Home » McAfee Manuals » Computer Software » McAfee EPOCDE-AA-BA » Manual Viewer

McAfee EPOCDE-AA-BA Product Guide - Page 272

How the Rogue System Sensor works, Passive listening to layer-2 traffic

View all McAfee EPOCDE-AA-BA manuals

Add to My Manuals
Save this manual to your list of manuals

Page 272 highlights

21 Detecting Rogue Systems How the Rogue System Sensor works How the Rogue System Sensor works The Rogue System Sensor is the distributed portion of the Rogue System Detection architecture. Sensors detect systems, routers, printers, and other devices connected to your network. They gather information about the devices they detect, and forward the information to the McAfee ePO server. The sensor is a Win32 native executable application that runs on any NT-based Windows operating system, including: • Windows XP • Windows Server 2003 • Windows 2008 • Windows Vista • Windows 7 It can be installed on systems throughout your network. A sensor reports on all systems in the broadcast segment where it is installed. A sensor installed on a DHCP server reports on all systems or subnets using DHCP. To maintain coverage In networks or broadcast segments that don't use DHCP servers, you must install at least one sensor in each broadcast segment, usually the same as a subnet. DHCP deployment can be used with segment-specific deployment of the Rogue System Sensor for the most comprehensive coverage. Passive listening to layer-2 traffic To detect systems on the network, the sensor uses WinPCap, a packet capture library. It captures layer-2 broadcast packets sent by systems that are connected to the same network broadcast segment. It also listens passively to all layer-2 traffic for Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), IP traffic, and DHCP responses. To obtain additional information, the sensor also performs NetBIOS calls and OS fingerprinting on systems that were already detected. It does this by listening to the broadcast traffic of all devices in its broadcast segment, and by using NetBIOS calls, actively probing the network to gather additional information about the devices connected to it, such as the operating system of a detected system. The sensor does not determine whether the system is a rogue system. It detects systems connected to the network and reports these detections back to the McAfee ePO server, which determines whether the system is rogue based on user-configured settings. Intelligent filtering of network traffic The sensor filters network traffic "intelligently" - it ignores unnecessary messages and captures only what it needs, which is Ethernet and IP broadcast traffic. By filtering out unicast traffic, which might contain non-local IP addresses, the sensor focuses only on devices that are part of the local network. To optimize performance and minimize network traffic, the sensor limits its communication to the server by relaying only new system detections, and by ignoring any re-detected systems for a user-configured time. For example, the sensor detects itself among the list of detected systems. If the sensor sent a message every time it detected a packet from itself, the result would be a network overloaded with sensor detection messages. 272 McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide

Section	Page
Contents	3
Preface	11
About this guide	11
Audience	11
Conventions	11
What's in this guide	12
Finding product documentation	12
Introducing McAfee ePolicy Orchestrator Software version 4.6.0	13
1 Introducing McAfee ePolicy Orchestrator Software version 4.6.0	15
What is ePolicy Orchestrator software	15
Components and what they do	16
How the software works	17
How to navigate the ePolicy Orchestrator interface	18
About the ePolicy Orchestrator navigation Menu	18
About the navigation bar	19
2 Planning your ePolicy Orchestrator configuration	21
About scalability	21
When to use multiple ePolicy Orchestrator servers	21
When to use multiple remote Agent Handlers	22
Server configuration overview	22
Setting up and configuring your ePolicy Orchestrator server	25
3 Configuring essential features	27
About essential features	27
Using the Guided Configuration to configure essential features	28
4 Configuring general server settings	31
About general server settings	31
Configuring general server settings	31
Allowing agent deployment credentials to be cached	31
Specifying default dashboards and dashboard refresh intervals	32
Determining which events are forwarded to the server	32
Choosing an ePO Notification Event interval	33
Configuring settings for global updates	33
Providing a license key	34
Creating a custom login message	34
McAfee Labs Security Threats	34
Working with McAfee Labs Security Threats	35
Controlling unsupported product policy visibility	35
Changing agent communication ports	36
Configuring the template and location for exported reports	36
Using a proxy server	36
SSL certificates	37
Replacing the server certificate	37
Installing a trusted security certificate for the McAfee ePO browser	38
Installing the security certificate when using Internet Explorer	38
Installing the security certificate when using Firefox 3.5 or higher	38
Enabling System Tree sorting on the server	39
ePolicy Orchestrator server settings categories and their descriptions	39
5 Creating user accounts	43
About user accounts	43
Global administrators	43
Working with user accounts	44
Creating user accounts	44
Editing user accounts	44
Deleting user accounts	45
6 Setting up permission sets	47
How users, groups, and permission sets fit together	47
Working with permission sets	49
Creating a new permission set	49
Modifying an existing permission set	50
Duplicating a permission set	50
Exporting permission sets	50
Importing permission sets	51
Removing a permission set	51
Deleting permission sets	51
7 Configuring advanced server settings	53
Configuring Active Directory user login	53
Managing ePolicy Orchestrator users with Active Directory	53
Windows authentication and authorization strategies	55
Configuring Windows authentication and authorization	56
Enabling Windows authentication in ePO Server	56
Configuring Windows authentication	56
Configuring Windows authorization	57
Authenticating with certificates	58
When to use certificate authentication	58
Configuring ePolicy Orchestrator for certificate authentication	58
Uploading server certificates	59
Removing server certificates	59
Configuring users for certificate authentication	60
Problems with certificate authentication	60
Configuring Rogue System Detection server settings	61
Configuring server settings for Rogue System Detection	61
Editing Detected System Compliance	61
Editing Detected System Exception Categories	62
Editing Detected Systems Matching	62
Editing Detected System OUIs	63
Editing Rogue System Sensor settings	63
Managing security keys	64
Security keys and how they work	64
Master repository key pair	65
Other repository public keys	65
Working with repository keys	65
Using one master repository key pair for all servers	66
Using master repository keys in multi-server environments	66
Agent-server secure communication (ASSC) keys	67
Working with ASSC keys	67
Deleting agent-server secure communication (ASSC) keys	68
Exporting ASSC keys	68
Importing ASSC keys	69
Generating and using new ASSC key pairs	69
Designating an ASSC key pair as the master	70
Using the same ASSC key pair for all servers and agents	70
Using a different ASSC key pair for each McAfee ePO server	71
Viewing systems that use an ASSC key pair	71
Backing up and restoring keys	71
Backing up all security keys	72
Restoring security keys	72
Restoring security keys from a backup file	73
Configuring source and fallback sites	73
Working with source and fallback sites	73
Creating source sites	74
Switching source and fallback sites	75
Editing source and fallback sites	75
Deleting source sites or disabling fallback sites	75
8 Setting up repositories	77
Repository types and what they do	78
Types of distributed repositories	79
Repository branches and their purposes	80
Repository list file and its uses	81
How repositories work together	82
Ensuring access to the source site	82
Configuring proxy settings	83
Configuring proxy settings for the McAfee Agent	83
Configuring proxy settings for McAfee Labs Security Threats	84
Using SuperAgents as distributed repositories	84
Creating SuperAgent repositories	85
Selecting which packages are replicated to SuperAgent repositories	86
Deleting SuperAgent distributed repositories	86
Creating and configuring FTP, HTTP, and UNC repositories	86
Creating a folder location on an FTP, HTTP server or UNC share	87
Adding the distributed repository to ePolicy Orchestrator	87
Avoiding replication of selected packages	89
Disabling replication of selected packages	89
Enabling folder sharing for UNC and HTTP repositories	90
Editing distributed repositories	90
Deleting distributed repositories	90
Using local distributed repositories that are not managed	91
Working with the repository list files	92
Exporting the repository list SiteList.xml file	92
Exporting the repository list SiteMgr.xml file for backup or use by other servers	93
Importing distributed repositories from the SiteMgr.xml file	93
Importing source sites from the SiteMgr.xml file	93
Changing credentials on multiple distributed repositories	94
9 Setting up registered servers	95
Registering servers	95
Registering McAfee ePO servers	95
Registering LDAP servers	97
Registering SNMP servers	98
Registering a database server	99
10 Setting up Agent Handlers	101
Agent Handlers and what they do	101
How Agent Handlers work	101
Handler groups and priority	102
Working with Agent Handlers	103
Assigning agents to Agent Handlers	103
Managing Agent Handler assignments	104
Setting up Agent Handler groups	104
Managing Agent Handler groups	105
Moving agents between handlers	105
Grouping agents using Agent Handler assignments	106
Grouping agents by assignment priority	107
Grouping agents using the System Tree	107
11 Other important server information	109
About Internet Protocols in managed environment	109
Exporting objects from ePolicy Orchestrator	110
Importing items into ePolicy Orchestrator	110
Exporting objects and data from your ePolicy Orchestrator server	111
ePolicy Orchestrator Log Files	112
The Audit Log	112
Working with the Audit Log	112
Viewing the Audit Log	112
Purging the Audit Log	113
Purging the Audit Log on a schedule	113
The Server Task log	114
Working with the Server Task Log	114
Viewing the Server Task Log	114
Filtering the Server Task Log	115
Purging the Server Task Log	115
Allowed Cron syntax when scheduling a server task	115
The Threat Event Log	116
Working with the Threat Event Log	117
Viewing the Threat Event Log	117
Purging Threat Events	117
Purging the Threat Event Log on a schedule	118
Managing your network security with your ePolicy Orchestrator server	119
12 Organizing the System Tree	121
The System Tree structure	121
Considerations when planning your System Tree	123
Administrator access	123
Environmental borders and their impact on system organization	124
Subnets and IP address ranges	124
Tags and systems with similar characteristics	124
Operating systems and software	125
Tags and how they work	125
Active Directory and NT domain synchronization	126
Active Directory synchronization	126
Types of Active Directory synchronization	127
Systems and structure	127
Systems only	127
NT domain synchronization	127
Criteria-based sorting	128
How settings affect sorting	129
IP address sorting criteria	129
Tag-based sorting criteria	130
Group order and sorting	130
Catch-all groups	130
How a system is added to the System Tree when sorted	130
Working with tags	132
Creating tags with the Tag Builder	132
Excluding systems from automatic tagging	133
Applying tags to selected systems	133
Applying criteria-based tags automatically to all matching systems	133
Applying criteria-based tags to all matching systems	134
Applying criteria-based tags on a schedule	134
Creating and populating groups	135
Creating groups manually	136
Adding systems manually to an existing group	137
Exporting systems from the System Tree	138
Importing systems from a text file	138
Creating a text file of groups and systems	139
Importing systems and groups from a text file	139
Sorting systems into criteria-based groups	140
Adding sorting criteria to groups	140
Enabling System Tree sorting on the server	141
Enabling and disabling System Tree Sorting on Systems	141
Sorting systems manually	141
Importing Active Directory containers	142
Importing NT domains to an existing group	144
Synchronizing the System Tree on a schedule	146
Updating the synchronized group with an NT domain manually	147
Moving systems manually within the System Tree	147
Transferring systems between McAfee ePO servers	148
13 Working with the agent from the McAfee ePO server	149
Agent-server communication	149
Agent-server communication interval	150
Agent-server communication interruption handling	150
Wake-up calls and tasks	151
SuperAgents and broadcast wake-up calls	151
SuperAgent caching and communication interruptions	152
Viewing agent and product properties	153
Responding to policy events	153
Running client tasks immediately	154
Sending manual wake-up calls to systems	155
Sending manual wake-up calls to a group	155
Locate inactive agents	156
Queries provided by McAfee Agent	156
Windows system and product properties reported by the agent	157
14 Using the Software Manager to check in software	159
What's in the Software Manager	159
Checking in, updating, and removing software using the Software Manager	160
15 Using policies to manage products and systems	163
Policy management	163
Policy application	165
How policy assignment rules work	166
Policy assignment rule priority	166
About user-based policy assignments	167
About system-based policy assignments	168
Using tags to assign system-based policies	168
Working with policy assignment rules	169
Creating policy assignment rules	169
Managing policy assignment rules	170
Creating Policy Management queries	170
Working with the Policy Catalog	171
Creating a policy from the Policy Catalog page	172
Duplicating a policy on the Policy Catalog page	172
Editing a policy’s settings from the Policy Catalog	173
Renaming a policy from the Policy Catalog	173
Deleting a policy from the Policy Catalog	173
Working with policies	173
Configuring agent policies to use a distributed repository	174
Changing the owners of a policy	175
Moving policies between McAfee ePO servers	175
Exporting a single policy	175
Exporting all policies of a product	176
Importing policies	176
Assigning a policy to a group of the System Tree	176
Assigning a policy to a managed system	177
Assigning a policy to multiple managed systems within a group	177
Enforcing policies for a product on a group	178
Enforcing policies for a product on a system	178
Copying and pasting assignments	179
Copying policy assignments from a group	179
Copying policy assignments from a system	179
Pasting policy assignments to a group	179
Pasting policy assignments to a specific system	180
Viewing policy information	180
Viewing groups and systems where a policy is assigned	181
Viewing the settings of a policy	181
Viewing policy ownership	182
Viewing assignments where policy enforcement is disabled	182
Viewing policies assigned to a group	182
Viewing policies assigned to a specific system	183
Viewing a group’s policy inheritance	183
Viewing and resetting broken inheritance	183
Sharing policies among McAfee ePO servers	183
Setting up policy sharing for multiple McAfee ePO servers	184
Registering servers for policy sharing	184
Designating policies for sharing	184
Scheduling server tasks to share policies	185
Frequently asked questions	185
16 Using tasks to manage products and systems	187
Deployment packages for products and updates	187
Product and update deployment	189
First time product and update deployment overview	189
Server tasks and what they do	190
Global updating	190
Deploying update packages automatically with global updating	191
Pull tasks	192
Replication tasks	193
Repository selection	193
Deploying update packages with pull and replication tasks	194
Using pull tasks to update the master repository	194
Running a pull task on a schedule	194
Running a Pull Now task	195
Replicating packages from the master repository to distributed repositories	196
Running a Repository Replication server task on a schedule	196
Running a Replicate Now task	197
Avoiding replication of selected packages	198
Allowed Cron syntax when scheduling a server task	198
About the pull and replication task information in the Server Task log	199
Client tasks and what they do	199
How the Client Task Catalog works	200
Deployment tasks	200
Using the Product Deployment task to deploy products to managed systems	200
Configuring the Deployment task for groups of managed systems	201
Configuring the Deployment task to install products on a managed system	202
Update tasks	203
Updating managed systems regularly with a scheduled update task	203
Working with client tasks	204
Creating and scheduling client tasks	204
Editing client tasks	205
Deleting client tasks	205
Confirming that clients are using the latest DAT files	205
Evaluating new DATs and engines before distribution	206
17 Managing packages and extensions manually	207
Bringing products under management	207
Checking in packages manually	207
Deleting DAT or engine packages from the master repository	208
Manually moving DAT and engine packages between branches	208
Checking in engine, DAT and ExtraDAT update packages manually	209
18 Responding to events in your network	211
About using Automatic Responses	212
Automatic Responses and how it works	212
Throttling, aggregation, and grouping	213
Default rules	213
Planning	214
Determining how events are forwarded	214
Determining which events are forwarded immediately	215
Determining which events are forwarded	215
Configuring Automatic Responses	216
Assigning permission sets to access Automatic Responses	216
Assigning permissions to Notifications	216
Assigning permissions to Automatic Responses	217
Working with SNMP servers	217
Editing SNMP servers	218
Deleting an SNMP server	219
Importing .MIB files	220
Working with registered executables and external commands	220
Adding registered executables	221
Editing registered executables	221
Deleting registered executables	221
Duplicating registered executables	221
Creating and editing Automatic Response rules	222
Describing the rule	222
Setting filters for the rule	223
Setting thresholds of the rule	223
Configuring the action for Automatic Response rules	224
Frequently asked questions	226
Monitoring and reporting on your network security status	227
19 Monitoring with Dashboards	229
Working with dashboards	229
Creating dashboards	230
Adding monitors to dashboards	230
Removing monitors from dashboards	231
Duplicating dashboards	231
Deleting dashboards	232
Importing dashboards	232
Exporting dashboards	232
Changing the system default dashboard	233
Assigning permissions to dashboards	233
Working with dashboard monitors	234
Configuring dashboard monitors	234
Moving and resizing dashboard monitors	235
Default dashboards and their monitors	235
20 Querying the database and reporting on system status	239
Query and report permissions	240
About queries	240
Query Builder	242
Working with queries	243
Creating custom queries	243
Running an existing query	244
Running a query on a schedule	245
Creating a query group	245
Moving a query to a different group	246
Duplicating queries	246
Deleting queries	246
Exporting a query	247
Importing a query	247
Exporting query results to other formats	248
Multi-server rollup querying	249
Creating a Rollup Data server task	249
Creating a query to define compliance	250
Generating compliance events	250
About reports	251
Structure of a report	251
Working with reports	252
Creating a new report	253
Editing an existing report	253
Adding elements to a report	254
Configuring image report elements	254
Configuring text report elements	255
Configuring query table report elements	255
Configuring query chart report elements	256
Customizing report headers and footers	256
Removing elements from a report	257
Reordering elements within a report	258
Viewing report output	258
Grouping reports together	258
Running reports	259
Configuring Internet Explorer 8 to automatically accept McAfee ePO downloads	259
Running a report with a server task	260
Exporting reports	260
Importing reports	261
Deleting reports	261
Using database servers	261
Working with database servers	262
Modifying a database registration	262
Removing a registered database	262
21 Detecting Rogue Systems	265
What are rogue systems	265
Rogue System Detection states	266
Overall system status	266
Rogue System Sensor status	267
Subnet status	268
Top 25 Subnets	268
Rogue Sensor Blacklist	269
Rogue System Detection policy settings	269
Considerations for policy settings	269
Rogue System Detection permission sets	271
How the Rogue System Sensor works	272
Passive listening to layer-2 traffic	272
Intelligent filtering of network traffic	272
Data gathering and communications to the server	273
Systems that host sensors	273
How detected systems are matched and merged	274
Working with detected systems	274
Configuring Rogue System Detection policy settings	275
Adding systems to the Exceptions list	276
Adding systems to the Rogue Sensor Blacklist	277
Adding detected systems to the System Tree	277
Editing system comments	277
Exporting the Exceptions list	278
Importing systems to the Exceptions list	278
Merging detected systems	278
Pinging a detected system	279
Querying detected system Agents	279
Removing systems from the Detected Systems list	279
Removing systems from the Exceptions list	280
Removing systems from the Rogue Sensor Blacklist	280
Viewing detected systems and their details	280
Working with sensors	280
Installing sensors	281
Installing sensors on specific systems	281
Using queries and server tasks to install sensors	282
Using client task to install sensors	282
Editing sensor descriptions	283
Removing sensors	283
Working with subnets	284
Adding subnets	284
Deleting subnets	285
Ignoring subnets	285
Including subnets	285
Renaming subnets	286
Viewing detected subnets and their details	286
Rogue System Detection command-line options	286
Default Rogue System Detection queries	287
22 Managing Issues and Tickets	289
Issues and how they work	290
Working with issues	290
Creating basic issues manually	290
Configuring responses to automatically create issues	291
Managing issues	294
Purging closed issues	295
Purging closed issues manually	295
Purging closed issues on a schedule	295
Tickets and how they work	296
Ways to add tickets to issues	296
Assignment of ticketed issues to users	296
How tickets and ticketed issues are closed	296
Benefits of adding comments to ticketed issues	297
How tickets are reopened	297
Ticketed issue synchronization	297
Integration with ticketing servers	297
Considerations when deleting a registered ticketing server	298
Required fields for mapping	298
Sample mappings	298
Sample mapping for Hewlett-Packard Openview Service Desk	299
Sample mapping for BMC Remedy Action Request System	300
Working with tickets	301
Adding tickets to issues	301
Synchronizing ticketed issues	302

Match case Limit results 1 per page

How the Rogue System Sensor works

The Rogue System Sensor is the distributed portion of the Rogue System Detection architecture.

Sensors detect systems, routers, printers, and other devices connected to your network. They gather

information about the devices they detect, and forward the information to the McAfee ePO server.

The sensor is a Win32 native executable application that runs on any NT-based Windows operating

system, including:

•

Windows XP

•

Windows Server 2003

•

Windows 2008

•

Windows Vista

•

Windows 7

It can be installed on systems throughout your network. A sensor reports on all systems in the

broadcast segment where it is installed. A sensor installed on a DHCP server reports on all systems or

subnets using DHCP. To maintain coverage In networks or broadcast segments that don’t use DHCP

servers, you must install at least one sensor in each broadcast segment, usually the same as a

subnet. DHCP deployment can be used with segment-specific deployment of the Rogue System Sensor

for the most comprehensive coverage.

Passive listening to layer-2 traffic

To detect systems on the network, the sensor uses WinPCap, a packet capture library. It captures

layer-2 broadcast packets sent by systems that are connected to the same network broadcast

segment. It also listens passively to all layer-2 traffic for Address Resolution Protocol (ARP), Reverse

Address Resolution Protocol (RARP), IP traffic, and DHCP responses.

To obtain additional information, the sensor also performs NetBIOS calls and OS fingerprinting on

systems that were already detected. It does this by listening to the broadcast traffic of all devices in

its broadcast segment, and by using NetBIOS calls, actively probing the network to gather additional

information about the devices connected to it, such as the operating system of a detected system.

The sensor does not determine whether the system is a rogue system. It

detects systems connected to the network and reports these detections

back to the McAfee ePO server, which determines whether the system is

rogue based on user-configured settings.

Intelligent filtering of network traffic

The sensor filters network traffic "intelligently" — it ignores unnecessary messages and captures only

what it needs, which is Ethernet and IP broadcast traffic. By filtering out unicast traffic, which might

contain non-local IP addresses, the sensor focuses only on devices that are part of the local network.

To optimize performance and minimize network traffic, the sensor limits its communication to the

server by relaying only new system detections, and by ignoring any re-detected systems for a

user-configured time. For example, the sensor detects itself among the list of detected systems. If the

sensor sent a message every time it detected a packet from itself, the result would be a network

overloaded with sensor detection messages.

Detecting Rogue Systems

How the Rogue System Sensor works

272

McAfee

ePolicy Orchestrator

4.6.0 Software Product Guide