McAfee M-1250 - Network Security Platform User manual

Category
General utility software
Type
User manual

This manual is also suitable for

Special Topics GuideIn-line Sensor Deployment
revision 1.0
McAfee®
Network Protection
Industry-leading network security solutions
McAfee® Network Security Platform
Network Security Sensor
version 6.0
COPYRIGHT
Copyright ® 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (greg[email protected]), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
700-2381-00/ 1.0 - English
Issued DECEMBER 2009 / Special Topics GuideIn-line Sensor Deployment
Contents
Preface ........................................................................................................... v
Introducing McAfee Network Security Platform............................................................................. v
About this Guide............................................................................................................................ v
Conventions used in this guide ..................................................................................................... v
Related Documentation.................................................................................................................vi
Contacting Technical Support......................................................................................................vii
Chapter 1 What is inline mode?................................................................... 1
Benefits of running inline...............................................................................................................1
Chapter 2 Inline deployment walkthrough ................................................. 3
Chapter 3 Determine your high availability strategy................................. 4
Failover, or High-Availability..........................................................................................................4
Fail-open or fail-closed functionality..............................................................................................5
Chapter 4 Install and cable the Sensor....................................................... 6
Cable the Fast Ethernet monitoring ports...................................................................................... 7
Cable the Gigabit Ethernet monitoring ports................................................................................. 7
Cable a failover pair ......................................................................................................................7
Configure the Sensor monitoring ports.......................................................................................... 8
About Sensor port configuration.............................................................................................8
Chapter 5 Failover: configure two Sensors in inline mode .................... 11
Create a Failover Pair .................................................................................................................11
Download configuration, signature set, and software updates to the Sensor......................12
Chapter 6 Configure policies..................................................................... 13
Tune your policies.......................................................................................................................13
About false positives and "noise"................................................................................................14
Incorrect identification..........................................................................................................14
Correct identification; significance subject to usage policy..................................................14
Correct identification; significance subject to user sensitivity (also known as noise)...........14
Chapter 7 Block attacks ............................................................................. 16
Methods for blocking attacks....................................................................................................... 16
Block exploit traffic ......................................................................................................................16
How blocking works for exploit traffic...................................................................................17
Verify dropped exploit attacks using the Threat Analyzer....................................................17
Block DoS traffic.......................................................................................................................... 17
How blocking works for DoS traffic ......................................................................................18
Verify blocked DoS attacks using the Threat Analyzer........................................................18
Drop DoS Attacks from the Threat Analyzer........................................................................18
Block using ACLs........................................................................................................................18
Utilize traffic normalization ..........................................................................................................19
Blocking based on configured TCP & IP Settings.......................................................................20
Blocking of IP-spoofed packets...................................................................................................20
Chapter 8 Troubleshooting........................................................................ 21
iii
Verify that traffic is flowing through the Sensor...........................................................................21
Verify failover pair creation success............................................................................................ 21
show.....................................................................................................................................21
status....................................................................................................................................21
show failover-status .............................................................................................................22
downloadstatus ....................................................................................................................22
Index............................................................................................................. 23
iv
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as, the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee
®
Network Security Platform [formerly McAfee
®
IntruShield
®
] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion
Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical
enterprise, carrier, and service provider networks, while providing unmatched protection
against spyware and known, zero-day, and encrypted attacks.
McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring
network traffic by analyzing NetFlow information flowing through the network in real time,
thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network
Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a
single Manager.
About this Guide
This guide describes the process of deploying Network Security Sensors (Sensors) in inline
mode
. The information in this guide details best practices for inline mode configuration,
information on attack blocking, and inline troubleshooting options.
This guide assumes that the reader has a working understanding of McAfee Network
Security Platform products, including McAfee Network Security Manager (nsm) and
McAfee Network Security Sensors (Sensors).
Conventions used in this guide
This document uses the following typographical conventions:
Convention Example
Terms that identify fields, buttons,
tabs, options, selections, and
commands on the User Interface
(UI) are shown in
Arial Narrow bold
font.
The
Service field on the Properties tab specifies the
name of the requested service.
Menu or action group selections
are indicated using a right angle
bracket.
Select My Company > Admin Domain > Summary.
v
McAfee® Network Security Platform 6.0
Preface
Convention Example
Procedures are presented as a
series of numbered steps.
1. On the Configuration tab, click Backup.
Names of keys on the keyboard
are denoted using UPPER CASE.
Press ENTER.
Text such as syntax, key words,
and values that you must type
exactly are denoted using
Courier New
font.
Type:
setup and then press ENTER.
Variable information that you must
type based on your specific
situation or environment is shown
in
italics.
Type: S
ensor-IP-address and then press
ENTER.
Parameters that you must supply
are shown enclosed in angle
brackets.
set Sensor ip <A.B.C.D>
Information that you must read
before beginning a procedure or
that alerts you to negative
consequences of certain actions,
such as loss of data is denoted
using this notation.
Caution:
Information that you must read to
prevent injury, accidents from
contact with electricity, or other
serious consequences is denoted
using this notation.
Warning:
Notes that provide related, but
non-critical, information are
denoted using this notation.
Note:
Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick
Tour for more information on these guides
Quick Tour
Installation Guide
Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
vi
McAfee® Network Security Platform 6.0
Preface
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
M-1250/M-1450 Quick Start Guide
M-2750 Sensor Product Guide
M-2750 Quick Start Guide
M-3050/M-4050 Sensor Product Guide
M-3050/M-4050 Quick Start Guide
M-6050 Sensor Product Guide
M-6050 Quick Start Guide
M-8000 Sensor Product Guide
M-8000 Quick Start Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
10 Gigabit Fail-Open Bypass Kit Guide
M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
M-2750 Slide Rail Assembly Procedure
M-series DC Power Supply Installation Procedure
Administrative Domain Configuration Guide
Manager Server Configuration Guide
CLI Guide
Device Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
Custom Attack Definitions Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
NTBA Appliance Administrator's Guide
NTBA Monitoring Guide
NTBA Appliance T-200 Quick Start Guide
NTBA Appliance T-500 Quick Start Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
vii
McAfee® Network Security Platform 6.0
Preface
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found at McAfee
Contact Information
http://www.mcafee.com/us/about/contact/index.html page.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
viii
C HAPTER 1
What is inline mode?
Inline monitoring mode provides prevention of attacks by enabling Security Administrators
to select the types of attacks/traffic to drop, thus preventing the negative end-system
impact common with today's network attacks. Inline mode is achieved when Network
Security Sensor is placed directly in the path of a network segment, becoming,
essentially, a “bump in the wire,” with packets flowing through Sensor. In this mode, the
Sensor inspects all traffic at wire-speed and can prevent network attacks by dropping
malicious traffic in real time—the Sensor actually ends the attacking transmission before it
can reach and impact the target. Preventative actions can operate at a highly granular
level, including the automated dropping of DoS traffic intended for a specific host.
When operating in inline mode, network segments are connected to two wire-matched
Sensor ports (For example: peer ports 1A and 1B), and packets are examined in real time
as they pass through the Sensor. In this mode, a packet comes in through the first
interface of the pair of the Sensor and out the second interface of the pair. The packet is
sent to the second interface of the pair unless that packet is being denied or modified by a
signature.
As of release 2.1.7, Sensor ports are configured by default for monitoring in inline mode;
that is, connected inline on a network segment (For example: between a switch and a
router or two switches). A Sensor with 2.1.7 or later software will initially come online with
its peer ports configured in pairs and in inline mode.
Note: This change will not override user-configured settings. Deployed Sensors
upgraded to 2.1.7 or later and will retain their user-configured settings.
Benefits of running inline
The benefits to using Sensors in inline mode are:
Protection/Prevention. Prevention is a feature unique to inline mode. When running inline,
a Sensor can drop malicious packets and not pass them through the network. This
acts sort of like an “adaptive firewall,” with your detection policy dictating what is
dropped. Furthermore, when dropping packets, Network Security Platform is very
precise and granular. The Sensor can drop only those packets it identifies as
malicious or all of the packets related to that flow (a choice that is user configurable).
Packet “scrubbing.” In addition to dropping malicious traffic, Network Security Platform
can
scrub—or normalize—traffic to take out any ambiguities in protocols that the
attacker may be using to try to evade detection. Current IDS products are susceptible
to these techniques, and an example of this attempt is IP fragment and TCP segment
overlaps. The Sensor can reassemble the IP fragments and TCP segments and
enforce a reassembly mode of the user’s choice to accept either the old or the new
data.
Processing at wire-speed. Sensors are able to process packets at wire rates.
1
McAfee® Network Security Platform 6.0
What is inline mode?
In inline mode, the Sensor logically acts as a transparent repeater with minimal
latency for packet processing. Unlike bridges, routers, or switches, the Sensor does
not need to learn MAC addresses or keep an ARP cache or a routing table.
2
C HAPTER 2
Inline deployment walkthrough
Deploying your Sensor inline consists of the following steps:
1 Determine the optimal high availability strategy for the Sensor. This indicates how you
would like the Sensor to behave when it fails (i.e., fail-open, fail-closed, or support a
failover/high-availability configuration).
2 Physically install the Sensor on your network, and cable the Sensor for the
deployment mode of your choice. For example, cable one Sensor standalone (to fail-
open, if applicable, or configure two Sensors as part of a failover pair).
3 Configure the Sensor monitoring ports.
4 Configure one or more policies for the inline ports.
5 Understand how blocking works, and configure blocking.
Note: You must use McAfee
®
Network Security Manager (Manager) to configure
most aspects of your Sensor(s), including port configuration, pairing two Sensors for
failover operation, and configuring and applying policies to detect and drop
malicious traffic.
3
C HAPTER 3
Determine your high availability strategy
Before you move your McAfee
®
Network Security Sensor (Sensor) inline, consider the
impact of a Sensor outage and its effect on your network. In inline mode, the Sensor does
become a single point of failure. McAfee
®
Network Security Platform provides a variety of
options to minimize network downtime in the event of Sensor failure. For example,
Sensors support complete stateful failover, delivering the industry's first true high-
availability IPS deployment, similar to what you’d find with firewalls. If you’re running the
Sensor in inline mode, McAfee recommends that you deploy two Sensors redundantly for
failover protection.
The following deployment options are available:
Failover, or High-Availability.
Fail-open or fail-closed functionality.
Fail-open with external hardware.
Fail-open with the Layer 2 Passthru (L2) feature
Failover, or High-Availability
Where redundancy is an essential requirement, it is best practice to implement Network
Security Platform 'high-availability' configuration. When running Sensors inline, this option
is available to an identical pair of Sensors (same model, software image, signature set)
deployed redundantly in inline mode. Both Sensors in the pair are active and share full
state, so that the information on both Sensors is always current. Latency is very minimal;
than other devices providing failover, such as, firewalls.
The keys to the Network Security Platform failover architecture are as follows:
Sensors configured for failover confirm a “heartbeat” once each second.
Sensors configured for failover share flow information in real time.
Sensors are invisible at Layer 2 and above; the monitoring ports do not have MAC
addresses.
As a result, you do not have to worry about Layer 2 and 3 topology changes when you
introduce Network Security Platform failover into the environment, and in the unlikely event
of a Sensor failure, failover is instantaneous and connection state is maintained.
All Sensor models support failover.
This subject is discussed in detail in the document
Special Topics Guide—Sensor High
Availability
.
4
McAfee® Network Security Platform 6.0
Determine your high availability strategy
Fail-open or fail-closed functionality
Sensor ports deployed in inline mode have the option of failing open or closed. Similar in
terminology to firewall operation, ports failing open allow traffic to continue to flow. Thus,
even if the ports fail, your Sensor does not become a bottleneck. However, monitoring
ceases, allowing all traffic to continue to flow through the network, which can allow attacks
to impact systems in your network. When ports are configured to fail-closed, the Sensor
does not allow traffic to continue to flow, thus the failed ports become a bottleneck,
stopping all traffic at the Sensor.
Note: There are security consequences when the Sensor is in bypass mode. When
bypass mode is on, the traffic bypasses the Sensor and is not inspected; therefore,
the Sensor cannot prevent malicious attacks.
There are two fail-open options available:
Fail-open with external hardware
Inline fail-open mode, available for both 10/100 and GE links, guarantees that data will be
forwarded over a monitored link in the event that the Sensor's processes are temporarily
stopped for upgrades or when the Sensor fails. This guarantee is delivered for 10/100 port
pairs using an internal mechanical tap that connects the monitoring ports when hardware
failure is detected. The 10/100 configurations is a choice made per port pair. The Gigabit
fail-open implementation involves the use of the external Gigabit Fail-Open Kit, which
includes a Bypass Switch.
Caution 1: Note that Sensor outage breaks the link connecting the devices on
either side of the Sensor and requires the renegotiation of the network link
between the two peer devices connected to the Sensor.
Caution 2: Depending on the network equipment, this disruption introduced by
the renegotiation of the link layer between the two peer devices may range from
a couple of seconds to more than a minute with certain vendors’ devices.
Caution 3: A very brief link disruption may also occur while the links between
the Sensor and each of the peer devices are renegotiated to place the Sensor
back in inline mode. This outage, again, varies depending on the device, and
can range from a few seconds to more than a minute.
Fail-open with the Layer 2 Passthru (L2) feature
Layer 2 Passthru is also known as “software fail-open.” The L2 feature, when triggered,
causes traffic to flow through the Sensor without being copied to the detection engine.
Note: The Layer 2 Passthru option is provided specifically to handle internal
Sensor errors; it is not provided as an alternative to other HA options, such as
the Fail-Open kit.
5
C HAPTER 4
Install and cable the Sensor
Each McAfee
®
Network Security Sensor (Sensor) model are shipped with documentation
on how to set up the Sensor and configure it to communicate with the McAfee
®
Network
Security Manager Manager. This documentation consists of model-specific Product
Guides and Quick Start Guides and a model-generic Sensor Configuration Guide. These
documents provide detailed installation, configuration and cabling instructions for your
Sensor.
You may need special equipment depending on your deployment strategy. Certain Sensor
models have Fast Ethernet (FE) ports. Each FE port requires a Network Security Platform
dongles for In-line Fail-closed mode. Dongles are included with FE-port Sensors. Gigabit
Ethernet (GE) port Sensors require the optional Gigabit Fail-Open Bypass Kit (Optical
Single-mode, Optical Multimode, or Copper), sold separately, for In-line Fail-Open mode.
The following table shows the monitoring port types for each Network Security Sensor
model.
Sensor Monitoring port
type
Fail-open behavior
I-4010 GE ports Fail-closed; require external Fail-Open Kit
I-4000 GE ports Fail-closed; require external Fail-Open Kit
I-3000 GE ports Fail-closed; require external Fail-Open Kit
I-2700 FE ports
GE ports
Fail-open; require no extra hardware
Fail-closed; require external Fail-Open Kit
I-1400 FE ports Fail-open; require no extra hardware
I-1200 FE ports Fail-open; require no extra hardware
Sensor Monitoring port
type
Fail-open behavior
M-8000 GE ports Fail-closed; require external Fail-Open Kit
M-6050 GE ports Fail-closed; require external Fail-Open Kit
M-4050 GE ports Fail-closed; require external Fail-Open Kit
M-3050 GE ports Fail-closed; require external Fail-Open Kit
M-2750 GE ports Fail-closed; require external Fail-Open Kit
M-1450 GE ports Fail-closed and Fail-Open built-in
M-1250 GE ports Fail-closed and Fail-Open built-in
N-450 GE ports Fail-closed; require external Fail-Open Kit
6
McAfee® Network Security Platform 6.0
Install and cable the Sensor
Cable the Fast Ethernet monitoring ports
The FE ports available on some Sensor models fail-open and require no extra hardware;
simply connect your cables to a port pair (For example: 1A-1B).
Fail-closed mode for FE ports requires use of the fail-closed dongles on each connecting
cable of the port pair. The fail-closed dongles provided with the Sensor are designed to
complement 10/100 monitoring port functionality. You plug the dongles into a Sensor’s
10/100 monitoring port, and then connect a Cat 5/Cat 5e cable to the dongles.
Cable the Gigabit Ethernet monitoring ports
Fail-Open mode for Gigabit Ethernet (GE) ports requires use of the external Gigabit Fail-
open Kit. This kit includes a Gigabit Bypass Switch and an adaptor that connects the
switch to the Sensor.
Note: Fail-closed mode for GE ports requires no extra hardware; simply connect
your fiber cables to the GE port pair (For example: 1A-1B).
For information on how to cable the Sensor with a Gigabit Fail-Open Kit, see the
documentation that accompanies the kit. For example, the Gigabit Copper Kit includes the
Gigabit Copper Fail-Open Kit Guide.
Cable a failover pair
Failover requires connecting the paired Sensors via an interconnection cable or cables.
Communication between paired Sensors maintains the failover heartbeat and state
information.
There is no standard heartbeat port across all the Sensor models. The port or ports you
use to connect the two Sensors depends on the Sensor model. The Sensor models and
their failover interconnection ports are described below.
Sensor Failover port
I-4010 HA1 and HA2 (6A and 6B)
I-4000 2A and 2B
I-3000 HA1 and HA2 (6A and 6B)
I-2700 4A
I-1400 Response port 1 (R1)
I-1200 Response port 1 (R1)
7
McAfee® Network Security Platform 6.0
Install and cable the Sensor
Sensor Failover port
M-8000 HA1 and HA2 (3A and 3B)
M-6050 HA1 (4A). Note that HA2 (4B)
remains unused
M-4050 2A
M-3050 2A
M-2750 10A
M-1450 4A
M-1250 4A
N-450 10A and 10B
The following is a quick summary of the rules for cabling:
Cabling for the heartbeat connection must be direct; you may not cable the heartbeat
through another network device, such as a switch.
When 2 ports are used on each Sensor for the heartbeat connection, always cable
between identical port names. For example, port 2A on Sensor 1 must be cabled to
port 2A on Sensor 2 (not 2B).
Configure the Sensor monitoring ports
Once you have installed and cabled the Sensor(s), you must configure the Sensor’s ports.
The following list summarizes the port configuration requirements:
The port configuration must match the Sensor cabling; for example, if you cable the
port with no Fail-Open Kit, the port must be configured as In-line, Fail-closed, not Fail-
open.
The ports must be set to “In-line,” AND to “Fail-open” or “Fail-closed” as appropriate
The ports must be enabled.
About Sensor port configuration
Before you configure the Sensor ports, you must have installed the Sensor and added to
the Manager interface as described in the
Sensor Configuration Guide.
Configure inline mode for a single Sensor
This section contains recommendations for deploying a single Network Security Sensor in
inline mode.
Note: Configuration for a fail-open kit is described in the fail-open kit documentation.
For example, to configure the Sensor to work with the copper fail-open kit, see the
Gigabit Copper Fail-Open Bypass Kit Guide.
To view/configure the settings of your monitoring ports, do the following:
8
McAfee® Network Security Platform 6.0
Install and cable the Sensor
1 In the Manager interface, select / My Company / Device List / Sensor_Name > Physical Device >
Port Settings
.
2 Click a numbered port (For example: 4A) from
Monitoring Ports. View Monitoring Port
window displays current port settings.
Figure 1: Verifying Ports and Bypass Switch Status for GE In-line Fail-Open Mode
3 Set the Administrative Status to Disable (off).
4 Select the Port
Speed.
5 Do one of the following:
For inline fail-closed operation, select
In-line Fail-closed (Port Pair) as the Operating Mode.
For inline fail-open operation, select
In-line Fail-open (Port Pair) as the Operating Mode.
C
onfirm (Yes) that you have already connected the bypass switch and controller or
control cable
Figure 2: GE Interface Optical Bypass Switch connection confirmation
9
McAfee® Network Security Platform 6.0
Install and cable the Sensor
6 Select the area of your network to which the current port is connected: Inside (traffic
initiating internally, destined for the external network) or
Outside (traffic initiating
externally, destined for the internal network).
7 Set the
Administrative Status to Enable (on).
8 Click
OK.
9 Click
Commit Changes.
10 Repeat for any other ports you need to configure.
11 Download the changes to your Sensor as described in
Download configuration,
signature set, and software updates to the Sensor.
(on page 12)
10
C HAPTER 5
Failover: configure two Sensors in inline mode
In a failover configuration, the two Sensors are placed inline, connected to each other via
cables, and configured to act as a
Failover Pair. All traffic is copied and shared between
them in order to maintain state. Sensor A copies the packets received on its monitoring
ports to Sensor B using the interconnection ports and vice versa. Since both Sensors see
all traffic and build state based on it, their state information is synchronized at all times.
All packets are seen by both Sensors (when both are operational); however, only one
Sensor in the pair raises an alert whenever an attack is detected.
When deploying the two Sensors in failover mode, you must ensure the following:
The Sensor interconnection ports must be cabled appropriately so the two Sensors
can communicate.
Both Sensors must be of the identical model type, and have the same signature set
and software loaded. (One of the two Sensors may be a “Fail-over (FO)” Sensor
model, which is a fully functional Sensor limited to operation as part of a failover pair;
it cannot operate standalone.)
Additionally, all ports on both the Sensors must be configured to run in inline mode.
Note: The exceptions are the ports that will be used for the heartbeat. For example,
on the I-2700, you do not need to explicitly configure ports 4A/4B to run in inline
mode because 4A will be automatically configured for the heartbeat and 4B will be
disabled when the failover pair is created.
Create a Failover Pair
You can create a Failover Pair using McAfee
®
Network Security Manager (Manager)
System Configuration tool. Failover Pair creation happens in real time; there is no need to
explicitly update the configuration.
Note 1: By design, the configuration of the primary Sensor is copied to the
secondary Sensor, overwriting the original configuration on the secondary. If you
intend to configure both Sensors to fail-closed or fail open, you need only configure
the ports on the Sensor you intend to designate as the primary during the Failover
Pair creation.
Note 2: If you intend to have one Sensor fail-closed and the other fail open,
however, you must revisit the Port Configuration page of each Sensor after Failover
Pair creation and make the appropriate changes.
11
McAfee® Network Security Platform 6.0
Failover: configure two Sensors in inline mode
1 Click / My Company / Device List > Device List > Failover Pairs.
2 Click
New. The Add a Failover Pair dialog opens.
3 Select the Sensor
Model type. Both Sensors in a failover pair must be the same model.
4 Type a failover pair
Name that will uniquely identify the grouping.
5 Select the Primary Sensor Template Device from the drop-down menu.
6 Select the Secondary Sensor
Peer Device from the drop-down menu.
7 Click
Create. Upon saving, a message informs you that the failover pair creation will
take a few moments.
8 Click
OK. The new failover pair appears as a child node of the Sensors node under
which it was created. That node contains icons for each interface taking part in the
failover process. Also within the Failover Pair node is a list of its member Sensors.
Most configuration options are hereafter done at the Failover Pair node level. For example,
you can now apply a policy, update the configuration, or even create an ACL rule at the
Failover Pair node level and it will automatically propagate to each of the member
Sensors. On the other hand, you still configure the port settings, view interface statistics,
and upgrade the Sensor software at the Sensor node level. The easiest way to get a feel
for the Failover Pair configuration process is to examine the user interface once the Pair
has been created.
Note: The Sensors must be running the same software version to run in a failover
configuration. However, you upgrade software at a Sensor level, even those that are
part of a Failover Pair. The recommended upgrade procedure is to therefore
upgrade the software version on both Sensors, and then reboot them sequentially.
That is, once the upgrade process is complete on both, reboot (for example) the
secondary, confirm that it has rebooted without error, and reboot the primary.
Download configuration, signature set, and software updates
to the Sensor
After configuring your ports for inline mode, setting the TCP/IP parameters, and
customizing and applying policy, you will need to download this configuration to the Sensor
in order for all of your changes to be active. This process is described in detail in the
section
Updating the Configuration of a Sensor in the Sensor Configuration Guide.
Configuration changes, including port configuration, policy, and signature set updates:
/ My Company / Device List / Sensor_Name> Physical Device > Configuration Update
Software updates only: / My Company / Device List / Sensor_Name > Physical Device > Software
Upgrade
12
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32

McAfee M-1250 - Network Security Platform User manual

Category
General utility software
Type
User manual
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI