McAfee® IntruShield® IPS System Best Practices
Special Topics, version 200510
McAfee Network Protection: Industry-leading intrusion prevention solutions
COPYRIGHT © 2002 - 2005 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the McAfee, Inc. legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.
Table of Contents
1 IntruShield Best Practices ... 1
  Contents of this document ... 1
  Pre-installation considerations ... 2
    Hardware requirements ... 2
    Determining your database size
McAfee® IntruShield® IPS System 2.1 User-Defined Signatures Developer's Guide
  Unsupported SSL functionality
  Sensor performance with HTTP Response processing
    HTTP Response processing enabled for both inbound and outbound traffic
    HTTP Response processing enabled in one direction only (inbound OR outbound)
1 IntruShield Best Practices
This document discusses recommended practices for using IntruShield most effectively. Topics covered include installation, tuning, rule set creation, connectivity, and maintenance.
McAfee® IntruShield® IPS System IntruShield Best Practices, Special Topics: Best Practices

Pre-installation considerations
Hours and even days can be saved during the IntruShield installation and tuning process if you are fully prepared. The IntruShield Troubleshooting Guide spells out the list of tasks that you should complete before you schedule your IntruShield Manager software installation. The IntruShield Troubleshooting Guide is a new document as of release 3.
Deploying a large number of sensors
What is a “large number of sensors”? For the purposes of this document, deployment size is broken down into Small, Medium, Large, and Very Large.
Facilitating troubleshooting
Alert traffic: if “chatty” policies are deployed on the sensors, the resulting alerts passed to the Manager can starve IntruShield Manager (ISM) resources. The more sensors with high-volume alerting, the more data you will have to sift through as you tune your policies.
Ensuring connectivity between the sensor and other network devices
This pushes the sensor into Layer 2 Passthru (L2) mode, so traffic flows through the sensor while bypassing the detection engine. Check whether your services are still affected; if they are, you have eliminated certain sensor hardware issues, and the problem is more likely a network issue or a configuration issue.
Valid auto-negotiation and speed configurations
The table below summarizes all possible settings of speed and duplex for IntruShield sensors and switch ports.
Use the following commands to verify fixed interface settings on some Cisco devices that connect to IntruShield sensors:

Cisco PIX® Firewall:
  interface ethernet0 100full

Cisco CSS 11000:
  interface ethernet-3
  phy 100Mbits-FD

Cisco Catalyst® 2900XL, 3500XL Series (Hybrid):
  interface FastEthernet0/2
  duplex full
  speed 100

Cisco Catal
Switch port counters to check:

Counter: Rcv-Err
Description: This is an indication that the receive buffer is full.
Possible causes: This is an indication of excessive output rates of traffic. This is also an indication of the receive buffer being full. This counter should be zero unless there is excessive traffic through the switch.
Auto-negotiation
Auto-negotiation issues typically do not result in link establishment issues. Instead, auto-negotiation issues mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in half-duplex (also known as a duplex mismatch), errors and retransmissions can cause unpredictable behavior in the network.
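The duplex-mismatch and error-counter checks described above can be automated so that both ends of a sensor link are compared in one step rather than read by eye. The following Python script is an added example; it is not McAfee's or Cisco's code. The interface text it parses is constructed to resemble "show interfaces" style output, and the field layout (the "Full-duplex, 100Mb/s" line and the comma-separated counter line) is an assumption made for the example rather than any device's exact format.

```python
"""Compare both ends of a sensor link for duplex/speed mismatches and
non-zero error counters (the counters the page says should be zero).

Added illustration, not McAfee's or Cisco's code. The sample output below
is constructed; real 'show interfaces' text differs per platform, so the
regular expressions are assumptions to adapt to your own device output.
"""
import re

# Constructed sample: a Catalyst port (assumed half-duplex after failed
# auto-negotiation) and the IntruShield monitoring port (full-duplex).
SWITCH_PORT = """\
FastEthernet0/2 is up, line protocol is up
  Half-duplex, 100Mb/s
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 2213 collisions, 0 interface resets
"""

SENSOR_PORT = """\
Port 1A is up, line protocol is up
  Full-duplex, 100Mb/s
  57 input errors, 57 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets
"""

# "<number> <counter name>" pairs; only the counters we care about.
COUNTER_RE = re.compile(
    r"(\d+)\s+(input errors|CRC|frame|overrun|ignored|output errors|collisions)"
)


def parse_interface(text):
    """Return duplex ('full'/'half'), speed in Mb/s and the counters found."""
    duplex = re.search(r"(Full|Half)-duplex", text)
    speed = re.search(r"(\d+)Mb/s", text)
    counters = {name: int(value) for value, name in COUNTER_RE.findall(text)}
    return {
        "duplex": duplex.group(1).lower() if duplex else None,
        "speed": int(speed.group(1)) if speed else None,
        "counters": counters,
    }


def check_link(switch_text, sensor_text):
    """Return a list of findings for one link; an empty list means clean."""
    switch, sensor = parse_interface(switch_text), parse_interface(sensor_text)
    findings = []
    # A duplex mismatch is the classic auto-negotiation failure mode.
    if switch["duplex"] != sensor["duplex"]:
        findings.append(f"duplex mismatch: {switch['duplex']} vs {sensor['duplex']}")
    if switch["speed"] != sensor["speed"]:
        findings.append(f"speed mismatch: {switch['speed']} vs {sensor['speed']}")
    # Error counters on either end should be zero on a healthy link.
    for label, end in (("switch", switch), ("sensor", sensor)):
        for name, value in end["counters"].items():
            if value:
                findings.append(f"{label}: {name} = {value} (expected 0)")
    return findings


if __name__ == "__main__":
    for finding in check_link(SWITCH_PORT, SENSOR_PORT):
        print("WARN", finding)
```

Run it against captured output from both ends of each monitoring link; any finding other than an empty list is a reason to pin speed and duplex on both sides, as the Cisco commands above do, before looking for a sensor fault.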
Initial tuning
Many of the top alerts seen on the initial deployment of a sensor will be common false positives seen in many environments. Typically, at the beginning of the tuning process, it will be evident that your network or security policy affects the overall level of alerts. If, for instance, AOL IM is allowed traffic on the network, then there might not be a need to alert on AOL IM set-up flows.
Sensor actions
There are multiple sensor actions that are available for configuration per attack. These include:

Dropping Further Packets: Only works in in-line mode. Drops a detected attack packet and all subsequent packets in the same flow.

Firewall Action: The sensor communicates with a designated firewall to dynamically configure ACLs.
Creating rule sets
Proper creation of rule sets is essential to eliminating false positives and ensuring maximum protection on your network. These best practices can assist when creating rule sets in the IntruShield Manager.

Default Inline IPS
A rule set is configured based on attack category, operating system, protocol, application, severity, and benign trigger probability options.
Note: See Chapter 4 of the Manager Administrator’s Guide for more details on port clustering.

Maintenance, backup, and database tuning
Perform regular manual backups of your database using the Backup feature in the Manager software. Your configuration tables are saved by default once a week on Saturday. See Backup on page 15 for more information on backup best practices.
Alerts and disk space maintenance
Disk space maintenance is an important task that must be completed to ensure efficient running of the Manager. In order to develop best practices for database maintenance, it is important to understand the lifecycle of an alert.

Alert states
Alerts exist in one of three states: unacknowledged, acknowledged, and marked for deletion.
Purge.bat
The purge.bat script enables on-demand deletion of alerts and packet log data from your database. Alerts and packet logs can be deleted if they are older than a specified number of days, or if they have been marked for deletion via the Alert Viewer tool. Purge.bat also offers to automatically start dbtuning.bat immediately after the purge is completed.
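To make the two purge criteria and the three alert states concrete, here is an added Python example (not McAfee's purge.bat and not its database schema) that selects which alert records a purge would remove. The record layout, the fixed reference time, and the choice to treat an alert exactly N days old as "older than N days" are assumptions made for the example.

```python
"""Select alerts for purging by the two criteria the page describes:
older than N days, or marked for deletion in the Alert Viewer.

Added illustration, not McAfee's purge.bat. The record layout and the
inclusive age boundary are assumptions made for this example.
"""
from datetime import datetime, timedelta

# The three alert states from the page.
UNACKNOWLEDGED = "unacknowledged"
ACKNOWLEDGED = "acknowledged"
MARKED_FOR_DELETION = "marked_for_deletion"

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2005, 10, 1, 12, 0, 0)

# Constructed alert records; ages chosen to exercise the boundary cases.
ALERTS = [
    {"id": 1, "time": NOW - timedelta(days=45), "state": ACKNOWLEDGED},
    {"id": 2, "time": NOW - timedelta(days=3), "state": UNACKNOWLEDGED},
    {"id": 3, "time": NOW - timedelta(days=1), "state": MARKED_FOR_DELETION},
    {"id": 4, "time": NOW - timedelta(days=30), "state": UNACKNOWLEDGED},
    {"id": 5, "time": NOW - timedelta(days=29, hours=23), "state": ACKNOWLEDGED},
]


def select_for_purge(alerts, older_than_days, now=NOW):
    """Return (ids to purge, ids to keep), preserving input order.

    An alert is purged if it is marked for deletion, or if its detection
    time is at or before the cutoff. Note that the age rule applies
    regardless of acknowledgement state: an unacknowledged alert older
    than the threshold is purged too, so review before running a purge.
    """
    cutoff = now - timedelta(days=older_than_days)
    purge, keep = [], []
    for alert in alerts:
        if alert["state"] == MARKED_FOR_DELETION or alert["time"] <= cutoff:
            purge.append(alert["id"])
        else:
            keep.append(alert["id"])
    return purge, keep


def count_by_state(alerts, ids):
    """Summarize how many of the given ids are in each state (dry-run report)."""
    summary = {UNACKNOWLEDGED: 0, ACKNOWLEDGED: 0, MARKED_FOR_DELETION: 0}
    wanted = set(ids)
    for alert in alerts:
        if alert["id"] in wanted:
            summary[alert["state"]] += 1
    return summary


if __name__ == "__main__":
    purge, keep = select_for_purge(ALERTS, older_than_days=30)
    print("purge:", purge, count_by_state(ALERTS, purge))
    print("keep: ", keep)
```

Running the selection as a dry run and reviewing the per-state summary before the real purge catches the case the page's lifecycle implies: old alerts that nobody ever acknowledged are removed by the age rule just like acknowledged ones.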
Access Control Lists (ACL)
Test restoration of backups periodically to ensure that a backup was successful and valid. The best way to do this is to perform a “test” restore of the backup on a secondary, non-production Manager. The 'Config Tables' option backs up only the table information relating to configured tasks. This option is enabled by default to occur every Saturday night.
Working on performance issues
Most performance issues are related to switch port configuration, duplex mismatches, link up/down situations, and data link errors.
SSL best practices
Note that there is a performance impact when using the SSL detection feature. The following are the SSL throughput measurements and test methodologies for the 2.1 release.

Test methodology:
  SSL-only traffic (throughput)
  Session resumption for 4 out of 5 TCP connections
  5 HTTP 1.
Sensor   Max. SSL Connections/Sec.   SSL Throughput   HTTP 1.1 Throughput   Total Throughput
I-2600   100                         25 Mbps          475 Mbps              500 Mbps
I-2600   200                         50 Mbps          350 Mbps              400 Mbps
I-3000   200                         50 Mbps          860 Mbps              910 Mbps
I-3000   400                         105 Mbps         475 Mbps              580 Mbps
Max. SSL Connections / Sec.
Cipher suites:
  TLS_RSA_WITH_NULL_MD5
  TLS_RSA_WITH_NULL_SHA
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA

Unsupported SSL functionality
The following SSL functionalities are not supported:
  iPlanet Web servers
  Diffie-Hellman ciphe
Sensor performance with HTTP Response processing

Max. aggregate HTTP traffic (across entire sensor):
Sensor   I-1200   I-1400   I-2600   I-2700   I-3000   I-4000   I-4010
Mbps     72       129      200      210      430      740      860

HTTP Response processing enabled in one direction only (inbound OR outbound)
The following table shows sensor performance with HTTP response processing enabled for a single direction:
Max.