Page 1
IntruShield Sensor 3000 Product Guide
revision 6.0
McAfee® IntruShield® IPS
IntruShield Sensor 3000
version 4.1
McAfee®
Network Protection
Industry-leading intrusion prevention solutions
Page 2
COPYRIGHT
Copyright ® 2001 - 2008 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN
KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM,
VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of
McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and
unregistered trademarks herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB
SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT
INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software
written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free
Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.
The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made
available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee
provide rights to use, copy or modify a software program that are broader than the rig hts granted in this agreement, then such rights shall take precedence over the rights
and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier,
Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A
copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C)
1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. *
FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside
In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software
copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar
Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C)
1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data
Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by
Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by
Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright
(C) 2001, 2002, 2003. A copy of the license agreement for this software can be foun d at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco
Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its
contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by
Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002.
http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
See
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. *
Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp,
(C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. *
Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi
(jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker,
(C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy
<
http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software
copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John
R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991,
1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc
and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software
copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C)
1998. * Software copyrighted by The Regents of the University of California, (C) 19 90, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Issued DECEMBER 2008 / IntruShield Sensor 3000 Product Guide
700-1548-00/ 6.0 - English
Page 3
Contents
Preface ...................................................................................... v
Introducing McAfee IntruShield IPS ..............................................................................................v
About this guide ............................................................................................................................ v
Contents of this guide............................................................................................................ v
Audience .......................................................................................................................................vi
Conventions used in this guide .....................................................................................................vi
Related Documentation................................................................................................................ vii
Contacting Technical Support...................................................................................................... viii
Chapter 1 An introduction to IntruShield sensors .................... 1
What is an IntruShield sensor?...................................................................................................... 1
Sensor functionality................................................................................................................1
Sensor platforms....................................................................................................................1
The IntruShield 3000 sensor ..................................................................................................2
Chapter 2 Before you install ..................................................... 6
I-3000 sensor specifications.......................................................................................................... 6
Sensor capacity for I-3000 sensor ................................................................................................. 7
Network topology considerations.................................................................................................. 8
Safety measures ........................................................................................................................... 9
Working with fiber-optic ports....................................................................................................... 9
Usage restrictions ....................................................................................................................... 10
Unpacking the sensor.................................................................................................................. 10
Contents of sensor box ........................................................................................................10
Chapter 3 Setting up the I-3000 sensor prior to configuration12
Setup overview ........................................................................................................................... 12
Positioning the I-3000.................................................................................................................. 12
Installing the ears on the chassis ......................................................................................... 12
Mounting the I-3000 sensor in a rack...................................................................................13
Installing the I-3000 redundant power supply ............................................................................. 14
Installing a power supply......................................................................................................14
Removing a power supply....................................................................................................15
Installing SFP modules ................................................................................................................ 16
Installing a SFP module........................................................................................................17
Removing a SFP module......................................................................................................18
Connecting copper SFP for 10/100 Fast Ethernet ports ......................................................18
Cabling the sensor....................................................................................................................... 20
Powering on the I-3000 ............................................................................................................... 20
Powering off the sensor.......................................................................................................20
Chapter 4 Attaching cables to the I-3000 Sensor ................... 21
Cabling the Console port ............................................................................................................. 21
Cabling the Auxiliary port............................................................................................................. 21
Cabling the Response ports ........................................................................................................ 22
Cabling the Fail-Open Control ports ............................................................................................ 22
Cabling the Management port.....................................................................................................23
Cabling the I-3000 Monitoring ports.....................................................................................23
Default Monitoring port speed settings for I-3000 ...............................................................24
Cable types for routers, switches, hubs, and PCs ...............................................................25
iii
Page 4
Cabling for in-line mode............................................................................................................... 25
Cabling the I-3000 to monitor in in-line mode ......................................................................25
Cabling for Tap mode .................................................................................................................. 26
Cabling the I-3000 SFP ports to monitor in external tap mode ............................................26
Cabling for SPAN mode............................................................................................................... 26
Cabling the I-3000 sensor to monitor in SPAN or hub mode ...............................................26
Cabling the failover interconnection ports............................................................................26
Index ........................................................................................ 29
iv
Page 5
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the
information in this document, and explains how this document is organized. It also
provides information such as the supporting documents for this guide and how to
Introducing McAfee IntruShield IPS
contact McAfee Technical Support.
McAfee IntruShield delivers the most comprehensive, accurate, and scalable
network IPS solution for mission-critical enterprise, carrier, and service provider
networks, while providing unmatched protection against spyware and known, zeroday, and encrypted attacks.
IntruShield combines real-time detection and prevention to provide the most
comprehensive and effective network IPS in the market.
What do you want to do?
• Learn more about McAfee IntruShield components.
• Learn how to get started.
• Learn about the Home page and interaction with the Manager interface.
About this guide
This guide provides all the information that you would require about the I-3000
sensor. It uses real-life pictures of sensors and easy-to-understand steps to help right
from unpacking the sensor to deploying the sensor in your production environment
as per your requirements.
Contents of this guide
This guide is organized as described below:
•
•
•
Chapter 1: An Introduction to IntruShield Sensors (on page 1) describes the
features and port configurations of the I-3000 sensor, including descriptions
of the front panel LEDs.
Chapter 2: Before You Install (on page 6) contains system specifications,
and the safety and usage requirements for the sensors.
Chapter 3: Setting up an I-3000 Sensor (on page 12) describes the
preliminary steps you must follow prior to configuring the sensor.
v
Page 6
McAfee® IntruShield® IPS 4.1 Preface
IntruShield Sensor 3000 Product Guide
Audience
• Chapter 4: Attaching Cables to the I-3000 Sensor (on page 21) describes
how to attach monitoring and response cables to the sensor, and how to
cable the sensor to operate in various operating modes.
Audience
This guide is intended to be used by network technicians and maintenance personnel
who are responsible for installing, configuring, and maintaining this IntruShield
sensor, but not necessarily familiar with IPS-related tasks, the relationship between
tasks, or the commands necessary to perform particular tasks.
Conventions used in this guide
This document uses the following typographical conventions:
Convention Example
Terms that identify fields, buttons,
tabs, options, selections, and
commands on the User Interface
(UI) are shown in
Arial Narrow bold
font.
Menu or action group selections
are indicated using a right angle
bracket.
Procedures are presented as a
series of numbered steps.
Names of keys on the keyboard
are denoted using UPPER CASE.
Text such as syntax, keywords,
and values that you must type
exactly are denoted using
Courier New
font.
Variable information that you must
type based on your specific
situation or environment is shown
italics.
in
Parameters that you must supply
are shown enclosed in angle
brackets.
The Service field on the Properties tab specifies the
name of the requested service.
Select My Company > Admin Domain > View Details.
1. On the Configuration tab, click Backup.
Press ENTER.
Type: setup and then press ENTER.
sensor-IP-address and then press ENTER.
Type:
set sensor ip <A.B.C.D>
vi
Page 7
McAfee® IntruShield® IPS 4.1 Preface
IntruShield Sensor 3000 Product Guide
Convention Example
Related Documentation
Information that you must read
before beginning a procedure or
that alerts you to negative
consequences of certain actions,
such as loss of data is denoted
using this notation.
Information that you must read to
prevent injury, accidents from
contact with electricity, or other
serious consequences is denoted
using this notation.
Notes that provide related, but
non-critical, information are
denoted using this notation.
Related Documentation
The following documents and on-line help are companions to this guide. Refer to
IntruShield IPS Quick Reference Card
• IntruShield Manager Installation Guide
• IntruShield Getting Started Guide
• IntruShield 3.1 to 4.1 Upgrade Guide
• IntruShield Quick Tour
• IntruShield Planning & Deployment Guide
• IntruShield Sensor 1200 Product Guide
• IntruShield Sensor 1400 Product Guide
• IntruShield Sensor 2600 Product Guide
• IntruShield Sensor 2700 Product Guide
• IntruShield Sensor 4000 Product Guide
• IntruShield Sensor 4010 Product Guide
• IntruShield Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Policies Configuration Guide
• Sensor Configuration Guide—using CLI
• Sensor Configuration Guide—using ISM
• Sensor Configuration Guide—using ISM Wizard
• Alerts & System Health Monitoring Guide
• Reports Guide
• IntruShield User-Defined Signatures Developer's Guide
• IntruShield Troubleshooting Guide
• IntruShield Attack Description Guide
• IntruShield Special Topics Guide
Caution:
Warning:
Note:
for more information on these guides.
vii
Page 8
McAfee® IntruShield® IPS 4.1 Preface
IntruShield Sensor 3000 Product Guide
Contacting Technical Support
• Database Tuning
• Best Practices
• Denial-of-Service
• Sensor High Availability
• Custom Roles Creation
• In-line Sensor Deployment
• Virtualization
• IntruShield Gigabit Optical Fail-Open Bypass Kit Guide
• IntruShield Gigabit Copper Fail-Open Bypass Kit Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
Registered customers can obtain up-to-date documentation, technical bulletins, and
quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers
can also resolve technical issues with the online case submit, software downloads,
and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended
24x7 Technical Support is available for customers with Gold or Platinum service
contracts. Global phone contact numbers can be found at McAfee Contact
Information
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided
with a user name and password for the online case submission.
http://www.mcafee.com/us/about/contact/index.html page.
viii
Page 9
C HAPTER 1
An introduction to IntruShield sensors
This section describes IntruShield sensors at a high-level and also describes the I-
What is an IntruShield sensor?
3000 in detail.
IntruShield sensors are high-performance, scalable, and flexible content processing
appliances built for the accurate detection and prevention of intrusions, misuse, and
distributed denial of service (DDoS) attacks.
IntruShield sensors are specifically designed to handle traffic at wire speed,
efficiently inspect and detect intrusions with a high degree of accuracy, and flexible
enough to adapt to the security needs of any enterprise environment. When
deployed at key Network Access Points, an IntruShield sensor provides real-time
traffic monitoring to detect malicious activity, and respond to the malicious activity as
configured by the administrator.
Once deployed and once communication is established, sensors are configured and
managed via the central IntruShield Security Manager (ISM) server.
The process of configuring a sensor and establishing communication with the ISM is
described in later chapters of this guide. The ISM server is described in detail in
IntruShield Security Manager, Getting Started Guide.
Sensor functionality
The primary function of an IntruShield sensor is to analyze traffic on selected network
segments and to respond when an attack is detected. The sensor examines the
header and data portion of every network packet, looking for patterns and behavior in
the network traffic that indicate malicious activity. The sensor examines packets
according to user-configured policies, or rule sets, which determine what attacks to
watch for, and how to respond with countermeasures if an attack is detected.
If an attack is detected, a sensor responds according to its configured policy. Sensors
can perform many types of attack responses, including generating alerts and packet
logs, resetting TCP connections, “scrubbing” malicious packets, and even blocking
attack packets entirely before they reach the intended target.
Sensor platforms
McAfee offers multiple sensor platforms providing different bandwidth and
deployment strategies.
1
Page 10
McAfee® IntruShield® IPS 4.1 An introduction to IntruShield sensors
IntruShield Sensor 3000 Product Guide What is an IntruShield sensor?
This document describes the I-3000 sensor.
The IntruShield 3000 sensor
The high-port-density IntruShield 3000 (the I-3000), designed for high-bandwidth
links, is equipped to support six full-duplex Ethernet segments, or twelve SPAN ports
transmitting no more than 1 Gbps for up to 1 Gbps of aggregated traffic.
Ports on the I-3000
The I-3000 is a 2RU unit, and is equipped with the following ports:
Figure 1: The I-3000 sensor
Name Description
1 Management port
2 Console port
3 Auxiliary port
4 SFP Gigabit Ethernet Monitoring ports or
Failover interconnection ports (6A and 6B only).
5 Response ports
6 Fail-Open Control ports
7 External Compact Flash port
8 Power Supply A
9 Power Supply B
2
Page 11
McAfee® IntruShield® IPS 4.1 An introduction to IntruShield sensors
IntruShield Sensor 3000 Product Guide What is an IntruShield sensor?
1 One 10/100 Management port, which is used for communication with ISM server. This
port has an assigned IP address.
One RS-232C Console port, which is used to set up and configure the sensor.
2
3
One RS-232C Auxiliary port, which may be used to dial in remotely to set up and
configure the sensor.
4
Twelve small form-factor pluggable (SFP) Gigabit Monitoring ports, which enable you to
monitor twelve SPAN ports, six full-duplex tapped segments, six segments inline, or a combination (that is, three full-duplex segment, six SPAN ports).
The Monitoring interfaces of the I-3000 work in stealth mode, meaning they
have no IP address and are not visible on the monitored segment.
If you choose to run in failover mode, ports 6A and 6B are used to interconnect
with a standby sensor.
Note: The gigabit ports of the I-3000 running in In-line Mode fail closed,
meaning that if the sensor fails, it will interrupt/block data flow. Fail-open
functionality requires either the Layer 2 Passthru feature, described in detail in
Enabling Layer 2 settings for sensor failure, Sensor Configuration Guide-using ISM,
or the hardware Fail-Open Bypass kit for Gigabit ports, described in
failover interconnection ports
section.
Cabling the
5 Four RJ45 Response ports, which, when you are operating in SPAN mode, enable
you to inject response packets back through a switch or router.
6 Four RJ-11 Fail-Open Control ports, designed for use the Optical Fail-Open Bypass kit.
The ports are marked X1, X2, X3, and X4 and are used in conjunction with ports
1A/1B, 2A/2B, 3A/3B, and 4A/4B, respectively. (Fail-open control for ports 5A/5B
and 6A/6B is managed via the Compact Flash port).
One External Compact Flash port. This port is used for two purposes. It is used to
7
control optional fail-open hardware as described in the
Bypass Kit Guide
. It is also used in troubleshooting situations where the sensor’s
Gigabit Optical Fail-Open
internal flash is corrupted and you must reboot the sensor via the external
compact flash. For more information, see the on-line KnowledgeBase at
Support Site.
https://mysupport.mcafee.com
Mcafee
8 Power Supply A (included). Power supply A is included with each sensor. The
supply uses a standard IEC port (IEC320-C13). The supply uses a standard IEC
port (IEC320-C13). McAfee provides a standard, 2m NEMA 5-15P (US) power
cable (3 wire). International customers must procure a country-appropriate
power cable.
Power Supply B (optional, purchased separately). Power supply B is a hot-
9
swappable, redundant power supply. This power supply also uses a standard
IEC320-C13 port, and you can use the McAfee-provided cable or acquire one
that meets your specific needs.
The I-3000 does not have internal taps; it must be used with a 3rd party external tap
to run in tapped mode.
Front panel LEDs on the I-3000
The front panel LEDs provide status information for the health of the sensor and the
activity on its ports. The following table describes the I-3000 front panel LEDs.
3
Page 12
McAfee® IntruShield® IPS 4.1 An introduction to IntruShield sensors
IntruShield Sensor 3000 Product Guide What is an IntruShield sensor?
LED Status Description
Power A Green
Amber
Power B Green
Amber
Power Supply A is functioning.
Power Supply A is not functioning.
Power Supply B is functioning.
Power Supply B is not functioning.
Note: If a power supply is not present, both green and amber LEDs are off.
Management Port
Speed
Management Port
Link
Sys Green
Fan OK Green
Fan 1 Green
Fan 2 Green
Amber
Off
Green
Off
Amber/blinking
Amber
Amber
Amber
The port speed is 100 Mbps
The port speed is 10 Mbps
The link is connected.
The link is disconnected.
Sensor is operating.
Sensor is booting.
All three fans are operating.
Indicates one or more fans have failed.
Fan 1 is not operating.
Fan 1 is operating.
Fan 2 is not operating.
Fan 2 is operating.
Fan 3 Green
Amber
Temp Green
Amber
Flash Green
Off
Gigabit Ports Act Amber
Off
Gigabit Ports Link Green
Off
Response Port
Speed
Amber
Off
Fan 3 is not operating.
Fan 3 is operating.
Inlet air temperature measured inside chassis is
normal. (Chassis temperature OK.)
Inlet air temperature measured inside chassis is
too hot. (Chassis temperature too hot.)
Activity on external compact flash. (For
example, the Fail-Open Controller has been
inserted)
No activity on external compact flash.
Data transferring.
No data transferring.
The link is connected.
The link is disconnected.
The port speed is 100 Mbps.
The port speed is 10 Mbps.
4
Page 13
McAfee® IntruShield® IPS 4.1 An introduction to IntruShield sensors
IntruShield Sensor 3000 Product Guide What is an IntruShield sensor?
LED Status Description
Response Port
Link
Green
Off
The link is connected.
The link is disconnected.
5
Page 14
C HAPTER 2
Before you install
Sensor specifications, safety measures, unpacking a sensor
This chapter describes best practices for deployment of IntruShield sensors on your
network. Topics include system requirements, site planning, safety considerations
for handling the sensor, and usage restrictions that apply to the sensor.
I-3000 sensor specifications
The following table lists the specifications of the I-3000 sensor.
Sensor Specifications Description
Dimensions
Weight
Without mounting ears/cable management:
• width: 17.44 in. (43.30 cm.)
• height: 3.44 in. (8.74 cm.)
• depth: 23.00 in. (58.42 cm.)
With mounting ears/cable management:
• width: 18.94 in. (48.11 cm.)
• height: 3.44 in. (8.74 cm.)
• depth: 24.00 in. (60.96 cm.)
Dimensions do not include cables or power
cords.
38 lb. (17.25 kg.)
Voltage Range
Frequency
Vibration, operating
Vibration, nonoperating
Power requirements
Ambient Temperature
Range (Noncondensing)
100-240 VAC
50/60 Hz
5 to 200 Hz, 0.5 g (1 oct/min)
5 to 200 Hz, 1g (1 oct/min)
200 to 500 Hz, 2g (1 oct/min)
350 W
Operating
0C(32F) to 40C(104F)
Non-operating
-40C(-40F) to 70C(158F)
6
Page 15
McAfee® IntruShield® IPS 4.1 Before you install
IntruShield Sensor 3000 Product Guide Sensor capacity for I-3000 sensor
Sensor Specifications Description
Relative Humidity
(Non-condensing)
Operating
10%-90% non-condensing
Non-operating
5% to 95% non-condensing
System Heat
1194.3 BTU/hr
Dissipation
Airflow
Altitude
Throughput
200 lfm (1 m/s)
Sea level to 10,000 ft (3050 m)
1 Gbps
Cabling Specifications:
Note the following cabling specifications for the sensor:
• Category 5 Enhanced (Cat 5e) cable is required for transmission speeds up
to 1 Gigabit per second (Gigabit Ethernet).
• For Ethernet networks running at 10 or 100 Mbps, Category 5 (Cat 5) OR
Cat 5e cable can be used.
Note: Throughout this guide, cabling specifications will be mentioned as Cat 5/Cat
5e.
Sensor capacity for I-3000 sensor
The following table lists the sensor limitations by category:
Maximum Type I-3000
Concurrent connections 500,000
Connections established per sec. 10,000
Concurrent SSL Flows (2.1.x and later) 50,000
Number of SSL keys that can be stored on the
sensor
Virtual Interfaces (VIDS) 1000
VLANS / CIDR Blocks 3000
VLANS / CIDR Blocks per Physical Port 254
Customized attacks 100,000
Alert filters 128,000
Default number of supported UDP Flows 100,000
64
7
Page 16
McAfee® IntruShield® IPS 4.1 Before you install
IntruShield Sensor 3000 Product Guide Network topology considerations
Supported UDP Flows 750,000
DoS Profiles 5000
SYN rate (64-byte packets per second) 500,000
ACL Rules (refer to note below) 1000
Computing Number of ACL rules utilized per sensor
You can calculate the number of ACL rules being utilized per sensor by adding all the
rules configured at the sensor-level, port-level, and sub-interface level.
Example: Computing ACL rules utilized per sensor
On a I-4010 sensor, if you configure 8 rules at the sensor level, 20 rules on port pair
2A-2B, and 10 rules on the sub-interface of 4A-4B, you would have utilized 38 out of
the 1000 limit.
You can also calculate the number of ACL rules utilized by adding the number of
rules displayed under
each sub-interface level.
Effective ACL Rules tab at the sensor level, each port level, and
Computing Number of ACL rules utilized during port clustering
When port clustering (interface grouping) is used, and port-level ACL rules are
configured, the number of ACL rules utilized (for each port-cluster-level ACL) will be
different based on the participant port-types of the cluster. One ACL rule will be
consumed per each inline port-pair member, and one ACL rule will be consumed per
each SPAN port member of the port cluster.
Examples: Computing the effective ACL rule utilization for each port-level ACL rule defined for a portcluster
Port cluster 1: If your port cluster consists of 1A-1B (inline, fail-open), 2B (SPAN), and
4A-4B (inline, fail-close), 3 ACL rules will be consumed for each ACL rule configured
at the port level.
Port cluster 2: If your port cluster consists of 1A (SPAN), 4A (SPAN), 5A (SPAN), 6A6B (inline, fail-close), 4 ACL rules will be consumed for each ACL rule configured at
the port level.
Network topology considerations
Deployment of an IntruShield IPS requires basic knowledge of your network to help
determine the level of configuration and amount of installed sensors and ISMs
required to protect your network.
The IntruShield sensor is purpose-built for the monitoring of traffic across one or
more network segments. For more information on the network topology
considerations for IntruShield deployment, see
Planning and Deployment Guide.
Pre-deployment considerations,
8
Page 17
McAfee® IntruShield® IPS 4.1 Before you install
IntruShield Sensor 3000 Product Guide Safety measures
Safety measures
The safety measures given below apply to all sensor models unless otherwise
specified. Carefully read the following warnings before you install the product.
Failure to observe these safety warnings could result in serious physical injury.
Warnings:
• Read the installation instructions before you connect the system to its
power source.
• To remove all power from the I-3000 sensor, unplug all power cords,
including the redundant power cord.
• Only trained and qualified personnel should be allowed to install, replace, or
service this equipment.
• Before working on equipment that is connected to power lines, remove
jewelry (including rings, necklaces, and watches). Metal objects will heat up
when connected to power and ground and can cause serious burns or weld
the metal object to the terminals.
• This equipment is intended to be grounded. Ensure that the host is
connected to earth ground during normal use.
• Do not remove the outer shell of the sensor. Doing so will invalidate your
warranty.
• Do not operate the system unless all cards, faceplates, front covers, and
rear covers are in place. Blank faceplates and cover panels prevent exposure
to hazardous voltages and currents inside the chassis, contain
electromagnetic interference (EMI) that might disrupt other equipment, and
direct the flow of cooling air through the chassis.
• To avoid electric shock, do not connect safety extra-low voltage (SELV)
circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV
circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports
both use RJ45 connectors. Use caution when connecting cables.
• This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are
designed to provide reasonable protection against harmful interference
when the equipment is operated in a commercial environment. This
equipment generates, uses, and can radiate radio frequency energy and, if
not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment
in a residential area is likely to cause harmful interference in which case the
user will be required to correct the interference at his own expense.
Working with fiber-optic ports
The IntruShield I-3000 sensor uses fiber-optic connectors for its 12 Monitoring ports.
The connector type is a Small Form-Factor Pluggable (SFP) fiber optic connector that
is LC-Duplex compatible
• Fiber-optic ports (for example, FDDI, OC-3, OC-12, OC-48, ATM, GBIC, and
100BaseFX) are considered Class 1 laser or Class 1 LED ports.
9
Page 18
McAfee® IntruShield® IPS 4.1 Before you install
IntruShield Sensor 3000 Product Guide Usage restrictions
• These products have been tested and found to comply with Class 1 limits of
IEC 60825-1, IEC 60825-2, EN 60825-1, EN 60825-2, and 21CFR1040.
Warning: To avoid exposure to radiation, do not stare into the aperture of a fiber-
optic port. Invisible radiation might be emitted from the aperture of the port when
no fiber cable is connected.
• Only FDA registered, EN 60825-1 and IEC 60825-1 certified Class 1 SFP
laser transceivers are acceptable for use with the I-3000 sensor.
Usage restrictions
The following restrictions apply to the use and operation of an IntruShield sensor:
• You may not remove the outer shell of the sensor. Doing so will invalidate
your warranty.
• The sensor appliance is not a general purpose workstation.
• McAfee prohibits the use of the sensor appliance for anything other than
operating the IntruShield IPS.
• McAfee prohibits the modification or installation of any hardware or
software in the sensor appliance that is not part of the normal operation of
the IntruShield IPS.
Unpacking the sensor
To unpack the sensor:
1 Place the sensor box as close to the installation site as possible.
2 Position the box with the text upright.
3 Open the top flaps of the box.
4 Remove the accessory box.
5 Verify you have received all parts. These parts are listed on the packing list and
in Contents of the sensor box.
6 Pull out the packing material surrounding the sensor.
7 Remove the sensor from the anti-static bag.
8 Save the box and packing materials for later use in case you need to move or
ship the sensor.
Contents of sensor box
The following accessories are shipped in the sensor box:
• one sensor
• one CD-ROM containing the sensor software and on-line documentation.
10
Page 19
McAfee® IntruShield® IPS 4.1 Before you install
IntruShield Sensor 3000 Product Guide Unpacking the sensor
• one power cord. McAfee provides a standard, 2m NEMA 5-15P (US) power
cable (3 wire). International customers must procure a country-appropriate
power cable.
• one set of rack mounting ears
• one printed Quick Start Guide
• Release Notes
11
Page 20
C HAPTER 3
Setting up the I-3000 sensor prior to configuration
This chapter describes the process of setting up a sensor prior to configuring it via
Setup overview
the ISM.
Setting up a sensor involves the following steps:
1 Positioning the sensor. (See Positioning the I-3000)
2 Installing the GBICs.
3 Attaching power, network, and monitoring cables. (See
3000 Sensor
4 Powering on the sensor. (See
Once you have set up and powered on the sensor, you can proceed with
configuration.
(on page 20))
Powering on the sensor (on page 20).)
Attaching Cables to the I-
Positioning the I-3000
Place the sensor in a physically secure location, close to the switches or routers it
will be monitoring. Ideally, the sensor should be located within a standard
communications rack.
The I-3000 is a 2RU (2 rack unit).
To mount the sensor in a rack, you will attach two mounting ears to the sensor, then
mount the ears to the rack. The sensor ears attach to either the front or the middle of
the chassis.
Installing the ears on the chassis
Caution: Before you install the ears on the chassis, make sure that power is OFF.
Remove the power cable and all network interface cables from the sensor.
Each rack-mounting ear has holes that match up with holes in the chassis.
12
Page 21
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Positioning the I-3000
► To install the ears on the chassis, follow these steps:
1 Verify that you have all the parts you will need: two chassis ears and twelve
Phillips flathead screws.
2 Attach the first chassis ear to the right side of the chassis. Use a Phillips
screwdriver to secure the Phillips flathead screws to the chassis.
3 Repeat this procedure for the other ear.
Figure 2: Attaching the mounting ears to the sensor chassis
Mounting the I-3000 sensor in a rack
McAfee recommends rack-mounting your sensors. The rack-mounting hardware
included with the sensors is suitable for most 19-inch equipment racks and telco-type
racks. For maintenance purposes, you should have access to the front and rear of the
sensor.
Caution: Before you mount the sensor in the rack, make sure that power is OFF.
Remove the power cable and all network interface cables from the sensor
Rack-mount the sensor by securing the rack mount ears to two posts or mounting
strips in the rack. The ears secure the sensor to two rack posts, and the rest of the
sensor is cantilevered off the ears.
Note: You need two people to install the sensor in the rack—one person to hold
the sensor and one person to secure it to the rack.
13
Page 22
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing the I-3000 redundant power supply
Mount the sensor by securing the ears to two posts or mounting strips in the rack.
Because the ears bear the weight of the entire sensor, be sure to fasten the ears
securely to the rack.
Figure 3: Mounting the I-3000 sensor in a rack
Installing the I-3000 redundant power supply
A basic configuration of the I-3000 includes one hot-swappable power supply. You
may install a second hot-swappable power supply (purchased separately from
McAfee) for redundancy.
Each of these modules has one handle for insertion or extraction from the unit and a
fastening screw.
Installing a power supply
► To install a power supply in the I-3000:
1 Unpack the power supply from its shipping carton.
2 Remove the faceplate panel covering the power supply slot.
Note: The faceplate panel should remain in place unless a power supply is in
the power supply slot. Do not operate the sensor without the faceplate panel
in place.
14
Page 23
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing the I-3000 redundant power supply
3 Place the power supply in the slot with the cable outlet facing front and on the
left side of the faceplate.
Figure 4: Installing a power supply
4 Slide in the power supply until it makes contact with the backplane, then push
firmly to mate the connectors solidly with the backplane.
5 Secure the power supply’s front panel to the sensor chassis using the mounting
screw on the left of the power supply’s front panel.
Note: For true redundant operation with the optional redundant power supply,
McAfee recommends that you plug each supply into a different power circuit. For
optimal protection, use uninterrupted power sources.
Removing a power supply
► To remove a power supply from the I-3000 (Optional—the power
supplies are hot-swappable):
1 Unplug the power cable from its power source and remove the power cable
from the power supply.
2 Put on an antistatic wrist or ankle strap. Attach the strap to a bare metal surface
of the chassis.
3 Unscrew the screws connecting the mounting bracket and remove the bracket
from the front the power supply.
4 Squeeze the handle of the power supply and pull it out.
5 Use faceplate panels to protect unused slots from dust and reduce
electromagnetic radiation.
6 Replace the mounting bracket.
Warning 1: To remove all power from the I-3000 sensor, unplug all power cords.
Warning 2: To avoid data interruption, do not power off both power supplies on an
in-line sensor, or the sensor shuts down and all data traffic stops. Power off only
the power supply you are replacing.
15
Page 24
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing SFP modules
Installing SFP modules
The Small Form-factor Pluggable (SFP) module is a hot-swappable input/output
device that plugs into an LC-type Gigabit Ethernet port, linking the module port with a
copper or fiber-optic network. SFP optical interfaces are less than half the size of
GBIC interfaces.
Note: To ensure compatibility, McAfee supports only those SFP modules
purchased through McAfee or from a McAfee-approved vendor. For a list of
approved vendors, see the on-line KnowledgeBase,
https://mysupport.mcafee.com
These installation instructions provide information for installing an SFP module that
uses a bail clasp for securing the module in place in the sensor. Your SFP module
may be slightly different. Check the SFP module manufacturer’s installation
instructions for more details.
For ease of installation, insert the SFP GBIC module in the sensor while it is powered
down and before placing it in a rack.
Caution: To prevent eye damage, do not stare into open laser apertures.
McAfee Support Site.
16
Page 25
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing SFP modules
Installing a SFP module
► To install a SFP module with a bail clasp, follow these steps:
1 Remove the SFP module from its protective packaging.
2 Ensure the SFP module is the correct model for your network.
3 Locate the label on the SFP module and turn the module so that its label is on
top and the alignment groove is down.
4 Grip the sides of the module with your thumb and forefinger and insert SFP
module into the module socket.
SFP modules are keyed to prevent incorrect insertion.
Figure 5: Inserting a SFP module into a Monitoring port on the I-3000 sensor
5 Insert the SFP module into sensor Monitoring ports 1A/B, 2A/2B, 3A/3B, 4A/4B,
5A/5B, or 6A/6B. Slide the module until you hear a click indicating that it is
properly inserted into the slot.
6 Lock the SFP module by pushing the bail clasp up into place.
7 SFP modules generally have a protective plug in the optical bore. When you are
ready to attach the network interface cable, remove the plug from the SFP
module optical bore and save the plug for future use.
Note: If you choose not to use the port, McAfee still recommends that you leave a
SFP module in the slot.
17
Page 26
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing SFP modules
Removing a SFP module
► If you are removing a SFP module with a bail clasp, follow these
steps:
1 Disconnect the network fiber-optic cable from the SFP module.
2 Release the module from the slot by pulling the bail clasp out of its locked
position.
3 Slide the SFP module out of the slot.
4 Insert the SFP module plug into the module optical bore for protection.
Connecting copper SFP for 10/100 Fast Ethernet ports
In addition to fiber GBICs, McAfee supports copper SFPs for I-3000 and I-4010
sensors.
I-3000 and I-4010 sensors, when packaged are set to 1 Gbps speed. When a copper
SFP is used, the port speed can be set to 10/100/1000/10-auto/100-auto/1000-auto
Mbps, whereas when a fiber SFP is used the speed can be set to 1 Gbps or 1 Gbpsauto.
Figure 6: Copper SFP
Note: McAfee recommends you to use McAfee branded SFPs with our sensors.
18
Page 27
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Installing SFP modules
To connect a copper SFP
1 Remove the SFP module from its protective packaging.
2 Ensure the SFP module is the correct model for your network.
3 Locate the label on the SFP module and turn the module so that its label is on
top and the alignment groove is down.
4 Grip the sides of the module with your thumb and fore finger and insert SFP
module into the module socket.
5 SFP modules are keyed to prevent incorrect insertion.
6 Insert the copper SFP sensor Monitoring ports 1A/B, 2A/2B, 3A/3B, 4A/4B,
5A/5B, or 6A/6B. Slide the module until you hear a click indicating that it is
properly inserted into the slot.
Physical installation of the copper SFP has to be done to use this functionality.
Once you have plugged in the copper SFP, you can change the speed and other
configurations in the IntruShield Security Manager (ISM).
Figure 7: Connecting Copper SFP
7 Lock the SFP module by pushing the bail clasp up into place.
8 Connect the network cable in the port.
9 In ISM, go to
10 Select the port where the SFP has been connected.
11 Change the speed and port settings to 10/100/10-auto/100-auto.
Check the LED turns green on the sensor.
12 Click OK.
Note: If the SFP has been pulled and put back into the ports, the port has to be
disabled and enabled to restore the restore the configuration settings.
Note 2: For more information on configuring monitoring port settings from ISM,
Senor Configuration Guide—using ISM.
see
Sensor > Sensors > Configure ports.
19
Page 28
McAfee® IntruShield® IPS 4.1 Setting up the I-3000 sensor prior to configuration
IntruShield Sensor 3000 Product Guide Cabling the sensor
To remove a copper SFP
If you are removing an SFP module with a bail clasp, follow these steps:
1 Disconnect the network straight Ethernet RJ45 cable from the SFP module.
2 Release the module from the slot by pulling the bail clasp out of its locked
position.
3 Slide the SFP module out of the slot.
Cabling the sensor
Follow the steps outlined in Attaching Cables to the I-3000 Sensor (on page 21) to
connect cables to the monitoring, response, console, and management ports on your
sensor.
Powering on the I-3000
Do not attempt to power on the sensor until you have installed the sensor in a rack,
made all necessary network connections, and connected the power cable to the
power supply.
1 Connect the power cable to the sensor power supply.
2 Connect the power cable to a power source.
Note: If you are installing a redundant power supply, you should install it as
described in Installing a power supply. For true redundant operation with the
optional redundant power supply, McAfee recommends that you plug each supply
into a different power circuit.
The I-3000 sensor has no power switch. The sensor powers on as soon as one of its
power cables is connected to a power source.
Powering off the sensor
McAfee recommends that you use the shutdown CLI command to halt the sensor
before powering it down. For more information on CLI commands, see
Configuration Guide—using CLI
.
Sensor
20
Page 29
C HAPTER 4
Attaching cables to the I-3000 Sensor
Follow the steps outlined in this chapter to connect cables to the various ports on
Cabling the Console port
your sensor.
The Console port is used for setup and configuration of the sensor.
1 For console connections, plug the DB9 Console cable supplied by McAfee into
Console port (labeled Console on the sensor front panel).
the
2 Connect the other end of the Console port cable directly to a COM port of the
PC or terminal server you will use to configure the sensor (for example, a PC
running correctly configured Windows HyperTerminal software). You must
connect directly to the console for initial configuration.
Required settings for HyperTerminal are:
Name Setting
Baud rate 9600
Number of bits 8
Parity None
Stop bits 1
Flow Control None
3 Power on the sensor.
Cabling the Auxiliary port
The Auxiliary (Aux) port is used for modem access to the sensor for setup and
configuration.
You cannot use a modem the first time you configure a sensor.
1 For modem connections, plug a straight-through modem cable into the Auxiliary
port (labeled
2 Connect a modem to the Aux port.
3 Connect a telephone line to the modem.
Required settings for the
Aux on the sensor front panel).
Aux port are:
21
Page 30
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling the Response ports
Name Setting
Baud rate 9600
Number of bits 8
Parity None
Stop bits 1
Flow Control None
Required settings for the modem are:
• 9600 bps port speed
• Answer after 1 ring
• Save the configuration to NVRAM.
Cabling the Response ports
The sensor's Response ports are used to send responses to attacks when operating
in SPAN or tap mode. You must use a Response port to inject response packets to
the switches or routers.
► To connect the Response port to a network device:
1 Plug a Cat 5/Cat 5e cable into the Response port (labeled Rx on the sensor front
panel).
2 Connect the other end of the cable to the network device (for example, hub,
switch, router) through which you want to respond to attacks.
Cabling the Fail-Open Control ports
Fail-open functionality for the GE Monitoring ports is accomplished via the Gigabit
Fail-open Bypass Kit, sold separately. (Both Copper and Optical versions are
available.)
For 10/100 Mpbs port speed setting, you are required to use the copper Bypass Kit.
For more information, see Gigabit Copper Fail Open Kit Guide.
For 1 Gbps port speed setting, you can use either the optical Bypass Kit or the
copper Bypass Kit.
Installation and troubleshooting instructions for the Kit can be found in the kit’s
documentation. More details on fail-open operation with the kit is available in
fail-open hardware
For more information, see the documentation that accompanies the Kit.
(on page 28).
Using
22
Page 31
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling the Management port
Cabling the Management port
The Management (Mgmt) port is used for communication with the ISM server.
► To connect the sensor to the ISM server:
1 Plug a Cat 5/Cat 5e cable into the Management port (labeled Mgmt on the sensor
front panel).
2 Connect the other end of the cable to the network device (for example, hub,
switch, router) that in turn connects to the ISM server.
Note: To isolate and protect your management traffic, McAfee strongly
recommends using a separate, dedicated management subnet to interconnect the
sensors and the ISM.
Cabling the I-3000 Monitoring ports
Connect to the network devices you will be monitoring via the sensor Monitoring
ports. You can deploy sensors in the operating modes shown in the following table.
Cabling instructions for the sensor Monitoring ports are shown on the pages
indicated.
To cable the I-3000 in this
mode...
See...
In-line mode (fail-closed) Cabling the I-3000 to monitor in in-inline
mode
In-line mode (fail-open) Using fail-open hardware (on page 28)
External tap mode (GBIC ports) Cabling I-3000 SFP ports in external Tap
mode (on page 26)
SPAN or Hub mode Cabling the I-3000 sensor to monitor in
SPAN or hub mode
Failover Cabling I-3000 sensors for failover
Using peer ports for I-3000
All full-duplex sensor deployment modes require the use of two peer monitoring
ports on the sensor. On the sensors, the numbered ports are wired in pairs to
accommodate the traffic.
The following SFP Gigabit Ethernet ports are coupled and must be used together:
23
Page 32
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling the Management port
Port Pairs
1A and 1B
2A and 2B
3A and 3B
4A and 4B
5A and 5B
6A and 6B
Note: You cannot configure, for example, IA and 2A to work together as a pair.
Figure 8: Peer ports on a I-3000 sensor
For all ports, polling takes place inside the sensor for the port LINK status. If the link
goes down, the peer ports will also go down. Once the link comes up, the peer ports
will also come up.
Default Monitoring port speed settings for I-3000
Make sure that the switch/router ports connected to the sensor Monitoring ports
match the sensor configuration.
Monitoring Ports Operating Mode Speed/Duplex Setting
SFP ports SPAN Auto-negotiation is ON
Tap Auto-negotiation is ON
In-line Auto-negotiation is ON
24
Page 33
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling for in-line mode
Cable types for routers, switches, hubs, and PCs
The cabling instructions in this chapter:
• Use a crossover Ethernet RJ45 cable to connect a router port to 10/100
Monitoring ports.
• Use a straight-through Ethernet RJ45 cable to connect a switch/hub port to
10/100 Monitoring ports.
• Use a crossover Ethernet RJ45 cable to connect a router port to PC to the
sensor Management port.
Note: You should also use a crossover Ethernet RJ45 cable to connect a PC to the
sensor monitoring port.
Cabling for in-line mode
Cabling the I-3000 to monitor in in-line mode
In-line mode requires that you use a pair of sensor ports as described in Using peer
ports,
IntruShield Sensor 1200 Product Guide.
Caution: Cabling sensors for in-line mode requires a brief network interruption as
you insert it in the flow of network traffic. To avoid extended network downtime,
you should cable a sensor for in-line mode
after you have completed all other
configuration tasks.
The I-3000’s GBICs ports fail open, meaning they allow traffic to continue to flow
unimpeded if the sensor fails. To interrupt traffic, you must use the special fail-closed
dongle that is supplied in the sensor box.
► To connect the I-3000's SFP GBIC ports for in-line monitoring:
Note: This procedure uses port pair 1A and 1B as the example.
1 Plug a cable appropriate for use with your SFP module into one of the
Monitoring ports labeled xA (for example, 1A).
2 Connect the other end of each cable to the network devices that you want to
monitor. (For example, if you plan to monitor traffic between a switch and a
router, connect the cable connected to 1A to the switch and the one connected
to 1B to the router.)
25
Page 34
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling for Tap mode
Cabling for Tap mode
Cabling the I-3000 SFP ports to monitor in external tap
mode
TheI-3000 sensor’s SFP ports must be used with a 3rd-party external tap.
Note: For a list of approved 3rd-party tap vendors, see the on-line KnowledgeBase,
Mcafee Support Site https://mysupport.mcafee.com.
► To connect the sensor to the devices you want to monitor in external
tap mode:
1 Plug the cable appropriate for use with your SFP module into one of the
Monitoring ports labeled xA (for example, 1A).
2 Plug another cable into the other Monitoring port labeled xB (for example, 1B).
3 Connect the other end of each cable to the tap.
4 Connect the network devices that you want to monitor to the tap.
Cabling for SPAN mode
Cabling the I-3000 sensor to monitor in SPAN or hub
mode
When you monitor in SPAN or Hub mode, you do not need to use a port pair. You
can use single ports.
► To connect an I-3000 sensor to a SPAN port or Hub:
1 Plug an LC-type fiber optic cable into one of the monitoring ports.
2 Connect the other end of the cable to the SPAN port or the hub.
Note: See Cable types for routers, switches, hubs, and PCs (on page 25) to
determine which cable type to use with which type of network device.
Cabling the failover interconnection ports
Failover requires connecting two identical I-3000 sensors (same model, same
software) via an interconnection cable or cables.
Previously, the creation of Sensor fail-over pair was allowed only if all the Primary
sensor's monitoring port pairs were in in-line mode. Now, the flexibility to create a
26
Page 35
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling for SPAN mode
fail-over pair even if the Primary sensor has some of its monitoring port pairs in nonInline (TAP/SPAN) mode is provided.
For example, in an I-3000, you may have port pairs as 1A-1B, 2A-2B, 3A-3B and 4A4B configured in in-line mode and ports 5A, 5B configured in SPAN mode.
Note: TCP reset is not supported when connected in TAP mode.
Cabling I-3000 sensors for Failover
Monitoring ports 6A-and 6B are the interconnection ports on the I-3000. A failover
cable is the only additional hardware required to support failover communication
between two I-3000 sensors.
When 6A-6B interconnection ports are connected in failover mode with 10 or 100
Mpbs speed value, during failover creation the ports will be updated to 1 Gbps speed
value.
► To connect two I-3000s for failover:
1 Plug the cable appropriate for use with your GBIC into port 6A of the active
sensor.
2 Connect the other end of the cable to port 6A of the standby sensor.
3 Plug the cable appropriate for use with your GBIC into port 6B of the active
sensor.
4 Connect the other end of the cable to port 6B of the standby sensor.
Figure 9: Cabling I-3000 sensors for Failover
27
Page 36
McAfee® IntruShield® IPS 4.1 Attaching cables to the I-3000 Sensor
IntruShield Sensor 3000 Product Guide Cabling for SPAN mode
Using fail-open hardware
The Gigabit Fail-Open kit (sold separately) minimizes the potential risks of in-line
IntruShield sensor failure on critical network links. Both Copper and Optical versions
of the Kit are available.
The Gigabit Ethernet (GE) Monitoring ports on IntruShield sensors are configured to
fail close by default; thus, if the sensor is deployed in-line, a hardware failure results
in network downtime. Fail-open operation for GE ports requires the use of the
optional external Bypass Switch provided in the Kit.
With the Bypass Switch in place, normal sensor operation supplies power to the
switch via a control cable. While the sensor is operating, the switch is “on” and
routes all traffic directly through the sensor. When the sensor fails, the switch
automatically shifts to a bypass state: in-line traffic continues to flow through the
network link, but is no longer routed through the sensor. Even after the sensor
comes back online, the ports configured as fail-open will remain in 'Bypass' mode
until the user manually puts them back to fail-open.
Caution 1: Note that sensor outage breaks the link connecting the devices on
either side of the sensor for a brief moment and requires the renegotiation of the
network link between the two peer devices connected to the sensor. Depending
on the network equipment, this disruption introduced by the renegotiation of the
link layer between the two peer devices may range from a couple of seconds to
more than a minute with certain vendors’ devices.
Caution 2: A very brief link disruption may also occur while the links between the
sensor and each of the peer devices are renegotiated to place the sensor back in
in-line mode. This outage, again, varies depending on the device, and can range
from a few seconds to more than a minute.
Installation and troubleshooting instructions for the Kit can be found in the Quick
Guide that accompanies the kit. For more information on the Optical kit, see
Optical Fail-Open Bypass Kit Guide.
Gigabit
28
Page 37
Index
1
10/100 ports
10/100 Management port ..................................23
10/100 Monitoring ports Link LED ....................... 3
10/100 Response port ....................................... 22
10/100 Response port Link LED .................... 3
10/100 Response port Speed LED ................3
10/100 speed for FE ports...................................... 18
F
fail-closed dongle ..................................................... 2
failing closed ............................................................ 2
failing open............................................................... 2
fail-open functionality ............................................. 27
failover ................................................................... 27
fan LED .................................................................... 3
fiber optics.............................................................. 10
flash LED ................................................................. 3
front panel LEDs ...................................................... 3
H
heat requirements .................................................... 6
A
accomplishing fail-closed functionality ..................... 2
auxiliary port............................................................. 2
B
boot LED ..................................................................3
C
cabling...................................... 20, 21, 22, 23, 25, 26
cabling Fail-Open control ports ..............................22
cabling for failover .................................................. 27
cabling for monitoring ports.................................... 23
cabling instructions................................................. 20
cabling SFP ports................................................... 26
cabling the auxiliary port ........................................21
cabling the console port .........................................21
cabling the sensors for failover ..............................27
chasis ..................................................................... 12
Compact Flash port.................................................. 2
connecting to sensor .............................................. 23
console port.............................................................. 2
D
describing an IntruShield sensor.............................. 1
dongles................................................................... 26
I
in-line mode
deployment........................................................ 25
installing SFPs ................................................. 16, 17
L
LED description........................................................ 3
link LED.................................................................... 3
M
mounting the sensor .............................................. 13
P
peer ports on I-3000............................................... 24
ports on the I-3000................................................... 2
power LED ............................................................... 3
powering the sensor......................................... 14, 20
S
sensor capacity ........................................................ 8
sensor responsibilities.............................................. 1
SPAN port .............................................................. 26
speed LED ............................................................... 3
Sys LED ................................................................... 3
Page 38
T
tap mode ................................................................26
Temp LED ................................................................ 3
U
using Copper SFP.................................................. 18
connecting Copper SFP ....................................19
removing Copper SFP....................................... 20
using fail-open hardware........................................ 28
Loading...