Release Notes 7.5 [formerly IntruShield]

Transcription

1 Release Notes Release Notes 7.5 [formerly IntruShield] Revision B Contents About this document New features Resolved issues Known issues Install and upgrade notes Find product documentation About this document This document applies only to the following software versions: Network Security Manager software Signature set NTBA Appliance software This version of 7.5 Manager software can be used to configure and manage the following hardware: I series Sensors, M series Sensors, N series Sensors, XC Cluster, and NTBA Appliances. Manager software version 7.5 and above are not supported on Dell based Manager Appliances. Upgrade from Manager software version to is not supported. New features Here is a list of features included with this release of the product. Virtual NTBA Appliance enhancements Free version: With this 7.5 release, the Manager will manage only one instance of free virtual NTBA Appliance (T VM). It will enforce a maximum limit of two IPS exporters for a free virtual NTBA Appliance. Licensed version: This release supports two versions of paid virtual NTBA Appliance SKUs, called as T 100VM and T 200VM. Each of these SKUs will have a separate software image. The T 100VM supports a maximum of 10,000 flows per second. T 200VM supports a maximum of 25,000 flows per second. You can upgrade from a free version to a paid version. For example, T VM can be upgraded to T 100VM or T 200VM SKU, T 100VM can be upgraded to T 200VM. 1

2 Support for J Flow J Flow is a Juniper Networks proprietary flow monitoring implementation. Juniper devices generate summarized flow records for sampled packets. J Flow records are compliant with the NetFlow format. Reputation lookup and quarantine of client IPs in XFF header The X Forwarded For (XFF) feature allows the Manager to identify the true client IP address even when that client resides behind an explicit HTTP proxy IP address. Earlier, the IPS Sensor would send only the proxy IP addresses of hosts to the NTBA Appliance. With this release: The IPS Sensor will send the XFF IP addresses along with the proxy IP addresses of the hosts to the NTBA Appliance. The NTBA Appliance will, therefore, be able to perform the IP reputation lookup on the true client IP addresses and quarantine them whenever they match the communication rule configured to quarantine hosts with bad IP reputations. Active Device Profiling With this release, NTBA Appliances can actively scan your internal devices to identify the device type and operating system. By default, the NTBA Appliance will scan all hosts that fall in the inside zones. Before scanning, the NTBA Appliance will fetch the list of IP addresses to scan from the Manager. The Manager then sends the passive scan information to the NTBA Appliance to optimize the active scans. The NTBA Appliance sends active host scan details to the Manager. The Manager will collaborate data from all sources and provide a comprehensive view of the hosts on the network. It also uses the data for alert relevance. The NTBA Appliance supports CIDR/zone based exclusions for scanning. It also supports port exclusions, which are passed as input to the scan engine. Manager user interface redesign In this release, the Network Security Manager user interface has been redesigned to transition from a resource based framework to a task based one. The new design does not require you to have any prior knowledge on how to navigate through the Manager interface; you can use the menu bar to logically navigate to the task you wish to perform. For instance, all policies can be configured using the Policy tab, and all drill downs for further investigation can be done using the Analysis tab. Similarly, the Next Generation reports are generated based on events analysis and therefore, are available under the Analysis tab. On the other hand, the Configuration reports include details of the configurations selected in your setup and therefore, are available under the Manage tab. In the 7.5 Manager, operations like policy management, device management, and forensic analysis are elevated as top level tabs. The re designed 7.5 menu bar now contains five tabs: 2

3 Dashboard: The 7.1 Manager Home page has been renamed to Dashboard in release 7.5. By default, the Dashboard page opens in a three column layout, which can be further customized. You can optimize your Dashboard view by using the drag and drop options to move around the monitors. You can also set the refresh time for the Dashboard page. In the 7.5 Dashboard page, you can view all the information that were displayed in the 7.1 Manager Home page such as Unacknowledged Alert Summary, Messages from McAfee, Operational Status, and Update Status. In addition to these, you can add monitors of your choice using the Preferences option. A total of 16 security and operational monitors are available for you to choose from Top High Risk Hosts, Top Active Botnets, Top Attack Subcategories, Top Attacker Countries, Top Target Countries, Top Malware Downloads, to name a few. The Dashboard page security monitors are displayed as bar charts. You can move your mouse on each bar to view a snapshot of the attack/botnet/malware based on which monitor you're using. If you wish to drill down further on a specific attack, click on a bar, and you'll be redirected to the Threat Explorer page, which displays additional details on that attack. Analysis: This is a new tab introduced in 7.5. The Threat Analyzer and the next generation reports are listed under the Analysis tab. Under this tab, you'll also notice new options such as the Threat Explorer, Active Botnets and Malware Downloads. With all these options grouped under one tab, the Manager provides you with a complete view of the events and threats on your network for further analysis and actions. Policy: This tab provides you with all policy management options for the IPS, NAC, and NTBA solutions under the Network Security Platform umbrella. Once you are inside the Policy tab, you can configure/manage your policies at the root as well as child domains using the Domain option. Devices: Use the Devices tab to configure and manage your devices. The options that were available under the Device List node in 7.1 Manager are now available under the Global sub tab. You can use the Devices sub tab to configuration options for individual devices. Likewise, the interface level and sub interface level configurations are now found under the Devices sub tab. Manage: Use the Manage tab to do the initial setup like creating domains, and then later to perform all maintenance activities such as signature set updates or reviewing roles and privileges assigned to various users. In addition to the task based design, the Manager user interface navigation moves away from the earlier three tiered menu to a two tiered menu to facilitate further ease of navigation. The two tiered menu is designed such that you can manage your tasks with more ease in your enterprise level deployments. For more details, see Upgrade Guide, Manager Administration Guide. For a comparison of the 7.1 and 7.5 Manager UI navigation paths, see Manager Online Help, Upgrade Guide. Information displayed on the Dashboard page, and all pages under the Analysis tab are derived from attacks seen across all admin domains. Frequent back and forth switches between the Dashboard page monitors and the pages under the Analysis tab can have a performance impact on the Manager. This is because every switchback triggers a set of database queries to the Manager database. McAfee has a hotfix available to address this issue. Contact McAfee Support for more information on the hotfix. Advanced Malware Protection Modern advanced malware based attacks pose acute security threats to enterprises. Conventional network security solutions do not possess the infrastructure required to effectively detect these attacks. 3

4 With this release, Network Security Platform provides the Advanced Malware Protection feature to detect and block malware and bot command & control server activities. Various Malware Engines are supported to scan the selected file types in the network traffic. You can configure one or more supported engines for a specific file type. After the scanning is complete, these engines report a certain confidence level for the scanned file. The confidence level is based on the specificity and severity of the malware, and is indicative of the extent to which the file is infected. For example, a high confidence level indicates a high probability of the file being infected. The following malware detection engines are supported in 7.5: PDF Emulation: The IPS Sensor has a PDF JavaScript emulation engine, which scans the PDF files for potential malware. This engine has a PDF analysis component that extracts JavaScript in the PDF, and a JavaScript analysis component, which analyzes the extracted JavaScript for attacks. Gateway Anti Malware: NTBA has the McAfee Gateway Anti Malware Engine running on it. The IPS Sensor sends the file with potential malware to NTBA which scans this using this engine, and sends the results (confidence level) back to IPS Sensor. The Sensor sends the alert to the Manager following which, the configured response action takes place. Network Security Platform, in a prior release supported detection of Malware using GTI File Reputation and Custom Fingerprints options. GTI File Reputation: IPS Sensors use GTI File Reputation [formerly McAfee Artemis] to provide real time malware detection and protection for the users during file downloads from the Internet. Network Security Platform also provides users the option to upload custom fingerprints, which can be used for malware detection. Custom Fingerprints: Network Security Platform also provides users the option to upload custom fingerprints to the Manager which can be used for File Reputation instead of GTI lookups or to complement them. When multiple engines are selected, Custom Fingerprints gets the highest priority. It is the first engine to scan the file and if detected to be malicious, the file is not sent to other configured engines for scanning. You can upload both white lists and black lists. The supported file types are executables, MS Office Files, PDF Files, Compressed Files, Android Application Package, and Java Archive. For details on the file type scanning supported by each engine, refer to IPS Administration Guide. These file types are supported on both HTTP and SMTP protocols. Based on the confidence level returned, the action thresholds are set to be triggered. You can remediate the threat through configured response actions like raising alerts, blocking, sending TCP resets. While configuring a malware policy, you are also provided with the option of saving the files to the Manager. For more details, see IPS Administration Guide. Detection of Bot C&C server activities Detecting malicious Bot Command and Control (C&C) server activity is another key functionality of this feature. Since release 7.0, Network Security Platform provides heuristics based Advanced Botnet Detection. With 7.5, you can detect malicious Bot zombie activities using blacklisted C&C server IP addresses, domains and URLs, when compromised hosts within your network connect to the C&C servers. The Manager downloads information about C&C server IP addresses, domains and URLs using the Botnet Detector file from McAfee Cloud. The Botnet Detectors are updated at regular intervals by the Manager. These can also be downloaded manually and imported into the Manager. 4

5 Details of the detected malware are displayed on the Manager Dashboards namely, Top Malware Downloads, Top Unblocked Malware Downloads, and Top Active Botnets. These dashboards are populated when a malicious file has been downloaded or a bot activity has been detected. Using the dashboards, you can drill down to view details of the of the malware downloads, and the active botnets. For more details, see IPS Administration Guide. Network Forensics Analyzing a host for forensic network activities is a key feature in the 7.5 release. The Manager integrates with McAfee Network Threat Behavior analysis (NTBA), for capturing network activity information, and summarizing them for user consumption. NTBA uses the McAfee Gateway Anti Malware Engine to detect malware, once it receives potentially infected files from the Sensor. The network forensic details can then be viewed and analyzed on the Manager. The Manager acts as a proxy, and expects NTBA to cache, filter, and sort information. Briefly, you can view the network forensics such as, the host summary, client connections from this host that include the TCP services, UDP services, the conversations and events of the host, file and URL access details. For more details, see IPS Administration Guide. High risk Hosts In networks that have thousands of hosts to monitor, the 7.5 High risk Hosts page helps to quickly identify hosts that need immediate attention. Using the High risk Hosts page, you can view and analyze details such as, IP address, DNS name, OS, the user details and the host risk, which is determined by the attacks and certain behavioral indicators. You can also view the count of the attacks per malware phase. These are classified as, Exploits, Downloads, and Callbacks. Once the risk is determined, you can initiate an appropriate response action from the IPS Sensor. For more details, see Manager Administration Guide. Threat Explorer In release 7.5, Network Security Platform introduces a new feature named the Threat Explorer to provide a comprehensive view of the threat landscape in your network. Using the Threat Explorer, you can view top attacks, attackers, targets, applications, and malware for a selected time period and/or direction of your network traffic. To elaborate further, the Threat Explorer shows details such as attacks that have happened the most, IP addresses responsible for most of the attacks, IP addresses that are mostly attacked, applications used to perform most of these attacks, and the most commonly downloaded malware to perform these attacks. The Threat Explorer page provides you with the flexibility of filtering and sorting the information displayed based on your choices. For example, if you select an attacker IP address, you can drill down to view all the target IP addresses, and all the attacks originating from this attacker IP address. In addition to these filtering/sorting options, you can also view the alerts that match the filter criteria by opening the Threat Analyzer Alerts page directly from the Threat Explorer. If you have integrated the Manager with McAfee products like epolicy Orchestrator, Logon Collector, or Vulnerability Manager, you can view the host name, operating system, open ports, known vulnerabilities on the Threat Explorer. For more details, see Manager Administration Guide. 5

6 Alert relevance enhancements Earlier, Network Security Platform determined alert relevance with the help of vulnerability scanners such as McAfee Vulnerability Manager. With this release, the Manager displays alert relevance information based on host details such as operating system versions, browsers, and services that are provided by NTBA, McAfee epo, and passive device profiling. For more details, see IPS Administration Guide. Support for setting Exceptions In earlier releases, exception objects were referred to as attack filters and needed to be assigned to an alert in a separate step. The assignment of attack filters to an alert was called attack filter assignment. However, with the 7.5 release, exception objects can be created and assigned to an alert in a single step. Exception objects are alert filters that restrict the appearance of certain alerts based on user defined parameters. These provide you the flexibility to create and assign rules to different attack types using a single page, and can be used for the following tasks: Creating and assigning exception objects. Disabling an attack from the Default Attack Settings (GARE), Baseline Policy, and Light Weight Policy. Creating and assigning ACLs. Consider using exceptions when you receive an alert generated by: Vulnerability scanners and such similar hosts, which are not actually threats or you can ascertain them to be harmless. Alerts for traffic not classified as an attack. For instance, traffic that is allowed by your corporate policy. An attack between two hosts that are not relevant to you. For more details, see IPS Administration Guide. Users and roles enhancements With this release, you can create users and grant them privileges by using the Manage tab. You can add, edit, and delete the users using the Users option as before. Under Roles, the default roles remain the same. The privileges under each role however, have been re named/modified to match the redesign of the Manager user interface. For more details, see Manager Administration Guide. Device Wizard enhancements In release 7.5, you can add or remove devices by using the Devices ǀ Global sub tab. The option to enable active device profiling using NTBA Appliances has also been added to the Add Device Wizard. For more details, see Device Administration Guide. 6

7 Resolved issues Here is a list of issues from previous releases of the software that have been fixed in this release. Resolved Sensor software issues The following table lists the high severity NTBA software issues: ID # Issue Description When multiple zones with interface only are created and edited, interfaces are not properly assigned to the newly created zones The NTBA Appliance process can crash with certain combinations of communication rules When multiple traffic times are configured for a traffic hour, alerts are triggered even when the traffic hour does not match Not able to add more than 18 zone elements in a zone. The following table lists the medium severity NTBA software issues: ID # Issue Description Some internal hosts appear in the Top External hosts by Reputation monitor and as a result, right click option on those hosts does not work sometimes Unable to reset monitoring port IP address with Under rare conditions, the NTBA process crashes when doing URL reputation lookup with GTI enabled. Resolved Manager software issues The following table lists the high severity Manager software issues: ID # Issue Description While creating XC Cluster, member device list box collapses on changing the template device with Mozilla, GChrome, and Safari but works fine with Internet Explorer Got a null pointer exception when trying to assign the "My Company" QOS policy a delegated interface Compilation failure after Sensor upgrade Proxy server option not available in Central Manager Central Manager Manager communication problem in MDR x Manager imposed a new limit on rule objects at 10. This is not feasible for NAC implementations Layer 7 data forward to Syslog is not available Automated import of Vulnerability data to the Manager failed Java process reaches 100% of the CPU utilization due to issue in Sensor CLI audit log feature Error when running alert table offline update scripts after Manager upgrade Compilation error occurs when deploying signature set/uds to Sensors Unable to save the Archive scheduler configuration Javascript errors when adding an address to a CIDR sub interface. The following table lists the medium severity Manager software issues: 7

8 ID # Issue Description Wrong error message when selecting higher number of flows to SSL decryption Bulk Edit for Multiple policies does not take effect if attacks are selected using a filter based on signature set version Compilation failure after Sensor upgrade Unable to configure SNMP access to multiple M 8000XC Sensors Customized Policies Granularity settings changes automatically Tomcat CVE vulnerabilities Configuration update status is not written on the "iv_audit" table correctly Some of the Edit Attack Detail options that are unavailable are not grayed out Error while saving Protection Profile settings Unable to push update configuration to the Sensor Central Manager to Manager synchronization fails on inclusion of a Snort rule Unable to generate the Default Top 10 Application Categories by Bandwidth Usage report correctly When policy assigned for QOS in inline mode is changed to span and then changed back to inline, it shows two policies as assigned BTP value of alert detail on Real Time Threat Analyzer is incorrect Unable to change the following notification filter settings in the Syslog settings for Network Threat Behavior Analysis The Network Security Platform extension caused high utilization on the epo server during an epo Server upgrade The Real Time Threat Analyzer freezes [Device Cluster] Creating an alert filter in the Threat Analyzer shows template Sensor name instead of cluster name [Device Cluster] User activity log shows template Sensor name instead of cluster name for any activity Sensor shows update required after Manager service restart even when there is no change on the Manager XC Cluster's port status does not reflect actual port status Syslog sends to facility mailog, when configured to send to facility local Two entries of "Not applicable" countries are shown in the Source Country report Special characters are not allowed in proxy settings Threat Analyzer Watch List not highlighting attacks for specific IP addresses Relevancy is not working even after importing data from the MVM database to the Manager via Scheduled Import Java high CPU utilization (95%+) after Manager upgrade Not able to find "GenVulReportFlat.dtd" to import the third party report Ports speed and duplex are shown incorrectly in the TAP mode Customer is unable to add, remove, and delete scheduled reports Host name and session start are not correct for the epo host entries in the Real Time Threat Analyzer Attack Filter is not getting applied on policy for LOIC Reconnaissance attacks from Threat Analyzer. 8

9 ID # Issue Description In Threat Analyzer, user is unable to close the Manage Attack Filter window if the Filter Assignment window is closed first The Manager sends a wrong syslog facility to the Syslog server The Customized Community field value is overwritten by the Community String field value when they have different values The "Device re discovery failure" alert occurs when a Sensor is rebooted The Attack Destination Reputation Summary dashboard shows incorrect Source Reputation data Java process reaches 100% of the CPU utilization and was unable to connect because of applications query in firewall module The Hourly Data Mining and the Daily Data Mining fields are not displayed under the correct section on the Manager user interface Fields in Next generation report generated for bot are blank Child user can see data in reports for all Sensors Dashboard is not showing the port throughput The MDR dump also contains the APP_VIZ tables leading to a big file size The Configuration Tables backup does not exclude all the tables it should Keycertgen utility is not replacing the certification files The Destination Country filter in the Threat Analyzer does not populate any values Manager can create more ACL rules than compared to the Sensor limit Attack Encyclopedia not available for some of the attacks after Manager upgrade Backup type in Automation setting does not save the provided value Unable to read imported MVM 7.0 xml reports Host_Data.xml or Risk_Data.xml in Manager Should not display the earlier UDS attacks on importing new signature set The Show Diff on the policy settings displays incorrect information for Syslog and SNMP notification The threatanalyzer log increases in size after session time out Auto Update / Auto Deployment updates even Sensor is configured to offline updates The Disable Blocking option is not working for 5.1 Sensors after changing the signature set NSLookup through Real Time Threat Analyzer for most IP addresses does not return results Unable to save the Archive scheduler configuration Java process reaches 100% of the CPU utilization because of issue in the Sensor CLI audit log feature Signature software image signature file combo download signature push failure after Sensor upgrade Unable to save changes in the Maintenance tab [Central Manager] Not able to save a display filter if you use the Sensor name in the display filter SMTP address field of NTBA alert notification is limited to 24 characters VLAN scanning exception for a port cluster only displays one of the port pairs Unable to select policy of child domain in Traditional report Unable to add fixed field value comparison based custom signatures. 9

10 ID # Issue Description SNMP trap showing wrong interface information The Port Utilization graph does not show data when zoomed back into 5 minutes' view Alerts displayed must be in the local time of the NTBA Appliance Newly added CIDR blocks are not displayed in the Manager Numerous Java Null Pointer exceptions causing Real Time Threat Analyzer performance issues Logger names (SyslogAlertForwarder, SyslogFaultForwarder etc.) are missing in the Syslog header messages [Threat Analyzer] The Sensor sometimes sends "duration" as non zero for individual alerts but on the Threat Analyzer, the source and destination port are shown as '0' The Sensor compilation fails if the Sensor has any Interface group created with a SPAN port inside it The columns in report are not aligned properly "An internal application error occurred" message is displayed when generating report Deprecated signature still appears in the Signature description The Update server Automation weekly schedule option goes back to SUNDAY Manager fails to retrieve some data in failover Performance Monitoring Alerts are not being sent to the trap receiver system The Network Access Zone and the Monitoring Port are not available after restarting the Threat Analyzer Timestamp format exception when running an archive restore Out of memory error during compilation due to bug in readfully JAVA API Incident Generator is not working. 10

11 Known issues Known NTBA Appliance software issues Manager software issues: KB77069 NTBA software issues: KB77071 Install and upgrade notes The following table lists the 7.5 Manager server requirements: OS Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English OS, SP1 (64 bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese OS, SP1 (64 bit) (Full Installation) Only X64 architecture is supported. Recommended Same as the minimum required. Memory 4GB 8GB CPU Server model processor such as Intel Xeon Same Disk space 100GB 300GB or more Network 100Mbps card 1000Mbps card Monitor 32 bit color, 1440 x 900 display setting 1440 x 900 (or above). Manager software version 7.5 and above are not supported for Dell based Manager Appliances. The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. Table 1 VMware ESX server requirements Component Minimum Virtualization software VMware ESX Server version 4.0 update 1 and version 4.1 ESXi 5.0 ESXi 5.1 CPU Memory Internal Disks Intel Xeon CPU ES 2.00GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00GHz. Physical Memory: 16GB 1 TB 11

12 Table 2 Virtual machine requirements Component Minimum OS Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition with SP1 (English) (64 bit) Windows Server 2008 R2 Standard or Enterprise Edition with SP1 (Japanese) (64 bit) Windows Server 2012 Standard (Server with a GUI) English OS Windows Server 2012 Standard (Server with a GUI) Japanese OS Recommended Same as minimum required. Only X64 architecture is supported. Memory 4 GB 8 GB Virtual CPUs 2 2 or more Disk Space 100GB 300GB or more The following table lists the 7.5 Manager client requirements when using Windows 7: Minimum Recommended OS Windows 7 RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 8.0 or 9.0 Mozilla Firefox Google Chrome Internet Explorer 9.0 Mozilla Firefox 17.0 or above Google Chrome 24.0 or above The following table lists the 7.5 Manager client requirements when using Windows XP SP3: Minimum Recommended OS Windows XP SP3 RAM 1 GB 2 GB Browser Internet Explorer 8.0 Mozilla Firefox Internet Explorer 8.0 Mozilla Firefox 17.0 or above For the Manager client, in addition to Windows 7 and Windows XP, you can also use the operating systems mentioned for the Manager server. The following table lists the 7.5 Central Manager / Manager client requirements when using Mac: Mac OS Lion Mountain Lion Browser Safari 6 For more information, see McAfee Network Security Platform Installation Guide. 12

13 For the Manager client, in addition to Windows 7 and Windows XP, you can also use the operating systems mentioned for the Manager server. For more information, see McAfee Network Security Platform Installation Guide. McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors. The following is the upgrade matrix supported for this release: NSP Component Manager/Central Manager Minimum Software Version 6.1: or above 7.0: : NTBA Appliance software 6.1: , : : Upgrade from Manager software version to is not supported. In release 7.5, in addition to the NTBA Virtual Appliance software, the following are also available: NTBA T 100 Virtual Appliance, NTBA T 200 Virtual Appliance. You can upgrade your earlier NTBA Virtual Appliance to NTBA T 100 or T 200 Virtual Appliance software. However, once you have upgraded, you cannot downgrade. For example, if you have upgraded your NTBA Virtual Appliance software to NTBA T 200 Virtual Appliance, you cannot downgrade to NTBA T 100 Virtual Appliance or any version of NTBA Virtual Appliance. In release 7.5, there are specific software versions for NTBA T 200 and NTBA T 500 Appliances. You cannot load software versions across appliances. For example, you cannot load NTBA T 200 image on a NTBA T 500 Appliance. The same applies to the NTBA Virtual Appliances as well. For more information, see McAfee Network Security Platform Upgrade Guide. Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: 13

14 To access... User documentation Do this... 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. Copyright 2013 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.