
How to Integrate McAfee Endpoint Intelligence Agent (EIA) on the McAfee Network Security Platform (IPS)

Introduction

          The McAfee Endpoint Intelligence Agent correlates application behavior and network activity to give you true application visibility.  In this document, you'll learn what the McAfee Endpoint Intelligence Agent (EIA) is, how to install it and how it protects your organization from malicious applications.

What is Endpoint Intelligence?

          McAfee Endpoint Intelligence Agent provides real-time, pre-flow endpoint traffic correlation.  This lightweight agent positively associates each session with the originating host system, user, and application process.  It provides a new type of threat detection that combines behavioral analysis of network traffic flows with multiple sources of reputation intelligence and eliminates the need to parse and analyze message content.  This solution leverages intelligence in the network and on every Windows host to reveal relationships between endpoint executables and network traffic flows, making it possible to:

    • Identify malicious network connections and executables in real time.
    • Incorporate detailed process context for attacks.
    • Block malicious communications and prevent the spread of advanced malware.
    • Quarantine and remediate compromised host systems.

Installing Endpoint Intelligence

          Installation of the McAfee Endpoint Intelligence Agent is handled from ePolicy Orchestrator (ePO).  For instructions on ePO please see our documentation:  How to Install Endpoint Intelligence in ePO

Integration and Configuration of Endpoint Intelligence on NSP

          Configuration of EIA in the Network Security Manager assumes the presence of an NTBA appliance, either physical or virtual.

          For steps on NTBA Integration: How to Install and Configure NTBA with NSP

Forward Application Information to NTBA

          To forward application information from the endpoint to the Network Security Platform, you need to define the NTBA IP address in the EIA policy on the endpoint.

          To do this, open your ePO console and navigate to the "Policy Catalog": Menu --> Policy --> Policy Catalog. From the drop-down menu, select Endpoint Intelligence Agent 2.x.x.

 

          Select the "My Default" policy to define the NTBA IP address:

          1.     In "Device Type", select "NTBA" from the dropdown menu

          2.     In "Source" and "Subnet Mask", type 0.0.0.0 and 0 respectively

          3.     In "Device IP", input the IP address of your NTBA Appliance (physical or virtual)

          4.     In "Port", enter the default port 9008

          5.     Select "Add Route"

    

          You'll notice there are other tabs, "Advanced Settings" and "Raptor Settings".  No changes are required on either of these tabs.

          At the bottom of the Policy Catalog page, there are three buttons: "Duplicate", "Save", and "Cancel".  Select "Save".

          Do an "agent wakeup" on the selected systems to push out the updated policy, or wait until the next agent check-in.

EIA Configuration at the Global Level

          To configure Endpoint Intelligence on the Network Security Manager, navigate to Devices --> Global --> NTBA Device Settings --> Device Settings --> Setup --> EIA Integration

          1. Enable EIA Integration by checking the box

          2. NTBA Listening Port is 9008 by default

          3. Enter the ePO IP address, port (8444 by default) and a username and password (must be a previously added user in ePO)

          4. Classification settings is where you define the action to be taken by NSM on EIA results

          5. Hit the "Update ePO Certificate" button to verify proper ePO configuration, then "Save"

    

EIA Configuration at the Device Level

          Configuration of the NTBA can also be done at the device level.  Navigate to Devices --> Devices (tab) --> Select your installed NTBA device from the device dropdown menu --> Setup --> EIA Integration

          The options are exactly the same as they are on the Global tab.

    

Other Resources

          8.2 NTBA Administration Guide (p.201 EIA Integration)

          NSP Product Page

          NTBA Product Page

          NTBA and NSP integration configuration guide

          EIA Installation and configuration in ePO

Comments

Perfect

Revision #: 3 of 3
Last update: 03-15-2018 09:16 AM