McAfee SIEM Port Usage by Appliance

Transcription

1 McAfee SIEM Port Usage by Appliance Application Direction Port(s) Protocol Destination / Description ETM Enterprise Security Manager Active Directory out 389, 3268 tcp Active Directory. Port 3268 is used for LDAP. Backup In/out 445,111,2049 tcp/udp EDB Backup and Restore CIFS use 445; NFS uses 111 and 2049 out tcp Port used to communicate to ensure compliance HTTP out 80 tcp/udp Rules Server - HTTPS in/out tcp/udp Client login & OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management iscsi out 860, 3260 tcp To communicate with iscsi storage. RADIUS in/out 1812 tcp/udp Radius SMTP out 25 tcp/udp Alerts and Reports in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp All McAfee appliances and to access command line. WHOIS out 43 tcp/udp Whois lookups. ERC - Event Receiver out tcp Port used to communicate to ensure compliance HTTPS out tcp/udp Callhome OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp To/From ESM, ELM and to access command line. ELM Enterprise Log Manager Data Archival in/out 445,111,2049 tcp/udp Data storage destination CIFS use 445; NFS uses 111 and 2049; out tcp Port used to communicate to ensure compliance HTTPS out tcp/udp Callhome OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management iscsi out 860, 3260 tcp To communicate with iscsi storage. in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp To/From ESM, Receiver and to access command line. sftp in/out 23 tcp/udp Allow sftp client to access raw log files. ADM Application Data Monitor out tcp Port used to communicate to ensure compliance HTTPS out tcp/udp Callhome OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp To/From ESM and to access command line.

2 ACE Advance Correlation Engine out tcp Port used to communicate to ensure compliance HTTPS out tcp/udp Callhome OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp To/From ESM and to access command line. DEM Database Event Monitor for SIEM out tcp Port used to communicate to ensure compliance HTTPS out tcp/udp Callhome OpenVPN client IP varies. Currently 9.1.x uses In udp For Remote management in/out tcp/udp Traps received from McAfee appliances or sent to Trap collector in/out tcp/udp To/From Nitro ESM, Administrative

3 Below are the ports that data sources defined to a Event Receiver would typically use. This may be an incomplete list depending on new data sources that were added after the publication of this document. Data Sources Description Port Protocol Cisco Mars 993 tcp Cisco ASA NSEL User configurable. tcp Cisco RDEP. User configurable. Tcp estreamer 8302 tcp Flat File 21,,80,445,111,2049 CIFS uses 445; NFS uses 111 and 2049; SCP & SFTP use ; HTTP uses 80; FTP uses 21 tcp IBMTivoli ID Mgr (sql pull). User configurable. tcp IPFIX 4739 udp/tcp itron 21 tcp McAfee Event Agent User configurable. tcp/udp McAfee NSM User configurable. tcp mssql pull User configurable. Various data source use this. tcp/udp mysql User configurable. tcp/udp netflow 2055, User configurable. udp McAfee NSM 3306 (sql pull). User configurable. tcp McAfee 8. User configurable. tcp OPSEC User configurable. tcp Oracle 1521 tcp Postgres DB 5432 tcp SDEE tcp/udp SilverSpring 21 tcp Sophos 1127 tcp syslog 514 tcp/udp Vmware vcenter tcp WMI 135,139, Windows 2000 will use 139 & W2K3 and above will us 139. W2K3 and below will use dynamic port range W2K8 and above will use dynamic port range tcp/udp

4 Vulnerability Assessment udp SQL 205,1433 tcp/udp HTTPS tcp/udp SCP tcp/udp FTP 20,21 tcp/udp NFS 2049, 3780 tcp/udp For outbound Actions (NOTE: The ports listed here are the defaults and can be changes in the ESM GUI) epo 8 tcp NVM 3800 tcp NSM tcp

5 ETM to External Sources Active Directory Backup Rules & GTI RADIUS SMTP WHOIS ACE Correlation Appliance Rules and Risk Engines Original Events flow from ESM CE Events flow to ESM ACE 389, ,111, Rules & GTI connect to Call home connects to ACE to External Sources GUI via HTTPS 80 & ETM ETM Stores parsed event s in EDB Hosts GUI Central point for all administration - - DEM Passively Monitors DB Traffic DEM DEM to External Sources SPAN Access to see DB Events Span Port Event Receiver Parses Events Normalizes Events Aggregates Events Parsed to ETM Raw to ELM - - Event Receiver - ADM Passively Monitors Application Traffic Inspects Layer 3 & layer 7 ADM ERC to External Sources ELM Stores Raw Events Full Text Indexing User definable storage User definable Compression ELM ERC to VA Sources FTP NFS SQL SCP Updated and as of v9.4 ADM to External Sources 20, , , 1433 SPAN Access to see Events ERC to Data Sources See Page 3 of this document for a complete list. ELM to External Sources Data Archival iscsi sftp 445,111, , Span Port