8 Replies Latest reply on Jul 19, 2010 11:47 AM by easy1ndian

    McAfee Infrastructure Design Evaluation

      Dear All,

      I'm coming close to the testing of our McAfee Infrastructure in our organization. I want it to be as good as possible since this project (other than McAfee) is going to complicate our systems and network. So I just want to make sure that design flaws do not add to the complication.

      I've attached the design (two different paths to Web Gateway) I want to implement (if it's approved by all of you). Now, I want all your comments to make sure that things will work as smoothly as the diagram itself :-)

      You will see lots of DMZs and even internal departments within the same building separated by firewall. We are not allowed to use VLANs.

      I've noted the number of devices that will use McAfee services in each network. I want to reduce the traffic crossing the firewall to the data center to a minimum. This is the reason I chose to install a server in each network that will serve directory authentication, DNS, Global Catalog, File Services and McAfee Agent Handlers.

      I don't want the data centre ePO server to go to the Internet and download updates and patches. But I want the data center ePO to have the management console which the Support team can use. The ePO in the perimeter network should also serve the systems in the DMZs connected to the same firewall. Should I be using an agent handler in the perimeter? It's my understanding that ePO does not support hot standby.

      Please let me know your queries, concerns, comments, suggestions and everything else that can help me.

      [Attachments: Project.McAfee.2010.00.png, Project.McAfee.2010.01.png]

      Thank you all in advance.

      regards,

      1ndian

      I will use the following McAfee Products:

      VirusScan, AntiSpyware, HIPS or SolidCore, EEPC, EEFF, Policy Auditor, Vulnerability Manager, Remediation Manager and Host DLP


      on 14/7/10 8:38:35 AM GST
        • 1. Re: McAfee Infrastructure Design Evaluation
          djjava9

          How many users is this for? If I'm not mistaken there are only a few users... why do you need two ePO servers? Why are you separating the ePO server and the SQL DB if it's a small amount of users... you can put them on the same server.

          • 2. Re: McAfee Infrastructure Design Evaluation
            jstanley

            This statement concerns me: "I want to reduce the traffic crossing the firewall to data center to minimum."

            Agent handlers are not meant to address bandwidth concerns. From page 15 of the AH whitepaper:

            Agent Handler should not be installed to:

            • Replace distributed repositories. Distributed repositories exist to distribute large files throughout an organization, and do not contain any logic.

            • Connect a disconnected network segment where there is limited or irregular connectivity to the ePO database.

            So, to be clear, agent handlers will not in any way reduce the amount of traffic flowing across the WAN. All of the information clients send to the AH ends up getting transferred across the WAN back to the ePO DB. You should use distributed repositories to reduce your WAN traffic.

            Unless you have a very large environment (think more than 50,000 nodes) or a hardware-challenged ePO server, the only reason to use agent handlers would be if you didn't want to poke holes through your firewall to allow the agents to communicate directly with the ePO server (think DMZ). In that scenario you can put an agent handler on the other side of the firewall for the agents to communicate with, and poke holes through the firewall specifically for the AH to communicate with both the ePO server and the SQL server. From your description it sounds like this scenario *may* apply to you.

            I've attached a copy of the Agent Handler White paper for you. If you do decide to implement all those agent handlers you may want to review the chart on page 14 of the AH whitepaper for the proper ports to open through the firewall.
            • 3. Re: McAfee Infrastructure Design Evaluation

              Thank you dj for your comments.

              In the Datacenter, besides ePO, the database server will host other databases for different applications, so the SQL server license is justified. In the DMZ, SQL server will host SFTP Server databases, SMTP reporting databases, SharePoint and a couple of other databases. So the database server is not dedicated to ePO in either case.

              regards,

              1ndian

              • 4. Re: McAfee Infrastructure Design Evaluation

                Thank you Jeremy,

                My statement about firewall traffic was only meant to address the end users or devices; not to reduce bandwidth. I don't want any devices in the network to access the ePO in the datacenter, but the agent handler in the same network. My firewall will allow only the Agent Handler server to contact ePO and the database.

                Can I keep an Agent Handler in the perimeter that can act as Master Repository?

                My requirement is that internal servers must not connect to the Internet directly (even through firewall) and perimeter devices must not contact internal systems directly (even through firewall).

                It's a paranoid network configuration mandated by the authorities :-) We even need two people to access any rooms within the facility. So it's not about the number of users. It's about having contingency for each and every service. We are not allowed to use virtualization either.

                Thank you for the white paper.

                regards

                1ndian

                • 5. Re: McAfee Infrastructure Design Evaluation
                  jstanley
                  "Can I keep an Agent Handler in the perimeter that can act as Master Repository?"

                  You can, but if this is the ONLY purpose for the agent handler I would recommend using a distributed repository. It's a simpler solution because distributed repositories have no logic and it will accomplish the same goal.

                  "My requirement is that internal servers must not connect to Internet directly (even through firewall) and perimeter devices must not contact internal systems directly (even through firewall)."

                  This is a valid reason to use an AH. So, to be clear, there are exactly two reasons to use an AH. Although technically an AH in the perimeter would make direct contact with the ePO server and the SQL server on the internal network.

                  • 6. Re: McAfee Infrastructure Design Evaluation

                    Hi Jeremy,

                    Thank you very much for clearing that up.

                    I've one question:

                    Can I have two separate ePOs, one in the perimeter and the other in the intranet, and get reports and logs in one place? Is this scenario possible? Would you recommend it? Why and why not?

                    Do you have a better design in this scenario than the one I proposed? What would you change?

                    Thanks

                    1ndian

                    • 7. Re: McAfee Infrastructure Design Evaluation
                      jstanley
                      "My requirement is that internal servers must not connect to Internet directly (even through firewall) and perimeter devices must not contact internal systems directly (even through firewall)."

                      If this statement must be adhered to strictly then there is literally no way to accomplish what you want. We do have the ability to roll up data between two separate ePO servers to generate reporting on one server for both; however, this would require direct access between the two ePO servers. Otherwise an agent handler would come close to accomplishing what you need. Only one machine (the AH itself) would have to violate the above rule, while all clients reporting to that agent handler would not require direct access to the internal network.

                      My suggestion, if possible, would be to use an AH in your DMZ to the external world for external clients (i.e. clients that are not on your WAN but must communicate over the WWW, or for those handful of machines that are actually in the DMZ) and use distributed repositories for all your internal locations (sites). I would recommend keeping the number of AHs to a minimum. Agent handlers are much more complicated than distributed repositories and I believe the simplest solution is the best. That said, if you have some internal constraints that force you to treat internal WAN sites as if they were external sites going through a DMZ, then what you have outlined above is probably the closest thing you will get, with the one exception to your rule being that the Agent Handlers in the DMZ will still require direct access to internal systems (the ePO server and the SQL server).
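The trade-off Jeremy lays out above (without an AH every DMZ agent must reach the internal ePO server; with an AH exactly one perimeter machine crosses the rule, to reach the ePO server and the SQL server; two rolled-up ePO servers need direct ePO-to-ePO access) can be checked mechanically before firewall rules are written. The Python below is an added illustration, not code from this thread or from McAfee. Host names, zone assignments and the flow lists are constructed assumptions; no ports are modelled because the thread only points to the whitepaper chart for them.

```python
from dataclasses import dataclass
from typing import Dict, List

INTERNAL, PERIMETER, INTERNET = "internal", "perimeter", "internet"


@dataclass(frozen=True)
class Host:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src: Host
    dst: Host
    purpose: str


# Constructed sample hosts; the names are hypothetical, not from the thread.
EPO = Host("epo-dc", INTERNAL)          # ePO server in the data centre
SQL = Host("sql-dc", INTERNAL)          # ePO database server
AH = Host("ah-dmz", PERIMETER)          # Agent Handler in the perimeter
REPO = Host("repo-dmz", PERIMETER)      # distributed repository in the perimeter
EPO_DMZ = Host("epo-dmz", PERIMETER)    # second ePO server (roll-up variant)
UPDATE_SITE = Host("update-source", INTERNET)
DMZ_CLIENTS = [Host(f"dmz-srv-{i}", PERIMETER) for i in range(1, 4)]


def design_flows(design: str) -> List[Flow]:
    """Flows each design needs. Agents always need a host with ePO logic
    (the ePO server or an AH) for policy and events; a distributed
    repository only serves content and carries no logic."""
    if design == "direct":
        # Baseline: no AH, every DMZ agent talks to the ePO server itself,
        # and the ePO server pulls its own updates from the Internet.
        flows = [Flow(c, EPO, "agent-server communication") for c in DMZ_CLIENTS]
        flows.append(Flow(EPO, UPDATE_SITE, "master repository pull"))
        return flows
    if design == "agent_handler":
        # AH in the DMZ fronts the agents; repository serves content locally.
        flows = [Flow(c, AH, "agent-server communication") for c in DMZ_CLIENTS]
        flows += [Flow(c, REPO, "content update") for c in DMZ_CLIENTS]
        flows += [Flow(AH, EPO, "AH to ePO server"),
                  Flow(AH, SQL, "AH to ePO database")]
        return flows
    if design == "two_epo_rollup":
        # Separate ePO in the DMZ, rolled up to the internal one for reporting.
        flows = [Flow(c, EPO_DMZ, "agent-server communication") for c in DMZ_CLIENTS]
        flows.append(Flow(EPO_DMZ, EPO, "roll-up reporting"))
        return flows
    raise ValueError(f"unknown design: {design}")


def violates_policy(flow: Flow) -> bool:
    """The two rules stated in the thread: internal hosts never reach the
    Internet, and perimeter hosts never reach internal systems."""
    internal_to_internet = flow.src.zone == INTERNAL and flow.dst.zone == INTERNET
    perimeter_to_internal = flow.src.zone == PERIMETER and flow.dst.zone == INTERNAL
    return internal_to_internet or perimeter_to_internal


def violating_hosts(design: str) -> Dict[str, List[str]]:
    """Map each source host that must cross a rule to the purposes forcing it."""
    result: Dict[str, List[str]] = {}
    for f in design_flows(design):
        if violates_policy(f):
            result.setdefault(f.src.name, []).append(f.purpose)
    return result


def crossing_rules(design: str) -> List[str]:
    """Explicit firewall exceptions the design needs, one per crossing flow."""
    return sorted(f"allow {f.src.name} -> {f.dst.name} ({f.purpose})"
                  for f in design_flows(design) if violates_policy(f))


if __name__ == "__main__":
    for d in ("direct", "agent_handler", "two_epo_rollup"):
        print(d, violating_hosts(d))
        for rule in crossing_rules(d):
            print("   ", rule)
```

Running it shows the point of the discussion: the baseline needs an exception for every DMZ agent plus one for the ePO server's Internet pull, the AH design needs exactly two exceptions, both from the one AH host, and the roll-up design needs one exception between the two ePO servers.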

                      • 8. Re: McAfee Infrastructure Design Evaluation

                        Thank you very much Jeremy,

                        I will try your solution in the next couple of months. At present my test bed is doing SQL/Exchange/SharePoint. I think I can allow the AH in the DMZ to access the internal network since the traffic is not initiated from the Internet. I've a few doubts regarding your solution about AH and distributed repositories; I will get back to you after I finish reading the ePO guide :-) I don't want to bug you with each and every concern that I have.

                        Thanks again. Really appreciate your help.

                        regards

                        1ndian