NSP IPS Deployment 6

IPS Deployment Guide, revision 2.0

McAfee® Network Protection: Industry-leading network security solutions

McAfee® Network Security Platform version 6.0


COPYRIGHT Copyright ® 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas, (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary ([email protected]), (C) 2000.
* Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

700-2366-00 / 2.0 - English

Issued NOVEMBER 2010 / IPS Deployment Guide


Contents

Preface ... iv
  Introducing McAfee Network Security Platform ... iv
  About this Guide ... iv
  Audience ... iv
  Conventions used in this guide ... iv
  Related Documentation ... v
  Contacting Technical Support ... vii

Chapter 1 Getting Started ... 1
  Deciding where to deploy Sensors and in what operating mode ... 1
  Setting up your Sensors ... 2
  Establish Sensor-to-Manager communication ... 4
  Viewing and working with data generated by Network Security Platform ... 5
  Configuring your deployment using the Manager ... 5
  Updating your signatures and software ... 6
  Tuning your deployment ... 7

Chapter 2 Planning Network Security Platform Installation ... 8
  Pre-deployment considerations ... 8
    What is the size of your network? ... 8
    How many access points are there between your network and the extranets or Internet? ... 9
    Where are the critical servers that require protection within your network? ... 9
    How complex is your network topology? ... 9
    How much traffic typically crosses your network? ... 10
    Where are your security operations located? ... 11
    Where should I deploy Sensors? ... 11

Chapter 3 Sensor Deployment Modes ... 13
  Flexible deployment options ... 13
    Multi-port Sensor deployment ... 13
    Supported deployment modes ... 13
    Full-duplex and half-duplex monitoring ... 15
  Deploying Sensors in in-line mode ... 15
    Fail-open versus fail-closed ... 17
  Deploying Sensors in tap mode ... 18
    Deploying the Sensors with FE ports in internal tap mode ... 19
    Deploying Sensors with GE ports in external tap mode ... 20
    Shifting from tap mode to in-line mode ... 21
  SPAN port and hub monitoring ... 21
    SPAN port and hub monitoring ... 22
  High-Availability ... 22
    Understanding failover in Network Security Platform ... 23
  Interface groups ... 24

Chapter 4 Deployment Scenarios ... 26
  Deployment flexibility ... 26
  Deployment scenario for beginners ... 26
  Deployment scenario for intermediate users ... 27
  Deployment scenario for advanced users ... 27

Index ... 29


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also lists the supporting documents for this guide and explains how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring network traffic by analyzing NetFlow information flowing through the network in real time, thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a single Manager.

About this Guide

This guide contains information to help you determine your network security needs and provides basic information about deployment. Included are various deployment scenarios for network technicians with different experience levels. With this information, you can determine which McAfee® Network Security Sensor model(s) will best suit your environment and which operating mode you will need to employ for each McAfee Network Security Sensor (Sensor) port.

Audience

This guide is intended for use by network technicians responsible for planning and deploying McAfee® Network Security Manager as you ensure your system architecture meets your security requirements, develop security mechanisms within the software architecture, and ensure the integrity of the architectures (such as data center, software, hardware, and network).

Conventions used in this guide

This document uses the following typographical conventions:


McAfee® Network Security Platform 6.0 Preface

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, key words, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

Related Documentation

The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

Quick Tour

Installation Guide


Upgrade Guide

Getting Started Guide

Manager Configuration Basics Guide

I-1200 Sensor Product Guide

I-1400 Sensor Product Guide

I-2700 Sensor Product Guide

I-3000 Sensor Product Guide

I-4000 Sensor Product Guide

I-4010 Sensor Product Guide

M-1250/M-1450 Sensor Product Guide

M-1250/M-1450 Quick Start Guide

M-2750 Sensor Product Guide

M-2750 Quick Start Guide

M-3050/M-4050 Sensor Product Guide

M-3050/M-4050 Quick Start Guide

M-6050 Sensor Product Guide

M-6050 Quick Start Guide

M-8000 Sensor Product Guide

M-8000 Quick Start Guide

Gigabit Optical Fail-Open Bypass Kit Guide

Gigabit Copper Fail-Open Bypass Kit Guide

10 Gigabit Fail-Open Bypass Kit Guide

M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure

M-2750 Slide Rail Assembly Procedure

M-series DC Power Supply Installation Procedure

Administrative Domain Configuration Guide

Manager Server Configuration Guide

CLI Guide

Device Configuration Guide

IPS Configuration Guide

NAC Configuration Guide

Integration Guide

System Status Monitoring Guide

Reports Guide

Custom Attack Definitions Guide

Central Manager Administrator's Guide

Best Practices Guide

Troubleshooting Guide

Special Topics Guide—In-line Sensor Deployment

Special Topics Guide—Sensor High Availability

Special Topics Guide—Virtualization

Special Topics Guide—Denial-of-Service

NTBA Appliance Administrator's Guide

NTBA Monitoring Guide

NTBA Appliance T-200 Quick Start Guide


NTBA Appliance T-500 Quick Start Guide

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online: Contact McAfee Technical Support at http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone: Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html).

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.


Chapter 1

Getting Started

This chapter provides a high-level overview of McAfee® Network Security Platform [formerly McAfee® IntruShield®].

The tasks described in this chapter provide pointers to more detailed information in the other books of the McAfee Network Security Platform documentation set.

Note: Most of your interaction with Network Security Platform is through McAfee® Network Security Manager. Some configuration can be done using the McAfee® Network Security Sensor Command Line interface.

The process of setting up and running Network Security Platform falls into these basic stages:

1 Deciding where to deploy McAfee Network Security Sensors (Sensors) and in what operating mode

2 Setting up your Sensors for the desired deployment mode(s)

3 Installing the Manager software and establishing Sensor-to-McAfee Network Security Manager (Manager) communication

4 Configuring your deployment using the Manager

5 Updating your signatures and software

6 Viewing and working with data generated by Network Security Platform

7 Tuning your deployment

Each of these stages consists of a number of tasks; some are simple, some are complex. You will generally perform steps 1 through 3 only once per Sensor.

Deciding where to deploy Sensors and in what operating mode

Where you deploy your Sensors and which Sensor model to use depends on your network topology, the amount of traffic on the network, and your security goals, which, ideally, are specified in your company’s security policy.

Determine where you will place the Sensors. This is an individual decision your company will need to make. Questions to ask yourself in making this decision are covered at a high level in Pre-Installation Considerations (on page 8). Some things to consider are what assets you want to protect, the configuration of your network, the location of your aggregation points, the type of traffic, how the traffic is routed, and so on.

Establish a naming convention for your Sensors. The Sensor name is used to identify the Sensor in the Manager interface, in certain reports, and in the alert data generated by the Sensor. McAfee recommends you establish a naming convention that is easy to interpret by anyone working with the Network Security Platform deployment. Once you name a Sensor, you cannot rename it without de-installing and reinstalling it.


McAfee® Network Security Platform 6.0 Getting Started

Setting up your Sensors

The process of setting up a Sensor is described below at a high level. You perform these tasks on the Sensor.

For more information on these tasks, see CLI Guide.

1 Position the Sensor.

Unpack the Sensor and place on a sturdy, level counter top.

Attach the provided rack mounting ears to the Sensor.

Install the Sensor in a rack.

Note: The I-1200 and I-1400 are 1-RU (rack unit) boxes; the I-2700, I-3000, I-4000, and I-4010 are 2-RU boxes.

The M-8000 includes two 2-RU boxes; the M-6050, M-4050, M-3050, and M-2750 are 2-RU boxes; and the M-1450 and M-1250 are 1-RU boxes.

2 Install any additional hardware.

3 Install GBICs, SFP GBICs, or XFP GBICs (not included) in the GBIC slots. Note that four XFP GBICs are included in the Accessory Kit of an M-8000 to use in the Interconnect ports (XC2, XC3, XC5, and XC6).

Optical slots per Sensor model

Sensor model    Number of slots
I-2700          2
I-3000          12 (SFP slots)
I-4000          4
I-4010          12 (SFP slots)
M-8000          28 (16 SFP slots and 12 XFP slots)
M-6050          16 (8 SFP slots and 8 XFP slots)
M-4050          12 (8 SFP slots and 4 XFP slots)
M-3050          12 (8 SFP slots and 4 XFP slots)
M-2750          20 (20 SFP slots)
M-1450          8 (0 SFP slots)
M-1250          8 (0 SFP slots)
N-450           20 (20 SFP slots)

Note: To ensure compatibility, McAfee supports only those GBIC or SFP and XFP GBIC modules purchased through McAfee or from a McAfee-approved vendor. For a list of approved vendors, see the on-line KnowledgeBase at http://mysupport.mcafee.com.


4 (Optional) If you have purchased a redundant power supply, install the power supply. Sensor models supporting redundant power supply are listed in the table below.

Models supporting a redundant power supply

Sensor    Power supply
I-1200    1 internal
I-1400    1 internal
I-2700    1 included; 1 redundant available separately
I-3000    1 included; 1 redundant available separately
I-4000    1 included; 1 redundant available separately
I-4010    1 included; 1 redundant available separately
M-8000    2 included; 2 redundant available separately
M-6050    1 included; 1 redundant available separately
M-4050    1 included; 1 redundant available separately
M-3050    1 included; 1 redundant available separately
M-2750    1 included; 1 redundant available separately
M-1450    1 internal
M-1250    1 internal
N-450     1 included; 1 redundant available separately

5 Cable the Sensor for configuration.

Attach network cables to the Sensor as described in each Sensor model's Sensor Product Guide. You must cable the Sensor Management and Console ports, respectively, to communicate with the Manager server and the console machine you will use to configure the Sensor. You can cable the Sensor Monitoring and Response ports at a later time.

Power on the Sensor to initialize it.


Establish Sensor-to-Manager communication

The process of establishing communication between a Sensor and the Manager is described below at a high level.

1 Set up the Manager software on the server machine.

Install the Manager software on the server machine. For more information on this process, see Installation Guide.

Start the Manager software as described in Manager Server Configuration Guide. You can establish communication with a Sensor via the Manager server or from a browser on a client machine that can connect to the Manager server.

McAfee recommends you connect to the Manager server via browser session from a separate client machine to perform your configuration tasks.

You can choose a specific policy to apply by default to the Root Admin Domain (and thus all monitoring interfaces on the Sensor). By default, the provided Default policy is applied to all of your Sensor ports upon Sensor addition.

For more information on admin domains, see Administrative Domains, Getting Started Guide. For more information on policies, see Working with Security Policies, Getting Started Guide.

Whatever policy you’ve specified will apply until you make specific changes; the Default policy gets you up and running quickly. Most users tune their policies over time, in conjunction with VIPS, to best suit their environments and reduce the number of irrelevant alerts.

Open the System Configuration tool and add the Sensor, providing the Sensor with a name and a shared secret key value. This process is described in Device Configuration Guide.

2 Configure the Sensor.

From a serial console connected physically or logically to the Sensor, configure the Sensor with network identification information (that is, IP address, IP address of the Manager server, and so on), and configure it with the same case-sensitive name and shared secret key value you provided in the Manager.

For more information on configuring the Sensor using the Sensor CLI, see CLI Guide.

3 Verify communication between the Sensor and the Manager.

Verify on the Sensor CLI that the Sensor is healthy and has established communication with the Manager. Use the status command.

Verify in the Manager interface that a node representing the Sensor appears in the Resource Tree under the Sensors node. Viewing the Resource Tree is described in The Resource Tree, Getting Started Guide.

4 Troubleshoot any problems you run into.

If you run into any problems, check your configuration settings, and ensure that they’re correct. For more troubleshooting tips, see Troubleshooting Guide.

5 Verify the operating mode of the ports on your Sensor.

Your Sensor ports are configured by default for monitoring in in-line mode; that is, connected via a port pair on the Sensor to a segment of your network. If you’ve cabled the Sensor to monitor in in-line mode, check your settings to make sure everything is correct.

For more information on verifying port configuration, see Device Configuration Guide.


Viewing and working with data generated by Network Security Platform

Once you’ve completed the steps in the previous sections, you’re up and running. While actively monitoring network traffic, your Sensor will generate alerts for traffic that is in violation of the set security policy.

Network Security Platform displays a summary view of the count of alerts in the Manager Home page, organized by severity (High, Medium, Low, and Informational). Network Security Platform provides two tools for examining and viewing the alerts:

The Threat Analyzer enables you to drill down to the details of an alert such as what triggered the alert, when, what Sensor detected it, the source IP address of the attack that triggered the alert, the destination IP address of the attack, and so on. You use the Threat Analyzer to perform forensic analysis on the alert to help you tune the Network Security Platform system, provide better responses to attacks, and otherwise shore up your defenses.

The Reports Main page provides you detailed reports based on your alerts, and reports on your Network Security Platform configuration. You can use these reports to communicate incidents to other members of your team and to your management.

Note: For more information on these tools, see Manager Server Configuration Guide and Reports Guide.

Configuring your deployment using the Manager

Once you’re up and running and reviewing the data generated by the system, you can further configure and maintain your system. For example, you can do the following:

Apply security policies to each interface of your multi-port Sensor (instead of applying one policy to all interfaces, as when you chose the default policy in Establish Sensor-to-Manager communication (on page 2)). You can ensure all of your interfaces use policies specifically for the areas of your network they are monitoring. For example, you can apply the Web Server policy to one interface, a Mail Server policy to another, the Internal Segment policy to another, and so on. For more information on the provided policies, see Network Security Platform policies, Getting Started Guide.

Configure responses to alerts. Developing a system of actions, alerts, and logs based on impact severity is recommended for effective network security. For example, you can configure Network Security Platform to send a page or an email notification, execute a script, disconnect a TCP connection, send an “ICMP Host Not Reachable” message to the attack source for ICMP transmissions, or send address-blocking for a host. For more information on response actions, see Response management, Getting Started Guide. For more information on configuring pager, email, or script notification, or configuring an IPS quarantine response, see Administrative Domain Configuration Guide and Device Configuration Guide.

Filter alerts. An attack filter limits the number of alerts generated by the system by excluding certain Source and Destination IP address parameters. If these address parameters are detected in a packet, the packet is not analyzed further (and is automatically forwarded when in In-line Mode). For more information on attack filters, see Administrative Domain Configuration Guide.


McAfee® Network Security Platform 6.0 Getting Started

View the system’s health. The Operational Status page details the functional status for all of your installed Network Security Platform system components. Messages are generated to detail system faults experienced by your Manager, Sensors, or database. For more information, see System Status Monitoring Guide.

View a port’s performance. The Performance Statistics action enables you to view performance data for a port on a Sensor. The data collected is a reflection of the traffic that has passed through the port. For more information, see Device Configuration Guide.

Back up all or part of your Manager configuration information to your server or other location. Network Security Platform provides three backup options:

All Tables: all Network Security Platform data (configuration, audit, and alert).

Config Tables: all information related to system configuration, such as port configuration, users, admin domains, policies for all Network Security Platform resources in all domains.

Audit and Alert Tables: all information related to user activity and alerts.

Note: The All Tables and Audit and Alert Tables options can be rather large in size, depending upon the amount of alert data in your database. McAfee recommends saving these types of backups to an alternate location.

For more information on how to back up your data, see Manager Server Configuration Guide.

Updating your signatures and software

An essential element to a reliable IPS is updating the system signature and software images. McAfee periodically releases new Manager software and Sensor signature and software images, and makes these updates available via the McAfee® Network Security Update Server to registered support customers.

Figure 1: Sensor software update methods

Field   Description
1       Update Server
2       Internet
3       Manager Server
4       PC/tftp server
5       Import/disk
6       Sensor

Note: Manager software installation includes a default signature set image.

There are several options for loading updates to your Manager and Sensors.

1 Download images from the McAfee Network Security Update Server (Update Server) to your Manager.

You can use the Manager interface to download Sensor software and signature updates from the Update Server to the Manager server, and then download the Sensor image to the Sensor. For more information, see Manager Server Configuration Guide.

2 Import image files from a remote workstation to your Manager.

If your Manager server is not connected to the Internet, you can download the updates from the Update Server to any host, then do one of the following:

Download the image to a remote host, then log in to the Manager via browser session on the remote host and import the image to the Manager server. You can then download the Sensor image to the Sensor. For more information, see Manager Server Configuration Guide.

Similar to above, download the image from the Update Server to any host, put it on a disk, take the disk to the Manager server, and then import the image and download it to the Sensor.

3 Download Sensor software from the Update Server to a TFTP client then to a Sensor. You can download the software image from the Update Server onto a TFTP server, and then download the image directly to the Sensor using commands on the Sensor CLI. This is useful if you prefer not to update Sensor software via the Manager, or you may encounter a situation wherein you cannot do so. For more information on this method, see CLI Guide.

Tuning your deployment

Once you become familiar with the basics of the Manager program, you can further enhance your deployment by utilizing some of the more advanced features. These features include:

Cloning and modifying the Network Security Platform-provided policy. For more information, see Working with Security Policies, Getting Started Guide.

Deploying your Sensor to monitor traffic in Tap mode or, ultimately, in In-line mode. For more information, see Sensor Deployment Modes (on page 13).

Adding users and assigning management roles. For more information, see Managing Users in Network Security Platform, Getting Started Guide.

Adding admin domains for resource management. For more information, see Administrative Domains, Getting Started Guide.

Changing your interface type to CIDR or VLAN depending on your network configuration. For more information, see Interface and Sub-Interface Node, Device Configuration Guide.

Using Access Control Lists (ACLs) to block traffic or pass traffic without sending it through the IDS engine. For more information, see Device Configuration Guide.

CHAPTER 2

Planning Network Security Platform Installation

This section discusses the considerations and pre-installation steps that require planning and completion before you deploy the McAfee® Network Security Platform.

Tip: If you are a beginner and want some strategies for deploying McAfee Network Security Platform, you should also read Deployment Scenarios (on page 26).

Pre-deployment considerations

Deployment of Network Security Platform requires specific knowledge of your network’s security needs. Answering the following questions will determine which McAfee® Network Security Sensor (Sensor) model will best suit your environment, and in what operating mode you will need to run each Sensor port.

Consider the following questions as you plan your Network Security Platform deployment:

What is the size of your network?

How many access points are there between your network and the extranets or Internet?

Where are the critical servers that require protection within your network?

How complex is your network topology?

How much traffic typically crosses your network?

Where are your security operations located?

Where should I deploy Sensors?

What is the size of your network?

The size of your network will determine the number of Sensors you will require to successfully and efficiently protect your network. A large network with many access points, file servers, and machines in use may require a larger level of IPS deployment than a small office with just a single access point and few machines.

Knowing how your business will grow can help determine the amount of equipment you will require and the proper strategy for network placement. Network Security Platform is built with growth in mind. The Network Security Platform can manage multiple Sensors, and Sensors can scale in performance from 100 Mbps to multi gigabits per second for monitoring network segments.


McAfee® Network Security Platform 6.0 Planning Network Security Platform Installation

How many access points are there between your network and the extranets or Internet?

Large corporations have several points of access that can be exploited by parties with malicious intent. Protecting the various points of access to your network is the key to any successful IDS installation. You’re only as strong as your weakest link.

Intrusions coming in from the Internet are important to combat, but misuse and intrusions attempted through the extranets or inside the corporate network are equally as critical to defend against. In fact, research statistics show that insiders are the most common source of attacks.

Where are the critical servers that require protection within your network?

File servers containing financial, personnel, and other confidential information need protection from those people wishing to exploit your critical information. These machines are extremely appealing targets. And, as discussed in the previous section, insiders pose a threat that must be addressed.

You should also consider whether you need different levels of security for different parts of the organization. Assess how much of your sensitive material is on-line, where it is located, and who has access to that material.

How complex is your network topology?

Asymmetrically routed networks are complex environments that require careful planning and execution.

The following figure shows a network protected by the Sensor in tap operating mode. Since both links are monitored by the same Sensor, the state machine remains in sync. The Sensor can support an Active-Active configuration as long as the aggregate bandwidth does not exceed the total processing capacity of the Sensor.

Furthermore, a Sensor can also monitor asymmetrically routed traffic where the traffic comes in on one link and goes out another link, because the state machine on the Sensor associates the inbound and outbound traffic efficiently. For more information on monitoring asymmetrically routed traffic, see Interface groups (on page 24).


Figure 2: Tap Monitoring of Active-Passive Links

How much traffic typically crosses your network?

Bandwidth and traffic flow are crucial to running a successful enterprise network. Bandwidth requirements will vary in an enterprise network, as different applications and business functions have different needs. Bandwidth utilization on the network segments that you need to monitor will determine what type of Sensor will work best for you. Network Security Platform offers multiple Sensors providing different bandwidths:

Sensor bandwidth

Sensor   Aggregate Performance
I-1200   100 Mbps
I-1400   200 Mbps
I-2700   600 Mbps
I-3000   1 Gbps
I-4000   2 Gbps
I-4010   2 Gbps
M-8000   10 Gbps
M-6050   5 Gbps
M-4050   3 Gbps
M-3050   1.5 Gbps
M-2750   600 Mbps
M-1450   200 Mbps
M-1250   100 Mbps
N-450    2 Gbps

Where are your security operations located?

To successfully defend against intrusions, McAfee recommends dedicated monitoring of the security system. Network intrusions can happen at any given moment, so having a dedicated 24-hour-a-day prevention system will make the security solution complete and effective.

Where are your security personnel? How many users are involved? Knowing who will be configuring your policies, monitoring events, running reports, and performing other configuration tasks will help you manage your users and determine where you locate your McAfee® Network Security Manager server. The Manager should be placed in a physically secure location, should be logically accessible to users, and must have reliable connectivity so as to be able to communicate with all deployed Sensors.

Where should I deploy Sensors?

Should you deploy Sensors at the perimeter of your network, in front of the servers you want to protect, or at a convenient nexus where all traffic passes?

Deployment at the perimeter does not protect you from internal attacks, which are among the most common sources of attacks. Perimeter monitoring is also useless if a network has multiple ISP connections at multiple locations (such as one Internet connection in New York and one in San Jose) and you expect to see asymmetric traffic routing (that is, incoming traffic comes through New York and outgoing traffic goes out through San Jose). The IPS simply will not see all the traffic it needs to maintain state and detect attacks. Deployment in front of the servers that you want to protect both detects attacks from internal users and deals effectively with the geographically diverse asymmetric routing issue.

An illustration of the advantage of Sensors’ multiple segment monitoring is to consider the question of installing Sensors with respect to firewalls. It is very common to deploy Sensors around firewalls to inspect the traffic that is permitted by the firewall. A common question when installing Sensors around the firewall is: Do you put the Sensors on the inside (Private and DMZ) or outside (Public) of the firewall? There are benefits to both scenarios, and the more complete solution includes both. For example, if you detect an attack on the outside of the firewall and you detect the same attack on the inside of the firewall, then you know your firewall has been breached. This is obviously a much higher severity event than if you were just to see the attack on the outside and not on the inside, which means that your firewall blocked the attack.

When using the existing, single monitoring port products available today, you would have to deploy multiple Sensors to get the required coverage (as shown on the left side of the following figure). Furthermore, you’d need to figure out how to connect them to the segments that you want to monitor, and only via a SPAN or hub port.

Consider the same scenario using the I-2700 Sensor (as shown on the right side of the following figure). You can simultaneously monitor all three segments with one Sensor, and, with the integrated taps, you can easily monitor the full-duplex uplinks between your routers and the firewall. You can also run the inside connections in in-line mode, which provides intrusion protection/prevention, while running the outside connection in tapped mode.

Figure 3: Comparing IDS Sensor Deployment Scenarios

Figure 4: Comparing IDS Sensor Deployment Scenarios

CHAPTER 3

Sensor Deployment Modes

This section presents suggestions for implementing McAfee® Network Security Platform in a variety of network environments.

Flexible deployment options

McAfee Network Security Platform offers unprecedented flexibility in McAfee® Network Security Sensor (Sensor) deployment. Sensors can be deployed in a variety of topologies and network security applications, providing industry-leading flexibility and scalability. Most PC-based IDS Sensors on the market today can monitor only one network segment at a time, and only via the SPAN port on a switch. Thus, to monitor a switched environment with multiple segments and multiple switches deployed in a high-availability environment, you would need multiple Sensors.

Multi-port Sensor deployment

Unlike single-port Sensors, a single multi-port Sensor can monitor many network segments (up to twelve, in the case of the I-3000 or I-4010) in any combination of operating modes—that is, the monitoring or deployment mode for the Sensor—SPAN, Tap, or In-line mode. Additionally, Network Security Platform’s Virtual IPS (VIPS) feature enables you to further segment a port on a Sensor into many “Virtual Sensors.”

This makes deployment easy; not only can you use one Sensor to monitor multiple network segments, but you also can configure the Sensor to run whatever mode best suits each network segment.

Supported deployment modes

Every port on the Sensor supports the following deployment modes:

SPAN or Hub

Tap

In-line, fail-closed

In-line, fail-open

Additionally, Network Security Platform provides features vital to today’s complex networks: interface groups (also called port clustering), and high-availability.


McAfee® Network Security Platform 6.0 Sensor Deployment Modes

In the following example, a single Network Security Platform I-2700 Sensor is deployed to monitor the several external and internal points of exposure of an enterprise network. This includes the Web Presence, Corporate Internet Access for employees, employee Remote Access, Extranet connections, and internal attacks on critical department servers such as Finance and HR.

Figure 5: Network Security Platform protecting enterprise network

In this example, the ports on this I-2700 Sensor might be configured as such:

Tap 1: Ports 1A and 1B run in Tap mode and respond to attacks via Response port R1.

Tap 2: Ports 2A and 2B run in Tap mode and respond to attacks via Response port R2.

SPAN from Switch A: Port 3B runs in SPAN mode and injects response packets back to the switch through the SPAN port.

SPAN from Switch B: Port 3A runs in SPAN mode and responds to attacks via Response port R3.


Full-duplex and half-duplex monitoring

Sensors are equipped with multiple Monitoring and Response ports. By default, the Sensor ports are internally wire matched (that is, 1A and 1B) to monitor traffic in full-duplex pairs, that is, two detection ports work together to monitor traffic flowing in both directions.

To monitor a full-duplex segment in In-line or Tap mode, you use two Sensor ports (one port for transmit, one for receive). SPAN port monitoring receives on one port and can respond via the same port (if the switch supports this feature).

Sensor Model   Supported full-duplex links   Supported half-duplex links
I-1200         1                             2
I-1400         2                             4
I-2700         4                             8
I-3000         6                             12
I-4000         2                             4
I-4010         6                             12
M-8000         28                            16
M-6050         16                            8
M-4050         12                            8
M-3050         12                            8
M-2750         20                            20
M-1450         8                             8
M-1250         8                             8
N-450          20                            20

In-line mode and tap mode can both monitor full-duplex links.

SPAN monitoring works in either half- or full-duplex mode (depending on the switch).

Hub monitoring works in half-duplex mode.
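The two tables that size a deployment (the Sensor Aggregate Performance table in the planning chapter and the full-/half-duplex link table above) are easiest to apply together. The following is an added planning check, not McAfee code: it transcribes both tables, counts how many full-duplex links (in-line and tap segments) and half-duplex links (SPAN and hub segments) a plan needs, sums the traffic, and lists the models that fit. It assumes each segment's figure is the aggregate traffic the Sensor must inspect, that the two link columns can be checked independently (port sharing between modes is not modeled), and the `headroom` factor is this example's own addition.

```python
"""Capacity check for a planned Sensor deployment (added example, not McAfee code)."""
from typing import Dict, List, Sequence, Tuple

# Aggregate performance in Mbps, transcribed from the guide's table.
AGGREGATE_MBPS: Dict[str, int] = {
    "I-1200": 100, "I-1400": 200, "I-2700": 600, "I-3000": 1000,
    "I-4000": 2000, "I-4010": 2000,
    "M-8000": 10000, "M-6050": 5000, "M-4050": 3000, "M-3050": 1500,
    "M-2750": 600, "M-1450": 200, "M-1250": 100, "N-450": 2000,
}

# (full-duplex links, half-duplex links) per model, transcribed from the table above.
LINKS: Dict[str, Tuple[int, int]] = {
    "I-1200": (1, 2), "I-1400": (2, 4), "I-2700": (4, 8), "I-3000": (6, 12),
    "I-4000": (2, 4), "I-4010": (6, 12),
    "M-8000": (28, 16), "M-6050": (16, 8), "M-4050": (12, 8), "M-3050": (12, 8),
    "M-2750": (20, 20), "M-1450": (8, 8), "M-1250": (8, 8), "N-450": (20, 20),
}

FULL_DUPLEX_MODES = {"inline", "tap"}   # two Sensor ports per segment
HALF_DUPLEX_MODES = {"span", "hub"}     # one Sensor port per segment

Segment = Tuple[str, int]   # (mode, aggregate Mbps crossing the segment)


def deployment_requirements(segments: Sequence[Segment]) -> Tuple[int, int, int]:
    """Return (full_duplex_links, half_duplex_links, aggregate_mbps) for a plan."""
    full_duplex = half_duplex = total_mbps = 0
    for mode, mbps in segments:
        key = mode.lower().replace("-", "")
        if key in FULL_DUPLEX_MODES:
            full_duplex += 1
        elif key in HALF_DUPLEX_MODES:
            half_duplex += 1
        else:
            raise ValueError(f"unknown deployment mode: {mode!r}")
        total_mbps += mbps
    return full_duplex, half_duplex, total_mbps


def suitable_models(segments: Sequence[Segment], headroom: float = 1.0) -> List[str]:
    """Models whose link counts and aggregate performance cover the plan.

    headroom > 1.0 reserves processing capacity for growth (assumption: the
    guide only says aggregate bandwidth must not exceed Sensor capacity).
    The result is sorted smallest capacity first.
    """
    full_duplex, half_duplex, total_mbps = deployment_requirements(segments)
    needed_mbps = total_mbps * headroom
    fits = [
        model for model in AGGREGATE_MBPS
        if LINKS[model][0] >= full_duplex
        and LINKS[model][1] >= half_duplex
        and AGGREGATE_MBPS[model] >= needed_mbps
    ]
    return sorted(fits, key=lambda m: (AGGREGATE_MBPS[m], m))


# Constructed plan: two full-duplex segments and one SPAN feed.
SAMPLE_PLAN: List[Segment] = [("tap", 150), ("in-line", 200), ("span", 90)]

if __name__ == "__main__":
    print(deployment_requirements(SAMPLE_PLAN))
    print(suitable_models(SAMPLE_PLAN))
    print(suitable_models(SAMPLE_PLAN, headroom=1.5))
```

Run with a real list of segments; the smallest model returned is the floor, and raising `headroom` shows which models still fit once growth is factored in.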

Deploying Sensors in in-line mode

In-line mode is achieved when the Sensor is placed directly in the path of a network segment, becoming, essentially, a “bump in the wire,” with packets flowing through the Sensor. In this mode, the Sensor can prevent network attacks by dropping malicious traffic in real time. Preventative actions can be at a highly granular level, including the automated dropping of DoS traffic intended for a specific Web server.


Note: Sensors are configured by default to run in in-line mode.

When running in in-line mode, network segments are connected to two matched ports of the Sensor (for example, ports 1A and 1B), and packets are examined in real time as they pass through the Sensor.

The benefits to using Sensors in in-line mode are:

Protection/Prevention. Prevention is a feature unique to in-line mode. Basically, if you’re running in any “sniffing” mode, there is no way for the IPS to prevent malicious packets from reaching their intended target. In a sniffing mode, the Sensor sees the attack at the same time it hits the target. You can apply some countermeasures, like TCP Resets, but these are post-detection actions. The only way to prevent the malicious packets from reaching the target is to mediate the traffic flow. When running in-line, the Sensor can drop malicious packets and not pass them through the network. This acts sort of like an “adaptive firewall,” with your detection policy dictating what is dropped. Furthermore, when dropping packets, Network Security Platform is very precise and granular. The Sensor can drop only those packets it identifies as malicious or all of the packets related to that flow (a choice that is user configurable). One of the problems with using firewall reconfiguration actions with current IDS products is that an attacker can spoof large address ranges and mislead you into blocking legitimate traffic with the firewall, creating your own denial of service condition. Network Security Platform only drops the malicious packets, so spoofed traffic doesn’t have the same effect.

Packet “scrubbing.” In addition to dropping malicious traffic, Network Security Platform can scrub—or normalize—traffic to take out any ambiguities in protocols that the attacker may be using to try to evade detection. Current IDS products are susceptible to these techniques, and an example of this attempt is IP fragment and TCP segment overlaps. The Sensor can reassemble the IP fragments and TCP segments and enforce a reassembly mode of the user’s choice to accept either the old or the new data.

Processing at wire-speed. An obvious requirement with running in-line is to avoid dropping packets and your IDS Sensor becoming a bottleneck. Sensors are able to process packets at wire rates.


High-availability. In in-line mode, the Sensor does become a single point of failure, so the Sensors support complete stateful fail-over, delivering the industry's first true high-availability IPS deployment, similar to what you’d find with firewalls. If you’re running in-line, McAfee recommends that you deploy two Sensors redundantly for failover protection.

Figure 6: In-line mode

In in-line mode (seen in the previous figure), the Sensor logically acts as a transparent repeater with minimal latency for packet processing. Unlike bridges, routers, or switches, the Sensor does not need to learn MAC addresses or keep an ARP cache or a routing table.

When deployed in-line, you must specify whether the Sensor port is monitoring inside or outside of the network it is protecting. For example, the Sensor shown in the figure in How complex is your network topology? (on page 9) is monitoring links both inside and outside the network.

Fail-open versus fail-closed

Sensor ports deployed in In-line Mode have the option of failing open or closed. Similar in terminology to firewall operation, ports failing open allow traffic to continue to flow. Thus, even if the ports fail, your Sensor does not become a bottleneck; however, monitoring ceases which may allow bad traffic to impact systems in your network. When ports are configured to fail closed, the Sensor does not allow traffic to continue to flow, thus the failed ports become a bottleneck, stopping all traffic at the Sensor.


Fail-open option for GE ports

Gigabit Ethernet ports on Sensors require the connection of an optional optical bypass switch and controller card for In-line Fail-open functionality; no extra hardware is required for In-line Fail-closed mode. This hardware is contained in the Optical Bypass Gigabit Fail-open Kit, sold separately.

For more information on hardware connection, see Gigabit Optical Fail-Open Bypass Kit Guide. And, for more information on port configuration, see Manager Server Configuration Guide.

Fail-open option for FE ports

Fast Ethernet ports require the use of fail-closed dongles for fail-closed mode; no extra hardware is required for In-line Fail-open mode for FE ports.

Layer 2 passthru mode

Fail-open operation provides a measure of network integrity when a Sensor fails. When a Sensor with ports operating in In-line Fail-Open Mode experiences a critical fault, the Sensor reboots; during the reboot, the Sensor goes into fail-open mode until it restarts. If a critical fault occurs again, another reboot cycle is initiated. This can continue until acted upon through human intervention.

You can enable a failure threshold to automatically initiate fail-open, or passthru, mode by configuring the Layer 2 Passthru (L2) feature from the Network Security Platform user interface. This feature enables you to set a threshold on the number of critical failures within a configured period of time that the Sensor can experience before being forced into passthru mode at Layer 2.

For example, you configure Layer 2 Passthru mode to enable if there are three critical faults in any 10-minute period. At minutes 1, 3, and 7, faults occur; L2 mode is enabled. Here is another scenario: at minutes 1, 4, 11, and 13, faults occur. In this case, the last three faults occurred within 10 minutes of each other, thus the Sensor enters L2 mode.

Sensor reboot may take a few minutes to complete. This downtime is not counted against the L2 duration; only Sensor uptime is counted.

The L2 feature is supported by all models of Sensor. For more information, see Enabling Layer2 Settings, Device Configuration Guide.
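The threshold rule above is easy to get wrong at the window boundary and around reboots, so here is an added model of it (example code, not McAfee's implementation). It replays a timeline of faults and reboots on the Sensor's own uptime clock, so reboot downtime never advances the window, as the guide states. Two assumptions are this example's own: the window is "fewer than W minutes apart" (chosen so that, in the guide's second scenario, it is the last three faults at minutes 4, 11 and 13 that trip the threshold), and the event format itself is constructed.

```python
"""Model of the Layer 2 Passthru (L2) failure threshold (added example, not McAfee code)."""
from typing import List, Tuple

# A timeline is a list of events on the Sensor's own clock (constructed format):
#   ("up", minutes)   the Sensor ran for that many minutes (uptime advances)
#   ("down", minutes) the Sensor was rebooting (uptime does NOT advance)
#   ("fault",)        a critical fault occurred at the current uptime
Event = Tuple[str, ...]


def l2_passthru_check(timeline: List[Event], max_faults: int = 3,
                      window_minutes: int = 10) -> Tuple[bool, List[int]]:
    """Return (triggered, fault_minutes) after replaying the timeline.

    triggered becomes True as soon as max_faults faults fall within fewer than
    window_minutes minutes of uptime of each other (boundary convention is an
    assumption); fault_minutes then lists the uptime minutes of the faults
    that filled the window, otherwise every fault seen.
    """
    uptime = 0
    fault_minutes: List[int] = []
    for event in timeline:
        kind = event[0]
        if kind == "up":
            uptime += event[1]
        elif kind == "down":
            # Reboot downtime is not counted against the L2 window, so the
            # uptime clock is deliberately left untouched here.
            continue
        elif kind == "fault":
            fault_minutes.append(uptime)
            in_window = [t for t in fault_minutes if uptime - t < window_minutes]
            if len(in_window) >= max_faults:
                return True, in_window
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return False, fault_minutes


def timeline_from_fault_minutes(minutes: List[int]) -> List[Event]:
    """Build a timeline with faults at the given uptime minutes and no downtime."""
    timeline: List[Event] = []
    clock = 0
    for minute in minutes:
        timeline.append(("up", minute - clock))
        timeline.append(("fault",))
        clock = minute
    return timeline


# Constructed scenarios; the first two are the ones the guide describes.
GUIDE_SCENARIO_1 = timeline_from_fault_minutes([1, 3, 7])
GUIDE_SCENARIO_2 = timeline_from_fault_minutes([1, 4, 11, 13])
# Faults at wall-clock minutes 1, 10 and 20, each of the first two followed by
# a 5-minute reboot: on the uptime clock they land at minutes 1, 5 and 10,
# so the threshold trips even though 19 wall-clock minutes have passed.
REBOOT_SCENARIO: List[Event] = [
    ("up", 1), ("fault",), ("down", 5),
    ("up", 4), ("fault",), ("down", 5),
    ("up", 5), ("fault",),
]

if __name__ == "__main__":
    for name, timeline in [("guide scenario 1", GUIDE_SCENARIO_1),
                           ("guide scenario 2", GUIDE_SCENARIO_2),
                           ("reboot scenario", REBOOT_SCENARIO)]:
        print(name, l2_passthru_check(timeline))
```

The reboot scenario is the practical point: because only uptime counts, a Sensor that keeps faulting shortly after each restart reaches the passthru threshold sooner than a wall-clock reading of the fault log would suggest, which is what you want when deciding whether the L2 window is tight enough for a given segment.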

Deploying Sensors in tap mode

A tap—internal or external—is a passive wiring device that copies traffic on full-duplex Ethernet segments and sends the copied traffic to the Sensor’s processors for analysis.

Full-duplex taps split a link into separate transmit and receive channels. Sensors provide multiple monitoring interfaces to monitor the two channels, and Sensor ports are wired in pairs in order to accommodate full-duplex taps. Two monitoring ports are used to monitor one full-duplex link using a tap.


Tap monitoring (Figure Tap mode) can work in one of two ways for the 10/100 Monitoring ports on the I-1200 and I-2700 Sensors: the internal tap can be enabled, or the interface can be connected to an external tap. Sensor GBIC ports must use an external tap.

The benefits to using Sensors in tap mode are:

Monitor uplinks passively. Taps cause no latency in your network traffic. You essentially sniff traffic as it passes.

No need for SPAN ports. On most switches, the SPAN port operates in half-duplex mode, so the maximum bandwidth a Fast Ethernet port can handle is 100 Mbps before it begins dropping packets. If the uplink is running at more than 100Mbps aggregate, a Fast Ethernet SPAN port can’t handle it; a full-duplex tap can. Another issue is that there are a limited number of SPAN ports supported on most switches, and there is typically a lot of competition for them (for example, for RMON probes, sniffers, etc.).

Traffic continues to flow if the tap fails. Completely passive and fault tolerant, taps provide fail-safe operation with no impact on network connectivity or performance. Taps fail open, meaning that a failed Sensor permits traffic to continue to flow unimpeded.

The downside of tapped mode is that, unlike in-line mode, you cannot prevent attacks. Tap mode is passive; the Sensor essentially sees malicious traffic as it passes, so sensing an attack in tap mode triggers a response post-attack. You also cannot inject response packets back through a tap; the Sensor provides Response ports to inject response packets.

Figure 7: Tap mode

Deploying the Sensors with FE ports in internal tap mode

The 10/100 (FE) monitoring ports can process network traffic in full-duplex stealth mode by enabling internal taps. In this mode, network segments are connected as in in-line mode, but the Sensor handles the traffic differently. The enabled internal tap receives the traffic, makes a copy of the incoming packets, and sends the copy to the Sensor’s detection processor as it forwards the packets.

By Sensor default, the ports (xA and xB, illustrated with 1A and 1B in the following illustration) are matched for full-duplex tap mode monitoring. Data is looped back within the tap and a copy is forwarded to the rest of the Sensor per port. Responses are sent through a Response port to a switch or router.


The internal taps of these three Sensors fail open; thus if the Sensor should fail, data will continue to flow unimpeded.

You can easily reconfigure the 10/100 monitoring ports of the I-1200, I-1400 and I-2700 to disable the internal tap and monitor in In-line Mode at any time via McAfee® Network Security Manager (Manager). This process is described in the section, Shifting from tap mode to in-line mode (on page 21). When in-line, the Sensor can block malicious traffic from reaching its intended target host.

Figure 8: I-2700 Sensor: Internal Tap Mode

Deploying Sensors with GE ports in external tap mode

Sensors with GE monitoring ports require external taps. The external taps are full-duplex; they connect in-line with the network segment, copy the traffic, and send the copies to the Sensor for analysis.


Figure 9: I-4000 sensor deployed in tap mode

Shifting from tap mode to in-line mode

You can easily shift from tapped to in-line mode. If you are running a Sensor with built-in taps in internal tap mode, you can toggle between tap and in-line mode with a simple software configuration command from the Manager’s System Configuration tool. Thus, you can run in tap mode until you feel comfortable with the Sensor’s reliability, and then shift into in-line mode without needing to touch the Sensor. You can also mix modes among the ports on the I-2700: you can run one pair in In-line Mode and others in Tap mode. With the GE-port Sensors, you will have to do some minimal re-cabling to convert from tap to in-line mode.

SPAN port and hub monitoring

Sensors can connect to the SPAN port of a switch or to a port on a hub. Most vendors’ IDS Sensors are deployed in this manner, and many beginning Network Security Platform users choose to deploy in this mode. The Switch Port Analyzer (SPAN) port is designed for troubleshooting and network analysis so that an attached network analyzer can receive a copy of every single packet that is sent from one host to another through the switch. The SPAN port forwards all incoming and outgoing traffic within the switch to a predetermined port where a Sensor or a sniffer is connected. This is called port forwarding or port mirroring, and it allows an attached device to monitor all traffic of that switch.

When monitoring SPAN ports and hubs, traffic is typically half-duplex. Only one monitoring port is required to monitor each SPAN or hub port. You can send a response back through a hub; if you choose to send a response back through the SPAN port, you can do so if the switch supports transmit back through the SPAN port.

Note: If the switch does not support transmit back through the SPAN, you can send a response via a Sensor response port.

When monitoring a SPAN or hub port, Sensors with internal taps run with the internal taps disabled.

Note: McAfee recommends cabling your Fast Ethernet ports with fail-closed dongles if deploying in SPAN or Hub mode.

In Figure SPAN Port Monitoring which shows an I-4000 Sensor, Port 1A receives data from the SPAN port of SwitchA. Port 1B gets data from the SPAN port of SwitchB. Two distinct network links from two separate switches are monitored by the one active I-4000 Sensor with a 1Gbps rate per link to the Sensor, allowing a total of 2Gbps traffic to the IPS engine.

Figure 10: SPAN Port Monitoring

High-Availability

Redundancy is a key element for any network requiring 24x7 uptime. Using an identical pair of Sensors (same model, software image, and signature set) deployed redundantly in In-line Mode, Network Security Platform can provide high availability with no administrator intervention.


Understanding failover in Network Security Platform

In typical failover configurations, one device is the “Active” device while the other is the “Standby.” As its name implies, the active device performs normal network functions while the standby monitors, ready to take control should the active device fail.

In Network Security Platform, because both failover Sensors must be ready to process packets on their monitoring ports at all times, both Sensors are actually active at all times; neither Sensor is inoperative, or ‘standing by’ unless the unit has failed. Instead, both Sensors operate normally.

In Figure 11, Two I-4000s in a High-Availability configuration, for example, two Sensors are placed in-line, connected to each other via cables, and configured to act as a Failover Pair. All traffic is copied and shared between them in order to maintain state: Sensor A copies the packets received on its monitoring ports to Sensor B over the interconnection ports, and vice versa. Since both Sensors see all traffic and build state from it, their state information is synchronized at all times.

All packets are seen by both Sensors (when both are operational); however, only one Sensor in the pair raises an alert whenever an attack is detected.

Figure 11: Two I-4000s in a High-Availability configuration


"Primary" versus "active"

You configure a Failover Pair using the Manager’s Configuration page. You designate one Sensor as the Primary Sensor and the other as Secondary. This designation is used purely for configuration purposes and has no bearing on which Sensor considers itself active.

Once configured, the two Sensors exchange information to determine their respective roles; the Sensor that has been online the longest becomes the active Sensor. If they have been online for exactly the same amount of time, the Sensor with the higher serial number takes the active role. The Sensors communicate every second to determine if their peer is available. If the failover pair cannot communicate with each other, each Sensor will assume its peer Sensor is down, and both will issue alerts. If communication is re-established, the two Sensors communicate to determine their respective failover roles.

When one Sensor is brought up well after the other, the new Sensor synchronizes state with the old Sensor and builds on the synchronized state based on the packets received on its monitoring and interconnect ports.

This Active-Active configuration provides the added benefit of supporting asymmetric traffic flows (that is, when packets belonging to the same TCP/UDP flow are divided across the two Sensors). The Network Security Platform failover pair therefore detects attacks even when the traffic is asymmetric. This topic is discussed in the section Interface groups (on page 24).

Interface groups

An interface group, also known as port clustering in networking parlance, combines the traffic processed on separate Sensor interfaces—or, in the case of a Failover Pair, on separate Sensors—into a single logical interface for state and intrusion analysis. Asymmetric routing is a good example of where an interface group is recommended. In asymmetric routing, a TCP connection does not always send and receive along the same network path. A single-interface Sensor monitoring such a connection may therefore see only the traffic in one direction and not the replies, and so never sees the complete exchange.


Sensors' multiple interfaces make the monitoring of asymmetric traffic possible. For example, as shown in Figure 12, Interface groups in an asymmetric network, an I-4000 has four ports that are wired in pairs by default, and therefore two interfaces. Peer ports 1A and 1B can monitor one direction of an asymmetric transmission, while peer ports 2A and 2B monitor the other direction. By making an interface group of 1A-1B and 2A-2B, the Sensor sees all the traffic for all sessions in the asymmetrically routed network and is still able to maintain state and accurately detect attacks.

Figure 12: Interface groups in an asymmetric network
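The effect of grouping 1A-1B with 2A-2B, shown as an added Python illustration that is not McAfee code: a constructed three-packet TCP handshake is routed asymmetrically across the two interface pairs, and a per-interface tracker never reaches the established state while the grouped tracker does. The interface names, addresses and the minimal handshake tracker are assumptions made for the demonstration.

```python
"""Why an interface group matters for asymmetrically routed traffic.

Added illustration, not McAfee code. Interface 1A-1B sees only the
client->server direction of a TCP session and 2A-2B sees only
server->client. Tracking state per interface never completes the
handshake; tracking the grouped interfaces as one logical interface does."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str     # Sensor interface pair the packet arrived on (assumed names)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags: "S", "SA" or "A"


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both halves of a session match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), "tcp")


def track(packets: list, group=None) -> dict:
    """Return {(scope, flow_key): handshake_state}. Without a group the scope
    is the arriving interface; interfaces in `group` share one logical scope."""
    state = defaultdict(lambda: "new")
    for p in packets:
        scope = "group" if group and p.iface in group else p.iface
        k = (scope, flow_key(p))
        s = state[k]
        if s == "new" and p.flags == "S":
            state[k] = "syn_seen"
        elif s == "syn_seen" and p.flags == "SA":
            state[k] = "synack_seen"
        elif s == "synack_seen" and p.flags == "A":
            state[k] = "established"
        # any other packet is out of order for this state and is ignored
    return dict(state)


# Constructed sample: client 10.1.1.5 -> server 10.2.2.9, reply path differs.
SAMPLE = [
    Packet("1A-1B", "10.1.1.5", 40000, "10.2.2.9", 80, "S"),
    Packet("2A-2B", "10.2.2.9", 80, "10.1.1.5", 40000, "SA"),
    Packet("1A-1B", "10.1.1.5", 40000, "10.2.2.9", 80, "A"),
]


def established_sessions(packets: list, group=None) -> int:
    """Count sessions whose full handshake was observed under this scoping."""
    return sum(1 for v in track(packets, group).values() if v == "established")
```

Without the group, 1A-1B stalls at syn_seen and 2A-2B never leaves new; with the group the same packets yield one established session.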


CHAPTER 4

Deployment Scenarios

This section provides guidance on how to deploy McAfee® Network Security Platform, starting with the simplest, out-of-the-box method and then moving on to more complex scenarios.

Deployment flexibility

IPS deployment can be daunting, and a complex product can be difficult to integrate initially. Network Security Platform, while complex, provides great flexibility in deployment so you can start monitoring your network even while you familiarize yourself with its features and capabilities and tune your security policies.

McAfee Network Security Platform deployment can be simple or complex, depending on your needs and your skill with the product. If you are a Beginner, you can use Network Security Platform straight out of the box and get your entire deployment up and monitoring in an extremely short period of time. An Intermediate approach might be to customize your policies a bit and shift to another operating mode, such as Tap mode. An Advanced user might use all of the features available, tracking traffic at extremely granular levels, creating multiple administrative domains managed by a variety of users with various privileges, tailored policies and custom responses to detected attacks, and so on.

Deployment scenario for beginners

Network Security Platform includes a variety of pre-configured security policies targeting different environments. These policies (defined in Working with Network Security Platform Resources, Getting Started Guide) enable you to start monitoring your network right away. Details on how to accomplish these tasks, unless otherwise specified, are described in Administrative Domain Configuration Guide.

1 Install the Manager as described in Installation Guide.

2 The Default Inline IPS policy is specified by default. You can leave this policy in place or pick the policy that best matches your needs. McAfee® Network Security Sensors (Sensors) you add will inherit this policy and pass it along to all interfaces of the Sensor.

Note: This policy enables blocking for certain attacks; immediately upon in-line deployment Sensors will begin blocking these attacks when they are detected.


3 Configure the Sensor and add it to the Manager as described in CLI Guide, Device Configuration Guide.

4 On the Manager, check the Sensor’s port configuration to be sure that it matches the way you have deployed the Sensor. Make changes as necessary.

5 Download and apply the latest Sensor software and signature file from the Update Server.

6 Send all configuration changes to the Sensor.

7 If you want, set up alert notification to email or pager by attack severity.

8 Using the Report Generator and the Threat Analyzer, examine the resulting alerts for patterns, to help you tune your policies.

9 Back up your data.

Deployment scenario for intermediate users

The pre-configured policies have an umbrella effect—you're protected from all attacks defined in the policy. This enables you to get up and running quickly, but it also may protect you against attacks you do not care about. For example, if you have an entirely Solaris environment, you may not care if someone is initiating IIS attacks against the network, because these attacks are irrelevant to you. Some administrators prefer to see all network activity, including unsuccessful attacks, to get a complete picture of what is occurring on the network. Others want to reduce the "noise" generated by irrelevant attacks. Tuning your policies to remove attacks that do not apply to your environment reduces the number of unimportant alerts generated by your Sensors.

To tune your deployment, you might do the following:

Try a more advanced deployment mode. If you were running in SPAN mode, you may choose to try another deployment mode, such as tap mode.

Take advantage of the Sensor’s ability to apply multiple policies to multiple interfaces. Instead of applying a single policy to the entire Sensor, you may try applying different policies to dedicated interfaces of the Sensor. You can go a step further and segment your traffic into VLAN tags or CIDR blocks, create sub-interfaces, and apply policies to the Sensor’s sub-interfaces.

Tune your policies. Pick the policy that best matches your needs and clone the policy (or create a policy from scratch). Then remove any irrelevant attacks, add any additional attacks, and configure appropriate response actions to respond to detected attacks.

Generate reports and view alerts. Look at the data generated by the system to help you further tune your policies, and if necessary, implement more granular monitoring or delegation of monitoring activities to others.

Deployment scenario for advanced users

An advanced deployment of Network Security Platform utilizes more of Network Security Platform’s features to best tune your system. Once you are more familiar with Network Security Platform, you might do the following:

Try running in in-line mode. In-line mode enables you to drop malicious traffic and thus prevent attacks from ever reaching their targets.


Split your deployment into multiple Admin Domains. You may want to organize your deployment by geographical location, business unit, or functional area (for example, HR or Finance).

Segment your network traffic into VLAN tags and CIDR blocks. You can then monitor various traffic with distinct policies using the sub-interfaces feature.

Create (or clone) policies on a sub-interface basis. Create policies tuned for specific traffic flows within a network segment, and apply them on an extremely granular level.

Define user roles. Delegate the day-to-day management of the IPS to specific individuals, providing each person with only enough access to the system to carry out his/her responsibilities.

Define DoS policies. Configure DoS policies for specific hosts or a subset of your network.


Index

C
conventions: v

D
deploying sensors in in-line mode: 15
deploying sensors in tap mode: 17
deployment: 9, 10, 13
    for beginners: 22
    pre-deployment considerations: 13, 15, 17, 19
deployment scenarios: 22

F
fail-closed: 17
Fail-open and fail-closed: 16
full duplex connection: 14
full-duplex and half-duplex monitoring: 14

I
in-line mode
    about, in-line mode: 15, 16, 17
interface groups: 21
    monitoring with interface groups: 21

L
layer 2 passthru mode: 17

M
modes of deployment
    Sensor deployment: 15, 17, 18, 19, 22, 23

N
Network Security Platform sensor deployment
    modes: 13

S
SPAN port: 19
SPAN port and hub monitoring: 19
SPAN/hub operating mode: 19
    deploying the I-1200 in: 13, 17, 23

T
tap mode
    shifting from tap mode to in-line mode: 19
technical support: vii