McAfee IIP-M80K-ISAA, M-8000 Product Manual
M-8000 Sensor Product Guide
revision 2.0
McAfee® IntruShield® IPS
IntruShield M-8000 Sensor
version 4.1
McAfee®
Network Protection
Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright ® 2001 - 2009 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION
PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS
(AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX,
VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks
or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTW ARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAf ee OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software
written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free
Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.
The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made
available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee
provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights
and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier,
Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (ht tp://www.apa che.org/). A copy
of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 19952002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. *
FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside
In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software
copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar
Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C)
1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data
Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by
Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry
Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C)
2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. *
Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco
Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http:/ /www.extreme.indiana.edu/). *
Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its
contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin
Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See
http://www. boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software
copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001.
See http: //www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software
copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi
(jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker,
(C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy
<http://www. housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software
copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John
R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991,
1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc
and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software
copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C)
1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Issued JUNE 2009 / M-8000 Sensor Product Guide
700-1763-00-G/ 2.0 - English
Contents
Preface ........................................................................................................... v
Introducing McAfee IntruShield IPS ..............................................................................................v
About this guide............................................................................................................................. v
Audience ....................................................................................................................................... v
Contents of this guide....................................................................................................................vi
Contacting Technical Support .......................................................................................................vi
Related documentation .................................................................................................................vi
Conventions used in this guide ....................................................................................................vii
Chapter 1 Overview...................................................................................... 1
About IntruShield sensors ............................................................................................................. 1
Sensor functionality ....................................................................................................................... 1
Network topology considerations .................................................................................................. 1
M-8000 key features...................................................................................................................... 2
M-8000 physical description.......................................................................................................... 2
Ports.......................................................................................................................................3
Front panel LEDs ...................................................................................................................5
Chapter 2 Before You Install....................................................................... 7
Usage Restrictions ........................................................................................................................ 7
Safety measures ........................................................................................................................... 7
Working with Fiber-Optic ports ...................................................................................................... 8
Contents of the box ....................................................................................................................... 8
Unpacking the sensor.................................................................................................................... 9
Chapter 3 Setting up an M-8000................................................................ 10
Setup Overview ........................................................................................................................... 10
Positioning the sensor ................................................................................................................. 10
Installing the rails and ears on the chassis and rack............................................................10
Mounting a sensor in a rack .................................................................................................11
Removing a sensor from the rack ........................................................................................11
Using the redundant power supply.............................................................................................. 12
Installing the power supply...................................................................................................12
Removing the power supply.................................................................................................13
Cabling the sensor ...................................................................................................................... 13
Using Small-factor Pluggable modules ....................................................................................... 14
Modules Description.............................................................................................................14
Installing a module ...............................................................................................................15
Removing a module .............................................................................................................16
Power-on the sensor ................................................................................................................... 16
Powering off the sensor............................................................................................................... 16
Chapter 4 Attaching Cables to the M-8000.............................................. 17
Cabling the Console port............................................................................................................. 17
Cabling the Auxiliary port ............................................................................................................ 17
Cabling the Response port.......................................................................................................... 18
Cabling the Fail-Open port .......................................................................................................... 18
Cabling the Management port .....................................................................................................18
Cabling the Interconnect ports .................................................................................................... 19
Cabling the Monitoring port ......................................................................................................... 19
Using peer ports...................................................................................................................19
Default Monitoring port speed settings.................................................................................20
Cable types for routers, switches, hubs, and PCs ...............................................................21
iii
Cabling for in-line ........................................................................................................................ 21
Cabling for TAP mode ................................................................................................................. 21
Cabling for SPAN or hub mode ................................................................................................... 22
Cabling the Failover interconnection ports .................................................................................. 22
Using Fail-Open hardware .......................................................................................................... 23
Chapter 5 Troubleshooting....................................................................... 24
Appendix A Sensor Technical Specifications......................................... 25
iv
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the
information in this document, and explains how this document is organized. It also
provides information such as the supporting documents for this guide and how to
contact McAfee Technical Support.
Introducing McAfee IntruShield IPS
McAfee IntruShield delivers the most comprehensive, accurate, and scalable network
IPS solution for mission-critical enterprise, carrier, and service provider networks,
while providing unmatched protection against spyware and known, zero-day, and
encrypted attacks.
IntruShield combines real-time detection and prevention to provide the most
comprehensive and effective network IPS in the market.
What do you want to do?
• Learn more about McAfee IntruShield components.
• Learn how to get started.
• Learn about the Home page and interaction with the Manager interface.
About this guide
This guide contains information necessary to setup your M-8000 sensor model. This
information includes guiding you through preconfiguring, cabling, and troubleshooting
your sensor. See the Related Documents section for a list of other product
documentation that covers topics ranging from planning and deployment to best
practices for your environment.
Audience
This guide is intended for use by network technicians and maintenance personnel
responsible for installing, configuring, and maintaining sensors, but is not necessarily
familiar with IPS-related tasks, the relationship between tasks, or the commands
necessary to perform particular tasks.
v
McAfee® IntruShield® IPS 4.1
M-8000 Sensor Product Guide
Contents of this guide
This guide is organized as follows:
Contents of this guide
• Chapter 1: Overview describes the features and port configurations of the M8000 sensor, including descriptions of the front panel LEDs.
• Chapter 2: Before You Install contains system specifications, and the safety
and usage requirements for the sensors.
• Chapter 3: Setting up an M-6050 describes the preliminary steps you must
follow prior to configuring the sensor.
• Chapter 4: Attaching Cables to the M-8000 Sensor describes how to attach
network, monitoring, configuration, and response cables to the sensor, and
how to cable the sensor to operate in various operating modes.
• Chapter 5: Troubleshooting provides basic information to help you assess
possible installation problems that could occur.
• Appendix A: Sensor Technical Specifications provides a physical description
(such as dimensions) as well as operating and environmental requirements.
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and
quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers
can also resolve technical issues with the online case submit, software downloads,
and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended
24x7 Technical Support is available for customers with Gold or Platinum service
contracts. Global phone contact numbers can be found at McAfee Contact
Information
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided
with a user name and password for the online case submission.
http://www.mcafee.com/us/about/contact/index.html page.
Related documentation
For information to assist you in hardware setup, installation, and configuration, see
the following related documents:
• Sensor Configuration—using the Manager
vi
McAfee® IntruShield® IPS 4.1
M-8000 Sensor Product Guide
For information to assist you planning for IntruShield IPS deployment and operation,
see the following related documents:
Additionally, you might want to refer to the
guides.
Conventions used in this guide
• Sensor Configuration Guide—using CLI
• Sensor Configuration Guide—using the Wizard
• Planning and Deployment Guide
• Special Topics Guide
• Database Tuning
• Best Practices
• Denial-of-Service
• Sensor High Availability
• Custom Roles Creation
• In-line Sensor Deployment
• Virtualization
• Troubleshooting Guide
• Release Notes
Getting Started Guide or various configuration
Conventions used in this guide
This document uses the following typographical conventions:
Convention Example
Terms that identify fields, buttons,
tabs, options, selections, and
The
Service field on the Properties tab specifies the
name of the requested service.
commands on the User Interface
(UI) are shown in
Arial Narrow bold
font.
Menu or action group selections
Select My Company > Admin Domain > View Details.
are indicated using a right angle
bracket.
Procedures are presented as a
1. On the Configuration tab, click Backup.
series of numbered steps.
Names of keys on the keyboard
Press ENTER.
are denoted using UPPER CASE.
Text such as syntax, keywords,
Type:
setup and then press ENTER.
and values that you must type
exactly are denoted using
Courier New
Variable information that you must
font.
Type:
sensor-IP-address and then press ENTER.
type based on your specific
situation or environment is shown
italics.
in
Parameters that you must supply
set sensor ip <A.B.C.D>
are shown enclosed in angle
brackets.
vii
McAfee® IntruShield® IPS 4.1
M-8000 Sensor Product Guide
Convention Example
Conventions used in this guide
Information that you must read
Caution:
before beginning a procedure or
that alerts you to negative
consequences of certain actions,
such as loss of data is denoted
using this notation.
Information that you must read to
Warning:
prevent injury, accidents from
contact with electricity, or other
serious consequences is denoted
using this notation.
Notes that provide related, but
Note:
non-critical, information are
denoted using this notation.
viii
C HAPTER 1
Overview
This chapter provides an introduction to IntruShield sensors.
About IntruShield sensors
IntruShield sensors are high-performance, scalable, and flexible content processing
appliances built for the accurate detection and prevention of intrusions, misuse, and
distributed denial of service (DDoS) attacks.
IntruShield sensors are specifically designed to handle traffic at wire speed, efficiently
inspect and detect intrusions with a high degree of accuracy, and flexible enough to
adapt to the security needs of any enterprise environment. When deployed at key
network access points, an IntruShield sensor provides real-time traffic monitoring to
detect malicious activity and respond to the malicious activity as configured by the
administrator.
Once deployed and once communication is established, sensors are configured and
managed using the central IntruShield ISM server.
The process of configuring a sensor and establishing communication with the ISM is
described in later chapters of this guide. The IntruShield ISM server is described in
detail in the
Getting Started Guide.
Sensor functionality
The primary function of an IntruShield sensor is to analyze traffic on selected network
segments and to respond when an attack is detected. The sensor examines the
header and data portion of every network packet, looking for patterns and behavior in
the network traffic that indicate malicious activity. The sensor examines packets
according to user-configured policies, or rule sets, which determine what attacks to
watch for, and how to respond with countermeasures if an attack is detected.
If an attack is detected, a sensor responds according to its configured policy. Sensors
can perform many types of attack responses, including generating alerts and packet
logs, resetting TCP connections, “scrubbing” malicious packets, and even blocking
attack packets entirely before they reach the intended target.
Network topology considerations
Deployment of an IntruShield IPS requires knowledge of your network to help
determine the level of configuration and amount of installed sensors and ISMs
required to protect your system.
1
McAfee® IntruShield® IPS 4.1 Overview
M-8000 Sensor Product Guide M-8000 key features
The IntruShield sensor is purpose-built for the monitoring of traffic across one or more
network segments. For more information on IntruShield, see the
Getting Started Guide.
Following is an example of a network topology using Gigabit Ethernet throughput. In
the illustration, IntruShield provides IPS and Alert Viewer protection to outsourced
servers. High port-density and virtualization provides a highly scalable solution, while
IntruShield protects against Web and eCommerce mail server exploits.
Figure 1: Service Provider Data Center-based Deployment
M-8000 key features
The M-8000 sensor includes the following features:
• 12 10-GbE XFP
• 16 SFP ports (10/100/1000 copper or 1 GbE fiber)
• 1 10/100/1000 Base-T Management port
• 1 Response port
• Hot-swappable SFP/XFP modules
• Dual power supply
• 6 Fan units (that are field replaceable)
M-8000 physical description
The high-port density IntruShield M-8000, designed for high bandwidth links, is
equipped to support six 10 Gigabit full-duplex Ethernet segments or twelve 10 Gigabit
SPAN ports transmitting aggregated traffic. Additionally, it supports eight 1 Gigabit
2
Loading...