McAfee IPS Beefs Up Reputation-Based Detection, Adds Virtualization Traffic Visibility

The latest version of McAfee's Network Security Platform intrusion prevention system (IPS) features enhanced reputation-based threat detection and the ability to analyze traffic between virtual machines. The new virtualization capability is enabled through a partnership with Reflex Systems, which provides products for traffic monitoring, policy enforcement and configuration management within virtual environments.

The improved reputation capability is particularly valuable for botnet detection, McAfee says, and incorporates IP address assessment based on more than 2 billion monthly queries. In the face of the explosive growth in unique malware, reputation evaluation based on Websites, files and IP addresses helps security vendors keep pace across their product lines, including anti-virus, e-mail, Web security gateway appliances, and services and intrusion prevention.

Perhaps even more important, reputation filtering reduces performance issues by offloading traffic that would otherwise undergo deep packet inspection on the IPS appliance. "The challenge of IPS is to do reputation-based detection before deep inspection to get its full benefit," says Gartner analyst Greg Young. "Ask your vendor if they are using reputation so it unloads IPS in addition to finding threats."

This approach is particularly valuable for companies with older IPS hardware that can't meet the performance requirements of inspecting heavy traffic loads, he says. In addition, larger security vendors have the advantage over smaller competitors because they can draw intelligence from a huge user base and have the resources to rapidly evaluate threats and provide up-to-date information on the current state of compromised Websites.

The new version also allows a port to be dedicated to redirect traffic for inspection and analysis by McAfee and third-party products, including data loss prevention, network forensics and advanced malware analysis tools. The partnership with Reflex Systems gives Network Security Platform access to virtual machines and the traffic between them while retaining the performance advantages of a hardware-based appliance. The new release uses a Reflex agent on the hypervisor to monitor VMs and feed traffic information to the McAfee appliance."We're trying to move as much as we can to a virtualized environment for ease of deployment and management," says Ken Owens, technical VP for security and virtualization at Savvis, provider of cloud, managed hosting, network and security services. "But, we realize that things like IPS and Web application firewalls require pretty advanced computational power."

He says the McAfee-Reflex approach is "state of the art" now for directing traffic from the VM layer to the IPS appliance, but he expects eventually to leverage the hosts in clusters to a more powerful solution." Savvis uses Reflex products to manage its virtual environment and is evaluating Network Security Platform because of the new virtualization capabilities.

Except for a handful of specialty vendors such as Reflex, Catbird, HyTrust and Altor Networks
(acquired by Juniper), security products have generally had very limited visibility inside virtual environments. Organizations that are concerned about unintentional movement of protected data can address most problems with good configuration control, says Gartner's Young, but that can become difficult.

"There's pressure to virtualize, but new servers can be spun up, and it's so easy to make changes," he says. "Being able to see the changes that compromise security policy can be really valuable for most complex data centers."

See more on this topic by subscribing to Network Computing Pro Reports Research: WAN Security (subscription required).