M-6050 Sensor Product Guide revision 2.0 McAfee® IntruShield® IPS IntruShield M-6050 Sensor version 4.
COPYRIGHT Copyright ® 2001 - 2009 McAfee, Inc. All Rights Reserved. TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.
Contents Preface ........................................................................................................... v Introducing McAfee IntruShield IPS .............................................................................................. v About this guide............................................................................................................................. v Audience ....................................................................................................
Cabling for in-line ........................................................................................................................ 20 Cabling for TAP mode ................................................................................................................. 21 Cabling for SPAN or hub mode ................................................................................................... 21 Cabling the Failover interconnection ports .......................................................
Preface This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
McAfee® IntruShield® IPS 4.1 Preface M-6050 Sensor Product Guide Contacting Technical Support • • • • • • Chapter 2: Before You Install contains system specifications, and the safety and usage requirements for the sensors. Chapter 3: Setting up an M-6050 describes the preliminary steps you must follow prior to configuring the sensor.
McAfee® IntruShield® IPS 4.1 Preface M-6050 Sensor Product Guide Conventions used in this guide • Special Topics Guide • Database Tuning • Best Practices • Denial-of-Service • Sensor High Availability • Custom Roles Creation • In-line Sensor Deployment • Virtualization • Troubleshooting Guide • Release Notes Additionally, you might want to refer to the Getting Started Guide or various configuration guides.
McAfee® IntruShield® IPS 4.1 Preface M-6050 Sensor Product Guide Conventions used in this guide Convention Example Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. Warning: Notes that provide related, but non-critical, information are denoted using this notation.
CHAPTER 1 Overview This chapter provides an introduction to IntruShield sensors. About IntruShield sensors IntruShield sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of intrusions, misuse, and distributed denial of service (DDoS) attacks.
McAfee® IntruShield® IPS 4.1 Overview M-6050 Sensor Product Guide M-6050 key features The IntruShield sensor is purpose-built for the monitoring of traffic across one or more network segments. For more information on IntruShield, see the Getting Started Guide. Following is an example of a network topology using Gigabit Ethernet throughput. In the illustration, IntruShield provides IPS and Alert Viewer protection to outsourced servers.
McAfee® IntruShield® IPS 4.1 Overview M-6050 Sensor Product Guide M-6050 physical description dull-duplex Ethernet segments or eight 1 Gigabit SPAN ports transmitting aggregated traffic.
McAfee® IntruShield® IPS 4.1 Overview M-6050 Sensor Product Guide M-6050 physical description 5 Eight 10 Gigabit small form-factor pluggable (XFP) 10 Gigabit Monitoring ports, which enable you to monitor eight SPAN ports, four full-duplex tapped segments, four segments in-line, or a combination (that is, two full-duplex segment, four SPAN ports). The Monitoring interfaces of the M-6050 work in stealth mode, meaning they have no IP address and are not visible on the monitored segment.
McAfee® IntruShield® IPS 4.1 Overview M-6050 Sensor Product Guide M-6050 physical description LED Status Description Pwr A (Power A) • OK • • ~AC Green Power Supply A is functioning. Amber Power Supply A is not functioning. Green Power Supply in AC mode. Green Power Supply B is functioning. Amber Power Supply B is not functioning. Green Power Supply in AC mode. Pwr B (Power B) • OK • • ~AC Note: If a power supply is not present, both green and amber LEDs are off.
McAfee® IntruShield® IPS 4.1 Overview M-6050 Sensor Product Guide M-6050 physical description LED Status Description Fail-Open Control Port Speed Green The link is enabled. Off The link is disabled. Fail-Open Control Port Link Amber There is an error. Off There is no error.
CHAPTER 2 Before You Install Usage Restrictions The following restrictions apply to the use and operation of an IntruShield sensor: • • • • You may not remove the outer shell of the sensor. Doing so will invalidate your warranty. The sensor appliance is not a general purpose workstation. McAfee prohibits the use of the sensor appliance for anything other than operating the IntruShield IPS.
McAfee® IntruShield® IPS 4.1 Before You Install M-6050 Sensor Product Guide Working with Fiber-Optic ports • To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables.
McAfee® IntruShield® IPS 4.1 Before You Install M-6050 Sensor Product Guide Unpacking the sensor Unpacking the sensor To unpack the sensor: 1 Place the sensor box as close to the installation site as possible. 2 Position the box with the text upright. 3 Open the top flaps of the box. 4 Remove the accessory box. 5 Verify you have received all parts. These parts are listed on the packing list and in Contents of the sensor box. 6 Pull out the packing material surrounding the sensor.
CHAPTER 3 Setting up an M-6050 This chapter describes the process of setting up a sensor to prepare it for configuration. Setup Overview Setting up a sensor involves the following steps: 1 Positioning the sensor. (See below.) 2 Installing interface modules (SFP and XFP). 3 Attaching power, network, and monitoring cables. (See Attaching Cables to the M-6050 sensor.) 4 Powering on the sensor. (See Powering on the sensor.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Positioning the sensor 2 Disassemble the slide rail by pulling the inner rail out and pushing the side latch in to separate. 3 Attach the inner rail to the chassis by fastening it with the screws provided. 4 Attach the ear to each side of the chassis. Mount L-shape and external rail to your rack frame. The adjustable end of the Lshape rail is intended for placement at the back of your rack.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Using the redundant power supply Using the redundant power supply A basic configuration of the M-6050 includes one hot swappable supply. You may install a second hot-swappable power supply (purchased separately from McAfee) for redundancy. Each of these modules has one handle for insertion or extraction from the unit as well as a release latch.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Cabling the sensor Removing the power supply To remove a power supply from the M-6050 (Optional—the power supplies are hotswappable): 1 Unplug the power cable from its power source and remove the power cable from the power supply. 2 Put on an antistatic wrist or ankle strap. Attach the strap to a bare metal surface of the chassis. 3 Push the release latch inward toward the handle.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Using Small Form-factor Pluggable modules module may be slightly different. Check the module manufacturer’s installation instructions for more details. For ease of installation, insert the module in the sensor while it is powered down and before placing it in a rack. Caution: To prevent eye damage, do not stare into open laser apertures.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Power-on the sensor Installing a module To install a module with a bail clasp, follow these steps: 1 Remove the module from its protective packaging. 2 Ensure the module is the correct model for your network. 3 Locate the label on the module and ensure that the alignment groove is down. Note: For SFP modules, turn the module so that its label is on top. For XFP modules, turn the module so that its label is on bottom.
McAfee® IntruShield® IPS 4.1 Setting up an M-6050 M-6050 Sensor Product Guide Powering off the sensor Note: If you are installing a redundant power supply, you should install it as described in Installing a power supply. For true redundant operation with the optional redundant power supply, McAfee recommends that you plug each supply into a different power circuit. The M-6050 sensor has no power switch. The sensor powers on as soon as one of its power cables is connected to a power source.
CHAPTER 4 Attaching Cables to the M-6050 Follow the steps outlined in this chapter to connect cables to the various ports on your sensor. Cabling the Console port The Console port is used for setup and configuration of the sensor. 1 For console connections, plug the DB9 Console cable supplied by McAfee into the Console port (labeled Console on the sensor front panel).
McAfee® IntruShield® IPS 4.1 Attaching Cables to the M-6050 M-6050 Sensor Product Guide Cabling the Response port Name Setting Baud rate 38400 Number of bits 8 Parity None Stop bits 1 Flow Control None Cabling the Response port The sensors’ Response ports are used to send responses to attacks; when operating in TAP or SPAN mode, for example, you cannot inject response packets via a tap. You must use a Response port.
McAfee® IntruShield® IPS 4.1 Attaching Cables to the M-6050 M-6050 Sensor Product Guide Cabling the Monitoring port 2 Connect the other end of the cable to the network device (for example, hub, switch, router) that in turn connects to the Manager server. Note: To isolate and protect your management traffic, McAfee strongly recommends using a separate, dedicated management subnet to interconnect the sensors and the Manager.
McAfee® IntruShield® IPS 4.1 Attaching Cables to the M-6050 M-6050 Sensor Product Guide Cabling for in-line Note: You cannot configure, for example, IA and 2A to work together as a pair. Figure 9: Port pair Default monitoring port speed settings Be sure that the switch/router ports connected to the sensor Monitoring ports match the sensor configuration.
McAfee® IntruShield® IPS 4.1 Attaching Cables to the M-6050 M-6050 Sensor Product Guide Cabling for TAP mode 1 Plug the cable appropriate for use with your Gigabit Ethernet into one of the ports labeled xA (for example, 1A). 2 Plug another cable into the peer of the port used in Step 1. This port will be labeled xB (for example, 1B). 3 Connect the other end of each cable to the network devices that you want to monitor.
McAfee® IntruShield® IPS 4.1 Attaching Cables to the M-6050 M-6050 Sensor Product Guide Using Fail-Open hardware To connect two M-6050s for failover: 1 Plug the cable appropriate for use with your XFP module into port 4A of the active sensor. 2 Connect the other end of the cable to port 4A of the standby sensor.
CHAPTER 5 Troubleshooting This section lists some common installation problems and their solutions. Problem Possible Cause Solution LED is off. The control cable has been disconnected. Check the control cable and ensure it is properly connected to both the sensor and the Bypass Switch. LED is off. The sensor is powered off. Restore sensor power. LED is off. The sensor port cable is disconnected. Check the sensor cable connections. Sensor is operational, but is not monitoring traffic.
APPENDIX A Sensor Technical Specifications The following table lists the specifications of the M-6050 sensor. Sensor Specifics Dimensions Description Without mounting ears/rails/cable management: • • • Width: 16.75 in. (41.91 cm) Height: 3.5 in. (8.89 cm) Depth: 30.00 in. (76.20 cm) Dimensions do not include cables or power cords. Weight 47 lbs (21.31 kg) Voltage Range 100-240VAC Frequency 50/60Hz Vibration, operating Sinusoidal: 3 to 500 Hz @ 0.15 gpk Random: 2.5 to 200 Hz @ 0.
APPENDIX B Regulatory, Compliance, and Safety Information The M-6050 meets the following standards: Sensor Regulatory, Safety, and Compliance Regulatory Products with the CE Marking are compliant with the 89/336/EEC and 73/23/EEC directives, which include the safety and EMC standards listed.
McAfee® IntruShield® IPS 4.
APPENDIX C Sensor Capacity The following table lists the sensor's capacity to handle data operations within the following categories: Operation Type Maximum Capacity Concurrent connections 1,000,000 Connections established per sec. 25,000 Concurrent SSL Flows (2.1.