nsp gigabit optical fo kit 5.1

Upload: donald-lucero

Post on 06-Apr-2018


  • 8/3/2019 NSP Gigabit Optical FO Kit 5.1

    1/27

Gigabit Optical Fail-Open Bypass Kit Guide
revision 1.0

McAfee

Network Protection
Industry-leading network security solutions

McAfee Network Security Platform
Network Security Sensor
version 5.1


    COPYRIGHT

    Copyright 2001 - 2008 McAfee, Inc. All Rights Reserved.

    TRADEMARKS

    ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),

    ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION

    THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),

    NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,

    VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or

    its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks

    herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas. (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary ([email protected]), (C) 2000.
* Software copyrighted by Housemarque Oy, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued SEPTEMBER 2008 / Gigabit Optical Fail-Open Bypass Kit Guide 700-1825-00 / 1.0 - English


Contents

Preface ... iv
    Introducing McAfee Network Security Platform ... iv
    About this guide ... iv
    Audience ... v
    Conventions used in this guide ... v
    Related Documentation ... vi
    Contacting Technical Support ... vi
About the Kit ... 1
    Single-Mode vs. Multimode ... 1
    Controlling the switch ... 1
    Kit contents ... 1
Connecting the Fail-Open Kit to a Sensor ... 3
    Connecting the switch to sensors with LC-type ports ... 3
        Fail-open switch connected to ports 1A-1B ... 3
        Fail-open switch connected to ports 5A-5B ... 4
    Connecting the switch to sensors with SC-type ports ... 6
        Fail-open switch connected to ports 1A-1B ... 6
Installing the Bypass Switch in a rack ... 8
    Install the switch in the rack-mount panel ... 8
    Install the panel and switch(es) in a rack ... 9
Installing the Fail-Open Controller ... 10
    About the Fail-Open Controller ... 10
    Installing the Fail-Open Controller ... 11
Installing the Fail-Open Bypass Switch ... 12
    Installing the Fail-Open Switch ... 12
    Connecting the Bypass Switch to a Network Device ... 13
    Connecting the Bypass Switch to a sensor with LC ports ... 13
    Connecting the switch to a sensor with SC-type ports ... 14
    Connecting the Control port of the switch to the sensor ... 14
Configuring the sensor Monitoring Ports ... 15
Verify proper installation ... 17
    Status LED on the Bypass Switch ... 17
    Port and operating mode status ... 17
Troubleshooting ... 19
    Moving from bypass mode back to in-line mode ... 19
        Manual Sensor reboot ... 19
        Sensor error ... 19
    What happens in a Sensor failure? ... 20
    Common Problems and Solutions ... 20


Preface

This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

    Introducing McAfee Network Security Platform

McAfee Network Security Platform [formerly McAfee IntruShield] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

    What do you want to do?

    Learn more about McAfee Network Security Platform components.

    Learn how to Get Started.

    Learn about the Home page and interaction with the Manager interface.

    About this guide

The Gigabit Optical Fail-Open Bypass Kit (the Kit) minimizes the potential risks of in-line Network Security Sensor failure on critical network links.

The Gigabit Ethernet (GE) Monitoring ports on Network Security Sensors fail closed; thus, if the sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for GE ports requires the use of the optional external Bypass Switch provided in the Kit.

With the Bypass Switch in place, normal sensor operation supplies power to the switch via a control cable. While the sensor is operating, the switch is on and routes all traffic directly through the sensor. When the sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the sensor. Once the sensor resumes normal operation, the switch returns to the on state, once again enabling in-line monitoring.

This document describes the contents of the Kit; how to install the Kit for all Network Security Sensor models with GE ports, either standard GBIC or Small Form-factor Pluggable (SFP) ports; how the Kit functions; and what to expect during normal use.


    Audience

This guide is intended for use by network technicians and maintenance personnel responsible for installing, configuring, and maintaining McAfee Network Security Manager [formerly McAfee IntruShield Security Manager], who are not necessarily familiar with daily IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.

Conventions used in this guide

This document uses the following typographical conventions:

Convention | Example

Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font. | The Service field on the Properties tab specifies the name of the requested service.

Menu or action group selections are indicated using a right angle bracket. | Select My Company > Admin Domain > View Details.

Procedures are presented as a series of numbered steps. | 1. On the Configuration tab, click Backup.

Names of keys on the keyboard are denoted using UPPER CASE. | Press ENTER.

Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font. | Type: setup and then press ENTER.

Variable information that you must type based on your specific situation or environment is shown in italics. | Type: Sensor-IP-address and then press ENTER.

Parameters that you must supply are shown enclosed in angle brackets. | set sensor ip

Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation. | Caution:

Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. | Warning:

Notes that provide related, but non-critical, information are denoted using this notation. | Note:


    Related Documentation

The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

    Quick Tour

    Manager Installation Guide

    4.1 to 5.1 Upgrade Guide

    Getting Started Guide

    IPS Deployment Guide

    Manager Configuration Basics Guide

    Administrative Domain Configuration Guide

    Manager Server Configuration Guide

    Sensor CLI Guide

    Sensor Configuration Guide

    IPS Configuration Guide

NAC Configuration Guide

Integration Guide

    System Status Monitoring Guide

    Reports Guide

    User-Defined Signatures Guide

    Central Manager Administrator's Guide

    Best Practices Guide

    Troubleshooting Guide

    I-1200 Sensor Product Guide

    I-1400 Sensor Product Guide

    I-2700 Sensor Product Guide

    I-3000 Sensor Product Guide

    I-4000 Sensor Product Guide

    I-4010 Sensor Product Guide

    Gigabit Copper Fail-Open Bypass Kit Guide

Special Topics Guide: In-line Sensor Deployment

Special Topics Guide: Sensor High Availability

Special Topics Guide: Virtualization

Special Topics Guide: Denial-of-Service

    Contacting Technical Support

    If you have any questions, contact McAfee for assistance:

    Online

    Contact McAfee Technical Support http://mysupport.mcafee.com.


Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

    Phone

Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html).

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.


CHAPTER 1

About the Kit

The Kit contains a Bypass Switch and all the connectivity components to connect the switch to the GE Monitoring ports of any sensor model, and to connect a control cable between the sensor and the switch. Additional cables may be required to connect the Bypass Switch to your other network devices (routers, switches), and you may not require all the components included in the Kit (for example, you will use only one of the two types of Control cable included in the Kit).

    Single-Mode vs. Multimode

There are two models of the Kit: one for single-mode fiber networks and one for multimode fiber networks. Before installing your Bypass Switch, ensure that the Kit type is compatible with your network fiber type; each model functions properly only with its specific fiber type. The contents and installation procedures for both Kit models are the same.

    Controlling the switch

There is a different physical control requirement for the switch depending on the sensor model and port type. Certain sensor ports have built-in corresponding Fail-Open Control ports; others require a Fail-Open Controller. This is discussed in more detail in the section Connecting the Fail-Open Kit to a sensor (on page 3) in this document.

    Kit contents

    The following external hardware is shipped in both models of the Fail-Open Kit:


Qty | Item | Description

1 | Gigabit Fail-Open Controller | Connects the kit to sensors with SC-type Monitoring ports, and ports 5A/5B and 6A/6B of sensors with LC-type ports.

1 | Gigabit Optical Fail-Open Bypass Switch | Connects to the GE ports of all sensor models, either directly through the sensor's built-in control port or through the Fail-Open Controller.

1 | 19-inch rack-mount panel for 3 switches | 1RU mounting hardware to mount up to three Bypass Switches in a standard rack

1 | Gigabit Fail-Open Cable | Connects the Fail-Open Controller to one or two Bypass Switch(es).

2 | SC-SC cable | Standard cable (multimode or single-mode, depending on the Kit)

4 | 4-inch cable LC-SC | Converter (multimode or single-mode, depending on the Kit)

1 | 3-meter RJ45 - RJ11 cable | Connects the Bypass Switch to a built-in sensor Fail-Open Control port (I-3000 and I-4010 sensors only).

2 | LC-LC cable | (multimode or single-mode, depending on the Kit)

You may need to provide some of the following cables, depending on your sensor model and network devices:

    RJ45 - RJ45 cable to connect the Bypass Switch to the Fail-Open Cable

    LC-LC cables, to connect the Bypass Switch to sensor LC Monitoring ports

    SC-SC cables, to connect to network devices with SC-type ports


CHAPTER 2

Connecting the Fail-Open Kit to a Sensor

The Bypass Switch connects to any Sensor model with Gigabit Ethernet (GE) ports; the physical connection differs by Sensor model and port pair. This section illustrates the ways in which the switch can be connected to the different Sensor models.

    Connecting the switch to sensors with LC-type ports

The I-4010 and I-3000 sensors each have twelve LC-type Monitoring ports (six pairs), and each model supports up to six Kits.

    Figure 1: The I-4010 Sensor

Item | Description

1 | Sensor ports 1A/1B - 4A/4B control the switch via the built-in Fail-Open Control ports X1-X4, respectively.

2 | Sensor ports 5A/5B - 6A/6B control the switch via one Fail-Open Controller inserted into the Compact Flash port.

Fail-open switch connected to ports 1A-1B

This diagram shows a switch connected to one of the first four port pairs; thus the switch is controlled via the corresponding Fail-Open Control port, X1.


    Figure 2: Fail-open switch connected to ports 1A-1B

Item | Description

1 | Fail-Open Bypass Switch

2 | Fail-Open Control Port X1 (RJ11 connection)

3 | Control port on Bypass Switch (RJ45 connection)

4 | RJ45 - RJ11 cable

5 | Connection to network device (inside) (LC connection)

6 | Connection to network device (outside) (LC connection)

7 | PTx/SRx (inside) connection to port 1B (LC connection)

8 | STx/PRx (outside) connection to port 1A (LC connection)

Fail-open switch connected to ports 5A-5B

This diagram shows a switch connected to ports 5A/5B and controlled via a Fail-Open Controller installed in the Compact Flash port.


    Figure 3: Fail-open switch connected to ports 5A-5B

Item | Description

1 | Fail-Open Bypass Switch

2 | Fail-Open Controller in Compact Flash port.

3 | Fail-Open Control Cable, port A (RJ45 connection). Port B is used to connect a switch connected to 6A/6B.

4 | Control port on Bypass Switch (RJ45 connection)

5 | RJ45 - RJ45 cable

6 | Connection to network device (inside) (LC connection)

7 | Connection to network device (outside) (LC connection)

8 | PTx/SRx (inside) connection to port 5B (LC connection)

9 | STx/PRx (outside) connection to port 5A (LC connection)


    Connecting the switch to sensors with SC-type ports

Certain other sensor models have one or two SC Gigabit Ethernet Monitoring port pairs, and can support one or two Kits.

Figure 4: Sensors with SC-type Monitoring ports control the Bypass Switch (pictured is an I-4000 sensor)

Item | Description

1 | Sensors with SC-type Monitoring ports control the Bypass Switch via one Fail-Open Controller inserted into the Compact Flash port. Models with two port pairs can connect two Kits with a single Controller.

Fail-open switch connected to ports 1A-1B

The following diagram shows an SC-type GE port sensor with one Bypass Switch connected to ports 1A/1B of the sensor, and controlled via a Fail-Open Controller installed in the sensor's Compact Flash port.

    Figure 5: Fail-open switch connected to ports 1A-1B on I-4000 sensor


Item | Description

1 | Fail-Open Bypass Switch

2 | Fail-Open Controller in Compact Flash port

3 | Fail-Open Control Cable, port A (RJ45 connection). Port B is used to connect a switch connected to 2A/2B on an I-4000 sensor.

4 | Control port on Bypass Switch (RJ45 connection)

5 | RJ45 - RJ45 cable

6 | Connection to network device (inside) (LC or SC connection, depending on the device)

7 | Connection to network device (outside) (LC or SC connection, depending on the device)

8 | PTx/SRx (inside) connection to port 1A (SC connection)

9 | STx/PRx (outside) connection to port 1B (SC connection)

Note: A second Bypass Switch can be controlled via the second RJ45 port (port B) on the Fail-Open Cable. Thus, one Fail-Open Controller can control up to two switches. Port A is used to control the switch connected to 1A/1B; Port B controls the switch connected to 2A/2B.


CHAPTER 3

Installing the Bypass Switch in a rack

You can install between one and three Bypass Switches onto the Bypass Switch rack-mount panel. The rack-mount panel described in this section is included in the Fail-Open Kit.

Tip: This procedure is optional; if you do not wish to install the Bypass Switch onto a rack, you may set the switch directly on top of the Sensor or another network device.

    Install the switch in the rack-mount panel

1 Slide the switch into the center opening in the rack-mount panel, until the faceplate of the switch rests against the panel.

2 Secure the switch to the rack-mount panel by inserting the screws through the holes on the switch faceplate and into the panel.

Note: Additional Bypass Switches can be installed without removing the rack-mount panel from the rack.

To install up to two additional switches:

1 Remove the screws holding one of the removable blank plates from the front of the panel.

2 Follow the procedure for installing a switch in the rack-mount panel for the additional Bypass Switch(es).

    Figure 6: Install the switch in the rack-mount panel


    Install the panel and switch(es) in a rack

    1 Place the 1U panel against the front of a standard 19-inch rack.

2 Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.


CHAPTER 4

Installing the Fail-Open Controller

The Gigabit Fail-Open Controller is a card that inserts into the Compact Flash port on the sensor. In-line fail-open service is available only when the Controller is in place in the Compact Flash port.

    The Controller is used only to control the Bypass Switch for the following devices:

    any sensor with SC-type Monitoring ports

    ports 5A/5B and 6A/6B of sensors with LC-type Monitoring ports

Tip: If you are connecting the Bypass Switch to ports 1A/1B - 4A/4B of an LC-type sensor, you can skip to the next section.

    About the Fail-Open Controller

The Fail-Open Controller connects to the Bypass Switch by means of the Fail-Open Cable. This cable has two RJ45 ports and provides both power and heartbeat signal to up to two Bypass Switches.

    Figure 7: About the Fail-Open Controller

Item | Description

1 | Connects to the Fail-Open Controller

2 | Port A, connects to Sensor ports 1A/1B or 5A/5B, depending on Sensor model. (RJ45 connection)

3 | Port B, connects to Sensor ports 2A/2B or 6A/6B, depending on Sensor model. (RJ45 connection)


    Installing the Fail-Open Controller

    To cable the Controller:

    1 Connect the Fail-Open Cable to the Controller as shown in the following graphic.

    Figure 8: Installing the Fail-Open Controller

    2 Insert the Controller into the Sensor's Compact Flash port.

    Note: The Controller can be hot-swapped, that is, inserted or removed while the Sensor is online. However, McAfee recommends that you cable the Sensor for fail-open functionality while the Sensor is powered down. If the Sensor ports are enabled without the Controller in place, the Network Security Manager (Manager) will show the Bypass Switch as absent.

    Figure 9: Installing the Fail-Open Controller

    3 Connect the appropriate port of the Fail-Open Cable (A or B) to the Bypass Switch using an RJ45-RJ45 cable as described below in Installing the Fail-Open Switch.


    CHAPTER 5

    Installing the Fail-Open Bypass Switch

    Installing the fail-open bypass switch involves the following:

    Installing the Fail-Open Switch (on page 12)

    Connecting the Bypass Switch to a Network Device (on page 13)

    Connecting the Bypass Switch to a sensor with LC ports (on page 13)

    Connecting the switch to a sensor with SC-type ports (on page 14)

    Connecting the Control port of the switch to the sensor (on page 14)

    Installing the Fail-Open Switch

    To accurately detect attacks, the sensor must be aware of which traffic is outside the network and which traffic is inside. Identifying traffic direction is accomplished via proper cabling of the Bypass Switch as well as proper port configuration of the sensor Monitoring ports in the McAfee Network Security Manager (Manager).

    Note: For information on how to configure sensor ports via the Manager, see the Sensor Configuration Guide.

    The Fail-Open Module has four LC receptacles. The two on the left have A and B labels above the receptacles and a Network label below the receptacle (not shown in the following diagram). These connect to your network devices.

    The two on the right have A and B labels above the receptacles and a Monitor label below the receptacle (not shown in the following diagram). These connect to the sensor.

    Figure 10: Installing the Fail-Open Switch


    Field  Description
    1      To Sensor Fail-Open Control port or Fail-Open Controller
    2      To Network Device (inside)
    3      To Network Device (outside)
    4      PTx/SRx - inside (plugs into Sensor port xA)
    5      STx/PRx - outside (plugs into Sensor port xB)

    Connecting the Bypass Switch to a Network Device

    1 Plug an inside network cable connector into the Network LC receptacle labeled A (in a triangle) on the Bypass Switch.

    2 Plug the other end of this cable into the corresponding network device.

    3 Plug an outside network cable into the Network LC receptacle labeled B (in a triangle) on the Bypass Switch.

    Note: If the network device requires an SC connection, use the LC-SC adaptor and SC-SC cable included in the Kit.

    4 Plug the other end of this cable into the corresponding network device.

    Connecting the Bypass Switch to a sensor with LC ports

    1 Plug an LC-LC cable labeled PTx/SRx (inside) into the LC receptacle of port xA, where x is 1-4.

    2 Plug the other end of the LC cable into the Monitor LC receptacle labeled A (no triangle) of the Bypass Switch.

    3 Plug an LC-LC cable labeled STx/PRx (outside) into the corresponding xB peer port. (For example, if you used 2A in step 1, plug the cable into port 2B.)

    4 Plug the other end of this cable into the Monitor port labeled B of the Bypass Switch.

    Note: With this cable configuration, sensor Monitoring port 1A views traffic as originating inside the network, and port 1B views traffic as originating outside the network. Note that this configuration (1A = outside, 1B = inside) must match the port configuration specified for this sensor, and that the ports must be enabled. Port configuration is accomplished via the Manager, and is described in the Manager Server Configuration Guide.


    Connecting the switch to a sensor with SC-type ports

    1 Plug the SC end of an SC-LC cable labeled STx/PRx (outside) into the SC receptacle of port xA.

    2 Plug the LC end of the cable into the Monitor LC receptacle labeled A (no triangle).

    3 Plug the SC end of an SC-LC cable labeled PTx/SRx (inside) into the corresponding xB peer port. (For example, if you used 2A in step 1, plug the cable into port 2B.)

    Caution: Make sure that you cable inbound and outbound traffic correctly, matching the port configuration for these two ports on the sensor.

    4 Plug the other end of this cable into the Monitor port labeled B of the Bypass Switch.

    Connecting the Control port of the switch to the sensor

    For sensors with SC-type ports:

    1 Plug an RJ45 - RJ45 cable (not included in the Kit) into the Control port on the Bypass Switch.

    2 Plug the other end of the cable into the appropriate port (A or B) on the Fail-Open Cable.

    For the LC GE port sensors, ports 1A/1B - 4A/4B:

    1 A three-meter control cable is included in the Kit. Plug the control cable's larger (RJ45) connector into the Control port on the Bypass Switch.

    2 Plug the cable's smaller (RJ11) connector into the corresponding Fail-Open Control port on the sensor (X1-X4).

    For ports 5A/5B, 6A/6B of sensors with LC-type ports:

    1 Plug an RJ45 - RJ45 cable (not included in the Kit) into the Control port on the Bypass Switch.

    2 Plug the other end of the cable into the appropriate port (A or B) on the Fail-Open Cable.


    CHAPTER 6

    Configuring the sensor Monitoring Ports

    You configure the sensor's monitoring ports from the Manager interface. The port configuration must match the cabling of the switch, the ports must be set to In-line Fail-Open, and the ports must be enabled.

    To view/configure the settings of your monitoring ports:

    1 In the Manager interface, select Sensor_Name > Sensor > Configure Ports.

    2 Click a numbered port (for example 4A) from Monitoring Ports. A pop-up displays the current port settings.

    Figure 11: Sensor Monitoring ports


    3 Select the Port Speed.

    4 Set the Administrative Status to Enable (on).

    5 Select In-line Fail-open (Port Pair) as the Operating Mode.

    6 Confirm (Yes) that you have already connected the bypass switch and controller or control cable.

    Figure 12: Confirmation

    7 Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).

    8 Click Ok.

    9 Click Commit Changes.

    10 Repeat for any other ports you need to configure.

    11 Download the changes to your sensor by performing the steps in Updating the Configuration of a Sensor in the Manager Server Configuration Guide.


    CHAPTER 7

    Verify proper installation

    Once the Bypass Switch has been connected to the network and the Sensor, check the switch's green status LED to verify that the switch is receiving power from the Sensor, and check the port status and operating mode status in the McAfee Network Security Manager (Manager) interface to ensure that the port is enabled and in In-Line Fail-Open mode.

    Status LED on the Bypass Switch

    The green status indicator is located to the right of the Control port on the Bypass Switch.

    Light  Status
    ON     Switch is receiving power from the Sensor and traffic is passing to the Sensor.
    OFF    The switch is in bypass mode; it is not receiving power and is not passing network traffic to the Sensor.

    Port and operating mode status

    The port status and operating mode status for GE In-line Fail-open mode are detailed as follows:

    In-line Fail-Open Port Status  Port color on the virtual Sensor  Operating Mode Status
    In-line Fail-Open              Green    The in-line fail-open device is in in-line fail-open mode.
    In-line Bypass                 Yellow   The in-line fail-open device is in in-line bypass mode. The bypass switch has been activated. The Sensor does not monitor during this time.
    Unknown                        Orange   Unable to get the status of the in-line fail-open device from the Sensor. Check the Operational Status.
    Switch Absent                  Red      Fail-open controller is not present, controller cable is not present, or bypass switch is not present. Verify that all three components are connected properly. If everything is connected correctly, check the Operational Status.
    N/A                            Gray     Not Applicable; the operating mode is not in in-line fail-open mode.

    If you encounter any problems, see Common Problems and Solutions (on page 20).


    CHAPTER 8

    Troubleshooting

    How does the Bypass Kit work?

    During normal Sensor in-line, fail-open operation, the Fail-Open Controller or built-in Control port (depending on which controls the Bypass Switch) supplies power and a heartbeat signal to the Bypass Switch. If this signal is not presented within its programmed four-second interval, the Fail-Open Bypass Switch removes the Sensor from the data path and moves into bypass mode, providing continuous data flow with little network interruption.

    While the Sensor is in bypass mode, traffic passes directly through the switch, bypassing the Sensor.

    When normal Sensor operation resumes, you may or may not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure.

    The following section describes how to return the Sensor to in-line mode.

    Moving from bypass mode back to in-line mode

    Moving from bypass mode back to in-line mode involves the following:

    Manual Sensor reboot (on page 19)

    Sensor error (on page 19)

    Manual Sensor reboot

    Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual intervention is necessary. When the switch receives power and a heartbeat signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.

    Sensor error

    If the Sensor reboots due to internal error, hardware failure, removal of the Bypass Switch during normal operation, or disruption of the Sensor or Bypass Switch cables during Sensor operation, the Monitoring ports connected to the Bypass Switch are automatically disabled. You must re-enable the ports via the Manager to resume monitoring mode. When the ports are re-enabled, the Sensor resumes monitoring traffic in in-line mode.


    What happens in a Sensor failure?

    When a Sensor fails with the Bypass Kit in place, the following events occur in the order shown.

    1 The Manager reports a "Sensor in bad health" OR "Port pair is in bypass mode" error in the Operational Status window.

    2 The Sensor reboots and the Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Bypass Switch with minimal traffic disruption.

    Note: A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires the renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption should range from a couple of seconds to more than a minute with certain vendors' devices.

    3 Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:

    If the reboot happened during normal activity as described above, the Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

    If the reboot occurred due to an error, the Bypass Switch will continue to bypass the Sensor until the Sensor ports are re-enabled from the Manager.

    Once the ports are re-enabled, the Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

    Note: A very brief link disruption might occur while the links are renegotiated to place the Sensor back in in-line mode.

    4 The errors on the Manager are cleared and normal health is reported.
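    The heartbeat watchdog and the two recovery paths described in this chapter (normal reboot versus Sensor error), as an added Python simulation that is not McAfee code: the four-second interval and the disabling of the Monitoring ports after an error reboot come from the guide; the one-second tick, the 30-second reboot time, the class names and the assumption that the heartbeat is presented only while the ports are enabled are mine.

```python
from dataclasses import dataclass
from enum import Enum

HEARTBEAT_TIMEOUT = 4  # seconds: the switch's programmed heartbeat interval, from the guide

class Mode(Enum):
    IN_LINE = "In-line Fail-Open"  # green on the virtual Sensor: traffic passes through the Sensor
    BYPASS = "In-line Bypass"      # yellow: the switch forwards traffic around the Sensor

@dataclass
class BypassSwitch:
    last_heartbeat: int = -HEARTBEAT_TIMEOUT - 1  # no heartbeat yet: an unpowered switch bypasses

    def heartbeat(self, now: int) -> None:
        self.last_heartbeat = now

    def tick(self, now: int) -> Mode:
        # Watchdog: no heartbeat within the interval -> remove the Sensor from the data path.
        return Mode.BYPASS if now - self.last_heartbeat > HEARTBEAT_TIMEOUT else Mode.IN_LINE

@dataclass
class Sensor:
    up: bool = True
    ports_enabled: bool = True
    up_again_at: int = 0

    def reboot(self, now: int, due_to_error: bool, duration: int = 30) -> None:
        self.up, self.up_again_at = False, now + duration  # 30 s reboot time is a constructed value
        if due_to_error:
            self.ports_enabled = False  # guide: an error reboot disables the Monitoring ports

    def enable_ports(self) -> None:  # the operator re-enabling the ports from the Manager
        self.ports_enabled = True

    def step(self, now: int, switch: BypassSwitch) -> None:
        self.up = self.up or now >= self.up_again_at  # reboot finished
        # Assumption: the heartbeat is presented only while the Sensor is up and its ports are enabled.
        if self.up and self.ports_enabled:
            switch.heartbeat(now)

def simulate(events: dict, horizon: int) -> list:
    """One-second ticks; `events` maps a time to a callable(sensor). Returns (t, Mode) transitions."""
    sensor, switch, transitions = Sensor(), BypassSwitch(), []
    for t in range(horizon):
        events.get(t, lambda s: None)(sensor)
        sensor.step(t, switch)
        mode = switch.tick(t)
        if not transitions or transitions[-1][1] is not mode:
            transitions.append((t, mode))
    return transitions
```

    Running simulate with a reboot at t=10 shows the switch dropping to bypass four seconds after the last heartbeat and, after an error reboot, staying there until enable_ports is called, which is the manual step the Manager requires.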

    Common Problems and Solutions

    This section lists some common installation problems and their solutions.

    Problem: LED is off
    Possible cause: The control cable has been disconnected.
    Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch. This includes the Fail-Open Controller; ensure it is properly inserted in the Compact Flash port.

    Problem: LED is off
    Possible cause: The Sensor is powered off.
    Solution: Restore Sensor power.

    Problem: LED is off
    Possible cause: The Sensor port cable is disconnected.
    Solution: Check the Sensor cable connections.

    Problem: Sensor is operational, but is not monitoring traffic
    Possible cause: Network device cables have been disconnected.
    Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch.

    Problem: Sensor is operational, but is not monitoring traffic
    Possible cause: The Sensor ports have not been enabled in the Manager.
    Solution: The Sensor will not monitor traffic on the ports unless the ports are enabled in the Manager. Ports are disabled in a Sensor failure; they must be re-enabled for Sensor monitoring to resume.

    Problem: Network or link problems
    Possible cause: Improper cabling or port configuration.
    Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.

    Problem: Runts or giants errors on switch and routers
    Possible cause: Improper cabling or port configuration.
    Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.

    Problem: The system fault "Switch absent" appears in the Operational Status page of the Manager
    Possible cause: The control cable has been disconnected.
    Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch. This includes the Fail-Open Controller; ensure it is properly inserted in the Compact Flash port.