nsp getting started 5.1

Upload: donald-lucero

Post on 06-Apr-2018


8/3/2019 NSP Getting Started 5.1

1/86

Getting Started Guide, revision 4.0

McAfee

Network Protection
Industry-leading network security solutions

McAfee Network Security Platform

version 5.1


    COPYRIGHT

Copyright 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas. (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary ([email protected]), (C) 2000.
* Software copyrighted by Housemarque Oy, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued APRIL 2009 / Getting Started Guide 700-1803-00 / 4.0 - English


Contents

Preface ..... v
    Introducing McAfee Network Security Platform ..... v
    About this Guide ..... v
    Audience ..... vi
    Conventions used in this guide ..... vi
    Related Documentation ..... vii
    Contacting Technical Support ..... viii

Chapter 1 Intrusion Prevention and Network Security Platform ..... 1
    What is an attack? ..... 1
        When attackers attack ..... 2
        Detecting attacks ..... 2
    What is an Intrusion Detection System (IDS)? ..... 4
    What is an Intrusion Prevention System (IPS)? ..... 4
        Comprehensive Intrusion Detection ..... 5
        Intrusion Prevention ..... 5
        Flexible Deployment Options ..... 5
            Virtual IPS ..... 6
        High-Availability ..... 6
        Scalable IPS Management ..... 6
    Detection and prevention with Network Security Platform ..... 6

Chapter 2 Network Security Platform Basics ..... 8
    About the Network Security Platform ..... 8
        Network Security Platform components ..... 8
    Network Security Manager license types ..... 12
        Manager components ..... 12
    Update Server ..... 14
        Obtaining Updates from the Update Server ..... 15
        Configuring software and attack signature updates ..... 15
    Modes of Sensor deployment ..... 16
        In-line mode ..... 16
        SPAN mode ..... 17
        Tap mode ..... 18
        Failover (high-availability) via in-line mode ..... 20
        Port clustering (interface groups) ..... 20
    Manager Disaster Recovery (MDR) ..... 21
        Switchover ..... 23
    Double tagging attacks and L3 ACLs ..... 23

Chapter 3 Working with Network Security Platform resources ..... 25
    Network Security Platform resources ..... 25
        Admin Domain node ..... 25
        Manager node ..... 25
        Users and Roles ..... 26
        Sensors node ..... 26
        Interfaces node ..... 26
        Sub-Interfaces node ..... 26
        Policies node ..... 27
        The Resource Tree ..... 27
    Relationship between Sensors and resources in the Resource Tree ..... 29

Chapter 4 Working in Administrative domains ..... 33
    What is an administrative domain? ..... 33
        Parent and child admin domains ..... 34
    Admin domain hierarchy ..... 35
        Nodes ..... 36
        Inheritance ..... 36
    Alert and fault notification and forwarding ..... 37
    Vulnerability assessment of hosts ..... 37
        Using Foundstone from Manager ..... 37

Chapter 5 Working with Security Policies ..... 39
    What are security policies? ..... 39
        Network Security Platform policies ..... 39
    Policy application ..... 40
        VIPS--applying policies at the Interface and sub-interface level ..... 40
    Pre-configured policies ..... 43
    Configuring policies in Network Security Platform ..... 46
        About rule-based policies ..... 46
        Attacks vs. signatures in Network Security Platform ..... 47
        Creating or customizing a policy ..... 48
        Reassigning policies across Sensors ..... 49
    Exporting and importing policies ..... 49
    Policy inheritance ..... 49
    Response management ..... 51
        Response types ..... 51
        The Global Attack Response Editor (GARE) ..... 52
    Denial of Service (DoS) modes ..... 54
        Learning mode ..... 54
        Threshold mode ..... 55
    Countering SYN floods with SYN cookies ..... 55
    Access Control Lists ..... 56
    IP spoofing detection ..... 57
    ARP spoofing detection ..... 58
    Decrypting SSL for IPS inspection ..... 58
        Supported Web servers ..... 59
        Supported Cipher suites ..... 59
        Unsupported SSL functionality ..... 60

Chapter 6 Managing users in Network Security Platform ..... 61
    User management in Network Security Platform ..... 61
        What is a role? ..... 61
        Creating a user ..... 62
    Roles within Network Security Platform ..... 62
        Role relationships between parent and child domains ..... 62
        Role descriptions ..... 63

Chapter 7 Working with Alerts ..... 65
    What are alerts? ..... 65
        The lifecycle of an alert ..... 65
        Suppressing alerts ..... 66
        About the Threat Analyzer ..... 67
    About the Incident Generator ..... 72
        Utilizing the Incident Generator ..... 72
        Creating user-generated incidents ..... 73
        Viewing an incident ..... 73
    About Reports ..... 73
        IPS reports ..... 73
        Configuration reports ..... 74
        Scheduled reports ..... 74
    Alert and packet log archival ..... 74

Index ..... 76


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

    Introducing McAfee Network Security Platform

McAfee Network Security Platform [formerly McAfee IntruShield] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

    What do you want to do?

    Learn more about McAfee Network Security Platform components (on page 8).

    Learn how to Get Started.

    Learn about the Home page and interaction with the Manager interface.

    About this Guide

This guide provides a basic overview of the Network Security Platform, including concepts and terminology you will encounter while using Network Security Platform. This manual is designed to help Network Security Platform users navigate the McAfee Network Security Manager [formerly McAfee IntruShield Security Manager] Interface and its components.

You will find useful tips, hints, warnings, and screen shots interspersed throughout this guide. First, you will learn the basics of using McAfee Network Security Manager (Manager), such as about the Network Security Platform, McAfee Network Security Sensors [formerly McAfee IntruShield Sensors], and working with Network Security Platform resources. Once the basics are covered, the tasks covered in this guide become progressively more advanced.

We recommend that you read this guide before attempting to install and configure any component of the Network Security Platform.

    This guide will walk you through:

Intrusion Prevention and Network Security Platform (on page 1): describes intrusions, the process of intrusion detection, and Network Security Platform's IPS capabilities at a high level.

Network Security Platform Basics (on page 8): provides a basic overview of the Network Security Platform and its various components.


    McAfee Network Security Platform 5.1 Preface

Working with Network Security Platform resources (on page 25): describes the Network Security Platform resources and how they appear in the Manager System Configuration tool.

Working in Administrative domains (on page 33): describes the Network Security Platform method of organizing your security environment into protected administrative domains and sub domains, so as to delegate management of your resources to specific individuals.

Working with Security Policies (on page 39): describes how to construct policies that govern detection and counter-measures for the system.

Managing users in Network Security Platform (on page 61): describes how to assign roles/grant privileges to Network Security Platform users.

Working with Alerts (on page 65): provides an overview of alerts, the notifications triggered when your system detects attacks, and how you interact with them in the Manager.

    Audience

This guide is intended for use by network technicians and maintenance personnel responsible for installing, configuring, and maintaining Manager and Sensors, who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.

    Conventions used in this guide

    This document uses the following typographical conventions:


Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. In the Resource Tree, select NAC Settings.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip

Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

    Related Documentation

The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

    Quick Tour

    Manager Installation Guide

    4.1 to 5.1 Upgrade Guide

    IPS Deployment Guide

    Manager Configuration Basics Guide

    Administrative Domain Configuration Guide

    Manager Server Configuration Guide

    Sensor CLI Guide

    Sensor Configuration Guide

    IPS Configuration Guide

    NAC Configuration Guide

    Integration Guide

    System Status Monitoring Guide

    Reports Guide

    User-Defined Signatures Guide

    Central Manager Administrator's Guide

    Best Practices Guide

    Troubleshooting Guide

    I-1200 Sensor Product Guide

    I-1400 Sensor Product Guide

    I-2700 Sensor Product Guide

    I-3000 Sensor Product Guide

    I-4000 Sensor Product Guide

    I-4010 Sensor Product Guide

    M-8000 Sensor Product Guide

    M-6050 Sensor Product Guide

    M-3050/M-4050 Sensor Product Guide

M-2750 Sensor Product Guide

M-1250/M-1450 Sensor Product Guide

    N-450 Sensor Product Guide

    Gigabit Optical Fail-Open Bypass Kit Guide

    Gigabit Copper Fail-Open Bypass Kit Guide

Special Topics Guide: In-line Sensor Deployment

Special Topics Guide: Sensor High Availability

Special Topics Guide: Virtualization

Special Topics Guide: Denial-of-Service

    Contacting Technical Support

    If you have any questions, contact McAfee for assistance:

    Online

Contact McAfee Technical Support at http://mysupport.mcafee.com.


Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

    Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html).

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.


CHAPTER 1

Intrusion Prevention and Network Security Platform

In the early days of computers, information stored on a computer was very difficult to get to without physical access to the computer itself. In those days, you hired security guards to deter intruders, put a sturdy lock on the door, turned on the security alarm, and your data was safe and sound. Attacks on the data were expensive, usually physical, and required great planning and technical savvy.

    Unfortunately, the many advances in technology changed all that. Back then, intrusions or attacks on computers were viewed as something unlikely, infeasible. These days a corporate network is prey even to pre-teens sitting in their bedrooms at home. The Internet is crawling with people from all walks of life who are continuously trying to test the security of various systems and networks. Some are simply seeking some sort of intellectual high, while others are fueled by more treacherous motives, such as revenge or stealing for profit.

    It is now much more important to make sure all of the doors and windows to your network are locked, the alarm is turned on, and that your security system knows what to look for. Because these days the question of intrusion is no longer if it will happen, but when.

    What is an attack?

    An attack is any unauthorized action taken with the intent of hindering, damaging, incapacitating, or breaching the security of a network. An attack typically prepares for or carries out threats to your critical assets.

    Some attempts to infiltrate a network are relatively harmless, but others can bring the network to a grinding halt and cripple a business. Individuals who intrude on or attack a system are known by a number of names, but are generally referred to as crackers, or more popularly, hackers. In this documentation set, these individuals are referred to as attackers.

    Intrusion detection is the discovery of an attack or intrusion. Intrusion prevention is blocking an attack before it reaches its target. Attacks are actions performed by an attacker that pose a threat to the security state of a protected entity in terms of confidentiality, integrity, authenticity, availability, authorization, and access policies. Attacks can be active, wherein the goal is to directly exploit some vulnerability in a system or software package. In contrast, passive attacks generally consist of monitoring or eavesdropping on traffic with the intention of viewing or capturing sensitive data. The result of a successful active attack is an intrusion: disruption of the normal services, unauthorized access, and/or some form of tampering with the system.

    Intrusion detection can also identify security-related events in a system that may not be triggered by an attack, such as server malfunctions.


    When attackers attack

    When attackers attack a network, they abuse rules established by the network. The rules are broken in a way that makes the attack appear to be a normal transmission.

    Active attacks can generally be divided into the following categories:

    Exploits: An exploit is an attempt by an attacker to take advantage of hidden features or bugs in a system in order to gain unauthorized access. Examples include buffer overflows, directory traversal, and DNS cache poisoning.

    Denial-of-service (DoS) and Distributed Denial-of-service (DDoS) attacks: In a DoS attack, the attacker attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The attacker does not always try to gain information, but to simply act as a vandal to prevent you from making use of your machine. Ping floods and Smurf attacks are examples of DoS attacks. DDoS attacks usually consist of DoS attacks orchestrated by attackers covertly controlling many, sometimes hundreds, of different machines.

    Reconnaissance: These include host sweeps, TCP or UDP port scans, e-mail recons, brute force password guessing, and possibly indexing of public Web servers to find CGI holes or other system vulnerabilities that might later be exploited.

    Policy Violations: All activities for which the underlying traffic content may not be malicious by itself, but are explicitly forbidden by the usage policies of the network as defined by a security policy. These can include protocol violations wherein packets do not conform to network protocol standards (for example, they are incorrectly structured, have an invalid combination of flags set, or contain incorrect values). Examples might include TCP packets with their SYN and RST flags enabled, or an IP packet whose specified length doesn't match its actual length. A protocol violation can be an indication of a possible attack, but can also be triggered by buggy software or hardware.
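The two protocol violations named above (an IP packet whose declared length disagrees with its actual length, and a TCP segment with SYN and RST both set) can be expressed as a small conformance checker. The following is an added example written to illustrate this guide's text; it is not McAfee code and does not show how the Sensor implements its checks. The packets are constructed inline with struct; the 10.0.0.1 and 10.0.0.2 addresses, the port numbers and the identification value are made-up sample values. It also flags SYN together with FIN, a combination the text does not list but which is invalid for the same reason.

```python
"""Protocol-conformance checks over raw IPv4/TCP packets (added example)."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

IP_HDR = "!BBHHHBBH4s4s"     # RFC 791 header without options (20 bytes)
TCP_HDR = "!HHIIBBHHH"       # RFC 793 header without options (20 bytes)


def build_ipv4_tcp(flags, declared_total_len=None, payload=b""):
    """Build a minimal IPv4+TCP packet. declared_total_len lets a caller lie in
    the IP header on purpose, as a buggy stack or a crafted packet would."""
    tcp = struct.pack(TCP_HDR,
                      40000,          # source port (constructed)
                      80,             # destination port (constructed)
                      1, 0,           # sequence and acknowledgement numbers
                      5 << 4,         # data offset = 5 words, no options
                      flags,
                      65535,          # window
                      0,              # checksum (not validated here)
                      0)              # urgent pointer
    actual_total_len = 20 + len(tcp) + len(payload)
    if declared_total_len is None:
        declared_total_len = actual_total_len
    ip = struct.pack(IP_HDR,
                     0x45,            # version 4, IHL 5
                     0,               # DSCP/ECN
                     declared_total_len,
                     0x1234,          # identification (constructed)
                     0,               # flags / fragment offset
                     64,              # TTL
                     6,               # protocol = TCP
                     0,               # header checksum (not validated here)
                     bytes([10, 0, 0, 1]),   # 10.0.0.1 (constructed)
                     bytes([10, 0, 0, 2]))   # 10.0.0.2 (constructed)
    return ip + tcp + payload


def check_packet(raw):
    """Return the names of protocol violations found in one raw IPv4 packet.
    An empty list means the packet passed these conformance checks."""
    violations = []
    if len(raw) < 20:
        return ["ip_header_truncated"]
    ver_ihl, _, declared_len, _, _, _, proto, _, _, _ = struct.unpack(IP_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        violations.append("ip_version_not_4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:
        violations.append("ip_ihl_too_small")
    # Declared length versus bytes actually on the wire: the IP example in the text.
    if declared_len != len(raw):
        violations.append("ip_length_mismatch")
    if proto == 6 and len(raw) >= ihl + 20:
        flags = raw[ihl + 13]        # TCP flags byte sits 13 bytes into the TCP header
        # SYN opens a connection and RST aborts one; both at once is never legitimate.
        if flags & TCP_SYN and flags & TCP_RST:
            violations.append("tcp_syn_rst_both_set")
        if flags & TCP_SYN and flags & TCP_FIN:
            violations.append("tcp_syn_fin_both_set")
    return violations


if __name__ == "__main__":
    for label, pkt in [("clean SYN", build_ipv4_tcp(TCP_SYN)),
                       ("SYN+RST", build_ipv4_tcp(TCP_SYN | TCP_RST)),
                       ("bad IP length", build_ipv4_tcp(TCP_ACK, declared_total_len=60))]:
        print(f"{label}: {check_packet(pkt) or 'ok'}")
```

The checker reads only the fields it validates, so it is deliberately indifferent to checksums; a real engine would verify those too before trusting the length or flags it reads.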

    Some attackers are looking for specific information or targeting a specific company. Others are simply seeking an easy target. Some are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to start the script they're playing with.

    Regardless of their skill level, they all share a common strategy: use tools to search the entire Internet for a specific weakness, and then exploit that weakness. Sooner or later they find someone vulnerable. Anyone can be a target in a search, at any time, from established companies with networks developed over decades, to companies whose network has been up for two days. Sooner or later, you will be probed.

    Because networks are typically running 24 hours a day, attacks can occur at any time. Attacks often occur at night when domestic attackers who have day jobs, go to school, or do other things during the day that preclude attacking. Attacks can also occur during the day when it is evening in other parts of the world, such as Eastern Europe and Korea, which have become origins of numerous attacks.

    Detecting attacks

    Early intrusion detection was performed strictly using pattern matching schemes. Most attackers implement techniques that are tried, true, and well known in the security community. Unless attackers write their own tools, they must rely on available, existing tools, each of which has limitations peculiar to its particular design. Thus, from the victim's point of view, all attacks using such tools will look basically the same. For example, seeing default.ida in the URL field of an HTTP packet along with a specific pattern in the URL argument name field implies a Code Red attack and thus fits a standard, or signature, attack pattern.

    Pattern Matching

    Pattern matching relies upon knowing all of the ways the rules can be broken, and works by comparing network traffic to a database of attack patterns, which are called signatures. Signature-based detection, also known as misuse detection or rule-based detection, attempts to capture the manifestation of attacks in signatures and, if configured to do so, apply specific countermeasures based on each signature. This is very effective for known attacks with well-known signatures.

    However, this method of detection is flawed in three ways: first, it works only for known attacks. Attackers tend to be clever, and they continuously create new ways to hack a system, which quickly outdates the pattern-matching database. Second, pattern matching uses significant computing cycles to work effectively, and this can be exploited by hackers through overloading, which obscures the pattern-matching system's visibility. Relying on signature detection alone leaves you unprotected against new or especially complex attacks.
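A signature engine of the kind described here, reduced to its essentials: each signature is a set of triggers on separate HTTP request fields, and every trigger must fire before the signature matches, which is the multi-field form of the default.ida example given under "Detecting attacks". This is an added example, not McAfee's signature engine or signature format; SIGNATURES and SAMPLE_REQUEST_LINES are constructed for illustration, and the directory-traversal signature goes one step beyond the text's single Code Red example to show a second, single-field signature alongside it.

```python
"""Multi-trigger, multi-field signature matching over HTTP request lines (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Each signature is a set of triggers on separate request fields; ALL triggers
# must match. Constructed for illustration, not McAfee's signature format.
SIGNATURES = [
    {
        "name": "HTTP: Code Red style default.ida request",
        "triggers": {
            "method": re.compile(r"^GET$"),
            "path": re.compile(r"/default\.ida$", re.IGNORECASE),
            # argument-name field: a single character repeated 20 or more times
            "arg_name": re.compile(r"^(.)\1{19,}$"),
        },
    },
    {
        "name": "HTTP: directory traversal in path",
        "triggers": {"path": re.compile(r"(^|/)\.\./")},
    },
]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /default.ida?" + "X" * 24 + " HTTP/1.0",
    "GET /images/../../private/config.txt HTTP/1.1",
    "GET /download/default.ida?file=report HTTP/1.1",  # path trigger fires, arg-name trigger does not
]


def parse_request_line(line):
    """Split 'METHOD SP request-target SP version' into the fields signatures
    trigger on. Returns None for lines that are not a request line."""
    try:
        method, target, version = line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    # keep_blank_values so a bare '?NNNN' query still yields an argument name
    arg_names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {"method": method, "path": parts.path, "version": version,
            "arg_names": arg_names}


def match_signatures(fields):
    """Names of all signatures whose every trigger matches the parsed fields."""
    hits = []
    for sig in SIGNATURES:
        for field, pattern in sig["triggers"].items():
            if field == "arg_name":
                matched = any(pattern.search(name) for name in fields["arg_names"])
            else:
                matched = pattern.search(fields[field]) is not None
            if not matched:
                break
        else:
            # for/else: runs only when no trigger failed
            hits.append(sig["name"])
    return hits


def scan_requests(lines):
    """Return {request line: [signature names]} for every line that matched."""
    alerts = {}
    for line in lines:
        fields = parse_request_line(line)
        if fields is not None:
            hits = match_signatures(fields)
            if hits:
                alerts[line] = hits
    return alerts


if __name__ == "__main__":
    for line, names in scan_requests(SAMPLE_REQUEST_LINES).items():
        print(f"{line!r} -> {names}")
```

The fourth sample line is the point of the multi-field design: its path alone would match a naive string search for default.ida, but because the argument-name trigger does not fire, no alert is raised.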

    Anomaly detection

    Anomaly detection is another detection method, used to more effectively protect against unknown, or first-strike, attacks. Anomaly detection attempts to capture the long-term normal behavior of the protected system in profiles (specifications of the behavior of traffic over a short- or long-term), and sends an alarm when significant deviation from the normal behavior is discovered. Profiles are created using statistical measures or other behavior specifications that can be applied to multiple platforms and operating systems. There are multiple learning disciplines that make it possible to create and maintain profiles: statistical, neural nets, fuzzy logic, genetic, and so forth. Anomaly detection is particularly useful when confronted with distributed denial of service (DDoS) and slow-scan attacks, which can affect a system over an extended period of time.

    Denial of service (DoS) detection

    Another special method of detection is denial of service (DoS) detection. A DoS attack disrupts service to a network or computer, and often occurs at the firewall or in the DMZ, particularly DMZ Web and mail servers. There are two ways to detect DoS attacks. First, there is threshold-based detection, wherein the IDS monitors for traffic volumes exceeding a threshold pre-configured by a network administrator. (This method requires you to fully understand your typical traffic pattern in order to pick good threshold values, otherwise it can produce a lot of false alarms due to traffic fluctuations, such as flash crowds (for example, everyone logging on to the network at 9 a.m.) or other legitimate increases in traffic.)

    The second method is by learned behavior: learning long-term normal behavior and comparing it to short-term observed behavior. Combining the methods greatly improves the reliability of detection.
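Both DoS detection methods above, and the profile idea from the anomaly detection section before it, as an added example that is not McAfee's DoS or anomaly engine: a fixed-threshold detector, a learned-behavior detector that keeps an exponentially weighted long-term profile (mean and variance) and compares it with the mean of a short-term window, and the two combined by requiring both to agree. The per-second packet counts, the 200-packet limit and the detector parameters (alpha, sigmas, warmup, short_window) are constructed assumptions, chosen so the series contains a flat baseline, a gradual legitimate rise with a plateau (the 9 a.m. flash crowd) and a sudden flood.

```python
"""Threshold-based versus learned-behavior DoS detection, and their combination (added example)."""
from collections import deque
from statistics import mean


class ThresholdDetector:
    """Threshold-based detection: alarm when one interval's count exceeds a
    limit chosen by the administrator."""

    def __init__(self, limit):
        self.limit = limit

    def observe(self, count):
        return count > self.limit


class LearnedBehaviorDetector:
    """Learned-behavior detection: alarm when short-term observed behavior
    deviates from a long-term normal profile.

    The profile is an exponentially weighted mean and variance of past
    intervals; short-term behavior is the mean of the last short_window
    intervals; deviation is measured in learned standard deviations."""

    def __init__(self, short_window=5, alpha=0.05, sigmas=4.0, warmup=30):
        self.short = deque(maxlen=short_window)
        self.alpha = alpha      # how fast the long-term profile adapts (assumed value)
        self.sigmas = sigmas    # alarm sensitivity in standard deviations (assumed value)
        self.warmup = warmup    # intervals to learn before alarming (assumed value)
        self.n = 0
        self.mu = None          # long-term mean
        self.var = 0.0          # long-term variance

    def observe(self, count):
        self.short.append(count)
        self.n += 1
        if self.mu is None:
            self.mu = float(count)
            return False
        sd = self.var ** 0.5
        anomalous = (self.n > self.warmup and sd > 0
                     and mean(self.short) > self.mu + self.sigmas * sd)
        # Learn only from intervals judged normal, so a flood that persists is
        # not absorbed into the profile as the new baseline.
        if not anomalous:
            diff = count - self.mu
            self.mu += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous


def constructed_traffic():
    """Constructed per-second packet counts: 60 s of flat baseline with small
    noise, a gradual rise to 250 followed by a 30 s plateau (a legitimate flash
    crowd), then 10 s of flood."""
    baseline = [100 + [0, 3, -2, 1, -3, 2, -1][i % 7] for i in range(60)]
    flash_crowd = [100 + 2.5 * k for k in range(1, 61)] + [250] * 30
    flood = [5000] * 10
    return baseline + flash_crowd + flood


FLOOD_START = 60 + 60 + 30   # index of the first flood interval in constructed_traffic()


def run_detectors(counts, limit=200):
    """Return the intervals at which each detector alarmed, and those where both agreed."""
    threshold, learned = ThresholdDetector(limit), LearnedBehaviorDetector()
    threshold_hits, learned_hits = [], []
    for i, count in enumerate(counts):
        if threshold.observe(count):
            threshold_hits.append(i)
        if learned.observe(count):
            learned_hits.append(i)
    combined = sorted(set(threshold_hits) & set(learned_hits))
    return {"threshold": threshold_hits, "learned": learned_hits, "combined": combined}


if __name__ == "__main__":
    for name, hits in run_detectors(constructed_traffic()).items():
        print(f"{name:>9}: {len(hits)} alarms, first at interval {hits[0] if hits else None}")
```

Run over the constructed series, the threshold detector alarms throughout the flash crowd once counts pass 200, the learned-behavior detector stays quiet there because the short-term window never moves far from the profile relative to the spread it has learned, and only the flood trips both. Requiring agreement is the combination the text recommends. One design point matters: the profile is updated only from intervals judged normal, so an attack that persists is not learned as the new baseline.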


    What is an Intrusion Detection System (IDS)?

    An Intrusion Detection System (IDS) is software or a hardware/software combination that attempts to detect and respond to attempted intrusions into a system or network. An IDS complements firewalls or anti-virus software by providing thorough network packet content inspection and protecting against attacks embedded within what a firewall might perceive as seemingly benign network traffic.

    There are several classifications of IDS.

    Host- or Network-based. A host-based IDS is concerned with what is happening on each individual computer or host and is able to detect such things as repeated failed access attempts or changes to critical system files. A network-based IDS (NIDS) examines all of the packets flowing through your network. A NIDS is able to understand all of the details of many protocols such as headers or protocol fields within a packet and can thus detect maliciously crafted traffic content. There are various types of network-based IDS: these can take the form of software agents running at various points throughout the network, or hardware McAfee Network Security Sensors [formerly McAfee IntruShield Sensors] placed at strategic locations to examine network traffic.

    Signature, Anomaly, and Denial of Service detection. Another classification describes the types of misuse that an IDS detects. As described in the section Detecting attacks (on page 2), signature detection techniques systematically scan network traffic looking for signature patterns of known attacks, comparing these patterns against an extensive database of signatures. Anomaly detection determines a baseline of normal behavior of network traffic, and then attempts to detect intrusions by noting significant departures from normal behavior. Signature-based detection concentrates on known attack patterns, while anomaly detection is best at picking up new or unknown attacks. Denial of Service (DoS) attack detection characterizes normal traffic using pre-programmed thresholds or real-time, self-learning distributions, and then uses this data to detect what might constitute a maliciously excessive consumption of network bandwidth, host processing cycles or other resources.

    Passive, reactive, or preventive IDS. Passive intrusion detection systems sniff packets as they traverse your network. They can detect the potential security breach, log the information about the attack, and raise an alert. Reactive systems are designed to respond to the intrusion, for example, by logging off a user or by reprogramming the firewall to disallow network traffic from a suspected hostile source. Both types of technology enable you to respond only after the attack has occurred. A preventive system sits in the path of your network traffic and thus is able to detect and drop hostile packets before they reach their target.

    What is an Intrusion Prevention System (IPS)?

    McAfee Network Security Platform [formerly McAfee IntruShield] is a network-based Intrusion Prevention System (IPS) that combines McAfee Network Security Sensor (Sensor) and management software for the accurate detection and prevention of known attacks using signature detection, unknown (first strike) attacks using anomaly detection, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. The McAfee Network Security Platform couples real-time IDS with prevention (the ability to block attacks before they reach their target) to offer the most powerful, comprehensive and effective network security system in the market.

    Network Security Platform offers multi-gigabit performance, flexible deployment, robust scalability, and easy-to-use intrusion detection and prevention.


    Comprehensive Intrusion Detection

    Network Security Platform is the only comprehensive network-based IPS solution available. Only Network Security Platform encompasses all of today's applicable IPS technologies to allow customers to detect known (using signatures), new/unknown (using anomaly techniques) and Denial-of-Service (DoS) attacks (using hybrid algorithms employing statistical and heuristic methods). The combination of these techniques significantly increases the capability and accuracy of the IPS. The majority of current products are exclusively signature-based and have little to no anomaly or DoS detection capabilities. No product on the market has the breadth or depth of coverage of Network Security Platform. For example, Network Security Platform can inspect SSL traffic and HTTP response traffic. In addition, Network Security Platform also detects attacks with unprecedented accuracy thanks to:

    Full protocol analysis and state tracking

    Multi-trigger, multi-field pattern matching

    Hardware acceleration to deliver wire-speed detection

    Network Security Platform's ability to see all of the traffic in a variety of deployment modes, including active/active, active/passive, and asymmetrically-routed traffic environments.

    Intrusion Prevention

    Network Security Platform can run in-line, so you can mediate the traffic flow and block malicious traffic before it reaches its target. Current IDS products operate in a monitoring-only mode (operating as a sniffer) and cannot effectively and reliably block the malicious traffic before the damage is done. In sniffing mode, you see the attack at the same time it hits the target. You can apply some countermeasures, like TCP resets and firewall rule reconfiguration, but these are reactive actions. When running in-line, Network Security Platform can proactively drop malicious packets and not pass them through the network, so they never reach their target.

    In addition to dropping malicious traffic, Network Security Platform provides packet scrubbing functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification, which can be used by hackers to evade IDS systems and other security devices.

    Flexible Deployment Options

    Existing products were designed when shared media networks were common and are not easy to deploy in today's switched environments. Furthermore, the Network Security Platform product line allows customers to protect today's higher speed network segments ranging from 100 Mbps up to multi-Gbps, whereas current products are primarily limited to sub-100 Mbps environments. Network Security Platform provides wire-speed monitoring and analysis up to multi-Gbps network segments in three flexible modes of deployment, enabling you to easily integrate it into your network and adapt to any network or security changes that you may encounter in the future.


    Some Sensor models contain built-in 10/100 Mbps Ethernet taps, making it extremely easy to switch between tap and in-line modes through software reconfiguration; no physical rewiring is required.

    The multi-port configuration of all Sensors empowers comprehensive network-wide IDS deployment with significantly fewer Sensors.

    Virtual IPS

    Most products enable you to implement a single security policy per Sensor. Network Security Platform's Virtualization feature (called VIDS or VIPS) enables you to segment a Sensor into a large number of virtual Sensors with each implementing a custom security policy, including individualized attack selection and associated response actions. This capability allows you to implement and enforce a heterogeneous set of security policies with a single Sensor, better serving the differing security needs within an organization. It further reduces the number of Sensors required for a network-wide IPS deployment, and it reduces the number of irrelevant alerts.

    High-Availability

    Sensors support high-availability deployment, using stateful Sensor failover between two hot-standby Sensors. The Sensors are interconnected, copy traffic between themselves, and maintain synchronization. If one Sensor fails, the standby Sensor automatically takes over and continues to monitor the traffic with no loss of session state or degradation of protection level. Network Security Platform also supports Manager Disaster Recovery (MDR). If, for any reason, the primary McAfee Network Security Manager [formerly McAfee IntruShield Security Manager] goes off-line, its secondary can automatically take its place, processing alerts and managing Sensor configuration.

    Scalable IPS Management

    A scalable Web-based architecture allows customers to efficiently manage their IPS deployment while reducing operational costs. The configurable Network Security Platform real-time signature and software update mechanism automates the process of keeping the complete system current with little or no human intervention, thus reducing on-going operating costs.

    Detection and prevention with Network Security Platform

    Detection with the Network Security Platform goes beyond the simple string matching used in many current IDS signature engines. Sensors analyze and validate the traffic to its basic protocol elements and inspect specific protocol fields to improve accuracy, while maintaining full flow and application state. The Sensors perform IP fragment reassembly and TCP stream reassembly, and perform thorough protocol analysis all the way up to the Application Layer. The signature engine searches in a flow for multiple triggers (that is, sub-signatures) in multiple fields of a protocol using Network Security Platform's embedded signature files to increase the precision by which an attack can be unambiguously detected.


    Once the packet is captured, it is analyzed into its corresponding protocol fields. The Sensor analyzes a frame completely and thoroughly from Layers two through seven, and understands the semantics of the protocol fields even at the Application Layer. After it analyzes the protocols, it verifies that the packet conforms to the protocol specification. Network Security Platform then passes the parsed packet through its DoS, Signature, and Anomaly detection engines. This enables Network Security Platform to be very efficient in terms of packet processing because the packet is peeled only once and then fed to the corresponding detection engines. All these processes are hardware-accelerated to provide the required wire-speed performance.

    If the detection engines detect something, they pass an alert and corresponding data to the Management process that is running on the Sensor. The Management process can then trigger the appropriate response, based on policy, and send alerts to the McAfee Network Security Manager (Manager). This response can include averting the attack entirely. If a Sensor is running in in-line mode on the network, you can enable blocking, which causes the Sensor to drop the attack so that the attack never reaches its goal.


    Chapter 2

    Network Security Platform Basics

    This section provides an overview of McAfee Network Security Platform and its components.

    About the Network Security Platform

    McAfee Network Security Platform is a combination of network appliances and software built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse. Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS).

    Network Security Platform components

    Network Security Platform consists of the following major components:

    McAfee Network Security Sensor (Sensor) (on page 8)

    McAfee Network Security Manager (Manager) (on page 12), with its Web-basedgraphical user interface

    McAfee Network Security Update Server [formerly IPS Update Server] (on page 14)

    Sensors

    Sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. Sensors are specifically designed to handle traffic at wire-speed, efficiently inspect and detect intrusions with a high degree of accuracy, and are flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, a Sensor provides real-time traffic monitoring to detect malicious activity and respond to the malicious activity as configured by the administrator.

    Once deployed and once communication is established, Sensors are configured and managed via the Manager server, described in the section Network Security Manager (on page 12).

    Sensor functionality

    The primary function of a Sensor is to analyze traffic on selected network segments and to respond when an attack is detected. The Sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The Sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to respond with countermeasures if an attack is detected.

    If an attack is detected, a Sensor responds according to its configured policy. A Sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, scrubbing malicious packets, and even blocking attack packets entirely before they reach the intended target.

    Sensor platforms

    McAfee offers several types of Sensor platforms providing different bandwidth and deployment strategies.


    Tables with Sensor Information

    I-series Sensors:

    Sensor   Aggregate     10/100 Base-T      Interface      RJ-45           Ports used
             performance   monitoring ports   module         response port   for failover
    I-1200   100 Mbps      2                                 1               Response port
    I-1400   200 Mbps      4                                 1               Response port
    I-2700   600 Mbps      6                  2 GBICs        3               4A
    I-3000   1 Gbps        12                 12 SFP ports   4               6A and 6B
    I-4000   2 Gbps                           4 GBICs        2               2A and 2B
    I-4010   2 Gbps                           12 SFP ports   4               6A and 6B

    Other features            I-4010   I-4000   I-3000   I-2700   I-1400   I-1200
    Internal taps             Nil      Nil      Nil      Yes      Yes      Yes
    Fail-open control ports   4        Nil      4        Nil      Nil      Nil
    10/100 management port    1        1        1        1        1        1
    Console port              1        1        1        1        1        1
    Auxiliary port            1        1        1        1        1        1
    Redundant power supply    Yes      Yes      Yes      Yes      Nil      Nil
    Fail-closed dongles       Nil      Nil      Nil      6        4        2

    M-series Sensors and N-450 Sensor:

    Sensor   Aggregate     10/100/1000 Base-T                   Interface module                                      RJ-45           Ports used
             performance   monitoring ports                                                                           response port   for failover
    M-8000   10 Gbps                                            16 One Gigabit SFP ports, 12 Ten Gigabit XFP ports    1               3A and 3B
    M-6050   5 Gbps                                             8 SFP ports, 8 XFP ports                              1               4A (4B remains unused)
    M-4050   3 Gbps                                             4 XFP ports, 8 SFP ports                              1               2A
    M-3050   1.5 Gbps                                           4 XFP ports, 8 SFP ports                              1               2A
    M-2750   600 Mbps                                           20 SFP ports                                          1               10A (10B is unused)
    M-1450   200 Mbps      8 built-in 10/100/1000 RJ-45 ports                                                         1               4A (4B is unused)
    M-1250   100 Mbps      8 built-in 10/100/1000 RJ-45 ports                                                         1               4A (4B is unused)
    N-450    2 Gbps                                             20 SFP ports                                          0               10A and 10B

    Other features                M-8000                              M-6050   M-4050   M-3050   M-2750   M-1450   M-1250   N-450
    Internal taps                 Nil                                 Nil      Nil      Nil      Nil      Yes      Yes      Nil
    Fail-open control ports       14                                  8        6        6        10       Nil      Nil      10
    Interconnect ports            4 Ten Gigabit XFPs, 2 RJ-45 ports   Nil      Nil      Nil      Nil      Nil      Nil      Nil
    10/100/1000 management port   1                                   1        1        1        1        1        1        1
    Console port                  2                                   1        1        1        1        1        1        1
    Auxiliary port                2                                   1        1        1        1        1        1        1
    Redundant power supply        Yes                                 Yes      Yes      Yes      Yes      Nil      Nil      Yes
    Fail-closed dongles           0                                   0        0        0        0        0        0        0


    Each Sensor is described in the corresponding Sensor Product Guide.

    Network Security Manager license types

    McAfee Network Security Manager (Manager) consists of hardware and software resources that are used to configure and manage your Network Security Platform deployment.

    There are three software versions of Manager:

    McAfee Network Security Global Manager: best suited for global IPS deployments of more than six McAfee Network Security Sensors [formerly McAfee IntruShield Sensors].

    McAfee Network Security Manager: can support large or distributed deployments of up to six McAfee Network Security Sensors (Sensors).

    McAfee Network Security Manager Starter: can support two Sensors.

    The above software versions of the Manager are supported only on Windows Server 2003 (Standard Edition) SP2, English OS and Windows Server 2003 R2 (Standard Edition), Japanese OS.

    Functionally, the products are otherwise identical. The license file provided to you by McAfee determines which version of the Manager you install.

    Manager components

    Manager is a term that represents the hardware and software resources that are used to configure and manage the Network Security Platform. The Manager consists of the following components:

    a hardware/OS server platform (on page 12) (Microsoft Windows Server 2003 SP2, Standard Edition, English or Japanese)

    the Manager software (on page 13)

    a back-end database (on page 14) to persist data (MySQL)

    a connection to the McAfee Network Security Update Server [formerly IPS Update Server] (on page 14)

    Manager server platform

    The Manager server is a dedicated Windows Server 2003 SP2 system running the Manager software. You remotely access the Network Security Platform user interface from a Windows XP system using an Internet Explorer 6.0 or Internet Explorer 7.0 browser session.

    Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a Sensor Management port directly to the Manager server; however, this means you can only receive information from one Sensor (typically, your server has only one 10/100 network port). During Sensor configuration, described in the Sensor CLI Guide, you will establish communication between your Sensor(s) and your Manager server.


    Manager software

    The Manager software has a Web-based user interface for configuring and managing the Network Security Platform. Network Security Platform users connect to the Manager server from a Windows XP system using the Internet Explorer browser program. The Network Security Platform user interface runs with Internet Explorer version 6.0 and Internet Explorer version 7.0. The Manager functions are configured and managed through a GUI application, the Network Security Platform user interface, which includes complementary interfaces for system status, system configuration, report generation, and fault management. All interfaces are logically parts of the Manager program.

    Manager has five components:

    Manager Home. The Manager Home page is the first screen displayed after the user logs on to the system. The Manager Home page displays Operational Status (that is, whether all components of the system are functioning properly), the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s). The Manager Home page is refreshed every 5 seconds by default.

    Operational Status. The Operational Status page displays the status of Manager, database, and any deployed Sensors, including all system faults.

    Configuration. The Configuration page provides all system configuration options, and facilitates the configuration of your Sensors, failover pairs of Sensors, administrative domains, users, roles, Network Access Control (NAC), attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management is based on the current user's role(s) and privileges. For more information on NAC configuration, see the NAC Configuration Guide.

    Threat Analyzer. The Threat Analyzer page displays the hosts detected on your network as well as the detected security events that violate your configured security policies. The Threat Analyzer provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.

    Reports. Users can generate reports for the security events detected by the system and reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or e-mailed to specific individuals.

    Other key features of Manager include:

    The Incident Generator: The Incident Generator enables creation of attack incident conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Threat Analyzer tool.

    For more information on Manager components, see the Manager Server Configuration Guide.

    Integration with other McAfee products: You can integrate Network Security Platform with other McAfee products such as McAfee ePolicy Orchestrator (ePO), McAfee Host Intrusion Prevention [formerly McAfee Entercept], and so on. Then Network Security Platform collaborates with these products to provide you with a comprehensive network security solution. For details, see the Integration Guide.

    Integration with third-party products: Network Security Platform enables the use of multiple third-party products for analyzing faults, alerts, and generated packet logs.

    Fault/Alert forwarding and viewing: You have the option to forward all fault management events and actions, as well as IPS alerts, to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Fault and/or alert forwarding can be sent in the following ways:

    - Syslog Server: forward IPS alerts and system faults

    - SNMP Server (NMS): forward IPS alerts and system faults

    - Java API: forward IPS alerts

    - Crystal Reports: view alert data from database via email, pager, or script

    Packet log viewing: view logged packets/flows using third-party software, such as Ethereal.

    Manager database

    The Manager server operates with an RDBMS (relational database management system) for storing persistent configuration information and event data. The compatible database is MySQL.

    The Manager server for Windows (only) includes a MySQL database that can be installed (embedded) on the target Windows server during Manager software installation.

    Your MySQL database can be tuned on demand or by a set schedule via Manager user interface configuration. Tuning promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer statistics, and checking and repairing tables.

    To graphically administer and view your MySQL database, you can download the MySQL administrator from the MySQL Web site http://dev.mysql.com/downloads/gui-tools.

    Update Server

    For your Network Security Platform to properly detect and protect against malicious activity, the Manager and Sensors must be frequently updated with the latest signatures and software patches available. Thus, the Network Security Platform team constantly researches and develops performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denials of service (DoS). When a severe-impact attack happens that cannot be detected with the current signatures, a new signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.

    New signatures and patches are made available to customers via the McAfee Network Security Update Server (Update Server). The Update Server is a McAfee owned and operated file server that houses updated signature and software files for Managers and Sensors in customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention.

    Note: Communication between Manager and the Update Server is SSL-secured.

    Obtaining Updates from the Update Server

    You have the following options for obtaining updates from the Update Server:

    Tip: To configure Update Server settings from the Manager interface, refer to the Manager Server Configuration Guide.

    1 Connecting directly from your Manager server (via Manager interface action).

    2 Connecting via proxy server (via Manager interface action). You will then authenticate as in option 1.

    3 Connecting from any Windows XP system via browser, downloading updates to that system, and then importing the update to the Manager. This method can provide your Manager server with the safest defense against Internet attacks since no Internet connection is used by your Manager server. The import feature is a Manager interface action.

    4 Connecting from any Windows XP system via browser, downloading software updates to a TFTP server, and then loading the updates directly onto the Sensor using the Sensor's command line interface (CLI). This is for Sensor software updates only. For more information, see Sensor CLI Guide.

    Configuring software and attack signature updates

    You configure interaction with the Update Server using the Manager Configuration page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as Available in the Manager interface for on-demand download. Once downloaded to the Manager, you can immediately download (via an encrypted connection) the update to deployed Sensors or deploy the update based on a Sensor update schedule you define. Acceptance of a download is at the discretion of the administrator.

    You have a total of five update options:

    Automatic update to Manager, manual update from Manager to Sensors. This option enables the Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.

    Manual update to Manager, automatic update from Manager to Sensors. This option enables the administrator to select updates manually, but once the update is selected, it is applied to the Sensors automatically, without reboot.

    Fully manual update. This option allows the security administrator to determine which signature update to apply per update, and when to push the update out to the Sensor(s). You may wish to manually update the system when you make some configuration change, such as updating a policy or response.

    Fully automatic update. This option enables every update to pass directly from the Update Server to the Manager, and from the Manager to the Sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.

    Real-time update. This option is similar to fully automatic updating. However, rather than wait for a scheduled interval, the update is pushed directly from Update Server to Manager to Sensor. No device needs to be rebooted; the Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.

    Modes of Sensor deployment

    With today's complex network configurations, deploying Sensors at all the necessary points of protection in your network can become both very complex and very expensive.

    Network Security Platform makes deployment easy and cost-effective by requiring fewer Sensors and offering several flexible modes of Sensor deployment:

    In-line mode (on page 16)

    Tap mode (on page 18)

    SPAN operating mode (on page 17)

    Failover (high-availability) via in-line mode (on page 20)

    Port clustering (interface groups) (on page 20)

    Sensors, by default, are configured to operate in in-line mode. The operating mode can be changed via the Network Security Platform user interface.

    Each of these modes is described briefly below and in more detail in Sensor Deployment Modes.

    Note: Although the Sensors are configured to run in-line by default, many new Network Security Platform users choose to operate in SPAN mode initially, and then move to tap or in-line mode later as they become more familiar with the product and are ready to tune their deployments.

    In-line mode

    In-line Mode, illustrated in the following figure, places a Sensor directly in the network traffic path, inspecting all traffic at wire-speed as it passes through the Sensor. In-line mode enables you to run the Sensor in a protection/prevention mode, where packet inspection is performed in real time, and intrusive packets can be dealt with immediately; you can actively drop malicious packets because the Sensor is physically in the path of all network traffic. This enables you to actually prevent an attack from reaching its target. You cannot prevent attacks from reaching their target in any other deployment mode.

    All Sensor ports are configured to run in-line by default; when a Sensor comes online for the first time, it is in in-line mode. Sensors are also configured to block certain attacks by default. Thus Network Security Platform can begin blocking attacks right out of the box.

    All Sensor models can be deployed in In-line Mode, and all offer the option of operating in fail-open or fail-closed mode when monitoring traffic in-line.

    Note: Fail-open and fail-closed refer to whether or not the Sensor will allow traffic to continue to pass in the event of port or Sensor failure. For more information on these options, see Fail-open versus fail-closed, IPS Deployment Guide.

    Figure 1: Sensor Deployment - Inline Mode

    For more information about deploying Sensors, see Sensor Deployment Modes, IPS Deployment Guide.

    SPAN mode

    Most current IDS products are deployed in SPAN mode. An advantage of deploying Sensors in SPAN mode is that it merely requires connecting the Sensor and reconfiguring a setting on the switch; thus it is also the operating mode chosen by most new Network Security Platform users. Other modes of Sensor deployment (in-line mode or tap mode) involve connecting the Sensors within the flow of traffic, which requires brief network downtime. Thus most beginners prefer to get used to the Network Security Platform while operating in SPAN mode, to tweak and tune their systems, and move to tap or in-line mode later.

    The Switch Port Analyzer (SPAN) port on a switch is designed specifically for security monitoring so that an attached network analyzer, like a Sensor or a sniffer, can receive a copy of every single packet that is sent from one host to another through the switch. The SPAN port forwards all incoming and outgoing traffic within the switch to a predetermined port where the Sensor or a sniffer is connected. This is called port forwarding or port mirroring, and it allows an attached device to monitor all traffic of that switch.

    The downside of monitoring via a SPAN port is that it is very easy to saturate a SPAN port. A SPAN port really only operates in a half-duplex mode (transmit to the Sensor only), so the maximum bandwidth the port can handle is 100 Mbps (when using a Fast Ethernet port), and when you exceed the 100 Mbps limit of the port, you are not copying all the packets seen on the switch. When all packets are not copied to the IDS, the IDS can report false alarms or miss real attacks. In addition, most switches only support one or two SPAN ports and there is a lot of competition for them (for example, for RMON probes, sniffers, etc.).

    SPAN mode is also a sniffing mode, which, unlike in-line mode, does not enable you to prevent attacks from reaching their targets.

    Figure 2: Sensor Deployment - SPAN Mode

    Note: SPAN mode is not supported on N-450 Sensors.

    Tap mode

    Note: While the figure in SPAN operating mode (on page 17) demonstrates that you can issue response packets via the Sensor's response ports, some switches allow response packets to be injected by an IPS back through the SPAN port.

    Tap mode, illustrated in the following figure, works through installation of an external fiber tap (for GBIC ports) or built-in internal taps (for 10/100 Monitoring ports). A Sensor deployed in tap mode monitors or sniffs the packet information as it traverses the full-duplex network segment.

    Full-duplex taps split a link into separate transmit and receive channels. Sensors provide multiple Sensor ports, wired in pairs to accommodate full-duplex taps.

    The downside of tap mode is that, unlike in-line mode, you cannot prevent attacks. Like SPAN mode, tap mode is passive; the Sensor essentially sees malicious traffic as it passes.

    Figure 3: Sensor Deployment - TAP Mode

    Note 1: You cannot inject response packets back through an external tap, so Sensors offer Response ports through which a response packet (such as a TCP reset) can be injected to close a malicious connection. Sometimes the attacker can succeed in causing the intended damage when the attack packet reaches its intended victim host before the TCP reset closes the connection. Hence, in-line mode is more effective in preventing an attack.

    Note 2: Tap mode is not supported on N-450 Sensors.

    About taps

    A tap is a device that permits unimpeded traffic flow while simultaneously copying all the traffic from a full-duplex link and sending the information to a Sensor for analysis. Taps are used to monitor full-duplex links, and they split the link into separate transmit and receive channels. To monitor the two channels that the tap produces, you use two monitoring interfaces on the Sensor; one interface monitors the transmit channel, one monitors the receive channel. Neither monitoring interface transmits back to the tap.

    Note: You cannot inject response packets back through a tap; you must connect a Sensor response port to another device, namely a switch or router, to respond to malicious packets.

    Taps are hardwired to the Sensor. One Sensor can monitor traffic from multiple taps without degradation or overloading, up to the specified maximum.

    Failover (high-availability) via in-line mode

    Enterprises often deploy fully redundant networks to maintain high network availability. In a redundant network, also known as an active/passive or active/standby configuration, two identical machines are deployed; one is designated as the active machine that performs the task while the other is in standby in case of the active machine's failure. If the active machine fails, it fails over to the standby machine. System redundancy ensures that the network is always available even if the hardware fails.

    This reduces lapses in service to employees and customers that may lead to loss of productivity and revenue. Sensors are built to meet the needs of redundant networks. When running Sensors in-line, the option is available to you to use one Sensor as an active unit, with an identical Sensor standing by, should the active Sensor fail. Both Sensors share full state, so that the information on the standby Sensor is always current. Latency is very minimal; less, in fact, than many other devices providing failover, such as firewalls.

    For more information on deploying Sensors for high availability, see High-Availability, IPS Deployment Guide.

    Port clustering (interface groups)

    Port clustering, referred to as Interface Groups in the Manager interface, enables multiple ports on a single Sensor to be grouped together for effective traffic monitoring, particularly useful for asymmetrically routed networks. You cluster ports when you want the traffic across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are common in load balancing and active/passive configurations, and a complete transmission may be received on one segment, but depart on another. Thus keeping state of asymmetric transmissions is essential for successfully monitoring the traffic. Interface groups normalize the impact of traffic flows split across multiple interfaces, thus maintaining state to avoid information loss.

    Once configured, an interface group appears in the Configuration page's Resource Tree as a single interface node (icon) under the Sensor where the ports are located. All of the ports that make up the interface are configured as one logical entity, keeping the configuration consistent.

    When is clustering used?

    If a company has two different active paths to and from the Internet passing through two different Sensor interfaces, for example, the traffic on each path will be analyzed independently. If a single communication flow is divided across paths, each interface will receive and analyze part of the conversation and therefore be susceptible to false positives and false negatives. When you create an interface group that contains both interfaces, you allow the Sensor to receive and properly analyze the entire communication.

    Figure 4: Clustering
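    To make the clustering point concrete, here is an added Python simulation; it is not McAfee code and not how the Sensor is implemented. It models two monitoring interfaces that each see one direction of the same TCP conversation and runs a two-direction detection rule either per interface or over an interface group; the interface names, addresses, traffic and the rule itself are constructed.

```python
"""Constructed simulation (not McAfee code) of why a split flow needs an interface group.

IF_A carries client->server traffic and IF_B carries server->client traffic of the
same conversations. A rule that needs both directions (a suspicious request that the
server then accepts) is evaluated per logical interface: each physical interface on
its own, or both together as one interface group.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # physical monitoring interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


# Constructed rule: the request carries a traversal marker AND the server answers
# with a success status. Both must be seen on the same flow for a confirmed alert.
REQUEST_MARKER = b"../../"
SUCCESS_MARKER = b"HTTP/1.1 200"


class FlowInspector:
    """Stateful per-flow inspection for one logical interface."""

    def __init__(self, require_response: bool = True) -> None:
        self.require_response = require_response
        self.pending: Dict[FlowKey, bool] = defaultdict(bool)
        self.alerts: List[FlowKey] = []

    def feed(self, pkt: Packet) -> None:
        key = flow_key(pkt)
        if REQUEST_MARKER in pkt.payload:
            if self.require_response:
                self.pending[key] = True    # wait for the server's verdict
            else:
                self.alerts.append(key)     # request-only rule fires at once
        elif self.pending[key] and pkt.payload.startswith(SUCCESS_MARKER):
            self.alerts.append(key)
            self.pending[key] = False


def inspect(packets: List[Packet], groups: Dict[str, str],
            require_response: bool = True) -> List[FlowKey]:
    """groups maps physical interface -> interface-group name; unlisted
    interfaces are analysed on their own. Returns the flows that alerted."""
    inspectors: Dict[str, FlowInspector] = {}
    for pkt in packets:
        logical = groups.get(pkt.iface, pkt.iface)
        inspectors.setdefault(logical, FlowInspector(require_response)).feed(pkt)
    return sorted(k for ins in inspectors.values() for k in ins.alerts)


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"      # constructed addresses
TRAFFIC = [
    # flow 1: traversal request that the server accepts -> should alert
    Packet("IF_A", CLIENT, 40001, SERVER, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("IF_B", SERVER, 80, CLIENT, 40001, b"HTTP/1.1 200 OK\r\n"),
    # flow 2: same request, rejected by the server -> should not alert
    Packet("IF_A", CLIENT, 40002, SERVER, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("IF_B", SERVER, 80, CLIENT, 40002, b"HTTP/1.1 404 Not Found\r\n"),
]
FLOW1 = ((CLIENT, 40001), (SERVER, 80))
FLOW2 = ((CLIENT, 40002), (SERVER, 80))

if __name__ == "__main__":
    print("separate interfaces, two-direction rule:", inspect(TRAFFIC, {}))        # [] (false negative)
    print("separate interfaces, request-only rule :", inspect(TRAFFIC, {}, False))  # flow 2 is a false positive
    print("interface group, two-direction rule    :",
          inspect(TRAFFIC, {"IF_A": "group1", "IF_B": "group1"}))                   # [FLOW1] only
```

    Analysed separately, IF_A never sees the server's answer (the confirmed rule misses flow 1) and a request-only rule flags the rejected flow 2 as well; with both interfaces in one group the Sensor state covers the whole conversation and only flow 1 alerts.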

    Manager Disaster Recovery (MDR)

    Sometimes the worst happens. In this age, where outages to IT systems can cost millions of dollars in lost revenue, lost productivity, and legal issues, every organization must face the near certainty of a system failure occurring at a future date. Anticipating these events and planning corrective courses of action is now a prerequisite to business success. Most organizations now employ some manner of business continuity planning (BCP), a subset of which is disaster recovery planning (DRP). To this end, Network Security Platform has long provided a Sensor high-availability configuration; but what if the worst should happen to your Manager server? Most companies are not willing to rely on the manual method of Manager data archival, restoration of backups, and importing of exported policies to recover their Manager as part of their IPS DRP.

    Enter the MDR feature. With MDR, two Manager servers are deployed as part of Network Security Platform. One host is configured as the Primary system; the other as the Secondary. Each uses the same major release Manager software with mirrored databases; however, the two hosts' hardware configuration does not need to be identical. The Secondary Manager can be deployed anywhere, for example at a disaster recovery site, far from the Primary Manager.

    The Primary Manager is the active Manager by default; this Manager communicates with the Update Server, pushes configuration data to the Sensors, and receives alerts from the Sensors.

    The Secondary Manager remains in a standby state by default. While in standby mode it monitors the health status of the Primary Manager and retrieves Sensor configuration information from the Primary Manager at configured intervals of time.

    Note 1: The standby Manager receives no data from the Sensors while in standby mode.

    Note 2: The Secondary Manager is a warm standby system; it will not guarantee state synchronization with the Primary Manager. It does update configuration information at regular intervals (every 15 minutes), but it does not maintain state. (You can also manually update Secondary Manager configuration rather than waiting for the automatic update.)

    The Sensor, for its part, maintains a connection with both Managers; however, only the active Manager can control Sensors and receive alert data, and Sensors can only be added to an active Manager. (A new Sensor added to the active Manager in an MDR pair establishes trust first with the Primary Manager, and then attempts on its own to establish trust with the Secondary.)

    Figure 5: An MDR pair's communication with Sensors

    Switchover

    Switchover, or failover from the Primary to the Secondary, can be manual/voluntary or involuntary.

    Note: In a situation where you have planned manual downtime and the downtime is expected to be brief, McAfee recommends that you manually suspend MDR, preventing the Secondary Manager from taking over and becoming active. You can then resume MDR when the downtime period is over.

    The Secondary Manager performs regular health checks on the Primary Manager. If the Primary Manager is found to be unavailable during a health check by the Secondary Manager, the Secondary Manager waits for a configurable time interval. If the Primary Manager is still unavailable after that time period elapses, control then switches over to the Secondary Manager.

    Note: You can switch over to the Secondary manually, as well.

    Once the Secondary Manager is active, the Primary moves to standby. The Sensors are made aware of the switchover, communicate with the Secondary Manager, and the system continues to function without interruption.

    All in-flight transactions are lost upon failover from Primary to Secondary Manager. For instance, if the Primary Manager failed while a user was in the middle of a policy edit, the Secondary Manager will not be able to resume the policy edit.

    Note: The MDR feature, in fact, assumes that the Secondary Manager is a standby system, and that it will NOT assume control indefinitely. The Primary Manager should be diagnosed and repaired, and be brought back online.

    While the Secondary Manager is active, McAfee recommends against making any configuration modifications on the Secondary Manager, as these modifications could cause potential data synchronization problems when the Primary Manager is resurrected.

    Once the Primary Manager has recovered, you can switch control back to the Primary system. During this switch back, if you have made configuration changes on the Secondary, you have a choice whether to retain the configuration on the Primary or overwrite it with changes made on the Secondary. After switch-back, alert and packet log data is copied from Secondary to Primary Manager, and can be viewed in the Historical Threat Analyzer. Data is re-synchronized, the Sensors return to communicating with the Primary, and the system is restored with the Primary Manager active and the Secondary Manager in standby mode.

    Note: You can easily dissolve the MDR relationship between the two Managers and return either Manager to stand-alone mode.

    For more information, see Preparing for Manager Disaster Recovery (MDR), Manager Server Configuration Guide.
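    The switchover rules described in this section, as an added Python model that is not McAfee's code: it follows only the behaviour stated above (health checks with a configurable grace period, suspend/resume for planned downtime, loss of in-flight work, the configuration choice and alert copy-back on switch-back), and the check interval, grace period, Manager names and alert strings are constructed values.

```python
"""Constructed model (not McAfee code) of the MDR switchover rules in this section.
The Secondary polls the Primary, waits a configurable grace period before taking over,
can be suspended for planned downtime, loses in-flight work on failover, and copies
alert data back on switch-back. Timings, names and alert strings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Manager:
    name: str
    config: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    in_flight_edit: Optional[str] = None   # an unsaved policy edit in the UI


@dataclass
class MdrPair:
    primary: Manager
    secondary: Manager
    wait_seconds: int                      # grace period after the first failed check
    suspended: bool = False
    active: str = "primary"
    down_since: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def receive_alert(self, alert: str) -> None:
        """Sensors deliver alert data only to the active Manager."""
        (self.primary if self.active == "primary" else self.secondary).alerts.append(alert)

    def health_check(self, now: int, primary_reachable: bool) -> str:
        """Run by the Secondary while in standby; returns who is active afterwards."""
        if self.suspended or self.active != "primary":
            return self.active
        if primary_reachable:
            self.down_since = None
        elif self.down_since is None:
            self.down_since = now                      # grace period starts
        elif now - self.down_since >= self.wait_seconds:
            self.switch_over(now, "health check timeout")
        return self.active

    def switch_over(self, now: int, reason: str) -> None:
        """Failover to the Secondary, whether involuntary or manual."""
        self.primary.in_flight_edit = None             # in-flight transactions are lost
        self.active = "secondary"
        self.down_since = None
        self.events.append(f"t={now}: secondary active ({reason})")

    def suspend(self) -> None:             # planned brief downtime: no takeover
        self.suspended, self.down_since = True, None

    def resume(self) -> None:
        self.suspended = False

    def switch_back(self, now: int, keep_secondary_changes: bool) -> None:
        """Primary repaired: pick which configuration wins, then copy alert data back."""
        if self.active != "secondary":
            raise RuntimeError("switch-back only applies while the Secondary is active")
        if keep_secondary_changes:
            self.primary.config = dict(self.secondary.config)
        else:
            self.secondary.config = dict(self.primary.config)
        self.primary.alerts.extend(self.secondary.alerts)   # now in Historical Threat Analyzer
        self.secondary.alerts.clear()
        self.active = "primary"
        self.events.append(f"t={now}: primary active (switch-back)")


def run_scenario() -> MdrPair:
    """Unplanned outage with 60 s checks and a 120 s grace period, then switch-back."""
    pair = MdrPair(Manager("primary", {"policy": "v1"}),
                   Manager("secondary", {"policy": "v1"}), wait_seconds=120)
    pair.primary.in_flight_edit = "policy v2 draft"
    pair.health_check(0, True)
    pair.health_check(60, False)      # first failure: grace period starts
    pair.health_check(120, False)     # only 60 s elapsed, keep waiting
    pair.health_check(180, False)     # 120 s elapsed: Secondary takes over
    pair.receive_alert("alert-during-outage")
    pair.switch_back(600, keep_secondary_changes=False)
    return pair
```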

    Double tagging attacks and L3 ACLs

    Network Security Platform supports detection of attacks on double VLAN tagged packets. For more information, see IPS on double VLAN tagged traffic, Sensor CLI Guide.

    L3 ACLs help you to specify rules for fragmented traffic in Network Security Platform. For more information, see Using L3 ACLs for fragmented traffic, IPS Configuration Guide.

    Chapter 3

    Working with Network Security Platform resources

    This section describes the relationships between McAfee Network Security Platform resource components.

    Network Security Platform resources

    McAfee Network Security Platform deployment consists of the following resources and relationships between resources.

    Note: The resources described here are documented in later chapters of this Guide, and in more detail in the Administrative Domain Configuration Guide.

    Admin Domain node

    Administrative Domains, or admin domains for short, are optional organizational tools that enable you to logically partition your IPS into discrete portions and delegate their management to specific users. (For example, your company might have a New York office and a San Jose office. You can create a NY admin domain, organize all of the resources protecting the New York office in that domain, and delegate its management to the New York administrator.)

    The entire Network Security Platform deployment is organized under the Root Admin Domain, which is represented in the Resource tree illustrations in this chapter as My Company.

    For more information on Admin Domains, see Administrative Domains (on page 33).

    Manager node

    McAfee Network Security Manager (Manager) is the overall system orchestrator.

    You use the Manager to add, configure, administer, and manage the physical resources (hardware and software server, OS, and software components running on the server) that comprise the Network Security Platform. Within the Manager resource, you can also con