McAfee Enterprise Security Manager 9.5 · · 2015-02-18Identifying network cables ... 3 Setting...

Installation Guide

McAfee Enterprise Security Manager 9.5.0

COPYRIGHT

Copyright © 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONSIntel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee ActiveProtection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfeeTotal Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License AgreementNOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETSFORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOUHAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOURSOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR AFILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SETFORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OFPURCHASE FOR A FULL REFUND.

2 McAfee Enterprise Security Manager 9.5.0 Installation Guide

http://www.intelsecurity.com

Contents

Preface 5About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Find product documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1 Introduction 7

2 Installing McAfee ESM devices 9Preparing to install McAfee ESM devices . . . . . . . . . . . . . . . . . . . . . . . . . 9

Hardware and software requirements . . . . . . . . . . . . . . . . . . . . . . . 9Inspect packaging and device . . . . . . . . . . . . . . . . . . . . . . . . . . 10Identifying a location for installation . . . . . . . . . . . . . . . . . . . . . . . 10

Connect and start the devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Identifying connector and equipment types . . . . . . . . . . . . . . . . . . . . 12Identifying network cables . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Identifying network ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3 Setting up McAfee ESM devices 23Configure the network interface on the Nitro IPS . . . . . . . . . . . . . . . . . . . . . 23Configure the network interface on the Receiver, ELM, and ACE . . . . . . . . . . . . . . . 24Configure the network interface on the DEM and ADM . . . . . . . . . . . . . . . . . . . 24Configure the network interface on the ESM . . . . . . . . . . . . . . . . . . . . . . . 25Configure for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Log on to McAfee ESM console . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

A About FIPS mode 29FIPS mode information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Select FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Check FIPS integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Adding a keyed device in FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Backup and restore information for a device in FIPS mode . . . . . . . . . . . . . . 32Enable communication with multiple ESM devices in FIPS mode . . . . . . . . . . . . 33

Troubleshooting FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

B VM ESXi requirements 37VM models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Stripe the storage drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Install the virtual machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Configure the virtual machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Key the VM device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

C Install the qLogic 2460 or 2562 SAN adapters 43

D Install DAS 45

McAfee Enterprise Security Manager 9.5.0 Installation Guide 3

E Installing devices in a rack 47Install AXXVRAIL rail set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Remove the chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

F Regulatory notices 53

Index 57

Contents


Preface

This guide provides the information you need to work with your McAfee product.

Contents About this guide Find product documentation

About this guideThis information describes the guide's target audience, the typographical conventions and icons usedin this guide, and how the guide is organized.

AudienceMcAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all ofits features.

ConventionsThis guide uses these typographical conventions and icons.

Book title, term,emphasis

Title of a book, chapter, or topic; a new term; emphasis.

Bold Text that is strongly emphasized.

User input, code,message

Commands and other text that the user types; a code sample; a displayedmessage.

Interface text Words from the product interface like options, menus, buttons, and dialogboxes.

Hypertext blue A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing anoption.


Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system,software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardwareproduct.

Find product documentationAfter a product is released, information about the product is entered into the McAfee online KnowledgeCenter.

Task1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Knowledge Base pane, click a content source:

• Product Documentation to find user documentation

• Technical Articles to find KnowledgeBase articles

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.

PrefaceFind product documentation


http://support.mcafee.com

1Introduction

This guide describes how to install and set up these devices:

• McAfee® Nitro Intrusion Prevention System(IPS)

• McAfee Enterprise Log Manager (ELM)

• McAfee® Enterprise Security Manager(McAfee ESM)

• McAfee Advanced Correlation Editor (ACE)

• McAfee Event Receiver • McAfee Direct Attached Storage (DAS)

• McAfee ESM/Event Receiver (ESMREC) • McAfee Receiver/ELM (ELMERC)

• McAfee Database Event Monitor (DEM) • McAfee ESM/Receiver/ELM (ESMELM)

• McAfee Application Data Monitor (ADM)

It is divided into two main sections:

• Installing a McAfee ESM device, which provides you with the steps to follow to inspect, mount,connect, and start the device.

• Setting up a McAfee ESM device, which describes how to configure the network interface for eachdevice type, configure for IPv6, log on to the McAfee ESM console, and key the device.

1


1 Introduction


2Installing McAfee ESM devices

You must install your McAfee devices before you can use them to protect your network from intrusionsor collect network data. These installation instructions apply to all current models of McAfee ESMdevices.

Contents Preparing to install McAfee ESM devices Connect and start the devices

Preparing to install McAfee ESM devicesBefore you install devices, verify that your system meets minimum requirements and that theequipment was not damaged during shipping. Select the location to set up the equipment.

Hardware and software requirementsYour system must meet the minimum hardware and software requirements.

System requirements

• Processor — P4 class (not Celeron) or higher (Mobile/Xeon/Core2,Corei3/5/7) or AMD AM2 class orhigher (Turion64/Athlon64/Opteron64,A4/6/8)

• RAM — 1.5 GB

• Windows Operating System — Windows 2000, Windows XP, Windows 2003 Server, Windows Vista,Windows 2008 Server, Windows Server 2012, Windows 7, Windows 8, Windows 8.1

• Browser — Internet Explorer 7.x or later, Mozilla Firefox 3.0.0.0 or later, Google Chrome12.0.742.91 or later

• Flash Player — Version 11.2.x.x or later

ESM features use pop-up windows when uploading or downloading files. Disable the pop-up blocker forthe IP address or host name of your ESM.

2


Virtual Machine requirements

• Processor — 8 cores 64-bit, Dual Core2/Nehalem, or higher or AMD Dual Athlon64/Dual Opteron64or higher

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

• ESXi 5.0 or later

• Thick versus thin provisioning — You must decide the hard disk requirements needed for yourserver. The minimum requirement is 250 GB unless the VM purchased has more. See thespecifications for your VM product.

The ENMELM VM uses many features that require CPU and RAM. If the ESXi environment shares theCPU/RAM requirements with other VMs, the performance of the ENMELM VM is impacted. Make surethat you include what the CPU and RAM need within the requirements.

Inspect packaging and deviceBefore installing your equipment, make sure that there is no sign of damage or tampering.

Task1 As soon as you receive your device, inspect the packaging and the device for signs of damage or

mishandling.

If you are performing a FIPS installation, inspect the tamper-evident packing tape that is securingthe shipping container. If there is evidence of tampering, contact McAfee Support immediately forinstructions, and do not install the product.

2 Verify that all items listed on the packing slip are included in the package.

3 When performing a FIPS installation, find the tamper-evident seal in the shipping container'saccessories package. Apply the seal so it completely blocks the USB ports, preventing their usewithout leaving evidence of tampering (see Diagram 1).

Diagram 1: Placement of third tamper-evident seal.

Contact McAfee Support immediately if not fully satisfied with the inspection.

Identifying a location for installationYou must analyze your existing network and identify a network and physical location for your device.Proper location selection impacts the effective use of your devices.

When selecting a location for your devices:

2 Installing McAfee ESM devicesPreparing to install McAfee ESM devices


• Install your ESM device in a network location where it can manage devices and be accessible byany systems accessing the ESM. If direct communication between devices managed by the ESM orsystems running ESM is not possible, configure your network to route network traffic betweenthem.

• Place the Nitro IPS device between the trusted and untrusted sides of your network. Trusted is theside you want to protect and untrusted is the side you intend to leave unprotected. For example,you could locate your Nitro IPS between your firewall (untrusted side) and your switch (trustedside). Because network configurations vary greatly, the location you select depends on yourindividual security requirements and network environment.

This equipment is intended for installation in a restricted-access location.

• Your Receiver and DEM devices must be accessible to the devices they are monitoring. If directcommunication isn't possible, you must configure your network to allow proper routing of networktraffic between them.

Connect and start the devicesAfter inspecting the device and identifying the preferred location for installation, perform the steps inthis section to install it.

Task1 Mount the device.

To protect the device and the cabling from accidental damage or disconnection, mount the device ina rack (see Appendix F - Install AXXVRAIL rail set).

a Prepare a space for the device in the mounting location.

b Mount the device securely in the location you selected.

2 Connect the power supply to the device. Properly install and ground the equipment in accordancewith this instruction manual and national, state, and local codes.

We highly recommend connecting all ESM devices to an uninterruptible power supply (UPS).Redundant power cords and power modules operating at normal conditions balances the load sharethrough its parallel design, resulting in a reliable power system. Since the Nitro IPS device is inline,it must be connected to a UPS.

3 Start the device.

a Cable with turn off and make sure that traffic is passing.

b Turn on the device.

4 Select the network cable.

Installing McAfee ESM devicesConnect and start the devices 2


5 Connect the cables to the untrusted and trusted ports. If you are connecting fiber cables, removethe cable and network connector covers only when you are ready to connect the cables.

6 Verify the connectivity of the device by pinging from the trusted side of your network to a valid IPaddress on the untrusted side.

See also Identifying connector and equipment types on page 12Identifying network cables on page 12Identifying network ports on page 13

Identifying connector and equipment typesYou can connect your Nitro IPS device to the network using either copper or fiber connectors,depending on the model of your device.

Table 2-1 Connection type per device

Nitro IPS model Connector type

TX RJ-45 (Copper)

SX LC-Multimode (Fiber)

LX LC-Singlemode (Fiber)

Connect your ESM, Receiver, and DEM devices to the network using copper connectors, and identifythe copper or fiber cables by looking at the connectors. The CAT5 copper cable has RJ-45 connectors(1) while LC fiber cable uses fiber connectors (2).

We recommend using CAT5 or higher for your copper connection. For gigabit connection, werecommend CAT5e.

Equipment type

There are two types of equipment you can connect your ESM devices to: Data Circuit-TerminatingEquipment (DCE) and Data Terminal Equipment (DTE). Firewall and routers are DTE and switches areDCE. The ESM devices are DTE.

Identifying network cablesIf your device uses a fiber connection, you must select the fiber cables and connect them to the ports.If your device uses a copper connection, use either a straight-through or a crossover copper cable.

To connect an ESM device RJ-45 port to DCE, use a straight-through cable. To connect to a DTE, use acrossover cable. To distinguish between a straight-through and crossover cable, hold the two ends ofthe cable as illustrated:

2 Installing McAfee ESM devicesConnect and start the devices


On a straight-through cable, the colored wires are the same sequence at both ends. On a crossovercable, the first (far left) colored wire at one end is the same color as the third wire at the other end ofthe cable.

Identifying network portsAfter identifying the cables you need for your network, identify the ports in the McAfee device that youconnect these cables to.

Always turn off any laser sources before you inspect fiber connectors, optical components, orbulkheads. Fiber optic laser radiation might be emitted from connected fiber cables or connectors. Donot stare directly into fiber optic equipment. Always keep a protective cap on unplugged fiberconnectors.

The devices contain management ports so they can be managed from McAfee ESM. In addition, yourNitro IPS and ADM devices contain trusted and untrusted ports to connect the device to the trustedand untrusted sides of your network.

To identify the management ports and the trusted and untrusted ports on all your devices, see thistable.

Device type Model number Figure

ACE ACE-2600 or 3450 2-8

ADM APM-1250, 1260 2-1

APM-3450, 3460 2-3

DEM DSM-2600 or 3450 2-3

DSM-4600 2-4

ELM ELM-4600, 5600 or 6000 2-8

ELM/Receiver ELMERC-2600, 3450, or 4600 2-8

ESM/ELM ENMELM- 4600, 5600, or 6000 2-8

ESM or ESM/Receiver combo ETM-5600, 6000, X4, or X6 2-8

DAS-10, 25, 50, or 100 2-9

IPS NTP-1250 2-2

NTP-2600, 3450-4BTX 2-3

NTP-2600, 3450-8BTX 2-4

NTP-2600, 3450-4BSX 2-5



Device type Model number Figure

NTP-3450-2BSX 2-6

McAfee Reporter ERU-5600 2-8

Receiver ERC-1250,1260 2-2

ERC-2600, 3450, or 4600 2-7

Receiver-HA 1U HA - ERC-1250-HA, 1260-HA 2-10, 2-11

2U HA - ERC-2600 or 4600-HA 2-12, 2-13

1 IPMI 4 Trusted

2 Mgmt 2 5 Untrusted

3 Mgmt 1

Figure 2-1 NTP-1250

1 IPMI

2 Mgmt 2

3 Mgmt 1

For APM-1250 and 1260 devices, ports 4-7 are collection (sniffer) ports not management ports.

For ERC-1250 devices, ports 4-7 are additional management ports.

Figure 2-2 ERC-1250, APM-1250, 1260



1 Trusted 5 Unused

2 Untrusted 6 Unused

3 Mgmt 1 7 Unused

4 Mgmt 2

Figure 2-3 NTP-2600/3450-4BTX, 3460

1 Trusted 6 Mgmt 2


3 Trusted 8 Unused


5 Mgmt 1

Figure 2-4 NTP-2600/3450-8BTX, DSM-4600

1 Trusted

2 Untrusted



3 Mgmt 1

4 Mgmt 2

Figure 2-5 NTP-2600/3450-4BSX

1 Trusted

2 Untrusted

3 Mgmt 1

4 Mgmt 2

Figure 2-6 NTP-3450-2BSX

1 IPMI NIC 5 Mgmt

2 HB 6 Data



3 Mgmt 2 7 IPMI

4 Mgmt 3

For DSM-2600/3450 and APM-3450/3460devices, ports 4-7 are collection (sniffer) ports notmanagement ports.

Figure 2-7 ERC-2600/3450/4600, DSM-2600/3450, and APM-3450/3460



1 Mgmt 1

2 Mgmt 2

Figure 2-8 ETM-5600/6000/X4/X6, ELMERC-2600/3450/4600, ELM-4600/5600/6000, ACE-2600/3450, ENMELM-4600/5600/6000, ERU-5600

Figure 2-9 DAS data cables



1 Primary IPMI 4 Secondary IPMI

2 Mgmt 2 5 Heart Beat (HB)

3 Mgmt 1 6 Mgmt 3

Figure 2-10 Step 1: Create connection between 1U HA receivers

1 IPMI 5 MGMT4 (eth3)

2 MGMT2 (eth1) 6 MGMT5 (eth4)




4 MGMT3 (eth2)

Figure 2-11 Step 2: Connect 1U HA receivers to the network switch/router






4 MGMT3 (eth2)

Figure 2-12 Step 1: Create connection between 2U HA receivers




4 MGMT3 (eth2)

Figure 2-13 Step 2: Connect 2U HA receivers to the network switch/router

See also Identifying a location for installation on page 10



3Setting up McAfee ESM devices

Setting up the devices is essential for proper operation. To set them up, configure IPv6 and thenetwork interface for each device type, and log on to McAfee ESM.

Contents Configure the network interface on the Nitro IPS Configure the network interface on the Receiver, ELM, and ACE Configure the network interface on the DEM and ADM Configure the network interface on the ESM Configure for IPv6 Log on to McAfee ESM console

Configure the network interface on the Nitro IPSFollow these steps to configure your IP information.

Before you beginTurn on the Nitro IPS and ensure that the boot process is complete. Attach a monitor andkeyboard to the device.

Task1 Press Alt + F1 to go to the LCD page, then press Esc twice.

2 Scroll down to MGT IP Conf and press Enter.

3 Select Mgt 1 and press Enter.

4 On the Active menu, select IP Address and press Enter.

5 Set the value and press Enter.

6 Scroll down to Netmask and set the value.

7 Scroll down to Done and press Enter.

8 Scroll down to Gateway and press Enter.

3


9 Set the gateway address, scroll down to Done, and press Enter.

10 Scroll down to Port Number, set the value, and press Enter.

Make note of the new port number and enter it when keying the device. If the system operates inFIPS mode, do not change the communication port number.

11 Scroll down to Save Changes and press Enter.

Configure the network interface on the Receiver, ELM, and ACEFollow these steps to configure the network interface on a Receiver, ELM, or ACE device.

Before you beginAttach a monitor and keyboard to the device.

Task1 Press Alt + F1 to go to the LCD page, press Esc twice, then scroll down to MGT IP Conf and press Enter.

2 Select Mgt 1 and press Enter, then select IP Address and press Enter.






8 Scroll down to DNS 1, press Enter, and set the value.


10 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number. Enter it when keying the device. Do not change the TCPcommunication port.


Configure the network interface on the DEM and ADMFollow these steps to configure the network interface on a DEM or ADM device.



2 Scroll down to MGT IP Conf and press Enter.


3 Setting up McAfee ESM devicesConfigure the network interface on the Receiver, ELM, and ACE


4 On the Active menu, select IP Address and press Enter.






10 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number and enter it when keying the device. Do not change the TCPcommunication port.


Configure the network interface on the ESMFollow these steps to configure the network interface on an ESM.

Before you beginTurn on the ESM and make sure that the restart process is complete, then attach a monitorand keyboard to the device.

Task1 Press Alt + F1 to go to the LCD page, press Esc twice, then scroll down to MGT IP Conf and press Enter.

2 Select Mgt 1 and press Enter, then select IP Address and press Enter.






8 Scroll down to DNS 1, press Enter, and set the value.



Setting up McAfee ESM devicesConfigure the network interface on the ESM 3


Configure for IPv6If you want to use IPv6 on any of your devices and your network supports IPv6 stateless autoconfiguration, configure your system to manage IPv6.


To manually configure an address for the ESM, see the Network Settings section in the McAfeeEnterprise Security ManagerProduct Guide. To manually configure an address for each type of device,see the Interfaces section for the specific device.


2 Scroll down to IPv6 Config and press Enter.


4 Scroll down to Save and press Enter.

5 To locate the automatically configured IPv6 address:

a Start the device and wait for the menu to load.

b Scroll down to MGT IP Conf and press Enter.

c Scroll down to IPv6 Global and press Enter.

d Confirm the IPv6 address, then press Enter to return to the menu.

e Scroll down to Done and press Enter.

f Scroll down to Cancel Changes and press Enter.

Log on to McAfee ESM consoleWhen you have installed and set up ESM and devices, you can log on the console to begin configuringthe system and device settings.

Before you beginVerify whether you are required to operate the system in FIPS mode (see Step 5).

Task1 Open a web browser on your client computer and go to the IP address you set when you configured

the network interface.

2 Click Login, select the language for the console, then type the default user name and password.

• Default user name: NGCP

• Default password: security.4u

3 Click Login, read the End User License Agreement, then click Accept.

4 When prompted, change your user name and password, then click OK.

3 Setting up McAfee ESM devicesConfigure for IPv6


5 Select whether to enable FIPS mode.

If you must work in FIPS mode, enable it the first time you log on so all future communication withMcAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to. For moreinformation on FIPS, see Appendix A.

6 Follow the instructions that appear to obtain your user name and password, which are necessaryfor access to rule updates.

7 Perform initial ESM configuration:

a Select the language to be used for system logs.

b Select the time zone this ESM is in and the date format to be used with this account, then clickNext.

c Define the settings on the five Initial ESM Configuration wizard pages, clicking the Help icon oneach page for instructions.

8 Click OK.

You are ready to key and configure the devices. See the McAfee Enterprise Security Manager ProductGuide.

Setting up McAfee ESM devicesLog on to McAfee ESM console 3


3 Setting up McAfee ESM devicesLog on to McAfee ESM console


AAbout FIPS mode

The Federal Information Processing Standard (FIPS) consists of publicly announced standardsdeveloped by the United States Federal government. If you are required to meet these standards, youmust operate this system in FIPS mode.

FIPS mode must be selected the first time you log on to the system and can't subsequently be changed.

Contents FIPS mode information Select FIPS mode Check FIPS integrity Adding a keyed device in FIPS mode Troubleshooting FIPS mode


FIPS mode informationDue to FIPS regulations, some ESM features aren't available, some available features are notcompliant, and some features are only available when in FIPS mode. These features are notedthroughout the document and are listed here.

Featurestatus

Description

Removedfeatures

• High Availability Receivers.

• GUI Terminal.

• Ability to communicate with the device using SSH protocol.

• On the device console, the root shell is replaced by a device management menu.

Featuresavailable only inFIPS mode

• There are four user roles that do not overlap: User, Power User, Audit Admin, and Key &Certificate Admin.

• All Properties pages have a Self-Test option that allows you to verify that the system isoperating successfully in FIPS mode.

• If FIPS failure occurs, a status flag is added to the system navigation tree to reflectthis failure.

• All Properties pages have a View option that, when clicked, opens the FIPS Identity Tokenpage. It displays a value that must be compared to the value shown in thosesections of the document to ensure that FIPS hasn't been compromised.

• On System Properties | Users and Groups | Privileges | Edit Group, the page includes the FIPSEncryption Self Test privilege, which gives the group members the authorization to runFIPS self-tests.

• When you click Import Key or Export Key on IPS Properties | Key Management, you areprompted to select the type of key you want to import or export.

• On the Add Device Wizard, TCP protocol is always set to Port 22. The SSH port can bechanged.

Select FIPS modeThe first time you log on to the system you are prompted to select whether you want the system tooperate in FIPS mode. Once this selection is made, it can't be changed.

TaskFor option definitions, click ? in the interface.

1 The first time you log on to the ESM:

a In the Username field, type NGCP.

b In the Password field, type security.4u.

You are prompted to change your password.

2 Enter and confirm your new password.

A About FIPS modeFIPS mode information


3 On the Enable FIPS page, click Yes.

The Enable FIPS warning displays information requesting confirmation that you want this system tooperate in FIPS mode permanently.

4 Click Yes to confirm your selection.

Check FIPS integrityIf you are operating in FIPS mode, FIPS 140-2 requires software integrity testing on a regular basis.This testing must be performed on the system and each device.


1 On the system navigation tree, select System Properties, and make sure that System Information isselected.

2 Do any of the following.

Inthisfield...

Do this...

FIPSStatus

View the results of the most recent FIPS self-test performed on the ESM.

Test orFIPSSelf-Test

Run the FIPS self-tests, which test the integrity of the algorithms used within thecrypto-executable. The results can be viewed on the Message Log.

If the FIPS self-test fails, FIPS is compromised or device failure is occurring. Contact McAfeeSupport.

View orFIPSIdentity

Open the FIPS Identity Token page to perform power-up software integrity testing. Compare thevalue below to the public key that appears on this page:

If this value and the public key don't match, FIPS is compromised. Contact McAfee Support.

About FIPS modeCheck FIPS integrity A


Adding a keyed device in FIPS mode There are two methods in FIPS mode to add a device that has already been keyed to an ESM. Thisterminology and file extensions are useful as you follow these processes.

Terminology

• Device key — Contains the management rights that an ESM has for a device, and is not used forcrypto.

• Public key — The ESM public SSH communication key, which is stored in the authorized keys table ofa device.

• Private key — The ESM private SSH communication key, which is used by the SSH executable on anESM to establish the SSH connection with a device.

• Primary ESM — The ESM that was originally used to register the device.

• Secondary ESM — The additional ESM that communicates with the device.

File extensions for the different export files

• .exk — Contains the device key.

• .puk — Contains the public key.

• .prk — Contains the private key and the device key.

Backup and restore information for a device in FIPS modeThis method is used to back up and restore communication information for a device on the ESM.

It is primarily intended for use in the event of a failure that requires ESM replacement. If thecommunication information is not exported prior to the failure, communication with the device can't bere-established. This method exports and imports the .prk file.

The private key for the primary ESM is used by the secondary ESM to establish communication withthe device initially. Once communication is established, the secondary ESM copies its public key to thedevice's authorized keys table. The secondary ESM then erases the private key for the primary ESM,and initiates communication with its own public or private key pair.

A About FIPS modeAdding a keyed device in FIPS mode


Action Steps

Export the .prkfile from theprimary ESM

1 On the system navigation tree of the primary ESM, select the device withcommunication information you want to back up, then click the Properties icon.

2 Select Key Management, then click Export Key.

3 Select Backup SSH Private key, then click Next.

4 Type and confirm a password, then set the expiration date.

After the expiration date passes, the person who imports the key is unable tocommunicate with the device until another key is exported with a future expirationdate. If you select Never Expire, the key never expires if imported into another ESM.

5 Click OK, select the location to save the .prk file created by the ESM, then log outof the primary ESM.

Add a device tothe secondaryESM and importthe .prk file

1 On the system navigation tree of the secondary device, select the system orgroup level node you want to add the device to.

2 From the actions toolbar, click Add Device.

3 Select the type of device that you want to add, then click Next.

4 Enter a name for the device that is unique in this group, then click Next.

5 Enter the target IP address of the device, enter the FIPS communication port,then click Next.

6 Click Import Key, browse to the previously exported .prk file, then click Upload.

Type the password specified when this key was initially exported.

7 Log out of the secondary ESM.

Enable communication with multiple ESM devices in FIPS modeYou can allow multiple ESMs to communicate with the same device by exporting and importing .pukand .exk files.

This method uses two export and import processes. First, the primary ESM is used to import thesecondary ESM device exported .puk file and send the contained secondary ESM public key to thedevice, thus allowing both ESM devices to communicate with the device. Second, the device's .exk fileis exported from the primary ESM and imported into the secondary ESM, thus giving the secondaryESM the ability to communicate with the device.

About FIPS modeAdding a keyed device in FIPS mode A


Action Steps

Export the .puk filefrom the secondaryESM

1 On the System Properties page of the secondary ESM, select ESM Management.

2 Click Export SSH, then select the location to save the .puk file.

3 Click Save, then log out.

Import the .puk fileto the primary ESM

1 In the system navigation tree of the primary ESM, select the device you wantto configure.

2 Click the Properties icon, then select Key Management.

3 Click Manage SSH Keys.

4 Click Import, select the .puk file, then click Upload.

5 Click OK, then log out of the primary ESM.

Export thedevice's .exk filefrom the primaryESM

1 In the system navigation tree of the primary ESM, select the device you wantto configure.

2 Click the Properties icon, then select Key Management.

3 Click Export Key, select the backup device key, then click Next.

4 Type and confirm a password, then set the expiration date.

After the expiration date passes, the person who imports the key is unable tocommunicate with the device until another key is exported with a futureexpiration date. If you select Never Expire, the key never expires if imported intoanother ESM.

5 Select the .exk file privileges, then click OK.

6 Select the location to save this file, then log out of the primary ESM.

Import the .exk fileto the secondaryESM

1 In the system navigation tree of the secondary device, select the system orgroup level node that you want to add the device to.

2 From the actions toolbar, click Add Device.

3 Select the type of device you want to add, then click Next.

4 Enter a name for the device that's unique to this group, then click Next.

5 Click Import Key, then browse to the .exk file.

6 Click Upload and enter the password that was specified when this key wasinitially exported.

7 Log out of the secondary ESM.

A About FIPS modeAdding a keyed device in FIPS mode


Troubleshooting FIPS modeIssues might arise when operating the ESM in FIPS mode.

Issue Description and resolution

Can't talk tothe ESM

• Check the LCD on the front of the device. If it says FIPS Failure, contact McAfeeSupport.

• Check for an error condition through the HTTP interface by viewing the ESM FIPSSelf-test webpage in a browser.- If a single digit 0 is displayed, indicating that the device has failed a FIPS self-test,reboot the ESM device and attempt to correct the problem. If the failure conditionpersists, contact Support for further instructions.

- If a single digit 1 is displayed, the communication problem is not due to FIPSfailure. Contact Support for further troubleshooting steps.

Can't talk tothe device

• If there is a status flag next to the device on the system navigation tree, place thecursor over it. If it says FIPS Failure, contact McAfee Support by going to the supportportal.

• Follow the description under the Can't talk to the ESM issue.

The file is invaliderror whenadding adevice

You cannot export a key from a non-FIPS device and then import it to a deviceoperating in FIPS mode. Also, you cannot export a key from an FIPS device and thenimport it to a non-FIPS device. This error appears when you attempt either scenario.

About FIPS modeTroubleshooting FIPS mode A


A About FIPS modeTroubleshooting FIPS mode


BVM ESXi requirements

The VM must meet the following minimum requirements.

• Processor — 8 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher or AMDDual Athlon64/Dual Opteron64 or later

• RAM — Depends on the model (4 GB or more)

• Disk — Depends on the model (250 GB or more)

• ESXI — 5.0 or later

You can select the hard disk requirement needs for your server. But, the VM requirement depends onthe model of the device (250 GB or more). If you don't have a minimum of 250 GB available, youreceive an error when deploying the VM.

The VM uses many features that require CPU and RAM. If the ESXi environment in any way shares theCPU or RAM requirements with other VMs, the performance of the VM is impacted. Plan CPU and RAMneeds within the requirements outlined here.

McAfee recommends setting the provisioning option to Thick.

Contents VM models Stripe the storage drive Install the virtual machine Configure the virtual machine Key the VM device


VM modelsThis table lists the available VM models, how many events per second (EPS) each model can process,the recommended mechanical storage, the storage capacity of the solid-state drive (SSD), and therequirements for the platform that runs the VM.

Modelnumber

EPScapacity Mechanical storage SSD Platform requirements

ELU4ELU12

1,0005,000

Recommended VMenvironment of 250GBRecommended VM

Environment of 500GB minimum

None240 GBminimum

VMware ESX/ESXi Server v.5.x+,8 processor cores

(Intel® Xeon® Processor E5 or E7),4 GB of memory



ENU4ENU12

ENU32

1,500*40,000*

85,000*

Recommended VMenvironment of 250GB

Recommended VMenvironment of 500GB minimum

Recommended VMenvironment of 2 TBminimum

None

480 GBminimum

3 TBminimum







ELM4

ELM12

ELM32

1,500*

30,000*

70,000*



Recommended VMenvironment of 2 TBminimum

None

480 GBminimum

3 TBminimum







B VM ESXi requirementsVM models


Modelnumber

EPScapacity Mechanical storage SSD Platform requirements

EV2

EV5

EV10

500

5,000

15,000

Recommended VMEnvironment of 250GB

Recommended VMEnvironment of 500GB minimum

Recommended VMEnvironment of 2 TBminimum

None

480 GBminimum

3 TBminimum







ELMERCVM4

ELMERCVM12

1,500

5,000

Recommended VMEnvironment of 250GB

Recommended VMEnvironment of 500GB minimum

None

240 GBminimum





ACV12

ACV32

<30,000*

<80,000*



480 GBminimum

3 TBminimum





APM4

APM12

250 Mbps

500 Mbps



None

480 GBminimum





VM ESXi requirementsVM models B


Stripe the storage driveIf the model is more than 250 GB and needs the 256 MB to 2 MB setting, stripe the virtual machine'sstorage drive.

Task1 Select the ESX server, click the Configuration tab, then click Storage in the Hardware section.

The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU/RAMrequirements with other VMs, the performance of the VM is impacted. Plan CPU and RAM needswithin the requirements.

2 Click Add Storage, then select Disk/LUN.

3 Select an available disk, then select the correct option for your available disk space. Use 'Free space'for an existing drive or Use all available partitions for an available drive.

You can select the hard disk requirement needs for your server but the requirement for the VM is500 GB. If you do not have 500 GB available, you receive an error when deploying the VM. McAfeerecommends setting the provisioning to Thick.

4 Give the storage drive a name, then select 512 GB, Block size: 2 MB on the Maximum file size drop-down listto make sure that the 500-GB drive space is available.

Install the virtual machineOnce you install and key a VM, it mimics normal ESM operation.

Before you beginVerify that your equipment meets minimum requirements.

Task1 Access the root of the CD drive (for CD installation) or download the files provided by McAfee

support to the local computer.

2 In vSphere Client, click the server IP address in the device tree.

3 Click File and select Deploy OVF Template.

4 Designate the name, the folder to install the VM, the disk provisioning setting, and the VM Networkingoption.

5 Deploy the files to the ESXi server, select the VM, and ensure the following are set on the Edit VirtualMachine setting.

6 Select the correct networking settings for your ESXi network switches/adapters, then click Play tostart the VM.

7 Using the VM menu, set MGT1 IP, netmask, gateway, and DNS addresses, then press Esc toactivate the menu.

8 Configure the network interface on the VM, save the changes before exiting the Menu window, thenkey the device.

B VM ESXi requirementsStripe the storage drive


Configure the virtual machineOnce you have installed the VM, configure the network interface.

Task1 Click Esc, then scroll down to MGT IP Conf on the LCD and click Enter twice.

2 Set the IP address using the arrows to change the value of the current digit and to switch betweendigits, then click Enter.

3 Scroll to Netmask and set it using the arrows.

4 Scroll to Done and click Enter. Then scroll to Gateway and click Enter.

5 Set the gateway address using the arrows, then scroll down to Done and click Enter.

6 Scroll down to DNS1, click Enter, then select the DNS server address using the arrows.


8 To change the communication port when the system is in FIPS mode (see About FIPS Mode), pressthe down arrow twice, then press Enter.

Do not change the TCP communication port.

9 Change the port number, then press Enter.

Make note of the new port number. Enter it when keying the device.

10 Scroll to Save Changes and click Enter.

Key the VM deviceYou must key the device to establish a link between the device and the ESM.

Before you beginPhysically connect the device to your network (see Installing McAfee ESM devices).


1 On the system navigation tree, click the system or a group, then click the Add Device icon in theactions pane.

2 Enter the information requested on each page of the Add Device Wizard (see Add devices to the ESMconsole in the McAfee Enterprise Security Manager Product Guide).

VM ESXi requirementsConfigure the virtual machine B


B VM ESXi requirementsKey the VM device


CInstall the qLogic 2460 or 2562 SANadapters

The qLogic QLE2460 is a single, Fibre Channel PCIe x4 adapter, rated at 4 GB. The QLE2562 is asingle, Fiber Channel PCIe x8 adapter, rated at 8 GB. They can connect directly to the SAN device orthrough a SAN switch.

Before you begin• Make sure that the SAN device or SAN switch you are attaching to auto-negotiates.

• Make sure that the SAN administrator allocates and creates space on the SAN andassigns it to the channel where the qLogic adaptor is attached. Use the World Wide PortName (WWPN) for the adaptor. The WWPN is on the adapter's card, anti-static bag, andbox.

Task1 Turn off the device where you are installing the SAN adapter.

2 Insert the adapter, then place the device back on the rack and connect the cables.

For a 3U device, insert the adapter in the slot closest to the protective memory cover.

The adapter BIOS boot message informs you that the adapter is installed and functioning. If you donot see this message or if the card does not have red, yellow, or green lights, the card is notrecognized. If so, make sure that the card is seated correctly or insert it into a different PCI slot.

3 Start the device.

The operating environment detects it and loads the QLAXXX driver. The Mounting Storage Facilitiesmessage displays OK and continues starting.

4 Using the ESM console, key the device.

When the device is keyed, the Properties page includes the SAN Volumes option.


C Install the qLogic 2460 or 2562 SAN adapters


DInstall DAS

The DAS is an add-on device to a 4xxx/5xxx/6xxx series ESM or ELM.

The DAS unit ships with a chassis and an LSI 9280-8e RAID card for:

• ETM-5205 • ENMELM-4600

• ETM-5510 • ENMELM-5205

• ETM-5600 • ENMELM-5510

• ETM-5750 • ENMELM-5600

• ETM-6000 • ENMELM-6000

• ETM-X3 • ELM-4600

• ETM-X4 • ELM-5205

• ETM-X5 • ELM-5510

• ETM-X6 • ELM-5600

• ESMREC-5205 • ELM-5750

• ESMREC-5510 • ELM-6000

Task1 Turn off the ESM following a normal shutdown procedure.

2 Pull the device from the rack and open the top case. You might need to remove a small screw atthe front or rear of the top case.

3 Install the LSI 9280-8e RAID card in slot 4 of the ESM.

• For devices with an orange face, if the Areca or 3Ware RAID card is in slot 4, move the RAIDcard to slot 6. If the McAfee ESM device has an Areca or 3Ware RAID card and also has an SSDcard installed, install the LSI 9280-8e RAID card in slot 5.

• For devices with a black face, install the card in an open slot.

4 Replace the top on the McAfee ESM and reinsert it back in the rack.


5 Insert the cable connectors into slot 1 and slot 2 on the LSI 9280-8e RAID card external slots. Thecable clicks into place.

6 Verify that all drives are fully inserted in the DAS, then attach the inner rails to the DAS device andinsert the device into the rack.

7 Insert the data cables into the first and third slots on the rear of the DAS device. The cables clickinto place.

8 Insert power cables, then turn on the DAS device.

9A test light appears for all drives. The drive with the red light is the “hot spare” for the DAS.

10 Turn on the McAfee ESM device and look for the LSI 9280-8e RAID card BIOS utility.

The DAS device is preformatted and doesn't require configuring a RAID set on the device. If you seea RAID not present message, call McAfee support to create the RAID.

11 Log on and run a df –h command to make sure that you have a /das1_hd drive.

On System Properties of the ESM console, the Hardware field on the System Information tab reflects theincreased size of the hard drive labeled /data_hd.

D Install DAS


EInstalling devices in a rack

We recommend installing devices in a rack to protect the devices and the cabling from accidentaldamage or getting disconnected.

Contents Install AXXVRAIL rail set Remove the chassis


Install AXXVRAIL rail setAn AXXVRAIL rail set is shipped with each device so you can install it in a rack.

Task1 Install rails in the rack.

a Pull the release button (F) to remove the inner member (D) from the slides.

ComponentsA - front bracket

B - outer member

C - rear bracket

D - inner member

E - safety locking pin

F - release button

E Installing devices in a rackInstall AXXVRAIL rail set


b Align the brackets to the wanted vertical position on the rack, then insert the fasteners.

c Move the ball retainer to the front of the slides.

Installing devices in a rackInstall AXXVRAIL rail set E


2 Install the chassis.

a Align the inner member key holes to standoffs on the chassis.

b Move the inner member in the direction shown in the following picture.

c Install the chassis to the fixed slides by pulling the release button in the inner member torelease the lock and allow the chassis to close.

E Installing devices in a rackInstall AXXVRAIL rail set


Remove the chassisYou can remove the chassis from the rails.

Task1 Fully extend the slides until the slides are in a locked position.

2 Pull the release button to release the lock and disconnect the inner member from the slides.

3 Press the safety locking pin to release the inner member from the chassis.

Installing devices in a rackRemove the chassis E


E Installing devices in a rackRemove the chassis


FRegulatory notices

This regulatory information applies to the different platforms you might use.

Table F-1 SuperMicro-based platforms

McAfee 1U McAfee 2U or 3U

Electromagnetic emissions FCC Class B, EN 55022 Class B,

EN 61000-3-2/-3-3

CISPR 22 Class B

FCC Class B, EN 55022 Class B,

EN 61000-3-2/-3-3

CISPR 22 Class B

Electromagnetic immunity EN 55024/CISPR 24,

(EN 61000-4-2, EN 61000-4-3,

EN 61000-4--4, EN 61000-4-5,

EN 61000-4-6, EN 61000-4-8,

EN 61000-4-11) 55024

EN 55024/CISPR 24,

(EN 61000-4-2, EN 61000-4-3,

EN 61000-4--4, EN 61000-4-5,

EN 61000-4-6, EN 61000-4-8,

EN 61000-4-11) 55024

Safety EN 60950/IEC 60950-Compliant,

UL Listed (USA)

CUL Listed (Canada)

TUV Certified (Germany)

CE Marking (Europe)

EN 60950/IEC 60950-Compliant,

UL Listed (USA)

CUL Listed (Canada)

TUV Certified (Germany)

CE Marking (Europe)

Table F-2 DAS-based platforms

DAS-50, DAS-100

Input voltage 100/240 VAC

Input frequency 50/60 Hz

Power supply 1400 W X3

Power consumption 472W@120VAC

461W@240VAC

Amps (Max) 9.4A

Altitude (Max) -45 to 9,500 feet


Table F-2 DAS-based platforms (continued)

DAS-50, DAS-100

Temperature (Max) 10º to 35º C (operating)

-40º to 70º C (non-operating)

Altitude -45 to 9500 feet (operating) -45 to 25,000 feet (non-operating)

BTU BTU/HR 1609

Humidity Operating — 10% to 85%

(non-condensing)

non-operating — 10% to 90%

Table F-3 Intel-based platform 1U

Parameter Limits

Operating temperature +10° C to +35° C with the maximum rate of change not to exceed10° C per hour

Non-operating temperature -40° C to +70°

Non-operating humidity 90%, non-condensing at 35° C

Acoustic noise Sound Power: 7.0 BA in an idle state at typical office ambienttemperature. (23 +/- 2 degrees C)

Shock, operating Half sine, 2 g peak, 11 msec

Shock, unpackaged Trapezoidal, 25 g, velocity change 136 inches/sec (≧ 40 lbs to > 80lbs)

Shock, packaged Non-palletized free fall in height 24 inches (≧40 lbs to > 80 lbs)

Shock, operating Half sine, 2 g peak, 11 mSec

Vibration, unpackaged 5 Hz to 500 Hz, 2.20 g RMS random

ESD +/-12kV for air discharge and 8K for contact

System cooling requirement inBTU/Hr

1660 BTU/hour

Table F-4 Intel-based platform 2U

Parameter Limits

Temperature Operating • ASHRAE Class A2 — Continuous operation. 10°C to 35°C(50°F to 95°F) with the maximum rate of change not toexceed 10°C per hour.

• ASHRAE Class A3 — Includes operation up to 40°C for up to900 hrs per year

• ASHRAE Class A4 — Includes operation up to 45°C for up to90 hrs per year

Shipping -40°C to 70°C (-40°F to 158°F)

Altitude (Operating) Support operation up to 3050 m with ASHRAE class deratings

Humidity (Shipping) 50% to 90%, non-condensing with a maximum wet bulb of28°C (at temperatures from 25°C to 35°C)

Shock Operating Half sine, 2 g, 11 mSec

Unpackaged Trapezoidal, 25 g, velocity change is based on packaged weight

F Regulatory notices


Table F-4 Intel-based platform 2U (continued)

Parameter Limits

Packaged Product Weight: ≥ 40 to < 80

Non-palletized free fall height = 18 inches

Palletized (single product) free fall height = NA

Vibration 5 Hz to 500 Hz2.20 g RMS random

Packaged 5 Hz to 500 Hz1.09 g RMS random

AC-DC Voltage 90 Hz to 132 V and 180 V to 264 V

Frequency 47 Hz to 63 Hz

Source Interrupt No loss of data for power line drop-out of 12 mSec

Surge non-operatingand operating

Unidirectional

Regulatory notices F


F Regulatory notices


Index

Aabout this guide 5ACE, configure network interface 24

ADM, configure network interface 24

AXXVRAIL railsinstall 48

remove chassis 51

Ccables, identify network 12

connect device 11

connector type, identify 12

conventions and icons used in this guide 5

DDAS, install 45

DEM, configure network interface 24

device, inspect 10

devicesconnect 11

set up 23

start 11

devices, identify network ports 13

documentationaudience for this guide 5product-specific, finding 6typographical conventions and icons 5

EELM, configure network interface 24

equipment type, identify 12

ESM, configure network interface 25

export and importexk file 33

puk file 33

Ffile extensions for export files 32

FIPSenable 26

FIPS modebackup information 32

FIPS mode (continued)check integrity 31

communicate with multiple ESM devices 33

enable 30

features available only in FIPS mode 30

file extensions 32

keyed device, add 32

non-compliant available features 30

removed features 30

restore information 32

select 30

terminology 32

troubleshoot 35

Hhardware, minimum requirements 9

Iinspect packaging and device 10

installidentify location 10

install deviceprepare to 9

IPv6, configure 26

Llocation for installation 10

log on to ESM console 26

MMcAfee ServicePortal, accessing 6minimum requirements for hardware and software 9

Nnetwork cables, identify 12

network interfaceconfigure DEM and ADM 24

configure ESM 25

configure Nitro IPS 23

network interface, configureACE 24

ELM 24


network interface, configure (continued)Receiver 24

network ports, identify for each device 13

Nitro IPS, configure network interface 23

Ppackaging, inspect 10

password for ESM console 26

platforms, regulatory notices for 53

ports, identify network for each device 13

QqLogic 2460 SAN adapter, install 43

RReceiver, configure network interface 24

regulatory notices for platforms 53

SSAN adapter, install 43

ServicePortal, finding product documentation 6software, minimum requirements 9start device 11

Ttechnical support, finding product information 6troubleshoot FIPS mode 35

Uuser name for ESM console 26

Vvirtual machine

configure 41

install 40

key 41

requirements 37

strip storage drive 40

VM models 38

VM requirements 38

Index


McAfee Enterprise Security Manager 9.5 · · 2015-02-18Identifying network cables ... 3 Setting...

Documents

Transcript of McAfee Enterprise Security Manager 9.5 · · 2015-02-18Identifying network cables ... 3 Setting...