Network Security Platform 8.1


FIPS Release Notes
Network Security Platform 8.1
Revision A

Contents

- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

McAfee recommends the following FIPS-enabled software combination for use with this release of NS-series Sensor software:

| Release parameters | Version |
|---|---|
| Network Security Manager software version | 8.1.19.18 |
| Signature Set | 8.7.99.4 |
| NS-series Sensor software version | 8.1.17.30 |

New features

This release of Network Security Platform includes the following new features:

Integration with ePO 5.9

This release of the Manager supports integration with McAfee ePO version 5.9. For more information, see McAfee Network Security Platform Integration Guide.

Support for the 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps interface module

This release of Network Security Platform provides support for the 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps with internal fail-open interface module. To install the 4-port RJ-45 interface module, download and install the latest 8.1 Sensor software from the McAfee Update Server [https://menshen1.intruvert.com/]. For more information, refer to the 4-port Interface Module Quick Start Guide.

The 4-port RJ-45 interface module supports only the 1 Gbps/100 Mbps Copper Active Fail-Open Kit.

Enhancements

This release of Network Security Platform includes the following enhancement:

Migration from SHA1 to SHA256

With this maintenance release, Network Security Platform announces the deprecation of SHA1 Manager certificates in Sensor-Manager communication and replaces them with SHA256-signed Manager certificates. The Sensor certificates retain SHA256-based signatures.

All new Manager installations support Sensor certificates with only SHA256-based signatures. However, if you are upgrading the Manager, the Sensor certificates support both SHA1 and SHA256-based signatures.

Previous Releases

In Network Security Platform 7.x and early 8.1 deployments, both the Sensor and Manager certificates use 1024-bit RSA keys and are signed with a Sha1WithRSAEncryption-based signature. The Manager ports 8501, 8502, and 8503 serve the TLS channels from the Sensor. The cipher used by the Sensor and Manager is TLS1.0-RSA-AES128-SHA1.

Starting with the 8.1.7.5-8.1.5.14 non-FIPS version, the NS-series Sensor certificate uses 2048-bit RSA keys and a Sha256WithRSAEncryption-based signature, and the Manager certificate uses 2048-bit RSA keys but retains the Sha1WithRSAEncryption-based signature. The Manager ports 8506, 8507, and 8508 serve the TLS channels from the Sensor. The cipher used by the Sensor is TLS1.2-RSA-AES128-SHA1.

Current Release

From the 8.1.19.18-8.1.17.30 FIPS version, the Manager supports 2048-bit RSA keys with a Sha256WithRSAEncryption-based signature. This release of the Manager reuses ports 8501, 8502, and 8503, which were previously allocated to certificates using 1024-bit RSA keys, to support this new posture. Hence, after upgrading the Manager, Sensors deployed on these ports that use 1024-bit RSA keys and weaker signatures are not supported.

However, if SSL decryption is enabled, the Sensor will not switch to the Manager ports 8501, 8502, and 8503. This happens because SSL server certificates imported into the Sensor need to be re-generated within the Manager. Therefore, you are expected to disable SSL decryption as a prerequisite.
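The three certificate postures described above can be told apart from the text form of a certificate. The following is an added example, not part of the McAfee release notes: it classifies `openssl x509 -noout -text` output against the 2048-bit RSA, SHA256 posture expected on Manager ports 8501, 8502, and 8503. The function names, the Manager host argument, and the three sample inputs (constructed and trimmed to the two relevant lines) are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate against the posture this release
# expects on Manager ports 8501-8503 (RSA key of 2048 bits or more, signed
# with sha256WithRSAEncryption).
# Input on stdin: the text printed by `openssl x509 -noout -text`.
cert_posture() {
    text=$(cat)
    # The first "Signature Algorithm" line is the one inside the signed data.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$sig" ] || [ -z "$bits" ]; then
        echo "unparsed"
        return 2
    fi
    verdict=ok
    [ "$sig" = "sha256WithRSAEncryption" ] || verdict=weak
    [ "$bits" -ge 2048 ] || verdict=weak
    echo "$verdict sig=$sig bits=$bits"
    [ "$verdict" = ok ]
}

# Live check of one Manager port. $1 is the Manager host (an assumption,
# supply your own), $2 is the port, for example 8501.
check_manager_port() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -text | cert_posture
}

# Constructed samples, one per posture in the text above.
# Current release: 2048-bit key, SHA256 signature.
SAMPLE_UPGRADED='        Signature Algorithm: sha256WithRSAEncryption
                Public-Key: (2048 bit)'
# Manager certificate from 8.1.7.5-8.1.5.14: 2048-bit key, SHA1 signature.
SAMPLE_INTERIM='        Signature Algorithm: sha1WithRSAEncryption
                RSA Public-Key: (2048 bit)'
# 7.x and early 8.1: 1024-bit key, SHA1 signature.
SAMPLE_LEGACY='        Signature Algorithm: sha1WithRSAEncryption
                RSA Public-Key: (1024 bit)'

for sample in "$SAMPLE_UPGRADED" "$SAMPLE_INTERIM" "$SAMPLE_LEGACY"; do
    printf '%s\n' "$sample" | cert_posture || true
done
```

`cert_posture` exits non-zero for a weak or unparsed certificate, so `check_manager_port` can gate a post-upgrade check for each of the three ports.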

Perform the following steps to restore normal operation:

1. Prior to a Sensor upgrade, either uninstall and then re-install the Sensor (this restores the Sensor to default settings, in which SSL decryption is disabled), or disable SSL decryption in the Manager.
2. Delete SSL server certificates for this Sensor from the Manager database.
3. Upgrade the Sensor software to switch to the Manager ports 8501, 8502, and 8503.
4. Re-enable the SSL decryption feature in the Manager for this Sensor.

Generate .p12 Certificates

To generate .p12 certificates, use the following OpenSSL command:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <cert1.crt> -inkey <key1.key> -out <nsat1.p12>

NS7x00 and NS9x00 series Sensors should be running Sensor version 8.1.5.175 or above if you want to upgrade to Sensor version 8.1.17.30.

The following table captures the migration of certificates.

Table 3-2 Ports used based on encryption keys, certificates, and cipher suites

| Manager Port | Channel Description | Sensor software with 2048-bit RSA keys, SHA256 certificate, and TLS1.2-RSA-AES128-SHA1 | Sensor software with 2048-bit RSA keys, SHA1 certificate, and TLS1.0-RSA-AES128-SHA1 | Sensor software with 1024-bit RSA keys, SHA1 certificate, and TLS1.0-RSA-AES128-SHA1 |
|---|---|---|---|---|
| 8501 | Install Sensor | Applicable | Not Applicable | Applicable |
| 8502 | Alert/Event | Applicable | Not Applicable | Applicable |
| 8503 | Packet Log | Applicable | Not Applicable | Applicable |
| 8506 | Install Sensor | Not Applicable | Applicable | Not Applicable |
| 8507 | Alert/Event | Not Applicable | Applicable | Not Applicable |
| 8508 | Packet Log | Not Applicable | Applicable | Not Applicable |
| 8504 | File transfer | Proprietary (file transfer channel) | Proprietary (file transfer channel) | Proprietary (file transfer channel) |
| 8509 | File transfer | 2048-bit RSA Encryption | 2048-bit RSA Encryption | 1024-bit RSA Encryption |
| 8510 | File transfer | 2048-bit RSA Encryption | 2048-bit RSA Encryption | 1024-bit RSA Encryption |

For more information, see McAfee Network Security Platform Upgrade Guide.

NTBA Appliance

After an upgrade, trust between the NTBA Appliance and the Manager is lost due to the migration to SHA256 certificates. To re-establish trust between the NTBA Appliance and the Manager, you need to remove the appliance from the Manager by running the deinstall command. After removing trust, run the set sensor sharedsecretkey command to re-establish trust with the Manager using SHA256 certificates on ports 8501, 8502, and 8503.

If your deployment had an integration with EIA, after re-establishing the trust you will need to once again integrate NTBA with EIA.

Resolved issues

The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

| ID # | Issue Description |
|---|---|
| 1185999 | High-risk endpoints are not shown in the Manager. |
| 1183929 | Summary page of the failover peer displays two different names. |
| 1179146 | The attempt to add a username that includes an apostrophe in the Add a User page fails. |
| 1173256 | The Manager user interface fails to load in Internet Explorer version 11. |
| 1172736 | LDAP over SSL does not work after a Manager upgrade. |
| 1165342 | Quarantined hosts generate alerts in the Threat Analyzer. |
| 1164024 | Sensor performance alert causes alert channel to go down. |
| 1153987 | A difference exists between severity of detected alerts and configured severity. |
| 1150753 | The Manager incorrectly considers a Sensor to be part of a failover pair. |
| 1148771 | The Manager is vulnerable to CVE-2016-5385. |
| 1146980 | The Devices tab does not display the tab options. |
| 1146835 | When an attack is blocked using the Recommended for Smart Blocking (RfSB) feature, its attack result in the SNMP trap displays [777] instead of "Smart Blocked". |
| 1143464 | Direct link to view the Sensor status on the System Health monitor of the Dashboard page is disabled. |
| 1143395 | The "An internal application error occurred" message is displayed when trying to access the Global Threat Intelligence page. |
| 1138335 | Sensors show as disconnected in the Manager after the Manager service is restarted. |
| 1132046 | Old signature files are not getting deleted using the file pruning option. |
| 1126704 | The Manager command channel should request for TLS1.2 connection with NTBA. |
| 1125670 | SNMP trap shows incorrect port names. |

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

| ID # | Issue Description |
|---|---|
| 1179570 | Specific SSL attack flows are not getting detected. |
| 1177690 | The logstat mgmt command does not log the port information into a file. |
| 1177479 | Putting NS9300 Sensor into Layer 2 mode disrupts the traffic on all Trident ports. |
| 1176966 | Bidirectional Forwarding Detection (BFD) protocol is interrupted after a Sensor upgrade. |
| 1174592 | Configuration push on NS3200 fails with a split error. The failure occurs due to insufficient space. |
| 1171375 | The PDF engine does not scan files and displays an error. |
| 1171194 | The Sensor is vulnerable to NTPD vulnerability (VU#633847). |
| 1170675 | Network Security Platform forwards malformed packets to Advanced Threat Defense which results in the packets getting dropped. |
| 1170217 | Layer 7 special alerts are generated for disabled attacks in the IPS policy. |
| 1166917 | High L2 Error Drop alert is raised incorrectly in the Manager. |
| 1166491 | Unable to login to the secondary Sensor from the primary Sensor. |
| 1164047 | Filename and domain in URL path contain duplicate domain name information when submitted to Advanced Threat Defense. |
| 1166244 | [NS9300] When the Sensor is in Layer 2 and is brought out of it, the packets loop in High Availability environment. |
| 1161908 | Two newly installed Standalone Sensors display status as "Uninitialized". |
| 1161600 | The sensor-scan-during-update option is not preserved after a reboot. |
| 1161470 | Debug logs show the "Failed to send Keepalives to ATD" error. |
| 1159776 | Sensor vulnerability is reported with Nessus scan. |
| 1159229 | Sensor fails to send packetlog information when the packetlog resources are not initialized. |
| 1154129 | Sensors do not collect interface throughput statistics. |
| 1153541 | The Sensor is unable to send a response to the Manager when a sample is submitted for dynamic analysis in Advanced Threat Defense. |
| 1152648 | Management process had an exception causing the Sensor to be in bad health. |
| 1152635 | exportsensorcerts command fails to export Sensor certificates. |
| 1152472 | The Sensor is vulnerable to NTPD vulnerability (VU#321640). |
| 1151379 | [NS9x00] Interconnect port link state flaps. |
| 1150815 | events.log will not get persisted after Sensor reboot. |
| 1149107 | Port throughput utilization was wrongly calculated for ports with speed greater than 1G. |
| 1146928 | Alerts (TCP: Microsoft Windows TCP IP Driver Denial of Service) are getting generated due to incorrect packet length. |
| 1146237 | Some ports go down when the deinstall and set sharedsecretkey commands are executed. |
| 1145843 | The Sensor reboots when multiple connection attempts between the Sensor and Advanced Threat Defense appliance or NTBA appliance fail. |
| 1144821 | In certain cases, the retransmitted TCP Ack packets with stale sequence number can cause attack detection to miss. |
| 1144514 | Default IP address, 192.168.100.100, is sometimes not available after you run the factorydefaults command. |
| 1143423 | [NS7x00] LEDs are not getting activated incorrectly though the traffic is getting forwarded. |
| 1142942 | Output for show powersupply command is unreliable, so the command is removed from CLI. |
| 1142858 | [NS9300] DNS packets get duplicated multiple times when connected in a failover mode. |
| 1141450 | Sensor cannot quarantine the IPs that incorrectly match the ones on Trusted IP list. |
| 1140973 | [NS5x00, NS7x00] Serial numbers for copper SFPs are not working when show coppersfpserialnumbers is executed. |
| 1140389 | Sensor cannot quarantine the IPs that incorrectly match the ones on Trusted IP list. |
| 1139962 | ICMP Nachi Attack is incorrectly raised. |
| 1139745 | [NS9300 HA] UDLD packets get duplicated and sent on the incorrect interface causing the peer device to disable the UDLD enabled port. |
| 1139476 | The Sensor incorrectly raises the 'Pluggable interface absent Port' fault to the Manager even when XFP/SFP is present. |
| 1139454 | Sensor generates a false positive alert for the "IGMP: Fragmented IGMP Packet Attack" alert. |
| 1138571 | Connection Count of TCP/UDP on Next Generation report always shows "0". |
| 1138004 | With Layer3 off, the ARP packets were being sent by sensor with additional header causing the peer device to drop it. |
| 1137501 | The Sensor is vulnerable to NTPD vulnerability (VU#718152). |
| 1137363 | Authentication channel does not come up when you transition from MDR to standalone and when the secondary Manager which is in standby mode becomes the controlling (Active) Manager. |
| 1136618 | ISAKMP traffic is not dropped by the Sensor Firewall policy when it is configured to drop such packets. |
| 1135590 | In scenarios where the configuration changes are significantly larger than the previous configuration between Sensor diagnostic trace uploads, the Sensor may reboot. |
| 1135169 | The Sensor is vulnerable to OpenSSL vulnerabilities (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176). |
| 1134703 | [NS7x00, NS5x00, NS3x00] Links are flapping randomly because of incorrect internal ports timeout configuration. |
| 1134418 | In rare scenarios, when SSL decryption is enabled, internal resources of Sensor are exhausted, and the Sensor becomes unresponsive or reboots. |
| 1133656 | Block unsupported SSL/TLS connections. |
| 1131958 | Sensor will remain "in progress" if it is disconnected from the Manager during a configuration update. |
| 1126938 | [NS7100, NS7300] Packet capture fails in Sensors. |
| 1126547 | In certain scenarios during the processing of packets with permit flow violation, the Sensor fails to detect out of order packets. |
| 1122077 | The Sensor is vulnerable to CVE-2015-3197 OpenSSL vulnerability. |
| 1119829 | User role based firewall rule is not working because of incorrect translation within the sensor when attempting a match. |
| 1112291 | [NS3x00] Malware attack detection not working. |
| 1090900 | Attack time in syslog is reported in 12 hour format without the AM/PM notation. |
| 1053967 | Under a certain rare condition, the Sensor may reboot due to hardware watchdog expiration. |
| 1051747 | The Sensor does not send traffic as a measure of bytes. |

Installation instructions

Review the following before you install the Manager software.

The following table lists the 8.1 Manager server requirements:

| | Minimum required | Recommended |
|---|---|---|
| OS | Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English OS, SP1 (64 bit) (Full Installation); Windows Server 2008 R2 Standard or Enterprise Edition, Japanese OS, SP1 (64 bit) (Full Installation). Only X64 architecture is supported. | Same as the minimum required. |
| Memory | 4GB | 8GB |
| CPU | Server model processor such as Intel Xeon | Same |
| Disk space | 40GB | 80GB disk with 8MB memory cache or greater |
| Network | 100Mbps card | 1000Mbps card |
| Monitor | 32-bit color, 1024 x 768 display setting | 1280 x 1024 |

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements for Central Manager/Manager

| Component | Minimum | Recommended |
|---|---|---|
| OS | Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition with SP1 (English) (64 bit); Windows Server 2008 R2 Standard or Enterprise Edition with SP1 (Japanese) (64 bit). Only X64 architecture is supported. | Same as minimum required. |
| Memory | 4 GB | 8 GB |
| Virtual CPUs | 2 | 2 or more |
| Disk Space | 40GB | 80GB |

Table 5-2 VMware ESX server requirements for Central Manager/Manager

| Component | Minimum |
|---|---|
| Virtualization software | VMWare ESX Server version 4.0 update 1 and version 4.1; ESXi 5.0; ESXi 5.1 |
| CPU | Intel Xeon CPU ES 5335 @ 2.00GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00GHz. |
| Memory | Physical Memory: 16GB |
| Internal Disks | 1 TB |

For the Manager client, in addition to Windows 7 and Windows XP, you can also use the operating systems mentioned for the Manager server.

For more information, see McAfee Network Security Platform Installation Guide.

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

Migrating the Manager

This section shows you different scenarios of deployment from which you can migrate to 8.1.19.x.

Table 5-3 Upgrade scenarios and associated considerations

| Current Manager version | Intended Manager version | Scenario-specific considerations |
|---|---|---|
| 8.1.x.x (Non-FIPS Manager) | 8.1.19.x (FIPS Manager in non-FIPS mode) | Upgrade to 8.1.19.x and select non-FIPS mode during installation. |
| 8.1.x.x (Non-FIPS Manager) | 8.1.19.x (FIPS Manager in FIPS mode) | This is not allowed. |

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:

- Manager software issues: KB81373
- NS-series Sensor software issues: KB82173

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

8.1 product documentation list

The following software guides are available for Network Security Platform 8.1 release:

- Quick Tour
- Custom Attacks Definition Guide
- Installation Guide
- XC Cluster Administration Guide
- Upgrade Guide
- Integration Guide
- Manager Administration Guide
- NTBA Administration Guide
- Manager API Reference Guide
- Best Practices Guide
- CLI Guide
- Troubleshooting Guide
- IPS Administration Guide

Copyright 2017 McAfee LLC. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.