McAfee Network Security Platform
Active Fail-Open Kit Quick Start Guide
Revision B
McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, at times a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. At such times you might want traffic to continue passing without interruption. For this requirement you can use an external device called a fail-open switch. A fail-open switch is either an active fail-open switch or a passive fail-open switch.
An active fail-open switch constantly monitors the Sensor state by sending a heartbeat signal through its ports. The heartbeat is sent out through one of the Monitor ports and received back through the other; a returned heartbeat indicates that the Sensor is functioning normally.
The table below shows the models of active fail-open switches and the Sensor models each one supports.

Fail-open switch | SKU | NS-9x00 | NS-7x00 | M-8000, M-6050 | M-4050, M-3050 | M-2950, M-2850
Active-Fiber (850 nm) 10G (62.5 µm) | IAC-AF85010-KT1 | Yes | Yes | Yes | Yes | No
Active-Fiber (1310 nm) 10G (8.5 µm) | IAC-AF131010-KT1 | Yes | Yes | Yes | Yes | No
Active-Fiber (850 nm) 1G (62.5 µm) | IAC-AF85062KT1 | Yes | Yes | Yes | Yes | Yes
Active-Fiber (1310 nm) 1G (8.5 µm) | IAC-AF131085-KT1 | Yes | Yes | Yes | Yes | Yes
Active-Copper 10/100/1000 module | IAC-AFOCG-KT2 | Yes | Yes | Yes | Yes | Yes
Active Fail-Open Chassis | IAC-AFOCH-KT2 | Yes | Yes | Yes | Yes | Yes
You must also make sure you have the requisite SFPs, SFP+s, or XFPs for the Sensor ports when making this choice.
Fiber fail-open switches come in two types, single-mode and multi-mode. The table below gives the relevant details about both types of fiber-optic fail-open switches. This matters because you must determine the type of fiber used in your organization's network before you decide which type of fail-open switch to use; the product documentation for fail-open kits and the decals on the fail-open switches refer to these parameters repeatedly. The table below shows the differences between single-mode and multi-mode fiber specifications.
Type | Fiber core diameter | Wavelength range
Single mode (Long reach) | 8.5 µm | 1300 nm to 1550 nm
Multi-mode (Short reach) | 50 µm or 62.5 µm | 850 nm to 1300 nm
For more details about fail-open kits, refer to the chapter Fail-Open operation in Sensors in the McAfee Network Security Platform IPS Administration Guide. Because this Quick Start Guide refers to information in that chapter, keep a copy of it easily accessible before you begin installing and configuring your fail-open switch.
Working
To begin with, the Sensor and the fail-open switch need to be cabled to each other. The Sensor ports are then configured for fail-open operation. For details about configuring the Sensor monitoring ports, refer to the section Configure Sensor Monitoring Ports.
After the Sensor and fail-open switch are connected and configured, the switch begins to send a heartbeat signal to the Sensor. Each heartbeat signal, once sent, returns from the Sensor to the fail-open switch. When the fail-open switch does not receive this response from the Sensor for a specified period, the switch removes the Sensor from the data path and begins to route traffic to the network through its own ports.
A 1G fiber or a copper fail-open switch sends a heartbeat signal every second. When the fail-open switch does not receive a response for 3 seconds, it changes its working mode to "unknown" and begins to route traffic through itself.
A 10G fiber fail-open switch sends a heartbeat signal every 10 milliseconds (ms). If the fail-open switch does not receive a response from the Sensor for 100 ms, it removes the Sensor from the data path and begins to route traffic through its own ports.
While the switch is in bypass, traffic crosses the segment uninspected: the 3 s or 100 ms detection window plus the whole time the Sensor is down is a period in which the IPS enforces nothing. Treat the bypass SNMP trap and the Manager health alert as events to investigate, not only as connectivity notices.
1 Inside the box
Every fail-open kit consists of a similar set of components. Although the cables and the switch module vary from one model to another, the list of items in the kit stays the same. The table below lists the items.

Qty | Item | Description
1 | Fail-Open switch module | One of: 10/100/1000 Copper fail-open module; 1G 850 nm Fiber (62.5 µm) fail-open module; 1G 1310 nm Fiber (8.5 µm) fail-open module; 10G 850 nm Fiber (62.5 µm) fail-open module; 10G 1310 nm Fiber (8.5 µm) fail-open module
1 | Active Fail-Open switch chassis for four fail-open switches | 1U (1RU) host hardware that holds up to four fail-open switches in a standard rack.
2 | Power supplies and cords for the host system | One power supply acts as the primary and the other as the redundant power supply in case of a failure.
4 | Copper: 3 m RJ-45 to RJ-45 cable; Fiber: 3 m LC-LC cable | Connects the fail-open switch to the network devices and the Sensor. For a fiber fail-open kit, these cables are either single-mode or multi-mode depending on the requirements provided at the time of purchase.
1 | RS232 RJ-11 programming cable | Connects the fail-open switch to a computer to access the switch CLI that is used to configure switch parameters.
2 Install the active fail-open switch and chassis
Before you begin
• Identify the rack in which you plan to install the fail-open chassis.
• If you are using a physical Sensor, make sure that you can physically connect the chassis to the Sensor monitoring ports.
You can install up to four fail-open switches in a single chassis. You can install an active fail-open switch module in the chassis on the fly while the chassis is powered on in the rack.
a. Install the mounting ears on the chassis.
b. Slide the switch into one of the openings in the chassis until the face plate of the switch rests against the chassis.
c. Secure the switch to the chassis by inserting the screws provided through the holes on the fail-open switch face plate and into the panel.
If you are installing a switch while the chassis is powered on, wait 4 seconds after inserting the switch and fastening its screws before proceeding.
d. Place the 1U chassis against the front of a standard 19-inch rack.
e. Secure the chassis by inserting screws through the holes on the ears of the chassis (see the Before you begin instructions for this section).
f. (Optional) Install up to three additional switches:
   a. Remove the screws holding each removable blank plate on the front of the chassis.
   b. Repeat steps b and c of this procedure for each additional fail-open switch.
The fail-open switch is ready to be connected to a Sensor.
3 Remove an active fail-open switch from the chassis
Before you begin
Make sure the fail-open switch is fully powered off before you attempt to remove it from the chassis. Follow the steps in this section to power off and remove the fail-open switch.
a. Power off the fail-open switch using the web interface or the CLI command prompt.
• If you are using the web interface, click the Rescue tab and select the Power Off checkbox in the System Restore section. To access the web interface, refer to Manage the fail-open switch through a web interface.
• If you are using the CLI command prompt, type power_off and press Enter. To access the CLI command prompt, refer to Configure fail-open switch parameters.
b. When the fail-open switch is powered off, remove the captive screws and slide it out of the chassis.
4 Connections with the fail-open switch
To accurately detect attacks, a Sensor must know which traffic comes from outside the network and which from inside. Traffic direction is established through correct cabling of the fail-open switch together with the port configuration of the Sensor monitoring ports in the Manager. The switch LED indicates whether traffic is passing to the Sensor.
Connect the fail-open switch to network devices
[Figure: copper fail-open switch module cabled to an NS9200. Callouts: 1 10/100/1000 Copper fail-open switch module; 2 connection to network device (inside); 3 connection to network device (outside); 4 Sensor monitoring port G3/1 (inside); 5 Sensor monitoring port G3/2 (outside); 6 Sensor monitoring ports on an NS9200.]
The steps below apply to both copper and fiber fail-open switches.
a. Plug the inside network cable into the Cat 5/Cat 5e/LC port labeled Network 0 or Net 0 (copper) or Network A, marked with a triangle (fiber), on the fail-open switch.
b. Plug the other end of this cable into the corresponding network device.
c. Plug the outside network cable into the Cat 5/Cat 5e/LC port labeled Network 1 or Net 1 (copper) or Network B, marked with a triangle (fiber), on the fail-open switch.
d. Plug the other end of this cable into the corresponding network device.
The fail-open switch is now connected to the network devices for the inside and outside networks. Your next step is to connect the fail-open switch to the Sensor.
(Either) Connect a copper fail-open switch
Before you begin
• You will require two Cat 5/Cat 5e Ethernet cables to connect your fail-open switch to the Sensor.
• You will require two copper SFPs inserted into two corresponding blank ports on the Sensor. For details about your Sensor, refer to the Sensor Product Guide for the appropriate model.
a. Connect a Cat 5/Cat 5e Ethernet cable (inside) to the copper SFP in port Gx/a or xA, where x and a are port numbers.
b. Connect the other end of the cable to the port labeled Port 0 on the fail-open switch.
c. Connect a Cat 5/Cat 5e Ethernet cable (outside) to the corresponding Gx/b or xB peer port. (For example, if you used G1/1 in step a, plug the cable into port G1/2.)
d. Connect the other end of the cable to the port labeled Port 1 on the fail-open switch.
With this cabling, Sensor monitoring port G1/1 sees traffic as originating inside the network, and port G1/2 sees traffic as originating outside the network. This assignment (G1/1 = inside, G1/2 = outside) must match the Placement configured for these ports on the Sensor in the Manager; if the cabling and the port configuration disagree, the Sensor inspects traffic with inside and outside swapped.
(Or) Connect a fiber fail-open switch
Before you begin
• You will require two LC-LC cables to connect your fail-open switch to the Sensor.
• If you are connecting a 1-Gigabit fail-open switch, you will require two fiber SFPs inserted into two corresponding blank ports on the Sensor.
• If you are connecting a 10-Gigabit fail-open switch, you will require two fiber XFPs/SFP+s inserted into two corresponding blank ports on the Sensor. For details about the SFP/XFP/SFP+ compatible with your Sensor, refer to the Sensor Product Guide for the appropriate model.
a. Connect an LC-LC cable to the LC receptacle of port Gx/a or xA, where x and a are the corresponding 1-Gigabit or 10-Gigabit port numbers.
b. Connect the other end of the LC cable to the LC receptacle labeled Monitor A on the fail-open switch.
c. Connect an LC-LC cable to the corresponding Gx/b or xB peer port. (For example, if you used G1/3 in step a, plug the cable into port G1/4.)
d. Connect the other end of this cable to the port labeled Monitor B on the fail-open switch.
With this cabling, Sensor monitoring port G1/3 sees traffic as originating inside the network, and port G1/4 sees traffic as originating outside the network. This assignment (G1/3 = inside, G1/4 = outside) must match the Placement configured for these ports on the Sensor in the Manager; if the cabling and the port configuration disagree, the Sensor inspects traffic with inside and outside swapped.
5 Configure fail-open switch parameters
You can configure various parameters on your fail-open switch. All configuration options, status, and statistics are accessible from the fail-open switch Command Line Interface (CLI). After you have configured the basic network settings (IP address, gateway, and subnet mask) you can also reach the fail-open switch over SSH. SSH is enabled on every fail-open switch by default and can be disabled through the CLI.
Your fail-open switch only supports IPv4 addresses.
The login credentials below are factory defaults printed in this guide, so anyone who can reach the management port knows them. Put the management port on a restricted management network, and disable SSH (set_ssh_state off) and web access (set_web_https_state off) when you do not use them.
The steps below explain how to configure the parameters of your fail-open switch.
a. Connect an RJ-11 cable to the front of the module.
b. Connect the other end to a computer running terminal emulation software such as HyperTerminal or PuTTY.
c. Launch the terminal emulation software and set the communication parameters as follows:
• Baud rate: 9600 (it is recommended not to alter the baud rate of the Management port)
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
d. Power up the fail-open switch.
The CLI banner and login prompt appear.
e. At the login prompt, type McAfee00 and press Enter.
f. At the password prompt, type McAfee00 and press Enter.
The fail-open switch CLI prompt appears.
g. Configure or modify the parameters for fail-open switch access and its ports using these commands.

Command | Description
set_ip xxx.xxx.xxx.xxx | Configures the fail-open switch IPv4 address. Reboot the fail-open switch for the new IPv4 address to take effect.
set_netmask xxx.xxx.xxx.xxx | Configures the fail-open switch subnet mask. Reboot the fail-open switch for the new subnet mask to take effect.
set_gateway xxx.xxx.xxx.xxx | Configures the default gateway IPv4 address. Reboot the fail-open switch for the new gateway address to take effect.
set_link <port> <on/off> | Turns auto-negotiation on or off for a port of a 1G Copper fail-open switch. For <port> use mon0, mon1, net0, or net1.
set_link <port> off fd 100m | Sets the port to 100 Mbps full-duplex with auto-negotiation off. For <port> use the values specified above.
set_link <port> <enable/disable>_autoneg | Enables or disables auto-negotiation for a port of a 1G Fiber fail-open switch. For <port> use mon0, mon1, net0, or net1. 10G Fiber fail-open switches do not have this command, since auto-negotiation is enabled by default.
h. Configure or modify other settings of the fail-open switch using these commands.

Command | Description
set_ssh_state <on/off> | Enables or disables SSH access to the fail-open switch.
set_web_https_state <on/off> | Enables or disables web access to the fail-open switch interface.
set_snmp_srv_ip | Configures the SNMP server IPv4 address. The SNMP server IPv4 address can also be set in the web interface.
set_trap <parameter> <on/off> | Enables or disables the following SNMP traps: appl fail (application state change); net link (network port state change); bypass (bypass state change); error (error notification); mon link (monitoring port state change); update (update complete).

i. View the essential fail-open switch parameters using these commands. If the fail-open switch parameters have never been configured before, you will see the factory settings.

Command | Description
get_ip | Displays the fail-open switch IPv4 address.
get_netmask | Displays the fail-open switch subnet mask.
get_gateway | Displays the default gateway address.
get_ssh_state | Displays the SSH status, which is enabled by default.
get_snmp_srv_ip | Displays the SNMP server IPv4 address.
get_params | Displays the fail-open switch parameters.
get_web_https_state | Displays the status of web access to the fail-open switch interface.
get_link <port> | Displays the port status. For <port> use mon0, mon1, net0, or net1.
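The commands above are typed by hand into the serial console. The following Python script is an added example for this guide (not McAfee code): it builds the command sequence from the two tables and checks the inputs before anything is typed. The switch accepts only IPv4, the gateway must lie in the switch's own subnet, port names and trap names must be ones the CLI documents, and the three network commands require a reboot. The spellings of the set_trap parameters (appl fail, net link, and so on) and the set_link argument forms are taken from the tables; that the CLI accepts them in exactly this form is an assumption. The script does not talk to the switch; it prints a plan you paste into the terminal session and then reads the settings back for the session log.

```python
"""Build a validated fail-open switch CLI command plan.

Added example for this guide (not McAfee code). Command names come from the
tables above; the set_trap parameter spellings and set_link argument forms are
assumed to be accepted by the CLI exactly as the tables print them.
"""
import ipaddress

PORTS = ("mon0", "mon1", "net0", "net1")
TRAPS = ("appl fail", "net link", "bypass", "error", "mon link", "update")
# set_link forms from the guide: 1G copper uses on/off (and "off fd 100m"),
# 1G fiber uses enable_autoneg/disable_autoneg; 10G fiber has no such command.
LINK_FORMS = ("on", "off", "off fd 100m", "enable_autoneg", "disable_autoneg")
REBOOT_COMMANDS = ("set_ip", "set_netmask", "set_gateway")


def build_cli_plan(ip=None, netmask=None, gateway=None, *, ssh=False,
                   https=True, snmp_server=None, traps=(), links=None):
    """Return {"commands": [...], "reboot_required": bool}.

    Checks made before anything is typed:
    - every address must be IPv4 (the switch does not support IPv6);
    - the gateway must be inside the switch's subnet and differ from the switch;
    - port names, link settings and trap names must be ones the CLI documents.
    SSH defaults to off here (the switch ships with it on) because the login
    is a published factory default; turn it back on deliberately if needed.
    """
    cmds = []
    if ip is not None:
        if netmask is None or gateway is None:
            raise ValueError("ip, netmask and gateway are set together")
        addr = ipaddress.IPv4Address(ip)          # raises ValueError on IPv6/junk
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net or gw == addr:
            raise ValueError(f"gateway {gw} is not a usable address in {net}")
        cmds += [f"set_ip {addr}", f"set_netmask {net.netmask}",
                 f"set_gateway {gw}"]

    cmds += [f"set_ssh_state {'on' if ssh else 'off'}",
             f"set_web_https_state {'on' if https else 'off'}"]
    if snmp_server is not None:
        cmds.append(f"set_snmp_srv_ip {ipaddress.IPv4Address(snmp_server)}")
    for name in traps:
        if name not in TRAPS:
            raise ValueError(f"unknown trap {name!r}; expected one of {TRAPS}")
        cmds.append(f"set_trap {name} on")
    for port, setting in (links or {}).items():
        if port not in PORTS or setting not in LINK_FORMS:
            raise ValueError(f"bad link setting {port}={setting!r}")
        cmds.append(f"set_link {port} {setting}")

    # Read everything back so the terminal log records the applied state.
    cmds += ["get_ip", "get_netmask", "get_gateway", "get_ssh_state",
             "get_web_https_state", "get_snmp_srv_ip", "get_params"]
    cmds += [f"get_link {p}" for p in PORTS]

    reboot = any(c.split()[0] in REBOOT_COMMANDS for c in cmds)
    return {"commands": cmds, "reboot_required": reboot}


if __name__ == "__main__":
    # Constructed example values (documentation address ranges), not a deployment.
    plan = build_cli_plan("192.0.2.10", "255.255.255.0", "192.0.2.1",
                          snmp_server="192.0.2.50", traps=("bypass", "error"),
                          links={"net0": "on", "net1": "on"})
    print("\n".join(plan["commands"]))
    if plan["reboot_required"]:
        print("# reboot the switch for IP, netmask and gateway to take effect")
```

A plan that only toggles SSH or HTTPS reports reboot_required as False, so you can tell from the plan whether the change interrupts the management path; a plan that sets the address always ends with a reboot, during which the management interface is unavailable.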
6 Configure Sensor Monitoring Ports
Before you begin
• The Sensor must be set up with trust established with a Manager server.
• The Sensor must have a free port pair that can be deployed in in-line fail-open mode.
• It is assumed that you inserted the necessary transceiver modules into the Sensor when you cabled the Sensor and fail-open switch.
When you set up a Sensor for the first time, its ports are disabled by default. The Sensor ports must be manually configured for in-line fail-open operation.
a. In the Manager, go to Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
b. Double-click one of the configurable ports, say G2/1.
A configuration panel appears on the right side of the window.
c. Click the State drop-down and select Enabled.
You are asked whether you want to proceed, since this configuration also affects port G2/2.
d. Click Yes to proceed.
This enables the port pair G2/1-G2/2.
e. Select the Auto Negotiate checkbox and make sure the Speed (Duplex) is set to 1 Gbps (Full).
f. Click the Mode drop-down and select In-line Fail-Open – Active.
g. Click the Placement drop-down and select Inside Network or Outside Network, depending on how you cabled the ports.
McAfee recommends choosing Gx/1 or xA as Inside Network and Gx/2 or xB as Outside Network. The Placement must match the physical cabling described in Connections with the fail-open switch.
h. Click Save.
The Sensor and fail-open switch are set up. When traffic passes through the ports, the port link status changes to Up and turns green.
7 Manage the fail-open switch through a web interface
If you have configured an IPv4 address for your fail-open switch, you can also manage it through its web interface.
a. In a web browser, enter the IPv4 address that you configured for the fail-open switch.
The fail-open switch logon screen appears.
b. To log on, enter the default username and password, McAfee00 and McAfee00.
You are taken to the fail-open switch web interface landing page, which shows the settings currently configured on the fail-open switch. Configuration of the necessary settings is explained in the relevant sections.
The web interface uses the same factory default credentials as the CLI. Allow access to it only from your management network, and turn it off with set_web_https_state off when it is not in use.
8 Enable tap mode for the fail-open switch
Before you begin
• Configure an IPv4 address for your fail-open switch.
• Make sure you can access the fail-open switch web interface using a web browser.
You can enable tap mode on your active fail-open switch if you use a tap to route network traffic to the Sensor monitoring ports.
a. Log on to the web interface of the active fail-open switch.
Use the default credentials to access the web interface. For more information about the web interface, refer to Manage the fail-open switch through a web interface.
b. Click the Bypass tab to access the Bypass configuration page.
c. Click the HB active mode drop-down menu and select Off.
d. In the Active bypass section, select tap.
e. Click Apply to save your configuration.
You have set your active fail-open switch to tap mode of operation. With HB active mode set to Off, the switch no longer sends heartbeats to the Sensor, so the switch does not monitor the Sensor's state in this mode.
Return from tap mode to inline mode
a. Click the Bypass tab to access the Bypass configuration page.
b. Click the HB Active mode drop-down menu and select On.
c. Click Apply to save your configuration.
You have reconfigured your fail-open switch to run in inline mode of operation.
9 Configure notification by SNMP traps
Before you begin
• To configure SNMP traps, you need a server that acts as the SNMP server (trap receiver). The SNMP server can be any Windows or Linux system with a MIB browser such as iReasoning installed.
• Make sure the fail-open switch IP address is reachable within the network.
• Make sure your SNMP server and fail-open switch can communicate.
• You also need the MIB files to decode the alert codes sent by the fail-open switch. These files are specific to the fail-open switch and can be obtained by contacting Technical Support.
The SNMP feature of your fail-open switch can only be used to send notifications through SNMP traps.
a. Connect an RJ-45 cable to the Management port at the back of the fail-open switch.
b. Connect the other end to a network device so that the SNMP server is reachable through the network.
c. Copy the fail-open switch MIB files to a suitable location on the SNMP server.
d. Set up the fail-open switch IP address, network mask, and SNMP manager IP address by logging on to the web interface. For details about logging on to the web interface, refer to Manage the fail-open switch through a web interface.
You can also configure other parameters specific to SNMP traps from the CLI. For details about these commands, refer to Configure fail-open switch parameters.
e. On the web interface, click the SNMP tab.
The SNMP configuration page appears.
f. To configure the SNMP server IPv4 address, enter it in the Server IP field.
The credentials used for the traps are the default credentials of the fail-open switch.
g. (Optional) If you want to configure multiple SNMP trap accounts, in the SNMP trap account section select set from the Operations drop-down.
If you do not configure additional SNMP trap accounts, all traps are sent to the main SNMP trap account you set up here.
h. Enter the IPv4 address for the other account.
i. (Optional) You can specify an alternate SNMPv3 password for the additional SNMP server.
SNMP community strings are used only by devices that support the SNMPv1 and SNMPv2c protocols. SNMPv3 uses username and password authentication along with an encryption key. You can configure a community string if the SNMP software you use requires one, regardless of the requirements in this user interface.
j. Click Apply to save your configuration.
k. On the SNMP server, configure these settings to enable SNMPv3 traps from the active fail-open kit:
• USM user: McAfee00
• Auth password: McAfee00
• Security level: auth, priv
• Privacy algorithm: AES
• Auth algorithm: SHA
• Privacy password: McAfee00
l. Load the MIB file. If you do not have the appropriate MIB file, contact McAfee Support.
m. Make sure the SNMP server and fail-open switch can communicate through the network.
You have configured your active fail-open switch to send SNMP traps to an SNMP server, with the option of multiple SNMP trap accounts. Access the SNMP server to view the traps.
Because the SNMPv3 authentication and privacy passwords listed in step k are the published defaults, the traps authenticate the sending device only weakly: anyone who knows these defaults can produce a trap your receiver accepts. Use the alternate SNMPv3 password option in step i where your receiver supports it, and confirm a reported bypass against the Manager health status before acting on it.
10 Verify your installation
Follow these steps to make sure your setup is working as designed.
a. Check the icons in the Manager beside the ports you configured as In-line Fail-Open – Active. They must show Up.
b. Check the Bypass LED on the Sensor.

LED status | Description
ON | The Sensor is in inline fail-open, inline fail-closed, SPAN, or TAP mode.
OFF | The Sensor is in bypass mode.

c. Check the PWR LEDs on the chassis. Depending on which power source you use, the corresponding PWR LED glows.
d. Check the port status and operating mode status of the GE in-line fail-open ports.
The fail-open switch module LEDs show normal mode while the Sensor ports are operating normally, and bypass mode when the Sensor ports have gone down.

Item | Description
NRM | Glows green when the Sensor is in normal mode of operation.
WDT | Watch dog timer. The Watch Dog Timer LED always blinks amber, whether the fail-open switch is in normal or bypass mode. The blink indicates that the heartbeat pulse is being sent through the fail-open connection. The watchdog timer always blinks, even when the fail-open switch is bypassing the Sensor, because it is always sending and listening for the correct heartbeat state from the Sensor monitoring ports.
BYP | Glows red when the fail-open switch is in bypass mode of operation.
11 Troubleshooting
During normal in-line fail-open operation of the Sensor, the fail-open switch constantly sends a heartbeat signal to the Sensor. If this signal does not return to the fail-open switch within the programmed interval, the fail-open switch removes the Sensor from the data path and moves into bypass mode, providing continuous data flow with little network interruption.
While the fail-open switch is in bypass mode, traffic passes directly through it, bypassing the Sensor, and is not inspected. When normal Sensor operation resumes, you might or might not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure.
The following section describes how to return the Sensor to in-line mode.
What happens when a Sensor fails?
When a Sensor fails with a fail-open switch in place, the following events occur in this order.
• The Manager reports a Sensor in bad health or a Port pair is in bypass mode error in the System Health pane.
• The Sensor reboots and the fail-open switch begins forwarding traffic. All traffic now bypasses the Sensor and flows through the fail-open switch with minimal traffic disruption.
A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption ranges from a couple of seconds to more than a minute with certain vendors' devices.
• Upon completion of the reboot, the Sensor resumes its heartbeat, and one of the following occurs:
• If the reboot occurred during normal operation (a reboot not caused by an error), the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line fail-open mode.
• If the reboot occurred because of an error, the Sensor ports are disabled and the fail-open switch continues to bypass the Sensor until the administrator manually re-enables the Sensor ports in the Manager. After the ports are re-enabled, the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line mode. A brief link disruption is likely while the links are renegotiated to place the Sensor back in in-line mode.
• The errors on the Manager disappear and normal health is reported.
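The heartbeat timing from the Working section (a 1 s interval with a 3 s timeout for 1G and copper switches, a 10 ms interval with a 100 ms timeout for 10G switches) and the recovery sequence just described can be worked through with the following Python simulation. It is an added example, not McAfee code and not part of this guide. The switch firmware's decision rule is not published here, so the rule "bypass once the time since the last returned heartbeat reaches the timeout; put the Sensor back in line on the first heartbeat that returns" is a model of the behaviour the guide describes, and the Sensor outage timings are constructed. The simulation shows how long traffic flows uninspected after a Sensor reboot and why a reboot caused by an error leaves the switch in bypass until an administrator re-enables the ports in the Manager.

```python
"""Model of the active fail-open switch heartbeat watchdog.

Added example (not McAfee code). Times are integer milliseconds so that the
10 ms profile is exact. The interval and timeout values are the ones stated in
this guide; the decision rule is an assumption about the switch firmware.
"""

# profile -> (heartbeat interval ms, bypass timeout ms), from the guide
PROFILES_MS = {
    "1g_or_copper": (1000, 3000),
    "10g_fiber": (10, 100),
}


def sensor_model(down_at, reboot_done_at, ports_reenabled_at=None):
    """Constructed Sensor behaviour: heartbeats loop back until down_at,
    nothing returns during the reboot, and after reboot_done_at they loop
    back again. ports_reenabled_at=None models a reboot during normal
    operation (the ports come back on their own); a time models a reboot
    caused by an error, where the ports stay disabled until an administrator
    re-enables them in the Manager at that time."""
    def echoes(t_ms):
        if t_ms < down_at:
            return True
        if t_ms < reboot_done_at:
            return False
        return ports_reenabled_at is None or t_ms >= ports_reenabled_at
    return echoes


def simulate(profile, duration_ms, echoes):
    """Run the watchdog; return [(time_ms, "bypass" | "normal"), ...].

    Each tick the switch sends one heartbeat. If it comes back, that is the
    new last-good time, and a bypassed switch puts the Sensor back in line.
    If it does not, the switch bypasses once timeout ms have elapsed since
    the last heartbeat that came back."""
    interval, timeout = PROFILES_MS[profile]
    mode, last_echo, events = "normal", 0, []
    for t in range(0, duration_ms + 1, interval):
        if echoes(t):
            last_echo = t
            if mode == "bypass":
                mode = "normal"
                events.append((t, "normal"))
        elif mode == "normal" and t - last_echo >= timeout:
            mode = "bypass"
            events.append((t, "bypass"))
    return events


def uninspected_ms(events, end_ms):
    """Total time the switch spent in bypass (traffic flowing uninspected)."""
    total, start = 0, None
    for t, state in events:
        if state == "bypass":
            start = t
        elif start is not None:
            total += t - start
            start = None
    if start is not None:          # still bypassed at the end of the run
        total += end_ms - start
    return total


if __name__ == "__main__":
    # Constructed scenario: Sensor drops at 5 s, its reboot completes at 65 s.
    clean = sensor_model(5_000, 65_000)
    for profile in PROFILES_MS:
        ev = simulate(profile, 70_000, clean)
        print(profile, ev, "uninspected ms:", uninspected_ms(ev, 70_000))
    # Same outage, but the reboot was caused by an error: the ports stay
    # disabled until an administrator re-enables them at 120 s.
    errored = sensor_model(5_000, 65_000, ports_reenabled_at=120_000)
    ev = simulate("1g_or_copper", 130_000, errored)
    print("error reboot", ev, "uninspected ms:", uninspected_ms(ev, 130_000))
```

In the constructed scenario the 1G profile enters bypass 3 s after the last good heartbeat and the 10G profile after 100 ms; both return to normal the moment the rebooted Sensor echoes again. In the error case the bypass lasts until the administrator's action, not until the reboot finishes, which is why the "Port pair is in bypass mode" alert should be followed by a check of the port state in the Manager rather than a wait for the Sensor to come back.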
Common problems and solutions
This section lists some common installation problems and their solutions.

Problem | Possible cause | Solution
Network or link problems. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the fail-open switch.
Sensor LED is off. | The Sensor is turned off. | Restore Sensor power.
Sensor LED is off. | The Sensor port cable is disconnected. | Check the Sensor cable connections.
Sensor is operational, but is not monitoring traffic. | Network device cables have been disconnected. | Check the cables and ensure that they are properly connected to both the network devices and the fail-open switch.
Sensor is operational, but is not monitoring traffic. | The Sensor ports have not been enabled on the Sensor. | Ports are disabled on a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.
Runts or giants errors on switches and routers. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the fail-open switch.
The system fault "Switch absent" appears on the Operational Status page of the Manager. | Improper cabling. | Ensure that the transmit and receive cables are properly connected to the fail-open switch.
Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-4420B00