
White Paper

September 2003

McAfee Network Protection

Intrusion Prevention:
Myths, Challenges, and Requirements
By Dr. Fengmin Gong, Chief Scientist

www.mcafeesecurity.com


Table of Contents

I. Introduction
II. Myths About Intrusion Prevention
III. Implementation Challenges
IV. Requirements for Effective Prevention
V. Path to Prevention
VI. McAfee IntruShield Approach
VII. About McAfee Network Protection Services
VIII. About Network Associates


I. Introduction

In a recent survey commissioned by VanDyke Software, some 66 percent of the companies said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent).

Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is clear that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely, but is also designed to allow some traffic through: Web traffic to an internal Web server, for example. The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, this can often be used as a springboard to launch additional attacks on other internal servers. Once a rootkit or backdoor has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future.

The case has never been clearer for Intrusion Detection Systems (IDS). The computer world's equivalent to the burglar alarm, the IDS provides valuable backup to the beleaguered firewall system (the equivalent of the locked door). As in the physical world, our logical burglar alarm provides valuable notification that someone has managed to breach our perimeter security measures, and should allow us to determine exactly what happened during the attack, and hopefully provide indications of how the security weakness might be addressed.
However, most IDS systems tend to be reactive rather than proactive; that is, they often have to wait until something has actually happened before they can raise the alarm. The Intrusion Prevention System (IPS), however, attempts to be proactive, and is designed to stop intrusions dead, blocking the offending traffic before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered. It achieves this by sitting directly in-line with the network traffic: one network port accepts traffic from the external system, and another port transmits it to the internal system after it has been checked for anomalies or suspicious content. Thus, problem packets, and all subsequent packets from the same data flow, can simply be discarded within the IPS appliance.
As with IDS systems, IPS products tend to fall into two categories: Host IPS (HIPS) and Network IPS (NIPS). Host IPS products rely on agents installed directly on the host system being protected, which interact closely with the underlying operating system and resident services in order to detect and prevent rogue system calls.

The Network IPS (sometimes known as an In-line IDS or Gateway IDS (GIDS)), however, could be thought of as something of a hybrid system, combining features of a standard IDS and a firewall. Like a firewall, the IPS appliance will sport at least two network interfaces, one designated as external and one as internal. Some appliances may have more than two in order to monitor multiple network paths, but the basic requirement is for two interfaces for data and one for management.
Placed in-line in a critical data path, the IPS detection engine examines packets as they pass through the device and processes them in a similar manner to an IDS so as to determine which packets are suspicious in nature. If a suspicious packet is detected, that packet can be dropped immediately, and all subsequent packets from that particular data stream can be discarded without further processing. Naturally, an IPS will also raise an alert in the same manner as an IDS, and this allows the IPS to operate in traditional IDS mode also, useful to enable the administrator to tune the system before placing it in full-blown prevention mode. Legitimate packets are naturally passed straight through to the internal interface and on to their intended destination. A useful side effect of some NIPS products is that as a matter of course, in fact as part of the initial detection process, they will provide packet scrubbing functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification (or intentional packet manipulation). Thus any fragmented packets or packets with IP fragment overlaps will be cleaned up before being passed to the destination host.
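The fragment clean-up just described, as an added example that is not part of the white paper or of any McAfee product: a small Python normalizer that reassembles a datagram from constructed fragments, accepts an overlap only when the overlapping bytes agree (a retransmission), and discards the whole datagram when they conflict, since the alternative is to guess which of the two reassembly policies the destination host will apply. Offsets are byte offsets for readability (real IPv4 fragment offsets are counted in 8-byte units); the Fragment type, the scrub() decision names and the sample fragments are all constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment, simplified for the example (constructed type)."""
    frag_id: int   # IP identification field shared by all pieces of a datagram
    offset: int    # byte offset of this piece within the reassembled datagram
    data: bytes
    more: bool     # "more fragments" flag; False marks the final piece


class OverlapConflict(Exception):
    """Two fragments cover the same byte position with different content."""


def reassemble(fragments):
    """Reassemble one datagram while refusing ambiguous overlaps.

    End hosts disagree about whether the first or the last overlapping
    fragment wins, and that disagreement is what fragment-overlap evasion
    relies on. A scrubber removes the ambiguity before the packet reaches
    the host: identical overlapping bytes are accepted (retransmissions),
    conflicting bytes raise OverlapConflict, and the caller then drops the
    whole datagram instead of guessing.
    """
    if len({f.frag_id for f in fragments}) != 1:
        raise ValueError("fragments from more than one datagram")
    buf = {}          # byte position -> byte value
    end = None        # total length, known once the final fragment is seen
    for f in fragments:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if buf.get(pos, b) != b:
                raise OverlapConflict(f"byte {pos} differs between fragments")
            buf[pos] = b
        if not f.more:
            end = f.offset + len(f.data)
    if end is None:
        raise ValueError("final fragment missing")
    if len(buf) != end or max(buf) + 1 != end:
        raise ValueError("gap in datagram or data beyond final fragment")
    return bytes(buf[i] for i in range(end))


def scrub(fragments):
    """Forwarding decision for an in-line scrubber: ('forward', payload)
    when the datagram reassembles unambiguously, ('drop', None) otherwise."""
    try:
        return "forward", reassemble(fragments)
    except (OverlapConflict, ValueError):
        return "drop", None


# Constructed sample fragments (8-byte pieces of a plain HTTP request line).
BENIGN = [
    Fragment(1, 0, b"GET /ind", True),
    Fragment(1, 8, b"ex.html ", True),
    Fragment(1, 16, b"HTTP/1.0", False),
]
# A retransmitted middle fragment with identical bytes is harmless.
RETRANSMIT = [BENIGN[0], BENIGN[1], BENIGN[1], BENIGN[2]]
# Two fragments claim offset 8 with different bytes: the host's reassembly
# policy would decide which URL the server sees, so the scrubber drops it.
CONFLICT = [
    Fragment(2, 0, b"GET /ind", True),
    Fragment(2, 8, b"ex.html ", True),
    Fragment(2, 8, b"ex.cgi?x", True),
    Fragment(2, 16, b"HTTP/1.0", False),
]
# A missing middle fragment never reassembles and is dropped as well.
GAP = [BENIGN[0], BENIGN[2]]
```

A real scrubber would also time out incomplete datagrams and bound the memory spent on them; both are omitted here so the overlap rule stays visible.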

II. Myths About Intrusion Prevention

There are numerous myths about Intrusion Prevention, most fostered by IDS marketing spin or ignorance of the way a well-designed in-line IPS device is capable of operating. Let's look at a few of the most common myths:

MYTH 1: Intrusion Detection and Intrusion Prevention Are Two Separate Solutions

At the moment, this is often the case. However, it need not, and should not, be. Because of inherent performance limitations, many IPS products have been designed with a very restrictive signature set on board and little scope to expand it without seriously impacting performance. This means that they can be used only for prevention of a limited number of exploits, and while these are usually the most serious, admittedly, it does mean that there is little scope for the security administrator to tweak the product for his own environment. It also means that because the detection capabilities of the IPS product are so limited, an additional IDS product is required behind it to alert on those exploits that are not covered.

Intrusion Prevention products that are designed from the ground up, however, should be capable of providing an extensive signature set that allows them to operate in either or both IDS and IPS modes. The most flexible IPS appliance will provide the ability to start off in passive IDS mode, perhaps attached to a SPAN port or network tap device, to allow the administrator to determine how effectively it can detect a wide range of exploits and (just as importantly in the case of an IPS) how susceptible it is to false-positives. Once the signature set has been tuned, it is a simple matter for the administrator to switch to in-line mode and start blocking some, or all, suspicious packets and flows detected. Good Intrusion Prevention is actually an extension of IDS, not something completely separate.
MYTH 2: Intrusion Prevention Is ALL or NOTHING

As we have seen with the previous myth, this is patently untrue when the right kind of appliance is deployed. Even where an IPS product can only operate in in-line mode, it is possible to have it block only a subset of exploits, while the majority of packets are passed through as normal. Behind the IPS device, you then have a traditional passive-mode IDS, which does the bulk of the detection and alerting on suspicious traffic. Clearly this is not an all-or-nothing situation, although the use of two separate devices will certainly cause deployment and management headaches.
This can be improved considerably with an appliance that has been designed from the ground up as an IDS as well as an IPS. As we have already seen in Myth 1, it is possible to design an appliance that offers both IDS and IPS functionality in the same box, providing an almost seamless migration path from pure detection to prevention. Now imagine an appliance with multiple network ports, with each port capable of supporting SPAN, tap or in-line mode. Now you move way beyond the all-or-nothing approach and into a truly integrated IDS/IPS solution in a single box. One pair of ports can be combined to provide an in-line prevention capability (say on the private LAN), while another pair of ports can be designated as a passive-mode IDS (say on the DMZ), providing full detection and alerting capabilities.

Now the administrator can deploy both technologies using a single appliance and controlled by a single management interface. The management and configuration capabilities are also critical if we are to avoid the all-or-nothing tag. In the past, network sensors have often employed a monolithic approach to setting intrusion policy and response, with the response being fixed according to the signature. The current generation of IDS/IPS sensors, however, should be capable of allowing the administrator to modify the response on a per-signature or per-signature-group basis: perhaps port scans are given an extremely low priority in one particular environment, while IIS Web server exploits are blocked and the administrator paged. Every deployment is different, and so the IDS/IPS device should incorporate enough flexibility to allow the administrator to configure the alerts and responses to his or her exact requirements.
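The engine behaviour described in the Introduction and the per-signature responses described under Myth 2, as one added example that is not part of the white paper or of any McAfee product: an in-line engine that drops a flagged packet, discards the rest of that flow without re-inspecting it, and applies whatever response is configured on the signature that fired. Run with inline=False it shows the passive IDS mode of Myth 1, where every packet is forwarded and only alerts are produced. Everything in it is constructed: the Packet and Signature types, the flow table keyed on addresses and ports, the two placeholder signatures (the patterns are not real exploit content) and the sample packets.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal packet for the example (constructed type)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class Signature:
    """A content signature with its configured response.

    action is 'alert' (report only) or 'block' (drop packet and flow);
    per-signature responses are what let a port scan stay low priority
    while a server exploit is blocked."""
    name: str
    pattern: bytes
    action: str = "alert"


@dataclass
class Engine:
    signatures: list
    inline: bool = True                         # False: passive IDS mode
    blocked_flows: set = field(default_factory=set)
    alerts: list = field(default_factory=list)  # (signature name, flow)

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet."""
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        # A flow flagged earlier is discarded with no further processing.
        if flow in self.blocked_flows:
            return "drop"
        for sig in self.signatures:
            if sig.pattern in pkt.payload:
                self.alerts.append((sig.name, flow))
                # Only an in-line engine can prevent; a passive sensor has
                # already let the packet past by the time it alerts.
                if self.inline and sig.action == "block":
                    self.blocked_flows.add(flow)
                    return "drop"
        return "forward"


# Constructed signatures with placeholder patterns: the first stands in
# for a serious Web server exploit, the second for a low-priority
# reconnaissance indicator that is only worth an alert.
SIGNATURES = [
    Signature("web-server-exploit-placeholder", b"EXPLOIT-PATTERN-PLACEHOLDER", "block"),
    Signature("http-options-probe", b"OPTIONS * HTTP/1.0", "alert"),
]

# Constructed traffic: one hostile flow, one customer, one scanner.
SAMPLE = [
    Packet("198.51.100.9", "192.0.2.10", 40001, 80, b"GET /EXPLOIT-PATTERN-PLACEHOLDER HTTP/1.0"),
    Packet("198.51.100.9", "192.0.2.10", 40001, 80, b"GET /index.html HTTP/1.0"),  # same flow, benign bytes
    Packet("203.0.113.5", "192.0.2.10", 51000, 80, b"GET /index.html HTTP/1.0"),
    Packet("203.0.113.77", "192.0.2.10", 52000, 80, b"OPTIONS * HTTP/1.0"),
]


def run(inline=True):
    """Run the sample through a fresh engine; return the per-packet
    decisions and the names of the signatures that fired."""
    engine = Engine(SIGNATURES, inline=inline)
    decisions = [engine.process(p) for p in SAMPLE]
    return decisions, [name for name, _ in engine.alerts]
```

The second packet is the point of the flow table: its bytes are innocuous, but it belongs to a flow already flagged, so the in-line engine drops it without running the signature set at all, while the passive engine forwards it and stays silent.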
MYTH 3: Intrusion Prevention Is TCP Kills/Resets or Modify Firewall Rules by IDS

It is not hard to see where this myth came from. Take a look at the marketing literature of many traditional IDS products today and you may well see claims that they offer Intrusion Prevention features. Well, the only kind of prevention that can be provided by a passive IDS device is to send TCP Resets to both ends of the connection once a suspicious packet has been detected, or perhaps to reconfigure an external firewall or router device to ensure that the remainder of the flow is blocked at the network perimeter.

The problem here is that unless the attacker is operating on a 2400 baud modem, the likelihood is that by the time the IDS has detected the offending packet, raised an alert, and transmitted the TCP Resets, and especially by the time the two ends of the connection have received the Reset packets and acted on them (or the firewall or router has had time to activate new rules to block the remainder of the flow), the payload of the exploit has long since been delivered. Our guess is that there are not many crackers using 2400 baud modems these days.
A true IPS device, however, is sitting in-line: all the packets have to pass through it. Therefore, as soon as a suspicious packet has been detected, and before it is passed to the internal interface and on to the protected network, it can be dropped. Not only that, but now that flow has been flagged as suspicious, all subsequent packets that are part of that session can also be dropped with very little additional processing. Oh, and for good measure, it is also possible to send TCP Resets or ICMP Unreachable messages to the attacking host.
MYTH 4: Intrusion Prevention Is Losing Control Over Intrusion Detection and Response

By now, hopefully we have explained enough to show that this is simply not true. Providing the IPS device has been designed properly, it should actually offer more in the way of intrusion detection and response than any basic IDS product. With careful design, usually involving custom hardware and ASICs for the highest levels of performance when operating in in-line mode, the IPS device can provide detection capabilities that are every bit as good as the best passive IDS. In addition, only an in-line IDS can block all IP/ICMP/TCP/UDP-based malicious traffic from reaching the intended target hosts with complete reliability and/or scrub non-conforming packets to defeat many DoS or reconnaissance attempts.

Most customers wish to deploy the IDS in the Intrusion Detection mode (sniffing mode) initially and then migrate to the Intrusion Prevention mode (in-line mode).

III. Implementation Challenges

There are a number of challenges to implementing an IPS device that do not have to be faced when deploying passive-mode IDS products. These challenges all stem from the fact that the IPS device is designed to work in-line, presenting a potential choke point and single point of failure. If a passive IDS fails, the worst that can happen is that some attempted attacks may go undetected. If an in-line device fails, it can seriously impact the performance of the network. Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case you have a self-inflicted Denial of Service condition on your hands. On the bright side, there will be no attacks getting through! But that is of little consolation if none of your customers can reach your e-commerce site.

Even if the IPS device does not fail altogether, it still has the potential to act as a bottleneck, increasing latency and reducing throughput as it struggles to keep up with up to a Gigabit or more of network traffic. Devices using off-the-shelf hardware will certainly struggle to keep up with a heavily loaded Gigabit network, especially if there is a substantial signature set loaded, and this could be a major concern for both the network administrator, who could see his carefully crafted network response times go through the roof when a poorly designed IPS device is placed in-line, as well as the security administrator, who will have to fight tooth-and-nail to have the network administrator allow him to place this unknown quantity amongst his high performance routers and switches.

Dropped packets are also an issue, since if even one of those dropped packets is one of those used in the exploit data stream it is possible that the entire exploit could be missed. Most high-end IPS vendors will get around this problem by using custom hardware, populated with advanced FPGAs and ASICs; indeed, it is necessary to design the product to operate as much as a switch as an intrusion detection and prevention device.

It is very difficult for any security administrator to be able to characterize the traffic on his network with a high degree of accuracy. What is the average bandwidth? What are the peaks? Is the traffic mainly one protocol or a mix? What is the average packet size and the level of new connections established every second, both critical parameters that can have detrimental effects on some IDS engines? If your IPS hardware is operating on the edge, all of these are questions that need to be answered as accurately as possible to prevent performance degradation. However, if the IPS device is rated at Gigabit wire speeds and beyond, none of this matters: simply drop the device in-line, safe in the knowledge that all normal traffic will pass through transparently.
Another potential problem is the good old false-positive. The bane of the security administrator's life (apart from the script kiddie, of course!), the false-positive rears its ugly head when an exploit signature is not crafted carefully enough, such that legitimate traffic can cause it to fire accidentally. While merely annoying in a passive IDS device, consuming time and effort on the part of the security administrator, the results can be far more serious and far-reaching in an in-line IPS appliance. Once again, the result is a self-inflicted Denial of Service condition, as the IPS device first drops the offending packet, and then blocks the entire data flow from the suspected hacker. If the traffic that triggered the false-positive alert was part of a customer order, you can bet that the customer will not wait around for long as his entire session is torn down and all subsequent attempts to reconnect to your e-commerce site (if he decides to bother retrying at all, that is) are blocked by the well-meaning IPS.

In some respects, performance and detection capabilities are the least of the problems facing the administrator tasked with deploying these devices. The problem with any Gigabit IPS/IDS product is, by its very nature and capabilities, the amount of alert data it is likely to generate. On such a busy network, how many alerts will be generated in one working day? Or even one hour? Even with a relatively low alert rate of ten per second, you are talking about 36,000 alerts every hour. That is 864,000 alerts each and every day. The ability to tune the signature set accurately is essential in order to keep the number of alerts to an absolute minimum. Once the alerts have been raised, however, it then becomes essential to be able to process them effectively. Advanced alert handling and forensic analysis capabilities, including detailed exploit information and the ability to examine packet contents and data streams, can make or break a Gigabit IDS/IPS product.

IV. Requirements for Effective Prevention

OK, having pointed out the potential pitfalls facing anyone deploying these devices, what features are we looking for that will help us to avoid such pitfalls?

In-line operation: Only by operating in-line can an IPS device perform true protection, discarding all suspect packets immediately and blocking the remainder of that flow.

Fine-grained granularity and control: Fine-grained granularity is required in terms of deciding exactly which malicious traffic is blocked. The ability to specify traffic to be blocked by attack, by policy, or right down to individual host level is vital. In addition, it may be necessary to only alert on suspicious traffic for further analysis and investigation.

Unquestionable detection accuracy: It is imperative that the quality of the signatures is beyond question, since false-positives can lead to a Denial of Service condition. The user MUST be able to trust that the IDS is blocking only the user-selected malicious traffic. New signatures should be made available on a regular basis, and applying them should be quick (applied to all sensors in one operation via a central console) and seamless (no sensor reboot required).

Advanced alert handling and forensic analysis capabilities: Once the alerts have been raised at the sensor and passed to a central console, someone has to examine them, correlate them where necessary, investigate them, and eventually decide on an action. The capabilities offered by the console in terms of alert viewing (real-time and historic) and reporting are key in determining the effectiveness of the IPS product.

Reliability and availability: Should an in-line device fail, it has the potential to close a vital network path and thus, once again, cause a DoS condition. An extremely low failure rate is thus very important in order to maximize up-time, and if the worst should happen, the device should provide the option to fail open or support fail-over to another sensor operating in a fail-over group (see below). In addition, to reduce downtime for signature and protocol coverage updates, an IPS must support the ability to receive these updates without requiring a device reboot. When operating in-line, sensors rebooting across the enterprise effectively translate into network downtime for the duration of the reboot.

High performance: Packet processing rates must be at wire speed under real-life traffic conditions, and the device must meet the stated performance with all signatures enabled. Headroom should be built into the performance capabilities to enable the device to handle any increases in size of signature packs that may occur over the next three years.

Low latency: When a device is placed in-line, it is essential that its impact on overall network performance is minimal. Packets should be processed quickly enough such that the overall latency of the device is as close as possible to that offered by a Layer 4 device such as a firewall or load-balancer.

Resilience: Active-Active stateful fail-over with cooperating in-line sensors in a fail-over group will ensure that the IPS device does not become a single point of failure in a critical network deployment.

V. Path to Prevention

As we mentioned earlier in this paper, a well-designed IPS appliance would allow an administrator to progress from working in pure IDS mode to pure IPS mode in a number of easy-to-handle phases.

Phase I (Detection/No Prevention): The device operates in passive IDS mode connected to a switch SPAN port or tap device in order to monitor traffic. Multiple ports on the IPS appliance would allow it to monitor multiple segments with a single device, simplifying deployment and management. This stage offers intrusion detection only, with no prevention.

Phase II (In-line Detection/No Prevention): One pair of ports is combined, one designated internal and one external, in order to provide an in-line capability. Although the device is in-line, we are still operating in pure detection mode, with none of the policies configured to block traffic. This offers little practical advantage over phase one in terms of detection/prevention capabilities, though it does provide a degree of comfort to the administrator that normal traffic is being passed unmolested. The one advantage that is offered by this mode of deployment is that all traffic passing through the device is protocol-scrubbed, ensuring that it complies with the relevant RFCs and acceptable practices and that no strange evasion or obfuscation techniques are being used. In addition, the security and the networking teams build confidence about the device's ability to support network and business applications without introducing new troubleshooting issues or failures.

Phase III (Detection and Selective Prevention): Once in-line mode has been verified to be working correctly, the administrator can monitor the alert logs to determine the effectiveness of the intrusion detection policies. Initially, he may wish to select a subset of the most serious signatures, those which he is sure are not subject to false-positive triggers, and enable blocking on those signatures alone. The device can be run for some time in this mode, with prevention being provided on the most serious exploits, and full detection capabilities operating on all others. If the product has been designed correctly, it should continue to offer complete intrusion detection capabilities even when operating in partial IPS mode. Further, the administrator can also flexibly configure selective blocking for incoming exploits before proceeding to block outgoing attacks.

Phase IV (Detection and Broad Prevention): Having proved the effectiveness of the device and tuned the security policies over time, the administrator can feel confident in switching on blocking for all signatures except for those which have proven to be susceptible to false-positives. These remaining signatures will either be disabled completely or will remain in a detection-only state where it is deemed that there is still sufficient risk of genuine attack traffic which may trigger those signatures. In all other respects, the device is operating in full prevention mode, discarding all suspicious packets immediately and blocking the subsequent data flows.
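As an added example that is not from the white paper or from any McAfee product, the Phase III and Phase IV decisions can be driven from what the detection-only phases produced. The script below takes a constructed alert log in which an analyst has marked each alert true or false, counts false positives per signature, and returns the blocking policy for a given phase (numbered 1 to 4 for I to IV): only high-severity signatures with no false positives block in Phase III; in Phase IV every signature with no false positives blocks, a signature that has produced nothing but false positives is disabled, and a mixed one is left in detection-only state. The signature names, severities and verdicts are all constructed, as is the rule that uses the 'high' severity label as the Phase III cut-off.

```python
# Constructed alert log from detection-only operation:
# (signature name, configured severity, analyst verdict).
ALERTS = [
    ("web-cmd-injection", "high", "true"),
    ("web-cmd-injection", "high", "true"),
    ("smtp-banner-overflow", "high", "true"),
    ("port-scan", "low", "true"),
    ("port-scan", "low", "true"),
    ("http-long-uri", "medium", "false"),   # a legitimate application uses long URIs
    ("http-long-uri", "medium", "true"),
    ("dns-large-txt", "medium", "false"),   # only ever fired on legitimate traffic
]


def signature_stats(alerts):
    """Per signature: severity, alert count, confirmed false positives."""
    stats = {}
    for name, severity, verdict in alerts:
        s = stats.setdefault(name, {"severity": severity, "alerts": 0, "false": 0})
        s["alerts"] += 1
        if verdict == "false":
            s["false"] += 1
    return stats


def phase_policy(alerts, phase):
    """Return {signature: action} for the requested deployment phase.

    Phases 1 and 2: detection only, everything 'alert'.
    Phase 3: 'block' only for high-severity signatures with no false
             positives; everything else stays 'alert'.
    Phase 4: 'block' for every signature with no false positives; a
             signature that has only ever produced false positives is
             'disable'd, a mixed one stays 'alert' (detection-only).
    """
    policy = {}
    for name, s in signature_stats(alerts).items():
        if phase <= 2:
            action = "alert"
        elif phase == 3:
            action = "block" if s["severity"] == "high" and s["false"] == 0 else "alert"
        elif s["false"] == 0:
            action = "block"
        elif s["false"] == s["alerts"]:
            action = "disable"
        else:
            action = "alert"
        policy[name] = action
    return policy


def blocked_signatures(alerts, phase):
    """Sorted names of the signatures that would block in the given phase."""
    return sorted(n for n, a in phase_policy(alerts, phase).items() if a == "block")
```

The verdict column is the expensive part in practice: it only exists because someone examined the alerts produced in Phases I and II, which is why the paper treats alert handling and forensic capability as a prerequisite for prevention rather than an afterthought.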
Once the administrator has gained the confidence to switch on the broadest possible blocking in in-line mode there are a number of benefits to be gained:

The attack is prevented from reaching the target host, which not only avoids the inconvenience of downtime on the target host, but also avoids the need for post-attack incident analysis and clean-up.

The administrator can immediately turn on in-line blocking for a newly discovered attack, thus giving the security staff enough time to patch the vulnerable hosts.

Minimize downtime for mission-critical hosts and applications: potential attacks and DoS attempts will never actually reach the target hosts.

Prevent IDS evasion and OS fingerprinting through Protocol Scrubbing (Protocol Normalization): the administrator can be sure that all traffic which passes through the IPS device onto the internal network conforms exactly to the appropriate RFCs or acceptable practices for that protocol.

With prevention in place, administrators can perform further trend and forensic analysis on various alerts in forensic logs to continuously enhance the security posture of the organization.

VI. McAfee IntruShield Approach

In order to handle multiple segments of traffic at Gigabit wire speeds the McAfee IntruShield sensors make extensive use of dedicated, purpose-built, proprietary hardware that provides the performance required to accurately detect and then prevent network intrusions at wire-speed without packet loss. IntruShield has been designed and built from the ground up as an Intrusion Prevention System.

Almost every task undertaken by IntruShield systems benefits from hardware acceleration. For example, IntruShield's signature processing capabilities require hardware to accelerate repetitive signature detection tasks, such as string matches. As a result, the IntruShield architecture can theoretically support thousands of attack signatures at multi-gigabit data rates, and at the same time continue to detect and prevent first-strike and Denial of Service assaults.

Unlike most IDS sensors, which work purely in promiscuous mode (100Mbit) or which are designed to be connected directly to a SPAN port or tap (Gigabit), IntruShield offers multiple methods of monitoring traffic:

SPAN or Hub Mode: IntruShield sensors can connect to the SPAN port of a switch or to a port on a hub, thus operating in port mirroring mode. When monitoring through use of SPAN or a hub, the I-2600's internal tap is disabled. The I-2600 can monitor up to eight SPAN connections, while the I-4000 can monitor up to four.

Tap Mode: The I-2600 has six 10/100 ports, each with internal full-duplex taps. The I-2600 also has two GBIC ports, which require external taps. Two wire-matched ports, called a port pair, operate together to enable full-duplex transmission, and the internal taps fail open, that is, traffic continues to flow if the sensor fails. The I-2600 can process up to 600 Mbps of aggregate traffic. The I-4000 sensor in external tap mode works the same way as the I-2600 in external tap mode, and the sensor can receive 1Gbps of traffic from each tap port. Up to 2 Gbps of aggregate traffic can be processed by the IDS engine.

Port Clustering: This allows traffic monitored by multiple ports on a single IntruShield system to be aggregated into one traffic stream for state and intrusion analysis. This feature is especially useful in environments with asymmetric routing, where request and response packets may traverse separate network paths. A single IntruShield system can monitor multiple links and maintain accurate and complete state information.

In-line Mode: When placed directly in the path of a network segment, the I-4000 sensor processes up to 2Gbps of aggregate traffic for security violations in real time. Traffic passes through the detection engine, is checked, and is then sent back to the network. The four-port I-4000 can monitor two full-duplex segments in in-line mode.

With DoS attacks, the sensor is automatically in learning mode by default, allowing it to monitor the normal network traffic for a period of time so that it is able to determine what constitutes an abnormal flood. For those administrators who would prefer to have more manual control over the DoS detection process, it is also possible to switch to threshold mode, where the administrator can set the threshold level and interval for individual DoS attacks. Sophisticated administrators can also enable learning-based and threshold-based detections simultaneously to achieve the best trade-off between accuracy and coverage.
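The two DoS detection modes just described, as an added example that is not the IntruShield implementation and not from the white paper: a learning detector that fixes a baseline from the first intervals it sees and then fires on counts well above it, a threshold detector with an administrator-set limit over a fixed interval, and a driver that runs either or both over a constructed series of per-second SYN counts. The counts, the 20-second learning window, the k-sigma margin and the 1000-per-3-seconds threshold are all constructed values.

```python
from statistics import mean, pstdev

# Constructed SYN counts per one-second interval: 20 s of normal traffic
# for the learning window, then a flood building up over the last 5 s.
COUNTS = [48, 52, 50, 47, 55, 49, 51, 53, 46, 50,
          52, 48, 50, 54, 49, 51, 47, 53, 50, 49,
          60, 70, 400, 900, 1200]


class LearningDetector:
    """Learning mode: observe `learn` intervals of normal traffic, then
    treat anything above mean + k * stddev of that baseline as a flood."""

    def __init__(self, learn=20, k=6.0):
        self.learn, self.k = learn, k
        self.baseline = []
        self.limit = None

    def observe(self, count):
        if self.limit is None:
            self.baseline.append(count)
            if len(self.baseline) == self.learn:
                self.limit = mean(self.baseline) + self.k * pstdev(self.baseline)
            return False          # still learning, no verdict yet
        return count > self.limit


class ThresholdDetector:
    """Threshold mode: the administrator sets an absolute limit over an
    interval of `interval` seconds; fire when the window sum exceeds it."""

    def __init__(self, threshold, interval=3):
        self.threshold, self.interval = threshold, interval
        self.window = []

    def observe(self, count):
        self.window.append(count)
        if len(self.window) > self.interval:
            self.window.pop(0)
        return sum(self.window) > self.threshold


def detect(counts, learning=None, threshold=None):
    """Feed the counts through whichever detectors are supplied and
    return the indices of intervals on which at least one of them fired."""
    fired = []
    for i, c in enumerate(counts):
        verdicts = []
        if learning is not None:
            verdicts.append(learning.observe(c))
        if threshold is not None:
            verdicts.append(threshold.observe(c))
        if any(verdicts):
            fired.append(i)
    return fired
```

On this series the learning detector fires two seconds before the fixed threshold does, because its limit is relative to the quiet baseline, while the threshold detector needs no learning period and its behaviour is fully predictable to the administrator; running both gives the union of the two verdicts, which is the accuracy-versus-coverage trade-off the paper refers to. The learning detector also shows the weakness of the mode: if the flood is already under way during the learning window, the baseline absorbs it.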

A single appliance can also support hybrid deployment modes. For example, an I-2600 deployed at the network perimeter could be in full-duplex tap mode and alerting on two pairs of ports (outside firewall and DMZ) and configured to be in-line and selectively blocking worms inside the private LAN.

Management is extremely flexible and scalable, and the Admin Domains and User Roles features make it easy to delegate the most fine-grained control across the largest organization. Policy definition is also flexible, with a rule-based system allowing for definition of extremely complex policies, which can then be deployed to all sensors across a corporate network in a single operation. Once policies have been activated, the Java-based console provides advanced alert handling and forensic analysis capabilities too.

Multiple ports can be combined or configured to perform different tasks, providing unprecedented deployment flexibility and allowing the IntruShield sensors to easily handle multiple Gigabit segments. Another area which demonstrates the unparalleled flexibility of IntruShield is in the use of Virtual IDS (VIDS). Up to 1000 VIDS can be defined across all the ports on the device, and each one can be assigned a unique policy if required. VIDS can be defined based on a block of IP addresses (a CIDR block), or on one or more VLAN tags. IntruShield sensors can process these segments of data and apply multiple traffic policies for the multiple subnets transmitting across a single wire, right down to policies protecting individual hosts.
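The policy selection that VIDS definitions imply, as an added example that is not IntruShield code and not from the white paper: a table of virtual sensors keyed by CIDR block or VLAN tag, compiled so that the most specific prefix wins (a /32 entry is how one host gets its own policy), and a lookup that returns the policy a packet falls under. The table, the policy names and the precedence rule (VLAN-tag entry first, then longest prefix, then a sensor-wide default) are constructed; the paper does not state how overlapping definitions are ordered.

```python
import ipaddress

# Constructed VIDS table: (selector, policy). A selector is a CIDR block
# (a /32 gives a single host its own policy) or a VLAN tag "vlan:NNN".
VIDS = [
    ("10.1.0.0/16", "corp-lan-default"),
    ("10.1.20.0/24", "dmz-web"),
    ("10.1.20.7/32", "database-host"),
    ("vlan:300", "guest-wifi"),
]
SENSOR_DEFAULT = "sensor-default"


def compile_vids(table):
    """Split the table into prefix entries (longest prefix first, so the
    most specific block wins) and a VLAN-tag lookup."""
    nets, vlans = [], {}
    for selector, policy in table:
        if selector.startswith("vlan:"):
            vlans[int(selector[len("vlan:"):])] = policy
        else:
            nets.append((ipaddress.ip_network(selector), policy))
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets, vlans


def select_policy(dst_ip, vlan=None, table=VIDS):
    """Pick the policy for a packet. Assumed precedence (the paper states
    none): an explicit VLAN-tag VIDS wins, then the longest matching
    CIDR block on the destination address, then the sensor-wide default."""
    nets, vlans = compile_vids(table)
    if vlan in vlans:
        return vlans[vlan]
    addr = ipaddress.ip_address(dst_ip)
    for net, policy in nets:
        if addr in net:
            return policy
    return SENSOR_DEFAULT
```

Compiling the table on every lookup is fine for an illustration; a sensor would compile once and use a prefix tree, but the ordering rule, not the data structure, is what decides which policy a packet for 10.1.20.7 receives.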
IntruShield supports fail-open, Active-Active stateful failover to deliver high reliability and availability. The IntruShield sensors can also take advantage of new signature updates without the need for a sensor reboot, and without losing state or terminating existing flows. Attack coverage has been proven in several independent tests to be one of the broadest and most accurate available in an IPS device, allowing IntruShield to function as a pure IDS device if required, with an extremely high recognition rate. The accuracy and scope of the signatures also enable the security administrator to have a high degree of confidence in IntruShield's operation in IPS mode.

The IntruShield IDS system supports wire-speed performance in high-speed networks without packet loss. Several independent IDS tests have validated the ability of the IntruShield 4000 to sustain multi-gigabit data throughput. In addition, the IntruShield sensors have very low latency (in the order of microseconds) when deployed in real-life networks.

IntruShield also provides a solution for every budget. Starting with the I-2600 at just $5,000 per port, the ability to support multiple ports and monitor multiple 100Mbit or Gigabit segments using a single device brings the per-port cost down to prices which rival that of almost any competing product in this marketplace.

In summary, the award-winning next-generation IntruShield IDS:

Dispels the myths about intrusion prevention and provides a pragmatic approach to intrusion detection and prevention

Overcomes the implementation challenges with a purpose-built appliance designed to address the limitations of legacy IDS

Delivers on the effective requirements for intrusion prevention with accurate detection, comprehensive attack coverage, fine-grained policy control per attack and target

Uniquely provides a seamless path to intrusion prevention in multiple phases to enable administrators to obtain a security ROI with ease and confidence

VII. About McAfee Network Protection Services

McAfee Network Protection Solutions keep both large
and smaller distributed networks up and protected
from attacks. Best-of-breed network protection solutions in the portfolio include the Sniffer Network
Protection Platform for performance management and
fault identification, InfiniStream performing security
forensics on network activity, Network Performance
Orchestrator (nPO) for centralizing and managing
network activity, and McAfee IntruShield delivering
network-based intrusion prevention.

VIII. About Network Associates

With headquarters in Santa Clara, Calif., Network
Associates, Inc. (NYSE: NET) creates best-of-breed
computer security solutions that prevent intrusions on
networks and protect computer systems from the
next generation of blended attacks and threats.
Offering two families of products (McAfee System
Protection Solutions, securing desktops and servers,
and McAfee Network Protection Solutions, ensuring
the protection and performance of the corporate
network), Network Associates offers computer security to large enterprises, governments, small and
medium sized businesses, and consumers. These two
product portfolios incorporate Network Associates'
leading McAfee, Sniffer, and Magic Solutions product
lines. For more information, Network Associates can
be reached at 972-963-8000 or on the Internet at
http://www.networkassociates.com/

McAfee IntruShield

Comment by Bob Walder, Director, The NSS Group

McAfee IntruShield, a part of Network Associates'
McAfee Network Protection Solutions family of products, is a unique cutting-edge technology that prevents
intrusions on the wire before they hit critical
systems. Highly automated and easily managed,
McAfee IntruShield is designed with such flexibility
that it can be implemented in a phased approach (one that
overcomes the false positives inherent in today's
legacy intrusion detection systems) and thus enables
you to develop the right policy for blocking in your
unique IT infrastructure. For example, you can deploy
in-line to notify and block known attacks, and to notify only on unknown attacks. Or you can implement
complete blocking but just for business-critical
network segments. IntruShield is delivered in a high-speed appliance which is able to scan traffic and
assess threat levels with blinding speed, even on gigabit networks. It can be used at the edge or in front of
key core resources. IntruShield has been crafted to
satisfy both the security and network administrators as
it stops a wide range of network attacks but does so
with network latencies typically less than 10 milliseconds. IntruShield also looks for anomalous behavior
and includes specialized analysis to find new denial of
service mass attacks.

This is a very interesting marketplace and things are
moving very quickly indeed. No sooner have we
started to notice a broader adoption of Intrusion
Detection Systems (IDS) than we are already seeing
them referred to as legacy systems.


IDS vendors are fighting back, of course, by claiming
intrusion prevention capabilities of their own, and the
resulting marketing spin put on by both parties can
only serve to muddy the waters for the poor security
administrator tasked with determining which is the
best product for his or her environment. It is important
to remember, however, that IDS devices were never
designed with IPS in mind: they are detection
mechanisms, not prevention. It is a little harsh to beat
them up over an inability to prevent attacks; that's
like buying a pair of Wellington boots and then moaning
that they don't prevent your head from getting wet
in the rain!
Unless a device is placed in-line, it is extremely difficult to perform any kind of guaranteed prevention. In
most cases, sending TCP resets or reconfiguring firewalls are ineffective prevention mechanisms; by the
time the response has been completed the exploit
payload has probably been delivered. The only way to
stop a packet (and the rest of the data flow to which it
belongs) dead in its tracks is to operate in-line.
There are a number of features that we would consider
essential in a true IPS product. Probably the most
important is the ability to operate in in-line mode. This
may seem like a superfluous requirement given the
nature of the product, but since some IDS vendors are
claiming intrusion prevention capability in their
marketing campaigns (which turns out to be nothing
more than sending TCP reset commands across the
wire or reconfiguring a perimeter firewall), it is an
important distinction to make up front.
The problem with working in-line, of course, is that
there is always the potential to affect performance and
reliability of the rest of the network. If the IPS device
fails open, the worst that can happen is that you miss an
exploit; if it fails closed, you could cut off all external
access to and from your network completely. Reliability
is therefore essential. The IPS appliance must offer the
maximum up-time possible, and should not require a
reboot to apply signature updates. Given that it can
represent a single point of failure, it would be nice if it
offered some form of failover mechanism for those
sites that need guaranteed 100 percent availability.
As far as performance is concerned, the wish list
would have zero packet loss and zero latency at
the top. Zero packet loss under all normal loads is
essential, of course, if the device is not to run the risk
of missing exploit packets. Unfortunately, given the
amount of processing that these devices have to
perform for the majority of the packets passing through
them, increased latency is something we will have to
live with, but at least it should be kept to a minimum.
Finally, broad and accurate signature coverage is also
essential. Bear in mind that if you are going to place
your IPS device in-line and turn on the blocking mechanism, you had better be pretty confident that the
signatures you have deployed are not prone to false positives. If you do not want to run in blocking mode,
or if you want to block only a selected subset of signatures, then you still require a signature set that is
comprehensive enough to allow the device to operate
as an effective IDS.
There are other key requirements which are common
to both IPS and IDS devices, of course: a good alert
handling and reporting mechanism, centralized management and configuration, flexible policy definition and
deployment, and regularly updated signature sets, to
name but a few.
The NSS Group has produced a number of independent
group test reports on IDS and IPS technologies which
can be obtained via their Web site at www.nss.co.uk.
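The behaviour described in the IntruShield Approach section above and in the NSS Group comment that ends here (virtual sensors keyed by CIDR block or VLAN tag with host policies inside a subnet, blocking a selected subset of signatures in-line while only alerting on the rest, stopping the remainder of a blocked flow, and loading new signatures without discarding flow state) can be modelled in a few dozen lines. The following is an added example written for this page, not IntruShield code: the packet layout, policy format, precedence rule (a /32 host VIDS beats its enclosing block, any CIDR match beats a VLAN match), and the signatures and sample traffic are all constructed assumptions.

```python
"""Toy in-line IPS: virtual sensors (VIDS), per-policy blocking, hot signature updates.

Added example, not IntruShield code. Packet layout, policy format, the precedence
rule (host /32 beats its enclosing CIDR block, any CIDR match beats a VLAN match),
and the signatures and traffic below are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Set, Tuple, Union

FlowKey = Tuple[str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    vlan: Optional[int] = None  # 802.1Q tag, None when untagged

    def flow_key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport)


@dataclass
class Policy:
    name: str
    block: Set[str] = field(default_factory=set)  # signatures dropped in-line; others alert only
    block_all: bool = False                        # drop on any signature match


class InlineSensor:
    """vids: list of (selector, policy); a selector is an IPv4Network or a VLAN tag (int)."""

    def __init__(self, vids: List[Tuple[Union[IPv4Network, int], Policy]],
                 default: Policy, signatures: Dict[str, bytes]) -> None:
        self.vids, self.default = vids, default
        self.blocked_flows: Set[FlowKey] = set()      # flows already stopped dead
        self.alerts: List[Tuple[str, str, str]] = []  # (policy, signature, target)
        self.update_signatures(signatures)

    def update_signatures(self, signatures: Dict[str, bytes]) -> None:
        # Swap the compiled rule set in one assignment; blocked_flows is deliberately
        # left alone, so an update neither resets nor re-admits existing flows.
        self.signatures = {name: re.compile(pat) for name, pat in signatures.items()}

    def select_policy(self, pkt: Packet) -> Policy:
        # Longest-prefix CIDR match on the destination wins; otherwise fall back to VLAN tag.
        dst, best = ip_address(pkt.dst), None
        for sel, pol in self.vids:
            if isinstance(sel, IPv4Network) and dst in sel:
                if best is None or sel.prefixlen > best[0].prefixlen:
                    best = (sel, pol)
        if best is not None:
            return best[1]
        for sel, pol in self.vids:
            if isinstance(sel, int) and pkt.vlan == sel:
                return pol
        return self.default

    def process(self, pkt: Packet) -> str:
        """In-line decision for one packet: 'forward' or 'drop'."""
        key = pkt.flow_key()
        if key in self.blocked_flows:
            return "drop"  # the rest of a blocked flow never reaches the target
        policy = self.select_policy(pkt)
        for name, rx in self.signatures.items():
            if rx.search(pkt.payload):
                self.alerts.append((policy.name, name, pkt.dst))
                if policy.block_all or name in policy.block:
                    self.blocked_flows.add(key)
                    return "drop"
        return "forward"  # clean, or matched only alert-only signatures


def run_demo() -> Dict[str, object]:
    dmz = Policy("dmz", block={"http_traversal"})  # phased rollout: block one known attack, alert on the rest
    jewel = Policy("crown_jewel", block_all=True)   # business-critical host: block every match
    sensor = InlineSensor(
        vids=[(IPv4Network("10.1.0.0/16"), dmz), (IPv4Network("10.1.0.10/32"), jewel),
              (200, Policy("finance_vlan", block_all=True))],
        default=Policy("monitor_only"),             # pure IDS behaviour for everything else
        signatures={"http_traversal": rb"\.\./\.\./", "http_cmd_exe": rb"cmd\.exe"},
    )
    traffic = [  # constructed sample packets
        Packet("192.0.2.5", "10.1.2.3", 40000, 80, b"GET /../../etc/passwd HTTP/1.0"),  # drop
        Packet("192.0.2.5", "10.1.2.3", 40000, 80, b"GET /index.html HTTP/1.0"),        # drop: flow blocked
        Packet("192.0.2.6", "10.1.2.3", 40001, 80, b"GET /scripts/cmd.exe?/c+dir"),    # forward: alert only
        Packet("192.0.2.6", "10.1.0.10", 40002, 80, b"GET /scripts/cmd.exe?/c+dir"),   # drop: /32 wins
        Packet("192.0.2.7", "172.16.5.5", 40003, 80, b"GET /cmd.exe", vlan=200),       # drop: VLAN policy
        Packet("192.0.2.7", "172.16.9.9", 40004, 80, b"GET /cmd.exe", vlan=300),       # forward: monitor
    ]
    decisions = [sensor.process(p) for p in traffic]
    # Signature update without a restart: a rule is added, flow state survives.
    sensor.update_signatures({"http_traversal": rb"\.\./\.\./", "http_cmd_exe": rb"cmd\.exe",
                              "sql_union": rb"(?i)union\s+select"})
    decisions += [sensor.process(p) for p in [
        Packet("192.0.2.5", "10.1.2.3", 40000, 80, b"GET /still-here HTTP/1.0"),        # drop: state kept
        Packet("192.0.2.8", "10.1.2.3", 40005, 80, b"GET /q?id=1 UNION SELECT 1"),      # forward: alert only
        Packet("192.0.2.8", "10.1.0.10", 40006, 80, b"GET /q?id=1 UNION SELECT 1"),     # drop
    ]]
    return {"decisions": decisions, "alerts": sensor.alerts, "blocked_flows": len(sensor.blocked_flows)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry over from the text. The drop decision is taken before the packet is forwarded, so there is no race with the payload as there is with an out-of-band TCP reset; and the flow table is kept separate from the signature table, which is what lets a signature update land without terminating flows that are mid-stream or already blocked.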

All Network Associates products are backed by our PrimeSupport program and Network Associates Laboratories. Tailored to fit your company's needs,
PrimeSupport service offers essential product knowledge and rapid, reliable technical solutions to keep you up and running. Network Associates Laboratories, a
world leader in information systems and security, is your guarantee of the ongoing development and refinement of all our technologies.

Network Associates, Sniffer, McAfee, Magic Solutions, Network Performance Orchestrator, nPO, InfiniStream, IntruShield, VIDS, and PrimeSupport are registered
trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer brand products are made only by Network
Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2003 Networks Associates
Technology, Inc. All Rights Reserved.


6-avd-ins-ids-002-1003
