5 Best Practices
Sumeet Gohri Mid-Atlantic Sales Engineer
Agenda
9:30 am - 9:45 am: Welcome
9:45 am - 11:00 am: ePO
11:00 am - 11:15 am: Break
11:15 am - 11:45 am: Firewall
11:45 am - 12:30 pm: Lunch
12:30 pm - 1:15 pm: GTI
1:15 pm - 1:30 pm: Q&A and closing remarks
December 2, 2010
[Figure: organizational maturity model. Threat examples: PUP, Trojan. Maturity stages: Secure, Compliant, Proactive, Optimized. Axes: Additive cost vs. Value.]
Organizational Maturity: the relationship between cost and security diverges during progression to the Proactive and Optimized states.
[Figure: integrated portfolio diagram with the labels IPS, Integrated, Email Security.]
McAfee Labs
300+ dedicated threat researchers
- Founded in 1995
- First global 24/7 emergency response team in the industry
- 1,400 people in R&D, with more than 300 dedicated threat researchers worldwide
- McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest-profile threats: MyDoom, Sasser, Blaster
[Figure: McAfee platform architecture centered on ePO and the McAfee Agent.]
- Software-as-a-Service (SaaS)
- ePO
- Network: E-mail Security, Web Security, Network DLP, IPS, Firewall/UTM, NAC, Behavioral Analysis
- McAfee Agent
- Data Protection: Endpoint Encryption, Device Control, Host DLP
- SIA Ecosystem
Agenda
- Introductions
- ePO 4.5, a brief overview
- How to size the ePO server infrastructure
- How to upgrade/migrate to an ePO 4.5 server
- How to check for performance issues on the ePO server
- Tricks and tips for optimizing ePO performance
- Enabling Global Threat Intelligence in the AV policy
- Agent deployment
- VSE 8.7 policy best practices
Flexible Architecture
Can scale from managing a handful of machines to very large enterprises
Extensible Framework
Increase value of existing security assets, optimize for future needs
[Figure: ePO as the single management console.]
- ePO Agent: Device Control/DLP, Encrypted USB, Device Control, Policy Auditor, Anti-Spyware, Desktop FW, Encryption, Anti-Virus, SolidCore, Host IPS
- Network Security: NAC, Firewall, Network Security Platform
- Endpoint Security: VirusScan & Anti-Spyware, HIPS & Firewall
- ToPS
Single management console to manage endpoint security, with integration into network security
McAfee User Group meeting organized by MEEC, December 2, 2010
[Figure: McAfee product portfolio map around ePO.]
- Network: Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior, Network Security
- ePO
- Endpoint: McAfee SiteAdvisor, GroupShield for Mail, Network Access Control, Host Policy Auditor, Host DLP, Host Encryption, Integrity Monitor, Application Control, Change Control, Change Reconciliation
- ToPS Advanced, Risk Advisor, SolidCore
- McAfee Labs reputation technologies: Network Reputation, Web Reputation, Email Reputation, File Reputation (TrustedSource, Artemis)
[Figure: Global Threat Intelligence. Local protection at the endpoint (Web Security, Email Security) connected to McAfee Labs over the Internet.]
Artemis lookup flow (diagram steps, as recoverable from the slide):
1. No detection with existing DATs, but the file is suspicious.
2. A fingerprint of the file is created and sent to Artemis.
3. Artemis reviews this fingerprint and other inputs statistically across the threat landscape.
4. VirusScan processes the returned information and removes the threat.
[Sizing table: rows by node count; columns "ePO & SQL on same server" and "VM server". Only the cell values survive extraction (Yes, Optional, Optional, Optional); the node-count tiers are not recoverable.]
Distributed Repositories
- Leverage distributed repositories to save bandwidth
- Better performance when uploading DATs and patches
- Lightweight hosting requirements: FTP, UNC and HTTP are supported
- SuperAgents can be used as part of the distribution infrastructure
- Typical hosts are file and print servers, FTP servers and UNC shares
- Can be hosted in a DMZ environment
In-Place Upgrade to ePO 4.5
If you want to upgrade to 4.5 from 3.x, you have to upgrade to 4.0 first and then on to ePO 4.5.
- Ensure that your hardware and software specs are in line with the requirements for ePO 4.5
- Decommission any unused repositories
- Clean out any unused or redundant policies
- Clean out old and unused user accounts
- Remove the client and server tasks that are not being used
- Purge events that are more than 60 days old
- Back up, re-index and defragment the database, and ensure that it has enough free space
- Back up your ePO system and DB
- Back up the system certificates
- If possible, do a trial upgrade in a VM environment
The key to moving from one physical ePO server to another is to follow the procedure in KB Article 66616. The main steps of the migration are:
- Back up the ePO database
- Back up the agent keys and SSL certificates
- Install the ePO application and SQL Server on the new box
- Ensure that the new ePO server has the same IP address and DNS name as the old ePO server (agents locate the server by these, so a mismatch leaves them orphaned)
- Attach the backup DB to the SQL Server instance on the new box
- Apply the SSL certificates and agent keys to the new ePO server
- Disconnect the old ePO server from the network
- Connect the new ePO server to the network and monitor activity
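T-SQL for the two database steps of the migration above (back up on the old server, bring the backup up on the new one), as an added example that is not part of the presentation or of KB 66616. It assumes an ePO 4.x database named `ePO4_EPOSERVER` (the installer default is `ePO4_<hostname>`), a backup share `\\backup01\epo\`, data/log paths `D:\SQLData` and `L:\SQLLogs` on the new server, and a SQL login `epo_svc` used by ePO; change all of these to match your environment. `EPOLeafNode` and `EPOEvents` are ePO 4.x tables used only for the final sanity check.

```sql
-- Added example, not from the presentation or McAfee KB 66616.
-- Assumptions: database ePO4_EPOSERVER, share \\backup01\epo\, paths D:\SQLData
-- and L:\SQLLogs, SQL login epo_svc. Run part 1 on the OLD server, part 2 on the NEW one.

-- ===== Part 1: OLD ePO server. Stop the ePO services first so no agent traffic
-- lands in the database between this backup and the cut-over. =====
USE master;
GO
-- Full backup with CHECKSUM so a corrupt backup is detected before the old box is gone.
BACKUP DATABASE [ePO4_EPOSERVER]
    TO DISK = N'\\backup01\epo\ePO4_EPOSERVER_migrate.bak'
    WITH INIT, CHECKSUM, STATS = 10;
GO
-- Prove the backup is restorable before decommissioning anything.
RESTORE VERIFYONLY
    FROM DISK = N'\\backup01\epo\ePO4_EPOSERVER_migrate.bak'
    WITH CHECKSUM;
GO

-- ===== Part 2: NEW ePO server. Restore under the same database name so the
-- ePO configuration that points at ePO4_EPOSERVER needs no change. =====
USE master;
GO
-- List the logical file names inside the backup; the MOVE clauses below must match them.
RESTORE FILELISTONLY
    FROM DISK = N'\\backup01\epo\ePO4_EPOSERVER_migrate.bak';
GO
RESTORE DATABASE [ePO4_EPOSERVER]
    FROM DISK = N'\\backup01\epo\ePO4_EPOSERVER_migrate.bak'
    WITH MOVE N'ePO4_EPOSERVER'     TO N'D:\SQLData\ePO4_EPOSERVER.mdf',
         MOVE N'ePO4_EPOSERVER_log' TO N'L:\SQLLogs\ePO4_EPOSERVER_log.ldf',
         CHECKSUM, RECOVERY, STATS = 10;
GO
-- A SQL login lives in master, not in the restored database, so the database
-- user ePO connects as is orphaned after the restore. Re-link it to the login of
-- the same name on the new instance (skip this if ePO uses Windows authentication).
USE [ePO4_EPOSERVER];
GO
EXEC sp_change_users_login 'Auto_Fix', 'epo_svc';
GO
-- Sanity check: managed-system and event counts should match what the old
-- server reported right before the backup.
SELECT (SELECT COUNT(*) FROM dbo.EPOLeafNode) AS managed_systems,
       (SELECT COUNT(*) FROM dbo.EPOEvents)   AS threat_events;
GO
```

The deck says "attach"; a backup/restore pair is used here instead of detaching the data files because it leaves the old server intact until the new one is verified, and the `CHECKSUM` options catch a silently corrupt backup at the only point where you can still take another one.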
The ePO Agent is a small 5 MB package. Additional packages are pushed from ePO once the agent has checked back in to the ePO server.
is consistently high and getting higher. Lengthen the Agent-to-Server Communication Interval (ASCI) from the default of 60 minutes so that fewer agents check in per hour. Additionally, flag the ePO server processes as low-risk processes in the AV policy; scope that exclusion to the ePO executables only, since low-risk processes receive reduced on-access scanning.
- Delete inactive assets
- Delete machines with duplicate GUIDs
- Back up the ePO DB and its transaction log
- Re-index the DB on a regular basis
- Rebuild the DB on a regular basis
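T-SQL for the housekeeping the deck lists here and in the pre-upgrade cleanup (inactive assets, duplicate agent GUIDs, events older than 60 days, full and log backups, index maintenance), as an added example that is not part of the presentation. It assumes the database is named `ePO4_EPOSERVER` and backups go to `\\backup01\epo\`. `EPOLeafNode` (managed systems, with `AgentGUID`, `NodeName`, `LastUpdate`) and `EPOEvents` (threat events, with `ReceivedUTC`) are ePO 4.x tables; confirm the column names against your schema version. The queries only report inactive systems, duplicates and old events; the actual deletion should go through the ePO console and its purge server task so that related rows are cleaned up and the work is logged by ePO.

```sql
-- Added example, not from the presentation. Assumptions: database ePO4_EPOSERVER,
-- backup share \\backup01\epo\, ePO 4.x table/column names as commented below.
USE [ePO4_EPOSERVER];
GO

-- 1. Inactive assets: systems whose agent has not communicated for 30+ days.
--    Review this list, then delete the systems from the System Tree in the
--    console rather than with a raw DELETE here.
SELECT NodeName, AgentGUID, LastUpdate
FROM dbo.EPOLeafNode
WHERE LastUpdate < DATEADD(DAY, -30, GETUTCDATE())
ORDER BY LastUpdate;
GO

-- 2. Duplicate agent GUIDs (typically cloned images). Each GUID listed is
--    shared by several system entries that keep overwriting each other's
--    properties on every agent check-in.
SELECT AgentGUID, COUNT(*) AS copies, MIN(NodeName) AS example_node
FROM dbo.EPOLeafNode
GROUP BY AgentGUID
HAVING COUNT(*) > 1
ORDER BY copies DESC;
GO

-- 3. Events older than 60 days: size the purge before running the console's
--    event-purge server task.
SELECT COUNT(*) AS events_over_60_days, MIN(ReceivedUTC) AS oldest_event
FROM dbo.EPOEvents
WHERE ReceivedUTC < DATEADD(DAY, -60, GETUTCDATE());
GO

-- 4. Full backup plus transaction-log backup. A log backup is only possible
--    (and only needed) under the FULL recovery model; under SIMPLE the log
--    truncates itself and BACKUP LOG would fail.
BACKUP DATABASE [ePO4_EPOSERVER]
    TO DISK = N'\\backup01\epo\ePO4_EPOSERVER_full.bak'
    WITH INIT, CHECKSUM, STATS = 10;
GO
IF DATABASEPROPERTYEX(N'ePO4_EPOSERVER', 'Recovery') = 'FULL'
    BACKUP LOG [ePO4_EPOSERVER]
        TO DISK = N'\\backup01\epo\ePO4_EPOSERVER_log.trn'
        WITH CHECKSUM;
GO

-- 5. Index maintenance driven by measured fragmentation instead of a blanket
--    rebuild: REORGANIZE at 10-30% fragmentation, REBUILD above 30%, and leave
--    small or unfragmented indexes alone.
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'';
SELECT @sql = @sql
    + N'ALTER INDEX ' + QUOTENAME(i.name)
    + N' ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    + CASE WHEN ps.avg_fragmentation_in_percent >= 30
           THEN N' REBUILD;' ELSE N' REORGANIZE;' END
    + CHAR(10)
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.tables  AS t ON t.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE ps.avg_fragmentation_in_percent >= 10
  AND ps.page_count >= 100      -- tiny indexes are not worth touching
  AND i.index_id > 0;           -- index_id 0 is a heap, which cannot be ALTERed
EXEC sp_executesql @sql;
GO
-- REORGANIZE does not refresh statistics, so update them afterwards.
EXEC sp_updatestats;
GO
```

Steps 4 and 5 are the "back up, re-index and defrag" items and are safe to schedule as a SQL Agent job during a quiet window; steps 1 to 3 are reports to act on from the console, which is why none of them issues a DELETE.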
Questions ??
Thank You
McAfee Sales Team
Derrick Honea derrick_honea@mcafee.com Sumeet Gohri sumeet_gohri@mcafee.com