
Module 3: Planning McAfee® Network Security Platform Deployment

McAfee Network Security Platform 10.1 Administration

McAfee Confidential

© 2020 McAfee M03 - 1 McAfee Confidential


Module Goals
What You Will Learn

By the end of this module you should be able to:

• Describe deployment options.
• Identify solution requirements.
• Describe Sensor deployment.
• Describe the key deployment considerations.

McAfee Confidential Education Services 2

The McAfee® Network Security Manager (Manager or NSM) is the central management component for the
McAfee® Network Security Platform (NSP).
What You Will Learn
In this module, you will learn about deployment planning considerations, such as the deployment options and
solution requirements.
Module Goals
The module goals are:
• Define deployment options.
• Identify solution requirements.
• Describe Sensor deployment.
• Describe the key deployment considerations.



Choosing a Deployment Option
Two Paths

Manager Appliance (purchased from McAfee):
• Preloaded software
• Fully-configured
• Proprietary

Customer-supplied Server (off-the-shelf):
• Self-installed software
• Configuration required
• Non-proprietary platform

The Manager Appliance is a 1-U rack dense chassis with an Intel Processor.
Refer to McAfee.com for more information about the appliance.


NSP supports two Manager (NSM) deployment paths. The customer-supplied server deployment path is the focus of this
module and course.
Network Security Manager Appliance
The appliance is ordered from McAfee. This unit is preloaded with the NSM software for rapid deployment. The appliance
is part of the McAfee Network Security Platform Intrusion Prevention System and is a 1-U rack dense chassis with an Intel
processor.
Appliances
McAfee recommends that you use Intel-based appliance models.
Customer-Supplied Server Deployment
With a customer-supplied server deployment, the NSM software is manually installed on a supported 64-bit Windows
Server or a supported virtual platform. More setup is required; however, there is more flexibility in the platform
choice, and the platform is open (non-proprietary). Customer-supplied hardware and software must meet the
specifications for the NSM release planned for installation.



Deployment Requirements and Recommendations
Customer-supplied Server Deployment

Required:
Server:
• Manager (NSM) server with embedded NSP-supplied MariaDB database.
• Supported web browser.
• Static IP addresses for NSM server.
Client:
• Packet log viewing program (protocol analyzer), such as Wireshark.
• Client machine.
• Supported web browser.
Sensors:
• One or more Sensors.
• Static IP addresses for Sensors.

Recommended:
• Anti-virus and firewall software for Windows-based Manager.
• Optional: Virtual infrastructure.


This slide highlights base platform requirements and recommendations for a customer-supplied server deployment.

You must have Administrator/root privileges on your Windows server to install the Manager software properly, and to
install the embedded MariaDB database that is set up for Windows Managers during Manager installation.

NOTE: Do NOT install the NSM software on a domain controller.



NSM Server Requirements

Disk space   300 GB (minimum); 500 GB or more (recommended)
Processor    Server model processor, such as Intel® Xeon®
Memory       16 GB (minimum); 32 GB or more (recommended)
Monitor      32-bit color, 1440 x 900 display (minimum)
Network      1 Gbps card (minimum); 1 Gbps card (recommended)


The NSM software runs on a dedicated Windows server. The larger your deployment, the more high-end your NSM server
should be. Many NSP issues result from an under-powered NSM server. It is recommended that you exceed the minimum
recommendations, wherever possible.



NSM Server Requirements (Continued)

OS
• Windows Server 2016 Standard Edition (recommended)
• Windows Server 2012 Standard or Datacenter Edition
• Windows Server 2012 R2 Standard or Datacenter Edition
• Windows Server 2016 Standard or Datacenter Edition

Linux
• McAfee Linux Operating System (MLOS)

Database
• NSM-supplied version of MariaDB
• Embedded on the target server
• The MariaDB must be a dedicated one that is installed on the Manager.
• If you have MariaDB previously installed on the Manager server, uninstall the previous version
and install the Network Security Platform version.


The recommended operating system is Windows Server 2016 Standard Edition.
At minimum, these operating systems are supported:
• Windows Server 2012 Standard Edition English operating system
• Windows Server 2012 Standard Edition Japanese operating system
• Windows Server 2012 Datacenter Edition English operating system
• Windows Server 2012 Datacenter Edition Japanese operating system
• Windows Server 2012 R2 Standard Edition English operating system
• Windows Server 2012 R2 Standard Edition Japanese operating system
• Windows Server 2012 R2 Datacenter Edition English operating system
• Windows Server 2012 R2 Datacenter Edition Japanese operating system
• Windows Server 2016 Standard Edition English operating system
• Windows Server 2016 Standard Edition Japanese operating system
• Windows Server 2016 Datacenter Edition English operating system
• Windows Server 2016 Datacenter Edition Japanese operating system
• Windows Server 2019 Standard Edition English operating system
• Windows Server 2019 Standard Edition Japanese operating system
• Windows Server 2019 Datacenter Edition English operating system
• Windows Server 2019 Datacenter Edition Japanese operating system
Note: Only x64 architecture is supported.

MLOS: McAfee Linux Operating System (MLOS) is a McAfee proprietary, standardized Linux-based platform on
which various McAfee security appliances are built.

Database requirements
The Manager requires communication with a database for archiving and retrieving data.
The Manager installation set includes a database for installation (that is, embedded on the target Manager server). You
must use a supported operating system listed under Server requirements, and must use the Network Security Platform-
supplied version of MariaDB (currently 10.3.13) and J-connector version 2.4.0. The MariaDB must be a dedicated instance
installed on the Manager.
If you have MariaDB previously installed on the Manager server, uninstall the previous version and install the Network
Security Platform version.
For more information on MariaDB, refer to https://mariadb.com/.



NSM Client Requirements

Processor   1.5 GHz (minimum); 2.4 GHz or faster (recommended)
Memory      8 GB (minimum); 16 GB (recommended)
Browser     Windows:
            • Mozilla Firefox 70.0 or above
            • Google Chrome 76.0 or above
            Mac:
            • Safari 8 or 9
OS          Windows:
            • Windows 10 - English or Japanese
            • Any operating system mentioned for the Manager Server
            • Display language must be the same as the Manager Server
            Mac:
            • Yosemite
            • El Capitan
Monitor     32-bit color, 1440 x 900 display (minimum)


The requirements for the NSM Client are listed below. The NSM Client connects to the server using a supported web
browser.
The following are the 10.1 Manager/Central Manager client requirements when using Windows 10:
• Operating system – Windows 10, English or Japanese (minimum)
• Windows 10, version 1903, English or Japanese (recommended)
The display language of the Manager client must be the same as that of the Manager server operating system.
• RAM – 8 GB (minimum), 16 GB (recommended)
• CPU – 1.5 GHz processor (minimum), 2.4 GHz or faster (recommended)
• Monitor – 32-bit color, 1440 x 900 display setting (minimum); 1920 x 1080 (or above)
Browser – minimum
• Mozilla Firefox
• Google Chrome
To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.
Browser – recommended
• Mozilla Firefox 70.0 or later
• Google Chrome 76.0 or later
For the Manager/Central Manager client, in addition to Windows 10, you can also use the operating systems
mentioned for the Manager server.
The following are the Central Manager and Manager client requirements when using Mac:
Mac operating system
• Yosemite
• El Capitan
Browser – Safari 8 or 9



Windows Display and Browser Settings
Guidelines

• Set monitor display to 32-bit color.
• Set monitor's screen area to 1440 x 900 pixels.
• Turn off automatic update settings in your browser.
• Ensure the browser does not cache pages.
• To avoid the certificate mismatch error and security warning, add the Manager web certificate to
the trusted certificate list.

You experience better performance in your configuration and data-forensic tasks by connecting to the
NSM from a browser on the client machine.


Monitor Display
Right-click on the Desktop, select Screen Resolution, go to Advanced Settings > Monitor, and set Colors to
True Color (32 bit).
Monitor Screen Area
Right-click on the Desktop and select Screen Resolution. Set Resolution to 1440 x 900.



Virtual Server Minimum Requirements

Virtualization software   ESXi 6.5 Update 3; ESXi 6.7 Update 3
Processor                 Intel Xeon® CPU E5335 @ 2.00 GHz; Physical Processors – 2;
                          Logical Processors – 8; Processor Speed – 2.00 GHz
Memory                    16 GB – 32 GB recommended
Internal disks            300 GB minimum; 500 GB or more recommended


We have looked at the requirements for deployment on a physical server. The table shows system requirements for
hosting the NSP Central NSM/NSM server on a VMware platform.



Virtual Machine Requirements

OS
• Windows Server 2012 R2 Standard or Datacenter Edition (Server with a GUI), English OS
• Windows Server 2012 R2 Standard or Datacenter Edition (Server with a GUI), Japanese OS
NOTE: Windows Server 2012 R2 Standard Edition is recommended.

Linux                McAfee Linux Operating System (MLOS)
Virtual processors   2 minimum; more than 2 recommended
Memory               16 GB minimum; 32 GB or more recommended
Disk space           300 GB minimum; 500 GB or more recommended


The virtual machine requirements are shown in the table. Remember, it is recommended to exceed the minimum
requirements, if possible.



NSP Sensor Support

Model                 NSP 9.2       NSP 10.1
M-series Sensors      EOL, but still supported
NS-series Sensors     Supported     Supported
Virtual IPS Sensors   Supported     Supported

For more information, refer to KB87925 – Current Network Security Platform software version information (last
modified December 9, 2019). Also refer to KB91760 – End of Life for Network Security Platform NS9100, NS9200,
NS9300, and NS9500 Sensor Appliances (last modified October 14, 2019).


With the 10.1 release, the NS3500 Sensor supports 200 Mbps throughput.
In the 10.1 release, heterogeneous environments with Virtual IPS Sensors for NSX, AWS, Azure, and OCI are not
supported.


Upgrade paths for Sensor software versions (continued)

Minimum required Sensor software versions


NS-series (NS3100, NS3200, NS3500, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300):

NS9500 Sensor (Standalone):


NS9500 Sensor (Stacked):

NS3500 Sensor:

NS-series (NS7150, NS7250, NS7350):


End of Life for Network Security Platform NS9100, NS9200, and NS9300 Sensor Appliances – KB91760

McAfee announces the End of Sale for Network Security Platform NS9100, NS9200, and NS9300 Sensor appliances
effective October 14, 2019. As of this date, the appliances will no longer be available for purchase.

Network Security Platform NS9100, NS9200, and NS9300 Sensor appliances will reach End of Life (EOL) and End of Support
on September 30, 2024. Existing Sensor appliance customers will receive support until that date, in accordance with the
Enterprise Products End of Life Policy.

NOTE: This notice is not applicable to federal customers and the product will be available on the federal price book while
supplies last.

These appliances have been replaced with Network Security Platform NS9500 series Sensor appliances as follows:

• NS-9100 -> NS9500-10
• NS-9200 -> NS9500-20
• NS-9300 -> NS9500-40

For the NS9500, we decoupled the hardware and software licenses to help future proof hardware upgrades by supporting
throughput-based entitlements. The above mapping is platform to platform, rather than SKU to SKU.

For more information about all SKUs that are reaching End of Sale, refer to the McAfee Product & Technology Support
Lifecycle page.

McAfee announces the End of Sale for McAfee Network Security Sensor Appliances. The End of Sale date was December
31, 2016. As of this date, the M-Series family of products and associated accessories was no longer available for purchase.


M-Series will reach End of Life and End of Support on December 31, 2021. Existing M-Series Sensor Appliance customers
will receive support until that date, in accordance with the Enterprise Products End of Life Policy.

The replacement product is McAfee Network Security Platform NS-Series Appliances.


For product lifecycle details, refer to the McAfee Product and Technology Support Lifecycle page at:
http://www.mcafee.com/us/support/support-eol.aspx.

For End of Life (EOL) policy details, refer to the Corporate Products EOL policy at: https://www.mcafee.com/enterprise/en-
us/assets/misc/support-policy-product-support-eol.pdf.

This section details the requirements to upgrade the Sensor software to 10.1. In this section, the term Sensor
refers to NS-series Sensors unless otherwise specified.

Note: If you are using a hot-fix release, contact McAfee Support for the recommended upgrade path.

You must first purchase a license to enable the outbound SSL decryption feature. To obtain a demo license for outbound SSL
decryption, contact MB Licensing. An email containing the license will be sent from MB Licensing. If
you are a first-time user, you must register with your email ID and Grant number to log in to the portal. In the Service
Portal, click Patches and Downloads to register and log in to the portal.



NSP Server Ports

Port   Type         Description
22     TCP          SSH (remote console access)
25     TCP          NSM to SMTP server
49     TCP          Sensor to TACACS+ server
162    UDP          NSM to SNMP server
389    TCP          NSM to LDAP server (no SSL)
443    TCP          NSM 1 to NSM 2 and NSM 2 to NSM 1 (secure communication for MDR);
                    NSM to NTBA Appliance (bidirectional)
514    UDP or TCP   NSM to Syslog server (Syslog forwarding/ACL logging)
636    TCP          NSM to LDAP server (SSL)
8443   TCP          ePO Console communication

Be sure to notify IT of port requirements, especially if you plan to use non-standard ports.


The table shows the ports that are used on the NSP server. It is recommended that you keep the Sensor and NSM
management ports on the same internal network for security and management reasons.

Alert: The NSP product documentation states the need to disable other web services prior to installing the NSM. This is
because the NSM server has to integrate with the Apache server, which is shipped along with the NSM installation package.
Because other web services use ports 80 and 443, the NSM installation fails if the other web services are not disabled,
because it cannot run the Apache server.

Close all open programs, including email, the Administrative Tools > Services window, and instant
messaging before installation to avoid port conflicts. A port conflict may prevent the application from
binding to the port in question because it will already be in use.

Note: The Manager is a standalone system and should not have other applications installed.

Refer to the KB Ports and traffic destinations used by Network Security Platform – KB59342.



NSP Server Ports (Continued)

Port   Type   Description
1812   UDP    NSM to RADIUS server
3306   TCP    Internal to NSM, to connect to the MariaDB database. Can also be used externally to
              connect to the database
4166   UDP    Command Channel. UDP source port to bind IPv4 and IPv6 (Java 1.7u45 and
              higher). NSM <-> Sensor (bidirectional)
4167   UDP    Command Channel. UDP source port number for the SNMPv3 command
              channel (cannot be used to bind IPv4 and IPv6)
8007   TCP    Tomcat AJP12 – Internal to NSM
8009   TCP    Tomcat AJP13 – Internal to NSM
8500   UDP    Command Channel. NSM to Sensor communication (default SNMPv3 port)
              (bidirectional)
8501   TCP    Install Port. Sensor to NSM communication (bidirectional)
8502   TCP    Alert Channel (Control Channel). Sensor to NSM communication (bidirectional)


Ports 4166 and 4167


Manager uses port 4167 as the UDP source port to bind for IPv4 and port 4166 for IPv6. If you have Sensors behind a
firewall, you need to update your firewall rules accordingly such that ports 4167 and 4166 are open for the SNMP
command channel to function between those Sensors and the Manager. This applies to a local firewall running on the
Manager server as well.



NSP Server Ports (Continued)

Port   Type   Description
8503   TCP    Packet Log Channel. Sensor to NSM communication (bidirectional)
8504   TCP    File Transfer Channel. Sensor to NSM communication (bidirectional)
8506   TCP    Install channel. 2048-bit encryption (bidirectional)
8507   TCP    Alert/control channel. 2048-bit encryption (bidirectional)
8508   TCP    Packet log channel. 2048-bit encryption (bidirectional)
8509   TCP    Bulk file transfer channel. 2048-bit encryption (bidirectional)
8510   TCP    Bulk file transfer channel. 1024-bit encryption (bidirectional)
8551   TCP    Lumos Nameserver – Internal to NSM (RMI/IIOP)
8552   TCP    JONAS Nameserver – Internal to NSM (RMI)


2048-bit Encryption
The NSM and Sensor have so far established trust using 1024-bit certificates. With the growing need for enhanced security,
this connection is being upgraded to be encrypted using 2048-bit certificates. NSP 8.1 and later support heterogeneous
environments, which accommodate both 1024-bit and 2048-bit encryption. The NSM is both 1024 and 2048-bit capable and
can manage Sensors running on 2048-bit capable and/or 1024-bit capable software versions.
The upgrade from 1024-bit to 2048-bit encryption is done automatically with no user intervention necessary. Once done,
use the status command to view the encryption type, and the show command to view the ports used for 2048-bit encryption.

1024-bit Encryption
When a Sensor with software that does not support 2048-bit encryption is loaded and the NSM is upgraded to a version
that supports 2048-bit encryption, the Sensor can establish trust with the NSM using 1024-bit certificates.



Desktop Firewall Requirements
Desktop Firewall Recommended

• Deny connections not initiated by localhost.
• Make sure required ports are open:
  • UDP: 4166, 4167, and 8500.
  • TCP: 22, 443, 8501, 8502, 8503, 8504, 8506, 8507, 8508, and 8555.
• Block connections to ports 3306, 8007, 8009, 8551, and 8552.
• To ensure there are no ports open other than what is required, use a scanning tool.

If you use non-standard ports, ensure that those ports are also open on the firewall.


A desktop firewall on the NSM server is recommended. Certain ports are used by the components of McAfee Network
Security Platform. Some of these are required for Manager-to-Sensor and Manager client-server communication. All
remaining unnecessary ports should be closed.
If a firewall resides between the Sensor, NSM, or administrative client, which includes a local firewall on the NSM, the
following ports must be opened:
• UDP ports 4166, 4167, and 8500
• TCP ports 22, 443, 80, 8501-8510, and 8555

It is strongly recommended that you configure a packet-filtering firewall to block connections to ports 8551, 8552, 3306,
8005, 8007, and 8009 of your NSM server. The firewall can be either host-based or network-based. Configure the
firewall to deny connections to these ports if the connections are not initiated by the localhost. The only connections
allowed are those from the NSM server itself (localhost); for example, if another machine attempts to connect to port 8551,
8552, 3306, 8005, 8007, or 8009, the firewall must automatically block any packets sent. If you need assistance in blocking
ports, contact Technical Support.

Note: If you use non-default ports for the install port, alert port, and log port, ensure that these ports are also open on the
firewall.

McAfee recommends that you do not change the firewall settings in the Linux-based Manager.
Use a scanning tool such as Vulnerability Manager to ensure that there are no ports open other than what is required.
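The port requirements above, put into a form that can be applied to a Windows-based Manager. This PowerShell script is an added example written for this page; it is not McAfee's tooling and is not taken from the course material. It assumes the built-in Windows Defender Firewall is the host firewall (the course does not name one), and that, as with that firewall by default, loopback traffic is not filtered, so the Manager's own connections to MariaDB (3306) and the Tomcat/nameserver ports keep working while every other source is blocked. The port lists are the ones in the notes above (TCP 22, 80, 443, 8501-8510, 8555; UDP 4166, 4167, 8500; block 3306, 8005, 8007, 8009, 8551, 8552); the rule names prefixed "NSM-" are this example's own choice.

```powershell
# Added example (not from the McAfee course material): Windows Defender Firewall
# rules for an NSM server derived from the port lists in this module, followed by
# a local listening-port audit. Run in an elevated PowerShell session on the NSM.
#
# Assumptions not stated in the course: the host firewall is Windows Defender
# Firewall with Advanced Security, and it does not filter loopback traffic, so the
# Manager's own connections to the blocked (internal-only) ports still succeed.

# Ports that Sensors and administrative clients must be able to reach on the NSM.
$AllowTcp = @(22, 80, 443, 8555) + (8501..8510)
$AllowUdp = @(4166, 4167, 8500)

# Internal-only ports: MariaDB, Tomcat shutdown/AJP, and the RMI nameservers.
# The module says these must be refused from any source other than localhost.
$BlockTcp = @(3306, 8005, 8007, 8009, 8551, 8552)

# Rule-name prefix chosen for this example so the rules can be found and replaced.
$Prefix = 'NSM-'

# Remove earlier copies of these rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Explicit block rules take precedence over allow rules in Windows Firewall,
# so this rule wins even if a broader allow rule exists elsewhere on the host.
New-NetFirewallRule -DisplayName "${Prefix}Block internal-only TCP ports" `
    -Direction Inbound -Protocol TCP -LocalPort $BlockTcp `
    -RemoteAddress Any -Action Block -Profile Any | Out-Null

# Allow the Sensor channels, web console, SSH and MDR/NTBA traffic (TCP).
New-NetFirewallRule -DisplayName "${Prefix}Allow Sensor and client TCP ports" `
    -Direction Inbound -Protocol TCP -LocalPort $AllowTcp `
    -Action Allow -Profile Any | Out-Null

# Allow the SNMPv3 command channel (UDP).
New-NetFirewallRule -DisplayName "${Prefix}Allow Sensor command channel UDP ports" `
    -Direction Inbound -Protocol UDP -LocalPort $AllowUdp `
    -Action Allow -Profile Any | Out-Null

# Audit: list every non-loopback TCP listener and flag those outside the set the
# module documents. This is a local check, not a replacement for the external
# port scan the module recommends; it only shows what is listening, not what is
# reachable from the network.
$Expected = $AllowTcp + $BlockTcp
$Unexpected = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    Select-Object -ExpandProperty LocalPort -Unique |
    Where-Object { $_ -notin $Expected } |
    Sort-Object

if ($Unexpected) {
    Write-Warning "Unexpected TCP listeners on this NSM server: $($Unexpected -join ', ')"
} else {
    Write-Output 'No unexpected TCP listeners found.'
}
```

If you have moved the install, alert or log channels to non-default ports, add those ports to $AllowTcp before running the script, as the note above requires. After applying the rules, confirm the result from a second host with a scanner, since the local audit cannot show whether a listener is actually reachable through the firewall.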



Using Anti-Virus Software with the NSM
Possible Conflicts with NSM Operations

Exclude:
• <NSM installation directory>\MariaDB\ and its sub-folders.
• <NSM installation directory>\App\temp\tftpin\malware\ and its sub-folders.

• Anti-virus software might scan every temporary file created in the NSM installation directory,
slowing performance.
• Endpoint Security may delete essential MariaDB files, if \MariaDB\ and its sub-folders are not
excluded.
• Make sure the firewall is not blocking SMTP.


Some of the NSM's operations might conflict with the scanning processes of McAfee VirusScan Enterprise (VSE) or any
other anti-virus software running on the NSM.
Folder Exclusions
The anti-virus software might scan every temporary file created in the NSM installation directory, which might slow down
the NSM's performance. Be sure to exclude the NSM installation directory and its sub-directories from the anti-virus
scanning processes, specifically these folders:
• <NSM installation directory>\MariaDB\ and its sub-folders. If these folders are not excluded, VirusScan may
delete essential MariaDB files.
• <NSM installation directory>\App\temp\tftpin\malware\ and its sub-folders.
SMTP Connections
By default, VirusScan blocks all outbound connections over TCP port 25. This helps reduce the risk of a compromised host
propagating a worm over SMTP using a homemade mail client. VirusScan avoids blocking outbound SMTP connections
from legitimate mail clients, such as Outlook and Eudora, by including the processes used by these products in an
exclusion list.
The NSM uses the JavaMail API to send SMTP notifications. If you enable SMTP notification and run VirusScan
8.x or above, you must add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within
VirusScan Enterprise (VSE), you see a Mailer Unreachable error in the NSM Operational Status each time the NSM
attempts to connect to its configured mail server.


To add the exclusion, follow these steps:

1. Launch the VirusScan Console.
2. Right-click the task called Access Protection and choose Properties from the right-click menu.
3. Highlight the rule called Prevent mass mailing worms from sending mail.
4. Click Edit.
5. Append java.exe to the list of Processes to Exclude.
6. Click OK to save the changes.



Wireshark
www.wireshark.org or www.wireshark.com

A protocol analyzer such as Wireshark is recommended to capture packets for network
troubleshooting and analysis.


Install a packet log viewing program to be used in conjunction with the Attack Log interface. Your packet log
viewer, also known as a protocol analyzer, must support the library packet capture (libpcap) format. This viewing
program must be installed on each client you intend to use to remotely log onto the Manager to view packet
logs.
Wireshark (formerly known as Ethereal) is recommended for packet log viewing. Wireshark is a network
protocol analyzer for Windows servers that enables you to examine the data captured by your Sensors. For
information on downloading and using Wireshark, go to www.wireshark.com.

Note: Installation of third-party applications is not supported in the Linux based Manager.



Single and Central NSM Deployments
Different from MDR Deployment

[Diagram: a Single NSM on its own, compared with a Central NSM (Manager of Managers) above several NSMs]

A Central NSM is not the same as having an NSM Disaster Recovery (MDR) configuration. An MDR configuration enables
you to have a standby NSM in case the primary NSM fails.


There are two NSM deployment options: Single NSM or a Central NSM.

Single NSM
With a Single NSM deployment, there is a single NSP server in the network that runs the NSM interface. NSP Clients access
the NSM interface from this single server.

Central NSM
The Central NSM is a centralized system managing multiple NSMs. The Central NSM architecture consists of a Central NSM,
which is interconnected to various NSMs. Central NSM manages configurations and pushes them globally to NSMs.
Configurations are pushed to the Sensors indirectly through NSMs.

If you have a large Sensor deployment (for example, 200 Sensors deployed across various geographic locations), consider
using a Central NSM at your organization's headquarters and deploy a dedicated NSM for each region. Each NSM handles
the daily device operations for all Sensors configured to it.

When you use a Central NSM, your regional/local NSMs can add their own region-specific rules, but cannot modify any
configuration established by the Central NSM. Configuration updates to the Sensors must be applied through the local
NSMs.



Central NSM Deployment
Benefits

• Single sign-on mechanism.
• Management hierarchy that centralizes policy creation, management, and distribution.


The Central NSM provides a single sign-on mechanism to manage the authentication of global users across all NSMs.

In addition, a Central NSM allows users to create a management hierarchy that centralizes policy creation, management,
and distribution across multiple NSMs. For example, you can create a policy in the Central Manager and synchronize across
all NSMs added to that Central Manager. This avoids manual customization of policy at every Manager.

Reminder: A Central NSM installation is not the same as a Manager Disaster Recovery (MDR) configuration. An MDR
configuration enables you to have a standby NSM available in cases where the Primary NSM fails. The MDR feature is
available for deployments where the following conditions are met:
• Two NSMs (called Primary and Secondary) are available. The Primary is in active mode and the Secondary in
standby mode.
• The Primary and Secondary use the same NSM software release version.
• The Primary and Secondary NSMs share the same database structure.
This feature is discussed in more detail later in the course.



Determining Database Requirements
Considerations

• Requirements vary, depending on deployment scenario.
• Aggregate alert and packet log volume from all Sensors:
  • Alert with no packet log = 350 bytes (average).
  • Alert with packet log = 1300 bytes (average).
• Larger Sensor deployments require more space than small Sensor deployments.
• Lifetime of alert/packet log data.

Maintaining data for a long period of time (for example, one year) requires additional storage capacity to accommodate
both old and new data.


The database houses the alert and packet log data that your Sensors generate, as well as system files, logs, and so forth.
The integrity and availability of this data is essential to ensure proper system operation.
The amount of space required for your database is governed by many factors, mostly unique to the deployment scenario.
These factors determine the amount of data you want to retain in the database and the time for which the data has to be
retained.
Things to consider while determining your database size requirements are:
• Aggregate alert and packet log volume from all Sensors: Many Sensors amount to a higher alert volume and
require additional storage capacity. Note that an alert is roughly 2048 bytes on average, while a packet log is
approximately 1300 bytes.
• Lifetime of alert and packet log data: You need to consider the time before you archive or delete an alert.
Maintaining your data for a long period of time (for example, one year) requires additional storage capacity to
accommodate both old and new data.
As a best practice, McAfee recommends archiving and deleting old alert data regularly, and attempting to keep your active
database size to about 60 GB.
For more information, refer to the Capacity Planning section in the McAfee Network Security Platform Manager Administration
Guide.



Determining Database Requirements (Continued)
Example: One year of storage

Alerts/Week (no packet)   DB Size (One Year) in GB
10,000                    0.3
50,000                    1.7
100,000                   3.3
200,000                   6.7
500,000                   16.7
1,000,000                 33.4


For comparison, generating 10,000 alerts per week is low, while 1,000,000 alerts per week is high. If you are generating
1,000,000 alerts per week, it is recommended that you check your applied NSP policies to determine whether you are applying a
policy that is an exact match for your protected network environment.



Sensor Deployments
Workflow

Pre-installation:
• Stagger your Sensor deployment in phases.
• Know traffic capacities at the points where the Sensor is located.
• Choose Sensor location and deployment modes.
• Identify capacity limitations.
• Determine location (domain) in the NSM.
• For physical Sensors, ensure there is appropriate rack space and power.
• Build a test plan.

Installation:
• Have a computer available for direct console connection to the Sensor for initial configuration.
• Configure name, network, secret key, and establish trust.
• Ensure you have HyperTerminal or PuTTY.
• Ensure network connectivity between the NSM and the Sensor.
• Know what adjacent devices to connect to for network monitoring.


To install a new Sensor, you should have the appropriate rack space and power in place. Once you unpack the Sensor, you
install the slide rail, add ears to the Sensor and mount the Sensor. More than one person should assist, since some Sensors
are very heavy. For those Sensors with removable power supplies, remove the power supplies before mounting. A
quick start guide covers all the steps in getting the Sensor initially up and running.
After a Sensor is in place, additional information is needed to complete the install, including:
 Ports used
 Port-to-Sensor connections
 Basic network configuration information, such as name and IP address
 Secret key for establishing trust



Sensor Deployments (Continued)
Scalable for Growth

Branch Site Enterprise Campus Data Center

A large network with many access points, file servers, and machines in use may require a larger
level of deployment than a small office with a single access point and few machines.


The NSP is built with growth in mind. The NSP can manage multiple Sensors, and your Sensor infrastructure can scale in
performance from 100 Mbps to multiple gigabits per second for monitoring network segments. McAfee gives you alternatives
in connectivity, from branch offices to internal network segments to the very core of your data center.

The size of your network and performance/bandwidth requirements determine the number and type of Sensors required
to successfully and efficiently protect your network. A large network with many access points, file servers, and machines in
use may require a greater number of Sensors with performance/bandwidth capabilities than a small branch office with a
single access point and few network machines.



Determining Sensor Placement

 Individual Company Decision
 Network size
 Critical servers
 Links and access points
 Monitoring at perimeter
 Security policy
 Traffic flow

When deploying Sensors, it is recommended to plan for 50 percent over the current speed.


Sensor placement is an individual company decision. Some things to consider are what assets you want to protect, the
configuration of your network, the location of your aggregation points, the type of traffic, traffic routing, and so on.
Existing Network Infrastructure and Corporate Security Policy
Understanding your network and corporate environment is the most difficult part, and probably the bulk of the work in
effective IPS deployment. It encompasses the following.
 Network topology
 Network address space being monitored
 Statically assigned server addresses
 VLAN
 Dynamic Host Configuration Protocol (DHCP)-assigned addresses
 Operating systems running on your servers
 Applications running on your servers
 Corporate security policy
Network Size
The size of your network determines the number of Sensors required to successfully and efficiently protect your network. A
large network with many access points, file servers, and machines in use may require a larger level of IPS deployment than
a small office with just a single access point and few machines. You must also factor in the redundancy requirements for
your network.

Continued on the next page.



Hidden


Access Points
You are only as strong as your weakest link. Intrusions coming in from the Internet are important to combat, but misuse
and intrusions attempted through the extranets or inside the corporate network are equally as critical to defend against. In
fact, research statistics show that insiders are the most common source of attacks.
Critical Servers
File servers containing financial, personnel, and other confidential information need protection from those people wishing
to exploit your critical information. These machines are extremely appealing targets. And, as discussed in the previous
section, insiders pose a threat that must be addressed.
Consider whether you need different levels of security for different parts of the organization. Assess how much of your
sensitive material is on-line, where it is located, and who has access to that material. In addition, estimate the typical
volume of network traffic generated by these systems. If you have already designed the sensor placement, show this on the
network diagram.
Traffic Flow
Bandwidth and traffic flow are crucial to running a successful enterprise network. Bandwidth requirements vary in an
enterprise network, as different applications and business functions have different needs. Bandwidth utilization on the
network segments that you need to monitor determines what type of Sensor will work best for you. NSP offers multiple
Sensors providing different bandwidths.
Monitoring of Security Operations
To successfully defend against intrusions, McAfee recommends dedicated monitoring of the security system. Network
intrusions can happen at any given moment, so having a dedicated 24-hour-a-day prevention system makes the security
solution complete and effective.
Monitoring at the Perimeter
Deployment at the perimeter does not protect you from internal attacks, which are among the most common sources of
attacks. Perimeter monitoring is also useless if a network has multiple ISP connections at multiple locations (such as one
Internet connection in New York and one in San Jose) and if you expect to see asymmetric traffic routing (that is, incoming
traffic comes through New York and outgoing traffic goes out through San Jose). The IPS simply will not see all the traffic it
needs to maintain state and detect attacks. Deployment in front of the servers that you want to protect both detects attacks from
internal users and deals effectively with the geographically diverse asymmetric routing issue.



Determining Sensor Placement (Continued)
Example Topology

[Figure: example enterprise topology. The Internet connection is at the Perimeter, with a Sensor protecting the DMZ; the
Internal segments (Manufacturing, VoIP, Sales, Engineering) each sit behind a Sensor; and a Sensor on the Core/Backbone
protects the ERP and CRM servers.]

NSP can protect your entire enterprise by locating Sensors in the appropriate places in the network. The figure is a high
level example of a possible topology.
 Perimeter: Block external attacks from getting into your network. You can place it in front of or behind the firewall,
as well as protect your Demilitarized Zone (DMZ) servers from malicious attacks.
 Internal: Define different policies of protection depending upon the group’s needs with one device. If Engineering
encounters an attack, the Sensor can quarantine the problem to just that segment.
 Core/Backbone: Protect critical core servers in the data center and protect your high-speed backbone.



Determining Number of Sensors
Can 100 Sensors Actually be Supported?

How many Sensors can be deployed with one NSM?


McAfee states that the Windows-based NSM and the Global Edition can support up to 100 Sensors, so can 100 Sensors
actually be supported? It depends.



Determining Number of Sensors (Continued)
Answer

 Highly dependent upon existing network factors and deployment options.
 No specific X=N response.
 General rule is not to exceed 50 Sensors for any given NSM.

 The Sensor and NSM exchange information generally every two minutes to verify the Sensor
status is Up (operating).
 When the Manager detects the first poll failure, it reduces the polling interval to every 30
seconds to verify the status of the communication channel and eliminate the possibility of a
failed poll due to packet loss.
 If the Sensor is still unreachable after 10 minutes, the polling frequency reverts to its normal
value of two minutes.


The number of Sensors you can effectively deploy with a single NSM is highly dependent on interrelated factors, so no
single solution works for all environments. Some factors depend on the Sensor’s implementation and how much alert
traffic the network generates. Other factors involve the size of the installation.
Consider:
 Number of updates per Sensor. Signature set and policy update times take progressively longer with each new
Sensor.
 Number of alerts and packet logs. The number of alerts and packet logs sent to the NSM is the true bottleneck for the
number of Sensors that an NSM can support. Under normal circumstances, the NSM should not receive more than
150 events per second. If this rate continues for a long period of time, the NSM becomes backlogged and is not
able to keep up with event processing.
 Non-tuned policies. Non-tuned policies have the potential to overload NSM resources with inbound alerts.
 System limitations, such as the number of Virtual IDS (VIDS) supported.
Rule: This answer is highly dependent upon existing network factors and deployment options. There is no specific X=N
response. A general rule of thumb is not to exceed 50 Sensors for any given NSM.
Note: The Sensor and NSM exchange information generally every two minutes to verify the Sensor status is Up (operating).
This is done to avoid issues such as a lost packet causing a failure alert. If the Sensor is still un-reachable after 10 minutes,
the polling frequency reverts to its normal value of two minutes.
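The two capacity figures in this module, the per-record storage sizes and 60 GB active-database target from the Determining Database Requirements section, and the 150 events per second Manager ingest guideline above, can be turned into a simple planning check. The following Python is an added example, not McAfee code: it models each Sensor's expected alert rate and the fraction of alerts that also carry a packet log (a planning assumption, not an NSP setting), projects weekly database growth, reports how many weeks of data fit under the target before archiving is needed, and flags a fleet whose average event rate exceeds the guideline. The Sensor loads at the bottom are constructed sample values; replace the byte sizes and rates with what your own Manager reports.

```python
"""Capacity-planning helper for the Manager database and event rate (added example, not McAfee code)."""
from dataclasses import dataclass
from typing import Optional, Sequence

GB = 1_000_000_000            # decimal gigabyte, as the course table uses
ALERT_BYTES = 2048            # average alert record size quoted in the module
PACKET_LOG_BYTES = 1300       # average packet log size quoted in the module
TARGET_DB_BYTES = 60 * GB     # suggested active database size
MAX_EVENTS_PER_SECOND = 150   # sustained ingest rate the Manager should not exceed
SECONDS_PER_WEEK = 7 * 24 * 3600


@dataclass(frozen=True)
class SensorLoad:
    """Expected load from one Sensor (constructed sample values)."""
    name: str
    alerts_per_week: int
    packet_log_ratio: float = 0.0   # assumed fraction of alerts that also send a packet log


def packet_logs_per_week(load: SensorLoad) -> int:
    return int(load.alerts_per_week * load.packet_log_ratio)


def weekly_growth_bytes(load: SensorLoad) -> int:
    """Database growth per week caused by one Sensor (alerts plus packet logs)."""
    return (load.alerts_per_week * ALERT_BYTES
            + packet_logs_per_week(load) * PACKET_LOG_BYTES)


def fleet_growth_bytes(loads: Sequence[SensorLoad]) -> int:
    return sum(weekly_growth_bytes(load) for load in loads)


def max_retention_weeks(loads: Sequence[SensorLoad],
                        target_bytes: int = TARGET_DB_BYTES) -> Optional[int]:
    """Whole weeks of data that fit under the target before archiving is required."""
    growth = fleet_growth_bytes(loads)
    if growth == 0:
        return None   # nothing is being written, so there is no limit to report
    return target_bytes // growth


def storage_plan(loads: Sequence[SensorLoad], retention_weeks: int,
                 target_bytes: int = TARGET_DB_BYTES) -> dict:
    """Project the database size for a retention period and say whether it fits the target."""
    growth = fleet_growth_bytes(loads)
    projected = growth * retention_weeks
    return {
        "weekly_growth_gb": round(growth / GB, 3),
        "projected_gb": round(projected / GB, 1),
        "fits_target": projected <= target_bytes,
        "max_retention_weeks": max_retention_weeks(loads, target_bytes),
    }


def fleet_events_per_second(loads: Sequence[SensorLoad]) -> float:
    """Average sustained event rate (alerts plus packet logs) the Manager must ingest."""
    events = sum(load.alerts_per_week + packet_logs_per_week(load) for load in loads)
    return events / SECONDS_PER_WEEK


def manager_overloaded(loads: Sequence[SensorLoad],
                       limit: float = MAX_EVENTS_PER_SECOND) -> bool:
    """True when the fleet's average rate exceeds the guideline; a cue to tune policies first."""
    return fleet_events_per_second(loads) > limit


if __name__ == "__main__":
    # Constructed fleet: a busy data-center Sensor and a branch Sensor that also logs packets.
    fleet = [SensorLoad("dc-core", 1_000_000), SensorLoad("branch-01", 100_000, 0.5)]
    print(storage_plan(fleet, retention_weeks=26))
    print(f"{fleet_events_per_second(fleet):.2f} events/s, overloaded={manager_overloaded(fleet)}")
```

Run as a script, the sample fleet grows by about 2.3 GB a week, so 26 weeks of retention overshoots the 60 GB target while 25 weeks fits; its average event rate is well under the guideline. The check is deliberately an average, since a Sensor's alert rate is bursty: an archive schedule based on it needs headroom, which is why the course's 50 percent over-provisioning advice for Sensors applies just as well to the Manager.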



High Availability and Disaster Recovery
Large Sensor Deployments

[Figure: Primary (Active) NSM and Secondary (Standby) NSM. The Sensors maintain alert and packet log data connections
with both Managers.]


Sometimes the worst happens. In this age, where outages to IT systems can cost millions of dollars in lost
revenue, lost productivity, and legal issues, every organization must face the near certainty of a system failure
occurring at a future date. Anticipating these events and planning corrective courses of action is now a
prerequisite to business success. Most organizations now employ some manner of business continuity
planning (BCP), a subset of which is disaster recovery planning (DRP). To this end, Network Security Platform
has long provided a Sensor high-availability configuration; but what if the worst should happen to your
Manager server?
Most companies are not willing to rely on the manual method of Manager data archival, restoration of
backups, and importing of exported policies to recover their Manager as part of their IPS DRP.
Enter the MDR feature. With MDR, two Manager servers are deployed as part of Network Security Platform.
One host is configured as the Primary system; the other as the Secondary. If the Primary Manager is found to be
unavailable during a health check, the Secondary Manager switches over after the defined time interval expires.
Each uses the same major release Manager software with mirrored databases; however, the two hosts’ hardware
configuration does not need to be identical. The Secondary Manager can be deployed anywhere—for example, at a
disaster recovery site, far from the Primary Manager.
The Primary Manager is the active Manager by default; this Manager communicates with the Update Server,
pushes configuration data to the Sensors, and receives alerts from the Sensors.
The Secondary Manager remains in a standby state by default. While in standby mode it monitors the health
status of the Primary Manager and retrieves Sensor configuration information from the Primary Manager at
configured intervals of time.

Note:
The Secondary Manager is a warm standby system; it will not guarantee state synchronization with the Primary Manager. It
does update configuration information at regular intervals (every 15 minutes), but it does not maintain state. (You can also
manually update Secondary Manager configuration rather than waiting for the automatic update.)

Continued on the next page…



Hidden


An MDR pair can manage both hardware Sensors and Virtual Sensors deployed in an AWS environment.
A Sensor connected to an MDR pair maintains communication with both Managers at all times. The Sensor sends alerts
and packet logs to both Managers. Real-time synchronization between the MDR pair ensures that the data present on the
active Manager is exactly mirrored on the standby.
If one of the Managers goes down, then after it comes back up it is updated with the alerts and packet log data it
missed during the next synchronization from the peer Manager. This synchronization restores missed alerts and packet
log data only from the previous 24 hours. The maximum number of alerts and packet logs restored by synchronization is
10,000.
Sensors can only be added to an active Manager. (A new Sensor added to the active Manager in an MDR pair establishes
trust first with the Primary Manager, and then attempts on its own to establish trust with the Secondary.)



Manager Disaster Recovery (MDR)
Switchover

 Can be manual/voluntary or involuntary.
 The Secondary Manager performs regular “health checks” on the Primary Manager.
 Once the Secondary Manager is active, the Primary moves to standby.
 All “in-flight transactions” are lost upon failover from Primary to Secondary Manager.
 Once the Primary Manager has recovered, you can switch control back to the Primary system.
 After switch-back, alert and packet log data is copied from Secondary to Primary Manager.
 McAfee recommends against making any configuration modifications on the Secondary Manager.
 You have a choice whether to retain the configuration on the Primary or overwrite it with
changes made on the Secondary.


Switchover, or failover from the Primary to the Secondary, can be manual/voluntary or involuntary.
Note: In a situation where you have planned manual downtime and the downtime is expected to be brief,
McAfee recommends that you manually suspend MDR, preventing the Secondary Manager from taking over
and becoming active. You can then resume MDR when the downtime period is over.
The Secondary Manager performs regular “health checks” on the Primary Manager. If the Primary Manager is
found to be unavailable during a health check by the Secondary Manager, the Secondary Manager waits for a
configurable time interval. If the Primary Manager is still unavailable after that time period elapses, control
then switches over to the Secondary Manager.
Note: You can switch over to the Secondary manually, as well.
Once the Secondary Manager is active, the Primary moves to standby. The Sensors are made aware of the
switchover, communicate with the Secondary Manager, and the system continues to function without
interruption.
All “in-flight transactions” are lost upon failover from Primary to Secondary Manager. For instance, if the
Primary Manager failed while a user was in the middle of a policy edit, the Secondary Manager will not be able
to resume the policy edit.
Note: The MDR feature, in fact, assumes that the Secondary Manager is a standby system, and that it will NOT
assume control indefinitely. The Primary Manager should be diagnosed and repaired, and be brought back
online.
While the Secondary Manager is active, McAfee recommends against making any configuration modifications
on the Secondary Manager, as these modifications could cause data synchronization problems when
the Primary Manager is restored.
Once the Primary Manager has recovered, you can switch control back to the Primary system. During this
switch back, if you have made configuration changes on the Secondary, you have a choice whether to retain
the configuration on the Primary or overwrite with changes made on the Secondary. After switch-back, alert
and packet log data is copied from Secondary to Primary Manager, and can be viewed in the Attack Log page.
Data is re-synchronized, the Sensors return to communicating with the Primary, and the system is restored
with the Primary Manager active and the Secondary Manager in standby mode.
Note: You can easily dissolve the MDR relationship between the two Managers and return either Manager to
stand-alone mode.



Implementation Process
Final Considerations

 Consider back-up and recovery plans.
 Identify test systems.
 Consider conflicts with existing products.
 Ensure end-user communications.
 Apply software updates.
 Perform validation testing.
 Consider change control phases and processes.


Some final considerations to ensure a successful deployment are listed below.

 Consider back-up and recovery plans: Ensure client servers and application servers are properly configured to
revert to the previous state in the event of any problems occurring from the actual application installation.
 Identify test systems: Identify test systems to use to test the initial deployment. Do not deploy NSP into a
production environment without testing the deployment first.
 Consider conflicts with existing products: Refer to the product documentation for potential issues with other
products working in the same environment, and any incompatibilities; for example, if you plan to use an existing
server to host the NSM software, make sure the server meets the platform requirements for NSP.
 Ensure end-user communications: Identify personnel to inform of changes to the environment; for example, advise
IT of NSP port usage (especially if using non-standard ports) and IP addresses.
 Apply software updates: Apply available software updates to your installation prior to full implementation. This
includes Microsoft operating system updates and patches.
 Perform validation testing: Identify the tests necessary to ensure proper system performance. This includes any
metrics used to measure success.
 Consider change control phases and processes: Change control processes ensure that changes proposed to your
environment’s information resources are reviewed, authorized, tested, implemented and released in a controlled
manner. This process and the relevant procedures depend on your company’s requirements. Refer to the next
page for more information about change control.
Continued on the next page.



Hidden


Change Control

Change control process typically includes the following phases:
 Preparing for change: Preparation, assessment and strategy development.
 Managing change: Detailed planning and change management implementation.
 Reinforcing change: Data gathering, corrective action, and celebrating successes.
Operational procedures for each of these phases should be developed to include, among others:
‐ Identifying, prioritizing, and implementing the change.
Key considerations for a change control strategy are:
 Defining requirements
 Determining inter-dependencies and compliance checks
 Assessing impacts
 Testing
 Evaluating user acceptance
 Planning releases
 Documenting changes
 Monitoring effects
 Defining roles and responsibilities
 Outlining emergency change details



Check your Learning
Fill in the Blank(s)

You are evaluating an existing Windows server to identify if it meets the hardware and software
requirements for NSM. The local administrator wants to use an instant messaging system to
communicate with remote administrators. Is this a supported configuration? Explain your answer.

_____________________________


Answer: The configuration is not supported. Use a dedicated server. Do not use the NSM server for non-secure
programs such as instant messaging or other non-secure Internet functions. Refer to the Deployment Requirements
and Recommendations.



Check your Learning
True – False

You experience better performance in your configuration and data-forensic tasks by connecting to the NSM
from a browser on the client machine.

A. True
B. False


Answer: A. True. Refer to the Windows Display and Browser Settings.



Check your Learning
Multiple choice: Choose the Correct Answer(s)

You have 200 Sensors deployed across various geographic locations and want
local and regional NSP administrators to be able to add their own region-
specific rules. Which deployment type best meets your needs?

A. Central NSM
B. Manager Disaster Recovery (MDR)
C. Update Server


Answer: A. Central NSM. Refer to the Single and Central NSM Deployments.



Check your Learning
Fill in the Blank(s)

You want to connect to the NSM server from a MAC with a Safari 6 or above
browser. Is this supported?

________________________________________________________________


Answer: You can connect to the NSM server from a MAC with a Safari 6 or above browser. Supported Windows
browsers are: Mozilla Firefox 20.0 or above, and Google Chrome 24.0 or above (App mode in Windows 8 is not
supported.) Refer to the NSM Client Requirements.



Check your Learning
Fill in the Blank(s)

As part of your business continuity planning, you want to ensure operation of your NSP environment.
What NSP configuration best meets your needs? Explain your answer.

________________________________________________________________


Answer: The NSP Manager Disaster Recovery (MDR) configuration best meets your needs. If the Primary Manager is
found to be unavailable during a health check, the Secondary Manager switches over after the defined time interval
expires. Refer to the High Availability and Disaster Recovery.



Review
Key Points

 The NSM software can be manually installed on a supported 64-bit Windows Server or a supported
virtual platform, or purchased from McAfee as pre-loaded software on a fully-configured Manager
Appliance.
 The NSM requires communication with a MariaDB database for the archiving and retrieval of data.
 A protocol analyzer such as Wireshark is recommended to review packets for network
troubleshooting and analysis.
 There are two NSM deployment options: Single NSM or Central NSM.
 The NSP can manage multiple Sensors, and your Sensor infrastructure can scale in performance
from 100 Mbps to multiple gigabits per second for monitoring network segments.
 NSP offers a high-availability Manager Disaster Recovery (MDR) configuration.


The slide highlights key points for this module. There is no lab for this module.



Lab Exercises
Lab 3: Network Security Platform Manager Installation

Goals:
 Install the NSP Manager Console / Lab Environment.
 Log onto the Manager using the Desktop NSM Short-cut.
 Log onto the Manager using Mozilla Firefox.
 Set up Demo-Run.bat to Simulate Lab Attacks.
 Launch the Demo-Run.bat and Confirm Alerts.
 Troubleshoot the Demo Installation.
Estimated Duration:
 45 minutes

Refer to the lab guide for the instructions.




McAfee and the McAfee logo, Network Security Platform are trademarks or registered trademarks of McAfee or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2020 McAfee.

McAfee Confidential. McAfee restricts the distribution of this training material to unauthorized audiences.

