CP_R65.1_IPS-1_AdminGuide

Apr 07, 2018

Sagar Gupta
  • 8/3/2019 CP_R65.1_IPS-1_AdminGuide

    1/186

    IPS-1

    Administration Guide

    Version NGX R65.1

    March 8, 2009


    2003-2009 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

    For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.


    Contents

    Preface

    About this Guide .............................................................................................. 10

    Who Should Use This Guide .............................................................................. 11

    Summary of Contents ....................................................................................... 12

    Related Documentation .................................................................................... 13

    More Information ............................................................................................. 14

    Feedback ........................................................................................................ 15

    Chapter 1 IPS-1 Overview

    IPS-1 Key Benefits .......................................................................................... 18

    IPS-1 System Architecture................................................................................ 19

    IPS-1 Deployment............................................................................................ 21

    Working in the IPS-1 Management Dashboard .................................................... 22

    Logging into the IPS-1 Management Server with the IPS-1 Dashboard ............. 22

    Navigating the IPS-1 Management Dashboard Windows.................................. 23

    The IPS-1 Management Dashboard Menus .................................................... 24

    The IPS-1 Management Dashboard Toolbar ................................................... 25

    Chapter 2 Managing the IPS-1 System

    Overview ......................................................................................................... 28

    System Messages............................................................................................. 28

    Installing Policies ............................................................................................ 29

    Adding an Alerts Concentrator to the System ...................................................... 31

    Adding an IPS-1 Sensor to the Management Server............................................. 33

    User Accounts ................................................................................................. 35

    User Accounts Overview .............................................................................. 35

    Managing User Accounts ............................................................................. 35

    Changing the Password................................................................................ 36

    Unlocking a User Account ........................................................................... 36

    Licensing ........................................................................................................ 38

    Overview .................................................................................................... 38

    Viewing License Summary ........................................................................... 38

    Adding a License ........................................................................................ 39

    Maintaining Database Size................................................................................ 41

    Space Management Overview ....................................................................... 41

    Configuring Space Management ................................................................... 42

    Reclaiming Database Space......................................................................... 43

    Alerts Concentrator High Availability.................................................................. 45

    Managing the IPS-1 Sensor .............................................................................. 47

    Connecting to the IPS-1 Sensor.................................................................... 47

    IPS-1 Sensor Modes.................................................................................... 47

    Configuring Other Sensor Definitions ............................................................ 50

    Shutting Down or Restarting the IPS-1 Sensor............................................... 52


    Overview .................................................................................................. 140

    Creating an Activity Level Graph................................................................. 140

    Creating Pick Graphs................................................................................. 142

    Creating a Top n Graph.............................................................................. 144

    Saving Graphs .......................................................................................... 146

    Printing a Graph ....................................................................................... 146

    Customizing Alerts ......................................................................................... 147

    Overview .................................................................................................. 147

    Configuring Actions................................................................................... 147

    Applying Actions to Alerts.......................................................................... 150

    Changing an Alerts Displayed Priority......................................................... 151

    Chapter 5 Vulnerability Detection and Defense

    Overview ....................................................................................................... 154

    Installing Network Vulnerability Data, and Dynamic Shielding ............................ 155

    Viewing Vulnerabilities ................................................................................... 156

    Investigating Vulnerabilities with the Distribution Graph .................................... 159

    Distribution Graph Overview....................................................................... 159

    Configuring the Distribution Graph ............................................................. 159

    Investigation Examples.............................................................................. 160

    Viewing Compromise Risk in the Alert Browser.................................................. 162

    Disabling Vulnerability Correlation ................................................................... 163

    Chapter 6 Data Analysis with External Tools

    Overview ....................................................................................................... 166

    Setting up Reports ......................................................................................... 167

    Creating an ODBC Data Source .................................................................. 167

    Generating a Report ....................................................................................... 169

    Report Template List...................................................................................... 173

    Integration with Eventia Analyzer..................................................................... 175

    Introduction ............................................................................................. 175

    Integrating with Eventia Analyzer................................................................ 175

    Chapter 7 Backup and Migration

    Overview ....................................................................................................... 180

    Exporting IPS-1 Management Server Data ........................................................ 181

    Exporting Data using the Dashboard ........................................................... 182

    Exporting Data using the Command Line..................................................... 182

    Migrating Data using the Command Line..................................................... 184

    Importing IPS-1 Management Server Data........................................................ 185


    Preface

    In This Chapter

    About this Guide page 10

    Who Should Use This Guide page 11

    Summary of Contents page 12

    Related Documentation page 13

    More Information page 14

    Feedback page 15


    About this Guide

    The IPS-1 Administration Guide is a guide to configuring and using the IPS-1 system.

    For deployment, installation and initial configuration instructions, see the Check Point Installation and Upgrade Guide.


    Who Should Use This Guide

    This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

    This guide assumes a basic understanding of:

        System and network administration

        Server operating systems


    Summary of Contents

    This guide contains the following chapters:

    Chapter 1, IPS-1 Overview: This chapter discusses IPS-1 deployment components and an introduction to the IPS-1 Management Dashboard.

    Chapter 2, Managing the IPS-1 System: This chapter discusses configuration tasks, user accounts, licensing, database maintenance, and system administration.

    Chapter 3, Managing Attack Detection and Prevention: This chapter discusses updating attack signatures and managing protections.

    Chapter 4, Alert Monitoring and Analysis: This chapter discusses the IPS-1 Management Dashboard windows and tools for alert monitoring and analysis.

    Chapter 5, Vulnerability Detection and Defense: This chapter discusses network vulnerability detection and analysis.

    Chapter 6, Data Analysis with External Tools: This chapter discusses creating reports with Crystal Reports 11 from Business Objects.

    Chapter 7, Backup and Migration: This chapter discusses IPS-1 Management Server data backup and migration.


    More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com.

    To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

    [email protected]

    Chapter 1

    IPS-1 Overview

    In This Chapter

    IPS-1 Key Benefits page 18

    IPS-1 System Architecture page 19

    IPS-1 Deployment page 21

    Working in the IPS-1 Management Dashboard page 22


    IPS-1 Key Benefits

    The IPS-1 Intrusion Prevention System provides accurate, high performance protection against known and unknown attacks. You can customize its features to suit your organization's particular needs. IPS-1 offers many benefits:

    Trusted Intrusion Prevention

        Smart intrusion detection

        Customizable intrusion prevention

        Customizable Confidence Indexing

        Customizable attack signatures

        Automatic attack signature updates

    IPS Simplified

        Quick deployment

        Flexible deployment modes

        Minimal-impact design

        Centralized, scalable management

        Customizable desktop GUI with real-time information and management

    Dynamic Shielding

        Presents network intelligence including OS and application information, CVE vulnerabilities, and impact and remediation details.

        Determines anomalous behavior, reduces false positives and recognizes and dynamically shields vulnerable hosts against inevitable attacks.


    IPS-1 System Architecture

    An IPS-1 deployment includes the following components:

    IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.

    Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.

    IPS-1 Management Server: The central management server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.

    IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Management Dashboard includes a number of independent interlinked windows, primarily:

        Policy Manager for configuring protections and managing the entire IPS-1 system.

        Alert Browser for viewing, tracking, and analyzing real-time alerts.

    There are two deployment configurations for IPS-1:

    Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer. For this type of deployment, select IPS-1 Management Server (all components) during the installation.

    Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers. For this type of deployment, select IPS-1 Management Server (without Alerts Concentrator) during the installation.

    The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Installation and Upgrade Guide Version R70.


    The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:

    Figure 1-1 The IPS-1 System


    IPS-1 Deployment

    For considerations for placement and topology of IPS-1 Sensors and of management components, and for information on setting up the deployment, see the Check Point Installation and Upgrade Guide.

    For information on subsequent configuration of the various IPS-1 system components, see in this document: Managing the IPS-1 System on page 27.


    Working in the IPS-1 Management Dashboard

    In This Section

    Logging into the IPS-1 Management Server with the IPS-1 Dashboard page 22

    Navigating the IPS-1 Management Dashboard Windows page 23

    The IPS-1 Management Dashboard Menus page 24

    The IPS-1 Management Dashboard Toolbar page 25

    Logging into the IPS-1 Management Server with the IPS-1 Dashboard

    To log into the IPS-1 Management Server with the IPS-1 Management Dashboard:

    1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:

        a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.

        b. Run:

        /etc/init.d/ips1 start

    2. On the client computer, start the IPS-1 Management Dashboard. A login window appears:

    3. Type your username and password, and specify the IPS-1 Server's IP address or resolvable hostname. The default port number is 8443.


    4. If you are trying to connect to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server's connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.

    Note - The default username is admin. When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.

    Navigating the IPS-1 Management Dashboard Windows

    IPS-1 Management Dashboard windows can be accessed by clicking one of the icons in the upper-right corner of the Management Dashboard. The windows can also be accessed from the File and Management menus.

    The IPS-1 Management Dashboard includes the following main windows:

    Policy Manager: System, protection, and alert management.

    To access Policy Manager from any other IPS-1 Management Dashboard window, from the Management menu, select Policy.

    Some parts of Policy Manager (especially in the System Settings tab) appear only when Advanced Settings are enabled. To enable Advanced Settings, from Policy Manager's Policy Manager menu, point to Advanced, and select Show Advanced Settings.

    Details of the tasks performed in Policy Manager can be found in Managing the IPS-1 System on page 27, in Managing Attack Detection and Prevention on page 65, and in other chapters.

    Alert Browser, and other windows for alert monitoring and analysis.

    Any of the alert monitoring and analysis windows can be accessed from the File menu or toolbar of any IPS-1 Management Dashboard window. These windows are highly user-configurable. Details of the tasks performed in these windows can be found in Alert Monitoring and Analysis on page 107, and in other chapters.

    Vulnerability Browser: Network risk assessment and analysis. The Vulnerability Browser can be accessed from the File menu of any IPS-1 Management Dashboard window, or from the Alert Browser toolbar. For details, see Vulnerability Detection and Defense on page 153.


    The IPS-1 Management Dashboard Menus

    The menus for all main Dashboard windows are the same, except for the third menu, which bears the same name as the window. For example, Policy Manager's Policy Manager menu contains commands unique to Policy Manager.

    The File menu contains the following commands:

    Commands for launching new windows:

        New Alert Browser

        New History Browser

        New Timeline

        New Graph

        New Vulnerability Browser

    Commands for managing window views:

        Open View

        Delete View

        Save View

        Save View As

        Window views include all customization settings, and are saved on the IPS-1 Management Server. For details, see Saving Customized Views on page 124.

    Close: Closes the current window.

    Exit Application: Closes all IPS-1 Management Dashboard windows.

    The Tools menu contains the following commands:

    System Status: Displays in a single window the activity and communication status of the Alerts Concentrators and Sensors. For details, see System Status in the IPS-1 Management Dashboard on page 58.

    User Preferences: Settings for using Reverse DNS lookup to display hostnames in Alert Details and for viewing packet captures in a third-party application. For details, see Viewing Alert Details on page 127 and Packet Capture and Viewing on page 129.

    Change Password: Enables a user to change his password. For details, see Changing the Password on page 36.


    The context-dependent menu contains commands relevant to each specific window, such as Alert Browser, History Browser, Policy Manager etc., and changes name according to the window which is open.

    The Windows menu contains a listing of the open IPS-1 windows. This menu does not appear in the Alert Browser which is opened after the initial login.

    The Management menu contains the following commands:

    Correlators: Opens the Correlators window. Correlators generate alerts based on other alerts, from multiple connections and across all IPS-1 Sensors. For details, see System-Wide Attack Correlation on page 89.

    Users: Manage user accounts. For details, see User Accounts on page 35.

    Policy: Opens Policy Manager.

    Space Management: Opens the Space Management window, for maintaining database size. For details, see Maintaining Database Size on page 41.

    The About menu contains the About command: Displays IPS-1 Management Dashboard information.

    The IPS-1 Management Dashboard Toolbar

    On the left end of the toolbar, the Alert Browser and History Browser windows have buttons unique to the Alert Browser and History Browser. For details on these buttons, see Toolbar Buttons on page 112.

    On the right end of the toolbar, all the main Management Dashboard windows have the same buttons. These are:

    Table 1-1 (the button icons are not reproduced in this transcript)

    Opens an Alert Browser window. See The Alert Browser and History Browser on page 109.

    Allows you to view alert activity in graph form. See Creating Alert Graphs on page 140.

    Plots alert activity on timelines. See The Timeline Window on page 134.


    Opens the Vulnerability Browser. See Vulnerability Detection and Defense on page 153.

    Opens Policy Manager.

    Displays the status of all IPS-1 Alerts Concentrators and IPS-1 Sensors. See System Status in the IPS-1 Management Dashboard on page 58.


    Chapter 2

    Managing the IPS-1 System

    In This Chapter

    Overview page 28

    System Messages page 28

    Installing Policies page 29

    Adding an Alerts Concentrator to the System page 31

    Adding an IPS-1 Sensor to the Management Server page 33

    User Accounts page 35

    Licensing page 38

    Maintaining Database Size page 41

    Alerts Concentrator High Availability page 45

    Managing the IPS-1 Sensor page 47

    Starting and Stopping the IPS-1 Servers page 56

    Uninstalling the IPS-1 Servers page 57

    Viewing System Status Information page 58


    Overview

    This chapter describes configuration of an already installed and initially configured IPS-1 system. For information on installing and initially configuring the IPS-1 system, see the Check Point Installation and Upgrade Guide.

    System Messages

    IPS-1 System Messages report required and recommended management tasks. To view the System Messages:

    1. Open the Policy Manager.

    2. Select the System Settings tab.

    3. In the left-hand navigation tree, select System Messages.


    Installing Policies

    Many of the management tasks in this chapter and the protection management tasks in the next chapter are performed in Policy Manager. In general, changes made in Policy Manager are not saved to the IPS-1 Management Server or transmitted to other IPS-1 system components until you Install Policy.

    To Install a Policy:

    1. In Policy Manager, from the File menu, select Install Policy. Or, click Install Policy:


    The Install Policy window appears:

    2. Select the Alerts Concentrator(s).

    3. In most cases, select (on the bottom of the window) Install Policy on Sensors, and (in the upper part of the window) select all Sensors. The "Install Policy on Sensors" checkbox will be automatically selected when changes have been made that require the Sensors to be updated.

    4. Click OK.

    Policy Manager changes to read-only while Policy is installed.

    Note - If you leave any Alerts Concentrators or Sensors not selected, they will be excluded from subsequent automatic attack signature updates.


    Adding an Alerts Concentrator to the System

    To add an Alerts Concentrator to the IPS-1 System, first install and set up the Alerts Concentrator. For details, see the Check Point Installation and Upgrade Guide.

    To then add the Alerts Concentrator to the IPS-1 system, in Policy Manager's Sensors and Concentrators tab, right-click in the left-hand navigation tree, and select New Alerts Concentrator:

    The New Alerts Concentrator window appears:


    Configure the Alerts Concentrator settings as follows:

    1. In the Host field, type the Alerts Concentrator's IP address or resolvable hostname.

    2. Type and confirm the activation key that you specified during the Alerts Concentrator installation.

    To reset the Activation Key on the Alerts Concentrator:

        a. Log in to the Alerts Concentrator.

        b. Switch to the ips1 user using the su - ips1 command. In SecurePlatform, this must be done from expert mode.

        c. Run the set_activation_key command to set the activation key.

    3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy's connection and authentication information.

    4. Make sure Receive Alerts is On.

    5. If this Alerts Concentrator or the IPS-1 Server's communication with it might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server first attempts to retrieve the Help Text from another Alerts Concentrator.

    6. Click OK.

    The Alerts Concentrator is added.

    Note - Entering the Alerts Concentrator's IP address is preferred, to better protect against DNS spoofing.


    Adding an IPS-1 Sensor to the Management Server

    Before adding an IPS-1 Sensor to the IPS-1 Management Server, the Sensor must first be installed and configured as described in the Check Point Installation and Upgrade Guide.

    In Policy Manager, add the Sensor to the IPS-1 system, as follows:

    1. In Policy Manager's Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor.

    The Add New Sensor window appears:

    2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.

    3. Type the Sensor's IP address or resolvable Hostname.

    4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor's Management Menu.

    To reset the Activation key on an IPS-1 Sensor, run the cpconfig command. To reset the Activation key on an IPS-1 Power Sensor, log in as the nfr user.


    5. Click Next.

    6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types.

    If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press Enter.

    When all of your network addresses are listed in the Selected Host Types, click Next.

    7. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types.

    If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter.

    When all of your broadcast addresses are listed in the Selected Host Types, click Next.

    8. Click New to assign descriptive names to your interfaces.

    The Edit Interface Description window appears:

    Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.

    9. Once you have finished modifying the names of the interfaces, press Finish to add the new Sensor to the Alerts Concentrator.

    10. To apply the changes, click Install Policy.


    User Accounts

    In This Section

    User Accounts Overview page 35
    Managing User Accounts page 35
    Changing the Password page 36
    Unlocking a User Account page 36

    User Accounts Overview

    Two kinds of users, with different permission levels, can log into the IPS-1

    Management Server with the IPS-1 Management Dashboard, and use or manage the

    IPS-1 system:

    Administrator - full permissions.

    Normal - specific, configurable permissions. These permissions are defined
    during the creation of the user account or subsequently by editing the user
    account.

    One Administrator account is defined during IPS-1 Management Server installation.

    Additional users of both kinds can be added from the IPS-1 Management

    Dashboard.

    User accounts can be created and managed by Administrators, or by Normal Users

    who have been given the Edit User permission. The Edit User permission can be

    limited to managing specific users. A user can never give permissions greater than

    his own.

    Note - Sensors for which a Normal user does not have permissions will not appear in Policy
    Manager, the Alert Browser, Timeline windows, System Status, etc. However, the graphs
    window (which displays raw counts of alerts) may still include counts of alerts from these
    IPS-1 Sensors. Also, these application-level settings are irrelevant to any third-party tool
    which directly accesses the database, such as Crystal Reports.

    Managing User Accounts

    To create or edit a user account:

    1. From the Alert Browser's or Policy Manager's Management menu, select Users.


    The Manage Users window appears:

    2. Click New, or select an existing user and click Edit.

    3. Type or verify the User Information, including:

    The number of Connect Retries before a user submitting invalid

    authentication information is locked out.

    The user Role - Administrator or Normal (see above).

    4. For a Normal user account, configure the User Permissions. Hover over the rows
    to see their descriptions below.

    5. Click OK.

    The user account is configured.

    The user can now change his password, as explained in the following section.

    Changing the Password

    After a user account is created, the user can change his password as follows:

    1. From the Tools menu, select Change Password.

    2. Type the current password, and type and confirm a new password.

    3. Click OK.

    Unlocking a User Account

    If a user submits invalid authentication information more than the number of

    Connect Retries defined for his user account, he will be locked out. The account

    can be unlocked in one of two ways:

    An Administrator can unlock the locked user's account as follows:

    1. From the Alert Browser's or Policy Manager's Management menu, select Users.

    The Manage Users window appears.

    2. Select the locked out user account, and Click Unlock Account.

    If a sole Administrator's account is locked out, the account must be unlocked
    directly from the IPS-1 Management Server's command line, as follows:

    1. Run:

    cd /opt/CPips1-R65/ips1server/bin
    ./set_ips1_passwd.sh <user_name>

    where <user_name> is the user name of the account to be unlocked.

    2. Type and confirm a new password.
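The lockout and recovery rules described above, modelled as an added example. This is not IPS-1 code and does not describe how IPS-1 stores credentials: the PBKDF2 hashing, the exact comparison of the failure counter against Connect Retries, the reset of the counter on a successful login, and the account names and passwords are all assumptions chosen to make the documented behaviour (lockout after too many failures, Administrator unlock from the Dashboard, password reset on the server for a locked-out sole Administrator) observable.

```python
"""Model of the Connect Retries lockout and unlock behaviour described above.

Added example, not IPS-1 code. Documented rules modelled: a user who submits
invalid credentials more times than the account's Connect Retries value is
locked out; an Administrator can unlock the account; a locked-out sole
Administrator is recovered by resetting the password on the server (the
set_ips1_passwd.sh path above). The hashing scheme, the 'failures >
connect_retries' comparison and the counter reset on success are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000


@dataclass
class Account:
    name: str
    role: str              # "Administrator" or "Normal"
    connect_retries: int   # failed attempts tolerated before lockout
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    failures: int = 0
    locked: bool = False

    def set_password(self, password: str) -> None:
        """Set (or reset) the password; like set_ips1_passwd.sh this also unlocks."""
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        self.failures = 0
        self.locked = False

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(candidate, self.pw_hash)


class UserStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add(self, account: Account, password: str) -> None:
        account.set_password(password)
        self.accounts[account.name] = account

    def login(self, name: str, password: str) -> str:
        account = self.accounts.get(name)
        if account is None:
            return "denied"          # same answer as a bad password: do not leak valid names
        if account.locked:
            return "locked"          # even a correct password is refused while locked
        if account.check_password(password):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures > account.connect_retries:
            account.locked = True
            return "locked"
        return "denied"

    def unlock(self, admin_name: str, target_name: str) -> bool:
        """Dashboard path: only an unlocked Administrator may unlock another account."""
        admin = self.accounts[admin_name]
        if admin.role != "Administrator" or admin.locked:
            return False
        target = self.accounts[target_name]
        target.locked = False
        target.failures = 0
        return True


def normal_user_lockout() -> tuple[list[str], bool]:
    """Two bad logins are tolerated with connect_retries=2; the third locks the account."""
    store = UserStore()
    store.add(Account("admin", "Administrator", connect_retries=3), "correct horse")
    store.add(Account("analyst", "Normal", connect_retries=2), "battery staple")
    results = [store.login("analyst", "wrong") for _ in range(3)]
    results.append(store.login("analyst", "battery staple"))   # right password, still locked
    unlocked = store.unlock("admin", "analyst")
    results.append(store.login("analyst", "battery staple"))
    return results, unlocked


def sole_admin_recovery() -> tuple[bool, str]:
    """A locked sole Administrator cannot unlock anyone from the Dashboard; the
    recovery is a password reset on the server, modelled here by set_password()."""
    store = UserStore()
    store.add(Account("admin", "Administrator", connect_retries=1), "correct horse")
    for _ in range(2):
        store.login("admin", "wrong")                  # second failure exceeds connect_retries=1
    dashboard_unlock = store.unlock("admin", "admin")  # False: a locked admin has no power here
    store.accounts["admin"].set_password("new passphrase")
    return dashboard_unlock, store.login("admin", "new passphrase")
```

Two details worth keeping when implementing anything like this: a locked account must refuse even the correct password (otherwise the lockout does nothing against a slow guess), and the response for an unknown user should be indistinguishable from a wrong password.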


    Licensing

    In This Section

    Overview page 38
    Viewing License Summary page 38
    Adding a License page 39

    Overview

    The IPS-1 system requires three types of licenses, all of which can be obtained
    from Check Point's User Center:

    An IPS-1 Management Server license to manage a specified maximum number

    of IPS-1 Sensors. This license automatically licenses an Alerts Concentrator in

    a Combined installation. Separate Alerts Concentrators are not included.

    An Alerts Concentrator license for Alerts Concentrators not combined with the

    IPS-1 Management Server.

    IPS-1 Sensor licenses for each IPS-1 Sensor of a specified Sensor type.

    Sensor types are defined for licensing purposes according to hardware model

    numbers of Check Point preinstalled appliances. Note that adding Sensors to a

    system, besides requiring additional Sensor licenses, may affect the required

    type of IPS-1 Management Server license.

    All three kinds of licenses are stored on the IPS-1 Management Server and must be
    generated specifically for the IPS-1 Management Server's IP address.

    The IPS-1 Management Dashboard does not require a license. However, without a

    licensed IPS-1 Management Server, the IPS-1 Management Dashboard will function

    only in Demo mode.

    Viewing License Summary

    To view a summary of existing and missing licenses in an IPS-1 system:

    1. From Policy Manager's Policy Manager menu, select Licenses.

    2. In the left-hand license list, select Licenses.

    Adding a License

    To access the License Manager, from Policy Manager's Policy Manager menu, select
    Licenses.

    The License Manager appears:


    Maintaining Database Size

    The IPS-1 Management Server and Alerts Concentrators store and accumulate large

    quantities of alert data in MySQL databases. To maintain performance, the

    database must be efficiently configured and maintained.

    In This Section

    Space Management Overview page 41
    Configuring Space Management page 42
    Reclaiming Database Space page 43

    Space Management Overview

    The IPS-1 Management Server and Alerts Concentrator databases hold event and
    alert data generated by IPS-1. As with any system, the amount of space available

    for data storage is limited. The Space Management tool enables maintaining as

    much useful information as possible without exceeding disk storage limits.

    For a rough estimate of appropriate database size, multiply the volume of

    monitored traffic (in Gbps) by the number of months of alerts you plan to maintain.

    The database size (in GB) should approach half of that product.

    For example, if the Sensors that send alerts to a particular Alerts Concentrator

    collectively monitor 5Gbps, and you want to maintain six months of back alerts, the

    database should be 12-15 GB. However, appropriate database size is also
    dependent on other factors, such as fine-tuning protections for your system to
    minimize false positives.

    The Space Management tool periodically checks the used space in the database.

    When the used space exceeds a configurable Action Limit, Space Management

    begins deleting the oldest packet capture data and alert records. Space

    Management then continues deleting until the used space drops below a

    configurable Clearance Limit.


    Note - As Space Management deletes data, it tries to keep packet capture data for the alert
    records that remain: packet capture data is deleted in proportion to the alert records
    deleted, not preferentially.
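The Action Limit / Clearance Limit behaviour and the sizing rule of thumb above, as an added example. It is not IPS-1 code: the capacity, record sizes and the choice to express both limits as fractions of capacity are constructed assumptions (the Space Management window may use other units), and the policy of deleting the oldest alert together with its capture is a model of the proportional deletion described in the note, not the product's implementation.

```python
"""Model of the Space Management policy described above (added example, not IPS-1 code).

Capacity, limits and record sizes are constructed values. Both limits are
fractions of capacity, which is an assumption about how they are expressed.
"""
from collections import deque
from typing import Deque, List, Tuple


def estimate_db_size_gb(monitored_gbps: float, months_retained: int) -> float:
    """Rule of thumb from the text: roughly half of (Gbps monitored x months kept)."""
    return monitored_gbps * months_retained / 2


class AlertDatabase:
    """Alert records with their packet capture data, oldest first."""

    def __init__(self, capacity_bytes: int, action_limit: float, clearance_limit: float) -> None:
        if not 0 < clearance_limit < action_limit <= 1:
            raise ValueError("need 0 < clearance_limit < action_limit <= 1")
        self.capacity = capacity_bytes
        self.action_limit = action_limit
        self.clearance_limit = clearance_limit
        self.records: Deque[Tuple[int, int, int]] = deque()  # (alert_id, alert_bytes, pcap_bytes)

    def used_bytes(self) -> int:
        return sum(a + p for _, a, p in self.records)

    def usage(self) -> float:
        return self.used_bytes() / self.capacity

    def insert(self, alert_id: int, alert_bytes: int, pcap_bytes: int) -> None:
        self.records.append((alert_id, alert_bytes, pcap_bytes))

    def space_management_pass(self) -> List[int]:
        """One periodic check. Nothing happens until usage exceeds the Action Limit;
        then the oldest records (each alert with its capture, so capture data goes
        in proportion to alert records) are deleted until usage is below the
        Clearance Limit. The gap between the two limits is what stops the tool from
        deleting a record on every pass once the database is nearly full."""
        if self.usage() <= self.action_limit:
            return []
        deleted = []
        while self.records and self.usage() >= self.clearance_limit:
            deleted.append(self.records.popleft()[0])
        return deleted


def demo() -> Tuple[List[int], List[int], float]:
    db = AlertDatabase(capacity_bytes=1000, action_limit=0.9, clearance_limit=0.7)
    for alert_id in range(1, 11):        # ten constructed alerts of 60 B + 40 B capture each
        db.insert(alert_id, alert_bytes=60, pcap_bytes=40)
    first = db.space_management_pass()   # usage 1.0 > 0.9: deletes 1..4, usage falls to 0.6
    db.insert(11, 60, 40)                # usage 0.7: between the limits, so no action
    second = db.space_management_pass()
    return first, second, db.usage()
```

Running `demo()` shows the hysteresis: the first pass removes four records in one go, and the second pass does nothing even though usage is back at the Clearance Limit, because only crossing the Action Limit triggers deletion.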

    Configuring Space Management

    To configure Space Management:

    1. From any IPS-1 Management Dashboard window's Management menu, select
    Space Management.

    2. The Space Management window appears with a tab for the IPS-1 Management

    Server and for each Alerts Concentrator:


    Reclaiming Database Space

    You can use the space recovery script to recover available database space for an
    IPS-1 Alerts Concentrator and return it to the operating system for other uses.

    Optionally, this script can also perform extensive checks and fixes and optimize

    indexes.

    To enable periodic execution during specified windows, you can execute the script

    as a cron job.

    To run the Space Recovery script:

    1. Log in to the Alerts Concentrator host as the ips1 user (run: su - ips1).

    2. From $IPS1DIR/alcr, run the following:

    sdb-optimize.sh [-h] [-e]

    Warning - Run this script only if there is a large amount of free space that must be
    recovered. When this script is run on an IPS-1 Alerts Concentrator, it may take several hours
    to complete. The script shuts down the IPS-1 Alerts Concentrator (and, in a Combined
    installation, the IPS-1 Management Server) while it runs, which means that the IPS-1
    system will be inoperative during this period (except in a non-Combined installation with
    Alerts Concentrator High Availability). IPS-1 Sensors will continue to function and to buffer
    alerts until the server is back online, but alerts will not be visible on the IPS-1 Management
    Dashboard until the Alerts Concentrator is back online.

    Note - There must be enough free space for the script to make a copy of the largest
    database table - it skips any tables that are too big to copy.

    The options are:

    Table 2-1

    -h Provides detailed help text.

    -e Performs a check for database errors and attempts to recover the data.

    Note - The -e option lengthens the time the script takes to run.

    Note - Alerts and events will not be written to the database while these scripts are executing.

    Except with Alerts Concentrator High Availability, alerts will be queued on the Sensors until

    the Alerts Concentrator is back online.

    Alerts Concentrator High Availability

    To ensure continuity of information flow from IPS-1 Sensors to the IPS-1

    Management Server in the event of an IPS-1 Alerts Concentrator failure, you can

    configure an IPS-1 Sensor to report to a backup IPS-1 Alerts Concentrator. This

    automatically redirects alerts and packet capture data to the backup Alerts

    Concentrator if the primary Alerts Concentrator or the Sensor's connection with it

    fails. You can deploy the backup Alerts Concentrator in the same network as the

    primary Alerts Concentrator.

    If the primary Alerts Concentrator fails, the backup Alerts Concentrator becomes

    active. Once a Sensor fails over to a backup Alerts Concentrator, it continues

    communicating with that Alerts Concentrator until: 1) the backup Alerts

    Concentrator fails; 2) the Sensor receives a quick restart command (includes

    receiving a policy push); 3) the Sensor is rebooted. The Sensor then attempts to

    communicate with the primary Alerts Concentrator.

    The failover process is independent for each Sensor; in certain situations (such as

    a network interruption) some Sensors from Group A in the illustration could be

    communicating with Alerts Concentrator A and others with Alerts Concentrator B.

    As shown in the following diagram, you can designate some IPS-1 Sensors' active
    Alerts Concentrator as the backup Alerts Concentrator for other Sensors.

    Figure 2-1 Alerts Concentrator High Availability

    The Sensors in group A send alert data to Alerts Concentrator A, and only in case
    of Alerts Concentrator A's failure, to Alerts Concentrator B. The Sensors in group B
    send alert data to Alerts Concentrator B, and only in case of Alerts Concentrator B's
    failure, to Alerts Concentrator A.
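The per-Sensor failover rules described in this section, modelled as an added example. This is not IPS-1 code: the Concentrator names, the reachability flag, the alert payloads and the queue-and-flush behaviour are constructed to make the documented rules visible (fail over when the active Concentrator is unreachable, stay on the backup until it fails or the Sensor gets a quick restart, policy push or reboot, and buffer alerts while neither Concentrator is reachable).

```python
"""Model of per-Sensor Alerts Concentrator failover (added example, not IPS-1 code).

Concentrator names, the reachability flag and the alert payloads are constructed.
Rules modelled are the ones stated in the text: a Sensor reports to its primary
Alerts Concentrator, fails over to the backup when the primary (or the path to it)
is down, stays on the backup until the backup fails, the Sensor gets a quick
restart (including a policy push) or the Sensor reboots, and queues alerts while
no Concentrator is reachable.
"""
from typing import Dict, List, Optional


class Concentrator:
    def __init__(self, name: str) -> None:
        self.name = name
        self.up = True            # constructed reachability flag
        self.received: List[str] = []


class Sensor:
    def __init__(self, name: str, primary: Concentrator, backup: Concentrator) -> None:
        self.name = name
        self.primary = primary
        self.backup = backup
        self.active = primary     # Concentrator currently reported to
        self.buffer: List[str] = []

    def _reachable_target(self) -> Optional[Concentrator]:
        """Stick with the active Concentrator while it is up; otherwise fail over."""
        if self.active.up:
            return self.active
        other = self.backup if self.active is self.primary else self.primary
        if other.up:
            self.active = other
            return other
        return None

    def send_alert(self, alert: str) -> Optional[str]:
        """Queue the alert, flush the queue to a reachable Concentrator, return its name."""
        self.buffer.append(alert)
        target = self._reachable_target()
        if target is None:
            return None           # both unreachable: alerts stay queued on the Sensor
        target.received.extend(self.buffer)
        self.buffer.clear()
        return target.name

    def quick_restart(self) -> None:
        """Quick restart, policy push or reboot: try the primary again first."""
        self.active = self.primary

    reboot = quick_restart


def failover_trace() -> Dict[str, object]:
    conc_a, conc_b = Concentrator("A"), Concentrator("B")
    s1 = Sensor("sensor-1", primary=conc_a, backup=conc_b)   # group A
    s2 = Sensor("sensor-2", primary=conc_b, backup=conc_a)   # group B: A is its backup
    trace = [s1.send_alert("a1")]            # A
    conc_a.up = False
    trace.append(s1.send_alert("a2"))        # fails over to B
    conc_a.up = True
    trace.append(s1.send_alert("a3"))        # still B: failover is sticky
    s1.quick_restart()                       # e.g. a policy push
    trace.append(s1.send_alert("a4"))        # back on A
    group_b = s2.send_alert("b1")            # B throughout; independent of sensor-1
    conc_a.up = conc_b.up = False
    queued = s1.send_alert("a5")             # None: queued on the Sensor
    conc_b.up = True
    flushed_to = s1.send_alert("a6")         # queue drains to B
    return {
        "trace": trace,
        "group_b": group_b,
        "queued": queued,
        "flushed_to": flushed_to,
        "a_received": list(conc_a.received),
        "b_received": list(conc_b.received),
    }
```

The stickiness matters operationally: after a primary Concentrator recovers, Sensors that failed over keep reporting to the backup until a policy push or reboot, so during an outage the two groups in Figure 2-1 can be split across both Concentrators, exactly as the text describes.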

    Managing the IPS-1 Sensor

    In This Section

    Connecting to the IPS-1 Sensor page 47
    IPS-1 Sensor Modes page 47
    Configuring Other Sensor Definitions page 50
    Shutting Down or Restarting the IPS-1 Sensor page 52
    Deleting Backlogged Sensor Data page 53
    Resolving IPS-1 Sensor Communications Issues page 53

    Connecting to the IPS-1 Sensor

    You can run commands on the IPS-1 Sensor in one of three ways, depending on
    hardware configuration:

    A connected keyboard and monitor.

    A serial console (DTE to DTE), using terminal emulation software such as
    HyperTerminal (from Windows) or Minicom (from Unix/Linux systems).
    Connection parameters for Check Point appliances are:
    For a regular (non-Power) IPS-1 Sensor appliance: 9600 bps, 8 data bits, no parity, 1
    stop bit (8N1).
    For an IPS-1 Power Sensor: 115200 bps, 8 data bits, no parity, 1 stop bit, no
    hardware or software (XON/XOFF) flow control.
    For third-party hardware connection parameters, see the third-party
    documentation.

    An SSH connection to the Sensor's management interface (if sshd is
    configured).

    IPS-1 Sensor Modes

    In This Section

    Sensor Modes Overview page 48
    Changing the Sensor Mode (Software) page 49
    Changing the Sensor Mode (Hardware) page 49

    Sensor Modes Overview

    In most cases, IPS-1 Sensors should be placed inline, so that all of the traffic to
    be monitored flows through the IPS-1 Sensor. This enables intrusion prevention. In
    this configuration, Sensors can drop traffic detected as an attack, according to
    defined and configurable confidence indexing.

    In some cases, such as in a complex switching environment in a network core,
    Sensors may need to be placed in passive mode, in which case they perform
    intrusion detection only.

    Inline Sensors' behavior upon failure can be configured to either open, passing
    through all traffic, or closed, severing the traffic path.

    Inline Sensors can be set to Monitor-Only (bridge) mode, to avoid the possibility of
    blocking valid traffic. In bridge mode, you can track what the Sensor would have
    done in prevention mode. You can fine-tune your prevention settings in bridge
    mode, and later change to prevention mode.

    The IPS-1 Sensor is configured for one of four different modes:

    IDS (passive): intrusion detection (IDS) with no prevention. In this mode, every
    interface other than the management interface can be used for monitoring.

    IPS Monitor-Only (inline, fail-open): inline mode without actual prevention.
    Packets are returned to the network before processing for attack detection. In
    fault conditions, all packets continue to be passed through.
    You can use this mode to see which traffic would have been dropped in the
    other IPS modes, making Monitor-Only mode useful during a system-tuning
    period before switching to actual intrusion prevention. See Avoiding False
    Positives on page 73 for details.
    Monitor-Only mode is also useful for checking whether an IPS-mode Sensor is
    responsible for unexplained traffic dropping.

    IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all
    packets are temporarily dropped.

    IPS (inline, fail-open): inline intrusion prevention. In fault conditions, interfaces
    revert to bypass mode.

    Fault conditions are:

    The Sensor has not completed booting and initializing
    The Sensor loses power, or suffers another hardware failure (dependent on hardware
    bypass NIC)
    The Sensor has crashed (dependent on hardware bypass NIC)

    When an interface pair is in bypass mode as a result of a failure, the bypass
    interfaces in most Sensor models act as a crossover connection between the
    two systems on either side of the Sensor. The four front-left copper interfaces on
    the new 200C/F and new 500C/F act as a straight-through connection when in
    bypass mode. All other hardware bypass pairs act as crossover connections when
    they are in bypass mode.

    Changing the Sensor Mode (Software)

    The IPS-1 Sensor mode is set during Sensor installation. To change the mode:

    1. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click
    Edit.

    2. Select the desired mode, and click OK.

    The IPS-1 Sensor is restarted in the new mode.

    Changing the Sensor Mode (Hardware)

    The IPS-1 Sensor 50 and Sensor 20 models are ordered and delivered as SKU "P",
    for "IPS Monitor-Only" and "IPS (inline, fail-open)" modes, or SKU "D", for "IPS
    (inline, fail-closed)" and "IDS (passive)" modes. Switching between the two
    configurations requires two steps in addition to changing the Sensor's operating
    mode in software: an internal hardware setting change and a BIOS change.

    1. Change the position of the red hardware jumper switch on the system's
    motherboard near the Ethernet ports on the front of the chassis.

    For passthrough modes (Monitor-Only and fail-open), the switch must be
    positioned to the rear of the unit, near pins 6 and 7.

    For non-passthrough modes (fail-closed and passive), the switch must be
    positioned to the front of the unit, near pins 1 and 12.

    2. Boot the Sensor.

    Warning - When changing a Sensor from an IPS (inline) mode to IDS (passive) mode or from

    IDS (passive) mode to an IPS (inline) mode, you MUST also reconfigure the cabling to

    change its position within the network. Failure to do so may stop the flow of network traffic

    or allow traffic to pass between the networks attached to the Sensor.


    3. Wait for the following message during the POST:

    TO ENTER SETUP BEFORE BOOT


    PRESS OR KEY

    Press the key or press the , , and keys to enter the
    system's BIOS Setup.

    4. On the 'Integrated Peripherals' screen, "Onboard By-PASS Active" should be set

    to "[Enabled]" for passthrough modes, and "[Disabled]" for non-passthrough

    modes.

    5. Exit the BIOS Setup and continue with the boot process.

    Warranty note: Check Point will not void the warranty of units that have been

    opened for this purpose. A Check Point SE is not required to make the change, but

    Professional Services can be arranged if the customer elects not to make the

    changes themselves.

    Configuring Other Sensor Definitions

    In This Section

    Regular (non-Power) IPS-1 Sensor Configuration page 50
    IPS-1 Power Sensor Configuration page 51

    Regular (non-Power) IPS-1 Sensor Configuration

    For regular (non-Power) IPS-1 Sensors, you can use the Check Point Configuration

    Tool to configure the following values on the IPS-1 Sensor:

    Inline interface pairs (ignored for Passive mode)

    IP address of Alerts Concentrator(s)

    Activation Key, with which the Alerts Concentrator is authenticated to the

    Sensor.


    Note - Interfaces associated with hardware bypass NICs cannot be changed. The

    information is displayed read-only.


    To change any of these values:

    1. On the IPS-1 Sensor, run:


    cpconfig

    2. Select Network Settings.

    3. Select the relevant options.

    4. When you are finished setting the options on the Sensor, return to the IPS-1
    Management Dashboard. In Policy Manager's Sensors and Concentrators tab,
    select the Sensor and click Edit.

    5. Make the change and click OK.

    6. Install Policy.

    The change is now defined both on the Sensor and in the IPS-1 Management

    Server and Alerts Concentrator(s).

    Other values, such as networking information, date and time, and host name, are
    configured with SecurePlatform's System Configuration Tool, as follows:

    1. On the Sensor, run:

    sysconfig

    2. Select the relevant options.

    3. When you are finished setting the options on the Sensor, if the changed value
    is the Sensor's hostname or IP address, return to the IPS-1 Management
    Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor
    and click Edit.

    4. Make the change and click OK.

    5. Install Policy.

    The change is now defined both on the Sensor and in the IPS-1 Management

    Server and Alerts Concentrator(s).

    IPS-1 Power Sensor Configuration

    IPS-1 Power Sensor configuration is performed through its Management Menu, as
    follows:

    1. To access the Management Menu, log in to the Power Sensor as nfr. The
    Management Menu will appear.

    2. Select the relevant options.


    3. When you are finished setting the options on the Sensor, you may be prompted

    to restart the Sensor for the changes to take effect.


    4. If the changed value is the Sensor's hostname or IP address, return to the
    IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators
    tab, select the Sensor and click Edit.

    5. Make the change and click OK.

    6. Install Policy.

    Shutting Down or Restarting the IPS-1 Sensor

    Direct CLI shutdown or reboot

    On a regular (non-Power) IPS-1 Sensor, use SecurePlatform's shutdown or reboot
    command.

    On an IPS-1 Power Sensor, log in as nfr and select Halt or Restart.

    In both cases, the operating system (not just the Sensor processes) is completely
    shut down.

    Remote Restart or Reboot

    You can remotely restart the Sensor IPS-1 software or completely reboot the Sensor

    machine, from the IPS-1 Management Dashboard. You can restart or reboot an

    individual Sensor, or simultaneously all Sensors of a selected Alerts Concentrator.

    To remotely restart or reboot one IPS-1 Sensor or all IPS-1 Sensors:

    1. In Policy Manager's Sensors and Concentrators tab, select and right-click an
    individual Sensor, or an Alerts Concentrator.

    2. Select one of the following:

    Restart (the selected Sensor)
    Reboot (the selected Sensor)
    Restart Sensors (all the Sensors of the selected Alerts Concentrator)
    Reboot Sensors (all the Sensors of the selected Alerts Concentrator)

    Note - Rebooting generates a progress window. Restarting produces no visible result.

    Resolving IPS-1 Sensor Communications Issues

    The following table shows the link status of two systems (such as the Sensor and
    the switch) connected using various duplex settings and a Gigabit network
    interface.

    Table 2-2

    System A       System B       Link Status
    Auto           Auto           full-duplex
    Auto           full-duplex    System A will fall back to half-duplex since System B is not
                                  doing auto-negotiation, and the systems will fail to
                                  communicate properly (duplex mismatch)
    Auto           half-duplex    System A will fall back to half-duplex since System B is not
                                  doing auto-negotiation; the duplex settings then match, so the
                                  link works, but only at half-duplex
    full-duplex    full-duplex    full-duplex
    half-duplex    half-duplex    half-duplex

    Table 2-3

    System A       System B       Results
    Auto           Auto           up
    disabled       disabled       up
    Auto           disabled       down

    Overriding Auto-Negotiation Settings for Power Sensors

    To override auto-negotiation settings:

    1. Type cpconfig and press Enter. The Management Menu will appear.
    2. Select Network.
    3. Select Set interface media and duplex.
    4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the
    desired interface, and press Enter to display all settings for the interface.
    5. Select a setting, and select Save.

    Restoring Auto-Negotiation Settings

    You can revert to auto-negotiation settings from the IPS-1 Sensor Management
    Menu.

    To revert to auto-negotiation settings from the IPS-1 Sensor:

    1. Type cpconfig and press Enter. The Management Menu will appear.
    2. Select Network.
    3. Select Set interface media and duplex.
    4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the
    desired interface, and press Enter to display all settings for the interface.
    5. Select Auto, and select Save.

    Uninstalling the IPS-1 Servers

    To uninstall the IPS-1 Management Server and/or Alerts Concentrator:

    1. Stop the IPS-1 processes, as follows:

    a. On SecurePlatform, enter expert mode by typing expert and pressing Enter.
    On other operating systems, log in as root.

    b. Change to the ips1 user, by running:

    su - ips1

    c. Run:

    ips1 -n stop

    2. From outside the IPS-1 directories (/opt/CPips1-R65 and /var/opt/CPips1-R65),
    perform one of the following:

    On SecurePlatform, run the following:

    expert
    rpm -e CPips1-R65

    On Linux, run the following:

    rpm -e CPips1-R65

    On Solaris, run the following:

    pkgrm CPips1-R65

    All IPS-1 files and data are removed.

    Viewing System Status Information

    In This Section

    System Status in the IPS-1 Management Dashboard page 58
    Viewing Sensor History page 61
    Viewing the IPS-1 Status Monitor page 62

    System Status in the IPS-1 Management Dashboard

    In This Section

    Viewing System Status in the IPS-1 Management Dashboard page 58
    Alerts Concentrator Status Fields page 60
    Sensor Status Fields page 61

    Viewing System Status in the IPS-1 Management Dashboard

    To view in a single window the activity and communication status of the Alerts

    Concentrators and Sensors:

    From the Alert Browser's Tools menu, select System Status; or, click the System

    Status icon:


    Select All or select an item in the list on the left to view its status.


    For explanations of the status fields, see the following sections.

    You can copy information from Status windows to the clipboard, by using context

    (right-click) menu commands.


    Alerts Concentrator Status Fields

    For an Alerts Concentrator, the following information is displayed:


    Alerts Concentrator: Provides name of the server.

    Connection Status: Provides status of the server's connection. Green means
    the connection is active. Red means the connection is inactive.

    Sensor Name: Provides the name of the IPS-1 Sensor.

    Status (of IPS-1 Sensor): Provides status of the IPS-1 Sensor.

    Last Status Time: Provides the timestamp of the last message received from

    the server.


    Sensor Status Fields

    For a Sensor, the following information is displayed:


    Viewing Sensor History

    To view the history of an IPS-1 Sensor from a specified time frame:

    1. Open the Sensor's Status window, as explained in the previous section, System
    Status in the IPS-1 Management Dashboard on page 58.


    2. Click View History.


    3. Select the desired Start and End Time, and click OK.

    The Sensor's history appears.

    Viewing the IPS-1 Status Monitor

    To view IPS-1 Sensor status information, run the following command on the Sensor:

    ipsstats

    The following information is displayed:

    System start time: Date and time IPS-1 Sensor was last restarted

    CPU: Average percentage of Sensor CPU capacity used in the last hour

    Real Memory: Total installed memory and memory available

    Virtual Memory: Total RAM + Virtual (Swap)

    Disk Space: Total installed and disk space available

    Packet Reception

    Total: Number of packets since system start time

    Current: Number of packets per second during the past two-second time
    interval

    Average: Average number of packets seen per second in the last hour

    Peak: Highest number of packets seen per second in the last hour


    Protocols

    Installed: Number of installed protocols

    Loaded: Number of successfully loaded protocols


    Failed: Number of protocols that failed to load

    Protection Groups

    Installed: Number of installed protection groups

    Loaded: Number of successfully loaded protection groups

    Failed: Number of protection groups that failed to load

    Current time (located in the lower right-hand corner of the screen)

    From the Status Monitor, press any key to display the Management Menu, or press

    ctrl-c to return to the command line.

    Note - The IPS-1 Sensor generates an alert if part of a protection package fails to

    load. This usually means that the package has a syntax error or a required variable is

    undefined.


    Chapter 3 Managing Attack Detection and Prevention

    In This Chapter

    Overview page 66

    Updating Attack Signatures page 67

    Avoiding False Positives page 73

    Managing Protections page 74

    System-Wide Attack Correlation page 89

    Overview

    In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect

    different exploits. This is accomplished by the administrator enabling certain


    protections and disabling others. Enabled protections on IPS-1 Sensors in active,
    inline (non-passive, non-bridge) mode will block traffic identified as an attack, or

    some protections can be set to Monitor-Only, to generate alerts without blocking

    traffic. You can configure other aspects of the protections as well.

    Configuration settings for IPS-1 Sensors (including system settings) are stored on

    the IPS-1 Alerts Concentrators to which they report. Changes are made through the

    Management Dashboard on the IPS-1 Management Server, from there sent to the

    Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.

Updating Attack Signatures

Check Point is continuously updating attack detection code to combat evolving threats. To keep your network security up-to-date, it is important to frequently update attack signatures from Check Point's online update server.

You can configure the system to automatically retrieve updates, and you can also manually initiate an update from Check Point's online update server or from locally saved files, obtainable from Check Point's User Center.

In This Section

Configuring Automatic Attack Signature Updates page 67

Manually Updating Attack Signatures page 70

Configuring Automatic Attack Signature Updates

To set automatic periodical attack signature updates from Check Point's package server:

1. From Policy Manager's Policy Manager menu, select Auto-Update Settings. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Auto-Update Settings.

Note - A firewall situated between the IPS-1 Management Server and the Internet must be configured to permit outbound TCP connections from the IPS-1 Management Server to ips-packages.checkpoint.com on port 2013.

The following window appears:


    2. Verify the Package Server and connection information, which should be:

    Server Address: ips-packages.checkpoint.com

    Server Port: 2013

3. If the IPS-1 Management Server is behind a proxy server, select Use Proxy and type your proxy server connection and authentication information. Click Next.


    The following window appears:


4. Select a frequency for automatic updates. Selecting an option other than Disabled causes time and date fields (for the first update) to appear, as follows:


5. Schedule the first update as needed. To choose a date from a calendar, click the calendar icon. For the first update to occur immediately, click Now.

6. Click Finish and close the Policy Manager. The first update will automatically occur when specified, and will continue from then according to the specified frequency. After each automatic update, the IPS-1 Management Server will transmit the attack signatures to Alerts Concentrators and IPS-1 Sensors that were selected when the last manual Install Policy was performed.

Manually Updating Attack Signatures

To manually update attack signatures from Check Point's package server or from locally saved files, obtainable from Check Point's User Center:

From Policy Manager's Policy Manager menu, select Online Update. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Online Update.


    A two-page wizard will start, beginning with the Download Package page:


Configure the package update as follows:

1. Select an attack signature package source. In most cases, this should be Check Point's Package Server. Other options are:

Local File - files that have been downloaded from Check Point's User Center to a local drive on the Management Dashboard user's computer or network. This is useful if the IPS-1 Management Server cannot access the internet, or for users who have edited the file's N-Code. If you select to update from a file, browse to the file, click Next, and proceed to step 4.

Management Server/Alerts Concentrator - uploads an Alerts Concentrator's current attack signatures to the IPS-1 Management Server. This is useful when one Alerts Concentrator is more up-to-date than another, or on first setup of a newly installed IPS-1 Management Server, as a temporary measure (a newly installed Alerts Concentrator comes with a default set of attack signatures). If you select to upload from an Alerts Concentrator, select the desired Alerts Concentrator, click Next, and proceed to step 4. Remember to update the attack signatures as soon as possible afterwards.

Skip Download - This option is not available if no attack signature package yet exists on the IPS-1 Management Server.


    2. Verify the Package Server information, which should be:

    Server Address: ips-packages.checkpoint.com

    Server Port: 2013


3. If the IPS-1 Management Server is behind a proxy server, you may need to select Use Proxy and type your proxy server connection and authentication information. Click Next.

    Once the packages are available, the Install Packages page appears:

4. Select protocols and protection groups for which to update attack signatures. Information and file contents for the selected protocols and protection groups are displayed on the right.

When in doubt, it is better to install and then disable a package in Policy Manager, than to not install it. Some protocols and protection groups depend on others being present to be able to work.

When you complete this wizard, attack signatures will be updated only on the IPS-1 Management Server. You will still need to install policy on the Alerts Concentrator(s) and IPS-1 Sensors.

    Click Finish to initiate the update.

Avoiding False Positives

As with any IPS system, before your protection settings are fully adapted to your network, the risk of false positives may be greater than otherwise. For this reason, it is recommended to start out with attack detection only, and then gradually increase the level of prevention.

The modes and settings below allow you to reduce prevention, thus minimizing the risk of false positives. Of course, any reduction in prevention may increase the risk of a successful attack.

Individual protection pages in Policy Manager's Protection tab (the lowest-level items in the Protection Settings navigation tree) contain protection description text, including per-protection assessments of the risk of a false positive.

Sensor Monitor-Only mode: In this mode, an inline IPS-1 Sensor generates alerts without actually preventing traffic. For more details, see IPS-1 Sensor Modes on page 47.

As preparation for changing the IPS-1 Sensor to a prevention mode, you can enable special alerts to notify you when traffic would have been prevented with the IPS-1 Sensor in other modes, as follows:

1. In Policy Manager's Policy Manager menu, enable Show Advanced Settings.

2. In the System Settings tab, in the left-hand navigation tree, under Attack, select Intrusion Prevention.

3. In the right-hand settings page, select Intrusion Prevention Notifications.

When you do change the IPS-1 Sensor to a prevention mode, remember to clear Intrusion Prevention Notifications.

Whitelisting: Important hosts can be added to the Servers Whitelist or to the Client Whitelist. Traffic from these hosts will be inspected for attacks but will not be blocked if attacks are detected. For details, see Exempting Hosts from Inspection or Prevention on page 87.

Monitor-Only protection setting: All or some protections can be set to Monitor Only. For details, see Protection-Level Settings on page 82 and One-Click Configuration of All Protocols and Protections on page 83.

Confidence Indexing: By default, active protections that are not in Monitor-Only mode drop traffic when the confidence of it being an attack is at least 50%. You can, in individual protection pages, select Active upon Confidence (not available for protection groups or protocols), and raise the Confidence value, so that only high-confidence attack traffic is dropped. See Protection Modes on page 81 for details.

Managing Protections

In This Section

Overview page 74

Managing Protection Profiles page 75

Configuring Protections page 77

Viewing and Copying Comprehensive Protection Settings page 85

Exempting Hosts from Inspection or Prevention page 87

Overview

In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in inline active (non-passive, non-bridge) mode will block traffic identified as an attack. Alternatively, the protection can be set to Monitor-Only so that it generates alerts without blocking traffic.

Some protections define an attack according to specific thresholds with default values. You can fine-tune these protections according to your needs by changing these values.

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection Profile, which is then installed on IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same Profile. Similar Profiles can be easily managed by cloning or copying settings.

Detection and prevention are also affected by system settings that apply to protections in general, for each IPS-1 Sensor, or protection Profile. Most of these have reasonable default values and are visible only when Advanced Settings are enabled (from Policy Manager's Policy Manager menu).

The Protection Overview feature enables viewing system-wide protection settings and is a valuable tool for implementing protection throughout a complex deployment. For details, see Viewing and Copying Comprehensive Protection Settings on page 85.

Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, from there sent to the Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.


    Managing Protection Profiles

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on IPS-1 Sensors associated with that profile.

IPS-1 Sensors that should have similar protection configurations should be associated with the same profile. Similar Profiles can be easily managed by cloning or copying settings.

In This Section

Creating a New Profile page 75

Managing Similar Profiles page 75

Associating an IPS-1 Sensor with a Profile page 76

Creating a New Profile

To create a new profile:

1. From Policy Manager's Protection tab, select Profile Management.

2. Click New and select Create New Profile.

3. Type a name for the profile and click OK.

Managing Similar Profiles

You can create a profile with protection settings similar to an existing profile by copying the settings of an existing profile and then modifying them. You can either clone the original profile to create a new, identical profile, or copy its settings onto an existing profile, overriding its original settings.

Cloning a Profile

To create a new profile with settings identical to those of an existing profile, clone the existing profile, as follows:

1. From Policy Manager's Protection tab, select Profile Management.

2. From the Profiles list, select a profile to be cloned.

3. Click New and select Clone Selected Profile.

4. Type a name for the new profile and click OK.

Copying a Profile's Settings onto an Existing Profile

To copy a profile's settings onto another profile, overriding its original settings:

1. From Policy Manager's Protection tab, select Profile Management.

2. From the Profiles list, select a profile to be copied and then right-click it. Select Copy... Settings.

3. Select the target profile and then right-click it. Select Paste Settings from... .

Associating an IPS-1 Sensor with a Profile

To associate an IPS-1 Sensor with a particular protection profile:

1. From Policy Manager's Protection tab, select Profile Assignment.

2. Select the IPS-1 Sensor and then right-click it. Select Edit Assigned Profile for....

3. Select the desired profile and click OK.

Configuring Protections

In This Section

Overview page 77

Viewing Protection Information page 78

Protection Settings page 79

Overview

Protections are organized into a three-tier hierarchy:

Protocol: In most cases, a Protocol includes all the protections that are based on analysis of traffic of a particular protocol. A few Protocols, such as Authentication and Badfiles, perform specific types of analysis over most traffic protocols.

Protection Group: A sub-group of a Protocol, including a number of related protections. Some settings, such as numerical thresholds, are defined at the protection group level for all the protections in the group.

Protection: Detects, prevents, and alerts for a specific attack.

To view a categorized protection list, expand the Application Intelligence, Network Security, or Web Intelligence heading in the navigation pane of Policy Manager's Protection tab:

In the above figure, AOL Instant Messenger and Authentication are protocols; Authentication BE is a protection group; and alphanumpasswd_alert and alphapasswd_alert are protections.

If an item you expect to see is missing, either it may not be installed or it may only be visible in advanced mode. To install it, update the attack signature package. See Updating Attack Signatures on page 67 for details.

Selecting any list item displays its settings page in the right-hand pane, with description text below. For example:


To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on IPS-1 Sensors associated with that profile. For information on managing profiles, see Managing Protection Profiles on page 75.

Viewing Protection Information

Each protocol, protection group and protection comes with informative description text.

To view description text:

In Policy Manager's Protection tab, under Protection Settings, select a protocol, protection group, or protection. Description text appears in the lower-right pane:


Description text includes some or all of the following headings:

Overview

Corroboration and Leads

Why this is Important

Technical Information (including explanations for unique settings)

False Positives

References

You can also view file contents for protocols and for protection groups. In the protocol or protection group's page, click Show Files.

Protection Settings

In This Section

Protection Settings Overview page 79

Protection Modes page 81

Protection-Level Settings page 82

One-Click Configuration of All Protocols and Protections page 83

Protection Settings Overview

Each protocol, protection group, or protection has various settings associated with it. These settings are located on the protocol, protection group, or protection page. Some settings are the same throughout different protocols and protections. These are described in the following sections.

Other settings are unique to the specific protocol, protection group, or protection and appear only on its page. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.

Note that some protections' behavior is affected by general settings. These include local network addresses, defined in IPS-1 Sensor properties (in Policy Manager's Sensors and Concentrators tab), and various per-Profile settings found in Policy Manager's System Settings tab.

Protocol settings affect all protection groups and protections under that protocol. Protection group settings affect all protections under that group.

Settings are per protection profile. You can configure settings differently for different profiles.

Settings do not take effect until you Install Policy on the IPS-1 Sensors.

To display settings for a specific protocol, protection group, or protection, for a specific protection profile:

1. In Policy Manager's Protection tab, under Application Intelligence, Network Security, or Web Intelligence, select a protocol, protection group, or protection. The selected settings page appears in the upper-right pane:

2. In the Profile list, select a Profile. The settings for the selected Profile are now displayed.


Protection Modes

Protection Modes determine whether protections will be applied to the traffic which is seen by the IPS-1 Sensors. Protection Modes can be set for protocol, protection group, and protection for each protection profile. Protection Modes are most commonly changed on the protections.

Protection Modes include:

Active - the protection will be applied to traffic seen by the IPS-1 Sensor.

Active upon Confidence - the protection will be applied to traffic seen by the IPS-1 Sensor only if the traffic meets the Confidence Level set for the protection. This setting is not available on protocols or protection groups.

Inactive - the protection will not be applied to traffic seen by the IPS-1 Sensor.

Changing the Protection Mode of a protocol, protection group, or protection may force the Protection Mode of its associated parent or children to change in order to avoid conflicting settings. For example, setting a protection to Active or Active upon Confidence automatically forces its parent protocol and protection group to Active as well. Similarly, setting a protocol or protection group to Inactive automatically forces its children to Inactive as well.

When activating a protocol or protection group, the Protection Mode of its child protections will revert to the setting that each was given last. Therefore, when activating a protocol or protection group, the Protection Mode of the child protections must be verified individually to ensure that each protection has the desired Protection Mode.
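The propagation rules above are easy to lose track of in a large hierarchy. The following model is added here as an illustration and is not code from Check Point or from this guide. It encodes the three rules the text states (a protection set to Active or Active upon Confidence forces its ancestors to Active; a protocol or group set to Inactive forces its children to Inactive; re-activating a protocol or group reverts each child to the mode it was last given explicitly) and lists the protections that remain Inactive afterwards, which is exactly what must be verified individually. The Node class, the set_mode function and the choice to treat a forced Active on a parent as that parent's own setting are assumptions of the example; the protocol, group and protection names are those in the guide's figure.

```python
"""Model of IPS-1 Protection Mode propagation across the three-tier hierarchy.

Added illustration; not Check Point code. The rules come from the guide, the
data model and function names are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ACTIVE = "Active"
ACTIVE_UPON_CONFIDENCE = "Active upon Confidence"
INACTIVE = "Inactive"


@dataclass
class Node:
    """A protocol, protection group or protection in one protection profile."""
    name: str
    tier: str                           # "protocol", "group" or "protection"
    mode: str = INACTIVE                # mode currently in force
    last_set: str = INACTIVE            # mode the administrator last gave it
    confidence: int = 50                # threshold used by Active upon Confidence
    parent: Optional[Node] = None
    children: list[Node] = field(default_factory=list)

    def add(self, child: Node) -> Node:
        child.parent = self
        self.children.append(child)
        return child


def _force_inactive(node: Node) -> None:
    # Forced by a parent: the mode changes, but last_set is left alone so the
    # protection can revert to it when the parent is re-activated.
    node.mode = INACTIVE
    for child in node.children:
        _force_inactive(child)


def _revert(node: Node) -> None:
    # Parent re-activated: each child goes back to what it was last given.
    node.mode = node.last_set
    for child in node.children:
        if node.mode == INACTIVE:
            _force_inactive(child)
        else:
            _revert(child)


def set_mode(node: Node, mode: str, confidence: int | None = None) -> None:
    """Apply an administrator's Protection Mode change and its side effects."""
    if mode == ACTIVE_UPON_CONFIDENCE and node.tier != "protection":
        raise ValueError("Active upon Confidence is only available on protections")
    node.mode = node.last_set = mode
    if confidence is not None:
        node.confidence = confidence
    if mode == INACTIVE:
        for child in node.children:
            _force_inactive(child)
        return
    # Activating anything forces the whole ancestor chain to Active. The example
    # treats that forced Active as the ancestor's own setting (an assumption).
    ancestor = node.parent
    while ancestor is not None:
        ancestor.mode = ancestor.last_set = ACTIVE
        ancestor = ancestor.parent
    for child in node.children:
        _revert(child)


def effective_modes(root: Node) -> dict[str, str]:
    """Flatten the hierarchy into {name: mode in force}."""
    modes = {root.name: root.mode}
    for child in root.children:
        modes.update(effective_modes(child))
    return modes


def inactive_protections(root: Node) -> list[str]:
    """Protections under root that are not applied: the list to review after
    re-activating a protocol or group."""
    if root.tier == "protection":
        return [root.name] if root.mode == INACTIVE else []
    names: list[str] = []
    for child in root.children:
        names.extend(inactive_protections(child))
    return names


def build_example() -> Node:
    """Hierarchy from the guide's figure: protocol > group > two protections."""
    protocol = Node("Authentication", "protocol")
    group = protocol.add(Node("Authentication BE", "group"))
    group.add(Node("alphanumpasswd_alert", "protection"))
    group.add(Node("alphapasswd_alert", "protection"))
    return protocol


def demo() -> dict[str, str]:
    """Walk through the sequence the text warns about."""
    protocol = build_example()
    alphanum, alpha = protocol.children[0].children
    set_mode(alphanum, ACTIVE_UPON_CONFIDENCE, confidence=80)  # parents -> Active
    set_mode(alpha, INACTIVE)           # explicit choice, remembered
    set_mode(protocol, INACTIVE)        # everything below is forced Inactive
    set_mode(protocol, ACTIVE)          # children revert to last explicit mode
    return effective_modes(protocol)


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name:<24} {mode}")
```

Running demo() shows the trap: after the protocol is deactivated and reactivated, alphanumpasswd_alert comes back as Active upon Confidence while alphapasswd_alert stays Inactive, because Inactive was the last mode it was given explicitly. inactive_protections() is the check to run on a profile before Install Policy.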


In any protection page:

To activate a protection for the selected protection profile, select Active or right-click on the Protection Mode cell and select Activate.

To configure Confidence Indexing for a protection, select Active upon Confidence, or right-click on the Protection Mode cell and select Activate upon Confidence, and drag the slider to the desired confidence index. For details regarding Confidence Indexing, see Avoiding False Positives on page 73.

To disable a protection for the selected protection profile, select Inactive or right-click on the Protection Mode cell and select Deactivate.

    After configuring settings, make sure to Install Policy.

Protection-Level Settings

The following settings appear on all protection pages (not on protection group or protocol pages):

Monitor only - no protection: When selected, the protection generates alerts but does not prevent traffic.

Add attackers to blacklist: This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When enabled, source IP addresses of attacks are blacklisted, causing subsequent traffic from those addresses to be blocked.

The blacklisting lasts for the duration defined in Blacklist TCP (also Advanced-Settings only), found in the System Settings tab under Attack > Intrusion Prevention. The default duration is 0, and as long as the duration has not been configured to a non-zero value, the option here is disabled. You can click the link here to go directly to the Blacklist TCP setting.

Send TCP resets to attacker and victim (50%): This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When selected, upon attacks, IPS-1 sends protocol-appropriate reset signals to the attack source and destination IP addresses. For TCP, this is a TCP RST. For other IP protocols, this is an ICMP Administratively Prohibited message. 50% means the reset signal is sent only for attacks for which the confidence index is at least 50%.

Note - Blacklisting only takes effect for attacks over TCP (in other protocols, the attack could be spoofed), and only if the host is not explicitly Whitelisted (in Advanced Settings mode, in the Attack protocol).


Enable packet capture: When selected, attack packets are captured for viewing from the Alert Details. For details, see Packet Capture and Viewing on page 129.

There may be additional settings, unique to the specific protection. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.
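The false-positive controls described under Avoiding False Positives (Sensor Monitor-Only mode, Intrusion Prevention Notifications, the two whitelists, Monitor-Only protections and Confidence Indexing) and the protection-level settings above all feed one decision: what the Sensor does with a single detection. The model below is added here as an illustration and is not code from Check Point or from this guide; it combines those settings into one function so their interaction can be checked against constructed detections before a profile is installed. The class and field names, the detection format, the assumption that an applied protection always raises an alert, and the way the two whitelists are matched (Client Whitelist against the source, Servers Whitelist against the destination) are assumptions of the example. The 50% default drop confidence, the 50% reset threshold, TCP-only blacklisting with a zero duration meaning disabled, and the two reset types come from the text.

```python
"""What an IPS-1 Sensor does with one detection, as a function of the settings
this chapter describes. Added illustration; not Check Point code. The data
classes, field names and the constructed detections are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_DROP_CONFIDENCE = 50   # Active protections drop at >= 50% by default
RESET_CONFIDENCE = 50          # "Send TCP resets to attacker and victim (50%)"


@dataclass(frozen=True)
class Protection:
    name: str
    mode: str = "Active"                # "Active", "Active upon Confidence", "Inactive"
    confidence: int = 50                # threshold for Active upon Confidence
    monitor_only: bool = False          # "Monitor only - no protection"
    blacklist_attackers: bool = False   # "Add attackers to blacklist" (advanced)
    send_resets: bool = False           # "Send TCP resets ..." (advanced)


@dataclass(frozen=True)
class Sensor:
    inline_active: bool = True          # inline, non-passive, non-bridge mode
    monitor_only_mode: bool = False     # Sensor Monitor-Only mode
    prevention_notifications: bool = False  # "Intrusion Prevention Notifications"
    blacklist_tcp_seconds: int = 0      # Blacklist TCP; 0 disables blacklisting
    server_whitelist: frozenset[str] = frozenset()
    client_whitelist: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Detection:
    src: str            # attack source
    dst: str            # attack destination
    ip_proto: str       # "tcp", "udp", "icmp", ...
    confidence: int     # confidence index (0-100) the protection reported


@dataclass
class Verdict:
    alert: bool = False
    blocked: bool = False
    would_have_blocked: bool = False    # staging signal from the notifications setting
    reset: str | None = None            # "TCP RST" or "ICMP Administratively Prohibited"
    blacklist_seconds: int = 0
    notes: list[str] = field(default_factory=list)


def decide(det: Detection, prot: Protection, sensor: Sensor) -> Verdict:
    """Combine protection, profile and Sensor settings for one detection."""
    v = Verdict()
    if prot.mode == "Inactive":
        v.notes.append("protection inactive: not applied")
        return v
    if prot.mode == "Active upon Confidence":
        threshold = prot.confidence
        if det.confidence < threshold:
            v.notes.append(f"{det.confidence}% below {threshold}%: not applied")
            return v
    else:
        threshold = DEFAULT_DROP_CONFIDENCE
    v.alert = True  # an applied protection always alerts (assumption)

    # Whitelisted hosts are inspected but never blocked. The example matches the
    # Client Whitelist against the source and the Servers Whitelist against the
    # destination (an assumption about how the two lists are applied).
    exempt = det.src in sensor.client_whitelist or det.dst in sensor.server_whitelist
    if exempt:
        v.notes.append("host whitelisted: alert only")
    can_prevent = sensor.inline_active and not sensor.monitor_only_mode
    wants_prevent = not prot.monitor_only and not exempt and det.confidence >= threshold
    if wants_prevent and can_prevent:
        v.blocked = True
    elif wants_prevent and sensor.prevention_notifications:
        v.would_have_blocked = True  # what to watch before switching to prevention

    if v.blocked:
        if prot.send_resets and det.confidence >= RESET_CONFIDENCE:
            v.reset = "TCP RST" if det.ip_proto == "tcp" else "ICMP Administratively Prohibited"
        # Blacklisting: TCP only (other protocols can be spoofed), duration must
        # be non-zero, and the attacker must not be whitelisted.
        whitelisted_src = det.src in (sensor.client_whitelist | sensor.server_whitelist)
        if (prot.blacklist_attackers and det.ip_proto == "tcp"
                and sensor.blacklist_tcp_seconds > 0 and not whitelisted_src):
            v.blacklist_seconds = sensor.blacklist_tcp_seconds
    return v


def demo() -> dict[str, Verdict]:
    """Constructed scenarios; addresses are documentation ranges, not real hosts."""
    prot = Protection("alphanumpasswd_alert", blacklist_attackers=True, send_resets=True)
    inline = Sensor(blacklist_tcp_seconds=600, server_whitelist=frozenset({"192.0.2.10"}))
    staging = Sensor(monitor_only_mode=True, prevention_notifications=True)
    hit = Detection("198.51.100.7", "192.0.2.20", "tcp", 80)
    return {
        "inline_block": decide(hit, prot, inline),
        "whitelisted_server": decide(Detection("198.51.100.7", "192.0.2.10", "tcp", 80), prot, inline),
        "low_confidence": decide(Detection("198.51.100.7", "192.0.2.20", "tcp", 30), prot, inline),
        "udp_reset": decide(Detection("198.51.100.7", "192.0.2.20", "udp", 90), prot, inline),
        "staging": decide(hit, prot, staging),
        "active_upon_confidence": decide(
            Detection("198.51.100.7", "192.0.2.20", "tcp", 70),
            Protection("alphanumpasswd_alert", mode="Active upon Confidence", confidence=80),
            inline),
    }
```

The staging scenario is the one the text recommends for a new deployment: the Sensor in Monitor-Only mode with Intrusion Prevention Notifications enabled alerts and reports would_have_blocked without dropping anything, so the alerts can be reviewed for false positives before the Sensor is switched to a prevention mode.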


    After configurin