Integrating MWG + TIE/DXL

Version 3


    This guide covers only the minimum requirements to integrate MWG with TIE/DXL. For guidance on connecting endpoints or other products, see the Threat Intelligence Exchange Getting Started Guide on the McAfee community.

    Pre-requisites

    To integrate MWG with TIE/DXL you need the following pre-requisites:

     

    • Web Gateway running 7.5.2 or greater
    • ePO 5.1.1 or later running on Windows Server 2008 R2 or later
    • VMware / ESXi server 5.1 or greater for hosting the TIE/DXL server

     

     

    Setup

    The setup section will consist of three separate parts:

    • ePO: Downloading/Installing required extensions and checking in packages
    • Configuring a TIE/DXL server
    • Connecting the MWG to DXL


    ePO

    Downloading required extensions and packages for ePO

    The extensions can be found in these locations:

    Reseller Support > McAfee Data Exchange Layer

    Reseller Support > Threat Intelligence Exchange

    Note: On ePO 5.3 the DXL extensions may already be installed.


    mePO extension:

    DXL extensions:

      • DXLBrokerMgmt_1.x.0_Build_xxxx Package #x.zip
      • DXLClientMgmt_1.x.0_Build_xxx Package #x.zip
      • help_dxl_1xx.zip

    DXL client package:

      • DXLClient_1.x.0_Build_xxxx Package #x.zip

    TIE extensions:

      • TIEServerMgmt_1.x.0_Build_xxx Package #x.zip
      • TIEmMeta.zip
      • help_tie_1xx.zip
      • help_jtic_100.zip

    TIE client package:

      • JTICAgent.zip

    Installing Extensions

    Go to Menu > Software > Extensions and then click Install Extension. Install all of the extensions above.

    Check in the DXL and TIE client package

    Go to Menu > Software > Master Repository and then click Check In Package. Check in both packages listed above.

     

    Configuring a TIE/DXL Server

    Follow the guide Installing the TIE/DXL server. After completing this section come back to this article.

    Note: The OVF file is pre-configured with 16 GB of RAM, 8 CPUs, and a 116 GB disk. Adjust the memory and CPU count to values appropriate for your ESXi server, and set the disk provisioning to 'Thin Provision'.


    Connecting MWG to a DXL broker

      1. In ePO, create an ePO user and give that user a role whose permission set includes DXL McAfee MePO Certificate Creation. (Menu > Users | Menu > Permission Sets)
      2. In ePO, check the policy for McAfee Threat Intelligence Exchange Server Management to make sure Web Gateway Integration is enabled (Menu > Policy Catalog > Threat Intelligence Exchange Server Management).
      3. In MWG, go to Configuration > ePolicy Orchestrator and enter the ePO user and password from step 1 as well as the hostname of the ePO server (the hostname must be used, not the IP). Save Changes.
      4. In ePO, click System Tree and change the Preset filter to 'This Group and All Subgroups'. You should see your MWG listed as a system.

        Note: MWG will not appear in the ePO System Tree until you restart the mwg-core service (service mwg-core restart).

      5. MWG uses the mePO extension to communicate with ePO and fetch the DXL broker certificates and config. If the subscription succeeded, your /opt/mwg/data/dxl directory will now contain those certificate and config files.


      6. Edit your MWG system in ePO and click the DXL Status tab to verify that it shows a 'Connected' status.

    Configuring MWG concept rules

    Guidance and rule creation were provided by Michael Schneider in these community posts:
    https://community.mcafee.com/videos/2217
    Webgateway and DXL Integration done - what is m... | McAfee Communities

    • At this time TIE only provides file reputation for executables, drivers, and DLLs.
    • The provided rules let the MWG query the TIE server for the reputation of supported files, so that filtering can be applied on the MWG.
    • The provided test rules block when the reputation returned by TIE is between 1 and 50 (Known Malicious to Unknown).


    1. Import the attached rule set; the attached block page can be imported as well.
    2. Override the TIE file reputation for a test executable to 'Known Malicious'. In ePO, go to Menu > Systems Section > TIE Reputations and import the file following the guidance in the guide: How to Import File and Certificate Reputations into TIE

      Note: the import requires the SHA-1 and MD5 hashes of the file. sha1sum and md5sum on any Linux host (the MWG itself included) produce them; if you prefer a web tool, Online MD5 Hash Generator & SHA1 Hash Generator is an example site that offers one.

    3. Try to download your test executable through the MWG. You should receive the TIE File Reputation block template.

     


    Troubleshooting

    I accidentally deleted the MWG system from ePO's System Tree. What do I do?!

    Once MWG has subscribed to DXL and pulled down the necessary certificates and config files, it no longer needs to communicate with ePO in order to query the TIE server for file reputation. However, for ePO reporting purposes it is best to add the MWG back to the System Tree.


    Support Note: It is common practice for admins to run reports/server tasks on ePO for *inactive agents* and remove them; in fact there is a default report called "Inactive agents". After MWG is removed from ePO you can no longer easily track TIE detections for the MWG system (ePO Dashboard: TIE Server Top 10 Systems with New Files...).

    Because MWG no longer exists as a system, the System Name shows up as a raw identifier instead of a hostname. For example:

     

    New Files on Systems Information

     

    System Name: {2a703f0b-c5a9-201b-e41e-dc9b2bd20fbb}

    Date: 8/6/15 5:00:00 PM

    File Count: 12


    To rejoin MWG back to ePO, you'll need to do the following:

      1. SSH to the MWG and navigate to /opt/mwg/data/dxl.
      2. Remove the cert and config files in that directory (the ones fetched at the initial subscription). Don't delete the '0' folder inside!
      3. Restart the mwg-core service.
      4. MWG should fetch new cert/config files and should again be listed as a system in the ePO System Tree.

     

    MWG can't connect to DXL - Error: "DXL is not available."




    Error from mwg-core.errors.log:

    [2016-03-23 11:04:04.031 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

    [2016-03-23 11:05:20.435 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

    [2016-03-23 11:05:20.991 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

    [2016-03-23 11:05:21.228 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

    [2016-03-23 11:07:25.643 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

    Possible causes:

      • The required extensions are not installed on ePO. Check the ePO server and install all of the extensions listed above.
      • The broker is not reachable.
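Before chasing either cause it helps to know whether the DXLNotAvailable entries are a continuous stream (nothing has ever connected) or a burst around one point in time (a broker restart or a transient network issue). The following parser, an added example that is not part of the original article or of McAfee's tooling, reads lines in the bracketed format shown above and summarises the DXLNotAvailable events per time window. The sample lines are constructed from the excerpt above; the [timestamp] [plugin] [code] message layout is assumed to hold for every line of mwg-core.errors.log.

```python
"""Summarise DXLNotAvailable events from mwg-core.errors.log.

Added example, not McAfee code. Assumes every line has the shape
[YYYY-MM-DD HH:MM:SS.mmm +HH:MM] [plugin] [code] message
as in the article's excerpt; other lines are skipped.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the article's excerpt.
SAMPLE_LOG = """\
[2016-03-23 11:04:04.031 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
[2016-03-23 11:05:20.435 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
[2016-03-23 11:05:20.991 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
[2016-03-23 11:05:21.228 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
[2016-03-23 11:07:25.643 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2})\] "
    r"\[(?P<plugin>[^\]]+)\] \[(?P<code>[^\]]+)\] (?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict per parseable line (ts is timezone-aware); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
        events.append({"ts": ts, "plugin": m.group("plugin"),
                       "code": m.group("code"), "msg": m.group("msg")})
    return events


def dxl_outage_summary(events, window_minutes=5):
    """Count DXLNotAvailable events and the densest burst within any window.

    A max_in_window equal to the total count means every failure fell inside one
    window (a burst); a much smaller value means the failures are spread out.
    """
    hits = sorted(e["ts"] for e in events if e["code"] == "DXLNotAvailable")
    if not hits:
        return {"count": 0, "first": None, "last": None, "span": None, "max_in_window": 0}
    window = timedelta(minutes=window_minutes)
    max_in_window, start = 0, 0
    for end in range(len(hits)):          # sliding window over sorted timestamps
        while hits[end] - hits[start] > window:
            start += 1
        max_in_window = max(max_in_window, end - start + 1)
    return {"count": len(hits), "first": hits[0], "last": hits[-1],
            "span": hits[-1] - hits[0], "max_in_window": max_in_window}


if __name__ == "__main__":
    summary = dxl_outage_summary(parse_log(SAMPLE_LOG))
    print(f"{summary['count']} DXLNotAvailable events between "
          f"{summary['first']} and {summary['last']} ({summary['span']}); "
          f"densest 5-minute window held {summary['max_in_window']}")
```

Run it against a copied log (`parse_log(open("mwg-core.errors.log").read())`) and compare the first/last timestamps with the broker's own restart or the time the ePO credentials were entered on the MWG.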



    Troubleshooting Broker Connections


    If you are getting a DXL not available error in your mwg-core.errors.log and you have verified that the extensions are correctly installed on ePO, it is possible that the MWG cannot communicate with the configured brokers. To find out which brokers are configured, pull the MWG_DXL.config file from the MWG.

     

    Once you open the file you can see each broker's UUID, communication port, hostname and IP address.


    From this information, use nslookup and telnet to ensure the MWG can communicate with the DXL broker on the configured port.
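The same check, scripted so it can be repeated for every broker in the list: an added example, not part of the original article or of McAfee's tooling. It resolves the broker hostname, compares the result with the IP recorded in the config (a mismatch points at stale DNS), and attempts a TCP connection on the configured port, which is what the telnet test does. The format of MWG_DXL.config is not shown in the article, so no parser for it is attempted; the broker tuples are a constructed stand-in for entries transcribed from that file, and the local listener stands in for a live broker so the script runs offline.

```python
"""Resolve and TCP-connect to each configured DXL broker (nslookup + telnet in code).

Added example, not McAfee code. Broker entries are (hostname, ip_from_config, port)
tuples transcribed by hand from MWG_DXL.config; the demo() list is constructed.
"""
import socket
import threading


def resolve(hostname):
    """IPv4 address the local resolver returns for hostname, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout (the telnet test)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable, ...
        return False


def check_broker(hostname, expected_ip, port):
    """Resolution, consistency with the config, and reachability for one broker."""
    resolved = resolve(hostname)
    result = {"hostname": hostname, "port": port, "resolved_ip": resolved,
              "ip_matches_config": resolved == expected_ip, "reachable": False,
              "reached_via": None}
    # Try the resolved address first, then the IP from the config, so a stale DNS
    # record does not hide a broker that is actually up.
    for candidate in [ip for ip in (resolved, expected_ip) if ip]:
        if tcp_reachable(candidate, port):
            result["reachable"] = True
            result["reached_via"] = candidate
            break
    return result


def _local_listener():
    """Throwaway listener on 127.0.0.1 standing in for a live broker; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Constructed broker list: one reachable stand-in and one port nothing listens on."""
    live_port = _local_listener()
    brokers = [
        ("127.0.0.1", "127.0.0.1", live_port),  # stand-in for a healthy broker
        ("127.0.0.1", "127.0.0.1", 1),          # dead port: expect reachable == False
    ]
    return [check_broker(h, ip, p) for h, ip, p in brokers]


if __name__ == "__main__":
    for r in demo():
        state = "OK  " if r["reachable"] else "FAIL"
        print(f"{state} {r['hostname']}:{r['port']} resolved={r['resolved_ip']} "
              f"matches_config={r['ip_matches_config']} via={r['reached_via']}")
```

Replace the constructed list in demo() with the hostname, IP and port of each broker from MWG_DXL.config and run the script on the MWG itself, since the question is what the MWG can reach, not what your workstation can.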



    Notes, Observations, and gotchas

     

    • TIE provides file reputation for executables, drivers, and DLLs.
    • MWG relies on ePO only for its initial subscription/connection, in order to fetch config and certificates for the DXL broker.
    • MWG will not appear in the ePO System Tree immediately after you enter your ePO DXL credentials on the MWG. You need to restart mwg-core (service mwg-core restart).
    • The "Last Update" status ePO displays for the MWG's DXL status (in the System Tree) reflects ONLY the MWG's initial subscription/connection time. This value is never updated again.
    • The "DXL" status page in ePO for the MWG system shows that MWG uses McAfee Agent 4.6. Disregard this: MWG does not use McAfee Agent or that version; it uses the mePO extension.
    • On the MWG, the ePO hostname must be used, not the IP.
    • Removing MWG as a system in ePO does not affect any file reputation lookups that MWG makes to the TIE server, because ePO is effectively not used after the initial subscription.
    • Possible values for Reputation Level:
      • Known Trusted: 99
      • Most likely trusted: 85
      • Might be trusted: 70
      • Unknown: 50
      • Might be Malicious: 30
      • Most likely malicious: 15
      • Known malicious: 1 (the value used for the test file above)
      • Not set: 0
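To see how the reputation levels above combine with the concept rules in the "Configuring MWG concept rules" section (block when TIE returns 1 to 50), here is an added example, not part of the article's attached rule set or of TIE/MWG code, that produces the SHA-1 and MD5 hashes the TIE import needs for a test file and then applies the block range to a constructed stand-in for the TIE answer. The 'MZ' stubs are constructed byte strings, not real executables; the TIE_REPUTATIONS dictionary is a stand-in for what MWG would receive over DXL and is keyed on SHA-1 alone, which is a simplification of the import form's SHA-1 plus MD5; and the 'MZ' pre-filter is an illustrative way of restricting lookups to PE files (executables, drivers, DLLs), not how the attached rule set selects them.

```python
"""Hash a test file for the TIE reputation import and apply the 1-50 block range.

Added example, not McAfee code. TIE_REPUTATIONS is a constructed stand-in
for the TIE server's answer; the level values and the block range come from
the article.
"""
import hashlib

# Reputation levels as listed in the article.
REPUTATION_LEVELS = {
    99: "Known Trusted", 85: "Most likely trusted", 70: "Might be trusted",
    50: "Unknown", 30: "Might be Malicious", 15: "Most likely malicious",
    1: "Known malicious", 0: "Not set",
}
BLOCK_RANGE = (1, 50)   # the article's test rules block reputations 1..50 inclusive


def file_hashes(data):
    """SHA-1 and MD5 hex digests, the two hashes the TIE import asks for."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def looks_like_pe(data):
    """Illustrative pre-filter: executables, drivers and DLLs are PE files, which
    start with the 'MZ' DOS header. Assumption for this example only."""
    return data[:2] == b"MZ"


def decide(data, tie_reputations):
    """Return (action, reputation, reason) the way the concept rule would.

    action is 'skip' (file type TIE does not rate), 'block' or 'allow'.
    A file TIE has no record for is treated as 'Not set' (0).
    """
    if not looks_like_pe(data):
        return ("skip", None, "not an executable/driver/DLL; TIE holds no reputation for it")
    rep = tie_reputations.get(file_hashes(data)["sha1"], 0)
    lo, hi = BLOCK_RANGE
    name = REPUTATION_LEVELS.get(rep, "between named levels")
    if lo <= rep <= hi:
        return ("block", rep, f"reputation {rep} ({name}) is within the {lo}-{hi} block range")
    return ("allow", rep, f"reputation {rep} ({name}) is outside the {lo}-{hi} block range")


# Constructed samples: 'MZ' stubs standing in for PE files, not runnable binaries.
TEST_EXE = b"MZ" + b"\x00" * 62 + b"constructed test executable #1"
TRUSTED_EXE = b"MZ" + b"\x00" * 62 + b"constructed test executable #2"
TEXT_FILE = b"just a text file, not a PE image\n"

# Constructed stand-in for TIE's answers (keyed on SHA-1 here; a simplification).
TIE_REPUTATIONS = {
    file_hashes(TEST_EXE)["sha1"]: 1,       # overridden to Known malicious, as in step 2
    file_hashes(TRUSTED_EXE)["sha1"]: 85,   # Most likely trusted
}

if __name__ == "__main__":
    for label, blob in (("test exe", TEST_EXE), ("trusted exe", TRUSTED_EXE),
                        ("text file", TEXT_FILE), ("unseen exe", b"MZ never seen")):
        h = file_hashes(blob)
        print(f"{label:12} sha1={h['sha1']} md5={h['md5']} -> {decide(blob, TIE_REPUTATIONS)}")
```

Two things the numbers make visible: Unknown (50) sits inside the block range while Not set (0) sits outside it, so a file TIE returns no record for passes the rule as written; and only the SHA-1 is used for the lookup here, whereas the ePO import requires both SHA-1 and MD5, so supply both when you set the override.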