The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
Contents
Preface
  Introducing McAfee IntruShield IPS
  About this guide
  Contents of this guide
  Audience
  Conventions used in this guide
  Related Documentation
  Contacting Technical Support
Chapter 1: An introduction to IntruShield sensors
  What is an IntruShield sensor?
Using fail-open hardware
Cabling for in-line mode
Cabling for Tap mode
Cabling I-4000 GBIC ports in external Tap mode
Cabling for SPAN mode
Cabling the I-4000 sensor to monitor in SPAN or hub mode
Cabling the failover interconnection ports
Index
Preface

This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
McAfee® IntruShield® IPS 4.1 Preface IntruShield Sensor 4000 Product Guide Audience • Chapter 4: Attaching Cables to the I-4000 Sensor (on page 18) describes how to attach monitoring and response cables to the sensor, and how to cable the sensor to operate in various operating modes.
Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
Example: Caution:
Information http://www.mcafee.com/us/about/contact/index.html page. Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
TCP connections, “scrubbing” malicious packets, and even blocking attack packets entirely before they reach the intended target.

Sensor platforms

McAfee offers multiple sensor platforms providing different bandwidth and deployment strategies.
This document describes the I-4000 sensor.

The IntruShield 4000 sensor

The IntruShield 4000 sensor (the I-4000), designed for high-bandwidth links, is equipped to support two full-duplex Ethernet segments, or four SPAN ports transmitting no more than 2 Gbps for up to 2 Gbps of aggregated traffic.
Power supply B is a hot-swappable, redundant power supply. This power supply also uses a standard IEC320-C13 port, and you can use the McAfee-provided cable or acquire one that meets your specific needs. The I-4000 does not have internal taps; it must be used with a 3rd party external tap to run in tapped mode.
Status / Description
Power A
  Green: Power Supply A is functioning.
  Amber: Power Supply A is not functioning.
Power B
  Green: Power Supply B is functioning.
Status / Description
Response Port Link
  Green: The link is connected.
  The link is disconnected.
Chapter: Before you install

Sensor specifications, safety measures, unpacking a sensor

This chapter describes best practices for deployment of IntruShield sensors on your network. Topics include system requirements, site planning, safety considerations for handling the sensor, and usage restrictions that apply to the sensor.

I-4000 sensor specifications

The following table lists the specifications of the I-4000 sensor.
considerations for IntruShield deployment, see Pre-deployment considerations, Planning and Deployment Guide

Safety measures

The safety measures given below apply to all sensor models unless otherwise specified. Carefully read the following warnings before you install the product.
• The sensor appliance is not a general purpose workstation.
• McAfee prohibits the use of the sensor appliance for anything other than operating the IntruShield IPS.
• McAfee prohibits the modification or installation of any hardware or software in the sensor appliance that is not part of the normal operation of the IntruShield IPS.
Unpacking the sensor

• one power cord. McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country-appropriate power cable.
• one set of rack mounting ears
•...
Chapter: Setting up the I-4000 sensor prior to configuration

This chapter describes the process of setting up a sensor prior to configuring it via the ISM.

Setup overview

Setting up a sensor involves the following steps:
Positioning the sensor.
Figure 2: Attaching the mounting ears to the sensor chassis

Mounting the I-4000 sensor in a rack

McAfee recommends rack-mounting your sensors. The rack-mounting hardware included with the sensors is suitable for most 19-inch equipment racks and telco-type racks. For maintenance purposes, you should have access to the front and rear of the sensor.
Mount the sensor by securing the ears to two posts or mounting strips in the rack. Because the ears bear the weight of the entire sensor, be sure to fasten the ears securely to the rack.
Note: For true redundant operation with the optional redundant power supply, McAfee recommends that you plug each supply into a different power circuit. For optimal protection, use uninterrupted power sources.

Removing a power supply

To remove a power supply from the I-4000 (Optional—the power...
Installing GBICs

A GBIC is a hot-swappable input/output device that plugs into a Gigabit Ethernet port, linking the module port with a fiber-optic network. Use only McAfee-approved GBICs either purchased from McAfee or from certified vendors.

Note: To ensure compatibility, McAfee supports only those GBICs purchased through McAfee or from a McAfee-approved vendor.
The I-4000 sensor has no power switch. The sensor powers on as soon as one of its power cables is connected to a power source.

Powering off the sensor

McAfee recommends that you use the shutdown CLI command to halt the sensor before powering it down. For more information on CLI commands, see...
Follow the steps outlined in this chapter to connect cables to the various ports on your sensor.

Cabling the Console port

The Console port is used for setup and configuration of the sensor. For console connections, plug the DB9 Console cable supplied by McAfee into the Console port (labeled Console on the sensor front panel).
Connect the other end of the cable to the network device (for example, hub, switch, router) that in turn connects to the ISM server. Note: To isolate and protect your management traffic, McAfee strongly recommends using a separate, dedicated management subnet to interconnect the sensors and the ISM.
Cabling the I-4000 Monitoring ports

Connect to the network devices you will be monitoring via the sensor Monitoring ports. You can deploy sensors in the operating modes shown in the following table.
Default Monitoring port speed settings for I-4000

Be sure that the switch/router ports connected to the sensor Monitoring ports match the sensor configuration.
The I-4000 sensor’s GBIC ports must be used with a 3rd party external tap.

Note: For a list of approved 3rd party vendors, see the KnowledgeBase at the McAfee Support Site, https://mysupport.mcafee.com.

External tap mode requires a port pair (for example, 1A and 1B).
Cabling for SPAN mode

Cabling the I-4000 sensor to monitor in SPAN or hub mode

When you monitor in SPAN or Hub mode, you do not need to use a port pair. You can use single ports.
Plug the cable appropriate for use with your GBIC into port 2A of the active sensor. Connect the other end of the cable to port 2A of the standby sensor.
Caution 2: A very brief link disruption may also occur while the links between the sensor and each of the peer devices are renegotiated to place the sensor back in in-line mode.