revision 2.0
COPYRIGHT
Copyright 2001 - 2008 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas. (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
* Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Contents
Preface ..... iv
    About this Guide ..... iv
    Audience ..... iv
    Conventions used in this guide ..... iv
    Related Documentation ..... vi
    Contacting Technical Support ..... vi
Index ..... 13
Preface
This preface provides a brief introduction to McAfee IntruShield IPS, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
Audience
This guide is intended for use by network technicians responsible for maintaining the IntruShield Security Manager (ISM) and analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationship between tasks, and the commands necessary to perform particular tasks.
Conventions used in this guide

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > View Details.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:
Related Documentation
The following documents and on-line help are companions to this guide. Refer to the IntruShield IPS Quick Reference Card for more information on these guides.
* IntruShield Manager Installation Guide
* IntruShield 3.1 to 4.1 Upgrade Guide
* IntruShield Getting Started Guide
* IntruShield Quick Tour
* IntruShield Planning & Deployment Guide
* IntruShield Sensor 1200 Product Guide
* IntruShield Sensor 1400 Product Guide
* IntruShield Sensor 2600 Product Guide
* IntruShield Sensor 2700 Product Guide
* IntruShield Sensor 3000 Product Guide
* IntruShield Sensor 4000 Product Guide
* IntruShield Sensor 4010 Product Guide
* IntruShield Configuration Basics Guide
* Administrative Domain Configuration Guide
* Manager Server Configuration Guide
* Policies Configuration Guide
* Sensor Configuration Guide using CLI
* Sensor Configuration Guide using ISM
* Sensor Configuration Guide using ISM Wizard
* Alerts & System Health Monitoring Guide
* ISM Reports Guide
* IntruShield User-Defined Signatures Developer's Guide
* IntruShield Troubleshooting Guide
* IntruShield Attack Description Guide
* IntruShield Special Topics Guide: Best Practices, Denial-of-Service, Sensor High Availability, Custom Roles Creation, In-line Sensor Deployment, Virtualization
* IntruShield Gigabit Optical Fail-Open Bypass Kit Guide
* IntruShield Gigabit Copper Fail-Open Bypass Kit Guide
Online
Contact McAfee Technical Support at http://mysupport.mcafee.com. Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips from McAfee's 24x7 comprehensive KnowledgeBase. Customers can also resolve technical issues through online case submission, software downloads, and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html).
Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
CHAPTER 1
1. Navigate to <IntruShield install directory>\bin.
2. Execute the dbadmin.bat file. The standalone tool opens.
3. Select Maintenance > Password Change.
4. Enter the current and new passwords in their respective fields. Ensure that you do not leave the password fields blank or reenter the current password as the new password.
5. Confirm the new password by entering it in the Confirm password field.
6. Click OK.
7. Enter the MySQL Root Password (that you specified during ISM installation).
8. Click OK.
CHAPTER 2
Capacity planning
One of the first tasks to complete when you are deploying the IntruShield IPS is the installation and setup of your database. The database houses the alert and packet log data generated by your IntruShield sensors. The integrity and availability of this data is essential to a complete IntruShield IPS experience. Every network has slight architectural differences that make each deployment unique. When deploying a network IPS, you must take into consideration the following factors when planning the capacity of your database:
* Aggregate Alert and Packet Log Volume From All Sensors: What is the volume in your network? A higher volume will require additional storage capacity.
* Lifetime of Alert And Packet Log Data: How long should you archive an alert? Maintaining your data for a long period of time (for example, one year) will require additional storage capacity to accommodate both old and new data.
The following subsections provide useful information for determining the necessary capacity for alerts and packet logs in your database.
1. Click Reports from the ISM Home page.
2. Select Executive Summary Report.
3. Fill in the following fields to determine the average weekly alert rate:
   * Admin Domain: select the root admin domain (default).
   * Sensor: select ALL SENSORS (default if you have more than one sensor).
   * Alert Severity: make sure all three severities (Low, Medium, High) are checked. When all three are selected, Informational alerts are also included.
   * Alert State: select View All Alerts. Both acknowledged and unacknowledged alerts are included for the specified time frame.
   * Time Range: Choose Select alerts in the past: 1 Week(s). You do not need to adjust the Ending time fields.
   * Get summary of: You do not have to adjust this field.
   * Report Format: select a view of the report information from the following: HTML, PDF and Save as CSV.
4. Click Run Report once all of the above fields are set. This report displays your alert data in a presentation-style format (that is, tables and colored pie charts). The first pie chart details the Total Alerts Per Sensor. Simply add the totals from each sensor to determine the amount for one week.
Note: The following graph and table estimate size based on alerts both with and without associated packet logs. Thus, the size of alert data has been estimated from both lab and live environments.
Note 1: This threshold is purely for capacity planning purposes and does not reconfigure the size of your database.
Note 2: If you are upgrading from 4.1 to later versions, then your previously set alert threshold capacity is retained.
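As an added worked example (not McAfee's code), the following script aggregates the per-sensor weekly totals from an Executive Summary report saved as CSV, turns them into a storage estimate for a chosen alert lifetime, and inverts that to the number of days a given amount of free disk can hold. The CSV column names, the per-alert and per-packet-log sizes, the packet-log ratio and the headroom factor are assumptions; substitute the values from your own environment and the sizing table.

```python
"""Capacity estimate for alert and packet-log storage.

Added example, not McAfee's code. The CSV column names, the per-alert
and per-packet-log sizes, the packet-log ratio and the headroom factor
are assumptions; take real sizes from the guide's sizing table.
"""
import csv
import io

# Constructed sample: Total Alerts Per Sensor from a one-week
# Executive Summary report saved as CSV (column names are assumed).
SAMPLE_CSV = """sensor,total_alerts
sensor-1200-dmz,48213
sensor-2700-core,131992
sensor-4000-edge,402755
"""


def weekly_alert_total(csv_text):
    """Aggregate the per-sensor weekly totals into one number."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sum(int(row["total_alerts"]) for row in reader)


def bytes_per_retained_alert(bytes_per_alert, packet_log_ratio,
                             bytes_per_packet_log):
    """Average footprint of one alert, counting its packet log when present."""
    return bytes_per_alert + packet_log_ratio * bytes_per_packet_log


def estimate_capacity_bytes(weekly_alerts, retention_days, bytes_per_alert,
                            packet_log_ratio, bytes_per_packet_log,
                            headroom=1.25):
    """Disk needed to keep retention_days of alerts at the measured rate.

    headroom covers indexes and growth between purges (assumed factor).
    """
    alerts_per_day = weekly_alerts / 7.0
    retained = alerts_per_day * retention_days
    per_alert = bytes_per_retained_alert(bytes_per_alert, packet_log_ratio,
                                         bytes_per_packet_log)
    return round(retained * per_alert * headroom)


def max_retention_days(free_bytes, weekly_alerts, bytes_per_alert,
                       packet_log_ratio, bytes_per_packet_log, headroom=1.25):
    """Inverse: how many days of alerts a given amount of free disk holds.

    Use this to sanity-check the alert lifetime you configure before
    choosing a value such as 500 days.
    """
    alerts_per_day = weekly_alerts / 7.0
    per_alert = bytes_per_retained_alert(bytes_per_alert, packet_log_ratio,
                                         bytes_per_packet_log)
    return free_bytes / headroom / per_alert / alerts_per_day


if __name__ == "__main__":
    weekly = weekly_alert_total(SAMPLE_CSV)
    need = estimate_capacity_bytes(weekly, 90, 1000, 0.25, 4000)
    print(f"{weekly} alerts/week; 90-day retention needs {need / 1e9:.2f} GB")
    days = max_retention_days(60e9, weekly, 1000, 0.25, 4000)
    print(f"60 GB free holds about {days:.0f} days of alerts")
```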
CHAPTER 3
Note: Entering a very large value (such as 500, as in 500 days) is not recommended because of the capacity required to archive 500 days' worth of alerts. Your requirements will determine the number of days you need to maintain alerts. If you must keep alerts for several hundred days, ensure that you have the necessary hard drive space on your ISM server, or back up your alert tables regularly as outlined in Database backup and recovery (on page 11).
Tip: You can use the purge.bat utility or the dbadmin.bat utility for alert and packet log data maintenance. Thus, if possible, do not schedule disk space maintenance with respect to alert and packet logs.
Purge.bat utility: Provided with your ISM installation is the alert and packet log data maintenance utility, purge.bat ($IntruShield\bin\purge.bat). This utility enables on-demand deletion of alerts and packet log data from your database. Alerts and packet logs can be deleted if they are older than a specified number of days, or if they have been marked for deletion via the Alert Manager tool. Using purge.bat, you can also automatically start the database tuning utility, dbtuning.bat, immediately after the purge is completed. This utility ensures your database is properly maintained for optimal continued use. For more information on running purge.bat, see Deleting alerts and packet Logs from the database using purge.bat (on page 8). For more information on database tuning, see Database tuning (on page 9).
Deleting alerts and packet Logs from the database using purge.bat
As detailed in Database maintenance and tuning (on page 7), an alternative to using the Disk Maintenance action for alert and packet log deletion is to delete these files using purge.bat. To do this, do the following:
1. Stop the ISM service.
   Note: The ISM service must be disabled prior to using purge.bat. If the service is not disabled, the purge will not continue.
2. Do one of the following:
   * Open your IntruShield installation folder and run purge.bat: $IntruShield\bin\purge.bat.
   * Open a DOS prompt and type the following: C:\IntruShield\bin\purge.bat
3. Answer the following questions:
   a.
   b.
      Tip: You can perform DB tuning separately from the purge operation. For more on DB tuning, see Database tuning (on page 9).
   c. Please Enter The Age Of Alerts And PacketLog Data To Delete (Num Days). For example, to delete alerts/packet logs older than 90 days, type 90.
   d. Please Enter The Number of Days Of Data To Delete At A Time (Days Increments)?
      Note: Incremental purging is available only on MySQL database installations. Incremental purging is useful in cases where log data is large. In cases where purging is aborted, data that has already been purged is not recovered.
   e. Do You Wish To Purge Alerts/PacketLogs That Have Been 'Marked For Delete' Through The Alert Manager? [This Operation Will Increase The Amount Of Time The Purge Operations Takes To Complete] (Y/N)?
   f. You are about to delete Alerts And PacketLog Data Older Than {X} Days. You Have Selected To [INCLUDE/EXCLUDE] 'Marked For Delete' Alerts/Packet Log Entries. Are you sure you want to proceed (Y/N)?
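The incremental purge behind the age and days-increment prompts above, as an added example that is not McAfee's purge.bat: it deletes alerts older than the chosen age in fixed-size slices, oldest first, committing each slice, so an abort leaves already-purged slices gone (the behaviour the incremental-purging note describes), and optionally runs a final pass over rows marked for delete. The SQLite table, its columns, the fixed clock and the sample rows are constructed stand-ins for the MySQL alert table.

```python
"""Incremental purge of alerts older than N days, in M-day slices.

Added example, not McAfee's purge.bat. An in-memory SQLite table stands
in for the ISM alert table; the table name, columns, the fixed "today"
and the sample rows are all constructed here.
"""
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2008, 6, 1)  # fixed clock so the results are reproducible

# Constructed rows: (age of the alert in days, marked-for-delete flag).
SAMPLE_ALERTS = [(200, 0), (150, 0), (120, 0), (95, 0), (60, 1), (30, 0), (5, 0)]


def make_db(rows):
    """Build the stand-in alert table from (age_days, marked) tuples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts (id INTEGER PRIMARY KEY, ts TEXT, "
               "marked_for_delete INTEGER)")
    for i, (age, marked) in enumerate(rows):
        ts = (NOW - timedelta(days=age)).isoformat()
        db.execute("INSERT INTO alerts VALUES (?, ?, ?)", (i, ts, marked))
    db.commit()
    return db


def remaining(db):
    """Number of alert rows still in the table."""
    return db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


def purge_incremental(db, age_days, increment_days, include_marked,
                      abort_after=None):
    """Delete alerts older than age_days, one increment_days slice at a time.

    Every slice is committed on its own, which is why an aborted purge
    (simulated here with abort_after) does not bring back what earlier
    slices already deleted. Returns the per-slice delete counts.
    """
    oldest = db.execute("SELECT MIN(ts) FROM alerts").fetchone()[0]
    if oldest is None:
        return []
    cutoff = NOW - timedelta(days=age_days)
    start = datetime.fromisoformat(oldest)
    counts = []
    while start < cutoff:
        end = min(start + timedelta(days=increment_days), cutoff)
        cur = db.execute("DELETE FROM alerts WHERE ts >= ? AND ts < ?",
                         (start.isoformat(), end.isoformat()))
        db.commit()  # this slice is gone for good
        counts.append(cur.rowcount)
        start = end
        if abort_after is not None and len(counts) >= abort_after:
            return counts  # simulated abort mid-purge
    if include_marked:
        # Rows flagged in the Alert Manager go in a final pass, which is
        # the extra work the (Y/N) prompt warns about.
        cur = db.execute("DELETE FROM alerts WHERE marked_for_delete = 1")
        db.commit()
        counts.append(cur.rowcount)
    return counts


if __name__ == "__main__":
    db = make_db(SAMPLE_ALERTS)
    print(purge_incremental(db, 90, 30, include_marked=True), remaining(db))
```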
Database tuning
Over time, a relational database can experience performance issues if the data is not re-tuned on a recurring basis. By regularly diagnosing, repairing, and tuning your database internals, you can ensure optimal database performance. McAfee provides a set of ISM interface actions (Manager > Database Tuning) and a standalone utility, called dbadmin.bat, to maintain database performance.
Note: You can also use dbtuning.bat to tune your IntruShield database. However, McAfee strongly encourages you to use dbadmin.bat for all your database administration tasks.
The database tuning feature does the following:
* Defragments tables where rows/columns are split or have been deleted
* Re-sorts indexes
* Updates index statistics
* Computes query optimizer statistics
* Checks and repairs tables
On a regular basis (minimum recommendation: once a month), perform database tuning on your ISM server. Completion time depends on the number of alerts/packet logs in the database and the performance of your ISM server's physical hardware platform.
Note: When you perform off-line database tuning, you must shut down the ISM service for proper performance. McAfee recommends scheduling this downtime for whenever you plan to re-tune the database. Your sensors can continue to operate and generate alerts because of built-in alert buffers.
Tip: See TBM44 in the Technical Support KnowledgeBase.
CHAPTER 4
information. Backing up this data is useful for offline analysis. This option is not enabled by default. Use the Backup Now action.
Note: For more information on all Backup tab actions, see Backing up and restoring data, Manager Server Configuration Guide.
Database archival
Archiving your database is also recommended for protection against hardware and software failures. Once saved, the archive is available for later retrieval, including by third-party tools (such as Crystal Reports).
Note: An archived database can be sent to Technical Support in the event of database issues.
McAfee recommends archiving your database to one of the following for added redundancy of system data, and to save ISM server disk space:
* A network-mapped drive
* CD-ROM/DVD-ROM
* Multi-disc RAID storage on the ISM server
* Database Replication
* Secure FTP
Index

A
Age Of Alerts, 8
alert frequency, 3
alert threshold capacity, 5
average alert rate, 3

B
Backup Now, 11
built-in alert buffers, 9

C
capacity planning, 3
crystal reports, 11

D
database alert threshold, 5
database archival, 11
database backup restoration, 12
database password, 1
database performance, 9
database replication, 11
database sizing, 4
database space, 1
database tuning, 9
dbadmin.bat, 9, 11
dbbackup.bat, 11
dbtuning.bat, 9
digital fingerprint, 12
Disk Space Maintenance, 5, 7

F
File Maintenance action, 7

H
hash functions, 12

I
iv_packetlog table, 9

M
Multi-disc RAID storage, 11
MySQL, 1
MySQL Root password, 1

O
off-line database tuning, 9

P
packet log, 3
packet log sizes, 3
purge.bat utility, 7, 8

Q
query optimizer statistics, 9

S
scheduler operation time, 7