McAfee IPS - How to Install and Configure McAfee's NetFlow Appliance (NTBA) with McAfee IPS (NSP)

Introduction

This document will walk through a basic setup and integration of the McAfee Network Threat Behavioral Analysis appliance with the McAfee Network Security Platform. Each NSP license includes a free instance of a virtual NTBA appliance. This document will explain the install and integration process to receive enhanced detection capabilities on the NSP, including the use of the McAfee Endpoint Intelligence Agent.

What is Network Threat Behavioral Analysis?

The McAfee NTBA Appliance is a feature-rich, non-intrusive solution for monitoring network traffic by analyzing flow information from the network in real time. The NTBA Appliance complements the IPS capabilities in a scenario where Network Security Platform IPS Sensors and NTBA Appliances are installed and managed through the McAfee® Network Security Manager (Manager).

The NTBA Appliance gathers flow information from across users, applications, endpoints and network devices, and stores it in an embedded database. You can see real-time data and a moving profile of applications, endpoints, zones, and interface traffic. The NTBA Appliance provides a graphically configurable real-time view of the network traffic.

Threat-related events such as endpoint scans, port scans, worm attacks, new service/application, new endpoint, suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies. All this information is coalesced into a summary view in the Threat Analyzer of the Manager that can be drilled down for detailed information.

Installing a virtual instance of NTBA

From the product downloads page, find the image that best suits your needs based on the sizing guide. In this instance, the free T-VM image is used.

Save this in a location close to your vCenter server to ensure connectivity issues don't interfere with your production installation.

Open your vSphere Client and select File --> Deploy OVF Template.

Browse to the download location of the template and select the file, in this case 'ntbasensorImage.T-VM_8274.ova'.

Based on your requirements, configure the proper settings. In my case, I chose "Thin Provisioning" and put the Monitoring and Management networks on the same network. Since I'm in a lab environment I don't need to dedicate the full 500 GB to this appliance. I also have a flat network, so my monitoring ports and management ports are on the same network (this will display a warning).

Review your settings, then click "Finish".

Upon completion of this step, refer to the NTBA guide for the specific NTBA model configuration and follow the steps beginning in chapter 5 on page 67. Review and verify the settings for your model. Boot up the NTBA virtual appliance.

Configure your NTBA Appliance and add it to the Manager

Once boot-up is complete, log in using the default credentials:

    NTBA Login:  admin

    Password:  admin123

You will then be prompted to run the "Sensor Configuration Wizard"; select "Y".

Information you'll need:

    Sensor Name - this must be entered exactly the same way in the Manager to create a trust
    Sensor IP address
    Sensor subnet mask
    Primary Manager IP address
    Secondary Manager IP address (if present)
    Sensor default gateway
    Management Port Configuration (a/m)

At this point you'll get a prompt to set a "Shared Secret Key"; this is used to establish a trust between the sensor and the Manager.

STOP! Before you proceed with this step, navigate to the Manager to add the device. This step needs to be done on the Manager prior to the sensor.

Open a browser, navigate to Devices --> Global --> Add and Remove Devices, find the "New" button and click it.

Fill out the following information:

    Device Name - this has to be an exact match of what you entered on the sensor
    Device Type - the default selection is an IPS sensor; select "NTBA Appliance"
    Shared Secret Key - this passphrase and the device name are used to establish a trust between Manager and sensor
    Confirm Shared Secret - retype the passphrase

Click "Save".

Navigate back to your NTBA console to complete the setup and establish a trust between the sensor and the Manager.

*Note - If your NTBA sensor has logged out, log in using your new credentials and use the command "set sensor sharedsecretkey" to restart the trust process.

Type in the same shared secret key on the sensor that you entered on the Manager and hit Enter. To check the status of the trust process, type "status" to monitor progress.

After the trust has been established, the message in the "status" command output will look like this.

In the Manager navigate to Devices --> Devices (tab). In the drop-down menu the new device should be present. If it's not, hit the "Refresh" button and see if it appears. A summary of the device settings will be available in the right pane if everything was correctly set up.

Troubleshooting the "trust establishment" process

There are two common reasons a trust cannot be established between the Manager and the sensor:

    1.  Network connectivity issues
    2.  Incorrect configuration parameters

1. Network connectivity common issues

    Problem: Firewall is enabled on the host of the Manager, preventing communication
    Solution: Disable the firewall on the host OS where the Manager is installed

    Problem: Ports not opened if there is a firewall between the Manager and sensor
    Solution: Refer to the Administration Guide for a full list of ports

    Problem: Ports configured in the VM are incorrectly mapped from virtual to physical
    Solution: Change the NIC in vSphere to match the NIC on the NTBA (see below)

In this case the "show Intfport 1" command shows that eth0 is disabled.

However, this port is assigned as management in vSphere.

To identify which port is management at the sensor, use the command "show mgmtport".

In my case the management port is the last physical interface, so I need to make the corresponding change in vSphere.

Now I am able to ping my management device and the trust is successfully established after running the "set sensor sharedsecretkey" command from the CLI on the NTBA.

2. Incorrect configuration parameters

Other common mistakes are in the configuration on the Manager side. Review the settings on the setup page and verify that everything was entered correctly.
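Added example (not part of the original article and not a McAfee tool): a small Python pre-flight check of the values the NTBA wizard and the Manager's "Add Device" dialog must agree on (exact device name, device type, shared secret) plus the sensor's own IP/mask/gateway, covering the "incorrect configuration parameters" case above, with a TCP probe for the "network connectivity" case. The dataclass names, fields and sample addresses are assumptions; tcp_reachable takes the port as an argument because the required ports are listed in the Administration Guide, not on this page.

```python
import ipaddress
import socket
from dataclasses import dataclass

@dataclass
class SensorConfig:  # values typed into the NTBA Sensor Configuration Wizard (hypothetical model)
    name: str
    ip: str
    netmask: str
    gateway: str
    primary_manager: str
    shared_secret: str

@dataclass
class ManagerDevice:  # values entered in Devices --> Global --> Add and Remove Devices
    device_name: str
    device_type: str
    shared_secret: str
    confirm_secret: str

def check_trust_parameters(sensor: SensorConfig, manager: ManagerDevice) -> list:
    """Return a list of problems; an empty list means both sides are consistent."""
    problems = []
    # The device name must match the sensor name exactly, including case and spaces.
    if sensor.name != manager.device_name:
        problems.append(f"device name mismatch: sensor={sensor.name!r} manager={manager.device_name!r}")
    if manager.device_type != "NTBA Appliance":
        problems.append(f"device type is {manager.device_type!r}, expected 'NTBA Appliance'")
    if manager.shared_secret != manager.confirm_secret:
        problems.append("shared secret and its confirmation differ on the manager")
    elif sensor.shared_secret != manager.shared_secret:
        problems.append("shared secret on the sensor differs from the one on the manager")
    # Sensor IP, mask and gateway must describe one consistent subnet.
    try:
        iface = ipaddress.IPv4Interface(f"{sensor.ip}/{sensor.netmask}")
        gateway = ipaddress.IPv4Address(sensor.gateway)
        if gateway not in iface.network or gateway == iface.ip:
            problems.append(f"gateway {gateway} is not a usable address in {iface.network}")
        ipaddress.IPv4Address(sensor.primary_manager)  # raises ValueError if malformed
    except ValueError as exc:
        problems.append(f"malformed address: {exc}")
    return problems

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Network-connectivity branch: can a TCP connection be opened to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```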

Configure NSP sensors to send netflow to NTBA

Configure a port on the sensor to forward flow records to NTBA

By default on many IPS sensor models, ports are configured in pairs (1A & 1B). This is done to define inbound and outbound traffic for inspection purposes. To forward traffic, configure one port as a SPAN or hub port and assign it an IP address.

Navigate in your Manager to Devices --> Devices (tab) --> Setup --> Physical Ports and select a port you'd like to use to forward NetFlow (in this case 4A).

Change the operation mode to "SPAN or Hub" and enable the port. Connect this port to a switch that has access to the NTBA management port, or directly to a collection port on the NTBA appliance.

Assign an IP address to the port used to forward NetFlow

In the left-hand "Devices" pane select "IP Binding". For the "Monitoring Port" select the port you just configured as a SPAN or Hub, assign it an IP address, then select "Save".

Complete NTBA Integration on the IPS sensor

In the left-hand "Devices" pane select "NTBA Integration". In this section there are three steps to complete NTBA Integration.

In the NTBA Integration drop-down select "Enable for Flow Exporting and Advanced Malware Analysis".

In the Target NTBA Appliance select the NTBA appliance you have just configured.

In the Flow Collection IP Address select "Management Port (1.1.1.1)".

In the IPS Monitoring Port to be Used to Export Traffic section, select the port you just configured in the IP Binding section; the IP address, mask, and gateway will auto-populate.

Click the "View Connectivity" button to see if the connection to the NTBA is working. Don't be surprised if 0 flow records have been sent; the configuration still needs to be pushed to the sensor.

In the "Traffic to be Forwarded to NTBA" section select the active ports on your sensor.

Finally select "Save" in the bottom right-hand corner.

In the left-hand "Devices" pane select "Deploy Pending Changes" and then select "Update" to push the changes.

Repeat these steps for any other sensor in your environment from which you'd like to forward NetFlow records.

NTBA Key Benefits

Now that the NTBA has been integrated with the Network Security Platform, you can leverage the GAM engine for malware inspection (on M-Series hardware). You also have greater botnet detection and greater visibility.

NTBA integration also provides access to the Endpoint Intelligence Agent, which allows for greater endpoint visibility and application behavior analysis. See how to enable the Endpoint Intelligence Agent on NSP here.

Additional Resources

NTBA Administration Guide
NTBA Product Page
NTBA Data Sheet
Endpoint Intelligence Agent NSP Integration
Endpoint Intelligence Agent ePO Integration
NTBA Brief Video Description

Comments

Excellent article. Here's a link to : Ports used by Network Security Platform (KB59342). NTBA ports are listed in the middle.

I'm afraid I need to disagree with Moe on this one.... I believe some points on this article need reviewing and updating:

  • No need to set up IP bindings on export port - just configure the IP address for the export port on NTBA integration
  • Export port can also be an inline port - no mention of this on the document - and why this may not be a good idea
  • Screenshots show all IP addresses are on the same segment - not recommended as per NSP docs
  • NTBA collection port has not been configured on this article - Screenshot shows collection port set to mgmt. Text on the article states 1.1.1.1 but screenshot shows something different
  • NTBA benefits could be expanded to include netflow analysis  - i.e. host interactions, L7 data, host/zone comms rules, etc

d_aloy, great feedback. Thanks for pointing that out. Hopefully blog author at McAfee will take notice and adjust accordingly. I would also recommend simply clicking on the KB link I posted earlier, and copy/paste your post there in the feedback field. That should reach the KB author and they can update.

Version history: revision 3 of 3, last update 03-15-2018 09:15 AM