McAfee® Host Intrusion Prevention 6.1 Product Guide
IPS Policies: Overview
Host and network IPS signature rules
Attacks can follow a signature, a recognizable pattern of characters. This signature can identify and
prevent malicious activity. For example, a signature is set to look for the string ../ in a
web URL. If the signature is enabled and the system encounters this string, an event
is triggered.
A signature-based approach, with both host and network IPS signatures, accounts for
the majority of detection schemes used in intrusion detection and is one mechanism
that Host Intrusion Prevention uses. A database of signature rules is installed with
every client and is updated as new attack types are discovered.
Signatures are categorized by severity level and by description of the danger an attack
poses. They are designed for specific applications and for specific operating systems.
The majority protect the entire operating system, while some protect specific
applications.
Host Intrusion Prevention offers mostly host IPS signatures, with a few additional
network IPS signatures.
HIPS
HIPS protection resides on individual systems such as servers, workstations, or
notebooks. The Host Intrusion Prevention client delivers protection by inspecting traffic
flowing into or out of a system and by examining the behavior of the applications and
operating system for attacks. When an attack is detected, the client can block it at the
network segment connection, or it can issue commands to the application or operating
system to stop the behavior initiated by the attack. For example, a buffer overflow is
prevented by blocking malicious programs inserted into the address space exploited by
the attack. Installation of back door programs through applications like Internet Explorer is
blocked by intercepting and denying the application’s “write file” command.
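The following added example is not code from the product guide or from McAfee; it models in Python the two rule styles described above. A network-style signature looks for the ../ pattern in a web URL, percent-decoding the URL first so that encoded spellings of the same pattern are compared in the same form, and a host-style rule intercepts a browser's "write file" request into a system directory and denies it. All rule ids, severities, process names, paths and sample events are constructed for illustration.

```python
"""Toy IPS rule engine (added illustration, not McAfee code).

Two rule styles from the guide are modelled:
  * a network-style signature that looks for a character pattern in a web URL
  * a host-style rule that inspects an application's "write file" request
All rule ids, severities, process names and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List
from urllib.parse import unquote


@dataclass
class Signature:
    sig_id: int                                   # constructed id
    description: str                              # describes the danger the rule covers
    severity: str                                 # constructed level: "High", "Medium", "Low"
    scope: str                                    # "network" or "host"
    matcher: Callable[[Dict[str, Any]], bool]     # returns True when the event matches
    action: str = "log"                           # "log" records an event, "block" also denies it
    enabled: bool = True                          # a disabled signature never fires


@dataclass
class Event:
    sig_id: int
    severity: str
    description: str
    blocked: bool
    detail: Dict[str, Any]


def normalize_url(url: str) -> str:
    """Percent-decode (twice, to cover double encoding) and unify slashes so that
    the plain pattern and its encoded spellings compare in the same form."""
    return unquote(unquote(url)).replace("\\", "/")


def url_contains(pattern: str) -> Callable[[Dict[str, Any]], bool]:
    """Network-style signature: a fixed character pattern in the request URL."""
    def match(ev: Dict[str, Any]) -> bool:
        return ev.get("kind") == "http" and pattern in normalize_url(ev["url"])
    return match


def file_write_by(process_names, protected_prefixes) -> Callable[[Dict[str, Any]], bool]:
    """Host-style rule: a named application tries to write under a protected path."""
    names = {n.lower() for n in process_names}
    prefixes = tuple(p.lower() for p in protected_prefixes)

    def match(ev: Dict[str, Any]) -> bool:
        return (ev.get("kind") == "file_write"
                and ev["process"].lower() in names
                and ev["path"].lower().startswith(prefixes))
    return match


# Constructed rule set: one network signature (the guide's "../" example) and one
# host rule modelled on the guide's "intercept the browser's write file command".
RULES: List[Signature] = [
    Signature(1001, "Directory traversal sequence in web URL", "High", "network",
              url_contains("../"), action="log"),
    Signature(2001, "Browser writes a file into a system directory", "High", "host",
              file_write_by({"iexplore.exe"}, ["C:\\Windows\\"]), action="block"),
]


def evaluate(event: Dict[str, Any], rules: List[Signature] = RULES) -> List[Event]:
    """Run every enabled rule against one event; each hit yields an Event."""
    return [
        Event(r.sig_id, r.severity, r.description,
              blocked=(r.action == "block"), detail=dict(event))
        for r in rules if r.enabled and r.matcher(event)
    ]


# Constructed sample events: one harmless request, a plain and an encoded traversal
# request, one system-directory write that should be denied, one ordinary download.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"kind": "http", "src": "10.0.0.5", "url": "/index.html"},
    {"kind": "http", "src": "10.0.0.5", "url": "/static/../../private.txt"},
    {"kind": "http", "src": "10.0.0.9", "url": "/static/%2e%2e/%2e%2e/private.txt"},
    {"kind": "file_write", "process": "iexplore.exe", "path": "C:\\Windows\\System32\\helper.dll"},
    {"kind": "file_write", "process": "iexplore.exe", "path": "C:\\Users\\alice\\Downloads\\report.pdf"},
]


def run(events=SAMPLE_EVENTS, rules=RULES) -> List[Event]:
    """Evaluate all events and return every triggered Event in order."""
    return [hit for ev in events for hit in evaluate(ev, rules)]


if __name__ == "__main__":
    for hit in run():
        verdict = "BLOCKED" if hit.blocked else "logged"
        print(f"sig {hit.sig_id} [{hit.severity}] {verdict}: {hit.description} <- {hit.detail}")
```

Running the block reports three hits: the two traversal requests (the encoded one only because the URL is normalized before matching) are logged, and the browser's write into the Windows directory is denied, while the ordinary download and the plain page request produce no event. The `enabled` flag mirrors the guide's point that a signature only triggers an event when it is enabled.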
Benefits of Host IPS
• Protects against an attack as well as the results of an attack, such as blocking a
  program from writing a file.
• Protects laptops against attack when they are outside the protected network.
• Protects against local attacks introduced by CDs, memory sticks, or floppy disks.
  These attacks often focus on escalating the user’s privileges to “root” or
  “administrator” to compromise other systems in the network.
• Provides a last line of defense against attacks that have evaded other security tools.
• Prevents internal attack or misuse on devices located on the same network
  segment.
• Protects against attacks where the encrypted data stream terminates at the system
  being protected by examining the decrypted data and behavior.
• Independent of network architecture; allows for protection of systems on obsolete
  or unusual network architectures such as Token Ring or FDDI.