Virtualization is a top priority for most organizations today. Security of these virtualized environments should also be a top priority and in the Intrusion Prevention market most vendors are developing or have developed virtual or virtualized solutions.

The terms virtual IPS and virtualized IPS have different meanings and I want to take some time to attempt to differentiate these terms. Most vendors have had virtual IPS for many years. Virtual IPS is the ability to apply different polices to certain types of traffic. This could be done using VLAN tags or physical interfaces. IBM does this using the Protection Domains feature which allows a different policy to be deployed to different VLAN’s. Mcafee does this by allowing different policies to be assigned to physical interfaces and can also support policies to be applied based no VLAN tags.

Virtualized IPS is what most of us think of today when we discuss virtualization. Virtualized IPS is an IPS appliance that runs in a virtual environment such as VmWare, Zen or Microsoft’s Hyper-V. The IPS is installed as a virtual server and can be configured so that all server to server traffic inside and outside the virtual environment can be monitored by an IPS.

It is important to be clear on these differences in terminology because not all vendors have virtualized IPS and most sales people will not know enough to properly answer the question, Do you support virtualization? Most will say yes, because they have heard their support teams talk about virtual IPS not virtualized IPS. Virtualized IPS will continue to grow in importance and eventually all the major Intrusion Prevention vendors will have these offerings. Until then do your homework and hold the vendors accountable.

I have a client that is deploying Mcafee Endpoint Encryption, formerly known as Safeboot. The product integrates with Active Directory and the newest version can be managed through the ePO management console. Overall the product has experienced a number of problems. Most of these problems are documented and can be mitigated by defragmenting the disk or removing software that replaces the MSGINA, such as the HP Protect Tools.

The one problem that they have not been able to correct though is the Sector Chain is Invalid error. This error generally happens right after installation but can happen at any time.  According to the support engineers I have spoken to the machine is generally unable to be recovered! This is a serious problem that Mcafee seems to not be addressing. They have said they are unable to replicate the problem but this issue has been brought up multiple times in different forums going back to 2008.

Come on Mcafee you need to fix this problem. You supposedly have hundreds of thousands of customers and you make the encryption used by the HP Protect Tools. You can fix this and need to ASAP.

HP Forums

http://bit.ly/dalIDD

Mcafee Knowledgebase Article

http://bit.ly/dCeL2q

As a follow up on my previous post on cabling an IPS I have attached an example that I have seen successful.This example is specific to a Mcafee M2750 device and assumes interfaces that are hard set. Note that the actual firewall and LAN switch are using Straight cables and not cross-over. The only cross-over is placed between the Fail-open kit and the IPS.

I now have available for download the Mcaffe and IBM/ISS Visio Stencils. You can find them on my download page. I hope to post more over the next few weeks. If you have some please send them to me.

IBM

Device

GX4004

GX5008

GX5108

GX5208

# of 10/100/1000 Mbps Network Segments Protected Inline

2

4

4

4

Throughput

200Mbps

400Mbps

1.2Gbps

2Gbps

# of 10Gbps Networks Protected

0

0

0

0

# of Virtual IPS Systems

0

0

0

0

Anomaly Detection

Coming

Coming

Coming

Coming

Integration with McAfee ePO for Combined Protection with McAfee Virus Scan and Spyware Protection

No

No

No

No

NAC

No

No

No

No

The Mcafee devices offer a greater number of monitoring ports as well as faster throughput. They are also adding more capabilities to their devices such as their NAC solution. As we have begun evaluating the Mcafee offering we feel there is going to be more integration that will result in a more integrated security system.

I have been looking at 10 gig solutions for IPS and I have to say there is a wide difference in the way the different vendors are doing this.

IBM
Network Security Controller allows for two 10 giga-bit networks to be connected in an active/passive configuration. You would then connect the copper IPS devices to the controller and the controller spreads the load among the connected IPS devices. This would provide IPS with the ability to inspect up to 10 gigabit of traffic assuming the IPS devices connected to it can inspect up to 10 gig. The GX6116 has an inspected throughput of 6 Gbps. IBM has no native 10 giga-bit interfaces on their IPS devices.

Mcafee
Mcafee offers two devices with 10 giga-bit interfaces. The M8000 has 12 10 giga-bit Ethernet ports and a maximum throughput of 10 Gbps, the M6050 has 8 10 giga-bit Ethernet ports with a maximum throughout of 5 Gbps.

Sourcefire
Sourcefire has the 3D9800 with four Fiber 10 Gbps interfaces with up to 10 Gbps line speed and the 3D9900 with 4 10 Gbps SR interfaces. The line speed is up to 10 Gbps.

TippingPoint
The TippingPoint Core Controller has six 10 Gbps Ethernet interfaces(3 segments). This is similar in design to the IBM solution. The controller distributes the load across the connected backend IPS devices. The total inspected bandwidth is dependant on the backend IPS devices.