McAfee Network Security Platform

Transcription

1 Network Security Platform v5.1 Page 1 McAfee Network Security Platform [formerly McAfee IntruShield ] Release Version 5.1 (Document was revised on 11/26/09) Software versions in this release This document applies only to the following software versions. Network Security Manager Image for Windows Server 2003/MySQL Signature set Network Security Sensor M-6050/ M-8000 image Network Security Sensor M-3050/ M-4050 image Network Security Sensor M-2750 image Network Security Sensor M-1250/ M-1450 image This 5.1 maintenance release is for addressing Manager software issues. This version of 5.1 Manager software can be used to configure and manage I-series, M-series, and N-series Sensors.

2 Network Security Platform v5.1 Page 2 Contents 1 What s new in this release s resolved in this release Resolved Sensor software issues Resolved Manager software issues Known outstanding issues Known Sensor software issues Known Manager software issues Installation and upgrade notes Technical assistance and problem reporting M ore Information... 10

3 Network Security Platform v5.1 Page 3 1 What s new in this release This section details the additions and/or enhancements delivered with this 5.1 Release. Support for Integration with Foundstone 6.8 With this release of 5.1, the Manager supports integration with Foundstone version 6.8. Coverage of new TCP\IP vulnerabilities This release of Network Security Platform covers the new TCP/IP vulnerabilities, including the ones disclosed in Microsoft Security Bulletins MS These vulnerabilities could allow an attacker to cause a Denial-of-Service (DoS) or execute code remotely on a compromised machine. The corresponding attack IDs of the vulnerabilities covered and related details are given below. Note: For protection against the following attacks, you need Sensor software / and Signature set version or above. 1. AID 0x00009d00 TCP: Small Window Flow Detected: This alert indicates the presence of a TCP flow with a very small window size advertised by the client. Multiple such flows can potentially lead to resource exhaustion on the server. This alert indicates a component attack. The correlated attack ID is 0x Please refer to KB60305 for more details. The vulnerabilities covered by this attack signature are: CVE TCP/IP Zero Window Size Vulnerability CVE TCP/IP Orphaned Connections Vulnerability For the details on these vulnerabilities, you can go to or 2. AID 0x TCP: Small Window DoS: This alert indicates an attempt to exploit a DoS vulnerability by sending multiple TCP flows to a victim server with a very small client receive window size in the TCP header. This alert indicates a correlated attack. The component attack ID is 0x00009d00. Please refer to KB60305 for more details. 3. AID 0x00009e00 TCP: 3-Way Handshake PAWS Fail DoS: This alert indicates an attempt to establish a TCP flow that will fail the "PROTECT AGAINST WRAPPED SEQUENCE NUMBERS" (PAWS) test. This can potentially lead to resource exhaustion or even code execution on the victim machine. The vulnerability covered by this attack signature is CVE TCP/IP Timestamps Code Execution Vulnerability. 4. AID 0x00009b00 TCP: SYN Packet Fixed Options Header: This alert indicates the presence of a TCP Syn packet with a fixed options pattern. It has been observed that an exploit tool can send such packets that can potentially lead to a DoS condition. This alert indicates a component attack. The correlated attack ID is 0x Please refer to KB60305 for more details. 5. AID 0x TCP: SYN Packet Fixed Header Options DoS: This alert indicates that someone is attempting to DoS the victim by sending TCP SYN packets with fixed options in the header. This alert indicates a correlated attack. The component attack ID is 0x00009b00. Please refer to KB60305 for more details. Detection of attacks related to Conficker worm AID 0x45d09300 WORM: Conficker Activity Detected: This update provides accurate coverage for the detection of Conficker communication over TCP/UDP protocols. The detection logic uses the port generation algorithm used by Conficker worm. For further details, go to: Support for forwarding ICMP checksum error Earlier the CLI command set tcpudpchecksumerrorr forward could be used for forwarding TCP and UDP packets alone. With this release, this CLI command can be used to forward ICMP checksum errors as well.

4 Network Security Platform v5.1 Page 4 Enabling layer2 forwarding on ports and VLANs This release of 5.1 provides new CLI commands to support layer2 forwarding. No security functions will be applied for packets forwarded with layer2 forward. McAfee recommends using layer2 forwarding for high latency applications. Enable or disable TCP port for Layer2 forwarding This command enables or disables a single port or a range of TCP ports. The first port number is the mandatory port number. The second port number is an optional port number, which will act as a range. Syntax: layer2 forward tcp (enable disable) < > [< >] For example: layer2 forward tcp enable 5 will enable port layer2 forwarding on TCP port 5 alone. While layer2 forward tcp enable 5 10 will enable layer2 forwarding on TCP ports from 5 to 10. Enable or disable UDP port for Layer2 forwarding This command enables or disables a single port or a range of UDP ports. The first port number is the mandatory port number. The second port number is an optional port number, which will act as a range. Syntax: layer2 forward udp (enable disable) < > [< >] For example: layer2 forward tcp enable 5, will enable port layer2 forwarding on UDP port 5 alone. While layer2 forward tcp enable 5 10 will enable layer2 forwarding on UDP ports from 5 to 10. Enable or disable VLAN id for Layer2 forwarding This command enables or disables a single VLAN ID or a range of VLAN ID on all interfaces available on the Sensor. The first ID is the mandatory VLAN ID. The second VLAN ID is optional, which will act as a range. Syntax: layer2 forward vlan (enable disable) <0-4095> [<0-4095>] For example: layer2 forward vlan enable 5, will enable port layer2 forwarding on VLAN 5 alone on all interfaces. While layer2 forward vlan enable 5 10 will enable layer2 forwarding on VLAN within the range of 5 to 10 on all interfaces. Remove Layer2 forwarding on VLAN id or TCP/UDP port This command will remove all the ports or VLANs that are enabled for layer2 forwarding. For TCP/UDP, it will remove all the port numbers from 0 to that were enabled and also disable the layer2 forwarding feature for TCP. Similarly for VLAN all the 0 to 4095 VLAN ID are cleared and the feature is disabled. Syntax: layer2 forward clear (all tcp udp vlan) Show layer2 forward for port and vlan When show layer2 forward all is provided it will show all the TCP/UDP ports and the VLAN IDs (separated by comma) that are enabled for layer2 forwarding. The show layer2 forward returns the same result as show layer2 forward all. Syntax: show layer2 forward (all tcp udp vlan <cr>) Enable or disable VLAN on specific interface for Layer2 forwarding This command enables or disables the VLAN on the interface as specified by the interface parameter. Syntax: layer2 forward vlan (enable disable) <0-4095> interface (all 1A-1B 2A-2B.) For example: layer2 forward vlan enable 5 interface 3A-3B will enable port layer2 forwarding on VLAN 5 on interface 3A-3B. Enable or disable range of VLAN on specific interface for Layer2 forwarding This command enables or disables the range of VLANs on the interface as specified by the interface parameter. The first number represents the start of the range, while the second number represents the end. Syntax: layer2 forward vlan (enable disable) <0-4095> <0-4095> interface (all 1A- 1B 2A-2B.)

5 Network Security Platform v5.1 Page 5 For example: layer2 forward vlan enable 5 10 interface 3A-3B will enable layer2 forwarding on VLAN within the range 5 to 10 on interface 3A-3B. 2 s resolved in this release The following table contains issues resolved in this release of Network Security Platform Resolved Sensor software issues Unless specified otherwise, the resolved Sensor software issues listed below are applicable to all M-series Sensor models: High severity Sensor software issues / In failover setups, there is a chance of packet drops on the sensor after running under high load for few weeks [M-8000] Incorrect ACL action with Permit and Ignore ACLs There is a chance of a Sensor reboot when a certain rare sequence of TCP fragments is received at the Sensor [M-1250/M-1450] Sensors in a failover pair reboot occasionally because of an internal Sensor error Excessive flapping of log channel and alert channel may cause the Sensor to reboot Possibility of a Sensor to reboot when a lot of alert and packet logs are being sent to the Manager and the user is trying to deinstall the Sensor [M-4050] When ICMP packets with a certain pattern in the payload are received over a long period of time, it can cause a traffic outage If alert throttling is enabled, the Sensor sends packet logs for throttled alerts to the Manager after the number of packet logs exceed 100,000. The additional packet logs could fill up the Manager database and cause out-of-memory errors While using the third-party NMS feature, if excessive SNMPv3 authentication failures occur, the Sensor reboots due to the Sensor running out of memory Some enhancements done to the SSH protocol (first released in signature sets / ), exposed an error condition in the Sensor software that could cause performance/latency issues on the Sensors when parsing certain types of SSH traffic The show mem-usage command does not display the attack marker usage properly Attack Markers Exhausted counters are getting incremented. Medium severity Sensor software issues [M-8000] ICMP timeouts are seen when fragments with jumbo packets are sent through the Sensor.

6 Network Security Platform v5.1 Page 6 Medium severity Sensor software issues [M-1250/M-1450] The flash LED comes on and stays during startup when no Compact Flash is in the slot [M6050] 1 Gigabit fiber ports fail to link up when the operating mode is changed from TAP to in-line or vice-versa W32/Conficker.C Response Detected" reported attack could be a false positive alert with certain type of traffic / [M-8000] The Sensor with ports configured in fail-open can occasionally reboot after an upgrade to the latest Sensor software Resource exhaustion causes packet logging to stop when certain type of traffic is received for a long duration On rare occasions, the Sensor could reboot after a file transfer of size more than 4 GB. Low severity Sensor software issues The Sensor could occasionally report Link Failure false positive messages on the response port [M-8000] "Off/HdrLen Error Drop Count" could be reported incorrectly on 14B The Sensor sends suppressed alerts only after the Sensor configuration is updated or after disabling suppression [M-1250/M-1450] The shutdown command behavior is not consistent between M-1250 and M-1450 Sensors. 2.2 Resolved Manager software issues High severity Manager software issues The Manager server has high CPU utilization when IPS Quarantine is enabled for all attacks. Medium severity Manager software issues The Threat Analyzer is disconnected after running for a few hours when using a 64bit OS In an MDR setup, when one of the Managers is down for an extended period, then upon restart, synchronization of the missing alerts and packet logs with its Peer Manager does not happen correctly The Historical Threat Analyzer is having issue with loading 500,000 alerts Unable to disable the "Backup Files" deletion option under the Manager > Maintenance page Relevancy data is displayed as N/A in the Syslog message.

7 Network Security Platform v5.1 Page 7 Medium severity Manager software issues In the Threat Analyzer Port Throughput utilization monitor, the mouse-over summary displays an incorrect data when the value is greater than 2Gbps The UDS Editor alters the OFFSET and DEPTH field values when the signature is saved The dbtuning.bat file does not work on some Windows systems In the Real-time Threat Analyzer, the Does not equal condition for filtering IPs under the Display Filter criteria does not work correctly Unable to upload the logon banner from a path that has non-english characters Unable to choose the default policy at the time of editing a child domain if the policy was created at the child domain level The scheduled backup process is running on a daily basis when configured as weekly The modification time of unacknowledged faults is modified after a restart of the Manager service The status for an offline signature set download is displayed as "In progress" for a long time. 3 Known outstanding issues The following tables contain the known, outstanding issues for this release of Network Security Platform Known Sensor software issues High severity Sensor issues Workaround Rate limiting does not work on M-8000 S ports. Medium severity Sensor issues Workaround [NAC] When multiple interfaces are active on a host simultaneously, and a single Sensor sees traffic from the same host, NAC can be done only on traffic from one of the interfaces. Ensure that your NAC configuration is enabled for only one interface on the Sensor [McAfee NAC] The OS information for MAC hosts are displayed as Unknown instead of Unmanageable Fragmented packets within tunneled traffic are dropped when both inner and outer headers are fragmented. Disable tunneling using "set parsetunneledtraffic disable" ACLs do not work when applied to tunneled traffic Attack detection does not work for tunneled flows containing MPLS or double VLAN tagged packets When TACACS+ is used with a 64 character encryption key, remote authentication fails.. Use a key of 63 characters or less Only in the case of copper SFPs set to 1Gbps w/auto-negotiation, ports Reconfigure using ISM to

8 Network Security Platform v5.1 Page 8 Medium severity Sensor issues Workaround can come up at 100Mbp or 10Mbps depending on the behavior of the peer device. All other configurations (fiber SFPs and 10Mbps or 100Mbps copper set to auto-negotiation) result in behavior that matches the documentation. If the peer device supports the configured speed the link comes up, otherwise it does not Some stats displayed by the sensor CLI command show inlinepktdropstats are not cleared when the clrstats command is entered at the CLI. match peer port setting. 3.2 Known Manager software issues High severity Manager issues Workaround [IPS] After upgrading from 4.1 to 5.1, the configurations for alert filters and rule sets created in the Central Manager [before upgrade] are not pushed to the Manager automatically (Client on Windows 2003 and IE 6.0) Any Export/Import functionality closes the Configuration Tool window. The rule sets and alert filters created before upgrade can be pushed to the Manager by forcibly doing Full Synchronization through Central Manager. This functionality is currently unavailable when using the ISM client on a Windows 2003 system. Use Windows XP instead. If you wish to use Windows 2003, use IE 7.0 as your browser. Medium severity Manager issues ID Summary Workaround [NAC] On changing the NAZ policy on the Threat Analyzer for a VPN Host, the new NAZ policy name is not dynamically updated on the Threat Analyzer, but gets correctly updated on the Sensor. Restart the Threat Analyzer [IPS] On importing the sensor configuration into the Manager, the IPv4 Fragment Reassembly field is not correctly updated [IPS] "Synchronization Required" (Manager List -> Policy Synchronization tab) status is not becoming true when Alert filters / Rule Sets are created in the Central Manager after upgrade. Reason column also remains blank. Manually change the setting for IPv4 Fragment Reassembly after import [NAC] The backup AD for a domain in the user identity store is not used for role derivation lookup if the primary AD for the same domain is down [NAC] OS information for unmanageable hosts is not displayed in the Threat Analyzer Hosts page When users with system security roles access the Manager using the Central Manager, and attempts to add/modify configurations, a blank

9 Network Security Platform v5.1 Page 9 Medium severity Manager issues ID Summary Workaround page is displayed [IPS] Received the anomsnmpgetnexttimeddosendtime exception while accessing the Manage DoS Filters page In Alert Manager preferences, when the Max row limit value is increased, it requires a restart for the changes to take effect [IPS] The Resource Tree does not refresh after changing from span to inline mode [IPS] In Alert Manager, description for Host Intrusion Prevention alerts is blank [IPS] Bulk editing a very large number of attacks causes 100% CPU utilization In some instances, the faultlog table may not get updated (for example, a fault persists after acknowledgement) Archive files larger than 4GB become corrupted due to.zip file format limitations. Restart the Alert Manager. Perform a manual refresh after changing the mode.... Any time you create an archive, validate the archive on a separate machine before deleting alerts and packet logs that have been archived. An archive file larger than 4GB is very likely corrupted. Low severity Manager issues Workaround The Threat Analyzer displays the session time as "Not Available" for quarantined hosts after a sensor reboot [IPS] SNMP Traps are not including all details for UDS attacks. 4 Installation and upgrade notes The following table provides the Network Security Platform components versions supported for upgrading to this release of 5.1 Sensor and Manager software: Manager image M-6050, M-8000 Sensor Image M-3050, M-4050 Sensor Image M-2750 Sensor Image M-1250/M-1450 Sensor Image or above or above , or above or above or above or above or Upgrade from the 4.1 version of the Sensor software is not applicable for the following models: M-1250, M-1450, M-2750, M-3050, M-4050 If you have 4.1 M-6050/M-8000 Sensors in your setup, and are planning to upgrade to 5.1, note that features such as VLAN bridging and parsing of GRE tunneled traffic are not supported on M-series Sensors in 5.1.

10 Network Security Platform v5.1 Page 10 5 Technical assistance and problem reporting Technical support may request certain information from you to assist you in troubleshooting. A description of this information is provided in On-line Contact McAfee Technical Support at Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates Via Phone Technical Support is available 7:00am to 5:00pm PST Monday-Friday. 24x7 Technical Support is available for customers with PrimeSupport Priority or Enterprise service contracts. Phone: (US Toll Free) or (Outside US) Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a username and password for the online case submission. 6 More Information To view the complete Network Security Platform 5.1 Documentation, 1. Go to 2. Click Read Product Documentation. 3. To view sensor related information, under Product categories, select: Network Security Sensor Hardware - select the sensor model number followed by version as 5.1 Network Security Sensor Software - select the version as Similarly, to view Manager related information, under Product categories, select: Network Security Manager Software Refer the table below if you are looking for more information on Network Security Platform 5.1: Information regarding Information on the immediate previous 5.1 releases: / [/M-8000/M-6050/M-4050/ M-3050/M-2750, M-1450/ M-1250] [I-series] [N-450] Features introduced in the previous 5.1 releases Resolved/known issues in previous versions of 5.1 Sensor/Manager/Signature Set requirements Sensor requirements Where can I find? Go to > Read Product Documentation > Network Security Sensor Software / Network Security Manager Software. Look for marked with the released Sensor and Manager software versions in the title. Refer the for the corresponding version. Refer the for the corresponding version. Refer the corresponding Sensor Product Guide for the sensor model that you have purchased.

11 Network Security Platform v5.1 Page 11 Information regarding Compatibility with 3rd-Party tools Database requirements Manager system and client requirements Additional server requirements License requirements Upgrade instructions Sensor CLI commands Supported protocols list Providing a diagnostics trace for a sensor Where can I find? 4.1 to 5.1 Upgrade Guide Sensor CLI Guide Go to > Search the KnowledgeBase > KB Troubleshooting Guide