How to Install McAfee Network Security Manager and Network Security Platform


    Introduction

         The intent of this article is to walk you through the installation of the McAfee IPS sensor, Network Security Platform (NSP), and the McAfee Network Security Manager (NSM).

         Once both the manager and sensor have been installed I'll demonstrate how to integrate the two, update policies, enable GTI, and enable Application Identification.

              Network Security product:  http://www.mcafee.com/us/products/network-security-platform.aspx

              Contact McAfee:            http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales

    Video

        This video walks you through the steps required to install and integrate a McAfee IPS sensor with the McAfee Network Security Manager.

        You can also follow the step-by-step instructions below instead.

    Download and install NSM Software

        Go to http://www.mcafee.com/us/downloads/downloads.aspx; at this point you will enter your grant number.

              [Screenshot: mcafee.com download.JPG]

        Once on the download page, navigate to "McAfee Network Security Platform".

              [Screenshot: download nsp.JPG]

        Scroll down until you find the NSP Manager software. After you click on the link you'll have to agree to McAfee's End User License Agreement prior to downloading the software.

              [Screenshot: NSM software.JPG]

        On the download page select the version of Network Security Manager that you'd like to install. For the purposes of this document we used 8.1.3.6.

              Tip: download the software directly onto the server you'd like NSM to be installed on.

              [Screenshot: NSM version.JPG]

    Installing the Sensor

        The sensor I will be using is the M-1450.

              [Screenshot: Sensor faceplate.JPG]

        Connect to the device via console to configure an IP address; it is used later during the integration process with NSM.

            Name             Setting
            Baud Rate        38400
            Number of bits   8
            Parity           None
            Stop Bits        1
            Flow Control     None

        Once you've connected to the sensor, the default username and password are admin/admin123. Type the commands:

        "set sensor ip"

         and

        "set sensor gateway"

        This will give the sensor an IP address accessible to the Network Security Manager you'll be installing.

        At this point test access via SSH using the assigned IP address.

        If your connection is successful, WAIT before completing the sensor configuration.

              Note: We will complete the setup and integration in a later step.

        If your connection failed, go back to the console connection and type the command "show" to verify the IP and gateway settings.

    Network Security Manager Installation

    Server Requirements

              [Screenshot: server requirements.JPG]

        After saving the NSM software to the desktop of the server you'd like to be your manager, double click the NSM icon to begin the install process.

              [Screenshot: nsm desktop icon.JPG]

        The installation wizard opens after the "InstallAnywhere" dialogue box is finished.

        During the wizard you'll need to click through the steps listed in the screenshot above.

        "Install Type" depends on whether this is a Central Manager or a standard Manager.

        The rest of the questions refer to installation locations and resources.

        I've selected all the defaults; please choose what makes the most sense for your installation and make notes if default folder locations are changed.

        If you'd like to connect to an existing database, the credentials are asked for during setup in the "Customize Installation" section. However, the database has to be installed on the same server.

        If no database has been preconfigured on this server then one will be installed at this time.

        Please make note of the user names and passwords used during the installation process.

        This process should take approximately 15 minutes.

        Once complete you can access the manager via https://<computername> or https://<ipaddress_of_nsm_host>

    Configuration of the Network Security Manager

        If a browser doesn't launch on completion of the installation, open a browser and navigate to the manager at one of the options listed above.

         *Supported browsers as of 6-2014:

                      IE 9.0, 10.0, and 11.0
                      Firefox
                      Chrome
                      Safari 6.0 & 7.0

        At this point one of two options will present itself: you'll find yourself either at a configuration wizard or on the NSM dashboard with no information.

    Configuration Option 1 - Wizard

              [Screenshot: NSM install wizard.JPG]

        You'll notice that the wizard walks through a 10 step process. This process updates the manager to the latest signature set and allows you to set a schedule to check for and install new signatures.

        The video and following write-up DO NOT follow option 1.

    Configuration Option 2 - Blank Dashboard

              [Screenshot: NSM blank dashboard.JPG]

        The video follows option 2 for many reasons, the main one being that after following these steps the administrator is more familiar with the workflows for making changes in NSM.

    Integrating NSM with Sensor

        From the dashboard navigate to the "Devices" tab. On the left hand side of the page select the "Add Device Wizard" option.

        Earlier in the sensor configuration we didn't complete the setup because we want to establish a trust between the sensor and the manager. At the time of the sensor install the manager wasn't ready and a trust couldn't have been established.

        On the "Add Device Wizard" page fill in the "Device Name", "Device Type", "Shared Secret" (this will be the same on the sensor), and "Confirm Shared Secret".

        DON'T HIT "NEXT" YET!

              [Screenshot: Sensor wizard on NSM.JPG]

        Navigate to your sensor via a terminal or console connection and run the "setup" command.

        Running the "setup" command will guide you through the steps necessary to connect the sensor to the manager.

              [Screenshot: nsm sensor and terminal.JPG]

        The "setup" command walks you through:

              Sensor Name (must match the manager's "sensor name" in order to establish a trust)
              IPv4 or IPv6
              Sensor IP address
              Sensor subnet mask
              Manager primary address
              Manager secondary address (if one has been configured)
              Sensor default gateway
              Management port configuration
              Shared Secret Key (this is the same shared secret key entered on the manager)

        Once you have entered (and confirmed) the shared secret key on the sensor, go back to the manager and select "Next".

        At this point the NSM will try to establish a trust with the sensor; if there are no typos and the two devices can communicate over the network, a trust should be established within a couple of minutes.

        By typing the "status" command on the terminal we can see when the trust has been established between the manager and the sensor (Manager Communications).

              [Screenshot: sensor trust established.JPG]

        We can now also see that the device is listed in the manager.

              [Screenshot: device listed in manager.JPG]

    Update Signature Set on Sensor from NSM

        Now that the Manager can manage the sensor we'll want to make sure that our sensor has the latest signature set that is available.

        Navigate to the "Manage" tab and then, under "Updating" on the left, select "Download IPS Signature Sets".

              [Screenshot: update signature set.JPG]

        The signature version currently on the sensor is 8.6.28.4 and we can see there is a more recent set available, 8.6.32.7. Select the radio button by the newest signature set and select "Download" in the lower right hand corner.

    Note:  This action downloads the new signature set to the manager but does not push the signatures to the sensor.

    Enabling GTI for IP and File Reputation

         IP Reputation (formerly TrustedSource) – Comprehensive, real-time, cloud-based IP reputation service to provide

              Web reputation – URL and web domain categorization service to take policy-based threats

              Web categorization – URL and web domain categorization service to take policy-based action on user web activity as well as protect customers against both known and emerging web-based threats.

              Message reputation – Message and sender reputation service to protect against message-based threats such as spam.

              Network connection reputation – IP address, network port, and communications protocol reputation service to determine granular reputation intelligence and protect against network threats.

         File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation service to protect against both known and emerging malware-based threats.

        Each of these technologies works together to provide information about threats and vulnerabilities, which gives GTI the ability to predictively adjust reputations across all threat areas and thereby avoid attacks.

    GTI IP Reputation Configuration

        Navigate to the "Manage" tab, then on the left hand side expand "Integration" and select "Global Threat Intelligence".

        When you first visit this page a window will open asking if you'd like to participate by sending detailed information about attacks your network may discover back to McAfee Labs. A list of what is being sent can be viewed at any time by hitting the "show me what I'm sending" link on the right hand side of the page.

        To configure the information being reported via GTI, select "yes" or "no" for each of the sections under "Global Threat Intelligence".

        By selecting the "+" icon more detail is available to see exactly what is being sent from each section. In my configuration I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage. I have chosen not to send System Faults to GTI.

              [Screenshot: GTI opt-in.JPG]

        Also in this window is the option to exclude our organization's IP address information for a given list of endpoints.

              [Screenshot: GTI exclude IP range.JPG]

        Enter the IP address ranges you'd like to exclude, add them to the list, then click "Save" (typically this is your private address space).

              [Screenshot: Exluded Range.png]

        The next section of the page allows you to determine what level of alerts are sent to GTI. To reduce the information being sent from my network, I have selected "high" and "medium", opting not to send alerts that are either "low" or "informational".

              [Screenshot: Alert Data Details Filter.jpg]

        The next section gives the user the option to provide contact information to McAfee. This information will be used to communicate end of life and other key product milestones. Since I am in a lab environment my data will be anomalous and of little value to the GTI community, so I have opted not to send contact information.

              [Screenshot: GTI Technical Contact Information.jpg]

        The last section on the Global Threat Intelligence integration page is a "test" portion. This allows you to input any IP address and verify connectivity with GTI.

              [Screenshot: GTI Test GTI Lookup.jpg]

         Note:  This page defines the parameters by which GTI will communicate to and from your organization, which alert details and summary may be sent, and some device details; it does not implement this information in a policy for blocking or alerting purposes.

    GTI Implementation

        As mentioned earlier there are two parts to GTI: IP Reputation and File Reputation.

    GTI IP Reputation Implementation

        There are two steps to implement IP Reputation: the first is globally at the domain level, then additional changes are made at the interface on the device level.

        Changes can be made and implemented per interface only, but as a best practice we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.

    Implementation is a three-step process.

    Step 1  Implement settings at the Domain/Global level

              Navigate to Devices > Global > Default Device Settings > IPS Devices > IP Reputation

              [Screenshot: GTI Implementation navigation.jpg]

         At the global level there are 3 steps to implement IP Reputation:

    • Check the box at the top "Use IP Reputation to Augment SmartBlocking?"

    • Choose which protocols you'd like to whitelist and which ones you'd like to have queried. (Since I am in a lab environment and don't have to worry about performance I have selected all protocols to be inspected.)

    • Whitelisted Endpoints – Since I included the lab IP range on the GTI Participation page, I selected "Inherit CIDR Exclusion list from GTI"

    • Finally select "Save".
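    As an added example (not from this write-up and not McAfee's code), the Python script below models the two settings above that keep internal address data from leaving the network: the CIDR exclusion list entered on the GTI participation page, which "Inherit CIDR Exclusion list from GTI" reuses as the IP Reputation whitelisted endpoints, and the "high"/"medium" Alert Data Details filter. The exclusion ranges and alert records are constructed sample data, and the filtering behaviour is an assumption about the settings' effect, not NSM's implementation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed exclusion list (assumption): RFC 1918 private space plus a
# hypothetical lab range. In NSM this is whatever you enter on the GTI
# participation page and, via "Inherit CIDR Exclusion list from GTI",
# it also becomes the IP Reputation whitelisted endpoints.
EXCLUDED_CIDRS = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "203.0.113.0/24",   # hypothetical lab range (documentation prefix as placeholder)
]

# Alert severities selected on the Alert Data Details filter in the walkthrough.
SEND_SEVERITIES = frozenset({"high", "medium"})


@dataclass
class Alert:
    """Constructed alert record; only the fields this model needs."""
    attack: str
    severity: str   # "high", "medium", "low" or "informational"
    src_ip: str
    dst_ip: str


def build_exclusions(cidrs):
    """Parse the CIDR strings once; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_excluded(ip, networks):
    """True when the address falls inside any excluded range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def reputation_query_allowed(ip, networks):
    """Whitelisted endpoints: an address inside the exclusion list is never
    sent to GTI for an IP Reputation lookup (assumed effect of the inherit option)."""
    return not is_excluded(ip, networks)


def gti_alert_record(alert, networks, severities=SEND_SEVERITIES):
    """Return the alert detail that would be reported to GTI under the
    walkthrough's settings, or None when the severity filter drops it.
    Addresses inside the excluded ranges are replaced by a marker so that
    no internal address leaves the network (assumed behaviour)."""
    if alert.severity not in severities:
        return None

    def scrub(ip):
        return "excluded" if is_excluded(ip, networks) else ip

    return {
        "attack": alert.attack,
        "severity": alert.severity,
        "src_ip": scrub(alert.src_ip),
        "dst_ip": scrub(alert.dst_ip),
    }


if __name__ == "__main__":
    nets = build_exclusions(EXCLUDED_CIDRS)
    sample = Alert("HTTP: sample signature", "high", "198.51.100.7", "10.1.1.5")
    print(gti_alert_record(sample, nets))
```

    Running the script with your own exclusion list is a quick way to confirm, before enabling participation, that every internal range you care about is actually covered.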

     

     

     

     

     

              [Screenshot: GTI Implementation steps.jpg]

        Once this is saved, let's move to our inspection ports and apply IP Reputation inspection.

    Step 2  Device level implementation

        Navigate to Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile

        Once you are on the Protection Profile page there are five different areas defined by grey boxes.

        A quick look through this page and you'll notice that I have the "Default Inline IPS" policy deployed, an ATD policy for my Advanced Malware Policy, and no Firewall Policies or Connection Limiting Policies in place.

        To implement IP Reputation select both the "Enable Inbound" and "Enable Outbound" boxes and select "Save".

              [Screenshot: GTI Implementation IP Reputation.JPG]

        After you select "Save" a dialogue box will appear asking you to deploy your settings. Select "Ok". This will take you to step 3.

    Step 3 Deploy Pending Changes

        To push the GTI policy we just created out to the sensor, we need to deploy the changes.

        Navigate to the "Devices" tab; on the left there are two tabs, "Global" and "Devices". Select "Devices", then in that menu select "Deploy Pending Changes".

        On the Deploy Pending Changes page select "Update".

              [Screenshot: GTI Deploy pending changes.JPG]

        Note: When changes are waiting to be deployed there will be a notification in the upper right hand corner of the Network Security Manager.

        During the update a status window will appear to let you know the update progress.

              [Screenshot: GTI updating window.jpg]

    GTI File Reputation Implementation

    Step 1

    Navigate to Policy > Advanced Malware

              [Screenshot: GTI FIle Reputation.jpg]

    If this is your first time navigating to this page only the Default Malware Policy will be visible.

    Select "Default Malware Policy" and then hit the "Clone" button at the bottom of the page. A new window will open.

              [Screenshot: GTI File advanced malware policy.JPG]

        Define your Advanced Malware Policy:

    •     Give your new policy a name (a description is optional)
    •     Select the box "visible to child domain" and the protocols you'd like to scan; I selected both SMTP and HTTP
    •     Select the supported file types in the GTI File Reputation column under "Malware Engines"
    •     Select the small box next to the Save button, "Prompt for assignment after save"
    •     Save your new policy

    Step 2

        Apply the Advanced Malware Policy to an interface for inspection.

        After clicking "Save" a "PolicyName / Assignments" window will open.

              [Screenshot: GTI FIle Reputation Assignments.jpg]

    • On this page select the interfaces you'd like to apply the policy to and hit the right arrow in the middle of the page to move these interfaces to the "Selected Interfaces" window. Notice there are two listings for each interface, one inbound and one outbound.

    • Once you've selected the appropriate interfaces click "Save"; a dialogue box will open reminding you to apply the configuration on the sensor.

    Step 3

         Clicking "Okay" will take you to the "Deploy Pending Changes" page. If it doesn't, it is located in Device > Devices (M1450 in our example) > Deploy Pending Changes.

              [Screenshot: GTI File Reputation deployment.jpg]

         Select "Update" to deploy the changes to your selected ports.

         After the changes have been applied you should be able to browse to the Advanced Malware Policies and see that the GTI File Reputation policy has been assigned to two interfaces.

              [Screenshot: GTI File Reputation deployment confirmation.jpg]

         GTI is now enabled.

    Enabling Application Identification

    What is Application Identification

         McAfee creates signatures for applications based on ongoing research. This involves creating signatures for applications for which there were no signatures earlier. This also involves removing signatures for invalid and obsolete applications. These application signatures enable the Sensors to accurately detect the applications on your network.

         The application signatures are bundled as part of the regular signature set that the McAfee Update Server downloads to the Manager. So, if the Manager is connected to the McAfee Update Server, the application database of your Network Security Platform remains up-to-date.

         NS-series and M-series Sensors can identify the applications being used in your network and act on them. So, you can allow or block specific applications on your network. For example, you can block just the connections to Facebook from your network while allowing all other HTTP and HTTPS traffic. Using advanced Quality of Service (QoS) policies, you can also control the bandwidth allocated for applications on your network.

         In addition to controlling the applications on your network, you can also view the Internet applications that are accessed from your network. Related details such as the network bandwidth consumed by specific applications are now available. You can also check if these applications generated any attacks.

    Configuration

         Without Application Identification enabled, application data regarding the network won't be reported to the dashboard.

              [Screenshot: Application Identification dashboard.JPG]

         Application identification is done on the NS-series and M-series sensors. To enable this feature browse to Devices > select 'Devices' tab > Policy > Application Identification

              [Screenshot: Application Identification enablement.JPG]

         This setup is straightforward:

    1. Select "Enable Application Identification"
    2. Select the ports on which you'd like to enable application identification
    3. Then "Save"

         Now we need to push the new configuration out to the selected sensor. On the same page, to the left, select "Deploy Pending Changes". Once that page loads select "Update" to push the changes to the sensor.

              [Screenshot: Application Identification deployment.JPG]

         Within 5 minutes information is being reported to the dashboard.

              [Screenshot: Application Identification dashboard w apps.jpg]

    Conclusion

         At this point we have:

         1.      Deployed a sensor
         2.      Built NSM, and configured and updated the signature set
         3.      Enabled GTI, both IP Reputation and File Reputation
         4.      Enabled Application Identification

    There are many more features that can be deployed on the Network Security Manager that can help increase visibility, from external attacks to endpoint events. Look for videos and write-ups on the McAfee Community.