4 Replies Latest reply on Dec 27, 2010 4:20 PM by bgable

    McAfee Host Intrusion Prevention - Content Updates

[duplicate posting of https://community.mcafee.com/message/166015#166015]

Hi All,

We currently use VirusScan Enterprise 8.7 in "unmanaged" mode (i.e. no ePO); we have two computers also running VirusScan Enterprise 8.7 that run a mirror task; the mirrored folders are then made available to network PCs via an FTP service.  This means that all clients fetch updates from these FTP servers.  It is highly resilient and load balanced:

• we have a DNS entry called "AV" that resolves to either FTP server (called AV1 and AV2)
• AV1 refers to the first FTP server, AV2 refers to the second FTP server (naturally!)
      • the client is configured to fetch updates from
        • AV
        • AV1
        • AV2
        • McAfeeHTTP
      • this means it will first try AV, which will resolve to either AV1 or AV2's IPv4 address.  This gives crude but effective load balancing.  If this fails, it will try AV1, then AV2, then McAfeeHTTP
      • the two FTP servers are completely independent; they each fetch updates directly from McAfeeHTTP themselves.
• This works really well.  A server, or even two servers, can fail, yet the clients will continue to get updates (the only scenario it doesn't help with is corrupted repositories: the client will successfully connect and attempt to update, but the repository is corrupted so the client can't update, yet it will not try the next repository.  We accept this.)

Anyway, we're looking to deploy McAfee HIPS 7.0.  We've been trialling this successfully.  Now we're looking for a "production class" deployment.  According to "McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0", page 22, HIPS clients can only fetch updates from the ePO server.  The spirit of ePO seems to be one ePO server in an environment, then use distributed repositories.  Fine for anti-virus DATs, no use for HIPS content updates.

       

How do I design the system in order to give us highly available content updates?

- Register an additional ePO server?  The ePO product guide hints at what to do, but doesn't really elaborate why.  Further, it seems a fairly "intimate" relationship - using SQL database instances and passwords, etc.  This suggests they might be less than "independent"; what I have with the two McAfee VirusScan Enterprise 8.7 mirror-then-FTP-service boxes is completely independent boxes - one can fail and have absolutely zero impact on the other.  I am anxious this won't be the case with these ePO servers.

- Have two independent ePO servers, each with a master repository that is updated hourly, but then clients register with and are managed by only one of the ePO servers, and the second ePO server is an additional repository?  Is this even possible?  I would imagine I'd have to export keys from the first server and import them into the second to avoid authentication/trust issues.

- Accept this limitation?  Only one ePO server, and be prepared with a short RPO/RTO?

Another, related question - we are using ePO mainly because I have to: HIPS requires it.  We need to distribute updates and policies, and feedback about detections is nice, but keeping it for a long time is not really necessary.  Would it be appropriate for my backup/recovery strategy to simply back up the keys; then, to restore, rebuild from scratch, same server/IPv4 address, import the keys, connect to Active Directory?  Initially, all the clients would be unmanaged again.  However, within hours, McAfee Agent will connect to the newly-built server and become "managed" again.  While the server is down, the last known policies will be retained and continue

       

I would be interested in how others have considered/approached/addressed this.

Kind regards,

Anwar
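The post above describes a client that walks an ordered list of update sources (AV, then AV1, AV2, McAfeeHTTP), with the name AV resolving to either mirror, and notes the one case the design does not cover: a mirror that is reachable but holds a corrupted repository, where the client connects, fails to update, and does not move on. The following simulation is an added example written for this thread; it is not code from the post, from McAfee, or from the agent, and it does not model McAfee's real repository format or the real agent's behaviour. Host names, the digest-in-manifest integrity check, the payload and the `pick_first` resolver stand-in are all constructed assumptions. It contrasts the described fail-over-on-connection-error client with one that also fails over on a failed integrity check.

```python
"""Repository failover simulation for an update client (added example, not
code from the forum post or from McAfee).

Models the fetch order described in the post (AV -> AV1 -> AV2 -> McAfeeHTTP),
where "AV" has two A records and resolves to one mirror, and shows the gap the
post accepts: a reachable mirror serving corrupt content stalls a client that
only fails over on connection errors, whereas a client that verifies content
before applying it moves on to the next source.  All hosts, digests and
payloads below are constructed sample data.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Picker = Callable[[List[str]], str]
Result = Tuple[str, Optional[str], List[str]]


@dataclass
class Repository:
    """Constructed stand-in for one update source (FTP mirror or vendor site)."""
    reachable: bool
    manifest_sha256: str  # digest the repository advertises for its content (assumed mechanism)
    content: bytes        # what a client actually downloads


def make_repo(content: bytes, reachable: bool = True, tampered: bool = False) -> Repository:
    """Build a sample repository; tampered=True corrupts the content after the
    manifest digest was computed, i.e. a partially mirrored or damaged copy."""
    digest = hashlib.sha256(content).hexdigest()
    if tampered:
        content = content + b"\x00trailing-garbage"
    return Repository(reachable, digest, content)


def resolve(name: str, dns: Dict[str, List[str]], pick: Picker = random.choice) -> str:
    """Resolve a name: 'AV' carries both mirrors' records, so the resolver hands
    back one of them; names without a DNS entry resolve to themselves."""
    return pick(dns[name]) if name in dns else name


def pick_first(hosts: List[str]) -> str:
    """Deterministic stand-in for the resolver's round-robin choice."""
    return hosts[0]


def fetch(repo: Repository) -> Optional[bytes]:
    """Return the content, or None when the connection fails."""
    return repo.content if repo.reachable else None


def content_ok(repo: Repository, data: bytes) -> bool:
    """Integrity check: downloaded content must match the advertised digest."""
    return hashlib.sha256(data).hexdigest() == repo.manifest_sha256


def naive_update(order: List[str], repos: Dict[str, Repository],
                 dns: Dict[str, List[str]], pick: Picker = random.choice) -> Result:
    """Client that only fails over on connection failure, as the post describes:
    a reachable but corrupt repository ends the attempt."""
    tried: List[str] = []
    for name in order:
        host = resolve(name, dns, pick)
        tried.append(host)
        data = fetch(repos[host])
        if data is None:
            continue  # could not connect -> try the next entry in the list
        if not content_ok(repos[host], data):
            return ("failed-corrupt", host, tried)  # connected, so no further failover
        return ("updated", host, tried)
    return ("failed-unreachable", None, tried)


def hardened_update(order: List[str], repos: Dict[str, Repository],
                    dns: Dict[str, List[str]], pick: Picker = random.choice) -> Result:
    """Client that treats a failed integrity check like a failed connection and
    keeps walking the list, so one corrupt mirror does not block updates."""
    tried: List[str] = []
    for name in order:
        host = resolve(name, dns, pick)
        tried.append(host)
        data = fetch(repos[host])
        if data is None or not content_ok(repos[host], data):
            continue  # unreachable or corrupt -> next entry
        return ("updated", host, tried)
    return ("failed-all", None, tried)


def sample_environment(av1_tampered: bool = True):
    """Constructed environment: two mirrors plus the vendor site, AV1 optionally corrupt."""
    payload = b"constructed HIPS content bundle v1"
    repos = {
        "AV1": make_repo(payload, tampered=av1_tampered),
        "AV2": make_repo(payload),
        "McAfeeHTTP": make_repo(payload),
    }
    dns = {"AV": ["AV1", "AV2"]}
    order = ["AV", "AV1", "AV2", "McAfeeHTTP"]
    return order, repos, dns


if __name__ == "__main__":
    order, repos, dns = sample_environment()
    print("naive:   ", naive_update(order, repos, dns, pick_first))
    print("hardened:", hardened_update(order, repos, dns, pick_first))
```

With AV1 corrupt and the resolver returning AV1 first, the naive client stops at AV1 while the hardened client continues through the list to AV2; with AV1 merely unreachable, both clients reach AV2. Whether a given agent verifies content before applying it is a question for the vendor, not something this simulation can answer.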

        • 1. Re: McAfee Host Intrusion Prevention - Content Updates
          Kary Tankink

Some comments:

According to "McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0", page 22, HIPS clients can only fetch updates from ePO server.  The spirit of ePO seems to be one ePO server in an environment, then use distributed repositories.  Fine for anti-virus DATs, no use for HIPS content updates.

Host IPS clients can retrieve updates from a managed ePO repository (which can be the Master or Distributed Repositories).  The McAfee Agent policy dictates what repository clients connect to in order to get updates.

Another, related question - using ePO mainly because I have to: HIPS requires it.  Need to distribute updates and policies, and feedback about detections is nice, but keeping it for a long time is not really necessary.

The Host IPS product architecture requires ePO server (policy/update) functionality.  The product is not supported in un-managed mode.

          • 2. Re: McAfee Host Intrusion Prevention - Content Updates

Hi Kary,

Thanks for your reply.  The Product Guide does seem to insist content updates can only come from the ePO master repository:

page 22: "Host Intrusion Prevention clients obtain updates only through communication with the ePO server, and not directly through FTP or HTTP protocols"

By implication, HIPS clients cannot obtain updates from distributed repositories (i.e. FTP, HTTP or UNC repositories).  Have I misunderstood?

I am aware that HIPS requires ePO.  I'm really suggesting I don't really need to back up or recover the ePO data store; in a restore situation, simply rebuild from scratch and restore the keys only.  I wanted opinions on this approach.

Kind regards,

Anwar

            • 3. Re: McAfee Host Intrusion Prevention - Content Updates

Hi All,

Just to clarify,

- is the documentation wrong?  HIPS clients can obtain content updates from either the master repository or distributed repositories?

- what are backup and recovery strategies for ePO?

Kind regards,

Anwar

              • 4. Re: McAfee Host Intrusion Prevention - Content Updates

You should be able to set up distributed repositories using ePO.  You can also specify how you want failover to occur for content.  You might want to post this question on the ePO forum.

HIP only requires that it be managed by ePO.  HIP content is not posted on an HTTP or FTP common updater site, as is the case for VSE DATs.