McAfee IPS - How to Enable GTI on the Network Security Platform
GTI has two components:
IP Reputation (formerly TrustedSource) – a comprehensive, real-time, cloud-based IP reputation service that provides:
Web reputation – URL and web domain reputation service used to take policy-based action against web-based threats.
Web categorization – URL and web domain categorization service used to take policy-based action on user web activity and to protect against both known and emerging web-based threats.
Message reputation – message and sender reputation service that protects against message-based threats such as spam.
Network connection reputation – IP address, network port, and communications protocol reputation service that provides granular reputation intelligence to protect against network threats.
File Reputation (formerly Artemis) – a comprehensive, real-time, cloud-based file reputation service that protects against both known and emerging malware-based threats.
These technologies share threat and vulnerability information with each other, which lets GTI adjust reputations predictively across all threat areas and thereby help prevent attacks.
This configuration guide assumes your sensor and Network Security Manager have already been configured. In our lab we browse to our Manager at https://18.104.22.168. To reach the GTI integration page select “Manage,” then “Integration” and then “Global Threat Intelligence.”
When you first visit this page, a window will open asking whether you’d like to participate by sending detailed information about the attacks your network discovers back to McAfee Labs. A list of what is being sent can be viewed at any time by clicking the “show me what I’m sending” link on the right-hand side of the page.
To configure the information reported via GTI, select “Yes” or “No” for each of the sections under “Global Threat Intelligence.”
Selecting the “+” icon next to a section shows exactly what that section sends. In my configuration I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage. I have chosen not to send System Faults to GTI.
Also in this window is the option to exclude our organization’s IP address information for a given list of endpoints. We’ll insert our lab range of IP addresses here; the same list is reused later, when IP Reputation is configured.
Enter in the IP address range you’d like to exclude, add them to the list then click ‘Save.’
The next section of the page lets you choose which alert severities are sent to GTI. To reduce the information leaving my network, I have selected “High” and “Medium,” opting not to send alerts that are “Low” or “Informational.”
The next section gives you the option to provide contact information to McAfee, which is used to communicate end-of-life notices and other key product milestones. Since I am in a lab environment, my data would be anomalous and of little value to the GTI community, so I have opted not to send contact information.
The last section on the Global Threat Intelligence integration page is a “test” area. It lets you enter any IP address and verify connectivity to GTI.
Finally, save your configuration with the save button at the bottom right-hand corner of the page.
Note: This page only defines the parameters for communication between GTI and your organization: which alert details and summaries may be sent, and which device details. It does not by itself apply any of this to a policy for blocking or alerting; that is done in the next two sections.
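The participation page above decides what leaves your network, not what the sensor blocks. The following is an added example, not NSP code (the Manager applies these settings internally), that models the three choices the page walks through: which sections are sent, the minimum alert severity (High and Medium, as chosen above), and the CIDR exclusion list for the organization’s own addresses. The alert records, the lab ranges (RFC 5737 documentation prefixes) and the “EXCLUDED” marker are constructed for the example.

```python
"""Constructed model of the GTI participation filter.

Added illustration, not NSP code. It mirrors the section toggles, the
minimum alert severity and the CIDR exclusion list from the page.
"""
import ipaddress

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed: mirrors the Yes/No choices made on the participation page.
LAB_SECTIONS = {
    "Alert Data Details": True,
    "Alert Data Summary": True,
    "General Setup": True,
    "Feature Usage": True,
    "System Faults": False,
}
LAB_EXCLUSIONS = ["192.0.2.0/24", "198.51.100.0/24"]  # constructed lab ranges

# Constructed alert records, not real NSP output.
SAMPLE_ALERTS = [
    {"id": 1, "severity": "High", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
    {"id": 2, "severity": "Medium", "src_ip": "192.0.2.20", "dst_ip": "198.51.100.5"},
    {"id": 3, "severity": "Low", "src_ip": "203.0.113.9", "dst_ip": "192.0.2.11"},
    {"id": 4, "severity": "Informational", "src_ip": "192.0.2.12", "dst_ip": "203.0.113.1"},
]


def parse_exclusions(cidrs):
    """Parse the exclusion list into networks.

    strict=False accepts an entry written as a host address with a prefix
    (e.g. 192.0.2.10/24); an entry that is not a valid prefix at all still
    raises ValueError, which is the check you want before saving the list.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_excluded(ip, networks):
    """True if ip falls inside any excluded network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def redact_alert(alert, networks):
    """Copy an alert with excluded addresses replaced by a marker."""
    out = dict(alert)
    for key in ("src_ip", "dst_ip"):
        if is_excluded(out[key], networks):
            out[key] = "EXCLUDED"
    return out


def filter_alerts(alerts, min_severity, networks, sections):
    """Return (to_send, dropped).

    Nothing is sent if the Alert Data Details section is switched off;
    otherwise alerts below min_severity are dropped and the rest are
    redacted against the exclusion list.
    """
    if not sections.get("Alert Data Details", False):
        return [], list(alerts)
    threshold = SEVERITY_RANK[min_severity]
    to_send, dropped = [], []
    for alert in alerts:
        if SEVERITY_RANK[alert["severity"]] >= threshold:
            to_send.append(redact_alert(alert, networks))
        else:
            dropped.append(alert)
    return to_send, dropped


def run_lab_example():
    """Apply the lab settings from the page to the constructed alerts."""
    networks = parse_exclusions(LAB_EXCLUSIONS)
    return filter_alerts(SAMPLE_ALERTS, "Medium", networks, LAB_SECTIONS)


if __name__ == "__main__":
    sent, dropped = run_lab_example()
    for alert in sent:
        print("send:", alert)
    for alert in dropped:
        print("drop:", alert["id"], alert["severity"])
```

Running it shows the two High/Medium alerts going out with the lab addresses masked and the Low and Informational alerts held back; a malformed CIDR in the exclusion list raises before anything is sent, which is the kind of check worth doing before clicking “Save.”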
As mentioned earlier, there are two parts to GTI: IP Reputation and File Reputation.
IP Reputation Implementation
IP Reputation is configured at two levels. The first is globally, at the domain level; then additional changes are made per interface at the device level. Changes can be made per interface only, but as a best practice we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.
To implement these changes navigate to the “Devices” tab.
Implementation is a three-step process.
Step 1: Implement settings at the Domain/Global level
Devices > Global > Default Device Settings > IPS Devices > IP Reputation
At the global level, configure IP Reputation as follows:
• Check the box at the top “Use IP Reputation to Augment SmartBlocking?”
• Choose which protocols you’d like to whitelist (never queried) and which ones you’d like to have queried. Since I am in a lab environment and don’t have to worry about performance, I have selected all protocols to be inspected.
• Whitelisted Endpoints – since I included the lab IP range on the GTI participation page, I selected “Inherit CIDR Exclusion list from GTI.”
• Finally select “Save.”
Step 2: Enable IP Reputation on each inspection interface
Once the global settings are saved, move to the inspection ports and apply IP Reputation inspection per interface.
On an interface’s protection profile page there are five areas, each outlined in a grey box.
A quick look through this page shows that I have the “Default Inline IPS” policy deployed, an ATD policy as my Advanced Malware Policy, and no Firewall Policies or Connection Limiting Policies in place.
To implement IP Reputation, select both the “Enable Inbound” and “Enable Outbound” boxes and select “Save.”
After you select “Save,” a dialog box will appear asking you to deploy your settings.
Step 3: Deploy pending changes
Navigate to deploy pending changes.
Devices > Devices > Deploy Pending Changes
Note: When changes are waiting to be deployed there will be a notification in the upper right-hand corner of the Network Security Manager.
During the update a status window shows the progress.
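To see how the global and per-interface settings from the three steps above combine, here is an added example (not NSP’s engine) that decides whether a flow gets a reputation lookup at all: “Use IP Reputation to Augment SmartBlocking” must be on, the flow’s direction must be enabled on the interface, the protocol must be one of the queried ones, and the remote endpoint must not be in the whitelist inherited from the GTI exclusion list. The augmentation rule used (an attack that SmartBlocking alone would only alert on is blocked when the remote endpoint’s reputation is bad), the reputation scores, the threshold, the protocol subset and the interface name are assumptions for the example, not documented GTI behaviour.

```python
"""Constructed model of the IP Reputation decision path.

Added illustration, not NSP code. Global settings plus the per-interface
inbound/outbound switches decide whether a lookup happens; the scores,
threshold and augmentation rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class GlobalIpReputation:
    augment_smartblocking: bool
    queried_protocols: frozenset    # everything else is whitelisted (never queried)
    whitelisted_endpoints: tuple    # ip_network objects, inherited from the GTI exclusion list


@dataclass
class InterfaceSettings:
    name: str
    enable_inbound: bool
    enable_outbound: bool


# Constructed reputation table and threshold; higher means worse here (assumption).
REPUTATION = {"203.0.113.7": 95, "203.0.113.8": 40}
BLOCK_THRESHOLD = 80


def _remote_endpoint(flow):
    """Inbound flows are judged by their source, outbound by their destination (assumption)."""
    return flow["src_ip"] if flow["direction"] == "inbound" else flow["dst_ip"]


def lookup_required(glob, iface, flow):
    """Return (lookup?, reason) for a flow seen on iface."""
    if not glob.augment_smartblocking:
        return False, "IP Reputation not enabled globally"
    enabled = iface.enable_inbound if flow["direction"] == "inbound" else iface.enable_outbound
    if not enabled:
        return False, f"{flow['direction']} not enabled on {iface.name}"
    if flow["protocol"] not in glob.queried_protocols:
        return False, f"protocol {flow['protocol']} whitelisted"
    remote = ipaddress.ip_address(_remote_endpoint(flow))
    if any(remote in net for net in glob.whitelisted_endpoints):
        return False, f"endpoint {remote} whitelisted"
    return True, "lookup"


def verdict(glob, iface, flow, smartblocking_blocks):
    """Combine SmartBlocking's own decision with the reputation lookup.

    smartblocking_blocks: True when the attack signature alone is confident
    enough for SmartBlocking to block. Returns (action, reason).
    """
    if smartblocking_blocks:
        return "block", "SmartBlocking"
    needed, reason = lookup_required(glob, iface, flow)
    if not needed:
        return "alert", reason
    score = REPUTATION.get(_remote_endpoint(flow))
    if score is None:
        return "alert", "no reputation data"
    if score >= BLOCK_THRESHOLD:
        return "block", f"reputation {score} >= {BLOCK_THRESHOLD}"
    return "alert", f"reputation {score} < {BLOCK_THRESHOLD}"


# Lab configuration from the page: protocols queried (constructed subset standing in
# for "all"), exclusions inherited, both directions enabled. Interface name is constructed.
LAB_GLOBAL = GlobalIpReputation(
    augment_smartblocking=True,
    queried_protocols=frozenset({"HTTP", "SMTP", "DNS", "SSH"}),
    whitelisted_endpoints=tuple(
        ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")
    ),
)
LAB_IFACE = InterfaceSettings("1A-1B", enable_inbound=True, enable_outbound=True)


if __name__ == "__main__":
    flows = [
        {"direction": "inbound", "protocol": "HTTP", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
        {"direction": "inbound", "protocol": "HTTP", "src_ip": "203.0.113.8", "dst_ip": "192.0.2.10"},
        {"direction": "inbound", "protocol": "HTTP", "src_ip": "192.0.2.5", "dst_ip": "192.0.2.10"},
        {"direction": "outbound", "protocol": "FTP", "src_ip": "192.0.2.10", "dst_ip": "203.0.113.7"},
    ]
    for f in flows:
        print(f["direction"], f["protocol"], _remote_endpoint(f), verdict(LAB_GLOBAL, LAB_IFACE, f, False))
```

The whitelist check runs before any lookup, which is why inheriting the CIDR exclusion list matters: your own ranges never reach GTI from this path either. A flow whose direction is disabled on the interface, or whose protocol is whitelisted, falls through to whatever SmartBlocking would have done on its own.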
File Reputation Implementation
File Reputation implementation is also a three-step process.
Step 1: Navigate to Policy > Advanced Malware
If this is your first time navigating to this page, only the Default Malware Policy will be visible.
Select “Default Malware Policy” and then click the “Clone” button at the bottom of the page. A new window will open.
• Give your new policy a name (a description is optional)
• Select “visible to child domain” and the protocols you’d like to scan; I selected both SMTP and HTTP
• Select the supported file types in the GTI File Reputation column under “Malware Engines”
• Tick the small box next to the save button, “Prompt for assignment after save”
• Save your new policy
Step 2: Apply the Advanced Malware Policy to an interface for inspection
After clicking “Save,” a “PolicyName / Assignments” window will open.
• On this page, select the interfaces you’d like to apply the policy and hit the right arrow in the middle of the page to move these interfaces to the “Selected Interfaces” window.
Notice there are two listings for each interface, one inbound and one outbound; the policy is assigned per direction.
• Once you’ve selected the appropriate interfaces, click “Save”; a dialog box will open reminding you to apply the configuration on the sensor.
Step 3: Clicking OK will take you to the “Deploy Pending Changes” page. If it doesn’t, it is located at Devices > Devices (NS9200 in our example) > Deploy Pending Changes.
Select “Update” to deploy the changes to your selected ports.
After the changes have been applied you should be able to browse to the Advanced Malware Policies page and see that your GTI File Reputation policy has been assigned to two interfaces.
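The three File Reputation steps above have three properties that are easy to get wrong from the GUI: the Default Malware Policy is cloned rather than edited, a policy is assigned per interface and per direction (the two listings shown for each interface), and nothing reaches the sensor until Deploy Pending Changes runs. Here is an added example, not NSP code, that models that workflow and lets you ask whether a given transfer would be sent to GTI File Reputation under the deployed configuration. The default policy contents, the file-type labels and the interface names are constructed for the example.

```python
"""Constructed model of the File Reputation policy workflow.

Added illustration, not NSP code. Policies, per-(interface, direction)
assignments, and a staged-vs-deployed split that mirrors Deploy Pending Changes.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class MalwarePolicy:
    name: str
    protocols: frozenset           # e.g. {"SMTP", "HTTP"}
    gti_file_types: frozenset      # file types ticked in the GTI File Reputation column
    visible_to_child_domains: bool = False
    description: str = ""


# Constructed stand-in for the built-in default; its real contents are not on the page.
DEFAULT_POLICY = MalwarePolicy(
    name="Default Malware Policy",
    protocols=frozenset({"HTTP"}),
    gti_file_types=frozenset(),
)


class Manager:
    """Tracks policies plus staged and deployed assignments keyed by (interface, direction)."""

    def __init__(self):
        self.policies = {DEFAULT_POLICY.name: DEFAULT_POLICY}
        self.pending = {}
        self.deployed = {}

    def clone_policy(self, source_name, new_name, **changes):
        """Clone an existing policy under a new name; the source is left untouched."""
        if new_name in self.policies:
            raise ValueError(f"policy {new_name!r} already exists")
        clone = replace(self.policies[source_name], name=new_name, **changes)
        self.policies[new_name] = clone
        return clone

    def assign(self, policy_name, targets):
        """Stage a policy on each (interface, direction); nothing is live yet."""
        if policy_name not in self.policies:
            raise KeyError(policy_name)
        for iface, direction in targets:
            if direction not in ("inbound", "outbound"):
                raise ValueError(f"unknown direction {direction!r}")
            self.pending[(iface, direction)] = policy_name

    def has_pending_changes(self):
        return self.pending != self.deployed

    def deploy_pending_changes(self):
        """Push staged assignments to the sensor; returns the targets that changed."""
        changed = [t for t, p in self.pending.items() if self.deployed.get(t) != p]
        self.deployed = dict(self.pending)
        return changed

    def gti_file_reputation_runs(self, iface, direction, protocol, file_type):
        """Would the deployed configuration send this file to GTI File Reputation?"""
        name = self.deployed.get((iface, direction))
        if name is None:
            return False
        policy = self.policies[name]
        return protocol in policy.protocols and file_type in policy.gti_file_types


def build_lab_manager():
    """Reproduce the page's steps on constructed names, stopping before deploy."""
    m = Manager()
    m.clone_policy(
        "Default Malware Policy", "GTI File Reputation",
        protocols=frozenset({"SMTP", "HTTP"}),
        gti_file_types=frozenset({"executable", "pdf"}),   # constructed labels
        visible_to_child_domains=True,
    )
    m.assign("GTI File Reputation", [("1A-1B", "inbound"), ("1A-1B", "outbound")])
    return m


if __name__ == "__main__":
    m = build_lab_manager()
    print("before deploy:", m.gti_file_reputation_runs("1A-1B", "inbound", "HTTP", "executable"))
    print("deployed:", m.deploy_pending_changes())
    print("after deploy:", m.gti_file_reputation_runs("1A-1B", "inbound", "HTTP", "executable"))
```

The pre-deploy query returning False is the point of the model: a freshly cloned and assigned policy does nothing until the pending-changes update finishes, which matches the reminder dialog in Step 2 and the status window in Step 3.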