McAfee M-3050, Network Security Platform Installation Manual

Installation Guide

revision 5.0

McAfee® Network Security Platform

version 6.0

McAfee®

Network Protection

Industry-leading network security solutions

Copyright ® 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSIVELY, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at

Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,

2002. See http://www.boost.org/libs/bind/bind.html Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See

Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net

1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)

2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued NOVEMBER 2010 / Installation Guide

700-2252-00/ 5.0 - English

Contents

Preface ........................................................................................................... v

Introducing McAfee Network Security Platform............................................................................. v

Conventions used in this book ...................................................................................................... v

Related Documentation.................................................................................................................vi

Contacting Technical Support ......................................................................................................vii

Chapter 1 About Network Security Platform.............................................. 1

Network Security Platform components ........................................................................................ 1

About McAfee Network Security Sensor ................................................................................1

Manager components ............................................................................................................4

McAfee Update Server...........................................................................................................6

Chapter 2 About Network Security Central Manager ................................ 8

Chapter 3 Preparing for the Manager installation...................................... 9

Pre-requisites ................................................................................................................................ 9

General settings .....................................................................................................................9

Other third-party applications ...............................................................................................10

Browser display settings (Windows) ....................................................................................10

Server requirements.............................................................................................................10

Manager installation with Local Service account privileges .................................................12

Client requirements ..............................................................................................................12

Java runtime engine requirements.......................................................................................12

Database requirements........................................................................................................13

Pre-installation recommendations............................................................................................... 13

Planning for installation ........................................................................................................13

Functional requirements.......................................................................................................14

Using anti-virus software with the Manager .........................................................................14

User interface responsiveness.............................................................................................15

Downloading the Manager/Central Manager executable ............................................................ 16

Chapter 4 Installing the Manager/Central Manager................................. 17

Installing the Manager ................................................................................................................. 17

Installing the Central Manager .................................................................................................... 28

Chapter 5 Starting the Manager/Central Manager ................................... 30

Accessing the Manager from a client machine............................................................................ 30

Java installation for client systems.............................................................................................. 31

Logging onto the Manager .......................................................................................................... 31

Logging onto the Central Manager.............................................................................................. 32

Authenticating Access to the Manager using CAC ..................................................................... 33

Shutting down the Manager/Central Manager services .............................................................. 35

Closing all client connections ...............................................................................................36

Shutting down using the Network Security Platform system tray icon .................................36

Shutting down using the Control Panel ................................................................................37

Chapter 6 Adding a Sensor........................................................................ 39

Before You Install Sensors.......................................................................................................... 39

Network topology considerations .........................................................................................39

Safety measures ..................................................................................................................39

Usage restrictions ................................................................................................................40

iii

Unpacking the Sensor..........................................................................................................41

Cable Specifications.................................................................................................................... 41

Network Security Platform fail-closed dongle specification.................................................. 42

Console port pin-outs ...........................................................................................................42

Auxiliary port pin-outs...........................................................................................................42

Response port pin-outs ........................................................................................................43

Monitoring port pin-outs .......................................................................................................44

Configuring a Sensor................................................................................................................... 45

Configuration overview.........................................................................................................45

Establish a Sensor naming scheme.....................................................................................45

Communication between the Sensor and the Manager .......................................................46

Configuring the Sensor ........................................................................................................46

Adding a Sensor to the Manager .........................................................................................48

Verifying successful configuration........................................................................................49

Changing Sensor values ......................................................................................................50

Adding a secondary Manager IP..........................................................................................51

Removing a secondary Manager IP.....................................................................................51

Device Licenses .......................................................................................................................... 52

Importing a Device License..................................................................................................52

Manually assigning a device license ....................................................................................53

Chapter 7 Configuring the Update Server................................................ 55

Specifying the Update Server authentication .............................................................................. 55

Specifying a proxy server for Internet connectivity...................................................................... 56

Manually importing a software image or signature set................................................................ 57

Downloading software updates ................................................................................................... 57

Downloading signature set updates ............................................................................................ 60

Automating updates .................................................................................................................... 62

Automating signature set downloads from the Update Server.............................................62

Automatically deploy new signature sets to your devices....................................................63

Chapter 8 Uninstalling the Manager/Central Manager ............................ 65

Uninstalling using Add/Remove Programs.................................................................................. 65

Uninstalling via script................................................................................................................... 66

Index............................................................................................................. 68

Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as, the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® Intrushield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical enterprise, carrier and service provider networks, while providing unmatched protection against spyware; known, zero-day, and encrypted attacks.

McAfee network traffic by analyzing NetFlow information flowing through the network in real time, thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a single Manager.

Network Threat Behavior Analysis Appliance provides the capability of monitoring

Conventions used in this book

This document uses the following typographical conventions:

Convention Example

Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in font.

Menu or action group selections are indicated using a right angle bracket.

Procedures are presented as a series of numbered steps.

Names of keys on the keyboard are denoted using UPPER CASE.

Text such as syntax, key words, and values that you must type exactly are denoted using Courier New font.

Arial Narrow bold

Service field on the Properties tab specifies the

The name of the requested service.

Select My Company > Admin Domain > Summary.

1. On the Configuration tab, click Backup.

Press ENTER.

Type: setup and then press ENTER.

McAfee® Network Security Platform 6.0

Convention Example

Preface

Variable information that you must type based on your specific situation or environment is shown

in italics.

Parameters that you must supply are shown enclosed in angle brackets.

Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data is denoted using this notation.

Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.

Notes that provide related, but non-critical, information are denoted using this notation.

Related Documentation

Type: Sensor-IP-address and then press

ENTER.

set Sensor ip <A.B.C.D>

Caution:

Warning:

Note:

The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

 Quick Tour  Upgrade Guide  Getting Started Guide  IPS Deployment Guide  Manager Configuration Basics Guide  I-1200 Sensor Product Guide  I-1400 Sensor Product Guide  I-2700 Sensor Product Guide  I-3000 Sensor Product Guide  I-4000 Sensor Product Guide  I-4010 Sensor Product Guide  M-1250/M-1450 Sensor Product Guide  M-1250/M-1450 Quick Start Guide  M-2750 Sensor Product Guide  M-2750 Quick Start Guide  M-3050/M-4050 Sensor Product Guide  M-3050/M-4050 Quick Start Guide  M-6050 Sensor Product Guide  M-6050 Quick Start Guide

McAfee® Network Security Platform 6.0

 M-8000 Sensor Product Guide  M-8000 Quick Start Guide  Gigabit Optical Fail-Open Bypass Kit Guide  Gigabit Copper Fail-Open Bypass Kit Guide  10 Gigabit Fail-Open Bypass Kit Guide  M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure  M-2750 Slide Rail Assembly Procedure  M-series DC Power Supply Installation Procedure  Administrative Domain Configuration Guide  Manager Server Configuration Guide  CLI Guide  Device Configuration Guide  IPS Configuration Guide  NAC Configuration Guide  Integration Guide  System Status Monitoring Guide  Reports Guide  Custom Attack Definitions Guide  Central Manager Administrator's Guide  Best Practices Guide  Troubleshooting Guide  Special Topics Guide—In-line Sensor Deployment  Special Topics Guide—Sensor High Availability  Special Topics Guide—Virtualization  Special Topics Guide—Denial-of-Service  NTBA Appliance Administrator's Guide  NTBA Monitoring Guide  NTBA Appliance T-200 Quick Start Guide  NTBA Appliance T-500 Quick Start Guide

Preface

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support http://mysupport.mcafee.com.

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts.

vii

McAfee® Network Security Platform 6.0

Global phone contact numbers can be found at McAfee Contact Information http://www.mcafee.com/us/about/cont

Note: McAfee requires that you provide your GRANT ID and the serial number of

your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.

Preface

act/index.html page.

viii

C HAPTER 1

About Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] is a combination of network appliances and software built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse. Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS).

Network Security Platform components

Network Security Platform consists of the following major components:

 McAfee  McAfee® Network Security Manager (Manager), with its Web-based graphical user

interface

 McAfee Update Server (on page 6

About McAfee Network Security Sensor

A McAfee® Network Security Sensor is a content-processing appliance built for accurate detection and prevention of intrusions, misuse, and distributed denial of service (DDoS) attacks. McAfee Network Security Sensor (Sensor) are specifically designed to handle traffic at wire speed, inspect and detect intrusions with a high degree of accuracy, and flexible enough to adapt to the security needs of any enterprise environment.

Network Security Sensor (Sensor) (on page 1)

)

When deployed at key network access points, a Sensor provides real-time traffic monitoring to detect malicious activity and respond to the malicious activity as configured by the administrator.

Sensors are configured and managed using McAfee Network Security Manager (Manager). The process of configuring a Sensor and establishing communication with the Manager is described in later chapters of this guide. The Manager server is described in detail in the

Getting Started Guide.

Sensor functionality

The primary function of a device is to analyze traffic on selected network segments and to respond when an attack is detected. The device examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The device examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to respond with countermeasures if an attack is detected.

McAfee® Network Security Platform 6.0

If an attack is detected, a Sensor responds according to its configured policy. Sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, “scrubbing” malicious packets, and even blocking attack packets entirely before they reach the intended target.

Sensor platforms

Network Security Platform offers several types of Sensor platforms providing different bandwidth and deployment strategies.

I-series Sensors

I-4010 I-4000 I-3000 I-2700 I-1400 I-1200

About Network Security Platform

10/100 Base-T

Nil Nil Nil 6 4 2

Monitoring Port

10/100/1000 Gigabit Ethernet Monitoring Port

RJ-45 Response

10/100/100 0 only with Copper SFP

4 12

10/100/100 0 only with Copper SFP

2 2 2 3 1 1

2 Nil Nil

Port

Ports Used for Failover

6A and 6B 2A and 2B 6A and 6B 4A Response

port

Response port

Internal Taps Nil Nil Nil Yes Yes Yes

Fail-open Control

6 2 6 Nil Nil Nil

Ports

10/100

1 1 1 1 1 1

Management port

Console Port 1 1 1 1 1 1

Auxiliary Port 1 1 1 1 1 1

Redundant power

Yes Yes Yes Yes Nil Nil

supply

Fail-closed dongles Nil Nil Nil 6 4 2

McAfee® Network Security Platform 6.0

M-series and N-450 Sensors

M-8000 M-6050 M-4050 M-3050 M-2750 M-1450 M-1250 N-450

About Network Security Platform

10/100 Base-T Monitoring

Nil Nil Nil Nil Nil 8 built-in

10/100/1000 RJ-45 ports

8 built-in 10/100/1000 RJ-45 ports

Nil

Port

Interface Module

16 One Gigabit SFP ports

8 SFP ports

8 XFP ports

4 XFP ports

8 SFP ports

4 XFP ports

8 SFP ports

20 SFP ports

12 Ten Gigabit XFP ports

RJ-45

1 1 1 1 1 1 1 0 Response Port

Ports Used for failover

3A and

Note that 4B remains unused.

2A 2A 10A

Note that 10B is unused.

Note that 4B is unused.

10A and 10B

Internal Taps Nil Nil Nil Nil Nil Yes Yes Nil

Fail-open

14 8 6 6 10 Nil Nil 10 Control Ports

Interconnect ports

4 Ten

Gigabit

Nil Nil Nil Nil Nil Nil Nil

XFPs

2 RJ-45

ports

10/100/1000

1 1 1 1 1 1 1 1 Management port

Console Port 2 1 1 1 1 1 1 1

Auxiliary

2 1 1 1 1 1 1 1 Port

Redundant

Yes Yes Yes Yes Yes Nil Nil Yes power supply

Fail-closed

Nil Nil Nil Nil Nil Nil Nil Nil dongles

McAfee® Network Security Platform 6.0

Each device is described in the corresponding Sensor Product Guide.

Manager components

The Manager is a term that represents the hardware and software resources that are used to configure and manage the Network Security Platform. The Manager consists of the following components:

About Network Security Platform

 Either of the following hardware/OS server platform (on page 4

)

 Microsoft Windows Server 2003 - SP2, Standard Edition, English or Japanese

 Microsoft Windows Server 2008 - R2, Standard Edition, English or Japanese

 the Manager software (on page 4  a back end database (on page 6  a connection to McAfee Update Server (on page 6)

)

) to persist data (MySQL version 5.1.47)

Manager server platform

The Manager server is a dedicated Windows Server 2003 SP2 / Windows 2008 R2 system hosting the Manager software. You can remotely access the Network Security Platform user interface from a Windows XP or Windows 7 system using an Internet Explorer 7.0 or

8.0.

Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a Sensor Management port directly to the Manager server; however, this means you can only receive information from one Sensor (typically, your server has only one 10/100 network port). During the Sensor configuration, you will establish communication between your Sensor(s) and your Manager server.

Manager software

The Manager software has a Web-based user interface for configuring and managing the Network Security Platform. Network Security Platform users connect to the Manager server from a Windows XP system using the Internet Explorer browser program. The Network Security Platform user interface runs with Internet Explorer versions 7.0 and 8.0. The Manager functions are configured and managed through a GUI application, the Network Security Platform user interface, which includes complementary interfaces for system status, system configuration, report generation, and fault management. All interfaces are logically parts of the Manager program.

The Manager has five components:

Manager Home. The Manager Home page is the first screen displayed after the user logs



on to the system. The Manager Home page displays Operational Status-that is, whether all components of the system are functioning properly, the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s). The Manager Home page is refreshed every 5 seconds by default.

 Operational Status. The Operational Status page displays the status of Manager,

database, and any deployed Sensors; including all system faults.

McAfee® Network Security Platform 6.0

 Configure. The Configure page provides all system configuration options, and facilitates

the configuration of your devices - Sensors and NTBA Appliances, failover pairs of Sensors, administrative domains, users, roles, Network Access Control (NAC), attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management is based on the current user's role(s) and privileges.



Threat Analyzer. The Threat Analyzer page displays the hosts detected on your network

as well as the detected security events that violate your configured security policies. The Threat Analyzer provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.

 Reports. You can generate reports for the security events detected by the system and

reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or e-mailed to specific individuals.

Other key features of Manager include:

About Network Security Platform

 The

Incident Generator: The Incident Generator enables creation of attack incident

conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Threat Analyzer.

For more information on Manager components, see

Manager Server Configuration Guide.

 Integration with other McAfee products: You can integrate Network Security Platform

with other McAfee products to provide you with a comprehensive network security solution.



McAfee ePolicy Orchestrator: McAfee ePolicy Orchestrator (ePO) is a scalable

platform for centralized policy management and enforcement of your system security products such as, anti-virus, desktop firewall, and anti-spyware applications. You can integrate McAfee Network Security Platform with ePO 4.0. The integration enables you to query the ePO server from the Manager for viewing details of a network host.



McAfee Host Intrusion Prevention: McAfee Host Intrusion Prevention (HIP) is a host-

based intrusion prevention system that prevents external and internal attacks on the hosts in the network, thus protecting services and applications running on them. Network Security Platform integrates with McAfee Host Intrusion Prevention version

7.0.



McAfee Network Access Control: Using Network Security Sensors, you can enforce

network access control (NAC) based on system health, user identity, or both. For system-health-based NAC, the Sensors depend on McAfee Network Access Control (McAfee NAC) for posture assessment. You need to configure ePO configuration details at the admin domain level and then install the trust between a Sensor and the ePO Server on which McAfee NAC is installed. This enables the Sensor to communicate with McAfee NAC to get host details and also to notify McAfee NAC about hosts sending unwanted traffic on the network.



McAfee Vulnerability Manager: Vulnerability assessment is an automated process of

pro-actively identifying vulnerabilities of computing systems in a network to determine security threats in the network. Network Security Platform integrates with McAfee Vulnerability Manager to enable import of the Vulnerability Manager scan data into the Manager, to provide automated updating of IPS-event data relevancy.

You can also initiate a Vulnerability Manager on-demand scan of a single or group

of IP addresses directly from the Threat Analyzer console. This provides a simple way for security administrators to access near real-time updates of host vulnerability details, and improved focus on critical events.

McAfee® Network Security Platform 6.0

 McAfee Artemis: Network Security Platform integrates with McAfee Artemis

technology, which is an Internet-based service that provides active malware detection in an Internet cloud. Network Security Sensors use McAfee Artemis to provide real-time malware detection and protection for users during file downloads from the Internet. Network Security Platform also provides users the option to upload Custom Fingerprints that can be used for malware detection.



McAfee Global Threat Intelligence: McAfee Global Threat Intelligence (GTI) is a global

threat correlation engine and intelligence base of global messaging and communication behavior; including reputation, volume, trends, email, web traffic and malware. By having McAfee Global Threat Intelligence integration, you can report, filter, and sort hosts involved in attacks based on their network reputation and the country of the attack origin.

For more information on all the above mentioned integration options, see

Integration Guide.

 Integration with third-party products: Network Security Platform enables the use of

multiple third-party products for analyzing faults, alerts, and generated packet logs.

 Fault/Alert forwarding and viewing: You have the option to forward all fault

management events and actions, as well as IPS alerts to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Fault and/or alert forwarding can be sent to the following ways:

- Syslog Server: forward IPS alerts and system faults

- SNMP Server (NMS): forward IPS alerts and system faults

- Java API: forward IPS alerts

- Crystal Reports: view alert data from database via email, pager, or script

 Packet log viewing: view logged packets/flows using third-party software, such as

Ethereal.

About Network Security Platform

Manager database

The Manager server operates with an RDBMS (relational database management system) for storing persistent configuration information and event data. The compatible database is MySQL (current version 5.1.47).

The Manager server for Windows (only) includes a MySQL database that can be installed (embedded) on the target Windows server during Manager software installation.

Your MySQL database can be tuned on-demand or by a set schedule via Manager user interface configuration. Tuning promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer statistics, and checking and repairing tables.

To graphically administrate and view your MySQL database, you can download the MySQL administrator from the MySQL Web site http://dev.mysql.com/downloads/gui-tools.

McAfee Update Server

For your Network Security Platform to properly detect and protect against malicious activity, the Manager and Sensors must be frequently updated with the latest signatures and software patches available. Thus, the Network Security Platform team constantly researches and develops performance-enhancing software and attack-detecting

McAfee® Network Security Platform 6.0

signatures that combat the latest in hacking, misuse, and denials of service (DoS). When a severe-impact attack happens that cannot be detected with the current signatures, a new signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.

New signatures and patches are made available to customers via McAfee Security Update Server (Update Server). The Update Server is a McAfee owned and operated file server that houses updated signature and software files for Managers and Sensors in customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention.

Note: Communication between the Manager and the Update Server is SSL-

secured.

Configuring software and attack signature updates

You configure interaction with the Update Server using the Manager Configure > Update Server page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as “Available” in the Manager interface for on-demand downloaded. Once downloaded to the Manager, you can immediately download (via an encrypted connection) the update to deployed Sensors or deploy the update based on a Sensor update schedule you define. Acceptance of a download is at the discretion of the administrator.

About Network Security Platform

Network

You have a total of five update options:

Automatic update to Manager, manual update from Manager to Sensors. This option enables



Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.

 Manual update to Manager, automatic update from Manager to Sensors. This option enables the

administrator to select updates manually, but once the update is selected, it is applied to the Sensors automatically, without reboot.

 Fully manual update. This option allows the security administrator to determine which

signature update to apply per update, and when to push the update out to the Sensor(s). You may wish to manually update the system when you make some configuration change, such as updating a policy or response.

Fully automatic update. This option enables every update to pass directly from the Update



Server to the Manager, and from the Manager to the Sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.

Real-time update. This option is similar to fully automatic updating. However, rather than



wait for a scheduled interval, the update is pushed directly from Update Server to Manager to Sensor. No device needs to be rebooted; the Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.

C HAPTER 2

About Network Security Central Manager

McAfee® Network Security Platform [formerly McAfee® IntruShield®] provides a centralized, “manager of managers” capability, named McAfee

McAfee Network Security Central Manager (Central Manager) allows users to create a management hierarchy that centralizes policy creation, management, and distribution across multiple McAfee® Network Security Managers. For example, a policy can be created in the Central Manager and synchronized across all McAfee Network Security Managers (Managers) added to that Central Manager. This avoids manual customization of policy at every Manager.

The Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all Managers. McAfee® Network Security Sensor configuration and threat analysis tasks are performed at the Manager level.

Network Security Central Manager.

C HAPTER 3

Preparing for the Manager installation

software requirements and pre-installation tasks you should perform prior to installing the software.

This section describes the McAfee® Network Security Manager (Manager) hardware and

Unless explicitly stated, the information in this chapter applies to both the McAfee

Network Security Central Manager and Manager though the sections refer to Manager.

Pre-requisites

The following sections list the Manager installation and functionality requirements for your operating system, database, and browser.

Caution: We strongly recommend that you also check the corresponding Release

Notes. If you are installing the Manager as part of an upgrade to the latest version of Network Security Platform, refer to

General settings

 McAfee recommends you use a dedicated server, hardened for security, and placed

on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions.

 You must have

the Manager software, as well as the installation of an embedded MySQL database for Windows Managers during Manager installation.

 It is essential that you synchronize the time on the Manager server with the current

time. To keep time from drifting, use a timeserver. If the time is changed on the Manager server, the Manager will lose connectivity with all McAfee Sensors (Sensors) and the McAfee Update Server] because SSL is time sensitive.

 If Manager Disaster Recovery (MDR) is configured, ensure that the time difference

between the Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds more than two minutes, communication with the Sensors will be lost.

Administrator/root privileges on your Windows server to properly install

Network Security Platform 6.0 Upgrade Guide.

Network Security Update Server [formerly IPS

Network Security

Tip: For more information about setting up a time server on Windows Server 2003

SP2, see the following Microsoft KnowledgeBase article:

http://support.microsoft.com/kb/816042

Note: Once you have set your server time and installed the Manager, do not change

the time on the Manager server for any reason. Changing the time may result in errors that could lead to loss of data.

http://support.microsoft.com/kb/816042//.

McAfee® Network Security Platform 6.0

Other third-party applications

Install a packet log viewing program to be used in conjunction with the Threat Analyzer interface. Your packet log viewer, also known as a protocol analyzer, must support library packet capture (libpcap) format. This viewing program must be installed on each client you intend to use to remotely log onto the Manager to view packet logs.

Wireshark (formerly known as Ethereal) is recommended for packet log viewing. WireShark is a

network protocol analyzer for Windows servers that enables you to examine the data captured by your Sensors. For information on downloading and using Ethereal, go to

www.wireshark.com

Browser display settings (Windows)

 The Manager is viewed via a client browser. Only Windows XP SP2 and Windows 7

clients are supported using Internet Explorer 7.0 or 8.0.

 Set your display to 32-bit or higher by selecting

Setting

, and configuring the “Colors” field to True Color (32bit).

 McAfee recommends setting your monitor’s “Screen Area” to

1024 x 768 pixels. This can be done by changing the display settings at:

Start > Settings > Control Panel > Display > Settings.

 When working with the Manager using Internet Explorer, your browser should check

for newer versions of stored pages. By default, Internet Explorer is set to automatically check for newer stored page versions. To check this function, open your IE browser and go to Internet files,” and under “Check for newer versions of stored pages:” select any of the

four choices except for Never. Selecting Never will cache Manager interface pages that

require frequent updating, and not refreshing these pages may lead to system errors.

Preparing for the Manager installation

. http://www.wireshark.org

Start > Settings > Control Panel > Display >

Tools > Internet Options > General, click the Settings button under “Temporary

Server requirements

The following are the system requirements for a Manager server running with a MySQL database.

Component Minimum Recommended

Memory

Any one of the following:  Windows Server 2003 Standard Edition,

SP2 (32 or 64 bit), English OS

 Windows Server 2008 R2 Standard

Edition, (64 bit), English OS

 Windows Server 2003 R2 (Standard

Edition), Japanese OS (32 or 64 bit)

 Windows Server 2008 R2 (Standard

Edition), Japanese OS (64 bit)

Note: For 64-bit, only X64 architecture is supported.

 2GB or higher for 32-bit  4GB or higher for 64-bit

Windows Server 2008 R2 Standard Edition, English or Japanese OS, (64 bit)

4GB

McAfee® Network Security Platform 6.0

Component Minimum Recommended

CPU Disk space

Network Monitor

Hosting the Manager on a VMware platform

The following are the system requirements for hosting Manager server on a VMware platform.

Component Minimum Recommended

Preparing for the Manager installation

Server model processor such as Intel Xeon Same

40GB 80GB disk with 8MB

memory cache

100Mbps card 10/100/1000Mbps card

32-bit color, 1024 x 768 display setting 1280 x 1024

Any one of the following:  Windows Server 2003 Standard Edition,

Same as the minimum requirement

SP2 (32 or 64 bit), English OS

 Windows Server 2008 R2 Standard Edition,

(64 bit), English OS

 Windows Server 2003 R2 (Standard

Edition), Japanese OS (32 or 64 bit)

 Windows Server 2008 R2 (Standard

Edition), Japanese OS (64 bit)

Note: For 64-bit, only X64 architecture is supported.

Memory Virtual CPUs Disk Space

2GB 2GB or higher

2 2 or more

40GB 80GB

The following are the system requirements for hosting Manager server on a VMware platform such as Dell Powered Edge 1950.

Component Minimum

Virtualization software VMWare ESX Server Version 3.5.0 Update 3 Build

123630

Virtual Infrastructure Client

CPU Intel Xeon ® CPU ES 5335 @ 2.00GHz; Physical

Memory Physical Memory: 16GB

Internal Disks 364.25 GB

Version 2.5.0 Build 19826

Processors – 2; Logical Processors – 8; Processor Speed – 2.00GHz.

McAfee® Network Security Platform 6.0

Manager installation with Local Service account privileges

The Manager installs the following services as a Local Service:

 McAfee Network Security Manager  McAfee Network Security Manager Database  McAfee Network Security Manager User Interface (Apache)

Preparing for the Manager installation

Note: McAfee Network Security Manager Watchdog runs as a

Local System to

facilitate restart of the Manager in case of abrupt shutdown. The Local Service account has fewer privileges on accessing directories and resources than

the

Local System. By default, the Manager installation directory and database directory are

granted full permission to the

Local Service account during installation or upgrade of

Manager.

Set the permissions to a

Local Service as needed in the following scenarios:

 Backup directory location: If the backup directory was different from the Network

Security Manager installed directory before upgrade to the current release, full permission on these directories for a

Local Service should be granted.

 Notification script execution: If a user uses a script that accesses directories or

resources located in directories other than in Network Security Manager installed directories for notifications like alerts, faults etc.,full permission on these directories for a

Local Service should be granted.

 Database configuration: If a user has a MySQL database configured for using a

directory for temporary files other than the one provided during installation, then those directories should be given full permissions for a Local Service.

Client requirements

The following are the system requirements for client systems connecting to the Manager application.

Component Minimum

OS Any one of the following:

Memory 1GB. Recommended is 2GB.

Browser Internet Explorer (IE) 7.0 or 8.0 (only 32 bit IE is supported)

Monitor 32-bit color, 1024x768 display

Java runtime engine requirements

When you first log onto the Manager, a version of JRE is automatically installed on the client machine (if it is not already installed). This version of the JRE software is required for operation of various components within Manager including the Threat Analyzer and the Custom Attack Editor.

 Windows XP (Standard Edition) SP2  Windows 7

McAfee® Network Security Platform 6.0

Database requirements

The Manager requires communication with MySQL database for the archiving and retrieval of data.

The Manager installation set includes a MySQL database for installation (that is, embedded on the target Manager server). You must use one of the supported OS listed under Server requirements (on page 10 supplied version of MySQL (currently 5.1.47). The MySQL database Manager.

Note: If you have a MySQL database previously installed on the target server,

uninstall the previous version and install the Network Security Platform version.

Pre-installation recommendations

These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are a compilation of the information gathered from individual interviews with some of the most seasoned McAfee Network Security Platform System Engineers at McAfee.

Preparing for the Manager installation

) and must use the Network Security Platform-

must be dedicated to the

Planning for installation

Before installation, ensure that you complete the following tasks:

 The server, on which McAfee

should be configured and ready to be placed online.

 You must have administrator privileges for McAfee Network Security Manager

(Manager) server.

 This server should be dedicated, hardened for security, and placed on its own subnet.

This server should not be used for programs like instant messaging or other nonsecure Internet functions.

 Make sure your hardware requirements meet the requirements. See Server

requirements (on page 10

 Ensure the proper static IP address has been assigned to the Manager server. For the

Manager server, McAfee strongly recommends assigning a static IP against using DHCP for IP assignment.

 If applicable, configure name resolution for the Manager.  Ensure that all parties have agreed to the solution design, including the location and

mode of all McAfee

Network Security Sensor, the use of sub-interfaces or interface

groups, and if and how the Manager will be connected to the production network.

 Get the required license file and grant number. Note that you do not require a license

file for using Manager/Central Manager version 6.0.7.5 or above.

 Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs.

Ensure these are approved hardware from McAfee or a supported vendor. Ensure that the required number of Network Security Platform dongles, which ship with the McAfee Network Security Sensors (Sensors), are available.

 Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they

are directly connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports.

Network Security Manager software will be installed,

McAfee® Network Security Platform 6.0

 If applicable, identify the ports to be mirrored, and someone who has the knowledge

and rights to mirror them.

 Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot

assign IPs using DHCP.

 Identify hosts that may cause false positives, for example, HTTP cache servers, DNS

servers, mail relays, SNMP managers, and vulnerability scanners.

Functional requirements

Following are the functional requirements to be taken care of:

 Install Wireshark (formerly known as Ethereal http://www.wireshark.com

http://www.wireshark.org) on the client PCs. Ethereal is a n for Unix and Windows servers, used to analyze the packet logs created by Sensors.

 Ensure the correct version of JRE is installed on the client system, as described in the

Release Notes. This can save a lot of time during deployment.

 Determine a way in which the Manager maintains the correct time. To keep time from

drifting, for example, point the Manager server to an NTP timeserver. (If the time is changed on the Manager server, the Manager will lose connectivity with all Sensors and the McAfee

 If Manager Disaster Recovery (MDR) is configured, ensure that the time difference

between the Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds more than two minutes, communication with the Sensors will be lost.)

 If you are upgrading from a previous version, we recommend that you follow the

instructions in the respective version’s release notes or, if applicable, the

Guide

Preparing for the Manager installation

etwork protocol analyzer

Network Security Update Server because SSL is time sensitive.)

Upgrade

Using anti-virus software with the Manager

If you plan to install anti-virus software such as McAfee VirusScan on the Manager, be sure the MySQL directory and its sub-directories are excluded from the anti-virus scanning processes. For example selecting ...\Manager\MySQL and its subdirectories will exclude the entire MySQL installation directory from the anti-virus scanning processes. Otherwise, Network Security Platform packet captures may result in the deletion of essential MySQL files.

Also exclude the Network Security Platform installation directory and its sub-directories because temporary files are created there that might conflict with the anti-virus scanner.

Note: If you install McAfee VirusScan 8.5.0i on the Manager after the installation of

the Manager software, the MySQL scanning exceptions will be created automatically, but the Network Security Platform exceptions will not.

McAfee VirusScan and SMTP notification

From 8.0i, VirusScan includes an option (enabled by default) to block all outbound connections over TCP port 25. This helps reduce the risk of a compromised host propagating a worm over SMTP using a homemade mail client.

McAfee® Network Security Platform 6.0

VirusScan avoids blocking outbound SMTP connections from legitimate mail clients, such as Outlook and Eudora, by including the processes used by these products in an exclusion list. In other words, VirusScan ships with a list of processes it will allow to create outbound TCP port 25 connections; all other processes are denied that access.

The Manager takes advantage of the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run VirusScan 8.0i or above, you must therefore add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within VirusScan, you will see a Mailer Unreachable error in the Manager Operational Status to each time the Manager attempts to connect to its configured mail server.

To add the exclusion, follow these steps:

Preparing for the Manager installation

1 Launch the 2 Right-click the task called

VirusScan Console.

Access Protection and choose Properties from the right-click

menu.

3 Highlight the rule called 4 Click

Edit.

5 Append java.exe to the list of 6 Click

OK to save the changes.

Prevent mass mailing worms from sending mail.

Processes to Exclude.

User interface responsiveness

The responsiveness of the user interface, the Threat Analyzer in particular, has a lasting effect on your overall product satisfaction.

In this section we suggest some easy but essential steps, to ensure that Network Security Platform responsiveness is optimal:

 During Manager software installation, use the recommended values for memory and

connection allocation.

 You will experience better performance in your configuration and data forensic tasks

by connecting to the Manager from a browser on a client machine. Performance may be slow if you connect to the Manager using a browser on the server machine itself.

 Perform monthly or semi-monthly database purging and tuning. The greater the

quantity of alert records stored in the database, the longer it will take the user interface to parse through those records for display in the Threat Analyzer. The default Network Security Platform settings err on the side of caution and leave alerts (and their packet logs) in the database until the user explicitly decides to remove them. However, most users can safely remove alerts after 30 days.

Caution: It is imperative that you tune the MySQL database after each purge

operation. Otherwise, the purge process will fragment the database, which can lead to significant performance degradation.

 Defragment the disks on the Manager on a routine basis, with the exception of the

MySQL directory. The more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at least once a month.

Warning: Do NOT attempt to defragment the MySQL directory using an O/S

defrag utility. To defragment MySQL tables, use a MySQL-specific utility, myisamchk available in the <mysqlinstallation>\bin directory.

 Limit the quantity of alerts to view when launching the Threat Analyzer. This will

reduce the total quantity of records the user interface must parse and therefore potentially result in a faster initial response on startup.

+ 53 hidden pages

McAfee M-3050, Network Security Platform Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual