McAfee M-1250 - Network Security Platform Configuration Manual

IPS Configuration Guide, version 5.1

McAfee® Network Security Platform
Network Security Manager, version 5.1
McAfee® Network Protection
Industry-leading network security solutions
IPS Configuration Guide, revision 10.0


Summary of Contents for McAfee M-1250 - Network Security Platform

  • Page 1 IPS Configuration Guide revision 10.0 McAfee® Network Security Platform Network Security Manager version 5.1 McAfee ® Network Protection Industry-leading network security solutions...
  • Page 2 GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
  • Page 3: Table Of Contents

    Contents
    Preface ... v
    Introducing McAfee Network Security Platform ... v
    About the guide ... v
    Audience ... v
    Conventions used in this guide ... vi
    Related documentation ... vii
    Contacting Technical Support ... viii
    Chapter 1 Overview of IPS settings ... 1
    Configuring and setting rule-based policies ...
  • Page 4

    Restoring an archive ... 131
    Exporting an archive ... 133
    Archiving alerts using dbadmin.bat ... 133
    Restoring alerts using dbadmin.bat ... 134
    Manager database maintenance ... 136
    Capacity planning ... 136
    Alert Data Pruning ... 140
    Manager Pruning ... 142
    Setting up alert notifications ... 143
    Viewing alert notification details ... 143
    Forwarding alerts to an SNMP server ... 144
    Forwarding alerts to a Syslog server ... 146
    Specifying email or pager parameters ... 150
    Specifying script parameters ... 152
    ...
  • Page 5: Preface

    This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support. Introducing McAfee® Network Security Platform...
  • Page 6: Conventions Used In This Guide

    McAfee® Network Security Platform 5.1 Preface not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks. Conventions used in this guide This document uses the following typographical conventions: Convention Example...
  • Page 7: Related Documentation

    McAfee® Network Security Platform 5.1 Preface Related documentation The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides. • Quick Tour • Manager Installation Guide • 4.1 to 5.1 Upgrade Guide •...
  • Page 8: Contacting Technical Support

    Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
  • Page 9: Chapter 1 Overview Of Ips Settings

    Sensor [formerly McAfee® IntruShield® Sensor]. Policy configuration is available to users with a Security Expert or Super User role. When policies are applied, McAfee® Network Security Platform [formerly McAfee® IntruShield®] generates alerts; you can then use the Threat Analyzer to view the resulting alerts.
  • Page 10: Responding To Detected Attacks

    SMTP. Each include rule you add broadens the scope of your detection. Responding to detected attacks When a McAfee Network Security Sensor (Sensor) detects activity to be in violation of a configured policy, a preset response from the Sensor is integral to the protection or prevention process.
  • Page 11: Sensor Actions

    Overview of IPS settings Tip: McAfee recommends using Wireshark (formerly known as Ethereal) for packet log viewing. Ethereal is a network protocol analyzer for Unix and Windows servers that enables you to examine the data captured by your Network Security Sensor.
  • Page 12: How Network Security Platform Calculates Severity Level

    McAfee® Network Security Platform 5.1 Overview of IPS settings How Network Security Platform calculates severity level Network Security Platform assigns a default severity (high, medium, or low) to every attack in its attack database. Severity is based on the immediate effect, or impact, on the target system.
  • Page 13 McAfee® Network Security Platform 5.1 Overview of IPS settings. Category: Exploits. Threat Type Range Used in Network Security Platform: Protocol Violation, Buffer Overflow, Shellcode Execution, Remote Access, Privileged Access, Probe, Evasion Attempt, Arbitrary Command Execution, Code/Script Execution, Trojan, DDoS Agent Activity...
  • Page 14: Chapter 2 Managing Ips Settings

    IPS policy and Reconnaissance policies that have been assigned to the various resources of your McAfee® Network Security Platform. Policies are listed per Sensor, interface, and sub-interface. From the root domain, you can see policies assigned to all child domains.
  • Page 15: Configuring And Managing Policies

    Default Inline IPS policy operates by default when McAfee Network Security Platform is initialized. You can use a provided rule set/policy in its existing state, clone and customize it to fit your needs, or you can create new rule sets/policies then apply to the resources in your protected network.
  • Page 16: Managing Policies With Ips Policy Editor

    McAfee® Network Security Platform 5.1 Managing IPS settings Managing policies with IPS Policy Editor IPS Policy Editor action enables the use of the ultimate refining tool for IPS policy management. The Policy Editor brings together defining alert filters and rule sets for final customization before deployment.
  • Page 17 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 3: IPS Policy List. The Add an IPS Policy window opens with the Policy tab selected. Type a name for your policy. If you want this policy to be applicable in all created child...
  • Page 18 Inbound refers to traffic destined for the internal network, and outbound refers to traffic destined for the external network. McAfee recommends applying different rule sets for inbound and outbound traffic for the following reason: traffic coming into a network area,...
  • Page 19 McAfee recommends applying different rule sets for inbound and outbound traffic for the following reason: traffic coming into a network area, such as the DMZ, may only require DMZ rule set, while traffic leaving the DMZ may be headed for external networks, thus a more generic rule set such as the Default rule set better protects the outbound traffic.
  • Page 20 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 6: Add An IPS Policy Dialog - Exploit Tab. View the attacks for a protocol by selecting a row and clicking View / Edit. You can sort the attacks by clicking any of the following topic columns: Attack Enabled: enforcement status of attack.
  • Page 21 Figure 8: Attack Filter - Drop Down List. All Selected Attacks: Displays all attacks without any filter. Attacks Recommended by McAfee for Blocking: Displays attacks that are recommended for blocking by McAfee. Attacks Eligible for IPS Quarantine: Displays a list of attacks that are eligible for IPS iii.
  • Page 22 McAfee® Network Security Platform 5.1 Managing IPS settings Advanced Search : Allows you to search for attacks using parameters such as attack name, impacted applications, reference ID such as CVE or BugTraq, new attacks, and attacks based on the device family. For more information, see Using Advanced Search to locate attacks.
  • Page 23 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 10: Attack Signatures Display. Benign Trigger Probability: probability that the attack signature will raise a false positive. Attack Direction: origin of flow; the attack was either client or server initiated. Applications Impacted: lists the applications affected by the attack.
  • Page 24 McAfee® Network Security Platform 5.1 Managing IPS settings. Select the option of your choice (New Attacks or Sensor Software Versions) in the Search by field. A set of fields based on your selection will be displayed to help you narrow your search criteria.
  • Page 25 McAfee® Network Security Platform 5.1 Managing IPS settings. To search for attacks based on New Attacks signature files: Select New attacks from the Search by list. Under Search by New Attacks, select: Latest Sigset: To view new attack signature files in the latest download of the signature set.
  • Page 26 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 13: Advanced Search - Search by Software Version Options Select Attacks by Sensor Software Version #1 and Version #2: Select your choice from the list: • All Versions • Both Version #1 and Version #2 •...
  • Page 27 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 14: Select Attacks by Software Versions - Choices. Click Search. The attack list is displayed as per the selected Search criteria. Customizing responses for an exploit attack: Logging. Configure Attack Details for Attack Category: <protocol name>...
  • Page 28 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 15: Edit Attack Details For Attack - Dialog / Logging Tab. Notice the Capture 128 Bytes of Attack Data check box. All TCP- and UDP-based detected attacks log up to 128 bytes of packet data in both receive and transmit directions by default.
  • Page 29: helps you to enable/disable IPS Quarantine and McAfee® Network Access Control (McAfee NAC) notification at Policy level. Note: For more information on configuring IPS Quarantine from policy editors, see IPS Quarantine configuration in Policy Editors (on page 109).
  • Page 30 McAfee® Network Security Platform 5.1 Managing IPS settings Note: For an attack where the direction is Unknown (typically seen when in SPAN or Hub mode), you must set the direction to Inbound for an Exploit or DoS attack to use the Auto. Acknowledge functionality.
  • Page 31 Network Security Platform provides enforcement of DoS traffic profiling by direction of the flow: Inbound, Outbound, or Bidirectional. You must enable attacks for each direction separately. McAfee recommends enabling all Learning Mode attacks, while analyzing your network thoroughly before enabling Threshold Mode attacks.
  • Page 32 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 19: Add An IPS Policy Dialog - DoS / Inbound / Learning Mode. Toggling the Response Sensitivity for All Learning Attacks drop-down list (Medium, High) sets the learning curve for the profile to be less (...
  • Page 33 McAfee® Network Security Platform 5.1 Managing IPS settings. Attack Description: clicking this button opens the full attack description. Annotate Description: click to add your annotations for an attack in the attack encyclopedia. Benign Trigger Probability: chance that detection for the attack will trigger an alert falsely.
  • Page 34 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 22: Add An IPS Policy Dialog - DOS / Inbound / Threshold Mode. View the attack details for the selected attack. See Step 3 of Customizing Denial of Service (DoS) modes (on page 23) for field descriptions.
  • Page 35 McAfee® Network Security Platform 5.1 Managing IPS settings. Click Threshold Mode to return to the attack list. If you customized a DoS threshold attack, a check appears in the Custom column for that attack. Select the Threshold attack you customized and click Enable to enforce detection.
  • Page 36 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 25: Policy Creation - Enter Comment Option. Enter your comments in the Enter Comment field. Click Commit. To view comments in the Audit log table: You can view the comments by clicking on the description (hyperlink).
  • Page 37 McAfee® Network Security Platform 5.1 Managing IPS settings. Click on the hyperlink to view the page. Figure 27: User Activity Audit - Logs. Click Back to return to the Audit log page. User annotations in the Attack Encyclopedia: the Annotate Description feature allows you to add your annotations for an attack in the attack encyclopedia.
  • Page 38 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 28: Edit Attack Details For Attack Dialog - Attack Desc. Button. Select Annotations of Parent Admin Domain. Figure 29: Annotate Attack Description Dialog. Append to: Adds new comments to the existing comments of the parent domain.
  • Page 39 McAfee® Network Security Platform 5.1 Managing IPS settings Note 2: The parent domain cannot view comments added by child domain. Note 3: As child domains cannot edit policies created by parent domains, child domains can create own policies or clone policies. Similarly, child domains are not allowed to edit parent annotations but can append or override them.
  • Page 40 McAfee® Network Security Platform 5.1 Managing IPS settings Note: Child annotations are displayed only in the domain created and its child domains. To override the parent domain annotations, do the following: Select the attack for customization. Click Annotate Desc. Override...
  • Page 41 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 32: Attack Information & Description. Click Attack Desc to view your annotations under the User Comments section of the Attack encyclopedia. Cloning an IPS policy: Cloning duplicates an existing policy, and is similar to a “save as” function. You can edit a Network Security Platform-provided policy.
  • Page 42 If you edit a Network Security Platform-provided policy and later want to recreate that policy as it was when provided by McAfee, simply add a new policy and apply the inbound and outbound rule set that matches the original policy you want to recreate.
  • Page 43 McAfee® Network Security Platform 5.1 Managing IPS settings. Refer to Step 1 through Step 6 of Adding an IPS Policy (on page 8). Tip: Bulk editing is also useful for quickly customizing several attacks when either cloning or editing a policy.
  • Page 44 McAfee® Network Security Platform 5.1 Managing IPS settings. (Optional) Select the Severity for all selected attacks from the drop-down list. If there are multiple attacks with different severities, this action assigns the same severity across all selected attacks. Sensor Response...
  • Page 45 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 36: Bulk Edit - Review Page. Click Cancel to exit Bulk Editing without changes. Click Configure to confirm and save your Bulk Edit changes. You are returned to the Attack Detail for Attack Category window.
  • Page 46: Managing Policies With Reconnaissance Policy Editor

    For example, you have revision # 1, 2, and 3 of a policy. After reviewing, you modify revision #2 and save. The policy change is stored as revision #4. Version #0 indicates a policy created by McAfee or a policy upgraded from older versions of the Manager. Date The date when the revision was done.
  • Page 47 McAfee® Network Security Platform 5.1 Managing IPS settings current or further impacts, and the methods of notification that will help your team respond to malicious use of your network in the most expeditious time. The Reconnaissance Policy Editor provides the following actions: •...
  • Page 48 McAfee® Network Security Platform 5.1 Managing IPS settings Add a Reconnaissance Policy dialog opens with the attribute values of the selected policy. Figure 38: Add A Reconnaissance Policy Dialog Type a name for your policy. If you want this policy to be applicable in all created child...
  • Page 49 McAfee® Network Security Platform 5.1 Managing IPS settings. Select two or more attacks (CTRL+Left-Click or SHIFT+Left-Click) and click Bulk Edit (on page 45) to make changes to more than one attack at a single time. Bulk editing is recommended for assigning the same response to multiple attacks at the same time.
  • Page 50 Syslog: sends a message to the Syslog server. Note: You do not have to set a notification for every attack; rather, McAfee recommends you only set notifications for attacks that warrant your immediate attention. For more information on enforcing notification by attack, follow the...
  • Page 51 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 43: Notifications Settings. Click to accept the changes and enable the scan policy. The pop-up closes. A check appears in the Custom column of the “Add Reconnaissance Policy” window for the attack you modified.
  • Page 52 If you edit a Network Security Platform-provided policy and later want to recreate that policy as it was when provided by McAfee, simply add a new policy. For more information on adding a new policy, see Adding a Reconnaissance Policy (on page 39).
  • Page 53 McAfee® Network Security Platform 5.1 Managing IPS settings. Using Bulk Edit for Reconnaissance Policy: Clicking on Bulk Edit allows you to modify selected Reconnaissance Policies with specified attributes at the same time. This is similar to using the Bulk Edit option for IPS Policies. For more information, see Modifying selected IPS policies using Bulk Edit (on page 34).
  • Page 54: Policy Assignment

    You can re-assign Reconnaissance policy only to Sensors, and not to Sensor interfaces/sub-interfaces. To reassign policies within the current admin domain/child admin domains in the McAfee® Network Security Manager (Manager), do the following: Resource Tree IPS Settings > Policies > Policy Assignment...
  • Page 55 McAfee® Network Security Platform 5.1 Managing IPS settings. When you select Reconnaissance Policy, the Reconnaissance policies applied to the resources under the admin domain/child domains are displayed. Tip: By default, the Assign Policy page has the IPS Policy option selected. When you choose Sensor, the search results are filtered by Sensor resources.
  • Page 56: Managing Http Response Scanning

    achieve your protection goals. For performance information, see the Best Practices Guide. • McAfee recommends that you enable HTTP response processing on the outbound traffic only. Consider enabling HTTP response on the inbound traffic if you suspect that your internal Web Server is/could be compromised.
  • Page 57 McAfee® Network Security Platform 5.1 Managing IPS settings. Go to the Device List > Sensor_name > Physical Sensor > Port Settings page. Verify that port 1A is connected to Outside Network and 1B is connected to Inside Network. Example 1: Port 1A on your Sensor is connected to the outside network and 1B is connected to your internal network [for example, a Web server].
  • Page 58: Configuring Advanced Policies

    McAfee® Network Security Platform 5.1 Managing IPS settings Steps: Go to the IPS Settings > Policies > HTTP Response Scanning page, or the IPS Settings > Sensor_Name > IPS Sensor / IPS Failover Pair > HTTP Response Scanning page. Select 1A-1B under the Outbound Status to enable HTTP response detection on outbound traffic.
  • Page 59: Configuring Non-Standard Ports

    • Enabling and starting the Incident Generator service (on page 67): install and start the Incident Generator service, which enables correlative analysis of alert incident conditions to further enhance your McAfee® Network Security Platform security utilization. • Exporting policies (on page 74): save one or more custom (created/cloned) IPS policies and Reconnaissance policies from your Manager server to your client.
  • Page 60 McAfee® Network Security Platform 5.1 Managing IPS settings You may add more than one non-standard port per protocol; however, you can only add one port at a time. If multiple ports have been added for a single protocol, all of the entered non-standard ports appear in one entry.
  • Page 61: Managing Rule Sets With The Rule Set Editor

    McAfee® Network Security Platform 5.1 Managing IPS settings. Click IPS Settings > Advanced Policies > Non-standard Ports. Select an entry. Click Edit. Select the non-standard port to delete. Click Delete and confirm the deletion. Download your changes to your Sensors by performing the steps in Updating the configuration of all Sensors (on page 154).
  • Page 62 This is for personal or team reference. Select Include Only Attacks Recommended by McAfee for Blocking to include only attacks that McAfee recommends for blocking. Select Block (Drop Packet) Attacks Recommended by McAfee for Blocking to have these attacks blocked. Select the Rules tab.
  • Page 63 Network Security Sensor processes traffic using the ordered rules in the rule set. Note: McAfee recommends your first rule in a rule set be an Include rule. If you list an Exclude rule first, a later include rule may negate the exclusion.
  • Page 64 McAfee® Network Security Platform 5.1 Managing IPS settings. Do one of the following: To include only specific attacks in your rule set, select the Select Specific Attacks Only check box and click Configure. A new pop-up opens. The Configure the Rule by Specific Attacks window enables users to select specific attacks rather than narrowing by environment parameters.
  • Page 65 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 59: Configure The Rule - Category Tab. Click the Protocol tab. By default, all protocols are selected. The Protocol tab lists the application protocols supported by Network Security Platform. Select All Protocols...
  • Page 66 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 61: Configure The Rule - OS Tab. Click the Application tab. By default, all applications are selected. (Optional) To custom select applications, de-select the Select All Applications check box (box should then be empty). All applications are moved to the “Available Applications”...
  • Page 67 McAfee® Network Security Platform 5.1 Managing IPS settings. (Optional) To custom select a minimum attack severity for a rule, de-select the Select All Severities check box (box should then be empty). From the Minimum Attack Severity drop-down list, select the lowest possible severity of attacks you want to include in/exclude from your rule.
  • Page 68 McAfee® Network Security Platform 5.1 Managing IPS settings Click when done with the configuration of this single rule. (You have made changes within the Configure the Rule tabs.) Go to the Insert a Rule at current position window to view a summary of the parameters you have set for the rule.
  • Page 69 McAfee® Network Security Platform 5.1 Managing IPS settings Editing a rule set Editing a rule set allows you to make the changes necessary to better define the environment you will be monitoring. Note 1: You can edit only the rule sets you have created; the pre-configured policies cannot be edited.
  • Page 70 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 65: IPS Policy List. The button options for each are as follows: • : add a new entry. • Clone: copy an existing entry and save it under a new name.
  • Page 71 : a check mark in this field indicates the rule set/policy can be edited. Pre-configured rule sets and policies McAfee provides many pre-configured rule sets and policies for immediate application in a number of different network areas. Each pre-configured policy is matched with an identically named rule set designed to address the common attacks targeting specific network environments.
  • Page 72 McAfee® Network Security Platform 5.1 Managing IPS settings. Rule Sets / Designed to Protect Against: All attack types except for those Exploits using TFTP, Telnet, RIP, NETBIOS, NFS, and WINS. Inside Firewall: All attack types except for those Exploits using TFTP, Telnet, and RIP.
  • Page 73: Managing Attack Responses Using Gare

    Network Security Platform is initialized. This policy automatically blocks the highest impact attacks that can be detected with high confidence as determined by McAfee. To address widely deployed attacks, McAfee also considers the popularity of certain attacks when deciding if they should be included in the Default Inline IPS policy.
  • Page 74: Setting Up Global Auto Acknowledgement

    The severity levels of the corresponding attacks • Whether the attacks are recommended by McAfee for blocking Using this feature, you can set up auto-acknowledgement for less critical attacks, so that you can focus more on the critical ones. This also prevents your Real Time Threat Analyzer from being flooded with insignificant alerts.
  • Page 75: Using The Incident Generator Service

    For example, if you specify 2 (Low) then Manager will consider all attacks with a severity level of 2 or less. The default value is 3 (Low). Specify whether you want to auto acknowledge attacks that are recommended by McAfee for blocking (RFB). The default selection is 'No'. Click Save to save the changes you made.
  • Page 76 You can only have one IG activation session open per Manager at a given time. Note 2: McAfee recommends that you run the IG from a client machine due to the system processing cycles required by IG. Running the IG on Manager server can seriously affect system performance.
  • Page 77 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 68: Incident Generator Details - Pre-Configuration. Click Download Service. Click Save in the File Download dialog. Figure 69: Incident Generator File Download Dialog. Save IGService.zip in the client machine. Figure 70: Saving IGService.zip...
  • Page 78 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 71: Incident Generator - Download Complete. Double click IGSetup.exe. Figure 72: Starting IGSetup.exe. Click Extract all to extract the compressed files. Figure 73: Compressed Folders Warning. Click Next in the Extraction Wizard's opening page.
  • Page 79 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 74: Extraction Wizard - Opening Page. Extract the file to the desired location in the client machine, check Show extracted files and click Finish to view the extracted files. Figure 75: Extraction Complete Dialog IG_setup.exe...
  • Page 80 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 76: Extracted IG_setup.exe. Click Run. Figure 77: Running the IG_setup. The Incident Generator is installed and the Installation wizard screen appears. Figure 78: Installation wizard screen. Follow onscreen instructions in the Installation Wizard to install Incident Generator in...
  • Page 81 (host) to stop the Incident Generator service. Uninstalling the Incident Generator service: To uninstall the Incident Generator service, do the following: Go to Start > Settings > Control Panel > Add/Remove Programs and select McAfee Incident Generator. Click Remove to uninstall the service.
  • Page 82: Exporting And Importing Policies

    McAfee® Network Security Platform 5.1 Managing IPS settings Note 2: The Incident Generator service must be started or stopped only from the Manager UI (IPS Settings > Advanced Policies > Incident Generation). Using the Service Management Console of the operating system for this purpose will give unpredictable results.
  • Page 83 McAfee® Network Security Platform 5.1 Managing IPS settings Browse to the location on your client where you want to save the export file. Verify successful export by checking the destination for the exported file. The policy file is saved as an XML file, and it contains all of the policies you selected for export.
  • Page 84 McAfee® Network Security Platform 5.1 Managing IPS settings. Comparing policies before importing. To select policies before importing: Figure 83: Import Policy - Difference Status. Select the policy you wish to import and click Difference. The Policy Diff window appears. Policy Diff...
  • Page 85 McAfee® Network Security Platform 5.1 Managing IPS settings Statistical attack details Reconnaissance attack details The diff information between 2 policies is presented in different views, each differing in the depth of the diff information displayed. Snapshot: This view displays the differences at a high level; this view indicates the differences within the 6 logical groups.
  • Page 86: Managing Alert Filters And Attack Responses

    McAfee® Network Security Platform 5.1 Managing IPS settings displayed (with diff details) in the utility. This indicates that there are more than 100 differences in that section. Note 2: If the Outbound Policy is configured for one of the policies, then the Outbound Policy details are not displayed; only the name is displayed.
  • Page 87 McAfee® Network Security Platform 5.1 Managing IPS settings • View/edit alert filters (on page 81) • Delete alert filters (on page 81). The Alert Filter List on the Alert Filter Editor tab displays the following type of information: Field / Description. Alert Filter Name: The name of the alert filter.
  • Page 88 McAfee® Network Security Platform 5.1 Managing IPS settings. Enter the Name of the alert filter. Enter the Filter Type, for example, IPv4. To add the alert filter IP address, click the button under Alert Filter IP Address Setting List. The Add an Alert Filter Setting window displays.
  • Page 89 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 89: Alert Filter added to the list. Click Commit Changes. The alert filter is added to the Alert Filter List. Cloning alert filters: To clone alert filters, do the following: IPS Settings >...
  • Page 90: Alert Filter Assignments

    McAfee® Network Security Platform 5.1 Managing IPS settings. Select IPS Settings > Alert Filters. From Alert Filter List, select the alert filter you want to delete and click Delete. Network Security Platform prompts you to confirm that you want to delete the filters before it completes the request.
  • Page 91 McAfee® Network Security Platform 5.1 Managing IPS settings. Field / Description. Protocol: Shows which protocol is used in the attack. No. of Available Attacks: The number of attacks for each protocol. Fields under the Reconnaissance Tab: Field / Description. Attack Name: The Network Security Platform-designated name for the attack.
  • Page 92: Exporting Alert Filters

    You can filter the list of attacks based on the following criteria: To view all the attacks, select All Selected Attacks. View attacks recommended for blocking by McAfee by selecting Attacks Recommended by McAfee for Blocking. To view the attacks that are eligible for IPS Quarantine, select Attacks Eligible for IPS Quarantine.
  • Page 93: Setting Up Acls

    McAfee® Network Security Platform 5.1 Managing IPS settings Setting up ACLs You can create ACLs at the IPS Settings level and assign them to the corresponding Sensors, interfaces, and sub-interfaces. You can specify a unique name to an ACL when you create it.
  • Page 94 McAfee® Network Security Platform 5.1 Managing IPS settings Figure 93: Applied ACL Detail. The following fields are listed: Field / Description. ACL Name • Resource: ACL applied to Sensor/port/interface/sub-interface • Scope: ACL applied at level • Direction: ACL applied at direction •...
  • Page 95 McAfee® Network Security Platform 5.1 Managing IPS settings. Select IPS Settings > ACL > ACL Editor. Figure 94: The ACL Editor. Click Add an ACL Rule to add a rule. A new dialog box opens, titled Add an ACL Rule. Figure 95: Add An ACL Rule Dialog...
  • Page 96 Note 1: The CIDR IP address field now enables you to enter IPv4 addresses in 4 different fields separated with dots. You can now enter the IP address value in the corresponding fields.
  • Page 97 Deny: (In-line Mode only) TCP Reset sent to source, destination, or both. Note: McAfee recommends permit and inspect rules for complete protection from potentially harmful traffic. Enable Intrusion Detection for traffic matching this rule: (Permit only) Specified traffic is always allowed to pass to the Sensor IPS inspection engine.
  • Page 98 The ACL group management options with the ACL Group Editor are as follows: • Adding ACL groups (on page 90) • Cloning an ACL group (on page 93) • Viewing/Editing an ACL group (on page 93) •...
  • Page 99 Figure 97: ACL Group Editor. Click Add an ACL Group. The Add an ACL Group dialog opens. Figure 98: Add An ACL Group Dialog: ACL Group Tab. Enter a name for the ACL group in the ACL Group Name box. The Visible to Child Admin Domain box is checked by default;...
  • Page 100 Click on Add / Remove Rules. A dialog opens: Configure ACL Rules for ACL Group. Select the ACL rule from the list. Click to add rules; click Remove to remove the rules.
  • Page 101 Cloning an ACL group: To clone an ACL group, do the following: Select IPS Settings > ACL > ACL Group Editor. Select an ACL group from the ACL Group List. Click Clone to clone the selected ACL group.
  • Page 102 Select IPS Settings > ACL > ACL Group Editor. Select an ACL group and click Delete. A confirmation pop-up is displayed. Confirm deletion by clicking in the pop-up. Note: An ACL group cannot be deleted if it has been assigned to any Sensor/port/VIDS.
  • Page 103 All Child Admin Domains - filters ACLs in all child admin domains for this admin domain. Displays all the ACLs/ACL Groups that are visible to the current admin domain and all its child admin domains.
  • Page 104 From the Resource Tree, select the IPS Settings icon for the required admin domain. Select ACL > ACL Assignments. With the Filter By Resource option, choose to filter the entries by resource (Sensors, ports, interfaces or sub-interfaces).
  • Page 105 Figure 106: Add / Remove Scope ACL Rules Dialog. Then three tabs are displayed: • Select ACL/ACL Groups - Here you can add or remove existing ACLs or ACL groups for the selected resource. This tab also allows you to manage ACLs or...
  • Page 106 Note: The procedure for assigning ACLs from the NAC Settings node is similar to the procedure described above. The ACL Assignment tab in the NAC node is at NAC Settings > ACL > ACL Assignments.
  • Page 107: Acl Syslog Forwarder

    To import an ACL file to the Manager, do the following: Select IPS Settings > ACL > Import. Indicate whether to skip duplicate ACL definitions by selecting the check box. Otherwise, leave the check box unchecked.
  • Page 108 Local user 4 (local4), Local user 5 (local5), Local user 6 (local6), Local user 7 (local7). Specify the Severity of the ACL alerts that you want to be forwarded. The choices are:...
  • Page 109: Xml Converter Tool For Acl Rules

    When you install the Manager, the XML converter tool is available as a batch file (aclxmlconverter.bat) in the diag folder within your Network Security Platform installation folder (for example, C:\Program Files\McAfee\Network Security Manager\App\diag). In the CSV file that you want to import, you need to provide the ACL rule information in a specific format.
  • Page 110: Using L3 Acls For Fragmented Traffic

    For more information on the XML converter tool for ACL rules, refer to the README.txt in the diag folder within your Network Security Platform installation folder (for example, C:\Program Files\McAfee\Network Security Manager\App\diag\README.txt). Using L3 ACLs for fragmented traffic: L3 ACLs allow you to selectively specify rules for a host (or network) based on which Network Security Platform skips reassembly handling of the fragmented traffic.
  • Page 111 In Network Security Platform, three new protocols are provided to support L3 rules for ICMP, TCP and UDP, that is, L3-ICMP, L3-TCP and L3-UDP. User-specified protocol numbers are not supported. Configuring L3 ACLs in the Manager: From the Manager, you can configure the L3 ACL protocols when you add the ACL rules.
  • Page 112: Enabling Secure Socket Layer (Ssl) Decryption

    In the TCP Parameters Configuration page, from the TCP Flow Violation drop-down, select Permit out-of-order. Figure 113: TCP Flow Violation Setting for L3 ACLs. Limitations • TCP flow violation Permit out-of-order...
  • Page 113: Enabling Ssl Decryption In Ips Settings Node

    Enabling SSL decryption in IPS Settings node: The Enable action enables the SSL functionality of the IPS Sensor. SSL configuration includes enabling SSL decryption, enabling packet logging for SSL-encrypted attacks, setting the number of SSL flows to monitor simultaneously, and setting the session cache time.
  • Page 114: Importing Ssl Keys To The Sensors

    Figure 114: SSL Configuration. Type a value for the SSL Cache Time. This time relates to session resumption in SSL. The value represents the length of time a session is kept alive after the last connection closes.
  • Page 115: Managing The Imported Ssl Keys Of Sensors

    Select IPS Settings > SSL Decryption > Key Import. Figure 115: Import SSL Keys Dialog. Type an Alias Name. This name identifies the SSL key file in the Manager. Type a Passphrase.
  • Page 116: Ips Quarantine Settings

    Click and confirm the deletion. IPS Quarantine settings: To protect your network from security threats, McAfee® Network Security Platform provides the IPS Quarantine feature, which quarantines and remediates non-compliant network devices (or hosts) connecting to your network. When the Sensor detects attacks from a host on its configured monitoring port, a quarantine rule is created for the source IP address of the host.
  • Page 117: Ips Quarantine Configuration In Policy Editors

    Note: The Sensor successfully quarantines/remediates hosts only if you have enabled IPS Quarantine for specific attacks in the IPS Policy Editor. Also, you need to configure IPS Quarantine on the individual Sensor monitoring ports.
  • Page 118 In the Edit Attack Detail window, under IPS Quarantine / McAfee NAC, select Customize. Figure 116: Edit Attack window, where you can enable IPS Quarantine. Note that the Quarantine drop-down options are enabled.
  • Page 119 To just forward the attack details to McAfee NAC, select McAfee NAC Notification and select Disabled in the Quarantine field. To notify McAfee NAC and also use Network Security Platform for quarantining all attacking hosts regardless of their types, select McAfee NAC Notification and in the Quarantine...
  • Page 120 Click Commit to save the changes. A message is displayed that the policy changes are committed to the Manager. If the modified policy is applied to a Sensor, you need to update the Sensor configuration for the changes to be effective.
  • Page 121 Figure 121: Enabling quarantine and remediation for multiple attacks. Configure the IPS Quarantine/McAfee NAC sections as described in Enabling IPS Quarantine in IPS Policy Editor (on page 109). Searching attacks eligible for IPS Quarantine: Before configuring the attacks for IPS Quarantine, you can search for attacks that are eligible for IPS Quarantine from the IPS Policy Editor or GARE.
  • Page 122 IPS Quarantine for the selected protocol. Configure the IPS Quarantine/McAfee NAC sections as described in Enabling IPS Quarantine in IPS Policy Editor (on page 109). Considerations for IPS Quarantine rule creation...
  • Page 123: Ips Quarantine Configuration In Admin Domain

    • The traditional ACLs permit certain traffic from a given host and are configured for IPS Quarantine. The traffic is routed through the IPS Quarantine NAZ ACLs, and if the quarantine NAZ ACL drops the traffic, the traffic is dropped. Thus, the IPS Quarantine drop takes precedence over a traditional ACL permit action.
  • Page 124 In the Resource Tree, select IPS Settings > IPS Quarantine > Network Objects. To add a network object, select Add a Network Object. Figure 124: Adding network objects. In Add a Network Object, enter the following information: Name of the network object.
  • Page 125 When the Sensor identifies attacks from a host, the host is quarantined and assigned to an IPS Quarantine Network Access Zone (or IPS Quarantine NAZ). This is based on the System Health Level of the host. The IPS Quarantine NAZ maps the access level provided to the host to its System Health Level.
  • Page 126 Figure 126: Configuring NAC ACL rules. To add a new NAC ACL, select Manage NAC ACL Rules. Figure 127: Adding a NAC ACL rule. In the Add an ACL Rule window, enter the following values:...
  • Page 127 Description. Visible to Child Admin Domain: Select the check box if you want the ACL to be visible to Child Admin Domains. Destination IP: IP address or CIDR. Destination Protocol/Port...
  • Page 128 Enter the Syslog Server UDP Port. Select the Facility to Use and the Priority to Use. Message Preference is set to System default by default. Click Apply and save the settings. After you save the settings, you get the option to create a customized message instead of the system default.
  • Page 129 Following are the steps for customizing the IPS Quarantine browser message in the Manager: In the Resource Tree, select IPS Settings > IPS Quarantine > Browser Messages. Figure 131: IPS Quarantine built-in browser message...
  • Page 130 Figure 133: Remediation Portal settings in the Manager. Enable the redirection of HTTP traffic to the Remediation Portal by selecting Redirect to a Remediation Portal? Configure the Remediation Portal by specifying the Remediation Portal IP Address...
  • Page 131: Ips Quarantine Settings In The Threat Analyzer

    • Enable quarantine of hosts, but disable remediation (or re-direction of HTTP requests) • Disable IPS Quarantine - when you choose this option, remediation is automatically disabled. Enabling HTTP traffic redirection: When you enable this configuration, the HTTP traffic from the host is re-directed to a Remediation Portal.
  • Page 132 The following options are available for IPS Quarantine in the Threat Analyzer: • Adding hosts for IPS Quarantine from the Alerts page (on page 124) • Quarantine of hosts from Alert Details (on page 124) •...
  • Page 133 To add a host for quarantine from the Alert Details view, do the following: Launch the Real-time Threat Analyzer from the Manager. Select Alerts. The All Alerts tab is displayed with the list of all the alerts.
  • Page 134 Manager and the present clock time. For more information, see NAC options in the Hosts page. Host Type: The Host Type field is relevant for McAfee NAC-response-based Quarantine and Remediation. This field can be Managed Host, UnManaged Host or Not Applicable.
  • Page 135 Figure 138: IPS Quarantine settings from Hosts page. Two options are displayed for IPS Quarantine: • Extend IPS Quarantine - extends the time for which a host is quarantined (Quarantine Duration). The following options are displayed:...
  • Page 136: Archiving Data

    You can also restore archived alerts and packet logs on the same or another McAfee® Network Security Manager (Manager) server. The Archiving tab enables the following actions: •...
  • Page 137 Note: Archive your alerts and packet logs regularly. We recommend that you archive your alert data monthly, and that you discard alert and packet log information from your database every 90 days to manage your database size. Note that there is a 4GB size limitation for a single archive file.
  • Page 138: Scheduling Automatic Archival

    Figure 142: Existing Archives List. You can click an archived file (listed under Existing Archives) to view the details. Optionally, select an archived file and click Export to download that file from the Manager to your client.
  • Page 139: Restoring An Archive

    Select IPS Settings > Archiving > Schedule. Select Enable Scheduler to turn on the scheduling process. Specify the time of day (Hr:Min) for the process start time. Frequency: Daily, Weekly...
  • Page 140 Scroll down the page to the Existing Archives list. Select an archive and click Restore. Figure 145: Existing Archives List. After clicking Restore for either option, you are presented with a dialog box for filtering the alerts in the archive.
  • Page 141: Exporting An Archive

    Browse to the desired location and then click. Archiving alerts using dbadmin.bat: You can archive alerts and packet logs from either the McAfee® Network Security Platform user interface or from the standalone database admin tool. However, you can avoid the additional workload on the Manager server by using the database admin tool.
  • Page 142: Restoring Alerts Using Dbadmin.bat

    To archive alerts and packet logs using the standalone Database admin tool: Navigate to <Network Security Platform install directory>\bin. Execute the dbadmin.bat file. The standalone tool opens. Select Archival > Alert Archival...
  • Page 143 Navigate to <Network Security Platform install directory>\bin. Execute the dbadmin.bat file. The standalone tool opens. Select Archival > Alert Restore. Figure 148: Database Admin Tools - Archival Alert Restore Tab. Do one of the following:...
  • Page 144: Manager Database Maintenance

    • Managing Alert Data Pruning (on page 140): Manage and allocate disk space for the alerts that are stored in the McAfee® Network Security Manager (Manager) database. • Manager Pruning (on page 142): Clear the attack and policy caches without restarting the Manager.
  • Page 145 Figure 150: Capacity planning details. The Manager retrieves and displays the following data from the underlying database: • Date and Time for the Oldest Alert: displays the date and time • Total counts for...
  • Page 146 • Alert with packet log = 650 bytes (average) Space for packet logs must also be allocated in your database. The frequency of generated logs is typically less than that of alerts, but a packet log is generally larger in size than an alert.
  • Page 147 Note 2: The following graph and table estimate size based on alerts both with and without associated packet logs. Thus, the size of alert data has been estimated from both lab and live environments.
  • Page 148: Alert Data Pruning

    “Delete Alerts older than” field. For Alert & Packet Log Data, McAfee strongly recommends entering a large value (such as 90, which is the default of 90 days) in the “Delete Alerts older than” field.
  • Page 149 To allocate less disk space for your calculations, type a number less than 30,000,000. To calculate disk space capacity, click the Calculate Capacity link. This calculator has specific fields related to determining the database allocation space required to maintain your alerts and packet logs.
  • Page 150: Manager Pruning

    Once you clear the caches, it may take a few minutes to open a policy in the McAfee® Network Security Policy Editor [formerly IPS Policy Editor], because the applied policy must be re-cached.
  • Page 151: Setting Up Alert Notifications

    • Cached Reconnaissance policies: The number of reconnaissance policies in the Manager cache. • Names of Cached Reconnaissance policies: The names of reconnaissance policies in the Manager cache. To clear the Manager Cache, do the following: IPS Settings >...
  • Page 152: Forwarding Alerts To An Snmp Server

    Figure 155: Alert Notification Details. Forwarding alerts to an SNMP server: The IPS Settings > Alert Notification > SNMP action specifies a server to which alert information will be sent from the Manager. You can configure more than one SNMP server to which you want to send alert messages.
  • Page 153 Check Enable SNMP Forwarder (default is Yes) and click Apply. Click Add. Figure 157: SNMP Forwarder Configuration. The Alert SNMP Forwarder window is displayed. Fill in the following fields: Current Admin Domain: Select this to send notifications for...
  • Page 154: Forwarding Alerts To A Syslog Server

    Customize Community: Define a customized SNMP community string if there is more than one SNMP community in the network. The following fields appear only when SNMP Version 3 is selected.
  • Page 155 a third-party Syslog application. For Syslog forwarding, the root domain and parent domains have the option to include alerts from all applicable child domains. To enable Syslog forwarding of alerts, do the following: IPS Settings >...
  • Page 156 Facilities: Standard Syslog prioritization value. The choices are as follows: • Security/authorization (code 4) • Security/authorization (code 10) • Log audit (note 1) • Log alert (note 1) • Clock daemon (note 2) •...
  • Page 157 Select the Message Preference, or message template, to send as the Syslog forwarding message. The choices are: System Default: The default message is a quick summary of an alert with two fields for easy recognition: Attack Name and Attack Severity.
  • Page 158: Specifying Email Or Pager Parameters

    Specifying email or pager parameters: Users can be alerted by email or pager when an alert is generated that matches a chosen severity or customized attack setting. Note 1: You must also identify a mail server for email notifications. For more...
  • Page 159 Type a Suppression Time for the notification. The suppression time is the amount of time (minutes and seconds) to wait after an alert notification has been sent before sending another alert notification. The default and minimum value is 10 minutes and 0 seconds.
  • Page 160: Specifying Script Parameters

    Item: Custom typed text; Selected tokens. Add mailing lists to your Email Alert Notification Mailing List or Pager Alert Notification Mailing List. Click Edit and type the email address that broadcasts to your email or pager recipients.
  • Page 161 Note: Notifications are configured per admin domain. Figure 165: Script Notification Settings. To enable alert notification by script: Select IPS Settings > Alert Notification > Script. For Enable System Alert Notification, select the enabled status ( is enabled;...
  • Page 162: Updating The Configuration Of All Sensors

    Click Edit. Figure 166: Customize Script Notification. Item: Custom typed text; Selected token. Script Name: Type a name for the script. Body: For this section, type any text and select (click) the token fields for the attack information you want to see.
  • Page 163 Signature updates have new and/or modified signatures that can apply to the attacks enforced in an applied policy. Policy changes update the Sensor in case of a newly applied policy, or changes made to the current enforced policy.
  • Page 164: Chapter 3 The Ips Sensor_Name Node

    The IPS Sensor_Name node: Sensor_Name nodes under IPS Settings represent IPS-aware Sensors installed in your network. Each Sensor_Name node is a uniquely named (by you) instance of a Sensor. All actions available at the Sensor_Name resource level customize the settings for a specific Sensor.
  • Page 165: Alert Filter Assignments

    McAfee® Network Security Platform 5.1 The IPS Sensor_Name node Managing policy across the IPS Sensor: The Policy tab enables you to set an alternate policy for a Sensor’s interfaces/sub-interfaces in cases where the original policy needs to be deleted. For example, you have...
  • Page 166 The Manager displays two tabs: Exploit and Reconnaissance. Figure 170: Edit Alert Filter Assignments. Fields under the Exploit Tab: The Exploit tab has two sub-tabs: Inbound/Outbound. Both display the same fields, but for incoming and outgoing attacks respectively.
  • Page 167 You can filter the list of attacks based on the following criteria: To view all the attacks, select All Selected Attacks. View attacks recommended for blocking by McAfee by selecting Attacks Recommended by McAfee for Blocking. To view the attacks that are eligible for IPS Quarantine, select Attacks Eligible for IPS Quarantine.
  • Page 168: Managing Http Response Scanning

    • You can enable it in each direction on an interface pair. • McAfee recommends that you enable HTTP response processing only if you anticipate malicious traffic activity on your Web server. • To minimize the potential performance impact on the Sensor, enable HTTP response...
  • Page 169 Figure 172: HTTP Response Scanning Setting. Select 1A-1B under Inbound Status to enable HTTP response detection on inbound traffic. Example 2: Consider a reverse scenario where 1A is connected to the internet and 1B is connected to your internal network.
  • Page 170: Viewing The Dos Detection Status Of A Sensor

    Go to the Device List > Sensor_name > Physical Sensor > Port Settings page. Verify that port 1A is connected to Outside Network and 1B is connected to Inside Network. The table below summarizes the scenarios discussed above.
  • Page 171: Configuring Advanced Scanning

    To view the DoS policies applied to a Sensor’s interfaces, do the following: Select IPS Settings/Sensor_Name > IPS Sensor > DoS Detection Status. Figure 173: DoS Detection Status. The fields are as follows: DoS ID: the port ID or sub-interface name.
  • Page 172: Managing Non-Standard Ports

    • Configuring IP settings (on page 172): Customize IPv4 and IPv6 alerting parameters. • Configuring alert suppression with packet log response (on page 176): Set a suppression threshold for multiple identical attacks (such as a flood) for a Source-Destination IP pair within the same VIPS (interface or sub-interface).
  • Page 173: Managing Dos Learning Mode Profiles

    Click. Type a Group Name. Select a Primary Interface from the drop-down list. The primary interface may be a port pair (1A and 1B) or a single port (3B). The primary interface determines the policy that is enforced by the group.
  • Page 174 48-hour learning time. Tip: McAfee recommends performing a “re-learn profile” when there is a network change (that is, moved Sensor from a lab environment to a production environment) or configuration change (changed the CIDR block of a sub-...
  • Page 175 There is no need to re-learn a profile when network traffic increases or decreases naturally over time (for example, an eCommerce site that is getting more and more customers, thus its Web traffic increases in parallel), since the Sensor can automatically adapt to it.
  • Page 176: Managing Dos Filters

    • Click Manage DoS Profiles to return to the main screen to view your uploaded file. One file is uploaded for all interfaces, sub-interfaces, or DoS IDs of a Sensor. This file is listed in the “DoS Profiles Uploaded from Sensor to Manager”...
  • Page 177: Configuring Tcp Settings

    measure. If the short-term volume is outside of the long-term volume, a Statistical attack type alert is raised. Once a Statistical alert has been raised, your Network Security Sensor can initiate an automatic or manual response to block all subsequent packets of the violated measure.
  • Page 178 You can customize the TCP parameter checks for a Sensor using the TCP Settings action from the IPS Settings and Sensor_Name nodes. To edit a parameter, type/toggle a new value for that parameter and click Update.
  • Page 179 TCP Parameter: TCP Flow Violation: A packet received for a connection that does not exist, such as an ACK packet when no SYN for a connection has been received. Drop-down choices: •...
  • Page 180: Configuring Ip Settings For Ipv4 And Ipv6 Traffic

    Set for DoS attack traffic only. Configuring IP settings for IPv4 and IPv6 traffic: You can use McAfee Network Security Platform 5.1 to parse IPv4 and IPv6 traffic for attacks (with the exception of DoS attacks in the case of IPv6 traffic).
  • Page 181 To prevent system errors, McAfee recommends that only users with detailed knowledge of IP configure these settings. McAfee Network Security Platform 5.1 can handle tunneled traffic. For more information, see the section on Tunneled Traffic (on page 174). Note 1: IP parameters are effective only when the configured Sensor is deployed in in-line mode.
  • Page 182 IPv6 Parameters Configuration. IPv6 Scanning: Specify how the Sensor should process IPv6 traffic. • Drop all IPv6 traffic (inline only): The Sensor drops IPv6 traffic in inline mode. • Pass IPv6 traffic without scanning: The Sensor passes IPv6 packets but does not scan them for attacks.
  • Page 183 encapsulating a packet within another packet of a different protocol to enable the packet to pass through incompatible networks is called tunneling. I-Series and M-series Network Security Sensors support 4 types of tunneled traffic. That is, these 4 types are parsed for attacks: •...
  • Page 184: Configuring Alert Suppression With Packet Log Response

    • In Network Security Platform 5.1.5.x, GRE tunneled traffic is also parsed. However, only I-4010, I-4000, I-3000 and all M-series Sensors can parse GRE tunneled traffic. The other Sensors just pass the traffic. See the Upgrade Guide for information on how to upgrade to Network Security Platform 5.1.5.x.
  • Page 185 The Correlate signatures for a single attack for [ ] seconds field notes the amount of time that the Sensor will correlate the signatures used to detect a suppressed attack instance. Many attacks have multiple signatures;...
  • Page 186: Os Fingerprinting

    Network Security Platform supports OS fingerprinting using two methods, namely: • Fingerprinting with McAfee NAC: When a host plugs into the network, the Network Security Sensor works with McAfee NAC to ascertain the operating system on the machine. This is available only if System Health-based NAC is enabled on the Sensor.
  • Page 187 Viewing OS information: Operating System (OS) information can be viewed in the Alerts page of the Threat Analyzer when the passive OS option is enabled under IPS Settings > sensor_name > Advanced Scanning >...
  • Page 188: Configuring Acl Rules In The Ips Sensor

    • For non-TCP traffic • In instances where the stack has been modified. OS information, when McAfee NAC is enabled, is displayed in the Host page of the Threat Analyzer. This information is displayed in the column and is available only for managed hosts and guest clients. Not Available
  • Page 189: Assigning Acl Rules In The Ips Sensor

    Note: To view the anti-spoofing configurations of a Sensor, you can generate the ACL Assignments Report. For more information on this report, see the Reports Guide. Figure 189: ACL Tab. Assigning ACL rules in the IPS Sensor: A Sensor ACL is useful for maximizing a Sensor’s detection and prevention capabilities by...
  • Page 190 ACL rules applied at the Sensor (Sensors) level are inherited by all interfaces and sub-interfaces of the Sensor. You can add more rules at the interface and sub-interface levels; however, you cannot delete inherited rules at the child levels. Even if no rules have been assigned at the Sensor level, you can assign rules at the interface and sub-interface levels.
  • Page 191 • Choose created rules: The user can choose rules created at the admin domain and apply them to the entity. The button options for Rule Assignment are as follows: • Add/Remove ACLs or ACL Groups: opens a dialog to select and manage ACL Rules / ACL Groups.
  • Page 192 Figure 191: Adding ACLs. Select a rule/group from the list of groups or rules displayed, or click on Manage ACL rules to add new ACL rules/groups. For more information on creating ACL rules or groups, see Adding an ACL rule (on page 86) or Adding created rules to a group (on page 90).
  • Page 193 Viewing effective ACL rules: You can view the complete description of an ACL rule/group created and assigned to a Sensor/port/sub-interface. Figure 192: Viewing Effective ACL rules. The fields displayed are:...
  • Page 194: Editing Acl Log Settings

    Select IPS Settings/Sensor_Name > ACL > ACL Assignments. In the Effective ACL Rules tab, select an ACL rule. Click View. Computing the number of ACL rules utilized per Sensor: You can calculate the number of ACL rules being utilized per Sensor by adding all the rules configured at the Sensor level, port level, and sub-interface level.
  • Page 195 Select IPS Settings / Sensor_Name > ACL > ACL Logging from the IPS Settings node. The “Edit ACL Settings for Resource <Sensor-name>”...
  • Page 196: Enabling Ip Address Spoofing Detection

    Threshold settings (Option / Description). Suppression interval: The time span in which you accumulate instances of the same attack. This value acts as a timer; when the timer expires, the current instance is cleared to make room for a new suppression instance.
  • Page 197 Any port pair in In-line Mode that has been segmented by CIDR addressing is eligible for IP spoofing detection. This includes any CIDR-segmented sub-interfaces of an eligible port pair. For example, port pair 1A-1B protects the 192.168.1.0/24 and 192.168.2.0/24 networks in In-line Mode.
  • Page 198: Traffic Management

    Click Commit Changes to enable IP spoofing detection; click Ignore Changes to abort. Once you select Commit Changes, the configuration is sent via SNMP to the Sensor; thus, you do not have to execute an Update Configuration for the Sensor.
  • Page 199: Configuring Traffic Management

    Network Security Platform provides three different traffic management techniques: Rate limiting, DiffServ tagging and VLAN 802.1p tagging. Rate limiting is used to control the rate of traffic sent or received on a network interface.
  • Page 200 • Enabling Traffic Management Settings (on page 192) • Adding Traffic Management Queues (on page 194) • Editing/Viewing Traffic Management Queues (on page 197) • Deleting Traffic Management Queues (on page 198) •...
  • Page 201 Figure 197: Setting DiffServ and VLAN to zero. Suppose you have set the DiffServ tag value to zero for the unclassified traffic (for example, Telnet) passing through the Sensor. In this case, if Telnet traffic reaches the Sensor with a DiffServ tag value of 10, then the Sensor tags the Telnet traffic with a zero value, and then passes it on to the external network device for DiffServ categorization.
  • Page 202 Note: For rate limiting queues, there can be a maximum of 64 entries per queue, where each entry is one of the selection criteria: defined Protocol, TCP port, UDP port and IP Protocol number.
  • Page 203 Field / Description. Name: This field represents the name of the traffic management queue. The queue name is unique within a Sensor port. Note that the same name can be used for two queues corresponding to different ports of the same Sensor.
  • Page 204 Name: Enter a name for the new traffic management queue. Type: Select the type of traffic management queue: Rate Limit Bandwidth, DiffServ, or VLAN 802.1p. Value: Specify the value for the Type selected above.
  • Page 205 TCP Port: Specify a TCP port. • Enter the port number or port range (for example, 5-10) to add to the desired port list and click >>. • Make changes, if necessary. To remove a port or port range from the Selected Port list, click <<...
  • Page 206 Figure 200: Edit Rate Limit Queue. Here you can edit the traffic management queue configuration. Note 1: The fields in this window are similar to the Add Queue window that is used to add the rate limiting queues.
  • Page 207: Precedence In Traffic Management

    Select one or more rate limit queues and click Delete. Network Security Platform displays a confirmation dialog before it removes the traffic management configuration for the interface. Figure 201: Delete Rate Limit. Click to delete the selected traffic management queue configuration.
  • Page 208: Considerations In Rate Limiting

    If the Sensor is not able to identify a packet in terms of protocol or TCP/UDP ports defined for rate limiting, the rate limiting queues configured for IP Protocol Number are searched.
  • Page 209 SSL keys are not present in the Sensor: When the Sensor is configured such that there are no SSL keys to decrypt the traffic, the HTTPS traffic reaching the Sensor is not decrypted into HTTP. Several scenarios are possible depending on the traffic and rate limiting rule configured.
  • Page 210 Sensor / Restricted Ports. M-8000: In the M-8000 Sensor, interconnect ports XC2, XC3, XC4 and XC5 cannot be used for configuring rate limiting. In an M-8000 failover pair, 3A and 3B are used as interconnect ports.
  • Page 211: Network Scenarios For Traffic Management

    monitoring port(s) of each Sensor in a failover pair exceeds the configured bandwidth, each Sensor must see the configured traffic on its monitoring port(s) for rate limiting to occur. This is independent of the traffic that the peer Sensor might be monitoring.
  • Page 212: Enabling Ssl Decryption

    internal network. Similarly, when the response HTTP traffic passing port 1A from the internal network exceeds the configured rate limiting value of 5120 Kbps, the Sensor rate limits the traffic by dropping excess data packets. Only the configured traffic bandwidth value of 5120 Kbps is allowed to pass through port 1A to the Internet.
  • Page 213: Configuring Ssl Decryption In The Ips Sensor

    For a description of SSL functionality in Network Security Platform, see the Getting Started Guide. The available actions in this group are: • Configuring the SSL functionality of a Sensor (on page 205): Enable SSL decryption and configure Sensor SSL parameters.
  • Page 214: Managing The Imported Ssl Keys Of A Sensor

    Enter a value for the SSL Cache Time. This time relates to session resumption in SSL. The value represents the length of time a session is kept alive after the last connection closes.
  • Page 215 lost its key encryption key. In order to protect the imported keys both in transit and in escrow, Manager uses the public key of the Sensor’s public/private key pair. Network Security Platform supports PKCS12 keys with file suffixes “.pkcs12”, “.p12”, or “.pfx”.
  • Page 216: Configuring At The Interface Level

    Configuring at the interface level Configuring at the interface level involves enabling McAfee-NAC-based response action for the ports. For ports deployed in inline mode, you can enable McAfee NAC forwarding, Network Security Platform quarantine and remediation for each port in a port-pair. For ports deployed in tap and SPAN modes, you can only enable McAfee NAC forwarding.
  • Page 217: Ips Quarantine Settings In The Ips Sensor

    Note: Forwarding attack details to McAfee NAC also depends on the McAfee NAC configuration at the policy level. For more information, see Configuration at the Policy Level. Figure 207: McAfee NAC Configuration at the port level...
  • Page 218: Nac Acl Logging In The Sensor For Ips Quarantine

    NAC ACL Logging in the Sensor for IPS Quarantine: The following steps explain the NAC ACL Logging configuration for the Sensor from the Manager user interface: IPS Settings > IPS Sensor_Name > IPS Quarantine > NAC ACL...
  • Page 219: Sensor Port Settings For Ips Quarantine

    This time interval is called the Suppression Interval. After the Suppression Interval, Network Security Platform can suppress IPS notifications to the McAfee NAC server. While configuring NAC ACL Logging at the Sensor port level, you can configure the suppression settings for NAC as well.
  • Page 220 • Enable quarantine of hosts, but disable remediation (or re-direction of HTTP requests) • Disable IPS Quarantine: when you choose this option, remediation is automatically disabled. Enabling HTTP traffic redirection: When you enable this configuration, the HTTP traffic from the host is re-directed to a Remediation Portal.
  • Page 221: Setting Policy For Interfaces And Sub-Interfaces

    Item / Description: Interface Nodes, Port Pairs; Interface Nodes, Single Ports; Sub-interface Node. Setting policy for interfaces and sub-interfaces: Network Security Sensors allow for very granular policy application and enforcement: multiple IPS and denial of service policies can be enforced on a single port or port pair.
  • Page 222: Configuring General Interface Settings

    Full-duplex Tap and In-line modes require two physical ports, and each mode uses these two ports to form a single logical interface. Therefore, all configuration and policy decisions are made at a logical interface level.
  • Page 223 Viewing interface details: To view the details of an interface, select an interface node from the Resource Tree; the “Interface Detail” dialog appears under IPS Settings/Sensor_Name/Interface > IPS Interface > Summary. Figure 212: Interface Detail. The dialog details are as follows: •...
  • Page 224 VLANs that you specify. More commonly, if you have used CIDR addressing in your network, changing the traffic type to CIDR helps you better protect specific networks/hosts in your system. For VLAN and CIDR interfaces, you are able to add the network IDs, either VLAN tags or CIDR addresses, in order to specify unique networks in your domain. For...
  • Page 225 Bridge VLAN: enables the bridging of traffic between VLANs. Important: When the Sensor is down, the traffic is forwarded through the peer port with the same VLAN ID with which it came to the Sensor. So, if your switches are not configured to handle such a scenario, the packets may get dropped.
  • Page 226 Figure 215: Add VLAN IDs. Item / Description: Custom name (default is the port number); this name appears in the Resource Tree. A description only appears in the interface description dialog. Add the required VLAN/CIDR IDs. For VLAN, you can type the VLAN tags by range or by individual ID. The valid range is 0 to 4095, and the maximum number of VLAN tags per interface is 254.
  • Page 227 Figure 216: Edit CIDR Interface. Click Add to save your interface additions; click Cancel to abort. Download the changes to your Sensor interface by performing the steps in Updating the configuration of a Sensor.
  • Page 228 Select Sensors > Sensor_Name > Interface_Name > Manage Sub-interface. Figure 217: Manage Sub-interface. Note: To edit an existing sub-interface, select the sub-interface and click Edit, then follow the steps below. To delete a sub-interface, select the sub-interface...
  • Page 229: Scanning Policies At The Interface Level

    Note 2: The maximum value in each field is 255. If you enter “.”, you are tabbed to the next field. Note 3: Only numerical values between 0 and 9 are allowed. Special characters are not allowed. Pressing Tab after the last field moves you to the select mask field.
  • Page 230 Enabling IPS Policies on the interface: All interfaces inherit a policy from the Sensor by default, and the Sensor inherits the policy in turn. Select IPS Policy under IPS Settings > IPS Sensor_Name > Interface-x >...
  • Page 231 Outbound traffic is that traffic sent by a system in your intranet, and is on the port marked “Inside” (that is, originating from inside the network) in In-line or Tap mode.
  • Page 232 DoS customization is key to protecting a specific host or server from a concentrated DoS or DDoS attack. McAfee Network Security Platform enables extremely granular DoS protection: you can have a single DoS policy applied and customized for an entire Sensor interface, or you can create custom DoS policies for several VLAN or CIDR hosts within an interface or sub-interface.
  • Page 233 If you customize DoS at the Interface level, for the entire interface or for a VLAN or CIDR ID (and a sub-interface has not been created): Then you cannot create sub-interfaces for the interface. For a Dedicated interface, you create DoS IDs here.
  • Page 234 Sample scenario: Custom DoS policy in a network. In this example, suppose a Network Security Sensor is in SPAN mode, monitoring the traffic transmitting between the floors of a building. Sensor port 1A is the interface number.
  • Page 235 • Create multiple DoS policies for each VLAN ID in the network. In this instance, you can create unique DoS policies for VLAN 2, VLAN 4, and VLAN 5. All other traffic in the interface is protected against DoS by the inherited DoS policy settings;...
  • Page 236 • Create multiple DoS policies for each CIDR network ID and the rest of the interface’s traffic. In this instance, you can create unique DoS policies for 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, and “Entire 1A.”...
  • Page 237 Second configuration: Select VLAN (options were 1, 2, 3, or 4). Select Apply DoS to this VLAN (options are “Apply DoS to this VLAN” or “Apply DoS to CIDR in VLAN”).
  • Page 238 Note: DoS policy cannot be customized to the VLAN/CIDR IDs within an interface if you have already created sub-interfaces. For more information on how to customize DoS policy for a sub-interface, see Customizing DoS policy for a sub-interface (on page 239).
  • Page 239 For Learning Mode, all attacks are Enabled by default. To disable an attack, select a row from the table and click Disable. To enable an attack, select a row from the “Learning Attack List” and click Enable...
  • Page 240 IPS Settings node. Likewise, alert filters associated at the Sensor level are associated with all interfaces/sub-interfaces belonging to that Sensor. The steps for adding alert filters at the interface level are similar to those given in Managing Alert Filters and Attack Responses (on page 78).
  • Page 241: Adding Acls On The Interface

    (Optional) Select a DoS ID and click View to display rate data for the measures in the DoS profile applied to the selected DoS ID. You can change the measure by toggling...
  • Page 242: Ips Sensor Sub-Interface Node

    Note 2: If you are revoking an interface from a child domain (that has been delegated from the parent domain) with an ACL configured, then an error message is displayed. You will have to delete the ACL first and then revoke the interface.
  • Page 243 Figure 230: Uniquely Named Sub-Interface Nodes. Item / Description: Uniquely named Sub-interface nodes. The sub-interface node is created at the interface node level and found by navigating to Settings > Sensor_Name > Interface-x > Sub-interface-x...
  • Page 244 • Managing the details of a sub-interface (on page 236): Add/edit/delete IDs to those that already exist for a particular sub-interface. Viewing the details of a sub-interface: The IPS Sub-Interface > Summary action allows you to view the details configured for the sub-interface.
  • Page 245 Click Edit. Do one of the following (VLAN, Bridge VLAN): Add an ID by moving it from “Available” to “Allocated” by selecting the ID and clicking the > button. Remove an ID by moving it from “Allocated” to “Available” by selecting the ID and clicking the <...
  • Page 246 Figure 232: IPS Sub-Interface Tab. Item / Description: Sensors node; Interface node; Sub-Interface. Policies at the sub-interface level: Each sub-interface created within an interface can have a specific IPS policy applied. For...
  • Page 247 You create a sub-interface, “File_Servers,” to protect networks 192.168.0.0/24 and 192.168.1.0/24 with a more appropriate policy. You create a File Server policy to protect “File_Servers.” Tip: The name “File_Servers” is used instead of a generic name such as “Sub-interface1”...
  • Page 248 Note: You do not have to set a notification for every attack; rather, McAfee recommends you only set notifications for attacks that warrant your immediate attention. For more information on how to enforce notification by attack, follow...
  • Page 249 The Sub-interface-x > Scanning > DoS Detection Status action provides operational details on the custom DoS policies applied to/within a sub-interface. The DoS policy was inherited from the interface upon sub-interface creation, but may have changed due to one of the following conditions: •...
  • Page 250: Chapter 4 Understanding Attack Descriptions

    Figure 234: Attack Description Example. The Attack Information & Description fields are as follows: • Name: McAfee Network Security Platform-designated name for an attack. • Vulnerability Type: type of inherent system flaw that can be exploited by attackers.
  • Page 251: Impact Categories

    McAfee® Network Security Platform 5.1 Understanding attack descriptions • Signature Count by Benign Trigger Probability: the number of signatures that have high, medium, or low benign trigger probabilities, respectively. The benign trigger probability is the chance that the signatures for an attack may trigger a false positive.
  • Page 252: Impact Subcategories

    Category / Description. Reconnaissance: This type of activity is for the purpose of intelligence gathering to prepare for further attacks; for example, a port scan or probe conducted to enumerate or identify services and possible vulnerabilities.
  • Page 253 Buffer Overflow: This kind of alert indicates attempts at exploiting software vulnerabilities where manipulation of buffer spaces can result in overwriting of unintended memory areas. Such overwriting can have different consequences depending on whether the areas are executable or not.
  • Page 254 Privileged Access: Privileged access indicates the most serious type of successful exploitation, where unauthorized access to privileged accounts has been obtained. For example, a successful buffer overflow on a Unix server may open a root shell for the attacker.
  • Page 255 Unassigned: This category is for attacks that fall outside the scope of the known subcategories in the Network Security Platform environment. For example, if an attacker comes along with a Van Eck device and starts conducting Tempest attacks, “unassigned”...
  • Page 256 Code execution: A vulnerability which can be exploited by malicious people to compromise a user's system. An attacker can execute malicious programs or code on a user's system. Successful exploitation allows execution of arbitrary code and possibly takes complete control of the affected system.
  • Page 257 PUBs include spyware, adware, and dialers, and are often downloaded in conjunction with a program that the user wants. McAfee differentiates PUBs from other types of malware, such as viruses, Trojans, and worms, which can be safely assumed to be unwanted by the...
  • Page 258: Index

