IPS-1. Administration Guide Version NGX R65.1


Version NGX R65.1, March 8, 2009


Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR.

TRADEMARKS: Please refer to for a list of our trademarks. For third party notices, see


Contents

Preface
  About this Guide
  Who Should Use This Guide
  Summary of Contents
  Related Documentation
  More Information
  Feedback

Chapter 1  IPS-1 Overview
  IPS-1 Key Benefits
  IPS-1 System Architecture
  IPS-1 Deployment
  Working in the IPS-1 Management Dashboard
    Logging into the IPS-1 Management Server with the IPS-1 Dashboard
    Navigating the IPS-1 Management Dashboard Windows
    The IPS-1 Management Dashboard Menus
    The IPS-1 Management Dashboard Toolbar

Chapter 2  Managing the IPS-1 System
  Overview
  System Messages
  Installing Policies
  Adding an Alerts Concentrator to the System
  Adding an IPS-1 Sensor to the Management Server
  User Accounts
    User Accounts Overview
    Managing User Accounts
    Changing the Password
    Unlocking a User Account
  Licensing
    Overview
    Viewing License Summary
    Adding a License
  Maintaining Database Size
    Space Management Overview
    Configuring Space Management
    Reclaiming Database Space
  Alerts Concentrator High Availability
  Managing the IPS-1 Sensor
    Connecting to the IPS-1 Sensor
    IPS-1 Sensor Modes
    Configuring Other Sensor Definitions
    Shutting Down or Restarting the IPS-1 Sensor
    Deleting Backlogged Sensor Data
    Resolving IPS-1 Sensor Communications Issues
  Starting and Stopping the IPS-1 Servers
  Uninstalling the IPS-1 Servers
  Viewing System Status Information
    System Status in the IPS-1 Management Dashboard
    Viewing Sensor History
    Viewing the IPS-1 Status Monitor

Chapter 3  Managing Attack Detection and Prevention
  Overview
  Updating Attack Signatures
    Configuring Automatic Attack Signature Updates
    Manually Updating Attack Signatures
    Avoiding False Positives
  Managing Protections
    Overview
    Managing Protection Profiles
    Configuring Protections
    Viewing and Copying Comprehensive Protection Settings
    Exempting Hosts from Inspection or Prevention
  System-Wide Attack Correlation
    Correlators Overview
    Defining Correlators
  Firewall-Style Access Control
    IPS-1 Firewall GUI Policy Settings

Chapter 4  Alert Monitoring and Analysis
  Overview
  The Alert Browser and History Browser
    The Alert Browser Window
    Working in the Alert Browser
    Viewing History Browser Snapshots
  Alert Management Tools
    Viewing Alert Details
    Packet Capture and Viewing
    Using Alerts to Modify Protection Settings
    Holding an Alert
    Marking Alerts as Read
    Annotating Alerts
  The Timeline Window
    Overview
    Opening the Timeline Window
    Creating the Default Timeline Set
    Configuring Timelines and Views
    Viewing Detailed Alerts from a Timeline Window
  Creating Alert Graphs
    Overview
    Creating an Activity Level Graph
    Creating Pick Graphs
    Creating a Top n Graph
    Saving Graphs
    Printing a Graph
  Customizing Alerts
    Overview
    Configuring Actions
    Applying Actions to Alerts
    Changing an Alert's Displayed Priority

Chapter 5  Vulnerability Detection and Defense
  Overview
  Installing Network Vulnerability Data, and Dynamic Shielding
  Viewing Vulnerabilities
  Investigating Vulnerabilities with the Distribution Graph
    Distribution Graph Overview
    Configuring the Distribution Graph
    Investigation Examples
  Viewing Compromise Risk in the Alert Browser
  Disabling Vulnerability Correlation

Chapter 6  Data Analysis with External Tools
  Overview
  Setting up Reports
    Creating an ODBC Data Source
    Generating a Report
    Report Template List
  Integration with Eventia Analyzer
    Introduction
    Integrating with Eventia Analyzer

Chapter 7  Backup and Migration
  Overview
  Exporting IPS-1 Management Server Data
    Exporting Data using the Dashboard
    Exporting Data using the Command Line
  Migrating Data using the Command Line
  Importing IPS-1 Management Server Data


Preface

In This Chapter
  About this Guide, page 10
  Who Should Use This Guide, page 11
  Summary of Contents, page 12
  Related Documentation, page 13
  More Information, page 14
  Feedback, page 15

About this Guide

The IPS-1 Administration Guide is a guide to configuring and using the IPS-1 system. For deployment, installation and initial configuration instructions, see the Check Point Installation and Upgrade Guide.

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
- System and network administration
- Server operating systems

Summary of Contents

This guide contains the following chapters:
- Chapter 1, IPS-1 Overview: This chapter discusses IPS-1 deployment components and an introduction to the IPS-1 Management Dashboard.
- Chapter 2, Managing the IPS-1 System: This chapter discusses configuration tasks, user accounts, licensing, database maintenance, and system administration.
- Chapter 3, Managing Attack Detection and Prevention: This chapter discusses updating attack signatures and managing protections.
- Chapter 4, Alert Monitoring and Analysis: This chapter discusses the IPS-1 Management Dashboard windows and tools for alert monitoring and analysis.
- Chapter 5, Vulnerability Detection and Defense: This chapter discusses network vulnerability detection and analysis.
- Chapter 6, Data Analysis with External Tools: This chapter discusses creating reports with Crystal Reports 11 from Business Objects.
- Chapter 7, Backup and Migration: This chapter discusses IPS-1 Management Server data backup and migration.

Related Documentation

IPS-1 information can be found in the following documents:
- IPS-1 Release Notes
- Check Point Installation and Upgrade Guide
- IPS-1 Administration Guide (this document)
- Customizing IPS-1 Protections (advanced)

More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

To view the latest version of this document in the Check Point User Center, go to:

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com


Chapter 1  IPS-1 Overview

In This Chapter
  IPS-1 Key Benefits, page 18
  IPS-1 System Architecture, page 19
  IPS-1 Deployment, page 21
  Working in the IPS-1 Management Dashboard, page 22

IPS-1 Key Benefits

The IPS-1 Intrusion Prevention System provides accurate, high performance protection against known and unknown attacks. You can customize its features to suit your organization's particular needs. IPS-1 offers many benefits:

Trusted Intrusion Prevention
- Smart intrusion detection
- Customizable intrusion prevention
- Customizable Confidence Indexing
- Customizable attack signatures
- Automatic attack signature updates

IPS Simplified
- Quick deployment
- Flexible deployment modes
- Minimal-impact design
- Centralized, scalable management
- Customizable desktop GUI with real-time information and management

Dynamic Shielding
- Presents network intelligence including OS and application information, CVE vulnerabilities, and impact and remediation details.
- Determines anomalous behavior, reduces false positives, and recognizes and dynamically shields vulnerable hosts against inevitable attacks.

IPS-1 System Architecture

An IPS-1 deployment includes the following components:
- IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.
- Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.
- IPS-1 Management Server: The central management server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.
- IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Management Dashboard includes a number of independent interlinked windows, primarily:
  - Policy Manager, for configuring protections and managing the entire IPS-1 system.
  - Alert Browser, for viewing, tracking, and analyzing real-time alerts.

There are two deployment configurations for IPS-1:
- Combined Deployment: An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer. For this type of deployment, select IPS-1 Management Server (all components) during the installation.
- Distributed Deployment: The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers. For this type of deployment, select IPS-1 Management Server (without Alerts Concentrator) during the installation.

The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Installation and Upgrade Guide Version R70.

The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:

Figure 1-1  The IPS-1 System

IPS-1 Deployment

For considerations for placement and topology of IPS-1 Sensors and of management components, and for information on setting up the deployment, see the Check Point Installation and Upgrade Guide. For information on subsequent configuration of the various IPS-1 system components, see Managing the IPS-1 System on page 27 in this document.

Working in the IPS-1 Management Dashboard

In This Section
  Logging into the IPS-1 Management Server with the IPS-1 Dashboard, page 22
  Navigating the IPS-1 Management Dashboard Windows, page 23
  The IPS-1 Management Dashboard Menus, page 24
  The IPS-1 Management Dashboard Toolbar, page 25

Logging into the IPS-1 Management Server with the IPS-1 Dashboard

To log into the IPS-1 Management Server with the IPS-1 Management Dashboard:
1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run:
      /etc/init.d/ips1 start
2. On the client computer, start the IPS-1 Management Dashboard. A login window appears.
3. Type your username and password, and specify the IPS-1 Server's IP address or resolvable hostname. By default, the port number is

   Note - The default username is admin. When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.
4. If you are trying to connect to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server's connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.

Navigating the IPS-1 Management Dashboard Windows

IPS-1 Management Dashboard windows can be accessed by clicking one of the icons in the upper-right corner of the Management Dashboard. The windows can also be accessed from the File and Management menus. The IPS-1 Management Dashboard includes the following main windows:
- Policy Manager: System, protection, and alert management. To access Policy Manager from any other IPS-1 Management Dashboard window, from the Management menu, select Policy. Some parts of Policy Manager (especially in the System Settings tab) appear only when Advanced Settings are enabled. To enable Advanced Settings, from Policy Manager's Policy Manager menu, point to Advanced, and select Show Advanced Settings. Details of the tasks performed in Policy Manager can be found in Managing the IPS-1 System on page 27, in Managing Attack Detection and Prevention on page 65, and in other chapters.
- Alert Browser, and other windows for alert monitoring and analysis. Any of the alert monitoring and analysis windows can be accessed from the File menu or toolbar of any IPS-1 Management Dashboard window. These windows are highly user-configurable. Details of the tasks performed in these windows can be found in Alert Monitoring and Analysis on page 107, and in other chapters.
- Vulnerability Browser: Network risk assessment and analysis. The Vulnerability Browser can be accessed from the File menu of any IPS-1 Management Dashboard window, or from the Alert Browser toolbar. For details, see Vulnerability Detection and Defense on page 153.

The IPS-1 Management Dashboard Menus

The menus for all main Dashboard windows are the same, except for the third menu, which bears the same name as the window. For example, Policy Manager's Policy Manager menu contains commands unique to Policy Manager.

The File menu contains the following commands:
- Commands for launching new windows: New Alert Browser, New History Browser, New Timeline, New Graph, New Vulnerability Browser.
- Commands for managing window views: Open View, Delete View, Save View, Save View As. Window views include all customization settings, and are saved on the IPS-1 Management Server. For details, see Saving Customized Views on page 124.
- Close: Closes the current window.
- Exit Application: Closes all IPS-1 Management Dashboard windows.

The Tools menu contains the following commands:
- System Status: Displays in a single window the activity and communication status of the Alerts Concentrators and Sensors. For details, see System Status in the IPS-1 Management Dashboard on page 58.
- User Preferences: Settings for using Reverse DNS lookup to display hostnames in Alert Details and for viewing packet captures in a third-party application. For details, see Viewing Alert Details on page 127 and Packet Capture and Viewing on page 129.
- Change Password: Enables a user to change his password. For details, see Changing the Password on page

The context-dependent menu contains commands relevant to each specific window, such as Alert Browser, History Browser, Policy Manager, etc., and changes name according to the window which is open.

The Windows menu contains a listing of the open IPS-1 windows. This menu does not appear in the Alert Browser which is opened after the initial login.

The Management menu contains the following commands:
- Correlators: Opens the Correlators window. Correlators generate alerts based on other alerts, from multiple connections and across all IPS-1 Sensors. For details, see System-Wide Attack Correlation on page 89.
- Users: Manage user accounts. For details, see User Accounts on page 35.
- Policy: Opens Policy Manager.
- Space Management: Opens the Space Management window, for maintaining database size. For details, see Maintaining Database Size on page 41.

The About menu contains the About command, which displays IPS-1 Management Dashboard information.

The IPS-1 Management Dashboard Toolbar

On the left end of the toolbar, the Alert Browser and History Browser windows have buttons unique to the Alert Browser and History Browser. For details on these buttons, see Toolbar Buttons on page 112. On the right end of the toolbar, all the main Management Dashboard windows have the same buttons. These are listed in Table 1-1.

Table 1-1  Toolbar buttons common to all main windows
- Opens an Alert Browser window. See The Alert Browser and History Browser on page 109.
- Allows you to view alert activity in graph form. See Creating Alert Graphs on page 140.
- Plots alert activity on timelines. See The Timeline Window on page 134.

- Opens the Vulnerability Browser. See Vulnerability Detection and Defense on page 153.
- Opens Policy Manager.
- Displays the status of all IPS-1 Alerts Concentrators and IPS-1 Sensors. See System Status in the IPS-1 Management Dashboard on page

Chapter 2  Managing the IPS-1 System

In This Chapter
  Overview, page 28
  System Messages, page 28
  Installing Policies, page 29
  Adding an Alerts Concentrator to the System, page 31
  Adding an IPS-1 Sensor to the Management Server, page 33
  User Accounts, page 35
  Licensing, page 38
  Maintaining Database Size, page 41
  Alerts Concentrator High Availability, page 45
  Managing the IPS-1 Sensor, page 47
  Starting and Stopping the IPS-1 Servers, page 56
  Uninstalling the IPS-1 Servers, page 57
  Viewing System Status Information, page 58

Overview

This chapter describes configuration of an already installed and initially configured IPS-1 system. For information on installing and initially configuring the IPS-1 system, see the Check Point Installation and Upgrade Guide.

System Messages

IPS-1 System Messages report required and recommended management tasks. To view the System Messages:
1. Open the Policy Manager.
2. Select the System Settings tab.
3. In the left-hand navigation tree, select System Messages.

Installing Policies

Many of the management tasks in this chapter, and the protection management tasks in the next chapter, are performed in Policy Manager. In general, changes made in Policy Manager are not saved to the IPS-1 Management Server or transmitted to other IPS-1 system components until you Install Policy.

To Install a Policy:
1. In Policy Manager, from the File menu, select Install Policy. Or, click the Install Policy toolbar button.

   The Install Policy window appears.
2. Select the Alerts Concentrator(s).
3. In most cases, select (on the bottom of the window) Install Policy on Sensors, and (in the upper part of the window) select all Sensors. The "Install Policy on Sensors" checkbox will be automatically selected when changes have been made that require the Sensors to be updated.
   Note - If you leave any Alerts Concentrators or Sensors not selected, they will be excluded from subsequent automatic attack signature updates.
4. Click OK. Policy Manager changes to read-only while Policy is installed.

Adding an Alerts Concentrator to the System

To add an Alerts Concentrator to the IPS-1 System, first install and set up the Alerts Concentrator. For details, see the Check Point Installation and Upgrade Guide.

To then add the Alerts Concentrator to the IPS-1 system, in Policy Manager's Sensors and Concentrators tab, right-click in the left-hand navigation tree, and select New Alerts Concentrator. The New Alerts Concentrator window appears.

Configure the Alerts Concentrator settings as follows:
1. In the Host field, type the Alerts Concentrator's IP address or resolvable hostname.
   Note - Entering the Alerts Concentrator's IP address is preferred, to better protect against DNS spoofing.
2. Type and confirm the activation key that you specified during the Alerts Concentrator installation. To reset the Activation Key on the Alerts Concentrator:
   a. Log in to the Alerts Concentrator.
   b. Switch to the ips1 user using the following command (in SecurePlatform, this must be done from expert mode):
      su - ips1
   c. Run the set_activation_key command to set the activation key.
3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy's connection and authentication information.
4. Make sure Receive Alerts is On.
5. If this Alerts Concentrator, or the IPS-1 Server's communication with it, might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server first attempts to retrieve the Help Text from another Alerts Concentrator.
6. Click OK. The Alerts Concentrator is added.

Adding an IPS-1 Sensor to the Management Server

Before adding an IPS-1 Sensor to the IPS-1 Management Server, the Sensor must first be installed and configured as described in the Check Point Installation and Upgrade Guide. In Policy Manager, add the Sensor to the IPS-1 system, as follows:
1. In Policy Manager's Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor. The Add New Sensor window appears.
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor's IP address or resolvable Hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor's Management Menu. To reset the Activation Key on an IPS-1 Sensor, run the cpconfig command. To reset the Activation Key on an IPS-1 Power Sensor, log in as the nfr user.

5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values, and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types. If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press Enter. When all of your network addresses are listed in the Selected Host Types, click Next.
7. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values, and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types. If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter. When all of your broadcast addresses are listed in the Selected Host Types, click Next.
8. Click New to assign descriptive names to your interfaces. The Edit Interface Description window appears. Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.
9. Once you have finished modifying the names of the interfaces, press Finish to add the new Sensor to the Alerts Concentrator.
10. To apply the changes, click Install Policy.

User Accounts

In This Section
  User Accounts Overview, page 35
  Managing User Accounts, page 35
  Changing the Password, page 36
  Unlocking a User Account, page 36

User Accounts Overview

Two kinds of users, with different permission levels, can log into the IPS-1 Management Server with the IPS-1 Management Dashboard, and use or manage the IPS-1 system:
- Administrator: full permissions.
- Normal: specific, configurable permissions. These permissions are defined during the creation of the user account or subsequently by editing the user account.

One Administrator account is defined during IPS-1 Management Server installation. Additional users of both kinds can be added from the IPS-1 Management Dashboard. User accounts can be created and managed by Administrators, or by Normal Users who have been given the Edit User permission. The Edit User permission can be limited to managing specific users. A user can never give permissions greater than his own.

Note - Sensors for which a Normal user does not have permissions will not appear in Policy Manager, the Alert Browser, Timeline windows, System Status, etc. However, the graphs window (which displays raw counts of alerts) may still include counts of alerts from these IPS-1 Sensors. Also, these application-level settings are irrelevant to any third-party tool which directly accesses the database, such as Crystal Reports.

Managing User Accounts

To create or edit a user account:
1. From the Alert Browser's or Policy Manager's Management menu, select Users.

   The Manage Users window appears.
2. Click New, or select an existing user and click Edit.
3. Type or verify the User Information, including:
   - The number of Connect Retries before a user submitting invalid authentication information is locked out.
   - The user Role: Administrator or Normal (see above).
4. For a Normal user account, configure the User Permissions. Scroll over the rows to see descriptions below.
5. Click OK. The user account is configured. The user can now change his password, as explained in the following section.

Changing the Password

After a user account is created, the user can change his password as follows:
1. From the Tools menu, select Change Password.
2. Type the current password, and type and confirm a new password.
3. Click OK.

Unlocking a User Account

If a user submits invalid authentication information more than the number of Connect Retries defined for his user account, he will be locked out. The account can be unlocked in one of two ways:

An Administrator can unlock the locked user's account, as follows:
1. From the Alert Browser's or Policy Manager's Management menu, select Users. The Manage Users window appears.
2. Select the locked out user account, and click Unlock Account.

If a sole Administrator's account is locked out, the account must be unlocked directly from the IPS-1 Management Server's command line, as follows:
1. Run:
      cd /opt/cpips1-r65/ips1server/bin
      set_ips1_passwd.sh <username>
   where <username> is the user name of the account to be unlocked.
2. Type and confirm a new password.

Licensing

In This Section
  Overview, page 38
  Viewing License Summary, page 38
  Adding a License, page 39

Overview

The IPS-1 system requires three types of licenses, all of which can be obtained from Check Point's User Center:
- An IPS-1 Management Server license to manage a specified maximum number of IPS-1 Sensors. This license automatically licenses an Alerts Concentrator in a Combined installation. Separate Alerts Concentrators are not included.
- An Alerts Concentrator license for Alerts Concentrators not combined with the IPS-1 Management Server.
- IPS-1 Sensor licenses for each IPS-1 Sensor of a specified Sensor type. Sensor types are defined for licensing purposes according to hardware model numbers of Check Point preinstalled appliances.

Note that adding Sensors to a system, besides requiring additional Sensor licenses, may affect the required type of IPS-1 Management Server license.

All three kinds of licenses are stored on the IPS-1 Management Server and must be generated specifically for the IPS-1 Management Server's IP address.

The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Management Dashboard will function only in Demo mode.

Viewing License Summary

To view a summary of existing and missing licenses in an IPS-1 system:
1. From Policy Manager's Policy Manager menu, select Licenses.

2. In the left-hand license list, select Licenses.

Adding a License

To access the License Manager, from Policy Manager's Policy Manager menu, select Licenses. The License Manager appears.

To add a license:
1. Copy your license string, obtained from Check Point's User Center, to the clipboard. A license string will include the following:
      cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
3. Populate the fields by clicking Paste License. Click OK. The added license appears in the license list.
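Because a license is bound to the IPS-1 Management Server's IP address and carries an expiration date, a pasted string that is malformed, issued for another host, or already expired will not license the server. The following added example (not Check Point code) checks a license string against the layout shown above before it is pasted; the field names after the six positional tokens, and the sample values, are assumptions constructed for the example.

```python
"""Sanity-check a Check Point license string before pasting it into the
IPS-1 License Manager.  Added example, not Check Point code: it validates
the layout the guide shows (cplic putlic <ip> <expiry> <signature> <sku>
<key>) and the guide's rule that the license must be generated for the
IPS-1 Management Server's own IP address.  Field names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Four 9-character groups separated by hyphens, as in the guide's example.
_SIGNATURE_RE = re.compile(r"^[A-Za-z0-9]{9}(?:-[A-Za-z0-9]{9}){3}$")


@dataclass(frozen=True)
class License:
    host: ipaddress.IPv4Address   # address the license was generated for
    expires: date                 # e.g. 1Jan2001 in the guide's example
    signature: str
    sku: str                      # e.g. CPMP-IPS-5-NGX
    key: str                      # trailing "xx-xxxxxxxxxxx" token (name assumed)


def parse_license(line: str) -> License:
    """Split a 'cplic putlic ...' line into its fields, rejecting malformed ones."""
    tokens = line.split()
    if len(tokens) != 7 or tokens[:2] != ["cplic", "putlic"]:
        raise ValueError("expected: cplic putlic <ip> <expiry> <signature> <sku> <key>")
    host, expiry, signature, sku, key = tokens[2:]
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad host address {host!r}") from exc
    try:
        # Day without leading zero, abbreviated month, four-digit year.
        expires = datetime.strptime(expiry, "%d%b%Y").date()
    except ValueError as exc:
        raise ValueError(f"bad expiration date {expiry!r}") from exc
    if not _SIGNATURE_RE.match(signature):
        raise ValueError("signature must be four 9-character groups")
    return License(ip, expires, signature, sku, key)


def check_license(lic: License, server_ip: str,
                  today: Optional[date] = None) -> List[str]:
    """Return the reasons the license would not be usable on this server."""
    today = today or date.today()
    problems = []
    if lic.host != ipaddress.IPv4Address(server_ip):
        problems.append(f"license is for {lic.host}, not for this server ({server_ip})")
    if lic.expires < today:
        problems.append(f"license expired on {lic.expires.isoformat()}")
    return problems


def validate_license_string(line: str, server_ip: str,
                            today: Optional[date] = None) -> List[str]:
    """Parse and check in one call; a parse failure is reported as a problem."""
    try:
        lic = parse_license(line)
    except ValueError as exc:
        return [str(exc)]
    return check_license(lic, server_ip, today)


# Constructed sample in the guide's layout (not a real license).
SAMPLE = ("cplic putlic 192.0.2.10 1Jan2001 "
          "a1b2c3d4e-f5g6h7i8j-k9l0m1n2o-p3q4r5s6t CPMP-IPS-5-NGX ab-12345678901")

if __name__ == "__main__":
    for problem in validate_license_string(SAMPLE, "192.0.2.11"):
        print("problem:", problem)
```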

Maintaining Database Size

The IPS-1 Management Server and Alerts Concentrators store and accumulate large quantities of alert data in MySQL databases. To maintain performance, the database must be efficiently configured and maintained.

In This Section
  Space Management Overview, page 41
  Configuring Space Management, page 42
  Reclaiming Database Space, page 43

Space Management Overview

The IPS-1 Management Server and Alerts Concentrator databases hold event and alert data generated by IPS-1. As with any system, the amount of space available for data storage is limited. The Space Management tool enables maintaining as much useful information as possible without exceeding disk storage limits.

For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product. For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5 Gbps, and you want to maintain six months of back alerts, the database should be GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives.

The Space Management tool periodically checks the used space in the database. When the used space exceeds a configurable Action Limit, Space Management begins deleting the oldest packet capture data and alert records. Space Management then continues deleting until the used space drops below a configurable Clearance Limit.

Note - As Space Management deletes data, it will attempt to retain all packet capture data. Thus, it will delete packet capture data in proportion to the number of alert records in the database.
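The sizing rule of thumb and the Action Limit / Clearance Limit cycle above are easier to reason about as a small model. The following added example (not Check Point code) implements the guide's estimate, enforces the two constraints the configuration section states (Clearance Limit below Action Limit, Maximum Space below the partition's free space), and simulates one periodic check that deletes the oldest records until used space drops below the Clearance Limit; record sizes and timestamps are constructed.

```python
"""Capacity planning and Space Management behaviour for an IPS-1 database,
modelled on the rules in this guide.  Added example, not Check Point code;
the records, their sizes and their timestamps are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


def estimate_db_size_gb(monitored_gbps: float, months_retained: float) -> float:
    """Guide's rule of thumb: database size in GB should approach half of
    (monitored traffic in Gbps x months of alerts retained)."""
    return 0.5 * monitored_gbps * months_retained


@dataclass(frozen=True)
class AlertRecord:
    received_at: int   # constructed: seconds since epoch, smaller is older
    alert_gb: float    # space used by the alert rows
    pcap_gb: float     # space used by the packet capture stored with the alert


@dataclass
class SpaceManagement:
    maximum_space_gb: float      # Maximum Space setting
    action_limit_pct: float      # Action Limit, percent of Maximum Space
    clearance_limit_pct: float   # Clearance Limit, percent of Maximum Space
    partition_free_gb: float     # free space where the database resides

    def __post_init__(self) -> None:
        # Both constraints from the guide's configuration steps.
        if not 0 < self.clearance_limit_pct < self.action_limit_pct <= 100:
            raise ValueError("Clearance Limit must be smaller than Action Limit")
        if self.maximum_space_gb >= self.partition_free_gb:
            raise ValueError("Maximum Space must be smaller than partition free space")

    @property
    def action_gb(self) -> float:
        return self.maximum_space_gb * self.action_limit_pct / 100

    @property
    def clearance_gb(self) -> float:
        return self.maximum_space_gb * self.clearance_limit_pct / 100

    @staticmethod
    def used_gb(records: List[AlertRecord]) -> float:
        return sum(r.alert_gb + r.pcap_gb for r in records)

    def run_check(self, records: List[AlertRecord]) -> Tuple[List[AlertRecord], int]:
        """One periodic check.  If used space exceeds the Action Limit, delete
        the oldest records (alerts together with their captures) until used
        space drops below the Clearance Limit.  Returns (remaining, deleted)."""
        remaining = sorted(records, key=lambda r: r.received_at)
        if self.used_gb(remaining) <= self.action_gb:
            return remaining, 0
        deleted = 0
        while remaining and self.used_gb(remaining) >= self.clearance_gb:
            remaining.pop(0)   # oldest record first
            deleted += 1
        return remaining, deleted


if __name__ == "__main__":
    # Constructed scenario: 100 GB database, limits at 90% / 70%, ten 10 GB records.
    sm = SpaceManagement(100.0, 90.0, 70.0, 150.0)
    records = [AlertRecord(received_at=i, alert_gb=2.0, pcap_gb=8.0) for i in range(10)]
    kept, removed = sm.run_check(records)
    print(f"deleted {removed} oldest records, {sm.used_gb(kept):.0f} GB still used")
```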

Configuring Space Management

To configure Space Management:
1. From any IPS-1 Management Dashboard window's Management menu, select Space Management.
2. The Space Management window appears, with a tab for the IPS-1 Management Server and for each Alerts Concentrator.

43 Reclaiming Database Space 3. Set the following values for the IPS-1 Management Server and for each Alerts Concentrator: Maximum Space: the maximum amount of space available to the database. The Maximum Space should be a value smaller than the available free space in the partition or slice where the database resides. Action Limit: the percentage of Maximum Space used before Space Management begins removing alert data. Clearance Limit: the percentage of maximum space at which Space Management stops removing alerts. The Clearance Limit must be smaller then the Action Limit. Check period (Alerts Concentrator only): interval between times Space Management checks the used space. For a heavily loaded, large network, checking should be a smaller value but no less than 1 minute. 4. In the IPS-1 Management Server tab, select Enable Automatic Space Management, unless you don t want Space Management to operate automatically on the IPS-1 Management Server. In that case, you can manually initiate Space Management operation by clicking Remove Old Alerts Now. 5. Click Save. Reclaiming Database Space The Space Management tool attempts to limit the IPS-1 Alerts Concentrator database size to the specified Maximum Space setting. However, the database can exceed this limit because of the way Space Management deletes records. Space Management frees space in individual tables that it cannot make available to the database as a whole because the space is still marked as used by the operating system. For example, when Space Management is finished, it may show 25GB of actual space set aside for the database and 2GB of free space. If the 2GB of space is available in the alert data table and IPS-1 Alerts Concentrator needs to write to the event data table, it cannot use the free space. As a result, it will claim additional space for event data, even if it results in the database size increasing beyond the specified Maximum Space. 
For this reason, you should set the maximum database size to be a value smaller than the available free space in the partition or slice where the database resides.

Chapter 2 Managing the IPS-1 System 43
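The following is an added example, not Check Point's code: it models the Maximum Space / Action Limit / Clearance Limit behaviour described above so that a planned configuration can be sanity-checked before it is saved in the Dashboard. It also shows why the two limits form a hysteresis pair: removal starts at the Action Limit and continues down to the Clearance Limit, so a database hovering just under the Action Limit does not trigger removal on every check. The class and function names, and the usage figures fed in at the bottom, are constructed for illustration.

```python
"""Space Management thresholds, modelled on the settings described above.

Added example (not Check Point's code). Names and sample usage figures are
constructed; the validation rules are the ones the guide states.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SpaceManagementConfig:
    max_space_gb: float         # Maximum Space
    action_limit_pct: float     # Action Limit: removal starts at this % of Maximum Space
    clearance_limit_pct: float  # Clearance Limit: removal stops at this % of Maximum Space
    partition_free_gb: float    # free space on the partition/slice holding the database

    def validate(self) -> List[str]:
        """Return the problems the guide warns about; an empty list means the config is sound."""
        problems = []
        if self.max_space_gb >= self.partition_free_gb:
            # The database can overshoot Maximum Space (see "Reclaiming Database Space"),
            # so Maximum Space must leave headroom below the partition's free space.
            problems.append("Maximum Space must be smaller than the partition's free space")
        if not 0 < self.clearance_limit_pct < self.action_limit_pct <= 100:
            problems.append("Clearance Limit must be smaller than Action Limit (both within 0-100%)")
        return problems

    @property
    def action_gb(self) -> float:
        return self.max_space_gb * self.action_limit_pct / 100

    @property
    def clearance_gb(self) -> float:
        return self.max_space_gb * self.clearance_limit_pct / 100


@dataclass
class SpaceManager:
    """Two-threshold (hysteresis) controller: once usage reaches the Action Limit,
    old alerts are removed until usage is down to the Clearance Limit, not merely
    just below the Action Limit, so removal is not re-triggered on every check."""
    cfg: SpaceManagementConfig
    removing: bool = False
    log: List[str] = field(default_factory=list)

    def check(self, used_gb: float) -> float:
        """One Check-period tick. Returns the amount (GB) of old alert data to remove now."""
        if not self.removing and used_gb >= self.cfg.action_gb:
            self.removing = True
            self.log.append(f"used {used_gb:g} GB >= Action Limit {self.cfg.action_gb:g} GB: start removing")
        if not self.removing:
            return 0.0
        if used_gb <= self.cfg.clearance_gb:
            self.removing = False
            self.log.append(f"used {used_gb:g} GB <= Clearance Limit {self.cfg.clearance_gb:g} GB: stop")
            return 0.0
        return used_gb - self.cfg.clearance_gb


def simulate(cfg: SpaceManagementConfig, usage_gb: List[float]) -> Tuple[List[float], List[str]]:
    """Run a constructed series of usage samples (one per Check period) through the controller."""
    mgr = SpaceManager(cfg)
    return [mgr.check(u) for u in usage_gb], mgr.log


if __name__ == "__main__":
    # Constructed configuration: 25 GB database on a partition with 40 GB free.
    cfg = SpaceManagementConfig(max_space_gb=25, action_limit_pct=90,
                                clearance_limit_pct=70, partition_free_gb=40)
    print("config problems:", cfg.validate() or "none")
    removals, log = simulate(cfg, [10, 20, 23, 17.5, 20])
    print("GB to remove per check:", removals)
    print("\n".join(log))
```

With the constructed figures, usage of 23 GB crosses the 22.5 GB Action Limit, 5.5 GB is removed to reach the 17.5 GB Clearance Limit, and the later 20 GB sample causes no removal because it is below the Action Limit.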

You can use the space recovery script to recover available database space for an IPS-1 Alerts Concentrator and return it to the operating system for other uses. Optionally, this script can also perform extensive checks and fixes and optimize indexes. To enable periodic execution during specified windows, you can run the script as a cron job.

Warning - Run this script only if there is a large amount of free space that must be recovered. When this script is run on an IPS-1 Alerts Concentrator, it may take several hours to complete. The script shuts down the IPS-1 Alerts Concentrator (and, in a Combined installation, the IPS-1 Management Server) while it runs, which means that the IPS-1 system will be inoperative during this period (except in a non-combined installation with Alerts Concentrator High Availability). IPS-1 Sensors will continue to function and to buffer alerts until the server is back online, but alerts will not be visible on the IPS-1 Management Dashboard until the Alerts Concentrator is back online.

Note - There must be enough free space for the script to make a copy of the largest database table; it skips any tables that are too big to copy.

To run the Space Recovery script:

1. Log in to the Alerts Concentrator host as the ips1 user (run: su - ips1).
2. From $IPS1DIR/alcr, run the following:

   sdb-optimize.sh [-h] [-e]

The options are:

Table 2-1
-h   Provides detailed help text.
-e   Performs a check for database errors and attempts to recover the data.

Note - The -e option lengthens the time the script takes to run.

Note - Alerts and events will not be written to the database while these scripts are executing. Except with Alerts Concentrator High Availability, alerts will be queued on the Sensors until the Alerts Concentrator is back online.

Alerts Concentrator High Availability

To ensure continuity of information flow from IPS-1 Sensors to the IPS-1 Management Server in the event of an IPS-1 Alerts Concentrator failure, you can configure an IPS-1 Sensor to report to a backup IPS-1 Alerts Concentrator. This automatically redirects alerts and packet capture data to the backup Alerts Concentrator if the primary Alerts Concentrator, or the Sensor's connection with it, fails.

You can deploy the backup Alerts Concentrator in the same network as the primary Alerts Concentrator. If the primary Alerts Concentrator fails, the backup Alerts Concentrator becomes active. Once a Sensor fails over to a backup Alerts Concentrator, it continues communicating with that Alerts Concentrator until:
1) the backup Alerts Concentrator fails;
2) the Sensor receives a quick restart command (this includes receiving a policy push);
3) the Sensor is rebooted.
The Sensor then attempts to communicate with the primary Alerts Concentrator.

The failover process is independent for each Sensor; in certain situations (such as a network interruption) some Sensors from Group A in the illustration could be communicating with Alerts Concentrator A and others with Alerts Concentrator B.

As shown in the following diagram, you can designate some IPS-1 Sensors' active Alerts Concentrator as the backup Alerts Concentrator for other Sensors.

Figure 2-1 Alerts Concentrator High Availability

The Sensors in group A send alert data to Alerts Concentrator A, and only in case of Alerts Concentrator A's failure, to Alerts Concentrator B. The Sensors in group B send alert data to Alerts Concentrator B, and only in case of Alerts Concentrator B's failure, to Alerts Concentrator A.

To configure Alerts Concentrator High Availability, perform the following for each IPS-1 Sensor:

1. The Sensor itself must be configured for Alerts Concentrator High Availability. If this was not done during Sensor installation, configure it as follows:
   Note - On Power Sensors, first log in as the nfr user.
   a. On the Sensor, run: cpconfig
   b. Select Network Settings.
   c. Select Configure IPS-1 Mgmt Server / Alerts Concentrator.
   d. Type the IP addresses of the active Alerts Concentrator and of the second Alerts Concentrator. The second Alerts Concentrator will function as a backup until failure of the first Alerts Concentrator.
   e. Type and confirm the activation key configured in the Alerts Concentrators.
   f. Select Save.
   g. Select Return to main menu.
2. Log into the IPS-1 Management Server with the IPS-1 Management Dashboard, and add the Sensor to the second Alerts Concentrator, as follows:
   a. In Policy Manager's Sensors and Concentrators tab, select and right-click the second Alerts Concentrator. Select Add Existing Sensor.
   b. Select the appropriate Sensor, and click OK, and OK.
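The failover rules above (fail over when the current Alerts Concentrator is unreachable, stay on the backup until it fails or the Sensor is quick-restarted or rebooted, buffer alerts while nothing is reachable) are easy to misread when planning a deployment, so here they are as an added example. This is not IPS-1 code; it is a small model of one Sensor's choice of Alerts Concentrator. The concentrator names, the shared reachability table and the event sequence in run_scenario() are constructed.

```python
"""Sensor-side failover between a primary and a backup Alerts Concentrator.

Added example, not IPS-1 code. Names, the reachability table and the scenario
are constructed; the switching rules follow the section above.
"""
from typing import Dict, List, Optional, Tuple


class SensorFailover:
    def __init__(self, sensor: str, primary: str, backup: str, reachable: Dict[str, bool]):
        self.sensor = sensor
        self.primary = primary
        self.backup = backup
        self.reachable = reachable    # shared view of which concentrators are currently up
        self.current = primary        # concentrator this Sensor currently reports to
        self.buffered = 0             # alerts held on the Sensor while nothing is reachable
        self.history: List[str] = []

    def _switch(self, target: str, why: str) -> None:
        self.history.append(f"{self.sensor}: {self.current} -> {target} ({why})")
        self.current = target

    def send_alert(self) -> Optional[str]:
        """Deliver one alert; returns the concentrator that received it, or None if buffered."""
        if self.reachable.get(self.current, False):
            return self.current
        # The concentrator in use (or the path to it) has failed: try the other one.
        other = self.backup if self.current == self.primary else self.primary
        if self.reachable.get(other, False):
            self._switch(other, "current concentrator unreachable")
            return other
        self.buffered += 1            # both down: buffer until a server is back online
        return None

    def quick_restart(self) -> None:
        """Quick restart (a policy push also causes one): the Sensor tries its primary again."""
        if self.current != self.primary:
            self._switch(self.primary, "quick restart")

    def reboot(self) -> None:
        """A reboot has the same effect on the choice of concentrator as a quick restart."""
        if self.current != self.primary:
            self._switch(self.primary, "reboot")


def run_scenario() -> Tuple[List[Optional[str]], int, List[str]]:
    """Constructed sequence for one Sensor of group A; returns (receivers, buffered, history)."""
    net = {"Concentrator-A": True, "Concentrator-B": True}
    s = SensorFailover("sensor-a1", "Concentrator-A", "Concentrator-B", net)
    received = [s.send_alert()]                 # normal operation: primary A
    net["Concentrator-A"] = False
    received.append(s.send_alert())             # A down: fail over to backup B
    net["Concentrator-A"] = True
    received.append(s.send_alert())             # A is back, but the Sensor stays on B
    s.quick_restart()                           # e.g. a policy push
    received.append(s.send_alert())             # back on primary A
    net["Concentrator-A"] = net["Concentrator-B"] = False
    received.append(s.send_alert())             # nothing reachable: alert buffered on the Sensor
    return received, s.buffered, s.history


if __name__ == "__main__":
    received, buffered, history = run_scenario()
    print("received by:", received)
    print("buffered on Sensor:", buffered)
    print("\n".join(history))
```

The third step is the one worth noticing operationally: after the primary recovers, the Sensor keeps reporting to the backup until a quick restart, a policy push or a reboot, so a mixed picture in System Status after an outage is expected rather than a fault.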

Managing the IPS-1 Sensor

In This Section
Connecting to the IPS-1 Sensor page 47
IPS-1 Sensor Modes page 47
Configuring Other Sensor Definitions page 50
Shutting Down or Restarting the IPS-1 Sensor page 52
Deleting Backlogged Sensor Data page 53
Resolving IPS-1 Sensor Communications Issues page 53

Connecting to the IPS-1 Sensor

You can run commands on the IPS-1 Sensor in one of three ways, depending on hardware configuration:
- A connected keyboard and monitor.
- A serial console (DTE to DTE), using terminal emulation software such as HyperTerminal (from Windows) or Minicom (from Unix/Linux systems). Connection parameters for Check Point appliances are:
  - For a regular (non-power) IPS-1 Sensor appliance: 9600bps, no parity, 1 stop bit (8N1).
  - For an IPS-1 Power Sensor: bps, 8 bit, no parity, 1 stop bit, no hardware or software (xon/xoff) flow control.
  For third-party hardware connection parameters, see the third-party documentation.
- An SSH connection to the Sensor's management interface (if sshd is configured).

IPS-1 Sensor Modes

In This Section
Sensor Modes Overview page 48
Changing the Sensor Mode (Software) page 49
Changing the Sensor Mode (Hardware) page 49

Sensor Modes Overview

In most cases, IPS-1 Sensors should be placed inline, so that all of the traffic to be monitored flows through the IPS-1 Sensor. This enables intrusion prevention. In this configuration, Sensors can drop traffic detected as an attack, according to defined and configurable confidence indexing. In some cases, such as in a complex switching environment in a network core, Sensors may need to be placed in passive mode, in which case they perform intrusion detection only.

Inline Sensors' behavior upon failure can be configured to be either open, passing through all traffic, or closed, severing the traffic path.

Inline Sensors can be set to Monitor-Only (bridge) mode, to avoid the possibility of blocking valid traffic. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.

The IPS-1 Sensor is configured for one of four different modes:
- IDS (passive): intrusion detection (IDS) with no prevention. In this mode, every interface other than the management interface can be used for monitoring.
- IPS Monitor-Only (inline, fail-open): inline mode without actual prevention. Packets are returned to the network before processing for attack detection. In fault conditions, all packets continue to be passed through. You can use this mode to see which traffic would have been dropped in the other IPS modes, making Monitor-Only mode useful during a system-tuning period before switching to actual intrusion prevention. See Avoiding False Positives on page 73 for details. Monitor-Only mode is also useful for checking whether an IPS-mode Sensor is responsible for unexplained traffic dropping.
- IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are temporarily dropped.
- IPS (inline, fail-open): inline intrusion prevention. In fault conditions, interfaces revert to bypass mode.

Fault conditions are:
- The Sensor has not completed booting and initializing.
- The Sensor loses power, or suffers another hardware failure (dependent on hardware bypass NIC).
- The Sensor has crashed (dependent on hardware bypass NIC).

When an interface pair is in bypass mode as a result of a failure, the bypass interfaces in most Sensor models act as a crossover connection between the two systems on either side of the Sensor. The four front-left copper interfaces on the new 200C/F and new 500C/F act as a straight-through connection when in bypass mode. All other hardware bypass pairs act as crossover connections when they are in bypass mode.

Changing the Sensor Mode (Software)

The IPS-1 Sensor mode is set during Sensor installation. To change the mode:

1. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
2. Select the desired mode, and click OK.

Warning - When changing a Sensor from an IPS (inline) mode to IDS (passive) mode or from IDS (passive) mode to an IPS (inline) mode, you MUST also reconfigure the cabling to change its position within the network. Failure to do so may stop the flow of network traffic or allow traffic to pass between the networks attached to the Sensor.

The IPS-1 Sensor is restarted in the new mode.

Changing the Sensor Mode (Hardware)

The IPS-1 Sensor 50 and Sensor 20 models are ordered and delivered as SKU "P", for "IPS Monitor-Only" and "IPS (inline fail-open)" modes, or SKU "D", for "IPS (inline, fail-closed)" and "IDS (passive)" modes. Switching between the two configurations requires two steps in addition to changing the Sensor's operating mode in software: an internal hardware setting change and a BIOS change.

1. Change the position of the red hardware jumper switch on the system's motherboard near the Ethernet ports on the front of the chassis. For passthrough modes (monitor-only and fail-closed), the switch must be positioned to the rear of the unit, near pins 6 & 7. For non-passthrough modes (fail-closed and passive), the switch must be positioned to the front of the unit, near pins 1 and
2. Boot the Sensor.

3. Wait for the following message during the POST:

   TO ENTER SETUP BEFORE BOOT PRESS <CTRL-ALT-ESC> OR <DEL> KEY

   Press the <Del> key or press the <Ctrl>, <Alt>, and <Esc> keys to enter the system's BIOS Setup.
4. On the 'Integrated Peripherals' screen, "Onboard By-PASS Active" should be set to "[Enabled]" for passthrough modes, and "[Disabled]" for non-passthrough modes.
5. Exit the BIOS Setup and continue with the boot process.

Warranty note: Check Point will not void the warranty of units that have been opened for this purpose. A Check Point SE is not required to make the change, but Professional Services can be arranged if the customer elects not to make the changes themselves.

Configuring Other Sensor Definitions

In This Section
Regular (non-power) IPS-1 Sensor Configuration page 50
IPS-1 Power Sensor Configuration page 51

Regular (non-power) IPS-1 Sensor Configuration

For regular (non-power) IPS-1 Sensors, you can use the Check Point Configuration Tool to configure the following values on the IPS-1 Sensor:
- Inline interface pairs (ignored for Passive mode)
  Note - Interfaces associated with hardware bypass NICs cannot be changed. The information is displayed read-only.
- IP address of Alerts Concentrator(s)
- Activation Key, with which the Alerts Concentrator is authenticated to the Sensor.

To change any of these values:

1. On the IPS-1 Sensor, run: cpconfig
2. Select Network Settings.
3. Select the relevant options.
4. When you are finished setting the options on the Sensor, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy.

The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).

Other values, such as networking information, date and time, and host name, are configured with SecurePlatform's System Configuration Tool, as follows:

1. On the Sensor, run: sysconfig
2. Select the relevant options.
3. When you are finished setting the options on the Sensor, if the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
4. Make the change and click OK.
5. Install Policy.

The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).

IPS-1 Power Sensor Configuration

IPS-1 Power Sensor configuration is performed through its Management Menu, as follows:

1. To access the Management Menu, log in to the Power Sensor as nfr. The Management Menu appears.
2. Select the relevant options.

3. When you are finished setting the options on the Sensor, you may be prompted to restart the Sensor for the changes to take effect.
4. If the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy.

Shutting Down or Restarting the IPS-1 Sensor

Direct CLI shutdown or reboot

On a regular (non-power) IPS-1 Sensor, use SecurePlatform's shutdown or reboot command. On an IPS-1 Power Sensor, log in as nfr and select Halt or Restart. In both cases, the operating system (not just the Sensor processes) is completely shut down.

Remote Restart or Reboot

You can remotely restart the Sensor's IPS-1 software or completely reboot the Sensor machine from the IPS-1 Management Dashboard. You can restart or reboot an individual Sensor, or simultaneously all Sensors of a selected Alerts Concentrator.

To remotely restart or reboot one IPS-1 Sensor or all IPS-1 Sensors:

1. In Policy Manager's Sensors and Concentrators tab, select and right-click an individual Sensor, or an Alerts Concentrator.
2. Select one of the following:
   - Restart Sensors (all the Sensors of the selected Alerts Concentrator)
   - Reboot Sensors (all the Sensors of the selected Alerts Concentrator)
   - Restart <Name of Sensor>
   - Reboot <Name of Sensor>

Note - Rebooting generates a progress window. Restarting produces no visible result.

Deleting Backlogged Sensor Data

If an IPS-1 Sensor has been out of communication with the Alerts Concentrator for a long period of time, the Sensor may have accumulated a large amount of data, which can take a long time to transfer to the Alerts Concentrator. If you don't need the accumulated data, you may want to delete it from the Sensor, as follows:

1. On a regular (non-power) IPS-1 Sensor, run: cpconfig
   Or, on an IPS-1 Power Sensor, log in as nfr. The Management Menu appears.
2. Select Purge all data, and press y to confirm.

Resolving IPS-1 Sensor Communications Issues

In This Section
Introduction page 53
Overriding Auto-Negotiation Settings for Power Sensors page 54
Restoring Auto-Negotiation Settings page 55

Introduction

If your IPS-1 Sensor and IPS-1 Alerts Concentrator are communicating through a switch, you may need to configure the switch and IPS-1 Sensor interface link speed and duplex settings manually. A duplex mismatch will not necessarily prevent all communication. However, it will cause severe performance and communication issues. This section explains how to deal with broken auto-negotiation implementations between interface cards. However, there is rarely a need to disable auto-negotiation.

The results of a duplex setting mismatch depend on the interface speed. The following table shows the results of two systems (such as the Sensor and the switch) connected using various duplex settings and a 10/100 Mbps network interface.

Table 2-2
System A      System B      Link Status
Auto          Auto          full-duplex
Auto          full-duplex   System A will fall back to half-duplex since System B is not doing auto-negotiation, and the systems will fail to communicate properly
Auto          half-duplex   System A will fall back to half-duplex since System B is not doing auto-negotiation, and the systems will fail to communicate properly
full-duplex   full-duplex   full-duplex
half-duplex   half-duplex   half-duplex

The following table shows the link status of two systems (such as the Sensor and the switch) connected using various duplex settings and a Gigabit network interface.

Table 2-3
System A   System B   Results
Auto       Auto       up
disabled   disabled   up
Auto       disabled   down

Overriding Auto-Negotiation Settings for Power Sensors

To override auto-negotiation settings:

1. Type cpconfig and press Enter. The Management Menu appears.
2. Select Network.
3. Select Set interface media and duplex.
4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the desired interface, and press Enter to display all settings for the interface.
5. Select a setting, and select Save.

Restoring Auto-Negotiation Settings

You can revert to auto-negotiation settings from the IPS-1 Sensor Management Menu.

To revert to auto-negotiation settings from the IPS-1 Sensor:

1. Type cpconfig and press Enter. The Management Menu appears.
2. Select Network.
3. Select Set interface media and duplex.
4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the desired interface, and press Enter to display all settings for the interface.
5. Select Auto, and select Save.

Starting and Stopping the IPS-1 Servers

To start, stop or restart the IPS-1 Management Server or Alerts Concentrator:

1. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, change user to ips1 by entering su - ips1.
2. Run the desired command according to the following syntax:

   /etc/init.d/ips1 <start [alcr|db|ips1server] | stop [alcr|db|ips1server] | status>

The options are:
- start: start the Alerts Concentrator (alcr), the database (db), the IPS-1 Management Server (ips1server), or, by default, everything
- stop: stop the Alerts Concentrator (alcr), the database (db), the IPS-1 Management Server (ips1server), or, by default, everything
- status: report on what is currently running

The output of /etc/init.d/ips1 status looks like:

   The IPS-1 database (mysql) is running with process ID
   The IPS-1 Alerts Concentrator watchdog (nfrwatch) is running with process ID
   The IPS-1 Management Server is running with pid
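Because the status output above is plain text, a simple parser turns it into a health check that can run from cron or a monitoring agent and report which IPS-1 component is down. The following is an added example and not part of IPS-1: it follows the three line shapes shown above, the process IDs in the constructed samples are invented, and the wording of a "not running" line is an assumption (any line that does not match the running pattern is treated as not running).

```python
"""Parse the output of "/etc/init.d/ips1 status" and flag components that are not running.

Added example, not part of IPS-1. Sample outputs are constructed (PIDs invented);
the "is not running" wording is an assumption.
"""
import re
import subprocess
from typing import Dict, List, Sequence

# Components a Combined installation should report, named as the status command prints them.
EXPECTED = ("database (mysql)", "Alerts Concentrator watchdog (nfrwatch)", "Management Server")

# "The IPS-1 <component> is running with process ID <n>"  or  "... is running with pid <n>"
RUNNING_RE = re.compile(r"^The IPS-1 (?P<component>.+?) is running with (?:process ID|pid) (?P<pid>\d+)$")

# Constructed sample outputs.
SAMPLE_HEALTHY = """\
The IPS-1 database (mysql) is running with process ID 1234
The IPS-1 Alerts Concentrator watchdog (nfrwatch) is running with process ID 1250
The IPS-1 Management Server is running with pid 1302
"""
SAMPLE_DEGRADED = """\
The IPS-1 database (mysql) is running with process ID 1234
The IPS-1 Alerts Concentrator watchdog (nfrwatch) is not running
"""


def parse_ips1_status(text: str) -> Dict[str, int]:
    """Return {component: pid} for every line that reports a running component."""
    running = {}
    for line in text.splitlines():
        m = RUNNING_RE.match(line.strip())
        if m:
            running[m.group("component")] = int(m.group("pid"))
    return running


def not_running(text: str, expected: Sequence[str] = EXPECTED) -> List[str]:
    """Expected components that have no 'running' line in the status output."""
    running = parse_ips1_status(text)
    return [c for c in expected if c not in running]


def exit_code(text: str, expected: Sequence[str] = EXPECTED) -> int:
    """0 if everything expected is running, 2 otherwise (monitoring-style result)."""
    return 0 if not not_running(text, expected) else 2


if __name__ == "__main__":
    # On the server itself (after "expert" or "su - ips1"), check the live output.
    out = subprocess.run(["/etc/init.d/ips1", "status"], capture_output=True, text=True).stdout
    missing = not_running(out)
    print("all IPS-1 components running" if not missing else "NOT running: " + ", ".join(missing))
    raise SystemExit(exit_code(out))
```

On a host that runs only an Alerts Concentrator, pass a narrower `expected` tuple (for example without "Management Server") so that the check does not report a component that was never installed there.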

Uninstalling the IPS-1 Servers

To uninstall the IPS-1 Management Server and/or Alerts Concentrator:

1. Stop the IPS-1 processes, as follows:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Change to the ips1 user, by running: su - ips1
   c. Run: ips1 -n stop
2. From outside the IPS-1 directories (/opt/cpips1-r65 and /var/opt/cpips1-r65), perform one of the following:
   - On SecurePlatform, run the following:
     expert
     rpm -e CPips1-R65
   - On Linux, run the following:
     rpm -e CPips1-R65
   - On Solaris, run the following:
     pkgrm CPips1-R65

All IPS-1 files and data are removed.

Viewing System Status Information

In This Section
System Status in the IPS-1 Management Dashboard page 58
Viewing Sensor History page 61
Viewing the IPS-1 Status Monitor page 62

System Status in the IPS-1 Management Dashboard

In This Section
Viewing System Status in the IPS-1 Management Dashboard page 58
Alerts Concentrator Status Fields page 60
Sensor Status Fields page 61

Viewing System Status in the IPS-1 Management Dashboard

To view in a single window the activity and communication status of the Alerts Concentrators and Sensors: From the Alert Browser's Tools menu, select System Status; or, click the System Status icon:

Select All or select an item in the list on the left to view its status. For explanations of the status fields, see the following sections.

You can copy information from Status windows to the clipboard, by using context (right-click) menu commands.

Alerts Concentrator Status Fields

For an Alerts Concentrator, the following information is displayed:
- Alerts Concentrator: Provides the name of the server.
- Connection Status: Provides the status of the server's connection. Green means the connection is active. Red means the connection is inactive.
- Sensor Name: Provides the name of the IPS-1 Sensor.
- Status (of IPS-1 Sensor): Provides the status of the IPS-1 Sensor.
- Last Status Time: Provides the timestamp of the last message received from the server.

Sensor Status Fields

For a Sensor, the following information is displayed:

Viewing Sensor History

To view the history of an IPS-1 Sensor from a specified time frame:

1. Open the Sensor's Status window, as explained in the previous section, System Status in the IPS-1 Management Dashboard on page 58.

2. Click View History.
3. Select the desired Start and End Time, and click OK. The Sensor's history appears.

Viewing the IPS-1 Status Monitor

To view IPS-1 Sensor status information, run the following command on the Sensor: ipsstats

The following information is displayed:
- System start time: Date and time the IPS-1 Sensor was last restarted
- CPU: Average percentage of Sensor CPU capacity used in the last hour
- Real Memory: Total installed and available memory
- Virtual Memory: Total RAM + Virtual (Swap)
- Disk Space: Total installed and available disk space
- Packet Reception
  - Total: Number of packets since system start time
  - Current: Number of packets per second during the past two-second time interval
  - Average: Average number of packets seen per second in the last hour
  - Peak: Highest number of packets seen per second in the last hour

- Protocols
  - Installed: Number of installed protocols
  - Loaded: Number of successfully loaded protocols
  - Failed: Number of protocols that failed to load
  Note - The IPS-1 Sensor generates an alert if part of a protection package fails to load. This usually means that the package has a syntax error or a required variable is undefined.
- Protection Groups
  - Installed: Number of installed protection groups
  - Loaded: Number of successfully loaded protection groups
  - Failed: Number of protection groups that failed to load
- Current time (located in the lower right-hand corner of the screen)

From the Status Monitor, press any key to display the Management Menu, or press Ctrl-C to return to the command line.


Chapter 3 Managing Attack Detection and Prevention

In This Chapter
Overview page 66
Updating Attack Signatures page 67
Avoiding False Positives page 73
Managing Protections page 74
System-Wide Attack Correlation page 89

Overview

In a typical multi-sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by the administrator enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in active, inline (non-passive, non-bridge) mode block traffic identified as an attack; alternatively, some protections can be set to Monitor-Only, to generate alerts without blocking traffic. You can configure other aspects of the protections as well.

Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, from there sent to the Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.

Updating Attack Signatures

Check Point is continuously updating attack detection code to combat evolving threats. To keep your network security up-to-date, it is important to frequently update attack signatures from Check Point's online update server. You can configure the system to automatically retrieve updates, and you can also manually initiate an update from Check Point's online update server or from locally saved files, obtainable from Check Point's User Center.

Note - A firewall situated between the IPS-1 Management Server and the Internet must be configured to permit outbound TCP connections from the IPS-1 Management Server to ips-packages.checkpoint.com on port

In This Section
Configuring Automatic Attack Signature Updates page 67
Manually Updating Attack Signatures page 70

Configuring Automatic Attack Signature Updates

To set automatic periodic attack signature updates from Check Point's package server:

1. From Policy Manager's Policy Manager menu, select Auto-Update Settings. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Auto-Update Settings.

The following window appears:

2. Verify the Package Server and connection information, which should be:
   Server Address: ips-packages.checkpoint.com
   Server Port:
3. If the IPS-1 Management Server is behind a proxy server, select Use Proxy and type your proxy server connection and authentication information. Click Next.

The following window appears:

4. Select a frequency for automatic updates. Selecting an option other than Disabled causes time and date fields (for the first update) to appear, as follows:

5. Schedule the first update as needed. To choose a date from a calendar, click the calendar button. For the first update to occur immediately, click Now.
6. Click Finish and close the Policy Manager.

The first update will automatically occur when specified, and will continue from then according to the specified frequency. After each automatic update, the IPS-1 Management Server transmits the attack signatures to the Alerts Concentrators and IPS-1 Sensors that were selected when the last manual Install Policy was performed.

Manually Updating Attack Signatures

To manually update attack signatures from Check Point's package server or from locally saved files, obtainable from Check Point's User Center: From Policy Manager's Policy Manager menu, select Online Update. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Online Update.

A two-page wizard starts, beginning with the Download Package page:

Configure the package update as follows:

1. Select an attack signature package source. In most cases, this should be Check Point's Package Server. Other options are:
   - Local File - files that have been downloaded from Check Point's User Center to a local drive on the Management Dashboard user's computer or network. This is useful if the IPS-1 Management Server cannot access the Internet, or for users who have edited the files' N-Code. If you select to update from a file, browse to the file, click Next, and proceed to step 4.
   - Management Server/Alerts Concentrator - uploads an Alerts Concentrator's current attack signatures to the IPS-1 Management Server. This is useful when one Alerts Concentrator is more up-to-date than another, or on first setup of a newly installed IPS-1 Management Server, as a temporary measure (a newly installed Alerts Concentrator comes with a default set of attack signatures). If you select to upload from an Alerts Concentrator, select the desired Alerts Concentrator, click Next, and proceed to step 4. Remember to update the attack signatures as soon as possible afterwards.
   - Skip Download - This option is not available if no attack signature package yet exists on the IPS-1 Management Server.

2. Verify the Package Server information, which should be:
   Server Address: ips-packages.checkpoint.com
   Server Port:
3. If the IPS-1 Management Server is behind a proxy server, you may need to select Use Proxy and type your proxy server connection and authentication information. Click Next.

Once the packages are available, the Install Packages page appears:

4. Select protocols and protection groups for which to update attack signatures. Information and file contents for the selected protocols and protection groups are displayed on the right. When in doubt, it is better to install and then disable a package in Policy Manager than to not install it. Some protocols and protection groups depend on others being present to be able to work.

   When you complete this wizard, attack signatures will be updated only on the IPS-1 Management Server. You will still need to install policy on the Alerts Concentrator(s) and IPS-1 Sensors.

   Click Finish to initiate the update.

Avoiding False Positives

As with any IPS system, before your protection settings are fully adapted to your network, the risk of false positives may be greater than otherwise. For this reason, it is recommended to start out with attack detection only, and then gradually increase the level of prevention. The modes and settings below allow you to reduce prevention, thus minimizing the risk of false positives. Of course, any reduction in prevention may increase the risk of a successful attack.

Individual protection pages in Policy Manager's Protection tab (the lowest-level items in the Protection Settings navigation tree) contain protection description text, including per-protection assessments of the risk of a false positive.

- Sensor Monitor-Only mode: In this mode, an inline IPS-1 Sensor generates alerts without actually preventing traffic. For more details, see IPS-1 Sensor Modes on page 47. As preparation for changing the IPS-1 Sensor to a prevention mode, you can enable special alerts to notify you when traffic would have been prevented with the IPS-1 Sensor in other modes, as follows:
  1. In Policy Manager's Policy Manager menu, enable Show Advanced Settings.
  2. In the System Settings tab, in the left-hand navigation tree, under Attack, select Intrusion Prevention.
  3. In the right-hand settings page, select Intrusion Prevention Notifications.
  When you do change the IPS-1 Sensor to a prevention mode, remember to clear Intrusion Prevention Notifications.
- Whitelisting: Important hosts can be added to the Servers Whitelist or to the Client Whitelist. Traffic from these hosts will be inspected for attacks but will not be blocked if attacks are detected. For details, see Exempting Hosts from Inspection or Prevention on page 87.
- Monitor-Only protection setting: All or some protections can be set to Monitor Only. For details, see Protection-Level Settings on page 82 and One-Click Configuration of All Protocols and Protections on page 83.
- Confidence Indexing: By default, active protections that are not in Monitor-Only mode drop traffic when the confidence of it being an attack is at least 50%. You can, in individual protection pages, select Active upon Confidence (not available for protection groups or protocols), and raise the Confidence value, so that only high-confidence attack traffic is dropped. See Protection Modes on page 81 for details.
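The four settings above interact: the Sensor mode decides whether dropping is possible at all, the protection mode and confidence threshold decide whether this match qualifies for dropping, and the whitelists exempt specific hosts from blocking while leaving them inspected. The following added example (not IPS-1 code) puts those rules into one decision function so the combined effect of a tuning plan can be seen before policy is installed. The Sensor mode names follow the "IPS-1 Sensor Modes" section and the protection modes and 50% default follow the text above; the evaluation order, the verdict strings and the sample flows are assumptions made for illustration.

```python
"""Which action a protection takes for one flow, combining the settings in this section.

Added example, not IPS-1 code. Evaluation order, verdict strings and the
sample flows are assumptions; the rules follow the section above.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

DEFAULT_CONFIDENCE = 50   # percent; default drop threshold for active protections

IDS = "IDS (passive)"
IPS_MONITOR_ONLY = "IPS Monitor-Only (inline, fail-open)"
IPS_INLINE = "IPS (inline)"   # fail-open and fail-closed prevent identically while healthy


@dataclass(frozen=True)
class Protection:
    name: str
    mode: str                               # "Active", "Active upon Confidence", "Monitor-Only", "Disabled"
    confidence: int = DEFAULT_CONFIDENCE    # threshold, used only in "Active upon Confidence"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    matched: bool                           # the protection's signature matched this traffic
    confidence: int                         # % confidence reported for the match


def decide(sensor_mode: str, prot: Protection, flow: Flow,
           server_whitelist: FrozenSet[str] = frozenset(),
           client_whitelist: FrozenSet[str] = frozenset()) -> str:
    """Return "pass", "alert", "drop", or "alert (would drop)" (the Intrusion
    Prevention Notification case on a Monitor-Only Sensor)."""
    if prot.mode == "Disabled" or not flow.matched:
        return "pass"
    threshold = prot.confidence if prot.mode == "Active upon Confidence" else DEFAULT_CONFIDENCE
    # Whitelisted hosts are still inspected (we got here) but are never blocked.
    exempt = flow.src in client_whitelist or flow.dst in server_whitelist
    prevent = (prot.mode in ("Active", "Active upon Confidence")
               and flow.confidence >= threshold
               and not exempt)
    if sensor_mode == IPS_INLINE and prevent:
        return "drop"
    if sensor_mode == IPS_MONITOR_ONLY and prevent:
        return "alert (would drop)"
    return "alert"          # detected and logged; traffic not blocked


def run_examples() -> List[str]:
    """Constructed cases, one per setting discussed above."""
    active = Protection("example-signature", "Active")
    high_only = Protection("example-signature", "Active upon Confidence", confidence=80)
    monitor = Protection("example-signature", "Monitor-Only")
    attack = Flow("192.0.2.10", "198.51.100.5", matched=True, confidence=60)
    servers = frozenset({"198.51.100.5"})
    return [
        decide(IPS_INLINE, active, attack),                            # drop
        decide(IPS_INLINE, high_only, attack),                         # alert: 60% < 80% threshold
        decide(IPS_INLINE, active, attack, server_whitelist=servers),  # alert: destination whitelisted
        decide(IPS_INLINE, monitor, attack),                           # alert: protection is Monitor-Only
        decide(IPS_MONITOR_ONLY, active, attack),                      # alert (would drop)
        decide(IDS, active, attack),                                   # alert: passive Sensor
        decide(IPS_INLINE, Protection("x", "Disabled"), attack),       # pass
    ]


if __name__ == "__main__":
    for verdict in run_examples():
        print(verdict)
```

The "alert (would drop)" verdict is the signal the tuning period is meant to surface: every flow that produces it on a Monitor-Only Sensor is one that the same policy would have blocked once the Sensor is switched to a prevention mode.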

Managing Protections

In This Section
Overview page 74
Managing Protection Profiles page 75
Configuring Protections page 77
Viewing and Copying Comprehensive Protection Settings page 85
Exempting Hosts from Inspection or Prevention page 87

Overview

In a typical multi-sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in inline active (non-passive, non-bridge) mode will block traffic identified as an attack. Alternatively, the protection can be set to Monitor-Only so that it generates alerts without blocking traffic.

Some protections define an attack according to specific thresholds with default values. You can fine-tune these protections according to your needs by changing these values.

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection Profile, which is then installed on IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same Profile. Similar Profiles can be easily managed by cloning or copying settings.

Detection and prevention are also affected by system settings that apply to protections in general, for each IPS-1 Sensor, or protection Profile. Most of these have reasonable default values and are visible only when Advanced Settings are enabled (from Policy Manager's Policy Manager menu).

The Protection Overview feature enables viewing system-wide protection settings and is a valuable tool for implementing protection throughout a complex deployment. For details, see Viewing and Copying Comprehensive Protection Settings on page 85.

Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, sent from there to the Alerts Concentrator, and then mirrored out to the individual IPS-1 Sensors.

Managing Protection Profiles

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on the IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same profile. Similar Profiles can be easily managed by cloning or copying settings.

In This Section
Creating a New Profile page 75
Managing Similar Profiles page 75
Associating an IPS-1 Sensor with a Profile page 76

Creating a New Profile

To create a new profile:
1. From Policy Manager's Protection tab, select Profile Management.
2. Click New and select Create New Profile.
3. Type a name for the profile and click OK.

Managing Similar Profiles

You can create a profile with protection settings similar to those of an existing profile by copying the existing profile's settings and then modifying them. You can either clone the original profile to create a new, identical profile, or copy its settings onto an existing profile, overriding that profile's original settings.

Cloning a Profile

To create a new profile with settings identical to those of an existing profile, clone the existing profile, as follows:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select the profile to be cloned.
3. Click New and select Clone Selected Profile.
4. Type a name for the new profile and click OK.

Copying a Profile's Settings onto an Existing Profile

To copy a profile's settings onto another profile, overriding its original settings:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select the profile to be copied and then right-click it. Select Copy... Settings.
3. Select the target profile and then right-click it. Select Paste Settings from....

Associating an IPS-1 Sensor with a Profile

To associate an IPS-1 Sensor with a particular protection profile:
1. From Policy Manager's Protections tab, select Profile Assignment.
2. Select the IPS-1 Sensor and then right-click it. Select Edit Assigned Profile for....
3. Select the desired profile and click OK.

Configuring Protections

In This Section
Overview page 77
Viewing Protection Information page 78
Protection Settings page 79

Overview

Protections are organized into a three-tier hierarchy:
Protocol: In most cases, a Protocol includes all the protections that are based on analysis of traffic of a particular protocol. A few Protocols, such as Authentication and Badfiles, perform specific types of analysis over most traffic protocols.
Protection Group: A sub-group of a Protocol, including a number of related protections. Some settings, such as numerical thresholds, are defined at the protection group level for all the protections in the group.
Protection: Detects, prevents, and alerts for a specific attack.

To view a categorized protection list, expand the Application Intelligence, Network Security, or Web Intelligence heading in the navigation pane of Policy Manager's Protection tab.

In the above figure, AOL Instant Messenger and Authentication are protocols; Authentication BE is a protection group; and alphanumpasswd_alert and alphapasswd_alert are protections.

If an item you expect to see is missing, either it is not installed or it is visible only in advanced mode. To install it, update the attack signature package. See Updating Attack Signatures on page 67 for details.

Selecting any list item displays its settings page in the right-hand pane, with description text below.

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on the IPS-1 Sensors associated with that profile. For information on managing profiles, see Managing Protection Profiles on page 75.

Viewing Protection Information

Each protocol, protection group, and protection comes with informative description text.

To view description text: In Policy Manager's Protection tab, under Protection Settings, select a protocol, protection group, or protection. The description text appears in the lower-right pane.

Description text includes some or all of the following headings:
Overview
Corroboration and Leads
Why this is Important
Technical Information (including explanations for unique settings)
False Positives
References

You can also view file contents for protocols and for protection groups. In the protocol or protection group's page, click Show Files.

Protection Settings

In This Section
Protection Settings Overview page 79
Protection Modes page 81
Protection-Level Settings page 82
One-Click Configuration of All Protocols and Protections page 83

Protection Settings Overview

Each protocol, protection group, or protection has various settings associated with it. These settings are located on the protocol, protection group, or protection page. Some settings are the same across different protocols and protections; these are described in the following sections.

Other settings are unique to the specific protocol, protection group, or protection and appear only on its page. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.

Note that the behavior of some protections is affected by general settings. These include local network addresses, defined in IPS-1 Sensor properties (in Policy Manager's Sensors and Concentrators tab), and various per-profile settings found in Policy Manager's System Settings tab.

Protocol settings affect all protection groups and protections under that protocol. Protection group settings affect all protections under that group.

Settings are per protection profile. You can configure settings differently for different profiles. Settings do not take effect until you Install Policy on the IPS-1 Sensors.

To display settings for a specific protocol, protection group, or protection, for a specific protection profile:
1. In Policy Manager's Protection tab, under Application Intelligence, Network Security, or Web Intelligence, select a protocol, protection group, or protection. The selected settings page appears in the upper-right pane.
2. In the Profile list, select a Profile. The settings for the selected Profile are now displayed.

Protection Modes

Protection Modes determine whether protections are applied to the traffic seen by the IPS-1 Sensors. Protection Modes can be set for a protocol, protection group, or protection, for each protection profile. Protection Modes are most commonly changed on the protections. Protection Modes include:
Active: the protection is applied to traffic seen by the IPS-1 Sensor.
Active upon Confidence: the protection is applied to traffic seen by the IPS-1 Sensor only if the traffic meets the Confidence Level set for the protection. This setting is not available on protocols or protection groups.
Inactive: the protection is not applied to traffic seen by the IPS-1 Sensor.

Changing the Protection Mode of a protocol, protection group, or protection may force the Protection Mode of its parent or children to change in order to avoid conflicting settings. For example, setting a protection to Active or Active upon Confidence automatically forces its parent protocol and protection group to Active as well. Similarly, setting a protocol or protection group to Inactive automatically forces its children to Inactive as well.

When activating a protocol or protection group, the Protection Mode of each child protection reverts to the setting it was last given. Therefore, when activating a protocol or protection group, verify the Protection Mode of each child protection individually to ensure that it has the desired Protection Mode.
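The cascade described above is easy to get wrong when reviewing a profile by hand, so here is an added model of it (example code written for this page, not Check Point's implementation). It assumes, as the text states, that activating an item forces its ancestors to Active, deactivating an item forces its descendants to Inactive, and reactivating an item returns each child to the mode it was last given; the further assumption that a forced activation counts as the ancestor's "last given" mode is marked in a comment. The node names come from the guide's figure; all nodes start Inactive.

```python
"""Model of how IPS-1 Protection Modes cascade between a protocol, its
protection groups and their protections.  Constructed example, not
Check Point code; node names are taken from the guide's figure."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ACTIVE = "Active"
ACTIVE_CONF = "Active upon Confidence"
INACTIVE = "Inactive"


@dataclass
class Node:
    name: str
    kind: str                      # "protocol", "group" or "protection"
    mode: str = INACTIVE           # mode currently in effect
    last_given: str = INACTIVE     # mode this node was last given
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def set_mode(node: Node, mode: str) -> None:
    """Apply a mode the way the Policy Manager GUI does, forcing parents and
    children as needed so that the settings never conflict."""
    if mode == ACTIVE_CONF and node.kind != "protection":
        raise ValueError("Active upon Confidence is only available on protections")
    node.mode = node.last_given = mode
    if mode == INACTIVE:
        _force_children_inactive(node)
    else:
        _force_parents_active(node)
        _restore_children(node)


def _force_parents_active(node: Node) -> None:
    # Activating an item forces every ancestor to Active.  Assumption: the
    # forced value counts as the ancestor's last given setting.
    p = node.parent
    while p is not None:
        p.mode = p.last_given = ACTIVE
        p = p.parent


def _force_children_inactive(node: Node) -> None:
    # Deactivating an item forces all descendants to Inactive, but each keeps
    # its last given setting so that it can revert later.
    for c in node.children.values():
        c.mode = INACTIVE
        _force_children_inactive(c)


def _restore_children(node: Node) -> None:
    # Activating an item reverts each child to the setting it was last given;
    # a child that reverts to Inactive keeps its own children Inactive.
    for c in node.children.values():
        c.mode = c.last_given
        if c.mode == INACTIVE:
            _force_children_inactive(c)
        else:
            _restore_children(c)


def modes(root: Node) -> Dict[str, str]:
    """Flatten the tree into {name: mode} for inspection."""
    out = {root.name: root.mode}
    for c in root.children.values():
        out.update(modes(c))
    return out


def build_sample() -> Node:
    """Authentication > Authentication BE > two protections, all Inactive."""
    proto = Node("Authentication", "protocol")
    group = proto.add(Node("Authentication BE", "group"))
    group.add(Node("alphanumpasswd_alert", "protection"))
    group.add(Node("alphapasswd_alert", "protection"))
    return proto


def walkthrough() -> Dict[str, str]:
    """Activate one protection, deactivate the protocol, reactivate it: the
    protection comes back in its old mode while its sibling stays Inactive,
    which is why the guide says to re-check every child."""
    proto = build_sample()
    group = proto.children["Authentication BE"]
    set_mode(group.children["alphapasswd_alert"], ACTIVE_CONF)
    assert modes(proto)["Authentication"] == ACTIVE        # forced upward
    set_mode(proto, INACTIVE)
    assert all(m == INACTIVE for m in modes(proto).values())
    set_mode(proto, ACTIVE)
    return modes(proto)


if __name__ == "__main__":
    for name, mode in walkthrough().items():
        print(f"{name:22s} {mode}")
```

Run it and the final state shows the point of the guide's caveat: after the protocol is reactivated, alphapasswd_alert is back in Active upon Confidence, alphanumpasswd_alert is still Inactive, and nothing in the protocol-level action tells you which is which.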

In any protection page:
To activate a protection for the selected protection profile, select Active, or right-click the Protection Mode cell and select Activate.
To configure Confidence Indexing for a protection, select Active upon Confidence, or right-click the Protection Mode cell and select Activate upon Confidence, and drag the slider to the desired confidence index. For details regarding Confidence Indexing, see Avoiding False Positives on page 73.
To disable a protection for the selected protection profile, select Inactive, or right-click the Protection Mode cell and select Deactivate.

After configuring settings, make sure to Install Policy.

Protection-Level Settings

The following settings appear on all protection pages (not on protection group or protocol pages):
Monitor only - no protection: When selected, the protection generates alerts but does not prevent traffic.
Add attackers to blacklist: This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When enabled, source IP addresses of attacks are blacklisted, causing subsequent traffic from those addresses to be blocked. The blacklisting lasts for the duration defined in Blacklist TCP (also Advanced-Settings only), found in the System Settings tab under Attack > Intrusion Prevention. The default duration is 0, and as long as the duration has not been configured to a non-zero value, this option is disabled. You can click the link here to go directly to the Blacklist TCP setting.
Note - Blacklisting only takes effect for attacks over TCP (in other protocols, the attack source could be spoofed), and only if the host is not explicitly Whitelisted (in Advanced Settings mode, in the Attack protocol).
Send TCP resets to attacker and victim (50%): This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When selected, upon attacks, IPS-1 sends protocol-appropriate reset signals to the attack source and destination IP addresses. For TCP, this is a TCP RST. For other IP protocols, this is an ICMP Administratively Prohibited message. 50% means the reset signal is sent only for attacks for which the confidence index is at least 50%.

Enable packet capture: When selected, attack packets are captured for viewing from the Alert Details. For details, see Packet Capture and Viewing on page 129.

There may be additional settings, unique to the specific protection. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.

After configuring settings, make sure to Install Policy.

One-Click Configuration of All Protocols and Protections

You can perform one-click actions that change settings for all protocols and protections, on a per-profile basis, as follows:
1. In Policy Manager's Protection tab, in the left-hand navigation tree, select Profile Management.
2. From the profile list, select a protection profile.
3. Click Actions, and select General Configuration.
4. The following actions are available:
Deactivate: For the selected profile, disables all protections.
Activate: For the selected profile, enables all available protections.
Monitor Only: For the selected profile, sets all enabled protections to Monitor Only, so that alerts are generated but attacks are not prevented.

Remove Monitor Only: For the selected profile, clears the Monitor Only setting from all protections, so that enabled protections can prevent attack traffic.
Reset: For the selected profile, resets protection settings to the default configuration.
5. Click Close.
6. Install Policy.

Viewing and Copying Comprehensive Protection Settings

In This Section
Opening Protection Overview page 85
Understanding Protection Overview page 85
Copying Protection Overview page 86

Opening Protection Overview

In Protection Overview you can view, in one window, the protection settings for all protections across all protection profiles.

To see Protection Overview: In Policy Manager's Protection tab, in the left-hand navigation tree, select Protection Overview.

Understanding Protection Overview

See the above section for an illustration of Protection Overview. The left-hand column lists all protection protocols, which can be expanded to show their respective protection groups, which can in turn be expanded to show their respective Variables.

Many Variables represent numeric or checkbox settings from the protection group and protection pages of Protection Settings (in Policy Manager's Protection tab). Others are under-the-hood values that are not directly edited in Protection Settings.

Each protocol or protection group row shows whether it is Active or Inactive, for each protection profile. If a protection group's setting is Inactive, the Variables associated with it show "(Protection Inactive)". Changing the higher-level setting to Active causes the Variable row to display its value or checkbox.

You can change settings directly from Protection Overview, by selecting and right-clicking a cell.

If a protocol name appears in red, a change has been made under that protocol and one of the following applies:
the change has not yet been saved;
Install Policy has not been performed at all, in which case the change has not been saved to the IPS-1 Management Server;
Install Policy was performed, but only to the IPS-1 Management Server and not to the Alerts Concentrator.

Additional Protection Overview features and components are visible when Show Advanced Settings is enabled from the Policy Manager menu.

Copying Protection Overview

You can copy the visible rows to the clipboard, to be pasted into third-party applications such as Microsoft Excel.

To copy: Right-click a cell and select Copy Table.

Exempting Hosts from Inspection or Prevention

You can exempt a host's traffic completely from inspection, or you can exempt it just from traffic prevention while maintaining attack detection and alert generation. These exemptions can apply to traffic with the host as the source IP address, or as the destination IP address.

In This Section
Exempting a Host's Traffic from Inspection page 87
Exempting a Host's Traffic from Prevention page 87

Exempting a Host's Traffic from Inspection

You can exempt a host's traffic completely from inspection.

To exempt a host from inspection:
1. In Policy Manager's System Settings tab, select General Profile Settings.
2. Under Ignored Hosts, for either List of source addresses to ignore or List of destination addresses to ignore, click the button next to the list.
3. Add the host's IP address to Selected Host Types, either by typing the address and pressing Enter, or by moving it from Recently Used Values.
4. Click OK.
5. Install Policy.

Exempting a Host's Traffic from Prevention

You can exempt hosts just from traffic prevention, while maintaining attack detection and alert generation. This is called Whitelisting. The Servers Whitelist includes hosts for which traffic with the host as the destination IP is exempt. The Clients Whitelist includes hosts for which traffic with the host as the source IP is exempt.

To exempt a host from prevention:
1. From Policy Manager's Policy Manager menu, enable Show Advanced Settings.
2. In the System Settings tab, select General Profile Settings.
3. Under Allowed Hosts, for either Servers Whitelist or Clients Whitelist, click the button next to the list.

4. Add the host's IP address to Selected Host Types, either by typing the address and pressing Enter, or by moving it from Recently Used Values.
5. Click OK.
6. Install Policy.
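The settings in Avoiding False Positives, Protection-Level Settings and this section interact on every detected event, and it helps to see the whole decision in one place. The following is an added example written for this page, not Check Point code. It takes the setting names from the guide (Ignored Hosts, Monitor only, Add attackers to blacklist, Blacklist TCP, Send TCP resets, Servers/Clients Whitelist, Active upon Confidence) and makes the evaluation order and the Active upon Confidence behaviour below the slider value explicit assumptions; the alert records and addresses are constructed.

```python
"""One sensor's enforcement decision for a detected event, combining the
per-protection settings and the per-profile host exemptions described in
the guide.  Constructed illustration, not Check Point code; the ordering of
the checks is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ACTIVE, ACTIVE_CONF, INACTIVE = "Active", "Active upon Confidence", "Inactive"


@dataclass
class Protection:
    mode: str = ACTIVE
    confidence: int = 50            # slider value used by Active upon Confidence
    monitor_only: bool = False      # "Monitor only - no protection"
    blacklist_attackers: bool = False   # "Add attackers to blacklist" (Advanced)
    blacklist_tcp: int = 0          # "Blacklist TCP" duration in seconds, 0 = off
    send_resets: bool = False       # "Send TCP resets to attacker and victim (50%)"


@dataclass
class Profile:
    ignored_sources: Set[str] = field(default_factory=set)       # Ignored Hosts
    ignored_destinations: Set[str] = field(default_factory=set)
    servers_whitelist: Set[str] = field(default_factory=set)     # exempt as dst
    clients_whitelist: Set[str] = field(default_factory=set)     # exempt as src


@dataclass
class Alert:
    src: str
    dst: str
    proto: str          # "TCP", "UDP", ...
    confidence: int     # 0..100 confidence index of the match
    time: float = 0.0   # seconds, used for blacklist expiry


def decide(alert: Alert, prot: Protection, profile: Profile,
           blacklist: Dict[str, float]) -> List[str]:
    """Return the actions the sensor takes; `blacklist` maps src -> expiry."""
    # Ignored Hosts take the traffic out of inspection entirely.
    if alert.src in profile.ignored_sources or alert.dst in profile.ignored_destinations:
        return ["ignore"]
    # A blacklisted attacker has all subsequent traffic blocked until expiry.
    if blacklist.get(alert.src, 0.0) > alert.time:
        return ["drop:blacklisted"]
    if prot.mode == INACTIVE:
        return []
    # Active drops at >= 50%; Active upon Confidence applies the protection
    # only from the slider value upward (assumption: below it, no alert either).
    threshold = prot.confidence if prot.mode == ACTIVE_CONF else 50
    if prot.mode == ACTIVE_CONF and alert.confidence < threshold:
        return []
    actions = ["alert"]
    if alert.confidence < threshold:
        return actions                         # detected, not confident enough to drop
    whitelisted = (alert.src in profile.clients_whitelist
                   or alert.dst in profile.servers_whitelist)
    if prot.monitor_only or whitelisted:
        return actions                         # detection only, no prevention
    actions.append("drop")
    if prot.send_resets and alert.confidence >= 50:
        actions.append("reset:TCP RST" if alert.proto == "TCP"
                       else "reset:ICMP admin-prohibited")
    # Blacklisting is TCP-only (other protocols could be spoofed) and needs a
    # non-zero Blacklist TCP duration; whitelisted hosts never reach this point.
    if prot.blacklist_attackers and prot.blacklist_tcp > 0 and alert.proto == "TCP":
        blacklist[alert.src] = alert.time + prot.blacklist_tcp
        actions.append("blacklist")
    return actions


def demo() -> List[List[str]]:
    """Constructed sequence showing each branch; returns the decisions."""
    prot = Protection(blacklist_attackers=True, blacklist_tcp=600, send_resets=True)
    profile = Profile(ignored_sources={"10.0.0.9"}, servers_whitelist={"10.0.0.50"})
    blacklist: Dict[str, float] = {}
    events = [
        Alert("10.0.0.9", "10.0.0.1", "TCP", 90, 0.0),      # ignored host
        Alert("192.0.2.7", "10.0.0.50", "TCP", 90, 1.0),    # whitelisted server
        Alert("192.0.2.7", "10.0.0.1", "TCP", 30, 2.0),     # low confidence
        Alert("192.0.2.7", "10.0.0.1", "TCP", 90, 100.0),   # dropped, reset, blacklisted
        Alert("192.0.2.7", "10.0.0.2", "UDP", 10, 200.0),   # blocked by blacklist
        Alert("192.0.2.7", "10.0.0.2", "UDP", 10, 800.0),   # blacklist expired
    ]
    return [decide(e, prot, profile, blacklist) for e in events]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The two exemption mechanisms differ in what the analyst sees afterwards: an Ignored Host produces no alert at all, while a Whitelisted host still produces the alert and only the drop is suppressed, which is why the guide calls the latter the option that "maintains attack detection and alert generation".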

System-Wide Attack Correlation

In This Section
Correlators Overview page 89
Defining Correlators page 90

Correlators Overview

You can define alerts to be triggered based on a global view of the traffic passing through all the IPS-1 Sensors in an IPS-1 system, rather than just by individual connections passing through a single IPS-1 Sensor. This is achieved by using Correlators.

A Correlator triggers an alert or a specified action when the IPS-1 Management Server receives multiple alerts matching specified criteria within a certain timeframe. Whereas regular protections are limited to analyzing the traffic going through a single IPS-1 Sensor, Correlators can detect patterns within the alerts of an entire IPS-1 system.

A regular protection runs on an IPS-1 Sensor and its Alerts Action (see Customizing Alerts on page 147) runs on the Alerts Concentrators. Correlators, on the other hand, run on the IPS-1 Management Server, monitoring alerts from all IPS-1 Sensors through all Alerts Concentrators. This means that an external command to be activated by a correlator must also be on the IPS-1 Management Server host.

Correlators initiate actions when they receive a specified number of alerts matching specific criteria within a specified time window. For example, a Correlator could issue an alert if it receives fifty alerts about traffic from the same Source IP within two minutes. Correlators maintain a count of the alerts they see that meet their criteria. If the count reaches the specified threshold within the specified time period, the correlator triggers the specified action. If the time window ends without the count reaching the threshold, the count is reset to zero.

There are five types of correlators:
Cluster correlators watch for alerts containing identical values within specified fields - for example, all alerts containing the same alert source signature, regardless of what the actual value is.

Boolean correlators watch for alerts that contain a specified value - for example, all alerts containing a specific source IP address and a specific destination port.
Secondary Correlators are either Cluster or Boolean Correlators that apply their criteria only to an alert subset forwarded to them by another Correlator. The first Correlator needs to be configured to forward its matching alerts to the Secondary Correlator. The combined result is that the Secondary Correlator's specified action is activated if and only if the alerts meeting the criteria and threshold of the first (forwarding) Correlator also meet the criteria (Cluster or Boolean) and threshold of the Secondary Correlator.
Scan Correlators behave like Secondary Correlators, monitoring only alerts forwarded to them. The Scan Correlator watches for alerts containing different values within specified fields (scan behavior). This can be useful in conjunction with a Cluster Correlator. For example, to identify a port scan, a Cluster Correlator could be defined to forward alerts with the same destination IP to a Scan Correlator, which would watch for alerts with different destination ports.
The Vulnerability Correlator is predefined and usually should not be edited. It correlates Nessus Scan vulnerability data with new alerts, allowing the Alert Browser to assign a compromise risk index to each alert. Compromise risk is an assessment of how successful an attack would be, based on Nessus data. For information on the Vulnerability Correlator, see Disabling Vulnerability Correlation on page 163.

Defining Correlators

In This Section
Defining a Cluster Correlator (Regular or Secondary) page 90
Defining a Boolean Correlator (Regular or Secondary) page 94
Defining a Scan Correlator page 99

Defining a Cluster Correlator (Regular or Secondary)

For an explanation of Secondary and regular Cluster Correlators, see Correlators Overview on page 89.

To define a Cluster Correlator:
1. From the Management menu, select Correlators. The Correlators window appears.

2. Click New, or select an existing correlator and click Edit.
3. If you are creating a new correlator, type a name and select Cluster Correlator or Secondary Cluster Correlator. Click OK.
4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of the matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
Select Yes to enable the Correlator.

5. In the Cluster Correlator tab, select each criterion you want the correlator to use for matching. For example, if you check Alert Source, the correlator will monitor alerts with the same source.
6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script. For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.
10. For a Secondary Correlator to function, alerts need to be forwarded to it from another Correlator.

To forward alerts to a Secondary Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.

Defining a Boolean Correlator (Regular or Secondary)

For an explanation of Secondary and regular Boolean Correlators, see Correlators Overview on page 89.

To define a Boolean Correlator:
1. From the Management menu, select Correlators. The Correlators window appears.
2. Click New, or select an existing correlator and click Edit.

3. If you are creating a new correlator, type a name and select Boolean Correlator or Secondary Boolean Correlator. Click OK.
4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of the matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
Select Yes to enable the Correlator.

5. In the Boolean Correlator tab, define the criteria: create an evaluation statement using the provided tool buttons, drop-down lists, and text box (mouse over each button to see a tooltip). The available operators are:

Table 3-1 Boolean operators
=   Is equal to
!=  Is not equal to
>   Is greater than
<   Is less than
>=  Is greater than or equal to
<=  Is less than or equal to
IN  Is within the specified netmask value (used for IP addresses only)
NI  Is not within the specified netmask value (used for IP addresses only)

EXAMPLE 1: The following statement would cause the correlator to trigger for alerts where the source IP address is

You can create more complex evaluation statements by combining multiple clauses and joining them with AND or OR logical operators. Use the following tool buttons to create complex evaluation statements:
To insert another clause.
To delete an existing clause.
To move a clause up in the list of multiple clauses.
To move a clause down in the list of multiple clauses.

EXAMPLE 2: The following statement causes the correlator to match on all alerts where the destination port is 88 and the IP Protocol is not EIGRP.

Note - When you insert a NOT operator or a parenthesis within a clause, it is displayed in the statement window. To remove a NOT operator or a parenthesis, click the appropriate tool button (for example, the tool button that has the exclamation point with the slash through it removes the NOT operator).

6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable. For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.

10. For a Secondary Correlator to function, alerts need to be forwarded to it from another Cluster Correlator.

To forward alerts to a Secondary Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.

Defining a Scan Correlator

For an explanation of Scan Correlators, see Correlators Overview on page 89.

To define a Scan Correlator:
1. From the Management menu, select Correlators. The Correlators window appears.
2. Click New, or select an existing correlator and click Edit.
3. If you are creating a new correlator, type a name and select Scan Correlator. Click OK.

4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of the matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
Select Yes to enable the correlator.

5. In the Scan Correlator tab, select the fields which should be monitored to detect scans.
6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable. For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.

10. For the Scan Correlator to function, alerts need to be forwarded to it from a forwarding Correlator.

To forward alerts to a Scan Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Scan Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.
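To make the Threshold/Window counting, the three criteria types, the Table 3-1 operators and Alert Forwarding concrete, here is an added simulation of the correlator pipeline (example code written for this page, not the IPS-1 Management Server's implementation). It runs the guide's port-scan example (a Cluster Correlator on destination IP forwarding to a Scan Correlator on destination port) and Example 2 from the Boolean section with an extra IN clause. The alert field names (src, dst, dport, proto, time), the sample alerts, and the choice to forward a Cluster Correlator's key along with each forwarded alert so the Scan Correlator counts per destination host are all assumptions.

```python
"""Correlator engine modelling Threshold/Window counting, Cluster, Boolean
and Scan criteria, and Alert Forwarding as described in the guide.
Constructed example, not Check Point code; alert field names and the
sample alerts are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List, Sequence, Tuple

Alert = Dict[str, Any]

# Table 3-1 operators.  IN / NI take a netmask and apply to IP addresses only.
OPERATORS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "IN": lambda a, b: ipaddress.ip_address(a) in ipaddress.ip_network(b, strict=False),
    "NI": lambda a, b: ipaddress.ip_address(a) not in ipaddress.ip_network(b, strict=False),
}


@dataclass
class _Window:
    start: float                                 # time of the first counted alert
    seen: List[Alert] = field(default_factory=list)
    fired: bool = False                          # One Shot: act once per window


class Correlator:
    """Threshold/Window logic shared by every correlator type."""
    def __init__(self, name: str, threshold: int, window: float,
                 forward_to: Sequence["Correlator"] = ()):
        self.name, self.threshold, self.window = name, threshold, window
        self.forward_to = list(forward_to)       # Alert Forwarding tab
        self.windows: Dict[Any, _Window] = {}
        self.triggers: List[Tuple[float, Any]] = []   # (time, key) per firing

    def matches(self, alert: Alert) -> bool:     # the correlator's criteria
        return True

    def key(self, alert: Alert, group: Any) -> Any:   # which counter is used
        return group

    def count(self, win: _Window) -> int:        # value compared with Threshold
        return len(win.seen)

    def feed(self, alert: Alert, group: Any = None) -> None:
        if not self.matches(alert):
            return
        k = self.key(alert, group)
        win = self.windows.get(k)
        if win is None or alert["time"] - win.start > self.window:
            win = self.windows[k] = _Window(start=alert["time"])   # count reset to zero
        win.seen.append(alert)
        if win.fired:                            # keep forwarding for the rest of the window
            self._forward([alert], k)
        elif self.count(win) >= self.threshold:
            win.fired = True
            self.triggers.append((alert["time"], k))
            self._forward(win.seen, k)           # the alerts that met criteria and threshold

    def _forward(self, alerts: List[Alert], k: Any) -> None:
        for other in self.forward_to:
            for a in alerts:
                other.feed(a, group=k)           # assumption: the forwarding key travels along


class ClusterCorrelator(Correlator):
    """Counts alerts sharing identical values in the selected fields."""
    def __init__(self, name, threshold, window, fields: Sequence[str], **kw):
        super().__init__(name, threshold, window, **kw)
        self.fields = tuple(fields)

    def key(self, alert, group):
        return (group,) + tuple(alert[f] for f in self.fields)


class BooleanCorrelator(Correlator):
    """Counts alerts for which the evaluation statement is true."""
    def __init__(self, name, threshold, window, clauses, joiner="AND", **kw):
        super().__init__(name, threshold, window, **kw)
        self.clauses, self.joiner = list(clauses), joiner    # [(field, op, value)]

    def matches(self, alert):
        results = [OPERATORS[op](alert[f], v) for f, op, v in self.clauses]
        return all(results) if self.joiner == "AND" else any(results)


class ScanCorrelator(Correlator):
    """Counts distinct values of the selected fields among forwarded alerts."""
    def __init__(self, name, threshold, window, fields: Sequence[str]):
        super().__init__(name, threshold, window)
        self.fields = tuple(fields)

    def count(self, win):
        return len({tuple(a[f] for f in self.fields) for a in win.seen})


def port_scan_demo() -> Tuple[int, int]:
    """Cluster on dst -> Scan on dport; returns (cluster firings, scan firings)."""
    scan = ScanCorrelator("scan_ports", threshold=5, window=120, fields=("dport",))
    same_dst = ClusterCorrelator("same_dst", threshold=5, window=120,
                                 fields=("dst",), forward_to=[scan])
    # Constructed alerts: one source probes six ports on 10.0.0.5; another
    # hits the same port on 10.0.0.6 six times (noisy, but not a scan).
    alerts = [{"src": "198.51.100.4", "dst": "10.0.0.5", "dport": p, "proto": "TCP",
               "time": float(i)} for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    alerts += [{"src": "203.0.113.9", "dst": "10.0.0.6", "dport": 80, "proto": "TCP",
                "time": 10.0 + i} for i in range(6)]
    for a in alerts:
        same_dst.feed(a)
    return len(same_dst.triggers), len(scan.triggers)


def boolean_demo() -> List[Tuple[float, Any]]:
    """Example 2 plus an IN clause, threshold 3 within a 60 s window; the lone
    match at t=0 expires, so the firing comes from the three at t=70..90."""
    corr = BooleanCorrelator("port88", threshold=3, window=60, clauses=[
        ("dport", "=", 88), ("proto", "!=", "EIGRP"), ("src", "IN", "192.0.2.0/24")])
    sample = [("192.0.2.10", "TCP", 0.0), ("192.0.2.11", "EIGRP", 5.0),
              ("203.0.113.1", "TCP", 10.0), ("192.0.2.12", "TCP", 70.0),
              ("192.0.2.13", "TCP", 80.0), ("192.0.2.14", "TCP", 90.0)]
    for src, proto, t in sample:
        corr.feed({"src": src, "dst": "10.0.0.7", "dport": 88, "proto": proto, "time": t})
    return corr.triggers


if __name__ == "__main__":
    print(port_scan_demo(), boolean_demo())
```

The Scan Correlator fires once (for 10.0.0.5) even though the Cluster Correlator fires twice, because the second host only ever sees one destination port; this is the filtering that the guide's "if and only if" description of Secondary Correlators refers to. The window reset in boolean_demo also shows why a slow-rate pattern can stay below a Threshold indefinitely, which is worth keeping in mind when choosing Window values.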

Firewall-Style Access Control

IPS-1 enables firewall-style access control with inline IPS-1 Sensors at relevant network locations. For regular (non-power) Sentivist and IPS-1 Sensors of versions , the current version of IPS-1 management provides a firewall rule editor in GUI form. For details, see IPS-1 Firewall GUI on page 104. For Sentivist Sensors of versions prior to 5.0, for IPS-1 NGX Sensors, and for Power Sensors, firewall settings are configured only in the Policy Settings Protocol. For details, see Policy Settings on page 105.

In This Section
IPS-1 Firewall GUI page 104
Policy Settings page 105

IPS-1 Firewall GUI

In newer IPS-1 Sensors, use the Rule Editor GUI for configuring Firewall access controls. This section is only for regular (non-power) Sentivist and IPS-1 Sensors of versions . For Sentivist Sensors of versions prior to 5.0, IPS-1 NGX Sensors, or Power Sensors, see Policy Settings on page 105.

Warning - This functionality is for advanced users and is very resource-intensive. Use it only as necessary.

Configuring IPS-1 Firewall

To configure IPS-1 Firewall:
1. In Policy Manager's Policy Manager menu, point to Advanced, and enable Show Advanced Settings.
2. In the Protection tab, in the left-hand navigation tree, select IPS-1 Firewall.
3. In the profile list, select a protection profile. The firewall settings you configure will apply to the IPS-1 Sensors associated with this profile. Existing rules, if any, appear in the lower pane.

4. Click Edit. The Rule Editor opens.
5. Click New to add a rule. To edit a value in the rule, click a cell, then select or enter the relevant value(s).
You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, which automatically affects all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros. See Macros on page 105.
To change the logical rule order according to which the IPS-1 Sensor examines traffic, change the order of the rules by selecting rules and clicking the Up and Down buttons.
6. Click OK, and Install Policy.

Macros

You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, which automatically affects all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros.

To create a Macro:
1. In the Macros tab, click New.
2. Select the type of values to be included in the set and type a name for the Macro.
3. Click the Macro Value cell.
4. Type a single value and press Enter, or click the button to open a value editor.
The Macro will now appear in value editors for relevant rule values.

Policy Settings

In newer IPS-1 Sensors, use Policy Settings to configure firewall functionality. For regular (non-power) Sentivist and IPS-1 Sensors of versions , firewall functionality is more easily configured in the IPS-1 Firewall GUI. See IPS-1 Firewall GUI on page 104 for details.

Warning - This functionality is for advanced users and is very resource-intensive. Use it only as necessary.

To configure Policy Settings:
1. In Policy Manager's Policy Manager menu, point to Advanced and enable Show Advanced Settings.
2. In the Protection tab, in the left-hand navigation tree, under Network Security, expand Policy Settings and select Policy Configuration Settings.
3. Read the help text in the lower-right pane. Follow the instructions to configure rules in Policy Configuration Settings.
4. Install Policy.

Chapter 4 Alert Monitoring and Analysis

In This Chapter
Overview page 108
The Alert Browser and History Browser page 109
Alert Management Tools page 127
The Timeline Window page 134
Creating Alert Graphs page 140
Customizing Alerts page

Overview

The IPS-1 Management Dashboard incorporates a number of different windows in which you can monitor alert activity. These are:
- Alert Browser and History Browser: Display detailed alerts in a customizable window of spreadsheet-type rows of alerts. The Alert Browser displays streaming, filterable alerts as they are generated and received. History Browser snapshots are frozen versions of the Alert Browser, showing alerts for a specified time frame. The Alert Browser and History Browser incorporate management tools for alert analysis.
- Timelines: Display multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for comparison between multiple alert categories.
- Graphs: Customizable graphs depicting total or categorized alert activity level by time, or alert value frequency by specified alert fields. All graphs change dynamically as alerts come in, and can be frozen as a saved snapshot or printed.

The Alert Browser and History Browser

The Alert Browser and History Browser display detailed alerts in a customizable window of spreadsheet-type rows of alerts. The Alert Browser displays streaming, filterable alerts as they are generated and received. History Browser snapshots are frozen versions of the Alert Browser, showing alerts for a specified time frame. The Alert Browser and History Browser incorporate management tools for alert analysis.

In This Section
The Alert Browser Window page 110
Working in the Alert Browser page 113
Viewing History Browser Snapshots page 125

The Alert Browser Window

The Alert Browser appears when you log into the IPS-1 Management Server with the IPS-1 Management Dashboard:

Figure 4-1 Alert Browser

In This Section
Window Areas page 111
Hiding Window Panels page 111
Toolbar Buttons page 112

Window Areas

The main window areas are:
- All Alerts panel: Each row represents an alert or group of alerts received by the IPS-1 Management Dashboard. Each column displays values for a particular field. You can customize the fields (columns). See Adding or Removing Columns on page 114.
- Hold panel: The held alerts panel displays alerts that you have selected to hold for the current session.
- Show only / Hide these alerts field trees (on the left): Used to filter the alerts that appear in the alerts panel. See Filtering Alerts by Field Values on page 120.
- Status Summary: This area in the lower left-hand corner of the window shows the distribution of current alerts by priority (red=high; yellow=medium; green=low).

Hiding Window Panels

Alert Browser window panels, including the filter trees, can be hidden or restored by using the small arrowheads between panels.

Toolbar Buttons

In addition to the buttons on the right end of the toolbar, which are common to all of the main IPS-1 Management Dashboard windows, the Alert Browser toolbar contains the following buttons:

Table 4-1
- Undo a change to the filter tree.
- Redo an undone filter change.
- Interrupt loading alerts.
- Split into panels of alerts grouped by priority.
- Mark selected alert(s) as read.
- Unmark as read: remove the read mark from selected alert(s).
- Display alerts for prevented attacks in a separate panel.
- Display ignored (filtered out) alerts in a separate panel.
- Change the time span for displayed alerts.
- Create a History Browser snapshot of the Alert Browser's current time period.

Working in the Alert Browser

In This Section
Organizing Alerts and Alert Field Columns page 113
Adding or Removing Columns page 114
Selecting Multiple Alerts page 117
Alert Grouping page 118
Splitting the Alert Browser Window by Priority page 119
Limiting the Number of Alerts page 120
Changing the Alerts Time Span page 120
Filtering Alerts by Field Values page 120
Viewing Ignored Alerts page 124
Saving Customized Views page 124
Copying Alerts to the Clipboard page 124

Organizing Alerts and Alert Field Columns

Alerts in all panels follow the same column order. However, in some configurations, the column headings may not appear above all panels.

Alerts are ordered according to a left-to-right hierarchy of columns. Alerts become ordered meaningfully when the column order reflects a meaningful hierarchy of data. Each field can be sorted in either ascending or descending order. An example of a common column order is:
Priority
Protocol Name
Destination IP
Destination Port

In this example, the highest level of ordering would be by priority. Same-priority alerts would be internally arranged by Protocol Name; same-name alerts by Destination IP, and so on. This configuration allows a user to easily locate a particular alert and determine which hosts have been attacked.

Alerts are shaded in different shades of gray, indicating grouping of data values. Groups of rows with like values are similarly shaded. The shading is useful in quickly discovering patterns of alerts.

To move a column, drag the column heading. To toggle between ascending and descending sort order for a column, click the column heading. To add or remove a column, see below.

Adding or Removing Columns

Not all available alert fields are displayed by default.

To add or remove alert field columns:
1. From the Alert Browser menu, select Show/Hide Columns.

2. From the list of available fields, select the desired ones. Click OK.
Newly added columns appear to the right of existing ones, keeping the current alert order intact.

You can also add or remove columns by right-clicking any column heading and selecting Show/Hide Columns. You can also remove a column by right-clicking its heading and then selecting Hide <field> Column.

Available alert fields are:

Table 4-2 (Column Name: Column Description)
Alert GUID: An identifier for the alert type, unique across all databases
Alert ID: An identifier for this specific alert, unique in the IPS-1 Management Server database
Alert Origin: The IPS-1 component, typically a Sensor, that generated the alert
Alert Source: The Alerts Concentrator that recorded the alert

Alert Type: Alert source type - one of the following:
  Network: an alert related to network traffic, from the Alerts Concentrator, based on information from the Sensor
  Correlator: an alert related to network traffic, based on a Correlation by the IPS-1 Management Server
  System: a system message from the Sensor or the Alerts Concentrator
  IPS-1 Management Server: a system message from the IPS-1 Management Server
  Audit: an audit alert from the Alerts Concentrator
Annotation: Indicates whether an alert has comments
CVE List: A list of CVE IDs, if any, associated with a particular attack. A CVE ID is the ID of a particular vulnerability as defined by the U.S. National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
Compromise Risk: An assessment of how successful an attack would be, based on vulnerability data. To populate this field, you must have uploaded vulnerability data - see Vulnerability Detection and Defense on page 153. See Viewing Compromise Risk in the Alert Browser on page 162.
Confidence Level: The likelihood that the Protection has detected an actual attack or problem, rather than being a false positive
Create Date: The time and date that the alert was stored in the alert database
Description: The alert description
Destination Address: The traffic's destination IP address
Destination OS: The operating system of the traffic's destination
Destination Port: The traffic's destination port number
File Name: The file name from the traffic, when the alert was caused by a file-related protection
IP Family: IPv4 or IPv6
IP Protocol: The traffic's IP protocol

Impact: The possible impact of the activity that generated the alert, such as Denial of Service or Information Gathering
Packet Interface: The Sensor interface into which the traffic entered
Prevented: Whether the traffic that triggered the alert was prevented
Priority: The alert priority: High (red), Medium (yellow), or Low (green)
Protection Group: The protection group that detected the attack
Protection Name: The protection that detected the attack, or the system message name
Protocol: The Protocol that the Protection Group belongs to, as grouped in Policy Manager
Read By: Username and main IP of the user who marked the alert as read
Sense Time: The time the IPS-1 Sensor generated the alert
Sensor Mode: The mode of the Sensor that generated the alert - one of the following:
  IDS (passive)
  IPS (inline, fail-closed)
  IPS (inline, fail-open)
  IPS Monitor-Only (inline, fail-open)
  Unavailable (a legacy mode)
Source Address: The traffic's source IP address
Source OS: The operating system of the traffic's source
Source Port: The traffic's source port
Username: Username from the traffic; typically available when the alert is from an authentication-related protection
Virtual LAN ID: The traffic's VLAN ID

Selecting Multiple Alerts

To apply a menu or toolbar command to a block of alerts, click the first alert and then Shift+left-click the last alert. To select multiple discontinuous alerts, Ctrl+left-click each alert. To apply a context-menu (right-click) command to the block of alerts, Ctrl+right-click the last one.

Alert Grouping

The Alert Browser can group similar alerts together into one row, according to configurable criteria. By default, Alert Grouping is disabled.

When Alert Grouping is enabled, a Count column appears as the first column of the Alert Browser. This column contains the number of alerts that have been combined into the row, and a plus sign (+) with which you can expand the grouped alerts. The grouped alerts can then be collapsed with the minus sign (-). In the alert field columns of the combined row, the values are those of the first alert.

The configurable Grouping Level value defines grouping behavior. If the Grouping Level is set to n, Alert Grouping combines into one row all alerts with identical values in the first n fields. For example, if Priority is the first column, Alert Name is the second, and the Grouping Level is 2, then all alerts that have the same priority and name are grouped into a single row. You can change grouping behavior either by rearranging columns or by changing the Grouping Level.

Figure 4-2 Alert Grouping

In the above figure, the Grouping Level is 3, so grouped alerts have identical Priority, Protocol, and Protection Group.

To enable Alert Grouping:
1. Arrange columns so that the fields you want grouped for identical values are on the left.
2. Do one of the following:
   - From the Alert Browser menu, select Alert Grouping. Select a Grouping Level, and click OK.
   - Right-click in an alert, on the right-most column you want grouped for identical values, and select Group To <field>.

Splitting the Alert Browser Window by Priority

Alerts can be separated into separate panes by priority. This arranges alerts by priority but still lets you view all three priority levels in the same window. Alerts are displayed in four separate panels: one for each priority level and one for held alerts. You can scroll through each panel independently.

To split the Alert Browser window into panes by priority, click the Split by Priority button. To revert to the previous appearance, click the button again.
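The column hierarchy (page 113), the Grouping Level (page 118) and Split by Priority (above) can be worked through on a handful of rows. The following is an added example, not code from this guide or from Check Point: a small Python model of Alert Browser rows. The sample alerts, the High-first ordering for the Priority column and the numeric comparison of address columns are assumptions made for the example; the guide does not state how the Dashboard itself compares cell values.

```python
import ipaddress
from itertools import groupby
from typing import Any, Dict, FrozenSet, List, Sequence

Alert = Dict[str, Any]

# Constructed sample rows (not real IPS-1 alerts); field names follow Table 4-2.
SAMPLE_ALERTS: List[Alert] = [
    {"Alert ID": 1, "Priority": "High",   "Protocol Name": "HTTP", "Destination Address": "10.0.0.5",  "Destination Port": 80},
    {"Alert ID": 2, "Priority": "Low",    "Protocol Name": "DNS",  "Destination Address": "10.0.0.53", "Destination Port": 53},
    {"Alert ID": 3, "Priority": "High",   "Protocol Name": "HTTP", "Destination Address": "10.0.0.5",  "Destination Port": 80},
    {"Alert ID": 4, "Priority": "Medium", "Protocol Name": "SMB",  "Destination Address": "10.0.0.7",  "Destination Port": 445},
    {"Alert ID": 5, "Priority": "High",   "Protocol Name": "HTTP", "Destination Address": "10.0.0.10", "Destination Port": 8080},
    {"Alert ID": 6, "Priority": "Low",    "Protocol Name": "DNS",  "Destination Address": "10.0.0.53", "Destination Port": 53},
]

# Assumption for this example: "ascending" Priority order puts High first.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# The common column order the guide uses as its example.
DEFAULT_COLUMNS = ["Priority", "Protocol Name", "Destination Address", "Destination Port"]


def sort_key(column: str, value: Any) -> Any:
    """Comparable key for one cell; IP addresses compare numerically, not as strings."""
    if column == "Priority":
        return PRIORITY_RANK[value]
    if column.endswith("Address"):
        # Lexically "10.0.0.10" < "10.0.0.9"; ip_address() compares by numeric value.
        return ipaddress.ip_address(value)
    return value


def sort_alerts(alerts: Sequence[Alert], columns: Sequence[str],
                descending: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Order rows by the left-to-right column hierarchy, like the Alert Browser.

    Python's sort is stable, so sorting on the rightmost column first and the
    leftmost column last leaves each column as the tie-breaker for the one to its left.
    """
    rows = list(alerts)
    for col in reversed(columns):
        rows.sort(key=lambda r: sort_key(col, r[col]), reverse=col in descending)
    return rows


def group_alerts(alerts: Sequence[Alert], columns: Sequence[str], level: int) -> List[Alert]:
    """Alert Grouping at Grouping Level `level`: one row per run of identical first-n fields."""
    if not 1 <= level <= len(columns):
        raise ValueError("Grouping Level must be between 1 and the number of columns")
    key_cols = columns[:level]
    grouped = []
    for _, run in groupby(sort_alerts(alerts, columns), key=lambda r: tuple(r[c] for c in key_cols)):
        members = list(run)
        row = dict(members[0])               # the combined row shows the first alert's values
        row["Count"] = len(members)          # the Count column that appears when grouping is on
        row["Members"] = [m["Alert ID"] for m in members]
        grouped.append(row)
    return grouped


def split_by_priority(alerts: Sequence[Alert]) -> Dict[str, List[Alert]]:
    """Split by Priority: one panel per priority level (the Hold panel is not modelled)."""
    panels: Dict[str, List[Alert]] = {p: [] for p in PRIORITY_RANK}
    for alert in alerts:
        panels[alert["Priority"]].append(alert)
    return panels


if __name__ == "__main__":
    for row in group_alerts(SAMPLE_ALERTS, DEFAULT_COLUMNS, level=2):
        print(row["Count"], row["Priority"], row["Protocol Name"], row["Members"])
```

The point of the `sort_key` helper is the address column: sorted as text, 10.0.0.10 would land before 10.0.0.9, which hides the "which hosts have been attacked" grouping the column order is meant to reveal. Moving a column to the left or changing `level` changes the result exactly as rearranging columns or the Grouping Level does in the Dashboard.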

Limiting the Number of Alerts

Large numbers of alerts entering the IPS-1 Management Dashboard could exhaust memory resources. To avoid this problem, the Management Dashboard prevents more than a defined number of Maximum Alerts from entering. The maximum (and default) value is 30,000. In some cases, such as when running numerous Alert Browsers and Timelines, you should reduce the number.

To change the number:
1. From the Alert Browser menu, select Maximum Alerts.
2. Type a value, and click OK.

Changing the Alerts Time Span

By default, IPS-1 Management Dashboard displays alerts that occurred within the past hour.

To change the alerts Time Span:
1. From the Alert Browser menu, select Set Time Span (or click the Set Time Span button).
2. Select the time span (number and units) and click OK.
If you made the time span longer than it previously was, you may have to wait as additional alerts are loaded.

Filtering Alerts by Field Values

In This Section
Overview page 121
Applying Filter-In Values page 121
Applying Filter-Out Values page 121
Undoing Filter Changes page 121
Applying Filter Values From an Alert page 122
Filtering-In a Single Value in a New Alert Browser Window page 122
Copying and Pasting Filter Settings page 123

Overview

By default, IPS-1 Management Dashboard displays all alerts received by the IPS-1 Management Server within the defined time span. You can filter alerts according to any combination of alert field values. For a particular Filter Field, you can either define Filter-In values, to view only alerts with those values, or Filter-Out values, to exclude alerts with those values. Filter-In values are defined using the upper filter tree, whereas Filter-Out values are defined using the lower filter tree.

For example, if you want to see only medium and high priority alerts from one particular server, you could define that server's IP address as a Filter-In value for the Src Addr field, and Low as a Filter-Out value for the Priority field.

Applying Filter-In Values

To define and apply Filter-In values:
1. In the upper filter tree, if the Filter Field has a plus sign (+) next to it, expand it to see already defined filter values.
2. Select values you want to view, and clear values to filter out.
3. To define an additional value to view, select and right-click the Filter Field. Type or select a value, and click OK.
4. Below the upper filter tree, click Apply.

Applying Filter-Out Values

To define and apply Filter-Out values:
1. In the lower filter tree, if the Filter Field has a plus sign (+) next to it, expand it to see already defined filter values.
2. Clear values you want to view, and select values to filter out.
3. To define an additional value to filter out, select and right-click the Filter Field. Type or select a value, and click OK.
4. Above the lower filter tree, click Apply.

Undoing Filter Changes

To undo filter changes, either clear filter values, or click Undo and then Apply. You can do this multiple times to undo multiple filter changes. To clear all filters and bring back all alerts, below the upper filter tree, click Clear.

Applying Filter Values From an Alert

If you have an actual alert with a value you want to filter in or filter out, you can define a filter according to that value, as follows:
1. Select and right-click the alert cell with the value to be filtered in or filtered out.
2. From the context menu, select Filter In <Field (<Value>)> or Filter Out <Field (<Value>)>, where <Field> is the Filter Field and <Value> is the value to be filtered. The value is added to the filter tree in red and already selected.
3. Click Apply.

Filtering-In a Single Value in a New Alert Browser Window

You can, with one action, launch a new active Alert Browser window with filter settings adjusted to show only alerts with one particular value in a particular Filter Field.

To open a new Alert Browser with a single value filtered-in:
1. Select and right-click an alert cell with the desired filter-in value.
2. From the context menu, select Track <Field (<Value>)>, where <Field> is the Filter Field and <Value> is the value to be filtered in.

A new window appears with a panel displaying only alerts with the specified value.

Copying and Pasting Filter Settings

You can copy and paste the filter values and settings (enabled or disabled) of one or more filter fields between any two upper or lower filter trees of the Alert Browser, History Browser, or a Timeline. You can also paste the settings into a text file to be shared between users.

To copy and paste filter values and settings:
1. In a filter tree, select one or more filter fields. You can right-click and select Select All.
2. Right-click and select Copy.
3. In another filter tree (in the same or a different window), right-click and select Paste.

Note - Existing values in the target tree will not be automatically removed. An existing value with the same name as a pasted one, but a different setting (enabled/disabled), will be overwritten.

Viewing Ignored Alerts

Alerts that have been removed from the display by filters are hidden, not deleted. You can view these alerts in a separate alert panel. To view these ignored alerts in a separate panel, click the Split by Ignored button. Only alerts from the last ten minutes appear in the ignored alerts panel. To remove the panel, click the button again.

Saving Customized Views

Once you have customized the Alert Browser window to suit your needs, you can save your column and filter settings and use them again by creating Views. You can have multiple Views open simultaneously. Views are saved on the IPS-1 Management Server and can be accessed from different IPS-1 Management Dashboard hosts. Views are saved by user and cannot be shared between users.

Use the following File menu commands to manage Views:
- Open View
- Delete View
- Save View
- Save View As: Name and save a view. When naming a view, the Save View As window gives the option of making it the default View, the view which is displayed when the Alert Browser is opened.

Copying Alerts to the Clipboard

You can copy one or more alerts, or individual cells, to the clipboard for use with other applications, such as MS Word or Excel. Copy commands are available from the context (right-click) menu. To select multiple alerts, see Selecting Multiple Alerts on page 117.
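The filter semantics of pages 121 to 124 (Filter-In in the upper tree, Filter-Out in the lower tree, cleared values that stay defined, Filter In/Track from an alert cell, Paste that keeps existing values and overwrites same-named settings, and ignored alerts that are hidden rather than deleted) are easy to get wrong when reproducing a Dashboard view elsewhere, so here they are written out as an added Python example. It is not code from this guide or from Check Point; the sample alerts and the address 192.0.2.10 standing in for "one particular server" are constructed for the example.

```python
from typing import Any, Dict, Iterable, List, Optional, Tuple

Alert = Dict[str, Any]
# A filter tree maps a Filter Field to its defined values and whether each is selected.
# A cleared (unselected) value stays in the tree but plays no part in filtering.
FilterTree = Dict[str, Dict[str, bool]]

# Constructed sample alerts (not real IPS-1 data); 192.0.2.10 plays the "one particular server".
SAMPLE_ALERTS: List[Alert] = [
    {"Alert ID": 1, "Priority": "High",   "Source Address": "192.0.2.10",   "Protocol": "HTTP"},
    {"Alert ID": 2, "Priority": "Low",    "Source Address": "192.0.2.10",   "Protocol": "DNS"},
    {"Alert ID": 3, "Priority": "Medium", "Source Address": "192.0.2.10",   "Protocol": "SMB"},
    {"Alert ID": 4, "Priority": "High",   "Source Address": "198.51.100.7", "Protocol": "HTTP"},
    {"Alert ID": 5, "Priority": "Low",    "Source Address": "198.51.100.7", "Protocol": "DNS"},
]


def add_value(tree: FilterTree, field: str, value: Any, enabled: bool = True) -> None:
    """Define a value under a Filter Field (right-click the field, type a value, OK)."""
    tree.setdefault(field, {})[str(value)] = enabled


def enabled_values(tree: FilterTree, field: str) -> set:
    return {v for v, on in tree.get(field, {}).items() if on}


def apply_filters(alerts: Iterable[Alert], filter_in: FilterTree,
                  filter_out: FilterTree) -> Tuple[List[Alert], List[Alert]]:
    """Return (shown, ignored). Ignored alerts are hidden, not deleted, so both lists are kept.

    Filter-In (upper tree): a field with selected values shows only alerts matching one of them.
    Filter-Out (lower tree): an alert whose field matches a selected value is excluded.
    """
    shown, ignored = [], []
    for alert in alerts:
        keep = True
        for field in filter_in:
            wanted = enabled_values(filter_in, field)
            if wanted and str(alert.get(field)) not in wanted:
                keep = False
        for field in filter_out:
            if str(alert.get(field)) in enabled_values(filter_out, field):
                keep = False
        (shown if keep else ignored).append(alert)
    return shown, ignored


def filter_from_alert(tree: FilterTree, alert: Alert, field: str) -> None:
    """'Filter In/Out <Field (<Value>)>': add the alert's own value, already selected."""
    add_value(tree, field, alert[field], enabled=True)


def track(alerts: Iterable[Alert], alert: Alert, field: str) -> List[Alert]:
    """'Track <Field (<Value>)>': a new browser showing only alerts with this one value."""
    new_in: FilterTree = {}
    filter_from_alert(new_in, alert, field)
    return apply_filters(alerts, new_in, {})[0]


def paste_filters(target: FilterTree, source: FilterTree,
                  fields: Optional[Iterable[str]] = None) -> FilterTree:
    """Copy/Paste between trees: existing values are kept; a same-named value takes the pasted setting."""
    for field in (fields if fields is not None else source):
        for value, on in source.get(field, {}).items():
            target.setdefault(field, {})[value] = on
    return target


if __name__ == "__main__":
    # The guide's example: only medium and high priority alerts from one server.
    upper: FilterTree = {}
    lower: FilterTree = {}
    add_value(upper, "Source Address", "192.0.2.10")
    add_value(lower, "Priority", "Low")
    shown, ignored = apply_filters(SAMPLE_ALERTS, upper, lower)
    print("shown:", [a["Alert ID"] for a in shown], "ignored:", [a["Alert ID"] for a in ignored])
```

Note that a Filter-In field with every value cleared does not hide everything: with no selected values it is simply inactive, which is why `apply_filters` tests `wanted` before comparing. The `ignored` list is what the Split by Ignored panel shows, minus the ten-minute limit.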

Viewing History Browser Snapshots

History Browser snapshots are static versions of the Alert Browser, showing alerts for a specified time frame. Filtering and other Alert Browser features apply to the History Browser as well.

In This Section
Launching a History Browser page 125
Opening a History Browser Window from a Timeline page 125
Changing the History Browser Time Frame page 126

Launching a History Browser

You can open a History Browser window with the current Alert Browser column, filter, time span and other settings, or with default settings. In both cases, the History Browser initially displays alerts from a static time frame ending at the time it was launched. Subsequently, you can change the time frame.

To open a History Browser window with the current Alert Browser column and filter settings, in the Alert Browser, click the History Browser button. To open a History Browser window with default settings, from the File menu, select New History Browser.

Opening a History Browser Window from a Timeline

For information on Timelines, see The Timeline Window on page 134.

You can, in one action, open a History Browser window from a timeline window for a time frame corresponding to an alert cluster or a segment of a timeline, filtered according to the timeline category. For example, from a timeline of inside-to-outside alerts, you can open a History Browser with filters set to show only inside-to-outside alerts, limited to alerts with Sense Times corresponding to an alert cluster or a selected segment of the timeline.

To open a History Browser window from a timeline, for a time segment of the timeline:

1. From an active timeline window, drag a selection box around alerts on a segment of a timeline.
2. Right-click in the selection box, and select View Selected Alerts.
The desired History Browser opens.

To open a History Browser window from a timeline alert cluster:
1. In an active timeline window, enable Cluster Alerts and set the clustering Resolution.
2. Double-click an alert cluster.
The desired History Browser opens.

Changing the History Browser Time Frame

To change the time range for the alerts being shown:
1. In the History Browser window, in the upper filter tree, expand Sense Time.
2. Clear or Remove the default Sense Time value.
3. Select and right-click Sense Time, and select New Sense Time.
4. Use the controls or type a Start Time and an End Time. To insert the current time into either field, click Now.
5. Click OK, and Apply.

Alert Management Tools

In This Section
Viewing Alert Details page 127
Packet Capture and Viewing page 129
Using Alerts to Modify Protection Settings page 130
Holding an Alert page 131
Marking Alerts as Read page 131
Annotating Alerts page 132

Viewing Alert Details

You can view the complete details of an alert. To view complete alert details, in an Alert Browser, History Browser or Timeline, select and right-click an individual alert, then select Alert Details. Alternatively, double-click the alert.

Figure 4-3 Alert Details window

The fields shown in Alert Details depend on the alert type. In general, all fields from the Alert Browser are shown, including hidden fields. After a brief pause, additional fields may become visible as they are retrieved from the Alerts Concentrator.

With Alert Grouping, Alert Details for a grouped row displays information for the first alert. The other alerts of the group appear in an additional pane of the Alert Details window:

Figure 4-4 Grouped Alerts Pane

From Alert Details, you can do one of the following:
- Copy the entire window contents to the clipboard (if you then paste to a spreadsheet application such as MS Excel, only the Details section is pasted).
- Show Raw Packets: see Packet Capture and Viewing on page 129.
- View Vulnerability Info: this feature is enabled only if vulnerability data has been uploaded. See Vulnerability Detection and Defense on page 153.

You can enable the traffic's source hostname to appear in the Alert Details, as follows:
1. From the Tools menu, select User Preferences.
2. Under Alert Details, select Allow reverse DNS lookup.
3. Click OK.

Packet Capture and Viewing

You can view an alert's raw packets via Ethereal/Wireshark or any third-party packet capture utility that can accept PCAP files via the command line. The utility must be installed on the machine running the IPS-1 Management Dashboard. You can configure which protections should capture packets and, for each protection profile, how many packets should then be captured.

Setting Up Packet Capture and Viewing

To set up viewing raw packets:
1. From the Tools menu, select User Preferences.
2. Under Packet Capture, provide the following:

   - Path to Packet Capture Utility: the path to the executable for the packet capture utility.
   - Working Directory: where the packet capture files will be stored.
3. Click OK.
4. In Policy Manager's System Settings tab, in the left-hand navigation tree, select General Profile Settings.
5. For each defined protection profile (for example, Default_Protection):
   a. Under Profile, select the protection profile.
   b. Under Other Critical Information, for Number of Packets to capture per attack, click, and type the number of packets to be captured.
   c. Click OK.
6. For each enabled protection that you want to capture packets, in Policy Manager's Protection tab, navigate to the protection's page, and select Enable Packet Capture.
7. Install Policy on all Sensors.

Viewing an Attack's Packets

Once packet capture and viewing has been set up, and alerts have then been generated, you can view the attack packets.

To view an alert's attack packets:
1. In an Alert Browser, History Browser or Timeline window, double-click an individual alert to display Alert Details.
2. Click Show Raw Packets.

Using Alerts to Modify Protection Settings

IPS-1 Sensors generate alerts based on the configuration of the protections in the profile that is applied to the Sensor. Based on analysis of the alerts, you may decide that the protection settings must be modified to more effectively detect or prevent suspicious traffic. From an alert, SmartDefense allows you to display the protection settings page of the enforced profile. This feature allows you to quickly apply the lessons learned from an alert and immediately improve the effectiveness of your intrusion defenses.

Editing Protection Settings from an Alert

To edit the protection settings of the protection that generated a specific alert:
1. Open the IPS-1 Alert Browser or History Browser.
2. Select an alert.
3. Right-click and select Edit Protection Settings.
The IPS-1 Policy Manager window appears, displaying the protection that generated the alert, with the active profile selected.

Holding an Alert

As you view alerts, you can put one or more aside, or hold them, for further investigation. Held alerts are copied to a separate panel of the Alert Browser or History Browser. They are held until the end of the current session and are not affected by the time-frame limits or other filters of non-held alerts. As with all Alert Browser / History Browser panels, you can hide the Hold panel: at the bottom of the panel, click the up arrow.

To hold an alert, right-click it and select Hold. To remove an alert from the Hold panel, right-click it and select Remove Hold.

Marking Alerts as Read

When you are done reading an alert, you can mark it as read. A strikethrough appears through an alert marked as read.

To mark an alert as read, right-click the alert and select Mark as Read, or select the alert and, in the toolbar, click the Mark as Read button.

To hide alerts that are marked as Read:
1. In the Hide these Alerts panel, select Read By.
2. Right-click on Read By and select New Read By.

3. In the field under the Read By Entry list, type and press Enter.
4. Click OK.
5. Click Apply.
Alerts that have been read by anyone are now filtered out of the Alert Browser.

To remove the strikethrough from an alert, right-click the alert and select Unmark as Read, or select the alert and, in the toolbar, click the Unmark as Read button. Both commands can also be accessed from the Alert Browser menu.

Annotating Alerts

You can add comments to one or more alerts for future reference, as follows:
1. Select one or more alerts, right-click them and select Annotate.

Figure 4-5 New Annotation

2. Provide a title and select a status. Other fields are optional.

3. To add more alerts to the annotation, click Add Alerts. Select alerts and click Add Alerts. To remove an alert from the annotation, select the alert and click Remove Alerts.
4. Click OK.

To see or edit the annotation for an alert, right-click the alert and select Annotate again. To see a checkmark in the Alert Browser for each annotated alert, display the Annotation column.

The Timeline Window

In This Section
Overview page 134
Opening the Timeline Window page 135
Creating the Default Timeline Set page 136
Configuring Timelines and Views page 138
Viewing Detailed Alerts from a Timeline Window page 139

Overview

The Timeline window displays multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for easy comparison between multiple alert categories.

Alerts are color-coded according to Priority:
- Red: High
- Yellow: Medium
- Green: Low

You can scroll the view along the timelines to view past history. Use the scroll arrow buttons at the top of the window to move backward and forward along the timeline. Use the Return to Now button to return to the current time.

Each timeline can be filtered separately, enabling separate categories of alerts. For details, see Filtering Timelines on page 138.

A Timeline Configuration Wizard prompts for your network and server addresses, and accordingly creates a Default set of timelines. Timelines can then be customized, or you can create your own timelines. For details, see Creating the Default Timeline Set on page 136.

You can add, remove, copy and paste, rename and rearrange timelines. To access these commands, select and right-click an individual timeline.

Sets of configured timelines can be saved as views, similar to the Alert Browser. To manage views, use commands from the File menu.

Alerts along timelines can be individually represented, or clustered. For details, see Clustering Timeline Alerts on page 138.

Opening the Timeline Window

To open a timeline window, from the File menu, select New Timeline. Or, from any IPS-1 Management Dashboard window, click the Launch Timeline view button.

The first time the Timeline window is opened, the Timeline Configuration wizard appears. You can subsequently access the wizard from the Timeline menu. For details, see the following section, Creating the Default Timeline Set on page 136.

Creating the Default Timeline Set

The Timeline Configuration wizard prompts for your network's values for filtering the alerts for the default set of timelines. Providing the wizard with all the requested values results in a Timeline view with the following timelines:
- Network Alerts: Alerts related to network traffic, from the Alerts Concentrator, based on information from the Sensor.
- System Alerts: System messages from the Sensor or the Alerts Concentrator.
- Correlator Alerts: Alerts related to network traffic, based on a Correlation of alerts by the IPS-1 Management Server.
- Inside-to-Outside Alerts: Alerts triggered by traffic from the internal network to outside hosts.
- Outside-to-Inside Alerts: Alerts triggered by traffic from outside the internal network.
- Inside-to-Inside Alerts: Alerts triggered by traffic where both source and destination IP addresses are internal.
- Alerts triggered by traffic where the destination IP address is the server.
- DNS: Alerts triggered by traffic where the destination IP address is the DNS server.
- FTP: Alerts triggered by traffic where the destination IP address is the FTP server.
- Web: Alerts triggered by traffic where the destination IP address is the web server.

The wizard also prompts for another special network name and address, and if provided, accordingly creates an additional timeline. Timelines and views can be further customized.

To create some or all of the above timelines:
1. Open a Timeline window. The first time the Timeline window is opened, the Timeline Configuration wizard appears. Otherwise, access the wizard from the Timeline menu.
2. In each wizard page, type network addresses, Add them, and click Next. The Timeline Configuration wizard pages prompt for the following network addresses:
   - Internal Network
   - server
   - DNS server
   - FTP server
   - Web server
   - Other server: In this page, type a name for the Server Type as well.
3. In the Save View page, type a name for the view, and choose whether this should be the default view for Timeline windows.
4. Click Finish. The configured Default Timeline set appears.

Configuring Timelines and Views

Filtering Timelines

Each Timeline in a Timeline window can be configured by filtering the alerts it displays. Each Timeline has its own set of filters. To access a timeline's filter trees, click the tab corresponding to the timeline, above the filter trees. Use the filter trees in the same way as in the Alert Browser. For details, see Filtering Alerts by Field Values on page 120.

Clustering Timeline Alerts

Alerts along timelines can be individually represented, or clustered into small pie graphs. When alerts are clustered, each cluster pie section represents one Priority value: High (red), Medium (yellow), or Low (green). You can determine the clustering Resolution. Each cluster represents all of the alerts from a time span equal to the Resolution value.

To cluster alerts, select Cluster Alerts, and set the Resolution.

Viewing Detailed Alerts from a Timeline Window

You can view details for one or more alerts in a timeline window by opening a History Browser for them. For details, see Opening a History Browser Window from a Timeline on page 125.

Alternatively, you can copy alerts to the clipboard for export to external applications. Drag a selection box around a segment of a timeline, then right-click in the box and select Copy Selected Alerts.

Creating Alert Graphs

In This Section
Overview page 140
Creating an Activity Level Graph page 140
Creating Pick Graphs page 142
Creating a Top n Graph page 144
Saving Graphs page 146
Printing a Graph page 146

Overview

You can create customizable alert graphs. Graphs change dynamically as alerts come in, and can be frozen as a saved snapshot, or printed. There are three types of alert graphs:

- An Activity Level graph plots total alert activity level by time.
- A Pick Graph plots alert activity level by time, limited to alerts with a specific value for a particular alert field. You can simultaneously view multiple Pick Graphs for a specified alert field. For example, you could compare the alert activity levels for three different source IPs.
- A Top n Graph is a bar graph that plots alert frequency by specified alert values. For example, the top three most-active source IPs.

You can save, configure and modify all of these graphs.

Creating an Activity Level Graph

An Activity Level graph plots total alert activity level by time.

To create an Activity Level graph:

1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, select Activity Level.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.

4. Set the following:
   - Graph Resolution: The time span represented by each scale mark on the X-axis.
   - Graph is green for alert counts less than: When the highest alert count in the displayed graph is less than this number, the entire graph becomes green. Otherwise, it is yellow or red.
   - Graph is yellow for alert counts less than: When the highest alert count in the displayed graph is less than this number, but equal to or more than the previous setting, the entire graph becomes yellow. If it is equal to or more than this number, it is red.
   - Show as Area Graph: When selected, the area under the graph line is filled.
5. Click OK.

Creating Pick Graphs

You can simultaneously view multiple Pick Graphs for a specified alert field. Each graph plots the activity level by time of alerts with a specific value for the alert field, for comparison purposes. For example, you could compare the alert activity levels for three different source IPs.

To create a Pick graph:

1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Pick Graphs, select an alert field.
3. For each value to be plotted in a Pick Graph, do the following:
   a. Right-click in the graph area and select Add <field>.
   b. Type or select the desired value.
   c. To choose the graph color for this value, click Choose the color. Select a color, and click OK.
   d. Click OK.

4. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
5. Set the following:
   - Graph Resolution: The time span represented by each scale mark on the X-axis.
   - Appearance: One of the following:
     - Area Graph: The area under the graph line is filled. Note that with multiple graphs, they will hide parts of one another.
     - Stacking Area Graph: The area under the graph line is filled, and graphs stack on top of each other. Note that Y values for upper graphs are aggregated values.
     - Plot Graph: Regular line graphs.
6. Click OK.

An alternative way of creating a Pick graph is from the Alert Browser / History Browser. Right-click a cell with a value you want to plot on a Pick graph, and select Graph <field> (<value>). You can then continue to add values as in the above procedure.

Creating a Top n Graph

A Top n Graph is a bar graph that plots the number of alerts over a specified time span for each of the n most frequently occurring values of a specified alert field. For example, the top three (n=3) most-active source IPs.

To create a Top n Graph:

1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Top n Graphs, select an alert field.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.

4. Set the following:
   - Include alerts that have occurred within the last: Only alerts from this time span are considered or displayed.
   - Show counts for items that are in the top: This is the n value; the n most frequently occurring values are displayed.
5. Click OK.

Saving Graphs

Saving a Graph View

You can save and later reopen graph views, similarly to the Alert Browser, History Browser, and Timeline window. This way you can retain graph settings for future alerts. Access these commands from the File menu.

Saving a Graph Snapshot

You can freeze a graph as a saved snapshot. From the Graph menu, select Save Image As. Or, right-click in the graph area, and select Save Image As.

Printing a Graph

To print a graph, from the Graph menu, select Print. Or, right-click in the graph area, and select Print.

Customizing Alerts

In This Section
Overview page 147
Configuring Actions page 147
Applying Actions to Alerts page 150
Changing an Alert's Displayed Priority page 151

Overview

You can customize the IPS-1 system so that the Alerts Concentrator issues notifications other than the standard alerts to be viewed in the Alert Browser. The Alerts Concentrator can perform the following kinds of Actions along with issuing standard alerts:

- Send an e-mail to specified recipients
- Send an SNMP trap
- Execute a generic external application

Any of the above actions can be defined to be performed along with any system alert. In addition to logging, Custom Actions can be applied to an individual alert, or simultaneously to a whole group of alerts. There are predefined Alert groups, with the alerts grouped by protocol, and you can also create your own custom alert groups to which you can then apply custom Actions.

System alerts can also be customized by changing their displayed Priority.

Configuring Actions

This section discusses creating or modifying Alert Actions, which can then be applied to alerts or to alert groups, as discussed in Applying Actions to Alerts on page 150. Note that modifying an existing Action will affect any alerts or alert groups to which the Action is already applied.

To create or modify an Action:

1. Click the Alert Actions tab. If the Alert Actions tab does not appear in Policy Manager, enable Advanced Settings from the Policy Manager menu.
2. In the left-hand Alerts tree, select a group or an alert, and click Edit Actions.
3. Select an existing Action and click Properties; or, click New Action, select one of the following Action types, and click OK:
   - E-mail - Send an e-mail to specified recipients (not available on SecurePlatform)
   - SNMP Trap - Send an SNMP trap with the following information:
     - Object ID: <Trap ID>. <Trap ID> is user-defined when creating the SNMP Trap Alert Action.
     - Alert source: IP address of the host that caused the alert.
     - Community authentication string: user-defined when creating the SNMP Trap Alert Action.
     - System up time: set to 0:00:
     - Trap source:
     - Message:
   - Generic - Execute a generic external application
4. Type or modify the Action properties, which are explained in the following section. In a pre-existing Action, you cannot change the Action name.
5. Click OK, and OK. Install Policy to save changes.

Action Property Fields

When you create or modify an Action, as explained in the previous section, the following fields appear for configuration:

E-mail Action Property Fields

- Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
- Recipients - E-mail address (or addresses) to which the alert will be sent. Separate addresses with spaces.
- Subject - Subject line for the e-mail.
- Latency - The time, in seconds, after which the e-mail will be sent, even if Alerts/Message (the following field) has not been reached.
- Alerts/Message - When this number of alerts is collected, they will be grouped in a single e-mail and the e-mail will be sent, even if Latency (the previous field) has not been reached.

SNMP Trap Action Property Fields

- Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
- Manager - The SNMP Manager's IP address (port 162).
- Community - The SNMP Manager's authentication string.
- Trap ID - Identifying number for this alert type. Make sure to use a different Trap ID for each SNMP Trap Action.

Generic Action Property Fields

- Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
- Executable - Full path to an external program, executable by the ips1 user, on the Alerts Concentrator.
- Arguments (optional) - Command line arguments to be passed to the external program.
- Interval - The time, in seconds, after which the program will be executed, even if Alert Count (the following field) has not been reached.
- Alert Count - When this number of alerts is queued, the external program will be executed, even if the Interval (the previous field) has not been reached.
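The Latency / Alerts-per-Message pair (and the equivalent Interval / Alert Count pair of a Generic Action) describes a batching rule: dispatch when the count is reached, or when the waiting time is reached, whichever comes first. The following is an added illustration of that rule in Python; it is not IPS-1 code. It assumes that the waiting time is measured from the first alert queued in the current batch, and that a timer periodically checks the queue; the alerts and arrival times are constructed.

```python
"""Batching with the Latency / Alerts-per-Message (Interval / Alert Count)
semantics: added illustration, not IPS-1 code.

Assumption: a batch is dispatched when the queued alert count reaches the
threshold, or when `interval` seconds have elapsed since the first alert of
the batch was queued, whichever comes first.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Alert:
    ts: float       # arrival time in seconds (constructed values below)
    src_ip: str
    name: str


class AlertBatcher:
    """Queue alerts and hand them to `sink` (an e-mail sender or an external
    program) in batches bounded both by count and by waiting time."""

    def __init__(self, interval: float, alert_count: int,
                 sink: Callable[[List[Alert]], None]) -> None:
        if interval <= 0 or alert_count <= 0:
            raise ValueError("interval and alert_count must be positive")
        self.interval = interval
        self.alert_count = alert_count
        self.sink = sink
        self._queue: List[Alert] = []
        self._first_ts: Optional[float] = None

    def add(self, alert: Alert) -> None:
        """Queue one alert; dispatch immediately once the count threshold is hit."""
        if not self._queue:
            self._first_ts = alert.ts
        self._queue.append(alert)
        if len(self._queue) >= self.alert_count:
            self._flush()

    def tick(self, now: float) -> None:
        """Timer callback: dispatch a partial batch once the oldest queued alert
        has waited `interval` seconds, so low-volume alerts are not held back
        indefinitely by an unreached count threshold."""
        if self._queue and self._first_ts is not None and now - self._first_ts >= self.interval:
            self._flush()

    def _flush(self) -> None:
        batch, self._queue = self._queue, []
        self._first_ts = None
        self.sink(batch)


def format_message(batch: List[Alert], subject: str) -> str:
    """Render one batch the way the e-mail Action groups alerts into a single message."""
    lines = [f"Subject: {subject} ({len(batch)} alerts)"]
    lines += [f"{a.ts:>6.1f}s  {a.src_ip:<15} {a.name}" for a in batch]
    return "\n".join(lines)


def simulate() -> List[int]:
    """Drive the batcher with constructed arrival times (Interval=15 s, Alert Count=3)
    and return the size of each dispatched batch."""
    sizes: List[int] = []
    b = AlertBatcher(interval=15, alert_count=3,
                     sink=lambda batch: sizes.append(len(batch)))
    # Three alerts within two seconds: the count threshold fires first.
    for t in (0, 1, 2):
        b.add(Alert(t, "10.0.0.7", "constructed-alert"))
    # A single alert, then the 15 s interval elapses with no further alerts.
    b.add(Alert(20, "10.0.0.8", "constructed-alert"))
    b.tick(now=30)   # 10 s waited: nothing dispatched
    b.tick(now=35)   # 15 s waited: the lone alert is dispatched
    # Two alerts, a too-early timer check, then a third alert completes the batch.
    b.add(Alert(40, "10.0.0.9", "constructed-alert"))
    b.add(Alert(41, "10.0.0.9", "constructed-alert"))
    b.tick(now=50)   # 10 s since the first of these: nothing dispatched
    b.add(Alert(52, "10.0.0.9", "constructed-alert"))
    return sizes     # [3, 1, 3]


if __name__ == "__main__":
    print(simulate())
    print(format_message([Alert(0, "10.0.0.7", "constructed-alert")], "IPS-1 alerts"))
```

The run shows why both fields matter: a burst of three alerts is dispatched at once regardless of the timer, while a single alert is still dispatched after 15 seconds rather than waiting for two more that may never arrive. For a Generic Action the `sink` would be the external program named in Executable, which the Alerts Concentrator runs as the ips1 user.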

Applying Actions to Alerts

This section discusses applying an already defined Action to an alert or to a group of alerts. An Action that has been defined for one alert is then available to be applied to any alert or alert group. To define an Action, see Configuring Actions on page 147.

To apply an Action to an alert or alert group:

1. If the Alert Actions tab does not appear in Policy Manager, enable Show Advanced Settings from the Policy Manager menu.
2. Click the Alert Actions tab.
3. If you want to apply an Action to a group that does not appear in the alert tree, create a new group. Or, you can modify an existing user-defined group.
   To create a new group:
   a. In the left-hand Alerts tree, select User-Defined Groups, and click New Group.
   b. Type a name for the group, and click OK. The group appears under User-Defined Groups.
   c. Select the group you just created, and click Add Alerts.
   d. Select all alerts to be added to the group, and click OK.
   To modify an existing group:
   a. In the left-hand Alerts tree, select an existing group from under User-Defined Groups.
   b. To add alerts to the group, click Add Alerts. To remove an alert from the group, select the alert and click Remove.

4. Select a group or an alert to which to apply an Action. Click Edit Actions.
5. Move one or more Actions from the Available Actions list to Applied Actions.
6. Click OK, and Install Policy to save changes.

You can later modify the Action, as explained in Configuring Actions on page 147.

Note - An Action applied to an alert group is displayed only at the group level, and does not appear when an individual alert from the group is selected, even though the Action will be performed for that alert.

Changing an Alert's Displayed Priority

You can customize an alert by changing its displayed Priority, as follows:

1. In Policy Manager, if the Alert Actions tab does not appear, enable Show Advanced Settings from the Policy Manager menu.
2. In Policy Manager, click the Alert Actions tab.
3. In the left-hand alerts tree, under Built-in Groups, expand the relevant protocol and select the desired alert.
4. In the right-hand Alert window, select the desired Priority.

5. Install Policy to save the changes.

Chapter 5 Vulnerability Detection and Defense

In This Chapter
Overview page 154
Installing Network Vulnerability Data, and Dynamic Shielding page 155
Viewing Vulnerabilities page 156
Investigating Vulnerabilities with the Distribution Graph page 159
Viewing Compromise Risk in the Alert Browser page 162
Disabling Vulnerability Correlation page

Overview

You can proactively protect your network by scanning it for vulnerabilities that might be exploited by an attacker. The vulnerability data obtained from the scan can be used by the IPS-1 system in the following three ways:

- Dynamic Shielding: IPS-1 can check protection settings at vulnerability data upload time, to prevent discovered vulnerabilities from being exploited. Dynamic Shielding can be configured to change protection settings automatically, to prompt for user approval before changing protection settings, or to just issue alerts to the Alert Browser for unprotected vulnerabilities.
- Vulnerability Browser: An IPS-1 Management Dashboard window that displays detailed scan results, enabling you to determine which attacks against known vulnerabilities should be detected and prevented by the IPS-1 Sensors, and to configure Sensor protections accordingly.
- Compromise Risk: The Alert Browser can be enabled to display for each alert its Compromise Risk factor, based on your network's vulnerability to the attack.

Vulnerabilities are identified with CVEs. A CVE is a unique identifying number for a specific type of vulnerability. CVE numbers are defined by the U.S. National Institute of Standards and Technology (NIST) in its National Vulnerability Database (NVD).

To take advantage of these features, use the third-party Nessus network vulnerability scanner to scan your network and create a scan result file. IPS-1 can then take advantage of the vulnerability data in this file. Nessus is currently owned and developed by Tenable Network Security. Nessus is neither provided nor supported by Check Point.

Installing Network Vulnerability Data, and Dynamic Shielding

To create vulnerability data to be uploaded into the IPS-1 system, use the third-party Nessus network vulnerability scanner to scan your network and create a scan result file in XML format. Nessus is currently owned and developed by Tenable Network Security. Nessus is neither provided nor supported by Check Point.

Only XML files produced by Nessus version 2 onwards are supported. NBE files are not supported. Most Check Point testing has been done with output from Nessus version 2.

To prevent the scan itself from triggering alerts (and possibly being blocked by a Sensor!), add the hosts from which you are scanning to the list of source addresses to ignore, under General Profile Settings in Policy Manager's System Settings tab.

With Dynamic Shielding, IPS-1 can change protection settings at vulnerability data upload time, to prevent discovered vulnerabilities from being exploited. Dynamic Shielding can be configured to change protection settings automatically, subject to user approval, or not at all.

Once you have created the vulnerability data file, perform the following:

1. Configure Dynamic Shielding's behavior regarding changing protections: From Policy Manager's Policy Manager menu, go to Advanced > Dynamic Shield Configuration. In the left-hand tree, protocols are marked as to whether Dynamic Shielding will automatically change protection settings or not. A question mark indicates that Dynamic Shielding will prompt to change protection settings. To change Dynamic Shielding's behavior for all the protection groups of a protocol (or for all protocols), select the protocol (or All Protocols), change the setting, and click Apply. To save the changes, click OK.
2. From Policy Manager's Policy Manager menu, select Upload Nessus XML Vulnerability Scan.
3. Navigate to the vulnerability data file and select it. Click Open.
4. You are prompted as to whether during the upload alerts should be issued to the Alert Browser for unprotected vulnerabilities. Select Yes or No.

Viewing Vulnerabilities

The features discussed in this section are available only when network vulnerability data has been collected and installed in IPS-1, as explained in Installing Network Vulnerability Data, and Dynamic Shielding on page 155.

You can view full vulnerability data in the Vulnerability Browser. To open the Vulnerability Browser, from the File menu, select New Vulnerability Browser. Or, click the Vulnerability Browser icon.

Figure 5-1 The IPS-1 Vulnerability Browser

In the upper part of the Vulnerability Browser, vulnerability details are displayed. You can filter displayed vulnerabilities with the left-hand filter trees, in the same way alerts are filtered in the Alert Browser. You can rearrange column order by dragging column headings.

For information on the Distribution Graph in the lower-right corner of the Vulnerability Browser, see Investigating Vulnerabilities with the Distribution Graph on page 159.

The Information Pane to the left of the Distribution Graph contains the following information:

- A description of the vulnerability. This description is identical to the information in the Scan Data column for the selected vulnerability.
- Distribution Graph details. These details are the same as the yellow text that appears together with the Distribution Graph. To understand these details, see Investigating Vulnerabilities with the Distribution Graph on page 159.

Investigating Vulnerabilities with the Distribution Graph

In This Section
Distribution Graph Overview page 159
Configuring the Distribution Graph page 159
Investigation Examples page 160

Distribution Graph Overview

The Distribution Graph, located in the lower-right corner of the Vulnerability Browser, enables locating specific security risks. It displays the distribution of vulnerabilities according to a specified Distribution Factor, while limiting the analysis to vulnerabilities with specified values in Constraint fields. For example, to show which services cause most of the high-confidence, high-risk vulnerabilities, and which services cause fewer such vulnerabilities, you can create a Distribution Graph with Service Name as its Distribution Factor, constrained to vulnerabilities with a Risk Factor value of High and a Confidence value of 3.

The Distribution Graph's properties are determined by the selected cell of the selected vulnerability in the Vulnerability Browser. All the cells in the selected vulnerability up to and including the selected cell define the Constraint fields and values; the next column to the right defines the Distribution Factor for the graph.

Configuring the Distribution Graph

To create a Distribution Graph according to a desired Distribution Factor and desired Constraining values:

1. Arrange the Vulnerability Browser's columns so that the columns for the desired Constraint fields are first (left-most). In the example from the Distribution Graph Overview on page 159, Risk Factor and Confidence should be the first two columns. Their order does not matter; in continuing the example, we will assume Confidence and then Risk Factor.
2. Place the column for the desired Distribution Factor immediately after (to the right of) the Constraint field columns. In the above example, the column order would now be: Confidence, Risk Factor, Service Name.

3. Find a vulnerability with the desired constraining values in the Constraint fields, and click the last (right-most) of the constraining values. In the above example, find a vulnerability with Confidence=3, Risk Factor=High, and click its Risk Factor cell (the cell with High).

The Distribution Graph immediately displays the desired distribution. In the above example, the Distribution Graph analyzes all the vulnerabilities with Confidence=3 and Risk Factor=High, and displays the distribution of those vulnerabilities by Service Name. The largest section of the pie represents the service causing the most high-confidence, high-risk vulnerabilities.

Each section of the Distribution Graph pie represents one value of the Distribution Factor. The section representing the value in the selected vulnerability extends beyond the circumference of the circle. The number of vulnerabilities with each value appears on its representative section, near the circle center.

Above the graph itself is text describing the graph. The text describes the total number of vulnerabilities analyzed, the number of different values of the Distribution Factor, and the Constraints that determined which vulnerabilities were analyzed. This text appears also in the second part of the Information Pane.

Investigation Examples

The following examples describe some common security questions and methods for investigating them with the Distribution Graph.

Example 1

What services on the network are causing problems; and for these services, which vulnerabilities need to be fixed?

Put columns in the following order: Confidence, Service Name, and CVE. Select a cell with 3 in the Confidence column to activate the Distribution Graph by Service Name for definite (high-confidence) vulnerabilities. See which service has the largest section, and select a cell with that service name, in a vulnerability with Confidence of 3. The Distribution Graph will display the distribution of definite vulnerabilities for that service.

Example 2

Where are the high-risk security holes in the network?

Put the columns in the following order: Confidence, Risk Factor, Severity, and IP Address. Select a high Severity cell in a row with a high Risk Factor and high Confidence. The Distribution Graph will show which hosts have the most such vulnerabilities.
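The selection rule behind the Distribution Graph (constraints are every column up to and including the clicked cell; the Distribution Factor is the next column to the right) is simple enough to run outside the Dashboard. The following added Python example works through the Overview example and both Investigation Examples above on a constructed table of scan rows; it is not IPS-1 code, the rows are invented, and the CVE identifiers are placeholders rather than real CVE numbers.

```python
"""The Distribution Graph's selection rule, as an added illustration (not IPS-1 code):
every column up to and including the selected cell is a Constraint, and the
column immediately to its right is the Distribution Factor.

The rows below are constructed; CVE identifiers are placeholders.
"""
from collections import Counter
from typing import Dict, List, Sequence

Row = Dict[str, object]

VULNS: List[Row] = [
    {"Confidence": 3, "Risk Factor": "High",   "Severity": "High",   "Service Name": "http", "CVE": "CVE-XXXX-0001", "IP Address": "10.1.0.10"},
    {"Confidence": 3, "Risk Factor": "High",   "Severity": "High",   "Service Name": "http", "CVE": "CVE-XXXX-0002", "IP Address": "10.1.0.10"},
    {"Confidence": 3, "Risk Factor": "High",   "Severity": "High",   "Service Name": "http", "CVE": "CVE-XXXX-0001", "IP Address": "10.1.0.11"},
    {"Confidence": 3, "Risk Factor": "High",   "Severity": "Medium", "Service Name": "smtp", "CVE": "CVE-XXXX-0003", "IP Address": "10.1.0.12"},
    {"Confidence": 3, "Risk Factor": "Medium", "Severity": "Medium", "Service Name": "ftp",  "CVE": "CVE-XXXX-0004", "IP Address": "10.1.0.12"},
    {"Confidence": 2, "Risk Factor": "High",   "Severity": "High",   "Service Name": "http", "CVE": "CVE-XXXX-0005", "IP Address": "10.1.0.13"},
    {"Confidence": 1, "Risk Factor": "Low",    "Severity": "Low",    "Service Name": "dns",  "CVE": "CVE-XXXX-0006", "IP Address": "10.1.0.14"},
    {"Confidence": 3, "Risk Factor": "High",   "Severity": "High",   "Service Name": "dns",  "CVE": "CVE-XXXX-0007", "IP Address": "10.1.0.11"},
]


def distribution(rows: Sequence[Row], column_order: Sequence[str],
                 selected_row: Row, selected_col: str) -> Dict[str, object]:
    """Compute the graph for a click on `selected_col` of `selected_row`
    with the browser columns arranged in `column_order`."""
    idx = list(column_order).index(selected_col)          # ValueError if not a column
    if idx + 1 >= len(column_order):
        raise ValueError("the selected cell has no column to its right")
    constraints = {col: selected_row[col] for col in column_order[: idx + 1]}
    factor = column_order[idx + 1]
    matching = [r for r in rows if all(r[c] == v for c, v in constraints.items())]
    counts = Counter(r[factor] for r in matching)
    return {
        "constraints": constraints,
        "factor": factor,
        "total": len(matching),
        "distinct": len(counts),
        "counts": dict(counts),
        "highlighted": selected_row[factor],   # the pie section drawn past the circle
    }


def describe(result: Dict[str, object]) -> str:
    """The summary text shown above the graph and in the Information Pane."""
    cons = ", ".join(f"{k}={v}" for k, v in result["constraints"].items())
    return (f"{result['total']} vulnerabilities, {result['distinct']} distinct "
            f"{result['factor']} values, constrained to {cons}")


def example_1() -> Dict[str, object]:
    """Example 1: columns Confidence, Service Name, CVE; click a Confidence=3 cell,
    then drill into the busiest service, which shifts the factor to CVE."""
    order = ["Confidence", "Service Name", "CVE"]
    by_service = distribution(VULNS, order, VULNS[0], "Confidence")
    busiest = max(by_service["counts"], key=by_service["counts"].get)
    row = next(r for r in VULNS if r["Confidence"] == 3 and r["Service Name"] == busiest)
    by_cve = distribution(VULNS, order, row, "Service Name")
    return {"by_service": by_service, "by_cve": by_cve}


def example_2() -> Dict[str, object]:
    """Example 2: columns Confidence, Risk Factor, Severity, IP Address; click Severity."""
    order = ["Confidence", "Risk Factor", "Severity", "IP Address"]
    row = next(r for r in VULNS
               if r["Confidence"] == 3 and r["Risk Factor"] == "High" and r["Severity"] == "High")
    return distribution(VULNS, order, row, "Severity")


if __name__ == "__main__":
    for name, res in example_1().items():
        print(name, describe(res), res["counts"])
    print(describe(example_2()), example_2()["counts"])
```

On the constructed rows, Example 1 first attributes three of the six definite vulnerabilities to http, and the drill-down shows that two of those three are the same placeholder CVE; Example 2 shows the two hosts that split the four high-confidence, high-risk, high-severity findings. Arranging columns is what changes the question being asked, exactly as steps 1 to 3 above describe.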

Viewing Compromise Risk in the Alert Browser

The feature discussed in this section is available only when network vulnerability data has been collected and installed in IPS-1, as explained in Installing Network Vulnerability Data, and Dynamic Shielding on page 155.

Once the vulnerability data has been imported, you can view each alert's Compromise Risk factor in the Alert Browser. Compromise Risk is an assessment of how successful an attack is likely to be, based on vulnerability data. The importance of Compromise Risk is that an attack (even a high risk one) is less of a security risk if it is targeting a service that is not vulnerable to the attack (for example, an attack that tries to insert x86 instructions into a service that is running on SPARC architecture).

To display Compromise Risk in the Alert Browser:

1. From the Alert Browser's Alert Browser menu, select Show/Hide Columns.
2. Select Compromise Risk. Click OK.
3. To save the view, from the File menu, select Save View.

Correlated vulnerabilities appear in the Alert Browser in blue.
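The value of the Compromise Risk column is that the same alert is ranked differently depending on whether its target is actually vulnerable. The following added Python example models that correlation and the triage order it enables; it is not IPS-1's correlator. It assumes that a protection raising an alert can be tagged with the CVE it covers and that the uploaded scan data lists, per scanned host, the CVEs found there. Hosts, services and CVE identifiers are constructed placeholders. The example also covers two cases the text does not spell out, a target that was never scanned and a protection with no CVE, because neither should be read as "not vulnerable".

```python
"""Compromise Risk correlation, as an added illustration (not IPS-1's correlator):
the same alert matters less when the targeted host is not vulnerable to the
attack it carries. Hosts, services and CVE identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    dst_ip: str
    service: str
    priority: str            # High / Medium / Low, as shown in the Alert Browser
    cve: Optional[str]       # CVE the triggering protection covers, if any (assumed tagging)


# Constructed scan data: scanned host -> CVEs found on it.
# A host that is absent was never scanned; an empty set means scanned and clean.
SCAN: Dict[str, Set[str]] = {
    "10.1.0.10": {"CVE-XXXX-0001", "CVE-XXXX-0002"},
    "10.1.0.11": set(),
}


def compromise_risk(alert: Alert, scan: Dict[str, Set[str]]) -> str:
    """Return one of 'High', 'Low', 'Unknown', 'Not correlated'."""
    if alert.cve is None:
        return "Not correlated"          # nothing to match against scan data
    if alert.dst_ip not in scan:
        return "Unknown"                 # target never scanned: do not assume it is safe
    return "High" if alert.cve in scan[alert.dst_ip] else "Low"


# Analyst attention order: likely-successful attacks first, then unscanned targets,
# then alerts that could not be correlated, and last those aimed at patched hosts.
RISK_ORDER = {"High": 0, "Unknown": 1, "Not correlated": 2, "Low": 3}
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def triage(alerts: List[Alert], scan: Dict[str, Set[str]]) -> List[Tuple[str, Alert]]:
    """Annotate alerts with Compromise Risk and sort by risk, then by displayed Priority."""
    annotated = [(compromise_risk(a, scan), a) for a in alerts]
    annotated.sort(key=lambda ra: (RISK_ORDER[ra[0]], PRIORITY_ORDER[ra[1].priority]))
    return annotated


CONSTRUCTED_ALERTS: List[Alert] = [
    Alert("10.1.0.11", "http", "High", "CVE-XXXX-0001"),    # high priority, host not vulnerable
    Alert("10.1.0.10", "http", "Medium", "CVE-XXXX-0002"),  # host is vulnerable
    Alert("10.1.0.99", "smtp", "High", "CVE-XXXX-0003"),    # host never scanned
    Alert("10.1.0.10", "ftp", "Low", None),                 # protection carries no CVE
]


def demo() -> List[str]:
    """One line per alert, in triage order."""
    return [f"{risk:<15} {a.priority:<7} {a.dst_ip} {a.service}"
            for risk, a in triage(CONSTRUCTED_ALERTS, SCAN)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note how the High-priority alert against 10.1.0.11 drops to the bottom of the list: the host was scanned and the CVE was not found, which is the x86-on-SPARC situation the text describes. The Medium-priority alert against the vulnerable host rises to the top instead.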

Disabling Vulnerability Correlation

You can disable vulnerability correlation completely, for specific Sensors or for specific alerts, by editing the Vulnerability Correlator.

Note - This is an advanced feature most users will not need. Usually, the Vulnerability Correlator should not be edited.

To edit the Vulnerability Correlator:

1. From the Management menu, select Correlators.
2. Select the vulnerability correlator, and click Edit.
3. To completely disable vulnerability correlation, in the Description tab, select No.
4. In the Vulnerability Correlator tab, you can disable vulnerability correlation for a Sensor or for an alert by clearing its checkbox. To disable an alert only for a particular Sensor, expand the tree for the alert, and under the alert clear the Sensor.
5. Click OK.


Chapter 6 Data Analysis with External Tools

In This Chapter
Overview page 166
Setting up Reports page 167
Generating a Report page 169
Report Template List page 173
Integration with Eventia Analyzer page

Overview

The information in the IPS-1 database can be used to create reports with Crystal Reports XI from Business Objects. Check Point provides an assortment of pre-defined report templates. You can use these report templates as they are or modify them to suit your needs. These report templates, along with the MySQL ODBC drivers, are on your IPS-1 Management CD-ROM.

Setting up Reports

Follow the instructions below to create an ODBC data source for reports.

Before starting:
- Obtain and install Crystal Reports XI: Professional, Developer, or Advanced edition. These are the only editions supported for creating an IPS-1 report.
- Make sure that the Alerts Concentrator is running.

Creating an ODBC Data Source

1. Create a database username and password for the user generating reports by performing the following on the IPS-1 Management Server:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run: rep_useradd <name>, where <name> is the desired username.
   c. At the prompts, type and retype a password.
2. On the computer on which Crystal Reports is installed, install MyODBC-commercial win32.msi from the IPS-1 CD (under windows\cpipsclient\odbc). The MyODBC Setup wizard starts. Follow the instructions to complete installation.
3. Go to Start > Control Panel > Administrative Tools > Data Sources (ODBC).
4. In the System DSN (or File DSN) tab, click Add.
5. From the driver list, select MySQL ODBC 3.51 Driver. Click Finish. The Connector/ODBC Add Data Source window appears.

6. In the Connect Options tab, type the following information:
   - Port:
7. In the Login tab, type the following information:
   - Data Source Name: (example: IPS-1DS)
   - Description: (optional)
   - Server: resolvable hostname or IP address of the IPS-1 Management Server
   - User: the username created in step 1.
   - Password: the password for the above username.
   - Database: the name of the IPS-1 database, usually: esdb
8. Click Test to make sure you can properly connect to the data source. If configuration is successful, a message appears telling you so. Click OK.

Generating a Report

1. The Reports folder from the IPS-1 CD is copied into the Alerts Concentrator's installation directory during installation. You can access the Crystal 11 report templates from there, or on the CD, under windows\cpipsclient\reports.
2. Double-click on a report filename to launch Crystal Reports.
3. From the menu bar, select Database > Set Datasource Location. The Set Datasource Location window appears.
4. In the bottom panel of the window, expand Create New Connection > ODBC (RDO). The ODBC (RDO) window appears.
5. Select the data source you created in the previous section (in the example: IPS-1DS), and click Next. If prompted, enter the database username and password. Click Finish.
6. In the top panel of the Set Datasource Location window, select the database icon. In the bottom panel, select the one you created (in the example: IPS-1DS). Click Update. The datasource location in the top panel now reflects your database server.

Some report templates may contain sub-report templates. For example, the Alert List report contains sub-reports. When you set the datasource location to generate the report, you must also make sure the sub-report's Current Data Source is updated.

7. Click Close.
8. In the main Crystal Reports window, click Refresh. The Enter Values window appears. Available fields depend on the selected report.
9. Enter values, and click OK. The report appears.

Figure 6-1 Alerts by Date

You can now exit or save your report. Note that saving the report will retain your datasource location configuration. If you choose not to save the report, you will have to set your datasource the next time the report is opened.

To view a sub-report, click its link.

Figure 6-2 Alerts List Example

Figure 6-3 Alerts Details Sub-Report Example

Report Template List

The following reports can be generated in Crystal Reports.

Table 6-1 Report Templates

Report - Report Description
Alert Details - Generates details about an alert or alerts
Alert List - Generates a list of alerts
Alerts by Date - Generates alerts by date
Alerts by Day of the Week - Generates alerts by date
Alerts by Hour - Generates alerts by hour
Alerts by Month - Generates alerts by month
Alerts by Package - Generates alerts by package
Alerts by Package by Sensor - Generates alerts by Protocol and IPS-1 Sensor
Alerts by Priority - Generates alerts by priority
Alerts by Year - Generates alerts by year
Bottom Alerts - Generates bottom n alerts
Bottom Alert Sources - Generates bottom n alert sources
Bottom Destination IPs - Generates bottom n destination IPs
Bottom Destination Ports - Generates bottom n destination ports
Bottom Packages - Generates bottom n Protocols
Bottom Sensors - Generates bottom n Sensors
Bottom Source IPs - Generates bottom n source IPs
Bottom Source Ports - Generates bottom n source ports
Bottom Source Hosts - Generates bottom n source hosts
Bottom Vulnerable Hosts - Generates bottom n vulnerable hosts
Generic Cover Page Report - Generates a generic report cover
ICMP Alerts - Generates ICMP alerts
Security Summary Reports - Generates summary reports
Services by Priority - Generates services by priority
TCP Alerts - Generates TCP alerts
TOP Alerts - Generates top n alerts
TOP Alert Sources - Generates top n alert sources
Top Destination IPs - Generates top n destination IPs
Top Destination Ports - Generates top n destination ports
Top Packages - Generates top n packages
Top Sensors - Generates top n Sensors
Top Source IPs - Generates top n source IPs
Top Source Ports - Generates top n source ports
Top Vulnerable Host - Generates top n vulnerable hosts
UDP Alerts - Generates UDP Alerts
Vulnerability by Host - Generates vulnerabilities by host
Vulnerability by Severity - Generates vulnerabilities by Severity

Integration with Eventia Analyzer

In This Section
Introduction page 175
Integrating with Eventia Analyzer page 175

Introduction

Eventia Analyzer can be used to process IPS-1 Management Server alerts by parsing, normalizing and extracting relevant log fields from syslog messages generated by the IPS-1 Management Server. Adding IPS-1 support to Eventia Analyzer requires modifications on both the Eventia Analyzer server and the IPS-1 Management Server.

IPS-1 support on the Eventia Analyzer server is enabled via a dynamic update. Eventia Analyzer server (R63 and up) enables downloads of new and modified events and parsing definition updates from Check Point User Center. The support for IPS-1 was first included as part of dynamic update revision No. 3 of the event and parsing definitions. Dynamic updates are cumulative; an Eventia Analyzer server updated with a more recent update (revision 3 and up) includes the support for IPS-1.

A manual process must be performed on the IPS-1 Management Server. The process includes a Perl script that is downloaded and stored on the IPS-1 Management Server.

Integrating with Eventia Analyzer

To enable the IPS-1 Management Server to send Alerts to Eventia Analyzer:

On the IPS-1 Management Server:

1. Download the integration utility for the specific IPS-1 Management Server platform:
   - Eventia-IPS1_SecurePlatform
   - Eventia-IPS1_Solaris
2. Save the downloaded file in the /opt/cpips1-r65/alcr/bin directory.

3. Grant the Eventia1 user execute permissions using the following command:
   chmod og+rwx Eventia-IPS1_{Platform}
4. Use a DNS server that can resolve the Eventia Analyzer's hostname, or modify the /etc/hosts file on the IPS-1 Management Server so that it resolves the Eventia Analyzer's hostname, using the entry:
   xxx.xxx.xxx.xxx -TAB- <AnalyzerServerName>
5. Modify the /etc/syslog.conf file on the IPS-1 Management Server so that all syslog messages from facility Local5 and priority notice are forwarded to the Eventia Analyzer server, using the entry:
   local5.notice
6. Restart the syslog service on the IPS-1 Management Server using the following command from the /sbin/ directory:
   %>service syslog restart

On the IPS-1 Management Dashboard:
7. Use the IPS-1 Management Dashboard to connect to the IPS-1 Management Server.
8. Select Policy from the Management menu. The Policy Manager window appears.
9. In the Alert Actions tab of Policy Manager, expand the Built-in Groups. Right-click an Alert Group for which syslog messages should be generated and select Edit Actions. To send syslog messages for all alerts, right-click all and select Edit Actions. The Edit Actions for Alert Group all window appears.
10. Create a new Generic action by clicking the New Action button and choosing Generic from the Action Templates list.
11. In the New Generic Action window, set the parameters:
    Action name: Eventia
    Executable: /opt/cpips1-r65/bin/eventia-ips1_{platform}
    Arguments:
    Interval: 15
    Alert Count:
12. Select the Eventia rule in the Available Actions list and move it to the Applied Actions list. Click OK.

13. Install Policy.

On the Eventia Analyzer Dashboard:
Note - Perform a Dynamic Update only on Eventia Analyzer servers whose Event Policy and parsing definitions predate the revision 3 update.
1. Open Eventia Analyzer SmartConsole.
2. Select Dynamic Update from the Actions menu. The Check Point User Center login window appears.
3. Enter your User Center username and password and click OK. The Dialog window opens.
4. From the Available Updates list, select Update Parsing Definitions.
   Note - Updating the Event Policy is not required for IPS-1 integration.
5. Click Update Now. The relevant files are retrieved from the User Center, and the IPS-1 parsing files are updated on Eventia Analyzer and on all Log Servers installed on Eventia components.
6. Install Policy.

On an external Log Server, if you have one:
If you have an external Log Server that manually parses third-party product data, copy the $FWDIR/conf/syslog directory from the Eventia Analyzer server to the same directory on the Log Server and run cpstop and cpstart.

Revert the Dynamic Update to a Previous Version:
1. Open Eventia Analyzer SmartConsole.
2. Select Undo last policy update from the Actions menu. If you click Yes, the process brings the Event Policy back to its prior definition.

Note - Undo last policy update applies to Policy Updates only, not to all updates.

To check whether the syslog messages are actually being sent, tcpdump (/usr/sbin/tcpdump) can be used for troubleshooting.
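The checks a practitioner would run on the IPS-1 Management Server before moving on to the Dashboard steps, as an added shell example that is not part of the guide: it verifies the prerequisites from steps 2 to 5 (integration utility present and executable, Analyzer hostname resolvable from /etc/hosts, local5.notice forwarded in /etc/syslog.conf) against constructed sample files, and ends with the tcpdump probe from the troubleshooting note above. It assumes the standard syslog.conf forwarding syntax (local5.notice, a tab, then @<AnalyzerServerName>; this copy of the guide shows only the selector), that syslog forwarding travels over UDP port 514, and uses hostnames and addresses from the example.net and 192.0.2.0/24 documentation ranges.

```shell
#!/bin/sh
# Pre-flight checks for the IPS-1 -> Eventia Analyzer syslog hand-off
# (added example; not part of the guide). Verifies the three host-side
# prerequisites from steps 2-5: the integration utility is present and
# executable, the Analyzer hostname resolves via /etc/hosts, and
# /etc/syslog.conf forwards local5.notice to it. Assumes the classic
# syslog.conf forwarding syntax "local5.notice<TAB>@<AnalyzerServerName>";
# the guide's copy elides the "@host" half of that entry.

# 0 when $1 (a hosts file) maps the name $2 to an IPv4 address.
hosts_has_entry() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        NF >= 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i <= NF; i++) if ($i == n) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 0 when $1 (a syslog.conf) has an uncommented line sending local5.notice to @$2.
syslog_forwards_local5() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        $1 == "local5.notice" && $2 == ("@" n) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 when the integration utility $1 exists and is executable.
utility_ready() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Run every check; prints one line per check and returns the number that failed.
preflight() {
    hosts_file=$1; conf=$2; util=$3; name=$4
    failed=0
    for check in "utility_ready $util" \
                 "hosts_has_entry $hosts_file $name" \
                 "syslog_forwards_local5 $conf $name"; do
        if $check; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Once the checks pass: emit one local5.notice test message and watch for it
# leaving the box (syslog forwarding uses UDP port 514). This is the tcpdump
# hint from the troubleshooting note; it is not run by the self-test below.
probe_forwarding() {
    logger -p local5.notice "IPS-1 to Eventia Analyzer syslog test"
    /usr/sbin/tcpdump -n -c 1 udp port 514 and host "$1"
}

# Self-test on constructed sample files (documentation-range names/addresses).
demo() {
    dir=$(mktemp -d) || return 1
    printf '127.0.0.1\tlocalhost\n192.0.2.10\teventia-analyzer.example.net eventia\n' > "$dir/hosts"
    printf '*.info;mail.none\t/var/log/messages\n#local5.notice\t@old-analyzer\nlocal5.notice\t@eventia-analyzer.example.net\n' > "$dir/syslog.conf"
    : > "$dir/Eventia-IPS1_SecurePlatform" && chmod u+x "$dir/Eventia-IPS1_SecurePlatform"
    preflight "$dir/hosts" "$dir/syslog.conf" "$dir/Eventia-IPS1_SecurePlatform" eventia-analyzer.example.net
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

On a real server call preflight with /etc/hosts, /etc/syslog.conf, the saved utility path and the Analyzer hostname; a commented-out forwarding line or a hostname present only in DNS (which the hosts-file check does not consult) shows up as FAIL, and a non-zero return value makes the script usable as a gate in a larger setup procedure.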

Chapter 7 Backup and Migration

In This Chapter
Overview page 180
Exporting IPS-1 Management Server Data page 181
Importing IPS-1 Management Server Data page

Overview

The IPS-1 Management Server can be backed up by exporting its data into Java Archive (.jar) files. The data can then be restored or migrated by importing the .jar files into the same or a new IPS-1 Management Server. The export and import tools are provided in the IPS-1 Management Dashboard.

Note - The exported data does not include Alert Details and raw packets, which are stored only on the Alerts Concentrator.

Three types of data can be exported:
   Alerts
   Policy Settings
   Vulnerability Data

Each type requires a separate .jar file. For a complete backup or migration, create all three.

You can choose to export only the alerts from a particular time frame. This is useful for periodic backups.

Exporting IPS-1 Management Server Data

IPS-1 data can be exported using the Policy Manager's Export function or through the command line. From the Dashboard, the user can export data to .jar files located on the IPS-1 Management Server. Once the export is performed, the .jar files can be copied to another server or to backup media for disaster recovery. From the command line, the user can also schedule the data export process to create scheduled backups. The user can also export data directly to another IPS-1 Management Server using the command line. This is particularly useful when migrating an IPS-1 Management Server from one hardware platform to another.

In This Section
Exporting Data using the Dashboard page 182
Exporting Data using the Command Line page 182
Migrating Data using the Command Line page 184

Exporting Data using the Dashboard

To export IPS-1 Management Server data to a .jar file using the Dashboard:
1. From Policy Manager's Policy Manager menu, select Export. The Export Data window appears.
2. Set a name for the .jar file, and whether to overwrite an existing file.
3. Select the data type to export.
4. If you are exporting Alerts, define the time frame for the alerts to be exported.
5. Click OK. The .jar file is created on the IPS-1 Management Server in:
   /opt/cpips1-r65/ips1server/server/default/data/archive

Exporting Data using the Command Line

To export IPS-1 Management Server data to a .jar file using the command line:
1. Stop the IPS-1 Management Server, but leave the MySQL database running.
2. Open a command-line console on the target machine as root.

3. Change to the ips1 user: "su - ips1"
4. Export Policy settings using the following command:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u [db_user] -w [db_password] -h localhost -p [db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/[file_name] -j /opt/cpips1-r65/ips1server
   For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p [db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/cpips1-r65/ips1server
5. Export Vulnerability Data using the same command with -v appended to the end and a different target filename. For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p [db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/cpips1-r65/ips1server -v
6. Export Alerts using the same command with -a appended to the end and a different target filename. Alerts from a specific time period can be exported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to export only the alerts from the last 24 hours. For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p [db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/cpips1-r65/ips1server -a -t [start date] [end date]
7. Start the IPS-1 Management Server.

For scheduling backups, include the commands above in a shell script and use crond to invoke the script periodically.

Migrating Data using the Command Line

When migrating an IPS-1 Management Server to a new hardware platform, prepare the target machine with a fresh installation of the IPS-1 Management Server. The migration process requires network connectivity from the target machine to the MySQL database port on the source machine, and the original MySQL database must allow users to log in remotely from the target machine.

To export IPS-1 Management Server data to a .jar file using the command line:
1. Stop the IPS-1 Management Server on the source and target machines, but leave the MySQL database running.
2. Open a command-line console on the new machine as root.
3. Change to the ips1 user: "su - ips1"
4. Export Policy settings using the following command:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u [old_db_user] -w [old_db_password] -h [old_db_host IP] -p [old_db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/[new_dest_file_name.jar] -j /opt/cpips1-r65/ips1server
   For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h [old_db_host IP] -p [old_db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/cpips1-r65/ips1server
5. Export Vulnerability Data using the same command with -v appended to the end and a different target filename. For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h [old_db_host IP] -p [old_db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/cpips1-r65/ips1server -v
6. Export Alerts using the same command with -a appended to the end and a different target filename. Alerts from a specific time period can be exported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to export only the alerts from the last 24 hours.

   For example:
   java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h [old_db_host IP] -p [old_db_port] -d esdb -f /opt/cpips1-r65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/cpips1-r65/ips1server -a -t [start date] [end date]
7. Start the IPS-1 Management Server on the target machine and continue with Importing IPS-1 Management Server Data.

Importing IPS-1 Management Server Data

Before importing, be aware that importing policy data causes an automatic, user-informed restart of the IPS-1 Management Server.

To import IPS-1 Management Server data from a .jar file:
1. If the .jar file has been moved from its original location, copy it to:
   /opt/cpips1-r65/ips1server/server/default/data/archive
2. From Policy Manager's Policy Manager menu, select Import. The Database Import window appears.
3. Select a .jar file. Import the Policy Settings, the Vulnerability Data and the Alerts, in that order.
4. Click OK.
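The shell script that the "Exporting Data using the Command Line" section asks for (the three upgradetools.jar exports wrapped for crond), written so the same command builder also serves the "Migrating Data using the Command Line" case by pointing -h at the source server. This is an added example, not a script shipped with IPS-1. It assumes a Linux/SecurePlatform host (GNU date, with a BSD fallback), that the MySQL port of the esdb database is supplied in IPS1_DB_PORT because the port number is elided in this copy of the guide, that the database password is read from an assumed file /opt/cpips1-r65/.esdb_pass (owned by ips1, mode 0400) rather than typed on the command line, and that stopping and starting the IPS-1 Management Server (steps 1 and 7) is done around the script with whatever method the installation provides, since the guide shows no command for it.

```shell
#!/bin/sh
# Scheduled export of IPS-1 Management Server data (added example, not from
# the guide). Builds the three upgradetools.jar command lines from the
# sections above, uses a one-day alert window in the mmddyyyy format that -t
# expects, and runs them through a pluggable runner so the script can be
# dry-run. Assumptions: GNU date (BSD fallback); the esdb MySQL port comes
# from IPS1_DB_PORT (elided in this copy of the guide); IPS1_DB_HOST is
# localhost for a backup and the source server's address when migrating;
# the password file location is assumed.

IPS1_HOME="${IPS1_HOME:-/opt/cpips1-r65/ips1server}"
ARCHIVE_DIR="$IPS1_HOME/server/default/data/archive"
TOOLS_JAR="$IPS1_HOME/server/default/lib/upgradetools.jar"
DB_USER="${IPS1_DB_USER:-ips1dbuser}"
DB_HOST="${IPS1_DB_HOST:-localhost}"
DB_PORT="${IPS1_DB_PORT:-DB_PORT_PLACEHOLDER}"                    # placeholder until the real port is set
DB_PASS_FILE="${IPS1_DB_PASS_FILE:-/opt/cpips1-r65/.esdb_pass}"  # assumed location, ips1-owned, mode 0400
RUNNER="${RUNNER:-sh -c}"                                         # RUNNER=echo prints instead of running

# Archive file name for one data type and a date stamp, e.g. alerts_archive_20090308.jar
archive_name() {
    printf '%s_archive_%s.jar\n' "$1" "$2"
}

# Alert window for the last 24 hours: "<yesterday> <today>" in mmddyyyy.
alert_window() {
    yesterday=$(date -d yesterday +%m%d%Y 2>/dev/null || date -v-1d +%m%d%Y)
    printf '%s %s\n' "$yesterday" "$(date +%m%d%Y)"
}

# Print the export command for one data type.
# $1 = policy | vulnerability | alerts, $2 = archive file name,
# $3 $4 = optional start and end dates (alerts only).
# The password is written as the literal $DB_PASS and expanded only when the
# runner executes the line, so a dry run never prints the secret.
export_cmd() {
    kind=$1; file=$2; start=${3:-}; end=${4:-}
    base="java -jar $TOOLS_JAR -m -u $DB_USER -w \$DB_PASS -h $DB_HOST -p $DB_PORT -d esdb -f $ARCHIVE_DIR/$file -j $IPS1_HOME"
    case $kind in
        policy)        printf '%s\n' "$base" ;;
        vulnerability) printf '%s -v\n' "$base" ;;
        alerts)
            if [ -n "$start" ] && [ -n "$end" ]; then
                printf '%s -a -t %s %s\n' "$base" "$start" "$end"
            else
                printf '%s -a\n' "$base"
            fi ;;
        *) echo "export_cmd: unknown data type '$kind'" >&2; return 2 ;;
    esac
}

# Run the three exports in the guide's order: Policy, Vulnerability Data, Alerts.
# Stop the IPS-1 Management Server before calling this and start it afterwards.
run_exports() {
    stamp=$(date +%Y%m%d)
    set -- $(alert_window)
    start=$1; end=$2
    if [ -r "$DB_PASS_FILE" ]; then
        DB_PASS=$(cat "$DB_PASS_FILE")
    else
        echo "warning: $DB_PASS_FILE not readable, exporting with an empty password" >&2
        DB_PASS=""
    fi
    export DB_PASS
    for kind in policy vulnerability alerts; do
        file=$(archive_name "$kind" "$stamp")
        if [ "$kind" = alerts ]; then
            cmd=$(export_cmd "$kind" "$file" "$start" "$end")
        else
            cmd=$(export_cmd "$kind" "$file")
        fi
        $RUNNER "$cmd" || { echo "export of $kind failed" >&2; return 1; }
    done
}

# Usage: ips1-export.sh run | dry-run   (run it as the ips1 user, per step 3)
case ${1:-} in
    run)     run_exports ;;
    dry-run) RUNNER=echo; run_exports ;;
esac
```

A constructed crontab entry for the ips1 user such as `0 2 * * * /opt/cpips1-r65/bin/ips1-export.sh run` gives the nightly backup the section describes; the date-stamped names keep successive exports from overwriting each other in the archive directory, and the files still need to be copied off the box afterwards. One caveat the script cannot remove: because upgradetools.jar takes the password through -w, it is visible in the java process's argument list to local users for the duration of the export, exactly as with the `-w test` examples above; reading it from a protected file only keeps it out of the crontab and shell history.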


More information

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6 Getting Started Guide Copyright 2017 SonicWall Inc. All rights reserved. SonicWall is a trademark or registered trademark of SonicWall Inc.

More information

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0 ForeScout CounterACT Single CounterACT Appliance Version 8.0 Table of Contents Welcome to CounterACT Version 8.0... 4 CounterACT Package Contents... 4 Overview... 5 1. Create a Deployment Plan... 6 Decide

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

VMware AirWatch: Directory and Certificate Authority

VMware AirWatch: Directory and Certificate Authority Table of Contents Lab Overview - HOL-1857-06-UEM - VMware AirWatch: Directory and Certificate Authority Integration... 2 Lab Guidance... 3 Module 1 - Advanced AirWatch Configuration, AD Integration/Certificates

More information

The following topics describe how to use dashboards in the Firepower System:

The following topics describe how to use dashboards in the Firepower System: The following topics describe how to use dashboards in the Firepower System: About, page 1 Firepower System Dashboard Widgets, page 2 Managing, page 14 About Firepower System dashboards provide you with

More information

HP Management Integration Framework 1.7

HP Management Integration Framework 1.7 HP Management Integration Framework 1.7 Administrator Guide Abstract This document describes the use of HP Management Integration Framework interfaces and is intended for administrators involved in the

More information

Eventia Analyzer. Administration Guide Version R70. March 8, 2009

Eventia Analyzer. Administration Guide Version R70. March 8, 2009 Eventia Analyzer TM Administration Guide Version R70 March 8, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

Reinstalling the Operating System on the Dell PowerVault 745N

Reinstalling the Operating System on the Dell PowerVault 745N Reinstalling the Operating System on the Dell PowerVault 745N This document details the following steps to reinstall the operating system on a PowerVault 745N system: 1. Install the Reinstallation Console

More information

VMware vcenter AppSpeed Installation and Upgrade Guide AppSpeed 1.2

VMware vcenter AppSpeed Installation and Upgrade Guide AppSpeed 1.2 VMware vcenter AppSpeed Installation and Upgrade Guide AppSpeed 1.2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

RocIT Defender User s Guide ViSoS TM Virtual System on a Stick

RocIT Defender User s Guide ViSoS TM Virtual System on a Stick RocIT Defender User s Guide ViSoS TM Virtual System on a Stick Table of Contents 1. Introduction 3 1.1. Minimum System Requirements 3 1.2. Drive Specifications 4 2. Startup Procedure 4 2.1. Configure computer

More information

Administrator s Guide

Administrator s Guide Administrator s Guide 1995 2011 Open Systems Holdings Corp. All rights reserved. No part of this manual may be reproduced by any means without the written permission of Open Systems, Inc. OPEN SYSTEMS

More information

Installation and Configuration Guide

Installation and Configuration Guide CYBERSECURITY, EVOLVED EdgeWave iprism Web Security Installation and Configuration Guide V8.0 15333 Avenue of Science, Suite 100 San Diego, CA 92128 Give us a call 1-855-881-2004 Send us an email: info@edgewave.com

More information

VPN-1 Power VSX VSX NGX R65 HFA 10. Release Notes

VPN-1 Power VSX VSX NGX R65 HFA 10. Release Notes VPN-1 Power VSX VSX NGX R65 HFA 10 Release Notes 12 November, 2009 More Information To view the latest version of this document, see the User Center (http://supportcontent.checkpoint.com/documentation_download?=10363).

More information

Stealthwatch System Version 6.10.x to Update Guide

Stealthwatch System Version 6.10.x to Update Guide Stealthwatch System Version 6.10.x to 6.10.5 Update Guide Use this guide to update the following Stealthwatch appliances from v6.10.x to v6.10.5: UDP Director (also known as FlowReplicator) Endpoint Concentrator

More information

SVProxy3. User Guide

SVProxy3. User Guide SVProxy3 User Guide October 2010 Trademarks & Copyright Trademarks All trademarks mentioned in this manual are the sole property of their respective manufacturers. Copyright SerVision Ltd., Jerusalem,

More information

This option lets you reset the password that you use to log in if you do not remember it. To change the password,

This option lets you reset the password that you use to log in if you do not remember it. To change the password, User s Guide Overview IDrive offers the most cost-effective BMR functionality with onsite disk image backup for SMBs. You can store entire data of hard disks including the operating system (OS) and application

More information

Connectware Manager Getting Started Guide

Connectware Manager Getting Started Guide Connectware Manager Getting Started Guide 90000699_B 2004, 2005 Digi International Inc. Digi, Digi International, the Digi logo, the Digi Connectware log, the Making Device Networking Easy logo, Digi

More information

Recovery Procedure for Cisco Digital Media Manager 5.2

Recovery Procedure for Cisco Digital Media Manager 5.2 CHAPTER 1 Recovery Procedure for Cisco Digital Media Manager 5.2 Revised: May 3, 2010, This document provides the information that you require to recover from a software failure of the Cisco Digital Media

More information

Dell EMC OpenManage Mobile. Version 3.0 User s Guide (Android)

Dell EMC OpenManage Mobile. Version 3.0 User s Guide (Android) Dell EMC OpenManage Mobile Version 3.0 User s Guide (Android) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION

More information

KYOCERA Net Viewer User Guide

KYOCERA Net Viewer User Guide KYOCERA Net Viewer User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform 9.2 (Quick Tour) McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects and prevents

More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 4 Related Technical Documentation...7 Platform Compatibility The

More information

ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi)

ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi) ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi) Revised: November, 2013 Contents Overview, page 1 Guidelines and Limitations, page 1 Prerequisites, page 2 Installation

More information

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5 USER GUIDE CTERA Agent for Windows June 2016 Version 5.5 Copyright 2009-2016 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

Overview. ACE Appliance Device Manager Overview CHAPTER

Overview. ACE Appliance Device Manager Overview CHAPTER 1 CHAPTER This section contains the following: ACE Appliance Device Manager, page 1-1 Logging Into ACE Appliance Device Manager, page 1-3 Changing Your Account Password, page 1-4 ACE Appliance Device Manager

More information

Avaya Aura TM System Platform R6.0 Release Notes Issue 2.0

Avaya Aura TM System Platform R6.0 Release Notes Issue 2.0 Avaya Aura TM Release Notes Issue 2.0 INTRODUCTION This document introduces the Avaya Aura TM System Platform Release 6.0 and describes known issues and the issues resolved in this release. Please Note:

More information

Attix5 Pro Storage Platform Console

Attix5 Pro Storage Platform Console Attix5 Pro Storage Platform Console V7.0.1 User Manual for Microsoft Windows Your guide to managing the Attix5 Pro backup environment using the Storage Platform Console. 0 Copyright notice and proprietary

More information

Cascade Sensor Installation Guide. Version 8.2 March 2009

Cascade Sensor Installation Guide. Version 8.2 March 2009 Cascade Sensor Installation Guide Version 8.2 March 2009 Trademarks Riverbed, the Riverbed logo, Riverbed Cascade, and Cascade are trademarks of Riverbed Technology, Inc. Intel is a registered trademark

More information