
IPS-1

Administration Guide Version NGX R65.1

March 8, 2009

© 2003-2009 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks. For third-party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Contents

Preface
  About this Guide (page 10)
  Who Should Use This Guide (page 11)
  Summary of Contents (page 12)
  Related Documentation (page 13)
  More Information (page 14)
  Feedback (page 15)

Chapter 1, IPS-1 Overview
  IPS-1 Key Benefits (page 18)
  IPS-1 System Architecture (page 19)
  IPS-1 Deployment (page 21)
  Working in the IPS-1 Management Dashboard (page 22)
    Logging into the IPS-1 Management Server with the IPS-1 Dashboard (page 22)
    Navigating the IPS-1 Management Dashboard Windows (page 23)
    The IPS-1 Management Dashboard Menus (page 24)
    The IPS-1 Management Dashboard Toolbar (page 25)

Chapter 2, Managing the IPS-1 System
  Overview (page 28)
  System Messages (page 28)
  Installing Policies (page 29)
  Adding an Alerts Concentrator to the System (page 31)
  Adding an IPS-1 Sensor to the Management Server (page 33)
  User Accounts (page 35)
    User Accounts Overview (page 35)
    Managing User Accounts (page 35)
    Changing the Password (page 36)
    Unlocking a User Account (page 36)
  Licensing (page 38)
    Overview (page 38)
    Viewing License Summary (page 38)
    Adding a License (page 39)
  Maintaining Database Size (page 41)
    Space Management Overview (page 41)
    Configuring Space Management (page 42)
    Reclaiming Database Space (page 43)
  Alerts Concentrator High Availability (page 45)
  Managing the IPS-1 Sensor (page 47)
    Connecting to the IPS-1 Sensor (page 47)
    IPS-1 Sensor Modes (page 47)
    Configuring Other Sensor Definitions (page 50)
    Shutting Down or Restarting the IPS-1 Sensor (page 52)
    Deleting Backlogged Sensor Data (page 53)
    Resolving IPS-1 Sensor Communications Issues (page 53)
  Starting and Stopping the IPS-1 Servers (page 56)
  Uninstalling the IPS-1 Servers (page 57)
  Viewing System Status Information (page 58)
    System Status in the IPS-1 Management Dashboard (page 58)
    Viewing Sensor History (page 61)
    Viewing the IPS-1 Status Monitor (page 62)

Chapter 3, Managing Attack Detection and Prevention
  Overview (page 66)
  Updating Attack Signatures (page 67)
    Configuring Automatic Attack Signature Updates (page 67)
    Manually Updating Attack Signatures (page 70)
  Avoiding False Positives (page 73)
  Managing Protections (page 74)
    Overview (page 74)
    Managing Protection Profiles (page 75)
    Configuring Protections (page 77)
    Viewing and Copying Comprehensive Protection Settings (page 85)
    Exempting Hosts from Inspection or Prevention (page 87)
  System-Wide Attack Correlation (page 89)
    Correlators Overview (page 89)
    Defining Correlators (page 90)
  Firewall-Style Access Control (page 104)
    IPS-1 Firewall GUI (page 104)
    Policy Settings (page 105)

Chapter 4, Alert Monitoring and Analysis
  Overview (page 108)
  The Alert Browser and History Browser (page 109)
    The Alert Browser Window (page 110)
    Working in the Alert Browser (page 113)
    Viewing History Browser Snapshots (page 125)
  Alert Management Tools (page 127)
    Viewing Alert Details (page 127)
    Packet Capture and Viewing (page 129)
    Using Alerts to Modify Protection Settings (page 130)
    Holding an Alert (page 131)
    Marking Alerts as Read (page 131)
    Annotating Alerts (page 132)
  The Timeline Window (page 134)
    Overview (page 134)
    Opening the Timeline Window (page 135)
    Creating the Default Timeline Set (page 136)
    Configuring Timelines and Views (page 138)
    Viewing Detailed Alerts from a Timeline Window (page 139)
  Creating Alert Graphs (page 140)
    Overview (page 140)
    Creating an Activity Level Graph (page 140)
    Creating Pick Graphs (page 142)
    Creating a Top n Graph (page 144)
    Saving Graphs (page 146)
    Printing a Graph (page 146)
  Customizing Alerts (page 147)
    Overview (page 147)
    Configuring Actions (page 147)
    Applying Actions to Alerts (page 150)
    Changing an Alert's Displayed Priority (page 151)

Chapter 5, Vulnerability Detection and Defense
  Overview (page 154)
  Installing Network Vulnerability Data, and Dynamic Shielding (page 155)
  Viewing Vulnerabilities (page 156)
  Investigating Vulnerabilities with the Distribution Graph (page 159)
    Distribution Graph Overview (page 159)
    Configuring the Distribution Graph (page 159)
    Investigation Examples (page 160)
  Viewing Compromise Risk in the Alert Browser (page 162)
  Disabling Vulnerability Correlation (page 163)

Chapter 6, Data Analysis with External Tools
  Overview (page 166)
  Setting up Reports (page 167)
    Creating an ODBC Data Source (page 167)
  Generating a Report (page 169)
  Report Template List (page 173)
  Integration with Eventia Analyzer (page 175)
    Introduction (page 175)
    Integrating with Eventia Analyzer (page 175)

Chapter 7, Backup and Migration
  Overview (page 180)
  Exporting IPS-1 Management Server Data (page 181)
    Exporting Data using the Dashboard (page 182)
    Exporting Data using the Command Line (page 182)
    Migrating Data using the Command Line (page 184)
  Importing IPS-1 Management Server Data (page 185)

Preface

In This Chapter
  About this Guide (page 10)
  Who Should Use This Guide (page 11)
  Summary of Contents (page 12)
  Related Documentation (page 13)
  More Information (page 14)
  Feedback (page 15)

About this Guide


The IPS-1 Administration Guide is a guide to configuring and using the IPS-1 system. For deployment, installation and initial configuration instructions, see the Check Point Installation and Upgrade Guide.


Who Should Use This Guide


This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
  System and network administration
  Server operating systems


Summary of Contents

This guide contains the following chapters:

Chapter 1, IPS-1 Overview: IPS-1 deployment components and an introduction to the IPS-1 Management Dashboard.
Chapter 2, Managing the IPS-1 System: Configuration tasks, user accounts, licensing, database maintenance, and system administration.
Chapter 3, Managing Attack Detection and Prevention: Updating attack signatures and managing protections.
Chapter 4, Alert Monitoring and Analysis: The IPS-1 Management Dashboard windows and tools for alert monitoring and analysis.
Chapter 5, Vulnerability Detection and Defense: Network vulnerability detection and analysis.
Chapter 6, Data Analysis with External Tools: Creating reports with Crystal Reports 11 from Business Objects.
Chapter 7, Backup and Migration: IPS-1 Management Server data backup and migration.


Related Documentation

IPS-1 information can be found in the following documents:
  IPS-1 Release Notes
  Check Point Installation and Upgrade Guide
  IPS-1 Administration Guide (this document)
  Customizing IPS-1 Protections (advanced)


More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com. To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.


Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com


Chapter 1, IPS-1 Overview

In This Chapter
  IPS-1 Key Benefits (page 18)
  IPS-1 System Architecture (page 19)
  IPS-1 Deployment (page 21)
  Working in the IPS-1 Management Dashboard (page 22)


IPS-1 Key Benefits


The IPS-1 Intrusion Prevention System provides accurate, high performance protection against known and unknown attacks. You can customize its features to suit your organization's particular needs. IPS-1 offers many benefits:

Trusted Intrusion Prevention
  Smart intrusion detection
  Customizable intrusion prevention
  Customizable Confidence Indexing
  Customizable attack signatures
  Automatic attack signature updates

IPS Simplified
  Quick deployment
  Flexible deployment modes
  Minimal-impact design
  Centralized, scalable management
  Customizable desktop GUI with real-time information and management

Dynamic Shielding
  Presents network intelligence including OS and application information, CVE vulnerabilities, and impact and remediation details. Determines anomalous behavior, reduces false positives, and recognizes and dynamically shields vulnerable hosts against inevitable attacks.


IPS-1 System Architecture


An IPS-1 deployment includes the following components:

IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.

Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.

IPS-1 Management Server: The central management server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.

IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Management Dashboard includes a number of independent, interlinked windows, primarily:
  Policy Manager, for configuring protections and managing the entire IPS-1 system.
  Alert Browser, for viewing, tracking, and analyzing real-time alerts.

There are two deployment configurations for IPS-1:

Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer. For this type of deployment, select IPS-1 Management Server (all components) during the installation.

Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers. For this type of deployment, select IPS-1 Management Server (without Alerts Concentrator) during the installation.

The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Installation and Upgrade Guide Version R70.


The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:
Figure 1-1 The IPS-1 System


IPS-1 Deployment

For placement and topology considerations for IPS-1 Sensors and for the management components, and for information on setting up the deployment, see the Check Point Installation and Upgrade Guide. For information on subsequent configuration of the various IPS-1 system components, see Managing the IPS-1 System on page 27 in this document.


Working in the IPS-1 Management Dashboard

In This Section
  Logging into the IPS-1 Management Server with the IPS-1 Dashboard (page 22)
  Navigating the IPS-1 Management Dashboard Windows (page 23)
  The IPS-1 Management Dashboard Menus (page 24)
  The IPS-1 Management Dashboard Toolbar (page 25)

Logging into the IPS-1 Management Server with the IPS-1 Dashboard
To log into the IPS-1 Management Server with the IPS-1 Management Dashboard:

1. Make sure the IPS-1 Server (or Alerts Concentrator) processes are running:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run:

/etc/init.d/ips1 start

2. On the client computer, start the IPS-1 Management Dashboard. A login window appears:

3. Type your username and password, and specify the IPS-1 Server's IP address or resolvable hostname. By default, the port number is 8443.


Note - The default username is admin. When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.

4. If you are connecting to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server's connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.

Navigating the IPS-1 Management Dashboard Windows


IPS-1 Management Dashboard windows can be accessed by clicking one of the icons in the upper-right corner of the Management Dashboard. The windows can also be accessed from the File and Management menus. The IPS-1 Management Dashboard includes the following main windows:

Policy Manager: System, protection, and alert management. To access Policy Manager from any other IPS-1 Management Dashboard window, from the Management menu, select Policy. Some parts of Policy Manager (especially in the System Settings tab) appear only when Advanced Settings are enabled. To enable Advanced Settings, from Policy Manager's Policy Manager menu, point to Advanced, and select Show Advanced Settings. Details of the tasks performed in Policy Manager can be found in Managing the IPS-1 System on page 27, in Managing Attack Detection and Prevention on page 65, and in other chapters.

Alert Browser, and other windows for alert monitoring and analysis: Any of the alert monitoring and analysis windows can be accessed from the File menu or toolbar of any IPS-1 Management Dashboard window. These windows are highly user-configurable. Details of the tasks performed in these windows can be found in Alert Monitoring and Analysis on page 107, and in other chapters.

Vulnerability Browser: Network risk assessment and analysis. The Vulnerability Browser can be accessed from the File menu of any IPS-1 Management Dashboard window, or from the Alert Browser toolbar. For details, see Vulnerability Detection and Defense on page 153.


The IPS-1 Management Dashboard Menus


The menus for all main Dashboard windows are the same, except for the third menu, which bears the same name as the window. For example, Policy Manager's Policy Manager menu contains commands unique to Policy Manager.

The File menu contains the following commands:

Commands for launching new windows:
  New Alert Browser
  New History Browser
  New Timeline
  New Graph
  New Vulnerability Browser

Commands for managing window views:
  Open View
  Delete View
  Save View
  Save View As
Window views include all customization settings, and are saved on the IPS-1 Management Server. For details, see Saving Customized Views on page 124.

Close: Closes the current window.
Exit Application: Closes all IPS-1 Management Dashboard windows.

The Tools menu contains the following commands:

System Status: Displays in a single window the activity and communication status of the Alerts Concentrators and Sensors. For details, see System Status in the IPS-1 Management Dashboard on page 58.
User Preferences: Settings for using Reverse DNS lookup to display hostnames in Alert Details, and for viewing packet captures in a third-party application. For details, see Viewing Alert Details on page 127 and Packet Capture and Viewing on page 129.
Change Password: Lets the logged-in user change their own password. For details, see Changing the Password on page 36.


The context-dependent menu contains commands relevant to each specific window (Alert Browser, History Browser, Policy Manager, etc.), and its name changes according to the window which is open.

The Windows menu contains a listing of the open IPS-1 windows. This menu does not appear in the Alert Browser which is opened after the initial login.

The Management menu contains the following commands:

Correlators: Opens the Correlators window. Correlators generate alerts based on other alerts, from multiple connections and across all IPS-1 Sensors. For details, see System-Wide Attack Correlation on page 89.
Users: Manage user accounts. For details, see User Accounts on page 35.
Policy: Opens Policy Manager.
Space Management: Opens the Space Management window, for maintaining database size. For details, see Maintaining Database Size on page 41.

The About menu contains the About command: Displays IPS-1 Management Dashboard information.

The IPS-1 Management Dashboard Toolbar


On the left end of the toolbar, the Alert Browser and History Browser windows have buttons unique to the Alert Browser and History Browser. For details on these buttons, see Toolbar Buttons on page 112. On the right end of the toolbar, all the main Management Dashboard windows have the same buttons. These are:

Table 1-1 Common toolbar buttons (the button icons are not reproduced here)

  Opens an Alert Browser window. See The Alert Browser and History Browser on page 109.
  Allows you to view alert activity in graph form. See Creating Alert Graphs on page 140.
  Plots alert activity on timelines. See The Timeline Window on page 134.
  Opens the Vulnerability Browser. See Vulnerability Detection and Defense on page 153.
  Opens Policy Manager.
  Displays the status of all IPS-1 Alerts Concentrators and IPS-1 Sensors. See System Status in the IPS-1 Management Dashboard on page 58.


Chapter 2, Managing the IPS-1 System

In This Chapter
  Overview (page 28)
  System Messages (page 28)
  Installing Policies (page 29)
  Adding an Alerts Concentrator to the System (page 31)
  Adding an IPS-1 Sensor to the Management Server (page 33)
  User Accounts (page 35)
  Licensing (page 38)
  Maintaining Database Size (page 41)
  Alerts Concentrator High Availability (page 45)
  Managing the IPS-1 Sensor (page 47)
  Starting and Stopping the IPS-1 Servers (page 56)
  Uninstalling the IPS-1 Servers (page 57)
  Viewing System Status Information (page 58)


Overview
This chapter describes configuration of an already installed and initially configured IPS-1 system. For information on installing and initially configuring the IPS-1 system, see the Check Point Installation and Upgrade Guide.

System Messages
IPS-1 System Messages report required and recommended management tasks. To view the System Messages:
1. Open the Policy Manager.
2. Select the System Settings tab.
3. In the left-hand navigation tree, select System Messages.

Installing Policies
Many of the management tasks in this chapter, and the protection management tasks in the next chapter, are performed in Policy Manager. In general, changes made in Policy Manager are not saved to the IPS-1 Management Server or transmitted to other IPS-1 system components until you Install Policy.

To install a Policy:
1. In Policy Manager, from the File menu, select Install Policy. Or, click Install Policy:


The Install Policy window appears:

2. Select the Alerts Concentrator(s).
3. In most cases, select Install Policy on Sensors (at the bottom of the window) and select all Sensors (in the upper part of the window). The Install Policy on Sensors checkbox is selected automatically when changes have been made that require the Sensors to be updated.

Note - If you leave any Alerts Concentrators or Sensors not selected, they will be excluded from subsequent automatic attack signature updates.

4. Click OK. Policy Manager changes to read-only while Policy is installed.

Adding an Alerts Concentrator to the System


To add an Alerts Concentrator to the IPS-1 System, first install and set up the Alerts Concentrator. For details, see the Check Point Installation and Upgrade Guide. To then add the Alerts Concentrator to the IPS-1 system, in Policy Manager's Sensors and Concentrators tab, right-click in the left-hand navigation tree, and select New Alerts Concentrator:

The New Alerts Concentrator window appears:


Configure the Alerts Concentrator settings as follows:

1. In the Host field, type the Alerts Concentrator's IP address or resolvable hostname.

Note - Entering the Alerts Concentrator's IP address is preferred, to better protect against DNS spoofing.

2. Type and confirm the activation key that you specified during the Alerts Concentrator installation. To reset the Activation Key on the Alerts Concentrator:
   a. Log in to the Alerts Concentrator.
   b. Switch to the ips1 user using the su - ips1 command. In SecurePlatform, this must be done from expert mode.
   c. Run the set_activation_key command to set the activation key.
3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy's connection and authentication information.
4. Make sure Receive Alerts is On.
5. If this Alerts Concentrator, or the IPS-1 Server's communication with it, might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server then first attempts to retrieve the Help Text from another Alerts Concentrator.
6. Click OK. The Alerts Concentrator is added.

Adding an IPS-1 Sensor to the Management Server


Before adding an IPS-1 Sensor to the IPS-1 Management Server, the Sensor must first be installed and configured as described in the Check Point Installation and Upgrade Guide. In Policy Manager, add the Sensor to the IPS-1 system, as follows:

1. In Policy Manager's Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor. The Add New Sensor window appears:

2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor's IP address or resolvable Hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor's Management Menu. To reset the Activation Key on an IPS-1 Sensor, run the cpconfig command. To reset the Activation Key on an IPS-1 Power Sensor, log in as the nfr user.


5. Click Next.
6. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values, and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types. If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press Enter. When all of your network addresses are listed in the Selected Host Types, click Next.
7. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values, and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types. If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter. When all of your broadcast addresses are listed in the Selected Host Types, click Next.
8. Click New to assign descriptive names to your interfaces. The Edit Interface Description window appears:

Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.

9. Once you have finished modifying the names of the interfaces, click Finish to add the new Sensor to the Alerts Concentrator.
10. To apply the changes, click Install Policy.


User Accounts
In This Section
User Accounts Overview ........ page 35
Managing User Accounts ........ page 35
Changing the Password ........ page 36
Unlocking a User Account ........ page 36

User Accounts Overview


Two kinds of users, with different permission levels, can log into the IPS-1 Management Server with the IPS-1 Management Dashboard, and use or manage the IPS-1 system:

Administrator - full permissions.

Normal - specific, configurable permissions. These permissions are defined during the creation of the user account or subsequently by editing the user account.

One Administrator account is defined during IPS-1 Management Server installation. Additional users of both kinds can be added from the IPS-1 Management Dashboard. User accounts can be created and managed by Administrators, or by Normal Users who have been given the Edit User permission. The Edit User permission can be limited to managing specific users. A user can never give permissions greater than his own.
Note - Sensors for which a Normal user does not have permissions will not appear in Policy Manager, the Alert Browser, Timeline windows, System Status, etc. However, the graphs window (which displays raw counts of alerts) may still include counts of alerts from these IPS-1 Sensors. Also, these application-level settings are irrelevant to any third-party tool which directly accesses the database, such as Crystal Reports.

Managing User Accounts


To create or edit a user account:

1. From the Alert Browser's or Policy Manager's Management menu, select Users.


The Manage Users window appears:

2. Click New, or select an existing user and click Edit.

3. Type or verify the User Information, including:
The number of Connect Retries before a user submitting invalid authentication information is locked out.
The user Role - Administrator or Normal (see above).

4. For a Normal user account, configure the User Permissions. Hover over the rows to see their descriptions below.

5. Click OK. The user account is configured. The user can now change his password, as explained in the following section.

Changing the Password


After a user account is created, the user can change his password as follows:

1. From the Tools menu, select Change Password.

2. Type the current password, and type and confirm a new password.

3. Click OK.

Unlocking a User Account


If a user submits invalid authentication information more than the number of Connect Retries defined for his user account, he will be locked out. The account can be unlocked in one of two ways:


An Administrator can unlock the locked user's account, as follows:

1. From the Alert Browser's or Policy Manager's Management menu, select Users. The Manage Users window appears.

2. Select the locked out user account, and click Unlock Account.

If a sole Administrator's account is locked out, the account must be unlocked directly from the IPS-1 Management Server's command line, as follows:

1. Run:

cd /opt/CPips1-R65/ips1server/bin
set_ips1_passwd.sh <username>

where <username> is the user name of the account to be unlocked.

2. Type and confirm a new password.


Licensing
In This Section
Overview ........ page 38
Viewing License Summary ........ page 38
Adding a License ........ page 39

Overview
The IPS-1 system requires three types of licenses, all of which can be obtained from Check Point's User Center:

An IPS-1 Management Server license to manage a specified maximum number of IPS-1 Sensors. This license automatically licenses an Alerts Concentrator in a Combined installation. Separate Alerts Concentrators are not included.

An Alerts Concentrator license for Alerts Concentrators not combined with the IPS-1 Management Server.

IPS-1 Sensor licenses for each IPS-1 Sensor of a specified Sensor type. Sensor types are defined for licensing purposes according to hardware model numbers of Check Point preinstalled appliances.

Note that adding Sensors to a system, besides requiring additional Sensor licenses, may affect the required type of IPS-1 Management Server license. All three kinds of licenses are stored on the IPS-1 Management Server and must be generated specifically for the IPS-1 Management Server's IP address. The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Management Dashboard will function only in Demo mode.

Viewing License Summary


To view a summary of existing and missing licenses in an IPS-1 system:

1. From Policy Manager's Policy Manager menu, select Licenses.


2. In the left-hand license list, select Licenses.

Adding a License
To access the License Manager, from Policy Manager's Policy Manager menu, select Licenses. The License Manager appears.


To add a license:

1. Copy your license string, obtained from Check Point's User Center, to the clipboard. A license string will include the following:

cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx

2. In the License Manager, click Add.

3. Populate the fields by clicking Paste License. Click OK. The added license appears in the license list.
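As an added illustration (not Check Point's code), the following script parses a license string of the shape shown in step 1 and flags the two problems the Licensing overview warns about: a license generated for a different IP address than the IPS-1 Management Server's, and an expired license. The field order and the 1Jan2001 date format are taken from the sample above; treating the trailing token as opaque is an assumption.

```python
"""Added example, not Check Point's code: sanity-check an IPS-1 license string
of the shape shown in step 1 before pasting it into the License Manager."""
from datetime import date, datetime
import ipaddress
import re

# Field order as in this guide's sample string: IP address, expiry date, signature,
# SKU, trailing token. Treating the trailing token as opaque is an assumption.
_LICENSE_RE = re.compile(
    r"^cplic putlic\s+(?P<ip>\S+)\s+(?P<expiry>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<sku>\S+)\s+(?P<tail>\S+)\s*$"
)


def parse_license(text: str) -> dict:
    """Split a 'cplic putlic ...' string into its fields; ValueError on a bad shape."""
    m = _LICENSE_RE.match(text.strip())
    if m is None:
        raise ValueError("not a cplic putlic license string")
    fields = m.groupdict()
    # ipaddress rejects placeholders such as x.x.x.x with a ValueError.
    fields["ip"] = str(ipaddress.ip_address(fields["ip"]))
    # The sample expiry 1Jan2001 is day, abbreviated month, year.
    fields["expiry"] = datetime.strptime(fields["expiry"], "%d%b%Y").date()
    return fields


def license_problems(text: str, server_ip: str, today_iso: str) -> list:
    """Return the reasons this license would not work on the given Management
    Server (an empty list means no problem was found)."""
    try:
        lic = parse_license(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    # Licenses are generated for the IPS-1 Management Server's own IP address.
    if lic["ip"] != str(ipaddress.ip_address(server_ip)):
        problems.append(f"license is bound to {lic['ip']}, not to {server_ip}")
    if lic["expiry"] < date.fromisoformat(today_iso):
        problems.append(f"license expired on {lic['expiry'].isoformat()}")
    return problems


# Constructed sample with the guide's field layout; not a real license.
SAMPLE = ("cplic putlic 192.0.2.10 1Jan2001 "
          "aaaaaaaaa-bbbbbbbbb-ccccccccc-ddddddddd CPMP-IPS-5-NGX 00-00000000000")

if __name__ == "__main__":
    for problem in license_problems(SAMPLE, "192.0.2.10", "2009-03-08"):
        print("problem:", problem)
```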


Maintaining Database Size


The IPS-1 Management Server and Alerts Concentrators store and accumulate large quantities of alert data in MySQL databases. To maintain performance, the database must be efficiently configured and maintained.

In This Section
Space Management Overview ........ page 41
Configuring Space Management ........ page 42
Reclaiming Database Space ........ page 43

Space Management Overview


The IPS-1 Management Server and Alerts Concentrator databases hold event and alert data generated by IPS-1. As with any system, the amount of space available for data storage is limited. The Space Management tool enables maintaining as much useful information as possible without exceeding disk storage limits.

For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product. For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5 Gbps, and you want to maintain six months of back alerts, the database should be 12-15 GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives.

The Space Management tool periodically checks the used space in the database. When the used space exceeds a configurable Action Limit, Space Management begins deleting the oldest packet capture data and alert records. Space Management then continues deleting until the used space drops below a configurable Clearance Limit.

Note - As Space Management deletes data, it will attempt to retain all packet capture data. Thus, it will delete packet capture data in proportion to the number of alert records in the database.


Configuring Space Management


To configure Space Management:

1. From any IPS-1 Management Dashboard window's Management menu, select Space Management.

2. The Space Management window appears with a tab for the IPS-1 Management Server and for each Alerts Concentrator.


3. Set the following values for the IPS-1 Management Server and for each Alerts Concentrator:

Maximum Space: the maximum amount of space available to the database. The Maximum Space should be a value smaller than the available free space in the partition or slice where the database resides.

Action Limit: the percentage of Maximum Space used before Space Management begins removing alert data.

Clearance Limit: the percentage of Maximum Space at which Space Management stops removing alerts. The Clearance Limit must be smaller than the Action Limit.

Check period (Alerts Concentrator only): the interval between Space Management checks of the used space. For a heavily loaded, large network, the check period should be smaller, but no less than 1 minute.

4. In the IPS-1 Management Server tab, select Enable Automatic Space Management, unless you don't want Space Management to operate automatically on the IPS-1 Management Server. In that case, you can manually initiate Space Management operation by clicking Remove Old Alerts Now.

5. Click Save.
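The following added example (not Check Point's code) models the sizing rule from the Space Management overview and the Action Limit / Clearance Limit behaviour configured in step 3, using constructed record sizes; it tracks alert records only and leaves out the packet-capture retention rule.

```python
"""Added example, not Check Point's code: a model of the Space Management
behaviour described in the overview and in step 3 above. All sizes are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


def estimate_db_size_gb(traffic_gbps: float, months: float) -> float:
    """Sizing rule from the overview: roughly half of (monitored Gbps x months), in GB."""
    return 0.5 * traffic_gbps * months


@dataclass
class Record:
    """One stored alert record; older records are deleted first."""
    age_days: int
    size_mb: float


@dataclass
class SpaceManagement:
    max_space_mb: float          # Maximum Space
    action_limit_pct: float      # Action Limit: start deleting above this % of max
    clearance_limit_pct: float   # Clearance Limit: stop deleting below this % of max

    def __post_init__(self) -> None:
        # The guide requires the Clearance Limit to be smaller than the Action Limit.
        if not 0 < self.clearance_limit_pct < self.action_limit_pct <= 100:
            raise ValueError("need 0 < Clearance Limit < Action Limit <= 100")

    @staticmethod
    def used_mb(records: List[Record]) -> float:
        return sum(r.size_mb for r in records)

    def check(self, records: List[Record]) -> Tuple[List[Record], List[Record]]:
        """One periodic check: returns (kept, deleted).

        Nothing happens until usage exceeds the Action Limit; deletion then
        proceeds oldest-first and only stops once usage is below the Clearance
        Limit, so the two thresholds act as a hysteresis band."""
        action_mb = self.max_space_mb * self.action_limit_pct / 100
        clearance_mb = self.max_space_mb * self.clearance_limit_pct / 100
        if self.used_mb(records) <= action_mb:
            return list(records), []
        kept = sorted(records, key=lambda r: r.age_days, reverse=True)  # oldest first
        deleted: List[Record] = []
        while kept and self.used_mb(kept) >= clearance_mb:
            deleted.append(kept.pop(0))
        return kept, deleted


def demo() -> Tuple[int, int, List[int]]:
    """Constructed data: ten daily batches of 1000 MB in a 10 GB database with
    Action Limit 90% and Clearance Limit 60%."""
    records = [Record(age_days=d, size_mb=1000) for d in range(1, 11)]
    sm = SpaceManagement(max_space_mb=10_000, action_limit_pct=90, clearance_limit_pct=60)
    kept, deleted = sm.check(records)
    return len(kept), len(deleted), [r.age_days for r in deleted]


if __name__ == "__main__":
    print("5 Gbps for 6 months -> about", estimate_db_size_gb(5, 6), "GB")
    print("kept, deleted, deleted ages:", demo())
```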

Reclaiming Database Space


The Space Management tool attempts to limit the IPS-1 Alerts Concentrator database size to the specified Maximum Space setting. However, the database can exceed this limit because of the way Space Management deletes records. Space Management frees space in individual tables that it cannot make available to the database as a whole because the space is still marked as used by the operating system. For example, when Space Management is finished, it may show 25GB of actual space set aside for the database and 2GB of free space. If the 2GB of space is available in the alert data table and IPS-1 Alerts Concentrator needs to write to the event data table, it cannot use the free space. As a result, it will claim additional space for event data, even if it results in the database size increasing beyond the specified Maximum Space. For this reason, you should set the maximum database size to be a value smaller than the available free space in the partition or slice where the database resides.


You can use the space recovery script to recover available database space for an IPS-1 Alerts Concentrator and return it to the operating system for other uses. Optionally, this script can also perform extensive checks and fixes and optimize indexes. To enable periodic execution during specified windows, you can execute the script as a cron job.
Warning - Run this script only if there is a large amount of free space that must be recovered. When this script is run on an IPS-1 Alerts Concentrator, it may take several hours to complete. The script shuts down the IPS-1 Alerts Concentrator (and, in a Combined installation, the IPS-1 Management Server) while it runs, which means that the IPS-1 system will be inoperative during this period (except in a non-Combined installation with Alerts Concentrator High Availability). IPS-1 Sensors will continue to function and to buffer alerts until the server is back online, but alerts will not be visible on the IPS-1 Management Dashboard until the Alerts Concentrator is back online.

Note - There must be enough free space for the script to make a copy of the largest database table - it skips any tables that are too big to copy.

To run the Space Recovery script:

1. Log in to the Alerts Concentrator host as the ips1 user (run: su - ips1).

2. From $IPS1DIR/alcr, run the following:

sdb-optimize.sh [-h] [-e]


The options are:

Table 2-1
-h    Provides detailed help text.
-e    Performs a check for database errors and attempts to recover the data.

Note - The -e option lengthens the time the script takes to run.

Note - Alerts and events will not be written to the database while these scripts are executing. Except with Alerts Concentrator High Availability, alerts will be queued on the Sensors until the Alerts Concentrator is back online.


Alerts Concentrator High Availability


To ensure continuity of information flow from IPS-1 Sensors to the IPS-1 Management Server in the event of an IPS-1 Alerts Concentrator failure, you can configure an IPS-1 Sensor to report to a backup IPS-1 Alerts Concentrator. This automatically redirects alerts and packet capture data to the backup Alerts Concentrator if the primary Alerts Concentrator or the Sensor's connection with it fails. You can deploy the backup Alerts Concentrator in the same network as the primary Alerts Concentrator. If the primary Alerts Concentrator fails, the backup Alerts Concentrator becomes active.

Once a Sensor fails over to a backup Alerts Concentrator, it continues communicating with that Alerts Concentrator until:

1) the backup Alerts Concentrator fails;
2) the Sensor receives a quick restart command (this includes receiving a policy push);
3) the Sensor is rebooted.

The Sensor then attempts to communicate with the primary Alerts Concentrator. The failover process is independent for each Sensor; in certain situations (such as a network interruption) some Sensors from Group A in the illustration could be communicating with Alerts Concentrator A and others with Alerts Concentrator B. As shown in the following diagram, you can designate some IPS-1 Sensors' active Alerts Concentrator as the backup Alerts Concentrator for other Sensors.
Figure 2-1 Alerts Concentrator High Availability

The Sensors in group A send alert data to Alerts Concentrator A, and only in case of Alerts Concentrator A's failure, to Alerts Concentrator B. The Sensors in group B send alert data to Alerts Concentrator B, and only in case of Alerts Concentrator B's failure, to Alerts Concentrator A.
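Added example (not Check Point's code) modelling the Sensor-side failover rules just described, with the names A and B standing in for the illustration's Alerts Concentrators; the event names (link_down, link_up, quick_restart, policy_push, reboot) are assumptions made for the model.

```python
"""Added example, not Check Point's code: a model of which Alerts Concentrator
a Sensor reports to under the failover rules described in this section."""
from typing import Dict, Optional


class SensorFailover:
    """Rules from the guide: fail over to the backup when the primary (or the
    connection to it) fails; stay on the backup until the backup fails, the
    Sensor gets a quick restart (a policy push counts) or the Sensor reboots;
    only then try the primary again."""

    def __init__(self, primary: str, backup: str) -> None:
        self.primary, self.backup = primary, backup
        self.reachable: Dict[str, bool] = {primary: True, backup: True}
        self.active: Optional[str] = primary

    def _select(self, preferred: str) -> Optional[str]:
        """The preferred concentrator if reachable, otherwise the other one;
        None when both are down (the Sensor then buffers alerts locally)."""
        other = self.backup if preferred == self.primary else self.primary
        for candidate in (preferred, other):
            if self.reachable[candidate]:
                return candidate
        return None

    def link_down(self, concentrator: str) -> Optional[str]:
        """The concentrator (or the Sensor's connection to it) fails."""
        self.reachable[concentrator] = False
        if self.active == concentrator:
            # Move to whatever else is reachable; the Sensor does not return
            # to the primary by itself when the primary later recovers.
            fallback = self.backup if concentrator == self.primary else self.primary
            self.active = self._select(fallback)
        return self.active

    def link_up(self, concentrator: str) -> Optional[str]:
        """The concentrator becomes reachable again."""
        self.reachable[concentrator] = True
        if self.active is None:  # both were down: resume with the primary if possible
            self.active = self._select(self.primary)
        return self.active

    def quick_restart(self) -> Optional[str]:
        """Quick restart, policy push or reboot: the Sensor tries the primary first."""
        self.active = self._select(self.primary)
        return self.active

    policy_push = quick_restart
    reboot = quick_restart


if __name__ == "__main__":
    sensor = SensorFailover("A", "B")
    print("primary fails      ->", sensor.link_down("A"))
    print("primary back       ->", sensor.link_up("A"))   # still B: sticky
    print("policy push        ->", sensor.policy_push())  # back to A
```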


To configure Alerts Concentrator High Availability, perform the following for each IPS-1 Sensor:

1. The Sensor itself must be configured for Alerts Concentrator High Availability. If this was not done during Sensor installation, configure it as follows:

Note - On Power Sensors, first log in as the nfr user.

a. On the Sensor, run:

cpconfig

b. Select Network Settings.

c. Select Configure IPS-1 Mgmt Server / Alerts Concentrator.

d. Type the IP addresses of the active Alerts Concentrator and of the second Alerts Concentrator. The second Alerts Concentrator will function as a backup until failure of the first Alerts Concentrator.

e. Type and confirm the activation key configured in the Alerts Concentrators.

f. Select Save.

g. Select Return to main menu.

2. Log into the IPS-1 Management Server with the IPS-1 Management Dashboard, and add the Sensor to the second Alerts Concentrator, as follows:

a. In Policy Manager's Sensors and Concentrators tab, select and right-click the second Alerts Concentrator. Select Add Existing Sensor.

b. Select the appropriate Sensor, and click OK, and OK.


Managing the IPS-1 Sensor


In This Section
Connecting to the IPS-1 Sensor ........ page 47
IPS-1 Sensor Modes ........ page 47
Configuring Other Sensor Definitions ........ page 50
Shutting Down or Restarting the IPS-1 Sensor ........ page 52
Deleting Backlogged Sensor Data ........ page 53
Resolving IPS-1 Sensor Communications Issues ........ page 53

Connecting to the IPS-1 Sensor


You can run commands on the IPS-1 Sensor in one of three ways, depending on hardware configuration:

A connected keyboard and monitor.

A serial console (DTE to DTE), using terminal emulation software such as HyperTerminal (from Windows) or Minicom (from Unix/Linux systems). Connection parameters for Check Point appliances are:
For a regular (non-Power) IPS-1 Sensor appliance: 9600bps, no parity, 1 stop bit (8N1).
For an IPS-1 Power Sensor: 115200bps, 8 bit, no parity, 1 stop bit, no hardware or software (xon/xoff) flow control.
For third-party hardware connection parameters, see the third-party documentation.

An SSH connection to the Sensor's management interface (if sshd is configured).

IPS-1 Sensor Modes


In This Section
Sensor Modes Overview ........ page 48
Changing the Sensor Mode (Software) ........ page 49
Changing the Sensor Mode (Hardware) ........ page 49

Sensor Modes Overview


In most cases, IPS-1 Sensors should be placed inline, so that all of the traffic to be monitored flows through the IPS-1 Sensor. This enables intrusion prevention. In this configuration, Sensors can drop traffic detected as an attack, according to defined and configurable confidence indexing. In some cases, such as in a complex switching environment in a network core, Sensors may need to be placed in passive mode, in which case they perform intrusion detection only.

Inline Sensors' behavior upon failure can be configured to either open, passing through all traffic; or closed, severing the traffic path. Inline Sensors can be set to Monitor-Only (bridge) mode, to avoid the possibility of blocking valid traffic. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.

The IPS-1 Sensor is configured for one of four different modes:

IDS (passive): intrusion detection (IDS) with no prevention. In this mode, every interface other than the management interface can be used for monitoring.

IPS Monitor-Only (inline, fail-open): inline mode without actual prevention. Packets are returned to the network before processing for attack detection. In fault conditions, all packets continue to be passed through. You can use this mode to see which traffic would have been dropped in the other IPS modes, making Monitor-Only mode useful during a system-tuning period before switching to actual intrusion prevention. See Avoiding False Positives on page 73 for details. Monitor-Only mode is also useful for checking whether an IPS-mode Sensor is responsible for unexplained traffic dropping.

IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are temporarily dropped.

IPS (inline, fail-open): inline intrusion prevention. In fault conditions, interfaces revert to bypass mode.

Fault conditions are:

The Sensor has not completed booting and initializing.
The Sensor loses power, or suffers another hardware failure (dependent on hardware bypass NIC).
The Sensor has crashed (dependent on hardware bypass NIC).


When an interface pair is in bypass mode as a result of a failure, the bypass interfaces in most Sensor models will act as a crossover connection between the two systems on either side of the Sensor. The four front-left copper interfaces on the new 200C/F and new 500C/F will act as a straight-through connection when in bypass mode. All other hardware bypass pairs act as crossover connections when they are in bypass mode.

Changing the Sensor Mode (Software)


The IPS-1 Sensor mode is set during Sensor installation. To change the mode:

1. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.

2. Select the desired mode, and click OK.
Warning - When changing a Sensor from an IPS (inline) mode to IDS (passive) mode or from IDS (passive) mode to an IPS (inline) mode, you MUST also reconfigure the cabling to change its position within the network. Failure to do so may stop the flow of network traffic or allow traffic to pass between the networks attached to the Sensor.

The IPS-1 Sensor is restarted in the new mode.

Changing the Sensor Mode (Hardware)


The IPS-1 Sensor 50 and Sensor 20 models are ordered and delivered as SKU "P", for "IPS Monitor-Only" and "IPS (inline fail-open)" modes, or SKU "D", for "IPS (inline, fail-closed)" and "IDS (passive)" modes. Switching between the two configurations requires two steps in addition to changing the sensor's operating mode in software: an internal hardware setting change and a BIOS change.

1. Change the position of the red hardware jumper switch on the system's motherboard near the Ethernet ports on the front of the chassis. For passthrough modes (monitor-only and fail-closed), the switch must be positioned to the rear of the unit, near pins 6 & 7. For non-passthrough modes (fail-closed and passive), the switch must be positioned to the front of the unit, near pins 1 and 12.

2. Boot the Sensor.


3. Wait for the following message during the POST:

TO ENTER SETUP BEFORE BOOT PRESS <CTRL-ALT-ESC> OR <DEL> KEY

Press the <Del> key or press the <Ctrl>, <Alt>, and <Esc> keys to enter the system's BIOS Setup.

4. On the 'Integrated Peripherals' screen, "Onboard By-PASS Active" should be set to "[Enabled]" for passthrough modes, and "[Disabled]" for non-passthrough modes.

5. Exit the BIOS Setup and continue with the boot process.

Warranty note: Check Point will not void the warranty of units that have been opened for this purpose. A Check Point SE is not required to make the change, but Professional Services can be arranged if the customer elects not to make the changes themselves.

Configuring Other Sensor Definitions


In This Section
Regular (non-Power) IPS-1 Sensor Configuration ........ page 50
IPS-1 Power Sensor Configuration ........ page 51

Regular (non-Power) IPS-1 Sensor Configuration


For regular (non-Power) IPS-1 Sensors, you can use the Check Point Configuration Tool to configure the following values on the IPS-1 Sensor:

Inline interface pairs (ignored for Passive mode)

Note - Interfaces associated with hardware bypass NICs cannot be changed. The information is displayed read-only.

IP address of Alerts Concentrator(s)

Activation Key, with which the Alerts Concentrator is authenticated to the Sensor.


To change any of these values:

1. On the IPS-1 Sensor, run:

cpconfig

2. Select Network Settings.

3. Select the relevant options.

4. When you are finished setting the options on the Sensor, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.

5. Make the change and click OK.

6. Install Policy. The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).

Other values, such as networking information, date and time, and host name, are configured with SecurePlatform's System Configuration Tool, as follows:

1. On the Sensor, run:

sysconfig

2. Select the relevant options.

3. When you are finished setting the options on the Sensor, if the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.

4. Make the change and click OK.

5. Install Policy. The change is now defined both on the Sensor and in the IPS-1 Management Server and Alerts Concentrator(s).

IPS-1 Power Sensor Configuration


IPS-1 Power Sensor configuration is performed through its Management Menu, as follows:

1. To access the Management Menu, log in to the Power Sensor as nfr. The Management Menu will appear.

2. Select the relevant options.


3. When you are finished setting the options on the Sensor, you may be prompted to restart the Sensor for the changes to take effect.

4. If the changed value is the Sensor's hostname or IP address, return to the IPS-1 Management Dashboard. In Policy Manager's Sensors and Concentrators tab, select the Sensor and click Edit.

5. Make the change and click OK.

6. Install Policy.

Shutting Down or Restarting the IPS-1 Sensor


Direct CLI shutdown or reboot
On a regular (non-Power) IPS-1 Sensor, use SecurePlatform's shutdown or reboot command. On an IPS-1 Power Sensor, log in as nfr and select Halt or Restart. In both cases, the operating system (not just the Sensor processes) is completely shut down.

Remote Restart or Reboot


You can remotely restart the Sensor IPS-1 software or completely reboot the Sensor machine, from the IPS-1 Management Dashboard. You can restart or reboot an individual Sensor, or simultaneously all Sensors of a selected Alerts Concentrator.

To remotely restart or reboot one IPS-1 Sensor or all IPS-1 Sensors:

1. In Policy Manager's Sensors and Concentrators tab, select and right-click an individual Sensor, or an Alerts Concentrator.

2. Select one of the following:
Restart Sensors (all the Sensors of the selected Alerts Concentrator)
Reboot Sensors (all the Sensors of the selected Alerts Concentrator)
Restart <Name of Sensor>
Reboot <Name of Sensor>

Note - Rebooting generates a progress window. Restarting produces no visible result.


Deleting Backlogged Sensor Data


If an IPS-1 Sensor has been out of communication with the Alerts Concentrator for a long period of time, the Sensor may have accumulated a large amount of data, which can take a long time to transfer to the Alerts Concentrator. If you don't need the accumulated data, you may want to delete it from the Sensor, as follows:

1. On a regular (non-Power) IPS-1 Sensor, run:

cpconfig

Or, on an IPS-1 Power Sensor, log in as nfr. The Management Menu will appear.

2. Select Purge all data, and press y to confirm.

Resolving IPS-1 Sensor Communications Issues


In This Section
Introduction ........ page 53
Overriding Auto-Negotiation Settings for Power Sensors ........ page 54
Restoring Auto-Negotiation Settings ........ page 55

Introduction
If your IPS-1 Sensor and IPS-1 Alerts Concentrator are communicating through a switch, you may need to configure the switch and IPS-1 Sensor interface link speed and duplex settings manually. A duplex mismatch will not necessarily prevent all communication. However, it will cause severe performance and communication issues. This section explains how to deal with broken auto-negotiation implementations between interface cards. However, there is rarely a need to disable auto-negotiation. The results of duplex setting mismatch depend on the interface speed. The following table shows the results of two systems (such as the Sensor and the switch) connected using various duplex settings and a 10/100 Mbps network interface.


Table 2-2

System A       System B       Link Status
Auto           Auto           full-duplex
Auto           full-duplex    System A will fall back to half-duplex since System B is not doing auto-negotiation, and the systems will fail to communicate properly
Auto           half-duplex    System A will fall back to half-duplex since System B is not doing auto-negotiation, and the systems will fail to communicate properly
full-duplex    full-duplex    full-duplex
half-duplex    half-duplex    half-duplex

The following table shows the link status of two systems (such as the Sensor and the switch) connected using various duplex settings and a Gigabit network interface.
Table 2-3

System A       System B       Results
Auto           Auto           up
disabled       disabled       up
Auto           disabled       down

Overriding Auto-Negotiation Settings for Power Sensors


To Override Auto-Negotiation Settings:

1. Type cpconfig and press Enter. The Management Menu will appear.

2. Select Network.

3. Select Set interface media and duplex.

4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the desired interface, and press Enter to display all settings for the interface.

5. Select a setting, and select Save.


Restoring Auto-Negotiation Settings


You can revert to auto-negotiation settings from the IPS-1 Sensor Management Menu.

To revert to auto-negotiation settings from the IPS-1 Sensor:

1. Type cpconfig and press Enter. The Management Menu will appear.

2. Select Network.

3. Select Set interface media and duplex.

4. Navigate (by using the arrow keys) to the Media/Duplex setting beside the desired interface, and press Enter to display all settings for the interface.

5. Select Auto, and select Save.


Starting and Stopping the IPS-1 Servers


To start, stop or restart the IPS-1 Management Server or Alerts Concentrator:

1. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, change user to ips1 by entering su - ips1.

2. Run the desired command according to the following syntax:

/etc/init.d/ips1 <start [alcr | db | ips1server] | stop [alcr | db | ips1server] | status>


The options are:

start: start the Alerts Concentrator (alcr), the database (db), the IPS-1 Management Server (ips1server), or, by default, everything
stop: stop the Alerts Concentrator (alcr), the database (db), the IPS-1 Management Server (ips1server), or, by default, everything
status: report on what is currently running

The output of /etc/init.d/ips1 status looks like:

The IPS-1 database (mysql) is running with process ID 5182.
The IPS-1 Alerts Concentrator watchdog (nfrwatch) is running with process ID 5307.
The IPS-1 Management Server is running with pid 5375.


Uninstalling the IPS-1 Servers


To uninstall the IPS-1 Management Server and/or Alerts Concentrator:

1. Stop the IPS-1 processes, as follows:

a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.

b. Change to the ips1 user, by running:

su - ips1

c. Run:

ips1 -n stop

2. From outside the IPS-1 directories (/opt/CPips1-R65 and /var/opt/CPips1-R65), perform one of the following:

On SecurePlatform, run the following:

expert
rpm -e CPips1-R65

On Linux, run the following:

rpm -e CPips1-R65

On Solaris, run the following:

pkgrm CPips1-R65

All IPS-1 files and data are removed.


Viewing System Status Information


In This Section
System Status in the IPS-1 Management Dashboard ........ page 58
Viewing Sensor History ........ page 61
Viewing the IPS-1 Status Monitor ........ page 62

System Status in the IPS-1 Management Dashboard


In This Section
Viewing System Status in the IPS-1 Management Dashboard ........ page 58
Alerts Concentrator Status Fields ........ page 60
Sensor Status Fields ........ page 61

Viewing System Status in the IPS-1 Management Dashboard


To view in a single window the activity and communication status of the Alerts Concentrators and Sensors: from the Alert Browser's Tools menu, select System Status; or, click the System Status icon.


Select All or select an item in the list on the left to view its status.

For explanations of the status fields, see the following sections. You can copy information from Status windows to the clipboard, by using context (right-click) menu commands.


Alerts Concentrator Status Fields


For an Alerts Concentrator, the following information is displayed:

Alerts Concentrator: Provides the name of the server.
Connection Status: Provides the status of the server's connection. Green means the connection is active. Red means the connection is inactive.
Sensor Name: Provides the name of the IPS-1 Sensor.
Status (of IPS-1 Sensor): Provides the status of the IPS-1 Sensor.
Last Status Time: Provides the timestamp of the last message received from the server.


Sensor Status Fields


For a Sensor, the following information is displayed:

Viewing Sensor History


To view the history of an IPS-1 Sensor from a specified time frame:

1. Open the Sensor's Status window, as explained in the previous section, System Status in the IPS-1 Management Dashboard on page 58.


2. Click View History.

3. Select the desired Start and End Time, and click OK. The Sensor's history appears.

Viewing the IPS-1 Status Monitor


To view IPS-1 Sensor status information, run the following command on the Sensor:

ipsstats
The following information is displayed:

System start time: Date and time the IPS-1 Sensor was last restarted
CPU: Average percentage of Sensor CPU capacity used in the last hour
Real Memory: Total installed memory and memory available
Virtual Memory: Total RAM + Virtual (Swap)
Disk Space: Total installed disk space and disk space available
Packet Reception
Total: Number of packets since system start time
Current: Number of packets per second during the past two-second time interval
Average: Average number of packets seen per second in the last hour
Peak: Highest number of packets seen per second in the last hour


Protocols
  Installed: Number of installed protocols
  Loaded: Number of successfully loaded protocols
  Failed: Number of protocols that failed to load

Note - The IPS-1 Sensor generates an alert if part of a protection package fails to load. This usually means that the package has a syntax error or a required variable is undefined.

Protection Groups
  Installed: Number of installed protection groups
  Loaded: Number of successfully loaded protection groups
  Failed: Number of protection groups that failed to load

Current time (located in the lower right-hand corner of the screen)

From the Status Monitor, press any key to display the Management Menu, or press ctrl-c to return to the command line.


Chapter 3

Managing Attack Detection and Prevention


In This Chapter
Overview (page 66)
Updating Attack Signatures (page 67)
Avoiding False Positives (page 73)
Managing Protections (page 74)
System-Wide Attack Correlation (page 89)


Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by the administrator enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in active, inline (non-passive, non-bridge) mode will block traffic identified as an attack, or some protections can be set to Monitor-Only, to generate alerts without blocking traffic. You can configure other aspects of the protections as well. Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, from there sent to the Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.


Updating Attack Signatures


Check Point is continuously updating attack detection code to combat evolving threats. To keep your network security up-to-date, it is important to frequently update attack signatures from Check Point's online update server. You can configure the system to automatically retrieve updates, and you can also manually initiate an update from Check Point's online update server or from locally saved files, obtainable from Check Point's User Center.
Note - A firewall situated between the IPS-1 Management Server and the Internet must be configured to permit outbound TCP connections from the IPS-1 Management Server to ips-packages.checkpoint.com on port 2013.

In This Section
Configuring Automatic Attack Signature Updates (page 67)
Manually Updating Attack Signatures (page 70)

Configuring Automatic Attack Signature Updates


To set automatic periodical attack signature updates from Check Point's package server:
1. From Policy Manager's Policy Manager menu, select Auto-Update Settings. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Auto-Update Settings.


The following window appears:

2. Verify the Package Server and connection information, which should be:
Server Address: ips-packages.checkpoint.com
Server Port: 2013

3. If the IPS-1 Management Server is behind a proxy server, select Use Proxy and type your proxy server connection and authentication information. Click Next.


The following window appears:

4. Select a frequency for automatic updates. Selecting an option other than Disabled causes time and date fields (for the first update) to appear, as follows:


5. Schedule the first update as needed. To choose a date from a calendar, click . For the first update to occur immediately, click Now.

6. Click Finish and close the Policy Manager. The first update will automatically occur when specified, and will continue from then according to the specified frequency. After each automatic update, the IPS-1 Management Server will transmit the attack signatures to Alerts Concentrators and IPS-1 Sensors that were selected when the last manual Install Policy was performed.

Manually Updating Attack Signatures


To manually update attack signatures from Check Point's package server or from locally saved files, obtainable from Check Point's User Center:
From Policy Manager's Policy Manager menu, select Online Update. Or, in Policy Manager's Protection tab, in the left-hand navigation tree, select Download Updates, and click Online Update.


A two-page wizard will start, beginning with the Download Package page:

Configure the package update as follows:

1. Select an attack signature package source. In most cases, this should be Check Point's Package Server. Other options are:
Local File - files that have been downloaded from Check Point's User Center to a local drive on the Management Dashboard user's computer or network. This is useful if the IPS-1 Management Server cannot access the internet, or for users who have edited the files' N-Code. If you select to update from a file, browse to the file, click Next, and proceed to step 4.
Management Server/Alerts Concentrator - uploads an Alerts Concentrator's current attack signatures to the IPS-1 Management Server. This is useful when one Alerts Concentrator is more up-to-date than another, or on first setup of a newly installed IPS-1 Management Server, as a temporary measure (a newly installed Alerts Concentrator comes with a default set of attack signatures). If you select to upload from an Alerts Concentrator, select the desired Alerts Concentrator, click Next, and proceed to step 4. Remember to update the attack signatures as soon as possible afterwards.
Skip Download - This option is not available if no attack signature package yet exists on the IPS-1 Management Server.


2. Verify the Package Server information, which should be:
Server Address: ips-packages.checkpoint.com
Server Port: 2013

3. If the IPS-1 Management Server is behind a proxy server, you may need to select Use Proxy and type your proxy server connection and authentication information. Click Next. Once the packages are available, the Install Packages page appears:

4. Select protocols and protection groups for which to update attack signatures. Information and file contents for the selected protocols and protection groups are displayed on the right.
When in doubt, it is better to install and then disable a package in Policy Manager than to not install it. Some protocols and protection groups depend on others being present to be able to work. When you complete this wizard, attack signatures will be updated only on the IPS-1 Management Server. You will still need to install policy on the Alerts Concentrator(s) and IPS-1 Sensors.

Click Finish to initiate the update.


Avoiding False Positives


As with any IPS system, before your protection settings are fully adapted to your network, the risk of false positives may be greater than otherwise. For this reason, it is recommended to start out with attack detection only, and then gradually increase the level of prevention. The modes and settings below allow you to reduce prevention, thus minimizing the risk of false positives. Of course, any reduction in prevention may increase the risk of a successful attack.

Individual protection pages in Policy Manager's Protection tab (the lowest-level items in the Protection Settings navigation tree) contain protection description text, including per-protection assessments of the risk of a false positive.

Sensor Monitor-Only mode: In this mode, an inline IPS-1 Sensor generates alerts without actually preventing traffic. For more details, see IPS-1 Sensor Modes on page 47. As preparation for changing the IPS-1 Sensor to a prevention mode, you can enable special alerts to notify you when traffic would have been prevented with the IPS-1 Sensor in other modes, as follows:
1. In Policy Manager's Policy Manager menu, enable Show Advanced Settings.
2. In the System Settings tab, in the left-hand navigation tree, under Attack, select Intrusion Prevention.
3. In the right-hand settings page, select Intrusion Prevention Notifications.
When you do change the IPS-1 Sensor to a prevention mode, remember to clear Intrusion Prevention Notifications.

Whitelisting: Important hosts can be added to the Servers Whitelist or to the Clients Whitelist. Traffic from these hosts will be inspected for attacks but will not be blocked if attacks are detected. For details, see Exempting Hosts from Inspection or Prevention on page 87.

Monitor-Only protection setting: All or some protections can be set to Monitor Only. For details, see Protection-Level Settings on page 82 and One-Click Configuration of All Protocols and Protections on page 83.

Confidence Indexing: By default, active protections that are not in Monitor-Only mode drop traffic when the confidence of it being an attack is at least 50%. You can, in individual protection pages, select Active upon Confidence (not available for protection groups or protocols), and raise the Confidence value, so that only high-confidence attack traffic is dropped. See Protection Modes on page 81 for details.


Managing Protections
In This Section
Overview (page 74)
Managing Protection Profiles (page 75)
Configuring Protections (page 77)
Viewing and Copying Comprehensive Protection Settings (page 85)
Exempting Hosts from Inspection or Prevention (page 87)

Overview
In a typical multi-Sensor system, different IPS-1 Sensors are configured to detect different exploits. This is accomplished by enabling certain protections and disabling others. Enabled protections on IPS-1 Sensors in inline active (non-passive, non-bridge) mode will block traffic identified as an attack. Alternatively, the protection can be set to Monitor-Only so that it generates alerts without blocking traffic.

Some protections define an attack according to specific thresholds with default values. You can fine-tune these protections according to your needs by changing these values.

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection Profile, which is then installed on IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same Profile. Similar Profiles can be easily managed by cloning or copying settings.

Detection and prevention are also affected by system settings that apply to protections in general, for each IPS-1 Sensor, or protection Profile. Most of these have reasonable default values and are visible only when Advanced Settings are enabled (from Policy Manager's Policy Manager menu).

The Protection Overview feature enables viewing system-wide protection settings and is a valuable tool for implementing protection throughout a complex deployment. For details, see Viewing and Copying Comprehensive Protection Settings on page 85.


Configuration settings for IPS-1 Sensors (including system settings) are stored on the IPS-1 Alerts Concentrators to which they report. Changes are made through the Management Dashboard on the IPS-1 Management Server, from there sent to the Alerts Concentrator, and then mirrored out to individual IPS-1 Sensors.

Managing Protection Profiles


To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on IPS-1 Sensors associated with that profile. IPS-1 Sensors that should have similar protection configurations should be associated with the same profile. Similar Profiles can be easily managed by cloning or copying settings.

In This Section
Creating a New Profile (page 75)
Managing Similar Profiles (page 75)
Associating an IPS-1 Sensor with a Profile (page 76)

Creating a New Profile


To create a new profile:
1. From Policy Manager's Protection tab, select Profile Management.
2. Click New and select Create New Profile.

3. Type a name for the profile and click OK.

Managing Similar Profiles


You can create a profile with protection settings similar to an existing profile by copying the existing profile's settings and then modifying them. You can either clone the original profile to create a new, identical profile, or copy its settings onto an existing profile, overriding its original settings.


Cloning a Profile
To create a new profile with settings identical to those of an existing profile, clone the existing profile, as follows:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select a profile to be cloned.
3. Click New and select Clone Selected Profile.

4. Type a name for the new profile and click OK.

Copying a Profile's Settings onto an Existing Profile


To copy a profile's settings onto another profile, overriding its original settings:
1. From Policy Manager's Protection tab, select Profile Management.
2. From the Profiles list, select a profile to be copied and then right-click it. Select Copy... Settings.

3. Select the target profile and then right-click it. Select Paste Settings from... .

Associating an IPS-1 Sensor with a Profile


To associate an IPS-1 Sensor with a particular protection profile:
1. From Policy Manager's Protection tab, select Profile Assignment.
2. Select the IPS-1 Sensor and then right-click it. Select Edit Assigned Profile for... .

3. Select the desired profile and click OK.



Configuring Protections
In This Section
Overview (page 77)
Viewing Protection Information (page 78)
Protection Settings (page 79)

Overview
Protections are organized into a three-tier hierarchy:
Protocol: In most cases, a Protocol includes all the protections that are based on analysis of traffic of a particular protocol. A few Protocols, such as Authentication and Badfiles, perform specific types of analysis over most traffic protocols.
Protection Group: A sub-group of a Protocol, including a number of related protections. Some settings, such as numerical thresholds, are defined at the protection group level for all the protections in the group.
Protection: Detects, prevents, and alerts for a specific attack.

To view a categorized protection list, expand the Application Intelligence, Network Security, or Web Intelligence heading in the navigation pane of Policy Manager's Protection tab:

In the above figure, AOL Instant Messenger and Authentication are protocols; Authentication BE is a protection group; and alphanumpasswd_alert and alphapasswd_alert are protections. If an item you expect to see is missing, either it may not be installed or it may only be visible in advanced mode. To install it, update the attack signature package. See Updating Attack Signatures on page 67 for details.


Selecting any list item displays its settings page in the right-hand pane, with description text below. For example:

To easily configure protections for multiple IPS-1 Sensors, protection settings are configured for a protection profile, which is then installed on IPS-1 Sensors associated with that profile. For information on managing profiles, see Managing Protection Profiles on page 75.

Viewing Protection Information


Each protocol, protection group and protection comes with informative description text. To view description text: In Policy Manager's Protection tab, under Protection Settings, select a protocol, protection group, or protection. Description text appears in the lower-right pane:


Description text includes some or all of the following headings:
Overview
Corroboration and Leads
Why this is Important
Technical Information (including explanations for unique settings)
False Positives
References

You can also view file contents for protocols and for protection groups. In the protocol or protection group's page, click Show Files.

Protection Settings
In This Section
Protection Settings Overview (page 79)
Protection Modes (page 81)
Protection-Level Settings (page 82)
One-Click Configuration of All Protocols and Protections (page 83)

Protection Settings Overview


Each protocol, protection group, or protection has various settings associated with it. These settings are located on the protocol, protection group, or protection page. Some settings are the same throughout different protocols and protections. These are described in the following sections.


Other settings are unique to the specific protocol, protection group, or protection and appear only on its page. For information on these settings, see the description text in the lower-right pane of the Policy Manager window.

Note that some protections' behavior is affected by general settings. These include local network addresses, defined in IPS-1 Sensor properties (in Policy Manager's Sensors and Concentrators tab), and various per-Profile settings found in Policy Manager's System Settings tab.

Protocol settings affect all protection groups and protections under it. Protection group settings affect all protections under it. Settings are per protection profile: you can configure settings differently for different profiles. Settings do not take effect until you Install Policy on the IPS-1 Sensors.

To display settings for a specific protocol, protection group, or protection, for a specific protection profile:
1. In Policy Manager's Protection tab, under Application Intelligence, Network Security, or Web Intelligence, select a protocol, protection group, or protection. The selected settings page appears in the upper-right pane:

2. In the Profile list, select a Profile. The settings for the selected Profile are now displayed.


Protection Modes
Protection Modes determine whether protections will be applied to the traffic which is seen by the IPS-1 Sensors. Protection Modes can be set for protocol, protection group, and protection for each protection profile. Protection Modes are most commonly changed on the protections.

Protection Modes include:
Active - the protection will be applied to traffic seen by the IPS-1 Sensor.
Active upon Confidence - the protection will be applied to traffic seen by the IPS-1 Sensor only if the traffic meets the Confidence Level set for the protection. This setting is not available on protocols or protection groups.
Inactive - the protection will not be applied to traffic seen by the IPS-1 Sensor.

Changing the Protection Mode of a protocol, protection group, or protection may force the Protection Mode of its associated parent or children to change in order to avoid conflicting settings. For example, setting a protection to Active or Active upon Confidence automatically forces its parent protocol and protection group to Active as well. Similarly, setting a protocol or protection group to Inactive automatically forces its children to Inactive as well.

When activating a protocol or protection group, the Protection Mode of its child protections will revert to the setting that each was given last. Therefore, when activating a protocol or protection group, the Protection Mode of the child protections must be verified individually to ensure that each protection has the desired Protection Mode.


In any protection page:
To activate a protection for the selected protection profile, select Active or right-click on the Protection Mode cell and select Activate.
To configure Confidence Indexing for a protection, select Active upon Confidence, or right-click on the Protection Mode cell and select Activate upon Confidence, and drag the slider to the desired confidence index. For details regarding Confidence Indexing, see Avoiding False Positives on page 73.
To disable a protection for the selected protection profile, select Inactive or right-click on the Protection Mode cell and select Deactivate.

After configuring settings, make sure to Install Policy.
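The cascade described under Protection Modes, as an added Python example that is not part of the original guide or of IPS-1 itself: it models the protocol > protection group > protection hierarchy for one profile, applies the forcing and revert rules stated above, and then checks the tree for conflicting settings. The class and function names are assumptions; the Authentication objects are the ones named in the figure caption earlier.

```python
"""Added example, not Check Point code: the Protection Mode cascade over the
protocol > protection group > protection hierarchy for one profile. Class and
function names are assumptions; the rules are the ones stated in the text."""
ACTIVE, UPON_CONFIDENCE, INACTIVE = "Active", "Active upon Confidence", "Inactive"


class Node:
    """A protocol, protection group or protection within one protection profile."""

    def __init__(self, name, tier, parent=None):
        self.name, self.tier, self.parent = name, tier, parent
        self.children = {}
        self.mode = ACTIVE
        self.last_explicit = ACTIVE   # the mode the administrator last chose for it
        self.confidence = 50          # consulted only under Active upon Confidence
        if parent is not None:
            parent.children[name] = self

    def set_mode(self, mode, confidence=None):
        """Apply one administrator change plus the forced changes that go with it."""
        if mode == UPON_CONFIDENCE:
            if self.tier != "protection":
                raise ValueError("Active upon Confidence is only available on protections")
            if confidence is None or not 0 <= confidence <= 100:
                raise ValueError("Active upon Confidence needs a confidence index 0..100")
            self.confidence = confidence
        self.mode = self.last_explicit = mode
        if mode == INACTIVE:
            # Deactivating a protocol or group forces every descendant Inactive; each
            # keeps its own last explicit choice for a later re-activation.
            for child in self.children.values():
                child._force_inactive()
            return
        # Activating forces every ancestor Active, so that no Inactive parent
        # contradicts an Active child ...
        p = self.parent
        while p is not None:
            p.mode = ACTIVE
            p = p.parent
        # ... and reverts each child to the mode it was last given, which may itself
        # be Inactive or Active upon Confidence: this is the step to verify by hand.
        for child in self.children.values():
            child._revert()

    def _force_inactive(self):
        self.mode = INACTIVE
        for child in self.children.values():
            child._force_inactive()

    def _revert(self):
        self.mode = self.last_explicit
        for child in self.children.values():
            child._force_inactive() if self.mode == INACTIVE else child._revert()

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def effective_modes(root):
    """Flatten the tree into {path: mode} for review after a cascade."""
    out = {root.path(): root.mode}
    for child in root.children.values():
        out.update(effective_modes(child))
    return out


def conflicts(root):
    """Paths that are not Inactive under an Inactive ancestor. The cascade rules
    keep this empty; anything listed here means a mode was set around the model."""
    if root.mode == INACTIVE:
        return [p for p, m in effective_modes(root).items() if m != INACTIVE]
    found = []
    for child in root.children.values():
        found.extend(conflicts(child))
    return found


def demo():
    """The scenario the text warns about: deactivating and then re-activating a
    group silently restores each protection's last explicit mode."""
    auth = Node("Authentication", "protocol")          # names from the figure above
    be = Node("Authentication BE", "group", auth)
    alnum = Node("alphanumpasswd_alert", "protection", be)
    alpha = Node("alphapasswd_alert", "protection", be)
    alnum.set_mode(UPON_CONFIDENCE, confidence=80)   # drop only high-confidence matches
    alpha.set_mode(INACTIVE)                          # deliberately switched off
    be.set_mode(INACTIVE)                             # forces both protections Inactive
    after_off = effective_modes(auth)
    be.set_mode(ACTIVE)                               # children revert to last explicit mode
    return after_off, effective_modes(auth), conflicts(auth)
```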

Protection-Level Settings
The following settings appear on all protection pages (not on protection group or protocol pages):
Monitor only - no protection: When selected, the protection generates alerts but does not prevent traffic.
Add attackers to blacklist: This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When enabled, source IP addresses of attacks are blacklisted, causing subsequent traffic from those addresses to be blocked. The blacklisting lasts for the duration defined in Blacklist TCP (also Advanced-Settings only), found in the System Settings tab under Attack > Intrusion Prevention. The default duration is 0, and as long as the duration has not been configured to a non-zero value, the option here is disabled. You can click the link here to go directly to the Blacklist TCP setting.
Note - Blacklisting only takes effect for attacks over TCP (in other protocols, the attack could be spoofed), and only if the host is not explicitly Whitelisted (in Advanced Settings mode, in the Attack protocol).

Send TCP resets to attacker and victim (50%): This setting is visible only when Show Advanced Settings is enabled in the Policy Manager menu. When selected, upon attacks, IPS-1 sends protocol-appropriate reset signals to the attack source and destination IP addresses. For TCP, this is a TCP RST. For other IP protocols, this is an ICMP Administratively Prohibited message. 50% means the reset signal is sent only for attacks for which the confidence index is at least 50%.


Enable packet capture: When selected, attack packets are captured for viewing from the Alert Details. For details, see Packet Capture and Viewing on page 129.

There may be additional settings, unique to the specific protection. For information on these settings, see the description text in the lower-right pane of the Policy Manager window. After configuring settings, make sure to Install Policy.

One-Click Configuration of All Protocols and Protections


You can perform one-click actions that change settings for all protocols and protections, on a per-profile basis, as follows:
1. In Policy Manager's Protection tab, in the left-hand navigation tree, select Profile Management.
2. From the profile list, select a protection profile.
3. Click Actions, and select General Configuration.

4. The following actions are available:
Deactivate: For the selected profile, disables all protections.
Activate: For the selected profile, enables all available protections.
Monitor Only: For the selected profile, sets all enabled protections to Monitor Only, so that alerts are generated but attacks are not prevented.
Remove Monitor Only: For the selected profile, clears the Monitor Only setting from all protections, so that enabled protections can prevent attack traffic.
Reset: For the selected profile, resets protection settings to the default configuration.

5. Click Close.

6. Install Policy.


Viewing and Copying Comprehensive Protection Settings


In This Section
Opening Protection Overview (page 85)
Understanding Protection Overview (page 85)
Copying Protection Overview (page 86)

Opening Protection Overview


You can view protection settings for all protections and across all protection profiles in one window, Protection Overview. To see Protection Overview: In Policy Manager's Protection tab, in the left-hand navigation tree, select Protection Overview.

Understanding Protection Overview


See the above section for an illustration of Protection Overview. The left-hand column lists all protection protocols, which can be expanded to show their respective protection groups, which can in turn be expanded to show their respective Variables.

Many Variables represent numeric or checkbox settings from the protection group and protection pages of Protection Settings (in Policy Manager's Protection tab). Others are under-the-hood values that are not directly edited in Protection Settings.

Each protocol or protection group row shows whether it is Active or Inactive, for each protection profile. If a protection group's setting is Inactive, the Variables associated with it show (Protection Inactive). Changing the higher-level setting to Active will cause the Variable row to display its value or checkbox.

You can change settings directly from Protection Overview, by selecting and right-clicking a cell.

If a protocol name appears in red, a change has been made under that protocol that has not yet been saved: either Install Policy has not been performed at all, in which case the change has not been saved to the IPS-1 Management Server, or Install Policy was performed only to the IPS-1 Management Server and not to the Alerts Concentrator.

Additional Protection Overview features and components are visible when Show Advanced Settings is enabled from the Policy Manager menu.

Copying Protection Overview


You can copy the visible rows to the clipboard, to then be pasted into third-party applications such as Microsoft Excel. To copy: Right-click a cell and select Copy Table.


Exempting Hosts from Inspection or Prevention


You can exempt a host's traffic completely from inspection, or you can exempt it just from traffic prevention, while maintaining attack detection and alert generation. These exemptions can apply to traffic with the host as the source IP address, or as the destination IP address.

In This Section
Exempting a Host's Traffic from Inspection (page 87)
Exempting a Host's Traffic from Prevention (page 87)

Exempting a Host's Traffic from Inspection


You can exempt a host's traffic completely from inspection. To exempt a host from inspection:
1. In Policy Manager's System Settings tab, select General Profile Settings.
2. Under Ignored Hosts, for either List of source addresses to ignore or List of destination addresses to ignore, click .
3. Add the host's IP address to Selected Host Types, either by typing the address and pressing Enter, or by moving it from Recently Used Values.
4. Click OK.
5. Install Policy.

Exempting a Host's Traffic from Prevention


You can exempt hosts just from traffic prevention, while maintaining attack detection and alert generation. This is called Whitelisting. The Servers Whitelist includes hosts for which traffic with the host as the destination IP is exempt. The Clients Whitelist includes hosts for which traffic with the host as the source IP is exempt.

To exempt a host from prevention:
1. From Policy Manager's Policy Manager menu, enable Show Advanced Settings.
2. In the System Settings tab, select General Profile Settings.
3. Under Allowed Hosts, for either Servers Whitelist or Clients Whitelist, click .


4. Add the host's IP address to Selected Host Types, either by typing the address and pressing Enter, or by moving it from Recently Used Values.
5. Click OK.
6. Install Policy.
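The exemptions above, together with the Sensor Monitor-Only mode, Monitor Only and Confidence settings from Avoiding False Positives and the blacklist rules from Protection-Level Settings, as an added Python example that is not part of the original guide or of IPS-1: it models how those settings combine for one alert on an inline Sensor. The class names, the order in which the exemptions are checked (the guide states each rule but not their precedence) and the sample addresses are assumptions.

```python
"""Added example, not Check Point code: how the prevention-reducing settings
from Avoiding False Positives, Protection-Level Settings and Exempting Hosts
combine for one alert. Names, the check order and sample values are assumed."""
from dataclasses import dataclass, field
from typing import Optional

ACTIVE, UPON_CONFIDENCE, INACTIVE = "Active", "Active upon Confidence", "Inactive"
DEFAULT_DROP_CONFIDENCE = 50   # an Active protection drops at a confidence of at least 50%


@dataclass
class ProtectionSettings:
    mode: str = ACTIVE
    confidence: int = 50                # consulted only under Active upon Confidence
    monitor_only: bool = False          # "Monitor only - no protection"
    blacklist_attackers: bool = False   # advanced: "Add attackers to blacklist"


@dataclass
class ProfileSettings:
    sensor_monitor_only: bool = False       # Sensor Monitor-Only mode: alerts only
    prevention_notifications: bool = False  # "Intrusion Prevention Notifications"
    ignored_sources: set = field(default_factory=set)       # Ignored Hosts, source
    ignored_destinations: set = field(default_factory=set)  # Ignored Hosts, destination
    servers_whitelist: set = field(default_factory=set)     # exempt as destination IP
    clients_whitelist: set = field(default_factory=set)     # exempt as source IP
    blacklist_tcp_seconds: int = 0          # Blacklist TCP; 0 keeps blacklisting disabled


@dataclass
class Verdict:
    inspected: bool
    alert: bool
    prevented: bool
    would_have_prevented: bool   # the special notification for Sensor Monitor-Only mode
    blacklist_until: Optional[float]
    reason: str


def blacklist_add(blacklist, src, now, seconds):
    blacklist[src] = now + seconds      # src -> expiry timestamp


def is_blacklisted(blacklist, src, now):
    return blacklist.get(src, 0) > now


def evaluate(prot, profile, src, dst, proto, confidence, now, blacklist):
    """What one inline IPS-1 Sensor does with a connection that a protection has
    matched with the given confidence index (0-100)."""
    if src in profile.ignored_sources or dst in profile.ignored_destinations:
        return Verdict(False, False, False, False, None, "ignored host, not inspected")
    if prot.mode == INACTIVE:
        return Verdict(True, False, False, False, None, "protection inactive")
    if prot.mode == UPON_CONFIDENCE and confidence < prot.confidence:
        return Verdict(True, False, False, False, None, "below confidence index")
    # From here on the traffic is an attack and an alert is raised; what remains
    # is whether it is also prevented.
    drop_level = prot.confidence if prot.mode == UPON_CONFIDENCE else DEFAULT_DROP_CONFIDENCE
    drop_eligible = confidence >= drop_level
    exempt = None                       # assumed check order; the guide gives none
    if prot.monitor_only:
        exempt = "protection is Monitor Only"
    elif dst in profile.servers_whitelist:
        exempt = "destination on Servers Whitelist"
    elif src in profile.clients_whitelist:
        exempt = "source on Clients Whitelist"
    elif profile.sensor_monitor_only:
        exempt = "Sensor in Monitor-Only mode"
    prevented = drop_eligible and exempt is None
    # Only the Sensor mode stood in the way: that is what the notification reports.
    would_have = (drop_eligible and exempt == "Sensor in Monitor-Only mode"
                  and profile.prevention_notifications)
    until = None
    # Blacklisting: TCP only, needs a non-zero Blacklist TCP duration, and never a
    # whitelisted host (a prevented verdict already rules the whitelists out).
    if (prevented and prot.blacklist_attackers and proto == "tcp"
            and profile.blacklist_tcp_seconds > 0):
        blacklist_add(blacklist, src, now, profile.blacklist_tcp_seconds)
        until = blacklist[src]
    reason = "prevented" if prevented else (exempt or "confidence below drop level")
    return Verdict(True, True, prevented, would_have, until, reason)


def demo():
    """Constructed sample cases using RFC 5737 documentation addresses."""
    attacker, server, admin = "198.51.100.7", "203.0.113.10", "192.0.2.20"
    bl = {}
    strict = ProtectionSettings(blacklist_attackers=True)
    tuned = ProtectionSettings(mode=UPON_CONFIDENCE, confidence=80)
    base = ProfileSettings(blacklist_tcp_seconds=300)
    staged = ProfileSettings(sensor_monitor_only=True, prevention_notifications=True)
    safe = ProfileSettings(servers_whitelist={server}, ignored_sources={admin})
    verdicts = {
        "inline_tcp": evaluate(strict, base, attacker, server, "tcp", 70, 0, bl),
        "inline_udp": evaluate(strict, base, attacker, server, "udp", 70, 0, bl),
        "low_confidence": evaluate(tuned, base, attacker, server, "tcp", 70, 0, bl),
        "staged_rollout": evaluate(strict, staged, attacker, server, "tcp", 90, 0, bl),
        "whitelisted_server": evaluate(strict, safe, attacker, server, "tcp", 90, 0, bl),
        "ignored_admin": evaluate(strict, safe, admin, server, "tcp", 90, 0, bl),
    }
    return verdicts, bl
```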


System-Wide Attack Correlation


In This Section
Correlators Overview (page 89)
Defining Correlators (page 90)

Correlators Overview
You can define alerts to be triggered based on a global view of the traffic passing through all the IPS-1 Sensors in an IPS-1 system, rather than just by individual connections passing through a single IPS-1 Sensor. This is achieved by using Correlators. A Correlator triggers an alert or a specified action when the IPS-1 Management Server receives multiple alerts of specified criteria within a certain timeframe. Whereas regular protections are limited to analyzing the traffic going through a single IPS-1 Sensor, Correlators can detect patterns within the alerts of an entire IPS-1 system.

A regular protection runs on an IPS-1 Sensor and its Alerts Action (see Customizing Alerts on page 147) runs on the Alerts Concentrators. Correlators, on the other hand, run on the IPS-1 Management Server, monitoring alerts from all IPS-1 Sensors through all Alerts Concentrators. This means that an external command to be activated by a correlator must also be on the IPS-1 Management Server host.

Correlators initiate actions when they receive a specified number of alerts matching specific criteria within a specified time window. For example, a Correlator could issue an alert if it receives fifty alerts about traffic from the same Source IP within two minutes. Correlators maintain a count of the alerts they see that meet their criteria. If the count reaches the specified threshold within the specified time period, the correlator triggers the specified action. If the time window ends without the count reaching the threshold, the count is reset to zero.

There are five types of correlators:
Cluster correlators watch for alerts containing identical values within specified fields - for example, all alerts containing the same alert source signatures, regardless of what the actual value is.


Boolean correlators watch for alerts that contain a specified value - for example, all alerts containing a specific source IP address and a specific destination port.
Secondary Correlators are either Cluster or Boolean Correlators that apply their criteria only to an alert subset forwarded to them by another Correlator. The first Correlator needs to be configured to forward its matching alerts to the Secondary Correlator. The combined result is that the Secondary Correlator's specified action is activated if and only if the alerts meeting the criteria and threshold of the first (forwarding) Correlator meet the criteria (Cluster or Boolean) and threshold of the Secondary Correlator.
Scan Correlators behave like Secondary Correlators, monitoring only alerts forwarded to them. The Scan Correlator watches for alerts containing different values within specified fields (scan behavior). This can be useful in conjunction with a Cluster Correlator. For example, to identify a port scan, a Cluster Correlator could be defined to forward alerts with the same destination IP to a Scan Correlator, which would watch for alerts with different destination ports.
The Vulnerability Correlator is predefined and usually should not be edited. It correlates Nessus Scan vulnerability data with new alerts, allowing the Alert Browser to assign a compromise risk index to each alert. Compromise risk is an assessment of how successful an attack would be, based on Nessus data. For information on the Vulnerability Correlator, see Disabling Vulnerability Correlation on page 163.

Defining Correlators
In This Section
Defining a Cluster Correlator (Regular or Secondary) (page 90)
Defining a Boolean Correlator (Regular or Secondary) (page 94)
Defining a Scan Correlator (page 99)

Defining a Cluster Correlator (Regular or Secondary)


For an explanation of Secondary and regular Cluster Correlators, see Correlators Overview on page 89.

To define a Cluster Correlator:
1. From the Management menu, select Correlators. The Correlators window appears.


2. Click New, or select an existing correlator and click Edit.

3. If you are creating a new correlator, type a name and select Cluster Correlator or Secondary Cluster Correlator. Click OK.

4. In the Description tab, provide the following information:
   Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
   Window: The time period in seconds during which matching alerts are counted.

Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives, and resets this count to zero if the Threshold is not reached within the time Window.

Select Yes to enable the Correlator.

5. In the Cluster Correlator tab, select each criterion you want the correlator to use for matching. For example, if you check Alert Source, the correlator will monitor alerts with the same source.

6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.

8. In the External Programs tab, define whether the correlator, when triggered, should activate a script.

For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.

9. Click OK.

10. For a Secondary Correlator to function, alerts need to be forwarded to it from another (forwarding) Correlator.
To forward alerts to a Secondary Correlator:

a. Create or Edit the forwarding Correlator.

b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.

c. Click OK.

Defining a Boolean Correlator (Regular or Secondary)


For an explanation of Secondary and regular Boolean Correlators, see Correlators Overview on page 89.

To define a Boolean Correlator:

1. From the Management menu, select Correlators. The Correlators window appears.

2. Click New, or select an existing correlator and click Edit.

3. If you are creating a new correlator, type a name and select Boolean Correlator or Secondary Boolean Correlator. Click OK.

4. In the Description tab, provide the following information:
   Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
   Window: The time period in seconds during which matching alerts are counted.

Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives, and resets this count to zero if the Threshold is not reached within the time Window.

Select Yes to enable the Correlator.

5. In the Boolean correlator tab, define the criteria:

Create an evaluation statement using the provided tool buttons, dropdown lists, and text box (mouse over each button to see a tooltip). The available operators are:
Table 3-1

Operator   Meaning
=          Is equal to
!=         Is not equal to
>          Is greater than
<          Is less than
>=         Is greater than or equal to
<=         Is less than or equal to
IN         Is within the specified netmask value (used for IP addresses only)
NI         Is not within the specified netmask value (used for IP addresses only)

EXAMPLE 1

The following statement would cause the correlator to trigger for alerts where the source IP address is 192.168.2.3.

You can create more complex evaluation statements by combining multiple clauses and joining them with AND or OR logical operators. Use the following tool buttons to create complex evaluation statements:
   To insert another clause.
   To delete an existing clause.
   To move a clause up in the list of multiple clauses.
   To move a clause down in the list of multiple clauses.

EXAMPLE 2

The following statement causes the correlator to match on all alerts where the destination port is 88 and the IP Protocol is not EIGRP.

Note - When you insert a NOT operator or a parenthesis within a clause, it will display in the statement window. To remove a NOT operator or a parenthesis, click the appropriate tool button (for example, the tool button that has the exclamation point with the slash through it removes the NOT operator).
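Example 1, Example 2 and the Table 3-1 operators evaluated against constructed sample alerts, as an added example (not Check Point's code; the IPS-1 GUI builds statements with tool buttons, this model parses them as text). The field names src_addr, dst_addr, dst_port and ip_proto are assumptions.

```python
"""Evaluator for Boolean Correlator statements (added example, not Check Point's
code): the Table 3-1 operators plus AND, OR, NOT and parentheses. Field names
such as src_addr are assumptions; the IPS-1 GUI builds statements with buttons."""
import ipaddress
import operator
import re

OPERATORS = {
    "=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le,
    # IN / NI: within / not within the netmask (IP address fields only)
    "IN": lambda v, net: ipaddress.ip_address(v) in ipaddress.ip_network(net, strict=False),
    "NI": lambda v, net: ipaddress.ip_address(v) not in ipaddress.ip_network(net, strict=False),
}
# Keywords carry a word boundary so a value such as "INTERNAL" is not split.
TOKEN = re.compile(r"\s*(\(|\)|!=|>=|<=|=|>|<|AND\b|OR\b|NOT\b|IN\b|NI\b|[^\s()]+)")


def tokenize(statement):
    tokens, pos, text = [], 0, statement.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class Parser:
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of statement")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def binary(self, keyword, operand):
        node = operand()
        while self.peek() == keyword:   # left-associative chain of clauses
            self.take()
            node = (keyword, node, operand())
        return node

    def expr(self):
        """OR of AND-terms: AND binds tighter than OR, NOT tighter than both."""
        return self.binary("OR", lambda: self.binary("AND", self.unary))

    def unary(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, op, literal = self.take(), self.take(), self.take()   # one clause
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        return (op, field, literal)


def evaluate(node, alert):
    kind = node[0]
    if kind == "NOT":
        return not evaluate(node[1], alert)
    if kind in ("AND", "OR"):
        left, right = (evaluate(child, alert) for child in node[1:])
        return (left and right) if kind == "AND" else (left or right)
    op, field, literal = node
    if field not in alert:
        return False                 # a field the alert lacks never matches
    actual = alert[field]
    if isinstance(actual, int):
        literal = int(literal)       # numeric fields compare numerically
    return OPERATORS[op](actual, literal)


def select(statement, alerts):
    """Indexes of the alerts that the statement would make the correlator match."""
    parser = Parser(tokenize(statement))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [i for i, alert in enumerate(alerts) if evaluate(tree, alert)]


ALERTS = [  # constructed sample alerts
    {"src_addr": "192.168.2.3", "dst_addr": "10.1.1.10", "dst_port": 88, "ip_proto": "TCP"},
    {"src_addr": "192.168.9.7", "dst_addr": "10.1.1.10", "dst_port": 88, "ip_proto": "EIGRP"},
    {"src_addr": "172.16.0.4", "dst_addr": "10.1.1.11", "dst_port": 443, "ip_proto": "TCP"},
]
EXAMPLE_1 = "src_addr = 192.168.2.3"                # Example 1 in the guide
EXAMPLE_2 = "dst_port = 88 AND ip_proto != EIGRP"   # Example 2 in the guide
```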

6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.

8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable.

For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.

9. Click OK.

10. For a Secondary Correlator to function, alerts need to be forwarded to it from another (forwarding) Correlator.

To forward alerts to a Secondary Correlator:

a. Create or Edit the forwarding Correlator.

b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Secondary Correlator from the Available Correlators list to the Selected Correlators list.

c. Click OK.

Defining a Scan Correlator


For an explanation of Scan Correlators, see Correlators Overview on page 89.

To define a Scan Correlator:

1. From the Management menu, select Correlators. The Correlators window appears.

2. Click New, or select an existing correlator and click Edit.

3. If you are creating a new correlator, type a name and select Scan Correlator. Click OK.

4. In the Description tab, provide the following information:
   Threshold: Number of matching alerts that must be received within the time window to trigger the correlator.
   Window: The time period in seconds during which matching alerts are counted.

Note - The Threshold and Window fields work together. The correlator maintains a count of matching alerts it receives, and resets this count to zero if the Threshold is not reached within the time Window.

Select Yes to enable the correlator.

5. In the Scan Correlator tab, select the fields which should be monitored to detect scans.

6. In the Alert Settings tab, define whether the correlator, when triggered, should generate an alert, and set the priority of the alert. This alert will appear in the Alert Browser.

7. In the Alert Forwarding tab, select other Correlators to which to send alerts that match this Correlator.

8. In the External Programs tab, define whether the correlator, when triggered, should activate a script or executable.

For the correlator to run the program only once, when it reaches the threshold, select One Shot. Otherwise, the correlator will continue running the program each time an alert is matched during the time window. You can Insert another line in which to type an additional command to be activated. Note that this is resource-intensive.

9. Click OK.

10. For the Scan Correlator to function, alerts need to be forwarded to it from another (forwarding) Correlator.

To forward alerts to a Scan Correlator:

a. Create or Edit the forwarding Correlator.

b. In the forwarding Correlator's Alert Forwarding tab, select Forward Matching Alerts, and move the Scan Correlator from the Available Correlators list to the Selected Correlators list.

c. Click OK.

Firewall-Style Access Control


IPS-1 enables firewall-style access control with inline IPS-1 Sensors at relevant network locations. For regular (non-Power) Sentivist and IPS-1 Sensors of versions 5.0-5.0.6, the current version of IPS-1 management provides a firewall rule editor in GUI form. For details, see IPS-1 Firewall GUI on page 104. For Sentivist Sensors of versions prior to 5.0, for IPS-1 NGX Sensors, and for Power Sensors, firewall settings are configured only in the Policy Settings Protocol. For details, see Policy Settings on page 105.

In This Section
IPS-1 Firewall GUI: page 104
Policy Settings: page 105

IPS-1 Firewall GUI


In newer IPS-1 Sensors, use the Rule Editor GUI for configuring Firewall access controls. This section is only for regular (non-Power) Sentivist and IPS-1 Sensors of versions 5.0-5.0.6. For Sentivist Sensors of versions prior to 5.0, IPS-1 NGX Sensors, or Power Sensors, see Policy Settings on page 105.
Warning - This functionality is for advanced users and is very resource-intensive. Use it only as necessary.

Configuring IPS-1 Firewall


To configure IPS-1 Firewall:

1. In Policy Manager's Policy Manager menu, point to Advanced, and enable Show Advanced Settings.

2. In the Protection tab, in the left-hand navigation tree, select IPS-1 Firewall.

3. In the profile list, select a protection profile. The firewall settings you configure will apply to IPS-1 Sensors associated with this profile. Existing rules, if any, appear in the lower pane.

4. Click Edit. The Rule Editor opens.

5. Click New to add a rule. To edit a value in the rule, click a cell. Then select or enter the relevant value(s).

You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, thus automatically affecting all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros. See Macros on page 105.

To change the logical Rule order according to which the IPS-1 Sensor will examine traffic, change the order of the Rules by selecting rules and clicking the Up and Down buttons.

6. Click OK, and Install Policy.

Macros
You can preconfigure groups of values to be inserted as objects into a rule cell. You can subsequently change these groups' values, thus automatically affecting all rules in which they appear. In IPS-1 Firewall, these value groups are called Macros.

To create a Macro:

1. In the Macros tab, click New.

2. Select the type of values to be included in the set and type a name for the Macro.

3. Click the Macro Value cell.

4. Type a single value and press Enter, or click to open a value editor.

The Macro will now appear in value editors for relevant rule values.

Policy Settings
In newer IPS-1 Sensors, use Policy Settings to configure firewall functionality. For regular (non-Power) Sentivist and IPS-1 Sensors of versions 5.0-5.0.6, firewall functionality is more easily configured in the IPS-1 Firewall GUI. See IPS-1 Firewall GUI on page 104 for details.

Warning - This functionality is for advanced users and is very resource-intensive. Use it only as necessary.

To configure Policy Settings:

1. In Policy Manager's Policy Manager menu, point to Advanced and enable Show Advanced Settings.

2. In the Protection tab, in the left-hand navigation tree, under Network Security, expand Policy Settings and select Policy Configuration Settings.

3. Read the help text information in the lower-right pane. Follow the instructions to configure rules in Policy Configuration Settings.

4. Install Policy.

Chapter 4 Alert Monitoring and Analysis


In This Chapter
Overview: page 108
The Alert Browser and History Browser: page 109
Alert Management Tools: page 127
The Timeline Window: page 134
Creating Alert Graphs: page 140
Customizing Alerts: page 147

Overview
The IPS-1 Management Dashboard incorporates a number of different windows in which you can monitor alert activity. These are:

Alert Browser and History Browser: Display detailed alerts in a customizable window of spreadsheet-type rows of alerts. The Alert Browser displays streaming, filterable alerts as they are generated and received. History Browser snapshots are frozen versions of the Alert Browser, showing alerts for a specified time frame. The Alert Browser and History Browser incorporate management tools for alert analysis.

Timelines: Display multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for comparison between multiple alert categories.

Graphs: Customizable graphs depicting total or categorized alert activity level by time, or alert value frequency by specified alert fields. All graphs change dynamically as alerts come in, and can be frozen as a saved snapshot or printed.

The Alert Browser and History Browser


The Alert Browser and History Browser display detailed alerts in a customizable window of spreadsheet-type rows of alerts. The Alert Browser displays streaming, filterable alerts as they are generated and received. History Browser snapshots are frozen versions of the Alert Browser, showing alerts for a specified time frame. The Alert Browser and History Browser incorporate management tools for alert analysis.

In This Section
The Alert Browser Window: page 110
Working in the Alert Browser: page 113
Viewing History Browser Snapshots: page 125

The Alert Browser Window


The Alert Browser appears when you log into the IPS-1 Management Server with the IPS-1 Management Dashboard:
Figure 4-1 Alert Browser

In This Section
Window Areas: page 111
Hiding Window Panels: page 111
Toolbar Buttons: page 112

Window Areas
The main window areas are:

All Alerts panel: Each row represents an alert or group of alerts received by the IPS-1 Management Dashboard. Each column displays values for a particular field. You can customize the fields (columns). See Adding or Removing Columns on page 114.

Hold panel: The held alerts panel displays alerts that you have selected to hold for the current session.

Show only / Hide these alerts field trees (on the left): Used to filter the alerts that appear in the alerts panel. See Filtering Alerts by Field Values on page 120.

Status Summary: This area in the lower left-hand corner of the window shows the distribution of current alerts by priority (red=high; yellow=medium; green=low):

Hiding Window Panels


Alert Browser window panels, including the filter trees, can be hidden or restored, by using the little arrow heads between panels.

Toolbar Buttons
In addition to the buttons on the right end of the toolbar, which are common to all of the main IPS-1 Management Dashboard windows, the Alert Browser toolbar contains the following buttons:
Table 4-1

Undo a change to the filter tree.
Redo an undone filter change.
Interrupt loading alerts.
Split into panels of alerts grouped by priority.
Mark selected alert(s) as read.
Unmark as read - remove the read mark from selected alert(s).
Display alerts for prevented attacks in a separate panel.
Display ignored (filtered out) alerts in a separate panel.
Change the time span for displayed alerts.
Create a History Browser snapshot of the Alert Browser's current time period.

Working in the Alert Browser


In This Section
Organizing Alerts and Alert Field Columns: page 113
Adding or Removing Columns: page 114
Selecting Multiple Alerts: page 117
Alert Grouping: page 118
Splitting the Alert Browser Window by Priority: page 119
Limiting the Number of Alerts: page 120
Changing the Alerts Time Span: page 120
Filtering Alerts by Field Values: page 120
Viewing Ignored Alerts: page 124
Saving Customized Views: page 124
Copying Alerts to the Clipboard: page 124

Organizing Alerts and Alert Field Columns


Alerts in all panels follow the same column order. However, in some configurations, the column headings may not appear above all panels.

Alerts are ordered according to a left-to-right hierarchy of columns. Alerts become ordered meaningfully when the column order reflects a meaningful hierarchy of data. Each field can be sorted in either ascending or descending order. An example of a common column order is:

Priority
Protocol Name
Destination IP
Destination Port

In this example, the highest level of ordering would be by priority. Same-priority alerts would be internally arranged by Protocol Name; same-Name alerts by Destination IP, and so on. This configuration allows a user to easily locate a particular alert and determine which hosts have been attacked. Alerts are shaded in different shades of gray, indicating grouping of data values. Groups of rows with like values are similarly shaded. The shading is useful in quickly discovering patterns of alerts. To move a column, drag the column heading. To toggle between the ascending and descending sort order for a column, click the column heading. To add or remove a column, see below.

Adding or Removing Columns


Not all available alert fields are displayed by default. To add or remove alert field columns: 1. From the Alert Browser menu, select Show/Hide Columns:

2. From the list of available fields, select the desired ones. Click OK.

Newly added columns appear to the right of existing ones, keeping the current alert order intact.

You can also add or remove columns by right-clicking any column heading and selecting Show/Hide Columns. You can also remove a column by right-clicking its heading and then selecting Hide <field> Column.

Available alert fields are:
Table 4-2

Column Name: Column Description

Alert GUID: An identifier for the alert type, unique across all databases
Alert ID: An identifier for this specific alert, unique in the IPS-1 Management Server database
Alert Origin: The IPS-1 component, typically a Sensor, that generated the alert
Alert Source: The Alerts Concentrator that recorded the alert
Alert Type: Alert source type - one of the following:
    Network: an alert related to network traffic, from the Alerts Concentrator, based on information from the Sensor
    Correlator: an alert related to network traffic, based on a Correlation by the IPS-1 Management Server
    System: a system message from the Sensor or the Alerts Concentrator
    IPS-1 Management Server: a system message from the IPS-1 Management Server
    Audit: an audit alert from the Alerts Concentrator
Annotation: Indicates whether an alert has comments
CVE List: A list of CVE IDs, if any, associated with a particular attack. A CVE ID is the ID of a particular vulnerability as defined by the U.S. National Institute of Standards and Technology's (NIST, http://csrc.nist.gov/) National Vulnerability Database (NVD, http://nvd.nist.gov/).
Compromise Risk: An assessment of how successful an attack would be, based on vulnerability data. To populate this field, you must have uploaded vulnerability data - see Vulnerability Detection and Defense on page 153. See Viewing Compromise Risk in the Alert Browser on page 162.
Confidence Level: The likelihood that the Protection has detected an actual attack or problem, rather than being a false positive
Create Date: The time and date that the alert was stored in the alert database
Description: The alert description
Destination Address: The traffic's destination IP address
Destination OS: The operating system of the traffic's destination
Destination Port: The traffic's destination port number
File Name: The file name from the traffic, when the alert was caused by a file-related protection
IP Family: IPv4 or IPv6
IP Protocol: The traffic's IP protocol
Impact: The possible impact of the activity that generated the alert, such as Denial of Service or Information Gathering
Packet Interface: The Sensor interface into which the traffic entered
Prevented: Whether the traffic that triggered the alert was prevented
Priority: The alert priority: High (red), Medium (yellow), or Low (green)
Protection Group: The protection group that detected the attack
Protection Name: The protection that detected the attack, or the system message name
Protocol: The Protocol that the Protection Group belongs to, as grouped in Policy Manager
Read By: Username and main IP of the user who marked the alert as read
Sense Time: The time the IPS-1 Sensor generated the alert
Sensor Mode: The mode of the Sensor that generated the alert - one of the following:
    IDS (passive)
    IPS (inline, fail-closed)
    IPS (inline, fail-open)
    IPS Monitor-Only (inline, fail-open)
    Unavailable (a legacy mode)
Source Address: The traffic's source IP address
Source OS: The operating system of the traffic's source
Source Port: The traffic's source port
Username: Username from the traffic; typically available when the alert is from an authentication-related protection
Virtual LAN ID: The traffic's VLAN ID

Selecting Multiple Alerts


To apply a menu or toolbar command to a block of alerts, click the first alert and then shift+left-click the last alert. To select multiple discontinuous alerts, control+left-click each alert. To apply a context-menu (right-click) command to the block of alerts, control+right-click the last one.

Alert Grouping
The Alert Browser can group similar alerts together into one row, according to configurable criteria. By default, Alert Grouping is disabled. When Alert Grouping is enabled, a Count column appears as the first column of the Alert Browser. This column contains the number of alerts that have been combined into the row, and a plus sign (+) with which you can expand the grouped alerts. The grouped alerts can then be collapsed with the (-) sign. In the alert field columns of the combined row, the values are those of the first alert. The configurable Grouping Level value defines grouping behavior. If the Grouping Level is set to n, Alert Grouping combines into one row alerts with identical values in the first n fields. For example, if Priority is the first column, and Alert Name is the second, and the Grouping Level is 2, then all alerts that have the same priority and name will be grouped into a single row. You can change grouping behavior either by rearranging columns or by changing the Grouping Level.
Figure 4-2 Alert Grouping

In the above figure, the Grouping Level is 3, so grouped alerts have identical Priority, Protocol, and Protection Group.

To enable Alert Grouping:

1. Arrange columns so that fields you want grouped for identical values are on the left.

2. Do one of the following:
   From the Alert Browser menu, select Alert Grouping. Select a Grouping Level, and click OK.
   Right-click in an alert, on the right-most column you want grouped for identical values, and select Group To <field>.

Splitting the Alert Browser Window by Priority


Alerts can be separated into separate panes by priority. This causes alerts to be arranged by priority, but still lets you view all three priority levels in the same window. Alerts are displayed in four separate panels: one for each priority level and one for held alerts. You can scroll through each panel independently. To split the Alert Browser window into panes by priority, click the Split by Priority button:

To revert to the previous appearance, click the button again.

Limiting the Number of Alerts


Large numbers of alerts entering the IPS-1 Management Dashboard could exhaust memory resources. To avoid this problem, the Management Dashboard prevents more than a defined number of Maximum Alerts from entering. The maximum (and default) value is 30,000. In some cases, such as when running numerous Alert Browsers and Timelines, you should reduce the number.

To change the number:

1. From the Alert Browser menu, select Maximum Alerts.

2. Type a value, and click OK.

Changing the Alerts Time Span


By default, IPS-1 Management Dashboard displays alerts that occurred within the past hour.

To change the alerts' Time Span:

1. From the Alert Browser menu, select Set Time Span (or click the Set Time Span button).

2. Select the time span (number and units) and click OK. If you made the time span longer than it previously was, you may have to wait as additional alerts are loaded.

Filtering Alerts by Field Values


In This Section
Overview: page 121
Applying Filter-In Values: page 121
Applying Filter-Out Values: page 121
Undoing Filter Changes: page 121
Applying Filter Values From an Alert: page 122
Filtering-In a Single Value in a New Alert Browser Window: page 122
Copying and Pasting Filter Settings: page 123

Overview
By default, IPS-1 Management Dashboard displays all alerts received by the IPS-1 Management Server within the defined time span. You can filter alerts according to any combination of alert field values. For a particular Filter Field, you can either define Filter-In values, to view only alerts with those values, or Filter-Out values, to exclude alerts with those values. Filter-In values are defined using the upper filter tree, whereas Filter-Out values are defined using the lower filter tree. For example, if you want to see only medium and high priority alerts from one particular Server, you could define that server's IP address as a Filter-In value for the Src Addr field, and Low as a Filter-Out value for the Priority field.

Applying Filter-In Values


To define and apply Filter-In values:

1. In the upper filter tree, if the Filter Field has a plus sign (+) next to it, expand it to see already defined filter values.

2. Select values you want to view, and clear values to filter out.

3. To define an additional value to view, select and right-click the Filter Field. Type or select a value, and click OK.

4. Below the upper filter tree, click Apply.

Applying Filter-Out Values


To define and apply Filter-Out values:

1. In the lower filter tree, if the Filter Field has a plus sign (+) next to it, expand it to see already defined filter values.

2. Clear values you want to view, and select values to filter out.

3. To define an additional value to filter out, select and right-click the Filter Field. Type or select a value, and click OK.

4. Above the lower filter tree, click Apply.

Undoing Filter Changes


To undo filter changes, either clear filter values, or click Undo, and then click Apply. You can do this multiple times to undo multiple filter changes.

To clear all filters and bring back all alerts, below the upper filter tree, click Clear.

Applying Filter Values From an Alert


If you have an actual alert with a value you want to filter in or filter out, you can define a filter according to that value, as follows:

1. Select and right-click the alert cell with the value to be filtered in or filtered out.

2. From the context menu, select Filter In <Field (<Value>)> or Filter Out <Field (<Value>)>, where <Field> is the Filter Field, and <Value> is the value to be filtered. The value is added to the filter tree in red and already selected.

3. Click Apply.

Filtering-In a Single Value in a New Alert Browser Window


You can, with one action, launch a new active Alert Browser window with filter settings adjusted to show only alerts with one particular value in a particular Filter Field.

To open a new Alert Browser with a single value filtered-in:

1. Select and right-click an alert cell with the desired filter-in value.

2. From the context menu, select Track <Field (<Value>)>, where <Field> is the Filter Field and <Value> is the value to be filtered in.

A new window appears with a panel displaying only alerts with the specified value.

Copying and Pasting Filter Settings


You can copy and paste the filter values and settings (enabled or disabled) of one or more filter fields, between any two upper or lower filter trees of the Alert Browser, History Browser, or a Timeline. You can also paste the settings into a text file to be shared between users.

To copy and paste filter values and settings:

1. In a filter tree, select one or more filter fields. You can right-click and select Select All.

2. Right-click and select Copy.

3. In another filter tree (in the same or a different window), right-click and select Paste.

Note - Existing values in the target tree will not be automatically removed. An existing value with the same name as a pasted one, but a different setting (enabled/disabled), will be overwritten.

Viewing Ignored Alerts


Alerts that have been removed from the display by filters are hidden, not deleted. You can view these alerts in a separate alert panel. To view these ignored alerts in a separate panel, click the Split by Ignored button.

Only alerts from the last ten minutes appear in the ignored alerts panel. To remove the panel, click the button again.

Saving Customized Views


Once you have customized the Alert Browser window to suit your needs, you can save your column and filter settings and use them again by creating Views. You can have multiple Views open simultaneously. Views are saved on the IPS-1 Management Server and can be accessed from different IPS-1 Management Dashboard hosts. Views are saved by user and cannot be shared between users.

Use the following File menu commands to manage Views:

Open View
Delete View
Save View
Save View As: Name and save a view

When naming a view, the Save View As window gives the option of making it the default View, the view which is displayed when the Alert Browser is opened:

Copying Alerts to the Clipboard


You can copy one or more alerts, or individual cells, to the clipboard for use with other applications, such as MS Word or Excel. Copy commands are available from the context (right-click) menu. To select multiple alerts, see Selecting Multiple Alerts on page 117.
Viewing History Browser Snapshots


History Browser snapshots are static versions of the Alert Browser, showing alerts for a specified time frame. Filtering and other Alert Browser features apply to History Browser as well.

In This Section
Launching a History Browser: page 125
Opening a History Browser Window from a Timeline: page 125
Changing the History Browser Time Frame: page 126

Launching a History Browser


You can open a History Browser window with current Alert Browser column, filter, time span and other settings; or with default settings. In both cases, the History Browser initially displays alerts from a static time frame ending in the time it was launched. Subsequently, you can change the time frame. To open a History Browser window with the current Alert Browser column and filter settings, in the Alert Browser, click the History Browser button:

To open a History Browser window with default settings, from the File menu, select New History Browser.

Opening a History Browser Window from a Timeline


For information on Timelines, see The Timeline Window on page 134. You can, in one action, open a History Browser window from a timeline window for a time frame corresponding to an alert cluster or a segment of a timeline, filtered according to the timeline category. For example, from a timeline of inside-to-outside alerts, you can open a History Browser with filters set to show only inside-to-outside alerts, limited to alerts with Sense Times corresponding to an alert cluster or a selected segment of the timeline. To open a History Browser window from a timeline, for a time segment of the timeline:

Chapter 4

Alert Monitoring and Analysis 125

1. From an active timeline window, drag a selection box around alerts on a segment of a timeline.
2. Right-click in the selection box, and select View Selected Alerts. The desired History Browser opens.

To open a History Browser window from a timeline alert cluster:
1. In an active timeline window, enable Cluster Alerts and set the clustering Resolution.
2. Double-click an alert cluster. The desired History Browser opens.

Changing the History Browser Time Frame


To change the time range for the alerts being shown:
1. In the History Browser window, in the upper filter tree, expand Sense Time.
2. Clear or Remove the default Sense Time value.
3. Select and right-click Sense Time, and select New Sense Time.
4. Use the controls or type a Start Time and an End Time. To insert the current time into either field, click Now.
5. Click OK, and Apply.

Alert Management Tools


In This Section
Viewing Alert Details (page 127)
Packet Capture and Viewing (page 129)
Using Alerts to Modify Protection Settings (page 130)
Holding an Alert (page 131)
Marking Alerts as Read (page 131)
Annotating Alerts (page 132)

Viewing Alert Details


You can view the complete details of an alert. To view complete alert details, in an Alert Browser, History Browser or Timeline, select and right-click an individual alert, then select Alert Details. Alternatively, double-click the alert.


Figure 4-3 Alert Details window

The fields shown in Alert Details depend on the alert type. In general, all fields from the alert browser are shown, including hidden fields. After a brief pause, additional fields may become visible as they are retrieved from the Alerts Concentrator. With Alert Grouping, Alert Details for a grouped row will display information for the first alert. The other alerts of the group will appear in an additional pane of the Alert Details window:


Figure 4-4 Grouped Alerts Pane

From Alert Details, you can do one of the following:
Copy the entire window contents to the clipboard (if you then paste into a spreadsheet application such as MS Excel, only the Details section is pasted).
Show Raw Packets: see Packet Capture and Viewing on page 129.
View Vulnerability Info: this feature is enabled only if vulnerability data has been uploaded. See Vulnerability Detection and Defense on page 153.

You can enable the traffic's source hostname to appear in the Alert Details, as follows:
1. From the Tools menu, select User Preferences.
2. Under Alert Details, select Allow reverse DNS lookup.
3. Click OK.
The lookup is made from the Dashboard machine, and the PTR record it returns is controlled by whoever runs the reverse zone for that address, so treat the hostname as a hint rather than as an identity.

Packet Capture and Viewing


You can view an alert's raw packets with Ethereal/Wireshark or any third-party packet capture utility that can accept PCAP files on its command line. The utility must be installed on the machine running the IPS-1 Management Dashboard. You can configure which protections should capture packets, and for each protection profile, how many packets should then be captured. The captured packets are attacker-supplied data, so keep the viewing utility patched: a parser bug in the viewer is exactly what a hostile payload can reach.

Setting Up Packet Capture and Viewing


To set up viewing raw packets:
1. From the Tools menu, select User Preferences.
2. Under Packet Capture, provide the following:
Path to Packet Capture Utility: the path to the executable of the packet capture utility.
Working Directory: where the packet capture files will be stored.
3. Click OK.
4. In Policy Manager's System Settings tab, in the left-hand navigation tree, select General Profile Settings.
5. For each defined protection profile (for example, Default_Protection):
a. Under Profile, select the protection profile.
b. Under Other Critical Information, for Number of Packets to capture per attack, click the value's edit button and type the number of packets to be captured.
c. Click OK.
6. For each enabled protection that you want to capture packets, in Policy Manager's Protection tab, navigate to the protection's page and select Enable Packet Capture.
7. Install Policy on all Sensors.

Viewing an Attack's Packets


Once packet capture and viewing has been set up and alerts have been generated, you can view the attack packets. To view an alert's attack packets:
1. In an Alert Browser, History Browser or Timeline window, double-click an individual alert to display Alert Details.
2. Click Show Raw Packets.
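As an added example, not code from this guide or from Check Point, the following Python reader parses the libpcap files that the Dashboard stores in the Working Directory and hands to the configured viewer. It checks the global-header magic in both byte orders, refuses records that exceed the snaplen or run past the end of the file, and can be pointed at a capture from the command line. The sample capture it builds, and the frame contents in it, are constructed for the demonstration.

```python
"""Added example: a minimal libpcap reader for the capture files IPS-1 passes to the
configured packet viewer. The sample capture at the bottom is constructed here."""
import struct
import sys
from typing import List, Tuple

# Global-header magic values: microsecond and nanosecond variants, both byte orders.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}

Packet = Tuple[float, int, bytes]  # (timestamp in seconds, original length, captured bytes)


def parse_pcap(data: bytes) -> Tuple[int, List[Packet]]:
    """Return (link type, packets). Malformed or truncated input raises ValueError
    instead of being silently cut short, so a short capture is noticed."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    try:
        endian, ticks_per_second = _MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a pcap file (magic {data[:4].hex()})") from None
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets: List[Packet] = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"corrupt record at offset {offset}: incl_len={incl_len}")
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        packets.append((ts_sec + ts_frac / ticks_per_second, orig_len, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets


def build_pcap(frames: List[Tuple[int, int, bytes]], linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Writer used only to construct the sample: little-endian, microsecond timestamps."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, payload in frames:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)


# Constructed sample: two Ethernet-framed records (link type 1) with made-up contents.
SAMPLE_FRAMES = [
    (1236466800, 123, bytes.fromhex("ffffffffffff001122334455080600010800060400010011223344550a000001")),
    (1236466800, 250000, b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + b"\x00" * 46),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


def summarize(data: bytes) -> str:
    """One-line summary, useful to confirm the per-attack packet count that was configured."""
    linktype, packets = parse_pcap(data)
    longest = max((orig for _, orig, _ in packets), default=0)
    return f"linktype={linktype} packets={len(packets)} longest={longest}"


if __name__ == "__main__":
    # Usable as a stand-in "packet capture utility": python pcap_summary.py <file.pcap>
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(summarize(raw))
```

Pointing the Path to Packet Capture Utility at a script like this is a quick way to confirm that the Number of Packets to capture per attack you configured is what actually lands on disk, before handing the same files to a full dissector.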

Using Alerts to Modify Protection Settings


IPS-1 Sensors generate alerts based on the configuration of the protections in the profile that is applied to the Sensor. Based on analysis of the alerts, you may decide that the protection settings must be modified to more effectively detect or prevent suspicious traffic. From an alert, SmartDefense allows you to display the protection settings page of the enforced profile. This feature allows you to quickly apply the lessons learned from an alert and immediately improve the effectiveness of your intrusion defenses.

Editing Protection Settings from an Alert


To edit the protection settings of the protection that generated a specific alert:
1. Open the IPS-1 Alert Browser or History Browser.
2. Select an alert.
3. Right-click and select Edit Protection Settings. The IPS-1 Policy Manager window appears, displaying the protection that generated the alert, with the active profile selected.

Holding an Alert
As you view alerts, you can set one or more aside, or hold them, for further investigation. Held alerts are copied to a separate Hold panel of the Alert Browser or History Browser. They are held until the end of the current session and are not affected by the time-frame limits or other filters applied to non-held alerts. As with all Alert Browser / History Browser panels, you can hide the Hold panel: at the bottom of the panel, click the up arrow.

To hold an alert, right-click it and select Hold. To remove an alert from the Hold panel, right-click it and select Remove Hold.

Marking Alerts as Read


When you are done reading an alert, you can mark it as read. A strikethrough appears through an alert marked as read.

To mark an alert as read, right-click the alert and select Mark as Read, or select the alert and, in the toolbar, click the Mark as Read button.

To hide alerts that are marked as read:
1. In the Hide these Alerts panel, select Read By.
2. Right-click Read By and select New Read By.
3. In the field under the Read By Entry list, type *@* and press Enter.
4. Click OK.
5. Click Apply.
The *@* pattern matches any Read By value, so alerts that have been read by anyone are now filtered out of the Alert Browser.

To remove the strikethrough from an alert, right-click the alert and select Unmark as Read, or select the alert and, in the toolbar, click the Unmark as Read button. Both commands can also be accessed from the Alert Browser menu.

Annotating Alerts
You can add comments to one or more alerts for future reference, as follows:
1. Select one or more alerts, right-click them and select Annotate.
Figure 4-5 New Annotation
2. Provide a title and select a status. Other fields are optional.
3. To add more alerts to the annotation, click Add Alerts. Select alerts and click Add Alerts. To remove an alert from the annotation, select the alert and click Remove Alerts.
4. Click OK.
To see or edit the annotation for an alert, right-click the alert and select Annotate again. To see a checkmark in the Alert Browser for each annotated alert, display the Annotation column.

The Timeline Window


In This Section
Overview (page 134)
Opening the Timeline Window (page 135)
Creating the Default Timeline Set (page 136)
Configuring Timelines and Views (page 138)
Viewing Detailed Alerts from a Timeline Window (page 139)

Overview
The Timeline window displays multiple dynamic timelines of categorized alerts. Timelines are useful for time-sensitive analysis and for easy comparison between multiple alert categories.

Alerts are color-coded according to Priority:
Red: High
Yellow: Medium
Green: Low

You can scroll the view along the timelines to view past history. Use the scroll arrow buttons at the top of the window to move backward and forward along the timeline.

Use the Return to Now button to return to the current time.

Each timeline can be filtered separately, enabling separate categories of alerts. For details see Filtering Timelines on page 138.

A Timeline Configuration Wizard prompts for your network and server addresses, and accordingly creates a Default set of timelines. Timelines can then be customized, or you can create your own timelines. For details see Creating the Default Timeline Set on page 136.

You can add, remove, copy and paste, rename and rearrange timelines. To access these commands, select and right-click an individual timeline.

Sets of configured timelines can be saved as views, similar to the Alert Browser. To manage views, use commands from the File menu.

Alerts along timelines can be individually represented, or clustered. For details see Clustering Timeline Alerts on page 138.

Opening the Timeline Window


To open a timeline window, from the File menu, select New Timeline. Or, from any IPS-1 Management Dashboard window, click the Launch Timeline view button.

The first time the Timeline window is opened, the Timeline Configuration wizard appears. You can subsequently access the wizard from the Timeline menu. For details see the following section, Creating the Default Timeline Set on page 136.

Creating the Default Timeline Set


The Timeline Configuration wizard prompts for your network's values, which are used to filter the alerts for the default set of timelines. Providing the wizard with all the requested values results in a Timeline view with the following Timelines:
Network Alerts: Alerts related to network traffic, from the Alerts Concentrator, based on information from the Sensor.
System Alerts: System messages from the Sensor or the Alerts Concentrator.
Correlator Alerts: Alerts related to network traffic, based on a correlation of alerts by the IPS-1 Management Server.
Inside-to-Outside Alerts: Alerts triggered by traffic from the internal network to outside hosts.
Outside-to-Inside Alerts: Alerts triggered by traffic from outside the internal network.
Inside-to-Inside Alerts: Alerts triggered by traffic where both source and destination IP addresses are internal.
Email: Alerts triggered by traffic where the destination IP address is the email server.
DNS: Alerts triggered by traffic where the destination IP address is the DNS server.
FTP: Alerts triggered by traffic where the destination IP address is the FTP server.
Web: Alerts triggered by traffic where the destination IP address is the web server.
The wizard also prompts for another special network name and address, and if provided, accordingly creates an additional timeline.

Timelines and views can be further customized.

To create some or all of the above timelines:
1. Open a Timeline window. The first time the Timeline window is opened, the Timeline Configuration wizard appears. Otherwise, access the wizard from the Timeline menu.
2. In each wizard page, type network addresses, Add them, and click Next. The Timeline Configuration wizard pages prompt for the following network addresses:
Internal Network
Email server
DNS server
FTP server
Web server
Other server: In this page, type a name for the Server Type as well.
3. In the Save View page, type a name for the view, and choose whether this should be the default view for Timeline windows.
4. Click Finish. The configured Default Timeline set appears.

Configuring Timelines and Views


Filtering Timelines
Each Timeline in a Timeline window can be configured by filtering the alerts it displays. Each Timeline has its own set of filters. To access a timeline's filter trees, above the filter trees, click the tab corresponding to the timeline. Use the filter trees in the same way as in the Alert Browser. For details, see Filtering Alerts by Field Values on page 120.

Clustering Timeline Alerts


Alerts along timelines can be individually represented, or clustered into small pie graphs. When alerts are clustered, each cluster pie section represents one Priority value: High (red), Medium (yellow), or Low (green). You can determine the clustering Resolution. Each cluster represents all of the alerts from a time span equal to the Resolution value.

To cluster alerts, select Cluster Alerts, and set the Resolution.

Viewing Detailed Alerts from a Timeline Window


You can view details for one or more alerts in a timeline window by opening a History Browser for them. For details, see Opening a History Browser Window from a Timeline on page 125. Alternatively, you can copy alerts to the clipboard for export to external applications. Drag a selection box around a segment of a timeline, and then right-click in the box and select Copy Selected Alerts.

Creating Alert Graphs


In This Section
Overview (page 140)
Creating an Activity Level Graph (page 140)
Creating Pick Graphs (page 142)
Creating a Top n Graph (page 144)
Saving Graphs (page 146)
Printing a Graph (page 146)

Overview
You can create customizable alert graphs. Graphs change dynamically as alerts come in, and can be frozen as a saved snapshot, or printed. There are three types of alert graphs:
An Activity Level graph plots the total alert activity level by time.
A Pick Graph plots the alert activity level by time, limited to alerts with a specific value for a particular alert field. You can simultaneously view multiple Pick Graphs for a specified alert field. For example, you could compare the alert activity levels for three different source IPs.
A Top n Graph is a bar graph that plots alert frequency by specified alert values. For example, the top three most-active source IPs.

You can save, configure and modify all of these graphs.

Creating an Activity Level Graph


An Activity Level graph plots total alert activity level by time.

To create an Activity Level graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, select Activity Level.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
4. Set the following:
Graph Resolution: The time span represented by each scale mark on the X-axis.
Graph is green for alert counts less than: When the highest alert count in the displayed graph is less than this number, the entire graph is green. Otherwise, it is yellow or red.
Graph is yellow for alert counts less than: When the highest alert count in the displayed graph is less than this number, but equal to or more than the previous setting, the entire graph is yellow. If it is equal to or more than this number, the graph is red.
Show as Area Graph: When selected, the area under the graph line is filled.
5. Click OK.

Creating Pick Graphs


You can simultaneously view multiple Pick Graphs for a specified alert field. Each graph plots the activity level by time of alerts with a specific value for the alert field, for comparison purposes. For example, you could compare the alert activity levels for three different source IPs.

To create a Pick graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Pick Graphs, select an alert field.
3. For each value to be plotted in a Pick Graph, do the following:
a. Right-click in the graph area and select Add <field>.
b. Type or select the desired value.
c. To choose the graph color for this value, click Choose the color. Select a color, and click OK.
d. Click OK.
4. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
5. Set the following:
Graph Resolution: The time span represented by each scale mark on the X-axis.
Appearance: One of the following:
Area Graph: The area under the graph line is filled. Note that with multiple graphs, they hide parts of one another.
Stacking Area Graph: The area under the graph line is filled, and graphs stack on top of each other. Note that Y values for upper graphs are aggregated values.
Plot Graph: Regular line graphs.
6. Click OK.
An alternative way of creating a Pick graph is from the Alert Browser / History Browser. Right-click a cell with a value you want to plot on a Pick graph, and select Graph <field> (<value>). You can then continue to add values as in the above procedure.

Creating a Top n Graph


A Top n Graph is a bar graph that plots, for a specified time span, the number of alerts for each of the n most frequently occurring values of a specified alert field. For example, the three (n=3) most-active source IPs.

To create a Top n Graph:
1. From the File menu of any IPS-1 Management Dashboard window, select Graph, or from the toolbar click the Graphs button.
2. In the left-hand list tree, under Top n Graphs, select an alert field.
3. From the Graph menu, select Settings. Or, right-click in the graph area and select Settings.
4. Set the following:
Include alerts that have occurred within the last: Only alerts from this time span are considered or displayed.
Show counts for items that are in the top: This is the n value; the n most frequently occurring values are displayed.
5. Click OK.
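The three computations behind the displays described above (clustering timeline alerts by Resolution into per-Priority pie sections, the Activity Level graph's per-scale-mark counts and its green/yellow/red thresholds, and the Top n count over a trailing time window) are straightforward to state in code. The following Python is an added example, not code from this guide or from Check Point; the alert rows, field names and time values are constructed for the demonstration.

```python
"""Added example: the bucketing behind timeline clusters, the Activity Level graph's
Resolution and color thresholds, and a Top n count. The alerts below are constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Alert = Dict[str, object]  # constructed alert rows: sense_time (epoch seconds), priority, src_ip


def cluster_alerts(alerts: Iterable[Alert], resolution: float, origin: float = 0.0) -> Dict[float, Counter]:
    """One cluster per Resolution-wide span; each holds per-Priority counts (the pie sections)."""
    clusters: Dict[float, Counter] = {}
    for alert in alerts:
        span_start = origin + ((alert["sense_time"] - origin) // resolution) * resolution
        clusters.setdefault(span_start, Counter())[alert["priority"]] += 1
    return clusters


def activity_levels(alerts: Iterable[Alert], resolution: float, origin: float = 0.0) -> List[Tuple[float, int]]:
    """Total alerts per scale mark, in time order: the Activity Level graph's Y values."""
    return sorted((start, sum(c.values())) for start, c in cluster_alerts(alerts, resolution, origin).items())


def graph_color(levels: List[Tuple[float, int]], green_below: int, yellow_below: int) -> str:
    """Applies the two Activity Level thresholds to the highest count in the displayed graph."""
    peak = max((count for _, count in levels), default=0)
    if peak < green_below:
        return "green"
    if peak < yellow_below:
        return "yellow"
    return "red"


def top_n(alerts: Iterable[Alert], field: str, n: int, now: float, window: float) -> List[Tuple[object, int]]:
    """Top n Graph: the n most frequent values of a field among alerts in the last `window` seconds."""
    recent = Counter(a[field] for a in alerts if now - window <= a["sense_time"] <= now)
    return recent.most_common(n)


T0 = 1236466800  # constructed sense times start here
SAMPLE_ALERTS: List[Alert] = [
    {"sense_time": T0 + 0,   "priority": "High",   "src_ip": "192.0.2.10"},
    {"sense_time": T0 + 12,  "priority": "Low",    "src_ip": "192.0.2.10"},
    {"sense_time": T0 + 70,  "priority": "Medium", "src_ip": "198.51.100.7"},
    {"sense_time": T0 + 71,  "priority": "High",   "src_ip": "192.0.2.10"},
    {"sense_time": T0 + 99,  "priority": "High",   "src_ip": "203.0.113.4"},
    {"sense_time": T0 + 200, "priority": "Low",    "src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    # Resolution of 60 seconds: three clusters, peak of 3 alerts, so thresholds 3/5 give yellow.
    levels = activity_levels(SAMPLE_ALERTS, resolution=60, origin=T0)
    print(levels, graph_color(levels, green_below=3, yellow_below=5))
    print(top_n(SAMPLE_ALERTS, "src_ip", 2, now=T0 + 200, window=150))
```

The same bucketing serves both the timeline pies and the Activity Level line; the only difference is whether the per-bucket Counter is kept split by Priority or summed. Note that the color is decided by the peak bucket in the displayed range, so scrolling the view or changing the Resolution can change the color without any new alerts arriving.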

Saving Graphs
Saving a Graph View
You can save and later reopen graph views, similarly to the Alert Browser, History Browser, and Timeline window. This way you can retain graph settings for future alerts. Access these commands from the File menu.

Saving a Graph Snapshot


You can freeze a graph as a saved snapshot. From the Graph menu, select Save Image As. Or, right-click in the graph area, and select Save Image As.

Printing a Graph
To print a graph, from the Graph menu, select Print. Or, right-click in the graph area, and select Print.

Customizing Alerts
In This Section
Overview (page 147)
Configuring Actions (page 147)
Applying Actions to Alerts (page 150)
Changing an Alert's Displayed Priority (page 151)

Overview
You can customize the IPS-1 system so that the Alerts Concentrator issues notifications other than the standard alerts viewed in the Alert Browser. Along with issuing standard alerts, the Alerts Concentrator can perform the following kinds of Actions:
Send an email to specified recipients
Send an SNMP trap
Execute a generic external application

Any of the above actions can be defined to be performed along with any system alert. In addition to logging, Custom Actions can be applied to an individual alert, or simultaneously to a whole group of alerts. There are predefined Alert groups, with the alerts grouped by protocol, and you can also create your own custom alert groups to which you can then apply custom Actions. System alerts can also be customized by changing their displayed Priority.

Configuring Actions
This section discusses creating or modifying Alert Actions, which can then be applied to alerts or to alert groups, as discussed in Applying Actions to Alerts on page 150. Note that modifying an existing Action will affect any alerts or alert groups to which the Action is already applied.

To create or modify an Action:
1. Click the Alert Actions tab. If the Alert Actions tab does not appear in Policy Manager, enable Show Advanced Settings from the Policy Manager menu.
2. In the left-hand Alerts tree, select a group or an alert, and click Edit Actions.
3. Select an existing Action and click Properties; or, click New Action, select one of the following Action types, and click OK:
Email - Send an email to specified recipients (not available on SecurePlatform)
SNMP Trap - Send an SNMP trap carrying the following information:
  Object ID: 1.3.6.1.4.1.4811.0.<Trap ID>, where <Trap ID> is user-defined when creating the SNMP Trap Alert Action
  Alert source: IP address of the host that caused the alert
  Community authentication string: user-defined when creating the SNMP Trap Alert Action
  System up time: set to 0:00:00.00
  Trap source: 1.3.6.1.4.1.4811.0.1
  Message: 1.3.6.1.4.1.4811.0.2
Generic - Execute a generic external application
4. Type or modify the Action properties, which are explained in the following section. In a pre-existing Action, you cannot change the Action name.
5. Click OK, and OK. Install Policy to save changes.

Action Property Fields


When you create or modify an Action, as explained in the previous section, the following fields appear for configuration:

Email Action Property Fields


Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
Recipients - Email address (or addresses) to which the alert will be sent. Separate addresses with spaces.
Subject - Subject line for the email.
Latency - The time, in seconds, after which the email will be sent, even if Alerts/Message (the following field) has not been reached.
Alerts/Message - When this number of alerts is collected, they will be grouped in a single email and the email will be sent, even if Latency (the previous field) has not been reached.

SNMP Trap Action Property Fields


Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
Manager - The SNMP Manager's IP address (port 162).
Community - The SNMP Manager's authentication string. In community-based SNMP (v1/v2c) this string travels in cleartext with every trap, so use a community dedicated to receiving traps and never one that also grants read-write access to the manager or to other devices.
Trap ID - Identifying number for this alert type. Make sure to use a different Trap ID for each SNMP Trap Action.
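The trap described in step 3 of Configuring Actions and by the fields above, as an added example that is not part of this guide or of Check Point's software: the following Python builds the SNMPv1 trap message by hand, so you can see exactly what the receiving manager (and anyone on the path to UDP port 162) gets. The SNMPv1 Trap-PDU framing, with 1.3.6.1.4.1.4811 as the enterprise and the Trap ID as the specific-trap code (which the standard RFC 3584 mapping turns into the Object ID 1.3.6.1.4.1.4811.0.<Trap ID>), and the string typing of the trap-source and message varbinds are this example's assumptions; the guide does not state them. The community, Trap ID and addresses used at the bottom are constructed.

```python
"""Added example: hand-built SNMPv1 trap matching the IPS-1 SNMP Trap Action fields.
The v1 framing and the string typing of the two varbinds are assumptions."""

ENTERPRISE_OID = "1.3.6.1.4.1.4811"   # enterprise arc used by IPS-1 traps
GENERIC_TRAP_ENTERPRISE_SPECIFIC = 6


def ber_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER; TimeTicks reuses it with application tag 0x43."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, value.to_bytes(length, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def ber_ipaddress(dotted_quad: str) -> bytes:
    return tlv(0x40, bytes(int(o) for o in dotted_quad.split(".")))


def ber_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def effective_trap_oid(trap_id: int) -> str:
    """RFC 3584 mapping of enterprise + specific-trap: the guide's Object ID form."""
    return f"{ENTERPRISE_OID}.0.{trap_id}"


def build_trap(community: str, trap_id: int, alert_source_ip: str,
               trap_source: str, message: str) -> bytes:
    """SNMPv1 Message { version 0, community, Trap-PDU } ready to send to UDP/162."""
    varbinds = ber_sequence(
        ber_sequence(ber_oid(ENTERPRISE_OID + ".0.1"), ber_octets(trap_source.encode())),
        ber_sequence(ber_oid(ENTERPRISE_OID + ".0.2"), ber_octets(message.encode())),
    )
    trap_pdu = tlv(0xA4, b"".join([          # [4] IMPLICIT Trap-PDU
        ber_oid(ENTERPRISE_OID),             # enterprise
        ber_ipaddress(alert_source_ip),      # agent-addr: host that caused the alert
        ber_integer(GENERIC_TRAP_ENTERPRISE_SPECIFIC),
        ber_integer(trap_id),                # specific-trap: the user-defined Trap ID
        ber_integer(0, tag=0x43),            # time-stamp: 0:00:00.00 as TimeTicks
        varbinds,
    ]))
    # The community string is the only "authentication" and is sent in the clear.
    return ber_sequence(ber_integer(0), ber_octets(community.encode()), trap_pdu)


if __name__ == "__main__":
    pkt = build_trap("ips1-traps", 7, "192.0.2.10", "sensor-dmz", "HTTP attack detected")
    print(effective_trap_oid(7), pkt.hex())
```

Feed the printed hex to any BER decoder, or send the bytes from a UDP socket to a test manager; either way the community string is plainly readable in the datagram, which is why the Community field should not reuse a credential that grants access anywhere else.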

Generic Action Property Fields


Action name - Use alphanumeric characters and underscore only. The name cannot start with an underscore.
Executable - Full path to an external program, executable by the ips1 user, on the Alerts Concentrator. Because the program runs with the ips1 user's privileges each time the Action fires, keep the executable and its directory writable only by an administrative account, so that a compromise of the Concentrator's service account cannot be turned into code execution on every alert.
Arguments (optional) - Command line arguments to be passed to the external program.
Interval - The time, in seconds, after which the program will be executed, even if Alert Count (the following field) has not been reached.
Alert Count - When this number of alerts is queued, the external program will be executed, even if the Interval (the previous field) has not been reached.

Applying Actions to Alerts


This section discusses applying an already defined Action to an alert or to a group of alerts. An Action that has been defined for one alert is then available to be applied to any alert or alert group. To define an Action, see Configuring Actions on page 147.

To apply an Action to an alert or alert group:
1. If the Alert Actions tab does not appear in Policy Manager, enable Show Advanced Settings from the Policy Manager menu.
2. Click the Alert Actions tab.
3. If you want to apply an Action to a group that does not appear in the alert tree, create a new group. Or, you can modify an existing user-defined group.
To create a new group:
a. In the left-hand Alerts tree, select User-Defined Groups, and click New Group.
b. Type a name for the group, and click OK. The group appears under User-Defined Groups.
c. Select the group you just created, and click Add Alerts.
d. Select all alerts to be added to the group, and click OK.
To modify an existing group:
a. In the left-hand Alerts tree, select an existing group from under User-Defined Groups.
b. To add alerts to the group, click Add Alerts. To remove an alert from the group, select the alert and click Remove.

4. Select a group or an alert to which to apply an Action. Click Edit Actions.
5. Move one or more Actions from the Available Actions list to Applied Actions.
6. Click OK, and Install Policy to save changes. You can later modify the Action, as explained in Configuring Actions on page 147.
Note - An Action applied to an alert group is displayed only at the group level, and does not appear when an individual alert from the group is selected, even though the Action will be performed for that alert.

Changing an Alert's Displayed Priority


You can customize an alert by changing its displayed Priority, as follows:
1. In Policy Manager, if the Alert Actions tab does not appear, enable Show Advanced Settings from the Policy Manager menu.
2. In Policy Manager, click the Alert Actions tab.
3. In the left-hand alerts tree, under Built-in Groups, expand the relevant protocol and select the desired alert.
4. In the right-hand Alert window, select the desired Priority.
5. Install Policy to save the changes.


Chapter 5

Vulnerability Detection and Defense


In This Chapter
Overview (page 154)
Installing Network Vulnerability Data, and Dynamic Shielding (page 155)
Viewing Vulnerabilities (page 156)
Investigating Vulnerabilities with the Distribution Graph (page 159)
Viewing Compromise Risk in the Alert Browser (page 162)
Disabling Vulnerability Correlation (page 163)

Overview
You can proactively protect your network by scanning it for vulnerabilities that an attacker might exploit. The vulnerability data obtained from the scan can be used by the IPS-1 system in the following three ways:
Dynamic Shielding: IPS-1 can check protection settings at vulnerability data upload time, to prevent discovered vulnerabilities from being exploited. Dynamic Shielding can be configured to change protection settings automatically, to prompt for user approval before changing protection settings, or only to issue alerts to the Alert Browser for unprotected vulnerabilities.
Vulnerability Browser: An IPS-1 Management Dashboard window that displays detailed scan results, enabling you to determine which attacks against known vulnerabilities should be detected and prevented by the IPS-1 Sensors, and to configure Sensor protections accordingly.
Compromise Risk: The Alert Browser can be enabled to display for each alert its Compromise Risk factor, based on your network's vulnerability to the attack.

Vulnerabilities are identified by CVE identifiers. A CVE is a unique identifier for one specific vulnerability. CVE identifiers are assigned by the CVE program, run by MITRE; the U.S. National Institute of Standards and Technology (NIST: http://csrc.nist.gov/) publishes them, with additional analysis, in its National Vulnerability Database (NVD: http://nvd.nist.gov). To take advantage of these features, use the third-party Nessus network vulnerability scanner to scan your network and create a scan result file. IPS-1 can then use the vulnerability data in this file. Nessus is currently owned and developed by Tenable Network Security. Nessus is neither provided nor supported by Check Point.

Installing Network Vulnerability Data, and Dynamic Shielding


To create vulnerability data to be uploaded into the IPS-1 system, use the third-party Nessus network vulnerability scanner to scan your network and create a scan result file in XML format. Nessus is currently owned and developed by Tenable Network Security, and obtainable at www.nessus.org. Nessus is neither provided nor supported by Check Point. Only XML files produced by Nessus version 2, from 2.0.12 onwards, are supported. NBE files are not supported. Most Check Point testing has been done with output from Nessus 2.1.12 through 2.2.4.

To prevent the scan itself from triggering alerts (and possibly being blocked by a Sensor), add the hosts from which you are scanning to the list of source addresses to ignore, under General Profile Settings in Policy Manager's System Settings tab. Ignored addresses are invisible to the Sensor for all traffic, not just the scan, so keep that list to the scanner hosts and remove them once scanning is finished.

With Dynamic Shielding, IPS-1 can change protection settings at vulnerability data upload time, to prevent discovered vulnerabilities from being exploited. Dynamic Shielding can be configured to change protection settings automatically, subject to user approval, or not at all. In automatic mode the uploaded file drives changes to enforced protections, so treat the scan result file as policy input and take it directly from the scanning host.

Once you have created the vulnerability data file, perform the following:
1. Configure Dynamic Shielding's behavior regarding changing protections: From Policy Manager's Policy Manager menu, go to Advanced > Dynamic Shield Configuration. In the left-hand tree, protocols are marked as to whether Dynamic Shielding will automatically change protection settings or not. A question mark indicates that Dynamic Shielding will prompt before changing protection settings. To change Dynamic Shielding's behavior for all the protection groups of a protocol (or for all protocols), select the protocol (or All Protocols), change the setting, and click Apply. To save the changes, click OK.
2. From Policy Manager's Policy Manager menu, select Upload Nessus XML Vulnerability Scan.
3. Navigate to the vulnerability data file and select it. Click Open.
4. You are prompted as to whether, during the upload, alerts should be issued to the Alert Browser for unprotected vulnerabilities. Select Yes or No.

Viewing Vulnerabilities
The features discussed in this section are available only when network vulnerability data has been collected and installed in IPS-1, as explained in Installing Network Vulnerability Data, and Dynamic Shielding on page 155. You can view full vulnerability data in the Vulnerability Browser. To open the Vulnerability Browser, from the File menu, select New Vulnerability Browser. Or, click the Vulnerability Browser icon.


Figure 5-1 The IPS-1 Vulnerability Browser

In the upper part of the Vulnerability Browser, vulnerability details are displayed. You can filter displayed vulnerabilities with the left-hand filter trees, in the same way alerts are filtered in the Alert Browser. You can rearrange column order by dragging column headings.
For information on the Distribution Graph in the lower-right corner of the Vulnerability Browser, see Investigating Vulnerabilities with the Distribution Graph on page 159. The Information Pane to the left of the Distribution Graph contains the following information:
A description of the vulnerability. This description is identical to the information in the Scan Data column for the selected vulnerability.
Distribution Graph details. These details are the same as the yellow text that appears together with the Distribution Graph. To understand these details, see Investigating Vulnerabilities with the Distribution Graph on page 159.

Investigating Vulnerabilities with the Distribution Graph


In This Section
Distribution Graph Overview (page 159)
Configuring the Distribution Graph (page 159)
Investigation Examples (page 160)

Distribution Graph Overview


The Distribution Graph, located in the lower-right corner of the Vulnerability Browser, helps you locate specific security risks. It displays the distribution of vulnerabilities according to a specified Distribution Factor, while limiting the analysis to vulnerabilities with specified values in Constraint fields. For example, to show which services cause most of the high-confidence, high-risk vulnerabilities, and which services cause fewer such vulnerabilities, you can create a Distribution Graph with Service Name as its Distribution Factor, constrained to vulnerabilities with a Risk Factor value of High and a Confidence value of 3.

The Distribution Graph's properties are determined by the selected cell of the selected vulnerability in the Vulnerability Browser. All the cells in the selected vulnerability up to and including the selected cell define the Constraint fields and values; the next column to the right defines the Distribution Factor for the graph.

Configuring the Distribution Graph


To create a Distribution Graph according to a desired Distribution Factor and desired Constraining values:
1. Arrange the Vulnerability Browser's columns so that the columns for the desired Constraint fields are first (left-most). In the example from the Distribution Graph Overview on page 159, Risk Factor and Confidence should be the first two columns. Their order does not matter; in continuing the example, we will assume Confidence and then Risk Factor.
2. Place the column for the desired Distribution Factor immediately after (to the right of) the Constraint field columns. In the above example, the column order would now be: Confidence, Risk Factor, Service Name.


3. Find a vulnerability with the desired constraining values in the Constraint fields, and click the last (right-most) of the constraining values. In the above example, find a vulnerability with Confidence=3, Risk Factor=High, and click its Risk Factor cell (the cell with High).

The Distribution Graph immediately displays the desired distribution. In the above example, the Distribution Graph analyzes all the vulnerabilities with Confidence=3 and Risk Factor=High, and displays the distribution of those vulnerabilities by Service Name. The largest section of the pie represents the services causing the most high-confidence, high-risk vulnerabilities.

Each section of the Distribution Graph pie represents one value of the Distribution Factor. The section representing the value in the selected vulnerability extends beyond the circumference of the circle. The number of vulnerabilities with each value appears on its representative section, near the circle center.

Above the graph itself is text describing the graph. The text gives the total number of vulnerabilities analyzed, the number of different values of the Distribution Factor, and the Constraints that determined which vulnerabilities were analyzed. This text also appears in the second part of the Information Pane.

Investigation Examples
The following examples describe some common security questions and methods for investigating them with the Distribution Graph.


Example 1
Which services on the network are causing problems, and for these services, which vulnerabilities need to be fixed? Put the columns in the following order: Confidence, Service Name, and CVE. Select a cell with 3 in the Confidence column to activate the Distribution Graph by Service Name for definite (high-confidence) vulnerabilities. See which service has the largest section, and select a cell with that service name in a vulnerability with Confidence of 3. The Distribution Graph then displays the distribution of definite vulnerabilities for that service by CVE.

Example 2
Where are the high-risk security holes in the network? Put the columns in the following order: Confidence, Risk Factor, Severity, and IP Address. Select a High Severity cell in a row with a High Risk Factor and a Confidence of 3. The Distribution Graph shows which hosts have the most such vulnerabilities.
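The counting that the Distribution Graph performs, written out as an added example (this is not part of the IPS-1 product or of this guide): a POSIX shell function that applies a constraint list to tab-separated vulnerability rows and counts the values of one factor column, which is the general form of the Overview example and of Examples 1 and 2 above. The rows are constructed sample data with placeholder CVE ids and private-range addresses; the column names follow the Vulnerability Browser.

```shell
#!/bin/sh
# Added example, not IPS-1 code: the Distribution Graph's filter-and-count
# over a TSV export of Vulnerability Browser columns.

# Constructed sample rows (header first). CVE ids are placeholders.
sample_vulns() {
    printf 'Confidence\tRisk Factor\tSeverity\tService Name\tCVE\tIP Address\n'
    printf '3\tHigh\tHigh\thttp\tCVE-PLACEHOLDER-1\t10.0.0.5\n'
    printf '3\tHigh\tHigh\thttp\tCVE-PLACEHOLDER-2\t10.0.0.5\n'
    printf '3\tHigh\tMedium\thttp\tCVE-PLACEHOLDER-1\t10.0.0.9\n'
    printf '3\tHigh\tHigh\tsmtp\tCVE-PLACEHOLDER-3\t10.0.0.7\n'
    printf '3\tMedium\tLow\thttp\tCVE-PLACEHOLDER-4\t10.0.0.5\n'
    printf '2\tHigh\tHigh\tdns\tCVE-PLACEHOLDER-5\t10.0.0.2\n'
    printf '1\tLow\tLow\tftp\tCVE-PLACEHOLDER-6\t10.0.0.3\n'
}

# distribution FACTOR CONSTRAINTS
#   FACTOR       column to distribute over (the column right of the selected cell)
#   CONSTRAINTS  "Column=value|Column=value" (the selected cell and the cells to
#                its left); an empty string means no constraint
# Reads TSV rows on stdin; prints "value<TAB>count", largest pie section first.
distribution() {
    awk -F '\t' -v factor="$1" -v cons="$2" '
    NR == 1 {
        for (i = 1; i <= NF; i++) col[$i] = i        # header name -> column number
        ncons = (cons == "") ? 0 : split(cons, pairs, "|")
        for (k = 1; k <= ncons; k++) {
            eq = index(pairs[k], "=")
            cname[k] = substr(pairs[k], 1, eq - 1)
            cval[k] = substr(pairs[k], eq + 1)
            if (!(cname[k] in col)) { print ("unknown column: " cname[k]) > "/dev/stderr"; exit 2 }
        }
        if (!(factor in col)) { print ("unknown column: " factor) > "/dev/stderr"; exit 2 }
        next
    }
    {
        # every constraint must match, otherwise the row is not analyzed
        for (k = 1; k <= ncons; k++) { c = col[cname[k]]; if ($c != cval[k]) next }
        f = col[factor]
        count[$f]++
    }
    END { for (v in count) print v "\t" count[v] }
    ' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# describe_distribution FACTOR CONSTRAINTS
# The one-line text shown above the graph: rows analyzed and distinct values.
describe_distribution() {
    distribution "$1" "$2" | awk -F '\t' -v f="$1" '
        { n += $2 }
        END { printf "%d vulnerabilities analyzed, %d values of %s\n", n, NR, f }'
}

# Direct use: sh distribution.sh "Service Name" "Confidence=3|Risk Factor=High" < vulns.tsv
if [ $# -ge 1 ]; then
    distribution "$1" "${2:-}"
fi
```

Run against the sample with the Overview's constraints (Confidence=3, Risk Factor=High) and Service Name as the factor, it reports http 3 and smtp 1, the same numbers the pie sections would carry; Example 2's constraints with IP Address as the factor rank the hosts instead.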


Viewing Compromise Risk in the Alert Browser


The feature discussed in this section is available only when network vulnerability data has been collected and installed in IPS-1, as explained in Installing Network Vulnerability Data, and Dynamic Shielding on page 155.

Once the vulnerability data has been imported, you can view each alert's Compromise Risk factor in the Alert Browser. Compromise Risk is an assessment of how likely an attack is to succeed, based on vulnerability data. The importance of Compromise Risk is that an attack (even a high-risk one) is less of a security risk if it targets a service that is not vulnerable to it (for example, an attack that tries to insert x86 instructions into a service running on SPARC architecture).

To display Compromise Risk in the Alert Browser:
1. From the Alert Browser's Alert Browser menu, select Show/Hide Columns.
2. Select Compromise Risk. Click OK.
3. To save the view, from the File menu, select Save View.

Correlated vulnerabilities appear in the Alert Browser in blue.


Disabling Vulnerability Correlation


You can disable vulnerability correlation completely, for specific Sensors or for specific alerts, by editing the Vulnerability Correlator.

Note - This is an advanced feature most users will not need. Usually, the Vulnerability Correlator should not be edited.

To edit the Vulnerability Correlator:
1. From the Management menu, select Correlators.
2. Select the vulnerability correlator, and click Edit.
3. To completely disable vulnerability correlation, in the Description tab, select No.
4. In the Vulnerability Correlator tab, you can disable vulnerability correlation for a Sensor or for an alert by clearing its checkbox. To disable an alert only for a particular Sensor, expand the tree for the alert, and under the alert clear the Sensor.
5. Click OK.


Chapter 6 Data Analysis with External Tools


In This Chapter
Overview, page 166
Setting up Reports, page 167
Generating a Report, page 169
Report Template List, page 173
Integration with Eventia Analyzer, page 175


Overview
The information in the IPS-1 database can be used to create reports with Crystal Reports XI from Business Objects. Check Point provides an assortment of pre-defined report templates. You can use these report templates as they are or modify them to suit your needs. These report templates, along with the MySQL ODBC drivers, are on your IPS-1 Management CD-ROM.


Setting up Reports
Follow the instructions below to create an ODBC data source for reports. Before starting:
- Obtain and install Crystal Reports XI: Professional, Developer, or Advanced edition. These are the only editions supported for creating an IPS-1 report.
- Make sure that the Alerts Concentrator is running.

Creating an ODBC Data Source


1. Create a database username and password for the user generating reports by performing the following on the IPS-1 Management Server:
   a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
   b. Run:

rep_useradd <name>

   where <name> is the desired username.
   c. At the prompts, type and retype a password.
2. On the computer on which Crystal Reports is installed, install MyODBC-commercial-3.51.12-win32.msi from the IPS-1 CD (under windows\CPipsClient\odbc). The My ODBC Setup wizard starts. Follow the instructions to complete the installation.
3. Go to Start > Control Panel > Administrative Tools > Data Sources (ODBC).
4. In the System DSN (or File DSN) tab, click Add.
5. From the driver list, select MySQL ODBC 3.51 Driver. Click Finish. The Connector/ODBC Add Data Source window appears:


6. In the Connect Options tab, type the following information:
   Port: 55555
7. In the Login tab, type the following information:
   Data Source Name: (example: IPS-1DS)
   Description: (optional)
   Server: resolvable hostname or IP address of the IPS-1 Management Server
   User: the username created in step 1
   Password: the password for the above username
   Database: the name of the IPS-1 database, usually esdb

8. Click Test to make sure you can properly connect to the data source. If configuration is successful, a message appears telling you so. Click OK.


Generating a Report
1. The Reports folder from the IPS-1 CD is copied into the Alerts Concentrator's installation directory during installation. You can access the Crystal 11 report templates from there, or on the CD, under windows\CPipsClient\reports.
2. Double-click a report filename to launch Crystal Reports v11.
3. From the menu bar, select Database > Set Datasource Location. The Set Datasource Location window appears.
4. In the bottom panel of the window, expand Create New Connection > ODBC (RDO). The ODBC (RDO) window appears.
5. Select the data source you created in the previous section (in the example: IPS-1DS), and click Next. If prompted, enter the database username and password. Click Finish.
6. In the top panel of the Set Datasource Location window, select the database icon. In the bottom panel, select the one you created (in the example: IPS-1DS). Click Update. The datasource location in the top panel now reflects your database server:


Some report templates may contain sub-report templates. For example, the Alert List report contains sub-reports. When you set the datasource location to generate the report, you must also make sure the sub-report's Current Data Source is updated.

7. Click Close.
8. In the main Crystal Reports window, click Refresh. The Enter Values window appears. Available fields depend on the selected report.
9. Enter values, and click OK. The report appears.

Figure 6-1 Alerts by Date

You can now exit or save your report. Note that saving the report will retain your datasource location configurations. If you choose not to save the report, you will have to set your datasource next time the report is opened. To view a sub-report, click its link.

Figure 6-2 Alerts List Example

Figure 6-3 Alerts Details Sub-Report Example


Report Template List


The following reports can be generated in Crystal Reports.

Table 6-1 Report templates (Report: Description)
Alert Details: Generates details about an alert or alerts
Alert List: Generates a list of alerts
Alerts by Date: Generates alerts by date
Alerts by Day of the Week: Generates alerts by date
Alerts by Hour: Generates alerts by hour
Alerts by Month: Generates alerts by month
Alerts by Package: Generates alerts by package
Alerts by Package by Sensor: Generates alerts by Protocol and IPS-1 Sensor
Alerts by Priority: Generates alerts by priority
Alerts by Year: Generates alerts by year
Bottom Alerts: Generates bottom n alerts
Bottom Alert Sources: Generates bottom n alert sources
Bottom Destination IPs: Generates bottom n destination IPs
Bottom Destination Ports: Generates bottom n destination ports
Bottom Packages: Generates bottom n Protocols
Bottom Sensors: Generates bottom n Sensors
Bottom Source IPs: Generates bottom n source IPs
Bottom Source Ports: Generates bottom n source ports
Bottom Source Hosts: Generates bottom n source hosts
Bottom Vulnerable Hosts: Generates bottom n vulnerable hosts
Generic Cover Page Report: Generates a generic report cover
ICMP Alerts: Generates ICMP alerts
Security Summary Reports: Generates summary reports
Services by Priority: Generates services by priority
TCP Alerts: Generates TCP alerts
TOP Alerts: Generates top n alerts
TOP Alert Sources: Generates top n alert sources
Top Destination IPs: Generates top n destination IPs
Top Destination Ports: Generates top n destination ports
Top Packages: Generates top n packages
Top Sensors: Generates top n Sensors
Top Source IPs: Generates top n source IPs
Top Source Ports: Generates top n source ports
Top Vulnerable Host: Generates top n vulnerable hosts
UDP Alerts: Generates UDP Alerts
Vulnerability by Host: Generates vulnerabilities by host
Vulnerability by Severity: Generates vulnerabilities by Severity


Integration with Eventia Analyzer


In This Section
Introduction, page 175
Integrating with Eventia Analyzer, page 175

Introduction
Eventia Analyzer can be used to process IPS-1 Management Server alerts by parsing, normalizing and extracting relevant log fields from syslog messages generated by the IPS-1 Management Server. Adding IPS-1 support to Eventia Analyzer requires modifications on both the Eventia Analyzer server and the IPS-1 Management Server.

IPS-1 support on the Eventia Analyzer server is enabled via a dynamic update. Eventia Analyzer server (R63 and up) can download new and modified event and parsing definition updates from the Check Point User Center. Support for IPS-1 was first included in dynamic update revision No. 3 of the event and parsing definitions. Dynamic updates are cumulative; an Eventia Analyzer server with a more recent update (revision 3 and up) includes the support for IPS-1.

A manual process must be performed on the IPS-1 Management Server. The process includes a Perl script that is downloaded and stored on the IPS-1 Management Server.

Integrating with Eventia Analyzer


To enable the IPS-1 Management Server to send alerts to Eventia Analyzer:

On the IPS-1 Management Server:

1. Download the integration utility for the specific IPS-1 Management Server platform from http://support.checkpoint.com:
   - Eventia-IPS1_SecurePlatform
   - Eventia-IPS1_Solaris
2. Save the downloaded file in the /opt/CPips1-R65/alcr/bin directory.


3. Grant the Eventia1 user execute permissions using the following command:

chmod og+rwx Eventia-IPS1_{Platform}


4. Use a DNS server that can resolve the Eventia Analyzer's hostname or modify the /etc/hosts file on the IPS-1 Management Server to enable resolution of the Eventia Analyzer's hostname using the entry:

xxx.xxx.xxx.xxx -TAB- <AnalyzerServerName>


5. Modify the /etc/syslog.conf file on the IPS-1 Management Server so that all syslog messages from facility Local5 and priority notice will be forwarded to the Eventia Analyzer server using the entry:

local5.notice -TAB- @<AnalyzerServerName>
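Steps 4 and 5 as a repeatable script, added here as an example; it is not Check Point's integration utility and not part of the guide. The hosts file and syslog.conf path are parameters so the logic can be rehearsed on copies before the real files are touched, and the restart in step 6 still has to follow. The resolution check assumes getent is available, and the analyzer address and name used below are constructed sample values.

```shell
#!/bin/sh
# Added example, not IPS-1 code: add the hosts entry (step 4) and the
# local5.notice forwarding rule (step 5) exactly once, tab-separated as shown.

# ensure_line FILE LINE: append LINE unless FILE already contains that exact line
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# configure_forwarding HOSTS_FILE SYSLOG_CONF ANALYZER_IP ANALYZER_NAME
configure_forwarding() {
    ensure_line "$1" "$(printf '%s\t%s' "$3" "$4")"          # xxx.xxx.xxx.xxx<TAB>name
    ensure_line "$2" "$(printf 'local5.notice\t@%s' "$4")"    # local5.notice<TAB>@name
}

# forwarding_rules SYSLOG_CONF ANALYZER_NAME: how many local5.notice rules point at NAME
forwarding_rules() {
    grep -c "^local5\.notice[[:space:]]*@$2\$" "$1"
}

# resolves NAME: true when the resolver (DNS or /etc/hosts) knows NAME
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Real use on the Management Server, as root:
#   sh eventia_syslog.sh apply 192.0.2.10 analyzer.example   (constructed values)
if [ "${1:-}" = apply ] && [ $# -eq 3 ]; then
    configure_forwarding /etc/hosts /etc/syslog.conf "$2" "$3"
    resolves "$3" || echo "warning: $3 does not resolve; step 5 will not deliver" >&2
    service syslog restart    # step 6; on Solaris restart syslogd with svcadm instead
fi
```

Two points a practitioner should keep in mind: the @host form in syslog.conf forwards over UDP port 514 in cleartext, so the analyzer should only be reachable across a trusted management network, and the tcpdump check mentioned at the end of this section is the quick way to confirm the datagrams leave the server. Also, og+rwx in step 3 makes the utility writable by every local account; execute permission (+x) is what is needed.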


6. Restart the syslog service on the IPS-1 Management Server using the following command under the /sbin/ directory:

%>service syslog restart

On the IPS-1 Management Dashboard:


7. Use the IPS-1 Management Dashboard to connect to the IPS-1 Management Server.
8. Select Policy from the Management menu. The Policy Manager window appears.
9. In the Alert Actions tab of Policy Manager, expand the Built-in Groups. Right-click an Alert Group for which syslog messages should be generated and select Edit Actions. To send syslog messages for all alerts, right-click all and select Edit Actions. The Edit Actions for Alert Group all window appears.
10. Create a new Generic action by clicking the New Action button and choosing Generic from the Action Templates list.
11. In the New Generic Action window, modify the parameters:
   Action name: Eventia
   Executable: /opt/CPips1-R65/bin/Eventia-IPS1_{Platform}
   Arguments: (leave empty)
   Interval: 15
   Alert Count: 1000
12. Select the Eventia rule in the Available Actions list and move it to the Applied Actions list. Click OK.


13. Install Policy.

On the Eventia Analyzer Dashboard:

Note - Perform a Dynamic Update only on Eventia Analyzer servers whose Event Policy and parsing definitions are from an update earlier than revision 3:

1. Open Eventia Analyzer SmartConsole.
2. Select Dynamic Update from the Actions menu. The Check Point User Center login window appears.
3. Enter your User Center username and password and click OK. The Dialog window opens.
4. From the Available Updates list, select Update Parsing Definitions.

Note - Updating the Event Policy is not required for IPS-1 integration.

5. Click Update Now. The relevant files are retrieved from the User Center, and IPS-1 parsing files are updated in Eventia Analyzer and on all Log Servers installed on Eventia components.
6. Install Policy.

On External Log Server, if you have one:


If you have an external log server that manually parses the third party product data, copy the $FWDIR/conf/syslog directory from the Eventia Analyzer Server to the same directory on the log server and run cpstop and cpstart.

Revert the Dynamic Update to a Previous Version:


1. Open Eventia Analyzer SmartConsole.
2. Select Undo last policy update from the Actions menu. If you click Yes, the process brings the Event Policy back to its prior definition.


Note - Undo last policy update applies to Policy Updates only and not to all updates.

If logs are being sent, tcpdump can be used for troubleshooting using the command /usr/sbin/tcpdump.

Chapter 7 Backup and Migration

In This Chapter
Overview, page 180
Exporting IPS-1 Management Server Data, page 181
Importing IPS-1 Management Server Data, page 185


Overview
The IPS-1 Management Server can be backed up by exporting its data into Java Archive (.jar) files. The data can then be restored or migrated by importing the .jar files into the same or a new IPS-1 Management Server. The export and import tools are provided in the IPS-1 Management Dashboard.

Note - The exported data does not include Alert Details and raw packets, which are stored only on the Alerts Concentrator.

Three types of data can be exported:
- Alerts
- Policy Settings
- Vulnerability Data

Each type requires a separate .jar file. For a complete backup or migration, create all three. You can choose to export the alerts from a particular time frame. This is useful if you want to do periodic backups.


Exporting IPS-1 Management Server Data


IPS-1 data can be exported using the Policy Manager's Export function or through the command line. From the Dashboard, the user can export data to .jar files located on the IPS-1 Management Server. Once the export is performed, the .jar files can be copied to another server or to backup media for disaster recovery.

From the command line, the user can also schedule the data export process to create scheduled backups. The user can also export data directly from another IPS-1 Management Server using the command line. This is particularly useful when migrating an IPS-1 Management Server from one hardware platform to another.

In This Section
Exporting Data using the Dashboard, page 182
Exporting Data using the Command Line, page 182
Migrating Data using the Command Line, page 184


Exporting Data using the Dashboard


To export IPS-1 Management Server data to a .jar file using the Dashboard:
1. From Policy Manager's Policy Manager menu, select Export. The Export Data window appears:

2. Set a name for the .jar file, and whether to overwrite an existing file.
3. Select the data type to export.
4. If you are exporting Alerts, define the time frame for the alerts to be exported.
5. Click OK. The .jar file is created on the IPS-1 Management Server in:

/opt/CPips1-R65/ips1server/server/default/data/archive

Exporting Data using the Command Line


To export IPS-1 Management Server data to a .jar file using the command line:
1. Stop the IPS-1 Management Server, but leave the MySQL database running.
2. Open a command-line console on the target machine as root.


3. Change to the ips1 user: "su - ips1"
4. Export Policy settings using the following command:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u [db_user] -w [db_password] -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/[file_name] -j /opt/CPips1-R65/ips1server

For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/CPips1-R65/ips1server

5. Export Vulnerability Data using the same command with -v appended to the end and with a different target filename. For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/CPips1-R65/ips1server -v

6. Export Alerts using the same command with -a appended to the end and with a different target filename. Alerts from a specific time period can be exported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to export only the alerts from the last 24 hours. For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h localhost -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/CPips1-R65/ips1server -a -t 01012008 01022008

7. Start the IPS-1 Management Server.

To schedule backups, include the commands above in a shell script and use crond to invoke the script periodically.


Migrating Data using the Command Line


When migrating an IPS-1 Management Server to a new hardware platform, prepare the target machine with a fresh installation of the IPS-1 Management Server. The migration process requires network connectivity from the target machine to port 55555 on the source machine, and the original MySQL database must allow users to log in remotely from the target machine.

To export IPS-1 Management Server data to a .jar file using the command line:
1. Stop the IPS-1 Management Server on the source and target machines, but leave the MySQL database running.
2. Open a command-line console on the new machine as root.
3. Change to the ips1 user: "su - ips1"
4. Export Policy settings using the following command:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u [old_db_user] -w [old_db_password] -h [old_db_host IP] -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/[new_dest_file_name.jar] -j /opt/CPips1-R65/ips1server

For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/policy_archive.jar -j /opt/CPips1-R65/ips1server

5. Export Vulnerability Data using the same command with -v appended to the end and with a different target filename. For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/vulnerability_archive.jar -j /opt/CPips1-R65/ips1server -v

6. Export Alerts using the same command with -a appended to the end and with a different target filename. Alerts from a specific time period can be exported by adding the -t [start date] [end date] option, where the dates are in mmddyyyy format. It is recommended to export only the alerts from the last 24 hours. For example:

java -jar ips1server/server/default/lib/upgradetools.jar -m -u ips1dbuser -w test -h 192.168.2.3 -p 55555 -d esdb -f /opt/CPips1-R65/ips1server/server/default/data/archive/alerts_archive.jar -j /opt/CPips1-R65/ips1server -a -t 01012008 01022008

7. Start the IPS-1 Management Server on the target machine and continue with Importing IPS-1 Management Server Data.
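The scheduled backup that Exporting Data using the Command Line suggests running from crond, written out as an added example (not Check Point's script and not part of the guide) from the upgradetools.jar command lines above; with IPS1_DB_HOST pointed at the source machine it produces the migration exports of this section instead of a local backup. Assumptions are marked in the code: the guide does not give the commands that stop and start the Management Server, so those are placeholders, and the password file location is an assumed one.

```shell
#!/bin/sh
# Added example, not IPS-1 code: cron-driven export of policy, vulnerability
# and alert data with the upgradetools.jar command lines from the guide.

IPS1_HOME=/opt/CPips1-R65/ips1server
ARCHIVE=$IPS1_HOME/server/default/data/archive
TOOL=$IPS1_HOME/server/default/lib/upgradetools.jar
DB_HOST=${IPS1_DB_HOST:-localhost}          # source MySQL host; the old server when migrating
DB_USER=${IPS1_DB_USER:-ips1dbuser}         # username from the guide's examples
DB_PASS=${IPS1_DB_PASS:-}                   # normally read from DB_PASS_FILE in run_backup
DB_PASS_FILE=${IPS1_DB_PASS_FILE:-$IPS1_HOME/.dbpass}   # assumption: one line, mode 0600
# Placeholders: the guide does not state the server stop/start commands.
STOP_SERVER=${IPS1_STOP_CMD:-'echo PLACEHOLDER: stop the IPS-1 Management Server here'}
START_SERVER=${IPS1_START_CMD:-'echo PLACEHOLDER: start the IPS-1 Management Server here'}

# build_export_cmd KIND FILE [START END]
# Prints the export command line for KIND = policy | vulnerability | alerts.
# START and END (alerts only) are mmddyyyy, as the -t option expects.
build_export_cmd() {
    base="java -jar $TOOL -m -u $DB_USER -w $DB_PASS -h $DB_HOST -p 55555 -d esdb -f $ARCHIVE/$2 -j $IPS1_HOME"
    case $1 in
        policy)        printf '%s\n' "$base" ;;
        vulnerability) printf '%s\n' "$base -v" ;;
        alerts)        printf '%s\n' "$base -a -t $3 $4" ;;
        *)             echo "unknown export kind: $1" >&2; return 1 ;;
    esac
}

# mmddyyyy DAYS_AGO: the calendar date DAYS_AGO days back, in -t format (GNU date;
# on Solaris compute the dates another way)
mmddyyyy() { date -d "$1 days ago" +%m%d%Y; }

# run_backup: stop the server, export the three data types as the ips1 user
# (policy and vulnerability data in full, alerts for the last 24 hours as the
# guide recommends), then start the server. Archive names carry the date so
# periodic runs do not overwrite each other.
run_backup() {
    if [ -z "$DB_PASS" ]; then
        DB_PASS=$(cat "$DB_PASS_FILE") || { echo "cannot read $DB_PASS_FILE" >&2; return 1; }
    fi
    stamp=$(date +%Y%m%d)
    rc=0
    sh -c "$STOP_SERVER" || return 1
    for kind in policy vulnerability alerts; do
        cmd=$(build_export_cmd "$kind" "${kind}_$stamp.jar" "$(mmddyyyy 1)" "$(mmddyyyy 0)") || { rc=1; continue; }
        su - ips1 -c "$cmd" || { echo "export of $kind failed" >&2; rc=1; }
    done
    sh -c "$START_SERVER" || rc=1
    return $rc
}

# Root crontab entry for a nightly run at 02:00:
#   0 2 * * * /opt/CPips1-R65/ips1_backup.sh run
case ${1:-} in run) run_backup ;; esac
```

The -w option puts the database password on the java command line, where any local account can read it from the process list while the export runs; that is the tool's interface, so restrict the password file and the archive directory, and copy the .jar files off the server after each run as the Overview suggests.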

Importing IPS-1 Management Server Data


Before importing, be aware that importing policy data causes an automatic, user-informed restart of the IPS-1 Management Server.

To import IPS-1 Management Server data from a .jar file:
1. If the .jar file has been moved from its original location, copy it to:

/opt/CPips1-R65/ips1server/server/default/data/archive

2. From Policy Manager's Policy Manager menu, select Import. The Database Import window appears:

3. Select a .jar file. Import the Policy Settings, the Vulnerability Data and the Alerts, in that order.
4. Click OK.
