SIEM Foundations: Basic Install and Config

Version 7

    Contents

    Step 1: Initial Power-Up and Configuration

    The first appliance to bring online is the Enterprise Security Manager (ESM). This includes any ESM combo boxes such as ESM/REC/ELM.

    1. Connect the power supplies to a properly grounded outlet (preferably on a sufficient Uninterruptible Power Supply).
    2. Connect a network cable to the Management 1 NIC.
    3. Press the power button on the front of the bezel.
      For VM-based SIEM appliances, power on the guest image.
      Wait for the appliance to boot completely.
    4. Configure the basic ESM network settings.
      1. Connect a VGA monitor and keyboard.
        For VM-based SIEM appliances, enter Console mode.
        The LCD display is mimicked on the monitor/console.
      2. Press ESC on the keyboard to open the configuration menu.
        NOTE: The keyboard may appear unresponsive and may require multiple keystrokes to recognize each key press.
      3. Using the arrow keys on the keyboard, scroll down to MGMT IP Config. Press Enter.
      4. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).
      5. Configure the NETMASK.
      6. Configure the GATEWAY IP.
      7. Save the network configuration.

     

    NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.

     

    Repeat the initial configuration process for all remaining appliances.

     

    Step 2: Connecting to the ESM via Web GUI

    The McAfee SIEM is managed and maintained entirely through a web/Flash interface. The following are the minimum requirements for a host connecting to the ESM:

    • Processor – P4-class Intel (not Celeron) or higher (Mobile/Xeon/Core2/Core i3/5/7) or AMD/AMD2 class or higher (Turion64/Athlon64/Opteron64/A4/6/8)
    • RAM – 1.5GB
    • Browser – IE7.x or later, Firefox 3.0.0.0+, Chrome 12.0.742.91+, Safari 5.1.7+
      NOTE: Since some features of the web application utilize pop-up windows, it is recommended that you allow pop-ups for the IP address/hostname of the ESM.
    • Adobe Flash Player – Version 11.2.x.x or later

    To log into the ESM, follow the steps below.

    1. Open a web browser on your client computer.
    2. Connect to the IP address specified in the previous section.
    3. Accept the security certificate error.
      NOTE: All McAfee SIEM appliances ship with a self-signed certificate. The customer can provide a valid security certificate through the GUI to avoid this certificate error.
    4. Click the Login link on the page that opens. The McAfee ESM application will load and prompt you for a username and password.
    5. Choose a default Language.
    6. Enter the default username NGCP.
    7. Enter the default password security.4u and click Login.
    8. Accept the EULA.
    9. You will then be prompted to change your password.
    10. Enter security.4u in the current password field.
    11. Enter and confirm a new password of your choice in the new password field.
    12. Click OK. The Enable FIPS dialog will appear.
      NOTE: It is highly recommended that you NEVER enable FIPS mode unless absolutely necessary. FIPS mode must be selected the first time you log on to the system and cannot subsequently be changed after the initial installation.
    13. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.
    14. Next, a dialog box will open with the following message:
      [Screenshot: Rule-Update-Access.png]
    15. Click OK. The McAfee ESM Startup screen will open.
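
Step 3 of the login procedure accepts a self-signed certificate, so the browser warning alone cannot distinguish the real appliance from another host answering on that address. The following added example (not McAfee code; the function names and the in-memory pin store are assumptions) records the certificate's SHA-256 fingerprint on first contact and flags any later change. The demo uses constructed certificate bytes so it runs offline.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, colon-separated like a browser's certificate viewer."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the ESM presents without validating it (it is self-signed)."""
    return ssl.get_server_certificate((host, port))


def check_pin(pins: dict, host: str, pem: str) -> str:
    """Trust on first use: record the first fingerprint, compare every later one."""
    seen = fingerprint(pem)
    if host not in pins:
        pins[host] = seen
        return "pinned"
    return "match" if hmac.compare_digest(pins[host], seen) else "MISMATCH"


if __name__ == "__main__":
    # Constructed stand-ins for certificates (not real X.509 data); against a live
    # appliance use fetch_pem("<ESM management IP>") instead.
    first = ssl.DER_cert_to_PEM_cert(b"constructed-cert-A")
    other = ssl.DER_cert_to_PEM_cert(b"constructed-cert-B")
    pins = {}
    for pem in (first, first, other):
        print(check_pin(pins, "esm.example", pem), fingerprint(pem)[:23] + "...")
```

Take the first fingerprint over a path you trust (for example, a host cabled directly to the Management 1 NIC) and compare it with what the browser shows before accepting the exception.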

     

    Step 3: Completing the Initial ESM Configuration Wizard

    The initial configuration of network settings (IP address, Netmask, Gateway) was sufficient to allow the basic log on via the web GUI. Additional configuration will be performed by the ESM setup wizard in the following dialogs.

    1. Select the system logging language and the time zone setting for the NGCP user.
    2. Click Next >.
    3. Enter the appropriate DNS values for the ESM to perform name resolution.
    4. Click Next >.
    5. If a proxy server is required for the ESM to communicate with the Internet, enter the appropriate proxy server settings.
    6. Click Next >.
    7. If additional static routes are required for the ESM to communicate, add them from the current screen.
    8. Click Next >.
    9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server address. It is HIGHLY recommended that you use a local NTP server for your SIEM implementation. Without a consistent time source, your SIEM components and data sources are likely to experience time drift. This can have some very unexpected results, such as failed connections between SIEM devices, failed authentication to Windows data sources, and others. If you do not have an NTP server available, it is often acceptable to enter the IP address of your primary Active Directory server.
    10. Click Next >.
    11. Enter the Customer ID and Password provided by McAfee licensing to allow automatic rule updates, check the Auto Check box, and select the update interval. If you do not have credentials, you can obtain them by sending an email to licensing@mcafee.com with your contact information and McAfee grant number. If your ESM is not connected to the Internet, you can also download and install the rules update manually.
    12. Click Finish.
    13. You may see a dialog box indicating that IP address changes were made that will require redirection. Click OK.
    14. A dialog box will appear indicating that the settings will be saved and services on the ESM will be restarted. When asked to continue, click Yes.
    15. Once the ESM services have restarted, re-enter your password to complete the ESM setup wizard.
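
To check the time source chosen in step 9 before entering it in the wizard, the added example below (not part of the original guide; the function names are assumptions) sends an SNTP query and reports the clock offset and whether the server declares itself synchronized. The demo parses a constructed reply rather than live traffic.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def to_ntp(unix_ts: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    frac = int((unix_ts % 1) * 2**32)
    return struct.pack("!II", (int(unix_ts) + NTP_EPOCH_DELTA) & 0xFFFFFFFF, frac)

def from_ntp(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1: float) -> bytes:
    # LI=0, VN=3, Mode=3 (client); T1 goes in the transmit field so the server echoes it.
    return b"\x1b" + bytes(39) + to_ntp(t1)

def parse_reply(pkt: bytes, t1: float, t4: float) -> dict:
    """t1 = client send time, t4 = client receive time; T2/T3 come from the server."""
    if len(pkt) < 48 or (pkt[0] & 0x7) != 4:
        raise ValueError("not an NTP server reply")
    if pkt[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    leap, stratum = pkt[0] >> 6, pkt[1]
    t2, t3 = from_ntp(pkt[32:40]), from_ntp(pkt[40:48])
    return {
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),          # round-trip network delay
        "stratum": stratum,
        "synchronized": leap != 3 and 1 <= stratum <= 15,
    }

def query(server: str, timeout: float = 3.0) -> dict:
    """Live query over UDP/123; run it from a host on the SIEM management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        pkt, _ = s.recvfrom(512)
        return parse_reply(pkt, t1, time.time())

if __name__ == "__main__":
    # Constructed reply (not captured traffic): stratum 2 server, about 2.4 s ahead.
    t1, t4 = 1700000000.0, 1700000000.5
    reply = bytes([0x1C, 2]) + bytes(22) + to_ntp(t1) + to_ntp(t1 + 2.5) + to_ntp(t1 + 2.75)
    print(parse_reply(reply, t1, t4))
```

A server that answers but reports `synchronized: False` is not a consistent time source, which is worth confirming before using an Active Directory server as the fallback.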

     
