McAfee Network Security Platform Configuration manual

McAfee®
Network Protection
Industry-leading network security solutions
IPS Configuration Guide
McAfee® Network Security Platform
Network Security Manager
version 5.1
revision 10.0
COPYRIGHT
Copyright ® 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (greg[email protected]), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
Issued JUNE 2010 / IPS Configuration Guide
700-1810-00/ 10.0 - English
iii
Contents
Preface ........................................................................................................... v
Introducing McAfee Network Security Platform............................................................................. v
About the guide............................................................................................................................. v
Audience ....................................................................................................................................... v
Conventions used in this guide .....................................................................................................vi
Related documentation ................................................................................................................vii
Contacting Technical Support.....................................................................................................viii
Chapter 1 Overview of IPS settings ............................................................ 1
Configuring and setting rule-based policies ..................................................................................1
Responding to detected attacks....................................................................................................2
Packet logging........................................................................................................................2
Sensor actions .......................................................................................................................3
Setting notification for attacks .......................................................................................................3
How Network Security Platform calculates severity level.............................................................. 4
Attack categories and severity range.....................................................................................4
Chapter 2 Managing IPS settings................................................................ 6
Viewing assigned policies .............................................................................................................6
Configuring and managing policies...............................................................................................7
Managing policies with IPS Policy Editor...............................................................................8
Managing policies with Reconnaissance Policy Editor ........................................................38
Policy Assignment................................................................................................................46
Managing HTTP response scanning....................................................................................48
Configuring Advanced Policies....................................................................................................50
Configuring non-standard ports............................................................................................51
Managing rule sets with the Rule Set Editor........................................................................53
Managing attack responses using GARE ............................................................................65
User-Defined Signatures action...........................................................................................65
Setting up Global Auto Acknowledgement...........................................................................66
Using the Incident Generator service...................................................................................67
Exporting and importing policies..........................................................................................74
Managing alert filters and attack responses................................................................................78
Using the Alert Filter Editor..................................................................................................78
Alert filter assignments.........................................................................................................82
Exporting Alert Filters...........................................................................................................84
Importing alert filters.............................................................................................................84
Setting up ACLs ..........................................................................................................................85
Configuring ACL rules..........................................................................................................85
ACL Syslog Forwarder.........................................................................................................99
XML converter tool for ACL rules.......................................................................................101
Using L3 ACLs for fragmented traffic.................................................................................102
Enabling Secure Socket Layer (SSL) Decryption ..................................................................... 104
Enabling SSL decryption in IPS Settings node..................................................................105
Importing SSL keys to the Sensors....................................................................................106
Managing the imported SSL keys of Sensors....................................................................107
IPS Quarantine settings ............................................................................................................108
IPS Quarantine configuration in Policy Editors ..................................................................109
IPS Quarantine configuration in Admin Domain.................................................................115
IPS Quarantine settings in the Threat Analyzer.................................................................123
Archiving data............................................................................................................................128
Viewing scheduled actions.................................................................................................128
Archiving alerts and packet logs ........................................................................................128
Scheduling automatic archival ...........................................................................................130
iv
Restoring an archive ..........................................................................................................131
Exporting an archive ..........................................................................................................133
Archiving alerts using dbadmin.bat....................................................................................133
Restoring alerts using dbadmin.bat....................................................................................134
Manager database maintenance...............................................................................................136
Capacity planning...............................................................................................................136
Alert Data Pruning..............................................................................................................140
Manager Pruning................................................................................................................142
Setting up alert notifications......................................................................................................143
Viewing alert notification details.........................................................................................143
Forwarding alerts to an SNMP server................................................................................144
Forwarding alerts to a Syslog server..................................................................................146
Specifying email or pager parameters ...............................................................................150
Specifying script parameters..............................................................................................152
Updating the configuration of all Sensors..................................................................................154
Chapter 3 The IPS Sensor_Name node................................................... 156
IPS Sensor settings................................................................................................................... 156
Policies at Sensor_Name level ..........................................................................................156
Alert filter assignments.......................................................................................................157
Managing HTTP response scanning..................................................................................160
Viewing the DoS detection status of a Sensor...................................................................162
Configuring advanced scanning................................................................................................163
Managing Non-standard Ports ...........................................................................................164
Creating an interface group................................................................................................164
Managing DoS Learning Mode profiles..............................................................................165
Managing DoS filters..........................................................................................................168
Configuring TCP settings ...................................................................................................169
Configuring IP settings for IPv4 and IPv6 traffic.................................................................172
Configuring alert suppression with packet log response....................................................176
OS Fingerprinting...............................................................................................................178
Configuring ACL rules in the IPS Sensor..................................................................................180
Assigning ACL rules in the IPS Sensor..............................................................................181
Editing ACL Log settings....................................................................................................186
Enabling IP Address spoofing detection ............................................................................188
Traffic Management ..................................................................................................................190
Configuring Traffic Management........................................................................................191
Precedence in Traffic Management...................................................................................199
Considerations in rate limiting............................................................................................200
Network scenarios for Traffic Management .......................................................................203
Enabling SSL decryption...........................................................................................................204
Configuring SSL decryption in the IPS Sensor ..................................................................205
Managing the imported SSL keys of a Sensor...................................................................206
Configuring at the interface level........................................................................................208
IPS Quarantine settings in the IPS Sensor ...............................................................................209
Summary of Sensor configurations for IPS Quarantine.....................................................209
NAC ACL Logging in the Sensor for IPS Quarantine.........................................................210
Sensor port settings for IPS quarantine.............................................................................211
Setting policy for interfaces and sub-interfaces ........................................................................ 213
Using Virtualization for policy application.................................................................................. 213
The IPS Sensor interface node.................................................................................................213
Configuring general interface settings................................................................................214
Scanning policies at the interface level..............................................................................221
Adding ACLs on the interface ............................................................................................233
IPS Sensor sub-interface node..........................................................................................234
Chapter 4 Understanding attack descriptions....................................... 242
Impact categories......................................................................................................................243
Impact subcategories................................................................................................................244
Index........................................................................................................... 250
v
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC) and network
Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service
provider networks, while providing unmatched protection against spyware and known,
zero-day, and encrypted attacks.
McAfee Network Security Platform combines real-time detection and prevention to provide
the most comprehensive and effective network IPS in the market.
About the guide
This guide provides conceptual and procedural information on how to use the McAfee®
Network Security Manager [formerly McAfee® IntruShield® Security Manager] to manage
security policies in Network Security Platform. You need to apply policies to your McAfee®
Network Security Sensors [formerly McAfee® IntruShield® Sensors] for the system to
generate alerts. For an overview of security policies in Network Security Platform, see the
Getting Started Guide. For detailed information on User-Defined Signatures, see User-Defined
Signatures Guide.
The following are some of the tasks discussed in this guide:
Viewing the policies currently applied to the McAfee Network Security Sensors
(Sensors) and interfaces in an admin domain.
Assigning policies to Sensors.
Managing rule sets using the Rule Set Editor.
Managing attack responses at a global level using GARE.
Managing policies using the IPS Policy Editor.
Using Global Auto ACK to automatically acknowledge alerts.
This guide explains how to perform the above-mentioned tasks using the Configuration
page of the McAfee Network Security Manager (Manager). For a detailed description of
the Configuration page and information on how to use this page, see Manager Configuration
Basics Guide.
Audience
This guide is intended for use by network technicians and maintenance personnel
responsible for installing, configuring, and maintaining the Manager and Sensors, but is
McAfee® Network Security Platform 5.1
Preface
vi
not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or
the commands necessary to perform particular tasks.
Conventions used in this guide
This document uses the following typographical conventions:
Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on
the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are
denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or
environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure, or that alerts
you to negative consequences of certain actions, such as loss of data, is denoted using
this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with
electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using
this notation.
Example: Note:
Related documentation
The following documents and on-line help are companions to this guide. Refer to Quick
Tour for more information on these guides.
Quick Tour
Manager Installation Guide
4.1 to 5.1 Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
Administrative Domain Configuration Guide
Manager Server Configuration Guide
Sensor CLI Guide
Sensor Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
User-Defined Signatures Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-8000 Sensor Product Guide
M-6050 Sensor Product Guide
M-3050/M-4050 Sensor Product Guide
M-2750 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
N-450 Sensor Product Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
Special Topics Guide—In-line Sensor Deployment
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found at McAfee Contact Information
http://www.mcafee.com/us/about/contact/index.html page.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
1
CHAPTER 1
Overview of IPS settings
The IPS Settings node in each admin domain is where you configure and manage the IPS
policies applied to the McAfee® Network Security Sensor [formerly McAfee® IntruShield®
Sensor]. Policy configuration is available to users with a Security Expert or Super User
role. When policies are applied, McAfee® Network Security Platform [formerly McAfee®
IntruShield®] generates alerts; you can then use the Threat Analyzer to view the resulting
alerts.
For an overview of security policies, see Getting Started Guide.
Policies in McAfee Network Security Platform
A security policy, or IPS policy, is a set of rules that governs what traffic is permitted
across your network, and how to respond to misuse of the network. An effective policy is
one that is customized to the network environment being monitored.
A Network Security Platform policy is a set of rules/instructions defining the malicious
activity you want to detect and how you want to respond if the malicious activity is
detected. Creating a policy enables you to define an environment to protect by the different
operating systems (OSs), applications, and protocols in your network. These parameters,
or rules, relate to all of the attacks defended against by Network Security Platform.
The best practice is to create multiple, specific policies that focus on the specific needs of
unique zones in your network, rather than a one-size-fits-all policy for the entire network.
Network Security Platform enables you to create rule-based policies for your network
resources, including individual sub-flows of network traffic. Several pre-configured policies
(Pre-configured rule sets and policies (on page 63)) are supplied for immediate application
in various unique network environments.
Configuring and setting rule-based policies
A rule-based policy is very similar to an Access Control List (ACL) - a set of ordered rules
used to determine which attacks or conditions are of interest, and thus should be
monitored. A rule set is configured based on attack category, operating system, protocol,
application, severity, and benign trigger probability options. Each rule in a set is either an
include rule or an exclude rule. An include rule—which should always start a rule set—is a
set of parameters that encompasses a broad range of well-known attacks for detection. An
exclude rule removes elements from the include rule in order to focus the policy’s rule set.
By broadening (includes) and narrowing (excludes) the rules, you can enable detection for
the attacks that impact the intended environment.
Note: If you start a rule set with an exclude rule, an include rule added afterwards
may negate the exclusion; thus, this rule-based approach is not exactly the same as
an ACL. For example, if you specify an exclude rule for the DNS protocol, then later
include multiple protocols including DNS, the exclusion rule is negated.
In the McAfee® Network Security Policy Editor [formerly IPS Policy Editor], there are
several provided rule sets which match the pre-configured policies. You can view, clone
(copy), and customize these rule sets for your own use.
McAfee recommends two approaches to creating rule sets. The first method is general to
specific. You start with an include rule that covers a broad range of OSs, applications,
protocols. You then create one or more exclude rules to strip away specific OSs, protocols,
et cetera, thus focusing your rule set on the environment where it will be enforced. For
example, you start with an include rule for all Exploit category attacks. You follow this with
multiple exclusion rules that strip away protocols, applications, severities, et cetera, that
will have no impact in a specific zone of your network.
The second method is collaboration. You create multiple include rules within one rule set,
one for each combination of category, OS, et cetera, that you want to detect. Within an
include rule, every criterion must be matched in order for an alert to be triggered. For
example, your first rule in the set includes the Exploit category, Unix as the OS, Sendmail
as the application, and SMTP as the protocol. Next, you create another include rule for
Exploit, Windows 2000, WindMail, and SMTP. Each include rule you add broadens the
scope of your detection.
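As an added example (not McAfee code and not the Policy Editor's actual implementation), the following Python models the ordered include/exclude evaluation described above, the Note's caveat about an exclude followed by an include, and both recommended approaches; the attack names, values and severity scores are constructed, and the severity bands follow the numbering scheme given later in this chapter.

```python
# Added example, not McAfee code: a model of the ordered include/exclude rule-set
# evaluation described above, run over constructed attack records.
from dataclasses import dataclass, field

# Severity bands from this chapter's numbering scheme: 0 / 1-3 / 4-6 / 7-9.
BANDS = ["Informational"] + ["Low"] * 3 + ["Medium"] * 3 + ["High"] * 3

def severity_band(score: int) -> str:
    """Numeric severity to band name; anything outside 0-9 is rejected."""
    if not 0 <= score <= 9:
        raise ValueError(f"severity out of range: {score}")
    return BANDS[score]

@dataclass(frozen=True)
class Attack:
    name: str
    category: str
    os: str
    protocol: str
    application: str
    severity: int

@dataclass
class Rule:
    """One include or exclude rule. Each criterion is a set of accepted values;
    an empty set means 'any value' for that criterion."""
    include: bool
    category: set = field(default_factory=set)
    os: set = field(default_factory=set)
    protocol: set = field(default_factory=set)
    application: set = field(default_factory=set)
    severity: set = field(default_factory=set)  # band names, e.g. {"High"}

    def matches(self, a: Attack) -> bool:
        # Criteria are ANDed: every non-empty criterion must accept the attack.
        checks = [(self.category, a.category), (self.os, a.os),
                  (self.protocol, a.protocol), (self.application, a.application),
                  (self.severity, severity_band(a.severity))]
        return all(not wanted or value in wanted for wanted, value in checks)

def select_attacks(rules, attacks):
    """Evaluate rules in order: an include adds every matching attack, an exclude
    removes every matching attack. A later include re-adds what an earlier exclude
    removed, which is the ordering caveat in the Note above."""
    selected = set()
    for rule in rules:
        hits = {a for a in attacks if rule.matches(a)}
        selected = selected | hits if rule.include else selected - hits
    return sorted(a.name for a in selected)

# Constructed attack records; names and values are illustrative only.
ATTACKS = [
    Attack("SMTP: Sendmail Overflow", "Exploit", "Unix", "SMTP", "Sendmail", 8),
    Attack("SMTP: WindMail Command", "Exploit", "Windows 2000", "SMTP", "WindMail", 7),
    Attack("DNS: BIND Overflow", "Exploit", "Unix", "DNS", "BIND", 9),
    Attack("HTTP: Low-Severity Probe", "Exploit", "Unix", "HTTP", "Apache", 2),
]

def general_to_specific():
    """Broad include of all Exploit attacks, then excludes stripping DNS and Low severity."""
    rules = [Rule(include=True, category={"Exploit"}),
             Rule(include=False, protocol={"DNS"}),
             Rule(include=False, severity={"Low"})]
    return select_attacks(rules, ATTACKS)

def collaboration():
    """Narrow include rules, one per category/OS/application/protocol combination."""
    rules = [Rule(True, category={"Exploit"}, os={"Unix"},
                  protocol={"SMTP"}, application={"Sendmail"}),
             Rule(True, category={"Exploit"}, os={"Windows 2000"},
                  protocol={"SMTP"}, application={"WindMail"})]
    return select_attacks(rules, ATTACKS)

def negated_exclusion():
    """Exclude DNS first, then include several protocols including DNS: the exclusion is lost."""
    rules = [Rule(include=False, protocol={"DNS"}),
             Rule(include=True, protocol={"DNS", "SMTP", "HTTP"})]
    return select_attacks(rules, ATTACKS)

if __name__ == "__main__":
    for demo in (general_to_specific, collaboration, negated_exclusion):
        print(f"{demo.__name__}: {demo()}")
```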
Responding to detected attacks
When a McAfee Network Security Sensor (Sensor) detects activity to be in violation of a
configured policy, a preset response from the Sensor is integral to the protection or
prevention process. Proper configuration of responses is crucial to maintaining effective
protection. Critical attacks like buffer overflows and denial of service (DoS) require
responses in real-time, while scans and probes can be logged and researched to
determine compromise potential and the source of the attack. Developing a system of
actions, alerts, and logs based on impact severity is recommended for effective network
security.
Since the Sensors can be installed anywhere in a network, knowing what area a Sensor
protects is important for determining the response type. If installed outside of the firewall,
alerting with response is best used for DoS and other attacks against the firewall. Most
other suspicious traffic types intended for the internal network that are not recognized by
known signatures, including scans and CGI data, are best logged without a response and
then analyzed, since the impact is not immediate and the analysis gives a better
understanding of the potential purpose of the attack.
Note: Setting a response type during policy configuration is critical for an effective
intrusion management system. A list of response options can be seen and
configured at Customizing responses for an exploit attack (on page 19).
Packet logging
Logging attack packets for analysis is an effective means of preparing for future attacks. A
packet log is created by a Network Security Sensor capturing the network traffic around an
offending transmission. An expert in protocol analysis can use the log information to
determine what caused the alert and what can be done to prevent future alerts of the same
nature. Packet logs are retrieved from the database via the Threat Analyzer and can be
opened and examined using a program called Ethereal. By default, UDP and TCP protocol
attacks generate a packet log for the attack plus the previous 128 bytes in the flow.
Tip: McAfee recommends using Wireshark (formerly known as Ethereal) for packet
log viewing. Ethereal is a network protocol analyzer for Unix and Windows servers
that enables you to examine the data captured by your Network Security Sensor.
For information on downloading and using Ethereal, go to http://www.wireshark.org.
Sensor actions
Network Security Sensor actions are responses your Sensor enacts to prevent or deter
further attacks. The most effective of these is Drop Further Packets, which is only available in
In-line mode—this is the first true implementation of real-time prevention. In most cases,
attack packets reach the intended target before a preventative action can be enforced.
Drop Further Packets drops the offending transmission during Sensor inspection. This option
must be enabled in the Response section of any Exploit or Denial of Service (DoS) attack
during policy creation/cloning.
The other Sensor actions available are:
IPS Quarantine: Based on the configuration, quarantine and remediation is performed by
the Sensor. For more information, see IPS Quarantine settings (on page 108).
Block DoS Packets: blocks further packets for a detected DoS attack. In this case, you
have not configured the Drop Further Packets response; however, the Threat Analyzer
allows you to drop further packets of an ongoing DoS attack.
Enable TCP Reset: disconnects a TCP connection at the source, destination, or both
ends of the transmission.
Send ICMP Host Not Reachable to Intruder: sends this message to the attack source for ICMP
transmissions.
Alert Filtering: limits the alerts generated by excluding certain Source and Destination IP
address parameters.
Setting notification for attacks
Attack detection, alerting, and Sensor response is a very effective process for managing
your network’s security. Network Security Platform also provides administrator notification
for selected attacks. A notification is a message sent via email, email pager, or script for
any attack you regard as high priority. A message is sent with information pertaining to the
attack name, severity, detected time, and so on. Notification is configured on a per-attack
basis; you can enable this feature within the customization of any Exploit, Denial of
Service (DoS), or Reconnaissance attack. Details for enabling notification for Exploit and
DoS attacks are presented in this chapter.
You also have the option to automatically acknowledge any attack within the Notification
category. The Auto. Acknowledge option marks an alert as Acknowledged for the purposes of
alert viewing and report generation. For more information on acknowledgement of alerts,
see Acknowledging alerts, System Status Monitoring Guide.
Email, pager, and script lists, as well as message contents, are configured on a per-admin
domain basis (see Setting up alert notifications (on page 143)). For email and pager
notifications, you must set up a mail server for sending the messages (see Specifying a
mail server for notifications, Manager Server Configuration Guide).
How Network Security Platform calculates severity level
Network Security Platform assigns a default severity (high, medium, or low) to every attack
in its attack database. Severity is based on the immediate effect, or impact, on the target
system.
Severity numbering scheme
Network Security Platform uses a numeric mapping scheme to indicate Informational, Low,
Medium, and High severity for a more intuitive display. The numbering scheme is as
follows:
Severity level    INFORMATIONAL    LOW    MEDIUM    HIGH
Numeric value     0                1-3    4-6       7-9
The guidelines in assigning severity levels are very similar to those used in many open
security forums. You can customize these severity levels to meet the needs of your system
based on the worth of your protected assets—an attack whose severity might be
considered Low to one company might be High to another.
Attack categories and severity range
Network Security Platform categorizes attacks into four groups: Reconnaissance, Exploits,
Volume DoS, and Policy Violation (for descriptions of these categories, see Pre-configured
rule sets and policies (on page 63)). The following table illustrates how severity levels are
assigned for attacks in different categories:
Category            Threat Type                     Range Used in Network Security Platform
Reconnaissance      Host sweep                      4-4
                    Port scan                       4-4
                    Brute force                     4-6
                    Service sweep                   6-6
                    OS Fingerprinting               6-6
Exploits            Protocol Violation              3-5
                    Buffer Overflow                 7-9
                    Shellcode Execution             7-9
                    Remote Access                   5-9
                    Privileged Access               8-9
                    Probe                           2-2
                    DoS                             3-5
                    Evasion Attempt                 7-7
                    Arbitrary Command Execution     8-8
                    Code/Script Execution           7-7
                    Bot                             7-9
                    Trojan                          3-9
                    DDoS Agent Activity             7-9
                    Backdoor                        7-9
                    Worm                            6-9
                    Virus                           3-5
                    Read Exposure                   3-5
                    Write Exposure                  5-7
Volume DoS          Statistical Deviation           7-7
                    Over Threshold                  6-6
Policy Violation    Audit                           0-0
                    Restricted Access               4-5
                    Restricted Application          4-5
                    Unauthorized IP                 5-5
                    Sensitive Content               5-7
                    Covert Channel                  5-5
                    Command Shell                   4-4
                    Non-standard Port               4-4
                    Phishing                        1-5
                    Potentially Unwanted Program    1-3
CHAPTER 2
Managing IPS settings
The IPS Settings resource node facilitates the following actions:
Summary
Policies
Advanced Policies
Alert Filters
ACL
SSL decryption
IPS Quarantine
Alert Notification
Malware detection
Configuration Update
Figure 1: IPS Settings Tab
Viewing assigned policies
The Summary action allows you to view the IPS policy and Reconnaissance policies that
have been assigned to the various resources of your McAfee® Network Security Platform.
Policies are listed per Sensor, interface, and sub-interface. From the root domain, you can
see policies assigned to all child domains. For non-root parent domains, you only see the
assigned policies in your parent and child domains. For child domains, you only see the
policies assigned to the resources in your domain. Select
<Domain_name> / IPS Settings > IPS Settings > Summary to view the applied policy.
Figure 2: IPS Settings - Summary Page
Configuring and managing policies
The Policies tab contains the major actions for policy configuration and management. The
provided, pre-configured rule sets and policies are included for immediate application—the
Default Inline IPS policy operates by default when McAfee Network Security Platform is
initialized. You can use a provided rule set/policy in its existing state, clone and customize
it to fit your needs, or you can create new rule sets/policies then apply them to the resources in
your protected network.
The Policies tab contains the following actions:
IPS Policy Editor (on page 8): Add, clone, view, edit or customize IPS policies.
Reconnaissance Policy Editor (on page 38): View, create, and customize
Reconnaissance policies.
Policy Assignment (on page 46): Easily assign / reassign policies that have been
applied to various resources.
HTTP response scanning (on page 48): Configure Network Security Platform to
inspect HTTP responses for exploits on a per-Sensor basis.
Managing policies with IPS Policy Editor
The IPS Policy Editor action enables the use of the ultimate refining tool for IPS policy
management. The Policy Editor brings together defining alert filters and rule sets for final
customization before deployment. Using this editor, you can select the exact Exploit and
Denial of Service (DoS) attacks you want to protect against, the types of automatic
responses you need to block current or further impacts, and the methods of notification
that will help your team respond to malicious use of your network in the most expeditious
time.
The Policy Editor provides the following actions:
Adding an IPS policy (on page 8)
Cloning an IPS policy (on page 33)
Viewing/editing an IPS policy (on page 34)
Modifying selected IPS policies using Bulk Edit (on page 34)
Deleting an IPS policy (on page 37)
Version Control (on page 37)
Tip: If setting the same responses for several attacks serves your policy
customization best (for example, enabling the Drop Packets response for all High
severity attacks once you have enabled In-line mode), try the Bulk Edit feature within
Exploit attack customization. This procedure is detailed in Modifying selected IPS
policies using Bulk Edit (on page 34).
Adding an IPS policy
Adding a new policy using the Policy Editor takes you through the process of refining the
parameters for securing your network. The following checklist explains the essential
elements of a complete policy configuration:
Applying rule sets for inbound and outbound traffic (on page 10)
Customizing exploit attack enforcement (on page 11)
Modifying selected IPS policies using Bulk Edit (on page 34)
Customizing Denial of Service (DoS) modes (on page 23)
Note: When working within the Policy Editor, the task of creating or modifying
settings opens up to four separate Java windows. Each window has either a Commit
Changes or OK button as well as a Cancel button. Clicking Commit Changes saves the
information to the database and closes all policy configuration actions. Clicking OK
closes the sub-window that has been opened from within policy configuration,
saving any changes made in that sub-window. Clicking Cancel aborts any operation
and closes the window. If you want to continue creating or modifying a policy, do not
click either Commit Changes or OK until you have completed every tab, step, or action
available in a window.
To add a new policy for attack monitoring in a specific network environment:
1 Select IPS Settings > Policies > IPS Policy Editor.
2 Click Add.
Figure 3: IPS Policy List
The Add an IPS Policy window opens with the Policy tab selected.
3 Type a name for your policy. If you want this policy to be applicable in all created child
admin domains, select the Visible to Child Admin Domains check box.
Figure 4: Step1: Add an IPS Policy Dialog
4 Apply the Inbound and Outbound rule set. See Applying Rule Sets for Inbound and
Outbound Traffic (on page 10).
5 From the Exploit tab, customize exploit attack enforcement. See Customizing exploit
attack enforcement (on page 11).
a. Customize responses for an exploit attack. See Customizing responses for an
exploit attack (on page 19).
b. Customize attack Notifications. See Exploit Attack Notification (on page 21).
6 Configure the Denial of Service (DoS) tab. See Customizing Denial of Service (DoS)
modes (on page 23).
a. Customize Denial of Service notification. See Denial of Service attack notification
(on page 25).
7 Commit the changes, and save the IPS policy. See Audit Log Comments (on page 27).
Applying rule sets for inbound and outbound traffic
Inbound and outbound refer to the direction that traffic is flowing in regards to the network.
Inbound refers to traffic destined for the internal network, and outbound refers to traffic
destined for the external network. McAfee recommends applying different rule sets for
inbound and outbound traffic for the following reason: traffic coming into a network area,
such as the DMZ, may only require the DMZ rule set, while traffic leaving the DMZ may be
headed for external networks, thus a more generic rule set such as the Default rule set
better protects the outbound traffic. For more information on the steps in applying the
inbound and outbound rule sets, see Steps for applying a rule set (on page 10).
Note: Although Inbound and Outbound rule sets can be applied to Sensors in SPAN
mode, only Inbound rule sets are enforceable.
Steps for applying a rule set
To apply a rule set in an IPS policy, do the following:
1 Go to IPS Settings > Policies > IPS Policy Editor. The IPS Policy List window displays.
2 Click Add. The Add a Policy window displays.
Figure 5: Applying a Rule Set
3 Enter Policy Name.
4 Check the box to specify whether the policy will be visible to Child Admin Domains.
Otherwise, leave the box unchecked.
5 Click Apply Inbound Rule Set to apply an inbound rule set of Exploit Attacks to the Policy.
A window displays titled Apply an Inbound Rule Set of Exploit Attacks to This Policy.
6 Specify the rule set in Select Inbound Rule Set to Be Applied, or select Copy from and then
Replace Outbound Rule Set, and click OK. A message is displayed that the attack
categories are retrieved from the attack database.
7 Click Apply Outbound Rule Set to apply an outbound rule set of Exploit Attacks to the
Policy. A window displays titled Apply an Outbound Rule Set of Exploit Attacks to This Policy.
8 Specify the rule set in Select Outbound Rule Set to Be Applied, or select Use Inbound Rule
set of Exploit Attacks, and click OK. A message is displayed that the attack categories are
retrieved from the attack database.
9 Click OK once the attack categories are retrieved.
Note: Before you make the inbound policy the same as the outbound policy,
see About Inbound Policy Same As Outbound Policy (on page 11).
10 Save the changes by selecting Commit Changes.
Specifying the Inbound Policy the same as Outbound Policy
You can create or modify a policy to specify that the outbound rule for an operating
system, protocol, application, and so forth is the same as the inbound rule for the same
item.
McAfee recommends applying different rule sets for inbound and outbound traffic for the
following reason: traffic coming into a network area, such as the DMZ, may only require
DMZ rule set, while traffic leaving the DMZ may be headed for external networks, thus a
more generic rule set such as the Default rule set better protects the outbound traffic.
Note: Although Inbound and Outbound rule sets can be applied to Sensors in SPAN
mode, only Inbound rule sets are enforceable.
To verify that the outbound and inbound rules are the same, go to IPS Settings > Policies > IPS
Policy Editor and view the Outbound Rule Set column.
Customizing exploit attack enforcement
1 In the Add an IPS Policy window, click the Exploit tab. This section contains the attacks
that match the parameters in your selected rule set—all attacks are categorized by
protocol (that is, the application protocol they impact). From here, you can drill down
to customize individual attack settings such as alert filters, Sensor responses, and
notifications to be sent. These customizations are optional, but McAfee recommends
that you become familiar with them.
The table columns are as follows:
Protocol: the protocols that were chosen as a result of the rule set configuration.
Attacks are grouped under the application protocol which they impact.
No. of Available Attacks: number of attacks for each protocol.
No. of Enabled Attacks: number of attacks enabled for detection. All attacks are
enabled by default.
Note: The “No. of Available Attacks” and “No. of Enabled Attacks” may display
a discrepancy if an enabled attack is disabled during user customization.
Figure 6: Add An IPS Policy Dialog - Exploit Tab
2 View the attacks for a protocol by selecting a row and clicking View / Edit.
You can sort the attacks by clicking any of the following topic columns:
Attack Enabled: enforcement status of attack. A check mark in the Attack Enabled
field means the attack is actively being sought.
Alert Enabled: alert status of attack. A check mark in the Alert Enabled field means
that an alert is raised for this attack.
Attack Name: the Network Security Platform-designated name for the attack.
Attack ID: the Network Security Platform-designated ID for the attack.
Severity: the potential impact represented by the attack.
Customized: a check denotes that an attack has been user-customized.
Packet Logging: a check denotes that an attack has packet logging enabled.
Sensor Actions: type of Sensor action performed on an attack followed by the level
at which the Sensor action was indicated.
Blocking: a check denotes that an attack has blocking enabled.
Notifications: a check denotes that an attack has notifications enabled followed by
the level at which the notification was indicated.
Sensor Software Versions: two columns, named for the current and previous Sensor
software versions, are each either checked or unchecked, indicating whether the
attack relates to the current software version, the previous one, or both.