McAfee Real Time Command

Technical Brief

McAfee Real Time Command

McAfee® Real Time Command is a security management platform that allows for the retrieval and distribution of information on large enterprise networks, built around a peer-to-peer architecture designed to expedite those processes.

This document is intended for administrators of McAfee Real Time Command and process reviewers within organizations installing McAfee Real Time Command. It describes the components, communication pathways, security architecture, and functionality of the system.

Note: To get the most out of this document, we recommend that you first review the Welcome to McAfee Real Time Command document or the Console User Guide.

Basic Components

McAfee Real Time Command is comprised of a peer-to-peer client architecture that is controlled by a single McAfee Real Time Command server component. The system is managed through the McAfee Real Time Command Console interface.

The McAfee Real Time Command server component is installed on a Microsoft Windows server running an SQL server database. The McAfee Real Time Command server package includes an Apache HTTP server with a PHP database interface to the SQL server, which together host the console web interface used by administrators to manage McAfee Real Time Command. In addition, the McAfee Real Time Command server hosts a McAfee Real Time Command server service, which handles all communication with the clients.

The McAfee Real Time Command client component is installed on each asset managed by McAfee Real Time Command. During installation, the client is given the address or DNS name of the server, as well as a public key that allows it to authenticate that all traffic it sees on the peer-to-peer network originated at the server. Other than that common information, which is the same on every client in the environment, no per-client information must be provided during installation or thereafter.

Clients may be installed using a variety of methods, depending on the presence and availability of those methods in the environment. Common methods include Microsoft Active Directory/Group Policy Object, software distribution systems such as SCCM or Tivoli, login scripts, and network access control (NAC) policies. Additionally, the client can be deployed via the McAfee Real Time Command console itself.

The McAfee Real Time Command Console user interface (UI) is provided through an HTTP (or HTTPS) interface, and can be accessed through all major web browsers that support Adobe Flash/Flex. McAfee Real Time Command console users use their Active Directory credentials, coupled with management rights granted within McAfee Real Time Command, to log into the console.

The Peer-to-Peer Network

McAfee Real Time Command is built around a patent pending peer-to-peer architecture, which allows the system to scale to hundreds of thousands of clients with a single server, and provides nearly real-time data with latency measured in seconds, regardless of the scale of the network. Clients are able to build this network with no manual interaction of any kind from the administrators in the environment.

To establish this peer-to-peer network after they have been installed, clients contact the server periodically. Based on a very small amount of data that the server provides them about the peers in their vicinity, clients automatically start determining which peer clients around them are the best choices to receive data from and route data to. Clients are then able to keep the network intact through aggressive routing around clients that are removed or are unable to communicate effectively, clients that come online can be quickly added, and the server can be used to “reflect” around network-level blockages such as firewall blocks in core backbone routing.

The result of the process can be imagined as a “ring” of clients, with each client having a single client that is feeding information to it, and a single client to which it is feeding information. A McAfee Real Time Command peer-to-peer ring can contain hundreds of thousands of clients.

In a reasonably functional McAfee Real Time Command deployment, the peer-to-peer ring can deliver any new piece of information (questions, actions, sensors, settings, and more as described below) to every client in the environment in a minute or less, regardless of the scale of the network. This is possible because of extensive optimization in the client communications architecture, which allows a single message to be serially transmitted through more than 100 clients per second in real networks with average LAN latency. Furthermore, because the messages being transmitted around the peer-to-peer ring are quite small, the ring can transmit more than 100 messages per second to every node in the network without any appreciable load on the assets themselves or on the network infrastructure.

Component Interactions

To understand the different communication pathways in the system, it is helpful to analyze the stimuli that cause each type to occur. There are five major types of communication within McAfee Real Time Command. They are:

1. Registration
2. Questions
3. Actions
4. Settings
5. Sensors

We will review each of the communication types in detail.

1. Registration

The purpose of the registration process is to allow the server to keep a basic record of which clients exist in the environment and where they are in relation to the other clients that are currently online. It also serves as a way to “seed” the peer-to-peer network with new commands, such as the questions, actions, settings, and sensors that will be described in the following sections.

The registration interaction is initiated by the clients on a schedule, which may be set using the settings capability described later. The interaction is extremely lightweight and involves the client connecting to the server and providing a number of status statistics (whether it has had trouble connecting to its peers, how many peers it has talked to recently, and more), and providing the server with a set of hash values, which represent all of the information that the client currently knows about the global configuration state (which sensors have been defined, all settings values, which questions the client has answered, and which actions have been executed). The server responds with the locations of a number of clients that are proximate to the client to help with the establishment of the peer-to-peer network. The server also provides a confirmation that the global configuration state known by the client is up to date, or that it is not. If it is not, the server and client determine which pieces of configuration information are out of date, and then update the client. All settings information provided to the client is delivered digitally signed by the server and is validated by the client using the public key installed with it.

The server can comfortably sustain more than 200 registrations per second, as well as its other functions.

All registration interactions occur over a single configurable port (by default 17472) and are initiated by the client to the server.

2. Questions

Administrators who wish to collect information about clients in the environment can do so using the question message. Upon creation, a question is initially recorded into the SQL database on the server, where it is noticed by the McAfee Real Time Command server service. When the McAfee Real Time Command server service determines that a new question has been asked, it queues that question for clients that subsequently register. When the next client registers and submits its hash values to determine whether it has seen all questions in the network, the server will respond that in fact there is a new question and provides the client with the definition of that question.

The actual format of the question message is divided into three parts. First, there is the question definition, which provides the clients all the information necessary to determine what is being asked. Questions like “Can you provide computer names and IP addresses of computers running application Firefox.exe in the EMEA region?” can be encoded to allow the clients to determine what pieces of data are being requested and what computers should be supplying them.

After the question definition, there is the answer section of the message. This is blank when the question is delivered to the client upon registration.

Finally, there is the signature, which contains the digital signature generated by the server when the question is generated. The signature validates both the contents of the question definition and a time window during which the message is considered valid. Clients can use their public key to confirm that the question definition originated on the server.

The client will first validate the signature against the question definition, and, if it is valid, will process the question definition on itself to determine if it is a client that should provide an answer based on the question’s targeting, and

question, they will be notified that their state is up to date, and the question will not be delivered to them.

Note that the peer-to-peer process occurs over a single configurable port (by default 17472), and the reporting of the “full” report is done from the last client to the server over a configurable port (by default 17472).

3. Actions

In addition to being able to collect data from the entire environment in seconds using questions, McAfee Real Time Command also offers the ability to take action or make modifications. The McAfee Real Time Command solution provides the ability to deploy packages that consist of a command line call and an optional set of files needed by the configured command line call. For example, if administrators needed to uninstall an application, patch a third-party application, or make changes to a Windows registry key, they could create a package, upload any needed files by the action, and deploy it to any or all machines in the environment.
