Getting Started Guide

revision 4.0

McAfee® Network Security Platform
version 5.1

McAfee® Network Protection
Industry-leading network security solutions

COPYRIGHT
Copyright © 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions
This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. 
and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. 
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. 
* Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued APRIL 2009 / Getting Started Guide
700-1803-00/ 4.0 - English

Contents
Preface ... v
  Introducing McAfee Network Security Platform ... v
  About this Guide ... v
  Audience ... vi
  Conventions used in this guide ... vi
  Related Documentation ... vii
  Contacting Technical Support ... viii

Chapter 1 Intrusion Prevention and Network Security Platform ... 1
  What is an attack? ... 1
    When attackers attack ... 2
    Detecting attacks ... 2
  What is an Intrusion Detection System (IDS)? ... 4
  What is an Intrusion Prevention System (IPS)? ... 4
    Comprehensive Intrusion Detection ... 5
    Intrusion Prevention ... 5
    Flexible Deployment Options ... 5
    Virtual IPS™ ... 6
    High-Availability ... 6
    Scalable IPS Management ... 6
  Detection and prevention with Network Security Platform ... 6

Chapter 2 Network Security Platform Basics ... 8
  About the Network Security Platform ... 8
    Network Security Platform components ... 8
  Network Security Manager license types ... 12
    Manager components ... 12
  Update Server ... 14
    Obtaining Updates from the Update Server ... 15
    Configuring software and attack signature updates ... 15
  Modes of Sensor deployment ... 16
    In-line mode ... 16
    SPAN mode ... 17
    Tap mode ... 18
    Failover (high-availability) via in-line mode ... 20
    Port clustering (interface groups) ... 20
  Manager Disaster Recovery (MDR) ... 21
    Switchover ... 23
  Double tagging attacks and L3 ACLs ... 23

Chapter 3 Working with Network Security Platform resources ... 25
  Network Security Platform resources ... 25
    Admin Domain node ... 25
    Manager node ... 25
    Users and Roles ... 26
    Sensors node ... 26
    Interfaces node ... 26
    Sub-Interfaces node ... 26
    Policies node ... 27
    The Resource Tree ... 27
  Relationship between Sensors and resources in the Resource Tree ... 29

Chapter 4 Working in Administrative domains ... 33


  What is an administrative domain? ... 33
    Parent and child admin domains ... 34
  Admin domain hierarchy ... 35
    Nodes ... 36
    Inheritance ... 36
  Alert and fault notification and forwarding ... 37
  Vulnerability assessment of hosts ... 37
    Using Foundstone from Manager ... 37

Chapter 5 Working with Security Policies ... 39
  What are security policies? ... 39
    Network Security Platform policies ... 39
  Policy application ... 40
    VIPS--applying policies at the Interface and sub-interface level ... 40
  Pre-configured policies ... 43
  Configuring policies in Network Security Platform ... 46
    About rule-based policies ... 46
    Attacks vs. signatures in Network Security Platform ... 47
    Creating or customizing a policy ... 48
    Reassigning policies across Sensors ... 49
  Exporting and importing policies ... 49
  Policy inheritance ... 49
  Response management ... 51
    Response types ... 51
    The Global Attack Response Editor (GARE) ... 52
  Denial of Service (DoS) modes ... 54
    Learning mode ... 54
    Threshold mode ... 55
  Countering SYN floods with SYN cookies ... 55
  Access Control Lists ... 56
  IP spoofing detection ... 57
  ARP spoofing detection ... 58
  Decrypting SSL for IPS inspection ... 58
    Supported Web servers ... 59
    Supported Cipher suites ... 59
    Unsupported SSL functionality ... 60

Chapter 6 Managing users in Network Security Platform ... 61
  User management in Network Security Platform ... 61
    What is a role? ... 61
    Creating a user ... 62
  Roles within Network Security Platform ... 62
    Role relationships between parent and child domains ... 62
    Role descriptions ... 63

Chapter 7 Working with Alerts ... 65
  What are alerts? ... 65
    The lifecycle of an alert ... 65
    Suppressing alerts ... 66
    About the Threat Analyzer ... 67
  About the Incident Generator ... 72
    Utilizing the Incident Generator ... 72
    Creating user-generated incidents ... 73
    Viewing an incident ... 73
  About Reports ... 73
    IPS reports ... 73
    Configuration reports ... 74
    Scheduled reports ... 74
  Alert and packet log archival ... 74

Index ... 76


Preface
This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks. McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

What do you want to do?
• Learn more about McAfee Network Security Platform components (on page 8).
• Learn how to Get Started.
• Learn about the Home page and interaction with the Manager interface.

About this Guide
This guide provides a basic overview of the Network Security Platform, including concepts and terminology you will encounter while using Network Security Platform. This manual is designed to help Network Security Platform users navigate the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] Interface and its components. You will find useful tips, hints, warnings, and screen shots interspersed throughout this guide. First, you will learn the basics of using McAfee Network Security Manager (Manager), such as about the Network Security Platform, McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors], and working with Network Security Platform resources. Once the basics are covered, the tasks covered in this guide become progressively more advanced. We recommend that you read this guide before attempting to install and configure any component of the Network Security Platform.

This guide will walk you through:
Intrusion Prevention and Network Security Platform (on page 1): describes intrusions, the process of intrusion detection, and Network Security Platform's IPS capabilities at a high level.
Network Security Platform Basics (on page 8): provides a basic overview of the Network Security Platform and its various components.

McAfee® Network Security Platform 5.1

Working with Network Security Platform resources (on page 25): describes the Network Security Platform resources and how they appear in the Manager System Configuration tool.
Working in Administrative domains (on page 33): describes the Network Security Platform method of organizing your security environment into protected administrative domains and sub-domains, so as to delegate management of your resources to specific individuals.
Working with Security Policies (on page 39): describes how to construct policies that govern detection and counter-measures for the system.
Managing users in Network Security Platform (on page 61): describes how to assign roles and grant privileges to Network Security Platform users.
Working with Alerts (on page 65): provides an overview of alerts, the notifications triggered when your system detects attacks, and how you interact with them in the Manager.

Audience
This guide is intended for use by network technicians and maintenance personnel responsible for installing, configuring, and maintaining the Manager and Sensors, who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.

Conventions used in this guide
This document uses the following typographical conventions:

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. In the Resource Tree, select NAC Settings.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

• Quick Tour
• Manager Installation Guide
• 4.1 to 5.1 Upgrade Guide
• IPS Deployment Guide
• Manager Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Sensor CLI Guide
• Sensor Configuration Guide
• IPS Configuration Guide
• NAC Configuration Guide
• Integration Guide
• System Status Monitoring Guide
• Reports Guide
• User-Defined Signatures Guide
• Central Manager Administrator's Guide
• Best Practices Guide
• Troubleshooting Guide
• I-1200 Sensor Product Guide
• I-1400 Sensor Product Guide
• I-2700 Sensor Product Guide
• I-3000 Sensor Product Guide
• I-4000 Sensor Product Guide
• I-4010 Sensor Product Guide
• M-8000 Sensor Product Guide
• M-6050 Sensor Product Guide
• M-3050/M-4050 Sensor Product Guide
• M-2750 Sensor Product Guide
• M-1250/M-1450 Sensor Product Guide
• N-450 Sensor Product Guide
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide
• Special Topics Guide—In-line Sensor Deployment
• Special Topics Guide—Sensor High Availability
• Special Topics Guide—Virtualization
• Special Topics Guide—Denial-of-Service

Contacting Technical Support
If you have any questions, contact McAfee for assistance:

Online
Contact McAfee Technical Support at http://mysupport.mcafee.com.

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday through Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page at http://www.mcafee.com/us/about/contact/index.html.

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.

CHAPTER 1

Intrusion Prevention and Network Security Platform
In the early days of computers, information stored on a computer was very difficult to get to without physical access to the computer itself. In those days, you hired security guards to deter intruders, put a sturdy lock on the door, turned on the security alarm, and your data was safe and sound. Attacks on the data were expensive, usually physical, and required great planning and technical savvy. Unfortunately, the many advances in technology changed all that. Back then, intrusions or attacks on computers were viewed as unlikely, even infeasible. These days a corporate network is prey even to pre-teens sitting in their bedrooms at home. The Internet is crawling with people from all walks of life who are continuously trying to test the security of various systems and networks. Some are simply seeking some sort of intellectual high, while others are fueled by more treacherous motives, such as revenge or stealing for profit. It is now much more important to make sure all of the doors and windows to your network are locked, the alarm is turned on, and that your security system knows what to look for, because these days the question is no longer whether an intrusion will happen, but when.

What is an attack?
An attack is any unauthorized action taken with the intent of hindering, damaging, incapacitating, or breaching the security of a network. An attack typically prepares for or carries out threats to your critical assets. Some attempts to infiltrate a network are relatively harmless, but others can bring the network to a grinding halt and cripple a business. Individuals who intrude on or attack a system are known by a number of names, but are generally referred to as crackers, or more popularly, hackers. In this documentation set, these individuals are referred to as attackers. Intrusion detection is the discovery of an attack or intrusion. Intrusion prevention is blocking an attack before it reaches its target. Attacks are actions performed by an attacker that pose a threat to the security state of a protected entity in terms of confidentiality, integrity, authenticity, availability, authorization, and access policies. Attacks can be active, wherein the goal is to directly exploit some vulnerability in a system or software package. In contrast, passive attacks generally consist of monitoring or eavesdropping on traffic with the intention of viewing or capturing sensitive data. The result of a successful active attack is an intrusion—disruption of the normal services, unauthorized access, and/or some form of tampering with the system. Intrusion detection can also identify security-related events in a system that may not be triggered by an attack, such as server malfunctions.

1

McAfee® Network Security Platform 5.1

Intrusion Prevention and Network Security Platform

When attackers attack
When attackers attack a network, they “abuse rules” established by the network. The rules are broken in a way that makes the attack appear to be a normal transmission. Active attacks can generally be divided into the following categories:
• Exploits—An exploit is an attempt by an attacker to take advantage of hidden features or bugs in a system in order to gain unauthorized access. Examples include buffer overflows, directory traversal, and DNS cache poisoning.
• Denial-of-service (DoS) and Distributed Denial-of-service (DDoS) attacks—In a DoS attack, the attacker attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The attacker does not always try to gain information, but to simply act as a vandal to prevent you from making use of your machine. Ping floods and Smurf attacks are examples of DoS attacks. DDoS attacks usually consist of DoS attacks orchestrated by attackers covertly controlling many, sometimes hundreds, of different machines.
• Reconnaissance—These include host sweeps, TCP or UDP port scans, e-mail recons, brute force password guessing, and possibly indexing of public Web servers to find CGI holes or other system vulnerabilities that might later be exploited.
• Policy Violations—All activities for which the underlying traffic content may not be malicious by itself, but are explicitly forbidden by the usage policies of the network as defined by a security policy. These can include “protocol violations” wherein packets do not conform to network protocol standards. (For example, they are incorrectly structured, have an invalid combination of flags set, or contain incorrect values.) Examples might include TCP packets with their SYN and RST flags enabled, or an IP packet whose specified length doesn’t match its actual length. A protocol violation can be an indication of a possible attack, but can also be triggered by buggy software or hardware.

Some attackers are looking for specific information or targeting a specific company. Others are simply seeking an easy target.
Some are advanced users who develop their own tools and leave behind sophisticated “backdoors.” Others have no idea what they are doing and only know how to start the script they’re playing with.
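The two protocol-violation examples given above (a TCP segment with SYN and RST set at the same time, and an IP packet whose length field disagrees with the bytes actually on the wire) are mechanical header checks that can be made on every packet before any signature work is done. The following Python script is an added example written for this guide; it is not McAfee code and does not reproduce the Sensor's own checks. It builds a few constructed IPv4/TCP packets (checksums left at zero) and runs a small set of header-consistency checks over them; the packet builder, the check list and the sample packets are all assumptions made for the illustration.

```python
import struct

# TCP control bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

IP_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgent


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", claimed_total_len=None):
    """Constructed test input: a minimal IPv4+TCP packet. Checksums stay zero because the
    checks below only look at structural fields. claimed_total_len lets a sample packet
    deliberately lie in the IP total-length field."""
    tcp = struct.pack(TCP_HDR, sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload) if claimed_total_len is None else claimed_total_len
    ip = struct.pack(IP_HDR, 0x45, 0, total, 0, 0, 64, 6, 0, src, dst)
    return ip + tcp + payload


def check_packet(pkt):
    """Return the protocol violations found in one IPv4 datagram (no Ethernet header,
    link-layer padding already stripped). An empty list means the headers are consistent."""
    violations = []
    if len(pkt) < 20:
        return ["ip: datagram shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, _src, _dst = struct.unpack(IP_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        violations.append(f"ip: version field is {version}, expected 4")
    if ihl < 20:
        violations.append(f"ip: header length {ihl} is below the 20-byte minimum")
    if total_len != len(pkt):
        # The guide's example: the length the packet claims disagrees with what was captured.
        kind = "claims more bytes than were captured" if total_len > len(pkt) else "is followed by trailing bytes"
        violations.append(f"ip: total length field {total_len} != actual {len(pkt)} ({kind})")
    if ttl == 0:
        violations.append("ip: TTL is 0")
    if proto != 6:
        return violations            # only TCP is inspected further in this example
    if len(pkt) < ihl + 20:
        violations.append("tcp: segment truncated before the end of the TCP header")
        return violations
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, pkt[ihl:ihl + 20])
    if (off_res >> 4) * 4 < 20:
        violations.append("tcp: data offset below 20 bytes")
    if flags & SYN and flags & RST:
        violations.append("tcp: SYN and RST set together")
    if flags & SYN and flags & FIN:
        violations.append("tcp: SYN and FIN set together")
    if (flags & 0x3F) == 0:
        violations.append("tcp: no control bits set (null segment)")
    if sport == 0 or dport == 0:
        violations.append("tcp: port 0 used")
    return violations


# Constructed sample packets: a legitimate SYN, a SYN+RST, and one whose IP length lies.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLES = {
    "normal syn": build_ipv4_tcp(SRC, DST, 40000, 80, SYN),
    "syn+rst":    build_ipv4_tcp(SRC, DST, 40000, 80, SYN | RST),
    "bad length": build_ipv4_tcp(SRC, DST, 40000, 80, ACK, b"GET / HTTP/1.0\r\n", claimed_total_len=200),
}


def scan_samples(samples=SAMPLES):
    """Run check_packet over every sample and map each name to its violation list."""
    return {name: check_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:12s} -> {found or 'ok'}")
```

As the guide notes, a hit from checks like these is evidence, not proof: a broken NIC driver or a middlebox that pads frames will also produce length mismatches, so a deployment should log such packets and look at who sends them before treating every one as an attack.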

Regardless of their skill level, they all share a common strategy: use tools to search the entire Internet for a specific weakness, and then exploit that weakness. Sooner or later they find someone vulnerable. Anyone can be a target in a search, at any time—from established companies with networks developed over decades, to companies whose network has been up for two days. Sooner or later, you will be probed. Because networks are typically running 24 hours a day, attacks can occur at any time. Attacks often occur at night when domestic attackers who have “day jobs,” go to school, or do other things during the day that preclude attacking. Attacks can also occur during the day when it is evening in other parts of the world, such as Eastern Europe and Korea, which have become origins of numerous attacks.

Detecting attacks
Early intrusion detection was performed strictly using pattern matching schemes. Most attackers implement techniques that are tried, true, and well known in the security community. Unless attackers write their own tools, they must rely on available, existing tools, each of which has limitations peculiar to its particular design. Thus, from the victim's point of view, all attacks using such tools will look basically the same. For example, seeing “default.ida” in the URL field of an HTTP packet along with a specific pattern in the URL argument name field implies a Code Red attack and thus fits a standard—or signature—attack pattern.

Pattern Matching
Pattern matching relies upon knowing all of the ways the rules can be broken, and works by comparing network traffic to a database of attack patterns, which are called signatures. Signature-based detection, also known as misuse detection or rule-based detection, attempts to capture the manifestation of attacks in signatures and, if configured to do so, apply specific countermeasures based on each signature. This is very effective for known attacks with well-known signatures. However, this method of detection has two fundamental weaknesses. First, it works only for known attacks. Attackers tend to be clever, and they continuously create new ways to hack a system, which quickly outdates the pattern-matching database. Second, pattern matching uses significant computing cycles to work effectively, and attackers can exploit this by overloading the system, which obscures the pattern-matching system’s visibility. Relying on signature detection alone therefore leaves you unprotected against new or especially complex attacks.
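The Code Red example under Detecting attacks is a signature with more than one trigger: the file name in the URL path and a particular shape of argument name must both be present. The following Python script is an added example written for this guide, not McAfee code and not Network Security Platform's signature format; it parses HTTP request lines into fields and matches a small set of constructed multi-field signatures against them, alongside the crude single-string search it improves on (the multi-trigger, multi-field matching described later under Detection and prevention with Network Security Platform). The signature definitions, the argument-name pattern and the sample request lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed signatures for this example. Each is a set of triggers, one per protocol
# field, and fires only when every trigger matches (multi-trigger, multi-field).
SIGNATURES = [
    {
        "name": "HTTP: Code Red .ida buffer overflow",
        "triggers": {
            "method": re.compile(r"^GET$"),
            "path": re.compile(r"/default\.ida$", re.IGNORECASE),
            # Assumption for the example: the argument name is a long run of filler
            # characters (N in Code Red, X in Code Red II) rather than a real parameter.
            "query": re.compile(r"^[NX]{20,}"),
        },
    },
    {
        "name": "HTTP: directory traversal in request path",
        "triggers": {"path": re.compile(r"(?:\.\./|\.\.\\|%2e%2e(?:%2f|/))", re.IGNORECASE)},
    },
]


def parse_request_line(line):
    """Split an HTTP request line into the fields the triggers inspect.
    Returns None when the line is not '<method> <target> <version>'."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": url.query, "version": version}


def match_signatures(line, signatures=SIGNATURES):
    """Return the names of all signatures whose triggers all match the request line."""
    fields = parse_request_line(line)
    if fields is None:
        return ["HTTP: malformed request line"]
    return [sig["name"] for sig in signatures
            if all(rx.search(fields.get(field, "")) for field, rx in sig["triggers"].items())]


def naive_match(line):
    """The crude single-string approach: a substring search anywhere in the packet."""
    return "default.ida" in line.lower()


# Constructed request lines: a Code Red probe, a benign page whose name happens to
# contain the string, a traversal attempt, and an ordinary request.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0",
    "GET /notes/default.ida-history.html HTTP/1.1",
    "GET /cgi-bin/../../etc/passwd HTTP/1.0",
    "GET /index.html HTTP/1.1",
]


def scan_requests(lines=SAMPLE_REQUESTS):
    """Map each request line to (naive substring hit, multi-field signature hits)."""
    return {line: (naive_match(line), match_signatures(line)) for line in lines}


if __name__ == "__main__":
    for line, (naive, hits) in scan_requests().items():
        print(f"{line[:45]:45s} naive={naive} signatures={hits}")
```

The second sample shows why field-aware matching matters: the substring search flags a harmless page because its name contains “default.ida”, while the multi-field signature does not fire because neither the path nor the argument-name trigger is satisfied.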

Anomaly detection
Anomaly detection is another detection method, used to more effectively protect against unknown, or first-strike attacks. Anomaly detection attempts to capture the long-term normal behavior of the protected system in profiles (specifications of the behavior of traffic over a short- or long-term), and sends an alarm when significant deviation from the normal behavior is discovered. Profiles are created using statistical measures or other behavior specifications that can be applied to multiple platforms and operating systems. There are multiple learning disciplines that make it possible to create and maintain profiles – statistical, neural nets, fuzzy logic, genetic, and so forth. Anomaly detection is particularly useful when confronted with distributed denial of service (DDoS) and slow-scans attacks, which can affect a system over an extended period of time.

Denial of service (DoS) detection
Another special method of detection is denial of service (DoS) detection. A DoS attack disrupts service to a network or computer, and often occurs at the firewall or in the DMZ, particularly DMZ Web and mail servers. There are two ways to detect DoS attacks. First, there is threshold-based detection, wherein the IDS monitors for traffic volumes exceeding a threshold pre-configured by a network administrator. (This method requires you to fully understand your typical traffic pattern in order to pick “good” threshold values, otherwise it can produce a lot of false alarms due to traffic fluctuations, such as “flash crowds”— for example, everyone logging on the network at 9 a.m.—or other legitimate increased traffic.) The second method is by learned behavior—learning long-term normal behavior and comparing it to short-term observed behavior. Combining the methods greatly improves the reliability of detection.
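The two DoS detection methods just described, and the anomaly-detection profile idea from the previous section, can be seen side by side on a small constructed data set. The following Python script is an added example written for this guide; it is not McAfee code and does not reproduce Network Security Platform's algorithms. It learns a per-hour profile (mean and standard deviation of inbound SYN counts) from seven constructed days of traffic, then compares a static threshold, the learned profile and a combination of the two on four constructed observations, including the 9 a.m. “flash crowd” the text warns about. The traffic shape, the threshold, the deviation multiplier and the floor used in the combination are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_training_data(days=7):
    """Constructed sample: inbound SYN/minute counts per hour for `days` days of a network
    that is quiet at night, busy in office hours and peaks at the 9 a.m. logon.
    The jitter is deterministic so the example is reproducible."""
    samples = []
    for day in range(days):
        for hour in range(24):
            base = 900 if hour == 9 else 400 if 8 <= hour <= 18 else 50
            samples.append((hour, base + (day * 7 + hour * 3) % 40))
    return samples


def learn_profile(samples):
    """Long-term profile: (mean, standard deviation) of the count for each hour of day."""
    by_hour = defaultdict(list)
    for hour, count in samples:
        by_hour[hour].append(count)
    return {hour: (mean(v), pstdev(v)) for hour, v in by_hour.items()}


def threshold_alarm(count, threshold=600):
    """Threshold-based DoS detection: one administrator-chosen limit for every hour."""
    return count > threshold


def profile_alarm(profile, hour, count, k=3.0, min_sigma=20.0):
    """Learned-behaviour detection: alarm when the short-term observation is more than
    k standard deviations above the long-term mean for that hour. min_sigma stops a very
    stable baseline from turning tiny fluctuations into alarms."""
    mu, sigma = profile[hour]
    return (count - mu) / max(sigma, min_sigma) > k


def combined_alarm(profile, hour, count, floor=200):
    """Combination: a statistically significant deviation that is also large in absolute
    terms. The floor is an assumed value, chosen so night-time blips stay below it."""
    return profile_alarm(profile, hour, count) and count > floor


PROFILE = learn_profile(build_training_data())

# Constructed observations: (label, hour of day, SYN/minute observed).
OBSERVATIONS = [
    ("9am logon", 9, 930),     # the usual flash crowd
    ("3am flood", 3, 450),     # below the static threshold, wildly abnormal for 3 a.m.
    ("9am flood", 9, 2500),    # a flood on top of the morning peak
    ("2am blip", 2, 140),      # statistically odd, but too small to matter
]


def evaluate(profile=PROFILE, observations=OBSERVATIONS):
    """Map each observation label to (threshold alarm, profile alarm, combined alarm)."""
    return {label: (threshold_alarm(count),
                    profile_alarm(profile, hour, count),
                    combined_alarm(profile, hour, count))
            for label, hour, count in observations}


if __name__ == "__main__":
    for label, (thr, prof, both) in evaluate().items():
        print(f"{label:10s} threshold={thr!s:5s} profile={prof!s:5s} combined={both}")
```

The static threshold raises a false alarm on the morning logon and misses the 3 a.m. flood entirely; the learned profile gets both right but also fires on a small 2 a.m. blip, which the combination suppresses. Before using a profile like this in anger, make sure the learning window contained only normal traffic: a profile learned during an attack learns the attack as normal.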


What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) is software or a hardware/software combination that attempts to detect and respond to attempted intrusions into a system or network. An IDS complements firewalls or anti-virus software by providing thorough network packet content inspection and protecting against attacks “embedded” within what a firewall might perceive as seemingly benign network traffic. There are several classifications of IDS.
• Host- or Network-based. A host-based IDS is concerned with what is happening on each individual computer or “host” and is able to detect such things as repeated failed access attempts or changes to critical system files. A network-based IDS (NIDS) examines all of the packets flowing through your network. A NIDS is able to understand all of the details of many protocols such as headers or protocol fields within a packet and can thus detect maliciously crafted traffic content. There are various types of network-based IDS—these can take the form of software agents running at various points throughout the network, or hardware McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors] placed at strategic locations to examine network traffic.
• Signature, Anomaly, and Denial of Service detection. Another classification describes the types of misuse that an IDS detects. As described in the section Detecting attacks (on page 2), signature detection techniques systematically scan network traffic looking for signature patterns of known attacks, comparing these patterns against an extensive database of signatures. Anomaly detection determines a baseline of normal behavior of network traffic, and then attempts to detect intrusions by noting significant departures from normal behavior. Signature-based detection concentrates on known attack patterns, while anomaly detection is best at picking up new or unknown attacks. Denial of Service (DoS) attack detection characterizes normal traffic using preprogrammed thresholds or real-time, self-learning distributions, and then uses this data to detect what might constitute a maliciously excessive consumption of network bandwidth, host processing cycles or other resources.
• Passive, reactive, or preventive IDS. Passive intrusion detection systems sniff packets as they traverse your network. They can detect the potential security breach, log the information about the attack, and raise an alert. Reactive systems are designed to respond to the intrusion—for example, by logging off a user or by reprogramming the firewall to disallow network traffic from a suspected hostile source. Both types of technology enable you to respond only after the attack has occurred. A preventive system sits in the path of your network traffic and thus is able to detect and drop hostile packets before they reach their target.

What is an Intrusion Prevention System (IPS)?
McAfee® Network Security Platform [formerly McAfee® IntruShield®] is a network-based Intrusion Prevention System (IPS) that combines McAfee Network Security Sensor (Sensor) and management software for the accurate detection and prevention of known attacks using signature detection, unknown (first strike) attacks using anomaly detection, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. The McAfee Network Security Platform couples real-time IDS with prevention—the ability to block attacks before they reach their target—to offer the most powerful, comprehensive and effective network security system in the market. Network Security Platform offers multi-gigabit performance, flexible deployment, robust scalability, and easy-to-use intrusion detection and prevention.


Comprehensive Intrusion Detection
Network Security Platform is the only comprehensive network-based IPS solution available. Only Network Security Platform encompasses all of today’s applicable IPS technologies to allow customers to detect known (using signatures), new/unknown (using anomaly techniques) and Denial-of-Service (DoS) attacks (using hybrid algorithms employing statistical and heuristic methods). The combination of these techniques significantly increases the capability and accuracy of the IPS. The majority of current products are exclusively signature-based and have little to no anomaly or DoS detection capabilities. No product on the market has the breadth or depth of coverage of Network Security Platform. For example, Network Security Platform can inspect SSL traffic and HTTP response traffic. In addition, Network Security Platform also detects attacks with unprecedented accuracy thanks to:
• Full protocol analysis and state tracking
• Multi-trigger, multi-field pattern matching
• Hardware acceleration to deliver wire-speed detection
• Network Security Platform’s ability to see all of the traffic in a variety of deployment modes, including active/active, active/passive, and asymmetrically routed traffic environments.

Intrusion Prevention
Network Security Platform can run in-line, so you can mediate the traffic flow and block malicious traffic before it reaches its target. Current IDS products operate in a monitoring-only mode (operating as a “sniffer”) and cannot effectively and reliably block the malicious traffic before the damage is done. In sniffing mode, you see the attack at the same time it hits the target. You can apply some countermeasures, like TCP resets and firewall rule reconfiguration, but these are reactive actions. When running in-line, Network Security Platform can proactively drop malicious packets and not pass them through the network, so they never reach their target. In addition to dropping malicious traffic, Network Security Platform provides “packet scrubbing” functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification, which can be used by attackers to evade IDS systems and other security devices.

Flexible Deployment Options
Existing products were designed when shared media networks were common and are not easy to deploy in today's switched environments. Furthermore, the Network Security Platform product line allows customers to protect today's higher speed network segments ranging from 100 Mbps up to multi-Gbps, whereas current products are primarily limited to sub-100 Mbps environments. Network Security Platform provides wire-speed monitoring and analysis up to multi-Gbps network segments in three flexible modes of deployment, enabling you to easily integrate it into your network and adapt to any network or security changes that you may encounter in the future.


Some Sensor models contain built-in 10/100 Mbps Ethernet taps, thus making it extremely easy to switch between tap and in-line modes through software reconfiguration; no physical rewiring is required. The multi-port configuration of all Sensors enables comprehensive network-wide IDS deployment with significantly fewer Sensors.

Virtual IPS™
Most products enable you to implement a single security policy per Sensor. Network Security Platform’s Virtualization feature (called VIDS or VIPS) enables you to segment a Sensor into a large number of virtual Sensors with each implementing a custom security policy, including individualized attack selection and associated response actions. This capability allows you to implement and enforce a heterogeneous set of security policies with a single Sensor, better serving the differing security needs within an organization. It further reduces the number of Sensors required for a network-wide IPS deployment, and it reduces the number of irrelevant alerts.

High-Availability
Sensors support high-availability deployment, using stateful Sensor failover between two hot-standby Sensors. The Sensors are interconnected, copy traffic between themselves, and maintain synchronization. If one Sensor fails, the standby Sensor automatically takes over and continues to monitor the traffic with no loss of session state or degradation of protection level. Network Security Platform also supports Manager Disaster Recovery (MDR). If, for any reason, the primary McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] goes off-line, its secondary can automatically take its place, processing alerts and managing Sensor configuration.

Scalable IPS Management
A scalable Web-based architecture allows customers to efficiently manage their IPS deployment while reducing operational costs. The configurable Network Security Platform real-time signature and software update mechanism automates the process of keeping the complete system current with little or no human intervention, thus reducing on-going operating costs.

Detection and prevention with Network Security Platform
Detection with the Network Security Platform goes beyond the simple string matching used in many current IDS signature engines. Sensors analyze and validate the traffic to its basic protocol elements and inspect specific protocol fields to improve accuracy, while maintaining full flow and application state. The Sensors perform IP fragment reassembly and TCP stream reassembly, and perform thorough protocol analysis all the way up to the Application Layer. The signature engine searches in a flow for multiple triggers (that is, sub-signatures) in multiple fields of a protocol using Network Security Platform’s embedded signature files to increase the precision by which an attack can be unambiguously detected.
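The TCP stream reassembly mentioned above, and the “packet scrubbing” described under Intrusion Prevention, exist because the same sequence of segments can be read two ways: when an attacker retransmits a sequence range with different contents, some receiving TCP stacks keep the first copy and others keep the last, and a sniffing IDS that picks the wrong policy for the target host reassembles a stream the host never saw. The following Python script is an added example written for this guide; it is not McAfee code and does not reproduce the Sensor's reassembly or scrubbing logic. It reassembles a constructed set of overlapping segments under both policies, shows that a signature is visible under one and not the other, and then applies a simple in-line normalization that rewrites retransmitted bytes to the bytes first forwarded, so that the inspected stream and the delivered stream can no longer differ. The segments, the signature and the normalization rule are assumptions made for the illustration.

```python
# Segments are (sequence number, payload bytes). The list below is constructed: the
# attacker sends filler first, then "retransmits" the same sequence range with different
# content. Which bytes the receiving host keeps depends on its TCP stack.
EVASIVE_SEGMENTS = [
    (0, b"GET /etc/"),
    (9, b"XXXXXX"),     # arrives first, covers offsets 9..14
    (9, b"passwd"),    # arrives later, same range, different data
    (15, b" HTTP/1.0\r\n\r\n"),
]

SIGNATURE = b"GET /etc/passwd"   # the pattern a detection engine is looking for


def reassemble(segments, policy):
    """Rebuild the byte stream. policy 'first' keeps the data that arrived first for an
    overlapping byte; 'last' keeps the most recent retransmission. Gaps become NUL bytes."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(o, 0) for o in range(min(stream), max(stream) + 1))


def scrub(segments):
    """In-line normalization: any byte that retransmits an already-forwarded offset is
    rewritten to the byte first forwarded, so the protected host can only ever see the
    same stream the detection engine inspected. Returns the segments to forward."""
    seen = {}
    forwarded = []
    for seq, data in segments:
        fixed = bytearray(data)
        for i in range(len(data)):
            offset = seq + i
            if offset in seen:
                fixed[i] = seen[offset]
            else:
                seen[offset] = data[i]
        forwarded.append((seq, bytes(fixed)))
    return forwarded


def detect(segments, policy):
    """True when the signature is present in the stream as reassembled under `policy`."""
    return SIGNATURE in reassemble(segments, policy)


def evasion_demo(segments=EVASIVE_SEGMENTS):
    """Return (sniffer-first, sniffer-last, inline-first, inline-last) detection results."""
    cleaned = scrub(segments)
    return (detect(segments, "first"), detect(segments, "last"),
            detect(cleaned, "first"), detect(cleaned, "last"))


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"raw, {policy}-wins:      {reassemble(EVASIVE_SEGMENTS, policy)!r}")
        print(f"scrubbed, {policy}-wins: {reassemble(scrub(EVASIVE_SEGMENTS), policy)!r}")
    print("detections:", evasion_demo())
```

Against the raw segments a sniffer that favours the first copy sees only filler, while a host that favours the last copy receives the real request; the attack reaches the target undetected. After scrubbing, both reassembly policies give the identical stream, so whatever the detection engine concluded is also what the host actually processes.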


Once the packet is captured, it is analyzed into its corresponding protocol fields. The Sensor analyzes a frame completely and thoroughly from Layers two through seven, and understands the semantics of the protocol fields even at the Application Layer. After it analyzes the protocols, it verifies that the packet conforms to the protocol specification. Network Security Platform then passes the parsed packet through its DoS, Signature, and Anomaly detection engines. This enables Network Security Platform to be very efficient in terms of packet processing because the packet is “peeled” only once and then fed to the corresponding detection engines. All these processes are hardware-accelerated to provide the required wire-speed performance. If the detection engines detect something, they pass an alert and corresponding data to the Management process that is running on the Sensor. The Management process can then trigger the appropriate response, based on policy, and send alerts to the McAfee Network Security Manager (Manager). This response can include averting the attack entirely. If a Sensor is running in in-line mode on the network, you can enable blocking, which causes the Sensor to drop the attack so that the attack never reaches its goal.


CHAPTER 2

Network Security Platform Basics
This section provides an overview of McAfee® Network Security Platform and its components.

About the Network Security Platform
McAfee Network Security Platform is a combination of network appliances and software built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse. Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS).

Network Security Platform components
Network Security Platform consists of the following major components:
• McAfee® Network Security Sensor (Sensor) (on page 8)
• McAfee® Network Security Manager (Manager) (on page 12), with its Web-based graphical user interface
• McAfee® Network Security Update Server [formerly IPS Update Server] (on page 14)

Sensors
Sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. Sensors are specifically designed to handle traffic at wire-speed, to efficiently inspect and detect intrusions with a high degree of accuracy, and to be flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, a Sensor provides real-time traffic monitoring to detect malicious activity and respond to the malicious activity as configured by the administrator. Once deployed and once communication is established, Sensors are configured and managed via the Manager server, described in the section Network Security Manager (on page 12).

Sensor functionality
The primary function of a Sensor is to analyze traffic on selected network segments and to respond when an attack is detected. The Sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The Sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to respond with countermeasures if an attack is detected. If an attack is detected, a Sensor responds according to its configured policy. A Sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, “scrubbing” malicious packets, and even blocking attack packets entirely before they reach the intended target.

Sensor platforms
McAfee offers several types of Sensor platforms providing different bandwidth and deployment strategies.


Tables with Sensor Information

I-series Sensors:

Sensor | Aggregate performance | Monitoring ports (10/100 Base-T / interface module) | RJ-45 response ports | Ports used for failover
I-1200 | 100 Mbps | 2 x 10/100             | 1 | Response port
I-1400 | 200 Mbps | 4 x 10/100             | 1 | Response port
I-2700 | 600 Mbps | 6 x 10/100             | 3 | 4A
I-3000 | 1 Gbps   | 12, 2 GBICs            | 4 | 6A and 6B
I-4000 | 2 Gbps   | 12 SFP ports, 4 GBICs  | 2 | 2A and 2B
I-4010 | 2 Gbps   | 12 SFP ports           | 4 | 6A and 6B

Other features            | I-4010 | I-4000 | I-3000 | I-2700 | I-1400 | I-1200
Internal taps             | Nil    | Nil    | Nil    | Yes    | Yes    | Yes
Fail-open control ports   | 4      | Nil    | 4      | Nil    | Nil    | Nil
10/100 management port    | 1      | 1      | 1      | 1      | 1      | 1
Console port              | 1      | 1      | 1      | 1      | 1      | 1
Auxiliary port            | 1      | 1      | 1      | 1      | 1      | 1
Redundant power supply    | Yes    | Yes    | Yes    | Yes    | Nil    | Nil
Fail-closed dongles       | Nil    | Nil    | Nil    | 6      | 4      | 2

M-series Sensors and N-450 Sensor:

Sensor | Aggregate performance | Monitoring ports (10/100/1000 Base-T / interface module) | RJ-45 response port | Ports used for failover
M-8000 | 10 Gbps  | 16 one-gigabit SFP ports, 12 ten-gigabit XFP ports | 1 | 3A and 3B
M-6050 | 5 Gbps   | 8 SFP ports, 8 XFP ports                           | 1 | 4A (4B remains unused)
M-4050 | 3 Gbps   | 4 XFP ports, 8 SFP ports                           | 1 | 2A
M-3050 | 1.5 Gbps | 4 XFP ports, 8 SFP ports                           | 1 | 2A
M-2750 | 600 Mbps | 20 SFP ports                                       | 1 | 10A (10B is unused)
M-1450 | 200 Mbps | 8 built-in 10/100/1000 RJ-45 ports                 | 1 | 4A (4B is unused)
M-1250 | 100 Mbps | 8 built-in 10/100/1000 RJ-45 ports                 | 1 | 4A (4B is unused)
N-450  | 2 Gbps   | 20 SFP ports                                       | 0 | 10A and 10B

Other features              | M-8000                              | M-6050 | M-4050 | M-3050 | M-2750 | M-1450 | M-1250 | N-450
Internal taps               | Nil                                 | Nil    | Nil    | Nil    | Nil    | Yes    | Yes    | Nil
Fail-open control ports     | 14                                  | 8      | 6      | 6      | 10     | Nil    | Nil    | 10
Interconnect ports          | 4 ten-gigabit XFPs, 2 RJ-45 ports   | Nil    | Nil    | Nil    | Nil    | Nil    | Nil    | Nil
10/100/1000 management port | 1                                   | 1      | 1      | 1      | 1      | 1      | 1      | 1
Console port                | 2                                   | 1      | 1      | 1      | 1      | 1      | 1      | 1
Auxiliary port              | 2                                   | 1      | 1      | 1      | 1      | 1      | 1      | 1
Redundant power supply      | Yes                                 | Yes    | Yes    | Yes    | Yes    | Nil    | Nil    | Yes
Fail-closed dongles         | 0                                   | 0      | 0      | 0      | 0      | 0      | 0      | 0


Each Sensor is described in the corresponding Sensor Product Guide.

Network Security Manager license types
McAfee Network Security Manager (Manager) consists of hardware and software resources that are used to configure and manage your Network Security Platform deployment. There are three software versions of Manager:
• McAfee® Network Security Global Manager—best suited for global IPS deployments of more than six McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors].
• McAfee® Network Security Manager—can support large or distributed deployments of up to six McAfee Network Security Sensors (Sensors).
• McAfee® Network Security Manager Starter—can support two Sensors.
The above software versions of the Manager are supported only on Windows Server 2003 (Standard Edition) SP2, English OS and Windows Server 2003 R2 (Standard Edition), Japanese OS.

Functionally, the products are otherwise identical. The license file provided to you by McAfee determines which version of the Manager you install.

Manager components
Manager is a term that represents the hardware and software resources that are used to configure and manage the Network Security Platform. The Manager consists of the following components:
• a hardware/OS server platform (on page 12) (Microsoft Windows Server 2003 SP2, Standard Edition, English or Japanese)
• the Manager software (on page 13)
• a back end database (on page 14) to persist data (MySQL)
• a connection to the McAfee® Network Security Update Server [formerly IPS Update Server] (on page 14)

Manager server platform
The Manager server is a dedicated Windows Server 2003 SP2 system running the Manager software. You remotely access the Network Security Platform user interface from a Windows XP system using an Internet Explorer 6.0 or Internet Explorer 7.0 browser session. Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a Sensor Management port directly to the Manager server; however, this means you can only receive information from one Sensor (typically, your server has only one 10/100 network port). During Sensor configuration, described in the Sensor CLI Guide, you will establish communication between your Sensor(s) and your Manager server.


Manager software
The Manager software has a Web-based user interface for configuring and managing the Network Security Platform. Network Security Platform users connect to the Manager server from a Windows XP system using the Internet Explorer browser program. The Network Security Platform user interface runs with Internet Explorer version 6.0 and Internet Explorer version 7.0. The Manager functions are configured and managed through a GUI application, the Network Security Platform user interface, which includes complementary interfaces for system status, system configuration, report generation, and fault management. All interfaces are logically parts of the Manager program. Manager has five components:
• Manager Home. The Manager Home page is the first screen displayed after the user logs on to the system. The Manager Home page displays Operational Status (that is, whether all components of the system are functioning properly), the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s). The Manager Home page is refreshed every 5 seconds by default.
• Operational Status. The Operational Status page displays the status of Manager, database, and any deployed Sensors, including all system faults.
• Configuration. The Configuration page provides all system configuration options, and facilitates the configuration of your Sensors, failover pairs of Sensors, administrative domains, users, roles, Network Access Control (NAC), attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management is based on the current user's role(s) and privileges. For more information on NAC configuration, see NAC Configuration Guide.
• Threat Analyzer. The Threat Analyzer page displays the hosts detected on your network as well as the detected security events that violate your configured security policies. The Threat Analyzer provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.
• Reports. Users can generate reports for the security events detected by the system and reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or e-mailed to specific individuals.
Other key features of Manager include:
• The Incident Generator: The Incident Generator enables creation of attack incident conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Threat Analyzer tool. For more information on Manager components, see Manager Server Configuration Guide.
• Integration with other McAfee products: You can integrate Network Security Platform with other McAfee products such as McAfee ePolicy Orchestrator (ePO), McAfee® Host Intrusion Prevention [formerly McAfee® Entercept], and so on. Network Security Platform then collaborates with these products to provide you with a comprehensive network security solution. For details, see Integration Guide.
• Integration with third-party products: Network Security Platform enables the use of multiple third-party products for analyzing faults, alerts, and generated packet logs.
• Fault/Alert forwarding and viewing: You have the option to forward all fault management events and actions, as well as IPS alerts, to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Faults and/or alerts can be forwarded in the following ways:
  - Syslog Server: forward IPS alerts and system faults
  - SNMP Server (NMS): forward IPS alerts and system faults
  - Java API: forward IPS alerts
  - Crystal Reports: view alert data from the database via email, pager, or script
• Packet log viewing: view logged packets/flows using third-party software, such as Ethereal.

Manager database
The Manager server operates with an RDBMS (relational database management system) for storing persistent configuration information and event data. The compatible database is MySQL. The Manager server for Windows (only) includes a MySQL database that can be installed (embedded) on the target Windows server during Manager software installation. Your MySQL database can be tuned on demand or by a set schedule via Manager user interface configuration. Tuning promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer statistics, and checking and repairing tables. To graphically administer and view your MySQL database, you can download the MySQL administrator from the MySQL Web site http://dev.mysql.com/downloads/gui-tools.

Update Server
For your Network Security Platform to properly detect and protect against malicious activity, the Manager and Sensors must be frequently updated with the latest signatures and software patches available. Thus, the Network Security Platform team constantly researches and develops performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denial of service (DoS). When a severe-impact attack happens that cannot be detected with the current signatures, a new signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently. New signatures and patches are made available to customers via the McAfee Network Security Update Server (Update Server). The Update Server is a McAfee owned and operated file server that houses updated signature and software files for Managers and Sensors in customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention. Note: Communication between Manager and the Update Server is SSL-secured.


Obtaining Updates from the Update Server
You have the following options for obtaining updates from the Update Server:
Tip: To configure Update Server settings from the Manager interface, refer to the Manager Server Configuration Guide.
1 Connecting directly from your Manager server (via Manager interface action).
2 Connecting via proxy server (via Manager interface action). You will then authenticate as in option 1.
3 Connecting from any Windows XP system via browser, downloading updates to that system, and then importing the update to the Manager. This method can provide your Manager server with the safest defense against Internet attacks since no Internet connection is used by your Manager server. The import feature is a Manager interface action.
4 Connecting from any Windows XP system via browser, downloading software updates to a TFTP server, and then loading the updates directly onto the Sensor using the Sensor’s command line interface (CLI). This is for Sensor software updates only. For more information, see Sensor CLI Guide.

Configuring software and attack signature updates
You configure interaction with the Update Server using the Manager Configuration page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as "Available" in the Manager interface for on-demand download. Once downloaded to the Manager, you can immediately push the update (via an encrypted connection) to deployed Sensors, or deploy it according to a Sensor update schedule you define. Acceptance of a download is at the discretion of the administrator. You have a total of five update options:

• Automatic update to Manager, manual update from Manager to Sensors. This option enables the Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.
• Manual update to Manager, automatic update from Manager to Sensors. This option enables the administrator to select updates manually, but once an update is selected, it is applied to the Sensors automatically, without reboot.
• Fully manual update. This option allows the security administrator to determine which signature update to apply per update, and when to push the update out to the Sensor(s). You may wish to manually update the system when you make some configuration change, such as updating a policy or response.
• Fully automatic update. This option enables every update to pass directly from the Update Server to the Manager, and from the Manager to the Sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.
• Real-time update. This option is similar to fully automatic updating. However, rather than waiting for a scheduled interval, the update is pushed directly from Update Server to Manager to Sensor as soon as it is posted. No device needs to be rebooted; the Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.


Modes of Sensor deployment
With today's complex network configurations, deploying Sensors at all the necessary points of protection in your network can become both very complex and very expensive. Network Security Platform makes deployment easy and cost-effective by requiring fewer Sensors and offering several flexible modes of Sensor deployment:

• In-line mode (on page 16)
• SPAN operating mode (on page 17)
• Tap mode (on page 18)
• Failover (high-availability) via in-line mode (on page 20)
• Port clustering (interface groups) (on page 20)

Sensors, by default, are configured to operate in in-line mode. The operating mode can be changed via the Network Security Platform user interface. Each of these modes is described briefly below and in more detail in Sensor Deployment Modes.

Note: Although the Sensors are configured to run in-line by default, many new Network Security Platform users choose to operate in SPAN mode initially, and then move to tap or in-line mode later as they become more familiar with the product and are ready to "tune" their deployments.

In-line mode
In-line Mode, illustrated in the following figure, places a Sensor directly in the network traffic path, inspecting all traffic at wire-speed as it passes through the Sensor. In-line mode enables you to run the Sensor in a protection/prevention mode, where packet inspection is performed in real time, and intrusive packets can be dealt with immediately; you can actively drop malicious packets because the Sensor is physically in the path of all network traffic. This enables you to actually prevent an attack from reaching its target. You cannot prevent attacks from reaching their target in any other deployment mode. All Sensor ports are configured to run in-line by default; when a Sensor comes online for the first time, it is in in-line mode. Sensors are also configured to block certain attacks by default. Thus Network Security Platform can begin blocking attacks right out-of-the-box. All Sensor models can be deployed in In-line Mode, and all offer the option of operating in fail-open or fail-closed mode when monitoring traffic in-line.


Note: Fail-open and fail-closed refer to whether the Sensor allows traffic to continue to pass in the event of a port or Sensor failure: fail-open keeps the link up and passes traffic uninspected, while fail-closed takes the link down. For more information on these options, see Fail-open versus fail-closed, IPS Deployment Guide.

Figure 1: Sensor Deployment - Inline Mode

For more information about deploying Sensors, see Sensor Deployment Modes, IPS Deployment Guide.

SPAN mode
Most current IDS products are deployed in SPAN mode. An advantage of deploying Sensors in SPAN mode is that it merely requires connecting the Sensor and reconfiguring a setting on the switch; thus it is also the operating mode chosen by most new Network Security Platform users. The other modes of Sensor deployment (in-line mode and tap mode) involve connecting the Sensors within the flow of traffic, which requires brief network downtime. Thus most beginners prefer to 'get used' to the Network Security Platform while operating in SPAN mode, to tweak and tune their systems, and move to tap or in-line mode later.

The Switched Port Analyzer (SPAN) port on a switch is designed specifically for monitoring, so that an attached network analyzer (a Sensor or a sniffer) receives a copy of every packet sent from one host to another through the switch. The switch copies the selected incoming and outgoing traffic to a predetermined port where the Sensor or sniffer is connected. This is called port mirroring (some switch documentation loosely calls it port forwarding), and it allows the attached device to monitor all of the mirrored traffic.

The downside of monitoring via a SPAN port is that it is very easy to saturate. The mirror port only ever transmits toward the Sensor, so its usable capacity is its line rate in one direction: 100 Mbps on a Fast Ethernet port. A full-duplex Fast Ethernet link, however, can carry up to 100 Mbps in each direction, 200 Mbps in total, and mirroring several switch ports multiplies the problem. Whenever the combined mirrored traffic exceeds the mirror port's line rate, the switch drops the excess copies and the Sensor no longer sees every packet. An IDS that is missing packets can raise false alarms or miss real attacks. In addition, most switches only support one or two SPAN ports and there is a lot of competition for them (for example, from RMON probes and sniffers).


SPAN mode is also a "sniffing" mode, which—unlike in-line mode—does not enable you to prevent attacks.

Note: Although the following figure shows response packets being issued via the Sensor's response ports, some switches allow response packets to be injected by an IPS back through the SPAN port.

Figure 2: Sensor Deployment - SPAN Mode

Note: SPAN mode is not supported on N-450 Sensors.

Tap mode
Tap mode, illustrated in the following figure, works through installation of an external fiber tap (for GBIC ports) or built-in internal taps (for 10/100 Monitoring ports). A Sensor deployed in tap mode monitors or "sniffs" the packet information as it traverses the full-duplex network segment. Full-duplex taps split a link into separate transmit and receive channels. Sensors provide multiple Sensor ports, wired in pairs to accommodate full-duplex taps.


The downside of tap mode is that, unlike in-line mode, you cannot prevent attacks. Like SPAN mode, tap mode is passive; the Sensor sees malicious traffic only as it passes.

Figure 3: Sensor Deployment - TAP Mode

Note 1: You cannot inject response packets back through an external tap, so Sensors offer Response ports through which a response packet (such as a TCP reset) can be injected to close a malicious connection. The attacker can still succeed in causing the intended damage when the attack packet reaches its intended victim host before the TCP reset closes the connection. Hence, in-line mode is more effective in preventing an attack.

Note 2: Tap mode is not supported on N-450 Sensors.
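The following is an added example, not McAfee code, of what a response port has to get right when it injects the TCP reset described above. A passive Sensor can only read the sequence numbers of the segment it observed; the reset it sends in the client's name must carry exactly the sequence number the server expects next, and the one it sends in the server's name must carry the number the client last acknowledged. The observed segment, addresses and ports are constructed for illustration, and the Sensor's actual injection path and timing are not documented here.

```python
# Added example (not McAfee NSP code): how an out-of-band response port would
# craft the pair of TCP RST segments that tear down an observed connection.
# The observed segment below is constructed for illustration; the Sensor's
# real injection path, timing and encapsulation are assumptions, not
# documented behaviour.
import socket
import struct
from dataclasses import dataclass

TH_RST = 0x04


@dataclass(frozen=True)
class ObservedSegment:
    """Fields a passive Sensor can read from one client->server segment."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # sequence number of the observed segment
    ack: int          # acknowledgement number it carried
    payload_len: int  # bytes of TCP payload (SYN and FIN each count as one)


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src, dst, sport, dport, seq, ack, flags) -> bytes:
    """20-byte TCP header, no options, no payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, 0, 0, 0)      # data offset 5 words, window 0
    csum = _ones_complement_sum(_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_rst_pair(o: ObservedSegment):
    """Two resets: one to the server in the client's name, one to the client in the server's.

    The RST's seq must be exactly the receiver's next expected sequence number.
    RFC 5961 hosts answer an in-window-but-inexact RST with a challenge ACK
    instead of aborting, so a sloppy guess silently fails to close the flow.
    """
    to_server = build_tcp_segment(o.src, o.dst, o.sport, o.dport,
                                  o.seq + o.payload_len, 0, TH_RST)
    to_client = build_tcp_segment(o.dst, o.src, o.dport, o.sport,
                                  o.ack, 0, TH_RST)
    return to_server, to_client


def parse_tcp_header(seg: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, csum, _urp = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "checksum": csum}


def checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """With a correct checksum the sum over pseudo-header plus segment folds to zero."""
    return _ones_complement_sum(_pseudo_header(src, dst, len(seg)) + seg) == 0


if __name__ == "__main__":
    observed = ObservedSegment("10.0.0.5", 40000, "10.0.0.9", 80,
                               seq=1000, ack=5000, payload_len=100)
    to_server, to_client = build_rst_pair(observed)
    print(parse_tcp_header(to_server), checksum_ok("10.0.0.5", "10.0.0.9", to_server))
    print(parse_tcp_header(to_client), checksum_ok("10.0.0.9", "10.0.0.5", to_client))
```

Even a perfectly formed reset only helps if it reaches the victim before the attack payload is processed; that race is the reason the note above prefers in-line mode.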

About taps
A tap is a device that permits unimpeded traffic flow while simultaneously copying all the traffic from a full-duplex link and sending the information to a Sensor for analysis. Taps are used to monitor full-duplex links, and they split the link into separate transmit and receive channels. To monitor the two channels that the tap produces, you use two monitoring interfaces on the Sensor; one interface monitors the transmit channel, one monitors the receive channel—neither monitoring interface transmits back to the tap. Note: You cannot inject response packets back through a tap; you must connect a Sensor response port to another device, namely a switch or router, to respond to malicious packets. Taps are hardwired to the Sensor. One Sensor can monitor traffic from multiple taps without degradation or overloading up to the specified maximum.


Failover (high-availability) via in-line mode
Enterprises often deploy fully redundant networks to maintain high network availability. In a redundant network, also known as an active/passive or active/standby configuration, two identical machines are deployed; one is designated as the active machine that performs the task while the other is in standby in case of the active machine's failure. If the active machine fails, it fails over to the standby machine. System redundancy ensures that the network is always available even if the hardware fails. This reduces lapses in service to employees and customers that may lead to loss of productivity and revenue. Sensors are built to meet the needs of redundant networks. When running Sensors in-line, the option is available to you to use one Sensor as an active unit, with an identical Sensor standing by, should the active Sensor fail. Both Sensors share full state, so that the information on the standby Sensor is always current. Latency is very minimal; less, in fact, than many other devices providing failover, such as firewalls. For more information on deploying Sensors for high availability, see High-Availability, IPS Deployment Guide.

Port clustering (interface groups)
Port clustering, referred to as Interface Groups in the Manager interface, enables multiple ports on a single Sensor to be grouped together for effective traffic monitoring, particularly useful for asymmetrically routed networks. You cluster ports when you want the traffic across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are common in load balancing and active/passive configurations, and a complete transmission may be received on one segment, but depart on another. Thus keeping state of asymmetric transmissions is essential for successfully monitoring the traffic. Interface groups normalize the impact of traffic flows split across multiple interfaces, thus maintaining state to avoid information loss. Once configured, an interface group appears in the Configuration page’s Resource Tree as a single interface node (icon) under the Sensor where the ports are located. All of the ports that make up the interface are configured as one logical entity, keeping the configuration consistent.


When is clustering used?
If a company has two different active paths to and from the Internet passing through two different Sensor interfaces, for example, the traffic on each path will be analyzed independently. If a single communication flow is divided across paths, each interface will receive and analyze part of the conversation and therefore be susceptible to false positives and false negatives. When you create an interface group that contains both interfaces, you allow the Sensor to receive and properly analyze the entire communication.

Figure 4: Clustering
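The following added example (not McAfee code) shows concretely what goes wrong without an interface group. A minimal stateful TCP tracker that inspects payload only on established flows is run over one constructed conversation whose client-to-server half arrives on port 1A and whose replies come back on port 2A. Port names, addresses, the payload and the signature pattern are all constructed for the example; the real Sensor engine is not described here.

```python
# Added example (not McAfee NSP code): why ports on an asymmetric path must be
# analysed as one interface group. A minimal TCP handshake tracker with one
# content signature is run over the same constructed packets twice: once with
# a separate tracker per Sensor port, once with one tracker shared by both
# ports (the interface group). Packets, port names and the signature are
# constructed for illustration.

SIGNATURE = b"EVIL"  # constructed payload pattern standing in for a real signature


def flow_key(pkt):
    """Direction-independent flow key so both halves of a conversation meet."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted((a, b)))


class FlowTracker:
    """Tracks the three-way handshake per flow and inspects payload only once
    the flow is established, so unsolicited segments cannot feed it junk."""

    def __init__(self, label):
        self.label = label
        self.state = {}
        self.events = []

    def feed(self, pkt):
        k = flow_key(pkt)
        st = self.state.get(k, "NONE")
        f = pkt["flags"]
        if f == "SYN" and st == "NONE":
            st = "SYN_SEEN"
        elif f == "SYN-ACK" and st == "SYN_SEEN":
            st = "SYNACK_SEEN"
        elif f == "ACK" and st == "SYNACK_SEEN":
            st = "ESTABLISHED"
        elif f == "DATA":
            if st == "ESTABLISHED":
                if SIGNATURE in pkt["payload"]:
                    self.events.append(("signature-match", self.label))
            else:
                # No complete handshake was seen on this tracker, so the data
                # cannot be trusted: the engine either alerts on the anomaly
                # (a false positive if the flow is legitimate) or stays quiet
                # and never runs its signatures (a false negative).
                self.events.append(("data-without-handshake", self.label))
        self.state[k] = st


def analyze(packets, groups):
    """groups maps each port name to the tracker that owns it.
    Ungrouped ports: {"1A": "1A", "2A": "2A"}; interface group: {"1A": "G1", "2A": "G1"}."""
    trackers = {}
    for pkt in packets:
        tid = groups[pkt["port"]]
        trackers.setdefault(tid, FlowTracker(tid)).feed(pkt)
    return sorted(ev for t in trackers.values() for ev in t.events)


def asymmetric_conversation():
    """Constructed: client->server segments are routed through port 1A while the
    server->client replies return over a different path seen on port 2A."""
    c2s = dict(src="10.1.1.10", sport=51000, dst="192.0.2.20", dport=80)
    s2c = dict(src="192.0.2.20", sport=80, dst="10.1.1.10", dport=51000)
    return [
        dict(port="1A", flags="SYN", payload=b"", **c2s),
        dict(port="2A", flags="SYN-ACK", payload=b"", **s2c),
        dict(port="1A", flags="ACK", payload=b"", **c2s),
        dict(port="1A", flags="DATA", payload=b"GET /?q=EVIL HTTP/1.1\r\n", **c2s),
    ]


if __name__ == "__main__":
    pkts = asymmetric_conversation()
    print("ungrouped:", analyze(pkts, {"1A": "1A", "2A": "2A"}))
    print("grouped:  ", analyze(pkts, {"1A": "G1", "2A": "G1"}))
```

Ungrouped, port 1A's tracker never sees the SYN-ACK, so the flow never reaches ESTABLISHED and the signature is never evaluated; grouped, the single tracker sees the whole handshake and the attack payload is matched.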

Manager Disaster Recovery (MDR)
Sometimes the worst happens. In this age, where outages to IT systems can cost millions of dollars in lost revenue, lost productivity, and legal issues, every organization must face the near certainty of a system failure occurring at a future date. Anticipating these events and planning corrective courses of action is now a prerequisite to business success. Most organizations now employ some manner of business continuity planning (BCP), a subset of which is disaster recovery planning (DRP). To this end, Network Security Platform has long provided a Sensor high-availability configuration; but what if the worst should happen to your Manager server? Most companies are not willing to rely on the manual method of Manager data archival, restoration of backups, and importing of exported policies to recover their Manager as part of their IPS DRP.


Enter the MDR feature. With MDR, two Manager servers are deployed as part of Network Security Platform. One host is configured as the Primary system; the other as the Secondary. Each runs the same major release of the Manager software with mirrored databases; however, the two hosts' hardware configurations do not need to be identical. The Secondary Manager can be deployed anywhere, for example at a disaster recovery site far from the Primary Manager. The Primary Manager is the active Manager by default; this Manager communicates with the Update Server, pushes configuration data to the Sensors, and receives alerts from the Sensors. The Secondary Manager remains in a standby state by default. While in standby mode it monitors the health status of the Primary Manager and retrieves Sensor configuration information from the Primary Manager at configured intervals.

Note 1: The standby Manager receives no data from the Sensors while in standby mode.

Note 2: The Secondary Manager is a warm standby system; it does not guarantee state synchronization with the Primary Manager. It updates configuration information at regular intervals (every 15 minutes), but it does not maintain state. (You can also manually update the Secondary Manager configuration rather than waiting for the automatic update.)

The Sensor, for its part, maintains a connection with both Managers; however, only the active Manager can control Sensors and receive alert data, and Sensors can only be added to an active Manager. (A new Sensor added to the active Manager in an MDR pair establishes trust first with the Primary Manager, and then attempts on its own to establish trust with the Secondary.)

Figure 5: An MDR pair’s communication with sensors


Switchover
Switchover, or failover from the Primary to the Secondary, can be manual (voluntary) or involuntary.

Note: In a situation where you have planned manual downtime and the downtime is expected to be brief, McAfee recommends that you manually suspend MDR, preventing the Secondary Manager from taking over and becoming active. You can then resume MDR when the downtime period is over.

The Secondary Manager performs regular "health checks" on the Primary Manager. If the Primary Manager is found to be unavailable during a health check, the Secondary Manager waits for a configurable time interval. If the Primary Manager is still unavailable after that interval elapses, control switches over to the Secondary Manager.

Note: You can switch over to the Secondary manually, as well.

Once the Secondary Manager is active, the Primary moves to standby. The Sensors are made aware of the switchover, communicate with the Secondary Manager, and the system continues to function without interruption. All "in-flight transactions" are lost upon failover from Primary to Secondary Manager. For instance, if the Primary Manager failed while a user was in the middle of a policy edit, the Secondary Manager will not be able to resume the policy edit.

Note: The MDR feature assumes that the Secondary Manager is a standby system, and that it will NOT assume control indefinitely. The Primary Manager should be diagnosed and repaired, and brought back online. While the Secondary Manager is active, McAfee recommends against making any configuration modifications on the Secondary Manager, as these modifications could cause data synchronization problems when the Primary Manager is resurrected.

Once the Primary Manager has recovered, you can switch control back to the Primary system. During this switch back, if you have made configuration changes on the Secondary, you have a choice whether to retain the configuration on the Primary or overwrite it with the changes made on the Secondary. After switch-back, alert and packet log data is copied from the Secondary to the Primary Manager, and can be viewed in the Historical Threat Analyzer. Data is re-synchronized, the Sensors return to communicating with the Primary, and the system is restored with the Primary Manager active and the Secondary Manager in standby mode.

Note: You can easily dissolve the MDR relationship between the two Managers and return either Manager to stand-alone mode. For more information, see Preparing for Manager Disaster Recovery (MDR), Manager Server Configuration Guide.

Double tagging attacks and L3 ACLs
Network Security Platform supports detection of attacks on double VLAN tagged packets. For more information, see IPS on double VLAN tagged traffic, Sensor CLI Guide.
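Detecting attacks inside double-tagged traffic presupposes that the inspection engine walks every VLAN tag before it looks for the IP header. The following added example (not McAfee code, and not a description of how the Sensor is implemented) builds a frame with an outer 802.1ad S-tag and an inner 802.1Q C-tag, parses the full tag stack, and contrasts that with a parser that strips only one tag: the latter reports the inner tag's TPID as the EtherType and never sees the IPv4 header at all. The TPID set, frames and addresses are constructed for the example.

```python
# Added example (not McAfee NSP code): walking stacked 802.1Q / 802.1ad VLAN
# tags so that inspection reaches the IP packet inside a double-tagged frame.
# The frames are constructed inline, and the single-tag inspector exists only
# to show what a parser that stops after one tag misses; neither describes
# how the Sensor itself is implemented.
import struct

# TPIDs that introduce a 4-byte VLAN tag (assumed set; 0x9100 is a pre-standard QinQ value)
TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "QinQ-legacy"}
ETH_P_IP = 0x0800


def build_frame(tags, ethertype, payload,
                dst=b"\xff" * 6, src=b"\x02\x00\x00\x00\x00\x01"):
    """Ethernet II frame with zero or more (tpid, vid) tags, outer tag first."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP and DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Strip every VLAN tag; return the tag stack plus the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    off, tags = 14, []
    while etype in TPIDS:
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tpid = etype
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        tags.append({"encap": TPIDS[tpid], "vid": tci & 0x0FFF, "pcp": tci >> 13})
        off += 4
    return {"vlans": [t["vid"] for t in tags], "tags": tags,
            "ethertype": etype, "payload": frame[off:]}


def parse_frame_single_tag(frame):
    """Inspector that strips at most one tag. On a double-tagged frame it reports
    the inner tag's TPID as the EtherType and hands the inner tag to the IP parser."""
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype in TPIDS:
        _tci, etype = struct.unpack("!HH", frame[14:18])
        off = 18
    return {"ethertype": etype, "payload": frame[off:]}


def ipv4_dst(payload):
    """Destination address of a (minimal) IPv4 header, or None if this is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ".".join(str(b) for b in payload[16:20])


def double_tagged_demo_frame():
    # Constructed 20-byte IPv4 header: 10.0.0.5 -> 192.0.2.20, protocol TCP, checksum left 0
    ipv4 = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 5, 192, 0, 2, 20])
    # Outer 802.1ad S-tag 100 wrapped around an inner 802.1Q C-tag 200
    return build_frame([(0x88A8, 100), (0x8100, 200)], ETH_P_IP, ipv4)


if __name__ == "__main__":
    f = double_tagged_demo_frame()
    full = parse_frame(f)
    naive = parse_frame_single_tag(f)
    print("full parse:", full["vlans"], hex(full["ethertype"]), ipv4_dst(full["payload"]))
    print("one tag:   ", hex(naive["ethertype"]), ipv4_dst(naive["payload"]))
```

The same loop is what lets policy be applied per VLAN sub-interface on tagged segments: the VLAN IDs it collects are the values a VLAN sub-interface matches on.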


L3 ACLs help you specify rules for fragmented traffic in Network Security Platform. For more information, see Using L3 ACLs for fragmented traffic, IPS Configuration Guide.


CHAPTER 3

Working with Network Security Platform resources
This section describes the relationships between McAfee® Network Security Platform resource components.

Network Security Platform resources
McAfee Network Security Platform deployment consists of the following resources and relationships between resources. Note: The resources described here are documented in later chapters of this Guide, and in more detail in the Administrative Domain Configuration Guide.

Admin Domain node
Administrative Domains, or admin domains for short, are optional organizational tools that enable you to logically partition your IPS into discrete portions and delegate their management to specific users. (For example, your company might have a New York office and a San Jose office. You can create a NY admin domain, organize all of the resources protecting the New York office in that domain, and delegate its management to the New York administrator.) The entire Network Security Platform deployment is organized under the Root Admin Domain, which is represented in the Resource tree illustrations in this chapter as My Company. For more information on Admin Domains, see Administrative Domains (on page 33).

Manager node
McAfee® Network Security Manager (Manager) is the overall system orchestrator. You use the Manager to add, configure, administer, and manage the physical resources (hardware and software server, OS, and software components running on the server) that comprise the Network Security Platform. Within the Manager resource, you can also configure global properties, such as update schedules, data backups, proxy server settings, and so forth. You can also deploy two Managers for a high-availability configuration. For more information on Manager high availability, see Manager Disaster Recovery (MDR) (on page 21).


Users and Roles
You can specify users of the system, and then assign them roles in an admin domain that permit them to perform the management and/or configuration tasks available to the role within that admin domain. For fine-grained customization of user roles, you can create custom roles and assign specific abilities to each role. For more information on users and roles, see Managing Users in Network Security Platform (on page 61).

Sensors node
McAfee® Network Security Sensors (Sensors) are the monitoring devices you configure to detect attacks. Each Sensor resource enables a variety of actions. Sensors are represented logically in the Manager by a user-given name with all corresponding interfaces and sub-interfaces displayed as hierarchical children. Sensor interfaces and sub-interfaces are the manifestation of the Network Security Platform’s Virtual IPS (VIPS) feature. Two Sensors of the same model can also be grouped into failover pairs, to provide high network availability. Sensor node actions include exporting and importing of individual Sensor configuration files, correspondence with host quarantine, configuration of Sensor ports, and updating of a Sensor’s configuration.

Interfaces node
An interface has both physical and logical attributes. Physically, an interface is a single port on the Sensor (for example, port 1A) or a pair of ports (for example, ports 1A and 1B). Logically, an interface describes how you wish to segment the traffic flowing through it: a logical interface can be configured as dedicated (all traffic, with no VLAN or CIDR qualification), VLAN (traffic marked with specific VLAN tags), or CIDR (traffic within a block of specific IP addresses). You can also logically group interfaces into an interface group to monitor an asymmetric traffic flow. Interface nodes enable application of IPS policy, creation of sub-interfaces for more granular policy application, and creation of granular Denial of Service policies.

Sub-Interfaces node
Sub-interfaces are logical subdivisions of interfaces. If an interface is connected to a segment that is transmitting VLAN or CIDR traffic, the interface can be segmented into several smaller groupings called sub-interfaces. One would normally configure a sub-interface in order to apply a different policy than the one applied to the rest of the interface, or to group various unique traffic instances with others that have common characteristics. Sub-interface node actions are a subset of the interface node actions.
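The following added example (not McAfee code) models how a policy is resolved for a packet arriving on an interface that carries VLAN or CIDR sub-interfaces, with the interface's own policy and then the admin domain's policy as fallbacks. The tie-break rules it uses, an exact VLAN ID match and, for overlapping CIDR sub-interfaces, the longest prefix that contains either endpoint, are assumptions made for the example, as are all resource names and policies.

```python
# Added example (not McAfee NSP code): resolving which policy applies to a
# packet that arrives on an interface carrying VLAN or CIDR sub-interfaces,
# falling back to the interface's own policy and then to the admin domain's.
# The tie-break rules (exact VLAN ID match; for overlapping CIDR sub-interfaces
# the longest prefix containing either endpoint) and all names are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SubInterface:
    name: str
    match: object          # VLAN ID (int) or an ipaddress network object
    policy: str


@dataclass
class Interface:
    name: str
    kind: str              # "dedicated", "VLAN" or "CIDR"
    policy: Optional[str] = None      # None means: inherit the admin domain policy
    subinterfaces: list = field(default_factory=list)


def resolve_policy(domain_policy, iface, vlan_id=None, src_ip=None, dst_ip=None):
    """Return (policy, node) where node is the Resource Tree node that supplied it."""
    if iface.kind == "VLAN" and vlan_id is not None:
        for sub in iface.subinterfaces:
            if sub.match == vlan_id:
                return sub.policy, sub.name
    elif iface.kind == "CIDR":
        best = None
        for sub in iface.subinterfaces:
            for ip in (src_ip, dst_ip):
                if ip is not None and ipaddress.ip_address(ip) in sub.match:
                    if best is None or sub.match.prefixlen > best.match.prefixlen:
                        best = sub
        if best is not None:
            return best.policy, best.name
    if iface.policy is not None:
        return iface.policy, iface.name
    return domain_policy, "admin domain"


def sample_interfaces():
    """Constructed resources: a VLAN-segmented port and a CIDR-segmented port pair."""
    vlan_if = Interface("1A", "VLAN", None, [
        SubInterface("finance-vlan10", 10, "Finance-Strict"),
        SubInterface("guest-vlan30", 30, "Guest-Wireless"),
    ])
    cidr_if = Interface("2A-2B", "CIDR", "Perimeter-Default", [
        SubInterface("dmz", ipaddress.ip_network("192.0.2.0/24"), "DMZ"),
        # a /32 inside the DMZ block for one host under DoS attack; the more specific match wins
        SubInterface("web1-dos", ipaddress.ip_network("192.0.2.20/32"), "Web1-DoS"),
    ])
    return vlan_if, cidr_if


if __name__ == "__main__":
    vlan_if, cidr_if = sample_interfaces()
    print(resolve_policy("Corp-Default", vlan_if, vlan_id=10))
    print(resolve_policy("Corp-Default", vlan_if, vlan_id=99))
    print(resolve_policy("Corp-Default", cidr_if, src_ip="203.0.113.9", dst_ip="192.0.2.20"))
    print(resolve_policy("Corp-Default", cidr_if, src_ip="203.0.113.9", dst_ip="192.0.2.7"))
    print(resolve_policy("Corp-Default", cidr_if, src_ip="203.0.113.9", dst_ip="198.51.100.4"))
```

A VLAN that has no sub-interface of its own on 1A inherits the admin domain policy because that interface sets none itself, whereas unmatched traffic on 2A-2B gets the interface's own Perimeter-Default policy.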


Policies node
Policies are the rule sets that instruct the Sensor on what events to detect and what to do when the event occurs. You can apply separate policies to an admin domain (wherein it would be applied to all interfaces on any Sensors in that domain), to interfaces, and to sub-interfaces. Policy node actions include creation of alert filters, rule sets, policies, and user-defined signatures, viewing of applied policy(ies), and export/importing of policy from/to the Manager. For more information on policies, see Working with Security Policies (on page 39).

The Resource Tree
The Resource Tree, which is located in the Manager’s Configuration page, is a hierarchical view of all your physical and virtual Network Security Platform resources reporting to the Manager. (Manager is also depicted in the Resource tree). When you first log in, the Configuration page displays six primary nodes on the Resource Tree: the Root Admin Domain node (which displays a user-configured name representing the overall system—in the following illustration, the name is My Company), the Manager node, the Device List node, the IPS Settings node, the NAC Settings node, and the Integration node.


Note: The hierarchical view within the Resource tree applies to the way the nodes are managed by Network Security Platform users and not necessarily to any networking or physical relationship between the resources. Nodes and the inheritance relationship between nodes are described in Nodes (on page 36) and Inheritance (on page 36).

Figure 6: The Resource Tree

Item Description
1 Root Admin Domain node
2 Manager node
3 Device List node
4 IPS Settings node
5 NAC Settings node
6 Integration node
7 Child Admin Domain node

Multiple new nodes may display as you leverage their features within Network Security Platform: the Failover Pairs node, the Interface node, and the Sub-Interface node. User-configured resources are represented with the same or a similar icon as one of the primary nodes, but labeled with the name you specified when you created the resource. For example, if you add a Sensor and name the Sensor "Bldg1Sensor," the Sensor appears in the list labeled as Bldg1Sensor.

The resource tree can also be viewed in the Split tree mode. Right-clicking on any of the nodes and enabling Split tree divides the resource tree into two tabs, Domain and Device. The Domain tab lists the Root Admin Domain node, the Manager node, and the Child Admin Domains. The Device tab lists the Network Security Platform resources configured in each domain.

Working with the Resource Tree
To configure your system, you click on one of the nodes in the Resource Tree. Configuration options specific to that resource appear in the right pane of the Configuration page. Note: As you make configuration changes to resources, bear in mind that many configuration changes do not take effect until you push the changes to the Sensor. For more information on configuring your resources, see Administrative Domain Configuration Guide.

Relationship between Sensors and resources in the Resource Tree
Several icons in the Resource Tree reflect the Sensors deployed in your network. This section describes the relationship between the Sensor and the icons that visually reflect the Sensor's configuration. As described in the section Network Security Platform resources (on page 25), multiple nodes reflect aspects of a Sensor: Sensors, Sensor_Name, Failover Pairs, Interface, and Sub-Interface.

Sensors icon
This node represents the available Sensor(s). The Sensors node is a logical parent: all of the actions configured at this level (configuring non-standard ports, updating all Sensors at once) logically apply to every Sensor managed by this node, including any Sensors configured to act as a Failover Pair. Sensors nodes are admin-domain specific; that is, rules configured at a Sensors node apply only to the Sensors of that admin domain.

Sensor_Name icons
The Sensor_Name icons represent the Sensors you add to the system. These Sensors are labeled with the names you specify when you create them. Sensors have multiple ports, or interfaces. These interfaces can be allocated to multiple admin domains in the system, meaning that while the Sensor may have been added to one admin domain, the allocated interface is controlled within the domain to which it was allocated. A single Sensor can thus appear by name in several places in the Resource Tree; however, its icon varies depending in which domain the Sensor was added.


Physical Sensors
The Physical Sensor icon represents the Sensor itself in the admin domain to which it was added. For example, if SensorA was added to Admin Domain A, then SensorA appears in the Resource Tree represented with a physical Sensor icon under the Admin Domain A node.

Virtual Sensors
The Virtual Sensors icon represents a parent domain Sensor that has had one or more interfaces allocated to the child domain under whose node it appears. For example, if SensorA was added to Admin Domain A, but has allocated two interfaces to Admin Domain B, then SensorA appears in the Resource Tree represented with a virtual Sensor icon under the Admin Domain B node. A Virtual Sensors node is not selectable. You can configure the real Sensor from its Physical Sensor node.

Failover Pair_Name
The Failover Pair_Name icon appears under the Sensors icon and represents two physical Sensors you configured to behave as one Failover Pair. A Failover Pair is labeled with the name you specify when you create it; for example, FailoverPair1. A Failover Pair consists of two identical Sensors (same model, same software, same configuration) running entirely in In-line Mode. The interfaces configured for the Sensor pair are displayed below the failover pair; for I-4000 Sensors, this is interface pair 1A and 1B. Interfaces are described below.

Member Sensors
The Member Sensors icon appears under the Failover Pair_Name icon, and lists the Sensors comprising the Failover Pair. The Member Sensors node is not selectable; configuration is performed at the Failover Pair_Name node.

Failover Sensor
Once you designate a Sensor to be part of a Failover Pair, its icon changes to show it is a Failover Sensor. A Failover Sensor is represented by the name you gave the Sensor when you created it.

Interfaces
Expanding the view of a Sensor displays the ports/interfaces available. An Interface is a representation of a single physical port on the Sensor (for example, 1A), a port pair (for example, 1A and 1B), or, for asymmetrically routed traffic, logically grouped ports (for example, 1A & 1B and 2A & 2B, or 1A and 2A). Sensor interfaces are represented in the Resource Tree by their port number, and can be named by the user in VLAN or CIDR scenarios; however, the port number still appears.


Sub-interfaces
If an interface is connected to a segment that is transmitting VLAN or CIDR traffic, the interface can be segmented into several smaller groupings called sub-interfaces. One would normally configure a sub-interface to apply a different policy than what is applied at the interface level, or to group various unique traffic instances with others that have common characteristics (namely VLAN or CIDR traffic). You could also create a sub-interface to protect a specific host that is the target of a DoS/DDoS attack. The sub-interfaces are listed under the interface they constitute. Thus interface 1A could, for example, be subdivided into 5 sub-interfaces. Sub-interfaces are represented in the Resource Tree by their user-specified names or numbers. The following graphic illustrates failover pair nodes in the Configuration page Resource Tree.

Figure 7: Resource Tree with user-configured resources displayed


Item Description
1 Sensor_Name node (physical Sensor)
2 Interface node
3 Sub-Interface node
4 Child Admin Domain node
5 Failover Sensor node
6 Sensor_Name node (virtual Sensor)

The following graphic illustrates the location of interfaces in a physical Sensor.

Figure 8: Location of interfaces in the physical sensor


CHAPTER 4

Working in Administrative domains
This section explains the concept of administrative domains and how domains are represented in McAfee® Network Security Manager (Manager). For specific instructions on how to configure admin domains, see Administrative Domain Configuration Guide.

What is an administrative domain?
An administrative domain, or admin domain for short, is an organizational tool used specifically to group McAfee® Network Security Platform resources so that management of the resources can be delegated to specific McAfee Network Security Platform users. An admin domain can contain other admin domains, McAfee® Network Security Sensors (Sensors), Sensor interfaces, and Sensor sub-interfaces. This administrative domain concept enables enterprises to create a central authority that is responsible for the overall Network Security Platform, and to allow this central authority to delegate day-to-day operations of Network Security Platform security resources to appropriate entities— business units, geographic regions, IT departments, individual security personnel, and so on.

Root Admin Domain
The top level admin domain is called the Root Admin Domain. (The icon used to depict it in the Resource tree is shown at left.) Users with Super User access to the Root Admin Domain have complete control over the entire administrative domain and all resources within it, including any child domains, and thus all security resources in the system. For example, suppose your company (which we’ll call My Company) is headquartered in London, and has satellite offices in New York, Paris, and San Francisco. If your Network Security Platform deployment monitors the entire company, your Root Admin Domain could encompass all four sites and all of the Network Security Platform components within the environment, and you could manage the entire system from London.


The following graphic shows this arrangement in the Resource Tree in the Configuration page of the Manager. The root admin domain is labeled “My Company.”

Figure 9: The Root Administrative Domain for My Company

Parent and child admin domains
Perhaps managing “My Company’s” entire Network Security Platform deployment from London is impractical. It might make more sense to delegate management of the Network Security Platform resources protecting various geographical locations to entities in those locations. To delegate management functions to each of the four offices, you would create a subdomain representing each office. These subdomains are called child admin domains or child domains. Creating child domains enables you to delegate to entities more familiar with the subdomain’s environment the job of monitoring and/or configuring the IPS devices in that subdomain. You are not required to subdivide your admin domains into child domains; however, if you want to delegate responsibilities for managing Network Security Platform resources among multiple individuals within your organization, you do so by creating child domains.

Note: To delegate responsibilities, you create user accounts and give each user a role that defines how the user can interact with the resources in the child admin domain. For more information on roles, see Managing Users in Network Security Platform (on page 61).

You can further break child domains into smaller subdomains. Any domain with child domains is a parent. A child domain can be parent to other child domains. You can subdivide your Root Admin Domain into child domains that are large, from a resource perspective, delegating management of all the Network Security Platform resources protecting multiple geographic regions. Or you can create domains that are very small: a few interfaces on a single Sensor, or even a VLAN tag or CIDR address within a segment of traffic transmitting between two hosts in the protected network.


Admin domain hierarchy
Administrative domains are graphically represented in the Resource Tree as a hierarchical tree structure. Resources in the Network Security Platform are represented as nodes on the Resource Tree, as illustrated in the following graphic.

Figure 10: Resource Tree Components


Item | Description
1 | Sensor_Name Node (physical Sensor)
2 | Interface node
3 | Sub-Interface node
4 | Child Admin Domain node
5 | Allocated interface node

In this figure, the node (My Company) at the top of the tree represents the Root Admin Domain.

Note: The structure of the Resource Tree reflects the way the nodes are managed by system users and not necessarily any networking or physical relationship between the resources. A user’s role determines their view of the Resource Tree. Only resources the user is permitted to view are displayed in the tree.

Nodes
Each item in the Resource Tree is a node and represents a Network Security Platform resource. A node can represent a logical entity, like a child domain, or a physical entity, like an interface on a Sensor. A single Admin Domain node can be a parent or child. It can be a parent to nodes under it, while being a child to a node above it. There might be several levels of child nodes.

Inheritance
It is important to understand the relationship between parent and child admin domains because (by default) child admin domains inherit policies from parent admin domains, and because users are automatically granted the same privileges in the child domains as those enabled by their roles in the parent domain.

Policy inheritance means that a child takes policies, or inherits them, from the parent. If you do not specify a policy when you create the child, the child automatically inherits the policies of its parent. To override policy inheritance from the parent, you assign a policy to the child admin domain that is specific to that child domain. For more information on policies, see Working with Security Policies (on page 39).

User roles work similarly, but with a slight difference. Roles apply within the current domain and any of its children. Because child domains are essentially contained within parent domains, if a user is given, for example, a Super User role for a parent domain, that role also applies to all children of the parent. Thus, to use the domain hierarchy shown in the figure in Admin domain hierarchy (on page 35) as an example, a user assigned a System Administrator role for the Finance department has that role for the Payroll and Accounts Payable domains as well. Note that additional roles can be granted to the user at the child level, but a role granted at a parent cannot be overridden at a child level.

For more information on roles, see Managing Users in Network Security Platform (on page 61).
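The role rules above (roles flow down to child domains, extra roles may be added at a child, a parent's grant cannot be withdrawn at a child, and a user sees only the domains on which they hold a role) can be modelled as a small tree. The following is an added illustration written for this guide, not Manager code; the My Company / Finance / Payroll / Accounts Payable domains follow the text's example, while the users (alice, bob, carol), the New York domain and the grants are constructed.

```python
"""Admin domain role inheritance, an added illustration; not Manager code.

Roles granted to a user in a domain apply there and in every child domain. Extra
roles can be granted at a child, but a grant made at a parent cannot be withdrawn
at a child. A user's view of the Resource Tree is limited to domains on which
they hold at least one role. The domain names follow the text; users and grants
are constructed sample data.
"""
from typing import Dict, List, Optional, Set


class Domain:
    def __init__(self, name: str, parent: Optional["Domain"] = None) -> None:
        self.name = name
        self.parent = parent
        self.children: List["Domain"] = []
        self.grants: Dict[str, Set[str]] = {}   # user -> roles granted at this domain
        if parent is not None:
            parent.children.append(self)

    def grant(self, user: str, role: str) -> None:
        self.grants.setdefault(user, set()).add(role)

    def effective_roles(self, user: str) -> Set[str]:
        """Union of the roles granted on this domain and on every ancestor."""
        roles: Set[str] = set()
        node: Optional[Domain] = self
        while node is not None:
            roles |= node.grants.get(user, set())
            node = node.parent
        return roles

    def revoke(self, user: str, role: str) -> None:
        """A role can only be withdrawn at the domain where it was granted."""
        local = self.grants.get(user, set())
        if role not in local and role in self.effective_roles(user):
            raise PermissionError(f"{role} for {user} is inherited from above {self.name}")
        local.discard(role)

    def visible_tree(self, user: str) -> List[str]:
        """Domains the user can see, in tree order: those on which they hold a role."""
        names = [self.name] if self.effective_roles(user) else []
        for child in self.children:
            names.extend(child.visible_tree(user))
        return names


def find(root: Domain, name: str) -> Optional[Domain]:
    """Depth-first lookup of a domain by name."""
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def try_revoke(domain: Domain, user: str, role: str) -> bool:
    """True if the revoke succeeded, False if it was rejected as inherited."""
    try:
        domain.revoke(user, role)
        return True
    except PermissionError:
        return False


def build_sample() -> Domain:
    """Constructed tree: root, Finance with two children, and a New York office."""
    company = Domain("My Company")
    finance = Domain("Finance", company)
    payroll = Domain("Payroll", finance)
    Domain("Accounts Payable", finance)
    Domain("New York", company)
    company.grant("alice", "Super User")            # root grant: applies everywhere
    finance.grant("bob", "System Administrator")    # applies to Payroll and Accounts Payable too
    payroll.grant("carol", "System Administrator")  # Payroll only; not visible from Accounts Payable
    return company
```

Running `build_sample()` and asking `root.visible_tree("bob")` yields only the Finance subtree, which is the filtered Resource Tree the text describes; revoking bob's role at Payroll is rejected because the grant lives at Finance.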

Alert and fault notification and forwarding
From the Admin Domain resource you can configure notification and forwarding of alerts and system faults. Notification enables the Manager to send an email, page an individual, or execute a script when an alert or fault matching the settings you have configured is detected. Alert and fault forwarding enables you to configure the Manager to send alert and/or fault data to a specified syslog and/or SNMP server.

Vulnerability assessment of hosts
Manager now has the ability to load vulnerability data from McAfee Foundstone and from the Nessus open source vulnerability scanner. Based on a common CVE and/or Bugtraq ID, Manager correlates alerts with the imported scan data and displays the result in a separate Threat Analyzer column entitled “Vulnerability Relevance”. If a Network Security Platform alert shares the same exploit/vulnerability combination as is found in the Foundstone data, and the target IP has also been cited by Foundstone as being vulnerable, the alert is tagged with a value of '1', indicating that it is relevant. This information helps prioritize alert data.
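The relevance rule just described is a join between alerts and scan findings on (target IP, vulnerability reference). The following is an added illustration of that join written for this guide, not Manager code; the hosts, alerts and findings are constructed sample data and the CVE and Bugtraq identifiers are placeholders, not real advisories.

```python
"""Alert/vulnerability relevance correlation, an added illustration; not Manager code.

Implements the rule the text describes: an alert is tagged relevant (1) when its
attack's CVE or Bugtraq ID also appears in imported scan data for the alert's
target IP, otherwise 0. Hosts, alerts and findings below are constructed sample
data; the CVE/Bugtraq identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    attack: str
    target_ip: str
    cve: str = ""        # CVE reference carried by the attack definition, if any
    bugtraq: str = ""    # Bugtraq ID, if any


@dataclass(frozen=True)
class Finding:
    host_ip: str         # host the scanner reported as vulnerable
    cve: str = ""
    bugtraq: str = ""


def _refs(cve: str, bugtraq: str) -> Set[str]:
    """Normalise the two reference kinds into one comparable set."""
    refs: Set[str] = set()
    if cve:
        refs.add(cve.upper())
    if bugtraq:
        refs.add("BID-" + bugtraq)
    return refs


def index_findings(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map host IP -> vulnerability references the scanner reported for it."""
    index: Dict[str, Set[str]] = {}
    for f in findings:
        index.setdefault(f.host_ip, set()).update(_refs(f.cve, f.bugtraq))
    return index


def relevance(alert: Alert, index: Dict[str, Set[str]]) -> int:
    """1 if the target was reported vulnerable to the alert's CVE/Bugtraq ID, else 0.
    A host absent from the scan data is unknown, not safe, and also scores 0."""
    return 1 if _refs(alert.cve, alert.bugtraq) & index.get(alert.target_ip, set()) else 0


def tag_alerts(alerts: List[Alert], findings: List[Finding]) -> List[Tuple[Alert, int]]:
    index = index_findings(findings)
    return [(a, relevance(a, index)) for a in alerts]


# Constructed sample data with placeholder identifiers.
SAMPLE_FINDINGS = [
    Finding("192.0.2.5", cve="CVE-0000-0001"),
    Finding("192.0.2.9", bugtraq="00001"),
]
SAMPLE_ALERTS = [
    Alert("Example exploit A", "192.0.2.5", cve="CVE-0000-0001"),   # target reported vulnerable -> 1
    Alert("Example exploit A", "192.0.2.7", cve="CVE-0000-0001"),   # same attack, unscanned host -> 0
    Alert("Example exploit B", "192.0.2.9", bugtraq="00001"),        # Bugtraq ID match -> 1
    Alert("Example exploit C", "192.0.2.9", cve="CVE-0000-0002"),    # vulnerable host, other bug -> 0
]
```

Note that a 0 only means no evidence of relevance: a host that was never scanned gets 0 just like a patched one, so the column is a prioritisation aid rather than a reason to discard alerts.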

Using Foundstone from Manager
McAfee Foundstone Enterprise is a leading vulnerability management product, offering automated discovery, risk assessment, and prioritization of vulnerabilities and threats. Network Security Platform-Foundstone integration increases the timeliness of vulnerability assessment data correlation.

Note: For more information on this integration, see Integration with Foundstone, Integration Guide.

In Manager, the following functionalities are available from the Network Security Platform-Foundstone integration:

On-demand scan from Threat Analyzer using Foundstone
Foundstone can be set to scan critical hosts regularly from the Threat Analyzer. This is done by executing an on-demand scan for individual alerts listed in the Threat Analyzer. The source or destination IP address specified in the alert is used to scan the host. The Foundstone scan results indicate the relative risk level of the scanned hosts. Based on the relative risk level, you can identify the riskiest hosts attacking the highest value assets in your network.


Automatic and manual import of vulnerability scanner reports
The vulnerability report from the Foundstone database can be automatically imported via the Scheduler in Manager. A stored procedure installed on the Foundstone database server is used directly in this process. Manager uses the time of the last vulnerability report import as the criterion for fetching the most relevant vulnerability report from the Foundstone database. For more information, see Automatic report import using Scheduler, Integration Guide. You can also manually import Foundstone scan reports from the Manager user interface. For detailed steps, see Manually importing scan reports, Integration Guide.

Relevance analysis
This involves the analysis of the relevance of real-time alerts, using the vulnerability data imported to Manager database. For more information, see Relevance analysis of attacks, Integration Guide.


CHAPTER 5

Working with Security Policies
This section provides information on developing and applying IPS policies for McAfee® Network Security Platform.

What are security policies?
A security policy, or IPS policy, is a set of rules that governs what traffic is permitted across your network, and how to respond to misuse of the network. An effective policy is one that is customized to the network environment being monitored. Security policies can set rules for protocols (HTTP, UDP), operating systems (NT, Solaris), and other types of information transmitted across your network. Knowing what types of traffic cross your different segments will help you determine the types of policies you will require to efficiently and successfully protect your network against intrusions and misuse.

Network Security Platform policies
A Network Security Platform policy is a set of rules/instructions defining the malicious activity you want your McAfee® Network Security Sensors (Sensors) to detect and how you want to respond if the activity is detected. Creating a policy enables you to define a set of rules that describe the different services, protocols, and/or product implementations in your network. The best practice for protecting against misuse is not to apply a one-size-fits-all policy to the entire network, but to create multiple specific policies which focus on the specific needs of unique segments of your network. McAfee Network Security Platform enables you to create policies for your network resources right down to individual sub-flows of network traffic.

Imagine a network that has Windows and Linux hosts interspersed across it. The best approach here is to apply a policy that includes attacks for both Windows and Linux on all ports through which their traffic will flow. If this network happens to be controlled in such a way that the traffic from all Windows hosts is flowing through one segment of the network and the traffic from all Linux hosts is flowing through a different segment, you could connect these different segments to different monitoring ports. You could then apply Windows-specific and Linux-specific policies to the respective ports. In doing so, you would minimize the chance of false positives and reduce the quantity of scanning required on each port.


Policy application
Current Sensor-based IPS products permit you to apply only one security policy for the entire Sensor. Typically these one-policy Sensors also have only one port which cannot be segmented for more granular policy application. However, if you have multiple segments to monitor or you need to monitor aggregated traffic—like on Gigabit uplinks—a multi-port box and more granularity in the inspection process makes for a much more cost effective and efficient security solution. Sensor appliances have multiple ports coupled with multiple policy application options. Thus, Network Security Platform offers its Virtualization feature (known as VIDS or VIPS).

VIPS--applying policies at the Interface and sub-interface level
The VIPS feature enables you to configure multiple policies for multiple unique environments and traffic directions all monitored with a single Sensor. The goal of virtualization is scanning granularity. Virtualization allows you to apply multiple policies to traffic flowing through a single interface. In this way, a unique scanning policy can be applied to a single host or group of hosts, when their traffic will not travel through a unique Sensor port. For example, suppose port 1A of an I-2700 Sensor is connected to the SPAN port on a switch. Port 1A is configured with a specific environment detection policy. The rest of the ports on the Sensor can have policies completely different than the policy on 1A, or they can use the same policy. Or, each port can be segmented by multiple VLAN tags or CIDR addresses, each customized with its own security policy.

Sensors
Policy can be applied at the Sensor level; however, this policy application is intended to be inherited by those interfaces of a Sensor whose custom-applied policy has been deleted. For example, you have created a custom policy called Custom1. You apply it to interfaces 1B, 2A, and 4B on a single I-2700 Sensor. After some time, you determine Custom1 does not work effectively, and you want to delete it. You can apply a different policy to the Sensor that will allow you to delete the custom policy without having to change the policy at each interface where it has been applied. When you delete the custom policy, all of the interfaces (1B, 2A, and 4B) enforcing the policy will inherit the policy applied to the Sensor.

Interfaces
Networking professionals often interchange the terms port and interface. In the Network Security Platform context, however, there is an important distinction to be made: a port represents the physical component, whereas an interface represents the logical abstraction of one or more physical monitoring ports on a Sensor and all traffic flowing through the port(s). All Sensor interfaces are represented by FE or GE monitoring ports connected directly or through an external tap, hub, or SPAN port to network segments. A simple, yet effective example of the difference between port and interface is the “port pair.” When you configure a Sensor to run inline, you combine and manage the two physical ports as a single logical interface.


To use an example, suppose you have a Finance parent domain, and it has two child domains—Payroll and Accounts Payable. Now suppose that the Payroll department network is comprised entirely of Windows machines, and Accounts Payable is predominantly Solaris. You have a single Sensor that is running in internal tap mode with two peer ports, port pair 1A and 1B, monitoring traffic in the Payroll department and port pair 2A and 2B monitoring Accounts Payable. You can use the supplied Windows Server policy and apply it to the Payroll interface and the Solaris Server policy to apply to the Accounts Payable interface.

Figure 11: Deploying security policies

Sub-interfaces
The terms VIDS and VIPS reinforce the idea that virtualization allows you to tailor a single Sensor solution as if it were a multiple-Sensor solution. The Network Security Platform user interface uses the term sub-interface, and this term better describes the process by which virtualization is implemented.


Sensors take port monitoring deeper than the interface level: you can segment the security management of an interface and apply policies at a traffic sub-flow level within the interface. A sub-flow, or sub-interface, is a segment of data within a traffic flow. This sub-interface is also a VIPS. A VIPS can be defined based on one or more blocks of CIDR-based IP addresses or one or more VLAN tags. Sensors can process these data segments and apply multiple traffic policies for the multiple subnets transmitting across a single wire, right down to policies protecting individual hosts.

Figure 12: Policies on sub-interfaces

In the above figure, a gigabit uplink between a router and a switch is monitored in external tap mode by an I-4000. Behind the switch is a corporate network with five departments: HR, Sales, Payroll, Engineering, and Marketing. The traffic for each of these departments has been segmented using VLANs with each department’s traffic tagged with a distinct VLAN ID, represented by the numbers 1-5 in the illustration. Using peer ports 1A and 1B to tap the full-duplex uplink, the I-4000 can analyze and process the VLAN IDs in the traffic transmitted between the router and switch. The security administrator can configure unique policies for each VLAN ID (representing traffic from the different departments) within the uplink, rather than apply a single policy across the entire interface. In this scenario, each of the five VLAN IDs from each of the five departments can have a distinct policy assigned to it, or different combinations of the VLAN IDs within the uplink can have the same policy applied. Policy application simply depends on assigning a policy to an interface or sub-interface resource as you see fit.
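The selection the Sensor makes in this scenario (which sub-interface, and therefore which policy, a given flow belongs to) can be written down as a small classifier. The following is an added illustration for this guide, not Sensor code; the five departments with VLAN IDs 1 to 5 follow the figure, while the interface names, the policy chosen per department, the CIDR-segmented DMZ interface and all IP addresses are constructed. It also shows the CIDR case the text mentions, with a single-host block carved out of its subnet.

```python
"""Sub-interface (VIPS) policy selection, an added illustration; not Sensor code.

An interface carries its own policy. Sub-interfaces carve it up by VLAN ID or by
CIDR block, each with a policy of its own; a flow is matched to the most specific
sub-interface and unmatched traffic falls back to the interface policy. The
department/VLAN numbering follows the uplink example in the text; interface
names, addresses and the policy choices are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SubInterface:
    name: str
    policy: str
    vlan_ids: frozenset = frozenset()   # VLAN-tag based VIPS ...
    cidrs: tuple = ()                   # ... or CIDR-block based VIPS

    def specificity(self, vlan_id: Optional[int], src_ip: str, dst_ip: str) -> Optional[int]:
        """None if the flow does not belong here; otherwise a rank, higher = more specific.
        A VLAN match ranks 0; a CIDR match ranks by the longest matching prefix, so a
        single-host /32 sub-interface wins over the /24 that contains it."""
        if self.vlan_ids:
            return 0 if vlan_id in self.vlan_ids else None
        best: Optional[int] = None
        for cidr in self.cidrs:
            net = ipaddress.ip_network(cidr)
            for ip in (src_ip, dst_ip):
                if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best):
                    best = net.prefixlen
        return best


@dataclass
class Interface:
    name: str
    policy: str
    sub_interfaces: List[SubInterface] = field(default_factory=list)

    def select(self, vlan_id: Optional[int], src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Return the (resource name, policy) that applies to this flow."""
        best: Optional[Tuple[int, SubInterface]] = None
        for sub in self.sub_interfaces:
            rank = sub.specificity(vlan_id, src_ip, dst_ip)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, sub)
        if best is None:
            return self.name, self.policy      # no sub-interface claimed the flow
        return best[1].name, best[1].policy


# Constructed topology: the tapped gigabit uplink from the text, one VLAN per department.
UPLINK = Interface("1A-1B", "Default Inline IPS", [
    SubInterface("HR", "Windows Server", vlan_ids=frozenset({1})),
    SubInterface("Sales", "Windows and Solaris Server", vlan_ids=frozenset({2})),
    SubInterface("Payroll", "Windows Server", vlan_ids=frozenset({3})),
    SubInterface("Engineering", "Linux Server", vlan_ids=frozenset({4})),
    SubInterface("Marketing", "Windows Server", vlan_ids=frozenset({5})),
])

# Constructed DMZ interface segmented by CIDR, with one host carved out of its subnet.
DMZ = Interface("2A-2B", "Default IDS", [
    SubInterface("dmz-net", "DMZ", cidrs=("192.0.2.0/24",)),
    SubInterface("web-host", "Web Server", cidrs=("192.0.2.10/32",)),
])
```

A VLAN ID that no sub-interface claims (for example a sixth VLAN appearing later on the uplink) silently falls back to the interface policy, which is worth checking when auditing a virtualized deployment: traffic you expected to be covered by a departmental policy may be covered by the interface default instead.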


DoS policies
It is also worth noting that each interface and sub-interface maintains a unique Denial-of-Service (DoS) profile. DoS policies can be applied to subsets of a sub-interface for even more granular security monitoring. These DoS profile instances are known as DoS IDs. You can monitor DoS attacks to the granularity of individual hosts. Any deviation from the established normal traffic behavior flags a DoS condition, even a situation wherein a single host/subnet downstream of a gigabit network link comes under attack with as little as a couple of Mbps of traffic. The Sensor’s granular DoS detection can spot the attack.

Another reason to consider creating a sub-interface for a single host is when that host tends to have traffic patterns that are significantly different from the rest of the hosts sharing the interface. An example is an e-commerce Web server as compared to internal file and print servers; the Web server will no doubt have a different traffic pattern than the file and print servers. If not isolated from the file and print servers, that one Web server is potentially skewing the calculations for the entire interface and therefore creating false positives, or even false negatives, in the DoS analysis process. By isolating that one host, you allow the Sensor to analyze the traffic destined to and originating from the file and print servers independently of the traffic to and from the Web server, and therefore increase the likelihood the analysis will be accurate.

Pre-configured policies
McAfee supplies a set of pre-configured policies for immediate application in a number of different network environments. These policies are available in the IPS Policy Editor, which is located under the Policies node in the Resource tree of the System Configuration tool. These policies are “starting points,” designed to help you get your system up and running quickly. You can use any of the default scenarios initially, or you can clone and modify these and apply your new policies. In fact, the Default Inline IPS policy, applied by default when you add your first Sensor, enables you to begin monitoring your network immediately, and actually begin blocking attacks right out of the box (if you deployed your Sensor in in-line mode). As you tune your IPS, you will modify these policies to best suit your particular environment. Each pre-configured policy is designed to address the most common attacks targeting specific network environments. To provide the most efficient attack detection options, these policies take into account distinct factors such as protocols (HTTP, SMTP), services (email, FTP, Web), and implementations (Apache, IIS). Attacks are classified into four general categories:

• Denial of Service (DoS) and Distributed Denial of Service (DDoS): all of the conditions indicative of activities that lead to service disruption, including the slowing down or crashing of applications, servers, or networks.
• Exploit: all malicious activities, other than DoS and Reconnaissance, carried out through specific traffic content. This includes buffer overflows, viruses, and worms.
• Reconnaissance: all of the conditions indicative of probing, scanning, and OS fingerprinting activities. These activities are generally in preparation for more targeted attacks.
• Policy Violation: all activities for which the underlying traffic content may not be malicious by itself, but are explicitly forbidden by the usage policies of the administrative domain. This includes application protocol behaviors that violate common usage practices.


The pre-configured policies and their descriptions are listed below.

Note: All provided policies, except for the two All-Inclusive policies, enable attacks with a minimum Severity of 2 (Low) and a maximum Benign Trigger Probability of 4 (Medium). The Severity and Benign Trigger Probability settings exclude known noisy signatures in an effort to limit spurious alerts.


Policy | Designed to Protect Against
Default Inline IPS | All attacks of Low severity or greater, below a Medium benign trigger probability, with a blocking Sensor action enabled for all McAfee Recommended for Blocking (RFB) attacks.
Default IDS | All attacks of Low severity or greater, below a Medium benign trigger probability.
Outside Firewall | All attacks except for the Reconnaissance category.
DMZ | All attack types except for those Exploits using TFTP, Telnet, RIP, NETBIOS, NFS, and WINS.
Inside Firewall | All attack types except for those Exploits using TFTP, Telnet, and RIP.
Internal Segment | All attacks except for Exploits using RIP and routing protocol attacks.
Web Server | All Reconnaissance and DoS attacks, generic backdoors, and Exploits using DNS, HTTP, and FTP protocols.
Mail Server | All Reconnaissance and DoS attacks, generic backdoors, and Exploits using DNS, SMTP, POP3, and IMAP protocols.
DNS Server | All Reconnaissance and DoS attacks, generic backdoors, and Exploits using the DNS protocol.
File Server | All Reconnaissance and DoS attacks, generic backdoors, and Exploits using DNS, NFS/RPC, and NETBIOS/SMB protocols.
Windows Server | All attacks where the impacted OS includes Windows.
Solaris Server | All attacks where the impacted OS includes Solaris.
UNIX Server | All attacks where the impacted OS includes UNIX.
Linux Server | All attacks where the impacted OS includes Linux.
Windows and UNIX Server | All attacks where the impacted OS includes Windows or UNIX.
Windows and Solaris Server | All attacks where the impacted OS includes Windows or Solaris.
Windows, Linux, and Solaris Server | All attacks where the impacted OS includes Windows, Linux, or Solaris.
All-Inclusive without Audit | All attacks, including those with known noisy signatures, but omitting Informational severity attacks. This policy differs from Default as it alerts for every attack in the Network Security Platform database, including those with noisy signatures. This enables expert security personnel to fully analyze their network traffic. Informational “attacks” are not enabled.
All-Inclusive with Audit | Similar to above, with the exception that Informational-level alerts are included.
Null | All signatures are disabled by default. This policy is provided for the scenario where a substream of traffic needs to be ignored by the IPS.


For example, in the following figure, an I-2700 Sensor protects three network areas: outside the firewall, inside the firewall, and the DMZ. You can enforce a single policy across all three areas, or you can configure individual policies specifically for each zone. In this example, the area outside the firewall is best protected by the default Outside Firewall policy (or one similar to it created by an admin) provided with Network Security Platform. For the DMZ area, the provided DMZ policy is the most efficient for that segment. Similarly, for the area inside the firewall, the provided Inside Firewall policy is best suited for the traffic in that zone.

Figure 13: Deploying Security Policies

Configuring policies in Network Security Platform
You configure policies using the IPS Policy Editor in the Configuration page, apply them to a resource (for example, an admin domain, an interface, or a sub-interface), and these policies are then propagated to Sensors for enforcement. Although policies are inherently complex, the Policy Editor facilitates the configuration process with straightforward, step-by-step configuration screens.

About rule-based policies
Network Security Platform policies are rule-based. A rule-based policy consists of an ordered list of attack selection rules, and is somewhat similar to an Access Control List (ACL). A set of ordered rules is used to determine what attacks or conditions are of interest, and thus should be monitored. A rule set is configured based on attack category, operating system, protocol, application, severity, and benign trigger probability options. Each rule in a set is either an include rule or an exclude rule. An include rule (which should always start a rule set) is a set of parameters that encompass a broad range of well-known attacks for detection. An exclude rule removes elements from the include rule in order to focus the policy’s rule set. By this process of broadening (includes) and narrowing (excludes), you can enable detection of just the attacks that impact the intended environment. For example, if you view the Default IDS policy rule set, the rule set includes all DoS and Reconnaissance attacks, and includes all Exploit attacks above a level 2 (low) severity and below a level 4 (medium) benign trigger probability, thus excluding a specific list of attacks that are not critical enough or contain signatures that are inherently noisy.
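The ACL-like evaluation just described (an include rule first, then includes widening and excludes narrowing the enabled set, each rule matching on category, OS, protocol, severity and benign trigger probability) is shown below as an added illustration written for this guide; it is not the Manager's Policy Editor or its policy format. The attack catalog is constructed sample data, the severity/BTP values above 2 and 4 are made up, and the severity and BTP thresholds are treated as inclusive (an assumption; the text says "above 2" in one place and "minimum of 2" in another). The Default IDS, Inside Firewall and Windows Server rule sets below are transcriptions of the table descriptions, not the shipped definitions.

```python
"""Rule-based policy evaluation, an added illustration; not the Manager's Policy Editor.

A policy is an ordered list of include/exclude rules over attack attributes
(category, OS, protocol, severity, benign trigger probability). Includes add
matching attacks to the enabled set; excludes remove them. Thresholds are
assumed inclusive. The attack catalog and the three rule sets are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Attack:
    name: str
    category: str        # "DoS", "Exploit", "Reconnaissance", "Policy Violation"
    protocol: str
    os: FrozenSet[str]   # impacted operating systems
    severity: int        # 2 = Low, 4 = Medium, as in the text; other values constructed
    btp: int             # benign trigger probability, same scale


@dataclass(frozen=True)
class Rule:
    include: bool
    categories: Optional[FrozenSet[str]] = None
    protocols: Optional[FrozenSet[str]] = None
    os: Optional[FrozenSet[str]] = None
    min_severity: Optional[int] = None
    max_btp: Optional[int] = None

    def matches(self, a: Attack) -> bool:
        """Every criterion that is set must hold; unset criteria match anything."""
        if self.categories is not None and a.category not in self.categories:
            return False
        if self.protocols is not None and a.protocol not in self.protocols:
            return False
        if self.os is not None and not (a.os & self.os):
            return False
        if self.min_severity is not None and a.severity < self.min_severity:
            return False
        if self.max_btp is not None and a.btp > self.max_btp:
            return False
        return True


def evaluate(rules: List[Rule], catalog: List[Attack]) -> Set[str]:
    """Apply rules in order, ACL-style; return the names of enabled attacks."""
    if not rules or not rules[0].include:
        raise ValueError("a rule set must start with an include rule")
    enabled: Set[str] = set()
    for rule in rules:
        hits = {a.name for a in catalog if rule.matches(a)}
        enabled = (enabled | hits) if rule.include else (enabled - hits)
    return enabled


ALL_OS = frozenset({"Windows", "Linux", "Solaris"})

# Constructed catalog; names, protocols and scores are illustrative only.
CATALOG = [
    Attack("SYN flood", "DoS", "TCP", ALL_OS, 5, 1),
    Attack("Port sweep", "Reconnaissance", "TCP", ALL_OS, 2, 3),
    Attack("HTTP header overflow", "Exploit", "HTTP", frozenset({"Windows"}), 6, 2),
    Attack("TFTP path traversal", "Exploit", "TFTP", frozenset({"Windows", "UNIX"}), 4, 2),
    Attack("Telnet banner oddity", "Exploit", "Telnet", frozenset({"UNIX"}), 1, 3),   # below Low severity
    Attack("Noisy SMB probe", "Exploit", "SMB", frozenset({"Windows"}), 3, 6),        # too likely benign
    Attack("Instant messaging use", "Policy Violation", "HTTP", frozenset({"Windows"}), 2, 2),
]

# "All DoS and Reconnaissance attacks, plus Exploits at/above Low severity and at/below Medium BTP."
DEFAULT_IDS = [
    Rule(True, categories=frozenset({"DoS", "Reconnaissance"})),
    Rule(True, categories=frozenset({"Exploit"}), min_severity=2, max_btp=4),
]

# "All attack types except Exploits using TFTP, Telnet, and RIP", with the common thresholds.
INSIDE_FIREWALL = [
    Rule(True, min_severity=2, max_btp=4),
    Rule(False, categories=frozenset({"Exploit"}), protocols=frozenset({"TFTP", "Telnet", "RIP"})),
]

# "All attacks where the impacted OS includes Windows", with the common thresholds.
WINDOWS_SERVER = [Rule(True, os=frozenset({"Windows"}), min_severity=2, max_btp=4)]
```

Because rules are applied in order, an exclude placed before the include that would have re-added the attack is a no-op; keeping excludes after the broad include (as the text recommends) makes the resulting set predictable.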

Attacks vs. signatures in Network Security Platform
Note that as you interact with Network Security Platform policies, you encounter the term attack, not signature. Network Security Platform defines an attack as being comprised of one or more signatures, thresholds, anomaly profiles, or correlation rules, where each method is used to detect an attempt to exploit a particular vulnerability in a system. These signatures and checks may contain very specific means for identifying a specific known exploit of the vulnerability, or more generic detection methods that aid in detecting unknown exploits for the vulnerability. Combined in an attack, the signatures provide for maximum accuracy and coverage in attack detection.

The IPS Node
The IPS Node provides tools that enable you to view, create, edit, clone, and delete security policies. You can use Network Security Platform’s pre-configured policies as is, or use them as a template for creating custom policies, or you can create new policies.

Figure 14: Policies tab

The following are some of the options available to you in the Policy Editor:

• Add/create your own policy.
• Edit a policy you created. (You cannot directly edit provided policies.)
• Clone an existing policy; that is, copy and customize any existing policy—including provided policies—under a new name.
• Delete any policy you created. (You cannot delete provided policies. You cannot delete a policy that is currently applied to a resource.)

Creating or customizing a policy
The following steps describe policy creation at a high level.

1 Create a named policy. You can clone (copy) a default policy to use as a template, edit an existing policy, or create a new one. Your policy should specify all the attacks you want to detect and the responses to take when a particular attack is detected.

2 Save the policy.

3 Apply the policy to a resource—an admin domain, Sensor, an interface on a Sensor, or a sub-interface of a Sensor interface. (A newly added Sensor will inherit the policy from its admin domain; thus, all interfaces on the Sensor will be protected by the policy of the domain by default.)

4 If an intrusion event is detected, the Sensor sends an alert to the McAfee® Network Security Manager (Manager) describing the event, and issues a response if you have configured it to do so. For more information on types of responses, see Response types (on page 51).

5 Examine the alerts in the Threat Analyzer, or in an IPS Report. Over time, you can tune the policy based on the alert data generated. If you see a lot of alerts that you don’t want to see (that is, alerts that don’t apply to your environment, such as Windows attacks against a Solaris environment or other instances of alerts on events that you do not consider noteworthy), then you might want to tune your policy rules to see only impacting attacks.

Sensor response without alerting
By default, all of the attacks detected by a policy send an alert upon detection. In cases where you see the same alert time and time again in your Threat Analyzer and wish you could automatically send a response without having to see the alert again, Network Security Platform provides the Sensor response without alert feature. For Exploit attacks, you can disable alerting for any attack while still being able to activate a Sensor response upon detection of the attack. When the attack is detected, the configured response is executed and no alert is sent to the database.

Note: If you disable alerting for an attack, packet logging is also turned off for that attack. You must enable the alert to enable packet logging.

Automatic acknowledgement of alerts
Depending on the number of attacks per day you experience, you may notice that several of the same attacks consistently target your network. With your Threat Analyzer open to a Real-time Threat Analyzer, you are constantly acknowledging instances of the same alert over and over, which takes productive time away from analyzing the other alerts. Network Security Platform policy customization enables the automatic acknowledgement of alerts for any attack in the database. The Notification option Auto. Acknowledge automatically marks the attack as “Acknowledged” in the database; thus detection of the attack is not counted in the Unacknowledged Alert Summary (of the Manager Home page), and can only be viewed in the Threat Analyzer via Historical Threat Analyzer queries.

Reassigning policies across Sensors
You can easily reassign policies applied to Sensors within the current admin domain or any child admin domains without having to search extensively throughout Network Security Platform. If you need to reassign a policy on several Sensors, you can search by policy. If instead you want to reassign policies on selected Sensors, you can search by Sensor. For more information, see IPS Configuration Guide.

Exporting and importing policies
The Manager system enables you to export and import your custom policies. Exporting allows you to save a copy of a custom policy from the Manager server to your client or other location. Importing allows you to copy an exported policy back to the Manager.

Note: Exported policies are saved as XML files. Do not attempt to customize the XML output, or you may have problems when importing the policy back to the system.

The following three scenarios detail situations where exporting and/or importing a policy is beneficial to your security strategy:

• Scenario 1: Creating and archiving a policy. You created a custom policy, and you want to back up that single policy for later reference, editing, or availability. You export the file to your client. You can import it into a test environment to edit the policy, then import it back to your live system. Also, you can import the original policy back to the Manager, overwriting the current record of the policy, in the event you aren’t satisfied with changes made to the policy since a previous export.
• Scenario 2: Utilize a test environment to create a policy, then import. If you have set up a Manager server in a “test” or non-live environment, you can create multiple policies on your test Manager for use in your live system. Once policy creation is complete, export the custom policy to a client machine. Then connect remotely to your live Manager, and import the custom policy. Once imported, you can apply the policy to Network Security Platform resources.
• Scenario 3: Copying a policy from one live Manager to another live Manager. If you have a large number of Sensors deployed, you may decide to split the Sensors between two or more Managers. For the custom policies you create, you can export the policies from one Manager to a client, then import the policies to the other Manager(s).

Policy inheritance
A policy defined at the admin domain level is inherited by its child admin domains, and the resources—Sensor interfaces and sub-interfaces—within the child domains unless the policy is explicitly set during resource configuration. If you want to set another policy for a specific resource, you can select or create a different policy. The policy inheritance order is shown below.
Resource/Node | Exploit Policy | DoS Learning Mode | DoS Threshold Mode | Reconnaissance
Policies node | Define policy | Define policy (Is turned off by default) | | NA
Any Admin Domain nodes | Assign policy defined at Policies node | Assign policy defined at Policies node (Is turned off by default) | | NA
Sensor_Name nodes | Same policy as that of the Admin Domain | Same policy as that of the Admin Domain | | Define/Enforce Recon. policy (defined for all the Sensor’s interfaces)
Interface nodes | Inherit policy from Admin Domain; Assign new policy; Enforce policy | Inherit from Admin Domain; Modify inherited policy; Enforce policy | Define policy; Enforce policy | NA
Sub-interface nodes | Inherit policy from Interface; Assign new policy; Enforce policy | Inherit policy from Interface; Modify inherited policy; Enforce policy | Define policy; Enforce policy | NA
Individual VLAN ID, CIDR block within interface or sub-interface | NA | Inherit from Admin Domain; Modify inherited policy; Enforce policy | Define policy; Enforce policy | NA

Suppose you create a policy for use with an admin domain you plan to create. You can define the policy at the Policies level. It’s then available for any admin domain, and any Sensor in the domain. When you allocate Sensor interfaces to an admin domain (a process that is part of child admin domain creation), all of the interfaces automatically inherit the admin domain’s policy. So, as part of the process of creating an admin domain, you assign the policy to be inherited by the allocated interfaces. If you want, you can then go into each allocated interface and assign a different policy. Changing policies at higher levels (for example, admin domain level) once they have been applied at a lower level has no effect on the lower levels (for example, interface level). Note: A custom policy defined at a child admin domain level can’t be applied to a resource at the parent admin domain level.


Response management
When a Sensor detects activity to be in violation of a configured policy, a preset response from the Sensor is integral to the protection or prevention process. Proper configuration of responses is crucial to maintaining effective protection. Critical attacks like buffer overflows and DoS attacks require responses in real time, while scans and probes can be logged and researched to determine compromise potential and the source of the attack. Developing a system of actions, alerts, and logs based on specific attacks or attack parameters (such as severity) is recommended for effective network security. For example, since Network Security Platform can be customized to protect any zone in a network, knowing what needs to be protected can help to determine the response type. If monitoring outside of the firewall in In-line Mode, preventing DoS attacks and attacks against the firewall is crucial. Most other suspicious traffic intended for the internal network, including scans and low-impact well-known exploits, is best logged and analyzed, as the impact is not immediate and a better understanding of the potential attack purpose can be gained. Thus, if you are monitoring outside of a firewall in In-line Mode, it is important to not set the policies and responses so fine that they disrupt the flow of traffic and slow down the system; rather, prevent the crippling traffic from disrupting your network.

Response types
The response types offered by Sensors and Manager are as follows:

Sensor response actions
Sensor actions are responses your Sensor enacts or sends through the network to prevent or deter further attacks.
• Drop further packets (In-line mode only) — Dropping the specific attack packets is a key advantage of in-line mode. When detecting in-line (real time), the packets that trigger signatures and (optionally) all subsequent packets related to that connection can be dropped before they reach the intended target system. This capability provides true “intrusion prevention.” This action is also known as “blocking.”
• Send an alert (default) — When traffic violates a Sensor policy, an alert is generated and sent to the Manager to be viewed using the Threat Analyzer. Alerts can be examined for content and sorted by key fields such as severity level, source and destination IPs, and so forth. For more information on the Threat Analyzer, see System Status Monitoring Guide.
• Host Quarantine action — The Sensor quarantines an infected host by isolating it for a specified period of time. For more information, see IPS Quarantine settings, IPS Configuration Guide.
• Packet log — Sends a log, or copy, of the packet information to the Manager database; this information acts as a record of the actual flow of traffic that triggered the attack and can be used for detailed packet analysis. When the data is viewed in the Threat Analyzer, the data is converted to libpcap format for presentation. Tools like Ethereal can be used to examine the packet log data for more detailed analysis of attack packet data. In the IPS Policy Editor/GARE, the user can specify how many packets should be logged or for what duration. You can also choose to encrypt the packet log channel via SSL to protect the packet log data. For more information, see Viewing a packet log, System Status Monitoring Guide.
• TCP reset — For TCP connections only. TCP uses the RST (Reset) bit in the TCP header to reset a TCP connection. Resets are sent in response to a connection that carries traffic which violates the security policy of the domain. The user can configure reset packets to be sent to the source and/or destination IP address.
• Alert filters — Alert filtering enables you to filter out alerts based on the source or the destination of the security event. For example, if you know that your IT department executes vulnerability scans from a particular IP address, you can filter events originating from that address. The Alert Filter Editor provides a convenient interface for creating alert filters.
• ICMP host unreachable — ICMP Host Unreachable packets can be sent in response to the source of UDP or ICMP attacks.

Recommended for blocking (RFB)
Network Security Platform attack definitions contain an attribute that indicates whether an attack is considered “Recommended for Blocking (RFB)” by McAfee. A flag may be set in any cloned policy to block on the RFB attacks within the policy.

Manager response actions
There are three notification responses that can be configured to alert users of malicious activity: email, pager, or script notification. These responses are sent directly to admins based on either a configured severity level—represented as Low, Medium, or High severity—or based on the occurrence of a particular attack, regardless of the severity level.

The Global Attack Response Editor (GARE)
The GARE is essentially a ‘shortcut’ to customizing a particular attack’s response across all policies containing that attack. Responses configured at the GARE level are then available for that attack at the rule set and policy level. We’ve discussed policy inheritance and response actions. To fully understand GARE, consider a concept that we will loosely call response inheritance. A new signature set straight from the Update Server contains some default actions associated with particular attacks. For example, certain attacks are configured to log packets, and others are configured not to log packets. When you open an attack in the GARE editor, GARE displays the default attack values specified by the signature set. GARE thus “inherits” the response actions from the signature set. Customizing these values in the GARE overrides the signature set’s values. Regardless of what the signature set suggested as the attack’s response, the attack now has a custom response as specified in GARE. The GARE values are then available for customization at the Rule set level. For example, at the Rule set level, you inherit all the customizations from the GARE level, but can set a response action of “blocking” for certain attacks. Now the attack can have the GARE customization plus the Rule set customization.


Finally, you have the Policy level. All the customizations made at the Rule set level or at the GARE level are inherited at the Policy level. As shown in the following figure, each level inherits response attribute values from previous level. At each level you can either retain the inherited value for an attack or customize it by explicitly setting or removing a value.

Figure: response inheritance across customization levels
• Signature set: A signature set contains attacks with certain pre-defined values for response.
• GARE: Changes made in the GARE override default signature set behavior.
• Rule set editor: The rule set editor inherits GARE changes; changes made in the Rule set editor override GARE customizations.
• Policy editor: The Policy editor inherits all changes made at the GARE and Rule set levels; responses can be changed at the policy level, as well.

The IPS Policy Editor now displays labels showing at what level an attack was customized:
• D – Default (Network Security Platform-supplied)
• G – GARE (Global attack response editor)
• R – Rule Set Editor (only blocking action)
• P – IPS Policy Editor
For example, suppose you want to create 3 policies that detect the attack “FTP: Attack Example,” which happens to be a Recommended For Blocking (RFB) attack. Your requirements are as follows:
• Policy1: block FTP: Attack Example and log packets
• Policy2: do not block FTP: Attack Example; log packets
• Policy3: block FTP: Attack Example; do not log packets
For all three policies, you want to be notified by email if FTP: Attack Example is discovered.


How to accomplish this?
1 At the GARE level for FTP: Attack Example, configure packet logging and email notification.
2 At the Rule Set level, enable blocking for RFB attacks.
3 At the Policy Editor level, create your three policies. When you choose FTP: Attack Example for Policy2, disable blocking. For Policy3, disable packet logging.

Note: GARE customization can be imported/exported using the Policy Import/Export feature.
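The level-by-level response inheritance described above, worked through for the FTP: Attack Example scenario as an added example (not Manager code): the attribute names, the assumption that the signature set ships this attack with every response off, and the data layout are mine; the level labels D/G/R/P and the three-policy requirements come from the guide.

```python
from dataclasses import dataclass, field

# Customization levels, lowest to highest precedence, with the labels the
# IPS Policy Editor shows: D (signature-set default), G (GARE), R (Rule set), P (Policy).
RESPONSE_ATTRS = ("block", "log_packets", "email")


@dataclass
class AttackResponse:
    """Response settings for one attack, layered as the section describes."""
    name: str
    rfb: bool = False                              # Recommended for Blocking attribute
    # Level D: values shipped in the signature set (assumed all off for this example)
    defaults: dict = field(default_factory=lambda: dict.fromkeys(RESPONSE_ATTRS, False))
    gare: dict = field(default_factory=dict)       # level G overrides
    rule_set: dict = field(default_factory=dict)   # level R overrides (blocking only)
    policies: dict = field(default_factory=dict)   # policy name -> level P overrides

    def customize(self, level, policy=None, **attrs):
        unknown = set(attrs) - set(RESPONSE_ATTRS)
        if unknown:
            raise ValueError(f"unknown response attribute(s): {sorted(unknown)}")
        if level == "G":
            self.gare.update(attrs)
        elif level == "R":
            if set(attrs) != {"block"}:
                raise ValueError("the Rule Set Editor customizes only the blocking action")
            self.rule_set.update(attrs)
        elif level == "P":
            if policy is None:
                raise ValueError("a policy name is required at level P")
            self.policies.setdefault(policy, {}).update(attrs)
        else:
            raise ValueError(f"level must be G, R or P, not {level!r}")

    def effective(self, policy):
        """Resolve each attribute for one policy as (value, label of the level that set it)."""
        resolved = {a: (self.defaults[a], "D") for a in RESPONSE_ATTRS}
        layers = (("G", self.gare), ("R", self.rule_set), ("P", self.policies.get(policy, {})))
        for label, layer in layers:
            for attr, value in layer.items():      # later levels override earlier ones
                resolved[attr] = (value, label)
        return resolved


def enable_rfb_blocking(attacks):
    """The Rule set-level flag: block every attack McAfee marks Recommended for Blocking."""
    for atk in attacks:
        if atk.rfb:
            atk.customize("R", block=True)


def build_scenario():
    """The three-policy FTP: Attack Example walkthrough from this section."""
    atk = AttackResponse("FTP: Attack Example", rfb=True)
    atk.customize("G", log_packets=True, email=True)   # step 1: GARE
    enable_rfb_blocking([atk])                         # step 2: Rule set
    for name in ("Policy1", "Policy2", "Policy3"):     # step 3: create the policies
        atk.policies.setdefault(name, {})
    atk.customize("P", policy="Policy2", block=False)
    atk.customize("P", policy="Policy3", log_packets=False)
    return atk


if __name__ == "__main__":
    atk = build_scenario()
    for name in sorted(atk.policies):
        print(name, {a: f"{v} ({lbl})" for a, (v, lbl) in atk.effective(name).items()})
```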

Denial of Service (DoS) modes
Denial of service (DoS) attacks interrupt network services by flooding a system or host with spurious traffic, which can overflow your system buffers and force you to take the system offline for repairs. Sensors support both learning- and threshold-based capabilities for combating DoS attacks. Since the Sensors maintain full TCP state, it is easy to differentiate the “bad” DoS packets from “good” traffic packets, and drop the bad packets when running in In-line mode.
DoS policy applies to inbound, outbound, and bidirectional traffic. Inbound traffic is that traffic received on the port marked “Outside” (that is, originating from outside the network) in In-line or Tap mode. When using SPAN or Hub Mode, all traffic is considered inbound unless distinguished by creation of CIDR blocks; traffic destined to a specified CIDR block is considered inbound on a SPAN port. Typically inbound traffic is destined to the protected network, such as an enterprise intranet. Outbound traffic is that traffic sent from a system in your intranet, and is received on the port marked “Inside” (that is, originating from inside the network) in In-line or Tap mode.
There are also Learning Mode attacks that do not have a directional association, specifically ICMP ECHO Anomaly and TCP Control Anomaly. Due to the nature of these attacks, the Sensor is unable to determine whether the attack occurred inbound versus outbound. Thus, these attacks are classified as bidirectional.
Note: The ICMP Echo Anomaly and TCP Control Anomaly attacks cannot be blocked, even when the Sensor is in In-line Mode.
When configuring with the Policy Editor, you can customize severities and enable an admin notification for a number of statistical categories. Report generation and the Threat Analyzer can help to determine the types of statistical information that are affecting your network’s performance.

Learning mode
In Learning Mode, the Sensor monitors the network traffic and develops a “normal” baseline profile, called a long-term profile, by collecting statistics on a number of traffic measures over time. The initial learning time for the profile is typically two days. After that time, the Sensor constantly updates these profiles (typically you will have multiple profiles being processed at a given time), which are kept on the internal Sensor flash, to keep an updated picture of the network. In real time, the Sensor develops a short-term profile, which is essentially a snapshot of the network traffic. The short-term profile is compared to the long-term profile, and an alert is raised if the short-term statistics indicate a traffic surge that deviates from the long-term behavior. The learning and detection algorithms take into account regular traffic surges that are caused by flash crowds or the like: normally there are no alerts for such surges. (Flash crowds are surges in traffic due to benign conditions, such as everyone logging in at 9:00am on a Monday.)
Response sensitivity determines how much (volume and duration) a traffic surge is considered abnormal and if an alert should be raised. Setting the response sensitivity to “Low” tells the detection algorithm to be tolerant of traffic spikes (that is, because the network has abundant bandwidth and/or the server has adequate capacity) before raising alerts, while setting it to “High” makes the system more sensitive to any traffic surge. Setting a “High” sensitivity cuts both ways: High makes it possible to detect even small-scale DDoS attacks while at the same time making the system more prone to false positives—the opposite can be said for “Low” sensitivity.
DoS learning mode is configured during policy creation and is enforced at the interface and sub-interface levels. Customizations to learning mode profiles can be performed at these resource levels, and Learning Mode profiles can be reset (re-learned) or reloaded at the Sensor level. This is all performed in the Configuration page. Sub-interfaces and individual CIDR hosts within a VLAN tag or CIDR block being hit with a denial of service attack can be created and protected with specific learning mode settings. This is useful in preventing a server in your DMZ or other location from being shut down by a DoS attack. A separate profile is created for each resource.

Threshold mode
In Threshold Mode, the Sensor monitors the network traffic for packet floods, such as SYN attacks and too many IP fragments, transmitting through from a source to a destination as detected within a Sensor interface or sub-interface. When configuring with the IPS Policy Editor or customizing at the interface or sub-interface level, you must specify the count and interval (rate in seconds) for the threshold attacks you want to detect. The Sensor sends an alert when the traffic exceeds the customized thresholds for an enabled (sought after) attack. You can also enable a notification for an attack if it warrants special attention. Note: You must configure the actual thresholds and intervals for each DoS Threshold Mode attack you want to detect. Default thresholds are not provided since the packet rates in every network are different. Customization of DoS thresholds works best after researching the current levels each DoS Threshold attack defends against in order to determine exactly what counts and intervals best protect your network.
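Simplified models of the Learning Mode and Threshold Mode detection described in the two sections above, as an added illustration that is not the Sensor's algorithm: the per-hour-of-day statistics, the sensitivity multipliers, the spread floor, the attack name and the sample traffic are all assumptions. It shows why the 9:00 flash crowd is tolerated while the same volume at an unusual hour, or a flood, is not, and why a threshold attack needs an explicit count and interval.

```python
import math
from collections import deque

# Response sensitivity as a multiplier on the long-term spread (values assumed)
SENSITIVITY = {"Low": 4.0, "Medium": 3.0, "High": 2.0}


class LearningProfile:
    """Long-term profile of one traffic measure, kept per hour of day so that a
    regular surge (everyone logging in at 9:00) becomes part of the baseline."""

    def __init__(self, measure, sensitivity="Medium", min_samples=2):
        self.measure = measure
        self.k = SENSITIVITY[sensitivity]
        self.min_samples = min_samples          # learning period before any alert
        self.buckets = {}                       # hour -> [n, mean, m2]

    def learn(self, hour, value):
        # Welford's online update of the running mean and sum of squared deviations
        n, mean, m2 = self.buckets.get(hour, [0, 0.0, 0.0])
        n += 1
        delta = value - mean
        mean += delta / n
        m2 += delta * (value - mean)
        self.buckets[hour] = [n, mean, m2]

    def check(self, hour, short_term_value):
        """Compare a short-term snapshot with the long-term profile for that hour.
        Returns (alert, threshold); threshold is None while the profile is still learning."""
        n, mean, m2 = self.buckets.get(hour, [0, 0.0, 0.0])
        if n < self.min_samples:
            return False, None
        std = math.sqrt(m2 / (n - 1))
        # Floor on the spread: a perfectly regular baseline must still tolerate some jitter
        threshold = mean + self.k * max(std, 0.25 * mean)
        alert = short_term_value > threshold
        if not alert:                           # benign snapshots keep the profile current;
            self.learn(hour, short_term_value)  # an attack surge must not shift the baseline
        return alert, threshold


class ThresholdRule:
    """Threshold mode: alert when more than `count` packets of one attack type flow from
    a source to a destination within `interval` seconds.  No defaults, as the note says."""

    def __init__(self, attack, count, interval):
        if count is None or interval is None:
            raise ValueError(f"{attack}: count and interval must be configured explicitly")
        self.attack, self.count, self.interval = attack, count, interval
        self._hits = {}                         # (src, dst) -> deque of timestamps

    def observe(self, src, dst, ts):
        """Return True when this packet pushes the flow over the configured threshold."""
        window = self._hits.setdefault((src, dst), deque())
        window.append(ts)
        while window and ts - window[0] > self.interval:   # expire packets outside the interval
            window.popleft()
        return len(window) > self.count


def demo():
    """Constructed traffic: two days of hourly inbound SYN rates with a 9:00 flash crowd."""
    prof = LearningProfile("inbound SYN/s", sensitivity="Medium")
    for hour in range(48):
        tod = hour % 24
        prof.learn(tod, 200 + tod * 5 + (900 if tod == 9 else 0))
    crowd_alert, _ = prof.check(9, 1150)        # the usual 9:00 surge: tolerated
    odd_hour_alert, _ = prof.check(14, 1150)    # same volume at 14:00: deviates, alert
    flood_alert, _ = prof.check(9, 6000)        # flood on top of the surge: alert
    rule = ThresholdRule("TCP: SYN flood", count=100, interval=1.0)
    exceeded = any(rule.observe("198.51.100.7", "192.0.2.10", 10.0 + i / 1000)
                   for i in range(150))         # 150 SYNs in 150 ms, limit is 100 per second
    return crowd_alert, odd_hour_alert, flood_alert, exceeded
```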

Countering SYN floods with SYN cookies
A SYN flood attack is a series of SYN packets from forged IP addresses targeted at a specific server. When a server is attacked in this manner, the SYN queue in the server fills and all new connection requests are dropped. The SYN cookie feature is a mechanism to counter SYN flood attacks. This feature is an adjunct to the existing statistical anomaly-based Denial of Service detection. In cases where a DoS attack is already underway and there is no time for learning a long-term profile, Network Security Platform provides the ability for the Sensor to proxy all inbound three-way handshakes.


With SYN cookies, whenever a new connection request arrives at a server, the server does not maintain any information about the connection request. Instead it sends back a SYN+ACK with an ISN uniquely generated using the information present in the incoming SYN packet and a secret key. If the connection request is from a legitimate host, the server gets back an ACK from the host. The Sensor will support a configurable threshold for SYN arrival rate, above which the Sensor will begin using SYN cookies to avoid having to maintain state during the three-way handshake. Manager provides an interface to the user to enable/disable the SYN cookie feature. It also provides the user the ability to configure the threshold values for the SYN cookies. For more information, see Manager Server Configuration Guide.
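The stateless handshake proxying described above, as an added example that is not the Sensor's implementation: the cookie layout (a 5-bit time counter plus 27 bits of keyed hash in the ISN), the one-second rate window, the threshold value and the sample packets are assumptions. It shows a SYN answered with a cookie ISN once the arrival rate exceeds the threshold, and the returning ACK validated from the packet alone.

```python
import hashlib
import hmac
import os
from collections import deque

SECRET = os.urandom(32)            # per-Sensor secret key (constructed at start-up)
COUNTER_BITS = 5                   # top bits of the ISN carry a coarse time counter
MAC_BITS = 32 - COUNTER_BITS       # remaining bits carry the keyed hash
CMASK = (1 << COUNTER_BITS) - 1
MMASK = (1 << MAC_BITS) - 1


def _keyed_part(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Truncated HMAC over everything the SYN itself supplies plus the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter & CMASK}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MMASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """ISN for the SYN+ACK.  Nothing about the request is stored: the ISN alone lets
    the Sensor recognise the matching ACK later."""
    return ((counter & CMASK) << MAC_BITS) | _keyed_part(src_ip, src_port, dst_ip, dst_port, client_isn, counter)


def check_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now_counter, max_age=2):
    """Validate the handshake's final ACK.  client_isn is the ACK's sequence number minus 1;
    ack_num must be cookie + 1; the cookie's counter must be recent and its hash must match."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> MAC_BITS
    if ((now_counter - counter) & CMASK) > max_age:      # too old: the cookie has expired
        return False
    expected = _keyed_part(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return hmac.compare_digest(expected.to_bytes(4, "big"), (cookie & MMASK).to_bytes(4, "big"))


class SynProxy:
    """Keeps ordinary half-open state until SYN arrivals in the last second exceed the
    configured threshold, then answers every SYN with a cookie instead."""

    def __init__(self, syn_rate_threshold):
        self.threshold = syn_rate_threshold
        self.arrivals = deque()
        self.half_open = {}          # flow 4-tuple -> client ISN (stateful mode only)

    def cookies_active(self, now):
        while self.arrivals and now - self.arrivals[0] > 1.0:
            self.arrivals.popleft()
        return len(self.arrivals) > self.threshold

    def on_syn(self, flow, client_isn, now, counter):
        self.arrivals.append(now)
        if self.cookies_active(now):
            return "cookie", make_cookie(*flow, client_isn, counter)
        self.half_open[flow] = client_isn
        return "stateful", None


def demo():
    """Constructed flood: 60 SYNs from forged sources in 60 ms, then one legitimate client."""
    server = ("192.0.2.10", 443)
    proxy = SynProxy(syn_rate_threshold=50)
    for i in range(60):
        proxy.on_syn((f"198.51.100.{i % 250}", 1000 + i, *server), 1, 5.0 + i / 1000, counter=7)
    flow = ("203.0.113.5", 40000, *server)
    mode, cookie = proxy.on_syn(flow, client_isn=123456, now=5.1, counter=7)
    good = check_ack(*flow, client_isn=123456, ack_num=(cookie + 1) & 0xFFFFFFFF, now_counter=8)
    forged = check_ack(*flow, client_isn=123456, ack_num=(cookie + 2) & 0xFFFFFFFF, now_counter=8)
    stale = check_ack(*flow, client_isn=123456, ack_num=(cookie + 1) & 0xFFFFFFFF, now_counter=12)
    return mode, good, forged, stale, len(proxy.half_open)
```

Only the first 50 forged SYNs cost the Sensor any state; everything after the threshold is handled statelessly.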

Access Control Lists
Network Security Platform enables the creation of an access control list (ACL) with ordered rules for permitting and denying traffic from reaching a Sensor’s inspection engine and continuing on through the network. A Sensor ACL is useful for maximizing a Sensor’s detection and prevention capabilities by preventing, that is dropping or rejecting, specified traffic without requiring full inspection. Most commonly deployed in firewalls, an ACL is a set of ordered rules that governs what traffic is permitted to pass and what traffic is denied access beyond the device where the ACL resides. In the case of Network Security Platform, a Sensor ACL checks all traffic to determine what traffic is allowed to pass to a Sensor’s inspection engine and beyond, and which should be denied, that is either dropped from the network or rejected (TCP traffic only). Thus, a Network Security Platform ACL can preemptively drop any traffic by denying access to the inspection engine and beyond. Network Security Platform provides two permit options: “permit and inspect” and “permit and pass without inspection.” Permit and inspect passes traffic to a Sensor’s inspection engine to check for violations of applied IPS policy. Permit and pass without inspection passes the traffic back into the network without checking for IPS policy violations. Note: McAfee recommends permit and inspect rules for complete protection from potentially harmful traffic. If you configure multiple ACL rules, note the order as ACLs are executed in top-down sequence: the rule at the top of the list is checked first, followed in order by subsequent rules down to the bottommost rule. Network Security Platform employs a first-match process; the first ACL rule matched in sequence is enforced. You can create rules and groups for the entire Sensor as well as specific ports on the Sensor at the admin domain level. 
At the Sensor level, you can assign rules for the entire Sensor as well as those for specific ports/port pairs of the Sensor. Rules assigned at the Sensor level for a specific port/port pair are inherited by the corresponding interface and, if applicable, sub-interface(s). In the case of ACLs, an interface is a subset of the corresponding port or port pair. That is, ACL rules assigned for a port/port pair at the Sensor level are inherited by the corresponding interface as well as any sub-interfaces. However, ACL rules assigned at the interface level are not inherited by corresponding sub-interfaces due to the rule of separating interface traffic flows from sub-interface traffic flows based on the following policy application rule:


If you apply a policy to a sub-interface that is different than the inherited policy, the policy enforced at the interface level protects all traffic not specific to the sub-interface. Thus, for ACL rules, the rule of inheritance requires you to create global rules at the Sensor or physical port/port pair level: interface rules only apply to interfaces, and sub-interface rules only apply to sub-interfaces. It is not advisable to set ACL permit rules for protocols such as FTP, TFTP, and RPC services that negotiate ports dynamically. Multimedia protocols such as H.323 and services such as instant messaging and peer-to-peer communication either negotiate the data channel separate from the control channel or negotiate ports that do not follow a standard. However, you can configure ACLs to deny these dynamic protocol instances by denying the fixed control port.
Note: For RPC services, you can configure explicit allow and deny rules for RPC as a whole, but not its constituents, such as statd and mountd.
Tip: Another option for denying protocols that use dynamic negotiation is to configure policies to drop the attacks that are detected in such transmissions. Network Security Platform detects use of and attacks in such programs as Yahoo Messenger, KaZaA, IRC, and so forth.
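A first-match evaluator for the Sensor ACL semantics described in this section, as an added example that is not the Manager's rule format: the rule fields, the sample rules and addresses, the default for unmatched traffic, and the ordering of inherited rules ahead of a resource's own are assumptions. It shows the two permit options, deny by drop or reject (reject only for TCP), and port-pair rules reaching the sub-interface while interface rules do not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"permit-inspect": "inspect", "permit-pass": "pass",
           "deny-drop": "drop", "deny-reject": "reject"}


@dataclass(frozen=True)
class Rule:
    action: str                       # one of ACTIONS
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.get("dport")))


def evaluate(rules, pkt):
    """Top-down, first match wins.  Unmatched traffic goes to the inspection engine
    (an assumption for this example; the guide does not state the default)."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "deny-reject" and pkt["proto"] != "tcp":
                return "drop"          # reject means a TCP reset; other protocols can only be dropped
            return ACTIONS[rule.action]
    return "inspect"


def effective_rules(sensor_rules, port_rules, interface_rules, subinterface_rules, level):
    """Rules a resource evaluates.  Sensor-wide and port/port-pair rules are inherited by
    the interface and its sub-interfaces; interface rules are not inherited by sub-interfaces.
    Ordering the inherited rules ahead of the resource's own is an assumption."""
    if level == "interface":
        return sensor_rules + port_rules + interface_rules
    if level == "sub-interface":
        return sensor_rules + port_rules + subinterface_rules
    raise ValueError(f"unknown level {level!r}")


def demo():
    """Constructed rule set for port pair 1A-1B, one interface and one sub-interface."""
    sensor = [Rule("deny-drop", src="198.51.100.0/24")]                # Sensor-wide block
    port_pair = [Rule("deny-reject", dst_port=23)]                     # telnet to anything: reset
    interface = [Rule("permit-pass", proto="udp", dst="192.0.2.0/24", dst_port=514)]  # trusted syslog
    subif = [Rule("permit-inspect", dst="192.0.2.50/32")]               # payroll host: always inspect
    pkts = {
        "bad_src": {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.50", "dport": 443},
        "telnet":  {"proto": "tcp", "src": "203.0.113.4", "dst": "192.0.2.7", "dport": 23},
        "udp23":   {"proto": "udp", "src": "203.0.113.4", "dst": "192.0.2.7", "dport": 23},
        "syslog":  {"proto": "udp", "src": "203.0.113.4", "dst": "192.0.2.7", "dport": 514},
        "https":   {"proto": "tcp", "src": "203.0.113.4", "dst": "192.0.2.50", "dport": 443},
    }
    on_interface = effective_rules(sensor, port_pair, interface, subif, "interface")
    on_subif = effective_rules(sensor, port_pair, interface, subif, "sub-interface")
    return {name: (evaluate(on_interface, p), evaluate(on_subif, p)) for name, p in pkts.items()}
```

The syslog packet is passed uninspected on the interface but inspected on the sub-interface, which is exactly the non-inheritance the guide warns about.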

IP spoofing detection
The Anti-spoofing action enables the detection of attacks that either originate from sources external to your network (inbound) that use your internal addresses as the attacking source IP addresses, or those attacks that originate from your internal network (outbound) which use IP addresses not defined in your customized list of "good" addresses. You can apply IP address spoofing detection to any interfaces that have been previously segmented by CIDR-based addressing. Your Sensor keeps a table with your protected CIDR-based addresses; thus, when a Sensor detects an attack that originated from outside your network but contains an identified internal address, an alert is generated for that traffic.
Any port pair in In-line Mode that has been segmented by CIDR addressing is eligible for IP spoofing detection. This includes any CIDR-segmented sub-interfaces of an eligible port pair. For example, port pair 1A-1B protects the 192.168.1.0/24 and 192.168.2.0/24 networks in In-line Mode. You create the sub-interface “Payroll-Server” to protect host 192.168.1.1/32. When you enable and configure IP spoofing detection for 1A-1B, you will see all three of these addresses available for protection against IP spoofing attacks.
Warning: If you are enabling anti-spoofing on a port, make sure you have not configured DHCP NAC for that port because anti-spoofing may cause DHCP NAC not to work.
If you have segmented 1A-1B by VLAN tagging, and you configured a DoS policy for a CIDR within a VLAN, that CIDR instance can have IP spoofing detection enabled.
You enable IP spoofing detection for the interface (for example, 1A-1B) during configuration; an alert is raised if an attack is detected that contains both the VLAN tag and the CIDR address. The rest of the interface segmented by VLANs does not have this option, only the CIDR within the VLAN.
Note: For more information on CIDR-based addressing for Sensor interfaces, see Managing an Interface: Changing the Traffic Type and Naming the Interface, Sensor Configuration Guide.

Once enabled, open the Threat Analyzer to check for IP spoofing attacks. When you see an internal IP address in the “Source IP” column during Threat Analyzer use, check the packet log associated with that attack to determine whether the attack originated internally, or whether the transmission originated outside of your network, the latter being a case of IP spoofing. For enabling IP spoofing detection on a Sensor, see Sensor Configuration Guide. Note: IP Spoofing detection is not supported on N-450 Sensors.

ARP spoofing detection
ARP (Address Resolution Protocol) spoofing detection is accomplished by maintaining a table that maps IP addresses to their corresponding MAC addresses. The detection of multiple ARP reply packets with a different sender MAC address than the one mapped to the IP results in an alert. Check the Threat Analyzer for ARP spoofing-related alerts. In ARP spoofing, the MAC address of a spoofed ARP packet is the real MAC address of the host attempting the spoofing. Sometimes misconfiguration (two different machines using the same IP address) and occasionally system malfunction (host or switch) may result in such ARP spoofing packets. Detection of ARP spoofing results in the triggering of ARP Spoofing alerts. These alerts display in the Threat Analyzer component of Manager. Their names are prefaced with “ARP:” (for example, “ARP: ARP Spoofing with Different MAC Addresses”). For more information, see Sensor CLI Guide.
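The IP spoofing check (protected CIDR table, inbound versus outbound) and the ARP spoofing check (IP-to-MAC table) from the two sections above, as one added example that is not Sensor code: the record layout, the IP alert names, the "several conflicting replies" count and the sample events are constructed; the 1A-1B addresses and the ARP alert name come from the guide.

```python
import ipaddress


class AntiSpoof:
    """Per-port-pair spoofing checks: IP (protected CIDR table) and ARP (IP-to-MAC table)."""

    def __init__(self, protected_cidrs, good_outbound=None, min_arp_conflicts=2):
        # The CIDR-based addresses the port pair protects, as segmented in the Manager
        self.protected = [ipaddress.ip_network(c) for c in protected_cidrs]
        # Customized list of "good" outbound sources; defaults to the protected ranges
        self.good = [ipaddress.ip_network(c) for c in (good_outbound or protected_cidrs)]
        self.arp_table = {}               # ip -> MAC learned from ARP replies
        self.arp_conflicts = {}           # ip -> count of replies with a different MAC
        self.min_arp_conflicts = min_arp_conflicts

    @staticmethod
    def _in(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def check_ip(self, pkt):
        """pkt: {'dir': 'inbound' | 'outbound', 'src': ip}.  Alert names are constructed."""
        if pkt["dir"] == "inbound" and self._in(pkt["src"], self.protected):
            return "IP: Inbound packet with protected internal source address"
        if pkt["dir"] == "outbound" and not self._in(pkt["src"], self.good):
            return "IP: Outbound packet with source outside the good-address list"
        return None

    def check_arp_reply(self, sender_ip, sender_mac):
        """Learn the first mapping; raise the ARP alert once several replies disagree with it."""
        mac = sender_mac.lower()
        known = self.arp_table.get(sender_ip)
        if known is None:
            self.arp_table[sender_ip] = mac
            return None
        if mac != known:
            self.arp_conflicts[sender_ip] = self.arp_conflicts.get(sender_ip, 0) + 1
            if self.arp_conflicts[sender_ip] >= self.min_arp_conflicts:
                return "ARP: ARP Spoofing with Different MAC Addresses"
        return None


def demo():
    """Constructed events on port pair 1A-1B from the example above."""
    sensor = AntiSpoof(["192.168.1.0/24", "192.168.2.0/24", "192.168.1.1/32"])
    events = [
        ("ip", {"dir": "inbound", "src": "192.168.1.1"}),   # Payroll-Server address arriving from outside
        ("ip", {"dir": "inbound", "src": "203.0.113.9"}),   # ordinary external source: no alert
        ("ip", {"dir": "outbound", "src": "10.9.9.9"}),     # inside host using an unlisted address
        ("arp", ("192.168.1.1", "00:11:22:33:44:55")),      # mapping learned
        ("arp", ("192.168.1.1", "00:11:22:33:44:55")),      # consistent reply: no alert
        ("arp", ("192.168.1.1", "DE:AD:BE:EF:00:01")),      # first disagreeing reply
        ("arp", ("192.168.1.1", "de:ad:be:ef:00:01")),      # second disagreeing reply: alert
    ]
    alerts = []
    for kind, data in events:
        alert = sensor.check_ip(data) if kind == "ip" else sensor.check_arp_reply(*data)
        if alert:
            alerts.append(alert)
    return alerts
```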

Decrypting SSL for IPS inspection
A disadvantage often cited for NIDS systems is the inability to analyze encrypted traffic. Encrypted traffic prevents nearly all NIDS from inspecting the packets for attacks or other unauthorized activity. Sensors, however, are equipped to decrypt Secure Socket Layer (SSL) packets for inspection and response in cases of attack. Network Security Platform SSL functionality allows a Sensor to maintain a copy of a server's private key, thereby allowing the Sensor to properly determine the session key for SSL sessions terminating on that server. From a client, you download your SSL keys through the Network Security Platform user interface to a Sensor. The Sensor keeps the server key in volatile memory after receiving it from the Manager. The key is stored in Manager, encrypted with a key only the Sensor knows. This prevents a single point of compromise. When a Sensor boots up, it requests all of the private keys that the Manager has for that Sensor.


Manager provides a passthru interface for importing a set of public/private keys to the Sensor. The Manager stores an escrow of the imported keys for Sensor recovery purposes. However, the Manager does not interpret the escrowed keys, nor does it attempt to recover the keys themselves in case a Sensor has lost its key encryption key. In order to protect the imported keys both in transit and in escrow, the Manager uses the public key of the Sensor’s public/private key pair. The Manager can also push down new keys when they are imported. Network Security Platform supports the PKCS12 format—file suffixes “.pkcs12”, “.p12”, or “.pfx”—with an RSA private key no longer than 2048 bits. Up to 64 keys can be loaded into a Sensor, and the keys work across all of a Sensor’s Virtual IPS (VIPS) instances. The private key must be a part of the PKCS12 file. For more information on SSL functionality, see Sensor Configuration Guide.
Note 1: There is a performance impact when using the SSL detection feature. Performance information per Sensor can be found in Network Security Platform Release Notes.
Note 2: SSL decryption is not supported on M-series and N-450 Sensors.

Supported Web servers
SSL decryption is supported for the following web servers:
• Microsoft Internet Information Server (IIS)
• Apache

Supported Cipher suites
The following SSL cipher suites (as named in their respective RFCs) are supported:
SSLv2 cipher suites
• SSL_CK_RC4_128_WITH_MD5
• SSL_CK_RC4_128_EXPORT40_WITH_MD5
• SSL_CK_DES_64_CBC_WITH_MD5
• SSL_CK_DES_192_EDE3_CBC_WITH_MD5

SSLv3/TLS cipher suites
• DES_CBC3_SHA
• TLS_NULL_WITH_NULL_NULL
• TLS_RSA_WITH_NULL_MD5
• TLS_RSA_WITH_NULL_SHA
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA

Unsupported SSL functionality
The following SSL functionality is not supported:
• iPlanet Web servers
• Diffie-Hellman ciphers
• Compression in the SSL records (a negotiable option in SSLv3 and TLS)
• PCT (Microsoft's extension to SSLv2)


CHAPTER 6

Managing users in Network Security Platform
This section explains the user management capabilities of the McAfee® Network Security Manager (Manager). The Manager Configuration page enables users with Super User privileges to delegate configuration and monitoring responsibilities of the various components of the McAfee® Network Security Platform to specific users. This section describes user management and roles at a high level, and describes the application of user roles in developing a safe and efficient security management environment. For more information on how to create users and assign roles, see Administrative Domain Configuration Guide.

User management in Network Security Platform
Security organizations usually are comprised of multiple individuals, and management of the overall system is generally delegated to different people according to some logical categorization—by department, by geographic location, by system (that is, the email servers, the Web servers), and so on. In McAfee Network Security Platform, you delegate the management of system components by organizing the components logically into admin domains and then granting various management privileges for the domains to your Network Security Platform users. The Manager enables the creation of multiple users within the system, and enables Super Users to grant specific privilege rules, called roles, to those users to allow them to manage an admin domain and any of its children. Within each admin domain, permission to carry out tasks is limited to only those users with appropriate roles. For example, recall that a child admin domain can consist of something as granular as an interface on a McAfee® Network Security Sensor (Sensor). You use roles to specify who can do what with that interface in that child domain.

What is a role?
A role is defined as a group of actions that a user is allowed to perform within a given domain. Roles determine the user’s authorized activities, ensuring the users have access to only the functions necessary to complete their particular operational responsibilities. Network Security Platform implements role-based authorization, wherein users can perform only those activities permitted by their role. Roles are always domain based, that is, a role governs what activities a user can perform within a particular domain. Users never have roles that are not tied to managing a resource within a specific domain and its children, although users can exist in the database without being assigned a role. Roles promote the integrity of security configuration by not allowing universal access to every security resource deployed in the system. Thus you can create a user with privileges to manage and configure a single child domain, perform user management tasks within that domain, generate reports, manage Sensors, and so on. You can assign the least privileges necessary for a user to perform his/her specific job function, and no more. The user is limited to the specific role functions within the assigned child domain and its children, and is prevented from manipulating other domains. For example, only the Root Admin Domain System Administrator sees the Manager node in the Resource tree. System Administrators without privileges at the Root Admin Domain level are allowed to configure and maintain their child domains within the system, but do not see the Manager resource.
Note: The Root Admin Domain Super User is able to override the roles of any user.
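The domain-scoped role model this chapter describes (a role granted at a domain applies to that domain and its children, never to a parent or sibling, and a grant at a child only adds to what the parent granted), as an added example that is not Manager code: the domain tree, the users and the mapping from actions to roles are assumptions; the five role names are the guide's.

```python
class AdminDomains:
    """Admin domain tree with domain-scoped role grants."""

    def __init__(self, root="Root"):
        self.root = root
        self.parent = {root: None}
        self.grants = {}                  # (user, domain) -> set of role names

    def add_domain(self, name, parent):
        if parent not in self.parent:
            raise KeyError(f"unknown parent domain {parent!r}")
        if name in self.parent:
            raise ValueError(f"domain {name!r} already exists")
        self.parent[name] = parent

    def grant(self, user, domain, role):
        if domain not in self.parent:
            raise KeyError(f"unknown domain {domain!r}")
        self.grants.setdefault((user, domain), set()).add(role)

    def _lineage(self, domain):
        while domain is not None:
            yield domain
            domain = self.parent[domain]

    def effective_roles(self, user, domain):
        """Roles granted at the domain or at any ancestor apply here.  A grant at a parent
        cannot be overridden at a child; a grant at a child only adds to it."""
        roles = set()
        for d in self._lineage(domain):
            roles |= self.grants.get((user, d), set())
        return roles

    def can(self, user, action, domain):
        return bool(self.effective_roles(user, domain) & ACTION_ROLES[action])


# Which roles may perform which actions: an assumed mapping for this example only
ACTION_ROLES = {
    "view_home": {"Super User", "System Administrator", "Operator", "Restricted User", "No Role"},
    "assign_roles": {"Super User"},
    "configure_sensor": {"Super User", "System Administrator"},
}


def demo():
    """Constructed domain tree: Root > Finance > Payroll, and Root > Engineering."""
    d = AdminDomains()
    d.add_domain("Finance", "Root")
    d.add_domain("Payroll", "Finance")        # a child can be as granular as one Sensor interface
    d.add_domain("Engineering", "Root")
    d.grant("alice", "Root", "Super User")
    d.grant("bob", "Finance", "Operator")
    d.grant("bob", "Payroll", "System Administrator")   # additional role at the child level
    return {
        "alice_assigns_roles_in_payroll": d.can("alice", "assign_roles", "Payroll"),
        "bob_configures_payroll": d.can("bob", "configure_sensor", "Payroll"),
        "bob_configures_finance": d.can("bob", "configure_sensor", "Finance"),   # child grant stays below
        "bob_reaches_engineering": bool(d.effective_roles("bob", "Engineering")),
        "bob_roles_in_payroll": d.effective_roles("bob", "Payroll"),
    }
```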

Creating a user
You create a user from the Manager's Configuration page, and you can assign the user roles for a particular domain at the time the user is created, or assign roles later. Only users with Super User privileges can assign or modify the assignment of user roles, and then only for the domains permitted by their own role(s); the System Administrator role also allows creating users and granting roles within its domains (see Role descriptions below), but granting the Super User role itself is reserved to Super Users. Users are stored in the database with their username, an MD5 hash of their password, and their role(s) in each domain. When the user logs in, the Manager makes available only those activities permitted by the user's roles. As most companies now centralize user management and authentication, the Manager also supports RADIUS and LDAP (Active Directory) authentication for users. For either method, you configure the authentication server information, and then when creating a user you choose whether the user is a RADIUS, LDAP, or Manager Local user. User accounts for the Sensor itself can be centrally stored and authenticated with a TACACS+ (Terminal Access Controller Access Control System Plus) server.

Note: MD5 is a fast general-purpose digest rather than a purpose-built password-hashing function, so the Manager database and its backups must be treated as sensitive material. For Manager Local accounts, enforce strong passwords; where your organization already runs RADIUS or LDAP, prefer those so that password policy and lockout are enforced centrally.

Roles within Network Security Platform
Network Security Platform provides five categories of roles. The section Role descriptions below lists the five role types with the description and activities available to each. All role types can view the Manager Home page, and all role types have read-only access to most actions available in the Configuration page. Restricted Users and No Role users, as their names imply, have the most limited read-only privileges within the system. In addition to the Network Security Platform-provided roles, custom roles can be added in order to assign specific abilities to certain members of an organization.

Role relationships between parent and child domains
Roles apply within the current domain and any of its children. Because child domains are contained within parent domains, if a user is given, for example, the Operator role for a parent domain, that role also applies to all children of the parent. Additional roles can be granted to the user at the child level, but a role granted at a parent cannot be overridden at a child level. Using the example above of a user granted the Operator role at the Root Admin Domain level, suppose you create a child admin domain. The user with the Operator role inherits that role at the child level; if you also want the user to have Super User status at the child level, you assign the Super User role within that child domain. Network Security Platform roles provide a granular level of access within the system. This enables you to give very limited responsibilities to a number of individuals, or to assign a single user multiple roles (for example, System Administrator and Security Expert) so that the user can accomplish multiple administrative tasks within the system.
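The inheritance rules above (a role granted at a domain applies to every descendant, extra roles may be added at a child, and a parent's grant cannot be revoked at a child) are easy to state and easy to get wrong when auditing who can do what. The following is an added example written for this guide, not code from the Manager: it models a tree of admin domains and computes a user's effective roles at any domain, refuses a child-level revocation of an inherited role, and lists every holder of Super User whose scope covers a given domain. The domain names, user names, and the `Operator` role are constructed for the illustration.

```python
"""Domain-scoped role model illustrating Network Security Platform's
inheritance rules. Added example, not the Manager's own code; all
domain and user names below are constructed."""
from collections import defaultdict

SUPER_USER = "Super User"


class DomainTree:
    """Admin domains keyed by name; every non-root domain has one parent."""

    def __init__(self, root="Root Admin Domain"):
        self.root = root
        self.parent = {root: None}

    def add_child(self, name, parent):
        if parent not in self.parent:
            raise KeyError(f"unknown parent domain {parent!r}")
        if name in self.parent:
            raise ValueError(f"domain {name!r} already exists")
        self.parent[name] = parent

    def ancestors(self, name):
        """Yield name, then its parent, and so on up to and including the root."""
        if name not in self.parent:
            raise KeyError(f"unknown domain {name!r}")
        while name is not None:
            yield name
            name = self.parent[name]


class RoleStore:
    """Direct grants per (user, domain), plus the inherited view of them."""

    def __init__(self, tree):
        self.tree = tree
        self.grants = defaultdict(lambda: defaultdict(set))

    def grant(self, user, domain, role):
        if domain not in self.tree.parent:
            raise KeyError(f"unknown domain {domain!r}")
        self.grants[user][domain].add(role)

    def effective_roles(self, user, domain):
        """Roles in force at `domain`: direct grants plus every ancestor's grants."""
        roles = set()
        for d in self.tree.ancestors(domain):
            roles |= self.grants[user][d]
        return roles

    def revoke(self, user, domain, role):
        """Remove a direct grant. Refuses when the role is inherited, because a
        role granted at a parent cannot be overridden at a child."""
        inherited = [d for d in self.tree.ancestors(domain)
                     if d != domain and role in self.grants[user][d]]
        if inherited:
            raise PermissionError(
                f"{role!r} for {user!r} is inherited from {inherited[0]!r}; "
                f"revoke it there, not at {domain!r}")
        self.grants[user][domain].discard(role)

    def may_assign_super_user(self, actor, domain):
        """Only a Super User whose scope covers `domain` may grant Super User there."""
        return SUPER_USER in self.effective_roles(actor, domain)

    def super_users_of(self, domain):
        """Least-privilege audit: (user, domain-where-granted) for everyone who
        holds Super User at `domain`, whether directly or by inheritance."""
        return sorted(
            (user, d)
            for user, by_domain in self.grants.items()
            for d in self.tree.ancestors(domain)
            if SUPER_USER in by_domain.get(d, ()))


def revoke_is_refused(store, user, domain, role):
    """True when the store rejects the revocation as an inherited role."""
    try:
        store.revoke(user, domain, role)
    except PermissionError:
        return True
    return False


def build_example():
    """Constructed scenario: Operator at the root, Super User on one child
    (whose child is a single Sensor interface), and a sibling domain."""
    tree = DomainTree()
    tree.add_child("Finance", "Root Admin Domain")
    tree.add_child("Finance/Sensor-1 eth1A", "Finance")   # interface-level child
    tree.add_child("Engineering", "Root Admin Domain")
    store = RoleStore(tree)
    store.grant("admin", "Root Admin Domain", SUPER_USER)  # built-in account
    store.grant("alice", "Root Admin Domain", "Operator")
    store.grant("alice", "Finance", SUPER_USER)
    return tree, store
```

`build_example()` reproduces the scenario in the text: alice's Operator role flows down to every domain, her Super User role applies to Finance and the interface beneath it but not to Engineering or the root, and an attempt to strip Operator from her at Finance is refused because the grant lives at the root.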

Role descriptions
The following section summarizes the Network Security Platform-provided user roles.

Super User role
The Super User role (not represented by an icon) has all privileges. Each shipped Manager is configured with one built-in Super User account with a default password.

Note: The default Super User account username is admin and the password is admin123. McAfee strongly recommends that you change the default password immediately after installation. (In the Configuration page, while logged in as admin, go to Root Admin Domain > Users > Manage My Account and change the password.)

The Super User role provides:
• all the privileges possible in the current domain
• all the privileges a Super User has in all the children of the current domain
• the special privilege to assign (or remove) the Super User role for a user in the current domain

A Super User can be defined at any level, and the role applies to the current domain and all of its children, but not to its parent domain or any sibling domains.

System Administrator role
The System Administrator role pertains strictly to administration of the system itself. Tasks permitted to the System Administrator include managing software and system performance; creating users and granting roles; adding, deleting, or configuring Sensors; and handling system faults.

Security Expert role
The Security Expert role largely pertains to managing intrusion policies. The Security Expert can create, edit, and delete policies, view alerts, manage software and signature update downloads, generate reports, manage system faults, and handle security alerts.

Restricted User role
Restricted Users (not represented by an icon) can view the Manager Home page, and are limited to read-only access to most areas of the Configuration page.

No role
The No Role user cannot perform any actions. This is the state when a user is first created.


CHAPTER 7

Working with Alerts
This section describes alerts, and the tools available for analyzing them.

What are alerts?
Alerts are asynchronous notifications sent when a system event or attack triggers the IPS. When a packet violating your enforced security policies is detected, the McAfee® Network Security Sensor (Sensor) compiles information about the offending packet and sends it to the McAfee® Network Security Manager (Manager) in the form of an alert. An alert contains a variety of information on the incident that triggered it, such as the type of attack, its source and destination IP addresses, its source and destination ports, and the Sensor's own security analysis, such as attack severity and type. You can use this information to perform forensic analysis on the alert, that is, careful investigation to determine its cause and how to prevent others of its kind.

An attack is a violation of set policy parameters. An alert is one or more attack instances. In many cases, an alert represents a single detected attack. A multi-attack alert is generated when multiple instances of an identical attack (same source IP, destination IP, and specific attack) are detected within a two-minute period; data for all of those attacks is throttled into one alert instance. You can also configure, for each throttled attack, after how many occurrences you want to see an individual alert.

McAfee® Network Security Platform stores alerts in the Manager server database until you delete them. You can view your alerts in the Manager using the Threat Analyzer or the Reports Main page. You can also correlate a large number of identical alerts into a small number of incidents using the Incident Generator.

The lifecycle of an alert
Alerts exist in one of three states: unacknowledged, acknowledged, and marked for deletion. When an alert is raised, it appears in the Manager in an unacknowledged state, meaning that you have not yet officially recognized its presence by marking it acknowledged. An alert remains unacknowledged until you either acknowledge or delete it. Alerts are backed up to the database and archived in order of occurrence. Deleted alerts are removed from the database by the scheduled Disk Space Maintenance described below.

Unacknowledged alerts display in the Unacknowledged Alert Summary section of the Manager Home page and the Real-time view in the Threat Analyzer. Acknowledging alerts dismisses them from these views. Acknowledged alerts display only in the Historical view in the Threat Analyzer and in reports.

Figure 15: Unacknowledged Alert Summary Display on the Manager home page

Item  Description
1     Unacknowledged alerts by severity
2     Click to open Threat Analyzer
3     Current "monitored domain"

Deleting an alert both acknowledges it and marks it for deletion. The alert is not actually deleted until a scheduled Disk Space Maintenance takes place. At that time, McAfee Network Security Platform deletes the alerts marked for deletion and any alerts meeting the deletion criteria specified in the scheduler (older than 30 days, for example), whether or not they have been manually marked for deletion. For more information on Disk Space Maintenance, see the Manager Server Configuration Guide.

To put an acknowledged alert back into an unacknowledged state, or to un-delete an alert, use the Historical view in the Threat Analyzer to show all alerts from the time period in which the acknowledged or deleted alert took place. Locate the alert and unacknowledge or un-delete it. The alert will not display in the Real-time Threat Analyzer until you have closed and re-opened the Threat Analyzer.

Suppressing alerts
Over time you will become very familiar with your Network Security Platform alert data as you perform forensic analysis in the Threat Analyzer, and you may tire of seeing some of the same alerts again and again. Network Security Platform provides multiple options for suppressing alerts, that is, reducing the number of alerts in the Threat Analyzer, the database, or both, so that you can work on higher-priority issues. The following alert suppression options are available through various actions in the Manager interface:

• Disable alerting: During policy creation or modification, you can disable the alert for one or more attacks. This disables alerting only, not detection: the Sensor still detects the attack and sends an automatic response if one is configured. (If no response is configured, nothing is done when the attack is detected.)

• Auto Acknowledge: Also during policy creation, you have the option of automatically acknowledging a detected attack. The Auto Acknowledge feature suppresses the alert from the Real-time View of the Threat Analyzer by marking the alert as acknowledged, so the alert is viewable only in a Historical View query.

• Alert throttling: Alert throttling (labeled Response Action Settings in the Manager interface) lets you set a suppression limit for a single Exploit attack that originates from one source, targets a single destination IP, and is detected by the same VIPS (interface or sub-interface) multiple times within a limited time frame. Exploit throttling limits the number of duplicate alerts that a Sensor sends to the Manager. Throttling is very effective against repetitive Exploit attacks in which a spoofed source IP address generates a high number of alerts.

The following table summarizes what happens to an alert under each option:

Option                           Send alert   Send Sensor       Display alert in   Save alert
                                 to Manager   response action   Real-time View     to database
Normal behavior                  Yes          Yes               Yes                Yes
Detection on, disable alerting   No           Yes               No                 No
Auto Acknowledge                 Yes          Yes               No                 Yes
Alert throttling                 Yes          Yes               Yes                Yes
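The multi-attack alert described under "What are alerts?" and the Exploit throttling option above are the same mechanism seen from two sides: identical detections (same source, destination, attack and VIPS) within a window are folded into one alert that carries a count, and you may ask for an individual alert every Nth occurrence anyway. The following added example, not McAfee code, implements that Sensor-side logic over a constructed detection stream so the effect on alert volume can be measured. The 120-second window is the two-minute period the text gives; the `report_every` parameter, the `Detection` and `Alert` types, and the sample addresses and attack name are this example's own.

```python
"""Sensor-side alert throttling. Added example, not Network Security
Platform code; detection records below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    ts: float      # seconds, from the Sensor clock
    src: str       # source IP
    dst: str       # destination IP
    attack: str    # specific attack (signature) name
    vips: str      # interface or sub-interface that saw the packet


@dataclass
class Alert:
    first: Detection    # the detection that opened this alert
    count: int = 1      # identical detections folded into it
    last_ts: float = 0.0

    @property
    def key(self):
        d = self.first
        return (d.src, d.dst, d.attack, d.vips)


def throttle(detections, window=120.0, report_every=None):
    """Return the alerts a Sensor forwards to the Manager, in order.

    One aggregate Alert opens per (src, dst, attack, vips) key when its first
    detection arrives; identical detections within `window` seconds of that
    first one only bump its count (the Manager sees one multi-attack alert).
    When `report_every` is N, every Nth detection inside the window is also
    forwarded as an individual alert. A detection outside the window opens a
    fresh aggregate.
    """
    open_alerts = {}
    forwarded = []
    for d in sorted(detections, key=lambda x: x.ts):
        key = (d.src, d.dst, d.attack, d.vips)
        cur = open_alerts.get(key)
        if cur is not None and d.ts - cur.first.ts < window:
            cur.count += 1
            cur.last_ts = d.ts
            if report_every and cur.count % report_every == 0:
                forwarded.append(Alert(d, 1, d.ts))   # the "see every Nth" alert
            continue
        cur = Alert(d, 1, d.ts)
        open_alerts[key] = cur
        forwarded.append(cur)
    return forwarded


def suppressed(detections, **kw):
    """How many raw detections never became their own alert."""
    detections = list(detections)
    return len(detections) - len(throttle(detections, **kw))


def sample_detections():
    """Constructed input: five hits of one exploit from one (spoofed) source
    against one host within 40 s, a stray hit against a second host, and a
    repeat of the first attack after the two-minute window has passed."""
    flood = [Detection(t, "203.0.113.9", "10.0.0.20", "HTTP: Long URI", "1A-1B")
             for t in (0, 10, 20, 30, 40)]
    stray = [Detection(15, "203.0.113.9", "10.0.0.21", "HTTP: Long URI", "1A-1B")]
    late = [Detection(130, "203.0.113.9", "10.0.0.20", "HTTP: Long URI", "1A-1B")]
    return flood + stray + late
```

On the sample stream, seven detections become three alerts (the flood collapses to one alert with a count of five, the different destination is its own alert, and the late repeat opens a new window); with `report_every=2` the Sensor additionally forwards an individual alert on the second and fourth hits. Note that the window is anchored at the first detection, so a sustained flood is reported once per window rather than being suppressed indefinitely.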

About the Threat Analyzer
The Threat Analyzer is a powerful forensic analysis tool you can use to examine the alerts detected by your Sensors. The Threat Analyzer can be opened from the Manager Home page by selecting the Real-time Threat Analyzer or Historical Threat Analyzer from the list and clicking the Launch button. The Threat Analyzer opens the Threat Analyzer Summary page in a separate browser window from that of the Manager Home page, providing a concentrated view for alert analysis. You need to specify a time frame to open the Historical Threat Analyzer; the Manager retrieves the alerts that occurred in the specified time frame and displays them in the Threat Analyzer for your analysis. By examining the alerts, you can use the information your analysis provides to determine your system weaknesses and modify your defenses.

• Real-time Threat Analyzer: The Real-time Threat Analyzer opens the Threat Analyzer Summary page. Once opened, the Real-time View refreshes frequently to display the alerts that are being detected by your Sensors, so you can view the alerts as they happen.

• Historical Threat Analyzer: The Historical Threat Analyzer sets the filter to retrieve both acknowledged and unacknowledged alerts archived in the database within a specified time frame. The Historical View does not refresh with new alerts, so you can focus on analyzing all alerts within the time you requested.

Figure 16: Threat Analyzer: Choices

Item  Description
1     Current Monitored Domain

Note: For more information on Threat Analyzer, see System Status Monitoring Guide.

The Threat Analyzer summary page
Once you have retrieved alerts, either from a particular time period or in real time, the Threat Analyzer Summary page is displayed. The Summary page is logically divided into two sections: the top menu bar and the lower display summary area.

Figure 17: Threat Analyzer Summary Window

Item  Description
1     Menu bar area
2     Display area

• Menu Bar Area: The menu bar of the Threat Analyzer Home page presents the following navigation options:
  Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for the selected time span in order of occurrence.
  Incident Viewer: links to the Incident Viewer page. You can create user-generated incidents to track alerts by parameters.
  Host Forensics: links to the Host Forensics page. You can view the Foundstone and ePO scan information.
  Preferences: links to the Preferences page. Enables you to set various options related to Threat Analyzer functionality and presentation.

• Display Area: The display area presents the consolidated view of System Health and Alerts.

System Health: You can view the System Health page from the Threat Analyzer Summary page. This System Health Status view cannot be operated in the same manner as the System Health Status available from the Home page: faults are not selectable. It is provided for a quick glance, so that you do not have to leave the Threat Analyzer to get an update on possible system faults. System Health displays the status of the Sensor and the Manager. The Update button updates the Sensor configuration.

IPS Views: There are four graphical representations: Attack Severity Summary, Attack Result Summary, RFB Attack Summary, and IPS Quarantine Alerts Summary. Each graph can be clicked to view details.

a. Attacks Over Time View: This pane displays the number of attacks, in time intervals, that have been detected either in the last two hours (Real-time) or within a specific time frame (Historical). The Time View displays as a bar graph; each bar carries the number of attacks and the time frame in which they were detected. Clicking a bar displays information on the attacks it represents in the status bar at the bottom of the Time View pane. The severity level in the Time View displays alerts as High, Medium, Low, or Informational. The Zoom In and Zoom Out options change the time granularity of the alerts displayed.

b. Consolidated View: The Consolidated View is below the Time View pane. Its display is split into four panes (categories) for statistical review. Each pane is a bar graph, and each bar represents several alert (Alert Result Status) or attack ("Top 5" panes) instances grouped by a specific parameter. An alert or attack may appear in a bar in more than one pane if it meets the statistical parameters of multiple categories. The categories are:
• Attack: lists the top 5 detected attacks by count.
• Result Status: shows the probable result of all attacks corresponding to the alerts: successful, unknown, failed, suspicious, blocked, or "blocking activated."
  Note: "Blocking activated" applies to DoS traffic and indicates that the Sensor has discovered traffic suspicious in nature and blocking has started, though not all traffic may be blocked. This is by design; blocking is applied to packets that the Sensor perceives as bad. The Sensor works to allow legitimate traffic to flow, while blocking the traffic that exceeds its learned threshold or is not recognized based on its DoS profile. The Sensor makes this determination on a packet-by-packet basis. For more information, see Special Topics Guide: Denial-of-Service.
• Source IP: lists the 5 most common source IP addresses by number of detected attacks.
• Target IP: lists the 5 most-targeted destination IP addresses by number of detected attacks.

Drilling down--sorting alerts by categories
The Drilldown option offers several categorical views for all or selected alerts. Drilling down lets you focus your view on particular alerts. For example, you might see in the Consolidated View pane that most High severity attacks are issuing from a particular source IP address, and want to know which attacks are being sent. You can select that source IP, then drill down to see which attacks have been issued from the address and to which destinations.

Figure 18: Drilling Down Through Alert Categories

Show the details of a specific alert
You can view the details of a specific alert for a clearer picture of the key information related to the attack. Different types of attacks produce different alert details. For example, a Port Scan attack’s alert details show the Source and Destination IP information, as well as the destination ports scanned in the attack. The information you learn in the Alert Details can then be used to augment your policy settings and/or to initiate a response action, such as a TCP Reset. By right-clicking an alert, you can perform certain actions on the alert, such as viewing or editing a response, running a script, saving an evidence report, and so on.

About the Incident Generator
Network Security Platform provides real-time alert correlation with the Incident Generator and User-Generated Incident tools. Performing analysis can be quite a task when it means looking through thousands, tens of thousands, and even hundreds of thousands of alerts to determine what is happening to your network. Network Security Platform’s alert suppression feature helps reduce the number of alerts to wade through, but having an intelligent resource to correlate and group related alerts—in real-time—greatly facilitates the task. For example, suppose an attacker, looking for weaknesses, initiates a port scan against your network. If the attacker successfully locates a vulnerability on a particular machine, he or she may next perform an exploit against the vulnerability. If the exploit is successful, the attacker might then compromise the machine and use it as a tool for initiating other attacks. This one server’s compromise, occurring amidst all the other alerts indicating other attacks on your network, could go unnoticed for too long because of the sheer number of alerts to examine. Imagine, however, if you could see instead that a single incident had occurred—that a particular server had received too many alerts in a short period of time, that alerts related to its compromise were being seen, and that attacks were now being initiated from that server.

Utilizing the Incident Generator
The Incident Generator tool enables you to define how to group a large number of related alerts into a small number of incidents. An incident is a pre-configured number of related alerts with commonalities matching a particular scenario. Using the Incident Generator, you define a scenario, which by default is "more than 100 alerts in fifteen minutes from one source." A scenario is a sequence of conditions that, when met, causes Network Security Platform to raise an incident. If a situation matching the scenario is detected and is then followed by a period of inactivity of two minutes or more, renewed matching activity from the same source is raised as another occurrence of the same incident rather than as a new incident. For example, the system detects 100 alerts from the same source in a 10-minute period. There is no activity from the source for three minutes, but then attacks start again from that source and surpass the 100-alert threshold in under 15 minutes. Instead of seeing 200+ related alerts from the same source as two incidents, you see two occurrences of a single incident matching the defined scenario.
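The default scenario and the two-minute inactivity rule together define a small correlation algorithm, and the worked example in the text (100 alerts in ten minutes, three quiet minutes, then another burst) is a good test case for it. The following is an added example, not the product's Incident Generator (which is configured through an XML file this guide does not reproduce): it keeps a sliding window of alert timestamps per source, opens an occurrence when the window exceeds the threshold, closes it after a quiet gap, and reports the next burst as a second occurrence of the same incident. Treating the quiet gap as also clearing the counting window, so the next burst must exceed the threshold on its own, is this example's assumption. The alert stream, source addresses and the `Occurrence` record are constructed for the illustration.

```python
"""Incident Generator-style correlation of alerts into incident
occurrences. Added example, not Network Security Platform code."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Occurrence:
    source: str
    start: float        # ts of the earliest alert in the triggering window
    end: float          # ts of the last alert before the quiet gap
    alert_count: int    # alerts folded into this occurrence


def correlate(alerts, threshold=100, window=15 * 60, quiet=2 * 60):
    """alerts: iterable of (ts, source_ip) pairs. Returns Occurrence list.

    Per source, timestamps are kept in a sliding window of `window` seconds.
    When more than `threshold` alerts fall inside it, an occurrence opens and
    further alerts extend it. A gap of `quiet` seconds or more with no alert
    from that source closes the occurrence and (assumption of this example)
    clears the window, so a later burst must exceed the threshold anew and
    is reported as the next occurrence of the same incident.
    """
    recent = defaultdict(deque)   # source -> timestamps inside the window
    last_seen = {}                # source -> ts of its most recent alert
    open_occ = {}                 # source -> Occurrence in progress
    done = []

    def close(src):
        occ = open_occ.pop(src, None)
        if occ is not None:
            done.append(occ)

    for ts, src in sorted(alerts):
        if src in last_seen and ts - last_seen[src] >= quiet:
            close(src)             # inactivity ended the previous occurrence
            recent[src].clear()
        last_seen[src] = ts
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # slide the window forward
        occ = open_occ.get(src)
        if occ is not None:
            occ.end = ts
            occ.alert_count += 1
        elif len(q) > threshold:   # "more than N alerts in the window"
            open_occ[src] = Occurrence(src, q[0], ts, len(q))
    for src in list(open_occ):
        close(src)                 # flush occurrences still open at end of input
    return sorted(done, key=lambda o: (o.start, o.source))


def sample_alerts():
    """Constructed stream reproducing the text's example: 101 alerts from one
    source over ten minutes, three quiet minutes, then 101 more over ten
    minutes; plus a second source that never crosses the threshold."""
    noisy = [(i * 6.0, "203.0.113.9") for i in range(101)]            # 0 .. 600 s
    noisy += [(780.0 + i * 6.0, "203.0.113.9") for i in range(101)]   # 780 .. 1380 s
    steady = [(i * 30.0, "198.51.100.7") for i in range(50)]          # 0 .. 1470 s
    return noisy + steady
```

Run on the sample stream, `correlate()` returns two occurrences for 203.0.113.9 (0 to 600 s and 780 to 1380 s, 101 alerts each) and nothing for 198.51.100.7, which is the outcome the text describes. Raising `threshold` above the burst size, or shrinking `window` below the burst duration, yields no occurrences at all.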

Configuring Incident Generator scenarios
The Incident Generator tool is defined by the configuration of an XML file and runs on a host separate from the Manager server. Configuring the Incident Generator involves specifying scenarios and customizing parameters in that XML file. Note: For more information on starting the Incident Generator, see the Manager Server Configuration Guide.

Creating user-generated incidents
The Manager also enables you to create your own incidents as you perform forensic analysis in the Threat Analyzer. The User-Generated Incidents option lets you select individual alerts from an Attack Details View for inclusion in a custom incident. No scenario settings need to be met; rather, you select each alert to include in your incident. Because this feature is independent of the Incident Generator scenario configuration, you can create an incident with alerts from multiple source IPs, to multiple destinations, and so forth. There is no minimum number of alerts, so you can start an incident with just one alert and add more alerts, as well as custom occurrences, over time. Once satisfied with an incident, you export it to the Incident Viewer for further analysis. Note: For more information on working with the User-Generated Incidents tool, see the System Status Monitoring Guide.

Viewing an incident
Whether you started the Incident Generator (IG) service or created your own incidents with the User-Generated Incidents tool, you view the incidents in the Incident Viewer tool, which is located within the Threat Analyzer. Within this tool, you can analyze and manage incidents, including alert analysis, user assignment, and workflow commentary for maintaining an incident's status. Note: For more information on working with the Incident Viewer, see the System Status Monitoring Guide.

About Reports
You can generate a range of reports for both the alert information reported to your Manager and information pertaining to your Network Security Platform configuration settings.

• IPS reports are summaries of alert information, such as severity, impact category, source/destination IP, time of alert, alert trends, and so forth.
• Configuration reports detail information such as the current Manager and Sensor software versions, proxy server settings, policy configuration, and so forth.
• Scheduled reports generate reports at a configured time, and optionally email the reports to specific individuals and/or save them for later viewing.

Note: For more information on the Reports, see Reports Guide.

IPS reports
The Report Generator’s IPS reports detail the network alerts generated by your Sensors. Alert reports are summaries based on specific types of information such as the source/destination IP of an attack, attack name, or time of alert. Network Security Platform includes several pre-formatted reports for simple information gathering, including an Executive Summary report, which provides a high-level view of alert activity.

These IPS reports provide information on the alerts generated from your installed Sensors. The generated alert information can include source and destination IP of the attack, time when attack occurred, the Sensor that detected the attack, and so forth. The multiple reports in this category provide various, concentrated views according to the specific parameters of each report. Each report lists alerts from most to least common detected. All IPS reports can be viewed in either HTML or PDF format. The Top N Report can also be viewed in bar graph or pie chart format.

Configuration reports
Configuration reports provide information on the settings configured using the Configuration page. You can generate reports to view your current software and signature versions, the status of a Sensor, policy and rule set configurations, or your proxy server settings. These reports provide a snapshot of the system’s current configuration.

Scheduled reports
Scheduled reports automate IPS report generation for convenient forensic analysis of the alerts generated by your Sensors. You can schedule reports to be generated and emailed on a daily or weekly basis. You create a report template consisting of the information you wish to be included, save the template, and configure the scheduler to run either weekly (on a particular day) or daily (at a particular time each day). You can also specify recipients for the reports. When the scheduled time arrives, a report is generated based on the template and mailed to specified individuals. Each report is saved for later review.

Alert and packet log archival
You can copy alerts and packet logs from the database and archive them for later retrieval and analysis without impacting the performance of your database. Using the Archival actions provided in the Network Security Platform user interface, you can archive your alerts and packet logs on demand or on a schedule, and then restore the archive on a different Manager-database instance for further historical analysis.

The archival process copies alerts and packet logs from the database into a zip file on the source Manager. From the Manager interface, you provide a time range; all corresponding alerts and packet logs in the database are copied into the archival file. Note: Archived files are saved locally on the Manager, but can be exported to your client.

The scheduled archival process is incremental. It preserves the last archival time and uses it as the start date for the next archival; the end date is always the current time. You can clear the preserved start date or set it to any date in the past. If it is cleared, the first cycle archives all alerts and packet logs up to the current time, after which the incremental process resumes. Note: An archival cannot be executed while database tuning is in progress.

The restoration process requires the archival file to be copied to a directory on the target Manager, or to a network directory that the target Manager can access. During restoration you can filter the alerts in the archive by severity, result status, and start and end times. For more information on configuring the archival process, see the Manager Server Configuration Guide.
