IPS-1 Administration Guide
March 8, 2009
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks. For third-party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents

Preface
  About this Guide  10
  Who Should Use This Guide  11
  Summary of Contents  12
  Related Documentation  13
  More Information  14
  Feedback  15

Chapter 1  IPS-1 Overview
  IPS-1 Key Benefits  18
  IPS-1 System Architecture  19
  IPS-1 Deployment  21
  Working in the IPS-1 Management Dashboard  22
    Logging into the IPS-1 Management Server with the IPS-1 Dashboard  22
    Navigating the IPS-1 Management Dashboard Windows  23
    The IPS-1 Management Dashboard Menus  24
    The IPS-1 Management Dashboard Toolbar  25

Chapter 2  Managing the IPS-1 System
    Deleting Backlogged Sensor Data  53
    Resolving IPS-1 Sensor Communications Issues  53
  Starting and Stopping the IPS-1 Servers  56
  Uninstalling the IPS-1 Servers  57
  Viewing System Status Information  58
    System Status in the IPS-1 Management Dashboard  58
    Viewing Sensor History  61
    Viewing the IPS-1 Status Monitor  62

Chapter 3  Managing Attack Detection and Prevention

Chapter 4  Alert Monitoring and Analysis
  Creating Alert Graphs
    Overview  140
    Creating an Activity Level Graph  140
    Creating Pick Graphs  142
    Creating a Top n Graph  144
    Saving Graphs  146
    Printing a Graph  146
  Customizing Alerts  147
    Overview  147
    Configuring Actions  147
    Applying Actions to Alerts  150
    Changing an Alert's Displayed Priority  151

Chapter 5  Vulnerability Detection and Defense

Chapter 6  Data Analysis with External Tools

Chapter 7  Backup and Migration
Preface
Summary of Contents

This guide contains the following chapters:
Chapter 1, IPS-1 Overview: IPS-1 deployment components and an introduction to the IPS-1 Management Dashboard.
Chapter 2, Managing the IPS-1 System: configuration tasks, user accounts, licensing, database maintenance, and system administration.
Chapter 3, Managing Attack Detection and Prevention: updating attack signatures and managing protections.
Chapter 4, Alert Monitoring and Analysis: the IPS-1 Management Dashboard windows and tools for alert monitoring and analysis.
Chapter 5, Vulnerability Detection and Defense: network vulnerability detection and analysis.
Chapter 6, Data Analysis with External Tools: creating reports with Crystal Reports 11 from Business Objects.
Chapter 7, Backup and Migration: IPS-1 Management Server data backup and migration.
Related Documentation

IPS-1 information can be found in the following documents:
- IPS-1 Release Notes
- Check Point Installation and Upgrade Guide
- IPS-1 Administration Guide (this document)
- Customizing IPS-1 Protections (advanced)
More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com. To view the latest version of this document in the Check Point User Center, go to http://support.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Chapter 1
IPS-1 Overview

IPS-1 Key Benefits
IPS Simplified
- Quick deployment
- Flexible deployment modes
- Minimal-impact design
- Centralized, scalable management
- Customizable desktop GUI with real-time information and management

Dynamic Shielding
- Presents network intelligence including OS and application information, CVE vulnerabilities, and impact and remediation details.
- Determines anomalous behavior, reduces false positives, and recognizes and dynamically shields vulnerable hosts against inevitable attacks.
IPS-1 System Architecture
There are two deployment configurations for IPS-1:
- Combined Deployment: an Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer. For this type of deployment, select IPS-1 Management Server (all components) during the installation.
- Distributed Deployment: the IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers. For this type of deployment, select IPS-1 Management Server (without Alerts Concentrator) during the installation.
The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Installation and Upgrade Guide Version R70.
The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:
Figure 1-1 The IPS-1 System
IPS-1 Deployment
For considerations for placement and topology of IPS-1 Sensors and of management components, and for information on setting up the deployment, see the Check Point Installation and Upgrade Guide. For information on subsequent configuration of the various IPS-1 system components, see in this document: Managing the IPS-1 System on page 27.
Logging into the IPS-1 Management Server with the IPS-1 Dashboard
To log into the IPS-1 Management Server with the IPS-1 Management Dashboard:
1. Verify that the IPS-1 Server (or Alerts Concentrator) processes are running:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run:
/etc/init.d/ips1 start
2. On the client computer, start the IPS-1 Management Dashboard. A login window appears.
3. Type your username and password, and specify the IPS-1 Server's IP address or resolvable hostname. The default port is 8443.
Note - The default username is admin. When upgrading from a previous version of IPS-1, login with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.
4. If you are connecting to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server's connection and authentication information. Note that with a Digest proxy only HTTP is supported, not HTTPS.
The IPS-1 Management Dashboard Menus

Commands for managing window views: Open View, Delete View, Save View, Save View As. Window views include all customization settings, and are saved on the IPS-1 Management Server. For details, see Saving Customized Views on page 124.
Close: Closes the current window.
Exit Application: Closes all IPS-1 Management Dashboard windows.

The Tools menu contains the following commands:
System Status: Displays in a single window the activity and communication status of the Alerts Concentrators and Sensors. For details, see System Status in the IPS-1 Management Dashboard on page 58.
User Preferences: Settings for using reverse DNS lookup to display hostnames in Alert Details, and for viewing packet captures in a third-party application. For details, see Viewing Alert Details on page 127 and Packet Capture and Viewing on page 129.
Change Password: Enables a user to change their own password. For details, see Changing the Password on page 36.
The context-dependent menu contains commands relevant to each specific window (Alert Browser, History Browser, Policy Manager, etc.) and changes its name according to the window that is open.

The Windows menu lists the open IPS-1 windows. This menu does not appear in the Alert Browser that opens after the initial login.

The Management menu contains the following commands:
Correlators: Opens the Correlators window. Correlators generate alerts based on other alerts, from multiple connections and across all IPS-1 Sensors. For details, see System-Wide Attack Correlation on page 89.
Users: Manage user accounts. For details, see User Accounts on page 35.
Policy: Opens Policy Manager.
Space Management: Opens the Space Management window, for maintaining database size. For details, see Maintaining Database Size on page 41.

The About menu contains the About command, which displays IPS-1 Management Dashboard information.

The IPS-1 Management Dashboard Toolbar

The toolbar buttons open the following windows:
Alert Browser: Opens an Alert Browser window. See The Alert Browser and History Browser on page 109.
Graphs: Allows you to view alert activity in graph form. See Creating Alert Graphs on page 140.
Timeline: Plots alert activity on timelines. See The Timeline Window on page 134.
Vulnerability Browser: Opens the Vulnerability Browser. See Vulnerability Detection and Defense on page 153.
Policy Manager: Opens Policy Manager.
System Status: Displays the status of all IPS-1 Alerts Concentrators and IPS-1 Sensors. See System Status in the IPS-1 Management Dashboard on page 58.
Chapter 2
Managing the IPS-1 System

Overview
This chapter describes configuration of an already installed and initially configured IPS-1 system. For information on installing and initially configuring the IPS-1 system, see the Check Point Installation and Upgrade Guide.
System Messages

IPS-1 System Messages report required and recommended management tasks. To view the System Messages:
1. Open the Policy Manager.
2. Select the System Settings tab.
3. In the left-hand navigation tree, select System Messages.
Installing Policies

Many of the management tasks in this chapter, and the protection management tasks in the next chapter, are performed in Policy Manager. In general, changes made in Policy Manager are not saved to the IPS-1 Management Server or transmitted to other IPS-1 system components until you Install Policy.

To install a policy:
1. In Policy Manager, from the File menu, select Install Policy, or click the Install Policy toolbar button.
2. Select the Alerts Concentrator(s).
3. In most cases, select Install Policy on Sensors (at the bottom of the window) and select all Sensors (in the upper part of the window). The Install Policy on Sensors checkbox is selected automatically when changes have been made that require the Sensors to be updated.
Note - If you leave any Alerts Concentrators or Sensors not selected, they will be excluded from subsequent automatic attack signature updates.
Configure the Alerts Concentrator settings as follows:
1. In the Host field, type the Alerts Concentrator's IP address or resolvable hostname.
Note - Entering the Alerts Concentrator's IP address is preferred, to better protect against DNS spoofing.
2. Type and confirm the activation key that you specified during the Alerts Concentrator installation. To reset the activation key on the Alerts Concentrator:
   a. Log in to the Alerts Concentrator.
   b. Switch to the ips1 user with the su - ips1 command. On SecurePlatform, this must be done from expert mode.
   c. Run the set_activation_key command to set the activation key.
3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy's connection and authentication information.
4. Make sure Receive Alerts is On.
5. If this Alerts Concentrator, or the IPS-1 Server's communication with it, might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server then first attempts to retrieve the Help Text from another Alerts Concentrator.
6. Click OK. The Alerts Concentrator is added.
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor's IP address or resolvable hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor's Management Menu. To reset the activation key on an IPS-1 Sensor, run the cpconfig command. To reset the activation key on an IPS-1 Power Sensor, log in as the nfr user.
5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values, and use the arrow buttons in the middle of the window to add, remove or reorder the addresses in the list of Selected Host Types. If your network does not appear in the Recently Used Values list, type the network address and netmask into the field at the bottom of the window and press Enter. When all of your network addresses are listed under Selected Host Types, click Next.
7. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values, and use the arrow buttons to add or remove addresses from the list of Selected Host Types. If your broadcast address does not appear in the Recently Used Values list, type it into the field at the bottom of the window and press Enter. When all of your broadcast addresses are listed under Selected Host Types, click Next.
8. Click New to assign descriptive names to your interfaces. The Edit Interface Description window appears. Enter the raw interface name as it is listed on the Sensor, and the descriptive name that you want to assign to that interface. Click OK.
9. When you have finished naming the interfaces, click Finish to add the new Sensor to the Alerts Concentrator.
10. To apply the changes, click Install Policy.
User Accounts

In This Section
User Accounts Overview  35
Managing User Accounts  35
Changing the Password  36
Unlocking a User Account  36
One Administrator account is defined during IPS-1 Management Server installation. Additional users of both kinds (Administrators and Normal Users) can be added from the IPS-1 Management Dashboard. User accounts can be created and managed by Administrators, or by Normal Users who have been given the Edit User permission. The Edit User permission can be limited to managing specific users. A user can never grant permissions greater than their own.
Note - Sensors for which a Normal user does not have permissions will not appear in Policy Manager, the Alert Browser, Timeline windows, System Status, etc. However, the graphs window (which displays raw counts of alerts) may still include counts of alerts from these IPS-1 Sensors. Also, these permissions are enforced only at the application level: they do not restrict any third-party tool that accesses the database directly, such as Crystal Reports.
2. Click New, or select an existing user and click Edit.
3. Type or verify the User Information, including:
   - The number of Connect Retries allowed before a user submitting invalid authentication information is locked out.
   - The user Role: Administrator or Normal (see above).
4. For a Normal user account, configure the User Permissions. Hover over the rows to see their descriptions below.
5. Click OK. The user account is configured. The user can now change their password, as explained in the following section.
Unlocking a User Account

An Administrator can unlock a locked user account as follows:
1. From the Alert Browser's or Policy Manager's Management menu, select Users. The Manage Users window appears.
2. Select the locked-out user account, and click Unlock Account.

If the sole Administrator's account is locked out, the account must be unlocked directly from the IPS-1 Management Server's command line, as follows:
1. Run:
Licensing

In This Section
Overview  38
Viewing License Summary  38
Adding a License  39

Overview

The IPS-1 system requires three types of licenses, all of which can be obtained from Check Point's User Center:
- An IPS-1 Management Server license, to manage a specified maximum number of IPS-1 Sensors. This license automatically licenses an Alerts Concentrator in a Combined installation. Separate Alerts Concentrators are not included.
- An Alerts Concentrator license for each Alerts Concentrator not combined with the IPS-1 Management Server.
- IPS-1 Sensor licenses, one for each IPS-1 Sensor of a specified Sensor type. Sensor types are defined for licensing purposes according to the hardware model numbers of Check Point preinstalled appliances. Note that adding Sensors to a system, besides requiring additional Sensor licenses, may affect the required type of IPS-1 Management Server license.
All three kinds of licenses are stored on the IPS-1 Management Server and must be generated specifically for the IPS-1 Management Server's IP address. The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Management Dashboard functions only in Demo mode.
Adding a License
To access the License Manager, from Policy Managers Policy Manager menu, select Licenses. The License Manager appears:
To add a license:
1. Copy your license string, obtained from Check Point's User Center, to the clipboard. A license string has the following form:
cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
3. Populate the fields by clicking Paste License. Click OK. The added license appears in the license list.
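Before pasting a string into the License Manager it is worth checking the two things the section above says will make it useless: a host address other than the IPS-1 Management Server's own IP, and an expiry date already passed. The following is an added example, not code from the guide or from Check Point; it reads the fields in the order of the template above (cplic putlic, host, expiry, signature, then SKU/feature tokens). The sample license is constructed, the "never" expiry spelling and the loose signature shape are assumptions.

```python
"""Pre-flight checks on an IPS-1 license string before it is pasted into the
License Manager. Added example, not part of the guide or of Check Point's
tooling. Field order follows the template shown above:
cplic putlic <host> <expiry> <signature> <SKU/feature tokens...>."""
import ipaddress
import re
from datetime import date, datetime

# The template shows four hyphen-separated groups of nine characters. Real
# signatures may differ in group length, so only the hyphen-separated
# alphanumeric shape is enforced (assumption).
_SIG_RE = re.compile(r"^[0-9A-Za-z]+(?:-[0-9A-Za-z]+){3}$")


def parse_license(line):
    """Split a 'cplic putlic ...' line into its fields.

    Returns a dict with host (dotted IPv4 string), expiry (a date, or None
    when the expiry token is 'never'), signature, and sku (the remaining
    tokens). Raises ValueError when the line does not have that shape.
    """
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"] or len(tokens) < 6:
        raise ValueError("expected: cplic putlic <host> <expiry> <signature> <sku...>")
    host, expiry, signature = tokens[2], tokens[3], tokens[4]
    # ipaddress rejects placeholders such as x.x.x.x with a ValueError subclass.
    host = str(ipaddress.IPv4Address(host))
    if expiry.lower() == "never":
        expires = None  # perpetual license; the 'never' spelling is an assumption
    else:
        expires = datetime.strptime(expiry, "%d%b%Y").date()  # e.g. 1Jan2001
    return {"host": host, "expiry": expires, "signature": signature, "sku": tokens[5:]}


def check_license(line, server_ip, today=None):
    """Return a list of problems; an empty list means the string looks usable.

    server_ip is the IPS-1 Management Server's own address: the guide says
    every license must be generated for that address. today may be a date or
    an ISO yyyy-mm-dd string (defaults to the current date).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    try:
        lic = parse_license(line)
    except ValueError as exc:
        return ["unparseable license string: %s" % exc]
    problems = []
    if lic["host"] != str(ipaddress.IPv4Address(server_ip)):
        problems.append("license is bound to %s, not to this server (%s)"
                        % (lic["host"], server_ip))
    if lic["expiry"] is not None and lic["expiry"] < today:
        problems.append("license expired on %s" % lic["expiry"].isoformat())
    if not _SIG_RE.match(lic["signature"]):
        problems.append("signature does not have the hyphen-separated group shape")
    return problems


# Constructed sample in the template's shape (not a real license).
SAMPLE_LICENSE = ("cplic putlic 10.1.1.5 1Jan2010 "
                  "a1b2c3d4e-f5g6h7i8j-k9l0m1n2o-p3q4r5s6t CPMP-IPS-5-NGX ab-cdefghijklm")

if __name__ == "__main__":
    for problem in check_license(SAMPLE_LICENSE, "10.1.1.6", "2009-03-08") or ["OK"]:
        print(problem)
```

Run it with the address the IPS-1 Management Server actually listens on; a host mismatch reported here is exactly the case the License Manager will reject, and catching it before the paste saves a round trip to the User Center.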
Maintaining Database Size

In This Section
Space Management Overview  41
Configuring Space Management  42
Reclaiming Database Space  43
Note - As Space Management deletes data, it will attempt to retain all packet capture data. Thus, it will delete packet capture data in proportion to the number of alert records in the database.
3. Set the following values for the IPS-1 Management Server and for each Alerts Concentrator:
   - Maximum Space: the maximum amount of space available to the database. The Maximum Space should be smaller than the free space available in the partition or slice where the database resides.
   - Action Limit: the percentage of Maximum Space in use at which Space Management begins removing alert data.
   - Clearance Limit: the percentage of Maximum Space at which Space Management stops removing alerts. The Clearance Limit must be smaller than the Action Limit.
   - Check period (Alerts Concentrator only): the interval between Space Management checks of the used space. For a heavily loaded, large network, use a smaller value, but no less than 1 minute.
4. In the IPS-1 Management Server tab, select Enable Automatic Space Management, unless you don't want Space Management to operate automatically on the IPS-1 Management Server. In that case, you can manually initiate a Space Management run by clicking Remove Old Alerts Now.
5. Click Save.
Reclaiming Database Space

You can use the space recovery script to recover available database space on an IPS-1 Alerts Concentrator and return it to the operating system for other uses. Optionally, this script can also perform extensive checks and fixes and optimize indexes. To run it periodically during specified windows, execute the script as a cron job.

Warning - Run this script only if there is a large amount of free space that must be recovered. When this script is run on an IPS-1 Alerts Concentrator, it may take several hours to complete. The script shuts down the IPS-1 Alerts Concentrator (and, in a Combined installation, the IPS-1 Management Server) while it runs, which means that the IPS-1 system is inoperative during this period (except in a non-Combined installation with Alerts Concentrator High Availability). IPS-1 Sensors continue to function and buffer alerts until the server is back online, but alerts are not visible on the IPS-1 Management Dashboard until the Alerts Concentrator is back online.

Note - There must be enough free space for the script to make a copy of the largest database table; it skips any tables that are too big to copy.

To run the Space Recovery script:
1. Log in to the Alerts Concentrator host as the ips1 user (run: su - ips1).
2. From $IPS1DIR/alcr, run the script with the options you need:
   -h   Provides detailed help text.
   -e   Performs a check for database errors and attempts to recover the data.

Note - The -e option lengthens the time the script takes to run.

Note - Alerts and events are not written to the database while these scripts are executing. Except with Alerts Concentrator High Availability, alerts are queued on the Sensors until the Alerts Concentrator is back online.
The Sensors in group A send alert data to Alerts Concentrator A, and only in case of Alert Concentrator As failure, to Alerts Concentrator B. The Sensors in group B send alert data to Alerts Concentrator B, and only in case of Alert Concentrator Bs failure, to Alerts Concentrator A.
To configure Alerts Concentrator High Availability, perform the following for each IPS-1 Sensor:
1. The Sensor itself must be configured for Alerts Concentrator High Availability. If this was not done during Sensor installation, configure it as follows:
   a. On an IPS-1 Sensor, run cpconfig. On an IPS-1 Power Sensor, log in as the nfr user. The Management Menu appears.
   b. Select Network Settings.
   c. Select Configure IPS-1 Mgmt Server / Alerts Concentrator.
   d. Type the IP addresses of the active Alerts Concentrator and of the second Alerts Concentrator. The second Alerts Concentrator functions as a backup until failure of the first Alerts Concentrator.
   e. Type and confirm the activation key configured on the Alerts Concentrators.
   f. Select Save.
   g. Select Return to main menu.
2. Log into the IPS-1 Management Server with the IPS-1 Management Dashboard, and add the Sensor to the second Alerts Concentrator, as follows:
   a. In Policy Manager's Sensors and Concentrators tab, select and right-click the second Alerts Concentrator. Select Add Existing Sensor.
   b. Select the appropriate Sensor, click OK, and click OK again.
For third-party hardware connection parameters, see the third-party documentation. The Sensor can also be reached over an SSH connection to its management interface (if sshd is configured).

Interface pairs enter hardware bypass mode when:
- The Sensor has not completed booting and initializing
- The Sensor loses power, or suffers another hardware failure (dependent on the hardware bypass NIC)
- The Sensor has crashed (dependent on the hardware bypass NIC)

When an interface pair is in bypass mode as a result of a failure, the bypass interfaces in most Sensor models act as a crossover connection between the two systems on either side of the Sensor, so traffic passes between them without inspection. The four front-left copper interfaces on the new 200C/F and new 500C/F act as a straight-through connection when in bypass mode. All other hardware bypass pairs act as crossover connections when they are in bypass mode.
Note - Interfaces associated with hardware bypass NICs cannot be changed. The information is displayed read-only.
The following settings are configured on the Sensor itself and must then be matched in the IPS-1 Management Dashboard:
- IP address of the Alerts Concentrator(s)
- Activation Key, with which the Alerts Concentrator is authenticated to the Sensor

To change these settings:
1. On the Sensor, run:
cpconfig
2. Select Network Settings.
3. Select the relevant options.
4. When you have finished setting the options on the Sensor, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy. The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).

Other values, such as networking information, date and time, and host name, are configured with SecurePlatform's System Configuration Tool, as follows:
1. On the Sensor, run:
sysconfig
2. Select the relevant options.
3. When you have finished setting the options on the Sensor, if the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
4. Make the change and click OK.
5. Install Policy. The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).
3. When you have finished setting the options on the Sensor, you may be prompted to restart the Sensor for the changes to take effect.
4. If the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.
5. Make the change and click OK.
6. Install Policy.
Deleting Backlogged Sensor Data

1. On the Sensor, run:
cpconfig
Or, on an IPS-1 Power Sensor, log in as nfr. The Management Menu appears.
2. Select Purge all data, and press y to confirm.
Resolving IPS-1 Sensor Communications Issues

Introduction

If your IPS-1 Sensor and IPS-1 Alerts Concentrator are communicating through a switch, you may need to configure the link speed and duplex settings of the switch port and the IPS-1 Sensor interface manually. A duplex mismatch will not necessarily prevent all communication, but it causes severe performance and communication issues. This section explains how to deal with broken auto-negotiation implementations between interface cards; there is rarely a need to disable auto-negotiation. The results of a duplex setting mismatch depend on the interface speed. The following table shows the results of connecting two systems (such as the Sensor and the switch) using various duplex settings and a 10/100 Mbps network interface.
Table 2-2 Duplex settings and link status, 10/100 Mbps interface. Only fragments of the table survived extraction: the Link Status cells read full-duplex and half-duplex, and two rows note that System A will fall back to half-duplex since System B is not doing auto-negotiation, and the systems will fail to communicate properly.

The following table shows the link status of two systems (such as the Sensor and the switch) connected using various duplex settings and a Gigabit network interface.

Table 2-3 Duplex settings and link status, Gigabit interface. Only the Results column survived extraction: up, up, down.
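The behaviour behind the two tables is mechanical enough to encode, which is useful when you cannot see the switch port and the Sensor at the same time. The following added example (not from the guide or from Check Point) reads the Sensor side out of `ethtool <iface>` output, as typed in expert mode on SecurePlatform, and predicts the link outcome against a switch port whose configuration you type in from the switch. It generalizes the tables slightly: forced-versus-forced with differing speeds, and the gigabit rule that 1000BASE-T will not link without auto-negotiation on both ends. The ethtool sample is constructed; the exact wording of the verdicts is this example's own.

```python
"""Predict what a Sensor/switch speed and duplex combination will do, and
read the Sensor side from ethtool output. Added example, not part of the
guide; the switch side is taken from the switch configuration, since it
cannot be read from the Sensor. The sample ethtool output is constructed."""
import re

AUTO = "auto"  # port left to auto-negotiate; a forced port is (speed_mbps, "full"|"half")

SAMPLE_ETHTOOL = """\
Settings for eth1:
\tSupported ports: [ TP ]
\tSpeed: 100Mb/s
\tDuplex: Full
\tPort: Twisted Pair
\tAuto-negotiation: off
\tLink detected: yes
"""


def parse_ethtool(text):
    """Reduce `ethtool <iface>` output to AUTO or a forced (speed, duplex) pair.

    Only the Speed, Duplex and Auto-negotiation lines are read; the rest of
    the output is ignored.
    """
    speed = re.search(r"Speed:\s*(\d+)Mb/s", text)
    duplex = re.search(r"Duplex:\s*(Full|Half)", text)
    auto = re.search(r"Auto-negotiation:\s*(on|off)", text)
    if not (speed and duplex and auto):
        raise ValueError("Speed, Duplex or Auto-negotiation line missing")
    if auto.group(1) == "on":
        return AUTO
    return int(speed.group(1)), duplex.group(1).lower()


def predict_link(a, b):
    """Outcome of cabling two ports configured as AUTO or (speed, duplex).

    Encodes the behaviour behind the guide's tables:
    - both ports auto-negotiating: speed and duplex are agreed, link is up
    - 10/100, one side forced: the auto side parallel-detects the speed but
      has to assume half-duplex, so a forced full-duplex peer is a mismatch
    - gigabit: 1000BASE-T needs auto-negotiation on both ends or no link
    - both sides forced: fine only when speed and duplex both agree
    """
    if a == AUTO and b == AUTO:
        return "up: auto-negotiated on both sides"
    if a == AUTO or b == AUTO:
        speed, duplex = b if a == AUTO else a
        if speed >= 1000:
            return "down: 1000BASE-T requires auto-negotiation on both ends"
        if duplex == "half":
            return "up: %d Mb/s half-duplex" % speed
        return ("duplex mismatch: the auto-negotiating side falls back to half-duplex "
                "against a forced full-duplex port; expect late collisions, CRC errors and loss")
    (speed_a, duplex_a), (speed_b, duplex_b) = a, b
    if speed_a != speed_b:
        return "down: forced speeds differ (%d vs %d Mb/s)" % (speed_a, speed_b)
    if duplex_a != duplex_b:
        return "duplex mismatch: both ports forced, one full-duplex and one half-duplex"
    return "up: %d Mb/s %s-duplex, forced on both sides" % (speed_a, duplex_a)


if __name__ == "__main__":
    sensor = parse_ethtool(SAMPLE_ETHTOOL)  # (100, 'full'): forced, not negotiating
    print("Sensor forced, switch auto:", predict_link(sensor, AUTO))
    print("Both forced 100/full:", predict_link(sensor, (100, "full")))
```

The sample reproduces the case the section warns about: a Sensor interface forced to 100/full facing a switch port left on auto comes up, but at mismatched duplex, which is why the symptoms are degraded throughput and errors rather than a dead link. Whichever side you change, change both to the same mode, and prefer leaving both on auto-negotiation.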
Uninstalling the IPS-1 Servers

To uninstall the IPS-1 Servers:
1. Stop the IPS-1 servers. Switch to the ips1 user and stop the processes:
su - ips1
ips1 -n stop
2. From outside the IPS-1 directories (/opt/CPips1-R65 and /var/opt/CPips1-R65), perform one of the following:
On SecurePlatform, run:
rpm -e CPips1-R65
On Solaris, run:
pkgrm CPips1-R65
All IPS-1 files and data are removed.
Viewing System Status Information

System Status in the IPS-1 Management Dashboard

Select All, or select an item in the list on the left, to view its status. For explanations of the status fields, see the following sections. You can copy information from Status windows to the clipboard using the context (right-click) menu commands.
Alerts Concentrator: The name of the server.
Connection Status: The status of the server's connection. Green means the connection is active; red means it is inactive.
Sensor Name: The name of the IPS-1 Sensor.
Status (of IPS-1 Sensor): The status of the IPS-1 Sensor.
Last Status Time: The timestamp of the last message received from the server.
Viewing Sensor History

3. Select the desired Start and End Time, and click OK. The Sensor's history appears.
Viewing the IPS-1 Status Monitor

On the Sensor, run:
ipsstats
The following information is displayed:
- System start time: Date and time the IPS-1 Sensor was last restarted
- CPU: Average percentage of Sensor CPU capacity used in the last hour
- Real Memory: Total installed memory and memory available
- Virtual Memory: Total RAM + virtual (swap) memory
- Disk Space: Total installed disk space and disk space available
- Packet Reception:
  Total: Number of packets since system start time
  Current: Number of packets per second during the past two-second interval
  Average: Average number of packets seen per second in the last hour
  Peak: Highest number of packets seen per second in the last hour
- Protocols:
  Installed: Number of installed protocols
  Loaded: Number of successfully loaded protocols
  Failed: Number of protocols that failed to load
Note - The IPS-1 Sensor generates an alert if part of a protection package fails to load. This usually means that the package has a syntax error or a required variable is undefined.
- Protection Groups:
  Installed: Number of installed protection groups
  Loaded: Number of successfully loaded protection groups
  Failed: Number of protection groups that failed to load
From the Status Monitor, press any key to display the Management Menu, or press ctrl-c to return to the command line.
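The Failed counters above are the ones worth watching: a protection package that is installed but failed to load enforces nothing, and the Sensor's own alert about it can be missed in a busy Alert Browser. The following added example (not from the guide or from Check Point) parses Status Monitor output into the sections listed above and turns it into operator findings: non-zero Failed counts, sustained CPU load and low free disk. The sample output is constructed from the field names the guide lists; the exact layout ipsstats prints, and the thresholds, are assumptions to adjust to the real output.

```python
"""Parse the IPS-1 Status Monitor (ipsstats) fields listed above and turn
them into health findings. Added example, not part of the guide or of
Check Point's tooling. The sample output below is constructed from the
field names the guide lists; the exact layout ipsstats prints, and the
alert thresholds, are assumptions."""
import re

_INT_RE = re.compile(r"\d+")

SAMPLE_IPSSTATS = """\
System start time: Mon Mar 2 09:14:03 2009
CPU: 37%
Real Memory: 2048 MB total, 612 MB available
Virtual Memory: 4096 MB
Disk Space: 72 GB total, 3 GB available
Packet Reception
  Total: 918273645
  Current: 41200
  Average: 38750
  Peak: 91000
Protocols
  Installed: 120
  Loaded: 118
  Failed: 2
Protection Groups
  Installed: 85
  Loaded: 85
  Failed: 0
"""


def parse_ipsstats(text):
    """Return {section: {field: raw value}}; top-level fields live under ''.

    A non-indented line without a colon starts a section; indented
    'Field: value' lines belong to the current section. Values keep all text
    after the first colon, so timestamps survive intact.
    """
    stats = {"": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indented = raw[:1].isspace()
        if not indented and ":" not in line:
            section = line
            stats.setdefault(section, {})
            continue
        if not indented:
            section = ""
        field, _, value = line.partition(":")
        stats.setdefault(section, {})[field.strip()] = value.strip()
    return stats


def _ints(value):
    """All integers in a value string: '72 GB total, 3 GB available' -> [72, 3]."""
    return [int(n) for n in _INT_RE.findall(value)]


def health_findings(stats, cpu_limit=80, min_disk_pct=10):
    """Findings a Sensor operator should act on (thresholds are assumptions).

    A non-zero Failed count means protections in that package are not
    enforced even though the package is installed (the guide: usually a
    syntax error or an undefined variable in the package).
    """
    findings = []
    for section in ("Protocols", "Protection Groups"):
        failed = _ints(stats.get(section, {}).get("Failed", ""))
        if failed and failed[0] > 0:
            findings.append("%d %s failed to load; their protections are not enforced"
                            % (failed[0], section.lower()))
    cpu = _ints(stats[""].get("CPU", ""))
    if cpu and cpu[0] > cpu_limit:
        findings.append("CPU averaged %d%% over the last hour" % cpu[0])
    disk = _ints(stats[""].get("Disk Space", ""))
    if len(disk) == 2 and disk[0] > 0 and disk[1] * 100 < disk[0] * min_disk_pct:
        findings.append("disk space: %d of %d available (below %d%%)"
                        % (disk[1], disk[0], min_disk_pct))
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_ipsstats(SAMPLE_IPSSTATS)) or ["no findings"]:
        print(finding)
```

Captured ipsstats output can be fed to parse_ipsstats from a file or a pipe; running the check on each Sensor after every Install Policy and after every signature update is the point at which a newly broken package shows up as a Failed count.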
Chapter 3
Managing Attack Detection and Prevention

Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect different exploits. The administrator does this by enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in active, inline (non-passive, non-bridge) mode block traffic identified as an attack; alternatively, individual protections can be set to Monitor-Only, to generate alerts without blocking traffic. You can configure other aspects of the protections as well. Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, sent from there to the Alerts Concentrator, and then mirrored out to the individual IPS-1 Sensors.
In This Section
Configuring Automatic Attack Signature Updates  67
Manually Updating Attack Signatures  70

Configuring Automatic Attack Signature Updates
2. Verify the Package Server and connection information, which should be:
   Server Address: ips-packages.checkpoint.com
   Server Port: 2013
3. If the IPS-1 Management Server is behind a proxy server, select Use Proxy and type your proxy server connection and authentication information. Click Next.
4. Select a frequency for automatic updates. Selecting an option other than Disabled causes time and date fields (for the first update) to appear.
5. Schedule the first update as needed. To choose a date from a calendar, click the calendar button. For the first update to occur immediately, click Now.
6. Click Finish and close the Policy Manager. The first update occurs when specified and continues from then on at the specified frequency. After each automatic update, the IPS-1 Management Server transmits the attack signatures to the Alerts Concentrators and IPS-1 Sensors that were selected when the last manual Install Policy was performed.
70
A two-page wizard will start, beginning with the Download Package page:
1. Select an attack signature package source. In most cases, this should be Check Point's Package Server. Other options are:
Local File: files that have been downloaded from Check Point's User Center to a local drive on the Management Dashboard user's computer or network. This is useful if the IPS-1 Management Server cannot access the internet, or for users who have edited the files' N-Code. If you select to update from a file, browse to the file, click Next, and proceed to step 4.
Management Server/Alerts Concentrator: uploads an Alerts Concentrator's current attack signatures to the IPS-1 Management Server. This is useful when one Alerts Concentrator is more up-to-date than another, or on first setup of a newly installed IPS-1 Management Server, as a temporary measure (a newly installed Alerts Concentrator comes with a default set of attack signatures). If you select to upload from an Alerts Concentrator, select the desired Alerts Concentrator, click Next, and proceed to step 4. Remember to update the attack signatures as soon as possible afterwards.
Skip Download: This option is not available if no attack signature package yet exists on the IPS-1 Management Server.
3. If the IPS-1 Management Server is behind a proxy server, you may need to select Use Proxy and type your proxy server connection and authentication information. Click Next.
Once the packages are available, the Install Packages page appears:
4. Select protocols and protection groups for which to update attack signatures. Information and file contents for selected protocols and protection groups is displayed on the right.
When in doubt, it is better to install and then disable a package in Policy Manager, than to not install it. Some protocols and protection groups depend on others being present to be able to work. When you complete this wizard, attack signatures will be updated only on the IPS-1 Management Server. You will still need to install policy on the Alerts Concentrator(s) and IPS-1 Sensors.
Managing Protections
In This Section
Overview (page 74)
Managing Protection Profiles (page 75)
Configuring Protections (page 77)
Viewing and Copying Comprehensive Protection Settings (page 85)
Exempting Hosts from Inspection or Prevention (page 87)
Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in inline active (non-passive, non-bridge) mode will block traffic identified as an attack. Alternatively, the protection can be set to Monitor-Only so that it generates alerts without blocking traffic.

Some protections define an attack according to specific thresholds with default values. You can fine-tune these protections according to your needs by changing these values.

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection Profile, which is then installed on IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same Profile. Similar Profiles can be easily managed by cloning or copying settings.

Detection and prevention are also affected by system settings that apply to protections in general, for each IPS-1 Sensor, or protection Profile. Most of these have reasonable default values and are visible only when Advanced Settings are enabled (from Policy Manager's Policy Manager menu).

The Protection Overview feature enables viewing system-wide protection settings and is a valuable tool for implementing protection throughout a complex deployment. For details, see Viewing and Copying Comprehensive Protection Settings on page 85.
Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, from there sent to the Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.
In This Section
Creating a New Profile (page 75)
Managing Similar Profiles (page 75)
Associating an IPS-1 Sensor with a Profile (page 76)
Cloning a Profile
To create a new profile with settings identical to those of an existing profile, clone the existing profile, as follows:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select a profile to be cloned.
3. Click New and select Clone Selected Profile.
3. Select the target profile and then right-click it. Select Paste Settings from... .
Configuring Protections
In This Section
Overview (page 77)
Viewing Protection Information (page 78)
Protection Settings (page 79)
Overview
Protections are organized into a three-tier hierarchy:
Protocol: In most cases, a Protocol includes all the protections that are based on analysis of traffic of a particular protocol. A few Protocols, such as Authentication and Badfiles, perform specific types of analysis over most traffic protocols.
Protection Group: A sub-group of a Protocol, including a number of related protections. Some settings, such as numerical thresholds, are defined at the protection group level for all the protections in the group.
Protection: Detects, prevents, and alerts for a specific attack.
To view a categorized protection list, expand the Application Intelligence, Network Security, or Web Intelligence heading in the navigation pane of Policy Manager's Protection tab:
In the above figure, AOL Instant Messenger and Authentication are protocols; Authentication BE is a protection group; and alphanumpasswd_alert and alphapasswd_alert are protections. If an item you expect to see is missing, either it may not be installed or it may only be visible in advanced mode. To install it, update the attack signature package. See Updating Attack Signatures on page 67 for details.
Selecting any list item displays its settings page in the right-hand pane, with description text below. For example:
To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on IPS-1 Sensors associated with that profile. For information on managing profiles, see Managing Protection Profiles on page 75.
Description text includes some or all of the following headings:
Overview
Corroboration and Leads
Why this is Important
Technical Information (including explanations for unique settings)
False Positives
References
You can also view file contents for protocols and for protection groups. In the protocol or protection groups page, click Show Files.
Protection Settings
In This Section
Protection Settings Overview (page 79)
Protection Modes (page 81)
Protection-Level Settings (page 82)
One-Click Configuration of All Protocols and Protections (page 83)
Other settings are unique to the specific protocol, protection group, or protection and appear only on its page. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.

Note that some protections' behavior is affected by general settings. These include local network addresses, defined in IPS-1 Sensor properties (in Policy Manager's Sensors and Concentrators tab), and various per-Profile settings found in Policy Manager's System Settings tab.

Protocol settings affect all protection groups and protections under it. Protection group settings affect all protections under it.

Settings are per protection profile. You can configure settings differently for different profiles. Settings do not take effect until you Install Policy on the IPS-1 Sensors.

To display settings for a specific protocol, protection group, or protection, for a specific protection profile:
1. In Policy Manager's Protection tab, under Application Intelligence, Network Security, or Web Intelligence, select a protocol, protection group, or protection. The selected settings page appears in the upper-right pane:
2. In the Profile list, select a Profile. The settings for the selected Profile are now displayed.
Protection Modes
Protection Modes determine whether protections will be applied to the traffic which is seen by the IPS-1 Sensors. Protection Modes can be set for protocol, protection group, and protection for each protection profile. Protection Modes are most commonly changed on the protections.
Protection Modes include:
Active: the protection will be applied to traffic seen by the IPS-1 Sensor.
Active upon Confidence: the protection will be applied to traffic seen by the IPS-1 Sensor only if the traffic meets the Confidence Level set for the protection. This setting is not available on protocols or protection groups.
Inactive: the protection will not be applied to traffic seen by the IPS-1 Sensor.

Changing the Protection Mode of a protocol, protection group, or protection may force the Protection Mode of its associated parent or children to change in order to avoid conflicting settings. For example, setting a protection to Active or Active upon Confidence automatically forces its parent protocol and protection group to Active as well. Similarly, setting a protocol or protection group to Inactive automatically forces its children to Inactive as well.

When activating a protocol or protection group, the Protection Mode of its child protections will revert to the setting that it was given last. Therefore, when activating a protocol or protection group, the Protection Mode of the child protections must be verified individually to ensure that each protection has the desired Protection Mode.
In any protection page:
To activate a protection for the selected protection profile, select Active or right-click on the Protection Mode cell and select Activate.
To configure Confidence Indexing for a protection, select Active upon Confidence, or right-click on the Protection Mode cell and select Activate upon Confidence, and drag the slider to the desired confidence index. For details regarding Confidence Indexing, see Avoiding False Positives on page 73.
To disable a protection for the selected protection profile, select Inactive or right-click on the Protection Mode cell and select Deactivate.
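The cascade rules above are easy to get wrong in a large profile, so here is a small model of them in Python. This is an added example, not Check Point code or part of the guide; the Node class, the set_mode and protections names, the rule that a parent forced to Active remembers that as its last given mode, and the HTTP protocol tree are all assumptions made for the illustration. Running scenario() shows why the guide tells you to check each protection individually after re-activating a protocol: long_uri stays Inactive while its siblings come back.

```python
"""Model of IPS-1 Protection Mode cascading (added example, not Check Point code).

Assumptions (not from the guide): a Profile's protections form a tree of Node
objects; last_mode records the mode a node was most recently given, and a
parent forced to Active by a child counts that as its last given mode.
"""

ACTIVE = "Active"
ACTIVE_CONF = "Active upon Confidence"
INACTIVE = "Inactive"


class Node:
    """A protocol, protection group or protection within one protection profile."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.mode = INACTIVE
        self.last_mode = INACTIVE
        if parent is not None:
            parent.children.append(self)

    def set_mode(self, mode):
        """Apply a mode the way the Policy Manager does, including the cascade."""
        if mode == ACTIVE_CONF and self.children:
            raise ValueError("Active upon Confidence is only available on protections")
        self.mode = self.last_mode = mode
        if mode == INACTIVE:
            for child in self.children:      # parent Inactive forces children Inactive
                child._force_inactive()
            return
        ancestor = self.parent               # child Active forces its parents Active
        while ancestor is not None:
            ancestor.mode = ancestor.last_mode = ACTIVE
            ancestor = ancestor.parent
        for child in self.children:          # activated parent: children revert to last mode
            child._restore()

    def _force_inactive(self):
        self.mode = INACTIVE                 # last_mode is kept for a later restore
        for child in self.children:
            child._force_inactive()

    def _restore(self):
        self.mode = self.last_mode
        if self.mode == ACTIVE:
            for child in self.children:
                child._restore()


def protections(node):
    """{protection name: mode} for every protection under node: the per-protection
    check the guide recommends after activating a protocol or group."""
    if not node.children:
        return {node.name: node.mode}
    result = {}
    for child in node.children:
        result.update(protections(child))
    return result


def scenario():
    """Constructed protocol tree (names are hypothetical)."""
    proto = Node("HTTP")
    group = Node("HTTP Headers", proto)
    overflow = Node("header_overflow", group)
    user_agent = Node("suspicious_user_agent", group)
    Node("long_uri", group)                  # never explicitly activated
    steps = {}
    overflow.set_mode(ACTIVE)                # forces HTTP Headers and HTTP to Active
    user_agent.set_mode(ACTIVE_CONF)
    steps["after_child_activation"] = (proto.mode, group.mode, protections(proto))
    proto.set_mode(INACTIVE)                 # everything below goes Inactive
    steps["after_protocol_deactivation"] = (proto.mode, group.mode, protections(proto))
    proto.set_mode(ACTIVE)                   # children revert; long_uri stays Inactive
    steps["after_protocol_reactivation"] = (proto.mode, group.mode, protections(proto))
    return steps


if __name__ == "__main__":
    for step, (proto_mode, group_mode, leaves) in scenario().items():
        print(step, proto_mode, group_mode, leaves)
```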
Protection-Level Settings
The following settings appear on all protection (not protection group or protocol) pages:
Monitor only - no protection: When selected, the protection generates alerts but does not prevent traffic.
Add attackers to blacklist: This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When enabled, source IP addresses of attacks are blacklisted, causing subsequent traffic from those addresses to be blocked. The blacklisting lasts for the duration defined in Blacklist TCP (also Advanced-Settings only), found in the System Settings tab under Attack > Intrusion Prevention. The default duration is 0, and as long as the duration has not been configured to a non-zero value, the option here is disabled. You can click the link here to go directly to the Blacklist TCP setting.
Note - Blacklisting only takes effect for attacks over TCP (in other protocols, the attack could be spoofed), and only if the host is not explicitly Whitelisted (in Advanced Settings mode, in the Attack protocol).
Send TCP resets to attacker and victim (50%): This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When selected, upon attacks, IPS-1 sends protocol-appropriate reset signals to the attack source and destination IP addresses. For TCP, this is a TCP RST. For other IP protocols, this is an ICMP Administratively Prohibited message. 50% means the reset signal is sent only for attacks for which the confidence index is at least 50%.
Enable packet capture: When selected, attack packets are captured for viewing from the Alert Details. For details, see Packet Capture and Viewing on page 129.
There may be additional settings, unique to the specific protection. For information on these settings, see the description text in the lower-right pane of the Policy Manager window. After configuring settings, make sure to Install Policy.
4. The following actions are available:
Deactivate: For the selected profile, disables all protections.
Activate: For the selected profile, enables all available protections.
Monitor Only: For the selected profile, sets all enabled protections to Monitor Only, so that alerts are generated but attacks are not prevented.
Remove Monitor Only: For the selected profile, clears the Monitor Only setting from all protections, so that enabled protections can prevent attack traffic.
Reset: For the selected profile, resets protection settings to the default configuration.

Chapter 3 Managing Attack Detection and Prevention
Many Variables represent numeric or checkbox settings from the protection group and protection pages of Protection Settings (in Policy Manager's Protection tab). Others are under-the-hood values that are not directly edited in Protection Settings.

Each protocol or protection group row shows whether it is Active or Inactive, for each protection profile. If a protection group's setting is Inactive, the Variables associated with it show: (Protection Inactive). Changing the higher-level setting to Active will cause the Variable row to display its value or checkbox.

You can change settings directly from Protection Overview, by selecting and right-clicking a cell.

If a protocol name appears in red, it is because a change has been made under that protocol and it has not yet been saved: either Install Policy has not been performed at all, in which case the change has not been saved to the IPS-1 Management Server, or Install Policy was performed but only to the IPS-1 Management Server, not to the Alerts Concentrator.

Additional Protection Overview features and components are visible when Show Advanced Settings is enabled from the Policy Manager menu.
In This Section
Exempting a Host's Traffic from Inspection (page 87)
Exempting a Host's Traffic from Prevention (page 87)
4. Add the host's IP address to Selected Host Types, either by typing the address and pressing Enter, or by moving it from Recently Used Values.
5. Click OK.
6. Install Policy.
Correlators Overview
You can define alerts to be triggered based on a global view of the traffic passing through all the IPS-1 Sensors in an IPS-1 system, rather than just by individual connections passing through a single IPS-1 Sensor. This is achieved by using Correlators. A Correlator triggers an alert or a specified action when the IPS-1 Management Server receives multiple alerts of specified criteria within a certain timeframe. Whereas regular protections are limited to analyzing the traffic going through a single IPS-1 Sensor, Correlators can detect patterns within the alerts of an entire IPS-1 system.

A regular protection runs on an IPS-1 Sensor and its Alerts Action (see Customizing Alerts on page 147) runs on the Alerts Concentrators. Correlators, on the other hand, run on the IPS-1 Management Server, monitoring alerts from all IPS-1 Sensors through all Alerts Concentrators. This means that an external command to be activated by a correlator must also be on the IPS-1 Management Server host.

Correlators initiate actions when they receive a specified number of alerts matching specific criteria within a specified time window. For example, a Correlator could issue an alert if it receives fifty alerts about traffic from the same Source IP within two minutes. Correlators maintain a count of the alerts they see that meet their criteria. If the count reaches the specified threshold within a specified time period, the correlator triggers the specified action. If the time window ends without the count reaching the threshold, the count is reset to zero.

There are five types of correlators:
Cluster correlators watch for alerts containing identical values within specified fields - for example, all alerts containing the same alert source signatures, regardless of what the actual value is.
Boolean correlators watch for alerts that contain a specified value - for example, all alerts containing a specific source IP address and a specific destination port.
Secondary Correlators are either Cluster or Boolean Correlators that apply their criteria only to an alert subset forwarded to them by another Correlator. The first Correlator needs to be configured to forward its matching alerts to the Secondary Correlator. The combined result is that the Secondary Correlator's specified action is activated if and only if the alerts meeting the criteria and threshold of the first (forwarding) Correlator meet the criteria (Cluster or Boolean) and threshold of the Secondary Correlator.
Scan Correlators behave like Secondary Correlators, monitoring only alerts forwarded to them. The Scan Correlator watches for alerts containing different values within specified fields (scan behavior). This can be useful in conjunction with a Cluster Correlator. For example, to identify a port scan, a Cluster Correlator could be defined to forward alerts with the same destination IP to a Scan Correlator, which would watch for alerts with different destination ports.
The Vulnerability Correlator is predefined and usually should not be edited. It correlates Nessus Scan vulnerability data with new alerts, allowing the Alert Browser to assign a compromise risk index to each alert. Compromise risk is an assessment of how successful an attack would be, based on Nessus data. For information on the Vulnerability Correlator, see Disabling Vulnerability Correlation on page 163.
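To make the threshold, window, forwarding and correlator-type distinctions concrete, the following Python model replays constructed alerts through a Cluster Correlator that forwards to a Scan Correlator (the port-scan arrangement described above) and through a Boolean Correlator. It is an added example and not Check Point code; the class names, the dict-based alert format with src_ip, dst_ip, dst_port and time fields, the choice to forward a batch only once the first correlator's threshold is met, and the sample alerts are all assumptions made for the illustration.

```python
"""Toy model of how IPS-1 Correlators count alerts (added example, not Check Point code).

Assumptions (not from the guide): alerts are plain dicts with a 'time' field in
seconds plus the alert fields named in the guide (src_ip, dst_ip, dst_port);
all class and function names here are hypothetical.
"""


class Correlator:
    """Counts matching alerts per key; triggers when the count reaches the
    threshold inside the window, resets to zero when the window ends first."""

    def __init__(self, name, threshold, window, forward_to=()):
        self.name = name
        self.threshold = threshold
        self.window = window                # seconds
        self.forward_to = list(forward_to)  # Secondary/Scan correlators fed on trigger
        self.buckets = {}                   # key -> (window_start, [alerts])
        self.triggers = []                  # (time, key) for each trigger

    def matches(self, alert):               # Boolean criteria; default: everything
        return True

    def key(self, alert):                   # Cluster criteria; default: one bucket
        return ()

    def count(self, alerts):                # Scan correlators count distinct values
        return len(alerts)

    def feed(self, alert):
        if not self.matches(alert):
            return
        k, t = self.key(alert), alert["time"]
        start, alerts = self.buckets.get(k, (t, []))
        if t - start > self.window:
            start, alerts = t, []           # window ended below threshold: reset
        alerts.append(alert)
        self.buckets[k] = (start, alerts)
        if self.count(alerts) >= self.threshold:
            self.triggers.append((t, k))
            del self.buckets[k]             # start counting afresh
            # Only alerts that met criteria AND threshold reach a Secondary/Scan correlator
            for secondary in self.forward_to:
                for a in alerts:
                    secondary.feed(a)


class ClusterCorrelator(Correlator):
    """Same value in the selected fields, whatever that value is."""

    def __init__(self, name, threshold, window, fields, **kw):
        super().__init__(name, threshold, window, **kw)
        self.fields = fields

    def key(self, alert):
        return tuple(alert[f] for f in self.fields)


class BooleanCorrelator(Correlator):
    """A specific value, expressed as a predicate over the alert."""

    def __init__(self, name, threshold, window, predicate, **kw):
        super().__init__(name, threshold, window, **kw)
        self.predicate = predicate

    def matches(self, alert):
        return self.predicate(alert)


class ScanCorrelator(ClusterCorrelator):
    """Different values in scan_fields among alerts that share the key fields."""

    def __init__(self, name, threshold, window, scan_fields, key_fields=(), **kw):
        super().__init__(name, threshold, window, key_fields, **kw)
        self.scan_fields = scan_fields

    def count(self, alerts):
        return len({tuple(a[f] for f in self.scan_fields) for a in alerts})


def build_alerts():
    """Constructed sample alerts (not real data)."""
    alerts = []
    for i, port in enumerate([21, 22, 23, 25, 80, 443]):   # one host probing six ports
        alerts.append({"time": 5 * i, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": port})
    for i in range(6):                      # six alerts for one port: same destination, no scan
        alerts.append({"time": 5 * i, "src_ip": "10.0.0.6", "dst_ip": "192.0.2.11", "dst_port": 80})
    for i in range(5):                      # alerts too far apart: the window keeps resetting
        alerts.append({"time": 100 * i, "src_ip": "10.0.0.7", "dst_ip": "192.0.2.12", "dst_port": 80})
    return sorted(alerts, key=lambda a: a["time"])


def run_demo():
    scan = ScanCorrelator("port-scan", threshold=5, window=60,
                          scan_fields=("dst_port",), key_fields=("dst_ip",))
    cluster = ClusterCorrelator("same-dst", threshold=5, window=60,
                                fields=("dst_ip",), forward_to=[scan])
    boolean = BooleanCorrelator("from-10.0.0.5", threshold=3, window=60,
                                predicate=lambda a: a["src_ip"] == "10.0.0.5")
    for alert in build_alerts():
        cluster.feed(alert)
        boolean.feed(alert)
    return {c.name: c.triggers for c in (cluster, scan, boolean)}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, hits)
```

The Cluster Correlator fires for both destinations once five alerts share a destination IP, but only the batch with five different destination ports makes the Scan Correlator fire; the spaced-out alerts to 192.0.2.12 never reach the threshold because each one lands outside the previous window and the count restarts.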
Defining Correlators
In This Section
Defining a Cluster Correlator (Regular or Secondary) (page 90)
Defining a Boolean Correlator (Regular or Secondary) (page 94)
Defining a Scan Correlator (page 99)
2. Click New, or select an existing correlator and click Edit.
3. If you are creating a new correlator, type a name and select Cluster Correlator or Secondary Cluster Correlator. Click OK.
4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
5. In the Cluster Correlator tab, select each criterion you want the correlator to use for matching. For example, if you check Alert Source, the correlator will monitor alerts with the same source.
6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.
7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script.
For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.
10. For a Secondary Correlator to function, alerts need to be forwarded to it from another Cluster Correlator.
To forward alerts to a Secondary Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.
3. If you are creating a new correlator, type a name and select Boolean Correlator or Secondary Boolean Correlator. Click OK.
4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
Create an evaluation statement using the provided tool buttons, dropdown lists, and text box (mouse over each button to see a tooltip). The available operators are:
Table 3-1 Evaluation statement operators
Is equal to
Is not equal to
Is greater than
Is less than
Is greater than or equal to
Is less than or equal to
Is within the specified netmask value (used for IP addresses only)
Is not within the specified netmask value (used for IP addresses only)

EXAMPLE 1
The following statement would cause the correlator to trigger for alerts where the source IP address is 192.168.2.3.
You can create more complex evaluation statements by combining multiple clauses and joining them with AND or OR logical operators. Use the following tool buttons to create complex evaluation statements:
To insert another clause.
To delete an existing clause.
To move a clause up in the list of multiple clauses.
To move a clause down in the list of multiple clauses.

EXAMPLE 2
The following statement causes the correlator to match on all alerts where the destination port is 88 and the IP Protocol is not EIGRP.
Note - When you insert a NOT operator or a parenthesis within a clause, it will display in the statement window. To remove a NOT operator or a parenthesis, click the appropriate tool button (for example, the tool button that has the exclamation point with the slash through it removes the NOT operator).
6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.
7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable.
For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.
10. For a Secondary Correlator to function, alerts need to be forwarded to it from another Cluster Correlator. To forward alerts to a Secondary Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.
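The evaluation statements from Examples 1 and 2 above, plus a netmask clause, as an added Python model of how such clauses are evaluated against alerts. This is not part of the guide or of Check Point's product: the operator spellings (==, within, not within), the Clause, Not and Join classes, the field names and the sample alerts are assumptions made for the example, and the two netmask operators are implemented with Python's ipaddress module.

```python
"""Model of an IPS-1 Boolean Correlator evaluation statement (added example,
not Check Point code).

Assumptions (not from the guide): alerts are dicts with the fields id, src_ip,
dst_port and ip_protocol; operator spellings, class names and sample alerts
are constructed for this illustration."""

import ipaddress
import operator

# The operators the guide lists for a clause (Table 3-1); the two netmask
# operators apply to IP address fields only.
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    ">=": operator.ge,
    "<=": operator.le,
    "within": lambda v, net: ipaddress.ip_address(v) in ipaddress.ip_network(net, strict=False),
    "not within": lambda v, net: ipaddress.ip_address(v) not in ipaddress.ip_network(net, strict=False),
}


class Clause:
    """One <field> <operator> <value> comparison."""

    def __init__(self, field, op, value):
        if op not in OPERATORS:
            raise ValueError("unknown operator: %s" % op)
        self.field, self.op, self.value = field, op, value

    def evaluate(self, alert):
        return OPERATORS[self.op](alert[self.field], self.value)

    def __str__(self):
        return "%s %s %s" % (self.field, self.op, self.value)


class Not:
    """The NOT operator applied to a clause or a parenthesised group."""

    def __init__(self, inner):
        self.inner = inner

    def evaluate(self, alert):
        return not self.inner.evaluate(alert)

    def __str__(self):
        return "NOT (%s)" % self.inner


class Join:
    """Clauses joined with AND or OR; the parentheses group the sub-statement."""

    def __init__(self, op, *parts):
        if op not in ("AND", "OR"):
            raise ValueError("join operator must be AND or OR")
        self.op, self.parts = op, parts

    def evaluate(self, alert):
        combine = all if self.op == "AND" else any
        return combine(p.evaluate(alert) for p in self.parts)

    def __str__(self):
        return "(" + (" %s " % self.op).join(str(p) for p in self.parts) + ")"


def matching_ids(statement, alerts):
    """IDs of the alerts the statement would match, in arrival order."""
    return [a["id"] for a in alerts if statement.evaluate(a)]


# Constructed sample alerts (not real traffic)
ALERTS = [
    {"id": 1, "src_ip": "192.168.2.3", "dst_port": 88, "ip_protocol": "TCP"},
    {"id": 2, "src_ip": "10.1.4.9", "dst_port": 88, "ip_protocol": "EIGRP"},
    {"id": 3, "src_ip": "10.1.4.9", "dst_port": 88, "ip_protocol": "UDP"},
    {"id": 4, "src_ip": "203.0.113.7", "dst_port": 4444, "ip_protocol": "TCP"},
]

# EXAMPLE 1 from the guide: the source IP address is 192.168.2.3
EXAMPLE_1 = Clause("src_ip", "==", "192.168.2.3")
# EXAMPLE 2 from the guide: destination port 88 and IP Protocol not EIGRP
EXAMPLE_2 = Join("AND", Clause("dst_port", "==", 88), Not(Clause("ip_protocol", "==", "EIGRP")))
# A netmask clause (constructed): sources outside 10.0.0.0/8 hitting a high port
EXAMPLE_3 = Join("AND", Clause("src_ip", "not within", "10.0.0.0/8"), Clause("dst_port", ">=", 1024))

if __name__ == "__main__":
    for statement in (EXAMPLE_1, EXAMPLE_2, EXAMPLE_3):
        print(statement, "->", matching_ids(statement, ALERTS))
```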
2. Click New, or select an existing correlator and click Edit.
3. If you are creating a new correlator, type a name and select Scan Correlator. Click OK.
4. In the Description tab, provide the following information:
Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
Window: The time period in seconds during which matching alerts are counted.
Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives. It resets this count to zero if the specified count is not reached within the time window.
5. In the Scan Correlator tab, select the fields which should be monitored to detect scans.
6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.
7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.
8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable.
For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.
9. Click OK.
10. For the Scan Correlator to function, alerts need to be forwarded to it from another Cluster Correlator. To forward alerts to a Scan Correlator:
a. Create or Edit the forwarding Correlator.
b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Scan Correlator from the Available Correlators list to the Selected Correlators list.
c. Click OK.
In This Section
IPS-1 Firewall GUI (page 104)
Policy Settings (page 105)
4. Click Edit. The Rule Editor opens.
5. Click New to add a rule. To edit a value in the rule, click a cell. Then select or enter the relevant value(s).
You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, thus automatically affecting all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros. See Macros on page 105.
To change the logical Rule order according to which the IPS-1 Sensor will examine traffic, change the order of the Rules by selecting rules and clicking the Up and Down buttons.
Macros
You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, thus automatically affecting all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros.
To create a Macro:
1. In the Macros tab, click New.
2. Select the type of values to be included in the sets and type a name for the Macro.
3. Click the Macro Value cell.
4. Type a single value and press Enter, or click the editor button to open a value editor.
The Macro will now appear in value editors for relevant rule values.
Policy Settings
In newer IPS-1 Sensors, use Policy Settings to configure firewall functionality. For regular (non-Power) Sentivist and IPS-1 Sensors of versions 5.0-5.0.6, firewall functionality is more easily configured in the IPS-1 Firewall GUI. See IPS-1 Firewall GUI on page 104 for details.
Warning - This functionality is for advanced users and is very resource-intensive. Use it only as necessary.
To configure Policy Settings:
1. In Policy Manager's Policy Manager menu, point to Advanced and enable Show Advanced Settings.
2. In the Protection tab, in the left-hand navigation tree, under Network Security, expand Policy Settings and select Policy Configuration Settings.
3. Read the help text information in the lower-right pane. Follow the instructions to configure rules in Policy Configuration Settings.
4. Install Policy.
Overview
The IPS-1 Management Dashboard incorporates a number of different windows in which you can monitor alert activity. These are:
Alert Browser and History Browser: Display detailed alerts in a customizable window of spreadsheet-type rows of alerts. The Alert Browser displays streaming, filterable alerts as they are generated and received. History Browser snapshots are frozen versions of the Alert Browser, showing alerts for a specified time frame. The Alert Browser and History Browser incorporate management tools for alert analysis.
Timelines: Display multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for comparison between multiple alert categories.
Graphs: Customizable graphs depicting total or categorized alert activity level by time, or alert value frequency by specified alert fields. All graphs change dynamically as alerts come in, and can be frozen as a saved snapshot or printed.
In This Section
The Alert Browser Window (page 110)
Working in the Alert Browser (page 113)
Viewing History Browser Snapshots (page 125)
In This Section
Window Areas (page 111)
Hiding Window Panels (page 111)
Toolbar Buttons (page 112)
Window Areas
The main window areas are:
All Alerts panel: Each row represents an alert or group of alerts received by the IPS-1 Management Dashboard. Each column displays values for a particular field. You can customize the fields (columns). See Adding or Removing Columns on page 114.
Hold panel: The held alerts panel displays alerts that you have selected to hold for the current session.
Show only / Hide these alerts field trees (on the left): Used to filter the alerts that appear in the alerts panel. See Filtering Alerts by Field Values on page 120.
Status Summary: This area in the lower left-hand corner of the window shows the distribution of current alerts by priority (red=high; yellow=medium; green=low):
Toolbar Buttons
In addition to the buttons on the right end of the toolbar, which are common to all of the main IPS-1 Management Dashboard windows, the Alert Browser toolbar contains the following buttons:
Table 4-1 Alert Browser toolbar buttons
Undo a change to the filter tree.
Redo an undone filter change.
Interrupt loading alerts.
Split into panels of alerts grouped by priority.
Mark selected alert(s) as read.
Unmark as read: remove the read mark from selected alert(s).
Display alerts for prevented attacks in a separate panel.
Display ignored (filtered out) alerts in a separate panel.
Change the time span for displayed alerts.
Create a History Browser snapshot of the Alert Browser's current time period.
In this example, the highest level of ordering would be by priority. Same-priority alerts would be internally arranged by Protocol Name; same-Name alerts by Destination IP, and so on. This configuration allows a user to easily locate a particular alert and determine which hosts have been attacked. Alerts are shaded in different shades of gray, indicating grouping of data values. Groups of rows with like values are similarly shaded. The shading is useful in quickly discovering patterns of alerts. To move a column, drag the column heading. To toggle between the ascending and descending sort order for a column, click the column heading. To add or remove a column, see below.
2. From the list of available fields, select the desired ones. Click OK. Newly added columns appear to the right of existing ones, keeping the current alert order intact. You can also add or remove columns by right-clicking any column heading and selecting Show/Hide Columns. You can also remove a column by right-clicking its heading and then selecting Hide <field> Column. Available alert fields are:
Table 4-2 Alert Browser columns (Column: Description)
(column name not recoverable): An identifier for the alert type, unique across all databases
(column name not recoverable): An identifier for this specific alert, unique in the IPS-1 Management Server database
(column name not recoverable): The IPS-1 component, typically a Sensor, that generated the alert
(column name not recoverable): The Alerts Concentrator that recorded the alert
(column name not recoverable): Alert source type, one of the following: Network (an alert related to network traffic, from the Alerts Concentrator, based on information from the Sensor); Correlator (an alert related to network traffic, based on a Correlation by the IPS-1 Management Server); System (a system message from the Sensor or the Alerts Concentrator); IPS-1 Management Server (a system message from the IPS-1 Management Server); Audit (an audit alert from the Alerts Concentrator)
(column name not recoverable): Indicates whether an alert has comments
(column name not recoverable): A list of CVE IDs, if any, associated with a particular attack. A CVE ID is the ID of a particular vulnerability as defined by the U.S. National Institute of Standards and Technology's <http://csrc.nist.gov/> (NIST) National Vulnerability Database <http://nvd.nist.gov/> (NVD).
Compromise Risk: An assessment of how successful an attack would be based on Vulnerability data. To populate this field, you must have uploaded vulnerability data; see Vulnerability Detection and Defense on page 153. See Viewing Compromise Risk in the Alert Browser on page 162.
Confidence Level: The likelihood that the Protection has detected an actual attack or problem, rather than being a false positive
Create Date: The time and date that the alert was stored in the alert database
Description: The alert description
Destination Address: The traffic's destination IP address
Destination OS: The operating system of the traffic's destination
Destination Port: The traffic's destination port number
File Name: The file name from the traffic, when the alert was caused by a file-related protection
IP Family: IPv4 or IPv6
IP Protocol: The traffic's IP protocol
Impact: The possible impact of the activity that generated the alert, such as Denial of Service or Information Gathering
Packet Interface: The Sensor interface into which the traffic entered
Prevented: Whether the traffic that triggered the alert was prevented
Priority: The alert priority: High (red), Medium (yellow), or Low (green)
Protection Group: The protection group that detected the attack
Protection Name: The protection that detected the attack, or system message name
Protocol: The Protocol that the Protection Group belongs to, as grouped in Policy Manager
Read By: Username and main IP of the user who marked the alert as read
Sense Time: The time the IPS-1 Sensor generated the alert
Sensor Mode: The mode of the Sensor that generated the alert, one of the following: IDS (passive); IPS (inline, fail-closed); IPS (inline, fail-open); IPS Monitor-Only (inline, fail-open); Unavailable (a legacy mode)
(column name not recoverable): The traffic's source IP address
(column name not recoverable): The operating system of the traffic's source
(column name not recoverable): The traffic's source port
(column name not recoverable): Username from the traffic; typically available when the alert is from an authentication-related protection
(column name not recoverable): The traffic's VLAN ID
Alert Grouping
The Alert Browser can group similar alerts together into one row, according to configurable criteria. By default, Alert Grouping is disabled. When Alert Grouping is enabled, a Count column appears as the first column of the Alert Browser. This column contains the number of alerts that have been combined into the row, and a plus sign (+) with which you can expand the grouped alerts. The grouped alerts can then be collapsed with the (-) sign. In the alert field columns of the combined row, the values are those of the first alert. The configurable Grouping Level value defines grouping behavior. If the Grouping Level is set to n, Alert Grouping combines into one row alerts with identical values in the first n fields. For example, if Priority is the first column, and Alert Name is the second, and the Grouping Level is 2, then all alerts that have the same priority and name will be grouped into a single row. You can change grouping behavior either by rearranging columns or by changing the Grouping Level.
Figure 4-2 Alert Grouping
In the above figure, the Grouping Level is 3, so grouped alerts have identical Priority, Protocol, and Protection Group.
To enable Alert Grouping:
1. Arrange the columns so that the fields you want grouped for identical values are on the left.
2. Do one of the following:
   From the Alert Browser menu, select Alert Grouping. Select a Grouping Level, and click OK.
   Right-click in an alert, on the right-most column you want grouped for identical values, and select Group To <field>.
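The grouping rule above (first n columns equal, the combined row shows the first alert's values, the Count column and the plus sign expand the members) is small enough to state exactly. The following is an added example, not code from the IPS-1 guide or from Check Point; the alerts, protection names and addresses in it are constructed for illustration, and the column names follow Table 4-2.

```python
# Added example (not from the IPS-1 guide): the Alert Grouping rule applied to a
# constructed alert list. The two inputs are the same as in the Alert Browser:
# the current column order and the Grouping Level.

# Constructed alerts (not real IPS-1 output); every value is illustrative.
COLUMNS = ["Priority", "Protocol", "Protection Group", "Protection Name", "Source Address"]
ALERTS = [
    {"Priority": "High", "Protocol": "HTTP", "Protection Group": "Web Servers",
     "Protection Name": "Directory Traversal", "Source Address": "10.1.1.1"},
    {"Priority": "High", "Protocol": "HTTP", "Protection Group": "Web Servers",
     "Protection Name": "Header Overflow", "Source Address": "10.1.1.2"},
    {"Priority": "Medium", "Protocol": "DNS", "Protection Group": "Name Resolution",
     "Protection Name": "Malformed Query", "Source Address": "10.1.1.3"},
    {"Priority": "High", "Protocol": "HTTP", "Protection Group": "Web Servers",
     "Protection Name": "Directory Traversal", "Source Address": "10.1.1.4"},
    {"Priority": "High", "Protocol": "FTP", "Protection Group": "File Transfer",
     "Protection Name": "Anonymous Login", "Source Address": "10.1.1.5"},
]


def group_alerts(alerts, columns, level):
    """Combine alerts whose values agree in the first `level` columns.

    Rows come back in the order their first alert appears, so grouping keeps the
    current alert order. Each row carries Count, the first alert (whose values
    the combined row displays) and the full member list (what the plus sign
    expands). level == 0 is the disabled state: one row per alert.
    """
    if not 0 <= level <= len(columns):
        raise ValueError("Grouping Level must be between 0 and the number of columns")
    rows, by_key = [], {}
    for alert in alerts:
        key = tuple(alert[c] for c in columns[:level])
        if level and key in by_key:
            row = by_key[key]
            row["Count"] += 1
            row["members"].append(alert)
        else:
            row = {"Count": 1, "row": alert, "members": [alert]}
            rows.append(row)
            by_key[key] = row
    return rows


def group_to(columns, field):
    """'Group To <field>' from the right-click menu: the Grouping Level becomes
    the 1-based position of that column in the current column order."""
    return columns.index(field) + 1


def move_first(columns, field):
    """Rearranging columns changes grouping too: drag `field` to the far left."""
    return [field] + [c for c in columns if c != field]


if __name__ == "__main__":
    # Same situation as Figure 4-2: Grouping Level 3 over Priority, Protocol, Protection Group.
    for row in group_alerts(ALERTS, COLUMNS, group_to(COLUMNS, "Protection Group")):
        first = row["row"]
        print(row["Count"], first["Priority"], first["Protocol"], first["Protection Group"])
```

With the column order above and Grouping Level 3, the three HTTP/Web Servers alerts collapse into one row that displays 10.1.1.1 as the source address; the two other source addresses are only visible after expanding the row, which is worth remembering when a grouped row is what you copy into a ticket.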
2. Select the time span (number and units) and click OK. If you made the time span longer than it previously was, you may have to wait as additional alerts are loaded.
Overview
By default, the IPS-1 Management Dashboard displays all alerts received by the IPS-1 Management Server within the defined time span. You can filter alerts according to any combination of alert field values. For a particular Filter Field, you can define either Filter-In values, to view only alerts with those values, or Filter-Out values, to exclude alerts with those values. Filter-In values are defined in the upper filter tree, and Filter-Out values in the lower filter tree. For example, if you want to see only medium and high priority alerts from one particular server, you could define that server's IP address as a Filter-In value for the Src Addr field, and Low as a Filter-Out value for the Priority field.
To clear all filters and bring back all alerts, below the upper filter tree, click Clear.
The value is added to the filter tree in red and already selected. 3. Click Apply.
A new window appears with a panel displaying only alerts with the specified value.
Note - Existing values in the target tree will not be automatically removed. An existing value with the same name as a pasted one, but a different setting (enabled/disabled), will be overwritten.
Only alerts from the last ten minutes appear in the ignored alerts panel. To remove the panel, click the button again.
When naming a view, the Save View As window gives the option of making it the default View, the view which is displayed when the Alert Browser is opened:
In This Section
Launching a History Browser (page 125)
Opening a History Browser Window from a Timeline (page 125)
Changing the History Browser Time Frame (page 126)
To open a History Browser window with default settings, from the File menu, select New History Browser.
1. From an active timeline window, drag a selection box around alerts on a segment of a timeline.
2. Right-click in the selection box, and select View Selected Alerts. The desired History Browser opens.
To open a History Browser window from a timeline alert cluster:
1. In an active timeline window, enable Cluster Alerts and set the clustering Resolution.
2. Double-click an alert cluster. The desired History Browser opens.
The fields shown in Alert Details depend on the alert type. In general, all fields from the alert browser are shown, including hidden fields. After a brief pause, additional fields may become visible as they are retrieved from the Alerts Concentrator. With Alert Grouping, Alert Details for a grouped row will display information for the first alert. The other alerts of the group will appear in an additional pane of the Alert Details window:
From Alert Details, you can do one of the following:
Copy the entire window contents to the clipboard (if you then paste into a spreadsheet application such as MS Excel, only the Details section is pasted).
Show Raw Packets: see Packet Capture and Viewing on page 129.
View Vulnerability Info: this feature is enabled only if vulnerability data has been uploaded. See Vulnerability Detection and Defense on page 153.
You can have the traffic's source hostname appear in the Alert Details, as follows:
1. From the Tools menu, select User Preferences.
2. Under Alert Details, select Allow reverse DNS lookup.
3. Click OK.
The hostname shown is whatever PTR record the owner of the source address's reverse zone publishes, so treat it as a label supplied by the source rather than as verified identity.
Path to Packet Capture Utility: a path to the executable for the packet capture utility.
Working Directory: specifies where the packet capture files will be stored.
3. Click OK.
4. In Policy Manager's System Settings tab, in the left-hand navigation tree, select General Profile Settings.
5. For each defined protection profile (for example: Default_Protection):
   a. Under Profile, select the protection profile.
   b. Under Other Critical Information, for Number of Packets to capture per attack, click the value and type the number of packets to be captured.
   c. Click OK.
6. For each enabled protection for which you want to capture packets, in Policy Manager's Protection tab, navigate to the protection's page, and select Enable Packet Capture.
7. Install Policy on all Sensors.
Holding an Alert
As you view alerts, you can put one or more aside, or hold them, for further investigation. Held alerts are copied to a separate panel of the Alerts Browser or History Browser. They are held until the end of the current session and are not affected by the time-frame limits or other filters of non-held alerts. As with all Alert Browser / History Browser panels, you can hide the Hold panel. At the bottom of the panel, click the up arrow. To hold an alert, right-click it and select Hold. To remove an alert from the Hold panel, right-click it and select Remove Hold.
To mark an alert as read, right-click the alert and select Mark as Read, or select the alert and, in the toolbar, click the Mark as Read button.
To hide alerts that are marked as Read:
1. In the Hide these Alerts panel, select Read By.
2. Right-click on Read By and select New Read By.
3. In the field under the Read By Entry list, type *@* and press Enter.
4. Click OK.
5. Click Apply.
Alerts that have been read by anyone are now filtered out of the Alert Browser (Read By holds the reader's username and main IP, which is why the *@* pattern matches any reader).
To remove the strikethrough from an alert, right-click the alert and select Unmark as Read, or select the alert and, in the toolbar, click the Unmark as Read button. Both commands can also be accessed from the Alert Browser menu.
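The Filter-In / Filter-Out behaviour described in the filtering overview, the enabled/disabled state of each tree entry and its paste rule, and the *@* Read By entry used just above can all be checked against a small model. The following is an added example, not code from the IPS-1 guide or from Check Point; the alerts are constructed, and treating entry values as shell-style patterns is an assumption made so that *@* behaves as the procedure describes.

```python
# Added example (not from the IPS-1 guide): Filter-In and Filter-Out trees
# applied to constructed alerts. Each tree maps a field to entries that can be
# individually enabled or disabled, as in the Dashboard trees; entry values are
# matched as shell-style patterns (an assumption) so that *@* hides read alerts.
from fnmatch import fnmatchcase

# Constructed alerts; an empty Read By means nobody has marked the alert as read.
ALERTS = [
    {"Src Addr": "10.0.0.5", "Priority": "High",   "Read By": ""},
    {"Src Addr": "10.0.0.5", "Priority": "Low",    "Read By": ""},
    {"Src Addr": "10.0.0.9", "Priority": "High",   "Read By": ""},
    {"Src Addr": "10.0.0.5", "Priority": "Medium", "Read By": "admin@192.0.2.10"},
]


def _enabled(tree, field):
    """Patterns for `field` whose checkbox is enabled."""
    return [pattern for pattern, enabled in tree.get(field, []) if enabled]


def passes(alert, filter_in, filter_out):
    """Upper tree: for every field with an enabled entry, some entry must match.
    Lower tree: any enabled entry that matches excludes the alert.
    A field whose entries are all disabled places no restriction."""
    for field in filter_in:
        patterns = _enabled(filter_in, field)
        value = str(alert.get(field, ""))
        if patterns and not any(fnmatchcase(value, p) for p in patterns):
            return False
    for field in filter_out:
        value = str(alert.get(field, ""))
        if any(fnmatchcase(value, p) for p in _enabled(filter_out, field)):
            return False
    return True


def apply_filters(alerts, filter_in, filter_out):
    return [a for a in alerts if passes(a, filter_in, filter_out)]


def paste_into(tree, field, entries):
    """The paste rule from the Note in the filtering section: existing entries are
    kept, and a pasted entry with the same value overwrites the enabled/disabled
    setting of the existing one. Returns the updated tree."""
    merged = dict(tree.get(field, []))
    merged.update(entries)
    tree[field] = list(merged.items())
    return tree


if __name__ == "__main__":
    # The overview's example plus the Read By entry: one server, no Low, nothing already read.
    show_in = {"Src Addr": [("10.0.0.5", True)]}
    hide = {"Priority": [("Low", True)], "Read By": [("*@*", True)]}
    for alert in apply_filters(ALERTS, show_in, hide):
        print(alert)
```

Note the asymmetry the model makes explicit: a Filter-In field with only disabled entries shows everything, while a single enabled Filter-Out entry removes matching alerts regardless of what the upper tree selected. When a saved view seems to be "missing" alerts, the lower tree is the first place to look.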
Annotating Alerts
You can add comments to one or more alerts for future reference, as follows: 1. Select one or more alerts, right-click them and select Annotate.
Figure 4-5 New Annotation
3. To add more alerts to the annotation, click Add Alerts. Select alerts and click Add Alerts. To remove an alert from the annotation, select the alert and click Remove Alerts.
4. Click OK.
To see or edit the annotation for an alert, right-click the alert and select Annotate again. To see a checkmark in the Alert Browser for each annotated alert, display the Annotation column.
Overview
The Timeline window displays multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for easy comparison between multiple alert categories.
Alerts are color-coded according to Priority:
Red: High
Yellow: Medium
Green: Low
You can scroll the view along the timelines to view past history. Use the scroll arrow buttons at the top of the window to move backward and forward along the timeline.
Each timeline can be filtered separately, enabling separate categories of alerts. For details see Filtering Timelines on page 138.
A Timeline Configuration Wizard prompts for your network and server addresses, and accordingly creates a Default set of timelines. Timelines can then be customized, or you can create your own. For details see Creating the Default Timeline Set on page 136.
You can add, remove, copy and paste, rename and rearrange timelines. To access these commands, select and right-click an individual timeline.
Sets of configured timelines can be saved as views, similar to the Alert Browser. To manage views, use commands from the File menu.
Alerts along timelines can be individually represented, or clustered. For details see Clustering Timeline Alerts on page 138.
The first time the Timeline window is opened, the Timeline Configuration wizard appears. You can subsequently access the wizard from the Timeline menu. For details see the following section, Creating the Default Timeline Set on page 136.
To create some or all of the above timelines:
1. Open a Timeline window. The first time the Timeline window is opened, the Timeline Configuration wizard appears. Otherwise, access the wizard from the Timeline menu.
2. In each wizard page, type network addresses, add them, and click Next. The Timeline Configuration wizard pages prompt for the following network addresses:
   Internal Network
   Email server
   DNS server
   FTP server
   Web server
   Other server: in this page, type a name for the Server Type as well.
3. In the Save View page, type a name for the view, and choose whether this should be the default view for Timeline windows.
4. Click Finish. The configured Default Timeline set appears.
Overview
You can create customizable alert graphs. Graphs change dynamically as alerts come in, and can be frozen as a saved snapshot, or printed. There are three types of alert graphs:
An Activity Level graph plots total alert activity level by time.
A Pick Graph plots alert activity level by time, limited to alerts with a specific value for a particular alert field. You can simultaneously view multiple Pick Graphs for a specified alert field. For example, you could compare the alert activity levels for three different source IPs.
A Top n Graph is a bar graph that plots alert frequency by specified alert values. For example, the top three most-active source IPs.
To create an Activity Level graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, select Activity Level.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
4. Set the following:
   Graph Resolution: the time span represented by each scale mark on the X-axis.
   Graph is green for alert counts less than: when the highest alert count in the displayed graph is less than this number, the entire graph becomes green. Otherwise, it is yellow or red.
   Graph is yellow for alert counts less than: when the highest alert count in the displayed graph is less than this number, but equal to or more than the previous setting, the entire graph becomes yellow. If it is equal to or more than this number, it is red.
   Show as Area Graph: when selected, the area under the graph line is filled.
5. Click OK.
To create a Pick graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Pick Graphs, select an alert field.
3. For each value to be plotted in a Pick Graph, do the following:
   a. Right-click in the graph area and select Add <field>.
   b. Type or select the desired value.
   c. To choose the graph color for this value, click Choose the color. Select a color, and click OK.
   d. Click OK.
4. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
5. Set the following:
   Graph Resolution: the time span represented by each scale mark on the X-axis.
   Appearance, one of the following:
      Area Graph: the area under the graph line is filled. Note that with multiple graphs, they will hide parts of one another.
      Stacking Area Graph: the area under the graph line is filled, and graphs stack on top of each other. Note that Y values for upper graphs are aggregated values.
      Plot Graph: regular line graphs.
6. Click OK.
An alternative way of creating a Pick graph is from the Alert Browser / History Browser. Right-click a cell with a value you want to plot on a Pick graph, and select Graph <field> (<value>). You can then continue to add values as in the above procedure.
To create a Top n Graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Top n Graphs, select an alert field.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
4. Set the following:
   Include alerts that have occurred within the last: only alerts from this time span are considered or displayed.
   Show counts for items that are in the top: this is the n value; the n most-occurring values are displayed.
5. Click OK.
Saving Graphs
Saving a Graph View
You can save and later reopen graph views, similarly to the Alert Browser, History Browser, and Timeline window. This way you can retain graph settings for future alerts. Access these commands from the File menu.
Printing a Graph
To print a graph, from the Graph menu, select Print. Or, right-click in the graph area, and select Print.
Customizing Alerts
In This Section
Overview (page 147)
Configuring Actions (page 147)
Applying Actions to Alerts (page 150)
Changing an Alert's Displayed Priority (page 151)
Overview
You can customize the IPS-1 system so that the Alerts Concentrator issues notifications other than the standard alerts viewed in the Alert Browser. Along with issuing standard alerts, the Alerts Concentrator can perform the following kinds of Actions:
Send an Email to specified recipients
Send an SNMP trap
Execute a generic external application
Any of the above actions can be defined to be performed along with any system alert. In addition to logging, Custom Actions can be applied to an individual alert, or simultaneously to a whole group of alerts. There are predefined Alert groups, with the alerts grouped by protocol, and you can also create your own custom alert groups to which you can then apply custom Actions. System alerts can also be customized by changing their displayed Priority.
Configuring Actions
This section discusses creating or modifying Alert Actions, which can then be applied to alerts or to alert groups, as discussed in Applying Actions to Alerts on page 150. Note that modifying an existing Action will affect any alerts or alert groups to which the Action is already applied.
To create or modify an Action:
1. Click the Alert Actions tab. If the Alert Actions tab does not appear in Policy Manager, enable Advanced Settings from the Policy Manager menu.
2. In the left-hand Alerts tree, select a group or an alert, and click Edit Actions.
3. Select an existing Action and click Properties; or, click New Action, select one of the following Action types, and click OK:
   Email: send an email to specified recipients (not available on SecurePlatform)
   SNMP Trap: send an SNMP trap with the following information:
      Object ID: 1.3.6.1.4.1.4811.0.<Trap ID>. <Trap ID> is user-defined when creating the SNMP Trap Alert Action.
      Alert source: IP address of the host that caused the alert.
      Community authentication string: user-defined when creating the SNMP Trap Alert Action.
      System up time: set to 0:00:00.00.
      Trap source: 1.3.6.1.4.1.4811.0.1.
      Message: 1.3.6.1.4.1.4811.0.2.
   The community string is sent in cleartext and a trap is an unauthenticated UDP datagram, so anyone on the path can read it and anyone who knows the string can forge one. Send traps only across the management network, and do not reuse a community string that grants read or write access on your SNMP agents.
4. Type or modify the Action properties, which are explained in the following section. In a pre-existing Action, you cannot change the Action name.
5. Click OK, and OK. Install Policy to save changes.
   b. Type a name for the group, and click OK. The group appears under User-Defined Groups.
   c. Select the group you just created, and click Add Alerts.
   d. Select all alerts to be added to the group, and click OK.
To modify an existing group:
   a. In the left-hand Alerts tree, select an existing group from under User-Defined Groups.
   b. To add alerts to the group, click Add Alerts. To remove an alert from the group, select the alert and click Remove.
5. Move one or more Actions from the Available Actions list to Applied Actions 6. Click OK, and Install Policy to save changes. You can later modify the Action, as explained in Configuring Actions on page 147.
Note - An Action applied to an alert group is displayed only at the group level, and does not appear when an individual alert from the group is selected, even though the Action will be performed for that alert.
Overview
You can proactively protect your network by scanning it for vulnerabilities that an attacker might exploit. The vulnerability data obtained from the scan can be used by the IPS-1 system in the following three ways:
Dynamic Shielding: IPS-1 can check protection settings at vulnerability data upload time, to prevent discovered vulnerabilities from being exploited. Dynamic Shielding can be configured to change protection settings automatically, to prompt for user approval before changing protection settings, or only to issue alerts to the Alert Browser for unprotected vulnerabilities.
Vulnerability Browser: an IPS-1 Management Dashboard window that displays detailed scan results, so that you can determine which attacks against known vulnerabilities should be detected and prevented by the IPS-1 Sensors, and configure Sensor protections accordingly.
Compromise Risk: the Alert Browser can be enabled to display for each alert its Compromise Risk factor, based on your network's vulnerability to the attack.
Vulnerabilities are identified with CVEs. A CVE ID is a unique identifier for one specific vulnerability. CVE IDs are assigned by the CVE program operated by MITRE; the U.S. National Institute of Standards and Technology (NIST: http://csrc.nist.gov/) catalogues them, with additional analysis, in its National Vulnerability Database (NVD: http://nvd.nist.gov/). To take advantage of these features, use the third-party Nessus network vulnerability scanner to scan your network and create a scan result file. IPS-1 can then use the vulnerability data in this file. Nessus is currently owned and developed by Tenable Network Security, and is neither provided nor supported by Check Point.
Chapter 5
Viewing Vulnerabilities
The features discussed in this section are available only when network vulnerability data has been collected and installed in IPS-1, as explained in Installing Network Vulnerability Data, and Dynamic Shielding on page 155. You can view full vulnerability data in the Vulnerability Browser. To open the Vulnerability Browser, from the File menu, select New Vulnerability Browser. Or, click the Vulnerability Browser icon:
In the upper part of the Vulnerability Browser, vulnerability details are displayed. You can filter displayed vulnerabilities with the left-hand filter trees, in the same way alerts are filtered in the Alert Browser. You can rearrange column order by dragging column headings.
Chapter 5 Vulnerability Detection and Defense
For information on the Distribution Graph in the lower-right corner of the Vulnerability Browser, see Investigating Vulnerabilities with the Distribution Graph on page 159. The Information Pane to the left of the Distribution Graph contains the following information: A description of the vulnerability. This description is identical to the information in the Scan Data column for the selected vulnerability. Distribution Graph details. These details are the same as the yellow text that appears together with the Distribution Graph. To understand these details, see Investigating Vulnerabilities with the Distribution Graph on page 159.
3. Find a vulnerability with the desired constraining values in the Constraint fields, and click the last (right-most) of the constraining values. In the above example, find a vulnerability with Confidence=3, Risk Factor=High, and click its Risk Factor cell (the cell with High). The Distribution Graph immediately displays the desired distribution. In the above example, the Distribution Graph analyzes all the vulnerabilities with Confidence=3, Risk Factor=High, and displays the distribution of those vulnerabilities by Service Name. The largest section of the pie represents the services causing the most high-confidence, high-risk vulnerabilities.
Each section of the Distribution Graph pie represents one value of the Distribution Factor. The section representing the value in the selected vulnerability extends beyond the circumference of the circle. The number of vulnerabilities with each value appears on its section, near the circle center.
Above the graph itself is text describing the graph: the total number of vulnerabilities analyzed, the number of different values of the Distribution Factor, and the Constraints that determined which vulnerabilities were analyzed. This text also appears in the second part of the Information Pane.
Investigation Examples
The following examples describe some common security questions and methods for investigating them with the Distribution Graph.
Example 1
What services on the network are causing problems; and for these services, which vulnerabilities need to be fixed? Put columns in the following order: Confidence, Service Name, and CVE. Select a cell with 3 in the confidence column to activate the Distribution Graph by Service Name for definite (high-confidence) vulnerabilities. See which service has the largest section, and select a cell with that service name, in a vulnerability with Confidence of 3. The Distribution Graph will display the distribution of definite vulnerabilities for that service.
Example 2
Where are the high-risk security holes in the network? Put the columns in the following order: confidence, risk factor, severity, and IP address. Select a high severity cell in a row with a high risk factor and high confidence. The Distribution Graph will show which hosts have the most such vulnerabilities.
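The Distribution Graph rule (columns up to the clicked cell become Constraints, the next column to the right becomes the Distribution Factor) and the two investigations above can be run as code against a scan table. The following is an added example, not code from the IPS-1 guide or from Check Point; the scan rows are constructed, and the CVE values in them are placeholders rather than real CVE IDs.

```python
# Added example (not from the IPS-1 guide): the Distribution Graph rule and the
# two investigation examples, run over a constructed scan table. Selecting a cell
# turns the columns up to and including it into Constraints and the next column
# to the right into the Distribution Factor. CVE values are placeholders.
from collections import Counter

SCAN = [  # constructed rows; one row per (host, finding)
    {"Confidence": 3, "Risk Factor": "High", "Severity": "High",   "Service Name": "http", "CVE": "cve-a", "IP Address": "10.0.0.10"},
    {"Confidence": 3, "Risk Factor": "High", "Severity": "High",   "Service Name": "http", "CVE": "cve-b", "IP Address": "10.0.0.10"},
    {"Confidence": 3, "Risk Factor": "High", "Severity": "Medium", "Service Name": "smtp", "CVE": "cve-c", "IP Address": "10.0.0.11"},
    {"Confidence": 3, "Risk Factor": "Low",  "Severity": "Low",    "Service Name": "http", "CVE": "cve-d", "IP Address": "10.0.0.12"},
    {"Confidence": 1, "Risk Factor": "High", "Severity": "High",   "Service Name": "ftp",  "CVE": "cve-e", "IP Address": "10.0.0.13"},
    {"Confidence": 3, "Risk Factor": "High", "Severity": "High",   "Service Name": "http", "CVE": "cve-a", "IP Address": "10.0.0.14"},
]


def distribution(rows, columns, selected_row, selected_col):
    """Emulate clicking `selected_col` in `selected_row` with the given column order."""
    k = columns.index(selected_col)
    if k + 1 >= len(columns):
        raise ValueError("there is no column to the right of the selected one")
    constraints = {c: selected_row[c] for c in columns[:k + 1]}
    factor = columns[k + 1]
    matched = [r for r in rows if all(r[c] == v for c, v in constraints.items())]
    counts = Counter(r[factor] for r in matched)
    return {
        "constraints": constraints,            # the Constraints in the yellow text
        "factor": factor,                      # what the pie is sliced by
        "total": len(matched),                 # vulnerabilities analyzed
        "distinct": len(counts),               # number of pie sections
        "counts": dict(counts),                # the number shown on each section
        "highlighted": selected_row[factor],   # the section pulled out of the circle
    }


def largest_slice(dist):
    return max(dist["counts"].items(), key=lambda kv: kv[1])[0]


def example_1(rows):
    """Which service causes the most definite (Confidence 3) vulnerabilities, and
    which findings on that service need fixing."""
    columns = ["Confidence", "Service Name", "CVE"]
    anchor = next(r for r in rows if r["Confidence"] == 3)
    by_service = distribution(rows, columns, anchor, "Confidence")
    service = largest_slice(by_service)
    anchor = next(r for r in rows if r["Confidence"] == 3 and r["Service Name"] == service)
    return service, distribution(rows, columns, anchor, "Service Name")


def example_2(rows):
    """Which hosts carry the most high-confidence, high-risk, high-severity holes."""
    columns = ["Confidence", "Risk Factor", "Severity", "IP Address"]
    anchor = next(r for r in rows
                  if r["Confidence"] == 3 and r["Risk Factor"] == "High" and r["Severity"] == "High")
    return distribution(rows, columns, anchor, "Severity")


if __name__ == "__main__":
    service, by_cve = example_1(SCAN)
    print(service, by_cve["counts"])
    print(example_2(SCAN)["counts"])
```

Two details the model makes visible: the constraint is taken from the row you click, so clicking a Confidence cell that holds 1 instead of 3 silently changes the question being asked; and because every row counts once, a host with two findings against the same service is counted twice in the host distribution, which is the intended behaviour for "where are the holes" but not for "how many hosts are affected".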
Note - This is an advanced feature most users will not need. Usually, the Vulnerability Correlator should not be edited.
To edit the Vulnerability Correlator:
1. From the Management menu, select Correlators.
2. Select the vulnerability correlator, and click Edit.
3. To completely disable vulnerability correlation, in the Description tab, select No.
4. In the Vulnerability Correlator tab, you can disable vulnerability correlation for a Sensor or for an alert by clearing its checkbox. To disable an alert only for a particular Sensor, expand the tree for the alert, and under the alert clear the Sensor.
5. Click OK.
Overview
The information in the IPS-1 database can be used to create reports with Crystal Reports XI from Business Objects. Check Point provides an assortment of pre-defined report templates. You can use these report templates as they are or modify them to suit your needs. These report templates, along with the MySQL ODBC drivers, are on your IPS-1 Management CD-ROM.
Setting up Reports
Follow the instructions below to create an ODBC data source for reports. Before starting:
Obtain and install Crystal Reports XI: Professional, Developer, or Advanced edition. These are the only editions supported for creating an IPS-1 report.
Make sure that the Alerts Concentrator is running.
   rep_useradd <name>
   where <name> is the desired username.
   c. At the prompts, type and retype a password.
2. On the computer on which Crystal Reports is installed, install MyODBC-commercial-3.51.12-win32.msi from the IPS-1 CD (under windows\CPipsClient\odbc). The MyODBC Setup wizard starts. Follow the instructions to complete installation.
3. Go to Start > Control Panel > Administrative Tools > Data Sources (ODBC).
4. In the System DSN (or File DSN) tab, click Add.
5. From the driver list, select MySQL ODBC 3.51 Driver. Click Finish. The Connector/ODBC Add Data Source window appears:
Chapter 6
6. In the Connect Options tab, type the following information:
   Port: 55555
7. In the Login tab, type the following information:
   Data Source Name: (example: IPS-1DS)
   Description: (optional)
   Server: resolvable hostname or IP address of the IPS-1 Management Server
   User: the username created in step 1.
   Password: the password for the above username.
   Database: the name of the IPS-1 database, usually: esdb
8. Click Test to make sure you can properly connect to the data source. If configuration is successful, a message appears telling you so. Click OK.
A System DSN with a saved password is usable by every account on that workstation, so use the report user created with rep_useradd rather than a more privileged database account, and treat the network path from the reporting workstation to port 55555 on the Management Server as you would any other database connection.
Generating a Report
1. The Reports folder from the IPS-1 CD is copied into the Alerts Concentrator's installation directory during installation. You can access the Crystal 11 report templates from there, or on the CD, under windows\CPipsClient\reports.
2. Double-click a report filename to launch Crystal Reports v11.
3. From the menu bar, select Database > Set Datasource Location. The Set Datasource Location window appears.
4. In the bottom panel of the window, expand Create New Connection > ODBC (RDO). The ODBC (RDO) window appears.
5. Select the data source you created in the previous section (in the example: IPS-1DS), and click Next. If prompted, enter the database username and password. Click Finish.
6. In the top panel of the Set Datasource Location window, select the database icon. In the bottom panel, select the one you created (in the example: IPS-1DS). Click Update. The datasource location in the top panel now reflects your database server:
Some report templates may contain sub-report templates. For example, the Alert List report contains sub-reports. When you set the datasource location to generate the report, you must also make sure the sub-report's Current Data Source is updated.
The Enter Values window appears. Available fields depend on the selected report. 9. Enter values, and click OK. The report appears.
You can now exit or save your report. Note that saving the report will retain your datasource location configurations. If you choose not to save the report, you will have to set your datasource next time the report is opened. To view a sub-report, click its link.
Figure 6-3
Report: Description
Alert Details: Generates details about an alert or alerts
Alert List: Generates a list of alerts
Alerts by Date: Generates alerts by date
Alerts by Day of the Week: Generates alerts by day of the week
Alerts by Hour: Generates alerts by hour
Alerts by Month: Generates alerts by month
Alerts by Package: Generates alerts by package
Alerts by Package by Sensor: Generates alerts by Protocol and IPS-1 Sensor
Alerts by Priority: Generates alerts by priority
Alerts by Year: Generates alerts by year
Bottom Alerts: Generates bottom n alerts
Bottom Alert Sources: Generates bottom n alert sources
Bottom Destination IPs: Generates bottom n destination IPs
Bottom Destination Ports: Generates bottom n destination ports
Bottom Packages: Generates bottom n Protocols
Bottom Sensors: Generates bottom n Sensors
Bottom Source IPs: Generates bottom n source IPs
Bottom Source Ports: Generates bottom n source ports
Bottom Source Hosts: Generates bottom n source hosts
Bottom Vulnerable Hosts: Generates bottom n vulnerable hosts
Generic Cover Page Report: Generates a generic report cover
ICMP Alerts: Generates ICMP alerts
Security Summary Reports: Generates summary reports
Services by Priority: Generates services by priority
TCP Alerts: Generates TCP alerts
TOP Alerts: Generates top n alerts
TOP Alert Sources: Generates top n alert sources
Top Destination IPs: Generates top n destination IPs
Top Destination Ports: Generates top n destination ports
Top Packages: Generates top n packages
Top Sensors: Generates top n Sensors
Top Source IPs: Generates top n source IPs
Top Source Ports: Generates top n source ports
Top Vulnerable Host: Generates top n vulnerable hosts
UDP Alerts: Generates UDP alerts
Vulnerability by Host: Generates vulnerabilities by host
Vulnerability by Severity: Generates vulnerabilities by severity
Introduction
Eventia Analyzer can process IPS-1 Management Server alerts by parsing, normalizing and extracting the relevant log fields from syslog messages generated by the IPS-1 Management Server. Adding IPS-1 support to Eventia Analyzer requires changes on both the Eventia Analyzer server and the IPS-1 Management Server.
On the Eventia Analyzer server, IPS-1 support is enabled through a dynamic update. Eventia Analyzer server (R63 and up) can download new and modified events and parsing-definition updates from the Check Point User Center. Support for IPS-1 was first included in dynamic update revision 3 of the event and parsing definitions. Dynamic updates are cumulative, so an Eventia Analyzer server updated to revision 3 or later includes the IPS-1 support.
On the IPS-1 Management Server, a manual process is required. It includes a Perl script that is downloaded and stored on the IPS-1 Management Server.
3. Grant the Eventia1 user execute permissions using the following command:
Note - Perform a Dynamic Update only on Eventia Analyzer servers whose Event Policy and parsing definitions predate the revision 3 update:
1. Open Eventia Analyzer SmartConsole.
2. Select Dynamic Update from the Actions menu. The Check Point User Center login window appears.
3. Enter your User Center username and password and click OK. The Dialog window opens.
4. From the Available Updates list, select Update Parsing Definitions.
Note - Updating the Event Policy is not required for IPS-1 integration.
5. Click Update Now. The relevant files are retrieved from the User Center and IPS-1 parsing files are updated in Eventia Analyzer and all Log Servers installed on Eventia components. 6. Install Policy.
Note - Undo last policy update applies to Policy Updates only and not to all updates.
If logs are being sent, tcpdump can be used for troubleshooting using the command /usr/sbin/tcpdump.
Chapter 7
Overview
The IPS-1 Management Server can be backed up by exporting its data into Java Archive (.jar) files. The data can then be restored or migrated by importing the .jar files into the same or a new IPS-1 Management Server. The export and import tools are provided in the IPS-1 Management Dashboard.
Note - The exported data does not include Alert Details and raw packets, which are stored only on the Alerts Concentrator.
Three types of data can be exported:
Alerts
Policy Settings
Vulnerability Data
Each type requires a separate .jar file. For a complete backup or migration, create all three. You can choose to export the alerts from a particular time frame. This is useful if you want to do periodic backups.
In This Section
Exporting Data using the Dashboard (page 182)
Exporting Data using the Command Line (page 182)
Migrating Data using the Command Line (page 184)
2. Set a name for the .jar file, and whether to overwrite an existing file.
3. Select the data type to export.
4. If you are exporting Alerts, define the time frame for the alerts to be exported.
5. Click OK. The .jar file is created on the IPS-1 Management Server in:
/opt/CPips1-R65/ips1server/server/default/data/archive
3. Change to the ips1 user: "su - ips1"
4. Export Policy settings using the following command:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u [db_user] -w [db_password] -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/[file_name] -j /opt/CPips1-R65/ips1server
For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/CPips1-R65/ips1server
5. Export Vulnerability Data using the same command with -v appended to the end and with a different target filename. For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/CPips1-R65/ips1server -v
6. Export Alerts using the same command with -a appended to the end and with a different target filename. Alerts from a specific time period can be imported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to only import the alerts from the last 24 hours. For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/CPips1-R65/ips1server -a -t 01012008 01022008
7. Start the IPS-1 Management Server. To schedule backups, include the commands above in a shell script and use crond to invoke the script on a periodic basis.
java -jar ips1server/server/default/lib/upgradetools.jar -m -u [old_db_user] -w [old_db_password] -h [old_db_host IP] -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/[new_dest_file_name.jar] -j /opt/CPips1-R65/ips1server
For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/CPips1-R65/ips1server
5. Export Vulnerability Data using the same command with -v appended to the end and with a different target filename. For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/CPips1-R65/ips1server -v
6. Export Alerts using the same command with -a appended to the end and with a different target filename. Alerts from a specific time period can be imported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to only import the alerts from the last 24 hours.
For example:
java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/CPips1-R65/ips1server -a -t 01012008 01022008
7. Start the IPS-1 Management Server on the target machine and continue with Importing IPS-1 Management Server Data.
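The scheduled-backup advice in step 7 of the export procedure ("include the commands above in a shell script and use crond") and the migration export above use the same upgradetools.jar command lines with only the -h host and the -f file name changing. The following script is an added example and is not part of the Check Point guide or the IPS-1 product: it assembles the three export commands exactly as the guide shows them, with DB_HOST=localhost for a periodic backup and DB_HOST set to the old server's IP (192.168.2.3 in the guide's example) for a migration. The variable names, the DRY_RUN switch, the timestamped file names and the date arithmetic for the 24-hour alert window are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Check Point IPS-1 guide): cron wrapper around the
# upgradetools.jar exports. Option letters, paths and port are the guide's;
# everything else here is an assumption of this example.

IPS1_HOME="${IPS1_HOME:-/opt/CPips1-R65/ips1server}"
ARCHIVE_DIR="$IPS1_HOME/server/default/data/archive"
DB_USER="${DB_USER:-ips1dbuser}"
DB_HOST="${DB_HOST:-localhost}"   # old_db_host IP when exporting for a migration
DB_PASSWORD="${DB_PASSWORD:-}"    # supply from a root-only environment file, not the crontab
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands; 0 = run them as the ips1 user

# -t window in mmddyyyy: yesterday to today, the 24 hours the guide recommends.
# GNU date is assumed; set ALERT_START/ALERT_END explicitly on other platforms.
alert_window() {
    start="${ALERT_START:-$(date -u -d '1 day ago' +%m%d%Y 2>/dev/null)}"
    end="${ALERT_END:-$(date -u +%m%d%Y)}"
    printf '%s %s' "$start" "$end"
}

# export_cmd TYPE FILE [START END]
# Prints the command line for one export; TYPE is policy, vulnerability or alerts.
# The relative jar path matches the guide, so the command must run from /opt/CPips1-R65.
export_cmd() {
    type="$1"; file="$2"; start="$3"; end="$4"
    cmd="java -jar ips1server/server/default/lib/upgradetools.jar -m -u $DB_USER -w $DB_PASSWORD -h $DB_HOST -p 55555 -d esdb -f $ARCHIVE_DIR/$file -j $IPS1_HOME"
    case "$type" in
        policy)        ;;
        vulnerability) cmd="$cmd -v" ;;
        alerts)        cmd="$cmd -a -t $start $end" ;;
        *) echo "unknown export type: $type" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}

# Run (or print) the three exports in the guide's order. The server must already be
# stopped (export step 2) and is started again afterwards by the caller (step 7).
run_backup() {
    window=$(alert_window)
    start=${window% *}; end=${window#* }
    stamp=$(date -u +%Y%m%d)
    for spec in "policy policy_archive_$stamp.jar" \
                "vulnerability vulnerability_archive_$stamp.jar" \
                "alerts alerts_archive_$stamp.jar"; do
        type=${spec% *}; file=${spec#* }
        cmd=$(export_cmd "$type" "$file" "$start" "$end") || return 1
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            # Run from the product root as the ips1 user, as the guide's steps 3 and 4 do.
            su - ips1 -c "cd ${IPS1_HOME%/*} && $cmd" || return 1
        fi
    done
}

# Only act when invoked as a script (e.g. from root's crontab), not when sourced.
case "$0" in
    *ips1_backup.sh) run_backup ;;
esac
```

Save the file as ips1_backup.sh, keep it and the archive directory readable only by root and ips1 (the database password is passed on the command line, as in the guide, so it is visible in the process list while the export runs), and have crond run it with DRY_RUN=0 after stopping the IPS-1 Management Server. Running it with the default DRY_RUN=1 prints the three command lines so they can be compared against the guide before anything is executed.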
/opt/CPips1-R65/ips1server/server/default/data/archive
2. From the Policy Manager's Policy Manager menu, select Import. The Database Import window appears:
3. Select a .jar file. Import the Policy Settings, the Vulnerability Data and the Alerts, in that order.
4. Click OK.