New features

This release of Network Security Platform includes the following new features:

Suricata Snort support

McAfee Snort engine is the existing Snort engine available in Network Security Platform that performs attack detection. With release 9.2, you can use Suricata Snort engine as well. The Suricata Snort engine provides a dedicated Snort environment which supports most of the third-party Snort constructs that are available in the public domain. This allows you to import most of the custom and third-party Snort rules without modification.

To select the Snort engine at the admin domain level, go to Devices | <Admin Domain Name> | Global | IPS Device Settings | Advanced Device Settings.

To select the Snort engine at the device level, go to Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Advanced | Advanced Device Settings.

The Advanced Device Settings page at the global and device levels allows you to select the Snort engine you prefer to use.

Note: McAfee Snort engine is selected by default.

For more information on the supported constructs, see McAfee Network Security Platform 9.2 Custom Attack Definitions Guide.

Outbound SSL decryption

As web content increasingly becomes encrypted with SSL, so does the need to inspect and analyze encrypted traffic. Network Security Platform IPS Sensors are equipped to decrypt SSL packets for inspection and respond in case of an attack.

For outbound SSL traffic, when an internal client connects to an external server over SSL, the Sensor acts as a proxy between the client and the server. The Sensor intercepts the client request and opens its own connection to the server on the client's behalf. The server answers with its certificate, which the Sensor validates against the Trusted CA Certificates. The Sensor then presents the client a copy of the server certificate that it has re-signed with a trusted re-signing certificate. The result is two SSL sessions, client to Sensor and Sensor to server, with the cleartext available for inspection in between.

You can enable outbound SSL decryption at the domain level or the device level.

Note: You must first purchase a license to enable the outbound SSL decryption feature. To obtain one, contact MB Licensing; the license is sent by email from MB Licensing. The 9.2.5.25 Sensor software version required for outbound SSL decryption is available under Patches and Downloads in the Service Portal. If you are a first-time user, register with your email ID and Grant Number to log in to the portal.

To enable outbound SSL decryption at the domain level, go to Devices | <Admin Domain Name> | Global | IPS Device Settings | SSL Decryption.

To enable outbound SSL decryption at the device level, go to Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | SSL Decryption.

Notes:

  • You can configure Outbound SSL only on NS9100, NS9200, NS7200, and NS7300 Sensor version 9.2 or later.
  • To enable outbound SSL decryption, you will require a license. Send a mail to MB Licensing to receive a license.
  • You must first upgrade to Sensor software version 9.2.5.5 and then upgrade to 9.2.5.25 for using Outbound SSL irrespective of whether you are upgrading your existing deployment or installing 9.2 for the first time.

  • Outbound SSL Decryption is disabled by default.
  • Jumbo frame parsing is automatically disabled when Outbound SSL Decryption is enabled.
  • The Sensor decrypts outbound SSL traffic only on TCP port 443. Outbound SSL Decryption is not supported on non-standard ports.
  • Ensure that trust between the Manager and the Sensor is established using 2048-bit certificates and not 1024-bit certificates.

    If there is a firewall between the Manager and the Sensor, ensure that the ports listed in the table below, which carry the channels established with 2048-bit certificates, are open.

    Port   Protocol   Description
    8506   TCP        Install channel
    8507   TCP        Alert channel
    8508   TCP        Packet log channel

Re-signing Certificates

You have an option to either import your own re-signing certificates or to use the default re-signing certificates bundled with the Manager.

To upload Re-signing Certificates for outbound SSL traffic, go to Devices | <Admin Domain Name> | Global | IPS Device Settings | SSL Decryption | Re-Signing Certificate.

Once the client sends a request to access a secure server using SSL, the Sensor acts as a proxy between the client and the server. The server receives the request from the Sensor and sends its certificate, which the Sensor validates using the Trusted CA Certificates. The Sensor then generates a copy of the server certificate and signs it with a re-signing certificate; this re-signed certificate is what the client receives, so the SSL session between the client and the Sensor is established under the re-signing certificate while the Sensor keeps a separate session with the server. The client therefore only accepts the connection without a warning if the re-signing CA certificate is present in its trust store.

In the Re-Signing Certificates tab you can import your own CA-issued re-signing certificates: a trusted certificate, used for server certificates that passed validation, and an untrusted certificate, used for server certificates that failed validation, so that a client is not shown a trusted certificate for a server the Sensor could not validate.

Trusted CA Certificates

The Trusted CA Certificates tab displays the list of digital certificates issued by CAs which the Sensor uses when validating the certificates from the server. The difference between Re-Signing Certificates and Trusted CA Certificates is as follows:

  • Toward the internal clients it protects, the Sensor stands in for the server and presents a certificate signed with a Re-Signing Certificate. Whether the trusted or the untrusted re-signing certificate is used depends on the result of validating the real server, so the client still learns whether the external server was trustworthy.
  • Toward the external server, the Sensor stands in for the client and uses the Trusted CA Certificates to validate the server's certificate chain.

The Sensor has a default set of trusted CA certificates. You can also import additional trusted CA certificates, for example a private CA that issues certificates for internal or partner servers.

To upload Trusted CA Certificates for outbound SSL traffic, go to Devices | <Admin Domain Name> | Global | IPS Device Settings | SSL Decryption | Trusted CA Certificates.

Note: Trusted CA Certificates can be managed only at the root admin domain.

Various fault messages related to SSL decryption are generated in the System Faults page. To view the faults, go to Manager | <Admin Domain Name> | Troubleshooting | System Faults. For example, an imported re-signing certificate might have become invalid, for instance by expiring; because every decrypted session is presented to the client under that certificate, the client browser then raises a certificate error. For the same reason, the re-signing CA certificate must be deployed to the trust store of every client whose traffic is decrypted, or the browser reports a certificate error for every decrypted site.

For more information on fault messages, see McAfee Network Security Platform 9.2 Troubleshooting Guide.

SSL Decryption Exceptions

SSL Decryption Exceptions provide a way to skip decryption of flows that would normally be decrypted. You can exclude certain outbound SSL traffic from decryption based on source or destination IP address, destination domain name, and URL category. For example, if you have an internal domain located at a different geographical location, then you can create an exception for that domain so that the SSL traffic is not decrypted.

To manage outbound SSL decryption exceptions, go to Policy | <Admin Domain Name> | Intrusion Prevention | Exceptions | SSL Decryption Exceptions.
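The following is an added example, not code from Network Security Platform, that shows the per-flow decision the exceptions model above implies: a flow that is not on TCP/443 is never decrypted, a flow that matches any exception entry (by source or destination address, destination domain name, or URL category) is skipped, and everything else is decrypted. The rule set, networks and flows are constructed for illustration, and the rule shape (every criterion set on an entry must match; first match wins; domain entries match the host and its subdomains by label boundary) is an assumption, not the product's documented semantics. Note that a domain-based exception can only fire when the ClientHello carries an SNI, which is why the address-based entry is the one that catches the flow without SNI.

```python
"""Added example: decision logic for outbound SSL decryption exceptions.
Rule set and flows are constructed; they are not product data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound TLS connection as seen by the Sensor (constructed)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None       # destination domain from the ClientHello SNI
    category: Optional[str] = None  # URL category from a reputation lookup


@dataclass(frozen=True)
class ExceptionRule:
    """One exception entry (assumed semantics). Every criterion that is set
    must match (AND); an entry with no criteria matches everything."""
    name: str
    src_net: Optional[str] = None   # CIDR such as "10.0.0.0/8"
    dst_net: Optional[str] = None
    domain: Optional[str] = None    # matches the host itself and any subdomain
    category: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.src_net and not _in_net(flow.src_ip, self.src_net):
            return False
        if self.dst_net and not _in_net(flow.dst_ip, self.dst_net):
            return False
        if self.domain and not (flow.sni and _domain_under(flow.sni, self.domain)):
            return False
        if self.category and (flow.category or "").lower() != self.category.lower():
            return False
        return True


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _domain_under(host: str, suffix: str) -> bool:
    """Label-boundary suffix match: 'a.corp.example' is under 'corp.example',
    but 'corp.example.evil' is not."""
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def decide(flow: Flow, rules: List[ExceptionRule]) -> Tuple[str, str]:
    """Return (action, reason). 'passthrough': never decrypted because only
    TCP/443 is decrypted; 'skip': an exception matched; 'decrypt' otherwise.
    Exceptions are evaluated in order and the first match wins (assumption)."""
    if flow.dst_port != 443:
        return "passthrough", "not TCP/443"
    for rule in rules:
        if rule.matches(flow):
            return "skip", f"exception '{rule.name}'"
    return "decrypt", "no exception matched"


# Constructed exception list (names, domains and networks are illustrative).
RULES = [
    ExceptionRule("remote-office intranet", domain="intranet.example.com"),
    ExceptionRule("online banking", category="Finance/Banking"),
    ExceptionRule("partner range", dst_net="203.0.113.0/24"),
    ExceptionRule("vulnerability scanner", src_net="10.0.0.5/32"),
]


def evaluate_all(flows: List[Flow], rules: List[ExceptionRule]) -> List[Tuple[Flow, str, str]]:
    return [(f, *decide(f, rules)) for f in flows]


if __name__ == "__main__":
    samples = [
        Flow("10.1.1.20", "198.51.100.7", 443, "mail.intranet.example.com", "Business"),
        Flow("10.1.1.20", "198.51.100.8", 443, "www.examplebank.test", "Finance/Banking"),
        Flow("10.1.1.20", "203.0.113.40", 443),          # no SNI: only an address rule can match
        Flow("10.1.1.20", "198.51.100.9", 443, "intranet.example.com.evil.test"),
        Flow("10.1.1.20", "198.51.100.9", 8443, "www.example.com"),
    ]
    for flow, action, reason in evaluate_all(samples, RULES):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} sni={flow.sni}: {action} ({reason})")
```

The label-boundary check in `_domain_under` is the part worth copying: a plain substring or `endswith` match on the domain would let `intranet.example.com.evil.test` ride an exception meant for the internal domain and escape decryption.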

Export and import of SSL decryption Exceptions

The SSL decryption exceptions list can be exported and imported. You can export the list and reimport it only between the same versions of the Manager. The SSL decryption exceptions list is exported as a .xml file.

To import the SSL decryption exceptions list, go to Policy | <Admin Domain Name> | Intrusion Prevention | Advanced | Policy Import | SSL Decryption Exceptions.

To export the SSL decryption exceptions list, go to Policy | <Admin Domain Name> | Intrusion Prevention | Advanced | Policy Export | SSL Decryption Exceptions.

For more information on Outbound SSL Decryption, see McAfee Network Security Platform 9.2 IPS Administration Guide.

Inbound SSL Decryption using DHE/ECDHE ciphers

Servers are moving to cipher suites that use ephemeral Diffie-Hellman key exchange: DHE (finite-field Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). With the RSA key-exchange cipher suites, the session keys are derived from a secret that the client encrypts to the server's public key, so anyone holding the server's private key can decrypt a session, including a recorded one. That is what makes passive inbound decryption with the server key possible, but it is also why a compromised key exposes all past traffic. With DHE/ECDHE the session keys come from per-connection ephemeral values and cannot be recovered from the server's private key alone (forward secrecy), so the Sensor needs another source for them.

For inbound SSL decryption of DHE/ECDHE cipher suites, McAfee SSL Agent is installed on the web servers to be protected. The Agent passes the session keys to the Sensor every time a connection is established with the web server.

In the Agent based approach for inbound SSL decryption, the Network Security Platform IPS Sensor is placed between the client and server. When the client sends a request to the web server, the Sensor intercepts the connection. The Sensor then initiates a connection with the server.

The Agent and the Sensor communicate over the management port for session key exchange. You can specify the number of concurrent connections between the Sensor and Agent in the Manager. The IP address of the web server must be added in the Manager, which allows the server to communicate with the Sensor for inbound decryption.

Telemetry data is collected for the number of Agents deployed on the web servers.

Note: You can download the McAfee SSL Agent from the McAfee Download Server. The link is available in the SSL Decryption page in the Manager. You can log into the Download Server using your Grant Number. The SSL Agent download file is available under Utilities & Connectors in the Download Server. The web server to be protected must have the Agent installed on it. In the case of DHE/ECDHE cipher suites, the key exchange is ephemeral, so the session keys differ for every connection and cannot be derived from the server's private key; the Agent therefore passes the session keys to the Sensor each time a new connection is established. When the traffic flows through the Sensor, the keys are already available in the Sensor, which allows it to inspect the traffic. When an attack is detected, the Sensor generates an alert in the Manager.
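To make concrete which sessions the Agent-based method exists for, here is an added example, not product code, that parses a TLS ServerHello record and classifies the negotiated cipher suite by key exchange: static RSA (decryptable with the server's private key alone), ephemeral DHE/ECDHE and TLS 1.3 (forward secret, so per-session keys from an agent are required), export-grade, or unknown. The last three classes correspond to the "Unsupported Diffie-Hellman Cipher Suite", "Unsupported Export Cipher" and "Unsupported or Unknown Cipher" counters described under Traffic Statistics. The cipher suite IDs are IANA registry values; the ServerHello records are constructed in the block, not captured from a Sensor, and the class names are this example's own.

```python
"""Added example: classify a TLS ServerHello by key-exchange mechanism.
Records are constructed here, not captured from the product."""
import struct
from typing import Dict, List, Tuple

# Cipher suite IDs from the IANA TLS registry, grouped by key exchange.
STATIC_RSA = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
EPHEMERAL_DH = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",        # TLS 1.3: key exchange is always (EC)DHE
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> Tuple[int, int]:
    """Return (negotiated version, cipher suite) from one TLS record carrying
    a ServerHello. Honours the TLS 1.3 supported_versions extension, where
    the legacy version field still reads 0x0303."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                       # 2 bytes version + 32 bytes random
    off = 35 + sid_len
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    off += 3                                  # cipher suite + compression method
    if off + 2 <= len(hello):                 # extensions block is optional
        ext_len = struct.unpack("!H", hello[off:off + 2])[0]
        exts, i = hello[off + 2:off + 2 + ext_len], 0
        while i + 4 <= len(exts):
            etype, elen = struct.unpack("!HH", exts[i:i + 4])
            if etype == 0x002B and elen == 2:     # supported_versions
                version = struct.unpack("!H", exts[i + 4:i + 6])[0]
            i += 4 + elen
    return version, suite


def classify(suite: int) -> str:
    """Map a cipher suite to the decryption strategy it requires."""
    if suite in EXPORT:
        return "export"          # weak export-grade suite, not decrypted
    if suite in STATIC_RSA:
        return "static-rsa"      # decryptable with the server's RSA private key
    if suite in EPHEMERAL_DH:
        return "ephemeral"       # forward secret: needs session keys from the Agent
    return "unknown"


def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record for testing (fixed 'random')."""
    hello = struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"
    hello += struct.pack("!H", suite) + b"\x00"
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs


def tally(records: List[bytes]) -> Dict[str, int]:
    """Count sessions per strategy, as a per-Sensor statistics page would."""
    counts: Dict[str, int] = {"static-rsa": 0, "ephemeral": 0, "export": 0, "unknown": 0}
    for rec in records:
        _version, suite = parse_server_hello(rec)
        counts[classify(suite)] += 1
    return counts


if __name__ == "__main__":
    sample = [build_server_hello(0x002F), build_server_hello(0xC02F),
              build_server_hello(0x1301, tls13=True), build_server_hello(0x0003),
              build_server_hello(0xFFFF)]
    for rec in sample:
        ver, suite = parse_server_hello(rec)
        print(f"TLS 0x{ver:04x} suite 0x{suite:04x}: {classify(suite)}")
    print(tally(sample))
```

Run against a capture of the ServerHello records your servers actually send (for instance exported from a packet capture) and the tally tells you before deployment how much of the inbound traffic the key-based method still covers and how much will need the Agent.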

To enable inbound SSL decryption at the domain level, go to Devices | <Admin Domain Name> | Global | IPS Device Settings | SSL Decryption.

To enable inbound SSL decryption at the device level, go to Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | SSL Decryption.

Notes:

  • Inbound SSL decryption using the Agent method is supported only on NS9x00, NS7x00, and NS5x00 series Sensors.
  • One Agent must be installed per web server to be protected. Any number of Agents can be installed across different web servers.
  • When you disable inbound SSL decryption, the Agent is not removed automatically; you must uninstall it manually from the web servers.
  • In case of a failover pair, IP addresses of both the primary and secondary Sensors must be available in the Agent.
  • Port 8501 must be opened for communication between the Agent and the Sensor.

For more information on Inbound SSL Decryption using DHE/ECDHE ciphers, see McAfee Network Security Platform 9.2 IPS Administration Guide.

Traffic Statistics

In release 9.2, the Traffic Statistics page has been enhanced to display the statistics for inbound SSL Decryption as well. To view the SSL Decryption statistics, navigate to Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Traffic Statistics | SSL Decryption.

For SSL decryption, the Traffic Statistics page displays the following data:

  • Inbound Statistics: This tab displays the count for the following for SSL traffic:
    • Recycled SSL Flows - Total number of SSL flows that are not used recently and freed by the Sensor.
    • SSL Flow Allocation Errors - Total number of SSL flows the Sensor could not allocate due to resource unavailability.
    • Skipped SSL Flows Due to Flow Allocation Errors - Indicates total SSL flows that were skipped as the Sensor could not process them due to resource unavailability.
    • Packets Received from Unknown SSL Flows - Total number of SSL packets received that did not have a corresponding SSL flow.
    • SSL Flows Using Unsupported Diffie-Hellman Cipher Suite - Total SSL flows that negotiated a DH cipher suite the Sensor does not support and were therefore not decrypted.
    • SSL Flows Using Unsupported Export Cipher - Total SSL flows that negotiated an SSLv3/TLS export-grade RSA cipher suite, which the Sensor does not support, and were therefore not decrypted.
    • SSL Flows Using Unsupported or Unknown Cipher - Total flows with unsupported or unknown ciphers.
    • Shared Key Lookup Hits - Displays the number of times the Sensor uses the session key table provided by the Agent to decrypt inbound traffic using Diffie-Hellman cipher suite.
  • Internal Web Server Certificate Matches: This tab displays the count for unmatched and matched certificates for inbound SSL traffic.

For more information on traffic statistics, see McAfee Network Security Platform 9.2 IPS Administration Guide.

Integration with Private Global Threat Intelligence (GTI) Cloud

With this release, Network Security Platform supports integration with McAfee Private Global Threat Intelligence (GTI) Cloud. The Private GTI Cloud lets you use McAfee's GTI information from within your private cloud environment. You can configure Private GTI Cloud to provide reputation scores for malware files. Network Security Platform Sensors can be configured to send threat information to the Private GTI Cloud instead of the Public GTI Cloud. File reputation and IP reputation scores are then retrieved from the private cloud, and rules and policies can be configured on the basis of those scores to prevent attacks.

To configure the GTI Private Cloud, go to Manager | <Admin Domain Name> | Integration | GTI.

Telemetry

You can configure the telemetry information sent to the McAfee GTI Cloud. When McAfee GTI Cloud is enabled, information about alerts, features, Sensor version, and Manager version is sent to GTI Cloud. You can view the details sent to GTI Cloud from the Manager.

In previous releases, the telemetry information sent to McAfee GTI Cloud could be viewed in the GTI integration page. With release 9.2, telemetry information can be viewed under Manager | <Admin Domain Name> | Setup | Telemetry. The options to configure the information sent to McAfee GTI Cloud remain the same.

When enabled, the show gti config CLI command is enhanced to display the configuration details for Private GTI cloud.

For more information about telemetry, see McAfee Network Security Platform 9.2 Integration Guide.

Device Manager

The Device Manager page provides information about all the devices configured in the Manager. It lists the device information, software, health, status, and so on. NS-series Sensors, M-series Sensors, Mxx30 Sensors, Virtual IPS Sensors, NTBA Appliances, and HIPS devices are displayed in the Device Manager page. It displays the devices configured in an admin domain including the devices configured in the child admin domains. You can view the faults generated for the devices and directly navigate to the System Faults page to view the faults.

Note: The Device Manager page does not display details for XC Cluster devices.

For more information on Device Manager, see McAfee Network Security Platform 9.2 Manager Administration Guide.