
Technical Brief

McAfee Real Time Command

McAfee® Real Time Command is a security management platform that allows for the retrieval and distribution of information on large enterprise networks, built around a peer-to-peer architecture designed to expedite those processes. This document is intended for administrators of McAfee Real Time Command and process reviewers within organizations installing McAfee Real Time Command. It describes the components, communication pathways, security architecture, and functionality of the system.

Note: To get the most out of this document, we recommend that you first review the Welcome to McAfee Real Time Command document or the Console User Guide.

Basic Components

McAfee Real Time Command is comprised of a peer-to-peer client architecture that is controlled by a single McAfee Real Time Command server component. The system is managed through the McAfee Real Time Command Console interface.

The McAfee Real Time Command server component is installed on a Windows server running an SQL server database. The McAfee Real Time Command server package includes an Apache HTTP server with a PHP database interface to the SQL server, which together host the console web interface used by administrators to manage McAfee Real Time Command. In addition, the McAfee Real Time Command server hosts a McAfee Real Time Command server service, which handles all communication with the clients.

The McAfee Real Time Command client component is installed on each asset managed by McAfee Real Time Command. During installation, the client is given the address or DNS name of the server, as well as a public key that allows it to authenticate that all traffic it sees on the peer-to-peer network originated from the server. Other than that common information, which is the same on every client in the environment, no per-client information must be provided during installation or thereafter.

Clients may be installed using a variety of methods, depending on the presence and availability of those methods in the environment. Common methods include Microsoft Active Directory/Group Policy Object, software distribution systems such as SCCM or Tivoli, login scripts, and network access control (NAC) policies. Additionally, the client can be deployed via the McAfee Real Time Command console itself.

The McAfee Real Time Command Console user interface (UI) is provided through an HTTP (or HTTPS) interface, and can be accessed through all major web browsers that support Adobe Flash/Flex. McAfee Real Time Command console users use their Active Directory credentials, coupled with management rights granted within McAfee Real Time Command, to log into the console.

The Peer-to-Peer Network

McAfee Real Time Command is built around a patent pending peer-to-peer architecture, which allows the system to scale to hundreds of thousands of clients with a single server, and provides nearly real-time data with latency measured in seconds, regardless of the scale of the network. Clients are able to build this network with no manual interaction of any kind from the administrators in the environment.

To establish this peer-to-peer network after they have been installed, clients contact the server periodically. Based on a very small amount of data that the server provides them about the peers in their vicinity, clients automatically determine which peer clients around them are the best choices to receive data from and send data to. Clients are then able to keep the network intact through aggressive routing around clients that are removed or are unable to communicate effectively, clients that come online can be quickly added, and the server can be used to "reflect" around network-level blockages such as firewall blocks in core backbone routing.

The result of the process can be imagined as a "ring" of clients, with each client having a single client that is feeding information to it, and a single client to which it is feeding information. A McAfee Real Time Command peer-to-peer ring can contain hundreds of thousands of clients.

In a reasonably functional McAfee Real Time Command deployment, the peer-to-peer ring can deliver any new piece of information (questions, actions, sensors, settings, and more as described below) to every client in the environment in a minute or less, regardless of the scale of the network. This is possible because of extensive optimization in the client communications architecture, which allows a single message to be serially transmitted through more than 100 clients per second in real networks with average LAN latency. Furthermore, because the messages being transmitted around the peer-to-peer ring are quite small, the ring can transmit more than 100 messages per second to every node in the network without any appreciable load on the assets themselves or on the network infrastructure.

Component Interactions

To understand the different communication pathways in the system, it is helpful to analyze the stimuli that cause each to occur. There are five major types of communication within McAfee Real Time Command. They are:

1. Registration
2. Questions
3. Actions
4. Settings
5. Sensors

We will review each of the communication types in detail.

1. Registration

The purpose of the registration process is to allow the server to keep a basic record of which clients exist in the environment and where they are in relation to the other clients that are currently online. It also serves as a way to "seed" the peer-to-peer network with new commands, such as the questions, actions, settings, and sensors that will be described in the following sections.

The registration interaction is initiated by the clients on a schedule, which may be set using the settings capability described later. The interaction is extremely lightweight and involves the client connecting to the server and providing a number of status statistics (whether it has had trouble connecting to its peers, how many peers it has talked to recently, and ), and providing the server with a set of hash values, which represent all of the information that the client currently knows about the global configuration state (which sensors have been defined, all settings values, which questions the client has answered, and which actions have been executed). The server responds with the locations of a number of clients that are proximate to the client, to help with the establishment of the peer-to-peer network. The server also provides a confirmation that the global configuration state known by the client is up to date, or that it is not. If it is not, the server and client determine which pieces of configuration information are out of date, and then update the client. All settings information provided to the client is delivered digitally signed by the server and is validated by the client using the public key installed with it.

The server can comfortably sustain more than 200 registrations per second, as well as its other functions.

All registration interactions occur over a single configurable port (by default 17472) and are initiated by the client to the server.

2. Questions

Administrators who wish to collect information about clients in the environment can do so using the question message. Upon creation, a question is initially recorded into the SQL database on the server, where it is noticed by the McAfee Real Time Command server service. When the McAfee Real Time Command server service determines that a new question has been asked, it queues that question for clients that subsequently register. When the next client registers and submits its hash values to determine whether it has seen all questions in the network, the server will respond that in fact there is a new question and provides the client with the definition of that question.

The question message itself is divided into three parts. First, there is the question definition, which provides the clients all the information necessary to determine what is being asked. Questions like "Can you provide computer names and IP addresses of computers running application Firefox.exe in the EMEA region?" can be encoded to allow the clients to determine what pieces of data are being requested and what computers should be supplying them. After the question definition, there is the answer section of the message. This is blank when the question is delivered to the client upon registration. Finally, there is the signature, which contains the digital signature generated by the server when the question is generated. The signature validates both the contents of the question definition and a time window during which the message is considered valid. Clients can use their public key to confirm that the question definition originated on the server.

The client will first validate the signature against the question definition, and, if it is valid, will process the question definition on itself to determine if it is a client that should provide an answer based on the question's targeting, and if so, what the answer is. The client will then add its answer to the answer section. Once it has completed that process, it will forward the message along to its nearest peer.

The next client will examine the question in the same way, and, after verifying the signature and processing the question definition, it will submit its answer in the answer section as well. Note that if the answer is the same as an answer that has been provided by another client in the answer section, the client answering will simply increment a counter on that answer, allowing for efficient storage of the answers.

This process continues until either the answer section is "full" (by default, 1,000 unique answers have been provided), a certain number of clients have touched the message (by default 100), or a client who has already seen the question and has already answered it is reached. In any of those cases, the question and its answers are reported to the server, where the answers are submitted into the database for view by the console administrators.

When subsequent clients register with the server, they will receive the question if they have not yet seen it, based on the hash interaction described above. However, if they have already seen the question, they will be notified that their state is up to date, and the question will not be delivered to them.

Note that the peer-to-peer process occurs over a single configurable port (by default 17472), and the reporting of the "full" report is done from the last client to the server over a configurable port (by default 17472).

3. Actions

In addition to being able to collect data from the entire environment in seconds using questions, McAfee Real Time Command also offers the ability to take action or make modifications. The McAfee Real Time Command solution provides the ability to deploy packages that consist of a command line call and an optional set of files needed by the configured command line call. For example, if administrators needed to uninstall an application, patch a third-party application, or make changes to a Windows registry key, they could create a package, upload any files needed by the action, and deploy it to any or all machines in the environment.

Package files are distributed and cached in pieces, or "shards," which allows the McAfee Real Time Command system to distribute package files efficiently throughout the "ring" of peer clients. When a client begins downloading a file, completed shards are immediately passed along to its peer. Also, when each client completes a package file download, it will take a randomly selected set of shards and cache them so that there is a high statistical likelihood that any package file can be reconstituted from cached shards found in the peer ring. Subsequently, when a client sees a new action that requires files that the peer ring has, it simply requests the shards needed to reconstitute the files from its peers without having to download the file or files again from the server.

As with questions, each action and package is signed by the server and validated by the client prior to any action execution. When a client receives an action or package from the server, it is validated to ensure authenticity.

Actions can be executed immediately or at a specified time and can be set to recur at a specified frequency or when a certain policy is triggered.

4. Settings

The McAfee Real Time Command system has a number of settings that control the behavior of components in the network. Examples include bandwidth caps on the clients, timing on retries for different types of messages, and all of the other "configurable" options that have been mentioned in this document. McAfee Real Time Command enables administrators to change these settings through the peer-to-peer environment.

When a setting is first changed, the change is made in the database and is then pushed out to the clients as part of the registration process. The first client that sees the setting will validate the signature on the setting message, and, if it is valid, will proceed to change its local settings accordingly. It will then forward the setting on to the next client in the peer-to-peer ring; that client will do the same, and so on. The setting message will be killed when it reaches a client that has already seen that setting update.

5. Sensors

Sensors are the mechanism by which McAfee Real Time Command clients determine the local values that they have for questions that are asked of them. Sensors come with a name, an evaluation method, a script, and an evaluation interval. Sensors may be defined in a variety of ways, including WMI, VBScript, PowerShell, and . Sensors are defined for a variety of hardware, software, networks, environments, operating systems, and other characteristics of the computer. By default, hundreds of sensors come out of the box, but the system easily allows for the creation of new or modification of existing sensors.

To clarify, let's say that one property that we were interested in being able to ask questions about is the Active Directory domain that a computer belongs to. Its definition could look like this:

Name: Active Directory Domain
Evaluation Method: Windows Management Instrumentation (WMI)
Script: select Domain from win32_ComputerSystem
Evaluation Interval: One hour

Note that in the example above, we are executing a WMI query every hour to get the domain.

The sensor message, similar to the settings and question messages, is digitally signed by the server. Similar to the setting message, after the first client downloads it, it performs the sensor action described in the message, then forwards it around the ring until it reaches a client that has already seen the sensor message, at which point it is killed.

Component Load

The McAfee Real Time Command client is designed to use less than 1% of the CPU on average and to limit itself to a fixed number of messages per second (100 by default) that it will process. The message limiter serves to smooth the amount of peer-to-peer traffic being generated to ensure that even if a burst of questions or sensors is issued, the network consumption remains within acceptable levels. In addition, since the vast majority of the traffic in the system is generated on the LAN by peers communicating directly with each other, very little WAN bandwidth is consumed, with the exception being reports posted to the server or peer-to-peer traffic where one peer is at the end of a subnet and therefore must reach outside the subnet to its nearest peer.

The McAfee Real Time Command server is extremely scalable with the number of clients, as the vast majority (well over 99% by default) of traffic is peer-to-peer, rather than client to server.

Security/Rights

The McAfee Real Time Command security model relies on a digital signature that accompanies each piece of content as it travels around the network, which allows each client to validate that any changes that it makes to sensors or settings and any questions that it answers originated at the server. The signed content includes an expiration (configurable), to prevent replay attacks. Signatures are generated using the ECDSA elliptic curve algorithm over F_p, with the NIST-recommended prime p521 and a SHA-512 hash.

Key rotation can be enabled to allow the enterprise to prevent brute-force cracking of the keys. The frequency of the key rotation is a setting controlled by the enterprise. (Note: All signing, as well as key management, is automatically performed by the server component. No management of the key infrastructure is required by the enterprise.)

Login to the console user interface, where all changes are initiated, is done using the Active Directory credentials of the administrator, which are tied to a particular user role in McAfee Real Time Command. Roles and, therefore, users can be restricted in their rights to only be able to see particular types of computers or computers that the user has Active Directory administrative rights on. This enables McAfee Real Time Command to restrict a particular user role, for example, to only be able to see Windows servers in the UK running IIS. In addition, particular roles can have only a subset of sensors available to them. For example, a particular role for antivirus administrators could allow them to only ask about computer names, antivirus definition levels, and locations. (Note: Although the McAfee Real Time Command console is logged in using Active Directory credentials, it is possible to give a user rights on clients that they do not have Active Directory rights on. As such, computers that are in different domains from the server or are not in domains at all can be managed through McAfee Real Time Command.)

Furthermore, to ensure that only particular users are able to create particular types of content, McAfee Real Time Command implements role-based editing rights. With a granularity that allows particular roles to have the ability to edit sensors, settings, questions, and users separately, the enterprise can segment those abilities to ensure appropriate change management controls.

Conclusion

Further information can be found at www.mcafee.com/realtime.
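The signed question flow described in the Questions and Security/Rights sections above, as an added example in Go that is not McAfee's code: the server signs the question definition together with its validity window using ECDSA over NIST P-521 and SHA-512, each client checks the window and the signature before answering or forwarding, identical answers only increment a counter, and forwarding stops on the three conditions the brief lists. The struct fields, the digest layout and the sample domain answers are assumptions; the brief does not publish the actual wire format.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Question models the brief's three-part message: definition, answer section (empty when
// issued) and server signature over the definition plus a validity window. Field names and
// the digest layout are assumptions, not the product's real wire format.
type Question struct {
	Definition          string
	NotBefore, NotAfter int64          // signed validity window, unix seconds
	Answers             map[string]int // answer text -> number of clients giving it
	Touched             int            // clients that have processed the message
	Signature           []byte
}
// digest covers only the signed fields, so answers appended by downstream clients
// do not invalidate the server's signature.
func digest(q *Question) []byte {
	sum := sha512.Sum512([]byte(fmt.Sprintf("%s|%d|%d", q.Definition, q.NotBefore, q.NotAfter)))
	return sum[:]
}
// NewServerKey and ServerSign use ECDSA over NIST P-521 with SHA-512, as the brief states.
func NewServerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) }
func ServerSign(priv *ecdsa.PrivateKey, q *Question) (err error) {
	q.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest(q))
	return err
}
// ClientVerify is the check every client makes before acting on or forwarding a message:
// inside the validity window (replay protection) and signed with the server's key.
func ClientVerify(pub *ecdsa.PublicKey, q *Question, now int64) error {
	if now < q.NotBefore || now > q.NotAfter { return errors.New("outside validity window: stale or replayed") }
	if !ecdsa.VerifyASN1(pub, digest(q), q.Signature) { return errors.New("signature does not verify against server key") }
	return nil
}
// Ring walks the question around a peer ring; answers[i] is client i's local answer and
// identical answers only bump a counter. Forwarding stops when the answer section is full,
// maxTouched clients have handled it, or a client that already saw it is reached; the hop
// count returned is what the last client reports to the server together with the answers.
func Ring(pub *ecdsa.PublicKey, q *Question, answers []string, maxAnswers, maxTouched int, now int64) (int, error) {
	if q.Answers == nil { q.Answers = map[string]int{} }
	seen := make([]bool, len(answers))
	for i := 0; ; i = (i + 1) % len(answers) {
		if seen[i] { return q.Touched, nil } // ring closed
		// unsigned, tampered or expired content is dropped, never answered or forwarded
		if err := ClientVerify(pub, q, now); err != nil { return q.Touched, err }
		seen[i] = true
		q.Answers[answers[i]]++ // same answer as an earlier client: just count it
		q.Touched++
		if len(q.Answers) >= maxAnswers || q.Touched >= maxTouched { return q.Touched, nil }
	}
}
```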

2821 Mission College Boulevard, Santa Clara, CA 95054 | 888 847 8766 | www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc. 60957brf_rt-command-tanium_0214_fnl_ETMG