
McAfee® Network Security Platform version 5.1
Integration Guide, revision 1.0

McAfee® Network Protection: Industry-leading network security solutions


COPYRIGHT Copyright © 2001-2008 McAfee, Inc. All Rights Reserved.

TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
• Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
• Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
• Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
• Software written by Douglas W. Sauder.
• Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
• International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
• Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
• FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
• Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
• Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
• Software copyrighted by Expat maintainers.
• Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
• Software copyrighted by Gunnar Ritter.
• Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
• Software copyrighted by Gisle Aas. (C) 1995-2003.
• Software copyrighted by Michael A. Chase, (C) 1999-2000.
• Software copyrighted by Neil Winton, (C) 1995-1996.
• Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
• Software copyrighted by Sean M. Burke, (C) 1999, 2000.
• Software copyrighted by Martijn Koster, (C) 1995.
• Software copyrighted by Brad Appleton, (C) 1996-1999.
• Software copyrighted by Michael G. Schwern, (C) 2001.
• Software copyrighted by Graham Barr, (C) 1998.
• Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
• Software copyrighted by Frodo Looijaard, (C) 1997.
• Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
• Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
• Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
• Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
• Software copyrighted by Stephen Purcell, (C) 2001.
• Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
• Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
• Software developed by the University of California, Berkeley and its contributors.
• Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).
• Software copyrighted by Kevlin Henney, (C) 2000-2002.
• Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
• Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
• Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
• Software copyrighted by Boost.org, (C) 1999-2002.
• Software copyrighted by Nicolai M. Josuttis, (C) 1999.
• Software copyrighted by Jeremy Siek, (C) 1999-2001.
• Software copyrighted by Daryle Walker, (C) 2001.
• Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
• Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
• Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002.
• Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
• Software copyrighted by Jens Maurer, (C) 2000, 2001.
• Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000.
• Software copyrighted by Ronald Garcia, (C) 2002.
• Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
• Software copyrighted by Stephen Cleary ([email protected]), (C) 2000.
• Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
• Software copyrighted by Paul Moore, (C) 1999.
• Software copyrighted by Dr. John Maddock, (C) 1998-2002.
• Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
• Software copyrighted by Peter Dimov, (C) 2001, 2002.
• Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
• Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
• Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
• Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
• Software copyrighted by Sparta, Inc., (C) 2003-2004.
• Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
• Software copyrighted by Simon Josefsson, (C) 2003.
• Software copyrighted by Thomas Jacob, (C) 2003-2004.
• Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
• Software copyrighted by Todd C. Miller, (C) 1998.
• Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued September 2008 / Integration Guide
700-1812-00 / 1.0 - English


Contents

Preface ... v
  Introducing McAfee Network Security Platform ... v
  About this Guide ... v
  Audience ... v
  Related Documentation ... vi
  Conventions used in this guide ... vi
  Contacting Technical Support ... vii

Chapter 1 Integration with McAfee ePO ... 1
  Configuring the ePO server details ... 1
  Querying host details from the ePO server ... 4
    Viewing details of Source and Destination Hosts ... 5
    Viewing host details using IP address ... 9

Chapter 2 Integration with McAfee Host Intrusion Prevention ... 15
  Configuring Host Intrusion Prevention details ... 15
  Adding a Host Intrusion Prevention Sensor ... 17
  Configuring the Host Intrusion Prevention Sensor in ePO ... 18

Chapter 3 Integration with Foundstone ... 20
  McAfee Network Security Platform - Foundstone integration ... 20
    Foundstone installation ... 22
    Menu options for Foundstone configuration ... 23
    Configuring Foundstone settings in Manager ... 24
    Using Foundstone Configuration Wizard ... 32
  Relevance analysis of attacks ... 32
    Menu options for Relevance Analysis ... 32
    Configuring relevance analysis in Manager ... 33
    Using Relevance Configuration Wizard ... 40
    Fault messages for Foundstone Scheduler ... 41
  Troubleshooting options ... 42
    Reloading Foundstone cache ... 43
    Resetting relevancy cache ... 43
    Resubmitting database updates ... 43
  Support for Foundstone custom certificates ... 44
  Requesting a Foundstone scan from Threat Analyzer ... 44
    Viewing Foundstone scans ... 46
    Foundstone scan option ... 47
    Rescanning the host ... 50
    Concurrent scans ... 50
    Fault messages for Foundstone on-demand scan ... 50
    Foundstone scan from Hosts page ... 51
    Network scenarios for Foundstone scan ... 52

Chapter 4 Integration with McAfee NAC ... 55
  How hosts are classified ... 55
  How this integration worked in Network Security Platform 4.1 ... 56
  Integration requirements ... 57
    Supported versions ... 57
    Required ePO/McAfee NAC details ... 57
  Integrating a Sensor and the McAfee NAC server ... 58
    Configuration at the admin domain level ... 58
    Establishing trust between a Sensor and McAfee NAC/ePO server ... 59
  Viewing McAfee NAC-related details ... 60
    Viewing McAfee NAC-related Operational Status messages ... 61
    Viewing McAfee NAC details using Manager reports ... 61

Index ... 63


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also lists the supporting documents for this guide and explains how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

What do you want to do?

• Learn more about McAfee Network Security Platform components.
• Learn how to Get Started.
• Learn about the Home page and interaction with the Manager interface.

About this Guide

This guide describes the functionality and configuration involved in integrating Network Security Platform with other McAfee products: McAfee ePolicy Orchestrator® (ePO), McAfee® Host Intrusion Prevention [formerly McAfee® Entercept], Foundstone, and McAfee® Network Access Control.

Audience

This guide is intended for network technicians and maintenance personnel responsible for installing, configuring, and maintaining McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] and McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors], who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.


McAfee® Network Security Platform 5.1 Preface

Related Documentation

The following documents and on-line help are companions to this guide. Refer to the Quick Tour for more information on these guides.

• Quick Tour
• Manager Installation Guide
• 4.1 to 5.1 Upgrade Guide
• Getting Started Guide
• IPS Deployment Guide
• Manager Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Sensor CLI Guide
• Sensor Configuration Guide
• IPS Configuration Guide
• NAC Configuration Guide
• System Status Monitoring Guide
• Reports Guide
• User-Defined Signatures Guide
• Central Manager Administrator's Guide
• Best Practices Guide
• Troubleshooting Guide
• I-1200 Sensor Product Guide
• I-1400 Sensor Product Guide
• I-2700 Sensor Product Guide
• I-3000 Sensor Product Guide
• I-4000 Sensor Product Guide
• I-4010 Sensor Product Guide
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide
• Special Topics Guide: In-line Sensor Deployment
• Special Topics Guide: Sensor High Availability
• Special Topics Guide: Virtualization
• Special Topics Guide: Denial-of-Service

Conventions used in this guide

This document uses the following typographical conventions:


Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > View Details.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

Contacting Technical Support

If you have any questions, contact McAfee for assistance:


Online: Contact McAfee Technical Support at http://mysupport.mcafee.com.

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips from McAfee's 24x7 comprehensive KnowledgeBase. Customers can also resolve technical issues through online case submission, software downloads, and signature updates.

Phone: Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday through Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page at http://www.mcafee.com/us/about/contact/index.html.

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for online case submission.


Chapter 1

Integration with McAfee ePO

McAfee ePolicy Orchestrator® (ePO) is a scalable platform for centralized policy management and enforcement of system security products such as anti-virus, desktop firewall, and anti-spyware applications. You can integrate McAfee® Network Security Platform [formerly McAfee® IntruShield®] 5.1 with ePO 4.0. The integration enables you to query the ePO server from the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] to view the details of a network host.

For more information on ePO, see the McAfee ePO Product Guide. You can download the guide from http://www.mcafee.com/us/enterprise/downloads/index.html.

Integrating the McAfee Network Security Manager (Manager) and ePO enables you to send queries to the ePO server to obtain details of the hosts on your network. The details fetched from the ePO server include the host type, host name, user name, operating system details, the top 10 anti-virus events, and the details of the system security products installed on the host. These details are displayed in the Threat Analyzer. If you have installed McAfee® Host Intrusion Prevention [formerly McAfee® Entercept] as part of your ePO installation, you can also view the last 10 Host Intrusion Prevention events for a specific host. These details give security administrators increased visibility and context when performing forensic investigation of security events seen on the network. When you are reviewing alert details for a host in the Threat Analyzer, you can mouse over an IP address in the Alerts page to display essential host data such as host name, current user, and OS version.

For more information on McAfee Host Intrusion Prevention events, see the McAfee Host Intrusion Prevention Product Guide. You can download the guide from http://www.mcafee.com/us/enterprise/downloads/index.html.

Consider the following scenario to understand how McAfee Network Security Platform-ePO integration works:

You notice in the Threat Analyzer that a host in your network is port scanning other hosts. You want to know more about the source of these attacks, so you right-click the alert and view the details of the source IP. The Manager queries the ePO server and displays the details of the host in the Threat Analyzer. From these details you may realize, for example, that VirusScan (McAfee's anti-virus application) on that host is outdated. From the host name, you may also recognize it as a server that was taken off the network some time ago, which is why VirusScan was not updated during that period.

Configuring the ePO server details

The integration between the Manager and the ePO server relies on an extension file that must be installed on the ePO server. You can download the extension file from the Manager. Before you configure the ePO server settings, install the extension file on the ePO server; then configure the ePO server settings on the Manager.

To integrate the Manager with ePO, perform the following steps:

1. Log onto the Manager.

2. Navigate to Configuration > Integration > ePolicy Orchestrator > Server Settings. The ePO Server Settings page is displayed.

Figure 1: Configuring ePO Server Settings

3. Click the ePO Extension link.

4. Save NSMExtension.zip to a location for later retrieval.

5. Log onto the ePO console. The ePO console Home page is displayed.


6. Navigate to the Configuration > Extensions > Install Extension page.

7. Browse to and select NSMExtension.zip from the location where you saved it in step 4. Once installed, the Manager is listed under Extensions. For more details on the installation procedure for extension files, refer to the ePO documentation.

Figure 2: Installing NSMExtension.zip on the ePO console

8. Close the ePO console and return to the Manager.

9. Navigate to Configure > Integration > ePolicy Orchestrator > Server Settings.

10. Specify the ePO server details as described in the following table.

Field: Server Name / IP Address
Description: Enter the name or the IP address of the ePO server running the extension file. Note that this ePO server should have the details of the hosts covered by the admin domain. Contact your ePO administrator for the server name and IP address.

Field: Server Port
Description: Specify the HTTPS listening port on the ePO server that will be used for Manager-ePO communication. Contact your ePO administrator for the port number.

Field: User Name
Description: Enter the user name to be used when connecting to the ePO server. McAfee recommends that you use a local ePO user account with View-only permissions; the Manager only reads host details, so it needs no broader rights.

Field: Password
Description: Enter the password for connecting to the ePO server.


11. Click Test Connection to verify that the extension file is installed and started on the ePO server.

12. If the connection is up, click Save to save the configuration.

13. Navigate to Configure > Integration > ePolicy Orchestrator > Enable.

Figure 3: Enabling querying to the ePO Server

14. Select Yes under the Enable detailed host query option.

15. (Optional) Select Yes under the Enable mouse-over host summary option. Enabling this option allows you to mouse over an IP address in the Threat Analyzer Alerts page to display a summary of essential host data such as host name, current user, and OS version. The summary is visible in the Alerts page only when ePO integration is also enabled in the Manager.

Configuring the ePO server for separate admin domains

You can enable or disable the Manager-ePO integration per admin domain. If you enable it for an admin domain, you can view the details of that domain's hosts from the Threat Analyzer.

If you have more than one instance of ePO, different admin domains can be configured to different ePO servers. Plan your deployment so that each admin domain is configured with the ePO server that actually holds the details of its hosts. For example, if you have a dedicated ePO server for your Branch Office, configure the Branch Office admin domain to the Branch Office ePO server.

Note: For more information on ePO refer to ePO documentation.

Querying host details from the ePO server

After you enable Network Security Platform-ePO integration at an admin domain level, you can query for and view the details of the corresponding network hosts using the Threat Analyzer. If you have installed McAfee Host Intrusion Prevention software and Host Intrusion Prevention is running on the host, you can also view the top 10 Host Intrusion Prevention events for that host.

Consider the following example. My Company is the root admin domain and HR and Finance are its child domains. Sensor-HR and Sensor-Fin are the respective McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors] of the two child domains. Assume that the Manager-ePO integration is enabled only for Finance. For an attack detected by Sensor-Fin, you can view the details of the source and destination hosts from the Threat Analyzer because ePO integration is enabled for the Finance admin domain.

Note that for you to view the details, that information should be available on the ePO server. For example, if an attack is from outside your network, then your ePO server may not have any information about this source host.

A host can belong to one of the following three types:

• Managed Hosts: hosts currently managed by an ePO agent.
• Unmanaged Hosts: hosts recognized by ePO but not currently managed by any ePO agent.
• Unrecognized Hosts: hosts about which ePO has no information. In the Threat Analyzer, an unrecognized host is represented by a series of dashes (- - -).

You can view the details of the source and destination hosts in an alert. Alternatively, you can enter an IP address and get the details from the ePO server. See Viewing Host Details using IP Address (on page 9). These details may enable you to troubleshoot and fix security-related issues on those hosts. In the Threat Analyzer, you can view the details of managed and unmanaged hosts, but not of unrecognized hosts.

Note: If you modify the ePO server settings, re-launch the Threat Analyzer to view the host details.
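The following is an added example, not Network Security Manager or ePO code: it models the host lookup described in this section and in Configuring the ePO server for separate admin domains, so that the behaviour can be checked on constructed data. The ePO inventory, the admin domains (Finance with integration enabled, HR without), the alert IPs and the field names such as dat_age_days are all assumptions made for the walkthrough; the three host types and the "- - -" rendering of an unrecognized host come from the guide.

```python
# Added example (not Network Security Manager or ePO code): a model of the
# per-admin-domain host lookup this chapter describes. The ePO inventory, the
# admin domains and the alert IPs below are constructed; field names such as
# dat_age_days are assumptions made for the walkthrough.
from dataclasses import dataclass
from typing import Dict, List, Optional

MANAGED = "managed"             # an ePO agent manages the host
UNMANAGED = "unmanaged"         # ePO knows the host, but no agent manages it
UNRECOGNIZED = "unrecognized"   # ePO has no information about the host
UNRECOGNIZED_DISPLAY = "- - -"  # how the Threat Analyzer renders an unrecognized host


@dataclass
class EpoHost:
    host_name: str
    user_name: str
    os_version: str
    has_agent: bool        # True == managed host
    dat_age_days: int = 0  # assumed field: age of the VirusScan DAT on the host


@dataclass
class EpoServer:
    name: str
    hosts: Dict[str, EpoHost]  # keyed by IP address


@dataclass
class AdminDomain:
    name: str
    epo: Optional[EpoServer]   # None == Manager-ePO integration disabled here


def classify(host: Optional[EpoHost]) -> str:
    """Map an ePO lookup result to the three host types the guide defines."""
    if host is None:
        return UNRECOGNIZED
    return MANAGED if host.has_agent else UNMANAGED


def query_host(domain: AdminDomain, ip: str) -> Optional[dict]:
    """Host Forensics summary for one IP, or None when ePO integration is not
    enabled for the admin domain whose Sensor raised the alert."""
    if domain.epo is None:
        return None
    host = domain.epo.hosts.get(ip)
    summary = {"ip": ip, "type": classify(host), "epo_server": domain.epo.name}
    if host is None:
        summary["host_name"] = UNRECOGNIZED_DISPLAY  # nothing else to show
        return summary
    summary.update(host_name=host.host_name, user_name=host.user_name,
                   os_version=host.os_version, dat_age_days=host.dat_age_days)
    return summary


def query_hosts(domain: AdminDomain, ips: List[str]) -> List[dict]:
    """One query covering many IPs, as for an alert with several destinations."""
    results = []
    for ip in ips:
        summary = query_host(domain, ip)
        if summary is not None:
            results.append(summary)
    return results


def stale_dat(results: List[dict], max_age_days: int = 7) -> List[str]:
    """IPs of managed hosts whose DAT is older than the threshold: the
    'outdated VirusScan' finding from the scenario at the start of the chapter."""
    return [r["ip"] for r in results
            if r["type"] == MANAGED and r["dat_age_days"] > max_age_days]


# Constructed inventory: one ePO server serving the Finance domain only.
FINANCE_EPO = EpoServer("epo-fin", {
    "10.1.2.3": EpoHost("fin-srv-01", "svc_backup", "Windows Server 2003", True, 45),
    "10.1.2.4": EpoHost("fin-ws-17", "jdoe", "Windows XP", True, 1),
    "10.1.2.9": EpoHost("fin-printer", "-", "unknown", False),
})
FINANCE = AdminDomain("Finance", FINANCE_EPO)
HR = AdminDomain("HR", None)   # integration not enabled for HR


if __name__ == "__main__":
    # Port-scan alert from Sensor-Fin: three internal destinations and one from outside.
    rows = query_hosts(FINANCE, ["10.1.2.3", "10.1.2.4", "10.1.2.9", "203.0.113.7"])
    for r in rows:
        print(r["ip"], r["type"], r["host_name"])
    print("outdated DAT on:", stale_dat(rows))
    print("HR lookup:", query_host(HR, "10.1.2.3"))
```

The external address comes back as unrecognized with "- - -" for its host name, exactly the case the guide warns about for attacks from outside your network, and the same IP looked up through the HR domain returns nothing because integration is not enabled there.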

Viewing details of Source and Destination Hosts

To view the details of the source or destination host in an alert:

1. Launch the Real-time or Historical Threat Analyzer.

2. Click Alerts. Right-click an alert, select ePO Host Information, and then select View Source Details or View Destination Details. You can also select several alerts, right-click, and query the server for all of them at once. An informational message is displayed stating that the ePO query is successful.

Figure 4: ePO Message


You must have enabled Network Security Platform-ePO integration at the domain level to see the ePO option in the right-click menu. You can query many IP addresses at a single time. For example, if an RFC-Overflow alert has 11 destination addresses, you can query all of them with a single query.

Note: You can query the ePO server for host information from the Alerts page as well as from the Hosts page. Right-click an IP on the Hosts page and select View ePO Information. The Manager notifies you if your ePO query is successful and then lets you navigate to the Host Forensics page to display the query results.

3. Click Yes. The Host Forensics page with the summary of the host details is displayed. The name or the IP address of the ePO server is also displayed in parentheses next to ePO Host Information.

Figure 5: Summarized host details from ePO

4. For a managed or unmanaged host, double-click a row in the ePO Host Information section to view additional details. The details are displayed in a tabbed region named after the host's IP address. If double-clicking does not display additional details, either the host is an unrecognized host, or you queried the same managed/unmanaged host earlier and its tabbed region is still open.


See Additional Details for Managed Hosts (on page 11) and Additional Details for Unmanaged Hosts (on page 13).

Figure 6: Additional details - managed host


Figure 7: Latest Events Tab

Note: You can also view the details of source and destination hosts from the Hosts page.

Right-click options in the Host Forensics page

You can select an ePO query and right-click to view the following:

• View Details: View additional details of managed/unmanaged hosts.
• Query again: Query the host once again.
• Delete: Delete the queried host information.
• Delete All: Delete all rows in the host information section.


Viewing mouse-over summary

You can mouse over an IP address in the Alerts page to display a summary of essential host data, such as host name, user, and OS version.

Figure 8: Mouse over summary of a host

You need to enable this option from the Enable ePO Integration page. The summary is visible in the Alerts page only when ePO integration is also enabled in the Manager.

Viewing host details using IP address

You can query using a host's IP address in the Host Forensics page to view the details of the host. You can view the details of up to 100 hosts at a time. If the number of queries exceeds 100, then the earliest row of detail is deleted.

To view host details using the IP address:


1 Launch the Real-time or Historical Threat Analyzer.
2 Click Host Forensics.
3 Enter the IP address.
4 Select the admin domain name that is configured to the ePO database.
5 Click Query now.

The source or destination IP is listed in the ePO Host Information section of the Host Forensics page. The name or the IP address of the ePO server is also displayed in parentheses next to ePO Host Information.

Note: If you are querying an unknown host and then click on that row for information (the row has only dashes displayed), a pop-up message is shown stating that the data is not available.

Figure 9: Summarized host details from ePO

6 For a managed or unmanaged host, double-click a row of information in the ePO Host Information section to view the additional details. See Additional Details for Managed Hosts (on page 11) and Additional Details for Unmanaged Hosts (on page 13).

Figure 10: Additional details - unmanaged host

Note: When you double-click on a row of information, then the details are displayed in a tabbed region named after the host's IP address. If double-click does not display the additional details then it could be that the host is unrecognized or you had earlier queried for the same managed/unmanaged host and the tabbed region for the host is still available.


Additional details for managed hosts

For managed and unmanaged hosts, you can double-click on a row of information in the Summary tabbed region of the Host Forensics page to view additional details. These additional details are related to the point-products installed by ePO on the host. If you have installed Host Intrusion Prevention and it is also running on the host, then you can view the last 10 Host Intrusion Prevention events on the host as well. Note that the last 10 events displayed are sorted based on their severity levels.

Note: A Host Intrusion Prevention event is an alert generated by Host Intrusion Prevention regarding an activity on the host. For more information, see McAfee Host Intrusion Prevention documentation.

Based on the additional details and the events, you can tune the security applications on the host for the best possible protection.

The following are the details for the managed hosts under the Host Information tab:

Field Description

Host Name Name of the managed host.

IP address IP address of the managed host.

MAC Address The Media Access Control address of the host.

Host Type A managed host is one that has an ePO agent to manage its point-products.

Operating system The version of the operating system. For example: Windows 2003 (5.2 - Service Pack 2)

User (s) The operating system user names of the host.

Domain / workgroup The domain or workgroup to which the host belongs.

Source ePO server IP address of the queried ePO server.

Information query time Displays the time when the Manager sent the query to the ePO server.

Last McAfee Agent Update Last Agent reported time to ePO.

Installed Products Point-products installed by ePO on the host, for example VirusScan or Host Intrusion Prevention. The version of the product installed is displayed in parentheses, for example: Network Security Platform (<version number>).

Engine Version Version of the product's engine, if applicable.

DAT Version Version of the DAT file of the product, if applicable.

Click the Latest Events tab to view the following information on the latest 10 Host Intrusion Prevention and anti-virus events.


Last 10 AntiVirus Events

Event Time Date and time when the event was received by the anti-virus agent.

Threat Name The name of the threat that caused the event to appear

Threat Type The type of the threat that triggered the event.

Action Taken Action taken by the anti-virus agent on the reported event.

File Path The path to the affected file that caused the event.

Analyzer Detection Method The method used to detect the anti-virus event.

Last 10 Host Intrusion Prevention Events

Time Date and time when the event was received by the Host Intrusion Prevention agent.

Signature Name The name of the signature that caused the event to appear.

Signature ID The ID of the Host Intrusion Prevention signature that caused the event to appear.

Severity The severity level of the Host Intrusion Prevention event.

User The user at the time the event was initiated.

Process The application process that triggered the event.

Source IP Source IP address for the event.

Reaction The reaction set to take place when the event is triggered.

Launching the ePO console

The Host Forensics page allows you to view additional details for a host by launching the ePO console from the Threat Analyzer itself.

1 Launch the Real-time or Historical Threat Analyzer.
2 Click Host Forensics.
3 Enter an IP address and click Query now.
4 Double-click on a managed host.

A detailed view of Host information page is displayed.


5 Click Open ePO console.

Figure 11: Host details

The actions that you can do on the ePO console will be based on the privileges assigned to the user credentials that you enter during the ePO server configuration.

Additional details for Unmanaged Hosts

Unmanaged hosts do not have an ePO agent to manage their point-products. The following are the additional details that you can view for unmanaged hosts:


Field Description

DNS DNS name of the host.

NetBIOS name NetBIOS name of the host.

IP Address IP address of the host.

MAC Address MAC address of host.

Host Type The reason why the host is unmanaged. For example: No ePO installed, agent inactive.

Last detection time The date and time when the host was detected on the network.

Operating system The operating system platform on the host. For example: Windows 2003.

User (s) Operating system user names of the host.

Source ePO server The IP of the ePO server that sent the unmanaged host details.


CHAPTER 2

Integration with McAfee Host Intrusion Prevention

McAfee® Network Security Platform 5.1 integrates with McAfee® Host Intrusion Prevention version 7.0.

Host Intrusion Prevention is a Host-based intrusion prevention system, which prevents external and internal attacks on the hosts in the network, thus protecting services and applications running on them.

Host Intrusion Prevention is now completely integrated with ePO 4.0. McAfee® Network Security Manager (Manager) uses an ePO extension file to obtain real-time Host Intrusion Prevention events from the ePO server. The extension file (NSMExtension.zip) needs to be downloaded from the Manager, and installed on the ePO server using the ePO console. Once the extension file is installed on the ePO console, ensure that the Host Intrusion Prevention extension is also installed on the ePO server.

Within the Manager's context, the Host Intrusion Prevention integration functions like a McAfee® Network Security Sensor (Sensor). In other words, Manager treats the ePO server running the server portion of the Host Intrusion Prevention software as a special type of Sensor. That is, the Manager receives the events information from Host Intrusion Prevention, incorporates these events into its database and provides these events for further viewing/actions in the Threat Analyzer and reports, like any other Network Security Platform alert.

Configure the Host Intrusion Prevention Sensor in the Manager by providing a name and a shared secret key. You then need to configure the Manager's IP address and the shared secret on the ePO server console as well. Once trust is established, the Host Intrusion Prevention Sensor is displayed in the Resource tree, Device List node of the Manager.

The Host Intrusion Prevention events are displayed in the Real-time Threat Analyzer. You can display only the Host Intrusion Prevention alerts by selecting Sensor from the Group By drill down in the Alert page, and perform sorting and filtering on the events.

Note 1: Only Host Intrusion Prevention's IPS events are sent to the Manager.

Note 2: IPS Quarantine is not applicable to Host Intrusion Prevention events in the Threat Analyzer.

In the case of an MDR pair, the Host Intrusion Prevention alerts are sent to both the active and the standby Manager.

Configuring Host Intrusion Prevention details

To integrate the Manager with Host Intrusion Prevention, perform the following steps:

1 Log onto the Manager.
2 Navigate to Configuration > Integration > ePO Orchestrator > Server Settings.

The ePO Server Settings page is displayed.


3 Click the ePO Extension link.
4 Save NSMExtension.zip to a location for later retrieval.
5 Log onto the ePO console. The ePO console Home page is displayed.
6 Navigate to Configuration > Extensions > Install Extension page.
7 Browse and select the ePO extension file from the location mentioned in step 4.

Once installed, the Manager is listed under the Extensions list.

Figure 12: Installing NSMExtension.zip on the ePO console

8 Verify on the ePO console that the Host Intrusion Prevention extension is installed.

Figure 13: Host Intrusion Prevention extension in ePO


Adding a Host Intrusion Prevention Sensor

Installation of a Host Intrusion Prevention Sensor is similar to adding a Sensor. Perform the following steps:

1 Click Device List > Sensors.
2 Click Add.

The Add New Sensor page is displayed.

Figure 14: Adding a Host Intrusion Prevention Sensor

3 Type a unique name at Sensor Name to identify the HIPs Management Server in Manager. The name can contain up to 25 alphanumeric (upper or lower case letters and numbers) characters, including hyphens, underscores, and periods. The name must begin with a letter.

4 Select the Sensor Type as Host Intrusion Prevention.
5 Type a password at Shared Secret for verifying the Manager-Host Intrusion Prevention communication. The secret must be a minimum of 8 characters in length and can contain up to 25 alphanumeric (upper or lower case letters and numbers) characters, including hyphens, underscores, and periods. The secret cannot start with an exclamation mark nor have any spaces.

Note: The exact, case-sensitive Sensor Name and Shared Secret must also be entered on the ePO console for Host Intrusion Prevention integration.

6 (Optional) Type the Contact Information and Location.
7 Click Submit to begin the Manager-ePO server handshake process.

Note: You need to configure the Host Intrusion Prevention Sensor details on the ePO console as well to establish trust. See Configuring Host Intrusion Prevention details (on page 15).

Once trust is established, the Host Intrusion Prevention Sensor is displayed in the Resource tree / Device List.
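The Sensor Name and Shared Secret rules from steps 3 and 5 above, written out as checks, as an added example that is not part of the guide or the product. The rule wording follows the guide; the helper names and the sample values are this example's own.

```python
import hmac
import re

# Allowed character set stated in the guide: letters, digits, hyphens,
# underscores and periods.
_ALLOWED = re.compile(r"[A-Za-z0-9._-]*")


def validate_sensor_name(name):
    """Return the list of rule violations; an empty list means the name is valid."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > 25:
        problems.append("name exceeds 25 characters")
    if not ("A" <= name[0] <= "Z" or "a" <= name[0] <= "z"):
        problems.append("name must begin with a letter")
    if not _ALLOWED.fullmatch(name):
        problems.append("name may contain only letters, digits, hyphens, underscores and periods")
    return problems


def validate_shared_secret(secret):
    """Return the list of rule violations; an empty list means the secret is valid."""
    problems = []
    if len(secret) < 8:
        problems.append("secret is shorter than 8 characters")
    if len(secret) > 25:
        problems.append("secret exceeds 25 characters")
    if secret.startswith("!"):
        problems.append("secret must not start with an exclamation mark")
    if " " in secret:
        problems.append("secret must not contain spaces")
    if not _ALLOWED.fullmatch(secret):
        problems.append("secret may contain only letters, digits, hyphens, underscores and periods")
    return problems


def sides_match(manager_name, manager_secret, epo_name, epo_secret):
    """True only when both the name and the secret are identical on the Manager
    and on the ePO console. The comparison is case-sensitive, as the note above
    requires, and constant-time so that comparing secrets does not leak how
    many leading characters agree."""
    return (hmac.compare_digest(manager_name.encode(), epo_name.encode())
            and hmac.compare_digest(manager_secret.encode(), epo_secret.encode()))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(validate_sensor_name("HIP-Sensor_01"))      # []
    print(validate_sensor_name("1sensor"))            # name must begin with a letter
    print(validate_shared_secret("Tr4st.me_here"))    # []
    print(validate_shared_secret("!longsecret1"))     # exclamation mark, character set
    print(sides_match("HIP-Sensor_01", "Tr4st.me_here", "hip-sensor_01", "Tr4st.me_here"))  # False
```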


Configuring the Host Intrusion Prevention Sensor in ePO

To configure a Host Intrusion Prevention Sensor on the ePO server and establish trust between the Manager and ePO, perform the following steps:

1 Log onto the ePO console. The ePO console Home page displays.

2 Navigate to Configuration > Server Settings page.
3 Browse and select Network Security Manager Settings.

4 Click Edit.

Note: You need to stop the Scheduler before editing existing settings.


The Edit Manager Settings page displays.

5 Enter the following to configure the Manager's IP:

Field Description

Host Intrusion Prevention Sensor name The Sensor name that must match with the Host Intrusion Prevention Sensor name entered in the Manager.

Manager IP The IP of the Manager server on which the Host Intrusion Prevention Sensor is to be configured.

Shared key The shared secret key that must match with the shared secret entered in the Manager.

Init channel port The port the Manager uses to exchange configuration information with the Sensor.

Alert channel port The port on which the Manager listens for Sensor alerts.

Packet channel port The port the Manager uses for sending the signature ID mapping information.

6 Click Save to save changes and return to the previous page.
7 In the Status field, click Start. The trust establishment is initiated between the Manager and the ePO server.
8 Use this page to view the Status of the Sensor installation.
9 You can also view the Number of events sent to the Manager by Host Intrusion Prevention.


CHAPTER 3

Integration with Foundstone

Vulnerability assessment is the automated process of proactively identifying vulnerabilities in the computing systems on a network, in order to determine the security threats to that network. Vulnerability scanner software automates the vulnerability discovery process by remotely assessing your network and finding the vulnerabilities in its systems.

McAfee® Network Security Platform provides integration with other vulnerability scanners such as Nessus Security Scanner and Foundstone Enterprise. You can request remote scans, and use the vulnerability assessment reports from the scanners to determine the relevance of attacks on the hosts.

The following sections give information about:

• McAfee Network Security Platform - Foundstone integration (on page 20) (configuration and functionalities)
• Relevance analysis of attacks (on page 32)
• Troubleshooting options (on page 42)
• Support for Foundstone custom certificates (on page 44)

McAfee Network Security Platform - Foundstone integration

Network Security Platform has been integrated with Foundstone Enterprise vulnerability scanner.

There are two main components to this enhanced integration.

First, users can schedule the import of Foundstone scan data into Network Security Platform, to provide automated updating of IPS-event data relevancy. Second, users can initiate a Foundstone on-demand scan of a single or group of IP addresses directly from the Threat Analyzer console. This provides a simple way for security administrators to access near real-time updates of host vulnerability details, and improved focus on critical events.


The figure below gives an overview of the Network Security Platform-Foundstone integration.

Figure 15: Network Security Platform-Foundstone integration

This integration provides the following major functionalities in McAfee® Network Security Manager (Manager):

On-demand scan

You can request a Foundstone scan from Threat Analyzer, by selecting the Source/Destination IP address of the host.

When you request a Foundstone on-demand scan, the selected host IP address is passed from the Threat Analyzer to the Manager web-tier, which connects and establishes trust with the FoundScan engine. This initiates the scan for the requested host IP address.

The FoundScan engine scans the host and provides the vulnerability assessment data to Manager. This data is processed and stored in the Manager database. The vulnerability data is also updated in the cache maintained in the Threat Analyzer client, so that all open Threat Analyzers have visibility of the recently invoked on-demand scans. To request an on-demand scan from Threat Analyzer, you need to configure Foundstone settings in Manager (on page 24).

Note: For more information on using the on-demand scan functionality from Threat Analyzer, see Requesting a Foundstone scan from Threat Analyzer (on page 44).


Automatic import of Foundstone reports via the Scheduler in Manager

The vulnerability report from Foundstone database can be imported via the Foundstone Scheduler (on page 37) in Manager. Reports can be scheduled on a daily or weekly basis. Imported vulnerability data will be stored in the Manager database, and also updated in the relevancy cache used for relevancy analysis of attacks.

Manual import of Foundstone reports via Manager

You can manually import reports from Foundstone, and store them in your local machine. Manager client passes the imported vulnerability data into the vulnerability assessment module in the Manager server. This data is processed and stored in the Manager database in Network Security Platform format (on page 37). For more information, see Manually importing scan reports (on page 34).

Relevance analysis of attacks

Once you have imported vulnerability reports into the Manager database, you can determine the vulnerability relevance for real-time alerts. For more information, see Relevance analysis of attacks (on page 32).

Foundstone installation

Before configuring Foundstone from Manager, you should have Foundstone Enterprise (Version 5.x or 6.x) installed in your system.

Foundstone Enterprise has the following major components:

• Foundstone Enterprise Manager - which represents the browser-based user interface of the system.

• Scan engine (on page 28) - used to scan hosts for vulnerability assessment.
• Foundstone database server (on page 26) - the data repository for Foundstone Enterprise, containing information about organization settings, scan configurations, workgroups, user account information and scan results.

• Foundstone Certificate Manager (FCM) server (on page 44) - hosts the Foundstone Certificate Management tool used for custom certificates.

In an actual Foundstone deployment, you can deploy Foundstone Enterprise Manager, Foundstone console, one or more FoundScan engines and Foundstone database.

Note: For more information on the system requirements for different Foundstone Enterprise deployment scenarios, see Foundstone Enterprise Administrator Guide.

Configuring Foundstone servers to use DNS Server

The server(s) used for the Foundstone deployment should be configured to use a Domain Name System (DNS) server. The Foundstone server must be defined as a record within the DNS zone.

Also make sure to configure the client machines used for on-demand scans, to use the DNS Server.

Without the above configurations, the Foundstone on-demand scans from Threat Analyzer will result in error, due to incorrect name resolution.


Using the Fully Qualified Domain Name (FQDN) for FoundScan Engine

The Foundstone Enterprise Manager connects to a FoundScan Engine for different tasks such as performing scans, viewing reports, etc.

When you install Foundstone Enterprise Manager, you will be prompted to enter the IP address, NetBIOS name or DNS resolvable name for the FoundScan Server.

McAfee recommends that you use a static IP address or the Fully Qualified Domain Name (FQDN) of the local machine on which you are installing Foundstone Enterprise Manager. The default value (MYHOST, as seen in the figure above) is not recommended.

Note: A Fully Qualified Domain Name (FQDN) consists of a host name and a domain name. For example, for a device with a hostname of "myhost" and domain name of "example.com", the Fully Qualified Domain Name is "myhost.example.com". In this example, .com is the top-level domain.

Menu options for Foundstone configuration

To configure Foundstone settings in Manager, in the Resource Tree, select Root Admin Domain > Integration > Foundstone.


The following menu options are displayed:

Figure 16: Menu options for configuring Foundstone in NSM

Item Menu option Description

1 Foundstone contains the sub-menu options to configure Foundstone settings.

2 Summary to view the details of Foundstone configuration in Manager.

3 Enable to enable Foundstone scanning in Threat Analyzer.

4 Database to configure the Foundstone database settings.

5 Scan Engine to configure FoundScan Engine settings.

6 Scans to add scan configurations in Manager.

7 Troubleshooting contains troubleshooting options like reloading Foundstone cache, resetting relevancy cache, and re-submitting database updates.

Note: The menu options explained above are mentioned as Foundstone menu options throughout this document.

Configuring Foundstone settings in Manager

The Foundstone configuration settings allow Manager to connect directly to the FoundScan engine servers and database.

You can configure the settings in two ways:

1 Manually navigating the configuration screens
2 Using the Foundstone Configuration Wizard

Manually navigating the configuration screens

The following steps are essential for manually configuring Foundstone settings (in the given order):

• Enabling Foundstone scanning (on page 25) - First step required for successfully using the Foundstone on-demand scan functionality from Threat Analyzer.

• Configuring Foundstone database settings (on page 26) - This step is essential for Manager to connect to the Foundstone database server, and import the required information from the database.

• Configuring FoundScan engine settings (on page 28) - Manager uses scan engine information to initiate Foundstone scans from Threat Analyzer.


• Adding Foundstone scan configurations (on page 29) - If the IP address of the scanned host falls within any of the scan configurations added to Manager, that scan configuration is used for the on-demand scan of the host from Threat Analyzer. This step completes the configuration settings for Foundstone in Manager.

Using the Foundstone Configuration Wizard

The Foundstone Configuration Wizard (on page 32) helps you to navigate the screens in the desired sequence.

(Select My Company (Root Admin Domain) > Integration > Foundstone > Summary > Run Configuration Wizard to start the Foundstone Configuration Wizard)

Figure 17: Accessing Foundstone Configuration Wizard from Summary page

Enabling Foundstone scanning

Enabling Foundstone scanning is the first step in configuring Foundstone from Manager.

To enable Foundstone scanning in Manager, do the following:

1 Select Enable from Foundstone menu options (on page 23) (Selection path: Root Admin Domain > Integration > Foundstone > Enable).

2 The Enable Foundstone Scanning page is displayed.

Figure 18: Enabling Foundstone scanning in NSM- first page for configuration


3 In Enable Foundstone scanning? option, select Yes to enable configuration of Foundstone settings in Manager.

4 Click Save. The screen is refreshed and you get a message that the changes have been successfully updated.

Configuring Foundstone database settings

The second essential step in Foundstone configuration is configuring the Foundstone database settings.

Using these settings, Manager connects to the Foundstone database to get relevance information, scan configuration details, scan engine details and vulnerability data for scanned hosts. The required data is fetched directly from the Foundstone database using stored procedures specific to Manager.

Tip: Make sure that you have enabled Foundstone scanning (on page 25) before configuring Foundstone Database Settings.

To configure Foundstone database settings, do the following:

1 Select Database from Foundstone menu options (on page 23). (Selection path: Root Admin Domain > Integration > Foundstone > Database).

Figure 19: Configuring Foundstone database settings in NSM


2 In the Database Settings window, enter the Server Name / IP Address of the Foundstone database.
3 Enter the Database Type. You can choose Default database or a Custom database.
4 When you choose Database Type as Default, note that the Database Settings window displays the following default values for three fields: Server Port as 1433, SSL Type as Require, and Database Name as Faultline. If you select the Default option, go to step 9.
5 When the Database Type is selected as Custom, you can enter custom values in the Server Port, SSL Type and Database Name fields. If you select the Custom option, go to step 6.
6 Enter the Server Port for the Foundstone database server.
7 Select the SSL Type.

SSL Type Description

Off SSL is not requested or used; this is the default

Request SSL is requested; if the server does not support it, then a plain connection is used

Require SSL is requested; if the server does not support it, then an exception is thrown

Authenticate Same as Require, except that the Foundstone server's certificate is signed by a trusted Certifying Authority (for example, VeriSign or DigiCert).

8 Enter the name of the Foundstone database server in Database Name.
9 Next, you can select three different authentication types for logging into the Foundstone database: SQL Authentication, Windows Domain, or Windows Workgroup. In all these authentication types, User Name and Password refer to those of the Foundstone database server that is used in the configuration.

10 In the case of SQL Authentication, a. enter User Name, b. and Password

11 In the case of Windows Domain Authentication, a. enter User Name, b. enter Password, c. and Logon Domain, in the respective fields.

Note: Logon Domain represents the network domain for the Windows NT system. This field is exclusively for Windows Domain Authentication.

12 In the case of Windows Workgroup, a. enter User Name, b. enter Password, c. and Server Name of the Windows Workgroup server, in the respective fields.

13 Click on Test Connection to check the availability of Foundstone database connection.

Note: The login credentials (username and password) for each of the authentication types above should be given db_owner access rights in the Foundstone database. This is essential for Manager to establish a connection with the Foundstone database and automatically install stored procedures in the Foundstone database.

Note that when the Foundstone database settings are configured for the first time, Manager automatically installs the required tables and stored procedures in the Foundstone database; these are used for retrieving information.
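The four SSL Type values from step 7 above, modelled as a connection policy so the difference between Require and Authenticate is visible. This is an added example, not code from the guide or the product; the outcome for each SSL Type follows the table, while the sample servers and helper names are constructed for the example.

```python
class ConnectionRefused(Exception):
    """Raised where the guide says an exception is thrown."""


# Constructed sample database servers as Manager would see them: whether the
# server offers SSL, and whether its certificate chains to a trusted
# Certifying Authority (for example VeriSign or DigiCert, as the guide says).
SAMPLE_SERVERS = {
    "legacy":      {"supports_ssl": False, "cert_trusted": False},
    "self_signed": {"supports_ssl": True,  "cert_trusted": False},
    "ca_signed":   {"supports_ssl": True,  "cert_trusted": True},
}


def negotiate(ssl_type, server):
    """Return 'plain' or 'ssl' for a connection that succeeds, or raise
    ConnectionRefused, according to the SSL Type selected in Manager."""
    mode = ssl_type.strip().lower()
    if mode == "off":
        # SSL is not requested or used.
        return "plain"
    if mode == "request":
        # SSL is requested; a plain connection is used if the server lacks it.
        return "ssl" if server["supports_ssl"] else "plain"
    if mode == "require":
        # SSL is mandatory, but the certificate is not checked against a CA,
        # so a self-signed or substituted certificate is still accepted.
        if not server["supports_ssl"]:
            raise ConnectionRefused("server does not support SSL")
        return "ssl"
    if mode == "authenticate":
        # Same as Require, plus the certificate must be CA-signed.
        if not server["supports_ssl"]:
            raise ConnectionRefused("server does not support SSL")
        if not server["cert_trusted"]:
            raise ConnectionRefused("certificate not signed by a trusted CA")
        return "ssl"
    raise ValueError(f"unknown SSL Type: {ssl_type!r}")


def outcome(ssl_type, server_name):
    """Result of one SSL Type against one sample server, as a string."""
    try:
        return negotiate(ssl_type, SAMPLE_SERVERS[server_name])
    except ConnectionRefused as exc:
        return f"refused ({exc})"


def outcome_matrix():
    """Every SSL Type against every sample server. Only Authenticate refuses
    the self-signed server; Require connects to it over SSL regardless."""
    return {
        (ssl_type, name): outcome(ssl_type, name)
        for ssl_type in ("Off", "Request", "Require", "Authenticate")
        for name in SAMPLE_SERVERS
    }


if __name__ == "__main__":
    for (ssl_type, name), result in sorted(outcome_matrix().items()):
        print(f"{ssl_type:<13}{name:<13}{result}")
```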

Next step is to configure the scan engine settings in Manager.

Configuring FoundScan engine settings

FoundScan engine (also known as engine, scan engine, or FoundScan Console) is the component of Foundstone system that scans the hosts in your network for vulnerabilities.

Network Security Platform-Foundstone integration supports two versions (5.x and 6.x) of FoundScan engine. In Manager, configuration settings for the scan engine include the engine version and login credentials to the scan engine server. Manager uses these settings to initiate vulnerability assessment scans from Threat Analyzer.

Tip: Before configuring Scan Engine Settings, you should enable Foundstone scanning (on page 25) and configure Foundstone database settings (on page 26).

To configure the scan engine settings, do the following:

1 Select Scan Engine from Foundstone menu options (on page 23). (Selection path: Root Admin Domain > Integration > Foundstone > Scan Engine).

2 In Scan Engine Settings window, select Engine Version as 5.x or 6.x.

Note: In the Scan Engine Settings window, 5.x indicates Foundstone 5.0 version, and 6.x indicates Foundstone 6.0 or 6.5 versions.

3 Enter the User Name and Password for the scan engine server.

Figure 20: Configuring scan engine settings in NSM

Note: Username and password entered here should have full access rights in the scan engine server. This is essential for successfully initiating Foundstone on-demand scans from Threat Analyzer.


4 Click Save, to save your settings. Next step is to add the scan configurations to Manager.

Adding Foundstone scan configurations

You can define scan configurations (also known as scans) in the Foundstone system for different host IP address ranges, and then add them to Manager.

When you add a scan configuration to Manager, it is checked whether this scan configuration exists in the Foundstone database. If the scan configuration exists, then it is saved in the Manager database. The scan configuration is also updated in the Manager cache.

The Manager cache basically contains the scan configuration ID and the IP ranges defined in the scan configuration. When the user requests an on-demand scan of a host IP from Threat Analyzer, the requested IP address is matched with the cached IP addresses, and the appropriate scan configuration ID is selected. Then, the scan configuration associated with that scan configuration ID is used to scan the host IP.

Important pre-requisite: You need to run the scan configuration defined in the FoundScan engine once, before adding a scan configuration to Manager. Each scan configuration defined in Foundstone is associated with a FoundScan engine. When you run the scan configuration for the first time at the Foundstone side, the FoundScan engine in which the scan configuration was last executed, gets associated with that scan configuration. This step is essential for successfully adding the scan configuration to Manager.

Tip: It is recommended that you define a common user in the organizations defined in the Foundstone side. Ensure that this user has full access privileges to FoundScan engine. Through this user, you can conveniently access the various scan configurations defined in all the organizations in Foundstone. This will ease the access of scan configurations defined in Foundstone. For more information about organizations and scan configurations, see Working with Scans, Foundstone Enterprise Administrator Guide.
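The cache lookup described above (scan configuration ID plus IP ranges, matched against the requested host IP, with the Set As Default configuration as fallback), as an added example that is not the Manager's code. The scan IDs, names and address ranges are constructed, and the tie-break for overlapping ranges (narrowest range wins) is an assumption the guide does not state.

```python
import ipaddress

# Constructed scan configurations, in the shape the guide describes: each has
# an ID, the IP ranges it covers, and whether it was marked Set As Default.
SCAN_CONFIGS = [
    {"scan_id": 101, "name": "DMZ-Weekly",    "default": False,
     "ranges": ["192.0.2.0/24"]},
    {"scan_id": 102, "name": "DMZ-WebTier",   "default": False,
     "ranges": ["192.0.2.10-192.0.2.20"]},
    {"scan_id": 103, "name": "Corp-Baseline", "default": True,
     "ranges": ["198.51.100.0/24", "203.0.113.0/25"]},
]


def parse_range(text):
    """Accept CIDR ('192.0.2.0/24') or 'first-last' notation and return the
    inclusive (first, last) bounds as integers."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        return int(first), int(last)
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def build_cache(scan_configs):
    """Flatten the configurations into what the guide says is cached: scan
    configuration ID plus IP ranges. The default scan ID is kept alongside."""
    entries = []
    default_id = None
    for cfg in scan_configs:
        if cfg.get("default"):
            default_id = cfg["scan_id"]
        for r in cfg["ranges"]:
            first, last = parse_range(r)
            entries.append((first, last, cfg["scan_id"]))
    return {"ranges": entries, "default_id": default_id}


def select_scan_id(host_ip, cache):
    """Scan configuration ID to use for an on-demand scan of host_ip. If
    several cached ranges contain the address, the narrowest wins (assumed
    tie-break). With no match, the Set As Default configuration is used; None
    means there is nothing suitable and the request should be rejected rather
    than scanned with an arbitrary configuration."""
    ip = int(ipaddress.ip_address(host_ip))
    best = None
    for first, last, scan_id in cache["ranges"]:
        if first <= ip <= last:
            width = last - first
            if best is None or width < best[0]:
                best = (width, scan_id)
    return best[1] if best else cache["default_id"]


if __name__ == "__main__":
    cache = build_cache(SCAN_CONFIGS)
    for host in ("192.0.2.15", "192.0.2.200", "203.0.113.200", "10.9.9.9"):
        print(host, "->", select_scan_id(host, cache))
```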

To add a scan configuration in Manager, do the following:


1 Select Scans from the Foundstone menu options (on page 23) (Selection path: Root Admin Domain > Integration > Foundstone > Scans). The Add Foundstone Scans page is displayed.

Figure 21: Scan Configuration Details page

Note: You can delete individual or multiple scan configurations from the Add Foundstone Scans page. Select Delete to delete a scan configuration. To delete multiple scan configurations, select the required checkboxes and then select Delete.

2 To add a scan configuration, click Add. The Add a Scan dialog is displayed.

Figure 22: Adding Foundstone Scan Configuration to NSM

The Add a Scan dialog allows you to enter scan configurations equivalent to those already defined in the FoundScan engine for the different host IP address ranges.


3 Enter the Organization or Workgroup name.
4 Enter a Scan Name.
5 Select Set As Default? if you want to set this scan configuration as the default one.

Tip: You can set the required scan configuration as the default one using the Set As Default option.

6 If required, enter a description of the scan configuration in Description.
7 Select Submit. The Add Foundstone Scans page displays all the scan configurations that are added to Manager.

The configuration steps for Foundstone are complete at this point. If the Threat Analyzer is running, restart it for the changes to take effect.

Viewing Foundstone configuration details

To view the Foundstone configuration details in Manager, do the following:

Select Root Admin Domain > Integration > Foundstone > Summary. The Summary page is displayed.

Figure 23: Foundstone configuration details page in NSM

This page shows the details of the Foundstone configuration, such as whether Foundstone scanning is enabled or disabled, the Foundstone database settings, the FoundScan engine settings, and the list of scan configurations added to Manager.

Note that the changes saved in all the pages related to Foundstone configuration are reflected in the Summary page. When you click the individual links, you are redirected to the respective pages.

You can also configure Foundstone settings using Run Configuration Wizard in the Summary page. This is explained in the following section.


Using Foundstone Configuration Wizard

You can use the Foundstone Configuration Wizard for configuring Foundstone settings from Manager.

1 Select Root Admin Domain > Integration > Foundstone > Summary.
2 In the Summary page, select Run Configuration Wizard.
3 The wizard displays the following pages in order:
• Enable Foundstone Scanning (on page 25)
• Database Settings (on page 26)
• Scan Engine Settings (on page 28)
• Add Foundstone Scans (on page 29)
4 Use the Next > or < Back buttons to navigate through the pages.
5 There are four configuration steps in total. Select Finish at the end of the fourth step.
6 If the Threat Analyzer is running, restart it for the changes to take effect.

Relevance analysis of attacks

Relevance analysis determines the vulnerability relevance of real-time alerts using the vulnerability data imported into the Manager database. The imported vulnerability data can come from Foundstone or from other supported vulnerability scanners (on page 36) such as Nessus.

Vulnerability assessment reports from the scanners list the vulnerabilities detected on specific hosts in the network. For example, a vulnerability assessment report may show that host 10.1.1.x is vulnerable to a buffer overflow attack, along with the CVE ID or BugTraq ID of the attack. Manager uses the imported scan report to determine whether the identified host is vulnerable to that particular attack.

The attack cache in Manager stores the CVE IDs of the attacks detected by the McAfee® Network Security Sensor (Sensor). During relevance analysis, the CVE ID of each vulnerability in the imported report is compared with the CVE IDs in the attack cache in Manager. If a matching record is found, the corresponding alert is marked as Relevant. This record is used by the alert correlation module during alert processing to check the relevancy type, and also to update the Vulnerability Relevance field in Threat Analyzer.

The status of relevance analysis can be viewed in the Details page of Threat Analyzer by enabling the Vulnerability Relevance field in the Preferences page. The status can be 'Relevant', 'Unknown', or 'Not Applicable'.
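The comparison described above, as an added Python illustration that is not code from this guide or from Manager: vulnerabilities from an imported report are indexed by host, the attack cache maps each Sensor attack to its CVE ID, and an alert is marked Relevant when the attacked host's imported vulnerabilities contain that CVE ID. The flat report rows, the attack-cache shape, the placeholder CVE IDs and the mapping of the Unknown and Not Applicable statuses are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

RELEVANT = "Relevant"
UNKNOWN = "Unknown"
NOT_APPLICABLE = "Not Applicable"

# Constructed stand-in for an imported report already flattened to (host IP, CVE ID)
# rows. The CVE IDs are obvious placeholders, not real entries.
SAMPLE_REPORT_ROWS: List[Tuple[str, str]] = [
    ("10.1.1.5", "CVE-EXAMPLE-0001"),
    ("10.1.1.5", "cve-example-0002"),   # mixed case, as some scanners emit
    ("10.1.1.7", "CVE-EXAMPLE-0003"),
]

# Constructed stand-in for the Manager attack cache: Sensor attack ID -> CVE ID (or None).
SAMPLE_ATTACK_CACHE: Dict[str, Optional[str]] = {
    "attack-bof-1": "CVE-EXAMPLE-0001",
    "attack-bof-2": "CVE-EXAMPLE-0002",
    "attack-scan-1": None,   # a signature with no CVE ID to compare
}


def build_vuln_index(rows: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Index imported vulnerabilities by host so each alert becomes one set lookup."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for host, cve in rows:
        index[host].add(cve.strip().upper())   # normalise before comparing
    return dict(index)


def relevance_of(alert: Dict[str, str], vuln_index: Dict[str, Set[str]],
                 attack_cache: Dict[str, Optional[str]]) -> str:
    """Vulnerability Relevance value for one alert.

    Relevant: the attacked host's imported vulnerabilities include the attack's CVE ID.
    Not Applicable (assumed mapping): the attack carries no CVE ID to compare.
    Unknown (assumed mapping): no match, including hosts with no imported data.
    """
    cve = attack_cache.get(alert["attack_id"])
    if not cve:
        return NOT_APPLICABLE
    host_vulns = vuln_index.get(alert["dest_ip"], set())
    return RELEVANT if cve.strip().upper() in host_vulns else UNKNOWN


def mark_alerts(alerts: List[Dict[str, str]], rows=SAMPLE_REPORT_ROWS,
                attack_cache=SAMPLE_ATTACK_CACHE) -> List[Dict[str, str]]:
    """Return a copy of each alert with its Vulnerability Relevance field filled in."""
    index = build_vuln_index(rows)
    return [dict(a, vulnerability_relevance=relevance_of(a, index, attack_cache))
            for a in alerts]


# Constructed alerts as the Sensor might raise them (destination is the attacked host).
SAMPLE_ALERTS = [
    {"alert_id": "a1", "attack_id": "attack-bof-1", "src_ip": "203.0.113.9", "dest_ip": "10.1.1.5"},
    {"alert_id": "a2", "attack_id": "attack-bof-2", "src_ip": "203.0.113.9", "dest_ip": "10.1.1.7"},
    {"alert_id": "a3", "attack_id": "attack-scan-1", "src_ip": "203.0.113.9", "dest_ip": "10.1.1.5"},
    {"alert_id": "a4", "attack_id": "attack-bof-1", "src_ip": "203.0.113.9", "dest_ip": "10.9.9.9"},
]

if __name__ == "__main__":
    for a in mark_alerts(SAMPLE_ALERTS):
        print(a["alert_id"], a["dest_ip"], a["vulnerability_relevance"])
```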

You can also view the alerts sorted by Vulnerability Relevance category in the Details page. For more information, see Drilldown: Sorting alerts by categories and Drilldown: Detail view, System Status Monitoring Guide.

Marking alerts from vulnerable hosts as relevant helps the network administrator easily view and sort alerts by relative relevance.

Menu options for Relevance Analysis

To configure relevance analysis in Manager, in the Resource Tree, select Root Admin Domain > Integration > Relevance.


The following menu options are displayed:

Figure 24: Menu options for Relevance Analysis

Item | Menu option | Description
1 | Relevance | Contains the sub-menu options to configure relevance analysis settings.
2 | Summary | View the details of the relevance analysis configuration in Manager.
3 | Enable | Enable relevance analysis in Threat Analyzer.
4 | Manual Import | Manually import vulnerability scanner reports into the Manager database.
5 | Automation | Schedule automatic import of Foundstone vulnerability reports into the Manager database.
6 | Database | Configure the Foundstone database settings for relevance analysis.
7 | Scans | Add scan configurations in Manager.
8 | Troubleshooting | Contains troubleshooting options such as reloading the Foundstone cache, resetting the relevancy cache, and resubmitting database updates.

Note: The menu options explained above are mentioned as Relevance menu options throughout this document.

Configuring relevance analysis in Manager

You can configure the Relevance settings in Manager in two ways:

1 Manually navigating the configuration screens
2 Using the Relevance Configuration Wizard

Manually navigating the configuration screens

The following steps are essential for configuring Relevance settings in Manager (in the given order):

• Enabling attack relevance analysis (on page 34)
• Manual import of scan reports (on page 34)
• Automatic import of scan reports (on page 37)
• Foundstone database settings for relevance analysis (on page 38)
• Adding scan configurations for relevance analysis (on page 39)


Using the Relevance Configuration Wizard

You can also use the Relevance Configuration Wizard (on page 40) for the configuration tasks listed above.

Note: For relevance analysis of attacks, you must enable relevance analysis (on page 34) and import scan reports into Manager manually (on page 34) or automatically (on page 37).

Enabling attack relevance analysis

This is the first essential step in configuring Manager for relevance analysis.

To enable relevance analysis, do the following:

1 Select Enable from Relevance menu options (on page 32) (Selection path: Root Admin Domain > Integration > Relevance > Enable).

2 The Enable Relevance Analysis page is displayed.
3 In the Enable attack relevance analysis? option, select Yes to enable relevance analysis configuration in Manager.

Figure 25: Enabling relevance analysis in NSM

4 Click Save to save your settings. The screen is refreshed and a message confirms that the changes have been saved.

Manually importing scan reports

You can manually import scanner reports from supported scanners such as NessusWX (on page 36) or Foundstone into Manager. To import other third-party vulnerability scanner reports (such as Qualys or nCircle), you must first convert the report to the Network Security Platform format (on page 37).

Refer to the DTD included with Network Security Platform (GenVulReportFlat.dtd) when converting your XML-based format to the Network Security Platform format.

To manually import a vulnerability scanner report in Manager, do the following:


1 Select Manual Import from Relevance menu options (on page 32) (Selection path: Root Admin Domain > Integration > Relevance > Manual Import).

Figure 26: Manually importing vulnerability scanner reports to NSM

2 In Import Scan Reports Manually, select Add. The Import A Scan Report web page dialog is displayed.

Figure 27: Web dialog to import vulnerability scanner reports to NSM


3 Select a Report Type (NessusWX, Foundstone, Network Security Platform) from the drop-down list. The report can be from any of the supported scanners or formats (on page 36).
4 Type a Short Description corresponding to the selected scanner report type.
5 Click Browse... and choose a Report file. You can select a report file from the local machine.
6 To import the report into the Manager database, select the Enable on import? checkbox.
7 Click Load VA Data to import the scanner report.
8 The scanner report is imported into the Manager database and displayed in the Import Scan Reports Manually window.

Note: The imported report is stored in the Manager database in Network Security Platform format (on page 37). In the Import Scan Reports Manually window, if you select the link in the File Name field, you can view the report in Network Security Platform format in a separate window.

Supported vulnerability scanners and formats

Network Security Platform supports the following vulnerability scanner versions and report formats:

Scanners supported | Scanner version | Report format
NessusWX (on page 36) | 1.4.5x | plain text
Foundstone Enterprise (on page 37) | 5.x, 6.x (6.x indicates Foundstone 6.0 or 6.5; 5.x indicates 5.0) | XML
Third party vulnerability scanners (for example, Qualys, nCircle) | - | Network Security Platform format (on page 37)

Vulnerability reports from the above scanners can be imported into Manager, as explained earlier.

NessusWX

Nessus is an open-source vulnerability assessment scanner that follows a client/server model. The Nessus server (nessusd) only runs on UNIX, but there are Nessus clients available for both UNIX and Windows.

Network Security Platform supports the popular Windows client, NessusWX. NessusWX reports must be saved as plain text, since Network Security Platform supports only the plain text format for these reports.


McAfee Foundstone

McAfee Foundstone Enterprise is a vulnerability assessment (VA) platform for automated discovery and prioritization of system vulnerabilities and threats in an enterprise network.

Network Security Platform supports Foundstone reports in the XML format only. Foundstone XML reports include assessments sorted by hostname (Host_Data.xml) and risk (Risk_Data.xml). Network Security Platform supports both these formats.

You can manually (on page 34) or automatically import (on page 37) Foundstone scan reports to Manager.

Network Security Platform format

Customers who use third-party vulnerability scanners (for example, Qualys and nCircle) can manually import the corresponding scanner reports to Manager.

However, to import and view these scanner reports in Manager successfully, the third-party reports must be converted to an intermediate XML format as per the Document Type Definition (DTD) provided by Network Security Platform. This XML format is known as the Network Security Platform format.

Note: Refer to the DTD included with Network Security Platform (GenVulReportFlat.dtd) when converting your XML-based format to the Network Security Platform format.

Why is the Network Security Platform format used? Since there is no industry standard for the format of vulnerability assessment reports, Network Security Platform converts all imported reports into the Network Security Platform format. In this way, support for new report formats can be added without changing the way the Alert Correlation Engine works. The converted report and its metadata are stored in a table called iv_vul_record in the Manager database, which is saved as part of the standard backup and MDR synchronization processes.

Automatic report import using Scheduler

To import scanned vulnerability reports from the Foundstone database into the Manager database, you can use the Foundstone Scheduler (also known as the Scheduler) in Manager.

Note: Automatic report import using the Scheduler is possible only for Foundstone reports. For other scanners, only manual report import (on page 34) is possible.

During the automatic import process, the Scheduler invokes a stored procedure in the vulnerability database, which returns all the vulnerability data to the Manager database. The vulnerability data retrieved corresponds to the scan configuration that was used for the vulnerability assessment. Manager retrieves the relevance information based on the last import time of the Scheduler.

To configure the Foundstone Scheduler, do the following:


1 Select Automation from Relevance menu options (on page 32) (Selection path: Root Admin Domain > Integration > Relevance > Automation). The Foundstone Scheduler window is displayed.

Figure 28: Foundstone Scheduler in NSM

2 Select Yes in Automate the import process? to enable the automatic import of reports by the Scheduler.
3 To schedule the frequency of import, select Daily or Weekly in Frequency.
4 Select the start time for Scheduler operation from Start At.
5 If you want to import the vulnerability data from Foundstone immediately, select Import Now! The page is refreshed, and a message is displayed that the vulnerability data was successfully imported from the Foundstone database.
6 Click Apply to save your settings. The page is refreshed, and a message is displayed that the settings were successfully updated.

Note: The Scheduler provides two options to import vulnerability data from the Foundstone database into the Manager database: immediate import using Import Now!, and regular scheduled import on a daily or weekly basis.

Tip: For more information on the error messages, see Fault messages for Foundstone Scheduler (on page 41).

The next step is to configure the Foundstone database settings in Manager for relevance analysis.

Foundstone database settings for relevance analysis

To retrieve the relevance information from the Foundstone database, you must configure the Foundstone database settings in Manager.

The following steps are essential for configuring the Foundstone database settings:


1 Select the Database link from the Relevance menu options (on page 32) (Selection path: Root Admin Domain > Integration > Relevance > Database).
2 The Database Settings window for relevance analysis configuration is displayed.
3 The fields in the Database Settings window are similar to those for Foundstone settings configuration. For configuring the Database Settings window, see Configuring Foundstone database settings (on page 26).

The next step is to add scan configurations to Manager for relevance analysis.

Adding scan configurations for relevance analysis

Scan configurations defined in Foundstone need to be added to Manager. This is required for initiating Foundstone scans from the Threat Analyzer. When a Foundstone on-demand scan is initiated from the Threat Analyzer, the appropriate scan configuration in Manager is selected based on the host IP address and used to scan the host.

When you enable relevance analysis, Manager automatically imports the latest results for each Foundstone scan, and uses them for relevance analysis.

The following steps are essential for adding scan configurations:

1 Select the Scans link from the Relevance menu options (on page 32) (Selection path: Root Admin Domain > Integration > Relevance > Scans).
2 The Add Foundstone Scans page for relevance analysis is displayed.
3 The fields in the Add Foundstone Scans window are similar to those for Foundstone settings configuration. For details, see Adding Foundstone scan configurations to Manager (on page 29). Note that you must satisfy the important pre-requisite before adding a scan configuration to Manager.

Viewing relevance configuration details

To view the relevance configuration details in Manager, do the following:


Select Root Admin Domain > Integration > Relevance > Summary. The Relevance View Details page is displayed.

Figure 29: Viewing relevance configuration details

This page shows the details of the relevance configuration, such as whether relevance analysis is enabled or disabled, the Foundstone database settings, and the list of scan configurations added to Manager for relevance analysis.

Note that the changes saved in all the pages related to relevance configuration are reflected in the Relevance View Details page. When you click the individual links, you are redirected to the respective pages.

You can also configure relevance settings using Run Configuration Wizard in Relevance View Details. This is explained in the following section.

Using Relevance Configuration Wizard

You can use the Relevance Configuration Wizard for configuring relevance settings from Manager.


1 Select Root Admin Domain > Integration > Relevance > Summary.
2 In Relevance View Details, select Run Configuration Wizard.
3 The wizard displays the following pages in order:
• Enable (on page 34)
• Manual import (on page 34)
• Automation (on page 37)
• Database (on page 38)
• Scans (on page 39)
4 Use the Next > or < Back buttons to navigate through the pages.
5 There are five configuration steps in total. Select Finish at the end of the fifth step.
6 If the Threat Analyzer is running, restart it for the changes to take effect.

Fault messages for Foundstone Scheduler

The following table lists the fault messages associated with the Scheduler report import process:

Fault displayed | Severity | Description
Vulnerability data import from Foundstone database was successful | Informational | The vulnerability data import from the Foundstone database by the Scheduler (on page 37) was successful.
Scheduled Foundstone vulnerability data import failed | Critical | The vulnerability data import by the Scheduler from the Foundstone database has failed.

When you click the fault links, you can view the details of the fault and the possible actions for correcting it.

Figure 30: Fault detail for "Vulnerability data import successful"


Figure 31: Fault detail for "Scheduled vulnerability data import failed"

Troubleshooting options

The following troubleshooting options are available for the Network Security Platform-Foundstone integration and relevance analysis:

• Reloading the Foundstone cache (on page 43): if the added scan configurations are suspected to be missing from Manager.
• Resetting the relevancy cache (on page 43): if you wish to reload the data in the Manager relevancy cache that is presently used by Manager for relevance analysis.
• Updating the Foundstone database again (on page 43): if you suspect that the Foundstone database has not been updated with the tables and stored procedures required for importing information from the Foundstone database into the Manager database.

To access the Troubleshooting options in Manager:

• Select Root Admin Domain > Integration > Foundstone > Troubleshooting, or
• Select Root Admin Domain > Integration > Relevance > Troubleshooting

Figure 32: Troubleshooting options for Network Security Platform-Foundstone integration


Reloading Foundstone cache

The Reload Cache tab helps you load the Foundstone web cache in Manager with the most recent scan configurations retrieved from Foundstone.

To reload the Foundstone cache in Manager, do the following:

1 Make sure that you have enabled the Foundstone configuration and added the scan configurations to Manager.
2 You can access the Cache page in two ways:
• From Foundstone configuration settings: select Root Admin Domain > Integration > Foundstone > Troubleshooting
• From Relevance settings: select Root Admin Domain > Integration > Relevance > Troubleshooting
3 Select Reload Scan Cache to update the vulnerability web cache in Manager with the latest scan configurations from Foundstone. A message is displayed that the reload is successful.

The Reload Scan Cache button is not visible in the Troubleshooting link for the reasons listed in the following table.

# | Reason | Solution
1 | Foundstone configuration is disabled | Enable Foundstone configuration (on page 25)
2 | Foundstone scan configurations are not added to Manager | Add scan configurations to Manager (on page 29)

Resetting relevancy cache

If you want to update the relevancy cache in Manager, reset the cache from the troubleshooting options.

The following steps are essential for resetting the relevancy cache:

1 Select Root Admin Domain > Integration > Relevance > Troubleshooting.
2 Select Reset Relevancy Cache. A message is displayed that the relevancy cache was successfully reloaded.

Resubmitting database updates

When the Foundstone database settings (on page 26) are configured, Manager automatically updates the Foundstone database with the tables and stored procedures required to retrieve relevance information from the database.

If you find that the database has not been properly updated with the required tables and stored procedures, you can resubmit the updates to the Foundstone database from Manager. To do so, select Root Admin Domain > Integration > Foundstone > Troubleshooting or Root Admin Domain > Integration > Relevance > Troubleshooting.

Select Resubmit Database Updates to resubmit the updates to the Foundstone database.


Support for Foundstone custom certificates

To use Foundstone custom certificates, run the Foundstone Certificate Management (FCM) tool, which generates the custom client certificates. Third-party SOAP clients can use the custom client certificates for SSL client authentication with the FoundScan engine.

Note: For more information about FCM tool installation and importing custom certificates into the Java keystore, refer to the FSCustomCerts-Readme.txt file in the following path on the Manager server: //Network Security Platform/config/fscerts/

For more information about creating custom client certificates using the FCM tool, see Working with SSL certificates, Foundstone Configuration Manager Guide.

Requesting a Foundstone scan from Threat Analyzer

The on-demand scan functionality lets you scan hosts using Foundstone, based on the source or destination IP addresses of alerts, in the Real-time and Historical Threat Analyzers.

When you request a Foundstone on-demand scan, the selected host IP address is passed from the Threat Analyzer to the Manager web tier, which connects to and establishes trust with the FoundScan engine. This initiates the scan of the requested host IP address.

Note: On average, the FoundScan engine takes 4 minutes to scan a host for vulnerabilities.

The FoundScan engine scans the host and returns the vulnerability assessment data to Manager in a SOAP/SSL response. The vulnerability data is processed and stored in the McAfee® Network Security Manager (Manager) database. This data is also updated in the cache maintained in the Threat Analyzer client.

To request an on-demand scan from Threat Analyzer, you must configure the Foundstone settings in the Manager client interface. For more information, see Configuring Foundstone settings in Manager.


On-demand scan from Threat Analyzer

You can request a Foundstone on-demand scan on individual alerts from the Detail menu in Threat Analyzer. Right-click the alert, and select Foundstone > Scan Source IP or Foundstone > Scan Destination IP.

Figure 33: Foundstone On-Demand Scan From Threat Analyzer

Source IP is the IP address of the machine suspected of generating the attack on your network. The Source IP can be a machine outside or within your network. Select Scan Source IP to scan the machine suspected of attacking other machines in your network.

Destination IP is the IP address of the machine suspected of being attacked by another machine in the network. Select Scan Destination IP to scan the machine suspected of being infected by the attack.

Note: Network Security Platform-Foundstone integration supports scanning of IPv4 host addresses only.

When you select either option (Scan Source IP or Scan Destination IP), a pop-up dialog is displayed stating that the scan request has been submitted. Details of the host IP address and the scan configuration used to scan the IP are also displayed in the pop-up.

Figure 34: Message pop-up after a Foundstone on-demand scan is submitted in the Threat Analyzer


If you want to view the scan results, select Yes. You are redirected to the Host Forensics page.

If the IP address does not fall within any of the defined scan configurations, a pop-up message is displayed stating that the default scan configuration (defined in Manager) will be used to scan this IP.

Figure 35: Pop-up message displayed, when the IP address does not fall in the range of defined scan configurations

Here again, if you want to view the scan results, select Yes, and you are redirected to the Host Forensics page.

For more information on Foundstone on-demand scan, see the section, On-demand scan of hosts (on page 52).

Viewing Foundstone scans

The Host Forensics page in Threat Analyzer indicates the progress of the Foundstone scans requested from the Threat Analyzer.

To view the list of all Foundstone scan processes, select Host Forensics from the Threat Analyzer. The list is displayed under Summary > Foundstone Host Information, as shown below.

Figure 36: Foundstone Host Information window showing the scan progress

The following information is displayed in the Foundstone Host Information section:


Field Name | Description
Target IP | The IP address of the host that is scanned
Scan start time | Starting time of the Foundstone scan
Status | Shows the completion status of the Foundstone scan. Depending on the progress of the scan, the Status field displays one of the values in the following table.

Status | Description
Queued | The requested Foundstone scan is queued.
%n Complete | The percentage of completion of the scan, where n ranges from 0 to 100.
Retrieved | The Foundstone scan is complete, and the host vulnerability information is available for viewing.
Failed | The Foundstone scan has failed.
Scan TimedOut | If a scan takes more than 30 minutes, Manager cancels the scan by setting the status to Scan TimedOut.

Note: The Foundstone scan results displayed in the Status field are stored in a cache. When Manager is restarted, the scan results are no longer shown in the Status field. If you want to view the scan results for the same host, you must scan the host again from the Host Forensics page.

Foundstone scan option

You can also scan a host by entering the host IP address in the Scan field in the Foundstone Host Information section and then selecting the Scan button, as shown below.

Figure 37: Scan option in Foundstone Host Information page

Note that the Scan button is enabled only when you have entered the complete IP address.


To see the detailed scan result for a host that was scanned, select the required scan and right-click it.

Figure 38: Option to view the details of the Foundstone on-demand scan

Select the Show Details option. The message that pops up depends on two conditions:

• If the scan is in progress, a pop-up is displayed in the same screen with the percentage of completion (a value between 0 and 100).

Figure 39: Scan status for Foundstone scan -in-progress

• If the scan is complete and the status is Retrieved, right-click the scan and select Show Details; a new Vulnerability Information window is displayed next to the Summary tab. The Vulnerability Information window displays details such as the total number of vulnerabilities found, the scan configuration used for the on-demand scan, and details of the vulnerabilities identified on the host.


By default, the vulnerabilities are sorted by severity and displayed in a tabular format. Each row in the table contains additional vulnerability details such as severity, vulnerability name, vulnerability description, recommendation details listing the steps or patches that need to be applied for the identified vulnerability, CVE ID, and IAVA (Information Assurance Vulnerability Alert) reference number.

Figure 40: Vulnerability Information page

Note: For a scanned host, the actual information in the Vulnerability Information page (such as target IP, CVE or BugTraq ID) is stored in the Manager database. However, the information is not stored in the display format of the Vulnerability Information page, so when you restart Manager this information is no longer shown there. In the Vulnerability Information window, when you click the CVE ID link for a vulnerability, you are redirected to the CVE page (http://cve.mitre.org), as shown below.

Figure 41: Re-direction to http://cve.mitre.org/ from Vulnerability Information page


Tip: You can also double-click any scan in the Foundstone Host Information page to open the Vulnerability Information window described above.

Rescanning the host

You can rescan a host that was scanned by Foundstone earlier. Right-click the scan in the Foundstone Host Information page and select Rescan.

Figure 42: Option to initiate rescan of the host IP

The host is scanned once again by Foundstone, and the vulnerability information is retrieved and displayed as before.

Concurrent scans

Threat Analyzer supports concurrent Foundstone scans. You can define the number of concurrent scans in the ems.properties file in the path //<local drive>/Network Security Platform/config.

By default, the maximum pool size (maxpoolsize) for concurrent scans is set to three in the ems.properties file, as shown below.

iv.fs.threadpool.maxpoolsize=3

Note: maxpoolsize is the total number of threads available in the ThreadPool. (The ThreadPool is a component that manages a pool of threads and executes tasks asynchronously.)

If the number of scan requests exceeds maxpoolsize, the excess requests are queued and processed as threads in the pool become free.

Note: It is recommended to run three concurrent Foundstone scans from Manager, for optimal results.

For network scenario on concurrent scans, see Concurrent scan of hosts (on page 53).

Fault messages for Foundstone on-demand scan

The following table shows the fault messages associated with Foundstone on-demand scan:

50


Fault displayed: On-demand scan failed because connection was refused to FoundScan engine

Severity: Critical

Description: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.

For more information on using Fully Qualified Domain Name, see Foundstone Installation.

You can view the faults from the Operational Status menu in Manager.

When you click on the fault link, you can view the details of the fault and the possible actions to be taken to correct the fault. The fault detail for "on-demand scan failed" is shown below.

Figure 43: Fault Detail Page

Foundstone scan from Hosts page

From the Hosts page, you can request a Foundstone scan.

To request a Foundstone scan from the Hosts page:

51


1 From the Threat Analyzer, select Hosts. Right-click an entry.

2 To initiate an on-demand scan of the selected IP address, select Start Foundstone Scan.

Figure 44: Foundstone scan from Hosts page

If the IP address does not fall within any of the scans defined in Manager, a pop-up message informs you that the default scan configuration (defined in Manager) will be used to scan the IP address.

3 In the pop-up message, select Yes if you want to view the scan results. You are re-directed to the Host Forensics page.

Network scenarios for Foundstone scan

In this section, you can find network scenarios related to:

• On-demand scan of hosts
• Concurrent scan of hosts

On-demand scan of hosts

While reviewing the alerts in the Real-time or Historical Threat Analyzer, assume that you want to:

• view the current status of a particular host listed in the alerts
• scan that host using Foundstone, from the Threat Analyzer
• know the relevance of the scanned alert/event

This is possible through the on-demand scan functionality in the Threat Analyzer for individual alerts.

You can request a Foundstone scan from the Threat Analyzer by selecting either the Source IP address or the Destination IP address of the host to be scanned. The status of the scan, and whether the scan is relevant, is displayed in the Threat Analyzer.

The Threat Analyzer retains information for up to N scans (N is 100 by default).

52


Concurrent scan of hosts

The following section explains why you need to define a scan configuration in Manager for concurrent on-demand scans.

Scenario: Assume that you want on-demand scans of three host IP addresses from Manager, that these IP addresses do not fall within the IP ranges specified by any of the scan configurations defined in Manager, and that you have not defined any scan configuration in Manager.

Scan process when no scan configuration is defined: When you request multiple on-demand scans, Foundstone executes all of them with the default scan configuration and under the same name, QuickScan_<User Name>, because the user name you used to log in to Foundstone is associated with all three scan names. Since the three scans share one name, only one of the three concurrent scans completes successfully: the FoundScan engine does not permit concurrent scans with the same scan name.

The same behavior occurs if multiple on-demand scans are executed from the Threat Analyzer. All scans executed from the Threat Analyzer have the same name, QuickScan_<User Name>. For example, if you logged in to Foundstone as admin, the scan configuration name for all three hosts is QuickScan_admin.

In the scenario described above, when you initiate three concurrent on-demand scans without any scan configuration defined in Manager, the FoundScan engine uses its default scan configuration with the default scan name QuickScan_<User Name>. All three scans have the same name, for the reason given earlier: the first scan executes successfully, and the remaining two fail with a concurrent task exception. Therefore, with the FoundScan default scan configuration settings, you cannot run concurrent on-demand scans from the Threat Analyzer.

Recommended solution: For concurrent scans, define at least one scan configuration in the FoundScan engine and add it to Manager. This scan configuration is used as the default. If more than one scan configuration is defined in Manager, you can change the default scan settings.

Note: For more information on setting the default scan, see Adding Foundstone scan configurations (on page 29).

When you have defined the default scan configuration in both Manager and Foundstone, and concurrent on-demand scans are requested, Manager uses the scan configuration ID to set a unique scan name for each host that is scanned.

Manager creates scan names in the format Network Security Platform_<Actual Scan Name>_Thread-N, where N = 1, 2, 3, and so on. Each scan name is therefore different; for example, Network Security Platform_<Actual Scan Name>_Thread-1, Network Security Platform_<Actual Scan Name>_Thread-2, and Network Security Platform_<Actual Scan Name>_Thread-3. As a result, all the concurrent scans complete successfully.

53


When any scan in the execution pool completes, the next scan request waiting in the queue is moved into the execution pool. Scan requests are executed in First In, First Out (FIFO) order.

Note 1: Threads are created in Manager according to the thread pool size. If the thread pool size is 3, three worker threads (Thread-1, Thread-2, and Thread-3) are created in the pool to service scan requests. If more than 3 concurrent scan requests are sent to the FoundScan engine, only 3 scans execute in the engine at a time, and the remaining scan requests are queued.

Note 2: Before adding a newly defined scan configuration to Manager, run it at least once in the FoundScan engine. Each scan configuration defined in Foundstone is associated with a FoundScan engine: when you run the scan configuration for the first time on the Foundstone side, the FoundScan engine in which it executes becomes associated with that scan configuration. This step is essential for successfully adding the scan configuration to Manager.
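The behaviour described in Concurrent scans (maxpoolsize worker threads servicing a FIFO queue) and in the scenario above (scans that share the name QuickScan_<User Name> collide, scans named per worker thread do not) can be modelled in a few dozen lines. The following Python is an added illustration, not McAfee code: SimulatedFoundScanEngine stands in for the FoundScan engine and only reproduces its refusal to run two scans with the same name at once, ScanDispatcher stands in for the Manager's thread pool, the host addresses are constructed, and the scan configuration name WebServers is a placeholder.

```python
import queue
import threading
import time


class ConcurrentTaskError(Exception):
    """Raised by the simulated engine when a scan with the same name is already running."""


class SimulatedFoundScanEngine:
    """Constructed stand-in for the FoundScan engine (not McAfee code). It refuses to
    run two scans that carry the same scan name at the same time, which is the
    behaviour the guide describes for concurrent on-demand scans."""

    def __init__(self):
        self._running = set()
        self._lock = threading.Lock()

    def run_scan(self, scan_name, host, duration=0.3):
        with self._lock:
            if scan_name in self._running:
                raise ConcurrentTaskError(f"scan '{scan_name}' is already running")
            self._running.add(scan_name)
        try:
            time.sleep(duration)  # stands in for the time the real scan of `host` takes
            return {"scan_name": scan_name, "host": host, "status": "completed"}
        finally:
            with self._lock:
                self._running.discard(scan_name)


class ScanDispatcher:
    """Constructed model of the Manager's thread pool (iv.fs.threadpool.maxpoolsize):
    `maxpoolsize` worker threads named Thread-1 .. Thread-N take scan requests from a
    FIFO queue; requests beyond the pool size wait in the queue until a thread is free."""

    def __init__(self, engine, maxpoolsize=3, scan_config=None, user="admin"):
        self.engine = engine
        self.scan_config = scan_config  # None models "no scan configuration defined in Manager"
        self.user = user
        self.requests = queue.Queue()
        self.results = []
        self._results_lock = threading.Lock()
        self.workers = [threading.Thread(target=self._worker, name=f"Thread-{i}")
                        for i in range(1, maxpoolsize + 1)]

    def scan_name_for(self, worker_name):
        if self.scan_config is None:
            # FoundScan default: every on-demand scan is called QuickScan_<User Name>
            return f"QuickScan_{self.user}"
        # With a scan configuration added to Manager, the name is unique per worker thread
        return f"Network Security Platform_{self.scan_config}_{worker_name}"

    def _worker(self):
        scan_name = self.scan_name_for(threading.current_thread().name)
        while True:
            host = self.requests.get()
            if host is None:  # sentinel: no more requests, shut this worker down
                break
            try:
                result = self.engine.run_scan(scan_name, host)
            except ConcurrentTaskError as exc:
                result = {"scan_name": scan_name, "host": host, "status": f"failed: {exc}"}
            with self._results_lock:
                self.results.append(result)

    def run(self, hosts):
        for worker in self.workers:
            worker.start()
        for host in hosts:          # queued in request order (FIFO)
            self.requests.put(host)
        for _ in self.workers:      # one sentinel per worker
            self.requests.put(None)
        for worker in self.workers:
            worker.join()
        return self.results


def run_scenario(scan_config, hosts=("10.0.0.11", "10.0.0.12", "10.0.0.13"), maxpoolsize=3):
    """Dispatch on-demand scans of `hosts` (constructed sample addresses) and return the results."""
    dispatcher = ScanDispatcher(SimulatedFoundScanEngine(), maxpoolsize, scan_config)
    return dispatcher.run(list(hosts))


def completed_count(results):
    return sum(1 for r in results if r["status"] == "completed")


if __name__ == "__main__":
    for config in (None, "WebServers"):
        for r in run_scenario(config):
            print(config, r["host"], r["scan_name"], r["status"])
```

Running the block prints one line per scan: with no scan configuration only one of the three scans completes and the other two fail with the simulated concurrent task exception, while with the WebServers configuration all three complete under distinct Thread-N names. Queuing five hosts against the pool of three shows the FIFO behaviour from Note 1: the fourth and fifth requests wait until a worker is free and then succeed, because the worker's previous scan of the same name has already finished.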

54


CHAPTER 4

Integration with McAfee NAC

Using the McAfee® Network Security Sensor (Sensor) you can enforce network access control (NAC) based on system health, user identity, or both. For system-health-based NAC, the Sensors depend on McAfee Network Access Control (McAfee NAC) for posture assessment. The Sensors send the details to the McAfee NAC server when they detect a new host on the network. Then McAfee NAC and McAfee® Network Security Platform collaborate to enforce NAC for the hosts.

Post-admission to the network, there could be hosts generating unwanted traffic. If you have configured IPS Quarantine, then the Sensor can quarantine and enforce remediation. In addition, it can also notify the McAfee NAC server about the offending hosts so that you can use McAfee NAC to enforce quarantine and remediation. This extends the role of McAfee NAC into post-admission control as well.

For such collaboration between McAfee Network Security Platform and McAfee NAC, the Sensors and the McAfee NAC server should be able to communicate with each other.

Note: Network Security Platform - McAfee NAC integration means enabling trusted communication between a Sensor and the ePO server on which McAfee NAC is installed.

McAfee NAC and Network Security Platform enforce NAC depending on how you have configured them. This document deals only with the configuration required to make the Sensors and McAfee NAC communicate with each other.

For information on how to configure NAC in Network Security Platform, see the NAC Configuration Guide.

For information on how to quarantine and remediate attacking hosts using Network Security Platform, see the IPS Configuration Guide.

For information on how to configure NAC in McAfee NAC, see the latest McAfee NAC documentation.

This chapter assumes that you have successfully installed Network Security Platform and McAfee NAC, and that you are familiar with both the products.

How hosts are classified

Managed hosts

As per Network Security Platform, a managed host is one that has the McAfee NAC Client installed and operating properly. The McAfee NAC Client is the agent that scans the host for posture assessment and reports its findings to the McAfee NAC server. For more information, refer to the latest NAC Configuration Guide.

55


McAfee® Network Security Platform 5.1 Integration with McAfee NAC

Unmanaged hosts

An unmanaged host is one that has the McAfee NAC Guest Client instead of the McAfee NAC Client. When hosts without the McAfee NAC Client are detected on the network, they can be redirected to a portal from where they can download and install the McAfee NAC Guest Client.

Unmanageable hosts

An unmanageable host is one that does not meet the installation or operating requirements for using the McAfee NAC Client or the McAfee NAC Guest Client; for example, a host running an operating system not supported by McAfee NAC.

For the installation and operating requirements of the McAfee NAC Client and Guest Client, refer to the latest McAfee NAC documentation.

How this integration worked in Network Security Platform 4.1

If you had integrated Network Security Platform 4.1 and McAfee NAC earlier, note the following:

• Network Security Platform 5.1 integrates only with McAfee NAC 3.0 and ePO 4.0. See Supported versions (on page 57).

• After you upgrade, if you want McAfee NAC notification to work as in 4.1, you need to do the following:

Purchase a NAC license. If you do not have one, contact McAfee Support with the serial number of the Sensors that you want to integrate with the McAfee NAC server. You need a NAC license to configure the ePO server settings and establish trust between a Sensor and the McAfee NAC server.

Reconfigure the ePO server settings (on page 58) and establish trust (on page 59) between the Sensors and the McAfee NAC server. The trust established in 4.1 is lost after the upgrade, and you need to re-establish it.

Enable a NAC feature at the port level. The NAC feature can be Standard NAC, DHCP NAC, IBAC, or Standard plus IBAC. See the NAC Configuration Guide.

Note: In Network Security Platform 4.1, you could configure McAfee NAC notification per port. Currently, this notification at the port level is enabled by default if you configure any NAC feature at the port level.

• Unlike in 4.1, McAfee NAC notification works even if there are layer 3 devices between the corresponding Sensor port and the attacking hosts.

• In Network Security Platform 5.1, NAC features are available only for ports deployed in in-line mode. Therefore, McAfee NAC Notification is available only for in-line ports unlike in 4.1, where it was available for in-line, SPAN, and Tap ports.

• IPv6 traffic is not supported for this integration. That is, a Sensor does not contact the McAfee NAC server regarding an IPv6 host.

56


Integration requirements

This section discusses the details that you would need to enable communication between a Sensor and the McAfee NAC server.

Supported versions

For a successful integration, you should have installed the following in your network:

Product                                       Minimum version supported
McAfee® Network Security Manager (Manager)    5.1.1.5
Sensor Software                               5.1.1.16
ePO                                           4.0.0.1113.9 (requires 4.0 base installation)
Rogue System Detector                         2.0.0.405.2
McAfee NAC                                    3.0.0.585.3

Note: You should install Rogue System Detector and then McAfee NAC.

Important: You can integrate Network Security Platform with the McAfee NAC-ePO integrated server or with a stand-alone McAfee NAC server. However, if you are to use your Windows logon credentials for logging on to the ePO server, then you can only integrate with the McAfee NAC-ePO integrated server.

Required ePO/McAfee NAC details

This section discusses the McAfee NAC details that you would need when you configure the integration.

ePO Server IP Address: You need to specify the IP address of the ePO server on which McAfee NAC is installed.


Sensor-to-Server Install Port: The port number that a Sensor uses when it establishes trust with the McAfee NAC (ePO) server. Valid port numbers are 1 through 65535; the default is 8443. Contact your McAfee NAC server administrator for more information.

Sensor-to-Server Communications Port: The port number that you want a Sensor to use for its trusted communication with the McAfee NAC server. The default port number is 8444. Contact your McAfee NAC server administrator for more information.

57


Server-to-Sensor Communications Port: The port on the Sensor on which it listens for asynchronous messages from McAfee NAC Server. The default port number is 8445.

Agent GUID Port: The port number that you want a Sensor to use for its communication with the McAfee NAC Client or the Guest Client installed on a host. The default value is 8444.

ePO user name and password: An ePO user name and password with administrator privileges. Sensors need these credentials to establish trust with the ePO/McAfee NAC server.

McAfee NAC Server Root Certificate: This is the self-signed electronic certificate that comes as part of your McAfee NAC installation. Store this certificate file at a location from where you can access it. You need to import it into the Manager, and the Manager will then push it to the Sensor automatically. This certificate is needed only if you want the Sensor to authenticate the McAfee NAC server.

Note: You can find this certificate (root.pem) in the ePO install directory. By default it is stored at \Server\extensions\installed\NAC\<McAfee NAC Version>\keystore.

For configurations required on the McAfee NAC side, see the latest version of NAC Configuration Guide.
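A pre-flight check of the details listed above, as an added example that is not part of this guide or of the McAfee product: given the ePO server IP, the Sensor-to-Server install and communications ports and, optionally, the path to root.pem, it validates the port range the guide states (1 through 65535), confirms each port accepts a TCP connection, and checks that the certificate file loads as a CA trust anchor before you click Establish Trust. EpoSettings, preflight and demo_local_preflight are constructed names; the loopback listener in the demo stands in for the ePO server, which is not contacted.

```python
import os
import socket
import ssl
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Default port numbers as listed in the guide.
DEFAULT_INSTALL_PORT = 8443   # Sensor-to-Server Install Port
DEFAULT_COMMS_PORT = 8444     # Sensor-to-Server Communications Port


@dataclass
class EpoSettings:
    """The ePO/McAfee NAC details the Manager asks for (constructed container, not a McAfee API)."""
    server_ip: str
    install_port: int = DEFAULT_INSTALL_PORT
    comms_port: int = DEFAULT_COMMS_PORT
    root_cert_path: Optional[str] = None  # root.pem, only needed if the Sensor must authenticate the server


def valid_port(port) -> bool:
    """The guide allows port numbers from 1 through 65535."""
    return isinstance(port, int) and 1 <= port <= 65535


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port opens within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def load_root_certificate(path: str) -> list:
    """Load root.pem as a trust anchor and return the CA certificates it contains.
    Raises ssl.SSLError if the file is not a PEM certificate, OSError if it is missing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def preflight(settings: EpoSettings, timeout: float = 3.0) -> List[str]:
    """Return the problems found with `settings`; an empty list means the checks passed."""
    problems = []
    for label, port in (("install port", settings.install_port),
                        ("communications port", settings.comms_port)):
        if not valid_port(port):
            problems.append(f"{label} {port!r} is outside the range 1-65535")
        elif not tcp_reachable(settings.server_ip, port, timeout):
            problems.append(f"{label} {port} on {settings.server_ip} is not reachable")
    if settings.root_cert_path is not None:
        try:
            cas = load_root_certificate(settings.root_cert_path)
        except (OSError, ssl.SSLError) as exc:
            problems.append(f"root certificate {settings.root_cert_path}: {exc}")
        else:
            if not cas:
                problems.append(f"root certificate {settings.root_cert_path} contains no CA certificate")
    return problems


def demo_local_preflight():
    """Run preflight against a constructed stand-in for the ePO server: a plain TCP
    listener on the loopback address, plus a file that is not a certificate."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    bad_cert = tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False)
    bad_cert.write("this is not a certificate\n")
    bad_cert.close()
    try:
        good = preflight(EpoSettings("127.0.0.1", install_port=port, comms_port=port))
        bad = preflight(EpoSettings("127.0.0.1", install_port=port, comms_port=70000,
                                    root_cert_path=bad_cert.name))
    finally:
        listener.close()
        os.unlink(bad_cert.name)
    return good, bad


if __name__ == "__main__":
    good, bad = demo_local_preflight()
    print("reachable server, no certificate:", good or "no problems")
    print("bad port and bad certificate:", bad)
```

Against a real deployment you would call preflight with the ePO server IP and the root.pem path from the keystore directory noted above; the Server-to-Sensor port (8445) is not checked here because it is opened on the Sensor, not on the server. The certificate check only confirms that the file parses as a CA certificate; whether it is the right one for your McAfee NAC server is something the Establish Trust step decides.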

Integrating a Sensor and the McAfee NAC server

Integrating a Sensor and the McAfee NAC server enables the Sensor to communicate with the McAfee NAC/ePO server as well as the McAfee NAC Clients and Guest Clients installed on the hosts on your network.

Before you begin to configure ePO server settings, make sure you meet the requirements mentioned in Integration requirements (on page 57).

For the integration to work, you need to complete the following three steps:

1 Enter the details of the ePO server in the Manager for an admin domain. The details include the ePO IP, port numbers for communication etc. See Configuration at the Admin Domain Level (on page 58).

2 Establish a trust between the ePO server and Sensors in the admin domain. See Establishing trust between a Sensor and McAfee NAC/ePO server (on page 59).

3 Enable NAC (DHCP or Standard) at the port level. For the details, see the NAC Configuration Guide.

Configuration at the admin domain level

At the admin-domain level, you can view and edit the ePO server settings. If it is a child admin domain, you can inherit the parent admin domain's configuration or have a different configuration.

To configure ePO server settings:

58


1 From the Resource Tree, go to Admin-Domain-Name > System Health > McAfee NAC.

2 In System Health Policies, configure the System Health Policies for managed and unmanaged hosts from the respective links.

3 Specify the ePO Server Settings and click Save. For a detailed description of the fields in this page, see Required ePO/McAfee NAC details (on page 57).

Note: From the ePO Server Settings page, you can log on to ePO to manage the Managed System Health Policies or the Unmanaged System Health Policy. These policies are required if you are using the system-health-based NAC features in Network Security Platform.

If you edit the ePO server settings at the admin domain level after establishing trust, a warning message is displayed in the Operational Status page for the corresponding Sensors, and you need to re-establish the trust.

To view the warning details, click on the n/n link in the Warning column of the Operational Status page. For information on how to access and use the Operational Status page, see the System Status Monitoring Guide.

Establishing trust between a Sensor and McAfee NAC/ePO server

To establish trust between a Sensor and McAfee NAC/ePO server:

1 From the Resource Tree, go to Admin-Domain-Name > NAC Settings > Sensor-Name > NAC Sensor > McAfee NAC.

Note: In System Health Policies, configure the System Health Policies for managed and unmanaged hosts from the respective links.

2 Click Install McAfee NAC. If the Sensor is not active, this button is not available.

3 Verify the ePO Server settings. To modify these settings, click the Configure link to go to the ePO Server Settings page.

4 Enter the ePO user name and password.

5 Select Require McAfee NAC Server Root Certificate? if you want to push the McAfee NAC server root certificate to the Sensor for it to authenticate the McAfee NAC server. If you select this, complete step 6; otherwise go to step 7.

6 McAfee NAC Server Root Certificate Status indicates if the certificate is already present in the Sensor. To push the root certificate to the Sensor, enter the path for the root certificate file or browse for it and click Import. To remove an existing certificate from the Sensor, click Remove Certificate.

7 Click Establish Trust.

After you establish trust between a Sensor and the ePO server, you can use the following Sensor CLI commands for verification:

• Show: You can use this command to view the ePO configuration details for a particular Sensor. This helps you to make sure that the ePO configuration details are present in the Sensor.

• Status: You can use this command to check if trust has been established and also whether McAfee NAC root certificate is present in the Sensor.

For information on how to use Sensor CLI commands, see the Sensor CLI Guide.

59


Note:

• When you upgrade McAfee NAC, first uninstall the trust, upgrade McAfee NAC, and then re-establish the trust.

• If a new Client Identification Request Setup is generated in McAfee NAC, you need to re-establish the trust. The Client Identification Request Setup is the shared key used to validate communication between the Sensors, the McAfee NAC server, and the McAfee NAC Clients. For more information on this key, see the latest McAfee NAC documentation.

• If your Sensors are in a failover pair, both Sensors must have a valid NAC license. Also, you must install McAfee NAC for each member Sensor separately. The McAfee NAC settings of the primary Sensor apply to the secondary as well.

If a Sensor is not able to communicate with the McAfee NAC server, it could be because of:

• SSL connection error
• HTTP response error
• The ePO server IP is incorrect
• The ePO logon credentials are incorrect
• An error occurred at the McAfee NAC server when processing the notification forwarded to it by the Sensor
• The connection between the Sensor and the McAfee NAC server timed out

To uninstall the communication between a Sensor and the McAfee NAC server:

1 From the Resource Tree, go to Admin-Domain-Name > NAC Settings > Sensor-Name > NAC Sensor > McAfee NAC.

2 Click Uninstall McAfee NAC.

Important: After you establish the trust, you must enable NAC (System Health based NAC, IBAC, or IBAC with System Health based NAC) at the port level before the Sensor will notify McAfee NAC about hosts generating attacks. See the NAC Configuration Guide.

Viewing McAfee NAC-related details

This section discusses how to use the Operational Status page and the Network Security Platform reports to view the integration details.

Note: This section covers only viewing the integration details in the Manager. For information on how to view details regarding IPS Quarantine or NAC, see the corresponding sections.

60


Viewing McAfee NAC-related Operational Status messages

After you establish trust, if a Sensor is unable to communicate with the McAfee NAC server, it sends a fault message of severity Critical to the Manager. The Condition Type field in the Fault Detail page displays the reason for the communication failure.

Condition Type            Description
Connect Error/Timeout     The McAfee NAC server is not reachable and the communication timed out.
SSL Error                 An SSL protocol error occurred.
McAfee NAC Server Error   There was an error at the McAfee NAC server when it was processing the alert forwarded by the Sensor.
HTTP Response Error       There was an error in the HTTP response from the McAfee NAC server.
URI Incorrect             The HTTP POST URI is incorrect.
ReinstallOnUpdate         The ePO server settings have been updated after trust was established. You need to re-establish trust.

When the fault is rectified, the fault message is cleared in the Operational Status page.

Viewing McAfee NAC details using Manager reports

This section discusses the reports that display McAfee NAC-related details.

NAC Admin Configuration report

You can use the NAC Admin Configuration Report to view the McAfee NAC configuration details for a selected admin domain. The following are the McAfee NAC-related details displayed in the NAC Admin Configuration report:

• ePO Server IP address
• Sensor-to-Server Install Port
• Sensor-to-Server Communications Port
• Server-to-Sensor Communications Port

For information on these fields, see Required ePO/McAfee NAC details (on page 57).

61


For more information on the NAC Admin Configuration report and how to generate it, see the Reports Guide.

NAC Sensor Configuration report

Using the NAC Sensor Configuration Report, you can see if the trust is established with the ePO/McAfee NAC server as well as the ePO server IP.

For more information on reports, see the Reports Guide.

62


Index

A
admin domain level .......... 59
Anonymous SSL Port .......... 57

B
BugTraq ID .......... 20

C
custom client certificates .......... 44

E
ePO Console .......... 12
ePO Integration .......... 1
    ePO database .......... 1
    managed hosts .......... 5, 9

F
Foundstone installation .......... 22
Foundstone Integration .......... 20
    attack relevance analysis .......... 34
    automatic import .......... 37
    concurrent scans .......... 53
    correlation of alerts .......... 20
    CVE ID .......... 20, 44
    Database Settings .......... 26
    database updates .......... 43
    Foundstone Configuration .......... 32
    Foundstone Configuration Wizard .......... 32
    Foundstone scan .......... 44
    Foundstone Scheduler .......... 37
    Import Frequency .......... 37
    Installing Foundstone .......... 22
    IntruShield attack definition module .......... 20
    IntruShield-Foundstone integration .......... 20
    manual import .......... 34
    menu options .......... 23, 32
    On-demand scan .......... 44, 53
    Organization Name .......... 29
    Relevance Analysis .......... 32, 33, 34, 37, 38, 39
    Relevance Configuration Wizard .......... 40
    relevancy cache .......... 43
    reloading Foundstone cache .......... 43
    report format .......... 36
    Risk level .......... 44
    Scan Configuration .......... 29
    Scan Destination IP .......... 44
    Scan Engine Settings .......... 28
    Scan Name .......... 29
    Scan Source IP .......... 44
    scanner versions .......... 36
    Scheduler Operation Time .......... 37
    SSL Type .......... 26
    Test Connection .......... 26
    troubleshooting options .......... 42, 43
    View Scheduler Detail .......... 37
    Vulnerability assessment .......... 20
    Vulnerability Cache .......... 20
    Vulnerability reports .......... 37

H
Host Forensics .......... 5

M
managed hosts .......... 11
Managed hosts .......... 11
McAfee NAC
    Anonymous SSL Port .......... 57
    at Sensor level .......... 59
    in reports .......... 62
    Server IP Address .......... 57
    trusted SSL port .......... 57

N
Network Security Platform format .......... 34, 36, 37

R
root certificate .......... 57

S
sensor level .......... 59
Server IP Address .......... 57
supported vulnerability scanners .......... 36, 37

T
trusted SSL port .......... 57

U
Unmanaged hosts .......... 13