Network Security Platform I

I-4010 Sensor Product Guide
Revision A
McAfee® Network Security Platform
COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Preface
  About this guide
    Audience
    Conventions
    What's in this guide
  Find product documentation
1 Introducing Network Security Sensors
  What is a Network Security Sensor?
    Functions of a Sensor
    Sensor platforms
    About the Network Security Platform I-4010 Sensor
2 Before you install
  I-4010 Sensor specifications
  Network topology considerations
  Safety measures
    About fiber-optic ports
  Usage restrictions
  Unpack the Sensor
    Contents of the Sensor box
3 Setting up the Sensor prior to configuration
  Setup overview
  Position the Sensor
    Install the ears on the chassis
  Redundant power supply for the Sensor
    Install a power supply
    Remove a power supply
  Installation of SFP modules
    Installing an SFP module for I-4010
    Remove an SFP module
    Copper SFPs for 10/100/1000 Fast Ethernet ports
  Cable the Sensor
  Power on the Sensor
    Power off the Sensor
4 Attaching cables to the Sensor
  Cable the Console port
  Cable the Auxiliary port
  Cable the Response ports
  Cabling information for the fail-open control ports
  Cable the Management port
  About cabling the Monitoring ports
  How to use peer ports
  Default Monitoring port speed settings
  Cable types for routers, switches, hubs, and PCs
  About the fail-open hardware
  Cable the Sensor to monitor in in-line mode
  Cable the Sensor SFP ports to monitor in external tap mode
  Cable the Sensor to monitor in SPAN or hub mode
  Cable the failover interconnection ports
  Cable Sensors for failover
  About the Gigabit Fail-Open kit
Index
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators: People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
What's in this guide
This guide contains the information necessary to set up your I-4010 Sensor model. The information
guides you through preconfiguring, cabling, and troubleshooting your Sensor.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

   To access...          Do this...
   User documentation    1 Click Product Documentation.
                         2 Select a product, then select a version.
                         3 Select a product document.
   KnowledgeBase         • Click Search the KnowledgeBase for answers to your product questions.
                         • Click Browse the KnowledgeBase for articles listed by product and version.
1 Introducing Network Security Sensors
This section describes the McAfee® Network Security Sensor (Sensor) in detail.
What is a Network Security Sensor?
A McAfee® Network Security Sensor (Sensor) is a high-performance, scalable, and flexible content
processing appliance built for the accurate detection and prevention of intrusions, misuse, and
distributed denial of service (DDoS) attacks.
Sensors are specifically designed to handle traffic at wire speed and to inspect traffic and detect
intrusions efficiently with a high degree of accuracy, and they are flexible enough to adapt to the
security needs of any enterprise environment. When deployed at key network access points, a Sensor
provides real-time traffic monitoring to detect malicious activity and responds to that activity as
configured by the administrator.
Once deployed and once communication is established, Sensors are configured and managed through
the McAfee® Network Security Manager (Manager) server.
The process of configuring a Sensor and establishing communication with the Manager is described in
later chapters of this guide. The Manager server is described in detail in the Getting Started Guide.
Functions of a Sensor
The primary function of a McAfee® Network Security Sensor (Sensor) is to analyze traffic on selected
network segments and to respond when an attack is detected. The Sensor examines the header and
data portion of every network packet, looking for patterns and behavior in the network traffic that
indicate malicious activity. The Sensor examines packets according to user-configured policies, or rule
sets, which determine what attacks to watch for, and how to respond with countermeasures if an
attack is detected.
If an attack is detected, a Sensor responds according to its configured policy. A Sensor can perform
many types of attack responses, including generating alerts and packet logs, resetting TCP
connections, "scrubbing" malicious packets, and even blocking attack packets entirely before they
reach the intended target.
Sensor platforms
McAfee offers multiple Sensor platforms providing different bandwidth and deployment strategies. This
document describes the I-4010 Sensor.
About the Network Security Platform I-4010 Sensor
The high-port-density Network Security Platform I-4010 Sensor, designed for high-bandwidth links, is
equipped to support six full-duplex Ethernet segments, or twelve SPAN ports for up to 2 Gbps of
aggregated traffic.
Ports on the I-4010 Sensor
Figure 1-1 The I-4010 Sensor
Name  Description
1     Management port
2     Console port
3     Auxiliary port
4     SFP Gigabit Ethernet Monitoring ports or Failover interconnection ports (6A and 6B only).
5     Response ports
6     Fail-Open Control ports
7     External Compact Flash port
8     Power Supply A
9     Power Supply B
The Sensor is a 2RU box, and is equipped with the following ports:
1 One 10/100 Management port, which is used for communication with the Manager server. You
  will assign an IP address to this Ethernet port during installation.
2 One RS-232C Console port, which is used to set up and configure the Sensor.
3 One RS-232C Auxiliary port, which may be used to dial in remotely to set up and configure the
  Sensor.
4 Twelve small form-factor pluggable (SFP) Gigabit Monitoring ports, which enable you to
  monitor twelve SPAN ports, six full-duplex tapped segments, six segments in-line, or a
  combination, for example, three full-duplex segments and six SPAN ports. The Monitoring
  interfaces of the I-4010 work in stealth mode, meaning they have no IP address and are not visible
  on the monitored segment. If you choose to run in failover mode, ports 6A and 6B are used to
  interconnect with the peer Sensor.
  The gigabit ports of the Sensor running in in-line mode fail-close, meaning that if the Sensor fails, it
  will interrupt/block data flow. Fail-open functionality requires either the Layer 2 Passthru feature,
  described in detail in the Device Administration Guide, or the hardware Fail-Open Bypass kit for
  Gigabit ports, described in the Cable the failover interconnection ports section.
5 Four RJ45 Response ports, which, when you're operating in SPAN mode, enable you to inject
  response packets back through a switch or router.
6 Four RJ-11 Fail-Open Control ports, designed for use with the Optical Fail-Open Bypass kit. The
  ports are marked X1, X2, X3, and X4 and are used in conjunction with ports 1A/1B, 2A/2B, 3A/3B,
  and 4A/4B, respectively. (Fail-open control for ports 5A/5B and 6A/6B is managed through the
  Compact Flash port).
7 One External Compact Flash port. This port is used for two purposes. It is used to control
  optional fail-open hardware as described in the Gigabit Optical Fail-Open Bypass Kit Guide. It is
  also used in troubleshooting situations where the Sensor's internal flash is corrupted and you must
  reboot the Sensor through the external compact flash. For more information, see the on-line
  KnowledgeBase at McAfee Support Site.
8 Power Supply A (included). Power supply A is included with each Sensor. The supply uses a
  standard IEC port (IEC320-C13). McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3
  wire). International customers must procure a country-appropriate power cable.
9 Power Supply B (optional, purchased separately). Power supply B is a hot-swappable, redundant
  power supply. This power supply also uses a standard IEC320-C13 port, and you can use the
  McAfee-provided cable or acquire one that meets your specific needs.
The Sensor does not have internal taps; it must be used with a third-party external tap to run in tap mode.
Front panel LEDs on the Sensor
The front panel LEDs provide status information for the health of the Sensor and the activity on its
ports. The following table describes the Sensor front panel LEDs:
LED                    Status  Description
Power A                Green   Power Supply A is functioning.
                       Amber   Power Supply A is not functioning.
Power B                Green   Power Supply B is functioning.
                       Amber   Power Supply B is not functioning.
                               If power supply is not present, both green and amber LEDs are off.
Management Port Speed  Amber   The port speed is 100 Mbps.
                       Off     The port speed is 10 Mbps.
Management Port Link   Green   The link is connected.
                       Off     The link is disconnected.
Sys                    Green   Sensor is operating.
                       Amber   Sensor is booting.
Fan OK                 Green   All three fans are operating.
                       Off     Indicates one or more fan has failed.
Fan 1                  Off     Fan 1 is operating.
                       Amber   Fan 1 is not operating.
Fan 2                  Off     Fan 2 is operating.
                       Amber   Fan 2 is not operating.
Fan 3                  Off     Fan 3 is operating.
                       Amber   Fan 3 is not operating.
Temp                   Green   Inlet air temperature measured inside chassis is normal. (Chassis temperature OK.)
                       Amber   Inlet air temperature measured inside chassis is too hot. (Chassis temperature too hot.)
Flash                  Green   Activity on external compact flash, for example, the Fail-Open Controller has been inserted.
                       Off     No activity on external compact flash.
Gigabit Ports Act      Amber   Data transferring.
                       Off     No data transferring.
Gigabit Ports Link     Green   The link is connected.
                       Off     The link is disconnected.
Response Port Speed    Amber   The port speed is 100 Mbps.
                       Off     The port speed is 10 Mbps.
Response Port Link     Green   The link is connected.
                       Off     The link is disconnected.
2 Before you install
This chapter describes the best practices for deployment of Sensors on your network. Topics discussed
include system requirements, site planning, safety considerations for handling the Sensor, and usage
restrictions that apply to the Sensor.
Contents
I-4010 Sensor specifications
Network topology considerations
Safety measures
Usage restrictions
Unpack the Sensor
I-4010 Sensor specifications
The following table lists the specifications of the Sensor:
Sensor Specifications: Description
Dimensions:
  Without mounting ears/cable management:
  • width: 17.44 in. (44.30 cm.)
  • height: 3.44 in. (8.74 cm.)
  • depth: 23.00 in. (58.42 cm.)
  With mounting ears/cable management:
  • width: 18.94 in. (48.11 cm.)
  • height: 3.44 in. (8.74 cm.)
  • depth: 24.00 in. (60.96 cm.)
  Dimensions do not include cables or power cords.
Weight: 38.01 lb. (17.24 kg.)
Voltage Range: 100-240 VAC
Frequency: 50/60 Hz
Vibration, operating: 5 to 200 Hz, 0.5g (1 oct/min)
Vibration, non-operating: 5 to 200 Hz, 1g (1 oct/min); 200 to 500 Hz, 2g (1 oct/min)
Power requirements: 350 W
Ambient Temperature Range (Non-condensing):
  Operating: 0°C (32°F) to 40°C (104°F)
  Non-operating: -40°C (-40°F) to 70°C (158°F)
Relative Humidity (Non-condensing):
  Operating: 10%-90% non-condensing
  Non-operating: 5% to 95% non-condensing
System Heat Dissipation: 1194.3 BTU/hr
Airflow: 200 lfm (1 m/s)
Altitude: Sea level to 10,000 ft (3050 m)
Throughput: 2 Gbps
Cabling Specifications:
Note the following cabling specifications for the Sensor:
• Category 5 Enhanced (Cat 5e) cable is required for transmission speeds up to 1 Gigabit per second (Gigabit Ethernet).
• For Ethernet networks running at 10 or 100 Mbps, Category 5 (Cat 5) or Cat 5e cable can be used.
Throughout this guide, the cabling specification is referred to as Cat 5/Cat 5e.
Network topology considerations
Deployment of the McAfee® Network Security Platform [formerly McAfee® IntruShield®] network intrusion
prevention system requires basic knowledge of your network to help determine the level of
configuration and the number of installed Sensors and Managers required to protect your network.
The Sensor is purpose-built for the monitoring of traffic across one or more network segments. For
more information on the network topology considerations for Network Security Platform deployment,
see the IPS Administration Guide.
Safety measures
The safety measures given below apply to all Sensor models unless otherwise specified. Carefully read
the following warnings before you install the product.
Failure to observe these safety warnings could result in serious physical injury.
Warnings:
• Read the installation instructions before you connect the system to its power source.
• To remove all power from the Sensor, unplug all power cords, including the redundant power cord.
• Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
• Before working on equipment that is connected to power lines, remove jewelry including rings, necklaces, and watches. Metal objects will heat up when connected to power and ground, and can cause serious burns or weld the metal object to the terminals.
• This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use.
• Do not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
• Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Blank faceplates and cover panels prevent exposure to hazardous voltages and currents inside the chassis, contain electromagnetic interference (EMI) that might disrupt other equipment, and direct the flow of cooling air through the chassis.
• To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ45 connectors. Use caution when connecting cables.
• This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the users will be required to correct the interference at their own expense.
About fiber-optic ports
The Sensor uses fiber-optic connectors for its 12 Monitoring ports. The connector type is a Small
Form-Factor Pluggable (SFP) fiber optic connector that is LC-Duplex compatible.
• Fiber-optic ports (for example, FDDI, OC-3, OC-12, OC-48, ATM, GBIC, and 100BaseFX) are considered Class 1 laser or Class 1 LED ports.
• These products have been tested and found to comply with Class 1 limits of IEC 60825-1, IEC 60825-2, EN 60825-1, EN 60825-2, and 21CFR1040.
To avoid exposure to radiation, do not stare into the aperture of a fiber-optic port. Invisible radiation
might be emitted from the aperture of the port when no fiber cable is connected.
• Only FDA registered, EN 60825-1 and IEC 60825-1 certified Class 1 SFP laser transceivers are acceptable for use with the Sensor.
Usage restrictions
The following restrictions apply to the use and operation of a Sensor:
• You may not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
• The Sensor appliance is not a general purpose workstation.
• McAfee prohibits the use of the Sensor appliance for anything other than operating Network Security Platform.
• McAfee prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Network Security Platform.
Unpack the Sensor
Task
1 Place the Sensor box as close to the installation site as possible.
2 Position the box with the text upright.
3 Open the top flaps of the box.
4 Remove the accessory box.
5 Verify you have received all parts.
  These parts are listed on the packing list and in the Contents of the Sensor box section.
6 Pull out the packing material surrounding the Sensor.
7 Remove the Sensor from the anti-static bag.
8 Save the box and packing materials for later use in case you need to move or ship the Sensor.
Contents of the Sensor box
The following accessories are shipped in the Sensor box:
• One Sensor.
• One CD-ROM containing the Sensor software and on-line documentation.
• One power cord. McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country-appropriate power cable.
• One set of rack mounting ears.
• One printed Quick Start Guide.
• Release Notes.
3 Setting up the Sensor prior to configuration
This chapter describes the process of setting up a Sensor prior to configuring it through the McAfee®
Network Security Manager (Manager).
Contents
Setup overview
Position the Sensor
Redundant power supply for the Sensor
Installation of SFP modules
Cable the Sensor
Power on the Sensor
Setup overview
Task
1 Position the Sensor.
2 Install the GBICs.
3 Attach the power, network, and monitoring cables.
4 Power on the Sensor.
Once you have set up and powered on the Sensor, you can proceed with the configuration.
See also
Cable the Sensor
Power on the Sensor
Position the Sensor
Place the Sensor in a physically secure location, close to the switches or routers it will be monitoring.
Ideally, the Sensor should be located within a standard communications rack.
The Sensor is a 2RU (2 rack unit) chassis. To mount the Sensor on a rack, you attach two mounting ears
to the Sensor, then mount the ears to the rack. The Sensor ears attach to either the front or the
middle of the chassis.
Install the ears on the chassis
Before you begin
Before you install the ears on the chassis, make sure that power is OFF. Remove the power
cable and all network interface cables from the Sensor.
Each rack-mounting ear has holes that match up with holes in the chassis.
Task
1 Verify that you have all the parts you will need: two chassis ears and twelve Phillips flathead screws.
2 Attach the first chassis ear to the right side of the chassis.
  Use a Phillips screwdriver to secure the Phillips flathead screws to the chassis.
3 Repeat this procedure for the other ear.
Figure 3-1 Attaching the mounting ears to the Sensor chassis
Mount the Sensor on a rack
McAfee recommends rack-mounting your Sensors. The rack-mounting hardware included with the
Sensors is suitable for most 19-inch equipment racks and telco-type racks. For maintenance purposes,
you should have access to the front and rear of the Sensor.
Before you mount the Sensor on the rack, make sure that power is OFF. Remove the power cable and all
network interface cables from the Sensor.
Rack-mount the Sensor by securing the rack mount ears to two posts or mounting strips on the rack.
The ears secure the Sensor to two rack posts, and the rest of the Sensor is cantilevered off the ears.
You need two people to install the Sensor in the rack—one person to hold the Sensor and one person to
secure it to the rack.
Mount the Sensor by securing the ears to two posts or mounting strips on the rack. Because the ears
bear the weight of the entire Sensor, be sure to fasten the ears securely to the rack.
Figure 3-2 Mounting the I-4010 Sensor on a rack
Redundant power supply for the Sensor
A basic configuration of the Sensor includes one hot-swappable power supply. If required, you may
purchase a second hot-swappable power supply from McAfee and install it for redundancy. Each of
these modules has one handle for insertion or extraction from the unit and a fastening screw.
Install a power supply
Task
1 Unpack the power supply from its shipping carton.
2 Remove the faceplate panel covering the power supply slot.
  The faceplate panel should remain in place unless a power supply is in the power supply slot. Do not
  operate the Sensor without the faceplate panel in place.
3 Place the power supply in the slot with the cable outlet facing front and on the left side of the
  faceplate.
  Figure 3-3 Installing a power supply
4 Slide in the power supply until it makes contact with the backplane, then push firmly to mate the
  connectors solidly with the backplane.
5 Secure the power supply's front panel to the Sensor chassis using the mounting screw on the left of
  the power supply's front panel.
  For true redundant operation with the optional redundant power supply, McAfee recommends that
  you plug each supply into a different power circuit. For optimal protection, use uninterrupted power
  sources.
Remove a power supply
This section explains how to remove a power supply from the Sensor (optional—the power supplies
are hot-swappable). To avoid data interruption, do not power off both power supplies on an in-line
Sensor, or the Sensor shuts down and all data traffic stops. Power off only the power supply you are
replacing.
Task
1 Unplug the power cable from its power source and remove the power cable from the power supply.
2 Put on an antistatic wrist or ankle strap.
3 Attach the wrist or ankle strap to a bare metal surface of the chassis.
4 Unscrew the screws connecting the mounting bracket and remove the bracket from the front of the
  power supply.
5 Squeeze the handle of the power supply and pull it out.
6 Use faceplate panels to protect unused slots from dust and reduce electromagnetic radiation.
7 Replace the mounting bracket.
To remove all power from the Sensor, unplug all power cords.
Installation of SFP modules
The Small Form-factor Pluggable (SFP) module is a hot-swappable input/output device that plugs into
an LC-type Gigabit Ethernet port, linking the module port with a copper or fiber-optic network. SFP
optical interfaces are less than half the size of GBIC interfaces.
To ensure compatibility, McAfee supports only those SFP modules purchased through McAfee or from a
McAfee-approved vendor. For a list of approved vendors, see the on-line KnowledgeBase, McAfee
Support Site.
These installation instructions provide information for installing an SFP module that uses a bail clasp
for securing the module in place in the Sensor. Your SFP module may be slightly different. Check the
SFP module manufacturer's installation instructions for more details.
For ease of installation, insert the SFP GBIC module in the Sensor while it is powered down and before
placing it on a rack.
To prevent eye damage, do not stare into open laser apertures.
Installing an SFP module for I-4010
This section provides the steps to install an SFP module with a bail clasp.
Task
1 Remove the SFP module from its protective packaging.
2 Ensure the SFP module is the correct model for your network.
3 Locate the label on the SFP module and turn the module so that its label is on top and the
  alignment groove is down.
4 Grip the sides of the module with your thumb and forefinger and insert the SFP module into the
  module socket.
  SFP modules are keyed to prevent incorrect insertion.
  Figure 3-4 Inserting an SFP module into a Monitoring port on the I-4010 sensor
5 Insert the SFP module into Sensor Monitoring ports 1A/1B, 2A/2B, 3A/3B, 4A/4B, 5A/5B, or 6A/6B.
  Slide the module until you hear a click indicating that it is properly inserted into the slot.
6 Lock the SFP module by pushing the bail clasp up into place.
7 SFP modules generally have a protective plug in the optical bore. When you are ready to attach the
  network interface cable, remove the plug from the SFP module optical bore and save the plug for
  future use.
If you choose not to use a port, McAfee still recommends that you leave an SFP module in the slot.
Remove an SFP module
This section provides the steps to remove an SFP module with a bail clasp.
Task
1 Disconnect the network fiber-optic cable from the SFP module.
2 Release the module from the slot by pulling the bail clasp out of its locked position.
3 Slide the SFP module out of the slot.
4 Insert the SFP module plug into the module optical bore for protection.
Copper SFPs for 10/100/1000 Fast Ethernet ports
In addition to fiber GBICs, McAfee supports copper SFPs for I-3000 and I-4010 Sensors.
I-3000 and I-4010 Sensors, as packaged, are set to 1 Gbps speed. When a copper SFP is used, the
port speed can be set to 10/100/1000/10-auto/100-auto/1000-auto Mbps, whereas when a fiber SFP
is used, the speed can be set to 1 Gbps or 1 Gbps-auto.
Figure 3-5 Copper SFP
McAfee recommends that you use McAfee-branded SFPs with your Sensors.
Connect a copper SFP
Task
1
Remove the SFP module from its protective packaging.
2
Ensure the SFP module is the correct model for your network.
3
Locate the label on the SFP module and turn the module so that its label is on top and the
alignment groove is down.
4
Grip the sides of the module with your thumb and forefinger and insert the SFP module into the
module socket.
SFP modules are keyed to prevent incorrect insertion.
5
Insert the copper SFP into Sensor Monitoring ports 1A/1B, 2A/2B, 3A/3B, 4A/4B, 5A/5B, or 6A/6B. Slide
the module until you hear a click indicating that it is properly inserted into the slot.
The copper SFP must be physically installed before you can use this functionality. Once you have
plugged in the copper SFP, you can change the speed and other configurations in the Manager.
Figure 3-6 Connecting a copper SFP
6
Lock the SFP module by pushing the bail clasp up into place.
7
Connect the network cable in the port.
8
In the Manager, go to root admin domain | Device List | Device_Name node | Physical Device | Port Settings.
9
Select the port where the SFP has been connected.
10 Change the speed and port settings to 10/100/1000/10-auto/100-auto/1000-auto.
Check that the LED turns green on the Sensor.
11 Click OK.
If the SFP has been pulled and put back into the ports, the port has to be disabled and enabled to
restore the configuration settings. For more information on configuring monitoring port settings from
Manager, see Device Administration Guide.
Remove a copper SFP
This section provides the steps for removing an SFP module with a bail clasp.
Task
1
Disconnect the network straight Ethernet RJ45 cable from the SFP module.
2
Release the module from the slot by pulling the bail clasp out of its locked position.
3
Slide the SFP module out of the slot.
Cable the Sensor
Follow the steps outlined in the Attaching Cables to the Sensor chapter to connect cables to the
monitoring, response, console, and management ports on your Sensor.
See also
Attaching cables to the Sensor on page 3
Power on the Sensor
Do not attempt to power on the Sensor until you have installed the Sensor on a rack, made all
necessary network connections, and connected the power cable to the power supply. Then:
1
Connect the power cable to the Sensor power supply.
2
Connect the power cable to a power source.
If you are installing a redundant power supply, you should install it as described in Installing a power
supply. For true redundant operation with the optional redundant power supply, McAfee recommends
that you plug each supply into a different power circuit.
The Sensor has no power switch. The Sensor powers on as soon as you connect one of its power
cables to a power source.
Power off the Sensor
Network Security Platform recommends that you use the shutdown CLI command to halt the Sensor
before powering it down. For more information on CLI commands, see CLI Guide.
4
Attaching cables to the Sensor
Follow the steps outlined in this chapter to connect cables to the various ports on your Sensor.
Contents
Cable the Console port
Cable the Auxiliary port
Cable the Response ports
Cabling information for the fail-open control ports
Cable the Management port
About cabling the Monitoring ports
Cable the Sensor to monitor in in-line mode
Cable the Sensor SFP ports to monitor in external tap mode
Cable the Sensor to monitor in SPAN or hub mode
Cable the failover interconnection ports
Cable the Console port
The Console port is used for setup and configuration of the Sensor.
Task
1
For console connections, plug the DB9 Console cable supplied by McAfee into the Console port
(labeled Console on the Sensor front panel).
2
Connect the other end of the Console port cable directly to a COM port of the PC or terminal server
you will use to configure the Sensor.
For example, it could be a PC running correctly configured Windows HyperTerminal software. You
must connect directly to the console for initial configuration.
Required settings for HyperTerminal are:
Name              Setting
Baud rate         9600
Number of bits    8
Parity            None
Stop bits         1
Flow Control      None
3
Power on the Sensor.
Cable the Auxiliary port
The Auxiliary (Aux) port is used for modem access to the Sensor for setup and configuration. However,
you cannot use a modem the first time you configure a Sensor.
Task
1
For modem connections, plug a straight-through modem cable into the Auxiliary port (labeled Aux
on the Sensor front panel).
2
Connect a modem to the Aux port.
3
Connect a telephone line to the modem.
Required settings for the Aux port are:
Name              Setting
Baud rate         9600
Number of bits    8
Parity            None
Stop bits         1
Flow Control      None
Required settings for the modem are:
• 9600 bps port speed
• Answer after 1 ring
• Save the configuration to NVRAM.
Cable the Response ports
The Sensor's Response ports are used to send responses to attacks when operating in SPAN or tap
mode. You must use a Response port to inject response packets to the switches or routers.
Task
1
Plug a Cat 5/Cat 5e cable into the Response port (labeled Rx on the Sensor front panel).
2
Connect the other end of the cable to the network device (for example, hub, switch, router)
through which you want to respond to attacks.
Cabling information for the fail-open control ports
Fail-open functionality for the GE Monitoring ports is accomplished through the Gigabit Fail-open
Bypass Kit, sold separately. Both copper and optical versions are available. Note the following:
• For 10/100 Mbps port speed setting, use the copper Bypass Kit. For more information, see Gigabit
Copper Fail Open Kit Guide.
• For 1 Gbps port speed setting, you can use either the optical Bypass Kit or the copper Bypass Kit.
• Installation and troubleshooting instructions for a Kit can be found in the kit's documentation. More
details on fail-open operation with the kit are available in Using fail-open hardware. For more
information, see the documentation that accompanies the Kit.
See also
About the Gigabit Fail-Open kit on page 29
Cable the Management port
The Management (Mgmt) port is used for communication with the Manager server.
To isolate and protect your management traffic, McAfee strongly recommends using a separate,
dedicated management subnet to interconnect the Sensors and the Manager.
Task
1
Plug a Cat 5/Cat 5e cable into the Management port (labeled Mgmt on the Sensor front panel).
2
Connect the other end of the cable to the network device (for example, hub, switch, router) that in
turn connects to the Manager server.
About cabling the Monitoring ports
Monitoring ports connect to the network devices you will be monitoring through the Sensor. You can
deploy the Sensors in the following modes:
• In-line mode (fail-close)
• SPAN or Hub mode
• In-line mode (fail-open)
• Failover
• External tap mode (GBIC ports)
See also
Cable the Sensor to monitor in in-line mode on page 27
About the Gigabit Fail-Open kit on page 29
Cable the Sensor SFP ports to monitor in external tap mode on page 27
Cable Sensors for failover on page 28
How to use peer ports
All full-duplex Sensor deployment modes require the use of two peer monitoring ports on the Sensor.
On the Sensors, the numbered ports are wired in pairs to accommodate the traffic.
The following SFP Gigabit Ethernet ports are coupled and must be used together:
Port Pairs
1A and 1B
2A and 2B
3A and 3B
4A and 4B
5A and 5B
6A and 6B
You cannot configure, for example, 1A and 2A to work together as a pair.
Figure 4-1 Peer ports on an I-4010
Default Monitoring port speed settings
Make sure that the switch/router ports connected to the Sensor Monitoring ports match the Sensor
configuration.
Monitoring Ports    Operating Mode    Speed/Duplex Setting
SFP ports           SPAN              Auto-negotiation is ON
SFP ports           Tap               Auto-negotiation is ON
SFP ports           In-line           Auto-negotiation is ON
Cable types for routers, switches, hubs, and PCs
This section describes the types of cables that you require to connect the Sensor to other network
devices.
• Use a crossover Ethernet RJ45 cable to connect a router port to 10/100 Monitoring ports.
• Use a straight-through Ethernet RJ45 cable to connect a switch/hub port to 10/100 Monitoring ports.
• Use a crossover Ethernet RJ45 cable to connect a router port or PC to the Sensor Management port.
You should also use a crossover Ethernet RJ45 cable to connect a PC to the Sensor monitoring port.
About the fail-open hardware
For fail-open functionality, you can use the optional Gigabit Fail-Open Bypass Kit. This kit contains a
bypass switch and the equipment needed to connect the switch to the Sensor. This kit is sold separately.
Cable the Sensor to monitor in in-line mode
In-line mode requires that you use a pair of Sensor ports as described in How to use peer ports.
Cabling a Sensor for in-line mode requires a brief network interruption as you insert the Sensor in
the flow of network traffic. To avoid extended network downtime, you should cable a Sensor for
in-line mode after you have completed all other configuration tasks.
The I-4010's GBIC ports are by default configured to fail-close when running in in-line mode, meaning
they stop the flow of traffic if the Sensor fails. To allow traffic to flow uninterrupted during Sensor
failure, you must use the gigabit fail-open kit and cable the Sensor's monitoring ports for fail-open
functionality. For more information, see About the Gigabit Fail-Open kit.
Task
1
Plug the cable appropriate for use with your SFP module into one of the Monitoring ports, for
example, 1A.
2
Plug another cable into the peer of the port used in Step 1.
3
Connect the other end of each cable to the network devices that you want to monitor.
For example, if you plan to monitor traffic between a switch and a router, connect the cable
connected to 1A to the router and the one connected to 1B to the switch.
See also
How to use peer ports on page 25
About the Gigabit Fail-Open kit on page 29
Cable types for routers, switches, hubs, and PCs on page 26
Cable the Sensor SFP ports to monitor in external tap mode
The Sensor's SFP ports must be used with a 3rd-party external tap. For a list of approved 3rd-party
tap vendors, see the on-line KnowledgeBase, McAfee Support Site.
Task
1
Plug the cable appropriate for use with your SFP module into one of the Monitoring ports, for
example, port 1A.
2
Plug another cable into the corresponding peer Monitoring port.
3
Connect the other end of each cable to the tap.
4
Connect the network devices that you want to monitor to the tap.
See also
Cable types for routers, switches, hubs, and PCs on page 26
How to use peer ports on page 25
Cable the Sensor to monitor in SPAN or hub mode
When you monitor in SPAN or Hub mode, you can use single ports.
Task
1
Plug an LC-type fiber optic cable into one of the monitoring ports.
2
Connect the other end of the cable to the SPAN port or the hub.
See Cable types for routers, switches, hubs, and PCs to determine which cable type to use with
which type of network device.
See also
Cable types for routers, switches, hubs, and PCs on page 26
How to use peer ports on page 25
Cable the failover interconnection ports
Fail-over requires connecting two identical Sensors (same model, same software) through an
interconnection cable or cables.
Previously, a Sensor fail-over pair could be created only if all of the primary Sensor's Monitoring
port pairs were in in-line mode. Now you can create a fail-over pair even if the primary Sensor
has some of its Monitoring port pairs in non-in-line (tap/SPAN) mode. For example, you may have port
pairs 1A-1B and 2A-2B configured in in-line mode and ports 3A and 4A configured in SPAN mode.
TCP reset is not supported when connected in tap mode.
Cable Sensors for failover
Monitoring ports 6A and 6B are the interconnection ports on the Sensor. A failover cable is the only
additional hardware required to support failover communication between two Sensors.
When the 6A-6B interconnection ports are connected in failover mode with a 10 or 100 Mbps speed value,
the ports will be updated to a 1 Gbps speed value during failover creation.
Task
1
Plug the cable appropriate for use with your GBIC into port 6A of the active Sensor.
2
Connect the other end of the cable to port 6A of the standby Sensor.
3
Plug the cable appropriate for use with your GBIC into port 6B of the active Sensor.
4
Connect the other end of the cable to port 6B of the standby Sensor.
Figure 4-2 Cabling I-4010 sensors for Failover
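The peer-port, port-speed, Bypass Kit and failover rules given in this chapter and in "Copper SFPs for 10/100/1000 Fast Ethernet ports" can be checked against a planned port layout before cabling. The following Python check is an added example, not McAfee code; the plan format, the mode names and check_plan are assumptions, speeds are written in Mbps, and treating 6A/6B as unavailable for monitoring in a failover pair is an assumption drawn from their role as interconnection ports.

```python
# Added example: checks a planned Monitoring-port layout against the guide's
# cabling rules. Plan format, mode names and function names are assumptions.
PAIRS = {f"{n}A": f"{n}B" for n in range(1, 7)}          # 1A/1B ... 6A/6B
PEER = {**PAIRS, **{b: a for a, b in PAIRS.items()}}
# Speeds in Mbps; the guide's "1 Gbps" fiber setting is written as "1000".
SPEEDS = {
    "copper": {"10", "100", "1000", "10-auto", "100-auto", "1000-auto"},
    "fiber": {"1000", "1000-auto"},
}
PAIRED_MODES = {"inline-fail-close", "inline-fail-open", "tap"}  # full duplex
SINGLE_MODES = {"span"}                                          # SPAN or hub


def check_plan(plan, failover=False):
    """Return a list of findings for plan: {port: {mode, media, speed[, kit]}}."""
    findings = []
    for port in sorted(plan):
        cfg = plan[port]
        if port not in PEER:
            findings.append(f"{port}: not a Monitoring port")
            continue
        mode, media, speed = cfg["mode"], cfg["media"], cfg["speed"]
        if speed not in SPEEDS.get(media, set()):
            findings.append(f"{port}: speed {speed} is not offered for a {media} SFP")
        if mode in PAIRED_MODES:
            peer = plan.get(PEER[port])
            if peer is None or peer["mode"] != mode:
                findings.append(f"{port}: {mode} needs peer port {PEER[port]}")
        elif mode not in SINGLE_MODES:
            findings.append(f"{port}: unknown mode {mode}")
        if mode == "inline-fail-open":
            kit = cfg.get("kit")  # "copper" or "optical" Bypass Kit
            if kit is None:
                findings.append(f"{port}: fail-open needs a Bypass Kit")
            elif speed.split("-")[0] in ("10", "100") and kit != "copper":
                findings.append(f"{port}: 10/100 Mbps needs the copper Bypass Kit")
        # Assumption: with failover, 6A/6B carry only the interconnect.
        if failover and port in ("6A", "6B"):
            findings.append(f"{port}: reserved for the failover interconnect")
    return findings


if __name__ == "__main__":
    # Constructed plan: 1A and 2A wrongly treated as an in-line pair.
    bad = {
        "1A": {"mode": "inline-fail-close", "media": "fiber", "speed": "1000"},
        "2A": {"mode": "inline-fail-close", "media": "fiber", "speed": "1000"},
    }
    for finding in check_plan(bad):
        print(finding)
```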
About the Gigabit Fail-Open kit
The Gigabit Fail-Open kit (sold separately) minimizes the potential risks of in-line Sensor failure on
critical network links. Both copper and optical versions of the kit are available.
The Gigabit Ethernet (GE) Monitoring ports on the Sensors are configured to fail close by default;
thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open
operation for GE ports requires the use of the optional external Bypass Switch provided in the Kit.
With the Bypass Switch in place, normal Sensor operation supplies power to the switch through a
control cable. While the Sensor is operating, the switch is "on" and routes all traffic directly through
the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic
continues to flow through the network link, but is no longer routed through the Sensor. Even after the
Sensor comes back online, the ports configured as fail-open remain in bypass mode until you manually
put them back to fail-open.
Note that a Sensor outage breaks the link connecting the devices on either side of the Sensor for a brief
moment and requires the renegotiation of the network link between the two peer devices connected to
the Sensor. Depending on the network equipment, this disruption introduced by the renegotiation of the
link layer between the two peer devices may range from a couple of seconds to more than a minute
with certain vendors' devices.
A very brief link disruption may also occur while the links between the Sensor and each of the peer
devices are renegotiated to place the Sensor back in in-line mode. This outage, again, varies depending
on the device, and can range from a few seconds to more than a minute.
Installation and troubleshooting instructions for the Kit can be found in the Quick Start Guide that
accompanies the kit. For more information, see Gigabit Optical Fail-Open Bypass Kit Guide and Gigabit
Copper Fail-Open Bypass Kit Guide.
700-3595A00