2 Basic Concepts

McAfee® Host Intrusion Prevention is a host-based intrusion protection system. It protects against known and unknown attacks, including worms, Trojan horses, buffer overflow, critical system file modification, and privilege escalation. Host Intrusion Prevention management is delivered through the ePolicy Orchestrator console and provides the ability to set and apply host intrusion prevention, firewall, application blocking, and general policies. Host Intrusion Prevention clients are deployed to servers and desktops and function as independent protective units. They report their activity to ePolicy Orchestrator and retrieve updates for new attack definitions.

This section describes the four features of Host Intrusion Prevention and how it works with ePolicy Orchestrator, and includes the following topics:

• IPS feature

• Firewall feature

• Application Blocking feature

• General feature

• Policy management

• Deployment and management

IPS feature

The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is making a call, the security context in which that process runs, and the resource being accessed. A kernel-level driver monitors the system call chain: entries in the user-mode system call table are redirected so that the driver receives each call. When a call is made, the driver compares the request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log the action.

Signature rules

Signature rules are patterns of characters that can be matched against a traffic stream. For example, a signature rule might look for a specific string in an HTTP request. If the string matches one from a known attack, action is taken. These rules provide protection against known attacks.
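The decision model described above (process, security context and resource of an intercepted call, checked against signature and behavioral rules that yield allow, block or log) as an added illustration; this is constructed example code, not McAfee's implementation, and the rules, process names and paths in it are assumed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model (not McAfee code) of the decision described above: an
# intercepted call carries the calling process, its security context, the
# resource it touches and any payload; each rule is either a signature
# (pattern over the payload) or behavioral (conditions on process, context,
# resource) and names the action to take when it matches.

@dataclass
class Event:
    process: str
    context: str            # e.g. "user" or "SYSTEM"
    resource: str           # file path, registry key or URL
    payload: str = ""       # request line/body for network events

@dataclass
class Rule:
    name: str
    action: str                                   # "block" or "log"
    pattern: Optional[str] = None                 # signature: regex over payload
    behavior: Dict[str, str] = field(default_factory=dict)  # event field -> regex

    def matches(self, ev: Event) -> bool:
        if self.pattern is not None and not re.search(self.pattern, ev.payload):
            return False
        return all(re.search(rx, getattr(ev, fld)) for fld, rx in self.behavior.items())

# Constructed rule set for the example (sample values, not product signatures).
RULES = [
    # Signature rule: a directory-traversal string inside an HTTP request line.
    Rule("sig-http-traversal", "block", pattern=r"^(GET|POST) \S*\.\./"),
    # Behavioral rule: any process other than TrustedInstaller modifying System32.
    Rule("bhv-system-file", "block",
         behavior={"process": r"^(?!TrustedInstaller\.exe$)",
                   "resource": r"^C:\\Windows\\System32\\"}),
    # Behavioral rule: user-context writes under HKLM are logged, not blocked.
    Rule("bhv-hklm-write", "log",
         behavior={"context": r"^user$", "resource": r"^HKLM\\"}),
]

def evaluate(ev: Event, rules=RULES) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name): first block wins, else log if any matched, else allow."""
    decision: Tuple[str, Optional[str]] = ("allow", None)
    for rule in rules:
        if rule.matches(ev):
            if rule.action == "block":
                return ("block", rule.name)
            decision = ("log", rule.name)
    return decision
```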
