McAfee ePolicy Orchestrator 4.5 Best Practices
Sumeet Gohri, Mid-Atlantic Sales Engineer
McAfee User Group meeting organized by MEEC

Agenda
9:30 am - 9:45 am: Welcome
9:45 am - 11:00 am: ePO
11:00 am - 11:15 am: Break
11:15 am - 11:45 am: Firewall
11:45 am - 12:30 pm: Lunch
12:30 pm - 1:15 pm: GTI
1:15 pm - 1:30 pm: Q&A, closing remarks
Unprecedented Malware Growth
[Chart: Malware Growth (Main Variations), 2008 vs. 2009, by category Virus and Bots, PUP, Trojan; y-axis from 0 to 3,200,000 samples]
Source: McAfee Labs, December 3, 2010
Cost to Value Relationship
[Chart: Value and Additive Cost plotted against Organizational Maturity through the stages Secure, Compliant, Proactive, Optimized]
The relationship between cost and security diverges during the progression to the proactive and optimized states.
McAfee Security Leadership Across the Board
[Chart: quadrant diagram with axes Ability to Execute and Completeness of Vision, Challengers and Leaders quadrants; McAfee placed as a leader in System Security, Network IPS, Mobile Data Protection, Email Security, Web Security, Network DLP, Firewall, DLP, E-mail, Web, IPS]
McAfee Labs: Global Threat Intelligence
- 300+ dedicated threat researchers
- Founded in 1995
- First global 24/7 emergency response team in the industry
- 1,400 people in R&D with more than 300 dedicated threat researchers worldwide
- McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest-profile threats: MyDoom, Sasser, Blaster
McAfee Integrated Security Platform
[Diagram: ePO single agent, single console at the center, with Artemis and Software-as-a-Service (SaaS) delivery above; SIA Ecosystem around the platform]
- Endpoint: Anti-Virus & Anti-Spyware, Email AV & Anti-Spam, Desktop Firewall, Host IPS, SiteAdvisor, NAC, Policy Auditing, Macintosh AV, Linux AV
- Data Protection: Endpoint Encryption, Device Control, Host DLP
- McAfee Agent: agents and policies (agent deployment, configuration updates, policy settings); alerts and reporting (events and reports)
- Network: E-mail Security, Web Security, Network DLP, IPS, Firewall/UTM, NAC, Behavioral Analysis
- Risk and Compliance: Vulnerability Mgmt., Remediation, Policy Auditing (vulnerabilities and reports)
McAfee's Open Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance and lower TCO
SIA Associate Partner; SIA Technology Partner (McAfee Compatible)
Cost to Value Relationship
[Chart: Value and Additive Cost plotted against Organizational Maturity through the stages Secure, Compliant, Proactive, Optimized]
Where is my organization?
Agenda
- Introductions
- ePO 4.5, a brief overview
- How to size the ePO server infrastructure
- How to upgrade/migrate to the ePO 4.5 server
- How do I check for performance issues on my ePO server
- Tricks and tips on optimizing ePO performance
- Enabling Global Threat Intelligence in the AV policy
- Agent deployment
- VSE 8.7 policy best practices

ePO Management Console: intuitive web-based security management
McAfee ePolicy Orchestrator Key Feature Overview
- End-to-End Visibility: single point of reference across networks and systems
- Personalized Command Center: tune the work environment to optimize efficiencies
- Drillable Dashboards and Actionable Reports: immediate insight to action slashes response times
- Role-based Access Control: distribute administration and information
- Rogue System Detection: identify and manage all networked assets to lower risk
- Powerful Workflows: automate common routines, streamline processes across systems
- Flexible Architecture: can scale from managing a handful of machines to very large enterprises
- Extensible Framework: increase the value of existing security assets, optimize for future needs
McAfee Security Integration Architecture
[Diagram: ePolicy Orchestrator Management Console and ePO Agent at the center, linking network, endpoint (TOPS Endpoint) and data (TOPS Data) products]
Components shown: Network VM, Network IPS/NAC, Secure Email Gateway, Secure Web Gateway, Anti-Virus, Anti-Spyware, Desktop FW, Host IPS, NAC, Policy Auditor, Device Control, Encryption, Device Control/DLP, Encrypted USB, SolidCore, Data Loss Prev., Firewall
McAfee Secure Innovation Alliance (SIA) and future technologies
Security that Spans the Network to the Endpoint: Holistic Security, Not Disparate Solutions
[Diagram: Avert Labs threat data feeding both Network Security and Endpoint Security, with ePO as the single management console]
- Network Security: Network Security Platform, Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior
- Endpoint Security: VirusScan & Anti-Spyware, HIPS & Firewall, McAfee SiteAdvisor, GroupShield for Mail, Network Access Control, Host Policy Auditor, Host DLP, Host Encryption (ToPS, ToPS Advanced, ToPS for Data), Risk Advisor, Integrity Monitor, Application Control, Change Control, Change Reconciliation (SolidCore)
Single management console to manage endpoint security and integration with network security
McAfee Global Threat Intelligence
[Diagram: McAfee Labs reputation technologies (Network Reputation, Web Reputation, Email Reputation, File Reputation, Artemis, TrustedSource) feeding local protection in Network Security, Web Security, Email Security and the Endpoint]
Artemis (GTI) Technology
Artemis is enabled on the endpoint without any additional client-side install.
1. User receives a new file via e-mail or the Web
2. No detection with existing DATs, but the file is suspicious
3. A fingerprint of the file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies the threat and notifies the client
6. VirusScan processes the information and removes the threat
Enabling Artemis (GTI) Cloud Lookup
By leveraging cloud-based threat intelligence, customers can protect themselves from potential zero-day attacks.
- Extremely easy to enable
- Level of heuristic check can be throttled
- Uses the standard DNS mechanism to perform lookups
- Provides zero-day protection from unknown malware
- Provides protection from emerging threats
- Not dependent on DAT updates to be effective
- No impact on the performance of the endpoint
- No customer data is transferred to McAfee
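The two slides above describe the Artemis lookup as a flow (hash the file, send only the fingerprint over DNS, act on the verdict at a configurable sensitivity) without showing what each step looks like. The following is an added example, written for this page and not McAfee's code or protocol: a small simulation of that flow with a mock resolver standing in for the cloud service. The sensitivity levels, the lookup zone name, the query-name encoding and the scores are all constructed assumptions; the one verifiable property it demonstrates is that nothing but a digest leaves the endpoint.

```python
"""Simulated cloud file-reputation lookup following the Artemis/GTI flow on
the slides: hash locally, send only the fingerprint (encoded as a DNS query
name), and act on the returned score according to a sensitivity level.
Constructed model for illustration; not McAfee's protocol or lookup format."""
import hashlib
from typing import Dict, Optional, Tuple

# Hypothetical sensitivity levels: a higher level acts on lower scores,
# standing in for the slide's "level of heuristic check can be throttled".
SENSITIVITY_THRESHOLD = {
    "very_low": 90, "low": 75, "medium": 60, "high": 45, "very_high": 30,
}
LOOKUP_ZONE = "gti-lookup.example.invalid"  # placeholder zone, not a real service

# Constructed "cloud" table: fingerprint -> score 0..100 (higher = more likely malicious).
CLOUD_REPUTATION: Dict[str, int] = {}
# Endpoint-side cache so a known verdict is fetched once per fingerprint.
_LOCAL_CACHE: Dict[str, Tuple[str, int]] = {}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file content; only this digest leaves the endpoint."""
    return hashlib.sha256(data).hexdigest()


def register_known_sample(data: bytes, score: int) -> str:
    """Seed the simulated cloud with a verdict for a sample (test fixture)."""
    fp = fingerprint(data)
    CLOUD_REPUTATION[fp] = score
    return fp


def encode_query_name(fp: str) -> str:
    """Encode the fingerprint as a DNS-style name: 32-character labels
    (DNS labels are limited to 63 octets) under the lookup zone."""
    labels = [fp[i:i + 32] for i in range(0, len(fp), 32)]
    return ".".join(labels + [LOOKUP_ZONE])


def mock_resolver(qname: str) -> Optional[int]:
    """Stands in for the DNS-based service: reassemble the fingerprint from
    the labels and answer with a score, or None for an unknown sample."""
    if not qname.endswith("." + LOOKUP_ZONE):
        return None
    fp = "".join(qname[: -len(LOOKUP_ZONE) - 1].split("."))
    return CLOUD_REPUTATION.get(fp)


def cloud_lookup(fp: str) -> Tuple[str, int]:
    """Steps 3-4: send the fingerprint, receive ('known', score) or ('unknown', 0)."""
    if fp in _LOCAL_CACHE:
        return _LOCAL_CACHE[fp]
    score = mock_resolver(encode_query_name(fp))
    if score is None:
        return "unknown", 0          # not cached, so a later verdict is picked up
    _LOCAL_CACHE[fp] = ("known", score)
    return _LOCAL_CACHE[fp]


def classify(data: bytes, local_dat_hit: bool, sensitivity: str) -> str:
    """Walk the slide's flow for one file. Returns one of
    'detected_by_dat', 'removed_by_gti', 'clean' or 'unknown'."""
    if local_dat_hit:
        return "detected_by_dat"                        # step 2: signature match, no lookup
    status, score = cloud_lookup(fingerprint(data))     # steps 3-4
    if status == "unknown":
        return "unknown"                                # no verdict available
    if score >= SENSITIVITY_THRESHOLD[sensitivity]:
        return "removed_by_gti"                         # steps 5-6: client notified, file removed
    return "clean"


if __name__ == "__main__":
    sample = b"constructed suspicious payload"  # constructed sample bytes, not real malware
    register_known_sample(sample, 80)
    for level in ("very_low", "medium", "very_high"):
        print(level, classify(sample, local_dat_hit=False, sensitivity=level))
```

Running the block shows the same file being left alone at the "very_low" level and removed at "medium" and above, which is the trade-off behind the slide's "level of heuristic check can be throttled": a more aggressive level catches lower-scored files at the cost of more false positives.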
ePO Infrastructure Sizing
- Can I install ePO and my SQL server on the same physical hardware?
- Can I use a VM environment for ePO or my SQL server?
- Can ePO use an existing SQL server that hosts other databases?
- How should I partition my drives on ePO and SQL?
Installing ePO on a Single Server vs. Multiple Servers
- ePO can be hosted on a single server, where the SQL DB is installed locally. There are certain considerations to keep in mind when sizing hardware.
- Single-server configurations can scale up to 5K to 10K nodes, depending on the environment and the products managed.
- McAfee recommends optimizing disk sizing on the server to enhance performance (e.g. hosting the DB on a separate disk).
- If using ePO to manage products in addition to AV, ASPY and HIPS, it is recommended that the SQL server be hosted separately.
- Plan ahead by sizing the ePO server appropriately if you plan to roll out additional McAfee ePO-managed modules like HDLP, disk encryption, Device Control, SiteAdvisor, etc.
Installing ePO in a Virtualized Environment
- McAfee supports ePO installs in virtual environments.
- ePO scales up to 25K to 30K nodes in a virtual environment.
- Beyond the 25K to 30K range, disk performance becomes a bottleneck.
- When managing around 30K nodes, ensure that dedicated physical disks are used with assigned CPU priority.
- McAfee recommends not hosting the ePO database on a virtualized SQL server when the node count is around or exceeds 30K.
- Many of our customers are successfully hosting their ePO environments virtually without any problems.
Hosting the ePO DB on a Shared SQL Server
Shared SQL servers can be used to host the ePO DB; a few considerations when doing this:
- On a shared server ePO will be competing for resources with other applications, so ensure that the DB sizing is appropriate.
- Sudden spikes in DB server usage by another hosted application can impact ePO performance.
- McAfee recommends a node limit of 20K, beyond which a dedicated SQL server for ePO may be more appropriate for the environment.
- Keep in mind that operationally you may have to work with the SQL DBAs when the ePO DB is hosted on a shared server, including getting them involved in troubleshooting.
- Ensure that DB and schema updates can be applied to the ePO database on a shared server.
Disk Configuration for ePO Deployment
- Disk configuration and partitioning is rarely an issue below 5K nodes.
- When using a single-server configuration, separate disks are recommended for the OS, SQL and the ePO application.
- Disk performance is a critical factor for ePO performance, so when using RAID, higher-performance arrays like RAID 1 or RAID 10 are preferred.
Recommended Configuration Recap

Node Count | ePO & SQL on same server | VM Server       | ePO DB on a shared SQL server
100-5k     | Yes                      | Optional        | Optional
5k-25k     | Optional                 | Optional        | Optional
25k-75k    | Not Recommended          | Not Recommended | Not Recommended
75k+       | No                       | No              | No
Server Hardware, OS & DB Recommendations: RAM, CPU and HDD Sizing
- Fewer ePO servers is better: ePO can scale to 200K-plus nodes, so maintaining multiple instances of ePO adds to the overall workload.
- CPU, RAM and disk performance are critical for ePO, as for any other application.
- Use 64-bit software where possible, if you have hardware that supports a 64-bit OS and applications.
- Very small organizations (up to 500 nodes) can use SQL Express, which has a 4 GB DB size limit.
Distributed Repositories
- Leverage distributed repositories to save bandwidth
- Better performance when uploading DATs and patches
- Lightweight hosting requirements: FTP, UNC, HTTP supported
- Super Agents can be used as part of the distribution infrastructure
- Typical hosts are file & print servers, FTP servers and UNC shares
- Can be hosted in a DMZ environment
In-Place Upgrade to ePO 4.5
- If you want to upgrade to 4.5 from 3.x, you have to upgrade to 4.0 first and then on to ePO 4.5.
- Ensure that your hardware and software specs are in line with the requirements for ePO 4.5.
- Decommission any unused repositories.
- Clean out any unused or redundant policies.
- Clean out old and unused user accounts.
- Remove the client and server tasks that are not being used.
- Purge events that are more than 60 days old.
- Back up, re-index and defrag the database and ensure that it has enough space.
- Back up your ePO system and DB.
- Back up the system certs.
- If possible, do a trial upgrade in a VM environment.
Moving the ePO Server to a Different Platform
The key to moving from one physical ePO server to another is to follow the procedure in KB article 66616. The main steps of the migration are:
1. Back up the ePO database.
2. Back up the agent keys and SSL certs.
3. Install the ePO application and SQL server on the new box.
4. Ensure that the new ePO server has the same IP and DNS name as the old ePO server.
5. Attach the backed-up DB to the SQL instance on the new box.
6. Apply the SSL certs and agent keys to the new ePO server.
7. Disconnect the old ePO server from the network.
8. Connect the new ePO server to the network and monitor activity.
McAfee Agent Deployment
Deploying the ePO agent to the endpoint: what are my options?
- Active Directory
- Login scripts
- Pre-installed with the enterprise desktop/laptop image
- Using 3rd-party tools, i.e. Tivoli, SMS, BMC
- Self-serve: HTTP, FTP, UNC shares
The ePO agent is a small 5 MB package; additional packages are pushed from ePO once the agent checks back in to the ePO server.
Is My ePO Server Having a Performance Issue?
Have you looked at the performance counters for ePO under Performance Monitor?
- The total number of open ePO agent connections should not exceed 200 (250 max); the typical value should be around 30.
- Processed events per second is consistently high.
- The number of files in the events folder C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events is consistently high and getting higher.
- Throttle down the Agent-to-Server Communication Interval (ASCI) from the default of 60 minutes.
- Additionally, flag the ePO server processes as low-risk processes in the AV policy.
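The slide gives thresholds and symptoms but no way to apply them to what you actually read off Performance Monitor. The block below is an added example written for this page, not a McAfee tool: it grades sampled open-connection counts against the slide's 200/250 limits, detects a growing Events-folder backlog, and suggests an ASCI adjustment. It assumes that "throttle down" the ASCI means lengthening the interval so agents call in less often (doubling up to an assumed 240-minute cap), and that a sustained average of more than three times the typical ~30 connections is worth flagging; both are this example's choices, not the slide's. The counter values are passed in rather than queried, and the Events-folder path is the one the slide names.

```python
"""Health checks for the ePO server symptoms listed on the slide, using the
slide's own thresholds. Constructed example, not a McAfee tool. Sampled
counter values are passed in (e.g. read from Performance Monitor); only the
Events-folder count is collected here, and only when the folder exists."""
import os
from typing import Dict, List, Optional

OPEN_CONN_WARN = 200        # slide: open agent connections should not exceed 200
OPEN_CONN_MAX = 250         # slide: 250 max
OPEN_CONN_TYPICAL = 30      # slide: typical value around 30
DEFAULT_ASCI_MINUTES = 60   # slide: default agent-to-server comm interval
ASCI_CAP_MINUTES = 240      # assumed upper bound for the suggestion below
EVENTS_DIR = r"C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events"  # path from the slide


def count_event_files(path: str = EVENTS_DIR) -> Optional[int]:
    """Files waiting in the Events folder, or None when the folder is absent
    (e.g. when this runs somewhere other than the ePO server)."""
    if not os.path.isdir(path):
        return None
    return sum(1 for entry in os.scandir(path) if entry.is_file())


def assess_connections(samples: List[int]) -> str:
    """Grade sampled open-agent-connection counts against the slide's limits."""
    if not samples:
        raise ValueError("need at least one sample")
    peak = max(samples)
    if peak > OPEN_CONN_MAX:
        return "critical"
    if peak > OPEN_CONN_WARN:
        return "warning"
    # Assumed heuristic: a sustained average far above the typical ~30 deserves a look.
    if sum(samples) / len(samples) > 3 * OPEN_CONN_TYPICAL:
        return "elevated"
    return "ok"


def backlog_growing(samples: List[int], min_samples: int = 3) -> bool:
    """True when the event-file count rises at every consecutive sample,
    i.e. the slide's 'consistently high and getting higher'."""
    if len(samples) < min_samples:
        return False
    return all(later > earlier for earlier, later in zip(samples, samples[1:]))


def suggest_asci(current_minutes: int, connection_grade: str, growing: bool) -> int:
    """Assumption: throttling the ASCI means lengthening it so agents call in
    less often; double it while symptoms persist, up to the assumed cap."""
    if connection_grade in ("warning", "critical") or growing:
        return min(current_minutes * 2, ASCI_CAP_MINUTES)
    return current_minutes


def health_report(conn_samples: List[int], event_samples: List[int],
                  asci_minutes: int = DEFAULT_ASCI_MINUTES) -> Dict[str, object]:
    """Combine the checks into one report with the slide's recommendations."""
    grade = assess_connections(conn_samples)
    growing = backlog_growing(event_samples)
    recommendations = ["flag ePO server processes as low-risk in the AV policy"]  # slide's standing tip
    suggested = suggest_asci(asci_minutes, grade, growing)
    if suggested != asci_minutes:
        recommendations.append(f"raise ASCI from {asci_minutes} to {suggested} minutes")
    return {
        "connections": grade,
        "event_backlog_growing": growing,
        "suggested_asci_minutes": suggested,
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    # Constructed samples: four PerfMon readings and three Events-folder counts.
    report = health_report([28, 35, 212, 41], [1200, 1450, 1900])
    for key, value in report.items():
        print(f"{key}: {value}")
    print("events folder now:", count_event_files())
```

On the ePO server itself, calling count_event_files() a few times over an hour and feeding the results to backlog_growing() gives the "getting higher" check directly; off the server the function returns None rather than misreporting an empty folder.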
Maintaining the ePO Database
Use Server Tasks under the Automation tab to purge old events and logs:
- Purging events based on time
- Purging events based on type
- Purging events based on a query
- Deleting inactive assets
- Deleting machines with duplicate GUIDs
Also:
- Back up the ePO DB and transaction log
- Re-index the DB on a regular basis
- Rebuild the DB on a regular basis
Tuning VSE 8.7 Policies
- Enable Access Protection and prevent services from being stopped
- When applying policy to servers, use the Server profile
- Enable the Buffer Overflow Protection policy and enforce protection
- Use different scanning policies for high-risk, low-risk and default processes
- Enable a client task to scan memory at least once a day
- Enable GTI lookups
- ScriptScan (KB65382)
- Daily scan task to check memory for rootkits and running processes
McAfee's Open Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance and lower TCO

Questions? Thank you.
McAfee Sales Team
Derrick Honea, derrick_honea@mcafee.com
Sumeet Gohri, sumeet_gohri@mcafee.com