USER MANUAL. Version 2.2. SL-1000 Cyber Defense Platform. December


Table of Contents

1. Introduction
   1.1 Reputation Based Detection
   1.2 Intrusion Detection and Prevention
   1.3 Monitoring and Logging
2. Hardware Installation
   2.1 Physical Installation
   2.2 Port Location
   2.3 Management Port
   2.4 Required Open Network Ports
       Threat Intelligence Updates
       Threat Commander SIEM
       Solida Notify and Email Notifications
3. Accessing the Web Applications
   3.1 Login Screen
   3.2 Dashboard
   3.3 License Key
4. Configuring the Appliance
   4.1 Ethernet Port Configuration
   4.2 Appliance Name
   4.3 Changing the Default I.P. Address
   4.4 Managing Users
   4.5 Recovering Lost Passwords
   4.6 Deep Packet Inspection Configuration
   4.7 Email Notification
       Setting Up Email Notification
       Email Notification
       Instant Critical
       Current Addr
       New Addr
       Event Notification Emails
   4.8 Reputation Threat List Updates
       About Tor Exit Nodes
   4.9 Set Mobile Application Password
   4.10 Setting the Time Zone
5. Reputation Based Detection
   5.1 Overview
   5.2 DGA List
   5.3 List Updates
6. Intrusion Detection and Prevention Rules
   6.1 Rule Overview
   6.2 Rule List
   6.3 Export Rule File
   6.4 Import Rule File
   6.5 Rule Sets
   6.6 Activating a Rule Set
   6.7 Operating Mode
   6.8 Creating Custom Rules
   6.9 Rule Id
7. Events and Event Severity
   7.1 Event Overview
   Event Severity
       Low severity (colored green in the GUI)
       Medium severity (colored orange in the GUI)
       Critical severity (colored red in the GUI)
   Source and Destination IP Addresses
   Responding to Critical Events
System Software and License Key Updates
   Software Updates
   Support Bundle Generation
   Uploading a License File
   Configure SSL Certificate
Support Bundle Generation
   Generating a Support Bundle
   Downloading a Support Bundle
Data Logging
   Packet Logging
   Dropped Packet Logging
   Event Logging
   Flow Logging
   HTTP Logging
   Downloading Log Files
   Deleting Log Files
Remote Monitoring
   Threat Commander Remote Monitoring
       Introduction
       Setting Up Threat Commander Remote Monitoring
   Solida Notify Smartphone Remote Monitoring
       Introduction

1. Introduction

This manual contains instructions for how to configure and use the following Solida Systems Cyber Defense Platform:

    SL-1000    Dual Gigabit Ethernet ports

The SL-1000 cyber defense platform represents the latest in cyber defense technology. It combines functionality otherwise requiring several different devices. This platform offers reputation based detection, intrusion detection and prevention, network traffic monitoring and packet logging. The next sections describe what some of these features mean for your network.

1.1 Reputation Based Detection

Solida Systems provides reputation threat intelligence in the form of a data feed hosted in the cloud. This threat feed is updated hourly and includes malicious URLs, domain names and IP addresses, harvested from various international threat intelligence sources. The threat feed includes information about current threats such as ransomware, phishing sites, trojans and many other threat categories.

1.2 Intrusion Detection and Prevention

Intrusion detection and prevention is implemented through a rule engine and deep packet inspection (DPI). Solida Systems provides pre-defined rules and rule sets through the cloud based threat feed. A simple and intuitive configuration page is provided for users interested in writing custom rules.

1.3 Monitoring and Logging

Tools are available to facilitate monitoring and evidence collection. Logs and evidence files are written in PCAP format and are compatible with most industry standard analysis tools.

2. Hardware Installation

2.1 Physical Installation

For the appliance to work as designed it must be installed immediately after the Internet router and in front of any firewall. It is very important that the appliance is installed IN FRONT of any firewall. This way the appliance is able to see all incoming and outgoing packets on the Internet and gains full exposure to the threat environment.

Figure 2.1 Typical Installation (diagram: the Internet, external router, Solida device, firewall, servers, switches and workstations)

For larger networks it might be necessary to protect multiple sections of the network with dedicated security appliances. For those installations make sure that the WAN port is connected upwards (towards the Internet router side). Conversely, make sure the LAN side is connected to the sub-partitioned network.

In some rare cases the main switch in the network might use PPPoE for its communication with the Internet router. All Solida Systems appliances support this type of configuration.

2.2 Port Location

The appliances include a set of four Gigabit Ethernet ports. They are located at the back of the appliance.

Figure 2.1 SL-1000 backside view (Port0, Port1, Management Port).

The Ethernet ports on the right side of the back are the high-speed ports used for network traffic and for management. The connectors to the left (USB, VGA, COM) are not used and must be left unplugged. The appliance includes a 12 Volt power supply. Connect this power source to the small circular connector on the bottom left side.

The high-speed Ethernet ports are named Port 0 and Port 1 on the SL-1000. The management port is marked MGNT. The default factory configuration for the high-speed Ethernet ports is:

    Port 0 (WAN)     WAN side    Internet connected router
    Port 1 (LAN1)    LAN side    LAN side network switch
    Port 2 (LAN2)    MGNT        Configuration and monitoring
    Port 3 (LAN3)    Unused

2.3 Management Port

The management port is used for two purposes. Accessing the configuration utility and the monitoring utility is done through this port. The management port is also used for updating the threat list data and for communicating with other appliances in a high availability configuration.

It is very important that the management port always has Internet access. This is typically accomplished by connecting the management port to a switch on the LAN side of the network being protected. The default IP address for the management port is Please refer to the following chapter on how to change this IP address.

The management port IP settings configuration window includes a button labeled Test Connection. Pressing this button will generate a ping to an IP address on the Internet. If this ping receives a response it can be assumed the management port has proper access to the Internet. If no response to this ping is detected, the management port does not have the required access to the Internet. In this case it will be necessary to troubleshoot the installation and retry this test until a proper connection is made.

2.4 Required Open Network Ports

The appliance needs to be able to connect with the Solida Systems cloud server to retrieve threat intelligence updates and occasional software updates. It is very important that this connection is working correctly. Without a proper connection the appliance will still function, but the threat intelligence will not be updated and the remote monitoring tools will not be functional.

The domain name for this cloud server is cloudhost.solidasystems.com. The server is set up with a fixed IP address. This IP address can be obtained using nslookup (Windows) or the dig tool (Linux) if it needs to be provided to a firewall.

In case a firewall is deployed in the network, it is not required to open any ports for incoming traffic from the Internet. All communication is initiated from within the appliance. The only exception would be if the user elects to access the GUI applications from outside the network over the Internet without the use of a VPN connection. This is possible but not recommended: opening several ports in the firewall might result in a security weakness.

The reputation threat list updates configuration window includes a button labeled Test Connection. When pressing this button, the appliance will try to connect with Solida's cloud server exactly the same way it would for an update of the threat intelligence. If this test fails, the installation must be checked to identify the cause of the failure. This test must complete successfully for the appliance to be able to download the threat intelligence data and function as designed.

Threat Intelligence Updates

The threat intelligence updates are performed as follows: if port 22 (the SSH port) is open in the network for outgoing traffic towards the Internet, all threat intelligence data will be downloaded over this port. If outgoing traffic over port 22 is blocked by a firewall, the appliance will default to using port 443 (HTTPS) for its threat intelligence download. It is VERY IMPORTANT that one of these two paths is open. Otherwise the appliance will not be able to perform its hourly threat feed updates.

Threat Commander SIEM

The Threat Commander SIEM and remote monitoring tool require either port 22 or port 443 to be open for outgoing communication towards the Internet. The appliance will also use one of these ports when it pushes event data and log files to the server that is hosting Threat Commander.

Solida Notify and Email Notifications

The mobile phone application, Solida Notify, uses either outgoing port 22 or port 443 for its event data push needs. If email notification is enabled, this communication also takes place on either outgoing port 22 or port 443 towards the Internet.

3. Accessing the Web Applications

The appliances contain two different software applications. One application is used for system configuration and another for monitoring. These applications are both accessed through the appliance management port, over HTTPS. This keeps the connection secure in case a user wants to monitor an appliance from outside the LAN or over the Internet.

3.1 Login Screen

To access the configuration and monitoring applications, connect the management port to a switch on the LAN side of the network. Open a browser on a computer connected to the same network. Enter the MGNT port IP address in the browser as follows: If everything is configured correctly, a login page will appear in the browser window.

Figure 3.1 Login screen

Enter the supplied user name and password to log in. Some networks might use an IP address range other than x.x, for example x.x. If this is the case it will be required to change the management port's IP address before the appliance is connected to the LAN side switch.

3.2 Dashboard

After a successful login the dashboard will be displayed. The screenshot below shows an example of what the dashboard will look like:

Figure 3.2 Dashboard example

The dashboard displays useful information about the device.

System Status
This window contains information regarding the identification of the sensor, license status, general status and current port configuration.
    Sensor - A factory set identification string of the platform.
    Name - A user settable platform name.
    Licensed Until - Expiration date for the license key.
    Status - Device status, OK or Bypass Mode.
    Port x - Configured mode and link status for each port.

Event Graphs
Three graphs that show the number of events for the current day's 24 hour period.

Packet Events
Displays all events registered by the platform. The different tabs allow for filtering the events into different categories for a more detailed overview. The drop down menu in the table header allows for selecting events that were logged on a previous date. Events are written to files that are date and time stamped for easy identification. Clicking on an event in the event list causes a pop-up window to appear. This window contains additional information relating to the event.

3.3 License Key

All Solida security platforms require a license key to be able to access various features in the device.

Cyber Threat Intelligence
The Cyber Threat Intelligence (CTI) is license controlled. The platforms access this intelligence from a CTI cloud server controlled by Solida. All new platforms come with a factory installed 12-month license key for the CTI. Before the initial 12-month period runs out it is required to purchase a new license key for an additional 12-month period. Please contact your sales representative regarding the purchase of a new license key.

Threat Commander SIEM
Threat Commander is a cloud based SIEM tool that makes it possible to remotely monitor and manage multiple Solida cyber defense platforms. Support for Threat Commander in the platforms is enabled with a license key. Each license key is valid for 12 months. Please refer to the section named System Software and License Key Updates later in this manual for how to update a license key. To purchase license keys please contact your local sales representative.

4. Configuring The Appliance

The configuration page contains several different user configurable areas. Each configuration window includes a help button that provides detailed help for the option.

4.1 Ethernet Port Configuration

The two network packet transferring ports, port 0 and port 1, can be configured to either face the Internet side or the LAN side. It makes no technical difference how these ports are configured. It is recommended to keep the factory default setting.

Figure 4.1 Ethernet Port Configuration

    Operating Mode - The only supported operating mode is Single LAN/WAN ports.
    Port 0 usage - Selects if port 0 should be facing the Internet side or the LAN side.
    Port 1 usage - Selects if port 1 should be facing the Internet side or the LAN side.

4.2 Appliance Name

An appliance should be given a name. The name can be used as an identifier if more than one appliance is installed in a network or if Threat Commander will be used for multi appliance monitoring. The name can refer to the appliance's geographical location or be a simple name such as solida_1. The figure below shows how to set the appliance name:

Figure 4.2 Setting the appliance name.

Enter the desired name and press the Activate button.

4.3 Changing the Default I.P. Address

To change the default IP address for the management port, directly connect a computer to the appliance through an Ethernet cable. Make sure the computer's IP address is set manually, since a direct connection bypasses any DHCP server. Start the configuration utility by entering the default IP address into the browser. Select Configuration from the Application drop-down box. Then press the Login button.

Log into the application and then navigate to the page named Configuration. Locate the box labeled Change Management Port IP Settings. Change the IP address, netmask and gateway fields to match the ones used in the network. In some networks it might be required to use a local corporate DNS server rather than a public one. In these cases, enter the IP address of the local DNS server in the DNS server field. The appliance will use this DNS server for resolving the domain of the cloud based threat intelligence data feed.

Once the Activate button is pressed, the appliance will be reconfigured with the new address information. Note that it will take up to a minute for this reconfiguration to complete. A countdown timer pop-up window will appear and show a 30 second countdown after a change is activated. An example is shown below:

Figure 4.3 Change management port IP settings box.

Once the configuration of the new IP addresses is complete, remove the directly connected computer and connect the appliance to the LAN side switch.

The configuration window includes a button labeled Test Connection. Pressing this button will generate a ping to an IP address on the Internet. If this ping receives a response it can be assumed the management port has proper access to the Internet. If no response to this ping is detected, the management port does not have the required access to the Internet. In this case it will be necessary to troubleshoot the installation and retry this test until a proper connection is made.

4.4 Managing Users

The first time the user logs into either Web application, a default factory administrator username and password will be used. After the first login it is recommended to create new users that will be allowed to log in to the applications. It is also strongly recommended to change the default administrator login password to something other than the default serial number.

Creating and managing the user credentials is done through the configuration application. First navigate to the Configuration page and then locate the box named Manage Users.

Figure 4.4 Manage users window.

To create a new user, press the button labeled Add User and enter the new credentials in the indicated fields.

Figure 4.5 Adding a new user

The drop down menu at the bottom of the Add New User window contains two options: Monitoring Only and Configuration & Monitoring. Select Monitoring Only for users that are only allowed to log into the monitoring application. The monitoring application does not allow for changing any configuration parameters or modifying the detection rules.

Enter a password recovery email address in the field. This is very important because without a valid email address in this field it will not be possible to recover a forgotten password.

4.5 Recovering Lost Passwords

To recover a forgotten password it is VERY important to set up a working email address in the Add New User window when setting up new administrator users. This is described in the previous section. Note that it is only possible to recover passwords for users with administrator privileges. To recover a monitor only user, an administrator must first log in and manually reset the password for the monitor only user.

To recover and reset a password, click on the link Forgot password? in the login window. The following pop-up window will be displayed:

Figure 4.6 Recovery when an administrator password is forgotten.

Enter the user name for which the administrator account password should be recovered. Then enter the previously configured recovery email address. This address MUST exactly match the address entered when creating the administrator user. If a different address is entered, no password recovery will take place. Allow up to 10 minutes for the auto-generated password recovery email to be delivered.

4.6 Deep Packet Inspection Configuration

Deep packet inspection (DPI) refers to the process that inspects all incoming and outgoing network packets. The factory default setting applies DPI to all packets, both incoming and outgoing. Only under very special circumstances should the factory default be changed. Changing the factory default will prevent the appliance from detecting all possible malware and other threats.

To change the factory default setting, start the configuration utility and navigate to Configuration. Locate the block titled Deep Packet Inspection Configuration. It will look as shown in the picture below.

Figure 4.7 Deep packet inspection configuration window.

The following settings are available:

    Packets from the Internet
        - Inspect all packets (Factory default)
        - Disable Inspection
    Packets from the LAN
        - Inspect all packets (Factory default)
        - Disable Inspection
    Malformed Packets
        - Drop all malformed packets (Factory default)
        - Do not drop malformed packets

Hackers sometimes intentionally generate network packets that are malformed. The reason might be to try to confuse, or even crash, the protocol stacks in the computers connected to the network. Letting the appliance drop these packets guarantees that they will not cause any damage in the protected LAN.

4.7 Email Notification

The appliances have support for sending regular emails containing information about the number of events in the system and their severity. This is a useful feature since it will not be required to constantly monitor the appliance through the monitoring application.

Setting Up Email Notification

To set up email notification, log in to the configuration application and navigate to Admin Configuration. Locate the box called Email Notifications. The box will look as follows:

Figure 4.8 Email notification setup box

Email Notification
This dropdown box contains four options:
    Disabled - Email notification disabled.
    Enabled, once per day - Generates one email per day with event information.
    Enabled, once per 6 hours - Generates four emails per day with event information.
    Enabled, once per hour - Generates one email per hour with event information.

Instant Critical
This option, if enabled, will send out one email each time a critical event is generated. Critical events require user intervention. Therefore it is important that such events are forwarded to the user with minimum delay.

Current Addr
This text box shows the current email address, or addresses, in use, assuming this feature is enabled. This address will be the recipient of the event status emails.

New Addr
Enter a valid email address into this box. This is the new address that will be used to receive these emails. Note that it is possible to enter two addresses. Make sure they are separated by a comma character.

Once the above fields have been filled in, press the Activate button. This will activate the new configuration.

Event Notification Emails
The event notification emails are short but contain the vital information a user will need.

Figure 4.9 Example of an event notification email.

The most recent events for the past hour and the past 6 hours are shown separately to give a clearer overview of the current status. Critical events require immediate user intervention and are therefore clearly marked as critical for easy identification.

4.8 Reputation Threat List Updates

The Solida appliances obtain their threat information by downloading proprietary threat lists from a cloud-based server. There are three categories of lists: domain reputation blacklist, IP reputation blacklist and Tor exit node list. The factory default is to include all these lists in the cloud updates. Changing this factory default should only be done in very special cases. Disabling a list makes it possible for malicious packets to penetrate the network and cause escalating damage.

The default update frequency for the threat intelligence is once per hour. The update frequency can also be set to once per 24 hours. Changing the update frequency to 24 hours should only be done in very special cases. One such case is when the Internet connection is provided through a satellite link. Downloading data over a satellite link is expensive, so using the 24-hour download frequency might be a more affordable choice.

To change the factory default setting, start the configuration utility and navigate to Configuration. Locate the block titled Reputation Threat List Updates. It will look as shown in the picture below.

Figure 4.10 Reputation threat list updates window

The following settings are available:

    Domain Reputation Blacklist
        - Enabled, update once per hour (default)
        - Enabled, update once per 24 hours
        - Disabled
    IP Reputation Blacklist
        - Enabled, update once per hour (default)
        - Enabled, update once per 24 hours
        - Disabled
    Tor Exit Nodes
        - Enabled, update once per hour (default)
        - Enabled, update once per 24 hours
        - Disabled

The reputation threat list updates configuration window includes a button labeled Test Connection. When pressing this button, the appliance will try to connect with Solida's cloud server exactly the same way it would for an update of the threat intelligence. If this test fails, the installation must be checked to identify the cause of the failure. This test must complete successfully for the appliance to be able to download the threat intelligence data and function as designed.

About Tor Exit Nodes

The Tor exit nodes list contains the IP addresses of known Tor network exit points. Attackers commonly route their attack traffic through Tor exit nodes to mask its origin. In some rare cases the use of the Tor network is legitimate, for example in countries that censor their citizens' Internet traffic, where the Tor network can be used to circumvent such censorship. In those circumstances it is recommended to disable the inclusion of Tor exit nodes in the IP blacklist.

4.9 Set Mobile Application Password

The appliance can be monitored with a mobile phone application called Solida Notify. This application requires a password to log into the cloud server that provides the events and notifications to the application.

Figure 4.11 Setting the mobile application password

4.10 Setting The Time Zone

The appliance uses time stamps for various events. Therefore it is required to set the time zone in which the appliance is operating.

Figure 4.12 Setting the time zone

Select the desired time zone and press the Activate button.

5. Reputation Based Detection

5.1 Overview

The most basic form of intrusion and malware detection goes under the category of reputation based detection. This type of detection is performed by attempting to identify communication with unfriendly hosts on the Internet. These are hosts believed to be malicious, based upon a reputation for previous or ongoing malicious activities.

Reputation based detection is performed by comparing requested IP addresses or domain names against a reputation list of hosts with negative reputations. Solida appliances allow for downloading lists based on domain names and IP addresses. The data in these lists are processed and stored in hash tables, so that fast lookups can be performed against them in real time. These lists are automatically downloaded from a cloud-based service provided by Solida Systems. Both DNS queries and HTTP requests are monitored and compared against the reputation list. If a hit is detected the request can be either flagged as suspicious or completely dropped.

It is important to recognize that a hit in a reputation blacklist doesn't always mean a host is malicious. Hosts that were previously infected might have been cleaned up, and the maintainers of the reputation lists might not yet have registered this.

5.2 DGA List

The most important data in the threat feed is the list of Domain Generation Algorithm (DGA) generated domain names. Many ransomware families and other serious malware use DGAs to generate a large number of domain names. These domain names are used to try to connect with their command and control (C2) servers. The large number of auto generated domain names makes it difficult to track and shut down these C2 servers.

Most DGA engines use time as the deciding factor for which domain name to generate. Using this method, a hacker is able to predict which domain names their malware will generate, so they can be ready when the malware attempts to connect at any given time. When the hacker decides it is time to provide C2 access to the malware, the hacker simply registers a domain name with a commercial DNS service, for a domain that the malware's DGA will generate in the near future. When the malware tries this specific DGA generated domain, a connection will suddenly be made. At that point the malware knows it has found its C2 server.

The Solida threat list contains a very large number of DGA domain names. These domain names are generated from actual DGA engines, harvested from malware collected from the Internet. These DGA engines run on a server, generating their time based domain names. This way it is possible to know in advance which domain names similar malware will generate in the wild at any given point in time. The threat feed contains on average 750,000 domain names, covering a time window of UTC - 48 hours to UTC + 24 hours. This gives a 72-hour sliding window that covers all time zones worldwide. These domain names are written to a blacklist in the security appliances. All outgoing DNS queries and URLs are verified against this list and dropped if a match is found.

5.3 List Updates

The reputation lists are constantly being updated through a cloud based threat feed offered by Solida. The appliance automatically connects with this cloud service once every hour to download new updated versions of the lists. This guarantees that the appliance always contains information about the latest threats seen in the wild.

To monitor the list update process and the list sizes, start the configuration application and navigate to Threat Intelligence > Threat Lists. A similar page is available at the same location in the monitoring application. The page will look as follows:

Figure 5.1 Threat lists overview

In the box named Reputation List Control Center the following information is provided:
    Next cloud update - Shows the time at which the next list update will be performed.
    DGA Ransomware Entries - The number of DGA generated domain names in this list.

    Domain Reputation Entries - The number of domain names in this list.
    IP Reputation Entries - The number of IP addresses (both IPv4 and IPv6) in this list.
    TOR endpoints - The number of Tor endpoints, provided this list is included.

The above threat lists are not user modifiable.
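A model of the DGA list mechanics from section 5.2, added here as an example and not the appliance's own code or feed format: it computes the 72-hour window (UTC - 48 h to UTC + 24 h) the feed covers, loads only the feed entries that fall inside it into a hash set, and checks normalised DNS query names and URL hosts against that set. The feed entries are constructed, their layout (domain plus seed date) is an assumption, and the parent-domain matching goes slightly beyond the manual's "compared against the list".

```python
"""Model of the DGA threat-list time window and the hash-table lookup that the
manual describes (section 5.2): the feed covers UTC-48h to UTC+24h, a 72-hour
sliding window, and every outgoing DNS query / URL host is checked against it.

Added example, not the appliance's code or feed format. The feed entries
below are constructed; a real feed holds ~750,000 names. The entry layout
(domain + the UTC date the DGA was seeded with) is an assumption.
"""
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlsplit

WINDOW_BACK = timedelta(hours=48)     # from the manual: UTC - 48 hours
WINDOW_FORWARD = timedelta(hours=24)  # from the manual: UTC + 24 hours


def window_bounds(now: datetime) -> Tuple[datetime, datetime]:
    """Return (start, end) of the 72-hour window around `now` (aware UTC)."""
    now = now.astimezone(timezone.utc)
    return now - WINDOW_BACK, now + WINDOW_FORWARD


def seed_dates_in_window(now: datetime) -> Set[date]:
    """UTC calendar dates touched by the window: every date a date-seeded DGA
    can be running on anywhere in the world, whatever the local time zone."""
    start, end = window_bounds(now)
    days: Set[date] = set()
    d = start.date()
    while d <= end.date():
        days.add(d)
        d += timedelta(days=1)
    return days


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so lookups hit regardless of form."""
    return name.strip().rstrip(".").lower()


def build_blacklist(feed: Iterable[Dict[str, str]], now: datetime) -> Set[str]:
    """Load feed entries whose seed date falls inside the window into a set,
    the hash table the manual mentions. Stale entries are left out."""
    keep = seed_dates_in_window(now)
    return {normalize(e["domain"]) for e in feed
            if date.fromisoformat(e["seed_date"]) in keep}


def is_blacklisted(name: str, blacklist: Set[str]) -> bool:
    """True if the queried name, or any parent domain of it, is listed.
    Parent-domain matching is an assumption (the manual only says the name is
    compared against the list); it catches 'www.<dga-domain>' style lookups.
    The bare top-level label is never tested on its own."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels) - 1))


def url_blacklisted(url: str, blacklist: Set[str]) -> bool:
    """HTTP requests are checked by the host part of the URL."""
    return is_blacklisted(urlsplit(url).hostname or "", blacklist)


# Constructed sample feed: DGA-style names with the UTC date they belong to.
SAMPLE_FEED = [
    {"domain": "qzkdplwrtg.example", "seed_date": "2024-05-09"},
    {"domain": "hvbxnmcoaq.example", "seed_date": "2024-05-10"},
    {"domain": "tgrpwqlzdk.example", "seed_date": "2024-05-11"},
    {"domain": "oldstalename.example", "seed_date": "2024-05-01"},  # outside window
]
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current" time


def demo() -> Dict[str, bool]:
    """Run the constructed feed through the lookup at NOW."""
    bl = build_blacklist(SAMPLE_FEED, NOW)
    return {
        "dns_hit": is_blacklisted("HVBXNMCOAQ.example.", bl),
        "dns_subdomain_hit": is_blacklisted("cdn.tgrpwqlzdk.example", bl),
        "dns_clean": is_blacklisted("www.solidasystems.com", bl),
        "stale_not_loaded": is_blacklisted("oldstalename.example", bl),
        "url_hit": url_blacklisted("http://qzkdplwrtg.example/gate.php", bl),
    }


if __name__ == "__main__":
    print(sorted(d.isoformat() for d in seed_dates_in_window(NOW)))
    print(demo())
```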

6. Intrusion Detection and Prevention Rules

6.1 Rule Overview

To protect against intrusion attacks, Solida appliances rely on a rule engine that can perform deep packet inspection (DPI) of the Ethernet packets flowing through the appliance. The DPI engine can inspect all packets and look for signatures and any combination of data patterns, such as port scans, OS fingerprinting and vulnerability scans.

The DPI engine is controlled by detection rules. These rules instruct the DPI engine what to look for in the packets and what action to take if a pattern match is detected. Solida provides a set of system rules that includes protection from many types of penetration attempts. An expert user can also create custom rules. Writing custom rules requires detailed knowledge of rule writing and of the different types of packets flowing over a network. Such custom rules can be created using the rule editor in the Solida configuration application. In most cases it is recommended to use the system rules provided by Solida through the threat feed.

6.2 Rule List

Detection rules can be created and edited through the configuration application. Start the application and navigate to Rule List. This will show a list of all available rules in the appliance.

Figure 6.1 Rule list in the configuration utility.

The column named Category shows which rules are Solida system rules and which rules have been created by the user.

6.3 Export Rule File

(This feature is for advanced users only)

The button labeled Export rule file allows for exporting a text file containing all the rules in the appliance. This text file is written in JSON format and can be opened and reviewed in a text editor.

6.4 Import Rule File

(This feature is for advanced users only)

The button labeled Import rule file allows for importing a JSON formatted text file containing one or more rules. Note that it is not possible to import system rules. System rules are those rules with the category field showing system and the rule id in the 1xxyyyzzz range. If system rules are part of the imported rules they will be overwritten by the current system rules received through the regular threat intelligence downloads from the cloud host.

6.5 Rule Sets

A rule set is a collection of rules. Multiple rule sets can be created, each containing a different set of rules. The appliance can be activated with one single rule set. Once a rule set has been activated, the appliance will start its packet scanning using all the rules included in the rule set.

To display and create rule sets, start the configuration utility and navigate to Rule Sets. This will show a list of all available rule sets.

27 Figure 6.2 Rule set list in the GUI configuration utility. 6.6 Activating a Rule Set To activate a rule set, select the rule set by clicking on its row in the GUI. Then click the Activate Ruleset button. This will perform an implicit sanity check of all the included rules, and then upload these rules to the appliance. Once this activation completes, the appliance will start using the new rules immediately. 6.7 Operating Mode When trialing a new rule set, it is possible to set the appliance to monitor mode. The rule set page contains a drop down menu where the desired operating mode can be selected. In monitor mode all network packets are scanned using the rules as well as the reputation detection lists, but no packets will be dropped. Alerts will still be generated the same way as in normal operation mode. This allows the user to check a new rule set to make sure it behaves as expected. Once the user is satisfied with the new rule set, set the operating mode back to Normal Mode 6.8 Creating Custom Rules It is beyond this manual to explain in detail how to write custom rules. Please refer to the many tutorials and documentation available on the Internet on how to write detection rules. A rule is created using the configuration application. Start the application and navigate to the 27

Rule List page. This page displays a list of all rules currently available in the appliance. At the top left of this page is a blue button labeled + Add rule. To create a new custom rule, click this button. A new window called Create Custom Rule pops up.

Figure 6.3 Create a custom rule pop-up window.

This window contains five tabs, each holding different optional rule parameters that can be filled in to define the new rule's behavior. For a detailed description of each rule option, press the help button located in the lower left corner of the pop-up window.

6.9 Rule Id

The most important parameter of each rule is the Rule Id. Each rule must have a unique rule id that identifies the rule. The rule id consists of nine digits. It is common practice to group rules into categories. As an example, the first three digits identify the general type of rule (for example UDP rules, TCP rules, or ICMP rules), the next three digits identify the type of threat the rule concerns, and the last three digits form a general identifier that is incremented by one for each rule in the category. A rule id starting with a 1 (the 1xxyyyzzz range described in section 6.4) is reserved for system rules; all system rules have a rule id starting with a 1. System rules cannot be modified, but they can be copied and turned into a new custom rule.
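The checks that sections 6.4 and 6.9 describe in words (nine-digit ids, the reserved 1xxyyyzzz system range, uniqueness, and the incrementing last three digits) can be run over an export file before it is handed to Import rule file. The script below is an added example written for this manual and is not Solida code; the appliance's JSON layout is not documented here, so it assumes a JSON array of objects carrying at least a "rule_id" and a "category" field, and the sample export is constructed for the demonstration.

```python
import json
from dataclasses import dataclass

RULE_ID_LEN = 9
SYSTEM_RANGE_PREFIX = "1"   # 1xxyyyzzz is reserved for Solida system rules


@dataclass(frozen=True)
class RuleIdParts:
    rule_type: str   # digits 1-3: general type of rule (UDP, TCP, ICMP, ...)
    threat: str      # digits 4-6: type of threat the rule concerns
    sequence: str    # digits 7-9: counter incremented per rule in the category


def parse_rule_id(rule_id):
    """Split a nine-digit rule id into its three conventional groups.
    Raises ValueError for anything that is not exactly nine ASCII digits."""
    text = str(rule_id)
    if len(text) != RULE_ID_LEN or not text.isdigit():
        raise ValueError(f"rule id {rule_id!r} is not {RULE_ID_LEN} digits")
    return RuleIdParts(text[0:3], text[3:6], text[6:9])


def is_system_rule(rule):
    """A rule is a system rule if its category says so or its id is in the reserved range."""
    category = str(rule.get("category") or "").lower()
    return category == "system" or str(rule.get("rule_id", "")).startswith(SYSTEM_RANGE_PREFIX)


def validate_import(json_text, existing_ids=frozenset()):
    """Check a rule file before importing it.

    Returns (accepted, rejected): accepted holds the rule objects that may be imported,
    rejected holds (rule_id, reason) pairs. Field names are an assumption (see lead-in)."""
    rules = json.loads(json_text)
    if not isinstance(rules, list):
        raise ValueError("expected a JSON array of rule objects")
    accepted, rejected, seen = [], [], set()
    for rule in rules:
        rid = str(rule.get("rule_id", ""))
        try:
            parse_rule_id(rid)
        except ValueError as exc:
            rejected.append((rid, str(exc)))
            continue
        if is_system_rule(rule):
            rejected.append((rid, "system rule: not importable, overwritten by threat intelligence download"))
            continue
        if rid in seen:
            rejected.append((rid, "duplicate rule id inside the import file"))
            continue
        if rid in existing_ids:
            rejected.append((rid, "rule id already in use on the appliance"))
            continue
        seen.add(rid)
        accepted.append(rule)
    return accepted, rejected


def next_custom_id(rule_type, threat, existing_ids):
    """Allocate the next free id in a category: first six digits fixed, last three incremented."""
    if not (0 <= rule_type <= 999 and 0 <= threat <= 999):
        raise ValueError("rule type and threat must each fit in three digits")
    prefix = f"{rule_type:03d}{threat:03d}"
    if prefix.startswith(SYSTEM_RANGE_PREFIX):
        raise ValueError("rule type values starting with 1 are reserved for system rules")
    used = {int(rid[6:]) for rid in existing_ids
            if len(rid) == RULE_ID_LEN and rid.isdigit() and rid.startswith(prefix)}
    sequence = max(used, default=0) + 1
    if sequence > 999:
        raise ValueError(f"category {prefix} has no free rule id left")
    return f"{prefix}{sequence:03d}"


# Constructed sample export (not a real Solida file); field names are assumptions.
SAMPLE_EXPORT = json.dumps([
    {"rule_id": "200001001", "category": "custom", "msg": "custom UDP rule"},
    {"rule_id": "100003001", "category": "system", "msg": "system rule, not importable"},
    {"rule_id": "200001001", "category": "custom", "msg": "duplicate of the first rule"},
    {"rule_id": "20001", "category": "custom", "msg": "malformed id"},
    {"rule_id": "300002005", "category": "custom", "msg": "already present on the appliance"},
])

if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_EXPORT, existing_ids={"300002005"})
    print("accepted:", [r["rule_id"] for r in ok])
    for rid, reason in bad:
        print("rejected:", rid, "-", reason)
    print("next id in category 200/001:", next_custom_id(200, 1, {"200001001"}))
```

Run it against the real export from section 6.3 by passing the file contents to validate_import and the set of ids already on the appliance as existing_ids; anything in the rejected list would either be refused by the appliance or silently overwritten on the next threat intelligence download.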

7. Events and Event Severity

7.1 Event Overview

Each time a network packet registers a hit against a blacklist entry or a detection rule, an event is generated. An event contains information describing what caused it: the IP address of the offending packet, a short description of the meaning of the event, and a timestamp. Events are stored in a database in the appliance to allow for tracking and statistics gathering. Events are also written to log files that can easily be downloaded from the appliance through the GUI. These event files can then be correlated with the downloadable packet log files, so that a security analyst can investigate the root cause of the event. Events can be monitored using the built-in monitoring application.

Figure 7.1 Event summary view in the GUI monitoring application.

On the right side of the Packet Events bar is a drop-down list showing the event files available in the appliance. Events are written into files that are rotated to avoid them growing too large: an event file is rotated daily (at midnight) or as soon as it reaches 10 Mbytes in size, whichever comes first. A rotated event file has a timestamp appended to its file name.

7.2 Event Severity

Events are grouped into three categories depending on their severity: low, medium, and critical. Clicking on an event in the table pops up a new window containing a further explanation of the cause of the event.

Low severity (colored green in the GUI)

These events are typically generated by attempts to visit known phishing sites or sites containing various types of malware. The appliance automatically drops these network packets, which prevents the malware from reaching the protected network. These events require no further action from the user.

Medium severity (colored orange in the GUI)

Events with a medium severity rating include known C2 domains, domains serving severe drive-by malware, Trojans, and more. Network packets destined to these domains are automatically dropped to maintain network integrity. These events require no further action from the user.

Critical severity (colored red in the GUI)

Critical events are generated when the appliance detects malicious activity originating inside the network. This indicates that the network has been compromised and that malware is already present on a host; removing it requires user intervention. Examples of such events are DNS queries generated by a ransomware DGA engine, or malware trying to connect to a C2 server. All network packets resulting in critical events are automatically dropped to mitigate further infection of the network, but dropping the packets does not remove the malware. The event includes the source and destination IP addresses of the offending packets, which allows prompt identification of the infected computer on the network. The user must remove the malware from the infected computer using a suitable removal tool. All events can be viewed using the monitor application included with the appliances. Optionally, emails containing the event count and severity can be generated and sent out automatically. A mobile phone application is also available that allows the user to monitor events in real time.

7.3 Source and Destination IP Addresses

Each rule event includes the source and destination IP addresses of the packet that generated the rule hit. Logging these IP addresses allows a more detailed examination of the source of the threat. The Internet offers many whois services where an IP address can be entered for analysis; this information also includes geographical information about the IP address. Note that only the public address in an event is useful for a whois lookup: the address that belongs to the protected LAN (for example one from a private 192.168.x.x or 10.x.x.x range) identifies the local host involved and will not resolve to anything meaningful in a public registry.

8. Responding To Critical Events

(Please contact Solida for a separate document on event analytics.)

The majority of events require no further action by the user; these are marked with low or medium severity. Critical events require immediate user intervention. Examples of such events are the DGA events, which are generated if ransomware infects a computer in the network. In this case it is extremely important to remove the infected computer from the rest of the network, because some advanced ransomware is capable of propagating through the network and infecting additional computers. Critical events are listed with the source and destination IP addresses visible. Of the two addresses, identify the one that belongs to the LAN (depending on whether the detection fired on an outgoing query or on the reply, it may appear as the destination or as the source) and match it with the computer in the LAN that uses this IP address. This is the computer that has become infected. Disconnect it from the rest of the network. Once the infected computer has been removed from the network, search for an available removal tool for the malware family involved.
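The triage rule that sections 7.3 and 8 describe, as an added example that is not part of the manual or the appliance software: given one event and the protected LAN ranges, decide which address identifies the host to disconnect and which one is worth a whois or geolocation lookup. The event field names (severity, src_ip, dst_ip), the LAN ranges, and the sample events are all constructed for the demonstration; 203.0.113.7 is a documentation address standing in for a real external host.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed LAN ranges for the example; replace with the real protected networks.
LAN_NETWORKS = ["192.168.10.0/24", "10.0.0.0/8"]


@dataclass
class Triage:
    isolate: list = field(default_factory=list)   # LAN hosts to disconnect, source first
    lookup: list = field(default_factory=list)    # addresses worth a whois / geo lookup
    note: str = ""


def _is_lan(ip, networks):
    return any(ip in net for net in networks)


def _is_lookup_candidate(ip, networks):
    """Only addresses outside the LAN that can exist on the public Internet are worth a
    whois query; loopback, link-local, multicast and unspecified addresses have no owner."""
    return not _is_lan(ip, networks) and not (
        ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def triage_event(event, lan_networks=LAN_NETWORKS):
    """Turn one appliance event into an action list following chapter 8: low and medium
    events were already dropped and need no action; for a critical event the LAN-side
    address is the infected host and the other side is the indicator to look up."""
    networks = [ipaddress.ip_network(n, strict=False) for n in lan_networks]
    if str(event.get("severity", "")).lower() != "critical":
        return Triage(note="low/medium severity: packets were dropped by the appliance, no action required")
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dst_ip"])
    lan_side = [ip for ip in (src, dst) if _is_lan(ip, networks)]
    external = [ip for ip in (src, dst) if _is_lookup_candidate(ip, networks)]
    if len(lan_side) == 2:
        note = ("both addresses are inside the LAN (internal DNS resolver, or lateral movement): "
                "isolate the source host first, then check the destination host")
    elif len(lan_side) == 1:
        note = "disconnect the LAN host, then run whois/geolocation on the external address"
    else:
        note = "neither address is in the configured LAN ranges: check the LAN range configuration"
    return Triage([str(ip) for ip in lan_side], [str(ip) for ip in external], note)


# Constructed sample events; not output of a real appliance.
SAMPLE_EVENTS = [
    {"severity": "critical", "src_ip": "192.168.10.23", "dst_ip": "203.0.113.7",
     "description": "malware attempting C2 connection"},
    {"severity": "critical", "src_ip": "192.168.10.23", "dst_ip": "192.168.10.1",
     "description": "DNS query matching ransomware DGA pattern"},
    {"severity": "low", "src_ip": "192.168.10.41", "dst_ip": "203.0.113.99",
     "description": "access to known phishing site"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        t = triage_event(ev)
        print(f"{ev['severity']:8} isolate={t.isolate} lookup={t.lookup}: {t.note}")
```

The second sample shows the case the chapter's wording glosses over: a DGA query to an internal resolver yields two LAN addresses, and the resolver must not be mistaken for the infected machine, which is why the source host is listed first.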

9. System Software and License Key Updates

Solida Systems occasionally releases updated system software for the appliances. These releases may contain bug fixes as well as new features. New releases are published to the cloud for distribution, and the appliances automatically check with the cloud server to see whether any new updates are available. The user decides whether the appliance should be updated. Performing an update is not required unless the feature text for the release specifically says so.

9.1 Software Updates

The appliance's internal software can be updated in a few simple steps. New software releases are pushed to Solida's cloud server and automatically distributed to the appliances. To check for a new software release or to perform an update, start the configuration application and navigate to Software Updates in the menu side bar. This presents the following window:

Figure 9.1 Software update GUI window.

The upper System Control Center box contains the following:

Firmware version - Displays the currently active internal firmware version number.
JSOSD version - Displays the version of the current security OS daemon.

The lower box titled Solida Software Versions Available For Updates contains a list of available software updates. The list only includes versions later than the version currently running in the appliance.

To perform an update, double click on the row with the desired new version. Please note that a software update can take as long as 5 minutes to complete, and during this time no network traffic will flow through the appliance, so schedule updates for a maintenance window. After the update has completed, clear the browser's cache and history so that the browser displays the latest version of the web utilities rather than a cached copy.

9.2 Support Bundle Generation

The button named Generate Support Bundle starts a support feature that collects useful information from the appliance. See the Support Bundle Generation chapter for further information.

9.3 Uploading A License File

The appliance license can be updated in a few simple steps. Solida provides new license keys in the form of a small text file. The text string in this file is an encrypted license string that the appliance decrypts and interprets. To update the license key, press the button labeled Upload License File and follow the instructions. Note that it is now also possible to update licenses using the remote monitoring tool Threat Commander. License keys can be supplied in bulk to allow a simple update of several appliances concurrently.

9.4 Configure SSL Certificate

The appliance uses an SSL certificate when communicating with the various cloud servers. Solida preloads an SSL certificate on all appliances before they ship. In some cases it may be necessary to replace this SSL certificate with another one.

10. Support Bundle Generation

A support bundle is a compressed file that contains critical system files and data. A support bundle should only be generated after a request from Solida Systems or the local distributor, and typically only when the appliance is having difficulties performing as expected. The files in the support bundle help a support engineer determine the cause of a problem. Because the bundle contains system files and appliance data, treat it as confidential and hand it over only through the channel agreed with Solida support.

10.1 Generating a Support Bundle

To generate a support bundle, start the configuration application on the appliance experiencing the problem and navigate to Software Updates. The window displayed contains a blue button with the text Generate Support Bundle. Pressing this button and answering Yes in the confirmation box starts generating the support bundle. Note that it can take 5 minutes or more for the bundle generation to complete.

10.2 Downloading a Support Bundle

Once a support bundle has been generated, it is placed in a directory called support in the log file storage area.

Figure 10.1 Log File Management window with support directory opened.

To download a support bundle file, start the configuration application and navigate to Log File Management. Then click on the support directory icon in the file viewer. This displays all available support bundles that are ready to be downloaded. Please note that it can take up to 5 minutes for a new support bundle to appear in this directory.

11. Data Logging

The appliances have a wide selection of logging options. The factory default is to log all rule events as well as all dropped network packets, but the user has the option to enable further logging, including full packet capture. Network packet data is written to the log files in the industry standard PCAP format, so tools such as Wireshark can open these files and analyze the packet content. All log files can be downloaded by clicking on them in the Log File Management window.

IMPORTANT! Event logging and drop logging should always be enabled. This makes it possible to investigate in detail what events occurred in the appliance and what the packets that triggered each event looked like. Turning on additional logging options degrades overall packet processing performance.

11.1 Packet Logging

Packet logging logs every single packet passing through the appliance. This mode is typically only used during troubleshooting of the network. The resulting log files can become very large, so it is important to select an appropriate rollover option to avoid filling up the disk space in the appliance. Packet logging should be disabled during normal usage.

Figure 11.1 Full packet logging configuration window

Warning! Full packet logging should ONLY be enabled under special circumstances such as investigating unusual traffic patterns. Full packet logging records all packets in PCAP format and writes this data into files. These files grow in size very fast and consume a significant amount of SSD storage space. Remember also that a full capture contains the content of every session that crossed the appliance, including any credentials or other sensitive data sent in clear text, so handle the resulting files accordingly.

11.2 Dropped Packet Logging

This logging option should always be enabled in the appliance, and it is enabled by default. It logs all network packets that are dropped by the appliance, whether by the rule engine or by the reputation detection engine. These log files can be used during forensic analysis to determine the exact reason a packet was dropped.

Figure 11.2 Dropped packet logging

11.3 Event Logging

Event logging is enabled by default. The resulting log files contain information about all events occurring in the appliance. These log files are automatically rotated at midnight, so it is easy to identify the day and time a certain event happened. The default settings are as shown in the picture below:

Figure 11.3 Event logging configuration window.

11.4 Flow Logging

Flow logging records information about the source and destination of the packets. The data includes the source and destination IP addresses, the source and destination port numbers, the protocol version, the total packet lengths, and a time stamp.

Important! Enabling flow logging generates a large amount of data stored in files on the SSD device. This feature should only be enabled under special circumstances and for a short time period only (less than 24 hours). The default settings are as shown in the picture below:

Figure 11.4 Flow Logging Configuration Window

11.5 HTTP Logging

This option logs all domain names accessed through browsers in the network.

Figure 11.5 HTTP logging configuration window
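Because the packet logs of sections 11.1 and 11.2 are ordinary PCAP files, the flow view of section 11.4 (addresses, ports, protocol, lengths, timestamps) can also be derived from a downloaded capture on an analyst's workstation, which is useful when flow logging was not enabled at the time of an event. The parser below is an added example written for this manual, not the appliance's flow logger or any Solida code. It reads the classic PCAP container (both byte orders, microsecond and nanosecond variants) and Ethernet/IPv4 headers itself, and the capture it runs on is constructed in the code; 203.0.113.7 is a documentation address used as a stand-in for an external host.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D   # classic pcap magic (usec / nsec timestamps)
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int = 0
    bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0

def read_global_header(data):
    """Return (struct byte-order prefix, timestamp fraction divisor, link type).
    Handles both byte orders and the usec and nsec magic values; pcapng is rejected."""
    for order in ("<", ">"):
        magic = struct.unpack_from(order + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            linktype = struct.unpack_from(order + "I", data, 20)[0]   # 'network' field
            return order, (1e6 if magic == PCAP_MAGIC_USEC else 1e9), linktype
    raise ValueError("not a classic pcap file (pcapng is not supported here)")

def iter_packets(data):
    """Yield (timestamp, original length, captured frame) for each packet record."""
    order, divisor, linktype = read_global_header(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not decoded; only Ethernet is handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break                      # truncated final record: stop rather than mis-parse
        offset += 16 + incl_len
        yield ts_sec + ts_frac / divisor, orig_len, frame

def decode_frame(frame):
    """Decode Ethernet II + IPv4; returns (src, dst, sport, dport, proto) or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                    # ARP, IPv6 and VLAN-tagged frames are not decoded
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    frag_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    sport = dport = 0
    if frag_offset == 0 and proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", ip, ihl)   # ports live only in the first fragment
    return src, dst, sport, dport, PROTO_NAMES.get(proto, str(proto))

def extract_flows(data):
    """Aggregate a pcap into unidirectional 5-tuple flows, in first-seen order."""
    flows = {}
    for ts, orig_len, frame in iter_packets(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        flow = flows.get(decoded)
        if flow is None:
            flow = flows[decoded] = Flow(*decoded, first_ts=ts, last_ts=ts)
        flow.packets += 1
        flow.bytes += orig_len
        flow.last_ts = ts
    return list(flows.values())

def _frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 test frame; MAC addresses and checksums are dummies."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + l4
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def _pcap(records):
    """Little-endian, microsecond, Ethernet pcap from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: one DNS query to the LAN resolver and two TCP packets to an
# external stand-in host. Not a capture from a real appliance.
SAMPLE_PCAP = _pcap([
    (1700000000, 0, _frame("192.168.10.23", "192.168.10.1", 17, 51234, 53, b"\x00" * 40)),
    (1700000000, 1500, _frame("192.168.10.23", "203.0.113.7", 6, 49152, 443)),
    (1700000001, 0, _frame("192.168.10.23", "203.0.113.7", 6, 49152, 443, b"GET")),
])

if __name__ == "__main__":
    for f in extract_flows(SAMPLE_PCAP):
        print(f"{f.proto:4} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"pkts={f.packets} bytes={f.bytes} dur={f.last_ts - f.first_ts:.4f}s")
```

To use it on a downloaded dropped-packet log, pass the file contents to extract_flows; byte counts use the record's original length, so a capture taken with a short snaplen still reports the real packet sizes.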

11.6 Downloading Log Files

Log files can be downloaded using either the configuration application or the monitoring application. To download a log file, navigate to the Log File Management menu option. This opens a file management interface as shown in the picture below:

Figure 11.4 Log file management window.

Each category of log file is stored in its own dedicated directory. Open the directory containing the desired log file, then double click on the log file. A popup window asks for a final confirmation before the file download starts.

11.7 Deleting Log Files

Log files can be deleted if needed. Navigate into a log file directory, right-click on the file, and select Delete. The file is permanently deleted from the appliance. It is also possible to rename a log file: right-click on the file to rename it. Even though it is possible, never delete a log file directory.

Please note that some log files become very large and the appliance has limited space for log files. Therefore always download important log files and save them outside the appliance. The appliance performs log rotation, which means older log files are deleted when the appliance needs the space, and log files older than 99 days are deleted automatically. Deleted log files cannot be recovered, so any evidence needed for an investigation must be copied off the appliance (or pushed to Threat Commander, see chapter 12) before rotation reaches it.

12. Remote Monitoring

12.1 Threat Commander Remote Monitoring Introduction

Multiple security appliances can be monitored in near real time using a utility called Threat Commander. All the available appliance models can be mixed and monitored together. Threat Commander can be installed in the cloud or on a dedicated reporting server with a fixed IP address. If an appliance is configured to be monitored with Threat Commander, all security related events are pushed up to the reporting server. Log files, including the system log file, are also pushed up so the user can download them remotely.

Setting Up Threat Commander Remote Monitoring

Enabling remote monitoring in an appliance is a simple operation. The picture below shows the configuration window and its options:

Figure 12.1 Remote monitoring configuration

Server Name - The domain name of the reporting server.
Login Username - The user name the appliance will use when logging in to the reporting server.
Login Password - The password the appliance will use when logging in to the reporting server.

These credentials are stored on the appliance, so use a dedicated account per appliance with no more rights on the reporting server than it needs to upload events and log files.

The button labeled Test Connection makes a connection attempt to the Threat Commander server. Use this test to confirm that the appliance is able to connect to Threat Commander. If the test fails, check any firewall settings and make sure it is possible to connect to Threat Commander over port 22 or the other port listed for Threat Commander under Required Open Network Ports in the hardware installation chapter.

Solida Notify Smartphone Remote Monitoring Introduction

A mobile phone application named SolidaNotify is available for free download on the App Store and the Play Store; search for SolidaNotify. To activate support for Solida Notify in the appliance, press the button labeled Start Monitoring. Once activated, the appliance starts pushing event data up to Solida's cloud server, from where the mobile phone application pulls it down. For information about how to set up and operate Solida Notify, see the user manual named Apple iOS and Android Mobile Phone Applications, downloadable from Solida's website.

As described in the configuration section, a password must be set for accessing event data through the Solida Notify application. Navigate to Admin->Configuration in the configuration GUI tool; the window below is presented for selecting a password. Since this password is what protects the event data while it is held on Solida's cloud server, choose a strong one that is not reused elsewhere.

Figure 12.2 Setting a Solida Notify password.

Use this password when setting up Solida Notify on a mobile phone.


More information

power port make sure the ac adapter is plugged into the correct port Make sure to include at the beginning.

power port make sure the ac adapter is plugged into the correct port Make sure to include  at the beginning. Quickstart Guide If you have a blank SD card, you may insert it into the camera. To set up your camera for use on the network, connect the camera's wired network port to a router. Connect the AC adapter

More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 4 Related Technical Documentation...7 Platform Compatibility The

More information

Cisco Next Generation Firewall Services

Cisco Next Generation Firewall Services Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the

More information

Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0

Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0 Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0 Printer Friendly Version [ PDF 266K ] Before You Begin Before proceeding with the installation of a SOHO 6 appliance, you must have

More information

Installation and Configuration Guide

Installation and Configuration Guide CYBERSECURITY, EVOLVED EdgeWave iprism Web Security Installation and Configuration Guide V8.0 15333 Avenue of Science, Suite 100 San Diego, CA 92128 Give us a call 1-855-881-2004 Send us an email: info@edgewave.com

More information

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0

Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 Detecting Internal Malware Spread with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Comments and errata should be directed to: cyber- tm@cisco.com Introduction One of the most common network

More information

Network Security Platform Overview

Network Security Platform Overview Quick Tour Revision B McAfee Network Security Platform 8.1 Network Security Platform Overview McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.3.9 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

CUSTOMER CONTROL PANEL... 2 DASHBOARD... 3 HOSTING &

CUSTOMER CONTROL PANEL... 2 DASHBOARD... 3 HOSTING & Table of Contents CUSTOMER CONTROL PANEL... 2 LOGGING IN... 2 RESET YOUR PASSWORD... 2 DASHBOARD... 3 HOSTING & EMAIL... 4 WEB FORWARDING... 4 WEBSITE... 5 Usage... 5 Subdomains... 5 SSH Access... 6 File

More information

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance CounterACT 7.0 Quick Installation Guide for a Single Virtual CounterACT Appliance Table of Contents Welcome to CounterACT Version 7.0... 3 Overview... 4 1. Create a Deployment Plan... 5 Decide Where to

More information

SOHO 6 Wireless Installation Procedure Windows XP with Internet Explorer 5.x & 6.0

SOHO 6 Wireless Installation Procedure Windows XP with Internet Explorer 5.x & 6.0 SOHO 6 Wireless Installation Procedure Windows XP with Internet Explorer 5.x & 6.0 Before you Begin Before you install the SOHO 6 Wireless, you must have: A computer with a 10/100BaseT Ethernet card installed

More information

Comodo One Software Version 3.8

Comodo One Software Version 3.8 rat Comodo One Software Version 3.8 Dome Cloud Firewall Quick Start Guide Guide Version 1.1.061118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo Dome Cloud Firewall Quick Start This

More information

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation... SonicOS Contents Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...7 Platform Compatibility The SonicOS

More information

<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>

<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product> RSA NETWITNESS Intel Feeds Implementation Guide Kaspersky Jeffrey Carlson, RSA Partner Engineering Last Modified: December 19 th, 2017 Solution Summary Kaspersky Lab offers

More information

Installation Procedure Windows NT with Netscape 4.x

Installation Procedure Windows NT with Netscape 4.x Installation Procedure Windows NT with Netscape 4.x Printer Friendly Version [ PDF 232K ] Before You Begin Before proceeding with the installation of a SOHO 6 appliance, you must have the following: A

More information

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver LevelOne FBR-1416 1W, 4L 10/100 Mbps ADSL Router User s Manual Ver 1.00-0510 Table of Contents CHAPTER 1 INTRODUCTION... 1 FBR-1416 Features... 1 Package Contents... 3 Physical Details... 3 CHAPTER 2

More information

Managing SonicWall Gateway Anti Virus Service

Managing SonicWall Gateway Anti Virus Service Managing SonicWall Gateway Anti Virus Service SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall s IPS-Deep Packet Inspection

More information

Spreedbox Getting Started Guide

Spreedbox Getting Started Guide Spreedbox Getting Started Guide Last Updated: September 2017 CONTENTS 1. Introduction... 3 2. Prerequisites... 4 3. Opening the box... 5 4. USB Manual, Quick Start Guide & MAC Sticker... 6 5. International

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide h-series 800-782-3762 www.edgewave.com 2001 2011 EdgeWave Inc. (formerly St. Bernard Software). All rights reserved. The EdgeWave logo, iprism and iguard are trademarks

More information

McAfee Network Security Platform 9.2

McAfee Network Security Platform 9.2 McAfee Network Security Platform 9.2 (9.2.7.22-9.2.7.20 Manager-Virtual IPS Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.2 Original Publication: October 18, 2013 Last Updated: October 18, 2013 These release notes are valid for Version 5.2.0.2 of the Sourcefire 3D System. Even

More information

ACL Compliance Director Tutorial

ACL Compliance Director Tutorial Abstract Copyright 2008 Cyber Operations, Inc. This is a tutorial on ACL Compliance Director intended to guide new users through the core features of the system. Table of Contents Introduction... 1 Login

More information

VG422R. User s Manual. Rev , 5

VG422R. User s Manual. Rev , 5 VG422R User s Manual Rev 1.0 2003, 5 CONGRATULATIONS ON YOUR PURCHASE OF VG422R... 1 THIS PACKAGE CONTAINS... 1 CONFIRM THAT YOU MEET INSTALLATION REQUIREMENTS... 1 1. INSTALLATION GUIDE... 2 1.1. HARDWARE

More information

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on

More information

CCNA Exploration Network Fundamentals. Chapter 03 Application Functionality and Protocols

CCNA Exploration Network Fundamentals. Chapter 03 Application Functionality and Protocols CCNA Exploration Network Fundamentals Chapter 03 Application Functionality and Protocols Updated: 27/04/2008 1 3.1 Applications: The Interface Between Human and Networks Applications provide the means

More information

Ekran System v Program Overview

Ekran System v Program Overview Ekran System v. 5.1 Program Overview Contents About the Program Ekran Server & Management Tool Database Management Licensing Client Installation Monitoring Parameters Client Protection Advanced User Authentication

More information

Junos Pulse Mobile Security Dashboard

Junos Pulse Mobile Security Dashboard Junos Pulse Mobile Security Dashboard User Guide Release 4.1 October 2012 R1 Copyright 2012, Juniper Networks, Inc. . Junos Pulse Mobile Security Dashboard Juniper Networks, Inc. 1194 North Mathilda Avenue

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

This option lets you reset the password that you use to log in if you do not remember it. To change the password,

This option lets you reset the password that you use to log in if you do not remember it. To change the password, User s Guide Overview IDrive offers the most cost-effective BMR functionality with onsite disk image backup for SMBs. You can store entire data of hard disks including the operating system (OS) and application

More information

Novetta Cyber Analytics

Novetta Cyber Analytics Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.3.10 NTBA Appliance Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Find

More information

First Aid. For All Mediatrix units. Revision

First Aid. For All Mediatrix units. Revision For All Mediatrix units Revision 01 2015-09-30 Table of Contents Table of Contents Troubleshooting 3 Troubleshooting 3 Mediatrix Profile Default Settings for the Rescue Interface 4 Performing a Factory

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

1 Installing KEEP is Easy

1 Installing KEEP is Easy Installing KEEP is Easy 1 Installing KEEP is Easy 1. Plug in the network cable to in Internet enabled port, either directly connected to the Internet or behind a router. 2. Connect the power supply to

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

CA Agile Central Administrator Guide. CA Agile Central On-Premises

CA Agile Central Administrator Guide. CA Agile Central On-Premises CA Agile Central Administrator Guide CA Agile Central On-Premises 2018.1 Table of Contents Overview... 3 Server Requirements...3 Browser Requirements...3 Access Help and WSAPI...4 Time Zone...5 Architectural

More information

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009 Release Notes SonicOS Standard 3.1.6.3 Release Notes SonicWALL, Inc. Software Release: June 4, 2009 CONTENTS Platform Compatibility...1 Software Release Caveats...1 Known Issues...2 Resolved Issues...2

More information

Flowmon Application for QRadar User Guide

Flowmon Application for QRadar User Guide Flowmon Application for QRadar User Guide Version 01.00.00 Flowmon Application for QRadar is an extension connecting IBM QRadar with events from Flowmon ADS Solution. Flowmon Application was build with

More information

The following topics describe how to configure correlation policies and rules.

The following topics describe how to configure correlation policies and rules. The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

SonicOS Release Notes

SonicOS Release Notes SonicOS Contents Platform Compatibility... 1 Browser Support... 2 Supported Features by Appliance Model... 2 Licensing Geo-IP and Botnet Filtering... 4 Known Issues... 6 Resolved Issues... 8 Upgrading

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform 9.2 (Quick Tour) McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects and prevents

More information