Network Security Platform 8.1 8.1.7.5-8.1.3.43

8.1.7.5-8.1.3.43-2.11.7 XC-Cluster Release Notes
Network Security Platform 8.1
Revision A

Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

This maintenance release of Network Security Platform provides a few enhancements and fixes to the Sensor software.

• Network Security Manager software version: 8.1.7.5
• Signature Set: 8.6.28.4
• M-8000XC Sensor software version: 8.1.3.43
• XC-240 Load Balancer software version: 2.11.7

Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use version 7.1.3.6. If you are using the Network Access Control module in M-series Sensors, continue to use version 7.5.3.30. That is, do not upgrade the Manager or the Sensors to 8.1 in such cases.

Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager Appliances.

This version of the 8.1 Manager software can be used to configure and manage the following hardware:

• 7.1, 7.5 and 8.1 M-series and Mxx30-series Sensors
• 8.1 Virtual IPS Sensors
• 7.1 and 8.1 NS-series Sensors
• 7.1, 7.5 and 8.1 XC Cluster Appliances
• 7.1, 7.5 and 8.1 NTBA Appliance software (Physical and Virtual)
• 7.1 I-series Sensors

Currently, port 4167 is used as the UDP source port for the SNMP command channel communication between the Manager and Sensors. This avoids opening all UDP ports for inbound connectivity from the SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port, 4167, for both IPv4 and IPv6 communication. With JRE version 1.7.0_45 this is no longer possible, so the Manager uses port 4166 as the UDP source port for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, update your firewall rules so that port 4166 is open; otherwise the SNMP command channel between those IPv6 Sensors and the Manager does not function.

New features

This release provides a few bug fixes for previously known Sensor software issues and does not include any new features.

Enhancements

This release of Network Security Platform includes the following enhancements:

L3/L4 error count enhancement
Previously, the error count for L3/L4 errors on a SPAN port could not be viewed, even when the errors crossed the specified threshold. With this maintenance release, a new counter, getL3L4errorDropCount, in the output of the debug command "show all datapath error-counters" provides the error count for L3/L4 errors.

SNMP OID enhancement
With this release, system parameters such as free memory, cache memory and buffer memory are monitored. The following SNMP OIDs are supported for system monitoring:

• Control Path System Free Memory: 1.3.6.1.4.1.8962.2.1.3.1.4.1.1.1.1
• Control Path System Cached Memory: 1.3.6.1.4.1.8962.2.1.3.1.4.1.1.2.1
• Control Path System Buffer Memory: 1.3.6.1.4.1.8962.2.1.3.1.4.1.1.3.1

SYN cookie and rate limiting enhancement
The M8000XC previously did not support SYN cookies or rate limiting. With this maintenance release, the M8000XC supports the SYN flood detection and blocking feature. The rate limiting policy is also supported with this release.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

ID #     Issue Description
964765   The Manager using Apache Struts is vulnerable to CVE-2014-0094.
964715   The Botnet DAT update fails on multiple Sensors.
962218   The effective time for Firewall and QoS policies is based on the local time zone of the corresponding Sensor.
960959   The SNMP server setting configuration is not displayed after saving, due to incorrect redirection.
960656   SNMP alert notification sometimes fails due to incorrect calculation of the Manager uptime.
959996   The Manager sends the wrong port speed value to the Sensor while configuring a monitoring port with SFP+.
959807   The alert filter in the Real-Time Threat Analyzer shows alerts from an unknown country, irrespective of the source and destination countries selected.
959410   The Manager raises an "INFO" alert for malicious files before the files are sent to ATD for analysis, and a "HIGH" alert after the files are confirmed to be malicious by ATD. Both alerts are generated with an "Acknowledged" flag. The "Acknowledged" flag remains the same irrespective of the severity of the alert, which makes it difficult to differentiate the alerts generated.
959221   The Real-Time Threat Analyzer shows an error for multicast host IPv4 addresses while creating a new exception object.
957285   The Protection Profile page stops responding when opened in the Chrome browser and eventually leads to Java crashing.
956340   The Manager fault for exceeding the 10,000 AD user groups limit is displayed incorrectly in the Manager.
954516   The scheduled configuration backup cannot be restored completely due to the inclusion of all the tables during backup.
953875   The password control settings display the wrong error message "minimum number of Characters should be between 1 and 20".
952088   The Real-Time Threat Analyzer triggers an attack by the host even after an exception object is created.
951549   The Manager's connection with the XC-240 load balancer is not recovered if the link is down for more than 9 minutes.
950005   When "Layer 7" data is selected to be included in the Next Generation report for alert data, the report is generated for dates not included in the report schedule.
949576   An incorrect pop-up message is displayed when the SSL flow count entered is more than the maximum allowed limit.
949202   Scripts for alert notification do not execute if the attack-severity variable ($ATTACK_SEVERITY$) is used.
947428   The Fault Log report generates events for template Sensors of an XC Cluster but not for other Cluster members.
946781   The Chrome browser crashes when the Manager is opened in Windows 8.0 mode.

The following table lists the low-severity Manager software issues:

ID #     Issue Description
962714   The malware archive fault message is misleading.

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

ID #     Issue Description
1012154  In rare scenarios, the Sensor either goes to layer 2 or reboots when new configuration updates are deployed to the Sensor.
1007014  When the Sensor experiences an abnormal reboot, or in a failover configuration when one of the Sensors reboots, the front end processor gets stuck in rare scenarios.
1005048  The SNMP Get/Walk executed on the Sensor returns the SCP file server credentials.
992436   The Firewall policy does not block some HTTPS applications.
982750   In a rare scenario, there is a traffic delay shortly after a signature or configuration update to the Sensor.
981250   The filename is missing in the Malware Details section of the alert details for GTI and ATD.
979110   When quarantine is enabled in the connection limiting policy, the first quarantined host is not released after the specified release time.
978286   ARP packets (matching the MAC flip flop event) are dropped, which leads to a network outage in rare scenarios. This happens when the MAC flip flop attack is disabled and "Heuristic Web Application Server Protection (WASP)" is enabled on any interface of the Sensor.
977449   After a Sensor name change, the $IV_SENSOR_NAME$ flag is not updated until the Sensor reboots.
973547   In a rare scenario, when SSL decryption is enabled, the "show sensor-load" command displays an incorrect value for the Sensor load.
973385   In a rare scenario, the Sensor reboots due to memory corruption in the malware detection process.
970872   When the PDF emulator engine is configured for malware detection, the Sensor reboots in certain scenarios.
969760   The GTI queries fail during DNS resolution when the Sensor processes a CNAME instead of the A record of the proxy server.
969563   Layer 7 data is missing for alerts generated by ATD.
968947   The Sensor throughput value is displayed as 9GB for 1GB ports in the Manager.
966281   In rare scenarios, routers running EIGRP experience neighbor adjacency flap while the Sensor processes the EIGRP update packets.
965633   In rare scenarios, malware detection misses can happen while processing SMTP traffic.
963593   In rare scenarios, when a malware policy is applied on the Sensor, the Sensor can suddenly reboot due to low memory resources.
961617   [Failover] In rare scenarios, the Sensor reboots during trace upload.
961429   In a rare scenario, the Sensor reboots with an exception when snort signatures are present.
957346   Customizing the Flow Packet logging on the Manager causes excessive packet logging from the Sensor to the Manager. This leads to database tuning failure, alert archival failure and so on.
957173   The Sensor causes RST packets to be sent out of order.
945675   In an extremely rare scenario, the traffic is not forwarded because of internal switch buffer exhaustion.
943598   In a rare scenario with SSL and malware functionality enabled, the SSL attacks are not detected.
941194   During a signature set update, the "HTTP: Attempt to read password file" attack may go undetected for a very short time.
923295   The Sensor occasionally raises the "HTTP: Web Application Server Attack Detected" alert incorrectly when a user edits or submits information in the internal web application.
908386   On rare occasions, the Application Visualization feature can cause a database connectivity fault with the "sumBandwidth" error.
907976   In a failover pair after upgrade, the Active Fail-Open kit status switches between "Inline" and "Bypass".

Resolved XC-240 software issues

The following table lists the medium-severity XC-240 software issues:

ID #     Issue Description
876784   The Management port will not link up when the Auto-negotiation feature is disabled.
876783   In case of XC-240 HA, synchronization might not happen for the dynamic spare port.
876778   The IPv6 address is not persisted on the Management port across an XC-240 reboot.
876775   Help required for commands.
876765   Changes to the CLI commands in XC-240.
876764   8-bit fragmented packets with a VLAN header were being dropped by the Sensor.
876762   On rare occasions, the Manager might show incorrect link information when the LBG is modified.
876760   Breaking and forming HA of XC-240 might result in HA not coming up.

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements.

Operating system (minimum required; the recommended operating system is the same as the minimum required). Any of the following; only the x64 architecture is supported:

• Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), English operating system
• Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), Japanese operating system
• Windows Server 2012 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system

Component     Minimum required                              Recommended
Memory        8 GB                                          8 GB or more
CPU           Server model processor such as Intel Xeon     Same
Disk space    100 GB                                        300 GB or more
Network       100 Mbps card                                 1000 Mbps card
Monitor       32-bit color, 1440 x 900 display setting      1440 x 900 (or above)

The following are the system requirements for hosting the Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system (minimum; the recommended operating system is the same as the minimum required). Any of the following; only the x64 architecture is supported:

• Windows Server 2008 R2 Standard or Enterprise Edition with SP1, English operating system
• Windows Server 2008 R2 Standard or Enterprise Edition with SP1, Japanese operating system
• Windows Server 2012 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system

Component     Minimum       Recommended
Memory        8 GB          8 GB or more
Virtual CPUs  2             2 or more
Disk space    100 GB        300 GB or more

Table 5-2 VMware ESX server requirements

Component                 Minimum
Virtualization software   ESXi 5.0, ESXi 5.1 or ESXi 5.5
CPU                       Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors: 2; Logical Processors: 8; Processor Speed: 2.00 GHz
Memory                    Physical Memory: 16 GB
Internal Disks            1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8.

Operating system (minimum required; the recommended operating system is the same): any of the following. The display language of the Manager client must be the same as that of the Manager server operating system.

• Windows 7 English or Japanese
• Windows 8 English or Japanese
• Windows 8.1 English or Japanese

Component     Minimum                                                    Recommended
RAM           2 GB                                                       4 GB
CPU           1.5 GHz processor                                          1.5 GHz or faster
Browser       Internet Explorer 9, 10 or 11                              Internet Explorer 11
              Mozilla Firefox                                            Mozilla Firefox 20.0 or above
              Google Chrome (App mode in Windows 8 is not supported)     Google Chrome 24.0 or above

If you are using Google Chrome, add the Manager certificate to the trusted certificate list.

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system     Browser
Lion, Mountain Lion      Safari 6 or 7

For more information, see the McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release:

Component                          Minimum Software Version
Manager/Central Manager software   • 7.1: 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14, 7.1.5.15
                                   • 7.5: 7.5.3.11, 7.5.5.6, 7.5.5.7, 7.5.5.10
                                   • 8.1: 8.1.3.4
M-8000XC Sensor software           • 7.1: 7.1.3.6, 7.1.3.51, 7.1.3.88, 7.1.3.106, 7.1.3.119
                                   • 7.5: 7.5.3.16, 7.5.3.30, 7.5.3.95, 7.5.3.108
                                   • 8.1: 8.1.3.5
XC-240                             • 2.9.2
                                   • 2.9.4

Known issues

For a list of known issues in this product release, see these McAfee KnowledgeBase articles:

• Manager software issues: KB81373
• XC-Cluster Sensor software issues: KB81377

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation
1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.