McAfee IntruShield 4000
March 25, 2004
Network Associates, Inc.
Product:
- McAfee IntruShield 4000 Appliance - $99,995
- McAfee IntruShield Starter Manager Software - $0
- PC for McAfee IntruShield Starter Manager - $3,000 (approximate cost)
- Optional redundant hot-swappable power supply for IntruShield 4000 - $2,495
Strengths: Up to 2Gbps throughput; Virtual IDS provides incredible flexibility; powerful analysis capabilities; flexible deployment.
Weaknesses: Better search facility required in the Policy Editor.
Verdict: The admin domains and user roles make it easy to delegate the most fine-grained control across the largest organization. The rule-based policy definition makes it easy to define complex policies, which can then be rolled out to a single sensor or the entire network by simply allocating the policies at the appropriate level in the Resource Tree. And once the policies have been applied, the alert handling and forensic analysis capabilities are incredibly powerful and flexible.
Built on standard and custom-designed processors, the NAI IntruShield system is a high-performance appliance that offers real-time network intrusion detection and prevention for enterprise networks, covering known and unknown attacks as well as denial-of-service (DoS) attacks.
IntruShield enables network attack detection and prevention at up to 2Gbps, and is capable of operating in-line, or as a passive IDS, or both at the same time using different ports in the same appliance.
Overall, the performance of the I-4000 is very impressive, combining near-perfect security effectiveness with excellent latency under normal traffic loads. With the latest software update, we found the IntruShield handled our demanding extended false-positive, false-negative and evasion tests easily, without blocking any legitimate traffic or succumbing to common evasion techniques.
Management of the IntruShield system benefits from the company being a relative newcomer to the IDS/IPS market place and therefore learning from the mistakes of others. The admin domains and user roles make it easy to delegate the most fine-grained control across the largest organization, while the rule-based policy definition makes it easy to define complex policies that can be rolled out to a single sensor or the entire network at the click of a mouse. Once the policies have been applied, the alert handling and forensic analysis capabilities are incredibly powerful and flexible.
One unique feature is the Virtual IDS capability, which enables the administrator to apply separate policies down to the individual host level if required.
Performance at all levels of our load tests was impeccable, with 100 percent of attacks being detected and blocked under all load conditions. For normal network conditions, we rate the IntruShield I-4000 as a true 1Gbps device (the device actually supports up to 2Gbps).
Latency figures were excellent under normal network conditions, and always under one millisecond. A significant increase in latency figures was noted when the device was under heavy SYN flood attack, though the attack was mitigated successfully. During eight hours of extended attack, it passed legitimate traffic while blocking attack traffic consistently.
Signature recognition and blocking performance was excellent. Accuracy was high in terms of the types of alerts raised, although the descriptions are sometimes "generic," with several alerts raised for the same exploit. This can necessitate some investigation to determine the exact exploit detected.
The IntruShield I-4000 also performed extremely well in all of our evasion tests. It was one of the few products to have a clean sheet in this section of the test plan following the signature pack update.
The Manager Server and Console have been designed to handle large distributed deployments, and they contain several useful features to make this type of deployment easier to handle. To begin with, the ability to define up to 1,000 Virtual IDS across the four ports and assign an individual policy to each of them makes this one of the most flexible systems we have seen. That flexibility is boosted by the fact that each port or port pair can be configured in different ways – in "traditional" SPAN mode, in tap mode, or in in-line mode for ultimate protection. Ports can be grouped together as a port cluster and the traffic aggregated across them. The Virtual IDS capability is unique and impressive in operation.
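The review describes policies being allocated at any level of the Resource Tree (entire network, sensor, port, Virtual IDS, individual host), with the most specific allocation taking effect. The following is an added illustrative model of that inheritance, not IntruShield code or its API; the path layout, policy names and signature IDs are constructed assumptions.

```python
"""Model of hierarchical policy allocation down a Resource Tree.

Constructed example, not vendor code. Nodes are addressed by slash paths
such as "corp/dmz-sensor/1A/vids-web/10.0.0.5" (admin domain -> sensor ->
port -> Virtual IDS -> host); "" is the root, i.e. the entire network.
A node with no policy of its own inherits the nearest ancestor's policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    blocked_sigs: FrozenSet[int]  # signature IDs this policy blocks (constructed)


class ResourceTree:
    def __init__(self) -> None:
        # Only explicitly allocated policies are stored; everything else inherits.
        self._policies: Dict[str, Policy] = {}

    def allocate(self, path: str, policy: Policy) -> None:
        """Allocate a policy at any level, from root ("") down to a single host."""
        self._policies[path] = policy

    def effective_policy(self, path: str) -> Optional[Policy]:
        """Walk from the node toward the root; the most specific allocation wins."""
        parts = path.split("/") if path else []
        for depth in range(len(parts), -1, -1):
            candidate = "/".join(parts[:depth])
            if candidate in self._policies:
                return self._policies[candidate]
        return None

    def decide(self, path: str, sig_id: int) -> str:
        """Return "block", "allow" or "no-policy" for a signature hit at this node."""
        policy = self.effective_policy(path)
        if policy is None:
            return "no-policy"
        return "block" if sig_id in policy.blocked_sigs else "allow"


def build_demo_tree() -> ResourceTree:
    """Network-wide default, a stricter sensor-level policy, one host exception."""
    tree = ResourceTree()
    tree.allocate("", Policy("default", frozenset({1001, 1002})))
    tree.allocate("corp/dmz-sensor", Policy("dmz-strict", frozenset({1001, 1002, 1003})))
    tree.allocate("corp/dmz-sensor/1A/vids-web/10.0.0.5",
                  Policy("host-exception", frozenset({1001})))
    return tree
```

Allocating at the root rolls a policy out to every sensor at once, while the host-level entry overrides it for a single address without touching the rest of the Virtual IDS.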
The GUI and Manager Server need work – the product still lacks a seamless alert archiving facility (in development), and there are bugs in its incident generation and viewing tools. The Policy Editor could also be improved with a search facility to make it easier to find multiple signatures when applying bulk changes.
In general, the GUI is attractive and relatively easy to use. The alert handling capabilities are extremely comprehensive and easy to use once the interface has been mastered. The latest release has included a window manager to help control the numerous windows that can be spawned when mining data in the Alert Viewer.