Inline intrusion prevention can be an expensive proposition, which is why organizations have often limited deployment to the enterprise perimeter and/or critical production servers. McAfee's response is the IntruShield 3000, which leverages high port density and Virtual IPS technology to greatly extend network detection capabilities for each appliance.
IntruShield's Virtual IPSes give you extensive coverage in a single box. While IPSes are typically restricted to a single policy for each monitored link, IntruShield can support multiple policies for, McAfee states, up to 1,000 Virtual IPSes per appliance. What's more, IntruShield has 12 gigabit monitoring ports to monitor six full duplex links.
IntruShield 3000 comes with a robust rules engine and a strong set of filters designed to block buffer overflows, spyware, shellcode attacks, bots and protocol anomalies. Its more innovative features include VoIP protection, vulnerability scanner integration, and the ability to decrypt and inspect SSL transactions.
Out of the box, McAfee's IPS signatures blocked a slew of attacks thrown by Metasploit and Core Impact, including RPC DCOM and LSASS buffer overflow attacks, and our attempt to infect a browser with the WMF vulnerability. We were particularly pleased to see IntruShield's ability to block bot command-and-control traffic.
Typical of IPSes, fewer than one-third of Intru-Shield's 1,524 attack rules are enabled to block by default, minimizing the risk of dropping legitimate traffic because of false positives. All will alert, leaving open the option to invoke blocking as needed. McAfee provides a full, easy-to-use client for creating user-defined rules. The rules editor comes with good documentation, and allows the analyst to search for strings and regular expressions within specific fields of protocols that McAfee can decode.
Attack responses are completely customizable. You can choose whether the devices should simply alert (via e-mail, pager or user-defined script) or block an attack, and by what action. The default blocking behavior is to drop the packet, but you can also choose TCP and ICMP resets or dropping all traffic to/from the attacker/victim.
On the other hand, the signatures themselves are closed to users, preventing analysts from customizing them. Sharp analysts may not like this black-box approach.
IntruShield's integration with VM scanner data from McAfee's Foundstone scanner, as well as Nessus, helps the IPS evaluate attacks based on actual vulnerabilities.
The Java-based interface is feature-rich but clumsy to use. The management console seems to be just a panel that opens other windows. The interface is quite complex, and we spent a few days going through most of its available features. The management server client seemed sluggish and kept throwing certificate mismatch alerts.
The logging of event data is well thought out, with a number of options. IntruShield logs the first 128 bytes of application data by default, but the entire packet can also be tracked. You have the ability to track the subsequent flow of data from source and destination for specific attacks. Extracting the data is easy and flexible: Logs can be sent to syslog, CSV files and SNMP traps.
There are a number of useful canned reporting options, such as executive summaries and Top "X" reports, plus a full interface for creating custom reports. Reports can be exported in PDF or HTML formats.
If your organization is ready to add IPS to its defenses, the value proposition of the IntruShield 3000, with the flexibility of its Virtual IPS technology and high port density bring strong detection and a smooth rules engine to bear on your networks, making it a good choice for enterprise protection.
This article originally appeared in the June 2006 edition of Information Security magazine.