McAfee M-1250 Network Protection - Page 9
What is inline mode?, Benefits of running inline
CHAPTER 1

What is inline mode?

Inline monitoring mode provides prevention of attacks by enabling Security Administrators to select the types of attacks/traffic to drop, thus preventing the negative end-system impact common with today's network attacks.

Inline mode is achieved when Network Security Sensor is placed directly in the path of a network segment, becoming, essentially, a "bump in the wire," with packets flowing through the Sensor. In this mode, the Sensor inspects all traffic at wire-speed and can prevent network attacks by dropping malicious traffic in real time: the Sensor actually ends the attacking transmission before it can reach and impact the target. Preventative actions can operate at a highly granular level, including the automated dropping of DoS traffic intended for a specific host.

When operating in inline mode, network segments are connected to two wire-matched Sensor ports (for example, peer ports 1A and 1B), and packets are examined in real time as they pass through the Sensor. In this mode, a packet comes in through the first interface of the Sensor's port pair and goes out through the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.

As of release 2.1.7, Sensor ports are configured by default for monitoring in inline mode; that is, connected inline on a network segment (for example, between a switch and a router or between two switches). A Sensor with 2.1.7 or later software will initially come online with its peer ports configured in pairs and in inline mode.

Note: This change will not override user-configured settings. Deployed Sensors upgraded to 2.1.7 or later will retain their user-configured settings.

Benefits of running inline

The benefits of using Sensors in inline mode are:

• Protection/Prevention. Prevention is a feature unique to inline mode. When running inline, a Sensor can drop malicious packets and not pass them through the network. This acts sort of like an "adaptive firewall," with your detection policy dictating what is dropped. Furthermore, when dropping packets, Network Security Platform is very precise and granular. The Sensor can drop only those packets it identifies as malicious or all of the packets related to that flow (a choice that is user configurable).

• Packet "scrubbing." In addition to dropping malicious traffic, Network Security Platform can scrub (normalize) traffic to take out any ambiguities in protocols that the attacker may be using to try to evade detection. Current IDS products are susceptible to these techniques; one example is the use of IP fragment and TCP segment overlaps. The Sensor can reassemble the IP fragments and TCP segments and enforce a reassembly mode of the user's choice to accept either the old or the new data.

• Processing at wire-speed. Sensors are able to process packets at wire rates.
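Why the scrubbing described above has to enforce a single reassembly mode, shown as an added example (not code from this manual or from McAfee): the same overlapping pieces produce different byte streams under the "old" and "new" policies, so an inspection device and an end host that resolve overlaps differently would not see the same data. The function names, the assumption that byte offsets start at 0, and the sample segments are constructed for illustration.

```python
# Added illustration: hypothetical helper names, constructed sample data.

def reassemble(segments, policy):
    """Rebuild a byte stream from (offset, data) pieces in arrival order.

    policy "old": bytes already received win over later overlapping data.
    policy "new": later overlapping data overwrites earlier bytes.
    Assumes the stream starts at offset 0.
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    stream = {}  # byte offset -> byte value
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "new" or pos not in stream:
                stream[pos] = b
    if not stream:
        return b""
    end = max(stream) + 1
    if len(stream) != end:
        raise ValueError("gap in stream; cannot reassemble yet")
    return bytes(stream[i] for i in range(end))


def conflicting_overlaps(segments):
    """Offsets where a later piece disagrees with bytes received earlier.

    An identical retransmission is not a conflict; differing content is
    the ambiguity a normalizer has to resolve one way for everyone.
    """
    seen, conflicts = {}, set()
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)


# Constructed sample: the third piece overlaps offsets 4-7 with different bytes.
SEGMENTS = [(0, b"GET "), (4, b"/aaa"), (4, b"/bbb"), (8, b" HTTP/1.1")]

if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", conflicting_overlaps(SEGMENTS))
```

The same logic applies to IP fragments, with fragment offsets in place of TCP sequence offsets.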