TippingPoint Advanced Technical Security Products Training Course Version 3.1

TippingPoint Advanced Slides - V3c


Page 1: TippingPoint Advanced Slides - V3c

TippingPoint Advanced Technical Security Products Training Course

Version 3.1

Page 2: TippingPoint Advanced Slides - V3c

TippingPoint Training Programs

• TippingPoint provides comprehensive, collaborative training aimed to provide hands-on experience with the most powerful network-based intrusion prevention system in the world

http://www.tippingpoint.com/training

Page 3: TippingPoint Advanced Slides - V3c

Advanced Class Lab Materials

• You will need a laptop to perform the labs

– Or pair up with someone who has one

• Advanced Class Lab Guide

• IP Address Assignment Sheet (with login details)

• Electronic Materials from http://<ip of download server>

– Advanced class slides (in PDF format)

– Windows Tools (Putty, Wireshark, Kiwi, etc)

– Latest Digital Vaccines

– TippingPoint OS images

– Marketing Materials (datasheets, product photos, etc)

– Product Documentation (manuals, MIB files, etc)

Page 4: TippingPoint Advanced Slides - V3c

Course Objectives

• Understand how to setup and configure TippingPoint IPS and SMS devices

• Understand how to manage your IPS and SMS devices including updating Digital Vaccines and the IPS and SMS software

• Understand how to create and apply security policies by configuring filters and applying security profiles to your IPS devices

• Understand Events and Reporting from an IPS and SMS perspective

• Understand how to troubleshoot and monitor the performance of an IPS device

Page 5: TippingPoint Advanced Slides - V3c

Class Introductions

• Instructor

– Freddy Saenz, Senior Systems Engineer, Training

• Student introductions

– Name, company, and location

– Role

– Networking and security background

– Experience with TippingPoint products

– Objective for taking this class

Page 6: TippingPoint Advanced Slides - V3c

Class Agenda

• Introduction to the TippingPoint family of products

• IPS setup and basic health / administration

• SMS setup, IPS management and Segment Groups

• Basic filter management

• Advanced filter management

• Architecture & Performance

• IPS quarantine

• SMS Responder

• IP / DNS Reputation

• Maintenance & Troubleshooting

Page 7: TippingPoint Advanced Slides - V3c

Class Schedule and Logistics

• 9:00 AM to ~5:00 PM each day

• Breaks

– Morning break

– Lunch

– Afternoon break

Page 8: TippingPoint Advanced Slides - V3c

An Introduction to the Overall TippingPoint Solution and IPS Setup

Version 3.1

Page 9: TippingPoint Advanced Slides - V3c

Intrusion Prevention System Background

• Intrusion Prevention System

– Sits in-line in the network flow

– Scans traffic as it passes and takes actions (block, rate-limit, alert) based on a configured policy

– The IPS acts like a “bump-in-the-wire” device (SEGMENT)

• No IP addresses

• Layer 2

• Easy deployment

– Effectively patches you at the network level

• Capabilities of an IPS:

– Perform as both a NETWORK device and as a SECURITY device

– NO FALSE POSITIVES (don’t block what you shouldn’t)

– Possess a flexible inspection engine to adapt to new threats

– Provide for policy and filter updates in real-time (no network outage)

Page 10: TippingPoint Advanced Slides - V3c

Common IPS Deployments (diagram)

Deployment points shown: Perimeter (1.5 – 1000 Mbps), WAN Perimeter, DMZ (Web Servers), Core Network (Access, Aggregation, Core), Internet, VPN, Data Center (Servers, Apps & Data; Web Servers & Apps; Shared Storage, Shared Tape; Windows & Linux Blades), Remote Offices, Departmental Zones

Throughput bands shown: 10 Mbps – 1 Gbps, 1 Gbps – 10 Gbps, 1 Gbps – 10 Gbps, n x 1 Gbps – n x 10 Gbps

Page 11: TippingPoint Advanced Slides - V3c

TippingPoint Product Portfolio

Model                                   Inspection Throughput                      Segments
TippingPoint 10                         20 Mbps                                    2 x Segments
TippingPoint 110 / 330                  100 Mbps / 300 Mbps                        4 x Segments
E-Series (600E, 1200E, 2400E, 5000E)    600E: 600 Mbps; 1200E: 1.2 Gbps;           4 x Segments (Copper, Fiber or 50/50 mix)
                                        2400E: 2.0 Gbps; 5000E: 5 Gbps
N-Platform (660N, 1400N, 2500N, 5100N)  660N: 750 Mbps; 1400N: 1.5 Gbps;           10 x 1 Gig Segments (5 x Copper + 5 x SFP);
                                        2500N: 3 Gbps; 5100N: 5 Gbps               1 x 10G Segment (2500N/5100N only)
Core Controller                         20 Gig (load balancing)                    3 x 10G Segments
SMS (Security Management System)

Page 12: TippingPoint Advanced Slides - V3c

N-Platform Hardware Overview

• 10G SmartZPHA Module (option for 2500N / 5100N only)

• 10G Segment (2500N / 5100N only)

• 10 x 1G Segments (5 x Copper + 5 x SFP)

• Removable Compact Flash (user data)

• Out-of-Band Management Port (10/100/1000 Ethernet)

• Serial Console (RJ45) (115,200/8/N/1, used for initial setup)

• LCD & Keypad

Page 13: TippingPoint Advanced Slides - V3c

E-Series Hardware Overview

• Segment 1 Port A / Segment 1 Port B

• Out-of-Band Management Port (10/100 Ethernet)

• Serial Console (DB9) (115,200/8/N/1, used for initial setup)

• LCD & Keypad

Page 14: TippingPoint Advanced Slides - V3c

10 / 110 / 330 Hardware Overview

• TippingPoint 110 / 330: 4 x 10/100/1000 Segments / In-Built ZPHA

• TippingPoint 10: 2 x 10/100/1000 Segments / In-Built ZPHA

Page 15: TippingPoint Advanced Slides - V3c

TippingPoint Management Architecture

Components shown (diagram):

• Enterprise Management: Security Management System (SMS) external server, accessed via the SMS Java GUI Client; updates from the TippingPoint Threat Management Center; managed devices at Location 1, Location 2 … Location N

• Element Management: Local Security Manager (LSM) (IPS Web Interface); CLI – Terminal, SSH, Telnet

Page 16: TippingPoint Advanced Slides - V3c

TippingPoint Digital Vaccine (DV)

• Digital Vaccine

– Our term for new filter updates

– Twice-weekly updates (sometimes more often when circumstances call for it)

– Immediate protection via a default Digital Vaccine with “Recommended” settings for all filters

– New Digital Vaccines may be automatically downloaded from the TippingPoint Threat Management Center

– No network down time – filter updates happen in real-time

Page 17: TippingPoint Advanced Slides - V3c

Digital Vaccine Process – DVLabs

• Raw Intelligence Feeds: Customer Requests, SANS, CERT, Vendor Advisories, Bugtraq, VulnWatch, PacketStorm, Securiteam, Internally discovered Vulnerabilities, ZeroDay Initiative (www.zerodayinitiative.com)

• Process (diagram): Raw Intelligence Feeds → DV Labs Research → Vaccine Creation; SANS @RISK Weekly Report

• The SANS @RISK newsletter is available for free at:

– http://www.sans.org/newsletters/risk/

• DVLabs - http://dvlabs.tippingpoint.com/

– Info on DV team

– DV Team blog

– DVLabs advisories

• Digital Vaccines are delivered via Akamai for resiliency and redundancy

Page 18: TippingPoint Advanced Slides - V3c

Threat Management Center (TMC)

• Customer Web Portal (https://tmc.tippingpoint.com)

– Make sure you / your team have an account

– Provides access to important resources:

• TOS & DV’s

• Documentation (manuals, seminars, hints & tips, etc)

• Support materials (RMA processing, knowledge base articles)

– Account holders also receive email notifications for new DV’s and other support information

• SMS / IPS automated updates

– SMS and IPS devices can contact TMC directly for automated updates for both DV’s and IPS/SMS software

Page 19: TippingPoint Advanced Slides - V3c

Threat Management Center (TMC)

• Navigate to the appropriate section of the TMC for DV, TOS, etc.

Link to ThreatLinQ: Event aggregation service utilizing customer and TippingPoint attack data for global threat analysis

Page 20: TippingPoint Advanced Slides - V3c

ThreatLinQ Portal

• Helps customers make decisions about how, why, and when to enable different TippingPoint filters

• Data sourced real-time by TippingPoint Light-House deployments & customer data

• Portal sections: Top Attacks, Top Policy Filters, Top Attack Sources, World Map View, Blogs & RSS feeds

Page 21: TippingPoint Advanced Slides - V3c

IPS Initial Setup Wizard

• Initial setup is done using a Setup Wizard

– Accessed using the IPS console (115200, 8, N, 1)

• What you need to know prior to setting up the device:

– Username and password for your super user account

– IP Address of your IPS (refer to the IP sheet)

– Subnet mask and default gateway

– DNS settings (if you want the device to access TMC)

• NOTE: The IPS will start up with a default security configuration

– This default security policy runs with all filters set to their default policy as defined by the DVLabs at TippingPoint (more on this later)

Page 22: TippingPoint Advanced Slides - V3c

IPS Initial Setup Wizard

Connect to the IPS console and answer the setup wizard’s questions

The wizard can also be run from the IPS LCD panel if you do not have console access

Page 23: TippingPoint Advanced Slides - V3c

IPS Setting the Security Level

Security Level sets user id and password policy (length & characters)

We recommend using Level 2

Page 24: TippingPoint Advanced Slides - V3c

Create Initial IPS Super User Account

After Security Level, you will be asked to create an initial super user account

Page 25: TippingPoint Advanced Slides - V3c

IPS Management Port IP Address

Login with the new super user account you just created to begin the Setup Wizard

Setting the IP address of the management port is most important. We can then manage via HTTPS and SSH

Page 26: TippingPoint Advanced Slides - V3c

Running ‘setup’ again

After setup, you are in the CLI; you may also connect to the CLI using SSH

Page 27: TippingPoint Advanced Slides - V3c

IPS Web Interface Local Security Manager

Use https to access the LSM: https://<ip address of your IPS>

Supported browsers: IE v6+ and Firefox. Browser checking can be disabled using the IPS CLI command: conf t no browser-check

To login: use the username / password created during the initial setup

Page 28: TippingPoint Advanced Slides - V3c

Local Security Manager (LSM)

Home Icon – returns to System Summary Page

Current User / Time

Session timeout (configurable)

Main Navigation

Page 29: TippingPoint Advanced Slides - V3c

LSM System Summary

Health Status (Click links for specifics)

Log Summary – IPS filter hits: Block & Alert log; Device Logs: System & Audit log

Page 30: TippingPoint Advanced Slides - V3c

IPS System Log

• The System Log is accessible in multiple places:

– CLI: show log system

– LSM: Events → Logs → System Log

• System Log contains Log ID, Log Entry Time, Security Level, Component, and Message

– Logs can be downloaded, searched and reset

Page 31: TippingPoint Advanced Slides - V3c

IPS Audit Log

• The Audit Log contains:

– Log ID, Log Entry Time, User, Access, IP Address, Interface, Component, Result and Action

• The Audit Log can only be reset and viewed by a user with super-user privileges

Page 32: TippingPoint Advanced Slides - V3c

IPS Alert and Block Log

• Where to View Filter Events:

– Alert Log: Shows filters with Permit + Notify Action Sets

– Block Log: Shows filters with Block + Notify Action Sets

– Packet Trace: Filters with packet trace option set

• Option for permits or blocks

Page 33: TippingPoint Advanced Slides - V3c

IPS Performance and Port Health

Shows ingress traffic by Segment / Port

Page 34: TippingPoint Advanced Slides - V3c

Managing IPS User Accounts

Edit / Delete Users

Create up to 30 additional users

3 Access Levels:

– Super-user: All privileges, including ability to create / edit users and view / reset audit log

– Administrator: Can make configuration changes, can’t view / reset audit log

– Operator: As administrator but view only

Page 35: TippingPoint Advanced Slides - V3c

Managing IPS User Preferences

LSM inactivity timeout

LSM page refresh time

Failed login behavior

Password Security Level – Initially set during OBE, controls username / password format

Password Expiration policy

Note: It is possible to lock yourself out of the system due to excessive failed logins (alternative user / password recovery)

Page 36: TippingPoint Advanced Slides - V3c

Lab Network Overview

Lab Network Overview (diagram): each student station (Station 1, Station 2 … Station n) has a Tomahawk server and an IPS; the SMS sits on the Management Network

management network 172.16.240.0/24

attack network 10.0.0.0/8

attack ethernet: Student Laptops (DHCP)

Page 37: TippingPoint Advanced Slides - V3c

Tomahawk Details

• Linux server with three NICs

– Two are connected to IPS

– One is connected to management network

• Server is running an open source application known as Tomahawk

– Very similar to TCP replay

– Can generate clean and attack traffic through the IPS by replaying select PCAPs

• Student logs in via SSH to the Tomahawk over the management network and runs a number of scripts

– attacks 10

– perf_http_rate 100

Page 38: TippingPoint Advanced Slides - V3c

Lab #1: Initial Setup of IPS

• Refer to the Lab Guide, and complete Lab #1

– Connect to the IPS console and perform initial setup

– Verify IPS connectivity using SSH & HTTPS

– Run attacks from your Tomahawk

– Create IPS user accounts

Page 39: TippingPoint Advanced Slides - V3c

SMS Setup, Device Management, Segment Groups

Version 3.1

Page 40: TippingPoint Advanced Slides - V3c

SMS Feature Overview

• Device Management

– Multiple IPS device management

– Device configuration and health monitoring

– Centralized device package management (DV/TOS)

• Security Profiles

– Security Profile management and distribution

• Events/Reporting

– Centralized event collection and reporting

• Granular Access Control

– Lock down user access to SMS resources

• Integration

– SMS API

– Syslog integration with SIM vendors

– Quarantine integration

• High-Availability Cluster Option

Page 41: TippingPoint Advanced Slides - V3c

SMS Setup Wizard

• SMS Setup

– Similar to the IPS setup (except console settings: 9,600/8/N/1)

• Things to have ahead of time

– Super-user name and password

– Management IP, subnet mask and default gateway

– DNS (for TMC access)

– NTP servers and time zone

– NMS IP address information (SNMP trap receiver)

– SMTP server settings information

• For email notifications and reports

Page 42: TippingPoint Advanced Slides - V3c

SMS Initial Login

• Connect a terminal cable and boot the SMS, type “SuperUser” at the prompt:

The default initial Username for the SMS is SuperUser

Page 43: TippingPoint Advanced Slides - V3c

SMS License and Setup Wizard

• Read and accept the SMS software license

Page 44: TippingPoint Advanced Slides - V3c

Security Level, Username and Password

• Choose Security Level and create your super user account name and password

Page 45: TippingPoint Advanced Slides - V3c

SMS IP Configuration

• Choose IPv4 or IPv6 or dual-stack

– Enter IP, Mask, Default Gateway & DNS

DNS is used to resolve the TMC address and may also be used to resolve IP addresses associated with filter events

Page 46: TippingPoint Advanced Slides - V3c

SMS Finishing the wizard

• Continue through the wizard, then reboot

– Management speed/duplex, host name, Timekeeping, Server Options (ping, ssh, http, etc), SMTP, SNMP trap

Download the SMS client from the SMS via HTTPS

You must reboot at the end of the setup wizard

Page 47: TippingPoint Advanced Slides - V3c

SMS Web Page - Client Download

• Login to the SMS web interface and download the latest SMS client

– https://<ip of SMS>

Page 48: TippingPoint Advanced Slides - V3c

Logging in using the SMS Client

• The SMS client version must always match the SMS server version you are managing

– You can install different SMS versions at the same time (select a different folder during the install process)

• Drop down list shows previously selected SMS hosts

• Can be turned off for security purposes

• Selecting More provides options to login to multiple concurrent SMS servers

Page 49: TippingPoint Advanced Slides - V3c

SMS Client – Dashboard and Main Window

Multiple SMS Tabs

Page 50: TippingPoint Advanced Slides - V3c

SMS Client: Admin → General

Reboot / Shutdown the SMS

Update SMS Software & apply Patches

SMS System / Audit Logs

SMS System / Port Health

SMS can manage up to 25 IPS devices with the default license

Page 51: TippingPoint Advanced Slides - V3c

SMS Server Properties → Management

System Information

Services

• As of 3.1 Ping is enabled by default

Server Properties

Remote Syslog

• Allows you to offload all SMS events to an external syslog server (typically an external SIM)

• Can also offload SMS/device Audit & system logs

Page 52: TippingPoint Advanced Slides - V3c

SMS Server Properties → Network Settings

SMS IP Settings

DNS Settings – Required for TMC access

Date / Time Settings – Changes require a reboot

SMTP Settings – For email alerts, and emailing reports

Page 53: TippingPoint Advanced Slides - V3c

SMS User Management

User list, shows all configured users

Select New to add additional users

Current Active Sessions

Page 54: TippingPoint Advanced Slides - V3c

Creating SMS Users

Permissions Provided by these Tabs

Super User Role: View audit log; Manage SMS system properties; Add IPS devices; Manage Segment Groups; Update or patch SMS software; Shutdown / reboot SMS; Create user accounts

Administrator: Manage IPS devices (need permission); Manage Policies (need permission); Push DV / TOS (need permission)

Operator: As Administrator but view only

Page 55: TippingPoint Advanced Slides - V3c

User Permissions – Example

• Bob can manage IPS #1 and IPS #2

• John can edit the Core Policy and push to the Core Segment Group

• Chris can edit the DMZ Policy and push to the DMZ Segment Group

• Permissions can be granted in one of two ways:

– User perspective: when adding a new user account to the SMS

– Resource perspective: when adding a new device, profile or segment group

Diagram: Bob → IPS #1, IPS #2; John → Core Policy, Core Segment Group; Chris → DMZ Policy, DMZ Segment Group

Page 56: TippingPoint Advanced Slides - V3c

User Permissions

• Users can be granted permissions to SMS resources (Profile, Device, Segment Groups) a few ways:

– At user creation time, by a user with SuperUser privileges

– Implicitly, by creation of an SMS resource (Profile or Segment Group – Administrators only)

Page 57: TippingPoint Advanced Slides - V3c

Granting a User Permissions to a Resource

• A user may also be granted permission to access an SMS resource, by going to the resource and adding permissions directly

• Permission dialogs exist for Profiles, Segment Groups and Devices

– Menu bar: Edit->Permissions

– Context menu: right click on device

Page 58: TippingPoint Advanced Slides - V3c

Editing Resource Permissions

• When editing Permissions for a given resource, choose Administrator and Operator users

– Super User users already have rights to all SMS resources
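The permission rules of the preceding slides (roles on page 54, the Bob/John/Chris scenario on page 55, grant paths on pages 56-58), worked as a small model. This is an added example, not TippingPoint's SMS code; the resource kinds, the rule that only a Super User or an Administrator who already manages a resource may edit its permissions, and the extra view-only user "audit" are assumptions.

```python
"""Model of the SMS permission rules on pages 54-58 (added example, not
TippingPoint's own code). Assumptions: resources are Devices, Profiles and
Segment Groups; Super Users implicitly hold every right; Administrators and
Operators get a resource only by explicit grant (at user creation by a Super
User, via the resource's permission dialog, or implicitly when an
Administrator creates a Profile or Segment Group); Operators are view-only."""
from dataclasses import dataclass, field

SUPER_USER, ADMINISTRATOR, OPERATOR = "SuperUser", "Administrator", "Operator"
VIEW, MANAGE = "view", "manage"


@dataclass
class Resource:
    kind: str                                   # "device", "profile" or "segment_group"
    name: str
    granted: set = field(default_factory=set)   # user names with access


class SMS:
    def __init__(self, bootstrap_super_user="SuperUser"):
        # The SMS starts with the built-in SuperUser account (page 42).
        self.roles = {bootstrap_super_user: SUPER_USER}
        self.resources = {}

    def add_user(self, actor, name, role, grants=()):
        """Only a Super User creates accounts and may grant resources at creation."""
        if self.roles[actor] != SUPER_USER:
            raise PermissionError(f"{actor} ({self.roles[actor]}) cannot create users")
        self.roles[name] = role
        for res in grants:
            self.resources[res].granted.add(name)

    def add_resource(self, actor, kind, name):
        """Devices may only be added by a Super User; Profiles and Segment Groups by a
        Super User or Administrator. An Administrator who creates one is granted it."""
        role = self.roles[actor]
        if role == OPERATOR or (kind == "device" and role != SUPER_USER):
            raise PermissionError(f"{actor} ({role}) cannot add a {kind}")
        res = Resource(kind, name)
        if role == ADMINISTRATOR:
            res.granted.add(actor)              # implicit grant (page 56)
        self.resources[name] = res
        return res

    def grant(self, actor, res_name, user):
        """Resource-perspective grant (page 57). Assumption: the actor must be a
        Super User or an Administrator who already manages the resource. Super
        Users are never listed because they already hold every right (page 58)."""
        if not self.allowed(actor, res_name, MANAGE):
            raise PermissionError(f"{actor} cannot edit permissions on {res_name}")
        if self.roles[user] == SUPER_USER:
            return
        self.resources[res_name].granted.add(user)

    def allowed(self, user, res_name, action):
        """Authorization decision for one user, resource and action."""
        role = self.roles[user]
        if role == SUPER_USER:
            return True
        if user not in self.resources[res_name].granted:
            return False
        return action == VIEW or role == ADMINISTRATOR


def build_example():
    """The page-55 scenario: Bob manages both IPSs, John the Core policy and
    segment group, Chris the DMZ ones; 'audit' (constructed) is a view-only Operator."""
    sms = SMS()
    for kind, name in [("device", "IPS #1"), ("device", "IPS #2"),
                       ("profile", "Core Policy"), ("profile", "DMZ Policy"),
                       ("segment_group", "Core Segment Group"),
                       ("segment_group", "DMZ Segment Group")]:
        sms.add_resource("SuperUser", kind, name)
    sms.add_user("SuperUser", "bob", ADMINISTRATOR, grants=["IPS #1", "IPS #2"])
    sms.add_user("SuperUser", "john", ADMINISTRATOR,
                 grants=["Core Policy", "Core Segment Group"])   # user perspective
    sms.add_user("SuperUser", "chris", ADMINISTRATOR)
    sms.grant("SuperUser", "DMZ Policy", "chris")                # resource perspective
    sms.grant("SuperUser", "DMZ Segment Group", "chris")
    sms.add_user("SuperUser", "audit", OPERATOR, grants=["Core Policy"])
    return sms


if __name__ == "__main__":
    sms = build_example()
    for user, res, action in [("bob", "IPS #1", MANAGE), ("bob", "Core Policy", VIEW),
                              ("john", "Core Segment Group", MANAGE),
                              ("chris", "Core Policy", MANAGE),
                              ("audit", "Core Policy", VIEW), ("audit", "Core Policy", MANAGE)]:
        print(f"{user:6} {action:6} {res:20} -> {sms.allowed(user, res, action)}")
```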

Page 59: TippingPoint Advanced Slides - V3c

Adding and Managing your IPS devices

Add a new Device

Page 60: TippingPoint Advanced Slides - V3c

Adding a New Device

• To add a New Device, you must specify:

– Device IP address, username and password

– Device Group

– Whether you want to synchronize the device to the current SMS time

• Configuration options for Online Devices

– Launch the device configuration dialog after adding

– Clone an existing device

• Device Groups allow you to group devices for ease of management

Page 61: TippingPoint Advanced Slides - V3c

All Devices View

Each device has drill down information here on the left

Information for all devices under SMS management, including TOS / DV version

Page 62: TippingPoint Advanced Slides - V3c

Shelf Level View

Select Device node for Shelf Level View

Page 63: TippingPoint Advanced Slides - V3c

IPS Behavior under SMS Management

• LSM behavior when an IPS is managed by an SMS

– Displays the message: “Device Under SMS Control” and most configuration items are disabled

– Shows the IP Address and Serial Number of the SMS that is managing the IPS

Page 64: TippingPoint Advanced Slides - V3c

Removing the IPS from SMS Management

• To Disable Management

– From the SMS: right click on the device and select Edit → Unmanage Device

– From the LSM: System → Configuration → SMS/NMS (uncheck SMS Control)

– From the IPS CLI: conf t no sms

Page 65: TippingPoint Advanced Slides - V3c

IPS Behavior when re-managed by SMS

• To Enable Management Again

– From the SMS, right click on the device and select Edit → Manage Device (you will need to re-authenticate)

– From the LSM: System → Configuration → SMS/NMS, re-check the “Enabled” check box

– You may also issue the CLI command: conf t sms

• When an IPS is re-managed by an SMS

– SMS will update health status

– SMS discovers any configuration changes

• IPS filter settings are not discovered (more on this later)

– SMS imports all IPS filter events that occurred whilst unmanaged

Page 66: TippingPoint Advanced Slides - V3c

Segment Group Concepts

• Segment Groups are logical grouping of IPS Segments that can represent a similar policy enforcement point

• IPS version 2.5 introduced directionality for segments, allowing a different policy to be applied between A→B versus B→A

• Examples of Segment Groups:

– Perimeter (IPS segment between the Internet and users)

– Core (between users and core servers)

– Inbound Perimeter (Port B→A on Segment 1)

– Outbound Perimeter (Port A→B on Segment 1)

• Used for Profile management

• Used for Events and Reporting

Page 67: TippingPoint Advanced Slides - V3c

Segment Groups – Example

Diagram: Internet, Segment 1 (Perimeter group), User Group A and User Group B, Segment 2 (Core group), Core Servers

• 2 Segment Groups

– Perimeter: between users and the Internet (segment 1)

– Core: between users and core servers (segment 2)

Page 68: TippingPoint Advanced Slides - V3c

Segment Group Management (Devices Tab)

• There is a “Default” Segment Group on every SMS

– The Default Segment Group can not be deleted

– Newly managed device Segments are placed in the Default Group

• A segment may only be a member of one Segment Group

– New: creates a new Segment Group

– Details: view details for an existing Segment Group

– Edit Membership: move Segments into the Segment Group

– Delete: deletes Group, segments are moved back to the Default Group

Page 69: TippingPoint Advanced Slides - V3c

Segment Groups – New/Edit

• Name the Segment Group

– Move segments to the right to add them to the current Segment Group, and to the left to remove them
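The Segment Group rules from pages 66-69 (Default group that cannot be deleted, new segments land in Default, one group per segment, delete returns segments to Default, directional A→B / B→A segments) as a worked model. This is an added example, not TippingPoint's SMS code; the segment identifier scheme "IPS-1/Seg1/A>B" and the device names are constructed.

```python
"""Model of the Segment Group rules on pages 66-69 (added example, not
TippingPoint's own code). Segment identifiers such as "IPS-1/Seg1/A>B" are a
constructed scheme; a directional segment (page 66) is simply two identifiers,
one per direction, each of which may sit in a different group."""

DEFAULT = "Default"


class SegmentGroups:
    def __init__(self):
        self.groups = {DEFAULT: set()}   # group name -> set of segment ids
        self.group_of = {}               # segment id -> group name (one group per segment)

    def manage_device(self, device, segment_count, directional=False):
        """Place a newly managed device's segments in the Default group (page 68).
        With directional=True each physical segment yields an A>B and a B>A entry."""
        directions = ["A>B", "B>A"] if directional else ["A-B"]
        added = [f"{device}/Seg{i}/{d}"
                 for i in range(1, segment_count + 1) for d in directions]
        for seg in added:
            self.groups[DEFAULT].add(seg)
            self.group_of[seg] = DEFAULT
        return added

    def new(self, name):
        """New: create an empty Segment Group."""
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        self.groups[name] = set()

    def edit_membership(self, name, segments):
        """Edit Membership: move segments into `name`, removing each from the group
        it was in, so no segment is ever a member of two groups."""
        if name not in self.groups:
            raise KeyError(name)
        for seg in segments:
            old = self.group_of[seg]        # KeyError if the segment is not managed
            self.groups[old].discard(seg)
            self.groups[name].add(seg)
            self.group_of[seg] = name

    def delete(self, name):
        """Delete: remove the group and return its segments to Default."""
        if name == DEFAULT:
            raise ValueError("the Default Segment Group cannot be deleted")
        for seg in self.groups.pop(name):
            self.groups[DEFAULT].add(seg)
            self.group_of[seg] = DEFAULT

    def details(self, name):
        """Details: the segments of an existing group, sorted for stable output."""
        return sorted(self.groups[name])

    def check_invariants(self):
        """Every segment is in exactly one group and the index agrees with the sets."""
        seen = {}
        for group, segs in self.groups.items():
            for seg in segs:
                if seg in seen:
                    raise AssertionError(f"{seg} in both {seen[seg]} and {group}")
                seen[seg] = group
        if seen != self.group_of:
            raise AssertionError("group index out of sync with group membership")
        return True


def build_example():
    """Page 67 layout on one constructed device: segment 1 is the perimeter, split
    by direction into Inbound/Outbound groups (page 66); segment 2 is the Core group."""
    sg = SegmentGroups()
    sg.manage_device("IPS-1", 2, directional=True)
    for name in ("Inbound Perimeter", "Outbound Perimeter", "Core"):
        sg.new(name)
    sg.edit_membership("Inbound Perimeter", ["IPS-1/Seg1/B>A"])
    sg.edit_membership("Outbound Perimeter", ["IPS-1/Seg1/A>B"])
    sg.edit_membership("Core", ["IPS-1/Seg2/A>B", "IPS-1/Seg2/B>A"])
    return sg


if __name__ == "__main__":
    sg = build_example()
    for name in sg.groups:
        print(f"{name:20} {sg.details(name)}")
```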

Page 70: TippingPoint Advanced Slides - V3c

Updating Permissions for a Segment Group

• In order for Operators and Administrators to be able to interact with a Segment Group, you must grant permissions to your users

Edit Permissions

Page 71: TippingPoint Advanced Slides - V3c

SMS Event Viewer

Choose the time period for the events

Define your event query in this pane

See the results here

Page 72: TippingPoint Advanced Slides - V3c

Event Viewer: Using Query Panes

• Use one or more criteria panes to build up the event search criteria

– Filter Taxonomy criteria

– Network, IPS / Segment criteria

– Time criteria

• Use “Reset” Buttons to clear query parameters

Additional Panes exist for other search criteria

Page 73: TippingPoint Advanced Slides - V3c

Event Viewer: Time Range Pane

• Real-time: display events as they arrive

• Relative Time

– Last Minute, 5 Minutes, 15 Minutes, 30 Minutes, Hour, Day, Week, Month

• Absolute Time

– Specify Start and End Time

• Controls

– “Refresh” Button executes a query

– “Cancel” Button cancels an already executed query

Page 74: TippingPoint Advanced Slides - V3c

Event Viewer: Saved Queries

• Popular search queries can be saved

– Select the saved query, then hit Refresh to get the latest data

Page 75: TippingPoint Advanced Slides - V3c

Event Viewer: Right Click Options

• Right Click on an Event or Multiple Events

– Copy, Export, View Packet Trace

– View Event Details

– Edit Filter / Filter Exception

– Add comment to event (searchable)

– DNS, whois or ThreatLinQ lookup

– Add IP Reputation entry (more later)

– Create SMS Response (more later)

– Create Named Resource

Page 76: TippingPoint Advanced Slides - V3c

Event Viewer: Event Details

• Event

– Event number, hit count

– Severity, custom comment

• Segment / Device

– IPS Device

– Segment (direction)

• Network

– Source / Destination Address

– Source / Destination Port

– Whois DNS lookup option

• Filter Information

– Name, Number, Classification, Category, Profile, Taxonomy

– CVE / Bugtraq ID

– Description

• Copy Details to Clipboard

• Edit Filter

Page 77: TippingPoint Advanced Slides - V3c

SMS Named Resources

• Named objects used for configuration and events

– Objects include: IP / CIDR, VLAN ID, email addresses

Configured under Admin tab

IP / CIDR can also be added by right clicking on event

Event Viewer showing IP/CIDR named resources

Page 78: TippingPoint Advanced Slides - V3c

Configuring the Event Viewer to resolve Named Resources

• If you want Named Resources to show up in the event viewer:

– Edit > Preferences > Events

– Check “Enable Named Resources lookup for Events table”

Page 79: TippingPoint Advanced Slides - V3c

Lab #2: SMS Client & Device Management

• Install the SMS Java Client

– Download it from the SMS web page https://<sms_ip_addr>

• Note: select a different install directory if you do not want it to overwrite an existing client installation

• Manage your IPS using SMS

– Add your IPS device

– Create Segment Groups and Named Resources

– Investigate IPS behavior when under management

– Review SMS Audit & System logs

Page 80: TippingPoint Advanced Slides - V3c

Advanced Device Management with SMS

Version 3.1

Page 81: TippingPoint Advanced Slides - V3c

Device Summary and Configuration

To Edit Device configuration

Page 82: TippingPoint Advanced Slides - V3c

Devices Configuration Dialog

• All IPS settings are editable via this dialog

Reboot, Shutdown or Reset Filters (resets IPS policy to factory defaults)

Launch Browser to LSM or SSH (e.g. Putty, teraterm, etc)

Page 83: TippingPoint Advanced Slides - V3c

Device Configuration – Member Summary

Member Summary – View Health, Configuration Summary & Device status

Page 84: TippingPoint Advanced Slides - V3c

IPS Network Configuration Overview

• Network Port – physical Ethernet interface

– Configure auto-negotiation, speed and duplex

– Manage the Network Port – enable / disable, restart

– Bound to a specific physical Segment

• Physical Segment – pair of Network Ports

– Configure name, Layer-2 Fallback setting and Link Down Synchronization setting

• Note

– Traffic entering on a Network Port will exit ONLY on the other Network Port in the Segment

Diagram labels: Segment, Network Ports

Page 85: TippingPoint Advanced Slides - V3c

IPS Segment Settings

• Segment Name

– Used in Events and Reporting

• Intrinsic HA (Layer 2 Fallback)

– Specifies whether this Segment will Block or Permit traffic when the device is in Layer 2 Fallback

• Link Down Synchronization

– Control behavior of Segment’s physical Ports when one goes down

– Hub: if Port A goes down, do not take down Port B

– Breaker: if Port A goes down, take down Port B, and disable

– Wire: if Port A goes down, take down Port B, if Port A comes back up, bring up Port B

Page 86: TippingPoint Advanced Slides - V3c

Network Configuration > Segment Settings

Page 87: TippingPoint Advanced Slides - V3c

Network Configuration > Ports Settings

Force Speed / Duplex

Disable unused ports

Restart port (links down/up)

Page 88: TippingPoint Advanced Slides - V3c

Network Configuration in LSM

• Similar configuration may be done via the LSM

– Segments

– Network Ports

Page 89: TippingPoint Advanced Slides - V3c

Intrinsic HA/Layer 2 Fallback (L2FB)

• Failover mode for the IPS device, which disables all inspection

• L2FB can be triggered by the user or automatically by the IPS due to current conditions

– Manual – Why?

– During TOS Update

– During DV Update

– System Failure/Issue

Diagram: Normal Processing (Internet → IPS Inspection Engine → Users) versus Layer 2 Fallback (Internet → IPS with the Inspection Engine bypassed → Users)

Page 90: TippingPoint Advanced Slides - V3c

Intrinsic HA – Configuring and Monitoring in the SMS

• Each Segment has a setting for Block/Permit

– Intrinsic HA (L2FB) is a global setting to the device

– Each segment will behave as configured

Page 91: TippingPoint Advanced Slides - V3c

Intrinsic HA in the LSM

Page 92: TippingPoint Advanced Slides - V3c

Layer 2 Fallback (L2FB) – Block Example

• Network resiliency provided using some form of switch / routing protocol to select the most suitable path

– Spanning Tree, RIP, OSPF, VRRP, etc

• If primary path fails (detected by loss of update packets), then network will transition to secondary path

• In this type of deployment, consider blocking traffic in L2FB

– This will cause the network to transition to the secondary path, but still be inspected

Diagram: Core and Access layers with Core IPS, IPS 1 and IPS 2 in-line (ports A/B on each)

IPS 1 enters Layer-2 Fallback; Segments configured to block traffic in L2FB

Network transitions, traffic continues to pass and be inspected by IPS 2

Consider configuring IPS 2 to permit traffic in L2FB in case both IPSs fallback simultaneously

Page 93: TippingPoint Advanced Slides - V3c

IPS: Link Down Synchronization

• Determines what to do with a segment Ethernet port, if link fails on its partner port

– Hub: Do nothing, when link drops, partner port remains active

– Breaker: Drop and disable partner until port is manually restarted

– Wire: Drop partner link, until original restored

• Configurable “wait-time” for Wire and Breaker modes

– Avoids possible network “flap”

Diagram: Core and Access layers with Core IPS, IPS 3 and IPS 4 in-line (ports A/B on each); Link Failure on 1A!

Assume Access switch transitions to secondary path on detection of link failure; by default in Hub mode, transition would not occur

If wire mode selected, then 1B would also drop, causing switch to transition
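The three Link Down Synchronization modes from pages 85 and 93, including the wait-time that absorbs a link flap and the manual port restart from page 87, simulated on one segment. This is an added example, not TippingPoint code; the port-state fields, the event replay format and the timing are assumptions of the model.

```python
"""Simulation of Link Down Synchronization (pages 85 and 93) on one segment
with ports A and B. Added example, not TippingPoint code. `wait` is the
configurable wait-time in seconds applied in Wire and Breaker mode before the
partner port is taken down; Hub mode never touches the partner."""

HUB, BREAKER, WIRE = "hub", "breaker", "wire"


def partner(port):
    return "B" if port == "A" else "A"


class Segment:
    def __init__(self, mode, wait=0):
        assert mode in (HUB, BREAKER, WIRE)
        self.mode, self.wait = mode, wait
        self.link = {"A": True, "B": True}            # physical link seen on the port
        self.forced_down = {"A": False, "B": False}   # IPS has taken the port down
        self.enabled = {"A": True, "B": True}         # Breaker disables until restarted
        self.pending = None                           # (port that failed, deadline)

    def port_up(self, port):
        return self.link[port] and self.enabled[port] and not self.forced_down[port]

    def link_event(self, port, up, now):
        """Physical link change on `port` at time `now`."""
        self.link[port] = up
        if not up:
            if self.mode != HUB and self.pending is None:
                self.pending = (port, now + self.wait)    # start the wait-time
        elif self.pending and self.pending[0] == port:
            self.pending = None                  # back within wait-time: flap absorbed
        elif self.mode == WIRE and self.forced_down[partner(port)]:
            self.forced_down[partner(port)] = False   # Wire: original restored, bring up partner
        # Breaker keeps the partner down until restart_port() is called

    def tick(self, now):
        """Wait-time expiry check; act only if the failed link is still down."""
        if self.pending and now >= self.pending[1]:
            port, _ = self.pending
            self.pending = None
            if not self.link[port]:
                other = partner(port)
                self.forced_down[other] = True
                if self.mode == BREAKER:
                    self.enabled[other] = False

    def restart_port(self, port):
        """Manual port restart from the SMS/LSM port settings (page 87)."""
        self.enabled[port] = True
        self.forced_down[port] = False


def scenario(mode, wait, events):
    """Replay (time, kind, port) events; kind is 'down', 'up', 'tick' or 'restart'.
    Returns the (A up?, B up?) state after each event."""
    seg = Segment(mode, wait)
    states = []
    for t, kind, port in events:
        if kind in ("down", "up"):
            seg.link_event(port, kind == "up", t)
        elif kind == "restart":
            seg.restart_port(port)
        seg.tick(t)
        states.append((seg.port_up("A"), seg.port_up("B")))
    return states


if __name__ == "__main__":
    # Page 93 scenario: link failure on port A of a segment facing the Access switch.
    print("hub    ", scenario(HUB, 0, [(0, "down", "A")]))
    print("wire   ", scenario(WIRE, 2, [(0, "down", "A"), (3, "tick", None), (4, "up", "A")]))
    print("breaker", scenario(BREAKER, 0, [(0, "down", "A"), (1, "up", "A"), (2, "restart", "B")]))
```

In Hub mode B stays up so the Access switch sees no failure and does not transition; in Wire and Breaker mode B is taken down once the wait-time expires, which is what triggers the switch to fail over to the secondary path.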

Page 94: TippingPoint Advanced Slides - V3c

Zero Power High Availability (ZPHA)

• Zero Power High Availability (ZPHA)

– ZPHA is an external device, purchased from TippingPoint

• NOTE: ZPHA is internal to the 10, 110 and 330

• The External ZPHA is powered by the IPS USB port

• The ZPHA bypasses the IPS during

– TOS updates (if device does not support hitless OS update)

– Power outages

– Hardware upgrades

Diagram: Internet – ZPHA – Users, with IPS 1 behind the ZPHA; USB connection for power; connection made when USB link drops power

Page 95: TippingPoint Advanced Slides - V3c

ZPHA: Cabling Considerations

Diagram: Net A – Device A – ZPHA (ports A, B) – Device B – Net B

• When the ZPHA has power and traffic is shunted to the IPS, Auto-MDI will handle any cabling issues

• When the ZPHA is in by-pass mode, ensure the path from Device A to Device B (Orange Lines) has the proper cabling (straight through vs. cross over)

– To negate MDI/MDI-X or wiring issues, best practice is to deploy while IPS is powered off and ensure you have link

Page 96: TippingPoint Operating System (TOS)

• TOS images may be imported into the SMS or downloaded directly from TMC by the SMS

• Updating the TOS is an important procedure because it involves a reboot of the IPS device(s)

• On E-Series hardware models (600E-5000E) and N-Platform, the reboot process is hitless, and the device will honor the Intrinsic HA/L2FB setting for each segment during the code update

• On software models (10, 110 & 330) and legacy IPS devices, the update is not hitless, but the impact can be mitigated with a ZPHA (built in on the 10, 110 & 330)

Page 97: Devices > Updating the TippingPoint OS

TOS Inventory

• Distributed to a single or multiple IPS devices (may use Device Groups)

• Devices column shows how many devices are running a given TOS version

Distribution Progress

• View details for past or current TOS distributions

• Stop a current distribution

• Clear old distributions

Page 98: Devices > Updating the TippingPoint OS

• Import from local file system

• Download from TMC

– Choose version and select “Download”

– All versions for all device types are downloaded

• Distribution

– Specific device group(s)

– All devices

– Specific device

Page 99: Updating the TOS / DV using LSM

• TOS updates may also be done in the LSM

• To install a TOS image, navigate to

– System > Update > TOS/DV Update screen

• Note: Use the same process to update the Digital Vaccine

Page 100: Lab #3: Advanced IPS Management

• Investigate Segment behavior in Intrinsic HA / L2FB

– Configure Segment 1 to Permit All in Layer 2 Fallback, then run attacks from your Tomahawk

– Configure Segment 1 to Block All and re-run attacks

• Upgrade your IPS software to the specified TOS

Page 101: Basic Filter Policy and Digital Vaccine

Version 3.1

Page 102: Policy Overview: Digital Vaccine

• The Digital Vaccine is a container holding thousands of Filters

– Filters are organized into 12 categories (for ease of management)

– Each individual Filter contains

• Meta information – Name, Description

• Recommended setting (default policy)

• Matching criteria (trigger & threat verification)

– Digital Vaccines are read-only (you don’t configure the DV)

• Only a single Digital Vaccine can be installed on an IPS at any given time

– This is in addition to a custom DV or auxiliary DV which supplements the main primary DV

• Only a single Digital Vaccine can be Active on the SMS at a given time

– The SMS can have multiple DVs in its inventory, but policy changes can only be applied to the filters contained within the Active DV

Page 103: Policy Overview: IPS Profiles

• An IPS Profile is a collection of Filter policy settings which determines whether a Filter is enabled or disabled, along with Notification and other options

– IPS Profiles are distributed to Segments or Segment Groups

– You can have multiple profiles with different policies

• Core vs Perimeter vs DMZ vs Voice

– Each profile may have different filters enabled as required for that network location (Segment)

• By default all Filters are controlled by their Category Setting, and each Category is set to Recommended

– Filters can be controlled by Category

• For example, setting Spyware to Block / Notify will set all current and new spyware filters to Block / Notify

– Filters can also be overridden from their Category Setting

• Allows fine-grained control of each individual filter, where Category would be too broad

• For example, setting ICMP Echo Request to Permit / Notify

• You don’t configure the Digital Vaccine; you control the Profile which accompanies it

Page 104: Digital Vaccine + IPS Profile Relationship

Digital Vaccine Contents (Active):

Filter # | Name | Description | Category | Recommended Setting | Trigger / Threat Verification (Hidden – Intellectual Property)

0164 | ICMP Echo Request | This filter detects ping… | Security Policy | Disabled

0260 | HTTP: Code Red | Code Red exploits a buffer overflow in Microsoft… | Exploits | Enabled: Block / Notify

3798 | HTTP: SQL Injection.. | This filter detects the string variation of SQL injection.. | Security Policy | Disabled

2289 | MS-RPC: ISystemActivator overflow | This filter detects buffer … MS03-026 .. | Vulnerability | Enabled: Block / Notify

3248 | Spyware: WeatherBug | This filter detects an attempt to download WeatherBug.. | Spyware | Disabled

IPS Profile:

Category Setting | Filter Overrides

Vulnerability: Recommended | 0164 Filter Enabled: Permit + Notify; Packet Trace: No; Exceptions: None

Exploits: Recommended | 3798 Filter Enabled: Block + Notify; Packet Trace: Yes; Exceptions: 172.16.240.2/32

Spyware: Block / Notify | 3248 Filter Disabled

Page 105: Security Policy Customization

• Even with a default security profile, customization is often required for different Segments or directions

– Core vs Perimeter vs DMZ

– Internet Inbound vs Internet Outbound

• Filter customization examples

– Expanded threats

• Spyware, non-common OS / Application vulnerabilities or exploits

– Access Policy / Bandwidth Management

• Instant Messenger, Peer-to-Peer, Streaming Media, etc

– Unique traffic mix or network

• VoIP, SCADA, etc

– Customized filtering

• Advanced DDoS, Traffic Management Filters, IP Reputation, Thresholding

Page 106: SMS Profiles Tab

[Screenshot: the Profiles Tab, with IPS Profiles and Digital Vaccines in the navigation]

Page 107: Digital Vaccine: Auto DV & Inventory

Current Active DV

Auto DV Settings: DVs can be downloaded & activated automatically

DV Inventory: Shows the Active DV and a list of other available DVs

DV Distribution Progress: Details DV distribution progress and history

Page 108: DV Import and Download from TMC

DVs can be imported from disk, or downloaded directly from TMC

DVs can optionally be Activated and Distributed as part of the download procedure

Distribute: Distributes and installs the selected DV to one or more IPS devices, which impacts inspection and possibly network / IPS performance

Activate: Activate only impacts the SMS (no change is made to the inline IPS devices). The SMS can only edit filter policy for filters contained within the Active DV

Page 109: DV Distribution

Select which IPS devices to distribute the DV to

Select Priority

Note: High Priority could cause IPS performance issues

Distribution status

Page 110: IPS Profiles

Profile Inventory: Shows all available Profiles

Create New IPS Profile

Distribution Progress: Current progress & history

Page 111: IPS Profiles > NEW

• Create a new IPS Profile for each Segment Group

– Perimeter Profile for the Perimeter Segment Group

– Core Profile for the Core Segment Group

– It is good practice to name the IPS Profile similarly to the Segment Group to which it will be distributed (helping to avoid distributing the wrong profile to the wrong group)

• When creating new IPS Profiles

– Provide a name & Description (optional)

– Once the Profile is created you can optionally assign user permissions

To assign user permissions: File > Permissions, or right-click on a Profile

Page 112: Editing IPS Profiles

• Once you have created your new profile, you may edit the policy

• The default settings for a profile reflect the Digital Vaccine recommended settings, where about 1/3 of all filters are set to block

• Notice that every profile contains:

– Profile Overview

– Profile Settings

– Filters by Category

– Traffic Management

– Filter Search

• You may edit filters by

– Category

– Individually

Page 113: Editing Filters by Category

• Default Profile Settings

– All filters controlled by Category

– All Categories set to Recommended

– This means each filter is enabled or disabled depending on its Recommended Setting

• As assigned by TippingPoint DV Labs

• To change a Category setting

– Expand the appropriate Profile (from the left-hand navigation)

– Select either Application, Infrastructure or Performance Protection

Page 114: Editing Filters by Category, Continued

You can select the required Action Set for your desired Category

In this example, we’re choosing to Block + Notify all Spyware Filters

Page 115: Identifying Individual Filters to Edit

• You may identify individual filters in two ways:

• By Category

– Select a category of interest to find and edit filters from within that category

• By searching Filter criteria:

– Filter Name or Description

– Severity

– State

– Control: Category or Filter

– Action Sets: Block, Permit or Rate Limit

– Classification

– Protocol

– Platform

Page 116: Finding Filters – By Category

• Choose a Category (Example: Spyware)

– Edit filter(s) by highlighting the filter(s) and clicking the “Edit” button, or by right-clicking on the filter(s) and choosing “Edit”

– Create Exceptions, view Action Set, view Related Events

Page 117: Finding Filters – Search

• Use Search to find filters; press the “Search” button to start the search

– Filter Criteria – Name, Description, Severity, Category, Filter State

– Additional Criteria – Action Set, Exceptions, New / Modified, Filter comment

– Filter Taxonomy – Classification, Protocol, OS / Platform

• “Save” a filter search query, and “Reset All” for new searches

Page 118: Editing Filters

Select one or more Filters, then right-click and select Edit

You can also use the Edit button

Page 119: Editing Filters

Override the Category Setting by choosing an Action Set for the Filter

Optionally add Filter-specific IP Exceptions (the filter won’t match)

Page 120: Editing Filters: From the Event Viewer

• Filters can be edited directly from the Event Viewer

– Right-click on an event, then Profile > Edit Filter

Page 121: Distribution of Profiles

• Once you are finished editing a Profile, you need to Distribute it to a Segment or Segment Group for it to take effect

– Anywhere you see the Distribute button, you may select it to distribute the profile

Select Profile, then Distribute

Page 122: Select Destinations for Profile Distribution

You can select whether to distribute the Profile to a Segment Group, a single Segment or a Device

Generally you would distribute to a Segment Group

Be careful to select the appropriate Priority, as this may impact your network

Page 123: Lab #4: Basic Filter Policy & DV Management

• Distribute the latest Digital Vaccine to your IPS

• Create an IPS Profile

– Edit the CrazzyNet Filter

– Distribute the Profile to your Segment Group

• Create SMS Reports for Top Attacks

Page 124: Advanced Profile Management

Version 3.1

Page 125: Default Action Sets

• Block

• Block + Notify

• Block + Notify + Trace

• Permit + Notify

• Permit + Notify + Trace

• Trust

• Recommended

• Additional Action Sets are needed for:

– Rate-limiting

– Other notification types (e.g. snmp_trap, email, syslog)

– Other packet tracing needs (e.g. only grab the header)

– Additional block options (e.g. IPS Quarantine, TCP-reset)

Page 126: Creating new Action Sets

• Action Sets are shared across all Profiles

– IPS Profiles > Shared Settings

• Other Shared Settings include:

– Notification Contacts (more later)

– IPS Services

Note: If you edit an existing Shared Setting, you must redistribute any Profile which uses it

Page 127: New Action Sets: Flow Control

Action Set Name: Best practice is to use something descriptive

Specify Flow Control: Determines what to do with the traffic once a Filter matches, i.e. block, permit or rate-limit

More on the Quarantine and Trust Flow Control options later

Page 128: New Action Sets: Notifications

Management Console: Sends the event to the SMS; the event is also saved on the IPS (alert log if a permit action, block log if a block action)

Remote Syslog: Causes the IPS to send a syslog notification to the specified syslog server. Best practice is to have the SMS relay any syslog events to a 3rd-party logging system

Email / SNMP Traps: You can also have the IPS generate emails or SNMP traps

Page 129: New Action Sets: Packet Trace

Packet Trace: You can optionally instruct the IPS to take a packet trace of the flow which caused the Filter to fire, but use sparingly

Level: Specifies how many bytes to capture

Priority: Storage retention priority for the packet trace

Page 130: New Action Sets

Once created, new Action Sets are available for controlling Category settings and Filter Overrides

Note: If an Action Set calls for the IPS to generate a syslog message, then you must define a remote syslog server under Device Configuration

From the Devices Tab: right-click the device … Edit > Device Configuration

Page 131: Advanced Profile Management Topics

• Policy by direction

– For example Internet in-bound versus out-bound

• Policy by VLAN or CIDR

• Profile versioning, rollback and audit

– Profile snapshots (Distribution & user)

– Importing / Exporting Profiles

• Management of multiple Profiles

– For example changing the same filter across multiple Profiles

– Comparing Profile differences

– Searching across multiple Profiles

• Scheduled Distributions

• Determining what Profile is running on which Segment

• LSM Profile Management

– Importing Profiles from the IPS

Page 132: Policy by Direction

• Each physical IPS segment is actually defined as two virtual Segments to account for directionality, A→B & B→A

– The Profile distributed to the A→B Segment can be different from the B→A Segment

• For example, if Segment 1 is your Perimeter and you wanted to support policy by direction:

– Determine how it is physically wired

• You would first need to determine how the Segment is physically wired, and whether A→B is out-bound vs. in-bound

– Create two Segment Groups

• It is best practice to create two Segment Groups, say “Perimeter In-bound” and “Perimeter Out-bound”, and add the appropriate segments

– Create two IPS Profiles

• You would then create two IPS Profiles, “Perimeter In-bound” and “Perimeter Out-bound”

– You would edit the Filters in the In-bound and Out-bound Profiles accordingly

– Distribute the Perimeter In-bound Profile to the Perimeter In-bound Segment Group

• And the same for Perimeter Out-bound

Page 133: Policy by Direction: Segment Groups

Name “Perimeter Inbound”

Add the appropriate Segments to the group – in this case B→A is inbound

Page 134: Policy by Direction: Profiles

• Create a Perimeter Inbound and Outbound Profile

– Edit Filters accordingly

• Then Distribute the two Profiles to the appropriate Segment Groups

Page 135: Profile Operations: Profile Compare

• At times you may wish to see the differences between two or more Profiles and determine which Filters are configured differently

– For example between Perimeter Inbound and Perimeter Outbound

• Profile Compare

– Allows you to compare two or more Profiles and see the deltas between them

Page 136: Profile Compare Details

View just the differences

Edit a Filter directly from this screen

Page 137: Profile Operations: Profile Import / Export

• Profiles may be Imported and Exported to / from the SMS to an external storage medium

– Useful for importing into another SMS

– Persistent backup for old unused Profiles

• Imported Profiles can be merged into an existing Profile

– Either preserving or replacing existing settings

Page 138: Global Search (across multiple Profiles)

Search across all Profiles and edit the same filter(s) in multiple Profiles

Page 139: Profile Snapshots

• When distributing a Profile to your device, you get a snapshot of your profile called a Distribution Snapshot

– This is a restore point, allowing you to roll back to this point at a later time

– To roll back, simply Activate / Distribute the required version

– A User Snapshot may be created as well

– The Profile Versions tab allows you to manage snapshot versions

Page 140: Profile Versions

Full audit details of who changed which Filter

The major number increases at each distribution (if a change has been made)

The minor number increases for each individual filter or category change

Page 141: Which profiles are applied where?

• Profile Distribution History

– Profiles > <specific profile> > Profile Distribution Details

• Device Network Configuration

– Devices > <specific device> > Network Configuration > Physical Segments

• Segment Group Details

– Devices > Segment Groups > <specific segment group>

• If you un-manage / re-manage an IPS, the SMS will lose this information, as it doesn’t know if the profile was changed

Page 142: Security Profiles in LSM

Edit Existing Profile

Create New Profile

Page 143: LSM: Create Security Profile

Profile Name, Category Settings

Create Profile

Page 144: LSM: Filter Overrides

• Once your Profile is created, you can edit it and create Filter Overrides to configure an individual filter to be different from its Category Setting

Page 145: LSM: Filter Overrides > Search

Use the filter search capability to identify filters to override

Once found, add the Filter to the Profile

Page 146: LSM: Filter Overrides

• Now that the Filter is added to the override list, you can configure it to be different from its Category Setting

Page 147: LSM: Editing Filter Overrides

General Information: Filter name & number, Category, Severity, description & Recommended Setting

Action / State: Use Category or Override; Enable / disable filter; Action Set

AFC & Exceptions: More on AFCs later

Page 148: LSM: Apply Profile to Virtual Segment

• Profile to Segment mapping differs by IPS platform

– E-Series: defined when you create the Security Profile

– N-Platform: separate screen under Network > Virtual Segments

Specify the Incoming / Outgoing Virtual Ports

Select Profile

Add Virtual Segment

Page 149: LSM: Creating new Action Sets

If needed, Action Sets can be created in the LSM

IPS > Action Sets

Page 150: SMS: Importing a Profile from the IPS

• Filter changes do not “synchronize” when you re-manage your IPS

– You have to determine which takes precedence, the Profile setting on the SMS or on the IPS

– If the SMS takes precedence, re-distribute your SMS Profiles to Segment Groups

– If the IPS takes precedence, you have to import them

• Devices Tab > IPS > Network Configuration

Page 151: Lab #5: Advanced Filter Policy

• Create Syslog contact & Action Set

• Update your Segment Groups for directionality

• Create Inbound & Outbound IPS Profiles

– Edit the Crazzy Net Filter using your new Action Set

– Distribute both Profiles to the appropriate Segment Groups

• Edit Filters using the IPS LSM

– IPS web interface called Local Security Manager or LSM

– Import the updated Profile to the SMS

Page 152: Non-DV Filters

Version 3.1

Page 153: Non-DV Filter Definition

• DV Filters

– Filters which perform flow-based inspection against all parts of the traffic

• Including packet header and flow payload

– Filters are updated on a regular basis with a new DV

• Non-DV Filters

– Filters which statistically analyze flows or inspect at the IP header

– Examples include

• Traffic Management Filters

• Advanced DDoS

• IP Reputation

Page 154: Traffic Management Filters

• Traffic Management Filters inspect at the IP header level

– Source / Destination IP address

– Source / Destination TCP / UDP port

– IP Protocol

• Configured within the applicable Profile

• Once matched, traffic can be:

– Blocked (silently – no notifications)

– Allowed (traffic will be inspected against the DV)

– Rate-limited (traffic will be inspected against the DV)

– Trusted (no further inspection occurs)

• Traffic Management Filters obey Precedence

– Filters can be ordered and are evaluated in sequence

– Allow rules can be used in conjunction with Block to pinhole IPs within a larger network, for example:

1. Allow 172.16.240.10/32

2. Block 172.16.240.0/24
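An added example (not TippingPoint code) of the ordered, first-match evaluation the slide describes, using the pinhole pair above and a second list built from the Lab #6 tasks; the 198.51.100.9 "Tomahawk" address and the destination addresses are constructed.

```python
"""Ordered Traffic Management Filter evaluation on the IP-header 5-tuple.
The first matching filter decides the TM action and whether the flow still
goes on to Digital Vaccine inspection."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# From the slide: Block is silent and final, Allow and Rate-limit still get
# DV inspection, Trust skips all further inspection.
DV_INSPECTED = {"block": False, "allow": True, "rate-limit": True, "trust": False}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class TMFilter:
    """One TM filter; any field left as None is a wildcard."""
    action: str
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.src and ip_address(f.src_ip) not in ip_network(self.src):
            return False
        if self.dst and ip_address(f.dst_ip) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != f.proto:
            return False
        if self.dst_port is not None and self.dst_port != f.dst_port:
            return False
        return True


def evaluate(filters: List[TMFilter], flow: Flow) -> Tuple[str, bool, Optional[int]]:
    """Return (action, dv_inspected, index of the matching filter).

    Filters are walked in order and the first match wins, which is why the
    narrow Allow pinhole has to sit above the broader Block."""
    for i, tm in enumerate(filters):
        if tm.matches(flow):
            return tm.action, DV_INSPECTED[tm.action], i
    # No TM filter matched: traffic simply continues to normal DV inspection.
    return "none", True, None


# The pinhole example from the slide: allow one host, block the rest of the /24.
PINHOLE = [
    TMFilter("allow", src="172.16.240.10/32"),
    TMFilter("block", src="172.16.240.0/24"),
]

# Lab #6 style list: trust the (constructed) Tomahawk host, rate-limit web traffic.
LAB6 = [
    TMFilter("trust", src="198.51.100.9/32"),
    TMFilter("rate-limit", proto="tcp", dst_port=80),
]

if __name__ == "__main__":
    for ip in ("172.16.240.10", "172.16.240.77", "10.0.0.5"):
        print(ip, evaluate(PINHOLE, Flow(ip, "192.0.2.80", "tcp", 40000, 80)))
    # Reversing the order swallows the pinhole: the /24 Block now matches first.
    print(evaluate(list(reversed(PINHOLE)),
                   Flow("172.16.240.10", "192.0.2.80", "tcp", 40000, 80)))
```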

Page 155: Traffic Management Filter Configuration

Name / Comment (optional)

Action: Block / Allow / Trust / Rate Limit

Note: Need to create Rate Limit Action Sets first

Direction to apply this filter: A→B, B→A or Both

Traffic Definition: Protocol (IP, TCP, UDP, ICMP); Trust / Block IP fragments; SRC/DST IP (can use named resources)

Page 156: Advanced DDoS

• Provides protection for your publicly available servers

– Typically your DMZ

• Advanced DDoS capabilities differ by IPS platform

– SYN Flood Protection

• N-Platform (v3.1 onwards)

• E-Series

• 110/330

– Connection Flood & Established Connections/Second Attack

• E-Series platforms only

• The IPS must be deployed in a symmetric network for ADDoS to function

– The IPS needs to inspect the full 3-way TCP handshake

– Must also disable the Asymmetric mode TSE setting

Page 157: Background: SYN Flood Attacks

Normal 3-way TCP handshake

[Diagram: CLIENT and SERVER – SYN (Connection Request), SYN+ACK (Request Acknowledged), ACK (Connection Complete), then Data]

SYN-Flood Attack

[Diagram: ATTACKER and SERVER – many SYN Connection Requests (spoofed IP), SYN+ACK replies from the server, no ACK ever returned]

• Attacker sends many spoofed TCP SYN packets

• Server never receives the ACK

– Connection table fills up quickly

– New requests are ignored

Page 158: Background: SYN Proxy

• SYN Proxy

– The IPS mediates the session establishment – via SYN Proxy

– The server only handles legitimate connections

[Diagram: CLIENT, IPS and SERVER – the client completes the three-way handshake (SYN Connection Request, SYN+ACK, ACK Connection Complete) with the IPS; only then does the IPS perform SYN, SYN+ACK, ACK with the server, after which Data flows]

Page 159: Advanced DDoS: Asymmetric Mode

Right-click the device and Edit configuration

TSE Settings: Under Asymmetric Network, uncheck Enabled

Page 160: Advanced DDoS: New Filter

Create New ADDoS Filter: Profiles > Infrastructure Protection > Advanced DDoS

Name, Action, Direction, Protected designations

Page 161: Advanced DDoS: New Filter

E-Series Configuration – Notification Threshold: The IPS will only generate an event when rejected SYNs rise above this rate (note that protection is immediate)

N-Platform Configuration – Enable SYN-Proxy: On N-Platform this can be enabled here; on E-Series it is done under the Devices Tab

Page 162: Reporting for ADDoS & Rate Limits

SMS Reports: Rate Limit (by device or rate); Advanced DDoS report

Note: slight delay in SMS report data gathering

LSM Reports: Rate Limit & DDoS report

Note: useful for real-time reports

Page 163: Lab #6: Non-DV Filters

• Traffic Management Filters

– Create a TM Filter to rate-limit inbound web traffic (TCP/80)

– Create a TM Filter to Trust Tomahawk traffic

• Run the Rate-Limit SMS Report

• Create a TM Filter to Block all Tomahawk traffic (optional)

• Note: Ensure you remove all TM Filters when finished

Page 164: High-Level Architecture & Performance

Version 3.1

Page 165: Threat Suppression Engine (TSE)

• The TippingPoint TSE is flow based; a flow is defined by the following:

– Source / Destination IP address

– Source / Destination Port

– IP Protocol

• The TSE inspection engine performs the easiest tasks first

– For example, Traffic Management Filters are easier than DV inspection filters – TM filters occur first

– Flows must be complete and in sequence prior to inspection

• IP re-fragmentation

• TCP re-sequencing

– DV inspection can then occur on the re-fragmented / re-sequenced flow

• Let’s examine the art of filter writing, using the Microsoft RPC DCOM buffer overflow vulnerability as our example:

– Referenced in Microsoft security bulletin MS03-026

– Exploited by both the Blaster and Nachi worms, to name a few

Page 166: Microsoft RPC DCOM Overflow Vulnerability

[Diagram: packets from the client to the server on port 135/tcp]

Pkt 1 – BIND (client)

Interface: ISystemActivator 000001a0-0000-0000-c000-000000000046 v0.0

Pkt 2 – Interfaces Available (server)

e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0

0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1

975201b0-59ca-11d0-a8d5-00a0c90d8051 v1.0

e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0

99fcfec4-5260-101b-bbcb-00aa0021347a v0.0

b9e79e60-3d52-11ce-aaa1-00006901293f v0.2

412f241e-c12a-11ce-abff-0020af6e7a17 v0.2

00000136-0000-0000-c000-000000000046 v0.0

c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0

4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0

000001a0-0000-0000-c000-000000000046 v0.0

Pkt 3 – REQUEST (client)

Function Call: Opnum 4

Function Arguments: \\server\file

Function call 4 contains a heap-based buffer overflow in the server parameter

Page 167: Vulnerability-Specific Filters

• In EVERY attack, the following must be true to exploit the buffer overflow

– TCP session established to the appropriate port (135)

– BIND is to the appropriate RPC interface

– REQUEST is to the appropriate function call (opnum=4)

– SERVERNAME parameter must be longer than 44 characters

• This guarantees no false positives and no false negatives

\\server\filename

becomes

\\...44+ character buffer...\filename

Pros: Proactive protection, very precise, hard to evade

Cons: Requires a powerful and fast filtering engine

Page 168: Exploit-Specific Filters

• An exploit-specific filter detects the shellcode used in a particular exploit, which could lead to false positives / negatives

– Example: The following hex string can be used to detect the MS Blaster worm:

EB 19 5E 31 C9 81 E9 89 FF FF FF 81 36 80 BF 32 94 81 EE FC

FF FF FF E2 F2 EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95

80 BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32

• \\server\filename

• becomes

• \\...long buffer with shellcode...\filename

Pros: Simple string match, easy to implement, suitable for weak engines

Cons: Reactive, possible false positives / negatives, blind if the exploit is modified
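An added example (not TippingPoint code) contrasting the two filter styles from the last two slides on constructed, simplified DCE/RPC request records: the vulnerability-specific check tests the four conditions listed on the previous slide, while the exploit-specific check is a plain byte-string match. The signature bytes and sample requests are constructed placeholders, not the Blaster string above.

```python
"""Vulnerability-specific vs exploit-specific detection for the MS03-026
condition described on the slides.  Records are simplified to the fields the
IPS would have after TCP re-sequencing: destination port, bound interface,
opnum and the \\server argument of the REQUEST."""
from dataclasses import dataclass
from typing import Dict

ISYSTEMACTIVATOR_UUID = "000001a0-0000-0000-c000-000000000046"  # from the slide
RPC_EPMAP_PORT = 135
VULN_OPNUM = 4
MAX_SAFE_SERVERNAME = 44   # slide: SERVERNAME longer than 44 characters overflows

# Constructed placeholder standing in for a known worm's shellcode bytes.
EXPLOIT_SIGNATURE = bytes.fromhex("DEADBEEF9090CAFE")


@dataclass
class RpcRequest:
    dst_port: int
    bound_interface: str
    opnum: int
    servername: bytes   # the "server" part of \\server\filename
    payload: bytes      # raw REQUEST body as seen on the wire


def vulnerability_specific(req: RpcRequest) -> bool:
    """True only when every condition of the vulnerability is present:
    port 135, BIND to ISystemActivator, opnum 4, oversized SERVERNAME."""
    return (req.dst_port == RPC_EPMAP_PORT
            and req.bound_interface.lower() == ISYSTEMACTIVATOR_UUID
            and req.opnum == VULN_OPNUM
            and len(req.servername) > MAX_SAFE_SERVERNAME)


def exploit_specific(req: RpcRequest) -> bool:
    """True only when the known shellcode bytes appear in the payload."""
    return EXPLOIT_SIGNATURE in req.payload


def make_request(servername: bytes, trailer: bytes, opnum: int = VULN_OPNUM,
                 interface: str = ISYSTEMACTIVATOR_UUID) -> RpcRequest:
    """Build a constructed request whose payload carries \\servername\file."""
    payload = b"\\\\" + servername + b"\\file" + trailer
    return RpcRequest(RPC_EPMAP_PORT, interface, opnum, servername, payload)


# Constructed samples.
BENIGN = make_request(b"fileserver01", b"")                     # normal call
KNOWN_EXPLOIT = make_request(b"A" * 60, EXPLOIT_SIGNATURE)      # signature present
MODIFIED_EXPLOIT = make_request(b"B" * 60, b"\x41" * 8)         # same bug, new bytes
LONG_NAME_OTHER_OPNUM = make_request(b"C" * 60, b"", opnum=2)   # not the vulnerable call


def classify(req: RpcRequest) -> Dict[str, bool]:
    return {"vulnerability_specific": vulnerability_specific(req),
            "exploit_specific": exploit_specific(req)}


if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("known exploit", KNOWN_EXPLOIT),
                      ("modified exploit", MODIFIED_EXPLOIT),
                      ("long name, other opnum", LONG_NAME_OTHER_OPNUM)):
        print(f"{name:24s} {classify(req)}")
```

The modified sample shows the "blind if the exploit is modified" point: the string match misses it while the vulnerability conditions still hold.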

Page 169: TippingPoint Architecture

[Diagram: packets enter the Flow Table and Packet Header Processing; Suspicious Flow Control hands flows to Trigger, Threat Verification and Policy (DV and Profile, received from SMS / LSM), with DROP possible at each stage; on a Filter Match the Notification Engine sends to SMS/LSM, syslog, trap and email over the MGMT port]

Page 170: Architecture: Block / Rate-Limit Streams

• When the IPS blocks a flow, it will block all packets which share the same 5-tuple

– Source / Destination IP address

– Source / Destination Port

– IP Protocol

• This gives significant performance gains, as the IPS no longer needs to inspect the packets belonging to a blocked flow

– Blocked streams remain for 30 minutes by default

– Changing a filter set to block to something else (permit or disable) will not clear a blocked stream

• You may have to manually clear out a blocked stream

• The same principle applies if the DV filter has an Action Set of Rate-Limit
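An added model (not TippingPoint code) of the blocked-stream table this slide describes, so the caveat is visible: once a 5-tuple is in the table, later packets are dropped without inspection until the 30-minute default expiry or a manual flush, even if the filter has since been changed to permit. The addresses and the single-filter inspector are constructed.

```python
"""Blocked-stream table keyed by 5-tuple, with TTL expiry and operator flush."""
from typing import Dict, NamedTuple, Optional, List, Tuple

BLOCK_TTL = 30 * 60   # slide: blocked streams remain for 30 minutes by default


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


class BlockedStreams:
    def __init__(self, ttl: int = BLOCK_TTL):
        self.ttl = ttl
        self._expiry: Dict[FiveTuple, float] = {}   # 5-tuple -> expiry time

    def block(self, ft: FiveTuple, now: float) -> None:
        self._expiry[ft] = now + self.ttl

    def is_blocked(self, ft: FiveTuple, now: float) -> bool:
        expiry = self._expiry.get(ft)
        if expiry is None:
            return False
        if now >= expiry:            # aged out: entry removed lazily
            del self._expiry[ft]
            return False
        return True

    def flush(self, ft: Optional[FiveTuple] = None) -> int:
        """Operator flush (SMS IPS > Events or LSM): one stream, or all."""
        if ft is None:
            count = len(self._expiry)
            self._expiry.clear()
            return count
        return 1 if self._expiry.pop(ft, None) is not None else 0


class Inspector:
    """Packet path: blocked-stream lookup first, DV filter policy second."""

    def __init__(self) -> None:
        self.filter_action = "block"   # current Action Set of the one DV filter
        self.streams = BlockedStreams()
        self.inspected = 0             # packets that reached DV inspection

    def handle(self, ft: FiveTuple, matches_filter: bool, now: float) -> str:
        if self.streams.is_blocked(ft, now):
            return "dropped (blocked stream, not inspected)"
        self.inspected += 1
        if matches_filter and self.filter_action == "block":
            self.streams.block(ft, now)
            return "dropped (filter match)"
        return "forwarded"


def scenario() -> Tuple[List[str], int]:
    """Walk through the caveat from the slide; returns verdicts and the
    number of packets that were actually inspected."""
    ips = Inspector()
    ft = FiveTuple("198.51.100.7", "192.0.2.10", 51515, 80, "tcp")  # constructed
    out = [ips.handle(ft, True, now=0)]        # filter fires, stream is blocked
    out.append(ips.handle(ft, True, now=1))    # same 5-tuple: dropped, no inspection
    ips.filter_action = "permit"               # operator changes the filter to permit
    out.append(ips.handle(ft, True, now=2))    # still dropped: table entry persists
    ips.streams.flush(ft)                      # manual flush clears the stream
    out.append(ips.handle(ft, True, now=3))    # inspected again and now permitted
    return out, ips.inspected


if __name__ == "__main__":
    for verdict in scenario()[0]:
        print(verdict)
```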

Page 171: Viewing blocked streams using SMS

IPS > Events

5-Tuple

Flush selected or All streams

Page 172: Viewing blocked streams using LSM

Select to flush

Page 173: Performance Overview

• The TippingPoint IPS is built on a real-time operating system

– Inspecting traffic is the highest priority

– Other tasks are all lower priority

• Block and Notify operations perform better than Permit and Notify operations

– We are first and foremost an IPS (“Prevention”) and not an IDS (“Detection”)

• Overall system performance can be optimized automatically as well as through manual intervention

Automatic Optimization

• Layer 2 Fallback (Intrinsic HA)

• Performance Protection

• Adaptive Filter Configuration

Manual Optimization

• Properly size the device (rated throughput)

• Define Trust/Block TM Rules

• Create Exceptions

• Disable poorly performing filters

• Use Blocks instead of Permits

• Reduce Packet traces & notifications

Page 174: Layer 2 Fallback (Intrinsic HA)

Causes of automated Layer 2 Fallback

– IPS system issues

• Suspended Tasks

• TSE Issues

• Hardware and Software Watchdog timers

– Excessive congestion (90% packet loss in less than 10 seconds)

• Extreme over-subscription of the IPS Device

Page 175: Performance Protection

• Sending notifications takes up CPU cycles

• Notifications can be suspended automatically if experiencing congestion

• Performance Protection settings

– Logging Mode: Always log / Disable if congested

– Congestion Percentage: Default: 1.0% – Range: 0.1% to 99.9%

– Disable Time: Notification suppression time, Default: 600 seconds

Page 176: TippingPoint Advanced Slides - V3c

Adaptive Filter Configuration - AFC

• The IPS can protect against the adverse effects of a specific filter

– Very dependent on individual customer traffic patterns

• The IPS can disable individual filters under certain situations:

– Threat Verification Timeout

– A Trigger results in a lot of suspicion, but no matches, and the IPS is experiencing congestion

• AFC Settings:

– Filter Settings – AFC may be turned on/off for specific filters as well

– Global Settings – Auto or Manual

• Default: Auto, which means that AFC is on

Page 177: TippingPoint Advanced Slides - V3c

Performance Optimization (Manual)

• Optimization is only required if congestion is occurring or if an IPS is being operated close to its maximum rated throughput

– How to view amount of congestion

– How to view amount of TSE throughput

– How to view filter performance


• The next few slides demonstrate the steps to consider when optimizing performance …

Page 178: TippingPoint Advanced Slides - V3c

How much traffic is traversing the IPS?

show np tier stats

• Look at Tier 1 Rx Mbps / Tx Mbps

– Shows current and maximum throughput from all Segments

• Recommend you run the command multiple times

– High-water mark shown in parentheses ()

• Reset on reboot or clear np tier stats (N-Platform only)

– Ensure traffic is not too close to the maximum rating for that device

Page 179: TippingPoint Advanced Slides - V3c

Monitoring Throughput


Page 180: TippingPoint Advanced Slides - V3c

Is the IPS experiencing Congestion?

show np general statistics

• These are always-increasing counters

– Run the command multiple times within a given period

– Congestion: shows packets dropped due to congestion

(screenshot callouts) Look at how many packets are being dropped due to Congestion. Run the command more than once to see if congestion is increasing. On N-Platform the counter is named Dropped instead of Congestion.

Page 181: TippingPoint Advanced Slides - V3c

Monitoring Congestion


Page 182: TippingPoint Advanced Slides - V3c

Which filters are working well (or not)?

show np rule-stats

• Shows the top 20 triggered filters

• Which filters are triggering the most

– Look for filters with high “% Total”

• Which filters are working well

– Look for filters with high “% Success”

– 100% means each time a filter is triggered, a threat is found

• Which filters are triggering, but not finding anything bad

– Look for filters with zero “% Success”

– Filters highlighted are candidates to be disabled

• Large number of flows

• Zero success

– Note: they are candidates, as they may detect attacks in the future!
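An added example (not code from the slides or from TippingPoint) applying this slide’s rule to a constructed sample: rank filters by “% Total” and flag those with many flows but zero “% Success” for review. The column layout in SAMPLE_RULE_STATS is an assumed stand-in for the real `show np rule-stats` output, so ROW_RE would need adapting to the actual columns.

```python
"""Rank hit statistics and flag filters that trigger but never find a threat.

Added example for this slide, not TippingPoint code.  The row layout below
(filter number, name, flows, % Total, % Success) is a constructed stand-in
for `show np rule-stats` output; adapt ROW_RE to the real column order.
"""
import re
from dataclasses import dataclass

# Constructed sample: "<filter> <name> <flows> <% Total> <% Success>"
SAMPLE_RULE_STATS = """\
Filter  Name                          Flows   %Total  %Success
0164    ICMP: Echo Request            18234   41.2    0.0
0079    HTTP: Directory Traversal      5210   11.8    97.5
1234    SQL: Slammer Worm              4021    9.1    100.0
2223    DNS: Malformed Query           3988    9.0    0.0
0443    SSL: Weak Cipher                120    0.3    12.0
"""

# The three trailing numeric fields anchor the match, so a filter name may
# itself contain digits and spaces without confusing the parser.
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s*$")


@dataclass
class FilterStat:
    number: str
    name: str
    flows: int
    pct_total: float
    pct_success: float


def parse_rule_stats(text: str) -> list[FilterStat]:
    """Parse rows; the header and blank lines do not match ROW_RE and are skipped."""
    stats = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            num, name, flows, total, success = m.groups()
            stats.append(FilterStat(num, name.strip(), int(flows),
                                    float(total), float(success)))
    return stats


def top_triggered(stats: list[FilterStat], n: int = 20) -> list[FilterStat]:
    """Filters triggering the most: highest "% Total" first (slide: top 20)."""
    return sorted(stats, key=lambda s: s.pct_total, reverse=True)[:n]


def disable_candidates(stats: list[FilterStat], min_flows: int = 1000) -> list[FilterStat]:
    """Large number of flows and zero "% Success": candidates to review.

    They are only candidates: a filter that finds nothing today may still
    detect an attack tomorrow, so the decision stays with the operator.
    """
    return [s for s in stats if s.flows >= min_flows and s.pct_success == 0.0]


if __name__ == "__main__":
    stats = parse_rule_stats(SAMPLE_RULE_STATS)
    for s in top_triggered(stats):
        print(f"{s.number} {s.name:<28} flows={s.flows:>6} "
              f"total={s.pct_total:>5}% success={s.pct_success:>5}%")
    print("Review candidates:", [s.number for s in disable_candidates(stats)])
```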

Page 183: TippingPoint Advanced Slides - V3c

Common Performance Problems

Problem: Over subscribing the IPS with too much traffic

– Route traffic around the IPS or get a bigger IPS / CoreController

– Use inspection by-pass rules (N-Platform only)

Problem: Lots of out of order or fragmented packets

– Could be a network MTU issue

– Lots of IP in IP traffic

– Trust fragmented traffic between trusted servers

Problem: Congestion when distributing Profiles or updating DV’s

– Check that you do not have high-priority enabled

– Distribute at a quieter time

– Place device into L2FB, then distribute, then remove L2FB

Problem: Congestion during peak network load

– Ensure you apply filters only where needed (i.e. VoIP filters only on voice VLAN)

– Disable filters which you know you no longer need (patched, don’t use application / OS, old vulnerability, etc)

– Use show np rule-stats to identify filter candidates to disable

– Consider using traffic management trust rules to trust backups or other trusted bulk transfer applications

Problem: IPS Enters Performance Protection

– Check you don’t have excessive Permit + Notifies, packet traces or email notifications

– Look to set filters which are firing to Block only (i.e. SQL Slammer)

– Review other solutions above

Page 184: TippingPoint Advanced Slides - V3c

IPS Quarantine, Reputation & SMS Responder

Version 3.1

Page 185: TippingPoint Advanced Slides - V3c

IPS Quarantine Overview

• Quarantine can be used to prevent an infected machine from accessing the network

– It can optionally be used to inform the host’s user that something is wrong

• When a host is Quarantined the IPS can:

– Block, intercept or redirect HTTP traffic

– Block all other non-HTTP traffic from that host

• Not just the 5-tuple flow of a regular Filter block or block/notify

• Quarantine behaves slightly differently between platforms

– N-Platform devices support:

• Block + Quarantine (quarantine immediately)

• Permit + Quarantine (can specify a threshold before quarantining)

– i.e. Quarantine after 5 hits in 2 minutes (ideal for failed login attempts)

– Non N-Platform devices (10, 110, 330, 600E-5000E)

• Only Block + Quarantine

• Thresholding can be achieved by leveraging SMS Responder

Page 186: TippingPoint Advanced Slides - V3c

IPS Quarantine Overview

• Quarantine can be used to prevent an infected machine from spreading worms

– Can also be used to inform the user that something is wrong

(diagram) A “walk-in worm” on an infected PC in the Corporate Network tries to spread towards the Internet: 1. Filter blocks worm; 2. Infected PC Quarantined; the infected PC’s browse to www.google.com… is then handled by the quarantine action

Page 187: TippingPoint Advanced Slides - V3c

IPS Quarantine Configuration

• IPS Quarantine is configured as a Filter Action Set

– Profiles > Shared Settings

(screenshot) Action Set: Name; Flow control: Quarantine

Page 188: TippingPoint Advanced Slides - V3c

IPS Quarantine Configuration

• Configure required Notifications

– All Notification types are possible, along with Packet Traces

Page 189: TippingPoint Advanced Slides - V3c

IPS Quarantine Configuration

• Configure Threshold and what to do with web requests and all other traffic

(screenshot callouts)

– Threshold: hit count and period, and what to do with the traffic until the threshold is reached

– Note: only N-Platform supports Permit, all other devices only support Block

– Web Requests: Block / Redirect (to your own server) / Display quarantine web page (* IPS displays block page)

– Choose what to do with other traffic

Page 190: TippingPoint Advanced Slides - V3c

IPS Quarantine Configuration

• Restrictions / Exceptions and Quarantined Access

– Quarantined Access: list of CIDRs which a quarantined host can access, for example a remediation server

– Restrictions / Exceptions: which IP CIDRs can or can not be quarantined. The Filter will still match; this setting determines whether to quarantine the host

Page 191: TippingPoint Advanced Slides - V3c

IPS Quarantine

• When traffic hits a Block + Quarantine filter:

– A Blocked Stream is generated

– A Quarantined Host is generated

• Hosts can be released from Quarantine manually

– Or you can configure an automatic timeout

Page 192: TippingPoint Advanced Slides - V3c

IPS Quarantine Threshold Example (N-Platform ONLY)

• N-Platform allows the ability to perform Permit thresholds for Quarantine

– This is ideal for blocking excessive failed login attempts

Page 193: TippingPoint Advanced Slides - V3c

IP / DNS REPUTATION


Page 194: TippingPoint Advanced Slides - V3c

IP / DNS Reputation Overview

• Allows the ability to create policy based on IP / DNS reputation

– N-Platform only feature

– For DNS reputation IPS must be in path between client and DNS server

• Reputation data can be entered manually or sourced from TippingPoint with the Reputation DV service

– Manual entries: can be added individually, from event viewer, or imported from file (csv format)

– Reputation DV service from TippingPoint (future)

• Reputation Filter determines what action to perform when traffic matches a reputation criteria

– Configured as part of your IPS Profile (then distributed to appropriate Segment or Segment Group)

– Reputation Filters can use any available Action Set

• Including Block, Permit, Rate Limit & Quarantine

Page 195: TippingPoint Advanced Slides - V3c

IP / DNS Reputation Overview

Set Policy Based Upon

• Reputation Score

• Locale (Country)

• Device Type - exploit source, malware host, Botnet CnC, spam, etc

Reputation DV

• IPv4 & IPv6 Address

• DNS Name

• Reputation information for each

(diagram) The Security Management System distributes the Reputation DV to the IPS Platform sitting between Internet Access and the Switch: requests to bad DNS domains blocked, traffic from bad IP addresses blocked

Page 196: TippingPoint Advanced Slides - V3c

Reputation Database Example

IP / DNS        Type     Country  Score
58.24.0.1       Botnet   China    9
58.192.0.5      Hacker   China    10
204.79.230.53   Spammer  UK       6
62.212.96.43    Hacker   France   9
62.217.0.154    Hacker   France   10
24.48.224.120   Hacker   USA      3

• Each database entry can optionally contain a tag

• You can create your own tag categories

– Type, score, country, etc

• Categories can be defined as

– List, numeric range, date, Boolean, free form text

Page 197: TippingPoint Advanced Slides - V3c

Reputation: Tag Categories

(screenshot) Name; Type: Text, Numeric, List, Boolean, Date

Page 198: TippingPoint Advanced Slides - V3c

Reputation: List Tag Category Example

(screenshot) Name: Country; Type: List; List Entries

Page 199: TippingPoint Advanced Slides - V3c

Reputation Database: Import / Add Entries

• User Provided Entries

– Once your tags are defined, you can start entering or importing your entries

Page 200: TippingPoint Advanced Slides - V3c

Reputation Database: Adding Entries

• Add Entry (Add or Import from File)

– IP Address / DNS domain

– Reputation Data

• Importing from CSV file:

62.201.128.219,Country,France,Score,7,Type,Hacker,Validated,TRUE
62.210.0.1,Country,France,Score,8,Type,Hacker,Validated,FALSE
62.212.96.219,Country,France,Score,9,Type,Hacker,Validated,TRUE
62.217.0.219,Country,France,Score,10,Type,Hacker,Validated,FALSE
24.40.96.219,Country,USA,Score,1,Type,Botnet,Validated,TRUE
24.40.128.218,Country,USA,Score,2,Type,Botnet,Validated,FALSE
24.40.192.219,Country,USA,Score,3,Type,Botnet,Validated,TRUE
24.41.0.218,Country,USA,Score,4,Type,Botnet,Validated,FALSE

Page 201: TippingPoint Advanced Slides - V3c

Reputation Database: Search

• You can search the Reputation database by criteria

– For example: all Chinese & French botnets with a score >= 7
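An added example (not SMS code) covering both the CSV import format shown two slides back and the search described here: it parses address-or-name rows followed by tag/value pairs, then answers “all Chinese & French botnets with a score >= 7”. How each tag category is typed (Score numeric, Validated Boolean, Country and Type list values) is an assumption; the 58.24.0.1, 198.51.100.7 and Bad.Example.NET rows are constructed for the demo.

```python
"""Parse reputation-database CSV rows and search them by tag criteria.

Added example, not SMS code.  The row layout (address or DNS name followed by
tag-name / tag-value pairs) follows the slide's import example; how each tag
category is typed (Score numeric, Validated Boolean, Country and Type list
values) is an assumption about the SMS categories.
"""
import csv
import io
import ipaddress

# Rows from the slide's CSV import example, plus three constructed rows
# (58.24.0.1 mirrors the "Reputation Database Example" table; 198.51.100.7
# and Bad.Example.NET are made up for this demo).
SAMPLE_CSV = """\
62.201.128.219,Country,France,Score,7,Type,Hacker,Validated,TRUE
62.210.0.1,Country,France,Score,8,Type,Hacker,Validated,FALSE
62.212.96.219,Country,France,Score,9,Type,Hacker,Validated,TRUE
62.217.0.219,Country,France,Score,10,Type,Hacker,Validated,FALSE
24.40.96.219,Country,USA,Score,1,Type,Botnet,Validated,TRUE
24.40.128.218,Country,USA,Score,2,Type,Botnet,Validated,FALSE
24.40.192.219,Country,USA,Score,3,Type,Botnet,Validated,TRUE
24.41.0.218,Country,USA,Score,4,Type,Botnet,Validated,FALSE
58.24.0.1,Country,China,Score,9,Type,Botnet,Validated,TRUE
198.51.100.7,Country,France,Score,7,Type,Botnet,Validated,FALSE
Bad.Example.NET,Country,China,Score,10,Type,Botnet,Validated,TRUE
"""

# Assumed category types; anything not listed is kept as free-form text.
TAG_PARSERS = {
    "Score": int,
    "Validated": lambda v: v.upper() == "TRUE",
}


def parse_reputation_csv(text: str) -> dict[str, dict]:
    """Return {address_or_name: {tag: value}}; malformed rows raise ValueError."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0]:
            continue                      # blank line
        key, pairs = cells[0], cells[1:]
        if len(pairs) % 2:
            raise ValueError(f"{key}: tag name without a value in {pairs}")
        try:                              # IPv4 / IPv6 address ...
            key = str(ipaddress.ip_address(key))
        except ValueError:                # ... otherwise a DNS name
            key = key.lower().rstrip(".")
        entries[key] = {name: TAG_PARSERS.get(name, str)(value)
                        for name, value in zip(pairs[::2], pairs[1::2])}
    return entries


def search(entries: dict[str, dict], countries=None, types=None, min_score=None) -> list[str]:
    """Entries matching every given criterion, e.g. the slide's
    "all Chinese & French botnets with a score >= 7"."""
    hits = []
    for key, tags in entries.items():
        if countries is not None and tags.get("Country") not in countries:
            continue
        if types is not None and tags.get("Type") not in types:
            continue
        if min_score is not None and tags.get("Score", -1) < min_score:
            continue
        hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    db = parse_reputation_csv(SAMPLE_CSV)
    print(search(db, countries={"China", "France"}, types={"Botnet"}, min_score=7))
```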


Page 202: TippingPoint Advanced Slides - V3c

Reputation: Profile Settings

• Profile > Infrastructure Protection > Reputation

– Click New to create a new Reputation Filter

• Reputation Settings

– Match against source, destination or both addresses

– Block or Permit while performing database lookup

Page 203: TippingPoint Advanced Slides - V3c

Reputation: New Filter

(screenshot) Name; Action Set; Reputation Criteria

Page 204: TippingPoint Advanced Slides - V3c

Reputation: Events


Page 205: TippingPoint Advanced Slides - V3c

SMS RESPONDER


Page 206: TippingPoint Advanced Slides - V3c

SMS Responder Overview

• Responder (or Active Response) is a mechanism where the SMS can perform an Action based on various Inputs

• Inputs (also known as Response Initiation)

– Manual (for example from Event Viewer)

– Threshold (x number of hits in y timeframe)

– IPS Quarantine occurrence

– External system integration (via an API call)

• Action (outcome of a Response)

– Implement IPS quarantine

– Switch disconnect or move to VLAN

– Notification

– External system integration

– Custom Action / Response (fully scriptable)

• Example Responder use-cases

– Failed login attempts / Conficker mitigation

– Brute force web harvesting

– Desktop ticket system integration (i.e. in response to spyware filter hit)

Page 207: TippingPoint Advanced Slides - V3c

SMS Responder Lifecycle

(diagram, read as a cycle)

1. START: Response Closed

2. Response Triggered (open) by: IPS Quarantine, Event Viewer, Threshold of filter hits, or External System

3. SMS Opens Response and performs one or more Actions (open): External System web call, Switch Disconnect, Email, Move to VLAN, IPS Quarantine, Syslog / trap

4. Response Opened

5. Response Triggered (close) by: External System, Timeout, or Manual

6. SMS performs closing Actions (close); Response Closed

Page 208: TippingPoint Advanced Slides - V3c

SMS Responder Example (Simple)

• Manual Response (from Event Viewer)

– Useful if you quickly want to block a host

1. Select Responder tab

2. Choose Policies

3. Click New

Page 209: TippingPoint Advanced Slides - V3c

Responder: Initiation

1. Policy Name

2. Policy Initiation

Page 210: TippingPoint Advanced Slides - V3c

Responder: Inclusions / Exclusions

Enter Inclusions / Exclusions (in our case, allow any IP address)

Page 211: TippingPoint Advanced Slides - V3c

Responder: Actions


1. Click Add Action

2. Select IPS Quarantine

3. Click OK

4. Finish

Page 212: TippingPoint Advanced Slides - V3c

Responder: Create Manual Response

(screenshots) From the SMS Event Viewer; From the Responder Tab

Page 213: TippingPoint Advanced Slides - V3c

Lab #7: IPS Quarantine and Event Viewer

• IPS Quarantine

– Create “DMZ” Segment Group & Profile

– Create new IPS Action Set for Block + Quarantine

– Edit ICMP Echo Request Filter #0164

– Distribute Profile & Test


• Create Filter Exception using SMS Event Viewer

Page 214: TippingPoint Advanced Slides - V3c

Lab Network Re-Wire

(diagram: Before / After, Student and Tomahawk)

• Before: Student connects directly to Tomahawk via management network

• After: Student traffic passes through IPS when connecting to Tomahawk via management network

Page 215: TippingPoint Advanced Slides - V3c

RESPONDER THRESHOLDS (TIME PERMITTING)

SMS Responder Correlation & Thresholding

Page 216: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

• Your organization wishes to block excessive pings

– Excessive = more than 20 pings in 2 minutes

– If threshold is exceeded, then block the attacker for 3 minutes

• Step #1 Create Active Response Policy

– Enable Correlation & Thresholding for 20 in 2 minutes

– Specify timeout of 3 minutes

– Specify Actions – IPS Quarantine

• Step #2 Create IPS Action Set

– Under Shared Settings

– Set filter action to Permit, specify SMS Active Response policy just created in Step #1

• Step #3 Edit filter & Choose Action Set & Distribute Profile

– Edit filter 0164: ICMP Echo Request

– Choose Action Set from Step #2

– Distribute

Page 217: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

• Specify Initiation & Timeout

(screenshot) Enable Correlation & Thresholding; Automatic Timeout after 3 minutes

Page 218: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

• Specify Inclusions & Exclusions

Page 219: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

(screenshot) Configure Threshold: 20 hits in 2 minutes

Page 220: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

(screenshot) Add Responder Actions

Page 221: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

(screenshot) If using IPS Quarantine as a Responder Action, you must specify which devices will implement the Action

Page 222: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

• Create new Filter Action Set (Profiles > Shared Settings)

(screenshot) We’re using Permit for Flow Control, as we want SMS Responder to determine if / when to block

Page 223: TippingPoint Advanced Slides - V3c

SMS Responder Example (Advanced)

(screenshot) We must tie this Action Set to the desired SMS Responder Policy

Page 224: TippingPoint Advanced Slides - V3c

What happens now

• Now you configure the appropriate filter with this Action Set

• If someone pings the victim excessively

– The IPS will generate hits for Filter #0164

– The SMS sees the filter hits (because we checked Permit and Notify in the Action Set)

• The SMS Responder Policy receives the filter hit (because we checked the appropriate Responder policy in the Action Set)

– The Responder Policy will eventually become Active because more than 20 hits will be seen within 2 minutes

• The policy will go into effect, and the IPS devices will be told to Quarantine the attacking IP address
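An added example (not SMS code) modelling the correlation, thresholding and timeout logic of the Responder policy built over the last slides: per-source filter hits are counted in a sliding 2-minute window, the 20th hit opens a response (the IPS Quarantine action), and the response closes automatically 3 minutes later. Whether the SMS opens at exactly 20 or at more than 20 hits is an assumption, as are the hit events, which are constructed.

```python
"""Per-source correlation & thresholding with automatic timeout.

Added example modelling the Responder policy on these slides, not SMS code:
a source seen with 20 filter hits inside a 2-minute window opens a response
(IPS Quarantine), and the response closes on its own 3 minutes later.
Whether the SMS counts "20" or "more than 20" is an assumption; this model
opens at the 20th hit.  Times are seconds; the hit events are constructed.
"""
from collections import defaultdict, deque


class ThresholdResponder:
    def __init__(self, hits: int = 20, window_s: int = 120, timeout_s: int = 180):
        self.hits, self.window_s, self.timeout_s = hits, window_s, timeout_s
        self._recent = defaultdict(deque)   # source -> hit times inside the window
        self.open = {}                      # source -> time the response opened
        self.actions = []                   # (time, "open" | "close", source)

    def _expire(self, now: int) -> None:
        """Close any response whose automatic timeout has elapsed."""
        for src, opened_at in list(self.open.items()):
            if now - opened_at >= self.timeout_s:
                del self.open[src]
                self.actions.append((now, "close", src))  # e.g. release quarantine

    def hit(self, now: int, src: str) -> bool:
        """Record one Permit + Notify hit (e.g. filter 0164) from src; True if it opens a response."""
        self._expire(now)
        if src in self.open:
            return False                    # already quarantined
        window = self._recent[src]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()                # drop hits older than 2 minutes
        if len(window) >= self.hits:
            self.open[src] = now
            self.actions.append((now, "open", src))   # e.g. IPS Quarantine
            window.clear()
            return True
        return False

    def tick(self, now: int) -> None:
        """Call periodically so timeouts close even when no new hits arrive."""
        self._expire(now)


# Constructed hits: 10.1.1.5 pings every 3 s (20 within 57 s -> reaches threshold);
# 10.1.1.7 pings every 20 s (never 20 inside any 2-minute window);
# 10.1.1.9 sends only five pings.
SAMPLE_EVENTS = sorted(
    [(3 * i, "10.1.1.5") for i in range(20)]
    + [(20 * i, "10.1.1.7") for i in range(20)]
    + [(10 * i, "10.1.1.9") for i in range(5)]
)


def run(events, responder=None) -> list[tuple]:
    """Replay time-ordered (time, source) hits; return the open/close action log."""
    responder = responder or ThresholdResponder()
    for t, src in events:
        responder.hit(t, src)
    return responder.actions


if __name__ == "__main__":
    for action in run(SAMPLE_EVENTS):
        print(action)
```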

Page 225: TippingPoint Advanced Slides - V3c

Lab #8: SMS Responder

• Block Excessive Pings using SMS Responder

– Trigger on 20 pings in 2 minutes

– Automatically close response after 3 minutes

– Create new IPS Action Set to use Responder Policy

• Apply to ICMP Echo Request Filter 0164


• Experiment blocking hosts using a Manual Response

Page 226: TippingPoint Advanced Slides - V3c

Ongoing Maintenance, Troubleshooting and Additional Resources

Version 3.1

Page 227: TippingPoint Advanced Slides - V3c

Digital Vaccine Maintenance

• Setting up Auto-DV download using the SMS is easy

– Download from TMC

– Activate in SMS

– Distribute to all Devices

– Note: This distribution will occur as soon as SMS detects the new DV on TMC

• To Distribute new DV’s at a specific time, then:

– Setup Auto Download

– Setup Auto Activation

– DO NOT set Auto Distribution

• This would distribute the new DV immediately

– Create a Digital Vaccine schedule

Page 228: TippingPoint Advanced Slides - V3c

Digital Vaccine Scheduled Distribution

(screenshots) Auto DV Activation: Enable Auto DV Download; Enable Auto DV Activation; Disable Auto DV Distribution. New Scheduled Distribution: Name, Schedule, DV version; IPS Device Targets

Page 229: TippingPoint Advanced Slides - V3c

IPS System Snapshots

• System Snapshot is an IPS configuration backup

– Which includes the current Digital Vaccine

– Once created you should export it from the IPS

• Either to your laptop or SMS for safekeeping

• Useful for:

– Saving a known “good” configuration

– Cloning configurations

– Backup purposes (Disaster Recovery)

• To restore a System Snapshot

– The IPS model and TOS version must exactly match the device which it was created on

– The snapshot must be imported to the IPS

– The IPS will reboot when the Snapshot is restored

Page 230: TippingPoint Advanced Slides - V3c

IPS System Snapshots (using SMS)

IPS System Snapshots are managed under the Devices Tab: IPS > Device Configuration > System Update

(screenshot callouts)

– Create: creates a new snapshot on the IPS

– Import / Export: from disk

– Copy: copies a snapshot to / from the SMS (the snapshot has to be on the device before it can be restored)

– Restore (will reboot the IPS)

Page 231: TippingPoint Advanced Slides - V3c

IPS System Snapshots (using LSM)

• Snapshots can also be managed using the LSM

– And via the CLI: snapshot create <name>

Page 232: TippingPoint Advanced Slides - V3c

SMS Database Backups

• SMS Database Backups

– Backs up the SMS database for disaster recovery purposes

– Can be Scheduled or Immediate

– Backup file can be stored locally or offloaded to an NFS / SMB file share or sFTP/SCP

– The backup file can be optionally encrypted

– Time/date stamp can be added to the backup filename

• SMS Database Backup Contents

– SMS configuration information

• All SMS settings, all Devices under management

– Device configuration

• IPS configuration and snapshots from devices (if stored on the SMS)

– Include Packages (Digital Vaccines & TOS images)

• One or more Digital Vaccines, zero or more TOS images

– SMS event history (optional, could increase backup size to ~15GB)

Page 233: TippingPoint Advanced Slides - V3c

SMS Database Backup


Page 234: TippingPoint Advanced Slides - V3c

SMS Database Backup Wizard

(screenshot) Scheduled Backup: specify schedule name & recurrence

Page 235: TippingPoint Advanced Slides - V3c

SMS Database Backup Wizard

(screenshot) Specify number of DV’s / TOS images to include; specify whether to include event data (makes backup large, ~15GB)

Page 236: TippingPoint Advanced Slides - V3c

SMS Database Backup Wizard

(screenshot) Specify backup location: recommend off-box for disaster recovery purposes

Page 237: TippingPoint Advanced Slides - V3c

SMS Database Backup Wizard


Page 238: TippingPoint Advanced Slides - V3c

SMS High Availability (HA)

• Configure two SMS devices

• One will be the active SMS, the other the passive SMS

• The two devices communicate over a secure channel to exchange heartbeat and to synchronize data

• This secure channel can be over the primary (management) or secondary (private) interface

– NOTE: SMS servers have two NICs marked 1 (primary) and 2 (secondary)

• The two devices can share a virtual IP

– Active device responds to requests to the virtual IP

• If the active device fails, the passive will take over

Page 239: TippingPoint Advanced Slides - V3c

SMS High Availability: Using Primary Link

(diagram) SMS #1 at 192.168.1.20 and SMS #2 at 192.168.1.21 exchange HB (heartbeat) and sync over the primary link; optional Virtual Shared IP 192.168.1.22; User Laptop at 192.168.1.x

Page 240: TippingPoint Advanced Slides - V3c

IPS Password Reset Procedure

• To perform a password reset on an IPS:

– Establish a terminal connection to the IPS (115200/8/N/1)

– Reboot the IPS and watch for the word “Loading” (see screen shot on next page)

– Type mkey before the “…” appears after the word “Loading”

– If mkey is input at the right time, the IPS will request the following:

• Security level

• SuperUser name

• SuperUser password

• NOTE: Since this procedure requires a reboot of the IPS device, be aware that traffic through the device may be interrupted

Page 241: TippingPoint Advanced Slides - V3c

IPS Password Reset Procedure

• IPS Serial Console

– Enter mkey (no spaces, no CR/LF)

(screenshot) Type mkey here

Page 242: TippingPoint Advanced Slides - V3c

IPS Password Reset Procedure

• Enter security level and new Username / Password

– All other system configuration information remains the same


Page 243: TippingPoint Advanced Slides - V3c

SMS Password Recovery

• Connect monitor & keyboard to SMS

– Reboot and interrupt the boot process

– Select “Password Recovery”

• Login to SMS using:

– Username: SuperUser

– Password: <SMS Serial Number>

• Serial number can be found by pressing <ALT><F12> once booted

Page 244: TippingPoint Advanced Slides - V3c

IPS: Command Line Interface (CLI) Overview

• Connecting to the CLI

– Terminal Cable

– SSH

– Telnet (Must turn this on for Telnet access to be available)

• CLI basics

– “help” – Run this command to enter the help mode

– “?” will display sub-commands or usage information

• “show ?” for example

• Sticky commands

– “conf t <enter>” will enter the configuration mode

– Ctrl-c or “exit” to escape this mode

• Auto-complete

– Press “tab key” for auto-complete

– “sh<tab>” will get you “show”

• Shortcuts

– “conf t” for “configure terminal”

– “sh” for “show”

Page 245: TippingPoint Advanced Slides - V3c

IPS: CLI – Top-Level Commands

• Show commands: allow the user to view IPS settings

– “sh” for short

– Example: “show conf host”

• Debug commands: for lower level troubleshooting

– Example: “debug information memory”

• Configure Terminal commands: make configuration changes

– “conf t” for short

– Commands take effect immediately, no saving required (they are persistent)

– Example: “configure terminal server http”

• Snapshot commands: create and manage IPS snapshots

• Other useful top-level commands

– “reboot” restarts the IPS

– “halt” gracefully halts the system in preparation for a “power off”

– “setup” re-runs the setup wizard

– “traffic-capture” captures traffic on inspection segments

Page 246: TippingPoint Advanced Slides - V3c

IPS Factory Reset

• Login to the CLI as a user with super-user access

– Type: debug factory-reset

– When prompted, type “COMMIT” and press <enter>

• NOTE: This command will remove:

– All current configuration information

– All log files

– All User Accounts

– All filter policies

– Resets IPS to the factory delivered TOS and DV versions

• Recovering after a Factory Reset

– Re-Setup the device

– Use an IPS system Snapshot and restore

– Use an SMS to re-push IPS Policy

Page 247: TippingPoint Advanced Slides - V3c

SMS Factory Reset

• The SMS Factory Reset only clears out the SMS database and leaves the software version intact


Page 248: TippingPoint Advanced Slides - V3c

Resetting IPS Filters

• If you are experiencing issues with performance, or filter policy, you may elect to reset the IPS filters

– In the SMS under the Device Configuration dialog

– From the LSM, IPS > Preferences > Reset

• Afterwards, you need to do the following

– Recreate any virtual segments

– Re-distribute your profiles to the device

Page 249: TippingPoint Advanced Slides - V3c

Troubleshooting: IPS Management Port

• Ping

– ping <address>

• ARP Listing

– show arp

• TraceRoute


– traceroute

• Show Management Port Settings

– show conf interface mgmtEthernet

Page 250: TippingPoint Advanced Slides - V3c

Troubleshooting: No traffic passing

• Port Health

– Link

– Negotiation

– L2FB Set to Block

• Blocked Streams


• Quarantined host entry

• IP Reputation entry set to Block

• Traffic Management Filter set to Block

Page 251: TippingPoint Advanced Slides - V3c

Troubleshooting: Policy not working

• Port Health

– L2FB Set to Permit

• Has Policy been distributed to proper segment

• Filter Exception

• Profile Exception


• Traffic Management Filter set to Trust

Page 252: TippingPoint Advanced Slides - V3c

Resources: TMC and ThreatLinQ

• TMC

– Make sure you are signed up to receive email updates

– Great source for up to date information on TippingPoint products, release notes, white papers, best practices guides, etc

– Knowledge Base

– Product Releases

• ThreatLinQ

– Helps with Policy decisions and dealing with timely/imminent threats

– Blog Articles on current threats and how to deal with them

– Top Attacks, Movers and Shakers

– Highest rated policy filters

– Note: Consider configuring your SMS to share info with ThreatLinQ (opt-in via Edit > Preference > Security)

Page 253: TippingPoint Advanced Slides - V3c

Resources: TippingPoint User Group

• List Server is hosted by University of North Carolina

– Self help group, NOT run by TippingPoint

– TippingPoint employees monitor the group along with many customers

• How to join

– TippingPoint Users Group - http://mail.unc.edu/lists/

– List Name is "tippingpoint"

– Register and receive access by administrator

Page 254: TippingPoint Advanced Slides - V3c

Resources: TippingPoint Support

• Phone Support

– North America: +1 866 681 8324

– International: +1 512 681 8324

– Note: For certain regions there are direct numbers (see website)

• Email address: [email protected]

• Things to Provide


– Company name

– Information to have handy

• show version – model, TOS, DV and Certificate Number

• show log system (especially showing WARN, ERROR and CRIT)

• show log audit

– For performance issues

• Packet Traces (for AFC filters)

• show tier-stats

• show rule-stats

Page 255: TippingPoint Advanced Slides - V3c

THANK YOU!

http://www.tippingpoint.com/training