This document will walk through a basic setup and integration of the McAfee Network Threat Behavioral Analysis appliance with the McAfee Network Security Platform. Each NSP license includes a free instance of a virtual NTBA appliance. This document will explain the install and integration process to receive enhanced detection capabilities on the NSP, including the use of the McAfee Endpoint Intelligence Agent.
The McAfee NTBA Appliance is a feature-rich, non-intrusive solution for monitoring network traffic by analyzing flow information flowing through the network in real time. The NTBA Appliance complements the IPS capabilities in a scenario where Network Security Platform IPS Sensors and NTBA Appliances are installed and managed through the McAfee® Network Security Manager (Manager).
The NTBA Appliance gathers flow information from users, applications, endpoints, and network devices across the network and stores it in an embedded database. You can see real-time data and a moving profile of applications, endpoints, zones, and interface traffic. The NTBA Appliance provides a graphical, configurable real-time view of network traffic.
Threat-related events such as endpoint scans, port scans, worm attacks, new service/application, new endpoint, suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies. All this information is coalesced into a summary view in the Threat Analyzer of the Manager that can be drilled down for detailed information.
From the product downloads page, find the image that best suits your needs based on the sizing guide. In this instance, the free T-VM image is used.
Save this in a location close to your vCenter server to ensure connectivity issues don't interfere with your production installation.
Open your vSphere Client and select File --> Deploy OVF Template.
Browse to the download location of the template and select the file, in this case 'ntbasensorImage.T-VM_8274.ova'.
Configure the settings based on your requirements. In my case, I chose "Thin Provisioning" and placed the Monitoring and Management networks on the same network. Since I'm in a lab environment I don't need to dedicate the full 500Gb to this appliance. I also have a flat network, so my monitoring ports and management ports are on the same network (this will display a warning).
Review your settings, then click "Finish".
Upon completion of this step, refer to the NTBA guide for the specific NTBA model configuration and follow the steps beginning in chapter 5 on page 67. Review and verify the settings for your model, then boot up the NTBA virtual appliance.
Once the bootup is complete, log in using the default credentials:
NTBA Login: admin
You will then be prompted to run the "Sensor Configuration Wizard"; select "Y".
Information you'll need:
Sensor Name - This must be entered exactly the same way in the Manager to create a trust
Sensor IP address
Sensor subnet mask
Primary Manager IP address
Secondary Manager IP address (if present)
Sensor default gateway
Management Port Configuration (a/m)
At this point you'll get a prompt to set a "Shared Secret Key"; this establishes a trust between the sensor and the manager.
STOP! Before you proceed with this step, navigate to the Manager to add the device. This step needs to be done on the manager before it is done on the sensor.
Open a browser and navigate to Devices --> Global --> Add and Remove Devices, find the "new" button and click it.
Fill out the following information:
Device Name - This has to be an exact match of what you entered on the sensor
Device Type - The default selection is an IPS sensor; select "NTBA Appliance"
Shared Secret Key - This passphrase and the device name are used to establish a trust between manager and sensor.
Confirm Shared Secret - Retype the passphrase.
Click "Save".
Navigate back to your NTBA console to complete the setup and establish a trust between sensor and the manager.
*Note - If your NTBA sensor has logged out, log in using your new credentials and use the command "set sensor sharedsecretkey" to restart the trust process.
Type the same shared secret key on the sensor that you entered on the manager and hit Enter. To check the status of the trust process, type "status" to monitor progress.
After the trust has been established, the message in the status command will look like this:
In the manager navigate to Devices --> Devices (tab)
In the drop-down menu the new device should be present. If it's not, hit the "refresh" button and see if it appears. A summary of the device settings will be available in the right pane if everything was set up correctly.
There are two common problems when a trust can't be established between the manager and the sensor:
1. Network connectivity issues
2. Incorrect configuration parameters
Problem: Firewall is enabled on the host of the manager preventing communication
Solution: Disable the firewall on the host OS where the manager is installed
Problem: Ports not opened if there is a firewall between the manager and sensor
Solution: Refer to the Installation or Administration Guide for a full list of ports
Problem: Ports configured in VM are incorrectly mapped from virtual to physical
Solution: Change the NIC in vSphere to match the NIC on the NTBA (see below)
In this case the "show Intfport 1" command shows that eth0 is disabled.
However, this port is assigned as the management port in vSphere.
To identify which port is management at the sensor, use the command "show mgmtport"
In my case the management port is the last physical interface, so I need to make the corresponding change in vSphere.
Now I am able to ping my management device, and the trust is successfully established after running the "set sensor sharedsecretkey" command from the CLI on the NTBA.
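Before attempting the trust, it helps to check the wizard values against what was entered in the Manager. The following is an added example (Python, not part of the original guide or McAfee's tooling): the probe port is an assumed placeholder and the lab addresses are constructed.

```python
"""Pre-flight check for NTBA <-> Manager trust parameters.
Added example, not from the original article or McAfee tooling: it compares
what is typed into the Sensor Configuration Wizard with what is entered in
the Manager, catching "incorrect configuration parameters" before the trust."""
import ipaddress
import socket

# ASSUMPTION: placeholder port for the reachability probe; the real
# manager/sensor ports come from the NSP Administration Guide.
MANAGER_PORT = 443

def check_trust_params(sensor_name, manager_device_name,
                       sensor_secret, manager_secret,
                       sensor_ip, sensor_mask, gateway):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    # The trust keys on the device name, so it must match byte for byte.
    if sensor_name != manager_device_name:
        hint = ""
        if sensor_name.strip().lower() == manager_device_name.strip().lower():
            hint = " (differs only in case or surrounding whitespace)"
        problems.append(f"device name mismatch{hint}: "
                        f"sensor={sensor_name!r} manager={manager_device_name!r}")
    if sensor_secret != manager_secret:
        problems.append("shared secret key differs between sensor and manager")
    try:
        net = ipaddress.ip_network(f"{sensor_ip}/{sensor_mask}", strict=False)
        host = ipaddress.ip_address(sensor_ip)
        if ipaddress.ip_address(gateway) not in net:
            problems.append(f"gateway {gateway} is outside {net}")
        if host in (net.network_address, net.broadcast_address):
            problems.append(f"sensor IP {sensor_ip} is the network/broadcast address")
    except ValueError as exc:
        problems.append(f"bad IP, mask or gateway: {exc}")
    return problems

def manager_reachable(manager_ip, port=MANAGER_PORT, timeout=3.0):
    """TCP connect probe; False also covers a host firewall dropping the SYN."""
    try:
        with socket.create_connection((manager_ip, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed lab values (not real infrastructure).
    for p in check_trust_params("ntba-lab", "NTBA-Lab ", "s3cret", "s3cret",
                                "10.0.0.5", "255.255.255.0", "10.0.1.1"):
        print("PROBLEM:", p)
    print("manager reachable:", manager_reachable("10.0.0.10"))
```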
By default on many IPS sensor models, ports are configured in pairs (1A & 1B). This is done to define inbound and outbound traffic for inspection purposes. To forward traffic, configure one port as a SPAN or hub port and assign it an IP address.
Navigate in your manager to Devices --> Devices (tab) --> Setup --> Physical Ports and select a port you'd like to use to forward NetFlow (in this case 4A).
Change the operation mode to "SPAN or Hub" and enable the port. Connect this port to a switch that has access to the NTBA management port or directly to a collection port on the NTBA appliance.
In the left-hand "Devices" pane select "IP Binding". For the "Monitoring Port" select the port you just configured as a SPAN or Hub and assign it an IP address, then select "Save".
In the left-hand "Devices" pane select "NTBA Integration". In this section there are three steps to complete NTBA Integration.
In the NTBA Integration drop-down select "Enable for Flow Exporting and Advanced Malware Analysis"
In the Target NTBA Appliance select the NTBA appliance you have just configured
In the Flow Collection IP Address select "Management Port (22.214.171.124)"
In the IPS Monitoring Port to be Used to Export Traffic section, select the port you just configured in the IP Binding section; the IP address, mask, and gateway will auto-populate.
Click the "View Connectivity" button to see if the connection to the NTBA is working. Don't be surprised if 0 flow records have been sent; the configuration still needs to be pushed to the sensor.
In the "Traffic to be Forwarded to NTBA" section select the active ports on your sensor
Finally, select "Save" in the bottom right-hand corner.
In the left-hand "Devices" pane select "Deploy Pending Changes" and then select "Update" to push the changes.
Repeat these steps for any other sensor in your environment from which you'd like to forward NetFlow records.
Now that the NTBA has been integrated with the Network Security Platform, you can leverage the GAM engine for malware inspection (on M-Series hardware). You also get greater botnet detection and greater visibility.
NTBA integration also provides access to the Endpoint Intelligence Agent, which allows for greater endpoint visibility and application behavior analysis. See how to enable the Endpoint Intelligence Agent on NSP here.
NTBA Product Page
NTBA Data Sheet
Endpoint Intelligence Agent NSP Integration
Endpoint Intelligence Agent ePO Integration