This article can also be found in the Premium Editorial Download "Information Security magazine: Is your data safe from next-generation attackers?"
McAfee's IntruShield 3000
McAfee's IntruShield 3000 is an attractive value, featuring 12 gigabit monitoring ports and the ability to create up to 1,000 Virtual IPSes on a single appliance.
Inline intrusion prevention can be an expensive proposition, which is why organizations have often limited deployment to the enterprise perimeter and/or critical production servers. McAfee's response is the IntruShield 3000, which leverages high port density and Virtual IPS technology to greatly extend network detection capabilities for each appliance.
IntruShield's Virtual IPSes give you extensive coverage in a single box. While IPSes are typically restricted to a single policy for each monitored link, IntruShield can apply multiple policies per link, and McAfee states that a single appliance supports up to 1,000 Virtual IPSes. What's more, IntruShield has 12 gigabit monitoring ports, enough to sit inline on six full-duplex links at two ports per link.
IntruShield 3000 comes with a robust rules engine and a strong set of filters designed to block buffer overflows, spyware, shellcode attacks, bots and protocol anomalies. Its more innovative features include VoIP protection, vulnerability scanner integration, and the ability to decrypt and inspect SSL transactions (as with any passive SSL inspection, this requires loading the protected servers' private keys onto the sensor).
Out of the box, McAfee's IPS signatures blocked a slew of attacks thrown by Metasploit and Core Impact, including RPC DCOM and LSASS buffer overflow attacks, and our attempt to infect a browser with the WMF vulnerability. We were particularly pleased to see IntruShield's ability to block bot command-and-control traffic.
Typical of IPSes, fewer than one-third of IntruShield's 1,524 attack rules are enabled to block by default, minimizing the risk of dropping legitimate traffic because of false positives. All of them alert, leaving open the option to turn on blocking for individual rules as needed. McAfee provides a full, easy-to-use client for creating user-defined rules. The rules editor comes with good documentation, and allows the analyst to search for strings and regular expressions within specific fields of the protocols that McAfee can decode, rather than across the raw payload.
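The practical value of field-scoped matching is that a pattern is tested only against the decoded field it belongs to, so the same regular expression produces fewer false positives than a payload-wide search. The following is an added example written for this review, not McAfee's rule format or code: a toy HTTP decoder and rule matcher, run over constructed sample requests, where a directory-traversal pattern is applied once to the whole packet and once to the decoded request URI. The field names ("uri", "raw", "header:<name>") and the sample requests are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample HTTP requests (not captured traffic). The third one is a
# benign forum post whose body happens to contain a traversal-looking string.
REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /forum/post HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 31\r\n\r\nbody=try+../../../../etc/passwd",
]


@dataclass
class Rule:
    name: str
    field: str          # "uri", "method", "body", "raw" or "header:<name>" (assumed naming)
    pattern: re.Pattern


def decode_http(data: bytes) -> dict:
    """Minimal HTTP/1.x request decoder standing in for the sensor's protocol decode."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body, "raw": data}


def field_value(fields: dict, field: str) -> bytes:
    """Pick the decoded field a rule is scoped to; unknown headers match nothing."""
    if field.startswith("header:"):
        return fields["headers"].get(field[len("header:"):].lower(), b"")
    return fields[field]


def matches(rule: Rule, data: bytes) -> bool:
    return rule.pattern.search(field_value(decode_http(data), rule.field)) is not None


def evaluate(rule: Rule, requests=REQUESTS) -> list:
    """Return the indices of the requests the rule fires on."""
    return [i for i, req in enumerate(requests) if matches(rule, req)]


TRAVERSAL = re.compile(rb"(?:\.\./){2,}")
RAW_RULE = Rule("traversal-anywhere", "raw", TRAVERSAL)   # naive payload-wide search
URI_RULE = Rule("traversal-in-uri", "uri", TRAVERSAL)     # scoped to the decoded request URI

if __name__ == "__main__":
    for rule in (RAW_RULE, URI_RULE):
        print(rule.name, "fires on requests", evaluate(rule))
```

The payload-wide rule fires on both the real traversal attempt and the harmless forum post; the URI-scoped rule fires only on the attack. That difference is what lets an analyst turn a user-defined rule from alert-only to blocking with some confidence.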
Attack responses are completely customizable. You can choose whether the device should simply alert (via e-mail, pager or user-defined script) or block an attack, and by what action. The default blocking behavior is to drop the offending packet, but you can also choose TCP or ICMP resets, or dropping all traffic to or from the attacker or victim. The last option deserves care: blocking an entire source address on the strength of a single alert over a spoofable protocol such as UDP or ICMP lets an attacker get legitimate hosts cut off.
On the other hand, the signatures themselves are closed to users, preventing analysts from customizing them. Sharp analysts may not like this black-box approach.
IntruShield's integration with vulnerability scan data from McAfee's Foundstone scanner, as well as Nessus, lets the IPS weigh each alert against whether the targeted host is actually vulnerable, so analysts can concentrate on attacks that have a chance of succeeding.
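To show what that correlation buys an analyst, here is an added example, not IntruShield code and not the Foundstone or Nessus data formats: a small triage routine that rates each IPS alert against a constructed table of scan results. An alert is "confirmed" when the scanner found the matching CVE on the target, "irrelevant" when the targeted port is closed or the target runs a different operating system, "not_vulnerable" when the service is up but the flaw was not found, and "unknown" when the host was never scanned. The alert and scan record layouts, the hosts and the ratings are this example's own assumptions; the CVE identifiers are the real ones for the attacks the review names.

```python
# Constructed sample inputs (assumed field names, not vendor output).
ALERTS = [
    {"id": 1, "sig": "MS-RPC DCOM buffer overflow", "cve": "CVE-2003-0352",
     "dst": "10.0.0.5", "port": 135, "target_os": "windows"},
    {"id": 2, "sig": "MS-RPC DCOM buffer overflow", "cve": "CVE-2003-0352",
     "dst": "10.0.0.9", "port": 135, "target_os": "windows"},
    {"id": 3, "sig": "LSASS buffer overflow", "cve": "CVE-2003-0533",
     "dst": "10.0.0.7", "port": 445, "target_os": "windows"},
    {"id": 4, "sig": "MS-RPC DCOM buffer overflow", "cve": "CVE-2003-0352",
     "dst": "10.0.0.12", "port": 135, "target_os": "windows"},
    {"id": 5, "sig": "Apache chunked-encoding overflow", "cve": "CVE-2002-0392",
     "dst": "10.0.0.12", "port": 80, "target_os": "linux"},
]

# Constructed scan results keyed by host; 10.0.0.7 was never scanned.
SCAN_RESULTS = {
    "10.0.0.5":  {"os": "windows", "open_ports": {135, 139, 445}, "vulns": {"CVE-2003-0352"}},
    "10.0.0.9":  {"os": "windows", "open_ports": {135, 139, 445}, "vulns": set()},  # patched
    "10.0.0.12": {"os": "linux",   "open_ports": {22, 80},        "vulns": {"CVE-2002-0392"}},
}

# Lower number sorts first when triaging.
RELEVANCE_ORDER = {"confirmed": 0, "unknown": 1, "not_vulnerable": 2, "irrelevant": 3}


def assess(alert: dict, scan: dict = SCAN_RESULTS) -> str:
    """Rate one alert against the scan table; unscanned hosts keep default severity."""
    host = scan.get(alert["dst"])
    if host is None:
        return "unknown"
    if alert["cve"] in host["vulns"]:
        return "confirmed"
    if alert["port"] not in host["open_ports"] or alert["target_os"] != host["os"]:
        return "irrelevant"
    return "not_vulnerable"


def triage(alerts: list = ALERTS, scan: dict = SCAN_RESULTS) -> list:
    """Return (alert id, rating) pairs ordered by how much attention each deserves."""
    rated = [(assess(alert, scan), alert) for alert in alerts]
    rated.sort(key=lambda pair: RELEVANCE_ORDER[pair[0]])  # stable sort keeps alert order within a rating
    return [(alert["id"], rating) for rating, alert in rated]


if __name__ == "__main__":
    for alert_id, rating in triage():
        print(alert_id, rating)
```

Two caveats the rating scheme makes visible: a host that was down or not yet built when the scan ran shows up as "unknown" and must keep its default severity rather than being suppressed, and a "not_vulnerable" verdict is only as fresh as the last scan, so the scan interval bounds how far an analyst should trust it.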
This was first published in June 2006