
McAfee® Network Security Platform: Network Security Manager version 5.1 docx


DOCUMENT INFORMATION

Basic information

Title: Manager Installation Guide for McAfee Network Security Platform
Institution: McAfee, Inc. - https://www.mcafee.com
Subject: Network Security
Type: installation guide
Year published: 2010
Pages: 53
Size: 1.55 MB


Manager Installation Guide

revision 7.0

Network Protection

Industry-leading network security solutions

McAfee® Network Security Platform

Network Security Manager version 5.1


COPYRIGHT

Copyright © 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ ) * Cryptographic software written by Eric A Young and software written by Tim J Hudson * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users For any such software covered under the GPL, the source code is made available on this CD If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier * Software written by Douglas W Sauder * Software developed by the Apache Software Foundation ( http://www.apache.org/ ) A copy of the license agreement for this software can be found at

www.apache.org/licenses/LICENSE-2.0.txt * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc * Software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper, (C) 1998, 1999, 2000 * Software copyrighted by Expat maintainers * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000 * Software copyrighted by Gunnar Ritter * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003 * Software copyrighted by Gisle Aas (C) 1995-2003 * Software copyrighted by Michael A Chase, (C) 1999-2000 * Software copyrighted by Neil Winton, (C) 1995-1996 * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992 * Software copyrighted by Sean M Burke, (C) 1999, 2000 * Software copyrighted

by Martijn Koster, (C) 1995 * Software copyrighted by Brad Appleton, (C) 1996-1999 * Software copyrighted by Michael G Schwern, (C) 2001 * Software copyrighted by Graham Barr, (C) 1998 * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000 * Software copyrighted by Frodo Looijaard, (C) 1997 * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003 A copy of the license agreement for this software can be found at www.python.org * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002 * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G Siek (C) 1997-2000 University of Notre Dame * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002 * Software copyrighted by Stephen Purcell, (C) 2001 * Software developed by the Indiana University Extreme! Lab

( http://www.extreme.indiana.edu/ ) * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003 * Software developed by the University of California, Berkeley and its contributors * Software developed by Ralf S Engelschall < rse@engelschall.com > for use in the mod_ssl project (http:// www.modssl.org/ ) * Software copyrighted by Kevlin Henney, (C) 2000-2002 * Software copyrighted by Peter Dimov and Multi Media Ltd (C) 2001, 2002 * Software copyrighted by David Abrahams, (C) 2001,

2002 See http://www.boost.org/libs/bind/bind.html for documentation * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000 * Software copyrighted by Boost.org, (C) 1999-2002 * Software copyrighted by Nicolai M Josuttis, (C) 1999 * Software copyrighted by Jeremy Siek, (C) 1999-2001 * Software copyrighted by Daryle Walker, (C) 2001 * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002 * Software copyrighted by Samuel Krempp, (C) 2001 See

http://www.boost.org for updates, documentation, and revision history * Software copyrighted by Doug Gregor ( gregod@cs.rpi.edu ), (C) 2001, 2002 * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000 * Software copyrighted by Jens Maurer, (C) 2000, 2001 * Software copyrighted by Jaakko Järvi ( jaakko.jarvi@cs.utu.fi ), (C) 1999, 2000 * Software copyrighted by Ronald Garcia, (C) 2002 * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001 * Software copyrighted by Stephen Cleary ( shammah@voyager.net ), (C) 2000 * Software copyrighted by Housemarque Oy < http://www.housemarque.com >, (C) 2001 * Software copyrighted by Paul Moore, (C)

1999 * Software copyrighted by Dr John Maddock, (C) 1998-2002 * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999 * Software copyrighted by Peter Dimov, (C) 2001, 2002 * Software copyrighted by Jeremy Siek and John R Bandela, (C) 2001 * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002 * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992 * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003 * Software copyrighted by Sparta, Inc., (C) 2003-2004 * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004 * Software copyrighted by Simon Josefsson, (C) 2003 * Software copyrighted by Thomas Jacob, (C) 2003-2004 * Software copyrighted by Advanced Software Engineering Limited, (C)

2004 * Software copyrighted by Todd C Miller, (C) 1998 * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek


Contents

Preface
  Introducing McAfee Network Security Platform
  About this Guide
  Audience
  Conventions used in this guide
  Related Documentation
  Contacting Technical Support

Chapter 1 Introduction to McAfee Network Security Platform
  About the Network Security Manager
  Manager components
  Update Server

Chapter 2 About Network Security Central Manager

Chapter 3 Preparing for installation
  Pre-requisites
  General settings
  Other third-party applications
  Browser display settings (Windows)
  Server requirements
  Client system requirements
  Java Runtime Environment (JRE) requirement
  Database requirements
  Pre-installation recommendations
  Planning for installation
  Functional requirements
  Using anti-virus software with the Manager
  User interface responsiveness

Chapter 4 Installing and upgrading the Central Manager/Manager
  Installing the Manager
  Manager installation with Local Service account privileges
  Installing the Central Manager
  Sensor license types
  Adding a Sensor license
  Manually Assigning a Sensor License
  Java installation for client systems
  Updating or upgrading in Network Security Platform
  Upgrading your software
  Updating your signature set or Sensor software
  Adding a Sensor

Chapter 5 Working with Manager software
  Starting Network Security Manager
  Accessing Manager from a client machine
  Logging onto Network Security Manager
  Properly shutting down Network Security Manager services
  Starting Network Security Central Manager
  Logging onto Central Manager
  Properly shutting down Central Manager

Chapter 6 Authenticating Access to the Manager using CAC

Chapter 7 Uninstalling the Manager
  Uninstalling using Add/Remove Programs
  Uninstalling via script

Index


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

About this Guide

This guide provides step-by-step instructions for the successful installation of the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] interface software. When the McAfee Network Security Manager (Manager) software is installed on your target server, you can configure your security system by sending commands through the Manager to all installed McAfee® Network Security Sensors [formerly McAfee®

Audience

This guide is intended for use by network technicians and maintenance personnel who are responsible for installing, configuring, and maintaining the Manager and the McAfee Network Security Sensors (Sensors), but who are not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.

Conventions used in this guide

This document uses the following typographical conventions:

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER

Convention: Variable information that you must type based on your specific situation or environment is
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.

Related Documentation

• Getting Started Guide

• Administrative Domain Configuration Guide

• Sensor Configuration Guide

• IPS Configuration Guide

• System Status Monitoring Guide

• Central Manager Administrator's Guide

• Best Practices Guide

• Gigabit Optical Fail-Open Bypass Kit Guide

• Gigabit Copper Fail-Open Bypass Kit Guide

• Special Topics Guide—Sensor High Availability

• Special Topics Guide—Virtualization

• Special Topics Guide—Denial-of-Service

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support: http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at McAfee Contact Information.

CHAPTER 1

Introduction to McAfee Network Security Platform

This section provides a brief introduction to the components of the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] and the part it plays in the overall McAfee® Network Security Platform [formerly McAfee® IntruShield®]. The complete McAfee Network Security Platform is a combination of network appliances and software built for Network Access Control (NAC) as well as accurate detection and prevention of intrusions, denial of service (DoS) and distributed denial of service (DDoS) attacks, and network misuse. Network Security Platform combines real-time detection and prevention for the most comprehensive and effective network security system.

About the Network Security Manager

McAfee Network Security Manager (Manager) consists of hardware and software resources that are used to configure and manage your Network Security Platform deployment.

Note: From version 5.1.17.2 or above, you do not require a license file to use the Manager. For more details on licenses, refer to the Chapter Licensing in the Best Practices Guide.

Manager components

Manager is a term that represents the hardware and software resources that are used to configure and manage Network Security Platform. The Manager consists of the following components:

• One of the following hardware/OS server platforms (on page 2):

  - Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English

  - Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese

  - Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English. Note that this platform is supported only for fresh installations of Manager 5.1.11.22 or above.

• the Manager software (on page 2)

• a back end database (on page 3) to persist data (MySQL version 5.0.91)

• a connection to the McAfee® Network Security Update Server [formerly IPS Update Server] (on page 3)

Manager server platform

The Manager server is a dedicated Windows Server hosting the Manager software. You can remotely access the Network Security Platform user interface from a Windows XP or Windows 7 system using Internet Explorer 6.0, 7.0, or 8.0.

Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a Sensor Management port directly to the Manager server; however, this means you can only receive information from one Sensor (typically, your server has only one 10/100 network port). During Sensor configuration, described in the Sensor CLI Guide, you will establish communication between your Sensor(s) and your Manager server.

Manager software

The Manager software has a Web-based user interface for configuring and managing the Network Security Platform. Network Security Platform users connect to the Manager server from a Windows XP or Windows 7 system using the Internet Explorer browser program. The Network Security Platform user interface runs with Internet Explorer versions 6.0, 7.0, and 8.0. The Manager functions are configured and managed through a GUI application, the Network Security Platform user interface, which includes complementary interfaces for system status, system configuration, report generation, and fault management. All interfaces are logically parts of the Manager program.

Manager has five components:

Manager Home: The Manager Home page is the first screen displayed after the user logs on to the system. The Manager Home page displays Operational Status (that is, whether all components of the system are functioning properly), the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s). The Manager Home page is refreshed every 5 seconds by default.

Operational Status: The Operational Status page displays the status of Manager, database, and any deployed Sensors, including all system faults.

Configuration: The Configuration page provides all system configuration options, and facilitates the configuration of your Sensors, failover pairs of Sensors, administrative domains, users, roles, Network Access Control (NAC), attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management, is based on the current user's role(s) and privileges. For more information on NAC configuration, see NAC Configuration Guide.

Threat Analyzer: The Threat Analyzer page displays the hosts detected on your network as well as the detected security events that violate your configured security policies. The Threat Analyzer provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.

Reports: Users can generate reports for the security events detected by the system and reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or e-mailed to specific individuals.

Other key features of Manager include:

• The Incident Generator: The Incident Generator enables creation of attack incident conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Threat Analyzer tool.

For more information on Manager components, see Manager Server Configuration Guide.

• Integration with other McAfee products: You can integrate Network Security Platform with other McAfee products such as McAfee ePolicy Orchestrator (ePO), McAfee® Host Intrusion Prevention [formerly McAfee® Entercept], and so on. Network Security Platform then collaborates with these products to provide you with a comprehensive network security solution. For details, see Integration Guide.

• Integration with third-party products: Network Security Platform enables the use of multiple third-party products for analyzing faults, alerts, and generated packet logs.

• Fault/Alert forwarding and viewing: You have the option to forward all fault management events and actions, as well as IPS alerts, to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Faults and/or alerts can be forwarded in the following ways:

- Syslog Server: forward IPS alerts and system faults

- SNMP Server (NMS): forward IPS alerts and system faults

- Java API: forward IPS alerts

- Crystal Reports: view alert data from database via email, pager, or script

• Packet log viewing: view logged packets/flows using third-party software, such as Ethereal.

Manager database

The Manager server operates with an RDBMS (relational database management system) for storing persistent configuration information and event data. The compatible database is MySQL (current version 5.0.91).

The Manager server for Windows (only) includes a MySQL database that can be installed (embedded) on the target Windows server during Manager software installation.

Your MySQL database can be tuned on-demand or by a set schedule via Manager user interface configuration. Tuning promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer statistics, and checking and repairing tables.

To graphically administrate and view your MySQL database, you can download the MySQL administrator from the MySQL Web site: http://dev.mysql.com/downloads/gui-tools

Update Server

For your Network Security Platform to properly detect and protect against malicious activity, the Manager and Sensors must be frequently updated with the latest signatures and software patches available. Thus, the Network Security Platform team constantly researches and develops performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denials of service (DoS). When a

signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.

New signatures and patches are made available to customers via the McAfee Network Security Update Server (Update Server). The Update Server is a McAfee owned and operated file server that houses updated signature and software files for Managers and Sensors in customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention.

Note: Communication between Manager and the Update Server is SSL-secured.

Configuring software and attack signature updates

You configure interaction with the Update Server using the Manager Configuration page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as “Available” in the Manager interface for on-demand download. Once downloaded to the Manager, you can immediately download (via an encrypted connection) the update to deployed Sensors or deploy the update based on a Sensor update schedule you define. Acceptance of a download is at the discretion of the administrator.

You have a total of five update options:

Automatic update to Manager, manual update from Manager to Sensors: This option enables Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.

Manual update to Manager, automatic update from Manager to Sensors: This option enables the administrator to select updates manually, but once the update is selected, it is applied to the Sensors automatically, without reboot.

Fully manual update: This option allows the security administrator to determine which signature update to apply per update, and when to push the update out to the Sensor(s). You may wish to manually update the system when you make some configuration change, such as updating a policy or response.

Fully automatic update: This option enables every update to pass directly from the Update Server to the Manager, and from the Manager to the Sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.

Real-time update: This option is similar to fully automatic updating. However, rather than wait for a scheduled interval, the update is pushed directly from Update Server to Manager to Sensor. No device needs to be rebooted; the Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.

CHAPTER 2

About Network Security Central Manager

From release 4.1, McAfee® Network Security Platform [formerly McAfee® IntruShield®] provides a centralized, “manager of managers” capability, named McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command Center].

McAfee Network Security Central Manager (Central Manager) allows users to create a management hierarchy that centralizes policy creation, management, and distribution across multiple McAfee® Network Security Managers [formerly McAfee® IntruShield® Security Managers]. For example, a policy can be created in Central Manager and synchronized across all McAfee Network Security Managers (Managers) added to that Central Manager. This avoids manual customization of policy at every Manager. Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all Managers. McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor] configuration and threat analysis tasks are performed at the Manager level.

CHAPTER 3

Preparing for installation

This section describes the McAfee® Network Security Manager (Manager) hardware and software requirements and pre-installation tasks you should perform prior to installing the software.

Unless explicitly stated, the information in this chapter applies to both the McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command Center] and Manager, though the sections refer to Manager.

General settings

• McAfee recommends you use a dedicated server, hardened for security, and placed on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions.

• You must have Administrator/root privileges on your Windows server to properly install the Manager software and the embedded MySQL database for Windows Managers during Manager installation.

• It is essential that you synchronize the time on the Manager server with the current time. To keep time from drifting, use a timeserver. If the time is changed on the Manager server, the Manager will lose connectivity with all McAfee® Network Security Sensors (Sensors) and the McAfee® Network Security Update Server [formerly IPS Update Server] because SSL is time sensitive.

• If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds two minutes, communication with the Sensors will be lost.)

Tip: For more information about setting up a time server on Windows Server 2003 SP2, see the following Microsoft KnowledgeBase article: http://support.microsoft.com/kb/816042

Note: Once you have set your server time and installed the Manager, do not change the time on the Manager server for any reason. Changing the time may result in errors that could lead to loss of data.
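The check below is an added example, not part of the McAfee guide: it measures each Manager's clock offset with a minimal SNTP query and compares the Primary/Secondary difference with the 60-second and two-minute limits stated above. It assumes both Managers answer SNTP on UDP port 123; the host names in the comments are hypothetical and the sample replies are constructed.

```python
"""Check Manager clock skew against the MDR limits quoted in this guide."""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MDR_MAX_SKEW = 60.0           # guide: Primary/Secondary difference must stay below 60 s
MDR_LOSS_SKEW = 120.0         # guide: beyond two minutes Sensor communication is lost


def to_ntp(unix_ts):
    """Encode a Unix time as a 64-bit NTP timestamp (era 0, valid until 2036)."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * 2**32)
    return struct.pack("!II", (whole + NTP_EPOCH_DELTA) & 0xFFFFFFFF, frac)


def from_ntp(raw):
    """Decode a 64-bit NTP timestamp into Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return b"\x1b" + bytes(39) + to_ntp(t1)


def offset_from_reply(reply, t1, t4):
    """Return (server clock - local clock) in seconds.

    t1 is the local send time, t4 the local receive time.
    """
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if reply[1] == 0:
        raise ValueError("stratum 0: server is not synchronised")
    # The server must echo our transmit timestamp; rejects stale or blind replies.
    if reply[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    t2 = from_ntp(reply[32:40])  # server receive time
    t3 = from_ntp(reply[40:48])  # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2.0


def query_offset(host, timeout=3.0):
    """Query one host over UDP/123 and return its clock offset from this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)


def classify_skew(skew):
    """Map a clock difference in seconds onto the limits stated in the guide."""
    skew = abs(skew)
    if skew < MDR_MAX_SKEW:
        return "ok"
    if skew <= MDR_LOSS_SKEW:
        return "out-of-tolerance"
    return "sensor-communication-at-risk"


def mdr_skew(primary_offset, secondary_offset):
    """Difference between the two Managers, each measured against the same clock."""
    skew = abs(primary_offset - secondary_offset)
    return skew, classify_skew(skew)


def constructed_reply(t1, server_ahead, delay=0.25, stratum=2):
    """Constructed sample reply from a server whose clock is `server_ahead` s ahead."""
    t2 = t1 + delay + server_ahead
    header = bytes([0x1C, stratum]) + bytes(22)  # LI=0, VN=3, Mode=4
    return header + to_ntp(t1) + to_ntp(t2) + to_ntp(t2)


if __name__ == "__main__":
    # Offline demonstration with constructed replies. Against live systems use
    # query_offset("nsm-primary.example") and query_offset("nsm-secondary.example")
    # (hypothetical host names).
    t1, t4 = 1000.0, 1000.5
    primary = offset_from_reply(constructed_reply(t1, 45), t1, t4)
    secondary = offset_from_reply(constructed_reply(t1, -30), t1, t4)
    print("primary offset:", primary, classify_skew(primary))
    print("secondary offset:", secondary, classify_skew(secondary))
    print("primary vs secondary:", mdr_skew(primary, secondary))
```

In the constructed case each Manager is within 60 seconds of the reference clock, yet the two are 75 seconds apart, which is why the pair is compared directly rather than each against a time source.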


Other third-party applications

Install a packet log viewing program to be used in conjunction with the Threat Analyzer interface. Your packet log viewer, also known as a protocol analyzer, must support library packet capture (libpcap) format. This viewing program must be installed on each client from which you intend to remotely log onto the Manager and view packet logs.

Wireshark (formerly known as Ethereal) is recommended for packet log viewing. Wireshark is a network protocol analyzer for Windows servers that enables you to examine the data captured by your Sensors. For information on downloading and using Ethereal, go to http://www.wireshark.org

Browser display settings (Windows)

• The Manager is viewed via client browser session. Only Windows XP and Windows 7 clients are supported using Internet Explorer 6.0, 7.0, or 8.0. Both 32 and 64-bit Internet Explorer 8.0 are supported.

• Set your display to 32-bit or higher by selecting Start > Settings > Control Panel > Display > Setting, and configuring the “Colors” field to True Color (32bit).

• McAfee recommends setting your monitor’s “Screen Area” to 1024 x 768 pixels. This can be done by changing the display settings at: Start > Settings > Control Panel > Display > Settings

• When working with the Manager using Internet Explorer, your browser should check for newer versions of stored pages. By default, Internet Explorer is set to automatically check for newer stored page versions. To check this function, open your IE browser and go to Tools > Internet Options > General, click the Settings button under “Temporary Internet files” or “Browsing history” and under “Check for newer versions of stored pages:” select any of the four choices except for Never. Selecting Never will cache Manager interface pages that require frequent updating, and not refreshing these pages may lead to system errors.

Server requirements

The following are the system requirements for a Manager server running with a MySQL database.

Minimum Recommended

• Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English

• Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese

• Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English. Note that this platform is supported only from Central Manager/Manager 5.1.11.22 and above.

Note: For 64-bit, only X64 architecture is supported. For Japanese, only Central Manager/Manager of version 5.1.11.x and above are supported on 64-bit.

Any one of the following:

• Windows Server 2008 - R2, (64 bit) Standard Edition, English

• Windows Server 2003 R2 (Standard Edition), Japanese OS (64 bit)

Memory • 2GB or higher for 32-bit

requirement

cache

Monitor 32-bit color, 1024 x 768 display setting 1280 x 1024

Hosting the Manager on a VMware platform

The following are the system requirements for hosting Manager server on a VMware platform

Minimum Recommended

• Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English

• Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese

• Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English. Note that this platform is supported only for fresh installations of Manager 5.1.11.22 or above.

Note: For 64-bit, only X64 architecture is supported. For Japanese, only Central Manager/Manager of version 5.1.11.x and above are supported on 64-bit.

Same as the minimum requirement

Processors – 2; Logical Processors – 8; Processor Speed – 2.00GHz

Client system requirements

The following table contains the minimum system requirements that you need to access the Central Manager or the Manager from a client system.

Minimum

Windows 7

Both 32 and 64 bit Internet Explorer 8.0 are supported.

Note: Internet Explorer is the supported browser for all clients. Internet Explorer, by default, has pop-up blocking enabled. You must disable pop-up blocking to log on to the Manager or the Central Manager.

Java Runtime Environment (JRE) requirement

When you first log on to the Manager, you are prompted to install a version of JRE on the client machine (if it is not already installed). This version of the JRE software is required for operation of various components within Manager, including the Threat Analyzer and the User-Defined Signature Editor. Refer to the Release Notes for the current JRE version.

Note: If you are using both 32-bit and 64-bit Internet Explorer 8.0 to access the Manager from the same machine, then you are prompted to install the 32-bit as well as the 64-bit JRE.

Note: If you have a MySQL database previously installed on the target server, uninstall the previous version and install the Network Security Platform version.

Pre-installation recommendations

These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are a compilation of the information gathered from individual interviews with some of the most seasoned McAfee Network Security Platform System Engineers at McAfee.

Planning for installation

Before installation, ensure that you complete the following tasks:

• The server on which McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] software will be installed should be configured and ready to be placed online.

• You must have administrator privileges for the McAfee Network Security Manager (Manager) server.

• This server should be dedicated, hardened for security, and placed on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions.

• Make sure the server meets at least the minimum requirements as mentioned in Server requirements (on page 7).

• Make sure the Windows operating system required for this version of the Manager software is installed as defined by the system requirements in the version’s release notes. The same holds true for the Windows Operating System required for the client(s).

• Ensure the proper static IP address has been assigned to the Manager server. For the Manager server, McAfee strongly recommends assigning a static IP rather than using DHCP for IP assignment.

• If applicable, configure name resolution for the Manager.

• Ensure that all parties have agreed to the solution design, including the location and mode of all McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors], the use of sub-interfaces or interface groups, and if and how the Manager will be connected to the production network.

• Get the required license file and grant number. Note that you do not require a license file for using Manager/Central Manager version 5.1.17.2 or above.

• Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs. Ensure these are approved hardware from McAfee or a supported vendor. Ensure that the required number of Network Security Platform dongles, which ship with the McAfee Network Security Sensors (Sensors), are available.

• Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports.

• If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to mirror them.

• Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot assign IPs using DHCP.

• Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail relays, SNMP managers, and vulnerability scanners.

Functional requirements

Following are the functional requirements to be taken care of:

• Install Wireshark (formerly known as Ethereal; http://www.wireshark.com, http://www.wireshark.org) on the client PCs. Ethereal is a network protocol analyzer for Unix and Windows servers, used to analyze the packet logs created by Sensors.

• Ensure the correct version of JRE is installed on the client system, as described in the Release Notes. This can save a lot of time during deployment.

• Determine a way in which the Manager maintains the correct time. To keep time from drifting, for example, point the Manager server to an NTP timeserver. (If the time is changed on the Manager server, the Manager will lose connectivity with all Sensors and the McAfee® Network Security Update Server [formerly IPS Update Server] because SSL is time sensitive.)

• If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds two minutes, communication with the Sensors will be lost.)

• If you are upgrading from a previous version, we recommend that you follow the instructions in the respective version’s release notes or, if one is available for your release, the Upgrade Guide.

Using anti-virus software with the Manager

If you plan to install anti-virus software such as McAfee VirusScan on the Manager, be sure the Central Manager or Manager installation directory and its sub-directories are excluded from the anti-virus scanning processes. This is because the temporary files created in the installation directory may conflict with the anti-virus scanner. The anti-virus software may also delete essential MySQL files.

McAfee VirusScan and SMTP notification

From 8.0i, VirusScan includes an option (enabled by default) to block all outbound connections over TCP port 25. This helps reduce the risk of a compromised host propagating a worm over SMTP using a homemade mail client.

VirusScan avoids blocking outbound SMTP connections from legitimate mail clients, such as Outlook and Eudora, by including the processes used by these products in an exclusion list. In other words, VirusScan ships with a list of processes it will allow to create outbound TCP port 25 connections; all other processes are denied that access.

The Manager takes advantage of the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run VirusScan 8.0i or above, you must therefore add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within VirusScan, you will see a Mailer Unreachable error in the Manager Operational Status each time the Manager attempts to connect to its configured mail server.

To add the exclusion, follow these steps:

1. Launch the VirusScan Console.

2. Right-click the task called Access Protection and choose Properties.

3. Highlight the rule called Prevent mass mailing worms from sending mail.

4. Click Edit.

5. Append java.exe to the list of Processes to Exclude.

6. Click OK to save the changes.

User interface responsiveness

The responsiveness of the user interface, the Threat Analyzer in particular, has a lasting effect on your overall product satisfaction.

In this section we suggest some easy but essential steps to ensure that Network Security Platform responsiveness is optimal:

• During Manager software installation, use the recommended values for memory and connection allocation.

• You will experience better performance in your configuration and data forensic tasks by connecting to the Manager from a browser on a client machine. Performance may be slow if you connect to the Manager using a browser on the server machine itself.

• Perform monthly or semi-monthly database purging and tuning. The greater the quantity of alert records stored in the database, the longer it will take the user interface to parse through those records for display in the Threat Analyzer. The default Network Security Platform settings err on the side of caution and leave alerts (and their packet logs) in the database until the user explicitly decides to remove them. However, most users can safely remove alerts after 30 days.

Caution: It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge process will fragment the database, which can lead to significant performance degradation.

• Defragment the disks on the Manager on a routine basis, with the exception of the MySQL directory. The more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at least once a month.

Warning: Do NOT attempt to defragment the MySQL directory using an O/S defrag utility. To defragment MySQL tables, use the MySQL-specific utility myisamchk, available in the <mysqlinstallation>\bin directory.

• Limit the quantity of alerts to view when launching the Threat Analyzer. This will reduce the total quantity of records the user interface must parse and therefore potentially result in a faster initial response on startup.

• When scheduling certain Manager actions (backups, file maintenance, archivals, database tuning), set a time for each that is unique and is a minimum of an hour after/before other scheduled actions. Do not run scheduled actions concurrently.

CHAPTER 4

Installing and upgrading the Central Manager/Manager

This section contains installation instructions for the McAfee® Network Security Manager (Manager) software on your Windows server, including the installation of a MySQL database. Unless explicitly stated, the information in this chapter applies to both the McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command Center] and the Manager, though the sections refer to the Manager.

Caution: Close all open programs, including email, the Administrative Tools > Services window, and instant messaging to avoid port conflicts. A port conflict may cause the Manager program to incur a BIND error on startup, hence failing initialization.

Close any open browsers and restart your server after installation is complete. Open browsers may be caching old class files and cause conflicts.

IIS (Internet Information Server) and PWS (Personal Web Server) must be disabled or uninstalled from the target server.

The following are the high-level steps for installing and starting the Manager:

1. Prepare your target server for Manager software installation. See Preparing for installation (on page 6).

2. Install the Manager software. See Installing the Manager (on page 14).

3. Start the Manager program. During initial client login from the Manager server or a client machine, Java runtime engine software (provided) must be installed for proper program functionality. See Starting the Manager software (on page 30).

Installing the Manager

The steps presented are for installation of the Network Security Central Manager/Network Security Manager software on a Windows Server meeting the requirements mentioned in Server requirements (on page 7).

The following procedure prompts you to submit program and icon locations, including the location and access information of your database. Please read each step carefully before proceeding to the next.

Note 1: Ensure that the Pre-requisites (on page 6) have been met and your target server has been prepared before commencing installation.

Note 2: You can exit the setup program by clicking Cancel in the setup wizard. Upon cancellation, all temporary setup files are removed, restoring your server to its same state prior to installation.

Note 3: After you complete a step, click Next; click Previous to go one step back in the installation process.

Note 4: Unless specified during installation, Network Security Manager is installed

Note 6: This note is relevant if you are installing the Central Manager or the Manager on a 64-bit OS. Before you begin to install, make sure the Windows Regional and Language Options are configured accordingly. For example, if you are installing it on Windows Server 2003 R2 (Standard Edition), Japanese 64 bit OS, ensure that the Windows Regional and Language Options are configured for Japanese. If not, the Installation Wizard will treat the server as a 32-bit machine.

1. Log on to your Windows server as Administrator and close all open programs.

2. Insert the Manager CD-ROM into the appropriate drive or, if you downloaded the software, double-click the executable file. The Installation Wizard starts with an introduction screen.

Figure 1: Manager Installation Wizard - Welcome screen

Note: If the Installation Wizard does not automatically appear, locate and open the Network Security Platform CD-ROM in My Computer, then find and double-click the setup.exe file.

3. Confirm your acknowledgement of the License Agreement by selecting “I accept the terms of the License Agreement.” You will not be able to continue the installation if you do not select this option.

Figure 2: Manager Installation Wizard - License Agreement

4. Select the Manager type to choose installation of either Network Security Manager or Network Security Central Manager.

For an upgrade, Network Security Manager or Network Security Central Manager is displayed accordingly, and you cannot change it.

Figure 3: Select Manager type

Note: The Network Security Central Manager, once installed, cannot be converted to Network Security Manager and vice versa.

5. Choose a folder where you want to install the Manager software.

For a first-time installation, the default location is C:\Program Files\McAfee\Network Security Manager\App. For an upgrade, it is the same location as that of the earlier version.

Restore Default Folder: resets the installation folder to the default location.

Choose: Browse to a different location.

Caution: Installing the Manager software on a network-mapped drive may result in improper installation.

The Manager software cannot be installed to a directory path containing special characters such as a comma (,), equal sign (=), or pound sign (#).

Figure 4: Manager Installation Wizard - Choose Install Folder

6. Choose a location for the Manager shortcut icon:

In a new Program Group: enter the name for the new program folder where you want to place the Manager icon. “Manager” is the default.

In an existing Program Group: select an existing program folder from the list where you want to place the Manager icon.

The Create Icons for All Users option is automatically selected if you select a common program folder.

In the Start Menu: select to place the Manager icon in your Start menu.

On the Desktop: select to place the Manager icon on your Desktop.

In the Quick Launch Bar: select to place the Manager icon on your Quick Launch Bar.

Other: select a different Programs folder to place the Manager icon. The default is C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\Network Security Manager for Manager and C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\Network Security Central Manager for Central Manager.

Don’t Create Icons: skip the creation of the Manager icon. The Manager program is listed only within its directory folder.

Create Icons for All Users: select this if you want the Manager icon to be available to all users logging on to the Manager server (including users without Windows administrator privileges). This is similar to NT domain administration, where more than one user may log on to a workstation and use it with varying access roles.

Figure 5: Manager Installation Wizard - Choose Shortcut Folder

7. Set the following:

Database Type is displayed as MySQL.

A MySQL database is provided on the Manager CD-ROM for installation and use by Windows Manager servers only. You must use the provided MySQL version. The database must reside on the same server as the Manager.

Provide the database connection information as follows:

Database Name: Type a name for your database. It is recommended you keep the default entry of “lf” intact.

Database User: Type a user name for database-Manager communication; this account name is used by the Manager. This account enables communication between the database and the Manager. When typing a user name, observe the following rules:

- The MySQL database user name can be a combination of alphabets [both uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".

- The first character must be a letter.

- Do not use null or empty characters.

- Do not use more than 16 characters.

Database Password: Type a password for the database-Manager communication account. This password relates to the Database User account.

- The MySQL database password can be a combination of alphabets [both uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".

- Do not use null or empty characters.

Important: This password is not the root password for database management; the root password is added/entered in Step 9.

MySQL Installation Directory: Type or browse to the absolute location of your selected Manager database. For a first-time installation, the default location is: C:\program files\McAfee\Network Security Manager\MySQL. For upgrades, the default location is the previous installation directory. You can type or browse to a location different from the default.

Figure 6: Manager Installation Wizard - Customize Installation

8. Click Next.

Note: If you are creating a new database, Network Security Platform will ask you, through a pop-up window, to confirm that you really want to create a new database. Click Continue to continue with the installation.

Figure 7: New MySQL Installation

9. Type the root password for your database. If this is the initial installation, type a root password and then type it again to confirm. The MySQL Root Password is required for root access configuration privileges for your MySQL database.

• Use a combination of alphabets [both uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".

• Do not use null or empty characters.

Tip: For security reasons, you can set a MySQL Root Password that is different from the Database Password in Step 7.
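
The folder, user name and password rules from Steps 5, 7 and 9 can be checked before the wizard is run. The following Python check is an added example, not part of the McAfee guide or product; the function names and sample answers are hypothetical, and it assumes the special characters the guide lists are the complete allowed set.

```python
import re
import string
from pathlib import PureWindowsPath

# Special characters the guide lists for the MySQL user name and passwords.
# Assumption: the guide says "like", so treating this list as the complete
# allowed set is the conservative reading used here.
SPECIALS = "~`!@#$%-*_+[]:;,()?{}"
ALLOWED = re.compile("[A-Za-z0-9" + re.escape(SPECIALS) + "]+")
BAD_PATH_CHARS = ",=#"   # characters the install path must not contain


def check_db_user(name):
    """Violations of the Database User rules from Step 7."""
    if not name:
        return ["user name is empty"]
    problems = []
    if len(name) > 16:
        problems.append("user name is longer than 16 characters")
    if name[0] not in string.ascii_letters:
        problems.append("first character is not a letter")
    if not ALLOWED.fullmatch(name):
        problems.append("user name has a character outside the listed set")
    return problems


def check_password(label, value):
    """Violations of the password rules from Steps 7 and 9."""
    if not value:
        return [f"{label} is empty"]
    if not ALLOWED.fullmatch(value):
        return [f"{label} has a character outside the listed set"]
    return []


def check_install_path(path):
    """Violations of the install folder cautions from Step 5."""
    problems = [f"path contains '{c}'" for c in BAD_PATH_CHARS if c in path]
    # A UNC path is certainly a network location. A mapped drive letter
    # cannot be recognised from the string and must be checked on the host.
    if PureWindowsPath(path).drive.startswith("\\\\"):
        problems.append("path is on a network share")
    return problems


def preflight(answers):
    """Check one set of wizard answers; returns {field: [problems]}."""
    report = {
        "db_user": check_db_user(answers["db_user"]),
        "db_password": check_password("database password", answers["db_password"]),
        "root_password": check_password("root password", answers["root_password"]),
        "install_path": check_install_path(answers["install_path"]),
    }
    # Tip after Step 9: keep the root password distinct from the DB password.
    if answers["root_password"] == answers["db_password"]:
        report["root_password"].append("root password equals database password")
    return {field: p for field, p in report.items() if p}


if __name__ == "__main__":
    # Constructed sample answers, not values from the guide.
    sample = {"db_user": "1nsm user", "db_password": "Example-Pw1!",
              "root_password": "Example-Pw1!", "install_path": r"D:\NSM,prod"}
    for field, problems in preflight(sample).items():
        print(field, "->", "; ".join(problems))
```
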

Date posted: 14/03/2014, 20:20
