Security Basics mailing list archives
RE: Mcafee Intrushield Reviews
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 9 Feb 2005 09:55:08 -0500
Hi Stephane,

Albeit that the Intrushield probes and Intrushield Management software is a bit pricey, they get the job done.

Our telecommunications enterprise environment consists of a national WAN with 2x45 Mb pipes from our main datacenter to each large geographic region (8 in total), to which smaller satellite sites connect via redundant T1s to each of those regions. We are a Cisco shop and use EIGRP to route between all of the WAN sites. Next we have another 50+ sites connecting back to the datacenter via VPN and about 20 3rd party call-centers connecting directly via T1s. Within the corporate WAN we have roughly 10,000 workstations running Windows XP, 200 Windows 2000 servers, 150 Unix servers and then a mix of rogues and development environments that our desktop team doesn't manage. Given the number of PCs and the number of rogue devices (where viruses usually originate) we have had containment issues in the past whereby an outbreak has taken down essential WAN routers and rendered our satellite sites unreachable to enforce containment. The viruses would continue to propagate and those sites required manual intervention to recover (reboot routers, disconnect LAN switches, push ACLs, QoS).

We have been looking into Intrusion Prevention quite seriously in the last year and have just finished the evaluation of 3 top vendors (who, except for McAfee, will remain anonymous). During the evaluation period we replaced our existing SNORT probes with passive mode vendor probes for two weeks per vendor, enabled *ALL* of the vendor's signatures and then did a baseline of our environment, and after a week we turned on "simulated" blocking in one of our blocks and chose certain events that we would like to block. The McAfee products were a breeze to install and manage throughout the trial period and, unlike the other vendors, the hardware stayed up and was able to keep up with our gigabit core traffic without any packet loss.

Our final scoring of the product was quite high given the type of testing the probes underwent during the evaluation. Protocol analysis from layers 4-7 was very accurate and this was great in creating 0-day responses to new anomalies, worms or reactive blocking for bandwidth hogs on the network (namely p2p users). The configuration of the probes was simple, the management interface was very intuitive and quite informative, and the update process was very fast.

One of Intrushield's biggest advantages was the tuning of false positives using CIDR blocks, interface grouping and the ability to understand asynchronous traffic flows (through load-balanced firewalls). Within a week of learning and base-lining our environment, I had all probes tuned for our network and had grouped interfaces to capture and re-assemble protocol streams through the asynchronous blocks.

Since McAfee scored well on the RFI and during the evaluations, we have purchased the product. We are in the midst of deploying the smaller 1200 series probes inline at our 30 satellite WAN locations. We are also deploying various fiber 4000 series core probes inline as well as 100 Mb copper inline. One thing I can say is that McAfee has some incredible engineers that still continue to assist our deployment with as much fervor as they did during the evaluation (which is surprising given that a lot of vendors appease every whim during the eval of their products and tend to forget you after you've purchased).

I hope that gives you some insight into the product from a non-biased source.

Gary Freeman

********************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, do not read the contents and delete it immediately.
********************************************

-----Original Message-----
From: Stephane Auger [mailto:stephaneauger () pre2post com]
Sent: Thursday, October 21, 2004 4:46 PM
To: security-basics () securityfocus com
Subject: Mcafee Intrushield Reviews

Hey everyone,

I've been looking at many different network intrusion prevention systems, and recently attended a conference by Mcafee on their Intrushield product, which interests me a lot. Does anyone have any experience with them and can tell me if they're good/useful or not and whether they're easy or impossible to manage? With their price, I'd love to have some feedback first... thanks!

Stephane Auger
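The evaluation workflow Gary describes (enable every signature, baseline in passive mode, tune out false positives by CIDR block, then promote selected events from "simulated" to real blocking) is a decision process a defender can script against the baseline alert export. The following is an added illustration written for this archive page; it is not Gary's tooling, not McAfee or Intrushield code, and the alert line format, the signature names, the source addresses and the trusted-range policy are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline export (NOT real data): timestamp, signature, src, dst.
# In a real deployment this would be the passive-mode alert log from the
# baseline week, one alert per line.
BASELINE_ALERTS = """\
2005-02-01T09:00:01 P2P:BitTorrent-Handshake 10.20.5.17 203.0.113.9
2005-02-01T09:00:05 P2P:BitTorrent-Handshake 10.20.5.17 203.0.113.10
2005-02-01T09:01:12 WORM:Sasser-Probe 10.55.1.3 10.20.0.4
2005-02-01T09:01:13 WORM:Sasser-Probe 10.55.1.3 10.20.0.5
2005-02-01T09:02:00 SCAN:Vuln-Scanner-Sweep 10.1.1.50 10.20.0.0
2005-02-01T09:02:01 SCAN:Vuln-Scanner-Sweep 10.1.1.50 10.20.0.1
2005-02-01T09:03:30 HTTP:Long-URI 10.1.2.8 10.20.9.9
2005-02-01T09:04:00 WORM:Sasser-Probe 10.77.3.2 10.20.0.6
2005-02-01T09:05:00 HTTP:Long-URI 10.30.4.4 10.20.9.9
"""

# Assumed tuning policy (hypothetical): per-signature source CIDR blocks whose
# alerts are expected and therefore tuned out, plus a "*" entry that exempts a
# range from every signature (e.g. a development lab nobody wants auto-blocked).
TRUSTED_SOURCES = {
    "SCAN:Vuln-Scanner-Sweep": ["10.1.1.0/24"],  # authorised scanner VLAN
    "*": ["10.1.2.0/24"],                         # dev lab, never auto-block
}


def parse_alerts(text):
    """Parse the constructed whitespace-separated alert format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split()
        alerts.append({"ts": ts, "sig": sig,
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst)})
    return alerts


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def is_exempt(alert, trusted=TRUSTED_SOURCES):
    """True when the alert's source falls in a tuned-out CIDR block for this
    signature or in the global exemption list."""
    nets = _networks(trusted.get("*", [])) + _networks(trusted.get(alert["sig"], []))
    return any(alert["src"] in net for net in nets)


def triage(alerts, trusted=TRUSTED_SOURCES):
    """Per-signature counts split into exempt (tuned out) and actionable hits,
    plus the distinct actionable source addresses."""
    stats = defaultdict(lambda: {"exempt": 0, "actionable": 0, "sources": set()})
    for a in alerts:
        s = stats[a["sig"]]
        if is_exempt(a, trusted):
            s["exempt"] += 1
        else:
            s["actionable"] += 1
            s["sources"].add(str(a["src"]))
    return dict(stats)


def classify(alerts, trusted=TRUSTED_SOURCES, min_actionable=2):
    """Decide which signatures are ready to move from simulated to real
    blocking after the baseline week:
      block - enough actionable hits once trusted ranges are tuned out
      noise - every hit came from a trusted range; keep it simulated/alert-only
      watch - too few actionable hits to judge; leave in simulated mode"""
    verdict = {"block": [], "watch": [], "noise": []}
    for sig, s in sorted(triage(alerts, trusted).items()):
        if s["actionable"] >= min_actionable:
            verdict["block"].append(sig)
        elif s["actionable"] == 0:
            verdict["noise"].append(sig)
        else:
            verdict["watch"].append(sig)
    return verdict


if __name__ == "__main__":
    parsed = parse_alerts(BASELINE_ALERTS)
    for sig, s in sorted(triage(parsed).items()):
        print(f"{sig:28} exempt={s['exempt']} actionable={s['actionable']} "
              f"sources={sorted(s['sources'])}")
    print(classify(parsed))
```

The point of the per-signature exemption table is the one Gary makes about CIDR-based tuning: the scanner subnet legitimately trips the sweep signature, so those hits are excluded before any blocking decision, while the same signature would still be actionable from any other source. The `min_actionable` threshold is a stand-in for the judgement call made during the simulated-blocking week.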