System Requirements and Architecture


This document describes the system requirements for installing McAfee Vulnerability Manager 7.5 applications on your own servers. It also discusses possible deployment architectures, and describes which McAfee Vulnerability Manager 7.5 components should be installed on each server within each architecture.

Number of servers required

The number, type, and placement of product servers depend on the total amount of address space, total number of live devices, network topology, desired scan performance, network constraints, and network policies.

Note: McAfee Vulnerability Manager supports only servers running English-language operating systems.

The following matrix provides guidelines for determining the number of McAfee Vulnerability Manager servers.

Number of live IPs: 0 - 2,500
Number of servers: One product server with an All-in-One configuration.
Notes: Ideal for small networks and product evaluations.

Number of live IPs: 2,500 - 10,000
Number of servers: Two product servers: One configured as enterprise manager web portal and the other configured as a database, API server, scan controller, and a scan engine with additional components.
Notes: Very common configuration for small to mid-sized deployments.

Number of live IPs: 10,001 - 20,000
Number of servers: Two product servers: One configured as enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. One product server configured as a dedicated scan engine.
Notes: Well-suited for large, distributed environments.

Number of live IPs: 20,001 - >100,000
Number of servers: Three product servers: One configured as enterprise manager web portal, one configured as database, and one configured as API server, scan controller, and scan engine with additional components. n product servers configured as dedicated secondary scan engines.
Notes: Ideal for large, global, distributed and diverse networks.

Consider these factors:

Number of IP addresses to be scanned. The primary factor is the number of IP addresses to be scanned. Small to medium-sized networks, as well as installations for product evaluation purposes, can deploy a single product server. Larger networks are better accommodated with additional hardware.

Network connectivity to, and reachability of, all desired target environments. A scan engine must be able to reach its targets for the results to provide value. When placing scan engines, consider the networks that are to be scanned and place the scan engine so that it is able to reach the maximum number of assets with as few firewalls or packet filtering devices as possible.

Firewall traversing. The purpose of a firewall is to restrict traffic to legitimate users and prohibit traffic that might be malicious. Depending upon the nature of the vulnerability and the discovery methodology, vulnerability scanning signatures might resemble malicious traffic and be blocked or filtered by a firewall or port filter. The result of such well-intentioned security devices might be that the quality of data returned from a vulnerability scan is adversely affected. For example, hosts behind a firewall might not be discovered correctly or at all, or a firewall might make it appear that every host behind the firewall is present when they are not. Another possible effect is that discovery and assessments might take longer to complete when having to traverse a firewall compared to scans that do not have to traverse firewalls. A common technique to mitigate the impact is to either avoid sending the assessment traffic through a firewall altogether, or to create an exception rule in the firewall rule base to allow any and all packets to and from the scan engine to traverse the firewall unaltered.

WAN links and latency. To ensure a manageable vulnerability assessment schedule, McAfee Vulnerability Manager employs various timing and monitoring components. Such components monitor the total time a thread has taken to run a check against a host. If a certain threshold is exceeded, the thread is terminated under the assumption that the host is down, or that packets have been lost in transit to or from the host. This technique is necessary to ensure that a scan is not in an infinite waiting state. Therefore, WAN links, or heavily congested networks in general, might need special consideration in a deployment. Tests have shown that scanning via WAN links with a latency of more than 150 milliseconds is likely to produce results of an improper quality. For example, if a set of systems can only be reached via a WAN link, consider placing a scan engine in the remote environment so that scanning is done locally and is not subject to the packet loss and timeouts that are common on a congested WAN link.

Other network traffic (business-critical data/sessions). Any active scanning technology, such as McAfee Vulnerability Manager, sends some amount of data to assets on the network. This is an unavoidable consequence of any vulnerability scanning technology. McAfee Vulnerability Manager provides robust and detailed controls that allow customers to optimize the scanning behavior and speed of McAfee Vulnerability Manager. The product has default settings that have proved safe and effective in most networks. However, no matter how McAfee Vulnerability Manager is deployed and configured, you should always pay attention to network segments, WAN links, firewalls, and so on, where particularly important data is passing. Consider a remote site that is transmitting transactions from a website through a congested or slow WAN link during local business hours. Since this system only operates during certain hours, you should configure scans so that the environment is scanned while the web server is not processing transactions and not relying on bandwidth on the WAN link.

Security or performance. When two product servers are used, McAfee recommends that you deploy the enterprise manager on one system and the other product components on the second system. This provides more security because the enterprise manager can be placed outside your firewall, so users can access it, while the second system can be placed inside the firewall to gather accurate data from scanned systems. However, having the scan engine and scan controller on the same system as the database can slow performance, based on the amount of data being processed. To improve performance when using two product servers, you could separate the scan engine and scan controller from the database. For example: the enterprise manager, scan engine, and scan controller on one system and the database and other McAfee Vulnerability Manager components on the second system.

Hardware and software requirements

This section covers the minimum hardware and software requirements for installing McAfee Vulnerability Manager.

Note: When installing McAfee Vulnerability Manager on a server running Windows 2008 R2, you must either be logged in as the root administrator for the server or the Admin Approval Mode must be disabled.

Single server requirements

These are the system requirements for installing McAfee Vulnerability Manager on a single server (All-in-One). If you are installing McAfee Vulnerability Manager on multiple servers, see Multiple server requirements.

Note: McAfee Vulnerability Manager components require an Internet Protocol version 4 (IPv4) address to properly communicate. Systems running product components must have an IPv4 address and can have an IPv6 address to facilitate scanning IPv6 targets.

Single server system requirements

Processor: Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher
4 GB RAM
160 GB partition
Dedicated system: Yes
Administrator account
Disk partition formats: NTFS

Single server software requirements

Microsoft Windows 2008 R2
Microsoft Windows 2008 R2 Service Pack 1 and later
The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not function properly.

Microsoft SQL Server:
Microsoft SQL Server 2005 Service Pack 4 and later (32-bit and 64-bit)
Microsoft SQL Server 2008 Service Pack 1 and later (32-bit and 64-bit)
Microsoft SQL Server 2008 R2 Service Pack 1 and later (32-bit and 64-bit)
Microsoft SQL Express 2008 R2 Service Pack 1 and later (64-bit)
Also: All Microsoft SQL and .NET hotfixes and patches.
McAfee recommends using 750 MB for the SQL memory setting.
SQL Browser (SQL Express 2008 R2)

Additional software (covered by default Microsoft Windows and Microsoft SQL installations):
IIS 7.5, including current IIS security patches
MDAC 2.8
World Wide Web Publishing must be running
SQL Client Tools

Note: McAfee Vulnerability Manager does not support installing the database with .NET 4.0. If you must use .NET 4.0, install the database first.

Note: If you change the network settings on the server running the scan engine, the system should be restarted or the scan components must be restarted.

Multiple server requirements

McAfee Vulnerability Manager consists of several components. Each McAfee Vulnerability Manager component that requires a minimum amount of system resources is listed below. If you are installing multiple McAfee Vulnerability Manager components on a single server, use the highest minimum system requirements as your guide.

Operating system requirements for all McAfee Vulnerability Manager 7.5 servers

Windows Server 2008 R2, without a service pack, or with Service Pack 1 or later.
McAfee Vulnerability Manager only supports English operating systems.
The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not function properly.

Note: To ensure scan accuracy and device communication, McAfee recommends specifying a static IP address.

Note: McAfee Vulnerability Manager components require an Internet Protocol version 4 (IPv4) address to properly communicate. Systems running product components must have an IPv4 address and can have an IPv6 address to facilitate scanning IPv6 targets.

Enterprise manager system requirements

Processor: Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher
4 GB RAM
80 GB partition
Additional software: IIS 7.5; current IIS security patches; World Wide Web Publishing must be running
Dedicated system: Yes
Administrator account
Disk partition formats: NTFS

Database system requirements

Processor: Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher
160 GB partition
Tip: 250 GB of disk space is recommended for large networks.
4 GB
Additional software:
Microsoft SQL Server 2005 SP4 and later (32-bit and 64-bit)
Microsoft SQL Server 2008 SP1 and later (32-bit and 64-bit)
Microsoft SQL Server 2008 R2 SP1 and later (32-bit and 64-bit)
Also: All SQL hotfixes and patches; all .NET hotfixes and patches
Note: Microsoft SQL Server Express 2008 R2 is not recommended for a distributed environment.
Dedicated system: Yes
Virtual memory: 4 GB minimum
Disk partition formats: NTFS
SQL server memory settings: 900 MB

SQL server memory recommendations

McAfee recommends using the following SQL memory settings:
When the database is the only component on the system, set the Maximum SQL memory to 1.4 GB.
When the database and the Report Server are both running on the same system, use 900 MB.
When the database and the scan engine are both running on the same system, use 750 MB.

Note: McAfee Vulnerability Manager does not support installing the database with .NET 4.0. If you must use .NET 4.0, install the database first.

Scan engine system requirements

Processor: Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher
4 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: Recommended when running large scans
Virtual memory: 4 GB minimum
Disk partition formats: NTFS
Required services: NetBIOS over TCP/IP

Note: Microsoft Windows does not allow the hostname and user name to be the same. Do not use FS as the hostname for the system running the scan engine.

Note: If you change the network settings on the server running the scan engine, the system should be restarted or the scan components must be restarted.

Scan controller system requirements

2 GB RAM
80 GB partition
Additional software: MDAC 2.8; SQL Client Tools
Dedicated system: No

Note: The scan controller provides communication between the scan engines and the database.

Configuration manager system requirements

1 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: No

API server system requirements

1 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: No

Notification service system requirements

1 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: No

Note: To provide notifications through email, this server must have access to the email relay server on your network.

Data synchronization service system requirements

1 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: No

Report engine system requirements

2 GB RAM
80 GB partition
Additional software: MDAC 2.8
Dedicated system: Recommended for report-intensive environments

Microsoft Windows Server 2003 support

McAfee Vulnerability Manager 7.5 allows the use of Microsoft Windows Server 2003 for the scan controller and scan engine only, with some limitations:
No support for Internet Protocol version 6 (IPv6) scanning.
No support for McAfee ePolicy Orchestrator or McAfee Policy Auditor integration.
No support for McAfee Network Security Manager (NSM) integration.

Browser requirements

Depending on the network settings, authorized users can access McAfee Vulnerability Manager through the web browser from anywhere. If you are upgrading to McAfee Vulnerability Manager 7.5, users should clear their web browser cache to ensure updated pages display properly.

Individual browser requirements

Microsoft Internet Explorer 8.0 or 9.0 running on a Microsoft Windows operating system.
The recommended minimum screen resolution is 1024 x 768.

Note: Searching for vulnerabilities in large reports might take a long time to complete. Use Microsoft Internet Explorer 9.0 for the best results.

McAfee recommendations

Install the latest service packs for your browser and operating system.
Disable third-party pop-up blockers, web filters, and other extensions because these products can interfere with the ability to display certain pages in the enterprise manager.
Install the Trusted Site Certificate for all users accessing the enterprise manager.
Turn off Display intranet sites in Compatibility View.

Note: Large fonts are not supported in Internet Explorer.

Disable Enhanced Security Configuration

If you are using Microsoft Internet Explorer 9 and Microsoft Windows Server 2008 (or Windows Server 2008 R2) to access the enterprise manager, Enhanced Security Configuration should be disabled.

1 Select Start > Administrative Tools > Server Manager.
2 Under Security Information, click Configure IE ESC.
3 Under Administrators, select Off.
  Note: Don't disable the Enhanced Security Configuration for Users, unless non-administrators use the Microsoft Windows Server 2008 (or Windows Server 2008 R2) system for accessing the portal.
4 Click OK.
5 Close the Server Manager window.

Network requirements

McAfee Vulnerability Manager components use the network ports and protocols in the following tables. If there is a firewall separating components, these ports and protocols must be opened in your firewall configuration before installing McAfee Vulnerability Manager 7.5.

The network requirements diagrams use a distributed deployment architecture to display communication paths. If you use a different deployment architecture, be sure to note which system is running a McAfee Vulnerability Manager component, and use the port number and communication path specified in the communication path tables.

The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability Manager components and connecting to external components. External components include other databases, McAfee ePO databases, LDAP or Active Directory servers, and external ticketing or issue management systems.

Connecting McAfee Vulnerability Manager components

Figure 1: Network requirements

McAfee Vulnerability Manager component communication paths

System 1: Enterprise manager
  Enterprise manager
System 2: API service, scan controller, and scan engine
  Scan controller
  API server
  Scan engine
  Data synchronization service
  Notification service
System 3: Database*
  Database
  Configuration manager
System 4: Report server
  Report engine
System 5: Scan Engine
  Scan engine
Authenticated User: Users log on to the enterprise manager.

1 Assessment management search results. Ports: 443 or 80, SOAP over HTTPS or HTTP
2 Command and control. Port: 3800, SOAP over HTTPS or HTTP
3 API service. Port: 1433, (SSL over) TCP/IP
4 Scan data. Port: 1433, (SSL over) TCP/IP
5 Data synchronization service**. Port: 1433, (SSL over) TCP/IP
6 Notification service***. Port: 1433, (SSL over) TCP/IP
7 Scan data. Port: 1433, (SSL over) TCP/IP
8 Report data. Port: 1433, (SSL over) TCP/IP
9 Scan data (scan engine to scan controller). Ports: 3803, REST over HTTPS or HTTP
10 Generating reports or changing report templates. Ports: 3802, REST over HTTPS or HTTP
11 Generated reports. Ports: 443 or 80, REST over HTTPS or HTTP
12 Web browser traffic. Ports: 443 or 80, HTTPS or HTTP

*Changing the location of the configuration manager requires a communication path between the configuration manager and the database, using Port: 1433, (SSL over) TCP/IP.
**Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram.
***Changing the location of the notification service changes the communication path(s) displayed in this diagram.

Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The communication between each FCM Agent and the configuration manager server is Port: 3801, (SSL over) TCP/IP.

Connecting external components

Figure 2: External component communications

External component communication paths

System 2: API service, scan controller, and scan engine
  Scan controller
  API server
  Scan engine
  Data synchronization service
  Notification service
A External ticketing or issue management
B External SMTP server
C External LDAP / Active Directory (AD)
D External McAfee ePO Database

1 Notification service*. Port: 162, SNMP
2 Notification service*. Port: 161, SNMP
3 Notification service*. Port: 25, SMTP
4 Data synchronization service**. Port: 389, LDAP
5 Data synchronization service**. Port: 1433, (SSL over) TCP/IP

*Changing the location of the notification service changes the communication path(s) displayed in this diagram.
**Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram.
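
One way to turn the communication path tables into a per-deployment firewall rule list, as an added example that is not part of the original guide or of McAfee's tooling. Given which components run on which host, it lists only the host-to-host ports that cross a machine boundary. Assumptions: the hostnames are constructed, every port 1433 path is taken to end at the database, and the rows flagged True in PATHS use endpoints inferred here because the guide's diagram is not reproduced on this page.

```python
from collections import defaultdict

# Component-to-component paths from the communication path tables:
# (source, destination, TCP port, purpose, endpoints_assumed).
# Port 1433 paths are taken to end at the database. Rows flagged True name
# endpoints the page's text does not spell out (assumption of this example);
# paths 1, 11 and 12 (ports 443 or 80) are left out for the same reason.
PATHS = [
    ("enterprise manager", "api server", 3800, "command and control", True),
    ("enterprise manager", "report engine", 3802, "report generation", True),
    ("scan engine", "scan controller", 3803, "scan data", False),
    ("api server", "database", 1433, "API service", False),
    ("scan controller", "database", 1433, "scan data", False),
    ("data synchronization service", "database", 1433, "data synchronization", False),
    ("notification service", "database", 1433, "notification", False),
    ("report engine", "database", 1433, "report data", False),
    ("configuration manager", "database", 1433, "configuration", False),
]
FCM_AGENT_PORT = 3801  # FCM Agent on every component host -> configuration manager

# Placement from the distributed server architecture (hostnames are constructed).
DISTRIBUTED = {
    "system1": ["enterprise manager"],
    "system2": ["scan controller", "scan engine", "api server",
                "notification service", "data synchronization service"],
    "system3": ["database", "configuration manager"],
    "system4": ["report engine"],
    "system5": ["scan engine"],
}


def hosts_running(placement, component):
    """Hosts that run the given component, in a stable order."""
    return sorted(h for h, comps in placement.items() if component in comps)


def required_rules(placement):
    """Map (src_host, dst_host, port) -> {"purposes": [...], "verify": bool}.

    "verify" is True when the rule rests only on assumed endpoints.
    Paths whose two ends share a host need no firewall rule and are skipped.
    """
    known = {c for src, dst, *_ in PATHS for c in (src, dst)}
    placed = {c for comps in placement.values() for c in comps}
    if placed - known:
        raise ValueError(f"unknown component(s): {sorted(placed - known)}")
    if known - placed:
        raise ValueError(f"component(s) not placed: {sorted(known - placed)}")

    rules = defaultdict(lambda: {"purposes": set(), "verify": True})

    def add(src, dst, port, purpose, assumed):
        if src == dst:
            return
        rule = rules[(src, dst, port)]
        rule["purposes"].add(purpose)
        rule["verify"] = rule["verify"] and assumed

    for src_c, dst_c, port, purpose, assumed in PATHS:
        for src in hosts_running(placement, src_c):
            for dst in hosts_running(placement, dst_c):
                add(src, dst, port, purpose, assumed)
    for cm in hosts_running(placement, "configuration manager"):
        for host in placement:
            add(host, cm, FCM_AGENT_PORT, "FCM Agent", False)

    return {key: {"purposes": sorted(val["purposes"]), "verify": val["verify"]}
            for key, val in sorted(rules.items())}


if __name__ == "__main__":
    for (src, dst, port), rule in required_rules(DISTRIBUTED).items():
        flag = "  [verify endpoints]" if rule["verify"] else ""
        print(f"allow tcp {src} -> {dst}:{port}  ({', '.join(rule['purposes'])}){flag}")
```

Rules marked for verification should be checked against the vendor's diagram before they go into a firewall change.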

Deployment architectures

When installing McAfee Vulnerability Manager 7.5 components on multiple servers, use these general guidelines to help determine the best setup for your network:

Dual-server architecture
Three-server architecture
Distributed server architecture (see "More than three servers")

Dual-server architecture

This architecture is appropriate for small to medium (class C and class B) networks. The scan controller, scan engine and the database are installed on the same server; the enterprise manager is installed on its own server. This allows fast, efficient communication between the scan controller, scan engine, and database while a dedicated server runs the enterprise manager interface for your users.

Figure 3: Dual server architecture

System 1: Web portal
  Web portal
  Report engine
System 2: Database and scan engine
  Scan controller
  Scan engine
  API server
  Notification service
  Data synchronization service
  Database
  Configuration Manager

Three-server architecture

This architecture is designed for large, global enterprises, and is appropriate for scanning multiple class B and class A networks. In this configuration, all three components reside on individual servers.

Figure 4: Three server architecture

System 1: Web portal
  Web portal
System 2: Scan engine
  Scan controller
  Scan engine
  API server
  Notification service
  Data synchronization service
System 3: Database
  Database
  Report engine
  Configuration manager

More than three servers

Larger, more complicated environments need multiple scan engines. Each engine generates scan traffic on its local network segment, and sends the resulting scan data back over the WAN to the database. This dramatically reduces the amount of traffic on the WAN resulting from network scans. Multiple scan engines can be added to this architecture.

Figure 5: Distributed server architecture

System 1: Web portal
  Web portal
System 2: API server
  Scan controller
  Scan engine
  API server
  Notification service
  Data synchronization service
System 3: Database
  Database
  Configuration manager
System 4: Report server
  Report engine
System 5: Scan engine
  Scan engine