McAfee Network Security Manager

Acronyms and Terms

NIPS: Network Intrusion Prevention System NSP: McAfee Network Security Platform MDR: Manager Disaster Recovery
GTI: Global threat Intelligence Sensor: Physical device

Current Setup:
– 1 NSM
– 2 Sensors (NS9200)

Device Details:


1. Database – Depending on hard drive, Memory etc. Maximum sensor 50 for 1 Manager.
– Note: You don’t want to put many sensor in manager.
2. Stop/Prevent/Detects happen in sensor.
3. Signature Detection –
Best practice to run (2:2 | 4:4) 2nd week tuesday and 4th week Thursday
4. TCP port 443 use for NSM 1 to NSM2 Secure Communication .
5. How many sensors can be deployed with NSM?
– In live and busy network 10-20 Sensors

High availability and Disaster Recovery  | Large Sensor Deployments

– NSM 1 and NSM 2 talk to each over every 1 minute.
– NSM 1 send update to NSM 2 every 15 minutes.
– If NSM 1 is unreachable after 5 minutes (Default Value), Sensor will verify then NSM 2 will act as secondary.
– NSM and Sensor talks every 2 minutes

If you need to setup NSM in different geo location required latency is below 100ms.

6. If you want to ensure operation of your NSP environment?
– Best meets to our need is Manager Disaster Recovery (HA)
7. If all NSM is down. All sensor alerts is saved on the sensor buffer (100kmax)

Difference of IDS and IPS
– IDS: Detects and report
– IPS: Detect, Report and stop.

Two NSM Deployment options:

Single NSM
– With a single NSM deployment, there is a single NSP server in the network the runs the NSM interface. NSP client access the NSM interface from this single server.

Central NSM
– The central NSM is a centralized system managing multiple NSMs. The central NSM architecture consist of a central NSM, which is interconnected to various NSMs. Central NSM manages configurations and pushes them globally to NSMs.

Determining Database Requirements
– Requirements vary, depending on deployment scenario.

How to Reset / Clear configuration on database.
– Follow the below photo for path


Public Key Infrastructure (Public and Private key)

Virtualization (Sub-interface)
– Create Vlan and CIDR Interface
– Apply different policies to multiple sub-interface

## Scenario: If we want flexibility in applying a unique policy for trunked traffic. To do this, you modify the properties for the port pairs g1/1-2 for your NS9200 in the Domain root admin domain.

1. Make sure you are logged in as the administrator.
2. Go to Menu bar > Device page.
3. Select Sensor (NS9200)
4. Select interface | Under interface, Click properties.
5. For Interface type, select VLAN from the drop-down list. Click OK on Message Prompt and alert.
6. Edit Vlan and save
7. Add Vlan Sub-interface and save
8. Configure CIDR (Select Interface then on drop down list select CIDR)
9. Add CIDR Sub-Interface

## We used CIDR addressing in our network if we want to segment network traffic to CIDR for more flexibility in applying multiple policies to traffic sub-flows.

Operating Modes
1. Switch Port Analyzer (SPAN | Mirror)
– SPAN port forwards incoming/outgoing to Sensor for monitoring
– Traffic is half-duplex.
– Response port sends TCP Reset
Note: SPAN Mode do not prevent attacks from reaching their target.
2. Test Access Point (TAP)
– Full Duplex
– Split into separate transmit and receive channel.
– The tap makes an exact copy of traffic on full-duplex Ethernet segment, and sends this information to the sensor analysis.
3. In-line
– Directly in line or in path

Every Pair port can be configure in different mode.

Note: We have Port Pair in PP 1 is inside 1 is outside. Ex. (pair g/1 and g/2)
SPAN mode do not prevent attacks from reaching their target

Fail-Close and Fail-Open (FOR IN-LINE ONLY)
Sometimes sensor is out of service. Default is Fail close.

This will be depending on your environment. In our case we are telco packet should always continue. But in Banking they use fail close because IPS is very important.

Recommended for asymmetric routing environment.

S1 sends state table to S2 real time so that if sensor 1 fail, Sensor 2 now all the transaction of your packet.
We need to use same model for HA setup and Crossover Fiber (TXRX/RXTX).

Note: Sensor always need to talk to manager. So we need to complete hardware requirements.

1. What if we are using old version, is it okay to upgrade to the latest version.
– We need to verify first if there’s no prerequisite on software version (Multipath upgrade). Verify first the release notes.
– If accidentally upgrade to wrong version (Manager/Sensor Upgrade) it will affect your system.

Ask your self before setting up (Placing your IPS)
1. What do we need to protect?
2. Where is the possible attack coming?

1. Tacacs+ (Up to 4 servers)
2. SNMP v3
3. Loggings

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s