
TippingPoint X505 Training

IPS General Concepts and Configuration

IPS Objectives

> Upon completion of this module, you should be familiar with the following:
Firewall vs. IDS vs. IPS
IPS Architecture
Digital Vaccines
IPS Filters
Action Sets
Quarantine
Threat Suppression Engine (TSE)
Firewall / IPS Interaction
Virtual IPS Segments

What about Firewalls?

> A firewall blocks traffic to ports (UDP or TCP) that are not offering public services
Firewalls offer little or no protection against attacks carried over allowed services such as SMB, HTTP, SMTP, IM, P2P, spyware and phishing
Firewalls don't protect against internal threats: VPN, wireless, traveling users, consultants, guests

> Many different firewall offerings with different features

Generally speaking, all firewalls inspect and take action on a packet traveling from one network interface to another. Vendor-specific firewall features include:
> Layer 3/4 stateful connection tracking and filtering
> Network address translation
> Virtual private network termination (IPSEC, etc.)
> SSL

What about Intrusion Detection Systems (IDS)?

> By design, an IDS detects malicious traffic
> Listens to traffic promiscuously
> Monitors packets on a network and alerts on possible suspicious activity
Capable of detecting many types of network attacks.
> Lots of false positives by design
> Since it does not have to block traffic, its signatures can be looser, which generates false positives
> This generates more alert traffic and therefore more work for the administrator
> Must chase each IDS alert and perform cleanup after each compromise. See "The Boy Who Cried Wolf"

Does nothing to counter attacks.

TippingPoint Customer Quote: IDS tells you what gun, and caliber bullet you were shot with. But it does nothing to stop the bullet.

And so we have the IPS

> Patch at the network level by taking the IDS idea and adding the ability to block an attack
> Requirements:
Function inline with switch-like speed, reliability, and performance
Low latency, highly available
Be both a network device and a security device
No false positives
Real-time filter updates with zero downtime
Flexible architecture that can provide multiple types of filtering and evolve with the changing attack spectrum
Automatic protection
As little tuning as possible

Note: You cannot just add blocking ability to an IDS. Fundamental architecture changes need to be made. This is a completely new animal.

IPS Architecture
[Architecture diagram: the components shown, split between software and hardware, are Event Generation (Alerts, Filters, Sweeps, Floods, Scans, Exception, Trigger, Verification Rules, Threat Verification, Match, Block), Session State / Connection Table, Packet Header Processing, Packet & Flow Reassembly, Content Matching, Trigger Result and Flow Control.]

The inspection pipeline, in order:
1. Connection Validation
2. Header Pre-processing / Packet Validation
3. Stream Reassembly
4. Stream Content Inspection
5. Trigger Result
6. Threat Verification
7. Traffic Management

Note: Hardware is emulated in the X505.

Filter Updates with TippingPoints Digital Vaccine Service

[Digital Vaccine workflow diagram]
Raw Intelligence Feeds: SANS, CERT, Vendor Advisories, Bugtraq, VulnWatch, PacketStorm, Securiteam
Vulnerability Analysis
Vaccine Creation
Weekly Report
Digital Vaccine Automatically Delivered to Customers
Scalable distribution network using Akamai's 9,700 servers in 56 countries

Digital Vaccine - Automatic Protection

> Digital Vaccine
Our term for new filter updates.
> An inoculation for your network.
Weekly updates (sometimes more often when circumstances arise)
Out-of-box protection via the Recommended Setting for all filters
> For example: dangerous attacks are set to block by default
New updates are automatically downloaded from the TippingPoint Threat Management Center
No network downtime
Filter updates happen in real time

IPS Filters

IPS Protected, but Customizable

The IPS out-of-the-box configuration recognizes and blocks traffic that is known to be malicious at all times, under all conditions, in all network environments. However, customization is required for:
> Security policies (no rsh or rlogin from the Internet)
> Filter exceptions (exceptions for legacy servers)
> Unique application mix (VoIP)
> Traffic control using rate-limiting (P2P)
> Traffic thresholds
> Traffic management
> Advanced DDoS (SYN flood attacks)


TSE and Hierarchical Filtering

Filtering is hierarchical: checks proceed from packet header fields down to full payload inspection.
Check packet header information: IP address, ports, ICMP types, etc.
Transport layer session tracking
Application layer session tracking
Context-sensitive string matches against payload
Fine-grained application layer protocol decoding
Complex regular expression matching
Actions: Notifications, Blocked Streams, Quarantine, Packet Traces

What makes up a TippingPoint Filter?

Meta Information and User Settings are visible to the user via the LSM. Filter Information is masked from the user. User Settings constitute the security policy (or profile) for a given filter.

Meta Information: Name, Number, Description, Category
Filter Information: Source/Destinations, Ports, Trigger, Verification
User Settings (Policy/Profile): Filter or Category Control, Enabled/Disabled, Action, Exceptions, Filter Level AFC Settings

Individual Filter Details Settings

> Each filter has a recommended setting
> A filter can be under one of two types of control:
Category Control: the filter is controlled by its category settings
> Check what category a filter is in, and check the Category Settings
Filter Control (Override): the filter is controlled by its own settings
> A filter can be Enabled/Disabled
> A filter has one action that executes when a packet matches the filter

> Exceptions can be created for a specific filter
Exceptions allow you to skip filter checking for specific source or destination IP addresses or ranges
Define the IP addresses by CIDR block or by listing the IP address explicitly
Useful for legacy server issues
Useful for improving performance with certain applications (NFS, for example)


Segment Specific Filter Settings

> Filters can be configured to apply only to a specific segment > Use the Copy Filter feature to do this


Default Filter Action Sets

> Action sets determine what the IPS does when a packet triggers a filter


IPS Action Sets


Action Sets

> An action set consists of Flow Control and other settings

Flow Control
> Permit
> Block
> Rate Limit

Other Settings
> Optional packet trace (for Permit or Block only)
> Optional contacts (for Permit or Block only):
Management Console: notifies the LSM and the SMS
Syslog: sends notification to optional syslog server(s)
Email: sends notification to optional email address(es)

> Example: Block + Notify
Flow Control = Block
Optional Contacts = Management Console
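Added example (Python, not TippingPoint code) covering two of the slides above: how a filter's exceptions (CIDR block or explicit address, from the Filter Control slide) and its action set combine to decide what happens to a matching packet. The `Filter` and `ActionSet` classes, their field names, the filter number 1234 and the sample addresses are assumptions made for illustration; the "Block + Notify" set mirrors the example just given.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ActionSet:
    name: str                 # free text: inspect the fields, never trust the name
    flow_control: str         # "permit", "block" or "rate_limit"
    contacts: tuple = ()      # e.g. ("management_console", "syslog", "email")
    packet_trace: bool = False


@dataclass
class Filter:
    number: int               # hypothetical filter number
    name: str
    enabled: bool
    action_set: ActionSet
    exceptions: list = field(default_factory=list)   # ip_network objects


def add_exception(flt, text):
    """Accept a CIDR block ("192.0.2.0/24") or a single address ("10.1.2.3")."""
    flt.exceptions.append(ipaddress.ip_network(text, strict=False))


def is_excepted(flt, src, dst):
    """An exception skips the filter when either endpoint falls inside it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net or d in net for net in flt.exceptions)


def describe(action_set):
    """What the set really does, derived from its fields rather than its name."""
    parts = [action_set.flow_control]
    if action_set.flow_control != "rate_limit":    # trace/contacts: Permit or Block only
        if action_set.packet_trace:
            parts.append("packet-trace")
        parts.extend("notify:" + c for c in action_set.contacts)
    return " + ".join(parts)


def decide(flt, src, dst, matched):
    """Return (flow_control, contacts, packet_trace) for one packet.
    `matched` is the trigger/verification result for this filter."""
    if not flt.enabled or not matched or is_excepted(flt, src, dst):
        return ("permit", (), False)        # filter does not apply: traffic passes untouched
    a = flt.action_set
    if a.flow_control == "rate_limit":      # rate-limit sets carry no trace or contacts
        return ("rate_limit", (), False)
    return (a.flow_control, a.contacts, a.packet_trace)


# Constructed sample policy: block rlogin from the Internet, but exempt a
# legacy server range and one host that still need it.
BLOCK_NOTIFY = ActionSet("Block + Notify", "block", ("management_console",))
MISLEADING = ActionSet("Block + Notify (copy)", "permit")   # the name lies: it permits
RLOGIN = Filter(1234, "rlogin from Internet (constructed)", True, BLOCK_NOTIFY)
add_exception(RLOGIN, "192.0.2.0/24")
add_exception(RLOGIN, "10.1.2.3")

if __name__ == "__main__":
    print(decide(RLOGIN, "198.51.100.7", "10.0.0.5", True))    # blocked + console alert
    print(decide(RLOGIN, "198.51.100.7", "192.0.2.9", True))   # excepted destination
    print(describe(MISLEADING))                                 # "permit", whatever the name says
```

`describe()` is the check the best-practice slide asks for: it reports what a user-defined action set does from its flow control and contacts, so a set named "Block + Notify" that was edited to Permit is caught before it is attached to a filter.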

Creating a New Action Set

> Note: The action set name doesn't necessarily reflect what it does


Action Set Contacts

> Management Console - MGMT sends alerts to LSM and SMS

This contact is predefined for all default filters that want to send notifications to the SMS and LSM

> SMS - SNMP sends alerts to the SMS

Selecting this will only send alerts to the SMS

> LSM - Alert sends alerts to the LSM

Selecting this will only send alerts to the LSM

> Remote System Log sends alerts to a remote syslog server or servers.
Only use remote syslog on a secure, trusted network. Remote syslog, in adherence to RFC 3164, sends clear text log messages using the UDP protocol.

> Email sends alerts to an email address

To use e-mail contacts, you must have already supplied the mail server, domain, from, and to information.

Notification Contact

> Note The limit on the number of emails per minute works in conjunction with event aggregation.
The IPS limits the number of e-mail alerts sent in a minute. This feature supplements the currently used aggregation functionality in the IPS. The system by default allows the sending of ten (10) e-mail alerts per minute. On the first email alert, a 1 minute timer starts, counting the number of email alerts to send according to the configured limit. E-mail alerts beyond the limit in a minute are blocked. After one minute, the system resumes sending e-mail alerts. If any e-mail alerts were blocked during that minute, the system logs a message to the system log.
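The e-mail limit described above, as an added example in Python (not TippingPoint code). The class name, the outbox and the constructed burst of alerts are assumptions; the behaviour follows the slide: the timer starts on the first alert, alerts beyond the limit within that minute are dropped rather than queued, and a system log line records how many were dropped once the minute is over.

```python
class EmailAlertLimiter:
    """Per-minute cap on e-mail alerts. The timer is not a wall-clock minute:
    it starts on the first alert, and the window is re-opened by the first
    alert that arrives after it has expired."""

    def __init__(self, limit_per_minute=10, window_seconds=60):
        self.limit = limit_per_minute
        self.window = window_seconds
        self.window_start = None   # None: no timer running
        self.sent = 0
        self.suppressed = 0
        self.outbox = []           # subjects actually e-mailed (constructed stand-in)
        self.system_log = []       # stands in for the IPS system log

    def _close_window(self):
        if self.suppressed:
            self.system_log.append(
                "%d e-mail alert(s) suppressed by the %d-per-minute limit"
                % (self.suppressed, self.limit))
        self.window_start, self.sent, self.suppressed = None, 0, 0

    def submit(self, now, subject):
        """Return True if the alert is e-mailed, False if it is suppressed."""
        if self.window_start is not None and now - self.window_start >= self.window:
            self._close_window()
        if self.window_start is None:
            self.window_start = now          # first alert starts the one-minute timer
        if self.sent < self.limit:
            self.sent += 1
            self.outbox.append(subject)
            return True
        self.suppressed += 1                 # dropped, not queued for later
        return False


def simulate_burst(limiter=None):
    """Constructed scenario: 15 alerts in 15 seconds (a single noisy filter),
    then one more alert after the minute has elapsed.
    Returns (emails_sent, system_log_lines)."""
    lim = limiter or EmailAlertLimiter()
    sent = sum(lim.submit(t, "filter 1234 fired (constructed)") for t in range(15))
    sent += lim.submit(61, "filter 1234 fired again (constructed)")
    return sent, list(lim.system_log)


if __name__ == "__main__":
    print(simulate_burst())   # 11 e-mails; one log line about the 5 that were dropped
```

The point for the operator: the five dropped alerts never reach the mailbox, and the only trace of them is the system log entry written when the minute closes. If you rely on e-mail alone, read that log; otherwise pair e-mail with the Management Console or syslog contacts.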


Action Sets Best Practices

> For user-defined action sets, check the action set before using it, since the name is not necessarily reflective of what the action set is doing.
> Use packet traces and email notifications at a minimum
Packet traces are useful for detailed forensic analysis, but shouldn't be used widely.

> Use and understand aggregation limits for all notifications. 1 minute is the default for all aggregations:
Email
Syslog
Management Console

> There is no purpose in creating an action set with flow control set to Permit and no notifications (a "silent" action set).



Quarantine

> Replaces Blacklisting (from older versions of the TippingPoint IPS)
> Quarantine is now an available action that can be added to any Blocking action set
Web Request Control
> Block
> Redirect
> Show Web Page: show the filter name that caused the quarantine, show the filter description that caused the quarantine, or show user-defined custom text

Block/Permit all other traffic
Quarantine can be limited to a specific group of addresses
Certain addresses can be exempt from Quarantine
Walled Garden support for specific IP addresses

> Source address blocking only




Quarantined Addresses

> IP addresses that have been quarantined (either manually or via a filter action set) are displayed in the Quarantined Addresses section


Threat Suppression Engine


TSE Timers and Tables

> The following variables, timers, and tables are core to the operation of the IPS:
TSE Connection Table
> Table timeout
> Blocked Streams: flushing single, flushing all
> Quarantine Streams
> Rate Limited Streams
TSE Adaptive Filtering Configuration
TSE Adaptive Aggregation


TSE Connection Table

> The TSE is a flow-based network security engine.

Each packet is identified as a member of a flow. A flow can have one or more packets. Each flow is tracked in the connection table on the IPS. A flow is uniquely identified by its packet header information:
> IP protocol (ICMP, TCP, UDP, other)
> Source IP address
> Source port (TCP or UDP)
> Destination IP address
> Destination port (TCP or UDP)

Once classified, each packet is inspected by the appropriate set of protocol and application filters. If a packet flow is to be blocked (matches a block filter), its connection table entry is tagged as a blocked stream and any subsequent packets belonging to the same flow are discarded. If a packet flow is to be rate-limited (matches a rate-limit filter), its connection table entry is tagged as a rate-limited stream and any subsequent packets belonging to the same flow are rate limited according to the rate-limit action set.

TSE Connection Table Timeout

> The TSE global timer determines the amount of time that elapses before blocked streams are cleared from the connection table. Any incoming packets for a blocked stream are discarded immediately. Once cleared, new packets for that flow are passed to the TSE for filtering.
> This timer should be left at its default value of 1800 seconds (30 minutes).
> The effects of a filter change may be delayed, up to the value of this timer, for any blocked streams in the table that match the filter being changed.


Blocked Streams Table


Flushing Blocked Streams

> A maximum of 50 blocked streams are displayed
> Use the search function to locate blocked streams that are not displayed
> Note: The Reason field is a link to the filter that fired, thus causing this blocked stream
> Note: The Flush All button clears all blocked streams, not just the 50 displayed
> Note: If you change a filter from Block to Permit, it is wise to flush the streams relating to that filter if you want the permit action to take place immediately
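Added example (Python, not TippingPoint code) of the connection-table behaviour from the TSE slides: the five-tuple flow key, tagging of blocked and rate-limited streams, the 1800-second timer, and why a Block-to-Permit filter change does not take effect until the stream is flushed or the timer expires. The `ConnectionTable` class, the `run_filters` stand-in for the filter set, the constructed rlogin filter and the sample addresses are assumptions. The key is built exactly as the slide lists it (one direction); whether the engine also matches the reverse direction is not stated on the page.

```python
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "proto src_ip src_port dst_ip dst_port")


def flow_key(pkt):
    """Five-tuple that identifies a flow. ICMP has no ports, so they are 0
    (assumption: the engine's key for port-less protocols is not shown)."""
    return FlowKey(pkt["proto"], pkt["src_ip"], pkt.get("src_port", 0),
                   pkt["dst_ip"], pkt.get("dst_port", 0))


class ConnectionTable:
    def __init__(self, blocked_timeout=1800):
        self.blocked_timeout = blocked_timeout   # TSE global timer, 30 min by default
        self.entries = {}                        # FlowKey -> {"state", "reason", "since"}
        self.inspections = 0                     # how often the filter set actually ran

    def handle(self, pkt, now, run_filters):
        """Return "discard", "forward" or "rate_limit" for one packet.
        `run_filters(pkt)` stands in for the filter set: returns (verdict, filter_name)."""
        key = flow_key(pkt)
        entry = self.entries.get(key)
        if entry is not None:
            if entry["state"] == "rate_limited":
                return "rate_limit"              # later packets follow the rate-limit set
            if now - entry["since"] < self.blocked_timeout:
                return "discard"                 # fast path: no filters consulted
            del self.entries[key]                # timer expired: inspect again
        self.inspections += 1
        verdict, reason = run_filters(pkt)
        if verdict == "block":
            self.entries[key] = {"state": "blocked", "reason": reason, "since": now}
            return "discard"
        if verdict == "rate_limit":
            self.entries[key] = {"state": "rate_limited", "reason": reason, "since": now}
            return "rate_limit"
        return "forward"

    def blocked_streams(self):
        """What the Blocked Streams page lists: flow plus the filter that fired."""
        return [(k, e["reason"]) for k, e in self.entries.items() if e["state"] == "blocked"]

    def flush(self, key):
        """Flush a single blocked stream."""
        self.entries.pop(key, None)

    def flush_all(self):
        """Flush All clears every blocked stream, not only the ones displayed."""
        for k in [k for k, e in self.entries.items() if e["state"] == "blocked"]:
            del self.entries[k]


def demo():
    """Constructed scenario showing why a Block-to-Permit change needs a flush."""
    policy = {"block_rlogin": True}

    def run_filters(pkt):   # one constructed filter: rlogin (tcp/513) from the Internet
        if policy["block_rlogin"] and pkt["proto"] == "tcp" and pkt["dst_port"] == 513:
            return ("block", "rlogin from Internet (constructed)")
        return ("permit", None)

    a = {"proto": "tcp", "src_ip": "198.51.100.7", "src_port": 40000,
         "dst_ip": "10.0.0.5", "dst_port": 513}
    b = dict(a, src_port=40001)                  # second flow, same client and server
    table = ConnectionTable()
    out = [table.handle(a, 0, run_filters), table.handle(b, 0, run_filters)]  # both blocked
    out.append(table.handle(a, 5, run_filters))      # discarded without inspection
    policy["block_rlogin"] = False                   # operator changes the filter to Permit
    out.append(table.handle(a, 10, run_filters))     # still discarded: stream is tagged
    table.flush(flow_key(a))                         # flush the stream for that filter
    out.append(table.handle(a, 12, run_filters))     # now inspected again and forwarded
    out.append(table.handle(b, 1801, run_filters))   # timer expired: re-inspected, forwarded
    return out, table.inspections


if __name__ == "__main__":
    print(demo())   # (['discard', 'discard', 'discard', 'discard', 'forward', 'forward'], 4)
```

Flow `b` shows the other side of the timer: with no flush, its packets keep being discarded for the full 1800 seconds after the filter was changed, which is the "delayed effect" the slide warns about.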


Security Zones

> The X505 is fundamentally built on the concept of Security Zones

[Diagram: two Security Zones with a Policy Enforcement Point between them]

> Rule 101, remember this:
Policy enforcement occurs between Security Zones
Policy is not enforced within a Security Zone
Policy enforcement includes:
> Firewall
> Content Filtering
> IPS

Firewall IPS Interaction

> The firewall will always inspect packets first
> Then the IPS will perform packet inspection


X505 IPS Segments


Virtual IPS Segment

> By default, there is only one virtual segment
> You must configure additional virtual segments if you wish to apply IPS functionality to inter-zone traffic
> As soon as you configure a new IPS segment, traffic flowing between the two zones is subject to inspection by the configured filters
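Added example (Python, not TippingPoint code) tying together the Security Zones, Firewall / IPS Interaction and Virtual IPS Segment slides: intra-zone traffic gets no policy, the firewall inspects inter-zone traffic first, and the IPS filters run only when a virtual segment exists for that zone pair. The zone map, the firewall rule format, the single constructed IPS filter, which zone pair has a segment, and treating a segment as an unordered pair of zones are all assumptions.

```python
import ipaddress

# Constructed zone map: the most specific prefix wins, so WAN is the catch-all.
ZONES = {
    "LAN": [ipaddress.ip_network("10.0.0.0/8")],
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "WAN": [ipaddress.ip_network("0.0.0.0/0")],
}


def zone_of(ip):
    """Map an address to its security zone by longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0]


class PolicyEnforcementPoint:
    def __init__(self, firewall_rules, ips_segments, ips_filters):
        self.firewall_rules = firewall_rules                        # (src_zone, dst_zone, port or None)
        self.ips_segments = {frozenset(p) for p in ips_segments}    # unordered zone pairs (assumption)
        self.ips_filters = ips_filters                              # (name, byte pattern)

    def firewall_allows(self, zs, zd, port):
        return any(s == zs and d == zd and (p is None or p == port)
                   for s, d, p in self.firewall_rules)

    def process(self, src, dst, dst_port, payload=b""):
        """Return (decision, stage) for one packet."""
        zs, zd = zone_of(src), zone_of(dst)
        if zs == zd:
            return ("forward", "intra-zone: no policy enforced")
        # The firewall always inspects first
        if not self.firewall_allows(zs, zd, dst_port):
            return ("drop", "firewall")
        # The IPS inspects only when a virtual segment exists for this zone pair
        if frozenset((zs, zd)) not in self.ips_segments:
            return ("forward", "firewall: no IPS segment for %s<->%s" % (zs, zd))
        for name, pattern in self.ips_filters:
            if pattern in payload:
                return ("drop", "ips: " + name)
        return ("forward", "ips")


# Constructed policy: the Internet may reach the DMZ web server, the LAN may
# go anywhere, and only the WAN<->DMZ pair has an IPS segment configured.
PEP = PolicyEnforcementPoint(
    firewall_rules=[("WAN", "DMZ", 80), ("LAN", "DMZ", None), ("LAN", "WAN", None)],
    ips_segments=[("WAN", "DMZ")],
    ips_filters=[("directory traversal (constructed)", b"../../")],
)

if __name__ == "__main__":
    bad = b"GET /../../etc/passwd HTTP/1.0"
    print(PEP.process("203.0.113.4", "192.0.2.10", 80, bad))   # dropped by the IPS
    print(PEP.process("10.0.0.9", "192.0.2.10", 80, bad))      # forwarded: no LAN<->DMZ segment
```

The last call is the trap the slide describes: the same attack from the LAN passes the firewall and is never seen by the IPS filters, because no virtual segment covers the LAN<->DMZ pair. Adding that segment is what makes the filters apply.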


LAB 6 IPS Configuration