
McAfee ePolicy Orchestrator 4.5 Best Practices
Sumeet Gohri, Mid-Atlantic Sales Engineer

McAfee User Group meeting organized by MEEC

Agenda

9:30 am - 9:45 am    Welcome
9:45 am - 11:00 am   ePO
11:00 am - 11:15 am  Break
11:15 am - 11:45 am  Firewall
11:45 am - 12:30 pm  Lunch
12:30 pm - 1:15 pm   GTI
1:15 pm - 1:30 pm    Q&A and closing remarks

December 2, 2010

Unprecedented Malware Growth

[Chart: Malware Growth (Main Variations), 2008 vs. 2009, by category: Virus and Bots, PUP, Trojan. Vertical axis: sample count, 0 to 3,200,000. Source: McAfee Labs]

Cost to Value Relationship

[Chart: organizational maturity stages Secure, Compliant, Proactive and Optimized, plotted against additive cost and value]

The cost curve and the security value curve diverge as an organization progresses to the proactive and optimized states.

McAfee Security Leadership Across the Board

[Figure: analyst quadrant charts (Ability to Execute vs. Completeness of Vision; Challengers / Leaders) for System Security, Network IPS, Mobile Data Protection, DLP, Web Security, Firewall, E-mail Security and Integrated]


McAfee Labs
300+ dedicated threat researchers

Global Threat Intelligence

- Founded in 1995
- First global 24/7 emergency response team in the industry
- 1,400 people in R&D, with more than 300 dedicated threat researchers worldwide
- McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest-profile threats: MyDoom, Sasser, Blaster

McAfee Integrated Security Platform

[Diagram: ePO as the single console and the McAfee Agent as the single agent (agent deployment, configuration, updates, policy settings, alerts and reporting), with Artemis lookups and Software-as-a-Service (SaaS) options. Agents and policies flow from ePO to the products; events and reports, and vulnerabilities and reports, flow back to ePO.]

- Endpoint: Anti-Virus & Anti-Spyware, Email AV & Anti-Spam, Desktop Firewall, Host IPS, SiteAdvisor, NAC, Policy Auditing, Linux AV, Macintosh AV
- Network: E-mail Security, Web Security, Network DLP, IPS, Firewall/UTM, NAC, Behavioral Analysis
- Risk and Compliance: Vulnerability Mgmt., Remediation, Policy Auditing
- Data Protection: Endpoint Encryption, Device Control, Host DLP

SIA Ecosystem

McAfee's Open Platform for Security Risk Management

Industry leadership to drive better protection, greater compliance and lower TCO

Partner tiers: SIA Associate Partner; SIA Technology Partner (McAfee Compatible)

Cost to Value Relationship

[Chart: the same maturity stages (Secure, Compliant, Proactive, Optimized) plotted against additive cost and value]

Organizational maturity: where is my organization?

Agenda

- Introductions
- ePO 4.5, a brief overview
- How to size the ePO server infrastructure
- How to upgrade/migrate to an ePO 4.5 server
- How do I check for performance issues on my ePO server?
- Tricks and tips for optimizing ePO performance
- Enabling Global Threat Intelligence in the AV policy
- Agent deployment
- VSE 8.7 policy best practices

ePO Management Console

Intuitive web-based security management

McAfee ePolicy Orchestrator

Key Feature Overview

- End-to-End Visibility: a single point of reference across networks and systems. Rogue System Detection identifies and manages all networked assets to lower risk.
- Personalized Command Center: tune the work environment to optimize efficiency.
- Powerful Workflows: automate common routines and streamline processes across systems.
- Drillable Dashboards and Actionable Reports: immediate insight to action slashes response times.
- Flexible Architecture: scales from managing a handful of machines to very large enterprises.
- Role-based Access Control: distribute administration and information.
- Extensible Framework: increase the value of existing security assets and optimize for future needs.

McAfee Security Integration Architecture

[Diagram: the ePolicy Orchestrator Management Console at the center, connected to the ePO Agent on the endpoint and to the network products]

- Network: Network IPS/NAC, Secure Email Gateway, Secure Web Gateway, Network VM, Data Loss Prevention, NAC, Firewall
- ePO Agent (endpoint): Device Control/DLP, Encrypted USB, Device Control, Policy Auditor, Anti-Spyware, Desktop FW, Encryption, Anti-Virus, SolidCore, Host IPS
- Suites: ToPS Endpoint, ToPS Data
- McAfee Secure Innovation Alliance (SIA) and future technologies

Security that Spans the Network to the Endpoint

Holistic security, not disparate solutions

- Network Security: Network Security Platform
- Endpoint Security: VirusScan & Anti-Spyware, HIPS & Firewall (ToPS)
- A single management console to manage endpoint security and integrate it with network security

[Diagram: McAfee Global Threat Intelligence, fed by McAfee Labs (Avert Labs threat data) and the reputation technologies TrustedSource and Artemis, delivering network, web, email and file reputation to network security, web security, email security and endpoint (local protection) products, all managed through ePO]

- Network and gateway products: Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior
- Endpoint products: McAfee SiteAdvisor, GroupShield for Mail, Network Access Control, Host Policy Auditor, Host DLP, Host Encryption, Integrity Monitor, Application Control, Change Control, Change Reconciliation
- Suites and add-ons: ToPS Advanced, ToPS for Data, Risk Advisor, SolidCore

Artemis (GTI) Technology

Artemis is enabled on the endpoint without any additional client-side install.

1. The user receives a new file via e-mail or the Web.
2. There is no detection with the existing DATs, but the file is suspicious.
3. A fingerprint of the file is created and sent over the Internet using Artemis.
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape.
5. Artemis identifies the threat and notifies the client.
6. VirusScan processes the information and removes the threat.

Enabling Artemis (GTI) Cloud Lookup

By leveraging cloud-based threat intelligence, customers can protect themselves from potential zero-day attacks.

- Extremely easy to enable
- The level of heuristic check can be throttled
- Uses the standard DNS mechanism to perform lookups
- Provides zero-day protection from unknown malware
- Provides protection from emerging threats
- Not dependent on DAT updates to be effective
- No impact on the performance of the endpoint
- No customer data is transferred to McAfee

ePO Infrastructure Sizing

- Can I install ePO and my SQL Server on the same physical hardware?
- Can I use a VM environment for ePO or my SQL Server?
- Can ePO use an existing SQL Server that already hosts other databases?
- How should I partition my drives on ePO and SQL?

Installing ePO on a Single Server vs. Multiple Servers

- ePO can be hosted on a single server, with the SQL database installed locally. There are certain considerations to keep in mind when sizing the hardware.
- Single-server configurations can scale up to 5K to 10K nodes, depending on the environment and the products managed.
- McAfee recommends optimizing the disk layout on the server to enhance performance (e.g. hosting the DB on a separate disk).
- If using ePO to manage products in addition to AV, ASPY and HIPS, it is recommended that SQL Server be hosted separately.
- Plan ahead by sizing the ePO server appropriately if you plan to roll out additional ePO-managed modules such as HDLP, Disk Encryption, Device Control, SiteAdvisor, etc.

Installing ePO in a Virtualized Environment

McAfee supports ePO installs in virtual environments.

- ePO scales up to 25K to 30K nodes in a virtual environment.
- Beyond the 25K to 30K range, disk performance becomes a bottleneck.
- Ensure that, when managing around 30K nodes, dedicated physical disks are used with assigned CPU priority.
- McAfee recommends not hosting the ePO database on a virtualized SQL Server when the node count is around or exceeds 30K.
- Many of our customers are successfully hosting their ePO environments virtually without any problems.

Hosting the ePO DB on a Shared SQL Server

Shared SQL servers can be used to host the ePO DB; a few considerations when doing this:

- On a shared server, ePO will be competing for resources with other applications, so ensure that the DB sizing is appropriate. Sudden spikes in DB server usage by other hosted applications can impact ePO performance.
- McAfee recommends a node limit of 20K, beyond which a dedicated SQL Server for ePO may be more appropriate for the environment.
- Keep in mind that operationally you may have to work with the SQL DBAs when ePO is hosted on a shared server, including getting them involved in potential troubleshooting.
- Ensure that DB and schema updates can be applied to the ePO database on the shared server.

Disk Configuration for ePO Deployment

- Disk configuration and partitioning is rarely an issue below 5K nodes.
- When using a single-server configuration, separate disks are recommended for the OS, SQL and the ePO application.
- Disk performance is a critical factor for ePO performance, so when using RAID, higher-performance arrays like RAID 1 and RAID 10 are preferred.

Recommended Configuration Recap

Node count                    | 100-5K   | 5K-25K   | 25K-75K         | 75K+
------------------------------+----------+----------+-----------------+-----
ePO & SQL on the same server  | Yes      | Optional | Not Recommended | No
ePO on a VM server            | Optional | Optional | Not Recommended | No
ePO DB on a shared SQL server | Optional | Optional | Not Recommended | No

Server Hardware, OS & DB Recommendations

- Less is better: ePO can scale to 200K-plus nodes, so maintaining multiple instances of ePO will add to the overall workload.
- CPU, RAM and disk performance are critical for ePO, as for any other application.
- Use 64-bit software where possible, if you have hardware that supports a 64-bit OS and applications.
- Very small organizations (up to 500 nodes) can use SQL Express, which has a 4 GB database size limit.

[Table: RAM, CPU and HDD sizing]

Distributed Repositories

- Leverage distributed repositories to save bandwidth
- Better performance when uploading DATs and patches
- Lightweight hosting requirements: FTP, UNC and HTTP supported
- Super Agents can be used as part of the distribution infrastructure
- Typical hosts are file and print servers, FTP servers and UNC shares
- Can be hosted in a DMZ environment

In-Place Upgrade to ePO 4.5

If you want to upgrade to 4.5 from 3.x, you have to upgrade to 4.0 first and then on to ePO 4.5.

- Ensure that your hardware and software specs are in line with the requirements for ePO 4.5
- Decommission any unused repositories
- Clean out any unused or redundant policies
- Clean out old and unused user accounts
- Remove the client and server tasks that are not being used
- Purge events that are more than 60 days old
- Back up, re-index and defragment the database and ensure that it has enough space
- Back up your ePO system and DB
- Back up the system certificates
- If possible, do a trial upgrade in a VM environment

Moving the ePO Server to a Different Platform

The key to moving from one physical ePO server to another is to follow the procedure in KB article 66616. The main steps of the migration are:

1. Back up the ePO database
2. Back up the agent keys and SSL certificates
3. Install the ePO application and SQL Server on the new box
4. Ensure that the new ePO server has the same IP address and DNS name as the old ePO server
5. Attach the backup DB to SQL on the new box
6. Apply the SSL certificates and agent keys to the new ePO server
7. Disconnect the old ePO server from the network
8. Connect the new ePO server to the network and monitor activity

McAfee Agent Deployment

Deploying the ePO agent to the endpoint: what are my options?

- Active Directory login scripts
- Pre-installed with the enterprise desktop/laptop image
- Using third-party tools, e.g. Tivoli, SMS, BMC
- Self-service from HTTP, FTP or UNC shares

The ePO agent is a small 5 MB package. Additional packages are pushed from ePO once the agent checks back in to the ePO server.

Is My ePO Server Having a Performance Issue?

Have you looked at the performance counters for ePO under Performance Monitor?

- The total number of open ePO agent connections should not exceed 200 (250 max); the typical value should be around 30.
- Processed events per second is consistently high.
- The number of files in the events folder
  C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events
  is consistently high and getting higher.
- Throttle agent-to-server communication by lengthening the ASCI from its default of 60 minutes.
- Additionally, flag the ePO server processes as low-risk processes in the AV policy.
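The two symptoms above (a growing events backlog and too many open agent connections) can be sampled from the server itself rather than read off Performance Monitor by hand. The script below is an added example, not part of the original deck and not McAfee's code; it assumes the events folder is at the default path quoted on the slide and that $AgentPort is set to the agent-to-server communication port configured in your ePO (80 at the bottom is a placeholder, not a value from the slide). The backlog threshold is likewise an assumed starting point.

```powershell
# Added example (not from the original deck). Samples the ePO events backlog and
# the number of open agent connections, then compares them with the thresholds
# quoted on the slide: 200 connections recommended maximum, 250 hard maximum,
# typical around 30; a backlog that stays high AND keeps growing is the warning sign.

function Get-EpoEventBacklog {
    param([string]$EventsPath = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events')
    # Count files only; any sub-folders under Events are ignored.
    $files = Get-ChildItem -Path $EventsPath -ErrorAction Stop |
             Where-Object { -not $_.PSIsContainer }
    return @($files).Count
}

function Get-EpoAgentConnectionCount {
    param([int]$AgentPort)   # assumption: the agent-to-server port from your ePO config
    # Parse netstat so the check also runs on older server builds that lack
    # Get-NetTCPConnection. Matches ESTABLISHED sockets whose local endpoint is the agent port.
    $lines = netstat -ano | Where-Object {
        $_ -match "^\s*TCP\s+\S+:$AgentPort\s+\S+\s+ESTABLISHED"
    }
    return @($lines).Count
}

function Test-EpoServerLoad {
    param(
        [int]$AgentPort,
        [int]$Samples = 6,
        [int]$IntervalSeconds = 300,
        [int]$BacklogThreshold = 1000   # assumed starting point; tune to your environment
    )
    $history = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $backlog = Get-EpoEventBacklog
        $conns   = Get-EpoAgentConnectionCount -AgentPort $AgentPort
        $history += $backlog
        '{0} events waiting={1} open agent connections={2}' -f (Get-Date -Format 'HH:mm:ss'), $backlog, $conns
        if ($conns -gt 250)     { '  WARNING: above the 250 hard maximum' }
        elseif ($conns -gt 200) { '  WARNING: above the recommended 200 (typical is around 30)' }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    # The slide's pattern: every sample above the threshold and the last higher than the first.
    $allHigh = @($history | Where-Object { $_ -lt $BacklogThreshold }).Count -eq 0
    $rising  = $history[-1] -gt $history[0]
    if ($allHigh -and $rising) {
        'Event backlog is consistently high and growing: lengthen the ASCI beyond the default 60 minutes and mark the ePO server processes as low-risk in the VSE policy.'
    } else {
        'Event processing is keeping up with the agents.'
    }
}

Test-EpoServerLoad -AgentPort 80   # 80 is a placeholder; use your configured agent port
```

Run it from an elevated prompt on the ePO server during the busiest part of the day; six samples five minutes apart cover half an hour, which is enough to tell a transient spike from a backlog that never drains.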

Maintaining the ePO Database

- Use Server Tasks under the Automation tab to purge old events and logs:
  - Purging events based on time
  - Purging events based on type
  - Purging events based on a query
- Deleting inactive assets
- Deleting machines with duplicate GUIDs
- Backing up the ePO DB and transaction log
- Re-indexing the DB on a regular basis
- Rebuilding the DB on a regular basis
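The database steps that appear both in the upgrade checklist (back up, re-index and defragment the database) and in the maintenance slide above (back up the DB and transaction log, re-index regularly) can be scripted so that a scheduled task runs them. The script below is an added example, not part of the original deck and not McAfee's own tooling. It assumes sqlcmd.exe is on the PATH, that the account running it has backup and ALTER INDEX rights, and that the SQL instance, database name and backup folder are placeholders you replace with your own. Event purging is deliberately left to the ePO server task the slide recommends, since the ePO schema is not something to delete from by hand.

```powershell
# Added example (not from the original deck). Backs up the ePO database and, where the
# recovery model allows it, the transaction log; then rebuilds heavily fragmented
# indexes and reorganizes (defragments) mildly fragmented ones.

function Invoke-EpoDbMaintenance {
    param(
        [string]$SqlInstance = 'EPOSQL\EPO',      # placeholder: your SQL instance
        [string]$Database    = 'ePO_DB',          # placeholder: your ePO database name
        [string]$BackupDir   = 'D:\Backups\ePO'   # placeholder; must be writable by the SQL service account
    )
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $tsql = @"
BACKUP DATABASE [$Database]
    TO DISK = N'$BackupDir\${Database}_$stamp.bak' WITH INIT, CHECKSUM;
-- A log backup is only valid outside the SIMPLE recovery model.
IF (SELECT recovery_model_desc FROM sys.databases WHERE name = N'$Database') <> N'SIMPLE'
    BACKUP LOG [$Database]
        TO DISK = N'$BackupDir\${Database}_$stamp.trn' WITH INIT;
GO
USE [$Database];
-- Build one ALTER INDEX statement per fragmented index: REBUILD above 30 %,
-- REORGANIZE between 10 % and 30 %; indexes under 100 pages are not worth touching.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql + N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON '
    + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
    + CASE WHEN ps.avg_fragmentation_in_percent > 30 THEN N' REBUILD;' ELSE N' REORGANIZE;' END
    + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects AS o ON o.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.type = 'U' AND ps.index_id > 0
  AND ps.avg_fragmentation_in_percent > 10 AND ps.page_count > 100;
EXEC sp_executesql @sql;
GO
"@
    $script = Join-Path $env:TEMP "epo_maint_$stamp.sql"
    Set-Content -Path $script -Value $tsql -Encoding ASCII
    # -E: Windows authentication; -b: stop and return a non-zero exit code on the first error.
    & sqlcmd -S $SqlInstance -E -b -i $script
    $ok = ($LASTEXITCODE -eq 0)
    Remove-Item $script -ErrorAction SilentlyContinue
    if ($ok) { "Backup written to $BackupDir and indexes maintained." }
    else     { throw "sqlcmd reported an error (exit code $LASTEXITCODE); verify the backup before proceeding with any upgrade." }
}

Invoke-EpoDbMaintenance
```

Because sqlcmd is run with -b, a failed backup stops the script before any index work starts and the non-zero exit code surfaces in the scheduled task history, which is the check you want before an in-place upgrade: never re-index or upgrade on top of a backup that did not complete.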

Tuning VSE 8.7 Policies

- Enable Access Protection and prevent services from being stopped
- When applying policy to servers, use the Server profile
- Enable the Buffer Overflow Protection policy and enforce protection
- Use different scanning policies for high-risk, low-risk and default processes
- Enable a client task to scan memory at least once a day
- Enable GTI lookups
- ScriptScan (KB65382)
- Daily scan task to check memory for rootkits and running processes

McAfee's Open Platform for Security Risk Management

Industry leadership to drive better protection, greater compliance and lower TCO

Questions?

Thank you

McAfee Sales Team
Derrick Honea, derrick_honea@mcafee.com
Sumeet Gohri, sumeet_gohri@mcafee.com
