Innovative IPSes resist our attacks
McAfee IntruShield and NFR Sentivist bring useful extras to intrusion prevention
See correction at end of article
There's more than one way to snare malicious network traffic, and the more methods your IPS uses to detect bad streams, the better your chances of keeping your network productive. McAfee IntruShield 2.1 and NFR Sentivist 5.0 each combine numerous forms of detection to thwart known and unknown threats, hidden exploits, and dangers such as worm outbreaks and DoS attacks.
McAfee and NFR have also incorporated unique features that should turn some heads. In McAfee's case, the ability to decrypt and inspect SSL-encrypted traffic will be useful to customers wanting to protect e-commerce sites, and virtual interfaces allow fine-tuning of security policies for specific assets. For its part, NFR offers an interface that is wonderfully effective at zeroing in on important events, as well as an intelligent threat-indexing technique that helps eliminate false positives and speeds the deployment of in-line blocking.
McAfee IntruShield 2.1
Unlike traditional intrusion detection and prevention offerings whose signatures are based on exploits, McAfee's IntruShield uses signatures based on vulnerabilities, an approach that should prevent new strains of known attacks from sneaking past its sensors. As a result of McAfee's extensive threat library, network-based attack events are remarkably well documented. Event descriptions include CVE (Common Vulnerabilities and Exposures) references, vendor patch references (Microsoft bulletins), and even steps to mitigate specific attacks.
Additionally, McAfee includes an interface and solid manual for advanced users to create their own signatures, which proves helpful for customizing filters to your specific environment. We found that after a few hours of studying we were able to create a simple signature that looked for the request of a Web page named "test.cgi," an indication that someone may be hacking your Web site. Although we would have liked the work to be easier, we were satisfied with the end results.
When it comes to fending off attacks, one of the key tools at IntruShield's disposal is protocol parsing. Because conventional detection engines such as Snort typically incorporate port numbers -- 80/tcp for HTTP, for instance -- into their signatures, they wouldn't look for IM traffic on port 80, for example, unless you explicitly created a signature to do it. Protocol parsing allows IntruShield to apply protocol-specific signatures to traffic on any port. This functionality enables the IPS not only to spot policy violations such as IM conversations being sent over HTTP but also to identify the application running a specific network service, allowing you to apply different rules to Apache and IIS traffic, for example. IntruShield maintains traffic profiles on network hosts, so if a host begins using abnormal amounts of bandwidth or spews excessive packets, the IPS can throttle the usage to prevent a DoS.
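The port-independent parsing the review describes can be illustrated with a small classifier: identify HTTP from the payload's first bytes rather than the destination port, then apply HTTP-specific checks, including the "test.cgi" request signature mentioned earlier, an IM-over-HTTP policy check, and tagging each request with the server application fingerprinted from earlier responses. This is an added example written for this article, not IntruShield's engine or signature format; the flows, hostnames and the `IM_GATEWAYS` list are constructed placeholders.

```python
import re

# Start-line patterns used to classify a flow by content, not by port.
HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
HTTP_RESPONSE_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")

# Constructed placeholder hostnames standing in for IM gateways; a real
# policy would carry the operator's own list.
IM_GATEWAYS = {"im-gateway.example.invalid", "chat-relay.example.invalid"}


def identify_protocol(payload):
    """Classify a flow from its first bytes; the port is ignored entirely."""
    if HTTP_REQUEST_RE.match(payload):
        return "http-request"
    if HTTP_RESPONSE_RE.match(payload):
        return "http-response"
    return "unknown"


def parse_http(payload):
    """Split an HTTP message into its start line and a lower-cased header dict."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def fingerprint_server(headers):
    """Identify the application behind a service from its Server header."""
    server = headers.get("server", "").lower()
    if "apache" in server:
        return "apache"
    if "microsoft-iis" in server:
        return "iis"
    return "unknown"


def inspect_flow(flow, server_profiles):
    """Return a list of (event, detail) pairs for one flow. Responses update
    server_profiles so later requests are tagged with the application seen."""
    proto = identify_protocol(flow["payload"])
    events = []
    if proto == "http-response":
        _, headers = parse_http(flow["payload"])
        server_profiles[(flow["src"], flow["sport"])] = fingerprint_server(headers)
        return events
    if proto != "http-request":
        return events
    start, headers = parse_http(flow["payload"])
    method, path, _ = start.split(" ", 2)
    app = server_profiles.get((flow["dst"], flow["dport"]), "unknown")
    if flow["dport"] != 80:
        events.append(("http-on-nonstandard-port", f"{flow['dport']}/tcp"))
    # The review's hand-written signature: a request for a page named test.cgi.
    if path.rsplit("/", 1)[-1].split("?")[0] == "test.cgi":
        events.append(("test.cgi-request", f"{method} {path} to {app}"))
    # Policy violation: an IM conversation carried over HTTP.
    if headers.get("host", "").lower() in IM_GATEWAYS:
        events.append(("im-over-http", headers["host"]))
    return events


# Constructed sample flows: a server response, a CGI probe, IM over HTTP on
# 8080/tcp, and a non-HTTP payload on port 80 that the parser leaves alone.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "sport": 80, "dst": "10.0.0.9", "dport": 41000,
     "payload": b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.52\r\nContent-Length: 0\r\n\r\n"},
    {"src": "10.0.0.9", "sport": 41001, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/test.cgi?x=1 HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"},
    {"src": "10.0.0.9", "sport": 41002, "dst": "10.0.0.7", "dport": 8080,
     "payload": b"POST /send HTTP/1.1\r\nHost: im-gateway.example.invalid\r\nContent-Length: 0\r\n\r\n"},
    {"src": "10.0.0.9", "sport": 41003, "dst": "10.0.0.5", "dport": 80,
     "payload": b"\x16\x03\x01\x00\x4a\x01"},  # constructed non-HTTP bytes
]


def run_sample():
    """Run the sample flows through the inspector; returns {event: [details]}."""
    profiles = {}
    out = {}
    for flow in SAMPLE_FLOWS:
        for event, detail in inspect_flow(flow, profiles):
            out.setdefault(event, []).append(detail)
    return out


if __name__ == "__main__":
    for event, details in run_sample().items():
        print(event, details)
```

Because classification happens before any port check, the same HTTP rules fire on 8080/tcp as on 80/tcp, and the fingerprint learned from the response lets the test.cgi event say which application the request targeted.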
By combining buffer overflow protection, protocol anomaly detection, vulnerability-based signatures, and rate-limiting DoS protection, McAfee believes it has created a device that will protect against zero-day attacks. For good measure, IntruShield looks for shell code where it shouldn't be, a patented technique that enables the device to prevent attackers from executing malicious commands even if they manage to penetrate the network. IntruShield also includes a statistical anomaly profile engine that looks for unusual spikes in network traffic. Both these techniques will unearth many new types of attacks, including worm outbreaks.
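The per-host traffic profiles and rate-limiting DoS protection described in the two paragraphs above can be sketched as a statistical anomaly detector: learn each host's normal per-interval packet count, then throttle an interval that exceeds the learned mean by several standard deviations. This is an added example, not McAfee's profile engine; the packet counts are constructed, and the warm-up length, sigma multiplier and minimum margin are assumed parameters.

```python
import math
from collections import defaultdict


class HostProfile:
    """Running mean and variance of one host's per-interval packet count
    (Welford's online algorithm), so no history has to be stored."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class RateProfiler:
    """Per-host statistical profile: learn a baseline for `warmup` intervals,
    then flag an interval whose count exceeds mean + sigmas * stddev.
    `min_margin` stops a nearly constant baseline (stddev close to zero) from
    turning every small fluctuation into a throttle decision."""

    def __init__(self, warmup=5, sigmas=3.0, min_margin=20):
        self.warmup = warmup
        self.sigmas = sigmas
        self.min_margin = min_margin
        self.profiles = defaultdict(HostProfile)

    def threshold(self, profile):
        return profile.mean + max(self.sigmas * profile.stddev(), self.min_margin)

    def observe(self, host, count):
        """Return (decision, allowed): decision is 'learn', 'ok' or 'throttle';
        allowed is the packet budget granted for this interval."""
        p = self.profiles[host]
        if p.n < self.warmup:
            p.update(count)
            return ("learn", count)
        limit = self.threshold(p)
        if count > limit:
            # Do not feed the spike back into the baseline: a sustained flood
            # would otherwise raise the mean until it looked normal.
            return ("throttle", int(limit))
        p.update(count)
        return ("ok", count)


# Constructed per-interval packet counts: a busy host that suddenly floods,
# and a quiet host whose small jump should not trip the detector.
SAMPLE_COUNTS = {
    "10.0.0.5": [100, 110, 90, 105, 95, 102, 5000],
    "10.0.0.8": [2, 3, 2, 3, 2, 10, 40],
}


def run_sample():
    """Feed the sample counts through one profiler; returns {host: decisions}."""
    prof = RateProfiler()
    return {host: [prof.observe(host, c) for c in counts]
            for host, counts in SAMPLE_COUNTS.items()}


if __name__ == "__main__":
    for host, decisions in run_sample().items():
        print(host, decisions)
```

The minimum margin is the practitioner's knob here: without it, the quiet host's baseline of two or three packets gives a standard deviation of about 0.5, and a harmless rise to ten packets would be throttled as a flood.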
Test Center Scorecard: scores for six weighted criteria (weights in the header), the weighted total, and the rating.

| Product | 30% | 20% | 15% | 15% | 10% | 10% | Overall | Rating |
|---|---|---|---|---|---|---|---|---|
| McAfee IntruShield 2.1 | 8 | 8 | 9 | 9 | 8 | 9 | 8.4 | Very Good |
| NFR Sentivist 5.0 | 8 | 8 | 9 | 8 | 6 | 8 | 8.0 | Very Good |