McAfee IntruShield Training

McAfee Product Education

The McAfee® IntruShield® course is an essential component of a successful intrusion prevention strategy. If you’re a knowledgeable administrator, this course puts you on the path to becoming an intrusion prevention expert. You’ll learn how to configure IntruShield to protect against real-world situations in hands-on lab sessions. You’ll immediately apply your new skills to improving protection for your business and take full advantage of your investment in McAfee IntruShield.

Course Details

Course Code

TRN-INTV-101-TCL

Duration

3 days

Objectives

  • Install, configure, and administer McAfee® IntruShield® sensors
  • Install and configure McAfee® IntruShield® Manager
  • Configure monitor ports
  • Change the port pair for outside/inside network
  • Manage administrative domains, users, and roles
  • Define and configure Alert Viewer for historical attacks
  • Define and configure Alert Viewer in historical consolidated view
  • Drilldown into Alert Viewer categories
  • Enable and start incident-generator service
  • Describe how to generate the three categories of reports
  • Manage policies with the policy editor and Alert Viewer
  • Configure filtering for policies
  • Configure ACLs on policies
  • Configure a VLAN or CIDR interface
  • Define a reconnaissance policy
  • Define a single denial of service (DoS) policy
  • Describe administrative functions
  • Describe how to configure MDR
  • Describe how to configure RADIUS & LDAP authentication

Prerequisites

  • Working knowledge of system administration concepts
  • Basic understanding of computer security concepts

Course Agenda

Day 1

Overview

Become an intrusion prevention expert through hands-on labs that simulate real-world situations and get the most out of your investment in McAfee IntruShield.

McAfee IntruShield overview

  • Trend: The vanishing perimeter
  • The evolving threat landscape
  • Attacks
  • Detecting attacks
  • What is an intrusion detection system?
  • IntruShield sensor appliances
  • IntruShield Security Management System
  • IntruShield architecture
  • IntruShield features and deployment flexibility
  • Overview of intrusion prevention

Day 2

Policies

  • Define an IntruShield policy
  • Expectations
  • What is a policy?
  • Preconfigured rule sets and policies
  • Rules for policies
  • Attack categories and severity range
  • Sensor actions
  • Notifications
  • Configuration
  • Alert filter editor
  • Managing alert filters
  • Rule set editor
  • Managing rule sets
  • Adding a rule set
  • Rule sets example
  • Building rule sets by attack names
  • A note on rule set creation: RFB attacks
  • Policy editor
  • Managing policies
  • Cloning a policy
  • Applying rule sets
  • Customizing exploit attacks
  • Attack search capabilities
  • Customizing exploit attack enforcement
  • Setting responses for attacks
  • DoS: Learning and threshold modes
  • Configuring a reconnaissance policy
  • Attack descriptions
  • Signatures
  • Attacks
  • Invalid flow alerting
  • Finding policies in the Manager interface
  • Policies/alert filters: Export/import
  • Viewing applied policies
  • Reassigning applied policies
  • The global attack response editor (GARE)
  • Indication of customization
  • Putting it all together
  • Lab: Defining a reconnaissance policy
  • Lab: Policy tuning
  • Lab: Reassigning a policy

Configuring virtual IDS

  • Define virtual IDS
  • Virtual internal firewall
  • Internal firewall protection
  • Granular policy management
  • VLAN/CIDR logical diagram overview
  • Port versus interface
  • Viewing interface details
  • Changing interface type
  • Adding VLANs
  • Defining and verifying VLAN interfaces
  • Applied policies and VLANs
  • Details of a VLAN interface
  • Assigning a VLAN to a child domain
  • Creating and verifying a VLAN sub-interface
  • Pushing changes to a sensor
  • Defining a CIDR interface
  • Assigning a CIDR block
  • Combination CIDR interface
  • Allocating CIDR sub-interface
  • Adding a range
  • Example of a CIDR block allocation error
  • Sub-interface details
  • Interface VLAN and CIDR limits
  • Lab: Creating a VLAN and CIDR interfaces
  • Lab: Apply different policies to multiple sub-interfaces
  • Lab: Virtualization lab
  • Lab: Interface group lab

Configuring ACLs

  • ACL overview
  • Access control lists
  • ACL configuration
  • Advantages over a typical ACL
  • Rule creation
  • Adding ACLs
  • Source IP/destination IP
  • Matching protocol/port number
  • Response action
  • Hierarchical ACL configuration
  • Sensor, port, interface, sub-interface rules
  • ACLs in span or tap mode
  • Logging and ACL logging suppression
  • Suppression example
  • Recommendations for ACLs
  • Enabling IP address anti-spoofing
  • IP spoofing detection
  • IP spoofing: CIDR
  • Alternative to CIDR
  • IPv6 blocking
  • Lab: Access control lists

Configuring DoS

  • What is distributed DoS?
  • DoS/DDoS IntruShield approach
  • DoS policy and traffic
  • IntruShield DoS prevention
  • DoS/DDoS attack tool and exploit signatures
  • Learning mode
  • Response sensitivity
  • Short-term profile
  • Categorical anomalies: Imbalance
  • Volume anomalies: Self-learning algorithm
  • Percentiles
  • Threshold mode, value, and interval
  • Manage DoS profiles
  • DDoS detection status
  • Viewing DoS profiles
  • DoS terminology and DoS ID
  • Customizing modes
  • DoS ID limits
  • Describe how to add DoS policies to sub-interfaces
  • Managing DoS/DDoS response actions
  • DoS detection, profiles, and filters
  • Policy inheritance
  • Viewing a DoS/DDoS alert: Alert Viewer
  • Lab: Configuring DoS policies
  • Lab: Denial of service

Alert Viewer

  • Define Alert Viewer
  • Alert cache and database
  • Describe how to acknowledge alerts
  • Describe how to sort alerts
  • Real-time versus historical
  • Viewer panels
  • Drilldown views
  • Acknowledging alerts
  • Configuring
  • Entercept, host sweep, port scan, and simple threshold alerts
  • Response tab
  • Editing attack properties: Policy level and GARE
  • Evidence report
  • NSLookup
  • File, drilldown, tools, and Microsoft® Windows® Manager
  • System health
  • Preferences
  • Detail panel and watch list
  • SSL proxy configuration and troubleshooting
  • Scripts: Content
  • JavaScripts
  • Troubleshooting script syntax
  • Life cycle of an alert
  • Lab: Working with the Alert Viewer
  • Lab: Configuring preferences
  • Lab: Examine system health
  • Lab: Sample drilldown scenario

Day 3

Incident generation and incident viewer

  • Define incident generation
  • Configure the Incident Generator Service
  • View incidents
  • Assign Incident Viewer workflow to a user
  • Starting the generator service
  • Configuring incident generator file
  • Viewing incidents
  • Viewer workflow
  • Lab: Enabling and starting incident generator service

Report Generator

  • Describe the Report Generator tool
  • Define the configuration report output
  • Define scheduled reports
  • IDS, configuration, and scheduled reports
  • Lab: Generating reports

Update Server

  • McAfee® Update Server
  • Signature update process
  • Downloading software and signature sets
  • Scheduling updates: Polling and scheduled “pushing”
  • Importing
  • Setting update server authentication
  • Updating sensors
  • Policy and configuration
  • Software

System administration

  • Describe system administration and configuration
  • User audit
  • System log
  • Notifications
  • SNMP and syslog forwarding
  • System fault messages
  • Managing nonstandard ports
  • Response action settings
  • Advanced TCP/IP settings
  • SSL decryption
  • Alert suppression
  • Maintenance tasks
  • Entercept integration

Tuning IntruShield

  • Process of tuning
  • Identifying false positives
  • Filtering
  • Steps to tuning
  • Tuning examples

Troubleshooting

  • Describe steps to harden the IntruShield Manager
  • Gather troubleshooting tips from the IntruShield knowledge base
  • Backup, restore, and tune the database
  • Changing parameters
  • Adding MySQL users

Configuring user-defined signatures

  • Describe a user-defined signature (UDS)
  • Describe IntruShield approach to UDS
  • Describe the process for creating a UDS
  • UDS configuration and editor
  • Creating a new signature
  • Lab: Creating a UDS