revision 4.0
COPYRIGHT
Copyright 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
License Attributions
This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. 
and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Contents
Preface .... iv
  Introducing McAfee Network Security Platform .... iv
  About this guide .... iv
  Audience .... v
  Conventions used in this guide .... v
  Related documentation .... vi
  Contacting Technical Support .... vii
Index .... 45
Preface
This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
About this guide
The following are some of the tasks discussed in this guide:
Managing the root and child admin domains in your Network Security Platform installation.
Managing the Alert Filters for an admin domain.
Managing alert and fault notification setup for an admin domain.
Managing the users in an admin domain.
Configuring TACACS+ servers for the McAfee Network Security Sensors [formerly McAfee IntruShield Sensors] in an admin domain.
Managing NMS users and IP addresses for the McAfee Network Security Sensors (Sensors) in an admin domain.
This guide explains how to perform the above-mentioned tasks using the Configuration page of McAfee Network Security Manager (Manager). For a detailed description of the Configuration page and information on how to use this page, see the Manager Configuration Basics Guide.
Audience
This guide is intended for use by network technicians and maintenance personnel responsible for installing, configuring, and maintaining Manager and Sensors, who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.
Conventions used in this guide
Convention | Example
Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font. | The Service field on the Properties tab specifies the name of the requested service.
Menu or action group selections are indicated using a right angle bracket. |
Procedures are presented as a series of numbered steps. | 1. In the Resource Tree, select NAC Settings.
Names of keys on the keyboard are denoted using UPPER CASE. | Press ENTER.
Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font. | Type: setup and then press ENTER.
Variable information that you must type based on your specific situation or environment is shown in italics. | Type: Sensor-IP-address and then press ENTER.
Parameters that you must supply are shown enclosed in angle brackets. | set Sensor ip <A.B.C.D>
Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation. | Caution:
Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. | Warning:
Notes that provide related, but non-critical, information are denoted using this notation. | Note:
Related documentation
The following documents and on-line help are companions to this guide. Refer to the Quick Tour for more information on these guides.
Quick Tour
Manager Installation Guide
4.1 to 5.1 Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
Manager Server Configuration Guide
Sensor CLI Guide
Sensor Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
User-Defined Signatures Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-8000 Sensor Product Guide
M-6050 Sensor Product Guide
M-3050/M-4050 Sensor Product Guide
M-2750 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
N-450 Sensor Product Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
Special Topics Guide: In-line Sensor Deployment
Special Topics Guide: Sensor High Availability
Special Topics Guide: Virtualization
Special Topics Guide: Denial-of-Service
Contacting Technical Support
Online
Contact McAfee Technical Support at http://mysupport.mcafee.com. Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page at http://www.mcafee.com/us/about/contact/index.html.
Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
CHAPTER 1
Child domains
Creating child domains enables you to delegate, monitor, and/or configure the McAfee Network Security Sensors [formerly McAfee IntruShield Sensors] in that sub-domain to entities more familiar with the sub-domain's environment. You are not required to subdivide your admin domains into child domains; however, if you want to delegate responsibilities for managing Network Security Platform resources among multiple individuals within your organization, you do so by creating child domains.
To delegate responsibilities, you create child admin domains and user accounts, giving each user a role that defines how the user can interact with the resources in the child admin domain. For example, suppose you manage three McAfee Network Security Sensors (Sensors). You can create a child domain and allocate a single port (1A) from one of your Sensors to that domain. You can create a user and assign that person a Super User role in only that domain; that user has no role in the root domain, and therefore cannot see or configure root domain resources. The child domain's Super User has been delegated full management responsibilities for the allocated interface.
Note: For more information on roles, see Roles (on page 15).
A user's role determines his/her view of the Resource Tree; only resources the user is permitted to view are displayed in the tree. In the figure below, if a user is a Super User of the HR admin domain, the Resource Tree shows the HR domain at the top of the tree and all of its children; it does not display the root admin domain nor any other child domains of the root.
A child admin domain, such as HR, on the left side of the figure below, can have other child admin domains created within it, as seen with the child domain HR SF. Any domain with child domains is a parent; thus, a child domain can be a parent to other child domains. When you create a child domain you can enable or disable it to be a parent for other domains (enabled by default). The root can always have child domains.
Item | Description
1 | Root admin domain, parent domain of HR and QA
2 | Child domain of My Company, parent of HR SF
3 | Child domain of HR
4 | Child domain of My Company
You configure admin domain node names, including that of the root, during domain creation. In the previous example, the HR and QA admin domains were created under the root domain; HR SF was created under the HR domain node. It is important to understand the relationship between parent and child admin domains because child admin domains inherit policies from parent admin domains, and users inherit the same privileges in the child domains as enabled by their roles in the parent domain.
Note: Throughout this guide, named admin domain instances are represented as Admin-Domain-Name. In the above figure, the root Admin-Domain-Name is My Company, which is the default root Admin-Domain-Name.
CHAPTER 2
2 Click Add.
3 Type the required information. The red asterisks (*) denote required fields.
Field | Description
Admin Domain Name | Enter a unique name for identifying the domain. For an enterprise, naming your domain after the specific network segment, department, or building is suggested: HR, Finance, Bldg1, Bldg1-Floor2.
Contact Person Name | Enter the name of the person responsible for the domain. This person should be someone who can be reached in case of emergency or other domain questions.
Email Address | The email address of the Contact Person.
The following check boxes set restrictions on the child admin domain being created:
If you select this check box, the administrator of the domain you are currently creating can create child admin domains for the domain. If you create a child admin domain and disallow the creation of further child admin domains, the new child domain cannot have its own children, due to rule inheritance.
If you select this check box, the administrator of the domain you are currently creating can add, edit, or delete physical Sensors. Otherwise, the domain is permitted only the interface or sub-interface resources allocated in Step 5. If you create a child admin domain and disallow the adding of physical Sensors, any children of the new child domain are also disallowed from adding physical Sensors, due to rule inheritance.
For the IPS mode and IPS with NAC mode, two additional fields are displayed: Default IPS Policy and Default Reconnaissance Policy.
Field | Description
Default IPS Policy | Sets the default IPS Policy to be inherited by child admin domain resources. Several pre-configured policies are provided that encompass different network environments.
Default Reconnaissance Policy | Sets the default Reconnaissance policy to be inherited by child admin domains.
6 Select a Sensor from the drop-down list to allocate interfaces/sub-interfaces to the child domain. You can allocate interfaces/sub-interfaces from one or more Sensors.
7 Select an interface/sub-interface from the chosen Sensor. Click Allocate. You may only select one interface from one Sensor at a time.
Note: VLAN and CIDR VIDS are not supported on N-450 Sensors.
For CIDR and VLAN interfaces, you can allocate one or more IDs to a child admin domain. For CIDR, you can allocate CIDR IP addresses that you have not already entered into the interface, as long as these addresses are within the CIDR network address you specified. For example, in the following figure, you could allocate 192.168.0.0/24, or you could enter an address such as 192.168.0.1 at IP Address and a Mask Length of 32, click Add To List, then Add to allocate this division of interface 3B to the new domain.
Note 1: The CIDR IP address field now enables you to enter IPv4 addresses in 4 different fields separated with dots. You can enter the IP address value in the corresponding fields.
Note 2: The maximum value in each field is 255. If you type a period (.), the cursor moves to the next field.
Note 3: Only numerical values between 0 and 9 are allowed. Special characters are not allowed. Pressing TAB after the last field moves you to the mask field.
8 Repeat until you have allocated all the interfaces you require.
Note: When viewing the new domain node in the Resource Tree, the Sensor_Name node(s) is not available for configuration, just the allocated interface/sub-interface node(s).
10 Click Finish in the Unallocated Interface List page. The child admin domain you created appears at the bottom of the resource list of the domain in which it was created.
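The allocation rule in step 7 (a CIDR block given to a child domain must lie inside the network configured on the interface and must not already be allocated to another domain) is checked in the following added example; it is not code from this guide or the product. Interface 3B's network 192.168.0.0/24, the HR/QA child domains and all function names are constructed here, and the example also computes what would remain in the Unallocated Interface List.

```python
"""Check CIDR sub-allocations of one Sensor interface to child admin domains.

Added example, not code from the McAfee guide or product. The interface network
(192.168.0.0/24, as in the guide's interface 3B figure) and the HR/QA child
domain names are constructed sample data; all function names are our own.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: blocks of interface 3B already allocated per child domain.
ALLOCATED: Dict[str, List[str]] = {
    "HR": ["192.168.0.0/26"],
    "QA": ["192.168.0.128/25"],
}


def check_allocation(interface_cidr: str, requested: str,
                     allocated: Dict[str, List[str]]) -> str:
    """Return "ok" if `requested` may be allocated, else the reason it may not.

    Mirrors the guide's rule: the address must be within the CIDR network
    specified on the interface and not already entered (allocated elsewhere).
    """
    network = ipaddress.ip_network(interface_cidr, strict=True)
    try:
        # strict=True rejects "192.168.0.1/24" style entries with host bits set
        req = ipaddress.ip_network(requested, strict=True)
    except ValueError as exc:
        return f"invalid CIDR: {exc}"
    if req.version != network.version:
        return "address family mismatch with the interface network"
    if not req.subnet_of(network):
        return f"{req} is outside interface network {network}"
    for domain, blocks in allocated.items():
        for block in blocks:
            taken = ipaddress.ip_network(block)
            if req.overlaps(taken):
                return f"{req} overlaps {taken} already allocated to {domain}"
    return "ok"


def allocate(interface_cidr: str, domain: str, requested: str,
             allocated: Dict[str, List[str]]) -> str:
    """Record the allocation if it passes the check; return the check result."""
    verdict = check_allocation(interface_cidr, requested, allocated)
    if verdict == "ok":
        allocated.setdefault(domain, []).append(requested)
    return verdict


def unallocated(interface_cidr: str,
                allocated: Dict[str, List[str]]) -> List[str]:
    """Blocks of the interface network not yet given to any child domain
    (what the guide's Unallocated Interface List would still offer)."""
    remaining = [ipaddress.ip_network(interface_cidr)]
    for blocks in allocated.values():
        for block in blocks:
            taken = ipaddress.ip_network(block)
            still_free = []
            for free in remaining:
                if taken.subnet_of(free):
                    # carve the taken block out; yields nothing if they are equal
                    still_free.extend(free.address_exclude(taken))
                elif not free.overlaps(taken):
                    still_free.append(free)
                # a free block wholly inside `taken` is simply dropped
            remaining = still_free
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    iface = "192.168.0.0/24"
    state = {d: list(b) for d, b in ALLOCATED.items()}
    for dom, cidr in [("Finance", "192.168.0.64/27"),   # free slice
                      ("Finance", "192.168.0.1/32"),    # inside HR's block
                      ("Finance", "10.0.0.0/8"),        # not on this interface
                      ("Finance", "192.168.0.1/24")]:   # host bits set
        print(f"{dom} <- {cidr}: {allocate(iface, dom, cidr, state)}")
    print("unallocated:", unallocated(iface, state))
```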
To edit a domain's details or allocate/revoke more interfaces to an existing child admin domain
1 Select the appropriate (named) parent domain by navigating to Admin-Domain-Name > Admin Domain > Admin Domains.
2 Select the child domain to be edited from the parent's Admin Domains List table.
3 Click Edit.
4 Change any of the general information fields that require updating/editing in the Edit Admin Domain page.
5 Click Next.
6 Do one of the following:
Select a Sensor and an interface and then click Allocate to allocate more interfaces to the child domain.
Select an already allocated interface and click Revoke to remove the interface(s) from the child domain.
7 Click Finish.
1 Select My Company > Admin Domain > Admin Domains.
2 Select the root admin domain (My Company) from the Admin Domains List page in the McAfee Network Security Manager (Manager). For McAfee Network Security Central Manager (Central Manager) there is only one admin domain, whose details are displayed.
3 Click Edit.
4 Clear the Admin Domain Name and type your new domain name.
5 Clear the Contact Person Name and type a name. This typically would be the Super User.
6 Clear the Email Address and type a new email address.
7 Optionally, change the fields that require updating/editing.
8 Click Save. In the Resource Tree, the root domain name changes from My Company to the name you provided.
Note: An admin domain with resources such as Sensors and interfaces cannot be deleted until all resources have been removed.
CHAPTER 3
The User tab has the following actions:
Manage Users (on page 11): Create, edit, and delete users.
Manage Roles (on page 16): Assign roles to users within an existing admin domain.
Manage My Account (on page 24): View the account information for the logged in user.
Managing users
The Manage Users action enables the creation, editing, and deletion of users. The following subsections describe these functions:
Adding a user (on page 12): Add a new user.
Editing users (on page 14): Edit a previously created user entry.
Changing the default administrator super user username/password (on page 14): Edit the default system username and password for system protection.
Deleting users (on page 14): Delete a previously created user entry.
Note: The User List only displays the users created within the current admin domain and any of its children. This list does not display users that were created in a higher admin domain level, even if the viewing administrator has a role in that higher admin domain. If a user's name is not displayed, the viewing user needs to move to the admin domain level where the user was created in order to administer that user. Admin domain viewing is role dependent.
Adding a user
To add a new user and optionally assign a domain role, do the following:
1 Select Admin-Domain-Name > Users > Users.
2 Click Add.
3 Fill in the required fields. The Password must be a minimum of eight (8) characters in length. Password parameters that can be used are as follows:
26 alpha: upper and lower case (a, b, c, ... z and A, B, C, ... Z)
10 digits: 0 1 2 3 4 5 6 7 8 9
32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /
Note: If RADIUS or LDAP (Active Directory) authentication is enabled, you must also select the type of authentication to use for this new user.
LDAP: use the following format for the LDAP User DN: uid=userName,ou=People,dc=DomainName,dc=com. If using Active Directory, use the following format: userloginname@domain.com or cn=userName,ou=People,dc=DomainName,dc=com. Use a valid DN, as LDAP authentication may not operate correctly without a valid DN. Consult with your system administrator to obtain the correct DN for your LDAP server.
RADIUS: select one of the following RADIUS authentication protocols. If you select this option, also type a valid RADIUS ID, which will be used for authenticating your settings against the RADIUS server.
RADIUS using PAP (Password Authentication Protocol)
RADIUS using CHAP (Challenge Handshake Authentication Protocol)
RADIUS using EAP-MD5 (Extensible Authentication Protocol-MD5)
5 Click Save; click Cancel to abort.
6 Answer the following prompt: The user created does not have any role. Do you wish to assign role now? Click OK to assign a role. Click Cancel to save the user without an assigned role. You may want to wait to assign a role to a user if you have not yet determined what tasks you want the user to perform.
Tip: For steps on assigning a domain role, see Assigning a role to a user in a domain (on page 17).
7 Click Done. A table displays all users with roles in the current domain.
8 Select Users > Users to view your newly added user.
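The following added example (not code from this guide or the product) validates the two inputs step 3 constrains before they are submitted: the Manager password, which must be at least eight characters drawn from the 26 letters in both cases, the 10 digits and the 32 listed symbols, and the LDAP or Active Directory user DN in the formats shown. The function names, messages and sample values are constructed here; the simplified DN parser does not handle RFC 4514 escaping.

```python
"""Validate Manager user entries: password character policy and user DN shape.

Added example, not code from the McAfee guide or product. The password rule
(at least 8 characters from 26 letters in both cases, 10 digits and the 32
listed symbols) and the DN shapes (uid=...,ou=People,dc=...,dc=com for LDAP;
userloginname@domain.com or cn=... for Active Directory) are the guide's; the
function names, messages and sample values are constructed here.
"""
import string
from typing import List, Tuple

# The 32 symbols the guide lists; note that space is not among them.
PASSWORD_SYMBOLS = "~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/"
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + PASSWORD_SYMBOLS)
MIN_LENGTH = 8


def check_password(password: str) -> List[str]:
    """Return the list of policy violations (empty when the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "uid=jdoe,ou=People,dc=example,dc=com" into (attribute, value) pairs.

    Simplified: RFC 4514 escaping (e.g. "\\," inside a value) is not handled,
    which is enough for the plain shapes the guide shows.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn.strip()!r}")
        pairs.append((attr, value))
    return pairs


def check_user_dn(dn: str, directory: str) -> List[str]:
    """Check a user DN for directory "ldap" or "ad" against the guide's formats."""
    if directory not in ("ldap", "ad"):
        raise ValueError("directory must be 'ldap' or 'ad'")
    if directory == "ad" and "=" not in dn:
        # Active Directory also accepts the user principal name form
        user, at, domain = dn.partition("@")
        if user and at and "." in domain and " " not in dn:
            return []
        return ["UPN must look like userloginname@domain.com"]
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    leading = "uid" if directory == "ldap" else "cn"
    if pairs[0][0] != leading:
        problems.append(f"first RDN must be {leading}=<user>, got {pairs[0][0]}=")
    if not any(attr == "dc" for attr, _ in pairs):
        problems.append("no dc= components, base DN is missing")
    return problems


if __name__ == "__main__":
    for pw in ["Adm1n!23", "short", "pass word1"]:
        print(repr(pw), "->", check_password(pw) or "ok")
    for dn, kind in [("uid=jdoe,ou=People,dc=example,dc=com", "ldap"),
                     ("jdoe@example.com", "ad"),
                     ("cn=jdoe,ou=People", "ad")]:
        print(kind, dn, "->", check_user_dn(dn, kind) or "ok")
```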
Editing users
To edit an existing user, do the following:
1 Select Admin-Domain-Name > Users > Users.
2 Select a user.
3 Click Edit.
4 Type your changes in the appropriate fields.
5 Click Save.
Changing the default administrator super user username/password
10 Click Save to keep these changes and eliminate the default (admin/admin123) combination.
Deleting users
To delete an existing user account, do the following:
1 Select Admin-Domain-Name > Users > Users.
2 Select a user.
3 Click Delete. A pop-up with the following message appears: You are about to permanently delete this record. Do you wish to continue?
4 Click OK to delete the user record; click Cancel to abort.
Defining roles
A role is a group of actions that a user is allowed to perform within a given administrative domain. Network Security Platform provides role-based authorization to the users. Users authenticate themselves by logging into the Manager. For an admin domain, you can create users and assign roles to the users in the Manager. You can also create users in the child admin domains and assign roles to them.
The role privilege indicates the actions that are allowed for a user assigned the particular role. Each role has role privileges with Read Write or Read Only (RW or RO) permissions. For example, Reports RW allows the user with that role to have Read and Write permissions for the Reports in the Manager.
Note that users created for an admin domain are specific to that domain, but roles can be assigned to the users across domains. That is, you can assign a role to a user in one domain, and another role to the same user in the corresponding child domain.
The following table lists the various role types along with the corresponding role description.
Role | Description
NAC Administrator | Administer the Network Access Control environment
IPS Administrator | Administer the intrusion prevention environment
Guest Portal Account Manager | Administer local Guest Portal user accounts
NOC Operator | Monitor the security environment
Report Generator | Run reports
Security Expert | Administer the NAC and IPS environments
System Administrator | Administer the Manager and the Device List
Super User | Full rights. Super Users must manage themselves within the domain(s) they reside.
No Role | The user cannot log on to Manager. This is the state when a user is first created but is yet to be assigned any role.
Custom Roles | Custom roles can be created in the Manager, and assigned to users. For more information, see Creating custom roles (on page 18).
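The following added example models two rules stated in this guide, in chapter 1 (a user's role in a parent domain is inherited in its child domains, and the Resource Tree shows only the domain where the user holds a role and its children) and in the paragraph above (the same user may hold a different role in a child domain). It is not code from this guide or the product; the domain tree (My Company, HR, HR SF, QA) and the IPS-mode privilege lists are the guide's, while the data structures, function names, the "nearest assignment wins" rule for resolving a directly assigned child-domain role against an inherited one, and the sample users are constructed here.

```python
"""Model of admin-domain role inheritance and Resource Tree visibility.

Added example, not code from the McAfee guide or product. The domain tree
(My Company > HR > HR SF, My Company > QA) and the role privilege lists are
taken from this guide (IPS mode column); the data structures, function names,
the "nearest assignment wins" rule for a user holding different roles in a
parent and a child domain, and the sample users are constructed here.
"""
from typing import Dict, List, Optional, Set

# Parent of each admin domain; the root (My Company) has no parent.
PARENT: Dict[str, Optional[str]] = {
    "My Company": None,
    "HR": "My Company",
    "QA": "My Company",
    "HR SF": "HR",
}

# IPS-mode privileges of some default roles, from the role privileges table.
ROLE_PRIVS: Dict[str, Set[str]] = {
    "Super User": {
        "Configure Admin Domain RW", "Configure Admin User Accounts RW",
        "Configure Manager RW", "Configure Integration RW",
        "Configure Device List RW", "Configure IPS Settings RW",
        "Configure Guest Portal User creation RW", "Home", "Reports IPS RW",
        "Operational Status RW", "TA Summary Dashboard IPS RW",
        "TA Summary Dashboard General RW", "TA Alerts RW", "TA Hosts RW",
        "TA Hosts Forensics ePolicy Orchestrator", "TA Hosts Forensics Foundstone",
    },
    "NOC Operator": {
        "Home", "Reports IPS RO", "Operational Status RO",
        "TA Summary Dashboard IPS RO", "TA Summary Dashboard General RO",
        "TA Alerts RO", "TA Hosts RO",
    },
    "Report Generator": {"Reports IPS RW"},
    "No Role": set(),
}

# A user's role assignments: domain -> role, at most one role per domain.
UserRoles = Dict[str, str]


def children_of(domain: str) -> List[str]:
    return [d for d, p in PARENT.items() if p == domain]


def subtree(domain: str) -> Set[str]:
    """The domain and every descendant (a child domain can itself be a parent)."""
    found = {domain}
    for child in children_of(domain):
        found |= subtree(child)
    return found


def effective_role(user: UserRoles, domain: str) -> str:
    """Role the user holds in `domain`.

    Roles are inherited downward from a parent domain; if the user was also
    given a role directly in a child domain, that closer assignment applies
    (an assumption of this model, see the module docstring).
    """
    current: Optional[str] = domain
    while current is not None:
        if current in user:
            return user[current]
        current = PARENT[current]
    return "No Role"


def visible_domains(user: UserRoles) -> List[str]:
    """Domains shown in the user's Resource Tree: each domain where a role is
    assigned plus all of its children; parents and sibling domains stay hidden."""
    shown: Set[str] = set()
    for domain, role in user.items():
        if role != "No Role":
            shown |= subtree(domain)
    return sorted(shown)


def can(user: UserRoles, domain: str, privilege: str) -> bool:
    """Whether the user's effective role in `domain` carries `privilege`."""
    return privilege in ROLE_PRIVS[effective_role(user, domain)]


if __name__ == "__main__":
    # Constructed sample users, following the chapter 1 delegation example.
    hr_admin: UserRoles = {"HR": "Super User"}
    noc: UserRoles = {"My Company": "NOC Operator", "HR": "Report Generator"}
    print("HR admin sees:", visible_domains(hr_admin))         # HR and HR SF only
    print("HR admin in QA:", effective_role(hr_admin, "QA"))  # No Role
    print("NOC in HR SF:", effective_role(noc, "HR SF"))      # Report Generator
    print("NOC may write reports in QA:", can(noc, "QA", "Reports IPS RW"))
```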
From the Resource Tree, select Admin Domain > Users > Custom Roles.
Note: The Custom Roles tab can be accessed only from the parent administrative domain.
In Custom Role Details, the default roles are listed as per the Manager mode (IPS, NAC or IPS with NAC mode). Note that the default roles cannot be edited or deleted.
Role privileges
The privileges of each default role in each Manager mode (IPS mode, NAC mode, IPS with NAC mode) are listed below.

NAC Administrator
IPS mode: Nil
NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW
IPS with NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW

IPS Administrator
IPS mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW
NAC mode: Nil
IPS with NAC mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW

System Administrator
IPS mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure IPS Settings RO; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure NAC Settings RO; Home; Reports NAC RW; Operational Status RW; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
IPS with NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure IPS Settings RO; Configure NAC Settings RO; Home; Reports IPS RW; Reports NAC RW; Operational Status RW; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

Report Generator
IPS mode: Reports IPS RW
NAC mode: Reports NAC RW
IPS with NAC mode: Reports IPS RW; Reports NAC RW

Super User
IPS mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure IPS Settings RW; Configure Guest Portal User creation RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure NAC Settings RW; Configure Guest Portal User creation RW; Home; Reports NAC RW; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
IPS with NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure IPS Settings RW; Configure NAC Settings RW; Configure Guest Portal User creation RW; Home; Reports IPS RW; Reports NAC RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone

NOC Operator
IPS mode: Home; Reports IPS RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
NAC mode: Home; Reports NAC RO; Operational Status RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
IPS with NAC mode: Home; Reports IPS RO; Reports NAC RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

Security Expert
IPS mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Home; Reports IPS RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
NAC mode: Configure Integration RW; Configure Device List RO; Configure NAC Settings RW; Home; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
IPS with NAC mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Configure NAC Settings RW; Home; Reports IPS RW; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone

No Role
IPS mode: Nil
NAC mode: Nil
IPS with NAC mode: Nil
4 Enter Role Name and Description.
5 Select and move the privileges that you want to assign to this new custom role from the set of available privileges in Manager Privileges to Role Privileges. The Read, Write or Operate permissions (RO, RW, etc.) for the privileges are shown in the privilege name. Select Save to save the changes.
1 From the Resource Tree, select Admin Domain > Users > Users.
2 Select Add to add a user.
3 Enter the user information, and select Save.
4 A pop-up is displayed asking if you want to assign a role to this user. Select OK.
5 You are re-directed to the Edit / View Role of Roles tab, where the roles available by default as well as the custom roles you created are listed.
6 Select the custom role from the list.
7 Select Save to save the changes. The assigned role is displayed in the Role Detail section of the same window.
If you wish to change your information (password, address, and so forth), clear the appropriate field, type the new information, and click Save; click Cancel to exit without saving changes.
CHAPTER 4

ALL: All actions performed/recorded by the system. This includes all of the topics that follow.
DEBUG: Only debug information for the system.
INFO: Only configuration information, such as when an action is performed.
WARN: Only system warning (high severity) information.
ERROR: Only system error (medium severity) information.
FATAL: Only crash/failure information.
Or:
Show INFO, WARN, ERROR, and FATAL. This range is useful when more detailed logs, including information and warnings, are desired.
Show ERROR and FATAL. This range is useful when only errors and crash information are needed.
Select the desired range of dates. The Begin Date and End Date must be different times. Type a value for the Number of Messages to Display to limit the log output. The default value is 10. Click View Messages to view the log.
2 Select whether or not to include audit data from all child domains of the current domain (Include Child Admin Domains).
3 Select a user to audit (Select User(s) to Audit). The drop-down list displays the login IDs of the users currently logged in.
4 Select one or more Audit Categories. The Audit Categories displayed depend on the configured Manager mode. The table below shows the Audit Categories available for each Manager mode.
IPS Mode: Admin Domain, User, Manager, Sensor, IPS Policy, Report, Update Server, Operational Status, Threat Analyzer, Unspecified
NAC Mode: Admin Domain, User, Manager, Sensor, Report, Update Server, Operational Status, Threat Analyzer, NAC, Unspecified
IPS with NAC mode: Admin Domain, User, Manager, Sensor, IPS Policy, Report, Update Server, Operational Status, Threat Analyzer, NAC, Unspecified
5 Type the number of audit messages to show (Show x messages). The default is 10 messages.
6 Select one of the following time options:
Up to Current Time: Displays the requested number of most recent messages.
Ending (All messages before this date will be displayed): Specify the date and time before which you want to see the requested number of messages. That is, choosing this option displays the requested number of messages starting from this time and proceeding backwards.
Select Messages Between These Dates: Select the desired range of dates for activity by a user.
7 Click View Messages to start the audit. The following figure displays an audit result. The fields are as follows:
Include Child Admin Domains: Whether all child domains of the current domain are included in the audit.
Actions performed by User: The user being audited.
Audit Categories: The audit categories selected while generating messages.
Start Time: The specified audit start time.
End Time: The specified audit end time.
Number of Actions: The number of actions performed between Start Time and End Time.
Field descriptions:
When the action was performed.
Which action was performed.
Username.
The audit category.
Performed action.
Status of the performed action, either Success or Failure.
Component affected by the action.
Network Security Platform identifies the following as long-running activities:
Signature set download from McAfee Update Server
Signature set update on all active Sensors
Sensor software download from McAfee Update Server
Sensor software update on all Sensors
Cumulative policies update due to signature set download or editing of overriding rules
UDS Editor export to Manager
Report generation
Data Backup using Manager
Data Restore using Manager
Database dump transfer/import for an MDR pair
Database tuning using Manager
File maintenance
Alert archival using Manager
Archived alerts restore using Manager
Alert data purge using Manager
Note: Network Security Platform records the above activities for both scheduled and user-initiated processes.
Note 1: Though all users can view the messages, only users with the role of Super User in the root Admin domain can acknowledge messages.
Note 2: Child Admin Domain users can view only the latest 4 messages.
Note 3: For the Manager to be able to check the Update Server for messages, you must have authenticated your credentials with the Update Server. For more information on how to authenticate, see Setting authentication for communication with the Update Server.
To view all unacknowledged messages:
From the Resource Tree, select Root Admin Domain > Logs > Messages from McAfee. Alternatively, click the View All Messages link on the home page. The Messages from McAfee window is displayed.
Note 1: Messages that have been acknowledged are not displayed again.
Note 2: You can acknowledge 10 messages at a time; the first 10 selected messages are acknowledged.
Note 3: Acknowledged messages are logged, and you can view this information in the User Activity Log report. For information on this report, see Audit Report in the Reports Guide.
CHAPTER 5

2 Check Enable SNMP Forwarder (default is Yes) and click Apply.
3 Click Add. The Fault SNMP Forwarder window is displayed.
4 Fill in the following fields:
Current Admin Domain: Send notifications for alerts in the current domain. Always enabled for the current domain.
All Child Admin Domain(s): Include alerts for all child domains of the current domain.
IP address of the target SNMP server. This can be an IPv4 or IPv6 address.
The target server's SNMP listening port. The standard port for SNMP, 162, is pre-filled in the field.
Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.
Type an SNMP community string to protect your Network Security Platform data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.
Forward Faults: Choose the severity level for forwarding faults. The options are Critical, Error and above, Warning and above, and Informational and above.
Choose the severity of alerts that will have information forwarded. Limiting your alert severities to Critical or Error and above is recommended for focused analysis.
The following fields appear only when SNMP Version 3 is selected.
Authoritative Engine ID: The authoritative (security) engineID used for SNMP version 3 REQUEST messages.
Authentication Level: Specifies the authentication level and has the following categories:
No Authorization, No Privileges: Uses a user name match for authentication.
Authorization, No Privileges: Provides authentication based on the MD5 or SHA algorithms.
Authorization, Privileges: Provides authentication based on the MD5 or SHA algorithms. It also provides encryption, in addition to authentication, based on the DES or AES standards.
The following fields appear only when Authorization, No Privileges or Authorization, Privileges is selected in Authentication Level.
Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.
Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.
Encryption Type: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages.
Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.
5 Click Apply.
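An added illustration, not code from the product, of what the SNMP version 3 fields above feed into: the standard RFC 3414 password-to-key and key-localization steps, which show why the Authoritative Engine ID must match the target (a key localized to the wrong engine ID is simply rejected). The function names are my own; the engine ID and pass phrase are the RFC 3414 appendix test values, not a real engine or credential.

```python
import hashlib
from typing import Dict, Optional

# Digest behind each Authentication Type offered in the form.
_DIGEST = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, auth_type: str) -> bytes:
    """Ku (RFC 3414 A.2): digest of the pass phrase repeated out to 1,048,576 bytes."""
    pw = password.encode("utf-8")
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(_DIGEST[auth_type], pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_type: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one authoritative engine,
    so a wrong Authoritative Engine ID yields a key the target will reject."""
    return hashlib.new(_DIGEST[auth_type], ku + engine_id + ku).digest()


def derive_usm_keys(level: str, engine_id_hex: str, auth_type: Optional[str] = None,
                    auth_password: Optional[str] = None, priv_type: Optional[str] = None,
                    priv_password: Optional[str] = None) -> Dict[str, bytes]:
    """Return the localized keys required by the chosen Authentication Level."""
    engine_id = bytes.fromhex(engine_id_hex)
    keys: Dict[str, bytes] = {}
    if level == "No Authorization, No Privileges":
        return keys                      # user name match only, no keys involved
    if level not in ("Authorization, No Privileges", "Authorization, Privileges"):
        raise ValueError(f"unknown authentication level: {level}")
    if auth_type not in _DIGEST or not auth_password:
        raise ValueError("Authentication Type and Authentication Password are required")
    keys["auth"] = localize_key(password_to_key(auth_password, auth_type), engine_id, auth_type)
    if level == "Authorization, Privileges":
        if priv_type not in ("DES", "AES") or not priv_password:
            raise ValueError("Encryption Type and Privacy Password are required")
        # The privacy key is derived with the authentication hash and cut to 16 bytes:
        # DES uses 8 bytes of key plus 8 bytes of pre-IV, AES-128 uses all 16 as key.
        kul = localize_key(password_to_key(priv_password, auth_type), engine_id, auth_type)
        keys["priv"] = kul[:16]
    return keys


# RFC 3414 appendix A test values (not a real engine or credential).
RFC_ENGINE_ID = "000000000000000000000002"
RFC_PASSWORD = "maplesyrup"
```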
1 Select Admin-Domain-Name > Fault Notification > SNMP.
2 Select the configured SNMP server instance from the SNMP Forwarder List page.
3 Do one of the following:
a. To edit the settings, click Edit, modify the fields as required, and then click Apply.
b. To delete the settings, click Delete and then click OK to confirm the deletion.
The Fault Syslog Forwarder window is displayed.
2 Fill in the following fields:
Field Description
current domain.
Type either the Host IP Address or Host Name of the syslog server where alerts will be sent. For Host IP Address, you can enter either an IPv4 or IPv6 address.
Port: Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 514, is pre-filled in the field.
Facilities: Standard syslog prioritization value. The choices are as follows:
Security/authorization (code 4)
Security/authorization (code 10)
Log audit (note 1)
Log alert (note 1)
Clock daemon (note 2)
Local user 0 (local0)
Local user 1 (local1)
Local user 2 (local2)
Local user 3 (local3)
Local user 4 (local4)
Local user 5 (local5)
Local user 6 (local6)
Local user 7 (local7)
Severity Mapping: You can map each fault severity (Informational, Error, Warning, and Critical) to one of the standard syslog severities listed below (default severity mappings are noted in parentheses):
Emergency: system is unusable
Alert: action must be taken immediately
Critical: (HIGH) critical conditions
Error: error conditions
Warning: (MEDIUM) warning conditions
Notice: (LOW) normal but significant condition
Informational: (INFORMATIONAL) informational messages
Debug: debug-level messages
Forward Faults: Select the severity of the faults that you want to be forwarded to the syslog server. The options are:
Critical: only Critical faults
Error and above: both Error and Critical faults
Warning and above: Warning, Error, and Critical faults
Informational and above: all faults
Click Apply.
Note: You must click Apply before you will be able to customize the message format sent to your syslog server.
Select the Message Preference to send as the syslog forwarding message. The choices are:
System Default: the default message is a quick summary of a fault with two fields for easy recognition: Attack Name and Attack Severity. A default message reads: Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)
Customized: create a custom message. To create a custom message, do the following:
i. Click Edit to create a custom message.
ii. Type a message and select (click) the parameters for the desired alert identification format. The following figure displays a custom message. You can type custom text in the Message field as well as click one or more of the provided elements below the field box.
iii. Click Save when finished to return to the Fault Syslog Forwarder page. The Customized button is automatically selected after you have customized the Message Preference.
Figure callouts: 1 Custom typed text; 2 Selected token
Caution: For syslog information to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each element. Example: $ATTACK_TIME$
Click Apply.
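An added example, not the product's own code, of how the syslog forwarder settings above combine: the Forward Faults threshold, the Facilities and Severity Mapping choices that form the syslog PRI value, and the $TOKEN$ message template with the delimiter check the Caution calls for. The facility key names, the severity mapping and the sample fault are constructed assumptions; the token names are the ones the guide shows.

```python
import re
from typing import Dict, Optional

# Syslog facility codes (RFC 3164 numbering) for the facilities the forwarder
# offers: security/authorization 4 and 10, log audit 13, log alert 14,
# clock daemon 15, and local0..local7 = 16..23.
FACILITY = {"auth": 4, "authpriv": 10, "logaudit": 13, "logalert": 14,
            "clock": 15, **{f"local{i}": 16 + i for i in range(8)}}

# The standard syslog severities, Emergency (0) through Debug (7).
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}

# Fault severities from lowest to highest; "X and above" keeps X and everything after it.
FAULT_RANK = ["Informational", "Warning", "Error", "Critical"]

# Assumed Severity Mapping (what an operator might set in the form); these are
# constructed values, not the product defaults.
SEVERITY_MAP = {"Informational": "Informational", "Warning": "Warning",
                "Error": "Error", "Critical": "Critical"}

TOKEN_RE = re.compile(r"\$([A-Z][A-Z0-9_]*)\$")

def syslog_pri(facility: str, fault_severity: str) -> int:
    """PRI = facility * 8 + severity, after the fault severity is mapped."""
    return FACILITY[facility] * 8 + SYSLOG_SEVERITY[SEVERITY_MAP[fault_severity]]

def should_forward(fault_severity: str, forward_faults: str) -> bool:
    """Apply the Forward Faults threshold ("Critical", "Error and above", ...)."""
    floor = forward_faults.replace(" and above", "")
    return FAULT_RANK.index(fault_severity) >= FAULT_RANK.index(floor)

def render_template(template: str, fault: Dict[str, str]) -> str:
    """Substitute $TOKEN$ elements; reject a template with a stray '$'."""
    if template.count("$") % 2:
        raise ValueError("unbalanced '$' delimiter in message template")
    # Unknown tokens are left in place so a misspelt element shows up in the log.
    return TOKEN_RE.sub(lambda m: fault.get(m.group(1), m.group(0)), template)

def build_syslog_message(fault: Dict[str, str], facility: str, forward_faults: str,
                         template: str, hostname: str = "nsp-manager") -> Optional[str]:
    """Return the BSD-style syslog line the forwarder would send, or None if filtered."""
    severity = fault["IV_ATTACK_SEVERITY"]
    if not should_forward(severity, forward_faults):
        return None
    body = render_template(template, fault)
    return f"<{syslog_pri(facility, severity)}>{fault['ATTACK_TIME']} {hostname} NSP: {body}"

# Constructed sample fault; the token names are the ones the guide shows.
SAMPLE_FAULT = {"IV_ATTACK_NAME": "Sensor link down", "IV_ATTACK_SEVERITY": "Critical",
                "ATTACK_TIME": "Jun  1 12:00:00"}
DEFAULT_TEMPLATE = "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)"
```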
To manage fault notification details, do the following:
1 Select Admin-Domain-Name > Fault Notification > Fault Notification Management.
2 Fill in the following fields:
Enable Domain Notification:
Current Admin Domain: send only faults for the current domain. This is always selected for the current domain.
All Child Admin Domain(s): send faults for all child domains of the current domain.
Delegated Sensor Faults: If the McAfee Network Security Sensor (Sensor) interfaces have been delegated to a child domain, faults can be set to display by the Admin domain in which the delegated interface resides, rather than by the domain where the Sensor is controlled.
Sensor Level: faults based on the Sensor-domain relationship.
Interface Level: faults based on the interface-domain relationship.
Hysteresis Time: the amount of time to suppress system faults before forwarding. Note: Hysteresis can only be set within the root admin domain.
3 Click Apply.
Note 2: Email and pager notifications are configured per admin domain.
To enable email or pager fault notification, do the following:
1 Select Admin-Domain-Name > Fault Notification > Email or Admin-Domain-Name > Fault Notification > Pager.
2 Select the enabled status (Enable System Fault Notification). Yes is enabled; No is disabled.
3 Select a fault Severity Level to be notified of:
Informational and above: Notifies for all faults.
Warning and above: Notifies for Warning, Error, and Critical faults.
Error and above: Notifies for Error and Critical faults.
Critical: Notifies only for Critical faults.
4 Select a Message Preference. The message preference is a preset response sent with the notification, with information pertaining to the fault.
System Default: The system default message provides the notified admin with the most basic fault details so that an immediate response can be made. Details include the fault type (severity) and the component source. The subject line of the default message contains the fault name. Note: You cannot edit the System Default message.
Customized: Type a message and select (click) the parameters for the desired attack identification format. The following figure displays a custom message. You can type custom text in the Subject field or Body section, as well as click one or more of the provided elements at Subject Line Content or Body Text to add to the description. When you are finished formatting your message template, click Save. The Customized button is selected if you have customized the message.
Figure callouts: 1 Custom typed text; 2 Selected tokens
5 Click Apply to save your notification settings.
6 Specify the email or email pager address of the intended recipient(s):
a. Scroll to the bottom of the Email or Page Notification Settings page.
b. Click Add.
c. Type an email address or email pager address.
d. Click Save when complete.
7 Repeat steps a through d to add additional recipient addresses.
To enable alert notification by script, do the following:
1 Select Admin-Domain-Name > Fault Notification > Script.
2 Select the enabled status (Enable System Fault Notification). Yes is enabled; No is disabled.
3 Select a Severity to be notified of:
Informational and above: Notifies for all faults.
Warning and above: Notifies for Warning, Error, and Critical faults.
Error and above: Notifies for Error and Critical faults.
Critical: Notifies only for Critical faults.
4 Configure a Message Preference. The message preference is a preset response sent with the notification, with information pertaining to the fault.
Customized: Type a message and select (click) the parameters for the desired attack identification format. For a script notification, do the following:
iv. Click Edit.
v. Type a name for the script at Script Name.
vi. For the Body section, type the text and select the token fields for the attack information you want to see.
vii. Click Save to return to the notification form. The Customized button is selected and the script name you entered is displayed in the Script Notifications Settings page. The script is saved to your installation directory at <Network Security Platform install directory>\temp\scripts\0\<script-name>. The script file name is appended with .bat.
Click Apply to save your notification settings.
Index
A
admin domains overview 1
Root Admin Domain 4
Alert Filter Editor 4
authorization 18
C
child domains 4
Working with child domains 9, 10, 11
custom roles 16, 19
F
fault notifications 36
L
log information 27
long running processes 32, 33
R
roles, types of 18
root admin domain 10
S
Super User privileges 17
Syslog forwarder 40
system information logs 27
U
user activity audit 29
users 15