Installation Guide
McAfee Enterprise Security Manager 10.1.0
COPYRIGHT
© 2017 McAfee LLC
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, Foundstone, McAfee LiveSafe, McAfee QuickClean, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, TrustedSource, VirusScan are trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Preface
  About this guide
    Audience
    Conventions
  Find product documentation
1 Installation overview
  McAfee Enterprise Security Manager components
  Configuration scenarios
  McAfee ESM installation overview
2 Installing McAfee ESM devices
  ESM console hardware and software requirements
  Identifying a location for installation
  Hardware setup
    Inspect packaging and device
    Mount hardware in a rack
3 Mounting ESM software on a VM
  Mounting ESM VM image overview
  ESM VM system requirements
  Download the ESM VM image
  VMware ESXi VM ESM software mounting
    VMware ESXi VM requirements
    Mount the VMware ESXi virtual machine
  Linux KVM ESM installation
    Linux KVM requirements
    Deploy Linux KVM ESM software
  Configure the VM ESM software
    Configure the virtual machine
    Key the VM device
4 Installing ESM on AWS
  Using ESM with AWS
  Create the AWS
  Create an ESM image and install it on AWS
  Configure ESM AWS connections
5 Setting up McAfee ESM network connections
  Configure the ESM network interface
  Configure the ERC, ELM, ELS, or ACE network interface
  Configure the DEM or ADM network interface
6 Initial ESM logon and configuration
  Log on to the McAfee ESM console
  Connecting devices
    Add devices to the ESM console
  Confirm in ESM that all devices appear
  Key a device
7 Upgrading McAfee ESM software
  What you have and what you need
  Preparing to upgrade
    Back up ESM settings and system data
    Check ERC high availability status
  Special upgrade scenarios
  Download the upgrade files
  Upgrade the software on a device
  Upgrade the system
  Upgrade ESM, ESMREC, or ENMELM
  Upgrade HA Receivers
  Available VA vendors
A Alternative installation scenarios
  Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
  Install DAS
  Common Criteria evaluated configuration
  Regulatory notices
B Enabling FIPS mode
  Select FIPS mode
Index
Preface
This guide provides the information you need to work with your McAfee product.
Contents
• About this guide
• Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Italic Title of a book, chapter, or topic; a new term; emphasis
Bold Text that is emphasized
Monospace Commands and other text that the user types; a code sample; a displayed message
Narrow Bold Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue A link to a topic or to an external website
Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip: Best practice information
Caution: Important advice to protect your computer system, software installation, network, business, or data
Warning: Critical advice to prevent bodily harm when using a hardware product
Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
1 Installation overview
This document provides an overview of McAfee® Enterprise Security Manager (McAfee ESM) components and instructions on how to install and cable the hardware components. It also describes how to deploy the software on a virtual machine (VM) or upgrade the software on existing components, and how to configure the components initially on your network.
Contents
• McAfee Enterprise Security Manager components
• Configuration scenarios
• McAfee ESM installation overview
McAfee Enterprise Security Manager components
McAfee ESM and its components are installed in your network and configured to identify vulnerabilities and threats.
If a threat occurs, the ESM can:
• Notify you using the user interface, email, SNMP, or a text message.
• Save the history of the threat for analysis.
• Automatically act on the threat based on configured policy.
The McAfee ESM components include:
• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or Virtual Machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status and a view of the systems, data, risks, and activities inside your enterprise.
• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM devices.
• McAfee Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it collects, compresses, signs, and stores all events to provide a proven audit trail of activity.
• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches the events faster using its indexes.
• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.
• McAfee Advanced Correlation Editor (ACE) — Available as a hardware component or VM software installation that simplifies event correlation and startup to identify and score threat events in historical or real time, using both rule- and risk-based logic.
• McAfee Application Data Monitor (ADM) — A hardware component that monitors more than 500 known applications through the whole layer stack and captures full session detail of all violations.
• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.
• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.
In redundant solutions, one DAS device is required in each system. For example, two redundant ESMs and two redundant ELMs require four DAS devices.
• ESM Console — A computer with a browser that security administrators use to configure and manage the ESM.
You might use just one combination ESM, or many of these components, depending on your environment.
For detailed configuration information, see the McAfee Enterprise Security Manager Product Guide.
Configuration scenarios
You can configure McAfee ESM with just one combination ESM, or you can add components to identify threats in a large enterprise network.
Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.
VM installed ESM combination devices have limits to the number of components that you can add.
• ACE — Increases the events-per-second (EPS) capability, logs, network flows, and contextual information sent to the ESM.
• ADM — Listens to layer 7 traffic on the network to monitor applications that would normally be missed using logging only, and it tracks the application transaction details you can store.
• DEM — Increases the database transactions you can store, how you access those transactions, and discovers unknown databases on the network for added security.
• ERC — Additional ERCs increase the EPS throughput from your network segments and the connected data sources.
The EPS throughput for an ERC depends on the model.
• ELM — The ELM increases the raw logs you can compress and store. The ELM is the only device that stores the logs in compliant "Raw Format."
• ELS — The ELS, compared to the ELM, speeds searching event data using its index tags. But, it has a much lower compression ratio than the ELM and is not meant to meet compliance requirements.
• ESM — Adding a redundant ESM allows you to quickly switch to the standby ESM if the active ESM ever fails or needs maintenance.
Simple ESM scenario
This figure shows that one ESM device allows you to gain visibility to your network events.
Complex ESM scenario
This figure shows a large enterprise network that uses multiple ESM components to gain visibility into your network events. As the network grows and your events increase, you can add ESM components.
McAfee ESM installation overview
This flowchart provides an overview of the steps required to install the ESM solution.
2 Installing McAfee ESM devices
Installing your McAfee devices requires mounting them in the rack, cabling the devices, and powering them on. These installation instructions apply to all current models of McAfee ESM devices.
Contents
• ESM console hardware and software requirements
• Identifying a location for installation
• Hardware setup
ESM console hardware and software requirements
The system you use for the McAfee ESM console must meet these minimum hardware and software requirements.
• Processor — P4 class (not Celeron) or higher (Mobile/Xeon/Core2, Core i3/5/7) or AMD AM2 class or higher (Turion64/Athlon64/Opteron64, A4/6/8)
• RAM — 1.5 GB
• Windows operating system — Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 7, Windows 8, Windows 8.1, and Windows 10
• Browser — Internet Explorer 11 or later, Mozilla Firefox 42 or later, Google Chrome 48 or later
• Flash Player — Version 11.2.x.x or later
ESM features use pop-up windows when uploading or downloading files. Disable the pop-up blocker for the IP address or host name of your ESM.
Identifying a location for installation
You must analyze your existing network and identify the network and physical location for your devices. Proper location impacts the effective use of your devices.
When selecting a location for your devices:
• Install your ESM device in a network location where it can manage devices and be accessible by any systems needing to reach it. If direct communication is restricted between devices managed by the ESM and systems running ESM, configure your network to route network traffic between them.
• Install the ESM device in a secure location that is only accessible by network security personnel.
• Your Receiver must be accessible to the devices it monitors. If direct communication isn't possible, you must configure your network to allow proper routing of network traffic between them.
Hardware setup
These are the steps needed to physically install, connect, and power on your ESM devices.
Tasks
• Inspect packaging and device
  Before installing your equipment, make sure that there is no sign of damage or tampering.
Inspect packaging and device
Before installing your equipment, make sure that there is no sign of damage or tampering.
Task
1 When you receive your device, inspect the packaging and the device for signs of damage or tampering, including the tamper-evident packing tape that is securing the shipping container.
If there is any sign of damage, mishandling, or tampering, contact McAfee Support immediately for instructions, and do not install the product.
2 Verify that the package contains all items listed on the packing slip.
3 When performing a FIPS installation, find the tamper-evident seal in the shipping container's accessories package. Apply the seal so it completely blocks the USB ports, preventing their use without leaving evidence of tampering.
Figure 2-1 USB tamper seal
Contact Technical Support immediately if not fully satisfied with the inspection.
Mount hardware in a rack
Mount your ESM devices in a rack to protect them and their cabling from damage or from being disconnected.
Tasks
• Install AXXVRAIL rail set
  An AXXVRAIL rail set is shipped with each device so you can install it in a rack.
• Remove the chassis
  You can remove the chassis from the rails to replace or move the device.
• Connect to network and start the devices
  After installing the devices, make the network connections and power on the devices.
Install AXXVRAIL rail set
An AXXVRAIL rail set is shipped with each device so you can install it in a rack.
The default rail set we ship is designed to work in most racking systems. If that rail system does not work, you might need to buy a rail system designed for your server cabinet.
Task
1 Install rails in the rack.
a Pull the release button (F) to remove the inner member (D) from the slides.
Components
A - front bracket
B - outer member
C - rear bracket
D - inner member
E - safety locking pin
F - release button
b Align the brackets to a vertical position on the rack, then insert the fasteners.
c Move the ball retainer to the front of the slides.
2 Install the chassis.
a Align the inner member key holes to standoffs on the chassis.
b Move the inner member in the direction shown in the following picture.
c Install the chassis to the fixed slides by pulling the release button in the inner member to release the lock and allow the chassis to close.
Remove the chassis
You can remove the chassis from the rails to replace or move the device.
Task
1 Fully extend the slides until the slides are in a locked position.
2 Pull the release button to release the lock and disconnect the inner member from the slides.
3 Press the safety locking pin to release the inner member from the chassis.
Connect to network and start the devices
After installing the devices, make the network connections and power on the devices.
Tasks
• Connector and equipment types
  You can connect your ESM devices to the network using standard Ethernet copper cables.
• Connect power and start devices
  Connecting the power and startup process is similar for all ESM hardware components.
Connector and equipment types
You can connect your ESM devices to the network using standard Ethernet copper cables.
Connect your ESM, Receiver, ADM, and DEM devices to the network using copper connectors. The CAT5 copper cables have RJ-45 connectors. Use CAT5 or higher for your copper connections. For gigabit connections, use CAT5e.
The ADM and DEM require a network Switch Port Analyzer (SPAN) or Test Access Point (TAP) connection to listen to the network traffic. This means that the connected switch must mirror the traffic from other switch ports, usually on the connected switch.
You can connect Data Circuit-Terminating Equipment (DCE) and Data Terminal Equipment (DTE) to your ESM devices.
• Firewalls and routers are DTE, and switches are DCE.
• ESM devices are DTE.
Network cables
The ESM devices all use copper cable connections. They use either straight-through or crossover copper RJ-45 male cables.
• To connect an ESM device RJ-45 port to DCE, use a straight-through cable.
• To connect to a DTE, use a crossover cable.
To distinguish between a straight-through and crossover cable, hold the two ends of the cable as shown:
• On a straight-through cable, the colored wires are in the same sequence at both ends.
• On a crossover cable, the first (far left) colored wire at one end is the same color as the third wire at the other end of the cable.
Network ports
Identify the ports on the McAfee devices and connect those cables.
The devices contain management ports so they can be managed from McAfee ESM.
The following images identify the management and collection ports.
1U ERC
Monitor connection
Eth0    Connection varies by device:
        • ERC — MGMT 1
        • ADM — MGMT 2
Eth1    Connection varies by device:
        • ERC — MGMT 2
        • ADM — MGMT 1
Eth5    IPMI, use as follows:
        • For non-HA configurations, use for remote management access
        • For ERC, used for HA configuration connection
Eth4    Connection varies by device:
        • ERC — Can be used as additional MGMT port
        • ADM — Collection (sniffer) ports
Eth3    Connection varies by device:
        • ERC — Can be used as additional MGMT port
        • ADM — Collection (sniffer) ports
Eth2    Connection varies by device:
        • ERC — Can be used as additional MGMT port
        • ADM — Collection (sniffer) ports
1U ERC HA connections
Monitor connection
Eth0    MGMT 1 configured with unique IP addresses
Eth1    MGMT 2 (Data port) configured with a shared IP address
Eth5    For HA:
        • Primary — Port 1 of 4-port NIC to secondary IPMI port
        • Secondary — Port 1 of 4-port NIC to primary IPMI port
Eth4    For HA:
        • Primary — IPMI Port to secondary Eth5 port, 1 of 4-port NIC
        • Secondary — IPMI Port to primary Eth5 port, 1 of 4-port NIC
Eth3    Heartbeat connection between HA devices
Eth2    Not used
Not used
2U ERC
Eth7    HA reserved for IPMI connection
Eth6    HA reserved for Heartbeat
Eth5    Can be used as additional MGMT port. Shown on graphical user interface as "Interface 6"
Eth4    IPMI, use as follows:
        • For non-HA configurations, use for remote management access
        • For ERC, used for HA configuration connection
        Shown on graphical user interface as "Interface 5"
Eth0    MGMT 1. Shown on graphical user interface as "Interface 1"
Eth1    Can be used as additional MGMT port. Shown on graphical user interface as "Interface 2"
Eth2    Can be used as additional MGMT port. Shown on graphical user interface as "Interface 3"
Eth3    Can be used as additional MGMT port. Shown on graphical user interface as "Interface 4"
2U ERC HA connections
Eth7    Can be used as additional MGMT port
Eth6    MGMT 1 configured with unique IP addresses
Eth5    Can be used as additional MGMT port
Eth4    For HA:
        • Primary — Port 1 of 4-port NIC to secondary IPMI port
        • Secondary — Port 1 of 4-port NIC to primary IPMI port
Eth0    For HA:
        • Primary — Port 1 of 4-port NIC secondary IPMI port
        • Secondary — IPMI port to primary port 1 of 4-port NIC
Eth1    Heartbeat connection
Eth2    Can be used as additional MGMT port
Eth3    Can be used as additional MGMT port
See also
Identifying a location for installation
Connect power and start devices
Connecting the power and startup process is similar for all ESM hardware components.
Task
1 Connect the power supply cable to the power source. Properly install and ground the equipment to comply with national, state, and local codes.
Connect all ESM devices to separate uninterruptible power supplies (UPS). Connecting redundant power cords and power modules operating at normal conditions balances the load share through its parallel design, resulting in a reliable power system.
2 Turn on the device.
3 Mounting ESM software on a VM
You can mount the McAfee ESM software on an ESXi VM or on Linux Kernel-based Virtual Machine (KVM) servers.
Contents
• Mounting ESM VM image overview
• ESM VM system requirements
• Download the ESM VM image
• VMware ESXi VM ESM software mounting
• Linux KVM ESM installation
• Configure the VM ESM software
Mounting ESM VM image overview
Mounting the ESM software on a VM is similar for a VMware ESXi VM and a Linux KVM.
This flowchart shows the major tasks used to install and configure the different VM software.
ESM VM system requirements
The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.
• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher
• RAM — Depends on the model (4 GB or more)
• Disk space — Depends on the model (250 GB or more)
• ESXi 5.0 or later
• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB unless the VM purchased has more. See the specifications for your VM product.
Thick vs thin disk provisioning — When you configure your VM disk space, use thick provisioning, if you have the actual disk space available on your ESXi server. Using thin provisioning saves disk space but there is a slight performance impact and you must be careful to never fill that disk space to capacity.
Download the ESM VM image
Downloading the ESM software VM image is similar for the ESXi VM and a Linux KVM.
Before you begin
You must have your McAfee Grant Number to download the ESM software VM image from the download site.
Task
1 Use your browser and this URL to access the McAfee download site:
Product Downloads, Free Security Trials & Tools
2 Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.
3 On the My Products page, scroll down the list and click one of the McAfee Enterprise Security Mgr VM** downloads.
The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.
4 Click the Current Version tab and select the McAfee Enterprise Security Mgr VM image.
5 Select one of these downloads:
• KVM Image — To download the tarball image file for a Linux Kernel VM
• OVF Deployment File — To download the .ova file for the VMware vSphere ESXi client.
6 Save the image file to a location on your local system.
Now you can install or deploy the VM image file to create your ESM VM.
VMware ESXi VM ESM software mounting
After you have downloaded the ESM software, perform these tasks to mount the software on a VMware ESXi VM.
VMware ESXi VM requirements
The VMware ESXi VM must meet these minimum requirements.
• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later
The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.
• RAM — 4 GB minimum (depends on the model)
• Disk — 250 GB minimum (depends on the model)
Sharing CPU or RAM with other VMs impacts the ESXi VM performance.
• ESXi — 5.0 or later
You can select the hard disk requirement needs for your server. But, the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.
This disk space is for the operating system and does not include the space needed for the database or logs.
The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.
McAfee recommends setting the provisioning option to Thick.
Mount the VMware ESXi virtual machine
Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.
Task
1 Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.
2 In vSphere Client, click the server IP address in the device tree.
3 Click File and select Deploy OVF Template.
4 Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.
5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.
6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.
7 Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Esc to activate the menu.
8 Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device. See McAfee Enterprise Security Manager Product Guide for details about keying the devices.
Linux KVM ESM installation
After you have downloaded the ESM software, perform these tasks to install the software on a Linux KVM.
Linux KVM requirements
The Linux KVM where you install the ESM software must meet these minimum requirements.
Minimum requirements
• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher (for processors)
The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.
• RAM — Depends on the model (4 GB or more)
• Disk space — Depends on the model (250 GB or more)
Sharing CPU or RAM with other VMs impacts KVM performance.
• 2 Virtio Ethernet interfaces for ESM
• Receiver Class devices / 3 for IPS class devices
These interfaces use sequential MAC addresses.
• 1 Virtio/Virtio-SCSI Disk Controller, which controls the Virtio virtual hard drive
Deploy Linux KVM ESM software
To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).
Task
1 Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page.
The tarball contains sample config files.
2 Move the tarball file to the directory where you want the virtual hard drive to reside.
3 Extract the tarball by running this command:
tar -xf McAfee_ETM_VM4_250.tgz
To deploy multiple VMs of the same type in the same location, change the name of the virtual hard drive. For example, rename ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.
4 Create a VM on your KVM hypervisor using:
(libvirt, qemu-kvm, proxmox, virt-manager, ovirt)
5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
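The deployment steps above, as an added example that is not part of the McAfee guide: a POSIX shell script that derives the vCPU count from the image name, gives the Virtio interfaces sequential MAC addresses, and prints a virt-install command for review instead of running it. The VM name, disk path, bridge name br0, memory size and base MAC are assumptions, and virt-install is only one front end to the hypervisors the guide lists.

```shell
#!/bin/sh
# Added example, not part of the McAfee guide. Prints a virt-install command
# for the extracted ESM image so it can be reviewed before it is run.

# cores_from_image NAME -> CPU core count encoded in the image name (VM4 -> 4).
cores_from_image() {
    c_n=$(printf '%s\n' "$1" | sed -n 's/.*VM\([0-9][0-9]*\).*/\1/p')
    [ -n "$c_n" ] || return 1
    printf '%s\n' "$c_n"
}

# next_mac MAC -> the next sequential MAC address, in lowercase.
# Fails on malformed input or when the address has no successor.
next_mac() {
    m_hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    case "$m_hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#m_hex}" -eq 12 ] || return 1
    [ "$m_hex" != "ffffffffffff" ] || return 1
    printf '%012x\n' "$(( 0x$m_hex + 1 ))" | sed 's/../&:/g; s/:$//'
}

# virt_install_cmd NAME DISK IMAGE_NAME MEM_MIB BRIDGE BASE_MAC NIC_COUNT
# NIC_COUNT is 2 or 3, per the interface requirements listed above.
# Arguments must not contain whitespace; the result is one command line.
virt_install_cmd() {
    v_vcpus=$(cores_from_image "$3") || return 1   # core count is fixed by the image
    next_mac "$6" >/dev/null || return 1           # validate the base MAC
    v_mac=$(printf '%s' "$6" | tr 'A-F' 'a-f')
    v_cmd="virt-install --name $1 --vcpus $v_vcpus --memory $4 --import"
    v_cmd="$v_cmd --disk path=$2,format=raw,bus=virtio"
    v_i=1
    while :; do
        v_cmd="$v_cmd --network bridge=$5,model=virtio,mac=$v_mac"
        [ "$v_i" -lt "$7" ] || break
        v_mac=$(next_mac "$v_mac") || return 1
        v_i=$((v_i + 1))
    done
    printf '%s\n' "$v_cmd --os-variant generic --noautoconsole"
}

# Constructed values: VM name, disk path, bridge and base MAC are placeholders.
# 52:54:00 is the prefix libvirt uses for the MAC addresses it generates.
virt_install_cmd my_first_erc /var/lib/libvirt/images/my_first_erc.raw \
    ERC-VM4-disk-1.raw 4096 br0 52:54:00:12:34:56 2
```

Dedicate the CPU and RAM to the guest where possible, since the guide notes that sharing them with other VMs impacts performance.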
Configure the VM ESM software
Once you have mounted the ESM software on the VM, you must configure the VM network interface connection, connect to the ESM using the ESM console, then key the device to establish a connection.
Tasks
• Configure the virtual machine: Once you have mounted the ESM software on the VM, configure the network interface.
• Key the VM device: You must key the device to establish a link between the device and the ESM.
Configure the virtual machine
Once you have mounted the ESM software on the VM, configure the network interface.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 To start the configuration, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 To set the ESM VM IP address:
a Scroll down to Mgt1 and press Enter.
b Scroll down to IP Address and press Enter.
c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
4 To set the IP netmask address:
a Scroll down to Netmask and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
5 To set the network gateway IP address:
a Scroll down to Gateway IP and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
6 To set the DNS IP address:
a Scroll down to DNS1 IP and press Enter.
b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
7 To configure whether to use DHCP:
a Scroll down to DHCP and press Enter.
b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.
8 To quit and save your changes:
a Scroll down to Done and press Enter to return to MGT IP Conf.
b Scroll down to Save Changes and press Enter.
9 Optional steps to configure FIPS: to change the communication port, press the down arrow twice, then press Enter.
a Scroll down to Comm Port and press Enter.
b Change the port number, then press Enter.
Make note of the new port number; you'll need it when you key the device.
10 See Log on to the McAfee ESM console to begin configuring the ESM VM settings.
11 See Key the VM device to add the SSH key to the ESM VM.
To complete the configuration, log on to the ESM console using the configured IP address and your browser.
Key the VM device
You must key the device to establish a link between the device and the ESM.
Before you begin
Physically connect the device to your network. See Installing McAfee ESM devices for details.
Task
1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.
2 Enter the information requested on each page of the Add Device Wizard.
4 Installing ESM on AWS
Installing McAfee ESM on an Amazon Web Services (AWS) virtual server eliminates the chance of hardware failure.
Contents
• Using ESM with AWS
• Create the AWS
• Create an ESM image and install it on AWS
• Configure ESM AWS connections
Using ESM with AWS
An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.
The basic steps to create an AWS server in your network with McAfee ESM include:
1 Get an AWS account from http://aws.amazon.com/.
2 Log on to the AWS Management Console and configure your AWS instance.
3 Install the ESM, ERC, ELM, ELS, or ACE software.
4 Configure the ESM device.
Create the AWS
Before you can install ESM on an AWS server, you must create the server with the proper settings and create a connection to your enterprise network.
Before you begin
You must have an Amazon Web Services account.
This example, and the selected values, describe creating a simple ESM server. The values you select might be different.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the AWS console to display the AWS Console page.
2 Set the AWS data center region to the location closest to most of your networks.
3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.
This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.
4 Open Step 2: Choose an Instance Type, select m3.large, then click Next: Configure Instance Details.
When choosing the Instance Type for a McAfee device, make sure to select the correct CPU count.
5 Click Next: Configure Instance Details to select the network to use while running your instance.
Make sure you are able to connect to your instance using:
• Public address
• Private address
You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.
6 Click Next: Add Storage to open Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.
The default for McAfee devices is 250 GB. You can add more volumes if you need them.
7 Click Next: Tag Instance to open Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.
8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:
• Create a new security group — A new security group limits who can log on to the instance.
Add your external-facing IP address range.
• Select existing security group.
9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.
Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.
10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.
11 Click Launch Instance and View Instances to confirm the status of the AWS server.
It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.
12 Make a note of the public IP address, shown in this example as cc.dd.ee.ff.
This IP address is needed to transfer the installer to the instance and to log on to it.
You have created your AWS server. Continue with the AWS image creation and installation process.
Create an ESM image and install it on AWS
Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.
Before you begin
You must have created the AWS server and connected to the server.
You must know the configured IP address of the AWS server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Use scp or pscp (PuTTY Secure Copy Client) to convert the .pem file to .ppk.
For example, using Secure Copy Client, use this command to convert the key file and transfer it to the new AWS instance:
scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:
Using PuTTY Secure Copy Client, use this command to convert the file:
pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:
These are the variables in the previous examples:
• siem_install.sh — Conversion file name
• ec2-user — User name
• cc.dd.ee.ff — IP address
For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP. For more information, see this Amazon help page https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.
To download and install the PuTTY SSH and telnet client, see http://www.putty.org/.
2 Log on to the new AWS instance using SSH or PuTTY with this command:
ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff
These are the variables in the example:
• mykeypair.pem — Convert SSH file name
• ec2-user — User name
• cc.dd.ee.ff — IP address
3 Type this command to change to root, then press Enter:
sudo su
4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:
[root@<IP address> <ec2-user name>]# aws configure
AWS Access Key ID [None]: <Access Key ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: (Leave blank, and press Enter)
Default output format [None] (Leave blank, and press Enter)
For more information about these keys, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html.
5 Confirm that the installation script is executable. If needed, use chmod. For example:
chmod u+x siem_install.sh
6 Create an AMI image and an instance with this command:
./siem_install.sh
If you see an error that says the keys were not defined, you can add the keys on the command line. For example:
[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh
The AWS access key or the AWS Secret key were not defined
[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>
To access Help for the output options:
[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h
install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2
install_McAfee_ETM_VM8.sh [options]
options:
-h, --help show brief help
-O AWS key
-W AWS Secret Key
Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:
[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done
7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.
Terminating the instance destroys the instance.
8 Log on to AWS, click the AMIs sidebar and find the AMI that you created.
This AMI now has the name from the installation script. In this example, McAfee_ETM_VM8.
9 Right-click the AMI name and click Launch.
10 Go through the launch options, then click Launch. For McAfee type devices, the key pair step is not needed. Select Proceed without a key pair and click the acknowledgment.
11 Once the AMI is launched and goes through the "status checks", open a browser and navigate to the assigned IP address. For this example, type http://172-31-6-172/ in the browser.
All McAfee devices in AWS are enabled using DHCP and the IP address is assigned to them automatically.
The IP address that you navigate to depends on how you set up networking in the AWS. You can have a private IP address or public IP address. For long-term use, we recommend using a private IP address.
The first time you log on to the ESM, this warning indicates that you are in the cloud and need to confirm the features you are licensed to use.
In this example, the hash has been obfuscated.
12 Click Email Hash to populate your default email client with the created hash.
13 Add your grant number to the email and send it.
A Hash Accepted dialog box indicates that your hash was successfully sent.
A Support Representative looks at your grant number and verifies the features you are licensed to have. They then send you a hash string back to overwrite the previously displayed hash string. When you click Send, you can log on for the first time.
14 When you log on to the AWS again, overwrite the existing hash with the hash sent by McAfee, then click Send.
Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.
Configure ESM AWS connections
After you configured the hash for the AWS ESM, you must connect and add the devices.
Before you begin
You must have created the AWS and installed ESM on the AWS.
Task
For details about product features, usage, and best practices, click ? or Help.
1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.
2 Connect both physical and virtual devices to the ESM.
3 Confirm that all various ESM devices appear in ESM before configuring the devices.
4 Key the devices to complete the device configuration.
5 Setting up McAfee ESM network connections
Once the ESM device is installed and turned on, you must configure the network interface connection for each device before it can connect to the McAfee ESM.
Contents
• Configure the ESM network interface
• Configure the ERC, ELM, ELS, or ACE network interface
• Configure the DEM or ADM network interface
Configure the ESM network interface
Configure the network interface on an ESM.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 Select Mgt 1 and press Enter, then select IP Address and press Enter.
4 Set the value and press Enter.
5 Scroll down to Netmask and set the value.
6 Scroll down to Done and press Enter.
7 Scroll down to Gateway and press Enter.
8 Set the gateway address, scroll down to Done, and press Enter.
9 Scroll down to DNS 1, press Enter, and set the value.
10 Scroll down to Done and press Enter.
11 Scroll down to Save Changes and press Enter.
12 Log on to the McAfee ESM console to begin configuring the systems and device settings.
Configure the ERC, ELM, ELS, or ACE network interface
Configure the network interface on an ERC, ELM, ELS, or ACE device.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left-hand corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.
3 Select Mgt 1 and press Enter, then select IP Address and press Enter.
To configure an IPv6 address, scroll down to IPv6 Config.
4 Set the value and press Enter.
5 Scroll down to Netmask and set the value.
6 Scroll down to Done and press Enter.
7 Scroll down to Gateway and press Enter.
8 Set the gateway address, scroll down to Done, and press Enter.
9 Scroll down to DNS 1, press Enter, and set the value.
10 Scroll down to Done and press Enter.
11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.
Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.
12 Scroll down to Save Changes and press Enter.
Configure the DEM or ADM network interface
Configure the network interface on a DEM or ADM device.
Task
1 Connect a monitor and keyboard to the device and power it on.
The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.
2 Press Alt + F1 to go to the menu at the top left corner of the screen, then press Esc twice.
3 Scroll down to MGT IP Conf and press Enter.
4 Select Mgt 1 and press Enter.
5 On the Active menu, select IP Address and press Enter.
To configure an IPv6 address, scroll down to IPv6 Config.
6 Set the value and press Enter.
7 Scroll down to Netmask and set the value.
8 Scroll down to Done and press Enter.
9 Scroll down to Gateway and press Enter.
10 Set the gateway address, scroll down to Done, and press Enter.
11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.
Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.
12 Scroll down to Save Changes and press Enter.
6 Initial ESM logon and configuration
Once the ESM devices are connected to the network and their interface connections configured, you can log on to the ESM console and finish the initial configuration.
See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.
Contents
• Log on to the McAfee ESM console
• Connecting devices
• Confirm in ESM that all devices appear
• Key a device
Log on to the McAfee ESM console
Log on to the console to begin configuring the systems and device settings.
Before you begin
Verify whether you are required to operate the system in Federal Information Processing Standard (FIPS) mode.
Task
1 Open a web browser on a client computer and go to the IP address you set when you configured the ESM network interface. For example, if the ESM IP address is 172.016.001.140, type the following in your browser:
https://172.016.001.140/
2 Click Continue to site, if a self-signed certificate error appears for your browser.
3 Click Login, select the language for the console, then type the default user name and password.
• Default user name: NGCP
• Default password: security.4u
4 Click Login, read the End User License Agreement, then click Accept.
5 When prompted, change your user name and password, then click OK.
6 Select whether to enable FIPS mode and if you select Yes, click the additional confirmation.
If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to. For more information about FIPS, see Appendix B.
7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.
8 Perform initial ESM configuration:
a Select the language to be used for system logs.
b Select the time zone where this ESM is and the date format used with this account, then click Next.
9 Enter the server information for the ESM.
a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.
c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.
d Click Next.
10 (Optional) If needed to connect through a proxy server, type its IP address, port number, credentials, and set the local network setting, then click Next.
11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.
12 Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:
• NTP Server IP address
• Authentication Key
• Key ID
To achieve best results in the ESM, it’s important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.
13 To automatically check the ESM server for rule updates:
• Type your customer ID and password to verify your identity.
• Configure your Auto check interval in hours and minutes.
• Click Check Now or Manual Update.
14 Click Finish.
15 In the Network settings change dialog box, click Yes to restart the ESM service.
The restart takes about 90 seconds to complete. Then you might be required to log back on to the ESM.
Connecting devices
To enable application and database monitoring, advanced rule- and risk-based correlation, and compliance reporting, connect both physical and virtual devices to McAfee ESM.
Add devices to the ESM console
After you set up and install the physical and virtual devices, add them to the ESM console.
Before you begin
Set up and install the devices.
Complete the following steps only for a complex ESM installation with multiple ESM devices. Do not complete this task for a simple ESM installation using a combination ESM.
Task
1 On the system navigation tree, click Local ESM or a group.
2 Click .
3 Select the type of device you are adding, then click Next.
4 In the Device Name field, enter a unique name in this group, then click Next.
5 Provide the information requested:
• For McAfee ePO devices — Select a Receiver, type the credentials required to log on to the web interface, then click Next. To use for communicating with the database, type the settings.
Select Require user authentication to limit access to those users who have the user name and password for the device.
• For all other devices — Type the target IP address or URL for the device.
6 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.
7 Enter a password for this device, then click Next.
ESM tests device communication and reports on the status of the connection.
Confirm in ESM that all devices appear
In the ESM console, confirm that all various ESM devices appear before you begin detailed configuration of the devices.
For detailed information about performing these confirmation steps, see McAfee Enterprise Security Manager Product Guide.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the McAfee ESM console, and find the System navigation pane to view the devices on the system.
2 Click Menu | Configuration to view the physical display.
3 Confirm that you can click the Add devices icon to see the devices that you installed in the racks and configured with their network settings.
Once the devices are added, you must key the device to enable communication and complete the installation. See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.
Key a device
You must key the device to establish a link between the device and the ESM.
Before you begin
Physically connect the device to your network.
Task
1 Log on to the ESM console using a browser. See Log on to the McAfee ESM console for details.
2 On the system navigation tree, click a device, then click the Properties icon.
3 Click Key Management | Key Device.
If the device has an established connection and can communicate with the ESM, the Key Device Wizard opens.
4 Type a new password for the device, then click Finish.
7 Upgrading McAfee ESM software
Upgrading the software on your ESM devices provides, for example, new and upgraded features, interface changes, or support for additional browsers and browser versions.
To prepare your systems for the upgrade, download the files for the components, then upgrade them in the order described.
Contents
• What you have and what you need
• Preparing to upgrade
• Special upgrade scenarios
• Download the upgrade files
• Upgrade the software on a device
• Upgrade the system
• Upgrade ESM, ESMREC, or ENMELM
• Upgrade HA Receivers
• Available VA vendors
What you have and what you need
List the current security software and hardware that you have on your network.
Complete the following network questionnaire before you begin upgrading your McAfee ESM devices and software.
McAfee Security Professional Services requires this same information to help you order and configure your existing network security.
Current network questionnaire
Each question is followed by the information to enter.

Which McAfee ESM devices do you have?
Enter the quantity:
• Enterprise Security Manager (ESM) — ________
• Event Receiver (ERC) — ________
• Receiver and ELM Combination (ELMERC) — ________
• Enterprise Log Manager (ELM) — ________
• Enterprise Log Search (ELS) — ________
• Advanced Correlation Engine (ACE) — ________
• Direct Attached Storage (DAS) — ________
• Application Data Monitor (ADM) — ________
• Database Event Monitor (DEM) — ________
• Storage Area Network (SAN) card — ________

Do you have an All-in-One McAfee ESM?
Yes / No

Will you need an ACE to integrate with your ESM?
Yes / No

Is your McAfee ESM solution installed on a virtual machine (VM), physical devices, or a combination of both?
Virtual Machine (VM) / Physical device / Combination of VM and devices

What are the model numbers of your ESM components?
Enter the model number:
• ESM — _____________________________
• ELM — _____________________________
• ERC — _____________________________
• ACE — _____________________________

Do you have a hierarchical architecture?
Yes / No

In addition to port 22, can you open port 9092 between your ERCs and ESMs?
Yes / No

In addition to port 22, can you open port 2181 between your ELSs and ESMs?
Yes / No

Are you, or will you be, a Managed Security Service Provider (MSSP)?
Yes / No

What is your current events per second (EPS) by device?
Enter the count:
• ESM — ________ EPS count
• ERC — ________ EPS count
• ELM — ________ EPS count
• ERC — ________ EPS count
• ELS — ________ EPS count

What software version are you running on your ESM?
You must be using McAfee ESM version 9.6 to upgrade to version 10.0.
Version — _______

What browsers are you using for your ESM console?
Chrome version 48 or higher / Firefox version 42 or higher / Internet Explorer version 11 or higher
Preparing to upgrade
You must do several things before you can upgrade your ESM devices.
1 Make sure that the ESM database rebuild from a previous build (9.6.x or later) is complete, and that you can schedule the outage window for this upgrade.
2 Complete a database backup of the ESM. Export or back up the following items to ensure ease of recovery if an upgrade renders a rule, event, or other content unusable:
Alarms: In System Properties, click Alarms, highlight each alarm, then click Export and save the file.
Watchlists: In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.
Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.
1 In the Rule Types pane, click a rule type.
2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.
3 Highlight the rules, click File | Export | Rules, then save them in XML format.
Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.
Type of information and details
Device types supported: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.x devices. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.
Save receiver settings: Make sure all Receiver settings are saved before updating from versions 9.x to 9.6.x. If you don't save the settings, a problem occurs that can cause issues on the receiver and other devices. Make sure all settings for every device are saved before updating to any version.
Rebuild time: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database:
• Set collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.
• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.
Upgrade paths: You must upgrade prior versions to 9.4.2 or later before you can upgrade to the 9.6.x release.
Upgrade Receiver-HA devices: To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.
Make sure all device settings are saved before updating to any version.
Back up ESM settings and system data
Back up and save the ESM configuration files before you start any software upgrades.
When you add an ESM device, Backup & Restore is enabled to back up every seven days. You can disable it or change the default settings. See KB article, Backup process for McAfee [ESM] devices for details.
We recommend you make a Full Backup of all devices before you start an upgrade. A full backup contains:
• Settings for the ESM, ERC, DEM, ADM, and ACE devices.
ELM full backups only include configuration settings. The database settings must be backed up separately or you lose all database connections to your local shares, remote shares, and SANs.
• Stop CPService and then DBServer and create a copy of the contents of: /usr/local/ess/data/, /etc/NitroGuard, and other folders on a remote share.
If anything goes wrong during the upgrade, you can:
• Reinstall the software to the existing version.
• Reinstall the backup files.
• Try upgrading to the next version again.
Backups are only compatible with the current version of the ESM device. You can't install a backup of a previous version on an upgraded ESM device.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select System Properties, then click ESM Management | Maintenance | Backup.
2 Define the settings for the backup.
3 Click OK to close the Backup & Restore page.
Table 7-1 Option definitions
Backup Frequency: When new ESM devices are added to the system, the Backup & Restore function is enabled to perform a backup every seven days. You can change the frequency or disable backup.
Backup Data For: Select what you want to include in the backup.
Backup Location: Select where you want the backup saved:
• ESM — It is saved on the ESM and accessed on the File Maintenance page.
• Remote Location — It is saved in the location you define in the fields that become active. If you are saving a copy of the ESM and all system data manually, you must select this option.
When you back up to a CIFS share, use a slash (/) in the remote path field.
Backup Now: Manually back up ESM settings and events, flows, and logs (if selected). Click Close when the backup is completed successfully.
Full Backup Now: Manually save a copy of the device settings and the system data. This can't be saved to the ESM, so you must select Remote Location in the Backup Location field and enter the location information.
We highly recommend you make a full backup before any major version update to avoid data loss.
Using the Common Internet File System (CIFS) share type with Samba server versions greater than 3.2 can result in data loss.

Check ERC high availability status
Determine the status of a high availability (HA) ERC pair before performing an upgrade.
Before you begin
You must have Administrator privileges to complete this task.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.
2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.
3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:
OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no
4 Verify the following in the status:
• The first line of the response is OK.
• Host name is the same as the host name on the command line minus the ERC model number.
• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.
• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.
• corosync= shows the running status of corosync, which should be running.
• hi_bit is no on one ERC and yes on the other ERC.
Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before upgrading to correct this misconfigured setting.
5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.
6 Verify the following in the data that is generated:
• The MAC addresses on eth0 and eth1 are unique on both ERCs.
• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.
If both HA ERCs are set to the same value, call Technical support before upgrading to correct this misconfigured setting.
This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be upgraded.
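The ha_status checks in steps 3 and 4 can be applied mechanically to output saved from each ERC. The following Python script is an added example, not McAfee code: the function names are hypothetical and the two sample captures are constructed from the sample output in step 3.

```python
"""Cross-check ha_status output captured from both ERCs of an HA pair.

Added example, not McAfee code. Function names are hypothetical.
"""

# Constructed captures modelled on the ha_status sample in the guide.
SAMPLE_ERC1 = """\
OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no
"""
SAMPLE_ERC2 = """\
OK
hostname=McAfee2
mode=secondary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee1
corosync=running
hi_bit=yes
"""

# Keys with a fixed name; any other key is a member host name.
FIXED_KEYS = ("hostname", "mode", "sharedIP", "stonith", "corosync", "hi_bit")


def parse_ha_status(text):
    """Split a capture into (first_line, {key: value}).

    Fields may be one per line or space-separated on a single line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    fields = {}
    for token in " ".join(lines[1:]).split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return first, fields


def check_node(text):
    """Apply the per-ERC rules from step 4; return a list of problems."""
    first, fields = parse_ha_status(text)
    problems = []
    if first != "OK":
        problems.append(f"first line is {first!r}, expected 'OK'")
    missing = [k for k in FIXED_KEYS if k not in fields]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
        return problems
    host = fields["hostname"]
    # Mode is primary only when sharedIP names this ERC.
    expected = "primary" if fields["sharedIP"] == host else "secondary"
    if fields["mode"] != expected:
        problems.append(f"{host}: mode={fields['mode']}, but sharedIP="
                        f"{fields['sharedIP']} implies {expected}")
    # Every remaining key is a member host name with its running status.
    members = {k: v for k, v in fields.items() if k not in FIXED_KEYS}
    if len(members) != 2:
        problems.append(f"{host}: expected 2 member entries, found {len(members)}")
    for name, state in sorted(members.items()):
        if state != "online":
            problems.append(f"{host}: sees {name} as {state}")
    if fields["corosync"] != "running":
        problems.append(f"{host}: corosync={fields['corosync']}")
    return problems


def check_pair(text_a, text_b):
    """Check both captures, then the cross-node hi_bit rule."""
    problems = check_node(text_a) + check_node(text_b)
    hi_bits = sorted(parse_ha_status(t)[1].get("hi_bit", "?")
                     for t in (text_a, text_b))
    if hi_bits != ["no", "yes"]:
        problems.append(f"hi_bit values are {hi_bits}; expected one 'no' and one 'yes'")
    return problems


if __name__ == "__main__":
    results = check_pair(SAMPLE_ERC1, SAMPLE_ERC2)
    for line in results or ["HA pair passes the ha_status checks"]:
        print(line)
```

The host name comparison against the command-line prompt and the ifconfig checks in steps 5 and 6 are not covered and still need to be done by hand.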

Special upgrade scenarios
In special situations, you must take additional steps before or after upgrading.
Situation Action
Installing a new McAfee ESM model
Register your hardware in 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades.
To get your permanent user name and password, email [email protected] with the following information:
• McAfee grant number
• Account name
• Address
• Contact name
• Contact email address
Obtaining offline rule updates
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the rules for your version of McAfee ESM.
Resolving device communication issues
If you upgraded a McAfee device before upgrading McAfee ESM or the ESM is in the middle of upgrading, this message might appear: The device needs to be upgraded before the operation can be performed. Verify that McAfee ESM has the correct version.
1 On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
2 Click Connection, then click Status.
3 Retry the operation that resulted in the message.
Upgrading a redundant ESM
Upgrade the primary McAfee ESM first, then upgrade the redundant McAfee ESM.
1 On the primary McAfee ESM, select the ESM on the navigation tree and click the Properties icon.
2 Click Events, Flows & Logs and deselect Auto check interval.
3 After upgrading the redundant McAfee ESM, re-enable the collection of events, flows, and logs on the primary McAfee ESM.
McAfee ePO with Policy Auditor
If the McAfee ePO device is already on the McAfee ESM, you must refresh it.
1 If you are not on an all-in-one device, upgrade the McAfee Event Receiver where the McAfee ePO device is connected.
2 On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh.
You can set up auto-retrieval on the Device Management tab.
3 Click Receiver Properties, then click the Vulnerability Assessment tab.
4 Click Write.
5 Repeat step 2 to get VA data on the McAfee ESM.
6 Log off the McAfee ESM console, then log back on.
Upgrading high availability (HA) Event Receivers
Before you upgrade, set your preferred primary Event Receiver to No Preference, which allows you to use the Fail-Over option.
You must upgrade the secondary Event Receiver, click Fail-Over, then upgrade the new secondary Event Receiver. In this way, a primary Event Receiver collects data throughout the process, ensuring minimal data loss. After you upgrade both Event Receivers, reapply your preferred primary Event Receiver.
Rebuilding the ELM management database
Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing.
But, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.
To check the status of the rebuild, go to ELM Properties | ELM Information.
If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.
If you have event receivers logging to the ELM and they are near maximum capacity, contact Support.
Upgrading a redundant ELM
Upgrade the standby ELM first, then upgrade the active ELM.
Never turn off a device during a rebuild.
The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy.
1 Upgrade the standby ELM.
2 Upgrade the active ELM.
3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.
4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.
5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM resync is 100% complete. You might need to click Refresh several times.

Download the upgrade files
When the system is ready to upgrade, download the upgrade files to your local system.
Task
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the release file to your local system, then upgrade your ESM and devices.

Upgrade the software on a device
If the software on your device is out of date, upload a new version of the software from a file on the ESM or your local computer.
Before you begin
If you have had your system for more than 30 days, you must obtain and install your permanent credentials to access the updates.
If you must comply with Common Criteria and FIPS regulations, do not upgrade the ESM in this way. Call Technical support to obtain a FIPS certified update.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select a device, then click the Properties icon.
2 Click device Management | Update Device.
3 Select an update from the table or click Browse to locate the update software on your local system.
The device restarts with the updated software version.
Table 7-2 Option definitions
Option Definition
File Name Select one of the updates listed.
Browse Browse to a file obtained from a McAfee security engineer or from the McAfee rules and updates server.
OK If you are updating a device using the device management Update Device option, this starts the update process. If you are updating multiple devices using the Multi-Device Management option, this returns you to the Multi-Device Management page.

Upgrade the system
Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.
Before you begin
• Read the entire release notes before beginning the upgrade.
• Make sure that your system is running version 9.6 or later.
• If you recently upgraded to 9.6, verify that the database rebuild is complete.
When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.
Task
1 Depending on your FIPS mode, upgrade all devices in the following order.
Mode Order
Non-FIPS
1 Upgrade standalone ESMs first, then ESM combo devices you might have.
2 Wait for the database to build.
3 Upgrade the ELM.
4 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
This process differs from the process to upgrade a redundant ESM.
FIPS
1 Upgrade standalone ELMs.
2 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
3 Upgrade ESM, Event Receiver, or ELM combo devices. You can begin when all device upgrades start.
Failure to upgrade the devices before upgrading McAfee ESM when in FIPS mode can affect ELM log collection.
2 Verify that you have communication with the devices.
3 Download the manual rules update to McAfee ESM.
4 Apply the updated rules.
a On the system navigation tree, select the system, then click the Properties icon.
b On the System Information page, click Rules Update, then click Manual Update.
c Browse to the update file, click Upload, then click OK.
5 To rewrite device settings for each device, follow this process to apply all release settings.
a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
b Follow these steps for each device.
Device type Process
McAfee Event Receiver or ESM/Event Receiver combo
• For data sources: Click Data Sources | Write.
• For VA sources: Click Vulnerability Assessment | Write.
ACE
• For risk correlation: Click Risk Correlation Management | Write.
• For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.
• For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.
DEM or ADM
• For virtual devices (ADM): Click Virtual Devices | Write.
• For database servers: Click Database Servers | Write.
6 Roll out the policy to all upgraded devices.
7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.
8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Upgrade ESM, ESMREC, or ENMELM
When your system is ready, upgrade your ESM, ESMREC, or ENMELM.
Before you begin
• Complete the steps in the Instructions for upgrading section.
• Verify that all devices attached to the ESM are supported.
Task
1 On the ESM console, select the ESM device, then click the Properties icon.
2 Select ESM Management, then click Update ESM.
3 On the Select Software Update File page, browse to one of these files.
Device type File
Standalone McAfee Enterprise Security Manager (ESM) ESS_Update_10.0.0.signed.tgz
McAfee Enterprise Security Manager with a built-in Receiver (ESMREC) ESSREC_Update_10.0.0.signed.tgz
McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box ESSREC_Update_10.0.0.signed.tgz
4 Select the file, then click Upload.
You are informed that the ESM restarts and there is a loss of connection for all users.
5 Click Yes to continue, and when prompted to close the browser, click OK.
The upgrade begins, and can take several hours.
6 When the upgrade is complete, log back on to the console through a new browser session.

Upgrade HA Receivers
The Receiver-HA upgrade process upgrades both Receivers sequentially, starting with the secondary Receiver.
Before you begin
Before starting the upgrade process, complete the Check Receiver high availability status process to make sure that the Receiver-HA devices are ready to be upgraded. Failure to do so can result in problems with the device upgrade and downtime.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the system navigation tree, select the Receiver-HA device, then click the Properties icon.
2 Upgrade the secondary Receiver:
a Click Receiver Management, then select Secondary.
b Click Update Device, then select or browse to the file you want to use and click OK.
The Receiver restarts and the version of software is updated.
c On Receiver Properties, click High Availability | Return to Service.
d Select the secondary Receiver, then click OK.
3 Change the secondary Receiver to primary by clicking High Availability | Fail-Over.
4 Upgrade the new secondary Receiver by repeating step 2.

Available VA vendors
The ESM can integrate with these VA vendors.
VA vendor Version
Digital Defense Frontline 5.1.1.4
eEye REM (REM events server) 3.7.9.1721
eEye Retina 5.13.0, Audits: 2400
The eEye Retina VA source is like the Nessus data source. You can use scp, ftp, nfs, or cifs to grab the .rtd files. You must manually copy the .rtd files to an scp, ftp, or nfs share to pull them. The .rtd files are normally located in the Retina Scans directory.
McAfee Vulnerability Manager 6.8, 7.0
Critical Watch FusionVM 4-2011.6.1.48
LanGuard 10.2
Lumension Support PatchLink Security Management Console 6.4.5 and later
nCircle 6.8.1.6
Nessus Support Tenable Nessus versions 3.2.1.1 and 4.2 and file formats NBE, .nessus (XMLv2), and .nessus (XMLv1); also, OpenNessus 3.2.1 XML format
NGS
OpenVAS 3.0, 4.0
Qualys
Rapid7 Nexpose — Recommended VA partner vendor
Rapid7 Metasploit Pro — Recommended VA partner vendor 4.1.4-Update 1, file format XML
You can deduce the severity of a Metasploit exploit that starts with the name Nexpose by adding a Rapid7 VA source to the same Receiver. If it can't be deduced, the default severity is 100.
Saint
GFI Languard
NGS SQuirrel
iScan Online?
Tripwire/nCircle IPS360?
A Alternative installation scenarios
Use this information to configure specific adapters and other important information.
Contents
Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
Install DAS
Common Criteria evaluated configuration
Regulatory notices

Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
The qLogic QLE2460 is a single, Fibre Channel PCIe x4 adapter, rated at a transfer rate of 4-GB. The QLE2562 is a single, Fibre Channel PCIe x8 adapter, rated at 8 GB. They can connect directly to the SAN device or through a SAN switch.
Before you begin
• Make sure that the SAN device or SAN switch you are attaching to auto-negotiates.
• Make sure that the SAN administrator allocates and creates space on the SAN and assigns it to the channel where the qLogic adaptor is attached. Use the World Wide Port Name (WWPN) for the adaptor. The WWPN is on the adapter's card, anti-static bag, and box.
Task
1 Turn off the device where you are installing the SAN adapter.
2 Insert the adapter, then place the device back on the rack and connect the cables.
For a 3U device, insert the adapter in the slot closest to the protective memory cover.
The adapter BIOS boot message informs you that the adapter is installed and functioning. If you do not see this message or if the card does not have red, yellow, or green lights, the card is not recognized. If so, make sure that the card is seated correctly or insert it into a different PCI slot.
3 Start the device.
The operating environment detects it and loads the QLAXXX driver. The Mounting Storage Facilities message displays OK and continues.
4 Using the ESM console, key the device.
When the device is keyed, the Properties page includes the SAN Volumes option.

Install DAS
The direct attached storage (DAS) adapter is an add-on device to a 4xxx/5xxx/6xxx series ESM or ELM.
The DAS unit ships with a chassis and an LSI 9280-8e RAID card for:
• ETM-5205
• ETM-5510
• ETM-5600
• ETM-5750
• ETM-6000
• ETM-X3
• ETM-X4
• ETM-X5
• ETM-X6
• ESMREC-5205
• ESMREC-5510
• ENMELM-4600
• ENMELM-5205
• ENMELM-5510
• ENMELM-5600
• ENMELM-6000
• ELM-4600
• ELM-5205
• ELM-5510
• ELM-5600
• ELM-5750
• ELM-6000
• ELS-<TBD>
You can add a DAS (50 TB or 100 TB), to provide additional storage. These instructions are the same for ESM, ELM, or ELS chassis.
Task
1 Turn off the device following a normal shutdown procedure.
2 Pull the device from the rack and open the top case. You might need to remove a small screw at the front or rear of the top case.
3 Depending on your chassis, install the DAS card in one of these slots.
• For 1U or 3U, install LSI 9280-4e RAID card in slot 4
• For 2U, install LSI 9280-4e RAID card in slot 1
4 Depending on your chassis, install the DAS cables into these slots:
• For ESM, ELM, or ELS, insert cables into slots 1 and 2 of the card.
• For DAS, insert cables into slots 1 and 3 of the card.
5 Install the LSI 9280-8e RAID card in slot 4 of the ESM.
• For devices with an orange face, if the Areca or 3Ware RAID card is in slot 4, move it to slot 6. If the McAfee ESM device has an Areca or 3Ware RAID card and also has an SSD card installed, install the LSI 9280-8e RAID card in slot 5.
• For devices with a black face, install the card in an open slot.
6 Insert power cables, then turn on the device.
7 Enter BIOS utility and look for the LSI 9280-8e RAID card BIOS utility.
8 Exit BIOS utility and verify DAS disk space with the command: df -h
On System Properties of the ESM console, the Hardware field on the System Information tab reflects the increased size of the hard drive labeled /data_hd.

Common Criteria evaluated configuration
The McAfee device needs to be installed, configured, and operated in a specific way to be in compliance with the Common Criteria evaluated configuration. Consider these requirements when you are setting up your system.
Type Requirements
Physical and virtual machine
The McAfee device must be:
• Protected from unauthorized physical modification.
• Located in controlled access facilities, which prevent unauthorized physical access.
Intended usage
The McAfee device must:
• To be able to perform its functions, have access to all network traffic.
• Be managed to allow for address changes in the network traffic that the Target of Evaluation (TOE) monitors.
• Be scaled to the network traffic that it monitors.
Personnel
• There must be one or more competent individuals assigned to manage the McAfee device and the security of the information it contains. Onsite assistance with installation and configuration and onsite training for the operation of the device is provided by McAfee engineers for each McAfee customer.
• The authorized administrators are not careless, willfully negligent, or hostile, and follow and abide by the instructions provided by the McAfee device documentation.
• Only authorized users can access the McAfee device.
• Those responsible for the McAfee device must ensure that all access credentials are protected by users in a manner that is consistent with IT security.
Other
• Do not apply software updates to the McAfee device because it results in a configuration other than the Common Criteria-evaluated configuration. Contact Technical Support to obtain a certified update.
• Enabling the Login Security feature with a RADIUS server results in secure communication. The IT environment provides for secure transmission of data between the TOE and external entities and external sources. A RADIUS server provides external authentication services.
• Using the Smart Dashboard functionality of the Check Point firewall console is not part of the TOE.
• Using Snort Barnyard is not part of the TOE.
• Using the MEF Client is not part of the TOE.
• Using the Remedy Ticket System is not part of the TOE.

Regulatory notices
This regulatory information applies to the different platforms you might use.
Table A-1 SuperMicro-based platforms
Electromagnetic emissions
McAfee 1U: FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B
McAfee 2U or 3U: FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B
Electromagnetic immunity
McAfee 1U: EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024
McAfee 2U or 3U: EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024
Safety
McAfee 1U: EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe)
McAfee 2U or 3U: EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe)
Table A-2 DAS-based platforms
DAS-50, DAS-100
Input voltage 100/240 VAC
Input frequency 50/60 Hz
Power supply 1400 W X3
Power consumption 472W@120VAC, 461W@240VAC
Amps (Max) 9.4A
Altitude (Max) –45 to 9,500 feet
Temperature (Max) 10º to 35º C (operating), –40º to 70º C (non-operating)
Altitude –45 to 9500 feet (operating), –45 to 25,000 feet (non-operating)
BTU BTU/HR 1609
Humidity Operating — 10% to 85% (non-condensing), non-operating — 10% to 90%
Table A-3 Intel-based platform 1U
Parameter Limits
Operating temperature +10° C to +35° C with the maximum rate of change not to exceed 10° C per hour
Non-operating temperature –40° C to +70°
Non-operating humidity 90%, non-condensing at 35° C
Acoustic noise Sound Power: 7.0 BA in an idle state at typical office ambient temperature.(23 ± 2 degrees C)
Shock, operating Half sine, 2-g peak, 11 msec
Shock, unpackaged Trapezoidal, 25 g, velocity change 136 inches/sec (≧ 40 lbs to > 80 lbs)
Shock, packaged Non-palletized free fall in height 24 inches (≧40 lbs to > 80 lbs)
Shock, operating Half sine, 2-g peak, 11 mSec
Vibration, unpackaged 5 Hz to 500 Hz, 2.20 g RMS random
ESD ±12 kV for air discharge and 8 K for contact
System cooling requirement in BTU/Hr 1660 BTU/hour
Table A-4 Intel-based platform 2U
Parameter Limits
Temperature Operating
• ASHRAE Class A2 — Continuous operation. 10°C to 35°C (50°F to 95°F) with the maximum rate of change not to exceed 10°C per hour.
• ASHRAE Class A3 — Includes operation up to 40°C for up to 900 hrs per year
• ASHRAE Class A4 — Includes operation up to 45°C for up to 90 hrs per year
Shipping –40°C to 70°C (–40°F to 158°F)
Altitude (Operating) Support operation up to 3050 m with ASHRAE class deratings
Humidity (Shipping) 50% to 90%, non-condensing with a maximum wet bulb of 28°C (at temperatures from 25°C to 35°C)
Shock Operating Half sine, 2 g, 11 mSec
Unpackaged Trapezoidal, 25 g, velocity change is based on packaged weight
Packaged Product Weight: ≥ 40 to < 80
Non-palletized free fall height = 18 inches
Palletized (single product) free fall height = NA
Vibration 5 Hz to 500 Hz, 2.20 g RMS random
Packaged 5 Hz to 500 Hz, 1.09 g RMS random
AC-DC Voltage 90 Hz to 132 V and 180 V to 264 V
Frequency 47 Hz to 63 Hz
Source Interrupt No loss of data for power line drop-out of 12 mSec
Surge non-operating and operating Unidirectional
B Enabling FIPS mode
The Federal Information Processing Standard (FIPS) consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.
FIPS mode must be selected the first time you log on to the system and can't be changed later.

Select FIPS mode
The first time you log on to the system you are prompted to select whether you want the system to operate in FIPS mode. Once this selection is made, it can't be changed.
Task
For details about product features, usage, and best practices, click ? or Help.
1 The first time you log on to the ESM:
a In the Username field, type NGCP.
b In the Password field, type security.4u.
You are prompted to change your password.
2 Enter and confirm your new password.
3 On the Enable FIPS page, click Yes.
The Enable FIPS warning displays information requesting confirmation that you want this system to operate in FIPS mode permanently.
4 Click Yes to confirm your selection.