Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Network Security Monitoring, P-Series Sensors, Sguil Server

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 43

Chapter 6 Network Security Monitoring

Chapter 6 Network Security Monitoring

A key aspect of network security deployment is the ability to monitor the network for security events, analyze them, and perform counter measures. To that end, the P-Series supports Sguil, an open source network security monitoring and reporting system that provides the ability to:

•collect, monitor, and correlate security events/alerts in the network

•analyze security events based on context

•categorize and escalate events for intrusion response decisions

The Sguil solution consists of the following components (Figure 27):

•Sensors—Sensors are the systems actually monitoring network traffic and collecting data. Sensors perform packet captures of network traffic in addition to running Snort in alert mode.

•Database—The database holds the alert and session data that the sensors collect.

•Client—The client is the interface to the Sguil server.

•Server—The Sguil server maintains connections to the sensors, clients, and database.

Figure 27 Sguil Architecture

P-Series Sensors						Sguil Server
		Security Alert Information						Sguil Client

fn90025mp

P-Series Installation and Operation Guide, version 2.3.1.2

43

Image 43

Force10 Networks 100-00055-01 manual Network Security Monitoring, P-Series Sensors, Sguil Server, Sguil Client

Contents

Version P-Series Installation and Operation GuideMay 27 USA Federal Communications Commission FCC Statement Copyright 2008 Force10 NetworksTrademarks Statement of ConditionsPreface ContentsContents InstallationWeb-based Management Command Line InterfaceGraphical User Interface ChapterWriting Rules Command Line ReferenceBasic Unix Commands Compiling RulesTechnical Support Appendix EGlossary Appendix FAudience PrefaceAbout this Guide ObjectivesP-Series Release Notes Information SymbolsRelated Documents Additional ResourcesChapter InstallationPhysical Connections System SpecificationsPB-10GE-2P Step Task Upgrading Software BootingConfiguration Security Checkscp username@serverabsolutepath mkdir ~/upgradedirectoryfilename ~/upgradedirectory cd upgradedirectorygmake install Commandcd upgradedirectory/pnic-compiler cd upgradedirectory/firmwareTo begin inspecting and filtering traffic you must Returning to the Default ConfigurationGetting Started ChapterGetting Started Hardware Architecture Overview IntroductionChapter Sample Rules and Firmware Types of RulesDeploying the P-Series Rule ManagementFirewall Deployment” on page Optical Bypass 10-Gigabit Inline DeploymentFail-safe Deployment 10-Gigabit10-Gigabit Highly-available DeploymentPassive Deployment P1P0P-Series P10 Capturing Matched TrafficNetwork Switch with SPAN port Network Tap 10-Gigabit 10-GigabitCapturing to a Host CPU Traffic to Monitor Mirroring to Another DevicePB-10GE-2P M1 P1 P0 M0Chapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and FirmwareTo manage firmware, see “Selecting Firmware with the GUI” on page Editing Dynamic Rules with the GUIdirectory see “Editing Dynamic Rules with the GUI” on page GUI” on pageTo modify dynamic rules Managing Capture/Forward Policies with the GUITo change capture/forward policies fn9000013 Selecting Firmware with the GUIfn9000014 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface Launching the P-Series Node Manager Chapter 5 Web-based ManagementTo launch the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerManaging Firmware Images on page Managing the P-Series using Node ManagerWeb-browser Security Certificates Monitoring System Performance on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelSguil Client Chapter 6 Network Security MonitoringP-Series Sensors Sguil ServerHardware and Software Requirements Installing the Sguil SystemInstalling the Sguil Sensor Installing the Sguil ServerUninstalling the Sguil Server Installing the Sguil ClientWireshark # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesRunning the Sguil Sensor Running the Sguil SystemWriting New Rules Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpEditing Dynamic Rules with the CLI Chapter 7 Command Line InterfaceCLI Commands CLI commands are given in Command Line Reference on pageTo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Compiling Rules Compiling RulesCreating Rules Files Rules Capacity3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Options Target DeviceMatch non-IP Traffic pagesee Figure 37 on page Segmentation Evasion Rulessee Figure 36 on page Maximum StringEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationwhich the .bit files in /usr/local/pnic/0 are Configuration and Generated Filesto which the .mapping files in /usr/local/pnic Firmware Filenames Compiler ErrorsAction Writing RulesSnort Rule Syntax Snort Rule HeadersSource Addresses ProtocolDirection Operator PortsDestination Address and Port P-Series Rule SyntaxP-Series Supported Snort Keywords Snort Rule Optionsprotocol KeywordStatic DynamicStateful Matching Writing Stateful Rulesthen cpi Equation∧ si = si ⎬In Table Stateful Rule ExamplesHandling Segmentation Evasion Support for Snorts flow KeywordThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall FirewallChapter Figure 39 Enabling and Disabling Drop Mode Enabling the FirewallDrop mode Disabled Drop mode Enabled Verify Drop mode is EnabledWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic default-drop-disable on page pnic default-drop-enable on page Appendix A Command Line Referencepnic aggregate-mode-disable on page pnic aggregate-mode-enable on page pnic apply-firmware on pagepnic vlan-remove-enable on page pnic web-gui-start on page pnic aggregate-mode-disablepnic temp-mem-disable on page pnic temp-mem-enable on page pnic updatemacvalue on page pnic vlan-remove-disable on pagepnic apply-firmware pnic aggregate-mode-enableDisplay the available firmware Parameters Command History ExampleCommands pnic show-firmwaresSyntax Parameters Command History Example pnic capture-offpnic capture-on Enable the capturing of packets via direct memory accessCommands pnic cardstatusCommands Syntax Parameters Command History Examplepnic compilerules pnic default-drop-disableParameters Command History Example pnic default-drop-enableTemporary memory is disabled while the firewall is enabled pnic diagUsage Information Parameters Command History ExampleVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-enable pnic flow-teardown-disablevalue for an IP address pairs pnic getmachashindexpnic updatemacvalue pnic guiEnable MAC rewriting Disable MAC rewritingP-Series Installation and Operation Guide, version pnic gui Command ExampleExample output omitted pnic helpSyntax Command History Example pnic helpCommands pnic linkdownpnic linkup Syntax Parameters Command History ExampleSyntax Parameters Command History pnic loadconfParameters Command History Example CommandsCorresponding Parameter Addresspnic loadparams number pnic loadepromspnic loadparams deprecated pnic loadeproms numberCorresponding Parameter AddressCommand History Example Usage Information pnic loadrulesSyntax Parameters pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedpnic on deprecated pnic on deprecatedUsage Information Related Commands Syntax Parameters Command History Examplepnic params pnic passive-mode-disableCommands pnic passive-mode-enablepnic passive-mode-enable CommandStop capturing and matching pnic resetconfpnic restart Syntax Parameters Command History ExampleSyntax Command History Example pnic sguil-sensor-startDisable the network interface Enable the network interfacepnic sguil-sensor-start -f Stop the Sguil sensor using the command pnic sguil-sensor-stopSyntax Parameters Command History Example Commandspnic sguil-sensor-start Start the Sguil sensor pnic sguil-sensor-stopSyntax Parameters Command History Example CommandsCommands pnic showconfpnic show-firmwares Syntax Parameters Command History ExampleSyntax Parameters Command History pnic showtechCommand History Example CommandsDisable the network interface using the command pnic stop pnic startLoad the capture/block configuration Load the runtime parameters Enable the network interfaceSyntax Parameters Command History Example pnic stopEnable the network interface Commandspnic temp-mem-enable pnic temp-mem-disableEnable MAC rewriting pnic updatemacvalueUse this command with the MAC rewrite feature pnic temp-mem-disablepnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-enable pnic vlan-remove-disableDisplay the driver version pnic versionpnic web-gui-start Disable the web server using the command pnic web-gui-stopCommand Enable the web server using the command pnic web-gui-startpnic web-gui-stop CommandsRelated Commandspnic web-gui-start ExampleAppendix A dsize number number Appendix BSnort Keywords ack numberKeyword Rule Syntax uricontent ! “datastring”Keyword DescriptionAppendix B meta Rules Appendix C Meta and Evasion RulesEvasion Rules Appendix C Description Appendix D Basic Unix CommandsUnix Commands Command? text vi CommandsCommand DescriptionGlossary Appendix EStatic Rules SnortSPAN Port StateManual Pages Accessing iSupport ServicesAppendix F Technical SupportLocating P-Series Serial Numbers Contacting the Technical Assistance CenterSerial Number see Locating P-Series Serial Numbers on page To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support