User Guide McAfee ePolicy Orchestrator 5.3.0 Software

COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee ePolicy Orchestrator 5.3.0 Software User Guide

Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation
1 Introduction to FIPS
  FIPS basics
  FIPS mode
  The cryptographic boundary
2 Installing and upgrading McAfee ePO in FIPS mode
  Installing McAfee ePO in FIPS mode
  Upgrade from an earlier FIPS-compliant McAfee ePO server
  Restoring McAfee ePO server in FIPS mode
  Verify that your McAfee ePO server is in FIPS mode
A McAfee ePO operating modes


Preface

This document provides information you need to install and maintain McAfee ePolicy Orchestrator (McAfee ePO) in FIPS mode.

Contents
- About this guide
- Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

- Administrators: People who implement and enforce the company's security program.
- Security officers: People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis | Title of a book, chapter, or topic; a new term; emphasis.
Bold | Text that is strongly emphasized.
User input, code, message | Commands and other text that the user types; a code sample; a displayed message.
Interface text | Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue | A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

1 Introduction to FIPS

McAfee ePolicy Orchestrator (McAfee ePO) provides an operating mode with a higher level of security for environments that require it. This mode (FIPS mode) follows security guidelines detailed in section 140 of the Federal Information Processing Standard (FIPS).

Contents
- FIPS basics
- FIPS mode
- The cryptographic boundary

FIPS basics

The United States Government developed the Federal Information Processing Standards (FIPS) to define procedures, architecture, algorithms, and other techniques used in computer systems. FIPS 140-2 is a government standard for encryption and cryptographic modules where each individual encryption component in the overall solution requires an independent certification.

Federal Information Processing Standard 140-2 specifies requirements for hardware and software products that implement cryptographic functionality. FIPS 140-2 is applicable to "all Federal agencies that use cryptographic-based security systems to protect sensitive [but unclassified] information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106."

The "-2" in FIPS 140-2 denotes the revision of the standard. The full FIPS text is available online from the National Institute of Standards and Technology (NIST).

FIPS 140-2 cryptographic modules and certification

McAfee leverages these RSA cryptographic modules to meet the requirements for FIPS compliance.

Table 1-1 Validated FIPS 140-2 cryptographic modules used by McAfee ePO

Cryptographic module | Certificate number | Link
RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.0.1 | 2056 | http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#2056
RSA BSAFE Crypto-J JSAFE and JCE (JCM) 6.1 | 2057 | http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#2057
OpenSSL FIPS Object Module 1.2.3 (used only for TLS communication between McAfee ePO and the McAfee Agent) | 1051 | http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2008.htm#1051

FIPS mode

A McAfee ePO server running in FIPS mode is FIPS-compliant. The decision to run the McAfee ePO server in FIPS mode is made at installation and can't be changed. In FIPS mode, McAfee ePO:

- Places extra constraints on the types of security methods allowed
- Performs extra tests on startup
- Allows connections only from FIPS-compliant versions of the McAfee Agent

Reasons to use McAfee ePO in FIPS mode

Your organization might need to use McAfee ePO in FIPS mode if you fall into one of these categories:

- You are a US Government organization required to operate FIPS 140-2 compliant cryptographic modules per FISMA or other Federal, State, or local regulations.
- Your organization requires the use of standardized and independently evaluated cryptographic modules per company policy.

Reasons to not install McAfee ePO in FIPS mode

Don't use McAfee ePO in FIPS mode if you fall into one of these categories:

- You integrate with legacy systems or products that do not support McAfee ePO in FIPS mode.
- Your organizational policies allow you to choose which products or cryptographic modules to operate in FIPS mode. For example, an organization might elect not to operate McAfee ePO in FIPS mode, and only operate McAfee Drive Encryption on mobile computers in FIPS mode.

The cryptographic boundary

FIPS compliance requires a physical or logical separation between the interfaces by which critical security parameters enter and leave the cryptographic module and all other interfaces. McAfee ePO creates this separation by creating a boundary around the cryptographic module. An approved set of interfaces is used to access the modules inside the boundary. No other mechanism to access these modules is allowed or provided when in FIPS mode.

Modules within the boundary perform these processes:

- FIPS-validated security methods performing cryptography, hashing, and related services running within McAfee ePO
- Startup and verification testing required by FIPS
- Extension and executable signature verification
- TLS connection management
- Cryptographic API wrapping utilities

Some older versions of McAfee products use non-FIPS-compliant ways to access McAfee ePO cryptography and hashing services. Because these products violate the cryptographic boundary, they cannot be used in FIPS mode. Check new versions of McAfee products for further information on FIPS compliance as they are released.

2 Installing and upgrading McAfee ePO in FIPS mode

Follow these instructions to install McAfee ePO in FIPS mode, or to upgrade an existing FIPS mode installation.

There is no supported way to migrate a McAfee ePO server out of FIPS mode. This can only be done with a complete McAfee ePO uninstall and reinstall. Because this process deletes the data in your databases, make sure that your environment requires FIPS mode before proceeding.

Contents
- Installing McAfee ePO in FIPS mode
- Upgrade from an earlier FIPS-compliant McAfee ePO server
- Restoring McAfee ePO server in FIPS mode
- Verify that your McAfee ePO server is in FIPS mode

Installing McAfee ePO in FIPS mode

Installing McAfee ePO in FIPS mode follows the same basic procedure as outlined in the installation guide. However, FIPS mode installation requires that you run the Setup.exe installer from the command line, adding a command-line option.

Task
1 In a command window, change directories to the folder containing the McAfee ePO installer.
2 Invoke the installer with the command setup.exe ENABLEFIPSMODE=1.
3 Continue with the installation using the instructions in the McAfee ePolicy Orchestrator Installation Guide.

Do not change the default setting for the agent-server secure communication (ASSC) port. Leave it set as enabled on port 443. In FIPS mode, the agents communicate with the McAfee ePO server using this ASSC secure port.

Upgrade from an earlier FIPS-compliant McAfee ePO server

Upgrading McAfee ePO with FIPS mode enabled follows the same basic procedure as outlined in the McAfee ePolicy Orchestrator Installation Guide. However, FIPS mode upgrades require you to run the Setup.exe installer from the command line, adding a command-line option.

Before you begin
If your existing McAfee ePO server isn't running in FIPS mode, perform a complete reinstallation to change to FIPS mode. When you install McAfee ePO in FIPS mode, you can't restore a McAfee ePO database from a previous non-FIPS McAfee ePO server.

Task
1 In a command window, change directories to the folder containing the new McAfee ePO installer.
2 Invoke the installer with the command setup.exe ENABLEFIPSMODE=1.
3 Continue with the installation using the instructions in the McAfee ePolicy Orchestrator Installation Guide.

Restoring McAfee ePO server in FIPS mode

You can restore a McAfee ePO server in FIPS mode only if the server was previously running in FIPS mode.

You can't restore a McAfee ePO server that wasn't in FIPS mode as a FIPS mode McAfee ePO server. The McAfee ePO software and database must be re-installed as a new instance of McAfee ePO. The complete McAfee ePO reinstallation is required because all existing signed and encrypted content was signed with non-FIPS mode keys. Also, the database contains content encrypted with non-FIPS mode keys and can't be decrypted with the FIPS mode keys.

Verify that your McAfee ePO server is in FIPS mode

View the server.ini file to make sure that your McAfee ePO server is running in FIPS mode.

Task
1 Use a text editor to open the server.ini file. The server.ini file is located in your McAfee ePO installation directory: <epoinstalldirectory>\db\server.ini.
2 Look for the FipsMode value. This value indicates the server operating mode:
  - FipsMode=0: The server is in Mixed (normal) mode. Repeat the installation or upgrade process to put your server in FIPS mode.
  - FipsMode=1: The server is in FIPS mode.
  - FipsMode=2: The server is in Transition mode. After your agent-server communication security keys are updated, the server runs in FIPS mode.

A McAfee ePO operating modes

Depending on your environment and installation choices, McAfee ePO operates in one of three modes: FIPS, Transition, or Mixed. The mode that a McAfee ePO server runs in is determined during installation or upgrade and can't be changed.

FIPS mode

A McAfee ePO server runs in FIPS mode after a clean installation with FIPS mode enabled. In FIPS mode, McAfee ePO:

- Places extra constraints on the types of security methods allowed
- Performs additional tests on startup
- Allows connections only from a FIPS-compliant version of the McAfee Agent

Transition mode

After upgrading from a previous version of McAfee ePO software that uses an external FIPS-validated cryptographic module (for example, McAfee ePO 4.5.7), the software runs in Transition mode. McAfee ePO continues running in Transition mode until all previous agent-server communication key material has been replaced. After this material has been replaced, the software runs in FIPS mode.

In Transition mode, McAfee ePO generates only 3,072-bit SHA-256 certificates and 2,048-bit SHA-256 agent-server communication keys. McAfee Agent versions earlier than 4.6.0 and existing McAfee products that were connecting to the McAfee ePO server before the upgrade continue to function. New McAfee Agent products that understand the larger key sizes use the larger, more secure FIPS-compliant certificate keys. After all deprecated keys are removed from the database, the McAfee ePO server runs in FIPS mode. However, existing SSL certificates continue to be lower strength than the certificates included in the most recent FIPS recommendations.

In Transition mode, McAfee ePO still follows the constraints and tests listed for FIPS mode, but relaxes the version restrictions on agents and managed products.

Mixed mode

This mode is a standard McAfee ePO installation not running in FIPS mode. In Mixed mode, McAfee ePO does not follow the constraints and tests described for FIPS mode, and is not compliant with FIPS levels of security. Your managed systems are still secure, but the certificates and Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are different.
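The following script is an added example, not McAfee code and not part of this guide. It automates the two checks the guide describes by hand: reading the FipsMode value from server.ini (the "Verify that your McAfee ePO server is in FIPS mode" task) and comparing key or certificate strengths against the minimums the guide states for Transition mode (3,072-bit SHA-256 certificates, 2,048-bit SHA-256 agent-server communication keys). It assumes only that server.ini contains a FipsMode=<0|1|2> line under <epoinstalldirectory>\db; the sample file text, the inventory entries, the helper names and the "cert"/"assc" kind labels are constructed for this example.

```python
"""Report the operating mode an ePO server records in server.ini, and check
key and certificate strengths against the Transition-mode minimums.

Added example (not McAfee code). Assumes only what the guide states:
<epoinstalldirectory>\\db\\server.ini holds a line FipsMode=<0|1|2>, and
Transition mode generates 3,072-bit SHA-256 certificates and 2,048-bit
SHA-256 agent-server communication (ASSC) keys. The sample text, inventory
and helper names are constructed for this example.
"""
import re
import sys
from pathlib import Path
from typing import NamedTuple, Optional

# FipsMode values as documented under "Verify that your McAfee ePO server is in FIPS mode"
FIPS_MODES = {
    0: ("Mixed", "Not FIPS-compliant. Repeat the install or upgrade with ENABLEFIPSMODE=1."),
    1: ("FIPS", "FIPS mode."),
    2: ("Transition", "FIPS constraints apply; becomes FIPS mode once all pre-upgrade "
                      "agent-server communication keys have been replaced."),
}

# Strengths the guide says ePO generates in Transition mode
MIN_CERT_BITS = 3072
MIN_ASSC_KEY_BITS = 2048
REQUIRED_DIGEST = "sha256"

# Match the key anywhere in the file; the guide does not say which section holds it.
_FIPS_LINE = re.compile(r"^\s*FipsMode\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


class ModeReport(NamedTuple):
    code: Optional[int]   # raw FipsMode value, None if the line is absent
    name: str             # Mixed / FIPS / Transition / Unknown
    advice: str


def parse_fips_mode(ini_text: str) -> ModeReport:
    """Locate the FipsMode line in server.ini text and classify it."""
    match = _FIPS_LINE.search(ini_text)
    if match is None:
        return ModeReport(None, "Unknown",
                          "No FipsMode line found; confirm this is the ePO server.ini.")
    code = int(match.group(1))
    if code not in FIPS_MODES:
        return ModeReport(code, "Unknown", f"Unrecognised FipsMode value {code}.")
    name, advice = FIPS_MODES[code]
    return ModeReport(code, name, advice)


def read_server_ini(epo_install_dir: str) -> ModeReport:
    """Read <epoinstalldirectory>\\db\\server.ini on a real server (not used by the sample)."""
    path = Path(epo_install_dir) / "db" / "server.ini"
    return parse_fips_mode(path.read_text(encoding="utf-8", errors="replace"))


def key_meets_transition_minimum(kind: str, bits: int, digest: str) -> bool:
    """True if a 'cert' or 'assc' key is at least as strong as Transition mode generates."""
    minimums = {"cert": MIN_CERT_BITS, "assc": MIN_ASSC_KEY_BITS}
    if kind not in minimums:
        raise ValueError(f"unknown key kind {kind!r}; expected 'cert' or 'assc'")
    normalised = digest.lower().replace("-", "")   # accept "SHA-256" and "sha256"
    return bits >= minimums[kind] and normalised == REQUIRED_DIGEST


# Constructed sample; a real server.ini holds many other settings.
SAMPLE_SERVER_INI = "; constructed sample, not a real server.ini\nFipsMode=2\n"


def main() -> int:
    report = parse_fips_mode(SAMPLE_SERVER_INI)
    print(f"FipsMode={report.code}: {report.name} mode. {report.advice}")
    # Constructed inventory of (kind, bits, digest) an administrator might review
    for kind, bits, digest in [("cert", 3072, "SHA-256"), ("cert", 2048, "SHA-1"),
                               ("assc", 2048, "SHA-256"), ("assc", 1024, "SHA-1")]:
        ok = key_meets_transition_minimum(kind, bits, digest)
        print(f"  {kind:4s} {bits:>4d}-bit {digest}: "
              f"{'ok' if ok else 'below Transition-mode minimum'}")
    return 0 if report.code == 1 else 1   # non-zero exit unless fully in FIPS mode


if __name__ == "__main__":
    sys.exit(main())
```

On a real server, call read_server_ini with the ePO installation directory instead of the sample text; the non-zero exit status for Mixed or Transition mode makes the check easy to wire into a scheduled compliance job.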


