
White Paper February 2005

McAfee Network Protection Solutions

Host and Network Intrusion Prevention


Competitors or Partners

www.mcafee.com

Introduction 3
The Need for IPS 3
Intrusion Prevention Overview 3
Host IPS 4
Benefits of Host IPS 4
Network IPS 4
Benefits of Network IPS 5
The Benefit of Overlapping and Integrated Technologies – Network Associates Intrusion Prevention 5
Entercept Host IPS 6
Agents 6
Management System 6
Strengths of Entercept Host IPS 7
IntruShield Network IPS 7
IntruShield Manager 9
Strengths of IntruShield Network IPS 9
Key Selection Considerations 10
Threat Effectiveness 10
Implementation Considerations 10
Conclusion 11


Introduction
Intrusion Prevention Systems are designed to protect information systems from unauthorized access, damage or disruption. Vendors have developed IPS to counteract the rapidly evolving threats presented by the latest generation of worms and of software and network exploits.
As the number and frequency of threats has increased, the growing complexity of the network environment has made mitigation of these threats harder to achieve. Modern networks have evolved to distribute critical information and services to an ever-expanding group of users. The need for access to these critical services has led to redundant communication links, wireless networks, mobile notebook computers, handheld digital devices, even internet-enabled cellular phones. These new access technologies and links increase the value of the information systems they support, but at the same time provide more paths for attack and compromise.
This paper will address the need for Intrusion Prevention Systems, explore the two most popular IPS architectures and try to provide insight into the selection and use of these systems.

The Need for IPS


As hacker attacks and network worms began to appear in the late 1990s, Intrusion Detection Systems were developed to identify and report attacks to corporate security personnel for manual remediation. Traditional Intrusion Detection technologies do nothing to stop an attack; they simply detect hostile traffic and send alerts. As the level of threats and the size of IDS deployments increased, the amount of time needed to analyze and respond to IDS output became prohibitively large. The evolution of new hybrid attacks that use multiple vectors to breach the security infrastructure highlighted the need for the enterprise to defend itself against a constantly shifting threat. Organizations have suffered catastrophic damage to the confidentiality, integrity and availability of their business as intrusions have become more virulent. In a matter of minutes, Fortune 500 companies suffered millions of dollars of lost revenue as production lines went dark and order taking and fulfillment processes came to a halt because of attacks like Sasser, SQL Slammer or Nimda. Traditional firewall and anti-virus solutions, while valuable, cannot address the new generation of threats. A solution was needed that proactively protects vital information assets in a timely manner, without waiting for new signatures to be created and distributed.

Intrusion Prevention Overview


For the purposes of this paper, we will define an Intrusion Prevention System as a system that protects the following:

Confidentiality—The confidentiality of information stored in electronic format on a computer system from unauthorized viewing or copying. Threats include back-door programs, keyboard-logging programs and similar tools designed to give unauthorized personnel access to information.

Integrity—The integrity of information stored in electronic format on a computer system from unauthorized alteration or modification. Threats include back-door programs, network worms etc. that are designed to alter or erase information.

Availability—The availability of a computing resource, network, system etc., or of information stored in electronic format on such a system or network, for use by authorized personnel. Threats include Denial of Service attacks and back-door programs that allow the use of resources by non-authorized personnel for non-authorized purposes.

There are currently two basic approaches to achieving the goals outlined above.

Host Intrusion Prevention—A software system that loads directly on the computer system being protected.

Network Intrusion Prevention—A software or dedicated hardware system that connects directly to a network segment and
protects all of the systems attached to the same or downstream network segments.


Both of these approaches have their strengths and their weaknesses and are better at protecting against some types of
threats than others. Both architectures provide the protection features outlined above to varying degrees. Due to the dynamic
nature of network intrusion threats, deploying a mixture of both technologies will provide the greatest level of protection for
critical assets.

Host IPS
Host IPS is a software program that resides on individual systems such as servers, workstations or notebooks. Traffic flowing into or out of that particular system is inspected, and the behavior of the applications and operating system may be examined for indications of an attack. These host-specific programs or “agents” may protect just the operating system, or applications running on the host as well (such as web servers). When an attack is detected, the Host IPS software either blocks the attack at the network interface level, or issues commands to the application or operating system to stop the behavior initiated by the attack. For example, buffer overflow attacks may be prevented by prohibiting execution of the malicious code that the exploit inserted into the application's address space. Attempts to install back-door programs via applications like Internet Explorer are blocked by intercepting and denying the “write file” request issued by IE.

Benefits of Host IPS


• Software installed directly on the system protects not just against the attack, but against the results of an attack, such as blocking a program from writing a file, blocking the escalation of a user's privileges etc.

• Protects mobile systems from attack when attached outside the protected network. Roaming laptop computers are a primary vector for introducing worms into a protected network. Carrying a Network IPS with the mobile system is not a practical solution.

• Protects against local attacks. Personnel with physical access to a system can launch local attacks by executing programs introduced via CD, floppy disk etc. These attacks often focus on escalating the user's privileges to “root” or “administrator” to facilitate compromise of other systems in the network.

• Provides a “last line of defense” against attacks that have evaded other security tools. The potential victim system itself is the last defense point available to security personnel to guard against system compromise.

• Prevents internal attack or misuse between devices located on the same network segment. Network IPS only provides protection for data moving between different segments, so attacks launched between systems located on the same segment can only be countered with Host IPS.

• Protects against encrypted attacks where the encrypted data stream terminates at the system being protected. Host IPS examines data and/or behavior after the encrypted data has been decrypted on the host system.

• Independent of network architecture; allows for protection of systems located on obsolete or unusual network architectures such as Token Ring, FDDI etc.

Network IPS
Network IPS devices are deployed in-line with the network segment being protected. All data that flows between the protected segment and the rest of the network must pass through the Network IPS device. As the traffic passes through the device, it is inspected for the presence of an attack. Attack detection mechanisms vary between systems, but the most accurate systems integrate several techniques to achieve very high levels of confidence in the detection of attacks and misuse. Extreme accuracy and high performance are crucial to an effective system: misidentifying legitimate traffic as an attack causes that traffic to be blocked, which is, in essence, a self-inflicted “Denial of Service” condition, and high performance is necessary to ensure that legitimate traffic is not delayed or disrupted as it flows through the device. When an attack is identified, the Network IPS discards or blocks the offending data before it reaches the intended victim, thus blocking the attack.


Benefits of Network IPS


• A single control point for traffic can protect thousands of systems located “downstream” of the device. This allows an organization to scale its solution quickly and provides the flexibility needed to respond to constant changes in network architecture.

• Easy deployment, as a single sensor can protect hundreds of systems. Deploying a few, to a few dozen, sensors requires significantly less time and effort than distributing software to hundreds or thousands of systems.

• Provides a broader view of the threat environment, such as scans, probes and attacks against assets that are not host systems. By working at the network level, Network IPS provides a broader view of the threat environment than a host-based product. Having a strategic vision of the threat environment allows security management to proactively adapt to a changing security landscape.

• Protects non-computer network devices. Not all attacks are directed against systems that run operating systems supported by host-based IPS; routers, firewalls, VPN concentrators, print servers etc. are all vulnerable to attack and require protection.

• Platform neutral. Protects legacy and unusual operating systems and applications. Host IPS agents are not available for every system that might be present in an organization; Network IPS provides a measure of protection for all devices, no matter what the operating system or application.

• Protects against network DoS and DDoS attacks, bandwidth-oriented attacks, SYN floods etc. A common form of attack is to flood a network with irrelevant traffic that denies or degrades the network for authorized users. Working at the network level allows a Network IPS to protect against these types of attacks.

To summarize, Intrusion Prevention technology is the only proven protection for the sophisticated threats encountered in today's network environments. No organization today would consider running its networks and systems without perimeter and personal firewalls. Intrusion Prevention technology is the logical successor and complement to traditional network and host firewalls, and has been developed to provide the protection that simple firewalls can no longer deliver. Organizations that are serious about security are rapidly adopting this latest tool to keep up with the frantic pace of change.

The Benefit of Overlapping and Integrated Technologies – Network Associates Intrusion Prevention
Combining “Best of Breed” Host and Network IPS technology results in a more comprehensive and robust defensive posture, meaning fewer successful attacks, more efficient use of scarce security resources and lower operating costs than simply deploying one technology or the other.

An intrusion or compromise consists of multiple stages: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks. Although both Host and Network IPS have the ability to prevent each stage, the two technologies are not equally adept at detecting and blocking each stage. Integrating the strengths of each architecture provides a solution whose sum is greater than its parts. By deploying complementary, integrated “Protection-in-Depth” technologies like McAfee Network and Host IPS, organizations can achieve superior protection at a reasonable cost.

[Figure: Integrated IPS Deployment. Labels in the diagram: Remote Users, Firewall, DMZ, Switch, Web Server (Public), IntruShield Global Manager, Switch, File Server, Engineering Servers, Customer DB (Private). Caption: A single, centralized console displays all alerts, both HIPS and NIPS.]


Entercept Host IPS


McAfee® Entercept® delivers patented host intrusion prevention for critical servers, desktops, database servers and web
servers. It protects critical systems against the constantly evolving threats facing organizations today, detecting and blocking
known and unknown attacks with its award-winning technology. Centrally managed agents reside on each host and actively
enforce default or custom policies, preventing malicious activity from compromising the integrity and confidentiality of the
systems and the data that resides on those systems.

Agents
There are three versions of McAfee Entercept agents:

• Standard Edition—for critical servers and desktops

• Database Edition—for databases servers


• Web Server Edition—for web servers

Each agent utilizes a unique combination of behavioral rules, signatures and a process firewall to detect and block attacks with unmatched accuracy:

Behavioral Rules—Evaluate requests to the operating system or applications before they are processed by the host, thus protecting systems against unknown or zero-day attacks that target new vulnerabilities for which there is no patch.

Signatures—Intercept known hostile content in the data and eliminate dangerous payloads before they are processed by the host.

Process Firewall—Blocks requests for applications and services, into or out of the host; blocks specific attacks at the network level before they are processed by the host; blocks the IP address of an attacker inside or outside of the perimeter.

McAfee Entercept Database and Web Server agents are the only Host Intrusion Prevention solutions with application-specific
content interception engines that detect and block malicious activity before it can affect operating systems, applications or
data.
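As an added illustration of the three layers just described, and of the Internet Explorer “write file” interception in the Host IPS section earlier, here is a small policy engine in Python. It is not Entercept code and not from McAfee: it evaluates constructed OS-level events against behavioral rules, one signature and a process-firewall rule, and decides allow or block before the host acts on the request. The event fields, process names, rule names and sample events are assumptions made for the example.

```python
# Added example (not Entercept or McAfee code): a miniature host IPS policy
# engine that evaluates intercepted requests against behavioral rules, a
# signature and a process-firewall rule before the host acts on them.
# Event fields, rule names, process names and sample events are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    """One intercepted request, seen before the OS or application processes it."""
    process: str          # image name of the requesting process
    op: str               # write_file | exec | connect | setuid | recv
    target: str           # path, child image, "proto:host:port" or uid
    user: str = "user"
    data: bytes = b""     # inbound payload for recv events


@dataclass
class Rule:
    name: str
    layer: str            # behavior | signature | process_fw
    match: Callable[[Event], bool]


def _matches_any(path: str, patterns: List[str]) -> bool:
    return any(fnmatch(path.lower(), p) for p in patterns)


# Behavioral rule: a browser has no reason to drop executables into system or
# startup directories (the "write file" interception described above).
def browser_drops_executable(e: Event) -> bool:
    return (e.op == "write_file"
            and e.process.lower() in {"iexplore.exe", "firefox.exe"}
            and _matches_any(e.target, ["*.exe", "*.dll", "*.scr"])
            and _matches_any(e.target, ["c:\\windows\\*", "*\\startup\\*"]))


# Behavioral rule: a server process spawning a shell is the post-overflow step
# of most remote exploits, whatever vulnerability was used to get there.
def server_spawns_shell(e: Event) -> bool:
    return (e.op == "exec"
            and e.process.lower() in {"inetinfo.exe", "sqlservr.exe", "httpd"}
            and _matches_any(e.target, ["*cmd.exe", "*/sh", "*/bash"]))


# Behavioral rule: an unprivileged user becoming uid 0 through anything other
# than the sanctioned setuid helpers is a local privilege escalation.
def unauthorized_setuid_root(e: Event) -> bool:
    return (e.op == "setuid" and e.target == "0" and e.user != "root"
            and e.process.lower() not in {"su", "sudo", "login"})


# Signature: known hostile content in inbound data. A long NOP sled stands in
# here for a real exploit signature.
def known_payload(e: Event) -> bool:
    return e.op == "recv" and b"\x90" * 32 in e.data


# Process firewall: a database or web server never needs to initiate outbound
# connections; a worm propagating from it does.
def server_initiates_outbound(e: Event) -> bool:
    return e.op == "connect" and e.process.lower() in {"sqlservr.exe", "inetinfo.exe"}


POLICY: List[Rule] = [
    Rule("browser-drops-executable", "behavior", browser_drops_executable),
    Rule("server-spawns-shell", "behavior", server_spawns_shell),
    Rule("unauthorized-setuid-root", "behavior", unauthorized_setuid_root),
    Rule("known-payload", "signature", known_payload),
    Rule("server-outbound-connect", "process_fw", server_initiates_outbound),
]


def evaluate(e: Event, policy: List[Rule] = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("block", rule_name) for the first matching rule, else ("allow", None).
    The default is allow: an IPS must let normal operation through untouched."""
    for rule in policy:
        if rule.match(e):
            return "block", rule.name
    return "allow", None


# Constructed sample events: benign and hostile requests for each layer.
SAMPLE_EVENTS = [
    Event("iexplore.exe", "write_file", r"C:\Documents and Settings\user\My Documents\report.doc"),
    Event("iexplore.exe", "write_file", r"C:\WINDOWS\system32\svchost32.exe"),
    Event("inetinfo.exe", "exec", r"C:\WINDOWS\system32\cmd.exe"),
    Event("sqlservr.exe", "connect", "udp:10.9.8.7:1434"),
    Event("sqlservr.exe", "recv", "udp:1434", data=b"\x04" + b"\x90" * 64 + b"\xcc" * 8),
    Event("exploit", "setuid", "0", user="alice"),
    Event("su", "setuid", "0", user="alice"),
]


def audit(events: List[Event] = SAMPLE_EVENTS) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run every event through the policy; returns (process, op, decision, rule)."""
    return [(e.process, e.op) + evaluate(e) for e in events]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Two design points carry over to real agents. The default verdict is allow, because a host IPS that breaks legitimate operation gets uninstalled. And each rule is phrased in terms of what the process is trying to do, not which exploit it is running, which is why the same rule stops a zero-day overflow and a long-patched one alike; only the signature layer depends on knowing the payload in advance.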

Management System
The McAfee Entercept Management System centrally manages up to 5,000 Standard, Database or Web Server agents per management server. The Management System enables enterprises to import and export configurations across multiple management servers and to enforce security configurations and policies across applications, user groups and agents, significantly decreasing the cost of installing and maintaining large deployments. McAfee Entercept enables deployment of a single set of policies across Windows, Solaris and HP-UX platforms, enabling consistent, reliable host security for today's heterogeneous server environments.

The Entercept Alert Management system is integrated with the IntruShield Management server and forwards alerts to
IntruShield for centralized integration and correlation of all security incidents detected by the Entercept Agents. Integrating
these two powerful systems enhances the productivity of the Security staff and provides unparalleled threat management
capability with the lowest investment of critical talent and resources.


Strengths of Entercept Host IPS


Application Shielding—McAfee Entercept Web Server Edition and Database Edition provide shielding for specific
applications like IIS, Apache and MS SQL 2000. Protection tailored to the specific application provides the most
comprehensive protection available.

Architectural Independence—Not all network architectures allow for easy monitoring of all connections to and from critical systems. McAfee Entercept resides on the critical hosts so that it can analyze threats to that machine, regardless of the make-up of the network or what route the attack took.

Local Attacks—Host IPS can block an attacker who has physical access to a server and is trying to perform a
privilege escalation or other type of attack on the machine. A Network IPS would never ‘see’ this type of attack.

Not evaded by encrypted attacks—Entercept defends critical systems when the attacks are contained within
encrypted protocols that terminate at the host itself. Entercept inspects data and behavior after it has been decrypted
on the system to guard against all types of encrypted attacks.

Protecting mobile machines—Entercept protects mobile users if they are communicating over a network that does
not have a Network IPS sensor or firewall. With the increase in mobile workers and home offices, security cannot be
restricted to the physical networks at the main organizational locations.

Optimized for unique host environments—Since Entercept is written for the specific platform and application, it
allows for more powerful and granular security policies, enabling unique policy configuration and enforcement for
every system.

Powerful Buffer Overflow Protection—Entercept’s powerful ‘generic’ buffer overflow protection provides
unsurpassed detection and blocking of unknown or zero-day attacks.

Last Line of Defense—Because it resides locally, Entercept is ideal for protecting applications and preventing them
from performing actions out of the bounds of their design. System shielding provides a protective envelope of
operation that prevents both outside penetration and malicious use of the system, preventing those attacks that have
bypassed other security tools from successfully executing.

Examples of attacks that only Host IPS can detect and block:

• Local Privilege Escalation Attacks- http://www.isec.pl/vulnerabilities/isec-0013-mremap.txt

• Client Side Attacks- http://archive.infoworld.com/articles/op/xml/00/07/17/000717opswatch.xml

IntruShield Network IPS


McAfee® IntruShield ® delivers “Best of Breed” Network Intrusion Prevention for all resources located on a network. It protects
network infrastructure and critical systems against the constantly evolving threats facing organizations today, detecting and
blocking known and unknown attacks with its award-winning technology. Centrally managed hardware sensors are deployed in
the network and actively enforce default or custom policies, preventing malicious activity from compromising the confidentiality,
integrity and availability of the network.

There are 3 models of IntruShield sensor available.

I4000: Provides protection for the Enterprise core with throughput of 2 Gbps with all protection features enabled. The sensor
protects two Gigabit network segments


I2600: Provides protection for the Enterprise perimeter with throughput of 600 Mbps with all protection features enabled. Protects three 100BaseT segments or one lightly loaded Gigabit network segment.

I1200: Protects the branch office or small business perimeter with 100 Mbps throughput and protection for one 100BaseT segment.

IntruShield sensors are designed from the ground up to provide the most accurate and powerful Network IPS functionality. The sensor incorporates multiple high-performance processing elements and programmable gate arrays that work in concert to provide unparalleled accuracy with wire-speed performance at up to 2 Gbps. IntruShield integrates advanced protocol normalization and anomaly detection, multi-field stateful signature inspection and dynamic statistical anomaly detection techniques to achieve the highest level of accuracy in the industry.

Protocol normalization and anomaly detection—Provides for the detection of potential attacks without the need for a database of signatures. All packets entering the sensor are normalized or “scrubbed” so that the sensor sees the data exactly as the protected system will see it when the packets are reassembled at their destination. This process is key to IntruShield's ability to detect attacks that have been specifically crafted to evade a Network IPS. After normalization, the protocol is fully decoded and compared against the rules that pertain to that specific protocol. Any deviation from the norm in the construction of the packet is flagged as a protocol anomaly and forwarded to the Detection Correlation engine, where it is integrated with the output of the other detection engines before a final attack detection decision is made.

The Signature detection engine—Provides highly detailed and accurate detection of attacks flowing through the sensor for which a signature is available. Signatures are written to identify both specific attacks and unknown attacks that target a vulnerability within an operating system or application. IntruShield signatures can examine numerous different values within a packet or flow simultaneously. The sensor monitors the validity of each TCP/IP session and tracks its state in a state table. Tracking the state of all flows through the sensor allows for “stateful inspection” via the signature engine: IntruShield can focus only on packets that could actually compromise a system, those that are part of a valid connection, which minimizes the potential for falsely detecting an attack. Correlating the Signature engine with the Protocol Anomaly engine adds to accuracy by ensuring that a value within a packet that matches a signature element is contained within the proper protocol, and is in the appropriate area of the flow as defined by that protocol.

For example, suppose two security analysts are discussing a particular attack via Instant Messaging within a network, and they include a portion of an HTTP attack within their Instant Messaging conversation. Most competing IPS devices would generate an alarm on the HTTP attack code. IntruShield will recognize that although there is attack data within the Instant Messaging packets flowing through the sensor, the data is not a valid attack, as an HTTP attack cannot compromise an Instant Messaging process. A complete understanding not only of the data that comprises the attack, but also of the context within which the data is detected, is required to provide this degree of accuracy. IntruShield is the only system on the market that performs such advanced correlation functions, and these processes are the key to IntruShield's accuracy. Competitive systems are based on general-purpose computer platforms, or on layer-two traffic switches that have been adapted to perform simple string matches of data patterns within a signature against data patterns within a packet.
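To make the normalization, state-tracking and context-correlation points of the preceding paragraphs (and the in-line inspection model described under Network IPS above) concrete, the following added example implements a toy in-line sensor in Python. It is not IntruShield code, nor anything from McAfee. It tracks TCP connection state, canonicalizes HTTP request URIs before matching, binds each signature to a protocol and a decoded field, and is then fed the same double-encoded directory-traversal request inside an HTTP flow, inside an instant-messaging flow, and outside any established connection. The port-to-protocol map, the two signatures and all sample packets are assumptions constructed for the example.

```python
# Added example (not IntruShield or McAfee code): a toy in-line sensor that
# tracks TCP state, normalizes and decodes each flow's protocol, and matches
# signatures only in the protocol and field they were written for. The
# port-to-protocol map, signatures and sample packets are all assumptions.
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""

# A signature is bound to the protocol and decoded field it is meaningful in.
Signature = namedtuple("Signature", "name proto field pattern")
PROTOCOL_BY_PORT = {80: "http", 5190: "im"}   # assumed server-port map
SIGNATURES = [
    Signature("http-dir-traversal", "http", "uri", re.compile(r"(^|/)\.\.(/|$)")),
    Signature("http-cmd-exe", "http", "uri", re.compile(r"/cmd\.exe\b", re.I)),
]

def normalize_uri(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize a request-URI as the target server will see it: bounded repeated
    percent-decoding (defeats double encoding), backslash to slash, "//" and "/./"
    collapsed. ".." is deliberately kept so the traversal rule can see it."""
    uri = raw
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    uri = re.sub(r"/\./", "/", uri.replace("\\", "/"))
    return re.sub(r"/{2,}", "/", uri)

def decode_http(payload: bytes) -> Optional[Dict[str, str]]:
    """Decode the request line into named fields; None if it is not a request."""
    m = re.match(r"^([A-Z]+) (\S+) HTTP/\d\.\d$", payload.split(b"\r\n", 1)[0].decode("latin-1"))
    return {"method": m.group(1), "uri": normalize_uri(m.group(2))} if m else None

DECODERS = {"http": decode_http,
            "im": lambda payload: {"message": payload.decode("latin-1", "replace")}}

class Sensor:
    def __init__(self, signatures: List[Signature] = SIGNATURES):
        self.signatures = signatures
        self.flows: Dict[Tuple[str, int, str, int], str] = {}   # client 4-tuple -> state

    def inspect(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return ("pass"|"drop", reason) for one packet, updating the state table."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.flows[fwd] = "syn_sent"
            return "pass", None
        if p.flags == "SA" and self.flows.get(rev) == "syn_sent":
            self.flows[rev] = "syn_received"
            return "pass", None
        if p.flags == "A" and self.flows.get(fwd) == "syn_received":
            self.flows[fwd] = "established"
            return "pass", None
        key = fwd if fwd in self.flows else rev
        if self.flows.get(key) != "established":
            # Not part of a valid connection, so it cannot compromise the host and is
            # not inspected here; a strict sensor would drop such packets instead.
            return "pass", "not-in-state-table"
        if key is rev or not p.payload:
            return "pass", None   # server-to-client data: no request signature applies
        proto = PROTOCOL_BY_PORT.get(p.dport)
        fields = DECODERS[proto](p.payload) if proto else None
        if fields is None:
            return "pass", "no-decoder"
        for sig in self.signatures:   # context check: right protocol and right field
            if sig.proto == proto and sig.field in fields and sig.pattern.search(fields[sig.field]):
                return "drop", sig.name
        return "pass", None

def handshake(s: Sensor, client: str, server: str, cport: int, sport: int) -> None:
    for pkt in (Packet(client, server, cport, sport, "S"),
                Packet(server, client, sport, cport, "SA"),
                Packet(client, server, cport, sport, "A")):
        s.inspect(pkt)

def run_demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed traffic: the same double-encoded traversal bytes inside an HTTP
    flow, inside an IM flow, and outside any established connection."""
    s = Sensor()
    evasive = b"GET /cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
    handshake(s, "10.0.0.5", "10.0.1.80", 40001, 80)
    handshake(s, "10.0.0.7", "10.0.1.90", 40002, 5190)
    return [
        s.inspect(Packet("10.0.0.5", "10.0.1.80", 40001, 80, "PA", evasive)),
        s.inspect(Packet("10.0.0.7", "10.0.1.90", 40002, 5190, "PA", b"analyst1: seen this? " + evasive)),
        s.inspect(Packet("10.0.0.9", "10.0.1.80", 40003, 80, "PA", evasive)),
    ]
```

The traversal request is caught only after the bounded percent-decoding loop has turned %255c into a backslash and then a slash; a raw byte match on the wire would have missed it. The IM copy passes because the signature is scoped to the HTTP URI field, which is the correlation the text describes. Note the deliberate choice for out-of-state packets: this toy passes them uninspected, as the text describes, but a production sensor should drop them, since data the sensor ignores but the host accepts is an evasion path.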

The Statistical anomaly detection engine—Detects and protects against Denial of Service and Distributed Denial of Service attacks. This engine monitors and records information on all traffic passing into and out of a protected segment. A dynamic “profile” incorporating over 100 different values is built and maintained by the system for each segment. The system tracks things like the number and types of packets passing between addresses on one side of the sensor and the other, the most common addresses and address ranges in the traffic flow,


the percentage of different types of traffic etc. This profile forms a “baseline” value for the typical activity seen on a segment. DoS and DDoS attacks are detected as rapid variations in activity that fall outside the baseline maintained by the sensor for that segment. When an attack is detected, the system is able to determine which packets belong to the attack and which belong to legitimate traffic. Packets identified as part of the attack are dropped; packets that are part of the legitimate traffic flow are passed to their destination. In contrast, competing systems typically require the operator to manually set a value based merely on the number of packets per second that should be allowed onto the segment. If this value is exceeded, their systems indiscriminately drop packets with no ability to determine whether they belong to the attack or to legitimate traffic.
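The following added example (not IntruShield code or anything from McAfee) shows the shape of such a statistical engine in Python: a per-segment profile learns packet rate, SYN fraction and the set of usual sources over successive time windows, declares an anomaly when a window exceeds the learned thresholds, and then attributes individual packets to the flood rather than dropping at a fixed packets-per-second rate. The metrics tracked, the thresholds, the attribution heuristic and all traffic are assumptions constructed for the example.

```python
# Added example (not IntruShield or McAfee code): a per-segment statistical
# baseline that flags a SYN flood as a deviation from learned traffic and then
# separates attack packets from legitimate ones instead of dropping at random.
# The metrics, thresholds, attribution heuristic and traffic are assumptions.
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Pkt:
    src: str
    flags: str    # "S" for a bare SYN, anything else for established-flow traffic

class SegmentProfile:
    """Dynamic profile of one segment: packet rate, SYN fraction and the sources
    that make up its normal traffic, learned from successive time windows."""

    def __init__(self, k: float = 3.0, min_windows: int = 5):
        self.k = k                      # spreads above the mean before alarming
        self.min_windows = min_windows  # windows to learn before judging
        self.pps: List[int] = []
        self.syn_frac: List[float] = []
        self.sources: Counter = Counter()

    @staticmethod
    def _measure(window: List[Pkt]) -> Tuple[int, float]:
        n = len(window)
        return n, (sum(p.flags == "S" for p in window) / n if n else 0.0)

    def _limit(self, history: List[float], floor: float) -> float:
        # Mean plus k spreads, with a floor so a very flat baseline keeps some headroom.
        return statistics.mean(history) + self.k * max(statistics.pstdev(history), floor)

    def learn(self, window: List[Pkt]) -> None:
        n, f = self._measure(window)
        self.pps.append(n)
        self.syn_frac.append(f)
        self.sources.update(p.src for p in window)

    def evaluate(self, window: List[Pkt]) -> Dict:
        """Judge one window against the baseline; returns the verdict and the
        split of the window into packets to drop and packets to pass."""
        n, f = self._measure(window)
        verdict = {"anomaly": False, "pps": n, "syn_fraction": f, "dropped": [], "passed": window}
        if len(self.pps) < self.min_windows:
            self.learn(window)
            return verdict
        pps_limit = self._limit(self.pps, floor=0.1 * statistics.mean(self.pps))
        syn_limit = self._limit(self.syn_frac, floor=0.02)
        verdict.update(pps_limit=pps_limit, syn_limit=syn_limit)
        if not (n > pps_limit and f > syn_limit):
            self.learn(window)   # normal window: keep the baseline adapting
            return verdict
        # Attack window: do NOT learn from it, or the flood becomes the new normal.
        # Attribution: a bare SYN from a source the profile has never seen is flood
        # traffic; everything else is passed to its destination.
        flood = [p.flags == "S" and p.src not in self.sources for p in window]
        verdict.update(anomaly=True,
                       dropped=[p for p, is_flood in zip(window, flood) if is_flood],
                       passed=[p for p, is_flood in zip(window, flood) if not is_flood])
        return verdict

KNOWN_SOURCES = [f"10.0.0.{i}" for i in range(1, 9)]

def normal_window(size: int) -> List[Pkt]:
    """Constructed background traffic: known hosts, about one packet in ten a SYN."""
    return [Pkt(KNOWN_SOURCES[i % len(KNOWN_SOURCES)], "S" if i % 10 == 0 else "PA")
            for i in range(size)]

def syn_flood(count: int) -> List[Pkt]:
    """Constructed flood: bare SYNs from spoofed, never-before-seen sources."""
    return [Pkt(f"198.51.100.{i % 254 + 1}", "S") for i in range(count)]

def run_demo() -> Tuple[Dict, Dict]:
    """Train on nine quiet windows, then test a legitimate burst (normal mix, so
    it must pass) and a SYN flood mixed with normal traffic (must be split)."""
    profile = SegmentProfile()
    for w in range(9):
        profile.evaluate(normal_window(90 + (w % 3) * 10))
    burst = profile.evaluate(normal_window(180))
    attack = profile.evaluate(normal_window(100) + syn_flood(900))
    return burst, attack

if __name__ == "__main__":
    burst, attack = run_demo()
    print("burst anomaly:", burst["anomaly"])
    print("attack anomaly:", attack["anomaly"],
          "dropped:", len(attack["dropped"]), "passed:", len(attack["passed"]))
```

Three points a deployer should take from the code: the profile must stop learning while an anomaly is in progress, or the flood becomes the new normal; the floor on the spread stops a very stable baseline from flagging every small change; and an attacker who ramps up slowly enough to stay inside the adaptive thresholds will not be seen by this engine at all, which is why it complements rather than replaces signature and protocol-anomaly detection.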

With version 2.1 of the product, IntruShield provides protection against SSL-encrypted attacks for critical e-commerce infrastructure. The I4000 and I2600 sensors decrypt incoming SSL traffic and provide full inspection and protection of the traffic contained within the encrypted flow. This is achieved by securely caching a copy of each SSL server's private key on the sensor. Two practical consequences follow for the deployer: the sensor becomes a second holder of the server's private key and must be protected and audited accordingly, and decryption from a stored server key only works for cipher suites in which the session key is derived from an RSA key exchange with that key; suites that negotiate the session key with ephemeral Diffie-Hellman cannot be decrypted this way. This capability is indicative of the advanced design of the system and the forward thinking of the IntruShield design team.

IntruShield Manager
The McAfee IntruShield Management System centrally manages all IntruShield sensors installed in an enterprise. The Management System enables enterprises to import and export configurations across multiple sensors, significantly decreasing the cost of installing and maintaining large deployments. The system provides centralized alert monitoring and an enterprise-wide view of all events from both the IntruShield sensors and the Entercept agents deployed throughout the network. Powerful forensic analysis and reporting capabilities enable in-depth analysis and reporting of the organization's global security posture.

Strengths of IntruShield Network IPS


Accuracy and Performance—IntruShield's unique, purpose built hardware appliance and integrated detection
technology provides the most accurate Network detection and prevention of known and unknown attacks, whether
clear text or encrypted with SSL. Multi-gigabit performance supports the most demanding enterprise network core
protection needs.

Comprehensive Protection—IntruShield protects all assets connected to the protected network segment including
network infrastructure components like routers, switches, print servers etc. No Host IPS runs on every version of
every operating system, so IntruShield protects environments that are not running Windows, Solaris or HP-UX
platforms protected by McAfee Entercept. A single strategically placed IntruShield appliance can protect hundreds of
different systems and devices at the same time, minimizing installation and maintenance costs and maximizing staff
effectiveness.

Virtual Firewall Capability—IntruShield provides the full capabilities of a stateful firewall with advanced access control between physical or virtual segments protected by the sensor. With this capability, IntruShield can act as an interior firewall: if an attack has gotten past a product installed at or near the WAN interface, the sensor can prevent it from spreading into other regions of the network. Alternatively, it can detect a buffer overflow for which there is an exploit or vulnerability signature before it reaches the target host, preventing the attack from succeeding.

Comprehensive Forensic and Reporting Capabilities—The integration of Entercept Host and IntruShield Network
alerts provides the ability to correlate and integrate attack events network wide. Sophisticated forensic analysis and
reporting capabilities provide a powerful centralized view of the overall security environment.

Ease of Management and Deployment—An IntruShield network sensor can be deployed in a network in less than
one hour. The IntruShield management console provides centralized control of all software and hardware features of


the installed network sensors. Numerous security templates are provided to enable the system to be rapidly
configured and customized to suit the customers’ environment.

Network Reconnaissance Detection—Because of its network-wide view and ability to capture all of the packets off the wire, IntruShield is able to detect network-wide reconnaissance activities such as port sweeps and pings. It is ideal for gathering forensic information detailing where an attack came from and what it is targeting. An example of a reconnaissance technique is ‘SNMP harvesting’, in which it is possible to obtain an entire user database or even the configuration details of a router by probing SNMP MIBs. This kind of reconnaissance activity places distinctive traffic on the network, which is detectable by IntruShield. A host-based IPS would not detect this activity.

Examples of attacks that only Network IPS can detect and block:

• ARP Poisoning - http://www.watchguard.com/infocenter/editorial/135324.asp

• Protocol Flooding - http://www.securiteam.com/exploits/5JP0R0K4AW.html


• Routing Protocol Attacks - http://www.securiteam.com/tools/5IP032K6AS.html

Key Selection Considerations


Determining where and when to use the appropriate IPS technologies requires an understanding of the strengths and weaknesses of each product. Following is a summary of the critical issues to keep in mind, with a brief description of each technology's approach to addressing them.

Threat Effectiveness
Blocking Zero-Day Attacks—Entercept uses behavioral application protection rules to prevent exploits that use
unknown vulnerabilities (e.g., WebDAV using an attack vector other than HTTP), whereas IntruShield uses protocol
anomaly detection and general vulnerability signatures to prevent novel exploits (e.g., ASN.1 encoding errors in
SNMP and Kerberos). IntruShield can recognize worm propagation by detecting changes in network traffic
distribution with its statistical analysis capability. Entercept can block worm propagation with its process firewall
technology.

Mitigating the ‘Patching Emergency’—Both systems provide complementary help in reducing the urgency of patch
deployment. IntruShield can safeguard unpatched systems if anomaly-based protection is implemented and deployed
for the affected protocol (e.g., MS RPC DCOM buffer overflow). Entercept makes use of its generic buffer overflow
exploit prevention to deflect overflow exploits. This protection allows customers to test critical patches and schedule
their deployment in a controlled fashion.

Ensuring System Availability—Working in concert, Entercept and IntruShield provide effective remediation of Denial of Service and Distributed Denial of Service attacks. IntruShield's sophisticated Statistical Anomaly Detection capability protects against traffic-oriented attacks, while Entercept's leading-edge buffer overflow and process firewall technology ensures that hosts remain available for service at all times.

Implementation Considerations
Coverage—IntruShield protects all types of computer systems as well as network infrastructure devices such as routers and switches, as long as it is deployed in the path between target and attacker (e.g., Cisco IOS vulnerabilities). Entercept protects servers and desktops against local exploits and malicious operations that do not involve any network access or traffic.


Deployment—Entercept is independent of how an exploit gets to a machine, but needs to be installed on every box in order to protect it. IntruShield only requires a few devices for many servers and desktops, but needs to cover all paths leading to an asset in order to be effective.

Conclusion
To the security administrator or CISO, the prospect of implementing both a Host and a Network IPS is problematic because of
one particular rationale: If one solution is so effective then why do I need to invest in both? Arguably, the overlap between
Network and Host IPS is very large. Nevertheless, this is more an argument in theory rather than practice. With the exception
of a local attack where the hacker has physical access to the target system, all attacks put traffic on the wire and so it is
theoretically possible to create a detection capability and block it. In practice, it is another matter. In many instances, a Host
IPS is better positioned to evaluate the intent of a particular action, which may appear innocuous on the wire. A single
prevention approach, based upon single or point-technologies, will continue to fail against these evolving blended attacks.

”Defense in depth” and “Protection-in-Depth” are philosophies, and security professionals that follow them build solutions on
the premise that any single security measure has limitations and will eventually fail. If the single technology approach were
correct, this argument would have ended long ago when firewalls were originally introduced as a technology. Technology often
fails through poor configuration. For example, intrusion detection and intrusion prevention technology can be used to simply
provide visibility (detection) into critical systems and the network rather than prevention. A firewall’s effectiveness is only as
good as its policy. Anti virus only detects known viruses if it is up to date. The list goes on.

If malicious code writing and hacking stood still then it might be harder to rationalize redundant security technology. However,
this is not the case. We can never predict all of the vulnerabilities that are yet to be discovered nor can we predict the exploits
that invariably will follow.

Host and Network Intrusion Prevention Systems are both targeted at the same goal, protecting critical assets from very
sophisticated threats. Two different approaches to achieving this goal are more powerful and effective than any single design
could possibly be.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners. © 2005 McAfee, Inc. All Rights Reserved.
6-NPS-NIP-002-0205

