WHITE PAPER
Intrusion Prevention: Myths, Challenges, and Requirements
April 2003
networkassociates.com
Table of Contents
I. Introduction
II. Myths About Intrusion Prevention
   MYTH 1: Intrusion Detection and Intrusion Prevention Are Two Separate Solutions
   MYTH 2: Intrusion Prevention Is ALL or NOTHING
   MYTH 3: Intrusion Prevention Is TCP Kills/Resets or Modify Firewall Rules by IDS
   MYTH 4: Intrusion Prevention Is Losing Control Over Intrusion Detection and Response
III. Implementation Challenges
IV. Requirements for Effective Prevention
V. Path to Prevention
VI. McAfee IntruShield Approach
VII. About McAfee Network Protection Services
   McAfee IntruShield
VIII. About Network Associates
© 2003 Network Associates
I. Introduction

In a recent survey commissioned by VanDyke Software, some 66 percent of the companies said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent). Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is clear that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely, but is also designed to allow some traffic through (Web traffic to an internal Web server, for example). The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, this can often be used as a springboard to launch additional attacks on other internal servers. Once a “rootkit” or “back door” has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future. The case has never been clearer for Intrusion Detection Systems (IDS). The computer world’s equivalent to the burglar alarm, the IDS provides valuable backup to the beleaguered firewall system (the equivalent of the locked door). As in the physical world, our logical burglar alarm provides valuable notification that someone has managed to breach our perimeter security measures, and should allow us to determine exactly what happened during the attack, and hopefully provide indications of how the security weakness might be addressed.
However, most IDS systems tend to be reactive rather than proactive; that is, they often have to wait until something has actually happened before they can raise the alarm. The Intrusion Prevention System (IPS), however, attempts to be proactive, and is designed to stop intrusions dead, blocking the offending traffic before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered. It achieves this by sitting directly in-line with the network traffic: one network port accepts traffic from the external system, and another port transmits it to the internal system after it has been checked for anomalies or suspicious content. Thus, problem packets, and all subsequent packets from the same data flow, can simply be discarded within the IPS appliance. As with IDS systems, IPS products tend to fall into two categories: Host IPS (HIPS) and Network IPS (NIPS). Host IPS products rely on agents installed directly on the host system being protected, which interact closely with the underlying operating system and resident services in order to detect and prevent rogue system calls. The Network IPS (sometimes known as an In-line IDS or Gateway IDS (GIDS)), however, could be thought of as something of a hybrid system, combining features of a standard IDS and a firewall. Like a firewall, the IPS appliance will sport at least two network interfaces, one designated as external and one as internal. Some appliances may have more than two in order to monitor multiple network paths, but the basic requirement is for two interfaces for data and one for management. Placed in-line in a critical data path, the IPS detection engine examines packets as they pass through the device and processes them in a similar manner to an IDS so as to determine which packets are suspicious in nature.
If a suspicious packet is detected, that packet can be dropped immediately, and all subsequent packets from that particular data stream can be discarded without further processing. Naturally, an IPS will also raise an alert in the same manner as an IDS, and this allows the IPS to operate in a traditional “IDS mode” as well, which is useful for letting the administrator tune the system before placing it in full-blown “prevention mode.” Legitimate packets are naturally passed straight through to the internal interface and on to their intended destination. A useful side effect of some NIPS products is that as a matter of course (in fact as part of the initial detection process) they will provide “packet scrubbing” functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification (or intentional packet manipulation). Thus any fragmented packets or packets with IP fragment overlaps will be “cleaned up” before being passed to the destination host.
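The fragment-overlap clean-up described above, as an added example that is not part of the original paper or of the IntruShield product: a small Python normaliser that reassembles IP fragments under one fixed overlap policy (bytes that arrive first win), forwards a single unfragmented datagram, and reports overlaps whose bytes disagree so they can be alerted on. The Fragment fields and the sample fragments are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. All values are constructed for this example, not captured."""
    frag_id: int          # IP Identification field, shared by all fragments of one datagram
    offset: int           # byte offset of this payload within the original datagram
    payload: bytes
    more_fragments: bool  # the IP "MF" flag; False marks the final fragment


class FragmentScrubber:
    """Reassembles IP fragments under one fixed overlap policy.

    End hosts differ in which bytes they keep when fragments overlap, so a
    passive sensor and the target can end up seeing different data. An in-line
    normaliser removes the ambiguity: it reassembles with a single policy
    (here, bytes that arrived first win), forwards one unfragmented datagram,
    and reports overlaps whose bytes disagree so they can be alerted on.
    """

    def __init__(self, max_datagram: int = 65535):
        self.max_datagram = max_datagram
        self.pending: Dict[int, List[Fragment]] = {}

    def accept(self, frag: Fragment) -> Optional[Tuple[bytes, List[str]]]:
        """Buffer one fragment; return (datagram, anomalies) once its group is complete."""
        if frag.offset + len(frag.payload) > self.max_datagram:
            # Can never belong to a valid datagram: discard the whole group.
            self.pending.pop(frag.frag_id, None)
            return b"", ["fragment extends past the maximum IP datagram size"]
        group = self.pending.setdefault(frag.frag_id, [])
        group.append(frag)
        if self._complete(group):
            del self.pending[frag.frag_id]
            return self._reassemble(group)
        return None  # still waiting for more fragments

    @staticmethod
    def _datagram_length(group: List[Fragment]) -> Optional[int]:
        """Total length as defined by the final (MF=0) fragment, or None if not yet seen."""
        ends = [f.offset + len(f.payload) for f in group if not f.more_fragments]
        return max(ends) if ends else None

    def _complete(self, group: List[Fragment]) -> bool:
        """True when every byte from 0 up to the final fragment's end is covered."""
        total = self._datagram_length(group)
        if total is None:
            return False
        covered = bytearray(total)
        for f in group:
            end = min(f.offset + len(f.payload), total)
            if end > f.offset:
                covered[f.offset:end] = b"\x01" * (end - f.offset)
        return all(covered)

    def _reassemble(self, group: List[Fragment]) -> Tuple[bytes, List[str]]:
        total = self._datagram_length(group)
        data = bytearray(total)
        owner: List[Optional[int]] = [None] * total  # which fragment supplied each byte
        conflicts: Set[Tuple[int, int]] = set()
        anomalies: List[str] = []
        for idx, f in enumerate(group):  # group is in arrival order
            if f.offset + len(f.payload) > total:
                anomalies.append(f"fragment {idx} extends past the final fragment")
            for i, byte in enumerate(f.payload[: max(0, total - f.offset)]):
                pos = f.offset + i
                if owner[pos] is None:
                    data[pos] = byte
                    owner[pos] = idx
                elif data[pos] != byte:
                    # Same position, different content: the ambiguity hosts resolve differently
                    conflicts.add((owner[pos], idx))
        for first, later in sorted(conflicts):
            anomalies.append(f"conflicting overlap between fragments {first} and {later}")
        return bytes(data), anomalies


def scrub(fragments: List[Fragment]) -> List[Tuple[bytes, List[str]]]:
    """Run a constructed fragment sequence through the scrubber, in arrival order."""
    scrubber = FragmentScrubber()
    return [r for r in (scrubber.accept(f) for f in fragments) if r is not None]
```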
II. Myths About Intrusion Prevention

There are numerous myths about Intrusion Prevention, most fostered by IDS marketing spin or ignorance of the way a well-designed in-line IPS device is capable of operating. Let’s look at a few of the most common myths:
MYTH 1: Intrusion Detection and Intrusion Prevention Are Two Separate Solutions

At the moment, this is often the case. However, it need not, and should not, be. Because of inherent performance limitations, many IPS products have been designed with a very restrictive signature set on board and little scope to expand it without seriously impacting performance. This means that they can be used only for prevention of a limited number of exploits, and while these are usually the most serious, admittedly, it does mean that there is little scope for the security administrator to tweak the product for his own environment. It also means that because the detection capabilities of the IPS product are so limited, an additional IDS product is required behind it to alert on those exploits that are not covered. Intrusion Prevention products that are designed from the ground up, however, should be capable of providing an extensive signature set that allows them to operate in either or both IDS and IPS modes. The most flexible IPS appliance will provide the ability to start off in passive IDS mode (perhaps attached to a SPAN port or network tap device) to allow the administrator to determine how effectively it can detect a wide range of exploits and (just as importantly in the case of an IPS) how susceptible it is to false positives. Once the signature set has been tuned, it is a simple matter for the administrator to switch to in-line mode and start blocking some, or all, of the suspicious packets and flows detected. Good Intrusion Prevention is actually an extension of IDS, not something completely separate.
MYTH 2: Intrusion Prevention Is ALL or NOTHING

As we have seen with the previous myth, this is patently untrue when the right kind of appliance is deployed. Even where an IPS product can only operate in in-line mode, it is possible to have it block only a subset of exploits, while the majority of packets are passed through as normal. Behind the IPS device, you then have a traditional passive-mode IDS, which does the bulk of the detection and alerting on suspicious traffic. Clearly this is not an all-or-nothing situation, although the use of two separate devices will certainly cause deployment and management headaches. This can be improved considerably with an appliance that has been designed from the ground up as an IDS as well as an IPS. As we have already seen in Myth #1, it is possible to design an appliance that offers both IDS and IPS functionality in the same box, providing an almost seamless migration path from pure detection to prevention. Now imagine an appliance with multiple network ports, and with each port capable of supporting SPAN, tap or in-line mode. Now you move way beyond the “all or nothing” approach and into a truly integrated IDS/IPS solution in a single box. One pair of ports can be combined to provide an in-line prevention capability (say on the private LAN), while another pair of ports can be designated as a passive-mode IDS (say on the DMZ), providing full detection and alerting capabilities. Now the administrator can deploy both technologies using a single appliance and controlled by a single management interface. The management and configuration capabilities are also critical if we are to avoid the “all or nothing” tag. In the past, network sensors have often employed a monolithic approach to setting intrusion policy and response, with the response being fixed according to the signature.
The current generation of IDS/IPS sensors, however, should be capable of allowing the administrator to modify the response on a per-signature or per-signature-group basis. Perhaps port scans are given an extremely low priority in one particular environment, while IIS Web server exploits are blocked and the administrator paged. Every deployment is different, and so the IDS/IPS device should incorporate enough flexibility to allow the administrator to configure the alerts and responses to his or her exact requirements.
MYTH 3: Intrusion Prevention Is TCP Kills/Resets or Modify Firewall Rules by IDS

It is not hard to see where this myth came from. Take a look at the marketing literature of many traditional IDS products today and you may well see claims that they offer “Intrusion Prevention” features. Well, the only kind of prevention that can be provided by a passive IDS device is to send TCP Resets to both ends of the connection once a suspicious packet has been detected, or perhaps to reconfigure an external firewall or router device to ensure that the remainder of the flow is blocked at the network perimeter. The problem here is that unless the attacker is operating on a 2400 baud modem, the likelihood is that by the time the IDS has detected the offending packet, raised an alert, and transmitted the TCP Resets, and especially by the time the two ends of the connection have received the Reset packets and acted on them (or the firewall or router has had time to activate new rules to block the remainder of the flow), the payload of the exploit has long since been delivered. Our guess is that there are not many crackers using 2400 baud modems these days. A true IPS device, however, is sitting in-line; all the packets have to pass through it. Therefore, as soon as a suspicious packet has been detected, and before it is passed to the internal interface and on to the protected network, it can be dropped. Not only that, but now that the flow has been flagged as suspicious, all subsequent packets that are part of that session can also be dropped with very little additional processing. Oh, and for good measure, it is also possible to send TCP Resets or ICMP Unreachable messages to the attacking host.
MYTH 4: Intrusion Prevention Is Losing Control Over Intrusion Detection and Response

By now, hopefully we have explained enough to show that this is simply not true. Provided the IPS device has been designed properly, it should actually offer more in the way of intrusion detection and response than any basic IDS product. With careful design, usually involving custom hardware and ASICs for the highest levels of performance when operating in in-line mode, the IPS device can provide detection capabilities that are every bit as good as the best passive IDS. In addition, only an in-line IDS can block all IP/ICMP/TCP/UDP based malicious traffic from reaching the intended target hosts with complete reliability and/or scrub non-conforming packets to defeat many DoS or reconnaissance attempts. Most customers wish to deploy the IDS in Intrusion Detection Mode (sniffing mode) initially and then migrate to Intrusion Prevention Mode (in-line mode).
III. Implementation Challenges

There are a number of challenges to implementing an IPS device that do not have to be faced when deploying passive-mode IDS products. These challenges all stem from the fact that the IPS device is designed to work in-line, presenting a potential choke point and single point of failure. If a passive IDS fails, the worst that can happen is that some attempted attacks may go undetected. If an in-line device fails, it can seriously impact the performance of the network. Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case you have a self-inflicted Denial of Service condition on your hands. On the bright side, there will be no attacks getting through! But that is of little consolation if none of your customers can reach your e-commerce site. Even if the IPS device does not fail altogether, it still has the potential to act as a bottleneck, increasing latency and reducing throughput as it struggles to keep up with up to a Gigabit or more of network traffic. Devices using off-the-shelf hardware will certainly struggle to keep up with a heavily loaded Gigabit network, especially if there is a substantial signature set loaded, and this could be a major concern both for the network administrator (who could see his carefully crafted network response times go through the roof when a poorly designed IPS device is placed in-line) and for the security administrator, who will have to fight tooth-and-nail to have the network administrator allow him to place this unknown quantity amongst his high performance routers and switches. Dropped packets are also an issue, since if even one of those dropped packets is one of those used in the exploit data stream it is possible that the entire exploit could be missed. Most high-end IPS vendors will get around this problem by using custom hardware, populated with advanced FPGAs and ASICs; indeed, it is necessary to design the product to operate as much as a switch as an intrusion detection and prevention device.

It is very difficult for any security administrator to be able to characterize the traffic on his network with a high degree of accuracy. What is the average bandwidth? What are the peaks? Is the traffic mainly one protocol or a mix? What are the average packet size and the rate of new connections established every second, both critical parameters that can have detrimental effects on some IDS engines? If your IPS hardware is operating “on the edge,” all of these are questions that need to be answered as accurately as possible to prevent performance degradation. However, if the IPS device is rated at Gigabit wire speeds and beyond, none of this matters: simply drop the device in-line, safe in the knowledge that all normal traffic will pass through transparently.

Another potential problem is the good old false positive. The bane of the security administrator’s life (apart from the script kiddie, of course!), the false positive rears its ugly head when an exploit signature is not crafted carefully enough, such that legitimate traffic can cause it to fire accidentally. While merely annoying in a passive IDS device, consuming time and effort on the part of the security administrator, the results can be far more serious and far reaching in an in-line IPS appliance. Once again, the result is a self-inflicted Denial of Service condition, as the IPS device first drops the “offending” packet, and then blocks the entire data flow from the suspected hacker. If the traffic that triggered the false positive alert was part of a customer order, you can bet that the customer will not wait around for long as his entire session is torn down and all subsequent attempts to reconnect to your e-commerce site (if he decides to bother retrying at all, that is) are blocked by the well-meaning IPS.
In some respects, performance and detection capabilities are the least of the problems facing the administrator tasked with deploying these devices. The problem with any Gigabit IPS/IDS product is, by its very nature and capabilities, the amount of alert data it is likely to generate. On such a busy network, how many alerts will be generated in one working day? Or even one hour? Even with relatively low alert rates of ten per second, you are talking about 36,000 alerts every hour. That is 864,000 alerts each and every day. The ability to tune the signature set accurately is essential in order to keep the number of alerts to an absolute minimum. Once the alerts have been raised, however, it then becomes essential to be able to process them effectively. Advanced alert handling and forensic analysis capabilities, including detailed exploit information and the ability to examine packet contents and data streams, can make or break a Gigabit IDS/IPS product.
IV. Requirements for Effective Prevention

OK, having pointed out the potential pitfalls facing anyone deploying these devices, what features are we looking for that will help us to avoid such pitfalls?

• In-line operation: Only by operating in-line can an IPS device perform true protection, discarding all suspect packets immediately and blocking the remainder of that flow.
• Fine-grained granularity and control: Fine-grained control is required in terms of deciding exactly which malicious traffic is blocked. The ability to specify traffic to be blocked by attack, by policy, or right down to individual host level is vital. In addition, it may be necessary to only alert on suspicious traffic for further analysis and investigation.
• Unquestionable detection accuracy: It is imperative that the quality of the signatures is beyond question, since false positives can lead to a Denial of Service condition. The user MUST be able to trust that the IDS is blocking only the user-selected malicious traffic. New signatures should be made available on a regular basis, and applying them should be quick (applied to all sensors in one operation via a central console) and seamless (no sensor reboot required).
• Advanced alert handling and forensic analysis capabilities: Once the alerts have been raised at the sensor and passed to a central console, someone has to examine them, correlate them where necessary, investigate them, and eventually decide on an action. The capabilities offered by the console in terms of alert viewing (real time and historic) and reporting are key in determining the effectiveness of the IPS product.
• Reliability and availability: Should an in-line device fail, it has the potential to close a vital network path and thus, once again, cause a DoS condition. An extremely low failure rate is thus very important in order to maximize up-time, and if the worst should happen, the device should provide the option to fail open or support fail-over to another sensor operating in a fail-over group (see Resilience below). In addition, to reduce downtime for signature and protocol coverage updates, an IPS must support the ability to receive these updates without requiring a device reboot. When operating in-line, sensors rebooting across the enterprise effectively translate into network downtime for the duration of the reboot.
• High performance: Packet processing rates must be at wire speed under real-life traffic conditions, and the device must meet the stated performance with all signatures enabled. Headroom should be built into the performance capabilities to enable the device to handle any increases in size of signature packs that may occur over the next 3 years.
• Low latency: When a device is placed in-line, it is essential that its impact on overall network performance is minimal. Packets should be processed quickly enough such that the overall latency of the device is as close as possible to that offered by a layer 4 device such as a firewall or load-balancer.
• Resilience: Active-Active stateful fail-over with cooperating in-line sensors in a fail-over group will ensure that the IPS device does not become a single point of failure in a critical network deployment.
V. Path to Prevention

As we mentioned earlier in this paper, a well-designed IPS appliance would allow an administrator to progress from working in pure IDS mode to pure IPS mode in a number of easy-to-handle phases:

• Phase I (Detection/No Prevention): The device operates in passive IDS mode connected to a switch SPAN port or tap device in order to monitor traffic. Multiple ports on the IPS appliance would allow it to monitor multiple segments with a single device, simplifying deployment and management. This stage offers intrusion detection only, with no prevention.
• Phase II (In-line Detection/No Prevention): One pair of ports is combined, one designated internal and one external, in order to provide an in-line capability. Although the device is in-line, we are still operating in pure detection mode, with none of the policies configured to block traffic. This offers little practical advantage over phase one in terms of detection/prevention capabilities, though it does provide a degree of comfort to the administrator that normal traffic is being passed unmolested. The one advantage that is offered by this mode of deployment is that all traffic passing through the device is protocol-scrubbed, ensuring that it complies with the relevant RFCs and acceptable practices and that no strange evasion or obfuscation techniques are being used. In addition, the security and the networking teams build confidence about the device’s ability to support network and business applications without introducing new troubleshooting issues or failure.
• Phase III (Detection and Selective Prevention): Once in-line mode has been verified to be working correctly, the administrator can monitor the alert logs to determine the effectiveness of the intrusion detection policies. Initially, he may wish to select a subset of the most serious signatures, those which he is sure are not subject to false positive triggers, and enable blocking on those signatures alone. The device can be run for some time in this mode, with prevention being provided on the most serious exploits, and full detection capabilities operating on all others. If the product has been designed correctly, it should continue to offer complete intrusion detection capabilities even when operating in partial IPS mode. Further, the administrator can also flexibly configure selective blocking for incoming exploits before proceeding to block outgoing attacks.
• Phase IV (Detection and Broad Prevention): Having proved the effectiveness of the device and tuned the security policies over time, the administrator can feel confident in switching on blocking for all signatures except for those which have proven to be susceptible to false positives. These remaining signatures will either be disabled completely or will remain in detection-only state where it is deemed that there is still sufficient risk of genuine attack traffic which may trigger those signatures. In all other respects, the device is operating in full prevention mode, discarding all suspicious packets immediately and blocking the subsequent data flows.
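As an added example (not code from the paper or from IntruShield), the Python below models the in-line engine described in the Introduction together with the per-signature response policy of Myth 2 and the phased path above: a flow flagged for blocking has its current and all later packets dropped without further inspection, each signature or signature group carries its own response, and prevention_mode=False gives the alert-only in-line operation of Phase II while the selective policy in run_demo corresponds to Phase III. The signatures, packets and addresses are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Action(Enum):
    IGNORE = "ignore"  # signature disabled in this environment
    ALERT = "alert"    # raise an alert and forward the packet (passive IDS behaviour)
    BLOCK = "block"    # drop this packet and every later packet of the same flow


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    def flow_key(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Signature:
    name: str
    group: str
    matches: Callable[[Packet], bool]


def traversal_matcher(pkt: Packet) -> bool:
    """Constructed web-server signature: an HTTP request line that carries '../'."""
    return pkt.dport == 80 and pkt.payload.startswith(b"GET ") and b"../" in pkt.payload


def make_portscan_matcher(threshold: int) -> Callable[[Packet], bool]:
    """Constructed recon signature: one source touching more than `threshold` ports."""
    seen: Dict[str, Set[int]] = {}

    def matches(pkt: Packet) -> bool:
        ports = seen.setdefault(pkt.src, set())
        ports.add(pkt.dport)
        return len(ports) > threshold

    return matches


class InlineEngine:
    """In-line detection engine with a per-signature (or per-group) response policy."""

    def __init__(self, signatures: List[Signature], policy: Dict[str, Action],
                 page_groups: Set[str], prevention_mode: bool = True):
        self.signatures = signatures
        self.policy = policy                    # keyed by signature name or group name
        self.page_groups = page_groups          # groups whose alerts also page the admin
        self.prevention_mode = prevention_mode  # False = "IDS mode": alert but never drop
        self.blocked_flows: Set[Tuple[str, int, str, int]] = set()
        self.alerts: List[dict] = []

    def action_for(self, sig: Signature) -> Action:
        # A response set on the individual signature overrides its group's response.
        return self.policy.get(sig.name, self.policy.get(sig.group, Action.ALERT))

    def process(self, pkt: Packet) -> str:
        """Return 'pass' to forward to the internal interface, 'drop' to discard."""
        key = pkt.flow_key()
        if key in self.blocked_flows:
            return "drop"  # flow already flagged: no further signature processing
        for sig in self.signatures:
            if not sig.matches(pkt):
                continue
            action = self.action_for(sig)
            if action is Action.IGNORE:
                continue
            self.alerts.append({"signature": sig.name, "flow": key, "action": action.value,
                                "page": sig.group in self.page_groups})
            if action is Action.BLOCK and self.prevention_mode:
                self.blocked_flows.add(key)
                return "drop"
        return "pass"


def run_demo(prevention_mode: bool) -> Dict[str, object]:
    """Replay constructed traffic; prevention_mode=False is Phase II, True is Phase III."""
    sigs = [Signature("HTTP-DIR-TRAVERSAL", "web-server-exploit", traversal_matcher),
            Signature("TCP-PORT-SCAN", "recon", make_portscan_matcher(5))]
    # Web-server exploits are blocked and paged; port scans are low priority: alert only.
    policy = {"web-server-exploit": Action.BLOCK, "recon": Action.ALERT}
    engine = InlineEngine(sigs, policy, {"web-server-exploit"}, prevention_mode)
    traffic = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
        Packet("10.0.0.6", 40001, "192.0.2.10", 80, b"GET /../private.txt HTTP/1.0\r\n"),
        Packet("10.0.0.6", 40001, "192.0.2.10", 80, b"second packet of the same flow"),
    ] + [Packet("10.0.0.7", 50000, "192.0.2.10", port) for port in range(20, 27)]
    verdicts = [engine.process(p) for p in traffic]
    return {"verdicts": verdicts, "alerts": engine.alerts,
            "blocked_flows": len(engine.blocked_flows)}
```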
Once the administrator has gained the confidence to switch on the broadest possible blocking in in-line mode, there are a number of benefits to be gained:

• The attack is prevented from reaching the target host, which not only avoids the inconvenience of down-time on the target host, but also avoids the need for post-attack incident analysis and clean-up.
• The administrator can immediately turn on in-line blocking for a newly discovered attack, thus giving the security staff enough time to patch the vulnerable hosts.
• Down time for mission-critical hosts and applications is minimized: potential attacks and DoS attempts will never actually reach the target hosts.
• IDS evasion and OS fingerprinting are prevented through Protocol Scrubbing (Protocol Normalization): the administrator can be sure that all traffic which passes through the IPS device onto the internal network conforms exactly to the appropriate RFCs or acceptable practices for that protocol.
• With prevention in place, administrators can perform further trend and forensic analysis on the alerts held in the forensic logs to continuously enhance the security posture of the organization.
VI. McAfee IntruShield Approach

In order to handle multiple segments of traffic at Gigabit wire speeds, the McAfee IntruShield sensors make extensive use of dedicated, purpose-built, proprietary hardware that provides the performance required to accurately detect and then prevent network intrusions at wire-speed without packet loss. IntruShield has been designed and built from the ground up as an Intrusion Prevention System. Almost every task undertaken by IntruShield systems benefits from hardware acceleration. For example, IntruShield’s signature processing capabilities require hardware to accelerate repetitive signature detection tasks, such as string matches. As a result, the IntruShield architecture can theoretically support thousands of attack signatures at multi-gigabit data rates, and at the same time continue to detect and prevent first-strike and Denial of Service assaults. Unlike most IDS sensors, which work purely in promiscuous mode (100Mbit) or which are designed to be connected directly to a SPAN port or tap (Gigabit), the IntruShield offers multiple methods of monitoring traffic:

• SPAN or Hub Mode: IntruShield sensors can connect to the SPAN port of a switch or to a port on a hub, thus operating in port mirroring mode. When monitoring through use of SPAN or a hub, the I-2600’s internal tap is disabled. The I-2600 can monitor up to eight SPAN connections, while the I-4000 can monitor up to four.
• Tap Mode: The I-2600 has six 10/100 ports, each with internal full-duplex taps. The I-2600 also has two GBIC ports, which require external taps. Two wire-matched ports, called a port pair, operate together to enable full-duplex transmission, and the internal taps fail open; that is, traffic continues to flow if the sensor fails. The I-2600 can process up to 600 Mbps of aggregate traffic. The I-4000 sensor in external tap mode works the same way as the I-2600 in external tap mode, and the sensor can receive 1Gbps of traffic from each tap port. Up to 2 Gbps of aggregate traffic can be processed by the IDS engine.
• Port Clustering: This allows traffic monitored by multiple ports on a single IntruShield system to be “aggregated” into one traffic stream for state and intrusion analysis. This feature is especially useful in environments with asymmetric routing, where request and response packets may traverse separate network paths. A single IntruShield system can monitor multiple links and maintain accurate and complete state information.
• In-line Mode: When placed directly in the path of a network segment, the I-4000 sensor processes up to 2Gbps of aggregate traffic for security violations in real time. Traffic passes through the detection engine, is checked, and is then sent back to the network. The four-port I-4000 can monitor two full-duplex segments in in-line mode.
A single appliance can also support hybrid deployment modes. For example, an I-2600 deployed at the network perimeter could be in full-duplex tap mode and alerting on two pairs of ports (outside the firewall and in the DMZ) while configured to be in-line and selectively blocking worms inside the private LAN. Multiple ports can be combined or configured to perform different tasks, providing unprecedented deployment flexibility and allowing the IntruShield sensors to easily handle multiple Gigabit segments. Another area which demonstrates the unparalleled flexibility of IntruShield is the use of Virtual IDS (VIDS). Up to 1000 VIDS can be defined across all the ports on the device, and each one can be assigned a unique policy if required. VIDS can be defined based on a block of IP addresses (a CIDR block), or on one or more VLAN tags. IntruShield sensors can process these segments of data and apply multiple traffic policies for the multiple subnets transmitting across a single wire, right down to policies protecting individual hosts. IntruShield supports fail-open and Active-Active stateful failover to deliver high reliability and availability. The IntruShield sensors can also take advantage of new signature updates without a sensor reboot and without losing state or terminating existing flows. Attack coverage has been proven in several independent tests to be one of the broadest and most accurate available in an IPS device, allowing IntruShield to function as a pure IDS device if required, with an extremely high recognition rate. The accuracy and scope of the signatures also enables the security administrator to have a high degree of confidence in IntruShield’s operation in IPS mode. With DoS attacks, the sensor is automatically in learning mode by default, allowing it to monitor the normal network traffic for a period of time so that it is able to determine what constitutes an abnormal flood.

For those administrators who would prefer more manual control over the DoS detection process, it is also possible to switch to threshold mode, where the administrator can set the threshold level and interval for individual DoS attacks. Sophisticated administrators can also enable learning-based and threshold-based detection simultaneously to achieve the best trade-off between accuracy and coverage. Management is extremely flexible and scalable, and the Admin Domains and User Roles features make it easy to delegate the most fine-grained control across the largest organization. Policy definition is also flexible, with a rule-based system allowing for definition of extremely complex policies, which can then be deployed to all sensors across a corporate network in a single operation. Once policies have been activated, the Java-based console provides advanced alert handling and forensic analysis capabilities too. The IntruShield IDS system supports wire-speed performance in high-speed networks without packet loss. Several independent IDS tests have validated the ability of the IntruShield 4000 to sustain multi-gigabit data throughput. In addition, the IntruShield sensors have very low latency (in the order of microseconds) when deployed in real-life networks.
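The learning and threshold modes just described, as an added example that is not IntruShield's own code or algorithm: a Python detector for one DoS attack type that learns a ceiling from a window of normal per-interval counts as mean plus three standard deviations (that statistic is this example's own choice; the paper does not say how IntruShield derives its baseline), accepts an operator-set threshold, and flags an interval when either ceiling is exceeded. The per-second SYN counts are constructed.

```python
from statistics import mean, pstdev
from typing import Dict, List, Optional


class FloodDetector:
    """Flood detection for one DoS attack type, by learning, by threshold, or both.

    Each observe() call supplies the packet count seen in one interval (for
    example, SYNs per second toward a protected host). In learning mode the
    detector treats the first `learn_intervals` intervals as normal traffic and
    derives a ceiling of mean + sigma * standard deviation (this example's own
    statistic). In threshold mode the operator supplies the ceiling directly.
    When both are enabled, an interval is flagged if it exceeds either ceiling.
    """

    def __init__(self, learn_intervals: int = 10, sigma: float = 3.0,
                 manual_threshold: Optional[int] = None, learning: bool = True):
        self.learn_intervals = learn_intervals
        self.sigma = sigma
        self.manual_threshold = manual_threshold
        self.learning = learning
        self.baseline: List[int] = []
        self.learned_limit: Optional[float] = None
        self.intervals_seen = 0

    def observe(self, count: int) -> Dict[str, object]:
        """Record one interval's count and report whether it looks like a flood."""
        self.intervals_seen += 1
        reasons: List[str] = []
        if self.learning and self.learned_limit is None:
            # Still learning: a flood inside this window would poison the baseline,
            # so the manual threshold (if set) keeps applying while we learn.
            self.baseline.append(count)
            if len(self.baseline) >= self.learn_intervals:
                mu, sd = mean(self.baseline), pstdev(self.baseline)
                # Keep at least one packet of headroom so a perfectly flat baseline
                # cannot turn every tiny fluctuation into an alert.
                self.learned_limit = mu + max(self.sigma * sd, 1.0)
        elif self.learning and count > self.learned_limit:
            reasons.append(f"learned limit {self.learned_limit:.1f} exceeded")
        if self.manual_threshold is not None and count > self.manual_threshold:
            reasons.append(f"manual threshold {self.manual_threshold} exceeded")
        return {"interval": self.intervals_seen, "count": count,
                "learned_limit": self.learned_limit,
                "flagged": bool(reasons), "reasons": reasons}


def run_demo() -> List[Dict[str, object]]:
    """Constructed per-second SYN counts: ten quiet seconds, then three probe intervals."""
    detector = FloodDetector(learn_intervals=10, sigma=3.0, manual_threshold=103)
    quiet = [98, 102, 101, 99, 100, 97, 103, 100, 99, 101]  # mean 100, pstdev ~1.73
    for count in quiet:
        detector.observe(count)
    # 104 sits inside the learned band (limit ~105.2) but above the manual threshold,
    # 400 is a flood by both measures, and 101 is normal by both.
    return [detector.observe(104), detector.observe(400), detector.observe(101)]
```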
IntruShield also provides a solution for every budget. Starting with the I-2600 at just $5,000 per port, the ability to support multiple ports and monitor multiple 100Mbit or Gigabit segments using a single device brings the per-port cost down to prices that rival those of almost any competing product in this marketplace.

In summary, the award-winning next-generation IntruShield IDS:
• Dispels the myths about intrusion prevention and provides a pragmatic approach to intrusion detection and prevention
• Overcomes the implementation challenges with a purpose-built appliance designed to address the limitations of legacy IDS
• Delivers on the requirements for effective intrusion prevention with accurate detection, comprehensive attack coverage, and fine-grained policy control per attack and target
• Uniquely provides a seamless path to intrusion prevention in multiple phases, enabling administrators to obtain a security ROI with ease and confidence.
VII. About McAfee Network Protection Services
McAfee Network Protection Solutions keep both large and smaller distributed networks up and protected from attacks. Best-of-breed network protection solutions in the portfolio include the Sniffer® Network Protection Platform for performance management and fault identification, InfiniStream™ performing security forensics on network activity, Network Performance Orchestrator™ (nPO) for centralizing and managing network activity, and McAfee IntruShield delivering network-based intrusion prevention.
McAfee IntruShield
McAfee IntruShield, a part of Network Associates’ McAfee Network Protection Solutions family of products, is a unique cutting-edge technology that prevents intrusions “on the wire” before they hit critical systems. Highly automated and easily managed, McAfee IntruShield is designed with such flexibility that it can be implemented in a phased approach that overcomes the false positives inherent in today’s legacy intrusion detection systems, and thus enables you to develop the right blocking policy for your unique IT infrastructure. For example, you can deploy in-line to notify and block known attacks, and to notify only on unknown attacks. Or you can implement complete blocking, but just for business-critical network segments. IntruShield is delivered in a high-speed appliance that scans traffic and assesses threat levels with blinding speed, even on gigabit networks. It can be used at the edge or in front of key “core” resources. IntruShield has been crafted to satisfy both the security and network administrators: it stops a wide range of network attacks but does so with network latencies typically less than 10 milliseconds. IntruShield also looks for anomalous behavior and includes specialized analysis to find new denial of service “mass attacks”.
VIII. About Network Associates
With headquarters in Santa Clara, Calif., Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium-sized businesses, and consumers. These two product portfolios incorporate Network Associates’ leading McAfee, Sniffer and Magic® product lines. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/.
Comment by Bob Walder, Director, The NSS Group
This is a very interesting marketplace and things are moving very quickly indeed. No sooner have we started to notice a broader adoption of Intrusion Detection Systems (IDS) than we are already seeing them referred to as “legacy” systems. IDS vendors are fighting back, of course, by claiming intrusion prevention capabilities of their own, and the resulting marketing spin put on by both parties can only serve to muddy the waters for the poor security administrator tasked with determining which is the best product for his or her environment. It is important to remember, however, that IDS devices were never designed with IPS in mind—they are detection mechanisms, not prevention. It is a little harsh to beat them up over an inability to prevent attacks—that’s like buying a pair of Wellington boots and then moaning that they don’t prevent your head from getting wet in the rain! Unless a device is placed in-line, it is extremely difficult to perform any kind of guaranteed prevention. In most cases, sending TCP resets or reconfiguring firewalls are ineffective prevention mechanisms—by the time the response has been completed the exploit payload has probably been delivered. The only way to stop a packet (and the rest of the data flow to which it belongs) dead in its tracks is to operate in-line. There are a number of features that we would consider essential in a true IPS product. Probably the most important is the ability to operate in in-line mode. This may seem like a superfluous requirement given the nature of the product, but since some IDS vendors are claiming “intrusion prevention capability” in their marketing campaigns—which turns out to be nothing more than sending TCP reset commands across the wire or reconfiguring a perimeter firewall—then it is an important distinction to make up front.
The problem with working in-line, of course, is that there is always the potential to affect performance and reliability of the rest of the network. If the IPS device fails open, the worst that can happen is that you miss an exploit—if it fails closed, you could cut off all external access to and from your network completely. Reliability is therefore essential. The IPS appliance must offer the maximum up-time possible, and should not require a reboot to apply signature updates. Given that it can represent a single point of failure, it would be nice if it offered some form of failover mechanism for those sites that need guaranteed 100% availability. As far as performance is concerned, the wish list would have “zero packet loss” and “zero latency” at the top. Zero packet loss under all normal loads is essential, of course, if the device is not to run the risk of missing exploit packets. Unfortunately, given the amount of processing that these devices have to perform for the majority of the packets passing through them, increased latency is something we will have to live with—but at least it should be kept to a minimum. Finally, broad and accurate signature coverage is also essential. Bear in mind that if you are going to place your IPS device in-line and turn on the blocking mechanism, you had better be pretty confident that the signatures you have deployed are not prone to false positives. If you do not want to run in blocking mode, or if you want to block only a selected subset of signatures, then you still require a signature set that is comprehensive enough to allow the device to operate as an effective IDS. There are other key requirements which are common to both IPS and IDS devices of course—a good alert handling and reporting mechanism, centralized management and configuration, flexible policy definition and deployment, and regularly updated signature sets, to name but a few. 
The NSS Group has produced a number of independent group test reports on IDS and IPS technologies which can be obtained via their Web site at www.nss.co.uk
All Network Associates® products are backed by our PrimeSupport® program and Network Associates Laboratories. Tailored to fit your company’s needs, PrimeSupport service offers essential product knowledge and rapid, reliable technical solutions to keep you up and running. Network Associates Laboratories, a world leader in information systems and security, is your guarantee of the ongoing development and refinement of all our technologies. Network Associates, Sniffer, Network Performance Orchestrator (nPO), nPO Manager, nPO Visualizer, and PrimeSupport are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ©2003 Networks Associates Technology, Inc. All Rights Reserved. 6-av-ins-inp-001/0603