cancel
Showing results for 
Search instead for 
Did you mean: 

McAfee IPS - How to Integrate McAfee's sandbox technology with the IPS

Introduction

 

The purpose of this document is to illustrate how to integrate McAfee's Advanced Threat Defense (ATD) sandboxing technology with McAfee's Network Security Platform.

Video

    

Part 1 - Preparing the Advanced Threat Defense

Preparing the Analyzer Profile

               Navigate to the "Policy" tab within the Advanced Threat Defense

          analyzer profile.png

               On the Analyzer page a list of the current analyzer profiles is listed.  The "android" profile is there by default.  Any other profile are the custom images that have been built and added to the ATD device.

 Select "New" at the bottom if you'd like a specific analyzer profile for files submitted via McAfee Network Security Platform sensors.  If you'd like to use an existing analyzer profile proceed to the next step.

          analyzer profile name.JPG

              Analyzer Profile - Fill out "Name" as it's required and then the "VM Profile" will provide a list of the VM's that have been uploaded to the ATD device.

 

          new analyzer profile.JPG

 

         automatically select OS.JPG

               Automatically Select OS - If there are two images on the ATD, one 64-bit and one 32-bit, then enabling this feature will automatically select which image to use for analysis.

        reports logs and artifacts.JPG

 

               Reports, Logs, and Artifacts - This section select the boxes for the reports and artifacts you'd like generated for each file analysis.

               By default, all boxes are checked.  After submitting multiple file samples and viewing the reports you may find sections that aren't helpful, this is where you can come in and de-select specific options.

         Analyze Options.JPG

               Analyze Options - lists the options that can be used to analyze a file set to ATD.  In my case, I have not selected local blacklist, as there is currently no data in the blacklist.  I have also chosen not to "Run All Selected" as this can add significant time to the analysis process.

               However, if you would like as much detail as possible in all your reports checking this box will provide that detail.

  internet options.JPG

               Internet Options - If you would like and if your ATD has access to the internet you can select this box to allow the analyzer VM access to the Internet.

               This can potentially lead to more detailed information and additional execution paths that would be available in the reports.

 

               Select "Save" to save your new analyzer profile.

 

User Management

               Now that the analyzer profile exists that you would like to use for file submitted by the Network Security Platform sensors you have to assign that profile to the built-in NSP user. Navigate to "Manage"

          Manage tab.JPG

 

               On the Manage the first-page "User Management" displays a list of the current users. The "NSP" User is a built in user. To assign the profile you just created to the NSP user select the radio button and then select "edit".

          user management.JPG

              

User Management page

          User Credentials.JPG

 

User Credentials - This section is important to note as these are the credentials that you have to configure in the Network Security Manager

Note: write down the user name and password you choose

 

          User Details.JPG

 

               User Details - The only mandatory section here is the "First and Last Name".

 

          default analyzer profile.JPG

 

Default Analyzer Profile - this is where we select the analyzer profile that we just configured from the "Policy" tab.

 

          Roles.JPG

 

               Roles - Since your NSP user will be logging in automatically to submit files there is no need to assign this user Admin rights.

Leave all the other boxes checked.

 

          FTP.JPG

 FTP Results Output - If you'd like to output results to an FTP server input the credentials here.

 Finally, click "Save" at the bottom of the page to assign the analyzer profile to the user.

Part 2 - Connect the Network Security Manager to Advanced Threat Defense

 

               Log into your Network Security Manager and navigate to the "Devices" tab and then on the left side of the page expand "Default Device Settings" and then "IPS Devices" and select ATD Integration

          NSP - ATD Integration page.JPG

 

               Fill out the Fields with your ATD's IP address.

          enable communication.JPG

The username is the default user that was built into the ATD user accounts that we just edited and added a default analyzer profile too.

                    Note: This is the password that you wrote down earlier

 

          Test connection.JPG

 

After you have entered in the credentials click "Test Connection from Manager".  If the connection is successful (the message will appear above the "ATD Integration" box) click "Save".

Note: If the connection fails then verify the credentials have been entered correctly.  If the credentials are good then verify that a firewall or router isn't blocking the connection.

 

Part 3 - Configure the Malware Policy for ATD and deploy policy to inspection ports

 

 Navigate to the "Policy" tab to create a policy that forwards files to ATD for inspection.

 

          Advanced Malware Policy.JPG

 

  On the Left expand the "Advanced Malware" section then select "Advanced Malware Policies".  We want to create a new policy, in the bottom right hand corner select "new"

          Advanced Malware Properties.JPG

 In the Properties section give your new rule a name.  You can also give it a description, however, this is optional.  Since we are making this change at the "Global" level and not per device, making the policy visible to Child Admin Domains allows for specific policies to be  applied at the child domains.

 I recommend selecting both HTTP and SMTP, this allows files downloaded via web and attachments in email to be inspected by ATD. Next we'll edit our scanning options

          Scanning Options.JPG

 

               Our scanning options include the list of file types that can be scanned, the Malware Engines that we can select to scan and the

               "Action Thresholds" or the actions we would like to apply upon scanning results.

               Some items to note:

                    Boxes grayed out implied that malware engine isn't available for that file type.  In the case of NTBA it is all grayed out since files scanned by ATD can't also be scanned by NTBA.  If you currently have an NTBA in your environment you can select file scanning  by either ATD or NTBA, but not both.

                    Action Thresholds determine at which point to take action.  In the case of "Alert" if files in ATD are inspect and are rated "Medium" no alert will be created in the manager.  Since I'd like to initially see ATD returning alerts to the manager I'm going to set my Alert Threshold to "Low"

          Scanning Options changed.JPG

 

               Once you have finised configuring your changes select the box "Prompt for assignment after save" the click "Save".  By checking the box you will be guided through the process of assigning your new policy to inspection ports.

 After Clicking "Save" a new page will open asking you to which ports you'd like to assign your new malware inspection policy.

          ATD Policy assignment.JPG

 

               After selecting the ports (and direction) you'd like to apply your policy move them to the "Selected Interfaces" section.  Once you have selected all relevant ports click "Save".

          update required.JPG

 

               A dialogue box will open reminding you that you now have to update your sensors to have the policy take effect, select "OK".

               On the right hand side under Advance Malware Policy. Select the Assignment Logic and then select the policy you just created for the Inbound and Outbound Policy(s)

                    malware policy.JPG

Scroll further down to "Protection Options". It is recommended to enable Layer7 Data Collection on the interfaces to provide better incident reporting and collection of the file names.

                    Protection Options.JPG

 

After Clicking "Save" navigate to the "Devices" tab and on the left side you can select either "Global" or "Devices" tab to deploy the pending changes.  You can deploy the changes on only the devices being affected but if you have other changes you'd like to make at the same time it can be done from the "Global" tab.  I only have a change at a single sensor so I chose the "Devices" tab.

     deploy pending changes.JPG

               Once you've navigated to the "Deploy Pending Changes" page in either the "Devices" tab or "Global" tab click "update".

After the changes have been deployed to the sensor the new malware policy will be in effect.

To verify that ATD is properly sending alerts please see the video at the top of this document to see where and when an alert from ATD will show in your Network Security Manager.

Additional Resources

               Integration Guide - https://kc.mcafee.com/corporate/index?page=content&id=PD24733&actp=null&viewlocale=en_US&showDraft=f...

Contributors
Version history
Revision #:
3 of 3
Last update:
‎03-14-2018 11:57 AM
Updated by: