McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

Transcription

1 McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced, hands-on introduction to the product. It supplies a broad familiarity with dayto-day administration skills and the knowledge required to use those skills effectively. Course Goals Customize SMTP application to increase system and network security. Customize McAfee Firewall Enterprise auditing. Configure firewall to send logs to an off-board server. Perform configuration backups and restores. Agenda At A Glance Day 1 Firewall Security Features and Components System Planning & Integration Firewall Routing Zones Audience System and network administrators, security personnel, auditors, and/or consultants concerned with network and system security should take this course. Register Now for Training

2 Agenda At A Glance Continued Day 2 Man Pages Day 3 tcpdump Auditing & Reporting DNS Configuration Policy Management Application Rule Endpoints Application Defenses Day 4 NAT and Redirection Authentication Network Integrity Agent GeoLocation IPS Inspection SSL Decryption/Re-Encryption Mail Day 5 Global Threat Intelligence SmartFilter Backup & Restoration IPSEC VPN s High AvailabilityCase Studies CLI Administration Best Practices Working with SIEM IPv6 Control Center Recommended Pre-Work It is recommended that the students have a working knowledge of Microsoft Windows administration, system administration concepts, a basic understanding of computer security concepts, and a general understanding of Internet services. Course Outline Module 0: About The Course McAfee university Product Curriculum No Duplication Facilities McAfee Technical Support Introduction Prerequisites Course Objectives Course Materials Acronyms Used in Course Lab Environment Standalone Firewalls Lab Topology Standalone Firewalls Lab Environment HA Cluster Lab Topology HA Cluster Module 1: Firewall Security The Basics Packet Filter Firewall Security Concepts Stateful Inspection Firewall Security Concepts Application Defense Firewall Security Concepts Differences Between Firewall Security Types Next-Generation Firewall Next-Generation Firewall Use Cases

3 Module 2: Firewall Enterprise Features and Components Background of McAfee Firewall Enterprise Global Threat Intelligence (GTI) Features and Components Module 3: Firewall Enterprise System McAfee Firewall Enterprise Product Portfolio Multi-Firewall Appliance Options 3rd Party Integration Options Virtual Appliance Software Only SecureOS Type Enforcement Concept Type Enforcement Benefits Type Enforcement Implementation Type Enforcement Controls Disk Format Boot Options Packet Processing Module 4: Planning for Firewall Enterprise Integrations Interactions with Other Network Devices Zones Before Firewall Enterprise Zones Physical Zones Virtual Zones Zones Zones: Sample Multi-Zone Configuration Firewall Integration Planning Zones Zones After Firewall Enterprise Routing Before Firewall Enterprise Firewall Integration Planning Routing Routing After Firewall Enterprise DNS Before Firewall Enterprise Firewall Integration Planning DNS DNS After Firewall Enterprise Mail Before Firewall Enterprise Firewall Integration Planning SMTP Mail after Firewall Enterprise Integration Policy Integration Wrap-Up Cutover Considerations Module 5: Firewall Enterprise Firewall Enterprise Software Creating Initial Configuration Initial Configuration Methods Text-Based Quick Start Program Quick Start Wizard Lab Management software and

4 Quick Start Wizard Firewall Enterprise Administration Remote Administration Firewall Enterprise Admin Console Firewall Enterprise Admin Console Setup Connecting to Admin Console Firewall Admin Console Firewall Enterprise Keyboard Mapping Secure Command Line Access Connecting to the SSH Server Lab - Secure Command Line Access Firewall Enterprise License Lab Activate Firewall Enterprise License Software Management Managing Firewall Enterprise Packages Software Management Creating a CD with Firewall Enterprise Packages Installing Admin Console Patches Lab Load and Install Patches Using MFE GUI Lab Verify the MFE Module 6: Routing Routing Dynamic Routing Static Routes Lab - Static Routes Module 7: Firewall Enterprise Zones Zone Zone Configuration Physical Zone Configuration Lab - Physical Zone Configuration Module 8: man Pages Using the Firewall s built in Manual System Reading Firewall Enterprise man Pages Lab man pages Module 9: tcpdump Looking at network traffic on Firewall Enterprise Command Line tcpdump Introduction Sample command line test of HTTP server Sample tcpdump output of command line HTTP test Connection setup Client data transfer Server data transfer and connection close Looking deeper into the packet Decoding application data Example of Netprobe Traffic

5 Example of ACL Deny Traffic Example of Upstream Network Problem (1) Example of Upstream Network Problem (2) Using tcpdump in the Admin Console Module 10: Auditing and Reporting Audit Process syslog Audit Process Components Pre-Defined Audit Filters Advanced Pre-Defined Audit Filters Audit Process Tools Audit Viewing Audit Viewing A Specific Filter Type Audit Viewing Detail View Audit Viewing Ascii View Audit Viewing Export Output Audit Viewing An Ascii Exported File Audit Viewing A SEF Exported File Audit Viewing A XML Exported File showaudit Custom Audit Filters Custom Audit Filters Admin Console Custom Audit Filters Command Line acat and sacap_filter Understanding Audit Messages Exporting Audit Reporting Exporting Audit Archiving Lab syslog Log Administration Crontab Admin Console GUI File Editor rollaudit.conf Lab - Audit File Rotation Attack and System Event Responses Attack Responses Pre-Defined Attack Responses System Responses Pre-Defined System Response Events (1 of 2) Attack Response Configuration Attack Response Settings Attack Response Configuration cf audit Command Lab - Attack Response Configuration Module 11: Firewall Enterprise DNS Configuration Module Topic DNS Before Firewall Enterprise Firewall Enterprise DNS Configuration Options Split DNS Servers Architecture Split DNS Servers - Outbound Flow Split DNS Internet Name Server Split DNS Unbound Name Server Split DNS File Contents Split DNS Single DNS Server Architecture Single DNS Server Outbound Flow Single DNS Unbound Server Single DNS File Contents

6 Single DNS Transparent DNS Transparent DNS Flow Transparent DNS Split DNS Name Server Log Examples Split DNS Internet Name Server Log Examples dig host Nslookup DNS Administration GUI Firewall Enterprise DNS Administration Lab - Transparent DNS Configuration Module 12: Policy Management Policy Terminology Policy Rules Access Control Rules Access Control Rule Groups Access Control SSL Rules SSL Rule Interactions Rule Organization Firewall Enterprise Default Policy Default Policy - Initial Configuration Default Policy Disabled Rules Default SSL Rules Use Case Scenarios Policy Command-line Administration Lab Policy Management Application Discovery Application Evaluation/Discovery Configuring Application Discovery Lab Application Discovery Module 13: Application About Applications Application Elements Types of Applications Application Type Scenarios Application Management Rule Interactions Application Selection Outbound Web Browsing Application Rule Verification Lab - Outbound Web Browsing Application Rule Outbound Web Traffic Using A Proxy Outbound Web Traffic Using A Proxy Verification Lab - Outbound Web Traffic Using A Proxy Allowing Outbound Access Using a Zone Group Lab - Allowing Outbound Access Using a Zone Group Deny/Drop Traffic Lab Allow Web Traffic with Restrictions Deny/Drop Traffic Example using the Deny option Verification Example using the Drop option Verification Lab - Deny/Drop Access Control

7 Rules Rules with Multiple Applications Application Group Management Application Group Selection Lab Allow Outbound Traffic Using Multiple Services in a Rule Servers Administration Access Control Rules Remote Access Management Run the SSH Server and Application Together Lab - Run the SSH Server and Application Together Module 14: Rule Endpoints Condition Elements Condition Elements Sources and Destinations Policy Refinement - Network Objects Policy Refinement Groups Network Objects and Netgroups Network Object Administration Netmap Network Objects Adding a Netmap Network Object Reviewing Membership of a Network Group Object Usage Special Objects Policy Refinement Time Periods Advanced Area Endpoint Usage Rule Endpoints and Redirection Policy Command-line Administration Lab - Network Objects and Netgroups Rule Elements Module 15: Application Defenses Application Defense Application Defense Profiles Application Defense Groups Configuration Application Defense Configuration Specialized Application Defenses Administration Generic Application Defense Administration Transparent vs. Non-Transparent Access Anti-Virus Feature Virus Scanning Lab - MIME/Virus/Spyware Scanning for Outbound HTTP Traffic Module 16: NAT and Redirection NAT vs. Redirection Inbound Connections Redirected Inbound Connections Re-directed Rule Operation Re-directed Access Control Rules Operation Multiple Inbound Redirected Connections NAT and Redirect Rule Properties Inbound Policy Using a Netmap Rule Groups

8 Lab - Allowing Inbound Access Module 17: Authentication Authentication Administrator Accounts Users and User Groups Requiring Authentication on a Rule Lab - Users and Administrator Account Users of Authenticators Configuring Password Authenticator Configuring Off-Board Authenticators Active Passport Active Passport Authenticators Active Passport Configuration Passport Authentication Example Passport Authentication Example Removing Users from Authentication Cache Lab - Passport Authentication Passive Passport McAfee Login Collector MLC Component MLC Operation MLC Product Integration MLC Deployment General MLC Deployment Firewall Enterprise MLC 2.0 New Features Configuring Passive Passport Validate MLC Architecture Requirements Install the MLC Configure the MLC Configure Passive Passport on MFE Configure Rules to use Passive Passport Passive Passport Audit Logs Module 18: Network Integrity Agent Hardware and Software Requirements Limitations Deployment via epo Manual Deployment NIA Configuration Certificate Configuration Configure Firewall Enterprise NIA Settings NIA Hosts and Discovery NIA Advanced Settings Command Line Configuration Discovery Mode Command Line Explicit NIA Communication Rule Active Hosts Firewall View NIA Audit Agent Status and Logs Lab Install and Configure NIA Module 19: Geo-Location Firewall Enterprise Geo-Location Geo-Location Configuration Geo-Location License Lab Geo-Location for Inbound Traffic

9 Module 20: IPS Inspection Background IPS Strategies - Anomaly based IPS Strategies - Signature based Firewall Enterprise s IPS Feature IPS Inspection High Level Process Flow IPS Configuration Signatures Attributes Category Signatures Attributes Class Type Signatures Attributes - Threat Level IPS Configuration IPS Responses Signature Groups Signature Browser Adding IPS Inspection to Rules IPS Inspection IPS Inspection Verification Lab - IPS Inspection for Inbound HTTP Traffic Module 21: SSL Decryption/Re-Encryption Terminology Traffic Interaction Decrypt Only Traffic Interaction Decrypt/Re- Encrypt SSL Rule and Access Control Rule Interactions No Decryption Configuration Decrypt Only Configuration Traffic Interaction Decrypt Only SSL Decryption Configuration Prerequisites Decrypt Only Configuration SSL Rule Decrypt Only Configuration Access Control Rule Decrypt Only Configuration Lab - SSL Decryption Decryption/Re-Encryption Configuration Decrypt/Re-Encrypt Configuration SSL Rules Decryption Exemption Configuration SSL Rules Decrypt/Re-Encrypt Configuration Access Control Rules Decrypt/Re-Encrypt Configuration Summary Decrypt/Re-Encrypt Configuration Module 22: Mail Mail Before Firewall Enterprise How Mail Flows before Firewall Enterprise Mail Sendmail External Sendmail Server Internal Sendmail Server Common_Sendmail Server Outbound Mail Flow Using Sendmail Inbound Mail Flow Using Sendmail Sendmail Controls Sendmail Controls Incoming Mail

10 Sendmail Controls Outgoing Mail Sendmail Configuration Sendmail Operations Sendmail Server Log Examples Testing Mail Reconfigure Mail Transparent Mail Transparent Configuration Mail Flow Transparent Mail Configuration Mail Addressed to root Lab Mail Transparent Mail Configuration Module 23: Global Threat Intelligence (GTI) GTI Using GTI GTI License Reputation Classes Filtering Mail with GTI TrustedSource Reputation Scores Enabling GTI Filtering Reviewing Log Files Reviewing Log Files Command Line Examples Checking Reputation Lab TrustedSource Filtering Module 24: SmartFilter SmartFilter Feature SmartFilter Architecture SmartFilter Architecture Option 1 SmartFilter Architecture Option 2 Filter Policies Custom Categories SmartFilter Auditing SmartFilter Configuration Management Source and Licensing Download SmartFilter Database Define Policy Non-Transparent Access Allow Non-Transparent HTTP Connections Apply Policy Using Application Defenses Configure Client to Use a Proxy Server Deny or Warn Access Based on SmartFilter Policy Lab SmartFilter Module 25: Firewall Enterprise Backup/ Restore Options Backup and Restore Configuration Backups and Restores Configuration Backup and Restore Options Client System Configuration Backup Manage Configuration Backups Disaster Recovery Backup and Restore Restoring a Configuration Backup from Local HDD Schedule Automatic Configuration Backups Lab Firewall Enterprise Backup/

11 Restore Module 26: VPN s VPN VPN Encapsulation Types Firewall Enterprise Specific Encapsulation Types How an Inside Tunnel VPN works Virtual Zone Firewall Enterprise Specific Encapsulation Types VPN Key Exchange Rules VPN Key Exchange Protocols Certificate Authority Functionality Authentication and Encryption Algorithms NAT-Traversal with IPSec VPN Configuration VPN Configuration - ISAKMP Server VPN Configuration ISAKMP Rule VPN Configuration - VPN Definitions VPN Administration VPN Scenarios VPN Scenario #1 Lab - Gateway to Gateway Shared Password VPN Certificate/Key Management VPN Scenario #2 Lab - Gateway to Gateway Certificate/Virtual Zone VPN Module 27: High Availability High Availability Concepts HA Concepts Configuration Options HA Concepts Failover Event HA Concepts Firewall Boot Sequence Load Sharing High Availability Concepts LSHA Concepts - Layer 2 Modes Multicast LSHA Concepts - Layer 2 Modes Unicast Mirrored LSHA Concepts - Layer 2 Modes Unicast Flooded LSHA Concepts Traffic Handling LSHA Concepts Load Sharing Method LSHA Concepts VPNs LSHA Concepts Failover Event LSHA Concepts Firewall Boot Sequence High Availability Remote Test IP/ Interface Test HA Configuration Remote Test IP/ Interface Test LSHA Configuration Remote Test IP/Interface Test HA/LSHA Stateful Failover Cluster Management Cluster Management HA Cluster Management Cluster Setup Cluster Management Registration Cluster Management Entrelayd Cluster Management Administration Cluster Management HA/LSHA Configuration HA/LSHA Configuration 1st firewall HA Configuration 1st firewall Step 2 HA Configuration 1st firewall Step 3 HA Configuration 1st firewall Step 4 HA Configuration 2nd firewall

12 HA Configuration 2nd firewall Step 3 HA Configuration Verification Restarting an HA Cluster Lab - High Availability Removing Firewalls from an HA Cluster Lab Removing Firewalls from HA Cluster Module 28: SIEM What is SIEM How SIEM is used McAfee SIEM Components McAfee SIEM Architecture Combo Boxes McAfee SIEM Architecture ESM McAfee SIEM Architecture Receiver McAfee SIEM Architecture DEM McAfee SIEM Architecture ADM McAfee SIEM Architecture ACE McAfee SIEM Architecture - McAfee SIEM Sizing Receiver Data Sources Receiver Properties Add Data Source System Navigation Add Data Source Data Source Screen Add Data Source Data Source Auto Learn Data Sources Event Reporter Dashboard SIEM Course Module 29: IPv6 IPv6 IPv6 Address Subnets Interfaces Initial Allocations Unique Local Unicast MAC Address IPv6 Improvements The Death of NAT Automatic Network Configuration The Death of Broadcast The Death of ARP Path MTU IP Header Changes for Faster Routing Controlling BGP Table Size at the Core Firewall Enterprise IPv6 Support Using IPv6 on Firewall Enterprise Lab IPv6 Module 30: Control Center About McAfee Firewall Enterprise Control Center Key Feature What s New in Control Center Components Control Center Appliance Options

13 McAfee Firewall Enterprise Management Portfolio Supported Features and Functions Policy Management Tools Client Application Dashboard Icon Policy Icon Monitor Icon Maintenance Icon Control Center Icon epolicy Orchestrator Integration Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc. To order, or for further information, please contact McAfee Education at: NA, LTAM, and APAC: EMEA: