McAfee Network Security Platform Configuration manual

McAfee®

Network Protection

Industry-leading network security solutions

IPS Configuration Guide

McAfee® Network Security Platform

Network Security Manager

version 5.1

revision 10.0

COPYRIGHT

any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),

ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION

THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),

NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,

VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or

its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks

herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH

THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,

PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING

OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE

FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL

THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by

Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses

which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for

any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such

software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software

program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by

Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at

California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/). * Software

contributed to Berkeley by Chris Torek.

Issued JUNE 2010 / IPS Configuration Guide

700-1810-00/ 10.0 - English

iii

Contents

Preface ...........................................................................................................

v

Introducing McAfee Network Security Platform............................................................................. v

About the guide............................................................................................................................. v

Audience ....................................................................................................................................... v

Conventions used in this guide .....................................................................................................vi

Related documentation ................................................................................................................vii

Contacting Technical Support.....................................................................................................viii

Chapter 1 Overview of IPS settings ............................................................ 1

Configuring and setting rule-based policies ..................................................................................1

Responding to detected attacks....................................................................................................2

Packet logging........................................................................................................................2

Sensor actions .......................................................................................................................3

Setting notification for attacks .......................................................................................................3

How Network Security Platform calculates severity level.............................................................. 4

Attack categories and severity range.....................................................................................4

Chapter 2 Managing IPS settings................................................................ 6

Viewing assigned policies .............................................................................................................6

Configuring and managing policies...............................................................................................7

Managing policies with IPS Policy Editor...............................................................................8

Managing policies with Reconnaissance Policy Editor ........................................................38

Policy Assignment................................................................................................................46

Managing HTTP response scanning....................................................................................48

Configuring Advanced Policies....................................................................................................50

Configuring non-standard ports............................................................................................51

Managing rule sets with the Rule Set Editor........................................................................53

Managing attack responses using GARE ............................................................................65

User-Defined Signatures action...........................................................................................65

Setting up Global Auto Acknowledgement...........................................................................66

Using the Incident Generator service...................................................................................67

Exporting and importing policies..........................................................................................74

Managing alert filters and attack responses................................................................................78

Using the Alert Filter Editor..................................................................................................78

Alert filter assignments.........................................................................................................82

Exporting Alert Filters...........................................................................................................84

Importing alert filters.............................................................................................................84

Setting up ACLs ..........................................................................................................................85

Configuring ACL rules..........................................................................................................85

ACL Syslog Forwarder.........................................................................................................99

XML converter tool for ACL rules.......................................................................................101

Using L3 ACLs for fragmented traffic.................................................................................102

Enabling Secure Socket Layer (SSL) Decryption ..................................................................... 104

Enabling SSL decryption in IPS Settings node..................................................................105

Importing SSL keys to the Sensors....................................................................................106

Managing the imported SSL keys of Sensors....................................................................107

IPS Quarantine settings ............................................................................................................108

IPS Quarantine configuration in Policy Editors ..................................................................109

IPS Quarantine configuration in Admin Domain.................................................................115

IPS Quarantine settings in the Threat Analyzer.................................................................123

Archiving data............................................................................................................................128

Viewing scheduled actions.................................................................................................128

Archiving alerts and packet logs ........................................................................................128

Scheduling automatic archival ...........................................................................................130

iv

Restoring an archive ..........................................................................................................131

Exporting an archive ..........................................................................................................133

Archiving alerts using dbadmin.bat....................................................................................133

Restoring alerts using dbadmin.bat....................................................................................134

Manager database maintenance...............................................................................................136

Capacity planning...............................................................................................................136

Alert Data Pruning..............................................................................................................140

Manager Pruning................................................................................................................142

Setting up alert notifications......................................................................................................143

Viewing alert notification details.........................................................................................143

Forwarding alerts to an SNMP server................................................................................144

Forwarding alerts to a Syslog server..................................................................................146

Specifying email or pager parameters ...............................................................................150

Specifying script parameters..............................................................................................152

Updating the configuration of all Sensors..................................................................................154

Chapter 3 The IPS Sensor_Name node................................................... 156

IPS Sensor settings................................................................................................................... 156

Policies at Sensor_Name level ..........................................................................................156

Alert filter assignments.......................................................................................................157

Managing HTTP response scanning..................................................................................160

Viewing the DoS detection status of a Sensor...................................................................162

Configuring advanced scanning................................................................................................163

Managing Non-standard Ports ...........................................................................................164

Creating an interface group................................................................................................164

Managing DoS Learning Mode profiles..............................................................................165

Managing DoS filters..........................................................................................................168

Configuring TCP settings ...................................................................................................169

Configuring IP settings for IPv4 and IPv6 traffic.................................................................172

Configuring alert suppression with packet log response....................................................176

OS Fingerprinting...............................................................................................................178

Configuring ACL rules in the IPS Sensor..................................................................................180

Assigning ACL rules in the IPS Sensor..............................................................................181

Editing ACL Log settings....................................................................................................186

Enabling IP Address spoofing detection ............................................................................188

Traffic Management ..................................................................................................................190

Configuring Traffic Management........................................................................................191

Precedence in Traffic Management...................................................................................199

Considerations in rate limiting............................................................................................200

Network scenarios for Traffic Management .......................................................................203

Enabling SSL decryption...........................................................................................................204

Configuring SSL decryption in the IPS Sensor ..................................................................205

Managing the imported SSL keys of a Sensor...................................................................206

Configuring at the interface level........................................................................................208

IPS Quarantine settings in the IPS Sensor ...............................................................................209

Summary of Sensor configurations for IPS Quarantine.....................................................209

NAC ACL Logging in the Sensor for IPS Quarantine.........................................................210

Sensor port settings for IPS quarantine.............................................................................211

Setting policy for interfaces and sub-interfaces ........................................................................ 213

Using Virtualization for policy application.................................................................................. 213

The IPS Sensor interface node.................................................................................................213

Configuring general interface settings................................................................................214

Scanning policies at the interface level..............................................................................221

Adding ACLs on the interface ............................................................................................233

IPS Sensor sub-interface node..........................................................................................234

Chapter 4 Understanding attack descriptions....................................... 242

Impact categories......................................................................................................................243

Impact subcategories................................................................................................................244

Index........................................................................................................... 250

v

Preface

This preface provides a brief introduction to the product, discusses the information in this

document, and explains how this document is organized. It also provides information such

as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee

®

Network Security Platform [formerly McAfee

®

IntruShield

®

] delivers the most

comprehensive, accurate, and scalable Network Access Control (NAC) and network

Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service

provider networks, while providing unmatched protection against spyware and known,

zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide

the most comprehensive and effective network IPS in the market.

About the guide

This guide provides conceptual and procedural information on how to use the McAfee

®

Network Security Manager [formerly McAfee

®

IntruShield

®

Security Manager] to manage

security policies in Network Security Platform. You need to apply policies to your McAfee

®

Network Security Sensors [formerly McAfee

®

IntruShield

®

Sensors] for the system to

generate alerts. For an overview of security policies in Network Security Platform, see the

Getting Started Guide. For detailed information on User-Defined Signatures, see User-Defined

Signatures Guide.

The following are some of the tasks discussed in this guide:

• Viewing the policies currently applied to the McAfee Network Security Sensors

(Sensors) and interfaces in an admin domain.

• Assigning policies to Sensors.

• Managing rule sets using the Rule Set Editor.

• Managing attack responses at a global level using GARE.

• Managing policies using the IPS Policy Editor.

• Using Global Auto ACK to automatically acknowledge alerts.

This guide explains how to perform the above-mentioned tasks using the Configuration

page of the McAfee Network Security Manager (Manager). For a detailed description of

the Configuration page and information on how to use this page, see Manager Configuration

Basics Guide.

Audience

This guide is intended for use by network technicians and maintenance personnel

responsible for installing, configuring, and maintaining the Manager and Sensors, but is

McAfee® Network Security Platform 5.1

Preface

vi

not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or

the commands necessary to perform particular tasks.

Conventions used in this guide

This document uses the following typographical conventions:

Convention Example

Terms that identify fields, buttons,

tabs, options, selections, and

commands on the User Interface

(UI) are shown in

Arial N3arrow bold

font.

The

Service field on the Properties tab specifies the

name of the requested service.

Menu or action group selections

are indicated using a right angle

bracket.

Select My Company > Admin Domain > Summary.

Procedures are presented as a

series of numbered steps.

1. On the Configuration tab, click Backup.

Names of keys on the keyboard

are denoted using UPPER CASE.

Press ENTER.

Text such as syntax, keywords,

and values that you must type

exactly are denoted using

Courier New font.

Type: setup and then press ENTER.

Variable information that you must

type based on your specific

situation or environment is shown

in italics.

Type: sensor-IP-address and then press ENTER.

Parameters that you must supply

are shown enclosed in angle

brackets.

set Sensor ip <A.B.C.D>

Information that you must read

before beginning a procedure or

that you to negative

consequences of certain actions,

such as loss of data is denoted

using this notation.

Caution:

Information that you must read to

prevent injury, accidents from

contact with electricity, or other

serious consequences is denoted

using this notation.

Warning:

Notes that provide related, but

non-critical, information are

denoted using this notation.

Note:

McAfee® Network Security Platform 5.1

Preface

vii

Related documentation

The following documents and on-line help are companions to this guide. Refer to Quick

Tour for more information on these guides.

• Quick Tour

• Manager Installation Guide

• 4.1 to 5.1 Upgrade Guide

• Getting Started Guide

• IPS Deployment Guide

• Manager Configuration Basics Guide

• Administrative Domain Configuration Guide

• Manager Server Configuration Guide

• Sensor CLI Guide

• Sensor Configuration Guide

• NAC Configuration Guide

• Integration Guide

• System Status Monitoring Guide

• Reports Guide

• User-Defined Signatures Guide

• Central Manager Administrator's Guide

• Best Practices Guide

• Troubleshooting Guide

• I-1200 Sensor Product Guide

• I-1400 Sensor Product Guide

• I-2700 Sensor Product Guide

• I-3000 Sensor Product Guide

• I-4000 Sensor Product Guide

• I-4010 Sensor Product Guide

• M-8000 Sensor Product Guide

• M-6050 Sensor Product Guide

• M-3050/M-4050 Sensor Product Guide

• M-2750 Sensor Product Guide

• M-1250/M-1450 Sensor Product Guide

• N-450 Sensor Product Guide

• Gigabit Optical Fail-Open Bypass Kit Guide

• Gigabit Copper Fail-Open Bypass Kit Guide

• Special Topics Guide—In-line Sensor Deployment

• Special Topics Guide—Sensor High Availability

• Special Topics Guide—Virtualization

• Special Topics Guide—Denial-of-Service

McAfee® Network Security Platform 5.1

Preface

viii

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support http://mysupport.mcafee.com.

Registered customers can obtain up-to-date documentation, technical bulletins, and quick

tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also

resolve technical issues with the online case submit, software downloads, and signature

updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7

Technical Support is available for customers with Gold or Platinum service contracts.

Global phone contact numbers can be found at McAfee Contact Information

http://www.mcafee.com/us/about/contact/index.html page.

Note: McAfee requires that you provide your GRANT ID and the serial number of

your system when opening a ticket with Technical Support. You will be provided with

a user name and password for the online case submission.

1

C HAPTER 1

Overview of IPS settings

The IPS Settings node in each admin domain facilitates actions related to configuration and

management of IPS related policies configuration on the McAfee

®

Network Security

Sensor [formerly McAfee

®

IntruShield

®

Sensor]. Policy configuration is available to users

with a Security Expert or Super User role. When policies are applied, McAfee

®

Network

Security Platform [formerly McAfee

®

IntruShield

®

] generates alerts; you can then use the

Threat Analyzer to view the resulting alerts.

For an overview of security policies, see

Getting Started Guide.

Policies in McAfee Network Security Platform

A security policy, or IPS policy, is a set of rules that governs what traffic is permitted

across your network, and how to respond to misuse of the network. An effective policy is

one that is customized to the network environment being monitored.

A Network Security Platform policy is a set of rules/instructions defining the malicious

activity you want to detect and how you want to respond if the malicious activity is

detected. Creating a policy enables you to define an environment to protect by the different

operating systems (OSs), applications, and protocols in your network. These parameters,

or rules, relate to all of the attacks defended against by Network Security Platform.

The best practice is to create multiple, specific policies that focus on the specific needs of

unique zones in your network, rather than a one-size-fits-all policy for the entire network.

Network Security Platform enables you to create rule-based policies for your network

resources, including individual sub-flows of network traffic. Several pre-configured policies

(Pre-configured rule sets and policies (on page

63)) are supplied for immediate application

in various unique network environments.

Configuring and setting rule-based policies

A rule-based policy is very similar to an Access Control List (ACL) - a set of ordered rules

used to determine which attacks or conditions are of interest, and thus should be

monitored. A rule set is configured based on attack category, operating system, protocol,

application, severity, and benign trigger probability options. Each rule in a set is either an

include rule or an exclude rule. An include rule—which should always start a rule set—is a

set of parameters that encompasses a broad range of well-known attacks for detection. An

exclude rule removes elements from the include rule in order to focus the policy’s rule set.

By broadening (includes) and narrowing (excludes) the rules, you can enable detection for

the attacks that impact the intended environment.

Note: If you start a rule set with an exclude rule, an include rule added afterwards

may negate the exclusion; thus, this rule-based approach is not exactly the same as

an ACL. For example, if you specify an exclude rule for the DNS protocol, then later

include multiple protocols including DNS, the exclusion rule is negated.

McAfee® Network Security Platform 5.1

Overview of IPS settings

2

In the McAfee® Network Security Policy Editor [formerly IPS Policy Editor], there are

several provided rule sets which match the pre-configured policies. You can view, clone

(copy), and customize these rule sets for your own use.

McAfee recommends two approaches to creating rule sets. The first method is general to

specific. You start with an include rule that covers a broad range of OSs, applications,

protocols. You then create one or more exclude rules to strip away specific OSs, protocols,

et cetera, thus focusing your rule set on the environment where it will be enforced. For

example, you start with an include rule for all Exploit category attacks. You follow this with

multiple exclusion rules that strip away protocols, applications, severities, et cetera, that

will have no impact in a specific zone of your network.

The second method is collaboration. You create multiple include rules within one rule set

for each category, OS, et cetera, combination you want to detect. Each criterion must be

matched in order for an alert to be triggered. For example, your first rule in the set includes

the Exploit category, Unix as the OS, Sendmail as the application, and SMTP as the

protocol. Next, you create another include rule for Exploit, Windows 2000, WindMail, and

SMTP. Each include rule you add broadens the scope of your detection.

Responding to detected attacks

When a McAfee Network Security Sensor (Sensor) detects activity to be in violation of a

configured policy, a preset response from the Sensor is integral to the protection or

prevention process. Proper configuration of responses is crucial to maintaining effective

protection. Critical attacks like buffer overflows and denial of service (DoS) require

responses in real-time, while scans and probes can be logged and researched to

determine compromise potential and the source of the attack. Developing a system of

actions, alerts, and logs based on impact severity is recommended for effective network

security.

Since the Sensors can be installed anywhere in a network, knowing what area a Sensor

protects is important for determining the response type. If installed outside of the firewall,

alerting with response is best used for DoS and other attacks against the firewall. Most

other suspicious traffic types that are not recognized by known signatures intended for the

internal network, including scans and CGI data, are best logged without response, then

analyzed as the impact is not immediate and a better understanding of the potential attack

purpose can be determined.

Note: Setting a response type during policy configuration is critical for an effective

intrusion management system. A list of response options can be seen and

configured at Customizing responses for an exploit attack (on page

19).

Packet logging

Logging attack packets for analysis is an effective means of preparing for future attacks. A

packet log is created by a Network Security Sensor capturing the network traffic around an

offending transmission. An expert in protocol analysis can use the log information to

determine what caused the alert and what can be done to prevent future alerts of the same

nature. Packet logs are retrieved from the database via the Threat Analyzer and can be

opened and examined using a program called Ethereal. By default, UDP and TCP protocol

attacks generate a packet log for the attack plus the previous 128 bytes in the flow.

McAfee® Network Security Platform 5.1

Overview of IPS settings

3

Tip: McAfee recommends using Wireshark( formerly known as Ethereal) for packet

log viewing. Ethereal is a network protocol analyzer for Unix and Windows servers

that enables you to examine the data captured by your Network Security Sensor.

For information on downloading and use of Ethereal, go to www.wireshark.com

http://www.wireshark.org.

Sensor actions

Network Security Sensor actions are responses your Sensor enacts to prevent or deter

further attacks. The most effective of these is

Drop Further Packets, which is only available in

In-line mode—this is the first true implementation of real-time prevention. In most cases,

attack packets reach the intended target before a preventative action can be enforced.

Drop Further Packets drops the offending transmission during Sensor inspection. This option

must be enabled in the

Response section of any Exploit or Denial of Service (DoS) attack

during policy creation/cloning.

The other Sensor actions available are:

•

IPS Quarantine: Based on the configuration, quarantine and remediation is performed by

the Sensor. For more information, see IPS Quarantine settings (on page

108).

• Block DoS Packets: blocks further packets for a detected DoS attack. In this case, you

have not configured the

Drop Further Packets response; however, the Threat Analyzer

allows you to drop further packets of an ongoing DoS attack.

•

Enable TCP Reset: disconnects a TCP connection at the source, destination, or both

ends of the transmission.

•

Send ICMP Host Not Reachable to Intruder: sends this message to attack source for ICMP

transmissions.

•

Alert Filtering: limits the alerts generated by excluding certain Source and Destination IP

address parameters.

Setting notification for attacks

Attack detection, alerting, and Sensor response is a very effective process for managing

your network’s security. Network Security Platform also provides administrator notification

for selected attacks. A notification is a message sent via email, email pager, or script for

any attack you regard as high priority. A message is sent with information pertaining to the

attack name, severity, detected time, and so on. Notification is configured on a per-attack

basis; you can enable this feature within the customization of any Exploit, Denial of

Service (DoS), or Reconnaissance attack. Details for enabling notification for Exploit and

DoS attacks are presented in this chapter.

You also have the option to automatically acknowledge any attack within the Notification

category. The

Auto. Acknowledge option marks an alert as Acknowledged for the purposes of

alert viewing and report generation. For more information on acknowledgement of alerts,

see Acknowledging alerts,

System Status Monitoring Guide.

Email, pager, and script lists, as well as message contents, are configured on a per-admin

domain basis (see Setting up alert notifications (on page

143)). For email and pager

notifications, you must set up a mail server for sending the messages (see Specifying a

mail server for notifications, Manager Server Configuration Guide ).

McAfee® Network Security Platform 5.1

Overview of IPS settings

4

How Network Security Platform calculates severity level

Network Security Platform assigns a default severity (high, medium, or low) to every attack

in its attack database. Severity is based on the immediate effect, or impact, on the target

system.

Severity numbering scheme

Network Security Platform uses a numeric mapping scheme to indicate Informational, Low,

Medium, and High severity for a more intuitive display. The numbering scheme is as

follows:

INFORMATIONAL LOW MEDIUM HIGH

0 1-3 4-6 7-9

The guidelines in assigning severity levels are very similar to those used in many open

security forums. You can customize these severity levels to meet the needs of your system

based on the worth of your protected assets—an attack whose severity might be

considered Low to one company might be High to another.

Attack categories and severity range

Network Security Platform categorizes attacks into four groups: Reconnaissance, Exploits,

Volume DoS, and Policy Violation (for descriptions of these categories, see Pre-configured

rule sets and policies (on page 63)). The following table illustrates how severity levels are

assigned for attacks in different categories:

Category Threat Type Range Used in Network

Security Platform

Host sweep 4-4

Port scan 4-4

Brute force 4-6

Service sweep 6-6

Reconnaissance

OS Fingerprinting 6-6

McAfee® Network Security Platform 5.1

Overview of IPS settings

5

Category Threat Type Range Used in Network

Security Platform

Protocol Violation 3-5

Buffer Overflow 7-9

Shellcode Execution 7-9

Remote Access 5-9

Privileged Access 8-9

Probe 2-2

DoS 3-5

Evasion Attempt 7-7

Arbitrary Command

Execution

8-8

Code/Script Execution 7-7

Bot 7-9

Trojan 3-9

DDoS Agent Activity 7-9

Backdoor 7-9

Worm 6-9

Virus 3-5

Read Exposure 3-5

Exploits

Write Exposure 5-7

Statistical Deviation 7-7 Volume DoS

Over Threshold 6-6

Audit 0-0

Restricted Access 4-5

Restricted Application 4-5

Unauthorized IP 5-5

Sensitive Content 5-7

Covert Channel 5-5

Command Shell 4-4

Non-standard Port 4-4

Phishing 1-5

Policy Violation

Potentially Unwanted

Program

1-3

6

C HAPTER 2

Managing IPS settings

The IPS Settings resource node facilitates the following actions:

• Summary

• Policies

• Advanced Policies

• Alert Filters

• ACL

• SSL decryption

• IPS Quarantine

• Alert Notification

• Malware detection

• Configuration Update

Figure 1: IPS Settings Tab

Viewing assigned policies

The Summary action allows you to view the IPS policy and Reconnaissance policies that

have been assigned to the various resources of your McAfee

®

Network Security Platform.

Policies are listed per Sensor, interface, and sub-interface. From the root domain, you can

see policies assigned to all child domains. For non-root parent domains, you only see the

assigned policies in your parent and child domains. For child domains, you only see the

policies assigned to the resources in your domain. Select

<Domain_name> / IPS Settings > IPS

Settings > Summary

to view the applied policy.

McAfee® Network Security Platform 5.1

Managing IPS settings

7

Figure 2: IPS Settings - Summary Page

Configuring and managing policies

The Policies tab contains the major actions for policy configuration and management. The

provided, pre-configured rule sets and policies are included for immediate application—the

Default Inline IPS

policy operates by default when McAfee Network Security Platform is

initialized. You can use a provided rule set/policy in its existing state, clone and customize

it to fit your needs, or you can create new rule sets/policies then apply to the resources in

your protected network.

The

Policies tab contains the following actions:

• IPS Policy Editor (on page

8): Add, clone, view, edit or customize IPS policies.

• Reconnaissance Policy Editor (on page

38): View, create, and customize

Reconnaissance policies.

• Policy Assignment (on page

46) : Easily assign / reassign policies that have been

applied to various resources.

• HTTP response scanning (on page

48): Configure Network Security Platform to

inspect HTTP responses for exploits on a per-Sensor basis.

McAfee® Network Security Platform 5.1

Managing IPS settings

8

Managing policies with IPS Policy Editor

The IPS Policy Editor action enables the use of the ultimate refining tool for IPS policy

management. The Policy Editor brings together defining alert filters and rule sets for final

customization before deployment. Using this editor, you can select the exact Exploit and

Denial of Service (DoS) attacks you want to protect against, the types of automatic

responses you need to block current or further impacts, and the methods of notification

that will help your team respond to malicious use of your network in the most expeditious

time.

The Policy Editor provides the following actions:

• Adding an IPS policy (on page

8)

• Cloning an IPS policy (on page

33)

• Viewing/editing an IPS policy (on page

34)

• Modifying selected IPS policies using Bulk Edit (on page

34)

• Deleting an IPS policy (on page 37)

• Version Control (on page 37)

Tip: If setting the same responses for several attacks serves your policy

customization best (for example, enabling the Drop Packets response for all High

severity attacks once you have enabled In-line mode), try the

Bulk Edit feature within

Exploit attack customization. This procedure is detailed in Modifying selected IPS

policies using Bulk Edit (on page

34).

Adding an IPS policy

Adding a new policy using the Policy Editor takes you through the process of refining the

parameters for securing your network. The following checklist explains the essential

elements of a complete policy configuration:

• Applying rule sets for inbound and outbound traffic (on page

10)

• Customizing exploit attack enforcement (on page 11)

• Modifying selected IPS policies using Bulk Edit (on page 34)

• Customizing Denial of Service (DoS) modes (on page

23)

Note: When working within the Policy Editor, the task of creating or modifying

settings opens up to four separate Java windows. Each window has either a Commit

Changes

or OK button as well as a Cancel button. Clicking Commit Changes saves the

information to the database and closes all policy configuration actions. Clicking

OK

closes the sub-window that has been opened from within policy configuration,

saving any changes made in that sub-window. Clicking Cancel aborts any operation

and closes the window. If you want to continue creating or modifying a policy, do not

click either

Commit Changes or OK until you have completed every tab, step, or action

available in a window.

To add a new policy for attack monitoring in a specific network environment:

1 Select

IPS Settings > Policies > IPS Policy Editor.

2 Click

Add.

McAfee® Network Security Platform 5.1

Managing IPS settings

9

Figure 3: IPS Policy List

The Add an IPS Policy window opens with the Policy tab selected.

3 Type a name for your policy. If you want this policy to be applicable in all created child

admin domains, select the

Visible to Child Admin Domains check box.

Figure 4: Step1: Add an IPS Policy Dialog

4 Apply the Inbound and Outbound rule set. See Applying Rule Sets for Inbound and

Outbound Traffic (on page

10).

5 From the

Exploit tab, customize exploit attack. See Customizing exploit attack

enforcement. (on page

11)

a. Customize responses for an exploit attack. See Customizing responses for an

exploit attack (on page

19).

b. Customize attack Notifications. See Exploit Attack Notification (on page 21).

6 Configure the Denial of Service (

DoS) tab. See Customizing Denial of Service (DoS)

modes (on page

23).

a. Customize Denial of Service notification. See Denial of Service attack notification

(on page

25).

7 Commit the changes, and save the IPS policy. See Audit Log Comments (on page

27).

McAfee® Network Security Platform 5.1

Managing IPS settings

10

Applying rule sets for inbound and outbound traffic

Inbound and outbound refer to the direction that traffic is flowing in regards to the network.

Inbound refers to traffic destined for the internal network, and outbound refers to traffic

destined for the external network. McAfee recommends applying different rule sets for

inbound and outbound traffic for the following reason: traffic coming into a network area,

such as the DMZ, may only require the DMZ rule set, while traffic leaving the DMZ may be

headed for external networks, thus a more generic rule set such as the Default rule set

better protects the outbound traffic. For more information on the steps in applying the

inbound and outbound rule sets, see Steps for applying a rule set (on page

10).

Note: Although Inbound and Outbound rule sets can be applied to Sensors in SPAN

mode, only Inbound rule sets are enforceable.

Steps for applying a rule set

To apply a rule set, in an IPS policy do the following:

1 Go to

IPS Settings > Policies > IPS Policy Editor. The IPS Policy List window displays.

2 Click

Add. The Add a Policy window displays.

Figure 5: Applying a Rule Set

3 Enter Policy Name.

4 Check the box to specify whether the policy will be visible to Child Admin Domains.

Otherwise, leave the box unchecked.

5 Click

Apply Inbound Rule Set to apply an inbound rule set of Exploit Attacks to the Policy.

A window displays titled

Apply an Inbound Rule Set of Exploit Attacks to This Policy.

6 Specify the rule set in the

Select Inbound Rule Set to Be Applied or select Copy from and then

Replace Outbound Rule Set

and click OK. A message is displayed that the attack

categories are retrieved from the attack database.

7 Click Apply Outbound Rule Set to apply an outbound rule set of Exploit Attacks to the

Policy. A window displays titled

Apply an Outbound Rule Set of Exploit Attacks to This Policy.

McAfee® Network Security Platform 5.1

Managing IPS settings

11

8 Specify the rule set in the Select Outbound Rule Set to Be Applied or select Use Inbound Rule

set of Exploit Attacks

and click OK. A message is displayed that the attack categories are

retrieved from the attack database.

9 Click

OK, once the attack categories are retrieved.

Note: Before you make the inbound policy the same as the outbound policy,

see About Inbound Policy Same As Outbound Policy (on page 11).

10 Save the changes by selecting Commit Changes.

Specifying the Inbound Policy the same as Outbound Policy

You can create or modify a policy to specify that the outbound rule for an operating

system, protocol, application, and so forth is the same as the inbound rule for the same

item.

McAfee recommends applying different rule sets for inbound and outbound traffic for the

following reason: traffic coming into a network area, such as the DMZ, may only require

DMZ rule set, while traffic leaving the DMZ may be headed for external networks, thus a

more generic rule set such as the Default rule set better protects the outbound traffic.

Note: Although Inbound and Outbound rule sets can be applied to Sensors in SPAN

mode, only Inbound rule sets are enforceable.

To verify that the outbound and inbound rules are the same, go to IPS Settings > Policies > IPS

Policy Editor

and view Outbound Rule Set column.

Customizing exploit attack enforcement

1 In the Add an IPS Policy window, click the Exploit tab. This section contains the attacks

that match the parameters in your selected rule set—all attacks are categorized by

protocol (that is, the application protocol they impact). From here, you can drill down

to customize individual attack settings such as alert filters, Sensor responses, and

notifications to be sent. These customization are optional, but McAfee recommends

that you become familiar with them.

The table columns are as follow:



Protocol: the protocols that were chosen as a result of the rule set configuration.

Attacks are grouped under the application protocol which they impact.



No. of Available Attacks: number of attacks for each protocol.



No. of Enabled Attacks: number of attacks enabled for detection. All attacks are

enabled

by default.

Note: The “No. of Available Attacks” and “No. of Enabled Attacks” may display

a discrepancy if an enabled attack is disabled during user customization.

McAfee® Network Security Platform 5.1

Managing IPS settings

12

Figure 6: Add An IPS Policy Dialog - Exploit Tab

2 View the attacks for a protocol by selecting a row and clicking View / Edit.

You can sort the attacks by clicking any of the following topic columns:

 Attack Enabled: enforcement status of attack. A check mark in the Attack Enabled

field means the attack is actively being sought.



Alert Enabled: alert status of attack. A check mark in the Alert Enabled field means

that an alert is raised for this attack.



Attack Name: the Network Security Platform-designated name for the attack.



Attack ID: the Network Security Platform-designated ID for the attack.



Severity: the potential impact represented by the attack.



Customized: a check denotes that an attack has been user-customized.



Packet Logging: a check denotes that an attack has packet logging enabled.



Sensor Actions: type of Sensor action performed on an attack followed by the level

at which the Sensor action was indicated.



Blocking: a check denotes that an attack has blocking enabled.



Notifications: a check denotes that an attack has notifications enabled followed by

the level at which the notification was indicated.



Sensor Software Versions: Two columns with the current and previous Sensor

software version names are either checked or unchecked indicating whether the

attack relates to the current or previous software versions or both.

Page is loading ...

McAfee Network Security Platform Configuration manual

This manual is also suitable for

McAfee Network Security Platform Configuration manual

Related papers

Other documents