The latest version of McAfee's Network Security Platform intrusion prevention system (IPS) features enhanced reputation-based threat detection and the ability to analyze traffic between virtual machines. The new virtualization capability is enabled through a partnership with Reflex Systems, which provides products for traffic monitoring, policy enforcement and configuration management within virtual environments.
The improved reputation capability is particularly valuable for botnet detection, McAfee says, and incorporates IP address assessment based on more than 2 billion monthly queries. In the face of the explosive growth in unique malware, reputation evaluation based on Websites, files and IP addresses helps security vendors keep pace across their product lines, including anti-virus, e-mail, Web security gateway appliances and services, and intrusion prevention.
Perhaps even more important, reputation filtering reduces performance issues by offloading traffic that would otherwise undergo deep packet inspection on the IPS appliance. "The challenge of IPS is to do reputation-based detection before deep inspection to get its full benefit," says Gartner analyst Greg Young. "Ask your vendor if they are using reputation so it unloads IPS in addition to finding threats."
This approach is particularly valuable for companies with older IPS hardware that can't meet the performance requirements of inspecting heavy traffic loads, he says. In addition, larger security vendors have the advantage over smaller competitors because they can draw intelligence from a huge user base and have the resources to rapidly evaluate threats and provide up-to-date information on the current state of compromised Websites.
The new version also allows a port to be dedicated to redirecting traffic for inspection and analysis by McAfee and third-party products, including data loss prevention, network forensics and advanced malware analysis tools. The partnership with Reflex Systems gives Network Security Platform access to virtual machines and the traffic between them while retaining the performance advantages of a hardware-based appliance. The new release uses a Reflex agent on the hypervisor to monitor VMs and feed traffic information to the McAfee appliance.