453 Views 3 Replies Latest reply: Aug 27, 2013 1:13 PM by gfergus1
Tuan Doan Newcomer 9 posts since
Jul 31, 2013

Aug 26, 2013 6:57 AM

Some basic questions about NSP 7.5 !!!

I have just worked with McAfee Network Security Platform for a month. I have some questions about deployment of the Sensor IPS.

1) What happens if you deploy a port in In-line mode, interface type Dedicated, but your sensor is connected between two trunking ports of a switch? So then, what is the purpose of the Sub-interface VLAN?

2) When deploying the sensor for the first time, does the sensor not block or drop any traffic, and just drop when I configure a Response action?

Assume that I create a new Rule-set with all signatures & not using RFSB.

3) When monitoring traffic with Threat Analyzer, I saw some signatures are in the "Block Zone". Is it really blocked, or does McAfee just recommend blocking this attack?

I got some McAfee documents but I am still confused about that. Please help me, thanks a lot.

  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    1. Aug 26, 2013 12:26 PM (in response to Tuan Doan)
    Re: Some basic questions about NSP 7.5 !!!

    1) The sensor will scan the traffic going across the physical port regardless of whether it is VLAN tagged or trunked. If you would like to individually identify which VLAN is triggering the alert you can configure a sub interface for each VLAN, but this is not required.

     

    2)  You are correct that the rule-set of the policy determines the default options for blocking.  If you use the default IDS policy the sensor is doing inspection and auditing/alerting only.  If you choose default IPS then the sensor has recommended for safe blocking enabled and will block high confidence attacks.

     

    You can create your own or clone one of the default if you wish, or use one of the defaults.

     

    3)  The 'block zone' is an overview that McAfee Labs uses to give a recommendation of what attacks should be blocked.  The ruleset determines whether or not blocking is enabled by default for attacks that have the RFSB option.

  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    3. Aug 27, 2013 1:13 PM (in response to Tuan Doan)
    Re: Some basic questions about NSP 7.5 !!!

    By default the DoS detection is in an audit/alert only setup. If you wish to have blocking for DoS attacks, that must be turned on.
