I have just worked with Mcafee Network security platform for a month. I have some questions about deployment of Sensor IPS .
1) what happen if you deploy Port in In-line mode , Interface type Dedicated , but your sesor connect between two trunking Portsof Switch ? Sothat , what is purpuse of of Sub-interface VLan ?
2) when deploying sensor at firstntime, does sensor not blocking or droping any traffic, it just drop when i comfigure Response action. ??
Asume that I create new Rule-set with all signature $ not using RFSB.?
3) when monitoring traffic with Threat Analyzer , i saw some signatures is in " Block Zone ", is it realy is blocked or just Mcafee recommend to block this attack ?
I got some Mcafee documents but i still confuse about that. Please help me , thanks a lot.
1) The sensor will scan the traffic going across the physical port regardless of whether it is vlan tagged or trunked. If you would like to individually identify which vlan is triggering the alert you can configure a sub interface for each vlan, but this is not required.
2) You are correct that the rule-set of the policy determines the default options for blocking. If you use the default IDS policy the sensor is doing inspection and auditing/alerting only. If you choose default IPS then the sensor has recommended for safe blocking enabled and will block high confidence attacks.
You can create your own or clone one of the default if you wish, or use one of the defaults.
3) The 'block zone' is an overview that McAfee Labs uses to give a recommendation of what attacks should be blocked. The ruleset determines whether or not blocking is enabled by default for attacks that have the RFSB option.
thank for your answer. That is very helpful for me. But i still confuse , asume that IPS sensor doesn't block any traffic match Attack, but how about DoS/DDoS prevention, it automatically learning, after 48 hours, it changes to Detection and begin block traffic which is DoS Attack. Sothat, how to know when it block & configure to permit any any traffic. Because , I think DoS/DDoS prevention of Mcafee IPS sensor is automatically working without any configuration.
Please help me, thank a lot . I want to make surre because I am doing PoC IPS for my customer , but my customer's traffic is so complex, with many traffic type, many source address..