McAfee ESM 10x: How to perform the initial setup

Version 1

    Overview

     

    In this document, you will learn how to perform the initial setup of the McAfee Enterprise Security Manager product and components.

     

    McAfee Enterprise Security Manager components

     

    McAfee ESM and its components are installed in your network and configured to identify vulnerabilities and threats.

     

    If a threat occurs, the ESM can:

    • Notify you using the user interface, email, SNMP, or a text message.
    • Save the history of the threat for analysis.
    • Automatically act on the threat based on configured policy.

     

    The McAfee ESM components include:

    • McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware appliance or Virtual Machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status, and gives a view of the systems, data, risks, and activities inside your enterprise.
    • McAfee Event Receiver (ERC) — Available as a hardware appliance or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM.
    • McAfee Enterprise Log Manager (ELM) — Available as a hardware appliance or VM software installation, it collects, compresses, signs, and stores all events to provide a tamper-evident audit trail of activity.
    • McAfee Enterprise Log Search (ELS) — A hardware appliance that collects, indexes, and stores all events to provide an audit trail of activity; its indexes make event searches faster.
    • McAfee Receiver/ELM (ELMERC) — Available as a hardware appliance or VM software installation that includes both the ELM and the ERC.
    • McAfee Advanced Correlation Editor (ACE) — Available as a hardware appliance or VM software installation, it correlates and scores threat events, historically or in real time, using both rule-based and risk-based logic.
    • McAfee Application Data Monitor (ADM) — A hardware appliance that monitors more than 500 known applications across the full protocol stack and captures full session detail of all violations.
    • McAfee Database Event Monitor (DEM) — A hardware appliance that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.
    • McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.

    In redundant solutions, one DAS device is required in each system. For example, two redundant ESMs and two redundant ELMs require four DAS devices.

    • ESM Console — A computer with a browser used to configure and manage the ESM by security administrators.

     

    You might use just one combination ESM, or many of these components, depending on your environment.

     

     

    The steps are the same whether you use the hardware or the virtual version of the appliance. We assume the appliance is ready to be powered up: for a hardware appliance, connect a monitor and keyboard so you can interact with it; for the virtual version, be ready to power on the virtual machine. In all cases you need an IP address to assign to the ESM, plus the subnet mask and the IP address of the gateway.

     

    In our example, we are going to set up the ESM component, since it is the first element you need to install. The steps are the same for all combination appliances or VMs that include the ESM component.

     

     

     

    Procedure

     

    1. Power up your ESM. The boot process completes in about two minutes, after which the appliance shows its virtual liquid crystal display (LCD) page.

         2. Press ESC until the menu appears in the top-left corner of the screen. If you are using a VM, click inside the console window first so that it receives your keystrokes, then press ESC until the menu appears.

         3. Use the arrow keys to navigate to ‘MGT IP Conf’ line and press Enter. Use the arrow keys again to move to the ‘Mgt1’ line and press Enter.

         4. Enter the IP Address using the arrow keys. Make sure you are at the end of the line and press Enter when complete.

         5. After setting the IP Address, do the same for the Netmask.

         6. After the Netmask is finished, use the arrow keys to navigate to ‘Done’ and press Enter. This returns to the MGT IP Conf Menu. Select 'Gateway' and add the Gateway Address.

         7. Optionally you can set the DNS servers, but this can also be accomplished through the UI. In our case, we’ll wait until we get to the UI part of the setup to enter the DNS information.

         8. When finished, navigate to ‘Save Changes’ and press Enter. The device updates its network settings and is now reachable from the network.

     

    Configuring the network interface on other SIEM devices

     

    Repeat the same steps for each additional SIEM device you add to the environment, such as an ERC, ELM, ELS, DEM, ADM, or ACE.

      

    Completing the setup through the user interface

     

    • To log into the ESM for the first time, open a web browser on a client computer and go to the IP address you set when you configured the ESM network interface.

     

    • For example, if the ESM IP address is 172.16.1.140, type the following in your browser:

              https://172.16.1.140/

      Write the address in plain dotted-decimal form, without leading zeros in the octets: WHATWG-style browser URL parsers and libc's inet_aton() read an octet such as 016 as octal, so an address typed as 172.016.001.140 would be interpreted as 172.14.1.140 and you would connect to the wrong host.

     

    • If the browser warns about the certificate, click Continue to site. All McAfee SIEM appliances ship with a self-signed certificate, so this warning is expected on first contact; what matters is that you are talking to the right appliance. Record the certificate's fingerprint from the browser's certificate viewer on this first connection and compare it on later ones, and replace the certificate with one issued by your own PKI through the user interface so the warning does not recur.

     

    • Click Login, select the language for the console, then type the default user name and password.

              Default user name: NGCP

              Default password: security.4u

     

    • Click Login, read the End User License Agreement, then click Accept.

             When prompted, change your user name and password, then click OK.

     

    • Select whether to enable FIPS mode; if you select Yes, click through the additional confirmation. Decide this before going further: once FIPS mode is enabled on an ESM it cannot be disabled, and it restricts the ESM to FIPS-approved algorithms.
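    The first login above has two places where a practitioner wants a check rather than a habit: the address must be typed in a form the browser parses unambiguously, and the self-signed certificate should be pinned after the first contact instead of being accepted blindly every time. The following Python script is an added example, not McAfee code and not part of the original page; it assumes the console listens on TCP 443 and that the expected fingerprint was recorded out of band on the very first connection.

```python
"""Added example (not McAfee code): build the ESM console URL from a strictly
validated IPv4 address, and pin the appliance's self-signed certificate by
SHA-256 fingerprint instead of clicking through the browser warning each time.

Assumed (not from the page): the console listens on TCP 443, and the expected
fingerprint was recorded out of band on the very first connection.
"""
import hashlib
import socket
import ssl


def esm_url(ip: str) -> str:
    """Return https://<ip>/ for a plain dotted-decimal IPv4 address.

    Octets with leading zeros are rejected: WHATWG-style URL parsers and libc's
    inet_aton() read "016" as octal 14, so 172.016.001.140 would quietly turn
    into 172.14.1.140 and you would be talking to the wrong host.
    """
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    for o in octets:
        if not o or any(c not in "0123456789" for c in o) or int(o) > 255:
            raise ValueError(f"bad octet {o!r} in {ip!r}")
        if len(o) > 1 and o[0] == "0":
            raise ValueError(f"octet {o!r} has a leading zero (octal ambiguity)")
    return f"https://{ip}/"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form browsers show."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read the certificate the appliance presents and return its fingerprint.

    Verification is disabled here on purpose: the cert is self-signed, so the
    only thing worth checking is that it is the *same* cert as last time.
    Nothing is sent after the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha256_fingerprint(der)


def appliance_matches(host: str, expected_fp: str, port: int = 443) -> bool:
    """True only if the live certificate matches the pinned fingerprint."""
    return fetch_fingerprint(host, port) == expected_fp.strip().upper()


if __name__ == "__main__":
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else "172.16.1.140"   # assumed lab address
    print("console URL:", esm_url(ip))
    if len(sys.argv) > 2:
        ok = appliance_matches(ip, sys.argv[2])
        print("certificate", "matches pin" if ok else "DOES NOT MATCH - do not log in")
    else:
        print("record this fingerprint and pass it as the second argument next time:")
        print(fetch_fingerprint(ip))
```

    Run it once with just the ESM address to record the fingerprint, then with the address and the recorded fingerprint before each subsequent login; a mismatch after you have installed your own certificate is expected, so record the new fingerprint at that point. The deliberately unverified handshake only reads the certificate; it does not send credentials, so it is safe to run against an unknown host.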

     

    The rest of the setup is completed through the web user interface. The ESM 10.x console is an HTML/Flash web interface, and some of its features use pop-up windows, so allow pop-ups for the ESM's IP address or host name in your browser.

     

    For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.

     

    Perform initial ESM configuration:

    • Select the language to be used for system logs.
    • Select the time zone where this ESM is and the date format used with this account, then click Next.

     

    Enter the server information for the ESM.

    • Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
    • (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
    • Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.
    • Click Next.
    • (Optional) If the ESM must connect through a proxy server, type its IP address, port number, and credentials, set the local network setting, then click Next.
    • (Optional) If needed, enter any static routes that the ESM needs to communicate with the network.
    • When completed, click Next.

     

    Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:

    • NTP Server IP address
    • Authentication Key
    • Key ID

     

    A common time reference across the enterprise is essential for correlating events from different sources, so the ESM's clock should come from the same NTP hierarchy as the systems that send it logs. By default, the ESM uses a set of Internet-based NTP servers; enter your own enterprise NTP servers instead, with the key ID and authentication key if your servers are configured for symmetric-key authentication, then click Next.
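    The Key ID and Authentication Key fields above are the two halves of classic NTP symmetric-key authentication (RFC 5905, Appendix A, the ntpd "keys"/"trustedkey" mechanism): the client appends a MAC made of a 32-bit key ID and digest(key || 48-byte header) to each packet, and only replies carrying a valid MAC under a trusted key are accepted. The Python below is an added example, not McAfee code and not part of the original page, showing that exchange end to end; its key table is constructed for the example, and real keys come from the NTP server's keys file and must be shared with the ESM out of band.

```python
"""Added example (not McAfee code): what the ESM's NTP "Key ID" and
"Authentication Key" fields mean on the wire.

Classic NTP symmetric-key authentication (RFC 5905, Appendix A; the ntpd
"keys"/"trustedkey" mechanism) appends a MAC to the 48-byte NTP header:
a 32-bit key ID followed by digest(key || header).  This minimal client builds
an authenticated request and checks the MAC on the reply, so an unkeyed or
spoofed time source is rejected before its timestamps are trusted.

The key table below is constructed for this example; real keys live in the
NTP server's keys file and must be shared with the ESM out of band.
"""
import hashlib
import hmac
import socket
import struct
import time
from typing import Optional

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
DIGEST_LEN = {"md5": 16, "sha1": 20}

# Constructed example key table: key_id -> (digest algorithm, shared secret).
KEYS = {
    1: ("md5", b"example-only-shared-secret"),
    2: ("sha1", bytes.fromhex("a1" * 20)),
}


def ntp_now() -> int:
    """Current time as a 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    return int((time.time() + NTP_EPOCH_OFFSET) * 2**32) & (2**64 - 1)


def _mac(key_id: int, header: bytes) -> bytes:
    """key ID (4 bytes) || digest(secret || header), as ntpd computes it."""
    algo, secret = KEYS[key_id]
    return struct.pack("!I", key_id) + hashlib.new(algo, secret + header).digest()


def build_request(key_id: int, transmit_ts: Optional[int] = None) -> bytes:
    """Client request: LI=0, version 4, mode 3, transmit timestamp set, plus MAC."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    ts = ntp_now() if transmit_ts is None else transmit_ts
    struct.pack_into("!Q", header, 40, ts)
    return bytes(header) + _mac(key_id, bytes(header))


def sign_reply(request: bytes, key_id: int) -> bytes:
    """What a keyed server sends back: mode 4, origin ts = client's transmit ts."""
    header = bytearray(request[:NTP_HEADER_LEN])
    header[0] = (header[0] & 0xF8) | 4
    header[24:32] = request[40:48]
    return bytes(header) + _mac(key_id, bytes(header))


def verify(packet: bytes) -> bool:
    """True only if the packet carries a MAC made with a key we trust."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False                       # no MAC: unauthenticated packet
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return False                       # unknown or untrusted key ID
    if len(mac) != 4 + DIGEST_LEN[KEYS[key_id][0]]:
        return False                       # wrong digest length for that key
    return hmac.compare_digest(mac, _mac(key_id, header))


def query(server: str, key_id: int, timeout: float = 3.0) -> float:
    """Ask a real server; returns its transmit time as a Unix epoch float."""
    request = build_request(key_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
    if not verify(reply) or reply[24:32] != request[40:48]:
        raise RuntimeError("reply failed MAC or origin-timestamp check")
    return struct.unpack("!Q", reply[40:48])[0] / 2**32 - NTP_EPOCH_OFFSET
```

    On an ntpd server, key 1 above corresponds to a keys-file line of the form `1 MD5 example-only-shared-secret` referenced by `keys` and `trustedkey 1` in ntp.conf (chrony uses `keyfile` with the same ID/type/secret layout); those snippets are assumptions about typical server configuration, not from the page. The secret is keyed-hash material, so treat it like a password. MD5 here is the legacy default; choose SHA-1 where both ends support it. The origin-timestamp check in query() is what stops a replayed reply from an earlier exchange being accepted even though its MAC is valid.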

     

    To automatically check the ESM server for rule updates:

    • Type your customer ID and password to verify your identity.
    • Configure your Auto check interval in hours and minutes.
    • Click Check Now or Manual Update.
    • Click Finish.
    • In the Network settings change dialog box, click Yes to restart the ESM service.

    The restart takes about 90 seconds. You might then need to log back on to the ESM.

     

    Confirm in ESM that all devices appear

     

    In the ESM console, confirm that all various ESM devices appear before you begin detailed configuration of the devices.

    For detailed information about performing these confirmation steps, see McAfee Corporate KB - Enterprise Security Manager 10.0.0 Product Guide PD26818.

     

    You are now back in the console. If you need to change the configuration later, open System Properties from the top-left menu.

     

     

     

    Conclusion

     

    You’ve seen how to perform the initial setup for McAfee ESM and components. Now your ESM is up and running. The suggested next steps would be to update your SIEM and add data sources.

     

    Useful Links

     

    For more information about McAfee ESM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales