Network Security Monitoring | Force10 Networks 100-00055-01 specs

Chapter 6 Network Security Monitoring

A key aspect of network security deployment is the ability to monitor the network for security events, analyze them, and perform counter measures. To that end, the P-Series supports Sguil, an open source network security monitoring and reporting system that provides the ability to:

•collect, monitor, and correlate security events/alerts in the network

•analyze security events based on context

•categorize and escalate events for intrusion response decisions

The Sguil solution consists of the following components (Figure 27):

•Sensors—Sensors are the systems actually monitoring network traffic and collecting data. Sensors perform packet captures of network traffic in addition to running Snort in alert mode.

•Database—The database holds the alert and session data that the sensors collect.

•Client—The client is the interface to the Sguil server.

•Server—The Sguil server maintains connections to the sensors, clients, and database.

Figure 27 Sguil Architecture

P-Series Sensors						Sguil Server
		Security Alert Information						Sguil Client

fn90025mp

P-Series Installation and Operation Guide, version 2.3.1.2

43

Image 43

Force10 Networks 100-00055-01 manual Network Security Monitoring

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Convention Description Keyword ObjectivesAudience Conventions Additional Resources Information SymbolsSymbol Warning Description Related Documents This LED is not used This LED is blue when the hard disk is accessedThis LED is green when the power is on Label Description Physical Connections System SpecificationsPB-10GE-2P Step Task Security Check BootingConfiguration Once the appliance is booted Cd SW Gmake installCp -Rf /usr/local/pnic/ /home Tar xvzf PTPS-PMAIN Located in the directory pnic-compiler Cd upgradedirectory/pnic-compilerInstall pre-compiled firmware if needed Re-compile all rules firmware with the new compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Introduction Types of RulesSample Rules and Firmware Rx1 Tx1 Mirror Rule Set Description Rule ManagementDeploying the P-Series Sample Rules Files Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui GUI Commands GUI CommandsCommand Description Rule Management GUI Managing Rules, Policies, and Firmware Permit Deny Editing Dynamic Rules with the GUIOption Description Policy Capture To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI To select firmware Runtime StatisticsSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Runtime Statistics Description Reloading FirmwareStatistic Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Web-browser Security Certificates Managing the P-Series using Node ManagerSeries Node Manager has four major management capabilities Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Wish Installing the Sguil ClientTo uninstall the server Source the server configuration file. The default Server Installation FilesSguil Files and Directories File Location Sensor Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Change directories to /usr/local/pnic/0 CLI CommandsEditing Dynamic Rules with the CLI MAC Rewriting Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface To complile rules Creating Rules FilesRules Capacity Compiling Rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration Configuration and Generated Files Configuration and Generated FilesFile Description Location Firmware Filename Description Compiler ErrorsFirmware Filenames Describes each of the elements in this format Snort Rule Headers Snort Rule SyntaxSnort Rule Syntax Protocol Ports Keyword Static Dynamic Series Rule SyntaxSeries Supported Snort Keywords Snort Rule Options Yes Only /8/16/24/32 masks Seq YesYes Yes, no ranges Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable number Pnic aggregate-mode-disableAppendix a Pnic apply-firmware Pnic aggregate-mode-enablePnic aggregate-mode-enable number Different ports. This is the default behavior Display the available firmware Pnic apply-firmware Command Example Syntax pnic capture-on Pnic capture-offPnic capture-on Pnic capture-off Display the driver version Display the configuration parameters of the systemPnic cardstatus Pnic cardstatus number Pnic compilerules number Pnic default-drop-disablePnic default-drop-disable number Pnic compilerules Pnic diag Pnic default-drop-enableEnable firewall functionality Run diagnostic tests on the card Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-enable Pnic flow-teardown-disable Pnic getmachashindex Example pnic flow-teardown-enable Command ExamplePnic getmachashindex number Launch the graphical user interface Pnic guiSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadeproms number Pnic loadepromsPnic loadparams deprecated Load the PCI-X and front-end EEPROMs Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Pnic macrewrite-off Disable MAC rewriting. This is the default behaviorEnable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting using the command pnic macrewrite-off Syntax pnic off Pnic off deprecated100 Appendix a Pnic on Example pnic off Command ExampleEnable the capturing of packets via direct memory access Pnic on deprecated Pnic params number Pnic passive-mode-disableSyntax pnic passive-mode-disable number Pnic params Configure the ports to only receive traffic Pnic passive-mode-enableConfigure the ports to only receive traffic Example pnic passive-mode-disable Command Example Stop capturing and matching Pnic resetconfPnic resetconf number Pnic restart Pnic restart Series Installation and Operation Guide, version 105Pnic sguil-sensor-start Start the Sguil sensor Pnic sguil-sensor-start -f Pnic sguil-sensor-stop -f Series Installation and Operation Guide, version 107Pnic sguil-sensor-stop Stop the Sguil sensor List the available firmware images Display configuration parameters of the cardPnic showconf Pnic show-firmwares Pnic showtech number filename.dat Series Installation and Operation Guide, version 109Pnic showtech Apply a specific firmware to the card Pnic start number Disable the network interface using the command pnic stopExample pnic showtech Command Example Pnic start Pnic stop Turn off capture and disable the network interfaceEnable the network interface using the command pnic start Disable the network interface Enable temporary memory. This is the default behavior Pnic temp-mem-disablePnic temp-mem-enable Disable temporary memory Specifies an LSB value for a particular hash index Pnic updatemacvalueDisable temporary memory Pnic updatemacvalue number Vlan Tag Remove feature is disabled by default Pnic vlan-remove-disablePnic vlan-remove-enable Disable the Vlan Tag Remove feature Display the driver version Disable the web server using the command pnic web-gui-stopPnic version Pnic web-gui-start Pnic web-gui-stop -f Pnic web-gui-stopStop the web server Stop the web server Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Flags!*+ FSRPAU120 Description of P-Series Snort KeywordsKeyword Description Rule Syntax Ack Checks for a specific TCP acknowledgment number Ipproto ! name number Flow establishedstatelessIcmp idnumber Icmp seq number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Meta Rules Meta Rules for Channel 0 and ChannelEvasion Rules 124 Appendix C Pwd Unix CommandsLogout Passwd Number Vi Commands? text Set number no Collection Dynamic RulesFlow Garbage Static Rules SnortSpan Port State ISupport Website Accessing iSupport ServicesSeries Installation and Operation Guide, version 129 Manual Pages Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support