Installation guide
Chapter 2  Planning the Installation
Introduction to McAfee IPS and Layer 2 Firewall
A McAfee IPS or Layer 2 Firewall system consists of the McAfee Security Management Center 
(SMC) together with one or more IPS engines and/or Layer 2 Firewall engines, and/or one or 
more Master Engines that host Virtual IPS engines and/or Virtual Layer 2 Firewall engines. 
IPS engines, Layer 2 Firewalls, Virtual IPS engines, and Virtual Layer 2 Firewalls pick up 
network traffic, inspect it, and create event data for further processing by the Log Server.
The following table describes the installation modes for IPS engines, Layer 2 Firewalls, and 
Master Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls.
Table 2.1 Installation Modes for IPS Engines and Layer 2 Firewalls

NGFW Role: IPS

  Mode: Inline
    In an inline installation, the traffic flows through the IPS engine. The IPS engine 
    has full control over the traffic flow and can be used to automatically block any 
    traffic. An inline IPS engine can also enforce blacklisting commands received from 
    other components. Fail-open network cards can be used to ensure that traffic flow is 
    not disrupted when the IPS engine is offline (while the engine is offline, that 
    traffic passes uninspected). An inline IPS engine also provides access control and 
    logging for any Ethernet traffic (layer 2).

  Mode: Capture
    In a capture installation, external equipment duplicates the traffic flow for 
    inspection, and the IPS engine just "listens in". The IPS engine does not have direct 
    control over the traffic flow, but it can respond to selected threats by sending 
    packets that reset the connections. Because the engine only sees a copy of the 
    traffic, the packet that triggered the response has already reached its destination 
    by the time the reset is sent. An IPS engine in capture (IDS-only) mode can send 
    blacklisting requests to other IPS engines, Layer 2 Firewalls, or Firewalls, but it 
    cannot enforce blacklisting requests from other components.

NGFW Role: Layer 2 Firewall

  Mode: Inline
    In an inline installation, the traffic flows through the Layer 2 Firewall. The Layer 2 
    Firewall has full control over the traffic flow and can be used to automatically block 
    any traffic. An inline Layer 2 Firewall can also enforce blacklisting commands 
    received from other components. An inline Layer 2 Firewall also provides access 
    control and logging for any Ethernet traffic (layer 2).

  Mode: Capture (Passive Firewall)
    In a capture (Passive Firewall) installation, external equipment duplicates the 
    traffic flow for inspection to the Layer 2 Firewall, and the Layer 2 Firewall just 
    "listens in". The Layer 2 Firewall does not have direct control over the traffic flow, 
    but it can respond to selected threats by sending packets that reset the connections. 
    A Layer 2 Firewall in Passive Firewall mode can send blacklisting requests to other 
    Layer 2 Firewalls, IPS engines, or Firewalls, but it cannot enforce blacklisting 
    requests from other components.
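The practical difference between the two modes is what happens to the packet that triggers a response. The following Python model is an added illustration, not McAfee code: a toy engine sees each packet either in the traffic path (inline) or from a mirror port (capture). The signature pattern, addresses and sample traffic are constructed assumptions. It shows that an inline engine drops the matching packet and the rest of that connection, that a capture engine can only inject resets after the matching packet has already reached the server, and that only the inline engine can enforce a blacklist entry received from another component while the capture engine can merely request one.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Engine:
    mode: str                 # "inline" (in the traffic path) or "capture" (mirror port)
    signature: bytes          # assumed byte pattern that the inspection policy matches
    blacklist: set = field(default_factory=set)   # entries received from other components
    actions: list = field(default_factory=list)   # what the engine did, in order

    def inspect(self, pkt: Packet) -> str:
        """Return a verdict: 'forward', 'drop' or 'reset'.

        'drop' is only available inline, where the engine holds the packet.
        A capture engine never holds the packet; its strongest response is to
        inject TCP resets toward both endpoints after the fact.
        """
        if pkt.src in self.blacklist:
            if self.mode == "inline":
                self.actions.append(f"drop blacklisted {pkt.src}")
                return "drop"
            self.actions.append(f"blacklisted {pkt.src} seen but not enforceable")
            return "forward"
        if self.signature in pkt.payload:
            if self.mode == "inline":
                self.actions.append(f"drop {pkt.src}->{pkt.dst}: signature match")
                return "drop"
            self.actions.append(f"send RST to {pkt.src} and {pkt.dst}")
            self.actions.append(f"blacklist request for {pkt.src}")
            return "reset"
        return "forward"


def run(mode: str, packets, blacklist=()):
    """Feed packets past the engine; return (payloads the server received, engine actions)."""
    engine = Engine(mode=mode, signature=b"EVIL", blacklist=set(blacklist))
    terminated = set()        # flows the engine blocked (inline) or the endpoints tore down (capture)
    delivered = []
    for pkt in packets:
        flow = (pkt.src, pkt.dst)
        if flow in terminated:
            continue
        verdict = engine.inspect(pkt)
        if verdict == "drop":
            terminated.add(flow)          # inline: the rest of the connection is blocked too
            continue
        delivered.append(pkt.payload)     # this packet reached the server
        if verdict == "reset":
            terminated.add(flow)          # capture: the RST closes the flow, but only after delivery
    return delivered, engine.actions


# Constructed sample traffic: one client session carrying the matched pattern
# in its second segment, plus a packet from a source blacklisted by another component.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.80", b"GET / HTTP/1.1"),
    Packet("10.0.0.5", "10.0.1.80", b"EVIL exploit bytes"),
    Packet("10.0.0.5", "10.0.1.80", b"follow-up data"),
    Packet("198.51.100.9", "10.0.1.80", b"hello"),
]
BLACKLISTED = {"198.51.100.9"}

if __name__ == "__main__":
    for mode in ("inline", "capture"):
        got, acts = run(mode, SAMPLE, BLACKLISTED)
        print(mode, "server received:", got)
        for a in acts:
            print("   ", a)
```

Run with both modes, the server behind the inline engine receives only the first segment, while the server behind the capture engine receives the first two segments plus the blacklisted source's packet; only the third segment is lost, because the reset has torn the connection down by then. When planning a capture installation, treat the reset as damage limitation, not as prevention.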