Document information

Title: McAfee® Network Protection: Industry-leading network security solutions
Institution: McAfee Inc.
Field: Network Security
Category: reports guide
Year published: 2010
Pages: 89
Size: 3.21 MB

McAfee®

Network Protection

Industry-leading network security solutions

McAfee® Network Security Platform Network Security Manager

version 5.1

COPYRIGHT

Copyright © 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas, (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek, (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd., (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
* Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University, (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.


Contents

Preface iv

Introducing McAfee Network Security Platform iv

About this Guide iv

Audience v

Conventions used in this guide v

Related Documentation vi

Contacting Technical Support vi

Chapter 1 Report Generation 1

Reports Main page 1

Localization of Reports 2

Next Generation Reports 5

Next Generation Saved Reports 5

Traditional-Configuration Reports 14

Saving Configuration Reports 16

ACL Assignments Report 16

ACL Definitions Report 18

Admin Domain and Users Report 18

Alert Filters Report 20

Faults Report 21

Integration Summary Report 22

Intrusion Policy Report 26

IPS Configuration Summary Report 27

IPS Policy Assignment Report 32

IPS Policy Details Report 33

IPS Sensor Report 34

Manager Report 35

NAC Configuration Summary Report 38

NAC Sensor Report 39

Performance Monitoring - Admin Domain Configuration Report 41

Performance Monitoring - Sensor Configuration Report 42

Reconnaissance Policy Report 43

Rule Set Report 44

Traffic Management Report 45

User Activity Report 48

Version Summary Report 50

Traditional-IPS Events Reports 51

Big Movers Report 52

Executive Summary Report 53

Reconnaissance Attacks Report 56

Top N Attacks Report 58

Trend Analysis Report 61

User Defined Report 65

Templates Reports 69

Scheduling of Reports 71

Scheduling a Report 72

Edit scheduled report settings 75

Edit the recipient list for scheduled reports 77

Sent Reports 77

General Settings 79

Add a Report Recipient 80

Index 81

Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee Network Security Platform

McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

About this Guide

This guide describes how to use the Network Security Platform Reports generation feature to produce different kinds of reports, be they configuration reports or IPS reports.

The Configuration Reports are based on specific types of information like the configuration of the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager], policies, alerts, and summaries of current McAfee Network Security Manager (Manager) and McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor] software versions. These reports provide an updated result of the different configurations set on the Manager and McAfee Network Security Sensors (Sensors).

The IPS reports provide details of alerts generated by Sensors as well as Host Intrusion Prevention Sensors. They are basically summaries generated with data like attack name, attack type, time of alert and IP address.

Scheduled reports contain an action that enables you to automate report generation. Thus, you can create reports that recur at specific time spans.

The reports can be generated on a daily, monthly, and weekly basis. Several formatted reports are provided for simple information gathering.

This guide is organized into:

 Configuration Reports (on page 14): provides information on the settings configured using the Configuration page and scheduling of reports.

 IPS Reports (on page 51): details the network alerts generated by your Network Security Platform sensors as well as those sent via Host Intrusion Prevention integration. Provides information on how to schedule reports and automatically generate them.

Audience

This guide is intended for use by network technicians responsible for maintaining the Manager and analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationship between tasks, and the commands necessary to perform particular tasks.

Conventions used in this guide

This document uses the following typographical conventions (each convention is followed by an example):

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: 1 On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

Related Documentation

The following documents and on-line help are companions to this guide. Refer to the Quick Tour for more information on these guides.

 Quick Tour

 Manager Installation Guide

 4.1 to 5.1 Upgrade Guide

 Getting Started Guide

 IPS Deployment Guide

 Manager Configuration Basics Guide

 Administrative Domain Configuration Guide

 Manager Server Configuration Guide

 Sensor CLI Guide

 Sensor Configuration Guide

 IPS Configuration Guide

 NAC Configuration Guide

 Integration Guide

 System Status Monitoring Guide

 User-Defined Signatures Guide

 Central Manager Administrator's Guide

 Best Practices Guide

 Troubleshooting Guide

 I-1200 Sensor Product Guide

 I-1400 Sensor Product Guide

 I-2700 Sensor Product Guide

 I-3000 Sensor Product Guide

 I-4000 Sensor Product Guide

 I-4010 Sensor Product Guide

 Gigabit Optical Fail-Open Bypass Kit Guide

 Gigabit Copper Fail-Open Bypass Kit Guide

 Special Topics Guide—In-line Sensor Deployment

 Special Topics Guide—Sensor High Availability

 Special Topics Guide—Virtualization

 Special Topics Guide—Denial-of-Service

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online

Contact McAfee Technical Support: http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at McAfee Contact Information.

Figure 1: Accessing Reports from the homepage

1 Click to access the Reports main page.

Access to the Reports Main page is based on user roles. By definition, report generation is available for the Super User, Security Expert, and Operator roles. Access is also restricted by admin domain; for example, a user with access to a child domain only cannot view data or templates that require root or higher-level domain access.

Reports Main page

Clicking Reports from the Manager Home page opens the Reports Main page.

The following options are available on the Reports Main page:

 Next Generation (on page 5): generate customized reports. You can choose the type of data to base the report on, the fields that you would like to display, whether to display data in a table, bar chart, or pie chart, etc.

 Traditional Reports: generate reports based on pre-defined conditions. You can generate traditional reports under two categories: Configuration and IPS.

 The Traditional-Configuration (on page 14) reports are based on specific types of information like the configuration of the Manager, policies, alerts, and summaries of current Manager and Sensor software versions. These reports provide an updated result of the different configurations set on the Manager and Sensors.

 The Traditional-IPS Events (on page 51) reports provide details of alerts generated by Network Security Sensors as well as Host Intrusion Prevention Sensors. They are basically summaries generated with data like attack name, attack type, time of alert and IP address.

 Scheduled (on page 71): schedule a report to run automatically and mail it to recipients on a daily or weekly basis.

 Sent Reports (on page 77): view a list of reports generated and mailed to recipients.

 General Settings (on page 79): edit the report header and footer, the schedule for running the report, the recipient list for sending the generated reports, etc.

Figure 2: Reports main page

The report generation time is the time displayed when a report generation is initiated. This is displayed according to the time zone.

Note: Click Back to navigate to the Reports Main page from a generated report page. You can view reports in Japanese, Korean, Chinese Simplified, and Chinese Traditional. For more information, see Localization of Reports (on page 2).

You can select the language in the Language field in the Reports Main page. The Reports Main page is displayed in English the first time you access it. Subsequently, it is displayed in the language that you last chose.

Figure 3: Language field in the Reports Main page

Note 1: If you are accessing the Manager from a client machine, you need to install East Asian characters; otherwise such characters in the reports appear as square boxes or question marks. To install the East Asian characters, go to Settings -> Control Panel -> Regional and Language Options -> Languages -> select "Install files for East Asian languages", install "Asian Language Characters" and then restart the machine.

Note 2: To view the PDF version of the localized reports, you need the required fonts in your Acrobat Reader. The first time you attempt to view the PDF version, Acrobat Reader attempts to update with the required fonts.

You can specify the language for the recipients of scheduled reports, and the scheduled reports are generated in those languages. For example, if you have scheduled the Executive Summary Report with 5 recipients (one recipient for each language, including English), then this report is generated in all 5 languages at the specified time and the appropriate version is emailed to each recipient. That is, the Japanese recipient receives the Japanese version of the report.

The data retrieved from the database is displayed in the language in which it is stored in the database, and this data is independent of the language that you choose in the Reports Main page. For example, if a saved report was generated in English, you cannot view it in Japanese by choosing Japanese in the Reports Main page. To do this, you need to add another recipient for this report with the language set to Japanese.

Figure 4: Language field in the Add Recipient page

In the following pages, you can enter text in the language that you had chosen:

 Add Report Template (Description)

 Edit Report Template (Description)

 Add Recipient (First Name and Last Name)

 Edit Recipient (First Name and Last Name)

The following table provides the extent of localization in the Reports module:

Category                                              Extent of Localization
User-configurable data retrieved from the database    Not localized
Data that is not user-configurable                    Fully localized
Informational messages                                Fully localized
Help and Documentation                                Available in English only
Text in charts and graphs                             Partially localized
Numeric, monetary, and metric                         Partially localized
Data input through keyboard                           Partially localized

Next Generation Reports

The Next Generation report option allows you to generate customized reports. You can make selections such as the type of data to base the report on and the format in which you want the data to be presented, such as a table, bar chart, or pie chart. From a list of fields that are applicable for a report, you can select the fields that you wish to display; you can also specify the conditions that must be met to include the information for those fields in the report.

You can then save the query that you have just built for later use. You can also generate the report immediately or schedule it to run automatically by setting options like the period to be considered for displaying data, report output format, etc.

Next Generation reports can be generated from the Reports menu in the Manager.

When you select the Reports menu in the Manager Home page, the Next Generation page displays the Saved Reports in the left pane by default.

Figure 5: Next Generation Page

Next Generation Saved Reports

The Saved Reports pane lists three types of saved reports:

McAfee Default Report: These are reports that are listed by default; they can only be duplicated and run, not edited or deleted.

Derived from “{report name of McAfee Default Report}”: These are reports that are duplicates of a McAfee Default Report. They have the Duplicate, Edit, Run and Delete options, but editing them allows the user to change only the data filter.

User Defined Report: These are reports which are created when you click New from the main screen of Next Generation Report.

Next Generation Default Reports

The Next Generation Default reports available under Saved Reports are:

Default - Attack URL Info: A list of URL information of the attacks.

Default - IPS Quarantine History: A list of hosts in quarantine because they have attempted an intrusion.

Default - High Sensor Throughput Utilization: Status of the Sensor throughput utilization threshold.

Default - High Sensor TCP / UDP Flow Utilization: Status of TCP/UDP flow utilization.

Default - Top 10 Attacks: The top 10 attacks by attack count.

They are generated from the query structure illustrated below:

Select Col1, Col2               - Presentation
from table                      - Data Source
where (Condition Expression)    - Data Filter
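The query structure above maps onto the three wizard steps the guide walks through later (Data Source, Presentation, Data Filter). The following Python model is an added example, not McAfee code: it assembles such a report query from those three parts and renders it as a parameterized SQL statement so that filter values never become part of the SQL text. The backing table names, column names and sample alert rows are hypothetical.

```python
"""Model of the Next Generation report query structure shown in the guide:
    Select Col1, Col2             -> Presentation
    from table                    -> Data Source
    where (Condition Expression)  -> Data Filter
Added illustration, not McAfee code; table and column names are hypothetical.
"""
import re
import sqlite3
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical backing table per data source named in the guide, plus the
# display order the guide states (Alert table descending, Host Event table
# ascending). The guide states no order for Sensor Performance, so none.
DATA_SOURCES = {
    "Alert information": ("alerts", "DESC"),
    "Host Event": ("host_events", "ASC"),
    "Sensor Performance": ("sensor_perf", None),
}
ALLOWED_OPS = {"=", "!=", "<", ">", "<=", ">=", "LIKE"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name: str) -> str:
    """Only plain identifiers reach the SQL text; filter values never do."""
    if not IDENT.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return name


@dataclass
class Condition:
    column: str   # e.g. "sensor", the Sensor filter parameter in the guide
    op: str
    value: object


@dataclass
class ReportQuery:
    data_source: str           # one of DATA_SOURCES
    presentation: List[str]    # columns chosen in the Presentation step
    data_filter: List[Condition] = field(default_factory=list)

    def add_condition(self, cond: Condition) -> None:
        """The '+' option in the Data Filter pane."""
        if cond.op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator: {cond.op!r}")
        self.data_filter.append(cond)

    def remove_condition(self, index: int) -> None:
        """The '-' option in the Data Filter pane."""
        del self.data_filter[index]

    def to_sql(self) -> Tuple[str, list]:
        """Render as a parameterized statement; returns (sql, params)."""
        table, order = DATA_SOURCES[self.data_source]
        cols = ", ".join(_ident(c) for c in self.presentation)
        sql = f"SELECT {cols} FROM {_ident(table)}"
        params: list = []
        if self.data_filter:
            clauses = []
            for cond in self.data_filter:
                clauses.append(f"{_ident(cond.column)} {cond.op} ?")
                params.append(cond.value)
            sql += " WHERE (" + " AND ".join(clauses) + ")"
        if order:  # sorting on the first presented column is an assumption
            sql += f" ORDER BY {_ident(self.presentation[0])} {order}"
        return sql, params


def sample_db() -> sqlite3.Connection:
    """Constructed sample alert rows standing in for the Manager database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (attack_name TEXT, attack_url TEXT, "
        "admin_domain TEXT, sensor TEXT, interface TEXT)"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", [
        ("HTTP: Long Header", "/index.html", "My Company", "sensor-1", "1A-1B"),
        ("HTTP: Unusual URI Encoding", "/docs/", "My Company", "sensor-1", "2A-2B"),
        ("HTTP: Missing Host Header", "/", "My Company", "sensor-2", "1A-1B"),
    ])
    return conn


def run_report(conn: sqlite3.Connection, query: ReportQuery) -> List[tuple]:
    """Execute a saved query, as Run Once does in the wizard."""
    sql, params = query.to_sql()
    return conn.execute(sql, params).fetchall()


def attack_url_info_for_sensor(conn: sqlite3.Connection, sensor: str) -> List[tuple]:
    """A duplicate of 'Default - Attack URL Info' whose data filter is
    narrowed to one Sensor, as in the Creating a Duplicate Report procedure."""
    query = ReportQuery("Alert information", ["attack_name", "attack_url"])
    query.add_condition(Condition("sensor", "=", sensor))
    return run_report(conn, query)


if __name__ == "__main__":
    db = sample_db()
    for row in attack_url_info_for_sensor(db, "sensor-1"):
        print(row)
```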

Creating a Duplicate Report

To generate a duplicate report:

1 Select a report to be duplicated from the Saved Reports.

2 Click Duplicate.

Figure 6: Reports main page

3 Type the name of the duplicate report in the Name field.

4 Click OK.

Figure 7: Duplicate report displayed under Saved Reports

Now, the name of the duplicate report is included under Saved Reports.

5 Click Edit to define the parameters to be used for generating the report.

For example, if you are creating a duplicate Default - Attack URL Info report, you can choose to filter data based on the following parameters:

 Admin Domain

 Sensor

 Interface

6 Click Save.

Generating Next Generation User Defined Report

You can create a new report with a choice of data source, presentation and filter.

1 To create a new report, select New. This option can be seen in the bottom left corner of the Next Generation page.

Figure 8: New Reports - Data source selection

You need to select the data sources for the report. Data sources represent the database tables from which information is retrieved to generate the report. There are three selection options for data sources: Alert information, Host Event and Sensor Performance.

1 Click Next to set the display options for the report. The report can be displayed as a Table, Bar Chart or Pie Chart.

Figure 9: Display options for new Report

2 Select the columns of choice that you want to include in the report output by selecting rows in the left panel.

Figure 10: New Report - Data source page

3 Select a row in the left panel to view the Data Filter options.

Figure 11: New Report - Data filter setting

You can enhance the filter options for the fields selected in step 4 from the Data Filter options. Use the + and - options to add or delete conditions.

When you finish the selections, you can save your report query using Save. You can also run the report directly without saving by clicking the Run Once option.

Figure 12: Saving a Flexible Report

4 In the Save Query page, you need to enter a Name and Description for the Query. You can also select the following options in the Save Query:


 Automate Report Generation

 Report Frequency

 Events to Display

 Report Format

5 Select Finish to save the query.

6 The report is saved and displayed in the Saved Reports section of the Next Generation page.

7 Select the report, and then click Run Once to view the Run Query.

Figure 13: Run options for the new Report

8 In the Run Query, enter the Data Options and the Report Format. Click Run to run the report query. The generated report is displayed in the selected report format.

Figure 14: New Report - Bar chart selection output

When the Bar Chart display option is selected, the output contains both the bar chart and the table. If you select the Pie Chart option, the pie chart and the table are displayed. If there are no alerts, only the table is displayed.

Data Display Order:

Alert table
  Data is displayed in descending order
  Data is displayed in descending order
  Data is displayed in ascending order

Host Event table
  Data is displayed in ascending order
  Data is displayed in ascending order
  Data is displayed in ascending order

Once the User Defined Report is saved, you cannot change its data source.

Generating a period specific report on Sensor performance

Follow this procedure to generate a period-specific Next Generation report on Sensor performance.

1 Select the Reports icon from the Manager Home page.

2 Click Next Generation.

3 Click New at the bottom of the left pane.

4 Select the Hourly radio button under Sensor Performance in the data source page. Daily, Weekly and Monthly period-specific reports can be generated by selecting the Daily, Weekly or Monthly radio buttons.

Figure 15: Hourly Data Source Selection

5 Click Next.

6 Click Table under display options (the only option for this report) and click Next.

Figure 16: Sensor Performance Report - Table Display Option

7 Click the desired fields in the Available Fields pane to move them to the Selected Fields pane. (You can click the left/right arrow buttons on each column to change the position of the column. You can click the X button on each column to remove the column.) Click Next.

Figure 17: Data Source - Selected Fields for Report

8 Click the properties listed in the left pane and move them to the right pane to reduce the quantity of information shown in the report. Click Run Once to run the report, or click Save to save the report.

Figure 18: Data Source with Property Selection

9 Select one of the Data Options (either query for the day, between two dates, or for a selected period in the past). Select the report format (HTML, PDF, Save as CSV or Save as HTML) and click Run.

Figure 19: Next Generation Report - Run Query Choices

10 The hourly report is generated.

Figure 20: New User Defined Report

Traditional-Configuration Reports

Traditional-Configuration Reports are based on pre-defined conditions and detail your system configuration settings.

You can generate these reports to view your current software and signature versions, the configuration and status of a McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor], policy settings, and so forth. The report generation time is the time displayed when a report has been executed. This is displayed according to the time zone.

Several pre-formatted reports are provided for simple information gathering.

Figure 21: Configuration Reports

The available configuration reports are:

 ACL Assignments Report (on page 16): provides a detailed view of the ACL rules and ACL groups that are created and applied at the Sensor, interface and sub-interface levels.

 ACL Definitions Report (on page 18): provides a detailed view of the ACL rules configured for one or more McAfee Network Security Sensors (Sensors).

 Admin Domain and Users Report (on page 18): information on the admin domains and users controlled through your Manager.

 Alert Filters Report (on page 20): information on all of the alert filters available for policy application.

 Faults Report (on page 21): information on Manager and Sensor fault logs.

 Integration Summary Report (on page 22): provides a summary of the configurations made in the Manager to integrate with other McAfee products such as ePO and Vulnerability Manager.

 Intrusion Policy (on page 26): provides a detailed view of the policies—Exploit, Reconnaissance, and DoS—applied to one or more admin domains.

 IPS Configuration Summary Report (on page 27): provides a detailed view of the IPS configuration settings made by the user.

 IPS Policy Assignment Report (on page 32): provides a detailed view of the IPS policies available for application.

 IPS Policy Details Report (on page 33): provides a detailed view of the IPS policies available for application.

 IPS Sensor Report (on page 32): information on the policies applied to one or more Sensors.

 Manager Report (on page 35): configuration information related to the notification mail server, proxy server, and MDR.

 NAC Configuration Summary Report (on page 38): gives the details of the NAC configuration at the admin domain level.

 NAC Sensor Report (on page 39): gives the details of the NAC configuration on the Sensor monitoring ports.

 Performance Monitoring - Admin Domain Configuration Report (on page 41): displays information on the admin domain-wise configuration made in the Manager.

 Performance Monitoring - Sensor Configuration Report (on page 42): displays information on Sensor configuration settings made in the Manager.

 Reconnaissance Policy Report (on page 43): information on all the Reconnaissance policies available for application.

 Rule Set Report (on page 44): information on all of the rule sets available for application.

 Traffic Management Report (on page 45): details the traffic management configuration information for each port on one or more Sensors.

 User Activity Report (on page 48): information on the actions performed by Network Security Platform users.

 Version Summary Report (on page 50): information on the versions of software and signatures in use.

Note: For more information on IPS Reports, see the IPS Reports (on page 51) section.

Saving Configuration Reports

To save a Configuration Report, select the Output Format: HTML, PDF, Save as CSV, or Save as HTML. You can then click Save and specify a location where to save the file.

If you select PDF, a PDF file displays on the Report page. You need Adobe Acrobat 7.0 or later to view reports in PDF. The recommended viewing size for the PDF version of a report is “Actual Size” or 100%. If you want to save the PDF of a report, McAfee recommends customizing the file name for later recognition. If you want to keep the generated file name, check the length of the name. If you had de-selected Day/Time Detected from the Fields of Interest section of a report generation template, the default file name would be “ViewReport.pdf.”

If you select Save as CSV, a dialog box displays prompting you for the file name and location. Specify an appropriate file name and location and click Save to save the report in CSV format. You can open or view the file using Microsoft Excel.

ACL Assignments Report

The ACL Assignments Report provides a detailed view of the ACL rules and the IP spoofing enablement status configured for one or more Sensors.

To generate an ACL Assignments Report, do the following:


1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > ACL Assignments.

Figure 22: Sensor ACL Configuration Report Options

3. Select one or more Sensors.

Tip: Sensor ACL Reports can be very long when multiple Sensors are selected. McAfee recommends selecting a single Sensor for ease of readability.

4. Select one or more of the following, based on what information you want to see in the report:

Anti-spoofing: Lists all anti-spoofing rules for the selected Sensor.

Sensor Level Rules: Lists the ACL rules, both inbound and outbound, configured at the Sensor level.

Port Level Rules: Lists the ACL rules, both inbound and outbound, configured at the port or interface level.

Local Level Rules: Lists the ACL rules, both inbound and outbound, configured at the local or sub-interface level.

5. Select the Output Format.

6. Click Submit. The generated information is separated by the direction of traffic (inbound versus outbound) for which ACL rules have been configured.

Figure 23: Sensor ACL Configuration Report


ACL Definitions Report

The ACL Definitions Report provides a detailed view of the ACL rules and ACL groups that are created and applied at the Sensor, interface, and sub-interface levels.

To generate an ACL Definitions Report, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > ACL Definitions.

Figure 24: ACL Report Options

3. Select a domain from the Admin Domain list.

4. Select one or more ACL Names or an ACL Group from the list.

5. Select the Output Format.

6. Click Submit.

Figure 25: ACL Report Result

Admin Domain and Users Report

The Admin Domain and Users Report provides information on the admin domains and users created and configured using the Manager. The information presented reflects the basic settings for each resource (admin domain and user).

To generate an Admin Domain and Users Report, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > Admin Domains and Users.

3. Click Submit.


Figure 26: Admin Domain Configuration Report

The field descriptions for each table in this report are as follows:

Admin Domain Information

• Name: Name of an admin domain.

• Contact Information: The name and email of the main user to contact for the domain.

• Child Admin Domain Allowed?: Whether a child domain can be configured for the domain. A tick mark indicates that child domain configuration is allowed. For the root admin domain, this is always allowed.

• Add Sensor Allowed?: Whether a Sensor can be added to the domain. A tick mark indicates that Sensors can be added to the domain. For the root admin domain, this is always allowed.

User Information

• Name: Name of a user.

• Contact Information: Email address for the user.

• Creator Domain: The admin domain where the user was created.

• Login ID: The user’s ID for logging into the Manager.

• Role(s): The user’s role(s), with the corresponding domains in parentheses.

SNMP Forwarder Information

• Admin Domain: All current domains.

• Notification Type: The type of data to deliver, either Alert or Fault.

• IP Address: The address of the target SNMP server.

• Destination Port Number: The target server’s SNMP listening port.

• SNMP Version: The version supported by your SNMP server. Version options are


• Admin Domain: All current domains.

• Syslog Forwarder Enabled: Whether the syslog forwarder has been enabled or disabled.

• Child Domain Notification Enabled: Whether child domain notification has been enabled.

• Syslog Server: The syslog server that is enabled.

• Port: The port to which syslog messages are forwarded.

• IPS Quarantine Enabled: Whether IPS Quarantine is enabled or disabled.

Alert Filters Report

The Alert Filters Report provides a detailed view of the alert filters available for application. Alert filter information includes the address exclusion information configured for each user-customized filter.

To generate a report displaying all current Alert Filter Editor filters, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > Alert Filters.

Figure 27: Alert Filter Report Options

3. Select an Admin Domain.

4. Select one or more Alert Filters. This drop-down displays the filters applied to the selected admin domain as well as the filters applied to its parent domains. However, for the parent-domain filters to be displayed in this list, they must be visible to their child domains. For more information, see Adding an Alert Filter, Administrative Domain Configuration Guide.

5. Select the Output Format.

6. Click Submit.

Figure 28: Alert Filter Report


Faults Report

The Faults Report enables you to see the details of Sensor and Manager faults that have occurred in the past. Reports can be generated based on the fault name, its creation time, its fault severity, or the Sensor ID.

To generate a Faults Report, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > Faults.

3. Specify the following to narrow down the scope of your report:

Figure 29: Configure Fault Log

Fault Source: Choose Sensor and/or Network Security Platform Manager to find faults on your Sensor and/or Manager, respectively.

Admin Domain: Choose an admin domain on which to run the report. This is enabled only if the selected Fault Source is Sensor.

Include Child Admin Domains: Select this to include child admin domains as part of the fault log report. This is enabled only if the selected Fault Source is Sensor.

Sensor: Choose one or all Sensors on which to run the report. If you have selected Include Child Admin Domains, Sensors in the child admin domains of the selected admin domain are also displayed.

Fault Severity: Choose one or more of the following:


Select Faults for this day (yyyy/mm/dd): Displays faults for a selected day.

Select Faults between these dates (yyyy/mm/dd hh:mm:ss): Displays faults between the Begin Date and the End Date.

Select Faults in the past: Displays faults for the specified period, ending at the specified time. The default is the current time.

Note: Faults with a creation date earlier than the Begin Date may be displayed too; this means that the particular fault had occurred before the Begin Date and re-occurred between the Begin and End Dates.

Report Format

Organized by: Specify how you want the information to be organized in the report. The choices are Severity, Fault Name, Sensor, or Create Time. For example, if you choose Severity, then the information is organized by fault name in reverse alphabetical order. Create Time is the fault generation time.

4. Click Run Report to generate the report.

Figure 30: Fault Log Report

Note: Only 5000 faults can be processed for a report. If more than 5000 faults are involved, a note is displayed recommending that you narrow down the scope of your report.

Integration Summary Report

The Integration Summary Report provides a summary of the configurations made in the Manager to integrate with other McAfee products such as ePO and Vulnerability Manager.


To generate an Integration Summary Report, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > Integration Summary.

3. Select the Output Format.

4. Click Submit.

Figure 31: Integration Summary Report

The Integration Summary Report displays the following details:

1. ePO Integration

2. Vulnerability Manager Configuration

3. Scan Engine Settings

4. Database Settings


5. Relevance Details

6. Manual Scan Reports

7. Database Settings

8. Automated Vulnerability Manager Scan

9. Host Intrusion Prevention

ePO Integration

The integration between the Manager and the ePO server is done with the help of an extension file. After the installation of the extension file, the details are listed in this report, and its fields are described in the following table:

Field Name: Description

Admin Domain: The selected admin domain for which the summary report is generated.

Details: Host Quest: Displays details of the Host Quest, which can be enabled or disabled.

Mouse-over Host Summary: Displays mouse-over details of the Host Summary, which can be enabled or disabled.

Server Name/IP Address: The name or the IP address of the ePO server running the extension file. Note that this ePO server should have the details of the hosts covered by the admin domain. Contact your ePO administrator for the server name and IP address.

Server Port: The HTTPS listening port on the ePO server that is used for the Manager-ePO communication. Contact your ePO administrator for the port number.

User Name: The username used when connecting to the ePO server. McAfee recommends that you use a local ePO user account with View-only permissions.

Note: For more information on ePO, refer to the ePO documentation.

Vulnerability Manager Configuration

The Vulnerability Manager configuration settings allow the Manager to connect directly to the Scan engine servers and database. Enabling Vulnerability Manager scanning is the first step in configuring Vulnerability Manager from the Manager.

Note: For more information on Vulnerability Manager configuration, refer to the Vulnerability Manager documentation.

Scan Engine Settings

The Scan engine is the component of the Vulnerability Manager system that scans the hosts in your network for vulnerabilities.

The Network Security Platform-Vulnerability Manager integration supports two versions (6.7 and 6.8) of the Scan engine. In the Manager, configuration settings for the scan engine include the engine version and the login credentials for the scan engine server. The Manager uses these settings to initiate vulnerability assessment scans from Threat Analyzer.


Relevance Details

Relevance analysis is the analysis of the vulnerability relevance of real-time alerts, using the vulnerability data imported into the Manager database.

Manual Scan Reports

The details of the manually scanned reports are displayed in this report, and its fields are described in the following table:

Field Name: Description

File Name: Name of the report file.

Report Type: This can be plain text, XML, or Network Security Platform format.

Description: Description of the report file.

Scan Time: Time of the Vulnerability Manager scan.

State: This field shows the completion status of the Vulnerability Manager scan. For example, the scan status can be queued, complete, retrieved, etc.

Automated Vulnerability Manager Scan Reports

The details of the automated scan reports are displayed in this report, and its fields are described in the following table:

Field Name: Description

Organization or Work Group: These two fields are created on the Vulnerability Manager side and are used to scan.

Scan Name: The name of the scan organization or workgroup.

Description: The details of the scanned file.

Host Intrusion Prevention

The details of prevented intruders are displayed in this report, and its fields are described in the following table:


Field Name: Description

Description: The details of the intruder.

Intrusion Policy Report

The Intrusion Policy Report provides a detailed view of the policies—Exploit, Reconnaissance, and DoS—applied to one or more admin domains. Policy information includes severity, responses, thresholds, notifications, and other information configured for each attack, whether from a pre-configured or a user-customized policy. You can also view the rule set, alert filter, and DoS ID settings for all of the policies applied within an admin domain. The “Customized Attacks” option consolidates all user-customized attacks into one section for easy viewing.

To generate an Intrusion Policy Report for an admin domain, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > Intrusion Policy.

Figure 32: Admin Domain Policy Configuration Report Options

3. Select an Admin Domain.

4. Select one or more of the following, based on what information you want to see in the report:

• IPS Policy Detail


Figure 33: Admin Domain Policy Configuration Report

IPS Configuration Summary Report

The IPS Configuration Summary Report provides a detailed view of the IPS configuration settings made by the user. This includes SNMP Forwarder Information, Alert Syslog Forwarder Information, ACL Syslog Forwarder Information, Alert Filter Details, IPS Quarantine Information, Network Objects, Network Access Zones, Syslog Forwarding, Remediation Portal, and IPS Settings. The report can be displayed for any selected admin domain in HTML, PDF, or CSV format.

To generate a report displaying a summary of IPS configuration settings, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > IPS Configuration Summary.

Figure 34: IPS Configuration Summary Report Options

3. Select an Admin Domain.

4. Select the Output Format.

5. Click Submit.

Figure 35: IPS Configuration Summary Report

For the selected Admin Domain, the IPS Configuration Summary Report gives the following IPS configuration details:

SNMP Forwarder Information

SNMP Forwarder Information specifies the server to which alert information is sent from the Manager. You can configure more than one SNMP server to which you want to send alert messages. The field details are described in the following table:


Field Name: Description

IP Address: IP address of the target SNMP server, which can be an IPv4 or IPv6 address.

Destination Port Number: The target server's SNMP listening port.

SNMP Version: Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

SNMP Forwarder Information: The SNMP server to which you want to send alert messages.

Alert Syslog Forwarder Information

Alert Syslog Forwarder Information enables the forwarding of Network Security Platform alerts to a Syslog server. Syslog forwarding enables you to view the forwarded alerts from a third-party Syslog application. The field details are described in the following table:

Field Name: Description

Syslog Forwarder Enabled: Whether the Syslog forwarder has been enabled or disabled.

Child Domain Notification Enabled: Whether child domain notification has been enabled.

Syslog Server (Host Name Or IP Address): The Syslog server that is enabled.

IPS Quarantine Enabled: Whether IPS Quarantine is enabled or disabled.

ACL Syslog Forwarder Information

This is an optional ACL feature that logs packets that are dropped or permitted based on your ACL rule(s). The Sensor forwards ACL logs to the Manager, where they are formatted, converted to Syslog messages, and sent to the configured Syslog server. The field details are described in the following table:

Alert Filters Details

You can create alert filters at the IPS Settings node. The Manager applies alert filters at the interface/sub-interface levels only. Alert filters associated at the IPS Settings node for a domain level get associated with all Sensors belonging to that domain. Similarly, alert filters associated at the Sensor level are associated with all interfaces/sub-interfaces belonging to that Sensor. The field details are described in the following table:


Field Name: Description

Alert Filter Name: The name of the alert filter.

Type: The type of IP address. This can be IPv4 or IPv6.

No of IP Address: The number of IP address settings for the filter.

IPS Quarantine

To protect your network from security threats, McAfee® Network Security Platform provides the IPS Quarantine feature, which quarantines and remediates the non-compliant network devices (or hosts) connecting to your network.

Network Objects

Network objects provide a convenient way of grouping together IP addresses, VLANs, CIDR blocks, or MAC addresses. The field details are described in the following table:

Field Name: Description

Name: The name of the network object.

Type: Indicates which of the four network address types are listed together in the network object:

• IP Address

• Network Address (CIDR)

• MAC Address

• VLAN

Value: Enter the value for the selected Type.

Network Access Zone

Network Access Zones are a set of ACL rules that define the zone of network access provided to a host subjected to IPS Quarantine.

The field details are described in the following table:

Field Name: Description

Description: The description of the NAC ACL.


Syslog Forwarding

Field Name: Description

Syslog: Whether the Syslog forwarder has been enabled or disabled.

Name: Host name of the Syslog server to which alerts are sent.

Facility: Standard Syslog prioritization value. The choices are as follows:

• Security/authorization (code 4)

• Security/authorization (code 10)

• Log audit (note 1)

• Log alert (note 1)

• Clock daemon (note 2)

• Local user 0 (local0)

• Local user 1 (local1)

• Local user 2 (local2)

• Local user 3 (local3)

• Local user 4 (local4)

• Local user 5 (local5)

• Local user 6 (local6)

• Local user 7 (local7)

Priority: The severity level, of a higher or lesser priority.
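The Facility and Priority settings above are combined into the numeric PRI field (facility × 8 + severity, as defined in RFC 3164 and RFC 5424) that prefixes every forwarded syslog message, and the receiving collector uses that number to route and filter what the Manager sends. The following Python example is added here to show that computation and the reverse decoding a collector performs; it is not McAfee code, and the Manager's actual message text is not documented on this page, so the sample lines are constructed. The facility names (auth, authpriv, audit, alert, clock2, local0 to local7) and the helper names are assumptions made for the example.

```python
import re

# Facility numbers from RFC 3164 section 4.1.1 (retained by RFC 5424).
# Keys are short names chosen for this example; the comment gives the label
# used in the Facility list above. Codes 13, 14 and 15 are the ones the RFC
# marks with notes 1 and 2.
FACILITY_CODES = {
    "auth": 4,          # Security/authorization (code 4)
    "authpriv": 10,     # Security/authorization (code 10)
    "audit": 13,        # Log audit (note 1)
    "alert": 14,        # Log alert (note 1)
    "clock2": 15,       # Clock daemon (note 2)
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Severity numbers from the same RFC; a lower number is a higher priority.
SEVERITY_CODES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}


def priority_value(facility, severity):
    """PRI as written between angle brackets at the start of a syslog line."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility number, severity number)."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line):
    """Return PRI, facility, severity and the remaining text of one line."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line does not start with a <PRI> field")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "message": m.group(2)}


def select_forwarded_alerts(lines, facility="local4", max_severity="warning"):
    """Keep lines on the facility the forwarder was configured with that are
    at least as urgent as max_severity (RFC numbering, so '<=' means more
    urgent). Lines without a valid PRI are skipped rather than raising."""
    want_facility = FACILITY_CODES[facility]
    worst = SEVERITY_CODES[max_severity]
    kept = []
    for line in lines:
        try:
            rec = parse_syslog_line(line)
        except ValueError:
            continue
        if rec["facility"] == want_facility and rec["severity"] <= worst:
            kept.append(rec)
    return kept


# Constructed sample input (not real Manager output): a Manager configured
# with facility local4, one alert at warning, one at informational, one
# unrelated auth-facility message, and one malformed line.
SAMPLE_LINES = [
    "<164>Mar 14 20:20:01 nsm-manager NSP alert: sensor=sensor-1 attack=Example-Sig severity=High",
    "<166>Mar 14 20:20:02 nsm-manager NSP alert: sensor=sensor-1 attack=Example-Info severity=Low",
    "<38>Mar 14 20:20:03 nsm-manager sshd[123]: Accepted publickey for admin",
    "garbage line without a PRI field",
]

if __name__ == "__main__":
    for rec in select_forwarded_alerts(SAMPLE_LINES):
        print(rec["pri"], rec["facility"], rec["severity"], rec["message"][:48])
```

With local4 and warning, only the first constructed line is kept: its PRI 164 decodes to facility 20 (local4) and severity 4 (warning), while 166 is the same facility at informational and 38 is the auth facility. Choosing a dedicated localN facility for the Manager, as the list above allows, is what makes this kind of collector-side separation from host syslog traffic possible.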

Remediation Portal

To clean the quarantined host of malicious traffic and thus make it compliant with the security policies of the network, Network Security Platform provides remediation by redirecting the HTTP traffic from the host to a Remediation Portal.

Field Name: Description

Remediation Portal State: Enables the redirection of HTTP traffic to the Remediation Portal.

Remediation Portal IP Address: Configures the Remediation Portal by specifying the Remediation Portal IP address.

Remediation Portal URL: Configures the Remediation Portal by specifying the Remediation Portal URL.


Field Name: Description

Type: The IP address, IPv4 Network, Network Object, MAC address, or OUI of the networks or hosts.

Value: Enter the value for the selected Type.

Description: The description of the hosts or network excluded from NAC enforcement.

IPS Policy Assignment Report

The IPS Policy Assignment Report provides a detailed view of the policies - Exploit, Reconnaissance, and DoS - applied to one or more Sensors. Policy information includes severity, responses, thresholds, notifications, and other information configured for each attack, whether from a pre-configured or a user-customized policy. You can also view the rule set, alert filter, and DoS ID settings for all of the policies applied within a Sensor. The Customized Attacks option consolidates all user-customized attacks into one section for easy viewing.

To generate an IPS Policy Assignment Report for a Sensor, do the following:

1. Select the Reports icon from the Manager Home page.

2. Click Traditional > Configuration > IPS Policy Assignment.

Figure 36: Sensor Policy Configuration Report Options

3. Select one or more Sensors.

Tip: Sensor Policy Configuration Reports can be very long when multiple Sensors are selected. McAfee recommends selecting a single Sensor for ease

Posted: 14/03/2014, 20:20
