Enhanced Memory Allocation Enhancements in Network Security Platform to handle increasing Signature Set size
Technical Articles ID:   KB87554
Last Modified:  9/12/2019

Environment

McAfee Network Security Manager
McAfee Network Security Platform (NSP) Signature Set
McAfee Network Security Sensor Appliance

Summary


NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.

Overview

The Network Security Platform security researchers constantly monitor new vulnerabilities and release signature set updates regularly to keep your network protection up to date. The security research team currently authors around 1,500 signatures every year. This volume corresponds to an 8% increase in the memory demand on the Sensors for signature processing. New attack definitions are critical for attack coverage, but older hardware models have limited memory capacity, which makes it infeasible to scale signature processing any higher.

Known Limitations
  • M-series Sensor models are already using the maximum memory capacity available for signature processing. So, the memory capacity for signature processing cannot be scaled higher on M-series Sensor models.
  • NS-series and Virtual IPS Sensors architecture allows higher signature processing capabilities. But, there is a need to revise memory allocations in software from time to time. Sensor images released in the recent past had an increased signature processing capacity. But there are customers who continue to use older Sensor software versions for too long. Those customers are at risk of facing signature download failures with a growing signature set.
  • The NS-series and Virtual IPS Sensors can support a higher number of attack definitions when compared to M-series. Having a single signature set across M-series, NS-series and Virtual IPS Sensors limits our ability to provide higher attack coverage on NS-series and Virtual IPS Sensors. The Manager lacks the ability to dynamically push more than one type of signature set across all managed devices.
Solution
  • Enhanced memory allocations for signature processing in NS-series and Virtual IPS Sensors with newer Sensor software images. Customers get improved attack coverage as the signature set grows.
  • M-series Sensors are optimized to provide maximum attack coverage possible with the available hardware resources and Sensor software images.
  • The Manager has been enhanced to provide different signature set options to the Sensors. The users can select a signature set to be pushed to the Sensors among the options in the Manager. With this capability, the Manager can deploy a larger number of signatures to NS-series and Virtual IPS Sensors, while simultaneously providing a smaller number of signatures to M-series sensors.
Affected Environments
Network Security Sensor Appliance software:
  • 8.3
  • 8.2 (End of Life)
  • 8.1
Network Security Virtual IPS Software:
  • 9.1
  • 8.3
  • 8.2 (End of Life)
  • 8.1
Network Security Sensor hardware:
  • NS-series: NS9300, NS9200, NS9100, NS7300, NS7200, NS7100, NS5200, NS5100, NS3200, NS3100
  • NS-series Load Balancer: NS9300XC
  • M-series: M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, M-2750, M-1450, M-1250
  • Mxx30-series: M-8030, M-6030, M-4030, M-3030
  • M-series Load Balancer: M-8000XC
NOTES:
  • I-series Sensors reached End of Life on December 31, 2015.
  • NSP 7.1 reached End of Life on December 15, 2016, as announced on June 15, 2016. Customers are advised to upgrade to a supported version.
  • NSP 8.2 reached End of Life on March 1, 2017. Customers are advised to upgrade to a supported version.
  • The final 8.7.x.x Signature Set was released on March 13, 2018. McAfee will not release any further 8.7.x.x Signature Sets.
Impact
If you do not upgrade to the minimum recommended Sensor software versions, expect to encounter signature set deployment failures. These failures are caused by a shortage of the memory resources needed to process higher-capacity signature sets on the Sensor. You might see update error Reason #42 or Reason #29 with the signature update failure. There is no impact on traffic handling, because traffic handling uses a dedicated memory space that is separate from the memory allocated for signature set processing.

Recommendation
  • Upgrade your Network Security Manager to the latest 9.1 or 9.2 versions. These versions have built-in capacity for compiling and deploying signature sets based on signature set attack priority configured by the user.
  • Upgrade your Sensor models to the latest 9.2, 9.1, or 8.3 software versions with the memory enhancement.

Signature Set Attack Priorities Options
The Attack Compilation page enables you to specify the type of attack definitions to be included in the IPS Policies for a specific Sensor.

To access the Attack Compilation page:
  1. Click Devices, <Admin Domain Name>, Devices, <Device Name>, Setup, Attack Compilation.
  2. Click Signature Set Attacks and configure the Signature Set Attack Priorities Options.
IMPORTANT: After an upgrade to a Manager with this feature, the M-series Sensor models no longer support the complete signature set. The only option for complete signature set coverage is migration to NS-series or Virtual IPS Sensors.

The Signature Set Attack Priorities Options are more relevant as the signature set grows. Currently, McAfee has tagged attack definitions present in the signature set for the Manager to perform dynamic compilation of the signature set.

This functionality allows the Manager to produce signature sets of different sizes so that it works on both M-series and NS-series. Toward the end of Q3 2019, McAfee plans to add more attack definitions to the signature set, increasing the signature set size for NS-series. So, McAfee recommends that customers upgrade both Manager and Sensor, or at least the Manager, before then. Additional signatures, added beyond the current capacity, carry a tag. The new Manager versions use this tag to filter attack definitions during signature compilation and deploy the correctly sized signature set to M-series. The IDT team makes sure that the less relevant signatures are tagged for exclusion from M-series and revises the Attack Priority from time to time.

The signature set compatibility with the Manager versions:
  • Signature set versions earlier than 9.8.42.3: Compatible with all Manager versions. However, the signature set is not tagged as described above, and this tagging is needed by Manager versions that feature dynamic compilation of signature sets.
    Without it, these Managers cannot perform dynamic compilation and push the complete signature set to the Sensors.
  • Signature set 9.8.42.3 and later: Compatible with all Manager versions. However, if you use Manager version 9.1.7.75 and earlier or 9.2.7.22 and earlier, you are likely to encounter signature set push failures.
    Expect to see these side effects by the end of Q3, when the IDT team starts adding more attack definitions to the signature set targeted at NS-series and Virtual IPS Sensors.
The Manager enhancement introduces the following new Signature Set Attack Priorities:
  • All: Includes all attack definitions in the signature set. This is the default Signature Set Attack Priority for NS-series and Virtual IPS Sensors and provides complete attack coverage. This option is not available on M-series Sensors because of their memory limitations.
NOTE: The Signature Set Attack Priority option All is available only for NS-series and Virtual IPS Sensors.
  • High and Medium only: Comprises the high and medium priority attacks in the signature set. This Signature Set Attack Priority is the default for M-series Sensors and provides partial attack coverage. It is also suitable for customers running older software versions on NS-series and Virtual IPS Sensors.
  • High only: Comprises the high priority attacks in the signature set. Use this option to optimize Sensor resources on M-series Sensors, or on Sensor models running older Sensor software versions, so that they still receive the latest signatures against the most critical attacks.
  • The High only Signature Set Attack Priority provides attack coverage only against the most critical attacks.
  • To obtain complete attack coverage using the All Signature Set Attack Priority, McAfee recommends migrating your M-series Sensors to the latest NS-series Sensors.

The tables below list the Sensor software versions with memory enhancement fixes. Upgrading the Sensors, together with upgrading the Manager, significantly reduces the likelihood of Sensors in production environments running out of memory. It also provides maximum coverage against identified vulnerabilities on each platform.

Table 1 - Recommended Manager software versions capable of deploying signature sets of different sizes to different managed devices.
Manager Version | Manager Build
9.2 | 9.2.9.12
9.1 | 9.1.7.77
8.3 | Upgrade to recommended 9.1 or 9.2 versions.
8.1 | Upgrade to recommended 9.1 or 9.2 versions.

NOTE: Currently, Network Security Manager versions 9.2.9.x are not capable of deploying signature sets of different sizes to different managed devices. They therefore continue to push the complete set of signatures to the devices they manage. The dynamic compilation enhancement is included in the upcoming 9.2.9.x Manager update, which is tentatively scheduled for Q3 2019.

Table 2 - Recommended Software Versions by Sensor Hardware Model and Supported Signature Set Priorities:
Sensor Major Version | Sensor Models | All | High and Medium Only | High Only
9.2 | NS-Series | 9.2.5.72 and later | Versions earlier than 9.2.5.72 | Not applicable
9.2 | Virtual IPS | 9.2.7.26 and later | Versions earlier than 9.2.7.26 to 9.2.7.10 | Versions earlier than 9.2.7.10 (9.2.7.1 for AWS)
9.1 | M-Series | Not applicable | 9.1.3.13 and later | Versions earlier than 9.1.3.13
9.1 | NS-Series | 9.1.5.63 and later; 9.1.17.4 or later (FIPS) | Versions earlier than 9.1.5.63 | Not applicable
9.1 | Virtual IPS | 9.1.7.18 and later | Versions earlier than 9.1.7.18 to 9.1.7.12 | Versions earlier than 9.1.7.12
8.3 | M-Series | Not applicable | 8.3.3.41 | Versions earlier than 8.3.3.41
8.3 | NS-Series | 8.3.5.61 | Versions earlier than 8.3.5.61 to 8.3.5.32 | Versions earlier than 8.3.5.32
8.3 | Virtual IPS | N/A (Upgrade to 9.1.7.18/9.2.7.26 or later) | N/A (Upgrade to 9.1.7.18/9.2.7.26 or later) | N/A (Upgrade to 9.1.7.18/9.2.7.26 or later)
8.1 | M-Series | Not applicable | 8.1.3.139 | Versions earlier than 8.1.3.139
8.1 | NS-Series | 8.1.5.223 | Versions earlier than 8.1.5.223 to 8.1.5.210 | Versions earlier than 8.1.5.210
8.1 | Virtual IPS | Not available (Upgrade to 9.1.7.18/9.2.7.26 or later) | Not available (Upgrade to 9.1.7.18/9.2.7.26 or later) | Not available (Upgrade to 9.1.7.18/9.2.7.26 or later)

NOTE: McAfee strongly recommends that you upgrade the Manager and Sensor software to the latest 9.1 or 9.2 versions by 30 September 2019.

NOTE: The Sensor software versions managed by a Linux-based Manager are as follows:
  • 9.2: Starting 9.2.5.72 and later
  • 9.1: Starting 9.1.3.13 and 9.1.5.56 versions and later
  • 8.3: 8.3.3.41 and 8.3.5.61 only
  • 8.1: 8.1.3.139 and 8.1.5.223 only
IMPORTANT: On May 7, 2019, the table above was updated according to the recent signature test results for M-Series Sensors, Virtual IPS, and NS-Series Sensors. If you are currently running a Sensor software version earlier than the versions listed above, you must upgrade to the minimum recommended versions. McAfee highly recommends that you upgrade to versions with the memory enhancement fixes.
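The signature set compatibility rules above and the thresholds in Table 2 are easy to misapply by hand, in particular because builds such as 9.1.17.4 sort below 9.1.5.63 under plain string comparison. The following pre-flight check is an added example, not McAfee code: it encodes the Manager rule (signature sets 9.8.42.3 and later are tagged; Manager builds 9.1.7.75 and earlier or 9.2.7.22 and earlier cannot dynamically compile them) and the Table 2 minimum Sensor builds, then reports which Sensors are configured for a priority their build cannot take. The device names and builds in the sample inventory are constructed. It assumes that a single build listed in Table 2 (for example 8.3.3.41) means that build and later, and it does not model the separate 9.2.9.x note or the 9.2.7.1 AWS variant.

```python
"""Pre-flight check of an NSP fleet against the version rules in KB87554.

Constructed example, not McAfee code. Device names and builds in SAMPLE_SENSORS
are made up for illustration.
"""
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.1.7.75' -> (9, 1, 7, 75). Numeric tuples compare correctly; plain string
    comparison would rank the 9.1.17.4 FIPS build below 9.1.5.63."""
    return tuple(int(part) for part in v.strip().split("."))


def version_ge(a: str, b: str) -> bool:
    """True when build a is b or later."""
    return parse_version(a) >= parse_version(b)


def major_line(v: str) -> str:
    """'9.1.5.63' -> '9.1' (the Sensor or Manager major version)."""
    p = parse_version(v)
    return f"{p[0]}.{p[1]}"


def manager_can_dynamically_compile(manager_version: str) -> bool:
    """Manager builds later than 9.1.7.75 (9.1 line) or 9.2.7.22 (9.2 line) can
    filter tagged attack definitions; every 8.x Manager must upgrade first."""
    line = major_line(manager_version)
    if line == "9.1":
        return not version_ge("9.1.7.75", manager_version)
    if line == "9.2":
        return not version_ge("9.2.7.22", manager_version)
    return False


TAGGED_SIGSET_FROM = "9.8.42.3"  # first signature set carrying priority tags


def sigset_push_at_risk(manager_version: str, sigset_version: str) -> bool:
    """A tagged signature set pushed by a Manager without dynamic compilation goes
    out as the complete set, which is the failure mode the article warns about."""
    return (version_ge(sigset_version, TAGGED_SIGSET_FROM)
            and not manager_can_dynamically_compile(manager_version))


# Table 2 as (priority, minimum build) per (Sensor major version, family), highest
# priority first; "0" means every build on that line. M-series never takes "All"
# and 8.x Virtual IPS has no supported build. Assumption: a single build listed in
# the table (e.g. 8.3.3.41) is read as that build and later.
SENSOR_RULES = {
    ("9.2", "NS"):   [("All", "9.2.5.72"), ("High and Medium only", "0")],
    ("9.2", "VIPS"): [("All", "9.2.7.26"), ("High and Medium only", "9.2.7.10"), ("High only", "0")],
    ("9.1", "M"):    [("High and Medium only", "9.1.3.13"), ("High only", "0")],
    ("9.1", "NS"):   [("All", "9.1.5.63"), ("High and Medium only", "0")],
    ("9.1", "VIPS"): [("All", "9.1.7.18"), ("High and Medium only", "9.1.7.12"), ("High only", "0")],
    ("8.3", "M"):    [("High and Medium only", "8.3.3.41"), ("High only", "0")],
    ("8.3", "NS"):   [("All", "8.3.5.61"), ("High and Medium only", "8.3.5.32"), ("High only", "0")],
    ("8.3", "VIPS"): [],
    ("8.1", "M"):    [("High and Medium only", "8.1.3.139"), ("High only", "0")],
    ("8.1", "NS"):   [("All", "8.1.5.223"), ("High and Medium only", "8.1.5.210"), ("High only", "0")],
    ("8.1", "VIPS"): [],
}
PRIORITY_RANK = {"High only": 0, "High and Medium only": 1, "All": 2}


def highest_supported_priority(family: str, sensor_version: str) -> Optional[str]:
    """Highest Signature Set Attack Priority this build can take, or None when the
    line has no supported build (upgrade required)."""
    for priority, minimum in SENSOR_RULES.get((major_line(sensor_version), family), []):
        if version_ge(sensor_version, minimum):
            return priority
    return None


def check_fleet(manager_version: str, sigset_version: str,
                sensors: List[Tuple[str, str, str, str]]) -> List[str]:
    """sensors: (name, family, build, configured priority). Returns one finding per
    problem; an empty list means the fleet matches the article's recommendations."""
    findings = []
    if sigset_push_at_risk(manager_version, sigset_version):
        findings.append(f"Manager {manager_version}: cannot dynamically compile signature set "
                        f"{sigset_version}; expect push failures (update error Reason #42 / #29)")
    for name, family, build, configured in sensors:
        best = highest_supported_priority(family, build)
        if best is None:
            findings.append(f"{name}: {family} {build} has no supported build on this line; upgrade")
        elif PRIORITY_RANK[configured] > PRIORITY_RANK[best]:
            findings.append(f"{name}: configured '{configured}' but {build} supports at most '{best}'")
    return findings


SAMPLE_SENSORS = [  # constructed inventory
    ("ns9100-dc1", "NS", "9.1.5.63", "All"),
    ("ns7200-dc2", "NS", "9.1.17.4", "All"),                    # FIPS build, above 9.1.5.63 numerically
    ("m8000-branch", "M", "8.3.3.41", "All"),                   # M-series cannot take "All"
    ("vips-lab-1", "VIPS", "9.2.7.12", "High and Medium only"),
    ("vips-old", "VIPS", "8.3.5.61", "High only"),              # 8.3 Virtual IPS: no supported build
]

if __name__ == "__main__":
    for finding in check_fleet("9.1.7.75", "9.8.42.3", SAMPLE_SENSORS):
        print(finding)
```

Run against the sample inventory with Manager 9.1.7.75 and signature set 9.8.42.3, the check reports three findings: the Manager itself, the M-series Sensor configured for All, and the 8.3 Virtual IPS with no supported build. Feeding it an exported device list from your own Manager turns the tables above into a repeatable check before the Q3 signature set growth lands.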

Manual Signature Update

Short-term Signature Set option for customers using M-Series Sensors:
  • The NSP team releases another Signature Set (version 9.8.x.x.lite) every Tuesday with old, non-relevant attacks deleted.
  • This signature set will be released until M-Series End of Support on December 31, 2021.
  • The version number differs from the main 9.8.x.x Signature Set.
  • This Lite signature set is equivalent to "High Only" Signature Set Attack Priorities.
  • This Signature Set is not available from the update server for automatic downloads.
  • The Signature Set is posted to the Product Downloads site.
  • The Signature Set must be manually downloaded and applied to the Sensors.
  • The Signature Set can also be applied to Virtual IPS and NS-Series Sensors.
  • See Registered article KB91784 for the list of signatures removed from the Lite sigset.
    The referenced article is available only to registered ServicePortal users.

    To view registered articles:
    1. Log on to the ServicePortal at http://support.mcafee.com.
    2. Type the article ID in the search field on the home page.
    3. Click Search or press Enter.
Short-term Medium Signature Set option for customers:
  • The NSP team will release a Medium Signature Set (version 9.8.x.x.medium) every Tuesday, with old attacks deleted.
  • This Medium signature set is equivalent to the "High and Medium Only" Signature Set Attack Priority.
  • This Signature Set is not available from the update server for automatic downloads.
  • The Signature Set is posted to the Product Downloads site.
  • The Signature Set must be manually downloaded and applied to the Sensors.
  • The Signature Set can also be applied to Virtual IPS and NS-Series Sensors.
  • See Registered article KB91785 for the list of signatures removed from the Medium sigset.
    The referenced article is available only to registered ServicePortal users.

    To view registered articles:
    1. Log on to the ServicePortal at http://support.mcafee.com.
    2. Type the article ID in the search field on the home page.
    3. Click Search or press Enter.
NOTES: 
  • Automatic signature downloads must be disabled. This memory limitation issue means that the Sensor software is not able to handle the full signature set. Having automatic downloads enabled can cause Signature Set pushes to fail.
  • Product Management actively works with the Sales team and customers to provide them with an upgrade path to the NS-Series Sensor.

Frequently Asked Questions:

What are the consequences if I am not willing to upgrade the Manager and Sensor software version?

Customers continuing with older Manager and Sensor software versions will likely experience signature push failures in the coming weeks or months as the planned signature set coverage enhancements roll out. How soon the failures appear depends on which Sensor software version the customer is running.

How can I avoid signature push failures if I am not willing to upgrade the Sensor software but am considering upgrading the Manager software?
The latest Manager images allow deployment of a smaller-capacity, smaller-coverage signature set to the Sensor. With the new Manager versions, customers can choose the High only signature set priority for M-series Sensors, and the High and Medium only or High only option on NS-series Sensors. With these deployment priority options, customer networks remain protected against the most recent and relevant attacks as defined by the McAfee Labs team.

When is the NSP signature set expected to grow and use additional signature processing capacity provided on Sensors?
McAfee expects the signature set to gradually grow from end Q3 through Q4 2019. This schedule provides adequate time to customers to upgrade both Sensor and Manager software versions or Manager software version to the latest software versions available.

Can the Manager support more than one Active Signature set due to this change?
The Manager continues to support one active signature set, as before. But it can dynamically compile that signature set according to the Signature Set Attack Priority configured for each Sensor model and deploy signature sets of varying capacity to the Sensors.

Do different signature sets being pushed to the Sensor imply the customer must use different policies?
Even with different signature set attack priorities being pushed to the Sensors managed in one Manager, the customers can continue to use same policies across Sensors.

What happens in a signature set auto-download and auto-deploy scenario with the new Manager enhancement?
If the signature set is configured for auto-download and auto-deploy, the Manager still dynamically compiles signature sets according to the Signature Set Attack Priority configured for each Sensor and pushes them accordingly.
