Home » McAfee Manuals » Networking » McAfee M-1250 » Manual Viewer

McAfee M-1250 IPS Configuration Guide - Page 199

Configuring Traffic Management, in Enabling Traffic Management Settings

Add to My Manuals
Save this manual to your list of manuals

Page 199 highlights

McAfee® Network Security Platform 5.1 The IPS Sensor_Name node Network Security Platform provides three different traffic management techniques- Rate limiting, DiffServ tagging and VLAN 802.1p tagging. Rate limiting is used to control the rate of traffic sent or received on a network interface. When deployed in the inline mode, Network Security Sensor provides rate limiting of traffic by limiting the bandwidth of the traffic that goes out of the Sensor port. Traffic that is less than or equal to the specified bandwidth value is allowed, whereas traffic that exceeds the bandwidth value is dropped. Network Security Sensor uses the token bucket approach for rate limiting traffic. Note: The token bucket is a control mechanism that specifies when the traffic can be transmitted, based on the presence of tokens in the bucket. Each token represents a unit of bytes. Differentiated services or DiffServ operates on the principle of traffic classification, where each data packet is classified and placed into a limited number of traffic classes. Each network device which supports DiffServ (for example, router), can be configured to differentiate traffic based on its class. So, you can manage each traffic class differently, ensuring preferential treatment for higher-priority traffic on the network. Network Security Sensor provides DiffServ tagging of packets. The tagged packets are used by DiffServ- compliant external network devices (such as routers) for traffic management. IEEE 802.1p specification enables network devices to prioritize traffic at the media access control (MAC) layer, and perform dynamic multi-cast filtering. The 802.1p header includes a three-bit field for prioritization, which allows packets to be grouped into various traffic classes. The three-bit prioritization field provides eight different classes of service to the user. The way the traffic is treated when assigned to any particular class is undefined, and left to the implementation. Network Security Sensor provides VLAN 802.1p tagging of packets, which are sent to VLAN 802.1p-compliant external network devices (for example, routers) for traffic management. Network Security Platform provides traffic management configuration at individual Sensor ports. That is, if 1A-1B is a port-pair, traffic management is configured separately for 1A and 1B. Traffic Management configuration for a port applies to the traffic going out of the port or egress traffic only. Note: Egress traffic is the network traffic that goes out of the monitoring port of the Sensor. Traffic management is applicable to Sensor ports in the inline mode only. In Manager, every traffic management queue of a Sensor is uniquely identified by a name. The traffic management queues are configured based on Protocol, TCP and UDP ports, and IP Protocol Number. For more information on adding different traffic management queues, see Adding Traffic Management Queues (on page 194). You can create multiple queues for each port of the Sensor. For more information on the number of queues that can be configured for each type of Sensor port (FE or GE), refer the section Queue Count in Enabling Traffic Management Settings (on page 192). The traffic management configuration in Manager must be followed by a configuration update to the Sensor. Configuring Traffic Management You can perform the following configuration tasks for traffic management, from Manager: 191

Section	Page
Preface	5
Introducing McAfee Network Security Platform	5
About the guide	5
Audience	5
Conventions used in this guide	6
Related documentation	7
Contacting Technical Support	8
Overview of IPS settings	9
Configuring and setting rule-based policies	9
Responding to detected attacks	10
Packet logging	10
Sensor actions	11
Setting notification for attacks	11
How Network Security Platform calculates severity level	12
Attack categories and severity range	12
Managing IPS settings	14
Viewing assigned policies	14
Configuring and managing policies	15
Managing policies with IPS Policy Editor	16
Adding an IPS policy	16
Applying rule sets for inbound and outbound traffic	18
Steps for applying a rule set	18
Specifying the Inbound Policy the same as Outbound Policy	19
Customizing exploit attack enforcement	19
Using Advanced Search to locate attacks	23
Customizing responses for an exploit attack	27
Exploit attack notification	29
Customizing Denial of Service (DoS) modes	31
Denial of Service attack notification	33
Audit Log Comments	35
To enter comments in the Enter Comment dialog	35
To view comments in the Audit log table	36
User annotations in the Attack Encyclopedia	37
Appending comments to parent domain	39
Overriding the parent domain annotations	39
Viewing user annotations	40
Cloning an IPS policy	41
Viewing/editing an IPS policy	42
Using Bulk Edit for IPS Policy	42
Deleting an IPS policy	45
Creating versions of an IPS policy	45
Managing policies with Reconnaissance Policy Editor	46
Adding a Reconnaissance Policy	47
Cloning a reconnaissance policy	51
Viewing/editing a Reconnaissance Policy	52
Using Bulk Edit for Reconnaissance Policy	53
Deleting a Reconnaissance Policy	53
Policy Assignment	54
Managing HTTP response scanning	56
Configuring Advanced Policies	58
Configuring non-standard ports	59
Adding a non-standard port entry	59
Editing a non-standard port entry	60
Managing rule sets with the Rule Set Editor	61
Viewing a rule set	61
Adding a rule set	61
Cloning a rule set	68
Editing a rule set	69
Deleting a rule set	69
Policy Editors and Rule Set Editor	69
Pre-configured rule sets and policies	71
Attack Categories	71
Default Inline IPS policy	73
Managing attack responses using GARE	73
User-Defined Signatures action	73
Setting up Global Auto Acknowledgement	74
Configuring Global Auto Acknowledgement	74
Using the Incident Generator service	75
Exporting and importing policies	82
Exporting policies	82
Importing and comparing policies	83
Selecting a policy to import	83
Comparing policies before importing	84
Completing the policy import	86
Managing alert filters and attack responses	86
Using the Alert Filter Editor	86
Adding alert filters	87
Cloning alert filters	89
Viewing or editing alert filters	89
Deleting alert filters	89
Alert filter assignments	90
Viewing assigned alert filters	91
Exporting Alert Filters	92
Importing alert filters	92
Setting up ACLs	93
Configuring ACL rules	93
Viewing applied ACLs	93
Using the ACL Editor	94
Adding an ACL rule	94
Cloning an ACL rule	97
Viewing/Editing an ACL rule	97
Deleting an ACL rule	97
Creating ACL Groups	97
Using ACL Group Editor	98
Adding an ACL Group	98
Cloning an ACL group	101
Viewing/editing an ACL group	101
Deleting an ACL group	101
Assigning ACLs	102
Exporting an ACL	106
Importing an ACL	106
ACL Syslog Forwarder	107
Creating a custom Syslog message	109
XML converter tool for ACL rules	109
Using L3 ACLs for fragmented traffic	110
Understanding L3 ACL rules	110
Configuring L3 ACLs in the Manager	111
Limitations	112
Enabling Secure Socket Layer (SSL) Decryption	112
Enabling SSL decryption in IPS Settings node	113
Importing SSL keys to the Sensors	114
Managing the imported SSL keys of Sensors	115
Re-importing an SSL key file	115
Deleting SSL key files from Manager	116
IPS Quarantine settings	116
IPS Quarantine configuration in Policy Editors	117
Enabling IPS Quarantine in IPS Policy Editor	117
Selecting multiple attacks for IPS Quarantine	120
Searching attacks eligible for IPS Quarantine	121
Considerations for IPS Quarantine rule creation	122
IPS Quarantine configuration in Admin Domain	123
Creating network objects for IPS Quarantine	123
Adding Network Access Zones for IPS Quarantine	124
Configuring Syslog messages for IPS Quarantine	127
Customizing IPS Quarantine browser messages	128
Configuring Remediation Portal from IPS Settings	129
IPS Quarantine configuration using Wizard	130
Summary of Admin Domain configurations for IPS Quarantine	131
IPS Quarantine settings in the Threat Analyzer	131
Adding hosts for IPS Quarantine from Alerts page	132
Quarantine of hosts from Alert Details	132
IPS Quarantine options from Hosts page	134
IPS Quarantine summary	135
Archiving data	136
Viewing scheduled actions	136
Archiving alerts and packet logs	136
Scheduling automatic archival	138
Restoring an archive	139
Deleting archivals from Manager	141
Exporting an archive	141
Archiving alerts using dbadmin.bat	141
Restoring alerts using dbadmin.bat	142
Manager database maintenance	144
Capacity planning	144
Capacity planning in Manager	144
Alert and packet log sizes	145
Determining average alert rate-weekly	146
Database sizing requirements	146
Database alert threshold - reaching capacity	147
Alert Data Pruning	148
Deleting alerts and packet logs from the database using purge.bat	149
Packet log database table indexing for MySQL databases	150
Manager Pruning	150
Setting up alert notifications	151
Viewing alert notification details	151
Forwarding alerts to an SNMP server	152
Modifying or deleting SNMP forwarder settings	154
Forwarding alerts to a Syslog server	154
Specifying email or pager parameters	158
Specifying script parameters	160
Updating the configuration of all Sensors	162
The IPS Sensor_Name node	164
IPS Sensor settings	164
Policies at Sensor_Name level	164
Managing policy across the IPS Sensor	165
Alert filter assignments	165
Viewing assigned alert filters	167
Alert filter association using the Threat Analyzer	168
Managing HTTP response scanning	168
Viewing the DoS detection status of a Sensor	170
Configuring advanced scanning	171
Managing Non-standard Ports	172
Creating an interface group	172
Managing DoS Learning Mode profiles	173
Managing DoS filters	176
Configuring TCP settings	177
Configuring IP settings for IPv4 and IPv6 traffic	180
Tunneled traffic	182
Configuring alert suppression with packet log response	184
OS Fingerprinting	186
Viewing OS information	187
Configuring ACL rules in the IPS Sensor	188
Assigning ACL rules in the IPS Sensor	189
Managing ACL rules in the IPS Sensor	191
Viewing effective ACL rules	193
Editing ACL Log settings	194
Enabling IP Address spoofing detection	196
Traffic Management	198
Configuring Traffic Management	199
Enabling Traffic Management settings	200
Adding Traffic Management Queues	202
Editing or viewing Traffic Management Queues	205
Deleting Traffic Management Queues	206
Viewing Traffic Management reports	207
Precedence in Traffic Management	207
Considerations in rate limiting	208
Rate limiting of application protocols using SSL	208
Port-level limitations	209
Network scenarios for Traffic Management	211
Enabling SSL decryption	212
Configuring SSL decryption in the IPS Sensor	213
Managing the imported SSL keys of a Sensor	214
Importing SSL keys to the Manager for a Sensor	214
Re-importing an SSL key file	215
Deleting SSL key files from Manager	216
Configuring at the interface level	216
IPS Quarantine settings in the IPS Sensor	217
Summary of Sensor configurations for IPS Quarantine	217
NAC ACL Logging in the Sensor for IPS Quarantine	218
Sensor port settings for IPS quarantine	219
Setting policy for interfaces and sub-interfaces	221
Using Virtualization for policy application	221
The IPS Sensor interface node	221
Configuring general interface settings	222
Viewing interface details	223
Managing an interface	223
Deleting a VLAN or CIDR ID from an interface	227
Creating sub-interfaces	227
Scanning policies at the interface level	229
Enabling IPS Policies on the interface	230
Managing the policy applied to an interface	230
Denial of Service (DoS) modes	230
Learning mode	231
Threshold mode	231
Denial of Service (DoS) customization	232
DoS Customization configuration rules	232
Sample scenario: Custom DoS policy in a network	234
Dedicated	234
VLAN	234
CIDR	235
DoS IDs in the Configuration page	236
First configuration	236
Second configuration	237
Third configuration	237
Customizing one or more DoS policies for an interface	237
Deleting a custom DoS ID entry	239
Managing alert filters in the IPS Sensor interface level	239
Viewing the applied DoS policies of an interface	240
Adding ACLs on the interface	241
Assigning ACL rules	241
IPS Sensor sub-interface node	242
Configuring general sub-interface settings	243
Viewing the details of a sub-interface	244
Managing the details of a sub-interface	244
Scanning policies at the sub-interface level	245
Policies at the sub-interface level	246
Scenario: Applying different policies to multiple sub-interfaces	246
Managing the policy of a sub-interface	247
Customizing DoS policy for a sub-interface	247
Managing alert filters in the sub-interface level	248
Viewing the applied DoS policies of a sub-interface	248
Adding ACL rules on the sub-interface	249
Understanding attack descriptions	250
Impact categories	251
Impact subcategories	252

Match case Limit results 1 per page

McAfee® Network Security Platform 5.1

The IPS Sensor_Name node

191

Network Security Platform provides three different traffic management techniques- Rate

limiting, DiffServ tagging and VLAN 802.1p tagging.

Rate limiting is used to control the rate of traffic sent or received on a network interface.

When deployed in the inline mode, Network Security Sensor provides rate limiting of traffic

by limiting the bandwidth of the traffic that goes out of the Sensor port. Traffic that is less

than or equal to the specified bandwidth value is allowed, whereas traffic that exceeds the

bandwidth value is dropped. Network Security Sensor uses the token bucket approach for

rate limiting traffic.

Note:

The token bucket is a control mechanism that specifies when the traffic can

be transmitted, based on the presence of tokens in the bucket. Each token

represents a unit of bytes.

Differentiated services or DiffServ operates on the principle of traffic classification, where

each data packet is classified and placed into a limited number of traffic classes. Each

network device which supports DiffServ (for example, router), can be configured to

differentiate traffic based on its class. So, you can manage each traffic class differently,

ensuring preferential treatment for higher-priority traffic on the network. Network Security

Sensor provides DiffServ tagging of packets. The tagged packets are used by DiffServ—

compliant external network devices (such as routers) for traffic management.

IEEE 802.1p specification enables network devices to prioritize traffic at the media access

control (MAC) layer, and perform dynamic multi-cast filtering. The 802.1p header includes

a three-bit field for prioritization, which allows packets to be grouped into various traffic

classes. The three-bit prioritization field provides eight different classes of service to the

user. The way the traffic is treated when assigned to any particular class is undefined, and

left to the implementation. Network Security Sensor provides VLAN 802.1p tagging of

packets, which are sent to VLAN 802.1p—compliant external network devices (for

example, routers) for traffic management.

Network Security Platform provides traffic management configuration at individual Sensor

ports. That is, if 1A-1B is a port-pair, traffic management is configured separately for 1A

and 1B. Traffic Management configuration for a port applies to the traffic going out of the

port or egress traffic only.

Note:

Egress traffic is the network traffic that goes out of the monitoring port of the

Sensor.

Traffic management is applicable to Sensor ports in the inline mode only.

In Manager, every traffic management queue of a Sensor is uniquely identified by a name.

The traffic management queues are configured based on Protocol, TCP and UDP ports,

and IP Protocol Number. For more information on adding different traffic management

queues, see Adding Traffic Management Queues (on page

194

You can create multiple queues for each port of the Sensor. For more information on the

number of queues that can be configured for each type of Sensor port (FE or GE), refer

the section

Queue Count

in Enabling Traffic Management Settings (on page

192

The traffic management configuration in Manager must be followed by a configuration

update to the Sensor.

Configuring Traffic Management

You can perform the following configuration tasks for traffic management, from Manager: