Security Basics mailing list archives

RE: Mcafee Intrushield Reviews


From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 9 Feb 2005 09:55:08 -0500

Hi Stephane,

Albeit that the Intrushield probes and Intrushield Management software
is a bit pricey, they get the job done.

Our telecommunications enterprise environment consists of a national WAN
with 2x45 Mb pipes from our main datacenter to each large geographic
region (8 in total) to which smaller satellite sites connect via
redundant T1s to each of those regions.  We are a Cisco shop and use
EIGRP to route between all of the WAN sites.  Next we have another 50+
sites connecting back to the datacenter via VPN and about 20 3rd party
call-centers connecting directly via T1s.  Within the corporate WAN we
have roughly 10,000 workstations running Windows XP, 200 Windows 2000
servers, 150 Unix servers and then a mix of rogues and development
environments that our desktop team doesn't manage.

Given the number of PCs and the number of rogue devices (where viruses
usually originate) we have had containment issues in the past whereby an
outbreak has taken down essential WAN routers and rendered our satellite
sites unreachable to enforce containment.  The viruses would continue to
propagate and those sites required manual intervention to recover
(reboot routers, disconnect LAN switches, push ACLs, QoS).

We have been looking into Intrusion Prevention quite seriously in the
last year and have just finished the evaluation of 3 top vendors (who,
except for McAfee, will remain anonymous).  During the evaluation period
we replaced our existing SNORT probes with passive mode vendor probes
for two weeks per vendor, enabled *ALL* of the vendor's signatures and
then did a baseline of our environment.  After a week we turned on
"simulated" blocking in one of our blocks and chose certain events that
we would like to block.

The McAfee products were a breeze to install and manage throughout the
trial period and, unlike the other vendors, the hardware stayed up and
able to keep up with our gigabit core traffic without any packet loss.

Our final scoring of the product was quite high given the type of
testing the probes underwent during the evaluation.  Protocol analysis
from layers 4-7 was very accurate and this was great in creating 0-day
responses to new anomalies, worms or reactive blocking for bandwidth
hogs on the network (namely p2p users).

The configuration of the probes was simple, the management interface was
very intuitive and quite informative, and the update process was very
fast.

One of Intrushield's biggest advantages was the tuning of false
positives using CIDR blocks, interface grouping and the ability to
understand asynchronous traffic flows (through load-balanced firewalls).
Within a week of learning and base-lining our environment, I had all
probes tuned for our network and had grouped interfaces to capture and
re-assemble protocol streams through the asynchronous blocks.

Since McAfee scored well on the RFI and during the evaluations, we have
purchased the product. We are in the midst of deploying the smaller 1200
series probes inline at our 30 satellite WAN locations.  We are also
deploying various fiber 4000 series core probes inline as well as 100 Mb
copper inline. One thing I can say is that McAfee has some incredible
engineers that still continue to assist our deployment with as much
fervor as they did during the evaluation (which is surprising given that
a lot of vendors appease every whim during the eval of their products
and tend to forget you after you've purchased).

I hope that gives you some insight into the product from a non-biased
source.

Gary Freeman


-----Original Message-----
From: Stephane Auger [mailto:stephaneauger () pre2post com] 
Sent: Thursday, October 21, 2004 4:46 PM
To: security-basics () securityfocus com
Subject: Mcafee Intrushield Reviews

Hey everyone,
 
  I've been looking at many different network intrusion prevention
systems, and recently attended a conference by Mcafee on their
Intrushield product, which interests me a lot.  Does anyone have any
experience with them and can tell me if they're good/useful or not and
whether they're easy or impossible to manage?  With their price, I'd
love to have some feedback first... thanks!
 
Stephane Auger

