Advanced Intrusion Detection And Prevention; About Rule Sets - McAfee SG310 Administration Manual


Table 17 UDP services settings (continued)
Columns: Service, Basic, Standard, Strict
Service
filenet-rmi
mdqs
mpm-flags
nfs
ntalk
repcmd
rlzdbase
snmp
snmptrap
sometimes-rpc10
sometimes-rpc12
sometimes-rpc8
ssh
sql*net
sunrpc
talk
tcpmux
tftp
who
Advanced Intrusion Detection and Prevention
The SG565, SG580, SG640, and SG720 models provide Advanced Intrusion Detection and Blocking in
addition to basic IDB.
Advanced Intrusion Detection and Prevention is based on two variants of the tried and tested intrusion
detection and prevention system Snort v2. Snort in IDS (Intrusion Detection System) mode resides in front
of the firewall, and detects and logs a very wide range of attacks. Snort in IPS (Intrusion Prevention
System) mode resides behind the firewall, and detects and blocks a wide range of attacks.
The primary advantage of running Snort IDS (Snort) in front of the firewall is that it sees unfiltered network
traffic, and is therefore able to detect a wider range of attacks. The primary advantage of running Snort IPS
(IPS) behind the firewall is that suspicious network traffic can be disallowed rather than simply being
flagged as suspicious and allowed to pass.
Snort uses a combination of methods to perform extensive ad hoc network traffic analysis, including
protocol analysis, inconsistency detection, historical analysis, and rule-based inspection engines. Snort can
detect many attacks by checking the destination port number and TCP flags and performing a simple search
through the packet's data payload. Rules can be quite complex, for example triggering only if one criterion
matches while another does not. Snort can also detect malformed network packets and protocol anomalies.
Snort can detect attacks and probes such as buffer overflows, stealth port scans, CGI attacks, NetBIOS
SMB probes, OS fingerprinting attempts, and many other common and uncommon exploits.
You can run Snort in IDS and IPS mode simultaneously if you choose; however, doing so consumes much of the
memory on the UTM Firewall appliance. If you run both modes, make sure you enable the Use less
memory feature in the IPS configuration. See Configuring Snort in IPS mode.

About rule sets

Snort detection uses rule sets that can be individually enabled or disabled. A rule set is a group of defined
patterns, or rules, used to detect attacks. Rule sets are grouped by type, such as ddos, exploit,
backdoor, and netbios, and each group encompasses many attack signatures. The full list of signatures can be
viewed on the Snort Web site (http://www.snort.org).
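To make the two preceding descriptions concrete (rule-based inspection on destination port, TCP flags and payload content, a rule that fires only when one criterion matches while another does not, and rule sets grouped by type that can be switched on or off), here is an added example of a minimal Snort 2 style rule matcher. It is illustrative code written for this page, not McAfee's or Snort's own implementation; the rules, sids, classtype groups and packets are constructed samples, and only a small subset of Snort's option syntax is handled (no |hex| content, no pcre, no preprocessor options).

```python
# Added example (not McAfee's or Snort's code): a minimal Snort 2 style rule
# matcher showing destination port, TCP flags and payload content checks,
# negated criteria (content:!"..."), and rule sets grouped by classtype that
# can be enabled or disabled. All rules and packets below are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|ip)\s+\S+\s+\S+\s*->\s*"
    r"\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str                                   # port number or "any"
    msg: str
    sid: int
    group: str                                   # rule set, taken from classtype here
    flags: Optional[str] = None                  # e.g. "S", "A+", "!A", "0"
    contents: List[Tuple[bool, bytes]] = field(default_factory=list)  # (negated, pattern)


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""
    flags: Set[str] = field(default_factory=set)  # TCP flag letters; empty for UDP


def parse_rule(text: str) -> Rule:
    """Parse one single-line rule in (a subset of) Snort 2 syntax."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = Rule(m["action"], m["proto"], m["dport"], msg="", sid=0, group="unclassified")
    for opt in m["opts"].split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":                   # content:!"..." must be absent
            negated = val.startswith("!")
            rule.contents.append((negated, val.lstrip("!").strip().strip('"').encode()))
        elif key == "flags":
            rule.flags = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "classtype":
            rule.group = val
    return rule


def flags_match(spec: str, pkt_flags: Set[str]) -> bool:
    """Snort flags semantics: exact set by default, '+' = these plus any others,
    '*' = any of these, '0' = no flags set, leading '!' negates the result."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    mode = "exact"
    if spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    elif spec.endswith("*"):
        mode, spec = "any", spec[:-1]
    wanted = set() if spec == "0" else set(spec)
    if mode == "exact":
        ok = pkt_flags == wanted
    elif mode == "plus":
        ok = wanted <= pkt_flags
    else:
        ok = bool(wanted & pkt_flags)
    return ok != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header criteria (proto, dport) then option criteria (flags, content)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.flags):
        return False
    # every content option must hold: present, or absent when negated
    return all((pattern in pkt.payload) != negated for negated, pattern in rule.contents)


def scan(packets, rules, enabled_groups):
    """Return (sid, action, msg) for each hit whose rule set is enabled."""
    return [(r.sid, r.action, r.msg) for p in packets for r in rules
            if r.group in enabled_groups and matches(r, p)]


SAMPLE_RULES = [  # constructed rules; sids in the local (1000000+) range
    'alert tcp any any -> any 80 (msg:"CGI probe over HTTP/1.0"; flags:A+; '
    'content:"/cgi-bin/"; content:!"HTTP/1.1"; classtype:web-application-attack; sid:1000001;)',
    'alert tcp any any -> any any (msg:"NULL scan, no TCP flags"; flags:0; '
    'classtype:attempted-recon; sid:1000002;)',
    'alert udp any any -> any 161 (msg:"SNMP request with public community"; '
    'content:"public"; classtype:attempted-recon; sid:1000003;)',
]
SAMPLE_PACKETS = [  # constructed packets: only the second one escapes rule 1000001
    Packet("tcp", 80, b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n", {"A", "P"}),
    Packet("tcp", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: x\r\n\r\n", {"A", "P"}),
    Packet("tcp", 443, b"", set()),
    Packet("udp", 161, b"\x30\x26\x02\x01\x00\x04\x06public\xa0\x19", set()),
]
RULES = [parse_rule(r) for r in SAMPLE_RULES]
ALL_GROUPS = {r.group for r in RULES}

if __name__ == "__main__":
    for sid, action, msg in scan(SAMPLE_PACKETS, RULES, ALL_GROUPS):
        print(action, sid, msg)
```

Running it with all groups enabled reports three hits; passing only {"attempted-recon"} to scan() drops the web-application-attack hit, which is the effect of disabling a rule set on the appliance. The first rule is the "one criterion matches but another fails" case: it fires on a /cgi-bin/ request only when the HTTP/1.1 marker is absent.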
McAfee UTM Firewall 4.0.4 Administration Guide
Table 17 columns: Basic, Standard, Strict
201

This manual is also suitable for: SG560, SG560U, SG565, SG580