McAfee Network Security Platform Deployment Manual

Brand: McAfee

Model: Network Security Platform

Type: Deployment Manual

This manual is also suitable for

M-1250 - Network Security Platform

IPS Deployment Guide

revision 2.0

McAfee®

Network Protection

Industry-leading network security solutions

McAfee® Network Security Platform

version 6.0

any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),

ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION

THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),

NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,

VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or

its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks

herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH

THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,

PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING

OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE

FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL

THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by

Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses

which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for

any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such

software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software

program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by

Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at

California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software

contributed to Berkeley by Chris Torek.

700-2366-00/ 2.0 - English

Issued NOVEMBER 2010 / IPS Deployment Guide

Contents

Preface .......................................................................................................... iv

Introducing McAfee Network Security Platform.............................................................................iv

About this Guide............................................................................................................................iv

Audience .......................................................................................................................................iv

Conventions used in this guide .....................................................................................................iv

Related Documentation................................................................................................................. v

Contacting Technical Support......................................................................................................vii

Chapter 1 Getting Started............................................................................ 1

Deciding where to deploy Sensors and in what operating mode ..................................................1

Setting up your Sensors................................................................................................................2

Establish Sensor-to-Manager communication............................................................................... 4

Viewing and working with data generated by Network Security Platform .....................................5

Configuring your deployment using the Manager ......................................................................... 5

Updating your signatures and software......................................................................................... 6

Tuning your deployment................................................................................................................7

Chapter 2 Planning Network Security Platform Installation..................... 8

Pre-deployment considerations.....................................................................................................8

What is the size of your network?..........................................................................................8

How many access points are there between your network and the extranets or Internet? ...9

Where are the critical servers that require protection within your network?...........................9

How complex is your network topology?................................................................................9

How much traffic typically crosses your network?................................................................10

Where are your security operations located?.......................................................................11

Where should I deploy Sensors?.........................................................................................11

Chapter 3 Sensor Deployment Modes ...................................................... 13

Flexible deployment options........................................................................................................13

Multi-port Sensor deployment..............................................................................................13

Supported deployment modes .............................................................................................13

Full-duplex and half-duplex monitoring ................................................................................15

Deploying Sensors in in-line mode.............................................................................................. 15

Fail-open versus fail-closed .................................................................................................17

Deploying Sensors in tap mode ..................................................................................................18

Deploying the Sensors with FE ports in internal tap mode ..................................................19

Deploying Sensors with GE ports in external tap mode.......................................................20

Shifting from tap mode to in-line mode ................................................................................21

SPAN port and hub monitoring....................................................................................................21

SPAN port and hub monitoring ............................................................................................22

High-Availability...........................................................................................................................22

Understanding failover in Network Security Platform...........................................................23

Interface groups ..........................................................................................................................24

Chapter 4 Deployment Scenarios.............................................................. 26

Deployment flexibility...................................................................................................................26

Deployment scenario for beginners............................................................................................. 26

Deployment scenario for intermediate users............................................................................... 27

Deployment scenario for advanced users................................................................................... 27

Index............................................................................................................. 29

iii

Preface

This preface provides a brief introduction to the product, discusses the information in this

document, and explains how this document is organized. It also provides information such

as, the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee

Network Security Platform [formerly McAfee

IntruShield

] delivers the most

comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion

Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical

enterprise, carrier, and service provider networks, while providing unmatched protection

against spyware and known, zero-day, and encrypted attacks.

McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring

network traffic by analyzing NetFlow information flowing through the network in real time,

thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network

Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a

single Manager.

About this Guide

This guide contains information to help you in determining your network security needs

and provides basic information about deployment. Included are various deployment

scenarios for network technicians with different experience levels. With this information,

you can determine which McAfee

Network Security Sensor model(s) will best suit your

environment and which operating mode you will need to employ each McAfee Network

Security Sensor (Sensor) port.

Audience

This guide is intended for use by network technicians responsible for planning and

deploying company>

Network Security Manager as you ensure your system architecture

meets your security requirements, develop security mechanisms within the software

architecture, and ensure the integrity of the architectures (such as data center, software,

hardware, and network).

Conventions used in this guide

This document uses the following typographical conventions:

McAfee® Network Security Platform 6.0

Preface

Convention Example

Terms that identify fields, buttons,

tabs, options, selections, and

commands on the User Interface

(UI) are shown in

Arial Narrow bold

font.

The

Service field on the Properties tab specifies the

name of the requested service.

Menu or action group selections

are indicated using a right angle

bracket.

Select My Company > Admin Domain > Summary.

Procedures are presented as a

series of numbered steps.

1. On the Configuration tab, click Backup.

Names of keys on the keyboard

are denoted using UPPER CASE.

Press ENTER.

Text such as syntax, key words,

and values that you must type

exactly are denoted using

Courier New font.

Type: setup and then press ENTER.

Variable information that you must

type based on your specific

situation or environment is shown

in italics.

Type: Sensor-IP-address and then press

ENTER.

Parameters that you must supply

are shown enclosed in angle

brackets.

set Sensor ip <A.B.C.D>

Information that you must read

before beginning a procedure or

that alerts you to negative

consequences of certain actions,

such as loss of data is denoted

using this notation.

Caution:

Information that you must read to

prevent injury, accidents from

contact with electricity, or other

serious consequences is denoted

using this notation.

Warning:

Notes that provide related, but

non-critical, information are

denoted using this notation.

Note:

Related Documentation

The following documents and on-line help are companions to this guide. Refer to Quick Tour

for more information on these guides.

 Quick Tour

 Installation Guide

McAfee® Network Security Platform 6.0

Preface

 Upgrade Guide

 Getting Started Guide

 Manager Configuration Basics Guide

 I-1200 Sensor Product Guide

 I-1400 Sensor Product Guide

 I-2700 Sensor Product Guide

 I-3000 Sensor Product Guide

 I-4000 Sensor Product Guide

 I-4010 Sensor Product Guide

 M-1250/M-1450 Sensor Product Guide

 M-1250/M-1450 Quick Start Guide

 M-2750 Sensor Product Guide

 M-2750 Quick Start Guide

 M-3050/M-4050 Sensor Product Guide

 M-3050/M-4050 Quick Start Guide

 M-6050 Sensor Product Guide

 M-6050 Quick Start Guide

 M-8000 Sensor Product Guide

 M-8000 Quick Start Guide

 Gigabit Optical Fail-Open Bypass Kit Guide

 Gigabit Copper Fail-Open Bypass Kit Guide

 10 Gigabit Fail-Open Bypass Kit Guide

 M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure

 M-2750 Slide Rail Assembly Procedure

 M-series DC Power Supply Installation Procedure

 Administrative Domain Configuration Guide

 Manager Server Configuration Guide

 CLI Guide

 Device Configuration Guide

 IPS Configuration Guide

 NAC Configuration Guide

 Integration Guide

 System Status Monitoring Guide

 Reports Guide

 Custom Attack Definitions Guide

 Central Manager Administrator's Guide

 Best Practices Guide

 Troubleshooting Guide

 Special Topics Guide—In-line Sensor Deployment

 Special Topics Guide—Sensor High Availability

 Special Topics Guide—Virtualization

 Special Topics Guide—Denial-of-Service

 NTBA Appliance Administrator's Guide

 NTBA Monitoring Guide

 NTBA Appliance T-200 Quick Start Guide

McAfee® Network Security Platform 6.0

Preface

vii

 NTBA Appliance T-500 Quick Start Guide

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick

tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also

resolve technical issues with the online case submit, software downloads, and signature

updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7

Technical Support is available for customers with Gold or Platinum service contracts.

Global phone contact numbers can be found at McAfee Contact Information

http://www.mcafee.com/us/about/cont

act/index.html page.

Note: McAfee requires that you provide your GRANT ID and the serial number of

your system when opening a ticket with Technical Support. You will be provided with

a user name and password for the online case submission.

C HAPTER 1

Getting Started

This chapter provides a high-level overview of McAfee

Network Security Platform

[formerly McAfee

IntruShield

The tasks described in this chapter provide pointers to more detailed information in the

other books of the McAfee Network Security Platform documentation set.

Note: Most of your interaction with Network Security Platform is through McAfee

Network Security Manager. Some configuration can be done using the McAfee

Network Security Sensor Command Line interface.

The process of setting up and running Network Security Platform falls into these basic

stages:

1 Deciding where to deploy McAfee Network Security Sensors (Sensors) and in what

operating mode

2 Setting up your Sensors for the desired deployment mode(s)

3 Installing the Manager software and establishing Sensor-to-McAfee Network Security

Manager (Manager) communication

4 Configuring your deployment using the Manager

5 Updating your signatures and software

6 Viewing and working with data generated by Network Security Platform

7 Tuning your deployment

Each of these stages consists of a number of tasks; some are simple, some are complex.

You will generally perform steps 1 through 3 only once per Sensor.

Deciding where to deploy Sensors and in what operating mode

Where you deploy your Sensors and which Sensor model to use depends on your network

topology, the amount of traffic on the network, and your security goals, which, ideally, are

specified in your company’s security policy.



Determine where you will place the Sensors. This is an individual decision your company will

need to make. Questions to ask yourself in making this decision are covered at a high

level in Pre-Installation Considerations (on page 8). Some things to consider are what

assets

you want to protect, the configuration of your network, the location of your

aggregation points, the type of traffic, how the traffic is routed, and so on.



Establish a naming convention for your Sensors. The Sensor name is used to identify the

Sensor in the Manager interface, in certain reports, and in the alert data generated by

the Sensor. McAfee recommends you establish a naming convention that is easy to

interpret by anyone working with the Network Security Platform deployment. Once you

name a Sensor, you cannot rename it without de-installing and reinstalling it.

McAfee® Network Security Platform 6.0

Getting Started

Setting up your Sensors

The process of setting up a Sensor is described below at a high level. You perform these

tasks on the

Sensor.

For more information on these tasks, see

CLI Guide.

1 Position the Sensor.

 Unpack the Sensor and place on a sturdy, level counter top.

 Attach the provided rack mounting ears to the Sensor.

 Install the Sensor in a rack.

Note: The I-1200 and I-1400 are 1-RU(rack unit) boxes; the I-2700, I-3000, I-

4000, and I-4010 are 2-RU boxes.

The M-8000 includes two 2-RU boxes; M-6050, M-4050, M-3050, and M-2750

are 2 RU boxes; and M-1450, and M-1250 are 1 RU boxes.

2 Install any additional hardware.

3 Install GBICs, SFP GBICs, or XFP GBICs (not included) in the GBIC slots. Note that

four XFP GBICs are included in the Accessory Kit of an M-8000 to use in the

Interconnect ports (XC2, XC3, XC5, and XC6).

Optical slots per Sensor model

Sensor model Number of slots

I-2700 2

I-3000 12 (SFP slots)

I-4000 4

I-4010 12 (SFP slots)

Optical slots per Sensor model

Sensor model Number of slots

M-8000 28 (16 SFP slots and 12 XFP slots)

M-6050 16 (8 SFP slots and 8 XFP slots)

M-4050 12 (8 SFP slots and 4 XFP slots)

M-3050 12 (8 SFP slots and 4 XFP slots)

M-2750 20 (20 SFP slots)

M-1450 8 (0 SFP slots)

M-1250 8 (0 SFP slots)

N-450 20 (20 SFP slots)

Note: To ensure compatibility, McAfee supports only those GBIC or SFP and

XFP GBIC modules purchased through McAfee or from a McAfee-approved

vendor. For a list of approved vendors, see the on-line KnowledgeBase

http://mysupport.mcafee.com

McAfee® Network Security Platform 6.0

Getting Started

4 (Optional) If you have purchased a redundant power supply, install the power supply.

Sensor models supporting redundant power supply are listed in the table below.

Models supporting a redundant power supply

Sensor Power supply

I-1200 1 internal

I-1400 1 internal

I-2700 1 included

1 redundant available separately

I-3000 1 included

1 redundant available separately

I-4000 1 included

1 redundant available separately

I-4010 1 included

1 redundant available separately

Models supporting a redundant power supply

Sensor Power supply

M-8000 2 included

2 redundant available separately

M-6050 1 included

1 redundant available separately

M-4050 1 included

1 redundant available separately

M-3050 1 included

1 redundant available separately

M-2750 1 included

1 redundant available separately

M-1450 1 internal

M-1250 1 internal

N-450 1 included

1 redundant available separately

5 Cable the Sensor for configuration.

 Attach network cables to the Sensor as described in each Sensor model's

Sensor

Product Guide. You must cable the Sensor Management and Console ports,

respectively, to communicate with the Manager server and the console machine

you will use to configure the Sensor. You can cable the Sensor Monitoring and

Response ports at a later time.

 Power on the Sensor to initialize it.

McAfee® Network Security Platform 6.0

Getting Started

Establish Sensor-to-Manager communication

The process of setting up a Sensor is described below at a high level.

1 Set up the Manager software on the server machine.

 Install the Manager software on the server machine. For more information on this

process, see

Installation Guide.

 Start the Manager software as described in Manager Server Configuration Guide. You

can establish communication with a Sensor via the Manager server or from a

browser on a client machine that can connect to the Manager server.

 McAfee recommends you connect to the Manager server via browser session

from a separate client machine to perform your configuration tasks.

 You can choose a specific policy to apply by default to the Root Admin Domain

(and thus all monitoring interfaces on the Sensor). By default, the provided Default

policy is applied to all of your Sensor ports upon Sensor addition.

For more information on admin domains, see Administrative Domains,

Getting

Started Guide

. For more information on policies, see Working with Security Policies,

Getting Started Guide.

Whatever policy you’ve specified will apply until you make specific changes; the

Default policy gets you up and running quickly. Most users tune their policies over

time, in conjunction with VIPS, to best suit their environments and reduce the

number of irrelevant alerts.

 Open the System Configuration tool and add the Sensor, providing the Sensor

with a name and a shared secret key value. This process is described in

Device

Configuration Guide.

2 Configure the Sensor.

 From a serial console connected physically or logically to the Sensor, configure

the Sensor with network identification information (that is, IP address, IP address of

the Manager server, and so on), and configure it with the same case-sensitive

name and shared secret key value you provided in the Manager.

For more information on configuring the Sensor using the Sensor CLI, see CLI

Guide

3 Verify communication between the Sensor and the Manager.

 Verify on the Sensor CLI the health of the Sensor and that Sensor has

established communication with the Manager. Use the

status command.

 Verify in the Manager interface that a node representing the Sensor appears in

the Resource Tree under the Sensors node. Viewing the Resource Tree is

described in The Resource Tree,

Getting Started Guide.

4 Troubleshoot any problems you run into.

 If you run into any problems, check your configuration settings, and ensure that

they’re correct. For more troubleshooting tips, see

Troubleshooting Guide.

5 Verify the operating mode of the ports on your Sensor.

 Your Sensor ports are configured by default for monitoring in in-line mode; that is,

connected via a port pair on the Sensor to a segment of your network. If you’ve

cabled the Sensor to monitor in in-line mode, check your settings to make sure

everything is correct.

For more information on verifying port configuration, see

Device Configuration Guide.

McAfee® Network Security Platform 6.0

Getting Started

Viewing and working with data generated by Network Security

Platform

Once you’ve completed the steps in the previous sections, you’re up and running. While

actively monitoring network traffic, your Sensor will generate alerts for traffic that is in

violation of the set security policy.

Network Security Platform displays a summary view of the count of alerts in the Manager

Home page, organized by severity (High, Medium, Low, and Informational). Network

Security Platform provides two tools for examining and viewing the alerts:

 The Threat Analyzer enables you to drill down to the details of an alert such as what

triggered the alert, when, what Sensor detected it, the source IP address of the attack

that triggered the alert, the destination IP address of the attack, and so on. You use

the Threat Analyzer to perform forensic analysis on the alert to help you tune the

Network Security Platform system, provide better responses to attacks, and otherwise

shore up your defenses.

 The Reports Main page provides you detailed reports based on your alerts, and

reports on your Network Security Platform configuration. You can use these reports to

communicate incidents to other members of your team and to your management.

Note: For more information on these tools, see

Manager Server Configuration Guide and

Reports Guide.

Configuring your deployment using the Manager

Once you’re up and running and reviewing the data generated by the system, you can

further configure and maintain your system. For example, you can do the following:



Apply security policies to each interface of your multi-port Sensor (instead of applying one policy

to all interfaces, as when you chose the default policy in Establish Sensor-to-Manager

communication (on page 2)). You can ensure all of your interfaces use policies

specifically for the areas of your network they are monitoring. For example, you can

apply the Web Server policy to one interface, a Mail Server policy to another, the Internal

Segment

policy to another, and so on. For more information on the provided policies,

see Network Security Platform policies,

Getting Started Guide.

 Configure responses to alerts. Developing a system of actions, alerts, and logs based on

impact severity is recommended for effective network security. For example, you can

configure Network Security Platform to send a page or an email notification, execute a

script, disconnect a TCP connection, send an “ICMP Host Not Reachable”

message to

the attack source for ICMP transmissions, or send address-blocking for a host.

For more information on response actions, see Response management,

Getting Started

Guide

. For more information on configuring pager, email, or script notification, or

configuring an IPS quarantine response, see

Administrative Domain Configuration Guide and

Device Configuration Guide.



Filter alerts. An attack filter limits the number of alerts generated by the system by

excluding certain Source and Destination IP address parameters. If these address

parameters are detected in a packet, the packet is not analyzed further (and is

automatically forwarded when in In-line Mode). For more information on attack filters,

see Administrative Domain Configuration Guide.

McAfee® Network Security Platform 6.0

Getting Started

 View the system’s health. The Operational Status page details the functional status for all

of your installed Network Security Platform system components. Messages are

generated to detail system faults experienced by your Manager, Sensors, or

database. For more information, see

System Status Monitoring Guide.

 View a port’s performance. The Performance Statistics action enables you to view

performance data for a port on a Sensor. The data collected is a reflection of the

traffic that has passed through the port. For more information, see Device Configuration

Guide

 Back up all or part of your Manager configuration information to your server or other

location. Network Security Platform provides three backup options:



All Tables: all Network Security Platform data (configuration, audit, and alert).



Config Tables: all information related to system configuration, such as port

configuration, users, admin domains, policies for all Network Security Platform

resources in all domains.

 Audit and Alert Tables: all information related to user activity and alerts.

Note: The

All Tables and Audit and Alert Tables options can be rather large in size,

depending upon the amount of alert data in your database. McAfee

recommends saving these types of backups to an alternate location.

For more information on how to back up your data, see Manager Server Configuration

Guide

Updating your signatures and software

An essential element to a reliable IPS is updating the system signature and software

images. McAfee periodically releases new Manager software and Sensor signature and

software images, and makes these updates available via the McAfee

Network Security

Update Server to registered support customers.

Figure 1: Sensor software update methods

Field Description

1 Update Server

2 Internet

McAfee® Network Security Platform 6.0

Getting Started

Field Description

3 Manager Server

4 PC/tftp server

5 Import/disk

6 Sensor

Note: Manager software installation includes a default signature set image.

There are several options for loading updates to your Manager and Sensors.

1 Download images from the McAfee Network Security Update Server (Update Server) to your Manager.

You can use the Manager interface to download Sensor software and signature

updates from the Update Server to the Manager server, and then download the

Sensor image to the Sensor. For more information, see Manager Server Configuration

Guide

Import image files from a remote workstation to your Manager.

If your Manager server is not connected to the Internet, you can download the

updates from the Update Server to any host, then do one of the following:

 Download the image to a remote host, then log in to the Manager via browser

session on the remote host and import the image to the Manager server. You can

then download the Sensor image to the Sensor. For more information, see

Manager

Server Configuration Guide

 Similar to above, download the image from the Update Server to any host, put it

on a disk, take the disk to the Manager server, and then import the image and

download it to the Sensor.

3 Download Sensor software from the Update Server to a TFTP client then to a Sensor.

You can download the software image from the Update Server onto a TFTP server,

and then download the image directly to the Sensor using commands on the Sensor

CLI. This is useful if you prefer not to update Sensor software via the Manager, or you

may encounter a situation wherein you cannot do so. For more information on this

method, see CLI Guide.

Tuning your deployment

Once you become familiar with the basics of the Manager program, you can further

enhance your deployment by utilizing some of the more advanced features. These

features include:



Cloning and modifying the Network Security Platform-provided policy. For more information, see

Working with Security Policies,

Getting Started Guide.



Deploying your Sensor to monitor traffic in Tap mode or, ultimately, in In-line mode. For more

information, see Sensor Deployment Modes (on page 13).



Adding users and assigning management roles. For more information, see Managing Users in

Network Security Platform,

Getting Started Guide.



Adding admin domains for resource management. For more information, see Administrative

Domains,

Getting Started Guide.



Changing your interface type to CIDR or VLAN depending on your network configuration. For more

information, see Interface and Sub-Interface Node,

Device Configuration Guide.



Using Access Control Lists (ACLs) to block traffic or pass traffic without sending it through the IDS

engine.

For more information, see Device Configuration Guide.

C HAPTER 2

Planning Network Security Platform Installation

This section discusses the considerations and pre-installment steps that require planning

and completion before you deploy the McAfee

Network Security Platform.

Tip: If you are a beginner and want some strategies for deploying McAfee Network

Security Platform, you should also read Deployment Scenarios (on page 26).

Pre-deployment considerations

Deployment of Network Security Platform requires specific knowledge of your network’s

security needs. Answering these questions will determine which McAfee

Network Security

Sensor (Sensor) model will best suit your environment, and what in what operating mode

you’ll need to employ each Sensor port.

Consider the following questions as you plan your Network Security Platform deployment:

 What is the size of your network?

 How many access points are there between your network and the extranets or

Internet?

 Where are the critical servers that require protection within your network?

 How complex is your network topology?

 How much traffic typically crosses your network?

 Where are your security operations located?

 Where should I deploy Sensors?

What is the size of your network?

The size of your network will determine the number of Sensors you will require to

successfully and efficiently protect your network. A large network with many access points,

file servers, and machines in use may require a larger level of IPS deployment than a

small office with just a single access point and few machines.

Knowing how your business will grow can help determine the amount of equipment you

will require and the proper strategy for network placement. Network Security Platform is

built with growth in mind. The Network Security Platform can manage multiple Sensors,

and Sensors can scale in performance from 100 Mbps to multi gigabits per second for

monitoring network segments.

McAfee® Network Security Platform 6.0

Planning Network Security Platform Installation

How many access points are there between your network

and the extranets or Internet?

Large corporations have several points of access that can be exploited by parties with

malicious intent. Protecting the various points of access to your network is the key to any

successful IDS installation. You’re only as strong as your weakest link.

Intrusions coming in from the Internet are important to combat, but misuse and intrusions

attempted through the extranets or inside the corporate network are equally as critical to

defend against. In fact, research statistics show that insiders are the most common source

of attacks.

Where are the critical servers that require protection within

your network?

File servers containing financial, personnel, and other confidential information need

protection from those people wishing to exploit your critical information. These machines

are extremely appealing targets. And, as discussed in the previous section, insiders pose

a threat that must be addressed.

You should also consider whether you need different levels of security for different parts of

the organization. Assess how much of your sensitive material is on-line, where it is

located, and who has access to that material.

How complex is your network topology?

Asymmetrically routed networks are complex environments that require careful planning

and execution.

The following figure shows a network protected by the Sensor in tap operating mode.

Since both links are monitored by the same Sensor, the state machine remains in sync.

The Sensor can support an Active-Active configuration as long as the aggregate

bandwidth does not exceed the total processing capacity of the Sensor.

Furthermore, a Sensor can also monitor asymmetrically routed traffic where the traffic

comes in on one link and goes out another link, because the state machine on the Sensor

associates the inbound and outbound traffic efficiently. For more information on monitoring

asymmetrically routed traffic, see Interface groups (on page 24).

McAfee® Network Security Platform 6.0

Planning Network Security Platform Installation

Figure 2: Tap Monitoring of Active-Passive Links

How much traffic typically crosses your network?

Bandwidth and traffic flow are crucial to running a successful enterprise network.

Bandwidth requirements will vary in an enterprise network, as different applications and

business functions have different needs. Bandwidth utilization on the network segments

that you need to monitor will determine what type of Sensor will work best for you. Network

Security Platform offers multiple Sensors providing different bandwidths:

Sensor bandwidth

Sensor Aggregate Performance

I-1200 100Mbps

I-1400 200Mbps

I-2700 600Mbps

I-3000 1Gbps

I-4000 2Gbps

I-4010 2Gbps

McAfee® Network Security Platform 6.0

Planning Network Security Platform Installation

Sensor Aggregate Performance

M-8000 10 Gbps

M-6050 5 Gbps

M-4050 3 Gbps

M-3050 1.5 Gbps

M-2750 600 Mbps

M-1450 200 Mbps

M-1250 100 Mbps

N-450 2 Gbps

Where are your security operations located?

To successfully defend against intrusions, McAfee recommends dedicated monitoring of

the security system. Network intrusions can happen at any given moment, so having a

dedicated 24-hour-a-day prevention system will make the security solution complete and

effective.

Where are your security personnel? How many users are involved? Knowing who will be

configuring your policies, monitoring events, running reports, and performing other

configuration tasks will help you manage your users and determine where you locate your

McAfee

Network Security Manager server. The Manager should be placed in a physically

secure location, should be logically accessible to users, and must have reliable

connectivity so as to be able to communicate with all deployed Sensors.

Where should I deploy Sensors?

Should you deploy Sensors at the perimeter of your network, in front of the servers you

want to protect, or at a convenient nexus where all traffic passes?

Deployment at the perimeter does not protect you from internal attacks, which are some of

the most common source of attacks. Perimeter monitoring is also useless if a network has

multiple ISP connections at multiple locations (such as one Internet connection in New

York and one in San Jose) and if you expect to see asymmetric traffic routing (that is,

incoming traffic comes through New York and outgoing traffic goes out through San Jose).

The IPS simply will not see all the traffic to maintain state and detect attacks. Deployment

in front of the servers that you want to protect both detects attacks from internal users and

deals effectively with the geographically diverse asymmetric routing issue.

An illustration of the advantage of Sensors’ multiple segment monitoring is to consider the

question of installing Sensors with respect to firewalls. It is very common to deploy

Sensors around firewalls to inspect the traffic that is permitted by the firewall. A common

question when installing Sensors around the firewall is: Do you put the Sensors on the

inside (Private and DMZ) or put them outside (Public) the firewall?. There are benefits to

both scenarios, and the more complete solution includes both. For example, if you detect

McAfee® Network Security Platform 6.0

Planning Network Security Platform Installation

an attack on the outside of the firewall and you detect the s

ame attack on the inside of the

firewall, then you know your firewall has been breached. This is obviously a much higher

severity event than if you were just to see the attack on the outside and not on the inside,

which means that your firewall blocked the attack.

When using the existing, single monitoring port products available today, you would have

to deploy multiple Sensors to get the required coverage (as shown on the left side of the

following figure). Furthermore, you’d need to figure out how to connect them to the

segments that you want to monitor, and only via a SPAN or hub port.

Consider the same scenario using the I-2700 Sensor (as shown on the right side of the

following figure). You can simultaneously monitor all three segments with one Sensor, and,

with the integrated taps, you can easily monitor the full-duplex uplinks between your

routers and the firewall. You can also run the inside connections in in-line mode, which

provides intrusion protection/prevention, while running the outside connection in tapped

mode.

Figure 3: Comparing IDS Sensor Deployment Scenarios

Figure 4: Comparing IDS Sensor Deployment Scenarios

C HAPTER 3

Sensor Deployment Modes

This section presents suggestions for implementing McAfee

Network Security Platform in

a variety of network environments.

Flexible deployment options

McAfee Network Security Platform offers unprecedented flexibility in McAfee

Network

Security Sensor (Sensor) deployment. Sensors can be deployed in a variety of topologies

and network security applications, providing industry-leading flexibility and scalability. Most

PC-based IDS Sensors on the market today can monitor only one network segment at a

time, and only via the SPAN port on a switch. Thus, to monitor a switched environment

with multiple segments and multiple switches deployed in a high-availability environment,

you would need multiple Sensors.

Multi-port Sensor deployment

Unlike single-port Sensors, a single multi-port Sensor can monitor many network

segments (up to twelve, in the case of the I-3000 or I-4010) in any combination of

operating modes—that is, the monitoring or deployment mode for the Sensor—SPAN,

Tap, or In-line mode. Additionally, Network Security Platform’s Virtual IPS (VIPS) feature

enables you to further segment a port on a Sensor into many “Virtual Sensors.”

This makes deployment easy; not only can you use one Sensor to monitor multiple

network segments, but you also can configure the Sensor to run whatever mode best suits

each network segment.

Supported deployment modes

Every port on the Sensor supports the following deployment modes:

 SPAN or Hub

 Tap

 In-line, fail-closed

 In-line, fail-open

Additionally, Network Security Platform provides features vital to today’s complex

networks: interface groups (also called port clustering), and high-availability.

Page is loading ...

McAfee Network Security Platform Deployment Manual

Brand: McAfee

Model: Network Security Platform

Type: Deployment Manual

This manual is also suitable for

M-1250 - Network Security Platform

Download PDF

report

McAfee Network Security Platform Deployment Manual

This manual is also suitable for

McAfee Network Security Platform Deployment Manual

Related papers

Other documents