Installation guide

McAfee® Network Security Platform 6.0
Determining optimal Sensor location
Preventing duplicate alerts
To prevent the failover Pair from forwarding the same alert twice, each node in the Pair adheres to the following rules:

- The Sensor that received the attack packet on its monitoring port sends the signature alert to McAfee® Network Security Manager (Manager). (The Sensor that gets a copy of the attack packet from its failover peer does not send an alert.)
- The Sensor forwarding the alert also takes the configured response action, such as sending a TCP reset.
- The Sensor that has been online the longest is responsible for sending all reconnaissance and DoS alerts to the Manager.
- In the event that both Sensors have been up for exactly the same amount of time, the Sensor with the higher value serial number will be responsible for sending all reconnaissance and DoS alerts.
The reality check is that because the previous “stacked” configuration results in attacks arriving on the monitoring ports of both Sensors (unless blocking is enabled), this configuration will cause some duplicate alerts to be generated. The details are as follows:

- There will be no issue with reconnaissance and DoS attacks because one Sensor in a failover Pair is always dedicated to sending these alerts.
- There will be no issue with TCP signature attacks either, thanks to the stateful nature of the scanning engine. That is, even though both Sensors will get the attack packet on their monitoring ports, the second Sensor will actually get the packet on its failover port first. When it subsequently gets the packet for a second time on its monitoring port, the packet will be recognized and treated as a duplicate packet. The duplicate packet will be forwarded along, but no alert will be generated.
- However, because UDP and ICMP are not stateful, the same logic does not apply to those packets. Instead, UDP and ICMP attacks will create duplicate alerts in this configuration.
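The following simulation is an added illustration of the rules above and is not McAfee Network Security Platform code. It models a failover Pair in the stacked topology, where every attack packet hits both monitoring ports and each Sensor copies it to its peer over the failover link before the peer's own monitoring-port copy arrives. The Sensor names, serial numbers, uptimes and the five sample packets are constructed values; the point is to show which alerts the Manager receives once, and which ones (UDP and ICMP signature alerts) arrive twice.

```python
"""Simulation of alert de-duplication in a failover Sensor pair.

Illustrative example added to the text, not McAfee code. Sensor names,
serial numbers, uptimes and the packets below are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str   # "TCP", "UDP" or "ICMP"
    flow: tuple  # (src, dst, sport, dport) identifying the stream
    seq: int     # position of the packet within that flow
    kind: str    # "signature", "recon" or "dos"


@dataclass
class Sensor:
    name: str
    serial: int
    uptime_s: int
    response: str = "tcp_reset"                   # configured response action
    seen: set = field(default_factory=set)        # stateful engine's TCP memory
    alerts: list = field(default_factory=list)    # alerts sent to the Manager
    responses: list = field(default_factory=list)

    def receive(self, pkt, port, reporter):
        """Apply the pair's rules to a packet arriving on 'monitor' or 'failover'."""
        key = (pkt.proto, pkt.flow, pkt.seq)
        if port == "failover":
            # A copy from the peer never produces an alert, but the stateful
            # engine remembers TCP packets so the later monitoring-port copy
            # is recognised as a duplicate.
            if pkt.proto == "TCP":
                self.seen.add(key)
            return
        if pkt.kind in ("recon", "dos"):
            # Reconnaissance and DoS alerts come from one dedicated Sensor.
            if self is reporter:
                self.alerts.append((pkt.kind, pkt.proto, pkt.flow, pkt.seq))
            return
        if pkt.proto == "TCP":
            if key in self.seen:
                return  # duplicate packet: forwarded along, no alert
            self.seen.add(key)
        # UDP and ICMP carry no state, so nothing suppresses a second alert.
        self.alerts.append(("signature", pkt.proto, pkt.flow, pkt.seq))
        self.responses.append((self.response, pkt.flow))


def designated_reporter(a, b):
    """Sensor that sends recon/DoS alerts: longest online; on an exact
    uptime tie, the one with the higher serial number."""
    return max((a, b), key=lambda s: (s.uptime_s, s.serial))


def run_stacked(a, b, packets):
    """Deliver packets as the stacked topology does: both monitoring ports
    see each packet, and the peer's failover copy arrives first."""
    reporter = designated_reporter(a, b)
    for pkt in packets:
        a.receive(pkt, "monitor", reporter)
        b.receive(pkt, "failover", reporter)
        b.receive(pkt, "monitor", reporter)
        a.receive(pkt, "failover", reporter)
    return reporter


def alert_counts(*sensors):
    """Alerts the Manager receives, keyed by (kind, proto)."""
    counts = {}
    for s in sensors:
        for kind, proto, _flow, _seq in s.alerts:
            counts[(kind, proto)] = counts.get((kind, proto), 0) + 1
    return counts


def duplicated_alerts(a, b):
    """Alerts both Sensors raised for the same packet."""
    return sorted(set(a.alerts) & set(b.alerts))


# Constructed traffic: one attack packet per protocol/kind combination.
SAMPLE_PACKETS = [
    Packet("TCP", ("10.0.0.5", "10.0.1.20", 40001, 80), 1, "signature"),
    Packet("UDP", ("10.0.0.6", "10.0.1.21", 5000, 53), 1, "signature"),
    Packet("ICMP", ("10.0.0.7", "10.0.1.22", 0, 0), 1, "signature"),
    Packet("TCP", ("10.0.0.8", "10.0.1.23", 40002, 22), 1, "recon"),
    Packet("UDP", ("10.0.0.9", "10.0.1.24", 5001, 123), 1, "dos"),
]


def simulate(packets=SAMPLE_PACKETS):
    """Run a constructed pair (equal uptime, so serial breaks the tie)."""
    a = Sensor("sensor-A", serial=1001, uptime_s=86400)
    b = Sensor("sensor-B", serial=1002, uptime_s=86400)
    reporter = run_stacked(a, b, packets)
    return reporter.name, alert_counts(a, b), duplicated_alerts(a, b)
```

Calling `simulate()` returns `sensor-B` as the recon/DoS reporter (equal uptime, higher serial), one alert each for the TCP signature, recon and DoS packets, and two alerts each for the UDP and ICMP signature packets, which `duplicated_alerts` lists as the entries both Sensors raised. When tuning the Manager, those are the alert types an operator should expect to see doubled in a stacked failover deployment without blocking enabled.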
Summary
If the current network failover topology has been configured in a logical fashion, you will no
doubt see a pattern as you research the existing infrastructure. In this case, follow that
pattern when you add the Sensors. If the current topology does not follow a logical pattern,
address the issue before you consider adding Network Security Platform failover, and
avoid the possibility of Network Security Platform taking the blame for a flaw in the network
design.