McAfee M-1250 Network Protection - Page 12

C

HAPTER

3

Determine your high availability strategy

Before you move your McAfee

®

Network Security Sensor (Sensor) inline, consider the

impact of a Sensor outage and its effect on your network. In inline mode, the Sensor does

become a single point of failure. McAfee

®

Network Security Platform provides a variety of

options to minimize network downtime in the event of Sensor failure. For example,

Sensors support complete stateful failover, delivering the industry's first true high-

availability IPS deployment, similar to what you’d find with firewalls. If you’re running the

Sensor in inline mode, McAfee recommends that you deploy two Sensors redundantly for

failover protection.

The following deployment options are available:

•

Failover, or High-Availability.

•

Fail-open or fail-closed functionality.

±

Fail-open with external hardware.

±

Fail-open with the Layer 2 Passthru (L2) feature

Failover, or High-Availability

Where redundancy is an essential requirement, it is best practice to implement Network

Security Platform 'high-availability' configuration. When running Sensors inline, this option

is available to an identical pair of Sensors (same model, software image, signature set)

deployed redundantly in inline mode. Both Sensors in the pair are active and share full

state, so that the information on both Sensors is always current. Latency is very minimal;

than other devices providing failover, such as, firewalls.

The keys to the Network Security Platform failover architecture are as follows:

±

Sensors configured for failover confirm a “heartbeat” once each second.

±

Sensors configured for failover share flow information in real time.

±

Sensors are invisible at Layer 2 and above; the monitoring ports do not have MAC

addresses.

As a result, you do not have to worry about Layer 2 and 3 topology changes when you

introduce Network Security Platform failover into the environment, and in the unlikely event

of a Sensor failure, failover is instantaneous and connection state is maintained.

All Sensor models support failover.

This subject is discussed in detail in the document

Special Topics Guide—Sensor High

Availability

.

4

Section	Page
Preface	5
Introducing McAfee Network Security Platform	5
About this Guide	5
Conventions used in this guide	5
Related Documentation	6
Contacting Technical Support	7
What is inline mode?	9
Benefits of running inline	9
Inline deployment walkthrough	11
Determine your high availability strategy	12
Failover, or High-Availability	12
Fail-open or fail-closed functionality	13
Install and cable the Sensor	14
Cable the Fast Ethernet monitoring ports	15
Cable the Gigabit Ethernet monitoring ports	15
Cable a failover pair	15
Configure the Sensor monitoring ports	16
About Sensor port configuration	16
Failover: configure two Sensors in inline mode	19
Create a Failover Pair	19
Download configuration, signature set, and software updates to the Sensor	20
Configure policies	21
Tune your policies	21
About false positives and \	22
Incorrect identification	22
Correct identification; significance subject to usage policy	22
Correct identification; significance subject to user sensitivity (also known as noise)	22
Block attacks	24
Methods for blocking attacks	24
Block exploit traffic	24
How blocking works for exploit traffic	25
Verify dropped exploit attacks using the Threat Analyzer	25
Block DoS traffic	25
How blocking works for DoS traffic	26
Verify blocked DoS attacks using the Threat Analyzer	26
Drop DoS Attacks from the Threat Analyzer	26
Block using ACLs	26
Utilize traffic normalization	27
Blocking based on configured TCP & IP Settings	28
Blocking of IP-spoofed packets	28
Troubleshooting	29
Verify that traffic is flowing through the Sensor	29
Verify failover pair creation success	29
show	29
status	29
show failover-status	30
downloadstatus	30

McAfee M-1250 Network Protection - Page 12

Determine your high availability strategy, Failover, or High-Availability

Page 12 highlights