This intent of this article is to walk you through the installation of the McAfee IPS sensor,
Network Security Platform (NSP) and the McAfee Network Security Manager (NSM).
Once both the manager and sensor have been installed I'll demonstrate how to integrate
the two, update policies, enable GTI, and Application Identification.
Network Security product: http://www.mcafee.com/us/products/network-security-platform.aspx
Contact Mcafee: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales
This video walks you through the steps required to install and integrate a McAfee IPS sensor with the McAfee Security Manager. You can also follow the step-by-step instructions below instead.
Go to http://www.mcafee.com/us/downloads/downloads.aspx at this point you will enter your grant number
Once on the download page navigate "McAfee Network Security Platform"
Scroll down until you find the NSP Manager Software, after you click on the link you'll have to agree to McAfee's End User License Agreement prior to downloading the software.
On the download page select the version of Network Security Manager that you'd like to install. For the purposes of this document we used 184.108.40.206
Tip: download the software directly onto the server you'd like NSM to be installed on.
The sensor I will be using is the M-1450
Connect to the device via console to configure an IP address used later during the integration process with NSM
|Number of bits||8|
Once you've connected to the sensor default username and password is admin/admin123.
Type the command:
"set sensor ip" and
"set sensor gateway"
This will give the sensor an IP address accessible to the Network Security Manager you'll be installing.
At this point test access via SSH using the assigned IP address.
SSH default username and password is admin/admin123
If your connection is successful WAIT to complete the sensor configuration.
Note: We will complete sensor management integration later in a later step.
If your connection failed, go back to console connection and type the command "show"
to verify IP and Gateway settings.
After saving the NSM software to the desktop of the server you'd like to be your manager double click the NSM icon to begin the install process...
The Installation wizard opens after the "installAnywhere" dialogue box is finished. During the wizard, you'll need to click through the steps listed in the screenshot above. "Install Type" is based on the number whether or not this is a central manager or a standard manager.
The rest of the questions refer to installation locations and resources. I've selected all the defaults, please choose what makes the most sense for your installation and make notes if default folder locations are changed.
*If you'd like to connect to an existing database the credentials are asked for during setup in the "Customize Installation" section.
If no database has been preconfigured on this server then one will be installed during this time.
*Please make note of your user names and passwords used during the installation process.
If a browser doesn't launch on completion of installation open a browser and navigate to the manager at one of the above-listed options.
*Supported Browsers as of 6-2014
IE 9.0, 10.0, and 11.0
Safari 6.0 & 7.0
*Note: Recent versions of Chrome will not support the Java required in NSM version 8.2 or older
At this point 1 of 2 options will present itself, you'll find yourself at a configuration wizard or on the NSM dashboard with no information.
You'll notice that the wizard walks through a 10 step process. This process updates the manager to the latest signature set and allows you to set a schedule to check for and install new signatures.
The video and following write-up DOES NOT follow option 1
The video follows option 2 for many reasons, the main reason being, that after following these steps the administrator is more familiar with workflows making changes in NSM.
From the dashboard navigate to the "Devices" tab. On the left-hand side of the page select the "Add Device Wizard" option. Earlier in the sensor configuration, we didn't complete the setup because we want to establish a trust between the sensor and the manager.
At the time of the sensor install, the manager wasn't ready and a trust couldn't have been established.On the "Add Device Wizard" page fill in the "Device Name", "Device Type", "Shared Secret <this will be the same on the sensor>, and "Confirm Shared Secret "
Hit "next" and navigate to your sensor through either a console or SSH connection
Type "setup" in the command line. You will now be guided your through the steps necessary to connect the sensor to the manager...
The "setup" command walks you through:
Sensor Name (must match manager "sensor name in order to establish a trust)
IPV4 or IPV6
Sensor IP address
Sensor subnet mask
Manager primary address
Manager secondary address (if one has been configured)
Sensor default gateway
Management port configuration
Shared Secret Key (This is the same shared secret key entered on the manager)
Once you have entered (and confirmed) the shared secret key on the sensor go back to the manager and select "next". At this point, the NSM will try to establish a trust with the sensor and if there are no typos and the two devices can communicate over the network a trust should be established with a couple of minutes.
By typing the "status" command on the terminal we can see when the trust has been established between the manager and the sensor...(Manager Communications)
We can now also see that the device is listed in the manager
Now that the Manager can manage the sensor we'll want to make sure that our sensor has the latest signature set that is available.
Navigate to the "Manage" tab and then under "updating' on the left, select "Download IPS Signature Sets"
The signature version currently on the sensor is 220.127.116.11 and we can see there is a more recent set available, 18.104.22.168. Select the radio button by the newest signature set and select "Download" in the lower right hand corner.
Note: This action downloads the new signature set to the manager but does not push the signatures to the sensor.
IP Reputation (formerly Trusted Source) – Comprehensive, real-time, cloud-based IP Reputation service to provide
Web reputation – URL and web domain categorization service to take policy-based threats
Web categorization – URL and web domain categorization service to take policy-based action on user web activity as well as protect custom against both known and emerging web-based threats.
Message reputation – Message and sender reputation service to protect against message-based threats such as spam
Network connection reputation – IP address, network port, and communications protocol reputation service to determine granular reputation intelligence protect against network threat.
File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation service to protect against both known and emerging malware-based threats
Each of these technologies works together to provide information about the threats and vulnerabilities, which gives GTI the ability to predictively adjust reputations across all threat areas and thereby avoid attacks.
Navigate to the "Manage" tab then on the left-hand side expand "Integration" and select "Global Threat Intelligence". When you first visit this page a window will open asking if you’d like to participate by sending the detailed information attacks your network may discover back to McAfee Labs.
A list of what is being sent can be viewed at any time by hitting the “show me what I’m sending” link on the right-hand side of the page.
To configure the information being reported via GTI select “yes” or “no” to each of the sections under “Global Threat Intelligence”
By selecting the “+” icon more detail is available to see exactly what is being sent from each section.
In my configuration, I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage. I have chosen not to send System Faults to GTI.
Also in this window is the option to exclude our organizations IP address information for a
given list of endpoints.
Enter in the IP address range you’d like to exclude, add them to the list then click ‘save’
(typically this is your private address space)
The Next section of the page allows you to determine what level of alerts are sent to GTI.
To reduce information being sent from my network, I have selected “high” and “medium”
opting not to send alerts that are either “low” or “informational”.
The next section gives the user the option to provide contact information to McAfee. This information will be used to communicate end of life and other key product milestones. Since I am in a lab environment my data will be anomalous and of little value to the GTI community, I have opted not to send contact information.
The last section on the Global Threat Intelligence integration page is a “test” portion. This allows you to input any IP address and verify connectivity with GTI.
Note:This page defines the parameters by which GTI will communicate to and from your organization, which alerts details and summary may be sent, and some device details, it does not implement this information into a policy for blocking or alerting purposes.
As mentioned earlier there are two parts to GTI;
IP Reputation and File Reputation.
There are two steps to implement IP Reputation, the first is globally at the domain level. Then additional changes are made at the interface on the device level. Changes can be made and implemented per interface only, but as a best practices we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.
Navigate to Devices > Global > Default Device Settings > IPS Devices > IP Reputation
At the global level there are 3 steps to implement IP Reputation:
(Since I am in a lab environment and don’t have to worry about performance I have
selected all protocols to be inspected)
I selected “Inherit CIDR Exclusion list from GTI
Once this is saved let’s move to our inspection ports and apply IP Reputation inspection.
Navigate to Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile
Once you are on the protection profile page there are five different areas defined by grey boxes.
A quick look through this page and you’ll notice that I have the “Default Inline IPS” policy deployed,
an ATD policy for my Advanced Malware Policy and no Firewall Policies or Connection Limiting Policies in place.
To implement IP reputation select both the “Enable Inbound” and “Enable Outbound” boxes and select “save"
After you select “save” a dialogue box will appear asking you to deploy your settings.
This will take you to step 3
In version 8.2 or later of the NSM GTI implementation is done at the policy level, specifically
in the advanced malware policy. Navigate to Policy -->Intrusion Prevention -->Advanced Malware
Use the default malware policy as a clone to create a new policy by selecting the "Default Malware
Policy" then select "clone" in the lower right hand corner.
The Advanced Malware Policies page will open. Name your new policy and select the protocols you'd like to
scan. On the lower half of the page titled "Scanning Options" you'll see all of the Network Security Platform's
signature-less engines, including GTI.
Select the file types you'd like to look up in GTI and select save in the lower right hand corner and move to step 3.
To push the GTI policy we just created out to the sensor, we need to deploy the changes.
Navigate to the "Devices" tab then on the left there are two tabs "Global" and "Devices" select "Devices"then in that menue select "Deploy Pending Changes" On the Deploy Pending Changes page select "Update"
Note: When changes are waiting to be deployed there will be a notification in the upper right hand corner on the Network Security Manager.
During the update a status window will appear to let you know of the update progress
Navigate to Policy > Advanced Malware
If this is your first time navigating to this page only the Default Malware Policy will be visible. Select “Default Malware Policy” and then hit the “clone” button at the bottom of the page. A new window will open.
Define your advanced malware Polciy
Apply the Advanced Malware Policy to an interface for inspection
After Clicking “Save” a “PolicyName / Assignments” window will open
*Notice there are two listings for each interface, one inbound and one outbound.
Clicking okay will take you to the “Deploy Pending Changes” page. If it doesn’t it is located in Device >
Devices (M1450 in our example) > Deploy Pending Changes
Select “Update” to deploy the changes to your selected ports.
After the changes have been applied you should be able to brows to the Advanced Malware Policies and see that the GTI File
Reputation policy has been assigned to two interfaces.
GTI is now enabled
McAfee creates signatures for applications based on an ongoing research. This involves creating signatures for applications for which there were no signatures earlier. This also involves removing signatures for invalid and obsolete applications. These application signatures enable the Sensors to accurately detect the applications on your network. The application signatures are bundled as part of the regular signature set that the McAfee Update Server downloads to the Manager. If the Manager is connected to the McAfee Update Server, the application database of your Network Security Platform remains up-to-date.NS-series and M-series Sensors can identify the applications being used in your network and act on them.
You can choose to allow or block specific applications on your network. For example, you can block just the connections to Facebook from your network while allowing all other HTTP and HTTPS traffic. Using advanced Quality of Service (QoS) policies, you can also control the bandwidth allocated for applications on your network.
In addition to controlling the applications on your network, you can also view the Internet applications that are accessed from your network. Related details such as the network bandwidth consumed by specific applications is now available. You can also check if these applications generated any attacks.
Without Application Identification enabled, application data regarding the network won’t be reported to the dashboard.
Application identification is done on the NS-series and M-series sensors. To enabled this feature brows to Devices >
select ‘Devices’ tab > Policy > Application Identification
This set up is straight forward
Now we need to push the new configuration out to the selected sensor.
On the same page to the left, select “Deploy Pending Changes”.
Once that page loads select “update” update to push the changes to the sensor.
Within 5 minutes information is being reported to the dashboard
At this point we have
1. Deployed a sensor
2. Built NSM and Configured and updated the signature set
3. Enabled GTI both IP Reputation and File Reputation
4. Enabled Application Identification
There are many more features that can be deployed on the Network Security Manager that can help increase visibility from external attacks to endpoint events. Look for videos and write-ups on the McAfee Community.