Intel Security / McAfee network appliance - anyone played with them?

explosivelobster

This is a bit hopeful, but does anyone have any experience with Intel Security / McAfee network appliances? There doesn't seem to be a lot (well, any) information on the web about how they are put together. In particular I am trying to find information / reverse engineer the front network ports.

I picked up a McAfee NS5200 from a disposals company cheap and it's a 1U rackmount device with Intel S2600CW2R motherboard (E5-2620v3 & 2x8GB DDR4) with a huge funky network board up front that I can't make sense of. An Intel PCIe x16 card is fitted (silkscreened 'Intel greenlite', 2 mystery chips and a huge solid copper heatsink) which spits out an SFF-8087 cable to the network board (silkscreened 'Intel Security ASSY500-1178-01'), which also has connections from the motherboard serial and LPC busses. The network board exposes a pair of 10GbE SFP+ but there is also 8x GbE and 12x SFP ports with bypass relays, I'd like to be able to use the latter 2 if possible.

The chassis covered the VGA & RMM4 management ports, so a few minutes with a dremel and these are now revealed and I get video output. I've not investigated the original Linux-based OS yet, but I've dumped out the PCI devices from a Linux USB stick, those on the network board are:

Code:
05:00.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
06:01.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
06:02.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
06:03.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
06:04.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
06:05.0 PCI bridge [0604]: Microsemi / PMC / IDT PES24T6G2 PCI Express Gen2 Switch [111d:806e] (rev 02)
07:00.0 Ethernet controller [0200]: Broadcom Inc. and subsidiaries Device [14e4:b151] (rev 01)
07:00.1 Ethernet controller [0200]: Broadcom Inc. and subsidiaries Device [14e4:b151] (rev 01)
08:00.0 RAM memory [0500]: Xilinx Corporation Default PCIe endpoint ID [10ee:0007]
0c:00.0 Ethernet controller [0200]: Intel Corporation 82599 10 Gigabit Dual Port Backplane Connection [8086:10f8] (rev 01)
0c:00.1 Ethernet controller [0200]: Intel Corporation 82599 10 Gigabit Dual Port Backplane Connection [8086:10f8] (rev 01)

I can identify the PES24T6G2 switch and the Xilinx Spartan 6 device, but the remaining chips have heatsinks very well adhered to them, so I'm not sure what they are and I don't really want to risk removing the sinks. The Broadcom devices are a bit of a mystery, as only the Intel 82599 show under Linux.

I don't understand what the mystery card is doing - I guess it's converting & sending PCIe over the SAS cable to the daughterboard and into the switch, but I don't understand why it's necessary to do this vs just a passive cable. It appears to be a very well built board so it would be a shame not to be able to use all the bells and whistles on it.

Images at NS5200

Thanks :)
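
The post above notes that lspci lists Broadcom Ethernet functions while only the Intel 82599 shows up under Linux. As an added example (not part of the original post), this script reads sysfs to report, for each Ethernet-class PCI function, whether a driver is bound and which network interfaces it registered; the function names and the `sysfs_root` parameter are choices made for this example.

```python
#!/usr/bin/env python3
"""List Ethernet-class PCI functions and whether Linux bound a driver/netdev."""
import os
import sys

ETHERNET_CLASS = 0x0200  # PCI base class 02 (network), subclass 00 (Ethernet)


def _read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)


def ethernet_functions(sysfs_root="/sys"):
    """Return one dict per PCI function whose class is Ethernet controller."""
    base = os.path.join(sysfs_root, "bus", "pci", "devices")
    found = []
    for addr in sorted(os.listdir(base)):
        dev = os.path.join(base, addr)
        try:
            pci_class = _read_hex(os.path.join(dev, "class"))
            vendor = _read_hex(os.path.join(dev, "vendor"))
            device = _read_hex(os.path.join(dev, "device"))
        except (OSError, ValueError):
            continue  # function vanished or attributes unreadable
        if pci_class >> 8 != ETHERNET_CLASS:  # drop the prog-if byte
            continue
        drv = os.path.join(dev, "driver")  # symlink, present only when bound
        driver = os.path.basename(os.path.realpath(drv)) if os.path.islink(drv) else None
        net = os.path.join(dev, "net")  # one entry per registered netdev
        netdevs = sorted(os.listdir(net)) if os.path.isdir(net) else []
        found.append({"addr": addr, "id": f"{vendor:04x}:{device:04x}",
                      "driver": driver, "netdevs": netdevs})
    return found


def main():
    # Optional argument: alternative sysfs root (e.g. a mounted image's copy).
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys"
    for f in ethernet_functions(root):
        state = f["driver"] or "no driver bound"
        print(f'{f["addr"]} [{f["id"]}] {state} {",".join(f["netdevs"]) or "-"}')


if __name__ == "__main__":
    main()
```

A function that lspci lists but that reports no driver here has been enumerated on the bus without any kernel module claiming it, which is why it never appears as a network interface.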
 

explosivelobster

> Does that require a subscription to run it?
I imagine so, I presume that is why it was disposed of in the first place - it's only ~3 years old...
I want to image the original OS SSD before I try messing with it, as I don't have any login / credentials I will have to do some poking.
 

cookiesowns

Do you have any more of these? I’d love to tinker with that network breakout board.

Presumably it looks like it’s an x16 retimer/reclocker, with a breakout port to the front board.
 

explosivelobster

> Do you have any more of these? I’d love to tinker with that network breakout board.
Sadly just this one, and I've not seen any sold previously either, hence why I'm a bit kid gloves with it!

Doing a bit more poking it looks like the front GbE ports are intended for passthrough, and it looks like either the FPGA or another ASIC would be doing the threat scanning. I've extracted some FPGA software and what looks like a firmware image for the Spartan 6 but given this thing is supposed to do 1Gbps filtering, I'm surprised that FPGA is up to the job...

I will try and pop the heatsinks off after it's been on a while and the adhesive softened, especially the silver heatsink behind the SFP cages as that's got to be prime candidate for what's doing the inline packet inspection.

Unfortunately the appliance doesn't seem to complete its boot, and I've not yet had time to throw a serial cable on it to see if there is more data than presented over VGA though (seems to hang and be unresponsive to keyboard input).
 

explosivelobster

OK this thing is straight up weird, I had assumed the 10GbE controller I saw on lspci were the 2 SFP+ up front, but looks like that isn't the case. The PCIe card has 2 chips:
  • Intel JL82599ES - Intel® 82599ES 10 Gigabit Ethernet Controller
  • Intel SLK96 - Intel® DH8925 Platform Controller Hub
The motherboard is also set to PCIe bifurcation on the slot it's in (6), x8/x4/x4 so I presume 1 to each chip then another over the SAS cable to the PCIe switch.

The 3 black heatsink chips on the network board are BCM54685B0KPBG - Octal PHY?, and the silver chip is a BCM56151A0KFSBG - as best I can tell a 48Gbps switch chip!

So I guess it's probably 2 10GbE from the PCIe card into the Broadcom switch chip (its proximity to the 'SAS' cable also suggests this), then 1 10GbE out to the front SFP+ and a bunch of GbE to the SFP/RJ45 ports.

Can't figure out what the PCIe switch chip is for though?

Going to play with the front ports a bit to see if they do act like there's a built-in switch...
 

oddball

Looks like an IPS. https://kc.mcafee.com/resources/sit...SP_NS5x00_Sensor_Product_Guide_revH_en-us.pdf

So traffic enters, is filtered by the rule set and passes back out.

You can always reset the password on these things if you have physical access. Here is the procedure for another product: "How to recover the Network Security Sensor password using Netboot".

I’ve had to reset some Juniper gear like this. You jump into the loader, boot from tftp and go from there.

This looks like a really cool product.
 

explosivelobster

Yep it's an IPS alright. Sadly the images on that link are behind a paywall. Though ideally I'd like to repurpose / tinker with it rather than restore it to how it used to be.

I can access the shadow password file so can either crack or reset that, but I'm not sure if it's even getting that far in the boot process to have web/SSH ports opened.

Certainly an interesting device and quite unlike any other network security appliance I've ever torn down before anyway!
 

cookiesowns

Can you post pictures of the PCB layout? I'm curious. I can somewhat picture in my head, but I'd like to do a block diagram for them.
 

oddball

My guess is the mystery PCI card is an encryption card, can do SSL decryption in hardware.
 

explosivelobster

> My guess is the mystery PCI card is an encryption card, can do SSL decryption in hardware.
The card turns out to be a dual 10GbE adapter + DH8925, the latter does seem to be used in crypto offload cards so I presume that's what it is being used for in this system...