TippingPoint X505 Training - IPS - General Concepts and Configuration

Date post: 30-Oct-2014
Upload: justingoldberg
Page 1: TippingPoint X505 Training - IPS - General Concepts and Configuration

TippingPoint X505 Training

IPS – General Concepts and Configuration

Page 2

IPS – Objectives

> Upon completion of this module, you should be familiar with the following:

— Firewall vs. IDS vs. IPS

— IPS Architecture

— Digital Vaccines

— IPS Filters

— Action Sets

— Quarantine

— Threat Suppression Engine (TSE)

— Firewall – IPS Interaction

— Virtual IPS Segments

Page 3

What about Firewalls?

> A firewall blocks traffic to ports (UDP or TCP) that are not offering public services

— They offer little or no protection against attacks involving known allowed services such as SMB, HTTP, SMTP, IM, P2P, Spyware, Phishing

— Don’t protect against internal threats: VPN, Wireless, Traveling Users, consultants, guests

> Many different firewall offerings with different features

— Generally speaking, all firewalls will inspect and take action on a packet traveling from one network interface to another.

— Vendor-specific firewall features:

> Layer 3/4 stateful connection tracking and filtering

> Network address translation

> Virtual private network termination, IPSEC, etc.

> SSL

Page 4

What about Intrusion Detection Systems (IDS)?

> By design, an IDS detects malicious traffic

> Listens to traffic promiscuously

> Monitors packets on a network and alerts on “possible suspicious activity.”

— Capable of detecting many types of network attacks.

> Lots of false positives by design

> Since, by definition, it does not have to block traffic, the signatures can be “looser”, thus generating false positives.

> This generates more alert traffic and therefore more work for the administrator

> Must chase each IDS alert and perform cleanup after each compromise.

– See “The boy who cried wolf”

— Does nothing to “counter” attacks.

TippingPoint Customer Quote:

“IDS tells you what gun, and caliber bullet you were shot with. But it does nothing to stop the bullet.”

Page 5

And so we have the IPS…

> Patch at the Network Level by taking the IDS “idea” and adding the ability to block an attack

> Requirements:

— Function inline with switch-like speed, reliability, and performance: low latency, highly available

— Be both a network device and a security device

— NO False Positives

— Real time filter updates with zero downtime

— Flexible architecture that can provide multiple types of filtering and evolve with the changing attack spectrum

— Automatic Protection – As little tuning as possible

Note: You cannot just add blocking ability to an IDS. Fundamental architecture changes need to be made. This is a completely new “animal.”

Page 6

IPS Architecture

[Diagram: packet-processing pipeline with stages labeled Hardware and Software. Blocks shown: Packet Header Processing, Session State / Connection Table, Packet & Flow Reassembly, Content Matching (Match, Sweeps, Scans, Floods), Statistics Management, Exception Trigger Verification, Event Generation, Flow Control, Threat Verification, Trigger Result, Rules Database / Filters. Outcomes: Drop, Block, Benign, Alerts. Numbered steps 1–7 as listed below.]

1. Connection Validation

2. Hdr Pre-processing / Pkt Validation

3. Stream Reassembly

4. Stream Content Inspection

5. Trigger Result

6. Threat Verification

7. Traffic Management

Note: “Hardware” is emulated in the X505.

Page 7

Filter Updates with TippingPoint’s Digital Vaccine Service

[Diagram: Raw Intelligence Feeds (SANS, CERT, Vendor Advisories, Bugtraq, VulnWatch, PacketStorm, Securiteam, @RISK Weekly Report) → Vulnerability Analysis → Vaccine Creation → Digital Vaccine Automatically Delivered to Customers]

Scalable distribution network using Akamai’s 9,700 servers in 56 countries

Page 8

Digital Vaccine - Automatic Protection

> Digital Vaccine

— Our term for new filter updates.

> “An inoculation for your network.”

— Weekly updates (sometimes more often when circumstances arise.)

— Out-of-Box Protection via “Recommended Setting” for all filters

> For example: dangerous attacks are set to block by default

— New updates automatically downloaded from the TippingPoint Threat Management Center

— No network down time – Filter updates happen in real-time

Page 9

IPS Filters

Page 10

IPS – Protected, but Customizable

The IPS out-of-the-box configuration recognizes and blocks traffic that is known to be malicious at all times, under all conditions, in all network environments.

However, customization is required for:

> Security Policies (No rsh or rlogin from Internet)

> Filter Exceptions (Exceptions for Legacy Servers)

> Unique application mix (VoIP)

> Traffic control using rate-limiting (P2P)

> Traffic Thresholds

> Traffic Management

> Advanced DDoS (Syn Flood attacks)

Page 11

TSE and Hierarchical Filtering

Check Packet Header Information: IP Address, Ports, ICMP Types, etc.

Transport Layer Session Tracking

Application Layer Session Tracking

Context-sensitive string matches against payload

Fine-grained application layer protocol decoding

Complex Regular Expression Matching

Actions: Notifications, Blocked Streams, Quarantine, Packet Traces

Page 12

What makes up a TippingPoint Filter?

Meta Information and User Settings are visible to the user via the LSM.

Filter Information is masked from the user.

User Settings constitute the security policy (or profile) for a given filter.

• User Settings (Policy/Profile): Filter or Category Control, Enabled/Disabled, Action, Exceptions, Filter Level AFC Settings

• Filter Information: Source/Destinations, Ports, Trigger, Verification

• Meta Information: Name, Number, Description, Category

Page 13

Individual Filter Details – Settings

> Each Filter has a “recommended” setting

> A filter can be under one of two types of control:

— Category Control – This filter will be controlled by its category settings

> Check what category a filter is in, and check “Category Settings”

— Filter Control (“Override”) – This filter will be controlled by its own settings

> A filter can be Enabled/Disabled

> A filter will have one action that “executes” when a packet matches the filter

> Exceptions can be created for a specific filter

— Exceptions allow you to skip filter checking for specific source or destination IP addresses or ranges

— Define the IP addresses by CIDR block or by defining the IP address explicitly

— Useful for legacy server “issues”

— Improving Performance with certain applications (NFS, for example.)

Page 14

Segment Specific Filter Settings

> Filters can be configured to apply only to a specific segment

> Use the “Copy Filter” feature to do this

Page 15

Default Filter “Action Sets”

> Action sets determine what the IPS does when a packet triggers a filter

Page 16

IPS Action Sets

Page 17

Action Sets

> An action set consists of Flow Control and other Settings

— Flow Control

> Permit

> Block

> Rate Limit

— Other Settings

> Optional Packet Trace (for Permit or Block only)

> Optional Contacts (for Permit or Block only)

– Management Console – Notifies the LSM and the SMS

– Syslog – Sends notification to optional syslog server(s)

– Email – Sends notification to optional email address(es)

> Example: Block + Notify

— Flow Control = “Block”

— Optional Contacts = “Management Console”

Page 18

Creating a New Action Set

> Note – The action set name doesn’t necessarily reflect what it does

Page 19

Action Set Contacts

> Management Console - MGMT – sends alerts to LSM and SMS

— This contact is predefined for all default filters that want to send notifications to the SMS and LSM

> SMS - SNMP – sends alerts to the SMS

— Selecting this will only send alerts to the SMS

> LSM - Alert – sends alerts to the LSM

— Selecting this will only send alerts to the LSM

> Remote System Log – sends alerts to a remote syslog server or servers.

— Only use remote syslog on a secure, trusted network. Remote syslog, in adherence to RFC 3164, sends clear-text log messages using the UDP protocol.

> Email – sends alerts to an email address

— To use e-mail contacts, you must have already supplied the mail server, domain, from, and to information.

Page 20

Notification Contact

> Note – The limit on the number of emails per minute works in conjunction with event aggregation.

— The IPS limits the number of e-mail alerts sent in a minute. This feature supplements the currently used aggregation functionality in the IPS. The system by default allows the sending of ten (10) e-mail alerts per minute. On the first email alert, a 1-minute timer starts, counting the number of email alerts to send according to the configured limit. E-mail alerts beyond the limit in a minute are blocked. After one minute, the system resumes sending e-mail alerts. If any e-mail alerts were blocked during that minute, the system logs a message to the system log.
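The per-minute e-mail alert limit described in the note above, modelled as an added Python example (not TippingPoint code); the class name, the log wording and the constructed timing scenario are assumptions.

```python
"""Added model of the per-minute e-mail alert limit (not TippingPoint
code): ten alerts per minute by default, a 1-minute timer started by the
first alert, excess alerts blocked, and one system-log message if alerts
were blocked when the minute ends. Class name and log text are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EmailAlertLimiter:
    limit_per_minute: int = 10            # slide: default is ten (10) per minute
    window_start: Optional[float] = None  # time of the first alert in the window
    sent_in_window: int = 0
    blocked_in_window: int = 0
    sent: List[str] = field(default_factory=list)
    system_log: List[str] = field(default_factory=list)

    def _close_window(self) -> None:
        # Slide: if any alerts were blocked during the minute, log a message.
        # The window is closed lazily, when the next alert arrives after it.
        if self.blocked_in_window:
            self.system_log.append(
                f"{self.blocked_in_window} e-mail alert(s) exceeded the "
                f"{self.limit_per_minute}/minute limit and were not sent")
        self.window_start = None
        self.sent_in_window = 0
        self.blocked_in_window = 0

    def alert(self, now: float, message: str) -> bool:
        """Offer one alert at time `now` (seconds); True if it was sent."""
        if self.window_start is not None and now - self.window_start >= 60:
            self._close_window()          # minute over: sending resumes
        if self.window_start is None:
            self.window_start = now       # first alert starts the 1-minute timer
        if self.sent_in_window < self.limit_per_minute:
            self.sent_in_window += 1
            self.sent.append(message)
            return True
        self.blocked_in_window += 1       # beyond the limit: blocked
        return False


def simulate_burst() -> Tuple[int, int, int]:
    """Constructed scenario: 15 alerts within the first second, then one
    more after 61 s. Returns (sent in burst, sent after resume, log lines)."""
    limiter = EmailAlertLimiter()
    in_burst = sum(limiter.alert(0.5, f"alert {i}") for i in range(15))
    after = int(limiter.alert(61.0, "alert after the minute"))
    return in_burst, after, len(limiter.system_log)
```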

Page 21

Action Sets – Best Practices

> For user-defined action sets, check the action set before using it, since the name is not necessarily reflective of what the action set is doing.

> Use Packet Traces and email notifications at a minimum

— Packet Traces are useful for detailed forensic analysis, but shouldn’t be used widely.

> Use and understand aggregation limits for all notifications. 1 minute is the default for all aggregations:

— Email

— Syslog

— Management Console

> There is no purpose in creating an action set with flow control set to Permit and no notifications (a “Silent Action Set”).

Page 22

Quarantine

> Replaces Blacklisting (from older versions of TP IPS)

> Quarantine is now an available action that can be added to any Blocking action set

— Web Request Control

> Block

> Redirect

> Show Web Page

– Show Filter name that caused Quarantine

– Show Filter description that caused Quarantine

– Show custom text – User defined

— Block/Permit all other traffic

— Quarantine can be limited to a specific group of addresses

— Certain addresses can be exempt from Quarantine

— “Walled Garden” support for specific IP addresses

> Source Address Blocking Only

Page 23

Quarantine

Page 24

Quarantined Addresses

> IP addresses that have been quarantined (either manually or via a filter action set) are displayed in the “Quarantined Addresses” section

Page 25

Threat Suppression Engine

Page 26

TSE – Timers and Tables

> The following variables, timers, and tables are core to the operation of the IPS:

— TSE Connection Table

> Table timeout

> Blocked Streams

– Flushing Single

– Flushing All

> Quarantine Streams

> Rate Limited Streams

— TSE Adaptive Filtering Configuration

— TSE Adaptive Aggregation

Page 27

TSE Connection Table

> The TSE is a “flow” based network security engine.

— Each packet is identified as a member of a flow. A flow can have one or more packets. Each flow is tracked in the “connection table” on the IPS.

— A flow is uniquely identified by its packet header information:

> IP protocol (ICMP, TCP, UDP, other)

> source IP address

> source port (TCP or UDP)

> destination IP address

> destination port (TCP or UDP)

— Once classified, each packet is inspected by the appropriate set of protocol and application filters.

— If a packet flow is to be blocked (matches a block filter) its “connection table” entry is tagged as a “blocked stream” and any subsequent packets belonging to the same flow are discarded.

— If a packet flow is to be rate-limited (matches a rate-limit filter) its “connection table” entry is tagged as a “rate-limited stream” and any subsequent packets belonging to the same flow are rate limited according to the rate-limit action set.

Page 28

TSE – Connection Table Timeout

> The TSE global timer determines the amount of time that elapses before “blocked streams” are cleared from the connection table. Any incoming packets for a “blocked stream” are discarded immediately. Once cleared, new packets for that flow are passed to the TSE for filtering.

> This timer should be left at its default value of 1800 seconds (30 minutes).

> The effects of a filter change may be delayed, up to the value of this timer, for any “blocked streams” in the table that match the filter being changed.

Page 29

Blocked Streams Table

Page 30

Flushing Blocked Streams

> A maximum of 50 blocked streams are displayed

> Use the “search” function to locate blocked streams that are not displayed

> Note: The Reason Field is a link to the filter that fired, thus causing this blocked stream

> Note: The “Flush All” button clears all blocked streams, not just the 50 displayed

> Note: If you change a filter from Block to Permit, it is wise to flush the streams relating to that filter if you want the permit action to take place immediately
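The connection-table behaviour from the TSE slides above (the 5-tuple flow key, “blocked stream” tagging, the 1800-second global timer, and why a stream should be flushed after a filter is changed from Block to Permit), as an added Python model that is not TippingPoint code; the class names, the sample rsh filter and the addresses are assumptions.

```python
"""Added model of the TSE connection table (not TippingPoint code): the
5-tuple flow key, "blocked stream" tagging that discards later packets
without re-filtering, the global timer (default 1800 s) that clears the
tag, and why flushing is needed after a Block -> Permit filter change.
Names, the sample filter and the addresses are assumptions."""
from typing import Dict, NamedTuple, Optional, Tuple


class FlowKey(NamedTuple):
    proto: str          # ICMP, TCP, UDP, other
    src_ip: str
    src_port: int       # TCP or UDP
    dst_ip: str
    dst_port: int       # TCP or UDP


class ConnectionTable:
    def __init__(self, block_filters, timeout_s: int = 1800):
        self.block_filters = block_filters    # name -> predicate on FlowKey
        self.timeout_s = timeout_s            # TSE global timer, 30 min default
        self.blocked: Dict[FlowKey, Tuple[str, float]] = {}  # flow -> (filter, t)

    def handle(self, key: FlowKey, now: float) -> str:
        """Process one packet of a flow; returns 'drop' or 'permit'."""
        entry = self.blocked.get(key)
        if entry is not None:
            if now - entry[1] < self.timeout_s:
                return "drop"          # blocked stream: discarded immediately
            del self.blocked[key]      # timer expired: flow is filtered again
        for name, matches in self.block_filters.items():
            if matches(key):           # matching a block filter tags the flow
                self.blocked[key] = (name, now)
                return "drop"
        return "permit"

    def flush(self, filter_name: Optional[str] = None) -> int:
        """Flush the blocked streams of one filter, or all ('Flush All')."""
        victims = [k for k, (f, _) in self.blocked.items() if filter_name in (None, f)]
        for k in victims:
            del self.blocked[k]
        return len(victims)


def demo() -> Tuple[str, str, str, int, str]:
    """Constructed: rsh (TCP/514) from the Internet is blocked, the filter
    is then changed to Permit, and the stale blocked stream is flushed."""
    rsh = FlowKey("TCP", "203.0.113.5", 40000, "192.0.2.10", 514)
    table = ConnectionTable({"rsh-from-internet": lambda k: k.dst_port == 514})
    first, second = table.handle(rsh, 0.0), table.handle(rsh, 1.0)
    del table.block_filters["rsh-from-internet"]   # admin sets filter to Permit
    stale = table.handle(rsh, 2.0)     # still dropped: tagged entry remains
    flushed = table.flush("rsh-from-internet")
    return first, second, stale, flushed, table.handle(rsh, 3.0)
```

Without the flush, the last packet would stay dropped until the 1800-second timer expired the entry, which is the delay the slide warns about.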

Page 31

Security Zones

> X505 is fundamentally built on the concept of Security Zones

[Diagram: LAN Security Zone – Policy Enforcement Point – WAN Security Zone]

> Rule 101 – remember this …

— Policy enforcement occurs between Security Zones

— Policy is not enforced within a Security Zone

— Policy Enforcement includes:

> Firewall

> Content Filtering

> IPS

Page 32

Firewall – IPS Interaction

> The firewall will always inspect packets first

> Then the IPS will perform packet inspection

Page 33

X505 IPS Segments

Page 34

Virtual IPS Segment

> By default, there is only one “virtual segment”

— “LAN-WAN”

> You must configure additional virtual segments if you wish to apply IPS functionality to inter-zone traffic

> As soon as you configure a new IPS segment, traffic flowing between the two zones is subject to inspection by the configured filters

Page 35

LAB 6: IPS Configuration

