McAfee Network Security Platform User manual

Brand: McAfee

Model: Network Security Platform

Category: General utility software

Type: User manual

This manual is also suitable for

M-1250 - Network Security Platform

Special Topics Guide—In-line Sensor Deployment

revision 1.0

McAfee®

Network Protection

Industry-leading network security solutions

McAfee® Network Security Platform

Network Security Sensor

version 6.0

any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),

ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION

THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),

NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,

VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or

its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks

herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH

THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,

PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING

OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE

FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL

THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by

Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses

which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for

any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such

software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software

program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by

Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at

California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/). * Software

contributed to Berkeley by Chris Torek.

700-2381-00/ 1.0 - English

Issued DECEMBER 2009 / Special Topics Guide—In-line Sensor Deployment

Contents

Preface ........................................................................................................... v

Introducing McAfee Network Security Platform............................................................................. v

About this Guide............................................................................................................................ v

Conventions used in this guide ..................................................................................................... v

Related Documentation.................................................................................................................vi

Contacting Technical Support......................................................................................................vii

Chapter 1 What is inline mode?................................................................... 1

Benefits of running inline...............................................................................................................1

Chapter 2 Inline deployment walkthrough ................................................. 3

Chapter 3 Determine your high availability strategy................................. 4

Failover, or High-Availability..........................................................................................................4

Fail-open or fail-closed functionality..............................................................................................5

Chapter 4 Install and cable the Sensor....................................................... 6

Cable the Fast Ethernet monitoring ports...................................................................................... 7

Cable the Gigabit Ethernet monitoring ports................................................................................. 7

Cable a failover pair ......................................................................................................................7

Configure the Sensor monitoring ports.......................................................................................... 8

About Sensor port configuration.............................................................................................8

Chapter 5 Failover: configure two Sensors in inline mode .................... 11

Create a Failover Pair .................................................................................................................11

Download configuration, signature set, and software updates to the Sensor......................12

Chapter 6 Configure policies..................................................................... 13

Tune your policies.......................................................................................................................13

About false positives and "noise"................................................................................................14

Incorrect identification..........................................................................................................14

Correct identification; significance subject to usage policy..................................................14

Correct identification; significance subject to user sensitivity (also known as noise)...........14

Chapter 7 Block attacks ............................................................................. 16

Methods for blocking attacks....................................................................................................... 16

Block exploit traffic ......................................................................................................................16

How blocking works for exploit traffic...................................................................................17

Verify dropped exploit attacks using the Threat Analyzer....................................................17

Block DoS traffic.......................................................................................................................... 17

How blocking works for DoS traffic ......................................................................................18

Verify blocked DoS attacks using the Threat Analyzer........................................................18

Drop DoS Attacks from the Threat Analyzer........................................................................18

Block using ACLs........................................................................................................................18

Utilize traffic normalization ..........................................................................................................19

Blocking based on configured TCP & IP Settings.......................................................................20

Blocking of IP-spoofed packets...................................................................................................20

Chapter 8 Troubleshooting........................................................................ 21

iii

Verify that traffic is flowing through the Sensor...........................................................................21

Verify failover pair creation success............................................................................................ 21

show.....................................................................................................................................21

status....................................................................................................................................21

show failover-status .............................................................................................................22

downloadstatus ....................................................................................................................22

Index............................................................................................................. 23

Preface

This preface provides a brief introduction to the product, discusses the information in this

document, and explains how this document is organized. It also provides information such

as, the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee

Network Security Platform [formerly McAfee

IntruShield

] delivers the most

comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion

Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical

enterprise, carrier, and service provider networks, while providing unmatched protection

against spyware and known, zero-day, and encrypted attacks.

McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring

network traffic by analyzing NetFlow information flowing through the network in real time,

thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network

Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a

single Manager.

About this Guide

This guide describes the process of deploying Network Security Sensors (Sensors) in inline

mode

. The information in this guide details best practices for inline mode configuration,

information on attack blocking, and inline troubleshooting options.

This guide assumes that the reader has a working understanding of McAfee Network

Security Platform products, including McAfee Network Security Manager (nsm) and

McAfee Network Security Sensors (Sensors).

Conventions used in this guide

This document uses the following typographical conventions:

Convention Example

Terms that identify fields, buttons,

tabs, options, selections, and

commands on the User Interface

(UI) are shown in

Arial Narrow bold

font.

The

Service field on the Properties tab specifies the

name of the requested service.

Menu or action group selections

are indicated using a right angle

bracket.

Select My Company > Admin Domain > Summary.

McAfee® Network Security Platform 6.0

Preface

Convention Example

Procedures are presented as a

series of numbered steps.

1. On the Configuration tab, click Backup.

Names of keys on the keyboard

are denoted using UPPER CASE.

Press ENTER.

Text such as syntax, key words,

and values that you must type

exactly are denoted using

Courier New

font.

Type:

setup and then press ENTER.

Variable information that you must

type based on your specific

situation or environment is shown

italics.

Type: S

ensor-IP-address and then press

ENTER.

Parameters that you must supply

are shown enclosed in angle

brackets.

set Sensor ip <A.B.C.D>

Information that you must read

before beginning a procedure or

that alerts you to negative

consequences of certain actions,

such as loss of data is denoted

using this notation.

Caution:

Information that you must read to

prevent injury, accidents from

contact with electricity, or other

serious consequences is denoted

using this notation.

Warning:

Notes that provide related, but

non-critical, information are

denoted using this notation.

Note:

Related Documentation

The following documents and on-line help are companions to this guide. Refer to Quick

Tour for more information on these guides

• Quick Tour

• Installation Guide

• Upgrade Guide

• Getting Started Guide

• IPS Deployment Guide

• Manager Configuration Basics Guide

• I-1200 Sensor Product Guide

• I-1400 Sensor Product Guide

• I-2700 Sensor Product Guide

• I-3000 Sensor Product Guide

McAfee® Network Security Platform 6.0

Preface

• I-4000 Sensor Product Guide

• I-4010 Sensor Product Guide

• M-1250/M-1450 Sensor Product Guide

• M-1250/M-1450 Quick Start Guide

• M-2750 Sensor Product Guide

• M-2750 Quick Start Guide

• M-3050/M-4050 Sensor Product Guide

• M-3050/M-4050 Quick Start Guide

• M-6050 Sensor Product Guide

• M-6050 Quick Start Guide

• M-8000 Sensor Product Guide

• M-8000 Quick Start Guide

• Gigabit Optical Fail-Open Bypass Kit Guide

• Gigabit Copper Fail-Open Bypass Kit Guide

• 10 Gigabit Fail-Open Bypass Kit Guide

• M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure

• M-2750 Slide Rail Assembly Procedure

• M-series DC Power Supply Installation Procedure

• Administrative Domain Configuration Guide

• Manager Server Configuration Guide

• CLI Guide

• Device Configuration Guide

• IPS Configuration Guide

• NAC Configuration Guide

• Integration Guide

• System Status Monitoring Guide

• Reports Guide

• Custom Attack Definitions Guide

• Central Manager Administrator's Guide

• Best Practices Guide

• Troubleshooting Guide

• Special Topics Guide—Sensor High Availability

• Special Topics Guide—Virtualization

• Special Topics Guide—Denial-of-Service

• NTBA Appliance Administrator's Guide

• NTBA Monitoring Guide

• NTBA Appliance T-200 Quick Start Guide

• NTBA Appliance T-500 Quick Start Guide

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

vii

McAfee® Network Security Platform 6.0

Preface

Online

Contact McAfee Technical Support http://mysupport.mcafee.com.

Registered customers can obtain up-to-date documentation, technical bulletins, and quick

tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also

resolve technical issues with the online case submit, software downloads, and signature

updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7

Technical Support is available for customers with Gold or Platinum service contracts.

Global phone contact numbers can be found at McAfee

Contact Information

http://www.mcafee.com/us/about/contact/index.html page.

Note: McAfee requires that you provide your GRANT ID and the serial number of

your system when opening a ticket with Technical Support. You will be provided with

a user name and password for the online case submission.

viii

C HAPTER 1

What is inline mode?

Inline monitoring mode provides prevention of attacks by enabling Security Administrators

to select the types of attacks/traffic to drop, thus preventing the negative end-system

impact common with today's network attacks. Inline mode is achieved when Network

Security Sensor is placed directly in the path of a network segment, becoming,

essentially, a “bump in the wire,” with packets flowing through Sensor. In this mode, the

Sensor inspects all traffic at wire-speed and can prevent network attacks by dropping

malicious traffic in real time—the Sensor actually ends the attacking transmission before it

can reach and impact the target. Preventative actions can operate at a highly granular

level, including the automated dropping of DoS traffic intended for a specific host.

When operating in inline mode, network segments are connected to two wire-matched

Sensor ports (For example: peer ports 1A and 1B), and packets are examined in real time

as they pass through the Sensor. In this mode, a packet comes in through the first

interface of the pair of the Sensor and out the second interface of the pair. The packet is

sent to the second interface of the pair unless that packet is being denied or modified by a

signature.

As of release 2.1.7, Sensor ports are configured by default for monitoring in inline mode;

that is, connected inline on a network segment (For example: between a switch and a

router or two switches). A Sensor with 2.1.7 or later software will initially come online with

its peer ports configured in pairs and in inline mode.

Note: This change will not override user-configured settings. Deployed Sensors

upgraded to 2.1.7 or later and will retain their user-configured settings.

Benefits of running inline

The benefits to using Sensors in inline mode are:

•

Protection/Prevention. Prevention is a feature unique to inline mode. When running inline,

a Sensor can drop malicious packets and not pass them through the network. This

acts sort of like an “adaptive firewall,” with your detection policy dictating what is

dropped. Furthermore, when dropping packets, Network Security Platform is very

precise and granular. The Sensor can drop only those packets it identifies as

malicious or all of the packets related to that flow (a choice that is user configurable).

•

Packet “scrubbing.” In addition to dropping malicious traffic, Network Security Platform

can

scrub—or normalize—traffic to take out any ambiguities in protocols that the

attacker may be using to try to evade detection. Current IDS products are susceptible

to these techniques, and an example of this attempt is IP fragment and TCP segment

overlaps. The Sensor can reassemble the IP fragments and TCP segments and

enforce a reassembly mode of the user’s choice to accept either the old or the new

data.

•

Processing at wire-speed. Sensors are able to process packets at wire rates.

McAfee® Network Security Platform 6.0

What is inline mode?

In inline mode, the Sensor logically acts as a transparent repeater with minimal

latency for packet processing. Unlike bridges, routers, or switches, the Sensor does

not need to learn MAC addresses or keep an ARP cache or a routing table.

C HAPTER 2

Inline deployment walkthrough

Deploying your Sensor inline consists of the following steps:

1 Determine the optimal high availability strategy for the Sensor. This indicates how you

would like the Sensor to behave when it fails (i.e., fail-open, fail-closed, or support a

failover/high-availability configuration).

2 Physically install the Sensor on your network, and cable the Sensor for the

deployment mode of your choice. For example, cable one Sensor standalone (to fail-

open, if applicable, or configure two Sensors as part of a failover pair).

3 Configure the Sensor monitoring ports.

4 Configure one or more policies for the inline ports.

5 Understand how blocking works, and configure blocking.

Note: You must use McAfee

Network Security Manager (Manager) to configure

most aspects of your Sensor(s), including port configuration, pairing two Sensors for

failover operation, and configuring and applying policies to detect and drop

malicious traffic.

C HAPTER 3

Determine your high availability strategy

Before you move your McAfee

Network Security Sensor (Sensor) inline, consider the

impact of a Sensor outage and its effect on your network. In inline mode, the Sensor does

become a single point of failure. McAfee

Network Security Platform provides a variety of

options to minimize network downtime in the event of Sensor failure. For example,

Sensors support complete stateful failover, delivering the industry's first true high-

availability IPS deployment, similar to what you’d find with firewalls. If you’re running the

Sensor in inline mode, McAfee recommends that you deploy two Sensors redundantly for

failover protection.

The following deployment options are available:

• Failover, or High-Availability.

• Fail-open or fail-closed functionality.

 Fail-open with external hardware.

 Fail-open with the Layer 2 Passthru (L2) feature

Failover, or High-Availability

Where redundancy is an essential requirement, it is best practice to implement Network

Security Platform 'high-availability' configuration. When running Sensors inline, this option

is available to an identical pair of Sensors (same model, software image, signature set)

deployed redundantly in inline mode. Both Sensors in the pair are active and share full

state, so that the information on both Sensors is always current. Latency is very minimal;

than other devices providing failover, such as, firewalls.

The keys to the Network Security Platform failover architecture are as follows:

 Sensors configured for failover confirm a “heartbeat” once each second.

 Sensors configured for failover share flow information in real time.

 Sensors are invisible at Layer 2 and above; the monitoring ports do not have MAC

addresses.

As a result, you do not have to worry about Layer 2 and 3 topology changes when you

introduce Network Security Platform failover into the environment, and in the unlikely event

of a Sensor failure, failover is instantaneous and connection state is maintained.

All Sensor models support failover.

This subject is discussed in detail in the document

Special Topics Guide—Sensor High

Availability

McAfee® Network Security Platform 6.0

Determine your high availability strategy

Fail-open or fail-closed functionality

Sensor ports deployed in inline mode have the option of failing open or closed. Similar in

terminology to firewall operation, ports failing open allow traffic to continue to flow. Thus,

even if the ports fail, your Sensor does not become a bottleneck. However, monitoring

ceases, allowing all traffic to continue to flow through the network, which can allow attacks

to impact systems in your network. When ports are configured to fail-closed, the Sensor

does not allow traffic to continue to flow, thus the failed ports become a bottleneck,

stopping all traffic at the Sensor.

Note: There are security consequences when the Sensor is in bypass mode. When

bypass mode is on, the traffic bypasses the Sensor and is not inspected; therefore,

the Sensor cannot prevent malicious attacks.

There are two fail-open options available:

Fail-open with external hardware

Inline fail-open mode, available for both 10/100 and GE links, guarantees that data will be

forwarded over a monitored link in the event that the Sensor's processes are temporarily

stopped for upgrades or when the Sensor fails. This guarantee is delivered for 10/100 port

pairs using an internal mechanical tap that connects the monitoring ports when hardware

failure is detected. The 10/100 configurations is a choice made per port pair. The Gigabit

fail-open implementation involves the use of the external Gigabit Fail-Open Kit, which

includes a Bypass Switch.

Caution 1: Note that Sensor outage breaks the link connecting the devices on

either side of the Sensor and requires the renegotiation of the network link

between the two peer devices connected to the Sensor.

Caution 2: Depending on the network equipment, this disruption introduced by

the renegotiation of the link layer between the two peer devices may range from

a couple of seconds to more than a minute with certain vendors’ devices.

Caution 3: A very brief link disruption may also occur while the links between

the Sensor and each of the peer devices are renegotiated to place the Sensor

back in inline mode. This outage, again, varies depending on the device, and

can range from a few seconds to more than a minute.

Fail-open with the Layer 2 Passthru (L2) feature

Layer 2 Passthru is also known as “software fail-open.” The L2 feature, when triggered,

causes traffic to flow through the Sensor without being copied to the detection engine.

Note: The Layer 2 Passthru option is provided specifically to handle internal

Sensor errors; it is not provided as an alternative to other HA options, such as

the Fail-Open kit.

C HAPTER 4

Install and cable the Sensor

Each McAfee

Network Security Sensor (Sensor) model are shipped with documentation

on how to set up the Sensor and configure it to communicate with the McAfee

Network

Security Manager Manager. This documentation consists of model-specific Product

Guides and Quick Start Guides and a model-generic Sensor Configuration Guide. These

documents provide detailed installation, configuration and cabling instructions for your

Sensor.

You may need special equipment depending on your deployment strategy. Certain Sensor

models have Fast Ethernet (FE) ports. Each FE port requires a Network Security Platform

dongles for In-line Fail-closed mode. Dongles are included with FE-port Sensors. Gigabit

Ethernet (GE) port Sensors require the optional Gigabit Fail-Open Bypass Kit (Optical

Single-mode, Optical Multimode, or Copper), sold separately, for In-line Fail-Open mode.

The following table shows the monitoring port types for each Network Security Sensor

model.

Sensor Monitoring port

type

Fail-open behavior

I-4010 GE ports Fail-closed; require external Fail-Open Kit

I-4000 GE ports Fail-closed; require external Fail-Open Kit

I-3000 GE ports Fail-closed; require external Fail-Open Kit

I-2700 FE ports

GE ports

Fail-open; require no extra hardware

Fail-closed; require external Fail-Open Kit

I-1400 FE ports Fail-open; require no extra hardware

I-1200 FE ports Fail-open; require no extra hardware

Sensor Monitoring port

type

Fail-open behavior

M-8000 GE ports Fail-closed; require external Fail-Open Kit

M-6050 GE ports Fail-closed; require external Fail-Open Kit

M-4050 GE ports Fail-closed; require external Fail-Open Kit

M-3050 GE ports Fail-closed; require external Fail-Open Kit

M-2750 GE ports Fail-closed; require external Fail-Open Kit

M-1450 GE ports Fail-closed and Fail-Open built-in

M-1250 GE ports Fail-closed and Fail-Open built-in

N-450 GE ports Fail-closed; require external Fail-Open Kit

McAfee® Network Security Platform 6.0

Install and cable the Sensor

Cable the Fast Ethernet monitoring ports

The FE ports available on some Sensor models fail-open and require no extra hardware;

simply connect your cables to a port pair (For example: 1A-1B).

Fail-closed mode for FE ports requires use of the fail-closed dongles on each connecting

cable of the port pair. The fail-closed dongles provided with the Sensor are designed to

complement 10/100 monitoring port functionality. You plug the dongles into a Sensor’s

10/100 monitoring port, and then connect a Cat 5/Cat 5e cable to the dongles.

Cable the Gigabit Ethernet monitoring ports

Fail-Open mode for Gigabit Ethernet (GE) ports requires use of the external Gigabit Fail-

open Kit. This kit includes a Gigabit Bypass Switch and an adaptor that connects the

switch to the Sensor.

Note: Fail-closed mode for GE ports requires no extra hardware; simply connect

your fiber cables to the GE port pair (For example: 1A-1B).

For information on how to cable the Sensor with a Gigabit Fail-Open Kit, see the

documentation that accompanies the kit. For example, the Gigabit Copper Kit includes the

Gigabit Copper Fail-Open Kit Guide.

Cable a failover pair

Failover requires connecting the paired Sensors via an interconnection cable or cables.

Communication between paired Sensors maintains the failover heartbeat and state

information.

There is no standard heartbeat port across all the Sensor models. The port or ports you

use to connect the two Sensors depends on the Sensor model. The Sensor models and

their failover interconnection ports are described below.

Sensor Failover port

I-4010 HA1 and HA2 (6A and 6B)

I-4000 2A and 2B

I-3000 HA1 and HA2 (6A and 6B)

I-2700 4A

I-1400 Response port 1 (R1)

I-1200 Response port 1 (R1)

McAfee® Network Security Platform 6.0

Install and cable the Sensor

Sensor Failover port

M-8000 HA1 and HA2 (3A and 3B)

M-6050 HA1 (4A). Note that HA2 (4B)

remains unused

M-4050 2A

M-3050 2A

M-2750 10A

M-1450 4A

M-1250 4A

N-450 10A and 10B

The following is a quick summary of the rules for cabling:

• Cabling for the heartbeat connection must be direct; you may not cable the heartbeat

through another network device, such as a switch.

• When 2 ports are used on each Sensor for the heartbeat connection, always cable

between identical port names. For example, port 2A on Sensor 1 must be cabled to

port 2A on Sensor 2 (not 2B).

Configure the Sensor monitoring ports

Once you have installed and cabled the Sensor(s), you must configure the Sensor’s ports.

The following list summarizes the port configuration requirements:

• The port configuration must match the Sensor cabling; for example, if you cable the

port with no Fail-Open Kit, the port must be configured as In-line, Fail-closed, not Fail-

open.

• The ports must be set to “In-line,” AND to “Fail-open” or “Fail-closed” as appropriate

• The ports must be enabled.

About Sensor port configuration

Before you configure the Sensor ports, you must have installed the Sensor and added to

the Manager interface as described in the

Sensor Configuration Guide.

Configure inline mode for a single Sensor

This section contains recommendations for deploying a single Network Security Sensor in

inline mode.

Note: Configuration for a fail-open kit is described in the fail-open kit documentation.

For example, to configure the Sensor to work with the copper fail-open kit, see the

Gigabit Copper Fail-Open Bypass Kit Guide.

To view/configure the settings of your monitoring ports, do the following:

McAfee® Network Security Platform 6.0

Install and cable the Sensor

1 In the Manager interface, select / My Company / Device List / Sensor_Name > Physical Device >

Port Settings

2 Click a numbered port (For example: 4A) from

Monitoring Ports. View Monitoring Port

window displays current port settings.

Figure 1: Verifying Ports and Bypass Switch Status for GE In-line Fail-Open Mode

3 Set the Administrative Status to Disable (off).

4 Select the Port

Speed.

5 Do one of the following:

 For inline fail-closed operation, select

In-line Fail-closed (Port Pair) as the Operating Mode.

 For inline fail-open operation, select

In-line Fail-open (Port Pair) as the Operating Mode.

onfirm (Yes) that you have already connected the bypass switch and controller or

control cable

Figure 2: GE Interface Optical Bypass Switch connection confirmation

McAfee® Network Security Platform 6.0

Install and cable the Sensor

6 Select the area of your network to which the current port is connected: Inside (traffic

initiating internally, destined for the external network) or

Outside (traffic initiating

externally, destined for the internal network).

7 Set the

Administrative Status to Enable (on).

8 Click

OK.

9 Click

Commit Changes.

10 Repeat for any other ports you need to configure.

11 Download the changes to your Sensor as described in

Download configuration,

signature set, and software updates to the Sensor.

(on page 12)

C HAPTER 5

Failover: configure two Sensors in inline mode

In a failover configuration, the two Sensors are placed inline, connected to each other via

cables, and configured to act as a

Failover Pair. All traffic is copied and shared between

them in order to maintain state. Sensor A copies the packets received on its monitoring

ports to Sensor B using the interconnection ports and vice versa. Since both Sensors see

all traffic and build state based on it, their state information is synchronized at all times.

All packets are seen by both Sensors (when both are operational); however, only one

Sensor in the pair raises an alert whenever an attack is detected.

When deploying the two Sensors in failover mode, you must ensure the following:

• The Sensor interconnection ports must be cabled appropriately so the two Sensors

can communicate.

• Both Sensors must be of the identical model type, and have the same signature set

and software loaded. (One of the two Sensors may be a “Fail-over (FO)” Sensor

model, which is a fully functional Sensor limited to operation as part of a failover pair;

it cannot operate standalone.)

• Additionally, all ports on both the Sensors must be configured to run in inline mode.

Note: The exceptions are the ports that will be used for the heartbeat. For example,

on the I-2700, you do not need to explicitly configure ports 4A/4B to run in inline

mode because 4A will be automatically configured for the heartbeat and 4B will be

disabled when the failover pair is created.

Create a Failover Pair

You can create a Failover Pair using McAfee

Network Security Manager (Manager)

System Configuration tool. Failover Pair creation happens in real time; there is no need to

explicitly update the configuration.

Note 1: By design, the configuration of the primary Sensor is copied to the

secondary Sensor, overwriting the original configuration on the secondary. If you

intend to configure both Sensors to fail-closed or fail open, you need only configure

the ports on the Sensor you intend to designate as the primary during the Failover

Pair creation.

Note 2: If you intend to have one Sensor fail-closed and the other fail open,

however, you must revisit the Port Configuration page of each Sensor after Failover

Pair creation and make the appropriate changes.

McAfee® Network Security Platform 6.0

Failover: configure two Sensors in inline mode

1 Click / My Company / Device List > Device List > Failover Pairs.

2 Click

New. The Add a Failover Pair dialog opens.

3 Select the Sensor

Model type. Both Sensors in a failover pair must be the same model.

4 Type a failover pair

Name that will uniquely identify the grouping.

5 Select the Primary Sensor Template Device from the drop-down menu.

6 Select the Secondary Sensor

Peer Device from the drop-down menu.

7 Click

Create. Upon saving, a message informs you that the failover pair creation will

take a few moments.

8 Click

OK. The new failover pair appears as a child node of the Sensors node under

which it was created. That node contains icons for each interface taking part in the

failover process. Also within the Failover Pair node is a list of its member Sensors.

Most configuration options are hereafter done at the Failover Pair node level. For example,

you can now apply a policy, update the configuration, or even create an ACL rule at the

Failover Pair node level and it will automatically propagate to each of the member

Sensors. On the other hand, you still configure the port settings, view interface statistics,

and upgrade the Sensor software at the Sensor node level. The easiest way to get a feel

for the Failover Pair configuration process is to examine the user interface once the Pair

has been created.

Note: The Sensors must be running the same software version to run in a failover

configuration. However, you upgrade software at a Sensor level, even those that are

part of a Failover Pair. The recommended upgrade procedure is to therefore

upgrade the software version on both Sensors, and then reboot them sequentially.

That is, once the upgrade process is complete on both, reboot (for example) the

secondary, confirm that it has rebooted without error, and reboot the primary.

Download configuration, signature set, and software updates

to the Sensor

After configuring your ports for inline mode, setting the TCP/IP parameters, and

customizing and applying policy, you will need to download this configuration to the Sensor

in order for all of your changes to be active. This process is described in detail in the

section

Updating the Configuration of a Sensor in the Sensor Configuration Guide.

• Configuration changes, including port configuration, policy, and signature set updates:

/ My Company / Device List / Sensor_Name> Physical Device > Configuration Update

• Software updates only: / My Company / Device List / Sensor_Name > Physical Device > Software

Upgrade

Page is loading ...

McAfee Network Security Platform User manual

Brand: McAfee

Model: Network Security Platform

Category: General utility software

Type: User manual

This manual is also suitable for

M-1250 - Network Security Platform

Download PDF

report

McAfee Network Security Platform User manual

This manual is also suitable for

McAfee Network Security Platform User manual

Related papers

Other documents