Network Security Platform 1-Gigabit Optical Passive Fail

1 Gigabit Optical Passive Fail-open Bypass Kit Guide
Revision C
McAfee® Network Security Platform
The Gigabit Optical Fail-Open Bypass Kit (the Kit) minimizes the potential risks of in-line
Network Security Sensor failure on critical network links.
The Gigabit Ethernet (GE) Monitoring ports on Network Security Sensors (Sensors) are fail
closed; thus, if the Sensor is deployed in-line, a hardware failure results in network
downtime. Fail-open operation for GE ports requires the use of the optional external Bypass
Switch provided in the Kit.
With the Bypass Switch in place, normal Sensor operation supplies power to the switch via a
control cable. While the Sensor is operating, the switch is "on" and routes all traffic directly
through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state:
in-line traffic continues to flow through the network link, but is no longer routed through the
Sensor. After the Sensor resumes normal operation, the switch returns to the "on" state,
once again enabling in-line monitoring.
The Kit contains a Bypass Switch and all the connectivity components to connect the switch
to the GE Monitoring ports of any Sensor model, and to connect a control cable between the
Sensor and the switch. Additional cables may be required to connect the Bypass Switch to
your other network devices (routers, switches), and you may not require all the components
included in the Kit (for example, you will use only one of the two types of Control cable
included in the Kit).
This document describes the contents of the Kit; how to install the Kit for all M-series
Sensor models with GE ports, either standard GBIC or Small Form-factor Pluggable (SFP)
ports; how the Kit functions; and what to expect during normal use.
Single-Mode vs. Multimode
There are two models of the Kit: one for single-mode fiber networks and one for
multimode fiber networks. Before installing your Bypass Switch, ensure that the Kit
type is compatible with your network fiber type; each model functions properly only
with its specific fiber type. The contents and installation procedures for both Kit models
are the same.
Kit contents
The following external hardware is shipped in both models of the Fail-Open Kit:

Qty | Item | Description
1 | 19-inch rack-mount panel for 3 switches | 1RU mounting hardware to mount up to three bypass switches in a standard rack.
1 | Gigabit Fail-Open Cable | Connects the fail-open control to one or two bypass switches.
2 | SC-SC cable | Standard cable (multimode or single-mode, depending on the Kit).
4 | 4-inch LC-SC cable | Converter (multimode or single-mode, depending on the Kit).
1 | 3-meter RJ45 - RJ11 cable | Connects the bypass switch to a built-in Sensor Fail-Open Control port (M-3050/M-4050 Sensors only).
2 | LC-LC cable | Multimode or single-mode, depending on the Kit.

You may need to provide some of the following cables, depending on your Sensor model and network devices:
• RJ45 - RJ45 cable to connect the bypass switch.
• LC-LC cables, to connect the bypass switch to Sensor LC Monitoring ports.
• SC-SC cables, to connect to network devices with SC-type ports, depending on the Sensor model and port type.
Connecting the Fail-Open Kit to a Sensor
The Bypass Switch connects to any Sensor model with Gigabit Ethernet (GE) ports; and the physical
connection differs by Sensor model and port pair, as explained in this section.
Connecting the switch to Sensors with LC-type ports
Connect the switch to any of the M-series Sensor models. For example, the M-3050/M-4050 Sensors
each have twelve LC-type Monitoring ports (six pairs), and each model supports up to four kits.
Figure: Fail-open switch connected to ports 1A-1B
This diagram shows a switch connected to one of the first four port pairs; thus the switch is
controlled via the corresponding Fail-Open Control port, X1.

Item | Description
1 | Fail-Open Bypass Switch
2 | Fail-Open Control Port X1 (RJ11 connection)
3 | Control port on Bypass Switch (RJ45 connection)
4 | RJ45 - RJ11 cable
5 | Connection to network device (LC connection)
6 | Connection to network device (LC connection)
7 | PTx/SRx (inside) connection to port 1A (LC connection)
8 | STx/PRx (outside) connection to port 1B (LC connection)
Installing the Bypass Switch on a rack
You can install between one and three Bypass Switches onto the Bypass Switch rack-mount panel.
The rack-mount panel described in this section is included in the Fail-Open Kit.
This procedure is optional; if you do not wish to install the Bypass Switch on a rack, you
may set the switch directly on top of the Sensor or another network device.

Install the switch in the rack-mount panel
a. Slide the switch into the center opening in the rack-mount panel, until the faceplate of the
switch rests against the panel.
b. Secure the switch to the rack-mount panel by inserting the screws through the holes on the
switch faceplate and into the panel.
Additional Bypass Switches can be installed without removing the rack-mount panel
from the rack.
To install up to two additional switches:
1. Remove the screws holding one of the removable blank plates from the front of the panel.
2. Follow the procedure for installing a switch in the rack-mount panel for the additional
Bypass Switch(es).

Install the panel and switch(es) on a rack
a. Place the 1U panel against the front of a standard 19-inch rack.
b. Secure the rack-mount panel by inserting the screws (included with the rack-mount panel)
through the holes on the front of the panel and the sides of the rack.
Installing the Fail-Open Bypass Switch
To accurately detect attacks, the Sensor must be aware of which traffic is outside the network and
which traffic is inside. Identifying traffic direction is accomplished via proper cabling of the Bypass
Switch as well as proper port configuration of the Sensor Monitoring ports in the Manager.
For information on how to configure Sensor ports via the Manager, see McAfee Network
Security Platform IPS Administration Guide.
In addition to the RJ45 Control port, the Fail-Open Module has four connectivity ports. The two
on the left have A and B labels above the ports and a Network label below the ports (not shown in
the following diagram). These connect to your network devices.
The two on the right have A and B labels above the ports and a Monitor label below the ports (not
shown in the following diagram). These connect to the Sensor.
Field | Description
1 | To Sensor Fail-Open Control port
2 | To Network Device (inside)
3 | To Network Device (outside)
4 | PTx/SRx - inside (plugs into Sensor port xA)
5 | STx/PRx - outside (plugs into Sensor port xB)
Connecting the Bypass Switch to a Network Device
a. Plug an inside network cable connector into the Network LC receptacle labeled A (in a triangle) on
the Bypass Switch.
b. Plug the other end of this cable into the corresponding network device.
c. Plug an outside network cable into the Network LC receptacle labeled B (in a triangle) on the Bypass
Switch.
If the network device requires an SC connection, use the LC-SC adaptor and SC-SC
cable included in the Kit.
d. Plug the other end of this cable into the corresponding network device.
Connecting the Bypass Switch to a Sensor with LC ports
a. Plug an LC-LC cable labeled PTx/SRx (inside) into the LC receptacle of port xA, where x is 1-6.
b. Plug the other end of the LC cable into the Monitor LC receptacle labeled A (no triangle) of the
Bypass Switch.
c. Plug an LC-LC cable labeled STx/PRx (outside) into the corresponding xB peer port. (For example,
if you used 2A in step a, plug the cable into port 2B.)
d. Plug the other end of this cable into the Monitor port labeled B of the Bypass Switch.
With this cable configuration, Sensor Monitoring port 1A views traffic as originating
inside the network, and port 1B views traffic as originating outside the network. Note that
this configuration (1A = inside, 1B = outside) must match the port configuration
specified for this Sensor, and that the ports must be enabled. Port configuration is
accomplished via the Manager, and is described in the McAfee Network Security Platform IPS
Administration Guide.
Connecting the switch to a Sensor with SC-type ports
a. Plug the SC end of an SC-LC cable labeled STx/PRx (outside) into the SC receptacle of port xA.
b. Plug the LC end of the cable into the Monitor LC receptacle labeled A (no triangle).
c. Plug the SC end of an SC-LC cable labeled PTx/SRx (inside) into the corresponding xB peer port.
(For example, if you used 2A in step a, plug the cable into port 2B.)
Make sure that you cable inbound and outbound traffic correctly, matching the port
configuration for these two ports on the Sensor.
d. Plug the other end of this cable into the Monitor port labeled B of the Bypass Switch.
Configuring the Sensor Monitoring Ports
You configure the Sensor's monitoring ports from the Manager interface. The port configuration must
match the cabling of the switch, the ports must be set to "In-line Fail-Open", and the ports must be
enabled.
To view or configure the settings of your monitoring ports:
a. In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup |
Physical Ports | Monitoring Ports.
b. Click a numbered port (for example 10A) in the Monitoring Ports pane.
A pop-up displays the current port settings.
c. Indicate whether you are using a McAfee Certified module.
d. Set the State to Enabled.
e. In the Operation section, set Mode to In-line Fail-Open Passive.
f. In the same section, set Placement to Inside (internal) or Outside (external).
g. Click Save to commit your configuration.
h. Click OK to confirm that the configuration is applied to port 10B as well.
i. Repeat for any other ports you need to configure.
j. Download the changes to your Sensor by performing the steps in Deploy pending changes to a
device in the McAfee Network Security Platform Manager Administration Guide.
Verify proper installation
After the Bypass Switch has been connected to the network and the Sensor, check the switch's LED
to verify that the switch is receiving power from the Sensor. Check the port status and operating
mode status in the McAfee® Network Security Manager (Manager) interface to ensure that the port is
enabled and is in the In-Line Fail-Open mode.

Status LED on the Bypass Switch
The indicator is adjacent to the Control port on the Bypass Switch.

Light | Status
ON | Switch is receiving power from the Sensor and traffic is passing to the Sensor.
OFF | The switch is in bypass mode; it is not receiving power and is not passing network traffic to the Sensor.
Port and operating mode status
The port status and operating mode status for GE In-line Fail-open mode are detailed as follows:

In-line Fail-Open Port Status | Port color on the virtual Sensor | Operating Mode Status
In-line Fail-Open | Green | The in-line fail-open device is in in-line fail-open mode.
In-line Bypass | Yellow | The in-line fail-open device is in in-line bypass mode. The bypass switch has been activated. The Sensor does not monitor during this time.
Unknown | Orange | Unable to get the status of the in-line fail-open device from the Sensor. Check the Operational Status.
Switch Absent | Red | Fail-open control is not present, control cable is not present, or bypass switch is not present. Verify that all three components are connected properly. If everything is connected correctly, check the Operational Status.
N/A | Gray | Not Applicable; the operating mode is not in in-line fail-open mode.

If you encounter any problems, see Common Problems and Solutions.
Troubleshooting
How does the Bypass Kit work?
During normal Sensor in-line, fail-open operation, the Fail-Open or built-in Control port (depending
on which controls the bypass switch) supplies power and a heartbeat signal to the bypass switch. If
this signal is not presented within its programmed four-second interval, the Fail-Open bypass switch
removes the Sensor from the data path, and moves into bypass mode, providing continuous data
flow with little network interruption.
While the Sensor is in bypass mode, traffic passes directly through the switch, bypassing the Sensor.
When normal Sensor operation resumes, you may or may not need to manually re-enable the
monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's
failure.
The following section describes how to return the Sensor to in-line mode.
Moving from bypass mode back to in-line mode
How the Sensor returns from bypass mode to in-line mode depends on which of the following caused the failover:
• Manual Sensor reboot
• Sensor error
What happens in a Sensor failure?
When a Sensor fails with the Bypass Kit in place, the following events occur in the order shown.
a. The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the
Operational Status pane.
b. The Sensor reboots and the Bypass Switch begins forwarding traffic. All traffic then bypasses the
Sensor and flows across the Bypass Switch with minimal traffic disruption.
A Sensor reboot breaks the link connecting the devices on either side of the Sensor and
requires the renegotiation of the network link between the two devices surrounding the
Sensor. Depending on the network equipment, this disruption should range from a
couple of seconds to more than a minute with certain vendors' devices.
c. Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:
1) If the reboot happened during normal activity as described above, the Bypass Switch
resumes passing data through the Sensor and the Sensor returns to in-line mode.
2) If the reboot occurred due to an error, the Bypass Switch will continue to bypass the Sensor
until the Sensor ports are re-enabled from the Manager.
After the ports are re-enabled, the Bypass Switch resumes passing data through the Sensor and
the Sensor returns to in-line mode.
A very brief link disruption might occur while the links are renegotiated to place the
Sensor back in in-line mode.
d. The errors on the Manager are cleared and normal health is reported.
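As an added illustration (not McAfee's code or firmware), the following Python script simulates the heartbeat watchdog and the two recovery paths described in the preceding sections: a manual reboot, after which the switch returns to in-line mode on the first fresh heartbeat, and an error-driven reboot, after which the switch keeps bypassing until the ports are re-enabled in the Manager. Only the four-second heartbeat interval and the Manager status names and colours are taken from this guide; the method names, timestamps and scenarios are constructed for the example.

```python
# Added illustration, not McAfee code: a simulation of the bypass switch's
# heartbeat watchdog and recovery rules as this guide describes them. Only the
# four-second heartbeat interval and the Manager status names/colours are taken
# from the guide; method names, timestamps and scenarios are constructed.
from dataclasses import dataclass, field
from enum import Enum

HEARTBEAT_TIMEOUT_S = 4.0  # programmed interval stated in the guide


class PortStatus(Enum):
    """Port status shown in the Manager, with its colour on the virtual Sensor."""
    INLINE_FAIL_OPEN = ("In-line Fail-Open", "Green")
    INLINE_BYPASS = ("In-line Bypass", "Yellow")
    SWITCH_ABSENT = ("Switch Absent", "Red")

    @property
    def monitored(self):
        """Traffic is inspected only while the switch routes it through the Sensor."""
        return self is PortStatus.INLINE_FAIL_OPEN


@dataclass
class BypassSwitch:
    last_heartbeat: float = float("-inf")  # no heartbeat received yet
    bypassing: bool = True                 # an unpowered switch is in bypass
    ports_enabled: bool = True
    control_cable: bool = True
    transitions: list = field(default_factory=list)  # (time, status name)

    def status(self):
        if not self.control_cable:
            return PortStatus.SWITCH_ABSENT
        return PortStatus.INLINE_BYPASS if self.bypassing else PortStatus.INLINE_FAIL_OPEN

    def _set_bypass(self, now, bypassing):
        if bypassing != self.bypassing:
            self.bypassing = bypassing
            self.transitions.append((now, self.status().value[0]))

    def heartbeat(self, now):
        """The running Sensor powers the switch and pulses the heartbeat."""
        self.last_heartbeat = now
        # After an error-driven reboot the ports stay disabled, so the switch
        # keeps bypassing until the operator re-enables them in the Manager.
        if self.ports_enabled:
            self._set_bypass(now, False)

    def tick(self, now):
        """Watchdog: no heartbeat within the interval means the Sensor is gone."""
        if now - self.last_heartbeat > HEARTBEAT_TIMEOUT_S:
            self._set_bypass(now, True)

    def sensor_failure(self, now, due_to_error):
        """The Sensor reboots and its heartbeat stops; an error also disables its ports."""
        if due_to_error:
            self.ports_enabled = False

    def enable_ports(self, now):
        """Operator re-enables the ports; takes effect if the heartbeat is fresh."""
        self.ports_enabled = True
        if now - self.last_heartbeat <= HEARTBEAT_TIMEOUT_S:
            self._set_bypass(now, False)

    def unplug_control_cable(self, now):
        """Without the control cable the switch loses power; the Manager reports it absent."""
        self.control_cable = False
        self.last_heartbeat = float("-inf")
        self._set_bypass(now, True)


def run_scenario(events, end, step=1.0):
    """Replay (time, action, *args) events against a fresh switch, ticking the
    watchdog every `step` seconds; return the recorded status transitions."""
    sw = BypassSwitch()
    pending = sorted(events)
    t = 0.0
    while t <= end:
        while pending and pending[0][0] <= t:
            _, action, *args = pending.pop(0)
            getattr(sw, action)(t, *args)
        sw.tick(t)
        t += step
    return sw.transitions


def bypass_seconds(transitions, end):
    """Total time the Sensor was not inspecting traffic (constructed metric)."""
    total, start = 0.0, None
    for t, name in transitions:
        if name == PortStatus.INLINE_BYPASS.value[0]:
            start = t
        elif start is not None:
            total, start = total + (t - start), None
    return total + (end - start if start is not None else 0.0)


def manual_reboot_scenario():
    events = [(t, "heartbeat") for t in range(0, 5)] + [(5, "sensor_failure", False)]
    events += [(t, "heartbeat") for t in range(20, 41)]  # Sensor back up at t=20
    return run_scenario(events, end=40)


def error_reboot_scenario():
    events = [(t, "heartbeat") for t in range(0, 5)] + [(5, "sensor_failure", True)]
    events += [(t, "heartbeat") for t in range(20, 41)] + [(30, "enable_ports")]
    return run_scenario(events, end=40)


if __name__ == "__main__":
    for name, fn in (("manual reboot", manual_reboot_scenario), ("error reboot", error_reboot_scenario)):
        trans = fn()
        print(name, trans, "unmonitored seconds:", bypass_seconds(trans, end=40))
```

Running the two scenarios shows the operational point of the guide: in both cases the switch drops into bypass once the heartbeat has been missing for longer than the interval, but after an error-driven reboot the unmonitored window lasts until someone re-enables the ports in the Manager, so a "Port pair is in bypass mode" error should be treated as an open monitoring gap rather than a self-healing condition.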
Common Problems and Solutions
This section lists some common installation problems and their solutions.

Problem | Possible Cause | Solution
LED is off. | The control cable has been disconnected. | Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.
LED is off. | The Sensor is powered off. | Restore Sensor power.
LED is off. | The Sensor port cable is disconnected. | Check the Sensor cable connections.
Sensor is operational, but is not monitoring traffic. | Network device cables have been disconnected. | Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch.
Sensor is operational, but is not monitoring traffic. | The Sensor ports have not been enabled in the Manager. | The Sensor will not monitor traffic on the ports unless the ports are enabled in the Manager. Ports are disabled in a Sensor failure; they must be re-enabled for Sensor monitoring to resume.
Network or link problems. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the Bypass Switch.
Runts or giants errors on switch and routers. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the Bypass Switch.
The system fault "Switch absent" appears in the Manager Operational Status window. | The control cable has been disconnected. | Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.
Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-3603C00