Installation Guide
McAfee Enterprise Security Manager 10.0.0
COPYRIGHT
© 2017 Intel Corporation
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
2 McAfee Enterprise Security Manager 10.0.0 Installation Guide
Contents
Preface 5
  About this guide 5
    Audience 5
    Conventions 5
  Find product documentation 6
1 Installation overview 7
  McAfee Enterprise Security Manager components 7
  Configuration scenarios 8
  McAfee ESM installation overview 10
2 Installing McAfee ESM devices 13
  ESM console hardware and software requirements 13
  Identifying a location for installation 13
  Hardware setup 14
    Inspect packaging and device 14
    Mount hardware in a rack 14
3 Mounting ESM software on a VM 27
  Mounting ESM VM image overview 27
  ESM VM system requirements 28
  Download the ESM VM image 29
  VMware ESXi VM ESM software mounting 30
    VMware ESXi VM requirements 30
    Mount the VMware ESXi virtual machine 30
  Linux KVM ESM installation 31
    Linux KVM requirements 31
    Deploy Linux KVM ESM software 31
  Configure the VM ESM software 32
    Configure the virtual machine 32
    Key the VM device 33
4 Installing ESM on AWS 35
  Using ESM with AWS 35
  Create the AWS 35
  Create an ESM image and install it on AWS 37
  Configure ESM AWS connections 40
5 Setting up McAfee ESM network connections 41
  Configure the ESM network interface 41
  Configure the ERC, ELM, ELS, or ACE network interface 42
  Configure the DEM or ADM network interface 43
6 Initial ESM logon and configuration 45
  Log on to the McAfee ESM console 45
  Connecting devices 47
    Add devices to the ESM console 47
  Confirm in ESM that all devices appear 47
  Key a device 48
7 Upgrading McAfee ESM software 49
  What you have and what you need 49
  Preparing to upgrade 51
    Back up ESM settings and system data 53
    Check ERC high availability status 54
  Special upgrade scenarios 55
  Download the upgrade files 57
  Upgrade the software on a device 58
  Upgrade the system 59
  Upgrade ESM, ESMREC, or ENMELM 60
  Upgrade HA Receivers 61
  Available VA vendors 61
A Alternative installation scenarios 63
  Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS 63
  Install DAS 64
  Common Criteria evaluated configuration 65
  Regulatory notices 65
B Enabling FIPS mode 69
  Select FIPS mode 69
Index 71
Preface
This guide provides the information you need to work with your McAfee product.
Contents
• About this guide
• Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Italic Title of a book, chapter, or topic; a new term; emphasis
Bold Text that is emphasized
Monospace Commands and other text that the user types; a code sample; a displayed message
Narrow Bold Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue A link to a topic or to an external website
Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip: Best practice information
Caution: Important advice to protect your computer system, software installation, network, business, or data
Warning: Critical advice to prevent bodily harm when using a hardware product
Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
1 Installation overview
This document provides an overview of McAfee® Enterprise Security Manager (McAfee ESM) components and explains how to install and cable the hardware components. It also describes how to mount the software on a virtual machine (VM), how to upgrade the software on existing components, and how to configure the components on your network for the first time.
Contents
• McAfee Enterprise Security Manager components
• Configuration scenarios
• McAfee ESM installation overview
McAfee Enterprise Security Manager components
McAfee ESM and its components are installed in your network and configured to identify vulnerabilities and threats.
If a threat occurs, the ESM can:
• Notify you using the user interface, email, SNMP, or a text message.
• Save the history of the threat for analysis.
• Automatically act on the threat based on configured policy.
The McAfee ESM components include:
• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or Virtual Machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status and a view of the systems, data, risks, and activities inside your enterprise.
• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM devices.
• McAfee Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it collects, compresses, signs, and stores all events to provide a proven audit trail of activity.
• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches the events faster using its indexes.
• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.
• McAfee Advanced Correlation Editor (ACE) — Available as a hardware component or VM software installation that simplifies event correlation and startup to identify and score threat events in historical or real time, using both rule- and risk-based logic.
• McAfee Application Data Monitor (ADM) — A hardware component that monitors more than 500 known applications through the whole layer stack and captures full session detail of all violations.
• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.
• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.
In redundant solutions, one DAS device is required in each system. For example, two redundant ESMs and two redundant ELMs require four DAS devices.
• ESM Console — A computer with a browser that security administrators use to configure and manage the ESM.
You might use just one combination ESM, or many of these components, depending on your environment.
For detailed configuration information, see the McAfee Enterprise Security Manager Product Guide.
Configuration scenarios
You can configure McAfee ESM with just one combination ESM, or you can add components to identify threats in a large enterprise network.
Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.
VM installed ESM combination devices have limits to the number of components that you can add.
• ACE — Increases the events-per-second (EPS) capability, logs, network flows, and contextual information sent to the ESM
• ADM — Listens to layer 7 traffic on the network to monitor applications that would normally be missed using logging only, and it tracks the application transaction details you can store.
• DEM — Increases the database transactions you can store, how you access those transactions, and discovers unknown databases on the network for added security.
• ERC — Additional ERCs increase the EPS throughput from your network segments and the connected data sources.
The EPS throughput for an ERC depends on the model.
• ELM — The ELM increases the raw logs you can compress and store. The ELM is the only device that stores the logs in compliant "Raw Format."
• ELS — The ELS, compared to the ELM, speeds searching event data using its index tags. But it has a much lower compression ratio than the ELM and is not meant to meet compliance requirements.
• ESM — Adding a redundant ESM allows you to quickly switch to the standby ESM if the active ESM ever fails or needs maintenance.
Simple ESM scenario
This figure shows that one ESM device allows you to gain visibility to your network events.
Complex ESM scenario
This figure shows how a large enterprise network uses multiple ESM components to gain visibility into network events. As the network grows and your events increase, you can add ESM components.
McAfee ESM installation overview
This flowchart provides an overview of the steps required to install the ESM solution.
2 Installing McAfee ESM devices
Installing your McAfee devices requires mounting them in the rack, cabling the devices, and powering them on. These installation instructions apply to all current models of McAfee ESM devices.
Contents
• ESM console hardware and software requirements
• Identifying a location for installation
• Hardware setup
ESM console hardware and software requirements
The system you use for the McAfee ESM console must meet these minimum hardware and software requirements.
• Processor — P4 class (not Celeron) or higher (Mobile/Xeon/Core2, Core i3/5/7) or AMD AM2 class or higher (Turion64/Athlon64/Opteron64, A4/6/8)
• RAM — 1.5 GB
• Windows operating system — Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 7, Windows 8, Windows 8.1, and Windows 10
• Browser — Internet Explorer 11 or later, Mozilla Firefox 42 or later, Google Chrome 48 or later
• Flash Player — Version 11.2.x.x or later
ESM features use pop-up windows when uploading or downloading files. Disable the pop-up blocker for the IP address or host name of your ESM.
Identifying a location for installation
You must analyze your existing network and identify the network and physical location for your devices. Proper location impacts the effective use of your devices.
When selecting a location for your devices:
• Install your ESM device in a network location where it can manage devices and be accessible by any systems needing to reach it. If direct communication is restricted between devices managed by the ESM and systems running ESM, configure your network to route network traffic between them.
• Install the ESM device in a secure location that is only accessible by network security personnel.
• Your Receiver must be accessible to the devices it monitors. If direct communication isn't possible, you must configure your network to allow proper routing of network traffic between them.
Hardware setup
These are the steps needed to physically install, connect, and power on your ESM devices.
Tasks
• Inspect packaging and device on page 14
Before installing your equipment, make sure that there is no sign of damage or tampering.
Inspect packaging and device
Before installing your equipment, make sure that there is no sign of damage or tampering.
Task
1 When you receive your device, inspect the packaging and the device for signs of damage or tampering, including the tamper-evident packing tape that is securing the shipping container.
If there is any sign of damage, mishandling, or tampering, contact McAfee Support immediately for instructions, and do not install the product.
2 Verify that the package contains all items listed on the packing slip.
3 When performing a FIPS installation, find the tamper-evident seal in the shipping container's accessories package. Apply the seal so it completely blocks the USB ports, preventing their use without leaving evidence of tampering.
Figure 2-1 USB tamper seal
Contact Technical Support immediately if not fully satisfied with the inspection.
Mount hardware in a rack
Mount your ESM devices in a rack to protect them and their cabling from damage or from being disconnected.
Tasks
• Install AXXVRAIL rail set on page 15
An AXXVRAIL rail set is shipped with each device so you can install it in a rack.
• Remove the chassis on page 19
You can remove the chassis from the rails to replace or move the device.
• Connect to network and start the devices on page 19
After installing the devices, make the network connections and power on the devices.
Install AXXVRAIL rail set
An AXXVRAIL rail set is shipped with each device so you can install it in a rack.
The default rail set we ship is designed to work in most racking systems. If that rail system does not work, you might need to buy a rail system designed for your server cabinet.
Task
1 Install rails in the rack.
a Pull the release button (F) to remove the inner member (D) from the slides.
Components
A - front bracket
B - outer member
C - rear bracket
D - inner member
E - safety locking pin
F - release button
b Align the brackets to a vertical position on the rack, then insert the fasteners.
c Move the ball retainer to the front of the slides.
2 Install the chassis.
a Align the inner member key holes to standoffs on the chassis.
b Move the inner member in the direction shown in the following picture.
c Install the chassis to the fixed slides by pulling the release button in the inner member to release the lock and allow the chassis to close.
Remove the chassis
You can remove the chassis from the rails to replace or move the device.
Task
1 Fully extend the slides until the slides are in a locked position.
2 Pull the release button to release the lock and disconnect the inner member from the slides.
3 Press the safety locking pin to release the inner member from the chassis.
Connect to network and start the devices
After installing the devices, make the network connections and power on the devices.
Tasks
• Connector and equipment types on page 19
You can connect your ESM devices to the network using standard Ethernet copper cables.
• Connect power and start devices on page 26
Connecting the power and startup process is similar for all ESM hardware components.
Connector and equipment types
You can connect your ESM devices to the network using standard Ethernet copper cables.
Connect your ESM, Receiver, ADM, and DEM devices to the network using copper connectors. The CAT5 copper cables have RJ-45 connectors. Use CAT5 or higher for your copper connections. For gigabit connections, use CAT5e.
The ADM and DEM require a network Switch Port Analyzer (SPAN) or Test Access Point (TAP) connection to listen to the network traffic. This means that the connected switch must mirror the traffic from other switch ports, usually on the connected switch.
You can connect Data Circuit-Terminating Equipment (DCE) and Data Terminal Equipment (DTE) to your ESM devices.
• Firewall and routers are DTE and switches are DCE.
• ESM devices are DTE.
Network cables
The ESM devices all use copper cable connections. They use either straight-through or crossover copper RJ-45 male cables.
• To connect an ESM device RJ-45 port to DCE, use a straight-through cable.
• To connect to a DTE, use a crossover cable.
To distinguish between a straight-through and crossover cable, hold the two ends of the cable as shown:
• On a straight-through cable, the colored wires are the same sequence at both ends.
• On a crossover cable, the first (far left) colored wire at one end is the same color as the third wire at the other end of the cable.
Network ports
Identify the ports on the McAfee devices and connect those cables.
The devices contain management ports so they can be managed from McAfee ESM.
The following images identify the management and collection ports.
1U ERC and ADM connections
• IPMI port
• Eth0: ERC — MGMT 1; ADM — MGMT 2
• Eth1: ERC — MGMT 2; ADM — MGMT 1
• Eth2, Eth3, Eth4, Eth5: ERC — can be used as additional MGMT ports; ADM — collection (sniffer) ports
• Monitor connection
1U ERC HA connections
• IPMI port, for HA: Primary — IPMI port to secondary Eth5 port (port 1 of 4-port NIC); Secondary — IPMI port to primary Eth5 port (port 1 of 4-port NIC)
• Eth0: MGMT 1, configured with unique IP addresses
• Eth1: MGMT 2 (data port), configured with a shared IP address
• Eth5, for HA: Primary — port 1 of 4-port NIC to secondary IPMI port; Secondary — port 1 of 4-port NIC to primary IPMI port
• Eth4: heartbeat connection between HA devices
• Eth3: not used
• Eth2: not used
• Monitor connection
2U ERC connections
• Eth7: HA reserved for IPMI connection
• Eth6: HA reserved for heartbeat
• Eth5: can be used as additional MGMT port; shown on graphical user interface as "Interface 6"
• Eth4: can be used as additional MGMT port; shown on graphical user interface as "Interface 5"
• Eth0: MGMT 1; shown on graphical user interface as "Interface 1"
• Eth1: can be used as additional MGMT port; shown on graphical user interface as "Interface 2"
• Eth2: can be used as additional MGMT port; shown on graphical user interface as "Interface 3"
• Eth3: can be used as additional MGMT port; shown on graphical user interface as "Interface 4"
• Monitor connection
• IPMI port
2U ERC HA connections
• Eth7, for HA: Primary — port 1 of 4-port NIC to secondary IPMI port; Secondary — port 1 of 4-port NIC to primary IPMI port
• Eth6: heartbeat connection
• Eth5: can be used as additional MGMT port
• Eth4: can be used as additional MGMT port
• Eth0: MGMT 1, configured with unique IP addresses
• Eth1: MGMT 2 (data port), configured with a shared IP address
• Eth2: can be used as additional MGMT port
• Eth3: can be used as additional MGMT port
• IPMI port, for HA: Primary — port 1 of 4-port NIC to secondary IPMI port; Secondary — IPMI port to primary port 1 of 4-port NIC
2U ADM connections
• Eth7: SPAN or TAP port
• Eth6: SPAN or TAP port
• Eth5: SPAN or TAP port
• Eth4: SPAN or TAP port
• Eth0: MGMT 1; shown on graphical user interface as "Interface 1"
• Eth1: can be used as additional MGMT port; shown on graphical user interface as "Interface 2"
• Eth2: can be used as additional MGMT port; shown on graphical user interface as "Interface 3"
• Eth3: can be used as additional MGMT port; shown on graphical user interface as "Interface 4"
• Monitor connection
• IPMI port
2U DEM connections
• Eth4 through Eth7: SPAN or TAP ports
• Eth0: MGMT 1
• Eth1: MGMT 2
• Eth2 and Eth3: collection (sniffer) ports
• Monitor connection
• IPMI port
2U ETM, ELMERC, ELM, ELS, ACE, and ENMELC connections
• Eth0: MGMT 1
• Eth1: MGMT 2
• Monitor connection
• IPMI port
DAS data cable connections
Typical DAS SAS input connections
Typical DAS SAS output connections
See also Identifying a location for installation on page 13
Connect power and start devices
Connecting the power and startup process is similar for all ESM hardware components.
Task
1 Connect the power supply cable to the power source. Properly install and ground the equipment to comply with national, state, and local codes.
Connect all ESM devices to separate uninterruptible power supplies (UPS). Connecting redundant power cords and power modules operating at normal conditions balances the load share through its parallel design, resulting in a reliable power system.
2 Turn on the device.
3 Mounting ESM software on a VM
You can mount the McAfee ESM software on an ESXi VM or on Linux Kernel-based Virtual Machine (KVM) servers.
Contents
• Mounting ESM VM image overview
• ESM VM system requirements
• Download the ESM VM image
• VMware ESXi VM ESM software mounting
• Linux KVM ESM installation
• Configure the VM ESM software
Mounting ESM VM image overview
Mounting the ESM software on a VM is similar for a VMware ESXi VM and a Linux KVM.
This flowchart shows the major tasks used to install and configure the different VM software.
ESM VM system requirements
The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.
• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher
• RAM — Depends on the model (4 GB or more)
• Disk space — Depends on the model (250 GB or more)
• ESXi 5.0 or later
• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB unless the VM purchased has more. See the specifications for your VM product.
Thick vs thin disk provisioning — When you configure your VM disk space, use thick provisioning if you have the actual disk space available on your ESXi server. Using thin provisioning saves disk space, but there is a slight performance impact and you must be careful to never fill that disk space to capacity.
Download the ESM VM image
Downloading the ESM software VM image is similar for the ESXi VM and a Linux KVM.
Before you begin
You must have your McAfee Grant Number to download the ESM software VM image from the download site.
Task
1 Use your browser and this URL to access the McAfee download site:
Product Downloads, Free Security Trials & Tools
2 Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.
3 On the My Products page, scroll down the list and click one of the McAfee Enterprise Security Mgr VM** downloads.
The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.
4 Click the Current Version tab and select the McAfee Enterprise Security Mgr VM image.
5 Select one of these downloads:
• KVM Image — To download the tarball image file for a Linux Kernel VM
• OVF Deployment File — To download the .ova file for the VMware vSphere ESXi client.
6 Save the image file to a location on your local system.
Now you can install or deploy the VM image file to create your ESM VM.
VMware ESXi VM ESM software mounting
After you have downloaded the ESM software, perform these tasks to mount the software on a VMware ESXi VM.
VMware ESXi VM requirements
The VMware ESXi VM must meet these minimum requirements.
• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later
The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.
• RAM — 4 GB minimum (depends on the model)
• Disk — 250 GB minimum (depends on the model)
Sharing CPU or RAM with other VMs impacts the ESXi VM performance.
• ESXi — 5.0 or later
You can select the hard disk requirement needs for your server. But the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.
This disk space is for the operating system and does not include the space needed for the database or logs.
The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.
McAfee recommends setting the provisioning option to Thick.
Mount the VMware ESXi virtual machine
Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.
Task
1 Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.
2 In vSphere Client, click the server IP address in the device tree.
3 Click File and select Deploy OVF Template.
4 Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.
5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.
6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.
7 Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Escto activate the menu.
8 Configure the network interface on the VM, save the changes before exiting the Menu window, thenkey the device. See McAfee Enterprise Security Manager Product Guide for details about keying thedevices.
Linux KVM ESM installationAfter you have downloaded the ESM software, perform these tasks to install the software on a LinuxKVM
Linux KVM requirementsThe Linux KVM where you install the ESM software must meet these minimum requirements.
Minimum requirements
• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMDDual Athlon64/Dual Opteron64 or higher (for processors)
The number of CPU cores the image supports is indicated in the image filename. For example, image"McAfee Enterprise Security Mgr VM4" supports 4 cores. You can not add or suptract processorsfrom the VM or change the VM ID number.
• RAM — Depends on the model (4 GB or more)
• Disk space — Depends on the model (250 GB or more)
Sharing CPU or RAM with other VMs impacts KVM performance.
• 2 Virtio Ethernet interfaces for ESM and Receiver class devices, or 3 for IPS class devices
These interfaces use sequential MAC addresses.
• 1 Virtio/Virtio-SCSI Disk Controller, which controls the Virtio virtual hard drive
Deploy Linux KVM ESM software
To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).
Task
1 Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page.
The tarball contains sample config files.
2 Move the tarball file to the directory where you want the virtual hard drive to reside.
3 Extract the tarball by running this command:
tar -xf McAfee_ETM_VM4_250.tgz
To deploy multiple VMs of the same type in the same location, change the name of the virtual hard drive, for example from ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.
4 Create a VM on your KVM hypervisor using your management tool (libvirt, qemu-kvm, proxmox, virt-manager, ovirt).
5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
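The extraction and renaming steps above, as an added example (not code from the McAfee guide): the core count and disk size are read from the tarball name, the host is refused if it has fewer cores than the image needs, and each extracted Virtio disk gets a VM-specific name so several VMs can share one directory. Function names and the constructed sample tarball are this example's own.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: stage one KVM virtual disk from the
# downloaded tarball. The supported core count and disk size are read from the
# tarball name (the guide's McAfee_ETM_VM4_250.tgz is a 4-core, 250 GB image),
# the host is checked for enough cores, and the extracted .raw disk is renamed
# so several VMs of the same type can live in one directory without clobbering.

# image_cores McAfee_ETM_VM4_250.tgz   -> 4
# image_disk_gb McAfee_ETM_VM4_250.tgz -> 250
image_cores() {
  basename "$1" | sed -n 's/.*_VM\([0-9][0-9]*\)_.*/\1/p'
}
image_disk_gb() {
  basename "$1" | sed -n 's/.*_VM[0-9]*_\([0-9][0-9]*\)\.tgz$/\1/p'
}

# stage_kvm_disk <tarball> <vm-name> [dest-dir] [host-cores]
# Extracts the tarball into a scratch directory under dest-dir, moves its Virtio
# disk to <dest-dir>/<vm-name>.raw and keeps any sample config files beside it
# in <dest-dir>/<vm-name>-files/. host-cores defaults to nproc (the fourth
# argument exists so the check can be exercised on a host without nproc).
# Returns 0 on success, 1 on a refused deployment, 2 on an unreadable name.
stage_kvm_disk() {
  tgz=$1; name=$2; dest=${3:-.}; host=${4:-$(nproc 2>/dev/null || echo 0)}
  cores=$(image_cores "$tgz")
  if [ -z "$cores" ]; then
    echo "cannot read the core count from $(basename "$tgz")" >&2; return 2
  fi
  if [ "$host" -lt "$cores" ]; then
    echo "image needs $cores cores, host has $host; refusing" >&2; return 1
  fi
  if [ -e "$dest/$name.raw" ]; then
    echo "$dest/$name.raw already exists; choose another VM name" >&2; return 1
  fi
  mkdir -p "$dest" || return 1
  scratch=$(mktemp -d "$dest/.stage.XXXXXX") || return 1
  if ! tar -xf "$tgz" -C "$scratch"; then
    rm -rf "$scratch"; return 1
  fi
  raw=$(find "$scratch" -type f -name '*.raw' | head -n 1)
  if [ -z "$raw" ]; then
    echo "no .raw disk found in $(basename "$tgz")" >&2; rm -rf "$scratch"; return 1
  fi
  mv "$raw" "$dest/$name.raw" || return 1
  rm -rf "$dest/$name-files"
  mv "$scratch" "$dest/$name-files"
  echo "$dest/$name.raw"
}

# Stand-alone demo on a constructed tarball: two VMs staged from one image.
demo() {
  work=$(mktemp -d)
  mkdir "$work/img" && : > "$work/img/ERC-VM4-disk-1.raw" && : > "$work/img/sample.conf"
  tar -czf "$work/McAfee_ETM_VM4_250.tgz" -C "$work/img" .
  stage_kvm_disk "$work/McAfee_ETM_VM4_250.tgz" my_first_erc "$work/vms" 8
  stage_kvm_disk "$work/McAfee_ETM_VM4_250.tgz" my_second_erc "$work/vms" 8
  ls "$work/vms"
  rm -rf "$work"
}
demo
```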
Configure the VM ESM software
Once you have mounted the ESM software on the VM, you must configure the VM network interface connection, connect to the ESM using the ESM console, then key the device to establish a connection.
Tasks
• Configure the virtual machine on page 32: Once you have mounted the ESM software on the VM, configure the network interface.
• Key the VM device on page 33: You must key the device to establish a link between the device and the ESM.
Configure the virtual machine
Once you have mounted the ESM software on the VM, configure the network interface.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 To start the configuration, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 To set the ESM VM IP address:
a Scroll down to Mgt1 and press Enter.
b Scroll down to IP Address and press Enter.
c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
4 To set the IP netmask address:
a Scroll down to Netmask and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
5 To set the network gateway IP address:
a Scroll down to Gateway IP and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
6 To set the DNS IP address:
a Scroll down to DNS1 IP and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
7 To configure whether to use DHCP:
a Scroll down to DHCP and press Enter.
b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.
8 To quit and save your changes:
a Scroll down to Done and press Enter to return to MGT IP Conf.
b Scroll down to Save Changes and press Enter.
9 Optional steps to configure FIPS: to change the communication port, press the down arrow twice, then press Enter.
a Scroll down to Comm Port and press Enter.
b Change the port number, then press Enter.
Make note of the new port number; you'll need it when you key the device.
10 See Log on to the McAfee ESM console to begin configuring the ESM VM settings.
11 See Key the VM device to add the SSH key to the ESM VM.
To complete the configuration, log on to the ESM console using your browser and the configured IP address.
Key the VM device
You must key the device to establish a link between the device and the ESM.
Before you begin
Physically connect the device to your network. See Installing McAfee ESM devices for details.
Task
1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.
2 Enter the information requested on each page of the Add Device Wizard.
4 Installing ESM on AWS
Installing McAfee ESM on an Amazon Web Services (AWS) virtual server eliminates the chance of hardware failure.
Contents
Using ESM with AWS
Create the AWS
Create an ESM image and install it on AWS
Configure ESM AWS connections
Using ESM with AWS
An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.
The basic steps to create an AWS server in your network with McAfee ESM include:
1 Get an AWS account from http://aws.amazon.com/.
2 Log on to the AWS Management Console and configure your AWS instance.
3 Install the ESM, ERC, ELM, ELS, or ACE software.
4 Configure the ESM device.
Create the AWS
Before you can install ESM on an AWS server, you must create the server with the proper settings and create a connection to your enterprise network.
Before you begin
You must have an Amazon Web Services account.
This example, and the selected values, describe creating a simple ESM server. The values you select might be different.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the AWS console to display the AWS Console page.
2 Set the AWS data center region to the location closest to most of your networks.
3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.
This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.
4 Open Step 2: Choose an Instance Type, select m3.large, then click Next: Configure Instance Details.
When choosing the Instance Type for a McAfee device, make sure to select the correct CPU count.
5 Click Next: Configure Instance Details to select the network to use while running your instance.
Make sure you are able to connect to your instance using:
• Public address
• Private address
You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.
6 Click Next: Add Storage to open the Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.
The default for McAfee devices is 250 GB. You can add more volumes if you need them.
7 Click Next: Tag Instance to open the Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.
8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:
• Create a new security group — A new security group limits who can log on to the instance.
Add your external-facing IP address range.
• Select existing security group.
9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.
Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.
10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.
11 Click Launch Instance and View Instances to confirm the status of the AWS server.
It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.
12 Make a note of the public IP address, shown in this example as cc.dd.ee.ff.
You need this IP address to transfer the installer to the instance and to log on to it.
You have created your AWS server. Continue with the AWS image creation and installation process.
Create an ESM image and install it on AWS
Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.
Before you begin
You must have created the AWS server and connected to the server.
You must know the configured IP address of the AWS server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Use scp or pscp (PuTTY Secure Copy Client) to copy the installation script to the instance, authenticating with your key pair .pem file (for PuTTY, convert the .pem file to .ppk first).
For example, using Secure Copy Client, use this command to transfer the file to the new AWS instance:
scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:
Using PuTTY Secure Copy Client, use this command:
pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:
These are the variables in the previous examples:
• mykeypair.pem — Key pair file name
• siem_install.sh — Installation script file name
• ec2-user — User name
• cc.dd.ee.ff — IP address
For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP. For more information, see this Amazon help page https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.
To download and install the PuTTY SSH and telnet client, see http://www.putty.org/.
2 Log on to the new AWS instance using SSH or PuTTY with this command:
ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff
These are the variables in the example:
• mykeypair.pem — Key pair file name
• ec2-user — User name
• cc.dd.ee.ff — IP address
3 Type this command to change to root, then press Enter:
sudo su
4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:
[root@<IP address> <ec2-user name>]# aws configure
AWS Access Key ID [None]: <Access Key ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: (Leave blank, and press Enter)
Default output format [None]: (Leave blank, and press Enter)
For more information about these keys, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html.
5 Confirm that the installation script is executable. If needed, use chmod. For example:
chmod u+x siem_install.sh
6 Create an AMI image and an instance with this command:
./siem_install.sh
If you see an error that says the keys were not defined, you can add the keys on the command line. For example:
[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh
The AWS access key or the AWS Secret key were not defined
[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>
To access Help for the output options:
[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h
install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2
install_McAfee_ETM_VM8.sh [options]
options:
-h, --help show brief help
-O AWS key
-W AWS Secret Key
Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:
[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done
7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.
Terminating the instance destroys the instance.
8 Log on to AWS, click the AMIs sidebar and find the AMI that you created.
This AMI now has the name from the installation script. In this example, McAfee_ETM_VM8.
9 Right-click the AMI name and click Launch.
10 Go through the launch options, then click Launch. For McAfee type devices, the key pair step is not needed. Select Proceed without a key pair and click the acknowledgment.
11 Once the AMI is launched and goes through the "status checks", open a browser and navigate to the assigned IP address. For this example, type http://172.31.6.172/ in the browser (the private address shown in the installer prompts above as ip-172-31-6-172).
All McAfee devices in AWS are enabled using DHCP and the IP address is assigned to them automatically.
The IP address that you navigate to depends on how you set up networking in the AWS. You can have a private IP address or public IP address. For long-term use, we recommend using a private IP address.
The first time you log on to the ESM, this warning indicates that you are in the cloud and need to confirm the features you are licensed to use.
In this example, the hash has been obfuscated.
12 Click Email Hash to populate your default email client with the created hash.
13 Add your grant number to the email and send it.
A Hash Accepted dialog box indicates that your hash was successfully sent.
A Support Representative looks at your grant number and verifies the features you are licensed to have. They then send you a hash string back to overwrite the previously displayed hash string. When you click Send, you can log on for the first time.
14 When you log on to the AWS again, overwrite the existing hash with the hash sent by McAfee, then click Send.
Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.
Configure ESM AWS connections
After you have configured the hash for the AWS ESM, you must connect and add the devices.
Before you begin
You must have created the AWS and installed ESM on the AWS.
Task
For details about product features, usage, and best practices, click ? or Help.
1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.
2 Connect both physical and virtual devices to the ESM.
3 Confirm that all various ESM devices appear in ESM before configuring the devices.
4 Key the devices to complete the device configuration.
5 Setting up McAfee ESM network connections
Once the ESM device is installed and turned on, you must configure the network interface connection for each device before it can connect to the McAfee ESM.
Contents
Configure the ESM network interface
Configure the ERC, ELM, ELS, or ACE network interface
Configure the DEM or ADM network interface
Configure the ESM network interface
Configure the network interface on an ESM.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 Select Mgt 1 and press Enter, then select IP Address and press Enter.
4 Set the value and press Enter.
5 Scroll down to Netmask and set the value.
6 Scroll down to Done and press Enter.
7 Scroll down to Gateway and press Enter.
8 Set the gateway address, scroll down to Done, and press Enter.
9 Scroll down to DNS 1, press Enter, and set the value.
10 Scroll down to Done and press Enter.
11 Scroll down to Save Changes and press Enter.
12 Log on to the McAfee ESM console to begin configuring the systems and device settings.
Configure the ERC, ELM, ELS, or ACE network interface
Configure the network interface on an ERC, ELM, ELS, or ACE device.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left-hand corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 Select Mgt 1 and press Enter, then select IP Address and press Enter.
To configure an IPv6 address, scroll down to IPv6 Config.
4 Set the value and press Enter.
5 Scroll down to Netmask and set the value.
6 Scroll down to Done and press Enter.
7 Scroll down to Gateway and press Enter.
8 Set the gateway address, scroll down to Done, and press Enter.
9 Scroll down to DNS 1, press Enter, and set the value.
10 Scroll down to Done and press Enter.
11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.
Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.
12 Scroll down to Save Changes and press Enter.
Configure the DEM or ADM network interface
Configure the network interface on a DEM or ADM device.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left corner of the screen, then press Esc twice.
3 Scroll down to MGT IP Conf and press Enter.
4 Select Mgt 1 and press Enter.
5 On the Active menu, select IP Address and press Enter.
To configure an IPv6 address, scroll down to IPv6 Config.
6 Set the value and press Enter.
7 Scroll down to Netmask and set the value.
8 Scroll down to Done and press Enter.
9 Scroll down to Gateway and press Enter.
10 Set the gateway address, scroll down to Done, and press Enter.
11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.
Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.
12 Scroll down to Save Changes and press Enter.
6 Initial ESM logon and configuration
Once the ESM devices are connected to the network and their interface connections configured, you can log on to the ESM console and finish the initial configuration.
See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.
Contents
Log on to the McAfee ESM console
Connecting devices
Confirm in ESM that all devices appear
Key a device
Log on to the McAfee ESM console
Log on to the console to begin configuring the systems and device settings.
Before you begin
Verify whether you are required to operate the system in Federal Information Processing Standard (FIPS) mode.
Task
1 Open a web browser on a client computer and go to the IP address you set when you configured the ESM network interface. For example, if the ESM IP address is 172.016.001.140, type the following in your browser:
https://172.016.001.140/
2 Click Continue to site, if a self-signed certificate error appears for your browser.
3 Click Login, select the language for the console, then type the default user name and password.
• Default user name: NGCP
• Default password: security.4u
4 Click Login, read the End User License Agreement, then click Accept.
5 When prompted, change your user name and password, then click OK.
6 Select whether to enable FIPS mode and if you select Yes, click the additional confirmation.
If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to. For more information about FIPS, see Appendix B.
7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.
8 Perform initial ESM configuration:
a Select the language to be used for system logs.
b Select the time zone where this ESM is and the date format used with this account, then click Next.
9 Enter the server information for the ESM.
a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.
d Click Next.
10 (Optional) If needed to connect through a proxy server, type its IP address, port number, credentials, and set the local network setting, then click Next.
11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.
12 Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:
• NTP Server IP address
• Authentication Key
• Key ID
To achieve best results in the ESM, it's important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.
13 To automatically check the ESM server for rule updates:
• Type your customer ID and password to verify your identity.
• Configure your Auto check interval in hours and minutes.
• Click Check Now or Manual Update.
14 Click Finish.
15 In the Network settings change dialog box, click Yes to restart the ESM service.
The restart takes about 90 seconds to complete. Then you might be required to log back on to theESM.
Connecting devices
To enable application and database monitoring, advanced rule- and risk-based correlation, and compliance reporting, connect both physical and virtual devices to McAfee ESM.
Add devices to the ESM console
After you set up and install the physical and virtual devices, add them to the ESM console.
Before you begin
Set up and install the devices.
These steps are only needed to add devices to an ESM in a complex ESM installation with multiple ESM devices. You don't need to perform this task with a simple ESM installation using a combination ESM.
Task
1 On the system navigation tree, click Local ESM or a group.
2 On the actions toolbar, click the Add Device icon.
3 Select the type of device you are adding, then click Next.
4 In the Device Name field, enter a name that is unique in this group, then click Next.
5 Provide the information requested:
• For McAfee ePO devices — Select a Receiver, type the credentials required to log on to the web interface, then click Next. To use for communicating with the database, type the settings.
Select Require user authentication to limit access to those users who have the user name and password for the device.
• For all other devices — Type the target IP address or URL for the device.
6 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.
7 Enter a password for this device, then click Next.
The ESM tests device communication and reports on the status of the connection.
Confirm in ESM that all devices appear
In the ESM console, confirm that all various ESM devices appear before you begin detailed configuration of the devices.
For detailed information about performing these confirmation steps, see the McAfee Enterprise Security Manager Product Guide.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the McAfee ESM console, and find the System navigation pane to view the devices on the system.
2 Click Menu | Configuration to view the physical display.
3 Confirm that you can click the Add devices icon to see the devices that you installed in the racks and configured with their network settings.
Once the devices are added, you must key the device to enable communication and complete the installation. See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.
Key a device
You must key the device to establish a link between the device and the ESM.
Before you begin
Physically connect the device to your network.
Task
1 Log on to the ESM console using a browser. See Log on to the McAfee ESM console for details.
2 On the system navigation tree, click a device, then click the Properties icon.
3 Click Key Management | Key Device.
If the device has an established connection and can communicate with the ESM, the Key Device Wizardopens.
4 Type a new password for the device, then click Finish.
7 Upgrading McAfee ESM software
Upgrading the software on your ESM devices provides, for example, new and upgraded features, interface changes, or support for additional browsers and browser versions.
To prepare your systems for the upgrade, download the files for the components, then upgrade them in the order described.
Contents
What you have and what you need
Preparing to upgrade
Special upgrade scenarios
Download the upgrade files
Upgrade the software on a device
Upgrade the system
Upgrade ESM, ESMREC, or ENMELM
Upgrade HA Receivers
Available VA vendors
What you have and what you need
List the current security software and hardware that you have on your network.
Complete the following network questionnaire before you begin upgrading your McAfee ESM devices and software.
McAfee Security Professional Services requires this same information to help you order and configure your existing network security.
Current network questionnaire

Which McAfee ESM devices do you have? Enter the quantity:
• Enterprise Security Manager (ESM) — ________
• Event Receiver (ERC) — ________
• Receiver and ELM Combination (ELMERC) — ________
• Enterprise Log Manager (ELM) — ________
• Enterprise Log Search (ELS) — ________
• Advanced Correlation Engine (ACE) — ________
• Direct Attached Storage (DAS) — ________
• Application Data Monitor (ADM) — ________
• Database Event Monitor (DEM) — ________
• Storage Area Network (SAN) card — ________

Do you have an All-in-One McAfee ESM? Yes / No

Will you need an ACE to integrate with your ESM? Yes / No

Is your McAfee ESM solution installed on a virtual machine (VM), physical devices, or a combination of both? Virtual Machine (VM) / Physical device / Combination of VM and devices

What are the model numbers of your ESM components? Enter the model number:
• ESM — _____________________________
• ELM — _____________________________
• ERC — _____________________________
• ACE — _____________________________

Do you have a hierarchical architecture? Yes / No

In addition to port 22, can you open port 9092 between your ERCs and ESMs? Yes / No

In addition to port 22, can you open port 2181 between your ELSs and ESMs? Yes / No

Are you, or will you be, a Managed Security Service Provider (MSSP)? Yes / No

What is your current events per second (EPS) by device? Enter the count:
• ESM — ________ EPS count
• ERC — ________ EPS count
• ELM — ________ EPS count
• ERC — ________ EPS count
• ELS — ________ EPS count

What software version are you running on your ESM? You must be using McAfee ESM version 9.6 to upgrade to version 10.0.
Version — _______

What browsers are you using for your ESM console? Chrome version 48 or higher / Firefox version 42 or higher / Internet Explorer version 11 or higher
Preparing to upgrade
You must do several things before you can upgrade your ESM devices.
1 Make sure that the ESM database rebuild from a previous build (9.6.0 or later) is complete, and that you can schedule the outage window for this upgrade.
2 Complete a database backup of the ESM. Export or back up the following items to ensure ease of recovery if an upgrade renders a rule, event, or other content unusable:
Alarms: On the System Properties dialog box, click Alarms, highlight each alarm, then click Export and save the file.
Watchlists: On the System Properties dialog box, click Watchlists, highlight each watchlist, then click Export and save the file.
Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.
1 In the Rule Types pane, click a rule type.
2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.
3 Highlight the rules, click File | Export | Rules, then save them in XML format.
Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.
3 Make sure that the soft RAID subsystem is running with two active drives. Issue the cat /proc/mdstat command in one of these ways:
• On the ESM console, click System Properties | ESM Management | Terminal, then click Write and type the command.
• SSH into the ESM.
• Connect a monitor and keyboard to the device.
If the output looks like the following example, the RAID is functioning properly and you can proceed with the upgrade.
Personalities : [raid1]
md_d127 : active raid1 sda[0](W) sdb[1](W)
      488386496 blocks [2/2] [UU]
Unused devices: <none>
The [UU] code identifies active drives. If it shows [_U] or [U_], a drive is not part of the RAID. You must contact Technical Support before upgrading.
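The RAID check above, as an added example (not code from the McAfee guide): a shell function that reads /proc/mdstat (or a saved copy) and reports whether every array has all its members active before you proceed. The function name and the constructed sample mdstat text are this example's own.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: classify /proc/mdstat before the
# upgrade. Prints "healthy" when every array reports all members active (e.g.
# [2/2] [UU]), "degraded" when a member is missing (e.g. [2/1] [_U] or [U_]),
# or "no-array" when no md device is listed; exit status 0, 1 or 2 respectively.
raid_status() {
  awk '
    # array header line, e.g. "md_d127 : active raid1 sda[0](W) sdb[1](W)"
    /^md[0-9A-Za-z_]* *: / { arrays++ }
    # member line, e.g. "488386496 blocks [2/2] [UU]"; [configured/active]
    # must agree, and an underscore in the state map marks a missing drive
    /blocks/ {
      if (match($0, /\[[0-9]+\/[0-9]+\]/)) {
        split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
        if (n[1] != n[2]) degraded++
      }
      if ($0 ~ /\[[U_]*_[U_]*\]/) degraded++
    }
    END {
      if (arrays == 0) { print "no-array"; exit 2 }
      if (degraded > 0) { print "degraded"; exit 1 }
      print "healthy"
    }' "${1:-/proc/mdstat}"
}

# Constructed samples in the layout the guide shows (the real file puts the
# "blocks" line on its own indented line; the parser accepts either layout).
sample_healthy() {
  printf 'Personalities : [raid1]\nmd_d127 : active raid1 sda[0](W) sdb[1](W)\n      488386496 blocks [2/2] [UU]\n\nunused devices: <none>\n'
}
sample_degraded() {
  printf 'Personalities : [raid1]\nmd_d127 : active raid1 sdb[1](W)\n      488386496 blocks [2/1] [_U]\n\nunused devices: <none>\n'
}

# On the ESM itself run "raid_status" with no argument to read /proc/mdstat.
demo() {
  tmp=$(mktemp)
  sample_healthy > "$tmp"
  raid_status "$tmp"
  sample_degraded > "$tmp"
  raid_status "$tmp" || echo "contact Technical Support before upgrading"
  rm -f "$tmp"
}
demo
```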
Type of information / Details

Device types supported: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.0 devices. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Device removal: Before upgrading the ESM, Event Receiver, or ENMELM, remove all device models specified and virtual IP addresses for the specified Nitro IPS models. Otherwise, a message appears on the Login page and the message log states that this problem occurred, and that the upgrade failed. ESM also fails to upgrade and notations are placed in the device message log.
To remove a virtual IPS, select the device in the system navigation tree and click the Properties icon. Select Device Configuration | Virtual Devices, then select the existing virtual devices and click Remove. Click Write to write the settings to the IPS.
You must roll out the policy from the 9.6.0 ESM, Event Receiver, or ENMELM to the IPS device, otherwise the IPS remains in bypass mode and no traffic is inspected.

Save receiver settings: Make sure all Receiver settings are saved before updating from versions 9.x, to 9.6, then to 10. If you don't save the settings, a problem occurs that can cause issues on the receiver and other devices. Make sure all settings for every device are saved before updating to any version.

Rebuild time: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database:
• Set collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.
• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.

Upgrade paths:
• You can upgrade to 10.0.0 directly from 9.6.0 or later.
• You must upgrade versions before 9.6.0 following this path: 8.2.x > 8.3.x > 8.4.2 > 8.5.6 > 9.0.2 > 9.2.1 > 9.4.2 or later > 9.6.0 or later > 10.0

Upgrade Receiver-HA devices: To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.
Make sure all device settings are saved before updating to any version.
Back up ESM settings and system data
Back up and save the ESM configuration files before you start any software upgrades.
When you add an ESM device, Backup & Restore is enabled to back up every seven days. You can disable it or change the default settings. See KB article, Backup process for McAfee [ESM] devices for details.
We recommend you make a Full Backup of all devices before you start an upgrade. A full backup contains:
• Settings for the ESM, ERC, DEM, ADM, and ACE devices.
ELM full backups only include configuration settings. The database settings must be backed up separately or you lose all database connections to your local shares, remote shares, and SANs.
• Stop CPService and then DBServer and create a copy of the contents of: /usr/local/ess/data/, /etc/NitroGuard, and other folders on a remote share.
If anything goes wrong during the upgrade, you can:
• Reinstall the software to the existing version.
• Reinstall the backup files.
• Try upgrading to the next version again.
Backups are only compatible with the current version of the ESM device. You can't install a backup of a previous version on an upgraded ESM device.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select System Properties, then click ESM Management | Maintenance | Backup.
2 Define the settings for the backup.
3 Click OK to close the Backup & Restore page.
Table 7-1 Option definitions
Option: Definition
Backup Frequency: When new ESM devices are added to the system, the Backup & Restore function is enabled to perform a backup every seven days. You can change the frequency or disable backup.
Backup Data For: Select what you want to include in the backup.
Backup Location: Select where you want the backup saved:
• ESM — It is saved on the ESM and accessed on the File Maintenance page.
• Remote Location — It is saved in the location you define in the fields that become active. If you are saving a copy of the ESM and all system data manually, you must select this option.
When you back up to a CIFS share, use a slash (/) in the remote path field.
Backup Now: Manually back up ESM settings and events, flows, and logs (if selected). Click Close when the backup is completed successfully.
Full Backup Now: Manually save a copy of the device settings and the system data. This can't be saved to the ESM, so you must select Remote Location in the Backup Location field and enter the location information.
We highly recommend you make a full backup before any major version update to avoid data loss.
Using the Common Internet File System (CIFS) share type with Samba server versions greater than 3.2 can result in data loss.
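For the manual full copy described above (stop CPService and then DBServer, then copy /usr/local/ess/data and /etc/NitroGuard to a remote share), an operator wants proof before the upgrade that the copy is intact and belongs to the running version. The shell functions below are an added example, not part of the McAfee guide or product: backup_bundle packs the named directories into a tarball with a SHA-256 checksum and a VERSION stamp, and backup_verify checks both, refusing a bundle taken on another version in line with the compatibility note above. The service stop and start commands are deliberately left to the operator; the function names, the destination path and the version string are assumptions, and the directories are passed as arguments so the functions can be exercised on constructed data.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: bundle the directories the guide
# names into a checksummed, version-stamped tarball and verify it before an
# upgrade. Assumptions: the caller has already stopped CPService and then
# DBServer, the ESM version string is passed in, and directory paths contain
# no whitespace.

# backup_bundle VERSION DEST_DIR SRC_DIR...
# Creates DEST_DIR/esm-backup-<VERSION>.tgz, a matching .sha256 file and a
# VERSION stamp; prints the tarball path. Returns non-zero on any failure.
backup_bundle() {
    ver=$1; dest=$2; shift 2
    [ -d "$dest" ] || { echo "destination $dest does not exist" >&2; return 1; }
    name="esm-backup-$ver.tgz"
    # Archive relative to / so the paths restore to the same locations.
    rel=$(for d in "$@"; do printf '%s ' "${d#/}"; done)
    tar -czf "$dest/$name" -C / $rel || return 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$ver" > "$dest/VERSION"
    printf '%s\n' "$dest/$name"
}

# backup_verify DEST_DIR RUNNING_VERSION
# Succeeds only if the stamp equals the running version (a backup is only
# compatible with the version it was taken from) and the checksum matches.
backup_verify() {
    dest=$1; expect=$2
    [ -f "$dest/VERSION" ] || { echo "no VERSION stamp in $dest"; return 1; }
    ver=$(cat "$dest/VERSION")
    if [ "$ver" != "$expect" ]; then
        echo "backup was taken on $ver but this system runs $expect"
        return 1
    fi
    if ! ( cd "$dest" && sha256sum -c "esm-backup-$ver.tgz.sha256" >/dev/null 2>&1 ); then
        echo "checksum mismatch for esm-backup-$ver.tgz"
        return 1
    fi
    echo "backup $ver verified"
}
```

On the appliance the call would be `backup_bundle <running version> /mnt/remote-share /usr/local/ess/data /etc/NitroGuard` with the services stopped, followed by `backup_verify /mnt/remote-share <running version>` before the update file is uploaded; the verify step is what turns the copy into something you can actually roll back to.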
Check ERC high availability status
Determine the status of a high availability (HA) ERC pair before performing an upgrade.
Before you begin
You must have Administrator privileges to complete this task.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.
2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.
3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:
OK
hostname=McAfee1 mode=primary McAfee1=online McAfee2=online sharedIP=McAfee1 stonith=McAfee2 corosync=running hi_bit=no
4 Verify the following in the status:
• The first line of the response is OK.
• Host name is the same as the host name on the command line minus the ERC model number.
• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.
• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.
• corosync= shows the running status of corosync, which should be running.
• hi_bit is no on one ERC and yes on the other ERC.
Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before upgrading to correct this misconfigured setting.
5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.
6 Verify the following in the data that is generated:
• The MAC addresses on eth0 and eth1 are unique on both ERCs.
• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.
If both HA ERCs are set to the same value, call Technical Support before upgrading to correct this misconfigured setting.
This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be upgraded.
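The checklist in steps 3 through 6 can be scripted so the two ERCs are compared rather than eyeballed. The following shell functions are an added example, not part of the McAfee guide or product: ha_status_check validates one ha_status output against the rules above (first line OK, mode agrees with sharedIP, every node entry online, corosync running), ha_pair_check additionally confirms that hi_bit differs between the two ERCs, and mac_unique_check flags duplicate MAC addresses in a host/interface/MAC list of the kind you would gather from ifconfig on both ERCs. The sample outputs are constructed from the format shown above, and the field layout they rely on (every token that is not a named field is a <hostname>=<state> node entry) is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: script the Receiver-HA spot check.
# Sample ha_status outputs, constructed from the format shown in the guide.
# Assumption: every token that is not one of the named fields is a node
# entry of the form <hostname>=<online|offline>.
ERC1_STATUS='OK
hostname=McAfee1 mode=primary McAfee1=online McAfee2=online sharedIP=McAfee1 stonith=McAfee2 corosync=running hi_bit=no'

ERC2_STATUS='OK
hostname=McAfee2 mode=secondary McAfee1=online McAfee2=online sharedIP=McAfee1 stonith=McAfee1 corosync=running hi_bit=yes'

# A deliberately inconsistent output: sharedIP names this host, yet mode is
# secondary, the peer is offline and corosync is not running.
ERC_BAD_STATUS='OK
hostname=McAfee1 mode=secondary McAfee1=online McAfee2=offline sharedIP=McAfee1 stonith=McAfee2 corosync=stopped hi_bit=no'

# Constructed host/interface/MAC list, as gathered from ifconfig on both ERCs.
IFACE_SAMPLE='McAfee1 eth0 00:11:22:33:44:01
McAfee1 eth1 00:11:22:33:44:02
McAfee2 eth0 00:11:22:33:44:03
McAfee2 eth1 00:11:22:33:44:04'

# ha_field TEXT KEY: print the value of KEY from the second line of ha_status.
ha_field() {
    printf '%s\n' "$1" | awk -v key="$2" 'NR == 2 {
        for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == key) print kv[2] } }'
}

# ha_status_check TEXT: apply the guide's per-ERC rules to one output.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
ha_status_check() {
    printf '%s\n' "$1" | awk '
        NR == 1 { if ($0 != "OK") { print "first line is not OK: " $0; bad = 1 }; next }
        NR == 2 {
            n = split("hostname mode sharedIP stonith corosync hi_bit", kn, " ")
            for (j = 1; j <= n; j++) named[kn[j]] = 1
            for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
            host = v["hostname"]
            expect = (v["sharedIP"] == host) ? "primary" : "secondary"
            if (v["mode"] != expect) { print "mode is " v["mode"] " but sharedIP implies " expect; bad = 1 }
            nodes = 0
            for (k in v) if (!(k in named)) {
                nodes++
                if (v[k] != "online") { print k " is " v[k] ", not online"; bad = 1 }
            }
            if (nodes != 2) { print "expected 2 node entries, found " nodes; bad = 1 }
            if (v["corosync"] != "running") { print "corosync is " v["corosync"]; bad = 1 }
            if (v["hi_bit"] != "yes" && v["hi_bit"] != "no") { print "hi_bit has unexpected value"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# ha_pair_check TEXT1 TEXT2: check both ERCs, then require that hi_bit is set
# on exactly one of them, as the guide demands.
ha_pair_check() {
    rc=0
    ha_status_check "$1" || rc=1
    ha_status_check "$2" || rc=1
    b1=$(ha_field "$1" hi_bit)
    b2=$(ha_field "$2" hi_bit)
    if [ "$b1" = "$b2" ]; then
        echo "hi_bit is '$b1' on both ERCs; misconfigured, do not upgrade"
        rc=1
    fi
    return $rc
}

# mac_unique_check TEXT: lines of "host iface mac"; fail on any repeated MAC.
mac_unique_check() {
    dups=$(printf '%s\n' "$1" | awk '{ print tolower($3) }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate MAC address(es): $dups"
        return 1
    fi
    return 0
}
```

Capture ha_status from each ERC over SSH into two variables and pass them to ha_pair_check; a non-zero result maps onto the guide's instruction to call support before upgrading. The shared-IP placement on eth1 (step 6) still needs a manual look at the ifconfig output, since it depends on which node is currently primary.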
Special upgrade scenarios
In special situations, you must take additional steps before or after upgrading.
Situation: Action
Installing a new McAfee ESM model: Register your hardware in 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades. To get your permanent user name and password, email [email protected] the following information:
• McAfee grant number
• Account name
• Address
• Contact name
• Contact email address
Obtaining offline rule updates:
1 Go to Product Downloads, Free Security Trials & Tools.
2 In the upper right corner, click Download, enter your grant number, type the letters displayed, then click Submit. Go.
3 Select the user type/role, then select the software to download.
4 Read the license agreement, then click I Agree. The available update files appear by each ESM version.
5 Download the rules for the version of your ESM.
Resolving device communication issues: If you upgraded a McAfee device before upgrading the ESM or the ESM is in the middle of upgrading, this message might appear: The device needs to be upgraded to 10.0.0 before the operation can be performed. Verify that the ESM has the correct version.
1 On the ESM console, select the device in the system navigation tree, then click the Properties icon.
2 Click Connection, then click Status.
3 Retry the operation that resulted in the message.
Upgrading a redundant ESM: Upgrade the primary ESM first, then upgrade the redundant ESM.
1 On the primary ESM, select the ESM on the navigation tree and click the Properties icon.
2 Click Events, Flows & Logs and deselect Auto check interval.
3 After upgrading the redundant ESM, re-enable the collection of events, flows, and logs on the primary ESM.
McAfee ePO with Policy Auditor: If the McAfee ePO device is already on the ESM, you must refresh it.
1 If you are not on an all-in-one device, upgrade the Receiver where the McAfee ePO device is connected.
2 On the ESM console, click ePO Properties | Device Management, then click Refresh.
You can set up auto-retrieval on the Device Management tab.
3 Click Receiver Properties, then click the Vulnerability Assessment tab.
4 Click Write.
5 Repeat step 2 to get VA data on the ESM.
6 Log off the ESM console, then log back on.
Upgrading High Availability (HA) Receivers: Before you upgrade, set your preferred primary Receiver to No Preference, which allows you to use the Fail-Over option.
The upgrade process requires the user to upgrade the secondary Receiver, click Fail-Over, then upgrade the new secondary Receiver. In this way, a primary Receiver is collecting data throughout the process, ensuring minimal data loss. After you upgrade both Receivers, reapply your preferred primary Receiver.
Rebuilding the ELM management database: Indexing your ELM management database might require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete the indexing.
But, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.
To check the status of the rebuild, go to ELM Properties | ELM Information. If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.
If you have Receivers logging to the ELM and they are near maximum capacity, contact Technical Support.
Upgrading a redundant ELM: Upgrade the standby ELM first, then upgrade the active ELM.
Never power off a device during a rebuild.
The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy.
1 Upgrade the standby ELM.
2 Upgrade the active ELM.
3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy, then click Return to Service.
4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.
5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM resync is 100% complete. You might need to click Refresh several times.
Download the upgrade files
When the system is ready to upgrade, download the upgrade files to your local system.
Task
1 Go to the McAfee Product Downloads website and enter your customer grant number in the Download My Products field. Then, click Search.
2 Select the device you want to upgrade.
3 Select the correct link (MFE <device name> v10.0.0), read the McAfee license agreement, then click I Agree.
4 Download these files to your local system:
Device type: File name
McAfee Enterprise Security Manager (ESM or ETM): ESS_Update_10.0.0.signed.tgz
McAfee Enterprise Security Manager and Log Manager (ENMELM or ESMREC): ESSREC_Update_10.0.0.signed.tgz
McAfee Event Receiver (ERC or ELMERC): RECEIVER_Update_10.0.0.signed.tgz
McAfee Database Event Monitor (DEM): DBM_Update_10.0.0.signed.tgz
McAfee Advanced Correlation Engine (ACE): RECEIVER_Update_10.0.0.signed.tgz
McAfee Application Data Monitor (ADM): APM_Update_10.0.0.signed.tgz
McAfee Enterprise Log Manager (ELM): RECEIVER_Update_10.0.0.signed.tgz (ELM devices must be version 9.6 or later before upgrading to 10.0.0.)
McAfee Enterprise Log Search (ELS): RECEIVER_Update_10.0.0.signed.tgz
These files are now ready to be used to upgrade your ESM and devices.
Upgrade the software on a device
If the software on your device is out of date, upload a new version of the software from a file on the ESM or your local computer.
Before you begin
If you have had your system for more than 30 days, you must obtain and install your permanent credentials to access the updates.
If you must comply with Common Criteria and FIPS regulations, do not upgrade the ESM in this way. Call Technical Support to obtain a FIPS certified update.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select a device, then click the Properties icon.
2 Click Device Management | Update Device.
3 Select an update from the table or click Browse to locate the update software on your local system.
The device restarts with the updated software version.
Table 7-2 Option definitions
Option: Definition
File Name: Select one of the updates listed.
Browse: Browse to a file obtained from a McAfee security engineer or from the McAfee rules and updates server.
OK: If you are updating a device using the device management Update Device option, this starts the update process. If you are updating multiple devices using the Multi-Device Management option, this returns you to the Multi-Device Management page.
Upgrade the system
Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.
Before you begin
• Review Preparing to upgrade and Special upgrade situations.
• Make sure that your system is running version 9.6 or later.
• If you recently upgraded to 9.6, verify that the database rebuild is complete.
When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.
Task
1 Depending on your FIPS mode, upgrade all devices in the following order.
For details about upgrading the ESM and devices, see Upgrade ESM, ESMREC, or ENMELM and Upgrade devices.
Mode: Order
Non-FIPS:
1 Upgrade the ESM first, then the ESMREC or ENMELM.
2 Wait for the database to build.
3 Upgrade the ELM or ELMERC.
4 Upgrade the Event Receiver, ACE, DEM, and ADM.
This process is different if you are upgrading a redundant ESM.
FIPS:
1 Upgrade the ELM or ELMERC.
2 Upgrade the Event Receiver, ACE, DEM, and ADM.
3 Upgrade the ESM, ESMREC, or ENMELM. You can begin when all device upgrades start.
Failure to upgrade the devices before upgrading the ESM when in FIPS mode can affect ELM log collection.
2 Verify that you have communication with the devices.
3 Download the manual rules update to the ESM.
4 Apply the updated rules.
a On the system navigation tree, select the system, then click the Properties icon.
b On the System Information page, click Rules Update, then click Manual Update.
c Browse to the update file, click Upload, then click OK.
5 Follow this process to rewrite device settings for each device, so that all 10.0.0 settings are applied.
a On the ESM console, select the device in the system navigation tree, then click the Properties icon.
b Follow these steps for each device.
Device type: Process
Event Receiver or ESM/Event Receiver combo:
• For data sources: Click Data Sources | Write.
• For VA sources: Click Vulnerability Assessment | Write.
ACE:
• For risk correlation: Click Risk Correlation Management | Write.
• For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.
• For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.
DEM or ADM:
• For virtual devices (ADM): Click Virtual Devices | Write.
• For database servers: Click Database Servers | Write.
6 Roll out the policy to all upgraded devices.
7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.
8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).
Upgrade ESM, ESMREC, or ENMELM
When your system is ready, upgrade your ESM, ESMREC, or ENMELM.
Before you begin
• Complete the steps in the Instructions for upgrading section.
• Verify that all devices attached to the ESM are supported.
Task
1 On the ESM console, select the ESM device, then click the Properties icon.
2 Select ESM Management, then click Update ESM.
3 On the Select Software Update File page, browse to one of these files.
Device type: File
Standalone McAfee Enterprise Security Manager (ESM): ESS_Update_10.0.0.signed.tgz
McAfee Enterprise Security Manager with a built-in Receiver (ESMREC): ESSREC_Update_10.0.0.signed.tgz
McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box: ESSREC_Update_10.0.0.signed.tgz
4 Select the file, then click Upload.
You are informed that the ESM restarts and there is a loss of connection for all users.
5 Click Yes to continue, and when prompted to close the browser, click OK.
The upgrade begins, and can take several hours.
6 When the upgrade is complete, log back on to the console through a new browser session.
Upgrade HA Receivers
The Receiver-HA upgrade process upgrades both Receivers sequentially, starting with the secondary Receiver.
Before you begin
Before starting the upgrade process, complete the Check Receiver high availability status process to make sure that the Receiver-HA devices are ready to be upgraded. Failure to do so can result in problems with the device upgrade and downtime.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select the Receiver-HA device, then click the Properties icon.
2 Upgrade the secondary Receiver:
a Click Receiver Management, then select Secondary.
b Click Update Device, then select or browse to the file you want to use and click OK.
The Receiver restarts and the version of software is updated.
c On Receiver Properties, click High Availability | Return to Service.
d Select the secondary Receiver, then click OK.
3 Change the secondary Receiver to primary by clicking High Availability | Fail-Over.
4 Upgrade the new secondary Receiver by repeating step 2.
Available VA vendors
The ESM can integrate with these VA vendors.
VA vendor: Version
Digital Defense Frontline: 5.1.1.4
eEye REM (REM events server): 3.7.9.1721
eEye Retina: 5.13.0, Audits: 2400. The eEye Retina VA source is like the Nessus data source. You can use scp, ftp, nfs, or cifs to grab the .rtd files. You must manually copy the .rtd files to an scp, ftp, or nfs share to pull them. The .rtd files are normally located in the Retina Scans directory.
McAfee Vulnerability Manager: 6.8, 7.0
Critical Watch FusionVM: 4-2011.6.1.48
LanGuard: 10.2
Lumension: Supports PatchLink Security Management Console 6.4.5 and later
nCircle: 6.8.1.6
Nessus: Supports Tenable Nessus versions 3.2.1.1 and 4.2 and file formats NBE, .nessus (XMLv2), and .nessus (XMLv1); also, OpenNessus 3.2.1 XML format
NGS
OpenVAS: 3.0, 4.0
Qualys
Rapid7 Nexpose — Recommended VA partner vendor
Rapid7 Metasploit Pro — Recommended VA partner vendor: 4.1.4-Update 1, file format XML. You can deduce the severity of a Metasploit exploit that starts with the name Nexpose by adding a Rapid7 VA source to the same Receiver. If it can't be deduced, the default severity is 100.
Saint
GFI Languard
NGS SQuirrel
iScan Online?
Tripwire/nCircle IPS360?
A Alternative installation scenarios
Use this information to configure specific adapters and other important information.
Contents
Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
Install DAS
Common Criteria evaluated configuration
Regulatory notices
Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
The qLogic QLE2460 is a single, Fibre Channel PCIe x4 adapter, rated at a transfer rate of 4 GB. The QLE2562 is a single, Fibre Channel PCIe x8 adapter, rated at 8 GB. They can connect directly to the SAN device or through a SAN switch.
Before you begin
• Make sure that the SAN device or SAN switch you are attaching to auto-negotiates.
• Make sure that the SAN administrator allocates and creates space on the SAN and assigns it to the channel where the qLogic adapter is attached. Use the World Wide Port Name (WWPN) for the adapter. The WWPN is on the adapter's card, anti-static bag, and box.
Task
1 Turn off the device where you are installing the SAN adapter.
2 Insert the adapter, then place the device back on the rack and connect the cables.
For a 3U device, insert the adapter in the slot closest to the protective memory cover.
The adapter BIOS boot message informs you that the adapter is installed and functioning. If you do not see this message or if the card does not have red, yellow, or green lights, the card is not recognized. If so, make sure that the card is seated correctly or insert it into a different PCI slot.
3 Start the device.
The operating environment detects it and loads the QLAXXX driver. The Mounting Storage Facilities message displays OK and continues.
4 Using the ESM console, key the device.
When the device is keyed, the Properties page includes the SAN Volumes option.
Install DAS
The direct attached storage (DAS) adapter is an add-on device to a 4xxx/5xxx/6xxx series ESM or ELM.
The DAS unit ships with a chassis and an LSI 9280-8e RAID card for:
• ETM-5205
• ETM-5510
• ETM-5600
• ETM-5750
• ETM-6000
• ETM-X3
• ETM-X4
• ETM-X5
• ETM-X6
• ESMREC-5205
• ESMREC-5510
• ENMELM-4600
• ENMELM-5205
• ENMELM-5510
• ENMELM-5600
• ENMELM-6000
• ELM-4600
• ELM-5205
• ELM-5510
• ELM-5600
• ELM-5750
• ELM-6000
• ELS-<TBD>
You can add a DAS (50 TB or 100 TB), to provide additional storage. These instructions are the same for ESM, ELM, or ELS chassis.
Task
1 Turn off the device following a normal shutdown procedure.
2 Pull the device from the rack and open the top case. You might need to remove a small screw at the front or rear of the top case.
3 Depending on your chassis, install the DAS card in one of these slots.
• For 1U or 3U, install LSI 9280-4e RAID card in slot 4
• For 2U, install LSI 9280-4e RAID card in slot 1
4 Depending on your chassis, install the DAS cables into these slots:
• For ESM, ELM, or ELS, insert cables into slots 1 and 2 of the card.
• For DAS, insert cables into slots 1 and 3 of the card.
5 Install the LSI 9280-8e RAID card in slot 4 of the ESM.
• For devices with an orange face, if the Areca or 3Ware RAID card is in slot 4, move it to slot 6. If the McAfee ESM device has an Areca or 3Ware RAID card and also has an SSD card installed, install the LSI 9280-8e RAID card in slot 5.
• For devices with a black face, install the card in an open slot.
6 Insert power cables, then turn on the device.
7 Enter BIOS utility and look for the LSI 9280-8e RAID card BIOS utility.
8 Exit BIOS utility and verify DAS disk space with the command: df -h
On System Properties of the ESM console, the Hardware field on the System Information tab reflects the increased size of the hard drive labeled /data_hd.
Common Criteria evaluated configuration
The McAfee device needs to be installed, configured, and operated in a specific way to be in compliance with the Common Criteria evaluated configuration. Consider these requirements when you are setting up your system.
Type: Requirements
Physical and virtual machine: The McAfee device must be:
• Protected from unauthorized physical modification.
• Located in controlled access facilities, which prevent unauthorized physical access.
Intended usage: The McAfee device must:
• To be able to perform its functions, have access to all network traffic.
• Be managed to allow for address changes in the network traffic that the Target of Evaluation (TOE) monitors.
• Be scaled to the network traffic that it monitors.
Personnel:
• There must be one or more competent individuals assigned to manage the McAfee device and the security of the information it contains. Onsite assistance with installation and configuration and onsite training for the operation of the device is provided by McAfee engineers for each McAfee customer.
• The authorized administrators are not careless, willfully negligent, or hostile, and follow and abide by the instructions provided by the McAfee device documentation.
• Only authorized users can access the McAfee device.
• Those responsible for the McAfee device must ensure that all access credentials are protected by users in a manner that is consistent with IT security.
Other:
• Do not apply software updates to the McAfee device because it results in a configuration other than the Common Criteria-evaluated configuration. Contact Technical Support to obtain a certified update.
• Enabling the Login Security feature with a RADIUS server results in secure communication. The IT environment provides for secure transmission of data between the TOE and external entities and external sources. A RADIUS server provides external authentication services.
• Using the Smart Dashboard functionality of the Check Point firewall console is not part of the TOE.
• Using Snort Barnyard is not part of the TOE.
• Using the MEF Client is not part of the TOE.
• Using the Remedy Ticket System is not part of the TOE.
Regulatory notices
This regulatory information applies to the different platforms you might use.
Table A-1 SuperMicro-based platforms
The McAfee 1U and the McAfee 2U or 3U platforms carry the same ratings:
Electromagnetic emissions: FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B
Electromagnetic immunity: EN 55024/CISPR 24 (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11)
Safety: EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe)
Table A-2 DAS-based platforms (DAS-50, DAS-100)
Input voltage: 100/240 VAC
Input frequency: 50/60 Hz
Power supply: 1400 W X3
Power consumption: 472 W @ 120 VAC; 461 W @ 240 VAC
Amps (max): 9.4 A
Altitude (max): –45 to 9,500 feet
Temperature (max): 10° to 35° C (operating); –40° to 70° C (non-operating)
Altitude: –45 to 9,500 feet (operating); –45 to 25,000 feet (non-operating)
BTU: 1609 BTU/HR
Humidity: Operating 10% to 85% (non-condensing); non-operating 10% to 90%
Table A-3 Intel-based platform 1U
Parameter: Limits
Operating temperature: +10° C to +35° C with the maximum rate of change not to exceed 10° C per hour
Non-operating temperature: –40° C to +70° C
Non-operating humidity: 90%, non-condensing at 35° C
Acoustic noise: Sound Power: 7.0 BA in an idle state at typical office ambient temperature (23 ± 2 degrees C)
Shock, operating: Half sine, 2-g peak, 11 msec
Shock, unpackaged: Trapezoidal, 25 g, velocity change 136 inches/sec (≥ 40 lbs to > 80 lbs)
Shock, packaged: Non-palletized free fall in height 24 inches (≥ 40 lbs to > 80 lbs)
Vibration, unpackaged: 5 Hz to 500 Hz, 2.20 g RMS random
ESD: ±12 kV for air discharge and 8 kV for contact
System cooling requirement in BTU/Hr: 1660 BTU/hour
Table A-4 Intel-based platform 2U
Parameter: Limits
Temperature, operating:
• ASHRAE Class A2 — Continuous operation. 10°C to 35°C (50°F to 95°F) with the maximum rate of change not to exceed 10°C per hour.
• ASHRAE Class A3 — Includes operation up to 40°C for up to 900 hrs per year
• ASHRAE Class A4 — Includes operation up to 45°C for up to 90 hrs per year
Temperature, shipping: –40°C to 70°C (–40°F to 158°F)
Altitude (operating): Support operation up to 3050 m with ASHRAE class deratings
Humidity (shipping): 50% to 90%, non-condensing with a maximum wet bulb of 28°C (at temperatures from 25°C to 35°C)
Shock, operating: Half sine, 2 g, 11 mSec
Shock, unpackaged: Trapezoidal, 25 g, velocity change is based on packaged weight
Shock, packaged: Product weight ≥ 40 to < 80; non-palletized free fall height = 18 inches; palletized (single product) free fall height = NA
Vibration: 5 Hz to 500 Hz, 2.20 g RMS random
Vibration, packaged: 5 Hz to 500 Hz, 1.09 g RMS random
AC-DC voltage: 90 V to 132 V and 180 V to 264 V
AC-DC frequency: 47 Hz to 63 Hz
AC-DC source interrupt: No loss of data for power line drop-out of 12 mSec
Surge, non-operating and operating: Unidirectional
B Enabling FIPS mode
The Federal Information Processing Standard (FIPS) consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.
FIPS mode must be selected the first time you log on to the system and can't be changed later.
Select FIPS mode
The first time you log on to the system you are prompted to select whether you want the system to operate in FIPS mode. Once this selection is made, it can't be changed.
Task
For details about product features, usage, and best practices, click ? or Help.
1 The first time you log on to the ESM:
a In the Username field, type NGCP.
b In the Password field, type security.4u.
You are prompted to change your password.
2 Enter and confirm your new password.
3 On the Enable FIPS page, click Yes.
The Enable FIPS warning displays information requesting confirmation that you want this system to operate in FIPS mode permanently.
4 Click Yes to confirm your selection.
Index
A
about this guide 5
ACE, configure network interface 42
ADM, configure network interface 43
Amazon Web Services
    configure connections 40
    create the AWS 35
    install ESM 37
    installation overview 35
AWS, See Amazon Web Services
AXXVRAIL rails
    install 15
    remove chassis 19

B
back up
    ESM settings 53
browsers
    used during planning 49

C
cables, identify network 20
Common Criteria configuration 65
communication issue between device and ESM 55
connect device 19
connector type, identify 19
console
    add device 47
    initial log in 45
conventions and icons used in this guide 5

D
DAS, install 64
DEM, configure network interface 43
devices
    add device 47
    add to console 47
    connect 19, 26
    identify network ports 20
    inspect 14
    remove 51
    remove from rack 19
    rewrite settings 59
    set up 41
    software, update 58
    start 19, 26
    types supported 51
    update software 58
documentation
    audience for this guide 5
    product-specific, finding 6
    typographical conventions and icons 5
download upgrade files 57

E
ELM, configure network interface 42
EPS, See events per second
equipment type, identify 19
ERC
    simple and complex network scenarios 8
ERC-HA
    check status 54
error message when upgrading device 55
ESM
    back up settings 53
    configure network interface 41
    installing new 55
    redundant ESM 53
    upgrade 60
events per second
    determines ERC throughput 8
    per device 49

F
FIPS mode
    enable 45, 69
    select 69

H
hardware, minimum requirements 13

I
inspect packaging and device 14
install device
    identify location 13
    overview 10
    rack mount 15

K
key
    initial device configuration 48
    virtual machine 33
KVM
    deploy 31
    requirements 31

L
location for installation 13
log on to ESM console 45

M
Managed Security Service Provider, during planning 49
McAfee ServicePortal, accessing 6
minimum requirements for hardware and software 13
MSSP, See Managed Security Service Provider

N
network cables
    connect 20
    identify type 19
network cables, identify 20
network interface
    configure DEM and ADM 43
    configure ESM 41
network interface, configure
    ACE 42
    ELM 42
    Receiver 42
network ports, identify for each device 20
network time protocol, configure 45
NTP, See network time protocol

O
offline rule updates, obtain 55

P
packaging, inspect 14
password for ESM console 45
planning
    questionnaire 49
platforms, regulatory notices for 65
ports
    identify network for each device 20
    used during planning 49
ports, identify network for each device 20

Q
qLogic 2460 SAN adapter, install 63

R
rebuild time 51
Receiver-HA
    cabling 20
    upgrade 61
Receiver-HA, upgrade 51
Receiver, configure network interface 42
redundant ESM
    set up 53
    upgrade 55
regulatory notices for platforms 65
remove a device 51
rewrite device settings 59
rule updates, obtain offline 55

S
SAN adapter, install 63
Security Analyst
    in ESM scenarios 8
ServicePortal, finding product documentation 6
software
    minimum requirements 13
    update device 58
start device 19, 26
status
    ERC-HA 54
supported devices 51
syslog type, used during planning 49

T
technical support, finding product information 6
time to rebuild 51

U
uninterruptible power supply connection 26
update device software 58
upgrade
    download files 57
    ENMELM 60
    ESM 60
    ESMREC 60
    path 51
    prepare to 51
    Receiver-HA 51, 61
    redundant ESM 55
upgrade the system
    FIPS mode 59
UPS, See uninterruptible power supply
user name for ESM console 45
V
VA vendors available on ESM 61
virtual machine
    configure 32
    install 30
    key 33
    overview flowchart 27
    planning 49
    requirements 30
VM, See virtual machine