Data Sheet

McAfee Network Protection Solutions

McAfee IntruShield Network IPS Sensor

Pioneering and Industry-Leading, Next-Generation Network
Intrusion Prevention Solution
The Challenge office, and provides enterprise and carrier-class scalability in
The risks to enterprise and service provider security both large and small enterprise environments.
continue to grow, as the number of new vulnerabilities and The innovative IntruShield architecture integrates patented
the speed and sophistication of attacks seeking to exploit signature, anomaly, and Denial of Service (DoS) analysis
those vulnerabilities increase every year. The evolution of techniques, enabling highly accurate and intelligent attack
new hybrid attacks that use multiple vectors to breach the detection and prevention up to multi-gigabit speeds. This
security infrastructure means that enterprises must defend unprecedented harnessing of innovative technologies
themselves against a constantly shifting threat. protects even the most demanding networks from the
• Dynamic Security Risks—The dynamic nature of today’s threat of known, zero-day (unknown), and DoS attacks, as
security threats means that new, hybrid attacks are well as spyware. IntuShield’s next-generation technology
increasing at an unprecedented pace. Network security delivers industry-first encrypted attack prevention and
gaps leave critical assets vulnerable and increase enter- network IPS and internal network firewall integration,
prise and service provider security risks offering the most accurate and comprehensive protection
available in the industry.
• Inadequate Protection with Traditional Security
Technology—Despite significant security investments, The IntruShield product family includes the IntruShield 4010,
enterprises remain vulnerable to sophisticated and zero-day IntruShield 4000, IntruShield 3000, IntruShield 2600, IntruShield
attacks due to the inadequate ability of traditional technol- 1400, and IntruShield 1200—six powerful and purpose-built
ogy to provide proactive threat detection and prevention network IPS sensor appliances that provide the performance
and functionality required to protect high-availability networks—
• The Need for Proactive Risk Prevention—Unfortunately, and the IntruShield Security Management (ISM) system, a
there is no single product that protects against all threats. powerful and scalable security management solution.
To ensure comprehensive security, service providers and
enterprises need to adopt a layered approach that delivers Features and Benefits
proactive risk prevention to accurately detect and block
known and zero-day attacks before they inflict damage Comprehensive Protection
• Realtime Encrypted Attack Prevention—Industry’s
The pioneering and proven McAfee® network intrusion preven-
first and only network IPS to protect against both
tion (IPS) solution delivers the most comprehensive, accurate,
clear-text and encrypted attacks, as well as spyware
and scalable threat protection, helping enterprises and service
providers assure the availability and security of their critical • Signature, Anomaly, and DoS Analysis—Protects
network infrastructure through proactive risk prevention. against known, zero-day, and DoS attacks

• IPS and Internal Firewall—Unprecedented internal

The McAfee IntruShield Solution
system and network infrastructure threat protection
McAfee IntruShield® network IPS delivers advanced realtime and policy enforcement through converged network
protection against known, zero-day (unknown), and encrypted IPS and internal firewall capabilities
attacks, as well as spyware. IntruShield delivers the most
comprehensive, accurate, and scalable network IPS solution for • Integrated Network and Host IPS Protection—
a broad range of mission-critical environments. As part of the Provides breakthrough integration by enabling host
McAfee Protection-in-Depth™ Strategy, it delivers comprehen- (McAfee Entercept®) and network (IntruShield) IPS
sive and proactive intrusion prevention to protect business security event aggregation and coordination on a
availability and critical network infrastructure by detecting and single IntruShield Manager console
blocking attacks before they inflict damage. Through a full suite • High-Availability Deployment Options—Enables
of aggregated platforms and solutions that scale from hundreds virtualization and unmatched proactive IPS protection
of Mb/s to multi-gigabit bandwidth rates, its broad protection for broad range of high-availability environments
extends from the network core to the edge and the branch

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 2
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

Accurate Protection
The IntruShield 4010
• Depth-of-Analysis—IntruShield’s purpose-built platform
The IntruShield 4010 (I-4010) is suited for deployment at the
enables stateful traffic analysis by providing thorough core of large enterprise, data center, or service provider
parsing of more than one hundred protocols, over 3,000 networks. The high port-density Gigabit Ethernet interfaces
high-quality multi-token/multi-trigger signatures, and provide the performance and operational redundancy required to
secure a high-availability network infrastructure, along with
advanced evasion resistance to deliver unmatched economies-of-scale needed by large enterprises, data centers,
accuracy for mission-critical, in-line prevention and service providers.

• Virtual IPS and Internal Firewall—IntruShield’s unique

virtualization capability extends to both IPS and internal
firewall, enabling highly customized and granular security
policies for a dramatic reduction in false positives
• Twelve Gigabit Ethernet detection ports
• Intrusion Intelligence—Powerful capabilities provide
• One Fast Ethernet management port
detailed, accurate, and reliable information related to
• Optional redundant hot-swappable power supply
intrusion identification, relevancy, direction, impact,
and analysis • Purpose-built for high performance, high availability,
and low latency

Scalable and Manageable • Up to 2Gb/s performance

• Enterprise-Wide Scalability—Through a full suite of The IntruShield 4000

solutions that scale from hundreds of Mb/s to multi- The IntruShield 4000 (I-4000) is suited for deployment at the
gigabit bandwidth rates, IntruShield’s broad protection core of enterprise, data center, or service provider networks.
extends from the network core to the edge and the The Gigabit Ethernet interfaces provide the performance and
operational redundancy required to secure a high-availability
branch office and provides mission-critical solutions network infrastructure.
with proven scalability for all enterprise environments

• Flexible Deployment—Unprecedented flexibility of

IPS or IDS deployment—including In-Line, Port
Clustering, high-availability, Span, and Tap Modes—to
suit any network security architecture • Four Gigabit Ethernet detection ports
• Automated Realtime Threat Updates—Innovative, • One Fast Ethernet management port
automated process delivers realtime, enterprise-wide • Optional redundant hot-swappable power supply
signature updates without requiring sensor reboots • Purpose-built for high performance, high availability,
and provides protection against newly discovered and low latency
vulnerabilities while eliminating manual updates and • Up to 2Gb/s performance
network downtime
The IntruShield 3000
The IntruShield 3000 (I-3000) is suited for deployment at the
Comprehensive Threat Prevention core of large enterprise, data center, or service provider
As part of the McAfee Protection-in-Depth Strategy, networks. The high port-density Gigabit Ethernet interfaces
provide the performance and operational redundancy required to
IntruShield delivers comprehensive intrusion prevention solu- secure a high-availability network infrastructure, along with
tions that protect both internal and external network economies-of-scale needed by large enterprises, data centers,
infrastructure from a broad range of threats and attacks— and service providers.
spanning from the network core to the edge and the branch
office. By combining broad network environment protection
with unprecedented threat prevention technologies—includ-
ing encrypted attack prevention and internal firewall
integration—IntruShield redefines intrusion prevention with • Twelve Gigabit Ethernet detection ports
the most comprehensive protection from known, zero-day,
• One Fast Ethernet management port
and encrypted attacks, as well as spyware.
• Optional redundant hot-swappable power supply
Encrypted Attack Prevention • Purpose-built for high performance, high availability,
and low latency
Information that requires protection via SSL is critical by • Up to 1Gb/s performance
nature. In today’s dynamic threat environment, HTTP is

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 3
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

one of the most popular protocols for attackers due to its

open availability. Not only is it important to protect the The IntruShield 2600
sensitive data that resides on the Web server itself, but The IntruShield 2600 (I-2600) offers a flexible IPS for enterprise
perimeter deployment. Multiple Fast Ethernet and Gigabit
modern e-commerce sites typically access information Ethernet interfaces provide effective protection for multiple
stored on database servers that live at the very core of network segments.
the network.

Protecting SSL-enabled infrastructure is critical in order to

safeguard local Web server data and help prevent poten-
tial attack channels into the heart of the trusted network. • Two Gigabit Ethernet and six Fast Ethernet detection ports
IntruShield’s breakthrough intrusion prevention technol- • Built-in Fast Ethernet network taps
ogy provides comprehensive network protection against
• One Fast Ethernet management port
both clear-text and encrypted attacks. Its revolutionary
• Purpose-built for high performance, high availability, and low
ability to decrypt and inspect SSL traffic dramatically latency
increases network security coverage by proactively • Up to 600Mb/s performance
detecting and blocking encrypted threats.
The IntruShield 1400
• SSL Traffic Inspection—IntruShield’s hardware-accel-
The IntruShield 1400 (I-1400) offers a cost-effective IPS
erated SSL inspection technology allows the sensor to deployment for mid-size, remote/branch office networks, or at
copy, decrypt, and inspect the SSL data stream using the perimeter of enterprise networks. Centralized Web-based
the securely stored SSL private key. After converting management for enterprise-wide IPS deployments dramatically
reduces operational costs.
the SSL data stream into clear text within the sensor,
traffic is inspected by IntruShield’s protocol and appli-
cation anomaly, statistical DoS, and signature
matching engines. If an alert is not triggered, the origi-
nal encrypted packet is forwarded with minimal delay
• Four Fast Ethernet detection ports
• SSL Encrypted Attack Prevention—IntruShield’s
• Built-in Fast Ethernet network taps
encrypted threat protection proactively blocks
encrypted threats by dropping malicious packets upon • One Fast Ethernet management port
detection of an attack • Purpose-built for high performance, high availability,
and low latency
• SSL Security Forensics—The IntruShield sensor can • Up to 200Mb/s performance
be configured to capture and store clear text copies of
SSL alert packets on the IntruShield manager. The IntruShield 1200
Captured packets are transmitted between the sensor The IntruShield 1200 (I-1200) offers a cost-effective IPS
deployment for mid-size or remote/branch office networks.
and the manager via an encrypted connection Centralized Web-based management for enterprise-wide IPS
deployment dramatically reduces operational costs.
• Uncompromising SSL Key Security—Protection of
the SSL private key is vital. In order to ensure private
key confidentiality and integrity, the key is securely
exported to the IntruShield Manager in encrypted
format. The IntruShield Manager re-encrypts the private
key with the sensor’s public key for local storage. While • Two Fast Ethernet detection ports
performing SSL traffic inspection, the IntruShield sensor • Built-in Fast Ethernet network taps
securely stores the SSL private key in volatile memory, • One Fast Ethernet management port
ensuring that no unencrypted copies of the key are • Purpose-built for high performance, high availability,
permanently stored on the system and low latency
• Up to 100Mb/s performance
IPS and Internal Firewall
Today’s firewalls offer perimeter protection. IntruShield
pioneers next-generation technology by integrating internal
firewall capabilities and network IPS on a single purpose-
built platform to deliver industry-first internal network
protection. The integration of IPS and internal firewall allows

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 4
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

for a higher level of protection, while delivering unmatched known vulnerabilities. By focusing on vulnerabilities as
control, flexibility, and reduced cost of ownership. opposed to individual exploits, IntruShield can often detect
variations of attacks without requiring new signatures.
IntruShield’s virtualization technology extends to both
network IPS and internal firewall capabilities. This enables • Stateful Signature Detection Engine—IntruShield
customers for the first time to implement a virtual sensors employ a patented stateful signature detec-
perimeter around critical resources, delivering an added tion engine. This enables context-sensitive signature
layer of protection to guard against attacks that success- detection, leveraging state information within data
fully penetrate perimeter firewalls or that originate packets, utilizing multiple token matches, and detect-
internally. Highly granular virtual perimeters can protect a ing attack signatures that span packet boundaries or
network segment, a collection of hosts, or even a single are in an out-of-order packet stream
system with a unique policy.
• Signature Specification Language—IntruShield
Signature, Anomaly, and DoS Analysis sensors utilize a proprietary, high-level Signature
Specification Language. The IntruShield architecture
IntruShield’s patented and integrated signature, anomaly,
de-couples signatures from the sensor software,
and DoS analysis delivers anti-spyware and broad protection
enabling quality signatures to be made available with
against known, zero-day, and DoS attacks. The Depth-of-
a quicker turnaround
Analysis section provides additional details on this topic.
• Realtime Signature Updates—IntruShield sensors
Integrated Network and Host IPS Protection benefit from an innovative realtime signature update
McAfee’s IPS provides unprecedented integration of its process, where new signatures are automatically
IntruShield network IPS and Entercept host IPS products. pulled by the IntruShield Manager software at the
Integrated host and network IPSs provide the most customer site. Based on policy configuration, these
comprehensive IPS protection available in the industry, signatures can be pushed from the IntruShield
encompassing servers, desktops, and laptops, as well as Manager to sensors automatically in real time.
the network core and edge. IntruShield sensors dynamically utilize the latest signa-
tures without requiring reset or reboot for
Unprecedented Detection Accuracy uninterrupted attack protection
In today’s dynamic threat environment, detection accuracy is • User-Defined Signatures—Sensors also leverage
critical to network operators. Although false positives from a custom signatures that users can easily create through
network IDS may result in unnecessary alerts and create an IntruShield Manager’s intuitive graphical user interface
annoyance for operators, false positives from a network IPS
are more critical due to the fact they can result in the block- Anomaly Detection and Prevention
ing of legitimate network traffic. IntruShield’s highly accurate IntruShield’s anomaly detection functionality can identify
attack detection forms the foundation for the most accurate sophisticated zero-day and unknown attacks, significantly
attack prevention solution for today’s demanding, mission- improving attack detection rates.
critical, in-line IPS deployments.
• Statistical, Protocol, Application Anomalies—
Depth-of-Analysis Sensors offer comprehensive anomaly detection by
IntruShield delivers unparalleled protection against employing statistical, protocol, and application anomaly
spyware, as well as known, zero-day, and DoS attacks by detection techniques
integrating stateful signature, anomaly, and DoS statistical • Buffer Overflow Detection—More than half of new
analysis for both clear-text and encrypted malicious traf- exploits today are buffer overflow attacks. IntruShield’s
fic. IntruShield’s stateful traffic analysis and session state anomaly detection techniques are effective in protect-
maintenance for up to 1 million sessions, as well as its ing against this major threat source
thorough parsing for over one hundred protocols, form
the foundation for comprehensive signature, anomaly, Denial of Service Detection and Prevention
and DoS analysis. IntruShield offers unprecedented accuracy and granularity
for DoS detection and delivers the response actions
Signature Detection and Prevention
needed to proactively block attacks.
IntruShield sensors offer powerful signature analysis to
accurately guard against known attacks. Over 3,000 • Self-Learning Profiles and Threshold-Based
IntruShield signatures are written to protect against Detection—Sensors offer threshold-based detection

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 5
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

as well as self-learning, profile-based DoS detection for those internal networks that are often left vulnerable
that uses a patented algorithm to separate even low due to no or limited security policy enforcement.
volumes of attack traffic from large volumes of legiti-
Virtualization capability allows security professionals to
mate traffic
implement and enforce a heterogeneous set of security
• Highly Granular DoS Detection—Sensors deliver policies with a single IntruShield sensor. Such flexibility
unparalleled granularity in DoS detection using profile- allows organizations to effectively meet differing security
based techniques. A profile can be created for a range needs, or allows service providers to offer customized
of IP addresses or even an individual host, and the security solutions and SLAs to multiple customers. As
IntruShield architecture supports several hundred well, virtualization further reduces the total number of
profiles per sensor. Any deviation from normal traffic devices required for a network-wide deployment and
behavior flags a DoS condition. If a single host/subnet reduces total cost of ownership.
downstream to a gigabit network link comes under
attack—with even a couple of Mb/s of traffic—a Intrusion Intelligence
sensor’s granular DoS detection can spot the attack The dynamic nature of today’s security threats means
that new, hybrid attacks are increasing at an unprece-
Virtual IPS and Internal Firewall dented pace. In order to detect and block known and
IntruShield sensors support an innovative and powerful zero-day attacks before they inflict damage, enterprises
virtualization concept to segment a single IntruShield and service providers need to adopt a strategy of proac-
sensor into and up to 1,000 virtual sensors, each of which tive risk prevention. IntruShield’s Intrusion Intelligence™
can be completely customized with a granular security delivers unique features to analyze key characteristics of
policy—including individualized attack selection and asso- known and zero-day threats and intrusions. This unprece-
ciated response actions. A virtual sensor can be defined dented set of features delivers detailed, accurate, and
based on a block of IP addresses, one or multiple VLAN reliable information related to intrusion identification, rele-
tags, or by specific port(s) on a sensor. vancy, direction, impact, and analysis. This allows carriers
and enterprises to migrate from reactive intrusion detec-
Virtualization is available for both IPS and internal firewall
tion to proactive intrusion prevention to stop attacks
functionality. The breakthrough integration of virtual IPS
before they reach their intended targets.
and internal firewall capabilities empowers enterprises to
extend perimeter-grade protection internal to the network.
Enterprise-Wide, Carrier-Class Scalability
IntruShield enables highly granular security policies for
and Manageability
individual network segments, a collection of hosts, or
even singular hosts. This allows for the creation of a IntruShield provides unparalleled scalability and manageabil-
Virtual Perimeter for protected segments or hosts. ity to meet the needs of diverse enterprise, carrier, and
IntruShield’s Virtual Perimeter technology delivers the service provider environments. Through a full suite of aggre-
industry’s first internal network security solution. It miti- gated platforms and solutions that scale from hundreds of
gates security risks and delivers unprecedented protection Mb/s to multi-gigabit bandwidth rates, IntruShield’s broad
protection extends from the network core to the edge and
the branch office and provides mission-critical solutions with
proven scalability in all network environments.

Enterprise-Wide Protection
The multi-gigabit performance of the IntruShield 4010 and
4000 sensors makes them suitable for deployment at
logical traffic aggregation points at the core of the enter-
prise network, in data centers or at service provider
networks. By deploying sensors in front of the server
farm, users can leverage the IntruShield Virtual IPS capa-
bility to monitor each aggregation point with multiple
customized security policies. What’s more, the sensor’s
IntruShield delivers high-availability deployment option—using stateful failover
unprecedented virtual IPS between two sensors without requiring any external hard-
capabilities. ware—provides operational redundancy, prevents any
single point of failure, and offers uninterrupted IPS

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 6
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

protection. The IntruShield 3000, with up to 1Gb/s using stateful sensor failover between two sensors,
performance, also provides a compelling price-perform- avoiding a single point of failure
ance solution for core network, carrier, and service
• SPAN and Tap Modes—The sensor can monitor hubs
provider deployments. Both the IntruShield 3000 and
or the SPAN ports of multiple switches and can inject
IntruShield 4010 offer the industry’s highest Gigabit port-
several response actions, such as TCP resets to termi-
density network IPS appliance. The IntruShield 2600, with
nate malicious connections through the monitoring port
its Fast and Gigabit Ethernet interfaces, offers a flexible
itself. In Tap Mode, full-duplex monitoring allows a
solution for the perimeter of enterprise networks. The
complete direction-sensitive view of network traffic,
IntruShield 1400 delivers a scalable solution for mid-size,
enabling stateful analysis of traffic. Dedicated response
branch, and remote offices and the perimeter of enter-
ports enable indirect response actions, such as initiat-
prise networks. The IntruShield 1200 delivers a scalable
ing TCP resets to terminate malicious connections
solution for mid-size, branch, and remote offices of enter-
prise networks.

Multi-Gigabit Performance
IntruShield sensors are powered by programmable secu-
rity-focused hardware. Intrusion detection and prevention
are extremely computing-intensive applications, requiring
eight to ten times the processing power of a firewall.
Specialized silicon is used to speed up almost every func-
tion with orders of magnitude improvements in repetitive
tasks such as protocol analysis, statistical analysis, string
matching, and virtualization. As a result, IntruShield sensors
can support thousands of signatures at wire-speed traffic
rates without any packet loss, while protecting against
Realtime Intrusion Prevention
known, zero-day, and DoS attacks, as well as spyware.
IntruShield delivers compelling price/performance for band- No security solution is complete unless it can actually
width needs ranging from tens of Mb/s to 2Gb/s. stop attacks in real time. Accurate detection is the foun-
dation for the complete set of realtime intrusion
Flexible Deployment prevention options available with IntruShield sensors.
IntruShield’s flexible network deployment enables These attack response options enable IntruShield sensors
unmatched threat protection for a broad range of mission- to be integrated into network environments with a full
critical network environments, including In-Line, Port spectrum of security policies, ranging from realtime notifi-
Clustering, high-availability, SPAN, and TAP modes. In cation to complete blocking of attacks in progress. Upon
addition, IntuShield delivers comprehensive infrastructure detecting an attack, IntruShield sensors can: thwart an
protection for network routers, switches, VPNs, and gate- attack in progress by dropping or blocking a single packet
ways. or session; initiate TCP resets or ICMP unreachable
message through response ports; reconfigure firewalls to
• In-Line Mode—IntruShield sensors sit in the data path block offending traffic; trigger an alert to the IntruShield
with active traffic passing through them, mediating the Manager; notify security professionals via e-mail, pager,
flow of traffic, and dropping malicious packets—based and script alerts; and capture and log packets for detailed
on granular policy—before they reach their intended analysis. IntruShield offers a full spectrum of security poli-
targets. Wire-speed performance and highly reliable cies even from a single sensor.
operation prevent IntruShield sensors from becoming
bottlenecks Integrated detection and prevention in a single product
enable the flexibility to migrate from intrusion detection
• Port Clustering—Port Clustering, or interface group- to intrusion prevention at a user-selected pace, while
ing, enables traffic monitored by multiple ports on a preserving enterprise and service provider technology
single system to be aggregated into one traffic stream investments.
for stateful intrusion analysis

• High Availability with Stateful Failover—IntruShield

sensors support high-availability IPS deployments

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 7
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

IntruShield provides unprecedented

deployment flexibility and scalability.

McAfee PrimeSupport Network Protection Solutions. McAfee’s PrimeSupport team

McAfee has pursued a strategy of providing best-of-breed has all the right resources and is ready to deliver your
technology for each type of security and performance needed service solution. PrimeSupport resources include:
management application—but the Protection-in-Depth delivering authorization to access all available maintenance
Strategy is more than just deploying and implementing best- releases and product upgrades, access to a comprehensive
of-breed solutions today. Prevention is certainly our first suite of additional online self-support capabilities, live telephone
priority, but inevitably, you will have to react to a problem. support accessible 24/7/365, available assigned support
account managers, and a range of software and hardware
The McAfee PrimeSupport® program is essential for making support solutions that can be tailored to meet your needs.
the most of your investment in McAfee System and

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 8
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

IntruShield Sensor Specifications

Sensor Hardware Components I-4010 I-4000 I-3000 I-2600 I-1400 I-1200
Network Location Core Core Core Perimeter Branch Branch Office
Office/Perimeter
PerformanceThroughput Up to 2Gb/s Up to 2Gb/s Up to 1Gb/s Up to Up to Up to
600Mb/s 200Mb/s 100 Mb/s
Concurrent Session State Maintenance 1,000,000 1,000,000 1,000,000 250,000 80,000 40,000
Ports
Gigabit Ethernet Detection Ports 12 4 12 2 — —
Fast Ethernet Detection Ports —- —- — 6 4 2
Dedicated Fast Ethernet Response Ports 2 2 2 3 1 1
Dedicated Fast Ethernet Management Port Yes Yes Yes Yes Yes Yes
External Fail-Open Control Ports 6 2 6 1 — —
Console and Aux Ports Yes Yes Yes Yes Yes Yes
Built-in Network Taps No No No Yes Yes Yes
(for Fast
Ethernet
Ports)
Fail-Open Optional Optional Optional Yes Yes Yes
(for Fast
Ethernet
Ports)
Fail-Close Yes Yes Yes Yes Yes Yes
Mode of Operation
SPAN Port Monitoring Yes Yes Yes Yes Yes Yes
Tap Mode Optional Optional Optional Yes Yes Yes
(for Fast
Ethernet
Ports)
In-Line Mode Yes Yes Yes Yes Yes Yes
Port Clustering Yes Yes Yes Yes Yes Yes
No. of Virtual Systems 1,000 1,000 1,000 100 32 16
Traffic Monitoring on Active-Active Links Yes Yes Yes Yes Yes Yes
Traffic Monitoring on Active-Passive Links Yes Yes Yes Yes Yes Yes
Monitoring of Asymmetric Traffic Routing Yes Yes Yes Yes Yes Yes
High Availability
Redundant Power Yes Yes Yes No No No
(Optional) (Optional) (Optional)
Device Failure Detection Yes Yes Yes Yes Yes Yes
Link Failure Detection Yes Yes Yes Yes Yes Yes
Physical
Dimensions 2RU 2RU 2RU 1RU 1RU 1RU
Rack- Rack- Rack- Rack- Rack- Rack-
Mountable Mountable Mountable Mountable Mountable Mountable
17.44 (W) x 17.44 (W) x 17.44 (W) x 17.32 (W) x 17.32 (W) x 17.32 (W) x
3.44 (H) x 23.00 (D) 3.44 (H) x 23.00 (D) 3.44 (H) x 23.00 (D) 1.69 (H) x 17.64 (D) 1.65 (H) x10.5 (D) 1.65 (H) x10.5 (D)
Weight 47lbs. 47lbs. 47lbs. 28lbs. 17lbs. 15lbs.
Power 100-240VAC Same for Same for Same for Same for Same for
(50/60Hz) All Models All Models All Models All Models All Models
Power Consumption 350w 350w 350w 250w 100w 100w
Temperature 0° to 40° C (Operating) Same for Same for Same for Same for Same for
-40° to 70° C (Non-operating) All Models All Models All Models All Models All Models
Relative Humidity Operational: 10% to 90% Same for Same for Same for Same for Same for
(non-condensing) Non-operational: 5% to 95% All Models All Models All Models All Models All Models
Altitude 0 – 10,000 feet Same for Same for Same for Same for Same for
All Models All Models All Models All Models All Models
Safety Certification UL 1950, CSA-C22.2 Same for Same for Same for Same for Same for
No. 950, EN-60950, All Models All Models All Models All Models All Models
IEC 950, EN 60825,
IEC 60825, 21CFR1040
CB license and report covering
all national country deviations.
EMI Certification FCC Part 15, Class A Same for Same for Same for Same for Same for
(CFR 47) (USA) All Models All Models All Models All Models All Models
ICES-003 Class A (Canada),
EN55022 Class A (Europe),
CISPR22 Class A (Int’l)

www.mcafee.com
 Data Sheet McAfee IntruShield Network IPS Sensor Page 9
Pioneering and Industry-Leading, Next-Generation
Network Intrusion Prevention Solution

Sensor Software Components I-4010 I-4000 I-3000 I-2600 I-1400 I-1200

Stateful Traffic Inspection IP Defragmentation and TCP Stream Reassembly Yes Yes Yes Yes Yes Yes
Detailed Protocol Analysis Yes Yes Yes Yes Yes Yes
Asymmetric Traffic Monitoring Yes Yes Yes Yes Yes Yes
Protocol Normalization Yes Yes Yes Yes Yes Yes
Advanced Evasion Protection Yes Yes Yes Yes Yes Yes
Forensic Data Collection Yes Yes Yes Yes Yes Yes
Protocol Tunneling Yes Yes Yes Yes Yes Yes
Protocol Discovery Yes Yes Yes Yes Yes Yes
Signature Detection User-Defined Signatures Yes Yes Yes Yes Yes Yes
Realtime Signature Updates Yes Yes Yes Yes Yes Yes
Anomaly Detection Statistical Anomaly Yes Yes Yes Yes Yes Yes
Protocol Anomaly Yes Yes Yes Yes Yes Yes
Application Anomaly Yes Yes Yes Yes Yes Yes
DoS Detection Threshold-Based Detection Yes Yes Yes Yes Yes Yes
Self-Learning Profile-Based Detection Yes Yes Yes Yes Yes Yes
DoS Profiles 3,000 3,000 3,000 500 128 64
Intrusion Prevention Stop Attacks in Progress in Real Time Yes Yes Yes Yes Yes Yes
Drop Attack Packets/Sessions Yes Yes Yes Yes Yes Yes
Reconfigure Firewall Yes Yes Yes Yes No No
Initiate TCP Reset, ICMP Unreachable Yes Yes Yes Yes Yes Yes
Packet Logging Yes Yes Yes Yes Yes Yes
Automated and User-Initiated Prevention Yes Yes Yes Yes Yes Yes
Encrypted Attack Protection Stops Encrypted Attacks in Real Time Yes Yes Yes Yes No No
Internal Firewall Blocks Unwanted and Nuisance Traffic Yes Yes Yes Yes Yes Yes
Granular Security Policy Enforcement Yes Yes Yes Yes Yes Yes
High Availability Stateful Failover Yes Yes Yes Yes Yes Yes
(for Fast
Ethernet Ports)
Management Command Line Interface (Console) Yes Yes Yes Yes Yes Yes
Manager Communication Secure Channel Same for Same for Same for Same for Same for
All Models All Models All Models All Models All Models

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee® products denote years of experience and commitment to customer satisfaction. The McAfee PrimeSupport® team of responsive, highly skilled support technicians provides tailored solu-
tions, delivering detailed technical assistance in managing the success of mission-critical projects—all with service levels to meet the needs of every customer organization. McAfee Research, a
world leader in information systems and security research, continues to spearhead innovation in the development and refinement of all our technologies.
McAfee, IntruShield, Protection-in-Depth, Entercept, Intrusion Intelligence, and PrimeSupport are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. The color red in connection with security is distinctive of McAfee® brand products. All other registered and unregistered trademarks herein are the sole property of their respective
owners. © 2005 McAfee, Inc. All Rights Reserved. 1-sps-ins-005-0105