HP TIPPINGPOINT TRAINING COURSE
Web Based Partner Certification Training

ABOUT THIS COURSE
- Description
  + This course provides a technical introduction to the HP TippingPoint Intrusion Prevention Systems (IPS) and the Security Management System (SMS)
  + This course prepares the student to take the Partner Certification Exam
- Audience
  + HP Security and Network Sales Partners
  + This course is suitable for those having no pre-existing knowledge of TippingPoint
  + A strong background in networking technology and familiarity with switching and CLI operation is recommended
- Duration
  + The course duration is approximately 2 hours

LEGAL NOTICE
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP.
Product of USA

COURSE OBJECTIVES
- Understand how to set up and configure HP TippingPoint IPS and SMS devices
- Understand how to manage your IPS and SMS devices, including updating Digital Vaccines and the IPS and SMS software
- Understand how to create and apply security policies by configuring filters and applying security profiles to your IPS devices
- Understand Events and Reporting from an IPS and SMS perspective
- Understand how to troubleshoot and monitor the performance of an IPS device

COURSE AGENDA
- Introduction to the HP TippingPoint family of products
- IPS setup and basic health / Administration
- SMS setup, IPS management and Segment Groups
- Basic filter management
- Advanced filter management
- High-Level Architecture
- IPS Quarantine
- SMS Responder
- IP / DNS Reputation
- Performance, Maintenance & Troubleshooting

INTRODUCTION TO HP TIPPINGPOINT SECURITY PRODUCTS

INTRUSION PREVENTION SYSTEM BACKGROUND
- Intrusion Prevention System
  + Sits in-line in the network flow
  + Scans traffic as it passes and takes actions (block, rate-limit, alert) based on a configured policy
  + The IPS acts like a "bump in the wire" device (a SEGMENT): no IP addresses, Layer 2
  + Effectively patches you at the network level
- Capabilities of an IPS:
  + Perform as both a NETWORK device and as a SECURITY device
  + NO FALSE POSITIVES (don't block what you shouldn't)
  + Possess a flexible inspection engine to adapt to new threats
  + Provide for policy and filter updates in real time (no network outage)

COMMON IPS DEPLOYMENTS
(Figure: IPS placement between the Internet, Perimeter, Aggregation and Core, with throughput ranging from 10 Mbps to 1 Gbps at the perimeter, 1 Gbps to 10 Gbps at aggregation, and n x 1 Gbps to n x 10 Gbps in the core)

HP TIPPINGPOINT S-SERIES PRODUCTS
(Figure: product overview grouped into IPS Platform Solutions for 10GE networks / core / data center, ROBO, perimeter and zone deployments; Security Intelligence from DVLabs; Management and Accessories; Services)
(Figure: S-Series product family with the segment count of each model; the detail of this slide is not legible in the source)

HARDWARE FEATURES S10 / S110 / S330
- HP TippingPoint S110 / S330: 4 x 10/100/1000 Segments / Built-In ZPHA
- HP TippingPoint S10: 2 x 10/100/1000 Segments / Built-In ZPHA

IPS S-SERIES TECHNICAL SPECIFICATIONS

                         S660N               S1400N              S2500N              S5100N
Network Throughput       750 Mbps            1.5 Gbps            15 Gbps             15 Gbps
Inspection Throughput    750 Mbps            1.5 Gbps            3 Gbps              5 Gbps
Typical Latency          < 80 microseconds   < 80 microseconds   < 80 microseconds   < 80 microseconds
Concurrent Network       6,500,000           6,500,000           10,000,000          10,000,000
Sessions
Connections/Sec          115,000             115,000             230,000             230,000
Interfaces               10x 1GbE Copper     10x 1GbE Copper     1x 10GbE XFP        1x 10GbE XFP
                         10x 1GbE SFP        10x 1GbE SFP        Internal ZPHA       Internal ZPHA
                         10 Total Segments   10 Total Segments   10x 1GbE Copper     10x 1GbE Copper
                         External ZPHA       External ZPHA       10x 1GbE SFP        10x 1GbE SFP
                                                                 10 Total Segments   10 Total Segments
                                                                 External ZPHA       External ZPHA
Power                    AC only             AC only             AC or DC            AC or DC

HARDWARE FEATURES S660N AND S1400N
HARDWARE FEATURES S2500N AND S5100N
(Figure: front panel showing the ZPHA module bay, 1GbE segments (fiber), 1GbE segments (copper), LCD screen, LCD keypad, ZPHA port, console port, compact flash and the 10 GbE segment; rear panel showing the power supply, power cord, mounting bracket and reset button)

HP TIPPINGPOINT MANAGEMENT ARCHITECTURE
(Figure: the HP TippingPoint Threat Management Center (TMC) supplies updates to the SMS; the SMS Java GUI client provides enterprise management of the SMS, which in turn provides element management of the IPS devices, e.g. IPS-PERIMETER, IPS-CORE and IPS-DMZ)

DIGITAL VACCINE PROVIDES IPS FILTERS
- Digital Vaccine filter coverage:
  + Vulnerabilities
  + Malicious Code (virus, Trojan, etc.)
  + Spyware
  + DDoS Attacks
  + Reconnaissance
  + Protocol Anomaly
  + Policy (attachments, common passwords, etc.)
  + VoIP
  + SCADA
- Deep filter coverage
- Weekly updates
- HP TippingPoint provides > 5500 filters with 4 recommended filter sets

THREAT MANAGEMENT CENTER (TMC)
- Customer Web Portal (https://tmc.tippingpoint.com)
  + Make sure you / your team have an account
  + Provides access to important resources:
    - TOS & DVs
    - Documentation (manuals, seminars, hints & tips, etc.)
    - Support materials (RMA processing, knowledge base articles)
  + Account holders also receive email notifications for new DVs and other support information
- SMS / IPS automated updates
  + SMS and IPS devices can contact TMC directly for automated updates for both DVs and IPS/SMS software
- Navigate to the appropriate section of the TMC for DV, TOS, etc.
- Link to ThreatLinQ: an event aggregation service utilizing customer and HP TippingPoint attack data for global threat analysis

HP THREATLINQ PORTAL
- Helps customers make decisions about how, why, and when to enable different HP TippingPoint filters
- Data sourced in real time from HP TippingPoint Light-House deployments and customer data

IPS INITIAL SETUP WIZARD
- Initial setup is done using a Setup Wizard
  + Accessed using the IPS console (115200, 8, N, 1)
- What you need to know prior to setting up the device:
  + Username and password for your super user account
  + IP Address of your IPS
  + Subnet Mask and Default Gateway
  + DNS settings (if you want the device to access TMC)
- NOTE: The IPS will start up with a default security configuration. This default security policy runs with all filters set to their default policy as defined by the DVLabs Team at HP TippingPoint (more on this later)
- Connect to the IPS console and answer the setup wizard's questions (the wizard also offers optional steps such as Initialize Email and Initialize Remote Syslog). The console banner shows the installed Digital Vaccine (2.5.2.7721 in the screenshot) and the Hardware Rev (A).
- The wizard can also be run from the IPS LCD panel if you do not have

IPS SETTING THE SECURITY LEVEL
- The Security Level sets the user id and password policy (the screenshot shows a policy requiring at least 1 numeric character)
- Prompt: Please specify a security level to be used for the initial super-user name and password
- The wizard will ask you to confirm your settings, so don't worry if you

CREATE INITIAL IPS SUPER USER ACCOUNT
- After Security Level, you will be asked to create an initial super user account (Name: superuser in the example)
- After logging in, you will be asked for additional information

IPS MANAGEMENT PORT IP ADDRESS
- Setting the IP address of the management port is most important; we can then manage the device via a network connection (e.g., a web browser), HTTPS and SSH
- Example prompt: Enter Management IPv4 Address [none]: 172.16.240.210
- Each section of the wizard ends with: Enter [A]ccept, [C]hange, or [E]xit without saving [C]:

RUNNING SETUP
- Further prompts include "Would you restrict SMS access?"
- After the Setup, you are in the CLI; you may also connect to the CLI using SSH

LOCAL SECURITY MANAGER (LSM)
- Use https to access the LSM (https:// followed by the IPS management IP address)
- Supported browsers: IE v6+ and Firefox
- Browser checking can be disabled using the IPS command: conf t no server browser-check
- To login: use the username / password created during the initial setup
- LSM layout: Current User / Time, Session timeout (configurable), Home icon (returns to the System Summary page), Main Navigation

LSM SYSTEM SUMMARY
- Health Status (click links for specifics)
- Log Summary
  + IPS filter hits: Block & Alert log
  + Device Logs: System & Audit log
- Product Specifications

IPS SYSTEM LOG
- The System Log is accessible in multiple places:
  + CLI: show log system
  + LSM: Events > Logs > System Log
- The System Log contains Log ID, Log Entry Time, Security Level, Component, and Message
- Logs can be downloaded, searched and reset

IPS AUDIT LOG
- The Audit Log contains: Log ID, Log Entry Time, User, Access, IP Address, Interface, Component, Result and Action
- The Audit Log can only be reset and viewed by a user with super-user privileges

IPS ALERT AND BLOCK LOG
- Where to View Filter Events:
  + Alert Log: shows filters with Permit + Notify Action Sets
  + Block Log: shows filters with Block + Notify Action Sets
  + Packet Trace: filters with the packet trace option set (option for permits or blocks)
IPS PERFORMANCE AND PORT HEALTH
- Shows overall ingress traffic
- Shows ingress traffic by Segment / Port

MANAGING IPS USER ACCOUNTS
- User List: create up to 30 additional users; edit / delete users
- 3 Access Levels:
  + Super-user: all privileges, including the ability to create / edit users and view / reset the audit log
  + Administrator: can make configuration changes, can't view / reset the audit log
  + Operator: as administrator but view only

MANAGING IPS USER PREFERENCES
- General User Preferences
  + LSM inactivity timeout
  + LSM page refresh time
- Password Security Level: initially set during OBE, controls username / password format
- Password Expiration policy
- Failed login behavior (Force Users to Change Password)
- Note: It is possible to lock yourself out of the system due to excessive failed logins (alternative user / password recovery)

SMS CONFIGURATION

SMS FEATURE OVERVIEW
- Device Management
  + Multiple IPS device management
  + Device configuration and health monitoring
  + Centralized device package management (DV/TOS)
- Security Profile Management
  + Manage security profiles and distribution
- Events/Reporting
  + Centralized event collection and reporting
- Granular Access Control
  + Lock down user access to SMS resources
- Integration
  + SMS API
  + Syslog integration with SIM vendors
  + Quarantine integration
- High-Availability Cluster Option

SMS SETUP WIZARD
- SMS Setup
  + Similar to the IPS setup (except console settings: 9,600/8/N/1)
- Things to have ahead of time
  + Super-user name and password
  + Management IP, subnet mask and default gateway
  + DNS (for TMC access)
  + NTP servers and time zone
  + NMS IP address information (SNMP trap receiver)
  + SMTP server settings information, for email notifications and reports

SMS INITIAL LOGIN
- Connect a terminal cable and boot the SMS, then type "SuperUser" at the login prompt
- The banner reads: TippingPoint Technologies SMS (version 3.0.0.7063 (Patch 2))
- The default initial Username for the SMS is SuperUser

SMS LICENSE AND SETUP WIZARD
- Read and accept the SMS software license

SECURITY LEVEL, USERNAME AND PASSWORD
- Choose the Security Level and create your super user account name and password
- Prompt: Security level: [0]-Weak, [1]-Basic, [2]-Recommended? <0,1,2>: 2
- Prompt: Please enter a user name that we will use to create your superuser account. Spaces are not allowed.
- Prompt: Do you wish to accept [SuperUser]? : y

SMS IP CONFIGURATION
- Choose IPv4 or IPv6 or dual-stack
- Enter IP, Mask, Default Gateway & DNS
  + The default gateway is needed to communicate with other devices on the management network outside of the local subnet (example: Default IPv4 Gateway: 172.16.240.1)
  + The Domain Name Service (DNS) server is used to resolve hostnames; DNS is used to resolve the TMC address and may also be used to resolve IP addresses associated with filter events

SMS FINISHING THE WIZARD
- Continue through the wizard, then reboot
  + Management speed/duplex, host name, Timekeeping, Server Options (ping, ssh, http, etc.), SMTP, SNMP trap
- Closing message: "Thank you! The first step in the box setup is now complete. In order to finish the installation procedure, you must now download and install" the SMS client, which you download from the SMS via HTTPS
- You must reboot at the end of the setup wizard
  + Prompt: Reboot NOW: Are you sure?
<[Y],N>:

SMS WEB PAGE
- Provides a central location for frequently-used options
  + SMS Client Installation
  + Reports
  + Documentation
    - User Guide
    - CLI Guide
    - External Interface Guide
    - Event Taxonomy (Web Services API)
  + Exports and Archives
  + TMC link

SMS WEB PAGE - CLIENT DOWNLOAD
- Login to the SMS web interface and download the latest SMS client
  + https:// followed by the SMS management IP address

LOGGING IN USING THE SMS CLIENT
- The SMS client version must always match the SMS server version you are managing
  + You can install different SMS versions at the same time (select a different folder during the install process)
- The drop-down list shows previously selected SMS hosts
  + Can be turned off for security purposes
- Selecting More provides options to login to multiple concurrent SMS servers

DASHBOARD AND MAIN WINDOW

ADMIN > GENERAL
- Apply Patches
- SMS System / Audit Logs
- SMS System / Port Health
- Update SMS Software
- The SMS can manage up to 25 IPS devices with the default license

SERVER PROPERTIES > MANAGEMENT
- System Information
- Services
  + Ping is enabled by default
- Remote Syslog
  + Allows you to offload all SMS events to an external syslog server (typically an external SIM)
  + Can also offload SMS/device Audit & System logs

SERVER PROPERTIES > NETWORK SETTINGS
- Proxy Settings
- Date / Time Settings (changes require a reboot)
- SMTP Settings (for email alerts and emailing reports)
- DNS Settings (required for TMC access)

SERVER PROPERTIES > AUTHENTICATION
- Only one external authentication source is possible at the same time

SMS USER MANAGEMENT
- The user list shows all configured users
- Select New to add additional users
- Current Active Sessions

CREATING SMS USERS
- New Password / Confirm Password / Password Expires / User must change password upon next login
- Permissions are provided by the tabs of the New User dialog
- Super User
  + View audit log
  + Manage SMS system properties
  + Add IPS devices
  + Manage Segment Groups
  + Update or patch SMS software
  + Shutdown / reboot SMS
  + Create user accounts
- Administrator
  + Manage IPS devices (need permission)
  + Manage Policies (need permission)
  + Push DV / TOS
- Operator
  + As Administrator but view only

USER PERMISSIONS
- Users can be granted permissions to SMS resources (Profile, Device, Segment Groups) a few ways:
  + At user creation time, by a user with Super User privileges
  + Implicitly, by creation of an SMS resource

USER PERMISSIONS - EXAMPLE
- Doug can manage IPS #1 and IPS #2
- Bryan can edit the Core Policy and push to the Core Segment Group
- Freddy can edit the DMZ Policy and push to the DMZ Segment Group

            IPS #1   IPS #2   Core Policy   DMZ Policy   Core Segment Group   DMZ Segment Group
  Doug      x        x
  Bryan                       x                          x
  Freddy                                    x                                 x

MANAGING YOUR IPS DEVICES
- Devices tab: Add a new Device

ADDING A NEW DEVICE
- To add a New Device, you must specify:
  + Device IP address, username and password
  + Device Group (ease of management)
  + Whether you want to synchronize the device to the current SMS time
- Configuration options for Online Devices
  + Launch the device configuration dialog after adding
  + Clone an existing device

ALL DEVICES VIEW
- Information for all devices under SMS management, including TOS / DV version

SHELF LEVEL VIEW
- Select the Device node for the Shelf Level View

IPS BEHAVIOR UNDER SMS MANAGEMENT
- LSM behavior when an IPS is managed by an SMS
  + Displays the message "Device Under SMS Control" and most configuration items are disabled
  + Shows the IP Address and Serial Number of the SMS that is managing the IPS

REMOVING THE IPS FROM SMS MANAGEMENT
- To Disable Management
  + From the SMS: right click on the device and select Edit > Unmanage Device
  + From the LSM: System > Configuration > SMS/NMS, uncheck SMS Control
  + From the IPS CLI: conf t no sms

IPS BEHAVIOR WHEN RE-MANAGED BY SMS
- To Enable Management Again
  + From the SMS: right click on the device and select Edit > Manage Device (you will need to re-authenticate)
  + From the LSM: System > Configuration > SMS/NMS, re-check the "Enabled" check box
  + You may also issue the CLI command: conf t sms
- When an IPS is re-managed by an SMS
  + The SMS will update health status
  + The SMS discovers any configuration changes; IPS filter settings are not discovered (more on this later)
  + The SMS imports all IPS filter events that occurred whilst un-managed

SEGMENT GROUPS

SEGMENT GROUP CONCEPTS
- Segment Groups are logical groupings of IPS Segments that represent a similar policy enforcement point
- Directionality for segments allows a different policy to be applied between A>B versus B>A
- Examples of Segment Groups:
  + Perimeter (IPS segment between the Internet and users)
  + Core (between users and core servers)
  + Inbound Perimeter (Port B>A on Segment 1)
  + Outbound Perimeter (Port A>B on Segment 1)
- Used for Profile management
- Used for Events and Reporting

SEGMENT GROUPS - EXAMPLE
(Figure: Internet - Segment 1 - User Group A / User Group B - Segment 2 - Core Servers)
- 2 Segment Groups
  + Perimeter: between users and the Internet (segment 1)
  + Core: between users and core servers (segment 2)

SEGMENT GROUP MANAGEMENT
- There is a "Default" Segment Group on every SMS
  + The Default Segment Group can not be deleted
  + Newly managed device Segments are placed in the Default Group
- A segment may only be a member of one Segment Group
- New: creates a new Segment Group
- Details: view details for an existing Segment Group
- Edit Membership: move Segments into the Segment Group
- Delete: deletes the Group; its segments are moved back to the Default Group

SEGMENT GROUPS - NEW/EDIT
- Name the Segment Group
- Move segments to the right to add them to the current Segment Group, and to the left to remove them

EDITING PERMISSIONS
- In order for Operators and Administrators to be able to interact with a Segment Group, you must grant permissions to your users (Edit Permissions)

SMS EVENT VIEWER
- Define your event query in the query pane and see the results in the events table

USING QUERY PANES
- Use one or more criteria panes to build up the event search criteria
  + Filter Taxonomy criteria
  + Network, IPS / Segment criteria
  + Time criteria
- Use the "Reset" buttons to clear query parameters
- Additional panes exist for other search criteria

SAVED QUERIES
- Popular search queries can be saved
  + Select the saved query, then hit Refresh to get the latest data

RIGHT CLICK OPTIONS
- Right Click on an Event or Multiple Events
  + Copy, Export, View Packet Trace
  + View Event Details
  + Edit Filter / Filter Exception
  + Add comment to event (searchable)
  + DNS, whois or ThreatLinQ lookup
  + Add IP Reputation entry (more later)
  + Create SMS Response (more later)
  + Create Named Resource

EVENT DETAILS
- Event
  + Event number, hit count
  + Severity, custom comment
- Segment / Device
  + IPS Device
  + Segment (direction)
- Network
  + Source / Destination Address
  + Source / Destination Port
  + Whois / DNS lookup option
- Filter Information
  + Name, Number, Classification, Category, Profile, Taxonomy
  + CVE / Bugtraq ID
  + Description
- Copy Details to Clipboard
- Edit Filter

VIEW PACKET TRACE
- Download traces from the IPS
- Packet Trace Viewer

VIEW TRACES
- When using the View Packet Trace function for the first time, a configuration screen is triggered
(Figure: Event Viewer listing with filter hits; the individual entries are not legible in the source)
SMS NAMED RESOURCES
- Named objects used for configuration and events
- Objects include: IP / CIDR, VLAN ID, email addresses
- Configured under the Admin tab; IP / CIDR entries can also be added by right clicking on an event
- The Event Viewer then shows IP / CIDR named resources in place of the raw addresses

CONFIGURING NAMED RESOURCES
- If you want Named Resources to show up in the event viewer:
  + Edit > Preferences > Events
  + Check "Enable Named Resources lookup for Events table"

ADVANCED IPS MANAGEMENT

DEVICE SUMMARY AND CONFIGURATION

DEVICES CONFIGURATION DIALOG
- All IPS settings
- Reboot, Shutdown or Reset Filters (resets the IPS policy to factory defaults)
- Launch Browser to LSM or SSH (e.g. PuTTY, TeraTerm, etc.)

MULTI DEVICE EDIT
- Apply configuration settings to multiple devices
- Available for:
  + Services: SSH, Telnet, HTTP(S), Encrypted Alert Channel, Device Retrieval Service
  + AFC Settings: AFC Mode, AFC Event Severity, Logging Mode
  + NMS: Community String, NMS Trap Destinations
  + Remote Syslog: System Log, Audit Log, Remote Syslog Server
  + Servers: DNS, Email
  + Time: Manual, SNTP, Time Zone, Daylight
  + TSE: TCP Timeout, Asymmetric, Quarantine

STARTING MULTI EDIT
- Select multiple devices and start editing as you are used to doing

DEVICES BEING MODIFIED
- An overview of the devices involved in this edit shows up first

DEVICES WITH DIFFERENT CONFIGURATIONS
- When the selected devices have different configurations for a parameter, you will see a warning before editing

DEVICE CONFIGURATION - MEMBER SUMMARY
- View Health, Configuration Summary & Device status

IPS NETWORK CONFIGURATION OVERVIEW
- Network Port: physical Ethernet interface
  + Configure auto-negotiation, speed and duplex
  + Manage the Network Port: enable / disable, restart
  + Bound to a specific physical Segment
- Physical Segment: pair of Network Ports
  + Configure name, Layer-2 Fallback setting and Link Down Synchronization setting

IPS SEGMENT SETTINGS
- Segment Name
  + Used in Events and Reporting
- Intrinsic HA (Layer 2 Fallback)
  + Specifies whether this Segment will Block or Permit traffic when the device is in Layer 2 Fallback
- Link Down Synchronization
  + Controls the behavior of the Segment's physical Ports when one goes down
  + Hub: if Port A goes down, do not take down Port B
  + Breaker: if Port A goes down, take down Port B and disable it
  + Wire: if Port A goes down, take down Port B; if Port A comes back up, bring up Port B

PORTS SETTINGS
- Force Speed / Duplex
- Disable unused ports
- Restart port (links down/up)

INTRINSIC HA / LAYER 2 FALLBACK (L2FB)
- Failover mode for the IPS device, which disables all inspection
- L2FB can be triggered by the user or automatically by the IPS due to current conditions
  + Manual, for example during a TOS Update or during a DV Update
  + Automatic, on System Failure / Issue

INTRINSIC HA
- Each Segment has a setting for Block/Permit
- Intrinsic HA (L2FB) is a global setting to the device
- Each segment will behave as configured

LAYER 2 FALLBACK (L2FB) - BLOCK EXAMPLE
- Network resiliency is provided using some form of switch / routing protocol to select the most suitable path
  + Spanning Tree, RIP, OSPF, VRRP, etc.
- If the primary path fails (detected by loss of update packets), then the network will transition to the secondary path
- In this type of deployment, consider blocking traffic in L2FB
  + This will cause the network to transition to the secondary path, but traffic will still be inspected
- Scenario: IPS 1 enters Layer-2 Fallback with its segments configured to block traffic in L2FB; the network transitions and traffic continues to pass and be inspected by IPS 2
- Consider configuring IPS 2 to permit traffic in L2FB in case both IPSs fall back simultaneously

LINK DOWN SYNCHRONIZATION
- Determines what to do with a segment Ethernet port if the link fails on its partner port
  + Hub: do nothing; when the link drops, the partner port remains active
  + Wire: drop the partner link until the original is restored
  + Breaker: drop and disable the partner until the port is manually restarted
- Configurable "wait time" for Wire and Breaker modes
  + Avoids a possible network "flap"
- Example: assume the Access switch transitions to the secondary path on detection of link failure. With the default Hub mode, a link failure on port 1A would not cause the transition; if Wire mode is selected, then 1B would also drop, causing the switch to transition

ZERO POWER HIGH AVAILABILITY (ZPHA)
- Smart ZPHA removable module
  + Used for 10Gig Segments on the Core Controller and 5100N/2500N
  + Plugs directly into the device
- Internal ZPHA
  + Some IPS models (copper only) have built-in ZPHA capability
  + TippingPoint 10, TippingPoint 110 / 330
- ZPHA Chassis (shown below)
  + Modular based, accommodating up to 5 modules (copper or fiber)
  + Connects to the IPS using a USB cable (for 5V power only)
(Figure: ZPHA chassis with USB port, modules (copper or fiber, four ports each) and an unused slot)

ZPHA OPERATION
- When the ZPHA has power
  + Traffic flows through the IPS
- When the ZPHA does not have power
  + Traffic bypasses the IPS
- During reboots and TOS updates
  + The IPS will drop power to the ZPHA during update / reboot, unless the IPS supports hitless update / reboot mode
(Figure: USB connection from the IPS to the ZPHA for power; the path through the IPS is connected only while the ZPHA is powered)

CABLING CONSIDERATIONS
(Figure: Device A - ZPHA - Device B, with Net A, A, B and Net B ports)
- When the ZPHA has power and traffic is shunted to the IPS, Auto-MDI will handle any cabling issues
- When the ZPHA is in by-pass mode, ensure the path from Device A to Device B (orange lines in the figure) has the proper cabling (straight-through vs. crossover)
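The three Link Down Synchronization modes and their wait time, modelled as an added Python example written for this page (not HP TippingPoint code): the port names 1A/1B, the timeline and the wait-time value are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class SyncMode(Enum):
    """Link Down Synchronization modes available per IPS segment."""
    HUB = "hub"          # do nothing; the partner port stays active
    WIRE = "wire"        # drop the partner until the failed link is restored
    BREAKER = "breaker"  # drop and disable the partner until manually restarted


@dataclass
class Port:
    name: str
    link_up: bool = True       # link state as reported by the attached switch
    enabled: bool = True       # administrative state (Breaker clears this)
    synced_down: bool = False  # forced down by synchronization

    def forwarding(self) -> bool:
        return self.link_up and self.enabled and not self.synced_down


@dataclass
class Segment:
    mode: SyncMode
    wait_time: int = 0  # seconds a link must stay down before the partner is dropped
    port_a: Port = field(default_factory=lambda: Port("1A"))
    port_b: Port = field(default_factory=lambda: Port("1B"))
    _down_since: dict = field(default_factory=dict)  # port name -> time link failed

    def _port(self, name: str) -> Port:
        return self.port_a if name == self.port_a.name else self.port_b

    def _partner(self, port: Port) -> Port:
        return self.port_b if port is self.port_a else self.port_a

    def link_change(self, name: str, up: bool, now: int) -> None:
        """Record a link up/down event reported by the attached device at time `now`."""
        port = self._port(name)
        port.link_up = up
        if not up:
            self._down_since.setdefault(name, now)
        else:
            self._down_since.pop(name, None)
            if self.mode is SyncMode.WIRE:
                # Wire: the partner comes back as soon as the original link is restored
                self._partner(port).synced_down = False
            # Breaker: the partner stays down and disabled until restart_port()
        self.tick(now)

    def tick(self, now: int) -> None:
        """Apply synchronization to links that have been down for at least wait_time."""
        if self.mode is SyncMode.HUB:
            return
        for name, since in self._down_since.items():
            if now - since < self.wait_time:
                continue  # still inside the wait window: a brief flap is ignored
            partner = self._partner(self._port(name))
            partner.synced_down = True
            if self.mode is SyncMode.BREAKER:
                partner.enabled = False

    def restart_port(self, name: str) -> None:
        """Manual port restart, the only way back from a Breaker-mode disable."""
        port = self._port(name)
        port.enabled = True
        port.synced_down = False

    def state(self) -> dict:
        return {p.name: p.forwarding() for p in (self.port_a, self.port_b)}


def demo(mode: SyncMode, wait_time: int = 2) -> list:
    """Constructed timeline: 1A fails at t=0 and recovers at t=10.
    Returns (time, {port: forwarding}) snapshots."""
    seg = Segment(mode, wait_time)
    out = []
    seg.link_change("1A", up=False, now=0)
    out.append((0, seg.state()))
    seg.tick(1)
    out.append((1, seg.state()))
    seg.tick(2)
    out.append((2, seg.state()))
    seg.link_change("1A", up=True, now=10)
    out.append((10, seg.state()))
    return out


if __name__ == "__main__":
    for mode in SyncMode:
        print(mode.value, demo(mode))
```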
- To negate MDI/MDI-X or wiring issues, best practice is to deploy while the IPS is powered off and ensure you have link

TIPPINGPOINT OPERATING SYSTEM (TOS)
- TOS images may be imported into the SMS or downloaded directly from TMC by the SMS
- Updating the TOS is an important procedure because it involves a reboot of the IPS device(s)
- On E-series and S-Series hardware models, the reboot process is hitless, and the device will honor the Intrinsic HA/L2FB setting for each segment during the code update
- On Software models (10, 110 & 330) and legacy IPS devices, the update is not hitless, but the impact can be mitigated with a ZPHA (built in on the 10, 110 & 330)

DEVICES > UPDATING THE TIPPINGPOINT OS
- TOS Inventory
  + Distributed to a single or multiple IPS devices (may use Device Groups)
  + The Devices column shows how many devices are running a given TOS version
- Distribution Progress
  + View details for past or current TOS distributions
  + Stop a current distribution
  + Clear old distributions
- Import from the local file system
- Download from TMC
  + Choose the version and select "Download"
  + All versions for all device types are downloaded
- Distribution
  + Specific device group(s)
  + All devices

DIGITAL VACCINE

DIGITAL VACCINE OVERVIEW
- The Digital Vaccine is a container holding thousands of Filters
  + Filters are organized into 12 categories (for ease of management)
  + Each individual Filter contains
    - Meta Information: Name, Description
    - Recommended setting (default policy)
    - Matching criteria (trigger & threat verification)
- Digital Vaccines are read-only (you don't configure the DV)
- Only a single Digital Vaccine can be installed on an IPS at any given time
  + This is in addition to a custom DV, auxiliary DV or Rep DV which supplements the main primary DV
- Only a single Digital Vaccine can be Active on the SMS at a given time
  + The SMS can have multiple DVs in its inventory, but policy changes can only be applied to the filters contained within the Active DV

IPS PROFILES OVERVIEW
- An IPS Profile is a collection of Filter policy settings which determines whether a Filter is enabled or disabled, along with Notification and other options
  + IPS Profiles are distributed to Segments
  + You can have multiple profiles with different policies: Core vs Perimeter vs DMZ vs Voice
  + Each profile may have different filters enabled as required for that network location (Segment)
- By default all Filters are controlled by their Category Setting, and each Category is set to Recommended
- Filters can be controlled by Category
  + For example, setting the Spyware category to Block / Notify will enable all current and new spyware filters to Block / Notify
- Filters can also be overridden from their Category Setting
  + Allows control of each individual filter where the Category would be too broad
  + For example, enabling ICMP Echo Request to Permit / Notify
- You don't configure the Digital Vaccine, you control the Profile which accompanies it

DIGITAL VACCINE + IPS PROFILE RELATIONSHIP
(Figure: DV filters such as ICMP: Echo Request (detects ping), HTTP: Code Red, an MSRPC filter and Spyware: WeatherBug download, each with a recommended setting, alongside an IPS Profile with per-filter entries such as filter 1164 enabled Permit + Notify with no packet trace and no exceptions, and filter 5798 enabled Block + Notify with packet trace; the Spyware category is set to Block / Notify)
DIGITAL VACCINE INVENTORY
- Current Active DV
- DV Inventory: shows the Active DV and the list of other available DVs
- DV Distribution Progress: details DV distribution progress and history

DV IMPORT AND DOWNLOAD FROM TMC
- DVs can be imported from disk, or downloaded directly from TMC
- Distribute: distributes and installs the selected DV to one or more IPS devices, which impacts inspection and possibly network / IPS performance
- Activate: only impacts the SMS (no change is made to the inline IPS devices). The SMS can only edit filter policy from filters contained within the Active DV
- DVs can optionally be Activated and Distributed as part of the download procedure

DV DISTRIBUTION
- Select which IPS devices to distribute the DV to
- Select Priority. Note: High Priority could cause IPS performance issues
- Distribution status

PROFILE MANAGEMENT

SECURITY POLICY CUSTOMIZATION
- Even with a default security profile, customization is often required for different Segments or directions
  + Core vs Perimeter vs DMZ
  + Internet Inbound vs Internet Outbound
- Filter customization examples
  + Expanded threats
    - Spyware, non-common OS / Application vulnerabilities or exploits
  + Access Policy / Bandwidth Management
    - Instant Messenger, Peer-to-Peer, Streaming Media, etc.
  + Unique traffic mix or network
    - VoIP, SCADA, etc.
  + Customized filtering
    - Advanced DDoS, Traffic Management Filters, IP Reputation, Thresholding

SMS PROFILES TAB
- Profiles Tab > IPS Profiles

IPS PROFILES SUMMARY
- You can create multiple profiles
- The default settings for a profile reflect the Digital Vaccine recommended settings, where about 1/3 of all filters are set to Block
- Notice that every profile contains:
  + Profile Overview
  + Profile Settings
  + Filters by Category
  + Traffic Management
  + Filter Search
- You may edit filters by
  + Category
  + Individually

NEW IPS PROFILES
- Create a new IPS Profile for each Segment Group
  + Perimeter Profile for the Perimeter Segment Group
  + Core Profile for the Core Segment Group
  + It is good practice to name the IPS Profile similarly to the Segment Group to which it will be distributed (helping to avoid distributing the wrong profile to the wrong group)
- When creating new IPS Profiles
  + Provide a name and Description (optional)
  + Once the Profile is created you can optionally assign user permissions
    - To assign user permissions: File > Permissions, or right-click on a Profile

DEPLOYMENT MODE
- Digital Vaccines contain deployment settings for filters that address specific types of deployments.
- When you create a new profile, you can use the default deployment mode or choose from a list of recommended deployment modes.
- (Create New Profile dialog: Name, Deployment Mode drop-down with choices such as Default, Edge, Core and Perimeter, Description, Inheritance)

INHERITANCE
- Profiles can be set up with a hierarchy, and profile attributes can be inherited.
- Profiles with inherited settings CANNOT be edited if the main profile is locked.
- For each profile in the hierarchy, the following items can be inherited from the profile in the next level up:
  + Application and Infrastructure Restrictions/Exceptions
  + Filters from the DV, Auxiliary DV and Custom Packages
  + Performance Protection Restrictions
  + Reputation Exceptions
  + Category Settings

DISTRIBUTION OF PROFILES
- Once you are finished editing a Profile, you need to Distribute it to a Segment or Segment Group for it to take effect
  + Anywhere you see the Distribute button, you may select it to distribute the profile
- Select the Profile, then Distribute

SELECT DESTINATIONS FOR PROFILE DISTRIBUTION
- You can select whether to Distribute the Profile to a Segment Group, a single Segment or a Device
- Generally you would distribute to a Segment Group
- Be careful to select the appropriate Priority, as this may impact your network

IMPORT / EXPORT
- Easily propagate security policy from one SMS to another
  + Exporting and importing Profiles directly from another SMS

ADVANCED PROFILE MANAGEMENT

ADVANCED PROFILE MANAGEMENT TOPICS
- Action Sets
- Policy by direction
  + For example Internet in-bound versus out-bound
- Profile versioning, rollback and audit
  + Profile snapshots (Distribution and user)
  + Importing / Exporting Profiles
- Management of multiple Profiles
  + For example changing the same filter across multiple Profiles
  + Comparing Profile differences
  + Searching across multiple Profiles
  + Determining what Profile is running on which Segment

ACTION SETS

DEFAULT ACTION SETS
- Block
- Block + Notify
- Block + Notify + Trace
- Permit + Notify
- Permit + Notify + Trace
- Trust
- Recommended
- Custom Action Sets are needed for:
  + Rate-limiting
  + Other notification types (i.e. snmp_trap, email, syslog)
  + Other packet tracing needs (i.e. only grab the header)
  + Additional options (i.e. IPS Quarantine, TCP reset)
- Action Sets are shared across all Profiles
  + IPS Profiles > Shared Settings
- Other Shared Settings include:
  + Notification Contacts (more later)
  + IPS Services
- Note: If you edit an existing Shared Setting, you must redistribute any Profile which uses it

SPECIFY FLOW CONTROL
- Action Set Name: best practice is to use something descriptive
- Specify Flow Control: determines what to do with the traffic once a Filter matches, i.e. block, permit or rate-limit
- More on the Quarantine and Trust flow control options later

CONFIGURING NOTIFICATIONS
- Management Console: sends the event to SMS; the event is also saved on the IPS (alert log if permit, or block log if a blocking action)
- Remote Syslog: causes the IPS to send a syslog notification to the specified syslog server. Best practice is to have SMS relay any syslog events to a 3rd party logging system
- Email / SNMP Traps: you can also have the IPS generate emails or SNMP traps

CONFIGURING PACKET TRACE
- Packet Trace: you can optionally instruct the IPS to take a packet trace of the flow which caused the Filter to fire, but use sparingly
- Level: specifies how many bytes to capture
- Priority: storage retention priority for the packet trace

NEW ACTION SETS
- Once created, new Action Sets are available for controlling Category settings and Filter Overrides
- Note: If an Action Set calls for the IPS to generate a syslog message, then you must define a remote syslog server under Device Configuration
  + From the Devices Tab, right-click the device ... Edit > Device Configuration

POLICY BY DIRECTION

POLICY BY DIRECTION OVERVIEW
- Each physical IPS segment is actually defined as two virtual Segments to account for directionality: A>B and B>A
  + The Profile distributed to the A>B Segment can be different from the one distributed to the B>A Segment
- For example, if Segment 1 is your Perimeter and you wanted to support policy by direction:
  + Determine how it is physically wired
    - You would first need to determine how the Segment is physically wired, and whether A>B is out-bound or in-bound
  + Create two Segment Groups
    - It is best practice to create two Segment Groups, say "Perimeter In-bound" and "Perimeter Out-bound", and add the appropriate segments
  + Create two IPS Profiles
    - You would then create two IPS Profiles, "Perimeter In-bound" and "Perimeter Out-bound"
  + You would edit the Filters in the In-bound and Out-bound Profiles accordingly
  + Distribute the Perimeter In-bound Profile to the Perimeter In-bound Segment Group
    - And the same for Perimeter Out-bound

SEGMENT GROUPS
- Name: "Perimeter Inbound"
- Add the appropriate Segments to the group; in this case B>A is inbound

PROFILES
- Create a Perimeter Inbound and a Perimeter Outbound Profile
  + Edit Filters accordingly
- Then Distribute the two Profiles to the appropriate Segment Groups

DISTRIBUTE PROFILES TO SEGMENTS
- Distribute the Perimeter-Inbound Profile to the Perimeter-Inbound Segment
- Distribute the Perimeter-Outbound Profile to the Perimeter-Outbound Segment

MANAGEMENT OF MULTIPLE PROFILES

PROFILE COMPARE
- At times you may wish to see the differences between two or more Profiles and determine which Filters are configured differently
  + For example between Perimeter Inbound and Perimeter Outbound
- Profile Compare
  + Allows you to compare two or more Profiles and see the deltas between them

PROFILE COMPARE DETAILS
- View just the differences
- Edit a Filter directly from this screen

PROFILE IMPORT / EXPORT
- Profiles may be Imported and Exported to / from the SMS to an external storage medium
  + Useful for importing into another SMS
  + Persistent backup for old unused Profiles
- Imported Profiles can be merged into an existing Profile
  + Either preserving or replacing existing settings

GLOBAL SEARCH (ACROSS MULTIPLE PROFILES)
- Search across all Profiles and edit the same filter(s) in multiple Profiles

PROFILE VERSIONING, ROLLBACK AND AUDIT

PROFILE SNAPSHOTS
- When distributing a Profile to your device, you get a snapshot of your profile called a Distribution Snapshot
  + This is a restore point, allowing you to roll back to this point at a later time
  + To roll back, simply Activate / Distribute the required version
  + A User Snapshot may be created as well
  + The Profile Versions Tab allows you to manage snapshot versions

PROFILE VERSIONS
- The major number increases at each distribution (if a change has been made)
- The minor number increases for each individual filter or category change
- The version history records which Filter changed

WHICH PROFILES ARE APPLIED WHERE?
- Profile Distribution History
  + Profiles > ... > Profile Distribution Details
- Device Network Configuration
  + Devices > ... > Network Configuration > Physical Segments
- Segment Group Details
  + Devices > Segment Groups > ...
- If you unmanage / remanage an IPS, the SMS will lose this information, as it does not know if the profile was changed

NON-DV FILTERS

DV FILTERS VS NON-DV FILTERS
- DV Filters
  + Filters which perform flow-based inspection against all parts of the traffic
    - Including packet header and flow payload
  + Filters are updated on a regular basis with a new DV
- Non-DV Filters
  + Filters which statistically analyze flows or inspect at the IP header
  + Examples include
    - Traffic Management Filters
    - Advanced DDoS

TRAFFIC MANAGEMENT FILTERS OVERVIEW
- Traffic Management Filters inspect at the IP header level
  + Source / Destination IP address
  + Source / Destination TCP / UDP port
- Configured within the applicable Profile
- Once matched, traffic can be:
  + Blocked (silently, no notifications)
  + Allowed (traffic will be inspected against the DV)
  + Rate-limited (traffic will be inspected against the DV)
  + Trusted (no further inspection occurs)
- Traffic Management Filters obey Precedence
  + Filters can be ordered and are evaluated in sequence
  + Allow rules can be used in conjunction with Block to open holes for IPs within a larger network, for example:
    1. Allow 172.16.240.10/32
    2. Block 172.16.240.0/24

CREATE TRAFFIC MANAGEMENT FILTER
- Name / Comment (optional)
- Action: Block / Allow / Trust / Rate Limit
  + Note: you need to create Rate Limit Action Sets first
- Direction to apply this filter: A>B, B>A or Both
- Traffic Definition
  + Protocol (IP, TCP, UDP, ICMP)
  + Trust / Block IP fragments
  + SRC/DST IP (can use named resources)

ADVANCED DDOS OVERVIEW
- Provides protection for your publicly available servers
  + Typically your DMZ
- Advanced DDoS capabilities differ by IPS platform
  + SYN Flood Protection
    - N-Platform (v3.1 onward)
    - S-Series
    - 110/330
  + Connection Flood and Established Connections/Second Attack
    - E-Series platforms only
- The IPS must be deployed in a symmetric network for ADDoS to function
  + The IPS needs to inspect the full 3-way TCP handshake
  + Must also disable the Asymmetric mode TSE setting

BACKGROUND: SYN FLOOD ATTACKS
- Normal 3-way TCP handshake (CLIENT and SERVER): Connection Request (SYN), Request Acknowledged (SYN+ACK), Connection Complete (ACK)
- SYN Flood Attack (ATTACKER and SERVER)
  + Attacker sends many spoofed TCP SYN packets (Connection Requests from spoofed IPs)
  + The server answers SYN+ACK but never receives the ACK
  + The connection table fills up quickly
  + New requests are ignored

BACKGROUND: SYN PROXY
- SYN Proxy
  + The IPS mediates the session establishment via SYN Proxy: it completes the three-way handshake (SYN, SYN+ACK, ACK) with the CLIENT before the SERVER sees the connection
  + The server only handles legitimate connections

ASYMMETRIC MODE
- Right-click the device and Edit configuration
- TSE Settings
- Under Asymmetric Network, uncheck Enabled

CREATE ADVANCED DDOS FILTER
- Create New ADDoS Filter: Profiles > Infrastructure Protection > Advanced DDoS
- Action
- Direction
- Protected destinations

PLATFORM SPECIFIC
- E-Series Configuration
  + Notification Threshold: the IPS will only generate an event when rejected SYNs rise above this rate (note: protection is immediate)
  + 600E/1200E/2400E/5000E Settings: this screen lets you configure DDoS for the E-Series models
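The Traffic Management Filter precedence rule above (ordered evaluation, first match wins, an Allow for one host above a Block for its whole subnet) as an added example; this is not TippingPoint code, and the `TMFilter`/`Packet` classes and the function names are this example's own, with fields mirroring the Create Traffic Management Filter dialog.

```python
"""Ordered Traffic Management (TM) filter evaluation.

Added example, not TippingPoint code: it models the precedence rule from the
slides (filters are evaluated in sequence, first match wins) and the fields of
the Create Traffic Management Filter dialog (action, direction, protocol,
source/destination IP). Class and function names are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Flow-control actions offered by the dialog, and what the slides say happens next.
NEXT_STAGE = {
    "block": "dropped silently (no notification)",
    "allow": "inspected against the DV",
    "rate_limit": "rate-limited, then inspected against the DV",
    "trust": "no further inspection",
}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str        # "tcp", "udp" or "icmp"
    direction: str       # "A>B" or "B>A" (the two virtual segments)


@dataclass
class TMFilter:
    name: str
    action: str                  # key of NEXT_STAGE
    direction: str = "both"      # "A>B", "B>A" or "both"
    protocol: str = "ip"         # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"       # CIDR; a /32 pins a single host
    dst: str = "0.0.0.0/0"
    src_net: object = field(init=False, repr=False)
    dst_net: object = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if self.action not in NEXT_STAGE:
            raise ValueError(f"unknown action {self.action!r}")
        self.src_net = ip_network(self.src)
        self.dst_net = ip_network(self.dst)

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        return (ip_address(pkt.src) in self.src_net
                and ip_address(pkt.dst) in self.dst_net)


def evaluate(filters: List[TMFilter], pkt: Packet) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, filter_name) of the FIRST filter that matches, in list
    order. (None, None) means no TM filter matched, so the flow simply goes on
    to DV inspection."""
    for f in filters:
        if f.matches(pkt):
            return f.action, f.name
    return None, None


# The slide's own example: open a hole for one host inside a blocked /24.
# The ordering is what makes it work (see swapped_order_demo).
PERIMETER_TM_FILTERS = [
    TMFilter("Allow mgmt host", "allow", src="172.16.240.10/32"),
    TMFilter("Block lab subnet", "block", src="172.16.240.0/24"),
]


def decide(pkt: Packet, filters: List[TMFilter] = PERIMETER_TM_FILTERS) -> str:
    action, name = evaluate(filters, pkt)
    if action is None:
        return "no TM match: inspected against the DV"
    return f"{name}: {NEXT_STAGE[action]}"


def swapped_order_demo(pkt: Packet) -> Optional[str]:
    """Same two filters with the Block listed first: the /32 Allow is never
    reached for 172.16.240.10, the misconfiguration precedence ordering avoids."""
    return evaluate(list(reversed(PERIMETER_TM_FILTERS)), pkt)[0]


if __name__ == "__main__":
    for p in (Packet("172.16.240.10", "10.1.1.5", "tcp", "A>B"),
              Packet("172.16.240.77", "10.1.1.5", "tcp", "A>B"),
              Packet("192.0.2.9", "10.1.1.5", "udp", "B>A")):
        print(p.src, "->", decide(p))
```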
- S-Series Configuration
  + Enable SYN-Proxy: on the S-Series it is enabled here; on the E-Series it is done under the Devices Tab
  + SYN Proxy parameters: Threshold in SYNs per second (Range 1 - 10000)

REPORTING FOR ADDOS
- SMS Reports: Advanced DDoS report
  + Note: slight delay in SMS report data gathering
- LSM Reports: DDoS report
  + Note: useful for real-time reports

HIGH-LEVEL ARCHITECTURE

THREAT SUPPRESSION ENGINE (TSE)
- The HP TippingPoint TSE is flow based; a flow is defined by the following:
  + Source / Destination IP address
  + Source / Destination Port
  + IP Protocol
- The TSE inspection engine performs the easiest tasks first
  + For example, Traffic Management Filters are easier than DV inspection filters, so TM filters are evaluated first
- Flows must be complete and in sequence prior to inspection
  + IP refragmentation
  + TCP resequencing
  + DV inspection can then occur on the refragmented / resequenced flow
- Let's examine the art of filter writing, using the Microsoft RPC DCOM buffer overflow vulnerability as our example:
  + Referenced in Microsoft security bulletin MS03-026
  + Exploited by both the Blaster and Nachi worms, to name a few

MICROSOFT RPC DCOM OVERFLOW VULNERABILITY
- Packets from the client to the server:
  + Pkt 1: TCP session to server port 135/tcp
  + Pkt 2: BIND to the interface ISystemActivator (000001a0-0000-0000-c000-000000000046), one of the interfaces available
  + Pkt 3: REQUEST to function call Opnum 4, with the parameter \\server\file
- Function call 4 contains a heap-based buffer overflow in the server parameter

VULNERABILITY-SPECIFIC FILTERS
- In EVERY attack, the following must be true to exploit the buffer overflow
  + A TCP session is established to the appropriate port (135)
  + The BIND is to the appropriate RPC interface
  + The REQUEST is to the appropriate function call (opnum=4)
  + The SERVERNAME parameter must be longer than 44 characters
- This guarantees no false positives and no false negatives
  + \\server\filename becomes \\...44+ character buffer...\filename
- Cons: requires a powerful and fast filtering engine

EXPLOIT-SPECIFIC FILTERS
- An exploit-specific filter detects the shellcode used in a particular exploit, which could lead to false positives / negatives
  + Example: the following hex string can be used to detect the MS Blaster worm: EB 19 5E 31 C9 81 E9 89 FF FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32
  + \\server\filename becomes \\...long buffer with shellcode...\filename
- Pros: simple string match, easy to implement, suitable for weak engines

HP TIPPINGPOINT ARCHITECTURE
- (diagram) TRIGGER > VERIFICATION > POLICY > NOTIFICATION ENGINE
  + The DV feeds the trigger and verification stages; the Profile (from SMS / LSM) feeds the policy stage
  + A FILTER MATCH results in the configured action (e.g. DROP) and notifications to SMS/LSM, syslog, trap or email

ARCHITECTURE: BLOCK / RATE-LIMIT STREAMS
- When the IPS blocks a flow, it will block all packets which share the same 5-tuple
  + Source / Destination IP address
  + Source / Destination Port
  + IP Protocol
- This has significant performance gains, as the IPS no longer needs to inspect the packets belonging to a Blocked flow
  + Blocked streams remain for 30 minutes by default
  + Changing a filter set to Block to something else (Permit or disabled) will not clear a blocked stream
    - You may have to manually clear out a blocked stream
- The same principle applies if the DV filter has an Action Set of Rate-Limit

VIEWING BLOCKED STREAMS (SMS)
- IPS > Events
- Flush selected or All streams

CONFIGURE CONNECTION TABLE TIMEOUT (SMS)
- Configure TCP Timeout
- A timeout can be set for blocked / rate-limited streams
- Default is 30 minutes

IPS QUARANTINE

IPS QUARANTINE OVERVIEW
- Quarantine can be used to prevent an infected machine from accessing the network
  + It can optionally be used to inform the host's user that something is wrong
- When a host is Quarantined the IPS can:
  + Block, intercept or redirect HTTP traffic
  + Block all other non-HTTP traffic from that host
    - Not just the 5-tuple flow of a regular Filter block or block/notify
- Quarantine behaves slightly differently between platforms
  + N-Platform devices support:
    - Block + Quarantine (quarantine immediately)
    - Permit + Quarantine (can specify a threshold before quarantining)
      + Example: Quarantine after 5 hits in 2 minutes (ideal for failed login attempts)
  + Non N-Platform devices (10, 110, 330, 600E-5000E)
    - Only Block + Quarantine
    - Thresholding can be achieved by leveraging SMS Responder

IPS QUARANTINE OVERVIEW
- (diagram) 1. A Filter blocks the worm; the infected PC is quarantined; when its user browses, the worm's attempts are blocked
- Quarantine can be used to prevent an infected machine from spreading worms
  + Can also be used to inform the user that something is wrong

IPS QUARANTINE CONFIGURATION
- Name
- Flow control: Quarantine
- IPS Quarantine is configured as a Filter Action Set
  + Profiles > Shared Settings

IPS QUARANTINE CONFIGURATION
- Configure the required Notifications
  + All Notification types are possible, along with Packet Traces

IPS QUARANTINE CONFIGURATION
- Threshold: hit count and period, and what to do with the traffic until the threshold is reached
- Web Requests: Block / Redirect (to your own server) / Display quarantine web page (the IPS displays a block page)
  + Note: only the N-Platform supports Permit; all other devices only support Block
- Choose what to do with other traffic
- Configure the Threshold and what to do with web requests and all other traffic

IPS QUARANTINE CONFIGURATION
- Restrictions / Exceptions: which IP CIDRs can or cannot be quarantined. The Filter will still match; this setting determines whether to quarantine the host
- Quarantined Access: list of CIDRs which a quarantined host can access, for example remediation servers

IPS QUARANTINE
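The vulnerability-specific versus exploit-specific filter comparison above, carried into code as an added example (not TippingPoint's TSE or DV code): a per-flow state machine that fires only when every MS03-026 condition holds in sequence, beside a plain string match on the slide's Blaster hex string. Packets are assumed to arrive already decoded into a small record; the `RpcPdu` class, flow keys, state names and sample flows are this example's own constructions.

```python
"""Vulnerability-specific vs exploit-specific filtering for the MS03-026
RPC DCOM overflow. Added example, not TippingPoint's TSE or DV code.

Packets arrive already decoded into a small record (port, PDU type, interface
UUID, opnum, stub data) so the example stays short; real DCE/RPC parsing is
deliberately left out. Flow keys, states and function names are this
example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISYSTEMACTIVATOR = "000001a0-0000-0000-c000-000000000046"  # interface from the slide
RPC_PORT = 135
VULN_OPNUM = 4
MAX_SAFE_SERVER_LEN = 44   # slide: server name must be longer than 44 characters

# The hex string the slide gives for detecting the MS Blaster worm.
BLASTER_SIGNATURE = bytes.fromhex(
    "EB195E31C981E989FFFFFF813680BF329481EEFCFFFFFFE2F2EB05E8E2FFFFFF"
    "0353061F7457759580BFBB927F895A1ACEB1DE7CE1BE32")

Flow = Tuple[str, int, str, int]   # src ip, src port, dst ip, dst port


@dataclass
class RpcPdu:
    """One client-to-server packet, already decoded (a simplification)."""
    flow: Flow
    kind: str                         # "connect", "bind" or "request"
    interface: Optional[str] = None   # bind only
    opnum: Optional[int] = None       # request only
    stub: bytes = b""                 # request only: the call parameters


def server_name_length(stub: bytes) -> int:
    """Length of the server part of a UNC-style parameter that starts with two
    backslashes; 0 when the stub is not in that form."""
    if not stub.startswith(b"\\\\"):
        return 0
    rest = stub[2:]
    end = rest.find(b"\\")
    return len(rest) if end < 0 else end


class VulnerabilitySpecificFilter:
    """Walks each flow through the conditions the slide lists and fires only
    when all hold, in order: TCP session to port 135, BIND to ISystemActivator,
    REQUEST with opnum 4, server name longer than 44 characters."""

    def __init__(self) -> None:
        self.state: Dict[Flow, str] = {}     # flow -> "session" or "bound"

    def inspect(self, pdu: RpcPdu) -> bool:
        if pdu.flow[3] != RPC_PORT:
            return False
        st = self.state.get(pdu.flow)
        if pdu.kind == "connect":
            self.state[pdu.flow] = "session"
        elif pdu.kind == "bind" and st == "session":
            if (pdu.interface or "").lower() == ISYSTEMACTIVATOR:
                self.state[pdu.flow] = "bound"
        elif pdu.kind == "request" and st == "bound":
            return (pdu.opnum == VULN_OPNUM
                    and server_name_length(pdu.stub) > MAX_SAFE_SERVER_LEN)
        return False


def exploit_specific_filter(pdu: RpcPdu) -> bool:
    """Plain string match for one worm's shellcode: cheap, but blind to any
    other exploit of the same bug and able to hit on unrelated data."""
    return BLASTER_SIGNATURE in pdu.stub


def run_flow(pdus: List[RpcPdu]) -> Tuple[bool, bool]:
    """Feed a packet sequence through both filters; returns
    (vulnerability_specific_fired, exploit_specific_fired)."""
    vuln = VulnerabilitySpecificFilter()
    v_hit = e_hit = False
    for pdu in pdus:
        v_hit = vuln.inspect(pdu) or v_hit
        e_hit = exploit_specific_filter(pdu) or e_hit
    return v_hit, e_hit


def sample_flow(stub: bytes, port: int = RPC_PORT) -> List[RpcPdu]:
    """Constructed three-packet sequence from the slide: connect, BIND, REQUEST."""
    flow = ("192.0.2.10", 40001, "192.0.2.20", port)
    return [RpcPdu(flow, "connect"),
            RpcPdu(flow, "bind", interface=ISYSTEMACTIVATOR),
            RpcPdu(flow, "request", opnum=VULN_OPNUM, stub=stub)]


# Constructed inputs: a normal call; an overlong server name made of filler
# bytes (stands in for a different exploit of the same bug); and an overlong
# name that also carries the Blaster bytes.
LEGIT = sample_flow(b"\\\\fileserver\\share\\doc.txt")
OVERLONG = sample_flow(b"\\\\" + b"A" * 60 + b"\\doc.txt")
BLASTER_LIKE = sample_flow(b"\\\\" + b"A" * 20 + BLASTER_SIGNATURE + b"A" * 20 + b"\\doc.txt")

if __name__ == "__main__":
    for name, pdus in (("legit", LEGIT), ("overlong", OVERLONG), ("blaster-like", BLASTER_LIKE)):
        print(name, "(vulnerability-specific, exploit-specific):", run_flow(pdus))
```

The overlong flow without the worm bytes is exactly the case the slides warn about: the vulnerability-specific filter fires, the string match does not.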
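The blocked-stream and quarantine behaviour described above (a Block decision remembered per 5-tuple for 30 minutes regardless of later filter edits until it expires or is flushed, and Permit + Quarantine firing only after N hits in a period) as an added example; this is not TippingPoint code, and the `BlockedStreams`, `Inspector` and `QuarantineThreshold` classes, the timestamps and the sample flows are this example's own.

```python
"""Blocked-stream table and quarantine threshold. Added example, not
TippingPoint code; it models two behaviours the slides describe. Class and
function names, timestamps and sample flows are this example's own."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # src ip, dst ip, src port, dst port, protocol


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str

    def key(self) -> FiveTuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class BlockedStreams:
    """Blocked streams live for `timeout` seconds (30 minutes by default) and
    are removed only by expiry or by an explicit flush, as the slides warn."""

    def __init__(self, timeout: float = 30 * 60) -> None:
        self.timeout = timeout
        self._expires: Dict[FiveTuple, float] = {}

    def block(self, key: FiveTuple, now: float) -> None:
        self._expires[key] = now + self.timeout

    def is_blocked(self, key: FiveTuple, now: float) -> bool:
        exp = self._expires.get(key)
        if exp is None:
            return False
        if now >= exp:                 # lazy expiry on lookup
            del self._expires[key]
            return False
        return True

    def flush(self, key: Optional[FiveTuple] = None) -> int:
        """Flush one stream, or all of them when key is None; returns the count."""
        if key is None:
            n = len(self._expires)
            self._expires.clear()
            return n
        return 1 if self._expires.pop(key, None) is not None else 0


class Inspector:
    """Blocked-stream lookup happens before filter evaluation, so once a
    stream is blocked the filter (and any later edit to it) is not consulted."""

    def __init__(self, policy: Callable[[Packet], str], streams: BlockedStreams) -> None:
        self.policy = policy      # returns "block" or "permit" for a packet
        self.streams = streams
        self.inspected = 0        # packets that actually reached the filter engine

    def handle(self, pkt: Packet, now: float) -> str:
        if self.streams.is_blocked(pkt.key(), now):
            return "drop (blocked stream)"
        self.inspected += 1
        if self.policy(pkt) == "block":
            self.streams.block(pkt.key(), now)
            return "drop (filter block)"
        return "forward"


class QuarantineThreshold:
    """Permit + Quarantine: a host is quarantined once it reaches `hits`
    filter hits within `period` seconds (the slide's example: 5 hits in 2 minutes)."""

    def __init__(self, hits: int = 5, period: float = 120.0) -> None:
        self.hits, self.period = hits, period
        self._times: Dict[str, Deque[float]] = {}
        self.quarantined: Dict[str, float] = {}

    def record_hit(self, host: str, now: float) -> bool:
        q = self._times.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > self.period:    # drop hits outside the window
            q.popleft()
        if len(q) >= self.hits:
            self.quarantined[host] = now
            return True
        return False

    def release(self, host: str) -> None:      # manual release, as in the slides
        self.quarantined.pop(host, None)
        self._times.pop(host, None)


def blocked_stream_demo() -> Tuple[str, str, str, int]:
    """Constructed sequence: a filter blocks a flow, the operator then changes
    the filter to permit, yet the next packet of that flow is still dropped
    from the table until the stream is flushed."""
    mode = {"action": "block"}
    insp = Inspector(lambda p: mode["action"], BlockedStreams())
    pkt = Packet("198.51.100.7", "203.0.113.9", 51000, 445, "tcp")
    first = insp.handle(pkt, now=0.0)
    mode["action"] = "permit"              # filter edited ...
    second = insp.handle(pkt, now=60.0)    # ... but the stream stays blocked
    insp.streams.flush(pkt.key())          # manual flush, as in IPS > Events
    third = insp.handle(pkt, now=61.0)
    return first, second, third, insp.inspected
```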
- When traffic hits a Block + Quarantine filter:
  + A Blocked Stream is generated
  + A Quarantined Host is generated
- Hosts can be released from Quarantine manually, or you can configure an automatic timeout

REPUTATION AND SMS RESPONDER

REPUTATION

IP / DNS REPUTATION OVERVIEW
- Allows you to create policy based on IP / DNS reputation
  + N-Platform only
  + For DNS reputation the IPS must be in the path between the client and the DNS server
- Reputation data can be entered manually or sourced from TippingPoint with the Reputation DV service
  + Manual entries can be added individually, from the Event Viewer, or imported from a file (csv format)
  + Reputation DV service from TippingPoint
- A Reputation Filter determines what action to perform when traffic matches a reputation criterion
  + Configured as part of your IPS Profile (then distributed to the appropriate Segment or Segment Group)
  + Reputation Filters can use any available Action Set
    - Including Block, Permit, Rate Limit and Quarantine

IP / DNS REPUTATION OVERVIEW
- (diagram) Reputation DV: set policy based upon
  + IPv4 and IPv6 Address
  + Reputation Score
  + DNS Name
  + Device Type (exploit source, malware host, botnet CnC, spam, etc.)
- Traffic from bad IP addresses is blocked

SMS RESPONDER

SMS RESPONDER OVERVIEW
- Responder (or Active Response) is a mechanism where the SMS can perform an Action based on various Inputs
- Inputs (also known as Response Initiation)
  + Manual (for example from the Event Viewer)
  + Threshold (x number of hits in y timeframe)
  + IPS Quarantine occurrence
  + External system integration (via an API call)
- Action (outcome of a Response)
  + Implement IPS quarantine
  + Switch disconnect or move to VLAN
  + Notification
  + External system integration
  + Custom Action / Response (fully scriptable)
- Example Responder use-cases
  + Failed login attempts / Conficker mitigation
  + Brute force web harvesting
  + Desktop ticket system integration (i.e. in response to a spyware filter hit)

SMS RESPONDER LIFECYCLE
- (diagram) START: Response Closed
- Response initiated by: Threshold, Event Viewer (manual), IPS Quarantine, or an External System
- SMS Opens the Response
- SMS performs one or more actions: Syslog / trap, Email, IPS Quarantine, Move to VLAN, Switch Disconnect, External System web call
- Response closed by: Manual, External System, or Timeout

MAINTENANCE, PERFORMANCE & TROUBLESHOOTING

MAINTENANCE

DIGITAL VACCINE MAINTENANCE
- Setting up Auto-DV download using the SMS is easy
  + Download from TMC
  + Activate in SMS
  + Distribute to all Devices
  + Note: this distribution will occur as soon as the SMS detects the new DV on TMC
- To Distribute new DVs at a specific time:
  + Set up Auto Download
  + Set up Auto Activation
  + DO NOT set Auto Distribution
    - This would distribute the new DV immediately
  + Create a Digital Vaccine schedule

DIGITAL VACCINE SCHEDULED DISTRIBUTION
- Auto DV Activation: Enable Auto DV Download; Enable Auto DV Activation; Disable Auto DV Distribution
- New Scheduled Distribution: Name, Schedule, DV version; IPS Device Targets

IPS SYSTEM SNAPSHOTS
- A System Snapshot is an IPS configuration backup
  + Which includes the current Digital Vaccine
  + Once created, you should export it from the IPS
    - Either to your laptop or to the SMS for safekeeping
- Useful for:
  + Saving a known "good" configuration
  + Cloning configurations
  + Backup purposes (Disaster Recovery)
- To restore a System Snapshot
  + The IPS model and TOS version must exactly match the device on which it was created
  + The snapshot must be imported to the IPS
  + The IPS will reboot when the Snapshot is restored

IPS SYSTEM SNAPSHOTS (USING SMS)
- IPS System Snapshots are managed under the Devices Tab: IPS > Device Configuration > System Update
- The snapshot has to be on the device before it can be restored
- Buttons: Create new snapshot | Import / Export from disk | Copy snapshot to / from SMS | Restore (will reboot the IPS)

SMS DATABASE BACKUPS
- SMS Database Backups
  + Back up the SMS database for disaster recovery purposes
  + Can be Scheduled or Immediate
  + The backup file can be stored locally or offloaded to an NFS / SMB file share or sFTP/SCP
  + The backup file can optionally be encrypted
  + A time/date stamp can be added to the backup filename
- SMS Database Backup Contents
  + SMS configuration information
    - All SMS settings, all Devices under management
  + Device configuration
    - IPS configuration and snapshots from devices (if stored on the SMS)
  + Included Packages (Digital Vaccines and TOS images)
    - One or more Digital Vaccines, zero or more TOS images
  + SMS event history (optional; could increase backup size to ~15GB)

SMS DATABASE BACKUP WIZARD
- Scheduled Backup: specify the schedule name and recurrence
- Specify the number of DVs / TOS images to include
- Specify whether to include event data (makes the backup large, ~15GB)
- Specify the backup location: off-box is recommended for disaster recovery purposes

SMS HIGH AVAILABILITY (HA)
- Configure two SMS devices
- One will be the active SMS, the other the passive SMS
- The two devices communicate over a secure channel to exchange heartbeats and to synchronize data
- This secure channel can be over the primary (management) or secondary (private) interface
  + NOTE: SMS servers have two NICs marked 1 (primary) and 2 (secondary)
- The two devices can share a virtual IP
  + The active device responds to requests to the virtual IP
- If the active device fails, the passive one will take over

SMS HIGH AVAILABILITY: USING PRIMARY LINK
- (diagram) Network 172.16.240.0/24: SMS #1 172.16.240.20, SMS #2 172.16.240.21, Virtual Shared IP 172.16.240.22, User Laptop 172.16.240.x

IPS PASSWORD RESET PROCEDURE
- To perform a password reset on an IPS:
  + Establish a terminal connection to the IPS (115200/8/N/1)
  + Reboot the IPS and watch for the word "Loading" (see the screenshot on the next page)
  + Type mkey before the "..." appears after the word "Loading"
  + If mkey is input at the right time, the IPS will request the following:
    - Security level
    - SuperUser name
    - SuperUser password
- NOTE: Since this procedure requires a reboot of the IPS device, be aware that traffic through the device may be interrupted

IPS PASSWORD RESET PROCEDURE
- IPS Serial Console
  + Enter mkey (no spaces, no CR/LF)
- (serial console screenshot: boot messages such as Initialize Block Log, Initialize Alert Log, Initialize Email, Initialize Remote syslog, Validating Certificate; TippingPoint - Austin, Texas, USA - www.tippingpoint.com)

IPS PASSWORD RESET PROCEDURE
- Enter the security level and the new Username / Password
  + All other system configuration information remains the same
- (console screenshot: shows the Digital Vaccine version 2.5.2.7838, the password rules, for example at least 1 non-alphanumeric character, and that as super-user you can modify the security level afterwards)

SMS PASSWORD RECOVERY
- Connect a monitor and keyboard to the SMS
  + Reboot and interrupt the boot process
  + Select "Password Recovery"
- Log in to the SMS using:
  + Username: SuperUser
  + Password:

IPS: COMMAND LINE INTERFACE (CLI) OVERVIEW
- Connecting to the CLI
  + Terminal Cable
  + SSH
  + Telnet (must be turned on for Telnet access to be available)
- Auto-complete
  + Press the "tab key" for autocomplete
  + "sh<tab>" will get you "show"
- Shortcuts
  + "conf t" for "configure terminal"
- CLI basics
  + "help" - run this command to enter the help
  + "configure terminal" will enter the configuration mode
  + Ctl or "exit" to escape this mode

IPS: CLI - TOP-LEVEL COMMANDS
- Show commands: allow the user to view IPS settings
  + "sh" for short
  + Example: "show conf host"
- Debug commands: for lower-level troubleshooting
  + Example: "debug information memory"
- Configure Terminal commands: make configuration changes
  + "conf t" for short
  + Commands take effect immediately, no saving required (they are persistent)
  + Example: "configure terminal server http"
- Snapshot commands: create and manage IPS snapshots
- Other useful top-level commands
  + "reboot" restarts the IPS
  + "halt" gracefully halts the system in preparation for a "power off"
  + "setup" reruns the setup wizard
  + "traffic capture" captures traffic on inspection segments

IPS FACTORY RESET
- Log in to the CLI as a user with super-user access
  + Type: debug factory-reset
  + When prompted, type "COMMIT" and press Enter
- NOTE: This command will remove:
  + All current configuration information
  + All log files
  + All User Accounts
  + All filter policies
  + And resets the IPS to the factory-delivered TOS and DV versions
- Recovering after a Factory Reset
  + Re-run setup on the device
  + Use an IPS System Snapshot and restore
  + Use an SMS to re-push the IPS Policy

SMS FACTORY RESET
- The SMS Factory Reset only clears out the SMS database and leaves the software version intact
- (console screenshot)
  Authorized users only. All activity may be monitored and reported.
  SMS-VM-33 SMS=> factoryreset
  ... automatically reboot and OBE will be displayed when finished.
RESETTING IPS FILTERS
- If you are experiencing issues with performance or filter policy, you may elect to reset the IPS filters
  + In the SMS, under the Device Configuration dialog
  + From the LSM: IPS > Preferences > Reset
- Afterwards, you need to do the following
  + Recreate any virtual segments
  + Redistribute your profiles to the device
- (LSM IPS Preferences screenshot: Configure Threat Suppression Engine (TSE), Connection Table timeout in seconds)

PERFORMANCE

PERFORMANCE OVERVIEW
- The HP TippingPoint IPS is built on a real-time operating system
  + Inspecting traffic is the highest priority
  + All other tasks are lower priority
- Block and Notify operations perform better than Permit and Notify operations
  + We are first and foremost an IPS ("Prevention") and not an IDS ("Detection")
- Overall system performance can be optimized automatically as well as through manual intervention
- Automatic Optimization
  + Layer 2 Fallback (Intrinsic HA)
  + Performance Protection
  + Adaptive Filter Configuration
- Manual Optimization
  + Properly size the device (rated throughput)
  + Define Trust/Block TM Rules
  + Create Exceptions
  + Disable poorly performing filters
  + Use Blocks instead of Permits
  + Reduce Packet traces and notifications

LAYER 2 FALLBACK (INTRINSIC HA)
- Causes of automated Layer 2 Fallback
  + IPS system issues
    - Suspended Tasks
    - TSE Issues
    - Hardware and Software Watchdog timers
  + Excessive congestion (90% packet loss in less than 10 seconds)
    - Extreme over-subscription of the IPS Device

PERFORMANCE PROTECTION
- Sending notifications takes up CPU cycles
- Notifications can be suspended automatically if the device is experiencing congestion
- Performance Protection settings
  + Logging Mode: Always log / Disable if congested
  + Congestion Percentage: range 0.1% to 99.9%
  + Disable Time: notification suppression time, Default: 600 seconds

ADAPTIVE FILTER CONFIGURATION - AFC
- The IPS can protect against the adverse effects of a specific filter
  + Very dependent on individual customer traffic patterns
- The IPS can disable individual filters under certain situations:
  + Threat Verification Timeout
  + A Trigger results in a lot of suspicion but no matches, and the IPS is experiencing congestion
- AFC Settings:
  + Filter Settings - AFC may be turned on/off for specific filters as well
  + Global Settings - Auto or Manual
    - Default: Auto, which means that AFC is on

PERFORMANCE OPTIMIZATION (MANUAL)
- Optimization is only required if congestion is occurring or if an IPS is being operated close to its maximum rated throughput
  + How to view the amount of congestion
  + How to view the amount of TSE throughput
  + How to view filter performance
- The next few slides demonstrate the steps to consider when optimizing performance ...

HOW MUCH TRAFFIC IS TRAVERSING THE IPS?
- show np tier-stats
- Look at Tier 1 Rx Mbps / Tx Mbps
  + Shows current and maximum throughput from all Segments
- It is recommended that you run the command multiple times
  + The high-level watermark is shown in parentheses ()
  + Reset on reboot or with "clear np tier-stats" (N-Platform only)
  + Ensure traffic is not too close to the maximum rating for that device

MONITORING THROUGHPUT
- Look at how many packets are being dropped due to Congestion
- Run the command more than once to see if congestion is increasing
- On the N-Platform it is named Dropped instead of Congestion
- show np general statistics
  + These are always-increasing values
  + Run the command multiple times within a given period
  + Congestion: shows packets dropped due to congestion

MONITORING CONGESTION
- Health > Packet Stats

WHICH FILTERS ARE WORKING WELL (OR NOT)?
- show np rule-stats
  + Shows the top 20 triggered filters
- Which filters are triggering the most
  + Look for filters with a high "% Total"
- Which filters are working well
  + Look for filters with a high "% Success"
  + 100% means each time a filter is triggered, a threat is found
- Which filters are triggering, but not finding anything bad
  + Look for filters with zero "% Success"
  + Highlighted filters are candidates to be disabled
    - Large number of flows
    - Zero success
  + Note: they are only candidates, as they may detect attacks in the future!

COMMON PERFORMANCE PROBLEMS
- Over-subscribing the IPS with too much traffic
  + Route traffic around the IPS or get a bigger IPS / Core Controller
- Lots of out-of-order or fragmented packets
  + Could be a network issue

- ARP Listing
  + show arp
- TraceRoute
  + traceroute
- Show Management Port Settings
  + show conf interface mgmtEthernet

NO TRAFFIC PASSING?
- Port Health
  + Link
  + Negotiation
  + L2FB set to Block
- Blocked Streams
- Quarantined host entry
- IP Reputation entry set to Block
- Traffic Management Filter set to Block

POLICY NOT WORKING?
- Port Health
  + L2FB set to Permit
- Has the Policy been distributed to the proper segment?
- Filter Exception
- Profile Exception
- Traffic Management Filter set to Trust

ADDITIONAL RESOURCES

TMC AND THREATLINQ
- TMC
  + Make sure you are signed up to receive email updates
  + Great source for up-to-date information on TippingPoint products, release notes, white papers, best practices guides, etc.
  + Knowledge Base
  + Product Releases
- ThreatLinQ
  + Helps with Policy decisions and dealing with timely / imminent threats
  + Blog Articles on current threats and how to deal with them
  + Top Attacks, Movers and Shakers
  + Highest rated policy filters
  + Note: Consider configuring your SMS to share info with ThreatLinQ (opt in via Edit > Preferences > Security)

TIPPINGPOINT USER GROUP
- The List Server is hosted by the University of North Carolina
  + Self-help group, NOT run by TippingPoint
  + TippingPoint employees monitor the group along with many customers
- How to join
  + TippingPoint Users Group - http://mail.unc.edu/lists/
  + The List Name is "tippingpoint"
  + Register and receive access from the administrator

TIPPINGPOINT SUPPORT
- Phone Support
  + North America: +1 866 681 8324
  + International: +1 512 681 8324
  + Note: For certain regions there are direct numbers (see website)
- Email address: tippingpoint_support@hp.com
- Things to Provide
  + Company name
  + Information to have handy
    - show version: model, TOS, DV and Certificate Number
    - show log system (especially entries showing WARN, ERROR and CRIT)
    - show log audit
  + For performance issues
    - Packet Traces (for AFC filters)
    - show np tier-stats
    - show np rule-stats

THANK YOU!
