How to Enable GTI on the Network Security Platform


    Introduction

    GTI has two components:

    • IP Reputation (formerly TrustedSource) – Comprehensive, real-time, cloud-based IP reputation service that provides:

        – Web reputation – URL and web domain reputation service used to take policy-based action against web-based threats.

        – Web categorization – URL and web domain categorization service used to take policy-based action on user web activity and to protect customers against both known and emerging web-based threats.

        – Message reputation – Message and sender reputation service to protect against message-based threats such as spam.

        – Network connection reputation – IP address, network port, and communications protocol reputation service that provides granular reputation intelligence to protect against network threats.

    • File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation service to protect against both known and emerging malware-based threats.

    Each of these technologies works together to provide information about threats and vulnerabilities, which gives GTI the ability to predictively adjust reputations across all threat areas and thereby avoid attacks.

     

    Configuration

     

    This configuration guide assumes your sensor and Network Security Manager have been configured.  In our lab we browse to our manager at https://90.100.3.170.  To get to the GTI integration select “Manage,”

     

    config1.PNG

     

    Then “Integration” and “Global Threat Intelligence.”

     

    config2.PNG

     

    When you first visit this page, a window will open asking if you’d like to participate by sending detailed information about attacks your network may discover back to McAfee Labs.  A list of what is being sent can be viewed at any time by clicking the “show me what I’m sending” link on the right hand side of the page.

    To configure the information being reported via GTI, select “Yes” or “No” for each of the sections under “Global Threat Intelligence.”

     

    By selecting the “+” icon more detail is available to see exactly what is being sent from each section.  In my configuration I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage.  I have chosen not to send System Faults to GTI.

     

    config3.PNG

     

    Also in this window is the option to exclude our organization’s IP address information for a given list of endpoints. We’ll insert our lab range of IP addresses here. This list will be reused in a later configuration step.

     

    config4.PNG

     

    Enter in the IP address range you’d like to exclude, add them to the list then click ‘Save.’

     

    config5.PNG

     

    The next section of the page allows you to determine what level of alerts are sent to GTI.  To reduce the information being sent from my network, I have selected “High” and “Medium,” opting not to send alerts that are either “Low” or “Informational.”

     

    config6.PNG

     

    The next section gives the user the option to provide contact information to McAfee.  This information will be used to communicate end of life and other key product milestones.  Since I am in a lab environment, my data would be anomalous and of little value to the GTI community, so I have opted not to send contact information.

     

    config7.PNG

     

    The last section on the Global Threat Intelligence integration page is a “test” portion.  This allows you to input any IP address and verify connectivity with GTI.

     

    config8.PNG

     

    Finally, save your configuration by selecting the save button at the bottom right hand corner of the page.

     

    Note: This page only defines the parameters by which GTI communicates to and from your organization: which alert details and summaries may be sent, and some device details.  It does not put any of this information into a policy for blocking or alerting purposes; that is done in the implementation steps below.

     

    GTI Implementation

     

    As mentioned earlier, there are two parts to GTI: IP Reputation and File Reputation.

     

    IP Reputation Implementation

     

    There are two levels at which IP Reputation is implemented. The first is global, at the domain level; additional changes are then made per interface at the device level.  Changes can be made and implemented per interface only, but as a best practice we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.

     

    To implement these changes navigate to the “Devices” tab.

     

    imp1.PNG

     

     

    Implementation is a three-step process.

     

    Step 1: Implement settings at the Domain/Global level

     

    Devices > Global > Default Device Settings > IPS Devices > IP Reputation

     

    imp2.PNG

     

    At the global level, there are four steps to implement IP Reputation:

     

    • Check the box at the top “Use IP Reputation to Augment SmartBlocking?” 

     

    • Choose which protocols you’d like to whitelist and which ones you’d like to have queried (since I am in a lab environment and don’t have to worry about performance, I have selected all protocols to be inspected).

     

    • Whitelisted Endpoints – Since I included the lab IP range on the GTI Participation page, I selected “Inherit CIDR Exclusion list from GTI.” 

     

    • Finally select “Save.”

     

    ip.PNG

     

    Once this is saved, let’s move to our inspection ports and apply IP Reputation inspection.
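    The whitelisted-endpoint and protocol choices in Step 1, together with the CIDR exclusion list entered earlier on the participation page, decide which addresses ever leave the network as a reputation query. The following Python is an added example, not NSP code or anything from McAfee, that models that decision in simplified form so the effect of the two settings can be checked offline; the lab range 90.100.3.0/24, the extra excluded host, the protocol sets and the sample flows are constructed assumptions, and the real sensor's matching rules may differ in detail.

```python
"""Simplified model of the NSP IP Reputation settings from Step 1.

Added example, not NSP code: all addresses, protocol sets and flows below
are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import FrozenSet, List, Sequence, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


@dataclass(frozen=True)
class IpReputationSettings:
    augment_smartblocking: bool            # "Use IP Reputation to Augment SmartBlocking?"
    queried_protocols: FrozenSet[str]      # protocols selected for reputation queries
    whitelisted_protocols: FrozenSet[str]  # protocols that are never queried
    excluded_cidrs: Tuple[Network, ...]    # "Inherit CIDR Exclusion list from GTI"


def parse_exclusion_list(entries: Sequence[str]) -> Tuple[Network, ...]:
    """Parse the CIDR strings typed into the GTI participation page.

    A single host may be given without a prefix length. A malformed entry
    raises rather than being dropped, because a silently shorter exclusion
    list would let internal addresses be queried.
    """
    networks = []
    for entry in entries:
        text = entry.strip()
        if not text:
            continue
        try:
            networks.append(ip_network(text, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid exclusion entry {entry!r}: {exc}") from exc
    return tuple(networks)


def is_excluded(address: str, excluded: Sequence[Network]) -> bool:
    """True when the address falls inside any excluded network."""
    ip = ip_address(address)
    return any(ip in net for net in excluded)


def reputation_lookup_targets(flow: Flow, settings: IpReputationSettings) -> List[str]:
    """Addresses of this flow that would be sent for an IP reputation lookup
    under the given settings; an empty list means nothing is queried."""
    if not settings.augment_smartblocking:
        return []
    proto = flow.protocol.upper()
    if proto in settings.whitelisted_protocols or proto not in settings.queried_protocols:
        return []
    return [addr for addr in (flow.src, flow.dst)
            if not is_excluded(addr, settings.excluded_cidrs)]


# Constructed lab values (assumptions): the manager sits in 90.100.3.0/24,
# so that range is excluded, plus one extra single host.
LAB_EXCLUSIONS = parse_exclusion_list(["90.100.3.0/24", "203.0.113.7"])

LAB_SETTINGS = IpReputationSettings(
    augment_smartblocking=True,
    queried_protocols=frozenset({"HTTP", "SMTP", "DNS", "FTP"}),
    whitelisted_protocols=frozenset({"SSH"}),
    excluded_cidrs=LAB_EXCLUSIONS,
)

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("90.100.3.50", "198.51.100.23", "HTTP"),  # internal -> external web
    Flow("90.100.3.50", "198.51.100.23", "SSH"),   # whitelisted protocol
    Flow("90.100.3.50", "90.100.3.170", "HTTP"),   # both ends in the lab range
    Flow("203.0.113.7", "198.51.100.9", "SMTP"),   # source excluded as a single host
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", reputation_lookup_targets(f, LAB_SETTINGS))
```

    The check runs against each endpoint separately, so a flow between an excluded lab host and an external peer still yields a lookup for the peer, while a flow whose protocol is whitelisted or not selected yields none regardless of addresses.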

     

     

    Step 2: Device level implementation

     

    Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile

     

    imp4.PNG

     

    Once you are on the protection profile page, there are five different areas defined by grey boxes.

    A quick look through this page and you’ll notice that I have the “Default Inline IPS” policy deployed, an ATD policy for my Advanced Malware Policy and no Firewall Policies or Connection Limiting Policies in place. 

     

    To implement IP Reputation, select both the “Enable Inbound” and “Enable Outbound” boxes and select “Save.”

     

    ip2.PNG

     

    After you select “Save,” a dialogue box will appear asking you to deploy your settings.

     

    imp6.PNG

     

    Select “OK.”

     

     

    Step 3: Deploy pending changes


    Navigate to deploy pending changes.

     

    Devices > Devices > Deploy Pending Changes

     

    imp7.PNG

     

    Select “Update.”

     

    Note: When changes are waiting to be deployed there will be a notification in the upper right hand corner on the Network Security Manager.

     

    During the update a status window will appear to let you know of the update progress.

     

    imp8.PNG

     

    File Reputation Implementation

     

    File Reputation Implementation is also a three-step process.

     

    Step 1: Navigate to Policy > Advanced Malware

     

    imp9.PNG

     

    If this is your first time navigating to this page, only the Default Malware Policy will be visible.

     

    Select “Default Malware Policy” and then hit the “Clone” button at the bottom of the page.  A new window will open.

     

    imp11.PNG

     

    • Give your new policy a name (a description is optional)

     

    • Select the boxes “visible to child domain” and the protocols you’d like to scan; I selected both SMTP and HTTP

     

    • Select the supported file types in the GTI File Reputation column under “Malware Engines”

     

    • Select the small box next to the save button “Prompt for assignment after save”

     

    • Save your new policy

     

     

    Step 2: Apply the Advanced Malware Policy to an interface for inspection

     

    After clicking “Save,” a “PolicyName / Assignments” window will open.

     

    imp12.PNG

     

    • On this page, select the interfaces you’d like to apply the policy and hit the right arrow in the middle of the page to move these interfaces to the “Selected Interfaces” window. 

     

    Notice there are two listings for each interface, one inbound and one outbound.

     

    • Once you’ve selected the appropriate interfaces, click “Save.” A dialogue box will open reminding you to apply the configuration on the sensor.

     

    imp13.PNG

     

     

    Step 3: Clicking “OK” will take you to the “Deploy Pending Changes” page.  If it doesn’t, it is located under Devices > Devices (NS9200 in our example) > Deploy Pending Changes.

     

    imp14.PNG

     

    Select “Update” to deploy the changes to your selected ports.

     

    After the changes have been applied you should be able to browse to the Advanced Malware Policies and see that the GTI File Reputation policy has been assigned to two interfaces.

     

    imp15.PNG

     

    Additional Resources

    Integration guide - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24733/en_US/NSP_8.0_Integration_Guide_revC_en-us.pdf