attacks. While firewalls provide a necessary first line of defense at the network perimeter,
intrusion prevention systems perform the deep inspection of traffic that is needed to block
unwanted threats.
The McAfee Network Security Platform (NSP) is an award-winning network intrusion
prevention system. NSP goes beyond traditional intrusion prevention, offering intuitive
security controls to protect against sophisticated, next-generation attacks.
On successful completion, you should be able to:
• Explain the evolution of network security, including the factors driving the need for
more advanced security solutions.
• Define the term network attack and identify attack types and detection methods.
• Describe common attack types.
• Explain the difference between an active and passive attack.
• Differentiate between a Network Intrusion Prevention System (NIPS) and a Host
Intrusion Prevention System (HIPS).
• Identify the key features of the McAfee Network Security Platform (NSP).
• Identify features and enhancements for this release.
• Identify the components in the NSP platform architecture, as well as the NSP Manager
architecture.
• Explain how NSP fits in the McAfee Security Connected model.
• Identify products with which NSP integrates for a next-generation security framework.
The network security landscape is ever-changing. In the early days of computing, networks
were proprietary, mostly local and outside. Access was connection-oriented and expensive.
Intruders required physical access or technical expertise to attack. The strategy to deter
intruders was to hire a security guard, put a sturdy lock on doors, and turn on an alarm.
Today, networks are open and span the globe. This provides flexibility and new business
opportunities, but also increased risk of destruction, theft, and malicious activity. You are
also challenged by a new generation of hackers, who can be broadly classified into the
following categories.
• State-sponsored hackers: These are hackers sponsored by corporations and nations
(not necessarily rogue). The purpose here is industrial or military espionage.
• Hacktivists: The purpose of these hackers is to retaliate against corporations or
government agencies; for example, for a policy, regulation, and so on.
• Cyber terrorists: These hackers are ideology-driven but sponsored by rogue nation
states.
• Cyber criminals: These hackers work for international organized crime with the sole
purpose of targeting financially sensitive data.
Traditional security solutions, such as firewalls, are not enough to protect the network
against the sophisticated cyber attacks of today. While firewalls serve as the first line of
defense at the network perimeter, they are not enough. We need technologies designed to
protect the systems and applications from next-generation attacks that can occur inside
and outside the network infrastructure.
Today's security threats are more sophisticated and targeted than ever, and they’re
growing at an unprecedented rate. Malicious URLs, viruses, and malware have grown
almost six-fold in the last two years, and last year saw more new viruses and malware than
all prior years combined. Businesses are at risk. Infection can be fast and widespread.
With the increased threat of criminals mining for consumer and corporate data, the
efficiency of Internet security must be a priority.
Source: McAfee Labs Threat Center, www.mcafee.com/us/mcafee-labs.aspx
Technological advancements have contributed to the growth of businesses. However, this
has also put security professionals in an unenviable position. Review some of the main
contributing factors to the current security threat environment.
• Internet-based business world: Across industries, organizations depend on the
Internet to run their business. Their network is open to their vendors, partners,
customers, and even the public.
• Mobile computing devices and BYOD: More and more organizations are encouraging
the Bring Your Own Device (BYOD) concept, where employees bring their personal
mobile devices to their offices and use them for official purposes as well. While it is
true that BYOD can save money and space for the organization, the flipside is that it is
a huge security threat.
• Social networking: Internet-based applications such as social networking sites and
multimedia applications come with their own set of vulnerabilities; the more features
an application has, the greater the chance of vulnerabilities. It is not just recreational
applications, but also business and productivity applications that users find more
powerful and capable than the equivalents approved by the organization.
• Storage devices: Over the years, storage devices have been increasing in capacity but
decreasing in size and cost. The security system must be capable of validating the data
coming from and going to such devices.
• Easy availability of hacking tools: You don’t need to be technically savvy to be a hacker.
One can buy the required hacking tools over the Internet.
An attack is any unauthorized action with the intent to compromise data in one or all of
these areas:
• Confidentiality: The privacy of information stored in electronic format on a computer
system, compromised through unauthorized viewing or copying.
• Integrity: The completeness and accuracy of information stored in electronic format on
a computer system, compromised through unauthorized destruction or modification.
• Availability: Access to a computing resource, network, or system by legitimate and
authorized users, compromised through denial-of-service attacks.
• Authenticity: The validity of information or its source, compromised through redirection or spoofing.
Networks typically run 24-hours a day, 7 days a week. This means attacks can occur on any
day of the week and at any time. Without effective security measures, the network is
vulnerable.
Regardless of their skill level, intruders often share a common strategy: Use tools to search
the network for a weakness, then exploit that weakness. Some common attack types are:
• Reconnaissance: Gaining information for a future attack; for example, using sniffers,
web tools, custom scripts, social engineering, etc.
• Exploits: Taking advantage of hidden features or bugs; for example, buffer overflows.
• Advanced Persistent Threats (APTs): Unrelenting attacks against specific networks
over a long period of time.
• Denial-of-Service (DoS) from single point and Distributed DoS (DDoS) from multiple
points: Crashing a machine or service or overloading the network to prevent service or
data availability; for example, ping floods, Smurf attacks, access by thousands of
systems at once.
• Policy Violations: Exploiting packets that do not conform to network standards to
access a denied website. A packet is a unit of data as sent across a network.
• Advanced malware: Infecting a system or network through downloads from email
attachments, blogs, social networking sites, websites, chat messages, message boards,
and so on.
• Bots: Using web robots or zombie computers for coordinated and automated attacks
on networked computers.
• SQL injections: Inserting malicious code into data to compromise a web server or
application.
Attacks are categorized as passive or active. Passive attacks monitor or eavesdrop on
network traffic to capture or steal sensitive data. Active attacks take advantage of a
vulnerability in software to intrude, disrupt services, or damage critical assets.
Contemporary hackers have more resources at their disposal, especially when backed up
by rival corporations and nation states. The security system must be very dynamic,
intelligent, and able to defend against evolving technologies. It needs to meet the needs of
key stakeholders; for example: Legal, IT, Administrators/Users. It also should include a plan
to handle incidents; for example, how incidents are communicated, classified, prioritized,
escalated, and resolved.
Traffic normalization also thwarts attempts to evade the system while boosting attack
detection accuracy. This feature, also known as protocol scrubbing or packet scrubbing,
lets network systems prevent hackers from fingerprinting a host system. Attackers often
send abnormal traffic in the hope that the end system responds in a way that lets the
attacker determine what environments and technologies are deployed at a particular site.
This makes it easier to launch subsequent attacks against known vulnerabilities in host
network hardware or software resources.
In both cases, the network performs an incremental checksum of the TCP header and
regenerates the cyclic redundancy check (CRC) integrity value.
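The scrubbing step described above, as an added example that is not part of the course material or of NSP's own code: a normalizer that clears the reserved bits of a TCP header (one of the fields abnormal traffic abuses for fingerprinting) and then patches the checksum incrementally per RFC 1624 rather than re-summing the whole segment. The addresses, ports and payload are constructed sample values.

```python
import struct

TCP_PROTO = 6
RESERVED_MASK = 0x0E00  # bits 11-9 of the data-offset/flags word (header bytes 12-13)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the whole segment.
    Returns 0 when the checksum already stored in the segment is valid."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def incremental_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for one rewritten 16-bit word."""
    hc = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while hc >> 16:
        hc = (hc & 0xFFFF) + (hc >> 16)
    return (~hc) & 0xFFFF

def build_segment(src_ip: bytes, dst_ip: bytes, flags_word: int, payload: bytes) -> bytes:
    """Constructed sample segment (ports 40000 -> 80, seq 1000) with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, flags_word, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def normalize_reserved_bits(segment: bytes) -> bytes:
    """Scrub the reserved TCP bits that abnormal probes set, then patch the
    checksum incrementally instead of re-summing the payload."""
    old_word, = struct.unpack("!H", segment[12:14])
    new_word = old_word & ~RESERVED_MASK & 0xFFFF
    if new_word == old_word:
        return segment  # nothing to scrub; hand the segment on untouched
    old_csum, = struct.unpack("!H", segment[16:18])
    new_csum = incremental_update(old_csum, old_word, new_word)
    return (segment[:12] + struct.pack("!H", new_word) + segment[14:16]
            + struct.pack("!H", new_csum) + segment[18:])

if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    odd = build_segment(src, dst, 0x5000 | RESERVED_MASK | 0x0002, b"GET / HTTP/1.0\r\n")
    clean = normalize_reserved_bits(odd)
    print(hex(int.from_bytes(clean[16:18], "big")), tcp_checksum(src, dst, clean) == 0)
```

The same incremental update applies to any other single header word a normalizer rewrites, such as the IP TTL/protocol word, as long as the old and new values are both 16-bit aligned.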
An Intrusion Prevention System (IPS) provides an extra layer of protection for the network,
recognizing attacks that a firewall cannot see.
As an example, assume the firewall is configured to allow HTTP traffic. The firewall typically
relies on a destination port, such as Transmission Control Protocol (TCP) port 80, to judge
the nature of the content. Although the firewall can proxy network requests that implicitly
ensure legitimate HTTP traffic, the firewall does not scan the traffic for exploits.
The IPS inspects inbound and outbound traffic, including application-specific headers and
payloads, for suspicious patterns and malicious code. It also validates traffic at multiple
layers of the Open Systems Interconnection (OSI) model.
Network intrusion prevention devices (NIPS) shall be placed in the network topology to
mitigate the risk of malicious ingress and egress traffic. At minimum, NIPS should reside on
the perimeter and internal network segments.
There are two types of intrusion prevention system components. These devices work together,
as part of a total network security solution, but have different functions.
The Sensor is the core of the Network protection. It is the device appliance that monitors
the traffic crossing network segments and, using multiple forms of detection, determines if
an attack is being attempted. In the event of an attack, the Sensor responds according to
how it is configured, and sends an alert to the Manager providing notification of the attack
and what response was taken. The high-availability features of the Sensor may include
redundant power supplies, configuration of stateful failover between Sensor pairs, and
more.
The Manager is the central management component that maintains the database of alerts
and packet logs generated by all of the Sensors. Configuration changes are performed at
the Manager; in turn, Sensors and other devices are updated from the Manager. The user
interface to the Manager is accessed through a web browser over a Secure Sockets Layer
(SSL) connection. The Manager also has a feature for pairing Managers, called Manager
Disaster Recovery (MDR).
The figure focuses on the Manager’s architecture. Key components are listed below.
• Environment Configuration: Covers the Manager and Sensor administrative
configuration, such as port settings, administrative domains, security policies, and
more.
• Threat Database: Stores the signature files used for packet inspection and analysis.
• Data Fusion: Involves the aggregation and correlation of threat information from other
sources such as Host Intrusion Protection, Vulnerability Manager, and Global Threat
Intelligence (GTI).
• Forensic Analysis: Handles the logging of traffic statistics, capture or host information,
and alerts, as well as alert analysis and graphical reporting.
• Response System: Handles e-mail alert delivery, log files, and configuration of the type
of operational metrics the Sensor is supposed to forward to the Manager.
Optionally, we can integrate NSP with other McAfee products, such as McAfee Advanced
Threat Defense, ePolicy Orchestrator (ePO), Host IPS, Network Threat Behavior Analysis,
and Vulnerability Manager, for a comprehensive enterprise security management
framework.
The McAfee Security Connected solution platform includes applications and tools to help
customers better understand the threat landscape, vulnerabilities, and relevant
countermeasures, translating into more effective risk management.
Network Security
The network security framework provides maximum availability, security, integrity,
flexibility, and manageability with minimum overhead and risk.
• McAfee Next Generation Firewall, powered by Stonesoft, provides evasion prevention,
centralized management, and built-in high availability and scalability to meet the
complex, high-performance needs of demanding data centers and distributed
enterprises, both today and tomorrow.
• McAfee Network Security Platform (NSP) defends against stealthy attacks with
extreme accuracy at speeds of up to 80 Gbps, while providing rich contextual data
about users, devices, and applications for fast, accurate responses to network-borne
attacks.
• McAfee Firewall Enterprise is a proxy-based network firewall that offers a range of
capabilities, including application visibility and deep application controls to defend
against network security threats.
• McAfee Network Threat Behavior Analysis analyzes traffic for network security
threats coming from inside the network, including malicious behavior and unusual
host interactions.
• McAfee Advanced Threat Defense finds advanced malware and zero-day threats, and
seamlessly integrates with McAfee network security solutions to freeze the threat
while Real Time for McAfee ePolicy Orchestrator initiates a fix or remediation actions.
• McAfee Network Threat Response is a framework of next-generation detection
engines specializing in thwarting advanced persistent threats (APTs), and prioritizes
and presents only those security threats that require investigation — cutting analysis
time from weeks to minutes.
Information Security
Information Security gives you insight so you can understand, classify, and protect
incoming and outgoing data, as well as data within the organization, and protect against
inbound advanced persistent threats.
• Solutions such as McAfee Email Protection, McAfee Web Protection, and McAfee
Content Security Suite minimize risk with integrated threat protection, data loss
prevention, and advanced antimalware. With our Security Connected framework,
customers can gain confidence in their data going to and through the cloud, while
minimizing complexity and cost. Enable legitimate use while implementing policy-
based inbound and outbound content security controls to support business goals and
compliance.
• McAfee Complete Data Protection Suites, McAfee Data Loss Prevention, and McAfee
Total Protection for Data Loss Prevention, provide multilayered protection for data
regardless of where it resides — on the network, in the cloud, or at the endpoint.
Security Management
Security Management provides a comprehensive approach to managing enterprise
security, with products such as:
• ePolicy Orchestrator (ePO) software provides powerful workflow capabilities to
increase administrators’ effectiveness so they can more quickly define and deploy
security, as well as respond to events and issues as they arise. McAfee delivers
complete integration between the McAfee ePO software, McAfee Risk Advisor, and
McAfee Endpoint solutions.
Endpoint Security
• McAfee Endpoint Protection solutions suites add defense in depth against the full
threat spectrum from zero-day exploits to hacker attacks, protecting Windows, Macs,
and Linux systems, as well as mobile devices such as iPhone, iPad, and Android
smartphones and tablets.
• McAfee Host Intrusion Prevention for Server helps maintain business uptime by
protecting critical corporate assets, including servers, applications, customer
information, and databases.
Partner Community
The McAfee Partner Community provides partners with access to sales and marketing
resources, partner sales and technical training, deal registration, technical support, sales
promotions, market development funds (MDF), and rebate programs—all they need to
attract new customers and build business.