McAfee Asset Manager Sensor

(1)

Installation Guide

McAfee Asset Manager Sensor

(2)

COPYRIGHT

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

(3)

Preface

This document is provided in order to assist in the successful installation of the McAfee Asset Manager Sensor software.

About this guide

The document includes general information about the system, and describes the requirements and procedures for installing the McAfee Asset Sensor software.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is primarily intended for:

 Administrators — People who implement and enforce the company's security program.

 Users — People who are responsible for configuring the product options on their systems, or

for updating their systems.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold Text that is strongly emphasized.

User input, Path, or

Code Commands and other text that the user types; the path of a folder or _{program; a code sample.}

Hypertext A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

(8)

Introducing the McAfee Asset Manager Solution Suite Finding product documentation

network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

What’s in this guide

This guide is organized to help you find the information you need.

 Chapter 1, The McAfee Asset Manager Solution Suite – Describes the McAfee Asset Manager Solution Suite and its architecture.

 Chapter 2, Installation Requirements – Details the installation prerequisites.

 Chapter 3, Installing the McAfee Asset Manager Sensor – Describes how to install the McAfee Asset Manager Sensor.

 Chapter 4, Installing McAfee Asset Manager Sensor on VMware ESX Servers – Describes how to configure the networking of a VMware ESX server in preparation for installing McAfee Asset Manager Sensor on a virtual machine.

 Chapter 5, Accessing the McAfee Asset Manager Sensor – Describes how to access the McAfee Asset Manager Sensor.

 Chapter 6, McAfee Asset Manager Sensor Post-Installation Configuration – Describes the McAfee Asset Manager Sensor Post Installation Configuration.

 Chapter 7, Remote Sensor Settings (Optional) – Describes the Remote Sensor settings.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from

installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com. 2 Under Self Service, access the type of information you need:

To access… Do this…

User documentation 1 Click Product Documentation.

2 Select a Product, then select a Version. 3 Select a product document.

KnowledgeBase  Click Search the KnowledgeBase for answers to your product questions.

 Click Browse the KnowledgeBase for articles listed by product and version.

(9)

1

Introducing the McAfee Asset Manager

Solution Suite

This chapter introduces the McAfee Asset Manager Solution Suite and its architecture. Contents

 The McAfee Asset Manager Solution Suite

The McAfee Asset Manager Solution Suite

Total Network Visibility with Real-Time Network, Device, and User Intelligence

McAfee Asset Manager provides a 360° view into the actual state of your network security. It builds and maintains a complete and accurate inventory of ALL devices operating on the enterprise network. Utilizing unique profiling technology, McAfee Asset Manager provides meaningful network, device and user intelligence, thereby reducing ambiguity and enabling better decision making based on accurate and in-depth audit information. Network information is continuously collected to reflect the actual current state of the network. McAfee Asset Manager detects 20%-50% of additional devices residing on an enterprise network, which otherwise would not be accounted for.

McAfee Asset Manager automatically performs security configuration audits based on the asset classification information collected, simplifying the process of conducting network-wide security configuration audits. McAfee Asset Manager provides efficient security compliance tracking and auditing procedures, highlighting the gap between the actual security configurations of devices to industry best practices.

McAfee Asset Manager can integrate with your security ecosystem to enhance the operation of your existing security products and provide total network visibility with real-time network intelligence. The McAfee Asset Manager takes a unique approach and is an agentless solution; it does not require any integration with infrastructure components and is vendor agnostic.

Architecture

The McAfee Asset Manager Solution Suite is a distributed application where Sensors are deployed in different organizational locations and report to a centralized console. A Sensor can be installed as an appliance and as a virtual appliance, and also supports remote deployment.

The McAfee Asset Manager Console is a software-based application that enables IT management to easily control multiple McAfee Asset Manager Sensors deployed on multiple distributed networks. The McAfee Asset Manager Console consolidates information from hundreds of Sensors into a unified management view using a single web-based user interface.

(10)

Introducing the McAfee Asset Manager Solution Suite The McAfee Asset Manager Solution Suite

The McAfee Asset Manager Sensor and the McAfee Asset Manager Console are software

based-products shipped as an ISO image including an underlying hardened Linux operating system (based on the Debian Linux distribution) and the McAfee Asset Manager application.

Installation method

The McAfee Asset Manager suite is a software ISO image that can be used to install both the McAfee Asset Manager Sensor and the McAfee Asset Manager Console.

Note _{Installing both the MAM console and sensor on the same machine is not a supported} deployment option for production environments.

(11)

2

Installation Requirements

This chapter details the minimum hardware platform requirements. Contents

 Installation checklist  Installation requirements

Installation checklist

For successful installation of the McAfee Asset Manager Sensor, it is important to adhere to the guidelines set forth in this installation checklist.

Hardware

 Physical or virtual appliance with appropriate hardware specification  Hardware compatibility with MAM platform in case of a physical appliance

Network

 A span port configured on a switch that terminates layer-2 traffic of the networks to be monitored (more than a single span port can be used with additional passive network

interfaces). The span port should mirror traffic coming in and going out of the networks to be monitored

 A regular switch port on a switch part of a network to be monitored, or a Trunk port allowing layer-2 access to the VLANs/subnets

Other configuration

 SNMP community string(s) to allow read-only access to managed switches operating on the network

 A single IP address and its related network configuration, or an IP address on each VLAN/subnet

 Credentials that allow probing VMware ESX servers, Microsoft Windows and *NIX-based operating systems (optional)

 Credentials that allow probing an Active Directory server (optional)

Client-side requirements

 JAVA JRE Version 6.0 or above

(12)

Installation Requirements Installation requirements

Installation requirements

For successful installation of the McAfee Asset Manager Sensor, it is important to adhere to the guidelines set forth in the following sections.

Hardware specifications

For general sizing guidelines and hardeware requirements, please refer to the "MAM v6.5 General Sizing Guidelines" document.

Networking

McAfee Asset Manager Sensor uses two types of NICs:

 The first type is used to perform surgical active probing. It is called the Active network interface. The first Active network interface is also used for the management user interface.  The second type is used to observe network traffic coming in to and going out of monitored

networks. Such a NIC receives network traffic and does not transmit any. It is called the Passive network interface and should be connected to a switch span/mirror port.

McAfee Asset Manager Sensor should be connected using at least two NICs, an active NIC and a passive NIC. Depending on the network structure and topology, it can also use several active and/or passive NICs.

Note _{For profiling mobile devices, the wireless networks should be configured for bridged mode.}

Passive network interface card

Passive NICs need to be connected to a central switch, passively receiving network traffic coming in and out of all of the monitored network(s) using the switch’s span port (i.e., mirroring port). The information received through the passive NICs must include network traffic, layer-2 and above, coming in and out of all of the monitored network(s); therefore the passive NICs need to be connected to a central switch (the Core switch in many cases) that terminates layer-2 traffic.

The passive NICs can handle up to 1 Gbit/sec of network traffic.

Note _{An NIC used as a passive interface should be a 10/100/1000 Mbit/s NIC. A 10/100} Mbit/s NIC can be used only when less than 100 Mbit/s of traffic is expected to pass through it.

Active network interface card

Regular port

When a single network is monitored by McAfee Asset Manager Sensor, the active NIC must be

connected to one of the switches that is part of the monitored network and be assigned an IP address belonging to the monitored IP network.

When multiple networks are monitored, the IP address assigned to the active NIC must belong to one of the monitored networks. The IP address assigned to the McAfee Asset Manager Sensor must be allowed to send query packets to any device on any monitored network.

(13)

In a multi-VLAN environment, the IP address assigned to the McAfee Asset Manager Sensor must belong to one of the monitored VLANs, and must be allowed to send query packets to any device on any monitored VLAN.

Trunk port

If the active NIC is connected to a Trunk switch port, the active NIC should be assigned an IP address on each monitored VLAN. One of the VLANs is designated as the default VLAN and its IP address must be allowed to send query packets to any device on any other VLAN.

Note

The NIC used as an active interface should be a 10/100 Mbit/s NIC. A faster card may be used.

McAfee Asset Manager Sensor supports the configuration of sub-interfaces on non-trunked active interfaces.

Network requirements

3 A span port configured on a switch that terminates layer-2 traffic of networks to be monitored

(more than a single span port can be used with additional passive network interfaces if needed). The span port should mirror traffic coming in and out of the networks to be monitored.

4 A regular switch port on a switch part of a network to be monitored, or a Trunk port allowing

layer-2 access to VLANs/Subnets (multiple active interfaces may also be used if needed).

Switch access (SNMP configuration)

The McAfee Asset Manager Sensor requires read-only access to all managed switches in order to provide a complete physical network topology map, and location-related information for the devices it monitors.

The following conditions must be met as part of the SNMP configuration:

 The SNMP protocol must be enabled on all switches (v1, v2, or v3) operating on a network.  The McAfee Asset Manager Sensor must have the ability and permission to query all of the

manageable switches operating on the network.

 The SNMP community strings for read-only access used with the switches must be configured for the McAfee Asset Manager Sensor (in the Configuration module). The SNMP v1 public community string is defined by default.

Note _{Probing switches with SNMP traffic can be turned off. It is controlled by a system} parameter, SNMP Queries Enabled, located under Configuration > System Parameters > Real-Time. By-default this setting is set to Yes. Changing its value to No disables sending SNMP queries. Note that if set to No, the topology and device location will not be available.

Refer to the McAfee Asset Manager Sensor FAQ for more information on how to verify (and troubleshoot) the correct SNMP community strings information and the switches' willingness to communicate with the McAfee Asset Manager Sensor.

Client-side requirements

The following are the prerequisites for a computer accessing the web interface of the McAfee Asset Manager Sensor:

(14)

1 Java JRE Version 6.0 or above must be installed on the client system and configured in the

browser in order to access the McAfee Asset Manager Sensor and enjoy the full capabilities of the GUI. To install Java, refer to http://www.java.com.

2 Microsoft Internet Explorer 7.x/8.x/9.x.

Information required for installation

The initial configuration of the McAfee Asset Manager Sensor requires the configuration of a single active interface. The active interface may be configured as:

 Static: A static IP address is assigned to the NIC.

 Trunk: The NIC is connected to a switch trunk port.

 Trunk (Native VLAN): The NIC is connected to a switch trunk port using the VLAN ID, which is

designated as native (i.e., will not use the 802.1Q encapsulation for packets sent on the trunk).

Non-trunked network interface (“static”)

The following information must be configured as part of the initial installation process for a non-trunked network interface:

 IP address and network configuration information: The McAfee Asset Manager Sensor must have an IP address for at least one of its active NICs. This IP address must be a static IP address.

 Additional networking parameters must be configured, such as the network address mask and the default gateway’s IP address.

Trunked network interface

The following information must be configured when the active NIC is connected to a trunk switch port:  The VLAN ID of the VLAN to be used by the active NIC

 Knowledge whether or not this VLAN ID acts as the Native VLAN for the network  Network configuration information:

 IP Address

 Network address mask

 The default gateway’s IP address for this VLAN

Additional information

The following information is required after the initial install:

 Any network configuration-related information required to configure the rest of the NICs (which interface(s) will be configured as passive, continuing the configuration of the trunked active NIC, configuring additional active cards whether static or trunked, and so on). The

configuration can be performed in the Configuration > Network > TCP/IP page of the McAfee Asset Manager Sensor GUI.

(15)

 SNMP community strings for the switches operating on the network. The SNMP community strings used with manageable switches operating on the network must be configured for the McAfee Asset Manager Sensor in the Configuration module of the web interface after the initial installation of the system.

 Credentials that allow probing VMware ESX servers, Microsoft Windows and *NIX-based operating systems for deep auditing (optional).

 Credentials that allow probing an active directory server (if applicable) in order to retrieve additional user-related information about an identified logged on user (optional).

(16)

(17)

Install the McAfee Asset Manager Sensor Install the McAfee Asset Manager Sensor software

3

Install the McAfee Asset Manager Sensor

This chapter describes how to install the McAfee Asset Manager Sensor. Contents

 Install the McAfee Asset Manager Sensor software

Install the McAfee Asset Manager Sensor software

Before you begin

 Verify that all of the prerequisites detailed in Chapter 2, Installation Prerequisites, have been met.

Task

1 Verify that the BIOS Setup is configured to boot from the CD ROM/DVD. 2 Insert the installation CD into the CD-ROM/DVD drive.

3 Boot the system.

After the operating system has loaded, the Installation page is displayed.

4 Select the Install option from the menu for graphical installation mode.

Note _{The advanced and Text Install options should only be used by McAfee personnel for} debugging purposes.

The “Detect Network Hardware” page is displayed. When the network hardware detection process is complete, the Welcome to the McAfee Asset Manager Installer screen is displayed.

5 Click Continue to acknowledge formatting the drive prior to the software installation.

Note

Formatting the disk is mandatory for the installation.

6 Set the password for the root user.

The Software selection page is displayed.

7 For the McAfee Asset Manager Sensor installation, select McAfee Asset Manager Sensor, then click Continue.

(18)

8 In the Configuring Sensor screen, enter the name of the physical location of the McAfee Asset

Manager Sensor, then click Continue. The End User License Agreement is displayed.

9 Read the license agreement carefully, then click Continue.

The License confirmation page is displayed.

10 Select Yes to confirm your agreement to the license terms, then click Continue to begin the

installation process.

The installation process begins. After a few minutes, the computer ejects the CD and automatically reboots.

When the computer restarts and the system boots for the first time, the Initial IP Configurator screen is displayed.

Note

To navigate within the configuration screens, use the arrow keys, the TAB key, and the

Enter key.

11 Select Yes to allow the installation system to attempt enumerating network settings, enabling the

automatic configuration of key networking parameters. Otherwise select No to continue. When Yes is selected, the network settings are automatically enumerated.

The active NIC configuration screen is displayed (regardless of the selection made).

Note _{The initial configuration of the McAfee Asset Manager Sensor mandates configuring a} single active network interface. After the initial install, all other network configuration is to be performed in the Configuration > Network > TCP/IP page of the McAfee Asset Manager Sensor GUI.

12 Press <Enter> to list the interfaces available for configuration. Use the arrow keys to navigate and

select the interface you want to configure, then press <Enter> again.

13 Press Tab to move to the Interface Options and select the required interface type:

 Static: A static IP address is assigned to the NIC.

 Trunk: The NIC is connected to a switch trunk port.

 Trunk (Native): The NIC is connected to a switch trunk port using the VLAN ID, which is

designated as native (i.e., it will not use 802.1Q encapsulation for packets sent on the trunk). Note _{McAfee Asset Manager Sensor supports the configuration of multiple active NICs, or}

one or more trunk ports.

McAfee Asset Manager Sensor supports the configuration of multiple passive NICs.

14 Press the TAB key to select and configure the remaining required network configuration

parameters: IP address, Netmask, default gateway and, if needed, the VLAN ID.

15 Select Next. The DNS Configuration page is displayed.

16 Type the IP address of your primary DNS server under Primary DNS IP Address. 17 If using a secondary DNS server, type its IP address under Secondary DNS IP Address.

18 Insert the fully qualified domain name of your DNS domain under Fully Qualified Domain Name (FQDN). 19 Select Next. The Time Configuration screen is displayed.

(19)

20 In the Time Configuration page, type the IP address or the hostname of your NTP server under NTP Server IP Address/Name.

21 Select either the Time Zone or the Country where the McAfee Asset Manager Sensor is installed to

correctly align the time zone of the McAfee Asset Manager Sensor.

(20)

(21)

4

Installing McAfee Asset Manager Sensor

on VMware ESX servers

This chapter describes how to configure the networking of a VMware ESX server in preparation for installing McAfee Asset Manager Sensor on a virtual machine.

Contents

 Configuring the passive network interface  Modifying the vSwitch configuration

 Configuring the active NIC (VLAN trunk)

 Creating a virtual machine for the McAfee Asset Manager Sensor

 Installing the software

Configuring the passive network interface

This section describes how to create a vSwitch to be used for passive monitoring or as an active VLAN Trunk.

Task

1 Log in to the VMware VI Client, then select the server from the inventory panel.

The hardware configuration page for this server is displayed.

2 Click the Configuration tab, then click Networking. 3 Click the Add Networking link.

4 On the right side of Add Network Wizard screen, click Add Networking.

The virtual switches are presented in an overview and details layout.

5 Accept the default connection type, Virtual Machines, then click Next. 6 In the Network Access screen, select Create a virtual switch, then click Next.

7 In the Connection Settings screen, enter 4095 in the VLAN ID field; the port group will receive network

(22)

Installing McAfee Asset Manager Sensor on VMware ESX servers Modifying the vSwitch configuration

Modifying the vSwitch configuration

Task

The hardware configuration page for the server is displayed.

2 Click the Configuration tab, then click Networking.

3 On the right side of the window, select the vSwitch that you want to edit, then click Properties. 4 In the vSwitch Properties dialog box, select the network adapter to change the configured speed, then

click Edit.

5 Select 1000Mb, Full Duplex.

6 In the Properties dialog box for the vSwitch, click the Security tab.

7 In the Policy Exceptions pane, accept the Layer2 Security policy exception for Promiscuous Mode by

selecting Accept.

Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSwitch that are allowed under the VLAN policy for the port group to which the adapter is connected.

8 Click OK.

Configuring the active NIC (VLAN trunk)

Task

The hardware configuration page for the server is displayed.

2 Click the Configuration tab, then click Networking. 3 Click the Add Networking link.

4 On the right side of Add Network Wizard screen, click Add Networking.

The virtual switches are presented in an overview and details layout.

5 Accept the default connection type, Virtual Machines, then click Next. 6 In the Network Access screen, select Create a virtual switch, then click Next.

7 In the Connection Settings screen, enter 4095 in the VLAN ID field; the port group will receive network

(23)

Installing McAfee Asset Manager Sensor on VMware ESX servers Creating a virtual machine for the McAfee Asset Manager Sensor

Creating a virtual machine for the McAfee Asset Manager

Sensor

Task

1 From the Virtual Center client, click Inventory in the navigation bar.

2 From the Inventory list, select the managed host to which you want to add the new virtual

machine.

3 Select File > New > Virtual Machine.

4 In the New Virtual Machine wizard, select Custom, then click Next. 5 Type a virtual machine name, then click Next.

6 Select a folder, then click Next.

7 Select the resource pool from the list, then click Next. 8 Select a datastore, then click Next.

9 From the Guest operating system dropdown list, select Other, then click Next.

10 Set the number of virtual processors to be used by the virtual machine, then click Next.

11 Configure the virtual machine’s memory size, then click Next. (The minimum recommended size is

1GB.)

12 Select the previously created networks to connect to by selecting the names of the networks (NIC

1 to Passive and NIC 2 to Active), select Connect to them at power on, then click Next.

13 Select the LSI Logic SCSI adapter to be used for the virtual machine. 14 Select the Virtual Disk type, then click Next.

Note _{You can store virtual machine data in a new virtual disk, an existing virtual disk, or a} mapped storage area network (SAN) logical unit number (LUN).

To create a new virtual disk, you must select the size of the virtual disk. The minimum recommended size is 8 GB.

15 Specify a datastore location for the disk, then click Next.

16 Select the virtual device node and disk mode for the virtual disk. (SCSI(0:0))

17 If you select Independent disk mode, select Persistent as the type (meaning that changes are

immediately and permanently written to the disk).

(24)

Installing McAfee Asset Manager Sensor on VMware ESX servers Installing the software

Installing the software

McAfee Asset Manager Sensor can be installed on the virtual machine using either the McAfee Asset Manager installation CD-ROM or an ISO image file.

Task

1 Using the Virtual Machine Settings editor, connect the virtual machine’s CD-ROM drive to the ISO

image file and power on the virtual machine.

2 Follow the instructions provided earlier in this guide to complete the installation. For details, refer

to 3.2 Installing the McAfee Asset Manager Sensor on Dedicated Hardware.

Note _{It may be necessary to change the boot order in the virtual machine BIOS so that the} virtual machine attempts to boot from the CD/DVD drive/device before trying other boot devices. To do so, press F2 when prompted during the virtual machine startup.

(25)

5

Accessing the McAfee Asset Manager

Sensor

This chapter describes how to access the McAfee Asset Manager Sensor. Contents

 Accessing the McAfee Asset Manager Sensor

Accessing the McAfee Asset Manager Sensor

Once the McAfee Asset Manager Sensor software has been installed, you are ready to access the application.

Note _{If the McAfee Asset Manager Sensor is located behind a firewall, access to the IP} address of the system using TCP ports 22 (SSH), 443 (web access), and 18000 (viewing topology data) must be allowed through the firewall in order to successfully access and use the system.

Task

1 Using Microsoft Internet Explorer 7.x/8.x/9.x, browse to https://<IP address of the McAfee Asset Manager Sensor> and press <Enter>. The McAfee Asset Manager Sensor Login page is displayed.

2 Enter your username and password in the designated fields, then click Login. By default, the Dashboard module of McAfee Asset Manager Sensor is displayed.

Note _{By default, one user account is defined in the system with administrative privileges,} which allows the user to perform configuration changes (username admin). By default, the passwords for the admin user account is Password@5. To prevent unauthorized access, it is highly recommended that you change this password as soon as possible.

(26)

Accessing the McAfee Asset Manager Sensor Accessing the McAfee Asset Manager Sensor

(27)

6

McAfee Asset Manager Sensor

post-installation configuration

This chapter describes the MAM Sensor Post Installation Configuration. Contents

 Post-installation configuration  Networking

 Network configuration

(28)

McAfee Asset Manager Sensor post-installation configuration Active network services detection (optional)

 DNS settings

 Topology discovery related configurations  Define external network settings

Active network services detection (optional)

The McAfee Asset Manager Sensor can perform network services audit both passively and actively. Following the initial installation of the McAfee Asset Manager sensor, the active network services detection mechanism is disabled by default and should be explicitly enabled if needed.

Enable active network services detection

You can enable the active network services detection mechanism. Task

1 Select Audit on the module selection bar to display the Audit module. The Servers Audit tab is

displayed.

2 Select Enable Active Network Services Detection. 3 Click Save.

 Deep audit (optional)

 Active Directory credentials (optional)  Post-installation information verification

Post-installation configuration

This section describes the steps that need to be taken to configure the McAfee Asset Manager Sensor following installation, including the following configurations:

 Networking  DNS Settings

 Topology Discovery related configuration  SNMP community strings

 External networks (if needed)  Deep Audit (optional)

(29)

McAfee Asset Manager Sensor post-installation configuration Networking

Networking

After the initial installation, the McAfee Asset Manager Sensor is configured with a single active interface.

You can perform additional networking configurations in the Configuration > Network > TCP/IP page of the McAfee Asset Manager Sensor GUI and verify their operation.

The McAfee Asset Manager Sensor can be configured to use multiple passive and active NICs. The configuration is done in the Configuration > Network > TCP/IP page.

Note _{Any changes made to the configuration of the network settings mandate a restart} without persistency whereby the system starts recollecting information after it has restarted.

The user must log in to the McAfee Asset Manager Sensor UI within 3 minutes after the system has restarted. This is to prevent a rollback to the previous configuration. If errors were included in the configuration changes, this mechanism allows reverting to the previous network configuration.

Network configuration

A user with the necessary permissions can configure any of the available network interfaces listed in the Network Connections table in the Interface column.

The following types of network interfaces can be configured:  Static: A static IP address is assigned to the NIC.

 Sub-interface: An additional IP address is assigned to the NIC.

 Trunk: The interface is connected to a switch trunk port.

 Trunk (Native): The interface is connected to a switch trunk port and is using the VLAN ID, which

is designated as native (i.e., will not use the 802.1Q encapsulation for packets sent on the trunk).

 Disabled: The interface is disabled.

Configure a passive interface

This section describes how to configure a NIC to be used as a passive interface. Task

1 In the Configuration module, select the Network tab.

2 In the TCP/IP page, click the name of the interface to be configured as passive.

The Connection Configuration window for the interface is displayed.

3 Set the interface type to Passive, then click Update.

4 Click Save, then restart the McAfee Asset Manager Sensor.

Note _{You can configure all the required network interfaces and then save the configuration} and restart.

(30)

McAfee Asset Manager Sensor post-installation configuration Network configuration

Configure a static interface

This section describes how to configure a static network interface, meaning that static IP address is assigned to the network interface card.

Task

2 In the TCP/IP page, click the name of the interface to be configured as static.

The Connection Configuration dialog box for the interface is displayed.

3 Set the interface type to Static.

4 Insert the IP Address, the Netmask, and the Default Gateway for this interface. 5 Click Update.

Note

You can configure all the required network interfaces and then save the configuration and restart.

Configure a trunked interface

You can configure a network interface that is connected to a switch trunk port. Task

2 In the TCP/IP page, click on an interface you want to configure as trunk. The Connection Configuration

window for the interface is displayed.

3 Set the interface type to Trunked, then click Update. 4 The interface type now has changed to Trunked.

5 To configure an interface on a specific VLAN click Trunked under the interface’s type. The VLAN Settings window appears.

6 Fill in the VLAN ID with which this interface is to be associated, the IP Address, the Netmask, and the Default Gateway.

7 (Optional) If the VLAN ID associated with this interface is to be configured as the Native VLAN for

this trunk, set Native VLAN to True.

8 Click Update to list the information.

Note

You can configure all the required network interfaces and then save the configuration and restart.

(31)

McAfee Asset Manager Sensor post-installation configuration Network configuration

Configure a sub-interface

You can configure a sub-interface, meaning that an additional IP address is assigned to the network interface card.

Task

2 In the TCP/IP page, click the name of the interface under which the sub-interface is to be added.

The Connection Configuration window for the interface is displayed.

3 Click Add Interface to add a sub-interface configuration for the interface you had selected. 4 Insert the IP Address, the Netmask, and the Default Gateway for this sub-interface.

5 Click Update.

Configure an interface as disabled

You can configure a specific sub-interface as disabled. Task

2 In the TCP/IP page, click the name of the interface to be configured as disabled. The Connection

Configuration window for the interface is displayed.

3 Set the interface type to Disabled, then click Update.

Note _{You can configure all the required network interfaces and then save the configuration} and restart.

Remove an interface configuration

You can remove an interface configuration that is no longer valid. Task

2 In the TCP/IP page, select the checkbox of the interface you want to remove. 3 Click Remove Selected.

Edit the configuration

If you have administrative privileges, you can access the Configuration > Network > TCP/IP page at any time and change the configuration of the network interfaces.

(32)

McAfee Asset Manager Sensor post-installation configuration Networking configuration verification

Networking configuration verification

This section provides information on how to manually verify the correct configuration of the NICs. Note

McAfee Asset Manager Sensor verifies the connectivity of the NICs defined as active when saving the configuration in the Configuration > Network > TCP/IP tab. Per active interface, the system tests the configuration by verifying whether the default gateway configured for the interface responds or not. If the default gateway does not respond, a yellow exclamation icon is displayed in the network configuration screen to flag the issue.

Verify the initial network configuration

This section describes how to verify the initial configuration of the active interface configured during the installation of the system.

Task

1 Issue the ping command from the console (for example, against your default gateway’s IP

address) to confirm that the McAfee Asset Manager Sensor is successfully attached to the network.

2 If the ping command fails:

 Verify the configuration of the NIC by using the following command and examining its output (with the following example eth1 is the active NIC):

root@mam:~# more /etc/network/interfaces auto lo

iface lo inet loopback

auto eth0

iface eth0 inet manual

pre-up ifconfig eth0 up post-down ifconfig eth0 down

auto eth1

iface eth1 inet static address 192.168.1.100 netmask 255.255.255.0 gateway 192.168.1.99 broadcast 192.168.1.255

 If needed, reconfigure the active NIC using the pic3 command.  Verify your new configuration by issuing the following command:

(33)

 Stop the McAfee Asset Manager Sensor software: monit stop all

 Stop the Linux operating system’s networking services: /etc/init.d/networking stop

 Start the Linux operating system’s networking services: /etc/init.d/networking start

 Start the McAfee Asset Manager Sensor software: monit start all

 Re-issue the ping command from the console (for example, against your default gateway’s IP address) to confirm that the McAfee Asset Manager Sensor is successfully attached to the network.

Verify the NIC configuration

After completing the network configuration (in the McAfee Asset Manager Sensor Configuration > Network >

TCP/IP screen), you can verify the configuration of the various NICs from the system’s console.

Multi-NIC configuration

This section describes how to verify a multi-NIC configuration. Task

1 Log in to the McAfee Asset Manager Sensor from its console or with SSH using the root

credentials.

2 Issue the ifconfig command and view the output. The output needs to include at least three

interfaces by default: eth1, eth0, and lo. If either eth0 or eth1 are not present, one of the NICs is not recognized by the installation. Replace the card and perform the installation again (it is recommended to use Intel-based NICs). One of the NICs should be assigned a static IP address; the second NIC must not have an IP address and should be configured in promiscuous mode.

3 View the output of the ifconfig command to verify that the interface that is configured in

promiscuous mode passively receives traffic. Examine the RX bytes and TX bytes statistics for the network interface. The TX bytes (transmitted bytes) statistics should be zero (TX bytes: 0 (0.0 b)), where the RX bytes should show numbers (RX bytes:1289582104 (1.2 GiB)). Issue the ifconfig command again and verify these numbers progress. In the following example, eth0 is configured as the passive NIC.

root@mam:~# ifconfig

eth0 Link encap:Ethernet HWaddr 00:03:47:07:60:B6

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:159617863 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000

(34)

eth1 Link encap:Ethernet HWaddr 00:03:47:E1:2A:B8

inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:3878650 errors:0 dropped:0 overruns:0 frame:0 TX packets:1267992 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000

RX bytes:534027530 (509.2 MiB) TX bytes:223132911 (212.7 MiB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1

RX bytes:5969910 (5.6 MiB) TX bytes:5969910 (5.6 MiB) Note

The output displayed in this example matches a configuration of a single passive interface (eth0) and a single active interface (eth1).

VLAN trunk configuration

Task

credentials.

2 Issue the ifconfig command and view the output. The output needs to include at least three

interfaces by default: eth1, eth0, and lo. If either eth0 or eth1 are not present, one of the NICs is not recognized by the installation. Replace the card and perform the installation again (it is

recommended to use Intel-based NICs).

One of the NICs should be configured as a VLAN Trunk. The interface should have sub-interfaces configured per-VLAN (i.e., if the interface is eth1, its sub-interface for VLAN 3 would be eth1.3). All of the sub-interfaces should be each assigned a static IP address, where the interface itself must not be assigned an IP address. The second NIC must not have an IP address and should be configured in promiscuous mode.

3 View the output of the ifconfig command to verify that the interface which is configured in

promiscuous mode passively receives traffic. Examine the RX bytes and TX bytes statistics for the network interface. The TX bytes (transmitted bytes) statistics should be zero (TX bytes: 0 (0.0 b)), where the RX bytes should show numbers (RX bytes:1289582104 (1.2 GiB)). Issue the ifconfig command again and verify these numbers progress. In the following example, eth0 is configured as the passive NIC.

(35)

root@mam:~# ifconfig

RX bytes:1289582104 (1.2 GiB) TX bytes:0 (0.0 b)

RX bytes:1489582104 (1.4 GiB) TX bytes:0 (0.0 b)

eth1.3 Link encap:Ethernet HWaddr 00:03:47:E1:2A:B8

eth1.5 Link encap:Ethernet HWaddr 00:03:47:E2:2B:B8

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1

(36)

Active interface configuration testing

This section describes how to test the configuration of the various active interfaces.

Verify Multi-NIC configuration

It is important to verify proper configuration of the active interface(s). Task

1 Issue the ping command from the console against a selected device on each subnet the McAfee

Asset Manager Sensor is attached to using an active interface (for example, against your default gateway’s IP address) to confirm that the McAfee Asset Manager Sensor is successfully attached to these networks.

 Verify the configurationn of the NIC by using the following command and examining its output (in the following example eth1 is the active NIC):

root@mam:~# more /etc/network/interfaces auto lo

iface lo inet loopback

auto eth0

iface eth0 inet manual

pre-up ifconfig eth0 up post-down ifconfig eth0 down

auto eth1

iface eth1 inet static address 192.168.1.100 netmask 255.255.255.0 gateway 192.168.1.99 broadcast 192.168.1.255

 If needed, re-configure the active NIC using the pic3 command.  Verify your new configuration by issuing the following command:

more /etc/network/interfaces

(37)

monit stop all

 Start the Linux operating system’s networking services: /etc/init.d/networking restart

Verify VLAN trunk configuration

It is important to verify proper configuration of the active NIC configured as a VLAN Trunk. Task

1 Issue the ping command from the console against a selected device on each subnet the McAfee

Asset Manager Sensor is configured on (for example, against your default gateway’s IP address) to confirm that the McAfee Asset Manager Sensor is successfully attached to the network.

2 Examine the output of the arp -a command. Each local IP address you have ping-ed should be

represented with the output (meaning the local interface of that subnet is the one which had issued the packets).

 Verify the configuration of the NIC by using the pic3 command.  If needed, re-configure the active NIC using the pic3 command.  Verify your new configuration by issuing the following command:

more /etc/network/interfaces

 Stop the McAfee Asset Manager Sensor software: monit stop all

 Start the Linux operating system’s networking services: /etc/init.d/networking restart

Examine network traffic received by a passive interface(s)

You can verify the configuration by examining the traffic received by a passive interface(s).

credentials.

(38)

3 Use the command to save the traffic received by a passive interface:

PCAP_USE_PFSRING=YES tcpdump –xnvve –s 2000 –i <interface> –w <filename>

4 Stop the tcpdump command by pressing CTRL+C.

5 Examine the traffic received by the interface using the following command:

tcpdump –xnvve –s 2000–r <dumpfile name> | more

Problems with the configuration of the switch span port may stem from the following factors:  If all of the destination IP addresses of the IP packets received target the IP address x.x.x.255,

then the passive interface receives only broadcast traffic and the span port is not set correctly. Reconfigure the switch’s span port and verify that the passive interface is properly attached to it. Perform the checks again to verify that the passive interface now receives the required traffic.

 The MAC addresses observed represents merely two devices. The span port is configured to mirror the traffic that passes between two routers. Reconfigure the switch’s span port and verify that the passive interface is properly attached to it. Perform the checks again to verify that the passive interface now receives the required traffic.

When no exceptions are detected in the network traffic received by the passive interface, restart the McAfee Asset Manager Sensor by issuing the following command:

monit start all

Visual identification of passive interface problems

Improper configuration of the passive interface may be detected using the McAfee Asset Manager Sensor GUI, as follows:

 If multiple networks should be monitored by the passive interface but the inventory module shows devices from the active NIC’s network only.

(39)

McAfee Asset Manager Sensor post-installation configuration DNS settings

DNS settings

You can verify the DNS settings in the Configuration | Network | DNS page.

Configure DNS resolution

The McAfee Asset Manager Sensor can be configured to resolve IP addresses to their respective DNS names, if these exist.

Task

1 In the Configuration module, select the Network tab, then click DNS.

2 In the DNS Configuration page, select Enable DNS resolution, then and enter the IP address of the DNS in

the DNS Server fields.

3 Click Save to apply and save the configuration.

Topology discovery related configurations

SNMP community strings

The global and specific SNMP community strings are defined in the Configuration | Topology tab.

Configure SNMP

In order for the McAfee Asset Manager Sensor to successfully discover the physical network topology of monitored networks, it must have SNMP read access to switches operating on the network.

Various parameters essential for the physical network topology discovery process can be configured in the Configuration |Topology | Credentials page, including:

 The default SNMP protocol version and the exact SNMP read-only community string to use by default when a switch is detected (can be more than one).

 The IP address, the SNMP protocol version, and the exact SNMP read-only community string to use for specific switches not identified automatically by the system.

 The SNMP protocol version and/or the SNMP read-only community string to use when querying a specific switch.

 The SNMP protocol version and community string to use when sending SNMP traps from switches to the McAfee Asset Manager Sensor.

The Topology Credentials page is also used to verify the information used to query a certain switch allows the McAfee Asset Manager Sensor to collect the required information.

Note _{Queried switches must comply with SNMP MIB-II.}

Global Credentials table

The Global Credentials table is used to configure the SNMP protocol version and community string to use by default when a new switch is detected by the system. A user can configure more than a single

(40)

McAfee Asset Manager Sensor post-installation configuration Topology discovery related configurations

entry, as there may be multiple configurations and various SNMP protocol versions configured, by default, across a network.

Global credentials entries are executed according to their order in the Global Credentials table. A higher entry is used before a lower entry.

Add global credentials

You can add credentials to the Global Credentials table. Task

1 Select Configuration on the module selection bar. The Topology tab of the Configuration module is

displayed.

2 Click Credentials to display the SNMP Strings page.

3 Select the SNMP protocol version to use from the SNMP Version dropdown list, and enter the SNMP

read-only community string to use in the Community String field. If required, enter additional relevant data such as username, password and passphrase.

4 Click Add. 5 Click Save.

Note _{By default, the system is configured to use SNMP protocol version 1, with public as the} default SNMP community string.

Remove global credentials

You can remove credentials from the Global Credentials table. Task

displayed.

3 Select the global credentials entry to be removed, then click Remove. 4 Click Save.

Determine the order of global credential entries

You can change the order in which the global credential entries are executed by changing the order in which they appear in the Global Credentials table. A higher entry is used before a lower entry.

Task

displayed.

3 To change the order of the global credential, select the global credentials entry to be moved. 4 Click the up arrow or down arrow to change the location of the entry in the list, thereby changing

the order of execution of the selected entry.

(41)

Switch Configuration table

The Switches table includes the IP address, the SNMP protocol version, and the SNMP read-only community string of any switches manually configured by the user. It also includes the operating system of the switch, and indicates whether or not the switch was successfully queried by the system the last time the Topology Discovery process was run. A user can add an entry to the Switches table for any switch that was not identified by the system, and can configure the SNMP protocol version and community string to use when querying the switch.

The default SNMP protocol version used by the system is version 1. The default SNMP read-only community string used by the system is public.

Add a switch or edit switch information

You can add an individual switch to the Individual Credentials table or edit existing switch information. Task

displayed.

2 Click Credentials button, then select the Switches link to display the Switches’ individual credentials

page.

3 Add an entry for a switch (or change an existing entry) as follows:

 In the empty cells above the Switch IP Address header, enter the IP address of the switch.  Select the SNMP version from the adjacent dropdown list.

 In the field above the Community String header, enter the SNMP read-only community string.  Click Apply. The switch information is added.

 Click Save.

Remove a switch from the Switches table

You can remove a switch from the Switches table. Task

displayed.

2 Click Credentials button, then select the Switches link to display the Switches’ individual credentials

page.

3 Select the entry to be removed from the Switches table, then click Remove. 4 Click Save.

Note

After a switch is added to the list of switches and the changes are saved, a Test button appears. Clicking the Test button verifies whether that the system can access the switch using the credentials listed.

Test a switch

For each switch entry in the Switch table list there is a Test button, which can be used to verify whether the system can access the switch using the SNMP credentials listed.

(42)

Task

displayed.

2 Click Switches to display the Monitored Switches page.

3 In the Switches table, click the Test button for the switch that is to be tested.

The McAfee Asset Manager Sensor probes the switch and an icon indicating the status of the test is displayed in the Test column as follows:

 A green icon, , indicates that the switch has been successfully queried and the SNMP credentials are correct.

 A yellow icon, , indicates that the switch has been successfully queried with the supplied SNMP community string credentials but that the necessary information for the physical network topology discovery process was not provided by the switch.

 A red icon, , indicates that the test has failed and that there is a problem with either the credentials listed for the switch or with access from the McAfee Asset Manager Sensor to the switch.

Note _{Switches that were added manually can also be tested from Switches individual} credentials section, located under the Configuration module, Topology tab under the

switches link

SNMP traps

The SNMP Traps page is used to configure the SNMP protocol version and community strings to use when SNMP traps are to be sent from switches to the Sensor.

Add SNMP trap credentials

You can add SNMP trap credentials to the configuration. Task

displayed.

2 Click Credentials, then select the SNMP Traps page.

3 Select the SNMP protocol version from the SNMP dropdown list, and enter the SNMP read-only

community string to use in the Community String field. If required, enter additional relevant data such as username, password and passphrase.

Remove SNMP trap credentials

You can remove SNMP trap credentials to the configuration. Task

(43)

McAfee Asset Manager Sensor post-installation configuration Define external network settings

2 Click Credentials, then select the SNMP Traps page.

3 Select the SNMP Traps credentials entry to be removed, then click Remove. 4 Click Save.

Define external network settings

Configuring a Management network (as an External network) is required in case switches are managed using a dedicated separate network that is not directly monitored by the McAfee Asset Manager Sensor.

The McAfee Asset Manager Sensor can also be used as a Remote Sensor to monitor small external sites that are not covered by the span port of the local site in order to provide real-time visibility to those sites. This capability reduces the number of Sensors required for large organizations and eliminates the need to install a Sensor at each small remote branch.

The Topology | Ext. Networks page is used for configuring external networks to be monitored by McAfee Asset Manager Sensor, by providing the IP address of switches residing on the external network, or by providing the external network’s subnet.

Configure external networks by IP address

You can configure the IP address of switches residing on the External network in the Ext. Networks | IP

Conf. page.

Task

displayed.

2 Click Ext. Networks, then select IP Conf. to display the External Networks Configuration by IP Address

list.

3 In the fields above the IP Address header, enter the IP address of the external switch.

Note _{If the IP address of the switch is on a different subnet than the External network itself,} enter the subnet in addition to the IP address.

Note

To delete an entry in the External Network Configuration table, select the checkbox, then click Remove.

Configure external networks by subnet

You can configure the IP address of switches residing on the External network in the Ext. Networks | Subnet

McAfee Asset Manager Sensor

Installation Guide

McAfee Asset Manager Sensor

Contents

Preface

About this guide

Related Documents

Audience

Conventions

What’s in this guide

Finding product documentation

1

Introducing the McAfee Asset Manager

Solution Suite

The McAfee Asset Manager Solution Suite

Architecture

Installation method

2

Installation Requirements

Installation checklist

Installation requirements

Hardware specifications

Networking

Passive network interface card

Active network interface card

Switch access (SNMP configuration)

Client-side requirements

Information required for installation

Non-trunked network interface (“static”)

Trunked network interface

Additional information

3

Install the McAfee Asset Manager Sensor

Install the McAfee Asset Manager Sensor software

4

Installing McAfee Asset Manager Sensor

on VMware ESX servers

Configuring the passive network interface

Modifying the vSwitch configuration

Configuring the active NIC (VLAN trunk)

Creating a virtual machine for the McAfee Asset Manager

Sensor

Installing the software

5

Accessing the McAfee Asset Manager

Sensor

Accessing the McAfee Asset Manager Sensor

6

McAfee Asset Manager Sensor

post-installation configuration

Active network services detection (optional)

Enable active network services detection

Post-installation configuration

Networking

Network configuration

Configure a passive interface

Configure a static interface

Configure a trunked interface

Configure a sub-interface

Configure an interface as disabled

Remove an interface configuration

Edit the configuration

Networking configuration verification

Verify the initial network configuration

Verify the NIC configuration

Multi-NIC configuration

VLAN trunk configuration

Active interface configuration testing

Verify Multi-NIC configuration

Verify VLAN trunk configuration

Examine network traffic received by a passive interface(s)

Visual identification of passive interface problems

DNS settings

Configure DNS resolution

Topology discovery related configurations

SNMP community strings

Configure SNMP

Global Credentials table

Switch Configuration table

Test a switch