McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies


Overview

4

Host and network IPS signature rules

An attack can be recognized by a signature, a characteristic pattern of characters, and that signature can be used to identify and prevent the malicious activity. For example, a signature can be set to look for the string ../ in a web URL. If the signature is enabled and the system encounters this string, an event is triggered.

A signature-based approach, with both host and network IPS signatures, accounts for the majority of detection schemes used in intrusion detection and is one mechanism that Host Intrusion Prevention uses. A database of signature rules is installed with every client and is updated as new attack types are discovered.

Signatures are categorized by severity level and by description of the danger an attack poses. They are designed for specific applications and for specific operating systems. The majority protect the entire operating system, while some protect specific applications.

Host Intrusion Prevention offers mostly host IPS signatures, with a few additional network IPS signatures.
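To make the signature mechanism described above concrete, here is a small added example (not code from the product guide or from McAfee) of a signature rule engine: each rule carries an ID, a pattern, a severity level and a description, rules can be enabled or disabled, and matching a normalized URL against an enabled rule produces an event. The rule IDs, names, patterns and severity labels are constructed for illustration, as are the request lines it scans. It goes slightly beyond the text in one respect: it percent-decodes the URL before matching so that an encoded form of ../ does not slip past a literal ../ signature.

```python
"""Illustrative signature-based URL inspection (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sig_id: int        # hypothetical rule identifier
    name: str          # description of the danger the attack poses
    pattern: str       # regular expression applied to the normalized URL
    severity: str      # severity level: "High", "Medium", "Low" or "Information"


@dataclass(frozen=True)
class Event:
    sig_id: int
    name: str
    severity: str
    url: str           # the URL exactly as seen, for the analyst


# Constructed rule database; IDs, names and patterns are illustrative only.
SIGNATURES: List[Signature] = [
    Signature(1001, "Directory traversal string (../) in URL", r"\.\./", "High"),
    Signature(1002, "Null byte embedded in URL", "\x00", "Medium"),
    Signature(1003, "Unusually long URL", r"^.{512,}$", "Low"),
]


def normalize_url(url: str) -> str:
    """Percent-decode twice (so %252e%252e/ also becomes ../) and unify slashes."""
    decoded = url
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def match_url(url: str,
              signatures: Iterable[Signature] = SIGNATURES,
              enabled: Optional[Set[int]] = None) -> List[Event]:
    """Return one Event per enabled signature whose pattern is found in the URL.

    `enabled` is the set of signature IDs that are switched on; None means all
    signatures are enabled. A disabled signature never triggers an event.
    """
    normalized = normalize_url(url)
    events: List[Event] = []
    for sig in signatures:
        if enabled is not None and sig.sig_id not in enabled:
            continue
        if re.search(sig.pattern, normalized):
            events.append(Event(sig.sig_id, sig.name, sig.severity, url))
    return events


def scan_requests(lines: Iterable[str],
                  signatures: Iterable[Signature] = SIGNATURES,
                  enabled: Optional[Set[int]] = None) -> List[Event]:
    """Inspect request lines of the form 'METHOD URL VERSION' and collect events."""
    events: List[Event] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue          # not a request line; nothing to inspect
        events.extend(match_url(parts[1], signatures, enabled))
    return events


def summarize(events: Iterable[Event]) -> Dict[str, int]:
    """Count events by severity level, the view an administrator reviews first."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.severity] = counts.get(ev.severity, 0) + 1
    return counts


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /images/logo.png HTTP/1.1",
    "GET /cgi-bin/../../config.txt HTTP/1.1",
    "GET /cgi-bin/%2e%2e%2fconfig.txt HTTP/1.1",
    "GET /index.php?page=%00 HTTP/1.1",
]

if __name__ == "__main__":
    for ev in scan_requests(SAMPLE_REQUESTS):
        print(f"[{ev.severity}] sig {ev.sig_id}: {ev.name}  <- {ev.url}")
    print(summarize(scan_requests(SAMPLE_REQUESTS)))
```

The decoding step is the part worth noting: a signature written as a literal string is only as good as the canonical form it is matched against, which is why the engine normalizes before comparing rather than relying on the raw request text.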

HIPS

HIPS protection resides on individual systems such as servers, workstations or notebooks. The Host Intrusion Prevention client delivers protection by inspecting traffic flowing into or out of a system and by examining the behavior of applications and the operating system for signs of attack. When an attack is detected, the client can block it at the network segment connection, or can issue commands to the application or operating system to stop the behavior initiated by the attack. For example, a buffer overflow is prevented by blocking malicious code that an attack has inserted into the exploited address space. Installation of back door programs through applications like Internet Explorer is blocked by intercepting and denying the application’s “write file” command.

Benefits of Host IPS

• Protects against an attack as well as the results of an attack, such as blocking a program from writing a file.

• Protects laptops against attack when they are outside the protected network.

• Protects against local attacks introduced by CDs, memory sticks, or floppy disks. These attacks often focus on escalating the user’s privileges to “root” or “administrator” to compromise other systems in the network.

• Provides a last line of defense against attacks that have evaded other security tools.

• Prevents internal attack or misuse on devices located on the same network segment.

• Protects against attacks where the encrypted data stream terminates at the system being protected, by examining the decrypted data and behavior.

• Independent of network architecture; allows for protection of systems on obsolete or unusual network architectures such as Token Ring or FDDI.
