Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide
Part Number N450000567 Rev 001
Published September 2007
COPYRIGHT
2007 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
Nokia Contact Information

Corporate Headquarters
  Web Site: http://www.nokia.com
  Telephone: 1-888-477-4566 or 1-650-625-2000
  Fax: 1-650-691-2170
  Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
  Americas
    Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
    Tel: 1-877-997-9199
    Outside USA and Canada: +1 512-437-7089
    email: info.ipnetworking_americas@nokia.com
  Europe, Middle East, and Africa
    Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
    Tel: UK: +44 161 601 8908
    Tel: France: +33 170 708 166
    email: info.ipnetworking_emea@nokia.com
  Asia-Pacific
    438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
    Tel: +65 6588 3364
    email: info.ipnetworking_apac@nokia.com

Nokia Customer Support
  Web Site: https://support.nokia.com/
  Email: tac.support@nokia.com
  Americas
    Voice: 1-888-361-5030 or 1-613-271-6721
    Fax: 1-613-271-8782
  Europe
    Voice: +44 (0) 125-286-8900
    Fax: +44 (0) 125-286-5666
  Asia-Pacific
    Voice: +65-67232999
    Fax: +65-67232897
About This Document

This document describes how to quickly set up a Nokia Intrusion Prevention with Sourcefire appliance to operate as a Sourcefire 3D Sensor on Nokia. It describes the minimum configuration you need to do to set up the appliance. For information on additional configuration you might want to perform, see the Nokia Intrusion Prevention with Sourcefire User's Guide, available on the product CD that came with your appliance.

About Nokia Intrusion Prevention with Sourcefire

Nokia Intrusion Prevention with Sourcefire combines intrusion and vulnerability management technologies to provide real-time network security. Based on the Sourcefire 3D System, Nokia Intrusion Prevention with Sourcefire enables you to access the condition of the network in real time, update and enforce policies, monitor and manage vulnerabilities, and respond quickly to security threats.

Nokia Intrusion Prevention with Sourcefire consists of the following components:

- Sourcefire 3D Sensor on Nokia: consists of the Sourcefire Sensor on Nokia application running on a Nokia Intrusion Prevention with Sourcefire appliance. A Sourcefire 3D Sensor on Nokia can be deployed to run any or all of the following:
    - Sourcefire Intrusion Prevention System (IPS): IPS monitors your network for attacks that might affect the availability, integrity, or confidentiality of hosts on the network.
    - Sourcefire Real-Time Network Awareness (RNA): RNA provides active realtime network discovery and vulnerability analysis.
    - Sourcefire Real-Time User Awareness (RUA): RUA allows you to correlate threat, endpoint, and network intelligence with user identity information.
- Sourcefire Defense Center for Nokia: a standalone server that provides correlation of intrusion events with network and host attributes and flow data, as well as scalable centralized management of distributed 3D Sensors.

For more information about Nokia Intrusion Prevention with Sourcefire and its components, see the Nokia Intrusion Prevention with Sourcefire User's Guide.
Before You Begin

Plan Your Deployment

Before you begin installing and configuring your Nokia appliance, plan how you will deploy the Nokia Intrusion Prevention with Sourcefire components as part of a network and enterprise security plan. The Nokia Intrusion Prevention with Sourcefire User's Guide provides information on intrusion prevention considerations, on network deployment scenarios, and on the use of network devices, such as hubs, switches, and taps, to connect your sensor.

Set Up the Defense Center

You should set up your Defense Center before you install and configure your 3D Sensors. To set up the Defense Center, see the first two chapters of the Sourcefire Defense Center for Nokia Installation Guide. This guide is available on the Documentation and Restore CD that is shipped with the Defense Center.

Nokia appliances can be configured to synchronize time with an NTP time server. A recommended way to achieve time synchronization between 3D Sensors and the Defense Center is to configure the Defense Center to be an NTP server that can serve time to the sensors. To do so, when you configure the system policy for the Defense Center during the initial setup, set the Serve Time via NTP field to enabled.
Setup Overview

The following figure presents an overview of the steps to follow when you set up a Nokia appliance to operate as a 3D Sensor. Each step is described in more detail in the following pages.

Start
 1  Install the appliance
 2  Perform the initial configuration
 3  Configure DNS
 4  Configure system time
 5  Enable Sourcefire Sensor software
 6  Set up communication with Defense Center
 7  Add sensor to Defense Center
 8  Install licenses
 9  Update sensor software
10  Configure detection engine
Setup Complete!
1 Install the Appliance

The following procedure describes the main steps you need to take to install your appliance. If you need more help, refer to the appropriate Nokia IPxxx Intrusion Prevention with Sourcefire Installation Guide, which is available on the product CD that came with your appliance.

To install the appliance

1. Check the contents of the carton against the packing list to make sure that you received all of the items you ordered. Store any packing material that you might require for later shipping.
2. Read any documents packed with the appliance. In addition, read the Release Notes for IPSO-LX, which is available on the CD that came with your appliance or on the Nokia support Web site.
3. Make a note of the serial number of the appliance, which is located on the Product Tracking I.D. Label on the bottom or side of the appliance. You will need the serial number to obtain a license for the Intrusion Prevention System (IPS) software.
4. Install the appliance in the equipment rack.
5. Connect the cables as follows:
   - Connect the supplied RJ-45 cable to the console port. You need to have a console connection to perform the initial configuration. DHCP is not supported.
   - Connect the cable for the management interface as follows:
       - On a Nokia IP690 IPS, use the first or second port on slot 4.
       - On a Nokia IP290 IPS or IP390 IPS, use any one of the built-in Ethernet ports.
   - Connect cables to the remaining Gigabit Ethernet ports that you want to use as sensing interfaces. Because the Sourcefire application requires a dedicated management interface, the management interface cannot be used as a sensing interface.

For more information on connecting sensing interfaces to network devices and on cabling, see the Nokia Intrusion Prevention with Sourcefire User's Guide, available on the product CD that came with your appliance.
2 Perform the Initial Configuration

When you turn on your appliance for the first time, a console wizard automatically runs that prompts you to provide initial configuration information. The information you need to supply includes:

- The local hostname for the appliance. The name you choose can include alphanumeric characters, dashes (-), and periods (.).
- The case-sensitive password for the admin user account. The admin user has complete read/write privileges for all IPSO-LX features that can be configured through Nokia Network Voyager, a Web-based element management interface.
- The case-sensitive password for the root user account.
- The physical interface to be used for the management interface, its IP address, and network mask length.
- The IP address of the default gateway for the appliance.

To perform the initial configuration

1. Establish a console connection to the appliance, using a terminal or terminal emulation program with the following port settings:
   - 9600 bps
   - 8 data bits
   - No parity
   - 1 stop bit
2. The initial configuration begins with the following prompt:

       Hostname?

   If the Hostname? prompt does not appear on the console, see the Nokia IPxxx Intrusion Prevention with Sourcefire Installation Guide for your appliance for troubleshooting suggestions.
3. Answer the prompts for hostname, user admin password, and user root password.
4. When you see the following message, type 1.

       You can configure your system in two ways:
       1) configure an interface and use our Web-based Voyager via a remote browser
       2) configure an interface using CLI after reboot
       Please enter a choice [ 1-2, q ]:

5. Select the physical interface that will be used for the management interface:

       Select an interface from the following for configuration:
       1) eth1
       2) eth2
       3) eth3
       4) eth4
       5) quit this menu
       Enter choice [1-5]:

   The list of interfaces that you see depends on the NICs that are installed. Built-in port names take the form ethn, while ports on NICs take the form eth-snpn. For example, eth-s4p1 is the Ethernet port in chassis slot 4, port 1.
   Type the number for the interface you want to configure. This interface should be the same interface as you connected the management cable to.
6. When prompted, enter the IP address and subnetwork mask length.
7. When you see the following message, type y (the default option):

       Do you wish to set the default route [ y ]?

8. When prompted, enter the IP address of the default router for this interface.
9. When prompted to configure speed and duplex mode, you can either:
   - Configure speed and duplex mode, thereby turning off auto-negotiation. Do this if you do not want to use Ethernet auto-negotiation.
   - Enter Return to bypass this step. Do this if you want to leave auto-negotiation on.
10. When asked to confirm the interface parameters, type y.

The system will continue booting. When it is completed, the login prompt will appear.
3 Configure DNS

After the appliance reboots, you are ready to continue configuring it by using Network Voyager. If you will be identifying the Defense Center that manages this sensor by hostname, rather than an IP address, you need to configure DNS and specify a DNS server.

To use Network Voyager

1. Start a Web browser on a workstation that can connect to the appliance.
2. Enter the IP address you assigned to the management interface during the initial configuration.
   If you use HTTPS to make the connection, you need to enter the SSL port number, 8443. For example: https://10.10.10.10:8443.
   If you use HTTP, you are automatically redirected to HTTPS and the correct SSL port. You do not need to enter the port number.
   Because SSL is enabled, you will receive warning messages about the sample certificate on the system. Accept the connection.
3. Log in as admin and use the password that you assigned to the admin user.

Note: As part of configuring the appliance with Network Voyager, do not enable the network interfaces that will be used as sensing interfaces. The interfaces should be administratively down. The only interface that should be enabled is the management interface.

To configure DNS

1. Choose System Configuration > DNS in the Network Voyager navigation tree.
2. Enter the following information into the following fields:
   - Search list field: enter a list of domain names that might be appended to names users enter when trying to connect. Separate each name with a space. The maximum length of the entire search list is 256 characters. The maximum number of items in the search list is 6.
   - Server fields: enter the IP address of a host running a DNS server. The optional secondary and tertiary servers are used if the primary (or secondary) server fails to respond.
3. Click Submit.
4 Configure System Time

You must ensure that time is synchronized between the Defense Center and the 3D Sensors it manages. Nokia recommends that you do so by configuring the appliance to use NTP for continuous time synchronization with an NTP time server. You can configure the Defense Center itself to be the NTP time server.

Because it can take a while for the time synchronization to occur after you enable NTP, you might want to first manually set the time and date by accessing the NTP server once and then enable NTP for continuous time synchronization.

To set system time once

1. Choose System Configuration > Time from the tree view.
2. Select the appropriate time zone in the Time Zone list box.
3. Either set the time manually or specify a time server:
   - To set the time manually, enter the time and date units to change. You do not need to fill in all fields; blank fields default to their existing values. Specify hours in 24-hour format.
   - To set the time using an NTP time server, enter the name or IP address of the time server in the NTP Time Server text box. Choosing this option sets the time once; it does not update the time on a regular basis.
4. Click Submit.

To enable NTP

1. Choose Router Services > NTP from the tree view.
2. In the Add New NTP Server text field, enter the IP address for an NTP server and click Add. The server appears in the NTP Servers table.
3. Configure parameters for the server. Usually, you only need to select the Use check box and you can accept the default settings for all other parameters.
4. Add additional NTP servers if desired.
5. Click Enable NTP.
6. Click Submit.
5 Enable the Sourcefire Sensor on Nokia Software

The Sourcefire Sensor on Nokia software comes preinstalled on your appliance. You need only to enable it.

To enable the Sourcefire Sensor on Nokia software

1. Select System Configuration > Packages > Manage Packages from the tree view.
2. Click the Enable check box for the Sourcefire Sensor on Nokia package.
3. Click the Submit button. After a short wait, a message appears telling you that the package has been registered.

Note: Although the message suggests a reboot might be necessary, you do not need to reboot the sensor.

After the Sourcefire Sensor on Nokia package is enabled, a link to the Sourcefire Sensor Configuration page appears in the Network Voyager tree view.
6 Set Up Communications with Defense Center

Establishing the connection between a 3D Sensor and the Defense Center is a two-step process. You need to:

1. Set up communications with the Defense Center on the sensor.
2. Add the sensor to the Defense Center.

To set up communications on the sensor, you must specify the management interface to use and the IP address of the Defense Center, and provide registration information for security purposes. Once you have done this, you can add the sensor to the Defense Center, using the registration information you supplied on the sensor.

To set up communications with the Defense Center

1. Select the Sourcefire Sensor link from the tree view.
2. Provide the following information on the Sourcefire Sensor Configuration page:
   - Management Interface: the interface that will be used for Defense Center communications. You can choose only from the interfaces that are in the Up status.
   - Management Host: the IP address or host name of the Defense Center. Use a hostname rather than an IP address if your network uses DHCP to assign IP addresses.
   - Registration ID: an optional alphanumeric value you can define as an additional security check. If you specify an ID, you will have to provide this ID when you add the sensor to the Defense Center. This ID is useful in a network environment that uses network address translation, where more than one host could have the same IP address.
   - Registration Key: a one-time-use registration key that you define and that you must provide when you add the sensor to the Defense Center.
   - Management Port: the TCP port number you want to use for communications between the Defense Center and the sensor. The default value is 8305/tcp. All appliances in your deployment should use the same port number.
3. Click the Submit button.
7 Add the 3D Sensor to the Defense Center

You are now ready to add the 3D Sensor to the sensors managed by the Defense Center. After you complete this procedure, communications between the Defense Center and the sensor are established and you can start managing the sensor from the Defense Center.

To add the sensor to the Defense Center

1. Log in to the Defense Center.
2. Select Operations from the main menu bar, then click Sensors.
3. On the Managed Sensors page, click New Sensors.
4. Provide the following information on the Sensor Administration page:
   - Host: the IP address of the sensor.
   - Registration ID: Enter the registration ID if you defined one.
   - Registration Key: Enter the registration key.
   - Store Events and Packets Only on the Defense Center: Because you can store data on only the Defense Center and not the sensor, this check box is selected automatically. You cannot change this setting for Sourcefire Sensors on Nokia.
   - Prohibit Packet Transfer to the Defense Center: You can prevent packet data from being stored on the Defense Center by checking this check box.
     Note: If you elect to prohibit sending packet data, the data is not retained. Packet data is often important for forensic analysis.
   - Add to Group: Select the group, if any, you want the sensor to belong to.
5. Click the Add button.

The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor heartbeat and establish communication. You can view the sensor status on the Defense Center Sensors page (Operations > Sensors).
8 Install the Licenses

You cannot receive events from any 3D Sensor until the appropriate feature license is installed on the Defense Center. The licenses required are as follows:

- An IPS software license for each sensor running the Sourcefire Intrusion Prevention System (IPS).
- An RNA Host license to receive RNA events from any sensor running Real-time Network Awareness (RNA). As long as the host limits are not exceeded, a single RNA Host license allows the Defense Center to receive events from multiple sensors.
  For example, if your Defense Center will be managing three different Sourcefire 3D Sensors on Nokia, with two of them running IPS and all three running RNA, then you must add two IPS software licenses and a single RNA Host license that is large enough to cover the number of hosts monitored by the three sensors in aggregate.
- An RUA license to receive RUA events from any sensor running Real-time User Awareness (RUA). As long as the user limits are not exceeded, a single RUA license allows the Defense Center to receive user login events from multiple sensors with RUA.

Obtain and install a license as follows:

1. Use the Nokia serial number to obtain a license from the Web-based licensing center, as described in "To obtain the license" below.
   - For an IPS software license, use the appliance serial number, which is available on the Product Tracking I.D. Label that is on the bottom or side of your sensor unit.
   - For an RNA Host license or an RUA license, use the serial number you received in the entitlement email from Nokia.
2. Add the license to the Defense Center, as described in "To add the license" below.

To obtain the license

1. From the Defense Center, select Operations > System Settings. The Information page appears.
2. On the Information page, click License. The License page appears.
3. On the License page, click Add New License. The Add Feature License page appears.
4. Click the Get License button. The Licensing Center Web site appears.
   Note: If your web browser cannot access the Internet, copy down the license key at the bottom of the Add Feature License page. Switch to a browser on a host that can access the Internet and go to https://www.keyserver.nokia.sourcefire.com.
5. Follow the on-screen instructions for obtaining a feature license.
   Note: The Licensing Center Web site accepts 12-digit serial numbers only. Add leading zeros to your Nokia feature serial number to make it a 12-digit number. For example, for an IPS software license, add a leading zero to your appliance serial number. If your appliance serial number is 93060305299, enter it as 093060305299.
6. The feature license will be sent to you in an email. When you receive your license, you can then add it to the Defense Center as described in the next procedure.

To add the license

1. Copy the license from the email.
2. Return to the Add Feature License page, if you are not already there.
3. In the License field, paste the license provided to you by email.
4. Click the Verify License button to make sure the license has been copied correctly and is valid. A message appears stating whether the license has been verified or not.
5. If the license has been verified, click the Submit License button.
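Several settings in sections 1 to 8 carry stated constraints (hostname characters, interface naming, a dedicated management interface, DNS search list limits, one management port for all appliances, 12-digit serials) that can be checked on paper before the console session. The Python below is an added example, not Nokia or Sourcefire code; SensorPlan, check_plan, check_deployment and normalize_serial are hypothetical names, the sample plans are constructed, and flagging a reused registration key is an assumption drawn from the key being described as one-time-use.

```python
"""Pre-flight check of planned sensor settings (added example, hypothetical names)."""
import re
from dataclasses import dataclass

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")      # alphanumerics, dashes, periods
IFACE_RE = re.compile(r"eth(\d+|-s\d+p\d+)")     # built-in ethN or NIC eth-sNpN
DEFAULT_MGMT_PORT = 8305                         # default value given in section 6
MAX_SEARCH_CHARS, MAX_SEARCH_ITEMS = 256, 6      # DNS search list limits, section 3


@dataclass
class SensorPlan:
    hostname: str
    mgmt_iface: str
    sensing_ifaces: tuple
    registration_key: str
    dns_search: str = ""
    mgmt_port: int = DEFAULT_MGMT_PORT


def normalize_serial(serial):
    """Left-pad a numeric serial to the 12 digits the Licensing Center accepts."""
    if not (serial.isascii() and serial.isdigit()) or len(serial) > 12:
        raise ValueError(f"not a serial of at most 12 digits: {serial!r}")
    return serial.zfill(12)


def check_plan(plan):
    """Return a list of problems for one sensor; an empty list means none found."""
    problems = []
    if not HOSTNAME_RE.fullmatch(plan.hostname):
        problems.append("hostname: only alphanumerics, '-' and '.' are allowed")
    for name in (plan.mgmt_iface, *plan.sensing_ifaces):
        if not IFACE_RE.fullmatch(name):
            problems.append(f"interface {name}: expected ethN or eth-sNpN")
    if plan.mgmt_iface in plan.sensing_ifaces:
        problems.append("management interface cannot also be a sensing interface")
    if len(plan.dns_search) > MAX_SEARCH_CHARS:
        problems.append("DNS search list exceeds 256 characters")
    if len(plan.dns_search.split()) > MAX_SEARCH_ITEMS:
        problems.append("DNS search list has more than 6 items")
    if not plan.registration_key:
        problems.append("registration key is required")
    if not 1 <= plan.mgmt_port <= 65535:
        problems.append("management port is not a valid TCP port")
    return problems


def check_deployment(plans):
    """Run per-sensor checks, then the checks that span the whole deployment."""
    report = {p.hostname: check_plan(p) for p in plans}
    shared = []
    ports = sorted({p.mgmt_port for p in plans})
    if len(ports) > 1:
        shared.append(f"appliances use different management ports: {ports}")
    keys = [p.registration_key for p in plans if p.registration_key]
    if len(keys) != len(set(keys)):
        # Assumption: a key described as one-time-use should not be shared.
        shared.append("a registration key is reused across sensors")
    report["(deployment)"] = shared
    return report


# Constructed sample plans; names and keys are placeholders.
SAMPLE_PLANS = [
    SensorPlan("ips-dmz.example.net", "eth-s4p1", ("eth-s1p1", "eth-s1p2"),
               "constructed-key-1", "example.net lab.example.net"),
    SensorPlan("ips_core", "eth1", ("eth1", "eth2"),
               "constructed-key-1", "a b c d e f g", mgmt_port=8306),
]

if __name__ == "__main__":
    for name, problems in check_deployment(SAMPLE_PLANS).items():
        print(name, "OK" if not problems else problems)
    print(normalize_serial("93060305299"))
```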
9 Update the Sensor Software

Before you start modifying the sensor configuration and applying policies to the sensor, you should check for software updates and update the software if necessary. Sourcefire releases patches to the sensor software, vulnerability database updates (VDBs) for sensors running RNA, and security enhancement updates (SEUs) for IPS policies.

If your Defense Center has an internet connection, you can download and install updates from the Defense Center.

- For downloading and installing sensor software patches and VDBs, go to Operations > Update.
- For SEU updates, go to Policy & Response > IPS > SEU.

Sensor software updates, SEUs, and VDBs are also available for download at the Nokia Support Web site. You can then use the Defense Center to upload them and install them.

For more information, see the Sourcefire 3D System for Nokia User Guide.
10 Configure the Detection Engines

At this point, your Sourcefire 3D Sensor on Nokia is set up in the following default configuration:

- All the available network interfaces, excluding the management interface, are combined in a single passive interface set. (To be considered available, an interface must be administratively disabled.)
- A single IPS detection engine is created, which uses the default passive interface set.

If the default configuration of your sensor matches your deployment needs, you can start receiving events from the sensor as soon as you apply a passive IPS policy to your detection engine. From the Defense Center, you can select Policy & Response > IPS > Detection & Prevention to create and apply a passive IPS policy. For more information, see Creating Intrusion Policies in the Sourcefire 3D System for Nokia User Guide.

Changing the Default Configuration

Your deployment might require a different configuration from the default configuration. For example, you might be deploying your sensor inline with fail open interfaces, which would require creating an inline with fail open interface set. Or you might want to also run RNA or RUA over the default passive interface set.

To change the default configuration, you can:

- Edit the default interface set and create new interface sets.
  By removing interfaces from the default interface set, you make those interfaces available for inclusion in other interface sets that you create (for example, an inline interface set). The new interface set can then be assigned to the default detection engine or to a new detection engine that you create.
  To begin configuring interface sets, select Operations > Configuration > Detection Engines > Interface Sets.
- Edit the existing default detection engine or create a new detection engine.
  For example, if you are deploying your sensor inline, you can edit the IPS default detection engine to use an inline interface set, rather than the default passive interface set. Or you can create a new detection engine to run RNA or RUA.
  To begin editing or creating detection engines, select Operations > Configuration > Detection Engines > Detection Engines.
  Note: The number of detection engines available to you depends on which Nokia appliance model you are using.
- Create IPS or RNA policies.
  Before a detection engine can start sending IPS or RNA events to the Defense Center, it must have a policy installed. Default IPS policies are supplied that you can use as a basis for your IPS policy. You should also configure the RNA settings in the system policy. RUA detection engines do not require a policy.
  To begin creating or applying detection policies, select Policy & Response and then either IPS or RNA, depending on the type of policy.

The Sourcefire 3D System for Nokia User Guide provides information on how to create and change interface sets, detection engines, and detection policies.
For Further Information

In addition to this guide, the following documentation is available on the CD that came with your Nokia appliance and on the Nokia Support Web site:

- Nokia Intrusion Prevention with Sourcefire User's Guide: provides an overview of the Nokia Intrusion Prevention with Sourcefire components, describes how to plan the deployment of the components, and how to set up and manage a Sourcefire 3D Sensor on Nokia.
- Administrator's Guide for Nokia IPSO-LX: describes how to configure and manage appliances running IPSO-LX.
- Release Notes for Nokia IPSO-LX: contains a list of new features for the current Nokia IPSO-LX release, upgrade and initial configuration instructions, and known limitations. This document might be available only on the Nokia Support Web site.
- CLI Reference Guide for Nokia IPSO-LX: describes the commands that you can implement from the command-line interface (CLI) for IPSO-LX.
- Nokia IPxxx Intrusion Prevention with Sourcefire Installation Guide: describes how to install and maintain the appliance.

The following documentation is available on the Documentation and Restore CD that came with your Sourcefire Defense Center for Nokia or on the Nokia Support Web site:

- Sourcefire Defense Center for Nokia Installation Guide: describes how to install and initially configure the Defense Center.
- Sourcefire 3D System for Nokia User Guide: describes how to use the Defense Center to manage sensors, create detection policies, evaluate intrusion events, and so on.
- Sourcefire 3D System for Nokia Release Notes: describes known issues for the Defense Center for Nokia. This document might be available only on the Nokia Support Web site.