Addendum I to 7.1 Documentation. McAfee Network Security Platform 7.1


COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

- Preface (page 7)
  - About this guide
    - Audience
    - Conventions
    - What's in this guide
  - Find product documentation
- 1 Overview (page 9)
  - Introducing McAfee Network Security Platform
- 2 IPS enhancements (page 11)
  - Integration with VMWare
    - Packet inspection of virtual machines
  - Stateless access rules
    - Stateless access rules and scanning exceptions
    - Configure stateless access rules
  - IPS for mobile networks
    - set mnsconfig
    - set mnsconfig radiuslb
    - show mnsconfig
    - View Mobile Alerts in the Threat Analyzer
    - Troubleshooting support
  - Simulated blocking enhancement
    - Configure simulated blocking at the interface level
  - Latency monitor enhancement
    - latency-monitor restore-inline enable/disable
  - SNMP v2 support enhancement
    - snmpv2support
  - Quoted printable character decoding in SMTP
  - NTP client
  - Malware detection enhancement
    - Configure File Reputation
  - Audit log events to the Manager
    - Enable audit log events from the Manager
    - View Sensor CLI user activity log
    - View Sensor CLI user activity report
  - Periodic inline restore from bypass mode
  - Default IP for Sensor management port
  - Restricted SNMP write access for 3rd party NMS users
  - Packet logging enhancement
  - TACACS+ user in audit logs
  - Audit forwarding using SNMP v3
  - VLAN ID in reconnaissance events
  - Support for forwarding fragmented packets
  - Inline fail-over port pair functionality
  - Add Device Wizard enhancements
    - Add a device using the wizard
  - Syslog notification enhancement
    - Forwarding alerts to a syslog server
    - Adding a syslog notification profile
    - Editing or deleting a syslog notification profile
    - Adding a syslog server profile
    - Editing or deleting a syslog server profile
  - Dashboard and display filter option
    - Adding or editing a new dashboard
    - Dashboard options
    - Add a new display filter
    - Action buttons
    - Display filter options
  - Alert assignment enhancement
    - Assigning alerts to users
    - Removing assignments from alerts
    - Grouping alerts by assignments
    - Display Filter option for assignments
  - Attack Filters enhancement
    - Management of rule objects
    - Deleting attack filters from the Attack Filters editor
    - Deleting attack filters from the Threat Analyzer
  - Configure password complexity settings
    - Password strength
    - Password History
    - Password Expiration
    - Account Lockout
    - Account Lockout Message
    - Password Expiration page
  - Configure session control settings
  - Granular access control for CLI commands (for TACACS user)
- 3 NAC enhancements (page 81)
- 4 NTBA enhancements (page 83)
  - Support for Virtual NTBA Appliance
    - Upgrade support
    - Heterogeneous support for NTBA Appliances
  - Next Generation Reports enhancements
    - Run a Next Generation Default report
    - Reports that are no longer in use
    - Create a Next Generation duplicate report
    - Next Generation User Defined report
  - Integration with McAfee Logon Collector
  - Enterprise Appliance enhancements
    - Configure an Enterprise NTBA Appliance
    - Display monitors for Enterprise Appliance
  - External storage enhancements
    - Define an external storage device
    - Retrieve data stored on external storage
  - Netflow exclusion filters enhancements
    - Add a new exclusion
    - Inherit exclusions to child domains
    - Deploy configuration changes on device
  - NTBA attack notification enhancements
    - Send notifications for quarantined attacks
    - Create a custom message
  - Add Device Wizard enhancements
    - Add an NTBA Appliance
    - Delete an Appliance configuration
  - Capacity planning enhancements
    - Prune the database
  - Dashboard enhancements
    - Types of dashboards
    - Add a new dashboard
    - Assign a monitor to a dashboard
    - Edit a dashboard
    - Types of NTBA monitors and options
    - List of NTBA default monitors
    - List of NTBA additional default monitors
    - List of NTBA custom monitors
    - Change custom parameters of NTBA monitors
  - TimeView Charts enhancements
    - View TimeView charts in the default monitors
    - Viewing TimeView charts in custom monitors
  - Display filter enhancements
    - Add a new display filter
    - Display filter options
    - Action buttons
  - Usability enhancements in NTBA
    - Host threat factor enhancements
    - Time Zone enhancements
    - NetFlow forwarding enhancements
    - NTBA Settings user interface enhancements
    - Exporter configuration enhancements
    - NetFlow direction setting per port
    - Default population of CIDRs
    - DNS configuration is independent of GTI
    - NS Lookup Support
    - HTF monitor enhancement
    - Support for sorting GTI data in monitors
    - Other enhancements in monitors
    - Quarantine enhancements
    - Other CLI command enhancements
    - Debugging enhancements
    - XC Cluster support
- 5 Manager and Central Manager enhancements (page 129)
  - Support for heterogeneous environments
    - What are heterogeneous environments
    - When would you need a heterogeneous environment?
    - Feature-support in a heterogeneous environment
  - Enhancements related to custom attacks
    - Snort rule validation utility
    - Templates for McAfee custom attacks
  - Access the Manager from mobile devices
  - Preferences enhancement in Threat Analyzer
    - General panel
    - Persisting user-selected views in Alert Details
    - Quick filter option
    - Alerts details display
    - Hosts details display
  - Attack filter assignment in Central Manager
    - Attack filter configuration
  - Central Manager and Manager infrastructure details
  - Troubleshooting enhancements
- 6 Product integrations (page 159)
  - Integration with McAfee Logon Collector
    - Benefits
    - Integration requirements
    - How Network Security Platform - Logon Collector integration works
    - Configuration details for Logon Collector integration
    - Viewing Logon Collector details in the Threat Analyzer
    - Viewing Logon Collector details in Network Security Manager reports
    - Communication error
  - Vulnerability Manager integration enhancement
    - Integration requirements
    - Save Vulnerability Manager settings
    - Error messages
  - Global Threat Intelligence (GTI) Participation enhancements
    - Alert Data Details
    - General Setup
    - Feature Usage
    - Technical Contact Information
- Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
- About this guide
- Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
- Administrators: People who implement and enforce the company's security program.
- Users: People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses the following typographical conventions and icons.
- Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
- Bold: Text that is strongly emphasized.
- User input or Path: Commands and other text that the user types; the path of a folder or program.
- Code: A code sample.
- User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
- Hypertext blue: A live link to a topic or to a website.
- Note: Additional information, like an alternate method of accessing an option.
- Tip: Suggestions and recommendations.
- Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
- Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide
This guide contains information regarding enhancements for IPS, NAC, NTBA, Central Manager, and Manager.

Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal.
2 Under Self Service, access the type of information you need:
- User documentation: Click Product Documentation; select a product, then select a version; then select a product document.
- KnowledgeBase: Click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.

1 Overview

This document is a standalone document for this release of McAfee Network Security Platform 7.1. The addendum supplements and supersedes information released in the earlier release of the Network Security Platform 7.1 user documentation.

Introducing McAfee Network Security Platform
McAfee Network Security Platform delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical enterprise, carrier and service provider networks, while providing unmatched protection against spyware and against known, zero-day, and encrypted attacks.

McAfee Network Threat Behavior Analysis Appliance provides the capability of monitoring network traffic by analyzing NetFlow information flowing through the network in real time, thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a single Manager.


2 IPS enhancements

This chapter describes the IPS enhancements for this release.

Contents
- Integration with VMWare
- Stateless access rules
- IPS for mobile networks
- Simulated blocking enhancement
- Latency monitor enhancement
- SNMP v2 support enhancement
- Quoted printable character decoding in SMTP
- NTP client
- Malware detection enhancement
- Audit log events to the Manager
- Periodic inline restore from bypass mode
- Default IP for Sensor management port
- Restricted SNMP write access for 3rd party NMS users
- Packet logging enhancement
- TACACS+ user in audit logs
- Audit forwarding using SNMP v3
- VLAN ID in reconnaissance events
- Support for forwarding fragmented packets
- Inline fail-over port pair functionality
- Add Device Wizard enhancements
- Syslog notification enhancement
- Dashboard and display filter option
- Alert assignment enhancement
- Attack Filters enhancement
- Configure password complexity settings
- Configure session control settings
- Granular access control for CLI commands (for TACACS user)

Integration with VMWare
With this release, McAfee Network Security Manager supports integration with virtual network security management vendors, such as Reflex Systems, and with VMWare to analyze traffic flows between virtual machines and perform IDS on the virtual traffic.

Packet inspection of virtual machines
McAfee Network Security Sensor can be connected through a switch port to ESX servers that are hosting virtual networks. A virtual management center (VMC) that manages these ESX servers can send traffic flows between the virtual machines (VMs) to the Sensor for inspection. The Sensor analyzes the traffic based on the configured policies. If any anomaly is detected, the Sensor sends details such as the source ESX server IP address, the destination ESX server IP address and the attack information to the Manager. The Manager raises an alert in the Threat Analyzer and sends the quarantine details to the VMC. The quarantine action on the affected host (virtual machine) is taken by the VMC.

A new interface type, VM-Aware, has been introduced in the Manager to enable monitoring of attacks on traffic between virtual machines (inter-VM traffic).

Note the following:
- This release supports integration with Reflex Systems VMC and with VMWare.
- The operating mode for the Sensor port must be set to SPAN.
- The Manager supports one vendor per Sensor interface.
- Multiple ESX servers can be connected to a single Sensor.
- This release supports configuring more than one VMWare or Reflex setup on a single VM-Aware interface.

Prerequisites
The following components are required for configuring IDS on virtual networks:
- For VMWare: ESXi 5.0, vShield 5.0, and vSphere 5.0 with vSphere Distributed Switch, or later
- For Reflex: Reflex VMC version 2.12 build or later
- McAfee Network Security Manager version 7.1.x.x or later

For more information on Manager installation, refer to the Network Security Platform Installation Guide. For more information on virtualization features in Network Security Platform, refer to the Network Security Platform Device Administration Guide.

Configuration of port mirroring for VMware
First you have to set up a connection from a dedicated switch uplink port on the host to the Sensor monitoring port. The simplest form is a direct cable from an ESX physical NIC to a Sensor monitoring port.

Figure 2-1 Virtual network with port mirror for VMware

Task
1 Use vSphere Client to connect to the VMware vCenter Server Appliance.
2 Set up a datacenter with a vSphere Distributed Switch (vDS).
3 Select Home | Inventory | Networking, and select the vDS for which you want to set up the IDS inspection.
4 Right-click and select Edit Settings.
5 Select the Port Mirroring tab and click Add.

6 Enter the session name, for example, McAfee Intrusion Detection Monitoring.
7 Select the Encapsulation VLAN checkbox and enter the VLAN ID corresponding to the VLAN range entered in the VM-Aware interface.
8 Make sure the mirrored packet is not restricted in its length (keep Mirrored packet length deselected).
9 Click Next.
10 From Specify Sources, select the ports whose traffic you want inspected.
11 Click Next.
12 From the Destination type, select Uplink. Select the dvUplinks that are connected or routable to a Sensor monitoring port. For example, if there are two uplinks, dvUplink2 is typically chosen for mirroring whereas dvUplink1 can be used for the normal uplink communication on the vDS.
13 Click Next.
14 Select the Enable this port mirroring session checkbox and click Finish.

Tasks
- Check if traffic is mirrored

Check if traffic is mirrored
Task
1 Verify that the connection is up by going back to Step 4 of the preceding section and checking that the port mirror is not disabled.
2 Go to the vDS ports page and find a virtual machine among the ports that you specified in Step 10 of the preceding section. Make this virtual machine send traffic and verify that the packet counter on the VM-Aware interface shows the packets being received.
3 Trigger an alert (by accessing on a remote virtual machine that is ideally also included in Step 10 of the previous section).
4 On the Manager, open the Real-Time Threat Analyzer and right-click the attack, or trigger an attack that has the automatic response of quarantining specified.
5 Specify quarantine as the response and see if the response is carried out successfully by verifying that the attacking virtual machine is moved to the quarantine zone as specified in Step 5 of the preceding section.

Define and apply McAfeeQuarantine group in vShield
Task
1 Log on to the vShield Manager from the browser.
2 Select Datacenters | General | Grouping.
3 Click Add to create a new group called McAfeeQuarantine with the entire datacenter as the scope.
4 Save the information.
5 From the vShield Manager, select the ESX host to be protected and install the vShield App by clicking Install.

6 Select Datacenters | App Firewall | L3 | Inside | McAfeeQuarantine | Add. The Add L3 Rule-IP protocols window is displayed.

Figure 2-2 Add L3 Rule-IP protocols window

7 Fill out the following fields:
- Source: Type the source as McAfeeQuarantine.
- Source boundary: Select the Inside checkbox.
- Destination: Specify the destination or leave it blank.
- Type of traffic: Select the type of traffic.
- Action: Select the Block checkbox.
- Logging: Select an option.
- Enabled: Select an option.
8 Click OK to save the changes.
9 Click Publish Changes.
10 Repeat the steps to block L2 traffic.

Configuration of Reflex VMC
This section covers the prerequisite steps that must be completed on the Reflex VMC before configuring VM-Aware interfaces on the Manager.

Install Reflex VMC
Obtain the installation package from Reflex. The package is a .zip file that contains the VMC server image packed in the Open Virtualization Format (OVF). The OVF file contains all the required software components, such as the Reflex VMC server and the Reflex VMC client for Microsoft Windows. For more information on Reflex VMC installation, refer to the Reflex Systems documentation.

Task
1 Unzip the OVF installation .zip to your local machine.
2 Open your VMware vSphere client.
3 Select the ESX host on which you wish to run the VMC server.
4 Click File | Deploy OVF Template.
5 Browse and select the OVF file (unzipped in Step 1).
6 When prompted by the wizard, enter the following information:
- Static management IP address for the VMC server: Ensure that the IP address that you enter is accessible from the VMC client.
- Netmask
- Network gateway
- DNS server IP address
- Support Label: Enter a unique support label for your VMC server.
7 Click OK to start the installation. After the installation is complete, it may take around 4-5 minutes for Reflex VMC to be ready for use.
8 Open a web browser session on the machine where you wish to install the VMC client.
9 Enter the IP address of the VMC server (the one you provided in Step 6). The Reflex VMC server web page opens and prompts you to download and install the Reflex VMC client.
10 Install the Reflex VMC client.
11 When prompted to enter the license information, provide your valid license key, or opt to use the 30-day evaluation license key.
12 Complete the installation process. Following this, the VMC client icon appears on your desktop.
13 When you launch the Reflex VMC client, it prompts you to enter the VMC server IP address, username and password. By default, username = admin, password = admin. When you log on the first time, the application opens the VMS Properties window.
14 Enter the VI center IP address details and select the Enable Harvesting option. This discovers all the ESX hosts and virtual machines under the VMC server.

Install vTrust
Task
1 On the Reflex VMC server, select Topology | Inventory.
2 Select the ESX host, right-click and select vTrust | Install/Update on hosts. Complete the wizard steps. The ESX host must be placed in maintenance mode during the vTrust installation.

3 Select the virtual machines to be protected by right-clicking and selecting vTrust | Install on VM(s).
4 Select the network adapters. You are prompted for the IP address of the vTrust Sensor. The IP address should be present on the Reflex VMC server.
5 Click Next and complete the wizard steps. A lock icon is displayed on the virtual machines when the vTrust installation is successful.

Create policies
Task
1 On the Reflex VMC server, select Security | vTrust Workspace.
2 Under the Zones tab, click the + icon to create the zones. Enter a zone name in the Define a Zone window.
3 Specify your name and parameters. Zones can have more than one object.
4 Under the Policies tab, click the + icon to create a policy. Enter a policy name in the Policy Name window.
5 Click Add to create a rule.
6 Enable the following actions in the rule: Log, IDS, and Allow.
7 Select the source and destination zones to apply the policy to the correct zones.
8 Select Security | Policy Engine and click Push policy. The policy push can be automatic or manual. McAfee recommends that you enable the automatic policy push option.

When you run traffic between two zones, you can view alerts under Security | Log Viewer.

Configure the IDS Redirector
Task
1 Log on to the Reflex VMC server.
2 Select Administration | IDS Redirectors.
3 In the vTrust IDS Redirector page, click Edit.
4 Add the following details:
- VLAN ID: Used to tag the redirected traffic.
- MAC Address: Not used currently, but you must still enter a MAC address, for example, 00:00:00:00:00:00.
5 Select the ESX host and the vSwitch on which you want to redirect the traffic for that ESX host, and click OK.

Enable IPS Quarantine
Task
1 Log on to the Reflex VMC server.
2 Click vTrust workspace.
3 Right-click a virtual machine and select Edit All Tags | New.
4 Define a tag with the name McAfeeQuarantine, and click Save.
5 Install the default policies, which include McAfeeQuarantine (the name is case-sensitive). The McAfeeQuarantine policy must be enabled manually by selecting the Enabled checkbox.
6 Verify that the automatic Policy push is enabled on the Reflex VMC server.

Enable APIs
For the integration between the Reflex VMC server and the Manager to work, the following API properties must be enabled on the Reflex VMC server:

Task
1 Select Administration | Server | Edit server configuration and set the following:
Core.api.enabled=true
Core.api.require.auth=true
2 Restart the VMC server for the changes to take effect.

By default, the communication between the Reflex VMC server and the Manager is through a non-secured HTTP connection. To use secured communication over SSL, complete the following steps:
- Enable SSL in the API section in Reflex VMC: Core.api.use.ssl=true
- Enable SSL in the Manager by adding the following line to the ems.properties file: Iv.core.virtualization.usessl=true
3 From the <Manager install>\bin directory, run InstallCert to retrieve the certificate from Reflex VMC into the Manager key store. For example: InstallCert <Reflex_VMC_IP_Address>:8443
4 Run the tool to install the certificate for every Reflex VMC that you plan to integrate with the Manager.
5 Restart the Manager after the installation of the certificate is complete.

Configure the VM-Aware interface in the Manager
Task
1 From the Manager, select <Admin Domain Name> | IPS Settings | <Device Name> | <Interface-x> | Properties | Edit. The Edit page is displayed.

Figure 2-3 Edit page

The fields on this page differ depending on the interface chosen. For example, the Interface Type drop-down list is populated with values depending on the interface chosen.
2 To configure the VM-Aware interface, select a virtual interface whose operating mode is configured as SPAN or Hub (single port).
3 From the Interface Type drop-down list, select VM-Aware. The following message is displayed: The IPS Interface to this port pair is currently configured for Virtualization. Please ensure your switches are configured to handle this scenario. More than one Virtualization configuration on a port is supported. Once interface is configured as Dedicated, further sub-interfaces cannot be configured on this.
4 Click Edit to define the configuration. Using the configuration profile page, you can create and manage the basic information and the list of configurations.

5 Type the required information in the Edit VM-Aware Interface page.

Figure 2-4 Edit VM-Aware Interface page

- Interface Name: Enter a name that will help you quickly identify the interface.
- Description: (Optional) Enter a description for the interface.
- Virtualization Management Server Type: Select either Reflex System LLC or VMware.

More than one interface per Sensor can be configured as VM-Aware.
6 Click Save. The following window is displayed.

Figure 2-5 Virtual Management Servers page

7 Click New to add a new configuration for VMWare or Reflex System, as explained in the following sections.

Tasks
- Add new configuration for the VMware on page 21
- Add new configuration for the Reflex System

Add new configuration for the VMware
Task
1 On the Edit VM-Aware Interface page, click New. The Edit VMware page is displayed.

Figure 2-6 Edit VMware page

2 Enter the required information:
- vCenter IP Address: Enter the IP address of vCenter.
- vCenter Port Number: Enter the port number for communicating with the vCenter. It should be within the range of
- vCenter Username: Enter the username to access the vCenter.
- vCenter Password: Enter the password.
- vCenter WebService Path: Enter the web services path data.
- vShield Manager IP Address: Enter the IP address of vShield Manager.
- vShield Port Number: Enter the port number for communicating with vShield. It should be within the range of
- vShield Username: Enter the username to access vShield.
- vShield Password: Enter the password.
- vShield WebService Path: Enter the web services path data.
- VLAN Range: Enter the VLAN range that corresponds to the VLANs set up in the port mirroring sessions.
3 Click Test Connection to test the connection.
4 Click Save.

You can add multiple VMware configurations.

Add new configuration for the Reflex System
Task
1 On the Edit VM-Aware Interface page, click New. The Edit Reflex System LLC page is displayed.

Figure 2-7 Edit Reflex System LLC page

2 Enter the required information:
- Virtualization Management Server IP Address: Enter the IP address of the Virtualization Management Server.
- Port Number: Enter the port number for communicating with the third-party VMC server. It should be within the range of
- Username: Enter the username to access the third-party VMC server.
- Password: Enter the password.
- Web Service Path: Enter the web services path data.
- VLAN Range: Enter the VLAN range that corresponds to the VLANs set up in the port mirroring sessions.
3 Click Test Connection.
4 Click Save.

How to view alerts on inter-VM traffic
After your VM-Aware interface configuration is complete, the Sensor begins monitoring the virtual traffic. When the Sensor detects an attack in the inter-VM traffic, an alert is raised in the Threat Analyzer of the Manager.

The Threat Analyzer All Alerts page now has additional columns to display the source and destination virtual machine names. Alerts in Central Manager also display the source and destination virtual machine names. You can get the IP addresses and names of the virtual machines if you have installed VM Tools on the guests.

Figure 2-8 Viewing source and destination of virtual machines

You can opt to group alerts by the Src VM Name and Dest VM Name columns using the Group By and Display Filter options.

When you select an alert, right-click and select Show Details, the Alert Details page opens.

Figure 2-9 Alert Details page

You can view the following information on the Alert Details page:
- Source VM Name
- Destination VM Name
- Source ESX Server Name
- Destination ESX Server Name

Considerations
The Manager supports the following while using the VM-Aware option:
- You can include source and destination VM hostnames when sending alert information to syslog servers.
- If you configure the Manager to notify you via e-mail, pager, or script for alerts based on alert severity, you can now also include the source and destination VM hostnames.
- The data source for the Next Generation user-defined reports includes Destination VM Name and Source VM Name under the Available fields.
- If you have an MDR pair in your deployment, the VM-Aware configuration and the alerts related to inter-VM traffic on the primary Manager are automatically synchronized with the secondary Manager.

How to quarantine virtual machines

The network traffic flowing between virtual machines on the same physical server is a blind spot for the appliances, so attacks in that traffic evade detection. By redirecting a copy of the traffic to a Sensor monitoring port configured as VM-Aware, such attacks can now be detected. A new response action allows placing attacking virtual machines into a quarantine zone that limits or turns off all further network communication. Responses are enforced using VMware's vShield product, which allows for flexible quarantine zone creation.

Reverse the Quarantine

You can reverse the quarantine of a host that is placed in the quarantine list.

Task
1 Add the virtual machine to the Quarantine List.
2 Go to the list of quarantined hosts and remove it from the list.
3 Alternatively, you can also extend the quarantine time.

Stateless access rules

There could be certain traffic that you want the Sensor to allow or block without deeper inspection. That is, you may not want to spend time or valuable Sensor resources on traffic that you completely trust or traffic that you want to completely avoid. You can use stateless access rules for such cases. For example, you can use them to bypass IPS inspection for trusted high-throughput applications like database backups. You will observe lower latency with stateless access rules than with stateful access rules, because the Sensor allows or blocks packets based only on the L4 information in those packets, thereby saving time and resources.

To use stateless access rules, you need a Manager and M-series Sensors running on x or above.

You can create stateless access rules in both advanced and classic Firewall policies. Compared to the regular access rules, the stateless access rules allow or drop traffic in a stateless manner. That is, for stateless rules the Sensor considers the traffic on a per-packet basis, whereas for service-based and application-based regular access rules it considers the entire flow. So, if you set the response as drop for a stateless rule, the Sensor drops the matching packets, but for a regular rule it drops the flow. You can use stateless access rules during troubleshooting, where you might want the Sensor to drop packets of only one direction in a flow.

Notes:

You create a stateless access rule just like any other Firewall access rule but with the following differences:
• Except for the response and application, all other columns are similar to the regular access rules in terms of functionality and usage.
• In the Response column of the rule, you select stateless ignore or stateless drop. The Sensor identifies a stateless access rule based on this selection only.
  • Stateless ignore: This is the same as the ignore option. That is, the Sensor permits the packet without further inspection.
  • Stateless drop: The Sensor discards the packet.
  You can use the stateless access rules in SPAN and tap mode, but the stateless drop response action has no effect.

• For the Application column, you cannot select any rule object that is related to stateful traffic. For example, you cannot select anything related to TCP. You cannot use any rule object that requires the Sensor to inspect beyond L4. You can only select the following for stateless access rules:
  • UDP-any default service rule object
  • ICMP-any default service rule object. All default ICMP rule objects are allowed.
  • Custom service rule objects where the IP Protocol is UDP or the Protocol Number is something other than 6 or 89. IP protocol number 89 relates to OSPF (RFC 1583), which is a routing protocol; this traffic bypasses the stateless access rules on the Sensor. You cannot configure a rule for Protocol Number 6.
  • Custom service group rule objects that use service rule objects created as described in the previous point.
  You cannot use any of the default service rule objects except UDP-any and ICMP-any. Nor can you use any service group rule objects created using the default service rule objects other than UDP-any and ICMP-any.
• The Sensor cannot log matched traffic to a syslog server. You cannot create a stateless access rule with logging enabled.

The stateless access rules generally target traffic that must be allowed or blocked on a priority basis (that is, allowed or blocked across your network). Also, as explained earlier, the Sensor takes less time to process these rules. For these reasons, it is recommended that you define the stateless rules ahead of other similar regular rules and assign them at the pre-device level.

Stateless access rules and scanning exceptions

Stateless access rules are comparable to scanning exceptions in terms of functionality. Scanning exceptions too enable traffic to bypass the Sensor's inspection in a stateless manner. However, stateless access rules provide more features and more granular control.

If both scanning exceptions and Firewall access rules are configured, the Sensor processes scanning exceptions first. That is, only the traffic that is allowed based on scanning exceptions is subjected to the Firewall access rules (stateless or stateful).

The following table compares stateless access rules with scanning exceptions:

Scanning exceptions: The Sensor processes these before the access rules.
Stateless access rules: The Sensor checks only those packets that did not match the scanning exception rules. If a packet had matched a scanning exception rule, it would have bypassed the Sensor.

Scanning exceptions: These rules allow the matched traffic to pass through the Sensor without inspection for attacks. There is no provision to drop the matched traffic.
Stateless access rules: The matched traffic can either be dropped or allowed to pass through.

Scanning exceptions: You cannot define the source or destination of the traffic in the rule.
Stateless access rules: You can apply the rule based on the source and destination of the traffic. You can set any of the following as the criteria for source and destination in case of advanced Firewall policies:
  • Country to which the source or destination IP address belongs
  • Host DNS name
  • Specific IPv4 addresses
  • Range of IPv4 addresses
  • Specific network or any network in a group

Scanning exceptions: The criteria to match traffic can be TCP port numbers, UDP port numbers, or VLAN IDs.
Stateless access rules: The criteria can be the following:
  • IP protocol number between 0 and 255 except 6 and 89. You can configure 89, but this traffic cannot be dropped as the Sensor ignores it by default.
  • UDP port numbers
  • ICMP

Scanning exceptions: No option to specify direction or time.
Stateless access rules: You can apply the rule in the inbound, outbound, or both directions. In case of advanced Firewall policies, you can specify the time period when the Sensor must enforce a rule.

Scanning exceptions: You define the scanning exceptions at the Sensor level. The TCP- and UDP-based scanning exceptions are applied at the Sensor level. VLAN-based exceptions are applied at the Sensor or port-pair level.
Stateless access rules: Though the Sensor (pre-device) level is what is recommended, you can apply these at the following levels:
  • Sensor
  • Interface or sub-interface
  • Port level

Scanning exceptions: Immediately after you define them, the Manager sends the scanning exceptions to the corresponding Sensor. Does not require a configuration update.
Stateless access rules: Needs a configuration update to take effect.

Scanning exceptions: Supported only on M-series Sensors except M-1250 and M
Stateless access rules: Supported on all M-series Sensors running on x or above.

Scanning exceptions: Supported only in inline mode.
Stateless access rules: Supported in inline, SPAN, and tap modes. However, the response action in SPAN and tap does not affect the actual traffic.

Configure stateless access rules

Before you begin
• You have created an advanced or classic Firewall policy to which you want to add stateless access rules.
• You have created the rule objects, especially the service or service group rule objects, required to create your stateless access rules.

This section provides the high-level steps to create stateless access rules.
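The processing order described in the comparison above (scanning exceptions first, then stateless rules decided per packet, then regular rules decided per flow) can be followed in this added Python model. It is illustration code written for this addendum, not Network Security Platform code: the rule fields, addresses and ports are constructed, and scanning exceptions are modelled by port only (VLAN-ID exceptions are left out).

```python
from dataclasses import dataclass

TCP, UDP, ICMP, OSPF = 6, 17, 1, 89


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    direction: str  # "inbound" or "outbound"


@dataclass
class StatelessRule:
    proto: int
    port: "int | None"     # destination port to match; None means any
    response: str          # "stateless ignore" or "stateless drop"
    direction: str = "both"
    logging: bool = False

    def __post_init__(self):
        # Constraints the addendum places on stateless rules.
        if self.proto in (TCP, OSPF):
            raise ValueError("stateless rules cannot use IP protocol 6 or 89")
        if self.response not in ("stateless ignore", "stateless drop"):
            raise ValueError("response must be stateless ignore or stateless drop")
        if self.logging:
            raise ValueError("stateless rules cannot log matched traffic")

    def matches(self, pkt):
        return (pkt.proto == self.proto and (self.port is None or pkt.dport == self.port)
                and self.direction in ("both", pkt.direction))


@dataclass
class FlowRule:
    proto: int      # regular (service-based) rule: matched once, applied to the whole flow
    port: int
    response: str   # "ignore" or "drop"

    def matches(self, pkt):
        return pkt.proto == self.proto and self.port in (pkt.sport, pkt.dport)


def is_valid_stateless(proto, port, response, logging=False):
    """True if this combination is allowed for a stateless rule."""
    try:
        StatelessRule(proto, port, response, logging=logging)
        return True
    except ValueError:
        return False


class Sensor:
    def __init__(self, scan_exceptions, stateless_rules, flow_rules, mode="inline"):
        self.scan_exceptions = scan_exceptions  # {proto: {port, ...}}; VLAN exceptions not modelled
        self.stateless_rules = stateless_rules
        self.flow_rules = flow_rules
        self.mode = mode                        # "inline", "span" or "tap"
        self.dropped_flows = set()

    def process(self, pkt):
        # 1. Scanning exceptions come first; a match bypasses all access rules.
        if pkt.dport in self.scan_exceptions.get(pkt.proto, set()):
            return "bypass"
        # 2. Stateless rules are decided per packet; no flow state is kept.
        for rule in self.stateless_rules:
            if rule.matches(pkt):
                if rule.response == "stateless drop" and self.mode == "inline":
                    return "drop"
                return "forward"  # stateless ignore, or a drop in SPAN/tap (no effect)
        # 3. Regular rules: a drop sticks to every later packet of the flow, both directions.
        key = (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))
        if key in self.dropped_flows:
            return "drop"
        for rule in self.flow_rules:
            if rule.matches(pkt):
                if rule.response == "drop" and self.mode == "inline":
                    self.dropped_flows.add(key)
                    return "drop"
                return "forward"
        return "inspect"  # no access rule matched: normal IPS inspection


def demo(mode="inline"):
    # Constructed rules and addresses for the walk-through.
    sensor = Sensor(
        scan_exceptions={UDP: {1194}},
        stateless_rules=[StatelessRule(UDP, 514, "stateless drop", direction="inbound"),
                         StatelessRule(UDP, 1194, "stateless drop")],
        flow_rules=[FlowRule(UDP, 53, "drop")], mode=mode)
    r = {}
    # Stateless drop: only the matching inbound packets are dropped; the reply is not.
    r["syslog_in"] = sensor.process(Packet("203.0.113.5", "10.0.0.20", UDP, 40000, 514, "inbound"))
    r["syslog_out"] = sensor.process(Packet("10.0.0.20", "203.0.113.5", UDP, 514, 40000, "outbound"))
    # Regular drop: the reply belongs to the dropped flow, so it is dropped too.
    r["dns_in"] = sensor.process(Packet("203.0.113.5", "10.0.0.53", UDP, 41000, 53, "inbound"))
    r["dns_out"] = sensor.process(Packet("10.0.0.53", "203.0.113.5", UDP, 53, 41000, "outbound"))
    # The scanning exception wins over the stateless drop rule on the same port.
    r["vpn_in"] = sensor.process(Packet("203.0.113.5", "10.0.0.9", UDP, 42000, 1194, "inbound"))
    return r
```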

Task
1 Go to <Admin Domain Name> | IPS Settings | Policies | Firewall Policies.
2 Select the Firewall policy in which you want to add the stateless rules.
3 It is recommended to have the stateless rules above any of the other rules. So, select the top-most rule and click Insert Above.
4 Enter the Description for the rule.
5 Select the appropriate values for Source, Destination, Effective Time, and Direction.
6 For Application, select from the following:
  • ICMP-any or UDP-any default Service rule objects
  • All default ICMP objects
  • The custom Service or Service Group rule object that you created. Note that these rule objects must be based on IP protocol number (other than 6 and 89) or UDP port number.
7 In the Response column, select stateless ignore or stateless drop.

8 Click Save.
9 Update the Sensor configuration for the rule to be enforced.

You cannot log the packets that matched a stateless access rule. However, you can view the number of packets dropped by using the show inlinepktdropstats <monitoring port> command on the Sensor CLI. You cannot view the number of packets that were ignored as per stateless access rules.

Figure 2-10 Count of packets dropped as per stateless access rules

IPS for mobile networks

With this release, you can monitor traffic in a mobile network. Sensors deployed in mobile networks monitor web traffic and RADIUS accounting traffic that goes out of the GGSN to the Internet gateway and RADIUS servers. This is enabled using the CLI.

When the mobile security feature is enabled, Sensors can detect application downloads on Android (.apk files) and work with McAfee Global Threat Intelligence File Reputation to detect or block malware.

For more information, see the command set mnsconfig in the McAfee Network Security Platform CLI Guide.

set mnsconfig

Sensors deployed in mobile networks monitor subscriber traffic and RADIUS accounting traffic that goes out of the GGSN to the Internet gateway and RADIUS servers. Each mobile device in the network has an IP address. The Sensor parses the RADIUS accounting traffic exchanged between the GGSN and the RADIUS server and forms an association between IP addresses and subscriber mobile identity details like phone number, IMSI number, and APN. The Sensor also associates the attacks that are detected in the Internet traffic with the mobile subscriber identity data and includes that data in the alerts sent to the Manager.

The following commands are used to enable monitoring of RADIUS accounting traffic in mobile networks. This feature is disabled by default.

Mobile entries are not persisted across a Sensor reboot.

Syntax
set mnsconfig on
  Enables capturing and tagging of mobile subscriber data in the alerts sent to the Manager.
set mnsconfig off
  Disables capturing and tagging of mobile subscriber data in the alerts sent to the Manager.

For more information, see the Monitoring through the Threat Analyzer and Report Generation section in the McAfee Network Security Platform Device Administration Guide and the File Reputation section in the McAfee Network Security Platform IPS Administration Guide.

set mnsconfig radiuslb

This command enables and disables RADIUS traffic load balancing on the Sensor. Because all RADIUS packets exchanged over UDP between the GGSN and the RADIUS server use fixed source and destination ports, the Sensor could miss parsing RADIUS accounting traffic at high data rates. Enabling this command prevents such a scenario.

Syntax
set mnsconfig radiuslb on
  Enables RADIUS traffic load balancing.
set mnsconfig radiuslb off
  Disables RADIUS traffic load balancing.

show mnsconfig

Displays the status of mobile network security (enabled or disabled).

Syntax
show mnsconfig

View Mobile Alerts in the Threat Analyzer

The Threat Analyzer displays the following new fields for mobile alerts:

• Src Phone: source mobile phone number
• Dest Phone: destination mobile phone number
• Src IMSI: source IMSI
• Dest IMSI: destination IMSI
• Src APN: source APN
• Dest APN: destination APN

Figure 2-11 Mobile Alerts
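The IP-to-subscriber association that set mnsconfig enables, and the alert fields listed above, in an added Python example that is not Sensor code: it parses a constructed RADIUS Accounting-Request (standard RFC 2865/2866 attribute numbers, with the IMSI carried in a 3GPP vendor-specific attribute), keeps the mapping while the accounting session is active and tags an alert with the Src/Dest Phone, IMSI and APN fields. The packet, addresses and identities are constructed sample values, and the authenticator is left zeroed rather than computed.

```python
import socket
import struct

# Standard RADIUS attribute numbers (RFC 2865/2866) and the 3GPP vendor-specific IMSI.
ACCOUNTING_REQUEST = 4
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 8, 26, 30, 31
ACCT_STATUS_TYPE, ACCT_START, ACCT_STOP = 40, 1, 2
VENDOR_3GPP, TGPP_IMSI = 10415, 1


def parse_avps(payload):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def parse_accounting_request(pkt):
    """Return {status, ip, phone, imsi, apn} for an Accounting-Request, else None."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field inconsistent with packet")
    if code != ACCOUNTING_REQUEST:
        return None
    rec = dict.fromkeys(("status", "ip", "phone", "imsi", "apn"))
    for atype, val in parse_avps(pkt[20:length]):
        if atype == ACCT_STATUS_TYPE and len(val) == 4:
            rec["status"] = struct.unpack("!I", val)[0]
        elif atype == FRAMED_IP_ADDRESS and len(val) == 4:
            rec["ip"] = socket.inet_ntoa(val)
        elif atype == CALLING_STATION_ID:          # MSISDN (phone number) in mobile networks
            rec["phone"] = val.decode("ascii", "replace")
        elif atype == CALLED_STATION_ID:           # APN in mobile networks
            rec["apn"] = val.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(val) > 4:
            if struct.unpack("!I", val[:4])[0] == VENDOR_3GPP:
                for sub, subval in parse_avps(val[4:]):
                    if sub == TGPP_IMSI:
                        rec["imsi"] = subval.decode("ascii", "replace")
    return rec


class SubscriberTable:
    """IP -> subscriber identity, learned from Start records, forgotten on Stop."""

    def __init__(self):
        self.by_ip = {}

    def update(self, rec):
        if rec is None or rec["ip"] is None:
            return
        if rec["status"] == ACCT_START:
            self.by_ip[rec["ip"]] = {k: rec[k] for k in ("phone", "imsi", "apn")}
        elif rec["status"] == ACCT_STOP:
            self.by_ip.pop(rec["ip"], None)

    def tag_alert(self, alert):
        """Add the Src/Dest Phone, IMSI and APN fields the Threat Analyzer shows."""
        tagged = dict(alert)
        for side, key in (("Src", "src_ip"), ("Dest", "dst_ip")):
            sub = self.by_ip.get(alert[key], {})
            for label, field in (("Phone", "phone"), ("IMSI", "imsi"), ("APN", "apn")):
                tagged["%s %s" % (side, label)] = sub.get(field)
        return tagged


def _avp(atype, value):
    return bytes((atype, len(value) + 2)) + value


def build_accounting_request(status, ip, phone, imsi, apn, ident=1):
    """Constructed Accounting-Request for the demo (authenticator zeroed, not signed)."""
    vsa = struct.pack("!I", VENDOR_3GPP) + _avp(TGPP_IMSI, imsi.encode())
    attrs = (_avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _avp(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
             + _avp(CALLING_STATION_ID, phone.encode())
             + _avp(CALLED_STATION_ID, apn.encode())
             + _avp(VENDOR_SPECIFIC, vsa))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs


def demo():
    """Start record -> tagged alert -> Stop record; all values are constructed, not real."""
    table = SubscriberTable()
    subscriber = ("10.45.0.7", "15550100001", "001010123456789", "internet.example")
    table.update(parse_accounting_request(build_accounting_request(ACCT_START, *subscriber)))
    alert = {"attack": "Android APK download", "src_ip": "10.45.0.7", "dst_ip": "198.51.100.10"}
    tagged = table.tag_alert(alert)
    table.update(parse_accounting_request(build_accounting_request(ACCT_STOP, *subscriber)))
    return tagged, len(table.by_ip)
```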

You can group and filter alerts by these fields.

Figure 2-12 Alert details

The mobile-related alert details can be viewed. For more information, see the McAfee Network Security Platform Manager Administration Guide.

Troubleshooting support

The following debug commands are supported:
• mobliedbg print: Displays the mobile entries (IP, Phone, IMSI, and APN).
• mobliedbg delete: Clears the mobile entries (IP, Phone, IMSI, and APN).

Simulated blocking enhancement

Earlier, simulated blocking was supported via a Sensor CLI command and was configurable only at the Sensor level. With this release, you can enable and manage Simulated Blocking from the Manager, and it is configurable at the interface level.

Simulated Blocking enables you to put the Sensor in a non-blocking mode whereby exploit attacks are not blocked even if the applied IPS policy is configured to do so. Alerts are still raised based on the configured policy. When Simulated Blocking is enabled, response actions that affect the flow of traffic (blocking, sending a TCP reset, and sending an ICMP host unreachable message) are not applied. This feature does not affect the IPS quarantine actions.

This feature allows an IPS sanity check where you get to know the specific attacks that would have hit a blocking rule, that is, which attacks would be blocked during normal operation, without actually blocking them (the alerts explicitly mention that blocking has been simulated). You can also use this feature to temporarily disable blocking for troubleshooting.

Simulated blocking applies to signature-based attack definitions only. Denial-of-Service and reconnaissance attacks will continue to activate response actions if configured to do so.

Simulated Blocking does not change the behavior of the Sensor for the following features:
• DoS blocking
• Host quarantine
• Artemis blocking
• IP sanity error checks
• ACL drop action

These features need to be disabled individually if required.

Disable Simulated Blocking before performing an upgrade using the CLI. This allows data in the Manager to synchronize with the Sensor immediately after the upgrade. If it is not disabled, the first sigfile push will disable this option (by default it is disabled at the device level).

For more information, see the McAfee Network Security Platform CLI Guide and the McAfee Network Security Platform IPS Administration Guide.

Configure simulated blocking at the interface level

To configure Simulated Blocking at the interface level:

Task
1 Select <Admin Domain Name> | IPS Settings | <Device Name> | <Interface-x Name> | IPS Interface Protection Profile. By default, Simulated Blocking is disabled for the entire device.

Figure 2-13 Simulated Blocking dialog

2 Select Simulated Blocking for inbound/outbound traffic. Simulated Blocking is not supported separately for the two traffic directions. If one is configured (enabled/disabled), the other is configured the same way.
3 From the Device-Level Logic drop-down list, make a selection.
  • To enable Simulated Blocking device wide, select Simulation enabled device wide.
  • To disable Simulated Blocking device wide, select Simulation disabled device wide.
  • To control Simulated Blocking per VIDS, select Simulation controlled per interface.
4 Click Save.

The device-level settings override the interface-level settings, that is, you cannot configure Simulated Blocking at the interface level if it is configured at the device level.

The set ipssimulation disable and show ipssimulation status commands are used to manage Simulated Blocking. For more information, see the McAfee Network Security Platform CLI Guide.

Latency monitor enhancement

Earlier, when high latency was observed on the Sensor and the latency monitor was configured, the Sensor remained in layer 2 mode until a layer 2 deassert was invoked or the Sensor rebooted. With this release, the Sensor comes out of layer 2 mode without a layer 2 deassert. For more information, see the McAfee Network Security Platform CLI Guide.

latency-monitor restore-inline enable/disable

When high latency is observed on the Sensor and the latency monitor is configured, the Sensor remains in layer 2 mode until a layer 2 deassert is invoked or the Sensor reboots. This command allows the Sensor to come out of layer 2 mode without a layer 2 deassert.

The Sensor restores to inline from layer 2 if the following conditions are met:
• The latency monitor has put the Sensor in layer 2 mode.
• The Sensor is in good health. If the Sensor is in bad health, a deassert cannot be performed and the Sensor reboots.
• The time configured using this command has elapsed since the Sensor went into layer 2 mode due to latency. The default time to trigger an automatic layer 2 deassert is 10 minutes.

If the latency continues to exist after the Sensor is restored to inline mode, the Sensor behaves as per the current setting of the latency monitor.

Syntax
latency-monitor restore-inline enable <10-60>
latency-monitor restore-inline disable

Parameter   Description
<10-60>     The time (in minutes) to trigger the restore to inline from layer 2. It is counted from the time the Sensor moved into the layer 2 state due to high latency.

The latency-monitor status command displays the current status of the latency monitor feature, as well as the current status of the restore-inline feature of the latency monitor.

SNMP v2 support enhancement

With this release, you can obtain access to the read-only components of the Network Security Platform MIBs using SNMP v2. For more information, see the McAfee Network Security Platform CLI Guide.

snmpv2support

You can obtain access to the read-only components of the Network Security Platform MIBs using SNMP v2. Configure the NMS IP address on the Manager. See the McAfee Network Security Platform Device Administration Guide.

Syntax
snmpv2support enable <CommunityString>
  This command enables SNMP v2 support.

Parameter         Description
CommunityString   The SNMP community string used to authenticate access to MIB objects and functions.

snmpv2support disable
  This command disables SNMP v2 support.

snmpv2support status
  This command displays the status of SNMP v2 support (enabled or disabled).

Quoted printable character decoding in SMTP

The SMTP protocol specification does not address the transfer of binary data, so binary data is encoded for that purpose. With this release, you can inspect quoted-printable encoded PDF files in SMTP traffic to detect threats or anomalies.

Figure 2-14 Configure Advanced Traffic Inspection

Select the option Inspect PDF files in quoted-printable encoded SMTP traffic for malicious JavaScript.

MIME content transfer encodings are used to transport binary data over SMTP. Since the SMTP protocol can handle only 7-bit ASCII data, the binary data is converted to printable ASCII characters (Base64, for example, converts each 3-byte group of binary data into 6-bit numbers, each replaced with an ASCII character). Quoted-printable and Base64 are the two basic MIME content transfer encodings. Quoted-printable encoding uses printable ASCII characters, such as alphanumeric characters and the equals sign (=), to transmit 8-bit data over a 7-bit data path; it maps arbitrary bytes into sequences of ASCII characters.

For more information, see the McAfee Network Security Platform IPS Administration Guide.

NTP client

Earlier, the clock on the Sensor was updated (synchronized) with the Manager. This release provides NTP support, allowing you to configure the Sensor as an NTP client that synchronizes time from a public NTP server. If NTP is configured and Manager connectivity is also established, the Sensor receives time from both the NTP server and the Manager. If there is a loss of connectivity with either the Manager or the NTP server, the other takes over as the time source.

The Manager should be synced with an NTP server prior to starting NTP on the Sensor. Not doing this will break the communication between the Sensors and the Manager.

If the Manager is not using the time received from the NTP server, there might be issues because of the time difference when switching from the NTP server to the Manager and vice versa.

To specify your NTP server, do the following:

Task
1 Select Device List | Misc | NTP Server. The NTP Server page displays. NTP can also be configured for each device.
2 To enable communication with the NTP server, select Enable NTP Server? To stop NTP from the Manager, unselect this option.
3 Configure the two NTP servers; the Sensor will use one of the configured NTP servers based on the least RTT (Round-Trip Time).
  a Type the IP Address. This can be an IPv4 or IPv6 address.
  b Enter the Polling Interval. The range is 3 ~ 17. The configured polling interval is applied as 2^x seconds (2 to the power x).
  c Select Authentication to enable authenticating the NTP servers.
  d Enter the Authentication Key and Authentication Key ID.
  e Select the Authentication Key Type: MD5, SHA, or SHA1. The parameters in d and e are provided by the NTP service provider.
  f Click Save to save your settings.

The IPv4 and IPv6 addresses are mutually exclusive. In any configuration, either the IPv4 or the IPv6 address will be used. For the IPv6 address to work, the Sensor management port should be assigned an IPv6 address.

Figure 2-15 Configure NTP servers

Malware detection enhancement

Earlier, HTTP Response Scanning had to be enabled for malware detection (integration with McAfee Artemis) to work. With this release, you can enable malware detection separately.

Configure File Reputation

Sensors use File Reputation (formerly McAfee Artemis) to provide real-time malware detection and protection for users during file downloads from the Internet. Network Security Platform also provides users the option to upload custom fingerprints, which can be used for malware detection.

You can enable malware detection under <Admin Domain Name> | IPS Settings | Default Protection Options | File Reputation. For more information, see the McAfee Network Security Platform Integration Guide.

Audit log events to the Manager

Network Security Platform allows you to view the Sensor CLI user actions, such as user login and command execution, on the Manager. By default, this feature is disabled.

Enable audit log events from the Manager

To enable audit log events from the Manager:

Task
1 Select Device List | Misc | Sensor CLI Audit Log.
2 Enable the Sensor Audit Log Notification.
3 Click Save.

Figure 2-16 Enable audit log notification

View Sensor CLI user activity log

To view the Sensor CLI user activity log:

Task
1 Click My Company | Log | User Activity Audit.
2 Select Sensor CLI User as the Administrative User to Audit.
3 Click View Messages. The message details are displayed. Click on a description to view more details.

Figure 2-17 View Sensor CLI user activity log

For more information, see the McAfee Network Security Platform IPS Administration Guide.

View Sensor CLI user activity report

To view the Sensor CLI user activity report:

Task
1 Select the Reports icon from the Manager Home page.
2 Click Traditional | Configuration | User Activity.

3 Select Sensor CLI User as the User(s) to Audit.
4 Generate the report.

Figure 2-18 Generate Traditional User Activity report

Figure 2-19 User Activity report

For more information, see the McAfee Network Security Platform Manager Administration Guide.

Periodic inline restore from bypass mode

Sensor port pairs deployed in the inline fail-open mode, that is, connected to external passive fail-open kits, and port pairs with built-in fail-open support, are disabled when they go into the bypass mode due to external network link-down events. In such cases, the Network Security Platform operator is required to monitor the appliance and administratively enable such port pairs to restore inline functionality.

With this release, you can configure the Sensor to periodically restore all such port pairs from bypass to inline mode. This feature is not supported for active fail-open kits. By default, this feature is disabled. When enabled, the Sensor attempts to restore a port pair from bypass to inline mode periodically, as per the configured interval. This restore operation can be enabled only when the Sensor is in good health. The feature is configured through the CLI.

setfailopencfg restore-inline

Configures the Sensor to periodically restore the port pairs from bypass to inline mode.

Syntax
setfailopencfg restore-inline <enable|disable>

setfailopencfg restore-inline-interval

Configures the time interval at which port pairs are restored from bypass to inline mode.

Syntax
setfailopencfg restore-inline-interval <5-60 minutes>

Parameter      Description
5-60 minutes   Time interval (in minutes) at which the Sensor attempts to restore a port pair from bypass to inline. Default is 5 minutes.

showfailopencfg

Displays the current configuration.

Syntax
showfailopencfg

Sample output:
External Passive Failopen Configuration : INLINE
Periodically Restore Inline-Failopen : DISABLED
Restore Inline-Failopen interval : 5 minutes

setfailopencfg internal/external-failopen bypass/inline

Configures the behavior of the port pair after the Sensor reboots.

Syntax
setfailopencfg internal/external-failopen bypass/inline

Parameter   Description
inline      If the Sensor has a link down and is rebooted (setfailopencfg restore-inline is disabled, or enabled but not triggered at the time of reboot), the port pair restores itself into the inline state (by getting enabled and coming up).
bypass      The port pairs stay in the bypass mode (by staying disabled and not coming up).

This configuration is persisted across Sensor reboots.

For the port pairs to be restored from bypass to inline mode, the following conditions should be met:
• The operating mode is inline fail-open (fail-open support is built in or passive fail-open kits are connected).
• If a passive fail-open kit is used, the kit is connected to the Sensor.
• The port pair went into the bypass mode due to a monitoring port link down or a missing cable.

When this feature is enabled or you change the time interval, the Sensor checks and attempts to restore the port pairs to the inline mode immediately. Consider the following scenarios.

Scenario 1: Change of time interval

The feature is enabled at with the default time interval of 5 minutes; at the port link goes down for a few milliseconds and is then restored. At the time interval is changed to 10 minutes; the Sensor checks the port pair and restores the port pair to the inline mode at Subsequently, the Sensor checks the port pairs every 10 minutes (unless the time interval is changed again), that is, the next attempt to restore from bypass to inline mode takes place at

Scenario 2: Feature enabled/disabled

The feature is enabled at with the default time interval of 5 minutes; at the port link goes down for a few milliseconds and is then restored. At the feature is disabled. At the port pair is admin down. The feature is enabled at 11:07; the Sensor checks the port pair but restores the port pair to the inline mode at 11:12.

If you manually disable the port's administrative status, the port continues to remain in the bypass mode even though this feature is enabled.

The Sensor sends a notification to the Manager with a revised timestamp for every failed attempt to restore a port pair from bypass to the inline mode (typically due to link negotiation failure with peer devices).

Figure 2-20 Fault notification

If the restore to inline from bypass operation is successful, the Manager clears prior (bypass) notifications, if any, for that port pair.

Default IP for Sensor management port

Currently, Sensors with default factory settings do not have the management port configured. This release provides a default IP address and netmask for the management port. The following default values are set for the management port:

IP Address :
Netmask :
Gateway :

This gives you the additional option of configuring the Sensor via the management port, apart from the console port.

Restricted SNMP write access for 3rd party NMS users

Sensors support read-only access to the supported proprietary SNMP MIB objects present in the MIB files MCAFEE-SENSOR-CONF-MIB and MCAFEE-SENSOR-PERF-MIB. These files are available in the Manager installation folder (app/config/mibs). This release provides read-write access to the Host Quarantine Group portion of the MIB tree.

To have read-write access to these MIBs, the following configurations are needed:
• Configure third party NMS users.
• Configure a set of IPv4/IPv6 addresses from which third party SNMP access is allowed.

For more information on the above configurations, see the McAfee Network Security Platform IPS Administration Guide and the McAfee Network Security Platform Manager Administration Guide.

To manage the restricted read-write access, you need to enable or disable it from the Sensor CLI. After enabling or disabling the access, the Sensor has to be rebooted only if SNMP users are already configured. If no SNMP user is configured on the Sensor, the configuration takes effect without rebooting the Sensor.

set nmsuserwriteaccess <enable|disable>

Configures read-write access for third party NMS users.

Syntax
set nmsuserwriteaccess <enable|disable>

Parameter   Description
enable      Enables read-write access for third party NMS users
disable     Disables read-write access for third party NMS users

When enabled, the above command activates restricted read-write access to the Host Quarantine Group section of the MIB tree. This restricted read-write access is made available to all the configured third party NMS users.

show nmsuserwriteaccess status

Displays the current SNMP restricted read-write access status.

The following write operations are permitted:
• Add an IPv4/IPv6 entry to quarantine the host.
• Extend the quarantine duration of an existing quarantined IPv4/IPv6 host entry.
• Delete the IPv4/IPv6 filter entries one by one.
• Delete all the IPv4/IPv6 filter entries at once.
• Remediation for IPv4.

If the Sensor is in the fail-over mode, make sure that the entries are created on both the primary and secondary Sensors.

Restricted read-write access is permitted for the section of the MIB tree depicted in the following image.

User Scenarios

Scenario 1

To isolate a host in the Sensor from the third party SNMP application, set the hostquserdeffilteraction object of the hostisoluserdeffiltertable to a value of 1. For setting this object, the following indices are needed:
• IP Address (to be provided in dot-separated format)
• VidsId (should always be set to 0)
• AttackId (should always be set to 0)

The above action is applicable to both IPv4 and IPv6 entries.

Consider the following example: For isolating a host with IPv4 address of , the following OID is to be set with a value of 1.

OID

Scenario 2

To extend the isolation end time of an already isolated host in the Sensor from the third party SNMP application, set the hostquserdeffilterduration object of the hostisoluserdeffiltertable to a value of <time in minutes>. For setting this object, the following indices are needed:

• IP Address (to be provided in dot-separated format)
• VidsId (should always be set to 0)
• AttackId (should always be set to 0)

The above action is applicable to both IPv4 and IPv6 entries.

Consider the following example: For extending the isolation duration of an already isolated host with IPv4 address of , by 30 more minutes, the following OID is to be set with a value of 30.

OID

Scenario 3

A list of already isolated hosts can be retrieved by performing an SNMP walk on the hostqbulkfiltertable. To obtain the list of isolated hosts with IPv4 addresses, perform a walk on the hostqbulkfiltertablev4. Similarly, to obtain the list of isolated hosts with IPv6 addresses, perform a walk on the hostqbulkfiltertablev6.

Scenario 4

To delete an already isolated host in the Sensor from the third party SNMP application, set the hostquserdeffilteraction object of the hostisoluserdeffiltertable to a value of 2. For setting this object, the following indices are needed:
• IP Address (to be provided in dot-separated format)
• VidsId (should always be set to 0)
• AttackId (should always be set to 0)

The above action is applicable to both IPv4 and IPv6 entries.

Consider the following example: For deleting the isolation entry of a host with IPv4 address of , the following OID is to be set with a value of 2.

OID

Scenario 5

To delete all the isolated hosts in the Sensor from the third party SNMP application, set the hostqdeleteallfilters object of the hostqconfiggrp to a value of 2.

OID

Scenario 6

To isolate and remediate an IPv4 host in the Sensor from the third party SNMP application, set the hostquserdeffilterremediationv4 object of the hostisoluserdeffiltertablev4 to a value of 1. For setting this object, the following indices are needed:
• IP Address (to be provided in dot-separated format)
• VidsId (should always be set to 0)
• AttackId (should always be set to 0)

This action applies only to IPv4 entries. For example, to isolate and remediate a host with IPv4 address of , the following OID is to be set to the value 1.
OID

Packet logging enhancement

Earlier, by default, the Sensor logged the 64 bytes of data preceding the attack packet on I-series Sensors and the preceding 128 bytes on M-series Sensors. With this release you can enable logging of the preceding 256 bytes. The feature is enabled from the Sensor CLI and requires a Sensor reboot to take effect.

set previous256byteslogging
Configures the Sensor to log the previous 256 bytes of packet data.
Syntax: set previous256byteslogging <enable | disable>
Parameters:
- enable: Enables previous 256 bytes logging.
- disable: Disables previous 256 bytes logging.

show previous256byteslogging status
Displays whether previous 256 bytes logging is enabled or disabled.
Syntax: show previous256byteslogging status

When previous 256 bytes logging is enabled on the Sensor and Capture 128 Bytes of Attack Data Prior to Attack is enabled on the Manager (IPS Settings | Policies | IPS Policies | Edit | Attack Details for Attack Logging), the 256 bytes preceding the attack packet are logged. Because 256-byte packet logging needs more memory on the Sensor, it reduces the number of supported flows by 10% on M-series Sensors and by 24% on I-series Sensors.

TACACS+ user in audit logs

Network Security Platform allows you to access the Sensor CLI by authenticating against a TACACS+ server database. Previously, although the user was authenticated against TACACS+, the actual login on the Sensor was performed as the admin user, so the audit log showed the commands as executed by admin. With this release the TACACS+ user logs in as that user, and every operation in the audit log is tagged with the TACACS+ user name.

The TACACS+ user logs into the Sensor CLI with their own credentials, and the session is created under a unique Sensor-generated UID, whether TACACS+ authorization is enabled or disabled. Any local database file created for TACACS+ users on the Sensor is not persisted; after a reboot, the entries are recreated as TACACS+ users log in.

For more information, see the McAfee Network Security Platform CLI Guide, the McAfee Network Security Platform IPS Administration Guide and the McAfee Network Security Platform Device Administration Guide. Refer to KB articles KB58269 and KB.

Audit forwarding using SNMP v3

Network Security Platform allows you to configure an SNMP server to which system audit information is sent from the Manager. You can configure more than one SNMP server to receive audit messages. The Manager displays the SNMP servers that have been configured; the fields on this page are described in the configuration steps that follow.

For SNMP forwarding, the root domain and parent domains have the option to include audit information from all of their child domains.

To configure an SNMP server from your Manager:

Task
1. Select <Admin Domain Name> | Audit Notification | SNMP.
2. Select Enable SNMP Notification (the default is No) and click Save.
Figure 2-21 Enable SNMP notification

3. Click New. The SNMP page is displayed.
Figure 2-22 Configure SNMP

Fill in the following fields:

Admin Domains: Whether to include audit information from the child domains of the current admin domain (the option described above for the root and parent domains).
IP Address: IP address of the target SNMP server.
Target Port: The target server's SNMP listening port. The standard SNMP trap port, 162, is pre-filled.
SNMP Version: Version of SNMP running on the target SNMP server. The options are 1, 2c, Both 1 and 2c, and 3.
Community String: An SNMP community string to protect your Network Security Platform data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords. In SNMP versions 1 and 2c the community string travels in clear text, so prefer version 3 with authentication and privacy wherever the target supports it.
Forward Audit: The audit logs to be forwarded. The options are AllowAll Auditlogs, Failed Only, Successful Only, and In Progress Only.

The following fields appear only when SNMP Version 3 is selected:

User Name: The user name used for authentication.
Authoritative Engine ID (Hex Values): The authoritative (security) engine ID of the Manager used for sending SNMP version 3 REQUEST messages. The hex value must be given as whole byte pairs, that is, an even number of hex digits (for example, four pairs such as 00-1B-3F-2C). A MAC address can also be used as the Authoritative Engine ID.
Authentication Level: The SNMP v3 security level. The categories are:
- No Authorization, No Privileges (SNMP noAuthNoPriv): Uses a user name match only; messages are neither authenticated nor encrypted.
- Authorization, No Privileges (SNMP authNoPriv): Authenticates messages with the MD5 or SHA algorithm.
- Authorization and Privileges (SNMP authPriv): Authenticates messages with MD5 or SHA and additionally encrypts them with DES or AES.

The following fields appear only when Authorization, No Privileges or Authorization and Privileges is selected in Authentication Level:

Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.
Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.
Encryption Type: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages.
Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.

Where the receiving NMS supports it, choose Authorization and Privileges with SHA and AES; MD5 and DES are the weaker options.

4. Click Save.

To edit or delete an SNMP server, select it in the list of SNMP servers and click Edit or Delete.

VLAN ID in reconnaissance events

Network Security Platform supports VLAN-based reconnaissance attack detection. Earlier, the Sensor performed reconnaissance attack detection per VIDS. When this feature is enabled, reconnaissance attack detection is performed per VLAN as well as per VIDS. The feature is disabled by default; enable it from the Sensor CLI only if you want reconnaissance attack detection to be done on a VLAN basis. It is supported on both I-series and M-series Sensor models.

set vlanbasedrecon <enable | disable>
Configures VLAN-based reconnaissance.
Syntax: set vlanbasedrecon <enable | disable>
Parameters:
- enable: Enables VLAN-based reconnaissance.
- disable: Disables VLAN-based reconnaissance.

show vlanbasedrecon status
Displays the status of VLAN-based reconnaissance.

The VLAN ID is included in reconnaissance alert messages.
Figure 2-23 Alerts View - Threat Analyzer

The VLAN ID is also included in fault notifications and reports. In a fail-over pair, the feature has to be enabled on both Sensors.

For more information, see the McAfee Network Security Platform Manager Administration Guide and the McAfee Network Security Platform IPS Administration Guide.

Support for forwarding fragmented packets

The Sensor receives fragmented packets and holds the fragments until all of them arrive or the fragment timer expires. When the timer expires (the default value is 2 minutes), the fragments are dropped. This release allows you to configure the Sensor to forward such fragments instead of dropping them. Fragments forwarded this way were never reassembled, so the Sensor could not inspect the complete datagram they belong to; weigh that against the availability benefit before enabling the option.

ipreassembly timeout forward <enable | disable>
Configures whether packet fragments whose timer has expired are forwarded.
Syntax: ipreassembly timeout forward <enable | disable>
This configuration persists across Sensor reboots.

Parameters:
- enable: Forwards packet fragments whose timer has expired.
- disable: Drops packet fragments whose timer has expired, as before.

ipreassembly timeout forward status
Displays the status of the ipreassembly timeout forward setting.

Inline fail-over port pair functionality

During Sensor boot-up there was a small delay between the moment an inline fail-open port pair was enabled (port status LED green) and the moment it was actually put inline (activity LED blinking), which caused minor traffic loss. This release eliminates that delay. The enhancement is specific to the M-series and N-450 Sensors.

Add Device Wizard enhancements

With this release, when a new user logs on to the interface for the first time, the Add Device Wizard is displayed after the Manager Initialization Wizard completes. The Add Device Wizard is also available under the Wizards node of the Resource Tree. Instructions have also been added prompting the user to complete the command line interface setup before establishing trust between the appliance and the Manager.

Add a device using the wizard

Adding a device to the Manager enables the Manager to accept communication from a physically installed and network-connected device. Once communication is established, the Manager allows you to edit the device configuration, and the alert data becomes available in the Threat Analyzer and in report queries. McAfee recommends adding the device to the Manager first. The Add Device Wizard is displayed once the Manager Initialization Wizard is completed.

To add a device to the Manager:

Task
1. Click the To add a Device hyperlink at the bottom of the Manager Home page.
Figure 4-24 Add Device link on the Home page
-OR-
Select <Admin Domain Name> | Wizards | Add Device.
Figure 4-25 Add Device link under the Wizard node

You can access the Add Device node in a domain only if you have the Super User permission for that domain.

The Add Device page is displayed.
Figure 4-26 Add Device page

2. Click Start the Add Device Wizard. The Preparation page is displayed.
3. Click Next. The Add New Device page is displayed.
4. Enter the device name. The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores and periods. The permitted length of the name is not configurable.
5. Select the Device Type as IPS. The wizard supports adding NAC Sensors but does not currently support configuring NAC settings; that support will be added in a future release.
6. Enter the Shared Secret (and repeat it in Confirm Shared Secret). The shared secret must be at least 8 characters long; the minimum length is not configurable. It cannot start with an exclamation mark or contain spaces. The characters that can be used in a shared secret are:
- 26 letters, upper and lower case (a to z and A to Z)
- 10 digits (0 to 9)
- the symbols ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ' , . < ? /
IMPORTANT: The device name and shared secret are case-sensitive. The Device Name and Shared Secret must also be entered on the device command line interface (CLI) during physical installation and initialization; otherwise the device cannot register itself with the Manager.
7. Select the Updating Mode, Online or Offline. Online is the default; signature sets and software are pushed directly to devices in Online mode. Select Offline for devices to which you want to push signature sets and software manually.
8. [Optional] Enter the Contact Information and Location.

9. Click Next. The Trust Establishment page is displayed.
10. Follow the instructions on the page to complete the command line interface (CLI) setup, then click Check Trust. Using the CLI, enter the information needed for device identification and communication as described in the McAfee Network Security Platform Installation Guide. If you set up the device first, you will need to return to the device after adding it to the Manager to reset the shared secret key and begin device-to-Manager communication.
11. Click Next. The Next button is enabled once trust between the device and the Manager is established. The Port Settings page is displayed.
12. Make the necessary changes and click Next. The Policy Assignments page is displayed.
13. Make the necessary changes and click Next. The DNS Settings page is displayed. The DNS Settings page applies only to M-series Sensors running a software version above 7.0.
14. Configure the DNS server details and click Next. The Application Identification page is displayed. The Application Identification page applies only to M-series Sensors running a software version above 7.0.
15. Select the Enable Application Identifier? checkbox for the required ports and click Next.
16. Click Update to start the update. The Update Configuration page is displayed.
17. Click Finish. The device is now listed under the Device List node.
Figure 4-27 Device added under Device List
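The Name and Shared Secret rules in steps 4 and 6 are easy to get wrong when the values are typed separately into the Manager and the device CLI, and the wizard only enforces the 8-character minimum. The following Python is an added example, not McAfee code: it checks both values against the rules printed above, generates a long random secret that satisfies them, and reports a case-sensitive mismatch between the Manager and CLI values. SECRET_SYMBOLS is the symbol list as printed on this page (assumed complete), and '!' is assumed to be acceptable anywhere except the first position, the only restriction the page states for it.

```python
"""Checks for the Add Device Wizard's Name and Shared Secret rules.

Added example, not McAfee code. The rules are the ones printed in the
procedure above; SECRET_SYMBOLS is the symbol list as printed on the page
(assumed complete), and '!' is assumed to be acceptable anywhere except the
first position, which is the only restriction the page states for it.
"""
import secrets
import string

SECRET_SYMBOLS = "~#$%^&*()_+-=[]{}\\;:\"',.<?/"
SECRET_ALPHABET = string.ascii_letters + string.digits + SECRET_SYMBOLS
MIN_SECRET_LEN = 8

# Device Name: must begin with a letter; letters, digits, '-', '_' and '.'.
NAME_ALPHABET = set(string.ascii_letters + string.digits + "-_.")


def check_device_name(name):
    """Return the rule violations for a device Name (empty list means valid)."""
    problems = []
    if not name:
        return ["name is empty"]
    if name[0] not in string.ascii_letters:
        problems.append("name must begin with a letter")
    bad = sorted(set(name) - NAME_ALPHABET)
    if bad:
        problems.append("name contains disallowed characters: %r" % "".join(bad))
    return problems


def check_shared_secret(secret):
    """Return the rule violations for a Shared Secret (empty list means valid)."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d characters" % MIN_SECRET_LEN)
    if secret.startswith("!"):
        problems.append("must not start with '!'")
    if " " in secret:
        problems.append("must not contain spaces")
    # Spaces and a leading '!' already have their own message above.
    bad = sorted(set(secret) - set(SECRET_ALPHABET) - {"!", " "})
    if bad:
        problems.append("contains disallowed characters: %r" % "".join(bad))
    return problems


def generate_shared_secret(length=32):
    """Generate a random secret that satisfies every rule above.

    The wizard only enforces the 8-character minimum, but the value is typed
    once into the Sensor CLI and then never again, so it can afford to be
    long and random rather than memorable.
    """
    if length < MIN_SECRET_LEN:
        raise ValueError("length is below the wizard's minimum of %d" % MIN_SECRET_LEN)
    while True:
        candidate = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


def check_registration(manager_name, manager_secret, device_name, device_secret):
    """Report every reason a device would fail to register: rule violations
    on the Manager side, plus a case-sensitive mismatch with the values that
    were typed into the device CLI."""
    problems = ["name: " + p for p in check_device_name(manager_name)]
    problems += ["secret: " + p for p in check_shared_secret(manager_secret)]
    if manager_name != device_name:
        problems.append("device name entered on the CLI differs from the Manager (case-sensitive)")
    if manager_secret != device_secret:
        problems.append("shared secret entered on the CLI differs from the Manager (case-sensitive)")
    return problems


if __name__ == "__main__":
    secret = generate_shared_secret()
    print("generated secret:", secret)
    print(check_registration("ips-sensor_01.lab", secret, "ips-sensor_01.lab", secret))
```

Run it before the CLI step and keep the generated secret only in the two places it is needed; a registration failure at Check Trust is then a mismatch to look for, not a character-set rule to re-read.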

Syslog notification enhancement

Earlier, the Manager could forward events (alerts and faults) to syslog engines. That functionality allowed you to filter events by severity and to forward events from an admin domain to a single syslog engine, in clear text, over the unreliable UDP transport. With this release, you can reuse syslog server details across multiple admin domains, forward events to multiple syslog engines, and forward events to syslog engines over TCP with SSL encryption.

Forwarding alerts to a syslog server

<Root Admin Domain Name> | Alert Notification | Syslog enables forwarding of Network Security Platform alerts to a syslog server. Syslog forwarding lets you view the forwarded alerts in third-party syslog applications that support UDP and TCP with SSL, for example Syslog NG.

To enable syslog forwarding of alerts:

Task
1. Select IPS Settings | Alert Notification | Syslog. The Syslog page is displayed.
Figure 2-28 Syslog page - IPS Settings
2. Click the Yes option in Enable Syslog Notification to enable syslog forwarding of alerts.
3. Click Save.

You can forward Sensor alerts to multiple syslog servers by creating new syslog notification profiles (see also Adding a syslog server profile). You can forward IPS alerts to syslog servers using UDP or TCP (with or without SSL).

Adding a syslog notification profile

You can add notification profiles, which are then displayed on the Syslog page.

To create a syslog notification profile:

Task
1. Click New on the Syslog page. The Add a Syslog Notification Profile page is displayed.
Figure 2-29 Syslog Notification Profile page
2. Configure the following fields:

Admin Domain:
- Current: Send notifications for alerts in the current domain. Always enabled for the current domain by default.
- Children: Include alerts for all child domains of the current domain. (Not applicable to NTBA.)
Notification Profile Name: Name of the profile from which notifications are sent.
Target Server: The syslog server profile, TCP (with or without SSL) or UDP, with the port on the target syslog server that is authorized to receive syslog messages. See also Adding a syslog server profile.
Facility: Standard syslog facility value. The choices are:
- Security/authorization (code 4)
- Security/authorization (code 10)
- Log audit (note 1)
- Log alert (note 1)
- Clock daemon (note 2)
- Local user 0 (local0) through Local user 7 (local7)

Severity Mappings: Map each Network Security Platform severity (Informational, Low, Medium, or High) to one of the standard syslog severities:
- Emergency: system is unusable
- Alert: action must be taken immediately
- Critical: critical conditions
- Error: error conditions
- Warning: warning conditions
- Notice: normal but significant condition
- Informational: informational messages
- Debug: debug-level messages
Notify for All Alerts: Selected by default; notifies for all detected attacks.
Only Notify When: Enabled only when Notify for All Alerts is deselected. Choose one of the following:
- The attack definition has this notification option explicitly enabled: sends notifications for attacks that match the customized policy notification settings you set when editing attack responses in the policy editor (<Root Admin Domain Node> | IPS Settings | Policies | IPS Policies).
- Severity High: includes only high severity alerts.
- Severity Informational and above: includes all alerts.
- Severity Low and above: includes low, medium, and high severity alerts.
- Severity Medium and above: includes medium and high severity alerts.
Notify on IPS Quarantine Events (not applicable to the NTBA Appliance): Select this checkbox to receive IPS quarantine events.
Message: The default message is a quick summary of an alert with two fields for easy recognition, Attack Name and Attack Severity. The default message reads:
$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)
For the syslog message to be rendered correctly, use the dollar-sign ($) delimiter immediately before and after each parameter, for example $ATTACK_TIME$. Type a message and click the parameters to build the desired alert identification format; you can also type custom text in the Message field.
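The Facility, Severity Mappings, Only Notify When and Message fields above decide what actually reaches the syslog server. The following Python is an added example, not Manager code, that renders a constructed alert record through those fields: it computes the syslog PRI value (facility * 8 + severity, per RFC 3164) from the facility choice and the severity mapping, applies the "Severity X and above" filter, substitutes the $IV_...$ parameters of the default message and rejects a misspelled parameter instead of forwarding a half-filled line, and forwards over UDP, TCP, or TCP with TLS. The IV_* field names come from the default message on the page; the function names, the profile encoding, and the sample alert are illustrative assumptions.

```python
"""Render a Network Security Platform alert into a syslog line using the
notification profile fields described above. Added example, not Manager
code; the IV_* parameter names are those of the default message on the page,
everything else (function names, profile encoding, sample data) is assumed.
"""
import re
import socket
import ssl
from datetime import datetime, timezone

# Facility numbers from RFC 3164 for the choices the profile offers.
FACILITIES = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    "Log audit": 13,
    "Log alert": 14,
    "Clock daemon": 15,
    **{"Local user %d (local%d)" % (i, i): 16 + i for i in range(8)},
}

# RFC 3164 severity numbers for the Severity Mappings targets.
SYSLOG_SEVERITIES = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# Network Security Platform severities, lowest to highest, for "X and above".
NSP_ORDER = ["Informational", "Low", "Medium", "High"]

DEFAULT_MESSAGE = ("$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ "
                   "(severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> "
                   "$IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)")

PARAM = re.compile(r"\$([A-Z0-9_]+)\$")


def render_message(template, alert):
    """Substitute each $NAME$ parameter. An unknown name is a configuration
    error, so fail loudly rather than forward a half-filled message."""
    unknown = sorted(set(PARAM.findall(template)) - set(alert))
    if unknown:
        raise ValueError("unknown message parameters: " + ", ".join(unknown))
    return PARAM.sub(lambda m: str(alert[m.group(1)]), template)


def priority(facility_name, severity_mapping, alert_severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility_name] * 8 + SYSLOG_SEVERITIES[severity_mapping[alert_severity]]


def should_notify(alert_severity, minimum):
    """The 'Severity <minimum> and above' filter: Informational and above
    passes everything, High passes only High."""
    return NSP_ORDER.index(alert_severity) >= NSP_ORDER.index(minimum)


def syslog_line(profile, alert, when=None):
    """Build one RFC 3164 style line, or None when the profile filters the alert out."""
    if not profile.get("notify_all", True) and not should_notify(
            alert["IV_ATTACK_SEVERITY"], profile["minimum_severity"]):
        return None
    pri = priority(profile["facility"], profile["severity_mapping"], alert["IV_ATTACK_SEVERITY"])
    when = when or datetime.now(timezone.utc)
    return "<%d>%s %s %s" % (pri, when.strftime("%b %d %H:%M:%S"),
                             alert["IV_SENSOR_NAME"], render_message(profile["message"], alert))


def send(line, host, port, use_tcp=False, use_ssl=False, cafile=None):
    """Forward over UDP, plain TCP, or TCP with TLS. UDP and plain TCP put the
    alert text on the wire in clear; with TLS the server certificate is verified."""
    data = (line + "\n").encode()
    if not use_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
        return
    with socket.create_connection((host, port), timeout=5) as s:
        if use_ssl:
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                tls.sendall(data)
        else:
            s.sendall(data)


# Constructed sample profile and alert record (not taken from the page).
SAMPLE_PROFILE = {
    "facility": "Local user 4 (local4)",
    "severity_mapping": {"Informational": "Informational", "Low": "Notice",
                         "Medium": "Warning", "High": "Critical"},
    "notify_all": False,
    "minimum_severity": "Medium",
    "message": DEFAULT_MESSAGE,
}
SAMPLE_ALERT = {
    "IV_SENSOR_NAME": "ips-sensor-01", "IV_DIRECTION": "Inbound",
    "IV_ATTACK_NAME": "Test Attack", "IV_ATTACK_SEVERITY": "High",
    "IV_SOURCE_IP": "203.0.113.7", "IV_SOURCE_PORT": 51234,
    "IV_DESTINATION_IP": "192.0.2.10", "IV_DESTINATION_PORT": 80,
    "IV_RESULT_STATUS": "Blocked",
}


def example():
    """The sample alert rendered with a fixed timestamp."""
    return syslog_line(SAMPLE_PROFILE, SAMPLE_ALERT,
                       datetime(2012, 1, 1, 12, 0, 0, tzinfo=timezone.utc))
```

With the sample profile the High alert lands in local4 at Critical, so the line starts with PRI 162; the same alert at Low severity is filtered out by the Medium-and-above setting before anything is sent.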

3. Click Save. The newly added notification profile is displayed on the Syslog page.
Figure 2-30 Newly added syslog notification profile

Editing or deleting a syslog notification profile

You can edit or delete a syslog notification profile by clicking Edit or Delete on the Syslog Notification Profile page.

Adding a syslog server profile

You can add server profiles, which then populate the Target Server drop-down list on the Add a Syslog Notification Profile page.

To create a new syslog server profile:

Task
1. Click New beside the Target Server drop-down list. The Add a Syslog Server Profile page is displayed.
Figure 2-31 Add a Syslog Server Profile page
2. Enter the target server profile name.
3. Enter the syslog server name or IP address.
4. Select TCP or UDP from the Protocol drop-down list. If you select TCP, you must provide a certificate when you select the Use SSL checkbox; click Test Connection to check whether the connection succeeds. If a TCP server is down, at least five attempts are made to reach the server before a fault is raised.

5. Specify the port. The port field defaults to 0, which is not a valid port, so you must enter the port on which the syslog server listens.
6. Click Save. You can now select the server to which you want to forward alerts.

Editing or deleting a syslog server profile

You can edit or delete a syslog server profile by clicking Edit or Delete on the Syslog Notification Profile page. You can delete a syslog server only when it is not in use; otherwise an error message is displayed.

Dashboard and display filter option

You can designate dashboards as public or private, and you can add, edit, or duplicate the default dashboard (created the first time you open the Threat Analyzer) or the dashboards you created. You can also define and assign dashboards, close or hide them, and customize (and therefore also restore) the default dashboards.

Each existing saved view is converted into a display filter on upgrade. The Display Filter functionality is enhanced so that you can easily update the current display filter or create a new display filter from the current display, that is, from the current nested filters. You can also designate a display filter as public or private; public display filters are available to all users.

Adding or editing a new dashboard

When you open the Threat Analyzer for the first time, a new dashboard is created by default on the Dashboards page. You can add more dashboards or edit them.

To edit a dashboard:

Task
1. From the Home page, select Real-time Threats | Dashboards. The Dashboards page is displayed.
Figure 2-32 Dashboards page

2. Right-click the new dashboard name and click Edit. Tip: Alternatively, select Options | Dashboard | Edit.
Figure 2-33 Edit dashboards page
3. Enter the dashboard name. By default, the dashboard is public and visible to the child admin domains. The dashboard name cannot exceed 25 characters and cannot contain special characters, although it can contain spaces.
4. Click Assign Monitor. You can assign the dashboard to an existing Monitor or create a new Monitor as shown.
Figure 2-34 Assign Monitor window

5. Make the necessary changes and click OK.
6. Click Save.

By default, the Properties panel is hidden; click it to open. To close an existing dashboard, right-click the dashboard and click Close. To open a closed dashboard, select Options | Dashboard | Open.

Dashboard options

Table 4-1 Dashboard options

Open: At any time, you can view more than one dashboard (public and private) on the screen using this option. The opened dashboard is displayed beside the default dashboards.
New: Create a new dashboard and assign it to a new or an existing Monitor. See also Adding or editing a new dashboard.
Edit: Edit a dashboard you created to change its name or to make it public or private. See also Adding or editing a new dashboard.
Duplicate: Create a new dashboard based on the current values of an existing one. By default, the name is kept with the prefix Duplicate of; for example, duplicating New Dashboard1 produces Duplicate of New Dashboard1. Alternatively, right-click a dashboard and click Duplicate.
Delete: Delete private dashboards and public ones that you own. You can only view the contents of dashboards owned by other users. Alternatively, right-click a dashboard and click Delete.
Reset Default Dashboards: Reset the default dashboards to their default settings and discard all customizations.

Add a new display filter

You can use display filters to search for alerts based on one or more attributes. When you create a display filter, the Threat Analyzer lets you specify your own criteria for filtering the alerts. The filter can be saved and is displayed as a tab on the Alerts page. You can close display filters at any time using the right-click option.

Task
1. On the Manager home page, click Real-time Threats to start the Threat Analyzer. The Threat Analyzer page is displayed.
2. On the menu bar, click Alerts. Alternatively, right-click the All Alerts tab.

3. Select Display Filter | New.
Figure 4-35 New Display Filter option
The Display Filter page is displayed.
Figure 4-36 Display Filter page
4. Enter a name for the filter.
5. If you want other users to be able to view the filter but not edit it, select the Make this Filter Public? checkbox.
6. The Make Visible to Child Admin Domains checkbox and the Filter Owner checkbox are then displayed.
7. Define the filter properties and enter a value for the parameters.

8. Save the filter. To keep the filter, click Save and Apply. To apply the filter without saving it, click Apply. The new filter appears as a new tab beside the All Alerts tab.
Figure 4-37 Display a new filter on the All Alerts page

To close an existing filter, right-click the filter and click Close.

Action buttons

The following action buttons are available when you click the Options button at the bottom of the Alerts page:

Quarantined: When the Sensor detects attacks from a host on its configured monitoring port, a quarantine rule is created for the source IP address of the host, and the host is placed in quarantine. Thereafter, the Sensor drops any traffic from the host until the quarantine rule expires. Quarantine therefore prevents non-compliant hosts from harming other network systems by isolating them from the network for a specified period of time.
Figure 4-38 Quarantine Host dialog
Search by Attack ID: Search for attacks from the Threat Analyzer.
Figure 4-39 Search an Alert dialog

Save Window Content as: Use this option to save the content as:
- Save as CSV: Save the selected view (any selected Threat Analyzer table or graph) as a comma-separated values (CSV) file, a portable representation of tabular data, on your client system. You can open the file in Excel and use its Import/Chart feature to display the CSV data as a graph.
- Save as PDF: Save the selected view (any selected table or graph) as a PDF file on your client system, then view it with Adobe Acrobat. For example, while working in the Real-time Threat Analyzer you can save the Attack Details view table to review the alert details.

Display filter options

Apply: At any time, you can view more than one filter (public and private) on the screen using this option. The filter is displayed beside the All Alerts tab.
Delete: Delete private filters and public ones that you own.
Duplicate: Create a new filter based on an existing one. Use the right-click option to create a new filter based on the current window content. By default, the name is kept with the prefix Duplicate of; for example, duplicating Filter1 produces Duplicate of Filter1.
Edit: Edit private filters and public ones that you own. You can only view the contents of filters owned by other users. Alternatively, right-click any applied filter on the All Alerts page and click Edit Filter. If you want to replace the filter's content with the content of the current window, select Manually or Replace Filter Content with Current Window.

Alert assignment enhancement

With this release, users with read-write (RW) permission can change the assignment of an alert: assign it to themselves, remove the current assignment (making the alert unassigned again) irrespective of who the current assignee is, or assign the alert to a specific user.

Assigning alerts to users

You can assign a new alert to a specific administrative user account.

To assign new alerts to users:

Task
1. From the Home page, select Real-time Threats | Alerts. The All Alerts page is displayed.
Figure 2-40 All Alerts page
2. By default, a new alert is unassigned. To assign it, right-click an attack, select Assign, and choose Assign to me or Assign to someone else.
3. When you select Assign to someone else, the Assign To window is displayed.
Figure 2-41 Assign To window
You can assign an alert to yourself only if it is unassigned and you have the appropriate RW permissions.
4. Select a user from the drop-down list and click OK. The user's name is now displayed against the alert as shown. You can also assign several alerts at once by selecting them and right-clicking.
Figure 2-42 Assigned alerts

Removing assignments from alerts

You can remove an assignment only:
- if you have the appropriate read-write (RW) permissions, and
- if the alert is assigned to you.

To remove an assignment from an alert:

Task
1. Right-click an attack and select Assign | Remove assignment.
Figure 2-43 All Alerts page
The Remove Assignment window is displayed.
Figure 2-44 Remove Assignment window
2. Click OK. The assignment is removed.

Grouping alerts by assignment

To group alerts by assignment:

Task
Select the Group By option and then select Assigned To from the drop-down list.
Figure 2-45 Group By page

Display Filter option for assignments

You can create your own display filter for assignments, including for accounts that do not have the appropriate RW permissions to change assignments.

To create a display filter for assignments:

Task
1. Select Display Filter | New on the All Alerts page. The Display Filter window is displayed.
Figure 2-46 Display Filter window
2. Select Assigned To from the Filter Criteria.
3. Enter a filter name. The filter name cannot exceed 25 characters and cannot contain special characters, although it can contain spaces.

4. [Optional] Select the Make this Filter Public? checkbox, which allows other users to use the filter but not edit it.
5. Click Save and Apply. The new filter is displayed as shown.
Figure 2-47 New Filter page

You can also apply, edit, duplicate, or delete a filter by selecting any of the options under Display Filter as shown.
Figure 2-48 Display filter options

Attack Filters enhancement

This release provides the ability to create rule objects for IPS. Rule objects can be created at the admin domain level and modified at the child domain or Sensor level. These modifications automatically apply to the specific Sensors, interfaces and sub-interfaces. The Manager also allows you to delete attack filters that are unassigned; if an attack filter is assigned to a resource, the assignment has to be removed before the attack filter can be deleted. Attack filters can be deleted both from the Attack Filters editor and from Manage Attack Filter in the Threat Analyzer.

Management of rule objects

You can use rule objects to create attack filter rules. You can use common rule objects across other Manager features such as NAC and Firewall. In attack filters, rule objects can be customized to override any settings made at the parent domain level; they can be customized at the admin domain level, the child domain level or the Sensor level. The ability to customize a rule object is only available for attack filters; Firewall and NAC, which also use rule objects, do not support rule object customization.

The following rule object types are available (each has its own icon in the Manager):
- Host IPv4
- Host IPv6
- IPv4 Address Range
- IPv6 Address Range

71 IPS enhancements Attack Filters enhancement 2 Icon Rule Object Network Network Group for Attack Filter IPv6 Address Range and Network Group for Attack Filter are two new types of rule objects that are only applicable to attack filters. By default, a Sensor inherits the rule object definitions from the domain that owns the sensor (when the rule object is not customized at the Sensor level). If there is no customized definition present in this domain, the Sensor inherits the object definition from its parent domains in the hierarchy until a valid definition is found. You can customize rule object definitions at the child domain level, only if the resources belong to the child domain. Such changes, made at the child domain level, will be be visible in the parent admin domain level and can also be modified here. If you delegate an interface (say 1A) belonging to a Sensor to a child domain, all the rule objects assigned to that interface (through attack filters) inherit their definition from the customization at the physical Sensor level. If there is no Sensor level definition, the specific rule object inherits its definition from the admin domain to which the sensor belongs. View a rule object Task 1 Go to <Admin Domain Name> IPS Settings Attack Filters Rule Objects. Rule objects for the selected admin domain are listed. For a rule object to be listed, it must meet one of these conditions: It is a default rule object. It is created at a parent admin domain, but it is set to be visible to the child admin domains. The rule object was created at the current admin domain. The Rule Objects window appears. 2 To locate specific rule object, use the following methods in combination: Enter a string in the Search text box. Rule objects containing the search string in their Names are listed. For example, type google to list the rule objects containing google as part of their Names. Select the Default or the Custom check box as required. 
   Select the rule object type in the Show list.
   Click the Name, Owner, Type, or Editable headings to sort the list in ascending or descending order.
3 To view the complete details of a rule object, double-click it, or select the rule object and click View/Edit.
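The inheritance rules above (Sensor customization first, then the owning admin domain and its parents, with delegated interfaces still resolving through the physical Sensor) are easy to get wrong when checking what a filter will actually match. The following is an added illustrative model, not McAfee documentation or product code; the domain names, Sensor names and rule object names are made up, and the Network Security Manager does not expose this as an API.

```python
"""Illustrative model of rule object inheritance for attack filters.

Added example, not part of the McAfee documentation or product code. It
encodes the resolution order the text describes: a Sensor-level
customisation wins; otherwise the Sensor takes the definition from the
admin domain that owns it, walking up the parent chain until a definition
is found. An interface delegated to a child domain still resolves through
the physical Sensor and the Sensor's owning domain, not the child domain.
Domain, Sensor and object names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AdminDomain:
    name: str
    parent: Optional["AdminDomain"] = None
    # rule object name -> definition customised at this domain (lists of CIDRs here)
    definitions: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Sensor:
    name: str
    owner: AdminDomain
    # Sensor-level customisations override the whole domain chain
    definitions: Dict[str, List[str]] = field(default_factory=dict)
    interfaces: Set[str] = field(default_factory=set)
    # interface name -> child domain the interface is delegated to
    delegated: Dict[str, AdminDomain] = field(default_factory=dict)


def resolve_in_domain(domain: AdminDomain, obj: str) -> Optional[List[str]]:
    """Walk from `domain` up to the root; the first customised definition wins."""
    node: Optional[AdminDomain] = domain
    while node is not None:
        if obj in node.definitions:
            return node.definitions[obj]
        node = node.parent
    return None  # no definition anywhere in the hierarchy


def resolve_for_interface(sensor: Sensor, interface: str, obj: str) -> Optional[List[str]]:
    """Definition a rule object takes on `interface` of `sensor`.

    Delegation of the interface to a child domain does not enter into the
    lookup: Sensor customisation first, then the Sensor's owning domain chain.
    """
    if interface not in sensor.interfaces:
        raise KeyError(f"{sensor.name} has no interface {interface}")
    if obj in sensor.definitions:
        return sensor.definitions[obj]
    return resolve_in_domain(sensor.owner, obj)


def can_customize(domain: AdminDomain, sensor: Sensor) -> bool:
    """A child domain may customise only for resources that belong to it:
    a Sensor it owns, or a Sensor interface delegated to it."""
    return sensor.owner is domain or domain in sensor.delegated.values()


def demo() -> Dict[str, Optional[List[str]]]:
    """Constructed scenario: a root domain, one child domain, a Sensor owned by
    the root with interface 1A delegated to the child, and a Sensor owned by the child."""
    root = AdminDomain("My Company", definitions={"Web-Servers": ["10.0.0.0/24"]})
    child = AdminDomain("Branch", parent=root, definitions={"Web-Servers": ["10.0.1.0/24"]})
    hq = Sensor("Sensor-HQ", owner=root, interfaces={"1A", "1B"}, delegated={"1A": child})
    branch = Sensor("Sensor-Branch", owner=child, interfaces={"1A"})
    results = {
        # 1A is delegated to Branch, but resolves via the Sensor's owner (the root)
        "delegated_1A": resolve_for_interface(hq, "1A", "Web-Servers"),
        # a Sensor owned by Branch uses Branch's customisation
        "branch_sensor": resolve_for_interface(branch, "1A", "Web-Servers"),
        # an object defined nowhere in the hierarchy
        "undefined": resolve_for_interface(hq, "1B", "Mail-Servers"),
    }
    hq.definitions["Web-Servers"] = ["10.0.2.0/24"]  # now customise at the Sensor level
    results["sensor_override"] = resolve_for_interface(hq, "1A", "Web-Servers")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the last paragraph above: customizing Web-Servers in the Branch domain does not change what interface 1A of Sensor-HQ matches, because 1A belongs to a Sensor owned by the parent domain. Only a Sensor-level customization, or a change in the owning domain chain, affects it.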

Add a rule object

Task
1 Go to <Admin Domain Name> | IPS Settings | Attack Filters. Rule objects for the selected admin domain are listed.
2 Click New.
3 Select the Type of rule object in the New Rule Object window.
4 Enter the Name for the rule object. Within a given admin domain, each rule object must have a unique name.
5 Optionally, enter the Description for the rule object. The Owner field displays the admin domain from which you are creating the rule object.
6 Optionally, select Visible to Child Admin Domains.
The new rule object is displayed in the Rule Objects window main page.

Modify a rule object

You can modify a rule object only at the admin domain where it was created. If required, you can clone a custom rule object that was created at a parent admin domain and then modify the clone in the current admin domain.

You cannot clone a default rule object, except for Network. You cannot edit or delete any default rule object. You can edit or delete custom rule objects only at the admin domain where they were created.

Task
1 Go to <Admin Domain Name> | IPS Settings | Attack Filters | Rule Objects. Rule objects for the selected admin domain are listed.
2 Locate the rule object that you want to modify. To filter the list, clear Default, select Custom, and select the corresponding rule object type from the Show drop-down.
3 Make sure the Editable field is selected for the rule object you want to modify. Then double-click it, or select the rule object and click View/Edit. If the Editable field is not selected, the rule object belongs to a parent admin domain.
4 Make the required changes and click Save.
If the rule object that you modified is part of an attack filter rule that is in use, you must push a configuration update to the Sensor for the changes to take effect.

Delete a rule object

Before you begin
Make sure the rule object is not used in any attack filter rules or other features.

You can delete a rule object only at the admin domain where it was created. You cannot edit or delete any default rule object. You can edit or delete custom rule objects only at the admin domain where they were created.

Task
1 Go to <Admin Domain Name> | IPS Settings | Attack Filters | Rule Objects. Rule objects for the selected admin domain are listed.
2 Locate the rule object that you want to delete. To filter the list, select Custom and select the corresponding rule object type from the Show drop-down.
3 Make sure the Editable field is selected for the rule object you want to delete. Then select the rule object and click Delete. If the Editable field is not selected, the rule object belongs to a parent admin domain.
4 Click Yes to confirm deletion. The rule object is permanently removed from that domain.

Deleting attack filters from the Attack Filters editor

You can delete attack filters along with their assignments from the Attack Filters editor. An attack filter created at the parent or child domain that has been assigned to a resource at the child domain can still be deleted; however, an attack filter created at the parent domain cannot be deleted at the child domain level.

Task
1 From the Home page, select Configure | My Company | IPS Settings | Attack Filters. The Attack Filters page is displayed.
Figure 2-49 Attack Filters - IPS settings page

2 Select the attack filter you want to delete and click Delete. If this attack filter is assigned to a resource, the following dialog box prompts you to delete the attack filter assignment first.
Figure 2-50 Delete Confirmation dialog box
3 Click Yes to remove all assignments of the attack filter. The attack filter, along with its assignments, is deleted.
You can select and delete multiple attack filters along with their assignments in one go.

Deleting attack filters from the Threat Analyzer

You can delete attack filters along with their assignments from the Manage Attack Filter option in the Threat Analyzer. An attack filter created at the parent or child domain that has been assigned to a resource at the child domain can still be deleted; however, an attack filter created at the parent domain cannot be deleted at the child domain level.

Task
1 From the Home page, select Real-time Threats | Alerts. The All Alerts page is displayed.

2 From All Alerts, right-click an alert and select Assign Attack Filter. Select one of the options: Admin Domain, Sensor, or Interface/SubInterface.
Figure 2-51 All Alerts page on Threat Analyzer
The Filter Assignment window is displayed.
Figure 2-52 Filter Assignment window

3 Click Manage Attack Filters. The Manage Attack Filters window is displayed.
Figure 2-53 Manage Attack Filter window
4 Select an attack filter and click Delete. If this attack filter is assigned to a resource, a dialog box prompts you to delete the attack filter assignment first.
5 Click Yes to remove all assignments of the attack filter. The attack filter, along with its assignments, is deleted.
You can select and delete multiple attack filters along with their assignments in one go.

Configure password complexity settings

To set the password control options, perform the following on the Manager:

Task
Go to Manager | Password Control | GUI Access.

Tasks
Account Lockout on page 77
Account Lockout Message on page 77
Password Expiration page on page 78

Password strength
Use the fields in this section to set the parameters that strengthen passwords.

Field: Description
Require Uppercase Letter: Select this option and set the minimum value to 2.
Require Lowercase Letter: Select this option and set the minimum value to 2.
Require Number: Select this option and set the minimum value to 2.
Require Special Character: Select this option and set a minimum value.
Password Cannot be the same as Login ID: Select this option to ensure that the user cannot use the Login ID as the password. For example, if the Login ID is admin1, the Manager rejects the password 'admin1'.
Minimum Password Length: Set the minimum password length to 15 characters.

Password History
Use the fields in this section to ensure that previously set passwords are not reused:

Field: Description
Number of Characters that must be Changed: Set the number of characters that must change when a new password is set to 4.
Number of Previous Passwords to Track: Set the number of passwords to track to 10.

Password Expiration
Use the fields in this section to ensure that passwords are changed at regular intervals:

Field: Description
Time to Wait Before New Passwords Can Be Changed: Set the minimum time to wait before a password can be changed again to 24 hours.
Passwords Expire After: Set the expiry period to 45 days.
Warning Interval: Set the warning interval to 3 days.

Account Lockout
Use the fields in this section to set the parameters that lock a user account:

Field: Description
Maximum Number of Unsuccessful Login Attempts: Set the maximum number of unsuccessful login attempts to 3.
Duration of Lock Out: Set the lockout duration to 30 minutes.

After enabling the required check boxes, do the following to apply the Password Policy:

Task
1 Go to My Company | Users | Users.
2 Create or select the user and click Add/Edit to apply the password policy to the user.

Account Lockout Message

Task
Enter the Login ID and Password. If you have exceeded the permitted login attempts, the following message is displayed:

Login failed: Maximum allowable login attempts 3 have exceeded. Your account is locked for 30 minutes. Please check your credentials and retry after 30 minutes. If you still have a problem, contact your Administrator.

A similar message appears for password expiration and for an account locked for timeout.
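The settings above describe a policy, not code; the Manager enforces them internally. As an added example (not McAfee code) the following implements the same rules for a stand-alone application so that each check and its failure mode can be seen: complexity minimums, the 15-character floor, the login-ID comparison, the 10-password history window, the 4-characters-changed rule, and a 3-strikes, 30-minute lockout. Two details are assumptions of this example because the page does not state them: the special-character minimum is taken as 1 (the value is not legible in the source), and "characters changed" is counted position by position plus any length difference.

```python
"""Password policy and lockout checks matching the Manager settings above.

Added example, not code from the McAfee documentation or product. The
special-character minimum (1) and the position-by-position definition of
"characters changed" are assumptions of this example.
"""
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_special: int = 1        # assumed; the source does not give the value
    min_length: int = 15
    min_chars_changed: int = 4
    history_size: int = 10


POLICY = PasswordPolicy()
SPECIAL = set(string.punctuation)


def chars_changed(old: str, new: str) -> int:
    """Positions that differ between old and new, plus the length difference (assumed metric)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, login_id: str, new_pw: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `history` holds the user's previous passwords, oldest first. Plaintext is used
    here only for illustration; a real store keeps salted hashes for the reuse check
    and has the previous password in clear only at change time, when the user types it.
    """
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isupper() for c in new_pw) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase letters")
    if sum(c.islower() for c in new_pw) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase letters")
    if sum(c.isdigit() for c in new_pw) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if sum(c in SPECIAL for c in new_pw) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if new_pw.lower() == login_id.lower():
        problems.append("same as login ID")
    tracked = history[-policy.history_size:]          # only the last N are tracked
    if new_pw in tracked:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    elif history and chars_changed(history[-1], new_pw) < policy.min_chars_changed:
        problems.append(f"fewer than {policy.min_chars_changed} characters changed")
    return problems


class LoginGuard:
    """Locks an account for `lock_seconds` after `max_attempts` consecutive failures.

    `clock` is injectable so lock expiry can be exercised without waiting 30 minutes.
    """

    def __init__(self, max_attempts: int = 3, lock_seconds: int = 30 * 60,
                 clock: Optional[Callable[[], float]] = None):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock or time.time
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, login_id: str) -> bool:
        until = self._locked_until.get(login_id, 0.0)
        if until and self.clock() >= until:
            # lock expired: clear the counter so the user gets a fresh set of attempts
            del self._locked_until[login_id]
            self._failures.pop(login_id, None)
            return False
        return bool(until)

    def record_failure(self, login_id: str) -> bool:
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(login_id):
            return True
        n = self._failures.get(login_id, 0) + 1
        self._failures[login_id] = n
        if n >= self.max_attempts:
            self._locked_until[login_id] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, login_id: str) -> None:
        self._failures.pop(login_id, None)


if __name__ == "__main__":
    print(check_password(POLICY, "admin1", "admin1", []))
    print(check_password(POLICY, "admin1", "Aa1!Bb2@Cc3#Dd4$", []))
```

Note that a locked account still refuses valid credentials until the 30 minutes elapse, which matches the lockout message shown above; an attacker who knows a login ID can therefore deny that user service with three bad attempts, so the lockout duration is a trade-off, not a free hardening.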

Password Expiration page

Task
1 If your password has expired, then when you try to log on you are redirected to a page to reset your password.
2 Enter your old password and set a new password. After the new password is set successfully, you are redirected to the Manager Home page.

Configure session control settings

The Manager provides the option to automatically close Manager and Central Manager sessions. Only events count as activity; keystrokes alone do not. For example, the session timeout still applies while you are working on the Add a User page; only clicking Submit counts as activity. Accessing the Threat Analyzer, Port Settings, or the Policy Editor counts as an event.

To set this option:

Task
1 Go to Manager | GUI Access | Session Control.
2 Set the following options:

Field: Description
Limit the Number of Concurrent Sessions a User Can Open?: Select this option and set the maximum value to 1.
Session Options: The session control options let you configure how user activity on open Manager sessions is monitored. Inactivity is defined as no mouse clicks or keyboard usage on the Manager for X minutes. Select Automatically close user sessions after X minutes of inactivity and set the time to 15 minutes. The Threat Analyzer session is also closed.
Warning Interval: Set a value between 1 and 43,200 minutes as per your site's policy. The administrator is warned before the session is timed out due to inactivity or the time limit. The warning interval must be less than the configured timeout.

Granular access control for CLI commands (for TACACS user)

For a TACACS user to obtain granular access control, TACACS authorization must be enabled on the Sensor. If it is not, every authenticated TACACS user is given Admin access. The role is assigned in the TACACS server configuration. If no role is configured in the TACACS server, Admin access is given. If a role other than the allowed roles is assigned, Read-Only access is given.

The following is an example of the TACACS server configuration file:

    user = user1 {
        service = intrushell {
            role = RO-Access
        }
    }

The allowed role strings in the configuration file are:
Updater
RW-Access
Maintainer
Admin-Access
RO-Access

McAfee recommends configuring either TACACS users or local users on the Sensor, not both. If both are required, ensure that users with the same name are not present on both the Sensor and the TACACS server.

For more information, see the McAfee Network Security Sensor (Sensor) CLI Guide.
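Two of the rules above fail open: with authorization disabled on the Sensor, or with a user block that carries no role, the TACACS user lands in Admin. Reviewing the server configuration is therefore part of auditing who can administer the Sensor. The following is an added example, not McAfee code, that parses user blocks in the tac_plus-style syntax shown above and derives the resulting CLI access; the configuration text is constructed for the example and `user2` and `user3` are made-up users.

```python
"""Derive the Sensor CLI access a TACACS+ user ends up with.

Added example, not McAfee code. It parses tac_plus-style user blocks like
the one in the documentation and applies the stated rules: authorization
disabled on the Sensor, or no role in the user block, gives Admin; a role
outside the allowed list gives Read-Only. The configuration is constructed.
"""
import re
from typing import Dict, Optional

ALLOWED_ROLES = {"Updater", "RW-Access", "Maintainer", "Admin-Access", "RO-Access"}

# Constructed configuration: user1 mirrors the documented example; user2 has a
# role the Sensor does not recognise; user3 has a service block with no role.
CONSTRUCTED_CONFIG = """
user = user1 {
    service = intrushell {
        role = RO-Access
    }
}
user = user2 {
    service = intrushell {
        role = Operator
    }
}
user = user3 {
    service = intrushell {
    }
}
"""

_USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{")
_SERVICE_RE = re.compile(r"service\s*=\s*intrushell\s*\{([^}]*)\}", re.S)
_ROLE_RE = re.compile(r"role\s*=\s*(\S+)")


def _block(text: str, start: int) -> str:
    """Return the text inside the brace block whose '{' is at index `start`."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in TACACS configuration")


def parse_roles(config: str) -> Dict[str, Optional[str]]:
    """Map each user to its intrushell role, or None when the block carries no role."""
    roles: Dict[str, Optional[str]] = {}
    for m in _USER_RE.finditer(config):
        body = _block(config, m.end() - 1)
        svc = _SERVICE_RE.search(body)
        role = None
        if svc:
            rm = _ROLE_RE.search(svc.group(1))
            role = rm.group(1) if rm else None
        roles[m.group(1)] = role
    return roles


def effective_access(roles: Dict[str, Optional[str]], user: str,
                     authorization_enabled: bool) -> Optional[str]:
    """Access granted on the Sensor CLI, or None if the TACACS server does not know the user."""
    if user not in roles:
        return None
    if not authorization_enabled:
        return "Admin-Access"   # authorization off: every authenticated user is admin
    role = roles[user]
    if role is None:
        return "Admin-Access"   # no role configured: admin by default
    if role not in ALLOWED_ROLES:
        return "RO-Access"      # unrecognised role string: read-only
    return role


def admins(config: str, authorization_enabled: bool) -> Dict[str, str]:
    """Users who would obtain Admin access: the list an auditor wants to see."""
    roles = parse_roles(config)
    return {u: roles[u] or "<no role>" for u in roles
            if effective_access(roles, u, authorization_enabled) == "Admin-Access"}


if __name__ == "__main__":
    print(parse_roles(CONSTRUCTED_CONFIG))
    print("admins with authorization on :", admins(CONSTRUCTED_CONFIG, True))
    print("admins with authorization off:", admins(CONSTRUCTED_CONFIG, False))
```

Run against a real server export, `admins(config, True)` lists every account that reaches Admin because its block omits a role, which is the case most likely to slip through a review that only looks for `Admin-Access` literally.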


3 NAC enhancements

The following are the NAC features developed for release 7.1:

From this release, 7.x software is available for the N-450 and N-550 Sensors.

Policy enhancements in OOB NAC

In this release the OOB NAC feature is greatly enhanced in terms of configuration and functionality. Compared to the earlier releases, OOB NAC is now easier to configure and provides many more options and flexibility in how you define your NAC policies.

In OOB NAC, you can set one or more of the following parameters as the criteria for network access:
   The Sensor that detected the host.
   The access switch to which the host is connected.
   The type of host. Hosts are classified based on:
      Organizationally Unique Identifier (OUI) and MAC address
      Whether they are managed, unmanaged, or unmanageable
      System health
   The user logged on to the host, including any of the LDAP attributes of the user.
   RADIUS attributes, including the standard and vendor-specific attributes of your Network Access Server (NAS), such as a switch.

In the earlier releases, you specify the NAC criteria for OOB NAC in policies such as the system posture policy and the IBAC policy. For OOB NAC only, these policies are now replaced by NAC rules. You define NAC rules in the same way as firewall access rules with respect to configuration and functionality. Also deprecated in this release are concepts such as switch networks and switch port groups.

The NAC policies are enhanced to support custom RADIUS responses. For instance, the policies can be used to apply "RADIUS ACLs" on the NAS.

Because of the major enhancements, the 7.1 version of the Sensor and Manager is not compatible with the 6.1 version with respect to OOB NAC. For example, suppose you have deployed DHCP inline NAC and OOB NAC in a 6.1.x installation. Then you can:

1 Upgrade the Manager to 7.1.x.
2 Upgrade the Sensor to 7.1.x from the Manager or using a TFTP server. When the Sensor reboots, all the OOB NAC configuration is removed. However, inline NAC configuration, trust with the McAfee NAC server, RADIUS server configuration, and Active Directory configuration are all retained.
3 Configure OOB NAC in 7.1.x.

Failover Sensor support is not available for OOB NAC in the 7.1 release.

Enhanced communication with McAfee NAC

When a Sensor detects a host, it contacts the McAfee NAC server for the system type (managed, unmanaged, or unmanageable) and system health of that host. With this release, the McAfee NAC Client or the McAfee NAC Guest Client sends host information directly to the Sensor's management port. This eliminates delay in the host information reaching the Sensor. It also reduces the load on the McAfee NAC server, making it more scalable.

6.1 New Features

The following features were first released in version 6.1 and are now also available in version 7.1.

L3 Out-of-band NAC (L3 OOB NAC)
The OOB NAC feature in the earlier versions is designed specifically for Layer 2 (L2) networks. This release introduces the L3 OOB NAC feature. It is designed for scenarios where the NAC Sensor is deployed in the head office and you want to use the same Sensor to enforce OOB NAC on hosts in the branch offices.

In the earlier versions, the access switches involved in an OOB NAC implementation are classified as managed switches and Universal Control Points (UCPs). In this release, access switches are referred to as Network Access Servers (NAS).

Display the Hosts tab in the Central Manager Threat Analyzer
This release introduces the Threat Analyzer Hosts tab in the Central Manager. The Hosts tab functionality is similar to that of the Manager.

Display message for guest users
With this release, you can configure your organization's policy, terms, and conditions that guest users must agree to comply with. Only then can they proceed to self-register or enter their logon credentials in the Guest Portal.

OOB NAC and Standard inline NAC using the same Sensor
With this release, you can use the same NAC Sensor to implement L2 OOB NAC and Standard inline NAC.

For the details of the enhancements, see the McAfee Network Security Platform NAC Administration Guide for this release.

4 NTBA enhancements

This chapter describes the NTBA enhancements for this release.

Contents
Support for Virtual NTBA Appliance
Upgrade support
Heterogeneous support for NTBA Appliances
Next Generation Reports enhancements
Integration with McAfee Logon Collector
Enterprise Appliance enhancements
External storage enhancements
Netflow exclusion filters enhancements
NTBA attack notification enhancements
Add Device Wizard enhancements
Capacity planning enhancements
Dashboard enhancements
TimeView Charts enhancements
Display filter enhancements
Usability enhancements in NTBA
Other CLI command enhancements
Debugging enhancements

Support for Virtual NTBA Appliance

With this 7.1 release, McAfee provides a single instance of the NTBA Virtual Appliance with every new purchase of Network Security Manager. If you are an existing user of Network Security Manager, you can download and install a single instance of the NTBA Virtual Appliance.

The NTBA Virtual Appliance runs on VMware ESX, allowing you to provide flexible security for your virtual environment. All features supported on the T-200 and T-500 NTBA Appliances in the earlier release are available in the NTBA Virtual Appliance as well. Configuring the NTBA Virtual Appliance as part of an aggregator setup is also supported.

Only two IPS Sensors can be connected to the free Virtual NTBA Appliance.

For more information, see the NTBA Virtual Appliance Installation Guide.

Upgrade support

This release supports direct upgrade of the NTBA Appliance from the supported earlier versions. Direct upgrade to 7.1 is also supported for the Virtual NTBA Appliance.

Heterogeneous support for NTBA Appliances

You can manage a heterogeneous NTBA environment using the Manager.

Notes:
   In the context of NTBA, a heterogeneous environment means only earlier-release NTBA Appliances and 7.1 NTBA Appliances managed by a 7.1 Manager.
   From release 7.0, NTBA's capability to detect applications is significantly enhanced. Therefore, expect a difference in the number of applications detected by NTBA devices on 7.1 compared to devices on the earlier release.
   The Botnet feature is not supported for the earlier-release NTBA Appliances.

When you add an NTBA Appliance to a Manager, the following happens: under Inside Zones, a private IP zone is created by default, consisting of the RFC-defined private address CIDRs.

Next Generation Reports enhancements

With this release, 17 new reports have been added and five reports have been deleted.

Tasks
Run a Next Generation Default report on page 85
Reports that are no longer in use on page 90
Create a Next Generation duplicate report on page 90
Next Generation User Defined report on page 92

Run a Next Generation Default report

The Next Generation reports display network-wide information, with data options for generating queries for a day, between two dates, or during the past months, weeks, days, or hours.

Figure 4-1 Next Generation Saved Reports

Tasks
Default - Top URLs Accessed report on page 86
Default - Top URLs by Reputation report on page 86
Default - Top URL Categories report on page 86
Default - Top Files Accessed report on page 87
Default - Top Most Recently-Active Hosts report on page 87
Default - Top Host Summary report on page 87
Default - Top Hosts by Bandwidth Usage report on page 87
Default - Top Hosts by GTI Reputation report on page 88
Default - Top Hosts by Threat Factor report on page 88
Default - Top New Applications Seen report on page 88
Default - Top New Services Seen report on page 88
Default - Top New Hosts Seen report on page 89
Default - Top Services by Bandwidth Usage report on page 89
Default - Top Applications by Bandwidth Usage report on page 89
Default - Top Most Recent Connections report on page 89
Default - Top Interface Traffic report on page 90
Default - Top Conversations report on page 90

Default - Top URLs Accessed report
This report shows the URLs most accessed by hosts in the network during the selected period.

Field: Description
Access Count: Displays the number of times the URLs were accessed.
URL: Displays all the URLs accessed.
URL Category: Displays the URL categories, for example Business, Games, Search Engine.
URL Reputation: Displays the reputation score (risk factor) of the URLs.
Country: Displays the country the URLs originate from.

Default - Top URLs by Reputation report
This report shows the list of URLs sorted by reputation during the selected period.

Field: Description
URL Reputation: Displays the reputation score (risk factor) of the URLs.
URL: Displays all the URLs accessed.
URL Category: Displays the category of the URLs, for example Business, Games, Search Engine.
Country: Displays the country the URLs originate from.
Access Count: Displays the number of times the URLs were accessed.

Default - Top URL Categories report
This report shows the most accessed URL categories during the selected period.

Field: Description
URL Count: Displays the number of times URLs in the category were accessed.
URL Category: For each category, the following data is displayed:
   URL: Displays all the URLs accessed.
   URL Reputation: Displays the reputation score (risk factor) of the URLs.
   Country: Displays the country the URLs originate from.

Default - Top Files Accessed report
This report shows the most accessed files in the network during the selected period.

Field: Description
Access Count: Displays the number of times the files were accessed.
File Name: Displays the names of the files accessed.
File Path: Displays the paths of the files accessed.

Default - Top Most Recently-Active Hosts report
This report shows the hosts most recently active on the network.

Field: Description
Last Seen: Displays when the hosts were last seen on the network.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.
Zone: Displays the zone names.
HTF: Displays the threat factor value of the hosts. See also Host Threat Factor.

Default - Top Host Summary report
This report shows summary details for hosts in the network during the selected period.

Field: Description
Last Activity Time: Displays the last activity time of the hosts.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.
Zone: Displays the zone names of the hosts.
Applications: Displays the list of application names, for example HTTP, Gmail, eDonkey.
Active Connections: Displays the number of active connections to the host.
HTF: Displays the threat factor value of the hosts. See also Host Threat Factor.

Default - Top Hosts by Bandwidth Usage report
This report shows the hosts sending or receiving the most bytes in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.

Zone: Displays the zone names of the hosts.
HTF: Displays the threat factor value of the hosts. See also Host Threat Factor.
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.

Default - Top Hosts by GTI Reputation report
This report shows the hosts with the highest GTI reputation in the network during the selected period.

Field: Description
Reputation: Displays the reputation of the hosts.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.
Country: Displays the country of the hosts.
Zone: Displays the zone names of the hosts.

Default - Top Hosts by Threat Factor report
This report shows the hosts sorted by Threat Factor during the selected period.

Field: Description
HTF: Displays the threat factor value of the hosts. See also Host Threat Factor.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.
Zone: Displays the zone names of the hosts.
In Bytes: Displays the inbound traffic in bytes.
Out Bytes: Displays the outbound traffic in bytes.
Total Bytes: Displays the traffic volume in bytes.

Default - Top New Applications Seen report
This report shows the applications that are new on the network during the selected period.

Field: Description
First Seen: Displays the time the applications were first seen.
App Name: Displays the application names, for example HTTP, Gmail, eDonkey.
Last Seen: Displays the time the applications were last seen.

Default - Top New Services Seen report
This report shows the services that are new on the network during the selected period.

Field: Description
First Seen: Displays the time the services were first seen.
Service Name: Displays the service names, for example ftp (tcp), dns (udp).
Last Seen: Displays the time the services were last seen.

Default - Top New Hosts Seen report
This report shows the hosts that are new on the network during the selected period.

Field: Description
First Seen: Displays the time the hosts were first seen.
Host IP: Displays the IP addresses of the hosts.
Host Name: Displays the names of the hosts.
Zone: Displays the zone names of the hosts.
HTF: Displays the threat factor value of the hosts. See also Host Threat Factor.

Default - Top Services by Bandwidth Usage report
This report shows the services consuming the most bandwidth (bytes) in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Service Name: Displays the service names, for example ftp (tcp), dns (udp).
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.
In Packets: Displays the number of inbound packets.
Out Packets: Displays the number of outbound packets.
Total Packets: Displays the total number of packets.

Default - Top Applications by Bandwidth Usage report
This report shows the applications consuming the most bandwidth (bytes) in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
App Name: Displays the application being accessed.
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.
In Packets: Displays the number of inbound packets.
Out Packets: Displays the number of outbound packets.
Total Packets: Displays the total number of packets.

Default - Top Most Recent Connections report
This report shows a connection summary for the network during the selected period.

Field: Description
Time: Displays the time of the connections.
Src IP: Displays the IP address of the source hosts.
Dst IP: Displays the IP address of the destination hosts.
Src Port: Displays the source port of the connections.
Dst Port: Displays the destination port of the connections.

App: Displays the application name, service name or protocol.
Total Bytes: Displays the traffic volume in bytes.
Total Packets: Displays the total number of packets.
URLs: Displays the URLs seen in the connections.
File Names: Displays the files seen in the connections.

Default - Top Interface Traffic report
This report lists the exporter interfaces that carried the most traffic during the selected period.

Field: Description
Total Bytes (packets): Displays the traffic volume in bytes (or packets).
Interface Name: Displays the name of the interface.
In Bytes (packets): Displays the inbound traffic in bytes (or packets).
Out Bytes (packets): Displays the outbound traffic in bytes (or packets).
Avg Bytes (packets): Displays the average traffic in bytes (or packets).
Max Bytes (packets): Displays the maximum traffic in bytes (or packets).

Default - Top Conversations report
This report lists the conversations that carried the most traffic during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Src IP: Displays the IP address of the source hosts.
Dest IP: Displays the IP address of the destination hosts.
Service: Displays the service names, for example ftp (tcp), dns (udp).
In Bytes: Displays the inbound traffic in bytes.
Out Bytes: Displays the outbound traffic in bytes.

Reports that are no longer in use

The following default reports are deleted in the current release:
Default - Top 10 Applications
Default - Top 10 Conversations
Default - Top 10 Services
Default - Top 10 Host Traffic
Default - Top 10 Interface Traffic

If you have created duplicate reports from any of the deleted reports, you have to delete them. You can instead duplicate any of the following reports, which provide more flexibility and output data:
Default - Top Applications by Bandwidth Usage
Default - Top Conversations
Default - Top Services by Bandwidth Usage
Default - Top Hosts by Bandwidth Usage
Default - Top Interface Traffic

Create a Next Generation duplicate report

You can create duplicate reports of the default Next Generation reports and then edit the parameters to suit your requirements.

91 NTBA enhancements Next Generation Reports enhancements 4 Task 1 On the Manager home page, click Reports. 2 Click the Next Generation tab. 3 From the Saved Reports list, select a Next Generation default report and click Duplicate. 4 Select a Next Generation default report and click Duplicate. The Duplicate Next Generation Report page is displayed. Figure 4-2 Duplicate Next Generation Report page 5 Enter the name and description (mandatory fields), then click Ok. The duplicate report is displayed in the Saved Reports section. McAfee Network Security Platform 7.1 Addendum I to 7.1 Documentation 91

6 Click Edit to change the parameters. The Data Source page is displayed.
Figure 4-3 Data Source page
7 Select a row in the left pane to view the Data Fields options.
8 Click Save.
9 On the Save Query page, enter a name and description for the query.
10 Click Next. The Select Recipients page is displayed.
11 Click New to add a recipient.
12 Click Finish to complete the process.

Next Generation User Defined report
You can create a new report with your choice of data source, presentation, and filter.
Task
1 On the Manager home page, click Reports.
2 Click the Next Generation tab.
3 Click New.
4 Select a data source for the report. The data source represents the database tables from which the report information is retrieved.
5 Click New.

6 Select how the report is displayed: table, bar chart, or pie chart. The Display Options page is displayed.
Figure 4-4 Display Options page
7 Select the columns to include in the report by selecting rows in the left pane.
8 Select a row in the left pane to view the data filter options. You can refine the filters for the fields selected in step 4 from the Data Filter options; use the + and - buttons to add or delete conditions. When you have finished the selections, save the report query by clicking Save, or run the report without saving it by clicking Run Once.
9 On the Save Query page, enter a name and description for the query.
10 Click Finish to save the query. The report is saved and displayed in the Saved Reports section of the Next Generation page.
11 Select the report, then click Run Once.
12 In Run Query, enter the data options and the report format.
13 Click Run to run the report query. The generated report is displayed in the selected report format. If there are no alerts, only the table is displayed.

After a User Defined Report is saved, you cannot change its data source.
The New option is not supported for NTBA Generated Reports; you can only run such a report, or duplicate it and modify some of the conditions in its query.

Integration with McAfee Logon Collector
With this release of Network Security Platform, the NTBA-McAfee Logon Collector (MLC) integration is supported so that user names can be displayed for the hosts in your IPS and NTBA deployments. MLC provides an out-of-band method of obtaining user names from Active Directory.
See also Integration with McAfee Logon Collector on page 159

Enterprise Appliance enhancements
Earlier, if more than one NTBA Appliance was in use, you had to configure one of them as the primary Enterprise NTBA Appliance; that is, you were forced to show data at an enterprise level. With this release, the Manager no longer requires you to configure an Enterprise NTBA Appliance when more than one NTBA Appliance is deployed.

Configure an Enterprise NTBA Appliance
In an environment with multiple NTBA Appliances, the designated Enterprise NTBA Appliance consolidates flow information from all other NTBA Appliances to provide a network-wide view. You can configure the Enterprise NTBA Appliance only at the root admin domain. You can either configure one Appliance as the aggregator or leave the Appliances as individual devices. Only one NTBA Appliance can be nominated as the Enterprise NTBA Appliance.
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | Enterprise NTBA Settings. The Enterprise NTBA Appliances page is displayed.
Figure 4-5 Enterprise NTBA Appliances page
3 From the drop-down list, select an Enterprise NTBA Appliance.
4 Click Save.

Display monitors for Enterprise Appliance
If you have not configured an Enterprise NTBA Appliance as described in the preceding section, you can choose which NTBA Appliance's data a monitor displays. When there is more than one NTBA Appliance but none is configured as the Enterprise Appliance, a drop-down list of all NTBA Appliances is shown; select one to display the monitors for that Appliance only.
Figure 4-6 Monitor-level data filtering page

Task
1 On the Manager home page, click Configure.
2 Select Enterprise NTBA as None.
3 Restart the Threat Analyzer. The dashboard then displays the name of the configured Enterprise NTBA Appliance and shows enterprise-wide data in the monitors.
Figure 4-7 Monitor display for the Enterprise NTBA
The Manager does not support different time period options for these monitors; they display data only for the last 10 minutes.

External storage enhancements
With this release, the NTBA Appliance can store NetFlow data on an external server. The Appliance's internal storage covers typical retention requirements; if you need to keep data for an extended period, define an external storage device as described below.

Define an external storage device
Use the External Storage page to define an external server for NetFlow data that must be retained longer than the Appliance's internal storage allows.

Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | <device> | External Storage. The External Storage page is displayed.
Figure 4-8 External Storage page
3 Configure the following fields:
  Server Name or IP Address: Enter the host name or IP address of the backup server where the data will be stored. Only IPv4 addresses are supported.
  File System: Select CIFS or NFS; the default is CIFS. The Common Internet File System (CIFS) is a dialect of Microsoft's Server Message Block (SMB), an application-layer network protocol mainly used to provide shared access to files between nodes on a network. Network File System (NFS) is a distributed file system protocol that lets a user on a client computer access files over a network much as local storage is accessed.
  Server Port: Enter the server port number (CIFS only).
  Target Directory: Enter the directory on the external storage where the files will be stored.
  Username: Enter the user name for file system authentication (CIFS only).
  Password: Enter the password for file system authentication (CIFS only).
  Storage Interval (1-24 hours): Specify the storage interval, between 1 and 24 hours.
  Storage Limit (1-100%): Specify the maximum percentage of the external storage that can be used.
  Include Layer 7 Data: Indicate whether Layer 7 data must be backed up. The default is Yes.
The following field is displayed only when NFS is selected:
  Do you want to use SUN RPC Port Mapper?: Select this to locate the NFS and mount services through the SUN RPC port mapper. The default is Yes.
The following fields are displayed when you select No for Do you want to use SUN RPC Port Mapper?:
  Service Port: Enter the NFS service port number.
  Mount Port: Enter the mount service port number.
Note that no user name or password is sent for NFS, so access to the export is controlled only by the host restrictions configured on the NFS server; restrict the export to the Appliance's address. For CIFS, use an account whose rights are limited to the target directory.

4 Click Test Connection to verify that the Appliance can reach the server. The connection fails if the device is down.
5 Click Save once a message confirms that the connection was successful.

Retrieve data stored on external storage
You can retrieve data stored on an external storage device using the Top Most Recent Connections report. Specify a time range, and NTBA fetches the data from local storage, external storage, or both to produce a unified report for that range.

Netflow exclusion filters enhancements
With this release, you can exclude flow data from specific hosts from NTBA processing. Any NetFlow records that include an IP address on the exclusion list are not processed.

Add a new exclusion
You can exclude all flow data, or only the Layer 7 (L7) data, for specific networks by adding their IP addresses to the exclusion list. Excluded data is not displayed, stored, or analyzed for threats.
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | NTBA Settings | Exclusions. Exclusions can be added at the root node and at child nodes. The Exclusions page is displayed.
3 Click New on the Exclusions page.
4 Enter the IP address and the gateway port of the host you want to exclude.
Figure 4-9 Add exclusions page
5 From the drop-down list, select Exclude all flow data or Exclude only L7 flow data.
6 Click Add, then click Save. Click Edit or Delete to update an existing exclusion.

Inherit exclusions to child domains
You can set exclusions at the root level so that child domains inherit them.
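The following is an added example, written for this page and not taken from the McAfee documentation or product, that makes the two exclusion modes above concrete and then shows what the Default - Top Conversations report (fields described earlier) computes from the records that survive. The page does not say whether an exclusion matches on the source, the destination, or both, how "Exclude only L7 flow data" is applied, or what In Bytes and Out Bytes are measured against; the choices made here (match on either endpoint, strip URL and file name, count relative to the source host) are assumptions, and the NetFlow records and exclusion entries are constructed.

```python
"""Added example (not from the McAfee documentation or product): applies
NTBA-style exclusion entries to constructed NetFlow records, then builds the
rows of the Default - Top Conversations report from the records that survive.

Assumptions, stated because the page does not spell them out:
- an exclusion entry matches a flow when either endpoint of the flow falls
  inside the entry's address or CIDR network;
- "Exclude only L7 flow data" keeps the byte counts but drops the Layer 7
  fields (URL and file name) before the record is stored;
- In Bytes / Out Bytes are counted relative to the source host of the
  conversation (out = source to destination).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

EXCLUDE_ALL = "Exclude all flow data"
EXCLUDE_L7 = "Exclude only L7 flow data"


@dataclass(frozen=True)
class Flow:
    """One NetFlow record as NTBA would see it (field names are ours)."""
    src: str
    dst: str
    service: str            # e.g. "dns (udp)", as shown in the report
    bytes_out: int          # src -> dst
    bytes_in: int           # dst -> src
    url: Optional[str] = None        # Layer 7 fields
    file_name: Optional[str] = None


def parse_exclusions(entries: Sequence[Tuple[str, str]]):
    """Turn (address-or-CIDR, mode) pairs, as typed into the Exclusions page,
    into (network, mode) pairs. Unknown modes are rejected up front."""
    parsed = []
    for addr, mode in entries:
        if mode not in (EXCLUDE_ALL, EXCLUDE_L7):
            raise ValueError(f"unknown exclusion mode: {mode!r}")
        parsed.append((ipaddress.ip_network(addr, strict=False), mode))
    return parsed


def apply_exclusions(flows: Iterable[Flow], exclusions) -> List[Flow]:
    """Drop or strip flows according to the exclusion list.
    A host covered by both modes is treated as "exclude all"."""
    kept = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        modes = {mode for net, mode in exclusions if src in net or dst in net}
        if EXCLUDE_ALL in modes:
            continue                         # not displayed, stored or analyzed
        if EXCLUDE_L7 in modes:
            f = Flow(f.src, f.dst, f.service, f.bytes_out, f.bytes_in)  # L7 fields dropped
        kept.append(f)
    return kept


def top_conversations(flows: Iterable[Flow], n: int = 10) -> List[dict]:
    """Aggregate flows by (Src IP, Dest IP, Service) and rank by Total Bytes,
    which is what the Default - Top Conversations report shows."""
    totals = defaultdict(lambda: [0, 0])     # key -> [in, out]
    for f in flows:
        totals[(f.src, f.dst, f.service)][0] += f.bytes_in
        totals[(f.src, f.dst, f.service)][1] += f.bytes_out
    rows = [
        {"Total Bytes": i + o, "Src IP": s, "Dest IP": d, "Service": svc,
         "In Bytes": i, "Out Bytes": o}
        for (s, d, svc), (i, o) in totals.items()
    ]
    rows.sort(key=lambda r: (-r["Total Bytes"], r["Src IP"], r["Dest IP"]))
    return rows[:n]


# Constructed sample data (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "8.8.8.8", "dns (udp)", 120, 300),
    Flow("10.1.1.5", "8.8.8.8", "dns (udp)", 80, 200),
    Flow("10.1.1.5", "93.184.216.34", "http (tcp)", 2000, 50000, url="http://example.com/a"),
    Flow("10.1.1.9", "93.184.216.34", "http (tcp)", 1000, 20000, url="http://example.com/b"),
    Flow("192.168.50.7", "93.184.216.34", "http (tcp)", 500, 8000, file_name="setup.exe"),
]
SAMPLE_EXCLUSIONS = [
    ("192.168.50.0/24", EXCLUDE_ALL),   # lab segment: nothing stored at all
    ("10.1.1.9", EXCLUDE_L7),           # single host: flows kept, URLs/files dropped
]


def demo(flows=SAMPLE_FLOWS, exclusions=SAMPLE_EXCLUSIONS, n=10):
    return top_conversations(apply_exclusions(flows, parse_exclusions(exclusions)), n)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the demo ranks the 10.1.1.5 to 93.184.216.34 HTTP conversation first, keeps the 10.1.1.9 conversation but without its URL, merges the two DNS records into one row, and never shows the 192.168.50.7 host at all, which is the practical difference between the two drop-down choices.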

Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | NTBA Settings | Exclusions. The Exclusions page is displayed.
Figure 4-10 NTBA Settings Exclusions page
3 To have the child nodes under NTBA Settings inherit the exclusion list, select the Inherit CIDR Exclusion list from Participation Page checkbox.
4 Click Save.

Deploy configuration changes on device
For the exclusions to take effect, you must deploy the configuration changes to your device.
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | Configuration Update. The Configuration Update page is displayed.
Figure 4-11 Configuration Update page

3 Select the Configuration Update checkbox for the device and click Update.
Figure 4-12 Download status window
4 When the download completes, click Close Window.

NTBA attack notification enhancements
This release adds an option to notify administrators when hosts are quarantined.

Send notifications for quarantined attacks
You can define whether and how administrators are notified when hosts are quarantined. This can be configured only at the root level and is inherited by the child domains.
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | Quarantine. The Syslog Notification page is displayed.
Figure 4-13 Syslog Notification page
3 Configure the following fields.

  Enable Syslog Notification: Yes enables notification; No disables it.
  Server Name or IP Address: Enter the host name or IP address of the syslog server to which alerts are sent. IPv4 and IPv6 addresses are both accepted.
  UDP Port: The port on the target syslog server that accepts syslog messages.
  Facility: The standard syslog facility value. The choices are:
    Security/authorization (code 4)
    Security/authorization (code 10)
    Log audit (note 1)
    Log alert (note 1)
    Clock daemon (note 2)
    Local user 0 (local0) through Local user 7 (local7)
  Severity Mapping: Map each Network Security Platform severity (Informational, Low, Medium, or High) to one of the standard syslog severities:
    Emergency - System is unusable
    Alert - Action must be taken immediately
    Critical - Critical conditions
    Error - Error conditions
    Warning - Warning conditions
    Notice - Normal but significant condition
    Informational - Informational messages
    Debug - Debug-level messages
4 Click Save. You must click Save before you can customize the format of the message sent to your syslog server. The Customized option is available only when Enable Syslog Notification is set to Yes.
5 Select a Message Preference to choose the format of the message sent to your syslog server:
  System default: A summary of the alert with two fields for easy recognition, Attack Name and Attack Severity. The default message reads: Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$).
  Customized: Create a custom message, as described next.

Create a custom message
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | Quarantine.
3 In Message Preference, select the Customized option and click Edit.
The Custom Message page is displayed.

4 Type a message and click the parameters required for the alert identification format. You can type custom text in the Message field, and click the Content-Specific Variables to move them into the Message field.
Figure 4-14 Custom Message page
Use the dollar sign ($) delimiter immediately before and after each variable, for example $ATTACK_TIME$.
5 Click Save to return to the Syslog page.
6 Click Save.

Add Device Wizard enhancements
With this release, when a new user logs on to the interface for the first time, the Add Device Wizard is presented after the Manager Initialization Wizard is completed. The Add Device Wizard is also available from the Wizards node of the Resource Tree. Instructions have also been added prompting the user to complete the command line interface setup before establishing trust between the Appliance and the Manager.

Add an NTBA Appliance
Adding an NTBA Appliance to the Manager enables the Manager to accept communication from a physically installed and network-connected Appliance. Once communication has been established, the Manager allows the Appliance configuration to be edited, and the Appliance's alert data becomes available in the Threat Analyzer and in report queries.
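The following is an added example for the quarantine syslog notification described under NTBA attack notification enhancements; it is written for this page and is not McAfee code. It shows how the Facility and Severity Mapping choices combine into the syslog PRI value a receiving SIEM keys on, and how the $...$ placeholders of a System default or Customized message are expanded. The facility and severity codes are those of RFC 3164; the page names the facilities but gives numeric codes only for "code 4" and "code 10", so using standard RFC numbering for the rest, framing the datagram as <PRI> plus message text, and the particular Severity Mapping shown are assumptions. $IV_ATTACK_NAME$ and $IV_ATTACK_SEVERITY$ are the page's default variables; the alert values are constructed.

```python
"""Added example (not from the McAfee documentation or product): builds the
UDP syslog datagram that a quarantine notification configured as above would
produce, and parses such a datagram back into facility, severity and text.

Assumptions, stated because the page does not give them:
- facility and severity numbers follow RFC 3164 (the page names the
  facilities but gives numeric codes only for "code 4" and "code 10");
- the datagram is framed as <PRI> followed by the message text, the RFC 3164
  minimum; whatever header the Manager actually adds is not documented here;
- the Severity Mapping values below are one reasonable choice, not defaults;
- $IV_ATTACK_NAME$ and $IV_ATTACK_SEVERITY$ come from the page's default
  message; other $...$ names are hypothetical.
"""
import re
import socket
from typing import Dict

# RFC 3164 facility codes for the choices offered on the Syslog Notification page.
FACILITIES: Dict[str, int] = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    "Log audit (note 1)": 13,
    "Log alert (note 1)": 14,
    "Clock daemon (note 2)": 15,
    **{f"Local user {i} (local{i})": 16 + i for i in range(8)},
}

# RFC 3164 severity codes, as listed on the page.
SYSLOG_SEVERITIES: Dict[str, int] = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# Example Severity Mapping (NSP attack severity -> syslog severity); assumed.
EXAMPLE_SEVERITY_MAPPING = {
    "Informational": "Informational",
    "Low": "Notice",
    "Medium": "Warning",
    "High": "Alert",
}

DEFAULT_MESSAGE = "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)"

_VARIABLE = re.compile(r"\$([A-Z0-9_]+)\$")


def render_message(template: str, variables: Dict[str, str]) -> str:
    """Expand $NAME$ placeholders. Unknown names are left untouched so that a
    typo in a custom message shows up in the syslog text instead of vanishing."""
    return _VARIABLE.sub(lambda m: str(variables.get(m.group(1), m.group(0))), template)


def priority(facility_label: str, syslog_severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility_label] * 8 + SYSLOG_SEVERITIES[syslog_severity]


def build_datagram(facility_label: str, severity_mapping: Dict[str, str],
                   attack_severity: str, template: str, variables: Dict[str, str]) -> str:
    """What the Manager would send for one quarantined-host alert, under the
    assumptions above: <PRI> followed by the rendered message."""
    pri = priority(facility_label, severity_mapping[attack_severity])
    return f"<{pri}>{render_message(template, variables)}"


_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_datagram(data: str) -> Dict[str, object]:
    """Receiver side: split PRI back into facility and severity so a SIEM rule
    can key on them (for example, alert on severity <= 1 from local4)."""
    m = _PRI.match(data)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram with a valid PRI")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "message": m.group(2)}


def send_notification(server: str, udp_port: int, datagram: str) -> None:
    """Send over UDP; getaddrinfo picks AF_INET or AF_INET6, matching the
    page's note that the server may be given as an IPv4 or IPv6 address."""
    family, _, _, _, addr = socket.getaddrinfo(server, udp_port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.sendto(datagram.encode("utf-8"), addr)


# Constructed alert, not a real event.
SAMPLE_VARIABLES = {"IV_ATTACK_NAME": "Host quarantined: outbound scan",
                    "IV_ATTACK_SEVERITY": "High", "ATTACK_TIME": "2012-05-01 10:15:00"}


def demo() -> str:
    return build_datagram("Local user 4 (local4)", EXAMPLE_SEVERITY_MAPPING,
                          "High", DEFAULT_MESSAGE, SAMPLE_VARIABLES)


if __name__ == "__main__":
    d = demo()
    print(d)
    print(parse_datagram(d))
```

With local4 and a High-to-Alert mapping the datagram starts with <161> (20 * 8 + 1), which is the value to match in the receiving server's filter; if a custom message contains a misspelled variable, render_message leaves the $...$ token in place so the mistake is visible in the syslog rather than silently blank.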

Task
1 The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed; McAfee recommends adding an Appliance to the Manager first. Either click the To add a Device link at the bottom of the Home page:
Figure 4-15 Add Device link on the Home page
or select <Admin Domain Name> | Wizards | Add Device. You can access the Add Device node in a domain only if you have SuperUser permission for that domain.
Figure 4-16 Add Device option on the Configure page

The Add Device page is displayed.
Figure 4-17 Add Device page
2 Click Start the Add Device Wizard. The Preparation page is displayed.
3 Click Next. The Add New Device page is displayed.
4 Enter the Appliance name. The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores, and periods. The maximum length of the name is not configurable.
5 Select NTBA as the Device Type.
6 Enter the Shared Secret and repeat it in Confirm Shared Secret. The device name and shared secret are case-sensitive, and both must also be entered on the device command line interface (CLI) during physical installation and initialization; otherwise the Appliance cannot register itself with the Manager. The shared secret must be at least 8 characters long (this minimum is not configurable), cannot start with an exclamation mark, and cannot contain spaces. It may contain:
  the 26 letters in upper and lower case (a-z and A-Z)
  the 10 digits (0-9)
  the symbols ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ' , . < ? /
7 [Optional] Enter the Contact Information and Location.
8 Click Next. The Trust Establishment page is displayed.
9 Follow the instructions on the page to complete the CLI setup, then click Check Trust. Using the CLI, enter the information needed for Appliance identification and communication as described in the McAfee Network Security Platform Installation Guide. If you set up the Appliance before adding it in the Manager, you must return to the Appliance afterwards to re-enter the shared secret and begin Appliance-to-Manager communication.

10 Click Next. The Next button is enabled once trust between the Appliance and the Manager is established. The Port Settings page is displayed.
11 Make any necessary changes and click Next. The General Settings page is displayed.
12 Define the essential NTBA Appliance settings, including the flow record listening port and the Ethernet port IP settings, then click Next. The DNS Settings page is displayed. The DNS Settings page applies only to M-series Sensors running software versions above 7.0.
13 Configure the DNS server details and click Next. The Exporters page is displayed. You can add a new exporter or edit an existing one.
14 Define the exporters that will forward flow records to the NTBA Appliance for processing, then click Next. The Inside Zones page is displayed. You can add a new inside zone or edit an existing one.
15 Define the inside zones and click Next. The Outside Zones page is displayed. You can add a new outside zone or edit an existing one.
16 Define the outside zones and click Next. The Update Configuration page is displayed.
17 Click Update to start the update.
18 Click Finish. The NTBA Appliance appears under the Device List node.
Figure 4-18 New NTBA Appliance added under the Device List

Delete an Appliance configuration
To delete a previously added Appliance, select the Appliance in the Devices List and confirm the deletion by clicking OK. Do not delete the Appliance from the Manager if you plan to generate reports with data specific to that Appliance. If the Appliance is in the middle of active communication with the database, the deletion might not succeed (the Appliance still appears in the Resource Tree). If this happens, check that communication between the Appliance and the Manager is quiet, then retry the deletion.

Capacity planning enhancements
With this release, the default threshold values for pruning the database have changed.
As of 6.1.5, the migration status can be checked from the console (nbacli) with the command show dbstats. The output shows the current migration status, including the total time the migration has been running and the time taken by the current step, so you can see which migration step is in progress. After the migration completes, the migration status no longer appears in the show dbstats output.

Prune the database
You can prune the NTBA Appliance database by setting disk space capacity planning thresholds. Setting these thresholds ensures that older flow records are deleted to make room for new records. Capacity planning sessions can be set for 1-minute data, 10-minute data, 1-hour data, and 1-day data. The 1-minute data is the data refreshed every minute in the NTBA monitors displayed in the Threat Analyzer.
The 1-hour data and the 1-day data are the summarized data presented in the following NTBA monitors:
  Applications - Active (Last 7 Days)
  Applications - New (Last 7 Days)
  Applications Traffic (Bytes)
  Bandwidth Utilization (%) - Interfaces
  Hosts - Active (Last 7 Days)
  Hosts - New (Last 7 Days)
  Hosts - Threat Factor
  Protocol Distribution (Bytes)
  Services - Active (Last 7 Days)
  Services - New (Last 7 Days)
  Services Traffic (Bytes)
  Throughput Enterprise Traffic (Bytes)
  Top External Hosts By Reputation
  Top Files
  Top URLs
  Top URLs By Category
  Top URLs By Reputation
  Traffic Volume (Bytes) - Zones
  Traffic Volume (Bytes) - Top Source Hosts
The default threshold settings are as follows.
Interface label: Default value (days)
  Delete '1-minute data' older than (days): 10
  Delete '10-minute data' older than (days):

  Delete '1-hour data' older than (days): 20
  Delete '1-day data' older than (days): 30
The default threshold settings are adequate to ensure proper pruning of the database and optimum memory usage, and are therefore recommended. You can change them based on the volume of traffic in your network. The following broad indicators apply to the 1-minute data, which is the segment that matters most for database capacity:
Average traffic volume: Recommended threshold setting (days)
  Light (1000 or fewer NetFlow records per minute): 10
  Medium (around NetFlow records per minute): 5-7
  High ( NetFlow records per minute): 1-3
The NTBA application and the MySQL database are automatically restarted once every three capacity planning sessions by the NTBA monitor. This resets system memory and optimizes the memory used by capacity planning so that the system does not run out of memory. Only the application and the database are restarted, not the NTBA Appliance, so uptime is not affected.
Base the threshold settings on a clear idea of your average traffic volume, and set them as soon as possible after the NTBA Appliance is installed. Changing the thresholds later may require pruning a large number of NetFlow records, which can tie up system resources. If you are in doubt about your average traffic volume, retain the default values.
Task
1 On the Manager home page, click Configure.
2 Select <Admin Domain Name> | NTBA Settings | Maintenance | Database Pruning. The Database Pruning page is displayed.
Figure 4-19 Database Pruning page

3 Enter values in the following fields:
  Informational Alarm
  Warning Alarm
  Critical Alarm
  Delete '1-minute data' older than (days)
  Delete '10-minute data' older than (days)
  Delete '1-hour data' older than (days)
  Delete '1-day data' older than (days)
Alarms are raised when the database capacity reaches the set values.
4 Click Save.
The procedure for database pruning from the <NTBA_Appliance_name> node and from the NTBA Settings node of child admin domains is similar. Those nodes include an option to apply the global settings (set at the NTBA Settings node of the root admin domain); if the global settings are not applied, you can set values specific to the <NTBA_Appliance_name> node or to the NTBA Settings node of the child admin domain.

Dashboard enhancements
With this release, you can create a dashboard and assign monitors to it. You can add, delete, and customize monitors and, if more than one NTBA Appliance is added to the Manager, filter data at the monitor level. You can also change the parameters of the NTBA monitors. The Manager offers several time periods for displaying data in monitors: last 10 minutes, last 1 hour, last 1 day, last 1 week, and last 1 month. The Manager automatically adjusts the granularity of bar charts: minute-by-minute data for the last 1 hour, hourly data for the last 1 day, and so on.
A Reputation column has been added to the following monitors so that you can sort them by IP address and reputation:
  Top External Hosts By Reputation
  Top URLs By Reputation

Types of dashboards
The following types of dashboards are available in the Threat Analyzer:
  Default: System-generated dashboards that can be edited, viewed/hidden, and reset to factory defaults.
  Private: User-created dashboards that can be edited, viewed/hidden, and deleted only by the user who created them. Other users cannot view these dashboards.
  Public: User-created dashboards that have been explicitly shared so that all other users can view them. The owner (creator) of a public dashboard can edit, view/hide, and delete it; non-owners can only view/hide it.

Add a new dashboard
Besides the default dashboards, you can create your own dashboard with the monitors you want to look at, and add, delete, and customize monitors. You can create a custom dashboard only after you have added an Appliance to the Manager.

Task
1 Start the Real-time Threat Analyzer from the Manager home page and click the NTBA tab. The NTBA Dashboard page is displayed.
Figure 4-20 NTBA dashboard page
2 Select Options | Dashboard | New. The New Dashboard page is displayed.
Figure 4-21 New Dashboard page
3 Enter the dashboard name. The name cannot contain IPS or NTBA, cannot exceed 25 characters, and cannot contain special characters, although it can contain spaces. By default, the dashboard is public and is visible to the child admin domains. The dashboard displays the selected monitor with prepopulated data. The Properties pane is available once the dashboard is created; click it to open it.
4 To close an existing dashboard, right-click the dashboard and click Close. To open a closed dashboard, select Options | Dashboard | Open.

Assign a monitor to a dashboard
You can assign more than one monitor to a dashboard.

Task
1 On the dashboard, click Assign Monitor. The Assign Monitor page is displayed.
Figure 4-22 Assign Monitor page
2 Make the following selections:
  a Select Assign an existing Monitor.
  b Select a Category.
  c Select NTBA as the Type.
  d Select a monitor from the list.
3 Click OK to display the selected monitor in the dashboard. You can add only one monitor at a time; to add or delete monitors, see Edit a dashboard.
4 Click Save.

Edit a dashboard
You can edit a dashboard that you created to change its name or to make it public or private. You can also add or delete monitors.

Task
1 Select Options | Dashboard | Edit, or right-click the dashboard you want to edit and click Edit. The Dashboards page is displayed.
Figure 4-23 Edit Dashboard page
2 Click Assign Monitor and follow the steps described in Assign a monitor to a dashboard.
3 Make the necessary changes and click Save.
4 To delete an existing monitor, click X; the monitor is removed and you can then add a new one.

Tasks
Dashboard options on page 62

Dashboard options
Table 4-1 Dashboard options
  Open: Lets you view more than one dashboard (public and private) on the screen at any time. The opened dashboard is displayed beside the default dashboards.
  New: Creates a new dashboard and assigns a new or an existing monitor to it. See also Add a new dashboard.

Table 4-1 Dashboard options (continued)
  Edit: Lets you edit a dashboard you created, to change its name or to make it public or private. See also Edit a dashboard.
  Duplicate: Creates a new dashboard from the current values of an existing one. Right-click a dashboard and click Duplicate. By default, the new dashboard keeps the same name with the prefix Duplicate of; for example, duplicating New Dashboard1 produces Duplicate of New Dashboard1.
  Delete: Deletes private dashboards and public dashboards that you own; dashboards owned by other users can only be viewed. Alternatively, right-click a dashboard and click Delete.
  Reset Default Dashboards: Resets the default dashboards to their default settings and discards all customizations.

Types of NTBA monitors and options
The Threat Analyzer of the Manager displays eight default monitors on the NTBA dashboard. You can create additional dashboards and assign additional default or custom monitors to them, building a set of dashboards and monitors that suits your monitoring requirements. The right-click menu in the relevant default and additional default monitors has options for scanning hosts and for viewing alerts in the Alerts page of the Threat Analyzer.

Tasks
Viewing options on page 112

Viewing options
Some monitors have options to switch views:
  To switch between a monitor's settings and its monitor options, click the View Settings icon, and click it again to switch back.
  To switch between a bar graph and a table, click the View Graph (table to bar graph) and View Table (graph to table) icons at the top right of the monitor.
  To switch between a pie chart and a table, click the View Pie Chart (table to pie chart) and View Table (pie chart to table) icons at the top right of the monitor.
  To switch between an area chart and a table, click the View Area Chart (table to area chart) and View Table (area chart to table) icons at the top right of the monitor.
The data in all monitors is refreshed every five minutes.

List of NTBA default monitors
Eight monitors are displayed in the default NTBA dashboard. Some of the default monitors have drill-down options in their right-click menu; use them to view related information in the drill-down monitors.

Monitor name: Drill-down monitors
  Hosts - Threat Factor: Host Information, Host Profile, Host Interactions, Host Traffic, NSLookup Information, Service Traffic Summary, Application Traffic Summary, DoS Profile, Active Services, Active Applications, Active Ports, Layer7 Activity
  Top External Hosts By Reputation: None
  Top URLs By Reputation: None
  Traffic Volume (Bytes) - Top Source Hosts: Host Information, Host Profile, Host Interactions, NSLookup Information, TrustedSource Information, DoS Profile, Layer7 Activity
  Hosts - New: Host Information, Active Ports, Active Services, Active Applications, NSLookup Information, TrustedSource Information, Layer7 Activity
  Top URLs By Category: Show URLs
  Applications Traffic (Bytes): Application Profile
  Top Files: Show File Activity
Figure 4-24 Accessing right-click monitors - an example

List of NTBA additional default monitors
The NTBA additional default monitors provide an enterprise-wide view of the various components of the network traffic. You can create new dashboards and assign these additional monitors to suit your monitoring requirements.

Monitor name: Drill-down monitors
  Applications - Active (Last 7 Days): Application Profile
  Applications - New (Last 7 Days): Application Profile
  Applications Traffic (Bytes): Application Profile
  Bandwidth Utilization (%) - Interfaces: Interface Traffic, Top Bandwidth Consumers, Service Traffic Summary
  Hosts - Active (Last 7 Days): None
  Hosts - New (Last 7 Days): None
  Hosts - Threat Factor: Host Information, Host Profile, Host Interactions, Host Traffic, Application Traffic Summary, Service Traffic Summary, DoS Profile, Active Services, Active Applications, Active Ports, NSLookup Information, TrustedSource Information, Layer7 Activity
  Protocol Distribution (Bytes): None
  Services - Active (Last 7 Days): None
  Services - New (Last 7 Days): None
  Services Traffic (Bytes): None
  Throughput Enterprise Traffic (Bytes): None
  Top External Hosts By Reputation: None
  Top Files: Show File Activity
  Top URLs: Show URL Activity
  Top URLs By Category: Show URLs
  Top URLs By Reputation: None

Traffic Volume (Bytes) - Zones: Zone Traffic, Zone Files, Zone Services Traffic, Show NTBA Alerts, Zone URLs, Zone DoS Profile, Top Bandwidth Consumers
Traffic Volume (Bytes) - Top Source Hosts: Host Information, Host Interaction, Host Profile, DoS Profile, NSLookup Information, TrustedSource Information, Layer7 Activity

List of NTBA custom monitors

The NTBA custom monitors display NTBA Appliance-specific or zone-specific information in new dashboards. All the NTBA default and additional default monitors can be assigned to new dashboards as NTBA Appliance-specific custom monitors. In addition, you can create zone-specific custom monitors and assign them to new dashboards. Each custom monitor has parameters that you can customize, listed below.

Monitor name: Customizable parameters
Applications - Active: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])
Applications - New: Top N
Applications Traffic (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)
Bandwidth Utilization (%) - Interfaces: Top N
Hosts - Active: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])
Hosts - New: Top N
Protocol Distribution (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)
Services - Active: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])
Services - New: Top N
Services Traffic (Bytes): Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)
Top External Hosts By Reputation: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])
Top Files: Top N, Custom (Start Time and End Time)
Top URLs: Top N, Custom (Start Time and End Time)
Top URLs By Category: Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])
Top URLs By Reputation: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Traffic Volume (Bytes) - Zones: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily)
Traffic Volume (Bytes) - Top Source Hosts: Top N, Direction (Bi-directional, Inbound, Outbound), Customize (Start Time and End Time)

Change custom parameters of NTBA monitors

To change the custom parameters of an NTBA monitor:

Task
1 Click the View Settings icon on the monitor.
2 Deselect the Auto-refresh monitor with default parameters checkbox so that the parameters can be edited.
3 Make the necessary changes and click Update Now.

After the settings are saved, they are applied the next time you restart the Threat Analyzer.

See also
Configure an Enterprise NTBA Appliance on page 94
Display monitors for Enterprise Appliance on page 95

TimeView Charts enhancements

With this release, monitors that have TimeView charts support panning, which lets you scroll back and forth across the chart to view historical data from the current display time back to the last 24 hours. Custom monitors with a user-defined time range have no backward panning restriction.

View TimeView charts in the default monitors

Monitors with TimeView charts support panning to scroll (back and forth) across the graph and view data from the current display time back to the last 24 hours. The following monitors support TimeView charts:
Applications Traffic (Bytes)
Throughput Enterprise Traffic (Bytes)
Services Traffic

Traffic Volume (Bytes) - Zones
Interface Traffic

In addition to these monitors, the TimeView chart is supported by the Host Traffic monitor, the Bandwidth Utilization (%) - Interfaces monitor, and the Service Traffic monitor when you right-click and select them from the Hosts - Threat Factor report in the Threat Analyzer.

To view TimeView charts in default monitors:

Task
1 On the Manager home page, click Real-time Threats. The Threat Analyzer page is displayed.
2 Click the NTBA tab to open the NTBA Dashboard page.
3 Create or open dashboards that contain the monitors listed above to pan across their TimeView charts.

The following illustration shows a dashboard with the Throughput Enterprise Traffic (Bytes) monitor and the Application Traffic (Bytes) monitor displaying data for the last 24 hours from the current time. At launch these monitors query for the last 1 hour of data instead of 30 minutes; subsequent queries are made every 5 minutes and fetch the last 10 minutes of data, as before.

Figure 4-25 Monitors displaying the last 24 hours' data

4 Place the cursor anywhere on the graph and drag the mouse (backward or forward) to view data up to the last 24 hours. For monitors whose frequency is set to Daily, panning shows data for the last 30 days.

Viewing TimeView charts in custom monitors

When you customize the start time and the end time on these monitors, there is no backward panning restriction; that is, you can view data for more than the last 24 hours.

Figure 4-26 Custom monitors

Display filter enhancements

With this release, the Views function has been merged into the Display Filter function. The Display Filter function now allows you to create a new display filter based on the current display or to update the current display filter. You can also designate a display filter as public or private.

Add a new display filter

You can use display filters to search for alerts based on one or more attributes. When you create a display filter, the Threat Analyzer allows you to specify your own criteria for filtering the alerts. The filter can be saved, and is displayed as a tab in the Alerts page. You can close a display filter at any time using the right-click option.

Task
1 On the Manager home page, click Real-time Threats to start the Threat Analyzer. The Threat Analyzer page is displayed.
2 On the menu bar, click Alerts. Alternatively, right-click the All Alerts tab.

3 Select Display Filter | New.

Figure 4-27 New Display Filter option

The Display Filter page is displayed.

Figure 4-28 Display Filter page

4 Enter a name for the filter.
5 If you want other users to view the filter without being able to edit it, select the Make this Filter Public? checkbox.
6 The Make Visible to Child Admin Domains checkbox and the Filter Owner checkbox are then displayed.
7 Define the filter properties and enter a value for each parameter.

8 Save the filter. To keep the filter, click Save and Apply. To apply the filter temporarily without saving it, click Apply.

The new filter appears as a new tab beside the All Alerts tab.

Figure 4-29 Display a new filter on the All Alerts page

To close an existing filter, right-click the filter and click Close.

Display filter options

Apply: Displays one or more filters (public or private) on the screen at any time. The filter is displayed beside the All Alerts tab.
Delete: Deletes private filters and public filters that you own.
Duplicate: Creates a copy of an existing filter. Use the right-click option to create a new filter based on the current window content. By default, the duplicate keeps the original name prefixed with "Duplicate of"; for example, duplicating Filter1 creates "Duplicate of Filter1".
Edit: Edits private filters and public filters that you own; filters owned by other users can only be viewed. Alternatively, right-click any applied filter on the All Alerts page and click Edit Filter. To replace the filter's current content with the content of the current window, select Manually or Replace Filter Content with Current Window.

Action buttons

The following action buttons are available when you click the Options button at the bottom of the Alerts page:

Quarantined: When the Sensor detects attacks from a host on its configured monitoring port, a quarantine rule is created for the source IP address of that host and the host is placed in quarantine. The Sensor then drops all traffic from the host until the quarantine rule expires. Quarantine therefore prevents a non-compliant host from harming other network systems by isolating it from the network for a specified period of time.

Figure 4-30 Quarantine Host dialog

Search by Attack ID: Search for attacks from the Threat Analyzer.

Figure 4-31 Search an Alert dialog

Save Window Content as: Use this option to save the content as:
o Save as CSV: Saves the selected view (any selected Threat Analyzer table or graph) as a comma-separated values (CSV) file, a portable text representation of tabular data. You can save the CSV file to your client system and, for example, open it in Excel and use the Import/Chart feature to display it as a graph.
o Save as PDF: Saves the selected view (any selected table or graph) as a PDF file that you can save to your client system and open with Adobe Acrobat. For example, while working in the Real-Time Threat Analyzer you might save the Attack Details view table to review alert details.

Usability enhancements in NTBA

This release of NTBA 7.1 provides usability enhancements for the installation and configuration of physical and virtual NTBA Appliances.

Host threat factor enhancements

Earlier, there were only three color codes for the Host Threat Factor: Yellow (less than 6), Orange (6 to 9), and Red (greater than 9), and alerts were generated for a host only when its Threat Factor exceeded a threshold. The new design initializes the Threat Factor to 0.0, shown by a fourth color code, Green.

The host threat factor has the following color-coded threat ranges:
Greater than zero and less than six (Low/Medium Threat): YELLOW
Greater than or equal to six (High Threat): ORANGE

Greater than or equal to nine (Critical Threat): RED
Equal to zero: GREEN

The table and pie charts show the green color code for HTF = 0.0.

Time Zone enhancements

Earlier, the NTBA Appliance understood only UTC: if a customer had four appliances in four time zones, the administrator had to convert local time to UTC manually for the communication rules to work in each time zone. With this release, a time zone can be configured for the appliance so that the administrator can define peak and off-peak hours in local time. By default, time-of-day values are populated. Time zone configuration is available at the admin domain level as well as at the device level. You can set the time zone by selecting <Admin Domain Name> | Device List | <NTBA Appliance Name> | Misc | Time of Day.

NetFlow forwarding enhancements

With release 7.1, NetFlow forwarding is supported both before and after deduplication, so NetFlow collectors such as Nitro can integrate with the NTBA Appliance using this option. The following CLI commands configure flow forwarding:

show flowforwardinfo: Displays the flow forwarding configuration.
Syntax: show flowforwardinfo

flowforward collector add/delete ip A.B.C.D port < >: Adds or removes a flow-forwarding destination at the given IP address and port. A maximum of 5 entries is supported.
Syntax: flowforward collector add/delete ip A.B.C.D port < >

NTBA Settings user interface enhancements

This section details the user interface enhancements on the NTBA Settings page:

The NTBA Summary page now includes the zone configuration details and the various configurations made on the subsequent pages. You can view the zone configuration details by selecting <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | NTBA Appliance | Summary.

The Bindings tab has been renamed to IP Settings under <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | NTBA Appliance.

Earlier, the IP address and subnet mask of the NTBA Appliance were set through the command line interface, and the gateway and routes on a separate page at <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | NTBA Appliance | Static Routes. With this release, you define the IP settings and add the static route on the same page by selecting <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | NTBA Appliance | IP Settings.

Exporter configuration enhancements

This section lists the enhancements in the Exporters node:

Earlier, to add an IPS Sensor as an exporter, you had to configure settings in two separate places:
<Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | Exporters | Exporter
<Admin Domain Name> | IPS Settings | <Network Security Sensor Name> | NTBA Setting

With this release, you can complete all configuration required to set an IPS Sensor as an exporter under <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | Exporters | Exporter. A router is set as an exporter under the same node, as in the previous release.

Earlier, routers added as exporters were marked internal or external by default. With this release, you must set each router as internal or external manually after configuring it.

NetFlow direction setting per port

Earlier, the NetFlow direction of IPS exporter interfaces was not enforced; by default it followed the "set default-host-type" command, so if that command was set to "Internal", all interfaces were marked as "Inside". With this release, the "set default-host-type" command has been removed from the CLI. Ports that are not in inline mode are configurable for direction; for inline ports the direction is not configurable and follows the IPS direction. When you configure an IPS device as an exporter, you can assign each port's NetFlow direction to the internal or external zone. For example, if port 1A is configured as Inbound, you can configure that interface as the external zone; if port 1A is configured as Outbound, you can configure it as the internal zone. You can mark an interface as external or internal by selecting <Admin Domain Name> | IPS Settings | <Device Name> | NTBA Exporting.

Default population of CIDRs

Earlier, there were no default CIDR entries. With this release, the RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are populated in the Default Inside Zone when an NTBA Appliance is added to the Manager. You can view the default CIDRs by selecting <Admin Domain Name> | NTBA Settings | <NTBA Appliance Name> | Zones | Inside Zones | Default Inside Zone. You can also remove the default internal CIDRs by clicking Remove on the Default Inside Zone page.

DNS configuration is independent of GTI

Earlier, for the DNS settings to be applied to the Sensor, McAfee GTI had to be enabled even when DNS was set under <Admin Domain Name> | Device List | <NTBA Appliance Name> | Misc | DNS. Now, when the DNS setting is enabled, it is applied to the Sensor regardless of the McAfee GTI settings.

NS Lookup support

The CLI command nslookup has been added to display the nslookup query result for the given host name.
Syntax: nslookup host-name
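The NetFlow forwarding, per-port direction and default inside zone sections above describe how the appliance classifies and forwards flows. The following Python script is an added example, not McAfee code or an NTBA feature: it parses NetFlow v5 datagrams (the public Cisco v5 layout, a 24-byte header followed by 48-byte records), decides the direction of each flow against the RFC 1918 default inside zone, and de-duplicates a flow that two exporters both report so that byte totals are not counted twice. The exporter names, the sample flows and the "first exporter wins" de-duplication rule are assumptions made for the demonstration; the page does not describe the appliance's own de-duplication algorithm.

```python
"""Parse NetFlow v5, classify flow direction against the inside zone, and de-duplicate flows
reported by several exporters. Added example; not McAfee code."""
import ipaddress
import struct
from dataclasses import dataclass

# Default Inside Zone as the text describes it: the RFC 1918 private ranges.
INSIDE_ZONE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes: version, count, uptime, ...
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    octets: int
    direction: str  # inbound / outbound / internal / external


def is_inside(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_ZONE)


def direction(src: str, dst: str) -> str:
    s, d = is_inside(src), is_inside(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s else "external"


def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram; rejects other versions and truncated payloads."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count disagrees with datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src = str(ipaddress.IPv4Address(r[0]))
        dst = str(ipaddress.IPv4Address(r[1]))
        # r[6] = dOctets, r[9] = srcport, r[10] = dstport, r[13] = protocol
        flows.append(Flow(src, dst, r[9], r[10], r[13], r[6], direction(src, dst)))
    return flows


def deduplicate(reports: dict) -> list:
    """reports: {exporter_name: [Flow, ...]}. A flow seen by several exporters is kept once,
    keyed on the 5-tuple; the first exporter in name order wins (an assumption of this example)."""
    seen = {}
    for exporter in sorted(reports):
        for f in reports[exporter]:
            seen.setdefault((f.src, f.dst, f.sport, f.dport, f.proto), f)
    return list(seen.values())


def bytes_by_direction(flows) -> dict:
    totals = {}
    for f in flows:
        totals[f.direction] = totals.get(f.direction, 0) + f.octets
    return totals


def build_v5(records) -> bytes:
    """Build a v5 datagram from (src, dst, sport, dport, proto, octets) tuples (test data only)."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed, b"\0" * 4,
                       1, 2, 10, octets, 0, 1000, sp, dp, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, octets in records)
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + body


# Constructed sample: the IPS Sensor and a core router both export the same outbound HTTPS
# connection; only the router sees the inbound SSH connection and the internal SMB transfer.
SENSOR_DATAGRAM = build_v5([("10.1.2.3", "198.51.100.7", 51000, 443, 6, 4000)])
ROUTER_DATAGRAM = build_v5([
    ("10.1.2.3", "198.51.100.7", 51000, 443, 6, 4100),  # same flow, slightly different count
    ("203.0.113.9", "10.1.2.3", 40000, 22, 6, 900),
    ("10.1.1.1", "192.168.1.1", 5000, 445, 6, 64000),
])


def demo() -> dict:
    merged = deduplicate({"ips-sensor": parse_v5(SENSOR_DATAGRAM),
                          "core-router": parse_v5(ROUTER_DATAGRAM)})
    return bytes_by_direction(merged)


if __name__ == "__main__":
    print(demo())
```

Without the de-duplication step the outbound total would be 8100 bytes for a single 4 KB connection, which is the inflation the appliance's forward-after-deduplication option exists to avoid.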

This command is applicable only to NTBA Appliances.

HTF monitor enhancement

Earlier, the HTF monitor was populated only 48 hours after NetFlow reception began. With this release, the HTF monitor is populated immediately after NetFlow reception.

Support for sorting GTI data in monitors

A new Reputation column has been added to the following monitors so that you can sort them by IP address and reputation:
Top External Hosts By Reputation
Top URLs By Reputation

Other enhancements in monitors

This section details the other enhancements in monitors:
Bandwidth Utilization (%) - Interfaces: The Top Bandwidth Consumers graph now advances as time passes (it fetches data from the NTBA Appliance every 5 minutes).
At the launch of the Real-time Threat Analyzer, the default monitors Application Traffic (Bytes) and Throughput Enterprise Traffic (Bytes) query for the last 1 hour of data instead of 30 minutes. Subsequent queries are made every 5 minutes and retrieve the last 10 minutes of data.

Quarantine enhancements

Earlier, anomaly alerts could not be quarantined. With this release, anomaly alerts can be quarantined from <Admin Domain Name> | NTBA Settings | Policies | NTBA Policies.

Other CLI command enhancements

The following CLI command was included in release 6.1:

setup: Used to set up Sensor parameters. Run this command when you first set up your Sensor or after resetting the Sensor with the factory defaults command. This command has no parameters.
Syntax: setup
When you enter this command, you are prompted for the following:
Current password
New password
Sensor name
IP Type (IPV4=1 or IPV6=2 or BOTH=3). The IP Type prompt applies only to IPS Sensors; it is not applicable to NTBA.
Sensor IP (IPv4 or IPv6 address, or both)
Sensor subnet mask (IP address)

Manager primary IP (IPv4 or IPv6 address, or both)
Manager secondary IP (IPv4 or IPv6 address, or both)
Sensor default gateway (IPv4 or IPv6 address, or both)
Management port configuration choice (a/m)
Shared secret key
If you press Enter at a prompt, the current setting is kept as the default. For more information, see the McAfee Network Security Platform CLI Guide.

The following CLI commands have been removed in release 7.1:
show default-host-type
set flow-fw

Debugging enhancements

The CLI command tcpdump has been added to capture packets for a specified duration in seconds (1 to 30); the optional words that follow are passed on to tcpdump, as in the second example.
Syntax: tcpdump sec <1-30> [word] [word]
Examples:
tcpdump sec 5
tcpdump sec 5 -i eth4 dst host A.B.C.D


5 XC Cluster support

With this release, XC Clusters are supported in Network Security Platform version 7.1. An XC Cluster in McAfee Network Security Platform, comprising an XC-240 Load Balancer and M-8000XC Sensors, functions as a single virtual Sensor. The XC Cluster handles traffic at wire speed and efficiently inspects, detects, and prevents intrusions, misuse, denial-of-service (DoS) attacks, and distributed denial-of-service (DDoS) attacks with a high degree of accuracy. It enables high traffic loads to be processed by distributing the traffic flow across multiple Sensors to avoid congestion, providing a maximum throughput of 80 Gbps. XC Clusters also support high-availability deployment, monitoring traffic with no loss of session state or degradation of protection level. An XC Cluster can be configured in both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) modes.

XC Clusters are flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, they provide real-time monitoring of high traffic loads to detect malicious activity and respond to it as configured by the administrator. Once deployed, XC Clusters are configured and managed through the command line and the Network Security Manager (Manager).

For more information, see the McAfee Network Security Platform XC Cluster Administration Guide.


6 Manager and Central Manager enhancements

This chapter describes the Manager and Central Manager enhancements for this release.

Contents
Support for heterogeneous environments
Enhancements related to custom attacks
Access the Manager from mobile devices
Preferences enhancement in Threat Analyzer
Persisting user-selected views in Alert Details
Quick filter option
Attack filter assignment in Central Manager
Central Manager and Manager infrastructure details
Troubleshooting enhancements

Support for heterogeneous environments

This release of Network Security Platform supports a heterogeneous environment of Managers and devices. This feature is discussed in detail in the McAfee Network Security Platform Upgrade Guide for this release.

What are heterogeneous environments

Typically, the Manager and the Sensors it manages are of the same major version. For example, a 7.1 Manager manages Sensors running Sensor software 7.1.x.x. Similarly, a Central Manager and the corresponding Managers are all of the same major version. This document refers to these as homogeneous environments.

This document refers to the following as heterogeneous environments:
The Central Manager and the corresponding Managers are of different successive major versions. For example, a 7.1 Central Manager manages 7.1 Managers and 6.1 Managers.
The Manager and the corresponding Sensors are of different successive major versions. For example, some Sensors are on 6.1.x.x and the rest on 7.1.x.x, all managed by a 7.1 Manager.

Notes:
A Manager must always be of the same or a higher version than the corresponding Sensors. Therefore, a 6.1 Manager managing 7.1 Sensors is not a valid scenario. Similarly, the Central Manager must be of the same or a higher version than the corresponding Managers.
Heterogeneous environments are supported only across two successive major versions. For example, a 7.1 Manager can manage Sensors on 6.1.x.x and 7.1.x.x but not Sensors on 5.1.x.x. Similarly, a 7.1 Central Manager can manage 7.1 and 6.1 Managers but not 5.1 Managers.
Another example of a heterogeneous environment is a 7.1 Manager managing 6.0 and 7.1 Sensors. Similarly, a 7.1 Central Manager managing 6.1 and 7.0 Managers is a heterogeneous environment.
You can add 5.1 Sensors to a 7.1 Manager, but do not attempt to manage 5.1 Sensors using this Manager; it is not supported. You must upgrade the 5.1 Sensors directly to 7.1 to manage them using the 7.1 Manager.
In Network Security Platform 7.x, Central Managers and Managers support heterogeneous environments only from version x and above.

To use the information in this section, familiarize yourself with the following terms:
Homogeneous Manager environment: The Central Manager and all the Managers are of the same major version.
Heterogeneous Manager environment: At least one Manager is of a lower major version than the Central Manager. For example, a 7.1 Central Manager that manages 7.1 and 6.1 Managers.
Homogeneous Sensor environment: The Manager and all the Sensors are of the same major version.
Heterogeneous Sensor environment: At least one Sensor is of a lower major version than the Manager. For example, a 7.1 Manager managing 6.1 and 7.1 Sensors. Recall that a 7.1 Manager cannot manage 5.1 Sensors.
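The version rules above can be checked mechanically against a device inventory before a phased upgrade. The following Python script is an added example, not part of the McAfee documentation or product: it reduces a version string such as 7.1.3.14 to its release (7.1) and classifies each device against its manager as homogeneous, heterogeneous, add-only (the 5.1-under-7.1 case the text describes) or unsupported (device newer than its manager). Treating every device two or more major versions behind as add-only, and a 7.0 Sensor under a 7.1 Manager as heterogeneous, generalizes the cases the text states; the inventory and device names are constructed.

```python
"""Audit a Manager/device inventory against the heterogeneous-environment rules.
Added example; not McAfee code. The 'add-only' and same-major cases generalize the text."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Release:
    major: int
    minor: int

    @classmethod
    def parse(cls, text: str) -> "Release":
        """'7.1.3.14' -> Release(7, 1): the release is the first two components."""
        parts = text.strip().split(".")
        if len(parts) < 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a version string: {text!r}")
        return cls(int(parts[0]), int(parts[1]))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}"


def classify(manager: Release, device: Release) -> str:
    """Status of one Sensor (or of a Manager under a Central Manager) relative to its manager.

    unsupported   device is newer than the manager (a 6.1 Manager cannot manage 7.1 Sensors)
    homogeneous   same release
    heterogeneous one major version behind (6.x under 7.1), or an older minor of the same major
    add-only      two or more majors behind: the text says a 5.1 Sensor can be added to a 7.1
                  Manager but must be upgraded directly to 7.1 before it can be managed
    """
    if device > manager:
        return "unsupported"
    if device == manager:
        return "homogeneous"
    if manager.major - device.major <= 1:
        return "heterogeneous"
    return "add-only"


def audit(manager_version: str, inventory: dict) -> dict:
    """inventory: {device_name: version_string}. Returns {device_name: status}."""
    manager = Release.parse(manager_version)
    return {name: classify(manager, Release.parse(ver)) for name, ver in inventory.items()}


def upgrade_first(manager_version: str, inventory: dict) -> list:
    """Devices that cannot be managed by this manager version until they are upgraded."""
    statuses = audit(manager_version, inventory)
    return sorted(name for name, status in statuses.items() if status in ("unsupported", "add-only"))


# Constructed inventory for illustration.
INVENTORY = {
    "sensor-dc1": "7.1.3.14",
    "sensor-branch": "6.1.15.6",
    "sensor-lab": "7.0.5.2",
    "sensor-legacy": "5.1.7.20",
}

if __name__ == "__main__":
    for name, status in audit("7.1.5.7", INVENTORY).items():
        print(f"{name:14} {INVENTORY[name]:10} {status}")
    print("upgrade first:", upgrade_first("7.1.5.7", INVENTORY))
```

Running the audit with the current 6.1 Manager version before the Manager itself is upgraded shows which Sensors would become unmanageable in the interim, which is the planning question the phased-upgrade scenario below raises.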

When would you need a heterogeneous environment?

Support for managing a heterogeneous environment is typically for large deployments where the Managers or the Sensors are upgraded in phases. Consider a deployment of over a hundred Sensors on 6.1.x.x. As part of the upgrade, you first upgrade the Manager and a few of the Sensors to 7.1. However, you may still need to make configuration changes to and manage the 6.1 Sensors using the upgraded 7.1 Manager, or add new 6.1 Sensors to it. Both are possible with a Manager version that supports a heterogeneous Sensor environment.

McAfee strongly advises that you use heterogeneous support only as an interim arrangement until all your Managers and Sensors are upgraded to the latest version, so that you can make use of the latest features in Network Security Platform.

Feature support in a heterogeneous environment

This section details the supported features and the points to note when you work in a heterogeneous environment in Network Security Platform 7.1.

If the upgrade involves 5.1 Sensors, note that from release 6.0 the names of some features were changed for a better user experience, and there have been many functional changes since release 6.0. This information is available in the latest 6.1 McAfee Network Security Platform Upgrade Guide, which you should review carefully before you begin your 7.1 upgrade.

In a 7.1 heterogeneous environment, you need a 7.1 NAC Sensor to implement OOB NAC. For Standard Inline and DHCP Inline deployments, you can use a 6.1 or 7.0 Sensor. If you had implemented OOB NAC in 6.1, you need to reconfigure OOB NAC in 7.1. The method of configuring OOB NAC is vastly different in release 7.1 compared to any earlier release; for example, NAC policies are replaced by NAC rules. OOB NAC enforcement is also greatly enhanced in 7.1; for example, the Sensor can convert the NAZ to RADIUS ACLs and apply them on the access port. These enhancements make OOB NAC a simple yet powerful way to enforce hosts. However, because of these major changes, release 7.1 is not compatible with the earlier release with respect to OOB NAC only; a 7.1 Manager cannot manage a 6.1 N-series Sensor with respect to OOB NAC.

In release 7.0 and above, the IPS policy applied at the Sensor level is referred to as the baseline IPS policy. You can customize the exploit and DoS attacks of this policy for specific interfaces and sub-interfaces; the customization applies only to that interface or sub-interface, and such customized policies are referred to as local IPS policies. For 6.1 Sensor interfaces and sub-interfaces, only the DoS-attack customizations are applied; the exploit-attack customizations are not. The Manager lets you customize exploit attacks even for 6.1 Sensor interfaces and sub-interfaces, but these customizations are not applied to the Sensor resources when you do a configuration update.

In Network Security Platform 7.0 and above, the ACL feature is referred to as Firewall; see the note regarding ACLs. Advanced Firewall policies are available only for M-series Sensors on 7.0 or above; classic Firewall policies are available for M-series and I-series Sensors on 6.1, 7.0, or 7.1. The application identification feature is available only for M-series Sensors on 7.0 or above. Stateless access rules, a type of Firewall access rule, are available only for M-series Sensors on 7.1 or above. The connection limiting policy feature is available only for M-series Sensors running 7.x software.

From release 7.0, a set of protection options is available at the interface and sub-interface levels. On a 7.x Manager, go to IPS Settings | <Sensor name> | <Interface or sub-interface name> | Protection Profile to view these options. The availability of these options depends on the Sensor model and its software version, as explained below. If an option is not available, hover over it for the reason.

Figure 6-1 Availability of protection options

Advanced Botnet Detection: Available for I-series and M-series Sensors on 7.0 or above.
Advanced Traffic Inspection: Available for I-series and M-series Sensors on 7.0 or above.
File Reputation - Custom Fingerprints: Available for M-series Sensors on 6.1 and above; for 6.1 Sensors, only at the Sensor level.
File Reputation - GTI Fingerprints: Available for M-series Sensors on 6.1 and above; for 6.1 Sensors, only at the Sensor level.
Heuristic Web Application Server Protection: Available only for M-series Sensors on 7.0 or above.
HTTP Response Scanning: Available for I-series and M-series Sensors on 6.1 and above; for 6.1 Sensors, only at the Sensor level.
IP Reputation: Available only for M-series Sensors on 7.0 or above.
Layer 7 Data Collection: Available only for M-series Sensors on 7.0 or above.
Simulated Blocking: Available only for I-series and M-series Sensors on 7.1 or above.
X-Forwarded-For (XFF) Header Parsing: Available only for M-series Sensors on 7.0 or above.

The hitless reboot feature is available only for M-3050, M-4050, M-6050, and M-8000 Sensors on 7.0 or above.

The Misc tab (Device List | <Sensor name> | Misc) is available only for Sensors on 7.0 or above:
Proxy Server: Available only for M-series Sensors on 7.0 or above.
DNS Setting: Available only for M-series Sensors on 7.0 or above.
Time Zone: Available only for M-series Sensors on 7.0 or above.

NTP Server: Available for both M-series and I-series Sensors on 7.1 or above, and on a later 6.x release (not available for 7.0).
CLI Auditing: Available for both M-series and I-series Sensors on 7.1 or above, and on a later 6.x release (not available for 7.0).
Packet Capturing: Available only for M-series Sensors. On 6.1 Sensors you can capture packets only in port mode; on Sensors running 7.0 and above, in port or file mode.
The Snort Rule Validation utility validates Snort rules only for M-series Sensors on 7.0 or above.

Enhancements related to custom attacks

This section discusses the enhancements related to custom attacks in this release.

Snort rule validation utility

When you import Snort custom attacks from a file, only the valid rules that use Snort features supported by Network Security Platform are converted successfully. For the rules that fail, view the corresponding Conversion Notes in the Edit Snort Attack window to see why they did not convert, then correct the rules and re-import them.

From the Manager release that includes it, you can validate Snort rules with the Snort Rule Validation utility before you import them. The tool checks the rules for validity and reports the details of those that would fail to import, so that you can correct them and have all your rules import successfully at the first attempt. If you receive your Snort rules from a vendor, you can provide the Snort Rule Validation utility to the vendor so that they deliver validated rules, which you can then import into the Manager. The utility also works offline.

The Snort Rule Validation utility is located at <Manager install directory>\App\diag\SnortUtil. Unzip the contents of McAfeeSnortStandAlone.ZIP on any Windows machine.
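The validation utility described above is a closed tool, and this page does not list which Snort options Network Security Platform converts. The following Python script is an added example, not the McAfee utility and not McAfee code: it parses a Snort rule into its seven header fields and its option list (splitting on semicolons while respecting quoted strings and escaped quotes, as Snort's grammar requires), rejects malformed rules, and reports every option keyword that is missing from a caller-supplied allowlist. The allowlist SUPPORTED_EXAMPLE and the three rules are constructed for the demonstration; substitute the real set of supported features when using the approach.

```python
"""Parse Snort rules and report option keywords outside a given allowlist.
Added example; it is not McAfee's Snort Rule Validation utility, and SUPPORTED_EXAMPLE is
illustrative, not the set of Snort features Network Security Platform supports."""
import re
from dataclasses import dataclass

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}

# Hypothetical allowlist used only to show how the report works.
SUPPORTED_EXAMPLE = {"msg", "content", "nocase", "depth", "offset", "flow", "pcre",
                     "classtype", "reference", "sid", "rev"}


@dataclass
class SnortRule:
    header: dict
    options: list  # (keyword, value or None) in rule order

    def option(self, keyword: str) -> list:
        return [v for k, v in self.options if k == keyword]


def split_options(body: str) -> list:
    """Split 'k:v; k2; ...' on ';' while ignoring semicolons inside quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in options")
    if "".join(buf).strip():
        raise ValueError("every option must end with ';'")
    return [p for p in parts if p]


def parse_rule(text: str) -> SnortRule:
    m = re.fullmatch(r"([^()]+)\((.*)\)", text.strip(), re.S)
    if not m:
        raise ValueError("rule must have the form: header (options;)")
    tokens = m.group(1).split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"header has {len(tokens)} fields, expected {len(HEADER_FIELDS)}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in ACTIONS:
        raise ValueError(f"unknown action {header['action']!r}")
    if header["direction"] not in DIRECTIONS:
        raise ValueError(f"bad direction {header['direction']!r}")
    options = []
    for part in split_options(m.group(2)):
        key, sep, value = part.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    rule = SnortRule(header, options)
    if len(rule.option("sid")) != 1:
        raise ValueError("rule needs exactly one sid")
    return rule


def unsupported_options(rule: SnortRule, supported: set) -> list:
    return sorted({k for k, _ in rule.options if k not in supported})


def validate_rules(rules: list, supported: set) -> dict:
    """{index: [problems]}; an empty list means the rule would convert under this allowlist."""
    report = {}
    for i, text in enumerate(rules):
        try:
            rule = parse_rule(text)
        except ValueError as exc:
            report[i] = [f"parse error: {exc}"]
            continue
        report[i] = [f"unsupported option: {k}" for k in unsupported_options(rule, supported)]
    return report


# Constructed rules for the demonstration.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin path; note the semicolon"; '
    'content:"GET /admin"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 443 (msg:"uses byte_jump"; byte_jump:4,0; sid:1000002;)',
    'alert tcp any any any 80 (msg:"missing direction"; sid:1000003;)',
]

if __name__ == "__main__":
    for i, problems in validate_rules(RULES, SUPPORTED_EXAMPLE).items():
        print(i, problems or ["ok"])
```

Run against a vendor feed, the report separates rules that are syntactically broken from rules that are valid Snort but rely on options the target cannot convert, which is the distinction the Conversion Notes make after an import.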
The information on how to use this tool is in the README.txt, which is included in McAfeeSnortStandAlone.ZIP. Templates for McAfee custom attacks In Manager and above, pre-defined templates to create some of the commonly used McAfee custom attacks are available. In terms of syntax and effectiveness, a McAfee custom attack is the same whether you used a template to create it or not. However, using these templates, you can create effective McAfee custom attacks even if you do not possess detailed knowledge of the related protocol, its header, or the syntax of McAfee custom attacks. Therefore, the templates save you considerable time and effort when creating the McAfee custom attacks. Pre-defined templates are available to create McAfee custom attacks that: Detect a URL Detect the name of the file attached in an Detect a domain name Detect a string in a custom application Detect a TCP connection attempt from a specific IP address McAfee Network Security Platform 7.1 Addendum I to 7.1 Documentation 133

When you use a template, a McAfee custom attack with the relevant protocol is created automatically, along with the corresponding signature. You can add more conditions to this signature, or add more signatures to the custom attack, just as you would for a McAfee custom attack created without a template. For example, when you use the template to detect TCP connection attempts from specific IP addresses, the signature for the IP address that you specify is created automatically. To cover more IP addresses with this attack, you create the corresponding signatures for those IP addresses.

By default, the signatures created from the templates have a Benign Trigger Probability (BTP) value of high. You can edit this value after creation. Note that attacks with a BTP value of high are not included in the default IDS and default inline IPS policies.

When you save the McAfee custom attacks in the Manager database, an informational fault is displayed in the Status page to indicate whether the custom attacks were saved successfully.

Create a McAfee custom attack to detect a URL

You can use the pre-defined template to create a McAfee custom attack to detect a URL.

Task
1 In the Resource Tree, select <Root Admin Domain> > IPS Settings > IPS&Recon Custom Attacks > Custom Attack Editor. The Custom Attack Editor opens with the existing custom attacks listed in the All Custom Attacks tab.
2 Select Attack > New McAfee Attack Definition > Exploit Attack.
3 In the Templates page, select Detect a URL and click Next.
4 Enter a Name and Description for the attack. "UDS" (User-Defined Signature) is prepended automatically when you save the attack. For example, if you name the new attack "HTTP Attack XYZ", it appears as "UDS-HTTP Attack XYZ" in the Custom Attack Editor as well as in the attack database when you save the attack. The Manager provides the Attack ID when you save the attack.
5 Select the appropriate Severity for the attack.
6 Select the most appropriate Protection Category for the attack.
7 You can skip the Blocking Logic field since it is applicable only for UDP. You set Target Device Type only in the signatures.

8 Enter the URL that is to be detected and click Finish. If you specify the protocol, you can specify only http or https in the URL. The attack is listed in the All Custom Attacks tab.

Figure 6-2 Create a McAfee custom attack to detect a URL

9 Right-click the attack that you created in the All Custom Attacks tab and select Edit. In the Matching Criteria section, the protocol is automatically selected as HTTP.

10 The signature for the URL that you specified is created automatically with the default values. To edit these values, select the signature and click Edit. You can modify the default values and add more conditions to the signature. From the Edit Exploit Attack window, you can also add more signatures to the attack.

Figure 6-3 Details of the McAfee custom attack

11 To save the McAfee custom attack to the database, in the Custom Attack Editor click File > Save. Until you save the attack in the database, the NSP Attack ID column in the Custom Attack Editor shows as pending. The Sensor detects this attack after a configuration update.

Create a McAfee custom attack to detect an attachment by file name

You can use the pre-defined template to create a McAfee custom attack to detect an attachment by its file name.

Task
1 In the Resource Tree, select <Root Admin Domain> > IPS Settings > IPS&Recon Custom Attacks > Custom Attack Editor. The Custom Attack Editor opens with the existing custom attacks listed in the All Custom Attacks tab.
2 Select Attack > New McAfee Attack Definition > Exploit Attack.
3 In the Templates page, select Detect an attachment file name and click Next.

4 Enter a Name and Description for the attack. "UDS" (User-Defined Signature) is prepended automatically when you save the attack. For example, if you name the new attack "HTTP Attack XYZ", it appears as "UDS-HTTP Attack XYZ" in the Custom Attack Editor as well as in the attack database when you save the attack. The Manager provides the Attack ID after you save the attack.
5 Select the appropriate Severity for the attack.
6 Select the most appropriate Protection Category for the attack.
7 Skip the Blocking Logic field since it is applicable only for UDP; the protocol for the attack that you are creating is SMTP. You set Target Device Type only in the signatures.
8 Select the required parameter for Attachment File Name and enter the corresponding value in the text box.

Figure 6-4 Custom attack to detect an attachment by its file name

9 Click Finish.
10 Right-click the attack that you created in the All Custom Attacks tab and select Edit. In the Matching Criteria section, the protocol is automatically selected as SMTP.

11 The signature for the file name that you specified is created automatically with the default values. To edit these values, select the signature and click Edit. You can modify the default values and add more conditions to the signature. From the Edit Exploit Attack window, you can also add more signatures to the attack.

Figure 6-5 Details of the McAfee custom attack

12 To save the McAfee custom attack to the database, in the Custom Attack Editor click File > Save. Until you save the attack in the database, the NSP Attack ID column in the Custom Attack Editor shows as pending. The Sensor detects this attack after a configuration update.

Create a McAfee custom attack to detect a DNS query or response

You can use the pre-defined template to create a McAfee custom attack to detect a DNS query or response related to a domain name.

Task
1 In the Resource Tree, select <Root Admin Domain> > IPS Settings > IPS&Recon Custom Attacks > Custom Attack Editor. The Custom Attack Editor opens with the existing custom attacks listed in the All Custom Attacks tab.
2 Select Attack > New McAfee Attack Definition > Exploit Attack.
3 In the Templates page, select Detect a DNS query or response and click Next.
4 Enter a Name and Description for the attack. "UDS" (User-Defined Signature) is prepended automatically when you save the attack. For example, if you name the new attack "HTTP Attack XYZ", it appears as "UDS-HTTP Attack XYZ" in the Custom Attack Editor as well as in the attack database when you save the attack. The Manager provides the Attack ID after you save the attack.
5 Select the appropriate Severity for the attack.
6 Select the most appropriate Protection Category for the attack.

7 In the Blocking Logic field, select whether the Sensor should act only on the packet that matched this attack definition or on the entire flow. You set Target Device Type only in the signatures.
8 Enter the full or partial Domain Name that the Sensor should detect in a DNS query or response, and then click Finish.

Figure 6-6 Custom attack to detect a DNS query or response

9 Right-click the attack that you created in the All Custom Attacks tab and select Edit. In the Matching Criteria section, the protocol is automatically selected as DNS.

10 The signature for the domain name that you specified is created automatically with the default values. To edit these values, select the signature and click Edit. You can modify the default values and add more conditions to the signature. From the Edit Exploit Attack window, you can also add more signatures to the attack.

Figure 6-7 Details of the McAfee custom attack

11 To save the McAfee custom attack to the database, in the Custom Attack Editor click File > Save. Until you save the attack in the database, the NSP Attack ID column in the Custom Attack Editor shows as pending. The Sensor detects this attack after a configuration update.

Create a McAfee custom attack to detect a string in an application running on a custom port

You can use the pre-defined template to create a McAfee custom attack to detect a string in an application that is running on a custom port.

Task
1 In the Resource Tree, select <Root Admin Domain> > IPS Settings > IPS&Recon Custom Attacks > Custom Attack Editor. The Custom Attack Editor opens with the existing custom attacks listed in the All Custom Attacks tab.
2 Select Attack > New McAfee Attack Definition > Exploit Attack.
3 In the Templates page, select Detect a string in an application running over a custom port and click Next.
4 Enter a Name and Description for the attack. "UDS" (User-Defined Signature) is prepended automatically when you save the attack. For example, if you name the new attack "HTTP Attack XYZ", it appears as "UDS-HTTP Attack XYZ" in the Custom Attack Editor as well as in the attack database when you save the attack. The Manager provides the Attack ID after you save the attack.
5 Select the appropriate Severity for the attack.

6 Select the most appropriate Protection Category for the attack.
7 If the application uses UDP, then in the Blocking Logic field select whether the Sensor should act only on the packet that contained the string or on the entire flow. You set Target Device Type only in the signatures.
8 Enter the Application Name and Application Description. Enter the actual application name or the application protocol name in the Application Name field. You cannot enter any standard application protocol.
9 Select whether the application uses TCP or UDP, and enter the corresponding port number. You cannot enter a standard port number.
10 Enter the string that you want the Sensor to detect, and then click Finish. The String to Match field is case-sensitive; that is, the Sensor matches the case when it detects the string.

Figure 6-8 Custom attack to detect a string in an application on a custom port

11 Right-click the attack that you created in the All Custom Attacks tab and select Edit.

12 The signature for the string that you specified is created automatically with the default values. To edit these values, select the signature and click Edit. You can modify the default values and add more conditions to the signature. From the Edit Exploit Attack window, you can also add more signatures to the attack.

Figure 6-9 Details of the McAfee custom attack

13 To save the McAfee custom attack to the database, in the Custom Attack Editor click File > Save. Until you save the attack in the database, the NSP Attack ID column in the Custom Attack Editor shows as pending. The Sensor detects this attack after a configuration update.

Create a McAfee custom attack to detect TCP connection attempts

You can use the pre-defined template to create a McAfee custom attack to detect TCP connection attempts from specific IP addresses.

Task
1 In the Resource Tree, select <Root Admin Domain> > IPS Settings > IPS&Recon Custom Attacks > Custom Attack Editor. The Custom Attack Editor opens with the existing custom attacks listed in the All Custom Attacks tab.
2 Select Attack > New McAfee Attack Definition > Exploit Attack.
3 In the Templates page, select Detect a TCP connection attempt from a specific IP address and click Next.
4 Enter a Name and Description for the attack. "UDS" (User-Defined Signature) is prepended automatically when you save the attack. For example, if you name the new attack "HTTP Attack XYZ", it appears as "UDS-HTTP Attack XYZ" in the Custom Attack Editor as well as in the attack database when you save the attack. The Manager provides the Attack ID after you save the attack.
5 Select the appropriate Severity for the attack.

6 Select the most appropriate Protection Category for the attack.
7 You can skip the Blocking Logic field since it is applicable only for UDP. You set Target Device Type only in the signatures.
8 Enter the IPv4 or IPv6 Source IP Address from which TCP connection attempts are to be detected and click Finish. The attack is listed in the All Custom Attacks tab.

Figure 6-10 Create a McAfee custom attack to detect TCP connection attempts

9 Right-click the attack that you created in the All Custom Attacks tab and select Edit.

10 The signature for the IP address that you specified is created automatically with the default values. To edit these values, select the signature and click Edit. You can modify the default values and add more conditions to the signature. From the Edit Exploit Attack window, you can also add more signatures to the attack.

Figure 6-11 Details of the McAfee custom attack

11 To save the McAfee custom attack to the database, in the Custom Attack Editor click File > Save. Until you save the attack in the database, the NSP Attack ID column in the Custom Attack Editor shows as pending. The Sensor detects this attack after a configuration update.

Access the Manager from mobile devices

With the growing popularity of mobile devices, the use of mobile phones and tablets in corporate environments has increased. To accommodate these client devices, this release supports accessing the Manager from mobile devices (phones and tablets). The set of Manager pages catering to mobile devices is collectively referred to as the Manager mobile application. The mobile application provides SmartHelp for easy and quick reference. The Manager has been tested using the default browsers for the following mobile platforms:
iPhone 4
iPad 2
Android 2.2 and 2.3
BlackBerry 6

Preferences enhancement in Threat Analyzer

Earlier, the Real-Time Threat Analyzer allowed you to load and view a maximum of 100,000 alerts. From this release, you can view a maximum of 480,000 alerts. Use the No. of Alerts at startup option under the General tab to set how many alerts are loaded and displayed.

General panel

Use the General tab to set preferences for basic program functions. The available options are:

Ethereal: The location of your Ethereal program for packet log viewing. The first time you open the Threat Analyzer, click (...) to set the location of the Ethereal program.
Default Time Format: Click to edit the time format used to time stamp your alerts. The default time format is MM-dd HH:mm:ss.
Time Zone: The time zone used in the time-related display columns of the Threat Analyzer. Available options are Client Host Time Zone (default) and UTC/GMT.
Whois Server URL: The URL of the Whois server.
No. of Alerts at startup: The number of alerts that are loaded and displayed at startup. You can choose a maximum of 480,000 alerts from the drop-down list. The default is 20,000 alerts. This option requires a minimum of 1024 MB of memory for javaw running on the client, which is configured through ems.properties on the server: iv.ui.ta.realtime.max.heap.size=1024m.

Figure 6-12 Option to select the number of alerts at startup

Max. No. of Alerts: The maximum number of alerts that can be viewed in the Threat Analyzer.
IP Address Name Resolution: When enabled, the IP address name is displayed.
IP Address Name Resolution Maximum Timeout (milliseconds): The time allowed to resolve an IP address name. Default is 1000 milliseconds.
Warn about Impact of Real-Time Sensor Performance Polling: When enabled, the Threat Analyzer displays a warning message about the impact of Real-Time Sensor Performance polling. Default is enabled.

Highlight New Threats: Enables the preferences for highlighting new threats in the Threat Analyzer.
Threats New if First Seen: Shows the First Seen alerts in the Alerts page.
Enable Auto Scan: Enables or disables automatic Vulnerability Scan of new hosts discovered by the NTBA Appliance (applicable if McAfee Vulnerability Manager is integrated).
Proxy Server: Whether a proxy server is set. Default is disabled.

Figure 6-13 Threat Analyzer Preferences view - General tab

Persisting user-selected views in Alert Details

In this release, the tabs in the Alert Details window remain expanded or collapsed, according to your choice, across all attacks and sessions. For instance, if you go to Real-time Threats > Alerts and view the details of an alert, the tabs retain your choice across all alerts. This view persists even if you log off and log back on. Further, the state is synchronized between the Real-time and Historical Threat Analyzers. In the case of an MDR pair, the state of the panels in the Alert Details window is synchronized between the primary and secondary after the config dump.

Quick filter option

Earlier, you could filter alerts and attack definitions only by using display filters. From this release, you can also run a temporary, quicker search on one or more attributes, alongside the display filters, in the Threat Analyzer. Use the quick filter option in the Alerts and Hosts pages of the Threat Analyzer to filter any or all of the attributes.

Alerts details display

The Alerts page lists attacks on a real-time basis in the Real-time Threat Analyzer, and for the selected time span in the Historical Threat Analyzer, in order of occurrence with the most recent listed first. Attack details are presented in multiple columns, known as attributes. The attributes represent packet fields such as source and destination IP address, as well as Sensor analysis fields such as attack severity and type. You can right-click and select Show Details to view further details for an attack.

The All Alerts view displays all attacks present in the current query view (in real time in the Real-time Threat Analyzer, or for a selected time span in the Historical Threat Analyzer). When the Group By option is selected, the display shows the Alert count, Attack count, and other parameters for the chosen group attribute. The Alert count is the number of times each attack has been reported within the query parameters. For example, suppose a query shows two reported alerts (Alert Count = 2) and two reported attacks (Attack Count = 2) for the "ARP: ARP Spoofing Detected" attack: that attack was detected and reported exactly twice during the queried period. Compare the Alert Count and Attack Count for the "Samba Trans2Open Buffer Overflow" attack: 74 alerts were generated for this attack, but there were 2133 attack instances, so one or more attack instances were suppressed according to the configured suppression settings. The All Alerts view also displays pertinent information for each attack, including severity, benign trigger probability, and so forth.

Figure 6-14 All Alerts page

Item  Description
1     Search a single attribute and click the Clear Filter icon to clear the values entered for a particular search of an alert attribute.
2     Search more than one attribute and click the Clear All Filter icon to clear all the entries in the search fields of the alert attributes in a single click.

Using quick filter option

The quick filter option helps you to filter any or all of the attributes in the All Alerts page. This filtering method is case-insensitive and is based on a "string contains" search: the list shows all the values that contain what you have typed in the search field, and you can select a particular value from the list once it has been narrowed down. For example, if you want to search for the attack names related to SMTP and start typing in the search field, the list is filtered to the attack names containing the word SMTP. As you continue to type, the list narrows further until you can see exactly the names you want. This option also gives you an easier way to enter the exact syntax required to match less obvious fields, such as NAC state or IPS result. Thus, you can filter the alert attributes quickly and easily by narrowing down a large list.

You can also search more than one attribute at once. Type values in all the search fields corresponding to the alert attributes to view the exact match of your choice. You can also use this option in the Hosts page of the Threat Analyzer.

Using Java regular expressions

You can use Java regular expressions for a quicker search. The following table shows some of the important expressions that can be used with the quick filter option.

Regular expression   Description
^                    Matches beginning of line
$                    Matches end of line
abc*xyz              String starts with abc and ends with xyz
\A                   Beginning of entire string
\z                   End of entire string
.                    Matches any single character

Example of using Java regular expressions in the Alerts page

If you want to filter only the SNMP attack names, type '^SNMP' in the Attack Name attribute field to list the SNMP attack names.

Figure 6-15 Example of using Java regular expression in the Alerts page

Example of using Java regular expressions in the Hosts page

If you want to filter only the unmanaged NAC clients, type '^un' in the McAfee NAC Client attribute field to list all the unmanaged NAC clients.

Figure 6-16 Example of using Java regular expression in the Hosts page

Using symbols in the alert count filter

You can use the greater than symbol (>) or the less than symbol (<) to search the alert count in the Count attribute.

Examples:
>=20
<7
<=15
11 (this means that the search value is '=11')
>0

The values entered for the search are lost on any of the following actions:
If you switch between the Detail View and Group By view
If you navigate to any other tab of the Threat Analyzer
If you close the Threat Analyzer
If you restart the Threat Analyzer

Using quick filter option for Acknowledged and Deleted attributes

Open the Real-Time or Historical Threat Analyzer. Right-click the alert attributes header, click Show Column, and enable the Acknowledged and Deleted attributes. This search is based on the boolean values 'True' or 'False'. Select a few alerts, right-click the selected alerts, and click Acknowledge. Type 'True' in the search field.

Figure 6-17 Value for acknowledged alerts

The 'True' value displays all the acknowledged or deleted alerts. This is applicable only for the Historical Threat Analyzer.

Figure 6-18 Value for unacknowledged alerts

The 'False' value displays all the unacknowledged or deleted alerts. This is applicable for both the Real-Time and Historical Threat Analyzer.

Hosts details display

When a host is detected on a Sensor port for which you have configured NAC (Standard NAC, DHCP, or IBAC), the Sensor sends the available details of the host to the Manager. These details are displayed in the Hosts page of the Threat Analyzer. As the Sensor gathers more information, the entry in the Hosts page is updated in real time. A similar entry is created for attacking hosts if you have configured IPS Quarantine.

Figure 6-19 Hosts page

Item  Description
1     Search a single attribute and click the Clear Filter icon to clear the values entered for a particular search of a host attribute.
2     Search more than one attribute and click the Clear All Filter icon to clear all the entries in the search fields of the host attributes in a single click.

Using quick filter option

The quick filter option helps you to filter any or all of the attributes in the Hosts page. This filtering method is based on a "string contains" search: the list shows all the values that contain what you have typed in the search field, and you can select a particular value from the list once it has been narrowed down. For example, if you want to search the State attribute for Admitted and start typing in the search field, the list is filtered to the states containing the word Admitted. As you continue to type, the list narrows further until you can see exactly the entries you want. Thus, you can filter the host attributes quickly and easily by narrowing down a large list.

You can also search more than one attribute at once. Type values in all the search fields corresponding to the host attributes to view the exact match of your choice.

The quick filter option in the Alerts page is similar to that of the Hosts page. Refer to the How to view Alerts Details section for more information.
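The quick filter behaviour described for the Alerts and Hosts pages (case-insensitive "string contains" matching, Java-style regular expressions such as '^SNMP', the >, <, >=, <= and bare-number forms in the Count attribute, and 'True'/'False' for the Acknowledged and Deleted attributes) can be modelled in a few lines so that you can check what a given search value will keep before typing it into a large alert list. The following Python block is an added example; it is not part of the McAfee documentation or of the Threat Analyzer itself. SAMPLE_ALERTS, the attack names marked as constructed, and the function names are assumptions chosen for illustration. It uses Python's re module in place of the Java regular expressions the Threat Analyzer uses; the only anchor from the table above that differs in Python is \z, which is translated to Python's \Z.

```python
import re
from typing import Any, Callable, Dict, List

# Constructed sample rows shaped like the All Alerts page: one dict per alert,
# with a few of the attributes (columns) the text mentions. The rows marked
# "constructed" are illustrative and do not come from the product's attack database.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"Attack Name": "ARP: ARP Spoofing Detected", "Count": 2, "Acknowledged": False},
    {"Attack Name": "Samba Trans2Open Buffer Overflow", "Count": 74, "Acknowledged": True},
    {"Attack Name": "SNMP: Community Name Brute Force", "Count": 20, "Acknowledged": False},  # constructed
    {"Attack Name": "HTTP: Sample SNMP Proxy Request", "Count": 7, "Acknowledged": True},     # constructed
    {"Attack Name": "SMTP: Sample Attachment Name Match", "Count": 15, "Acknowledged": False},  # constructed
    {"Attack Name": "SMTP: Sample Relay Attempt", "Count": 11, "Acknowledged": True},          # constructed
]


def java_regex_to_python(pattern: str) -> str:
    """Translate the anchors from the table above into Python syntax.
    ^, $, \\A and . mean the same in both engines; Java's \\z (end of the
    entire string) is spelled \\Z in Python."""
    return pattern.replace(r"\z", r"\Z")


def text_matches(value: str, typed: str) -> bool:
    """Quick filter for text attributes: case-insensitive 'string contains'.
    The typed text is treated as a regular expression searched anywhere in the
    value, so a plain word behaves as a substring test while ^ and $ anchor it.
    Text that is not a valid regular expression falls back to a literal substring test."""
    try:
        rx = re.compile(java_regex_to_python(typed), re.IGNORECASE)
    except re.error:
        rx = re.compile(re.escape(typed), re.IGNORECASE)
    return rx.search(value) is not None


# Accepts the Count forms listed above: >=20, <7, <=15, >0, or a bare 11 (meaning =11).
_COUNT_EXPR = re.compile(r"^\s*(>=|<=|>|<|=)?\s*(\d+)\s*$")

_OPS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def count_matches(value: int, typed: str) -> bool:
    """Quick filter for the Count attribute."""
    m = _COUNT_EXPR.match(typed)
    if not m:
        raise ValueError(f"not a count filter: {typed!r}")
    op, num = m.group(1) or "=", int(m.group(2))
    return _OPS[op](value, num)


def bool_matches(value: bool, typed: str) -> bool:
    """Quick filter for Acknowledged/Deleted: the typed value is 'True' or 'False'."""
    t = typed.strip().lower()
    if t not in ("true", "false"):
        raise ValueError(f"expected True or False, got {typed!r}")
    return value is (t == "true")


def quick_filter(rows: List[Dict[str, Any]], criteria: Dict[str, str]) -> List[Dict[str, Any]]:
    """Apply one typed search value per attribute. A row is kept only if every
    criterion matches, which is what searching more than one attribute at once does."""
    def row_ok(row: Dict[str, Any]) -> bool:
        for attr, typed in criteria.items():
            if not typed.strip():
                continue  # an empty search field applies no filter (Clear Filter)
            v = row[attr]
            if isinstance(v, bool):       # bool is checked before int: True is an int in Python
                ok = bool_matches(v, typed)
            elif isinstance(v, int):
                ok = count_matches(v, typed)
            else:
                ok = text_matches(str(v), typed)
            if not ok:
                return False
        return True
    return [r for r in rows if row_ok(r)]


def attack_names(rows: List[Dict[str, Any]]) -> List[str]:
    """Convenience view of a filtered result, in the page's display order."""
    return [r["Attack Name"] for r in rows]


if __name__ == "__main__":
    print(attack_names(quick_filter(SAMPLE_ALERTS, {"Attack Name": "^SNMP"})))
    print(attack_names(quick_filter(SAMPLE_ALERTS, {"Attack Name": "smtp", "Count": ">=15"})))
```

Typing 'snmp' keeps both rows that contain SNMP anywhere, while '^SNMP' keeps only the row whose name starts with it, which is the difference the Alerts page example relies on. Combining "Attack Name" and "Count" in one call mirrors filling in two search fields at once: a row must satisfy both.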

To view the host details, select the details that you want to view in the Preferences page. The Hosts page in the Real-time Threat Analyzer then displays these details.

Figure 6-20 Preferences page

You can right-click an entry in the Hosts page for additional options.

Figure 6-21 Right-click options in the Hosts page

You can double-click an entry in the Hosts page to see the details in a pop-up window.

Figure 6-22 Double-click to view host details

Attack filter assignment in Central Manager

This release of Central Manager allows you to assign attack filters to attack definitions at the Central Manager level. Assignments made in the Central Manager affect all the Managers that belong to it.

Attack filter configuration

Using Central Manager, you can create attack filters and assign them to attack definitions. An attack filter created here is pushed to all Managers assigned to that Central Manager, saving you the effort of assigning an attack filter individually to each Manager. Attack filters can only be assigned to an admin domain. Using the Attack Filters tab on the IPS Settings page, you can create, modify, and delete an attack filter. For this functionality to work, make sure that the Manager is also running McAfee Network Security Platform 7.1 or higher.

Add attack filters

Before you begin
Make sure the Manager that you plan to assign attack filters to is also running McAfee Network Security Platform 7.1 or above.

Task
1 Go to <Admin Domain Name> > IPS Settings > Attack Filters > Attack Filters. The Attack Filters page is displayed.
2 Assign a name to the attack filter.
3 Select an Admin Domain and Filter Type from the drop-down lists.

4 Select a Matching Criteria. If you do not see any matching criteria in the list, you can create one. This section also allows you to view, edit, clone, or delete matching criteria. Before you delete a matching criterion, make sure it is not in use in any of the attack filters. If it is in use, remove this association before attempting to delete the matching criterion.
5 Click Save. The attack filter you created appears in the Attack Filters page.

Modify attack filters

Task
1 Go to <Admin Domain Name> > IPS Settings > Attack Filters > Attack Filters.
2 To view the complete details of an attack filter, either double-click the attack filter in the list or select it and click View/Edit. If an attack filter is editable, the Editable column is checked. You can edit an attack filter only if it was created at the same admin domain level.
3 When the attack filter description appears, change either the Filter Type or the Matching Criteria; the other fields are not available to edit.
4 Click Save after you have made your changes. The modified attack filter changes the behaviour of the attack definitions to which it is assigned, and therefore affects all Managers assigned to the specific Central Manager.

Clone attack filters

You can clone an attack filter and customize all of its parameters to save time.

Task
1 Go to <Admin Domain Name> > IPS Settings > Attack Filters > Attack Filters.
2 Select the attack filter that you want to clone and click Clone. The Clone an Attack Filter window opens.
3 Customize the attack filter as necessary, or click Save and return to it later. The cloned attack filter appears in the list. If you did not change the name of the original attack filter, the new attack filter has Clone as a suffix.

Delete attack filters

Before you begin
Make sure that any attack filter that you choose to delete is not in use by any attack definition. If it is in use, remove this association before attempting to delete the attack filter.

Task

1 Go to <Admin Domain Name> IPS Settings Attack Filters Attack Filters.

2 From the list, select the attack filter that you want to delete.

3 Click Delete.

The attack filter is permanently removed from the list.

Assign attack filters to attack definitions

After you create an attack filter, you must assign it to an attack definition for it to affect the behavior of the Managers assigned to your Central Manager.

Task

1 Go to <Admin Domain Name> IPS Settings Attack Filters Filter Assignments. The Filter Assignments page is displayed.

2 You can assign the attack filter to either an exploitative or a reconnaissance attack definition. Click the Exploit or the Reconnaissance tab accordingly.

3 If you clicked Exploit:

a Choose between Inbound Attacks and Outbound Attacks.

b Whichever type of attack you choose, you can view or modify an attack definition either by double-clicking it in the list or by selecting it and clicking View / Edit.

c After you select an attack definition, select one of its attacks from the list and view its details either by double-clicking it or by selecting it and clicking View / Edit. You can also edit many attacks at once by selecting several attacks (if available) and clicking Bulk Edit. The Filter Assignment window for the selected attacks is displayed.

d Select from the attack filters listed in either column, depending on the type of change you want to make.

e After you have selected the attack filters, click on the or buttons.

f Click Save and OK. Your changes are saved and you return to the Filter Assignment window of the attack definition.

g When you have completed all necessary changes, click Done. The Filter Assignments page for all exploitative attack definitions is displayed.

4 If you clicked Reconnaissance:

a Select an attack from the list.

b View its details either by double-clicking it or by selecting it and clicking View / Edit. You can also edit many attacks at once by selecting several attacks (if available) and clicking Bulk Edit. The Filter Assignment window for the selected attacks is displayed.

c Select from the attack filters listed in either column, depending on the type of change you want to make.

d After you have selected the attack filters, click on the or buttons. Your changes are saved and you return to the Filter Assignment window of all the attacks.

Export attack filters

To export attack filters, do the following:

Task

1 Go to <Admin Domain Name> IPS Settings Attack Filters Export. The Export Attack Filters window is displayed.

2 Select one or more filters that you want to export.

3 Click Export. You are then prompted to Save the filters to an XML file, Open the filter(s), or Cancel the request.

Import attack filters

You can import files containing attack filters into the Manager server.

Task

1 Go to <Admin Domain Name> IPS Settings Attack Filters Import.

2 In the Import Attack Filters window, select the check box to skip duplicate filter definitions. Otherwise, leave it unchecked.

3 Click Browse.

4 Select a file to import. Network Security Platform prompts you for the file name.

5 Click Import to accept the imported file for attack filters.

Central Manager and Manager infrastructure details

The following table lists the Central Manager/Manager server requirements for this release of 6.1:

Requirement   Minimum                                                          Recommended
OS            Windows 2008 R2 Standard Edition with SP1 (English) (64 bit)
              Windows 2008 R2 Enterprise Edition with SP1 (English) (64 bit)
              Windows 2008 R2 Standard Edition with SP1 (Japanese) (64 bit)
              Windows 2003 SP2 Standard Edition (English) (32 bit)
              Windows 2003 SP2 Standard Edition (English) (64 bit)
              Windows 2003 SP2 Standard Edition (Japanese) (32 bit)
              Windows 2003 SP2 Standard Edition (Japanese) (64 bit)
RAM           4 GB                                                             8 GB

The following table lists the Central Manager/Manager client requirements for this release of 6.1:

Requirement   Minimum                                Recommended
OS            Windows 7
RAM           2 GB                                   4 GB
Browser       Internet Explorer 7.0, 8.0, or 9.0     Internet Explorer 8.0 and 9.0

Internet Explorer 9.0 is supported only from Central Manager/Manager for this release.

MySQL is the database used in Central Manager and Manager for this release.

Troubleshooting enhancements

Additional log files

The two additional log files available in Central Manager and Manager and above are:

mgrversion.properties: Every fresh installation or upgrade of the Central Manager or Manager is logged to this file. Each entry contains the version of the Central Manager or Manager that you installed or upgraded to, and the date and time of that action. This helps you troubleshoot issues; for example, you can go through this log to correlate an issue with a specific Manager upgrade. This file is stored at <Central Manager or Manager install directory>\app\config.

dbconsistency.log: When you upgrade the Central Manager or Manager, the installed database schema is compared against the actual schema of the version you are upgrading to, to check for inconsistencies. The details of this comparison are logged to this file as error, warning, and informational messages. This file is stored at <Central Manager or Manager install directory>\app. Check this log to see whether a database inconsistency is the cause of an issue. This file is updated whenever you upgrade the Central Manager or Manager.

Warning message during downgrade

Downgrade of the Central Manager or Manager is not supported. To revert to an earlier version, you must uninstall your current version, install the older version, and restore the database backup from that older version.

You may inadvertently attempt to install an older version of the Central Manager or Manager when a later version is already installed. In such cases, the Installation Wizard displays the following warning message.

7 Product integrations

This chapter describes the product integrations with Network Security Platform in this release.

Contents

Integration with McAfee Logon Collector
Vulnerability Manager integration enhancement
Global Threat Intelligence (GTI) Participation enhancements

Integration with McAfee Logon Collector

The Manager can display a variety of information about the hosts inside and outside a network. In the Real-Time Threat Analyzer, the host user name is available along with the IP address. However, user names are available only when NAC is enabled.

With this release of Network Security Platform, the Manager integrates with McAfee Logon Collector (MLC) to display the user names of hosts in your IPS and NTBA deployments. MLC provides an out-of-band method to obtain user names from Active Directory. For more information, refer to the McAfee Network Security Platform Integration Guide.

Benefits

This integration provides information about the source and destination users without any dependency on the NAC module. It is useful in scenarios where NAC Sensors cannot be deployed.

Integration requirements

The following are the minimum requirements for this integration:

Manager version and above
MLC version and above
System requirements: Windows Server 2003 for running MLC

The Logon Monitor is part of the Logon Collector bundle that you downloaded.

How Network Security Platform - Logon Collector integration works

Logon Collector is a Microsoft Windows-based distributed collector. It is an independent service installed in a network that obtains and preprocesses network entity data from the Active Directory domains in the network. The data include users, IP-to-user bindings, computer groups, new IP addresses, and new computers. This information is published in the form of messages.

This solution does not require any modification to Active Directory or the Active Directory schema, and requires no agents. Logon Monitors can be used to poll nearby domain controllers and forward the collected information to the Logon Collector, shortening the distance that domain controller communication must travel.

The Identity Acquisition Agent (IAA) is deployed on the Network Security Platform side and acts as the interface that listens to the message service where updates are published by the Logon Collector server. The IAA listens to the Logon Collector Active Message Queue (MQ) service and regularly receives new updates from the Logon Collector server. A listener for receiving the updates is registered with the IAA, and this registered listener regularly receives new updates from the Logon Collector through the IAA.

All IP-to-user binding data is loaded into a newly created Manager cache the first time. On subsequent updates, only the differences are applied to the cache. Because all other components of the Manager can query the Manager cache, they do not need to communicate with the Logon Collector server each time an update happens.

Figure 7-1 Manager-Logon Collector integration

Configuration details for Logon Collector integration

This section gives the configuration details for the integration between the McAfee Network Security Manager and the Logon Collector server.

Configure integration at the admin domain level

You can enable the integration between the McAfee Network Security Manager and the Logon Collector server at the admin domain level.

Task

1 In the Resource Tree, select My Company Integration Logon Collector Enable.

2 In the Enable section, select Enable MLC Integration.

3 Enter the IP address of the Logon Collector server in the Server Name or IP Address option.

4 The Server Port is added by default. The default port number is It is not recommended to change the default port number.

Figure 7-2 Enable Logon Collector integration

Establishing trust between the McAfee Network Security Manager and Logon Collector server

Logon Collector communicates with the McAfee Network Security Manager over two-way (mutually authenticated) SSL. This requires the exchange of certificates between the McAfee Network Security Manager and the Logon Collector server.

Export the McAfee Network Security Manager certificate

To export the McAfee Network Security Manager certificate:

Task

1 Select My Company Integration Logon Collector Enable.

2 In the Export Certificate section, select Export to file in the Export Manager Certificate option. A pop-up window opens.

3 Click Save to save the file in your local directory.

4 Click Open MLC Console.

5 Enter the user name and password. The Logon Collector console is displayed.

6 In the Logon Collector console, select Menu Configuration Trusted CAs.

7 Click New Authority to open the New Trusted Authority window.

8 Select Import From File, then click Browse to add the exported file saved in your local directory. You can also use the Copy/Paste Certificate option.

9 Click Save.

Import the Logon Collector certificate

To import the Logon Collector certificate:

Task

1 In the Logon Collector console, select Menu Configuration Server Settings.

2 In the Settings Categories section, click Identity Replication Certificate.

3 You can import the Logon Collector certificate in one of the following ways:

Upload the Logon Collector certificate:

1 Copy the Logon Collector certificate from the Logon Collector console and paste it into a newly created file in your local directory.

2 In the Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option.

3 Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory.

Paste the certificate directly in the Manager:

1 In the Import Certificate section, select Paste Certificate.

2 Paste the copied Logon Collector certificate in the Paste Certificate box.

Figure 7-3 Paste the MLC Certificate option

The imported Logon Collector certificate is displayed under the Current MLC Certificate section.

4 Click Save.

5 Click Test Connection to test the integration.

Viewing Logon Collector details in the Threat Analyzer

This section discusses the changes in the Dashboards and Alerts windows of the Threat Analyzer for viewing user information received from the Logon Collector server.

Viewing Logon Collector details in the Dashboards window

You can assign monitors based on the source and destination users while creating a new dashboard. The following monitors are added:

Top 10 Attack Destination Users
Top 10 Attack Source Users

Figure 7-4 Assign Monitor option

Viewing user information in NTBA monitors

The Dashboards window of the Threat Analyzer now displays user names along with the host IP addresses in NTBA monitors. The following NTBA monitors display user names in the User Name column:

Hosts - Threat Factor
Traffic Volume (Bytes) - Top Source Hosts

Top External Hosts By Reputation
Hosts - New (Last 7 Days)

Figure 7-5 NTBA monitors with User Name details

The User Name field is displayed as "---" when no user name is received from the Logon Collector server for that particular host IP address.

Changes in the Host IP information

User names are displayed in the following right-click options under the Host IP section of the NTBA monitors:

Host Information
Host Profile
Host DoS Profile
Host Interactions
Host Alerts
Layer 7 Activity
Host Traffic
Service Traffic Summary
Application Traffic Summary
Active Services
Active Applications
Active Ports
NSLookup Information

The following figure shows the User Name details section for the Host Interactions option.

Figure 7-6 Host Interactions option showing User Name details

Show Alerts option for the Hosts - Threat Factor monitor

The source and destination user information is displayed for the following options under the Show Alerts section of the Hosts - Threat Factor monitor:

All Alerts
IPS Alerts
NTBA Alerts

Figure 7-7 NTBA Alerts showing Source and Destination user information

Viewing Logon Collector details in the Alerts window

Earlier, the Source User and Destination User columns in the Alerts window of the Threat Analyzer could be populated only when NAC was enabled. After the integration with Logon Collector, the McAfee Network Security Manager obtains the Source User and Destination User data from the Logon Collector server and displays it in the Threat Analyzer.

Figure 7-8 Source User and Destination User data in Threat Analyzer

The Group By section in the Alerts window of the Threat Analyzer displays the Dest IP and Src IP options.

Figure 7-9 Dest IP and Src IP options under Group By section

When NAC and Logon Collector integration are enabled at the same time, the source and destination user information from NAC takes precedence over the information from Logon Collector.

Viewing Logon Collector details in Network Security Manager reports

This section discusses the reports that display the user information received from Logon Collector.

Next Generation custom reports

In the McAfee Network Security Manager, select Reports Next Generation New.

Option 1

When you select Table as the Display Option, the Available Fields section includes Src UserId and Dest UserId. The generated custom reports contain the data about the source and destination users.

Figure 7-10 Table properties: Src UserId and Dest UserId fields

Option 2

When you select Bar Chart as the Display Option, the Bar Labels section includes the Src UserID and Dest UserID options. The generated custom reports contain the data about the source and destination users.

Figure 7-11 Src UserId and Dest UserId field options in the bar chart

Option 3

When you select Pie Chart as the Display Option, the Pie Slice Labels section includes the Src UserID and Dest UserID options. The generated custom reports contain the data about the source and destination users.

Figure 7-12 Src UserId and Dest UserId field options in the pie chart

Display Filter

The Display Filter option allows you to search for alerts based on two newly added attributes, Source Users and Destination Users.

Figure 7-13 Display Filter options

Communication error

A connection error report is shown in the Status window of the McAfee Network Security Manager when communication between the McAfee Network Security Manager server and the Logon Collector server fails. From the McAfee Network Security Manager Home page, go to Operational Status. Click Error to display the error message.

Figure 7-14 Error in Home page

The report shows the following information:

Fault Type
Severity
Source
Last Occurrence Time
Condition Type
Additional Text
Alarm Type
Creation Time

Figure 7-15 Connection error report in the Status window

You can also view the communication error message in the Alerts window of the Threat Analyzer when the connection is not working.

The following details are displayed under the Src User column:

Communication Error: error in communication with the Logon Collector server
Not Applicable: improper mapping

Figure 7-16 Communication error in the Threat Analyzer

Vulnerability Manager integration enhancement

Prior to this release, a few manual steps were needed to install Vulnerability Manager client certificates for a successful integration. This process often resulted in failure of the integration due to manual errors. With this release, some of these manual steps are automated to reduce the errors involved in manually importing client certificates into the Manager server.

Integration requirements

The following table gives the details of the integration requirements:

Software                 Version
Vulnerability Manager    6.8, 7.0, and 7.5
Manager                  and above

Save Vulnerability Manager settings

To save the Vulnerability Manager server settings:

Task

1 In the Manager, select <Admin Domain Name> Integration Vulnerability Manager API Server.

2 Under the Vulnerability Manager Server Settings section, configure the following details:

Engine Version: the 7.0 version of Vulnerability Manager used
Server Name or IP Address: the IP address of the Vulnerability Manager server
Server Port: the server port number. You can change the default port number.
User Name: the user name assigned to the user who has full rights to all the scans initiated from the Threat Analyzer
Password: the password associated with the user name above

3 Click Save to save the configuration.

Figure 7-17 API Server page

When the API Server settings are saved, some of the settings, such as the Server IP and Port, are written to the Windows Registry. These settings are required for the Foundstone Configuration Management (FCM) Agent Service to communicate with the Foundstone Configuration Management Server.

4 A pop-up opens with a message to start the Foundstone Configuration Management Agent Service. Click OK.

Foundstone and Vulnerability Manager refer to the same product.

Updating permissions for the integration

The Manager must update the Windows registry for a proper integration. However, by default the user account used to run the Manager service does not have permission to write to the Windows registry. To update the permissions:

Task

1 On the server running the Manager, run regedit.exe.

2 Select My Computer HKEY_LOCAL_MACHINE SOFTWARE.

3 Right-click and select Permissions.

4 Add the user account used to run the Manager service. Allow full permission for this folder. Click Apply and OK.

Figure 7-18 Updating permissions

Changes take effect immediately and a restart is not required.

5 Go back to the API Settings page. Click Save.

Start the FCM Agent service

Start the FCM Agent service after updating the permissions for the Windows Registry.

Task

1 From the Windows Start button, click Run and open Services.

2 You can find Foundstone Configuration Management (FCM) Agent here.

Figure 7-19 Services page

3 Click the Start button to start the FCM Agent service.

After the FCM Agent Service is started successfully, certificates are pushed to the Agent software from the FCM Server after a slight delay of 30 to 40 seconds.
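The registry permission step in this procedure is a manual regedit change. The following PowerShell script is an added example, not McAfee documentation or tooling: it grants the same access from a script and then reads back the resulting access entries so the grant can be verified and recorded. The service account name is a placeholder, and the script assumes an elevated PowerShell session on the Manager server.

```powershell
# Added example, not McAfee tooling. Grants the Manager service account the
# registry access described in "Updating permissions for the integration"
# and reads back the resulting ACEs for verification.
# Assumptions (placeholders, not from the page):
#   - $ServiceAccount is the account the Manager service runs as
#   - the script runs in an elevated PowerShell session on the Manager server
param(
    [string]$ServiceAccount = 'DOMAIN\nsm-service',  # placeholder account name
    [string]$KeyPath        = 'HKLM:\SOFTWARE'        # key named in the procedure above
)

$ErrorActionPreference = 'Stop'

# Build the access rule: Full Control on the key, inherited by its subkeys,
# which matches what the manual regedit procedure grants.
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $ServiceAccount,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Read the current DACL, append the rule, and write it back.
$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Read back only the entries that name the service account so the change
# can be confirmed immediately and kept as a record of the permission grant.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

The procedure above grants Full Control on HKLM\SOFTWARE; if you later identify the specific subkey under it that the Manager writes (the page does not name it), set $KeyPath to that subkey to keep the grant narrower.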


More information

Network Security Platform 7.5

Network Security Platform 7.5 M series Release Notes Network Security Platform 7.5 Revision B Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document

More information

McAfee Database Activity Monitoring 5.0.0

McAfee Database Activity Monitoring 5.0.0 Product Guide McAfee Database Activity Monitoring 5.0.0 For use with epolicy Orchestrator 4.6.3-5.0.1 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

McAfee VirusScan Enterprise for Linux 1.7.0 Software

McAfee VirusScan Enterprise for Linux 1.7.0 Software Configuration Guide McAfee VirusScan Enterprise for Linux 1.7.0 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

Network Threat Behavior Analysis Monitoring Guide. McAfee Network Security Platform 6.1

Network Threat Behavior Analysis Monitoring Guide. McAfee Network Security Platform 6.1 Network Threat Behavior Analysis Monitoring Guide McAfee Network Security Platform 6.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Installation Guide. McAfee SaaS Endpoint Protection

Installation Guide. McAfee SaaS Endpoint Protection Installation Guide McAfee SaaS Endpoint Protection COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

McAfee Cloud Single Sign On

McAfee Cloud Single Sign On Setup Guide Revision B McAfee Cloud Single Sign On COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Installing and Using the vnios Trial

Installing and Using the vnios Trial Installing and Using the vnios Trial The vnios Trial is a software package designed for efficient evaluation of the Infoblox vnios appliance platform. Providing the complete suite of DNS, DHCP and IPAM

More information

Installation Guide. McAfee SaaS Endpoint Protection 6.0

Installation Guide. McAfee SaaS Endpoint Protection 6.0 Installation Guide McAfee SaaS Endpoint Protection 6.0 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

McAfee Client Proxy 1.0.0 Software

McAfee Client Proxy 1.0.0 Software Product Guide McAfee Client Proxy 1.0.0 Software For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

How To Fix A Fault Notification On A Network Security Platform 8.0.0 (Xc) (Xcus) (Network) (Networks) (Manual) (Manager) (Powerpoint) (Cisco) (Permanent

How To Fix A Fault Notification On A Network Security Platform 8.0.0 (Xc) (Xcus) (Network) (Networks) (Manual) (Manager) (Powerpoint) (Cisco) (Permanent XC-Cluster Release Notes Network Security Platform 8.0 Revision A Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document

More information

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software Installation Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Virtualization Guide. McAfee Vulnerability Manager Virtualization

Virtualization Guide. McAfee Vulnerability Manager Virtualization Virtualization Guide McAfee Vulnerability Manager Virtualization COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

McAfee EETech for Mac 6.2 User Guide

McAfee EETech for Mac 6.2 User Guide McAfee EETech for Mac 6.2 User Guide COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4 Product Guide McAfee Endpoint Encryption for Files and Folders 4.2 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Configuration Information

Configuration Information Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software User Guide FIPS Mode For use with epolicy Orchestrator 4.6.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

There are numerous ways to access monitors:

There are numerous ways to access monitors: Remote Monitors REMOTE MONITORS... 1 Overview... 1 Accessing Monitors... 1 Creating Monitors... 2 Monitor Wizard Options... 11 Editing the Monitor Configuration... 14 Status... 15 Location... 17 Alerting...

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1) Configuring Virtual Switches for Use with PVS February 7, 2014 (Revision 1) Table of Contents Introduction... 3 Basic PVS VM Configuration... 3 Platforms... 3 VMware ESXi 5.5... 3 Configure the ESX Management

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Quick Start Guide. for Installing vnios Software on. VMware Platforms

Quick Start Guide. for Installing vnios Software on. VMware Platforms Quick Start Guide for Installing vnios Software on VMware Platforms Copyright Statements 2010, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form,

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Installation Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

epolicy Orchestrator Log Files

epolicy Orchestrator Log Files Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

Migration Guide Revision A. McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x

Migration Guide Revision A. McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x Migration Guide Revision A McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Installation Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.5.14 NS-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide 9034968 Published April 2016 Copyright 2016 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0 Product Guide McAfee Endpoint Security for Mac Threat Prevention 10.1.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

EMC Data Domain Management Center

EMC Data Domain Management Center EMC Data Domain Management Center Version 1.1 Initial Configuration Guide 302-000-071 REV 04 Copyright 2012-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes

More information

Virtual Appliance Setup Guide

Virtual Appliance Setup Guide Virtual Appliance Setup Guide 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

McAfee VirusScan Enterprise for Storage 1.1.0

McAfee VirusScan Enterprise for Storage 1.1.0 Product Guide McAfee VirusScan Enterprise for Storage 1.1.0 For use with epolicy Orchestrator 4.5.7, 4.6.x, 5.0.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

VMware vshield Zones R E V I E W E R S G U I D E

VMware vshield Zones R E V I E W E R S G U I D E VMware vshield Zones R E V I E W E R S G U I D E Table of Contents Getting Started..................................................... 3 About This Guide...................................................

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

McAfee Policy Auditor 6.2.0 software Installation Guide

McAfee Policy Auditor 6.2.0 software Installation Guide McAfee Policy Auditor 6.2.0 software Installation Guide COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

SevOne NMS Download Installation and Implementation Guide

SevOne NMS Download Installation and Implementation Guide SevOne NMS Download Installation and Implementation Guide 5.3.X 530 V0002 Contents 1. Get Started... 3 2. SevOne Download Installation... 6 3. Appliance Network Configuration... 9 4. Install License and

More information

Administration Guide Revision A. SaaS Email Protection

Administration Guide Revision A. SaaS Email Protection Administration Guide Revision A SaaS Email Protection COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software Hardware Sizing and Bandwidth Usage Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Deployment and Configuration Guide

Deployment and Configuration Guide vcenter Operations Manager 5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Installing, Uninstalling, and Upgrading Service Monitor

Installing, Uninstalling, and Upgrading Service Monitor CHAPTER 2 Installing, Uninstalling, and Upgrading Service Monitor This section contains the following topics: Preparing to Install Service Monitor, page 2-1 Installing Cisco Unified Service Monitor, page

More information

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started Getting Started Symantec Client Security About Security Security provides scalable, cross-platform firewall, intrusion prevention, and antivirus protection for workstations and antivirus protection for

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

Release Notes 7.5 [formerly IntruShield]

Release Notes 7.5 [formerly IntruShield] Release Notes Release Notes 7.5 [formerly IntruShield] Revision B Contents About this document New features Resolved issues Known issues Install and upgrade notes Find product documentation About this

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide Abstract This guide describes the Virtualization Monitor (vmon), an add-on service module of the HP Intelligent Management

More information

OnCommand Performance Manager 1.1

OnCommand Performance Manager 1.1 OnCommand Performance Manager 1.1 Installation and Administration Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408)

More information