "good" (does not match an attack configured in the policy) or "bad" (matches an attack configured in the policy). If the traffic is bad, the Sensor applies the configured "drop packets" action. When Network Security Platform identifies a malicious flow, it blocks only that flow, not all traffic from the source IP; in this respect the Sensor behaves unlike a firewall.
• For UDP and ICMP traffic, only the attack packet is dropped; later packets from the same source are inspected on their own. For TCP traffic, the entire attack flow is dropped. We recommend that you also configure a TCP Reset action in the policy, so that both endpoints tear the session down instead of waiting on silently dropped segments.
Note: When inline, the TCP resets always go out the inline ports. Response ports are used when the device is configured for tap or SPAN mode, because the Sensor is then not in the traffic path and must inject the resets separately.
Verify dropped exploit attacks using the Threat Analyzer
The Alert Result Status graph in the Threat Analyzer's Consolidated View displays the results of detected attacks as determined either by the target's response (Successful, Failed) or by the Network Security Platform action (Blocked). "Blocked" refers specifically to attacks that were dropped because of the policy's response settings. Within a Threat Analyzer query, you can see the number of attacks that were blocked during the query's time period.
• The result status "Blocked" increments once for each blocked attack.
• If you drill down by "Status" in a particular alert, the result status shows as "Blocked."
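The blocking behaviour of the two sections above (policy chosen by direction, flow-only blocking, single-packet drops for UDP/ICMP versus whole-flow drops plus TCP Reset for TCP, reset port chosen by operating mode) together with a Threat Analyzer-style count of "Blocked" alerts, modelled in Python as an added example. This is not Network Security Platform code: the Packet and Policy shapes, the substring signature matching, the attack name, the addresses and the alert fields are all assumptions made for this illustration.

```python
# Model of the inline blocking behaviour and the "Blocked" alert count described
# above. Illustration only: not McAfee Network Security Platform code. The Packet
# and Policy shapes, the substring signature matching, the attack name, the
# addresses and the alert fields are all assumptions made for this example.
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "ts proto src dst sport dport payload direction")


@dataclass
class Policy:
    signatures: dict          # attack name -> list of patterns (several per attack)
    drop_packets: set         # attacks whose response is set to Drop Packets
    tcp_reset: bool = False   # also send a TCP Reset when a TCP flow is dropped


@dataclass
class Sensor:
    inbound: Policy
    outbound: Policy
    mode: str = "inline"      # "inline", "tap" or "span"
    blocked_flows: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    resets: list = field(default_factory=list)

    @staticmethod
    def flow_key(p):
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def match(policy, p):
        """First attack whose signatures match the payload, or None."""
        for attack, sigs in policy.signatures.items():
            if any(s in p.payload for s in sigs):
                return attack
        return None

    def process(self, p):
        """Return "forward" or "drop" for one packet, updating flow state and alerts."""
        policy = self.inbound if p.direction == "inbound" else self.outbound
        key = self.flow_key(p)
        # A TCP flow that has already been dropped stays dropped to its end.
        if p.proto == "tcp" and key in self.blocked_flows:
            return "drop"
        attack = self.match(policy, p)
        if attack is None:
            return "forward"
        if attack not in policy.drop_packets:
            # Detected but not dropped; the page's Successful/Failed status would
            # come from the target's response, which this model does not observe.
            self.alerts.append({"ts": p.ts, "attack": attack, "status": "Detected"})
            return "forward"
        if p.proto == "tcp":
            # Block only this flow, not every packet from p.src.
            self.blocked_flows.add(key)
            if policy.tcp_reset:
                port = "inline" if self.mode == "inline" else "response"
                self.resets.append((key, port))
        # UDP and ICMP: only this packet is dropped; no flow state is kept.
        self.alerts.append({"ts": p.ts, "attack": attack, "status": "Blocked"})
        return "drop"


def count_blocked(alerts, start, end):
    """Threat Analyzer-style query: alerts with result status Blocked in [start, end]."""
    return sum(1 for a in alerts if a["status"] == "Blocked" and start <= a["ts"] <= end)


def demo():
    """Run constructed traffic through a Sensor: one attacker, two TCP flows, two UDP packets."""
    policy = Policy(signatures={"HTTP: Shell Upload": ["cmd.exe", "/bin/sh"]},
                    drop_packets={"HTTP: Shell Upload"}, tcp_reset=True)
    sensor = Sensor(inbound=policy, outbound=Policy(signatures={}, drop_packets=set()))
    pkts = [
        Packet(1, "tcp", "203.0.113.5", "10.0.0.8", 40000, 80, "GET /index.html", "inbound"),
        Packet(2, "tcp", "203.0.113.5", "10.0.0.8", 40000, 80, "POST /up cmd.exe", "inbound"),
        Packet(3, "tcp", "203.0.113.5", "10.0.0.8", 40000, 80, "GET /harmless", "inbound"),
        Packet(4, "tcp", "203.0.113.5", "10.0.0.8", 40001, 80, "GET /other", "inbound"),
        Packet(5, "udp", "203.0.113.5", "10.0.0.8", 5000, 53, "/bin/sh", "inbound"),
        Packet(6, "udp", "203.0.113.5", "10.0.0.8", 5000, 53, "benign query", "inbound"),
    ]
    verdicts = [sensor.process(p) for p in pkts]
    return verdicts, sensor


if __name__ == "__main__":
    v, s = demo()
    print(v)                               # ['forward', 'drop', 'drop', 'forward', 'drop', 'forward']
    print(count_blocked(s.alerts, 0, 10))  # 2
    print(s.resets)
```

Packet 3 is dropped although its payload is harmless, because it belongs to the TCP flow that carried the attack; packet 4 from the same attacker but a different flow is forwarded, and the benign UDP packet after the blocked one is forwarded as well. Two alerts carry the status "Blocked", which is what the Threat Analyzer query counts.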
Block DoS traffic
Denial-of-Service (DoS) attacks interrupt network services by flooding a system or host with spurious traffic, which can overflow system buffers and force you to take the system offline for repairs. Sensors support both Learning-based and Threshold-based capabilities for combating DoS attacks: a threshold-based profile triggers when a traffic rate exceeds a fixed limit, while a learning-based profile first observes normal traffic levels and then triggers on departures from that baseline. The Sensor uses these algorithms to differentiate bad DoS packets from good packets, and drops the bad packets when running in inline mode.
Note: The Sensor must be in detection mode to detect and block attacks.
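The two DoS detection approaches named above, threshold-based and learning-based, contrasted on the same constructed packet stream, as an added Python example. These are not McAfee's algorithms: the packets-per-second measure, the one-second window, the mean + k*stddev learning rule, the rate-limiting stand-in for dropping "bad" packets, the addresses and the traffic mix are all assumptions made for this illustration.

```python
# Threshold-based and learning-based DoS detection on a packet stream, as an
# illustration of the two approaches named above. Not McAfee's algorithms: the
# packets-per-second measure, the one-second window, the mean + k*stddev rule,
# the addresses and the traffic mix are all assumptions made for this example.
from collections import defaultdict
from statistics import mean, pstdev


def per_second_counts(packets):
    """packets: iterable of (timestamp, dst_ip). Returns {dst: {second: packet_count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, dst in packets:
        counts[dst][int(ts)] += 1
    return counts


def threshold_alerts(packets, limit):
    """Threshold-based: report every (dst, second, count) whose count exceeds a fixed limit."""
    alerts = []
    for dst, secs in per_second_counts(packets).items():
        for sec, n in sorted(secs.items()):
            if n > limit:
                alerts.append((dst, sec, n))
    return alerts


def learning_alerts(packets, learn_seconds, k=3.0, min_std=1.0):
    """Learning-based: the first learn_seconds build a per-host baseline (mean and
    standard deviation of packets per second, idle seconds counted as 0); after
    that, report (dst, second, count, limit) whenever count exceeds mean + k*std.
    min_std keeps a perfectly flat baseline from producing a zero-width band."""
    alerts = []
    for dst, secs in per_second_counts(packets).items():
        baseline = [secs.get(s, 0) for s in range(learn_seconds)]
        limit = mean(baseline) + k * max(pstdev(baseline), min_std)
        for sec, n in sorted(secs.items()):
            if sec >= learn_seconds and n > limit:
                alerts.append((dst, sec, n, round(limit, 2)))
    return alerts


def inline_drop(packets, limit):
    """Inline enforcement, simplified to per-destination rate limiting: within each
    second forward up to `limit` packets to a destination and drop the rest."""
    seen = defaultdict(int)
    forwarded, dropped = [], []
    for ts, dst in sorted(packets):
        key = (dst, int(ts))
        seen[key] += 1
        (forwarded if seen[key] <= limit else dropped).append((ts, dst))
    return forwarded, dropped


def constructed_traffic():
    """Constructed sample: about 10 pps of normal traffic to 10.0.0.8 for ten seconds,
    two idle seconds, then a 60 pps burst during second 12."""
    normal = [10, 11, 9, 10, 12, 10, 9, 11, 10, 8]
    pkts = []
    for sec, n in enumerate(normal):
        pkts += [(sec + i / n, "10.0.0.8") for i in range(n)]
    pkts += [(12 + i / 60, "10.0.0.8") for i in range(60)]
    return pkts


if __name__ == "__main__":
    pkts = constructed_traffic()
    print(threshold_alerts(pkts, 100))              # []  a limit sized for a busy server misses the burst
    print(learning_alerts(pkts, learn_seconds=10))  # [('10.0.0.8', 12, 60, 13.29)]
    fwd, drp = inline_drop(pkts, 14)
    print(len(fwd), len(drp))                       # 114 46
```

A fixed threshold of 100 pps never fires on the 60 pps burst, while the learned baseline (mean 10, standard deviation about 1.1, so a limit near 13.3 pps) flags it in the first second it appears; the trade-off is that the learning detector depends on a clean learning period and a sensible k, whereas the threshold detector needs to be sized per host. The rate-limiting stand-in shows the inline effect: everything within the allowed rate is forwarded and only the excess in the flooded second is dropped.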