The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
Contents
Preface
Introducing McAfee IntruShield IPS
About this guide
Contents of this guide
Audience
Conventions used in this guide
Related Documentation
Contacting Technical Support
Chapter 1 An introduction to IntruShield sensors
What is an IntruShield sensor?
Cabling for in-line mode
Cabling the I-3000 to monitor in in-line mode
Cabling for Tap mode
Cabling the I-3000 SFP ports to monitor in external tap mode
Cabling for SPAN mode
Cabling the I-3000 sensor to monitor in SPAN or hub mode
Cabling the failover interconnection ports
Index
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
McAfee® IntruShield® IPS 4.1 Preface IntruShield Sensor 3000 Product Guide Audience • Chapter 4: Attaching Cables to the I-3000 Sensor (on page 21) describes how to attach monitoring and response cables to the sensor, and how to cable the sensor to operate in various operating modes.
Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:
Information http://www.mcafee.com/us/about/contact/index.html page. Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
TCP connections, “scrubbing” malicious packets, and even blocking attack packets entirely before they reach the intended target.
Sensor platforms
McAfee offers multiple sensor platforms providing different bandwidth and deployment strategies.
This document describes the I-3000 sensor.
The IntruShield 3000 sensor
The high-port-density IntruShield 3000 (the I-3000), designed for high-bandwidth links, is equipped to support six full-duplex Ethernet segments, or twelve SPAN ports transmitting no more than 1 Gbps for up to 1 Gbps of aggregated traffic.
(optional, purchased separately). Power supply B is a hot-swappable, redundant power supply. This power supply also uses a standard IEC320-C13 port, and you can use the McAfee-provided cable or acquire one that meets your specific needs. The I-3000 does not have internal taps; it must be used with a 3rd party external tap to run in tapped mode.
Status  Description
Power A
  Green: Power Supply A is functioning.
  Amber: Power Supply A is not functioning.
Power B
  Green: Power Supply B is functioning.
Status Description Response Port Green The link is connected. Link The link is disconnected.
CHAPTER
Before you install
Sensor specifications, safety measures, unpacking a sensor
This chapter describes best practices for deployment of IntruShield sensors on your network. Topics include system requirements, site planning, safety considerations for handling the sensor, and usage restrictions that apply to the sensor.
I-3000 sensor specifications
The following table lists the specifications of the I-3000 sensor.
Supported UDP Flows: 750,000
DoS Profiles: 5000
SYN rate (64-byte packets per second): 500,000
ACL Rules (refer to note below): 1000
Computing Number of ACL rules utilized per sensor
You can calculate the number of ACL rules being utilized per sensor by adding all the rules configured at the sensor-level, port-level, and sub-interface level.
Safety measures
The safety measures given below apply to all sensor models unless otherwise specified. Carefully read the following warnings before you install the product. Failure to observe these safety warnings could result in serious physical injury.
• The sensor appliance is not a general purpose workstation.
• McAfee prohibits the use of the sensor appliance for anything other than operating the IntruShield IPS.
• McAfee prohibits the modification or installation of any hardware or software in the sensor appliance that is not part of the normal operation of the IntruShield IPS.
• one power cord. McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country-appropriate power cable.
• one set of rack mounting ears
•...
CHAPTER
Setting up the I-3000 sensor prior to configuration
This chapter describes the process of setting up a sensor prior to configuring it via the ISM.
Setup overview
Setting up a sensor involves the following steps:
Positioning the sensor.
Figure 2: Attaching the mounting ears to the sensor chassis
Mounting the I-3000 sensor in a rack
McAfee recommends rack-mounting your sensors. The rack-mounting hardware included with the sensors is suitable for most 19-inch equipment racks and telco-type racks. For maintenance purposes, you should have access to the front and rear of the sensor.
Mount the sensor by securing the ears to two posts or mounting strips in the rack. Because the ears bear the weight of the entire sensor, be sure to fasten the ears securely to the rack.
Note: For true redundant operation with the optional redundant power supply, McAfee recommends that you plug each supply into a different power circuit. For optimal protection, use uninterrupted power sources.
Removing a power supply
To remove a power supply from the I-3000 (Optional—the power...
GBIC interfaces.
Note: To ensure compatibility, McAfee supports only those SFP modules purchased through McAfee or from a McAfee-approved vendor. For a list of approved vendors, see the on-line KnowledgeBase, McAfee Support Site: https://mysupport.mcafee.com
These installation instructions provide information for installing an SFP module that uses a bail clasp for securing the module in place in the sensor.
SFP module optical bore and save the plug for future use.
Note: If you choose not to use the port, McAfee still recommends that you leave an SFP module in the slot.
Insert the SFP module plug into the module optical bore for protection.
Connecting copper SFP for 10/100 Fast Ethernet ports
In addition to fiber GBICs, McAfee supports copper SFPs for I-3000 and I-4010 sensors. I-3000 and I-4010 sensors, when packaged, are set to 1 Gbps speed. When a copper...
To connect a copper SFP
Remove the SFP module from its protective packaging.
Ensure the SFP module is the correct model for your network.
The I-3000 sensor has no power switch. The sensor powers on as soon as one of its power cables is connected to a power source.
Powering off the sensor
McAfee recommends that you use the shutdown CLI command to halt the sensor before powering it down. For more information on CLI commands, see...
Follow the steps outlined in this chapter to connect cables to the various ports on your sensor.
Cabling the Console port
The Console port is used for setup and configuration of the sensor. For console connections, plug the DB9 Console cable supplied by McAfee into the Console port (labeled Console on the sensor front panel).
Name: Setting
Baud rate: 9600
Number of bits:
Parity: None
Stop bits:
Flow Control: None
Required settings for the modem are:
•...
Connect the other end of the cable to the network device (for example, hub, switch, router) that in turn connects to the ISM server. Note: To isolate and protect your management traffic, McAfee strongly recommends using a separate, dedicated management subnet to interconnect the sensors and the ISM.
Port Pairs
1A and 1B
2A and 2B
3A and 3B
4A and 4B
5A and 5B
6A and 6B
Note: You cannot configure, for example, 1A and 2A to work together as a pair.
Cable types for routers, switches, hubs, and PCs
The cabling instructions in this chapter:
• Use a crossover Ethernet RJ45 cable to connect a router port to 10/100 Monitoring ports.
Cabling for Tap mode
Cabling the I-3000 SFP ports to monitor in external tap mode
The I-3000 sensor’s SFP ports must be used with a 3rd-party external tap.
fail-over pair even if the Primary sensor has some of its monitoring port pairs in non-Inline (TAP/SPAN) mode is provided.
Using fail-open hardware
The Gigabit Fail-Open kit (sold separately) minimizes the potential risks of in-line IntruShield sensor failure on critical network links. Both Copper and Optical versions of the Kit are available.