Brokers can be arranged into a hierarchy to provide failover protection. When supporting multiple regions or data centers, additional brokers can be added to serve those areas; the goal is to minimize WAN communication and network latency. When multiple brokers are present within the DXL topology, all brokers must be defined in a parent-child relationship. Hubs supply load balancing and high availability in an Active-Active configuration. When clients connect to a hub, the client randomly chooses one of the hub's DXL brokers and switches to another on failure.
The general rule is that any broker that has children should be configured as a hub, to prevent a single point of failure. DXL clients maintain a persistent connection to their brokers. The closest broker is determined via ICMP hop counts; if ICMP is disabled in the environment, the client simply round-robins the brokers. The settings within the DXL client policy can be modified to restrict clients to connect only to a specific broker, hub, or branch of the fabric.
Service zones are groups of brokers that allow you to control how requests are routed on the fabric. For example, if you have multiple McAfee Threat Intelligence Exchange servers and brokers across geographical locations, you can create service zones that contain brokers and services.
Clients connected to a broker in a service zone access services in that zone first. If those services are not available, the broker routes the request to services in other zones. Services like McAfee Threat Intelligence Exchange must have a policy that restricts them to one specific hub to enforce the distribution of services across the fabric.
The number of brokers needed is determined by the customer's geographic and network configuration. For details on the supported virtualization methods for the server, refer to KB. The first two McAfee Threat Intelligence Exchange servers installed automatically have an operation mode assigned: primary and secondary instances.
For each additional server instance, you need to manually configure the operation mode after completing the installation. All server appliances can also be configured to include the DXL broker. This is done during the initial configuration wizard.
For a new deployment, it is advisable to configure the McAfee Threat Intelligence Exchange server to also include a DXL broker, unless firewalls or other limitations prevent it. This setting is optional.
File and certificate reputations are determined at the time a file is executed on a managed system. The reputation and file metadata are provided to the McAfee Threat Intelligence Exchange server via one of the available reputation provider sources. These sources can be any of the currently available DXL-enabled products, including:
The McAfee Threat Intelligence Exchange database can store reputation data for any file type; however, the file types analyzed and submitted depend on the file types supported by the installed point products.
The specific workflow used to determine a file or certificate reputation also depends on the reputation providers available within the environment. McAfee Threat Intelligence Exchange stores reputation results as a numeric value between 0 and the top of its scale. Each numerical score maps to a reputation result as follows:
This is the reputation that can be manually set within McAfee ePO and is used to mark files or certificates with a specific user-defined reputation. It can be used to override an existing local or GTI-based reputation. The composite reputation is the potential effective reputation score based on all available definitive reputations. If none of the above apply, the composite reputation reflects the associated GTI certificate reputation. If there is no associated GTI certificate reputation available, the composite reputation reflects the definitive reputation using the following order:
See KB for additional details and examples. An unknown reputation is displayed when the reputation score is determined to be 50, falling into the middle of the scale.
These are files where there is not enough data to set a confirmed trusted or confirmed malicious reputation. It is expected that all McAfee Threat Intelligence Exchange environments mark some files with the unknown reputation score.
Follow KB for guidance on managing unknown reputations.
If there is an error on a specific primary or secondary server instance, it is highlighted in red.
This check verifies database size, local connections, and maintenance executions. Errors will be displayed if:
This check verifies whether replication of the database is running. It is applicable only to secondary and secondary-reporting server instances. Replication of the database between the primary and each secondary can fall out of sync when there is high network latency between the primary and the secondary. In these scenarios, replication can be reset by running the following command on each secondary:
```bash
replication-monitoring -c reset
```
This check is applicable to all server instances except secondary-reporting server instances. If the server requires a proxy for its internet connection, check that the proxy is properly configured through the assigned McAfee Threat Intelligence Exchange server policy.
This check returns the status of the cache mode: its initialization state, the percentage of usage, and the number of objects saved.
This check verifies whether the connection to McAfee Advanced Threat Defense is enabled and properly configured.
How do I manage the information it is collecting? See the recommended workflow in KB.
DXL client upgrades are managed by the platform package installed as part of upgrading the server version. Before upgrading servers or DXL broker appliances, validate the embedded DXL client version being installed and confirm that the DXL extensions are the same version or newer.
Two certificates validate McAfee TLS chains: a primary expiring in and a secondary expiring on May 30. If either certificate, or both, are present in your environment, TLS will function correctly prior to May 30. After May 30, only the primary certificate will be valid.
Out of an abundance of caution, McAfee is informing customers of this impending event. Generally, certificates are auto-updated through operating systems and customers will not be impacted.
However, in environments where automatic management of root certificates is disabled and the primary certificate has not been manually deployed, customers may be impacted. KB provides information on how to verify and install the primary certificate. Failure to have a valid certificate will cause product issues, including reduced detection efficacy. Subscribe to KB to receive updates.
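Where automatic root-certificate management is disabled, a repeatable check that the required root is present and does not expire before the cutoff is the practical follow-up to the advice above. The following is an added example, not McAfee's own tooling or code from this page: it audits CA certificates in the dict shape exposed by Python's ssl module by subject common name. The common names, the expiry dates and the cutoff year are constructed placeholders, since the page does not name the certificates or give the year.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by SSLContext.get_ca_certs().
# The common names and dates are placeholders, not the real McAfee root CAs.
SAMPLE_CA_CERTS = [
    {"subject": ((("commonName", "Placeholder Primary Root CA"),),),
     "notAfter": "Dec 31 23:59:59 2030 GMT"},
    {"subject": ((("commonName", "Placeholder Secondary Root CA"),),),
     "notAfter": "May 30 23:59:59 2025 GMT"},
    {"subject": ((("commonName", "Unrelated Root CA"),),),
     "notAfter": "Jan 01 00:00:00 2040 GMT"},
]

# Constructed cutoff: the day after the May 30 date; the year is a placeholder.
DEFAULT_CUTOFF = datetime(2025, 5, 31, tzinfo=timezone.utc)


def common_name(cert):
    """Extract the subject commonName from a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(certs, wanted_cns, cutoff):
    """Map each wanted CN to 'missing', 'expires-before-cutoff', or 'ok'."""
    by_cn = {common_name(c): c for c in certs}
    report = {}
    for cn in wanted_cns:
        cert = by_cn.get(cn)
        if cert is None:
            report[cn] = "missing"
            continue
        # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form.
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        report[cn] = "ok" if not_after > cutoff else "expires-before-cutoff"
    return report


def audit_system_store(wanted_cns, cutoff=DEFAULT_CUTOFF):
    """Run the audit against the roots the default SSL context loads.
    Roots in an OpenSSL CApath directory are only enumerated once used, so an
    empty get_ca_certs() result may mean 'not enumerable', not 'absent'."""
    ctx = ssl.create_default_context()
    return audit_roots(ctx.get_ca_certs(), wanted_cns, cutoff)
```

Run `audit_system_store(["<your primary root CN>"])` on a host to get the per-CN status for the live trust store.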
Components
McAfee Threat Intelligence Exchange Server: Runs a PostgreSQL database that stores information about file and certificate reputations received from the reputation providers available within the environment and from cloud-based sources such as McAfee Global Threat Intelligence.
McAfee Threat Intelligence Exchange Client: Lets you determine what happens when a file with a malicious or unknown reputation is detected in your environment.
Operation Modes
Multiple McAfee Threat Intelligence Exchange server appliances can be deployed in different operation modes to offer scaling and failover capabilities.
Operation modes:
Primary: Holds and writes the McAfee Threat Intelligence Exchange server database and replicates the updates to all secondary instances. There can be only one primary server at a time. A primary server serves queries while it aggregates updates from replicas and pushes out database changes.
Write-Only Primary: Only aggregates changes and pushes out updates, including file metadata and reputation update requests. This mode does not process endpoint requests; therefore, if write-only primary servers are present, there must be at least one secondary instance. In a large network, it is recommended to have a write-only primary server dedicated to processing updates and settings.
Secondary: Processes DXL requests exactly like a primary instance, using a database that is replicated from the primary server. It does not process reputation requests.
Reputation Cache: An in-memory cache synchronized through DXL that minimizes network requirements and provides endpoint operational reputation services. Because it resides in memory, the reputation cache rebuilds after a reboot. The reputation cache server role requires a specific DXL topology configuration.
Supercharge Endpoint Protection: Broader threat intelligence helps make accurate file execution decisions and customize policies based on risk tolerance.
Gain Immediate Visibility: Enable better decision-making to handle never-before-seen and potentially malicious files.
Combine Threat Intelligence Combine and share threat information from McAfee Global Threat Intelligence, third parties, and locally collected data from your security solutions. Share Threat Data Share real-time security intelligence among endpoint, gateway, network, and data center security solutions.