Revision B M-3050/M-4050 Sensor Product Guide


M-3050/M-4050 Sensor Product Guide
Revision B
McAfee Network Security Platform

COPYRIGHT

Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Find product documentation

1 Overview
    About Network Security Sensors
    Functions of a Sensor
    Network topology considerations
    M-3050/M-4050 key features
    M-3050/M-4050 physical description
        Ports
        Front and back panel LEDs

2 Before you install
    Usage restrictions
    Safety measures
    About fiber-optic ports
    Contents of the box
    Unpack the Sensor

3 Setting up the Sensor
    Setup overview
    How to position the Sensor
        Install the rails and ears on the chassis and rack
        Mount the Sensor on a rack
        Remove a Sensor from the rack
    Redundant power supply
        Install the power supply
        Remove the power supply
    Cable the Sensor
    Small form-factor pluggable modules
        SFP modules
        XFP modules
        Install a module
        Remove a module
    Power on the Sensor
    Power off the Sensor

4 Attaching Cables to the Sensor
    e the Console port
    Cable the Auxiliary port
    Connect the cable to the Response port
    About the fail-open port
    Cable the Management port
    About connecting cables to the Monitoring ports
        How to use peer ports
        Default Monitoring port speed settings
        Cable types for routers, switches, hubs, and PCs
    Connect the cables for in-line mode
    Connect the cables for tap mode
    Connect the cables for SPAN or hub mode
    Cable the fail-over interconnection ports
    How does the fail-open function work

5 Troubleshooting the Sensor

6 Sensor technical specifications

A Regulatory, compliance, and safety information

Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
- About this guide
- Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:
- Administrators — People who implement and enforce the company's security program.
- Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

- Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
- Bold: Text that is strongly emphasized.
- User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
- Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
- Hypertext blue: A link to a topic or to an external website.
- Note: Additional information, like an alternate method of accessing an option.
- Tip: Suggestions and recommendations.
- Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
- Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

This guide contains the information necessary to set up your M-3050/M-4050 Sensor model. This information includes guiding you through preconfiguring, cabling, and troubleshooting your Sensor.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:

| To access | Do this |
|---|---|
| User documentation | 1. Click Product Documentation. 2. Select a product, then select a version. 3. Select a product document. |
| KnowledgeBase | Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. |

1 Overview

This chapter provides an overview of McAfee Network Security Sensors in general and the M-3050/M-4050 Sensor model in particular.

Contents
- About Network Security Sensors
- Functions of a Sensor
- Network topology considerations
- M-3050/M-4050 key features
- M-3050/M-4050 physical description

About Network Security Sensors

McAfee Network Security Sensors (Sensors) are high-performance, scalable, and flexible content processing appliances built for the accurate detection and prevention of:
- network intrusions
- network misuse
- Distributed Denial-of-Service (DDoS) attacks

Sensors are specifically designed to handle traffic at wire speed, to inspect traffic efficiently and detect intrusions with a high degree of accuracy, and to be flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, the Sensor provides real-time traffic monitoring to detect malicious activity and respond to it as configured by the administrator.

After you deploy a Sensor successfully, you configure and manage it using the McAfee Network Security Manager (Manager). The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For details about the Manager, see the McAfee Network Security Platform Getting Started Guide.

Functions of a Sensor

The primary function of a McAfee Network Security Sensor (Sensor) is to analyze traffic on selected network segments and to respond when an attack is detected. The Sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The Sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for and how to respond with countermeasures if an attack is detected.

If an attack is detected, a Sensor responds according to its configured policy. The Sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, "scrubbing" malicious packets, and even blocking attack packets entirely before they reach the intended target.

Network topology considerations

Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of McAfee ePolicy Orchestrator (McAfee ePO)/McAfee NAC servers required to protect your network. The Sensor is purpose-built for the monitoring of traffic across one or more network segments. For more information, see the McAfee Network Security Platform Getting Started Guide.

Following is an example of a network topology using Gigabit Ethernet throughput. In the illustration, McAfee Network Security Platform (formerly McAfee IntruShield) provides IPS protection to outsourced servers. High port density and virtualization provide a highly scalable solution, while Network Security Platform protects against Web and eCommerce mail server exploits.

Figure 1-1 A sample Network Security Platform deployment

M-3050/M-4050 key features

The M-3050/M-4050 Sensor includes the following features:

| M-3050 | M-4050 |
|---|---|
| 4 - 10-GbE XFP | 4 - 10-GbE XFP |
| 8 SFP ports (10/100/1000 copper or 1 GbE fiber) | 8 SFP ports (10/100/1000 copper or 1 GbE fiber) |
| 1 10/100/1000 Base-T Management port | 1 10/100/1000 Base-T Management port |
| 1 Response port | 1 Response port |
| Hot-swappable SFP/XFP modules | Hot-swappable SFP/XFP modules |
| Dual power supply | Dual power supply |
| 3 Fan units (that are field replaceable) | 3 Fan units (that are field replaceable) |
| It has 2 XLRs (A/B) host entries | It has 3 XLRs (A/B/C) host entries |
| Power slots for fail-open kit | Power slots for fail-open kit |

M-3050/M-4050 physical description

The high-port-density M-3050/M-4050 is designed for high-bandwidth links and is equipped to support two 10 Gigabit full-duplex Ethernet segments or four 10 Gigabit SPAN ports transmitting aggregated traffic. Additionally, it supports four 1 Gigabit full-duplex Ethernet segments or eight 1 Gigabit SPAN ports transmitting aggregated traffic.

Ports

The M-3050/M-4050 is a 2RU (2 rack unit) appliance and is equipped with the following components:

Figure 1-2 An M-3050/M-4050 Sensor

| Item | Description |
|---|---|
| 1 | Power Supply A |
| 2 | Power Supply B |
| 3 | RS-232C Console port |
| 4 | RS-232C Auxiliary port |
| 5 | RJ-11 Fail-Open Control ports |
| 6 | SFP Gigabit Ethernet Monitoring ports |
| 7 | XFP 10 Gigabit Ethernet Monitoring ports |
| 8 | Compact Flash port |
| 9 | RJ-45 Response port |
| 10 | 10/100/1000 Management port |
| 11 | Back panel LEDs (3) |

1. Power Supply A. Power supply A is included with each Sensor. The supply uses a standard IEC port (IEC320-C13). McAfee provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country-appropriate power cable.

2. Power Supply B (optional, purchased separately). Power supply B is a hot-swappable, redundant power supply. This power supply also uses a standard IEC320-C13 port, and you can use the McAfee-provided cable or acquire one that meets your specific needs.

3. One RS-232C Console port, which is used to set up and configure the Sensor.

4. One RS-232C Auxiliary port, which may be used to dial in remotely to set up and configure the Sensor.

5. Six RJ-11 Fail-Open Control ports, designed for use with the Optical Fail-Open Bypass kit. The ports are marked X1, X2, X3, X4, X5, X6 (1A-1B to 6A-6B respectively).

6. Eight small form-factor pluggable (SFP) 1 Gigabit Monitoring ports, which enable you to monitor eight SPAN ports, four full-duplex tapped segments, four segments in-line, or a combination (for example, two full-duplex segments and four SPAN ports).

7. Four 10 Gigabit small form-factor pluggable (XFP) Monitoring ports, which enable you to monitor four SPAN ports, two full-duplex tapped segments, two segments in-line, or a combination (for example, one full-duplex segment and two SPAN ports).

   The Monitoring interfaces of the M-3050/M-4050 work in stealth mode, meaning they have no IP address and are not visible on the monitored segment.

   If you choose to run in failover mode, port 2A is used to interconnect with a standby Sensor.

   The gigabit ports of the M-3050/M-4050, when deployed in in-line mode, fail-close, meaning that if the Sensor fails, it will interrupt/block data flow. Fail-open functionality requires either the Layer 2 Passthru feature or the hardware Gigabit Fail-Open Bypass kit for Gigabit ports. The Layer 2 Passthru feature is described in detail in the McAfee Network Security Platform Device Administration Guide.

8. One External Compact Flash port. This port is used only for flash recovery purposes. That is, this port is used in troubleshooting situations where the Sensor's internal flash is corrupted and you need to reboot the Sensor through the external compact flash. For more information, see the on-line KnowledgeBase at http://mysupport.mcafee.com/Eservice/. Click Search the KnowledgeBase.

9. One RJ-45 Response port, which, when you're operating in SPAN or tap mode, enables you to inject response packets back through a switch or router.

10. One RJ-45 10/100/1000 Management port, which is used for communication with the Manager server. You can assign an IP address to this port during installation.

The M-3050/M-4050 does not have internal taps; you must use it with a third-party external tap to run it in tap mode.

Front and back panel LEDs

The front panel LEDs provide status information for the health of the Sensor and the activity on its ports. The following table describes the M-3050/M-4050 front panel LEDs.

| LED | Status | Description |
|---|---|---|
| Pwr A (Power A) OK | Green | Power Supply A is functioning. |
| Pwr A (Power A) OK | Amber | Power Supply A is not functioning. |
| Pwr A (Power A) AC | Green | Power Supply in AC mode. |
| Pwr B (Power B) OK | Green | Power Supply B is functioning. |
| Pwr B (Power B) OK | Amber | Power Supply B is not functioning. |
| Pwr B (Power B) AC | Green | Power Supply in AC mode. |
| Management Port Speed | Green | The port speed is 1000 Mbps. |
| Management Port Speed | Amber | The port speed is 100 Mbps. |
| Management Port Speed | Off | The port speed is 10 Mbps. |
| Management Port Link | Green | The link is connected. |
| Management Port Link | Off | The link is disconnected. |
| Sys | Green | Sensor is operating. |
| Sys | Amber | Sensor is booting. (It could also indicate a system failure.) |
| Fan | Green | All three fans are operating. |
| Fan | Amber | One or more of the fans has failed. |
| Temp | Green | Inlet air temperature measured inside chassis is normal. (Chassis temperature OK.) |
| Temp | Amber | Inlet air temperature measured inside chassis is too hot. (Chassis temperature too hot.) |
| Flash | Green | Activity on external compact flash. |
| Flash | Off | No activity on external compact flash. |
| Gigabit Ports (SFP / XFP) Act | Amber | Data transferring. |
| Gigabit Ports (SFP / XFP) Act | Off | No data transferring. |
| Gigabit Ports (SFP / XFP) Link | Green | The link is connected. |
| Gigabit Ports (SFP / XFP) Link | Off | The link is disconnected. |
| Response Port Speed | Green | The port speed is 1000 Mbps. |
| Response Port Speed | Amber | The port speed is 100 Mbps. |
| Response Port Speed | Off | The port speed is 10 Mbps. |
| Response Port Link | Green | The link is connected. |
| Response Port Link | Off | The link is disconnected. |
| Fail-Open Control FO | Green | The Sensor is providing power to the fail-open kit. |
| Fail-Open Control FO | Off | The Sensor is not providing power to the fail-open kit. |
| Fail-Open Control Port Err | Amber | The fail-open control cable is disconnected or the Sensor is operating in bypass mode. |
| Fail-Open Control Port Err | Off | There is no error. |

If a power supply is not present, both green and amber LEDs are off.

The three back panel LEDs provide information regarding the Sensor fans.

| LED | Status | Description |
|---|---|---|
| Fan LED | OFF | The fan is functioning properly. |
| Fan LED | Amber | The fan has malfunctioned. |


2 Before you install

This chapter describes the best practices for deployment of Sensors in your network. Topics include the safety considerations for handling the Sensor, usage restrictions that apply to the Sensor model, and the contents that are shipped along with the Sensor.

Contents
- Usage restrictions
- Safety measures
- About fiber-optic ports
- Contents of the box
- Unpack the Sensor

Usage restrictions

The following restrictions apply to the use and operation of a Sensor:
- You should not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
- The Sensor appliance is not a general purpose workstation.
- McAfee prohibits the use of the Sensor appliance for anything other than operating Network Security Platform.
- McAfee prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Network Security Platform.

Safety measures

Please read the following warnings before you install the Sensor. These safety measures apply to all Sensor models unless otherwise noted. Failure to observe these safety warnings could result in serious physical injury.
