I am a new member to the community and have a question regarding McAfee's IPS. I will preface by saying that I have never deployed an IPS so I am not familiar with the behaviour. The question is, does the McAfee IPS log ALL traffic that traverses the device? i.e. would you be able to, similar to a firewall, see all traffic that traverses the device regardless of an active policy that permits or blocks?
The reason for my question is, I am currently evaluating a product and the only traffic that is seen in the log is traffic that has a policy created for it and has been triggered. So you won't see any traffic that does not have an associated policy. Is this normal? Is this how McAfee also handles traffic?
Any info that you can share to help would be appreciated.
This is the normal behaviour. Only traffic which triggers a policy which has "Send Alert to the manager" enabled will be logged. It is possible to add a custom attack which triggers on all traffic and enable alerting for that attack, but I don't know the performance impact on the sensors.
When you mention "custom attack" do you mean a rule that will match on ALL the predefined attacks on the McAfee IPS? If so, you will potentially miss traffic that doesn't fit into an attack category, i.e. if someone is just pinging from endpoint to endpoint. The ping poses no threat, so it won't be triggered and won't be logged.
I guess my thinking was to have the ability to see ALL the traffic (including policy matches), and if you wanted to create a policy based on what you see in your logs, then you could.
I understand the explanation of performance impact and it is a consideration.
I am curious why a Firewall would be able to log all traffic but the IPS not. Will have to read up more on IPS I guess.
You can add "custom attacks" in the policy section:
Clicking on the "Custom Attack Editor" button will launch the editor where you can add new rules:
By adding a "Snort Rule" you can make a new rule which will trigger on all traffic:
e.g. "alert tcp any any -> any any"
This attack will alert on all TCP traffic and therefore you will have the logs for all the TCP traffic. As stated before, I don't know the performance impact, and in addition I don't know if this has any impact on the other McAfee rules. I have never tried it myself, as we have other devices like firewalls which are directly connected to the IPS and therefore will log all traffic.
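An added example (my own, not code from the thread or from McAfee) that models the alert-only logging described in this thread: a minimal Snort-style rule-header matcher run over constructed sample packets, showing that "alert tcp any any -> any any" logs the TCP session but, as noted earlier about endpoint-to-endpoint pings, leaves ICMP unlogged until an icmp rule is added. The Packet class, the parser and the sample addresses are assumptions for illustration only.

```python
# Added example (not from the thread): a minimal Snort-style rule-header matcher
# showing what "alert tcp any any -> any any" would and would not log.
# Packets and rules below are constructed sample data, not captured traffic.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for protocols without ports (icmp)
    dst: str
    dport: int

def _match(rule_field: str, value) -> bool:
    # "any" matches everything; otherwise compare the exact value as a string.
    return rule_field == "any" or rule_field == str(value)

def parse_rule(rule: str) -> dict:
    # Snort rule header: action proto src sport direction dst dport [(options)]
    header = rule.split("(")[0].split()
    if len(header) != 7 or header[4] not in ("->", "<>"):
        raise ValueError(f"unsupported rule header: {rule!r}")
    return dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), header))

def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    forward = (_match(rule["src"], pkt.src) and _match(rule["sport"], pkt.sport)
               and _match(rule["dst"], pkt.dst) and _match(rule["dport"], pkt.dport))
    if forward or rule["dir"] == "->":
        return forward
    # "<>" rules also match the reverse direction
    return (_match(rule["src"], pkt.dst) and _match(rule["sport"], pkt.dport)
            and _match(rule["dst"], pkt.src) and _match(rule["dport"], pkt.sport))

def logged_packets(rules, packets):
    # Alert-only logging: a packet reaches the log only if some rule fires on it.
    parsed = [parse_rule(r) for r in rules]
    return [p for p in packets if any(rule_matches(r, p) for r in parsed)]

# Constructed sample traffic between two segments: one web session and one ping.
SAMPLE = [
    Packet("tcp", "10.1.0.5", 50123, "10.2.0.8", 80),
    Packet("tcp", "10.2.0.8", 80, "10.1.0.5", 50123),
    Packet("icmp", "10.1.0.5", 0, "10.2.0.8", 0),
]
TCP_ONLY = ["alert tcp any any -> any any"]
TCP_AND_ICMP = TCP_ONLY + ["alert icmp any any -> any any"]
```

Running `logged_packets(TCP_ONLY, SAMPLE)` returns only the two TCP packets; the ping appears only once the icmp rule is in the list.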
Thanks Cedric, I think that may be the answer. I understand the possible performance implications, but I had a curiosity to understand whether you can see ALL traffic in the logs if you wanted to, and from your response it appears that McAfee has that capability... using Snort.
We will have a scenario where the IPS sits on a network segment that is not inline with the Firewall, so I would be interested in seeing what other types of traffic pass between those 2 segments... which is why I posed the question.
I really appreciate the time taken to answer.
In case it helps to complement the answers provided here, a Firewall and an IPS work differently in terms of the way they permit/deny traffic. A Firewall works with a positive security model, which means that by default it blocks everything and permits certain traffic (think whitelisting), whereas an IPS works with a negative security model, where it permits everything by default and blocks certain traffic (think blacklisting).
Based on this, Firewalls log all traffic that traverses them because they HAVE to check certain information on it in order to permit it or deny it (source, destination, service, etc.) - that is the FUNCTION of a Firewall, whereas network IPS devices only check for specific traffic (malicious traffic) to block. This means that if a certain packet doesn't seem to be malicious (it doesn't match a signature, for instance) the analysis ceases and it is allowed to pass through, allowing other devices to do other checks on it, like a firewall or a web proxy for instance.
The Network IPS functionality is not to log all traffic on a network but to proactively block malicious traffic flowing through a network based on different engines like signatures or anomalies. It could, sure, as cedricr points out, but surely it would have a performance impact on the device, because it wasn't specifically built to perform such functionality.
If you want to log all traffic you should look into other technologies like a network analyzer or a SIEM.
Hope this helps a bit.
Slight disagreement with the above, in that firewalls don't tend to log *all* traffic (i.e. in a TCP session, it will log the initiation of the session, and possibly the closing, but not every single packet in the stream). Definitely agree however that capturing all traffic is not the intended purpose of either a firewall or nIDS/nIPS.
If you really want to capture *all* traffic, then depending on your network connections, you could configure a SPAN port on the switch connected to the sensor, and configure a SPAN destination going to a simple PC running Wireshark. If you are capturing in order to evaluate (i.e. "I am sending this traffic through and it should trigger an alert"), then apply a filter on Wireshark also, as depending on the link monitored, you could see a LOT of traffic.
If this doesn't help, could you expand on your specific requirements, or the reason behind those requirements - depending on this, the answers and feedback may differ.