Network Security Platform 8.1


8.1.7.91-8.1.5.210 Manager-NS-series Release Notes
Network Security Platform 8.1
Revision B

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

This maintenance release of Network Security Platform provides a few fixes on the Manager and NS-series Sensor software.

| Release parameters | Version |
| --- | --- |
| Network Security Manager software version | 8.1.7.91 |
| Signature Set | 8.7.99.4 |
| NS-series Sensor software version | 8.1.5.210 |

This version of 8.1 Manager software can be used to configure and manage the following hardware:

| Hardware | Version |
| --- | --- |
| NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) | 8.1 |
| Virtual IPS Sensors (IPS-VM100 and IPS-VM600) | 8.1 |
| Virtual Security System Sensors (IPS-VM100-VSS) | 8.1 |

| Hardware | Version |
| --- | --- |
| M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) | 8.1 |
| Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) | 8.1 |
| XC Cluster Appliances (XC-240) | 8.1 |
| NTBA Appliances (T-200, T-500, T-600, T-1200) | 8.1 |
| Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) | 8.1 |

The above-mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

| Product | Version supported |
| --- | --- |
| McAfee ePO | 5.9.0, 5.3.2, 5.1.1 |
| McAfee Global Threat Intelligence | Compatible with all versions |
| McAfee Advanced Threat Defense | 3.8.0.29, 3.6.2.21 |
| McAfee Endpoint Intelligence Agent | 2.6 |
| McAfee Logon Collector | 3.0.6 |
| McAfee Vulnerability Manager | 7.5.10, 7.5.7 |
| McAfee Host Intrusion Prevention | 8.0 |

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.7.0_45, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 for such cases.

Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager Appliances.

New features

This release of Network Security Platform includes the following new features:

Integration with ePO 5.9

This release of the Manager supports integration with McAfee ePO version 5.9.

For more information, see McAfee Network Security Platform Integration Guide.

Support for the 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps interface module

This release of Network Security Platform provides support for the 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps with internal fail-open interface module.

To install the 4-port RJ-45 interface module, download and install the latest 8.1 Sensor software from the McAfee Update Server [https://menshen1.intruvert.com/]. For more information, refer to the 4-port Interface Module Quick Start Guide.

The 4-port RJ-45 interface module supports only the 1 Gbps/100 Mbps Copper Active Fail-Open Kit.

Enhancements

This release of Network Security Platform includes the following enhancement:

Migration from SHA1 to SHA256 signing algorithm

With this maintenance release, Network Security Platform announces the deprecation of SHA1 certificates to sign Sensor-Manager communication and replaces them with SHA256 certificates for this signature. This results in more secure communication between the Sensor and the Manager.

Previous Releases

In Network Security Platform 7.x and early 8.1 deployments, both the Sensor and Manager certificates use 1024-bit RSA keys and are signed with a Sha1WithRSAEncryption-based signature. The Manager ports 8501, 8502, and 8503 serve the TLS channels from the Sensor. The cipher used by the Sensor and Manager is TLS1.0-RSA-AES128-SHA1.

Starting with release 8.1.7.5-8.1.5.14, the NS-series Sensor certificate uses 2048-bit RSA keys and a Sha256WithRSAEncryption-based signature, and the Manager certificate uses 2048-bit RSA keys but retains the Sha1WithRSAEncryption-based signature. The Manager ports 8506, 8507, and 8508 serve the TLS channels from the Sensor. The cipher used by the Sensor is TLS1.2-RSA-AES128-SHA1.

Current Release

From release 8.1.7.91-8.1.5.210, the Manager supports 2048-bit RSA keys with a Sha256WithRSAEncryption-based signature. To support this new posture, this release of the Manager reuses ports 8501, 8502, and 8503, which were previously allocated to certificates using 1024-bit RSA keys. Hence, after upgrading the Manager, Sensors deployed on these ports using 1024-bit RSA keys and weaker signatures will not be supported.

NS7x00 and NS9x00 series Sensors should be running Sensor version 8.1.5.175 or above if you want to upgrade to Sensor version 8.1.5.210.

Table 3-2 captures the migration of certificates.
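A pre-upgrade check built from the rules in this section and from the IPv6 note on UDP port 4166, as an added example that is not McAfee's code. The `Sensor` record, the finding codes, the inventory and the mapping "Sensor build below 8.1.5.14 still holds the 1024-bit/SHA1 certificate" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Thresholds quoted from the release notes.
SHA256_SENSOR_CERT_FROM = (8, 1, 5, 14)  # Sensor cert: 2048-bit RSA, SHA256
STEP_VERSION = (8, 1, 5, 175)            # needed on NS7x00/NS9x00 before 8.1.5.210


@dataclass
class Sensor:
    """Hypothetical inventory record for one NS-series Sensor."""
    name: str
    model: str
    version: str
    ipv6: bool = False


def parse_version(text):
    """Turn '8.1.5.175' into (8, 1, 5, 175); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(sensor):
    """Return finding codes for one Sensor ahead of the Manager upgrade."""
    ver = parse_version(sensor.version)
    findings = []
    if ver < SHA256_SENSOR_CERT_FROM:
        # Assumption: older builds still use the 1024-bit RSA / SHA1 certificate,
        # which the upgraded Manager no longer serves on 8501-8503.
        findings.append("LEGACY_CERT_UNSUPPORTED")
    else:
        # TLS channels move from 8506-8508 back to 8501-8503, so any firewall
        # between Sensor and Manager has to allow those ports.
        findings.append("ALLOW_TCP_8501_8503")
    if sensor.model.upper().startswith(("NS7", "NS9")) and ver < STEP_VERSION:
        findings.append("STEP_TO_8.1.5.175_FIRST")
    if sensor.ipv6:
        # The Manager binds UDP source port 4166 for IPv6 SNMP command traffic.
        findings.append("ALLOW_UDP_4166")
    return findings


def audit_inventory(sensors):
    """Map each Sensor name to its list of findings."""
    return {s.name: audit(s) for s in sensors}


# Constructed inventory, not taken from any real deployment.
INVENTORY = [
    Sensor("dc-edge", "NS9100", "8.1.5.175"),
    Sensor("branch-v6", "NS7200", "8.1.5.154", ipv6=True),
    Sensor("lab-old", "NS5100", "8.1.3.9"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```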

Table 3-2 Ports used based on encryption keys, certificates, and cipher suites

| Manager Port | Channel Description | Sensor software with 2048-bit RSA keys, SHA256 certificate, and TLS1.2-RSA-AES128-SHA1 | Sensor software with 2048-bit RSA keys, SHA1 certificate, and TLS1.0-RSA-AES128-SHA1 | Sensor software with 1024-bit RSA keys, SHA1 certificate, and TLS1.0-RSA-AES128-SHA1 |
| --- | --- | --- | --- | --- |
| 8501 | Install Sensor | Applicable | Not Applicable | Applicable |
| 8502 | Alert/Event | Applicable | Not Applicable | Applicable |
| 8503 | Packet Log | Applicable | Not Applicable | Applicable |
| 8506 | Install Sensor | Not Applicable | Applicable | Not Applicable |
| 8507 | Alert/Event | Not Applicable | Applicable | Not Applicable |
| 8508 | Packet Log | Not Applicable | Applicable | Not Applicable |
| 8504 | File transfer | Proprietary (file transfer channel) | Proprietary (file transfer channel) | Proprietary (file transfer channel) |
| 8509 | File transfer | 2048-bit RSA Encryption | 2048-bit RSA Encryption | 1024-bit RSA Encryption |
| 8510 | File transfer | 2048-bit RSA Encryption | 2048-bit RSA Encryption | 1024-bit RSA Encryption |

For more information, see McAfee Network Security Platform Upgrade Guide.

Resolved issues

The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

| ID # | Issue Description |
| --- | --- |
| 1185999 | High-risk endpoints are not shown in the Manager. |
| 1183929 | Summary page of the failover peer displays two different names. |
| 1179146 | The attempt to add a username that includes an apostrophe in the Add a User page fails. |
| 1173256 | The Manager user interface fails to load in Internet Explorer version 11. |
| 1172736 | LDAP over SSL does not work after a Manager upgrade. |
| 1165342 | Quarantined hosts generate alerts in the Threat Analyzer. |
| 1164024 | Sensor performance alert causes alert channel to go down. |
| 1153987 | A difference exists between severity of detected alerts and configured severity. |
| 1150753 | The Manager incorrectly considers a Sensor to be part of a failover pair. |
| 1148771 | The Manager is vulnerable to CVE-2016-5385. |
| 1146980 | The Devices tab does not display the tab options. |
| 1146835 | When an attack is blocked using the Recommended for Smart Blocking (RfSB) feature, its attack result in the SNMP trap displays [777] instead of "Smart Blocked". |
| 1143464 | Direct link to view the Sensor status on the System Health monitor of the Dashboard page is disabled. |

| ID # | Issue Description |
| --- | --- |
| 1143395 | The "An internal application error occurred" message is displayed when trying to access the Global Threat Intelligence page. |
| 1138335 | Sensors show as disconnected in the Manager after the Manager service is restarted. |
| 1132046 | Old signature files are not getting deleted using the file pruning option. |
| 1126704 | The Manager command channel should request for TLS1.2 connection with NTBA. |
| 1125670 | SNMP trap shows incorrect port names. |

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

| ID # | Issue Description |
| --- | --- |
| 1179570 | Specific SSL attack flows are not getting detected. |
| 1177690 | The logstat mgmt command does not log the port information into a file. |
| 1177479 | Putting NS9300 Sensor into Layer 2 mode disrupts the traffic on all Trident ports. |
| 1176966 | Bidirectional Forwarding Detection (BFD) protocol is interrupted after a Sensor upgrade. |
| 1174592 | Configuration push on NS3200 fails with a split error. The failure occurs due to insufficient space. |
| 1171375 | The PDF engine does not scan files and displays an error. |
| 1171194 | The Sensor is vulnerable to NTPD vulnerability (VU#633847). |
| 1170675 | Network Security Platform forwards malformed packets to Advanced Threat Defense which results in the packets getting dropped. |
| 1170217 | Layer 7 special alerts are generated for disabled attacks in the IPS policy. |
| 1166917 | High L2 Error Drop alert is raised incorrectly in the Manager. |
| 1166491 | Unable to login to the secondary Sensor from the primary Sensor. |
| 1164047 | Filename and domain in URL path contain duplicate domain name information when submitted to Advanced Threat Defense. |
| 1166244 | [NS9300] When the Sensor is in Layer 2 and is brought out of it, the packets loop in High Availability environment. |
| 1161908 | Two newly installed Standalone Sensors display status as "Uninitialized". |
| 1161600 | The sensor-scan-during-update option is not preserved after a reboot. |
| 1161470 | Debug logs show the "Failed to send Keepalives to ATD" error. |
| 1159776 | Sensor vulnerability is reported with nessus scan. |
| 1159229 | Sensor fails to send packetlog information when the packetlog resources are not initialized. |
| 1154129 | Sensors do not collect interface throughput statistics. |
| 1153541 | The Sensor is unable to send a response to the Manager when a sample is submitted for dynamic analysis in Advanced Threat Defense. |
| 1152648 | Management process had an exception causing the Sensor to be in bad health. |
| 1152635 | exportsensorcerts command fails to export Sensor certificates. |
| 1152472 | The Sensor is vulnerable to NTPD vulnerability (VU#321640). |
| 1151379 | Interconnect port link state flaps. |
| 1150815 | events.log will not get persisted after Sensor reboot. |
| 1149107 | Port throughput utilization was wrongly calculated for ports with speed greater than 1G. |
| 1146928 | Alerts (TCP: Microsoft Windows TCP IP Driver Denial of Service) are getting generated due to incorrect packet length. |

| ID # | Issue Description |
| --- | --- |
| 1146237 | Some ports go down when the deinstall and set sharedsecretkey commands are executed. |
| 1145843 | The Sensor reboots when multiple connection attempts between the Sensor and Advanced Threat Defense appliance or NTBA appliance fail. |
| 1144821 | In certain cases, the retransmitted TCP Ack packets with stale sequence number can cause attack detection to miss. |
| 1144514 | Default IP address, 192.168.100.100, is sometimes not available after you run the factorydefaults command. |
| 1143423 | [NS7x00] LEDs are not getting activated incorrectly though the traffic is getting forwarded. |
| 1142942 | Output for show powersupply command is unreliable, so the command is removed from CLI. |
| 1142858 | [NS9300] DNS packets get duplicated multiple times when connected in a failover mode. |
| 1141450 | Sensor cannot quarantine the IPs that incorrectly match the ones on Trusted IP list. |
| 1140973 | [NS5x00, NS 7x00] Serial numbers for copper SFPs are not working when show coppersfpserialnumbers is executed. |
| 1140389 | Sensor cannot quarantine the IPs that incorrectly match the ones on Trusted IP list. |
| 1139962 | ICMP Nachi Attack is incorrectly raised. |
| 1139745 | [NS9300 HA] UDLD packets get duplicated and sent on the incorrect interface causing the peer device to disable the UDLD enabled port. |
| 1139476 | The Sensor incorrectly raises the 'Pluggable interface absent Port' fault to the Manager even when XFP/SFP is present. |
| 1139454 | Sensor generates a false positive alert for the "IGMP: Fragmented IGMP Packet Attack" alert. |
| 1138571 | Connection Count of TCP/UDP on Next Generation report always shows "0". |
| 1138004 | With Layer3 off, the ARP packets were being sent by the Sensor with an additional header causing the peer device to drop them. |
| 1137501 | The Sensor is vulnerable to NTPD vulnerability (VU#718152). |
| 1137363 | Authentication channel does not come up when you transition from MDR to standalone and when the secondary Manager which is in standby mode becomes the controlling (Active) Manager. |
| 1136618 | ISAKMP traffic is not dropped by the Sensor Firewall policy when it is configured to drop such packets. |
| 1135590 | In scenarios where the configuration changes are significantly larger than the previous configuration between Sensor diagnostic trace uploads, the Sensor may reboot. |
| 1135169 | The Sensor is vulnerable to OpenSSL vulnerabilities (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176). |
| 1134703 | [NS7x00, NS 5x00, NS 3x00] Links are flapping randomly because of incorrect internal ports timeout configuration. |
| 1134418 | In rare scenarios, when SSL decryption is enabled, internal resources of Sensor are exhausted, and the Sensor becomes unresponsive or reboots. |
| 1133656 | Block unsupported SSL/TLS connections. |
| 1131958 | Sensor will remain "in progress" if it is disconnected from the Manager during a configuration update. |
| 1126938 | [NS7100, NS7300] Packet capture fails in Sensors. |
| 1126547 | In certain scenarios during the processing of packets with permit flow violation, the Sensor fails to detect out of order packets. |
| 1122077 | The Sensor is vulnerable to CVE-2015-3197 OpenSSL vulnerability. |
| 1119829 | User role based firewall rule is not working because of incorrect translation within the Sensor when attempting a match. |

| ID # | Issue Description |
| --- | --- |
| 1112291 | [NS3x00] Malware attack detection not working. |
| 1090900 | Attack time in syslog is reported in 12 hour format without the AM/PM notation. |
| 1053967 | Under a certain rare condition, the Sensor may reboot due to hardware watchdog expiration. |
| 1051747 | The Sensor does not send traffic as a measure of bytes. |

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements:

Operating system, minimum required. Any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)

Only x64 architecture is supported.

Operating system, recommended: Same as the minimum required.

| Component | Minimum required | Recommended |
| --- | --- | --- |
| Memory | 8 GB | 8 GB or more |
| CPU | Server model processor such as Intel Xeon | Same |
| Disk space | 100 GB | 300 GB or more |
| Network | 100 Mbps card | 1000 Mbps card |
| Monitor | 32-bit color, 1440 x 900 display setting | 1440 x 900 (or above) |

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system, minimum. Any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter (Server with a GUI)

Only X64 architecture is supported.

Operating system, recommended: Same as minimum required.

| Component | Minimum | Recommended |
| --- | --- | --- |
| Memory | 8 GB | 8 GB or more |
| Virtual CPUs | 2 | 2 or more |
| Disk Space | 100 GB | 300 GB or more |

Table 5-2 VMware ESX server requirements

| Component | Minimum |
| --- | --- |
| Virtualization software | ESXi 5.0; ESXi 5.1; ESXi 5.5 Update 3; ESXi 6.0 Update 1 |
| CPU | Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz |
| Memory | Physical Memory: 16 GB |
| Internal Disks | 1 TB |

The following table lists the 8.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system, minimum:
- Windows 7 English or Japanese
- Windows 8 English or Japanese
- Windows 8.1 English or Japanese
- Windows 10 English or Japanese

The display language of the Manager client must be the same as that of the Manager server operating system.

| Component | Minimum | Recommended |
| --- | --- | --- |
| RAM | 2 GB | 4 GB |
| CPU | 1.5 GHz processor | 1.5 GHz or faster |
| Browser | Internet Explorer 9, 10 or 11; Mozilla Firefox | Internet Explorer 11; Mozilla Firefox 41.0.2 or above |

Google Chrome is not supported since the NPAPI plug-in is disabled by default and will not be supported by Google going forward. This means that Java applet support is also disabled by default.

In Mozilla Firefox version 52 and above the NPAPI plug-in is disabled and will not be supported by Mozilla going forward. This means that pages that use Java in the Manager will not render properly on Mozilla Firefox version 52 and above.

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

| Mac operating system | Browser |
| --- | --- |
| Lion; Mountain Lion | Safari 6 or 7 |

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release:

| Component | Minimum Software Version |
| --- | --- |
| Manager/Central Manager software | 8.1: 8.1.7.33, 8.1.7.52 (only for NS5x00), 8.1.7.73 (only for NS3x00), 8.1.7.82 |
| NS-series Sensor software | NS9x00, NS7x00 8.1: 8.1.5.175; NS5x00 8.1: 8.1.5.154, 8.1.5.175; NS3x00 8.1: 8.1.5.170, 8.1.5.175 |

Known issues

For a list of known issues in this product release, see these McAfee KnowledgeBase articles:
- Manager software issues: KB81373
- NS-series Sensor software issues: KB82173

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

8.1 product documentation list

The following software guides are available for Network Security Platform 8.1 release:
- Quick Tour
- Custom Attacks Definition Guide
- Installation Guide
- XC Cluster Administration Guide
- Upgrade Guide
- Integration Guide
- Manager Administration Guide
- NTBA Administration Guide
- Manager API Reference Guide
- Best Practices Guide
- CLI Guide
- Troubleshooting Guide
- IPS Administration Guide

Copyright 2017 McAfee, LLC McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.