
Getting Started Guide, revision 3.0

McAfee

McAfee IntruShield IPS System
IntruShield Security Management System version 3.1

Network Protection: Industry-leading intrusion prevention solutions

COPYRIGHT

Copyright 2001-2006 McAfee, Inc. All Rights Reserved.

    No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. 
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. 
(C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary ([email protected]), (C) 2000. * Software copyrighted by Housemarque Oy, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

    Issued JANUARY 2007 / Getting Started Guide 700-1246-00 / 3.0 English

Contents

Preface  v
  Introducing the McAfee IntruShield IPS System  v

1 Intrusion Prevention and IntruShield  1
  What is an attack?  1
  What is an Intrusion Detection System (IDS)?  3
  What is an Intrusion Prevention System (IPS)?  4
  Detection and prevention with IntruShield  6

2 IntruShield System Basics  7
  IntruShield system components  7
  The IntruShield Security Management system  8
  IPS Update Server  11
  Modes of sensor deployment  12
  Manager Disaster Recovery (MDR)  17
  Entercept Integration  19

3 Basics of Using IntruShield  21
  Deciding where to deploy sensors and in what operating mode  21
  Setting up your sensors  22
  Establish sensor-to-Manager communication  23
  Viewing and working with data generated by IntruShield  24
  Configuring your deployment using the Manager  25
  Updating your signatures and software  26
  Tuning your deployment  27

4 Pre-Installation Considerations  28
  Pre-deployment questions  28

5 IntruShield Sensor Deployment Modes  33
  Flexible deployment options  33
  Deploying sensors in in-line mode  35
  Deploying sensors in tap mode  38
  SPAN port and hub monitoring  41
  High-Availability  43
  Interface groups  44

6 Working with IntruShield Resources  46
  IntruShield resources  46
  Relationship between sensors and resources in the Resource Tree  49

7 Administrative Domains  53
  What is an administrative domain?  53
  Admin domain hierarchy  55
  Alert and fault notification and forwarding  56

8 Working with Security Policies  58
  What are security policies?  58
  Policy application  58
  Pre-configured policies  62
  Configuring policies in IntruShield  64
  Exporting and importing policies  67
  Policy inheritance  67
  Response management  68
  Denial of Service (DoS) modes  72
  Countering SYN floods with SYN cookies  73
  Access control lists  74
  IP spoofing detection  75
  ARP spoofing detection  76
  Decrypting SSL for IPS inspection  76
  Vulnerability assessment  78

9 Managing Users in IntruShield  79
  User management in IntruShield  79
  Roles within IntruShield  80

10 Working with Alerts  83
  What are alerts?  83
  About the Incident Generator  89
  About Reports  90
  Alert and packet log archival  91

11 Deployment for Beginner, Intermediate, and Advanced Users  93
  Deployment flexibility  93
  Deployment scenario for beginners  93
  Deployment scenario for intermediate users  94
  Deployment scenario for advanced users  94

Index  96


Preface

This preface introduces the material covered in this guide.

    Introducing the McAfee IntruShield IPS System

    McAfee IntruShield delivers the most comprehensive, accurate, and scalable network IPS solution for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

    The IntruShield system combines real-time detection and prevention for the most comprehensive and effective network security system on the market.

What do you want to do?

  Learn more about McAfee IntruShield system components (on page 7)
  Learn how to get started
  Learn about the Home page and interaction with the IntruShield Manager interface

    Related documentation

    The following documents and on-line help are companions to this guide. Some documents are in PDF format, some printed, and others are integrated with the Manager user interface.


  • McAfee IntruShield IPS System 3.1 Getting Started Guide Introducing the McAfee IntruShield IPS System

Document: Quick Start Guides
  Type of information: System setup and installation overview
  Location: Printed, located in product boxes (INTR_<sensor model>_Quick_Guide.pdf)

Document: Getting Started Guide
  Type of information: Product overview; product concepts; deployment best practices
  Location: Adobe Acrobat format, located on the product CDs (INTR_Getting_Started_31.pdf)

Document: Sensor Product Guides
  Type of information: Sensor description; sensor setup; cabling the sensor
  Location: Adobe Acrobat format, located on the product CDs, one guide per sensor model (INTR_<sensor model>_Prod_Guide_31.pdf, e.g., INTR_I-1200_Prod_Guide_31.pdf)

Document: IntruShield Troubleshooting Guide
  Type of information: System troubleshooting
  Location: Adobe Acrobat format, located on the product CDs (INTR_Troubleshooting_31.pdf)

Document: Sensor Configuration Guide
  Type of information: System requirements; installing and initializing a sensor; upgrading or replacing a sensor; removing a sensor; Sensor Command Line Interface (CLI) reference
  Location: Adobe Acrobat format, located on the product CDs (INTR_Sensor_Config_31.pdf)

Document: Release Notes
  Type of information: System requirements; resolved issues; known issues; technical support; last-minute additions or changes to the product or documentation
  Location: Printed, located in the product box

    Conventions used in this guide

    This document uses the following typographical conventions:

Convention: Procedures are presented as a series of numbered steps.
  Example: 1. On the Configuration tab, click Backup.

Convention: Terms that identify elements, options, selections, and commands on the screen are shown in bold.
  Example: The Service Properties field on the tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
  Example: Select Sensors > Configuration > Add/Delete Sensor.

Convention: Characters that you must type exactly are shown in a typewriter font.
  Example: Type: setup and then press ENTER.

Convention: Keywords and values that you must type exactly as printed are shown in a typewriter font.
  Example: exit

Convention: Variable values are shown in italics.
  Example: set sensor name

Convention: Parameters that you must supply are shown enclosed in angle brackets.
  Example: set sensor ip

Caution: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions (such as loss of data), is denoted using this notation.

Warning: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.

Note: Notes that provide related, but non-critical, information are denoted using this notation.

    Contacting Technical Support

    If you have any questions, contact McAfee for assistance:

    On-line Contact McAfee Technical Support (http://mysupport.nai.com).

    Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday through Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at http://mysupport.nai.com/priority_contacts.asp.

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.

Chapter 1

Intrusion Prevention and IntruShield

In the early days of computers, information stored on a computer was very difficult to get to without physical access to the computer itself. In those days, you hired security guards to deter intruders, put a sturdy lock on the door, turned on the security alarm, and your data was safe and sound. Attacks on the data were expensive, usually physical, and required great planning and technical savvy.

Unfortunately, the many advances in technology changed all that. Back then, intrusions or attacks on computers were viewed as unlikely, even infeasible. These days a corporate network is prey even to pre-teens sitting in their bedrooms at home. The Internet is crawling with people from all walks of life who are continuously trying to test the security of various systems and networks. Some are simply seeking some sort of intellectual high, while others are fueled by more treacherous motives, such as revenge or stealing for profit.

It is now much more important to make sure all of the doors and windows to your network are locked, the alarm is turned on, and that your security system knows what to look for, because these days the question of intrusion is no longer if it will happen, but when.

    What is an attack?

    An attack is any unauthorized action taken with the intent of hindering, damaging, incapacitating, or breaching the security of a network. An attack typically prepares for or carries out threats to your critical assets.

    Some attempts to infiltrate a network are relatively harmless, but others can bring the network to a grinding halt and cripple a business. Individuals who intrude on or attack a system are known by a number of names, but are generally referred to as crackers, or more popularly, hackers. In this documentation set, these individuals are referred to as attackers.

Intrusion detection is the discovery of an attack or intrusion. Intrusion prevention is blocking an attack before it reaches its target. Attacks are actions performed by an attacker that threaten the security state of a protected entity in terms of confidentiality, integrity, authenticity, availability, authorization, and access policies. Attacks can be active, wherein the goal is to directly exploit some vulnerability in a system or software package. In contrast, passive attacks generally consist of monitoring or eavesdropping on traffic with the intention of viewing or capturing sensitive data. The result of a successful active attack is an intrusion: disruption of normal services, unauthorized access, and/or some form of tampering with the system.

    Intrusion detection can also identify security-related events in a system that may not be triggered by an attack, such as server malfunctions.


    When attackers attack

    When attackers attack a network, they abuse rules established by the network. The rules are broken in a way that makes the attack appear to be a normal transmission.

Active attacks can generally be divided into the following categories:

Exploits. An exploit is an attempt by an attacker to take advantage of hidden features or bugs in a system in order to gain unauthorized access. Examples include buffer overflows, directory traversal, and DNS cache poisoning.

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. In a DoS attack, the attacker attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The attacker does not always try to gain information, but may simply act as a vandal to prevent you from making use of your machine. Ping floods and Smurf attacks are examples of DoS attacks. DDoS attacks usually consist of DoS attacks orchestrated by attackers covertly controlling many, sometimes hundreds, of different machines.

Reconnaissance. This includes host sweeps, TCP or UDP port scans, e-mail reconnaissance, brute-force password guessing, and possibly indexing of public Web servers to find CGI holes or other system vulnerabilities that might later be exploited.

Policy violations. All activities for which the underlying traffic content may not be malicious by itself, but which are explicitly forbidden by the usage policies of the network as defined by a security policy. These can include protocol violations, wherein packets do not conform to network protocol standards (for example, they are incorrectly structured, have an invalid combination of flags set, or contain incorrect values). Examples include TCP packets with both their SYN and RST flags set, or an IP packet whose specified length doesn't match its actual length. A protocol violation can indicate a possible attack, but can also be triggered by buggy software or hardware.
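The protocol violations named above can be checked mechanically from the raw headers, which is what an inline sensor does for every packet. The following Python is an added example, not code from the IntruShield product or from this guide: it parses an IPv4 header and a TCP header with the standard library and flags the two cases the text lists, a segment with SYN and RST set together and an IP datagram whose Total Length field disagrees with the bytes actually captured. The SYN+FIN and null-flag checks are further illustrations of the same idea, not cases the guide mentions, and every sample packet is constructed inline.

```python
"""Protocol-violation checks on raw IPv4/TCP packets.

Added example, not code from the IntruShield product or this guide.
Parses the IPv4 and TCP headers with the standard library and flags
the two violations the text names (SYN and RST set together, and an
IP Total Length that disagrees with the bytes actually captured), plus
two closely related flag-combination checks. Sample packets are
constructed inline; checksums are left zero because they are not what
is being inspected here.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def _ip(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", total_length=None):
    """Build a minimal IPv4 + TCP packet (no options).

    total_length overrides the IPv4 Total Length field so a sample can
    deliberately misstate its own size.
    """
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    segment = tcp_hdr + payload
    length = total_length if total_length is not None else 20 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    return ip_hdr + segment


def check_packet(pkt):
    """Return the protocol violations found in one raw IPv4 packet (empty list if clean)."""
    violations = []
    if len(pkt) < 20:
        return ["ip: truncated header"]
    ver_ihl, _tos, total_length, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        violations.append(f"ip: version {version} is not 4")
    if ihl < 20:
        violations.append(f"ip: header length {ihl} below minimum 20")
    # The length field must agree with the bytes on the wire. (A production
    # check strips link-layer padding first, since short Ethernet frames are
    # padded to 60 bytes.)
    if total_length != len(pkt):
        violations.append(f"ip: total length field {total_length} != actual {len(pkt)}")
    if proto == 6 and len(pkt) >= ihl + 20:
        flags = pkt[ihl + 13]  # TCP flags byte sits 13 bytes into the TCP header
        # SYN opens a connection and RST aborts one; no real stack sends both.
        if flags & TCP_SYN and flags & TCP_RST:
            violations.append("tcp: SYN and RST both set")
        if flags & TCP_SYN and flags & TCP_FIN:
            violations.append("tcp: SYN and FIN both set")
        if flags == 0:
            violations.append("tcp: no flags set (null scan)")
    return violations


SAMPLE_PACKETS = {  # constructed for the demonstration
    "normal_syn": build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, TCP_SYN),
    "syn_rst": build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, TCP_SYN | TCP_RST),
    "bad_length": build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, TCP_ACK,
                                 b"GET / HTTP/1.0\r\n", total_length=40),
    "null_scan": build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 0),
}


def scan_samples(packets=SAMPLE_PACKETS):
    """Run check_packet over every sample and return {name: violations}."""
    return {name: check_packet(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:>11}: {found or 'clean'}")
```

The check is deliberately stateless: each packet is judged on its own headers, which is why the text can say a violation may be either an attack or a buggy stack. Deciding which requires correlating with other traffic from the same source, which a sensor does at the alert layer rather than in the per-packet check.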

Some attackers are looking for specific information or targeting a specific company. Others are simply seeking an easy target. Some are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to start the script they're playing with.

Regardless of their skill level, they all share a common strategy: use tools to search the entire Internet for a specific weakness, then exploit that weakness. Sooner or later they find someone vulnerable. Anyone can be a target in a search, at any time, from established companies with networks developed over decades to companies whose network has been up for two days. Sooner or later, you will be probed.

    Because networks are typically running 24 hours a day, attacks can occur at any time. Attacks often occur at night when domestic attackers who have day jobs, go to school, or do other things during the day that preclude attacking. Attacks can also occur during the day when it is evening in other parts of the world, such as Eastern Europe and Korea, which have become origins of numerous attacks.

    Detecting attacks

Early intrusion detection was performed strictly using pattern matching schemes. Most attackers implement techniques that are tried, true, and well known in the security community. Unless attackers write their own tools, they must rely on available, existing tools, each of which has limitations peculiar to its particular design. Thus, from the victim's point of view, all attacks using such tools will look basically the same. For example, seeing default.ida in the URL field of an HTTP packet along with a specific pattern in the URL argument name field implies a Code Red attack and thus fits a standard, or signature, attack pattern.

Pattern matching relies upon knowing all of the ways the rules can be broken, and works by comparing network traffic to a database of attack patterns, which are called signatures. Signature-based detection, also known as misuse detection or rule-based detection, attempts to capture the manifestation of attacks in signatures and, if configured to do so, apply specific countermeasures based on each signature. This is very effective for known attacks with well-known signatures.

However, this method of detection has two key weaknesses. First, it works only for known attacks. Attackers tend to be clever, and they continuously create new ways to hack a system, which quickly outdates the pattern-matching database. Second, pattern matching uses significant computing cycles to work effectively, and attackers can exploit this by overloading the system, which degrades the pattern matcher's visibility. Relying on signature detection alone leaves you unprotected against new or especially complex attacks.

Anomaly detection is another detection method, used to more effectively protect against unknown, or first-strike, attacks. Anomaly detection attempts to capture the long-term normal behavior of the protected system in profiles (specifications of the behavior of traffic over a short or long term), and sends an alarm when significant deviation from the normal behavior is discovered. Profiles are created using statistical measures or other behavior specifications that can be applied to multiple platforms and operating systems. Several learning disciplines make it possible to create and maintain profiles: statistical methods, neural networks, fuzzy logic, genetic algorithms, and so forth. Anomaly detection is particularly useful when confronted with distributed denial of service (DDoS) and slow-scan attacks, which can affect a system over an extended period of time.

Another special method of detection is denial of service (DoS) detection. A DoS attack disrupts service to a network or computer, and often occurs at the firewall or in the DMZ, particularly against DMZ Web and mail servers. There are two ways to detect DoS attacks. First, there is threshold-based detection, wherein the IDS monitors for traffic volumes exceeding a threshold pre-configured by a network administrator. (This method requires you to fully understand your typical traffic pattern in order to pick good threshold values; otherwise it can produce a lot of false alarms due to traffic fluctuations, such as flash crowds, e.g., everyone logging on to the network at 9 a.m., or other legitimate increases in traffic.) The second method is by learned behavior: learning long-term normal behavior and comparing it to short-term observed behavior. Combining the methods greatly improves the reliability of detection.
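The Python below is an added example, not IntruShield code, that puts the three methods from this section side by side on constructed data. The signature rule looks for the Code Red request described above; the guide only says "a specific pattern" in the URL argument, so the long run of N characters the regex requires is this example's assumption about that pattern. The threshold detector alerts on any second whose packet count exceeds a fixed, administrator-chosen value. The learned-behaviour detector profiles the first minute of traffic as a mean and standard deviation, then treats a second as anomalous when it sits several standard deviations above the mean and alerts only once that has persisted for a few consecutive seconds; the persistence requirement is one way to implement the short-term versus long-term comparison the text describes, not the product's method. In the sample series a three-second flash crowd trips the fixed threshold but not the learned detector, while a sustained flood trips both, which is the false-alarm trade-off the paragraph warns about.

```python
"""Signature, threshold, and learned-behaviour detection on sample data.

Added example, not code from the IntruShield product or this guide.
All inputs below are constructed for the demonstration.
"""
import re
import statistics

# (1) Signature detection. Code Red requested /default.ida with a long run
# of 'N' characters in the query string; the guide only says "a specific
# pattern", so the N-run is this example's assumption about that pattern.
CODE_RED_RE = re.compile(r"^GET\s+/default\.ida\?N{20,}", re.IGNORECASE)

SAMPLE_REQUESTS = [  # constructed HTTP request lines
    "GET /index.html HTTP/1.1",
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3 HTTP/1.0",
    "GET /default.ida HTTP/1.0",  # the file name alone is not the signature
]


def match_signatures(request_lines):
    """Return the indexes of request lines matching the Code Red signature."""
    return [i for i, line in enumerate(request_lines) if CODE_RED_RE.search(line)]


# (2) and (3) work on a per-second packet count series (constructed).
NORMAL = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96] * 6  # 60 s of quiet traffic
FLASH_CROWD = [240, 260, 250]                                 # 3 s legitimate burst
FLOOD = [5000] * 10                                            # 10 s packet flood
SAMPLE_PPS = NORMAL + [100, 99, 101, 100] + FLASH_CROWD + [101, 100, 98, 102, 100] + FLOOD


def threshold_alerts(pps_series, threshold):
    """Fixed threshold chosen by the administrator: alert on every second above it.

    Simple and immediate, but anything legitimate that exceeds the line (the
    flash crowd) is reported as well.
    """
    return [t for t, pps in enumerate(pps_series) if pps > threshold]


def learned_alerts(pps_series, train_seconds, sigma=3.0, persist=5):
    """Learn a long-term profile, then compare short-term behaviour against it.

    The profile is the mean and standard deviation of the first train_seconds
    samples. A second is anomalous when it sits more than `sigma` standard
    deviations above the mean; an alert is raised only once that condition
    has held for `persist` consecutive seconds, which filters short bursts at
    the cost of a few seconds of detection delay.
    """
    baseline = pps_series[:train_seconds]
    mu = statistics.fmean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    alerts, run = [], 0
    for t in range(train_seconds, len(pps_series)):
        run = run + 1 if (pps_series[t] - mu) / sd > sigma else 0
        if run >= persist:
            alerts.append(t)
    return alerts


def compare_methods(pps_series=SAMPLE_PPS, threshold=200, train_seconds=60):
    """Run both DoS detectors over the same series and return their alert seconds."""
    return {
        "threshold": threshold_alerts(pps_series, threshold),
        "learned": learned_alerts(pps_series, train_seconds),
    }


if __name__ == "__main__":
    print("signature hits:", match_signatures(SAMPLE_REQUESTS))
    for method, seconds in compare_methods().items():
        print(f"{method:>9}: {seconds}")
```

Seconds 64 to 66 are the flash crowd: the threshold detector reports them, the learned detector does not because the excursion ends before the persistence window fills. The flood starting at second 72 is caught by the threshold immediately and by the learned detector from second 76, after five anomalous seconds; lowering `persist` trades that delay for more false alarms, which is the tuning decision the text leaves to the administrator.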

    What is an Intrusion Detection System (IDS)?

    An Intrusion Detection System (IDS) is software or a hardware/software combination that attempts to detect and respond to attempted intrusions into a system or network. An IDS complements firewalls or anti-virus software by providing thorough network packet content inspection and protecting against attacks embedded within what a firewall might perceive as seemingly benign network traffic.

    There are several classifications of IDS.


  • McAfee IntruShield IPS System 3.1 Intrusion Prevention and IntruShieldGetting Started Guide What is an Intrusion Prevention System (IPS)?

    - Host- or Network-based. A host-based IDS is concerned with what is happening on each individual computer or host and is able to detect such things as repeated failed access attempts or changes to critical system files. A network-based IDS (NIDS) examines all of the packets flowing through your network. A NIDS is able to understand all of the details of many protocols, such as headers or protocol fields within a packet, and can thus detect maliciously crafted traffic content. There are various types of network-based IDS; these can take the form of software agents running at various points throughout the network, or hardware sensors placed at strategic locations to examine network traffic.

    - Signature, Anomaly, and Denial of Service detection. Another classification describes the types of misuse that an IDS detects. As described in the section Detecting attacks (on page 2), signature detection techniques systematically scan network traffic looking for signature patterns of known attacks, comparing these patterns against an extensive database of signatures. Anomaly detection determines a baseline of normal behavior of network traffic, and then attempts to detect intrusions by noting significant departures from normal behavior. Signature-based detection concentrates on known attack patterns, while anomaly detection is best at picking up new or unknown attacks. Denial of Service (DoS) attack detection characterizes normal traffic using pre-programmed thresholds or real-time, self-learning distributions, and then uses this data to detect what might constitute a maliciously excessive consumption of network bandwidth, host processing cycles, or other resources.

    - Passive, reactive, or preventive IDS. Passive intrusion detection systems sniff packets as they traverse your network. They can detect the potential security breach, log the information about the attack, and raise an alert. Reactive systems are designed to respond to the intrusion, for example by logging off a user or by reprogramming the firewall to disallow network traffic from a suspected hostile source. Both types of technology enable you to respond only after the attack has occurred. A preventive system sits in the path of your network traffic and thus is able to detect and drop hostile packets before they reach their target.

    What is an Intrusion Prevention System (IPS)?

    The IntruShield system is a network-based Intrusion Prevention System (IPS) that combines network sensor appliances and management software for the accurate detection and prevention of known attacks using signature detection, unknown (first strike) attacks using anomaly detection, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. The IntruShield IPS couples real-time IDS with prevention (the ability to block attacks before they reach their target) to offer the most powerful, comprehensive and effective network security system in the market.

    IntruShield offers multi-gigabit performance, flexible deployment, robust scalability, and easy-to-use intrusion detection and prevention.


    Comprehensive Intrusion Detection. IntruShield is the only comprehensive network-based IPS solution available. Only IntruShield encompasses all of today's applicable IPS technologies to allow customers to detect known (using signatures), new/unknown (using anomaly techniques) and Denial-of-Service (DoS) attacks (using hybrid algorithms employing statistical and heuristic methods). The combination of these techniques significantly increases the capability and accuracy of the IPS. The majority of current products are exclusively signature-based and have little to no anomaly or DoS detection capabilities. No product on the market has the breadth or depth of coverage of IntruShield. For example, IntruShield can inspect SSL traffic and HTTP response traffic. In addition, IntruShield also detects attacks with unprecedented accuracy thanks to:

    - Full protocol analysis and state tracking
    - Multi-trigger, multi-field pattern matching
    - Hardware acceleration to deliver wire-speed detection
    - IntruShield's ability to see all of the traffic in a variety of deployment modes, including active/active, active/passive, and asymmetrically-routed traffic environments.

    Intrusion Prevention. IntruShield can run in-line, so you can mediate the traffic flow and block malicious traffic before it reaches its target. Current IDS products operate in a monitoring-only mode (operating as a sniffer) and cannot effectively and reliably block the malicious traffic before the damage is done. In sniffing mode, you see the attack at the same time it hits the target. You can apply some countermeasures, like TCP resets and firewall rule reconfiguration, but these are reactive actions. When running in-line, IntruShield can proactively drop malicious packets and not pass them through the network, so they never reach their target. In addition to dropping malicious traffic, IntruShield provides packet scrubbing functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification, which can be used by hackers to evade IDS systems and other security devices.

    Flexible Deployment Options. Existing products were designed when shared media networks were common and are not easy to deploy in today's switched environments. Furthermore, the IntruShield product line allows customers to protect today's higher speed network segments ranging from 100Mbps up to multi-Gbps, whereas current products are primarily limited to sub-100Mbps environments. IntruShield provides wire-speed monitoring and analysis up to multi-Gbps network segments in three flexible modes of deployment, enabling you to easily integrate it into your network and adapt to any network or security changes that you may encounter in the future. Some IntruShield sensor models contain built-in 10/100Mbps Ethernet taps, thus making it extremely easy to switch between tap and in-line modes through software reconfiguration; no physical rewiring is required. The multi-port configuration of all IntruShield sensors empowers comprehensive network-wide IDS deployment with significantly fewer sensors.

    Virtual IPS. Most products enable you to implement a single security policy per sensor. IntruShield's Virtualization feature (called VIDS or VIPS) enables you to segment an IntruShield sensor into a large number of virtual sensors, each implementing a custom security policy, including individualized attack selection and associated response actions. This capability allows you to implement and enforce a heterogeneous set of security policies with a single sensor, better serving the differing security needs within an organization. It further reduces the number of sensors required for a network-wide IPS deployment, and it reduces the number of irrelevant alerts.


    High-Availability. Sensors support high-availability deployment, using stateful sensor failover between two hot-standby sensors. The sensors are interconnected, copy traffic between themselves, and maintain synchronization. If one sensor fails, the standby sensor automatically takes over and continues to monitor the traffic with no loss of session state or degradation of protection level. IntruShield also supports Manager disaster recovery. If, for any reason, the primary Manager goes off-line, its secondary can automatically take its place, processing alerts and managing sensor configuration.

    Scalable IPS Management. A scalable Web-based architecture allows customers to efficiently manage their IPS deployment while reducing operational costs. The configurable IntruShield real-time signature and software update mechanism automates the process of keeping the complete system current with little or no human intervention, thus reducing on-going operating costs.

    Detection and prevention with IntruShield

    Detection with the IntruShield IPS goes beyond the simple string matching used in many current IDS signature engines. IntruShield sensors analyze and validate the traffic down to its basic protocol elements and inspect specific protocol fields to improve accuracy, while maintaining full flow and application state. The sensors perform IP fragment reassembly and TCP stream reassembly, and perform thorough protocol analysis all the way up to the Application Layer. The signature engine searches a flow for multiple triggers (that is, sub-signatures) in multiple fields of a protocol using IntruShield's embedded signature files, to increase the precision with which an attack can be unambiguously detected.

    Once the packet is captured, it is analyzed into its corresponding protocol fields. The sensor analyzes a frame completely and thoroughly from Layers two through seven, and understands the semantics of the protocol fields even at the Application Layer. After it analyzes the protocols, it verifies that the packet conforms to the protocol specification. IntruShield then passes the parsed packet through its DoS, Signature, and Anomaly detection engines. This enables IntruShield to be very efficient in terms of packet processing because the packet is peeled only once and then fed to the corresponding detection engines. All these processes are hardware-accelerated to provide the required wire-speed performance.

    If the detection engines detect something, they pass an alert and corresponding data to the Management process that is running on the sensor. The Management process can then trigger the appropriate response, based on policy, and send alerts to the central IntruShield Manager platform. This response can include averting the attack entirely. If an IntruShield sensor is running in in-line mode on the network, you can enable blocking, which causes the sensor to drop the attack so that the attack never reaches its goal.


    CHAPTER 2

    IntruShield System Basics

    This section provides an overview of the system and its components.

    IntruShield system components

    The IntruShield system consists of the following major components:

    - IntruShield sensor appliances (on page 7)
    - the IntruShield Security Management System (on page 8), with its Web-based graphical user interface
    - the IntruShield Update Server (on page 11)

    IntruShield sensors

    IntruShield sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. IntruShield sensors are specifically designed to handle traffic at wire-speed, efficiently inspect and detect intrusions with a high degree of accuracy, and are flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, an IntruShield sensor provides real-time traffic monitoring to detect malicious activity and respond to the malicious activity as configured by the administrator.

    Once deployed and once communication is established, sensors are configured and managed via the central IntruShield Manager server, described in the section The IntruShield Security Management system (on page 8).

    Sensor functionality

    The primary function of an IntruShield sensor is to analyze traffic on selected network segments and to respond when an attack is detected. The sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to react with countermeasures if an attack is detected.

    If an attack is detected, the sensor raises an alert to describe the event, and responds according to its configured policy. Sensors can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, blocking traffic at firewalls, scrubbing malicious packets, and even dropping packets entirely before they reach their target.


    McAfee offers several types of sensor platforms providing different bandwidth and deployment strategies. These are the IntruShield 1200, 1400, 2600, 2700, 3000, 4000, and 4010 sensors.

    Each sensor is described in its own Sensor Product Guide.

    IntruShield Sensor Information

    Sensor | Aggregate Performance | 10/100 Base-T Monitoring Ports | GBIC / SFP GBIC Monitoring Ports | Internal Taps | Response Ports (10/100 Base-T) Used | Failover Port(s)
    I-1200 | 100Mbps | 2  | -  | Yes | 1 | Response port
    I-1400 | 200Mbps | 4  | -  | Yes | 1 | Response port
    I-2600 | 600Mbps | 6  | 2  | Yes | 3 | 4A
    I-2700 | 600Mbps | 6  | 2  | Yes | 3 | 4A
    I-3000 | 1Gbps   | -  | 12 | No  | 2 | HA1 and HA2 (6A and 6B)
    I-4000 | 2Gbps   | -  | 4  | No  | 2 | 2A and 2B
    I-4010 | 2Gbps   | -  | 12 | No  | 2 | HA1 and HA2 (6A and 6B)

    Other ports and features:

    - 4 Fail-open Control Ports (I-3000 and I-4010 only)
    - 1 10/100 Base-T Management Port
    - 1 Console Port and 1 Auxiliary Port
    - Redundant power supply (I-2700, I-3000, I-4000, I-4010)

    The IntruShield Security Management system

    The IntruShield Security Management (ISM) system consists of the hardware and software resources that are used to configure and manage your IntruShield deployment.

    There are three software versions of the ISM system:

    - McAfee IntruShield Global Manager: best suited for global IPS deployments of more than six sensors. The Global Manager is supported on Windows Server 2003 (Standard Edition).
    - McAfee IntruShield Manager: can support large or distributed deployments of up to six sensors. IntruShield Manager is supported on Windows Server 2003 (Standard Edition).
    - McAfee IntruShield Manager Starter: can support two sensors. IntruShield Manager Starter is supported on Windows Server 2003 (Standard Edition).

    Note: This document uses the term Manager to describe any of these versions.


    Functionally, the products are otherwise identical. The license file provided to you by McAfee determines which version of ISM you install.

    Manager components

    The IntruShield Manager is a term that represents the hardware and software resources that are used to configure and manage the IntruShield system. The Manager consists of the following components:

    - a hardware/OS server platform (Microsoft Windows Server 2003, Standard Edition).
    - the Manager software (on page 8).
    - a backend database (on page 10) to persist data (MySQL or Oracle9i).
    - a connection to the IntruShield Update Server (on page 11).

    The Manager server platform

    The IntruShield Manager server is a dedicated Windows Server 2003 system running the Manager software. You remotely access the Manager interface from a Windows XP system using an Internet Explorer browser session.

    IntruShield sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a sensor Management port directly to the Manager; however, this means you can only receive information from one sensor (typically, your server has only one 10/100 network port). McAfee recommends using a separate, dedicated management subnet to interconnect the sensors and the Manager to isolate and protect your management traffic. During sensor configuration, described in the Sensor Configuration Guide, you will establish communication between your sensor(s) and your Manager server.

    The IntruShield Manager Software

    The IntruShield Manager software has a Web-based user interface for configuring and managing the IntruShield system. IntruShield users connect to the Manager server from a Windows XP system using the Internet Explorer browser program. The Manager interface runs with Internet Explorer version 5.5 or later. The Manager functions are configured and managed through a GUI application, the Manager interface, which includes complementary interfaces for system status, system configuration, report generation, and fault management. All interfaces are logically parts of the Manager program.

    The Manager has five components:

    - Manager Home page. The Manager Home page is the first screen displayed after the user logs on to the system. The Manager Home page displays system health (i.e., whether all components of the system are functioning properly), the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s).

    - System Health. The System Health page displays the status of the Manager, database, and any deployed sensors, including all system faults.


    - Configuration page. The Configuration page provides all system configuration options, and facilitates the configuration of your sensors, failover pairs of sensors, administrative domains, users, roles, attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management, is based on the current user's role(s) and privileges.

    - Alert Manager. The Alert Manager page displays detected security events that violate your configured security policies. The Alert Manager provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.

    - Reports. Users can generate reports for the security events detected by the system and reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or emailed to specific individuals.

    Other key features of the Manager include:

    - The Incident Generator: The Incident Generator enables creation of attack incident conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Alert Manager tool.

    Note: For more detailed information on IntruShield Manager components, see the Manager Configuration Guide.

    - Integration with third-party products: IntruShield enables the use of multiple third-party products for analyzing faults, alerts, and generated packet logs.

    - Fault/Alert forwarding and viewing: You have the option to forward all fault management events and actions, as well as IPS alerts, to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Fault and/or alert forwarding can be sent in the following ways:
      - Syslog Server: forward IPS alerts and system faults
      - SNMP Server (NMS): forward IPS alerts and system faults
      - Java API: forward IPS alerts
      - Crystal Reports: view alert data from the database via email, email pager, or script

    - Packet log viewing: view logged packets/flows using third-party software, such as Ethereal.

    The Manager database

    The IntruShield Manager server operates with an RDBMS (relational database management system) for storing persistent configuration information and event data. The compatible databases are as follows:

    - MySQL: The IntruShield Manager for Windows (only) includes a MySQL database that can be installed (embedded) on the target Windows server during Manager software installation. Your MySQL database can be tuned on demand or on a set schedule via Manager interface configuration. Tuning promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer statistics, and checking and repairing tables.


      To graphically administer and view your MySQL database, you can download the MySQL Administrator at http://dev.mysql.com/downloads/administrator.

    - Oracle9i: You can use an Oracle9i database that is running on a remote Solaris server with IntruShield Global Manager only. McAfee recommends that you employ an Oracle DBA for all database-related maintenance and management. For recommendations on deploying an Oracle database for IntruShield, see the Oracle9i Deployment Guide, available on the product CD.

    IPS Update Server

    For your IntruShield IPS to properly detect and protect against malicious activity, the Manager and sensors must be frequently updated with the latest signatures and software patches available. Thus, the IntruShield team constantly researches and develops performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denial of service (DoS). When a severe-impact attack happens that cannot be detected with the current signatures, a new signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.

    New signatures and patches are made available to customers via the IntruShield Update Server. The IPS Update Server is a McAfee-owned and -operated file server that houses updated signature and software files for IntruShield Managers and sensors in customer installations. The IPS Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention.

    Note: Communication between the Manager and the Update Server is SSL-secured.

    You have the following options for obtaining updates from the IPS Update Server:

    Tip: To configure Update Server settings from the Manager interface, refer to the Manager Configuration Guide.

    1 Connecting directly from your Manager server (via Manager interface action).

    2 Connecting via proxy server (via Manager interface action). You will then authenticate as in option 1.

    3 Connecting from any Windows XP system via browser, downloading updates to that system, and then importing the update to the Manager. This method can provide your Manager server with the safest defense against Internet attacks since no Internet connection is used by your Manager server. The import feature is a Manager interface action.

    4 Connecting from any Windows XP system via browser, downloading software updates to a TFTP server, and then loading the updates directly onto the sensor using the sensor's command line interface (CLI). This is for sensor software updates only. Refer to the Sensor Configuration Guide.


    Configuring software and attack signature updates

    You configure interaction with the IPS Update Server using the Manager's Configuration page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as Available in the Manager interface for on-demand download. Once downloaded to the Manager, you can immediately download (via an encrypted connection) the update to deployed sensors or deploy the update based on a sensor update schedule you define. Acceptance of a download is at the discretion of the administrator.

    You have a total of five update options:

    - Automatic update to the Manager, manual update from the Manager to sensors. This option enables the Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the sensors.

    - Manual update to the Manager, automatic update from the Manager to sensors. This option enables the administrator to select updates manually, but once the update is selected, it is applied to the sensors automatically, without reboot.

    - Fully manual update. This option allows the security manager to determine per update which signature update to apply and when to push the update out to the sensor(s); in essence, the management system is completely customizable. You may wish to manually update the system when you make some configuration change, such as updating a policy or response.

    - Fully automatic update. This option enables every update to pass directly from the Update Server to the IntruShield Manager, and from the IntruShield Manager to the IntruShield sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.

    - Real-time update. This option is similar to fully automatic updating. However, rather than wait for a scheduled interval, the update is pushed directly from Update Server to Manager to sensor. No device needs to be rebooted; the sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the sensor.

    Modes of sensor deployment

    With today's complex network configurations, deploying sensors at all of the necessary points of protection in your network can become both very complex and very expensive. The IntruShield system makes deployment easy and cost-effective by requiring fewer sensors and offering several flexible modes of sensor deployment:

    - In-line mode (on page 13)
    - Tap mode (on page 13)
    - SPAN operating mode (on page 13)
    - Failover (high-availability) via in-line mode (on page 15)
    - Port clustering (interface groups) (on page 16)

    IntruShield sensors, by default, are configured to operate in in-line mode. The operating mode can be changed via the Manager interface.

    Each of these modes is described briefly below and in more detail in IntruShield Sensor Deployment Modes (on page 33).


    Note: Although the sensors are configured to run in-line by default, many new IntruShield users choose to operate in SPAN mode initially, and then move to tap or in-line mode later as they become more familiar with the product and are ready to tune their deployments.

    In-line mode

    In-line mode, illustrated in the following figure, places a sensor directly in the network traffic path, inspecting all traffic at wire-speed as it passes through the sensor. In-line mode enables you to run the sensor in a protection/prevention mode, where packet inspection is performed in real time and intrusive packets can be dealt with immediately; you can actively drop malicious packets because the sensor is physically in the path of all network traffic. This enables you to actually prevent an attack from reaching its target. You cannot prevent attacks from reaching their target in any other deployment mode.

    All IntruShield sensor ports are configured to run in-line by default; when a sensor comes online for the first time, it is in in-line mode. IntruShield sensors are also configured to block certain attacks by default. Thus an IntruShield system can begin blocking attacks right out-of-the-box.

    All IntruShield sensor models can be deployed in In-line Mode, and all offer the option of operating in fail-open or fail-closed mode when monitoring traffic in-line.

    Note: Fail-open and fail-close refer to whether or not the sensor will allow traffic to continue to pass in the event of port or sensor failure. For more information on these options, refer to Fail-open versus fail-closed (on page 37).

    Figure 1: In-line mode

    For more information about deploying sensors, see the section IntruShield Sensor Deployment Modes (on page 33).

    SPAN operating mode

    Most current IDS products are deployed in SPAN mode. An advantage of deploying sensors in SPAN mode is that it merely requires connecting the sensor and reconfiguring a setting on the switch; thus it is also the operating mode chosen by most beginning IntruShield users. Other modes of sensor deployment (in-line mode or tap mode) involve connecting the sensors within the flow of traffic, which requires brief network downtime. Thus most beginners prefer to get used to IntruShield while operating in SPAN mode, to tweak and tune their systems, and move to tap or in-line mode later.


    The Switch Port Analyzer (SPAN) port on a switch is designed specifically for security monitoring, so that an attached network analyzer (like a sensor or a sniffer) can receive a copy of every single packet that is sent from one host to another through the switch. The SPAN port forwards all incoming and outgoing traffic within the switch to a predetermined port where the sensor or a sniffer is connected. This is called port forwarding or port mirroring, and it allows an attached device to monitor all traffic of that switch.

    The downside of monitoring via a SPAN port is that it is very easy to saturate a SPAN port. A SPAN port really only operates in a half-duplex mode (transmit to the sensor only), so the maximum bandwidth the port can handle is 100Mbps (when using a Fast Ethernet port), and when you exceed the 100Mbps limit of the port, you are not copying all the packets seen on the switch. When all packets are not copied to the IDS, the IDS can report false alarms or miss real attacks. In addition, most switches only support one or two SPAN ports and there is a lot of competition for them (e.g., for RMON probes, sniffers, etc.).

    SPAN mode is also a sniffing mode, which, unlike in-line mode, does not enable you to prevent attacks from reaching their targets.

    Figure 2: SPAN Port Monitoring

    Tap mode

    Note: While the figure in SPAN operating mode (on page 13) demonstrates that you can issue response packets via the sensor's response ports, some switches allow response packets to be injected by an IPS back through the SPAN port.

    Tap mode, illustrated in the following figure, works through installation of an external fiber tap (for GBIC ports) or built-in internal taps (for 10/100 Monitoring ports). An IntruShield sensor deployed in tap mode monitors or sniffs the packet information as it traverses the full-duplex network segment.


    Full-duplex taps split a link into separate transmit and receive channels. IntruShield sensors provide multiple sensor ports, wired in pairs to accommodate full-duplex taps.

    The downside of tap mode is that, unlike in-line mode, you cannot prevent attacks. Like SPAN mode, tap mode is passive; the sensor essentially sees malicious traffic as it passes.

    Figure 3: Full-duplex Tap Mode

    Note: You cannot inject response packets back through an external tap, so IntruShield sensors offer Response ports through which a response packet (such as a TCP reset) can be injected to close a malicious connection. Sometimes the attacker can succeed in causing the intended damage when the attack packet reaches its intended victim host before the TCP reset closes the connection. Hence, in-line mode is more effective in preventing an attack.

    About taps

    A tap is a device that permits unimpeded traffic flow while simultaneously copying all the traffic from a full-duplex link and sending the information to a sensor for analysis. Taps are used to monitor full-duplex links, and they split the link into separate transmit and receive channels. To monitor the two channels that the tap produces, you use two monitoring interfaces on the sensor; one interface monitors the transmit channel, one monitors the receive channel. Neither monitoring interface transmits back to the tap.

    Note: You cannot inject response packets back through a tap; you must connect a sensor response port to another device, namely a switch or router, to respond to malicious packets.

    Taps are hardwired to the sensor. One sensor can monitor traffic from multiple taps without degradation or overloading up to the specified maximums.


    Failover (high-availability) via in-line mode

    Enterprises often deploy fully redundant networks to maintain high network availability. In a redundant network, also known as an active/passive or active/standby configuration, two identical machines are deployed; one is designated as the active machine that performs the task while the other(s) is in standby in case of the active machine's failure. If the active machine fails, it fails over to the standby machine. System redundancy ensures the network is always available even if the hardware fails.

    This reduces lapses in service to employees and customers that may lead to loss of productivity and revenue. IntruShield sensors are built to meet the needs of redundant networks. When running sensors in-line, the option is available to you to use one sensor as an active unit, with an identical sensor standing by, should the active sensor fail. Both sensors share full state, so that the information on the standby sensor is always current. Latency is very minimal; less, in fact, than many other devices providing failover, such as firewalls.

    For more information on deploying sensors for high availability, see the section High-Availability (on page 43).

    Port clustering (interface groups)

    Port clustering, referred to as Interface Groups in the IntruShield Manager interface, enables multiple ports on a single sensor to be grouped together for effective traffic monitoring, particularly useful for asymmetrically routed networks. You cluster ports when you want the traffic across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are common in load balancing and active/passive configurations, and a complete transmission may be received on one segment, but depart on another. Thus keeping state of asymmetric transmissions is essential for successfully monitoring the traffic. Interface groups normalize the impact of traffic flows split across multiple interfaces, thus maintaining state to avoid information loss.

    Once configured, an interface group appears in the Configuration page's Resource Tree as a single interface node (icon) under the sensor where the ports are located. All of the ports that make up the interface are configured as one logical entity, keeping the configuration consistent.


    When is clustering used?

    If a company has two different active paths to and from the Internet passing through two different sensor interfaces, for example, the traffic on each path will be analyzed independently. If a single communication flow is divided across paths, each interface will receive and analyze only part of the conversation and will therefore be susceptible to false positives and false negatives. When you create an interface group that contains both interfaces, you allow the sensor to receive and properly analyze the entire communication.

    Figure 4: Port Clustering
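    The effect described above, modelled as an added example in Python (this is illustrative code, not IntruShield's own): a simplified flow tracker that needs to have seen the whole TCP handshake before it can inspect a flow, run once with each interface analyzed on its own and once with both interfaces in a single analysis context, which is what an interface group provides. The interface names 1A and 2A, the addresses and the packets are constructed for the demonstration.

```python
"""Illustrative model of per-interface vs. interface-group flow analysis.

Added example, not IntruShield code. Interface names, addresses and the
packet sequence are constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    iface: str    # sensor monitoring interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # simplified TCP flags: "S", "SA", "A" (handshake) or "PA" (data)


Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation map together."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (ends[0], ends[1])


def analyze(packets: List[Packet], context_of: Dict[str, str]) -> Dict[str, Dict[FlowKey, str]]:
    """Classify each flow as seen from each analysis context.

    context_of maps an interface name to the context that analyzes it.
    Giving every interface its own context emulates independent ports;
    giving several interfaces one context emulates an interface group.
    A flow has "full-state" only when the whole three-way handshake was
    observed in that context; otherwise the engine works from "partial-state",
    which is where false positives and false negatives creep in.
    """
    seen: Dict[Tuple[str, FlowKey], set] = defaultdict(set)
    for p in packets:
        handshake_flags = seen[(context_of[p.iface], flow_key(p))]  # registers the flow
        if p.flags in ("S", "SA", "A"):
            handshake_flags.add(p.flags)
    result: Dict[str, Dict[FlowKey, str]] = defaultdict(dict)
    for (ctx, key), flags in seen.items():
        complete = {"S", "SA", "A"} <= flags
        result[ctx][key] = "full-state" if complete else "partial-state"
    return dict(result)


# Constructed endpoints (documentation address ranges).
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)
CLIENT2 = ("10.0.0.6", 40001)

# Asymmetric flow: the outbound path crosses interface 1A, the return path 2A.
ASYMMETRIC_FLOW = [
    Packet("1A", *CLIENT, *SERVER, "S"),
    Packet("2A", *SERVER, *CLIENT, "SA"),
    Packet("1A", *CLIENT, *SERVER, "A"),
    Packet("1A", *CLIENT, *SERVER, "PA"),   # request
    Packet("2A", *SERVER, *CLIENT, "PA"),   # response
]
# Symmetric flow: both directions cross interface 1A.
SYMMETRIC_FLOW = [
    Packet("1A", *CLIENT2, *SERVER, "S"),
    Packet("1A", *SERVER, *CLIENT2, "SA"),
    Packet("1A", *CLIENT2, *SERVER, "A"),
    Packet("1A", *CLIENT2, *SERVER, "PA"),
]
TRAFFIC = ASYMMETRIC_FLOW + SYMMETRIC_FLOW

PER_INTERFACE = {"1A": "1A", "2A": "2A"}               # each port analyzed alone
INTERFACE_GROUP = {"1A": "group-1", "2A": "group-1"}   # both ports in one group


if __name__ == "__main__":
    for mode, context_of in (("per-interface", PER_INTERFACE), ("interface-group", INTERFACE_GROUP)):
        print(mode)
        for ctx, flows in analyze(TRAFFIC, context_of).items():
            for key, state in flows.items():
                print(f"  {ctx}: {key[0]} <-> {key[1]}: {state}")
```

    Run stand-alone, the per-interface pass reports the asymmetric flow as partial-state on both 1A and 2A (1A sees only SYN and ACK, 2A only SYN-ACK), while the grouped pass reports it as full-state; the symmetric flow is full-state either way, which is why clustering matters only where paths diverge.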

    Manager Disaster Recovery (MDR)

    Sometimes the worst happens. In this age, where outages to IT systems can cost millions of dollars in lost revenue, lost productivity, and legal issues, every organization must face the near certainty of a system failure occurring at a future date. Anticipating these events and planning corrective courses of action is now a prerequisite to business success. Most organizations now employ some manner of business continuity planning (BCP), a subset of which is disaster recovery planning (DRP). To this end, IntruShield has long provided a sensor high-availability configuration; but what if the worst should happen to your Manager server? Most companies are not willing to rely on the manual method of Manager data archival, restoration of backups, and importing of exported policies to recover their Manager as part of their IPS DRP.

    Enter the MDR feature. With MDR, two Manager servers are deployed as part of the overall IntruShield system. One host is configured as the Primary system; the other as the Secondary. Each uses the same major release Manager software with mirrored databases; however, the two hosts' hardware configuration does not need to be identical. The Secondary Manager can be deployed anywhere, for example at a disaster recovery site, far from the Primary Manager.

    The Primary Manager is the active Manager by default; this Manager communicates with the IPS Update Server, pushes configuration data to the sensors, and receives alerts from the sensors.

    The Secondary Manager remains in a standby state by default. While in standby mode it monitors the health status of the Primary Manager and retrieves sensor configuration information from the Primary Manager at configured intervals of time.

    Note: The standby Manager receives no data from the sensors while in standby mode.

    The Secondary Manager is a warm standby system; it will not guarantee state synchronization with the Primary Manager. It does update configuration information at regular intervals (every 15 minutes), but it does not maintain state. (You can also manually update Secondary Manager configuration rather than waiting for the automatic update.)

    The sensor, for its part, maintains a connection with both Managers; however, only the active Manager can control sensors and receive alert data, and sensors can only be added to an active Manager. (A new sensor added to the active Manager in an MDR pair establishes trust first with the Primary Manager, and then attempts on its own to establish trust with the Secondary.)

    Figure 5: An MDR pair's communication with sensors. (Figure labels: Primary (Active) Manager; Secondary (Standby) Manager; sensors in the deployment; alert and packet log connections with data to the active Manager; alert and packet log connections without data to the standby Manager.)

    Switchover

    Switchover, or failover from the Primary to the Secondary, can be manual/voluntary or involuntary.

    Note: In a situation where you have planned manual downtime and the downtime is expected to be brief, McAfee recommends that you manually suspend MDR, preventing the Secondary Manager from taking over and becoming active. You can then resume MDR when the downtime period is over.

    The Secondary Manager performs regular health checks on the Primary Manager. If the Primary Manager is found to be unavailable during a health check by the Secondary Manager, the Secondary Manager waits for a configurable time interval. If the Primary Manager is still unavailable after that time period elapses, control then switches over to the Secondary Manager.

    Note: You can switch over the Secondary manually, as well.

    Once the Secondary Manager is active, the Primary moves to standby. The sensors are made aware of the switchover, communicate with the Secondary Manager, and the system continues to function without interruption.

    All in-flight transactions are lost upon failover from Primary to Secondary Manager. For instance, if the Primary Manager failed while a user was in the middle of a policy edit, the Secondary Manager will not be able to resume the policy edit.

    Note: The MDR feature, in fact, assumes that the Secondary Manager is a standby system, and that it will NOT assume control indefinitely. The Primary Manager should be diagnosed and repaired, and be brought back online.

    While the Secondary Manager is active, McAfee recommends against making any configuration modifications on the Secondary Manager, as these modifications could cause potential data synchronization problems when the Primary Manager is resurrected.

    Once the Primary Manager has recovered, you can switch control back to the Primary system. During this switch back, if you have made configuration changes on the Secondary, you have a choice whether to retain the configuration on the Primary or overwrite with changes made on the Secondary. Data is re-synchronized, the sensors return to communicating with the Primary, and the system is restored with the Primary Manager active and the Secondary Manager in standby mode.

    Note: You can easily dissolve the MDR relationship between the two Managers and return either Manager to stand-alone mode.

    For more information on MDR, see the Manager Configuration Guide.
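    The health-check, grace-interval, suspend and switch-back behaviour described in this section, as an added Python model (illustrative code, not McAfee's Manager implementation). The 30-second check interval, the 120-second grace interval, the outage timelines and every class and method name are assumptions made for the demonstration; the page states only that the wait after a failed check is configurable.

```python
"""Model of MDR health checks and switchover timing.

Added example, not McAfee Manager code. Check interval, grace interval,
timelines and all names here are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MdrPair:
    grace_seconds: int                         # configurable wait after a failed check
    active: str = "primary"                    # which Manager controls the sensors
    suspended: bool = False                    # MDR suspended for planned downtime
    primary_unreachable_since: Optional[int] = None
    secondary_changes: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def health_check(self, now: int, primary_up: bool) -> str:
        """One Secondary-side health check at time `now` (seconds); returns the active Manager."""
        if self.suspended or self.active != "primary":
            return self.active                 # no takeover while suspended or after failover
        if primary_up:
            self.primary_unreachable_since = None   # a transient outage resets the clock
        elif self.primary_unreachable_since is None:
            self.primary_unreachable_since = now
            self.log.append(f"{now}s: Primary unavailable, waiting {self.grace_seconds}s")
        elif now - self.primary_unreachable_since >= self.grace_seconds:
            self.active = "secondary"          # involuntary switchover; in-flight edits are lost
            self.log.append(f"{now}s: switchover, Secondary active")
        return self.active

    def suspend(self) -> None:
        """Planned, brief downtime: keep the Secondary from taking over."""
        self.suspended = True

    def resume(self) -> None:
        self.suspended = False
        self.primary_unreachable_since = None

    def manual_switchover(self, now: int) -> str:
        """Voluntary switchover to the Secondary."""
        self.active = "secondary"
        self.log.append(f"{now}s: manual switchover, Secondary active")
        return self.active

    def configure_on_secondary(self, change: str) -> None:
        """Record a configuration edit made while the Secondary is active (discouraged)."""
        if self.active == "secondary":
            self.secondary_changes.append(change)

    def switch_back(self, now: int, overwrite_primary_with_secondary: bool) -> List[str]:
        """Return control to the recovered Primary; returns the Secondary changes that survive."""
        retained = list(self.secondary_changes) if overwrite_primary_with_secondary else []
        self.active = "primary"
        self.primary_unreachable_since = None
        self.secondary_changes = []
        self.log.append(f"{now}s: switch back, Primary active, {len(retained)} Secondary change(s) kept")
        return retained


def run_checks(pair: MdrPair, timeline: List[Tuple[int, bool]]) -> List[str]:
    """Feed a (time, primary_up) timeline through the pair; returns the active Manager after each check."""
    return [pair.health_check(t, up) for t, up in timeline]


CHECK_EVERY = 30                                               # constructed check interval
# Constructed outage: the Primary is down from t=60 s until t=300 s.
TIMELINE = [(t, t < 60 or t >= 300) for t in range(0, 361, CHECK_EVERY)]
# Constructed blip: the Primary misses only the checks at t=60 s and t=90 s.
BLIP_TIMELINE = [(t, not 60 <= t < 120) for t in range(0, 361, CHECK_EVERY)]


if __name__ == "__main__":
    pair = MdrPair(grace_seconds=120)
    print(run_checks(pair, TIMELINE))
    pair.configure_on_secondary("policy edit on Secondary")
    print(pair.switch_back(now=400, overwrite_primary_with_secondary=False))
    print("\n".join(pair.log))
```

    With a 120-second grace interval the model stays on the Primary through the checks at 60, 90, 120 and 150 seconds and switches over at 180 seconds; a suspended pair never switches, and a two-check blip never reaches the grace interval. After switch-back, changes made on the Secondary are discarded unless you choose to overwrite the Primary with them, which is the choice the section above describes.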

    Entercept Integration

    McAfee Entercept is a host-based intrusion prevention system (HIPS). IntruShield can accept alerts forwarded by an Entercept Management Server, thereby centralizing management of both products.

    Within the IntruShield context, the Entercept Manager functions like an IntruShield sensor. That is, it forwards events to the Manager, which the Manager incorporates into its database. Entercept events can therefore be viewed and manipulated like any other IntruShield alert in the Alert Manager.

    Entercept provides a software development kit (SDK) for Java called the Entercept Integration Framework, for sending alert information to third-party products, in this case, IntruShield. The Manager formats Entercept alert information automatically for viewing in the Alert Manager and Reports.


    The Entercept Integration Framework, or Integrator, can be run as a service or standalone Java application on the Entercept Management Server system. If run as a service, no interface is presented for the Integrator after communication is established between Entercept and the Manager. The service runs as long as the Entercept Management Server system is up. If run as an application, a Java application window displays the up-time, number of alerts sent, and so forth. If the application window is closed, alerts are not sent until the application is restarted.

    Each time a new Entercept event occurs, the Manager passes the alert to the Integrator, which forwards selected information in real time or in batches.

    To configure Entercept integration, refer to Chapter 9: Sensors, Failover Pair, & Entercept Nodes of the Manager Configuration Guide.

    CHAPTER 3

    Basics of Using IntruShield

    This section provides a high-level overview of system usage.

    The tasks described in this chapter provide pointers to more detailed information in the other books of the McAfee IntruShield IPS System documentation set.

    Note: Most of your interaction with the IntruShield system is via the IntruShield Manager.

    The process of setting up and running an IntruShield system falls into these basic stages:

    1 Deciding where to deploy sensors and in what operating mode
    2 Setting up your sensors
    3 Installing the Manager software and establishing sensor-to-Manager communication
    4 Configuring your deployment using the Manager
    5 Updating your signatures and software
    6 Viewing and working with data generated by IntruShield
    7 Tuning your deployment

    Each of these stages consists of a number of tasks; some are simple, some are complex. You will generally perform steps 1 through 3 only once per sensor.

    Deciding where to deploy sensors and in what operating mode

    Where you deploy your sensors and which sensor model to use depends on your network topology, the amount of traffic on the network, and your security goals, which ideally are specified in your company's security policy.

    Determine where you will place the sensors. This is an individual decision your company will need to make. Questions to ask yourself in making this decision are covered at a high level in Pre-Installation Considerations (on page 28). Some things to consider are what assets you want to protect, the configuration of your network, the location of your aggregation points, the type of traffic, how the traffic is routed, and so on.

    Establish a naming convention for your sensors. The sensor name is used to identify the sensor in the Manager interface, in certain reports, and in the alert data generated by the sensor. McAfee recommends you establish a naming convention that is easy to interpret by anyone working with the IntruShield deployment. Once you name a sensor, you cannot rename it without de-installing and reinstalling it.

    Setting up your sensors

    The process of setting up a sensor is described below at a high level. You perform these tasks on the sensor.

    Note: For detailed instructions on these tasks, see the Sensor Configuration Guide.

    1 Position the sensor. Unpack the sensor and place it on a sturdy, level counter top. Attach the provided rack mounting ears to the sensor. Install the sensor in a rack. The I-1200, I-1400 and I-2600 are 1-RU boxes; the I-2700, I-3000, I-4000 and I-4010 are 2-RU boxes.

    2 Install any additional hardware. Install GBICs or SFP GBICs (not included) in the GBIC slots.

    GBIC slots per sensor model

    Sensor model   Number of slots
    I-2600         2
    I-2700         2
    I-3000         12 (SFP slots)
    I-4000         4
    I-4010         12 (SFP slots)

    Note: To ensure compatibility, McAfee supports only those GBIC or SFP GBIC modules purchased through McAfee or from a McAfee-approved vendor. For a list of approved vendors, see the on-line KnowledgeBase https://mysupport.nai.com.

    (Optional) If you have purchased a redundant power supply for the I-4000 or I-4010, install the power supply.

    Models supporting a redundant power supply

    Sensor model   Power supply
    I-1200         1 internal
    I-1400         1 internal
    I-2600         1 internal
    I-2700         1 included; 1 redundant available separately
    I-3000         1 included; 1 redundant available separately
    I-4000         1 included; 1 redundant available separately
    I-4010         1 included; 1 redundant available separately

    3 Cable the sensor for configuration. Attach network cables to the sensor as described in each sensor's Product Guide. You must cable the sensor Management and Console ports, respectively, to communicate with the Manager server and the console machine you will use to configure the sensor. You can cable the sensor Monitoring and Response ports at a later time.

    Power on the sensor to initialize it.

    Establish sensor-to-Manager communication

    The process of establishing communication between a sensor and the Manager is described below at a high level.

    1 Set up the Manager software on the server machine. Install the Manager software on the server machine. This process is described in detail in the Manager Installation Guide. Start the Manager software as described in the Manager Configuration Guide. You can establish communication with a sensor via the Manager server or from a browser on a client machine that can connect to the Manager server.

    McAfee recommends you connect to the Manager server via browser session from a separate client machine to perform your configuration tasks.

    You can choose a specific policy to apply by default to the Root Admin Domain (and thus all monitoring interfaces on the sensor). By default, the provided Default policy is applied to all of your sensor ports upon sensor addition.

    Note: For a description of admin domains, see Administrative Domains (on page 53). For a discussion of policies, see Working with Security Policies (on page 58).


    Whatever policy you've specified will apply until you make specific changes; the Default policy gets you up and running quickly. Most users tune their policies over time, in conjunction with VIPS, to best suit their environments and reduce the number of irrelevant alerts.

    Open the System Configuration tool and add the sensor, providing the sensor with a name and a shared secret key value. This process is described in detail in Chapter 8 of the Manager Configuration Guide.

    2 Configure the sensor. From a serial console connected physically or logically to the sensor, configure the sensor with network identification information (i.e., IP address, IP address of the Manager server, and so on), and configure it with the same case-sensitive name and shared secret key value you provided in the Manager.

    Note: For detailed instructions on configuring the sensor using the sensor CLI, see the Sensor Configuration Guide.

    3 Verify communication between the sensor and the Manager. Verify on the sensor CLI the health of the sensor and that the sensor has established communication with the Manager. Use the status command. Verify in the Manager interface that a node representing the sensor appears in the Resource Tree under the Sensors node. Viewing the Resource Tree is described in The Resource Tree (on page 47).

    4 Troubleshoot any problems you run into. If you run into any problems, check your configuration settings, and ensure that they're correct. For some troubleshooting tips, see the Troubleshooting chapter of the Sensor Configuration Guide.

    5 Verify the operating mode of the ports on your sensor. Your IntruShield sensor ports are configured by default for monitoring in in-line mode; that is, connected via a port pair on the sensor to a segment of your network. If you've cabled the sensor to monitor in in-line mode, check your settings to make sure everything is correct. Verifying port configuration is described in detail in Chapter 9: Sensors, Failover Pair, & Entercept Nodes of the Manager Configuration Guide.

    Viewing and working with data generated by IntruShield

    Once you've completed the steps in the previous sections, you're up and running. While actively monitoring network traffic, your sensor will generate alerts for traffic that is in violation of the set security policy.

    IntruShield displays a summary view of the count of alerts in the Manager Home page, organized by severity (High, Medium, Low, and Informational). IntruShield provides two tools for examining and viewing the alerts:

    The Alert Manager enables you to drill down to the details of an alert such as what triggered the alert, when, what sensor detected it, the source IP address of the attack that triggered the alert, the destination IP address of the attack, and so on. You use the Alert Manager to perform forensic analysis on the alert to help you tune the IntruShield system, provide better responses to attacks, and otherwise shore up your defenses.


    The Reports Main page provides you detailed reports based on your alerts, and reports on your IntruShield configuration. You can use these reports to communicate incidents to other members of your team and to your management.

    Note: Both tools are described in detail in the Manager Configuration Guide.

    Configuring your deployment using the Manager

    Once you're up and running and reviewing the data generated by the system, you can further configure and maintain your system. For example, you can do the following:

    Apply security policies to each interface of your multi-port IntruShield sensor (instead of applying one policy to all interfaces, as when you chose the default policy in Establish sensor-to-Manager communication (on page 22)). You can ensure all of your interfaces use policies specifically for the areas of your network they are monitoring. For example, you can apply the Web Server policy to one interface, a Mail Server policy to another, the Internal Segment policy to another, and so on. For more on the provided policies, see IntruShield policies (on page 58).

    Configure responses to alerts. Developing a system of actions, alerts, and logs based on impact severity is recommended for effective network security. For example, you can configure IntruShield to send a page or an email notification, execute a script, disconnect a TCP connection, send an ICMP Host Not Reachable message to the attack source for ICMP transmissions, or send address-blocking filters to a firewall. For more information on response actions, see Response management (on page 68). For information on configuring pager, email, or script notification, or configuring a firewall response, see Chapter 5: Administrative Domain Nodes of the Manager Configuration Guide.

    Filter alerts. An alert filter limits the number of alerts generated by the system by excluding certain Source and Destination IP address parameters. If these address parameters are detected in a packet, the packet is not analyzed further (and is automatically forwarded when in In-line Mode). For more information on alert filters, see Chapter 7: Policies Node of the Manager Configuration Guide.

    View the system's health. The System Health page details the functional status for all of your installed IntruShield system components. Messages are generated to detail system faults experienced by your IntruShield Manager, sensors, or database. For more information, see Chapter 13: System Health of the Manager Configuration Guide.

    View a port's performance. The Performance Statistics action enables you to view performance data for a port on a sensor. The data collected is a reflection of the traffic that has passed through the port. For more information, see Chapter 10: Sensors_Name Node of the Manager Configuration Guide.

    Back up all or part of your Manager configuration information to your server or other location. IntruShield provides three backup options:

    All Tables: all IntruShield data (configuration, audit, and alert).
    Config Tables: all information related to system configuration, such as port configuration, users, admin domains, policies for all IntruShield resources in all domains.
    Audit and Alert Tables: all information related to user activity and alerts.


    Note: The All Tables and Audit and Alert Tables options can be rather large in size, depending upon the amount of alert data in your database. McAfee recommends saving these types of backups to an alternate location. For information on how to back up your data, see Chapter 6: Manager Node of the Manager Configuration Guide.

    Updating your signatures and software

    An essential element to a reliable IPS is updating the system signature and software images. McAfee periodically releases new Manager software and sensor signature and software images, and makes these updates available via the IntruShield Update Server to registered support customers.

    Figure 6: Update Options

    Note: Manager software installation includes a default signature set image.

    There are several options for loading updates to your Manager and sensors.
