McAfee M-1250 - Network Security Platform, Network Security Platform Deployment Manual

IPS Deployment Guide
revision 2.0
McAfee®
Network Protection
Industry-leading network security solutions
McAfee® Network Security Platform
version 6.0
COPYRIGHT
Copyright © 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected].edu), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarv[email protected]), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
700-2366-00/ 2.0 - English
Issued NOVEMBER 2010 / IPS Deployment Guide
Contents
Preface .......................................................................................................... iv
Introducing McAfee Network Security Platform.............................................................................iv
About this Guide............................................................................................................................iv
Audience .......................................................................................................................................iv
Conventions used in this guide .....................................................................................................iv
Related Documentation................................................................................................................. v
Contacting Technical Support......................................................................................................vii
Chapter 1 Getting Started............................................................................ 1
Deciding where to deploy Sensors and in what operating mode ..................................................1
Setting up your Sensors................................................................................................................2
Establish Sensor-to-Manager communication............................................................................... 4
Viewing and working with data generated by Network Security Platform .....................................5
Configuring your deployment using the Manager ......................................................................... 5
Updating your signatures and software......................................................................................... 6
Tuning your deployment................................................................................................................7
Chapter 2 Planning Network Security Platform Installation..................... 8
Pre-deployment considerations.....................................................................................................8
What is the size of your network?..........................................................................................8
How many access points are there between your network and the extranets or Internet? ...9
Where are the critical servers that require protection within your network?...........................9
How complex is your network topology?................................................................................9
How much traffic typically crosses your network?................................................................10
Where are your security operations located?.......................................................................11
Where should I deploy Sensors?.........................................................................................11
Chapter 3 Sensor Deployment Modes ...................................................... 13
Flexible deployment options........................................................................................................13
Multi-port Sensor deployment..............................................................................................13
Supported deployment modes .............................................................................................13
Full-duplex and half-duplex monitoring ................................................................................15
Deploying Sensors in in-line mode.............................................................................................. 15
Fail-open versus fail-closed .................................................................................................17
Deploying Sensors in tap mode ..................................................................................................18
Deploying the Sensors with FE ports in internal tap mode ..................................................19
Deploying Sensors with GE ports in external tap mode.......................................................20
Shifting from tap mode to in-line mode ................................................................................21
SPAN port and hub monitoring....................................................................................................21
SPAN port and hub monitoring ............................................................................................22
High-Availability...........................................................................................................................22
Understanding failover in Network Security Platform...........................................................23
Interface groups ..........................................................................................................................24
Chapter 4 Deployment Scenarios.............................................................. 26
Deployment flexibility...................................................................................................................26
Deployment scenario for beginners............................................................................................. 26
Deployment scenario for intermediate users............................................................................... 27
Deployment scenario for advanced users................................................................................... 27
Index............................................................................................................. 29
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as, the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion
Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical
enterprise, carrier, and service provider networks, while providing unmatched protection
against spyware and known, zero-day, and encrypted attacks.
McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring
network traffic by analyzing NetFlow information flowing through the network in real time,
thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network
Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a
single Manager.
About this Guide
This guide contains information to help you in determining your network security needs
and provides basic information about deployment. Included are various deployment
scenarios for network technicians with different experience levels. With this information,
you can determine which McAfee® Network Security Sensor model(s) will best suit your
environment and which operating mode you will need to employ for each McAfee Network
Security Sensor (Sensor) port.
Audience
This guide is intended for use by network technicians responsible for planning and
deploying company>
®
Network Security Manager as you ensure your system architecture
meets your security requirements, develop security mechanisms within the software
architecture, and ensure the integrity of the architectures (such as data center, software,
hardware, and network).
Conventions used in this guide
This document uses the following typographical conventions:
Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.
Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.
Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.
Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.
Convention: Text such as syntax, key words, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.
Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.
Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>
Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:
Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:
Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:
Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick Tour
for more information on these guides.
Quick Tour
Installation Guide
Upgrade Guide
Getting Started Guide
Manager Configuration Basics Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
M-1250/M-1450 Quick Start Guide
M-2750 Sensor Product Guide
M-2750 Quick Start Guide
M-3050/M-4050 Sensor Product Guide
M-3050/M-4050 Quick Start Guide
M-6050 Sensor Product Guide
M-6050 Quick Start Guide
M-8000 Sensor Product Guide
M-8000 Quick Start Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
10 Gigabit Fail-Open Bypass Kit Guide
M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
M-2750 Slide Rail Assembly Procedure
M-series DC Power Supply Installation Procedure
Administrative Domain Configuration Guide
Manager Server Configuration Guide
CLI Guide
Device Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
Custom Attack Definitions Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
Special Topics Guide—In-line Sensor Deployment
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
NTBA Appliance Administrator's Guide
NTBA Monitoring Guide
NTBA Appliance T-200 Quick Start Guide
NTBA Appliance T-500 Quick Start Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found on the McAfee Contact Information page,
http://www.mcafee.com/us/about/contact/index.html.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
Chapter 1
Getting Started
This chapter provides a high-level overview of McAfee® Network Security Platform
[formerly McAfee® IntruShield®].
The tasks described in this chapter provide pointers to more detailed information in the
other books of the McAfee Network Security Platform documentation set.
Note: Most of your interaction with Network Security Platform is through McAfee®
Network Security Manager. Some configuration can be done using the McAfee®
Network Security Sensor Command Line interface.
The process of setting up and running Network Security Platform falls into these basic
stages:
1 Deciding where to deploy McAfee Network Security Sensors (Sensors) and in what
operating mode
2 Setting up your Sensors for the desired deployment mode(s)
3 Installing the Manager software and establishing Sensor-to-McAfee Network Security
Manager (Manager) communication
4 Configuring your deployment using the Manager
5 Updating your signatures and software
6 Viewing and working with data generated by Network Security Platform
7 Tuning your deployment
Each of these stages consists of a number of tasks; some are simple, some are complex.
You will generally perform steps 1 through 3 only once per Sensor.
Deciding where to deploy Sensors and in what operating mode
Where you deploy your Sensors and which Sensor model to use depends on your network
topology, the amount of traffic on the network, and your security goals, which, ideally, are
specified in your company’s security policy.
Determine where you will place the Sensors. This is an individual decision your company will
need to make. Questions to ask yourself in making this decision are covered at a high
level in Pre-Installation Considerations (on page 8). Some things to consider are what
assets you want to protect, the configuration of your network, the location of your
aggregation points, the type of traffic, how the traffic is routed, and so on.
Establish a naming convention for your Sensors. The Sensor name is used to identify the
Sensor in the Manager interface, in certain reports, and in the alert data generated by
the Sensor. McAfee recommends you establish a naming convention that is easy to
interpret by anyone working with the Network Security Platform deployment. Once you
name a Sensor, you cannot rename it without de-installing and reinstalling it.
Setting up your Sensors
The process of setting up a Sensor is described below at a high level. You perform these
tasks on the Sensor. For more information on these tasks, see CLI Guide.
1 Position the Sensor.
Unpack the Sensor and place on a sturdy, level counter top.
Attach the provided rack mounting ears to the Sensor.
Install the Sensor in a rack.
Note: The I-1200 and I-1400 are 1-RU (rack unit) boxes; the I-2700, I-3000, I-4000,
and I-4010 are 2-RU boxes. The M-8000 includes two 2-RU boxes; the M-6050, M-4050,
M-3050, and M-2750 are 2-RU boxes; and the M-1450 and M-1250 are 1-RU boxes.
2 Install any additional hardware.
3 Install GBICs, SFP GBICs, or XFP GBICs (not included) in the GBIC slots. Note that
four XFP GBICs are included in the Accessory Kit of an M-8000 to use in the
Interconnect ports (XC2, XC3, XC5, and XC6).
Optical slots per Sensor model
Sensor model    Number of slots
I-2700          2
I-3000          12 (SFP slots)
I-4000          4
I-4010          12 (SFP slots)
M-8000          28 (16 SFP slots and 12 XFP slots)
M-6050          16 (8 SFP slots and 8 XFP slots)
M-4050          12 (8 SFP slots and 4 XFP slots)
M-3050          12 (8 SFP slots and 4 XFP slots)
M-2750          20 (20 SFP slots)
M-1450          8 (0 SFP slots)
M-1250          8 (0 SFP slots)
N-450           20 (20 SFP slots)
Note: To ensure compatibility, McAfee supports only those GBIC or SFP and
XFP GBIC modules purchased through McAfee or from a McAfee-approved
vendor. For a list of approved vendors, see the on-line KnowledgeBase
http://mysupport.mcafee.com
4 (Optional) If you have purchased a redundant power supply, install the power supply.
Sensor models supporting redundant power supply are listed in the table below.
Models supporting a redundant power supply
Sensor    Power supply
I-1200    1 internal
I-1400    1 internal
I-2700    1 included; 1 redundant available separately
I-3000    1 included; 1 redundant available separately
I-4000    1 included; 1 redundant available separately
I-4010    1 included; 1 redundant available separately
M-8000    2 included; 2 redundant available separately
M-6050    1 included; 1 redundant available separately
M-4050    1 included; 1 redundant available separately
M-3050    1 included; 1 redundant available separately
M-2750    1 included; 1 redundant available separately
M-1450    1 internal
M-1250    1 internal
N-450     1 included; 1 redundant available separately
5 Cable the Sensor for configuration.
Attach network cables to the Sensor as described in each Sensor model's Sensor
Product Guide. You must cable the Sensor Management and Console ports,
respectively, to communicate with the Manager server and the console machine
you will use to configure the Sensor. You can cable the Sensor Monitoring and
Response ports at a later time.
Power on the Sensor to initialize it.
Establish Sensor-to-Manager communication
The process of installing the Manager and establishing Sensor-to-Manager communication is described below at a high level.
1 Set up the Manager software on the server machine.
Install the Manager software on the server machine. For more information on this
process, see Installation Guide.
Start the Manager software as described in Manager Server Configuration Guide. You
can establish communication with a Sensor via the Manager server or from a
browser on a client machine that can connect to the Manager server.
McAfee recommends you connect to the Manager server via browser session
from a separate client machine to perform your configuration tasks.
You can choose a specific policy to apply by default to the Root Admin Domain
(and thus all monitoring interfaces on the Sensor). By default, the provided Default
policy is applied to all of your Sensor ports upon Sensor addition.
For more information on admin domains, see Administrative Domains, Getting
Started Guide. For more information on policies, see Working with Security Policies,
Getting Started Guide.
Whatever policy you’ve specified will apply until you make specific changes; the
Default policy gets you up and running quickly. Most users tune their policies over
time, in conjunction with VIPS, to best suit their environments and reduce the
number of irrelevant alerts.
Open the System Configuration tool and add the Sensor, providing the Sensor
with a name and a shared secret key value. This process is described in Device
Configuration Guide.
2 Configure the Sensor.
From a serial console connected physically or logically to the Sensor, configure
the Sensor with network identification information (that is, IP address, IP address of
the Manager server, and so on), and configure it with the same case-sensitive
name and shared secret key value you provided in the Manager.
For more information on configuring the Sensor using the Sensor CLI, see CLI
Guide.
3 Verify communication between the Sensor and the Manager.
Verify on the Sensor CLI the health of the Sensor and that the Sensor has
established communication with the Manager. Use the status command.
Verify in the Manager interface that a node representing the Sensor appears in
the Resource Tree under the Sensors node. Viewing the Resource Tree is
described in The Resource Tree, Getting Started Guide.
4 Troubleshoot any problems you run into.
If you run into any problems, check your configuration settings, and ensure that
they’re correct. For more troubleshooting tips, see Troubleshooting Guide.
5 Verify the operating mode of the ports on your Sensor.
Your Sensor ports are configured by default for monitoring in in-line mode; that is,
connected via a port pair on the Sensor to a segment of your network. If you’ve
cabled the Sensor to monitor in in-line mode, check your settings to make sure
everything is correct.
For more information on verifying port configuration, see Device Configuration Guide.
Viewing and working with data generated by Network Security Platform
Once you’ve completed the steps in the previous sections, you’re up and running. While
actively monitoring network traffic, your Sensor will generate alerts for traffic that is in
violation of the set security policy.
Network Security Platform displays a summary view of the count of alerts in the Manager
Home page, organized by severity (High, Medium, Low, and Informational). Network
Security Platform provides two tools for examining and viewing the alerts:
The Threat Analyzer enables you to drill down to the details of an alert such as what
triggered the alert, when, what Sensor detected it, the source IP address of the attack
that triggered the alert, the destination IP address of the attack, and so on. You use
the Threat Analyzer to perform forensic analysis on the alert to help you tune the
Network Security Platform system, provide better responses to attacks, and otherwise
shore up your defenses.
The Reports Main page provides you detailed reports based on your alerts, and
reports on your Network Security Platform configuration. You can use these reports to
communicate incidents to other members of your team and to your management.
Note: For more information on these tools, see Manager Server Configuration Guide and
Reports Guide.
Configuring your deployment using the Manager
Once you’re up and running and reviewing the data generated by the system, you can
further configure and maintain your system. For example, you can do the following:
Apply security policies to each interface of your multi-port Sensor (instead of applying one policy
to all interfaces, as when you chose the default policy in Establish Sensor-to-Manager
communication (on page 2)). You can ensure all of your interfaces use policies
specifically for the areas of your network they are monitoring. For example, you can
apply the Web Server policy to one interface, a Mail Server policy to another, the Internal
Segment policy to another, and so on. For more information on the provided policies,
see Network Security Platform policies, Getting Started Guide.
Configure responses to alerts. Developing a system of actions, alerts, and logs based on
impact severity is recommended for effective network security. For example, you can
configure Network Security Platform to send a page or an email notification, execute a
script, disconnect a TCP connection, send an “ICMP Host Not Reachable” message to
the attack source for ICMP transmissions, or send address-blocking for a host.
For more information on response actions, see Response management, Getting Started
Guide. For more information on configuring pager, email, or script notification, or
configuring an IPS quarantine response, see Administrative Domain Configuration Guide and
Device Configuration Guide.
Filter alerts. An attack filter limits the number of alerts generated by the system by
excluding certain Source and Destination IP address parameters. If these address
parameters are detected in a packet, the packet is not analyzed further (and is
automatically forwarded when in In-line Mode). For more information on attack filters,
see Administrative Domain Configuration Guide.
McAfee® Network Security Platform 6.0
Getting Started
View the system’s health. The Operational Status page details the functional status for all
of your installed Network Security Platform system components. Messages are
generated to detail system faults experienced by your Manager, Sensors, or
database. For more information, see System Status Monitoring Guide.
View a port’s performance. The Performance Statistics action enables you to view
performance data for a port on a Sensor. The data collected is a reflection of the
traffic that has passed through the port. For more information, see Device Configuration
Guide.
Back up all or part of your Manager configuration information to your server or other
location. Network Security Platform provides three backup options:
All Tables: all Network Security Platform data (configuration, audit, and alert).
Config Tables: all information related to system configuration, such as port
configuration, users, admin domains, policies for all Network Security Platform
resources in all domains.
Audit and Alert Tables: all information related to user activity and alerts.
Note: The All Tables and Audit and Alert Tables options can be rather large in size,
depending upon the amount of alert data in your database. McAfee
recommends saving these types of backups to an alternate location.
For more information on how to back up your data, see Manager Server Configuration
Guide.
Updating your signatures and software
An essential element to a reliable IPS is updating the system signature and software
images. McAfee periodically releases new Manager software and Sensor signature and
software images, and makes these updates available via the McAfee® Network Security
Update Server to registered support customers.
Figure 1: Sensor software update methods
Field Description
1 Update Server
2 Internet
3 Manager Server
4 PC/tftp server
5 Import/disk
6 Sensor
Note: Manager software installation includes a default signature set image.
There are several options for loading updates to your Manager and Sensors.
1 Download images from the McAfee Network Security Update Server (Update Server) to your Manager.
You can use the Manager interface to download Sensor software and signature
updates from the Update Server to the Manager server, and then download the
Sensor image to the Sensor. For more information, see Manager Server Configuration
Guide.
2 Import image files from a remote workstation to your Manager.
If your Manager server is not connected to the Internet, you can download the
updates from the Update Server to any host, then do one of the following:
Download the image to a remote host, then log in to the Manager via a browser
session on the remote host and import the image to the Manager server. You can
then download the Sensor image to the Sensor. For more information, see
Manager Server Configuration Guide.
Similar to above, download the image from the Update Server to any host, put it
on a disk, take the disk to the Manager server, and then import the image and
download it to the Sensor.
3 Download Sensor software from the Update Server to a TFTP client then to a Sensor.
You can download the software image from the Update Server onto a TFTP server,
and then download the image directly to the Sensor using commands on the Sensor
CLI. This is useful if you prefer not to update Sensor software via the Manager, or if
you encounter a situation in which you cannot do so. For more information on this
method, see CLI Guide.
Tuning your deployment
Once you become familiar with the basics of the Manager program, you can further
enhance your deployment by utilizing some of the more advanced features. These
features include:
Cloning and modifying the Network Security Platform-provided policy. For more information, see
Working with Security Policies, Getting Started Guide.
Deploying your Sensor to monitor traffic in Tap mode or, ultimately, in In-line mode. For more
information, see Sensor Deployment Modes (on page 13).
Adding users and assigning management roles. For more information, see Managing Users in
Network Security Platform, Getting Started Guide.
Adding admin domains for resource management. For more information, see Administrative
Domains, Getting Started Guide.
Changing your interface type to CIDR or VLAN depending on your network configuration. For more
information, see Interface and Sub-Interface Node, Device Configuration Guide.
Using Access Control Lists (ACLs) to block traffic or pass traffic without sending it through the IDS
engine. For more information, see Device Configuration Guide.
CHAPTER 2
Planning Network Security Platform Installation
This section discusses the considerations and pre-installation steps that require planning
and completion before you deploy the McAfee® Network Security Platform.
Tip: If you are a beginner and want some strategies for deploying McAfee Network
Security Platform, you should also read Deployment Scenarios (on page 26).
Pre-deployment considerations
Deployment of Network Security Platform requires specific knowledge of your network’s
security needs. Answering the following questions will determine which McAfee® Network Security
Sensor (Sensor) model will best suit your environment, and in what operating mode
you’ll need to employ each Sensor port.
Consider the following questions as you plan your Network Security Platform deployment:
What is the size of your network?
How many access points are there between your network and the extranets or Internet?
Where are the critical servers that require protection within your network?
How complex is your network topology?
How much traffic typically crosses your network?
Where are your security operations located?
Where should I deploy Sensors?
What is the size of your network?
The size of your network will determine the number of Sensors you will require to
successfully and efficiently protect your network. A large network with many access points,
file servers, and machines in use may require a larger level of IPS deployment than a
small office with just a single access point and few machines.
Knowing how your business will grow can help determine the amount of equipment you
will require and the proper strategy for network placement. Network Security Platform is
built with growth in mind. The Network Security Platform can manage multiple Sensors,
and Sensors can scale in performance from 100 Mbps to multiple gigabits per second for
monitoring network segments.
McAfee® Network Security Platform 6.0
Planning Network Security Platform Installation
How many access points are there between your network and the extranets or Internet?
Large corporations have several points of access that can be exploited by parties with
malicious intent. Protecting the various points of access to your network is the key to any
successful IDS installation. You’re only as strong as your weakest link.
Intrusions coming in from the Internet are important to combat, but misuse and intrusions
attempted through the extranets or inside the corporate network are equally critical to
defend against. In fact, research statistics show that insiders are the most common source
of attacks.
Where are the critical servers that require protection within your network?
File servers containing financial, personnel, and other confidential information need
protection from those people wishing to exploit your critical information. These machines
are extremely appealing targets. And, as discussed in the previous section, insiders pose
a threat that must be addressed.
You should also consider whether you need different levels of security for different parts of
the organization. Assess how much of your sensitive material is on-line, where it is
located, and who has access to that material.
How complex is your network topology?
Asymmetrically routed networks are complex environments that require careful planning
and execution.
The following figure shows a network protected by the Sensor in tap operating mode.
Since both links are monitored by the same Sensor, the state machine remains in sync.
The Sensor can support an Active-Active configuration as long as the aggregate
bandwidth does not exceed the total processing capacity of the Sensor.
Furthermore, a Sensor can also monitor asymmetrically routed traffic where the traffic
comes in on one link and goes out another link, because the state machine on the Sensor
associates the inbound and outbound traffic efficiently. For more information on monitoring
asymmetrically routed traffic, see Interface groups (on page 24).
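The state-machine behaviour described above, as an added example that is not part of this guide: a minimal TCP handshake tracker keyed on a direction-neutral 5-tuple, fed the same constructed handshake once by a Sensor attached to both links and once by a single-link sensor (link names, addresses and the packet layout are assumptions).

```python
"""Added example (not McAfee's code): a Sensor that sees both links of an
asymmetrically routed path keeps TCP state; a single-link sensor cannot.
Packets, link names and addresses are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    link: str            # monitored link the packet was seen on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

def flow_key(p):
    """Direction-neutral 5-tuple, identical for both halves of a conversation."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class FlowTracker:
    """Minimal TCP handshake state machine over the links this Sensor monitors."""
    def __init__(self, links):
        self.links = set(links)
        self.state = {}          # flow_key -> handshake state

    def feed(self, packets):
        for p in packets:
            if p.link not in self.links:
                continue         # never seen by a Sensor not attached to this link
            k = flow_key(p)
            s = self.state.get(k, "NEW")
            if s == "NEW" and p.flags == {"SYN"}:
                s = "SYN_SEEN"
            elif s == "SYN_SEEN" and p.flags == {"SYN", "ACK"}:
                s = "SYNACK_SEEN"
            elif s == "SYNACK_SEEN" and p.flags == {"ACK"}:
                s = "ESTABLISHED"
            self.state[k] = s
        return self.state

# Constructed asymmetric handshake: client->server on link A, replies on link B.
HANDSHAKE = [
    Packet("A", "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"})),
    Packet("B", "192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("A", "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"ACK"})),
]

def handshake_state(links):
    """Handshake state reached when a Sensor monitoring `links` sees HANDSHAKE."""
    return FlowTracker(links).feed(HANDSHAKE)[flow_key(HANDSHAKE[0])]
```

handshake_state(["A", "B"]) returns "ESTABLISHED", while handshake_state(["A"]) stalls at "SYN_SEEN" because the SYN-ACK on link B is never seen.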
Figure 2: Tap Monitoring of Active-Passive Links
How much traffic typically crosses your network?
Bandwidth and traffic flow are crucial to running a successful enterprise network.
Bandwidth requirements will vary in an enterprise network, as different applications and
business functions have different needs. Bandwidth utilization on the network segments
that you need to monitor will determine what type of Sensor will work best for you. Network
Security Platform offers multiple Sensors providing different bandwidths:
Sensor bandwidth
Sensor Aggregate Performance
I-1200 100 Mbps
I-1400 200 Mbps
I-2700 600 Mbps
I-3000 1 Gbps
I-4000 2 Gbps
I-4010 2 Gbps
M-8000 10 Gbps
M-6050 5 Gbps
M-4050 3 Gbps
M-3050 1.5 Gbps
M-2750 600 Mbps
M-1450 200 Mbps
M-1250 100 Mbps
N-450 2 Gbps
Where are your security operations located?
To successfully defend against intrusions, McAfee recommends dedicated monitoring of
the security system. Network intrusions can happen at any given moment, so having a
dedicated 24-hour-a-day prevention system will make the security solution complete and
effective.
Where are your security personnel? How many users are involved? Knowing who will be
configuring your policies, monitoring events, running reports, and performing other
configuration tasks will help you manage your users and determine where you locate your
McAfee® Network Security Manager server. The Manager should be placed in a physically
secure location, should be logically accessible to users, and must have reliable
connectivity so as to be able to communicate with all deployed Sensors.
Where should I deploy Sensors?
Should you deploy Sensors at the perimeter of your network, in front of the servers you
want to protect, or at a convenient nexus where all traffic passes?
Deployment at the perimeter does not protect you from internal attacks, which are among
the most common sources of attacks. Perimeter monitoring is also useless if a network has
multiple ISP connections at multiple locations (such as one Internet connection in New
York and one in San Jose) and if you expect to see asymmetric traffic routing (that is,
incoming traffic comes through New York and outgoing traffic goes out through San Jose).
The IPS simply will not see all the traffic to maintain state and detect attacks. Deployment
in front of the servers that you want to protect both detects attacks from internal users and
deals effectively with the geographically diverse asymmetric routing issue.
An illustration of the advantage of Sensors’ multiple-segment monitoring is to consider the
question of installing Sensors with respect to firewalls. It is very common to deploy
Sensors around firewalls to inspect the traffic that is permitted by the firewall. A common
question when installing Sensors around the firewall is: do you put the Sensors on the
inside (Private and DMZ) of the firewall or outside it (Public)? There are benefits to
both scenarios, and the more complete solution includes both. For example, if you detect
an attack on the outside of the firewall and you detect the same attack on the inside of the
firewall, then you know your firewall has been breached. This is obviously a much higher
severity event than if you were just to see the attack on the outside and not on the inside,
which means that your firewall blocked the attack.
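The outside/inside comparison above, as an added example that is not McAfee's code: alert correlation that flags a firewall breach when the same attack, source and destination appear on the outside interface and then on the inside one (the alert record layout, interface names and severity mapping are assumptions).

```python
"""Added example (not McAfee's code): correlate the same attack seen on the
Sensor interface outside the firewall with the interface inside it.
Alert records and their field layout are constructed for this example."""
from collections import defaultdict

# Constructed alerts: (time_s, interface, attack_name, src_ip, dst_ip)
ALERTS = [
    (100, "outside", "HTTP: Directory Traversal", "203.0.113.9", "192.0.2.20"),
    (101, "inside",  "HTTP: Directory Traversal", "203.0.113.9", "192.0.2.20"),
    (200, "outside", "SMTP: Relay Attempt",       "203.0.113.7", "192.0.2.25"),
    (250, "inside",  "SMB: Share Enumeration",    "10.0.0.44",   "192.0.2.30"),
    (400, "outside", "DNS: Zone Transfer",        "203.0.113.3", "192.0.2.53"),
    (900, "inside",  "DNS: Zone Transfer",        "203.0.113.3", "192.0.2.53"),
]

# Severity a responder assigns to each verdict (assumed mapping for this example).
SEVERITY = {"breached": "high", "internal": "medium", "blocked": "low", "unrelated": "low"}

def classify(alerts, window_s=30):
    """Map each (attack, src, dst) to one verdict:
    breached  - seen outside, then inside within window_s: the firewall let it through
    blocked   - seen outside only: the firewall stopped it
    internal  - seen inside only, e.g. an attack from an internal user
    unrelated - seen on both sides, but too far apart to be one event
    """
    seen = defaultdict(lambda: {"outside": [], "inside": []})
    for t, iface, attack, src, dst in alerts:
        seen[(attack, src, dst)][iface].append(t)
    verdicts = {}
    for key, times in seen.items():
        outs, ins = times["outside"], times["inside"]
        if any(0 <= ti - to <= window_s for to in outs for ti in ins):
            verdicts[key] = "breached"
        elif outs and ins:
            verdicts[key] = "unrelated"
        elif outs:
            verdicts[key] = "blocked"
        else:
            verdicts[key] = "internal"
    return verdicts

def triage(alerts, window_s=30):
    """Verdicts paired with severity, worst first, for the alert review queue."""
    order = ["high", "medium", "low"]
    rows = [(key, v, SEVERITY[v]) for key, v in classify(alerts, window_s).items()]
    return sorted(rows, key=lambda r: order.index(r[2]))
```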
When using the existing, single monitoring port products available today, you would have
to deploy multiple Sensors to get the required coverage (as shown on the left side of the
following figure). Furthermore, you’d need to figure out how to connect them to the
segments that you want to monitor, and only via a SPAN or hub port.
Consider the same scenario using the I-2700 Sensor (as shown on the right side of the
following figure). You can simultaneously monitor all three segments with one Sensor, and,
with the integrated taps, you can easily monitor the full-duplex uplinks between your
routers and the firewall. You can also run the inside connections in in-line mode, which
provides intrusion protection/prevention, while running the outside connection in tapped
mode.
Figure 3: Comparing IDS Sensor Deployment Scenarios
Figure 4: Comparing IDS Sensor Deployment Scenarios
CHAPTER 3
Sensor Deployment Modes
This section presents suggestions for implementing McAfee® Network Security Platform in
a variety of network environments.
Flexible deployment options
McAfee Network Security Platform offers unprecedented flexibility in McAfee® Network
Security Sensor (Sensor) deployment. Sensors can be deployed in a variety of topologies
and network security applications, providing industry-leading flexibility and scalability. Most
PC-based IDS Sensors on the market today can monitor only one network segment at a
time, and only via the SPAN port on a switch. Thus, to monitor a switched environment
with multiple segments and multiple switches deployed in a high-availability environment,
you would need multiple Sensors.
Multi-port Sensor deployment
Unlike single-port Sensors, a single multi-port Sensor can monitor many network
segments (up to twelve, in the case of the I-3000 or I-4010) in any combination of
operating modes—that is, the monitoring or deployment mode for the Sensor—SPAN,
Tap, or In-line mode. Additionally, Network Security Platform’s Virtual IPS (VIPS) feature
enables you to further segment a port on a Sensor into many “Virtual Sensors.”
This makes deployment easy; not only can you use one Sensor to monitor multiple
network segments, but you also can configure the Sensor to run whatever mode best suits
each network segment.
Supported deployment modes
Every port on the Sensor supports the following deployment modes:
SPAN or Hub
Tap
In-line, fail-closed
In-line, fail-open
Additionally, Network Security Platform provides features vital to today’s complex
networks: interface groups (also called port clustering), and high-availability.