Force10 Networks 100-00055-01 user manual
- View online or download the manual
- 132 pages
- 2.68 MB
A good user manual
The rules oblige the retailer to supply the buyer, together with the goods, with the Force10 Networks 100-00055-01 user manual. The absence of the user manual, or incorrect information given to the consumer, is grounds for a complaint if the device does not conform to the contract. By law, the user manual may be included in a form other than paper, which has often been done recently, including a graphic or electronic form of the Force10 Networks 100-00055-01 manual or instructional videos for users. The condition is that it be legible and understandable.
What is a user manual?
The word derives from the Latin "instructio", meaning to arrange. Thus, the Force10 Networks 100-00055-01 user manual describes the steps of a procedure. The purpose of the user manual is to instruct, and to make it easier to start up and use the equipment or to carry out certain actions. The manual is a collection of information about the object/service, a guide.
Unfortunately, few users take the time to read the user manual, and a good manual not only makes it possible to learn about a number of additional features of the purchased device, but also to avoid the majority of failures.
So what should the perfect manual contain?
First of all, the Force10 Networks 100-00055-01 user manual should contain:
- information on the technical data of the Force10 Networks 100-00055-01 device
- the name of the manufacturer and the year of manufacture of the Force10 Networks 100-00055-01
- instructions for the use, adjustment and maintenance of the Force10 Networks 100-00055-01 equipment
- safety signs and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
Generally this is due to a lack of time and to uncertainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the Force10 Networks 100-00055-01 is not enough. This manual contains a series of guidelines on specific functionality, safety, maintenance methods (including the means that should be used), possible defects of the Force10 Networks 100-00055-01 and ways to solve the most common problems during use. Finally, the manual contains the contact details of Force10 Networks service in case the proposed solutions are ineffective. Currently, user manuals in the form of interesting animations and instructional videos, which are better than the brochure, attract considerable interest. This type of manual allows the user to watch the whole instructional video without skipping the specific and complicated technical descriptions of the Force10 Networks 100-00055-01, as happens with the paper version.
Why read the user manual?
First of all, it contains the answers about the structure and capabilities of the Force10 Networks 100-00055-01 device, the use of various accessories and a series of information for making full use of all its features and services.
After successfully purchasing the equipment/device, take a moment to familiarize yourself with all parts of the Force10 Networks 100-00055-01 user manual. Currently, manuals are carefully prepared and translated so as to be understandable not only to users, but also to fulfil their basic function of information and help.
Table of contents of the user manual
- Page 1: P-Series Installation and Operation Guide, Version 2.3.1.2, May 27, 2008, PN: 100-00055-01[...]
- Page 2: Copyright 2008 Force10 Networks®. All rights reserved. Printed in the USA. January 2008. Force10 Networks® reserves the right to change, modify, revise this publication without notice. Trademarks: Force10 Networks® and E-Series® are registered trademarks of Force10 Networks, Inc. Force10, the Force10 logo, and P-Series are trademarks of[...]
- Page 3: P-Series Installation and Operation Guide, version 2.3.1.2. Contents ... 3; Preface; About this Guide ...[...]
- Page 4 (Contents): Mirroring to Another Device ... 24; Chapter 4 Graphical User Interface ... 25; GUI Commands ...[...]
- Page 5 (Contents): Chapter 8 Compiling Rules ... 55; Creating Rules Files ...[...]
- Page 6 (Contents): Unix Commands ... 125; vi Commands ... 126; Appendix E Glossary ...[...]
- Page 7: Objectives. This document provides installation and operation instructions for the P-Series P10 appliance. Audience. This guide is intended to be used by network engineers. The P10 is a Unix-based product that runs rule management software based on Linux and FreeBSD. As such, understan[...]
- Page 8 (About this Guide): Information Symbols. Related Documents. Additional P-Series documentation is available on the software CD that came with the appliance and in the documentation section of the Force10 website, www.force10networks.com. • P-Series Release Notes. Additional Resources • Cox, Kerry and Gerg, Christopher. 2004. Managing Security [...]
- Page 9: Figure 1 P-Series P10 Appliance (Front View), with callouts: IDENTIFY, LAN 2, LAN 1, VGA, SERIAL, USB x2, KEYBOARD, MOUSE, POWER, RJ-45 SERIAL, E0 & E1 IP ADDRESS, MANAGEMENT PORTS, LEDs, POWER, DISPLAY (E0) (E1), MIRROR PORT 1 (P1), PORT 0 (P0), PORT 0 (M0), MIRROR PORT 1 (M1), HARD DISK. Figure 2 P-Series[...]
- Page 10 (Installation): System Specifications. The specifications in Table 1 apply to the P-Series P10 appliance, Force10 catalog number PB-10GE-2P. Physical Connections. (Power Button) This button turns the appliance on and off. Press and hold the button to turn off the appliance. (Laser Warning) This label in the bottom right corner of the applianc[...]
- Page 11: Step / Task. 1 Review the system specifications and ensure that your operating and storage conditions meet the stated requirements. 2 Connect the power cable, a keyboard, and a monitor to the appliance. 3 Connect the LAN 1 port on the appliance to the local area network where DHC[...]
- Page 12 (Installation): Booting. During booting you can select the OS of your choice. The management ports are configured for DHCP and probe for an IP address, gateway, and name server. The IP address is displayed on the LCD screen. When the appliance is powered up, all packets are forwarded between its ports by default until the firmware and device [...]
- Page 13: Warning: Stop all traffic from flowing through the appliance, and disconnect all cables from the XFPs before proceeding. Step / Task / Command. 1 Save earlier configuration files and firmware by copying the directory /usr/local/pnic to the home directory. cp -Rf /usr/local/pnic/ /h[...]
- Page 14 (Installation): 13 Re-compile all rules firmware with the new compiler located in the directory pnic-compiler. cd upgrade_directory/pnic-compiler; gmake. 14 Install pre-compiled firmware if needed. cd upgrade_directory/firmware; gmake install. Step / Task / Command[...]
- Page 15: To begin inspecting and filtering traffic you must: 1. Select firmware and dynamic rules. 2. Set capture/forward policies. 3. Check for proper operation by generating traffic across the appliance. Step / Task. 1 As root, enter the command pnic gui from the Unix command line to invoke a [...]
- Page 16 (Getting Started): [...]
- Page 17: The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dynamic Parallel Inspection (DPI) technology. It uses a Multiple Instruction Single Data (MISD) massively parallel processor that executes thousands of security policies or traffic capture ope[...]
- Page 18 (Introduction): Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports. Figure 3 (diagram blocks: Forwarding Engine, Detection Engine, Packet Data, PCI-X Module, Device Access, Config Commands, State Table, Rx1/Tx1, Rx0/Tx0, Mirror 1, Mirror 0, Match Result) Logic Diagram of Traffic Flow in the P10 DPI T[...]
- Page 19: Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax into a form suitable for uploading to the FPGA. Two sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware man[...]
- Page 20 (Introduction): Inline Deployment. Use the P-Series for inline traffic inspection in IPS or firewall applications at 10-Gigabit line rate (Figure 4). • For IPS deployment, no special configuration is needed; the P-Series is in inline IPS mode by default. • For a firewall deployment, enable drop mode (see Command Line Reference on page 79)[...]
- Page 21: Highly-available Deployment. Use optical bypass switches with the P-Series for a highly-available, redundant deployment, as shown in Figure 6. Both appliances have the same configuration so that in the event of a power failure on one device, the other continues to operate, and th[...]
- Page 22 (Introduction): Figure 8 Passive Deployment with Aggregation using a Network Tap (labels: Network Tap, P-Series P10, P0, 10-Gigabit). Figure 9 Passive Deployment with Aggregation using a SPAN port (labels: Network Switch with SPAN port, P-Series P10, P0, Port to Monitor, 10-Gigabit, SPAN Port). Capturing Matched Traffic. P-Series supports capt[...]
- Page 23: Capturing to a Host CPU. Captured traffic can be sent to a host CPU through a libpcap library interface, where it can be made available to applications for analysis. A typical implementation provides IDS/Snort acceleration because of the hardware assist. Figure 10 Capturing Matched T[...]
- Page 24 (Introduction): Mirroring to Another Device. Mirror captured traffic out of the 1-Gigabit mirroring ports to use the P-Series as an IDS accelerator or as part of an integrated security monitoring solution. Figure 12 (labels: HW, M1, P1, P0, M0, 1-Gigabit/IDS, Security Monitoring Application, Matched Traffic, Traffic to Monitor, PB-10GE-2P) Creating an IDS [...]
- Page 25: The GUI can be used to: • Start and stop the DPI • Load firmware • Compile and load dynamic rules • Manage the runtime parameters • Manage the capture/forward policies for rules. Note: Using the GUI requires the super user privilege. To invoke the GUI: Runtime statistics are [...]
- Page 26 (Graphical User Interface): GUI Commands. From the Runtime Statistics display, you can enter commands to control the DPI (see Table 3, or enter the h command from the GUI command line). Figure 13: N/A/1 FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=5ms CPU(s): 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle Runt[...]
- Page 27: Managing Rules, Policies, and Firmware. Enter the m command from the GUI command line (see “GUI Commands” on page 26) to invoke a menu that enables you to manage dynamic rules, capture/forward policies, and firmware. Three options are available; they are shown in Figure 14 and desc[...]
- Page 28 (Graphical User Interface): Table 5 describes the four possible combinations of capture/forward policies. Editing Dynamic Rules with the GUI. Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory. The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file. Table 4 Managin[...]
- Page 29: To modify dynamic rules: Figure 15 Editing Dynamic Rules in vi (pnic). Managing Capture/Forward Policies with the GUI. Upon compiling static and dynamic rules, default capture/forward policies are assigned to each rule. To change capture/forward policies: Step / Task. 1 Enter th[...]
- Page 30 (Graphical User Interface): Figure 16 Managing Capture/Forward Policies GUI. Figure 17 Capture/Forward Policies GUI. Selecting Firmware with the GUI. Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax into a form suitable for uploading to the FPGA.[...]
- Page 31: To select firmware: Figure 18 Manage Firmware GUI. Runtime Statistics. Runtime statistics are displayed when firmware is uploaded and traffic is flowing across the appliance. The GUI presents two views of traffic statistics. The default view shows the total statistics for [...]
- Page 32 (Graphical User Interface): The remaining lines report the cumulative number of events and the rate of those events. A description of each line is given in Table 6. Figure 19: CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Pack[...]
- Page 33: Reloading Firmware. During firmware reloading, all packets flow regardless of capture/forward policies, as the policies cannot be enforced during system initialization. This "open" state during the configuration state transition ensures that there is no interruption of service [...]
- Page 34 (Graphical User Interface): [...]
- Page 35: You can manage and monitor the P-Series on the web using the Force10 Networks P-Series Node Manager. Launching the P-Series Node Manager. Note: The Web-based GUI is best viewed with a minimum screen resolution of 1280x800. You must also have the Java Run Time Environment (JRE) install[...]
- Page 36 (Web-based Management): Figure 21 Launching the P-Series Node Manager. Note: Stop the secure HTTP service using the command pnic web-gui-stop (see Appendix A, on page 79).[...]
- Page 37: Web-browser Security Certificates. The P-Series Node Manager client and the server communicate via HTTPS. All transactions are encrypted, and thus protected, by the SSL protocol. The SSL certificate is a self-signed certificate that is not signed by a trusted Certificate Authority (CA[...]
- Page 38 (Web-based Management): Monitoring System Performance. Monitor system performance from the Home panel (Figure 23). The Home panel is displayed after logging into Node Manager. It displays basic system information, card, interface, and resource information, as well as CPU and memory usage over time. Figure 23 P-Series Node Manager: Home Pane[...]
- Page 39: Managing Firmware Images. Manage the software image from the Image Management panel (Figure 24). The Image Management panel provides options for compiling and deleting an image. It displays a list of available images along with the currently applied image and its details. Figure 24 P-S[...]
- Page 40 (Web-based Management): Figure 25 P-Series Node Manager: Card Management Panel[...]
- Page 41: Managing Policies. Manage policies from the Policy Management panel (Figure 26). The Policy Management panel provides you with a list of the static and dynamic rules available for the currently running image. It also has the provision for adding, modifying, and deleting dyn[...]
- Page 42 (Web-based Management): Figure 26 P-Series Node Manager: Policy Management Panel[...]
- Page 43: A key aspect of network security deployment is the ability to monitor the network for security events, analyze them, and perform countermeasures. To that end, the P-Series supports Sguil, an open source network security monitoring and reporting system that provides the ability to: [...]
- Page 44 (Network Security Monitoring): Installing the Sguil System. To employ Sguil you must: 1. Install the sensor. See page 44. 2. Install the server. See page 44. 3. Install the client. See page 45. Note: You can download the server and client Sguil components directly from the Sguil website at http://sguil.sourceforge.net/index.html. The[...]
- Page 45: Uninstalling the Sguil Server. To uninstall the server: Installing the Sguil Client. You must have the following software installed on your PC before installing the Sguil client: • ActiveTcl; Force10 recommends ActiveTcl 8.4.14, which includes Wish • WinZip • Wiresh[...]
- Page 46 (Network Security Monitoring): Installation Files. Table 7 lists the files and directories created during installation that are relevant to running the Sguil system. 3 Configure the following parameters in the file sguil.conf: • Enable (1) or disable (0) the debug option • Set the browser path. • Set the Wireshark application p[...]
- Page 47: Running the Sguil System. Running the Sguil Sensor. Start the Sguil sensor using the command pnic sguil-sensor-start. Specify the IP address of the Sguil server, and confirm the action, as shown in Figure 29. Figure 29: root@# pnic sguil-sensor-start Enter the IP address of the Sguil-Se[...]
- Page 48 (Network Security Monitoring): • The rule file you are using should be mentioned in the snort.conf file. A sample rule file under the rules directory is already added and commented in snort.conf. • Log files are stored in the installation sub-directory .../nsm/sguil/logs. • When adding new rules to the file sample.rules, uncomment the line, [...]
- Page 49: Running the Sguil Client. To run the Sguil Client: Figure 31 Running the Sguil Client. Step / Task. 1 Open sguil.tk using the Wish application. A window appears, as shown in Figure 31. 2 Specify the IP address of the Sguil server, and your username and password. 3 Select the sensors [...]
- Page 50 (Network Security Monitoring): Figure 32 Selecting the Sensor to Monitor. When the Sguil client starts and the client is properly connected to the Sguil server, the window in Figure 33 appears. Figure 33 Accepting Events from the Sensor[...]
- Page 51: The command line interface (CLI) is an alternative to the GUI for managing the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script using the command syntax pnic command; the OS environment variables are set such that thi[...]
- Page 52 (Command Line Interface): This feature can be enabled per channel. When MAC rewrite is enabled, the P10 appliance classifies the incoming traffic into one of 256 hash buckets to determine the value to be written to the LSB of the destination MAC address. A hash function based on the source and destination IP addresses is used to calculate an 8-bi[...]
- Page 53: Removing VLAN Tags. The P-Series can strip the VLAN tag from incoming packets before they exit the egress port. Enable the feature using the command pnic vlan-remove-enable. The frame CRC is recalculated when this feature is enabled. If an incoming packet is untagged, it is not change[...]
- Page 54 (Command Line Interface): [...]
- Page 55: The P-Series Network Interface Card Compiler (pnic-Compiler) produces user-defined firmware for the appliances. The user-defined input is a set of signature-based rules in Snort syntax, and compilation directives. The output of the compiler is a Xilinx bit file and ASCII mapping files[...]
- Page 56 (Compiling Rules): Table 8 Compiler Configuration Options (Compilation Option / Description). 1 Target Device: Choose the model of your appliance. • The P10 requires type PB-10G-2P (see Figure 35 on page 58). 2 Match non-IP Traffic: Answering Yes to this option matches packets that are not IPv4. This option should be set to No if only IP t[...]
- Page 57: 7 Segmentation Evasion Rules: The pnic-Compiler prepends a set of fixed rules—called evasion.rules—located in the pnic-compiler/rules directory. The rules help detect attacks which are using strategic TCP segmentation to avoid detection. It is best to include this file if Sno[...]
- Page 58 (Compiling Rules): Figure 35 pnic-Compiler Options 1-6: root@# gmake Makefile:2: mtp_configuration: No such file or directory bin/getparams2.sh Please choose the target device 1) PB-10G-2P #? 1 Do you want to support matching of non IPv4 and non IPv6 packets (like ARP/IPX etc)? 1) Yes 2) No #? 2 Ethernet types allowed Do you want to match packets [...]
- Page 59: Figure 36 Channel 1 Dynamic rules: Please choose how many dynamic rules (5-20 recommended) Dynamic rules are rules that can be added without recompiling the firmware. They can be added at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1) 0 5) 20 9) 60 13) 100 [...]
- Page 60 (Compiling Rules): Figure 37 pnic-Compiler Options 8-9: Please choose the maximum number of bytes per signature (1024 recommended). Selecting a small number allows larger sets of signatures at the expense of more false positives. 1) 16 2) 32 3) 64 4) 96 5) 128 6) 256 7) 512 8) 1024 #? 8 Enter the firmware base-image name (press the Enter key t[...]
- Page 61: Configuration and Generated Files. Table 9 describes the files that are used or generated by the pnic-Compiler. Table 9 Configuration and Generated Files (File / Description / Location). pnic_*.bit: Generated after compiling static rules. They are then renamed and copied to /usr/loca[...]
- Page 62 (Compiling Rules): Firmware Filenames. The pnic-Compiler creates new firmware—in the /usr/local/pnic/firmware directory—consisting of four .bit files and eight .mapping files. The default firmware filenames follow a naming convention designed to identify three properties: • The appliance that can use it • The number of dynamic rules[...]
- Page 63: P-Series rule syntax is based on Snort. Both rule structures are described in this chapter. • Snort Rule Syntax on page 63 • P-Series Rule Syntax on page 66. Snort Rule Syntax. Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches tha[...]
- Page 64 (Writing Rules): • pass directs Snort to ignore the packet. • activate directs Snort to generate an alert and activate another specified rule. • dynamic directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log. Protocol. Snort supports four protocols: tcp, udp, icmp, or ip. The[...]
- Page 65: Ports. Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet. Port ranges can be specified using a colon as a range operator. It can [...]
- Page 66 (Writing Rules): Destination Address and Port. The destination address and port follow the direction operator. The syntax of these parameters is the same as for the source address and port. See “Source Addresses” on page 64, and “Ports” on page 65. Snort Rule Options. Options are made of a keyword and an argument. An argument is the pack[...]
- Page 67: (continuation of the rule-option table; two support columns per option) depth: No / No; dsize: Yes / No; flags: Yes / Yes, no wild card; flow: Yes / No; fragbits: Yes / No; fragoffset: Yes / No; icmp_id: Yes / Yes; icmp_seq: Yes / Yes; icode: Yes / Yes; id: Yes / Yes; ip_proto: Yes / Yes; itype: Yes / Yes; offset: No / No; nocase: Yes / No; protocol: ICMP, UDP, TCP, IP / ARP, ICMP, UDP, TC[...]
- Page 68 (Writing Rules): Writing Stateful Rules. Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across multiple matching events. State transitions in the P-Series follow a non-cyclic pattern; no state transition may erase any of the previous states. New state transitions are simply recorded via[...]
- Page 69: Pre-match Condition—the S Value. The value in register C_f is presented to all the signatures simultaneously during matching. C_f must have all the bits specified by s_i (in addition to matching m_i) in order for signature i to trigger. In other words, if the result of the lo[...]
- Page 70 (Writing Rules): When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow (contained in a portion of the flow register C_f) is also stored. Thus a packet stored in Match Memory may reference another packet stored in Temporary Memory, which in turn may reference more packets[...]
- Page 71: You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match Memory—thus alerting the host—if three consecutive packets are seen with size between 0 and 100. The third packet references the previous two stored in Temporary Memory [...]
- Page 72 (Writing Rules): The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected; the final state is reached if a packet of a l[...]
- Page 73: Anomalous TCP Flags. Some TCP packets with anomalous flags are captured by default to provide scan detection software with diagnosis information. Table 24 shows rules which were derived from the Snort scan pre-processor. The compiler also automatically produces rules that match all pa[...]
- Page 74 (Writing Rules): [...]
- Page 75: Deploying the P-Series as a Firewall. By default the P-Series is an IDS/IPS system; the P-Series forwards all traffic by default and blocks packets only if they match a rule. You can deploy the P-Series as a limited firewall by enabling Drop mode. In Drop mode, the P-Series blocks[...]
- Page 76 (Firewall): Enabling the Firewall. Enable Drop mode using the command pnic default-drop-enable. Disable Drop mode using the command pnic default-drop-disable. These commands are shown in Figure 39. Figure 39: [root@localhost ~]# pnic default-drop-disable No device number specified. Assuming device 0 *** Disabling Default-Packet-Drop on card:0 su[...]
- Page 77: Allowing Traffic through the Firewall. To allow packets through the firewall you must write rules so that the packets you want the appliance to forward match those rules. Rules can be as simple as allowing traffic destined to a port. Stateful rules can be used to allow all traffic[...]
- Page 78 (Firewall): Table 25 Sample Firewall Rules: #permit: let through and do not log to the host #alert: let through and log to the host #deny: DO NOT let through and do not log to the host #divert: DO NOT let through and log to the host # S:<precondition>; C:<postcondition> R:<logging> # A packet is matched if precondition matches[...]
- Page 79: The command line interface (CLI) is an alternative to the GUI for managing the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script using the commands in this chapter; the OS environment variables are set such that [...]
- Page 80 (Appendix A): • pnic showconf on page 108 • pnic show-firmwares on page 108 • pnic showtech on page 109 • pnic start on page 110 • pnic stop on page 111 • pnic temp-mem-disable on page 112 • pnic temp-mem-enable on page 112 • pnic updatemacvalue on page 113 • pnic vlan-remove-disable on page 114 • pnic vlan-remove-ena[...]
- Page 81: Related Commands. pnic aggregate-mode-enable: Receive both client-to-server and server-to-client traffic on one port. This is the default behavior. Syntax: pnic aggregate-mode-enable [number]. Disable aggregate mode using the command pnic aggregate-mode-disable. Parameters. Comman[...]
- Page 82 (Appendix A): Parameters. Command History. Example. Figure 42: [root@localhost SW]# pnic apply-firmware No card number specified. Assuming card 0 Do you really want to apply a new firmware for card0 (y/n)? y Please enter the path or name of the firmware to apply: /usr/local/pnic/firmware/null.xc4vlx200-ff1513.50.50.2048 Compiling dynamic rules for pni[...]
- Page 83: pnic capture-off: Disable the capturing of packets via direct memory access (DMA). Syntax: pnic capture-off. Parameters. Command History. Example. Figure 44: root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful[...]
- Page 84 (Appendix A): Example. Figure 45 pnic capture-on Command Example: root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic capture-on No card number specified. Assuming card 0 Capture ON set successful. [root@localhost SW]# Related Commands pnic [...]
- Page 85: pnic compilerules: Transform the dynamic Snort rules contained in /usr/local/pnic/0/rules.custom into binary code suitable for the DPI processor. Syntax: pnic compilerules [number]. Parameters. Command History. Example. Figure 47 pnic compilerules Command Example: [root@localhost SW]# pn[...]
Page 86
86 Appendix A Example Figure 48 [root@localhost SW]# pnic default-drop-disable No card number specified. Assuming card 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled. *** Flow teardown disabled. [root@localhost SW]# pnic default-drop-disable Command Example pnic default-drop-enable Enable firewall functionali[...]
Page 87
P-Series Installation and Operation Guide, version 2.3.1.2 87 Parameters Command History Example Figure 50 [root@localhost pnic]# pnic diag No card number specified. Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching. Do you want to proceed [n/y]? y *** Matching disabled. Test starting ... Waiting for matching to stop ... P[...]
Page 88
88 Appendix A pnic flow-teardown-disable Configure the appliance to reset the state of the flow only upon a timeout. This is the default behavior. Syntax pnic flow-teardown-disable Command History Example Figure 52 [root@localhost SW]# pnic flow-teardown-disable No card number specified. Assuming card 0 *** Disabling Flow-Teardown on card:0 suc[...]
Page 89
P-Series Installation and Operation Guide, version 2.3.1.2 89 Example Figure 53 [root@localhost SW]# pnic flow-teardown-enable No card number specified. Assuming card 0 *** Enabling Flow-Teardown on card:0 successful. [root@localhost SW]# pnic flow-teardown-enable Command Example Usage Information The flow teardown feature is coupled with the fir[...]
Page 90
90 Appendix A Related Commands pnic gui Launch the graphical user interface. Syntax pnic gui Command History pnic macrewrite-on Enable MAC rewriting. pnic macrewrite-off Disable MAC rewriting. pnic updatemacvalue Update the LSB value for a particular hash index value. Version 2.0.0.1 Introduced[...]
Page 91
P-Series Installation and Operation Guide, version 2.3.1.2 91 Example Figure 55 [root@localhost SW]# pnic gui CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=1ms HW Interfaces CH0 Top Rate/s CH[...]
Page 92
92 Appendix A pnic help Display a list of all available commands, their syntax, and descriptions. Syntax pnic help Command History Example Figure 56 [root@localhost SW]# pnic help No card number specified. Assuming card 0 Usage: pnic function_command <card_num> <channel_num> <force_options> pnic aggregate-mode-disable <0|...|[...]
Page 93
P-Series Installation and Operation Guide, version 2.3.1.2 93 pnic linkdown Disable the physical link. Syntax pnic linkdown [ number ] [ channel ] Enable a physical link using the command pnic linkup . Parameters Command History Example Figure 57 [root@localhost SW]# pnic linkdown No card number specified. Assuming card 0 No channel number specifi[...]
Page 94
94 Appendix A Parameters Command History Example Figure 58 [root@localhost SW]# pnic linkup No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Card 0, Channel 0 is up. [root@localhost SW]# pnic linkup Command Example Related Commands pnic loadconf Upload the runtime configuration parameters contained in the f[...]
Page 95
P-Series Installation and Operation Guide, version 2.3.1.2 95 Example Figure 59 [root@localhost ~]# pnic loadconf No card number specified. Assuming card 0 Loading configurations ... Read from configuration file and apply to PNIC card... Registers on master FPGA: (0x10)0000 (0x14)0010 (0x18)0000 Registers on PCI FPGA: (0x18)0100 (0x24)20788 (0x28)2[...]
Page 96
96 Appendix A pnic loadeproms Load the PCI-X and front-end EEPROMs. Syntax pnic loadeproms [ number ] Parameters Command History Usage Information Use this command to upgrade PCI-X and front-end EEPROMs to new revisions. Reboot the chassis after executing this command; only then does new firmware take effect. pnic loadparams (deprecated) Uploa[...]
Page 97
P-Series Installation and Operation Guide, version 2.3.1.2 97 Example Figure 60 [root@localhost ~]# pnic loadparams No card number specified. Assuming card 0 Loading configurations... Read from configuration file and apply to PNIC card... (0x10)0000 (0x14)0010 (0x18)0000 (0x18)0100 (0x24)20788 (0x28)20788 DMA Capture Status: off MAC Rewrite state: [...]
Page 98
98 Appendix A pnic loadrules Upload to the FPGA the dynamic rules for both channels encoded in the files /usr/local/pnic/0/pnic_{0|1}.bin . Syntax pnic loadrules [ channel ] Parameters Command History Example Figure 61 root@# pnic loadrules 0 dynamic rules loaded pnic loadrules Command Example Usage Information Capture/block policies previousl[...]
Page 99
P-Series Installation and Operation Guide, version 2.3.1.2 99 pnic macrewrite-off Disable MAC rewriting. This is the default behavior. Syntax pnic macrewrite-off [ number ] [ channel ] Enable MAC rewriting using the command pnic macrewrite-on . Parameters Command History Example Figure 62 [root@localhost SW]# pnic macrewrite-off No card number[...]
Page 100
100 Appendix A Parameters Default MAC rewrite is disabled by default. The default value for the LSB is the system-assigned hash index value. Command History Example Figure 63 [root@localhost SW]# pnic macrewrite-on No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:[...]
Page 101
P-Series Installation and Operation Guide, version 2.3.1.2 101 Example Figure 64 root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic off No card number specified. Assuming card 0 Capture OFF set successful. [root@localhost SW]# pnic off Com[...]
Page 102
102 Appendix A pnic params Display the card interface name, device ID, and contents of the register on the PCI-X and Master FPGAs. Syntax pnic params [ number ] Parameters Command History Example Figure 66 [root@localhost SW]# pnic params No card number specified. Assuming card 0 PNIC 8002 pnic0 0xffff810000700000 20006 ********************** Reg[...]
Page 103
P-Series Installation and Operation Guide, version 2.3.1.2 103 Command History Example Figure 67 pnic passive-mode-disable Command Example [root@localhost SW]# pnic passive-mode-disable No card number specified. Assuming card 0 Channel 0 and 1 are set to work in normal TX/RX mode. [root@localhost SW]# Related Commands pnic passive-mode-enable Con[...]
Page 104
104 Appendix A pnic resetconf Reset the system configuration back to the default settings, which are located in <installation_directory>/SW/misc/pnic.conf . Syntax pnic resetconf [ number ] Parameters Command History Example Figure 69 [root@localhost ~]# pnic resetconf No card number specified. Assuming card 0 Loading default configuration[...]
Page 105
P-Series Installation and Operation Guide, version 2.3.1.2 105 • Load the rule firmware • Load the capture/block configuration • Load the runtime parameters • Enable the network interface Syntax pnic restart Command History Example Figure 70 [root@localhost SW]# pnic restart No card number specified. Assuming card 0 Interface pnic0 i[...]
Page 106
106 Appendix A Syntax pnic sguil-sensor-start [ -f ] Stop the Sguil sensor using the command pnic sguil-sensor-stop . Parameters Command History Example Figure 71 [root@localhost pnic]# pnic sguil-sensor-start Enter the IP address of the Sguil-Server:10.11.194.183 Do you want to enable secure connection between sguil-sensor and sguil-server? 1) E[...]
Page 107
P-Series Installation and Operation Guide, version 2.3.1.2 107 pnic sguil-sensor-stop Stop the Sguil sensor. Syntax pnic sguil-sensor-stop [ -f ] Start the Sguil sensor using the command pnic sguil-sensor-start . Parameters Command History Example Figure 72 [root@localhost pnic]# pnic sguil-sensor-stop Do you really want to stop the Sguil-sensor[...]
Page 108
108 Appendix A pnic showconf Display configuration parameters of the card. Syntax pnic showconf [ number ] Parameters Command History Example Figure 74 [root@localhost ~]# pnic showconf No card number specified. Assuming card 0 DMA Capture : on MAC rewrite : CH0 - disabled; CH1 - disabled Default Drop packet : disabled Temporary memory : enabled [...]
Page 109
P-Series Installation and Operation Guide, version 2.3.1.2 109 Command History Example Figure 75 [root@localhost SW]# pnic show-firmwares No card number specified. Assuming card 0 List of available firmware images: null.xc4vlx200-ff1513.50.50.2048 snort_rules.bad.xc4vlx200-ff1513.20.20.2048 [root@localhost SW]# pnic show-firmwares Command Example R[...]
Page 110
110 Appendix A Example Figure 76 [root@localhost pnic]# pnic showtech | more No card number specified. Assuming card 0 ************************************************************ Display date ************************************************************ Tue Apr 29 11:21:07 PDT 2008 ************************************************************ Displa[...]
Page 111
P-Series Installation and Operation Guide, version 2.3.1.2 111 Example Figure 77 [root@localhost SW]# pnic start No card number specified. Assuming card 0 Interface pnic0 is down Loading pass/block settings ... Done. Loading dynamic rules ... Done. *************************************** Interface pnic0 is up MTU set to 9264 bytes *****************[...]
Page 112
112 Appendix A pnic temp-mem-disable Disable temporary memory. Syntax pnic temp-mem-disable [ number ] Enable temporary memory using the command pnic temp-mem-enable . Parameters Command History Example Figure 79 [root@localhost SW]# pnic temp-mem-disable No card number specified. Assuming card 0 *** Disabling temporary memory on card:0 success[...]
Page 113
P-Series Installation and Operation Guide, version 2.3.1.2 113 Example Figure 80 [root@localhost SW]# pnic temp-mem-enable No card number specified. Assuming card 0 *** Enabling temporary memory on card:0 successful. [root@localhost SW]# pnic temp-mem-enable Command Example Related Commands pnic updatemacvalue Specifies an LSB value for a particul[...]
Page 114
114 Appendix A pnic vlan-remove-disable Disable the VLAN Tag Remove feature. Syntax pnic vlan-remove-disable Default The VLAN Tag Remove feature is disabled by default. Command History Usage Information This feature is enabled and disabled on both sensing ports. Example Figure 82 pnic vlan-remove-disable Command Example [root@localhost pnic]# p[...]
Page 115
P-Series Installation and Operation Guide, version 2.3.1.2 115 pnic version Display the driver version. Syntax pnic version Command History Example Figure 84 pnic version Command Example [root@localhost SW]# pnic version Force10 Networks PNIC Software Version: P_MAIN2.2.0.058 [root@localhost SW]# pnic web-gui-start Start the web server. Syntax [...]
Page 116
116 Appendix A Example Figure 85 pnic web-gui-start Command Example [root@localhost pnic]# pnic web-gui-start INFO: Generating SSL certificate for the web-gui application. Generating a 1024 bit RSA private key .........++++++ ......++++++ writing new private key to '/usr/local/pnic-mgmt-lib/sslcert/rootkey.pem' ----- You are about to be[...]
Page 117
P-Series Installation and Operation Guide, version 2.3.1.2 117 Example Figure 86 pnic web-gui-stop Command Example [root@localhost pnic]# pnic web-gui-stop Do you really want to stop the web-gui application (y/n)? y Web-gui application has been stopped! [root@localhost pnic]# Related Commands pnic web-gui-start Start the web server.[...]
Page 118
118 Appendix A[...]
Page 119
P-Series Installation and Operation Guide, version 2.3.1.2 119 Table 28 describes briefly the valid Snort keywords supported on the P-Series. For a more detailed explanation of these keywords, see the Snort website at http://www.snort.org/docs/snort_manual/node17.html. Appendix B Snort Keywords Table 28 Description of P-Series Snort K[...]
Page 120
120 Appendix B flow This keyword applies the rule to a specific traffic flow direction. The flow can be in one of two states: • established : Trigger only on established TCP connections. • stateless : Trigger regardless of the state of the stream processor. The direction parameter has the following options: • to_client : Trigger on serv[...]
Page 121
P-Series Installation and Operation Guide, version 2.3.1.2 121 ttl This keyword checks for the specified IP time-to-live value. ttl: [ number { > | < | = } | number - | { - | > | < | = }] number ; uricontent Searches the normalized request URI field for the specified content. data_string can contain mixed text and binary data. Binar[...]
Page 122
122 Appendix B[...]
Page 123
P-Series Installation and Operation Guide, version 2.3.1.2 123 The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Table 29 and Table 30. Appendix C Meta and Evasion Rules Table 29 meta Rules for Channel 0 and Channel 1 meta Rules alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; [...]
Page 124
124 Appendix C[...]
Page 125
P-Series Installation and Operation Guide, version 2.3.1.2 125 Unix Commands Appendix D Basic Unix Commands Table 31 Basic Unix Commands Command Description cd path Changes the current directory to the specified directory. The path specified can be an absolute path, or a relative path: • The absolute path begins with a forward slash, and s[...]
Page 126
126 Appendix D vi Commands vi has two modes: • Command Mode : In command mode, commands can be entered which allow you to jump to points in a file, search text, and exit the editor. • Insert Mode : Insert mode allows you to create or alter text in a file. Note: Commands are case sensitive. Table 32 Basic vi Commands Command Description vi f[...]
Page 127
P-Series Installation and Operation Guide, version 2.3.1.2 127 Appendix E Glossary ACK An Acknowledgment packet (ACK) is a packet that is sent from the client to the server to complete a TCP connection. See SYN . DHCP Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically requests an IP address, subnet mask, and defa[...]
Page 128
128 Snort Snort is an open source network intrusion detection and prevention system that uses rules created with a special syntax to examine and control specified traffic. SPAN Port Switched Port Analyzer (SPAN) Port is a switch port that receives a copy of specific traffic that passes through a switch. The SPAN port is also called a mirr[...]
Page 129
P-Series Installation and Operation Guide, version 2.3.1.2 129 Manual Pages Information on operating the appliance can be accessed through manual pages (man pages) with the command man command . The command man pnic displays the man pages on the command line interface; and man pnic displays them on the Ncurses interface. Man pages for the compile[...]
Page 130
130 Technical Support Contacting the Technical Assistance Center Locating P-Series Serial Numbers The P10 serial number is located on a sticker on the back of the unit in the top-right corner (see Figure 2), as well as on the left mounting bracket (see Figure 87). The serial number is below the bar code and has 8 characters. Figure 87 Locati[...]
Page 131
P-Series Installation and Operation Guide, version 2.3.1.2 131 Requesting a Hardware Replacement To request replacement hardware, follow these steps: Step Task 1 Determine the part number and serial number of the component. 2 Request a Return Materials Authorization (RMA) number from TAC by opening a support case. Open a support case by: ?[...]
Page 132
132 Technical Support[...]