McAfee Adds Virtual Network Traffic Analysis to Intrusion Prevention System

 
 
By Fahmida Y. Rashid  |  Posted 2011-04-12
 
 
 

McAfee has updated its intrusion prevention system to add network analysis capabilities to virtual machines and to improve its botnet detection capabilities. With the latest version of the Network Security Platform, administrators can use a single platform to monitor network traffic, regardless of the environment.

The latest Network Security Platform, at version 6, allows administrators to inspect network traffic within the virtual environment, physical network infrastructure and the traffic between the virtual machine and the underlying physical hardware, McAfee said April 12. McAfee also added enhanced botnet control and reputation analysis to give IT teams increased visibility into the network threats.

The virtual network traffic inspection features are available for customers running VMware-based virtual environments, Tyler Carter, product marketing senior group manager for network security at McAfee, told eWEEK. Support for Microsoft and Citrix virtual environments is currently under consideration.

The platform uses an agent-based software that McAfee licensed from OEM partner Reflex Systems. The agent runs on the VMware hypervisor, mirrors and collects traffic information, and transmits the mirrored data outside of the VM onto the hardware platform, Carter said. Since the network analysis is performed on the hardware, the individual virtual machine's processing power is not diverted.

As companies move more applications into the virtual environment, security management continues to be critical. IT teams need visibility over the whole infrastructure, regardless of the actual environment, Carter said. Network administrators get information about both virtual and physical servers in one place and doesn't have to toggle between two monitoring systems, Carter said.

McAfee also enhanced how botnets are detected and blocked in the latest version of the Network Security Platform by improving its reputation analysis engine. The platform regularly receives feeds containing file and network connection reputation information from McAfee's Global Threat Intelligence service.

The cloud-based service gives up-to-date malware information culled from more than 60 million malware samples and reputation data based on two billion IP reputation queries each month, according to McAfee. With this information, the system has the necessary context to detect botnet traffic from already compromised machines within the network as well as to prevent potential infection attempts.

Competing services tend to rely on signature-based scanning for intrusion-prevention which means they are not as quick in detecting the newest threats, Carter said. While McAfee uses signature scanning to some extent, the focus is on reputation data to identify recently compromised systems that may be sending malware. Instead of just saying a particular IP address is malicious and adding it onto a blacklist, McAfee performs the analysis to determine that the system's reputation is worse than it used to be, or better than it used to be, Carter said.

The platform's traffic-redirect capabilities allow security administrators to inspect a subset of the network traffic using other third-party tools. The security platform may flag some suspicious activity on the network that require additional inspection, or the IT team may decide that some traffic should undergo extra analysis. Administrators can add on data loss prevention, network forensics or advanced malware analysis tools to glean additional insights.

McAfee Network Security Platform used to be called the IntruShield IPS.

Rocket Fuel