Special Topics Guide: Sensor High Availability, revision 1.0. McAfee® Network Security Platform, Network Security Sensor version 6.0.
COPYRIGHT Copyright © 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Preface This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also lists the supporting documents for this guide and describes how to contact McAfee Technical Support.
McAfee® Network Security Platform 6.0 Preface Conventions used in this guide:
• Convention: Names of keys on the keyboard are denoted using UPPER CASE. Example: Press ENTER.
• Convention: Text such as syntax, key words, and values that you must type exactly are denoted using Courier New font. Example: Type: setup and then press ENTER.
• Convention: Variable information that you must type based on your specific situation or environment is shown in italics. Example: Type: Sensor-IP-address and then press ENTER.
• Convention: Parameters that you must supply are shown enclosed in angle brackets.
Phone Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html). Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support.
CHAPTER 1 Background Most networks today have some amount of in-built redundancy. However, the extent to which a network can withstand a failure varies, depending on the environment. For example, one setup might have two fully redundant paths to and from the Internet, whereas another might have Primary and Secondary firewalls, but single points of failure elsewhere. Network devices traditionally provide redundancy at Layer 2 or 3 of the OSI model.
CHAPTER 2 Network Security Platform Failover Architecture McAfee® Network Security Platform was built with high availability in mind. In fact, those who are at first confused by the possibilities around McAfee Network Security Platform failover usually are so because the implementation is simpler than they initially assume.
CHAPTER 3 Sensor Failover Implementation A typical McAfee® Network Security Platform failover implementation includes the following steps:
• Understanding the current network topology
• Determining optimal Sensor location
• Configuring the ports on each Sensor
• Physically installing the Sensors
• Defining the McAfee Network Security Platform failover Pair
• Cabling the heartbeat connection
• Verifying the failover configuration
In the sections that follow, we will consider each of these points in detail.
CHAPTER 4 Understanding the current network topology Understanding the current network topology is essential for the proper planning of a McAfee® Network Security Platform failover solution. Put simply, the more you understand about the existing data flow, the less likely you are to run into obstacles during implementation.
A single path Some networks do not include much or any redundancy. In this case, there are one or more single points of failure. If one of the non-redundant devices fails, the connection to the Internet will fail as well. Most companies that choose to invest in a redundant Network Security Platform solution also invest in redundant paths to and from their network.
CHAPTER 5 Determining optimal Sensor location The previous section is mostly intended as a point of reference. The good news is that the McAfee® Network Security Platform failover process is often identical, whether the network failover configuration is active-active, with or without asymmetric routing, active-passive, or even made up of a single path. The details are as follows:
• Both McAfee® Network Security Sensors (Sensors) in a failover Pair are always in an active state.
The same basic rule applies to Network Security Platform failover. If the network currently has parallel firewalls connected to parallel switches, for example, it follows that you can introduce parallel Sensors between them. The following set of diagrams is a very simple “before and after,” to help clarify the logic: Figure 1: Determining optimal sensor location - Before Note: The dotted line represents a heartbeat link.
Figure 2: Determining optimal sensor location - After The key is to ensure the redundant Sensors will be scanning the same traffic at the same point in the network. If you were to instead place one Sensor outside the firewall on one path and the other Sensor inside the firewall on the other path, the outcome is what developers like to refer to as “undefined.”
Instead, consider the “Stack” configuration for a single path, shown in Figure 3: Figure 3: Stack Configuration In this scenario, the Sensors are “stacked” (one after the other) in much the same way you might daisy chain a pair of switches. Note: A crossover cable is required to make the connection between the Sensor monitoring ports. These Sensors are configured to run inline, failopen, and function as a failover Pair.
Preventing duplicate alerts To prevent the failover Pair from forwarding the same alert twice, each node in the Pair adheres to the following rules: • The Sensor that received the attack packet on its monitoring port sends the signature alert to McAfee® Network Security Manager (Manager). (The Sensor that gets a copy of the attack packet from its failover peer does not send an alert.)
CHAPTER 6 Configuring the ports on each Sensor To function as a failover Pair, the two McAfee® Network Security Sensors (Sensors) must be the same model and have the same Sensor image (Sensor software version). Previously, you could create a Sensor failover pair only if all the monitoring ports of the primary Sensor were in Inline mode. Now, you can create Sensor failover pairs even if the monitoring ports are in different operating modes, that is, some ports in Inline, some in SPAN, and some in Tap mode.
If you choose to fail closed on an Ethernet port pair (not GBICs), the user interface will remind you to cable the ports with the Network Security Platform dongles. Note: McAfee® Network Security Platform dongles ship with the Sensors. Potential pitfall When you configure a failover Pair, you must designate a “Primary” and “Secondary” Sensor.
bypass kit does not change to bypass mode. Instead, the port pair fails closed and the redundant link takes over. The details of optical bypass kits are currently beyond the scope of this document. See the documentation that accompanies the fail-open kits (for example, the Gigabit Optical Fail-Open Bypass Kit Guide, which accompanies the Optical Fail-Open kit).
CHAPTER 7 How dongles work Dongles, included with all 10/100-port McAfee® Network Security Sensors (Sensors), are required when a 10/100 Sensor port runs in SPAN or inline fail-closed mode. All 10/100 ports on the Sensors are standard 10/100 Base-T Ethernet ports.
A group of mechanical relays actually resides between each port pair: Figure 6: Mechanical Relays The relays come into play when the Sensor is shut down. Specifically, the relays provide a path for the signals on pins 1, 2, 3, and 6 to continue to pass when the Sensor is powered off. In short, the relays ensure that the Sensor will fail open. It is important to note that the relays provide a path for the signals on pins 1, 2, 3, and 6 only.
Again, the relays come into play when the Sensor is powered off: Figure 8: Mechanical Relay - Fail closed Because the relays only pass the signals on pins 1, 2, 3, and 6, however, the transmit signals on pins 4 and 5 are filtered out and the ports fail closed.
CHAPTER 8 Physically installing the Sensors Installing McAfee® Network Security Sensors (Sensors) at this point may seem premature. After all, you will no doubt perform tests once the failover pair has been configured. The logic here is to confirm connectivity and proper scanning with as few variables as possible. If basic connectivity and scanning prove to be fine now, but fail after configuring the failover pair, you at least know the issue is specific to the failover pair.
The “attack” looks as follows: Figure 13: FTP traversal “attack” The highlighted section is the command that actually trips the signature. The corresponding alert will look similar to the one shown in the FTP traversal alert figure.
Figure 14: Show details of Specific attack If you are interested in HTTP tests, you can instead try the following URLs from your favorite browser: http://serveraddress/inetpub/scripts/root.exe http://serveraddress/inetpub/scripts/cmd.exe Note: These exploits are specific to IIS. Caution: These URLs are synonymous with the Code Red and Nimda exploits, so they may trigger anti-virus software on the Web server as well.
Reality check - Asymmetric routing In the case in which the network has two active paths that route asymmetrically, these initial intrusion tests might not be successful and you may even see false positives. In such a case, you can instead temporarily assign the All inclusive with audit policy to the interface(s) at hand to help confirm the scanning process, or skip testing for now and hope all goes well in the steps to follow.
CHAPTER 9 Defining the Network Security Platform Failover Pair Once McAfee® Network Security Sensors (Sensors) are known to be working independently, we are ready to define a failover Pair. It is by way of the failover Pair configuration that we ensure the Sensors share flow information under normal conditions and also fail over as required.
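The two behaviours this chapter relies on, the duplicate-alert rule (only the Sensor that receives a packet on its own monitoring port alerts; the peer that gets a copy over the heartbeat link only updates its flow state) and flow sharing under asymmetric routing (each Sensor sees only one direction of a flow on its own port, yet the Pair still assembles the whole flow), can be illustrated with a small model. The following is an added example written for this guide, not McAfee's code or the Sensor's real implementation: the Sensor, Packet and SIGNATURE names, the addresses, and the payloads are all constructed.

```python
"""Toy model of a Sensor failover pair (added illustration, not McAfee code).

Shows (a) the duplicate-alert rule: a packet copied from the failover peer is
used for flow state only and never raises a second alert, and (b) why sharing
flow state matters when routing is asymmetric.
"""
from dataclasses import dataclass, field

# Constructed, hypothetical "signature": any payload containing this byte string.
SIGNATURE = b"../.."


@dataclass(frozen=True)
class Packet:
    flow: tuple        # constructed flow key (client endpoint, server endpoint)
    direction: str     # "c2s" (client to server) or "s2c" (server to client)
    payload: bytes


@dataclass
class Sensor:
    name: str
    suppress_peer_alerts: bool = True        # the rule from "Preventing duplicate alerts"
    peer: "Sensor | None" = None
    flows: dict = field(default_factory=dict)  # flow key -> set of directions seen
    alerts: list = field(default_factory=list) # (flow key, alerting sensor name)

    def _record(self, pkt):
        self.flows.setdefault(pkt.flow, set()).add(pkt.direction)

    def receive_on_monitoring_port(self, pkt):
        """Packet arrived on this Sensor's own monitoring port: inspect, alert, share."""
        self._record(pkt)
        if SIGNATURE in pkt.payload:
            self.alerts.append((pkt.flow, self.name))
        if self.peer is not None:
            self.peer.receive_from_peer(pkt)   # copy goes over the heartbeat link

    def receive_from_peer(self, pkt):
        """Copy arrived from the failover peer: update flow state; alert only if the rule is off."""
        self._record(pkt)
        if not self.suppress_peer_alerts and SIGNATURE in pkt.payload:
            self.alerts.append((pkt.flow, self.name))   # the duplicate the rule prevents

    def has_full_flow(self, flow):
        """True when this Sensor has seen both directions of the flow."""
        return self.flows.get(flow) == {"c2s", "s2c"}


def pair(a, b):
    """Define the two Sensors as a failover Pair (cross-link their heartbeat)."""
    a.peer, b.peer = b, a


def simulate(paired, suppress_peer_alerts=True):
    """Run one asymmetrically routed exchange through Sensors A and B.

    Returns (total alerts raised, A sees whole flow, B sees whole flow).
    """
    a = Sensor("A", suppress_peer_alerts)
    b = Sensor("B", suppress_peer_alerts)
    if paired:
        pair(a, b)
    flow = ("10.0.0.5:40000", "192.0.2.10:21")   # constructed addresses
    # Asymmetric routing: client->server packets traverse A, server->client packets traverse B.
    a.receive_on_monitoring_port(Packet(flow, "c2s", b"RETR ../../x\r\n"))
    b.receive_on_monitoring_port(Packet(flow, "s2c", b"550 Permission denied\r\n"))
    total_alerts = len(a.alerts) + len(b.alerts)
    return total_alerts, a.has_full_flow(flow), b.has_full_flow(flow)


if __name__ == "__main__":
    print("standalone:", simulate(paired=False))                   # (1, False, False)
    print("paired:", simulate(paired=True))                        # (1, True, True)
    print("paired, rule off:", simulate(True, suppress_peer_alerts=False))  # (2, True, True)
```

Standalone, each Sensor sees only half of the flow, which is why the chapter on physical installation warns that initial tests under asymmetric routing may fail or produce false positives before the Pair is defined. Once paired, both Sensors hold the whole flow, and the duplicate-alert rule keeps the alert count at one.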
Once complete, the display of the user interface will change to reflect the existence of the new failover pair: Figure 16: Update configuration A new failover pair node now exists in the resource tree (left pane), as shown in the Failover Pair administration figure. That node contains icons for each interface taking part in the failover process. Also within the failover pair node is a list of its member Sensors.
CHAPTER 10 Cabling the heartbeat connection There is no standard heartbeat port across all McAfee® Network Security Sensor (Sensor) models. Instead, the port or ports you use to connect the two Sensors for failover depends directly on the model at hand.
GBIC cabling All Sensor models other than the I-1200 and I-1400 use a standard GBIC, Small Form-factor Pluggable (SFP) GBIC, or 10GbE Small Form-factor Pluggable (XFP) GBIC to make the heartbeat connection. Before you attempt to cable failover with a GBIC, complete the following steps: 1 Determine the appropriate GBIC (standard, SFP, or XFP) for the model at hand.
Important notes
• The monitoring ports and failover ports use the same GBIC. (There is no special GBIC required for the heartbeat connection.)
• All GBICs and fiber optic cables are sold separately from the Sensors. Note: McAfee officially supports only GBICs purchased from the McAfee price list.
The key to a successful fiber optic connection is to make sure the cable is crossed between the Sensors: Figure 19: Running Cables In the photo above, for example, the white connector is on the left side of the GBIC in the top Sensor and on the right side of the GBIC in the bottom Sensor.
cable connector type is indeed RJ45 and the maximum distance is that of standard twisted pair (100 meters). If desired, TX modules can be used to provide the failover connection. This is not traditionally done, however, because the SX modules are less expensive and have a greater maximum distance. Note: The TX module can only be used at 1000 Mbps; there is currently no option to run the TX module at 10/100 Mbps.
CHAPTER 11 Verifying the failover configuration The final steps are to:
• Confirm McAfee® Network Security Sensors (Sensors) are communicating over the heartbeat connection
• Test the failover setup
Confirming Sensor communication Once the failover pair has been configured, failover peer status errors will appear on the System Health Status page until you cable the heartbeat connection: Figure 20: Faults of Type: Warning Message for the Manager. Item 1: Click the link for specific fault detail.
From within the CLI, you can instead run the command from either Sensor. The output includes the failover Enabled and Peer Status fields.
1 Cold start both Sensors. 2 Reconnect the cabling between them. 3 Recreate the failover pair. 4 If GBICs are used, confirm that McAfee supplied them. Caution: Non-McAfee GBICs are known to create problems. If the GBICs used are not from the McAfee price list, temporarily swap them out for those that are before spending more time troubleshooting.
CHAPTER 12 Network Scenarios for Sensor High Availability In the use-case scenarios below, the term Active/Passive refers to the network topology and not the Sensor High Availability (HA) configuration. In Sensor HA, both Sensors are in the Active/Active state, meaning both Sensors will process traffic received on their respective monitoring ports. I-4010 Sensor in Load balanced Configuration Scenario: Two I-4010 Sensors are in a load-balanced configuration.
Solution: Each I-4010 can scan up to 2 Gbps at any time, whether standalone or part of an HA pair. In the above case, the aggregate throughput for the pair would be 2 Gbps, processed on each Sensor. As long as the traffic on the monitoring ports of the Sensors on both active links stays at or below an aggregate rate of 2 Gbps, the deployment works fine.