Interface Groups - McAfee M-1250 - Network Security Platform Deployment Manual

Deployment guide

McAfee® Network Security Platform 6.0
Sensor Deployment Modes
"Primary" versus "active"
You configure a Failover Pair using the Manager's Configuration page. You designate one
Sensor as the Primary Sensor and the other as Secondary. This designation is used
purely for configuration purposes and has no bearing on which Sensor considers itself
active.
Once configured, the two Sensors exchange information to determine their respective
roles; the Sensor that has been online the longest becomes the active Sensor. If they have
been online for exactly the same amount of time, the Sensor with the higher serial number
takes the active role. The Sensors communicate every second to determine if their peer is
available. If the failover pair cannot communicate with each other, each Sensor will
assume its peer Sensor is down, and both will issue alerts. If communication is
re-established, the two Sensors communicate to determine their respective failover roles.
When one Sensor is brought up well after the other, the new Sensor synchronizes state
with the old Sensor and builds on the synchronized state based on the packets received
on its monitoring and interconnect ports.
This Active-Active configuration provides the added benefit of supporting asymmetric
traffic flows (that is, when packets belonging to the same TCP/UDP flow are divided
across Sensors). Thus, the Network Security Platform failover pair will detect attacks even
when the traffic is asymmetric. This topic is discussed in the section Interface groups (on
page 24).

Interface groups

An interface group, also known as port clustering in networking parlance, combines the
traffic processed on separate Sensor interfaces—or, in the case of a Failover Pair, on
separate Sensors—into a single logical interface for state and intrusion analysis.
Asymmetric routing is a good example of where an interface group is recommended. In
asymmetric routing, a TCP connection does not always send and receive along the same
network path. Therefore, a single-interface Sensor monitoring this transmission may see
only the traffic received, not the traffic sent in response, and so does not see all data
from the transmission.
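
The effect of asymmetric routing on stateful analysis, as an added example that is not taken from the manual or from the Sensor software. It replays one constructed TCP flow whose two directions cross different interfaces, first with separate per-interface state tables and then with both interfaces feeding one logical interface. The interface names (1A, 2A), the group name, the addresses and the simplified handshake state machine are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (sensor interface, src, dst, TCP flags).
# Client-to-server packets cross 1A; the server's replies return via 2A.
PACKETS = [
    ("1A", "10.0.0.5:40000", "192.0.2.10:80", "SYN"),
    ("2A", "192.0.2.10:80", "10.0.0.5:40000", "SYN-ACK"),
    ("1A", "10.0.0.5:40000", "192.0.2.10:80", "ACK"),
    ("1A", "10.0.0.5:40000", "192.0.2.10:80", "PSH-ACK"),
    ("2A", "192.0.2.10:80", "10.0.0.5:40000", "PSH-ACK"),
]

def track_flows(packets, grouping):
    """Return {logical_interface: {flow: state}} after replaying packets.

    grouping maps a physical interface to the logical interface whose
    state table it feeds; an ungrouped interface maps to itself.
    """
    tables = defaultdict(dict)
    for iface, src, dst, flags in packets:
        logical = grouping.get(iface, iface)
        flow = frozenset((src, dst))  # direction-independent flow key
        table = tables[logical]
        state = table.get(flow, "NONE")
        if flags == "SYN" and state == "NONE":
            table[flow] = "SYN_SEEN"
        elif flags == "SYN-ACK" and state == "SYN_SEEN":
            table[flow] = "SYNACK_SEEN"
        elif flags == "ACK" and state == "SYNACK_SEEN":
            table[flow] = "ESTABLISHED"
        elif state != "ESTABLISHED":
            # Packet does not fit the handshake seen so far on this
            # logical interface, so the flow cannot be fully tracked.
            table[flow] = "INCOMPLETE"
    return {name: dict(flows) for name, flows in tables.items()}

def established(tables):
    """Logical interfaces holding at least one fully tracked flow."""
    return sorted(n for n, t in tables.items() if "ESTABLISHED" in t.values())

if __name__ == "__main__":
    print("ungrouped:", track_flows(PACKETS, {}))
    print("grouped:  ", track_flows(PACKETS, {"1A": "group-1", "2A": "group-1"}))
```

With no grouping, neither interface ever holds an established flow; with both interfaces in one group, the same packets produce a single established flow.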