0 Replies Latest reply: Feb 27, 2013 10:17 AM by svyazist2005 RSS

    Can McAfee NTBA T200 detect bot nets, worm attacks, or apply any other counter measures working only with Cisco ASA 5520 Netflow  source


      Hi Colleagues


      Please share with me your expirience on the listed topic


      Can McAfee NTBA T200 detect bot nets, worm attacks, or apply any other counter measures working only with Cisco ASA 5520 Netflow  source(without NSP sensor)?


      Also what features among the listed below will work for the described configuration?


      ∙ Detection of volume and threshold traffic anomalies in normal traffic within the network, and in

      incoming traffic after establishing a threshold profile. If traffic is attack traffic and the burst size

      exceeds the threshold, an alert is raised.

      ∙ Detection of behavioral anomaly and checks for generic behavioral violations.

      ∙ Detection of communication between hosts.

      ∙ Detection of worms, and SMTP botnets based on behavior analysis. The NTBA Appliance maintains profiles of cardinality for hosts, establishes the baseline for each parameter during a given period, and updates the average of parameters regularly. Worm outbreak detection is done by comparing the sample parameters with the baseline parameters.

      ∙ Detection of SMTP mail domain for mail sent from internal hosts and comparison of the same

      against configured mail domains.

      ∙ Detection of services, ports, protocols, and IP addresses.

      ∙ Detection of port scan/host sweep attacks through inspection of NetFlow packets. A mix of the

      source host address and destination port is used to key the scan entry. A scan entry times out after 5 seconds by default (configurable). Detection happens when the scan weight crosses a configured threshold. Monitoring and reporting unusual network behavior by analyzing the NetFlow traffic from NetFlow enabled switches/routers of vendors such as Cisco. Processing of enhanced NetFlow packets from IPS with Layer7 (L7) data without requiring SPAN traffic feed. IPS sends L7 data to the NTBA Appliance. The types of L7 data handled by the NTBA Appliance are FTP (Action, Banner, File Name, and User Name), HTTP (CLSID, Host Header, Request URI,  request User.Agent Header, and Server Type), NetBios (Action, and Filename), and SMTP (Attachment, Banner, From, and To). These are used in rules and are stored in the embedded database for forensic analysis. . Perform deduplication. User can choose to enable deduplication through the Manager. The NTBA Appliance checks each new flow and determines if it is a duplicate of an already existing conversation. The flow is processed based on the User setting. User can enable or disable Deduplication.

      • Allow security investigation and forensic analysis seamlessly for IPS events.
      • Check for compliance to the configured NTBA policies.
      • Provide an automated means through alerts and notifications of enforcing policies relating to
      • anomalies, worms, and botnets. This provides real.time protection in areas not covered by signature.based detection.
      • Perform forensic analysis based on past NetFlow data.
      • Identify hosts running non.standard applications and laptop users that generate the most IDS
      • events.
      • Answer many specific queries through various monitors in the Threat Analyzer of the Manager. For example, top N hosts, top N services, top N files, top N URLs, top N hosts, and host threat factor.
      • Apply communication rules to flows through policies. Communication rules for a policy can be

      applied to inbound, outbound, or bidirectional flows. They can match specific combination of

      application, service, CIDR block, file, and URL.

      • Maintain destination, services, and application information for every internal host.
      • Maintain Host Threat Factor with the following threat ranges:
      • Less than six (low/medium threat)
      • Greater or equal to six (high threat)
      • Greater or equal to nine (critical threat)
      • Keep track of the host name changes by refreshing host names at a specific time every day. If the
      • host name is changed, the NTBA Appliance automatically updates the host name to the new host name.
      • Do Application finger printing. Upto 134 applications can be detected.
      • Store data in an embedded database. The NTBA Appliance has an internal MySQL database, which is used to save NetFlow processed data. The database has different tables for capturing various types of NetFlow processed data such as conversation traffic, service traffic, traffic per host, per exporter, per service, per application, and per zone. The database is updated with NetFlow processed data by calling certain welldefined stored procedures.

      Provide realtime information through default, drill down, and custom monitors in the Threat Analyzer of the Manager