Course Details
Objectives
- Planning the deployment.
- Installing and configuring the Manager.
- Managing users and resources.
- Configuring and managing policies.
- Analyzing and responding to threats.
- Tuning your security policies for maximum effectiveness.
Outline
Module 1: Welcome
- About the Course
- Acronyms and Terms
- Course Logistics
- Locating Resources on McAfee Business Website
- McAfee Product Training
- McAfee Foundstone Security Education
- ServicePortal
- Security Content Release Notes
- Product Enhancement Request
- Business Community
- Helpful Links
- Classroom Lab Topology
Module 2: Introduction to Network Intrusion Prevention
- Security Threats: The Increasing Risks
- What are Threats and Attacks?
- Common Attack Types
- Motivation and Contributing Factors for Attacks
- Comparing Intrusion Detection and Prevention
- Types of Intrusion Prevention Systems
- Why a Network IPS is Important
- Network Security Platform Overview
- New This Release
- Solution Components
- Attack Detection Framework
- Traffic Normalization
- Ten Steps to Using NSP
- Beyond Intrusion Prevention
Module 3: Planning a McAfee Network Security Platform Deployment
- Choosing a Deployment Option
- Deployment Requirements and Recommendations
- NSM Server Requirements
- NSM Client Requirements
- Windows Display and Browser Settings
- Virtual Server Minimum Requirements
- Virtual Machine Requirements
- NSP 8X Sensor Support
- NSP Server Ports
- Desktop Firewall Requirements
- Using Anti-virus Software with the NSM
- Wireshark
- Single and Central NSM Deployment
- Determining Database Requirements
- Sensor Deployments
- Determining Sensor Placement
Determining Number of Sensors
- High Availability and Disaster Recovery
- Implementation Process Checklist
Module 4: Getting Started
- Logging into Manager Interface
- Manager Installation Wizard
- Verifying Access to Manager Interface
- Operational Monitors
- Security Monitors
- Navigating Manager Interface
- Managing Dashboard Monitors
- Setting up Basic Features
- Manager Disaster Recovery (MDR) Overview
- Configuring MDR Pair
- Central Manager Overview
- Defining Trust with Central Manager Proxy Server
- Configuring Proxy Server
- IPS Event Notification Overview
- Viewing Summary of IPS Events
- Simple Network Management Protocol (SNMP) Overview
- Configuring SNMP Notification
- Syslog Notification Overview
- Configuring Syslog Notification
- E-mail Server and Notification Overview
- Configuring E-mail Server and Notification
- Configuring Script Notification
- Fault Notification Overview
- Configuring Fault Notification
- Configuring Common Settings for Faults
- Access Events Notification Overview
- User Activity Overview
- Configuring User Activity: SNMP
- Configuring User Activity: Syslog
- Global Threat Intelligence Overview
- GTI Integration Requirements
- Enabling GTI Integration
Module 5: User Management
- User Management Overview
- Minimum Account Configuration
- Role Assignment Overview
- Viewing Roles and Privileges
- Editing the Default Root Admin User
- Adding, Editing, and Deleting Users
- Verifying User Credentials
- Creating a Custom Role
- Assigning Domains and Roles
- Managing My Account
- Managing GUI Access
- Viewing User Activity
- Configuring Banner Text and Image
- Configuring Session Controls
- Configuring Password Controls
- Specifying Audit Settings
- Authentication
- Summary of Authentication Configuration
- LDAP External Authentication
- Configuring LDAP (Up to 4 Servers)
- Assigning LDAP Authentication
- RADIUS External Authentication
- Configuring RADIUS External Authentication
- Assigning RADIUS Authentication
Module 6: Administrative Domains
- Administrative Domains Overview
- Admin Domain’s Hierarchical Structure
- How Admin Domains Work
- Managing Admin Domains
- Editing the Root Admin Domain
- Adding a Child Admin Domain
- Adding Users to a Child Domain
Module 7: Network Security Sensor Overview
- M-Series Sensor Portfolio
- NS-Series Sensor Portfolio
- Virtual IPS-series Sensor Portfolio
- Primary Function of Sensor
- Respond
- Inspect
- Classify
- Capture
- Virtualization (Sub-Interfaces)
- Secure Socket Layer (SSL) Decryption
- Acceleration and Operation
- Operating Modes
- Fail-close and Fail-Open (In-line Only)
- Multi-Port Monitoring
- Interface Groups (Port Clustering)
- High Availability
- Large Networks: Perimeter, Core, Internal Placement
- Best Practices
Module 8: Network Security Sensor Overview
- Installing Physical Sensors
- Installing Virtual Sensor
- Managing Sensors
- Devices Page: Global Tab
- Devices Page: Device Tab
- Installing Sensors in Manager
- Establishing Trust
- Downloading Signature Sets
- Reviewing Device Summary
- Viewing/Editing Physical Ports
- Port Types
- Name Resolution
- Network Time Protocol (NTP)
- Proxy Server
- Activity Reports and Logs Review
- CLI Logging
- IPS Event Logging
- Alerting Options
- Remote Access: TACACS+
- Remote Access: NMS Users and Devices
- Customizing Logon Banner
- Special Configurations
- High Availability
- ATD Integration Overview
- DXL Integration Overview
- Maintenance
- Deploying Pending Changes
- Deploying Device Software
- Troubleshooting
- Performance Monitoring
Module 9: Virtualization
- Virtualization (Sub-interfaces) Overview
- Valid interface Types
- Before and After
- VLAN and CIDR Logical Configuration
- Bridge VLAN
- Policy Application
- Determining Direction
- VLAN Tagging
- Double-VLAN Tagging
- CIDR Block Options
- Configuring VLAN Virtual Interface
- Configuring CDIR Virtual Interface
- Configuring Bridge VLAN Virtual Interface
- VLAN Sub-Interface Configuration
- CDIR Sub-Interface Configuration
Module 10: Policies Configuraion
- Intrusion Prevention Overview
- What are Policies?
- Policy Terms and Concepts
- Signatures
- Attack Definitions
- Types IPS Policies
- Policy Assignment
- Inheritance
- How Policies are Applied
- Policy Management Overview
- Adding IPS Policy for Admin Domain
- Copying or Editing IPS Policy for Admin Domain
- Deleting IPS Policy for Admin Domain
- Adding IPS Policy for Interface
- Editing IPS Policy for Interface
- Using IPS Policies Page
- Defining Properties
- Viewing Attack Definitions
- Assigning Policies
- Using Policy Manager
- Interfaces Tab
- Deploying Changes
- Managing Policy Versions
- Deleting Policy
- Policy Import and Export
- Managing Legacy Reconnaissance Policies
- Reconnaissance Attack Settings Merge Utility
Module 11: Policy Customization
- How Attacks Definitions Work
- Traffic Processing and Analysis
- Attack Definitions Tab
- Attack Categories and Severity
- Attack Protection Categories
- Attack Definitions Tab: Customizing Your View
- Attack Definitions Tab: Quick Search, Sort, Columns, Groups, Filters, and Detail
- Attacks Detail Pane: Description
- Benign Trigger Probability (BTP)
- Attacks Detail Pane: Settings Tab
- Managing Policy Groups
Module 12: Threat Explorer
- Analyzing Threats
- Customizing Threat Analyzer View
- Analyzing Source and Destination IP Addresses
- Top Attacks
- Top Attackers
- Top Targets
- Top Applications
- Top Attack Executables
- Top Malware
- Guidelines
Module 13: Advanced Malware Protection
- Advanced Malware Detection Overview
- Malware Engines
- Policy Management Overview
- Advanced Malware Policies Configuration Overview
- Using Advanced Malware Policies Page
- Using Policy Manager
- Malware Policy Parameters
- File Types
- Blacklist/Whitelist Engine
- TIE/GTI File Reputation Engine
- PDF and Flash Analysis Engines
- Gateway Anti-Malware Engine
- ATD Engine
- McAfee Cloud Engine
- Malware Engine Analysis Sequence
- Confidence Level
- Action Thresholds
- Analyzing Malware
- Malware Analysis Overview
- Top Malware Detections Monitor
- Malware Detections Page
- Archiving Malware Files
- Best Practices
Module 14: Advanced Botnet Detection
- Advanced Botnet Detection Overview
- Zero-day and Targeted Botnet Detection
- Heuristics
- Examples of Implemented Heuristics
- Known Botnet Detection
- C&C Server/Callback Detection
- DNS Response Packet Inspection
- Whitelisted and Blacklisted Domains Detection
- Example: Blacklist Domain Detection
- Inspection Options Policies
- How Inspection Option Policies Work
- Policy Management Overview
- Inspection Options Policies Configuration Overview
- Properties Tab
- Inspection Options Tab
- Configuring Traffic Inspection
- Configuring Advanced Botnet Detection
- Advanced Botnet Detection Options
- Legacy Malware Detection Options
- Assigning Policies to Sensor Resources
- Deploying Changes
- Analyzing Botnets
- Top Active Botnets Monitor
- Active Botnets Page: Organization
Module 15: Denial of Service Configuration
- Module 15: Denial of Service Attacks
- Evolution of DoS Attacks
- Types of DoS Attacks
- Volume-based Attacks
- DoS Learning Mode
- DoS Learning Attacks
- Customizing DoS Learning Attack
- Managing DoS Learning Profiles
- DoS Threshold Mode
- Configuring Thresholds for Volumebased Attacks
- Connection Limiting Policies
- Adding Connection Limiting Policy
- Rate Limiting (QoS Policies)
- QoS and Rate Limiting Configuration Overview
- Adding QoS Policy
- Configuring Rate Limiting Rules
- Protocol Settings
- Configuring Protocol Settings
- Anti-Spoofing
- Stateful TCP Engine
- DNS Protection Command
- Case Studies
Module 16: Endpoint Reputation
- Global Threat Intelligence Review
- IP Reputation
- Policy Management Overview
- IP Reputation Configuration Overview
- Endpoint Reputation Analysis Options
- Deploying Changes
Module 17: Web Server Protection
- Web Server Protection Overview
- How Web Server Heuristic Analysis Works
- Policy Management Overview
- Heuristic Web Application Server Inspection Configuration Overview
- Prerequisite: SSL Decryption
- Private SSL certificates
- Prerequisite: Required Attacks
- Configuring Web Server Heuristic Analysis
- DoS Protection for Web Servers
- Layer 7 DoS Protection for Web Servers
- Web Server – DoS Prevention Configuration Overview
- Configuring Web Server – DoS Prevention
- Assigning Policies to Sensor Resources
Module 18: Firewall Policy Configuration
- Firewall Policy Overview
- Managing Firewall Policies
- Prerequisite: SSL Decryption
- Using Firewall Policies Page
- Using Policy Manager
- Rule Objects Overview
- Adding Rule Object
- Stateless Access Rules
- User-based Access Rules
- Application Identification
- Policy Export and Policy Import
- Firewall Access Logging
- Firewall Access Events
- Firewall Policy Definitions Configuration Report
Module 19: Threat Analyzer
- Threat Analyzer Overview
- Launching Threat Analyzer
- Menu Bar
- Dashboard Page
- NSP Health Dashboard
- Viewing Details for Pie Slice
- Deploying Pending Changes
- IPS Dashboard
- Viewing Details for Pie Slice
- Viewing Attacks Over Time
- Viewing Consolidated Attacks
- NTBA Dashboard
- Applications and GTI View Dashboard
- Adding Dashboards and Monitors
- Customizing the Dashboard Tabs
- Adding a Dashboard
- Adding a Monitor
- Alerts Page
- Viewing Alert Detail
- Managing Alerts
- Right-click Options
- Example Ignore Rule
- Endpoints Page
- Forensics Page
- Preferences Page
Module 20: Policy Tuning
- What is Tuning?
- Why Implement Tuning?
- Prior to Tuning
- Two Phases of Policy Tuning
- False Positives and Noise
- Identifying False Positives
- Steps for Reducing False Positives
- Preventing False Positives
- Start with High-Volume Attacks
- Looking for Patterns
- Preventing Future False Positives
- Disabling Attacks and Alerts
- Adding Low Severity Attacks to Process
- Excessive Alerts
- High-Level Bottom-up Approach
- Analyzing Event
- Sorting by Attack Name
- Case Studies
Module 21: Report Generation
- Reports Overview
- Role Assignment
- Reporting Preferences
- Configuration Reports Overview
- Running Configuration Report
- Next Generation Reports Overview
- Running Default Next Generation Report
- Adding, Duplicating, Editing Next Generation Report
- Traditional Reports Overview
- Running a Traditional Report
- Adding User Defined Report
- Configuring Report Automation
- Viewing Automatically-Generated Reports
Module 22: Operational Status
- Operational Monitors Overview
- Device Summary Monitor
- Manager Summary
- Messages from McAfee Monitor
- Running Tasks Monitor
- System Health Monitor
- Managing Faults
- Viewing Manager Faults from Dashboard
- Viewing Device Faults from Dashboard
- Viewing Faults from Manage Page
- Alert Relevance
- Viewing Alert Relevance
- System Log
- Viewing System Log
- Exporting System Log
- Running Tasks
- Viewing User Activity Log
Module 23: Database Maintenance
- Maintenance Overview
- Archiving Malware Files
- Backing Up Data
- Automating Database Backup
- Viewing Scheduler Detail
- Exporting Backup Files
- Deleting Backup Files
- Database Tuning Overview
- Tuning Now
- Automating Tuning
- Enabling and Defining Alert Pruning
- Calculating Maximum Alert Quantity
- Configuring File and Database Pruning
- Data Archiving
- Archiving Data Now
- Automating Archiving Data
- Export Archives
- Restoring Archive
Target Audience
- System and network administrators, security personnel, auditors, and/or consultants concerned with network and system security should take this course.
Prerequisites
- It is recommended that students have a working knowledge of Microsoft Windows administration, system administration concepts, a basic understanding of computer security concepts, and a general understanding of Internet services.