The company is changing its name after the closing of its spin-off of Sniffer Technologies, a business unit that previously marketed the IntruShield network IPS appliances. IntruShield will now be sold alongside the Entercept host IPS software.

“We’re still selling them separately, but we’re seeing a need for an intrusion prevention solution,” said Vimal Solanki, director of product marketing for McAfee IPS Solutions, explaining the move away from separate business units.

IntruShield is a network appliance that comes in four models and employs signatures and anomaly detection to identify attacks. It can look for protocol anomalies, statistical anomalies, and application message anomalies, Solanki said.

The new IntruShield 2.1 has the ability to examine SSL-encrypted traffic, Solanki said. The capability, which requires administrators to put a copy of their web server certificate on the device, has been in the hardware for some time, but is now being added to the software.

The devices do not terminate the SSL traffic. Rather, they stall the encrypted messages, decrypt a copy and examine it for violations of security policy before either dropping or sending on the original encrypted packets, Solanki said.

Also in 2.1 is a layer-7 firewall that can block ports or applications and do stateful inspection. This is designed for the network interior, rather than the perimeter. Up to 1,000 virtual firewalls can be implemented on each device.

Entercept, also updated, is agent software that is deployed on each host that is to be protected. It sits between the application and the operating system kernel, monitoring system calls and blocking anything that looks like an attack, such as a buffer overflow or privilege escalation.

Version 5.0 of Entercept mainly updates the management features, but it also adds a process firewall feature, which allows security policies relating to application network access to be enforced on the endpoint.

McAfee’s strategy is to make its products more effective at stopping unknown and zero-day attacks than signature-based systems like conventional IDS and antivirus. In marketing-speak, that means proactive, rather than reactive, prevention.

The strategy extends as far as the company’s core antivirus business. NAI recently launched VirusScan 8.0i, which incorporates network firewall and intrusion prevention principles to complement frequently inadequate file-based virus scanning.