McAfee M-1250 Network Protection

McAfee M-1250 - Network Security Platform Manual

McAfee M-1250 manual content summary:

  • McAfee M-1250 | Network Protection - Page 1
    Special Topics Guide-In-line Sensor Deployment revision 1.0 McAfee® Network Security Platform Network Security Sensor version 6.0 McAfee® Network Protection Industry-leading network security solutions
  • McAfee M-1250 | Network Protection - Page 2
    color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. by Chris Torek. Issued DECEMBER 2009 / Special Topics Guide-In-line Sensor Deployment 700-2381-00/ 1.0 - English
  • McAfee M-1250 | Network Protection - Page 3
    Introducing McAfee Network Security Platform v About this Guide...v Conventions used in this guide ...v Related Documentation...vi Contacting Technical Support ...vii ...19 Blocking based on configured TCP & IP Settings 20 Blocking of IP-spoofed packets 20 Chapter 8 Troubleshooting 21 iii
  • McAfee M-1250 | Network Protection - Page 4
    Verify that traffic is flowing through the Sensor 21 Verify failover pair creation success 21 show ...21 status...21 show failover-status ...22 downloadstatus ...22 Index ...23 iv
  • McAfee M-1250 | Network Protection - Page 5
    configuration, information on attack blocking, and inline troubleshooting options. This guide assumes that the reader has a working understanding of McAfee Network Security Platform products, including McAfee Network Security Manager (nsm) and McAfee Network Security Sensors (Sensors). Conventions
  • McAfee M-1250 | Network Protection - Page 6
    McAfee® Network Security Platform 6.0 Preface Convention Procedures are presented as a series of numbered steps. Example 1. On the Configuration tab, click Backup. Names of keys on the keyboard Press ENTER. are denoted using UPPER CASE. Text such as syntax, key words, and values that
  • McAfee M-1250 | Network Protection - Page 7
    McAfee® Network Security Platform 6.0 • I-4000 Sensor Product Guide • I-4010 Sensor Product Guide • M-1250/M-1450 Sensor Product Guide • M-1250/M-1450 Quick Start Guide • M-2750 Sensor Product Guide • M-2750 Quick Start Guide • M-3050/M-4050 Sensor Product Guide • M-3050/M-4050 Quick Start Guide •
  • McAfee M-1250 | Network Protection - Page 8
    McAfee® Network Security Platform 6.0 Preface Online Contact McAfee Technical Support http://mysupport.mcafee.com. Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve
  • McAfee M-1250 | Network Protection - Page 9
    , Network Security Platform can scrub-or normalize-traffic to take out any ambiguities in protocols that the attacker may be using to try to evade detection. Current IDS products are susceptible to these techniques, and an example of this attempt is IP fragment and TCP segment overlaps. The Sensor
  • McAfee M-1250 | Network Protection - Page 10
    McAfee® Network Security Platform 6.0 What is inline mode? In inline mode, the Sensor logically acts as a transparent repeater with minimal latency for packet processing. Unlike bridges, routers, or switches, the Sensor does not need to learn MAC addresses or keep an ARP cache or a routing table.
  • McAfee M-1250 | Network Protection - Page 11
    ports. 5 Understand how blocking works, and configure blocking. Note: You must use McAfee® Network Security Manager (Manager) to configure most aspects of your Sensor(s), including port configuration, pairing two Sensors for failover operation, and configuring and applying policies to detect and
  • McAfee M-1250 | Network Protection - Page 12
    a single point of failure. McAfee® Network Security Platform provides a variety of options to minimize network downtime in the event of Sensor failure. For example, Sensors support complete stateful failover, delivering the industry's first true high-availability IPS deployment, similar to what you
  • McAfee M-1250 | Network Protection - Page 13
    McAfee® Network Security Platform 6.0 Determine your high availability strategy Fail-open or fail-closed functionality Sensor ports flow through the Sensor without being copied to the detection engine. Note: The Layer 2 Passthru option is provided specifically to handle internal Sensor errors; it
  • McAfee M-1250 | Network Protection - Page 14
    with the McAfee® Network Security Manager (Manager). This documentation consists of model-specific Product Guides and Quick Start Guides and a model-generic Sensor Configuration Guide. These documents provide detailed installation, configuration and cabling instructions for your Sensor. You may
  • McAfee M-1250 | Network Protection - Page 15
    McAfee® Network Security Platform 6.0 Install and cable the Sensor Cable the Fast Ethernet monitoring ports The FE ports available on some Sensor models fail-open and require no extra hardware; simply connect your cables to a port pair (For example: 1A-1B). Fail-closed mode for FE ports
  • McAfee M-1250 | Network Protection - Page 16
    McAfee® Network Security Platform 6.0 Install and cable the Sensor. Sensor: Failover port. M-8000: HA1 and HA2 (3A and 3B); M-6050: HA1 (4A), note that HA2 (4B) remains unused; M-4050: 2A; M-3050: 2A; M-2750: 10A; M-1450: 4A; M-1250: 4A; N-450: 10A and 10B
  • McAfee M-1250 | Network Protection - Page 17
    McAfee® Network Security Platform 6.0 Install and cable the Sensor 1 In the Manager interface, select / My Company / Device List / Sensor_Name > Physical Device > Port Settings. 2 Click a numbered port (For example: 4A) from Monitoring Ports. View Monitoring
  • McAfee M-1250 | Network Protection - Page 18
    McAfee® Network Security Platform 6.0 Install and cable the Sensor 6 Select the area of your network to which the current port is connected: Inside (traffic initiating internally, destined for the external network) or Outside (traffic initiating externally, destined for the internal network). 7
  • McAfee M-1250 | Network Protection - Page 19
    Pair You can create a Failover Pair using McAfee® Network Security Manager (Manager) System Configuration tool. Failover Pair creation happens in real time; there is no need to explicitly update the configuration. Note 1: By design, the configuration of the primary Sensor is copied to the secondary
  • McAfee M-1250 | Network Protection - Page 20
    McAfee® Network Security Platform 6.0 Failover: configure two Sensors in inline mode 1 Click / My Company / Device List > Device List > Failover Pairs. 2 Click New. The Add a Failover Pair dialog opens. 3 Select the Sensor Model type. Both Sensors in a failover pair must be the same model. 4 Type
  • McAfee M-1250 | Network Protection - Page 21
    CHAPTER 6 Configure policies Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and
  • McAfee M-1250 | Network Protection - Page 22
    McAfee® Network Security Platform 6.0 Configure policies About false positives and "noise" The mere mention of false positives always causes concern in the mind of any security analyst. However, false positives may mean quite different things to different people. In order to better manage the
  • McAfee M-1250 | Network Protection - Page 23
    McAfee® Network Security Platform 6.0 Configure policies can use against your network: the fact that the attack failed can ratio can be fairly high, particularly in the following conditions: • The configured policy includes a lot of Informational alerts, or scan alerts which are based
  • McAfee M-1250 | Network Protection - Page 24
    one or more of McAfee® Network Security Platform's IPS Policies to pro-actively drop malicious traffic. One of McAfee Network Security Platform's pre-configured policies includes this functionality by default. The Default Inline IPS policy is automatically applied to Sensor interfaces when the
  • McAfee M-1250 | Network Protection - Page 25
    in the policy). If the traffic is bad, the Sensor then applies the configured "drop packets" action. When Network Security Platform identifies a malicious flow, it blocks only the flow; not all the traffic from the source IP (Sensor behavior is unlike that of a firewall). • For UDP and ICMP
  • McAfee M-1250 | Network Protection - Page 26
    McAfee® Network Security Platform 6.0 Block attacks How blocking works for DoS traffic A DoS policy applies to inbound, outbound, and bidirectional traffic. Inbound traffic is that traffic received on the port marked "Outside" (that is, originating from outside the network) in inline mode.
  • McAfee M-1250 | Network Protection - Page 27
    the MSS option, the Sensor removes it. In both cases, Network Security Platform performs an incremental checksum of the TCP header and regenerates the CRC integrity check value. Note: Packet scrubbing must be manually enabled (navigate to / My Company / IPS Settings / Sensor_Name > Advanced Scanning
  • McAfee M-1250 | Network Protection - Page 28
    McAfee® Network Security Platform 6.0 Block attacks Blocking based on configured TCP & IP Settings Network Security Sensors have the intelligence to keep a number of TCP/IP connection parameters, as well as complete state information. The / My Company / IPS Settings / Sensor_Name > Advanced
  • McAfee M-1250 | Network Protection - Page 29
    in the CLI Guide. show Shows all of the current configuration settings on the Sensor. You can use the show command to verify information such as the Sensor's management port IP address, the version of software currently running, McAfee® Network Security Manager's (Manager's) IP address, and the
  • McAfee M-1250 | Network Protection - Page 30
    McAfee® Network Security Platform 6.0 Troubleshooting • If trust is not established, check the Sensor name and shared secret on both the Sensor and the Manager. • If the Sensor is not seeing attacks for a significant period of time, check status for Sensor health and established trust. Also, check
  • McAfee M-1250 | Network Protection - Page 31
    -open mode 8 in-line mode 1 M monitoring ports 8 N noise 14 noise-to-incorrect-identification ratio 14 O optimal high availability strategy 3 P packet scrubbing 1 policy tuning 13 port configuration 7, 8 R renegotiation 5 S sensor outage 5 software fail-open 5 T technical support viii
  • McAfee M-1250 | Network Protection - Page 32
    traffic normalization 19 W wire rates 1 wire-matched sensor ports 1

Special Topics Guide
In-line Sensor Deployment
revision 1.0
McAfee® Network Protection
Industry-leading network security solutions
McAfee® Network Security Platform
Network Security Sensor
version 6.0