Chapter 7 Block Attacks; Methods For Blocking Attacks; Block Exploit Traffic - McAfee M-1250 - Network Security Platform Manual


Chapter 7: Block attacks

The ability to drop and deny is available only with a Sensor running in inline mode. The
most efficient way to block exploits is to customize one or more of McAfee® Network
Security Platform's IPS Policies to proactively drop malicious traffic. One of McAfee Network
Security Platform's pre-configured policies includes this functionality by default. The
Default Inline IPS policy is automatically applied to Sensor interfaces when the Sensor is
first added to the Manager. This policy contains a number of attacks that Network Security
Platform has categorized as "Recommended For Smart Blocking" (RFSB), and which are
pre-configured with the "Drop attack packets" response.
With other provided policies, the default Sensor response is to send alerts and log
packets.
The first step towards prevention is typically to block attacks that have not caused false
positives, have a high severity level, and have a low benign trigger probability. When you
know which attacks you want to block, you can configure your policy to perform the "Drop
attack packets" response for those attacks.
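
The selection rule above, as an added example that is not from the McAfee manual: a Python script that triages a constructed alert history into attacks suitable for the "Drop attack packets" response and attacks to leave on alert-only, with the reason for each. The record fields, the 0-9 severity scale, the threshold and the attack names are assumptions, not the Manager's export format.

```python
from collections import defaultdict

# Constructed sample alert history. Field names and scales are assumptions,
# not the Manager's actual export format.
ALERTS = [
    {"attack": "HTTP: Example Overflow A", "severity": 8, "btp": "low", "false_positive": False},
    {"attack": "HTTP: Example Overflow A", "severity": 8, "btp": "low", "false_positive": False},
    {"attack": "SMB: Example Probe B", "severity": 9, "btp": "low", "false_positive": True},
    {"attack": "SMB: Example Probe B", "severity": 9, "btp": "low", "false_positive": False},
    {"attack": "DNS: Example Anomaly C", "severity": 7, "btp": "high", "false_positive": False},
    {"attack": "FTP: Example Login D", "severity": 3, "btp": "low", "false_positive": False},
]

HIGH_SEVERITY = 7  # assumed cut-off for "high" on an assumed 0-9 scale


def triage(alerts, min_severity=HIGH_SEVERITY):
    """Split attacks into blocking candidates and attacks held back.

    Returns (candidates, held_back): a sorted list of attack names that meet
    all three criteria, and a dict mapping every other attack to its reasons.
    """
    stats = defaultdict(lambda: {"fp": 0, "severity": 0, "btp": set()})
    for a in alerts:
        s = stats[a["attack"]]
        s["fp"] += int(a["false_positive"])      # analyst-confirmed false positives
        s["severity"] = max(s["severity"], a["severity"])
        s["btp"].add(a["btp"])                   # benign trigger probability seen

    candidates, held_back = [], {}
    for name, s in stats.items():
        reasons = []
        if s["fp"]:
            reasons.append(f"{s['fp']} false positive(s) on record")
        if s["severity"] < min_severity:
            reasons.append("severity below threshold")
        if s["btp"] != {"low"}:
            reasons.append("benign trigger probability not low")
        if reasons:
            held_back[name] = reasons
        else:
            candidates.append(name)
    return sorted(candidates), held_back


if __name__ == "__main__":
    block, keep_alerting = triage(ALERTS)
    print("Configure 'Drop attack packets' for:", block)
    for name, why in keep_alerting.items():
        print(f"Leave on alert-only: {name} ({'; '.join(why)})")
```
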

Methods for blocking attacks

The Network Security Platform IPS offers a variety of ways to block malicious traffic.
These options include the following:
- Block exploit traffic (based on policy configuration)
- Block DoS traffic (behavior-based detection)
- Block using ACLs (based on configured ACL rules)
- Utilize Network Security Platform's traffic normalization feature—block based on configured TCP flow violation (out-of-order packets, deny...)
- Block IP-spoofed packets (configured)
Tip: Attack filters can be configured to override the blocking criteria—to permit
particular source IPs, for example.
Note: Each of the options listed is described at a high level in this document. For
step-by-step procedures on how to perform the tasks described, see the
Configuration Guide.

Block exploit traffic

Exploit refers to attacks that are discovered through a set of parameters, or rules, that are
matched against data within a packet. Signatures, specific strings used to match data in
