Next Generation Intrusion Detection Systems (IDS) McAfee Network Protection November 2003 White Paper www.mcafeesecurity.com



Table of Contents

I. Introduction 3
II. The Need for IDS 3
III. Understanding IDS 4
  Signature Detection 4
  Anomaly Detection 4
  Denial of Service (DoS) Detection 4
IV. IDS Challenges Today 5
V. Introducing McAfee IntruShield Security Architecture 6
  Capture 7
VI. Stateful Analysis 8
  IP Defragmentation and TCP Stream Reassembly 8
  Protocol Analysis 8
  Traffic Normalization 8
VII. Signature, Anomaly, and Denial of Service Detection 8
  1. Signature Detection 9
  2. Anomaly Detection 9
  3. Denial of Service Detection 10
VIII. Detection Correlation 10
IX. Intrusion Prevention 10
X. Virtual IDS (VIDS) 11
XI. Hardware Acceleration 12
XII. Management and Control 12
XIII. Summary 12
XIV. About the Author 13
XV. About McAfee Network Protection Solutions 13
  McAfee IntruShield 13
XVI. About Network Associates 13


I. Introduction

Today, the network is the business. Driven by business needs, enterprises and government agencies have developed sophisticated, complex information networks, incorporating technologies as diverse as distributed data storage systems; encryption techniques; Voice over IP (VoIP); remote and wireless access; and Web services. These networks have become more permeable as business partners access services via extranets; customers interact with the network through e-commerce transactions or Customer Relationship Management (CRM) processes; and employees tap into company systems through Virtual Private Networks (VPN).

For hackers, these well-traveled paths make networks more vulnerable than ever before and—with relatively little expertise—hackers have significantly impacted the networks of leading brands or government agencies. Cyber crime is also no longer the prerogative of lone hackers or random attackers. Today disgruntled employees, unethical corporations, even terrorist organizations all look to the Internet as a portal to gather sensitive data and instigate economic and political disruption.

With networks more vulnerable and hackers equipped to cause havoc, it’s no surprise that network attacks are on the rise.

According to a 2001 report by Computer Security Institute (CSI) and the FBI, 70 percent of respondents acknowledged that their networks were attacked over the previous twelve months and 30 percent didn’t know whether their networks were attacked and couldn’t be sure! In addition, Denial of Service attacks increased by an astonishing 33 percent over the same period. And all this took place across networks, where firewalls had been installed in 90 percent of instances.

It’s clear that enterprises and government agencies need security vendors to step up and deliver innovative solutions that effectively protect their networks from malicious attacks and misuse.

Being introduced is the industry’s first realtime network intrusion prevention platform that takes Intrusion Detection Systems (IDS) to a new level. This integrated hardware and software platform is based on the company’s McAfee® IntruShield® architecture, which delivers comprehensive protection from known, first strike (unknown), and Denial of Service (DoS) attacks—at multi-gigabit speeds. IntruShield also provides the flexible management capabilities needed to administer the varied security policies required for the individual departments, diverse geographies, and separate functions that make up global businesses and vital government agencies.

This paper discusses the benefits of IDS products and the technologies that a next generation IDS must provide to deliver effective protection, and presents the capabilities of the IntruShield architecture.

II. The Need for IDS

When most people think of network security, they think “Firewall.” Firewalls are widely deployed as a first level of protection in a multi-layer security architecture, primarily acting as an access control device by permitting specific protocols (such as HTTP, DNS, SMTP) to pass between a set of source and destination addresses. Integral to access policy enforcement, firewalls usually inspect data-packet headers to make traffic-flow decisions. In general, they do not inspect the entire content of the packet and can’t detect or thwart malicious code embedded within normal traffic. It should be noted that routers also offer some rudimentary protection through packet-filtering processes.

While firewalls and router-based packet filtering are necessary components of an overall network security topology, they are insufficient on their own.

Network IDS products inspect the entire content of every packet traversing the network to detect malicious activity. This content inspection technique provides deeper packet analysis compared to a firewall or a router. Intrusion Detection Systems are effective when sophisticated attacks are embedded in familiar protocols, such as an HTTP session, which would normally pass undetected by a firewall. It’s not surprising that the processing power required for an Intrusion Detection System is an order of magnitude higher, when compared to a firewall product.

Permeable modern networks have made IDS products essential tools as security engineers strive to detect, analyze, and protect networks against malicious attack. As a result, IDS products are being deployed outside and inside firewalls and are quickly becoming mainstays in “best practice” secure network implementations.

III. Understanding IDS

IDS products can be split into broad categories—Host IDS and Network IDS products. Host IDS products protect an end system or network application by auditing system and event logs. Network IDS products can be deployed on the network, monitoring network traffic for attacks. A Network IDS can sit outside the firewall, on the demilitarized zone (DMZ), or anywhere inside the private network.

Typically Network IDS products focus their efforts around one of three areas—Signature Detection, Anomaly Detection, or Denial of Service (DoS) Detection.

Signature Detection

Protecting against known threats.

Hackers often attack networks through tried and tested methods from previously successful assaults. These attacks have been analyzed by network security vendors and a detailed profile, or attack signature, has been created. Signature detection techniques identify network assaults by looking for the attack “fingerprint” within network traffic and matching against an internal database of known threats. Once an attack signature is identified, the security system delivers an attack response, in most cases a simple alarm or alert. Success in preventing these attacks depends on an up-to-the-minute database of attack signatures, compiled from previous strikes. The drawback to systems that rely mainly, or only, on signature detection is clear: they can only detect attacks for which there is a released signature. If signature detection techniques are employed in isolation to protect networks, infrastructure remains vulnerable to any variants of known signatures, first-strike attacks, and Denial of Service attacks.

Anomaly Detection

Protecting against first strike or unknown threats.

Anomaly detection techniques are required when hackers discover new security weaknesses and rush to exploit the new vulnerability. When this happens there are no existing attack signatures. The “Code Red” virus is an example of a new attack, or first strike, which could not be detected through an available signature. In order to identify these first strikes, IDS products can use anomaly detection techniques, where network traffic is compared against a baseline to identify abnormal—and potentially harmful—behavior. These anomaly techniques are looking for statistical abnormalities in the data traffic, as well as protocol ambiguities and atypical application activity. Today’s IDS products do not generally provide enough specific anomaly information to prevent sophisticated attacks and, if used in isolation, anomaly detection techniques can miss attacks that are only identifiable through signature detection.

Denial of Service (DoS) Detection

Protecting against network and system overload.

The objective of DoS and Distributed DoS attacks is to deny legitimate users access to critical network services. Hackers achieve this by launching attacks that consume excessive network bandwidth or host processing cycles or other network infrastructure resources. DoS attacks have caused some of the world’s biggest brands to disappoint customers and investors as Web sites became inaccessible to customers, partners, and users—sometimes for up to twenty-four hours. IDS products often compare current traffic behavior with acceptable normal behavior to detect DoS attacks, where normal traffic is characterized by a set of pre-programmed thresholds. This can lead to false alarms or attacks being missed because the attack traffic is below the configured threshold.


No single technique or technology is the “magic bullet” to guarantee protection against current or future attacks.

In order to robustly protect enterprise and government networks against the complete spectrum of threats and vulnerabilities, all three methodologies must be employed—Signature Detection, Anomaly Detection, and Denial of Service Detection and Prevention.

Also, a next generation IDS must do more than detect attacks: it should enable accurate detection to prevent attacks from reaching and damaging critical network resources and data. Without this range of detection methods—and the performance to accurately prevent attacks—many IDS products are no more than a digital Maginot Line: while they may offer the illusion of protection, when real attacks come, defenses can be circumvented or overrun.

IV. IDS Challenges Today

Most of today’s IDS products are focused on Signature Detection and are designed for sub-100Mbps shared media network environments, employing detection capabilities introduced three to four years ago. IDS products have failed to keep up with the rapid advancement in switching and bandwidth growth and the increased sophistication of attacks—as well as their sheer volume. Current IDS products often operate in a monitoring-only mode, “sniffers,” which can detect attacks but cannot effectively and reliably block malicious traffic before the damage is done.

Network security managers deploying IDS products today face a number of challenges:

Incomplete attack coverage: IDS products typically focus on Signature, Anomaly, or Denial of Service detection. Network security managers have to purchase and integrate point solutions from separate vendors or leave networks vulnerable to attack.

Inaccurate detection: IDS products’ detection capabilities can be characterized in terms of accuracy and specificity. Accuracy is often measured in “true detection rate”—sometimes referred to as the “false-negative rate”—and the “false-positive rate.” The true detection rate specifies how successful a system is in detecting attacks when they happen. The false-positive rate tells us the likelihood that a system will misidentify benign activity as attacks. Specificity is a measure of how much detailed information about an attack is discovered when it is detected. IDS products today are lacking in both accuracy and specificity and generate too many “false-positives,” alerting security engineers of attacks when nothing malicious is taking place. In some cases, IDS products have delivered tens of thousands of “false-positive” alerts a day. There is nothing more corrosive to network vigilance than a jumpy security system, which is continually issuing false alarms.

Detection, not prevention: Systems concentrate on attack detection. Preventing attacks is a reactive activity, often too late to thwart the intrusion.

Designed primarily for sub-100Mbps networks: Solutions have simply not kept up with the speed and sophistication of network infrastructure and cannot accurately monitor higher-speed or switched networks.

Performance challenged: Software applications running on general purpose PC/server hardware do not have the processing power required to perform thorough analysis. These underpowered products result in inaccurate detection and packet dropping, even on low bandwidth networks.

Lack of high-availability deployment: Single port products are not able to monitor asymmetric traffic flows. Also, with networks becoming a primary mechanism to interact with customers and partners, forward-thinking organizations have developed back-up systems should their current infrastructure fail in any way. The inability of current IDS products to cope with server failovers renders them virtually useless for any mission-critical network deployment.


Poor scalability: Primarily designed for low-end deployments, today’s IDS products do not scale for medium and large enterprise or government networks. Here monitored bandwidth, the number of network segments monitored, the number of sensors needed, alarm rates, and the geographical spread of the network exceed system limits.

No multiple policy enforcement: Current products generally support the selection of only one security policy for the entire system, even though the product may monitor traffic belonging to multiple administrative domains—in an enterprise this could be the finance, marketing, or HR functions. This “one size fits all” approach is no longer acceptable for organizations that require different security policies for each function, business unit, or geography.

Require significant IT resources: IDS products today require substantial hands-on management—for example, the simple task of frequent signature updates can take up a lot of time and skilled engineering resources, delivering a very high total cost of ownership.

In response to these limitations, a new architecture that detects and prevents known, unknown, and Denial of Service attacks was developed for even the most demanding enterprise and government networks. The remainder of this paper will discuss the innovative technologies and capabilities of the IntruShield architecture.


V. Introducing McAfee IntruShield Security Architecture

The IntruShield architecture delivers realtime network intrusion prevention at multi-gigabit speeds. Comprehensive protection is delivered on an integrated, purpose-built platform that can scale across highly-available networks. The schematic below describes how IntruShield delivers the industry’s most robust Intrusion Detection System and redefines the network IDS space.

The IntruShield architecture consists of three major components: sensor system, management software, and the update server. Let’s look more closely at how the IntruShield architecture enables new functionality to be delivered in each of these components.


Capture

The IntruShield architecture enables sensor systems to capture network attacks in a number of ways:

Switched Port Analyzer (SPAN) and Hub Monitoring: Hub ports or SPAN ports from one or more network switches can be connected to the IntruShield system’s detection ports. Response actions such as resetting a TCP connection can often be injected by the sensors using the same port.

Tap Mode: Network communication is monitored in both directions of a full duplex Ethernet network link. By fully capturing all of the traffic on a link, a clearer understanding of the source and nature of the network attack can be delivered—and can provide the detailed information needed to thwart future attacks. This full-duplex monitoring capability allows IntruShield systems to maintain complete state information. Response actions include firewall reconfiguration or initiating a TCP reset through dedicated response ports.

In-Line Mode: IntruShield systems sit in the data path, with active traffic passing through them. The IntruShield system prevents network attacks by dropping malicious traffic in real time. Preventative action can be custom-defined at a highly granular level, including automated dropping of DoS traffic intended for a specific Web server. Wire speed prevention and highly available operation enable IntruShield system deployment in mission-critical environments.

Port Clustering allows traffic monitored by multiple ports on a single IntruShield system to be “aggregated” into one traffic stream for state and intrusion analysis. This feature is especially useful in environments with asymmetric routing, where request and response packets may traverse separate links. A single IntruShield system can monitor multiple links and maintain accurate and complete state information.


A single IntruShield system with multiple interfaces can offer comprehensive Perimeter Protection by monitoring all segments connected to the firewall in either full-duplex tap mode or in-line mode.

The IntruShield architecture also enables IDS systems to become integral to High Availability topologies (active-active or active-passive) and asymmetrically routed deployments. Here IntruShield systems can fail over to a hot standby.

VI. Stateful Analysis

With the IntruShield architecture delivering a rich set of capture capabilities, let’s look at the in-depth and intelligent analysis of the captured data. IntruShield systems enable stateful analysis of network traffic and packet reassembly.

IntruShield systems maintain complete state information—inspecting the entire content of the data packet—as it traverses the monitored network links. State information is captured and updated in real time. Maintaining state information enables sensors to gain context for attack detection, delivering higher accuracy of attack detection.

IP Defragmentation and TCP Stream Reassembly

Within this analysis IntruShield performs full IP defragmentation and TCP stream reassembly, emulating the traffic received by the end-systems being protected. This is important because hackers utilize attack techniques that fragment malicious code across multiple data packets and often reorder these packets to further evade detection. Once these packets reach their target the host reassembles the data and the malicious code does its damage. IntruShield reassembles these packets before they hit the intended target, providing new levels of protection.

Protocol Analysis

The IntruShield architecture enables detailed analysis of all major protocols, ensuring highly accurate attack detection rates. In addition to leveraging protocol analysis for buffer overflow detection—a major class of recent attacks—protocol parameters are also made available to write powerful and accurate user-defined signatures.

Traffic Normalization

In addition, the IntruShield architecture’s Traffic Normalization functionality—available when the system is operating in in-line mode—removes any traffic protocol ambiguities, meaning that the traffic being interpreted by IntruShield systems and the traffic received at the protected end-system are identical. IntruShield systems remove any traffic protocol ambiguities, protecting the end systems by cleaning up potentially harmful traffic in real time. Traffic normalization thwarts any attempts to evade the Intrusion Detection System while boosting attack detection accuracy. While operating in tap mode, IntruShield systems issue alerts when uncovering protocol ambiguities.

VII. Signature, Anomaly, and Denial of Service Detection

IntruShield’s architecture builds on its thorough attack analysis methodologies by adding the industry’s most comprehensive Signature, Anomaly, and Denial of Service detection techniques. This section looks in detail at how the IntruShield platform approaches each detection method.

1. Signature Detection

For Signature Detection, the IntruShield architecture’s innovative and patented technology combines a Stateful Signature Detection Engine, a sophisticated Signature Specification Language, "User-defined Signatures," and Realtime Signature Updates.

The architecture outlined below enables the delivery and the maintenance of the industry’s most complete and up-to-date Attack Signature Database.

Signature Specification Language

IntruShield’s architecture is bolstered by a proprietary high-level Signature Specification Language. IntruShield decouples signatures from application software and, in this unique architecture, signatures simply become table entries, which can be updated in real time using an intuitive user interface and used immediately by the Signature Engine.

Today’s IDS products often deliver new signatures via a software “patch”: slow to develop because it must be quality-assured against the entire IDS software application, and cumbersome to install because the system must be re-booted. On the other hand, IntruShield ensures that high-quality new signatures can be deployed quickly—without requiring system reset—by separating signatures from the sensor software. Decoupling signatures from sensor application code also allows signature writers to focus on the “art” of signature writing, rather than worry about building their signatures into an updated application patch.

Stateful Signature Detection Engine

The IntruShield architecture’s Signature Detection Engine employs powerful context-sensitive detection techniques that leverage state information within data packets, utilize multiple token matches, and hunt down attack signatures that span packet boundaries or arrive in an out-of-order packet stream.
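The three ideas just described (TCP stream reassembly, a consistent policy for ambiguous overlapping data, and matching a signature that spans packet boundaries) are easiest to see in a small working model. The following is an added example written for this page; it is not IntruShield code, whose detection engine and Signature Specification Language are proprietary. The signature name, the initial sequence number and the traffic are all constructed. It reassembles one direction of a TCP stream from out-of-order segments, resolves an overlapping segment by keeping the first-received bytes (one possible normalization policy), and then shows that a pattern split across two segments is missed by per-packet inspection but found in the reassembled stream.

```python
"""Toy stateful TCP reassembly and cross-segment signature matching.

Added example, not McAfee/IntruShield code. Signatures, ISN and traffic
are constructed for illustration.
"""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)

# Constructed signature database: name -> byte pattern.
SIGNATURES: Dict[str, bytes] = {
    "constructed-demo-sig-1": b"EVIL_PATTERN_ABC",
}


class Stream:
    """Per-connection state for one direction of a TCP stream."""

    def __init__(self, isn: int) -> None:
        self.isn = isn                  # initial sequence number (stream offset 0)
        self.data: Dict[int, int] = {}  # stream offset -> byte value

    def add(self, seq: int, payload: bytes) -> None:
        """Place a segment at its stream offset.

        Normalization policy: a byte already received for an offset is kept,
        so a later overlapping segment with different contents cannot change
        what the engine inspects.
        """
        start = seq - self.isn
        for i, value in enumerate(payload):
            off = start + i
            if off < 0:
                continue                # data before the ISN is ignored
            self.data.setdefault(off, value)

    def reassembled(self) -> bytes:
        """Contiguous bytes from offset 0 up to the first gap."""
        out = bytearray()
        off = 0
        while off in self.data:
            out.append(self.data[off])
            off += 1
        return bytes(out)


def match_signatures(data: bytes) -> List[str]:
    """Names of all signatures whose pattern occurs in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def per_packet_hits(segments: List[Segment]) -> List[str]:
    """Stateless matching: each payload is inspected on its own."""
    hits: List[str] = []
    for _seq, payload in segments:
        hits.extend(match_signatures(payload))
    return hits


def reassemble(isn: int, segments: List[Segment]) -> bytes:
    """Feed segments (in arrival order) into a Stream and return the contiguous data."""
    stream = Stream(isn)
    for seq, payload in segments:
        stream.add(seq, payload)
    return stream.reassembled()


def stream_hits(isn: int, segments: List[Segment]) -> List[str]:
    """Stateful matching: signatures are sought in the reassembled stream."""
    return match_signatures(reassemble(isn, segments))


# Constructed traffic for one client->server direction, ISN 1000.
# The pattern is split across two segments that arrive out of order, and a
# third segment overlaps the first with different bytes.
ISN = 1000
SEGMENTS: List[Segment] = [
    (1024, b"TERN_ABC HTTP/1.0\r\n"),     # second half arrives first
    (1000, b"GET /index.html EVIL_PAT"),  # first half, 24 bytes
    (1016, b"GOOD_PAT"),                  # overlaps stream offsets 16..23
]

if __name__ == "__main__":
    print("per-packet:", per_packet_hits(SEGMENTS))   # []
    print("stream:    ", stream_hits(ISN, SEGMENTS))  # ['constructed-demo-sig-1']
    print(reassemble(ISN, SEGMENTS))
```

The first-wins policy is only one of several that a real end host might apply; the point of normalization as the paper describes it is that the sensor and the protected host must agree on a single interpretation, and in in-line mode the sensor can enforce that agreement by rewriting or dropping the ambiguous segment.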

User-Defined Signatures

IntruShield empowers network security engineers to write custom signatures through an innovative Graphical User Interface (GUI) that can utilize specific fields and data obtained through the system’s protocol analysis capabilities, or state information gathered via IntruShield’s Analysis mechanisms.

Realtime Signature Updates

The IntruShield architecture powers management software that offers an innovative realtime Signature Update process, where new signatures made available by an Update Server can be pushed out across the network in a policy-controlled automated fashion, ensuring that networks are protected as soon as a new signature is created. The IntruShield architecture also allows the network engineers to make the decision on when and if to deploy the new signature across their networks. Because the IntruShield system does not require any hardware reset or reboot to leverage new signatures, they automatically kick in in real time.

2. Anomaly Detection

The IntruShield architecture’s comprehensive Signature Detection processes are complemented by a set of Anomaly Detection techniques that allow network engineers to thwart emerging threats or first-strike attacks and create a far-reaching set of Anomaly profiles, protecting the network against current threats and future attacks.

The IntruShield architecture delivers the industry’s most advanced and complete anomaly detection methodology—encompassing statistical, protocol, and application anomaly detection techniques. Example categories of anomaly/unknown attacks are new worms, intentionally stealthy assaults, and variants of existing attacks in new environments. Anomaly detection techniques can also help in thwarting denial of service attacks, where changes in service quality can be observed; and distributed DoS attacks, where traffic pattern changes (such as TCP control packet statistics) can be used by the IntruShield system to determine whether a data deluge is on the way. We’ll discuss Denial of Service attacks more in the following section.


Other areas that the IntruShield architecture’s anomaly detection techniques help guard against are buffer overflow attacks; backdoor malicious attacks installed via a Trojan or by an insider; stealthy scanning attacks that use low frequency, multiple launch points on the network and deliver normal looking packets; and insider violation of security policies, such as installing a game server or a music archive on the network.

3. Denial of Service Detection

The third pillar in IntruShield’s detection architecture is its sophisticated Denial of Service protection technologies.

Self-Learning and Threshold-Based Detection

The IntruShield architecture employs a combination of threshold-based detection and patented self-learning profile-based detection techniques that delivers intelligence to Denial of Service detection. With threshold-based detection, network security managers can utilize pre-programmed limits on data traffic to ensure servers will not become unavailable due to overload.

Meanwhile, self-learning methodologies enable the IntruShield architecture to study the patterns of network usage and traffic, understanding the wide variety of lawful, though unusual, usage patterns that may take place during legitimate network operations.

The combination of the two yields the highest accuracy of detection for a full spectrum of DoS attacks—including distributed Denial of Service attacks, when hundreds or even thousands of servers are co-opted by a malicious programmer to strike against an enterprise or government network.

IntruShield’s accurate DoS detection techniques are important because popular Web sites and networks do experience legitimate—and sometimes unexpected—traffic surges for a particularly compelling new program, service, or application.
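The contrast drawn in Section III (a fixed threshold misses attack traffic that stays below the configured limit) and the threshold-plus-learned-profile combination described in this section can be demonstrated with a few lines of code. What follows is an added example written for this page, not IntruShield's patented self-learning technique, about which the paper gives no detail; the "profile" here is simply the mean and standard deviation of per-second SYN counts over a known-good learning window, and every traffic figure is constructed. The block buckets event timestamps into per-second rates, applies a hard limit, applies the learned profile, and combines both verdicts.

```python
"""Threshold-based vs. learned-profile DoS detection on per-second rates.

Added example, not IntruShield code; all traffic figures are constructed.
"""
import statistics
from typing import Dict, List, Tuple

Profile = Tuple[float, float]  # (mean, population std dev) of the learned rate


def rates_per_second(timestamps: List[float]) -> List[int]:
    """Bucket event timestamps (seconds) into per-second counts, keeping empty seconds."""
    if not timestamps:
        return []
    first, last = int(min(timestamps)), int(max(timestamps))
    counts = [0] * (last - first + 1)
    for t in timestamps:
        counts[int(t) - first] += 1
    return counts


def threshold_alerts(rates: List[int], limit: int) -> List[int]:
    """Pre-programmed limit: indices of samples strictly above it."""
    return [i for i, r in enumerate(rates) if r > limit]


def learn_profile(training: List[int]) -> Profile:
    """Self-learning step: summarise a window of known-good traffic."""
    return statistics.fmean(training), statistics.pstdev(training)


def profile_alerts(rates: List[int], profile: Profile, k: float = 3.0) -> List[int]:
    """Indices of samples more than k standard deviations above the learned mean."""
    mean, sd = profile
    bound = mean + k * sd
    return [i for i, r in enumerate(rates) if r > bound]


def combined_verdicts(rates: List[int], limit: int, profile: Profile,
                      k: float = 3.0) -> Dict[int, str]:
    """Combine both techniques: 'threshold' when over the hard limit,
    otherwise 'profile' when outside the learned envelope."""
    verdicts: Dict[int, str] = {}
    for i in profile_alerts(rates, profile, k):
        verdicts[i] = "profile"
    for i in threshold_alerts(rates, limit):
        verdicts[i] = "threshold"
    return verdicts


# Constructed: SYN/sec toward one server during a quiet learning window
# (mean 100, population std dev about 5.25).
TRAINING = [95, 102, 98, 110, 90, 105, 100, 97, 103, 100]
# Constructed operator-chosen hard limit, set high to avoid false alarms.
HARD_LIMIT = 300
# Constructed live samples: a burst at index 2 and a modest rise at index 3
# that stays well under the hard limit.
LIVE = [100, 98, 400, 130, 104]

if __name__ == "__main__":
    prof = learn_profile(TRAINING)
    print("threshold:", threshold_alerts(LIVE, HARD_LIMIT))         # [2]
    print("profile:  ", profile_alerts(LIVE, prof))                # [2, 3]
    print("combined: ", combined_verdicts(LIVE, HARD_LIMIT, prof))  # {2: 'threshold', 3: 'profile'}
```

Index 3 is the case the paper warns about: 130 SYN/sec is far below the hard limit, so the threshold detector stays silent, yet it is almost six standard deviations above the learned mean. Conversely, if the learning window itself contained a legitimate surge, the profile widens and the same sample would not fire, which is why the paper pairs the learned profile with an explicit limit rather than relying on either alone.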

VIII. Detection Correlation

As we have seen, the IntruShield architecture enables numerous modes of operation that allow the system to capture malicious traffic; provides thorough attack analysis methodologies; and implements a complete set of intelligent Signature Detection, Anomaly Detection, and Denial of Service protection techniques.

The IntruShield architecture’s Detection Correlation layer connects the system’s Signature, Anomaly, and Denial of Service detection functionality—and this interdependence and cross-checking of suspicious traffic yields highly accurate attack detection.

A single IntruShield system—providing comprehensive protection by monitoring public, private, and DMZ segments of the firewall—can offer correlation among these segments to yield an accurate picture of network attacks that were either blocked by the firewall or made it into the private network.

IX. Intrusion Prevention

IntruShield’s architecture delivers the industry’s most accurate attack detection capabilities, forming the basis for the system’s attack response mechanisms. An IDS without adequate response capacity is of limited utility to network security managers. Modern IDS products must detect attacks and provide the means to deflect and stop malicious traffic.

The IntruShield architecture supplies network security managers with a full spectrum of manual and automatic response actions that can form the basis of an enterprise’s or government agency’s information technology security policies.


Upon detecting an attack, the IntruShield architecture enables the system to:

A. Drop Packets—Because the IntruShield architecture allows the IDS to work in in-line mode, it is able to drop or block a single packet, single session, or traffic flow between the attack source and destination in realtime, thwarting an attack in progress without affecting any other traffic.

B. Terminate Session—The IntruShield architecture allows for the initiation of TCP resets to targeted systems, attackers, or both. The network security engineer can configure reset packets to be sent to the source and/or destination IP address.

C. Modify Firewall Policies—The IntruShield architecture allows users to reconfigure network firewalls as an attack occurs by temporarily changing the user-specified access control policy while alerting the security manager.

D. Generate Alerts—The IntruShield architecture enables an Alert Filter that allows network security engineers to sift out alerts based on the source or the destination of the security event. For example, if the IT department executes vulnerability scans from one of its own IP addresses, events originating from that address can be filtered out.

E. Log Packets—Systems based on the IntruShield architecture capture and log packets prior, during, or subsequent to the attack and can redirect traffic to a spare system port for detailed forensic analysis. This packet information acts as a record of the actual flow of traffic that triggered the attack. When the data is viewed it is converted to libpcap format for presentation. Tools like Ethereal, a network protocol analyzer for UNIX and Windows, can be used to examine the packet log data for more detailed analysis of the detected event.
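Because item E names libpcap as the interchange format for logged packets, it is worth seeing how little that format involves. The block below is an added example written for this page, not IntruShield's logging code: it writes a classic little-endian pcap file (24-byte global header, then a 16-byte record header and the captured bytes per packet), reads it back, and checks the round trip. The frame bytes and timestamps are constructed and do not represent real traffic; a file produced this way opens in Ethereal or its successor Wireshark.

```python
"""Write and read a classic libpcap capture file.

Added example, not IntruShield code. Frame bytes and timestamps are constructed.
"""
import os
import struct
import tempfile
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1
# magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HEADER = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
RECORD_HEADER = struct.Struct("<IIII")

Packet = Tuple[float, bytes]  # (timestamp in seconds, frame bytes)


def pcap_global_header(snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """24-byte file header for a little-endian pcap 2.4 file."""
    return GLOBAL_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts: float, frame: bytes, snaplen: int = 65535) -> bytes:
    """One packet record; frames longer than snaplen are truncated but orig_len is kept."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = frame[:snaplen]
    return RECORD_HEADER.pack(sec, usec, len(captured), len(frame)) + captured


def write_pcap(path: str, packets: List[Packet], snaplen: int = 65535) -> None:
    with open(path, "wb") as fh:
        fh.write(pcap_global_header(snaplen))
        for ts, frame in packets:
            fh.write(pcap_record(ts, frame, snaplen))


def read_pcap(path: str) -> List[Packet]:
    """Parse a little-endian pcap 2.4 file back into (timestamp, frame) pairs."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, major, minor, _tz, _sig, _snap, _link = GLOBAL_HEADER.unpack_from(data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a supported pcap file")
    packets: List[Packet] = []
    off = GLOBAL_HEADER.size
    while off < len(data):
        sec, usec, incl_len, _orig = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        packets.append((sec + usec / 1_000_000, data[off:off + incl_len]))
        off += incl_len
    return packets


# Constructed frames: broadcast Ethernet header (dst, src, EtherType) plus a
# short payload. Not real traffic; timestamps are arbitrary.
_ETH = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
DEMO_PACKETS: List[Packet] = [
    (1_067_000_000.25, _ETH + b"demo-payload-1"),
    (1_067_000_000.50, _ETH + b"demo-payload-2"),
]


def roundtrip(packets: List[Packet] = DEMO_PACKETS) -> bool:
    """Write the packets to a temporary file, read them back, and compare."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, packets)
        return read_pcap(path) == packets
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("round trip ok:", roundtrip())   # True
```

Keeping orig_len separate from incl_len matters for forensics: a sensor that logs only the first N bytes of each frame still records how large the original packet was, which is what lets an analyst tell a truncated capture from a genuinely short packet.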

The IntruShield architecture’s response mechanisms will provide the basis for the product platforms that security managers need to develop a system of actions, alerts, and logs that provide optimum protection for complex contemporary networks.

X. Virtual IDS (VIDS)

In recognition of the complexity of today’s networks, IntruShield’s architecture allows for the creation of multiple Virtual Intrusion Detection Systems (VIDS™). Virtual IDS domains can be set up for specific departments, geographic locations, or functions within an organization. Security policies can then be set for each Virtual IDS, providing the flexibility modern organizations need when managing a diverse set of network users.

The IntruShield architecture’s Virtual IDS functionality can be implemented in three ways. Firstly, by attributing Virtual Local Area Network (VLAN) tag(s) to a set of network resources; secondly, by protecting a block of IP addresses utilizing Classless Inter-Domain Routing (CIDR) tags; and thirdly, by dedicating IntruShield system interfaces to protect the network resources in a particular department, geography, or organizational function.


CIDR-based VIDS implementation allows granularity down to an individual host level with a /32 mask. For example, DoS attacks can be identified and responded to with unique policies for individual hosts.
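The CIDR-based Virtual IDS described here, together with the source-based Alert Filter from Section IX, reduce to two lookups: a longest-prefix match of the destination against a table of CIDR blocks, each carrying its own policy, and a check of the source against a set of addresses whose events should be suppressed. The block below is an added example written for this page, not IntruShield's implementation; the domains, address blocks, SYN-rate limits, scanner address and events are all constructed. The /32 entry demonstrates the host-level granularity the paragraph mentions: the web server's own policy overrides the /16 it also belongs to.

```python
"""Longest-prefix CIDR lookup for per-domain (Virtual IDS) policy, plus a
source-based alert filter.

Added example, not IntruShield code. Addresses, domains, thresholds and
events are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNetwork = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    domain: str          # which Virtual IDS the traffic belongs to
    syn_limit: int       # constructed per-destination SYN/sec limit
    action: str          # response when the limit is exceeded


# Constructed VIDS table. The /32 entry overrides the /16 that the same host
# also falls in, because the longest matching prefix wins.
VIDS_TABLE: Dict[IPNetwork, Policy] = {
    ipaddress.ip_network("10.1.0.0/16"): Policy("finance", 500, "drop"),
    ipaddress.ip_network("10.2.0.0/16"): Policy("marketing", 2000, "alert"),
    ipaddress.ip_network("10.2.7.10/32"): Policy("marketing-web", 20000, "drop"),
}
DEFAULT_POLICY = Policy("default", 1000, "alert")

# Alert filter: events originating from the IT department's own scanner are
# suppressed (constructed address).
AUTHORISED_SCANNERS = frozenset({ipaddress.ip_address("10.9.9.9")})


def policy_for(address: str) -> Policy:
    """Longest-prefix match of address against the VIDS table."""
    ip = ipaddress.ip_address(address)
    best: Optional[Tuple[IPNetwork, Policy]] = None
    for net, pol in VIDS_TABLE.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, pol)
    return best[1] if best else DEFAULT_POLICY


def passes_filter(event: dict) -> bool:
    """False when the event's source is an authorised scanner."""
    return ipaddress.ip_address(event["src"]) not in AUTHORISED_SCANNERS


def evaluate(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Apply the filter, select each destination's policy, and report
    (destination, domain, action) for every event over its domain's limit."""
    results: List[Tuple[str, str, str]] = []
    for ev in events:
        if not passes_filter(ev):
            continue
        pol = policy_for(ev["dst"])
        if ev["syn_rate"] > pol.syn_limit:
            results.append((ev["dst"], pol.domain, pol.action))
    return results


# Constructed events: source, destination, observed SYN/sec toward destination.
EVENTS = [
    {"src": "203.0.113.5",  "dst": "10.2.7.10", "syn_rate": 5000},  # busy web server: within its own limit
    {"src": "203.0.113.5",  "dst": "10.2.7.11", "syn_rate": 5000},  # ordinary marketing host
    {"src": "10.9.9.9",     "dst": "10.1.4.4",  "syn_rate": 9000},  # internal scanner: filtered out
    {"src": "198.51.100.7", "dst": "10.1.4.4",  "syn_rate": 600},   # finance host
    {"src": "198.51.100.7", "dst": "10.3.0.1",  "syn_rate": 1500},  # no VIDS entry: default policy
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

The same rate produces different outcomes depending on which Virtual IDS the destination belongs to, which is exactly the per-department, per-host policy the paper argues a single system-wide policy cannot express.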

XI. Hardware Acceleration

The powerful functionality of the IntruShield architecture—from Capture through to the implementation of Virtual IDS—is made possible by dedicated, purpose-built, proprietary hardware that provides the performance required to accurately detect and then prevent network intrusions at wire-speed without packet loss. To be effective, IDS products must have at least an order of magnitude higher performance than even the most cutting-edge firewall systems.

Almost every task undertaken by IntruShield systems benefits from hardware acceleration. For example, IntruShield’s Signature Processing capabilities require hardware to accelerate repetitive signature detection tasks, such as string matches. As a result the IntruShield architecture can support thousands of attack signatures at multi-gigabit data rates—and at the same time continue to detect and prevent first strike and Denial of Service assaults.

It’s clear that today’s IDS products, many of which rely on software running on generic PC or server hardware, are not up to the task of detecting and preventing network intrusions.
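The string matching the paper singles out for hardware acceleration is the cost that grows with the signature count. The added example below (not IntruShield or McAfee code; the signature names, patterns and payload are constructed) shows the software-side technique that hardware matchers parallel: all signature strings are compiled into one Aho-Corasick automaton, so every payload byte is examined once no matter how many signatures are loaded, whereas the reference `naive_scan` walks the payload once per signature. Both report the same hits, including overlapping and nested signatures.

```python
"""Single-pass multi-signature matching (added example, not IntruShield code).

SignatureMatcher builds an Aho-Corasick automaton over all signature byte
strings; scan() then touches each payload byte once. naive_scan() is the
per-signature reference used to confirm the results agree. Signatures and
payload are constructed samples.
"""
from collections import deque


class SignatureMatcher:
    def __init__(self, signatures):
        self.goto = [{}]   # goto[state]: next byte -> next state
        self.fail = [0]    # longest proper suffix of this state that is a prefix
        self.out = [[]]    # signature names that end at this state
        for name, pattern in signatures.items():
            self._add_pattern(name, pattern)
        self._build_failure_links()

    def _add_pattern(self, name, pattern):
        state = 0
        for byte in pattern:
            if byte not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = len(self.goto) - 1
            state = self.goto[state][byte]
        self.out[state].append(name)

    def _build_failure_links(self):
        # Breadth-first, so fail[parent] is final before its children are set.
        queue = deque(self.goto[0].values())          # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # Inherit the suffix state's outputs so that a signature that
                # ends inside another one is still reported.
                self.out[s].extend(self.out[self.fail[s]])

    def scan(self, payload):
        """Return (signature, offset of last matched byte) for every hit."""
        hits = []
        state = 0
        for i, byte in enumerate(payload):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name in self.out[state]:
                hits.append((name, i))
        return hits


def naive_scan(signatures, payload):
    """Reference: one full pass over the payload per signature."""
    hits = []
    for name, pattern in signatures.items():
        for i in range(len(payload) - len(pattern) + 1):
            if payload[i:i + len(pattern)] == pattern:
                hits.append((name, i + len(pattern) - 1))
    return hits


# Constructed sample signatures; "dotdot" is nested inside "traversal" to
# exercise the output inheritance above.
SAMPLE_SIGNATURES = {
    "traversal": b"/../..",
    "dotdot": b"..",
    "script-tag": b"<script>",
}
SAMPLE_PAYLOAD = b"GET /a/../../x <script>"   # constructed request fragment


def demo(signatures=SAMPLE_SIGNATURES, payload=SAMPLE_PAYLOAD):
    """Hits from the automaton, sorted by offset then name."""
    return sorted(SignatureMatcher(signatures).scan(payload),
                  key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for name, end in demo():
        print(f"{name:12s} ends at byte {end}")
```

The automaton's cost per payload byte is independent of the number of loaded signatures (only of the transitions taken), which is the property that lets a matcher, in silicon or in software, hold thousands of signatures without the per-signature rescans of the naive loop.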

The system architecture outlined above delivers the core technology needed by network security engineers to protect network resources. As can be seen from the architecture diagram, the management and control features enabled by IntruShield allow engineers to impact and administer policies for all areas of attack detection and prevention.

XII. Management and Control

The IntruShield architecture makes management and control functions available via a secure, Web-based, highly-graphical administration tool. Role-based access controls allow network professionals within an organization to be granted different access privileges. The powerful, yet easy-to-use graphical tools provide scalable management—from performing routine administrative and reporting tasks to establishing network-wide security policies and administrative domains.

Environment Configuration allows network engineers to control security policies across the network, access environment profiles to understand the technology mix at a particular location, and set the best security regime for each administrative domain. Users can also control and add to the constantly updated Threat Database, where the latest attack signatures sit, along with those from previous known attacks as well as other attack profiles. Thanks to IntruShield’s architecture, engineers are able to perform Forensic Analysis by logging traffic and examining alerts. Attacks can be dissected for hard information on their source, capabilities, and intended target—and new signatures can be created from this valuable data. In addition, the IntruShield architecture’s Data Fusion functionality aggregates and correlates information from a wide variety of network assaults to provide managers with meaningful attack summaries, discerning the broad patterns of attack activity and providing a basis for an organization’s security policies. And lastly, IntruShield enables network engineers to have full control over a comprehensive Response System, allowing detailed management of alerts, user-defined actions, SNMP traps, and attack reports.
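The Data Fusion step described above turns individual alerts into attack summaries. As an added example of what that aggregation involves (this is not IntruShield code; the alert lines, thresholds, pattern labels and response mapping are all constructed), the block below groups alerts by source, summarizes breadth (distinct targets) against depth (distinct signatures) for each, labels the broad pattern, and maps the label to the kinds of response output the text lists (alerts, SNMP traps, attack reports):

```python
"""Alert fusion into per-source attack summaries (added example, not
IntruShield code). Alert lines, thresholds, labels and the response mapping
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    signature: str
    vids: str            # Virtual IDS domain that raised the alert


@dataclass
class SourceSummary:
    src: str
    alerts: int
    targets: int
    signatures: tuple
    domains: tuple
    first_seen: datetime
    last_seen: datetime
    pattern: str


# Constructed thresholds: many hosts with few signatures reads as a sweep;
# one host with varied signatures reads as a focused attempt.
SWEEP_MIN_TARGETS = 5
FOCUSED_MIN_SIGNATURES = 3

# Constructed mapping from pattern to the response outputs named in the text.
RESPONSES = {
    "sweep": ("alert", "snmp-trap"),
    "focused": ("alert", "snmp-trap", "attack-report"),
    "sporadic": ("alert",),
}


def classify(targets, signatures):
    if targets >= SWEEP_MIN_TARGETS and signatures <= 2:
        return "sweep"
    if targets == 1 and signatures >= FOCUSED_MIN_SIGNATURES:
        return "focused"
    return "sporadic"


def parse_alert(line):
    """Parse a constructed alert line: '<ISO ts> <src> <dst> <signature> <vids>'."""
    ts, src, dst, signature, vids = line.split()
    return Alert(datetime.fromisoformat(ts), src, dst, signature, vids)


def fuse(alerts):
    """Correlate alerts by source address into one SourceSummary per source."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    summaries = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a.ts)
        targets = {a.dst for a in items}
        sigs = tuple(sorted({a.signature for a in items}))
        domains = tuple(sorted({a.vids for a in items}))
        summaries[src] = SourceSummary(
            src, len(items), len(targets), sigs, domains,
            items[0].ts, items[-1].ts, classify(len(targets), len(sigs)))
    return summaries


def responses_for(summary):
    return RESPONSES[summary.pattern]


# Constructed alert records (documentation address ranges).
SAMPLE_ALERT_LINES = [
    "2003-11-05T10:00:01 198.51.100.9 10.0.1.1 icmp-echo-sweep dmz",
    "2003-11-05T10:00:02 198.51.100.9 10.0.1.2 icmp-echo-sweep dmz",
    "2003-11-05T10:00:03 198.51.100.9 10.0.1.3 icmp-echo-sweep dmz",
    "2003-11-05T10:00:04 198.51.100.9 10.0.1.4 icmp-echo-sweep dmz",
    "2003-11-05T10:00:05 198.51.100.9 10.0.1.5 icmp-echo-sweep dmz",
    "2003-11-05T10:00:06 198.51.100.9 10.0.1.6 icmp-echo-sweep dmz",
    "2003-11-05T10:05:00 198.51.100.23 10.0.2.5 http-long-uri web",
    "2003-11-05T10:05:10 198.51.100.23 10.0.2.5 http-null-byte web",
    "2003-11-05T10:05:20 198.51.100.23 10.0.2.5 http-cgi-probe web",
    "2003-11-05T10:07:00 192.0.2.77 10.0.3.3 smtp-relay-attempt mail",
]


def summarize_sample():
    return fuse([parse_alert(line) for line in SAMPLE_ALERT_LINES])


if __name__ == "__main__":
    for s in summarize_sample().values():
        span = (s.last_seen - s.first_seen).total_seconds()
        print(f"{s.src:15s} {s.pattern:9s} {s.alerts} alerts, {s.targets} targets, "
              f"{len(s.signatures)} signatures over {span:.0f}s -> {responses_for(s)}")
```

Ten raw alerts collapse to three lines an analyst can act on; the same grouping by destination, signature, or `vids` domain gives the other views a manager would want from an attack summary.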

Completing the IntruShield architecture is the Update Server. The Update Server, a high-availability server, automatically pushes out new signatures and system updates to the management systems at customer locations. Signature and system updates are then deployed within customer networks by security professionals using advanced tools provided within the IntruShield Management platform.

XIII. Summary

As we have seen, the threats against enterprise and government networks are real and growing. IDS products have been gaining ground as an appropriate response to known, first-strike, and denial of service attacks and have become an important tool complementing network firewalls. However, the permeable nature of complex and sophisticated networks—that bring customers, employees, business partners, and the general public in direct contact with network resources—has made networks more vulnerable to attack. The current generation of IDS products does not provide the breadth of detection techniques, or the accuracy and performance, to prevent network attacks from reaching their intended targets.

XIV. About the Author

Dr. Fengmin Gong is the Chief Scientist for the McAfee Network Security Technologies Group, where he is responsible for driving the continued innovation of IntruShield’s security architecture—leveraging his expertise in areas such as signature, anomaly, and denial of service detection. Before his work on IntruShield, Dr. Gong was Director of Advanced Networking Research at MCNC, a provider of sophisticated electronic and information technologies and services aimed at businesses and government agencies.

While at MCNC and earlier at Washington University, he was involved in advanced security and networking projects for agencies such as DARPA, NSA, NSF, NLM, and NASA. During his time at MCNC he was also Adjunct Assistant Professor of Computer Science at North Carolina State University.

In a distinguished academic and research career, Dr. Gong has written and contributed to nearly forty research papers on network intrusion, anomaly detection, secure collaboration, multi-media content delivery, and network quality of service. Dr. Gong has presented his research at industry events such as IEEE technical forums, as well as SIGGRAPH, DISCEX, NOMS, and ISCEX.

XV. About McAfee Network Protection Solutions

McAfee Network Protection Solutions keeps both large and smaller distributed networks up and protected from attacks. Best-of-breed network protection solutions in the portfolio include the Sniffer® Network Protection Platform for performance management and fault identification, InfiniStream™ performing security forensics on network activity, Network Performance Orchestrator™ (nPO™) for centralizing and managing network activity, and IntruShield delivering network-based intrusion prevention.

IntruShield

IntruShield, a part of Network Associates® McAfee Network Protection Solutions family of products, is a unique cutting-edge technology that prevents intrusions “on the wire” before they hit critical systems. Highly automated and easily managed, IntruShield is designed with such flexibility that it can be implemented in a phased approach—that overcomes the false-positives inherent with today’s legacy intrusion detection systems—and thus enables you to develop the right policy for blocking in your unique IT infrastructure. For example, you can deploy in-line to notify and block known attacks, and to notify-only on unknown attacks. Or you can implement complete blocking, but just for business-critical network segments. IntruShield is delivered in a high-speed appliance which is able to scan traffic and assess threat levels with blinding speed, even on gigabit networks. It can be used at the edge or in front of key “core” resources. IntruShield has been crafted to satisfy both the security and network administrators as it stops a wide range of network attacks but does so with network latencies typically less than 10 milliseconds. IntruShield also looks for anomalous behavior and includes specialized analysis to find new denial of service “mass attacks.”

XVI.About Network Associates

With headquarters in Santa Clara, Calif., Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products—McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network—Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. These two product portfolios incorporate Network Associates’ leading McAfee, Sniffer, and Magic Solutions® product lines. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/


McAfee Security 3965 Freedom Circle, Santa Clara, CA 95054, 408.988.3832 main

All Network Associates® products are backed by our PrimeSupport® program and Network Associates Laboratories. Tailored to fit your company’s needs, PrimeSupport service offers essential product knowledge and rapid, reliable technical solutions to keep you up and running. Network Associates Laboratories, a world leader in information systems and security, is your guarantee of the ongoing development and refinement of all our technologies.

Network Associates, Sniffer, McAfee, Magic Solutions, IntruShield, VIDS, and PrimeSupport are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2003 Networks Associates Technology, Inc. All Rights Reserved.

6-avd-ins-ids-002-1103