McAfee M-1250 IPS Configuration Guide

McAfee M-1250 - Network Security Platform Manual

McAfee M-1250 manual content summary:

  • McAfee M-1250 | IPS Configuration Guide - Page 1
    IPS Configuration Guide revision 10.0 McAfee® Network Security Platform Network Security Manager version 5.1 McAfee® Network Protection Industry-leading network security solutions
  • McAfee M-1250 | IPS Configuration Guide - Page 2
    color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. contributed to Berkeley by Chris Torek. Issued JUNE 2010 / IPS Configuration Guide 700-1810-00/ 10.0 - English
  • McAfee M-1250 | IPS Configuration Guide - Page 3
    Contents Preface ...v Introducing McAfee Network Security Platform v About the guide ...v Audience ...v Conventions used in this guide ...vi Related documentation ...vii Contacting Technical Support ...viii Chapter 1 Overview of IPS settings 1 Configuring and setting rule-based policies 1
  • McAfee M-1250 | IPS Configuration Guide - Page 4
    200 Network scenarios for Traffic Management 203 Enabling SSL decryption ...204 Configuring SSL decryption in the IPS Sensor 205 Managing the imported SSL keys of a Sensor 206 Configuring at the interface level 208 IPS Quarantine settings in the IPS Sensor 209 Summary of Sensor configurations
  • McAfee M-1250 | IPS Configuration Guide - Page 5
    for this guide and how to contact McAfee Technical Support. Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 6
    McAfee® Network Security Platform 5.1 Preface not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks. Conventions used in this guide This document uses the following typographical conventions: Convention
  • McAfee M-1250 | IPS Configuration Guide - Page 7
    Related documentation The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides. • Quick Tour • Manager Installation Guide • 4.1 to 5.1 Upgrade Guide • Getting Started Guide • IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 8
    Contacting Technical Support If you have any questions, contact McAfee for assistance: Online Contact McAfee Technical Support http://mysupport.mcafee.com. Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on
  • McAfee M-1250 | IPS Configuration Guide - Page 9
    of IPS related policies configuration on the McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor]. Policy configuration is available to users with a Security Expert or Super User role. When policies are applied, McAfee® Network Security Platform [formerly McAfee® IntruShield
  • McAfee M-1250 | IPS Configuration Guide - Page 10
    McAfee® Network Security Platform 5.1 Overview of IPS settings In the McAfee® Network Security Policy Editor [formerly IPS Policy Editor], there are several provided rule sets which match the pre-configured will have no impact in a specific zone of your network. The second method is collaboration.
  • McAfee M-1250 | IPS Configuration Guide - Page 11
    Tip: McAfee recommends using Wireshark (formerly known as Ethereal) for packet log viewing. Ethereal is a network protocol analyzer for Unix and Windows servers that enables you to examine the data captured by your Network Security Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 12
    Pre-configured rule sets and policies (on page 63)). The following table illustrates how severity levels are assigned for attacks in different categories: Category Threat Type Reconnaissance Host sweep Port scan Brute force Service sweep OS Fingerprinting Range Used in Network Security Platform
  • McAfee M-1250 | IPS Configuration Guide - Page 13
    Category Exploits Volume DoS Policy Violation Threat Type Protocol Violation Buffer Overflow Shellcode Execution Remote Access Privileged Access Probe DoS Evasion Attempt Arbitrary Command
  • McAfee M-1250 | IPS Configuration Guide - Page 14
    detection • Configuration Update Figure 1: IPS Settings Tab Viewing assigned policies The Summary action allows you to view the IPS policy and Reconnaissance policies that have been assigned to the various resources of your McAfee® Network Security Platform. Policies are listed per Sensor, interface
  • McAfee M-1250 | IPS Configuration Guide - Page 15
    tab contains the major actions for policy configuration and management. The provided, pre-configured rule sets and policies are included for immediate application; the Default Inline IPS policy operates by default when McAfee Network Security Platform is initialized. You can use a provided rule
  • McAfee M-1250 | IPS Configuration Guide - Page 16
    McAfee® Network Security Platform 5.1 Managing IPS settings Managing policies with IPS Policy Editor The IPS Policy Editor action enables the use of the ultimate refining tool for IPS policy management. The Policy Editor brings together defining alert filters and rule sets for final customization
  • McAfee M-1250 | IPS Configuration Guide - Page 17
    Figure 3: IPS Policy List The Add an IPS Policy window opens with the Configure the Denial of Service (DoS) tab. See Customizing Denial of Service (DoS) modes (on page 23). a. Customize Denial of Service notification. See Denial of Service
  • McAfee M-1250 | IPS Configuration Guide - Page 18
    Applying rule sets for inbound and outbound traffic Inbound and outbound refer to the direction that traffic is flowing in regards to the network. Inbound refers to traffic destined for the internal network to Sensors in SPAN mode, only Inbound rule
  • McAfee M-1250 | IPS Configuration Guide - Page 19
    8 Specify the rule set in the Select Outbound Rule Set to Be Applied or select Use Inbound Rule set of Exploit Attacks and click
  • McAfee M-1250 | IPS Configuration Guide - Page 20
    Figure 6: Add An IPS Policy Dialog - Exploit Tab 2 View the attacks for level at which the notification was indicated. Sensor Software Versions: Two columns with the current and previous Sensor software version names are either checked or
  • McAfee M-1250 | IPS Configuration Guide - Page 21
    Figure 7: Configure Attack Details for Attack Category Dialog 3 Do one of the following: View/customize a single attack's details by selecting a row and clicking View / Edit. Continue to
  • McAfee M-1250 | IPS Configuration Guide - Page 22
    iv. Advanced Search: Allows you to search the dialog box. Figure 9: Edit Attack Details For Attack - Dialog Attack Name: assigned by McAfee. Severity: potential impact level of the attack. For per-attack customization, see Step 5. Attack
  • McAfee M-1250 | IPS Configuration Guide - Page 23
    Figure 10: Attack Signatures Display Benign Trigger Probability: probability attack signature will raise a false positive. Attack Direction: origin of flow; attack was either client or server initiated. Applications Impacted:
  • McAfee M-1250 | IPS Configuration Guide - Page 24
    New Attacks Sensor Software Versions 2 Select the option of your choice in the Search by field. A set of fields based on your selection will be displayed to help
  • McAfee M-1250 | IPS Configuration Guide - Page 25
    To search for attacks based on New Attacks signature 2 Under Search by Comparing Sensor Software Versions, select: Figure 12: Advanced Search - Search by Sensor Software Software Version #1: Select the Sensor type and the version number
  • McAfee M-1250 | IPS Configuration Guide - Page 26
    Figure 13: Advanced Search - Search by Software Version Options Select Attacks by Sensor Software Version #1 and Version #2: Select your choice from the list: • All Versions • Both Version #1 and Version #2 • Only Version #1 • Only
  • McAfee M-1250 | IPS Configuration Guide - Page 27
    Figure 14: Select Attacks by Software Versions - Choices 3 Click Search. The attack list is displayed as per the selected Search criteria. Customizing responses for an exploit attack 1 Click the Logging tab of the Configure Attack Details
  • McAfee M-1250 | IPS Configuration Guide - Page 28
    Figure 15: Edit Attack Details For Attack - Dialog copied packet. Select the Enable Logging check box to enable further logging parameters. The Sensor logs packet application-level data by copying it and sending it to Manager. The
  • McAfee M-1250 | IPS Configuration Guide - Page 29
    Figure 16: Edit Attack Details For Attack - Dialog / Sensor Actions Tab the detection of a specific attack. The choices are: Email: sends an email to configured email address. Pager: sends a page to a configured email pager number. Script
  • McAfee M-1250 | IPS Configuration Guide - Page 30
    Note: For an attack where the direction is Unknown (typically seen when in SPAN or Hub mode), you must set Auto. Acknowledge for an Exploit or DoS attack in the Inbound direction to use this functionality. SNMP: send an alert to a configured
  • McAfee M-1250 | IPS Configuration Guide - Page 31
    Figure 18: Step 1: Add an IPS Policy Dialog 8 Follow the steps to customize Exploit attack enforcement just as for the inbound rule set. When done with all Exploit category configuration, move to Customizing Denial of Service (DoS) modes (
  • McAfee M-1250 | IPS Configuration Guide - Page 32
    Figure 19: Add An IPS Policy Dialog - DoS / Inbound / Learning Mode Toggling the Response Sensitivity for All Learning Attacks drop-down list sets the learning curve for the profile to
  • McAfee M-1250 | IPS Configuration Guide - Page 33
    Attack Description: Sensor deployed in In-line mode. Note: For more information on monitoring modes, Denial-of-Service (DoS) modes, Getting Started Guide. Denial of Service attack notification 1 Click the Notifications tab. Configure
  • McAfee M-1250 | IPS Configuration Guide - Page 34
    Figure 22: Add An IPS Policy Dialog - DOS / Inbound / Threshold Mode 5 View the attack details for the selected attack. See Customizing Denial of Service Threshold Values 10 Configure the type of notification you want configured users to
  • McAfee M-1250 | IPS Configuration Guide - Page 35
    scanning/probing attempts) policy is configured on a per-Sensor basis. Refer to Editing an IPS policy (on page 34). 14 the option by setting the value to FALSE in file "config\ems.properties". In this case, users will not be prompted with a dialog
  • McAfee M-1250 | IPS Configuration Guide - Page 36
    Figure 25: Policy Creation - Enter Comment Option 3 Enter your comments in the Enter Comment field. 4 Click Commit. To view comments in the Audit log
  • McAfee M-1250 | IPS Configuration Guide - Page 37
    3 Click on the hyperlink to view the page. Figure 27: User Activity Audit can be added during attack customization. User annotations are displayed in the IPS Policy Editor, GARE and Reconnaissance Policy Editor for all attack categories.
  • McAfee M-1250 | IPS Configuration Guide - Page 38
    Figure 28: Edit Attack Details For Attack Dialog - Attack Desc. Button 3 Select Annotations of Parent Admin Domain. Figure 29: Annotate Attack Description Dialog Append
  • McAfee M-1250 | IPS Configuration Guide - Page 39
    Note 2: The parent domain cannot view comments added by a child domain. Note 3: As child domains cannot edit policies created by parent domains, child domains
  • McAfee M-1250 | IPS Configuration Guide - Page 40
    Note: Child annotations are displayed only in the domain created and its child domains. To override the parent domain annotations, do the following: 1 Select
  • McAfee M-1250 | IPS Configuration Guide - Page 41
    Figure 32: Attack Information & Description Click Attack Desc to view your annotations under the User Comments section of the Attack encyclopedia. Cloning an IPS environment. Cloning a provided policy specifically enables you to add/subtract
  • McAfee M-1250 | IPS Configuration Guide - Page 42
    to a policy but want to save it under a different name, try Cloning an IPS policy (on page 33). • If you edit a Network Security Platform-provided policy and later want to recreate that policy as it was when provided by McAfee, simply add a new policy and apply the inbound and outbound rule set that
  • McAfee M-1250 | IPS Configuration Guide - Page 43
    1 Refer to Step 1 through Step 6 of Adding an IPS Policy (on page 8). Tip: Bulk editing is also useful for quickly customizing several attacks when either cloning or editing a policy. 2 Select multiple attacks from the Configure Attack
  • McAfee M-1250 | IPS Configuration Guide - Page 44
    4 (Optional) Select the Severity for all selected attacks from the drop-down list. If the selected attacks have different severities, this action assigns the same severity across all of them. 5 In the Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 45
    Figure 36: Bulk Edit - Review Page Click Cancel to exit Bulk Editing without changes. 12 Click OK to confirm and save your Bulk Edit changes. You are returned to the Configure Attack Detail for Attack Category window. Deleting an IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 46
    1 Select IPS Settings > Policies > IPS Policy Editor. 2 Select a policy. 3 Click Version Control. The IPS Policy Version List for Policy: dialog is displayed. The IPS , and Statistical sections. Managing policies with
  • McAfee M-1250 | IPS Configuration Guide - Page 47
    current or further impacts, and the methods of notification that will help your team respond to malicious use of your network in the most expeditious time. The Reconnaissance Policy Editor provides the following actions: • Adding policies
  • McAfee M-1250 | IPS Configuration Guide - Page 48
    The Add a Reconnaissance Policy dialog opens with the attribute values of the selected policy. Figure 38: Add A Reconnaissance Policy Dialog 3 Type a name for your
  • McAfee M-1250 | IPS Configuration Guide - Page 49
    Select two or Network Security Platform-designated name for attack. Severity: impact potential of attack. Attack Description: click to view full description of attack. For more information, see Attack Description, Attack Description Guide
  • McAfee M-1250 | IPS Configuration Guide - Page 50
    8 View (and if necessary change) the default threshold values. The following fields are configurable this time, a new alert is not generated. 9 Select the Response section. The Enable Alert check box is selected by default. If you deselect
  • McAfee M-1250 | IPS Configuration Guide - Page 51
    Figure 43: Notifications Settings 11 Click Ok to to your Sensor by performing the steps in Updating the configuration of a Sensor. Cloning a reconnaissance policy To clone a Reconnaissance Policy, do the following: 1 Select IPS Settings >
  • McAfee M-1250 | IPS Configuration Guide - Page 52
    5 Edit the policy parameters. For step-by-step instructions, see Adding a Reconnaissance Policy (on page 39). Viewing/editing a Reconnaissance Policy Editing a policy allows you to make the changes necessary to match the policy with
  • McAfee M-1250 | IPS Configuration Guide - Page 53
    Using Bulk Edit for Reconnaissance Policy Clicking on Bulk Edit allows you to modify selected Reconnaissance Policies with specified attributes at the same time. This is similar to using the Bulk Edit option for IPS Policies. For more
  • McAfee M-1250 | IPS Configuration Guide - Page 54
    Policy Assignment The Policy Assignment action enables you to easily re-assign policies applied to the Sensors within the current administrative domain or child administrative domains. Using this action, you can quickly find and re-assign
  • McAfee M-1250 | IPS Configuration Guide - Page 55
    When you select Reconnaissance Policy, the Reconnaissance policies applied to the resources under the admin domain/child domains are displayed. Tip: By default, the Assign Policy page has the IPS the Sensor resources (and not Sensor interfaces
  • McAfee M-1250 | IPS Configuration Guide - Page 56
    Figure 50: Re-assign Policy Dialog Tip: You can use the Ctrl or Shift key to select individual or adjacent list entries respectively. 10 Click OK to re-assign the policy. 11 Push the configuration changes to the Sensor for the
  • McAfee M-1250 | IPS Configuration Guide - Page 57
    1 Go to Device List > Sensor_name > Physical Sensor > Port Settings page. 2 Verify that port 1A is connected to Outside Network and 1B is connected to Inside Network. Example 1 Port 1A on your Sensor is connected to the outside network
  • McAfee M-1250 | IPS Configuration Guide - Page 58
    Steps: 1 Go to IPS Settings > Policies > HTTP Response Scanning or IPS Settings > Sensor_Name > IPS Sensor / IPS Failover Pair > HTTP Response Scanning page. 2 Select 1A-1B under the Outbound Status to enable HTTP response detection on
  • McAfee M-1250 | IPS Configuration Guide - Page 59
    alerts based on specific criteria. • Enabling and starting the Incident Generator service: (on page 67) install and start the Incident Generator service, which enables correlative analysis of alert incident conditions to further enhance your McAfee® Network Security Platform security utilization
  • McAfee M-1250 | IPS Configuration Guide - Page 60
    You may add Sensors by performing the steps in Updating the configuration of all Sensors (on page 154). Figure 54: Non-Standard Port Configuration Note: Non-standard ports can be added at the Sensor name or failover pair nodes from IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 61
    field includes all of the attacks detected by Network Security Platform for specific selection by attack name, severity, and the chance a signature may trigger a false positive. Each rule you configure narrows the detection focus of your Sensor interfaces (where policy is applied) to provide the
  • McAfee M-1250 | IPS Configuration Guide - Page 62
    checked in descending order by a Sensor for each every tab, step, or action available. To create a rule set, do the following: 1 Select IPS Settings > Advanced Policies > Rule Set Editor. 2 Click Add. The Add a Rule Set window
  • McAfee M-1250 | IPS Configuration Guide - Page 63
    Excludes), a Network Security Sensor processes traffic using the ordered rules in the rule set. Note: McAfee recommends your (medium) Benign Trigger Probability, thus excluding a specific list of attacks that contain signatures that have a
  • McAfee M-1250 | IPS Configuration Guide - Page 64
    10 Do one of the following: To include only specific attacks in your rule set, select the Select Specific Attacks Only check box and click Configure. A new pop-up opens. The Configure the Rule by Specific Attacks window enables users to
  • McAfee M-1250 | IPS Configuration Guide - Page 65
    Figure 59: Configure The Rule - Category Tab 12 Click the Protocol tab. By default, all protocols are selected. The protocol tab lists the application protocols supported by Network Security Platform. (Optional) To custom select protocols
  • McAfee M-1250 | IPS Configuration Guide - Page 66
    Figure 61: Configure The Rule - OS Tab 14 Click the Application tab. By default, all applications are selected. (Optional) To custom select applications, de-select the Select All
  • McAfee M-1250 | IPS Configuration Guide - Page 67
    to include in/exclude from your rule. Figure 63: Configure The Rule - Severity Tab 16 Click the Benign relates to the well-known attacks enforced by your rule set, specifically in regards to the chance a signature in an attack may raise
  • McAfee M-1250 | IPS Configuration Guide - Page 68
    17 Click OK when done with the configuration of this single rule. (You have made changes within the Configure . Cloning a provided rule set specifically enables you to add/subtract from by-step instructions, see the procedure for Adding a
  • McAfee M-1250 | IPS Configuration Guide - Page 69
    Editing a rule set Editing a rule set allows you to make the changes necessary to better define the environment you will be monitoring. Note 1: You can edit only the rule sets you have created; the pre-configured policies cannot be edited
  • McAfee M-1250 | IPS Configuration Guide - Page 70
    Figure 65: IPS Policy List The button options for each are as follows: Control: Roll Back, View, Delete or Show Difference of the selected policy from the IPS Policy version list. Figure 66: Rule Set List The "Rule Set Editor" and "Policy Editor
  • McAfee M-1250 | IPS Configuration Guide - Page 71
    • Rule Set / Policy Name: the name given to the rule set or policy. Several rule sets and policies are provided with names that represent the network area best protected by the rule set and policy. • Owner: admin domain in which rule set/
  • McAfee M-1250 | IPS Configuration Guide - Page 72
    DMZ Rule Sets Inside Firewall Internal Segment Web Server Mail Server DNS Server File Server Windows Server Solaris Server UNIX Server Linux Server Windows
  • McAfee M-1250 | IPS Configuration Guide - Page 73
    Default Inline IPS policy By default, Network Security Platform uses the Default Inline IPS policy when Network Security Platform attributes can be customized (for example, Sensor response actions, logging, alert filters, notifications
  • McAfee M-1250 | IPS Configuration Guide - Page 74
    Setting up Global Auto Acknowledgement Using the Global Notification columns of GARE, Policy Editor, and in some of the configuration reports. In Network Security Platform, you can set up auto-acknowledgement using Policy Editor, GARE, or
  • McAfee M-1250 | IPS Configuration Guide - Page 75
    Figure 67: Global Auto Acknowledgement Setting 2 Enable Global Auto ACK. This is enabled by default for a fresh install of Network Security Platform. 3 Specify the severity level of the attacks that you want to be auto acknowledged. For
  • McAfee M-1250 | IPS Configuration Guide - Page 76
    configured Period of Quiet for a specific source or destination IP. For example, you configure the scenario to report an incident if 100 attacks from any source IP are detected within 10 minutes. You configure service locally, click Start Service.
  • McAfee M-1250 | IPS Configuration Guide - Page 77
    Figure 68: Incident Generator Details - Pre-Configuration 3 Click Download Service. Click Save in the File Download dialog. Figure 69: Incident Generator File Download Dialog 4 Save IGService.zip in the client machine. Figure 70: Saving
  • McAfee M-1250 | IPS Configuration Guide - Page 78
    Figure 71: Incident Generator - Download Complete 6 Double-click IGSetup.exe. Figure 72: Starting IGSetup.exe 7 Click Extract all to extract the compressed files. Figure
  • McAfee M-1250 | IPS Configuration Guide - Page 79
    Figure 74: Extraction Wizard - Opening Page 9 Extract the file to the desired location in the client machine, check Show extracted files and click Finish
  • McAfee M-1250 | IPS Configuration Guide - Page 80
    Figure 76: Extracted IG_setup.exe 11 Click Run. Figure 77: Running the IG_setup 12 The Incident Generator is installed and the Installation wizard screen appears. Figure 78: Installation wizard screen 13 Follow onscreen instructions in
  • McAfee M-1250 | IPS Configuration Guide - Page 81
    Figure 79: Incident Generator Installation Wizard 14 Once the Incident Generator has been installed, click Activate to start the Incident Generator service. The Status field changes from "Unknown" to "Connected." Note the activation time.
  • McAfee M-1250 | IPS Configuration Guide - Page 82
    Note 2: The Incident Generator service must be started or stopped only from the Manager UI (IPS Settings > Advanced Policies > Incident Generation). Using the Service Management Console of the operating system for this purpose will give
  • McAfee M-1250 | IPS Configuration Guide - Page 83
    and comparing policies The IPS Settings > Advanced Policies Manager server via CDROM or browsing connected network servers, or you can import from your server database, do the following: 1 Select IPS Settings > Advanced Policies > Import. 2 Click
  • McAfee M-1250 | IPS Configuration Guide - Page 84
    Comparing policies before importing To select policies before importing: Figure 83: differences between two different Network Security Platform policies (including differences between a single policy configured for Inbound and Outbound).
  • McAfee M-1250 | IPS Configuration Guide - Page 85
    Statistical attack details Reconnaissance attack details The displays all details, except attack difference details in the Exploit, Threshold and Statistical sections, which do display in Detail view. Detail: Detail View displays all data
  • McAfee M-1250 | IPS Configuration Guide - Page 86
    displayed (with diff details) in the utility. This indicates that there are more than 100 differences in that section. Note 2: If the Outbound Policy is configured for one of the policies, then the Outbound Policy details are not
  • McAfee M-1250 | IPS Configuration Guide - Page 87
    • View/edit alert filters (on page 81) • Delete alert : Field Alert Filter Name Filter Type Description The name of the alert filter. The type of IP address. This can be IPv4 or IPv6. Owner Admin Domain The Name of that Admin Domain
  • McAfee M-1250 | IPS Configuration Guide - Page 88
    1 Enter the Name of the alert filter. 2 Enter the Filter Type. For example, IPv4. 3 To add the alert filter IP address, click Add under Alert Filter IP Address Setting List. The Add an Alert Filter Setting window displays. Figure 88:
  • McAfee M-1250 | IPS Configuration Guide - Page 89
    Figure 89: Alert Filter added to the list 5 Click Commit Changes. The alert filter is added to the Alert Filter List. Cloning alert filters To clone alert filters, do the following: 1 Select IPS 4 In Alert Filter IP Address Setting List,
  • McAfee M-1250 | IPS Configuration Guide - Page 90
    . Network Security Platform prompts you to confirm that you want to delete the filters before it completes the request. Alert filter assignments To apply alert filters to resources from the Configuration page, select one of the following nodes from the Resource Tree: • IPS Settings: IPS Settings
  • McAfee M-1250 | IPS Configuration Guide - Page 91
    Field Protocol No. of Available Attacks Description Shows which protocol is used in the attack. The number of attacks for each protocol. Fields under the Reconnaissance Tab: Field Description Attack Name The Network Security
  • McAfee M-1250 | IPS Configuration Guide - Page 92
    Select the drop-down list at the top right corner of the Configure Alert Filter Association for Attack Category page. You can filter the list of attacks based on the following criteria: a. To view all the attacks, select
  • McAfee M-1250 | IPS Configuration Guide - Page 93
    Setting up ACLs You can create ACLs at the IPS Settings level and assign them to the corresponding Sensors, interfaces, and sub-interfaces. You can specify a unique name for an ACL when you create it. Figure 92: The ACL Tab See Configuring ACL
  • McAfee M-1250 | IPS Configuration Guide - Page 94
    Figure 93: Applied ACL Detail The following fields are listed: Field ACL Name Description • Resource: ACL applied to Sensor/port/interface/sub-interface • Scope: ACL applied at level • Direction: ACL applied at direction ACL Group
  • McAfee M-1250 | IPS Configuration Guide - Page 95
    1 Select IPS Settings > ACL > ACL Editor. Figure 94: The ACL Editor 2 Click Add to add a rule. A new dialog box opens titled Add an ACL Rule. Figure 95: Add An ACL
  • McAfee M-1250 | IPS Configuration Guide - Page 96
    Note 1: The CIDR IP address field now enables you to enter IPv4 addresses in four separate fields separated by dots. You can now enter the IP address value in the corresponding fields. Note 2: The maximum value in each field is 255. If
  • McAfee M-1250 | IPS Configuration Guide - Page 97
    Deny: (In-line Mode only) TCP Reset sent to source, destination, or both. Note: Only an unused ACL can be deleted. If the rule has been assigned to a Sensor, port, interface, or an ACL group, you will not be allowed to delete that
  • McAfee M-1250 | IPS Configuration Guide - Page 98
    The ACL group management options with the ACL • Deleting an ACL group (on page 93) Using ACL Group Editor To add an ACL group, select IPS Settings > ACL > ACL Group Editor. Figure 96: ACL Group Editor The following fields are listed in
  • McAfee M-1250 | IPS Configuration Guide - Page 99
    Figure 97: ACL Group Editor 2 Click Add. The Add an ACL Group dialog opens. Figure 98: Add An ACL Group Dialog: ACL Group Tab 3
  • McAfee M-1250 | IPS Configuration Guide - Page 100
    6 Click Add / Remove Rules. The Configure ACL Rules for ACL Group dialog opens. 7 Select the ACL rule from the list. Click Add to add rules; click Remove to remove rules. Figure 100: Configuring ACL Rules For ACL Group Note: You
  • McAfee M-1250 | IPS Configuration Guide - Page 101
    Cloning an ACL group To clone an ACL group, do the following: 1 Select IPS Settings > ACL > ACL Group dialog, as required. 4 Edit the parameters. For step-by-step instructions, see Adding an ACL group (on page 90). Figure 102: Edit ACL
  • McAfee M-1250 | IPS Configuration Guide - Page 102
    1 Select IPS Settings > ACL > ACL Group Editor. 2 Select a resource and assign another ACL (new or existing) to it. Resources include Sensors, Sensor interfaces, sub-interfaces or ports. Filtering by ACLs From the Manager, the following steps
  • McAfee M-1250 | IPS Configuration Guide - Page 103
    a. All Child Admin Domains - filters ACLs in allows you to assign an ACL to single or multiple resource entries. The Available Resources section lists the resources to which you can assign the selected ACL. When you add entries, the
  • McAfee M-1250 | IPS Configuration Guide - Page 104
    1 From the Resource Tree, select the IPS Settings icon for the required admin domain. 2 Select ACL > ACL Assignments. 3 In the Filter By option, choose Resource to filter the entries by resource (Sensors, ports, interfaces or sub-interfaces
  • McAfee M-1250 | IPS Configuration Guide - Page 105
    Figure 106: Add / Remove Scope ACL Rules Dialog Three tabs are displayed: • Select ACL/ACL Groups - Here you can add or remove existing
  • McAfee M-1250 | IPS Configuration Guide - Page 106
    Note: The procedure for assigning ACLs has been assigned to Sensor/port/VIDS then a Sensor configuration export must take place. For more information on Sensor configuration export, see the Sensor Configuration Guide. Importing an ACL You
  • McAfee M-1250 | IPS Configuration Guide - Page 107
    ACL Syslog Forwarder Network Security Platform provides an optional ACL feature that logs packets that are dropped or permitted based on your ACL rule(s). The Sensor forwards ACL logs to the Manager, where they are formatted and converted to Syslog messages and sent to the configured Syslog server
  • McAfee M-1250 | IPS Configuration Guide - Page 108
    Local user 4 (local4) Local user 5 (local5) Local user 6 (local6) Local user 7 (local7) 7 Note: By default, ACL log messages forwarded to a Syslog server are of Debug severity and have the Security/authorization prioritization value.
  • McAfee M-1250 | IPS Configuration Guide - Page 109
    Importing an ACL, IPS Configuration Guide. When you install the Manager, the XML converter tool is provided as a batch file (aclxmlconverter.bat) in the diag folder within your Network Security Platform installation folder (for example, the C:\Program Files\McAfee\Network Security Manager\App\diag folder
  • McAfee M-1250 | IPS Configuration Guide - Page 110
    can mean evasion using IP fragments. L3 ACLs can be used only with: • Manager: 4.1.3.7 or later • Sensor: 4.1.1.75 or later • Signature set: 4.1.14.4 or later The L3 ACL feature is not supported on M-series or N-450 Sensors. Understanding L3 ACL rules In Network Security Platform, the rules that can
  • McAfee M-1250 | IPS Configuration Guide - Page 111
    In Network Security Platform, three new protocols are provided to support L3 rules for ICMP, TCP and UDP, that is, L3-ICMP, L3-TCP and L3-UDP. User-specified protocol numbers are not supported. Configuring L3 ACLs in the Manager From
  • McAfee M-1250 | IPS Configuration Guide - Page 112
    of SSL functionality in Network Security Platform, see the Getting Started Guide. The available actions in this group are: • Enabling the SSL decryption functionality (on page 105): Enable SSL decryption and configure Sensor SSL parameters for the IPS Sensors under the IPS Settings node. • Managing the
  • McAfee M-1250 | IPS Configuration Guide - Page 113
    Enabling SSL decryption in IPS Settings node The Enable action enables the SSL functionality of the IPS Sensor. SSL configuration includes enabling SSL decryption, enabling packet logging for SSL-encrypted attacks, setting the number of
  • McAfee M-1250 | IPS Configuration Guide - Page 114
    . Network Security Platform supports PKCS12 keys with file suffixes ".pkcs12", ".p12", or ".pfx". Note: Before importing SSL keys to a Sensor, you must enable SSL decryption. For more information, see Enabling SSL functionality in IPS Settings node (on page 105). To import an SSL key to a specific
  • McAfee M-1250 | IPS Configuration Guide - Page 115
    1 Select IPS Settings > SSL Decryption > Key Import. Figure 115: Import SSL Sensor. 7 The changes are updated in the Sensor as explained in Updating the configuration of all Sensors (on page 154). Managing the imported SSL keys of Sensors
  • McAfee M-1250 | IPS Configuration Guide - Page 116
    . 2 Select the radio button in the Configuration Update column for the desired Sensor. 3 Click Delete. Confirm the deletion. IPS Quarantine settings To protect your network from security threats, McAfee® Network Security Platform provides the IPS Quarantine feature, which quarantines and remediates the
  • McAfee M-1250 | IPS Configuration Guide - Page 117
    Note: The Sensor successfully quarantines/remediates hosts only if you have enabled IPS Quarantine for specific attacks in the IPS Policy Editor. Also, you need to configure IPS Quarantine on the individual Sensor monitoring ports. IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 118
    8 In Edit Attack Detail, under IPS Quarantine / McAfee NAC, select Customize. Figure 116: Edit Attack window, where you can enable IPS Quarantine 9 Note that the Quarantine drop-down options are enabled. You can see two options - All
  • McAfee M-1250 | IPS Configuration Guide - Page 119
    Remediate. Note: When Network Security Platform notifies McAfee NAC about an attack, McAfee NAC may quarantine the attacking host based on its configuration regardless of Network Security Platform's response action. 13 Click OK to save the policy-level configuration for IPS Quarantine. 14 Select
  • McAfee M-1250 | IPS Configuration Guide - Page 120
    16 Click Commit to save the changes. A message is displayed that the policy changes are committed to the Manager. 17 If the modified policy is applied to a Sensor, you need to update the Sensor configuration for the changes to be
  • McAfee M-1250 | IPS Configuration Guide - Page 121
    Figure 121: Enabling quarantine and remediation for multiple attacks 10 Configure the IPS Quarantine/McAfee NAC sections as described in Enabling IPS Quarantine in IPS Policy Editor (on page 109). Searching attacks eligible for IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 122
    ACLs and traditional ACLs IPS quarantine ACLs are configured to the IPS Quarantine Network Access Zone (NAZ). These ACLs monitor traffic from an IPS quarantined host. Traditional ACLs are configured to monitor traffic in inline mode on the Network Security Platform. Review the following to
  • McAfee M-1250 | IPS Configuration Guide - Page 123
    • The traditional ACLs permit certain traffic from a given host and are configured for IPS Quarantine. The traffic is routed through the IPS quarantine NAZ ACLs, and if a quarantine ACL drops the traffic, then the traffic is dropped. Thus, the IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 124
    1 In the Resource Tree, select IPS Settings > IPS Quarantine > Network Objects. 2 To add a network object, select Add. Figure 124: Adding network objects 3 In Add a Network Object, enter the following information: Name of the network
  • McAfee M-1250 | IPS Configuration Guide - Page 125
    When the Sensor identifies attacks from a host, the host is quarantined and assigned to an IPS Quarantine Network Access Zone (or IPS Quarantine NAZ). This is based on the System Health Level of the host. The IPS Quarantine NAZ maps the
  • McAfee M-1250 | IPS Configuration Guide - Page 126
    Figure 126: Configuring NAC ACL rules 5 To add a new NAC ACL, select Manage NAC ACL Rules. 6 Select Add. Figure 127: Adding a NAC ACL rule 7 In the Add an ACL Rule window, enter the following values: a. NAC ACL name
  • McAfee M-1250 | IPS Configuration Guide - Page 127
    b. Description c. Select the Visible to Child Admin Domain check box if you want the ACL to be visible to Child Admin Domains. d. Destination IP - IP address or CIDR e. Destination Protocol/Port f. Sensor response action - select Permit
  • McAfee M-1250 | IPS Configuration Guide - Page 128
    5 Enter the Syslog Server UDP Port. 6 Select the . Customizing IPS Quarantine browser messages When the quarantined host tries to access network resources outside its assigned IPS Quarantine Network Access Zone, an IPS Quarantine browser
  • McAfee M-1250 | IPS Configuration Guide - Page 129
    Click Save to save your customized IPS Quarantine browser message. Configuring Remediation Portal from IPS Settings To clean the quarantined host of malicious traffic and thus make it compliant with the security policies of the network, Network Security Platform provides remediation by re-directing the
  • McAfee M-1250 | IPS Configuration Guide - Page 130
    Figure 133: Remediation Portal settings in the Manager 2 Enable the redirection of HTTP traffic to the Remediation Portal by selecting Redirect to a Remediation Portal?. 3 Configure the Remediation Portal by specifying the Remediation
  • McAfee M-1250 | IPS Configuration Guide - Page 131
    • Enable quarantine of hosts, but disable remediation (or re-direction of HTTP requests) • Disable IPS NAC Configuration Guide. 9 To save the IPS Quarantine configuration, select Finish. The wizard displays a message that the Sensor(s)
  • McAfee M-1250 | IPS Configuration Guide - Page 132
    The following options are available for IPS Quarantine in the Threat Analyzer: • Adding hosts for IPS Quarantine from the Alerts page (on page 124) • Quarantine of hosts from Alert Details (on page 124) • Quarantine options from the Hosts page (
  • McAfee M-1250 | IPS Configuration Guide - Page 133
    Figure 136: Quarantine from Alert Details 5 Click Advanced Configuration. Two options are displayed: Quarantine and TCP Reset. available quarantine rules for the Sensor. Figure 137: Quarantined hosts for the Sensor The following fields are displayed in
  • McAfee M-1250 | IPS Configuration Guide - Page 134
    Fields: Name; Filter End Time; Host Type; Action; Status. Filter End Time: This field represents the present value of the Filter End Time for the quarantine rule. The current value of Filter End Time is a combination of the Quarantine Duration configured in
  • McAfee M-1250 | IPS Configuration Guide - Page 135
    Figure 138: IPS Quarantine settings from Hosts page Two options are displayed for IPS Quarantine: • Extend IPS Quarantine - extends the time for which a host is quarantined (Quarantine Duration). The following options are displayed: 15
  • McAfee M-1250 | IPS Configuration Guide - Page 136
    Archiving data The Archiving tab presents actions that enable you to save alerts and packet logs from the database on demand or on a set schedule. You can also restore archived alerts and packet logs on the same or another McAfee® Network
  • McAfee M-1250 | IPS Configuration Guide - Page 137
    Note: Archive your alerts and packet logs regularly. We . When the archival process is complete, the file is saved to the \alertarchival folder. The file also appears under Existing Archives.
  • McAfee M-1250 | IPS Configuration Guide - Page 138
    Figure 142: Existing Archives List You can click an archived file (listed under Existing Archives) to view the details. 4 Optionally, select an archived file
  • McAfee M-1250 | IPS Configuration Guide - Page 139
    1 Select IPS Settings > Archiving > Schedule. 2 Select . Every time the process runs, finished archivals are saved to: \alertarchival. Figure 143: Archive Scheduler 6 (Optional) Click Refresh
  • McAfee M-1250 | IPS Configuration Guide - Page 140
    b. Scroll down the page to Existing Archives. Select an archive and click Restore. Figure 145: Existing Archives List After clicking Restore for either
  • McAfee M-1250 | IPS Configuration Guide - Page 141
    IPS Settings > Archiving > Export. 2 Select an archive to export from the list of Existing Archives. 3 Click Export. 4 Browse to the desired location and then click Save. Archiving alerts using dbadmin.bat You can archive alerts and packet logs from either the McAfee® Network Security Platform
  • McAfee M-1250 | IPS Configuration Guide - Page 142
    To archive alerts and packet logs using the standalone Database Admin tool: 1 Navigate to \bin. 2 Execute the dbadmin.bat file. The standalone tool opens. 3 Select Archival > Alert Archival.
  • McAfee M-1250 | IPS Configuration Guide - Page 143
    1 Navigate to \bin. 2 Execute the dbadmin.bat file. The standalone tool opens. 3 Select Archival > Alert Restore. Figure 148: Database Admin Tools - Archival Alert Restore Tab 4
  • McAfee M-1250 | IPS Configuration Guide - Page 144
    Manager database maintenance The Maintenance tab under IPS Settings enables the following actions: • Viewing Capacity Planning (on page 136): Displays information that helps you track the historical trend of database space usage on a
  • McAfee M-1250 | IPS Configuration Guide - Page 145
    Figure 150: Capacity planning details Manager retrieves default. (Only TCP- and UDP-based attacks generate packet logs by default; you must manually set packet logging for all other Exploit attacks.) To help you plan your capacity needs,
  • McAfee M-1250 | IPS Configuration Guide - Page 146
    • Alert with packet log = 650 bytes (colored pie charts). The first pie chart details the "Total Alerts Per Sensor." Simply add the totals from each Sensor to determine the amount for one week. Database sizing requirements Based on the
  • McAfee M-1250 | IPS Configuration Guide - Page 147
    Note 2: The following graph and table estimate size Maintenance tab, then clicking the Alert Data Pruning action. This is seen in configuration steps as IPS Settings > Maintenance > Alert Data Pruning. Note 1: This threshold is purely for
  • McAfee M-1250 | IPS Configuration Guide - Page 148
    Alert Data Pruning The Alert Data Pruning action enables you to manage the database space required for the alerts generated by your Network Security Sensors. Alert data pruning is an important, ongoing task that must be performed for
  • McAfee M-1250 | IPS Configuration Guide - Page 149
    To allocate less disk space for your calculations, type a number less than 30,000,000. To calculate disk space capacity, click the Calculate Capacity link. This calculator has specific fields related to determining the database allocation
  • McAfee M-1250 | IPS Configuration Guide - Page 150
    3 Answer the following questions: e. Is the Manager Down Or Off-Line (Y/N)? Note: The Manager service must be disabled prior to using purge.bat. If the service is not disabled, the purge will not continue. f. Do You Wish To Perform DB
  • McAfee M-1250 | IPS Configuration Guide - Page 151
    • Cached Reconnaissance policies: The number of reconnaissance 146): Forward Network Security Platform alerts to a defined Syslog server. • Specifying email or pager parameters for alert notification (on page 150): Configure how users are
  • McAfee M-1250 | IPS Configuration Guide - Page 152
    Figure 155: Alert Notification Details Forwarding alerts to an SNMP server The IPS Settings > Alert Notification > SNMP action specifies a server to which alert information will be sent from the Manager. You can configure more than one SNMP
  • McAfee M-1250 | IPS Configuration Guide - Page 153
    2 Check Enable SNMP Forwarder (default is Yes) and click Apply. 3 Click Add. Figure 157: SNMP Forwarder Configuration The Alert SNMP Forwarder window is displayed. 4 Fill in the following fields: Field Description Enable Domain
  • McAfee M-1250 | IPS Configuration Guide - Page 154
    Field / Description: Customize Community: Define a customized SNMP community string if there is more than one SNMP community in the network. : 1 Select IPS Settings > Alert Notification > SNMP. 2 Select the configured SNMP server instance
  • McAfee M-1250 | IPS Configuration Guide - Page 155
    a third-party Syslog application. For Syslog forwarding, the root domain and parent domains have the option to include alerts from all applicable child domains. To enable Syslog forwarding of alerts, do the following: 1 Select IPS
  • McAfee M-1250 | IPS Configuration Guide - Page 156
    Fields: Facilities; Severity Mapping; Forward Alerts; Enable IPS Quarantine Alert. Facilities: Standard Syslog prioritization value. The choices are as follows: • Security/authorization (code 4) • Security/authorization (code 10) • Log audit (
  • McAfee M-1250 | IPS Configuration Guide - Page 157
    2 Select the Message Preference, or message template, to send as the Syslog forwarding message. The choices are: Field Description System Default The default message
  • McAfee M-1250 | IPS Configuration Guide - Page 158
    Specifying email or pager parameters Users can be see Specifying a mail server for notifications, Manager Server Configuration Guide. Note 2: Email and pager notifications are configured per admin domain. To enable email or pager alert
  • McAfee M-1250 | IPS Configuration Guide - Page 159
    , attack type, severity, the Sensor interface where detected, and the source and/or destination IP addresses. The subject line of . You can type custom text in the Subject field or Body section, as well as click one or more of the provided elements
  • McAfee M-1250 | IPS Configuration Guide - Page 160
    Item 1: Custom typed text. Item 2: Selected tokens. 6 Add mailing lists to your Email Alert Notification Mailing List or Pager Alert Notification Mailing List. Click
  • McAfee M-1250 | IPS Configuration Guide - Page 161
    Note: Notifications are configured per admin domain. Figure 165: Script Notification Settings To enable alert notification by script: 1 Select IPS Settings > Alert Notification > Script. 2 Select the enabled status (Enable System Alert
  • McAfee M-1250 | IPS Configuration Guide - Page 162
    x. Click Edit. Figure 166: Customize Script Notification Item 1: Custom typed text. Item 2: Selected token. i. Type a name for the script in Script Name. ii. For the Body section, type any text and select (click) the token fields
  • McAfee M-1250 | IPS Configuration Guide - Page 163
    Signature updates have new and/or modified signatures that can apply to the attacks enforced in an applied policy. Policy changes update the Sensor in the case of a newly applied policy or changes made to the currently enforced policy. To
  • McAfee M-1250 | IPS Configuration Guide - Page 164
    . IPS Sensor settings The IPS Sensor tab facilitates the following actions on the configured Sensor: • Manage policies • Manage alert filters • Manage HTTP response scanning • View DoS detection status Figure 168: IPS Sensor Tab Policies at Sensor_Name level In Network Security Platform, IPS policies
  • McAfee M-1250 | IPS Configuration Guide - Page 165
    McAfee® Network Security Platform 5.1 The IPS Sensor_Name node Managing policy across the IPS Sensor The Policy tab enables you to set an alternate policy for a Sensor's interfaces/subinterfaces in cases where the original policy needs to be deleted. For example, you have created a custom policy
  • McAfee M-1250 | IPS Configuration Guide - Page 166
    The Manager displays two tabs: Exploit and Reconnaissance. Figure 170: Edit Alert Filter Assignments Fields under the Exploit Tab: The Exploit tab has
  • McAfee M-1250 | IPS Configuration Guide - Page 167
    Viewing assigned alert filters To view or edit the assigned alert filters, do the following: 1 Select the Exploit tab in the Edit Alert Filter Association window. 2 Select Inbound or Outbound. 3 Select a protocol and click View/Edit. The Configure
  • McAfee M-1250 | IPS Configuration Guide - Page 168
    Alert filter association using the Threat Analyzer You can select a particular alert and configure an Alert Filter. If necessary, you can create a new Alert Filter and apply it to the selected alert. You apply an Alert Filter to the
  • McAfee M-1250 | IPS Configuration Guide - Page 169
    Figure 172: HTTP Response Scanning Setting 2 Select 1A-1B under Inbound Status to enable HTTP response detection on inbound traffic. Example 2 Consider a reverse
  • McAfee M-1250 | IPS Configuration Guide - Page 170
    1 Go to the Device List > Sensor_name > Physical Sensor > Port Settings page. 2 Verify that port 1A is connected to the Outside Network and 1B is connected to the Inside Network of service (DoS) parameters are configured within each IPS policy
  • McAfee M-1250 | IPS Configuration Guide - Page 171
    To view the DoS policies applied to a Sensor's interfaces, do the following: 1 Select IPS Settings/Sensor_Name > IPS Sensor DoS Learning Mode profiles on a Sensor (on page 165): Configure the DoS learning mode profile to restart
  • McAfee M-1250 | IPS Configuration Guide - Page 172
    • Configuring IP settings (on page 172): Customize IPv4 and IPv6 alerting parameters. • Configuring Sensors resource configuration. If the network being monitored by a specific Sensor requires different non-standard ports configured,
  • McAfee M-1250 | IPS Configuration Guide - Page 173
    2 configuration of a Sensor. Managing DoS Learning Mode profiles The DoS Profiles action configures the DoS learning mode profile to restart or load from a previous profile. Denial of service (DoS) attacks interrupt network services
  • McAfee M-1250 | IPS Configuration Guide - Page 174
    traffic. The short-term profile is compared to the long-term profile and an alert is raised if the short-term statistics indicate a traffic surge that deviates too much from the long-term behavior. For Threshold Mode, the Sensor keeps
  • McAfee M-1250 | IPS Configuration Guide - Page 175
    There is no need to re-learn a profile when network traffic increases or decreases naturally over time (for example, an eCommerce site that is getting more and more customers, so that its Web traffic increases in parallel), since the Sensor can
  • McAfee M-1250 | IPS Configuration Guide - Page 176
    • Click Manage DoS Profiles to return to the main screen to view your uploaded file. One file is uploaded for all interfaces, sub-interfaces, or DoS IDs of a Sensor. This file is listed in the "DoS Profiles Uploaded from Sensor to
  • McAfee M-1250 | IPS Configuration Guide - Page 177
    measure. If the short-term volume is outside the long-term volume, a Statistical attack type alert is raised. Once a Statistical alert has been raised, your Network Security Sensor can initiate an automatic or manual response to
  • McAfee M-1250 | IPS Configuration Guide - Page 178
    You can customize the TCP parameter checks for a Sensor using the TCP Settings action from the IPS Settings and Sensor_Name nodes. To edit a parameter, type/toggle a new value and click Update for that parameter. To restore the
  • McAfee M-1250 | IPS Configuration Guide - Page 179
    TCP Parameter / Description: TCP Flow Violation: sent packet. If the time is not met, the packet is dropped. Normalization On/Off: The Sensor performs TCP/IP/ICMP options checking to normalize the traffic. Option On or Off. TCP Overlap Option: TCP
  • McAfee M-1250 | IPS Configuration Guide - Page 180
    for DoS attack traffic only Configuring IP settings for IPv4 and IPv6 traffic You can use McAfee Network Security Platform 5.1 to parse IPv4 and IPv6 traffic for attacks (with the exception of DoS attacks in the case of IPv6 traffic). M-series Sensors parse IPv6 packets. N-450 Sensors do not parse IPv6
  • McAfee M-1250 | IPS Configuration Guide - Page 181
    only users with detailed knowledge of IP configure these settings. McAfee Network Security Platform 5.1 can handle tunneled traffic. For more information, see the section on Tunneled Traffic (on page 174). Note 1: IP parameters are effective only when the configured Sensor is deployed in in-line
  • McAfee M-1250 | IPS Configuration Guide - Page 182
    Parameters: IPv6 Scanning; Overlap Option; Smallest Fragment Size; Small Fragment Threshold. IPv6 Parameters Configuration: Specify how the Sensor should process IPv6 traffic. • Drop all IPv6 traffic (inline only): The Sensor drops IPv6 traffic the
  • McAfee M-1250 | IPS Configuration Guide - Page 183
    encapsulating a packet within another packet of a different protocol to enable the packet to pass through incompatible networks is called tunneling. I-series and M-series Network Security Sensors support 4 types of tunneled traffic.
  • McAfee M-1250 | IPS Configuration Guide - Page 184
    • In Network Security Platform 5.1.5.x, GRE tunneled traffic is also parsed. However, only I-4010, I-4000, I-3000 and all M-series Sensors can parse GRE tunneled traffic. The other Sensors just pass the traffic. See the Upgrade Guide
  • McAfee M-1250 | IPS Configuration Guide - Page 185
    The Correlate signatures for a single attack for [X] seconds field notes the amount of time that the Sensor 4 Type a value within the Maintain [X] unique source-destination IP pairs field. This is the number of unique instances that
  • McAfee M-1250 | IPS Configuration Guide - Page 186
    information, see Viewing Alerts details, System Status Monitoring Guide). 11 Download these changes to your Sensor by performing the steps in Updating the configuration of a Sensor. OS Fingerprinting Network Security Platform provides the capability to perform Operating System (OS) fingerprinting
  • McAfee M-1250 | IPS Configuration Guide - Page 187
    Viewing OS information Operating System (OS) information can be viewed in the Alerts page of the Threat Analyzer when the passive OS option is enabled under IPS Settings > sensor_name > Advanced Scanning > Alerting and Logging. Figure
  • McAfee M-1250 | IPS Configuration Guide - Page 188
    The Source and Destination OS columns in the Alerts page display OS information for TCP traffic. These columns display "Not Available" in the following cases: • When OS fingerprinting is not enabled under the IPS settings node • For non-
  • McAfee M-1250 | IPS Configuration Guide - Page 189
    Note: To view the anti-spoofing configurations of a Sensor, you can generate the ACL Assignments Report. For more information on this report, see the Reports Guide. Figure 189: ACL Tab Assigning ACL rules in the IPS Sensor A Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 190
    ACL rules applied at the Sensor (Sensors) level are inherited by all interfaces and subinterfaces of the Sensor -order You can assign ACL to the Entire Sensor or specific ports on the Sensor. You can create unique ACL rules for Inbound
  • McAfee M-1250 | IPS Configuration Guide - Page 191
    • Choose created rules: Applied to a Sensor/port/VIDS • Replaceable: Checked if replicable. Note: The policies are configured and editable only at the IPS node level. Hence policies assigned at the Sensor, interface and sub-interface
  • McAfee M-1250 | IPS Configuration Guide - Page 192
    Figure 191: Adding ACLs 3 Select a rule/group from the list of groups or rules displayed, or click on Manage ACL rules to add
  • McAfee M-1250 | IPS Configuration Guide - Page 193
    Viewing effective ACL rules You can view the complete description of an ACL rule/group created and assigned to a Sensor/port/sub-interface. Figure 192: Viewing Effective ACL rules The fields displayed are: Field Description ACL
  • McAfee M-1250 | IPS Configuration Guide - Page 194
    1 Select IPS Settings/Sensor_Name > ACL > ACL Assignments 2 In the Effective ACL Rules tab, select an ACL rule. 3 Click View. Computing Number of ACL rules utilized per Sensor consumed for each ACL rule configured at the port level.
  • McAfee M-1250 | IPS Configuration Guide - Page 195
    1 Select IPS Settings / Sensor_Name > ACL > ACL Logging from the IPS Settings node or NAC Settings / Sensor_Name > ACL > ACL Logging from the IPS Settings node. The "Edit ACL Settings for Resource" dialog opens. Figure
  • McAfee M-1250 | IPS Configuration Guide - Page 196
    you "accept" a specific number (x) of the network (outbound) which use IP addresses not defined in your customized list of "good" addresses. You can apply IP address spoofing detection to interfaces that are segmented by CIDR-based addressing. A Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 197
    Any port pair in In-line Mode that has been segmented by CIDR addressing is eligible for IP spoofing detection. This includes any CIDR-segmented sub-interfaces of an eligible port pair. For example, port pair 1A-1B protects the 192.168
  • McAfee M-1250 | IPS Configuration Guide - Page 198
    5 Click Commit Changes to enable IP spoofing detection; click Ignore Changes to abort. Once you select Commit Changes, the configuration is sent via SNMP to the Sensor; thus, you do not have to execute an Update Configuration for the
  • McAfee M-1250 | IPS Configuration Guide - Page 199
    VLAN 802.1p tagging of packets, which are sent to VLAN 802.1p-compliant external network devices (for example, routers) for traffic management. Network Security Platform provides traffic management configuration at individual Sensor ports. That is, if 1A-1B is a port-pair, traffic management is
  • McAfee M-1250 | IPS Configuration Guide - Page 200
    Sensor configuration for the traffic management changes to be effective. 5 Update the Sensor's configuration for the changes to be effective. For more information on updating Sensor configuration, see Updating the configuration of all Sensors
  • McAfee M-1250 | IPS Configuration Guide - Page 201
    Figure 197: Setting DiffServ and VLAN to zero Suppose you have set the DiffServ tag value to zero for the unclassified traffic (for example, Telnet) passing through the Sensor. In this case, if Telnet traffic reaches the Sensor with a
  • McAfee M-1250 | IPS Configuration Guide - Page 202
    Note: For rate limiting queues, there can be a maximum of 64 entries per queue, where each entry is one of the selection criteria - defined Protocol, TCP port, UDP Port and IP Protocol number. For more information on selection
  • McAfee M-1250 | IPS Configuration Guide - Page 203
    Name Field Type Value Available Protocols Selected Protocols TCP Port UDP Port IP Protocol Number Description This field represents the name of the traffic management queue. The queue name is unique within a Sensor port. Note that
  • McAfee M-1250 | IPS Configuration Guide - Page 204
    GE (1 Gbps) Ports: 1 Mbps to 512 Mbps M-series Sensors (select the value): GE Ports: 64 kbps to 1 IPv4 packets, the Type of Service (TOS) field within the IP header of the packet, is tagged the traffic management queue configuration. Then click Add, to
  • McAfee M-1250 | IPS Configuration Guide - Page 205
    10 Specify a TCP Port. • Enter the port 15 Push the configuration changes to the Sensor for the changes to be effective. For more information on updating Sensor configuration, see Updating the Configuration of all Sensors (on page
  • McAfee M-1250 | IPS Configuration Guide - Page 206
    Figure 200: Edit Rate Limit Queue Here you can edit the traffic management queue configuration. Note 1: The fields in this window are similar to the Add Queue window that is used to add the rate limiting queues. For more information
  • McAfee M-1250 | IPS Configuration Guide - Page 207
    2 Select one or more rate limit queues and click Delete. Network Security Platform displays a confirmation dialog before it removes the traffic management configuration for the interface. Figure 201: Delete Rate Limit 3 Click Yes to
  • McAfee M-1250 | IPS Configuration Guide - Page 208
    3 If the Sensor is not able to identify a packet in terms of protocol or TCP/UDP ports defined for rate limiting, the rate limiting queues configured for IP Protocol Number are searched. If a match is found, the packet is rate limited
  • McAfee M-1250 | IPS Configuration Guide - Page 209
    SSL keys are not present in the Sensor When the Sensor is configured such that there are no SSL keys to decrypt the traffic, the HTTPS traffic reaching the Sensor is not decrypted into HTTP. Several scenarios are possible depending on
  • McAfee M-1250 | IPS Configuration Guide - Page 210
    Sensor M-8000 M-6050 M-2750 M-4050/ M-3050 M-1450/ M-1250 Restricted Ports In the M-8000 Sensor, interconnect ports XC2, XC3, XC4 and XC5 cannot be used for configuring rate limiting. In an M-8000 failover pair, 3A and 3B are used as
  • McAfee M-1250 | IPS Configuration Guide - Page 211
    monitoring port(s) of each Sensor in a failover pair exceeds the configured bandwidth, each Sensor must see the configured traffic on its monitoring port(s) for rate limiting to occur. This is independent of the traffic that the peer
  • McAfee M-1250 | IPS Configuration Guide - Page 212
    internal network. Similarly, when the response HTTP traffic passing port 1A from the internal network exceeds the configured rate limiting value of 5120 Kbps, the Sensor rate limits the traffic by dropping excess data packets. Only
  • McAfee M-1250 | IPS Configuration Guide - Page 213
    For a description of SSL functionality in Network Security Platform, see the Getting Started Guide. The available actions in this group are: • Configuring the SSL functionality of a Sensor (on page 205): Enable SSL decryption and
  • McAfee M-1250 | IPS Configuration Guide - Page 214
    5 Enter a value for the SSL Cache not be processed. Figure 205: Configuring the Sensor's SSL functionality 6 Note the SSL Operation Status. This field indicates whether or not SSL decryption on the Sensor is currently enabled. 7 Click
  • McAfee M-1250 | IPS Configuration Guide - Page 215
    lost its key encryption key. In order to protect the imported keys both in transit and in escrow, Manager uses the public key of the Sensor's public/private key pair. Network Security Platform supports PKCS12 keys with file suffixes ".
  • McAfee M-1250 | IPS Configuration Guide - Page 216
    Sensor. 3 Click Next. 4 Click Delete. Confirm the deletion. Configuring at the interface level Configuring at the interface level involves enabling McAfee-NAC-based response action for the ports. For ports deployed in inline mode, you can enable McAfee NAC forwarding, Network Security Platform
  • McAfee M-1250 | IPS Configuration Guide - Page 217
    Note: Forwarding attack details to McAfee NAC also depends on the McAfee NAC configuration at the policy level. For more information, see Configuration at the Policy Level. Figure 207: McAfee NAC Configuration at the port level Item
  • McAfee M-1250 | IPS Configuration Guide - Page 218
    NAC ACL Logging in the Sensor for IPS Quarantine The following steps explain NAC ACL Logging configurations for the Sensor from the Manager user interface: 1 In the Resource Tree, select IPS Settings > IPS Sensor_Name > IPS Quarantine >
  • McAfee M-1250 | IPS Configuration Guide - Page 219
    starts. This time interval is called Suppression Interval. After the Suppression Interval, Network Security Platform can suppress IPS notifications to McAfee NAC server. While configuring NAC ACL Logging at the Sensor port level, you can configure the suppression settings for NAC as well. To
  • McAfee M-1250 | IPS Configuration Guide - Page 220
    and instructions in this chapter include selecting a traffic type, applying IPS and DoS policies, and creating sub-interfaces for specific network/host protection. Note: Interface and sub-interface configuration performed within the Configuration page does not immediately update the Sensors. You
  • McAfee M-1250 | IPS Configuration Guide - Page 221
    all monitored with a single Network Security Sensor. Note: For more information on the maximum Virtual interfaces per Sensor, see the sections I-series Sensor capacity by model number, and M-series Sensor capacity by model number in the Troubleshooting Guide. For information on setting policies
  • McAfee M-1250 | IPS Configuration Guide - Page 222
    Full-duplex Tap and In-line modes require two physical ports, and each mode uses these two ports to form a single logical interface. Therefore, all configuration and policy decisions are made at a logical interface level. After a new
  • McAfee M-1250 | IPS Configuration Guide - Page 223
    Viewing interface details To view the details of an interface, select an interface node from the Resource Tree; the "Interface Detail" dialog appears under IPS Settings/Sensor_Name/Interface > IPS Interface > Summary. Figure 212:
  • McAfee M-1250 | IPS Configuration Guide - Page 224
    VLANs that you specify. More commonly, if you have used CIDR addressing in your network, changing the traffic type to CIDR helps you better protect specific networks/hosts in your system. For VLAN and CIDR interfaces, you are able to
  • McAfee M-1250 | IPS Configuration Guide - Page 225
    Bridge VLAN: enables the bridging of traffic between VLANs Important: When the Sensor is down, the traffic is forwarded through the peer port with the same VLAN ID with which it came to the Sensor. So, if your switches are not configured to
  • McAfee M-1250 | IPS Configuration Guide - Page 226
    Figure 215: Add VLAN IDs Item 1 2 of them to Sub-Interfaces. The VLANs should be unique within an Interface. For example, you cannot configure 20-21 and 22-21 as two VLAN pairs for one Interface. A Sub-Interface can have up
  • McAfee M-1250 | IPS Configuration Guide - Page 227
    Figure 216: Edit CIDR Interface 7 Click Add to save your interface additions; click Cancel to abort. 8 Download the changes to your Sensor interface by performing the steps in Updating the configuration of a Sensor. Deleting a VLAN or
  • McAfee M-1250 | IPS Configuration Guide - Page 228
    1 Select Sensors > Sensor_Name > Interface_Name > Manage Sub-interface. Figure 217: Manage Sub-interface 2 Click Add. Note: To edit an existing sub-interface, select the sub-interface and click
  • McAfee M-1250 | IPS Configuration Guide - Page 229
    Note 2: The maximum value in each field is 255. Network Security Sensor can be configured with a different IPS policy. This is particularly useful if you have deployed a multi-port Network Security Sensor to protect a variety of network
  • McAfee M-1250 | IPS Configuration Guide - Page 230
    Enabling IPS Policies on the interface All interfaces inherit a policy from the Sensor by default, and the Sensor inherits the policy from the parent admin domain. The IPS Policy tab (IPS Settings > IPS Sensor_Name > Interface-x >
  • McAfee M-1250 | IPS Configuration Guide - Page 231
    Outbound traffic is that traffic sent by a system in your intranet, and is on the port marked "Inside" (that is, originating from inside the network) in In-line or Tap mode. There are also Learning Mode attacks that do not have a
  • McAfee M-1250 | IPS Configuration Guide - Page 232
    DoS customization is key to protecting a specific host or server from a concentrated DoS or DDoS attack. McAfee Network Security Platform enables extremely granular DoS protection: you can have a single DoS policy applied and customized for an entire Sensor interface, or you can create custom DoS
  • McAfee M-1250 | IPS Configuration Guide - Page 233
    If you customize DoS: At the Interface level, tags. Within a single VLAN tag, you can create multiple DoS IDs for CIDR-based network addresses in your network. Note: If you create DoS policies for your VLAN tags at the interface node,
  • McAfee M-1250 | IPS Configuration Guide - Page 234
    Sample scenario: Custom DoS policy in a network In this example, suppose a Network Security Sensor is in SPAN mode, monitoring the traffic transmitting between the floors of a building. Sensor port 1A is the interface number. Figure
  • McAfee M-1250 | IPS Configuration Guide - Page 235
    • Create multiple DoS policies for each VLAN ID in the network. In this instance, you can create unique DoS policies for VLAN 2, VLAN 4, and VLAN 5. All other traffic in the interface is protected against DoS by
  • McAfee M-1250 | IPS Configuration Guide - Page 236
    • Create multiple DoS policies for each CIDR network ID and the rest of : In this first configuration, VLAN ID 2 is chosen, and rather than applying to the entire interface, a CIDR host, known in Network Security Platform as a DoS ID
  • McAfee M-1250 | IPS Configuration Guide - Page 237
    Second configuration 1 Select VLAN 3 (options were 1, 2, 3, or 4). 2 tags, or for specific CIDR networks within a VLAN tagged network. • You can customize DoS policy for your specified CIDR networks, or for specific CIDR hosts within a
  • McAfee M-1250 | IPS Configuration Guide - Page 238
    Denial of Service (DoS) modes (on page 222). For more information on rules on creating DoS profiles, see Denial of Service (DoS) IPS policy. 2 Click Edit. 3 Open a policy and make changes. 4 Click Commit Changes. 5 Click Version Control to track or review
  • McAfee M-1250 | IPS Configuration Guide - Page 239
    For Learning Mode, all attacks are configuration of a Sensor. Managing alert filters in the IPS Sensor interface level You can create alert filters at the IPS Sensor interface level from Alert Filters tab (IPS Settings > IPS Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 240
    IPS Settings node. Likewise, alert filters associated at the Sensor level are associated with all interfaces/sub-interfaces belonging to that Sensor. The steps for adding alert filters at the interface level are similar to those given in Managing
  • McAfee M-1250 | IPS Configuration Guide - Page 241
    2 (Optional) Select a DoS ID and click , which enables you to assign access control list rules for traffic passing through a specific Sensor interface. Figure 228: ACL Assignments Tab Assigning ACL rules You can assign ACL at
  • McAfee M-1250 | IPS Configuration Guide - Page 242
    Note 2: If you are revoking an interface from child domain (that has been delegated from the parent domain), with ACL configured Network Security Sensors, placed at network addresses and apply a policy specific to Solaris server traffic,
  • McAfee M-1250 | IPS Configuration Guide - Page 243
    Figure 230: Uniquely Named Sub-Interface Nodes Item 1 Description Uniquely named Sub-interface nodes The sub-interface node is created at the interface node level and found by navigating to IPS Settings > Sensor_Name > Interface-x >
  • McAfee M-1250 | IPS Configuration Guide - Page 244
    • Managing the details of a sub-interface (on page 236): Add/edit/delete IDs to those that already exist for a particular sub-interface. Viewing the details of a sub-interface The IPS Sub-Interface > Summary action allows you to view
  • McAfee M-1250 | IPS Configuration Guide - Page 245
    3 Click Edit. 4 Do one of the following: For You can apply IPS and DoS policies at the sub-interface level from the Scanning tab (IPS Settings > IPS Sensor_Name > Interface > Sub-interface-x). Network Security Sensors can process
  • McAfee M-1250 | IPS Configuration Guide - Page 246
    Figure 232: IPS Sub-Interface Tab Item 1 2 3 Description Sensors node Interface node Sub-Interface Policies at the sub-interface level Each sub-interface created within an interface can have a specific IPS policy applied. For
  • McAfee M-1250 | IPS Configuration Guide - Page 247
    3 You create a sub-interface, "File_Servers," to protect networks 192.168.0.0/24 and 192.168.1.0/24 with a more appropriate policy. You create a File Server policy to protect "File_Servers." Tip: The name "File_Servers" is used
  • McAfee M-1250 | IPS Configuration Guide - Page 248
    a notification method for a specific attack. By simply viewing a configuration of a Sensor. Managing alert filters in the sub-interface level You can create alert filters at the IPS Sensor interface level from Alert Filters tab (IPS Settings > IPS Sensor
  • McAfee M-1250 | IPS Configuration Guide - Page 249
    The IPS Sensor detects traffic that is outside of the normal parameters while continuing to take measurements of network to assign access control list rules for traffic passing through a specific sub-interface. Figure 233: ACL Tab At The Sub-Interface
  • McAfee M-1250 | IPS Configuration Guide - Page 250
    Internet Explorer browser window. Figure 234: Attack Description Example The Attack Information & Description fields are as follows: • Name: McAfee Network Security Platform-designated name for an attack. • Vulnerability Type: type of inherent system flaw that can be exploited by attackers. • Impact
  • McAfee M-1250 | IPS Configuration Guide - Page 251
    Network Security Platform supports multiple standards and sources for finding information on known attacks. Cross-referencing a Network Security Platform unauthorized access to confidential information or services, or tamper normal system operations by
  • McAfee M-1250 | IPS Configuration Guide - Page 252
    Understanding attack descriptions Category Description Reconnaissance: This type of activity is for the purpose of intelligence gathering to prepare for further attacks; for example, a port scan or probe conducted to enumerate or identify services and
  • McAfee M-1250 | IPS Configuration Guide - Page 253
    not, it can cause malfunction of the software, thus denial of service; if yes, it can lead to execution of arbitrary machine code specifications. Over Threshold Any of the well-defined traffic thresholds has been crossed. Examples include ICMP packet rate, IP
  • McAfee M-1250 | IPS Configuration Guide - Page 254
    the compromised system. Probe Probes of specific service or host, typically based on specially successful execution on the target system, will modify the target's configuration or behavior for malicious purposes. Statistical Deviation Indicates that a
  • McAfee M-1250 | IPS Configuration Guide - Page 255
    Category Unassigned Unauthorized IP Virus Volume DoS Worm Write Exposure Arbitrary Command execution Description This category is for attacks that fall outside the scope of the known subcategories in the Network Security
  • McAfee M-1250 | IPS Configuration Guide - Page 256
    Category Code execution Bot Service-sweep Description A vulnerability ; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than
  • McAfee M-1250 | IPS Configuration Guide - Page 257
    Category Phishing PUP Description is a form of Internet fraud that aims to steal valuable information such as credit cards, social security numbers, user IDs and passwords. A fake website is created that is similar to that of
  • McAfee M-1250 | IPS Configuration Guide - Page 258
    30, 31 average alert rate 163 B Back Door 283 Brute Force 283 Buffer Overflow 283 C capacity planning 161 Command Shell 283 Configuration reports 231 Configuring L3 ACLs 122 conventions vi CVE 281 D database alert threshold 164 database sizing 164 deny action 124 DoS 258 learning mode
  • McAfee M-1250 | IPS Configuration Guide - Page 259
    McAfee NAC at Interface level 241 multi sensor correlation 282 N Network Security Platform ID 281 P packet log 163 packet log sizes 163 platforms affected 281 policies configuring cookie 124 T technical support viii Traffic Management 222, 226 Egress traffic 222 IP Protocol Number 222, 226