<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The IPS Guy &#187; theipsguy</title>
	<atom:link href="http://theipsguy.com/author/theipsguy/feed/" rel="self" type="application/rss+xml" />
	<link>http://theipsguy.com</link>
	<description>Intrusion Prevention/Detection technologies.</description>
	<lastBuildDate>Thu, 19 Aug 2010 17:25:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Intel buys McAfee</title>
		<link>http://theipsguy.com/intel-buys-mcafee/</link>
		<comments>http://theipsguy.com/intel-buys-mcafee/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 17:25:29 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=241</guid>
		<description><![CDATA[It was announced today that Intel will buy McAfee for over $7 billion in cash. There had been rumors that HP was looking to buy McAfee; it would have been interesting to see how they would have combined the TippingPoint and McAfee intrusion prevention systems. At first glance the Intel merger does seem odd until you [...]]]></description>
			<content:encoded><![CDATA[
<p>It was announced today that Intel will buy McAfee for over $7 billion in cash. There had been rumors that HP was looking to buy McAfee; it would have been interesting to see how they would have combined the TippingPoint and McAfee intrusion prevention systems. At first glance the Intel merger does seem odd until you begin to look at some of the benefits.</p>
<p>Intel is developing processors with AES instruction sets included. In many ways this allows Intel to provide hardware-based encryption, and they now own a product to directly integrate with this processor. They could also develop AV solutions running on chips, which would dramatically increase the scanning speed.</p>
<p>If handled correctly this could dramatically change the availability of these products. Why buy another solution if your hardware already has one?</p>
<div id="_mcePaste">Intel® AES-NI Impact</div>
<div id="_mcePaste">Testing with McAfee Endpoint Encryption* for PCs (EEPC) 6.0, encrypting a 32GB Intel® X25-E SATA SSD using the Intel® Xeon® processor 5600 series with Intel® AES-NI showed a 30% faster server SSD provisioning time compared to the prior generation processor without Intel AES-NI.</div>
<div></div>
<div>Link to Intel article.</div>
<div>http://bit.ly/9f3bKb</div>
<div></div>
<div>Article on CNN</div>
<div>http://bit.ly/aW36s1</div>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/intel-buys-mcafee/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Results for the CISM</title>
		<link>http://theipsguy.com/results-for-the-cism/</link>
		<comments>http://theipsguy.com/results-for-the-cism/#comments</comments>
		<pubDate>Mon, 16 Aug 2010 15:25:12 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=238</guid>
		<description><![CDATA[Well, ISACA was not kidding when they said it takes 6-8 weeks to get the results. I received my email at 4:00pm exactly 8 weeks after taking the exam. The good news is that I passed the exam! I am now beginning the process of verification of my work experience. ISACA says it takes 6-8 weeks for [...]]]></description>
			<content:encoded><![CDATA[
<p>Well, ISACA was not kidding when they said it takes 6-8 weeks to get the results. I received my email at 4:00pm exactly 8 weeks after taking the exam. The good news is that I passed the exam! I am now beginning the process of verification of my work experience. ISACA says it takes 6-8 weeks for this as well and I am sure it will probably take the full 8 weeks.</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/results-for-the-cism/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Thoughts on the CISM exam</title>
		<link>http://theipsguy.com/thoughts-on-the-cism-exam/</link>
		<comments>http://theipsguy.com/thoughts-on-the-cism-exam/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 14:28:25 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=236</guid>
		<description><![CDATA[So I took the CISM exam on June 12th. I have not received the results back yet; it generally takes 6-8 weeks. The test was tough and I thought the practice database from ISACA was a good representation of the type of questions to expect. I do think though that they could reduce the number [...]]]></description>
			<content:encoded><![CDATA[
<p>So I took the CISM exam on June 12th. I have not received the results back yet; it generally takes 6-8 weeks. The test was tough and I thought the practice database from ISACA was a good representation of the type of questions to expect. I do think though that they could reduce the number of questions from 200. There were many repetitive questions and for only 5 domains they should either add more unique questions or reduce the number.</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/thoughts-on-the-cism-exam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preparing for the CISM exam</title>
		<link>http://theipsguy.com/preparing-for-the-cism-exam/</link>
		<comments>http://theipsguy.com/preparing-for-the-cism-exam/#comments</comments>
		<pubDate>Sun, 30 May 2010 18:10:32 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=233</guid>
		<description><![CDATA[I have decided to sit for the CISM exam. The exam is scheduled for June 12th. ISACA only offers the exam two times per year so I figured this was the best time to take it. The CISM is growing in popularity and is becoming more common in job requirements, although it is still not [...]]]></description>
			<content:encoded><![CDATA[
<p>I have decided to sit for the CISM exam. The exam is scheduled for June 12th. ISACA only offers the exam two times per year so I figured this was the best time to take it. The CISM is growing in popularity and is becoming more common in job requirements, although it is still not as popular as the CISSP. The CISM is more focused on those in management positions around Information Security and requires three years of actual management experience in Information Security.</p>
<p>The exam is 200 questions and you can take up to 4 hours to complete it. It is considered very rigorous and at least as difficult as the CISSP. I am very excited to take this exam and will post some information in subsequent posts. More information on the CISM exam can be found below.</p>
<p><a title="http://bit.ly/a2Xclj" href="http://bit.ly/a2Xclj">http://bit.ly/a2Xclj</a></p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/preparing-for-the-cism-exam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symantec to purchase PGP and GuardianEdge</title>
		<link>http://theipsguy.com/symantec-to-purchase-pgp-and-guardianedge/</link>
		<comments>http://theipsguy.com/symantec-to-purchase-pgp-and-guardianedge/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 18:46:29 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=227</guid>
		<description><![CDATA[While not related directly to IPS it is still newsworthy. Symantec announced today they are buying PGP and GuardianEdge for $370 million! Symantec has somewhat languished over the last few years without a lot of truly innovative security products. This now places Symantec as a major player in the encryption space. They can now [...]]]></description>
			<content:encoded><![CDATA[
<p>While not related directly to IPS it is still newsworthy. Symantec announced today they are buying PGP and GuardianEdge for $370 million! Symantec has somewhat languished over the last few years without a lot of truly innovative security products. This now places Symantec as a major player in the encryption space. They can now compete with other companies such as McAfee, Sophos and Check Point in the encryption space.</p>
<p>Interesting note: McAfee previously owned PGP and sold it. They then later purchased SafeBoot and now Symantec owns PGP. I guess McAfee should have just kept PGP. <img src='http://theipsguy.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>http://www.theregister.co.uk/2010/04/29/symantec_buys_pgp/</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/symantec-to-purchase-pgp-and-guardianedge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virtual IPS vs. Virtualized IPS</title>
		<link>http://theipsguy.com/virtual-ips-vs-virtualized-ips/</link>
		<comments>http://theipsguy.com/virtual-ips-vs-virtualized-ips/#comments</comments>
		<pubDate>Tue, 27 Apr 2010 17:48:14 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IBM]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[Mcaffe]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[Virtual IPS]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=223</guid>
		<description><![CDATA[Virtualization is a top priority for most organizations today. Security of these virtualized environments should also be a top priority and in the Intrusion Prevention market most vendors are developing or have developed virtual or virtualized solutions. The terms virtual IPS and virtualized IPS have different meanings and I want to take some time to [...]]]></description>
			<content:encoded><![CDATA[
<p>Virtualization is a top priority for most organizations today. Security of these virtualized environments should also be a top priority and in the Intrusion Prevention market most vendors are developing or have developed virtual or virtualized solutions.</p>
<p>The terms virtual IPS and virtualized IPS have different meanings and I want to take some time to attempt to differentiate these terms. Most vendors have had virtual IPS for many years. Virtual IPS is the ability to apply different policies to certain types of traffic. This could be done using VLAN tags or physical interfaces. IBM does this using the Protection Domains feature, which allows a different policy to be deployed to different VLANs. McAfee does this by allowing different policies to be assigned to physical interfaces and can also support policies applied based on VLAN tags.</p>
<p>Virtualized IPS is what most of us think of today when we discuss virtualization. Virtualized IPS is an IPS appliance that runs in a virtual environment such as VMware, Xen or Microsoft&#8217;s Hyper-V. The IPS is installed as a virtual server and can be configured so that all server-to-server traffic inside and outside the virtual environment can be monitored by an IPS.</p>
<p>It is important to be clear on these differences in terminology because not all vendors have virtualized IPS and most salespeople will not know enough to properly answer the question, "Do you support virtualization?" Most will say yes, because they have heard their support teams talk about virtual IPS, not virtualized IPS. Virtualized IPS will continue to grow in importance and eventually all the major Intrusion Prevention vendors will have these offerings. Until then, do your homework and hold the vendors accountable.</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/virtual-ips-vs-virtualized-ips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Errors with McAfee Endpoint Encryption</title>
		<link>http://theipsguy.com/errors-with-mcafee-endpoint-encryption/</link>
		<comments>http://theipsguy.com/errors-with-mcafee-endpoint-encryption/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 23:00:10 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[Mcaffe]]></category>
		<category><![CDATA[EEPC]]></category>
		<category><![CDATA[Endpoint Encryption]]></category>
		<category><![CDATA[Mcafee]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=217</guid>
		<description><![CDATA[I have a client that is deploying McAfee Endpoint Encryption, formerly known as SafeBoot. The product integrates with Active Directory and the newest version can be managed through the ePO management console. Overall the product has experienced a number of problems. Most of these problems are documented and can be mitigated by defragmenting the disk [...]]]></description>
			<content:encoded><![CDATA[
<p>I have a client that is deploying McAfee Endpoint Encryption, formerly known as SafeBoot. The product integrates with Active Directory and the newest version can be managed through the ePO management console. Overall the product has experienced a number of problems. Most of these problems are documented and can be mitigated by defragmenting the disk or removing software that replaces the MSGINA, such as the HP Protect Tools.</p>
<p>The one problem that they have not been able to correct though is the "Sector Chain is Invalid" error. This error generally happens right after installation but can happen at any time. According to the support engineers I have spoken to, the machine is generally unable to be recovered! This is a serious problem that McAfee seems to not be addressing. They have said they are unable to replicate the problem but this issue has been brought up multiple times in different forums going back to 2008.</p>
<p>Come on, McAfee, you need to fix this problem. You supposedly have hundreds of thousands of customers and you make the encryption used by the HP Protect Tools. You can fix this and need to ASAP.</p>
<p>HP Forums</p>
<p><a title="http://bit.ly/dalIDD" href="http://bit.ly/dalIDD">http://bit.ly/dalIDD</a></p>
<p>McAfee Knowledgebase Article</p>
<p><a title="http://bit.ly/dCeL2q" href="http://bit.ly/dCeL2q">http://bit.ly/dCeL2q</a></p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/errors-with-mcafee-endpoint-encryption/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Intrusion Prevention Cabling</title>
		<link>http://theipsguy.com/intrusion-prevention-cabling/</link>
		<comments>http://theipsguy.com/intrusion-prevention-cabling/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 16:57:46 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>
		<category><![CDATA[Mcaffe]]></category>
		<category><![CDATA[intrusion prevention]]></category>
		<category><![CDATA[Mcafee IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=212</guid>
		<description><![CDATA[As a follow-up to my previous post on cabling an IPS, I have attached an example that I have seen successful. This example is specific to a McAfee M2750 device and assumes interfaces that are hard set. Note that the actual firewall and LAN switch are using straight cables and not cross-over. The only cross-over [...]]]></description>
			<content:encoded><![CDATA[
<p>As a follow-up to my previous post on cabling an IPS, I have attached an example that I have seen successful. This example is specific to a McAfee M2750 device and assumes interfaces that are hard set. Note that the actual firewall and LAN switch are using straight cables and not cross-over. The only cross-over is placed between the Fail-open kit and the IPS.</p>
<p><a href="http://theipsguy.com/wp-content/uploads/2010/03/Cabling.png"><img class="aligncenter size-medium wp-image-213" title="Cabling" src="http://theipsguy.com/wp-content/uploads/2010/03/Cabling-300x280.png" alt="" width="300" height="280" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/intrusion-prevention-cabling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Added Fortinet Visio Stencils</title>
		<link>http://theipsguy.com/added-fortinet-visio-stencils/</link>
		<comments>http://theipsguy.com/added-fortinet-visio-stencils/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 22:24:36 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=207</guid>
		<description><![CDATA[I have added Fortinet Visio Stencils. Fortinet is a company of great interest. The products range from client security to database security to traditional UTM-type devices and even vulnerability management. Originally they focused on small to mid-size companies but they have expanded into much larger enterprises including the U.S. Government. Based in Sunnyvale, [...]]]></description>
			<content:encoded><![CDATA[
<p>I have added Fortinet Visio Stencils. Fortinet is a company of great interest. <span id="more-207"></span>The products range from client security to database security to traditional UTM-type devices and even vulnerability management. Originally they focused on small to mid-size companies but they have expanded into much larger enterprises including the U.S. Government. Based in Sunnyvale, CA, they have offices all around EMEA and APAC. They seem to be gaining market share and should definitely be reviewed when considering IPS or UTM devices.</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/added-fortinet-visio-stencils/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Added Cisco Visio Icons and Stencils</title>
		<link>http://theipsguy.com/added-cisco-visio-icons-and-stencils/</link>
		<comments>http://theipsguy.com/added-cisco-visio-icons-and-stencils/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 14:29:18 +0000</pubDate>
		<dc:creator>theipsguy</dc:creator>
				<category><![CDATA[IPS]]></category>

		<guid isPermaLink="false">http://theipsguy.com/?p=201</guid>
		<description><![CDATA[I have added Cisco Visio Icons. This includes most of the Cisco products and not just the security-related icons. There are several .vss files as well as a PowerPoint document with lots of icons. Enjoy!]]></description>
			<content:encoded><![CDATA[
<p><a href="http://theipsguy.com/wp-content/uploads/2010/03/cisco.gif"><img class="aligncenter size-full wp-image-230" title="cisco" src="http://theipsguy.com/wp-content/uploads/2010/03/cisco.gif" alt="" width="110" height="73" /></a></p>
<p>I have added Cisco Visio Icons. This includes most of the Cisco products and not just the security-related icons. There are several .vss files as well as a PowerPoint document with lots of icons. Enjoy!</p>
]]></content:encoded>
			<wfw:commentRss>http://theipsguy.com/added-cisco-visio-icons-and-stencils/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
