Me Ec User Group Epo Best Practices
7/28/2019 Me Ec User Group Epo Best Practices
McAfee ePolicy Orchestrator 4.5 Best Practices
McAfee User Group meeting organized by MEEC
Sumeet Gohri
Mid-Atlantic Sales Engineer
-
Agenda
9:30 am - 9:45 am: Welcome
9:45 am - 11:00 am: ePO
11:00 am - 11:15 am: Break
11:15 am - 11:45 am: Firewall
11:45 am - 12:30 pm: Lunch
12:30 pm - 1:15 pm: GTI
1:15 pm - 1:30 pm: Q&A, closing remarks
December 2, 2010
-
Unprecedented Malware Growth
[Chart: Malware Growth (Main Variations), 2008 vs 2009, by category: Virus and Bots, PUP, Trojan. Y-axis: number of samples, ticks from 200,000 to 3,200,000. Source: McAfee Labs]
-
Cost to Value Relationship
[Chart: Value and Additive Cost plotted against Organizational Maturity, with stages Secure, Compliant, Proactive, Optimized]
The relationship between cost and security diverges during progression to the Proactive and Optimized states: value keeps rising while the additional cost of each step flattens.
-
McAfee Security Leadership Across the Board
[Chart: analyst quadrant, Ability to Execute vs Completeness of Vision, Challengers and Leaders quadrants. Product areas placed in the Leaders quadrant: System Security, Network IPS, Email Security, Web Security, Network DLP, Firewall, Mobile Data Protection, Integrated]
-
McAfee Labs: 300+ dedicated threat researchers
Global Threat Intelligence
Founded in 1995
First global 24/7 emergency response team in the industry
1,400 people in R&D, with more than 300 dedicated threat researchers worldwide
McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest profile threats: MyDoom, Sasser, Blaster
-
McAfee Integrated Security Platform
[Diagram: single agent, single console. ePO in the center handles agent deployment, configuration updates, policy settings, alerts and reporting. Network tier: Network DLP, E-mail Security, Web Security, Firewall/UTM, IPS, NAC, Behavioral Analysis. Risk and Compliance tier: Vulnerability Mgmt., Remediation, Policy Auditing; sends vulnerabilities and reports to ePO. Endpoint tier, via the McAfee Agent: Data Protection (Host DLP, Endpoint Encryption, Device Control), Anti-Virus & Anti-Spyware, Email AV & Anti-Spam, Desktop Firewall, Host IPS, NAC, Policy Auditing, SiteAdvisor, Macintosh AV, Linux AV; exchanges agents and policies, events and reports with ePO. Also shown: Artemis | Software-as-a-Service (SaaS), SIA Ecosystem]
-
McAfee's Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance and Lower TCO
[Slide: partner logos grouped as SIA Associate Partner and SIA Technology Partner (McAfee Compatible)]
-
Cost to Value Relationship
[Chart, repeated from earlier: Value and Additive Cost plotted against Organizational Maturity, with stages Secure, Compliant, Proactive, Optimized]
Where is my organization?
-
Agenda
Introductions
ePO 4.5, a brief overview
How to size the ePO server infrastructure
How to upgrade/migrate to an ePO 4.5 server
How do I check for performance issues on my ePO server?
Tricks and tips on optimizing ePO performance
Enabling Global Threat Intelligence in the AV policy
Agent deployment
VSE 8.7 policy best practices
-
ePO Management Console: Intuitive Web Based Security Management
[Slide: screenshot of the ePO console]
-
McAfee ePolicy Orchestrator: Key Feature Overview
End-to-End Visibility: single point of reference across networks and systems
Personalized Command Center: tune the work environment to optimize efficiencies
Drillable Dashboards and Actionable Reports: immediate insight to action slashes response times
Role-based Access Control: distribute administration and information
Rogue System Detection: identify and manage all networked assets to lower risk
Powerful Workflows: automate common routines, streamline processes across systems
Flexible Architecture: scales from managing a handful of machines to very large enterprises
Extensible Framework: increase the value of existing security assets, optimize for future needs
-
McAfee Security Integration Architecture
[Diagram: the ePolicy Orchestrator Management Console at the center. ePO Agent on the endpoint (TOPS Endpoint): Encryption, Anti-Virus, Anti-Spyware, Desktop FW, Host IPS, NAC, Device Control/DLP. Network products: Network VM, Secure Email Gateway, Network IPS/NAC, Firewall, Secure Web Gateway. Data products (TOPS Data): Data Loss Prev., Encrypted USB, Device Control. Also attached to the console: Policy Auditor, SolidCore, and McAfee Secure Innovation Alliance (SIA) and future technologies]
-
Security that Spans the Network to the Endpoint
[Diagram: Avert Labs threat data feeds ePO, which sits between Network Security and Endpoint Security. Endpoint Security (ToPS, ToPS Advanced): VirusScan & Anti-Spyware, HIPS & Firewall, McAfee SiteAdvisor, Host Policy Auditor, Network Access Control, GroupShield for Mail, Host DLP, Host Encryption; ToPS for Data. Network Security: Network Security Platform, Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior. SolidCore: Change Control, Integrity Monitor, Application Control, Change Reconciliation. Risk Advisor]
Holistic Security, Not Disparate Solutions
Single management console to manage endpoint security and integration with network security
-
McAfee Global Threat Intelligence
[Diagram: McAfee Labs reputation technologies (TrustedSource, Artemis) supply Network Reputation, Email Reputation, Web Reputation and File Reputation to Local Protection in Network Security, Web Security, Email Security and Endpoint products]
-
Artemis (GTI) Technology
1. User receives a new file via e-mail or Web
2. No detection with existing DATs, but the file is suspicious
3. A fingerprint of the file is created and sent over the Internet using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies the threat and notifies the client
6. VirusScan processes the information and removes the threat
Artemis is enabled on the endpoint without any additional client side install
-
Enabling Artemis (GTI) Cloud Lookup
By leveraging cloud based threat intelligence, customers can protect themselves from potential zero-day attacks.
Extremely easy to enable
Level of heuristic check can be throttled
Uses the standard DNS mechanism to perform lookups, so endpoints must be able to resolve external names for the lookup to reach McAfee
Provides zero-day protection from unknown malware
Provides protection from emerging threats
Not dependent on DAT updates to be effective
No impact on performance of the endpoint
No customer data is transferred to McAfee: only the file fingerprint is sent, not the file itself
-
ePO Infrastructure Sizing
Can I install ePO and my SQL Server on the same physical hardware?
Can I use a VM environment for ePO or my SQL Server?
Can ePO use an existing SQL Server that has other databases on it?
How should I partition my drives on ePO and SQL?
-
Installing ePO on a Single Server vs Multiple Servers
ePO can be hosted on a single server, where the SQL DB is installed locally. There are certain considerations to keep in mind when sizing hardware.
Single server configurations can scale up to 5K to 10K nodes, depending on the environment and products managed.
McAfee recommends optimizing disk layout on the server to enhance performance (e.g. hosting the DB on a separate disk).
If using ePO to manage products in addition to AV, ASPY and HIPS, it is recommended that SQL Server be hosted separately.
Plan ahead by sizing the ePO server appropriately if you plan to roll out additional ePO managed modules like HDLP, Disk Encryption, Device Control, SiteAdvisor etc.
-
Installing ePO in a Virtualized Environment
McAfee supports ePO installs in virtual environments.
ePO scales up to 25K to 30K nodes in a virtual environment.
Beyond the 25K to 30K range, disk performance becomes the bottleneck.
Ensure that, when managing around 30K nodes, dedicated physical disks are used with assigned CPU priority.
McAfee recommends not hosting the ePO database on a virtualized SQL Server when the node count is around or exceeds 30K.
Many of our customers are successfully hosting their ePO environments virtually without any problems.
-
Hosting the ePO DB on a shared SQL Server
Shared SQL Servers can be used to host the ePO DB; a few considerations when doing this:
On a shared server ePO will be competing for resources with other applications, so ensure that the DB sizing is appropriate.
Sudden spikes in DB server usage by other hosted applications can impact ePO performance.
McAfee recommends a node limit of 20K, beyond which a dedicated SQL Server for ePO may be more appropriate for the environment.
Keep in mind that operationally you may have to work with the SQL DBAs when the ePO DB is hosted on a shared server, including getting them involved in potential troubleshooting.
Ensure that the DB and schema updates that ePO patches and extensions require can be applied to the ePO database on a shared server.
-
Disk configuration for ePO Deployment
Disk configuration and partitioning is rarely an issue below 5K nodes.
When using a single server configuration, separate disks are recommended for the OS, SQL and the ePO application.
Disk performance is a critical factor for ePO performance, so when using RAID, higher performance arrays like RAID 1 or RAID 10 are preferred.
-
Recommended Configuration Recap

Node Count   ePO & SQL on same server   VM Server          ePO DB on a shared SQL Server
100-5K       Yes                        Optional           Optional
5K-25K       Optional                   Optional           Optional
25K-75K      Not Recommended            Not Recommended    Not Recommended
75K+         No                         No                 No
-
Server Hardware, OS & DB Recommendations
Less is better: ePO can scale to 200K plus nodes, so maintaining multiple instances of ePO will add to the overall workload.
CPU, RAM and disk performance are critical for ePO, as for any other application.
Use 64-bit software where possible, if you have hardware that supports a 64-bit OS and applications.
Very small organizations (up to 500 nodes) can use SQL Express, which has a 4 GB DB size limit.
RAM, CPU and HDD Sizing
-
Distributed Repositories
Leverage distributed repositories to save bandwidth.
Better performance when distributing DATs and patches; lightweight hosting requirements.
FTP, UNC and HTTP are supported.
SuperAgents can be used as part of the distribution infrastructure.
Typical hosts are file & print servers, FTP servers and UNC shares.
Can be hosted in a DMZ environment.
-
In Place Upgrade to ePO 4.5
If you want to upgrade to 4.5 from 3.x, you have to upgrade to 4.0 first and then on to ePO 4.5.
Ensure that your hardware and software specs are in line with the requirements for ePO 4.5.
Decommission any unused repositories.
Clean out any unused or redundant policies.
Clean out old and unused user accounts.
Remove the client and server tasks that are not being used.
Purge events that are more than 60 days old.
Back up, re-index and defrag the database and ensure that it has enough space.
Back up your ePO system and DB; back up the system certs.
If possible, do a trial upgrade in a VM environment.
-
Moving the ePO server to a different platform
The key to moving from one physical ePO server to another is to follow the procedure in KB Article 66616.
The main steps to accomplish the migration are:
Back up the ePO database
Back up the agent keys and SSL certs
Install the ePO application and SQL Server on the new box
Ensure that the new ePO server has the same IP and DNS name as the old ePO server
Attach the backup DB to the SQL instance on the new box
Apply the SSL certs and agent keys to the new ePO server
Disconnect the old ePO server from the network
Connect the new ePO server to the network and monitor activity
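The steps above are one procedure, and the "back up" half of it (database, agent keys, SSL certificates, plus the name and address the new box must reproduce) is worth scripting so nothing is forgotten on the day of the move. The PowerShell below is an added example for this slide and for the backup items on the upgrade checklist; it is not McAfee's script and not the KB66616 procedure itself. It assumes a SQL instance reachable with Windows authentication through sqlcmd, the ePO 4.x default database name pattern ePO4_<SERVERNAME>, and that agent keys live under Server\keystore and server certificates under Server\conf\ssl.crt inside the ePO install folder; the destination folder is also an assumption. Confirm the key and certificate locations against KB66616 for your version before relying on the bundle: a database restored without its matching keys leaves every agent unable to talk to the new server.

```powershell
# Added example: collect the backup half of the server-move procedure into one folder.
# Not McAfee code. Instance, database name, key/cert paths and destination are assumptions.
param(
    [string]$SqlInstance = '.',                                  # assumed: local default instance
    [string]$Database    = "ePO4_$env:COMPUTERNAME",             # assumed ePO 4.x default naming
    [string]$EpoRoot     = 'C:\Program Files\McAfee\ePolicy Orchestrator',
    [string]$BundleRoot  = 'D:\epo-move'                         # assumed destination
)

$bundle = Join-Path $BundleRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $bundle -Force | Out-Null

# 1. Full database backup. The path is interpreted by the SQL Server service, so for a remote
#    instance it must be a path that server can write. CHECKSUM surfaces media errors now,
#    while the old server still exists, rather than during the restore on the new one.
$bak  = Join-Path $bundle "$Database.bak"
$tsql = "BACKUP DATABASE [$Database] TO DISK = N'$bak' WITH INIT, CHECKSUM, STATS = 10;"
& sqlcmd -S $SqlInstance -E -b -Q $tsql
if ($LASTEXITCODE -ne 0) { throw "Database backup failed (sqlcmd exit code $LASTEXITCODE)." }

# 2. Agent keys and SSL certificates (assumed locations; confirm against KB66616).
foreach ($rel in @('Server\keystore', 'Server\conf\ssl.crt')) {
    $src = Join-Path $EpoRoot $rel
    if (Test-Path -LiteralPath $src) {
        $dst = Join-Path $bundle ($rel -replace '\\', '_')
        Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
    } else {
        Write-Warning "Expected folder missing: $src"
    }
}

# 3. Identity the new server must reproduce: same name and IP, or agents stop checking in.
$ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
       ForEach-Object { $_.IPAddressToString }
@(
    "Hostname: $env:COMPUTERNAME"
    "FQDN: $([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)"
    "IPv4: $($ips -join ', ')"
    "Database: $Database on $SqlInstance"
    "Created: $(Get-Date -Format o)"
) | Set-Content -Path (Join-Path $bundle 'identity.txt')

# 4. Manifest of what was captured, so the restore side can check nothing is missing.
Get-ChildItem -Path $bundle -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'manifest.csv' } |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $bundle 'manifest.csv') -NoTypeInformation

Write-Output "Bundle written to $bundle"
```

Run it on the old server before it is disconnected, then copy the whole bundle folder to the new box: the .bak is what gets attached or restored, the two copied folders are what gets applied after ePO is installed, and identity.txt is the checklist for the "same IP and DNS name" step.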
-
McAfee Agent Deployment
Deploying the ePO agent to the endpoint: what are my options?
Active Directory
Login scripts
Pre-installed with the enterprise desktop/laptop image
Using 3rd party tools, e.g. Tivoli, SMS, BMC
Self serve from HTTP, FTP or UNC shares
The ePO agent is a small 5 MB package.
Additional packages are pushed from ePO once the ePO agent checks back in to the ePO server.
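The login-script and UNC-share options above come down to the same thing: a script runs on the endpoint, sees whether the agent is already there, and if not runs the FramePkg.exe installer exported from ePO. The PowerShell below is an added example, not code from the deck or from McAfee. It assumes the package lives at \\fileserver\epo\FramePkg.exe, that the agent's Windows service is named McAfeeFramework, that FramePkg.exe accepts /install=agent and /silent, and that you have pinned the package's SHA-256 in the script (the placeholder must be replaced with the hash of the package you exported). The hash check is the part not to skip: whoever can write to that share can swap the installer, and the package runs with SYSTEM rights on every machine that logs in.

```powershell
# Added example for the login-script / UNC-share deployment options. Not McAfee code.
# Assumptions: package path, service name, FramePkg switches and the pinned hash are
# placeholders to replace for your environment.
param(
    [string]$PackagePath    = '\\fileserver\epo\FramePkg.exe',  # assumed UNC path
    [string]$ExpectedSha256 = 'REPLACE-WITH-PINNED-HASH',       # hash of the FramePkg you exported
    [string]$ServiceName    = 'McAfeeFramework'                  # assumed agent service name
)

function Get-Sha256Hex {
    # .NET hashing so the script also runs on PowerShell 2.0 hosts (no Get-FileHash there).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-AgentInstalled {
    param([string]$Name)
    return ($null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue))
}

function Install-EpoAgent {
    param([string]$Package, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Package)) {
        Write-Warning "Package not reachable: $Package"
        return 2
    }
    # Copy locally first and verify the local copy: the file that is hashed is the file
    # that runs, so swapping the share copy between check and execute gains an attacker nothing.
    $local = Join-Path $env:TEMP 'FramePkg.exe'
    Copy-Item -LiteralPath $Package -Destination $local -Force
    $actual = Get-Sha256Hex -Path $local
    if ($actual -ne $Expected.ToLowerInvariant()) {
        Remove-Item -LiteralPath $local -Force -ErrorAction SilentlyContinue
        Write-Warning "Hash mismatch for $Package (got $actual); refusing to run it."
        return 3
    }
    $p = Start-Process -FilePath $local -ArgumentList '/install=agent', '/silent' -Wait -PassThru
    Remove-Item -LiteralPath $local -Force -ErrorAction SilentlyContinue
    return $p.ExitCode
}

if (Test-AgentInstalled -Name $ServiceName) {
    Write-Output "Agent service '$ServiceName' already present; nothing to do."
    exit 0
}
$rc = Install-EpoAgent -Package $PackagePath -Expected $ExpectedSha256
Write-Output "Installer exit code: $rc"
exit $rc
```

Because the service check runs first, the script is cheap on machines that already have the agent, which is what makes it tolerable as a login script rather than a one-off push. Every later package (VSE, HIPS and so on) then arrives through the agent's own channel once it checks in, exactly as the slide describes, so only this first hop needs the manual trust decision.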
-
Is my ePO server having a performance issue?
Have you looked at the performance counters for ePO under Performance Monitor?
The total number of open ePO agent connections should not exceed 200 (250 max); the typical value should be around 30.
Processed events per second is consistently high.
The number of files in the events folder C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events is consistently high and getting higher.
Lengthen the Agent to Server Communication Interval (ASCI) from its default of 60 minutes so agents check in less often.
Additionally, flag the ePO server processes as low-risk processes in the AV policy.
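The indicators on this slide are worth scripting so you can take the same reading before and after a change (lengthening the ASCI, adding a distributed repository, excluding the server processes in the AV policy). The PowerShell below is an added example, not McAfee code. It samples the Events folder twice to measure whether the backlog is growing, counts established TCP sessions on the agent-server port (assumed here to be 80, the ePO default; read the real value from your server settings), applies the 30/200/250 connection figures from the slide, and lists whatever ePO counter sets Performance Monitor exposes so you can pick the ones to trend rather than guessing names. It parses netstat instead of using newer cmdlets so it runs on the Windows Server versions ePO 4.5 was deployed on.

```powershell
# Added example: one-shot health check against the indicators on the slide. Not McAfee code.
# Assumptions: Events folder path as shown on the slide; ASCI port 80 is the default and is
# configurable, so check the server settings before trusting the connection count.
param(
    [string]$EventsDir  = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events',
    [int]$AsciPort      = 80,
    [int]$SampleSeconds = 60,
    [int]$TypicalConns  = 30,     # figures quoted on the slide
    [int]$WarnConns     = 200,
    [int]$MaxConns      = 250
)

function Get-AgentConnectionCount {
    # Established TCP sessions whose local port is the ASCI port. A netstat line looks like:
    #   TCP    10.0.0.5:80    10.0.0.77:51234    ESTABLISHED
    param([int]$Port)
    $rows = netstat -an -p TCP | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+ESTABLISHED"
    return @($rows).Count
}

function Get-EventBacklog {
    # Each file in DB\Events is an agent event the event parser has not yet written to SQL.
    param([string]$Dir)
    $files = Get-ChildItem -Path $Dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    return @($files).Count
}

function Get-EpoCounterSets {
    # Discover what ePO registered in Performance Monitor rather than hard-coding names.
    Get-Counter -ListSet * -ErrorAction SilentlyContinue |
        Where-Object { $_.CounterSetName -like '*ePolicy*' -or $_.CounterSetName -like '*ePO*' } |
        ForEach-Object { $_.CounterSetName }
}

function Get-Findings {
    param([int]$Conns, [int]$Backlog0, [int]$Backlog1, [int]$Seconds)
    $out = @()
    if ($Conns -ge $MaxConns)             { $out += "CRITICAL: $Conns open agent connections (max $MaxConns)" }
    elseif ($Conns -ge $WarnConns)        { $out += "WARNING: $Conns open agent connections (threshold $WarnConns)" }
    elseif ($Conns -gt 2 * $TypicalConns) { $out += "NOTE: $Conns open agent connections, typical is about $TypicalConns" }
    $perMin = ($Backlog1 - $Backlog0) * 60.0 / $Seconds
    if ($perMin -gt 0)          { $out += ("WARNING: event backlog growing at {0:N1} files/min ({1} -> {2})" -f $perMin, $Backlog0, $Backlog1) }
    elseif ($Backlog1 -gt 1000) { $out += "NOTE: backlog of $Backlog1 files is large but not growing over the sample" }
    if ($out.Count -eq 0)       { $out += "OK: $Conns connections, backlog $Backlog1 and not growing" }
    return $out
}

$b0 = Get-EventBacklog -Dir $EventsDir
Start-Sleep -Seconds $SampleSeconds
$b1 = Get-EventBacklog -Dir $EventsDir
$c  = Get-AgentConnectionCount -Port $AsciPort

Get-Findings -Conns $c -Backlog0 $b0 -Backlog1 $b1 -Seconds $SampleSeconds | ForEach-Object { Write-Output $_ }
Write-Output "Counter sets to trend in Performance Monitor: $((Get-EpoCounterSets) -join ', ')"
Write-Output "If the backlog keeps growing: lengthen the ASCI from its 60 minute default and mark the ePO server processes low-risk in the VirusScan policy."
```

A single sample says little; the point of the two readings is the sign of the difference. Run it at the busiest part of the hour, when the most agents are due to check in, and again after any change to the ASCI or the AV exclusions, and keep the numbers so the effect of the change is visible rather than assumed.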
-
Maintaining the ePO Database
Use Server Tasks under the Automation tab to purge old events and logs:
Purging events based on time
Purging events based on type
Purging events based on a query
Deleting inactive assets
Deleting machines with duplicate GUIDs
Back up the ePO DB and transaction log
Re-index the DB on a regular basis
Rebuild the DB on a regular basis
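The purge items belong in ePO's own server tasks, as the slide says, but the backup and re-index items run against SQL Server, and the slide does not say how to decide when an index actually needs a rebuild. The PowerShell below is an added example (not McAfee's, and it also covers the "back up, re-index and defrag" item on the upgrade checklist). It assumes the same ePO4_<SERVERNAME> database naming and Windows-authenticated sqlcmd as the migration example, and a backup folder that already exists and is writable by the SQL Server service account. It writes a T-SQL script and runs it: a fragmentation report from sys.dm_db_index_physical_stats, REORGANIZE for indexes between 10 and 30 percent fragmented and REBUILD above 30 percent (the starting thresholds Microsoft's documentation gives), a statistics refresh, then a full backup and, only when the database is in the FULL recovery model, a log backup so the transaction log cannot grow without bound.

```powershell
# Added example: index maintenance plus full/log backup for the ePO database. Not McAfee code.
# Assumptions: ePO 4.x default database name, Windows-authenticated sqlcmd, backup folder exists
# and is writable by the SQL Server service account.
param(
    [string]$SqlInstance = '.',
    [string]$Database    = "ePO4_$env:COMPUTERNAME",
    [string]$BackupDir   = 'D:\epo-backup'
)

$tsql = @'
SET NOCOUNT ON;
-- 1. Fragmentation report. LIMITED mode only walks the leaf-level page chain, so it is cheap;
--    indexes under 1000 pages are ignored because their fragmentation figure is noise.
SELECT OBJECT_NAME(ps.object_id) AS TableName, i.name AS IndexName,
       CAST(ps.avg_fragmentation_in_percent AS decimal(5,1)) AS FragPct, ps.page_count AS Pages
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE i.name IS NOT NULL AND ps.page_count >= 1000 AND ps.avg_fragmentation_in_percent >= 10
ORDER BY ps.avg_fragmentation_in_percent DESC;

-- 2. REORGANIZE between 10 and 30 percent, REBUILD above 30 percent.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql + N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON '
            + QUOTENAME(OBJECT_SCHEMA_NAME(ps.object_id)) + N'.' + QUOTENAME(OBJECT_NAME(ps.object_id))
            + CASE WHEN ps.avg_fragmentation_in_percent > 30 THEN N' REBUILD;' ELSE N' REORGANIZE;' END
            + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE i.name IS NOT NULL AND ps.page_count >= 1000 AND ps.avg_fragmentation_in_percent >= 10;
PRINT @sql;
EXEC sys.sp_executesql @sql;
EXEC sys.sp_updatestats;   -- REORGANIZE does not refresh statistics; REBUILD does

-- 3. Full backup with CHECKSUM, then a log backup only if the recovery model keeps a log chain.
DECLARE @db sysname, @rm nvarchar(60), @stamp nvarchar(20), @bak nvarchar(400), @trn nvarchar(400);
SET @db = DB_NAME();
SELECT @rm = recovery_model_desc FROM sys.databases WHERE name = @db;
SET @stamp = CONVERT(nvarchar(8), GETDATE(), 112) + N'-' + REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), N':', N'');
SET @bak = N'__BACKUPDIR__\' + @db + N'-' + @stamp + N'.bak';
BACKUP DATABASE @db TO DISK = @bak WITH INIT, CHECKSUM, STATS = 10;
IF @rm = N'FULL'
BEGIN
    SET @trn = N'__BACKUPDIR__\' + @db + N'-' + @stamp + N'.trn';
    BACKUP LOG @db TO DISK = @trn WITH INIT, CHECKSUM;
END
ELSE
    PRINT N'Recovery model is ' + @rm + N': the log truncates on checkpoint, no log backup taken.';
'@

$sqlFile = Join-Path $env:TEMP 'epo-maintenance.sql'
Set-Content -Path $sqlFile -Value $tsql.Replace('__BACKUPDIR__', $BackupDir) -Encoding UTF8
& sqlcmd -S $SqlInstance -d $Database -E -b -i $sqlFile
if ($LASTEXITCODE -ne 0) { throw "Maintenance failed (sqlcmd exit code $LASTEXITCODE); check the output above." }
Remove-Item $sqlFile -Force
```

Schedule it with the same cadence as the purge server tasks and outside the busiest ASCI window, since a REBUILD takes locks the event parser will queue behind. On a shared SQL Server this is exactly the kind of job to agree with the DBAs first, as the sizing section warns.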
-
Tuning VSE 8.7 policies
Enable Access Protection and prevent services from being stopped.
When applying policy for servers, use the Server profile.
Enable the Buffer Overflow Protection policy and enforce protection.
Use different scanning policies for high-risk, low-risk and default processes.
Enable a client task to scan memory at least once a day.
Enable GTI lookups.
ScriptScan (KB65382).
Daily scan task to check memory for rootkits and running processes.
-
McAfee's Open Platform for Security Risk Management
Industry Leadership to Drive Better Protection, Greater Compliance & Lower TCO
-
Thank You
McAfee Sales Team
Derrick [email protected]
Sumeet Gohri
Questions?