Network Security Platform Copper Passive Fail-Open
10/100/1000 Copper Passive Fail-open Bypass Kit Guide
Revision C
McAfee® Network Security Platform
The 10/100/1000 passive fail-open bypass kit (the kit) minimizes the potential risks of
in-line Network Security Sensor (Sensor) failure on critical network links.
The 10/100/1000 monitoring ports on Sensors are fail-closed; thus, if the Sensor is
deployed in-line, a hardware failure results in network downtime. Fail-open operation for GE
ports requires the use of the optional external bypass switch provided in the kit.
With the bypass switch in place, normal Sensor operation supplies power to the switch via a
control cable. While the Sensor is operating, the switch is “on” and routes all traffic directly
through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state:
in-line traffic continues to flow through the network link, but is no longer routed through the
Sensor. After the Sensor resumes normal operation, the switch returns to the “on” state,
again enabling in-line monitoring.
The kit contains a bypass switch and all the connectivity components to connect the switch
to the GE monitoring ports of any Sensor model, and to connect a control cable between the
Sensor and the switch. Additional cables may be required to connect the bypass switch to
your other network devices (routers, switches), and you may not require all the components
included in the kit (for example, you will use only one of the two types of control cable
included in the kit).
This document describes the contents of the kit; how to install the kit for all Sensor models
with 10/100/1000 ports, or small form-factor pluggable (SFP) ports; how the kit functions;
and what to expect during normal use.
Kit contents
The following external hardware is shipped with the Copper Fail-Open Kit:

Qty  Item                                     Description
1    Gigabit fail-open Bypass Switch          1000Base-T switch; connects to the GE ports of all Sensor models, either directly or through the Sensor's built-in control port.
1    19-inch rack-mount panel for 3 switches  1RU mounting hardware to mount up to three Bypass Switches in a standard rack.
1    Gigabit fail-open cable                  Connects the Fail-Open control port to one or two Bypass Switch(es).
4    3-meter RJ45 - RJ45 cables               Connects the Bypass Switch to the peer network device and to the Sensor.
1    3-meter RJ45 - RJ11 cable                Connects the Bypass Switch to a built-in Sensor Fail-Open Control port.
Depending on the Sensor model and port type, certain Sensor ports have built-in corresponding
Fail-Open Control ports.
Connecting the Fail-Open Kit to a Sensor
The Bypass Switch connects to any Sensor model with Gigabit Ethernet (GE) ports; the physical
connection differs by Sensor model and port pair, as explained in this section.
Connecting the switch to Sensors with SFP ports
Connect the switch to any of the M-series Sensor models. For example, the M-3050/M-4050 Sensors
each have eight SFP GE monitoring ports (four pairs), and each model supports up to four kits.
This diagram shows a switch connected to one of the first four port pairs; thus the switch is
controlled via the corresponding Fail-Open Control port, X1.
Figure 1 Fail-open switch connected to ports 3A-3B

Item  Description
1     Fail-Open Bypass Switch
2     Fail-Open Control Ports (RJ11 connection)
3     Control port on Bypass Switch (RJ45 connection)
4     RJ45 - RJ11 cable
5     Connection to network device
6     Connection to network device
7     PTx/SRx (inside) connection to port 3A of the Sensor (copper SFP)
8     STx/PRx (outside) connection to port 3B of the Sensor (copper SFP)
Installing the Bypass Switch on a rack
You can install between one and three Bypass Switches onto the Bypass Switch rack-mount panel.
The rack-mount panel described in this section is included in the Fail-Open Kit.
This procedure is optional; if you do not wish to install the Bypass Switch on a rack, you
may set the switch directly on top of the Sensor or another network device.
Install the switch on the rack-mount panel
a. Slide the switch into the center opening in the rack-mount panel, until the faceplate of the
   switch rests against the panel.
b. Secure the switch to the rack-mount panel by inserting the screws through the holes on the
   switch faceplate and into the panel.
Additional Bypass Switches can be installed without removing the rack-mount panel
from the rack.
To install up to two additional switches:
1. Remove the screws holding one of the removable blank plates from the front of the panel.
2. Follow the procedure for installing a switch in the rack-mount panel for the additional
   Bypass Switch(es).
Install the panel and switch(es) on a rack
a. Place the 1U panel against the front of a standard 19-inch rack.
b. Secure the rack-mount panel by inserting the screws (included with the rack-mount panel)
   through the holes on the front of the panel and the sides of the rack.
Installing the fail-open bypass switch
To accurately detect attacks, the Sensor must be aware of which traffic is outside the network and
which traffic is inside. Identifying traffic direction is accomplished via proper cabling of the Bypass
Switch as well as proper port configuration of the Sensor Monitoring ports in the McAfee® Network
Security Manager (Manager).
For information on how to configure Sensor ports via the Manager, see McAfee Network
Security Platform IPS Administration Guide.
In addition to the RJ45 Control port, the Fail-Open Module has four RJ45 connectivity ports. The two
on the left have A and B labels above the ports and a Network label below them; these connect
to your network devices. The two on the right have A and B labels above the ports and a Monitor
label below them; these connect to the Sensor.
Field  Description
1      To Sensor Fail-Open Control port
2      To Network Device (inside)
3      To Network Device (outside)
4      PTx/SRx - inside (plugs into Sensor port xA)
5      STx/PRx - outside (plugs into Sensor port xB)
Connecting the Bypass Switch to a Network Device
a. Plug an inside network cable connector into the Network port labeled A on the bypass switch.
b. Plug the other end of this cable into the corresponding network device.
c. Plug an outside network cable into the Network port labeled B on the bypass switch.
d. Plug the other end of this cable into the corresponding network device.
Connecting the Bypass Switch to a Sensor with SFP ports
a. Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP in port xA, where x is 1-6.
b. Plug the other end of the cable into the Monitor port labeled A of the bypass switch.
c. Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding xB peer port. (For example,
   if you used 2A in step a, plug the cable into port 2B.)
d. Plug the other end of the cable into the Monitor port labeled B of the bypass switch.
With this cable configuration, Sensor Monitoring port 1A views traffic as originating
inside the network, and port 1B views traffic as originating outside the network. Note that
this inside/outside assignment must match the port configuration specified for this Sensor,
and that the ports must be enabled. For more information on port configuration, which is
done via the Manager, see McAfee Network Security Platform IPS Administration Guide.
Configuring the Sensor Monitoring Ports
You configure the Sensor's monitoring ports from the McAfee® Network Security Manager (Manager)
interface. The port configuration must match the cabling of the switch, the ports must be set to
"In-line Fail-Open" and the ports must be enabled.
To view/configure the settings of your monitoring ports:
a. In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup |
   Physical Ports | Monitoring Ports.
b. Click a numbered port (for example 10A) in the Monitoring Ports pane.
   A pop-up displays the current port settings.
c. Indicate whether you are using a McAfee Certified module.
d. Set the State to Enabled.
e. In the Operation section, select Mode as In-line Fail-Open Passive.
f. In the same section, select Placement as Inside (internal) or Outside (external).
g. Click Save to commit your configuration.
h. Click OK to confirm that you want to apply the configuration to the peer port, 10B, too.
i. Repeat for any other ports you need to configure.
j. Download the changes to your Sensor by performing the steps in Deploy pending changes to a
   device in the McAfee Network Security Platform Manager Administration Guide.
Verify proper installation
After the Bypass Switch has been connected to the network and the Sensor, check the switch's LED
to verify that the switch is receiving power from the Sensor. Check the port status and operating
mode status in the McAfee® Network Security Manager (Manager) interface to ensure that the port is
enabled and is in the In-Line Fail-Open mode.
Status LED on the Bypass Switch
The indicator is adjacent to the Control port on the Bypass Switch.
Light  Status
ON     Switch is receiving power from the Sensor and traffic is passing to the Sensor.
OFF    The switch is in bypass mode; it is not receiving power and is not passing network traffic to the Sensor.
Port and operating mode status
The port status and operating mode status for GE In-line Fail-open mode are detailed as follows:

In-line Fail-Open Port Status: In-line Fail-Open
  Port color on the virtual Sensor: Green
  Operating Mode Status: The in-line fail-open device is in in-line fail-open mode.
In-line Fail-Open Port Status: In-line Bypass
  Port color on the virtual Sensor: Yellow
  Operating Mode Status: The in-line fail-open device is in in-line bypass mode. The bypass switch has been activated. The Sensor does not monitor during this time.
In-line Fail-Open Port Status: Unknown
  Port color on the virtual Sensor: Orange
  Operating Mode Status: Unable to get the status of the in-line fail-open device from the Sensor. Check the Operational Status.
In-line Fail-Open Port Status: Switch Absent
  Port color on the virtual Sensor: Red
  Operating Mode Status: Fail-open control is not present, control cable is not present, or bypass switch is not present. Verify that all three components are connected properly. If everything is connected correctly, check the Operational Status.
In-line Fail-Open Port Status: N/A
  Port color on the virtual Sensor: Gray
  Operating Mode Status: Not Applicable; the operating mode is not in in-line fail-open mode.
If you encounter any problems, see Common Problems and Solutions.
Troubleshooting
How does the Bypass Kit work?
During normal Sensor in-line, fail-open operation, the Fail-Open or built-in Control port (depending
on which controls the bypass switch) supplies power and a heartbeat signal to the bypass switch. If
this signal is not presented within its programmed four-second interval, the Fail-Open bypass switch
removes the Sensor from the data path, and moves into bypass mode, providing continuous data
flow with little network interruption.
While the Sensor is in bypass mode, traffic passes directly through the switch, bypassing the Sensor.
When normal Sensor operation resumes, you may or may not need to manually re-enable the
monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's
failure.
The following section describes how to return the Sensor to in-line mode.
Moving from bypass mode back to in-line mode
Whether returning from bypass mode to in-line mode needs manual intervention depends on which of
the following caused the bypass:
• Manual Sensor reboot
• Sensor error
Manual Sensor reboot
Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image
or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual
intervention is necessary. When the switch receives power and a heartbeat signal from the Sensor, it
sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.
Sensor error
If the Sensor reboots due to internal error, hardware failure, removal of the Bypass Switch during
normal operation or disruption of the Sensor or Bypass switch cables during Sensor operation, the
Monitoring ports connected to the Bypass Switch are automatically disabled. You must re-enable
the ports via the Manager to resume monitoring mode. When the ports are re-enabled, the
Sensor resumes monitoring traffic in in-line mode.
What happens in a Sensor failure?
When a Sensor fails with the Bypass Kit in place, the following events occur in the order shown.
a. The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the
   Operational Status pane.
b. The Sensor reboots and the Bypass Switch begins forwarding traffic. All traffic then bypasses the
   Sensor and flows across the Bypass Switch with minimal traffic disruption.
   A Sensor reboot breaks the link connecting the devices on either side of the Sensor and
   requires the renegotiation of the network link between the two devices surrounding the
   Sensor. Depending on the network equipment, this disruption should range from a
   couple of seconds to more than a minute with certain vendors' devices.
c. Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:
   1) If the reboot happened during normal activity as described above, the Bypass Switch
      resumes passing data through the Sensor and the Sensor returns to in-line mode.
   2) If the reboot occurred due to an error, the Bypass Switch will continue to bypass the Sensor
      until the Sensor ports are re-enabled from the Manager.
   After the ports are re-enabled, the Bypass Switch resumes passing data through the Sensor and
   the Sensor returns to in-line mode.
   A very brief link disruption might occur while the links are renegotiated to place the
   Sensor back in in-line mode.
d. The errors on the Manager are cleared and normal health is reported.
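The heartbeat watchdog and the two recovery paths above can be modelled as a small simulation, which makes the length of the monitoring gap in each case concrete. The following is an added example written for this page, not McAfee code. It takes from the guide the four-second heartbeat interval, the move to bypass when the heartbeat stops, and the rule that an error-triggered reboot leaves the monitoring ports disabled until an operator re-enables them in the Manager. The event names, the one-second simulation step, and the assumption that the Sensor presents the control signal only while it is running with its port pair enabled are this example's own.

```python
"""Simulation of the bypass-switch heartbeat and recovery rules in the guide.

Added example, not McAfee code. From the guide: the four-second heartbeat
interval, bypass when the heartbeat stops, and ports staying disabled after an
error reboot until re-enabled in the Manager. Assumed here: the event names,
the one-second step, and that the control signal is asserted only while the
Sensor is running with its port pair enabled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEARTBEAT_INTERVAL_S = 4.0  # programmed interval stated in the guide


@dataclass
class Sensor:
    running: bool = True
    ports_enabled: bool = True

    def asserts_control(self) -> bool:
        """Assumption: power and heartbeat are presented on the control port
        only while the Sensor is up and the port pair is enabled."""
        return self.running and self.ports_enabled

    def apply(self, event: str) -> None:
        if event == "reboot_manual":      # software upgrade or Manager reboot
            self.running = False
        elif event == "reboot_error":     # internal error / hardware failure
            self.running = False
            self.ports_enabled = False    # ports are disabled on a failure
        elif event == "reboot_done":
            self.running = True
        elif event == "enable_ports":     # operator re-enables in the Manager
            self.ports_enabled = True
        else:
            raise ValueError(f"unknown event {event!r}")


@dataclass
class BypassSwitch:
    mode: str = "on"            # "on": traffic routed through the Sensor
    last_heartbeat: float = 0.0

    def observe(self, now: float, control_present: bool) -> str:
        """One watchdog check. A present heartbeat restores 'on' at once; a
        heartbeat missing for longer than the interval drops to 'bypass'."""
        if control_present:
            self.last_heartbeat = now
            self.mode = "on"
        elif now - self.last_heartbeat > HEARTBEAT_INTERVAL_S:
            self.mode = "bypass"
        return self.mode


def simulate(events: Dict[int, str], end_time: int) -> List[Tuple[int, str]]:
    """Drive the Sensor/switch pair in one-second steps; events is
    {time_in_seconds: event_name}. Returns the switch mode at every second."""
    sensor, switch = Sensor(), BypassSwitch()
    timeline = []
    for t in range(end_time + 1):
        if t in events:
            sensor.apply(events[t])
        timeline.append((t, switch.observe(t, sensor.asserts_control())))
    return timeline


def bypass_seconds(timeline: List[Tuple[int, str]]) -> int:
    """Seconds during which traffic crossed the link uninspected."""
    return sum(1 for _, mode in timeline if mode == "bypass")


# Constructed scenarios: a 30-second reboot starting at t=10. In the error
# case nobody re-enables the ports in the Manager until t=100.
MANUAL_REBOOT = {10: "reboot_manual", 40: "reboot_done"}
ERROR_REBOOT = {10: "reboot_error", 40: "reboot_done", 100: "enable_ports"}

if __name__ == "__main__":
    for name, events in (("manual reboot", MANUAL_REBOOT),
                         ("error reboot", ERROR_REBOOT)):
        tl = simulate(events, 120)
        print(f"{name}: {bypass_seconds(tl)} s in bypass, final mode {tl[-1][1]}")
```

Running the block shows the difference between the two paths: after a manual reboot the gap starts when the watchdog interval expires and ends as soon as the Sensor is back, whereas after an error reboot the link stays in bypass until someone re-enables the ports, so the gap is bounded by operator response time, not by the four-second interval. That is the reason to alert on the "Port pair is in bypass mode" fault in the Manager rather than waiting for a periodic check.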
Common Problems and Solutions
This section lists some common installation problems and their solutions.
Problem: LED is off.
  Possible cause: The control cable has been disconnected.
  Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.
Problem: LED is off.
  Possible cause: The Sensor is powered off.
  Solution: Restore Sensor power.
Problem: LED is off.
  Possible cause: The Sensor port cable is disconnected.
  Solution: Check the Sensor cable connections.
Problem: Sensor is operational, but is not monitoring traffic.
  Possible cause: Network device cables have been disconnected.
  Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch.
Problem: Sensor is operational, but is not monitoring traffic.
  Possible cause: The Sensor ports have not been enabled in the Manager.
  Solution: The Sensor will not monitor traffic on the ports unless the ports are enabled in the Manager. Ports are disabled in a Sensor failure; they must be re-enabled for Sensor monitoring to resume.
Problem: Network or link problems.
  Possible cause: Improper cabling or port configuration.
  Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.
Problem: Runts or giants errors on switch and routers.
  Possible cause: Improper cabling or port configuration.
  Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.
Problem: The system fault "Switch absent" appears in the Manager Operational Status window.
  Possible cause: The control cable has been disconnected.
  Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.
Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-3602C00