McAfee Network Security Platform, M-3050 Installation guide

Installation Guide
revision 5.0
McAfee®
Network Protection
Industry-leading network security solutions
McAfee® Network Security Platform
version 6.0
COPYRIGHT
Copyright © 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSIVELY, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected].edu), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
Issued NOVEMBER 2010 / Installation Guide
700-2252-00/ 5.0 - English
Contents
Preface ........................................................................................................... v
Introducing McAfee Network Security Platform............................................................................. v
Conventions used in this book ...................................................................................................... v
Related Documentation.................................................................................................................vi
Contacting Technical Support ......................................................................................................vii
Chapter 1 About Network Security Platform.............................................. 1
Network Security Platform components ........................................................................................ 1
About McAfee Network Security Sensor ................................................................................1
Manager components ............................................................................................................4
McAfee Update Server...........................................................................................................6
Chapter 2 About Network Security Central Manager ................................ 8
Chapter 3 Preparing for the Manager installation...................................... 9
Pre-requisites ................................................................................................................................ 9
General settings .....................................................................................................................9
Other third-party applications ...............................................................................................10
Browser display settings (Windows) ....................................................................................10
Server requirements.............................................................................................................10
Manager installation with Local Service account privileges .................................................12
Client requirements ..............................................................................................................12
Java runtime engine requirements.......................................................................................12
Database requirements........................................................................................................13
Pre-installation recommendations............................................................................................... 13
Planning for installation ........................................................................................................13
Functional requirements.......................................................................................................14
Using anti-virus software with the Manager .........................................................................14
User interface responsiveness.............................................................................................15
Downloading the Manager/Central Manager executable ............................................................ 16
Chapter 4 Installing the Manager/Central Manager................................. 17
Installing the Manager ................................................................................................................. 17
Installing the Central Manager .................................................................................................... 28
Chapter 5 Starting the Manager/Central Manager ................................... 30
Accessing the Manager from a client machine............................................................................ 30
Java installation for client systems.............................................................................................. 31
Logging onto the Manager .......................................................................................................... 31
Logging onto the Central Manager.............................................................................................. 32
Authenticating Access to the Manager using CAC ..................................................................... 33
Shutting down the Manager/Central Manager services .............................................................. 35
Closing all client connections ...............................................................................................36
Shutting down using the Network Security Platform system tray icon .................................36
Shutting down using the Control Panel ................................................................................37
Chapter 6 Adding a Sensor........................................................................ 39
Before You Install Sensors.......................................................................................................... 39
Network topology considerations .........................................................................................39
Safety measures ..................................................................................................................39
Usage restrictions ................................................................................................................40
Unpacking the Sensor..........................................................................................................41
Cable Specifications.................................................................................................................... 41
Network Security Platform fail-closed dongle specification..................................................42
Console port pin-outs ...........................................................................................................42
Auxiliary port pin-outs...........................................................................................................42
Response port pin-outs ........................................................................................................43
Monitoring port pin-outs .......................................................................................................44
Configuring a Sensor................................................................................................................... 45
Configuration overview.........................................................................................................45
Establish a Sensor naming scheme.....................................................................................45
Communication between the Sensor and the Manager .......................................................46
Configuring the Sensor ........................................................................................................46
Adding a Sensor to the Manager .........................................................................................48
Verifying successful configuration........................................................................................49
Changing Sensor values ......................................................................................................50
Adding a secondary Manager IP..........................................................................................51
Removing a secondary Manager IP.....................................................................................51
Device Licenses .......................................................................................................................... 52
Importing a Device License..................................................................................................52
Manually assigning a device license ....................................................................................53
Chapter 7 Configuring the Update Server................................................ 55
Specifying the Update Server authentication .............................................................................. 55
Specifying a proxy server for Internet connectivity...................................................................... 56
Manually importing a software image or signature set................................................................ 57
Downloading software updates ................................................................................................... 57
Downloading signature set updates ............................................................................................ 60
Automating updates .................................................................................................................... 62
Automating signature set downloads from the Update Server.............................................62
Automatically deploy new signature sets to your devices....................................................63
Chapter 8 Uninstalling the Manager/Central Manager ............................ 65
Uninstalling using Add/Remove Programs.................................................................................. 65
Uninstalling via script................................................................................................................... 66
Index............................................................................................................. 68
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as, the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion
Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical
enterprise, carrier and service provider networks, while providing unmatched protection
against spyware and against known, zero-day, and encrypted attacks.
McAfee® Network Threat Behavior Analysis Appliance provides the capability of monitoring
network traffic by analyzing NetFlow information flowing through the network in real time,
thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network
Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a
single Manager.
Conventions used in this book
This document uses the following typographical conventions:
Convention: Terms that identify fields, buttons, tabs, options, selections, and
commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the
requested service.

Convention: Menu or action group selections are indicated using a right angle
bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, key words, and values that you must type exactly
are denoted using Courier New font.
Example: Type: setup and then press ENTER.
McAfee® Network Security Platform 6.0
Convention: Variable information that you must type based on your specific
situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Caution: Information that you must read before beginning a procedure, or that
alerts you to negative consequences of certain actions, such as loss of data, is
denoted using this notation.

Warning: Information that you must read to prevent injury, accidents from contact
with electricity, or other serious consequences is denoted using this notation.

Note: Notes that provide related, but non-critical, information are denoted using
this notation.
Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick
Tour for more information on these guides.
Quick Tour
Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
M-1250/M-1450 Quick Start Guide
M-2750 Sensor Product Guide
M-2750 Quick Start Guide
M-3050/M-4050 Sensor Product Guide
M-3050/M-4050 Quick Start Guide
M-6050 Sensor Product Guide
M-6050 Quick Start Guide
M-8000 Sensor Product Guide
M-8000 Quick Start Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
10 Gigabit Fail-Open Bypass Kit Guide
M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
M-2750 Slide Rail Assembly Procedure
M-series DC Power Supply Installation Procedure
Administrative Domain Configuration Guide
Manager Server Configuration Guide
CLI Guide
Device Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
Custom Attack Definitions Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
Special Topics Guide—In-line Sensor Deployment
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
NTBA Appliance Administrator's Guide
NTBA Monitoring Guide
NTBA Appliance T-200 Quick Start Guide
NTBA Appliance T-500 Quick Start Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found on the McAfee Contact Information page:
http://www.mcafee.com/us/about/contact/index.html.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
CHAPTER 1
About Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] is a combination of
network appliances and software built for the accurate detection and prevention of
intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks,
and network misuse. Network Security Platform provides comprehensive network intrusion
detection and can block, or prevent, attacks in real time, making it a true intrusion
prevention system (IPS).
Network Security Platform components
Network Security Platform consists of the following major components:
McAfee® Network Security Sensor (Sensor) (on page 1)
McAfee® Network Security Manager (Manager), with its Web-based graphical user interface
McAfee Update Server (on page 6)
About McAfee Network Security Sensor
A McAfee® Network Security Sensor is a content-processing appliance built for accurate
detection and prevention of intrusions, misuse, and distributed denial of service (DDoS)
attacks. McAfee Network Security Sensors (Sensors) are specifically designed to handle
traffic at wire speed, to inspect traffic and detect intrusions with a high degree of
accuracy, and to be flexible enough to adapt to the security needs of any enterprise
environment.
When deployed at key network access points, a Sensor provides real-time traffic
monitoring to detect malicious activity and respond to the malicious activity as configured
by the administrator.
Sensors are configured and managed using McAfee Network Security Manager
(Manager). The process of configuring a Sensor and establishing communication with the
Manager is described in later chapters of this guide. The Manager server is described in
detail in the Getting Started Guide.
Sensor functionality
The primary function of a device is to analyze traffic on selected network segments and to
respond when an attack is detected. The device examines the header and data portion of
every network packet, looking for patterns and behavior in the network traffic that indicate
malicious activity. The device examines packets according to user-configured policies, or
rule sets, which determine what attacks to watch for and how to respond with
countermeasures if an attack is detected.
If an attack is detected, a Sensor responds according to its configured policy. A Sensor can
perform many types of attack responses, including generating alerts and packet logs,
resetting TCP connections, "scrubbing" malicious packets, and even blocking attack
packets entirely before they reach the intended target.
Sensor platforms
Network Security Platform offers several types of Sensor platform, with different
bandwidth capacities and deployment options.
I-series Sensors
Feature                                       | I-4010                                | I-4000    | I-3000                                | I-2700 | I-1400        | I-1200
10/100 Base-T monitoring ports                | Nil                                   | Nil       | Nil                                   | 6      | 4             | 2
10/100/1000 Gigabit Ethernet monitoring ports | 12 (10/100/1000 only with copper SFP) | 4         | 12 (10/100/1000 only with copper SFP) | 2      | Nil           | Nil
RJ-45 Response ports                          | 2                                     | 2         | 2                                     | 3      | 1             | 1
Ports used for failover                       | 6A and 6B                             | 2A and 2B | 6A and 6B                             | 4A     | Response port | Response port
Internal taps                                 | Nil                                   | Nil       | Nil                                   | Yes    | Yes           | Yes
Fail-open control ports                       | 6                                     | 2         | 6                                     | Nil    | Nil           | Nil
10/100 Management port                        | 1                                     | 1         | 1                                     | 1      | 1             | 1
Console port                                  | 1                                     | 1         | 1                                     | 1      | 1             | 1
Auxiliary port                                | 1                                     | 1         | 1                                     | 1      | 1             | 1
Redundant power supply                        | Yes                                   | Yes       | Yes                                   | Yes    | Nil           | Nil
Fail-closed dongles                           | Nil                                   | Nil       | Nil                                   | 6      | 4             | 2
M-series and N-450 Sensors
Feature                        | M-8000                                             | M-6050                   | M-4050                   | M-3050                   | M-2750              | M-1450                             | M-1250                             | N-450
10/100 Base-T monitoring ports | Nil                                                | Nil                      | Nil                      | Nil                      | Nil                 | 8 built-in 10/100/1000 RJ-45 ports | 8 built-in 10/100/1000 RJ-45 ports | Nil
Interface module               | 16 One Gigabit SFP ports, 12 Ten Gigabit XFP ports | 8 SFP ports, 8 XFP ports | 4 XFP ports, 8 SFP ports | 4 XFP ports, 8 SFP ports | 20 SFP ports        | -                                  | -                                  | 20 SFP ports
RJ-45 Response port            | 1                                                  | 1                        | 1                        | 1                        | 1                   | 1                                  | 1                                  | 0
Ports used for failover        | 3A and 3B                                          | 4A (4B remains unused)   | 2A                       | 2A                       | 10A (10B is unused) | 4A (4B is unused)                  | 4A (4B is unused)                  | 10A and 10B
Internal taps                  | Nil                                                | Nil                      | Nil                      | Nil                      | Nil                 | Yes                                | Yes                                | Nil
Fail-open control ports        | 14                                                 | 8                        | 6                        | 6                        | 10                  | Nil                                | Nil                                | 10
Interconnect ports             | 4 Ten Gigabit XFPs, 2 RJ-45 ports                  | Nil                      | Nil                      | Nil                      | Nil                 | Nil                                | Nil                                | Nil
10/100/1000 Management port    | 1                                                  | 1                        | 1                        | 1                        | 1                   | 1                                  | 1                                  | 1
Console port                   | 2                                                  | 1                        | 1                        | 1                        | 1                   | 1                                  | 1                                  | 1
Auxiliary port                 | 2                                                  | 1                        | 1                        | 1                        | 1                   | 1                                  | 1                                  | 1
Redundant power supply         | Yes                                                | Yes                      | Yes                      | Yes                      | Yes                 | Nil                                | Nil                                | Yes
Fail-closed dongles            | Nil                                                | Nil                      | Nil                      | Nil                      | Nil                 | Nil                                | Nil                                | Nil
A "-" in the Interface module row means no interface module is listed for that model; the M-1450 and M-1250 use their built-in RJ-45 monitoring ports.
Each device is described in the corresponding Sensor Product Guide.
Manager components
The Manager is a term that represents the hardware and software resources that are used
to configure and manage the Network Security Platform. The Manager consists of the
following components:
Either of the following hardware/OS server platforms (see Manager server platform on page 4):
Microsoft Windows Server 2003 - SP2, Standard Edition, English or Japanese
Microsoft Windows Server 2008 - R2, Standard Edition, English or Japanese
the Manager software (on page 4)
a back end database (on page 6) to persist data (MySQL version 5.1.47)
a connection to McAfee Update Server (on page 6)
Manager server platform
The Manager server is a dedicated Windows Server 2003 SP2 or Windows Server 2008 R2
system hosting the Manager software. You can remotely access the Network Security
Platform user interface from a Windows XP or Windows 7 system using Internet Explorer
7.0 or 8.0.
Sensors use their built-in Management port (10/100 on I-series Sensors, 10/100/1000 on
M-series Sensors) to communicate with the Manager server. You can connect a Sensor's
Management port directly to the Manager server; however, you can then receive
information from only one Sensor, because your server typically has only one network
port available for this purpose. You establish communication between your Sensor(s) and
the Manager server during Sensor configuration.
Manager software
The Manager software has a Web-based user interface for configuring and managing the
Network Security Platform. Network Security Platform users connect to the Manager
server from a Windows XP or Windows 7 client using Internet Explorer; the Network
Security Platform user interface supports Internet Explorer versions 7.0 and 8.0.
The Manager functions are configured and managed through a GUI application, the
Network Security Platform user interface, which includes complementary interfaces for
system status, system configuration, report generation, and fault management. All of
these interfaces are logically part of the Manager program.
The Manager has five components:
Manager Home. The Manager Home page is the first screen displayed after the user logs
on to the system. It displays Operational Status (that is, whether all components of the
system are functioning properly), the number of unacknowledged alerts in the system,
and the configuration options available to the current user. The options available on the
Manager Home page are determined by the current user's assigned role(s). The Manager
Home page is refreshed every 5 seconds by default.
Operational Status. The Operational Status page displays the status of the Manager, the
database, and any deployed Sensors, including all system faults.
Configure. The Configure page provides all system configuration options, and facilitates
the configuration of your devices - Sensors and NTBA Appliances, failover pairs of
Sensors, administrative domains, users, roles, Network Access Control (NAC), attack
policies and responses, user-created signatures, and system reports. Access to
various activities, such as user management, system configuration, or policy
management is based on the current user's role(s) and privileges.
Threat Analyzer. The Threat Analyzer page displays the hosts detected on your network
as well as the detected security events that violate your configured security policies.
The Threat Analyzer provides powerful drill-down capabilities to enable you to see all
of the details on a particular alert, including its type, source and destination
addresses, and packet logs where applicable.
Reports. You can generate reports for the security events detected by the system and
reports on system configuration. Reports can be generated manually or automatically,
saved for later viewing, and/or e-mailed to specific individuals.
Other key features of Manager include:
Incident Generator: The Incident Generator enables creation of attack incident
conditions, which, when met, provide real-time correlative analysis of attacks. Once
incidents are generated, view them using the Incident Viewer, which is within the Threat
Analyzer.
For more information on Manager components, see the Manager Server Configuration Guide.
Integration with other McAfee products: You can integrate Network Security Platform
with other McAfee products to provide you with a comprehensive network security
solution.
McAfee ePolicy Orchestrator: McAfee ePolicy Orchestrator (ePO) is a scalable
platform for centralized policy management and enforcement of your system
security products, such as anti-virus, desktop firewall, and anti-spyware
applications. You can integrate McAfee Network Security Platform with ePO 4.0.
The integration enables you to query the ePO server from the Manager for viewing
details of a network host.
McAfee Host Intrusion Prevention: McAfee Host Intrusion Prevention (HIP) is a
host-based intrusion prevention system that prevents external and internal attacks on
the hosts in the network, thus protecting services and applications running on them.
Network Security Platform integrates with McAfee Host Intrusion Prevention version
7.0.
McAfee Network Access Control: Using Network Security Sensors, you can enforce
network access control (NAC) based on system health, user identity, or both. For
system-health-based NAC, the Sensors depend on McAfee Network Access
Control (McAfee NAC) for posture assessment. You configure the ePO details at
the admin domain level and then install the trust between a Sensor and the ePO
Server on which McAfee NAC is installed. This enables the Sensor to communicate
with McAfee NAC to get host details and also to notify McAfee NAC about hosts
sending unwanted traffic on the network.
McAfee Vulnerability Manager: Vulnerability assessment is an automated process of
proactively identifying vulnerabilities of computing systems in a network to
determine security threats in the network. Network Security Platform integrates with
McAfee Vulnerability Manager to enable import of the Vulnerability Manager scan
data into the Manager, to provide automated updating of IPS-event data relevancy.
You can also initiate a Vulnerability Manager on-demand scan of a single IP address
or a group of IP addresses directly from the Threat Analyzer console. This provides a
simple way for security administrators to access near real-time updates of host
vulnerability details, and improved focus on critical events.
McAfee Artemis: Network Security Platform integrates with McAfee Artemis
technology, which is an Internet-based service that provides active malware
detection in an Internet cloud. Network Security Sensors use McAfee Artemis to
provide real-time malware detection and protection for users during file downloads
from the Internet. Network Security Platform also provides users the option to
upload Custom Fingerprints that can be used for malware detection.
McAfee Global Threat Intelligence: McAfee Global Threat Intelligence (GTI) is a global
threat correlation engine and intelligence base of global messaging and
communication behavior, including reputation, volume, trends, email, web traffic
and malware. With McAfee Global Threat Intelligence integration, you can
report, filter, and sort hosts involved in attacks based on their network reputation
and the country of the attack origin.
For more information on all the integration options mentioned above, see the Integration Guide.
Integration with third-party products: Network Security Platform enables the use of
multiple third-party products for analyzing faults, alerts, and generated packet logs.
Fault/Alert forwarding and viewing: You have the option to forward all fault
management events and actions, as well as IPS alerts, to a third-party application.
This enables you to integrate with third-party products that provide trouble ticketing,
messaging, or any other response tools you may wish to incorporate. Faults and/or
alerts can be forwarded in the following ways:
- Syslog Server: forward IPS alerts and system faults
- SNMP Server (NMS): forward IPS alerts and system faults
- Java API: forward IPS alerts
- Crystal Reports: view alert data from the database via email, pager, or script
Packet log viewing: view logged packets/flows using third-party software, such as
Ethereal.
Manager database
The Manager server operates with an RDBMS (relational database management system)
for storing persistent configuration information and event data. The compatible database is
MySQL (current version 5.1.47).
The Manager server for Windows (only) includes a MySQL database that can be installed
(embedded) on the target Windows server during Manager software installation.
Your MySQL database can be tuned on-demand or by a set schedule via Manager user
interface configuration. Tuning promotes optimum performance by defragmenting split
tables, re-sorting and updating indexes, computing query optimizer statistics, and checking
and repairing tables.
To graphically administer and view your MySQL database, you can download the
MySQL administrator from the MySQL Web site http://dev.mysql.com/downloads/gui-tools.
McAfee Update Server
For your Network Security Platform to properly detect and protect against malicious
activity, the Manager and Sensors must be frequently updated with the latest signatures
and software patches available. Thus, the Network Security Platform team constantly
researches and develops performance-enhancing software and attack-detecting
signatures that combat the latest in hacking, misuse, and denials of service (DoS). When a
severe-impact attack happens that cannot be detected with the current signatures, a new
signature update is developed and released. Since new vulnerabilities are discovered
regularly, signature updates are released frequently.
New signatures and patches are made available to customers via McAfee® Network
Security Update Server (Update Server). The Update Server is a McAfee owned and
operated file server that houses updated signature and software files for Managers and
Sensors in customer installations. The Update Server securely provides fully automated,
real-time signature updates without requiring any manual intervention.
Note: Communication between the Manager and the Update Server is SSL-secured.
Configuring software and attack signature updates
You configure interaction with the Update Server using the Manager Configure > Update Server
page. You can pull updates from the Update Server on demand or you can schedule
update downloads. With scheduled downloads, the Manager polls the Update Server (over
the Internet) at the desired frequency. If an update has been posted, that update is
registered as “Available” in the Manager interface for on-demand download. Once
downloaded to the Manager, you can immediately download (via an encrypted connection)
the update to deployed Sensors or deploy the update based on a Sensor update schedule
you define. Acceptance of a download is at the discretion of the administrator.
You have a total of five update options:
Automatic update to Manager, manual update from Manager to Sensors. This option enables
Manager server to receive updates automatically, but allows the administrator to
selectively apply the updates to the Sensors.
Manual update to Manager, automatic update from Manager to Sensors. This option enables the
administrator to select updates manually, but once the update is selected, it is applied
to the Sensors automatically, without reboot.
Fully manual update. This option allows the security administrator to determine which
signature update to apply per update, and when to push the update out to the
Sensor(s). You may wish to manually update the system when you make some
configuration change, such as updating a policy or response.
Fully automatic update. This option enables every update to pass directly from the Update
Server to the Manager, and from the Manager to the Sensor(s) without any
intervention by the security administrator. Note that fully automatic updating still
happens according to scheduled intervals.
Real-time update. This option is similar to fully automatic updating. However, rather than
wait for a scheduled interval, the update is pushed directly from Update Server to
Manager to Sensor. No device needs to be rebooted; the Sensor does not stop
monitoring traffic during the update, and the update is active as soon as it is applied to
the Sensor.
CHAPTER 2
About Network Security Central Manager
McAfee® Network Security Platform [formerly McAfee® IntruShield®] provides a centralized,
“manager of managers” capability, named McAfee® Network Security Central Manager.
McAfee Network Security Central Manager (Central Manager) allows users to create a
management hierarchy that centralizes policy creation, management, and distribution
across multiple McAfee® Network Security Managers. For example, a policy can be
created in the Central Manager and synchronized across all McAfee Network Security
Managers (Managers) added to that Central Manager. This avoids manual customization
of policy at every Manager.
The Central Manager provides you with a single sign-on mechanism to manage the
authentication of global users across all Managers. McAfee® Network Security Sensor
configuration and threat analysis tasks are performed at the Manager level.
CHAPTER 3
Preparing for the Manager installation
This section describes the McAfee® Network Security Manager (Manager) hardware and
software requirements and pre-installation tasks you should perform prior to installing the
software.
Unless explicitly stated, the information in this chapter applies to both the McAfee®
Network Security Central Manager and Manager though the sections refer to Manager.
Pre-requisites
The following sections list the Manager installation and functionality requirements for your
operating system, database, and browser.
Caution: We strongly recommend that you also check the corresponding Release
Notes. If you are installing the Manager as part of an upgrade to the latest version of
Network Security Platform, refer to the Network Security Platform 6.0 Upgrade Guide.
General settings
McAfee recommends you use a dedicated server, hardened for security, and placed
on its own subnet. This server should not be used for programs like instant messaging
or other non-secure Internet functions.
You must have Administrator/root privileges on your Windows server to properly install
the Manager software, as well as to install the embedded MySQL database for Windows
Managers during Manager installation.
It is essential that you synchronize the time on the Manager server with the current
time. To keep time from drifting, use a timeserver. If the time is changed on the
Manager server, the Manager will lose connectivity with all McAfee® Network Security
Sensors (Sensors) and the McAfee® Network Security Update Server [formerly IPS
Update Server] because SSL is time sensitive.
If Manager Disaster Recovery (MDR) is configured, ensure that the time difference
between the Primary and Secondary Managers is less than 60 seconds. (If the spread
between the two exceeds two minutes, communication with the Sensors will be lost.)
Tip: For more information about setting up a time server on Windows Server 2003
SP2, see the following Microsoft KnowledgeBase article:
http://support.microsoft.com/kb/816042
Note: Once you have set your server time and installed the Manager, do not change
the time on the Manager server for any reason. Changing the time may result in
errors that could lead to loss of data.
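The following PowerShell script is an added pre-installation check, not part of this guide or of the Manager software: it measures the Manager's offset from a time server with w32tm and the clock spread between an MDR Primary and Secondary via WMI, flagging the 60-second limit above. The time server name, the two host names and the 1-second local offset threshold are placeholders and assumptions, not values from the guide.

```powershell
# Added example (not from the McAfee guide): verify Manager clock health before installing.
# Assumes the Windows Time service (w32tm) is present on the server and that DCOM/WMI
# access to both MDR Managers is allowed. Names and thresholds below are placeholders.
$TimeSource       = 'ntp.example.invalid'   # placeholder: your time server
$PrimaryManager   = 'nsm-primary'           # placeholder: MDR Primary Manager host
$SecondaryManager = 'nsm-secondary'         # placeholder: MDR Secondary Manager host
$MdrLimitSeconds  = 60                      # from the guide: Primary/Secondary spread < 60 s
$LocalLimitSeconds = 1.0                    # assumption: tolerated offset from the time server

# Average offset (seconds) of the local clock from the time server, parsed from w32tm samples.
function Get-NtpOffsetSeconds([string]$Source, [int]$Samples = 3) {
    $lines = & w32tm /stripchart /computer:$Source /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        # data lines look like "12:00:01, +00.0123456s"; error lines carry no offset
        if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples from $Source (w32tm output: $lines)" }
    return ($offsets | Measure-Object -Average).Average
}

# UTC clock of a remote Windows host read through WMI (works on Server 2003/2008 without WinRM).
function Get-RemoteUtcTime([string]$ComputerName) {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $localTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    return $localTime.ToUniversalTime()
}

# 1. This Manager's clock versus the time server
$offset = Get-NtpOffsetSeconds -Source $TimeSource
if ([math]::Abs($offset) -gt $LocalLimitSeconds) {
    Write-Warning ("Manager clock is {0:N3} s from {1}; fix time sync before installing" -f $offset, $TimeSource)
} else {
    Write-Host ("Manager clock is within {0:N3} s of {1}" -f $offset, $TimeSource)
}

# 2. MDR pair: Primary versus Secondary, read back to back so the comparison is fair
$primaryUtc   = Get-RemoteUtcTime -ComputerName $PrimaryManager
$secondaryUtc = Get-RemoteUtcTime -ComputerName $SecondaryManager
$spread = [math]::Abs(($primaryUtc - $secondaryUtc).TotalSeconds)
if ($spread -ge $MdrLimitSeconds) {
    Write-Warning ("MDR clock spread is {0:N1} s (limit {1} s); past two minutes Sensor communication is lost" -f $spread, $MdrLimitSeconds)
} else {
    Write-Host ("MDR clock spread of {0:N1} s is within the {1} s limit" -f $spread, $MdrLimitSeconds)
}
```

Run it from an elevated PowerShell prompt on the Manager server before installation and again after any MDR change; a warning from either check means the time source must be corrected first.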
Other third-party applications
Install a packet log viewing program to be used in conjunction with the Threat Analyzer
interface. Your packet log viewer, also known as a protocol analyzer, must support library
packet capture (libpcap) format. This viewing program must be installed on each client you
intend to use to remotely log onto the Manager to view packet logs.
Wireshark (formerly known as Ethereal) is recommended for packet log viewing. Wireshark is a
network protocol analyzer for Windows servers that enables you to examine the data
captured by your Sensors. For information on downloading and using Ethereal, go to
http://www.wireshark.org.
Browser display settings (Windows)
The Manager is viewed via a client browser. Only Windows XP SP2 and Windows 7
clients are supported using Internet Explorer 7.0 or 8.0.
Set your display to 32-bit or higher by selecting Start > Settings > Control Panel > Display >
Settings, and configuring the “Colors” field to True Color (32bit).
McAfee recommends setting your monitor’s “Screen Area” to 1024 x 768 pixels. This can
be done by changing the display settings at Start > Settings > Control Panel > Display > Settings.
When working with the Manager using Internet Explorer, your browser should check
for newer versions of stored pages. By default, Internet Explorer is set to automatically
check for newer stored page versions. To check this function, open your IE browser
and go to
Tools > Internet Options > General, click the Settings button under “Temporary
Internet files,” and under “Check for newer versions of stored pages:” select any of the
four choices except for Never. Selecting Never will cache Manager interface pages that
require frequent updating, and not refreshing these pages may lead to system errors.
Server requirements
The following are the system requirements for a Manager server running with a MySQL
database.
Component: OS
  Minimum: any one of the following:
    Windows Server 2003 Standard Edition, SP2 (32 or 64 bit), English OS
    Windows Server 2008 R2 Standard Edition (64 bit), English OS
    Windows Server 2003 R2 (Standard Edition), Japanese OS (32 or 64 bit)
    Windows Server 2008 R2 (Standard Edition), Japanese OS (64 bit)
    Note: For 64-bit, only X64 architecture is supported.
  Recommended: Windows Server 2008 R2 Standard Edition, English or Japanese OS (64 bit)
Component: Memory
  Minimum: 2GB or higher for 32-bit; 4GB or higher for 64-bit
  Recommended: 4GB
Component: CPU
  Minimum: Server model processor such as Intel Xeon
  Recommended: Same
Component: Disk space
  Minimum: 40GB
  Recommended: 80GB disk with 8MB memory cache
Component: Network
  Minimum: 100Mbps card
  Recommended: 10/100/1000Mbps card
Component: Monitor
  Minimum: 32-bit color, 1024 x 768 display setting
  Recommended: 1280 x 1024
Hosting the Manager on a VMware platform
The following are the system requirements for hosting the Manager server on a VMware
platform.
Component: OS
  Minimum: any one of the following:
    Windows Server 2003 Standard Edition, SP2 (32 or 64 bit), English OS
    Windows Server 2008 R2 Standard Edition (64 bit), English OS
    Windows Server 2003 R2 (Standard Edition), Japanese OS (32 or 64 bit)
    Windows Server 2008 R2 (Standard Edition), Japanese OS (64 bit)
    Note: For 64-bit, only X64 architecture is supported.
  Recommended: Same as the minimum requirement
Component: Memory
  Minimum: 2GB
  Recommended: 2GB or higher
Component: Virtual CPUs
  Minimum: 2
  Recommended: 2 or more
Component: Disk Space
  Minimum: 40GB
  Recommended: 80GB
The following are the system requirements for hosting the Manager server on a VMware
platform such as the Dell PowerEdge 1950.
Component: Virtualization software
  Minimum: VMware ESX Server Version 3.5.0 Update 3 Build 123630
Component: Virtual Infrastructure Client
  Minimum: Version 2.5.0 Build 19826
Component: CPU
  Minimum: Intel Xeon® CPU ES 5335 @ 2.00GHz; Physical Processors: 2; Logical
  Processors: 8; Processor Speed: 2.00GHz
Component: Memory
  Minimum: Physical Memory: 16GB
Component: Internal Disks
  Minimum: 364.25 GB
Manager installation with Local Service account privileges
The Manager installs the following services as a Local Service:
McAfee Network Security Manager
McAfee Network Security Manager Database
McAfee Network Security Manager User Interface (Apache)
Note: McAfee Network Security Manager Watchdog runs as Local System to
facilitate restart of the Manager in case of abrupt shutdown.
The Local Service account has fewer privileges for accessing directories and resources than
Local System. By default, the Manager installation directory and database directory are
granted full permission for the Local Service account during installation or upgrade of the
Manager.
Grant permissions to Local Service as needed in the following scenarios:
Backup directory location: If the backup directory was different from the Network
Security Manager installation directory before upgrade to the current release, grant
Local Service full permission on that directory.
Notification script execution: If a user uses a script for notifications (alerts, faults, etc.)
that accesses directories or resources located outside the Network Security Manager
installation directories, grant Local Service full permission on those directories.
Database configuration: If a user has configured the MySQL database to use a
directory for temporary files other than the one provided during installation, grant
Local Service full permission on those directories.
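The following PowerShell script is an added example, not part of this guide or of the Manager installer: it confirms that the Manager services run under the accounts listed above, then reports (and with -Fix grants) Full Control for Local Service on the three kinds of directory just described. The directory paths are placeholders, and matching services by the display-name prefix "McAfee Network Security Manager" is an assumption drawn from the names the guide lists.

```powershell
# Added example (not from the McAfee guide): audit the Local Service permissions the
# guide calls for. Run without -Fix to report only; -Fix grants the missing rights.
param([switch]$Fix)

$LocalService = 'NT AUTHORITY\LOCAL SERVICE'
$Directories  = @(
    'D:\NSM-Backups',   # placeholder: backup directory outside the Manager install directory
    'D:\NSM-Scripts',   # placeholder: resources used by alert/fault notification scripts
    'D:\MySQLTemp'      # placeholder: MySQL temporary-file directory changed after install
)

# Confirm the Manager services run as Local Service and only the Watchdog as Local System.
function Test-ManagerServiceAccounts {
    $ok = $true
    # assumption: service display names start with the prefix used in the guide
    $services = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -like 'McAfee Network Security Manager*' }
    foreach ($svc in $services) {
        $expected = if ($svc.DisplayName -like '*Watchdog*') { 'LocalSystem' }
                    else { 'NT AUTHORITY\LocalService' }
        if ($svc.StartName -ne $expected) {
            Write-Warning ("{0} runs as '{1}', expected '{2}'" -f $svc.DisplayName, $svc.StartName, $expected)
            $ok = $false
        } else {
            Write-Host ("{0}: {1} (as expected)" -f $svc.DisplayName, $svc.StartName)
        }
    }
    return $ok
}

# True when the directory ACL already holds an Allow FullControl entry for Local Service.
function Test-LocalServiceFullControl([string]$Path) {
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $LocalService -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

# Grant Full Control to Local Service only, inherited by subfolders (OI) and files (CI).
function Grant-LocalServiceFullControl([string]$Path) {
    & icacls $Path /grant "${LocalService}:(OI)(CI)F" | Out-Null
}

$null = Test-ManagerServiceAccounts
foreach ($dir in $Directories) {
    if (-not (Test-Path -Path $dir -PathType Container)) { Write-Warning "${dir} does not exist; skipping"; continue }
    if (Test-LocalServiceFullControl -Path $dir) { Write-Host "${dir}: Local Service already has Full Control"; continue }
    if ($Fix) { Grant-LocalServiceFullControl -Path $dir; Write-Host "${dir}: granted Full Control to Local Service" }
    else      { Write-Warning "${dir}: Local Service lacks Full Control (run with -Fix to grant)" }
}
```

Because the script grants rights to Local Service alone rather than widening the ACL for Everyone or Users, it preserves the reduced-privilege posture the section describes.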
Client requirements
The following are the system requirements for client systems connecting to the Manager
application.
Component: OS
  Minimum: any one of the following:
    Windows XP (Standard Edition) SP2
    Windows 7
Component: Memory
  Minimum: 1GB. Recommended is 2GB.
Component: Browser
  Minimum: Internet Explorer (IE) 7.0 or 8.0 (only 32 bit IE is supported)
Component: Monitor
  Minimum: 32-bit color, 1024x768 display
Java runtime engine requirements
When you first log onto the Manager, a version of JRE is automatically installed on the
client machine (if it is not already installed). This version of the JRE software is required for
operation of various components within Manager including the Threat Analyzer and the
Custom Attack Editor.