Chapter 1 What Is Inline Mode; Benefits Of Running Inline - McAfee M-1250 - Network Security Platform Manual

Chapter 1
What is inline mode?
Inline monitoring mode provides prevention of attacks by enabling Security Administrators
to select the types of attacks/traffic to drop, thus preventing the negative end-system
impact common with today's network attacks. Inline mode is achieved when a Network
Security Sensor is placed directly in the path of a network segment, becoming,
essentially, a "bump in the wire," with packets flowing through the Sensor. In this mode, the
Sensor inspects all traffic at wire-speed and can prevent network attacks by dropping
malicious traffic in real time—the Sensor actually ends the attacking transmission before it
can reach and impact the target. Preventative actions can operate at a highly granular
level, including the automated dropping of DoS traffic intended for a specific host.

When operating in inline mode, network segments are connected to two wire-matched
Sensor ports (for example, peer ports 1A and 1B), and packets are examined in real time
as they pass through the Sensor. In this mode, a packet comes in through the first
interface of the Sensor's port pair and goes out the second interface of the pair. The packet is
sent to the second interface of the pair unless that packet is being denied or modified by a
signature.

As of release 2.1.7, Sensor ports are configured by default for monitoring in inline mode;
that is, connected inline on a network segment (for example, between a switch and a
router or between two switches). A Sensor with 2.1.7 or later software will initially come online with
its peer ports configured in pairs and in inline mode.

Note: This change will not override user-configured settings. Deployed Sensors
upgraded to 2.1.7 or later will retain their user-configured settings.

Benefits of running inline

The benefits to using Sensors in inline mode are:

Protection/Prevention. Prevention is a feature unique to inline mode. When running inline,
a Sensor can drop malicious packets and not pass them through the network. This
acts sort of like an "adaptive firewall," with your detection policy dictating what is
dropped. Furthermore, when dropping packets, Network Security Platform is very
precise and granular. The Sensor can drop only those packets it identifies as
malicious or all of the packets related to that flow (a choice that is user configurable).

Packet "scrubbing." In addition to dropping malicious traffic, Network Security Platform
can scrub—or normalize—traffic to take out any ambiguities in protocols that the
attacker may be using to try to evade detection. Current IDS products are susceptible
to these techniques, and an example of this attempt is IP fragment and TCP segment
overlaps. The Sensor can reassemble the IP fragments and TCP segments and
enforce a reassembly mode of the user's choice to accept either the old or the new
data.

Processing at wire-speed. Sensors are able to process packets at wire rates.
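
The overlap ambiguity described under Packet "scrubbing," shown as an added Python example (not taken from the manual and not the Sensor's own logic): it reassembles one set of overlapping segments under an "old data" and a "new data" policy and reports the offsets where the copies disagree. The function names and the segment values are assumptions constructed for illustration.

```python
# Added example: values below are constructed, not captured traffic.

def reassemble(segments, policy):
    """Rebuild a stream from (offset, data) segments given in arrival order.

    policy="old": the first copy of a byte is kept.
    policy="new": a later copy overwrites the earlier one.
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    stream = {}  # stream offset -> byte value
    for offset, data in segments:
        for i, value in enumerate(data):
            pos = offset + i
            if policy == "new" or pos not in stream:
                stream[pos] = value
    end = max(stream, default=-1) + 1
    for pos in range(end):
        if pos not in stream:
            raise ValueError(f"gap at offset {pos}: stream incomplete")
    return bytes(stream[pos] for pos in range(end))


def conflicting_overlaps(segments):
    """Offsets where a later copy of a byte differs from the first copy.

    An identical retransmission is benign; differing data at the same offset
    is the ambiguity that a fixed reassembly policy removes.
    """
    first, conflicts = {}, set()
    for offset, data in segments:
        for i, value in enumerate(data):
            pos = offset + i
            if first.setdefault(pos, value) != value:
                conflicts.add(pos)
    return sorted(conflicts)


# Constructed arrival order: the third segment overlaps the first two.
SEGMENTS = [(0, b"AAAA"), (4, b"BBBB"), (2, b"xxxx"), (8, b"CC")]

if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", conflicting_overlaps(SEGMENTS))
```

An inspection device and a receiving host that apply different policies derive different streams from the same packets; enforcing a single reassembly mode inline means both see the same bytes.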