MEEC User Group: McAfee ePO 4.5 Best Practices


  • 7/28/2019 Me Ec User Group Epo Best Practices

    1/34

    McAfee ePolicy Orchestrator 4.5 Best Practices

    McAfee User Group meeting organized by MEEC

    Sumeet Gohri
    Mid-Atlantic Sales Engineer

    2/34

    Agenda

    9:30 am - 9:45 am     Welcome
    9:45 am - 11:00 am    ePO
    11:00 am - 11:15 am   Break
    11:15 am - 11:45 am   Firewall
    11:45 am - 12:30 pm   Lunch
    12:30 pm - 1:15 pm    GTI
    1:15 pm - 1:30 pm     Q&A, Closing remarks

    December 2, 2010

    3/34

    Unprecedented Malware Growth

    [Chart: Malware Growth (Main Variations), 2008 vs. 2009; y-axis from 200,000 to 3,200,000; series: Virus and Bots, PUP, Trojan]

    Source: McAfee Labs

    4/34

    Cost to Value Relationship

    [Chart: Value and Additive cost plotted against Organizational Maturity, through the stages Secure, Compliant, Proactive, Optimized]

    The relationship between cost and security diverges during progression to the proactive and optimized states.

    5/34

    McAfee Security Leadership Across the Board

    [Chart: quadrant plots (axes: Ability to Execute vs. Completeness of Vision; Challengers / Leaders) for System Security, Network IPS, Email Security, Web Security, Network DLP, Firewall and Mobile Data Protection, labelled "Integrated"]


    7/34

    McAfee Labs: Global Threat Intelligence

    • 300+ dedicated threat researchers
    • Founded in 1995
    • First global 24/7 emergency response team in the industry
    • 1,400 people in R&D with more than 300 dedicated threat researchers worldwide
    • McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest profile threats: MyDoom, Sasser, Blaster

    8/34

    McAfee Integrated Security Platform: Single Agent, Single Console

    Network: Network DLP, E-mail Security, Web Security, Firewall/UTM, IPS, NAC, Behavioral Analysis
    Risk and Compliance: Vulnerability Mgmt., Remediation, Policy Auditing
    Endpoint: Data Protection (Host DLP, Endpoint Encryption, Device Control), Anti-Virus & Anti-Spyware, Email AV & Anti-Spam, Desktop Firewall, Host IPS, NAC, Policy Auditing, SiteAdvisor, Macintosh AV, Linux AV

    ePO with the McAfee Agent: Agent deployment, Configuration Updates, Policy settings, Alerts and Reporting

    [Diagram flows: Vulnerabilities and Reports; Agents and Policies; Events and Reports]

    Artemis | Software-as-a-Service (SaaS) | SIA Ecosystem

    9/34

    McAfee's Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance and Lower TCO

    [Partner logos: SIA Associate Partner; SIA Technology Partner (McAfee Compatible)]

    10/34

    Cost to Value Relationship

    [Chart: Value and Additive cost plotted against Organizational Maturity, through the stages Secure, Compliant, Proactive, Optimized]

    Where is my organization?

    11/34

    Agenda

    • Introductions
    • ePO 4.5, a brief overview
    • How to size the ePO server infrastructure
    • How to upgrade/migrate to an ePO 4.5 server
    • How do I check for performance issues on my ePO server?
    • Tricks and tips on optimizing ePO performance
    • Enabling Global Threat Intelligence in the AV policy
    • Agent deployment
    • VSE 8.7 policy best practices

    12/34

    ePO Management Console: Intuitive Web-Based Security Management

    13/34

    McAfee ePolicy Orchestrator: Key Feature Overview

    • End-to-End Visibility: single point of reference across networks and systems
    • Personalized Command Center: tune the work environment to optimize efficiencies
    • Drillable Dashboards and Actionable Reports: immediate insight to action slashes response times
    • Role-based Access Control: distribute administration and information
    • Rogue System Detection: identify and manage all networked assets to lower risk
    • Powerful Workflows: automate common routines, streamline processes across systems
    • Flexible Architecture: can scale from managing a handful of machines to very large enterprises
    • Extensible Framework: increase the value of existing security assets, optimize for future needs

    14/34

    McAfee Security Integration Architecture

    [Diagram: the ePolicy Orchestrator Management Console at the centre, integrating the ePO Agent on the endpoint with network and data products]

    ePO Agent: Encryption, Anti-Virus, Anti-Spyware, Desktop FW, Host IPS, NAC, Device Control/DLP
    Other labels: Network VM, Secure Email Gateway, Network IPS/NAC, TOPS Endpoint, Firewall, TOPS Data, Policy Auditor, Secure Web Gateway, Data Loss Prev., Encrypted USB, SolidCore, Device Control
    McAfee Secure Innovation Alliance (SIA) and future technologies

    15/34

    Security that Spans the Network to the Endpoint: Holistic Security, Not Disparate Solutions

    [Diagram: ePO in the centre, fed with Avert Labs threat data, linking Network Security and Endpoint Security]

    Endpoint Security (ToPS, ToPS Advanced): VirusScan & Anti-Spyware, HIPS & Firewall, McAfee SiteAdvisor, Host Policy Auditor, Network Access Control, GroupShield for Mail, Host DLP, Host Encryption (ToPS for Data)
    Network Security: Network Security Platform, Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior
    SolidCore: Change Control, Integrity Monitor, Application Control, Change Reconciliation
    Risk Advisor

    A single management console to manage endpoint security and integration with network security.

    16/34

    McAfee Global Threat Intelligence

    [Diagram: McAfee Labs reputation technologies (TrustedSource, Artemis) providing Network Reputation, Email Reputation, Web Reputation and File Reputation as local protection for Network Security, Web Security, Email Security and Endpoint products]

    17/34

    Artemis (GTI) Technology

    1. User receives a new file via e-mail or the Web
    2. No detection with existing DATs, but the file is suspicious
    3. A fingerprint of the file is created and sent over the Internet using Artemis
    4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
    5. Artemis identifies the threat and notifies the client
    6. VirusScan processes the information and removes the threat

    Artemis is enabled on the endpoint without any additional client-side install.

    18/34

    Enabling Artemis (GTI) Cloud Lookup

    By leveraging cloud-based threat intelligence, customers can protect themselves from potential zero-day attacks.

    • Extremely easy to enable
    • The level of heuristic check can be throttled
    • Uses the standard DNS mechanism to perform lookups
    • Provides zero-day protection from unknown malware
    • Provides protection from emerging threats
    • Not dependent on DAT updates to be effective
    • No impact on performance of the endpoint
    • No customer data is transferred to McAfee

    19/34

    ePO Infrastructure Sizing

    • Can I install ePO and my SQL Server on the same physical hardware?
    • Can I use a VM environment for ePO or my SQL Server?
    • Can ePO use an existing SQL Server that has other databases on it?
    • How should I partition my drives on ePO and SQL?

    20/34

    Installing ePO on a Single Server vs. Multiple Servers

    • ePO can be hosted on a single server, where the SQL DB is installed locally. There are certain considerations to keep in mind when sizing hardware.
    • Single-server configurations can scale up to 5K to 10K nodes, depending on the environment and products managed.
    • McAfee recommends optimizing disk sizing on the server to enhance performance (e.g. hosting the DB on a separate disk).
    • If using ePO to manage products in addition to AV, ASPY and HIPS, it is recommended that SQL Server be hosted separately.
    • Plan ahead by sizing the ePO server appropriately if you plan to roll out additional McAfee ePO managed modules like HDLP, Disk Encryption, Device Control, SiteAdvisor etc.

    21/34

    Installing ePO in a Virtualized Environment

    • McAfee supports ePO installs in virtual environments
    • ePO scales up to 25K to 30K nodes in a virtual environment
    • Beyond the 25K to 30K range, disk performance becomes a bottleneck
    • Ensure that, when managing around 30K nodes, dedicated physical disks are used with assigned CPU priority
    • McAfee recommends not hosting the ePO database on a virtualized SQL server when the node count is around or exceeds 30K
    • Many of our customers are successfully hosting their ePO environments virtually without any problems

    22/34

    Hosting the ePO DB on a Shared SQL Server

    Shared SQL servers can be used to host the ePO DB; a few considerations when doing this:

    • On a shared server ePO will be competing for resources with other applications, so ensure that the DB sizing is appropriate.
    • Sudden spikes in DB server usage by other hosted applications can impact ePO performance.
    • McAfee recommends a node limit of 20K, beyond which a dedicated SQL server for ePO may be more appropriate for the environment.
    • Keep in mind that operationally you may have to work with SQL DBAs when the ePO DB is hosted on a shared server, including getting them involved with potential troubleshooting.
    • Ensure that DB and schema updates can be applied to the ePO database on a shared server.

    23/34

    Disk Configuration for ePO Deployment

    • Disk configuration and partitioning is rarely an issue below 5K nodes
    • When using a single-server configuration, separate disks are recommended for the OS, SQL and the ePO application
    • Disk performance is a critical factor for ePO performance, so when using RAID, higher-performance arrays like RAID 1 and RAID 10 are preferred

    24/34

    Recommended Configuration Recap

    Node Count   ePO & SQL on same server   VM Server         ePO DB on a shared SQL server
    100-5K       Yes                        Optional          Optional
    5K-25K       Optional                   Optional          Optional
    25K-75K      Not Recommended            Not Recommended   Not Recommended
    75K+         No                         No                No

    25/34

    Server Hardware, OS & DB Recommendations

    • Less is better: ePO can scale to 200K plus nodes, so maintaining multiple instances of ePO will add to the overall workload.
    • CPU, RAM and disk performance are critical for ePO, as for any other application.
    • Use 64-bit software where possible, if you have hardware that supports a 64-bit OS and apps.
    • Very small organizations (up to 500 nodes) can use SQL Express, which has a 4GB DB size limit.

    RAM, CPU and HDD Sizing

    26/34

    Distributed Repositories

    • Leverage distributed repositories to save bandwidth
    • Better performance when uploading DATs and patches
    • Lightweight hosting requirements
    • FTP, UNC and HTTP supported
    • SuperAgents can be used as a part of the distribution infrastructure
    • Typical hosting agents are file & print servers, FTP servers and UNC shares
    • Can be hosted in a DMZ environment

    27/34

    In-Place Upgrade to ePO 4.5

    • If you want to upgrade to 4.5 from 3.x, then you have to upgrade to 4.0 and then on to ePO 4.5
    • Ensure that your hardware and software specs are in line with the requirements for ePO 4.5
    • Decommission any unused repositories
    • Clean out any unused or redundant policies
    • Clean out old and unused user accounts
    • Remove the client and server tasks that are not being used
    • Purge events that are more than 60 days old
    • Back up, re-index and defrag the database and ensure that it has enough space
    • Back up your ePO system and DB; back up the system certs
    • If possible, do a demo upgrade in a VM environment

    28/34

    Moving the ePO Server to a Different Platform

    Key to moving from one physical ePO server to another is to follow the procedure in KB Article 66616. The main steps to accomplish the migration are:

    1. Back up the ePO database
    2. Back up the agent keys and SSL certs
    3. Install the ePO application and SQL Server on the new box
    4. Ensure that the new ePO server has the same IP and DNS name as the old ePO server
    5. Attach the backup DB to the SQL instance on the new box
    6. Apply the SSL certs and agent keys to the new ePO server
    7. Disconnect the old ePO server from the network
    8. Connect the new ePO server to the network and monitor activity

    29/34

    McAfee Agent Deployment

    Deploying the ePO agent to the endpoint: what are my options?

    • Active Directory
    • Login scripts
    • Pre-installed with the enterprise desktop/laptop image
    • Using 3rd-party tools, i.e. Tivoli, SMS, BMC
    • Self-serve: HTTP, FTP, UNC shares

    The ePO Agent is a small 5 MB package. Additional packages are pushed from ePO once the ePO Agent checks back in to the ePO server.
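The login-script option above is usually a small wrapper that installs the agent only where it is missing. The following PowerShell script is an added example written for this page, not code from the deck or from McAfee: it checks for the agent service, verifies the installer's Authenticode signature before running anything pulled from a share, and then runs the package silently so that ePO can push the remaining products on first check-in. The share path, package name (FramePkg.exe), installer switches, service name (McAfeeFramework) and expected signer string are assumptions to verify against your own ePO deployment and agent installation guide.

```powershell
# Added example (not from the deck): login-script-style McAfee Agent bootstrap.
# Share path, package name, switches, service name and signer are assumptions.
param(
    [string]$PackagePath    = '\\fileserver\epo$\FramePkg.exe',   # placeholder UNC share
    [string]$ServiceName    = 'McAfeeFramework',                  # assumed agent service name
    [string]$ExpectedSigner = 'McAfee',                           # assumed substring of signer subject
    [string]$LogFile        = "$env:windir\Temp\epo-agent-bootstrap.log"
)

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Test-McAfeeAgentInstalled {
    # The agent registers a Windows service; its presence is the install check.
    param([string]$Name)
    return ($null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue))
}

function Test-TrustedPackage {
    # Refuse to execute an installer fetched from a share unless it carries a
    # valid Authenticode signature from the expected publisher.
    param([string]$Path, [string]$Signer)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Log "Package not found: $Path"; return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Log "Signature status for $Path is $($sig.Status)"; return $false
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Signer*") {
        Write-Log "Unexpected signer: $($sig.SignerCertificate.Subject)"; return $false
    }
    return $true
}

function Install-McAfeeAgent {
    # Silent install switches as assumed for the McAfee Agent package; confirm for your version.
    param([string]$Path)
    $proc = Start-Process -FilePath $Path -ArgumentList '/install=agent', '/silent' -Wait -PassThru
    Write-Log "Installer exited with code $($proc.ExitCode)"
    return ($proc.ExitCode -eq 0)
}

if (Test-McAfeeAgentInstalled -Name $ServiceName) {
    Write-Log "Agent service '$ServiceName' present; nothing to do."
}
elseif (Test-TrustedPackage -Path $PackagePath -Signer $ExpectedSigner) {
    if (Install-McAfeeAgent -Path $PackagePath) {
        Write-Log 'Agent installed; remaining products will be pulled from ePO on first check-in.'
    }
}
else {
    Write-Log 'Package failed trust checks; skipping install.'
}
```

Run it as a computer startup script (which executes as SYSTEM) rather than a user logon script, since installing the agent needs local administrator rights; the signature check is what keeps a tampered package on the share from being executed on every machine that runs the script.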

    30/34

    Is My ePO Server Having a Performance Issue?

    Have you looked at the performance counters for ePO under Performance Monitor?

    • The total number of open ePO agent connections should not exceed 200 (250 max); the typical value should be around 30
    • Processed events per second is consistently high
    • The number of files in the events folder (C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events) is consistently high and getting higher

    Mitigations:

    • Throttle down the Agent-to-Server Communication Interval (ASCI) from the default of 60 minutes
    • Additionally, flag the ePO server processes as low-risk processes in the AV policy
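The following PowerShell script is an added example (not from the deck or from McAfee) that samples the signals the slide names on an ePO 4.5 server: the backlog of files in the events folder, whether that backlog keeps growing, and the number of established agent connections against the 200-connection ceiling. The events folder path is the one quoted on the slide; the agent-to-server port (80), the use of netstat, the counter-set wildcard and the sampling interval are assumptions.

```powershell
# Added example (not from the deck): spot-check ePO 4.5 server health signals.
# Port, thresholds and counter-set name are assumptions; the folder is from the slide.
param(
    [string]$EventsFolder    = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events',
    [int]$AgentPort          = 80,    # assumed ePO 4.5 agent-to-server communication port
    [int]$MaxConnections     = 200,   # slide: should not exceed 200 (250 absolute max)
    [int]$Samples            = 5,
    [int]$IntervalSeconds    = 60
)

function Get-EpoEventBacklog {
    # Files waiting in DB\Events are events not yet parsed into SQL.
    # PSIsContainer is used instead of -File so this also runs on PowerShell 2.0 hosts.
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { throw "Events folder not found: $Folder" }
    $files = Get-ChildItem -LiteralPath $Folder -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    return @($files).Count
}

function Get-EpoAgentConnectionCount {
    # Established TCP sessions on the agent-server port, read from netstat so it
    # works on the Windows Server 2003/2008 hosts ePO 4.5 typically ran on.
    param([int]$Port)
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+ESTABLISHED' -f $Port
    $lines = netstat -an | Where-Object { $_ -match $pattern }
    return @($lines).Count
}

function Test-BacklogGrowing {
    # True when every sample is higher than the previous one, i.e. the slide's
    # "consistently high and getting higher".
    param([int[]]$Counts)
    if ($Counts.Count -lt 2) { return $false }
    for ($i = 1; $i -lt $Counts.Count; $i++) {
        if ($Counts[$i] -le $Counts[$i - 1]) { return $false }
    }
    return $true
}

# Counter names vary by ePO build, so list the installed ePO counter sets rather
# than hard-coding them; feed the interesting ones to Get-Counter afterwards.
Get-Counter -ListSet '*ePolicy*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Counter | ForEach-Object { "counter: $_" }

$backlog = @()
for ($n = 1; $n -le $Samples; $n++) {
    $files = Get-EpoEventBacklog -Folder $EventsFolder
    $conns = Get-EpoAgentConnectionCount -Port $AgentPort
    $backlog += $files
    '{0:s} events-backlog={1} agent-connections={2}' -f (Get-Date), $files, $conns
    if ($conns -gt $MaxConnections) {
        "WARNING: $conns open agent connections exceeds $MaxConnections; consider lengthening the ASCI."
    }
    if ($n -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}
if (Test-BacklogGrowing -Counts $backlog) {
    "WARNING: event backlog grew across all $Samples samples ($($backlog -join ' -> ')); the event parser is not keeping up."
}
```

A single high reading is not a problem; the slide's point is the trend, which is why the script takes several samples and only warns when the backlog rises on every one of them.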

    31/34

    Maintaining the ePO Database

    Use Server Tasks under the Automation tab to purge old events and logs:

    • Purging events based on time
    • Purging events based on type
    • Purging events based on a query
    • Deleting inactive assets
    • Deleting machines with duplicate GUIDs

    • Back up the ePO DB and transaction log
    • Re-index the DB on a regular basis
    • Rebuild the DB on a regular basis
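Event purging belongs in ePO Server Tasks as the slide says, but the backup and re-index items are SQL Server work. The following PowerShell script is an added example (not from the deck or from McAfee) that runs them through Invoke-Sqlcmd: a full backup, a log backup only when the database is in the FULL recovery model (a log backup on a SIMPLE-recovery database fails), and then REORGANIZE or REBUILD of each user index chosen by its measured fragmentation. The instance name, database name (ePO 4.x defaults to ePO4_<servername>), backup folder and the 10%/30% thresholds are assumptions; the thresholds follow conventional SQL Server guidance rather than anything McAfee-specific.

```powershell
# Added example (not from the deck): backup and re-index the ePO SQL database.
# Instance, database name, backup folder and thresholds are assumptions.
param(
    [string]$ServerInstance  = 'EPOSQL\EPO',       # placeholder SQL instance
    [string]$Database        = 'ePO4_EPOSERVER',   # placeholder ePO database name
    [string]$BackupDir       = 'D:\Backups',       # placeholder; writable by the SQL service account
    [int]$ReorganizeAbove    = 10,                 # % fragmentation (conventional guidance)
    [int]$RebuildAbove       = 30
)

function ConvertTo-BracketName {
    # Bracket-quote a SQL identifier, escaping any ']' inside it.
    param([string]$Name)
    return '[' + $Name.Replace(']', ']]') + ']'
}

function Backup-EpoDatabase {
    # Full backup first; log backup only if the recovery model allows it.
    param([string]$Instance, [string]$Db, [string]$Dir)
    $stamp = Get-Date -Format 'yyyyMMdd_HHmm'
    $full  = Join-Path $Dir "${Db}_$stamp.bak"
    Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -QueryTimeout 0 `
        -Query "BACKUP DATABASE $(ConvertTo-BracketName $Db) TO DISK = N'$full' WITH INIT, CHECKSUM;"
    $model = Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' `
        -Query "SELECT recovery_model_desc AS Model FROM sys.databases WHERE name = N'$Db';"
    if ($model.Model -eq 'FULL') {
        $log = Join-Path $Dir "${Db}_$stamp.trn"
        Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -QueryTimeout 0 `
            -Query "BACKUP LOG $(ConvertTo-BracketName $Db) TO DISK = N'$log' WITH INIT, CHECKSUM;"
    }
    return $full
}

function Get-FragmentedIndexes {
    # Physical stats for every user index above the threshold; indexes under
    # 100 pages are skipped because their fragmentation figure is meaningless.
    param([string]$Instance, [string]$Db, [int]$MinPercent)
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -QueryTimeout 0 -Query @"
SELECT s.name AS SchemaName, o.name AS TableName, i.name AS IndexName,
       ps.avg_fragmentation_in_percent AS Fragmentation, ps.page_count AS Pages
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects AS o ON o.object_id = ps.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE ps.index_id > 0 AND ps.page_count > 100 AND ps.avg_fragmentation_in_percent > $MinPercent
ORDER BY ps.avg_fragmentation_in_percent DESC;
"@
}

function Repair-IndexFragmentation {
    # REORGANIZE for moderate fragmentation (online and cheap), REBUILD for heavy.
    param([string]$Instance, [string]$Db, $Rows, [int]$RebuildPercent)
    foreach ($r in @($Rows)) {
        $target = '{0} ON {1}.{2}' -f (ConvertTo-BracketName $r.IndexName),
                                      (ConvertTo-BracketName $r.SchemaName),
                                      (ConvertTo-BracketName $r.TableName)
        $action = if ($r.Fragmentation -ge $RebuildPercent) { 'REBUILD' } else { 'REORGANIZE' }
        '{0} {1} ({2:N1}% fragmented, {3} pages)' -f $action, $target, $r.Fragmentation, $r.Pages
        Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -QueryTimeout 0 -Query "ALTER INDEX $target $action;"
    }
}

$bak = Backup-EpoDatabase -Instance $ServerInstance -Db $Database -Dir $BackupDir
"Backup written: $bak"
$rows = Get-FragmentedIndexes -Instance $ServerInstance -Db $Database -MinPercent $ReorganizeAbove
Repair-IndexFragmentation -Instance $ServerInstance -Db $Database -Rows $rows -RebuildPercent $RebuildAbove
# Refresh optimizer statistics so query plans reflect the reorganized layout.
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -QueryTimeout 0 -Query 'EXEC sp_updatestats;'
```

Schedule it in a maintenance window: REBUILD takes locks and generates log, which is why the backup runs first and the log backup is attempted before the index work rather than after it.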

    32/34

    Tuning VSE 8.7 Policies

    • Enable Access Protection and prevent services from being stopped
    • When applying policy for servers, use the Server profile
    • Enable the Buffer Overflow Protection policy and enforce protection
    • Use different scanning policies for high-risk, low-risk and default processes
    • Enable a client task to scan memory at least once a day
    • Enable GTI lookups
    • ScriptScan (KB65382)
    • Daily scan task to check memory for rootkits and running processes

    33/34

    McAfee's Open Platform for Security Risk Management: Industry Leadership to Drive Better Protection, Greater Compliance & Lower TCO

    34/34

    Thank You

    McAfee Sales Team
    Derrick [email protected]
    Sumeet Gohri [email protected]

    Questions?