McAfee M-1250 Network Protection - Page 28

Blocking based on configured TCP & IP Settings, Blocking of IP-spoofed packets


McAfee® Network Security Platform 6.0
Block attacks

Blocking based on configured TCP & IP Settings

Network Security Sensors keep a number of TCP/IP connection parameters as well as complete state information. The / My Company / IPS Settings / Sensor_Name > Advanced Scanning > TCP Settings and / My Company / IPS Settings / Sensor_Name > Advanced Scanning > IP Settings actions let you configure 16 TCP/IP parameters, such as the number of supported UDP flows, the TCB inactivity timer length, and whether old or new data is accepted when TCP segments or IP fragments overlap. All of the TCP/IP Settings parameters relate to the handling of monitored transmissions while in inline mode. You can use these settings to deny or drop certain traffic.

Two of the more notable parameters are as follows:

• Cold Start Drop Action: When a Sensor starts up, you can decide whether to allow (forward) or drop all packets for which the Sensor holds no flow control block (for example, packets of a connection that was already open when the Sensor came up). You have the choice of Forward Flows or Drop Flows.

• TCP Flow Violation: How to handle a packet received for a connection that does not exist on the Sensor, such as an ACK packet when no SYN for that connection has been seen. The choices are:
  • Permit: reassembles out-of-order packets and processes them. Traffic is forwarded even if it fails the strict TCP protocol-violation check and even if no state has been established on the Sensor.
  • Permit out-of-order: allows out-of-order packets to pass through without being processed.
    Note: Select 'Permit out-of-order' if your Sensor is deployed in an asymmetric environment (one in which the Sensor sees only one direction of a connection); otherwise sessions whose state the Sensor never saw established are dropped.
  • Deny: checks the flow for strict TCP protocol violations; if it discovers a violation, it drops the packet. Out-of-order packets are reassembled.
  • Deny no TCB (Deny if State Not Established): drops the session only if state has not been established on the Sensor. Traffic that merely fails the strict TCP protocol-violation check is still forwarded.
Blocking of IP-spoofed packets

When enabled, the anti-spoofing option drops packets that carry an invalid source IP address. Network Security Platform determines the validity of a source IP by comparing it against a configured list of internal networks. As a prerequisite, you must therefore define CIDR blocks for each and every internal network that will send traffic through the Sensor interface in question. Without a comprehensive set of CIDR blocks, especially if outbound anti-spoofing is enabled, Network Security Platform may block valid packets (for example, all traffic from an internal subnet that was never added to the list). Anti-spoofing is available only for Sensors in inline mode.

How Network Security Platform determines the validity of a packet depends directly on the direction of that packet, as follows:

• Inbound: When a packet arrives on the outside interface, its source IP is compared to the CIDR blocks associated with the interface. If the source IP of the inbound packet matches one of the CIDR blocks, the packet claims to come from inside the network and is considered spoofed and dropped.

• Outbound: When a packet arrives on the inside interface, its source IP is compared to the CIDR blocks associated with the interface. If the source IP of the outbound packet does not match any of the CIDR blocks, the packet is considered spoofed and dropped.
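The direction-dependent rule above, implemented as an added example in Python (not McAfee code). The interface roles, the internal CIDR list and the packets are constructed; uncovered_sources is a hypothetical pre-check, not a Network Security Platform feature, that shows how to find internal blocks missing from the list before outbound anti-spoofing is switched on.

```python
"""Direction-aware anti-spoofing check, as described above.

Added example for this page, not McAfee code. The interface roles, the
internal CIDR list and the packets are constructed. Only the decision rule
comes from the text: an internal source seen on the outside interface, or a
non-internal source seen on the inside interface, is spoofed.
"""
import ipaddress


def parse_internal_networks(cidrs):
    """Normalise the configured internal CIDR blocks; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_internal(src, networks):
    """True if src falls inside any configured internal block (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def anti_spoof_verdict(direction, src, networks):
    """Apply the direction-dependent rule from the text.

    direction: "inbound"  = packet arrived on the outside interface
               "outbound" = packet arrived on the inside interface
    Returns ("drop", reason) or ("forward", None).
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    internal = is_internal(src, networks)
    if direction == "inbound" and internal:
        return "drop", f"{src} is an internal address but arrived from outside"
    if direction == "outbound" and not internal:
        return "drop", f"{src} is not covered by any internal CIDR block"
    return "forward", None


def uncovered_sources(observed_sources, networks, prefix=24):
    """Hypothetical pre-check before enabling outbound anti-spoofing (IPv4 assumed).

    Takes source addresses observed on the inside interface during a monitoring
    window and returns the /prefix blocks that the current CIDR list would drop.
    Review the output by hand: a host that is already spoofing shows up here too.
    """
    missing = {ipaddress.ip_network(f"{s}/{prefix}", strict=False)
               for s in observed_sources if not is_internal(s, networks)}
    return [str(net) for net in ipaddress.collapse_addresses(sorted(missing))]


# Constructed configuration: two internal blocks; 172.16.4.0/24 was forgotten.
INTERNAL = parse_internal_networks(["10.0.0.0/8", "192.168.10.0/24"])

# Constructed packets as (direction, source IP).
PACKETS = [
    ("inbound", "10.1.2.3"),       # internal address arriving from outside: spoofed
    ("inbound", "203.0.113.5"),    # ordinary external client: forwarded
    ("outbound", "10.5.5.5"),      # internal host talking out: forwarded
    ("outbound", "203.0.113.5"),   # inside host forging an external source: spoofed
    ("outbound", "172.16.4.9"),    # real but unlisted internal subnet: dropped (false positive)
]


def evaluate(packets=PACKETS, networks=INTERNAL):
    """Return [(direction, src, verdict), ...] for the packet list."""
    return [(d, s, anti_spoof_verdict(d, s, networks)[0]) for d, s in packets]


if __name__ == "__main__":
    for direction, src, verdict in evaluate():
        print(f"{direction:8} {src:15} {verdict}")
    seen_inside = ["10.5.5.5", "172.16.4.9", "172.16.4.40", "192.168.10.7"]
    print("blocks to add before enabling outbound anti-spoofing:",
          uncovered_sources(seen_inside, INTERNAL))
```

The last constructed packet is the failure mode the text warns about: a genuine internal host on a subnet that is missing from the CIDR list is dropped on the way out, so audit the list against real inside-interface traffic before enabling outbound anti-spoofing.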

