McAfee IIP-S41K-NA-100I, IntruShield 4000 Product Manual

IntruShield Sensor 4000 Product Guide
revision 7.0
McAfee® IntruShield® IPS
McAfee®
Network Protection
Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright © 2001 - 2008 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002.
See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Issued DECEMBER 2008 / IntruShield Sensor 4000 Product Guide
700-1549-00/ 7.0 - English
Contents
Preface  v
  Introducing McAfee IntruShield IPS  v
  About this guide  v
    Contents of this guide  v
  Audience  vi
  Conventions used in this guide  vi
  Related Documentation  vii
  Contacting Technical Support  viii
Chapter 1  An introduction to IntruShield sensors  1
  What is an IntruShield sensor?  1
  Sensor functionality  1
  Sensor platforms  1
  The IntruShield 4000 sensor  2
    Ports on the I-4000  2
    Front panel LEDs on the I-4000  3
Chapter 2  Before you install  6
  I-4000 sensor specifications  6
  Sensor capacity for I-4000 sensor  7
  Network topology considerations  8
  Safety measures  9
  Working with Fiber-optic ports  10
  Usage restrictions  10
  Unpacking the sensor  10
    Contents of sensor box  10
Chapter 3  Setting up the I-4000 sensor prior to configuration  12
  Setup overview  12
  Positioning the I-4000  12
    Installing the ears on the chassis  12
    Mounting the I-4000 sensor in a rack  13
  Installing the I-4000 redundant power supply  14
    Installing a power supply  14
    Removing a power supply  15
  Installing GBICs  16
    Installing a GBIC  16
    Removing a GBIC  17
  Cabling the sensor  17
  Powering on the I-4000  17
    Powering off the sensor  17
Chapter 4  Attaching cables to the I-4000 Sensor  18
  Cabling the Console port  18
  Cabling the Auxiliary port  18
  Cabling the Response ports  19
  Cabling the Management port  19
    Cabling the I-4000 Monitoring ports  20
    Default Monitoring port speed settings for I-4000  21
    Cable types for routers, switches, hubs, and PCs  21
    Using fail-open hardware  21
  Cabling for in-line mode  22
  Cabling for Tap mode  22
    Cabling I-4000 GBIC ports in external Tap mode  22
  Cabling for SPAN mode  23
    Cabling the I-4000 sensor to monitor in SPAN or hub mode  23
    Cabling the failover interconnection ports  23
Index  26
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee IntruShield IPS
McAfee IntruShield delivers the most comprehensive, accurate, and scalable network IPS solution for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.
IntruShield combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.
About this guide
This guide provides all the information you need about the I-4000 sensor. It uses photographs of the sensor and step-by-step procedures that take you from unpacking the sensor to deploying it in your production environment according to your requirements.
Contents of this guide
This guide is organized as described below:
Chapter 1: An Introduction to IntruShield Sensors (on page 1) describes the features and port configurations of the I-4000 sensor, including descriptions of the front panel LEDs.
Chapter 2: Before You Install (on page 6) contains system specifications, and the safety and usage requirements for the sensors.
Chapter 3: Setting up an I-4000 Sensor (on page 12) describes the preliminary steps you must follow prior to configuring the sensor.
Chapter 4: Attaching Cables to the I-4000 Sensor (on page 18) describes how to attach monitoring and response cables to the sensor, and how to cable the sensor to operate in various operating modes.
McAfee® IntruShield® IPS 4.1 Preface
IntruShield Sensor 4000 Product Guide
Audience
This guide is intended for network technicians and maintenance personnel who are responsible for installing, configuring, and maintaining this IntruShield sensor, but who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.
Conventions used in this guide
This document uses the following typographical conventions:

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > View Details.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set sensor ip <A.B.C.D>
Caution: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.

Warning: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.

Note: Notes that provide related, but non-critical, information are denoted using this notation.
Related Documentation
The following documents and on-line help are companions to this guide:
IntruShield IPS Quick Reference Card
IntruShield Manager Installation Guide
IntruShield Getting Started Guide
IntruShield 3.1 to 4.1 Upgrade Guide
IntruShield Quick Tour
IntruShield Planning & Deployment Guide
IntruShield Sensor 1200 Product Guide
IntruShield Sensor 1400 Product Guide
IntruShield Sensor 2600 Product Guide
IntruShield Sensor 2700 Product Guide
IntruShield Sensor 3000 Product Guide
IntruShield Sensor 4010 Product Guide
IntruShield Configuration Basics Guide
Administrative Domain Configuration Guide
Manager Server Configuration Guide
Policies Configuration Guide
Sensor Configuration Guide—using CLI
Sensor Configuration Guide—using ISM
Sensor Configuration Guide—using ISM Wizard
Alerts & System Health Monitoring Guide
Reports Guide
IntruShield User-Defined Signatures Developer's Guide
IntruShield Troubleshooting Guide
IntruShield Attack Description Guide
IntruShield Special Topics Guide:
  Database Tuning
  Best Practices
  Denial-of-Service
  Sensor High Availability
  Custom Roles Creation
  In-line Sensor Deployment
  Virtualization
IntruShield Gigabit Optical Fail-Open Bypass Kit Guide
IntruShield Gigabit Copper Fail-Open Bypass Kit Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Information page, http://www.mcafee.com/us/about/contact/index.html.
Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
Chapter 1
An introduction to IntruShield sensors
This section describes IntruShield sensors at a high level and also describes the I-4000 in detail.
What is an IntruShield sensor?
IntruShield sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of intrusions, misuse, and distributed denial of service (DDoS) attacks.
IntruShield sensors are specifically designed to handle traffic at wire speed, to inspect it efficiently and detect intrusions with a high degree of accuracy, and to be flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, an IntruShield sensor monitors traffic in real time to detect malicious activity and responds to that activity as configured by the administrator.
Once deployed and once communication is established, sensors are configured and managed via the central IntruShield Security Manager (ISM) server.
The process of configuring a sensor and establishing communication with the ISM is described in later chapters of this guide. The ISM server is described in detail in the IntruShield Security Manager Getting Started Guide.
Sensor functionality
The primary function of an IntruShield sensor is to analyze traffic on selected network segments and to respond when an attack is detected. The sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to respond with countermeasures if an attack is detected.
If an attack is detected, a sensor responds according to its configured policy. Sensors can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, “scrubbing” malicious packets, and even blocking attack packets entirely before they reach the intended target.
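The "resetting TCP connections" response above, and the SPAN-mode response ports described later in this chapter, depend on one detail the paragraph leaves implicit: a peer only honours a RST whose sequence number is the one it expects next, so the sensor must track per-flow state rather than simply echoing the offending packet's header. The following Python is an added illustration and is not IntruShield code, nor a description of how McAfee's sensor implements the response. It builds both RST segments an IPS would inject for one observed segment; the addresses, ports and HTTP request are constructed sample data.

```python
"""Build the TCP RST pair an IPS injects to tear down a flow.

Added illustration only: this is not IntruShield code and does not claim to
show how McAfee's sensor implements its "reset TCP connection" response.
Addresses, ports and the request payload below are constructed sample data.
"""
import socket
import struct
from typing import Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words.

    Returns 0 when run over a header whose checksum field is already correct.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, seq: int,
                   ack: int, flags: int, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Assemble an IPv4/TCP packet (no options) with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields a reset needs from a raw IPv4/TCP packet.

    Honours IHL and the TCP data offset so options are skipped, and uses the
    IP total length so Ethernet trailer padding is not counted as payload.
    """
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    tot_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:tot_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x01FF,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def build_resets(observed: bytes) -> Tuple[bytes, bytes]:
    """Return (rst_to_receiver, rst_to_sender) for one observed segment.

    Toward the receiver we impersonate the sender, so seq must be the observed
    seq advanced past the payload (SYN and FIN each consume one sequence
    number as well).  Toward the sender we impersonate the receiver, whose
    next sequence number is simply the sender's own ACK value.
    """
    f = parse_ipv4_tcp(observed)
    consumed = f["payload_len"] + bool(f["flags"] & TCP_SYN) + bool(f["flags"] & TCP_FIN)
    next_seq = (f["seq"] + consumed) & 0xFFFFFFFF
    to_receiver = build_ipv4_tcp(f["src"], f["dst"], f["sport"], f["dport"],
                                 next_seq, f["ack"], TCP_RST | TCP_ACK)
    to_sender = build_ipv4_tcp(f["dst"], f["src"], f["dport"], f["sport"],
                               f["ack"], next_seq, TCP_RST | TCP_ACK)
    return to_receiver, to_sender


def verify_checksums(pkt: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum validate."""
    ihl = (pkt[0] & 0x0F) * 4
    tot_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:tot_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


# Constructed sample: a client request that a signature has (hypothetically) matched.
CLIENT, SERVER = socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9")
OBSERVED = build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1000, 5000,
                          TCP_PSH | TCP_ACK, b"GET /cmd.exe HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for label, rst in zip(("to server", "to client"), build_resets(OBSERVED)):
        f = parse_ipv4_tcp(rst)
        print(label, socket.inet_ntoa(f["dst"]), "seq", f["seq"], "ack", f["ack"],
              "checksums ok" if verify_checksums(rst) else "BAD")
```

Run it directly to see the two resets; on a real response port the bytes would be handed to a raw socket or a link-layer writer. Note that a sensor deployed on a SPAN port sees the attack only after it has been forwarded, so the reset races the attacker's next segment; in-line deployment lets the sensor drop the packet outright, which is why the guide distinguishes the two modes.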
Sensor platforms
McAfee offers multiple sensor platforms providing different bandwidth and deployment strategies. This document describes the I-4000 sensor.
The IntruShield 4000 sensor
The IntruShield 4000 sensor (the I-4000) is designed for high-bandwidth links. It can monitor two full-duplex Ethernet segments, or four SPAN ports, for up to 2 Gbps of aggregated traffic.
Ports on the I-4000
The I-4000 is a 2RU unit, and is equipped with the following ports:
Figure 1: The I-4000 sensor
Callout  Name
1  Management port
2  Console port
3  Auxiliary port
4  GBIC monitoring ports or Failover interconnection ports (2A and 2B only)
5  Response ports
6  Response ports (not used)
7  External Compact Flash port
8  Power Supply A
9  Power Supply B

1  One 10/100 Management port, which is used for communication with the ISM server. This port has an assigned IP address.
2  One RS-232C Console port, which is used to set up and configure the sensor.
3  One RS-232C Auxiliary port, which may be used to dial in remotely to set up and configure the sensor.
4  Four monitoring GBIC ports, which enable you to monitor four SPAN ports, two full-duplex tapped segments, two segments in-line, or a combination (that is, one full-duplex segment and two SPAN ports). The monitoring interfaces of the I-4000 work in stealth mode, meaning they have no IP address and are not visible on the monitored segment. If you choose to run in failover mode, ports 2A and 2B are used to interconnect with a standby sensor.
5  Two response ports, which, when you are operating in SPAN mode, enable you to inject response packets back through a switch or router. The second pair of response ports (callout 6) is not used.
7  One External Compact Flash port. This port is used for two purposes. It is used to control optional fail-open hardware as described in the IntruShield Gigabit Optical Fail-Open Bypass Kit Guide. It is also used in troubleshooting situations where the sensor's internal flash is corrupted and you must reboot the sensor via the external compact flash. For more information, see the on-line KnowledgeBase at the McAfee Support Site, https://mysupport.mcafee.com.
8  Power Supply A (included). Power supply A is included with each sensor. The supply uses a standard IEC port (IEC320-C13). McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country-appropriate power cable.
9  Power Supply B (optional, purchased separately). Power supply B is a hot-swappable, redundant power supply. This power supply also uses a standard IEC320-C13 port, and you can use the McAfee-provided cable or acquire one that meets your specific needs.
The I-4000 does not have internal taps; it must be used with a 3rd party external tap to run in tapped mode.
Front panel LEDs on the I-4000
The front panel LEDs provide status information for the health of the sensor and the activity on its ports. The following table describes the front panel LEDs.