ADM rules

McAfee ADM is a series of network appliances powered by the ICE Deep Packet Inspection (DPI) Engine.

The ICE Engine is a software library and a collection of protocol and content plug-in modules that can identify and extract content from raw network traffic in real time. It can fully reassemble and decode application-level content, transforming cryptic network packet streams into easily readable content, as if it were being read from a local file.

The ICE engine automatically identifies protocols and content types without relying on fixed TCP port numbers or file extensions. The ICE engine does not rely on signatures to perform its analysis and decoding; instead, its modules implement full parsers for each protocol or content type. This results in extremely accurate identification and decoding of content, and allows content to be identified and extracted even when it is compressed or otherwise encoded and, therefore, doesn’t pass over the network in clear text.

As a result of this highly accurate identification and decoding, the ICE engine is able to offer a uniquely deep view of network traffic. For example, the ICE engine could receive a PDF document stream that traversed the network inside a .zip file, as a BASE-64 encoded attachment to an SMTP email from a SOCKS proxy server.

This application and document awareness allows the ADM to provide invaluable security context. It can detect threats that a traditional IDS or Nitro IPS can't easily detect, such as:

  • Leak of sensitive information and documents or communication policy violations.
  • Unauthorized application traffic (for example, who’s using Gnutella?).
  • Applications being used in unexpected ways (for example, HTTPS on non-standard port).
  • Potentially malicious documents (for example, document does not match its extension).
  • New generation of exploits (for example, PDF document with an embedded executable).

The ADM also detects malicious traffic patterns by detecting anomalies in application and transport protocols (for example, an RPC connection is malformed or TCP destination port is 0).

Supported applications and protocols

ADM can monitor, decode, and detect anomalies in more than 500 applications and protocols. Here is a sample list:

  • Low-level network protocols — TCP/IP, UDP, RTP, RPC, SOCKS, DNS, and others

  • Email — MAPI, NNTP, POP3, SMTP, Microsoft Exchange

  • Chat — MSN, AIM/Oscar, Yahoo, Jabber, IRC

  • Webmail — AOL Webmail, Hotmail, Yahoo! Mail, Gmail, Facebook, and MySpace email

  • P2P — Gnutella, bitTorrent

  • Shell — SSH (detection only), Telnet

  • Instant messaging — AOL, ICQ, Jabber, MSN, SIP, and Yahoo

  • File transfer protocols — FTP, HTTP, SMB, and SSL

  • Compression and extraction protocols — BASE64, GZIP, MIME, TAR, ZIP, and others

  • Archive files — RAR Archives, ZIP, BZIP, GZIP, Binhex, and UU-encoded archives

  • Installation packages — Linux packages, InstallShield cabinets, Microsoft cabinets

  • Image files — GIFs, JPEGs, PNGs, TIFFs, AutoCAD, Photoshop, Bitmaps, Visio, Digital RAW, and Windows icons

  • Audio files — WAV, MIDI, RealAudio, Dolby Digital AC-3, MP3, MP4, MOD, SHOUTCast, and more

  • Video files — AVI, Flash, QuickTime, Real Media, MPEG-4, Vivo, Digital Video (DV), Motion JPEG, and more

  • Other applications and files — Databases, spreadsheets, faxes, web applications, fonts, executable files, Microsoft Office applications, games, and even software development tools

  • Other protocols — Network printer, shell access, VoIP, and peer-to-peer

Key concepts

Key to understanding how ADM works is an awareness of the following concepts:

  • Object — An object is an individual item of content. An email is an object but also an object container since it has a message body (or two) and attachments. An HTML page is an object which may contain additional objects such as images. A .zip file and each file within the .zip file are all objects. ADM unpacks the container and treats each object inside as its own object.

  • Transaction — A transaction is a wrapper around the transfer of an object (content). A transaction contains at least one object; however, if that object is a container, like a .zip file, then the single transaction might contain several objects.

  • Flow — A flow is the TCP or UDP network connection. A flow might contain many transactions.
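As an added illustration (not ADM's or the ICE engine's own code), the following Python models the object and transaction concepts above together with the "document does not match its extension" check from the threat list: it strips the BASE64 layer of an SMTP attachment, unpacks the .zip container into child objects, and identifies each object by parsing its leading bytes rather than trusting its name. The magic-byte table, the `Obj` class and the sample attachment are constructed assumptions for the demo.

```python
import base64
import io
import zipfile
from dataclasses import dataclass, field

# Magic-byte signatures for the few content types this demo recognises (constructed subset).
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "executable"}
# Extension each identified type is expected to carry; used by the mismatch rule.
EXPECTED_EXT = {"pdf": ".pdf", "zip": ".zip", "executable": ".exe"}


@dataclass
class Obj:  # one item of content; a container holds its members as child objects
    name: str
    ctype: str
    children: list = field(default_factory=list)


def identify(data: bytes) -> str:
    """Identify content by parsing its leading bytes, never by the file name."""
    for sig, ctype in MAGIC.items():
        if data.startswith(sig):
            return ctype
    return "unknown"


def decode_object(name: str, data: bytes) -> Obj:
    """Identify one object and recursively unpack it if it is a zip container."""
    obj = Obj(name, identify(data))
    if obj.ctype == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                obj.children.append(decode_object(info.filename, zf.read(info)))
    return obj


def decode_transaction(attachment_name: str, b64_body: str) -> Obj:
    # A transaction wraps one transferred object: remove the BASE64 layer, then unpack.
    return decode_object(attachment_name, base64.b64decode(b64_body))


def extension_mismatches(obj: Obj) -> list:
    """Rule: flag every object (container or member) whose type disagrees with its extension."""
    ext = EXPECTED_EXT.get(obj.ctype)
    hits = [(obj.name, obj.ctype)] if ext and not obj.name.lower().endswith(ext) else []
    for child in obj.children:
        hits += extension_mismatches(child)
    return hits


def build_sample_attachment() -> str:
    """Constructed sample: a zip holding a PDF header disguised as notes.txt, BASE64-encoded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"%PDF-1.4 (constructed header, not a real document)")
        zf.writestr("readme.txt", b"plain text")
    return base64.b64encode(buf.getvalue()).decode()
```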