TippingPoint Advanced Technical Security Products Training Course

Version 3.1

TippingPoint Training Programs

TippingPoint provides comprehensive, collaborative training aimed to provide handson experience with the most powerful networkbased intrusion prevention system in the world

http://www.tippingpoint.com/training
2

Advanced Class Lab Materials

You will need a laptop to perform the labs
Or pair up with someone who has one

Advanced Class Lab Guide IP Address Assignment Sheet (with login details) Electronic Materials from http://<ip of download server>
Advanced class slides (in PDF format) Windows Tools (Putty, Wireshark, Kiwi, etc) Latest Digital Vaccines TippingPoint OS images Marketing Materials (datasheets, product photos, etc) Product Documentation (manuals, MIB files, etc)

Course Objectives
Understand how to setup and configure TippingPoint IPS and SMS devices Understand how to manage your IPS and SMS devices including updating Digital Vaccines and the IPS and SMS software Understand how to create and apply security policies by configuring filters and applying security profiles to your IPS devices Understand Events and Reporting from an IPS and SMS perspective Understand how to troubleshoot and monitor the performance of an IPS device
4

Class Introductions
Instructor
Freddy Saenz, Senior Systems Engineer, Trainining
[email protected]

Student introductions
Name, company, and location Role Networking and security background Experience with TippingPoint products Objective for taking this class

Class Agenda
Introduction to the TippingPoint family of products IPS setup and basic health / administration SMS setup, IPS management and Segment Groups Basic filter management Advanced filter management Architecture & Performance IPS quarantine SMS Responder IP / DNS Reputation Maintenance & Troubleshooting

Class Schedule and Logistics

9:00 AM to ~5:00 PM each day Breaks
Morning break Lunch Afternoon break

An Introduction to the Overall TippingPoint Solution and IPS Setup

Version 3.1

Intrusion Prevention System Background

Intrusion Prevention System
Sits in-line in the network flow Scans traffic as it passes and takes actions (block, rate-limit, alert) based on a configured policy The IPS acts like a bump-in-the-wire device (SEGMENT)
No IP addresses Layer 2 Easy deployment

Effectively patches you at the network level

Capabilities of an IPS:
Perform as both a NETWORK device and as a SECURITY device NO FALSE POSITIVES (dont block what you shouldnt) Possess a flexible inspection engine to adapt to new threats Provide for policy and filter updates in real-time (no network outage)
9

Common IPS Deployments

Access Aggregation
Core Network

Core

Perimeter
(1.5 1000Mbps)

WAN Perimeter

Internet
DMZ
DMZ Web Servers & Apps

Departmental Zones

Data Center
Data Center Servers, Apps & Data

Windows & Linux Blades

VPN

Remote Offices

Shared Tape Shared Storage

10Mbps 1Gbps

1Gbps 10Gbps

1Gbps 10Gbps

nx1Gbps nx10Gbps
10

TippingPoint Product Portfolio

Inspection Throughput
20 Mbps 100 Mbps / 300 Mbps 600E: 1200E: 2400E: 5000E: 660N: 1400N: 2500N: 5100N: 600 Mbps 1.2 Gbps 2.0 Gbps 5 Gbps 750 Mbps 1.5 Gbps 3 Gbps 5 Gbps

Model

Segments

TippingPoint 10 TippingPoint 110 / 330

2 x Segments 4 x Segments

E-Series
600E, 1200E, 2400E, 5000E

4 x Segments
(Copper, Fiber or 50/50 mix)

10 x 1 Gig Segments
(5 x Copper + 5 x SFP)

N-Platform
660N, 1400N, 2500N, 5100N

1 x 10G Segment
(2500N/5100N only)

CoreController SMS
Security Management System

20 Gig
(load balancing)

3 x 10G Segments

11

N-Platform Hardware Overview

10G SmartZPHA Module

(Option for 2500N / 5100N only)

LCD & Keypad 10G Segment

(2500N / 5100N only)

10 x 1G Segments
(5 x Copper + 5 x SFP)

Serial Console (RJ45)

(115,200/8/N/1 used for initial setup)

Removable Compact Flash

(user data)

Out-of-Band Management Port

(10/100/1000 Ethernet)
12

E-Series Hardware Overview

Segment 1 Port A Segment 1 Port B

LCD & Keypad Serial Console (DB9)

(115,200/8/N/1 used for initial setup)

Out-of-Band Management Port

(10/100 Ethernet)

13

10 / 110 / 330 Hardware Overview

TippingPoint 110 / 330
4 x 10/100/1000 Segments / In-Built ZPHA

TippingPoint 10
2 x 10/100/1000 Segments / In-Built ZPHA

14

TippingPoint Management Architecture

TippingPoint Threat Management Center SMS Java GUI Client

Enterprise Management Element Management

Security Management System (SMS) external server Local Security Manager (LSM) (IPS Web Interface)

Location 1

Location 2

Location N

CLI Terminal, SSH, Telnet

15

TippingPoint Digital Vaccine (DV)

Digital Vaccine
Our term for new filter updates Twice-weekly updates (sometimes more often when circumstances call for it) Immediate protection via a default Digital Vaccine with Recommended settings for all filters New Digital Vaccines may be automatically downloaded from the TippingPoint Threat Management Center No network down time filter updates happen in real-time

16

Digital Vaccine Process DVLabs

Customer Requests SANS CERT Vendor Advisories Bugtraq VulnWatch PacketStorm Securiteam Internally discovered Vulnerabilities ZeroDay Initiative ( www.zerodayinitiative.com )*

Raw Intelligence Feeds

@RISK
DV Labs - Research

Weekly Report
The SANS @RISK newsletter is available for free at: http://www.sans.org/newsletters/risk/ DVLabs - http://dvlabs.tippingpoint.com/ Info on DV team DV Team blog DVLabs advisories Digital Vaccines are delivered via Akamai for resiliency and redundancy
17

Vaccine Creation

Threat Management Center (TMC)

Customer Web Portal (https://tmc.tippingpoint.com)
Make sure you / your team have an account Provides access to important resources:
TOS & DVs Documentation (manuals, seminars, hints & tips, etc) Support materials (RMA processing, knowledge base articles)

Account holders also receive email notifications for new DVs and other support information

SMS / IPS automated updates

SMS and IPS devices can contact TMC directly for automated updates for both DVs and IPS/SMS software

18

Threat Management Center (TMC)

Navigate to the appropriate section of the TMC for DV, TOS, etc.

Link to ThreatLinQ: Event aggregation service utilizing customer and TippingPoint attack data for global threat analysis
19

ThreatLinQ Portal
Helps customers make decisions about how, why, and when to enable different TippingPoint filters
Data sourced real-time by TippingPoint Light-House deployments & customer data

Top Attacks Top Policy Filters Top Attack Sources World Map View Blogs & RSS feeds
20

IPS Initial Setup Wizard

Initial setup is done using a Setup Wizard
Accessed using the IPS console (115200, 8, N, 1)

What you need to know prior to setting up the device:

Username and password for your super user account IP Address of your IPS (refer to the IP sheet) Subnet mask and default gateway DNS settings (if you want the device to access TMC)

NOTE: The IPS will start up with a default security configuration

This default security policy runs with all filters set to their default policy as defined by the DVLabs at TippingPoint (more on this later)
21

IPS Initial Setup Wizard

Connect to the IPS console and answer the setup wizards questions The wizard can also be run from the IPS LCD panel if you do not have console access

22

IPS Setting the Security Level

Security Level sets user id and password policy (length & characters) We recommend using Level 2
23

Create Initial IPS Super User Account

After Security Level, you will be asked to create an initial super user account

24

IPS Management Port IP Address

Login with the new super user account you just created to begin the Setup Wizard

Setting the IP address of the management port is most important. We can then manage via HTTPS and SSH

25

Running setup again

After the Setup , you are in the CLI, you may also connect to the CLI using SSH
26

IPS Web Interface Local Security Manager

Use https to access the LSM https://<ip address of your IPS>

Supported browsers IEv6+ and Firefox Browser checking can be disabled using IPS CLI command: conf t no browser-check

To login: use the username / password created during the initial setup

27

Local Security Manager (LSM)

Current User / Time Session timeout (configurable) Home Icon returns to System Summary Page

Main Navigation
28

LSM System Summary

Health Status (Click links for specifics)

Log Summary IPS filter hits: Block & Alert log Device Logs: System & Audit log
29

IPS System Log

The System Log is accessible in multiple places:
CLI: show log system LSM: Events Logs System Log

System Log contains Log ID, Log Entry Time, Security Level, Component, and Message
Logs can be downloaded, searched and reset

30

IPS Audit Log

The Audit Log contains:
Log ID, Log Entry Time, User, Access, IP Address, Interface, Component, Result and Action

The Audit Log can only be reset and viewed by a user with super-user privileges

31

IPS Alert and Block Log

Where to View Filter Events:
Alert Log: Show filters with Permit + Notify Action Sets Block Log: Shows filters with Block + Notify Action Sets Packet Trace: Filters with packet trace option set
Option for permit or blocks

32

IPS Performance and Port Health

Shows ingress traffic by Segment / Port

33

Managing IPS User Accounts

Create up to 30 additional users

Edit / Delete Users 3 Access Levels: Super-user: All privileges, including ability to create / edit users and view / reset audit log Administrator: Can make configuration changes, cant view / reset audit log Operator: As administrator but view only
34

Managing IPS User Preferences

LSM inactivity timeout LSM page refresh time

Password Security Level Initially set during OBE, controls username / password format Password Expiration policy

Failed login behavior

Note: It is possible to lock yourself out of the system due to excessive failed logins (alternative user / password recovery)

35

Lab Network Overview

Station 1
IPS

Station 2
IPS

Station n
IPS

Tomahawk

Tomahawk

Tomahawk

Management Network

SMS

management network attack network attack ethernet

172.16.240.0/24 10.0.0.0/8 Student Laptops (DHCP)

36

Tomahawk Details
Linux server with three NICs
Two are connected to IPS One is connected to management network

Server is running an open source application known as Tomahawk

Very similar to TCP replay Can generate clean and attack traffic through the IPS by replaying select PCAPs
Tomahawk

Student logs in via SSH to the Tomahawk over the management network and run a number of scripts
attacks 10 perf_http_rate 100

Student

37

Lab #1: Initial Setup of IPS

Refer to the Lab Guide, and complete Lab #1
Connect to the IPS console and perform initial setup Verify IPS connectivity using SSH & HTTPS Run attacks from your Tomahawk Create IPS user accounts

38

SMS Setup, Device Management, Segment Groups

Version 3.1

SMS Feature Overview

Device Management
Multiple IPS device management Device configuration and health monitoring Centralized device package management (DV/TOS)

Security Profiles
Security Profile management and distribution

Events/Reporting
Centralized event collection and reporting

Granular Access Control

Lock down user access to SMS resources

Integration
SMS API Syslog integration with SIM vendors Quarantine integration

High-Availability Cluster Option

40

SMS Setup Wizard

SMS Setup
Similar to the IPS setup (except console settings: 9,600/8/N/1)

Things to have ahead of time

Super-user name and password Management IP, subnet mask and default gateway DNS (for TMC access) NTP servers and time zone NMS IP address information (SNMP trap receiver) SMTP server settings information
For email notifications and reports

41

SMS Initial Login

Connect a terminal cable and boot the SMS, type SuperUser at the prompt:

The default initial Username for the SMS is SuperUser

42

SMS License and Setup Wizard

Read and accept the SMS software license

43

Security Level, Username and Password

Choose Security Level and create your super user account name and password

44

SMS IP Configuration
Choose IPv4 or IPv6 or dual-stack
Enter IP, Mask, Default Gateway & DNS

DNS is used to resolve the TMC address and may also be resolve IP addresses associated with filter events

45

SMS Finishing the wizard

Continue through the wizard, then reboot
Management speed/duplex, host name, Timekeeping, Server Options (ping, ssh, http, etc), SMTP, SNMP trap

Download the SMS client from the SMS via HTTPS

You must reboot at the end of the setup wizard

46

SMS Web Page - Client Download

Login to the SMS web interface and download the latest SMS client
https://<ip of SMS>

47

Logging in using the SMS Client

The SMS client version must always match the SMS server version you are managing
You can install different SMS versions at the same time (select a different folder during the install process)
Drop down list shows previously selected SMS hosts Can be turned off for security purposes Selecting More provides options to login to multiple concurrent SMS servers
48

SMS Client Dashboard and Main Window

Multiple SMS Tabs

49

SMS Client: Admin

General
Reboot / Shutdown the SMS

Update SMS Software & apply Patches SMS System / Audit Logs SMS System / Port Health

SMS can manage up to 25 IPS devices with the default license

50

SMS Server Properties

Management

System Information

Server Properties

Services
As of 3.1 Ping is enabled by default

Remote Syslog
Allows you to offload all SMS events to an external syslog server (typically an external SIM) Can also offload SMS/device Audit & system logs
51

SMS Server Properties Settings

Network

SMS IP Settings

Date / Time Settings

Changes require a reboot

SMTP Settings
For email alerts, and emailing reports

DNS Settings
Required for TMC access

52

SMS User Management

User list, shows all configured users

Select New to add additional users

Current Active Sessions

53

Creating SMS Users

Permissions Provided by these Tabs Super User Role View audit log Manage SMS system properties Add IPS devices Manage Segment Groups Update or patch SMS software Shutdown / reboot SMS Create user accounts Administrator Manage IPS devices (need permission) Manage Policies (need permission) Push DV / TOS (need permission) Operator As Administrator but view only

54

User Permissions Example

Bob can manage IPS #1 and IPS #2 John can edit the Core Policy and push to the Core Segment Group Chris can edit the DMZ Policy and push to the DMZ Segment Group Permissions can be granted in one of two ways:
User perspective: when adding a new user account to the SMS Resource perspective: when adding a new device, profile or segment group
IPS #1 IPS #2 Core Segment Group DMZ Segment Group Core Policy DMZ Policy

Bob John Chris

55

User Permissions
Users can be granted permissions to SMS resources (Profile, Device, Segment Groups) a few ways:
At user creation time, by a user with SuperUser privileges Implicitly, by creation of an SMS resource (Profile or Segment Group Administrators only)

56

Granting a User Permissions to a Resource

A user may also be granted permission to access an SMS resource, by going to the resource and adding permissions directly Permission dialogs exist for Profiles, Segment Groups and Devices
Menu bar: Edit->Permissions Context menu: right click on device
57

Editing Resource Permissions

When editing Permissions for a given resource, choose Administrator and Operator users
Super User users already have rights to all SMS resources

58

Adding and Managing your IPS devices

Add a new Device

59

Adding a New Device

To add a New Device, you must specify:
Device IP address, username and password Device Group Whether you want to synchronize the device to the current SMS time

Configuration options for Online Devices

Launch the device configuration dialog after adding Clone an existing device

Device Groups allow you to group devices for ease of management

60

All Devices View

Each device has drill down information here on the left

Information for all devices under SMS management, including TOS / DV version
61

Shelf Level View

Select Device node for Shelf Level View

62

IPS Behavior under SMS Management

LSM behavior when an IPS is managed by an SMS
Displays the message: Device Under SMS Control and most configuration items are disabled Shows the IP Address and Serial Number of the SMS that is managing the IPS

63

Removing the IPS from SMS Management

To Disable Management
From the SMS: right click on the device and select Edit Unmanage Device From the LSM: System Configuration SMS/NMS From the IPS CLI: conf t no sms

LSM: Uncheck SMS Control

64

IPS Behavior when re-managed by SMS

To Enable Management Again
From the SMS, right click on the device and select Edit Manage Device (you will need to re-authenticate) From the LSM: System Configuration SMS/NMS recheck the Enabled check box You may also issue the CLI command: conf t sms

When an IPS is re-managed by an SMS

SMS will update health status SMS discovers any configuration changes
IPS filter settings is not (more on this later)

SMS imports all IPS filter events that occurred whilst unmanaged
65

Segment Group Concepts

Segment Groups are logical grouping of IPS Segments that can represent a similar policy enforcement point IPS version 2.5 introduced directionality for segments, allowing a different policy to be applied between A B versus B A Examples of Segment Groups:
Perimeter (IPS segment between the Internet and users) Core (between users and core servers) Inbound Perimeter (Port B A on Segment 1) Outbound Perimeter (Port A B on Segment 1)

Used for Profile management Used for Events and Reporting

66

Segment Groups Example

Segment Groups: Perimeter Core

Internet

Core Servers

User Group A

User Group B

2 Segment Groups
Perimeter: between users and the Internet (segment 1) Core: between users and core servers (segment 2)
67

Segment Group Management (Devices Tab)

There is a Default Segment Group on every SMS
The Default Segment Group can not be deleted Newly managed device Segments are placed in the Default Group

A segment may only be a member of one Segment Group

New: creates a new Segment Group Details: view details for an existing Segment Group Edit Membership: move Segments into the Segment Group Delete: deletes Group, segments are moved back to the Default Group

68

Segment Groups New/Edit

Name the Segment Group
Move segments to the right to add them to the current Segment Group, and to the left to remove them

69

Updating Permissions for a Segment Group

In order for Operators and Administrators to be able to interact with a Segment Group, you must grant permissions to your users

Edit Permissions

70

SMS Event Viewer

Define your event query in this pane

Choose the time period for the events

See the results here

71

Event Viewer: Using Query Panes

Use one or more criteria panes to build up the event search criteria
Filter Taxonomy criteria Network, IPS / Segment criteria Time criteria

Use Reset Buttons to clear query parameters

Additional Panes exist for other search criteria

72

Event Viewer: Time Range Pane

Real-time: display events as they arrive Relative Time
Last Minute, 5 Minutes, 15 Minutes, 30 Minutes, Hour, Day, Week, Month

Absolute Time
Specify Start and End Time

Controls
Refresh Button executes a query Cancel Button cancels an already executed query

73

Event Viewer: Saved Queries

Popular search queries can be saved
Select the saved query, then hit Refresh to get the latest data

74

Event Viewer: Right Click Options

Right Click on an Event or Multiple Events
Copy, Export, View Packet Trace View Event Details Edit Filter / Filter Exception Add comment to event (searchable) DNS, whois or ThreatLinQ lookup Add IP Reputation entry (more later) Create SMS Response (more later) Create Named Resource

test footer

75

Event Viewer: Event Details

Event
Event number, hit count Severity, custom comment

Segment / Device
IPSDevice Segment (direction)

Network
Source / Destination Address Source / Destination Port Whois DNS lookup option

Filter Information
Name, Number, Classification, Category, Profile, Taxonomy CVE / Bugtraq ID Description

Copy Details to Clipboard Edit Filter

76

SMS Named Resources

Named objects used for configuration and events
Objects include: IP / CIDR, VLAN ID, email addresses
Configured under Admin tab IP / CIDR can also be added by right clicking on event

Event Viewer showing IP/CIDR named resources

77

Configuring the Event Viewer to resolve Named Resources

If you want Named Resources to show up in the event viewer:
Edit > Preferences > Events Check Enable Named Resources lookup for Events table

78

Lab #2: SMS Client & Device Management

Install the SMS Java Client
Download it from the SMS web page https://<sms_ip_addr>
Note: select a different install directory if you do not want it to overwrite an existing client installation

Manage your IPS using SMS

Add your IPS device Create Segment Groups and Named Resources Investigate IPS behavior when under management Review SMS Audit & System logs

79

Advanced Device Management with SMS

Version 3.1

Device Summary and Configuration

To Edit Device configuration

81

Devices Configuration Dialog

All IPS settings are editable via this dialog

Reboot, Shutdown or Reset Filters (resets IPS policy to factory defaults)

Launch Browser to LSM or SSH (e.g. Putty, teraterm, etc)

82

Device Configuration Member Summary

Member Summary View Health, Configuration Summary & Device status

83

IPS Network Configuration Overview

Network Port physical Ethernet interface
Configure auto-negotiation, speed and duplex Manage the Network Port enable / disable, restart Bound to a specific physical Segment

Physical Segment pair of Network Ports

Configure name, Layer-2 Fallback setting and Link Down Synchronization setting

Note
Traffic entering on a Network Port will exit ONLY on the other Network Port in the Segment
Network Ports Segment

84

IPS Segment Settings

Segment Name
Used in Events and Reporting

Intrinsic HA (Layer 2 Fallback)

Specifies whether this Segment will Block or Permit traffic when the device is in Layer 2 Fallback

Link Down Synchronization

Control behavior of Segments physical Ports when one goes down Hub: if Port A goes down, do not take down Port B Breaker: if Port A goes down, take down Port B, and disable Wire: if Port A goes down, take down Port B, if Port A comes back up, bring up Port B
85

Network Configuration > Segment Settings

86

Network Configuration > Ports Settings

Force Speed / Duplex Disable unused ports Restart port (links down/up)

87

Network Configuration in LSM

Similar configuration may be done via the LSM
Segments Network Ports

88

Intrinsic HA/Layer 2 Fallback (L2FB)

Failover mode for the IPS device, which disables all inspection L2FB can be triggered by the user or automatically by the IPS due to current conditions
Manual Why? During TOS Update During DV Update System Failure/Issue
Normal Processing
IPS
Inspection Engine

Internet

Users

Layer 2 Fallback
IPS
Inspection Engine

Internet

Users

89

Intrinsic HA Configuring and Monitoring in the SMS

Each Segment has a setting for Block/Permit
Intrinsic HA (L2FB) is a global setting to the device Each segment will behave as configured

90

Intrinsic HA in the LSM

91

Layer 2 Fallback (L2FB) Block Example

Network resiliency provided using some form of switch / routing protocol to select the most suitable path
Spanning Tree, RIP, OSPF, VRRP, etc

If primary path fails (detected by loss of update packets), then network will transition to secondary path In this type of deployment, consider blocking traffic in L2FB
This will cause the network to transition to the secondary path, but still be inspected
IPS 1 enters Layer-2 Fallback Segments configured to block traffic in L2FB
A

Core IPS
IPS 2 B B

Core
A Layer-2 Fallback IPS 1

A A

Network transitions, traffic continues to pass and be inspected by IPS 2 Consider configuring IPS 2 to permit traffic in L2FB in case both IPSs fallback simultaneously

!
B

Access
92

IPS: Link Down Synchronization

Determines what to do with a segment Ethernet port, if link fails on its partner port
Hub: Do nothing, when link drops, partner port remains active Breaker: Drop and disable partner until port is manually restarted Wire: Drop partner link, until original restored

Configurable wait-time for Wire and Breaker modes

Avoids possible network flap
Assume Access switch transitions to secondary path on detection of link failure, by default in Hub mode, transition would not occur
A

Core IPS
IPS 4 B B

Core
A

A A B

If wire mode selected, then 1B would also drop, causing switch to transition

Link Failure on 1A IPS 3

Access
93

Zero Power High Availability (ZPHA)

Zero Power High Availability (ZPHA)
ZPHA is an external device, purchased from TippingPoint
NOTE: ZPHA is internal to the 10, 110 and 330

The External ZPHA is powered by the IPS USB port The ZPHA bypasses the IPS during
TOS updates (if device does not support hitless OS update) Power outages IPS 1 Hardware upgrades USB connection
for power

ZPHA
Connection made when USB link drops power

Internet

Users

94

ZPHA: Cabling Considerations

Device A
Net A A B Net B

Device B

When the ZPHA has power and traffic is shunted to the IPS, Auto-MDI will handle any cabling issues When the ZPHA is in by-pass mode, ensure the path from Device A to Device B (Orange Lines) has the proper cabling (straight through vs. cross over)
To negate MDI/MDI-X or wiring issues, best practice is to deploy while IPS is powered off and ensure you have link
95

TippingPoint Operating System (TOS)

TOS images may be imported into the SMS or downloaded from directly from TMC by SMS Updating the TOS is an important procedure because it involves a reboot of the IPS device(s) On E-series hardware models (600E-5000E), and NPlatform, the reboot process is hitless, and the device will honor the Intrinsic HA/L2FB setting for each segment during the code update On Software models (10, 110 & 330) and legacy IPS devices, the update is not hitless, but the impact can be mitigated with a ZPHA (built in on the 10, 110 & 330)
96

Devices > Updating the TippingPoint OS

TOS Inventory
Distributed to a single or multiple IPS devices (may use Device Groups) Devices column shows how many devices are running a given TOS version

Distribution Progress
View details for past or current TOS distributions Stop a current distribution Clear old distributions

97

Devices > Updating the TippingPoint OS

Import from local file system Download from TMC Choose version and select Download All versions for all device types are downloaded Distribution Specific device group(s) All devices Specific device

98

Updating the TOS / DV using LSM

TOS updates may also be done in the LSM To Install a TOS image, navigate to
System Update TOS/DV Update screen

Note: Use same process to update the Digital Vaccine

99

Lab #3: Advanced IPS Management

Investigate Segment behavior in Intrinsic HA / L2FB
Configure Segment 1 to Permit All in Layer 2 Fallback, then run attacks from your Tomahawk Configure Segment 1 to Block All and re-run attacks

Upgrade your IPS software to the specified TOS

100

Basic Filter Policy and Digital Vaccine

Version 3.1

Policy Overview: Digital Vaccine

The Digital Vaccine is a container holding thousands of Filters
Filters are organized into 12 categories (for ease of management) Each individual Filter contains
Meta Information Name, Description Recommended setting (default policy) Matching criteria (trigger & threat verification)

Digital Vaccines are read-only (you dont configure the DV)

Only a single Digital Vaccine can be installed on an IPS at any given time
This is in addition to a custom DV or auxiliary DV which supplements the main primary DV

Only a single Digital Vaccine can be Active on SMS at a given time

SMS can have multiple DVs in its inventory, but policy changes can only be applied to the filters contained within the Active DV
102

Policy Overview: IPS Profiles

An IPS Profile is a collection of Filter policy settings which determines whether a Filter is enabled or disabled, along with Notification and other options
IPS Profiles are distributed to Segments or Segment Groups You can have multiple profiles with different policies
Core vs Perimeter vs DMZ vs Voice

Each profile may have different filters enabled as required for that network location (Segment)

By default all Filters are controlled by their Category Setting and each Category set to Recommended
Filters can be controlled either by Category
For example setting the Spyware to Block / Notify will enable all current and new spyware filters to Block / Notify

Filters can also be overridden from their Category Setting

Allows fine-grain control of each individual filter, where Category would be too broad For example enabling ICMP Echo Request to Permit / Notify

You dont configure the Digital Vaccine, you control the Profile which accompanies it
103

Digital Vaccine + IPS Profile Relationship

Digital Vaccine Contents (Active)
Filter # 0164 0260 3798 2289 Name ICMP Echo Request HTTP: Code Red HTTP: SQL Injection.. MS-RPC: ISystemActivator Spyware: WeatherBug Description This filter detects ping Code Red exploits a buffer overflow in Microsoft This filter detects the string variation of SQL injection.. This filter detects buffer overflow MS03-026 .. This filter detects an attempt to download WeatherBug.. Category Security Policy Exploits Security Policy Vulnerability Recommended Setting Disabled Enabled: Block / Notify Disabled Enabled: Block / Notify Trigger / Threat Verification

Hidden
Intellectual Property

3248

Spyware

Disabled

IPS Profile
Category Setting Vulnerability: Recommended Exploits: Recommended Spyware: Block / Notify Filter Overrides 0164 3798 3248 Filter Filter Filter Enabled: Permit + Notify Enabled: Block + Notify Disabled Packet Trace: No Packet Trace: Yes Exceptions: None Exceptions: 172.16.240.2/32

104

Security Policy Customization

Even with a default security profile, customization is often required for different Segments or directions
Core vs Perimeter vs DMZ Internet Inbound vs Internet Outbound

Filter customization examples

Expanded threats
Spyware, non-common OS / Application vulnerability or exploits

Access Policy / Bandwidth Management

Instant Messenger, Peer-to-Peer, Streaming Media, etc

Unique traffic mix or network

VoIP, SCADA, etc

Customized filtering
Advanced DDoS, Traffic Management Filters, IP Reputation, Thresholding
105

SMS Profiles Tab

Profiles Tab

IPS Profiles

Digital Vaccines

106

Digital Vaccine: Auto DV & Inventory

Current Active DV Auto DV Settings

DVs can be downloaded & Activated automatically

DV Inventory
Shows Active DV and list of other available DVs

DV Distribution Progress
Details DV distribution progress and history
107

DV Import and Download from TMC

DVs can Imported from disk, or downloaded directly from TMC

Distribute
Distributes and installs selected DV to one or more IPS devices, which impacts inspection and possibly network / IPS performance

Activate
Activate only impacts the SMS (no change is made to the inline IPS devices). SMS can only edit filter policy from filters contained within the Active DV

DVs can optionally be Activated and Distributed as part of the download procedure
108

DV Distribution

Select which IPS devices to distribute the DV to

Select Priority Note: High Priority could cause IPS performance issues Distribution status
109

IPS Profiles

Profile Inventory
Shows all available Profiles

Create New IPS Profile

Distribution Progress
Current progress & history
110

IPS Profiles > NEW

Create a new IPS Profile for each Segment Group
Perimeter Profile for the Perimeter Segment Group Core Profile for the Core Segment Group Its good practice to name the IPS Profile similar to the Segment Group to which it will be distributed to (helping to avoid distributing the wrong profile to the wrong group)

When creating new IPS Profiles

Provide name & Description (optional) Once the Profile is created you can optionally assign user permissions

To assign user permissions

File > Permissions or right-click on a Profile
111

Editing IPS Profiles

Once you have created your new profile, you may edit the policy The default settings for a profile reflect the Digital Vaccine recommended setting where about 1/3 of all filters are set to block Notice that every profile contains: Profile Overview Profile Settings Filters by Category Traffic Management Filter Search You may edit filters by Category Individually
112

Editing Filters by Category

Default Profile Settings
All filters controlled by Category All Categories set to Recommended This means each filter enabled depending on its Recommended Setting
As assigned by TippingPoint DV Labs

To change a Category setting

Expand the appropriate Profile (from the left hand navigation) Select either Application, Infrastructure or Performance Protection

113

Editing Filters by Category, Continued

You can select the required Action Set for your desired Category

In this example, were choosing to Block + Notify all Spyware Filters

114

Identifying Individual Filters to Edit

You may identify individual filters two ways: By Category
Select a category of interest to find and edit filters from within that category

By Searching Filter criteria:

Filter Name or Description Severity State Control: Category or Filter Action Sets: Block, Permit or Rate Limit Classification Protocol Platform
115

Finding Filters By Category

Choose a Category (Example: Spyware) Edit filter(s) by highlighting the filter(s) and clicking the Edit button or by right-clicking on the filter(s) and choosing Edit Create Exceptions, view Actions Set, view Related Events

116

Finding Filters Search

Use Search to find for filters, press Search button to start search
Filter Criteria Name, Description, Severity, Category, Filter State Additional Criteria Action Set, Exceptions, New / Modified, Filter comment Filter Taxonomy Classification, Protocol, OS / Platform

Save filter search query and Reset All for new searches

117

Editing Filters
Select one or more Filters then right-click, select Edit

You can also use the Edit button

118

Editing Filters

Override the Category Setting by choosing an Action Set for the Filter

Optionally add Filter specific IP Exceptions (filter wont match)

119

Editing Filters: From the Event Viewer

Filters can be edited directly from the Event Viewer
Right-Click on an event, then Profile > Edit Filter

120

Distribution of Profiles
Once you are finished editing Profiles, you need to Distribute it to a Segment or Segment Group for it to take effect
Anywhere you see the Distribute button, you may select it to distribute the profile

Select Profile, then Distribute

121

Select Destinations for Profile Distribution

You can select whether to Distribute the Profile to a Segment Group, single Segment or Device

Generally you would distribute to a Segment Group

Be careful to select the appropriate Priority, as this may impact your network

122

Lab #4: Basic Filter Policy & DV Management

Distribute the latest Digital Vaccine to your IPS Create an IPS Profile
Edit the CrazzyNet Filter Distribute the Profile to your Segment Group

Create SMS Reports for Top Attacks

123

Advanced Profile Management

Version 3.1

Default Action Sets

Block Block + Notify Block + Notify + Trace Permit + Notify Permit + Notify + Trace Trust Recommended

Additional Action Sets are needed for:

Rate-limiting Other notification types (i.e. snmp_trap, email, syslog) Other packet tracing needs (i.e. only grab the header) Additional block options (i.e. IPS Quarantine, TCP-reset)
125

Creating new Action Sets

Action Sets are shared across all Profiles
IPS Profiles > Shared Settings

Other Shared Settings include:

Notification Contacts (more later) IPS Services

Note: If you edit an existing Shared Setting, you must redistribute any Profile which uses it

126

New Action Sets: Flow Control

Action Set Name Best practice is to use something descriptive Specify Flow Control Determines what to do with the traffic once a Filter matches i.e. block or permit or rate-limit More on Quarantine and Trust Flow control options later

127

New Action Sets: Notifications

Management Console Sends event to SMS, event is also saved on IPS (alert log if permit or block log if blocking action) Remote Syslog Causes IPS to send a syslog notification to the specified syslog server Best practice is to have SMS relay any syslog events to a 3rd party logging system Email / SNMP Traps You can also have the IPS generate emails or SNMP traps
128

New Action Sets: Packet Trace

Packet Trace You can optionally instruct the IPS to take a packet trace of the flow which caused the Filter to fire, but use sparingly Level Specifies how many bytes to capture Priority Storage retention priority for the packet trace

129

New Action Sets

Once created, new Action Sets are available for controlling Category settings and Filter Overrides

Note: If an Action Set calls for the IPS to generate a syslog message, then you must define a remote syslog server under Device Configuration From Devices Tab Right-click device Edit > Device Configuration
130

Advanced Profile Management Topics

Policy by direction
For example Internet in-bound versus out-bound

Policy by VLAN or CIDR Profile versioning, rollback and audit

Profile snapshots (Distribution & user) Import / Exporting Profiles

Management of multiple Profiles

For example changing the same filter across multiple Profiles Comparing Profile differences Searching across multiple Profiles

Scheduled Distributions Determining what Profile is running on which Segment LSM Profile Management
Importing Profiles from the IPS
131

Policy by Direction
Each physical IPS segment is actually defined as two virtual Segments to account directionality A B & B A
The Profile distributed to the A B Segment can be different from the B A Segment

For example if Segment 1 is your Perimeter and you wanted to support policy by direction:
Determine how its physically wired
You would first need to determine how the Segment is physically wired, and whether A B is out-bound vs. in-bound

Create Two Segment Groups

It is best practice to create two Segment Groups say Perimeter In-bound and Perimeter Out-bound and add the appropriate segments

Create Two IPS Profiles

You would then create two IPS Profiles, Perimeter In-bound and Perimeter Out-bound

You would edit the Filters in the In-bound and Out-bound Profiles accordingly Distribute the Perimeter In-bound Profile to the Perimeter In-bound Segment Groups
And same for Perimeter Out-bound
132

Policy by Direction: Segment Groups

Name Perimeter Inbound

Add appropriate Segments to the group in this case B A is inbound

133

Policy by Direction: Profiles

Create a Perimeter Inbound and Outbound Profile
Edit Filters accordingly

Then Distribute the two Profiles to the appropriate Segment Groups

134

Profile Operations: Profile Compare

At times you may wish to see the differences between two or more Profiles and determine what Filters are configured differently
For example between Perimeter Inbound and Perimeter Outbound

Profile Compare
Allows you to compare two or more Profiles and see the deltas between them

135

Profile Compare Details

View just the differences Edit Filter directly from this screen

136

Profile Operations: Profile Import / Export

Profiles may be Imported and Exported to / from SMS to an external storage medium
Useful for importing into another SMS Persistent backup for old unused Profiles

Imported Profiles can be merged into an existing Profile

Either preserving or replacing existing settings

137

Global Search (across multiple Profiles)

Search across all Profiles and edit the same filters(s) in multiple Profiles

138

Profile Snapshots
When distributing a Profile to your device, you get a snapshot of your profile called a Distribution Snapshot
This is a restore point, allowing you to roll-back to this point at a later time To roll-back simply Active / Distribute the required version A User Snapshot may be created as well Profile Versions Tab allows you to manage snapshot versions

139

Profile Versions

Major number increases at each distribution (if a change has been made) The minor number for each individual filter or category change

Full audit Details of who changed which Filter

140

Which profiles are applied where?

Profile Distribution History
Profiles Devices Devices <specific profile> <specific device> Segment Groups Profile Distribution Details Network Configuration <specific segment group> Physical Segments

Device Network Configuration Segment Group Details If you un-manage / re-manage an IPS, the SMS will lose this information as it doesnt know if the profile was changed

141

Security Profiles in LSM

Edit Existing Profile

Create New Profile

142

LSM: Create Security Profile

Profile Name Category Settings

Create Profile

143

LSM: Filter Overrides

Once your Profile is created, you can edit it and create Filter Overrides to configure an individual filter to be different from its Category Setting

144

LSM: Filter Overrides > Search

Use filter search capability to identify filters to override

Once found, add Filter to Profile

145

LSM: Filter Overrides

Now the Filter is added to the override list, you can configure it to be different from its Category Setting

146

LSM: Editing Filter Overrides

General Information Filter name & number, Category, Severity, description & Recommended Setting

Action / State Use Category or Override Enable / disable filter Action Set

AFC & Exceptions More on AFCs later

147

LSM: Apply Profile to Virtual Segment

Profile to Segment mapping differs by IPS platform
E-Series: defined when you create the Security Profile N-Platform: separate screen under Network > Virtual Segments

Specify the Incoming / Outgoing Virtual Ports

Select Profile

Add Virtual Segment

148

LSM: Creating new Action Sets

If needed Action Sets can be created in the LSM IPS > Action Sets

149

SMS: Importing a Profile from the IPS

Filter changes do not synchronize when you re-manage your IPS
You have to determine which takes precedence, the Profile setting on the SMS or IPS If SMS then re-distribute your SMS Profiles to Segment Groups If the IPS takes precedence, you have to import them
Devices Tab > IPS > Network Configuration

150

Lab #5: Advanced Filter Policy

Create Syslog contact & Action Set Update your Segment Groups for directionality Create Inbound & Outbound IPS Profiles
Edit the Crazzy Net Filter using your new Action Set Distribute both Profiles to the appropriate Segment Groups

Edit Filters using the IPS LSM

IPS web interface called Local Security Manager or LSM Import updated Profile to SMS

151

Non-DV Filters
Version 3.1

Non-DV Filter Definition

DV Filters
Filters which perform flow based inspection, against all parts of the traffic
Including packet header and flow payload

Filters are updated on a regular basis with a new DV

Non-DV Filters
Filters which statistically analyze flows or inspect at the IP header Examples include
Traffic Management Filters Advanced DDoS IP Reputation
153

Traffic Management Filters

Traffic Management Filters inspect at the IP header level
Source / Destination IP address Source / Destination TCP / UDP port IP Protocol

Configured within the applicable Profile Once matched traffic can be:
Blocked (silently no notifications) Allowed (traffic will be inspected against the DV) Rate-limit (traffic will be inspected against the DV) Trust (no further inspection occurs)

Traffic Management Filters obey Precedence

Filters can be ordered and are evaluated in sequence Allow rules can be used in conjunction with Block to pin hole IPs within a larger network, for example:
1. 2. Allow 172.16.240.10/32 Block 172.16.240.0/24
154

Traffic Management Filter Configuration

Name / Comment (optional)

Action Block / Allow / Trust / Rate Limit

Note: Need to create Rate Limits Action Sets first

Direction to apply this filter: A B, B A or Both Traffic Definition Protocol (IP, TCP, UDP, ICMP) Trust / Block IP fragments SRC/DST IP (can use named resources)
155

Advanced DDoS
Provides protection against your publically available servers
Typically your DMZ

Advanced DDoS capabilities differ by IPS platform

SYN Flood Protection
N-Platform (v3.1 onwards) E-Series 110/330

Connection Flood & Established Connections/Second Attack

E-Series platforms only

The IPS must be deployed in a Symmetric network for ADDoS to function

IPS needs to inspect full 3-way TCP handshake Must also disable Asymmetric mode TSE setting
156

Background: SYN Flood Attacks

Normal 3-way TCP handshake

Connection Request SYN Request Acknowledged

SYN-Flood Attack
Attacker sends many spoofed TCP SYN packets Server never receives ACK
Connection table fills up quickly New requests are ignored
Connection Requests (spoofed IP) SYN

SYN+ACK Connection Complete ACK

Data

SYN+ACK

CLIENT

SERVER

ATTACKER

SERVER
157

Background: SYN Proxy

SYN Proxy
IPS mediates the session establishment via SYN Proxy Server only handles legitimate connections
Connection Request Three-way Handshake

CLIENT
SYN SYN+ACK

IPS

SERVER

Connection Complete

ACK

SYN SYN+ACK ACK Data

158

Advanced DDoS: Asymmetric Mode

Right-click device and Edit configuration

TSE Settings Under Asymmetric Network, uncheck Enabled

159

Advanced DDoS: New Filter

Create New ADDoS Filter Profiles > Infrastructure Protection > Advanced DDoS

Name Action Direction Protected designations

160

Advanced DDoS: New Filter

E-Series Configuration

Notification Threshold
The IPS will only generate an event when rejected SYNs rise above this rate (note protection is immediate)

N-Platform Configuration

Enable SYN-Proxy
N-Platform can be enabled here E-Series is done under Devices Tab

161

Reporting for ADDoS & Rate Limits

SMS Reports
Rate Limit (by device or rate) Advanced DDoS report Note: slight delay in SMS report data gathering

LSM Reports
Rate Limit & DDoS report Note: useful for real-time reports

162

Lab #6: Non-DV Filters

Traffic Management Filters
Create a TM Filter to rate-limit inbound web traffic (TCP/80) Create TM Filter to Trust Tomahawk traffic

Run Rate-Limit SMS Report Create TM Filter to Block all Tomahawk traffic (optional) Note: Ensure you remove all TM Filters when finished

163

High-Level Architecture & Performance

Version 3.1

Threat Suppression Engine (TSE)

The TippingPoint TSE is flow based, a flow is defined by the following:
Source / Destination IP address Source / Destination Port IP Protocol

The TSE inspection engine performs easiest tasks first

For example Traffic Management Filters are easier than DV inspection filters TM filters occur first Flows must be complete and in sequence prior to inspection
IP re-fragmentation TCP re-sequencing

DV inspection can then occur on the re-fragmented/sequenced flow

Lets examine the art of filter writing, by using the Microsoft RPC DCOM buffer overflow vulnerability for our example:
Referenced in Microsoft security bulletin MS03-026 Exploited by both the Blaster and Nachi worms to name a few
165

Microsoft RPC DCOM Overflow Vulnerability

SERVER
Server Port 135/tcp BIND
Interfaces Available:
e1af8308-5d1f-11c9-91a4-08002b14a0fa 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b 975201b0-59ca-11d0-a8d5-00a0c90d8051 e60c73e6-88f9-11cf-9af1-0020af6e72f4 99fcfec4-5260-101b-bbcb-00aa0021347a b9e79e60-3d52-11ce-aaa1-00006901293f 412f241e-c12a-11ce-abff-0020af6e7a17 00000136-0000-0000-c000-000000000046 c6f3ee72-ce7e-11d1-b71e-00c04fc3111a 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 000001a0-0000-0000-c000-000000000046 v3.0 v1.1 v1.0 v2.0 v0.0 v0.2 v0.2 v0.0 v1.0 v0.0 v0.0

PACKETS FROM CLIENT

Pkt 1 REQUEST
Function Call: Opnum 4

Interface: ISystemActivator
000001a0-00000000-c000000000000046 v0.0

Pkt 2

Function Arguments \\server\file

Pkt 3

Function call 4, contains a heap-based buffer overflow in the server parameter

166

Vulnerability-Specific Filters
In EVERY attack, the following must be true to exploit the buffer overflow
TCP session established to appropriate port (135) BIND is to the appropriate RPC interface REQUEST is to appropriate function call (opnum=4) SERVERNAME parameter must be longer than 44 characters

This guarantees no false positives and no false negatives

\\server\filename becomes \\...44+ character buffer...\filename

Pros: Proactive protection, very precise, hard to evade Cons: Requires powerful and fast filtering engine
167

Exploit-Specific Filters
An exploit-specific filter detects the shellcode used in a particular exploit, which could lead to false positives / negatives
Example: The following hex string can be used to detect the MS Blaster worm:
EB 19 5E 31 C9 81 E9 89 FF FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32

\\server\filename becomes \\...long buffer with shellcode...\filename

Pros: Simple string match, easy to implement, suitable for weak engines Cons: Reactive, possible false positives / negatives, blind if exploit modified
168

TippingPoint Architecture

Flow Table

Packet Header Processing

Suspicious

Flow Control

DROP

DROP

Threat Verification
MGMT
TRIGGER DV VERIFICATION POLICY NOTIFICATION ENGINE

DROP

PROFILE

FILTER MATCH

From SMS / LSM

SMS/LSM syslog trap email

169

Architecture: Block / Rate-Limit Streams

When the IPS blocks a flow, it will block all packets which share the same 5-tuple
Source / Destination IP address Source / Destination Port IP Protocol

This has a significant perform gains, as the IPS no longer needs to inspect the packets belonging to a blocked flow
Blocked streams remain for 30 minutes by default Changing a filter set to block to something else (permit or disable), will not clear a blocked stream
You may have to manually clear out a blocked stream

The same principle applies if the DV filter has an Action Set of Rate-Limit
170

Viewing blocked streams using SMS

5 Tuple

IPS > Events

Flush selected or All streams

171

Viewing blocked streams using LSM

Select to flush

172

Performance Overview
The TippingPoint IPS is built on a real-time operating system
Inspecting traffic is the highest priority Other tasks are all lower priority

Block and Notify operations perform better than Permit and Notify operations
We are first and foremost an IPS (Prevention) and not an IDS (Detection)

Overall system performance can be optimized automatically as well as through manual intervention
Automatic Optimization Manual Optimization Properly size the device (rated throughput) Define Trust/Block TM Rules Create Exceptions Disable poorly performing filters Use Blocks instead of Permits Reduce Packet traces & notifications
173

Layer 2 Fallback (Intrinsic HA) Performance Protection Adaptive Filter Configuration

Layer 2 Fallback (Intrinsic HA)

Causes of automated Layer 2 Fallback
IPS system issues
Suspended Tasks TSE Issues Hardware and Software Watchdog timers

Excessive congestion (90% packet loss in less than 10 seconds)

Extreme over-subscription of the IPS Device

174

Performance Protection
Sending notifications takes up CPU cycles Notifications can be suspended automatically if experiencing congestion Performance Protection settings
Logging Mode: Always log / Disable if congested Congestion Percentage: Default:1.0% Range: 0.1% to 99.9% Disable Time: Notification suppression time, Default: 600 seconds

175

Adaptive Filter Configuration - AFC

The IPS can protect against the adverse effects of a specific filter Very dependent on individual customer traffic patterns The IPS can disable individual filters under certain situations: Threat Verification Timeout A Trigger results in a lot of suspicion, but no matches and the IPS is experiencing congestion AFC Settings: Filter Settings AFC may be turned on/off for specific filters as well Global Settings Auto or Manual
Default: Auto, which means that AFC is on

176

Performance Optimization (Manual)

Optimization is only required if congestion is occurring or if an IPS is being operated close to its maximum rated throughput How to view amount of congestion How to view amount of TSE throughput How to view filter performance The next few slides demonstrate the steps to consider when optimizing performance

177

How much traffic is traversing the IPS?

show np tier stats Look at Tier 1 Rx Mbps / Tx Mbps
Shows current and maximum throughput from all Segments
Recommend you run the command multiple times

High-level watermark shown in parenthesis ()

Reset on reboot or clear np tier stats (N-Platform only)

Ensure traffic not too close to maximum rating for that device

178

Monitoring Throughput

179

Is the IPS experiencing Congestion?

show np general statistics These are always increasing values
Run the command multiple times within a given period Congestion: shows packets dropped due to congestion

Look how many packets are being dropped due to Congestion Run command more than once to see if congestion is increasing On N-Platform its named Dropped instead of Congestion

180

Monitoring Congestion

181

Which filters are working well (or not)?

show np rule-stats
Show the top 20 triggered filters Which filters are triggering the most Look for filters with high % Total Which filters are working well Look for filters with high % Success 100% means each time a filter is triggered, a threat is found Which filters are triggering, but not finding anything bad Look for filters with zero % Success Filters highlighted are candidates to be disabled
Large number of flows Zero success

Note: they are candidates, as they may detect attacks in the future!

182

Common Performance Problems

Problem
Over subscribing the IPS with too much traffic Lots of out of order or fragmented packets Congestion when distributing Profiles or updating DVs Congestion during peak network load

Solution
Route traffic around the IPS or get a bigger IPS / CoreController Use inspection by-pass rules (N-Platform only) Could be a network MTU issue Lots of IP in IP traffic Trust fragmented traffic between trusted servers Check that you do not have high-priority enabled Distribute at a quieter time Place device into L2FB, then distribute, then remove L2FB Ensure you apply filters only where needed (i.e. VoIP filters only on voice vlan) Disable filters which you know you no longer need (patched, dont use application / OS, old vulnerability, etc) Use show np rule-stats to identify filter candidates to disable Consider using traffic management trust rules to trust backups or other trusted bulk transfer applications Check you dont have excessive Permit + Notifies, packet traces or email notifications Look to set filters which are firing to Block only (ie SQL slammer) Review other solutions above
183

IPS Enters Performance Protection

IPS Quarantine, Reputation & SMS Responder

Version 3.1

IPS Quarantine Overview

Quarantine can be used to prevent an infected machine from accessing the network
It can optionally be used to inform the hosts user that something is wrong

When a host is Quarantined the IPS can:

Block, intercept or redirect http traffic Block all other non-http traffic from that host
Not just the 5-tuple flow of a regular Filter block or block/notify

Quarantine behaves slightly different between platforms

N-Platform devices support:
Block + Quarantine (quarantine immediately) Permit + Quarantine (can specify a threshold before quarantining)
IE Quarantine after 5 hits in 2 minutes (ideal for failed login attempts)

Non N-Platform devices (10, 110, 330, 600E-5000E)

Only Block + Quarantine Thresholding can be achieved by leveraging SMS Responder
185

IPS Quarantine Overview

Quarantine can be used to prevent an infected machine from spreading worms
Can also be used to inform the user that something is wrong
1. 2. Filter blocks worm Infected PC Quarantined

Browse to www.google.com.. .

Worm tries to spread

Corporate Network
walk-in worm Infected PC

Internet

186

IPS Quarantine Configuration

IPS Quarantine is configured as a Filter Action Set
Profiles > Shared Settings

Name

Flow control: Quarantine

187

IPS Quarantine Configuration

Configure required Notifications
All Notifications types are possible, along with Packet Traces

188

IPS Quarantine Configuration

Configure Threshold and what to do with web requests and all other traffic
Threshold hit count and period and what to do with the traffic until the threshold is reached. Web Requests Block Redirect (to your own server) Display quarantine web page * IPS displays block page Note: only N-Platform supports Permit, all other devices only support block

Choose what to do with other traffic

189

IPS Quarantine Configuration

Restrictions / Exceptions and Quarantined Access

Restrictions / Exceptions Which IP CIDR can or can not be quarantined. The Filter will still match, this setting determines whether to quarantine the host

Quarantined Access List of CIDRs which a quarantined host can access for example a remediation servers

190

IPS Quarantine
When traffic hits a Block + Quarantine filter:
A Blocked Stream is generated A Quarantined Host is generated

Hosts can be released from Quarantine manually

Or you can configure an automatic timeout

191

IPS Quarantine Threshold Example

N-Platform ONLY

N-Platform allows the ability to perform Permit thresholds for Quarantine

This is ideal for blocking excessive failed login attempts

192

IP / DNS REPUTATION

193

IP / DNS Reputation Overview

Allows the ability to create policy based on IP / DNS reputation
N-Platform only feature For DNS reputation IPS must be in path between client and DNS server

Reputation data can be entered manually or sourced from TippingPoint with Reputation DV service
Manual entries: can be added individually, from event viewer, or imported from file (csv format) Reputation DV service from TippingPoint (future)

Reputation Filter determines what action to perform when traffic matches a reputation criteria
Configured as part of your IPS Profile (then distributed to appropriate Segment or Segment Group) Reputation Filters can use any available Action Set
Including Block, Permit, Rate Limit & Quarantine
194

IP / DNS Reputation Overview

Reputation DV IPv4 & IPv6 Address DNS Name Reputation information for each Set Policy Based Upon Reputation Score Locale (Country) Device Type - exploit source, malware host, Botnet CnC, spam, etc

Security Management System

Access Switch

Internet IPS Platform

Requests to Bad DNS Domains Blocked

Traffic from Bad IP Addresses Blocked

195

Reputation Database Example

IP / DNS 58.24.0.1 58.192.0.5 204.79.230.53 62.212.96.43 62.217.0.154 24.48.224.120 Type Botnet Hacker Spammer Hacker Hacker Hacker Country China China UK France France USA Score 9 10 6 9 10 3

Each database entry can optionally contain a tag You can create your own tag categories
Type, score, country, etc

Categories can be defined as

List, numeric range, date, Boolean, free form text
196

Reputation: Tag Categories

Name

Type
Text, Numeric, List, Boolean, Date

197

Reputation: List Tag Category Example

Name: Country Type: List

List Entries

198

Reputation Database: Import / Add Entries

User Provided Entries

Once your tags are defined, you can start entering or importing your entries

199

Reputation Database: Adding Entries

Add or Import from File

Add Entry
IP Address / DNS domain Reputation Data

Importing from CSV file

62.201.128.219,Country,France,Score,7,Type,Hacker,Validated,TRUE 62.210.0.1,Country,France,Score,8,Type,Hacker,Validated,FALSE 62.212.96.219,Country,France,Score,9,Type,Hacker,Validated,TRUE 62.217.0.219,Country,France,Score,10,Type,Hacker,Validated,FALSE 24.40.96.219,Country,USA,Score,1,Type,Botnet,Validated,TRUE 24.40.128.218,Country,USA,Score,2,Type,Botnet,Validated,FALSE 24.40.192.219,Country,USA,Score,3,Type,Botnet,Validated,TRUE 24.41.0.218,Country,USA,Score,4,Type,Botnet,Validated,FALSE
200

Reputation Database: Search

You can search the Reputation database by criteria
For example: all Chinese & French botnets with a score >= 7

201

Reputation: Profile Settings

Profile > Infrastructure Protection > Reputation
Click New to create new Reputation Filter

Reputation Settings
Match against source, destination or both addresses Block or Permit while performing database lookup

202

Reputation: New Filter

Name Action Set

Reputation Criteria

203

Reputation: Events

204

SMS RESPONDER

205

SMS Responder Overview

Responder (or Active Response) is a mechanism where SMS can perform Action based on various Inputs Inputs (also known as Response Initiation)
Manual (for example from Event Viewer) Threshold (x number of hits in y timeframe) IPS Quarantine occurrence External system integration (via an API call) Implement IPS quarantine Switch disconnect or move to VLAN Notification External system integration Custom Action / Response (fully scriptable)

Action (outcome of a Response)

Example Responder use-cases

Failed login attempts / conficker mitigation Brute force web harvesting Desktop ticket system integration (i.e. in response to spyware filter hit)
206

SMS Responder Lifecycle

START: Response Closed
Response Closed
Threshold of filter hits Event Viewer IPS Quarantine External System

Actions (close)

SMS Performs closing Actions

Response Triggered (open)

Manual External System Timeout

Response Triggered (close)

Response Opened

SMS Opens Response SMS Performs one or more Actions

IPS Quarantine External System Web call Move to VLAN Email Switch Disconnect
207

Actions (open)
Syslog / trap

SMS Responder Example (Simple)

Manual Response (from Event Viewer)
Useful if you quickly want to block a host
1. Select Responder tab

2. Choose Policies

3. Click New

208

Responder: Initiation

1. Policy Name

2. Policy Initiation

209

Responder: Inclusions / Exclusions

Enter Inclusions / Exclusions

In our case Allow Any IP Address

210

Responder: Actions

2. Select IPS Quarantine

3. Click OK 1. Click Add Action 4. Finish

211

Responder: Create Manual Response

From the SMS Event Viewer From the Responder Tab

212

Lab #7: IPS Quarantine and Event Viewer

IPS Quarantine
Create DMZ Segment Group & Profile Create new IPS Action Set for Block + Quarantine Edit ICMP Echo Request Filter #0164 Distribute Profile & Test

Create Filter Exception using SMS Event Viewer

213

Lab Network Re-Wire

Before After

Tomahawk Tomahawk

Student

Student

Student connects directly to Tomahawk via management network

Student traffic passes through IPS when connecting to Tomahawk via management network
214

RESPONDER THRESHOLDS (TIME PERMITTING)

SMS Responder Correlation & Thresholding

215

SMS Responder Example (Advanced)

Your organization wishes to block excessive pings Excessive = more than 20 pings in 2 minutes If threshold is exceeded, then block the attacker for 3 minutes Step #1 Create Active Response Policy Enable Correlation & Thresholding for 20 in 2 minutes Specify timeout of 3 minutes Specify Actions IPS Quarantine Step #2 Create IPS Action Set Under shared settings Set filter action to Permit, specify SMS Active Response policy just created in Step #1 Step #3 Edit filter & Chose Action Set & Distribute Profile Edit filter 0164: ICMP Echo Request Choose Action Set from Step #2 Distribute
216

SMS Responder Example (Advanced)

Specify Initiation & Timeout

Enable Correlation & Thresholding

Automatic Timeout after 3 minutes

217

SMS Responder Example (Advanced)

Specify Inclusions & Exclusions

218

SMS Responder Example (Advanced)

Configure Threshold 20 hits in 2 minutes

219

SMS Responder Example (Advanced)

Add Responder Actions

220

SMS Responder Example (Advanced)

If using IPS Quarantine as a Responder Action, you must specify which devices will implement the Action

221

SMS Responder Example (Advanced)

Create new Filter Action Set (Profiles > Shared Settings)

Were using Permit for Flow Control As we want SMS Responder to determine if / when to block

222

SMS Responder Example (Advanced)

We must tie this Action Set to the desired SMS Responder Policy

223

What happens now

Now you configure the appropriate filter with this Action Set If someone pings the victim excessively
The IPS will generate hits for Filter #0164 The SMS sees the filter hits (because we checked Permit and Notify in the Action Set)

The SMS Responder Policy receives the filter hit (because we checked appropriate Responder policy in the Action Set)
The Responder Policy will eventually become Active because more than 20 hits will be seen within 2 minutes

The policy will go into effect, and the IPS devices will be told to Quarantine the attacking IP address
224

Lab #8: SMS Responder

Block Excessive Pings using SMS Responder
Trigger on 20 pings in 2 minutes Automatically close response after 3 minutes Create new IPS Action Set to use Responder Policy
Apply to ICMP Echo Request Filter 0164

Experiment blocking hosts using a Manual Response

225

Ongoing Maintenance, Troubleshooting and Additional Resources

Version 3.1

Digital Vaccine Maintenance

Setting up Auto-DV download using the SMS is easy
Download from TMC Activate in SMS Distribute to all Devices Note: This distribution will occur as soon as SMS detects the new DV on TMC

To Distribute new DVs at a specific time, then:

Setup Auto Download Setup Auto Activation DO NOT set Auto Distribution
This would distribute the new DV immediately

Create a Digital Vaccine schedule

227

Digital Vaccine Scheduled Distribution

Auto DV Activation
Enable Auto DV Download Enable Auto DV Activation Disable Auto DV Distribution

New Scheduled Distribution

Name, Schedule, DV version IPS Device Targets

228

IPS System Snapshots

System Snapshot is an IPS configuration backup
Which includes current Digital Vaccine Once created you should export from the IPS
Either to your laptop or SMS for safekeeping

Useful for:
Saving a known good configuration Cloning configurations Backup purposes (Disaster Recovery)

To restore a System Snapshot

The IPS model and TOS version must match exactly the device which it was created on The snapshot must be imported to the IPS The IPS will reboot when the Snapshot is restored
229

IPS System Snapshots (using SMS)

IPS System Snapshots
Managed under Devices Tab IPS > Device Configuration > System Update

Snapshot has to be on the device before it can be restored

Creates new snapshot on IPS

Import / Export from disk

Copys snapshot to / from SMS

Restore (will reboot IPS)

230

IPS System Snapshots (using LSM)

Snapshots can also be managing using the LSM
And CLI snapshot create <name>

231

SMS Database Backups

SMS Database Backups
Backs up SMS database for disaster recovery purposes Can be Scheduled or Immediate Backup file can be stored locally or offloaded to NFS / SMB file share or sFTP/SCP The backup file can be optionally encrypted Time/date stamp can be added to the backup filename

SMS Database Backup Contents

SMS configuration information
All SMS settings, all Devices under management

Device configuration
IPS configuration and snapshots from devices (if stored on the SMS)

Include Packages (Digital Vaccines & TOS images)

One or more Digital Vaccines, zero or more TOS images

SMS event history (optional, could increase backup size to ~15GB)

232

SMS Database Backup

233

SMS Database Backup Wizard

Scheduled Backup
Specify schedule name & recurrence

234

SMS Database Backup Wizard

Specify number of DVs / TOS images to include

Specify whether to include event data (makes backup large ~15GB)

235

SMS Database Backup Wizard

Specify backup location

Recommend off-box for disaster recovery purposes

236

SMS Database Backup Wizard

237

SMS High Availability (HA)

Configure two SMS devices One will be the active SMS, the other the passive SMS The two devices communicate over a secure channel to exchange heartbeat and to synchronize data This secure channel can be over the primary (management) or secondary (private) interface
NOTE: SMS servers have two NICs marked 1 (primary) and 2 (secondary)

The two devices can share a virtual IP

Active device responds to requests to the virtual IP

If the active device fails, the passive will take over

238

SMS High Availability: Using Primary Link

SMS #1 192.168.1.20

Optional Virtual Shared IP 192.168.1.22 sync HB

SMS #2 192.168.1.21

sync HB User Laptop 192.168.1.x

239

IPS Password Reset Procedure

To perform a password reset on an IPS:
Establish a terminal connection to the IPS (115200/8/N/1) Reboot the IPS and watch for the word Loading (see screen shot on next page) Type mkey before the appears after the word Loading If mkey is input at the right time, the IPS will request the following:
Security level SuperUser name SuperUser password

NOTE: Since this procedure requires a reboot of the IPS device, be aware that traffic through the device may be interrupted
240

IPS Password Reset Procedure

IPS Serial Console
Enter mkey (no spaces, no CR/LF)

Type mkey here

241

IPS Password Reset Procedure

Enter security level and new Username / Password
All other system configuration information remains the same

242

SMS Password Recovery

Connect monitor & keyboard to SMS
Reboot and interrupt the boot process Select Password Recovery

Login to SMS using:

Username: SuperUser Password: <SMS Serial Number>
Serial number can be found by pressing <ALT><F12> once booted

243

IPS: Command Line Interface (CLI) Overview

Connecting to the CLI
Terminal Cable SSH Telnet (Must turn this on for Telnet access to be available)

CLI basics
help Run this command to enter the help mode ? will display sub-commands or usage information
show ? for example

Sticky commands
conf t <enter> will enter the configuration mode Ctrl-c or exit to escape this mode

Auto-complete
Press tab key for auto-complete sh<tab> will get you show

Shortcuts
conf t for configure terminal sh for show
244

IPS: CLI Top-Level Commands

Show commands: allows user to view IPS settings
sh for short Example: show conf host

Debug commands: for lower level troubleshooting

Example: debug information memory

Configure Terminal commands: make configuration changes

conf t for short Commands take effect immediately, no saving required (are persistent) Example: configure terminal server http

Snapshot commands: create and manage IPS snapshots Other useful top-level commands
reboot restarts the IPS halt gracefully halts the system in preparation for a power off setup re-run the setup wizard traffic-capture capture traffic on inspection segments
245

IPS Factory Reset

Login to the CLI as a user with super-user access Type: debug factory-reset
When prompted, type COMMIT and press <enter>

NOTE: This command will remove:

All current configuration information All log files All User Accounts All filter policies Resets IPS to the factory delivered TOS and DV versions

Recovering after a Factory Reset

Re-Setup the device Use an IPS system Snapshot and restore Use an SMS to re-push IPS Policy
246

SMS Factory Reset

The SMS Factory Reset only clears out the SMS database and leaves the software version intact

247

Resetting IPS Filters

If you are experiencing issues with performance, or filter policy, you may elect to reset the IPS filters
In the SMS under the Device Configuration dialog From the LSM, IPS Preferences Reset

Afterwards, you need to do the following

Recreate any virtual segments Re-distribute your profiles to the device

248

Troubleshooting: IPS Management Port

Ping
ping <address>

ARP Listing
show arp

TraceRoute
traceroute

Show Management Port Settings

show conf interface mgmtEthernet

249

Troubleshooting: No traffic passing

Port Health
Link Negotiation L2FB Set to Block

Blocked Streams Quarantined host entry IP Reputation entry set to Block Traffic Management Filter set to Block

250

Troubleshooting: Policy not working

Port Health
L2FB Set to Permit

Has Policy been distributed to proper segment Filter Exception Profile Exception Traffic Management Filter set to Trust

251

Resources: TMC and ThreatLinQ

TMC
Make sure you are signed up to receive emails updates Great source for up to date information on TippingPoint products, release notes, white papers, best practices guides, etc Knowledge Base Product Releases

ThreatLinQ
Helps with Policy decisions and dealing with timely/imminent threats Blog Articles on current threats and how to deal with them Top Attacks, Movers and Shakers Highest rated policy filters Note: Consider configuring your SMS to share info with Threatlinq (opt-in via Edit Preference Security)
252

Resources: TippingPoint User Group

List Server is hosted by University of North Carolina
Self help group, NOT run by TippingPoint TippingPoint employees monitor the group along with many customers

How to join
TippingPoint Users Group - http://mail.unc.edu/lists/ List Name is "tippingpoint" Register and receive access by administrator

253

Resources: TippingPoint Support

Phone Support
North America: +1 866 681 8324 International: +1 512 681 8324 Note: For certain regions there are direct numbers (see website)

Email address: [email protected] Things to Provide

Company name Information to have handy
show version model, TOS, DV and Certificate Number show log system (especially showing WARN, ERROR and CRIT) show log audit

For performance issues

Packet Traces (for AFC filters) show tier-stats show rule-stats
254

THANK YOU!

http://www.tippingpoint.com/training
255