Manager Integration Guide
For use with ePolicy Orchestrator 4.6
COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 Manager Integration Guide
Contents

Preface 5
    About this guide 5
    Audience 5
    Conventions 5
    Finding product documentation 6
1 Introduction 7
    Joint solution 7
    Joint solution benefits 8
    Manager visibility 10
    Architecture 10
2 Manager ePO extension 11
    Asset information 11
    RSD API 11
    Extended table 12
    Additional device attributes (Manager only) 13
    Queries 13
    Attributes per query 16
3 Installation 17
    Prerequisites 17
    TCP/IP communication 17
    Configure Manager Console database accessibility 17
    Install and configure the Manager ePO extension 18
    Install the Manager ePO extension 18
    Configure the Manager ePO extension 19
    Configure a scheduled task for the ePO extension 19
    Verify Manager ePO extension operation 20
    Populate the ePO System Tree 20
Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

Administrators: People who implement and enforce the company's security program.
Users: People who are responsible for configuring the product options on their systems, or for updating their systems.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.
Hypertext: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.
Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access User documentation, do this:
    1 Click Product Documentation.
    2 Select a Product, then select a Version.
    3 Select a product document.

To access the KnowledgeBase, do this:
    Click Search the KnowledgeBase for answers to your product questions.
    Click Browse the KnowledgeBase for articles listed by product and version.
1 Introduction

The successful integration of Manager and McAfee ePolicy Orchestrator provides added network visibility for the enterprise, enabling comprehensive security, configuration, compliance, and risk management on the network.

Contents
    Joint solution
    Manager
    Architecture

Joint solution

You can't secure what you can't see. Through comprehensive real-time network, device, and user intelligence, Manager provides total network visibility to McAfee ePolicy Orchestrator (McAfee ePO) software, enabling effective security and risk management for all devices across your entire network. Real-time awareness of all devices on a network is critical to maintaining a secure and compliant network, quantifying the risk exposure, and enabling faster corrective actions to mitigate risk.

The business problem

Despite major investments in technology, few organizations are able to maintain an up-to-date inventory or provide documentation about the devices connected to their networks. As a result, a knowledge gap exists between the perceived security state and the actual security state of the network. The outcome: security measures are not fully applied, risk cannot be accurately determined, and organizations find themselves unable to manage devices they are not aware of.

Manager: know what you are protecting

Manager is an agentless software solution that works in real time to detect, identify, profile, and audit all devices connected to a network, whether physical or virtual, managed or unmanaged. Using a smart combination of passive and active network discovery technologies, it provides 24/7/365 network, device, and user intelligence. Manager maintains a real-time inventory of the devices connected to the network, their profiles, and the identities of those using the devices. With Manager, you get the information you need to maintain a clear picture of your dynamically changing network. According to a study, Manager detects as many as 20 percent to 50 percent more devices residing on a network than would have otherwise been accounted for. Manager is vendor agnostic and does not require any integration with your network infrastructure.

Joint solution benefits

Manager augments McAfee's visibility of devices connected to the network, enabling comprehensive security, configuration, compliance, and risk management on the network. McAfee has achieved this by integrating Manager with McAfee ePO software, the centralized platform that manages all endpoint security and compliance solutions from McAfee. As part of the integration with the McAfee ePO platform, Manager updates the McAfee ePO asset database in near real-time, allowing the McAfee ePO platform to maintain a more complete, accurate, and up-to-date inventory of the devices, their profiles, and the identities of those using the devices. Combining the data from existing McAfee solutions and Manager, the McAfee ePO platform now becomes the single source of truth about the network. This integration provides the foundation for effectively managing security, compliance, and risk against all devices across your entire network.

Integration benefits

• Security measures can be fully applied.
• Risk can be completely and accurately measured and assessed according to the actual state of the network.
• Workflows can be defined as a response to changes on the network, and security and compliance status can be more effectively controlled.
• Security solutions from McAfee, as well as from other McAfee Security Innovation Alliance (SIA) partners that leverage the McAfee ePO asset database, can deliver more complete protection across the entire network.

Manager

Total network visibility with real-time network, device, and user intelligence

Manager provides a 360-degree view into the actual state of your network security. It builds and maintains a complete and accurate inventory of ALL devices operating on the enterprise network. Utilizing unique profiling technology, Manager provides meaningful network, device, and user intelligence, thereby reducing ambiguity and enabling better decision making based on accurate and in-depth audit information. Network, device, and user information is continuously collected to reflect the actual current state of the network. Manager detects 20%-50% additional devices residing on an enterprise network, which otherwise would not be accounted for. Manager can integrate with your security ecosystem to enhance the operation of your existing security products and provide total network visibility with real-time network intelligence. Manager's unique approach is an agentless solution; it does not require any integration with infrastructure components and is vendor agnostic.

Architecture

The Manager solution suite is a distributed application where Sensors are deployed in different organizational locations and report to a centralized console. A Sensor can be installed as an appliance or as a virtual appliance, and can be remotely deployed. The Manager Console is a software-based application that enables IT management to easily control multiple Manager Sensors deployed on multiple distributed networks. The Manager Console consolidates information from hundreds of Sensors into a unified management view using a single web-based user interface. The Manager Sensor and the Manager Console are software-based products shipped as an ISO image including the underlying hardened Linux operating system (based on the Debian Linux distribution) and the Manager application.
2 Manager ePO extension

The Manager ePO extension is used to update the McAfee ePO asset database in near real-time, allowing the McAfee ePO platform to become the single source of truth about the network. The integration makes use of the rogue system detector (RSD) API. The Manager ePO extension communicates with the Manager BSA Console's PostgreSQL database on a regular basis (down to 1-minute intervals) to receive delta updates about the network, its devices, and its users.

Contents
    Asset information
    Queries

Asset information

RSD API

The following device attributes are populated using the RSD API:

Table 1: Attributes populated using the RSD API

MAC Address: The MAC address of the device.
IP Address: The IP address or addresses of the device.
OS Family: The operating system family name (for example, Microsoft Windows).
OS Platform: The underlying OS platform (a known ePO platform, such as AIX, BSD, HP-UX, IRIX, Macintosh, Linux, Windows, Sun; or a unique device capability detected by Manager, such as Switch, Router, Wireless, Printer, Print Server, VoIP, UPS, Firewall, Storage device, KVM over IP, Mobile, and so on). Using the ePO OS Platform field (or the Extended Table's Capability field), it is now possible to find all of the switches, the VoIP infrastructure, the printers, the mobile devices, and so on.
OS Version: The exact version of the operating system.
DNS Name: The DNS name of the device.
NetBIOS Name: The Windows NetBIOS name of the device (if applicable).
Domain Name: The Windows domain name for the device.
User: The username of the user using the device.
Source ID: An identifier linking the information to its source.

Extended table

Manager uses an extended table, created on ePO using the RSD API, to populate additional attributes of a device and its user.

Table 2: Additional attributes populated using the extended table

Capability: The capability or function performed by the device (DHCP Server, DC, Printer, Router, Storage Device, Switch, Virtual Host, Virtual Guest, Mobile, and so on).
Offline / Online Status: Whether the device is connected to the network (online) or not (offline).
Authorization: The authorization status of the device. Authorization enables users to easily distinguish between known devices and unknown (rogue) devices. It also enables the detection of unauthorized (rogue) devices connecting to the network in real time.
Switch IP: The IP address of the switch to which the device is connected.
Switch Port: The port number on the switch to which the device is connected.
Physical Location: The physical location of the device.
VLAN ID: The VLAN ID of the device (if assigned).
Device Group: The group(s) a device is associated with (assigned by the user).
Virtual Host: The IP address of the Virtual Host machine hosting the Virtual Guest (applicable for virtual guests only).
Virtual Type: The type of the virtualization solution used (for example, VMware ESX server 3i 3.5.0). Applicable for virtual machines only.
First Name: The first name of the actual name of the user logged on to the device.
Last Name: The last name of the actual name of the user logged on to the device.
User Department: The user's department.
User Groups: The LDAP groups with which the user is associated.
User Email Address: The email address of the user.
Sensor IP / Name: The reporting Sensor.
Services and Protocols*: The device's available network services. Includes the identification of the service, protocol, server, and version used.
Software*: The software installed on the device. The information is formatted using CPE.

Using the additional device and user attributes populated into the extended table, it is possible to distinguish virtual from physical assets, detect rogue devices, locate devices on the network, determine whether or not a device is connected to the network, and so on.

Additional device attributes (Manager only)

The following attributes are currently available only from Manager:

Table 3: Attributes available only from Manager

Device Criticality: The criticality level of the device (assigned by the user).
Hardware: The hardware used on the device.
Services and Processes: Running processes and services detected to be operating on the device.

Queries

To simplify the task of populating assets from the rogue system detection into the system tree, Manager has introduced a number of built-in queries. These queries can also be used as the basis for different reports.

Table 4: Built-in queries (query name: description)

Android Devices: Lists Android-based devices.
Android Smartphones: Lists Android Smartphones.
Android Tablets: Lists Android Tablets.
Apple iOS Devices: Lists Apple iOS-based devices.
Apple iPad Devices: Lists Apple iPad devices.
Apple iPhones: Lists Apple iPhones.
Blackberry Devices: Lists Blackberry devices.
Blackberry Smartphones: Lists Blackberry Smartphones.
Blackberry Tablets: Lists Blackberry Tablets.
Detected Devices: Lists all detected devices.
DHCP Servers and Relays: Lists the DHCP servers in the monitored networks.
Domain Controllers: Lists the domain controllers in the monitored networks.
Firewalls: Lists the devices that have a personal firewall enabled.
IP PBX: Lists the IP PBX (Voice over IP) devices in the monitored networks.
KVM over IP: Lists all KVM over IP devices in the monitored networks.
Linux-based Devices: Lists all Linux devices in the monitored networks.
Mac OS Devices: Lists all devices running Mac OS.
McAfee Asset Manager Sensors: Lists all Manager Sensors.
Microsoft Windows-based Devices: Lists all devices running Microsoft operating systems.
Mobile Devices: Lists all mobile devices.
Network services per device: Lists the available network services per device. Includes the identification of the service, protocol, server, and version used.
Network services per service name: Lists the available network services per service name. Includes the identification of the service, protocol, server, and version used.
Print Servers: Lists all the print servers running in the monitored networks.
Printers: Lists all the printers in the monitored networks.
Routers: Lists all the routers in the monitored networks.
Smartphones: Lists all Smartphones.
Software inventory per device: Lists the software inventory per device.
Software inventory per software name: Lists the software inventory per software name.
Software inventory top 25: Lists the 25 most installed software programs.
Storage: Lists all the storage devices in the monitored networks.
Switches: Lists all switches in the monitored network.
Tablets: Lists all Tablets.
Uncontrolled Microsoft Windows Devices: Lists all devices running a Microsoft Windows operating system that the organization has no control over (either not part of the main organizational domain, or with settings modified so that remote auditing is not allowed). The organization lacks knowledge of their existence or of the state of their configuration.
Unknown: Lists all the devices for which the operating system has not been recognized.
UPS: Lists all UPS devices in the monitored network.
Virtual Devices: Lists all the virtual host and guest devices in the monitored networks (VMware, XEN, Microsoft Hyper-V, and VirtualBox).
VoIP Phones: Lists all the voice over IP phones on the monitored networks.
Windows Phone Devices: Lists all Windows Phone devices.
Wireless Access Points: Lists all the wireless access point devices.

Attributes per query

The following network, device, and user attributes are visible when using any query (except for the Switches and Virtual Devices queries): Manager Sensor, Authorized, Capabilities, Last Detected IP Address, OS Family, OS Platform, OS Version, NetBIOS Name, DNS Name, VLAN ID, Last Detected MAC Address, Switch IP, Switch Port, Users, Domain, and Device Group.

The following columns are visible for the Switches query: Manager Sensor, Authorized, Capabilities, Last Detected IP Address, OS Family, OS Platform, OS Version, DNS Name, VLAN ID, Last Detected MAC Address, Switch IP, Switch Port, and Device Group.

The following columns are visible for the Virtual Devices query: Manager Sensor, Authorized, Capabilities, Last Detected IP Address, OS Family, OS Platform, OS Version, NetBIOS Name, DNS Name, VLAN ID, Last Detected MAC Address, Switch IP, Switch Port, Users, Domain, Device Group, Virtual Host, and Virtual Type.

Note: The Last Detected IP Address, Last Detected MAC Address, and Users attributes are named by McAfee ePO.
3 Installation

Contents
    Prerequisites
    Install and configure the Manager ePO extension
    Populate the ePO System Tree

Prerequisites

TCP/IP communication

Communication between the Manager ePO extension and the Manager Console's PostgreSQL database is initiated by the extension on a regular basis. To allow communication from the McAfee ePO server on which the Manager ePO extension is installed to the Manager Console's database, verify that TCP port 5432 is allowed.

Configure Manager Console database accessibility

On default installations of the Manager Console, the PostgreSQL database is not exposed to remote communications due to hardened security. This section describes the configuration changes required to allow the Manager extension to connect to the database.

Task
1 Log in to the Manager Console with the root user.
2 Open the file /usr/lib/insightix/management/memory_conf/current_config/postgresql_add.conf for editing.
3 Add the following new line to the file:
    listen_addresses= '*'
4 Save your changes.
5 Switch to the Postgres user by issuing the following command:
    su postgres
6 Open the file /etc/postgresql/9.1/main/pg_hba.conf for editing.
7 Under IPv4 local connections, add the following line if it does not exist:
    host all all 0.0.0.0/0 md5
8 Save your changes.
9 Switch back to the root user by executing the following command:
    exit
10 Stop the Manager Console by issuing the following command:
    monit stop all
11 Restart the PostgreSQL database by issuing the following command:
    /etc/init.d/postgresql-9.1 restart
12 Start the Manager Console by issuing the following command:
    monit start all
13 Open the file /usr/lib/insightix/management/conf/msconfig.properties, then look for the username under the dbuser field and for the database password under the dbpwd field. This password will later be used to configure the Manager ePO extension.

Install and configure the Manager ePO extension

The installation and configuration of the Manager ePO extension is performed in the following stages:
    Install the Manager ePO extension
    Configure the Manager ePO extension
    Configure a scheduled task for the ePO extension
    Verify Manager ePO extension operation

Install the Manager ePO extension

This section describes how to install the Manager ePO extension.

Task
1 Log in to the McAfee ePO Server.
2 Select Menu | Software | Extensions.
3 Click Install Extensions.
4 Click Browse, then select the Manager ePO extension zip file.
5 Click OK to accept and close the popup window.
6 Click OK to install the extension under the Install Extensions window. The extension is added to the list of installed extensions.

Configure the Manager ePO extension

This section describes how to perform the initial configuration of the Manager extension.

Task
1 Select Menu | Configuration | Registered Servers to display the Registered Servers page.
2 Click New Server. The Description tab of the Registered Server Builder wizard is displayed.
3 From the Server Type dropdown list, select MAM Console Server.
4 In the Name field, enter a name for this server.
5 (Optional) In the Notes field, enter any relevant information, then click Next. The Details tab is displayed.
6 In the Database Server field, enter the database server IP address or hostname.
7 Verify that the following default settings appear:
    Database Name: mc
    Port Number: 5432
    User Name: mc
8 In the Password field, enter the database password.
9 In the Time interval between full reload cycles field, configure the interval (in hours) between reload cycles. (The default setting is 72 hours.)
10 Click Save. The Registered Servers page is displayed, listing the new Manager Console as a registered server.

Configure a scheduled task for the ePO extension

This section describes how to configure the ePO scheduled task for the Manager ePO extension.

Task
1 Select Menu | Automation | Server Tasks to display the Server Tasks page.
2 Click New Task. The Description tab of the Server Task Builder is displayed.
3 In the Name field, enter a name for the task.
4 In the Schedule Status section, verify that Enable is selected, then click Next. The Actions tab is displayed.
5 From the 1. Actions dropdown list, select Manager Detected Systems.
6 From the Select the Server Name dropdown list, select Manager Console Server, then click Next. The Schedule tab is displayed.
7 From the Schedule Type dropdown list, select Advanced to enable specifying the scheduling interval for executing the task.
8 In the Start Date field, set the current date.
9 Verify that the End Date is set to No end date. The Schedule attribute is configured using a cron-like syntax. For example, to schedule the task to run every 15 minutes, use the following syntax:
    00 0/15 * * *?
10 Click Next to display the Summary tab.
11 Verify that the task information is correct, then click Save. The new task appears in the Server Tasks tab, with the scheduled first run indicated in the Next Run column. You can manually force the run by clicking Run.

Verify Manager ePO extension operation

This section describes how to verify the operation of the Manager ePO extension.

Task
1 Select Menu | System | Detected Systems to display the Detected Systems tab. This is where the information extracted from Manager is populated.
2 Verify that information is displayed.

Populate the ePO System Tree

To enable McAfee ePO to make use of the asset information provided by Manager, it must be populated into the System Tree.

Task: manual import
1 Select Menu | System | Detected Systems to display the Detected Systems tab. This is where the information extracted from Manager is populated.
2 Select the checkboxes of the devices that you want to import into the system tree.
3 Select Action | Add to System Tree.

Task: automatic import
1 Select Menu | Automation | Server Tasks to display the Server Tasks page.
2 Click New Task to set a new task.
3 Set up a new automated task using the built-in Manager queries (that is, Run Query), as described in Queries.
4 Repeat these steps until you have successfully populated the System Tree.
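The "Configure Manager Console database accessibility" task above adds host all all 0.0.0.0/0 md5 to pg_hba.conf and sets listen_addresses = '*', which lets any host that can reach TCP port 5432 attempt password authentication against every database and role, not just the ePO server. PostgreSQL evaluates pg_hba.conf top to bottom and uses the first matching line, so the scope of that line is the control that matters. The following script is an added example, not part of this guide or the product: it parses two constructed pg_hba.conf fragments (the guide's line, and a variant that admits only the ePO server to the mc database as the mc user, the defaults listed in "Configure the Manager ePO extension"), simulates first-match evaluation for a given client, and flags any rule that admits every source address. The ePO server address 10.0.0.5 and the client address 192.0.2.77 are assumed sample values; only the CIDR form of host rules is handled.

```python
"""Evaluate pg_hba.conf rules the way PostgreSQL does (first matching line
wins) to compare the guide's wide-open line with a rule scoped to the ePO
server. Added example, not part of the guide or the product; handles only
the CIDR form of host rules, not the separate-netmask form."""
import ipaddress

# Constructed sample: the line the guide asks you to add, placed after the
# default local rules. Every IPv4 source reaches password authentication.
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      md5
"""

# Constructed sample: same access, but only from the ePO server (10.0.0.5 is
# an assumed address) to the database and user the guide lists as defaults
# (mc / mc); every other remote source is rejected before authentication.
HARDENED_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    mc        mc    10.0.0.5/32    md5
host    all       all   0.0.0.0/0      reject
"""


def parse_hba(text):
    """Return a list of (type, database, user, network, method) tuples.
    'local' rules carry network=None because they apply to Unix sockets."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            kind, db, user, method = parts[:4]
            rules.append((kind, db, user, None, method))
        else:
            kind, db, user, addr, method = parts[:5]
            net = ipaddress.ip_network(addr, strict=False)
            rules.append((kind, db, user, net, method))
    return rules


def match_rule(rules, client_ip, database, user):
    """Return (rule_index, method) for the first rule that matches a TCP
    client, or None when nothing matches (PostgreSQL then rejects)."""
    ip = ipaddress.ip_address(client_ip)
    for i, (kind, db, usr, net, method) in enumerate(rules):
        if kind == "local":
            continue                      # socket-only rule, never matches TCP
        if ip not in net:                 # also False when IP versions differ
            continue
        if db != "all" and db != database:
            continue
        if usr != "all" and usr != user:
            continue
        return i, method
    return None


def audit_hba(rules):
    """List host rules that admit every source address with a non-reject
    method; these are the lines to tighten before opening port 5432."""
    findings = []
    for i, (kind, db, usr, net, method) in enumerate(rules):
        if kind != "local" and net.prefixlen == 0 and method != "reject":
            findings.append(
                f"rule {i}: {kind} {db} {usr} {net} {method} admits any source")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        rules = parse_hba(text)
        print(label, "ePO server:", match_rule(rules, "10.0.0.5", "mc", "mc"))
        print(label, "other host:", match_rule(rules, "192.0.2.77", "mc", "mc"))
        for finding in audit_hba(rules):
            print(label, finding)
```

With the guide's line, both the ePO server and an unrelated host land on the md5 rule; with the scoped variant, the unrelated host (and the ePO server asking for any other database or role) hits the trailing reject line. The reject line must stay last, since an earlier broad match would shadow it, and the change takes effect only after the restart in step 11. The same narrowing applies to listen_addresses, which can name the console address the ePO server connects to instead of '*'.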