Installation Guide McAfee Enterprise Security Manager 10.2.0


COPYRIGHT

Copyright © 2017 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Enterprise Security Manager 10.2.0 Installation Guide


Contents

1 Installation Overview 5
    McAfee Enterprise Security Manager components 5
    Configuration scenarios 6
    McAfee ESM installation overview 8

2 Configure the VM 9
    Configure the VM network interface 9
    Key the VM device 10

3 Mount ESM on a virtual machine 11
    ESM VM system requirements 11
    Download the ESM VM image 11
    Mount ESM on a VMware ESXi VM 12
        VMware ESXi VM requirements 12
        Mount the VMware ESXi virtual machine 12
    Mount ESM on a Linux KVM 13
        Linux KVM requirements 13
        Deploy Linux KVM ESM software 13
    Mount ESM on an AWS VM 14
        Using ESM with AWS 14
        Create the AWS 14
        Create an ESM image and install it on AWS 15
        Configure ESM AWS connections 19
    Mount ESM on an AWS HVM 20
        Install ESM on AWS HVM 20

4 Perform initial ESM configuration 21
    Log on to the McAfee ESM console 21
    Add devices to the ESM console 22
    Confirm in ESM that all devices appear 23
    Key a device 23

5 Update a single device 25

6 Update the ESM system 27
    Prepare to update 27
        Download the update files 27
        Back up the database 28
        Back up McAfee ESM settings and system data 28
        Check ERC high availability status 29
    Identify and address special update scenarios 31
    Update devices (non-FIPS mode) 32
    Update devices (FIPS mode) 34
    Update high availability Receivers 36


Index 37


1 Installation Overview

Contents
    McAfee Enterprise Security Manager components
    Configuration scenarios
    McAfee ESM installation overview

McAfee Enterprise Security Manager components

McAfee ESM and its components are installed on your network and configured to identify vulnerabilities and threats.

If a threat occurs, the ESM can:

• Notify you through the user interface, email, SNMP, or text message.

• Save the history of the threat for analysis.

• Automatically act on the threat based on configured policy.

McAfee ESM components include:

• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or virtual machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status. It also shows a view of the systems, data, risks, and activities inside your enterprise.

• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM device(s).

• McAfee® Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it collects, compresses, signs, and stores events to provide a proven audit trail of activity.

• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches events faster than the ELM because it uses indexes.

• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.

• McAfee® Advanced Correlation Engine (McAfee® ACE) — Available as a hardware component or VM software installation that simplifies event correlation and startup to identify and score threat events in historical or real time, using both rule- and risk-based correlation.

• McAfee Application Data Monitor — A hardware component that monitors more than 500 known applications through the entire layer stack and captures full session detail of all violations.

• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.


• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.

In redundant solutions, one DAS device is required in each system. For example, two redundant ELMs require two DAS devices.

• ESM Console — A computer with a browser used by security administrators to configure and manage the ESM.

You might use just one combination ESM, or many of these components, depending on your environment.

For detailed configuration information, see the McAfee Enterprise Security Manager Product Guide.

Configuration scenarios

You can configure McAfee ESM with just one combination ESM, or you can add components to identify threats in a large enterprise network.

Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.

VM installed ESM combination devices have limits to the number of components that you can add.

• McAfee ACE — Increases the events-per-second (EPS) capability, logs, network flows, and contextual information sent to the ESM

• McAfee Application Data Monitor — Listens to layer 7 traffic on the network to monitor applications that would normally be missed using logging only, and it tracks the application transaction details you can store.

• DEM — Increases the database transactions you can store, how you access those transactions, and discovers unknown databases on the network for added security.

• ERC — Additional ERCs increase the EPS throughput from your network segments and the connected data sources.

The EPS throughput for an ERC depends on the model.

• ELM — The ELM increases the raw logs you can compress and store. The ELM is the only device that stores the logs in compliant "Raw Format."

• ELS — The ELS, compared to the ELM, speeds searching event data using its index tags. But, it has a much lower compression ratio than the ELM and is not meant to meet compliance requirements.

• ESM — Adding ESMs allows you to improve performance by sharding data and to prevent data loss by replicating data.

Simple ESM scenario

This figure shows that one ESM device gives you visibility to network events.


Complex ESM scenario

This figure shows how multiple ESM components give you visibility into events on a large enterprise network. Add ESM components as the network grows and the number of events increases.


McAfee ESM installation overview

This flowchart provides an overview of the steps required to install the ESM solution.


2 Configure the VM

Contents
    Configure the VM network interface
    Key the VM device

Configure the VM network interface

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and a virtual LCD display appears.

2 Press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Set the ESM VM IP address.

a Scroll to Mgt1 and press Enter.

b Scroll to IP Address and press Enter.

c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

4 Set the IP netmask address.

a Scroll to Netmask and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

5 Set the network gateway IP address.

a Scroll to Gateway IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.


6 Set the DNS IP address.

a Scroll to DNS1 IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

7 Configure DHCP.

a Scroll to DHCP and press Enter.

b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.

8 Quit and save your changes.

a Scroll to Done and press Enter to return to MGT IP Conf.

b Scroll to Save Changes and press Enter.

9 (Optional) If you are using FIPS mode, change the communication port.

a Press the down arrow twice, then press Enter.

b Scroll to Comm Port and press Enter.

c Change the port number, then press Enter.

Make note of the new port number; you'll need it when you key the device.

Key the VM device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network.

Task

1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.

2 Enter the information requested on each page of the Add Device Wizard.


3 Mount ESM on a virtual machine

Contents
    ESM VM system requirements
    Download the ESM VM image
    Mount ESM on a VMware ESXi VM
    Mount ESM on a Linux KVM
    Mount ESM on an AWS VM
    Mount ESM on an AWS HVM

ESM VM system requirements

The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.

• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

• ESXi 5.0 or later

• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB. See the specifications for your VM product.

Download the ESM VM image

Before you begin

You must have your McAfee Grant Number to download the ESM software.

Task

1 Use your browser to access the McAfee download site.

2 Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.

3 On the My Products page, scroll down the list and select a McAfee Enterprise Security Manager VM download file.

The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.


4 Select the Current Version tab and select the McAfee Enterprise Security Manager VM image.

5 Select an image file and save it to your local system. Make note of the file name and location; you will need that information to mount the image.

Mount ESM on a VMware ESXi VM

Contents
    VMware ESXi VM requirements
    Mount the VMware ESXi virtual machine

VMware ESXi VM requirements

The VMware ESXi VM must meet these minimum requirements.

• Processor — 4 cores, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Manager VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — 4 GB (depends on the model)

• Disk — 250 GB (depends on the model)

Sharing CPU or RAM with other VMs impacts the ESXi VM performance.

• ESXi — 5.0 or later

You can choose the hard disk size for your server, but the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.

This disk space is for the operating system and does not include the space needed for the database or logs.

The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.

McAfee recommends setting the provisioning option to Thick.

Mount the VMware ESXi virtual machine

Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.

Task

1 Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.

2 In vSphere Client, click the server IP address in the device tree.

3 Click File and select Deploy OVF Template.

4 Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.

5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.


6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.

7 Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Esc to activate the menu.

8 Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device. See McAfee Enterprise Security Manager Product Guide for details about keying the devices.

Mount ESM on a Linux KVM

Contents
    Linux KVM requirements
    Deploy Linux KVM ESM software

Linux KVM requirements

The Linux KVM where you install the ESM software must meet these minimum requirements.

Minimum requirements

• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

Sharing CPU or RAM with other VMs impacts KVM performance.

• 2 Virtio Ethernet interfaces for ESM and Receiver class devices; 3 for IPS class devices

These interfaces use sequential MAC addresses.

• 1 Virtio/Virtio-SCSI disk controller, which controls the Virtio virtual hard drive

Deploy Linux KVM ESM software

To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).

Task

1 Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page.

The tarball contains sample config files.

2 Move the tarball file to the directory where you want the virtual hard drive to reside.


3 Extract the tarball by running this command:

tar -xf McAfee_ETM_VM4_250.tgz

To deploy multiple VMs of the same type in the same location, change the name of each virtual hard drive. For example, rename ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.

4 Create a VM on your KVM hypervisor using your management tool of choice (libvirt, qemu-kvm, Proxmox, virt-manager, oVirt).

5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
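An added example for the deployment procedure above (not code from the McAfee guide or its tarball): a POSIX shell script that extracts the tarball, renames the Virtio disk for one VM as step 3 suggests, and prints the virt-install command with the two Virtio NICs on sequential MACs and the disk behind a Virtio-SCSI controller, as the Linux KVM requirements describe. The bridge name br0, the base MAC 52:54:00:10:20:30, the 4 GB memory size and the generic os-variant are assumptions; the tarball and disk names are the guide's.

```shell
#!/bin/sh
# Added example, not from the McAfee guide or its tarball: prepare one VM's disk from
# the extracted tarball and build the virt-install command for it.
# Assumptions (placeholders, not from the guide): bridge br0, base MAC 52:54:00:10:20:30,
# 4 GB RAM / 4 vCPUs (a VM4 image), and the generic os-variant.
set -eu

# Return the MAC address one above the given one. The guide says the Virtio NICs
# use sequential MACs; only the low 24 bits (NIC-specific part) are incremented,
# the OUI is left untouched.
next_mac() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    oui=$(printf '%s' "$hex" | cut -c1-6)
    nic=$(printf '%s' "$hex" | cut -c7-12)
    n=$(( (0x$nic + 1) % 16777216 ))
    printf '%s%06X' "$oui" "$n" | sed 's/../&:/g; s/:$//' | tr 'A-F' 'a-f'
}

# Extract the tarball and give this VM its own copy of the Virtio disk, as the guide
# recommends when several VMs of the same type share a directory. Refuses to clobber
# an existing disk so a redeploy never overwrites a running VM's image.
prepare_disk() {
    tarball="$1"; newname="$2"
    if [ -e "$newname" ]; then
        echo "refusing to overwrite existing disk $newname" >&2
        return 1
    fi
    tar -xf "$tarball"
    mv ERC-VM4-disk-1.raw "$newname"
}

# Print the virt-install command: imported raw disk behind a Virtio-SCSI controller,
# two Virtio NICs with sequential MACs, no installer media. Nothing is executed here,
# so the operator can review NIC order and MACs before defining the VM.
virt_install_cmd() {
    name="$1"; disk="$2"; mac1="$3"
    mac2=$(next_mac "$mac1")
    printf 'virt-install --name %s --memory 4096 --vcpus 4 --import --os-variant generic' "$name"
    printf ' --controller type=scsi,model=virtio-scsi'
    printf ' --disk path=%s,format=raw,bus=scsi' "$disk"
    printf ' --network bridge=br0,model=virtio,mac=%s' "$mac1"
    printf ' --network bridge=br0,model=virtio,mac=%s\n' "$mac2"
}

# Usage (uncomment the first line once the tarball is in the current directory):
# prepare_disk McAfee_ETM_VM4_250.tgz my_first_erc.raw
virt_install_cmd my_first_erc my_first_erc.raw 52:54:00:10:20:30
```

The vCPU count is fixed at 4 to match the VM4 image, since the guide states that processors cannot be added to or removed from the VM; a second ERC in the same directory would be prepared with a different disk name and a base MAC two above the first one.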

Mount ESM on an AWS VM

Contents
    Using ESM with AWS
    Create the AWS
    Create an ESM image and install it on AWS
    Configure ESM AWS connections

Using ESM with AWS

An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.

The basic steps to create an AWS server in your network with McAfee ESM include:

1 Get an AWS account from http://aws.amazon.com/.

2 Log on to the AWS Management Console and configure your AWS instance.

3 Install the ESM, ERC, ELM, ELS, or ACE software.

4 Configure the ESM device.

Create the AWS

Before you can install ESM on an AWS server, you must create the server with the proper settings and create a connection to your enterprise network.

Before you begin

You must have an Amazon Web Services account.

This example, and the selected values, describe creating a simple ESM server. The values you select might be different.

Task

1 Log on to the AWS console to display the AWS Console page.

2 Set the AWS data center region to the location closest to most of your networks.


3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.

This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.

4 Open Step 2: Choose an Instance Type, select m3.large, then click Next: Configure Instance Details.

When choosing the Instance Type for a McAfee device, make sure to select the correct CPU count.

5 Click Next: Configure Instance Details to select the network to use while running your instance.

Make sure you are able to connect to your instance using:

• Public address

• Private address

You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.

6 Click Next: Add Storage to open Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.

The default for McAfee devices is 250 GB. You can add more volumes if you need them.

7 Click Next: Tag Instance to open Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.

8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:

• Create a new security group — A new security group limits who can log on to the instance.

Add your external-facing IP address range.

• Select existing security group.

9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.

Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.

10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.

11 Click Launch Instance and View Instances to confirm the status of the AWS server.

It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.

12 Make a note of the public IP address. Shown in this example as: cc.dd.ee.ff.

This IP address is needed to transfer the installer to the instance and to log on to.

You have created your AWS server. Continue with the AWS image creation and installation process.

Create an ESM image and install it on AWS

Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.

Before you begin

You must have created the AWS server and connected to the server.


You must know the configured IP address of the AWS server.

Task

1 Use scp or pscp (PuTTY Secure Copy Client) to convert the .pem file to .ppk.

For example, using Secure Copy Client, use this command to convert the key file and transfer it to the new AWS instance:

scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

Using PuTTY Secure Copy Client, use this command to convert the file:

pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

These are the variables in the previous examples:

• siem_install.sh — Installer script file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP.

2 Log on to the new AWS instance using SSH or PuTTY with this command:

ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff

These are the variables in the example:

• mykeypair.pem — SSH key file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

3 Type this command to change to root, then press Enter:

sudo su

4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:

[root@<IP address> <ec2-user name>]# aws configure
AWS Access Key ID [None]: <Access Key ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: (Leave blank, and press Enter)
Default output format [None]: (Leave blank, and press Enter)

5 Confirm that the installation script is executable. If needed, use chmod. For example:

chmod u+x siem_install.sh


6 Create an AMI image and an instance with this command:

./siem_install.sh

If you see an error that says the keys were not defined, you can add the keys on the command line. For example:

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh
The AWS access key or the AWS Secret key were not defined
[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>

To access Help for the output options:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h
install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2
install_McAfee_ETM_VM8.sh [options]

options:
-h, --help    show brief help
-O            AWS key
-W            AWS Secret Key

Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done

7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.

Terminating the instance destroys the instance.

8 Log on to AWS, click the AMIs sidebar and find the AMI that you created.

This AMI now has the name from the installation script. In this example, McAfee_ETM_VM8.

9 Right-click the AMI name and click Launch.

10 Go through the launch options, then click Launch. For McAfee type devices, the key pair step is not needed. Select Proceed without a key pair and click the acknowledgment.


11 Once the AMI is launched and goes through the "status checks", open a browser and navigate to the assigned IP address. For this example, type http://172.31.6.172/ in the browser.

All McAfee devices in AWS are enabled using DHCP and the IP address is assigned to them automatically.

The IP address that you navigate to depends on how you set up networking in the AWS. You can have a private IP address or public IP address. For long-term use, we recommend using a private IP address.

The first time you log on to the ESM, this warning indicates that you are in the cloud and need to confirm the features you are licensed to use.

In this example, the hash has been obfuscated.

12 Click Email Hash to populate your default email client with the created hash.


13 Add your grant number to the email and send it.

A Hash Accepted dialog box indicates that your hash was successfully sent.

A Support Representative looks at your grant number and verifies the features you are licensed to have. They then send you a hash string back to overwrite the previously displayed hash string. When you click Send, you can log on for the first time.

14 When you log on to the AWS again, overwrite the existing hash with the hash sent by McAfee, then click Send.

Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.

Configure ESM AWS connections

After you configured the hash for the AWS ESM, you must connect and add the devices.

Before you begin

You must have created the AWS and installed ESM on the AWS.

Task

1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.

2 Connect both physical and virtual devices to the ESM.

3 Confirm that all various ESM devices appear in ESM before configuring the devices.

4 Key the devices to complete the device configuration.


Mount ESM on an AWS HVM

Install ESM on AWS HVM

McAfee ESM is installed on AWS HVM using scripts. The SIEM Amazon EC2 installer scripts create Amazon Machine Images (AMIs) from which you can launch VM instances of devices. There is a separate installer for each device (ETM, ERC, McAfee ACE, etc.), and each installer produces an AMI for that specific device.

Before you begin

Make sure you have the installer script(s).

Task

1 On the Amazon EC2 dashboard, select Instances in the left menu bar, then click Launch Instance.

2 Select Amazon Linux AMI.

3 On the Choose Instance Type screen, choose m3.medium or m4.large and click Next.

4 On the Configure Instance Details screen, click Next.

5 On the Add Storage screen, click Next.

6 On the Add Tags screen, click Next.

7 On the Configure Security Group screen, select Create or select a security group that allows you to have SSH access to the instance.

8 Click Review And Launch.

9 Click Launch.

10 Select a key pair that you have access to and click Launch Instances.

11 At the command prompt, type scp -i ~/my_key.pem install_hvm_etm_16.sh ec2-user@instance_ip_address:

The installer script is copied to the VM.

12 Log in by typing ssh -i ~/my_key.pem ec2-user@instance_ip_address.

13 Become root by typing sudo su.

14 Type aws configure.

a Enter the AWS Access Key.

b Enter the AWS Secret Key.

c Leave the other fields blank.

15 At the root command prompt (#), type ./install_hvm_ace_16.sh.

When the installer script has completed (15–20 minutes), a new AMI is registered in your AWS account. You can use this AMI to launch a VM.

The Amazon Linux instance that was used to run the installer is no longer needed and can be terminated.


4 Perform initial ESM configuration

Contents

Log on to the McAfee ESM console

Add devices to the ESM console

Confirm in ESM that all devices appear

Key a device

Log on to the McAfee ESM console

Log on to the console to begin configuring the system and device settings.

Before you begin

Verify whether you are required to operate the system in Federal Information Processing Standard (FIPS) mode. FIPS consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.

Task

1 Open a web browser and go to the IP address you set when you configured the ESM network interface. For example, if the ESM IP address is 172.016.001.140, type the following in your browser:

https://172.016.001.140/

2 Click Continue to site, if a self-signed certificate error appears for your browser.

3 Click Login, select the language for the console, then type the default user name and password.

• Default user name: NGCP

• Default password: security.4u

4 Click Login, read the End User License Agreement, then click Accept.

5 When prompted, change your user name and password, then click OK.

6 Select whether to enable FIPS mode. If you click Yes, confirm the additional prompt.

If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to.

7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.


8 Perform initial ESM configuration:

a Select the language to be used for system logs.

b Select the time zone where this ESM is and the date format used with this account, then click Next.

9 Enter the server information for the ESM.

a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.

d Click Next.

10 (Optional) If you need to connect through a proxy server, type its IP address, port number, and credentials, set the local network setting, then click Next.

11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.

12 Add your Network Time Protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:

• NTP Server IP address

• Authentication Key

• Key ID

To achieve best results in the ESM, it's important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.

13 To automatically check the ESM server for rule updates:

• Type your customer ID and password to verify your identity.

• Configure your Auto check interval in hours and minutes.

• Click Check Now or Manual Update.

14 Click Finish.

15 In the Network settings change dialog box, click Yes to restart the ESM service.

The restart takes about 90 seconds to complete. Then you might be required to log back on to the ESM.

Add devices to the ESM console

After you set up and install the physical and virtual devices, add them to the ESM console.

Before you begin

Set up and install the devices.

Complete the following steps only for a complex ESM installation with multiple ESM devices. Do not complete this task for a simple ESM installation using a combination ESM.


Task

1 On the system navigation tree, click Local ESM or a group.

2 Click the Add devices icon.

3 Select the type of device you are adding, then click Next.

4 In the Device Name field, enter a unique name in this group, then click Next.

5 Provide the information requested:

• For McAfee ePO devices — Select a Receiver, type the credentials required to log on to the web interface, then click Next. Type the settings used to communicate with the database.

Select Require user authentication to limit access to those users who have the user name and password for the device.

• For all other devices — Type the target IP address or URL for the device.

6 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.

7 Enter a password for this device, then click Next.

ESM tests device communication and reports on the status of the connection.

Confirm in ESM that all devices appear

In the ESM console, confirm that all ESM devices appear before you begin detailed configuration of the devices.

For detailed information about performing these confirmation steps, see the McAfee Enterprise Security Manager Product Guide.

Task

1 Log on to the McAfee ESM console, and find the System navigation pane to view the devices on the system.

2 Click Menu | Configuration to view the physical display.

3 Confirm that you can click the Add devices icon to see the devices that you installed in the racks and configured with their network settings.

Once the devices are added, you must key each device to enable communication and complete the installation. See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.

Key a device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network.


Task

1 Log on to the ESM console using a browser. See Log on to the McAfee ESM console for details.

2 On the system navigation tree, click a device, then click the Properties icon.

3 Click Key Management | Key Device.

If the device has an established connection and can communicate with the ESM, the Key Device Wizard opens.

4 Type a new password for the device, then click Finish.


5 Update a single device

If the software on your device is out of date, upload a new version of the software from a file on the ESM or your local computer.

Before you begin

If you have had your system for more than 30 days, you must obtain and install your permanent credentials to access the updates.

If your system requires offline updates, download the update file from the McAfee download site.

If you must comply with Common Criteria and FIPS regulations, do not upgrade the ESM in this way. Call Technical Support to obtain a FIPS certified update.

Task

1 On the system navigation tree, select a device, then click the Properties icon.

2 Click <device> Management, then select the Maintenance tab.

3 Select an update from the table or click Browse to locate the update software on your local system.

4 Click OK.

If you are updating a device using the device management Update Device option, this starts the update process. If you are updating multiple devices using the Multi-Device Management option, this returns you to the Multi-Device Management page.

The device restarts with the updated software version.


6 Update the ESM system

Contents

Prepare to update

Identify and address special update scenarios

Update devices (non-FIPS mode)

Update devices (FIPS mode)

Update high availability Receivers

Prepare to update

Contents

Download the update files

Back up the database

Back up McAfee ESM settings and system data

Check ERC high availability status

Download the update files

When the system is ready to upgrade, download the upgrade files to your local system.

Before you begin

You must have a grant number.

Task

1 Go to the McAfee product download site.

2 Click Download, enter your grant number, type the letters as displayed, then submit.

3 Select McAfee Enterprise Security Manager and click the All Versions tab.

4 Download the release file to your local system.

Device type and update file:

• Standalone McAfee Enterprise Security Manager (ESM): ESS_Update_10.2.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver (ESMREC): ESSREC_Update_10.2.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box: ESSREC_Update_10.2.0.signed.tgz


Back up the database

1 Make sure that the ESM database rebuild from a previous build (9.6.x or later) is complete, and that you can schedule the outage window for this update.

2 Complete a database backup of the ESM. Export or back up the following items to ensure ease of recovery if an update renders a rule, event, or other content unusable:

Alarms: In System Properties, click Alarms, highlight each alarm, then click Export and save the file.

Watchlists: In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.

Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.

1 In the Rule Types pane, click a rule type.

2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.

3 Highlight the rules, click File | Export | Rules, then save them in XML format.

Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.

Type of information and details:

Device types supported: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with devices running ESM 9.6.x and higher. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Save Receiver settings: Make sure all Receiver settings are saved before updating. If you don't save the settings, a problem occurs that can cause issues on the Receiver and other devices. Make sure all settings for every device are saved before updating to any version.

Rebuild time: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the update of the ESM database:

• Set the collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.

• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.

Upgrade paths: You must update prior versions to 9.6 or higher before you can update to 10.2.0.

Upgrade Receiver-HA devices: To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.

Make sure all device settings are saved before updating.

Back up McAfee ESM settings and system data

Before you begin

Complete a full backup before any major version update to avoid data loss. A full backup contains:

• Settings for the ESM, ERC, DEM, ADM, and ACE devices.

ELM full backups only include configuration settings. The database settings must be backed up separately or you lose all database connections to your local shares, remote shares, and SANs.


• Stop CPService and then DBServer and create a copy of the contents of: /usr/local/ess/data/, /etc/NitroGuard, and other folders on a remote share.

If you encounter issues during the update, you can:

• Reinstall the software to the existing version.

• Reinstall the backup files.

• Try updating to the next version again.

Backups are only compatible with the current version of the ESM device. You can't install a backupof a previous version on an updated ESM device.

Task

1 On the system navigation tree, select System Properties, then click ESM Management | Maintenance | Backup.

2 Define the settings for the backup then click OK.

Options and definitions:

Backup Frequency: When new ESM devices are added to the system, the Backup & Restore function is enabled to perform a backup every seven days. You can change the frequency or disable backup.

Backup Data For: Select what you want to include in the backup.

Backup Location: Select where you want the backup saved:

• ESM — Saved on McAfee ESM and accessed on the File Maintenance page.

• Remote Location — Saved in the location you define in the fields that become active. If you save a copy of the ESM and all system data manually, you must select this option.

When you back up to a CIFS share, use a slash (/) in the remote path field.

Backup Now: Manually back up ESM settings and events, flows, and logs (if selected). Click Close when the backup is completed successfully.

Full Backup Now: Manually save a copy of the device settings and the system data. This can't be saved to McAfee ESM, so you must select Remote Location in the Backup Location field and enter the location information.

Using the Common Internet File System (CIFS) share type with Samba server versions greater than 3.2 can result in data loss.

Check ERC high availability status

If your system includes high availability Receivers, check that IP addresses will not be duplicated.

Before you begin

You must have Administrator privileges to complete this task.

Task

1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.

2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.


3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:

OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no

4 Verify the following in the status:

• The first line of the response is OK.

• Host name is the same as the host name on the command line minus the ERC model number.

• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.

• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.

• corosync= shows the running status of corosync, which should be running.

• hi_bit is no on one ERC and yes on the other ERC.

Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before upgrading to correct this misconfigured setting.

5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.

6 Verify the following in the data that is generated:

• The MAC addresses on eth0 and eth1 are unique on both ERCs.

• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.

If both HA ERCs are set to the same value, call Technical Support before upgrading to correct this misconfigured setting.

This spot check ensures that the system is functional and that no duplication of IP addresses exists, which means that the devices can be updated.
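One way to automate the spot check in steps 3 through 6, as an added example that is not McAfee's code: it parses ha_status and ifconfig captures taken on both ERCs and reports anything that would mean calling Support before upgrading. The hostnames, MAC addresses and addresses below are constructed samples, and the shared IP address is supplied by the administrator, since ha_status names only the host that holds it.

```python
"""Pre-upgrade spot check of a Receiver HA (ERC-HA) pair from captured output.

Checks ha_status and ifconfig output from both ERCs as the guide lists: first line OK,
mode consistent with sharedIP, both hosts online, corosync running, hi_bit on exactly
one ERC, unique MACs, and the shared IP on the primary's eth1 only.
"""
import re
from typing import Dict, List

# Constructed ha_status captures, keyed by the host each was taken on.
HA_STATUS = {
    "McAfee1": ("OK\nhostname=McAfee1\nmode=primary\nMcAfee1=online\nMcAfee2=online\n"
                "sharedIP=McAfee1\nstonith=McAfee2\ncorosync=running\nhi_bit=no\n"),
    "McAfee2": ("OK\nhostname=McAfee2\nmode=secondary\nMcAfee1=online\nMcAfee2=online\n"
                "sharedIP=McAfee1\nstonith=McAfee1\ncorosync=running\nhi_bit=yes\n"),
}
# Constructed ifconfig captures (classic net-tools layout), keyed the same way.
IFCONFIG = {
    "McAfee1": ("eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:01\n"
                "          inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0\n"
                "eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:02\n"
                "          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0\n"),
    "McAfee2": ("eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:03\n"
                "          inet addr:10.0.0.12  Bcast:10.0.0.255  Mask:255.255.255.0\n"
                "eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:04\n"
                "          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n"),
}
SHARED_IP = "10.0.1.100"  # constructed shared address of the pair; ha_status names only its holder


def parse_ha_status(text: str) -> dict:
    """Return {'ok': first line is OK, 'fields': {key: value}} from ha_status output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = dict(ln.partition("=")[::2] for ln in lines[1:] if "=" in ln)
    return {"ok": bool(lines) and lines[0] == "OK", "fields": fields}


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Return {iface: {'mac': ..., 'ip': ...}} from classic ifconfig output."""
    ifaces: Dict[str, dict] = {}
    current = None
    for ln in text.splitlines():
        if not ln.strip():
            continue
        if not ln[0].isspace():  # an unindented line starts a new interface block
            current = ln.split()[0]
            mac = re.search(r"HWaddr\s+([0-9A-Fa-f:]{17})", ln)
            ifaces[current] = {"mac": mac.group(1).lower() if mac else None, "ip": None}
        elif current:
            ip = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", ln)
            if ip:
                ifaces[current]["ip"] = ip.group(1)
    return ifaces


def check_ha_pair(status_by_host: Dict[str, str], ifconfig_by_host: Dict[str, str],
                  shared_ip: str) -> List[str]:
    """Return the problems found; an empty list means the pair is ready to update."""
    hosts = sorted(status_by_host)
    if len(hosts) != 2:
        return ["expected ha_status captures from exactly two ERCs"]
    parsed = {h: parse_ha_status(status_by_host[h]) for h in hosts}
    problems: List[str] = []
    for host in hosts:
        f = parsed[host]["fields"]
        if not parsed[host]["ok"]:
            problems.append(f"{host}: first line of ha_status is not OK")
        if f.get("hostname") != host:  # the prompt-vs-model-number check is done by eye
            problems.append(f"{host}: ha_status reports hostname={f.get('hostname')}")
        expected_mode = "primary" if f.get("sharedIP") == host else "secondary"
        if f.get("mode") != expected_mode:
            problems.append(f"{host}: mode={f.get('mode')} but sharedIP={f.get('sharedIP')}")
        for peer in hosts:
            if f.get(peer) != "online":
                problems.append(f"{host}: sees {peer} as {f.get(peer)!r}, not online")
        if f.get("corosync") != "running":
            problems.append(f"{host}: corosync={f.get('corosync')}")
    owners = {parsed[h]["fields"].get("sharedIP") for h in hosts}
    if len(owners) != 1 or not owners <= set(hosts):  # both must name the same holder
        problems.append(f"ERCs disagree on sharedIP: {sorted(map(str, owners))}")
    hi_bits = sorted(parsed[h]["fields"].get("hi_bit", "") for h in hosts)
    if hi_bits != ["no", "yes"]:  # the same value on both ERCs means call Support first
        problems.append(f"hi_bit must be yes on exactly one ERC, got {hi_bits}")
    macs: List[str] = []
    for host in hosts:
        ifaces = parse_ifconfig(ifconfig_by_host.get(host, ""))
        for name in ("eth0", "eth1"):
            mac = ifaces.get(name, {}).get("mac")
            if mac is None:
                problems.append(f"{host}: no MAC address found for {name}")
            else:
                macs.append(mac)
        eth1_ip = ifaces.get("eth1", {}).get("ip")
        if parsed[host]["fields"].get("sharedIP") == host:  # the primary holds the shared IP
            if eth1_ip != shared_ip:
                problems.append(f"{host}: primary but eth1 has {eth1_ip}, expected {shared_ip}")
        elif eth1_ip is not None:
            problems.append(f"{host}: secondary but eth1 has address {eth1_ip}")
    if len(set(macs)) != len(macs):
        problems.append(f"MAC addresses are not unique across the pair: {macs}")
    return problems
```

Run check_ha_pair on the two captures; an empty list means both ERCs pass the spot check, otherwise each entry names the host and the failed condition.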


Identify and address special update scenarios

In special situations, you must take additional steps before or after updating.

Task

1 If you are installing a new McAfee ESM model:

a Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive updates.

b To get your permanent user name and password, email [email protected] with the following information:

• McAfee grant number

• Account name

• Address

• Contact name

• Contact email address

2 If you need offline rule updates:

a Open a web browser and go to http://www.mcafee.com/us/downloads/downloads.aspx.

b Click Download, enter your grant number, type the letters as displayed, then submit.

c Select McAfee Enterprise Security Manager and click the All Versions tab.

d Download the rules for your version of McAfee ESM.

3 If you experience device communication issues during the update process:

If you updated a McAfee device before updating McAfee ESM, or the ESM is in the middle of upgrading, this message might appear: The device must be upgraded before the operation can be performed. Verify that McAfee ESM has the correct version.

a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.

b Click Connection, then click Status.

c Retry the operation that resulted in the message.

4 If your system includes a McAfee ePO with Policy Auditor, refresh it.

a If you are not on an all-in-one device, upgrade the McAfee Event Receiver where the McAfee ePO device is connected.

b On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh.

You can set up auto-retrieval on the Device Management tab.

c Click Receiver Properties, and then select the Vulnerability Assessment tab.

d Click Write.

e Repeat step b to get VA data on the McAfee ESM.

f Log off the McAfee ESM console, then log on.

5 Check the status of the ELM database rebuild process.

Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing. But this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.

a Go to ELM Properties | ELM Information.

b If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.

c If you have Event Receivers logging to the ELM and they are near maximum capacity, contact Support.

Caution: Data loss may result if you turn off a device during a rebuild. Do not turn off a device during a rebuild.

6 If you are updating a redundant ELM:

a Upgrade the standby ELM.

b Update the active ELM.

c On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.

d Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.

e If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK and the redundant ELM resync is 100% complete. You might need to click Refresh several times.

Update devices (non-FIPS mode)

Update the ESM and its devices, then rewrite the device settings and roll out policy.

Before you begin

• Read the release notes.

• Make sure that your system is running version 9.6 or later.

• If you recently upgraded, make sure that the database rebuild is complete.

• Make sure that you have communication with each device in the system.

• Get the manual rules update file from the McAfee download site.

When updating, all active collectors stop collecting data until you rewrite the device settings and roll out the policy.

Task

1 Update standalone ESM devices first, then ESM combo devices.

a On the dashboard, select the ESM on the system navigation tree, then click the Properties icon.

b Click ESM Management, then select the Maintenance tab.

c Click Update ESM.


d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

2 Wait until the database build is complete.

3 Update the ELM.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update ELM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

4 Update Receiver, ACE, DEM, and ADM devices.

If your system includes high availability receivers, use the Update high availability receivers process.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update <device>.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

The update process starts and can take several hours.

5 Apply updated rules.

a On the system navigation tree, select the ESM, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.

6 Rewrite McAfee Event Receiver or ESM/Event Receiver combo settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Data Sources | Write.

c Click Vulnerability Assessment | Write.

7 Rewrite ACE settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Risk Correlation Management | Write.

c Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

d Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.


8 Rewrite DEM or ADM settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Virtual Devices | Write.

c For database servers: Click Database Servers | Write.

9 Roll out the policy to all updated devices.

10 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

11 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Update devices (FIPS mode)

Before you begin

• Read the release notes.

• Make sure that your system is running version 9.6 or later.

• If you recently updated, verify that the database rebuild is complete.

• Get the manual rules update file from the McAfee download site.

When updating, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.

Failure to update the devices before updating the ESM when in FIPS mode can affect ELM log collection.

Task

1 Update standalone ELM devices.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click ELM Management, then select the Maintenance tab.

c Click Update ELM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

2 Update the McAfee Event Receiver, ACE, DEM, and ADM.

If your system includes high availability receivers, use the Update high availability receivers process.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update <device>.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.


3 Update ESMs and combo devices.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click ESM Management, then select the Maintenance tab.

c Click Update ESM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

The update process starts and can take several hours.

4 Verify that you have communication with the devices.

5 Apply the updated rules.

a On the system navigation tree, select the system, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.

6 Rewrite McAfee Event Receiver or ESM/Event Receiver combo settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Data Sources | Write.

c Click Vulnerability Assessment | Write.

7 Rewrite ACE settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Risk Correlation Management | Write.

c Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

d Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.

8 Rewrite DEM or ADM settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Virtual Devices | Write.

c For database servers: Click Database Servers | Write.

9 Roll out the policy to all updated devices.

10 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

11 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).


Update high availability Receivers

Update both Receivers, starting with the secondary Receiver.

Task

1 On the system navigation tree, select the Receiver-HA device, then click the Properties icon.

2 Set the primary Receiver to No Preference, which allows you to use the Fail-Over option.

3 Update the secondary Receiver.

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The Receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary Receiver, then click OK.

4 Change the secondary Receiver to primary by clicking High Availability | Fail-Over.

5 Update the other Receiver.

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The Receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary Receiver, then click OK.


Index

A

Amazon Web Services

configure connections 19

create the AWS 14

installation overview 14

AWS, See Amazon Web Services

C

console

add device 22

D

devices

add device 22

add to console 22

E

EPS, See events per second

ERC

simple and complex network scenarios 6

events per second

determines ERC throughput 6

K

key

initial device configuration 23

KVM

deploy 13

requirements 13

S

Security Analyst

in ESM scenarios 6

V

virtual machine

configure 9

requirements 12
