Force10 Networks 100-00055-01 инструкция обслуживания

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

Идти на страницу of

Хорошее руководство по эксплуатации

Законодательство обязывает продавца передать покупателю, вместе с товаром, руководство по эксплуатации Force10 Networks 100-00055-01. Отсутствие инструкции либо неправильная информация, переданная потребителю, составляют основание для рекламации в связи с несоответствием устройства с договором. В законодательстве допускается предоставлении руководства в другой, чем бумажная форме, что, в последнее время, часто используется, предоставляя графическую или электронную форму инструкции Force10 Networks 100-00055-01 или обучающее видео для пользователей. Условием остается четкая и понятная форма.

Что такое руководство?

Слово происходит от латинского "instructio", тоесть привести в порядок. Следовательно в инструкции Force10 Networks 100-00055-01 можно найти описание этапов поведения. Цель инструкции заключается в облегчении запуска, использования оборудования либо выполнения определенной деятельности. Инструкция является набором информации о предмете/услуге, подсказкой.

К сожалению немного пользователей находит время для чтения инструкций Force10 Networks 100-00055-01, и хорошая инструкция позволяет не только узнать ряд дополнительных функций приобретенного устройства, но и позволяет избежать возникновения большинства поломок.

Из чего должно состоять идеальное руководство по эксплуатации?

Прежде всего в инструкции Force10 Networks 100-00055-01 должна находится:
- информация относительно технических данных устройства Force10 Networks 100-00055-01
- название производителя и год производства оборудования Force10 Networks 100-00055-01
- правила обслуживания, настройки и ухода за оборудованием Force10 Networks 100-00055-01
- знаки безопасности и сертификаты, подтверждающие соответствие стандартам

Почему мы не читаем инструкций?

Как правило из-за нехватки времени и уверенности в отдельных функциональностях приобретенных устройств. К сожалению само подсоединение и запуск Force10 Networks 100-00055-01 это слишком мало. Инструкция заключает ряд отдельных указаний, касающихся функциональности, принципов безопасности, способов ухода (даже то, какие средства стоит использовать), возможных поломок Force10 Networks 100-00055-01 и способов решения проблем, возникающих во время использования. И наконец то, в инструкции можно найти адресные данные сайта Force10 Networks, в случае отсутствия эффективности предлагаемых решений. Сейчас очень большой популярностью пользуются инструкции в форме интересных анимаций или видео материалов, которое лучше, чем брошюра воспринимаются пользователем. Такой вид инструкции позволяет пользователю просмотреть весь фильм, не пропуская спецификацию и сложные технические описания Force10 Networks 100-00055-01, как это часто бывает в случае бумажной версии.

Почему стоит читать инструкции?

Прежде всего здесь мы найдем ответы касательно конструкции, возможностей устройства Force10 Networks 100-00055-01, использования отдельных аксессуаров и ряд информации, позволяющей вполне использовать все функции и упрощения.

После удачной покупки оборудования/устройства стоит посвятить несколько минут для ознакомления с каждой частью инструкции Force10 Networks 100-00055-01. Сейчас их старательно готовят или переводят, чтобы они были не только понятными для пользователя, но и чтобы выполняли свою основную информационно-поддерживающую функцию.

Содержание руководства

  • Страница 1

    P-Series Installation and Operation Guide V ersion 2.3.1.2 May 27, 2008 PN: 100-00055-01[...]

  • Страница 2

    Copyright 2008 Force10 Networks ® All rights reserved. Printe d in the USA. January 2008. Force10 Networks® reserves the r ight to change, mo dify , revi se this publicati on without notice. T rademarks Force10 Networks® and E-Series® ar e registered trademarks of Force10 Networks, In c. Force10, the Force10 logo, and P-Series are trademarks of[...]

  • Страница 3

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 3 Content s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Preface About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Страница 4

    4 Contents Mirroring to Another Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Chapter 4 Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 GUI Commands . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Страница 5

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 5 Chapter 8 Compiling Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Creating Rules Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Страница 6

    6 Contents Unix Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 vi Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Appendix E Glossary . . . . . . . . . . . . . .[...]

  • Страница 7

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 7 Objectives This document provid es installation and opera tion instructions for the P-Series P10 appliance. Audience This guide is intended to be used by network engineers. The P10 is a Unix-based product th at runs rule management software based on Linux and FreeBSD. A s such, understan[...]

  • Страница 8

    8 About this Guide Information Symbols Related Document s Additional P-Series documentation is available on the software CD that came with the appliance and in the documentation section of the Force10 website , www .force10networks.com . • P-Series Release Notes Additional Resources • Cox, Kerry and Ger g, Christopher . 2004. Managing Security [...]

  • Страница 9

    P-Series Installation and Operation Guide, version 2.3.1.2 9 Figure 1 P-Series P10 Appliance (Front V iew) IDENTIFY LAN 2 LAN 1 VGA SERIAL USB x2 KEYBOARD MOUSE POWER RJ-45 SERIAL E0 & E1 IP ADDRESS MANAGEMENT PORTS LEDs POWER DISPLA Y (E0) (E1) MIRROR PORT 1 (P1) PO RT 0 (P0) PORT 0 (M0) MIRROR PORT 1 (M1) HARD DISK fn9000007 Figure 2 P-Series[...]

  • Страница 10

    10 Installation System S pecifications The specifications in Table 1 apply to the P-Series P10 a ppliance, Force10 catalog number PB-10GE-2P . Physical Connections (Power Butto n) This button turns the appliance o n and off. Press and hold the bu tton to tur n off the appliance. (Laser Warning) This label in the bottom right corn er of the applianc[...]

  • Страница 11

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 11 Ste p T a sk 1 Review the system specificat ions and ensure that your operating and storage conditions meet the state d requirement s. 2 Connect the power cable, a ke yboard, and a monito r to the appliance. 3 Connect the LAN 1 port on the appliance to the lo cal area network wher e DHC[...]

  • Страница 12

    12 Installation Booting During booting y ou can select the OS of your choice. The management ports are configured for DHCP and pr obe for an IP address, gateway , and na me server . The IP address is displayed on the LCD screen. When the appliance is powered up , all packets are forwarded betwee n its ports by default until the firmware and device [...]

  • Страница 13

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 13 W arning: S top all traf fic from flowing through the appliance, and discon nect all cables from the XFPs before proceeding. Step T ask Command 1 Save earlier configuratio n files and firmware by copying the dir ec to ry /usr/local/pnic to the home directory . cp -Rf /usr/local/pnic/ /h[...]

  • Страница 14

    14 Installation 13 Re-compile all rules firmware with the new comp iler located in the directory pnic-compiler. cd upgrade_directory /pnic-compiler gmake 14 Insta ll pre -compiled firmware if need ed. cd upgrade_directory /firmware gmake install Step T ask Command[...]

  • Страница 15

    P-Series Installation and Operation Guide, version 2.3.1.2 15 T o begin inspecting and fi ltering traf fic you must: 1. Select firmware and dynamic rules 2. Set capture/forward policies 3. Check for proper operation by generating traffic across the appliance. Ste p T ask 1 As root, enter the command pn ic gui from the Unix command line to invoke a [...]

  • Страница 16

    16 Getting Started[...]

  • Страница 17

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 17 The P-Series P10 Intrusion Detection and Pr evention System ( IDS/IPS ) appliance employs Dynamic Parallel Inspection ( DPI ) technology . It uses a Multiple Instructio n Single Data (MISD) massively parallel processor that executes thousan ds of security policies or traffic capture ope[...]

  • Страница 18

    18 Introduction Figure 3 illustrates how all matched packets are copied and transmitte d by mirror ports. Figure 3 F orwarding Engine Detection Engine Packet Data PCI-X Module Packet Data Device Access Config Commands Packet Data State T able Rx1 Tx1 Rx0 Tx0 Mirror 1 Mirror 0 Match Result figindex 006 Logic Diagram of T raffic Flow in the P10 DPI T[...]

  • Страница 19

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 19 Firmwar e is a se t of rules that has be en transformed— using a compiler—from Snort syntax into a form suitable for uploading to the FPGA . T wo sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware man[...]

  • Страница 20

    20 Introduction Inline Deployment Use the P-Series for inline traf fic inspection in IPS or firewall applications at 10-Gigabit line rate ( Figure 4 ). • For IPS deployment, no special configuratio n is n eed ed; the P-Series is in inline IPS mode by default. • For a firewall deployment, enable drop mode (see Command Line Reference on page 79 )[...]

  • Страница 21

    P-Series Installation and Operation Guide, version 2.3.1.2 21 Highly-available Deployment Use optical bypass switches with the P-Series for a hi ghly-available, redundant deployment, as sh own in Figure 6 . Both the appliances have the same conf iguration so that in the event of a power failure on one device, the other continues to operat e, and th[...]

  • Страница 22

    22 Introduction Figure 8 N etwork Tap P-Series P10 fn90033mp P0 10-Gigabit 10-Gigabit Passive Deployment with Aggrega tion using a Network T ap Figure 9 Network Switch with SPAN port P-Series P10 fn90034mp P0 Port to Monitor 10-Gigabit SPAN Port Passive Deployment with Aggregation using a SP AN port Capturing Matched T raffic P-Series supports capt[...]

  • Страница 23

    P-Series Installation and Operation Guide, version 2.3.1.2 23 Capturing to a Host CPU Captured traffic can be sent to a host C PU throug h a libpcap library interface, where it can be made available to applications for anal ysis. A typical implementation provid es IDS/Snort acceleration beca use of the hardware assist. Figure 10 Capturing Matched T[...]

  • Страница 24

    24 Introduction Mirroring to Another Device Mirror captured traffic out of the 1-Gigabit mirroring po rts to use the P-Series as an IDS accelerator or as part of an integrated s ecurity monitoring solution. Figure 12 HW M1 P1 P0 M0 1-Gigabit/IDS Security Monitoring Application Matched Traffic Traffic to Monitor PB-10GE-2P fn90037mp Creating an IDS [...]

  • Страница 25

    P-Series Installation and Operation Guide, version 2.3.1.2 25 The GUI can be used to: • Start and stop the DPI • Load firmware • Compile and lo ad dynamic rules • Manage the runtime parameters • Manage the capture/forward policies for rule s Note: Using the GUI requires the super user privilege. T o invoke the GUI: Runtime statistics are [...]

  • Страница 26

    26 Graphical User Interface GUI Commands From the Runtime S tatistics display , you can enter commands to control the DPI (see Ta b l e 3 , or enter the h command from th e GUI comm and line). Figure 13 fn9000010 N/A/1 FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=5ms CPU(s): 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle Runt[...]

  • Страница 27

    P-Series Installation and Operation Guide, version 2.3.1.2 27 Managing Rules, Policies, and Firmware Enter the m command from the GUI command line (see “GUI Commands” on page 26 ) to invoke a menu that enables you to manage dynami c rules, captur e/forward policies, and firmware. Three options are available; they are shown in Figure 14 and desc[...]

  • Страница 28

    28 Graphical User Interface Ta b l e 5 describes the four possible combina tions of capture/forward policies. Editing Dynamic Rules with the GUI Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory . The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file. T able 4 Managin[...]

  • Страница 29

    P-Series Installation and Operation Guide, version 2.3.1.2 29 T o modify dynamic rules: Figure 15 Editing Dynamic Rules in vi fn90000012 pnic Managing Capture/Forward Policies with the GUI Upon compiling static and dynamic rules, default capture/f orward policies are assigned to each rule. T o change capture/forward policies: Ste p T ask 1 Enter th[...]

  • Страница 30

    30 Graphical User Interface Figure 16 fn9000013 Managing Capture/Forward Policies GUI Figure 17 fn9000014 Capture/Forward Policies GUI Selecting Firmware with the GUI Firmwar e is a se t of rules that has be en transformed— using a compiler—from Snort syntax into a form suitable for uploading to the FPGA.[...]

  • Страница 31

    P-Series Installation and Operation Guide, version 2.3.1.2 31 T o select firmware: Figure 18 Manage Firmwa re GUI fn9000015 Runtime S tatistics Runtime statistics are displayed when firmware is uploaded, and traffi c is flowing across the appliance. The GUI presents two views of traffic statistics. The default view shows the tota l st atistics for [...]

  • Страница 32

    32 Graphical User Interface The remaining lines report the cumula tive number of events and the rate of those events. A description of each line is given in Ta b l e 6 . Figure 19 CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Pack[...]

  • Страница 33

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 33 Reloading Firmware During firmware reloading, all packets flow regardless of capture/ forward policies, as the policies cannot be enforced during system initialization. This "open" st ate during configuration st ate transition ensures that there is no interruption of se rvice [...]

  • Страница 34

    34 Graphical User Interface[...]

  • Страница 35

    P-Series Installation and Operation Guide, version 2.3.1.2 35 Y ou can mana ge and monitor the P-Series on the web using the Force10 Netwo rks P-Series Node Manager . Launching the P-Series Node Manager Note: The Web-based GUI is best vie wed with a minimum screen resolution of 1280x800. Y ou must also have Java Run T ime Environment (JRE) inst all[...]

  • Страница 36

    36 Web-based Manageme nt Figure 21 Lauching the P-Seri es Node Manager Note: S top the secure HTTP service using th e command pnic web-gui-stop (see Appendix A , on page 79 ).[...]

  • Страница 37

    P-Series Installation and Operation Guide, version 2.3.1.2 37 W eb-browser Security Certificates The P-Series Node Manager client and the server communicate via H TTPs. All transactions are encrypt ed, and thus protected, by the SSL protocol. The SSL certific ate is a self-signed certificate that is not signed by a trusted Certificate Authority (CA[...]

  • Страница 38

    38 Web-based Manageme nt Monitoring System Performance Monitor system performance from the Home panel ( Figure 23 ). The Home pa nel is displaye d after logging into Node Manager . It displays basic system informat ion, card, interface , and reso urce information, as well as CPU and memory usage over time. Figure 23 P-Series Node Manager: Home Pane[...]

  • Страница 39

    P-Series Installation and Operation Guide, version 2.3.1.2 39 Managing Firmware Images Manage the software image from the Image Management panel ( Figure 24 ). The Image Management panel provides options for compiling and dele ting an image. It displays a list of available images along with the currently applied image and its details. Figure 24 P-S[...]

  • Страница 40

    40 Web-based Manageme nt Figure 25 P-Series Node Manager: Card Ma nagement Panel[...]

  • Страница 41

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 41 Managing Policies Manage policies from th e Polic y Management panel ( Figure 26 ). The Policy Management pane l provides you with a list of available static and dynamic rules av ailable for the currently ru nning image. It also has the provision for adding , modifying, and deleting dyn[...]

  • Страница 42

    42 Web-based Manageme nt Figure 26 P-Series Node Manager : Policy Managment Panel[...]

  • Страница 43

    P-Series Installation and Operation Guide, version 2.3.1.2 43 A key aspect of network security de ployment is the ability to monitor the network for security events, analyze them, and perform counter measures. T o that end, the P-Series supports Sguil, an open source network security monitoring and reportin g system that provides the ability to: ?[...]

  • Страница 44

    44 Network Security Monito ring Inst alling the Sguil System T o employ Sguil you mu st: 1. Install the sensor . See page 44 . 2. Install the server . See page 44 . 3. Install the client. See page 45 . Note: Y ou can download the server and client Sguil compone nts directly from the Sguil website at http:/ / sguil.source forge.net/ind ex.html . The[...]

  • Страница 45

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 45 Uninst alling the Sguil Server T o uninstall the server: Inst alling the Sguil Client Y ou must have the following soft ware installed in your PC befo re installing the Sguil client: • ActiveT cl, Force10 recommends Ac tiveT c l8.4.14 which includes W ish •W i n Z i p •W i r e s h[...]

  • Страница 46

    46 Network Security Monito ring Inst allation Files Ta b l e 7 lists the files and directories create d during in stallation t hat are releva nt to running the Sguil system. 3 Config ure the following p a rameters in the file sguil.conf : • Enable (1) or disable (0 ) the debug option • Set the browser p ath. • Set the Wireshark ap plication p[...]

  • Страница 47

    P-Series Installation and Operation Guide, version 2.3.1.2 47 Running the Sguil System Running the Sguil Sensor Start the Sguil se nsor using the command pnic sguil-sensor-start . Specify the IP address of the Sguil server , and confirm the action, as shown in Figure 29 . Figure 29 root@# pnic sguil-sensor-start Enter the IP address of the Sguil-Se[...]

  • Страница 48

    48 Network Security Monito ring • The rule file you are using shou ld be mentioned in snort.c onf file. A sample rule file under rules directory is already added and commented in snort.conf . • Log files are stored in th e installation sub-directory ... /nsm/sguil/logs . • When adding new rules to the file sample.rules , uncomment the line, ?[...]

  • Страница 49

    P-Series Installation and Operation Guide, version 2.3.1.2 49 Running the Sguil Client T o run the Sguil Client: Figure 31 Running the Sguil Client Ste p T ask 1 Open sguil.tk using the Wish application. A window ap pears, as shown in Figure 31 . 2 S pecify the IP address o f the Sguil server , and your username and p assword. 3 Select the sensors [...]

  • Страница 50

    50 Network Security Monito ring Figure 32 fn90027mp Selecting the Sensor to Mo nitor When the Sguil client starts and the client is prop erly connected to the Sgu il server , the window in Figure 33 appears. Figure 33 fn90028mp Accepting Event s from the Sensor[...]

  • Страница 51

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 51 The command line interface (CLI) is an alternative to the GUI for managi ng the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script us ing the command syntax pnic command ; the OS environment variables are set such that thi[...]

  • Страница 52

    52 Command Line Inter face This feature can be enabled per channel. When MAC rewrite is enabled, the P10 applia nce classifies the incoming traf fic into one of 256 hash buckets to determ ine the value to be written to the LSB of destination MAC address. A hash function based on the source and destina tion IP ad dresses is used to calculate an 8-bi[...]

  • Страница 53

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 53 Removing VLAN T ags The P-Series can strip the VLAN tag from incoming pa ckets before they exit the egress port. Enable the feature using the command pnic vlan-remove-enable . The frame CRC is recalculated when this feature is enabled. If an incoming packet is untagged, it is not change[...]

  • Страница 54

    54 Command Line Inter face[...]

  • Страница 55

    P-Series Installation and Operation Guide, version 2.3.1.2 55 The P-Series Network Interface Car d Compiler (pnic-Compiler) produces user-defined firmware for the appliances. The user-defined input is a set of signature-based rule s in Snort syntax, and compilation directives. The output of the comp iler is a Xilinx bit file and ASCII mapping files[...]

  • Страница 56

    56 Compiling Rules T able 8 Compiler Configuration Options Compilation Option Description 1 Ta r g e t D e v i c e Choose the model of your appliance. • The P10 requires type PB-10G-2P (see Fig ure 35 on pa ge 58 ) 2 Match non-IP T raffic Answering Yes to this option matches pa ckets that are not IPv4. This option should be set to No if only IP t[...]

  • Страница 57

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 57 7 Segmentat ion Evasion Rules The pnic-Compiler prepends a set of fixed rules—ca lled evasion.rules — located in the pnic-compiler/rules directory . The rule s help detect attacks which are using strategic TCP s egment ation to avoid detection. It is best to include this file if Sno[...]

  • Страница 58

    58 Compiling Rules Figure 35 pnic-Compiler Option 1- 6 root@# gmake Makefile:2: mtp_configuration: No such file or directory bin/getparams2.sh Please choose the target device 1) PB-10G-2P #? 1 Do you want to support matching of non IP v4 and non IPv6 packets (like ARP/IPX etc)? 1) Y es 2) No #? 2 Ethernet types allowed Do you want to match packets [...]

  • Страница 59

    P-Series Installation and Operation Guide, version 2.3.1.2 59 Figure 36 Channel 1 D ynamic rules Please choose how many dynami c rules (5-20 recommended) Dynamic rules are rule s that can be added without recompiling the firmware. They can be a dded at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1) 0 5) 20 9) 60 13) 100 [...]

  • Страница 60

    60 Compiling Rules Figure 37 pnic-Compiler Option 8- 9 Please choose the maximum number of byt es per sig nature (1024 recommended). Selecting a small number allows lar ger sets of signatures at the expense of more false posit ives. 1) 16 2) 32 3) 64 4) 96 5) 128 6) 256 7) 512 8) 1024 #? 8 Enter the firmware base -image nam e (press the Enter key t[...]

  • Страница 61

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 61 Configuration and Generated Files Ta b l e 9 describes the files that are used or generated by the pnic-Compiler . T able 9 Configuration and Generated Files File Description Location pnic_*.bit G ene ra te d after co mpiling static rules. They are then r enamed and copi ed to /usr/loca[...]

  • Страница 62

    62 Compiling Rules Firmware Filenames The pnic-Compiler creates new firmware — in the /usr /local/pnic/fir mware directory — consisting of four . bit files and eight . mapping files. The default firmware filenames follow a naming convention designed to identify three properties: • The appliance that can use it • The number of dynamic ru les[...]

  • Страница 63

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 63 P-Series rule syntax is based on Snort. Both rule structures are descr ibed in this chapter . • Snort Rule Syntax on page 63 • P-Series Rule Syntax on pag e 66 Snort Rule Synt ax Snort rules are descriptions of tra ffic plus a prescrib ed action that is taken if a packet matches tha[...]

  • Страница 64

    64 Writing Rules • pass directs Snort to ignore the packet. • activate directs Snort to generate an aler t and activate another specified rule. • dynamic directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log. Protocol Snort supports four p rotocols: tcp , udp , icmp , or ip . The[...]

  • Страница 65

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 65 Ports Port numbers may be specified by the keyword any , a single port number , ranges, and by negation. any specifies any port. St atic ports are indicated by a si ngle port number , for exam ple, 23 for T elnet. Port ranges can be specified using a colon as a range oper ator . It can [...]

  • Страница 66

    66 Writing Rules Destination Address and Port The destination address and port follo w the direction operator . The syntax of these parameters are the same as the source address a nd port. See “Source Addresses” on page 64 , and “Ports” on page 65. Snort Rule Options Options are made of a key word and an ar gument. An ar gu ment is the pack[...]

  • Страница 67

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 67 depth No No dsize Y es No flags Y es Y es, no wild card flow Y es No fragbits Y es No fragoffset Y es No icmp_id Y es Y es icmp_seq Y es Y es icode Y es Y es id Y es Y es ip_proto Y es Y es itype Y es Y es offset No No nocase Y es No protocol ICMP , U DP , TCP , IP ARP , ICMP , UDP , TC[...]

  • Страница 68

    68 Writing Rules W r iting S t ateful Rules Stateful matching improves the accuracy of detectio n because it adds ordering when specifying behaviors across multiple matching events. State transitions in the P-Series follow a no n-cyclic pattern; no state transitions may erase any of the previous states. New state transitions are simply recorded via[...]

  • Страница 69

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 69 Pre-match Condition — the S V alue The value in register C f is presented to all the signatur es simultaneously during matching. C f must have all the bits specified by s i (in addition to matching m i ) in order for the signature i to trigger . In other words, if the result of the lo[...]

  • Страница 70

    70 Writing Rules When a packet is stored in either T emporary Memory or Match Memory , a pointer to the previously stored packet in the same flow (contained in a portion of the flow register C f ) is also stored. Thus a packet stored in Match Memory may reference another packet st ored in T emporary Memory , which in turn may reference more packets[...]

  • Страница 71

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 71 Y ou can inspect Signatures 4, 5, and 6, an d verify th at they trigger a match and place a packet in Match Memory — thus alerting the host — if three consecutiv e packets are seen with size between 0 and 100. The third packet references the previous two stored in T emporary Memory [...]

  • Страница 72

    72 Writing Rules The start of the state mach ine is prompted by a SYN ; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected; the final state is reached if a packet of a l[...]

  • Страница 73

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 73 Anomalous TCP Flags Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Ta b l e 2 4 shows rule s whic h were derived from the Snort scan pre-processor . The compiler also automatically produces rules that ma tch all pa[...]

  • Страница 74

    74 Writing Rules[...]

  • Страница 75

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 75 Deploying the P-Series as a Firewall By default the P-Series is an IDS/ IPS system; the P-Series forwards a ll traf fic by default and blocks packets only if it matches a rule. Y o u can deploy the P-Series as a limite d firewall by enabling Drop mod e. In Drop mode, the P-Series blocks[...]

  • Страница 76

    76 Firewall Enabling the Firewall Enable Drop mode using the command pnic default-drop-enable . Disable Drop mode using the command pnic default-drop-disable . These commands are shown in Figure 39 . Figure 39 [root@localhost ~]# pnic default-drop-disable No device number specif ied. Assuming device 0 *** Disabling Default-Packet-D rop on card:0 su[...]

  • Страница 77

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 77 Allowing T raffic through the Firewall T o allow packets through the firewall you must write ru les so that packets that you want the appliance to forward match those rules. Rules can be as simple as a llowing traffic destined to a port. S tateful rules can be used to allow all traff ic[...]

  • Страница 78

    78 Firewall T able 25 Sample Firewall Rules #permit: let through and do not log to the host #alert: let through and log to the host #deny: DO NOT let throu gh and do not l og to the host #divert: DO NOT let through and log to the host # S:<precondition>; C:<postcond ition> R:<logging> # A packet is matched if precondition ma tches[...]

  • Страница 79

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 79 The comman d line interfa ce (CLI) is an alternat ive to the GUI for managing the appliance. A script called pnic is used to perform the same ma nagement function s as the GUI. Invoke the pnic script using the commands in this ch ap ter; the OS enviro nment variab les are set such that [...]

  • Страница 80

    80 Appendix A • pnic showconf on pag e 108 • pnic show-firmware s on page 108 • pnic showtech on page 109 • pnic start on page 11 0 • pnic stop on page 111 • pnic temp-mem-disable on pa ge 11 2 • pnic temp-mem-enable o n p age 11 2 • pnic updatemacvalue on page 11 3 • pnic vlan-remove-disab le on page 11 4 • pnic vlan-remove-ena[...]

  • Страница 81

    P-Series Installation and Operation Guide, version 2.3.1.2 81 Related Commands pnic aggregate-mode-enable Receive both client-to-serv er and server -to-clie nt traffic on one port. T his is the default behavior . Synt ax pnic aggregate-mode-enable [ number ] Disable agg regate m ode using th e command pnic aggregate-mode-disable . Parameters Comman[...]

  • Страница 82

    82 Appendix A Parameters Command History Example Figure 42 [root@localhost SW]# pnic apply-firmware No card number specified. Assuming card 0 Do you really want to apply a new firmware for card0 (y/n)? y Please enter the path or name of the firmware to apply: /usr/local/ pnic/firmware/null.xc4vlx200-ff1513.50.50.2048 Compiling dynamic rules for pni[...]

  • Страница 83

    P-Series Installation and Operation Guide, version 2.3.1.2 83 pnic capture-of f Disable the capturing of packet s via direct memory access (DMA). Synt ax pnic capture-off Parameters Command History Example Figure 44 root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful[...]

  • Страница 84

    84 Appendix A Example Figure 45 pnic capture-on Command Exa mple root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic capture-on No card number specified. Assuming card 0 Capture ON set successful. [root@localhost SW]# Related Commands pnic [...]

  • Страница 85

    P-Series Installation and Operation Guide, version 2.3.1.2 85 pnic compilerules T ransform the dyna mic Snort rules contained in /usr/local/pnic/0/rules.custom into binary code suitable for the DPI processor . Synt ax pnic compilerules [ number ] Parameters Command History Example Figure 47 pnic compilerules Co mmand Example [root@localhost SW]# pn[...]

  • Страница 86

    86 Appendix A Example Figure 48 [root@localhost SW]# pnic default-drop-disable No card number specified. Assuming card 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled. *** Flow teardown disabled. [root@localhost SW]# pnic default-drop-disable Command Example pnic default-drop-enable Enable firewall functionali[...]

  • Страница 87

    P-Series Installation and Operation Guide, version 2.3.1.2 87 Parameters Command History Example Figure 50 [root@localhost pnic]# pnic diag No card number specified. Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching. Do you want to proceed [n/y]? y *** Matching disabled. Test starting ... Waiting for matching to stop ... P[...]

  • Страница 88

    88 Appendix A pnic flow-teardown-disable Configure the appliance to reset the state of the flow on ly upon a t imeout. This is the default behavior . Synt ax pnic flow-teardown-disable Command History Example Figure 52 [root@localhost SW]# pnic flow-teardown-disable No card number specified. Assuming card 0 *** Disabling Flow-Teardown on card:0 suc[...]

  • Страница 89

    P-Series Installation and Operation Guide, version 2.3.1.2 89 Example Figure 53 [root@localhost SW]# pnic flow-teardown-enable No card number specified. Assuming card 0 *** Enabling Flow-Teardown on card:0 successful. [root@localhost SW]# pnic flow-teardown-ena ble Command Example Usage Information The flow teardown feat ure is coupled with the fir[...]

  • Страница 90

    90 Appendix A Related Commands pnic gui Launch the graphical user interface. Synt ax pnic gui Command History pnic macrewrite - on Enable MAC rewriting. pnic macrewrite - off Disable MAC rewriting. pnic updatemacvalue Update the LSB value for a p a rticular hash index value. V ersion 2.0.0.1 Introduced[...]

  • Страница 91

    P-Series Installation and Operation Guide, version 2.3.1.2 91 Example Figure 55 [root@localhost SW]# pnic gui CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=1ms HW Interfaces CH0 Top Rate/s CH[...]

  • Страница 92

    92 Appendix A pnic help Display a list of all available comman ds, their syntax, and descriptions. Synt ax pnic help Command History Example Figure 56 [root@localhost SW]# pnic help No card number specified. Assuming card 0 Usage: pnic function_command <card_num> <channel_num> <force_options> pnic aggregate-mode-disable <0|...|[...]

  • Страница 93

    P-Series Installation and Operation Guide, version 2.3.1.2 93 pnic linkdown Disable the physical link. Synt ax pnic linkdown [ number ] [ channel ] Enable a physical link using the command pnic linkup . Parameters Command History Example Figure 57 [root@localhost SW]# pnic linkdown No card number specified. Assuming card 0 No channel number specifi[...]

  • Страница 94

    94 Appendix A Parameters Command History Example Figure 58 [root@localhost SW]# pnic linkup No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Card 0, Channel 0 is up. [root@localhost SW]# pnic linkup Command Example Related Commands pnic loadconf Upload the runtime configuration pa rameters contained in the f[...]

  • Страница 95

    P-Series Installation and Operation Guide, version 2.3.1.2 95 Example Figure 59 [root@localhost ~]# pnic loadconf No card number specified. Assuming card 0 Loading configurations ... Read from configuration file and apply to PNIC card... Registers on master FPGA: (0x10)0000 (0x14)0010 (0x18)0000 Registers on PCI FPGA: (0x18)0100 (0x24)20788 (0x28)2[...]

  • Страница 96

    96 Appendix A pnic loadeproms Load the PCI-X and front-end EEPROM s. Synt ax pnic loadeproms [ number ] Parameters Command History Usage Information Use this command to upgrade P CI-X and front-end EEP ROMs to new revisions. Reboot the chassis after executing this command; only then does new firmware take ef fect. pnic loadparams (deprecated) Uploa[...]

  • Страница 97

    P-Series Installation and Operation Guide, version 2.3.1.2 97 Example Figure 60 [root@localhost ~]# pnic loadparams No card number specified. Assuming card 0 Loading configurations... Read from configuration file and apply to PNIC card... (0x10)0000 (0x14)0010 (0x18)0000 (0x18)0100 (0x24)20788 (0x28)20788 DMA Capture Status: off MAC Rewrite state: [...]

  • Страница 98

    98 Appendix A pnic loadrules Upload to the FPGA the dynamic rules fo r both channels encoded in the files /usr/local/pnic/ 0/pnic_{0|1}.bin . Synt ax pnic loadrules [ channel ] Parameters Command History Example Figure 61 root@# pnic loadrules 0 dynamic rules loaded pnic loadrules Command Exampl e Usage Information Capture/block policies p reviousl[...]

  • Страница 99

    P-Series Installation and Operation Guide, version 2.3.1.2 99 pnic macrewrite-off Disable MAC rewriting. This is the default behavior . Synt ax pnic macrewrite-off [ number ] [ channe l ] Enable MAC rewritin g using the command pnic macrewri te-on . Parameters Command History Example Figure 62 [root@localhost SW]# pnic macrewrite-off No card number[...]

  • Страница 100

    100 Appendix A Parameters Default MAC rewrite is disabled by default. The defa ult value for the LSB is the system-assigned hash index value . Command History Example Figure 63 [root@localhost SW]# pnic macrewrite-on No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:[...]

  • Страница 101

    P-Series Installation and Operation Guide, version 2.3.1.2 101 Example Figure 64 root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic off No card number specified. Assuming card 0 Capture OFF set successful. [root@localhost SW]# pnic off Com[...]

  • Страница 102

    102 Appendix A pnic params Display the card interface name, device ID, and co ntents of the register on the PCI-X and Master FPGAs. Synt ax pnic params [ number ] Parameters Command History Example Figure 66 [root@localhost SW]# pnic params No card number specified. Assuming card 0 PNIC 8002 pnic0 0xffff810000700000 20006 ********************** Reg[...]

  • Страница 103

    P-Series Installation and Operation Guide, version 2.3.1.2 103 Command History Example Figure 67 pnic passive-mo de- disable Command Example [root@localhost SW]# pnic passive-mode-disable No card number specified. Assuming card 0 Channel 0 and 1 are set to work in normal TX/RX mode. [root@localhost SW]# Related Commands pnic passive-mode-enable Con[...]

  • Страница 104

    104 Appendix A pnic resetconf Reset the system configuration back to the default settings, wh ich are located in <installation_dir ectory>/SW/misc/pnic.conf . Synt ax pnic resetconf [ number ] Parameters Command History Example Figure 69 [root@localhost ~]# pnic resetconf No card number specified. Assuming card 0 Loading default configuration[...]

  • Страница 105

    P-Series Installation and Operation Guide, version 2.3.1.2 105 • Load the rule firmware • Load the capt ure/b lock configura t ion • Load the runtime param eters • Enable the netw ork interface Synt ax pnic restart Command History Example Figure 70 [root@localhost SW]# pnic restart No card number specified. Assuming card 0 Interface pnic0 i[...]

  • Страница 106

    106 Appendix A Synt ax pnic sguil-sensor- start [ -f ] Stop the Sguil sensor using the command pnic sguil-sensor-stop . Parameters Command History Example Figure 71 [root@localhost pnic]# pnic sguil-sensor-start Enter the IP address of the Sguil-Server:10.11.194.183 Do you want to enable secure connection between sguil-sensor and sguil-server? 1) E[...]

  • Страница 107

    P-Series Installation and Operation Guide, version 2.3.1.2 107 pnic sguil-sensor-stop Stop the Sguil sensor . Synt ax pnic sguil-sensor- stop [ -f ] Start the Sguil sensor using the command pnic sguil-sensor-start . Parameters Command History Example Figure 72 [root@localhost pnic]# pnic sguil-sensor-stop Do you really want to stop the Sguil-sensor[...]

  • Страница 108

    108 Appendix A pnic showconf Display configuration paramet ers of the card. Synt ax pnic showconf [ number ] Parameters Command History Example Figure 74 [root@localhost ~]# pnic showconf No card number specified. Assuming card 0 DMA Capture : on MAC rewrite : CH0 - disabled; CH1 - disabled Default Drop packet : disabled Temporary memory : enabled [...]

  • Страница 109

    P-Series Installation and Operation Guide, version 2.3.1.2 109 Command History Example Figure 75 [root@localhost SW]# pnic show-firmwares No card number specified. Assuming card 0 List of available firmware images: null.xc4vlx200-ff1513.50.50.2048 snort_rules.bad.xc4vlx200-ff1513.20.20.2048 [root@localhost SW]# pnic show-firmwares Command Example R[...]

  • Страница 110

    110 Appendix A Example Figure 76 [root@localhost pnic]# pnic showtech | more No card number specified. Assuming card 0 ************************************************************ Display date ************************************************************ Tue Apr 29 11:21:07 PDT 2008 ************************************************************ Displa[...]

  • Страница 111

    P-Series Installation and Operation Guide, version 2.3.1.2 111 Example Figure 77 [root@localhost SW]# pnic start No card number specified. Assuming card 0 Interface pnic0 is down Loading pass/block settings ... Done. Loading dynamic rules ... Done. *************************************** Interface pnic0 is up MTU set to 9264 bytes *****************[...]

  • Страница 112

    112 Appendix A pnic temp-mem-disable Disable temporary memory . Synt ax pnic temp-mem-disable [ numbe r ] Enable temporary memo ry using the command pnic temp-mem-enable . Parameters Command History Example Figure 79 [root@localhost SW]# pnic temp-mem-disable No card number specified. Assuming card 0 *** Disabling temporary memory on card:0 success[...]

  • Страница 113

    P-Series Installation and Operation Guide, version 2.3.1.2 113 Example Figure 80 [root@localhost SW]# pnic temp-mem-enable No card number specified. Assuming card 0 *** Enabling temporary memory on card:0 successful. [root@localhost SW]# pnic temp-mem-enable Comm and Example Related Commands pnic updatemacvalue Specifies an LSB value for a particul[...]

  • Страница 114

    114 Appendix A pnic vlan-remove-disable Disable the VLAN T ag Remove feature. Synt ax pnic vlan-remove-disable Default The VLAN T ag Remove feature is disabled by default. Command History Usage Information This feature is enabled and disabled on both sensing ports. Example Figure 82 pnic vlan-remove-disab le Command Example [root@localhost pnic]# p[...]

  • Страница 115

    P-Series Installation and Operation Guide, version 2.3.1.2 115 pnic version Display the driver version. Synt ax pnic version Command History Example Figure 84 pnic version Command Exampl e [root@localhost SW]# pnic version Force10 Networks PNIC Software Version: P_MAIN2.2.0.058 [root@localhost SW]# pnic web-gui-start Start the web server . Synt ax [...]

  • Страница 116

    116 Appendix A Example Figure 85 pnic web-gui-st ar t Command Example [root@localhost pnic]# pnic web-gui-start INFO: Generating SSL certificate for the web-gui application. Generating a 1024 bit RSA private key .........++++++ ......++++++ writing new private key to '/usr/local/pnic-mgmt-lib/sslcert/rootkey.pem' ----- You are about to be[...]

  • Страница 117

    P-Series Installation and Operation Guide, version 2.3.1.2 117 Example Figure 86 pnic web-gui-stop Command Example [root@localhost pnic]# pnic web-gui-stop Do you really want to stop the web-gui application (y/n)? y Web-gui application has been stopped! [root@localhost pnic]# Related Commands pnic web-gui-start S tart the web serv er .[...]

  • Страница 118

    118 Appendix A[...]

  • Страница 119

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 119 Ta b l e 2 8 des cribes briefly the valid Snort keywo rd s su pported on the P-Series. For a mo re detailed explanation for these keywords, see the Snort website at http://www .snort.org/docs/snort_manual/ node17.html. Appendix B Snort Keywords T able 28 Description of P-Series Snort K[...]

  • Страница 120

    120 Appendix B flow This keyword applies the rule to a specific traf fic flow direction. The flow can be in one of two states: • established : Trigg er only on established TCP connections. • stateless : Trigger regardless of the state of th e stream processor . The direction paramete r has the following options: • to_client : Tr igger on serv[...]

  • Страница 121

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 121 ttl This keyword checks for the specif ied IP time-to-live value. ttl: [ number { > | < | = } | number - | { - | > | < | = }] number ; uricontent Searches the normalized request URI field for the specified content. data_string can contain mixed text and bin ary da ta. Binar[...]

  • Страница 122

    122 Appendix B[...]

  • Страница 123

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 123 The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Ta b l e 2 9 an d Ta b l e 3 0 . Appendix C Met a and Evasion Rules T able 29 meta Rules for Channel 0 and Channel 1 met a Rules alert tcp any any -> any any (msg :"Z SYN"; flags:S,12; [...]

  • Страница 124

    124 Appendix C[...]

  • Страница 125

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 125 Unix Commands Appendix D Basic Unix Commands T able 31 Basic Unix Commands Command Description cd path Changes the current dir ectory to the specified directory . The p ath specified can be an absolute path, or a rela tive path: • The absolute path begins with a fo rward slash, and s[...]

  • Страница 126

    126 Appendix D vi Commands vi has two modes: • Command Mode : In command mode, commands can be entered which allow yo u to jump to points in a file, search text, and exit the editor . • Insert Mode : Insert mode allows you to create or alter text in a f ile. Note: Commands are case sensitive. T able 32 Basic vi Commands Command Description vi f[...]

  • Страница 127

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 127 Appendix E Glossary ACK An Acknowledgment p acket (ACK) is a packet tha t is sent from the client to th e server to complete a TCP connection. See SYN . DHCP Dynamic Host Configuration Protocol (DHCP) is a protocol that autom atically request s an IP address, su bn et mas k, an d de fa[...]

  • Страница 128

    128 Snort Snort is an open source netwo rk intrusion detec tion and prevention system that uses rules created with a special synt ax to ex amine and control specified tra ffic. SP AN Port Switched Port Analyzer (SP AN) Port is a switch po rt that receives a copy of specific traffic that passes through a switch. The SP AN po rt is also called a mirr[...]

  • Страница 129

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 129 Manual Pages Information on op erating the appliance can be accessed through manual pages (man pages) with the command man command . The command man pnic displays the man pages on the command line interface; and man pnic displays them on the Ncurses interface. Man pages for the compile[...]

  • Страница 130

    130 Technical Support Cont acting the T echni cal Assist ance Center Locating P-Series Serial Numbers The P10 serial number is located on a sticker on the back of the unit in the top-right corner (see Figure 2 ), as well as on the left mounting bracket (see Figure 87 ). The serial number is below the bar cod e and has 8 characters. Figure 87 Locati[...]

  • Страница 131

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 131 Requesting a Hardware Replacement T o request replacement hardware, follow these steps: Step T ask 1 Determine the part number and serial n umber of the component. 2 Request a Return Materia ls Author ization (RMA) number from T AC by opening a support case. Op en a support case by: ?[...]

  • Страница 132

    132 Technical Support[...]