Installation Guide, Revision B
McAfee Cloud Workload Security 5.0.0
2018-01-10


COPYRIGHT

Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Cloud Workload Security 5.0.0 Installation Guide

Contents

1 Installation of Cloud Workload Security
    Cloud Workload Security packages and McAfee suites
    Requirements
    Installing the Cloud Workload Security extension
        Download and install the extension manually
        Install the extension through Software Manager
        Configure a deployment task for Linux group of systems
        Extension list on McAfee ePO
    Uninstall the extensions

2 Configuring cloud accounts and your security products
    Register an AWS cloud account
        Create an AWS user
        Create a user permission policy
        Assign the policy to a user
        Register an AWS account
    Configuring Microsoft Azure cloud accounts
        Create an application in the Microsoft Azure console
        Create an application using PowerShell script
        Finding Subscription ID, Tenant ID, and Client ID
        Configure client key
        Set delegated permissions
        Assign the application to your subscription
        Register a Microsoft Azure account
    Register a VMware vSphere account from the Accounts pane
    Register a McAfee Network Security Manager account
        Download the Virtual Probe
        Install the Virtual Probe
    Configuring your security products and viewing reports


1 Installation of Cloud Workload Security

McAfee® Cloud Workload Security is packaged in public, hybrid, and private variants to support different cloud vendor accounts. Install any of these Cloud Workload Security extensions on the McAfee® ePolicy Orchestrator® (McAfee® ePO™) server to deploy and configure your McAfee products based on your requirements.

Contents
• Cloud Workload Security packages and McAfee suites
• Requirements
• Installing the Cloud Workload Security extension
• Uninstall the extensions

Cloud Workload Security packages and McAfee suites

Cloud Workload Security is packaged in public, hybrid, and private variants to support different cloud vendor accounts.

Table 1-1 Cloud Workload Security packages

Cloud Workload Security for Public cloud
    Supported cloud vendors: AWS and Microsoft Azure
    Package name: Cloud_Workload_Security_Public_5.0.0

Cloud Workload Security for Private cloud
    Supported cloud vendors: VMware vSphere
    Package name: Cloud_Workload_Security_Private_5.0.0

Cloud Workload Security for Hybrid cloud
    Supported cloud vendors: VMware vSphere, AWS, and Microsoft Azure
    Package name: Cloud_Workload_Security_Hybrid_5.0.0

Each Cloud Workload Security package includes a license extension. You must install the license extension to enable traffic discovery, traffic assessment, traffic visualization, and Network Security Manager account registration.

Requirements

To install the Cloud Workload Security extension, make sure that you have compatible versions of McAfee ePO, McAfee Agent, and browsers.

McAfee ePO: 5.3.3, 5.9 (EPO590HF1208662), and 5.9.1
McAfee Agent: 5.0.5 and later. For more information, see KB90062.
Browsers: Google Chrome 62.0 and later, or Internet Explorer 11


Installing the Cloud Workload Security extension

You can install the Cloud Workload Security extension with the Software Manager utility on McAfee ePO, or by downloading and installing the extension from the McAfee download site.

Download and install the extension manually

Download and install the Cloud Workload Security package for your variant (Public, Private, or Hybrid) on the McAfee ePO server.

Task
1 From the McAfee download site (http://www.mcafee.com/us/downloads/), use your grant number and select your suite.

2 From the products listed, select and download Common UI 1.3 and your Cloud Workload Security variant.

3 Log on to the McAfee ePO server as an administrator.

4 Select Menu | Software | Extensions | Install Extension.

5 Browse to and select the extension file, then click OK.

Install Common UI 1.3 first, then install Cloud Workload Security.

The Install Extension page displays the extension names and version details.

Install the extension through Software Manager

Use McAfee ePO Software Manager to install the Cloud Workload Security extension.

Task
1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software, then click Software Manager.

3 From Software (by Label) | Messaging & Web Security, select Common UI 1.3 on McAfee ePO, then click Check In All.

4 From Software (by Label) | Endpoint Security, select your Cloud Workload Security 5.0 variant, then click Check In All.

Configure a deployment task for Linux group of systems

Create a deployment task to remove the Assurance Information Module Linux client from target systems in the System Tree.

Task
1 From the System Tree, select the Assigned Client Tasks tab.

2 Select Actions | New Client Task Assignment.

3 Select Product as McAfee Agent, and Task Type as Product Deployment.

4 Select a name for your task and click Create New Task.

5 Select Target Platforms as Linux, Products and Components as Assurance Information Module 2.0.0.595, and Action as Remove.

6 Click Save.


Extension list on McAfee ePO

After installing the Cloud Workload Security extension, you can see these extensions by selecting Menu | Extensions | McAfee | Data Center Security.

• CWS License extension
• Data Center Visualization
• Data Protection for Cloud
• AWS Connector
• Azure Connector
• Data Center Assessment
• vSphere Connector
• Data Center Metering
• MDCC

Uninstall the extensions

Remove the Cloud Workload Security software extensions from the Extensions page on the McAfee ePO server, then delete the registered cloud accounts so that no stale cloud credentials remain on the server.

Task
1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the Data Center Security group, then select the extensions in this order and click Remove.

    1 CWS License extension
    2 Data Center Visualization
    3 Data Protection for Cloud
    4 AWS Connector
    5 Azure Connector
    6 Data Center Assessment
    7 vSphere Connector
    8 Data Center Metering
    9 MDCC

Delete your cloud account from the McAfee ePO server by selecting Menu | Configuration | Registered Servers, then selecting Actions | Delete.


2 Configuring cloud accounts and your security products

You must register your cloud accounts with McAfee ePO to establish a connection with the McAfee ePO server. McAfee ePO then discovers, imports, and displays the cloud asset information on a single page.

After registering the cloud accounts on the Cloud Workload Security visualization page, you can view:

• Virtual networks and firewall (security group) information of your virtual machines in Cloud Workload Security.

• Imported VMs and virtualization properties on the McAfee ePO System Tree.

• Security products installed on every virtual instance.

Contents
• Register an AWS cloud account
• Configuring Microsoft Azure cloud accounts
• Register a VMware vSphere account from the Accounts pane
• Register a McAfee Network Security Manager account
• Configuring your security products and viewing reports

Register an AWS cloud account

You must register your AWS cloud accounts on McAfee ePO. Cloud Workload Security works with graduated levels of AWS privilege (EC2 discovery only, security group remediation, network traffic discovery, and workload shutdown), so grant the IAM user only the policies that match the features you intend to use.

Create an AWS user

On the Amazon Web Services management console, create an AWS user with an Access Key ID and Secret Access Key configured.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 From the Users section, click Create New Users.

4 Type a name for the user and select Generate an access key for each user.

5 Click Create.

6 Click Download Credentials and save the CSV file. These credentials contain both the Access Key ID and the Secret Access Key. Store the file where only the McAfee ePO administrators can read it: the secret access key is shown only at creation, and anyone holding it gets every permission you later attach to this user.


Create a user permission policy

Create a policy with the minimum permissions required for a user to use Cloud Workload Security.

Task
1 Log on to your Amazon Web Services management console.

2 From the Policies section, click Create New Policy.

3 From Create Policy, click Create Your Own Policy.

4 Type a name and description.

5 Configure your AWS account using policies based on the required privilege.

Policy for EC2 discovery/visibility

This set of rules lets you create an AWS user with a limited-privilege permission policy that can discover EC2 assets and read firewall (security group) rules.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}

Policy for remediation of Security Groups

This set of rules lets you create an AWS user with the privileges needed to remediate Security Groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}


Policy to enable Network Traffic Discovery

This set of rules lets the AWS user enable network traffic flow logs at the VPC level, so that Cloud Workload Security can discover network traffic logs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "iam:GetUser",
                "ec2:CreateFlowLogs",
                "ec2:DeleteFlowLogs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Create an IAM role with flow logs for your AWS account

An IAM role with flow log policies lets the VPC Flow Logs service publish the IP traffic flow of your virtual networks to CloudWatch Logs. You can view the IP traffic flows of your virtual networks in Cloud Workload Security.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 Enter the name McafeeFlowLogger for your role, then choose Next.

4 On the Select Role Type page next to Amazon EC2, click Select.

5 On the Attach Policy page, click Next Step.

6 On the Review page, make a note of the ARN for your role.

7 Select Create Role.

8 Type a name for your role.

9 Under Permissions, expand the Inline Policies section, and then select Click here.

10 Select Custom Policy, and click Select.


11 Copy this policy and paste it in the Policy Document window. Enter a name for your policy in Policy Name, then click Apply Policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

12 Select Edit Trust Relationship. Delete any existing policy document.

13 Copy and paste this policy, and click Update Trust Policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Only the VPC Flow Logs service principal should be able to assume this role; do not add other principals to the trust policy.

Policy for workload shut down

This set of rules lets you shut down the selected workload as a remediation measure. Because ec2:StopInstances is granted on Resource "*", this user can stop any instance in the account, so attach this policy only if you intend to use shutdown remediation.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:StopInstances",
            "Resource": "*"
        }
    ]
}

Assign the policy to a user

Assign the required policy to the user on the Amazon Web Services management console to give the user the necessary permissions.

Before you begin
• Ensure that you have created a new user.

• Ensure that you have created the required permissions policy.


Task
1 Log on to your Amazon Web Services management console.

2 On the AWS services page, click IAM from the Security, Identity & Compliance section.

3 In the left panel, select the user from the Users section.

4 On the Summary page, select the policy that you created, then click Attach Policy.

5 Go back to the Summary page, then click the Security Credentials tab.

6 Click Create access key.

The secret access key is generated when you create the access key and is displayed only once. Use the access key ID and the secret access key when registering your cloud account in McAfee ePO.
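Before attaching these policies, a practitioner usually wants to confirm which privilege level each one really grants, and that the flow-log role's trust policy names only the VPC Flow Logs service. The following Python script is an added example for that purpose and is not McAfee's code: it carries the four permission policies and the trust policy printed in this section, classifies each action as read or write by its verb prefix (a heuristic of this example, not an AWS API), merges the levels you choose into one document, and checks the result against the 6144-character IAM managed-policy limit.

```python
"""Audit the IAM policy set from the Cloud Workload Security guide before
attaching it to the connector's IAM user.

Added example, not McAfee's code. The policy and trust documents are the
ones printed in the guide; the read/write split by action verb prefix and
the 6144-character limit check are this script's own.
"""
import json

# Permission policies from the guide, keyed by the privilege level they grant.
POLICIES = {
    "discovery": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
    },
    "sg_remediation": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
                "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags",
            ],
            "Resource": ["*"],
        }],
    },
    "traffic_discovery": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
                "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents",
                "logs:CreateLogStream", "logs:PutLogEvents", "iam:GetUser",
                "ec2:CreateFlowLogs", "ec2:DeleteFlowLogs",
            ],
            "Resource": ["*"],
        }],
    },
    "shutdown": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*"}],
    },
}

# Trust policy the McafeeFlowLogger role carries (from the guide).
FLOW_LOG_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

READ_PREFIXES = ("Describe", "Get", "List", "Filter")  # heuristic, not an AWS API


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit(policy):
    """Summarise what an Allow-only policy grants: write_actions are actions whose
    verb is not a read verb, wildcard_actions contain '*', unscoped is True when
    any statement applies to Resource "*"."""
    actions, unscoped = [], False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions.extend(_as_list(st["Action"]))
        unscoped = unscoped or "*" in _as_list(st["Resource"])
    return {
        "actions": len(actions),
        "write_actions": sorted(a for a in actions
                                if not a.split(":", 1)[1].startswith(READ_PREFIXES)),
        "wildcard_actions": sorted(a for a in actions if "*" in a),
        "unscoped": unscoped,
    }


def combine(levels):
    """Merge the chosen levels into one policy document (one unique alphanumeric
    Sid per statement) and refuse documents over the 6144-character limit."""
    statements = []
    for level in levels:
        for i, st in enumerate(POLICIES[level]["Statement"]):
            merged = {"Sid": f"{level.replace('_', '')}{i}"}
            merged.update({k: v for k, v in st.items() if k != "Sid"})
            statements.append(merged)
    doc = {"Version": "2012-10-17", "Statement": statements}
    if len(json.dumps(doc, separators=(",", ":"))) > 6144:
        raise ValueError("combined policy exceeds the 6144-character limit")
    return doc


def trust_ok(trust, service="vpc-flow-logs.amazonaws.com"):
    """True only if every statement lets exactly that one service principal call
    sts:AssumeRole; any other principal could assume the log-writing role."""
    stmts = trust["Statement"]
    return bool(stmts) and all(
        st.get("Effect") == "Allow"
        and st.get("Action") == "sts:AssumeRole"
        and st.get("Principal") == {"Service": service}
        for st in stmts
    )


if __name__ == "__main__":
    for level, pol in POLICIES.items():
        print(level, audit(pol))
    print("flow-log trust policy ok:", trust_ok(FLOW_LOG_TRUST))
```

Run it as-is to print a summary per level, then attach only the combined document for the levels you intend to use. Every policy in the guide is scoped to Resource "*", so the audit reports each one as unscoped; the script reports this rather than rewriting the policies, because the guide does not describe any narrower scoping that the product supports.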

Register an AWS account

Register an AWS account with McAfee ePO so that McAfee ePO can communicate with the AWS cloud.

Before you begin
Ensure that these conditions are met:

• You have your AWS account and its details ready.

• AWS users have an access key ID and a secret access key set up for them in the AWS console.

• AWS users have permissions to use Cloud Workload Security.

• To view IP traffic flows in your virtual network, the account you are registering with McAfee ePO has an IAM role with flow log policies.

• You installed the Cloud Workload Security extension on McAfee ePO.

• Your McAfee ePO system date and time are synchronized with the current date and time.

Task
1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | Cloud Workload Security, to open the Cloud Workload Security page.

3 From the Accounts pane, click Add Account, to open the Registered Cloud Account pane.


4 From the Select Account Type drop-down list, select Amazon Web Service and type these details.

Name
    A name for the AWS account in McAfee ePO. Account names can include the characters a–z, A–Z, 0–9, and [_.–], without spaces.

Access Key ID
    Type the access key ID used by the AWS connector to log on to AWS. Each user can be configured to have an Access Key ID in the AWS console. For details, see Create an AWS user.

Secret Key ID
    Type the secret access key used by the AWS connector to log on to AWS. Each user can be configured to have a Secret Access Key in the AWS console. For details, see Create an AWS user.

Enable Traffic Discovery
    Select to discover and view traffic flow logs for instances in your AWS accounts.

Assessment Policy
    Click Assessment Policy to select the policy to be applied to your AWS account, or click the adjacent icon to go to the Policy Catalog page to create or select a policy.

McAfee ePO Tags (separated by commas)
    List of McAfee ePO tags that are applied to VMs discovered for this AWS account. Tag names can include the characters a–z, A–Z, 0–9, and [_.–], with spaces. For details about tag usage, see the product documentation for McAfee ePO.

Sync Interval (In Minutes)
    Specify the interval for McAfee ePO to AWS synchronization (the default value is 5 minutes; the maximum value is 60 minutes). If you specify a sync interval of 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Select GovCloud if the AWS account belongs to the AWS GovCloud (US) region. Otherwise, leave it deselected.

6 Select Enable Traffic Discovery if you want to view traffic details for your instances.

7 (Optional) Windows Domain Logon Credentials: type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the AWS cloud can communicate with each other.

8 Click Test Connection to validate the account details and verify the connection to the AWS cloud.

9 Click Submit to register the cloud account.

This action registers the AWS cloud and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the AWS cloud. The VMs that are already added and managed by McAfee ePO are retained with their existing policy settings.

10 View the imported VMs:

• Select Menu | Systems | Cloud Workload Security on McAfee ePO to view, assess, and remediate your cloudasset information.

• Select Menu | System Tree in McAfee ePO. You can find your AWS account under the group AWS. The virtual machines from AWS are logically grouped with the hierarchy AWS | Cloud account name | Region | Availability zone | instances.


Configuring Microsoft Azure cloud accounts

You can configure and register your Microsoft Azure account on McAfee ePO, then view your cloud account details in the System Tree and on the Cloud Workload Security dashboard.

Create an application in the Microsoft Azure console

Create an application in Microsoft Azure Active Directory to access the resources in your subscription. An application created this way can be assigned default roles only; to create custom roles, use the PowerShell script instead.

Before you begin
Ensure that these conditions are met:

• You have installed the Azure Resource Manager modules in Microsoft Azure PowerShell.

• You have registered the Microsoft.insights provider under User Account | My Permissions | Resource provider status.

You can get your client ID, tenant ID, and configure your Client key after creating the application.

Task

1 Log on to the Microsoft Azure portal and select Active Directory from the left pane.

2 Select the directory that you want to use for creating the application.

3 Click Applications and then click Add.

4 On the What do you want to do? page, select Add an application my organization is developing.

5 Type a name for your application and select WEB APPLICATION AND/OR WEB API and click Next.

6 Type the properties for your application. For SIGN-ON URL, give the URI of a website that describes your application. The existence of the website is not validated. For APP ID URI, provide the URI that identifies your application. The uniqueness or existence of the endpoint is not validated.

7 Click Complete to create your application.

Create an application using PowerShell script

Create an application using the PowerShell script to create custom roles. You can access the tenant ID, client ID, and client key from the automatically generated MicrosoftAzurecloudaccountdetails.txt file. Treat that file as a secret: it contains the client key in clear text, so restrict access to it and delete it once the account is registered in McAfee ePO.

Before you begin
Ensure that these conditions are met:

• You have installed the Azure Resource Manager modules in Microsoft Azure PowerShell.

• You have registered the Microsoft.insights provider under User Account | My Permissions | Resource provider status.

For more information about Azure PowerShell, see https://docs.microsoft.com/en-us/powershell/azure/overview?view=azurermps-5.1.1 and KB87316.

Task

1 Download the required PowerShell script and copy it to the PowerShell installation folder.

Ensure that you have downloaded the correct script according to your Cloud Workload Security version.

2 Log on to PowerShell as administrator.


3 Enter cd "<PowerShell directory path>" to change to the directory.

4 Enter .\MicrosoftAzure_Prerequisite.ps1 to run the script.

5 Enter the required parameters according to your subscription.

You must register Microsoft.insights provider for traffic discovery.

• For a single logged on user, select one of these in the Register Cloud Accounts window.

• McAfee CWS Basic — This set of rules allows you to discover Azure instances and Network Security Group (NSG) rules.

• McAfee CWS Advanced — This set of rules allows you to discover Azure instances and NSG rules, and to remediate NSG rules.

• For multiple subscriptions associated with one account:

• Create a web application for:

• Selected subscriptions

• All subscriptions

• In the Register Cloud Accounts window, select:

• McAfee CWS Basic

• McAfee CWS Advanced

NSG flow logs allow Network Watcher to view information about the traffic in the NSG. When Network Watcher is enabled, the retention period set by Cloud Workload Security for NSG flow logs is 15 days. You can reconfigure the retention period under Network Watcher in the Azure portal. For more information, see https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal.


Finding Subscription ID, Tenant ID, and Client ID

After creating your application, make a note of the subscription ID, tenant ID, and client ID.

• The subscription ID for your Microsoft Azure account is listed in Subscriptions | SUBSCRIPTION ID.

• Select the application that you created and click Configure to see your Client ID.

• Click VIEW ENDPOINTS to see the App Endpoints page. Your tenant ID is the GUID that appears in every endpoint URL listed on this page, directly after the host name.


Configure client key

Configure your client key in Microsoft Azure Active Directory for your application.

Before you begin
Ensure that you have created an application in your Microsoft Azure Active Directory.

Task
1 Log on to the Microsoft Azure portal.

2 Select the application that you created and click Configure.

3 Scroll down to the Keys section and select how long you would like your password to be valid.

4 Select the duration and click Save to create the key.

Copy the key displayed in the application and keep it in a secret store until you register the account. You cannot retrieve it after you leave this page; if it is lost, create a new key.
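The values collected in Finding Subscription ID, Tenant ID, and Client ID and in Configure client key are easy to mix up, and the McAfee ePO form rejects nothing until Test Connection. The following Python script is an added example, not McAfee's code: it derives the tenant ID from the App Endpoints URLs (the GUID is the first path segment of each URL), checks that the three IDs are GUIDs and that the account name follows the McAfee ePO naming rule, and builds, without sending it, the client-credentials token request in which a connector would use these values. SAMPLE_ENDPOINTS and all IDs are constructed; the Azure AD v1 token endpoint form and the Service Management resource URI are assumptions of this example and are not stated in the guide.

```python
"""Preflight the values for the McAfee ePO "Register a Microsoft Azure account" form.

Added example, not McAfee's code. SAMPLE_ENDPOINTS and the IDs used with it are
constructed. The v1 token endpoint (https://login.microsoftonline.com/<tenant>/
oauth2/token) and the Service Management resource URI are assumptions about the
Azure side, not statements from the guide.
"""
import re
from urllib.parse import urlencode, urlparse

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_RE = re.compile(rf"^{GUID}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")  # ePO account name rule: no spaces

# Constructed: the kind of URLs the App Endpoints page lists. Every one embeds
# the same tenant GUID as the first path segment.
SAMPLE_ENDPOINTS = [
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/federationmetadata/2007-06/federationmetadata.xml",
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/wsfed",
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize",
]


def tenant_id_from_endpoints(urls):
    """Return the tenant GUID shared by all endpoint URLs; raise if any URL lacks
    one or the URLs disagree (a sign you copied endpoints from two directories)."""
    found = set()
    for url in urls:
        first_segment = urlparse(url).path.strip("/").split("/")[0]
        if not GUID_RE.match(first_segment):
            raise ValueError(f"no tenant GUID in {url}")
        found.add(first_segment.lower())
    if len(found) != 1:
        raise ValueError(f"endpoints name different tenants: {sorted(found)}")
    return found.pop()


def validate_registration(details):
    """Return a list of problems with the form values; an empty list means well-formed."""
    problems = []
    for field in ("subscription_id", "tenant_id", "client_id"):
        if not GUID_RE.match(details.get(field, "")):
            problems.append(f"{field} is not a GUID")
    if not details.get("client_key"):
        problems.append("client_key is empty; it is shown once at creation, so make a new key if lost")
    if not NAME_RE.match(details.get("account_name", "")):
        problems.append("account_name may only use a-z, A-Z, 0-9, _ . - and no spaces")
    return problems


def token_request(details, resource="https://management.core.windows.net/"):
    """Build the client-credentials request that turns Tenant ID, Client ID and
    Client Key into an access token. Returns (url, form_body); nothing is sent.
    The endpoint form and default resource URI are assumptions of this example."""
    url = f"https://login.microsoftonline.com/{details['tenant_id']}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": details["client_id"],
        "client_secret": details["client_key"],
        "resource": resource,
    })
    return url, body


if __name__ == "__main__":
    tenant = tenant_id_from_endpoints(SAMPLE_ENDPOINTS)
    form = {
        "account_name": "azure_prod",
        "subscription_id": "22222222-3333-4444-5555-666666666666",  # constructed
        "tenant_id": tenant,
        "client_id": "33333333-4444-5555-6666-777777777777",  # constructed
        "client_key": "constructed-client-key",
    }
    print("problems:", validate_registration(form))
    print("token endpoint:", token_request(form)[0])
```

Run the checks against the values you are about to paste into the Registered Cloud Account pane; the returned problems list tells you which field to fix before Test Connection fails with a less specific error.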

Set delegated permissions

Set the delegated permissions to access the web APIs from the registered account.

Before you begin
Ensure that you have created your application.

Task
1 Log on to the Microsoft Azure portal.

2 Select the application that you created, then click Configure.

3 Select Add Application.

4 From the list in the Name field, select Windows Service Management API, then click Complete.

5 From Permissions to other applications, for Windows Azure Service Management, set the Delegated Permission to Access Azure Service Management as organization.

Assign the application to your subscription

Assign a role to your application and assign it to your Microsoft Azure subscription.

Before you begin
• You created an application in the Microsoft Azure console.

• You configured the Client key for your application and set the delegated permissions.

Task
1 On the Microsoft Azure console, click Subscription.

2 Select your subscription, and click Access icon.

3 Click Add | Select a role and select Contributor. Contributor can create, modify, and delete every resource in the subscription, so protect the application's client key as you would a subscription administrator's password.

4 Click Add users and search for your application, click Select and click OK.

Your application is assigned to your subscription.


Register a Microsoft Azure account

Register a Microsoft Azure account with McAfee ePO so that McAfee ePO can communicate with the Microsoft Azure cloud.

Before you begin
Ensure that these conditions are met:

• You have your Microsoft Azure account and its details ready.

• You have created an application in the Microsoft Azure console.

• You have the Client ID and Tenant ID from the Microsoft Azure console after creating the application.

• You have configured the Client key for your application.

• You have set the delegated permissions for your application.

• You have assigned the newly created application to a role and to your Microsoft Azure cloud account subscription.

• You have installed the Cloud Workload Security extension on McAfee ePO.

• Your McAfee ePO system date and time are synchronized with the current date and time.

Task
1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | Cloud Workload Security, to open the Cloud Workload Security page.

3 From the Accounts pane, click Add Account, to open the Registered Cloud Account pane.


4 From the Select Account Type drop-down list, select Microsoft Azure, then type the details.

Account Name
    Specify a name for the cloud account in McAfee ePO. Account names can include the characters a–z, A–Z, 0–9, and [_.–], without spaces.

Azure Endpoint
    Specify the URL of the Microsoft Azure endpoint. For a Microsoft Azure cloud account, the endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud provider.

Subscription ID
    Specify the subscription ID of your account. For details, see Finding Subscription ID, Tenant ID, and Client ID.

Tenant ID
    Specify the unique ID of your organization in Microsoft Azure Active Directory. For details, see Finding Subscription ID, Tenant ID, and Client ID.

Client ID
    Specify the unique ID of the application. For details, see Finding Subscription ID, Tenant ID, and Client ID.

Client Key
    Specify the client key of the application. For details, see Configure client key.

Assessment Policy
    Click Assessment Policy to select the policy to be applied to your Azure account, or click the adjacent icon to go to the Policy Catalog page to create or select a policy.

McAfee ePO Tags (separated by commas)
    Specify the McAfee ePO tags that are applied to the VMs discovered for this cloud account. Tag names can include the characters a–z, A–Z, 0–9, and [_.–], with spaces. For details about tag usage, see the product documentation for McAfee ePO.

Sync interval (In Minutes)
    Specify the interval for McAfee ePO to cloud synchronization (the default value is 5 minutes; the maximum value is 60 minutes). If you specify a sync interval of 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 (Optional) Windows Domain Logon Credentials: type the credentials to deploy the McAfee Agent package.

6 Click Test Connection to validate the account details and verify the connection to the cloud.

7 Click Submit to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with the existing policy settings.

8 View the imported VMs:

• Select Menu | Systems | Cloud Workload Security on McAfee ePO to view, assess, and remediate your cloudasset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Microsoft Azure account are logically grouped under different geographical zones in McAfee ePO.


Register a VMware vSphere account from the Accounts pane

Register a VMware vSphere account with McAfee ePO so that McAfee ePO communicates with the VMware vCenter, which manages the ESXi servers.

Before you begin
Ensure that:

• The VMware vCenter server that manages the ESXi servers is configured to host the guest VMs.

• The Cloud Workload Security extension is installed on McAfee ePO.

Task
1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security, to open the Cloud Workload Security page.

3 From the Accounts pane, click Add Account, to open the Registered Cloud Account pane.

4 From the Select Account Type drop-down list, select VMware vSphere.

5 On the vCenter Account Details page, type these details.

Account Name
    A name for the vCenter account in McAfee ePO. Account names can include the characters a–z, A–Z, 0–9, and [_.–], without spaces.

Server Address
    Specify the URL of the VMware vSphere endpoint.

vCenter Username
    Type the vCenter user name used to log on to vSphere. Use a dedicated account for this connector rather than an administrator's personal credentials, because McAfee ePO stores and reuses it on every sync.

vCenter Password
    Type the vCenter password used to log on to vSphere.

Assessment Policy
    Click Assessment Policy to select the policy to be applied to your vCenter account, or click the adjacent icon to go to the Policy Catalog page to create or select a policy.

McAfee ePO Tags (separated by commas)
    List of McAfee ePO tags that are applied to VMs discovered for this vCenter account. Tag names can include the characters a–z, A–Z, 0–9, and [_.–], with spaces. For details about tag usage, see the McAfee ePO product documentation.

Port
    Specify the port number.

Sync Interval (In Minutes)
    Specify the interval for McAfee ePO to vCenter synchronization (the default value is 5 minutes; the maximum value is 60 minutes). If you specify a sync interval of 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

6 (Optional) Windows Domain Logon Credentials: type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the vSphere cloud can communicate with each other.

7 Click Test Connection to validate the VMware vCenter account details and verify the connection to the VMware vCenter, then click Next to open the vCenter Summary page.

The summary page shows the vCenter, vCNS, and NSX summaries.


8 Click Submit to register the cloud account.

This action registers the VMware vCenter and imports all discovered virtual machines, which are unmanaged, into the McAfee ePO System Tree. The instances are imported with the same structure and hierarchy as in VMware vCenter.

The virtual machines that are already added and managed by McAfee ePO are retained with their existing policy settings, but the virtualization properties for these machines are added.

9 View the imported VMs:

• Select Menu | Systems | Cloud Workload Security on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your vCenter account under the group vSphere. The clusters and hosts from vCenter are logically grouped under each Data Center group in McAfee ePO.
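As an added example (not part of this guide or the McAfee product), the following Python script checks values intended for the vCenter Account Details form against the rules stated in the procedure above before an administrator types them in. The https-only endpoint check and the minimum sync interval of 1 minute are assumptions; everything else follows the table.

```python
import re
from dataclasses import dataclass
from typing import List

# Character rules from the vCenter Account Details table: account names allow
# a-z, A-Z, 0-9, underscore, dot and hyphen with no spaces; tag names also allow
# spaces. The dash in the printed range "[_.-]" is assumed to be a plain hyphen.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")
TAG_NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]+")

SYNC_DEFAULT_MINUTES = 5   # default stated in the guide
SYNC_MAX_MINUTES = 60      # maximum stated in the guide
SYNC_MIN_MINUTES = 1       # assumption: the guide states no minimum


@dataclass
class VSphereAccountForm:
    account_name: str
    server_address: str
    port: str                   # as typed in the form
    tags: str = ""              # comma-separated, as typed in the form
    sync_interval: str = ""     # empty means "use the default"


def parse_tags(raw: str) -> List[str]:
    """Split the comma-separated tag field, trimming whitespace and dropping empties."""
    return [t.strip() for t in raw.split(",") if t.strip()]


def effective_sync_interval(form: VSphereAccountForm) -> int:
    """Interval McAfee ePO would use: the typed value, or the default when blank."""
    value = form.sync_interval.strip()
    return int(value) if value.isdigit() else SYNC_DEFAULT_MINUTES


def validate(form: VSphereAccountForm) -> List[str]:
    """Return the rules the form breaks; an empty list means it passes."""
    problems = []
    if not ACCOUNT_NAME_RE.fullmatch(form.account_name):
        problems.append("account name: only a-z, A-Z, 0-9, _ . - and no spaces")
    # Assumption (not stated in the guide): require an https:// endpoint so the
    # vCenter credentials that ePO stores are never sent over plain HTTP.
    if not form.server_address.lower().startswith("https://"):
        problems.append("server address: must be an https:// URL")
    if not (form.port.isdigit() and 1 <= int(form.port) <= 65535):
        problems.append("port: must be a number from 1 to 65535")
    for tag in parse_tags(form.tags):
        if not TAG_NAME_RE.fullmatch(tag):
            problems.append(f"tag {tag!r}: only a-z, A-Z, 0-9, _ . - and spaces")
    interval = form.sync_interval.strip()
    if interval and not (interval.isdigit() and SYNC_MIN_MINUTES <= int(interval) <= SYNC_MAX_MINUTES):
        problems.append(f"sync interval: {SYNC_MIN_MINUTES}-{SYNC_MAX_MINUTES} minutes")
    return problems
```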

Register a McAfee Network Security Manager account

Register a McAfee Network Security Manager account with McAfee ePO so that McAfee ePO can communicate with the Network Security Manager server.

Before you begin

Ensure that:

• You have your Network Security Manager account and its details ready.

• You installed the Cloud Workload Security License extension on McAfee ePO.

After registering your Network Security Manager account, you can deploy the vNSP probe to your cloud infrastructure using Cloud Workload Security.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | Cloud Workload Security to open the Cloud Workload Security page.

3 From the Network Security Account pane, click Add Account to open the Register Security Account pane.

4 From the Select Account Type drop-down list, select NSM Account, and type these details.

Option Definition

NSM Server Name Specify the name of the NSM server.

NSM Server IP Specify the IP address of the NSM server.

User Name Specify the user name of your account.

Password Specify the password of your account.

5 Click Submit to register your account.

The synchronisation between Cloud Workload Security and the Network Security Manager account occurs with the AWS account.

You can deploy McAfee Agent to the registered VMs to manage product installation and network security of the virtual instances on McAfee ePO.


Tasks

• Download the Virtual Probe on page 23

A Virtual Probe has to be installed on every instance that has to be protected by Network Security Platform. In order to install a Virtual Probe, you will have to first download the Probe Installation script from the McAfee ePO server.

• Install the Virtual Probe on page 23

The procedure to install a Virtual Probe on your virtual machine is different for different operating systems running on it. This section provides the installation steps for Linux and Windows virtual machines.

Download the Virtual Probe

A Virtual Probe has to be installed on every instance that has to be protected by Network Security Platform. In order to install a Virtual Probe, you will have to first download the Probe Installation script from the McAfee ePO server.

Before you begin

You installed the Cloud Workload Security License extension on McAfee ePO.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from Systems, then select an instance from the instance list under Total Workloads to view the properties of your virtual systems from your cloud account.

4 From Network Intrusion Prevention under the Workload Details pane, click Download to download the Probe Installer for vNSP.

5 The Probe Installation Package <file name> is downloaded to your machine.

Install the Virtual Probe

The procedure to install a Virtual Probe on your virtual machine is different for different operating systems running on it. This section provides the installation steps for Linux and Windows virtual machines.

Task

1 On your client system, run the downloaded script:

• Windows client system — Open Windows PowerShell and run the script.

• Linux client system — Open a terminal shell prompt and run the script.

The McAfee Agent versions that are available depend on which McAfee Agent installation packages are checked in to the Master Repository.


2 If you are using Amazon Web Services and deploying new EC2 instances, copy the generated script and paste it into the User Data field.

This allows you to launch existing Amazon Machine Images (AMIs) and automatically install and activate the Virtual Probe at startup. The new instances must be able to access the McAfee ePO server specified in the deployment script.

You can now select the virtual instance and install Network Intrusion Prevention using Cloud Workload Security in McAfee ePO.

Configuring your security products and viewing reports

After installing the Cloud Workload Security extension and registering cloud accounts, you must complete these tasks to configure the security products on your McAfee ePO server.

1 Configure your firewall policies in Policy Catalog and assign them to required systems.

2 View your cloud account information from Menu | Systems | Cloud Workload Security.

This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy. The Total Workloads pane highlights any immediate issues or violations on your workload based on firewall settings or assigned policy settings.

3 After visualizing the cloud account structure and seeing which systems are at risk, you can activate any missing protection with a few clicks.

• Manage your instances by installing McAfee Agent.

• Install other McAfee products on your instances.

4 Secure the instances in your network by correcting your firewall settings.

5 You can see the encryption status of your AWS volumes in the Cloud Workload Security dashboard.

6 To encrypt volumes, deploy McAfee Data Protection for Cloud to your managed systems with the product deployment client task.

7 Select Data Protection for Cloud to see that it displays all zones from your registered AWS cloud account. You can encrypt volumes from here.

8 Track the usage of AWS and Microsoft Azure cloud VMs using the metering feature. You can get a monthly report of your usage hours for your cloud instances. You can also create custom queries to display this information.

9 Select Dashboards | Public Cloud to see the security summary of your EC2 instances and EBS volumes.

You can also see details about Data Centers, OS Distribution, Anti-Malware Status, Security Incidents, Host Firewall Status, File Integrity Monitoring Status, Data Protection Per Cloud VM, Instance Assessment Report, and Usage Metering Report.
