6 Replies Latest reply on Sep 2, 2010 1:13 PM by dgold

    McAfee Logon Collector with MFE



      I  am setting up a laboratory for testing and I am trying to use the  Mcafee Logon Collector, the MLC installed on a Windows server 2003  perfectly, through the web console I view who is logged on a given  workstation. In  MFE create an authenticator to use Active Directory and configure the  passport to use passive mode and configure the authenticator in the  passport and when I create a rule and use this authenticator, the access  is requesting login and password, should not be transparent? Anyone know where I can be wrong.



        • 1. Re: McAfee Logon Collector with MFE


          The only transparent authentication method (transparent to the user) on the Sidewinder is the Windows Authenticator (NTLM).  All other authenticators require you to enter a username and password.  Once you enter the username and password a Passport will be created and you will not have to authenticate again until the Passpot expires.

          • 2. Re: McAfee Logon Collector with MFE



            If using the MLC and v8 of the Firewall you don't need to configure an authenticator on your rule - select the MLC user/user groups that you want to be allowed or denied and that is all you need to do. Assuming the MLC is configured correctly you should see user information in your audit for all connections coming from a system that is authenticated and you should also see a list of AD user groups as available for creating policy. You can also select the <Authenticated> option which will allow all authenticatd users.



            • 3. Re: McAfee Logon Collector with MFE



              So because it serves the McAfee Log Collector? because i thought it was useful for authentication to be transparent.



              • 4. Re: McAfee Logon Collector with MFE

                The MLC is essentially 'transparent' authentication, but the user is not required to submit credentials (like with NTLM).


                So with MLC (Passive) authenitcation the MLC agent monitors the AD server and identifies the username that is logged into the IP at any given time. This allows you to use user information for any type of connection (not just those that support authenitcation channels.) This information is provided to the firewall and can be used for user/identify discovery or as part of policy enforcement.


                If using the MLC for user discovery, you will see that the user will be audited for all connections where a user is logged in to a specific IP address. (MLC knows that user dgold is coming from for example), so if I am logged in to my machine and my machine has address, all connections from my machine through the firewall will audit my username. This is great for identifying who is doing what through the firewall.


                I can then also use the MLC as part of policy enforcement, which means I can create user based policy. I can create a rule for users or user groups and then my credentials are used to match a rule. Therefore we are using the MLC information to authenitcate, but I am actually not sending the credentials directly, the firewall just knows where I am logged in on the network. In this case the authenitcator on your rule should be set to None/Passport and you should select the MLC users or user groups under 'Users and Groups' in your policy.


                Hope that helps. I would look at the documentation for additional examples.



                • 5. Re: McAfee Logon Collector with MFE

                  Hi Dave,


                  Are you saying that:


                  I can have rule which allows traffic between a host and server that can be fine tuned to allow only when a particular user is logged on to the host? Or logon collector is only used for logging and auditing?


                  By the way, do you have any chart comparing MFE8 to other vendor's firewall in the same segment?





                  • 6. Re: McAfee Logon Collector with MFE

                    The MLC can be used for auditing/logging as well as enforcement. The big benefit with enforcement is that we are able to tie policy to users without requiring that the protocol support authentication channels. When a packet comes in, the firewall looks at the IP and maps this to the user logged in to that IP with the MLC monitoring AD authentication and mapping to IP addresses.