McAfee IPS - How to Enable GTI on the Network Security Platform

Introduction

GTI has two components:

IP Reputation (formerly Trusted Source) – Comprehensive, real-time, cloud-based IP Reputation service to provide:

Web reputation – URL and web domain reputation service used to take policy-based action against web-based threats.

Web categorization – URL and web domain categorization service to take policy-based action on user web activity as well as protect customers against both known and emerging web-based threats.

Message reputation – Message and sender reputation service to protect against message-based threats such as spam.

Network connection reputation – IP address, network port, and communications protocol reputation service that provides granular reputation intelligence to protect against network threats.

File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation service to protect against both known and emerging malware-based threats.

These technologies work together to provide information about threats and vulnerabilities, which gives GTI the ability to predictively adjust reputations across all threat areas and thereby prevent attacks.


Configuration

This configuration guide assumes your sensor and Network Security Manager have already been configured.  In our lab we browse to our manager at https://90.100.3.170.  To get to the GTI integration, select “Manage,”

[Image: config1.PNG]

Then “Integration” and “Global Threat Intelligence.”

[Image: config2.PNG]

When you first visit this page, a window will open asking if you’d like to participate by sending detailed information about attacks your network discovers back to McAfee Labs.  A list of what is being sent can be viewed at any time by clicking the “show me what I’m sending” link on the right-hand side of the page.

To configure the information reported via GTI, select “Yes” or “No” for each of the sections under “Global Threat Intelligence.”

By selecting the “+” icon more detail is available to see exactly what is being sent from each section.  In my configuration I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage.  I have chosen not to send System Faults to GTI.

[Image: config3.PNG]

Also in this window is the option to exclude our organization’s IP address information for a given list of endpoints.  We’ll insert our lab range of IP addresses here; this list is reused in a later configuration step.

[Image: config4.PNG]

Enter the IP address ranges you’d like to exclude, add them to the list, then click “Save.”

[Image: config5.PNG]

The next section of the page allows you to determine which alert severities are sent to GTI.  To reduce the information being sent from my network, I have selected “High” and “Medium,” opting not to send alerts that are either “Low” or “Informational.”
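The CIDR exclusion list entered above and this severity setting both decide what leaves the network, so here is an added example, not code from the original post or from McAfee, that models the two rules on constructed alert records: alerts below the chosen minimum severity are dropped, and any source or destination address inside the excluded ranges is redacted before the record is forwarded. The ranges, the alert records and the field names are assumptions; the product's real telemetry format is not shown on this page. The same exclusion list is what the IP Reputation settings later refer to when they inherit the CIDR exclusion list from GTI.

```python
"""Added example (not code from the original post or from McAfee NSP): a
small model of two GTI participation settings, the CIDR exclusion list for
the organization's own addresses and the minimum alert severity forwarded.
Ranges, alert records and field names are constructed for this example."""
import ipaddress
from typing import Dict, Iterable, List

# Severity levels as named on the participation page, lowest to highest.
SEVERITY_RANK: Dict[str, int] = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Hypothetical lab ranges standing in for the CIDR exclusion list entered on the page.
LAB_EXCLUSIONS: List[str] = ["90.100.3.0/24", "10.20.0.0/16"]

# Constructed sample alerts; not real Network Security Platform output.
SAMPLE_ALERTS: List[dict] = [
    {"id": 1, "severity": "High", "src": "198.51.100.7", "dst": "90.100.3.25", "attack": "Constructed-A"},
    {"id": 2, "severity": "Low", "src": "203.0.113.9", "dst": "90.100.3.40", "attack": "Constructed-B"},
    {"id": 3, "severity": "Medium", "src": "10.20.5.5", "dst": "203.0.113.200", "attack": "Constructed-C"},
    {"id": 4, "severity": "Informational", "src": "203.0.113.77", "dst": "90.100.3.1", "attack": "Constructed-D"},
]


class ParticipationFilter:
    """Applies the minimum-severity rule and the CIDR exclusion rule to alerts."""

    def __init__(self, exclusions: Iterable[str], minimum_severity: str) -> None:
        if minimum_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {minimum_severity}")
        # strict=False tolerates host bits in an entry such as 90.100.3.170/24.
        self.networks = [ipaddress.ip_network(c, strict=False) for c in exclusions]
        self.min_rank = SEVERITY_RANK[minimum_severity]

    def is_excluded(self, ip: str) -> bool:
        """True if the address falls inside any excluded range.

        An unparsable value is treated as excluded, so a malformed field fails
        closed (redacted) rather than being forwarded as-is."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True
        return any(addr in net for net in self.networks)

    def apply(self, alerts: Iterable[dict]) -> List[dict]:
        """Return copies of the alerts that pass the severity rule, with
        excluded source/destination addresses replaced by a marker."""
        forwarded: List[dict] = []
        for alert in alerts:
            # Unknown severities rank below everything and are never forwarded.
            if SEVERITY_RANK.get(alert["severity"], -1) < self.min_rank:
                continue
            redacted = dict(alert)  # never mutate the caller's record
            for field in ("src", "dst"):
                if self.is_excluded(alert[field]):
                    redacted[field] = "[excluded]"
            forwarded.append(redacted)
        return forwarded


if __name__ == "__main__":
    # Mirrors the choice above: forward High and Medium only.
    flt = ParticipationFilter(LAB_EXCLUSIONS, "Medium")
    for record in flt.apply(SAMPLE_ALERTS):
        print(record)
```

Running the block forwards only alerts 1 and 3; in each, the address that sits in the lab range is replaced by the marker while the outside address is kept, which is the shape of record the participation page's “show me what I’m sending” view is meant to let you confirm.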

[Image: config6.PNG]

The next section gives the user the option to provide contact information to McAfee.  This information will be used to communicate end of life and other key product milestones.  Since I am in a lab environment, my data would be anomalous and of little value to the GTI community, so I have opted not to send contact information.

[Image: config7.PNG]

The last section on the Global Threat Intelligence integration page is a “test” portion.  This allows you to input any IP address and verify connectivity with GTI.

[Image: config8.PNG]

Finally, save your configuration by selecting the save button at the bottom right-hand corner of the page.


Note: This page defines the parameters by which GTI communicates to and from your organization, which alert details and summaries may be sent, and some device details; it does not apply this information to a policy for blocking or alerting purposes.


GTI Implementation

As mentioned earlier, there are two parts to GTI: IP Reputation and File Reputation.

IP Reputation Implementation

There are two steps to implement IP Reputation: the first is global, at the domain level; then additional changes are made per interface at the device level.  Changes can also be made and implemented per interface only, but as a best practice we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.

To implement these changes navigate to the “Devices” tab.

[Image: imp1.PNG]

Implementation is a three-step process.

Step 1: Implement settings at the Domain/Global level

Devices > Global > Default Device Settings > IPS Devices > IP Reputation

[Image: imp2.PNG]

At the global level, implementing IP Reputation takes the following steps:

• Check the box at the top “Use IP Reputation to Augment SmartBlocking?”

• Choose which protocols you’d like to whitelist and which ones you’d like to have queried (since I am in a lab environment and don’t have to worry about performance, I have selected all protocols for inspection).

• Whitelisted Endpoints – Since I included the lab IP range on the GTI Participation page, I selected “Inherit CIDR Exclusion list from GTI.”

• Finally select “Save.”

[Image: ip.PNG]

Once this is saved, let’s move to our inspection ports and apply IP Reputation inspection.

Step 2: Device level implementation

Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile

[Image: imp4.PNG]

Once you are on the protection profile page, there are five different areas defined by grey boxes.

A quick look through this page and you’ll notice that I have the “Default Inline IPS” policy deployed, an ATD policy for my Advanced Malware Policy and no Firewall Policies or Connection Limiting Policies in place.

To implement IP Reputation, select both the “Enable Inbound” and “Enable Outbound” boxes and select “Save.”

[Image: ip2.PNG]

After you select “Save,” a dialog box will appear asking you to deploy your settings.

[Image: imp6.PNG]

Select “OK.”

Step 3: Deploy pending changes

Navigate to deploy pending changes.

Devices > Devices > Deploy Pending Changes

[Image: imp7.PNG]

Select “Update.”

Note: When changes are waiting to be deployed, there will be a notification in the upper right-hand corner of the Network Security Manager.

During the update, a status window will appear to show the update progress.

[Image: imp8.PNG]

File Reputation Implementation

File Reputation Implementation is also a three-step process.

Step 1: Navigate to Policy > Advanced Malware

[Image: imp9.PNG]

If this is your first time navigating to this page, only the Default Malware Policy will be visible.

Select “Default Malware Policy” and then click the “Clone” button at the bottom of the page.  A new window will open.

[Image: imp11.PNG]

• Give your new policy a name (a description is optional)

• Select the “visible to child domain” box and the protocols you’d like to scan; I selected both SMTP and HTTP

• Select the supported file types in the GTI File Reputation column under “Malware Engines”

• Select the small box next to the save button “Prompt for assignment after save”

• Save your new policy


Step 2: Apply the Advanced Malware Policy to an interface for inspection

After clicking “Save,” a “PolicyName / Assignments” window will open.

[Image: imp12.PNG]

• On this page, select the interfaces to which you’d like to apply the policy and click the right arrow in the middle of the page to move them to the “Selected Interfaces” window.

Notice there are two listings for each interface, one inbound and one outbound.

• Once you’ve selected the appropriate interfaces, click “Save”; a dialog box will open reminding you to apply the configuration on the sensor.

[Image: imp13.PNG]

Step 3: Clicking “OK” will take you to the “Deploy Pending Changes” page.  If it doesn’t, it is located in Device > Devices (NS9200 in our example) > Deploy Pending Changes

[Image: imp14.PNG]

Select “Update” to deploy the changes to your selected ports.

After the changes have been applied, you should be able to browse to the Advanced Malware Policies and see that the GTI File Reputation policy has been assigned to two interfaces.

[Image: imp15.PNG]

Additional Resources

Integration guide - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24733/en_US/...

Comments

When I click on some pictures they open up a zoomed-in version which is exactly the same size. Just thought you may like to know.

Revision 3 of 3. Last update: 03-29-2018 08:27 AM