You are on page 1of 107

Getting Started Guide

revision 3.0

McAfee IntruShield IPS System


IntruShield Security Management System
version 3.1

McAfee
Network Protection
Industry-leading intrusion prevention solutions

COPYRIGHT
Copyright 2001 - 2006 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without
the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION
PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET
TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS
DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA)
are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of
McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION


License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES
YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT
CD, OR A FILE AVAILABL
E ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE
AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A
FULL REFUND.

License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software
written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free
Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.
The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made
available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that
McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over
the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by
Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation
(http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for
Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C)
2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001
Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark
Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989,
1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C)
2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C)
1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by
Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by
Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software
copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. *
Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of
Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the
Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C)
2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by
Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M.
Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison
and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. *
Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by
Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Jrvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. *
Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C)
2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted
by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001,
2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software
copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. *
Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software
Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990,
1993, with code derived from software contributed to Berkeley by Chris Torek..

Issued JANUARY 2007 / Getting Started Guide


700-1246-00 / 3.0 English

Contents
Preface ........................................................................................................... v
Introducing the McAfee IntruShield IPS System ........................................................................... v

1 Intrusion Prevention and IntruShield...................................................... 1


What is an attack?......................................................................................................................... 1
What is an Intrusion Detection System (IDS)? .............................................................................. 3
What is an Intrusion Prevention System (IPS)? ............................................................................ 4
Detection and prevention with IntruShield..................................................................................... 6

2 IntruShield System Basics ....................................................................... 7


IntruShield system components .................................................................................................... 7
The IntruShield Security Management system.............................................................................. 8
IPS Update Server ...................................................................................................................... 11
Modes of sensor deployment ...................................................................................................... 12
Manager Disaster Recovery (MDR) ............................................................................................ 17
Entercept Integration ................................................................................................................... 19

3 Basics of Using IntruShield ................................................................... 21


Deciding where to deploy sensors and in what operating mode................................................. 21
Setting up your sensors............................................................................................................... 22
Establish sensor-to-Manager communication ............................................................................. 23
Viewing and working with data generated by IntruShield............................................................ 24
Configuring your deployment using the Manager ....................................................................... 25
Updating your signatures and software....................................................................................... 26
Tuning your deployment.............................................................................................................. 27

4 Pre-Installation Considerations ............................................................. 28


Pre-deployment questions........................................................................................................... 28

5 IntruShield Sensor Deployment Modes ................................................ 33


Flexible deployment options........................................................................................................ 33
Deploying sensors in in-line mode .............................................................................................. 35
Deploying sensors in tap mode ................................................................................................... 38
SPAN port and hub monitoring.................................................................................................... 41
High-Availability........................................................................................................................... 43
Interface groups .......................................................................................................................... 44

6 Working with IntruShield Resources .................................................... 46


IntruShield resources .................................................................................................................. 46
Relationship between sensors and resources in the Resource Tree.......................................... 49

7 Administrative Domains ......................................................................... 53


What is an administrative domain? ............................................................................................. 53
Admin domain hierarchy.............................................................................................................. 55
Alert and fault notification and forwarding ................................................................................... 56

8 Working with Security Policies.............................................................. 58

iii

What are security policies? ......................................................................................................... 58


Policy application......................................................................................................................... 58
Pre-configured policies................................................................................................................ 62
Configuring policies in IntruShield ............................................................................................... 64
Exporting and importing policies ................................................................................................. 67
Policy inheritance ........................................................................................................................ 67
Response management .............................................................................................................. 68
Denial of Service (DoS) modes ................................................................................................... 72
Countering SYN floods with SYN cookies................................................................................... 73
Access control lists...................................................................................................................... 74
IP spoofing detection................................................................................................................... 75
ARP spoofing detection............................................................................................................... 76
Decrypting SSL for IPS inspection .............................................................................................. 76
Vulnerability assessment............................................................................................................. 78

9 Managing Users in IntruShield .............................................................. 79


User management in IntruShield................................................................................................. 79
Roles within IntruShield............................................................................................................... 80

10 Working with Alerts .............................................................................. 83


What are alerts? .......................................................................................................................... 83
About the Incident Generator ...................................................................................................... 89
About Reports ............................................................................................................................. 90
Alert and packet log archival ....................................................................................................... 91

11 Deployment for Beginner, Intermediate, and Advanced Users........ 93


Deployment flexibility................................................................................................................... 93
Deployment scenario for beginners............................................................................................. 93
Deployment scenario for intermediate users............................................................................... 94
Deployment scenario for advanced users ................................................................................... 94

Index ............................................................................................................. 96

iv

Preface
This preface introduces the material covered in this Guide.

Introducing the McAfee IntruShield IPS System


McAfee IntruShield delivers the most comprehensive, accurate, and scalable network
IPS solution for mission-critical enterprise, carrier, and service provider networks,
while providing unmatched protection against spyware and known, zero-day, and
encrypted attacks.
The IntruShield system combines real-time detection and prevention for the most
comprehensive and effective network security system on the market.
What do you want to do?

Learn more about McAfee IntruShield system components (on page 7)


Learn how to get started
Learn about the Home page and interaction with the IntruShield Manager
interface

Related documentation
The following documents and on-line help are companions to this guide. Some
documents are in PDF format, some printed, and others are integrated with the
Manager user interface.

McAfee IntruShield IPS System 3.1


Getting Started Guide

Introducing the McAfee IntruShield IPS System

Document

Type of Information

Location

Quick Start Guides

System setup and installation


overview

Printed, located in product


boxes

INTR_(<sensornum>
Quick_Guide.pdf)
Getting Started Guide
(INTR_Getting_Started_31.pdf)
Sensor Product Guides
(<sensornum> Prod_Guide_31.pdf)

Product overview
Product concepts
Deployment best practices

Adobe Acrobat format,


located on the product
CDs

Sensor description
Sensor setup
Cabling the sensor

Adobe Acrobat format,


located on the product
CDs

System troubleshooting

Adobe Acrobat format,


located on the product
CDs

e.g., INTR_I1200_Prod_Guide_31.pdf
IntruShield Troubleshooting Guide
INTR_Troubleshooting_31.pdf
System requirements
Installing and initializing a
sensor
Upgrading or replacing a
sensor
Removing a sensor
Sensor Command Line
Interface (CLI) reference
System requirements
Resolved issues
Known issues
Technical support
Last-minute additions or
changes to the product or
documentation.

Sensor Configuration Guide


(INTR_Sensor_Config_31.pdf)

Release Notes

Conventions used in this guide


This document uses the following typographical conventions:

vi

Adobe Acrobat format,


located on the product
CDs

Printed, located in the


product box

McAfee IntruShield IPS System 3.1


Getting Started Guide

Introducing the McAfee IntruShield IPS System

Convention

Example

Procedures are presented as a series of numbered


steps.

1. On the Configuration tab, click Backup.

Terms that identify elements, options, selections, and The Service field on the Properties tab specifies
commands on the screen are shown in bold.
the name of the requested service.
Menu or action group selections are indicated using a Select Sensors > Configuration > Add/Delete Sensor.
right angle bracket.
Characters that you must type exactly are shown in a Type: setup and then press ENTER.
typewriter font.
Keywords and values that you must type exactly as
printed are shown in a typewriter font.

exit

Variable values are shown in italics.

set sensor name <WORD>

Parameters that you must supply are shown enclosed set sensor ip <A.B.C.D>
in angle brackets.
Caution:
Information that you must read before beginning a
procedure or that alerts you to negative
consequences of certain actions, such as loss of data
is denoted using this notation.
Information that you must read to prevent injury,
accidents from contact with electricity, or other
serious consequences is denoted using this notation.

Warning:

Notes that provide related, but non-critical,


information are denoted using this notation.

Note:

Contacting Technical Support


If you have any questions, contact McAfee for assistance:

On-line
Contact McAfee Technical Support (http://mysupport.nai.com).
Registered customers can obtain up-to-date documentation, technical bulletins, and
quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers
can also resolve technical issues with the online case submit, software downloads,
and signature updates.

Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended
24x7 Technical Support is available for customers with Gold or Platinum service
contracts. Global phone contact numbers can be found at
http://mysupport.nai.com/priority_contacts.asp
(http://mysupport.nai.com/priority_contacts.asp).

vii

McAfee IntruShield IPS System 3.1


Getting Started Guide

Introducing the McAfee IntruShield IPS System

Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided
with a user name and password for the online case submission.

viii

CHAPTER 1

Intrusion Prevention and IntruShield


In the early days of computers, information stored on a computer was very difficult to
get to without physical access to the computer itself. In those days, you hired security
guards to deter intruders, put a sturdy lock on the door, turned on the security alarm,
and your data was safe and sound. Attacks on the data was expensive, usually
physical, and required great planning and technical savvy.
Unfortunately, the many advances in technology changed all that. Back then,
intrusion or attacks on computers was viewed as something unlikely, infeasible.
These days a corporate network is prey even to pre-teens sitting in their bedrooms at
home. The Internet is crawling with people from all walks of life who are continuously
trying to test the security of various systems and networks. Some are simply seeking
some sort of intellectual high, while others are fueled by more treacherous motives,
such as revenge or stealing for profit.
It is now much more important to make sure all of the doors and windows to your
network are locked, the alarm is turned on, and that your security system knows what
to look for. Because these days the question of intrusion is no longer if it will happen,
but when.

What is an attack?
An attack is any unauthorized action taken with the intent of hindering, damaging,
incapacitating, or breaching the security of a network. An attack typically prepares for
or carries out threats to your critical assets.
Some attempts to infiltrate a network are relatively harmless, but others can bring the
network to a grinding halt and cripple a business. Individuals who intrude on or attack
a system are known by a number of names, but are generally referred to as crackers,
or more popularly, hackers. In this documentation set, these individuals are referred
to as attackers.
Intrusion detection is the discovery of an attack or intrusion. Intrusion prevention is
blocking an attack before it reaches its target. Attacks are actions performed by an
attacker that pose a threat to the security state of a protected entity in terms of
confidentiality, integrity, authenticity, availability, authorization, and access policies.
Attacks can be active, wherein the goal is to directly exploit some vulnerability in a
system or software package. In contrast, passive attacks generally consist of
monitoring or eavesdropping on traffic with the intention of viewing or capturing
sensitive data. The result of a successful active attack is an intrusiondisruption of
the normal services, unauthorized access, and/or some form of tampering with the
system.
Intrusion detection can also identify security-related events in a system that may not
be triggered by an attack, such as server malfunctions.

McAfee IntruShield IPS System 3.1

Intrusion Prevention and IntruShield

Getting Started Guide

What is an attack?

When attackers attack


When attackers attack a network, they abuse rules established by the network. The
rules are broken in a way that makes the attack appear to be a normal transmission.
Active attacks can generally be divided into the following categories:

ExploitsAn exploit is an attempt by an attacker to take advantage of hidden

features or bugs in a system in order to gain unauthorized access. Examples


include buffer overflows, directory traversal, and DNS cache poisoning.
Denial-of-service (DoS) and Distributed Denial-of-service (DDoS) attacksIn a DoS attack,
the attacker attempts to crash a service (or the machine), overload network links,
overload the CPU, or fill up the disk. The attacker does not always try to gain
information, but to simply act as a vandal to prevent you from making use of your
machine. Ping floods and Smurf attacks are examples of DoS attacks. DDoS
attacks usually consist of DoS attacks orchestrated by attackers covertly
controlling many, sometimes hundreds, of different machines.
ReconnaissanceThese include host sweeps, TCP or UDP port scans, e-mail
recons, brute force password guessing, and possibly indexing of public Web
servers to find CGI holes or other system vulnerabilities that might later be
exploited.
Policy ViolationsAll activities for which the underlying traffic content may not be
malicious by itself, but are explicitly forbidden by the usage policies of the
network as defined by a security policy. These can include protocol violations
wherein packets do not conform to network protocol standards. (For example,
they are incorrectly structured, have an invalid combination of flags set, or
contain incorrect values.) Examples might include TCP packets with their SYN
and RST flags enabled, or an IP packet whose specified length doesnt match its
actual length. A protocol violation can be an indication of a possible attack, but
can also be triggered by buggy software or hardware.
Some attackers are looking for specific information or targeting a specific company.
Others are simply seeking an easy target. Some are advanced users who develop
their own tools and leave behind sophisticated backdoors. Others have no idea
what they are doing and only know how to start the script theyre playing with.
Regardless of their skill level, they all share a common strategy: use tools to search
the entire Internet for a specific weakness, then exploit that weakness. Sooner or
later they find someone vulnerable. Anyone can be a target in a search, at any time
from established companies with networks developed over decades, to companies
whose network has been up for two days. Sooner or later, you will be probed.
Because networks are typically running 24 hours a day, attacks can occur at any
time. Attacks often occur at night when domestic attackers who have day jobs, go to
school, or do other things during the day that preclude attacking. Attacks can also
occur during the day when it is evening in other parts of the world, such as Eastern
Europe and Korea, which have become origins of numerous attacks.

Detecting attacks
Early intrusion detection was performed strictly using pattern matching schemes.
Most attackers implement techniques that are tried, true, and well known in the
security community. Unless the attacker is writing his own tools, she/he must rely on
available, existing tools, each of which has limitations peculiar to its particular design.
Thus, from the victim's point of view, all attacks using such tools will look basically the

McAfee IntruShield IPS System 3.1

Intrusion Prevention and IntruShield

Getting Started Guide

What is an Intrusion Detection System (IDS)?

same. For example, seeing default.ida in the URL field of an HTTP packet along
with a specific pattern in the URL argument name field implies a Code Red attack and
thus fits a standardor signatureattack pattern.
Pattern matching relies upon knowing all of the ways the rules can be broken, and
works by comparing network traffic to a database of attack patterns, which are called
signatures. Signature-based detection, also known as misuse detection or rule-based
detection, attempts to capture the manifestation of attacks in signatures and, if
configured to do so, apply specific countermeasures based on each signature. This is
very effective for known attacks with well-known signatures.
However, this method of detection is flawed in three ways: first, it works only for
known attacks. Attackers tend to be clever, and they continuously create new ways to
hack a system, which quickly outdates the pattern-matching database. Second,
pattern matching uses significant computing cycles to work effectively, and this can
be exploited by hackers through overloading, which obscures the pattern-matching
systems visibility. Relying on signature detection alone leaves you unprotected
against new or especially complex attacks.
Anomaly detection is another detection method, used to more effectively protect
against unknown, or first-strike attacks. Anomaly detection attempts to capture the
long-term normal behavior of the protected system in profiles (specifications of the
behavior of traffic over a short- or long-term), and sends an alarm when significant
deviation from the normal behavior is discovered. Profiles are created using statistical
measures or other behavior specifications that can be applied to multiple platforms
and operating systems. There are multiple learning disciplines that make it possible to
create and maintain profiles statistical, neural nets, fuzzy logic, genetic, and so
forth. Anomaly detection is particularly useful when confronted with distributed denial
of service (DDoS) and slow-scans attacks, which can affect a system over an
extended period of time.
Another special method of detection is denial of service (DoS) detection. A DoS
attack disrupts service to a network or computer, and often occurs at the firewall or in
the DMZ, particularly DMZ Web and mail servers. There are two ways to detect DoS
attacks. First, there is threshold-based detection, wherein the IDS monitors for traffic
volumes exceeding a threshold pre-configured by a network administrator. (This
method requires you to fully understand your typical traffic pattern in order to pick
good threshold values, otherwise it can produce a lot of false alarms due to traffic
fluctuations, such as flash crowdse.g., everyone logging on the network at 9
a.m.or other legitimate increased traffic.) The second method is by learned
behaviorlearning long-term normal behavior and comparing it to short-term
observed behavior. Combining the methods greatly improves the reliability of
detection.

What is an Intrusion Detection System (IDS)?


An Intrusion Detection System (IDS) is software or a hardware/software combination
that attempts to detect and respond to attempted intrusions into a system or network.
An IDS complements firewalls or anti-virus software by providing thorough network
packet content inspection and protecting against attacks embedded within what a
firewall might perceive as seemingly benign network traffic.
There are several classifications of IDS.

McAfee IntruShield IPS System 3.1

Intrusion Prevention and IntruShield

Getting Started Guide

What is an Intrusion Prevention System (IPS)?

Host- or Network-based. A host-based IDS is concerned with what is happening on


each individual computer or host and is able to detect such things as repeated
failed access attempts or changes to critical system files. A network-based IDS
(NIDS) examines all of the packets flowing through your network. A NIDS is able
to understand all of the details of many protocols such as headers or protocol
fields within a packet and can thus detect maliciously crafted traffic content.
There are various types of network-based IDSthese can take the form of
software agents running at various points throughout the network, or hardware
sensors placed at strategic locations to examine network traffic.
Signature, Anomaly, and Denial of Service detection. Another classification describes the
types of misuse that an IDS detects. As described in the section Detecting
attacks (on page 2), signature detection techniques systematically scan network
traffic looking for signature patterns of known attacks, comparing these patterns
against an extensive database of signatures. Anomaly detection determines a
baseline of normal behavior of network traffic, and then attempts to detect
intrusions by noting significant departures from normal behavior. Signaturebased detection concentrates on known attack patterns, while anomaly detection
is best at picking up new or unknown attacks. Denial of Service (DoS) attack
detection characterizes normal traffic using pre-programmed thresholds or realtime, self-learning distributions, and then using this data to detect what might
constitute a maliciously excessive consumption of network bandwidth, host
processing cycles or other resources.
Passive, reactive, or preventive IDS. Passive intrusion detection systems sniff packets
as they traverse your network. They can detect the potential security breach, log
the information about the attack, and raise an alert. Reactive systems are
designed to respond to the intrusionfor example, by logging off a user or by
reprogramming the firewall to disallow network traffic from a suspected hostile
source. Both types of technology enable you to respond only after the attack has
occurred. A preventive system sits in the path of your network traffic and thus is
able to detect and drop hostile packets before they reach their target.

What is an Intrusion Prevention System (IPS)?


The IntruShield system is a network-based Intrusion Prevention System (IPS) that
combines network sensor appliances and management software for the accurate
detection and prevention of known attacks using signature detection, unknown (first
strike) attacks using anomaly detection, denial of service (DoS) attacks, and
distributed denial of service (DDoS) attacks. The IntruShield IPS couples real-time
IDS with preventionthe ability to block attacks before they reach their targetto
offer the most powerful, comprehensive and effective network security system in the
market.
IntruShield offers multi-gigabit performance, flexible deployment, robust scalability,
and easy-to-use intrusion detection and prevention.

McAfee IntruShield IPS System 3.1

Intrusion Prevention and IntruShield

Getting Started Guide

What is an Intrusion Prevention System (IPS)?

Comprehensive Intrusion Detection. IntruShield is the only comprehensive network-

based IPS solution available. Only IntruShield encompasses all of todays


applicable IPS technologies to allow customers to detect known (using
signatures), new/unknown (using anomaly techniques) and Denial-of-Service
(DoS) attacks (using hybrid algorithms employing statistical and heuristic
methods). The combination of these techniques significantly increases the
capability and accuracy of the IPS. The majority of current products are
exclusively signature-based and have little to no anomaly or DoS detection
capabilities. No product on the market has the breadth or depth of coverage of
IntruShield. For example, IntruShield can inspect SSL traffic and HTTP response
traffic. In addition, IntruShield also detects attacks with unprecedented accuracy
thanks to:
Full protocol analysis and state tracking
Multi-trigger, multi-field pattern matching

Hardware acceleration to deliver wire-speed detection

IntruShields ability to see all of the traffic in a variety of deployment modes,


including active/active, active/passive, and asymmetrically-routed traffic
environments.
Intrusion Prevention. IntruShield can run in-line, so you can mediate the traffic flow
and block malicious traffic before reaching its target. Current IDS products
operate in a monitoring-only mode (operating as a sniffer) and cannot
effectively and reliably block the malicious traffic before the damage is done. In
sniffing mode, you see the attack at the same time it hits the target. You can
apply some countermeasures, like TCP resets and firewall rule reconfiguration,
but these are reactive actions. When running in-line, IntruShield can proactively
drop malicious packets and not pass them through the network, so they never
reach their target.
In addition to dropping malicious traffic, IntruShield provides packet scrubbing
functionality to remove protocol inconsistencies resulting from varying
interpretations of the TCP/IP specification, which can be used by hackers to
evade IDS systems and other security devices.
Flexible Deployment Options. Existing products were designed when shared media
networks were common and are not easy to deploy in today's switched
environments. Furthermore, the IntruShield product line allows customers to
protect today's higher speed network segments ranging from 100Mbps up to
multi-Gbps, whereas current products are primarily limited to sub-100Mpbs
environments. IntruShield provides wire-speed monitoring and analysis up to
multi-Gbps network segments in three flexible modes of deployment, enabling
you to easily integrate it into your network and adapt to any network or security
changes that you may encounter in the future.
Some IntruShield sensor models contains built-in 10/100Mbps Ethernet taps,
thus making it extremely easy to switch between tap and in-line modes through
software reconfiguration; no physical rewiring is required.
The multi-port configuration of all IntruShield sensors empowers comprehensive
network-wide IDS deployment with significantly fewer sensors.
Virtual IPS. Most products enable you to implement a single security policy per
sensor. IntruShields Virtualization feature (called VIDS or VIPS) enables you to
segment an IntruShield sensor into a large number of virtual sensors with each
implementing a custom security policy, including individualized attack selection
and associated response actions. This capability allows you to implement and
enforce a heterogeneous set of security policies with a single sensor, better
serving the differing security needs within an organization. It further reduces the
number of sensors required for a network-wide IPS deployment, and it reduces
the number of irrelevant alerts.

McAfee IntruShield IPS System 3.1

Intrusion Prevention and IntruShield

Getting Started Guide

Detection and prevention with IntruShield

High-Availability. Sensors support high-availability deployment, using stateful

sensor failover between two hot-standby sensors. The sensors are


interconnected, copy traffic between themselves, and maintain synchronization.
If one sensor fails, the standby sensor automatically takes over and continues to
monitor the traffic with no loss of session state or degradation of protection level.
IntruShield also supports Manager disaster recovery. If, for any reason, the
primary Manager goes off-line, its secondary can automatically take its place,
processing alerts and managing sensor configuration.
Scalable IPS Management. A scalable Web-based architecture allows customers to
efficiently manage their IPS deployment while reducing operational costs. The
configurable IntruShield real-time signature and software update mechanism
automates the process of keeping the complete system current with little or no
human intervention, thus reducing on-going operating costs.

Detection and prevention with IntruShield


Detection with the IntruShield IPS goes beyond the simple string matching used in
many current IDS signature engines. IntruShield sensors analyze and validate the
traffic to its basic protocol elements and inspect specific protocol fields to improve
accuracy, while maintaining full flow and application state. The sensors perform IP
fragment reassembly and TCP stream reassembly, and perform thorough protocol
analysis all the way up to the Application Layer. The signature engine searches in a
flow for multiple triggers (that is, sub-signatures) in multiple fields of a protocol using
IntruShields embedded signature files to increase the precision by which an attack
can be unambiguously detected.
Once the packet is captured, it is analyzed into its corresponding protocol fields. The
sensor analyzes a frame completely and thoroughly from Layers two through seven,
and understands the semantics of the protocol fields even at the Application Layer.
After it analyzes the protocols, it verifies that the packet conforms to the protocol
specification. IntruShield then passes the parsed packet through its DoS, Signature,
and Anomaly detection engines. This enables IntruShield to be very efficient in terms
of packet processing because the packet is peeled only once and then fed to the
corresponding detection engines. All these processes are hardware-accelerated to
provide the required wire-speed performance.
If the detection engines detect something, they pass an alert and corresponding data
to the Management process that is running on the sensor. The Management process
can then trigger the appropriate response, based on policy, and send alerts to the
central IntruShield Manager platform. This response can include averting the attack
entirely. If an IntruShield sensor is running in in-line mode on the network, you can
enable blocking, which causes the sensor to drop the attack so that the attack never
reaches its goal.

CHAPTER 2

IntruShield System Basics


This section provides an overview of the system and its components.

IntruShield system components


The IntruShield system consists of the following major components:

IntruShield sensor appliances. (on page 7)


the IntruShield Security Management System (on page 8), with its Web-based
graphical user interface.
the IntruShield Update Server (on page 11).

IntruShield sensors
IntruShield sensors are high-performance, scalable, and flexible content processing
appliances built for the accurate detection and prevention of intrusions, misuse,
denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks.
IntruShield sensors are specifically designed to handle traffic at wire-speed, efficiently
inspect and detect intrusions with a high degree of accuracy, and flexible enough to
adapt to the security needs of any enterprise environment. When deployed at key
network access points, an IntruShield sensor provides real-time traffic monitoring to
detect malicious activity and respond to the malicious activity as configured by the
administrator.
Once deployed and once communication is established, sensors are configured and
managed via the central IntruShield Manager server, described in the section The
IntruShield Security Management system (on page 8).

Sensor functionality
The primary function of an IntruShield sensor is to analyze traffic on selected network
segments and to respond when an attack is detected. The sensor examines the
header and data portion of every network packet, looking for patterns and behavior in
the network traffic that indicate malicious activity. The sensor examines packets
according to user-configured policies, or rule sets, which determine what attacks to
watch for, and how to react with countermeasures if an attack is detected.
If an attack is detected, the sensor raises an alert to describe the event, and
responds according to its configured policy. Sensors can perform many types of
attack responses, including generating alerts and packet logs, resetting TCP
connections, blocking traffic at firewalls, scrubbing malicious packets, and even
dropping packets entirely before they reach their target.

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

The IntruShield Security Management system

McAfee offers several types of sensor platforms providing different bandwidth and
deployment strategies. These are the IntruShield 1200,1400, 2600, 2700, 3000,
4000, and 4010 sensors.
Each sensor is described in its own Sensor Product Guide.

IntruShield Sensor Information


Monitoring Ports

Sensor

Aggregate
Performance

10/100
Base-T

I-1200

100Mbps

I-1400

GBIC

Response
Ports
SFP
GBIC

Failover Port(s)

Internal
Taps

10/100 Base-T Posts Used

Yes

Response port

200Mbps

Yes

Response port

I-2600

600Mbps

Yes

4A

I-2700

600Mbps

Yes

4A

I-3000

1Gbps

No

HA1 and HA2


(6A and 6B)

I-4000

2Gbps

No

2A and 2B

I-4010

2Gbps

No

HA1 and HA2


(6A and 6B)

12
4
12

4 Fail-open Control Ports (I-3000 and I-4010 only)


1 10/100 Base-T Management Port
1 Console Port and 1 Auxiliary Port
Redundant power supply (I-2700, I-3000, I-4000, I-4010)

The IntruShield Security Management system


The IntruShield Security Management (ISM) system consists of the hardware and
software resources that are used to configure and manage your IntruShield
deployment.
There are three software versions of the ISM system:

McAfee IntruShield Global Managerbest suited for global IPS deployments of more
than six sensors. The Global Manager is supported on Windows Server 2003
(Standard Edition).
McAfee IntruShield Managercan support large or distributed deployments of up to
six sensors. IntruShield Manager is supported on Windows Server 2003
(Standard Edition).
McAfee IntruShield Manager Startercan support two sensors. IntruShield Manager
Starter is supported on Windows Server 2003 (Standard Edition).

Note: This document uses the term Manager to describe either version.

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

The IntruShield Security Management system

Functionally, the products are otherwise identical. The license file provided to you by
McAfee determines which version of ISM you install.

Manager components
The IntruShield Manager is a term that represents the hardware and software
resources that are used to configure and manage the IntruShield system. The
Manager consists of the following components:

a hardware/OS server platform (Microsoft Windows Server 2003, Standard


Edition).
the Manager software (on page 8).
a backend database (on page 10) to persist data (MySQL or Oracle9i).
a connection to the IntruShield Update Server (on page 11).

The Manager server platform


The IntruShield Manager server is a dedicated Windows Server 2003 system running
the Manager software. You remotely access the Manager interface from a Windows
XP system using an Internet Explorer browser session.
IntruShield sensors use a built-in 10/100 Management port to communicate with the
Manager server. You can connect a segment from a sensor Management port directly
to the Manager; however, this means you can only receive information from one
sensor (typically, your server has only one 10/100 network port). McAfee
recommends using a separate, dedicated management subnet to interconnect the
sensors and the Manager to isolate and protect your management traffic. During
sensor configuration, described in the Sensor Configuration Guide, you will establish
communication between your sensor(s) and your Manager server.

The IntruShield Manager Software


The IntruShield Manager software has a Web-based user interface for configuring
and managing the IntruShield system. IntruShield users connect to the Manager
server from a Windows XP system using the Internet Explorer browser program. The
Manager interface runs with Internet Explorer version 5.5 or later. The Manager
functions are configured and managed through a GUI application, the Manager
interface, which includes complementary interfaces for system status, system
configuration, report generation, and fault management. All interfaces are logically
parts of the Manager program.
The Manager has five components:

Manager Home page. The Manager Home page is the first screen displayed after the
user logs on to the system. The Manager Home page displays system health-i.e.,
whether all components of the system are functioning properly, the number of
unacknowledged alerts in the system, and the configuration options available to
the current user. Options available within the Manager Home page are
determined by the current user's assigned role(s).
System Health. The System Health page displays the status of the Manager,
database, and any deployed sensors; including all system faults.

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

The IntruShield Security Management system

Configuration page. The Configuration page provides all system configuration

options, and facilitates the configuration of your sensors, failover pairs of


sensors, administrative domains, users, roles, attack policies and responses,
user-created signatures, and system reports. Access to various activities, such
as user management, system configuration, or policy management is based on
the current user's role(s) and privileges.
Alert Manager. The Alert Manager page displays detected security events that
violate your configured security policies. The Alert Manager provides powerful
drill-down capabilities to enable you to see all of the details on a particular alert,
including its type, source and destination addresses, and packet logs where
applicable.
Reports. Users can generate reports for the security events detected by the
system and reports on system configuration. Reports can be generated manually
or automatically, saved for later viewing, and/or emailed to specific individuals.
Other key features of the Manager include:

The Incident Generator: The Incident Generator enables creation of attack incident
conditions, which, when met, provide real-time correlative analysis of attacks.
Once incidents are generated, view them using the Incident Viewer, which is within
the Alert Manager tool.
Note: For more detailed information on IntruShield Manager components, see
the Manager Configuration Guide.

Integration with third-party products: IntruShield enables the use of multiple thirdparty products for analyzing faults, alerts, and generated packet logs.

Fault/Alert forwarding and viewing: You have the option to forward all fault
management events and actions, as well as IPS alerts to a third-party
application. This enables you to integrate with third-party products that
provide trouble ticketing, messaging, or any other response tools you may
wish to incorporate. Fault and/or alert forwarding can be sent to the following
ways:
-Syslog Server: forward IPS alerts and system faults
-SNMP Server (NMS): forward IPS alerts and system faults
-Java API: forward IPS alerts
-Crystal Reports: view alert data from database via email, email pager, or
script

Packet log viewing: view logged packets/flows using third-party software,


such as Ethereal.

The Manager database


The IntruShield Manager server operates with an RDBMS (relational database
management system) for storing persistent configuration information and event data.
The compatible databases are as follow:

MySQL: The IntruShield Manager for Windows (only) includes a MySQL database

that can be installed (embedded) on the target Windows server during Manager
software installation.
Your MySQL database can be tuned on-demand or by a set schedule via
Manager interface configuration. Tuning promotes optimum performance by
defragmenting split tables, re-sorting and updating indexes, computing query
optimizer statistics, and checking and repairing tables.

10

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

IPS Update Server

To graphically administrate and view your MySQL database, you can download
the MySQL administrator at the http://dev.mysql.com/downloads/administrator.
http://dev.mysql.com/downloads/administrator
Oracle9i: You can use an Oracle9i database that is running on a remote Solaris
server with IntruShield Global Manager only.
McAfee recommends that you employ an Oracle DBA for all database-related
maintenance and management.
For recommendations on deploying an Oracle database for IntruShield, see the
Oracle9i Deployment Guide, available on the product CD.

IPS Update Server


For your IntruShield IPS to properly detect and protect against malicious activity, the
Manager and sensors must be frequently updated with the latest signatures and
software patches available. Thus, the IntruShield team constantly researches and
develops performance-enhancing software and attack-detecting signatures that
combat the latest in hacking, misuse, and denials of service (DoS). When a severeimpact attack happens that cannot be detected with the current signatures, a new
signature update is developed and released. Since new vulnerabilities are discovered
regularly, signature updates are released frequently.
New signatures and patches are made available to customers via the IntruShield
Update Server. The IPS Update Server is a McAfee-owned and -operated file server
that houses updated signature and software files for IntruShield Managers and
sensors in customer installations. The IPS Update Server securely provides fully
automated, real-time signature updates without requiring any manual intervention.
Note: Communication between the Manager and the Update Server is SSLsecured.
You have the following options for obtaining updates from the IPS Update Server:
Tip: To configure Update Server settings from the Manager interface, refer to the
Manager Configuration Guide.
1

Connecting directly from your Manager server (via Manager interface action).

Connecting via proxy server (via Manager interface action). You will then
authenticate as in option 1.

Connecting from any Windows XP system via browser, downloading updates to


that system, and then importing the update to the Manager. This method can
provide your Manager server with the safest defense against Internet attacks
since no Internet connection is used by your Manager server. The import feature
is a Manager interface action.

Connecting from any Windows XP system via browser, downloading software


updates to a TFTP server, and then loading the updates directly onto the sensor
using the sensors command line interface (CLI). This is for sensor software
updates only. Refer to the Sensor Configuration Guide.

11

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Modes of sensor deployment

Configuring software and attack signature updates


You configure interaction with the IPS Update Server using the Managers
Configuration page. You can pull updates from the Update Server on demand or you can
schedule update downloads. With scheduled downloads, the Manager polls the
Update Server (over the Internet) at the desired frequency. If an update has been
posted, that update is registered as Available in the Manager interface for ondemand downloaded. Once downloaded to the Manager, you can immediately
download (via an encrypted connection) the update to deployed sensors or deploy
the update based on a sensor update schedule you define. Acceptance of a
download is at the discretion of the administrator.
You have a total of five update options:

Automatic update to the Manager, manual update from the Manager to sensors. This option

enables the Manager server to receive updates automatically, but allows the
administrator to selectively apply the updates to the sensors.
Manual update to the Manager, automatic update from the Manager to sensors. This option
enables the administrator to select updates manually, but once the update is
selected, it is applied to the sensors automatically, without reboot.
Fully manual update. This option allows the security manager to determine per
update which signature update to apply and when to push the update out to the
sensor(s); in essence, the management system is completely customizable. You
may wish to manually update the system when you make some configuration
change, such as updating a policy or response.
Fully automatic update. This option enables every update to pass directly from the
Update Server to the IntruShield Manager, and from the IntruShield Manager to
the IntruShield sensor(s) without any intervention by the security administrator.
Note that fully automatic updating still happens according to scheduled intervals.
Real-time update. This option is similar to fully automatic updating. However, rather
than wait for a scheduled interval, the update is pushed directly from Update
Server to Manager to sensor. No device needs to be rebooted; the sensor does
not stop monitoring traffic during the update, and the update is active as soon as
it is applied to the sensor.

Modes of sensor deployment


With todays complex network configurations, deploying sensors at all of the
necessary points of protection in your network can become both very complex and
very expensive. The IntruShield system makes deployment easy and cost-effective
by requiring fewer sensors and offering several flexible modes of sensor deployment:
In-line mode (on page 13)
Tap mode (on page 13)
SPAN operating mode (on page 13)
Failover (high-availability) via in-line mode (on page 15)
Port clustering (interface groups) (on page 16)
IntruShield sensors, by default, are configured to operate in in-line mode. The
operating mode can be changed via the Manager interface.
Each of these modes is described briefly below and in more detail in IntruShield
Sensor Deployment Modes (on page 33).

12

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Modes of sensor deployment

Note: Although the sensors are configured to run in-line by default, many new
IntruShield users choose to operate in SPAN mode initially, and then move to tap or
in-line mode later as they become more familiar with the product and are ready to
tune their deployments.

In-line mode
In-line Mode, illustrated in the following figure, places a sensor directly in the network
traffic path, inspecting all traffic at wire-speed as it passes through the sensor. In-line
mode enables you to run the sensor in a protection/prevention mode, where packet
inspection is performed in real time, and intrusive packets can be dealt with
immediately; you can actively drop malicious packets because the sensor is
physically in the path of all network traffic. This enables you to actually prevent an attack from
reaching its target. You cannot prevent attacks from reaching their target in any other deployment
mode.

All IntruShield sensor ports are configured to run in-line by default; when a sensor
comes online for the first time, it is in in-line mode. IntruShield sensors are also
configured to block certain attacks by default. Thus an IntruShield system can begin
blocking attacks right out-of-the-box.
All IntruShield sensor models can be deployed in In-line Mode, and all offer the option
of operating in fail-open or fail-closed mode when monitoring traffic in-line.
Note: Fail-open and fail-close refer to whether or not the sensor will allow traffic to
continue to pass in the event of port or sensor failure. For more information on
these options, refer to Fail-open versus fail-closed (on page 37).

Figure 1: In-line mode

For more information about deploying sensors, see the section IntruShield Sensor
Deployment Modes (on page 33).

SPAN operating mode


Most current IDS products are deployed in SPAN mode. An advantage of deploying
sensors in SPAN mode is that it merely requires connecting the sensor and
reconfiguring a setting on the switchthus it is also the operating mode chosen by
most beginning IntruShield users. Other modes of sensor deploymentin-line mode
or tap modeinvolve connecting the sensors within the flow of traffic, which requires
brief network downtime. Thus most beginners prefer to get used to IntruShield while
operating in SPAN mode, to tweak and tune their systems, and move to tap or in-line
mode later.

13

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Modes of sensor deployment

The Switch Port Analyzer (SPAN) port on a switch is designed specifically for
security monitoring so that an attached network analyzerlike a sensor or a sniffer
can receive a copy of every single packet that is sent from one host to another
through the switch. The SPAN port forwards all incoming and outgoing traffic within
the switch to a predetermined port where the sensor or a sniffer is connected. This is
called port forwarding or port mirroring, and it allows an attached device to monitor all
traffic of that switch.
The downside of monitoring via a SPAN port is that it is very easy to saturate a SPAN
port. A SPAN port really only operates in a half-duplex mode (transmit to the sensor
only), so the maximum bandwidth the port can handle is 100Mbps (when using a Fast
Ethernet port), and when you exceed the 100Mbps limit of the port, you are not
copying all the packets seen on the switch. When all packets are not copied to the
IDS, the IDS can report false alarms or miss real attacks. In addition, most switches
only support one or two SPAN ports and there is a lot of competition for them (e.g.,
for RMON probes, sniffers, etc.).
SPAN mode is also a sniffing mode, whichunlike in-line modedoes not enable
you to prevent attacks from reaching their targets.

Figure 2: SPAN Port Monitoring

Tap mode
Note: While the figure in SPAN operating mode (on page 13) demonstrates that
you can issue response packets via the sensors response ports, some switches
allow response packets to be injected by an IPS back through the SPAN port.
Tap mode, illustrated in the following figure, works through installation of an external
fiber tap (for GBIC ports) or built-in internal taps (for 10/100 Monitoring ports). An
IntruShield sensor deployed in tap mode monitors or sniffs the packet information as
it traverses the full-duplex network segment.

14

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Modes of sensor deployment

Full-duplex taps split a link into separate transmit and receive channels. IntruShield
sensors provide multiple sensor ports, wired in pairs to accommodate full-duplex
taps.
The downside of tapped mode is that, unlike in-line mode, you cannot prevent
attacks. Like SPAN mode, Tap mode is passive; the sensor essentially sees
malicious traffic as it passes.

Figure 3: Full-duplex Tap Mode

Note: You cannot inject response packets back through an external tap, so
IntruShield sensors offer Response ports through which a response packet (such as
a TCP reset) can be injected to close a malicious connection. Sometimes the
attacker can succeed in causing the intended damage when the attack packet
reaches its intended victim host before the TCP reset closes the connection. Hence,
in-line mode is more effective in preventing an attack.

About taps
A tap is a device that permits unimpeded traffic flow while simultaneously copying all
the traffic from a full-duplex link and sending the information to a sensor for analysis.
Taps are used to monitor full-duplex links, and they split the link into separate
transmit and receive channels. To monitor the two channels that the tap produces,
you use two monitoring interfaces on the sensor; one interface monitors the transmit
channel, one monitors the receive channelneither monitoring interface transmits
back to the tap.
Note: You cannot inject response packets back through a tap; you must connect a
sensor response port to another device, namely a switch or router, to respond to
malicious packets.
Taps are hardwired to the sensor. One sensor can monitor traffic from multiple taps
without degradation or overloading up to the specified maximums.

15

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Modes of sensor deployment

Failover (high-availability) via in-line mode


Enterprises often deploy fully redundant networks to maintain high network
availability. In a redundant network, also known as an active/passive or
active/standby configuration, two identical machines are deployed; one is designated
as the active machine that performs the task while the other(s) is in standby in case
of the active machines failure. If the active machine fails, it fails over to the standby
machine. System redundancy ensures the network is always available even if the
hardware fails.
This reduces lapses in service to employees and customers that may lead to loss of
productivity and revenue. IntruShield sensors are built to meet the needs of
redundant networks. When running sensors in-line, the option is available to you to
use one sensor as an active unit, with an identical sensor standing by, should the
active sensor fail. Both sensors share full state, so that the information on the standby
sensor is always current. Latency is very minimal; less, in fact, than many other
devices providing failover, such as firewalls.
For more information on deploying sensors for high availability, see the section HighAvailability (on page 43).

Port clustering (interface groups)


Port clustering, referred to as Interface Groups in the IntruShield Manager interface,
enables multiple ports on a single sensor to be grouped together for effective traffic
monitoring, particularly useful for asymmetrically routed networks. You cluster ports
when you want the traffic across multiple interfaces to be analyzed as if it were a
single interface. Asymmetric networks are common in load balancing and
active/passive configurations, and a complete transmission may be received on one
segment, but depart on another. Thus keeping state of asymmetric transmissions is
essential for successfully monitoring the traffic. Interface groups normalize the impact
of traffic flows split across multiple interfaces, thus maintaining state to avoid
information loss.
Once configured, an interface group appears in the Configuration pages Resource
Tree as a single interface node (icon) under the sensor where the ports are located.
All of the ports that make up the interface are configured as one logical entity,
keeping the configuration consistent.

16

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Manager Disaster Recovery (MDR)

When is clustering used?


If a company has two different active paths to and from the Internet passing through
two different sensor interfaces, for example, the traffic on each path will be analyzed
independently. If a single communication flow is divided across paths, each interface
will receive and analyze part of the conversation and therefor be susceptible to false
positives and false negatives. When you create an interface group that contains both
interfaces, you allow the sensor to receive and properly analyze the entire
communication.

Figure 4: Port Clustering

Manager Disaster Recovery (MDR)


Sometimes the worst happens. In this age, where outages to IT systems can cost
millions of dollars in lost revenue, lost productivity, and legal issues, every
organization must face the near certainty of a system failure occurring at a future
date. Anticipating these events and planning corrective courses of action is now a
prerequisite to business success. Most organizations now employ some manner of
business continuity planning (BCP), a subset of which is disaster recovery planning
(DRP). To this end, IntruShield has long provided a sensor high-availability
configuration; but what if the worst should happen to your Manager server? Most
companies are not willing to rely on the manual method of Manager data archival,
restoration of backups, and importing of exported policies to recover their Manager as
part of their IPS DRP.
Enter the MDR feature. With MDR, two Manager servers are deployed as part of the
overall IntruShield system. One host is configured as the Primary system; the other
as the Secondary. Each uses the same major release Manager software with
mirrored databases; however, the two hosts hardware configuration does not need to

17

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Manager Disaster Recovery (MDR)

be identical. The Secondary Manager can be deployed anywherefor example, at a


disaster recovery site, far from the Primary Manager.
The Primary Manager is the active Manager by default; this Manager communicates
with the IPS Update Server, pushes configuration data to the sensors, and receives
alerts from the sensors.
The Secondary Manager remains in a standby state by default. While in standby
mode it monitors the health status of the Primary Manager and retrieves sensor
configuration information from the Primary Manager at configured intervals of time.
Note: The standby Manager receives no data from the sensors while in standby
mode.
The Secondary Manager is a warm standby system; it will not guarantee state
synchronization with the Primary Manager. It does update configuration information
at regular intervals (every 15 minutes), but it does not maintain state. (You can also
manually update Secondary Manager configuration rather than waiting for the
automatic update.)
The sensor, for its part, maintains a connection with both Managers; however, only
the active Manager can control sensors and receive alert data, and sensors can only
be added to an active Manager. (A new sensor added to the active Manager in an
MDR pair establishes trust first with the Primary Sensor, and then attempts on its own
to establish trust with the Secondary.)

Secondary
(Standby)
Manager

Primary
(Active)
Manager
Alert, packet log
connections
with data

Alert, packet log


connections
without data

Sensors in the deployment

Figure 5: An MDR pairs communication with sensors

Switchover
Switchover, or failover from the Primary to the Secondary, can be manual/voluntary
or involuntary.
Note: In a situation where you have planned manual downtime and the downtime is
expected to be brief, McAfee recommends that you manually suspend MDR,

18

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Entercept Integration

preventing the Secondary sensor from taking over and becoming active. You can
then resume MDR when the downtime period is over.
The Secondary Manager performs regular health checks on the Primary Manager. If
the Primary Manager is found to be unavailable during a health check by the
Secondary Manager, the Secondary Manager waits for a configurable time interval. If
the Primary Manager is still unavailable after that time period elapses, control then
switches over to the Secondary Manager.
Note: You can switch over the Secondary manually, as well.
Once the Secondary Manager is active, the Primary moves to standby. The sensors
are made aware of the switchover, communicate with the Secondary Manager, and
the system continues to function without interruption.
All in-flight transactions are lost upon failover from Primary to Secondary Manager.
For instance, if the Primary Manager failed while a user was in the middle of a policy
edit, the Secondary Manager will not be able to resume the policy edit.
Note: The MDR feature, in fact, assumes that the Secondary Manager is a standby
system, and that it will NOT assume control indefinitely. The Primary Manager
should be diagnosed and repaired, and be brought back online.
While the Secondary Manager is active, McAfee recommends against making any
configuration modifications on the Secondary Manager, as these modifications could
cause potential data synchronization problems when the Primary Manager is
resurrected.
Once the Primary Manager has recovered, you can switch control back to the Primary
system. During this switch back, if you have made configuration changes on the
Secondary, you have a choice whether to retain the configuration on the Primary or
overwrite with changes made on the Secondary. Data is re-synchronized, the sensors
return to communicating with the Primary, and the system is restored with the Primary
Manager active and the Secondary Manager in standby mode.
Note: You can easily dissolve the MDR relationship between the two Managers and
return either Manager to stand-alone mode.
For more information on MDR, see the Manager Configuration Guide.

Entercept Integration
McAfee Entercept is a host-based intrusion prevention system (HIPS). IntruShield
can accept alerts forwarded by an Entercept Management Server, thereby
centralizing management of both products.
Within the IntruShield context, the Entercept Manager functions like an IntruShield
sensor. That is, it forwards events to the Manager, which the Manager incorporates
into its database. Entercept events can therefore be viewed and manipulated like any
other IntruShield alert in the Alert Manager.
Entercept provides a software development kit (SDK) for Java called the Entercept
Integration Framework, for sending alert information to third-party products, in this
case, IntruShield. The Manager formats Entercept alert information automatically for
viewing in the Alert Manager and Reports.

19

McAfee IntruShield IPS System 3.1

IntruShield System Basics

Getting Started Guide

Entercept Integration

The Entercept Integration Framework, or Integrator, can be run as a service or


standalone Java application on the Entercept Management Server system. If run as a
service, no interface is presented for the Integrator after communication is
established between Entercept and the Manager. The service runs as long as the
Entercept Management Server system is up. If run as an application, a Java
application window displays the up-time, number of alerts sent, and so forth. If the
application window is closed, alerts are not sent until the application is restarted.
Each time a new Entercept event occurs, the Manager passes the alert to the
Integrator, which forwards selected information in real time or in batches.
To configure Entercept integration, refer to Chapter 9: Sensors, Failover Pair,&
Entercept Nodes of the Manager Configuration Guide.

20

CHAPTER 3

Basics of Using IntruShield


This section provides a high-level overview of system usage.
The tasks described in this chapter provide pointers to more detailed information in
the other books of the McAfee IntruShield IPS System documentation set.
Note: Most of your interaction with the IntruShield system is via the IntruShield
Manager.
The process of setting up and running an IntruShield system falls into these basic
stages:
1

Deciding where to deploy sensors and in what operating mode

Setting up your sensors

Installing the Manager software and establishing sensor-to-Manager


communication

Configuring your deployment using the Manager

Updating your signatures and software

Viewing and working with data generated by IntruShield

7 Tuning your deployment


Each of these stages consists of a number of tasks; some are simple, some are
complex. You will generally perform steps 1 through 3 only once per sensor.

Deciding where to deploy sensors and in what operating mode


Where you deploy your sensors and which sensor model to use depends on your
network topology, the amount of traffic on the network, and your security goals, which
ideally are specified in your companys security policy.

Determine where you will place the sensors. This is an individual decision your company
will need to make. Questions to ask yourself in making this decision are covered
at a high level in Pre-Installation Considerations (on page 28). Some things to
consider are what assets you want to protect, the configuration of your network,
the location of your aggregation points, the type of traffic, how the traffic is
routed, and so on.
Establish a naming convention for your sensors. The sensor name is used to identify the
sensor in the Manager interface, in certain reports, and in the alert data
generated by the sensor. McAfee recommends you establish a naming
convention that is easy to interpret by anyone working with the IntruShield
deployment. Once you name a sensor, you cannot rename it without de-installing
and reinstalling it.

21

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Setting up your sensors

Setting up your sensors


The process of setting up a sensor is described below at a high level. You perform
these tasks on the sensor.
Note: For detailed instructions on these tasks, see the Sensor Configuration Guide.
1

Position the sensor.

Unpack the sensor and place on a sturdy, level counter top.

Attach the provided rack mounting ears to the sensor.

Install the sensor in a rack. The I-1200, I-1400 and I-2600 are 1-RU boxes;
the I-2700, I-3000, I-4000 and I-4010 are 2-RU boxes.

Install any additional hardware.


Install GBICs or SFP GBICs (not included) in the GBIC slots.

GBIC slots per sensor mode


Sensor model

Number of slots

I-2600

I-2700

I-3000

12 (SFP slots)

I-4000

I-4010

12 (SFP slots)

Note: To ensure compatibility, McAfee supports only those GBIC or SFP GBIC
modules purchased through McAfee or from a McAfee-approved vendor. For a
list of approved vendors, see the on-line KnowledgeBase
https://mysupport.nai.com.

(Optional) If you have purchased a redundant power supply for the I-4000 or
I-4010, install the power supply.

22

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Establish sensor-to-Manager communication

Models supporting a redundant power supply


Sensor model

Power supply

I-1200

1 internal

I-1400

1 internal

I-2600

1 internal

I-2700

1 included
1 redundant available separately

I-3000

1 included
1 redundant available separately

I-4000

1 included
1 redundant available separately

I-4010

1 included
1 redundant available separately

Cable the sensor for configuration.

Attach network cables to the sensor as described in each sensors Product


Guide. You must cable the sensor Management and Console ports,
respectively, to communicate with the Manager server and the console
machine you will use to configure the sensor. You can cable the sensor
Monitoring and Response ports at a later time.

Power on the sensor to initialize it.

Establish sensor-to-Manager communication


The process of setting up a sensor is described below at a high level.
1

Set up the Manager software on the server machine.

Install the Manager software on the server machine. This process is


described in detail in the Manager Installation Guide.

Start the Manager software as described in the Manager Configuration


Guide. You can establish communication with a sensor via the Manager
server or from a browser on a client machine that can connect to the
Manager server.

McAfee recommends you connect to the Manager server via browser


session from a separate client machine to perform your configuration tasks.

You can choose a specific policy to apply by default to the Root Admin
Domain (and thus all monitoring interfaces on the sensor). By default, the
provided Default policy is applied to all of your sensor ports upon sensor
addition.

Note: For a description of admin domains, see Administrative Domains (on


page 53). For a discussion of policies, see Working with Security Policies (on
page 58).

23

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Viewing and working with data generated by IntruShield

Whatever policy youve specified will apply until you make specific changes;
the Default policy gets you up and running quickly. Most users tune their
policies over time, in conjunction with VIPS, to best suit their environments
and reduce the number of irrelevant alerts.

Open the System Configuration tool and add the sensor, providing the
sensor with a name and a shared secret key value. This process is
described in detail in Chapter 8 of the Manager Configuration Guide.

Configure the sensor.

From a serial console connected physically or logically to the sensor,


configure the sensor with network identification information (i.e., IP address,
IP address of the Manager server, and so on), and configure it with the
same case-sensitive name and shared secret key value you provided in the
Manager.

Note: For detailed instructions on configuring the sensor using the sensor CLI,
see the Sensor Configuration Guide.
3

Verify communication between the sensor and the Manager.

Verify on the sensor CLI the health of the sensor and that sensor has
established communication with the Manager. Use the status command.

Verify in the Manager interface that a node representing the sensor appears
in the Resource Tree under the Sensors node. Viewing the Resource Tree is
described in The Resource Tree (on page 47).

Troubleshoot any problems you run into.

If you run into any problems, check your configuration settings, and ensure
that theyre correct. For some troubleshooting tips, see the Troubleshooting
chapter of the Sensor Configuration Guide.

Verify the operating mode of the ports on your sensor.

Your IntruShield sensor ports are configured by default for monitoring in inline mode; that is, connected via a port pair on the sensor to a segment of
your network. If youve cabled the sensor to monitor in in-line mode, check
your settings to make sure everything is correct.
Verifying port configuration is described in detail in Chapter 9: Sensors,
Failover Pair,& Entercept Nodes of the Manager Configuration Guide.

Viewing and working with data generated by IntruShield


Once youve completed the steps in the previous sections, youre up and running.
While actively monitoring network traffic, your sensor will generate alerts for traffic
that is in violation of the set security policy.
IntruShield displays a summary view of the count of alerts in the Manager Home
page, organized by severity (High, Medium, Low, and Informational). IntruShield
provides two tools for examining and viewing the alerts:

The Alert Manager enables you to drill down to the details of an alert such as
what triggered the alert, when, what sensor detected it, the source IP address of
the attack that triggered the alert, the destination IP address of the attack, and so
on. You use the Alert Manager to perform forensic analysis on the alert to help
you tune the IntruShield system, provide better responses to attacks, and
otherwise shore up your defenses.

24

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Configuring your deployment using the Manager

The Reports Main page provides you detailed reports based on your alerts, and
reports on your IntruShield configuration. You can use these reports to
communicate incidents to other members of your team and to your management.

Note: Both tools are described in detail in the Manager Configuration Guide.

Configuring your deployment using the Manager


Once youre up and running and reviewing the data generated by the system, you
can further configure and maintain your system. For example, you can do the
following:

Apply security policies to each interface of your multi-port IntruShield sensor (instead of
applying one policy to all interfaces, as when you chose the default policy in
Establish sensor-to-Manager communication (on page 22)). You can ensure all
of your interfaces use policies specifically for the areas of your network they are
monitoring. For example, you can apply the Web Server policy to one interface, a
Mail Server policy to another, the Internal Segment policy to another, and so on. For
more on the provided policies, see IntruShield policies (on page 58).
Configure responses to alerts. Developing a system of actions, alerts, and logs based
on impact severity is recommended for effective network security. For example,
you can configure IntruShield to send a page or an email notification, execute a
script, disconnect a TCP connection, send an ICMP Host Not Reachable
message to the attack source for ICMP transmissions, or send address-blocking
filters to a firewall.
For more information on response actions, see Response management (on page
68). For information on configuring pager, email, or script notification, or
configuring a firewall response, see Chapter 5: Administrative Domain Nodes of
the Manager Configuration Guide.
Filter alerts. An alert filter limits the number of alerts generated by the system by
excluding certain Source and Destination IP address parameters. If these
address parameters are detected in a packet, the packet is not analyzed further
(and is automatically forwarded when in In-line Mode). For more information on
alert filters, see Chapter 7: Policies Node of the Manager Configuration Guide.
View the systems health. The System Health page details the functional status for all
of your installed IntruShield system components. Messages are generated to
detail system faults experienced by your IntruShield Manager, sensors, or
database. For more information, see Chapter 13: System Health of the Manager
Configuration Guide.
View a ports performance. The Performance Statistics action enables you to view
performance data for a port on a sensor. The data collected is a reflection of the
traffic that has passed through the port. For more information, see Chapter 10:
Sensors_Name Node of the Manager Configuration Guide.
Back up all or part of your Manager configuration information to your server or
other location. IntruShield provides three backup options:

All Tables: all IntruShield data (configuration, audit, and alert).

Config Tables: all information related to system configuration, such as port

configuration, users, admin domains, policies for all IntruShield resources in


all domains.

Audit and Alert Tables: all information related to user activity and alerts.

25

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Updating your signatures and software

Note: The All Tables and Audit and Alert Tables options can be rather large in size,
depending upon the amount of alert data in your database. McAfee
recommends saving these types of backups to an alternate location.
For information on how to back up your data, see Chapter 6: Manager Node of
the Manager Configuration Guide.

Updating your signatures and software


An essential element to a reliable IPS is updating the system signature and software
images. McAfee periodically releases new Manager software and sensor signature
and software images, and makes these updates available via the IntruShield Update
Server to registered support customers.

Figure 6: Update Options

Note: Manager software installation includes a default signature set image.


There are several options for loading updates to your Manager and sensors.

26

McAfee IntruShield IPS System 3.1

Basics of Using IntruShield

Getting Started Guide

Tuning your deployment

Download images from the update server to your Manager.

You can use the Manager interface to download sensor software and
signature updates from the Update Server to the Manager server, and then
download the sensor image to the sensor. These actions are explained in
the Manager Configuration Guide.

Import image files from a remote workstation to your Manager.

If your Manager server is not connected to the Internet, you can download
the updates from the Update Server to any host, then do one of the
following:
-Download the image to a remote host, then log in to the Manager via
browser session on the remote host and import the image to the Manager
server. You can then download the sensor image to the sensor. See
Chapter 6 of the Manager Configuration Guide.
-Similar to above, download the image from the Update Server to any host,
put it on a disk, take the disk to the Manager server, and then import the
image and download it to the sensor.

Download sensor software from the Update Server to a TFTP client then to a sensor.

You can download the software image from the Update Server onto a TFTP
server, and then download the image directly to the sensor using commands
on the sensor CLI. This is useful if you prefer not to update sensor software
via the Manager, or you may encounter a situation wherein you cannot do
so. This method is described in the Sensor Configuration Guide.

Tuning your deployment


Once you become familiar with the basics of the IntruShield Manager program, you
can further enhance your deployment by utilizing some of the more advanced
features. These features include:

Cloning and modifying an IntruShield-provided policy. See Working with Security Policies

(on page 58).

Deploying your sensor to monitor traffic in Tap mode or, ultimately, in In-line mode. See

IntruShield Sensor Deployment Modes (on page 33).


Adding users and assigning management roles. See Managing Users in IntruShield (on
page 79).
Adding admin domains for resource management. See Administrative Domains (on page
53).
Changing your interface type to CIDR or VLAN depending on your network configuration. See
Chapter 11: Interface and Sub-Interface Node of the Manager Configuration
Guide.
Using Access Control Lists (ACLs) to block traffic or pass traffic without sending it through the
IDS engine. See Chapter 10: Sensor_Name Node of the Manager Configuration

Guide.

27

CHAPTER 4

Pre-Installation Considerations
This section discusses the considerations and pre-installment steps that require
planning and completion before you deploy the IntruShield IPS.
Tip: If you are a beginner and want some strategies for deploying IntruShield, you
should also read Deployment for Beginner, Intermediate, and Advanced Users (on
page 93).

Pre-deployment questions
Deployment of an IntruShield IPS requires specific knowledge of your networks
security needs. Answering these questions will determine which sensor model will
best suit your environment, and what in what operating mode youll need to employ
each sensor port.
Consider the following questions as you plan your IntruShield deployment:

What is the size of your network?


How many access points are there between your network and the extranets or
Internet?
Where are the critical servers that require protection within your network?
How complex is your network topology?
How much traffic typically crosses your network?
Where are your security operations located?
Where should I deploy sensors?

What is the size of your network?


The size of your network will determine the number of sensors you will require to
successfully and efficiently protect your network. A large network with many access
points, file servers, and machines in use may require a larger level of IPS deployment
than a small office with just a single access point and few machines.
Knowing how your business will grow can help determine the amount of equipment
you will require and the proper strategy for network placement. IntruShield products
are built with growth in mind. The IntruShield Security Management system can
manage multiple sensors, and IntruShield sensors can scale in performance from 100
Mbps to multi gigabits per second for monitoring network segments.

28

McAfee IntruShield IPS System 3.1

Pre-Installation Considerations

Getting Started Guide

Pre-deployment questions

How many access points are there between your network and
the extranets or Internet?
Large corporations have several points of access that can be exploited by parties with
malicious intent. Protecting the various points of access to your network is key to any
successful IDS install. Youre only as strong as your weakest link.
Intrusions coming in from the Internet are important to combat, but misuse and
intrusions attempted through the extranets or inside the corporate network are equally
as critical to defend against. In fact, research statistics show that insiders are the
most common source of attacks.

Where are the critical servers that require protection within


your network?
File servers containing financial, personnel, and other confidential information need
protection from those people wishing to exploit your critical information. These
machines are extremely appealing targets. And, as discussed in the previous section,
insiders pose a threat that must be addressed.
You should also consider whether you need different levels of security for different
parts of the organization. Assess how much of your sensitive material is on-line,
where it is located, and who has access to that material.

How complex is your network topology?


Asymmetrically routed networks are complex environments that require careful
planning and execution.
The following figure shows a network protected by an IntruShield sensor in tap
operating mode. Since both links are monitored by the same sensor, the state
machine remains in sync. An IntruShield sensor can support an Active-Active
configuration as long as the aggregate bandwidth does not exceed the total
processing capacity of the sensor.

29

McAfee IntruShield IPS System 3.1

Pre-Installation Considerations

Getting Started Guide

Pre-deployment questions

Furthermore, a sensor can also monitor asymmetrically routed traffic where the traffic
comes in on one link and goes out another link, because the state machine on the
sensor associates the inbound and outbound traffic efficiently. For more information
on monitoring asymmetrically routed traffic, see the section Interface groups (on page
43).

Figure 7: Tap Monitoring of Active-Passive Links

How much traffic typically crosses your network?


Bandwidth and traffic flow are crucial to running a successful enterprise network.
Bandwidth requirements will vary in an enterprise network, as different applications
and business functions have different needs. Bandwidth utilization on the network
segments that you need to monitor will determine what type of sensor will work best
for you. IntruShield offers multiple sensors providing different bandwidths:

IntruShield sensor bandwidth


Sensor

Aggregate Performance

I-1200

100Mbps

I-1400

200Mbps

I-2600

600Mbps

I-2700

600Mbps

I-3000

1Gbps

I-4000

2Gbps

I-4010

2Gbps

30

McAfee IntruShield IPS System 3.1

Pre-Installation Considerations

Getting Started Guide

Pre-deployment questions

Where are your security operations located?


To successfully defend against intrusions, McAfee recommends dedicated monitoring
of the security system. Network intrusions can happen at any given moment, so
having a dedicated 24-hour-a-day prevention system will make the security solution
complete and effective.
Where are your security personnel? How many users are involved? Knowing who will
be configuring your policies, monitoring events, running reports, and performing other
configuration tasks will help you manage your users and determine where you locate
your Manager server. The Manager should be placed in a physically secure location,
should be logically accessible to users, and must have reliable connectivity so as to
be able to communicate with all deployed sensors.

Where should I deploy sensors?


Should you deploy sensors at the perimeter of your network, in front of the servers
you want to protect, or at a convenient nexus where all traffic passes?
Deployment at the perimeter does not protect you from internal attacks, which are
some of the most common source of attacks. Perimeter monitoring is also useless if a
network has multiple ISP connections at multiple locations (such as one Internet
connection in New York and one in San Jose) and if you expect to see asymmetric
traffic routing (i.e., incoming traffic comes through New York and outgoing traffic goes
out through San Jose). The IPS simply will not see all the traffic to maintain state and
detect attacks. Deployment in front of the servers that you want to protect both
detects attacks from internal users and deals effectively with the geographically
diverse asymmetric routing issue.
An illustration of the advantage of IntruShield sensors multiple segment monitoring is
to consider the question of installing IPS sensors with respect to firewalls. It is very
common to deploy IPS sensors around firewalls to inspect the traffic that is permitted
by the firewall. A common question when installing sensors around the firewall is, do
you put the sensors on the inside (Private and DMZ) or put them outside (Public) the
firewall? There are benefits to both scenarios, and the more complete solution
includes both. For example, if you detect an attack on the outside of the firewall and
you detect the same attack on the inside of the firewall, then you know your firewall
has been breached. This is obviously a much higher severity event than if you were
just to see the attack on the outside and not on the inside, which means that your
firewall blocked the attack.
When using the existing, single monitoring port products available today, you would
have to deploy multiple sensors to get the required coverage (as shown on the left
side of the following figure). Furthermore, youd need to figure out how to connect
them to the segments that you want to monitor, and only via a SPAN or hub port.

31

McAfee IntruShield IPS System 3.1

Pre-Installation Considerations

Getting Started Guide

Pre-deployment questions

Consider the same scenario using the I-2600 sensor (as shown on the right side of the
following figure). You can simultaneously monitor all three segments with one sensor,
and, with the integrated taps, you can easily monitor the full-duplex uplinks between
your routers and the firewall. You can also run the inside connections in in-line mode,
which provides intrusion protection/prevention, while running the outside connection
in tapped mode.

Other Vendors Sensor Deployment

Figure 8: Comparing IDS Sensor Deployment Scenarios

32

IntruShield Sensor Deployment

CHAPTER 5

IntruShield Sensor Deployment Modes


This section presents suggestions for implementing IntruShield products in a variety
of network environments.

Flexible deployment options


IntruShield offers unprecedented flexibility in sensor deployment. IntruShield sensors
can be deployed in a variety of topologies and network security applications,
providing industry-leading flexibility and scalability. Most PC-based IDS sensors on
the market today can monitor only one network segment at a time, and only via the
SPAN port on a switch. Thus, to monitor a switched environment with multiple
segments and multiple switches deployed in a high-availability environment, you
would need multiple sensors.

Multi-port sensor deployment


Unlike single-port sensors, a single multi-port IntruShield sensor can monitor many
network segments (up to twelve, in the case of the I-3000 or I-4010) in any
combination of operating modesthat is, the monitoring or deployment mode for the
sensorSPAN, Tap, or In-line mode. Additionally, IntruShields Virtual IPS (VIPS)
feature enables you to further segment a port on a sensor into many virtual sensors.
This makes deployment easy; not only can you use one sensor to monitor multiple
network segments, but you also can configure the sensor to run whatever mode best
suits each network segment.

Supported deployment modes


Every port on an IntruShield sensor supports the following deployment modes:
SPAN or Hub
Tap
In-line, fail-closed
In-line, fail-open
Additionally, IntruShield provides features vital to todays complex networks: interface
groups (also called port clustering), and high-availability.

33

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Flexible deployment options

In the following example, a single IntruShield I-2600 sensor is deployed to monitor the
several external and internal points of exposure of an enterprise network. This
includes the Web Presence, Corporate Internet Access for employees, employee
Remote Access, Extranet connections, and internal attacks on critical department
servers such as Finance and HR.

Figure 9: Intrushield IPS protecting enterprise network

In this example, the ports on this I-2600 sensor might be configured as such:

Tap 1: Ports 1A and 1B run in Tap mode and respond to attacks via Response
port R1.
Tap 2: Ports 2A and 2B run in Tap mode and respond to attacks via Response
port R2.
SPAN from Switch A: Port 3B runs in SPAN mode and inject response packets
back to the switch through the SPAN port.
SPAN from Switch B: Port 3A runs in SPAN mode and responds to attacks via
Response port R3.

Full-duplex and half-duplex monitoring


IntruShield sensors are equipped with multiple Monitoring and Response ports. By
default, the sensor ports are internally wire matched (i.e., 1A and 1B) to monitor traffic
in full-duplex pairs, that is, two detection ports work together to monitor traffic flowing
in both directions.

34

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in in-line mode

To monitor a full-duplex segment in In-line or Tap mode, you use two sensor ports
(one port for transmit, one for receive). SPAN port monitoring receives on one port
and can respond via the same port (if the switch supports this feature).
Sensor Model

Supported number of
full-duplex links

Supported number of
half-duplex links

I-1200

I-1400

I-2700

I-3000

12

I-4000

I-4010

6
12
In-line mode and tap mode both can both monitor full-duplex links.
SPAN monitoring works in either half- or full-duplex mode (depending on the
switch).
Hub monitoring works in half-duplex mode.

Deploying sensors in in-line mode


In-line mode is achieved when an IntruShield sensor is placed directly in the path of a
network segment, becoming, essentially, a bump in the wire, with packets flowing
through the sensor. In this mode, the sensor can prevent network attacks by dropping
malicious traffic in real time. Preventative actions can be at a highly granular level,
including the automated dropping of DoS traffic intended for a specific Web server.
Note: IntruShield sensors are configured by default to run in in-line mode.
When running in in-line mode, network segments are connected to two matched ports
of the sensor (e.g., ports 1A and 1B), and packets are examined in real time as they
pass through the sensor.
The benefits to using IntruShield sensors in in-line mode are:

Protection/Prevention. Prevention is a feature unique to in-line mode. Basically, if


youre running in any sniffing mode, there is no way for the IPS to prevent
malicious packets from reaching their intended target. In a sniffing mode, the
sensor sees the attack at the same time it hits the target. You can apply some
countermeasures, like TCP Resets and reconfiguring firewall rules, but these are
post-detection actions. The only way to prevent the malicious packets from
reaching the target is to mediate the traffic flow.

35

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in in-line mode

When running in-line, an IntruShield sensor can drop malicious packets and not
pass them through the network. This acts sort of like an adaptive firewall, with
your detection policy dictating what is dropped. Furthermore, when dropping
packets, IntruShield is very precise and granular. The sensor can drop only those
packets it identifies as malicious or all of the packets related to that flow (a
choice that is user configurable).
One of the problems with using firewall reconfiguration actions with current IDS
products is that an attacker can spoof large address ranges and mislead you into
blocking legitimate traffic with the firewall, creating your own denial of service
condition. IntruShield only drops the malicious packets, so spoofed traffic doesnt
have the same effect.
Packet scrubbing. In addition to dropping malicious traffic, IntruShield can scrub
or normalizetraffic to take out any ambiguities in protocols that the attacker
may be using to try to evade detection. Current IDS products are susceptible to
these techniques, and an example of this attempt is IP fragment and TCP
segment overlaps. The sensor can reassemble the IP fragments and TCP
segments and enforce a reassembly mode of the users choice to accept either
the old or the new data.
Processing at wire-speed. An obvious requirement with running in-line is to avoid
dropping packets and your IDS sensor becoming a bottleneck. IntruShield
sensors are able to process packets at wire rates.
High-availability. In in-line mode, the sensor does become a single point of failure,
so the sensors support complete stateful fail-over, delivering the industry's first
true high-availability IPS deployment, similar to what youd find with firewalls. If
youre running in-line, McAfee recommends that you deploy two sensors
redundantly for failover protection.

Figure 10: In-line mode

In in-line mode (seen in the previous figure), the IntruShield sensor logically acts as a
transparent repeater with minimal latency for packet processing. Unlike bridges,

36

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in in-line mode

routers, or switches, the sensor does not need to learn MAC addresses or keep an
ARP cache or a routing table.
When deployed in-line, you must specify whether the sensor port is monitoring inside
or outside of the network it is protecting. For example, the sensor shown in the figure
in How complex is your network topology? (on page 29) is monitoring links both
inside and outside the network.

Fail-open versus fail-closed


IntruShield sensor ports deployed in In-line Mode have the option of failing open or
closed. Similar in terminology to firewall operation, ports failing open allow traffic to
continue to flow. Thus, even if the ports fail, your sensor does not become a
bottleneck; however, monitoring ceases which may allow bad traffic to impact
systems in your network. When ports are configured to fail closed, the sensor does
not allow traffic to continue to flow, thus the failed ports become a bottleneck,
stopping all traffic at the sensor.

Fail-open option for GE ports


Gigabit Ethernet ports on IntruShield sensors require the connection of an optional
optical bypass switch and controller card for In-line Fail-open functionality; no extra
hardware is required for In-line Fail-closed mode. This hardware is contained in the
Optical Bypass Gigabit Fail-open Kit, sold separately.
Refer to the Optical Bypass Gigabit Fail-open Kit Quick Guide for hardware
connection information. Then see the Manager Configuration Guide for port
configuration information.

Fail-open option for FE ports


Fast Ethernet ports require the use of fail-closed dongles for fail-closed mode; no
extra hardware is required for In-line Fail-open mode for FE ports.

Layer 2 Passthru mode


Fail-open operation provides a measure of network integrity when a sensor fails.
When a sensor with ports operating in In-line Fail-Open Mode experiences a critical
fault, the sensor reboots; during the reboot, the sensor goes into fail-open mode until
it restarts. If a critical fault occurs again, another reboot cycle is initiated. This can
continue until acted upon through human intervention.
You can enable a failure threshold to automatically initiate fail-open, or passthru,
mode by configuring the Layer 2 Passtrhu (L2) feature from the Manager interface. This
feature enables you to set a threshold on the number of critical failures within a
configured period of time that the sensor can experience before being forced into
passthru mode at Layer 2.

37

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in tap mode

For example, you configure Layer 2 Passthru mode to enable if there are three critical
faults in any 10-minute period. At minutes 1, 3, and 7, faults occur; L2 mode is
enabled. Here is another scenario: at minutes 1, 4, 11, and 13, faults occur. In this
case, the last three faults occurred within 10 minutes of each other, thus the sensor
enters L2 mode.
Sensor reboot may take a few minutes to complete. This downtime is not counted
against the L2 duration; only sensor uptime is counted.
The L2 feature is supported by all models of sensor. For enabling Layer 2 Passthru
Mode, refer to Chapter 10: Sensors_Name Node of the Manager Configuration
Guide.

Deploying sensors in tap mode


A tapinternal or externalis a passive wiring device that copies traffic on fullduplex Ethernet segments, and sends this copied traffic information to the sensor
processors for analysis.
Full-duplex taps split a link into separate transmit and receive channels. IntruShield
sensors provide multiple monitoring interfaces to monitor the two channels, and
sensor ports are wired in pairs in order to accommodate full-duplex taps. Two
monitoring ports are used to monitor one full-duplex link using a tap.
Tap monitoring (Figure Tap mode) can work in one of two ways for the 10/100
Monitoring ports on the I-1200 and I-2600 sensors: the internal tap can be enabled, or
the interface can be connected to an external tap. Sensor GBIC ports must use an
external tap.
The benefits to using IntruShield sensors in tap mode are:

Monitor uplinks passively. Taps cause no latency in your network traffic. You
essentially sniff traffic as it passes.
No need for SPAN ports. On most switches, the SPAN port operates in half-duplex
mode, so the maximum bandwidth a Fast Ethernet port can handle is 100Mbps
before it begins dropping packets. If the uplink is running at more than 100Mbps
aggregate, a Fast Ethernet SPAN port cant handle it; a full-duplex tap can.
Another issue is that there are a limited number of SPAN ports supported on
most switches, and there is typically a lot of competition for them (e.g., for RMON
probes, sniffers, etc.).
Traffic continues to flow if the tap fails. Completely passive and fault tolerant, taps
provide fail-safe operation with no impact on network connectivity or
performance. Taps fail open, meaning that a failed sensor permits traffic to
continue to flow unimpeded.

38

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in tap mode

The downside of tapped mode is that, unlike in-line mode, you cannot prevent
attacks. Tap mode is passive; the sensor essentially sees malicious traffic as it
passes, so sensing an attack in tap mode triggers a response post-attack. You also
cannot inject response packets back through a tap; the sensor provides Response
ports to inject response packets.

Figure 11: Tap mode

Deploying the sensors with FE ports in internal tap mode


The 10/100 (FE) monitoring ports can process network traffic in full-duplex stealth
mode by enabling internal taps. in this mode, network segments are connected as in
in-line mode, but the sensor handles the traffic differently. The enabled internal tap
receives the traffic, makes a copy of the incoming packets, and sends the copy to the
sensors detection processor as it forwards the packets.
By sensor default, the ports (xA and xB, illustrated with 1A and 1B in the following
illustration) are matched for full-duplex tap mode monitoring. Data is looped back
within the tap and a copy is forwarded to the rest of the sensor per port. Responses
are sent through a Response port to a switch or router.
The internal taps of these three sensors fail open; thus if the sensor should fail, data
will continue to flow unimpeded.

39

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Deploying sensors in tap mode

You can easily reconfigure the 10/100 monitoring ports of the I-1200, I-1400 and I2600 to disable the internal tap and monitor in In-line Mode at any time via the
Manager. This process is described in the section, Shifting from tap mode to in-line
mode (on page 41). When in-line, the sensor can block malicious traffic from reaching
its intended target host.

Figure 12: I-2600 Sensor: Internal Tap Mode

40

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

SPAN port and hub monitoring

Deploying sensors with GE ports in external tap mode


Sensors with GE monitoring ports require external taps. The external taps are fullduplex; they connect in-line with the network segment, copy the traffic, and send the
copies to the sensor for analysis.

Figure 13: I-4000 sensor deployed in tap mode

Shifting from tap mode to in-line mode


You can easily shift from tapped to in-line mode. If you are running a sensor with
built-in taps in internal tap mode, you can toggle between tap and in-line mode with a
simple software configuration command from the Managers System Configuration
tool. Thus, you can run in tap mode until you feel comfortable with the sensors
reliability, and then shift into in-line mode without needing to touch the sensor. You
can also mix modes with the ports on the I-2600. You can run one pair in In-line Mode
and others in Tap mode. With the GE port-sensors, youll have to do some minimal
re-cabling to convert from tap to in-line mode.

SPAN port and hub monitoring


IntruShield sensors can connect to the SPAN port of a switch or to a port on a hub.
Most vendors IDS sensors are deployed in this manner, and many beginning
IntruShield users choose to deploy in this mode. The Switch Port Analyzer (SPAN)
port is designed for troubleshooting and network analysis so that an attached network
analyzer can receive a copy of every single packet that is sent from one host to

41

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

SPAN port and hub monitoring

another through the switch. The SPAN port forwards all incoming and outgoing traffic
within the switch to a predetermined port where a sensor or a sniffer is connected.
This is called port forwarding or port mirroring, and it allows an attached device to
monitor all traffic of that switch.
When monitoring SPAN ports and hubs, traffic is typically half-duplex. Only one
monitoring port is required to monitor each SPAN or hub port. You can send a
response back through a hub; if you choose to send a response back through the
SPAN port, you can do so if the switch supports transmit back through the SPAN
port.
Note: If the switch does not support transmit back through the SPAN, you can send
a response via a sensor response port.

SPAN port and hub monitoring


When monitoring a SPAN or hub port, sensors with internal taps disabled.
Note: McAfee recommends cabling your Fast Ethernet ports with fail-closed
dongles if deploying in SPAN or Hub mode.
In Figure SPAN Port Monitoring which shows an I-4000 sensor, Port 1A receives data
from the SPAN port of SwitchA. Port 1B gets data from the SPAN port of SwitchB.
Two distinct network links from two separate switches are monitored by the one
active I-4000 sensor with a 1Gbps rate per link to the sensor, allowing a total of
2Gbps traffic to the IPS engine.

Figure 14: SPAN Port Monitoring

42

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

High-Availability

High-Availability
Redundancy is a key element for any network requiring 24x7 uptime. Using an
identical pair of sensors (same model, software image, signature set) deployed
redundant in In-line Mode, IntruShield can provide high availability with no
administrator intervention.

Understanding failover in IntruShield


In typical failover configurations, one device is the Active device while the other is
the Standby. As its name implies, the active device performs normal network
functions while the standby monitors, ready to take control should the active device
fail.
In IntruShield, because both failover sensors must be ready to process packets on
their monitoring ports at all times, both sensors are actually active at all times; neither
sensor is inoperative, or standing by unless the unit has failed. Instead, both sensors
operate normally.
In Figure Two I-4000s in a High-Availability configuration for example, two sensors are
placed in-line, connected to each other via cables, and configured to act as a Failover
Pair. All traffic is copied and shared between them in order to maintain state. Sensor
A copies the packets received on its monitoring ports to Sensor B using the
interconnection ports and vice versa. Since both sensors see all traffic and build state
based on it, their state information is synchronized at all times.
All packets are seen by both sensors (when both are operational); however, only one
sensor in the pair raises an alert whenever an attack is detected.

Figure 15: Two I-4000s in a High-Availability configuration

"Primary" versus "active"


You configure a Failover Pair using the Managers Configuration page. You designate
one sensor as the Primary sensor and the other as Secondary. This designation is
used purely for configuration purposes and has no bearing on which sensor considers
itself active.

43

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Interface groups

Once configured, the two sensors exchange information to determine their respective
roles; the sensor that has been online the longest becomes the active sensor. If they
have been online for exactly the same amount of time, the sensor with the higher
serial number takes the active role. The sensors communicate every second to
determine if their peer is available. If the failover pair cannot communicate with each
other, each sensor will assume its peer sensor is down, and both will issue alerts. If
communication is re-established, the two sensors communicate to determine their
respective failover roles.
When one sensor is brought up well after the other, the new sensor synchronizes
state with the old sensor and builds on the synchronized state based on the packets
received on its monitoring and interconnect ports.
This Active-Active configuration provides the added benefit of supporting asymmetric
traffic flows (i.e., when packets belonging to the same TCP/UDP flow are divided
across sensors). Thus, an IntruShield failover pair will detect attacks even when the
traffic is asymmetric. This topic is discussed below, in the section Interface groups
(on page 44).

Interface groups
An interface group, also known as port clustering in networking parlance, combines
the traffic processed on separate sensor interfacesor, in the case of a Failover Pair,
on separate sensorsinto a single logical interface for state and intrusion analysis.
Asymmetric routing is a good example of where an interface group is recommended.
In asymmetric routing, a TCP connection does not always send and receive along the
same network path. Therefore, a single-interface sensor monitoring this transmission
may only see the traffic received, not the traffic sent in response; thus not seeing all
data from a transmission.

44

McAfee IntruShield IPS System 3.1

IntruShield Sensor Deployment Modes

Getting Started Guide

Interface groups

IntruShield sensors multiple interfaces make the monitoring of asymmetric traffic


possible. For example, as shown in Figure Interface groups in an asymmetric network , an
I-4000 has four ports that are wired in pairs by default, and therefore two interfaces.
Peer ports 1A and 1B can monitor one direction of an asymmetric transmission, while
peer ports 2A and 2B can monitor the other direction. By making an interface group of
1A-1B and 2A-2B, the sensor is able to see all the traffic for all sessions in the
asymmetrically routed network and still is able to maintain state and accurately detect
all attacks.

Figure 16: Interface groups in an asymmetric network

Note: For more information on creating interface groups, see Chapter 9: Sensors,
Failover Pair,& Entercept Nodes of the Manager Configuration Guide.

45

CHAPTER 6

Working with IntruShield Resources


This section describes the relationships between IntruShield resource components.

IntruShield resources
An IntruShield deployment consists of the following resources and relationships
between resources.
Note: The resources described here are documented in later chapters of this
Guide, and in more detail in the Manager Configuration Guide.

Admin Domains. Administrative Domains, or admin domains for short, are optional
organizational tools that enable you to logically partition your IPS into discrete
portions and delegate their management to specific users. (For example, your
company might have a New York office and a San Jose office. You can create a
NY admin domain, organize all of the resources protecting the New York office in
that domain, and delegate its management to the New York administrator.)
The entire IntruShield deployment is organized under the Root Admin Domain,
which is represented in the Resource Tree illustrations in this chapter as My
Company.
For more information on Admin Domains, see Administrative Domains (on page
53).
The Manager. The Manager is the overall system orchestrator.
You use the Manager to add, configure, administer, and manage the physical
resources (hardware and software server, OS, and software components running
on the server) that comprise the IntruShield system. Within the Manager
resource, you can also configure global properties, such as update schedules,
data backups, proxy server settings, and so forth. You can also deploy two
Managers for a high-availability configuration.
For more information on Manager HA, see Manager Disaster Recovery (MDR)
(on page 17).
Users and Roles. You can specify users of the system, and then assign them
roles in an admin domain that permit them to perform the management and/or
configuration tasks available to the role within that admin domain. For finegrained customization of user roles, you can create custom roles and assign
specific abilities to each role.
For more information on users and roles, see Managing Users in IntruShield (on
page 79).
Sensors. Sensors are the monitoring devices you configure to detect attacks. Each
sensor resource enables a variety of actions. Sensors are represented logically
in the Manager by a user-given name with all corresponding interfaces and subinterfaces displayed as hierarchical children. Sensor interfaces and subinterfaces are the manifestation of the IntruShields Virtual IPS (VIPS) feature.
Two sensors of the same model can also be grouped into failover pairs, to
provide high network availability.

46

McAfee IntruShield IPS System 3.1

Working with IntruShield Resources

Getting Started Guide

IntruShield resources

Sensor node actions include exporting and importing of individual sensor


configuration files, correspondence with a firewall, configuration of sensor ports,
and updating of a sensors configuration.
Interfaces. An interface has both physical and logical attributes.
An interface is represented as a single physical port on the sensor (i.e., port 1A)
or a pair or ports (i.e., ports 1A and 1B).
An interface also has a logical connotation in that it allows the user to describe
how they wish to segment the traffic flowing through it. A logical interface allows
the user to configure it to be dedicated (unspecified, undefined traffic), VLAN
(traffic marked with specific VLAN tags), or CIDR (traffic within a block of specific
IP addresses). You can also logically group interfaces into an interface group to
monitor an asymmetric traffic flow.
Interface nodes enable application of IPS policy, creation of sub-interfaces for
more granular policy application, as well as creation of granular Denial of Service
policies.
Sub-Interfaces. Sub-interfaces are logical subdivisions of interfaces. If an interface
is connected to a segment that is transmitting VLAN or CIDR traffic, the interface
can be segmented into several smaller groupings called sub-interfaces. One
would normally configure a sub-interface for the purpose of applying a different
policy than what is applied to the rest of the interface or to group various unique
traffic instances with others that have common characteristics. Sub-interface
node actions are a subset of the interface node actions.
Policies. Policies are the rule sets that instruct the sensor on what events to detect
and what to do when the event occurs. You can apply separate policies to an
admin domain (wherein it would be applied to all interfaces on any sensors in
that domain), to interfaces, and to sub-interfaces.
Policy node actions include creation of alert filters, rule sets, policies, and userdefined signatures, viewing of applied policy(ies), and export/importing of policy
from/to the Manager.
For more information on policies, see Working with Security Policies (on page
58).

The Resource Tree


The Resource Tree, which is located in the IntruShield Managers Configuration page, is a
hierarchical view of all your physical and virtual IntruShield resources reporting to the
Manager. (The Manager is also depicted in the Resource Tree).
When you first log in, the Configuration page displays four primary nodes on the
Resource Tree: the Root Admin Domain node (which displays a user-configured name
representing the overall systemin the following illustration, the name is My Company),
the Manager node, the Policies node, and the Sensors node.
Note: The hierarchical view within the Resource Tree applies to the way the nodes
are managed by IntruShield users and not necessarily to any networking or physical
relationship between the resources. Nodes and the inheritance relationship
between nodes are described in Nodes (on page 56) and Inheritance (on page 56).

47

McAfee IntruShield IPS System 3.1

Working with IntruShield Resources

Getting Started Guide

IntruShield resources

Figure 17: The Resource Tree with the basic nodes displayed
Item

Description

Root Admin Domain node

Manager node

Policies node

4
Sensors node
As you configure your deployment, additional resourcessuch as sensorswill
appear in the tree. Multiple new nodes may display as you leverage their features
within IntruShield: the Failover Pairs node, the Interface node, and the Sub-Interface node.
User-configured resources are represented with the same or a similar icon as one of
the primary nodes, but labeled with the name you specified when you created the
resource. For example, if you add a sensor to the Manager, and name the sensor
Bldg1Sensor, the sensor appears in the list labeled as Bldg1Sensor.
The resource tree can also be viewed in the Split tree mode. Right-clicking on any of
the nodes and enabling Split tree divides the resource tree into two tabs - Domain and
Device tabs. The Domain tab lists Root Admin Domain node, the Manager node, the Child
Admin domains and Policies node of each domain. The Device tab lists the IntruShield
resources configured in each domain.
Resources are described in more detail in the chapter 4: Using the Configuration
page in the Manager Configuration Guide.

Working with the Resource Tree


To configure your system, you click on one of the nodes in the Resource Tree.
Configuration options specific to that resource appear in the right pane of the
Configuration page.
Note: As you make configuration changes to resources, bear in mind that many
configuration changes do not take effect until you push the changes to the sensor.
For more information on configuring your resources, see Chapter 4 : Using the
Configuration page of the Manager Configuration Guide.

48

McAfee IntruShield IPS System 3.1


Getting Started Guide

Working with IntruShield Resources


Relationship between sensors and resources in the Resource Tree

Relationship between sensors and resources in the Resource


Tree
Several icons in the Resource Tree reflect the sensors deployed in your network. This
section describes the relationship between the sensor and the icons that visually
reflect the sensors configuration.
As described in the section IntruShield resources (on page 46), multiple nodes reflect
aspects of a sensor: Sensors, Sensor_Name, Failover Pairs, Interface, and Sub-Interface.

Sensors icon
This node represents the available IntruShield sensor(s).
The Sensors node is a logical parent: all of the actions (configuring non-standard ports,
updating all sensors at once) configured at this level logically apply to every sensor
managed by this node, including any sensors configured to act as a Failover Pair.
Sensors nodes are admin-domain specific, that is, configured Sensors rules only apply
to the sensors of a single admin domain.

Sensor_Name icons
The Sensor_Name icons represent the sensors you add to the system. These sensors
are labeled with the names you specify when you create them.
Sensors have multiple ports, or interfaces. These interfaces can be allocated to
multiple admin domains in the system, meaning that while the sensor may have been
added to one admin domain, the allocated interface is controlled within the domain to
which it was allocated.
A single sensor can thus appear by name in several places in the Resource Tree;
however, its icon varies depending in which domain the sensor was added.

Physical Sensors
The Physical Sensor icon represents the sensor itself in the admin domain to which it
was added. For example, if SensorA was added to Admin Domain A, then SensorA appears
in the Resource Tree represented with a physical sensor icon under the Admin Domain
A node.

Virtual Sensors
The Virtual Sensors icon represents a parent domain sensor that has had one or more
interfaces allocated to the child domain under whose node it appears. For example, if
SensorA was added to Admin Domain A, but has allocated two interfaces to Admin Domain
B, then SensorA appears in the Resource Tree represented with a virtual sensor icon
under the Admin Domain B node. A Virtual Sensors node is not selectable. You can
configure the real sensor from its Physical Sensor node.

49

McAfee IntruShield IPS System 3.1


Getting Started Guide

Working with IntruShield Resources


Relationship between sensors and resources in the Resource Tree

Failover Pair_Name
The Failover Pair_Name icon appears under the Sensors icon and represents two physical
sensors you configured to behave as one Failover Pair. A Failover Pair is labeled with
the name you specify when you create it; for example, FailoverPair1. A Failover Pair
consists of two identical sensors (same model, same software, same configuration)
running entirely in In-line Mode.
Below the failover pair will display the interfaces configured for the sensor pair. For I4000 sensors, this will be interface pair 1A and 1B. For I-2600 sensors, this can be
1A and B, 2A and B, and/or 3A and B. Interfaces are described below.

Member Sensors
The Member Sensors icon appears under the Failover Pair_Name icon, and lists the
sensors comprising the Failover Pair. The Member Sensors node is not selectable;
configuration is performed at the Failover Pair_Name node.

Failover Sensor
Once you designate a sensor to be part of a Failover Pair, its icon changes to show it
is a Failover Sensor. A Failover Sensor is represented by the name you gave the sensor
when you created it.

Interfaces
Expanding the view of a sensor displays the ports/interfaces available. An Interface is a
representation of a single physical port on the sensor (i.e., 1A), a port pair (i.e., 1A
and 1B), orfor asymmetrically routed trafficlogically grouped ports (i.e., 1A & 1B
and 2A & 2B, or 1A and 2A).
Sensor interfaces are represented in the Resource Tree by their port number, and
can be named by the user in VLAN or CIDR scenarios; however, the port number still
appears.

Sub-interfaces
If an interface is connected to a segment that is transmitting VLAN or CIDR traffic, the
interface can be segmented into several smaller groupings called sub-interfaces. One
would normally configure a sub-interface to apply a different policy than what is
applied at the interface level, or to group various unique traffic instances with others
that have common characteristics (namely VLAN or CIDR traffic). You could also
create a sub-interface to protect a specific host that is the target of a DoS/DDoS
attack. The sub-interfaces are listed under the interface they constitute.
Thus interface 1A could, for example, be subdivided into 5 sub-interfaces. Subinterfaces are represented in the Resource Tree by their user-specified names or
numbers.
The following graphic illustrates failover pair nodes in the Configuration page
Resource Tree.

50

McAfee IntruShield IPS System 3.1


Getting Started Guide

Working with IntruShield Resources


Relationship between sensors and resources in the Resource Tree

Figure 18: Resource Tree with user-configured resources displayed

51

McAfee IntruShield IPS System 3.1


Getting Started Guide

Working with IntruShield Resources


Relationship between sensors and resources in the Resource Tree

Item

Description

Sensor_Name Node(physical sensor)

Interface node

Failover Pair_Name node

Sub-Interface node

Member Sensors node

Failover Sensor node

Child Admin Domain node

Sensor_Name Node(virtual sensor)

9
Allocated interface node
The following graphic illustrates how this organization relates to an I-2600 sensor
named 2600A.

Figure 19: Relationship between a sensor and the resources

52

CHAPTER 7

Administrative Domains
This section explains the concept of administrative domains and how domains are
represented in the IntruShield Manager. For specific instructions on how to configure
admin domains, see the Manager Configuration Guide.

What is an administrative domain?


An administrative domain, or admin domain for short, is an organizational tool used
specifically to group IntruShield resources so that management of the resources can
be delegated to specific IntruShield users.
An admin domain can contain other admin domains, sensors, sensor interfaces, and
sensor sub-interfaces. This administrative domain concept enables enterprises to
create a central authority that is responsible for the overall IntruShield IPS, and to
allow this central authority to delegate day-to-day operations of IntruShield security
resources to appropriate entitiesbusiness units, geographic regions, IT
departments, individual security personnel, and so on.

Root Admin Domain


The top level admin domain is called the Root Admin Domain. (The icon used to
depict it in the Resource Tree is shown at left.) Users with Super User access to the
Root Admin Domain have complete control over the entire administrative domain and
all resources within it, including any child domains, and thus all security resources in
the system.
For example, suppose your company (which well call My Company) is headquartered
in London, and has satellite offices in New York, Paris, and San Francisco. If your
IntruShield deployment monitors the entire company, your Root Admin Domain could
encompass all four sites and all of the IntruShield system components within the
environment, and you could manage the entire system from London.

53

McAfee IntruShield IPS System 3.1

Administrative Domains

Getting Started Guide

What is an administrative domain?

The following graphic shows this arrangement in the Resource Tree in the
Configuration page of the Manager. The root admin domain is labeled My Company.

Figure 20: The Root Administrative Domain for My Company

Parent and child admin domains


Perhaps managing My Companys entire IntruShield deployment from London is
impractical. It might make more sense to delegate management of the IntruShield
resources protecting various geographical locations to entities in those locations. To
delegate management functions to each of the four offices, you would create a
subdomain representing each office. These subdomains are called child admin
domains or child domains.
Creating child domains enables you to delegate entities more familiar with the
subdomains environment to monitor and/or configure the IPS devices in that
subdomain. You are not required to subdivide your admin domains into child
domains; however, if you want to delegate responsibilities for managing IntruShield
resources among multiple individuals within your organization, you do so by creating
child domains.
Note: To delegate responsibilities, you create user accounts and give each user a
role that defines how the user can interact with the resources in the child admin
domain. For more information on roles, see Managing Users in IntruShield (on page
79).
You can further break child domains into smaller subdomains. Any domain with child
domains is a parent. A child domain can be parent to other child domains.
You can subdivide your Root Admin Domain into child domains that are large, from a
resource perspective, delegating management of all the IntruShield resources
protecting multiple geographic regions. Or you can create domains that are very
smalla few interfaces on a single sensor, or even a VLAN tag or CIDR address
within a segment of traffic transmitting between two hosts in the protected network.

54

McAfee IntruShield IPS System 3.1

Administrative Domains

Getting Started Guide

Admin domain hierarchy

Admin domain hierarchy


Administrative domains are graphically represented in the Resource Tree as a
hierarchical tree structure. Resources in the IntruShield system are represented as
nodes on the Resource Tree, as illustrated in the following graphic.

Figure 21: Resource Tree Elements


Item

Description

Root Admin Domain. parent domain of QA, Finance and HR

Child domain of My Company

Child domain of My Company, parent domain of Payroll and Accounts Payable

Child domain of Finance

Child domain of Finance

6
Child domain of My Company
In this figure, the node at the top of the tree represents the Root Admin Domain.

55

McAfee IntruShield IPS System 3.1

Administrative Domains

Getting Started Guide

Alert and fault notification and forwarding

Note: The structure of the Resource Tree applies to the way the nodes are
managed by system users and not necessarily to any networking or physical
relationship between the resources.
A users role determines his/her view of the Resource Tree. Only resources the user
is permitted to view are displayed in the tree. If, using the example in the above
figure, a user is a Super User of the Finance admin domain, the Resource Tree
shows the Finance domain at the top of the tree and all of its children; it does not
display any other child domains, nor the Root Admin Domain.

Nodes
Each item in the Resource Tree is a node and represents an IntruShield resource. A
node can represent a logical entity, like a child domain, or a physical entity, like an
interface on a sensor. A single Admin Domain node can be a parent or child. It can be a
parent to nodes under it, while being a child to a node above it. There might be
several levels of child nodes.

Inheritance
It is important to understand the relationship between parent and child admin
domains because (by default) child admin domains inherit policies from parent admin
domains, and because users are automatically granted the same privileges in the
child domains as those enabled by their roles in the parent domain.
Policy inheritance means that a child takes policies, or inherits them, from the parent.
If you do not specify a policy when you create the child, the child automatically
inherits the policies of its parent. To override policy inheritance from parent, you
assign a policy to the child admin domain that is specific to that child domain.
For more information on policies, see Working with Security Policies (on page 58).
User roles work similarly, but with a slight difference. Roles apply within the current
domain and any of its children. Because child domains are essentially contained
within parent domains, if a user is given, for example, a Super User role for a parent
domain, that role also applies to all children of the parent. Thus, to use the domain
hierarchy shown in the figure in Admin domain hierarchy (on page 55) as an example,
a user assigned a System Administrator role for the Finance department has that role
for the Payroll and Accounts Payable domains as well.
Note that additional roles can be granted to the user at the child level, but a role
granted at a parent cannot be overridden at a child level.
For more information on roles, see Managing Users in IntruShield (on page 79).

Alert and fault notification and forwarding


From the Admin Domain resource you can configure notification and forwarding of
alerts and system faults. Notification enables the IntruShield Management System to
send an email, page an individual, or execute a script upon detection of alert or fault

56

McAfee IntruShield IPS System 3.1

Administrative Domains

Getting Started Guide

Alert and fault notification and forwarding

settings you have configured. Alert and fault forwarding enables you to configure the
Manager to send alert and/or fault data to a specified syslog and/or SNMP server.

57

CHAPTER 8

Working with Security Policies


This section provides information on developing and applying IPS policies for
IntruShield.

What are security policies?


A security policy, or IPS policy, is a set of rules that governs what traffic is permitted
across your network, and how to respond to misuse of the network. An effective
policy is one that is customized to the network environment being monitored.
Security policies can set rules for protocols (HTTP, UDP), operating systems (NT,
Solaris), and other types of information transmitted across your network. Knowing
what types of traffic cross your different segments will help you determine the types of
policies you will require to efficiently and successfully protect your network against
intrusions and misuse.

IntruShield policies
An IntruShield policy is a set of rules/instructions defining the malicious activity you
want your sensor(s) to detect and how you want to respond if the activity is detected.
Creating a policy enables you to define a set of rules that define the different
services, protocols, and/or product implementations in your network.
The best practice for protecting against misuse is not to apply a one-size-fits-all policy
to the entire network, but to create multiple specific policies which focus on the
specific needs of unique segments of your network. IntruShield enables you to create
policies for your network resources right down to individual sub-flows of network
traffic.
Imagine a network that has Windows and Linux hosts interspersed across it. The best
approach here is to apply a policy that includes attacks for both Windows and Linux
on all ports through which their traffic will flow.
If this network happens to be controlled in such a way that the traffic from all
Windows hosts is flowing through one segment of the network and the traffic from all
Linux hosts is flowing through a different segment, you could connect these different
segments to different monitoring ports. You could then apply Windows-specific and
Linux-specific policies to the respective ports. In doing so, you would minimize the
chance of false positives and reduce the quantity of scanning required on each port.

Policy application
Current sensor-based IPS products permit you to apply only one security policy for
the entire sensor. Typically these one-policy sensors also have only one port which

58

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Policy application

cannot be segmented for more granular policy application. However, if you have
multiple segments to monitor or you need to monitor aggregated trafficlike on
Gigabit uplinksa multi-port box and more granularity in the inspection process
makes for a much more cost effective and efficient security solution. IntruShield
sensor appliances have multiple ports coupled with multiple policy application
options. Thus, IntruShield offers its Virtualization feature (known as VIDS or VIPS).

VIPS--applying policies at the Interface and sub-interface


level
The VIPS feature enables you to configure multiple policies for multiple unique
environments and traffic directions all monitored with a single IntruShield sensor. The
goal of virtualization is scanning granularity. Virtualization allows you to apply multiple
policies to traffic flowing through a single interface. In this way, a unique scanning
policy can be applied to a single host or group of hosts, when their traffic will not
travel through a unique sensor port.
For example, suppose port 1A of an I-2600 sensor is connected to the SPAN port on
a switch. Port 1A is configured with a specific environment detection policy. The rest
of the ports on the sensor can have policies completely different than the policy on
1A, or they can use the same policy. Or, each port can be segmented by multiple
VLAN tags or CIDR addresses, each customized with its own security policy.

Sensors
Policy can be applied at the sensor level; however, this policy application is intended
to be inherited by those interfaces of a sensor whose custom-applied policy has been
deleted. For example, you have created a custom policy called Custom1. You apply it
to interfaces 1B, 2A, and 4B on a single I-2600 sensor. After some time, you
determine Custom1 does not work effectively, and you want to delete it. You can
apply a different policy to the sensor that will allow you to delete the custom policy
without having to change the policy at each interface where it has been applied.
When you delete the custom policy, all of the interfaces (1B, 2A, and 4B) enforcing
the policy will inherit the policy applied to the sensor.

Interfaces
Networking professionals often interchange the terms port and interface. In the
IntruShield context, however, there is an important distinction to be made; a port
actually represents the physical component, whereas an interface represents the
logical abstraction of one or more physical monitoring ports on a sensor and all traffic
flowing through the port(s). All sensor interfaces are represented by FE or GE
monitoring ports connected directly or through an external tap, hub, or SPAN port to
network segments.
A simple, yet effective example of the difference between port and interface is with
regard to a port pair. When you configure a sensor to run inline, you combine and
manage the two physical ports as a single logical interface.
To use an example, suppose you have a Finance parent domain, and it has two child
domainsPayroll and Accounts Payable. Now suppose that the Payroll department

59

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Policy application

network is comprised entirely of Windows machines, and Accounts Payable is


predominantly Solaris. You have a single I-2600 sensor that is running in internal tap
mode with two peer ports, port pair 1A and 1B, monitoring traffic in the Payroll
department and port pair 2A and 2B monitoring Accounts Payable. You can use the
supplied Windows Server policy and apply it to the Payroll interface and the Solaris Server
policy to apply to the Accounts Payable interface.

Figure 22: Deploying security policies

Sub-interfaces
The terms VIDS and VIPS reinforce the idea that virtualization allows you to tailor a
single sensor solution as if it were a multiple-sensor solution. The IntruShield user
interface uses the term sub-interface, and this term better describes the process by
which virtualization is implemented.

60

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Policy application

IntruShield sensors take port monitoring deeper than the interface-level: you can
segment the security management of an interface and apply policies at a traffic subflow level within the interface. A sub-flow, or sub-interface, is a segment of data within
a traffic flow. This sub-interface is also a VIPS. A VIPS can be defined based one or
more blocks of CIDR-based IP addresses or one or more VLAN tags. IntruShield
sensors can process these data segments and apply multiple traffic policies for the
multiple subnets transmitting across a single wire, right down to policies protecting
individual hosts.

Figure 23: Policies on sub-interfaces

In the above figure, a gigabit uplink between a router and a switch is monitored in
external tap mode by an I-4000. Behind the switch is a corporate network with five
departments: HR, Sales, Payroll, Engineering, and Marketing. The traffic for each of
these departments has been segmented using VLANs with each departments traffic
tagged with a distinct VLAN ID, represented by the numbers 1-5 in the illustration.
Using peer ports 1A and 1B to tap the full-duplex uplink, the I-4000 can analyze and
process the VLAN IDs in the traffic transmitted between the router and switch. The
security administrator can configure unique policies for each VLAN ID (representing
traffic from the different departments) within the uplink, rather than apply a single
policy across the entire interface. In this scenario, each of the five VLAN IDs from
each of the five departments can have a distinct policy assigned to it, or different
combinations of the VLAN IDs within the uplink can have the same policy applied.
Policy application simply depends on assigning a policy to an interface or subinterface resource as you see fit.

DoS policies
It is also worth noting that each interface and sub-interface maintains a unique
Denial-of-Service (DoS) profile. DoS policies can be applied to subsets of a subinterface for even more granular security monitoring. These DoS profile instances are
known as DoS IDs. You can monitor DoS attacks to the granularity of individual
hosts. Any deviation from the established normal traffic behavior flags a DoS
condition, even a situation wherein a single host/subnet downstream to a gigabit

61

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Pre-configured policies

network link comes under attackwith even a couple of Mbps of traffic. The sensors
granular DoS detection can spot the attack.
Another reason to consider creating a sub-interface for a single host is when that host
tends to have traffic patterns that are significantly different from the rest of the hosts
sharing the interface. An example is an e-commerce Web server as compared to
internal file and print servers; the Web server will no doubt have a different traffic
pattern than the file and print servers. If not isolated from the file and print servers,
that one Web server is potentially skewing the calculations for the entire interface and
therefore creating false positives, or even false negatives, in the DoS analysis
process. By isolating that one host, you allow the sensor to analyze the traffic
destined to and originating from the file and print servers independently of the traffic
to and from the Web server, and therefore increase the likelihood the analysis will be
accurate.

Pre-configured policies
McAfee supplies a set of pre-configured policies for immediate application in a
number of different network environments. These policies are available in the IPS
Policy Editor, which is located under the Policies node in the Resource Tree of the
System Configuration tool.
These policies are starting points, designed to help you get your system up and
running quickly. You can use any of the default scenarios initially, or you can clone
and modify these and apply your new policies. In fact, the Default Inline IPS policy,
applied by default when you add your first sensor, enables you to begin monitoring
your network immediately, and actually begin blocking attacks right out of the box (if
you deployed your sensor in in-line mode). As you tune your IPS, you will modify
these policies to best suit your particular environment.
Each pre-configured policy is designed to address the most common attacks
targeting specific network environments. To provide the most efficient attack
detection options, these policies take into account distinct factors such as protocols
(HTTP, SMTP), services (email, FTP, Web), and implementations (Apache, IIS).
Attacks are classified into four general categories:

Denial of Service (DoS) and Distributed Denial of Service (DDoS): all of the conditions

indicative of activities that lead to service disruption, including the slowing down
or crashing of applications, servers, or networks.
Exploit: all malicious activities, other than DoS and Reconnaissance, carried out
through specific traffic content. This includes buffer overflows, viruses, and
worms.
Reconnaissance: all of the conditions indicative of probing, scanning, and OS
fingerprinting activities. These activities are generally in preparation for more
targeted attacks.
Policy Violation: all activities for which the underlying traffic content may not be
malicious by itself, but are explicitly forbidden by the usage policies of the
administrative domain. This includes application protocol behaviors that violate
common usage practices.
The pre-formatted policies and their descriptions are listed below.
Note: All provided policies, except for the two All-Inclusive policies, enable attacks
with a minimum Severity of 2 (Low) and a maximum Benign Trigger Probability of 3

62

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Pre-configured policies

(Medium). The Severity and Benign Trigger Probability settings exclude known
noisy signatures in an effort to limit spurious alerts.
Policy

Designed to Protect Against

Default Inline IPS

All attacks of Low severity or greater, below a Medium benign trigger


probability, with a blocking sensor action enabled for all McAfee
Recommended for Blocking (RFB) attacks.

Default IDS

All attacks of Low severity or greater, below a Medium benign trigger


probability.

Outside Firewall

All attacks except for Reconnaissance category.

DMZ

All attack types except for those Exploits using TFTP, Telnet, RIP,
NETBIOS, NFS, and WINS.

Inside Firewall

All attack types except for those Exploits using TFTP, Telnet, and RIP.

Internal Segment

All attacks except for Exploits using RIP and routing protocol attacks.

Web Server

All Reconnaissance and DoS attacks, generic backdoors, and Exploits


using DNS, HTTP, and FTP protocols.

Mail Server

All Reconnaissance and DoS attacks, generic backdoors, and Exploits


using DNS, SMTP, POP3, and IMAP protocols.

DNS Server

All Reconnaissance and DoS attacks, generic backdoors, and Exploits


using the DNS protocol.

File Server

All Reconnaissance and DoS attacks, generic backdoors, and Exploits


using DNS, NFS/RPC, and NETBIOS/SMB protocols.

Windows Server

All attacks where the impacted OS includes Windows.

Solaris Server

All attacks where the impacted OS includes Solaris.

UNIX Server

All attacks where the impacted OS includes UNIX.

Linux Server

All attacks where the impacted OS includes Linux.

Windows and UNIX Server

All attacks where the impacted OS includes Windows or UNIX.

Windows and Solaris Server

All attacks where the impacted OS includes Windows or Solaris.

Windows, Linux, and Solaris


Server

All attacks where the impacted OS includes Windows, Linux, or Solaris.

All-Inclusive without Audit

All attacks, including those with known noisy signatures, but omitting
Informational severity attacks. This policy differs from Default as it alerts
for every attack in the IntruShield database, including those with noisy
signatures. This enables expert security personnel to fully analyze their
network traffic. Informational attacks are not enabled.

All-Inclusive with Audit

Similar to above, with the exception that Informational-level alerts are


included.

Null

All signatures are disabled by default.This policy is provided for the


scenario where a substream of traffic needs to be ignored by the IPS.

For example, in the following figure, an IntruShield 2600 sensor protects three
network areas: outside the firewall, inside the firewall, and the DMZ. You can enforce
a single policy across all three areas, or you can configure individual policies
specifically for each zone.

63

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Configuring policies in IntruShield

In this example, the area outside the firewall is best protected by the default Outside
Firewall policy (or one similar to it created by an admin) provided with IntruShield. For
the DMZ area, the provided DMZ policy is the most efficient for that segment. Similarly,
for the area inside the firewall, the provided Inside Firewall policy is best suited for the
traffic in that zone.

Figure 24: Deploying security policies

Configuring policies in IntruShield


You configure policies using the IPS Policy Editor in the Configuration page, apply them
to a resource (e.g., an admin domain, an interface, or a sub-interface) and these
policies are then propagated to sensors for enforcement. Although policies are
inherently complex, the Policy Editor facilitates the configuration process with
straightforward, step-by-step configuration screens.

About rule-based policies


IntruShield policies are rule-based. A rule-based policy consists of an ordered list of
attack selection rules, and is somewhat similar to an Access Control List (ACL). A set
of ordered rules are used to determine what attacks or conditions are of interest, and
thus should be monitored. A rule set is configured based on attack category,
operating system, protocol, application, severity, and benign trigger probability
options. Each rule in a set is either an include rule or an exclude rule. An include rule
(which should always start a rule set) is a set of parameters that encompass a broad
range of well-known attacks for detection. An exclude rule removes elements from
the include rule in order to focus the policys rule set. By this process of broadening
(includes) and narrowing (excludes), you can enable detection of just the attacks that
impact the intended environment.
For example, if you view the Default IDS policy rule set, the rule set includes all DoS
and Reconnaissance attacks, includes all Exploit attacks above a level 2 (low)

64

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Configuring policies in IntruShield

severity, below a level 3 (medium) benign trigger probability, thus excluding a specific
list of attacks that are not critical enough or contain signatures that are inherently
noisy.

Attacks vs. signatures in IntruShield


Note that as you interact with IntruShield policies, you encounter the term attack, not
signature. IntruShield defines an attack as being comprised of one or more
signatures, thresholds, anomaly profiles, or correlation rules, where each method is
used to detect an attempt to exploit a particular vulnerability in a system. These
signatures and checks may contain very specific means for identifying a specific
known exploit of the vulnerability, or more generic detection methods that aid in
detecting unknown exploits for the vulnerability. Combined in an attack, the
signatures provide for maximum accuracy and coverage in attack detection.

The IntruShield Policy Editor


The IPS Policy Editor is a tool that enables you to view, create, edit, clone, and delete
security policies. The tool appears in the Resource Tree as the Policies node (shown at
left). You can use IntruShields pre-configured policies as is, or use them as a
template for creating custom policies, or you can create new policies.
The following options are available to you in the Policy Editor:

Add/create your own policy.


Edit a policy you created. (You cannot directly edit provided policies.)
Clone an existing policy; that is, copy and customize any existing policy

Delete any policy you created. (You cannot delete provided policies. You cannot

including provided policiesunder a new name.


delete a policy that is currently applied to a resource.)

Creating or customizing a policy


The following steps describe policy creation at a high level.

65

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Configuring policies in IntruShield

Create a named policy. You can clone (copy) a default policy to use as a
template, edit an existing policy, or create a new one. Your policy should specify
all the attacks you want to detect and the responses to take when a particular
attack is detected.

Save the policy.

Apply the policy to a resourcean admin domain, sensor, an interface on a


sensor, or a sub-interface of a sensor interface. (A newly added sensor will
inherit the policy from its admin domain; thus, all interfaces on the sensor will be
protected by the policy of the domain by default.)

If an intrusion event is detected, the sensor sends an alert to the Manager


describing the event, and issues a response if you have configured it to do so.
Types of responses are described in the section Response types (on page 69).
Examine the alerts in the Alert Manager, or in an IPS Report.

Over time, you can tune the policy based on the alert data generated. If you see
a lot of alerts that you dont want to see (i.e., alerts that dont apply to your
environment, such as Windows attacks against a Solaris environment or other
instances of alerts on events that you do not consider noteworthy), then you
might want to tune your policy rules to see only impacting attacks.

Sensor response without alerting


By default, all of the attacks detected by a policy send an alert upon detection. In
cases were you see the same alert time and time again in your Alert Manager and
wish you could automatically send a response without having to see the alert again,
IntruShield provides the sensor response without alert feature. For Exploit attacks, you
can disable alerting for any attack while still being able to activate a sensor response
upon detection of the attack. When the attack is detected, the configured response is
executed and no alert is sent to the database.
Note: If you disable alerting for an attack, packet logging is also turned off for that
attack. You must enable the alert to enable packet logging.

Automatic acknowledgement of alerts


Dependent upon the number of attacks a day you experience, you may notice that
several of the same attacks consistently target your network. With your Alert Manager
open to a Real-time View, you are constantly acknowledging instances of the same
alert over and over, which can take productive time away from analyzing the other
alerts.
IntruShield policy customization enables the automatic acknowledgement of alerts for
any attack in the database. The Notification option Auto. Acknowledge automatically
marks the attack as Acknowledged in the database, thus detection of the attack is
not counted in the Unacknowledged Alert Summary (of the Manager Home page), and can
only be viewed in the Alert Manager via Historical View queries.

66

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Exporting and importing policies

Reassigning policies across sensors


You can easily easily reassign policies applied to sensors within the current admin
domain or any child admin domains this action without having to search extensively
throughout IntruShield. If you need to reassign a policy on several sensors, you can
search by policy. If instead you want to reassign policies on selected sensors, you
can search by sensor.
For more information, see Chapter 7: Policies Node of the Manager Configuration
Guide.

Exporting and importing policies


The ISM system enables you to export and import your custom policies. Exporting
allows you to save a copy of a custom policy from the Manager to your client or other
location. Importing allows you to copy an exported policy back to the Manager.
Note: Exported policies are saved as XML files. Do not attempt to customize the
XML output, or you may have problems when importing the policy back to the
system.
The following three scenarios detail situations where exporting and/or importing policy
is beneficial to your security strategy:

Scenario 1: Creating and archiving a policy


You created a custom policy, and you want to back up that single policy for later
reference, editing, or availability. You export the file to your client. You can import
to a test environment to edit the policy, then import back to your live system.
Also, you can import the original policy back to the Manager overwriting the
current record of the policy in the event you arent satisfied with changes made to
the policy since a previous export.
Scenario 2: Utilize a test environment to create a policy, then import
If you have set up a Manager server in a test or non-live environment, you can
create multiple policies on your test Manager for use in your live system. Once
policy creation is complete, export the custom policy to a client machine. Then
connect remotely to your live Manager, and import the custom policy. Once
imported, you can apply the policy to IntruShield resources.
Scenario 3: Copying a policy from one live manager to another live manager
If you have a large number of IntruShield sensors deployed, you may decide to
split the sensors between two or more Managers. For the custom policies you
create, you can export the policies from one Manager to a client, then import the
policies to the other Manager(s).

Policy inheritance
A policy defined at the admin domain level is inherited by its child admin domains,
and the resourcessensor interfaces and sub-interfaceswithin the child domains
unless the policy is explicitly set during resource configuration. If you want to set
another policy for a specific resource, you can select or create a different policy.
The policy inheritance order is shown below.

67

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Response management

Resource/
Node

Type of Policy

Policies node

Any Admin Domain


nodes

Exploit Policy

Sensor_Name
nodes

Interface nodes

DoS
Learning Mode

DoS
Threshold Mode

Reconnaissance

(Is turned off


by default)

n/a

Assign policy defined Assign policy


at Policies node
defined at Policies
node
Same policy as that
Same policy as
of the Admin Domain
that of the Admin
Domain

(Is turned off


by default)

n/a

Inherit policy from


Admin Domain
Assign new policy
Enforce policy

Define policy
Enforce policy

n/a

Define policy
Enforce policy

n/a

Inherit from

Admin Domain

Modify inherited
policy
Enforce policy

Define policy
Enforce policy

n/a

Define policy

Inherit from
policy Admin
Domain
Modify inherited
policy
Enforce policy
Inherit policy
from Interface
Modify inherited
policy
Enforce policy

Inherit policy from


Interface
Assign new policy
Enforce policy

Sub-interface nodes

Individual VLAN ID,


CIDR bock within
interface or subinterface

Define policy

n/a

Same policy as Define/Enforce Recon.


that of the Admin
policy (defined for all the
Domain
sensors interfaces)

Suppose you create a policy for use with an admin domain you plan to create. You
can define the policy at the Policies level. Its then available for any admin domain, and
any sensor in the domain.
When you allocate sensor interfaces to an admin domain (a process that is part of
child admin domain creation), all of the interfaces automatically inherit the admin
domains policy. So, as part of the process of creating an admin domain, you assign
the policy to be inherited by the allocated interfaces. If you want, you can then go into
each allocated interface and assign a different policy.
Changing policies at higher levels (e.g., admin domain level) once they have been
applied at a lower level has no effect on the lower levels (e.g., interface level).
Note: A custom policy defined at a child admin domain level cant be applied to a
resource at the parent admin domain level.

Response management
When an IntruShield sensor detects activity to be in violation of a configured policy, a
preset response from the sensor is integral to the protection or prevention process.

68

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Response management

Proper configuration of responses is crucial to maintaining effective protection.


Critical attacks like buffer overflows and DoS attacks require responses in real time,
while scans and probes can be logged and researched to determine compromise
potential and the source of the attack. Developing a system of actions, alerts, and
logs based on specific attacks or attack parameters (such as severity) is
recommended for effective network security.
For example, since IntruShield can be customized protect any zone in a network,
knowing what needs to be protected can help to determine the response type. If
monitoring outside of the firewall in In-line Mode, preventing DoS attacks and attacks
against the firewall is crucial. Most other suspicious traffic intended for the internal
network, including scans and low-impact well-known exploits, are best logged and
analyzed as the impact is not immediate and a better understanding of the potential
attack purpose can be determined. Thus, if you are monitoring outside of a firewall in
In-line Mode, it is important to not set the policies and responses so fine that they
disrupt the flow of traffic and slow down the system; rather, prevent the crippling
traffic from disrupting your network.

Response types
The response types offered by IntruShield sensors and the Manager are as follows:

Sensor response actions


IntruShield sensor actions are responses your sensor enacts or sends through the
network to prevent or deter further attacks.

Drop further packets (In-line mode only) Dropping the specific attack packets is a

key advantage of in-line mode. When detecting in-line (real time), the packets
that trigger signatures and (optionally) all subsequent packets related to that
connection can be dropped before they reach the intended target system. This
capability provides true intrusion prevention. This action is also known as
blocking.
Send an alert (default) When traffic violates a sensor policy, an alert is
generated and sent to the Manager to be viewed using the Alert Manager. Alerts
can be examined for content and sorted by key fields such as severity level,
source and destination IPs, and so forth. Refer to the Manager Configuration
Guide for more information on the Alert Manager.
Firewall action sensor coordinates with a configured firewall, sending a deny rule
to the firewall for specific source and destination address parameters.
Packet log Sends a log, or copy, of the packet information to the database; this
information acts as a record of the actual flow of traffic that triggered the attack
and can be used for detailed packet analysis. When the data is viewed in the Alert
Manager, the data is converted to libpcap format for presentation. Tools like
Ethereal can be used to examine the packet log data for more detailed analysis
of attack packet data. The user can specify how many packets should be logged
or for what duration. You can also choose to encrypt the packet log channel via
SSL to protect the packet log data.
TCP reset For TCP connections only. TCP uses the RST (Reset) bit in the TCP
header to reset a TCP connection. Resets are sent in response to a connection
that carries traffic which violates the security policy of the domain. The user can
configure reset packets to be sent to the source and/or destination IP address.

69

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Response management

Alert filters Alert filtering enables you to filter out alerts based on the source or
the destination of the security event. For example, if you know that your IT
department executes vulnerability scans from a particular IP address, you can
filter events originating from that address. The Alert Filter Editor provides a
convenient interface for creating alert filters.
ICMP host unreachable ICMP Host Unreachable packets can be sent in response
to the source of UDP or ICMP attacks.

Recommended For Blocking (RFB)


IntruShield attack definitions contain an attribute that indicates whether an attack is
considered Recommended for Blocking (RFB) by McAfee. A flag may be set in any
cloned policy to block on the RFB attacks within the policy.

Manager response actions


There are three notification responses that can be configured to alert users of
malicious activity: email, pager, or script notification. These responses are sent
directly to admins based on either a configured severity levelrepresented as Low,
Medium, or High severityor based on the occurrence of a particular attack,
regardless of the severity level.

The Global Attack Response Editor (GARE)


The GARE is essentially a shortcut to customizing a particular attacks response
across all policies containing that attack. Responses configured at the GARE level
are then available for that attack at the rule set and policy level.
Weve discussed policy inheritance and response actions. To fully understand GARE,
consider a concept that we will loosely call response inheritance.
A new signature set straight from the Update Server contains some default actions
associated with particular attacks. For example, certain attacks are configured to log
packets, and others are configured not to log packets.
When you open an attack in the GARE editor, GARE displays the default attack
values specified by the signature set. GARE thus inherits the response actions from
the signature set. Customizing these values in the GARE overrides the signature
sets values. Regardless of what the signature set suggested as the attacks
response, the attack now has a custom response as specified in GARE.
The GARE values are then available for customization at the Rule set level. For
example, at the Rule Set level, you inherit all the customizations from the GARE
level, but can set a response action of blocking for certain attacks. Now the attack
can have the GARE customization plus the Rule set customization.
Finally, you have the Policy level. All the customizations made at the Rule set level or
at the GARE level are inherited at the Policy level.
As shown in the following figure, each level inherits response attribute values from
previous level. At each level you can either retain the inherited value for an attack or
customize it by explicitly setting or removing a value.

70

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Response management

A signature set cont ains attacks with


certain pre-defined values for
response.

Signa ture se t

Changes made in the GARE override


default signature set behavior.

GARE

The rule set editor inherits GARE


changes; changes made in the Rule
set editor o verride GARE
customizations.

Rule se t edit or

The Policy editor inherits all changes


made at the GARE and u
r le set levels;
responses can be changed at the
policy level, as well.

Polic y edit or

The IPS Policy Editor now displays labels showing at what level an attack was
customized:
D Default IntruShield-supplied
G GARE Global attack response editor
R Rule Set Editor (only blocking action)
P IPS Policy Editor
For example, suppose you want to create 3 policies that detect the attack FTP:
Attack Example, which happens to be a Recommended For Blocking (RFB) attack.
Your requirements are as follows:

Policy1: block FTP: Attack Example and log packets


Policy2: do not block FTP: Attack Example; log packets.
Policy3: block FTP: Attack Example; do not log packets
For all three policies, you want to be notified by email if FTP: Attack Example is
discovered.

How to accomplish this?

At the GARE level for FTP: Attack Example, configure packet logging and email
notification.

At the Rule Set level, enable blocking for RFB attacks.

At the Policy Editor level, create your three policies. When you choose FTP:
Attack Example for Policy2, disable blocking. For Policy3, disable packet logging.

Note: GARE customization can be imported/exported using the Policy


Import/Export feature.

71

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Denial of Service (DoS) modes

Denial of Service (DoS) modes


Denial of service (DoS) attacks interrupt network services by flooding a system or host

with spurious traffic, which can overflow your system buffers and force you to take the
system offline for repairs. IntruShield sensors support both learning- and thresholdbased capabilities for combatting DoS attacks. Since the sensors maintain full TCP
state, it is easy to differentiate the bad DoS packets from good traffic packets, and
drop the bad packets when running in In-line mode.
DoS policy applies to inbound, outbound, and bidirectional traffic. Inbound traffic is
that traffic received on the port marked Outside (that is, originating from outside the
network) in In-line or Tap mode. When using SPAN or Hub Mode, all traffic is
considered inbound unless distinguished by creation of CIDR blocks; traffic destined to
a specified CIDR block is considered inbound on a SPAN port. Typically inbound
traffic is destined to the protected network, such as an enterprise intranet.
Outbound traffic is that traffic sent a system in your intranet, and is on the port
marked Inside (that is, originating from inside the network) in In-line or Tap mode.
There are also Learning Mode attacks that do not have a directional association,
specifically ICMP ECHO Anomaly and TCP Control Anomaly. Due to the nature of
these attacks, the sensor is unable to determine whether the attack occurred inbound
versus outbound. Thus, these attacks are classified as bidirectional.
Note: The ICMP Echo Anomaly and TCP Control Anomaly attacks cannot be
blocked, even when the sensor is in In-line Mode.
When configuring with the Policy Editor, you can customize severities and enable
an admin notification for a number of statistical categories. Report generation and
the Alert Manager can help to determine the types of statistical information that are
affecting your networks performance.

Learning mode
In Learning Mode, the sensor monitors the network traffic and develops a normal
baseline profile, called a long-term profile, by collecting statistics on a number of
traffic measures over time. The initial learning time for the profile is typically two days.
After that time, the sensor constantly updates these profiles (typically you will have
multiple profiles being processed at a given time), which are kept on the internal
sensor flash, to keep an updated picture of the network. In real time, the sensor
develops a short-term profile, which is essentially a snapshot of the network traffic.
The short-term profile is compared to the long-term profile and an alert is raised if the
short-term statistics indicates a traffic surge that deviates from the long-term
behavior. The learning and detection algorithms take into account regular traffic
surges that are caused by flash crowds or the like: normally there are no alerts for
such surges. (Flash crowds are surges in traffic due to benign conditions, such as
everyone logging in at 9:00am on a Monday.)
Response sensitivity determines how much (volume and duration) a traffic surge is
considered abnormal and if an alert should be raised. Setting the response sensitivity
to Low tells the detection algorithm to be tolerant of traffic spikes (that is, because
the network has abundant bandwidth and/or the server has adequate capacity) before
raising alerts, while setting it to High makes the system more sensitive to any traffic
surge. The implications of setting a High sensitivity are ambiguous: High makes it

72

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Countering SYN floods with SYN cookies

possible to detect even small-scale DDoS attacks while at the same time making the
system more prone to false positivesthe opposite can be said for Low sensitivity.
DoS learning mode is configured during policy creation and is enforced at the
interface and sub-interface levels. Customizations to learning mode profiles can be
performed at these resource levels, and Learning Mode profiles can be reset (relearned) or reloaded at the sensor level. This is all performed in the Configuration
page.
Sub-interfaces and individual CIDR hosts within a VLAN tag or CIDR block being hit
with a denial of service attack can be created and protected with specific learning
mode settings. This is useful in preventing a server in your DMZ or other location
from being shut down by a DoS attack. A separate profile is created for each
resource.

Threshold mode
In Threshold Mode, the sensor monitors the network traffic for packet floods, such as
SYN attacks and too many IP fragments, transmitting through from a source to a
destination as detected within a sensor interface or sub-interface. When configuring
with the IPS Policy Editor or customizing at the interface or sub-interface level, you
must specify the count and interval (rate in seconds) for the threshold attacks you
want to detect. The sensor sends an alert when the traffic exceeds the customized
thresholds for an enabled (sought after) attack. You can also enable a notification for
an attack if it warrants special attention.
Note: You must configure the actual thresholds and intervals for each DoS
Threshold Mode attack you want to detect. Default thresholds are not provided
since the packet rates in every network are different. Customization of DoS
thresholds works best after researching the current levels each DoS Threshold
attack defends against in order to determine exactly what counts and intervals best
protect your network.

Countering SYN floods with SYN cookies


A SYN flood attack is a series of SYN packets from forged IP addresses targeted at a
specific server. When a server is attacked in this manner, the SYN queue in the
server fills and all new connection requests are dropped. The SYN cookie feature is a
mechanism to counter SYN flood attacks. This feature is an adjunct to the existing
statistical anomaly-based Denial of Service detection. In cases where a DoS attack is
already underway and there is no time for learning a long term profile, IntruShield
provides the ability for the sensor to proxy all inbound three-way handshakes.
With SYN cookies, whenever a new connection request arrives at a server, the server
does not maintain any information about the connection request. Instead it sends
back a SYN+ACK with an ISN uniquely generated using the information present in
the incoming SYN packet and a secret key. If the connection request is from a
legitimate host, the server gets back an ACK from the host.
The sensor will support a configurable threshold for SYN arrival rate, above which the
sensor will begin using SYN cookies to avoid having to maintain state during the
three-way handshake. ISM provides an interface to the user to enable/disable the

73

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Access control lists

SYN cookie feature. It also provides user the ability to configure the threshold values
for the SYN cookies.
For more information, see the Manager Configuration Guide.

Access control lists


IntruShield enables the creation of an access control list (ACL) with ordered rules for
permitting and denying traffic from reaching a sensors inspection engine and
continuing on through the network. A sensor ACL is useful for maximizing a sensors
detection and prevention capabilities by preventing, that is dropping or rejecting,
specified traffic without requiring full inspection.
Most commonly deployed in firewalls, an ACL is a set of ordered rules that governs
what traffic is permitted to pass and what traffic is denied access beyond the device
where the ACL resides. In the case of IntruShield, a sensor ACL checks all traffic to
determine what traffic is allowed to pass to a sensors inspection engine and beyond,
and which should be denied, that is either dropped from the network or rejected (TCP
traffic only). Thus, an IntruShield ACL can preemptively drop any traffic by denying
access to the inspection engine and beyond.
IntruShield provides two permit options: permit and inspect and permit and pass
without inspection. Permit and inspect passes traffic to a sensors inspection engine
to check for violations of applied IPS policy. Permit and pass without inspection
passes the traffic back into the network without checking for IPS policy violations.
Note: McAfee recommends permit and inspect rules for complete protection from
potentially harmful traffic.
If you configure multiple ACL rules, note the order as ACLs are executed in top-down
sequence: the rule at the top of the list is checked first, followed in order by
subsequent rules down to the bottommost rule. IntruShield employs a first-match
process; the first ACL rule matched in sequence is enforced.
At the sensor level, you can create rules for the entire sensor as well as those for
specific ports/port pairs of the sensor. Rules created at the sensor level for a specific
port/port pair are inherited by the corresponding interface and, if applicable, subinterface(s). In the case of ACLs, an interface is a subset of the corresponding port or
port pair. That is, ACL rules configured for a port/port pair at the sensor level are
inherited by the corresponding interface as well as any sub-interfaces. However, ACL
rules created at the interface level are not inherited by corresponding sub-interfaces
due to the rule of separating interface traffic flows from sub-interface traffic flows
based on the following policy application rule:
If you apply a policy to a sub-interface that is different than the inherited policy, the
policy enforced at the interface level protects all traffic not specific to the subinterface.
Thus, for ACL rules, the rule of inheritance requires you to create global rules at the
sensor or physical port/port pair level: interface rules only apply to interfaces, and
sub-interface rules only apply to sub-interfaces.
You cannot set explicit ACL permit rules for protocols that negotiate ports dynamically
with the exception of the following:

FTP

74

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

IP spoofing detection

TFTP
RPC services
Multimedia protocols such as H.323 and services such as instant messaging and
peer-to-peer communication either negotiate the data channel separate from the
control channel or negotiate ports that do not follow a standard. However, you
can configure ACLs to explicitly deny these dynamic protocol instances by
denying the fixed control port.

Note: For RPC services, you can configure explicit allow and deny rules for RPC as
a whole, but not its constituents, such as statd and mountd.
Tip: Another option for denying protocols that use dynamic negotiation is to
configure policies to drop the attacks that are detected in such transmissions.
IntruShield detects use of and attacks in such programs as Yahoo Messenger,
KaZaA, IRC, and so forth.

ACL logging
IntruShield provides an optional ACL log feature that will log packets that are dropped
or permitted based on your ACL rule(s). The sensor forwards ACL logs to the
Manager, where they are formatted and converted to Syslog messages and sent to
the configured Syslog server. You can then view the log from a 3rd-party Syslog
application.
You can enable logging on a granular level. For example, you can enable logging for
particular rules, or particular Admin Domains. For more information on ACL logging,
see Chapter 5: Administrative Domain Nodes of the Manager Configuration Guide.

IP spoofing detection
The Anti-Spoofing action enables the detection of attacks that either originate from
sources external to your network (inbound) that use your internal addresses as the
attacking source IP addresses, or those attacks that originate from your internal
network (outbound) which use IP addresses not defined in your customized list of
"good" addresses. You can apply IP address spoofing detection to any interfaces that
have been previously segmented by CIDR-based addressing.
IntruShield sensors can detect IP spoofing attacks; that is, attacks that originate from
sources external to your network, but which use your internal addresses as the
attacking source IP addresses. You can apply IP address spoofing detection to any
interfaces that have been previously segmented by CIDR-based addressing. Your
IntruShield sensor keeps a table with your protected CIDR-based addresses; thus,
when a sensor detects an attack that originated from outside your network but
contains an identified internal address, an alert is generated for that traffic.
Any port pair in In-line Mode that has been segmented by CIDR addressing is eligible
for IP spoofing detection. This includes any CIDR-segmented sub-interfaces of an
eligible port pair. For example, port pair 1A-1B protects the 192.168.1.0/24 and
192.168.2.0/24 networks in In-line Mode. You create the sub-interface "PayrollServer to protect host 192.168.1.1/32. When you enable and configure IP spoofing
detection for
1A-1B, you will see all three of these addresses available for protection against IP
spoofing attacks.

75

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

ARP spoofing detection

If you have segmented 1A-1B by VLAN tagging, and you configured a DoS policy for
a CIDR within a VLAN, that CIDR instance can have IP spoofing detection enabled.
You enable IP spoofing detection for the interface (e.g., 1A-1B) during configuration;
an alert is raised if an attack is detected that contains both the VLAN tag and the
CIDR address. The rest of the interface segmented by VLANs does not have this
option, only the CIDR within the VLAN.
Note: For more on CIDR-based addressing for IntruShield sensor interfaces, refer
to Managing an Interface: Changing the Traffic Type and Naming the Interface.
Once enabled, open the Alert Manager to check for IP spoofing attacks. When you
see an internal IP address in the Source IP column during Alert Manager use, check
the packet log associated with that attack to determine whether the attack originated
internally, or whether the transmission originated outside of your network, the latter
being a case of IP spoofing.
For enabling IP spoofing detection on a sensor, see Chapter 10: Sensors_Name
Node of Manager Configuration Guide.

ARP spoofing detection


ARP (Address Resolution Protocol) Spoofing detection is accomplished by mapping a
table of IP address to corresponding MAC addresses. The detection of multiple ARP
reply packets with a different sender MAC address than its mapped IP results in an
alert. Check the Alert Viewer for ARP spoofing-related alerts.
In ARP spoofing, the MAC address of a spoofed ARP packet is the real MAC address
of the host attempting the spoofing.
Sometimes misconfiguration (two different machines are using the same IP address)
and occasionally system malfunction (host or switch) may result in such ARP
spoofing packets.
Detection of ARP Spoofing results in the triggering of ARP Spoofing alerts. These
alerts display in the Alert Manager component of IntruShield Manager. Their names
are prefaced with ARP: (for example, ARP: ARP Spoofing with Different MAC
Addresses).
For more information, see Sensor Configuration Guide.

Decrypting SSL for IPS inspection


A disadvantage often cited for NIDS systems is the inability to analyze encrypted
traffic. Encrypted traffic prevents nearly all NIDS from inspecting the packets for
attacks or other unauthorized activity. IntruShield sensors, however, are equipped to
decrypt Secure Socket Layer (SSL) packets for inspection and response in cases of
attack.
IntruShield SSL functionality allows a sensor to maintain a copy of a server's private
key, thereby allowing the sensor to properly determine the session key for SSL
sessions terminating on that server. From a client, you download your SSL keys
through the Manager interface to a sensor. The sensor keeps the server key in
volatile memory after receiving it from the Manager. The key is stored on the

76

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Decrypting SSL for IPS inspection

Manager, encrypted with a key only the sensor knows. This prevents a single point of
compromise.
When a sensor boots up, it requests all of the private keys that the Manager has for
that sensor.
The Manager provides a passthru interface for importing a set of public/private keys
to the sensor. The Manager stores an escrow of the imported keys for sensor
recovery purpose. However, the Manager does not interpret the escrowed keys, nor
does it attempt to recover the keys themselves in case a sensor has lost its key
encryption key. In order to protect the imported keys both in transit and in escrow, the
Manager uses the public key of the sensors public/private key pair. The Manager can
also push down new keys when they are imported.
IntruShield supports the PKCS12 formatfile suffixes .pkcs12, .p12, or .pfx
with an RSA private key no longer than 2048 bits. Up to 64 keys can be loaded into a
sensor, and the keys work across all of a sensors Virtual IPS (VIPS) instances. The
private key must be a part of the PKCS12 file.
SSL functionality is described in Chapter 10: Sensors_Name Node of the Manager
Configuration Guide.
Note: Note that there is a performance impact when using the SSL detection
feature. Performance information per sensor can be found in the IntruShield
Release Notes.

Supported Web Servers


SSL decryption is supported for the following web servers:

Microsoft Internet Information Server (IIS)


Apache

Supported Cipher Suites


The following SSL cipher suites (as named in their respective RFCs) are supported:
SSLv2 cipher suites
SSL_CK_RC4_128_WITH_MD5
SSL_CK_RC4_128_EXPORT40_WITH_MD5
SSL_CK_DES_64_CBC_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSLv3/TLS cipher suites

DES_CBC3_SHA
TLS_NULL_WITH_NULL_NULL
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA

77

McAfee IntruShield IPS System 3.1

Working with Security Policies

Getting Started Guide

Vulnerability assessment

TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Unsupported SSL Functionality


The following SSL functionality is not supported:

iPlanet Web servers


Diffie-Hellman ciphers
Compression in the SSL records (a negotiable option in SSLv3 and TLS)
PCT (Microsoft's extension to SSLv2)

Vulnerability assessment
ISM now has the ability to load vulnerability data from the McAfee Foundstone
product and the Nessus opensource vulnerability scanner. The IntruShield Manager
will perform correlation based on common CVE and/or Bugtraq ID. IntruShield can
then display correlations with imported scan data in a separate column in the Alert
Manager column entitled Vulnerability Relevance.
If an IntruShield alert shares the same exploit/vulnerability combination as is found in
the Foundstone data, AND the target IP has also been cited by Foundstone as being
vulnerable, the alert will be tagged with a value of '1', indicating that it is relevant. This
information will help prioritize alert data.
You manage the vulnerability assessment feature from the Configuration page, and
the view the data from within the Alert Manager.
For more information, see the Manager Configuration Guide.

78

CHAPTER 9

Managing Users in IntruShield


This section explains the user management capabilities of the IntruShield Manager.
The IntruShield Manager Configuration page enables users with Super User
privileges to delegate configuration and monitoring responsibilities of the various
components of the IntruShield system to specific users. This section describes user
management and roles at a high level, and describes the application of user roles in
developing a safe and efficient security management environment.
For specific instructions on how to create users and assign roles, see the Manager
Configuration Guide.

User management in IntruShield


Security organizations usually are comprised of multiple individuals, and
management of the overall system is generally delegated to different people
according to some logical categorizationby department, by geographic location, by
system (i.e., the email servers, the Web servers), and so on. In IntruShield, you
delegate the management of system components by organizing the components
logically into admin domains and then granting various management privileges for the
domains to your IntruShield users.
The IntruShield Manager enables the creation of multiple users within the system,
and enables Super Users to grant specific privilege rules, called roles, to those users
to allow them to manage an admin domain and any of its children. Within each admin
domain, permission to carry out tasks is limited to only those users with appropriate
roles.
For example, recall that a child admin domain can consist of something as granular
as an interface on a sensor. You use roles to specify who can do what with that
interface in that child domain.

What is a role?
A role is defined as a group of actions that a user is allowed to perform within a given
domain. Roles determine the users authorized activities, ensuring the users have
access to only the functions necessary to complete their particular operational
responsibilities.
IntruShield implements role-based authorization, wherein users can perform only
those activities permitted by their role. Roles are always domain based, that is, a role
governs what activities a user can perform within a particular domain. Users never
have roles that are not tied to managing a resource within a specific domain and its
children, although users can exist in the database without being assigned a role.
Roles promote the integrity of security configuration by not allowing universal access
to every security resource deployed in the system. Thus you can create a user with

79

McAfee IntruShield IPS System 3.1

Managing Users in IntruShield

Getting Started Guide

Roles within IntruShield

privileges to manage and configure a single child domain, perform user management
tasks within that domain, generate reports, manage sensors, and so on. You can
assign the least privileges necessary for a user to perform his/her specific job
function, and no more. The user is limited to the specific role functions within the
assigned child domain and its children, and prevents the user from manipulating other
domains.
For example, only the Root Admin Domain System Administrator sees the Manager
node in the Resource Tree. System Administrators without privileges at the Root
Admin Domain level are allowed to configure and maintain their child domains within
the system, but do not see the Manager resource.
Note: The Root Admin Domain Super User is able to override the roles of any user.

Creating a user
You create a user from the Managers Configuration page , and you can assign the
user roles for a particular domain at the time the user is created, or you can assign
roles at a later time. Only users who have Super User privileges can assign or modify
the assignment of user roles, and then only for the domains permitted by their role(s).
Users are stored in the database with their username, an MD5 hash of their
password, their role(s), and their roles in various domains. When the user logs in, the
Manager makes available only those activities permitted by the users role.
As most companies now centralize their user management and authentication, the
Manager also supports RADIUS and LDAP (Active Directory) authentication for users.
For either authentication method, you configure the authentication server information,
and then when creating a user, you can choose whether the user is a RADIUS, LDAP
or ISM Local user.
User accounts for the sensor can be centrally stored and authenticated with a
TACACS+ (Terminal Access Controller Access Control System plus) server.

Roles within IntruShield


IntruShield provides five categories of roles. The section Role descriptions (on page
81), lists the five role types with the applicable description and activities available to
each.
All role types can view the Manager Home page, and all role types have read-only access
to most actions available in the Configuration page. Restricted Users and No Role users
as their names implyhave the most limited read-only privileges within the system.
In addition to IntruShield-provided roles, custom roles can added in order to assign
specific abilities to certain members of an organization.

Role relationships between parent and child domains


Roles apply within the current domain and any of its children. Because child domains
are essentially contained within parent domains, if a user is given, for example,

80

McAfee IntruShield IPS System 3.1

Managing Users in IntruShield

Getting Started Guide

Roles within IntruShield

Operator role for a parent domain, that role also applies to all children of the parent.
Note that additional roles can be granted to the user at the child level, but a role
granted at a parent cannot be overridden at a child level. Using the example above of
a user granted an Operator role at the Root Admin Domain level, suppose you create
a child admin domain. The user with the Operator role inherits that role at the child
level; however, if you wanted the user to have Super User status at the child level,
you can assign the Super User role within that child domain.
IntruShield roles provide a granular level of access within the system. This enables
you to provide very limited responsibilities to a number of individuals, or to assign a
single user multiple roles so the user can accomplish multiple administrative tasks
(e.g., grant System Administrator and Security Expert roles) within the system.

Role descriptions
The following section summarizes the IntruShield-provided user roles.

Super User role


The Super User role (not represented by an icon) enjoys all privileges. Each shipped
IntruShield Manager is configured with one built-in Super User account including a
default password.
Note: The default Super User account username is admin and password is admin123.
McAfee strongly recommends that you change the default password for security
purposes. (In the Configuration page, while logged in as admin, go to Root Admin
Domain > Users > Manage My Account and change the password.
The Super User role provides:
all the privileges possible in the current domain
all the privileges a Super User has in all the children of the current domain
the special privilege to assign (or remove) the Super User role for a user in the
current domain
A Super User can be defined at any level, and the role applies to the current domain
and all of its children, but not for its parent domain or any other sibling domains.

System Administrator role


The System Administrator role pertains strictly to administration of the system itself.
Tasks permitted to the System Administrator include managing software and system
performance; creating users and granting roles; adding, deleting, or configuring
sensors; and handling system faults.

Security Expert role


The Security Expert role largely pertains to managing intrusion policies. The Security
Expert can create, edit, and delete policies, view alerts, manage software and

81

McAfee IntruShield IPS System 3.1

Managing Users in IntruShield

Getting Started Guide

Roles within IntruShield

signature update downloads, generate reports, manage system faults, and handle
security alerts.

Restricted User role


Restricted Users (not represented by an icon) can view the Manager Home page, and

are limited to read-only access to most areas of the Configuration page.

No role
The No Role user cannot perform any actions. This is the state when a user is first
created.

82

CHAPTER 10

Working with Alerts


This section describes alerts, and the tools available for analyzing them.

What are alerts?


Alerts are asynchronous notifications sent when a system event or attack triggers the
IPS. When a packet violating your enforced security policies is detected by a sensor,
the sensor compiles information about the offending packet and sends the
information to the Manager in the form of an alert. An alert contains a variety of
information on the incident that triggered itsuch as the type of attack, its source and
destination IP addresses, its source and destination ports, as well as security analysis
information (performed by the sensor) such as attack severity and type. You can use
this information to perform forensic analysis on the alertthat is, careful investigation
to determine its cause and how to prevent others of its kind.
An attack is a violation of set policy parameters. An alert is one or more attack
instances. In many cases, an alert represents a single detected attack. A multi-attack
alert is generated when multiple instances of identical attacks (same source IP,
destination IP, and specific attack) are detected within a two minute period; data for
all attacks is throttled into one alert instance, however, you can also choose to
configure for how many of each throttled attacks you want to see an individual alert.
IntruShield stores alerts in the Manager server database until you delete them. You
can view your alerts in the Manager using the Alert Manager or the Reports Main page. You
can also correlate of large number of identical alerts into a small number of incidents
using the Incident Generator.

The lifecycle of an alert


Alerts exist in one of three states: unacknowledged/acknowledged, and marked for
deletion. When an alert is raised, it appears in the Manager in an unacknowledged
state. Unacknowledged means that you have not officially recognized its presence by
marking it acknowledged. An alert remains in an unacknowledged state until you
either acknowledge or delete it. Alerts are backed up to the database and archived in
order of occurrence. Deleted alerts are removed from the database.

83

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

What are alerts?

Unacknowledged alerts display in the Unacknowledged Alert Summary section of the


Manager Home page and the Real-time view in the Alert Manager. Acknowledging
alerts dismisses them from these views. Acknowledged alerts display only in the
Historical view in the Alert Manager and in reports.

Figure 25: Unacknowledged Alert Summary Display on the Manager home page
Item

Description

Current Monitored Domain

Acknowledge alerts by severity

Click to open Alert Manager

Deleting an alert both acknowledges it and marks it for deletion. The alert is not
actually deleted until a scheduled Disk Space Maintenance takes place. At that time,
IntruShield deletes those alerts marked for deletion and those alerts meeting the
deletion criteria specified in the schedulerolder than 30 days, for examplewhether
or not theyve been manually marked for deletion.
Note: For more information on Disk Space Maintenance, see the Manager
COnfiguration Guide.
To put an acknowledged alert back into an unacknowledged state or un-delete an
alert, you can use the Historical view in Alert Manager to show all alerts from the time
period in which the acknowledged /deleted alert took place. You can then locate the
alert and unacknowledge or un-delete it. This alert will not display in the Real-time
Alert Manager until you have closed and re-opened the Alert Manager.

Suppressing alerts
Over the course of time, you will become very familiar with your IntruShield alert data
as you perform forensic analysis using the Alert Manager. At some point, you may
even become tired of seeing some of the same alerts time and again. IntruShield
provides multiple options for suppressing alerts, that is, lessening the number of
alerts in either the Alert Manager and/or database, so that you can work on your
higher priority issues.
The following alert suppression options are available using various actions within the
Manager interface:

84

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

What are alerts?

Disable alerting: During policy creation/modification, you can disable the alert for
one or more attacks. This is not attack detection disabling, just alert disabling. The
sensor still detects the attack and can send an automatic responseif
configured. (If no response is configured, then nothing is done when the attack is
detected.)
Auto Acknowledge: Also during policy creation, you have the option of automatically
acknowledging a detected attack. The Auto Acknowledge feature suppresses the
alert from the Real-time View of the Alert Viewer by marking the alert as
acknowledged, thus making the alert viewable only in an Historical View query.
Alert throttling: Alert throttling (seen as Response Action Settings in the Manager
interface) enables you to set a suppression limit for a singular Exploit attack,
which originates from one source, targets a single destination IP, and is detected
by the same VIPS (interface or sub-interface) multiple times within a limited time
frame. Exploit throttling limits the number of duplicate alerts that are sent to the
Manager from a sensor. Throttling is very effective against repetitive Exploit
attacks where a source IP address is spoofed and generates a high number of
alerts.
Send alert to
Manager

Send sensor
response action

Display alert in
Real-time View

Save alert to
database

Normal behavior

Yes

Yes

Yes

Yes

Detection on,
disable alerting

No

Yes

No

No

Auto Acknowledge

Yes

Yes

No

Yes

Alert throttling

Yes

Yes

Yes

Yes

About the Alert Manager


The Alert Manager is a powerful forensic analysis tool you can use to examine the alerts
detected by your IntruShield sensors.
The Alert Manager can be opened from the Manager Home page by selecting the
Real-time Alert Manager or Historical Alert Manager from the list and clicking the Launch
button. The Alert Manager opens the Alert Manager Summary page in a separate
browser window from that of the Manager Home page, providing a concentrated view
for alert analysis. You need to specify a time frame to open the Historical Alert
Manager. The Manager retrieves the alerts that occurred in the specified time frame
and displays them in the Alert Manager for your analysis. By examining the alerts,
you can use the information your analysis provides to determine your system
weaknesses and modify your defenses.

Real-time View. The Real-time View opens the Alert Manager Summary page. Once

opened, the Real-time View refreshes frequently to display the alerts that are
being detected by your sensors, thus you can view the alerts as they happen in
real time.

85

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

What are alerts?

Historical View. The Historical View sets the filter to retrieve information for both
acknowledged and unacknowledged alerts archived in the database within a
specified time frame. The Historical View does not refresh with new alerts; thus
you can focus on analyzing all alerts within the time you requested.

Figure 26: Selecting Alerts to View


Item

Description

Current Monitored Domain

Acknowledge alerts by severity

3
Click to open Alert Manager
Once youve retrieved alerts either from a particular time period or in real time, the
Alert Manager Summary page is displayed. The Summary page is logically divided
into 2 sections: the top menu bar and the lower display summary area.

Figure 27: Alert Manager Summary Window

86

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

What are alerts?

Item

Description

Menu bar area

Display area

Menu Bar Area: The menu bar of the Alert manager Home page presents you with

navigation options.

Detail tab: links to the Detail view window

Incident Viewer tab: links to the incident viewer window.

Preferences tab: links to the Preferences window


Display Area: The display area presents the summary of System Health and Alerts

Manager Analysis views.

System Health:You can view the System Health page from the Alert Manager Summary
page. This System Health Status view cannot be operated in the same manner
as the System Health Status available from the Home page: faults are not
selectable. This view is available for quick glance usage so that you do not have
to leave the Alert Manager to get an update on possible system faults. THe
System Health displays the status of the sensor and the Manager.The Update
button updates the sensor configuration.
Alerts Manager Analysis Views:The Alerts consolidated view has two panes: Time
View and Consolidated View.
1 Time View: This pane displays the number of attacks in time intervals that
have been detected either in the last two hours (Real-Time) or within a
specific time frame (Historical). The Time View displays as a bar graph.
Each bar contains information related to the number of attacks and a time
frame in which the attacks were detected. Clicking on a bar displays
information on the attacks it represents in the status bar at the bottom of the
Time View pane. The Severity level in the Time View displays the alerts as
High, Medium, Low, or Informational. The Zoom In and Zoom out options
changes the time level of alerts to be displayed.

Consolidated View: The Consolidated view is below the Time View pane . Its

display is split into four panes (categories) for statistical review. Each pane
is a bar graph, and each bar represents several alerts (Alert Result Status) or
attack (Top 5 panes) instances grouped by a specific parameter. An
alert/attack may appear in a bar in more than one pane if that alert/attack
has met the statistical parameters of multiple categories. The categories are
described as follows:
Attack: lists the top detected 5 attacks by count.

Note: Blocking activated applies to DoS traffic and indicates that the sensor
has discovered traffic suspicious in nature and blocking has started, though not
all traffic may be blocked. This is by design; blocking is taking place on packets
that are perceived as bad by the sensor. The sensor works to allow legitimate
traffic to flow, while blocking the traffic that is exceeding its learned threshold or
is not recognized based on its DoS profile. The sensor makes this
determination on a packet-by-packet basis. See the IntruShield Special Topics
document on Denial of Service for more information.

87

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

What are alerts?

Result Status: shows the probable result of all attacks corresponding to


the alerts: successful, unknown, failed, suspicious, blocked, or blocking
activated.
Source IP : lists the 5 most common source IP addresses by number of
detected attacks.
Target IP : lists the 5 most-targeted destination IP addresses by number
of detected attacks.

Drilling down--sorting alerts by categories


The Drilldown option offers several categorical views for all or selected alerts. Drilling
down enables you to focus your view of particular alerts; for example, you might see
from looking in the Consolidated View pane that most High Severity attacks are
issuing from a particular Source IP address, and perhaps you want to see which
attacks are being sent. You can select that source IP, then drill down to see the
attacks and destinations have been issued from the address.

Figure 28: Drilling Down Through Alert Categories

Show the details of a specific alert


You can view the details of a specific alert for a clearer picture of the key information
related to the attack. Different types of attacks produce different alert details. For
example, a Port Scan attacks alert details show the Source and Destination IP
information, as well as the destination ports scanned in the attack.
The information you learn in the Alert Details can then be used to augment your
policy settings and/or to initiate a response action, such as a TCP Reset. By rightclicking an alert, you can perform certain actions on the alert, such as viewing or
editing a response, running a script, saving an evidence report, and so on.

88

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

About the Incident Generator

About the Incident Generator


IntruShield provides real-time alert correlation with the Incident Generator and UserGenerated Incident tools. Performing analysis can be quite a task when it means
looking through thousands, tens of thousands, and even hundreds of thousands of
alerts to determine what is happening to your network. IntruShields alert suppression
feature helps reduce the number of alerts to wade through, but having an intelligent
resource to correlate and group related alertsin real-timegreatly facilitates the
task.
For example, suppose an attacker, looking for weaknesses, initiates a port scan
against your network. If the attacker successfully locates a vulnerability on a
particular machine, he or she may next perform an exploit against the vulnerability. If
the exploit is successful, the attacker might then compromise the machine and use it
as a tool for initiating other attacks. This one servers compromise, occurring amidst
all the other alerts indicating other attacks on your network, could go unnoticed for too
long because of the sheer number of alerts to examine.
Imagine, however, if you could see instead that a single incident had occurredthat a
particular server had received too many alerts in a short period of time, that alerts
related to its compromise were being seen, and that attacks were now being initiated
from that server.

Utilizing the Incident Generator


The Incident Generator tool enables you to define how to group a large number of
related alerts into a small number of incidents. An incident is a pre-configured number
of related alerts with commonalities matching a particular scenario.
Using the Incident Generator, you define a scenario, which by default is more than
100 alerts in fifteen minutes from one source. A scenario is a sequence of
conditions, that, when met, cause IntruShield to raise an incident. If a situation
matching the scenario is detected followed by a period of inactivity equal to or greater
than two minutes, IntruShield raises multiple occurrences of the incident. For
example, the system detects 100 alerts from the same source in a 10 minute period.
There is no activity for three (3) minutes from the source, but then attacks start again
from the noted source that surpass the 100 alerts threshold in under 15 minutes.
Instead of seeing 200+ related alerts from the same source as two incidents, you
instead see two occurrences of a single incident matching the defined scenario.

Configuring Incident Generator scenarios


The Incident Generator tool, which is defined by the configuration of an XML file, runs
on a separate host than the Manager server. Configuring Incident Generator involves
specifying scenarios and customizing parameters in the XML file.
Note: For more information on starting the Incident Generator, see Chapter 6:
Manager Node of the Manager Configuration Guide.

89

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

About Reports

Creating user-generated incidents


The IntruShield Management System also enables you to create your own incidents
as you perform forensic analysis in the Alert Manager. The User-Generated Incidents
option provides you the ability to select individual alerts from an Attack Details View
for inclusion in a custom incident. No scenario settings need to be met; rather, you
select each alert to include in your incident. Since this feature is independent from the
Incident Generator configuration scenario, you can create an incident with alerts from
multiple source IPs, to multiple destinations, and so forth. There is no minimum
number of alerts to meet, thus you can start an incident with just one alert, and more
alerts, as well as custom occurrences, over time. Once satisfied with an incident, you
export it to the Incident Viewer for further analysis.
Note: For more information on working with the User-Generated Incidents tool, see
Chapter 12: Using the Alert Manager of the Manager Configuration Guide.

Viewing an incident
Whether you started the IG service or created your own incidents via the UserGenerated Incidents tool, you view the incidents in the Incident Viewer tool, which is
located within the Alert Manager. Within this tool, you can analyze and manage
incidents, including alert analysis, user assignment, and workflow commentary for
maintaining an incidents status.
Note: For more information on working with the Incident Viewer, see Chapter 12:
Using the Alert Manager of the Manager Configuration Guide.

About Reports
You can generate a range of reports for both the alert information reported to your
Manager, as well as information pertaining to your IntruShield configuration settings.

IPS reports are summaries of alert information, such as severity, impact category,

Configuration reports detail information such as the current Manager and sensor

Scheduled reports generate reports at a configured time, and optionally email the

source/destination IP, time of alert, alert trends, and so forth.


software versions, proxy server settings, policy configuration, and so forth.
reports to specific individuals and/or save them for later viewing.
Note: For more information on the Reports, see the Manager Configuration Guide.

IPS reports
The Report Generators IPS reports detail the network alerts generated by your
IntruShield sensors. Alert reports are summaries based on specific types of
information such as the source/destination IP of an attack, attack name, or time of
alert. IntruShield includes several pre-formatted reports for simple information
gathering, including an Executive Summary report, which provides a high-level view of
alert activity.

90

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

Alert and packet log archival

These IPS reports provide information on the alerts generated from your installed
sensors. The generated alert information can include source and destination IP of the
attack, time when attack occurred, the sensor that detected the attack, and so forth.
The multiple reports in this category provide various, concentrated views according to
the specific parameters of each report. Each report lists alerts from most to least
common detected.
All IPS reports can be viewed in either HTML or PDF format. The Top N Report can also
be viewed in bar graph or pie chart format.

Configuration reports
Configuration reports provide information on the settings configured using the
Configuration page. You can generate reports to view your current software and
signature versions, the status of a sensor, policy and rule set configurations, or your
proxy server settings. These reports provide a snapshot of the systems current
configuration.

Scheduled reports
Scheduled reports automate IPS report generation for convenient forensic analysis of
the alerts generated by your IntruShield sensors. You can schedule reports to be
generated and emailed on a daily or weekly basis. You create a report template
consisting of the information you wish to be included, save the template, and
configure the scheduler to run either weekly (on a particular day) or daily (at a
particular time each day). You can also specify recipients for the reports. When the
scheduled time arrives, a report is generated based on the template and mailed to
specified individuals. Each report is saved for later review.

Alert and packet log archival


You can copy alerts and packet logs from the database and archive them for later
retrieval and analysis without impacting the performance of your database. Using the
Archival actions provided in the Manager interface, you can archive your alerts and
packet logs on-demand or by a schedule, then restore the archivals on a different
Manager-database instance for further historical analysis.
The archival process copies alerts and packet logs from the database into a zip file
on the source Manager. From the Manager interface, You provide a time range within
which all corresponding alerts and packet logs in the database are copied into the
archival file.
Note: Archived files are saved locally to the Manager, but can be exported to your
client.
The scheduled archival process is an incremental process. The process preserves
the last archival time and uses it as the start date for the next (current) archival. The
end date is always the current time. You can clear the preserved start date or set it to
any date in the past. If it is cleared, the first process cycle archives all alerts and
packet logs up to the current time, then the incremental process executes.

91

McAfee IntruShield IPS System 3.1

Working with Alerts

Getting Started Guide

Alert and packet log archival

Note: An archival cannot be executed when database tuning is in process.


The restoration process requires the archival file to be copied over to a directory on
the target Manager or a network directory which the target Manager can access. The
restoration process enables you to filter through the alerts in the archival by severity
of alert, the result status, and start and end times.
To configure the archival process, refer to Chapter 6: Manager Node of the Manager
Configuration Guide.

92

CHAPTER 11

Deployment for Beginner, Intermediate, and Advanced


Users
This section provides some guidance on how to deploy IntruShield using the most
simple, or out-of-the-box method, and then gear up to more complex scenarios.

Deployment flexibility
IPS deployment can be daunting, and a complex product can be difficult to integrate
initially. IntruShield, while complex, provides great flexibility in deployment so you can
start monitoring your network even while you familiarize yourself with its features and
capabilities and tune your security policies.
IntruShield deployment can be simple or complex, depending on your needs and your
skill with the product. If youre a Beginner, you can use IntruShield straight out of the
box and get your entire deployment up and monitoring in an extremely short period of
time. An Intermediate approach might be to customize your policies a bit and shift to
another operating mode, such as Tap mode. An Advanced user might use all of the
features available, tracking traffic at extremely granular levels, creating multiple
administrative domains managed by a variety of users with various privileges, tailored
policies and custom responses to detected attacks, and so on.

Deployment scenario for beginners


IntruShield includes a variety of pre-configured security policies targeting different
environments. These policies (defined in Working with IntruShield Resources (on
page 46)) enable you to start monitoring your network right away. Details on how to
accomplish these tasks, unless otherwise specified, are described in the Manager
Configuration Guide.
1

Install the Manager as described in the Manager Installation Guide.

The Default Inline IPS policy is specified by default. You can leave this policy in
place or pick the policy that best matches your needs. Sensors you add will
inherit this policy and pass it along to all interfaces of the sensor.
Note: This policy enables blocking for certain attacks; immediately upon in-line
deployment sensors will begin blocking these attacks when they are detected.

93

McAfee IntruShield IPS System 3.1

Deployment for Beginner, Intermediate, and Advanced Users

Getting Started Guide

Deployment scenario for intermediate users

Configure the sensor and add it to the Manager as described in the Sensor
Configuration Guide.

On the Manager, check the sensors port configuration to be sure that it matches
the way you have deployed the sensor. Make changes as necessary.

Download and apply the latest sensor software and signature file from the
Update Server.

Send all configuration changes to the sensor.

If you want, set up alert notification to email or pager by attack severity.

Using the Report Generator and the Alert Manager, examine the resulting alerts
for patterns, to help you tune your policies.

Back up your data.

Deployment scenario for intermediate users


The pre-configured policies have an umbrella effectyoure protected from all attacks
defined in the policy. This enables you to get up and running quickly, but it also may
protect you against attacks you do not care about. For example, if you have an
entirely Solaris environment, you may not care if someone is initiating IIS attacks
against the network, because these attacks are irrelevant to you. Some
administrators prefer to see all network activity, including unsuccessful attacks, to get
a complete picture of what is occurring on the network. Others want to reduce the
noise generated by irrelevant attacks. Tuning your policies to delete attacks that do
not apply to your environment reduces the amount of unimportant alerts generated by
your sensors.
To tune your deployment, you might do the following:

Try a more advanced deployment mode. If you were running in SPAN mode, you
may choose to try another deployment mode, such as tap mode.
Take advantage of the sensors ability to apply multiple policies to multiple
interfaces. Instead of applying a single policy to the entire sensor, you may try
applying different policies to dedicated interfaces of the sensor. You can go a
step further and segment your traffic into VLAN tags or CIDR blocks, create subinterfaces, and apply policies to the sensors sub-interfaces.
Tune your policies. Pick the policy that best matches your needs and clone the
policy (or create a policy from scratch). Then remove any irrelevant attacks, add
any additional attacks, and configure appropriate response actions to respond to
detected attacks.
Generate reports and view alerts. Look at the data generated by the system to
help you further tune your policies, and if necessary, implement more granular
monitoring or delegation of monitoring activities to others.

Deployment scenario for advanced users


An advanced deployment of IntruShield utilizes more of IntruShields features to best
tune your system. Once you are more familiar with IntruShield, you might do the
following:

94

McAfee IntruShield IPS System 3.1

Deployment for Beginner, Intermediate, and Advanced Users

Getting Started Guide

Deployment scenario for advanced users

Try running in in-line mode. In-line mode enables you to drop malicious traffic and
thus prevent attacks from ever reaching their targets.
Split your deployment into multiple Admin Domains. You may want to organize your
deployment by geographical location, business unit, or functional area (i.e., HR,
Finance).
Segment your network traffic into VLAN tags and CIDR blocks. You can then monitor
various traffic with distinct policies using the sub-interfaces feature.
Create (or clone) policies on a sub-interface basis. Create policies tuned for specific
traffic flows within a network segment, and apply them on an extremely granular
level.
Define user roles. Delegate the day-to-day management of the IPS to specific
individuals, providing each person with only enough access to the system to
carry out his/her responsibilities.
Define DoS policies. Configure DoS policies for specific hosts or a subset of your
network.

95

overview
intrusion ..................................................... 1

Index

types of;........................................................................ 2
authorization
role-based authorization
A

role-based authorization....................................... 90

admin domains
parent domains

child domains

cabling

overview

dongles

parent domains

SPAN or Hub mode

overview
child domains; ..............................62
overview

dongles, use of ............................................... 48


Configuration tool
Resource Tree

admin domains; ....................................................61

overview of

administrative domains

overview

See admin domains;....................................................61


Alert Filter editor .............................................................78
alerts

resources; ................................................. 54
conventions
typographical conventions in this document ............. vii

lifecycle of
acknowledged;unacknowledged
alerts;acknowledged alerts; ............................94
details of an alert; .....................................................100
drilling down
details of an alert; .................................................99

D
database
how users are stored;.................................................. 91
deployment
for beginners

overview
alerts; ....................................................................94

deploying IntruShield; ....................................... 104


pre-deployment considerations

anomaly detection
overview
anomaly detection; ................................................3
attacks

pre-deployment considerations;........................... 32
documentation
conventions used........................................................ vii
DoS

detecting
methods of
detection methods;............................................3

DoS modes
learning mode
DoS modes

detecting with IntruShield

threshold mode

methods IntruShield uses

about

IntruShield detection methods; ........................6


overview
attack

DoS modes................................... 82
DoS detection
overview

inheritance................................................ 64

DoS detection; ........................................................3


roles

relationship between parent and child domains .. 64

in-line mode

fail-open functionality

overview

cabling

about, in-line mode

optical bypass switch

deploying in in-line mode

fail-open

in-line mode deployment

cabling

in-line mode

about

preventing .................................... 14

optical bypass switch, about ........43


interface groups

about
about .....................................................................42

about

about; fail-open vs. fail-closed

about
monitoring with interface groups; ................. 51

about .....................................................................42
interfaces

failover protection

creating policies to monitor

about

assigning policies to

deploying redundantly

overview

redundant deployment for failover protection

defining

about; ........................................................40
Fast Ethernet

for use with sub-interfaces

fail-closed

for use with sub-interfaces; ......... 69


IntruShield

cabling, about

system components

dongles, about

components of IntruShield

cabling

of the IntruShield IPS ...................................... 8

dongles
fail-closed .....................................43

roles;........................................................................... 91
IntruShield 1200 sensor

full duplex connection

See I-1200 sensor;........................................................ 8

overview
full duplex connection ..........................................16

intrusion detection
overview
intrusion detection; ................................................ 1

I
I-1200 sensor
device specifics
available on the I-1200
ports on the I-1200 sensor; ...............................8
inheritance
overview
inheritance
inheritance from parent

IPS
overview
IPS
See IPS ............................................................ 5
IDS
See IPS ............................................................ 4

policy inheritance................................................. 64

privileges

Manager

See roles

Alert Viewer

See roles ............................................................... 90

overview
alerts
Alert Viewer tool;.....................................96

R
Recommended for blocking

Incident Generator

description

overview

description............................................................ 79

Incident Generator tool


overview .................................................100

Restricted User role


description

components of

Restricted User..................................................... 93

overview
roles

Manager
See Manager;.............................................9
Report Generator

overview
roles
privileges of; .................................................. 90

overview

relationship between parent and child domains

overview

assigning roles to users

overview

user roles; ....................................................... 92

overview ...........................................102

types of

Manager server
hardware description

description of; ...................................................... 92

Manager server
communicating with the Manager
communicating with the Manager............10

S
Security Expert role
description

N
nodes

Security Expert..................................................... 93
security policies

of Resource Tree

overview

nodes.....................................................................64

security policies; .................................................. 66


Sensors

P
policies
configuring
policies;.................................................................73
overview
policies;.................................................................66
policy creation; ...........................................................74
policy inheritance
overview

modes of deployment
Sensor deployment
modes of Sensor deployment;........................ 14
overview
Sensors
See Sensors ..................................................... 8
responsibilities of
Sensor responsibilities; .......................................... 8
signature updates

overview

scheduling

tap mode

signature updates

deploying in tap mode

scheduling

tap mode deployment

scheduling updates of

tap mode;............................................ 44

updating;.............................................13

shifting from tap mode to in-line mode

signature-based detection
overview

shifting to in-line mode from


shifting to, from tap mode

signature-based detection; ......................................3


SPAN port

shifting to in-line mode from;.................. 47


taps

overview
SPAN port ............................................................15

overview

SPAN/hub operating mode

taps ....................................................................... 17
typographical conventions .............................................. vii

overview
SPAN/hub operating mode
deploying in SPAN/hub operating mode
SPAN/hub operating mode deployment
SPAN/hub operating mode

U
Update Server
overview
Update Server

overview .......................................48

overview

SPAN/hub operating mode; ...............15


deploying the I-1200 in

signature updates
about the Update Server .................... 12

deploying in SPAN/hub operating mode


deploying, I-1200 ...........................................48

users
creating

Super User
description

users
users

Super User ............................................................92

creating users; .......................................... 91


T

managing in IntruShield; ........................................... 90

tap mode
external, deploying the I-2600
deploying the I-2600, external tap mode
deploying, in external tap mode
tap mode deployment, external
external tap mode; ..............................47
internal, deploying the I-2600
deploying the I-2600, internal tap mode
deploying, in internal tap mode
tap mode deployment, internal
internal tap mode
deploying the I-2600 in ................45

V
VIPS
description
description............................................................ 67