NetScreen-IDP Fundamentals
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has
been tested and found to comply with the limits for a Class A digital device, pursuant to
part 15 of the FCC rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. The equipment generates, uses, and can radiate radio-frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case users will be
required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment
described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with NetScreen’s installation instructions, it may cause
interference with Radio and television reception. This equipment has been tested and
found to comply with the limits for a Class B digital devices in accordance with the
specifications in part 15 of the FCC rules. These specifications are designed to provide
reasonable protection against such interference in a residential installation. However,
there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which
can be determined by turning the equipment off and on, the user is encouraged to try to
correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the
receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and
authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING
PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE.
IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Contents
Introduction ........................................................................................ 15
Organization..................................................................................... 16
Document Conventions.................................................................... 17
Related Documents.......................................................................... 18
Customer Support............................................................................. 18
IDP Fundamentals | 3
Contents
IDP Fundamentals | 5
Contents
Designing Rules.................................................................................93
Identifying Risks & Threats................................................................................. 93
Setting Source & Destination ............................................................................ 93
Setting Services ................................................................................................ 94
Using Default Services ................................................................................ 95
Using Custom Services (Service Objects) ................................................... 95
Setting Terminal Rules....................................................................................... 96
Setting Attack Objects...................................................................................... 98
Adding Attack Objects by Severity ............................................................ 98
Adding Attack Objects by Service ............................................................. 99
Adding Attack Objects by Attack Type .................................................... 100
Adding Attack Objects Individually.......................................................... 100
Normalizing Network Traffic (Protocol Normalization) ............................... 100
Setting Actions................................................................................................ 101
Using IDP Actions Against Current Connections ....................................... 101
Using IP Actions Against Existing Connections .......................................... 103
Choosing an IP Action ............................................................................. 103
Choosing an IP Blocking option ............................................................... 104
Configuring IP Logging, Alarms & Timeouts.............................................. 104
Setting Notification ......................................................................................... 105
Setting an Alarm ...................................................................................... 105
Tracking Session Data .............................................................................. 106
Setting an SNMP Trap ............................................................................... 106
Setting a Syslog Message ........................................................................ 106
Sending Email .......................................................................................... 106
Setting a Run Script .................................................................................. 106
IDP Fundamentals | 7
Contents
IDP Fundamentals | 9
Contents
IDP Fundamentals | 11
Contents
IDP Fundamentals | 13
Contents
sctop commands............................................................................251
Index................................................................................................ 277
C
ongratulations on choosing the NetScreen Intrusion Detection and Prevention
TM
(IDP ) system. Unlike passive intrusion detection systems that simply monitor
network traffic using only one or two detection methods, IDP uses multiple methods
to detect attacks against your network—and prevents attackers from gaining access and
doing damage.
Additionally, where passive intrusion detection systems frequently alert on suspicious
activity, IDP is specifically designed to reduce false positives and ensure that only actual
malicious traffic is detected and stopped.
This book is intended to help you make the most of the IDP system's innovative protection
technology by explaining some of the basic concepts and providing examples on how to use
IDP.
IDP Fundamentals | 15
Introduction
ORGANIZATION
This book is organized into the following sections:
• IDP Technical Overview. This chapter provides an in-depth description of the
components and functionality that make up the IDP system.
• Getting Started With IDP. This chapter gets you up and running with your IDP
system, helping you add network objects, create and install a Security Policy, and
view log records in the IDP Log Viewer.
• Fine-Tuning Your IDP System. This chapter walks you through a step-by-step process
of fine-tuning the IDP system to fit your network traffic.
• Using the Log Viewer. This chapter includes information and instructions on using
the IDP Log Viewer to view log records and analyze attacks.
• Managing the Attack Object Database. This chapter provides information about the
signatures and protocol anomaly Attack Objects that make up the Attack Object
database, and describes format used to create custom signatures.
• Managing Effective Security Policies. This chapter provides background information
and directions for maintaining the Security Policies that protect your networks,
including information about terminal rules, notification preferences, and actions.
• Configuring Sensor Settings. This chapter details the implicit rules within the IDP
system and how to edit their default values on the IDP Sensor.
• Tagged Interfaces & Virtual Routers. This chapter provides information about using
virtual routers with the IDP system, and how to pass VLAN traffic through the IDP
Sensor.
• High Availability Solutions. This chapter details IDP High Availability (HA)
solutions, including Standalone HA and Third-Party HA.
• Configuring OPSEC. This chapter guides you through configuring IDP and ©Check
Point Software Technologies Ltd. FireWall-1TM so you can enable OPSECTM
functionality.
• Appendix A: Command Line Utilities. This appendix provides information and
instructions for the command line utilities provided with the IDP system.
• Appendix B: Third-Party HA with Nokia Firewall-1 Appliances. This appendix
provides instructions on deploying a third-party HA solution with Nokia Firewalls.
• Glossary. The glossary provides definitions for terms that are used in the IDP system
and throughout the computer security industry.
• Index. The index provides quick access to topics included in this document.
DOCUMENT CONVENTIONS
NetScreen publications use the following conventions to indicate optional and required
elements, variables, and options:
• A parameter inside [ ] (square brackets) is optional. This element might appear in the
message.
• A parameter inside { } (braces) is required. This element must appear in the message.
• Anything inside < > (angle brackets) is a variable and denotes the type, rather than
the exact wording, of element that appears in the message.
• If there is more than one option for an element inside [ ] and { }, they are separated by
a pipe ( | ).
• courier. Courier indicates text as shown on the computer screen, such as scripts
or error messages.
• courier BOLD. Courier Bold indicates commands.
• italics. Italics emphasize a newly introduced term, or indicate the title of a manual.
Ex. IDP Hardware Guide.
IDP Fundamentals | 17
Introduction
RELATED DOCUMENTS
• IDP Online Help 2.1. A comprehensive set of instructions for using the IDP system,
including overviews of all major components and step-by-step directions for
performing common tasks.
• IDP QuickStart Guides, 2.1. Describes the steps to set up and use your IDP 10, IDP
100, or IDP 500 system as quickly as possible (also available for high availability
solutions).
• IDP Hardware Information Guide 2.1. Contains important safety and compliance
information about the IDP appliance.
• IDP Release Notes 2.1. Contains information about the status of the IDP 2.1 release,
including known issues and workarounds.
NetScreen continually upgrades and improves its customer documentation and welcomes
all feedback that makes the documentation more usable and accurate.
CUSTOMER SUPPORT
NetScreen is committed to helping our customers efficiently secure their networks so that
they can concentrate on the competencies that are core to their business. We developed
our products to address the security pain points that were articulated by security, IT, and
network managers during extensive customer research. As a result, our products are
designed to simplify the implementation, management, and maintenance of a company's
network security.
If you have problems or suggestions, we want to know, so that we can continue to adjust
our products to more effectively serve your needs. We are happy to answer any questions
that you have about the implementation of our products. Please call our support center at
877-NETSCREEN, send an email idp-support@netscreen.com, or visit us at
www.netscreen.com/support.
T he NetScreen Intrusion Detection and Prevention system is the first device capable
of using eight detection methods to accurately detect malicious network traffic. It is
also the first device able to drop attacks to prevent damage to your network.
Unlike other intrusion detection systems that provide only a passive sniffer mode, IDP
has the ability to operate in-line as an active gateway, directly in the path of traffic
coming and going on your network:
• When deployed as a passive sniffer, IDP can detect attacks; as an active gateway, IDP
can detect attacks and protect your network from them.
• When deployed as an active gateway, IDP prevents detected attacks from reaching
their target. IDP drops malicious packets or connections before they enter your
network.
IDP detection and prevention capabilities are rule-based, so you define how attack
packets or connections are dropped using a combination of rules in your Security Policy.
When you install the Security Policy on your IDP Sensors, the rules tell each Sensor how
to behave. Set your Sensors to log, send alarms, and even drop suspicious traffic—IDP
drops only what you tell it to drop.
IDP Fundamentals | 19
Chapter 1 IDP Technical Overview
IDP ARCHITECTURE
IDP uses a three-tier architecture that consists of the IDP SensorTM, the IDP Management
ServerTM, and the IDP User InterfaceTM.
• IDP Sensors see all network traffic and are the enforcement points that implement
Security Policies.
• The IDP Management Server stores and manages all Attack Objects (including
attack signature and protocol anomalies), log information, rulebases, and Security
Policies.
• The User Interface (UI) is a graphical interface for interacting with the IDP
system. You can use the UI to remotely access and manipulate the information stored
on the Management Server.
IDP Sensor
The NetScreen-IDP Sensor monitors the network on which the IDP system is installed.
The Sensor is a hardware appliance (called the IDP appliance) that runs the IDP Sensor
software.
The Sensor’s primary task is to detect suspicious and anomalous network traffic based on
specific rules defined in IDP rulebases. If the Sensor is running in-line, it can also take a
predefined action against malicious traffic.
You can deploy IDP Sensor/s as active gateways or passive sniffers:
• A passive sniffer Sensor connects to a switch or hub and sniffs the network traffic as it
passes by. The Sensor monitors network traffic, records security events, and can
create alarms for attacks. However, because a sniffer Sensor cannot take action
against the attack, it cannot prevent it.
• An active gateway Sensor sits between the network and a firewall, or a network and a
DMZ, and takes an active role in protecting the network. When it detects intrusions or
attacks defined by Security Policies, the Sensor can drop, block, or ignore the
suspicious connection—or drop only the suspicious packets. Because active gateway
Sensors can take action against the attack, they can prevent the attack.
Because other IDS systems operate in passive sniffer mode only, they cannot provide true
attack protection. Only IDP, when running as an active gateway, can detect and prevent
attacks.
High Availability
You can also deploy the IDP system in a high availability solution to provide failure
protection, either in a standalone configuration or using third-party hardware. In high
availability, 2 to 16 Sensors are joined together in an HA cluster that provides failure
protection and/or load balancing. State information is shared between Sensors in the
cluster using state-sync interfaces and dedicated network interface cards (NIC).
You can deploy a high availability configuration using one of the following methods:
• Standalone HA
• Third-party solutions (required third-party hardware)
• Spanning Tree Protocol (STP)
High availability configurations are available for bridge, router, and proxy-ARP
deployment modes:
• Bridge Mode. Sensors running in bridge mode support the use of spanning tree
protocol (STP) or third-party hardware for high availability and load balancing.
Note: You must configure support for STP manually through the command line utilities.
• Proxy-ARP and Router Modes. Sensors running in proxy-ARP and router modes
support the use of standalone high availability or third-party hardware for high
availability. Standalone and third-party HA offer load balancing or hot standby for
failure protection.
– Load Balancing. All Sensors in the cluster share network traffic equally. If a
Sensor fails, network traffic is redirected to the other Sensors in the cluster.
– Hot Standby. A primary Sensor handles all network traffic while a secondary
Sensor stands by. If the primary Sensor fails, network traffic is redirected to the
secondary Sensor.
For more information about NetScreen’s high availability solutions, see “High Availability
Solutions” on page 201.
IDP Fundamentals | 21
Chapter 1 IDP Technical Overview
Although the UI supports multiple users, only one user at a time can take control of the
Management Server; this eliminate concerns about synchronization or data loss. You can
configure the UI with your own preferences—IDP stores user preferences and custom Log
Viewer views in the central database so that they remain consistent when you access
them from different client machines. The UI also provides extensive online help to help
you use your IDP system quickly and efficiently.
The UI contains seven components:
• Dashboard
• Log Viewer
• Security Policy Editor
• Object Editor
• Device Monitor
• Reports
• Log Investigator
Dashboard
The Dashboard component displays the vital statistics of your network and the IDP
system, and is the default component shown in the main display area when you first log
in. You use the data provided in the Dashboard to make quick, at-a glance decisions about
how to employ IDP.
The data that appears in the Dashboard is real time, and refreshes periodically from the
IDP Management Server. You can customize the Dashboard to display only the
information that is most important to you and your network.
The Dashboard consists of five sections:
• Host Watch List
• Source Watch List
• Attack Summary
• Reports
• Device Status
Note: You can refresh the information that appears in the Dashboard individually or all at once;
from the File menu, choose Edit>Set Refresh Interval... and enter interval settings for Summary
Tables, Reports, and Device Status.
Log Viewer
In the Log Viewer, you can view log records that IDP Sensors generate based on criteria
defined in the Security Policies. The Log Viewer displays log records in table format and
can be modified using filters or column settings.
IDP Fundamentals | 23
Chapter 1 IDP Technical Overview
Security Policies
The Security Policy Editor contains the IDP rulebases and provides a graphical, easy-to-
use rule building platform.
Use the Security Policy Editor to:
• Add or modify existing rules in the Main, SYN-Protector, Network Honeypot,
Backdoor Detection, Traffic Anomalies, and Sensor Settings Rulebases
• Create new Security Policies
• Create new Security Policies based on existing policies
• Install Security Policies on one or multiple IDP Sensors
• Manage multiple versions of Security Policies
• Delete or undelete Security Policies
Objects
The Object Editor contains the Objects used in your IDP system. Objects are the building
blocks of the IDP system:
• Network Objects represent components of your network (hosts, networks, servers,
Sensors).
• Service Objects represent services running on your network, such as FTP, HTTP, and
Telnet.
• Attack Objects represent attack signatures and protocol anomalies, and are used to
create rules for Security Policies.
You can use the Object Editor to:
• View and/or edit the Object properties
• Create, edit, or delete Objects
• Create custom groups of Objects
Device Monitor
The Device Monitor component provides a graphical view of the current status of IDP
Sensors and Management Server.
The Device Monitor provides two categories of information:
• Device status. Displays information about the status, CPU, and memory of the IDP
Sensor/s and Management Server.
• Process status. Displays information about individual processes on IDP Sensor/s
and Management Server.
You can customize the Device Monitor to:
• Display only the information you want to see
• Update information at specified time periods
• Set alarm criteria for a device or process
For step-by-step instructions on using the User Interface, click the icon in the menu
bar of the UI to access the IDP Online Help.
IDP Fundamentals | 25
Chapter 1 IDP Technical Overview
Using Stateful Signature™ technology, IDP tracks the state of a connection and looks for
attack patterns only in the relevant portions of network traffic. This approach
significantly increases detection performance and reduces the false alarms associated
with other signature-based IDSes currently on the market.
Stateful Signatures represent a significant improvement over legacy signature-based
IDSes that use packet signature detection, which detects attack patterns across the traffic
stream. Stateful Signatures can pinpoint where an attack pattern match can do damage,
and apply the signatures only to those relevant portions of traffic, significantly reducing
irrelevant pattern matches.
For more information on Stateful Signatures, “Managing the Attack Object Database” on
page 127.
Ease of Management
The IDP system’s rule-based, centralized management system makes it easy to configure,
update, and maintain your IDP system. You can manage an unlimited number of IDP
Sensors with a single, logical Security Policy—no more managing individual configuration
files for individual sensors. With IDP, you simply define an enterprise-wide Security
Policy and then distribute it with the push of a button. All relevant configuration and
signature information is automatically sent to the IDP Sensors in a secure manner
(authenticated and encrypted).
IDP also keeps a copy of all of the Security Policies that have been installed, so you can
always go back and see a history of the revisions you have made. An unlimited number of
remote User Interface installations (running on either Windows- or Linux-based systems)
can access and manage all aspects of the IDP system.
IDP provides security incident management that’s intuitive and integrated. When an
incident occurs, you need to know what traffic caused the alarm, why it was triggered, and
what to do about it.
IDP Fundamentals | 27
Chapter 1 IDP Technical Overview
IDP gives you one-click navigation between the Log Viewer (shows incidents), the Session
Viewer (shows associated packets), and the Security Policy Editor (shows why the
incident was triggered).
For more information on working with Security Policies for your IDP system, see
“Managing Effective Security Policies” on page 89.
T
o begin deriving benefit from the IDP system, you must customize IDP to work with
your network. Initially, this means adding the IDP Sensors as Network Objects in
the User Interface, then selecting and installing a Security Policy that describes how
you want your Sensor/s to protect your network.
The IDP system contains several Security Policy templates that you can quickly
customize to your network. If you are unfamiliar with the IDP system or are new to
policy-based management, using a template can help get you up and running quickly and
easily. If you want to start with a blank Security Policy, see “Managing Effective Security
Policies” on page 89 for information on designing custom rules.
After you install a Security Policy on your IDP Sensors, they immediately begin
monitoring your network traffic. If directed by the Security Policy, the Sensor generates a
log record for security events, which can be an attack against your network, a protocol
anomaly, or a simple login attempt.
Log records display in the Log Viewer, where you can analyze them to determine the
effectiveness of your current Security Policy. Log records are also a valuable insight into
your network traffic: You can see where traffic is coming from, where traffic is going to,
and what malicious content (if any) the traffic contains.
IDP Fundamentals | 29
Chapter 2 Getting Started With IDP
4. Click OK. A confirmation dialog box appears, prompting you to register your new
Sensor with the NetScreen customer support Web site, as shown below:
Click the registration link to register the Sensor (registration is required for Attack
Object updates).
5. From the toolbar, click to save the new IDP Sensor object to the Network Object
database. This Network Object (also called a Sensor Object) now represents that IDP
Sensor in the IDP system.
IDP Fundamentals | 31
Chapter 2 Getting Started With IDP
IDP Rulebases
The IDP system contains six rulebases for detecting, acting upon, and preventing
suspicious activity on your network. You create rules in rulebases, which combine to
create your Security Policy. The rulebases are:
w Traffic Anomaly
w SYN-Protector
w Network Honeypot
w Main
w Backdoor Detection
w Sensor Settings
Each rulebase uses a unique detection mechanism to protect against intrusions.
Together, the rulebases provide a multi-method detection mechanism that can
thwart any attack.
A third Security Policy template, the getting_started template, described on page 36,
contains rules for the Main Rulebase, the Backdoor Detection Rulebase, the SYN-
Protector Rulebase, and the Traffic Anomalies Rulebase. This template is specifically
designed to help you first monitor your network traffic, then edit your Security Policy
based on the log records you receive, and finally actively prevent intrusions by closing or
dropping malicious connections.
The following sections detail how to create a new Security Policy using the Getting
Started template and how to install that policy on your IDP Sensors. “Fine-Tuning Your
IDP System” on page 39 gives you step-by-step instructions on further customizing the
Getting Started template to your network.
To create and install a Security Policy:
1. In the Navigation Tree, select Security Policies, then click the icon in the toolbar
to create a new Security Policy. The New Security Policy dialog box appears.
2. In the Name box, enter the name for the Security Policy. You can use letters,
numbers, "-" or "_". Each Security Policy must have a unique name; you cannot save a
Security Policy with a name shared by an existing Security Policy.
3. In the Description box, enter a description. In the Use Template menu, select
getting_started, then click OK to save the Security Policy. This new Security Policy
appears in the list of policies in the Navigation Tree.
4. Double-click the Security Policy name to display the Security Policy in the main
display area. By default, the Main Rulebase appears. In the Install On column of the
IDP Rulebase, select the Sensors on which you want to install the policy, and click the
install icon in the toolbar to push the policy to your Sensors.
IDP Fundamentals | 33
Chapter 2 Getting Started With IDP
Note: If you are not receiving log records, check your Sensor connections and configuration, and
ensure that a policy is installed.
Log records contain a lot of important data about the activity on your network, but you
might not want to see all the information at one time. You can use the Log Viewer to
manipulate, analyze, and export the information contained in your log records so you see
only the information that interests you. For example, you can:
• View complete, summarized, or detailed information for each log record
• Show, hide, or move columns, and filter data by column headings
• Create a new instance of the Log Viewer that shows only your filters and column
settings
• Set flags on log records to indicate a specific priority or action
• Launch the Packet Viewer
• Print or export log record data
For more details on the Log Viewer component, see “Using the Log Viewer” on page 63.
Or, if you are working with Getting Started Security Policy template, see “Fine-Tuning
Your IDP System” on page 39 to begin using the Log Viewer to customize the policy to
your network.
IDP Fundamentals | 35
Chapter 2 Getting Started With IDP
IDP Fundamentals | 37
Chapter 2 Getting Started With IDP
Attack Objects are categorized according to their severity, and contain information
about group classification, platforms affected, summary of event behavior, protocol
reaction, and references.
A fter you have set up the IDP system, installed a Security Policy based on the
Getting Started template on your Sensors, and viewed log records using the Log
Viewer, you are ready to begin fine-tuning your IDP.
Fine-tuning is the process of learning to recognize the information IDP is giving you and
how to tell IDP what you want to do about it, including:
• Comprehending the information in log records, the Log Viewer, the Log Investigator,
and Reports
• Understanding how IDP represents your network elements, including servers and
other machines you want to protect
• Telling IDP which events you want log records created for and eliminating the noise
caused by false positives and other network events you don’t care about
• Recognizing actual attacks and telling IDP to respond to attacks when it detects them
on your network
IDP Fundamentals | 39
Chapter 3 Fine-Tuning Your IDP System
IDP Fundamentals | 41
Chapter 3 Fine-Tuning Your IDP System
Log records are generated when a rule in the IDP rulebases contains the action Log and a
network traffic event matches the Match portion of the rule.
Security
Policy Log Record
Log Record
Log Record
Log Viewer
Logs contain a great deal of information about what is occurring on your network. The
Getting Started Security Policy template logs for all rules in the Main rulebase. To
examine those log records, open the Log Viewer:
Security administrators are divided about how many logs are useful. Some
want large numbers of logs, even though they don’t have time to review all
the data immediately. Some want more manageable numbers of logs that
they can view within a short period.
Now that you are familiar with these basic concepts of the IDP system, you are ready to
begin the four-step process of fine-tuning IDP.
IDP Fundamentals | 43
Chapter 3 Fine-Tuning Your IDP System
Note: For more information on UI components, see the IDP Online Help.
Log Viewer
To see attack source and destination in the Log Viewer, look at the source address column
and the destination address columns:
• The source address of an attack tells you the IP address of the computer that
generated the attack. This can be a computer on the external network (an outside
attack) or a computer on your internal network (an internal attack).
• The destination address of an attack tells you the IP address of the computer that the
attack targeted. This can be any computer or device on your network.
Each Log Viewer column contains several different IP addresses that each represent a
host computer. Some hosts are devices on your network (your internal hosts) and others
are devices outside your network (external hosts).
An important part of fine-tuning your IDP system is determining which internal hosts
you want to protect. An important source or destination have an IP address that is
receiving more attacks than other hosts, or it might be the IP address of a critical device
on your network, such as a mail server.
Reports
The best method for quickly identifying most frequently targeted hosts is to view a
Report. In the Navigation Tree, click the Reports component, then click the title of the
Report you want to view.
• To see important sources, click Top Attackers.
• To see important destinations, click Top Targets.
Each report displays a graph and table indicating the host IP addresses and their number
of attacks. Review both the Top Attackers and Top Targets reports to determine your
most important sources and destinations.
IDP Fundamentals | 45
Chapter 3 Fine-Tuning Your IDP System
IDP Fundamentals | 47
Chapter 3 Fine-Tuning Your IDP System
To identify false positives in logs, use the information in the table shown below to
determine if the attack is a false positive.
Keep in mind that false positives are specific to your network and the traffic that flows on
it. Attack Objects that generate false positives for your network might detect real attacks
on another network—or different network traffic.
IDP Fundamentals | 49
Chapter 3 Fine-Tuning Your IDP System
To identify irrelevant attacks, open the Log Viewer and select a log record. View the
Summary panel to see the attack description:
Affected System
Attack Type (hardware, software,
(buffer overflow, password OS, or service) Attack Pattern
exploit, DOS, etc.) (what to match against
and where to look)
Attack Description
(how it works and
the consequences)
Look carefully at the information about affected systems, and compare it with what you
know about your network. Determine if the attack is relevant:
If irrelevant, you can remove the matching Attack Object from the rule that triggered the
log record, or monitor the Attack Object using custom severity setting.
Create a rule that specifically defines a false positive as “low severity” and then
monitor log records created by that rule in the Low Severity default view in the Log
Viewer. Be aware, however, that monitoring large amounts of false positives can
affect IDP performance.
IDP Fundamentals | 51
Chapter 3 Fine-Tuning Your IDP System
If you want your log records to contain packet data, specify the log packet action in your
rules. In the Getting Started template, the Sensor collects packet data for all events.
IDP Fundamentals | 53
Chapter 3 Fine-Tuning Your IDP System
1-Critical All log records triggered by a rule that has the severity setting of critical
(this is set in a Security Policy rule or in an Attack Object in a rule with a
Severity setting of default)
2-High All log records triggered by a rule that has the severity setting of high (this
is set in a Security Policy rule or in an Attack Object in a rule with a
Severity setting of default)
3-Medium All log records triggered by a rule that has the severity setting of medium
(this is set in a Security Policy rule or in an Attack Object in a rule with a
Severity setting of default)
4-Low All log records triggered by a rule that has the severity setting of low (this
is set in a Security Policy rule or in an Attack Object in a rule with a
Severity setting of default)
All Attacks All log records with entries in the Attack column
Config Logs Log records with the following entries in the Config column: policy load,
IDP Sensor restart, or policy unload
Scans All log records with a scan entry in the sub category column, such as port
scan
Traffic Logs All log records that are not the result of attack matches (i.e., log records
resulting from Network Honeypot, Backdoor Detection, or Sensor Settings
rulebase matches)
You can also create an unlimited number of customized views with unique properties.
The first rule uses the host as the Destination IP, specifies critical severity Attack
Objects, and sends an email notification when the attack is detected. The second
rule uses the host as the Destination IP, specifies high severity Attack Objects, and sets
an alarm in the log record when the attack is detected. You can create as many
rules as you need in the IDP Main rulebase.
IDP Fundamentals | 55
Chapter 3 Fine-Tuning Your IDP System
1. In the attack column of an alarmed log record, right-click and select Show>Attack.
2. In the basics tab of the signature or protocol anomaly editor, review the attack
properties. Use the description to determine if the attack targets your network and if
the attack is dangerous.
3. In the references tab, review the known network security references for this attack.
Use the references to determine how dangerous the attack is to your network.
4. In the attack column of an alarmed log record, right-click and choose Show>Packet
data. By default, all rules in your Getting Started Security Policy record the
individual packets in the network traffic that matched a rule by capturing the session
data for the attack.
5. Review the packets used in an attack on your network to help determine the extent of
the attempted attack and its purpose, if the attack was successful, and any possible
damage to your network.
Note: You might need to increase the number of packets that are logged for the attack.
w Click the log record and select the All Fields tab to list the responsible rulebase.
w Right-click the log record and select show>Security Policy to view to the Security
Policy that generated the rule.
Log records with a rulebase of None are generated by the Sensor Settings Rulebase.
This rulebase uses implied rules (inherent to IDP) that control how the IDP Sensor
handles traffic. You can adjust how these rules are applied by editing the default
values for Sensor parameters, such as load time, router and run time parameters.
Note: When IDP is in-line, you can prevent scans by blocking the attacker’s IP address.
IDP Fundamentals | 57
Chapter 3 Fine-Tuning Your IDP System
Note: When IDP is in-line, you can prevent interactive traffic by blocking the attacker’s IP address.
IDP Fundamentals | 59
Chapter 3 Fine-Tuning Your IDP System
1. In the Log Viewer, investigate your log records for the Backdoor Detection Rulebase
and identify the services that produce interactive traffic. If you allow the service on
your network, the log record might be a false positive. You should ignore the service
when detecting interactive traffic.
2. In the Backdoor Detection Rulebase, right-click the Service column of the first rule in
the Backdoor Detection Rulebase to display the Service Object Editor. Add the Service
Object that represents the allowed interactive service and click OK.
3. Verify and install the edited Security Policy on your Sensor.
4. Review the logs in the LogViewer.
IDP continues to detect interactive traffic for all services not specified in the first rule of
the Backdoor Detection Rulebase.
Is it a program or a person?
Interactive traffic usually indicates human involvement. It looks different than other
traffic because humans are manually controlling one end of the connection. In a
connection between two programs, the data transfer is automated; TCP packets can
be batched and sent in bulk for efficiency. In a connection between a program and
user, packets are sent when they become available; characters display as they are
typed (not after the word is complete).
Note: When IDP is in-line, you can actively prevent SYN-floods by dropping connections that are
not established promptly.
Meanwhile, the attacker continues to send SYN packets to the server, requesting
multiple connections; the connection table fills to capacity and cannot accept new
SYN requests. The overwhelmed server is effectively disabled by the SYN Flood.
IDP Fundamentals | 61
Chapter 3 Fine-Tuning Your IDP System
W hen directed by the installed Security Policy, your Sensor generates a log record
for security events. These log records appear in the Log Viewer component of the
UI, where you can analyze them to determine the effectiveness of your current
Security Policy.
The Log Viewer is a powerful tool for analyzing the traffic on your network. In a single log
record, you can see where traffic is coming from, where traffic is going to, and what
malicious content (if any) the traffic contains. You can view summarized information
about security events and alarms for multiple log records, or drill down to view specific
information for an individual log record.
IDP Fundamentals | 63
Chapter 4 Using the Log Viewer
flag
The flag column displays a user-selected flag. To add a flag to a log record, right-click the
flag column for the log record and select a flag from the menu. You can use flags to:
• Override the default severity of Attack Object in the Security Policy rule (High,
Medium, Low)
• Mark suspected false positives (False Positive)
• Control workflow for a security team (Assigned, Investigate, Follow-Up, Pending,
Closed)
You must log in as a read/write user and take control to add flags to log records.
alarm
The alarm column displays the alarm icon , which appears for log records generated
by a Security Policy rule that has an alarm set. You can set an alarm for a rule in the
Security Policy Editor by right-clicking the notification column for the rule and selecting
alarm. When the rule is matched, the resulting log record displays the alarm icon in its
alarm column.
Setting alarms for rules that match critical and high severity attacks is a good way to
keep a close watch on threats to your network. For more information about using alarms,
see “Responding to Real Attacks” on page 55.
IDP Fundamentals | 65
Chapter 4 Using the Log Viewer
time received
The time received column displays the date and time that the Management Server
received the log record. Mouseover an entry in this column to view the date and time in
extended format.
attack
The attack column displays the name of the signature or protocol anomaly Attack Object
that triggered the log record.
For protocol anomaly Attack Objects, mouseover to view a description of the attack.
For signature Attack Objects, mouseover to view the attack signature context and
binding.
To view the Attack Object in the Security Policy rule, right-click and select Show attack in
Policy. The Security Policy Editor opens to display the rulebase, rule, and Attack Object
that triggered the log record. For more information, see “Locating Matching Attack
Objects” on page 86.
If the log record is not the result of an Attack Object match, the attack column is empty.
action
The action column displays the action that the IDP Sensor performed when it generated
the log record. Examples: accept, drop connection, drop packet. For more information
about setting actions in Security Policy rules, see “Setting Actions” on page 101.
Note: IDP Sensors running in sniffer mode cannot drop packets or close connections.
source address
The source address column displays the IP address of the computer that generated the
matching traffic.
To display the host name of the computer instead of the IP address, enable the external
address resolution by editing the Log Viewer preferences in the Preferences Settings.
src port
The src port column displays the source port of the traffic for TCP /UDP or ICMP ID of the
traffic for ICMP. Mouseover an entry in this column to view its TCP/UDP protocol and
port, RPC program number, or ICMP type and code ( applies for known protocols only).
destination address
The destination address column displays the IP address or host name that received the
matching traffic.
To display the host name of the computer instead of the IP address, enable the internal
address resolution by editing the Log Viewer preferences in the Preferences Settings.
dst port
The dst port column displays the destination port of the traffic for TCP /UDP or ICMP
type of the traffic for ICMP. Mouseover an entry in this column to view its TCP/UDP
protocol and port, RPC program number, or ICMP type and code ( applies for known
protocols only).
IDP Fundamentals | 67
Chapter 4 Using the Log Viewer
protocol
The protocol column displays the IP protocol of the traffic that generated the log record
(TCP, UDP, ICMP, etc).
device address
The device address column displays the IP address or host name of the IDP Sensor that
generated the log record.
To display the host name of the IDP Sensor instead of the IP address, enable the internal
address resolution by editing the Log Viewer preferences in the Preferences Settings.
severity
The severity column displays the severity of the Attack Object in the log record. If the log
record does not contain a matching Attack Object, this column is empty.
comment
The comment column displays user comments about the log record. To add a comment to a
log record, double click the comment column for the log record and type a comment. By
default, this comment column is empty.
category
The category column displays the log record category:
• ATTACK category includes security events that threaten your network.
• CONFIG category includes log records for IDP appliance activity, such as Security
Policy loading, unloading, restarting, and HA status reports.
• TRAFFIC category includes log records generated by rules in the SYN-Protector
Rulebase, the Backdoor Detection Rulebase, and implied rules in the Sensor Settings
Rulebase.
sub category
The sub category column displays the log record sub category.
• ATTACK sub categories:
– IDP_ATTACK_MATCH indicates a traffic match with a signature Attack Object
in a Security Policy rule.
– all other entries indicate a traffic match with a protocol anomaly Attack Object in
a Security Policy rule.
Mouseover an entry in this column to view the name, description, and variable data.
IDP Fundamentals | 69
Chapter 4 Using the Log Viewer
packet data
The packet data column displays the icon for log records that contain packet data.
Doubleclick the icon to display the packet data in a new window.
Packet data is a record of the individual packets in the network traffic that matched a
rule. Viewing the packets used in an attack on your network can help you determine the
extent of the attempted attack and its purpose, if the attack was successful, and any
possible damage to your network.
To configure a rule to log packet data for an attack, right-click in the notification column
of the rule in the Security Policy Editor and select configure notification. In the
Configure Notification dialog box, select enable logging and log packets, then specify
the number of packets before and after the attack that you want to record. To improve
IDP performance when logging packets, log only the packets after the attack.
log id
The log id column displays the unique ID for the log record, which is derived from the
combination of the date and log number.
device vin
The device vin column displays the VIN of the IDP Sensor that generated the log record.
Each IDP Sensor has a unique VIN that is given to you during the Sensor configuration
process (you use this VIN to create the Sensor as a Sensor Network Object in the IDP
system). If you are using multiple IDP Sensors, you can use the device VIN to help
determine which Sensor generated the log record.
time generated
The time generated column displays the date and time that the IDP Sensor generated the
log record. Mouseover an entry in this column for the date and time in extended format.
inbound if
The inbound if column displays the network interface card (NIC) that the traffic used to
enter your network. Examples: eth0, eth1.
outbound if
The outbound if column displays the network interface card (NIC) that the traffic used to
depart your network. Examples: eth0, eth1.
misc
The misc column indicates the number of times a log record repeats. Examples: repeated 1
times, repeated 2 times.
By default, the IDP Sensor compresses consecutive log records with equal values in all
columns (excluding time generated and time received) into one log record. Repeated log
records can indicate a sustained attack on your network, such as a denial-of-service or
brute force attack.
bytes
The bytes column displays the number of bytes present during a session.
Session data
Session data includes the number of packets passed, the number of bytes, and the
elapsed time. You might want to track session data to:
IDP Fundamentals | 71
Chapter 4 Using the Log Viewer
packets
The packets column displays the number of packets transmitted during a session.
elapsed
The elapsed time column displays the elapsed time for a session; appears only for a
session end log record.
policy id
The policy id column displays the ID of the Security Policy that generated the log record.
policy version
The policy version column displays the version of the Security Policy that generated the
log record. A version is a copy of an original Security Policy, and contains information
about when the policy was installed and which user performed the install.
rule number
The rule number column displays the number of the Security Policy rule that generated
the log record. The topmost rule in any rulebase is rule number 1; subsequent rules are
numbered in ascending order.
rulebase
The rulebase column displays the Security Policy rulebase that generated the log record
(Main, Backdoor Detection, Network Honeypot, SYN-Protector, Traffic Anomalies, Sensor
Settings).
script
The script column contains a checkbox. If checked, the IDP Sensor ran a script when it
generated the log record; if unchecked, no script was run.
To configure a rule to run a script, right-click in the notification column of the rule in the
Security Policy Editor and select configure notification. In the Configure Notification
dialog box, select enable logging and run script, then specify the script you want run.
The IDP includes two sample scripts; to use additional scripts, place the scripts in the run
script directory on the Management Server (/usr/idp/mgt-svr/var/
accounts/1/scripts). You can specify a different run script for each rule, if
desired. For more information on using run scripts, see “Setting a Run Script” on page
106.
email
The email column contains a checkbox. If checked, the IDP Sensor automatically sent an
email to a user-specified email address when it generated the log record; if unchecked, no
email was sent.
Automatic emails are useful for helping you keep track of important security events, such
as critical and high attacks against your network.
To configure a rule to send an email, right-click in the notification column of the rule in
the Security Policy Editor and select configure notification. In the Configure
Notification dialog box, select enable logging and send email, then specify the email
address. To specify new email recipients, enter their email addresses in the email field
and click Enter (the new email addresses now appear in the email pull-down menu).
snmp
The snmp column contains a checkbox. If checked, the IDP Sensor sent an SNMP trap
when it generated the log record; if unchecked, no SNMP trap was sent.
syslog
The syslog column contains a checkbox. If checked, the IDP Sensor sent a syslog when it
generated the log record; if unchecked, no syslog was sent.
external
The external column contains a checkbox. If checked, the IDP Sensor received the traffic
on one of its external interfaces; if unchecked, traffic was received on an internal
interface.
You can configure the external interfaces for an IDP Sensor by editing the Sensor
Network Object.
Using Views
When you use the Log Viewer for the first time, it displays all rows and a predefined set of
column headings; this is the default view of the Log Viewer. A view is an arrangement of
Log Viewer rows and columns that has been customized to display specific information,
usually for a specific purpose.
Your IDP system contains the default view, which displays when the Log Viewer
component is selected in the UI navigation tree) and eight predefined views, which are
listed under the Log Viewer component:
• 1-Critical displays all log records generated by a Security Policy rule with a critical
severity setting.
IDP Fundamentals | 73
Chapter 4 Using the Log Viewer
• 2-High displays all log records generated by a Security Policy rule with a high
severity setting.
• 3-Medium displays all log records generated by a Security Policy rule with a medium
severity setting.
• 4-Low displays all log records generated by a Security Policy rule with a low severity
setting.
• All Attacks displays all log records that indicate attacks. The attack column of the
All Attacks view displays an entry.
• Config Logs displays all log records generated by the Sensor when a Security Policy
is loaded, unloaded, or the Sensor restarts. The sub category column of the Config
Logs view displays policy load, policy unload, or IDP Sensor restart.
• Scans displays all log records that indicate a scan. The sub category column of the
Scans view displays a scan entry, such as a port scan.
• Traffic Logs displays all log records generated by an implied rule in the Sensor
Settings Rulebase.
You can create additional views by filtering your log records or by changing the column
heading settings. For more information on creating custom views, see “Creating & Saving
Views” on page 77.
IDP Fundamentals | 75
Chapter 4 Using the Log Viewer
Filtering by Column
You can set filters on columns in the Log Viewer. To set a filter, select the columns you
want to appear using the Column Settings or Column Headers.
Column Settings
Click the Column Settings
icon in the toolbar to
display the Column Settings
dialog box.
• To show the selected
columns, click Show.
• To hide the selected
columns, click Hide.
• To move the selected
column/s left in the main
display area, click Move
Up.
• To move the selected
column/s right in the
main display area, click
Move Down.
Click OK to close.
Column Headers
In a main display area:
• To hide the column, right-
click the column header of
a column and choose
Hide.
• To move a column to the left, click the column header and drag it to the left.
• To move a column to the right, click the column header and drag to the right.
Filtering by Cell
You can set filters on the content in a Log Viewer cell. Filters applied to cells affect only
the content in that cell’s column. Right-click the cell you want to filter on to display the
filter menu options:
• Edit. Use this option to set multiple filters for cell content at the same time. Select to
display the Filter dialog box for that column, then select the columns you want to
filter on.
– To display only the selected content, click OK.
– To display everything except the selected content, click the checkbox next to
Negate, then click OK.
– To clear filters for the selected content, click Clear.
• Only This Value. Displays only the content in the selected cell.
• Not This Value. Displays everything except the content in the selected cell.
• Clear Filter. Removes a current filter on the selected cell content. If no filter exists,
this option is unavailable.
• Clear All Filters. Removes all filters on the current view.
IDP Fundamentals | 77
Chapter 4 Using the Log Viewer
• Alarms. To quickly access log records generated by a Security Policy rule that
contains an alarm, create a view that filters on the alarm column. This method is
useful when you are fine-tuning your IDP system to distinguish between valid attacks
and false positives.
• Sensors. To manage IDP Sensors in multiple locations that use different
investigation processes, create a separate view for each IDP Sensor at a specific
location. Filter on the device vin column.
To save a view, use one of the methods below:
• Set filters, then choose File> Save As... Enter a name for the customized view and
click OK.
• Choose File>New View. Enter a name for the customized view and click OK. Set
filters.
Log Collapsing
You can collapse similar log records to make them easier to read.
IDP Fundamentals | 79
Chapter 4 Using the Log Viewer
./log2action -a format
Exporting to XML
Login to the IDP Management Server as admin, then change to the utility directory by
typing: usr/idp/mgt-svr/utils. Choose the destination of the log records:
• To export to screen, type: ./log2action options -a xml
• To export to file, type: ./log2action options -a xml > file.xml
The Management Server exports all log records to XML; each log record becomes an XML
record, which you can open in most Web browsers.
Note: To view the XML schema file, type: /usr/idp/mgt-svr/lib/logActions/log.xsd.
The XML format action has no required actions.
Exporting to CSV
Login to the IDP Management Server as admin, then change to the utility directory by
typing: usr/idp/mgt-svr/utils. Choose the destination of the log records:
• To export to screen, type: ./log2action options -a csv
• To export to file, type: ./log2action options -a csv > file.csv
The Management Server exports all log records to CSV; each log record becomes a CSV
record. The optional actions for exporting to CSV:.
Exporting to SNMP
Login to the IDP Management Server as admin, then change to the utility directory by
typing: usr/idp/mgt-svr/utils. You must specify the SNMP community and the
SNMP server IP address that receive the exported log records:
IDP Fundamentals | 81
Chapter 4 Using the Log Viewer
Exporting to Syslog
Login to the IDP Management Server as admin, then change to the utility directory by
typing: usr/idp/mgt-svr/utils. You must specify the IP address of the syslog
server that receives the exported log records:
Exporting to Script
Login to the IDP Management Server as admin, then change to the utility directory by
typing: usr/idp/mgt-svr/utils. You must specify the name of the script that
receives the exported log records:
Using the UI
To enable log export to your Postgres database using the UI:
1. In the UI menu bar, choose Tools>Preferences to display the Preference Settings
dialog box, then select Management Server.
2. In the Database Export section, click the Enable Export checkbox and enter values
for the following fields:
IDP Fundamentals | 83
Chapter 4 Using the Log Viewer
The Management Server exports all log records to the specified database. The required
actions for exporting to database:
• Choose File>Export>PDF to export your logs in PDF (.pdf) format. In the Export to
PDF dialog box, browse to a save location and enter a filename for your exported logs.
Click Export.
• Choose File>Export PostScript to export your logs in postscript (.ps) format. In the
Export to PostScript dialog box, browse to a save location and enter a filename for
your exported logs. Click Export.
If no disk space remains and communication has not been restored, the Sensor first deletes
sysinfo logs (debug and error messages) then packet captures to free up disk space. The
Sensor continues to store logs generated by a Security Policy until it can send them to the
Management Server.
IDP Fundamentals | 85
Chapter 4 Using the Log Viewer
The Security Policy Editor opens to display the rulebase and rule that triggered the log
record (the matching rule is highlighted in the color cream to help you identify it quickly).
Additionally, the Object Browser opens to display the matching Attack Object:
IDP Fundamentals | 87
Chapter 4 Using the Log Viewer
S
ecurity Policies define what traffic to look at, what to look for, and how to respond
when an attack is detected. To create and manage Security Policies, use the Security
Policy Editor, a User Interface (UI) component.
Security Policies are created using detection mechanisms, rules, and rulebases.
IDP Fundamentals | 89
Chapter 5 Managing Effective Security Policies
IDP Fundamentals | 91
Chapter 5 Managing Effective Security Policies
Understanding Rules
Rules give context to detection mechanisms by
specifying which part of the network traffic the IDP
system should look in to find attacks. When rule is Attack Column in Rule
matched, an attack has been detected in the network
traffic for that rule.
Rules also specify how the IDP responds the detected
attack by setting an action. When a rule match
“triggers” the action for that rule, the IDP system
performs the specified action and protects your
network from that attack.
You create rules using the Security Policy Editor in
the UI. Each rulebase can have multiple rules—you
determine the order that rules are applied to network Rules are contained
traffic by placing them in the desired sequential order. within rulebases
Rulebases
Understanding Rulebases
Each rulebase in the IDP system uses specific
detection methods to identify and prevent attacks.
Together, rulebases provide a Multi-Method Detection
system that can thwart almost any attack. You can use
the UI to add, modify, disable, and delete rules in five
rulebases: Main, SYN-Protector, Backdoor Detection,
Network Honeypot, and Traffic Anomalies. For more
information about the different IDP rulebases, see
“Working with Rulebases” on page 112. Rulebases combine to create
a Security Policy that is
installed on the IDP Sensor
DESIGNING RULES
Well-designed rules can make detection and prevention of attacks easy and manageable.
Conversely, poorly-designed rules can make detection and prevention difficult and
frustrating—or worse, leave your network vulnerable.
This section covers the basics of designing rules for your network, and includes the
following guidelines:
• Identifying your network risks and threats
• Using Attack Objects to detect attacks against your network vulnerabilities (Main
Rulebase only)
• Setting IDP actions that protect your network
• Understanding how terminal and non-terminal rules work in the IDP system
• Dealing with false positives
Although each IDP rulebase uses different detection mechanisms to detect attacks, they
all share similar rule design concepts. After you have learned the basic concepts of
designing an efficient rule, you can learn more about building rules for each IDP rulebase
in “Working with Rulebases” on page 112.
IDP Fundamentals | 93
Chapter 5 Managing Effective Security Policies
In the IDP system, Network Objects represent the devices running on your network. You
use the Object Editor in the UI to create a Network Object for each device, then use these
Network Objects in rules to specify the source and destination of attacks. See the
NetScreen Online Help topic “Adding Network Objects” for more information.
The more specific you are in defining the source and destination of an attack, the more
you reduce false positives.
Setting Services
Services are application layer protocols that define how data is structured as it travels
across the network. The services you support on your network are the same services that
attackers use to attack your network. You specify which services are supported by the
destination IP to make your rule more efficient.
Note: All services rely on a transport layer protocol to transmit data. The IDP system includes
services that use TCP, UDP, RPC, and ICMP transport layer protocols.
In the IDP system, Service Objects represent the services running on your network. IDP
comes with several Service Objects based on industry-standard services already created
for you. You use these Service Objects in rules to specify the service an attack uses to
access your network.
If you are supporting services on non-standard ports, you should choose a service other
than default.
IDP Fundamentals | 95
Chapter 5 Managing Effective Security Policies
You can create your own Service Objects to use in rules using the Object Editor, such as
Service Objects for protocols that use non-standard ports. However, you cannot match
Attack Objects to protocols they do not use. See the NetScreen Online Help topic “Adding
Service Objects” for more information.
The normal IDP rule-matching algorithm starts from the top of the rulebase and matches
all rules with the same source, destination, and service until it encounters a terminal
rule. A terminal rule is an exception to this normal rule-matching algorithm: When a
match is discovered against an Attack Object in a terminal rule, the Sensor does not
continue to apply subsequent rules to that connection.
Terminal rules should appear at the top of the rulebase, before other rules that would
match the same traffic. You can set a rule as terminal by selecting the box in the Terminal
column of the Security Policy Editor when the rule is created or modified.
IDP Fundamentals | 97
Chapter 5 Managing Effective Security Policies
• Severity 4 (Low). Low attacks attempt to obtain non-critical information or scan the
network with a scanning tool. They can also be obsolete attacks or anomalous (but
probably harmless) traffic. Recommended Action: log
• Severity 5 (Informational). Informational attacks are normal, harmless traffic
containing URLs, DNS lookup failures, and SNMP public community strings. You can
use informational Attack Objects to obtain information about your network. No
recommended action.
• Third Party Signatures. Third party signatures are prone to false positives; this
group is included only for compatibility with other intrusion detection systems. No
recommended action.
If you do not want to apply Attack Objects by severity or do not want to choose an entire
severity group for a rule, you can select your Attack Objects by service.
IDP Fundamentals | 99
Chapter 5 Managing Effective Security Policies
Setting Actions
Network security is an ongoing process of understanding what is normal traffic for your
network. Eliminating malicious traffic is important, but identifying ambiguous traffic can
be equally important. You do not always want to drop traffic that appears abnormal; you
might want to reset the connection, block the attacker, simply log the event, or use all
three methods.
You can tell IDP which actions to perform against attacks that match rules in your
Security Policy. You can set different actions for each rule in your Security Policy. The
IDP system uses two types of actions to protect your network: IDP actions and IP actions.
For each attack that matches a rule:
• IDP actions respond to matching traffic by ignoring, dropping, or closing the current
attacking connection. In some rulebases, actions are known as operations (Network
Honeypot Rulebase) or modes (SYN-Protector Rulebase).
• IP actions respond to future traffic based on the previous matching traffic by logging,
blocking, or dropping future attacking connections. IP actions are a dynamic, specific
method for protecting your network from future intrusions while permitting
legitimate traffic.
Action Description
none IDP takes no action against the connection.
ignore IDP ignores the remainder of a connection after a Attack Object in a
Security Policy rulebase is matched.
drop packet IDP drops a matching packet before it can reach its destination but does
not close the connection. Use this action to drop packets for attacks in
traffic that is prone to spoofing, such as UDP traffic. Dropping a
connection for such traffic could result in a denial of service that
prevents you from receiving traffic from a legitimate source IP address.
drop IDP drops the connection without sending a RST packet to the sender,
connection preventing the traffic from reaching its destination. Use this action to
drop connections for traffic that is not prone to spoofing.
close client IDP closes the connection and sends a RST packet to both the client and
and server the server. If the IDP Sensor is in sniffer mode, IDP sends a RST packet to
both the client and server but does NOT close the connection.
close client IDP closes the connection to the client, but not to the server.
close server IDP closes the connection to the server, but not to the client.
Action Description
accept IDP accepts the interactive traffic.
drop IDP drops the interactive connection without sending a RST packet to the
connection sender, preventing the traffic from reaching its destination. Use this
action to drop connections for traffic that is not prone to spoofing.
close client IDP closes the interactive connection and sends a RST packet to both the
and server client and the server. If the IDP Sensor is in sniffer mode, IDP sends a RST
packet to both the client and server but does NOT close the connection.
close client IDP closes the interactive connection to the client, but not to the server.
close server IDP closes the interactive connection to the server, but not to the client.
Operations Description
ignore IDP does not impersonate the selected destination IP and service.
impersonate IDP creates a counterfeit port based on the selected destination IP and
service.
Modes Description
none IDP takes no action, and does not involve itself in the three-way
handshake.
relay IDP acts as the middleman, or relay, for the connection establishment,
performing the three-way handshake with the client host on behalf of the
server.
passive IDP handles the transfer of packets between the client host and the
server, but does not actively prevent the connection from being
established. Instead, IDP uses a timer to ensure that connections are
established promptly, minimizing the use of server resources. The timer
IDP uses for the connection establishment is shorter than the timer the
server uses for the connection queue.
Choosing an IP Action
For each IP action option, an IP action is generated by the IDP system. The IP action,
instructs the IDP Sensor to perform the specified task. Select from the following options:
• IDP Notify. IDP does not take any action against future traffic, but logs the event.
• IDP Block. IDP blocks the matching connection and future connections that match
the criteria set in the Blocking Options box.
• IDP Close. IDP closes future connections that match the criteria in the Blocking
Options box.
Setting Notification
The first time you design a Security Policy, you might be tempted to log all data for all
attacks and let the policy run indefinitely. Don’t do this! Some Attack Objects are
informational only, and others can generate false positives and redundant logs on your
network. If you become overloaded with data, you can miss something important. A good
Security Policy generates enough logs to fully document only the important security
events on your network.
You can choose to simply log an attack and create log records with attack information that
you can view real-time in the Log Viewer. For more critical attacks, however, you might
want to be notified immediately by email, have IDP run a script in response to the attack,
or set an alarm flag to appear in the log record. Your goal is to fine-tune the attack
notifications in your Security Policy to your individual security needs.
Note: For more information on fine-tuning, see “Fine-Tuning Your IDP System” on page 39.
To log an attack for a rule, right-click in the notification column of the rule and select
configure notification. The Configure Notification dialog box appears. Select enable
logging and then click OK. Each time the rule is matched, the IDP system creates a log
record that appears in the Log Viewer.
Depending on your security needs and the severity of the attack, you might want IDP to
provide additional notification when a rule is matched:
Setting an Alarm
You can set an alarm for the rule. If alarm is selected and the rule is matched, IDP places
an alarm flag in the alarm column of the Log Viewer for the matching log record.
Sending Email
Sends an email to designated recipients. To specify new email recipients, enter their email
addresses in the email field and click Enter. The new email addresses now appear in the
email pull-down menu.
1. In the Notification column for a rule, right click and select Enable Logging. The
Configure Notification dialog box displays:
2. Click to select the check box next to run script and choose a script from the drop-down
menu. Click OK to close the Configure Notification dialog box.
3. To use new scripts, place them in the run script directory on the Management Server:
/usr/idp/mgt-svr/var/accounts/1/scripts. The new scripts now
appear in the run script pull-down menu in the Configure Notification dialog box.
Note: The script is run as idp:idp user. You must set the permission for each script as
chmod +x and chown idp.idp
Parameter Value
Log Id Unique ID for the log record; a combination of the date and log number.
Time Received Date and time the IDP Management Server received the log record.
Time Generated Date and time the IDP Sensor created the log record.
Origin IP address or name of the IDP Sensor that originated the log record.
Source IP address or name of the source of the traffic.
Parameter Value
Destination IP address or name of the destination of the traffic.
Inbound Interface Network interface card (NIC) the traffic arrived on.
Outbound Interface Network interface card (NIC) the traffic went out on.
Attack [For attacks only] Name of the Attack Object that triggered the rule. Use the
attack, category, and sub category log record fields to determine the
nature of the attack.
Policy Name of the Security Policy that contains the matching rule.
Rulebase Rulebase in the Security Policy contains the matching rule.
Rule Number Number of the rule that matched the traffic.
Misc Indicates compression of log records. The Sensor compresses consecutive
log records that have equal values in all columns (excluding time
generated and time received) into one log record.
Comment Comment about the rule. You add comments to rule in the Comments
column of the rule in the Security Policy Editor.
Bytes Number of bytes processed in the session.
Packets Number of packets processed in a session.
Elapsed [For session end only] Elapsed time in a session.
Session Id Unique ID for the log record.
Protocol IP protocol (TCP, UDP, or ICMP).
User Flag Log record flag: High, Medium, Low, Closed, False Positive, Assigned,
Investigate, Follow-Up, Pending. You can set log record flags in the Log
Viewer.
Category Category: ATTACK, CONFIG, MISC, TRAFFIC. Use the attack, category, and
sub category log record fields to determine the nature of the attack.
Sub Category Subcategory. Use the attack, category, and sub category log record fields
to determine the nature of the attack. An “attack_match" value indicates
the rule was matched by a signature Attack Object. All other value
indicate the rule was matched by a protocol anomaly Attack Object.
Action Action taken by the IDP Sensor, as defined in the matching rule.
Severity [For attacks only] Severity of the attack. You can configure the attack
severity in the Severity column of the rule in the Security Policy Editor.
Run Script Indicates execution of a run script for the matching rule.
Send Email Indicates an e-mail sent for the matching rule.
Example: sample.sh
#!/bin/sh
while read LINE
do
echo $LINE >> /tmp/output
done
Example: sample.pl
#!/usr/bin/perl -w
open(RESULT, ">>/tmp/output") || die
"cant open output\n";
while (<STDIN>) {
print RESULT $_;
}
close(RESULT);
Log: 20021010/115
fixed.timeGeneratedGMT=2002/10/10 15:59:19
fixed.timeReceivedGMT=2002/10/10 15:59:24
fixed.deviceAddress=10.0.101.100
fixed.devinVIN=7BF8-A764-2CAB-C3B1
fixed.sourceAddress=10.0.0.150
fixed.sourcePort=3634
fixed.destinationAddress=10.0.101.101
fixed.destinationPort=79
fixed.inboundInterface=eth0
fixed.outboundInterface=
fixed.virtualDevice=s0
fixed.attack=FINGER:BACKDOOR:CMD-ROOTSH
fixed.policy=testpolicy1
fixed.policyVersion=13
fixed.rulebase=IDS
fixed.ruleNumber=2
fixed.miscellaneous=
fixed.bytes=0
fixed.packets=0
fixed.elapsed=0
fixed.protocol=TCP
fixed.category=ATTACK
fixed.subCategory=IDP_ATTACK_MATCH
fixed.action=CLOSE
fixed.severity=CRITICAL
fixed.isAlert=yes
Logging Packets
You can record the individual packets in the network traffic that matched a rule by
capturing the packet data for the attack. Viewing the packets used in an attack on your
network can help you determine the extent of the attempted attack and its purpose, if the
attack was successful, and any possible damage to your network.
Note: To improve IDP performance when logging packets, log only the packets after the attack.
Remember that Security Policies that generate too many log records are hazardous to the
security of your network, as you might discover an attack too late or miss a security
breach entirely due to sifting through hundreds of log records. Excessive logging can also
affect IDP throughput, performance, and available disk space.
Setting Sensors
You can use a single Security Policy to control multiple Sensors. For each rule, you can
select the Sensors that will use that rule to detect and prevent attacks. When you install
the Security Policy that the rule belongs to, the rule becomes active only on the Sensors
you selected in the Install On column of the rulebase.
Attackers typically use a scanning tool that attempts to connect to every port on a single
machine (port scanning) or connect to multiple IP addresses on a network (network
scanning). By determining which services are allowed and responding on your network,
attackers can gain valuable information about your network configuration.
Detecting Scans
To detect scans and other distributed network attacks, the Traffic Anomalies Rulebase
looks for patterns that indicate abnormal network activity. Attackers often use scanning
tools to automate their port scans, allowing them to scan multiple ports quickly and
efficiently. IDP can detect these scans by counting the number of ports scanned in a
specified time period.
For TCP and UDP port scans, you can set a port count (number of ports scanned) and the
time threshold (the time period that ports are counted) in seconds.
SYN-Floods
Attackers initiate a SYN-flood by manipulating the basic three-way handshake:
• A client host sends a SYN packet to a specific port on the server. However, the
attacker ensures that the client host’s IP address is a spoofed IP address of an
unreachable system.
• Next, the server sends the client host (spoofed address) a SYN/ACK packet. The
potential connection is now in a SYN_RECV state.
• Since the system is unreachable, the server never receives an ACK or RST packet
back from the client host. The potential connection is now in the SYN_RECV state,
and is placed into a connection queue while it waits for an ACK or RST packet. This
potential connection remains in the queue until the connection-establishment timer
expires (when it will be deleted).
• The attacker sends another SYN packet to the server, requesting another connection.
And then another. And another. The connection table fills to capacity and cannot
accept new SYN requests. The server is overwhelmed, and quickly becomes disabled.
Impersonating a Port
Attackers view ports as entry points into your network. You can create counterfeit ports
on existing servers to trick attackers who are attempting to break into your network. A
counterfeit port can appear to offer notoriously vulnerable services to make it attractive to
attackers.
You create a counterfeit port in the Network Honeypot Rulebase by specifying an existing
Network Object and choosing a port and service to impersonate. You can also set an IP
Action to perform against the Attacker IP. If an attacker attempts to communicate with
your counterfeit port, the rule matches and the IP action triggers. For more information
about IP Actions, “Using IP Actions Against Existing Connections” on page 103.
Match
Specify the type of network traffic you want IDP to monitor for attacks.
• Source IP. Select the source IP from the list of Network Objects, or set to any to
monitor all incoming network traffic.
Note: You can also negate a Network Object to specify all Network Objects except that one.
• Destination IP. Select the destination IP from the list of Network Objects, or set to
any to monitor all outgoing network traffic. Selecting specific Network Objects for the
Destination IP enhances performance immensely by allowing IDP to monitor a subset
of all network traffic.
• Service. Specify the services supported by the destination IP that you want IDP to
monitor.
• Terminal. By default, rules in the Main Rulebase are non-terminal. You can set your
rule to be terminal, however.
Note: When a match is discovered against an Attack Object in a terminal rule, the Sensor does not
apply subsequent rules to that connection. For more information on terminal rules and examples,
“Setting Terminal Rules” on page 96.
Look For
Specify the attacks you want IDP to match in the monitored network traffic:
• Attacks. Choose the Attack Objects that IDP uses to detect attacks. Each Attack
Object represents a known pattern of attack; when this known pattern of attack is
encountered in the monitored network traffic, the Attack Object is matched. You can
add Attack Objects by severity, protocol, attack type, or individually. For more
information about Attack Objects, “Setting Attack Objects” on page 98.
Action
Specify the actions you want IDP to take when rule’s Attack Objects match:
• Action. Choose the action you want IDP to perform against the connection.
• IP Actions. Choose the IP Actions that are appropriate for your network.
• Notification. Choose none, or enable logging and select the logging options that are
appropriate for your network.
• Severity. Use the default severity setting of the selected Attack Objects, or choose a
specific severity for your rule.
A sample Main Rulebase rule is below:
packets are sent when they become available; characters display as they are typed (not
after the word is complete). Interactive programs transmit several short IP packets
containing individual keystrokes and their echoes, reflecting the real-time actions of a
user (or attacker).
Detecting Backdoors
When attackers type commands to control a backdoor, they generate interactive traffic
that IDP can detect. Unlike anti-virus software, which scans for known backdoor files or
executables on the host system, IDP detects the interactive traffic that is produced when
backdoors are used. This method ensures that IDP can detect all backdoors, both known
and unknown. If interactive traffic is detected, IDP can perform IDP actions against the
connection to prevent the attacker from further compromising your network.
– Create a rule for each severity group and use the default actions.
– Install the Security Policy on the Sensors, analyze the results by viewing the log
records and Reports, then edit the Security Policy based on what you find.
– Identify false positives and eliminate the matching Attack Objects.
– Install the edited policy on the Sensors.
• Use the Bottom Up Method:
– Create one or two rules with a few individual Attack Objects that target your
vulnerabilities.
– Install the Security Policy on the Sensors, analyze the results by viewing the log
records and reports, and edit the Security Policy based on what you find.
– Identify false positives and eliminate the matching Attack Objects.
– Add a few more individual Attack Objects to your existing rules, and create one or
two more rules.
– Install the edited policy on the Sensors.
Remember that all networks are different. Security Policies that do not produce false
positives on one network can produce them on another. You must experiment with your
own network to determine how best to handle false positives.
Rule Shadowing
Rule shadowing occurs when two rules are designed to detect the same attack.
Eliminating rule shadowing improves IDP performance. To correct, return to the rule that
is shadowing and modify or delete it.
• Rule 1 matches all TCP-HTTP traffic from your European email server to any
destination on your network.
• Rule 2 matches TCP-HTTP traffic from your European email server to your internal
network.
Rule 2 “shadows” Rule 1 because any HTTP attacks on the internal network have already
been detected by Rule 1.
The default service binding (the protocol and port that the attack uses) for Critical FTP
Attack Objects is FTP/21, which conflicts with the specified Service Object UDP/21.
Note: You can create Service Objects for protocols that use non-standard ports, but you cannot
match Attack Objects to protocols they do not use.
Because this rule can negatively impact Sensor performance, you should determine your
network vulnerabilities and adjust your Security Policy accordingly.
Note: For information on tuning a Security Policy to your network, see “Fine-Tuning Your IDP
System” on page 39.
This rule can negatively impact Sensor performance. Consider modifying the rule to only
match DNS attacks that target your DNS server, and add the Network Object that
represents your DNS server as the Destination IP.
No errors are generated if you decide to select these actions or detection mechanisms in
your rule. However, because the IDP is not in-line, it cannot perform these actions or
prevent attack using these detection mechanisms. If a sniffer rule that has preventative
actions is matched, the IDP system generates a log record with the action Dismiss in the
Log Viewer Action column (if logging is enabled).
To correct, return to the rule that created the problem and select actions that monitor or
log activity.
A ttack Objects detect known and unknown attacks that attackers can use to
compromise your network. The IDP system includes a database of several hundred
Attack Objects (signature Attack Objects and protocol anomaly Attack Objects)
that detect these attacks. Signature Attack Objects detect known attacks, and protocol
anomaly Attack Objects detect unknown attacks:
• Detecting Known Attacks (Signature Attack Object). Known attacks are the
easiest to detect because you know what you are looking for. The world’s security
community, comprised of network administrators, security specialists, and security
organizations (like CERT), provide information on known attacks that can help you
detect them. When a new attack is discovered, the security community analyzes the
attack and reports their findings on how the attack works, where to look for it, and
how to detect it.
Even if you are not active in the security community, you have probably heard of
attacks like the CodeRed worm or the ILoveYou virus in the media. NetScreen has
created signature Attack Objects to detect these and other known attacks based on
security community knowledge.
• Detecting Unknown Attacks (Protocol Anomaly Attack Objects). Unknown
attacks are more complicated to detect because they’re unknown—and unpredictable.
You don’t know what you are looking for or even where the attack might occur, so you
need to be suspicious of any unusual activity on your network. You could monitor all
traffic, all the time, hoping to catch something amiss in your log records—or you can
use protocol anomalies to detect traffic that doesn’t look like it should.
Network protocols work the same way. If one side of a network connection performs
oddly, something might be wrong. Protocol anomaly Attack Objects detect when a
protocol isn’t being followed correctly.
Attack Objects don’t work on their own—they need to be part of a rule before they can
start detecting attacks on your network. You use Attack Objects in the rules you create for
the Main Rulebase (other rulebases use different methods to detect attacks).
Stateful Signatures
IDP creates and uses stateful signatures to detect attacks. A stateful signature is a
signature that not only knows the pattern it is attempting to find, but also knows where
to look for that pattern. Stateful signatures produce very few false positives because they
understand the context of the attack and can eliminate huge sections of network traffic
they know the attack won’t be in.
Stateful signatures are much smarter than regular signatures: they know the protocol or
service used to perpetrate the attack, they know the direction and flow of the attack, and
they know the context in which the attack occurs. Obviously, though, a signature can’t
contain all this information within the attack signature pattern—the data must be
associated with the signature, but not actually part of the pattern itself. IDP does this by
combining the attack pattern with service, context, and other information into a neat
little package called a signature Attack Object.
The IDP system includes several hundred signature Attack Objects that all use stateful
signatures to detect known attacks. You can view, create, edit, or delete signature Attack
Objects using the Signature Editor dialog box in the User Interface.
Note: For information about how to use signature Attack Objects in your rules, see “Setting Attack
Objects” on page 98.
When you double-click a signature Attack Object, the Signature Editor dialog box for that
Attack Object appears, displaying the tabs. All Attack Objects have a basic tab and a
reference tab. Some signature Attack Objects also have defined properties in the binding,
IP, and protocols tabs.
To create a signature Attack Object, you’ll need to use blank tabs. Right-click the Attack
Objects component in the Navigation Tree and select New to display a Signature Editor
dialog box with blank fields for each tab.
Basic Tab
The basic tab specifies the attack properties and the attack pattern that IDP uses to
match attacks.
Name
The name is used to display the Attack Object in most components of the UI; however, log
records do not display the Attack Object name (they use the Attack Object key instead).
When creating a new signature Attack Object, you might want to include the protocol the
attack uses in the name for easy reference.
Key
The key is used to identify the Attack Object in the IDP system. A key is a unique
identifier that is used to display the Attack Object in log records; it cannot exceed 31
characters.
Description
The description provides details about the attack that the Attack Object detects, such as:
• Attack type (buffer overflows, password exploits, format string attacks, denial-of-
service, etc.)
• Affected system (hardware, operating system, software application, or protocol the
attack targets)
• Attack mechanism (how the attack works)
• Attack lethality (the consequences of a successful attack)
You are not required to include all this information when creating a new signature Attack
Object, but it’s a good idea. If you ever need to edit this signature, the description can help
you remember important information about the attack.
Color
The color is used to display the signature Attack Object in the Main display area, the
Security Policy Editor when using the signature Attack Object to build rules, and in the
Log Viewer when this signature Attack Object is matched in a rule. When creating a new
signature Attack Object, choose the color you want to represent the signature Attack
Object. If you are creating multiple Attack Objects, you might want to devise a color
scheme to better manage your custom signatures.
Direction
The direction defines the connection direction of attack:
Flows
The flow defines the connection flow of the attack:
• Control (detects the attack in the initial connection that is established persistently to
issue commands, requests, etc.)
• Auxiliary (detects the attack in the response connection established intermittently to
transfer requested data)
• Both (detects the attack in the initial and response connections)
When creating a new signature Attack Object, choose a single flow to improve IDP Sensor
performance and detection accuracy.
Severity
The severity indicates how dangerous the attack is. IDP has five severity levels: critical,
high, medium, low, and informational. Critical attacks are the most dangerous—typically
these attacks attempt to crash your server or gain control over your network.
Informational attacks are the least dangerous, and typically are used by network
administrators to discover holes in their own security system.
When creating a new signature Attack Object, choose a severity that matches the
lethality of the attack. For more information Attack Object severities, see “Adding Attack
Objects by Severity” on page 98.
False Positives
The false positive setting indicates the frequency (unknown, rarely, occasionally,
frequently) that the Attack Object produces a false positive when used in a Security
Policy. By default, all signature Attack Objects are set to unknown; as you fine-tune your
IDP system to your network traffic, you can change this setting to help you track false
positives.
Product
The product indicates the hardware and/or software application that is vulnerable to the
attack that the Attack Object is designed to prevent.
Keywords
Keywords indicate the important words that relate to the attack and the Attack Object.
When creating a new signature Attack Object, entering keywords in this field can help
you find it later.
Pattern
The attack pattern is the signature of the attack you want to detect. Remember that a
signature is a pattern that always exists within an attack; if the attack is present, so is
the signature. Existing signature Attack Objects (the ones that are already in the Attack
Object database) use stateful signatures created by the security professionals at
NetScreen.
When creating a new signature Attack Object, you must analyze the attack to detect a
pattern (segment of code, a URL, a value in a packet header, etc.) and then use that
pattern to create a signature.
IDP uses a syntax based on regular expressions to match signature patterns, shown
below:
Pattern Syntax
Direct binary match (octal) \0<octal-number>
Direct binary match (hexadecimal) \X<hexadecimal-number>\X
Case insensitive matches \[<character-set\]
Match any symbol .
Match 1 or more symbols *
Match 0 or 1 symbols ?
Grouping of expressions ()
Alternation - typically used with () |
Character range [<start>-<end>]
Negation of range [^<start>-<end>]
You can enter the syntax characters manually or choose from a drop-down menu, as
shown below:
jdoe@nextserver@nextserver@nextserver@nextserver@
The signature Attack Object that detects the finger bomb attack uses the signature
pattern shown below:
*@.*(@.*)+
Context
The context defines the location of the signature. Remember that stateful signatures
know both the attack pattern and where to look for that attack pattern. The context of a
signature Attack Object is very important because it specifies where IDP looks for
attacks. Signature Attack Objects with packet, line, or stream contexts detect attacks that
use an unspecified context. Signature Attack Object with a service context detect attacks
that use a specific context.
When creating a new signature Attack Object, you can tell IDP to detect attacks in
multiple contexts, or you can limit the search to just one context. Choosing just one or two
contexts makes IDP more effective and reduces false positives.
1 2 3 4 5
GET \\goodweb\server\secrets.html
6 7 8 9 10
HOST www.evilweb.com\secrets
Stream Context. As before, the incoming command is fragmented and no single packet
contains the attack pattern. Instead of looking for the attack in individual packets, IDP
uses stream reassembly to extract HTTP data from all fragments and successfully
recreates the original command. Stream reassembly does not recognize packet
boundaries, so both the command and host data are combined into one stream of HTTP
data:
IDP detects a match for the attack pattern in the command as shown below. However,
IDP also detects a second match in the host name, creating one false positive.
Line Context. As in the packet context and stream context, IDP reassembles the
fragmented packets and extracts the HTTP data stream. IDP separates the stream into
individual lines, based on the line terminators included in the original HTTP header:
Line Terminator
Line 1 GET \\goodweb\server\secrets.html \r\n
Line Terminator
Line 2 HOST www.evilweb.com\secrets \r\n
IDP successfully detects two matches for the attack pattern in Line 1: one real attack, and
one false positive.
Service Contexts
A service context tells IDP to look in a specific service context for the attack. To
understand how service contexts work, it’s important to know how networks use protocols
to transfer data.
Protocols are a set of rules that determine how two computers (or more) communicate
with each other. Because protocols often rely on other protocols to handle communication
tasks that are outside their own functionality, a layered model work best for
understanding protocol interaction. The TCP/IP model of communication uses four
protocol layers: Link, Network, Transport, and Application. Each protocol layer uses
different protocols to manage a specific aspect of the communication process.
The highest protocol layer, Application, contains service protocols. Services define how
data is structured; a service context is a specific location within that defined data
structure. A service can contain multiple service contexts. Services must still use a
transport or network layer protocol to actually transfer that data.
When creating a signature Attack Object, choose a service context if possible. Because the
service context is very specific, your chances of detecting a false positive are greatly
reduced. However, choosing a service context overrides the default service binding in the
binding tab. Service contexts can specify the exact location of an attack.
IDP supports contexts for the services shown below:
Note: For details on Service contexts, see the Online Help topic “Creating and Editing Attack
.\ same directory
A Web server automatically performs the directory traversal when executing the URL
command. IDP must parse the URL command by dividing the command into components,
identifying each component type, and analyzing the component before it can determine
the appropriate action.
Unicode is a widely accepted standard that attempts to electronically map characters of
every language (65,000) to a 16 bit number. “%c1%9c” is the unicode representation of “\”.
A Web server, using a process called normalizing, automatically decodes unicode
representations into their equivalent character/s. IDP must parse the URL command
before it can identify and normalize the unicode component.
Here’s how HTTP-URL and HTTP-URL-PARSED service contexts would handle this
attack:
with unicode
GET \\goodweb\server\anydir\..\.%c1%9csecrets.html
decoded
GET \\goodweb\server\anydir\..\.\secrets.html
GET \\goodweb\server\secrets.html
Offset
The offset is the number of bytes in the flow that precede the signature pattern. IDP uses
the offset to determine when to begin monitoring traffic in the flow. The default setting is
0, meaning that IDP begins detecting the attack at the very beginning of the context.
Binding Tab
The binding tab displays the service binding for a signature Attack Object. A service
binding is simply the service that an attack uses to enter your network. You can specify
service bindings only for signature Attack Objects that use a packet, stream or line
context (the service is already specified for Attack Objects that use a service context).
When creating a signature Attack Object, you do not need to specify a service binding if
you selected a service context in the basic tab.
However, if you choose a packet, stream, or line context, you should set a service binding
for the attack—this helps to significantly improve the accuracy of the signature Attack
Object and can improve IDP performance.
Any
If you are unsure of the correct service, choose any and IDP attempts to match the
signature in all services. Attacks can use multiple services to attack your network. Attack
Objects that detect these attacks use a service binding of any, allowing IDP to detect the
attack regardless of which service the attack chooses for a connection.
RPC
The remote procedure call (RPC) protocol is used by distributed processing applications to
handle interaction between processes remotely. When a client makes a remote procedure
call to an RPC server, the server replies with a remote program. Each remote program
uses a different program number. Attack Objects can use the RPC program to detect
attacks against the RPC protocol.
Service
Many attacks use a specific service to attack your network. Attack Objects that detect
these types of attacks use a matching service binding.
IP Tab
The IP tab specifies the contents of the IP header in a malicious packet. When creating a
signature Attack Object, you cannot specify IP header contents if you selected a line,
stream, or a service context in the basic tab. However, if you selected a packet context, you
can define IP header contents for the malicious packet. If you are unsure of the IP flags
and IP fields for the malicious packet, leave all fields blank and IDP will attempt to match
the signature for all IP header contents.
IP Fields
You can set values for the following IP fields:
• Time to Live. The time-to-live (TTL) number of the packet. This number represents
the number of routers the packet can pass through. Each router that processes the
packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded.
• Protocol. The protocol of the packet (ICMP, TCP, etc.).
• Type of Service. The service type:
– 0000 Default
– 0001 Minimize Cost
– 0002 Maximize Reliability
– 0003 Maximize Throughput
– 0004 Minimize Delay
– 0005 Maximize Security
• ID. A unique value used by the destination system to reassemble a fragmented
packet.
• Packet Length. The number of bytes in the packet, including all header fields and
the data payload.
IP Flags
You can also specify the fragmentation options as none, set, or unset:
• Reserved Bit. This bit is not used.
• More Fragments. When set (1), this option indicates that the packet contains more
fragments. When unset (0), it indicates that no more fragments remain.
• Don’t Fragment. When set (1), this option indicates that the packet cannot be
fragmented for transmission.
Protocols Tab
The protocols tab specifies the data length, flags, and other detailed data in the protocol
header of a malicious packet. This tab appears only for signature Attack Objects that use
a packet context.
You can specify different options for TCP, UDP, and ICMP protocol headers, or choose
None to match all fields in all protocol headers. For each protocol field value you enter,
you must also specify the relational or equality operator: equal to, greater than, less than,
etc.
UDP Headers
For UDP, you can set values for the following fields:
ICMP Headers
For ICMP, you can set values for the following fields:
• ICMP Type. The primary code that identifies the function of the request/reply.
• ICMP Code. The secondary code that identifies the function of the request/reply
within a given type.
• Sequence Number. The sequence number of the packet. This number identifies the
location of the request/reply in relation to the entire sequence.
• ICMP ID. The identification number is a unique value used by the destination system
to associate requests and replies.
• Data Length. The number of bytes in the data payload.
References
The references tab displays known network security references for the attack. All
signature Attack Objects (except custom signature Attack Objects) have a references tab:
Network security references are links to some of the security community’s official
descriptions of an attack. Because the security community is continually discovering and
analyzing new attacks, and communicating their findings to each other on the Internet,
references to their work are often the best way to truly understand an attack.
The attack description in the basic tab provides a brief overview of the attack. However, if
you want more detailed information about how an attack works, or want to research an
existing attack to compare to a suspected new attack, check the references.
• CVE (Common Vulnerabilities and Exposures). A standardized list of
vulnerabilities and other information security exposures.
• BugTraq. A moderated mailing list that discusses and announces computer security
vulnerabilities.
• Other References. Relevant information available on the Internet.
You cannot add references to new signature Attack Objects at this time.
Note: Some software applications produce legitimate traffic that can appear as protocol anomalies
due to non-standard implementation of a protocol RFC.
Protocols
CHARGEN FINGER IMAP RLOGIN SMB Gnutella SSH
DISCARD FTP IP Packet RPC SMTP Gopher SYSLOG
DNS HTTP POP3 RSH SNMP IRC TCP segment
ECHO ICMP REXEC RTSP SNMPTRAP MSN TELNET
LPR MSN NFS NNTP RUSERS VNC YMSG
You can use the Sensor Settings Rulebase to adjust thresholds and configuration options
for many of the included protocols. However, you cannot create, edit, or delete protocol
anomaly Attack Objects.
Basic Tab
The basic tab provides the anomaly properties and describes how the anomaly deviates
from the standard protocol specifications.
References
The references tab displays known network security references for a protocol anomaly
Attack Object. All Attack Objects have a references tab, which can contain the following
references:
Note: You must register your IDP Sensor to access updates to the Attack Object database.
S
ensor settings specify how the IDP Sensor handles traffic before it becomes
associated with a connection, such as packet fragments. Unlike other rulebases, the
Sensor Settings Rulebase has implied rules already created for you.
You can adjust how these rules are applied by editing the default values for Sensor
parameters, such as load time, router parameters, and run time parameters.
For more information on editing the Sensor Setting Rulebase, see the IDP Online Help
topic, “Tuning Sensor Parameters.”
Note: You can view the Sensor settings for a specific action or event in the sub category column of
the Log Viewer.
Router Parameters
Use the router parameters to control how the IDP Sensor handles address resolution
protocol (ARP) requests/replies and media access control (MAC) address issues.
Note: Because IP datagrams can be broken into fragments, fragment processing can be CPU- and
memory-intensive. Reassembled fragments should not exceed 64K.
Fragment timeout
The Sensor drops incomplete fragment chains when one or more fragments do not arrive
promptly. This setting controls the number of seconds an incomplete fragment chain is
maintained. If the Sensor does not receive the missing fragments in the specified number
of seconds, it sends a FRAGMENT_TIME_EXCEEDED log record to the Management
Server. Default setting: The Sensor maintains incomplete fragment chains for 5 seconds.
Flow Timeouts
• Timeout (seconds) for non-UDP/TCP/ICMP flows
• Timeout (seconds) for UDP flows
• Timeout (seconds) for TCP flows
• Timeout (seconds) for ICMP flows
These settings control how many seconds an idle flow is maintained in the flow table. If
the Sensor does not see flow activity in the specified number of seconds, it removes the
idle flow from the flow table. Default settings for all flow types: The Sensor removes idle
flows from the flow table after 30 seconds of inactivity.
Maximum Flows
• Maximum TCP sessions IDP 500 (default setting: 100000)
• Maximum TCP sessions IDP 100 (default setting: 50000)
• Maximum UDP sessions IDP 500 (default setting: 100000)
• Maximum UDP sessions IDP 100 (default setting: 10000)
• Maximum ICMP sessions IDP 500 (default setting: 50000)
• Maximum ICMP sessions IDP 100 (default setting: 5000)
Note: The IDP 10 appliance can maintain 10000 sessions. This number cannot be changed.
IDP Signatures
The Sensor can detect packet signatures. Default setting: Not enabled. The Sensor does
not detect packet signatures. If you are evaluating the IDP system, enable this setting.
Request Length
This setting controls the maximum number of bytes in an HTTP request. If the Sensor
sees an HTTP request containing more bytes than the specified maximum, it can consider
the request a possible protocol anomaly. Default setting: The Sensor considers HTTP
requests that are larger than 1024 bytes as possible protocol anomalies.
Header Length
This setting controls the maximum number of bytes in an HTTP header. If the Sensor
sees an HTTP packet with a header that contains more bytes than the specified
maximum, it can consider the packet a possible protocol anomaly. Default setting: The
Sensor considers HTTP packets with headers larger than 1024 bytes as possible protocol
anomalies.
Cookie Length
This setting controls the maximum number of bytes in an cookie. If the Sensor sees an
cookie containing more bytes than the specific maximum, it can consider the cookie a
possible protocol anomaly. Default setting: The Sensor considers cookies that are larger
than 2048 bytes as possible protocol anomalies.
Cookies that exceed the cookie length setting can match the protocol anomaly “HTTP-
HEADER-OVERFLOW” and produce unnecessary log records. If you are getting too many
log records for the HTTP-HEADER-OVERFLOW protocol anomaly, increase the cookie
length setting.
Authorization Length
This setting controls the maximum number of bytes in an HTTP header authorization
line. If the Sensor sees an authorization line that contains more bytes than the specified
maximum, it can consider the packet a possible protocol anomaly. Default setting: The
Sensor considers authorization lines larger than 128 bytes as possible protocol anomalies.
Content-Type Length
This setting controls the maximum number of bytes in an HTTP header content-type. If
the Sensor sees a content-type that contains more bytes than the specified maximum, it
can consider the packet a possible protocol anomaly. Default setting: The Sensor considers
content-types larger than 64 bytes as possible protocol anomalies.
User-Agent Length
This setting controls the maximum number of bytes in an HTTP header user-agent. If the
Sensor sees a user-agent that contains more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
user-agents larger than 128 bytes as possible protocol anomalies.
Host Length
This setting controls the maximum number of bytes in an HTTP header host. If the
Sensor sees a host that contains more bytes than the specified maximum, it can consider
the packet a possible protocol anomaly. Default setting: The Sensor considers hosts larger
than 64 bytes as possible protocol anomalies.
Referrer Length
This setting controls the maximum number of bytes in an HTTP header referrer. If the
Sensor sees a referrer that contains more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
referrers larger than 1024 bytes as possible protocol anomalies.
Line Length
This setting controls the maximum number of bytes in an FTP line. If the Sensor sees an
FTP line containing more bytes than the specified maximum, it can consider the packet a
possible protocol anomaly. Default setting: The Sensor considers FTP packets with lines
larger than 1024 bytes as possible protocol anomalies.
Password Length
This setting controls the maximum number of bytes in an FTP password. If the Sensor
sees an FTP password containing more bytes than the specified maximum, it can consider
the packet a possible protocol anomaly. Default setting: The Sensor considers FTP packets
with passwords larger than 32 bytes as possible protocol anomalies.
Pathname Length
This setting controls the maximum number of bytes in an FTP pathname. If the Sensor
sees an FTP pathname containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
FTP pathnames larger than 512 bytes as possible protocol anomalies.
Sitestring Length
This setting controls the maximum number of bytes in an FTP sitestring. If the Sensor
sees an FTP sitestring containing more bytes than the specified maximum, it can consider
the packet a possible protocol anomaly. Default setting: The Sensor considers FTP
sitestrings larger than 512 bytes as possible protocol anomalies.
Line length
This setting controls the maximum number of bytes in an POP3 line. If the Sensor sees an
POP3 line containing more bytes than the specified maximum, it can consider the packet
a possible protocol anomaly. Default setting: The Sensor considers POP3 packets with
lines larger than 512 bytes as possible protocol anomalies.
Password length
This setting controls the maximum number of bytes in an POP3 password. If the Sensor
sees an POP3 password containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
POP3 packets with passwords larger than 64 bytes as possible protocol anomalies.
APOP length
This setting controls the maximum number of bytes in an APOP. If the Sensor sees an
APOP containing more bytes than the specified maximum, it can consider the packet a
possible protocol anomaly. Default setting: The Sensor considers APOPs larger than 100
bytes as possible protocol anomalies.
Line Length
This setting controls the maximum number of bytes in an IMAP line. If the Sensor sees an
IMAP line containing more bytes than the specified maximum, it can consider the packet
a possible protocol anomaly. Default setting: The Sensor considers IMAP packets with
lines larger than 2048 bytes as possible protocol anomalies.
Password Length
This setting controls the maximum number of bytes in an IMAP password. If the Sensor
sees an IMAP password containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
IMAP packets with passwords larger than 64 bytes as possible protocol anomalies.
Mailbox Length
This setting controls the maximum number of bytes in an IMAP mailbox. If the Sensor
sees an IMAP mailbox containing more bytes than the specified maximum, it can consider
the packet a possible protocol anomaly. Default setting: The Sensor considers IMAP
mailboxes larger than 64 bytes as possible protocol anomalies.
Reference Length
This setting controls the maximum number of bytes in an IMAP reference If the Sensor
sees an IMAP reference containing more bytes than the specified maximum, it generates
a protocol anomaly. Default setting: The Sensor generates a protocol anomaly for IMAP
references larger than 64 bytes.
Flag Length
This setting controls the maximum number of bytes in an IMAP flag. If the Sensor sees an
IMAP flag containing more bytes than the specified maximum, it can consider the packet
a possible protocol anomaly. Default setting: The Sensor considers IMAP flags larger than
64 bytes as possible protocol anomalies.
Password Length
This setting controls the maximum number of bytes in an IRC password. If the Sensor
sees an IRC password containing more bytes than the specified maximum, it can consider
the packet a possible protocol anomaly. Default setting: The Sensor considers IRC packets
with passwords larger than 16 bytes as possible protocol anomalies.
Channel Length
This setting controls the maximum number of bytes in an IRC channel name. If the
Sensor sees an IRC channel name containing more bytes than the specified maximum, it
can consider the packet a possible protocol anomaly. Default setting: The Sensor considers
IRC channel names larger than 64 bytes as possible protocol anomalies.
Message length
This setting controls the maximum number of bytes that the header of a Yahoo!
Messenger message can indicate for the total message length (excluding the header). If
the Sensor sees an Yahoo! Messenger message with a header that indicates more bytes for
the total message than the specified maximum, it can consider the packet a possible
protocol anomaly. Default setting: The Sensor considers Yahoo! Messenger messages that
specify a message length larger than 8192 bytes in the header as possible protocol
anomalies.
Username length
This setting controls the maximum number of bytes in an Yahoo! Messenger ID. If the
Sensor sees an Yahoo! Messenger ID containing more bytes than the specified maximum,
it can consider the packet a possible protocol anomaly. Default setting: The Sensor
considers Yahoo! Messenger packets with IDs larger than 84 bytes as possible protocol
anomalies.
Crypt length
This setting controls the maximum number of bytes in an Yahoo! Messenger encrypted
password. If the Sensor sees an Yahoo! Messenger encrypted password containing more
bytes than the specified maximum, it can consider the packet a possible protocol anomaly.
Default setting: The Sensor considers Yahoo! Messenger packets with encrypted
passwords larger than 1024 bytes as possible protocol anomalies.
Challenge length
This setting controls the maximum number of bytes in an Yahoo! Messenger challenge; a
challenge is sent from the server to the client as part of the authentication process. If the
Sensor sees an Yahoo! Messenger challenge containing more bytes than the specified
maximum, it can consider the packet a possible protocol anomaly. Default setting: The
Sensor considers Yahoo! Messenger challenges larger than 25 bytes as possible protocol
anomalies.
Cookie length
This setting controls the maximum number of bytes in an Yahoo! Messenger cookie sent
from the server to the client. If the Sensor sees an Yahoo! Messenger cookie containing
more bytes than the specified maximum, it can consider the packet a possible protocol
anomaly. Default setting: The Sensor considers Yahoo! Messenger cookies larger than 400
bytes as possible protocol anomalies.
URL length
This setting controls the maximum number of bytes in an Yahoo! Messenger URL name.
If the Sensor sees an Yahoo! Messenger URL name containing more bytes than the
specified maximum, it can consider the packet a possible protocol anomaly. Default
setting: The Sensor considers Yahoo! Messenger URL names larger than 1024 bytes as
possible protocol anomalies.
E-mail length
This setting controls the maximum number of bytes in an email address included in a
Yahoo! Messenger new email alert message (send from the server to the client). If the
Sensor sees an Yahoo! Messenger new email alert containing an email that has more
bytes than the specified maximum, it can consider the packet a possible protocol anomaly.
Default setting: The Sensor considers Yahoo! Messenger new email alerts that contain
email addresses larger than 84 bytes as possible protocol anomalies.
Filename length
This setting controls the maximum number of bytes in a file name included in Yahoo!
Messenger file transfer. If the Sensor sees an Yahoo! Messenger file transfer containing a
file name that has more bytes than the specified maximum, it can consider the packet a
possible protocol anomaly. Default setting: The Sensor considers Yahoo! Messenger file
transfers that contain file names larger than 1000 bytes as possible protocol anomalies.
Request length
This setting controls the maximum number of bytes in an IDENT request. If the Sensor
sees an IDENT request containing more bytes than the specified maximum, it can
consider the request a possible protocol anomaly. Default setting: The Sensor considers
IDENT requests that are larger than 15 bytes as possible protocol anomalies.
Reply length
This setting controls the maximum number of bytes in an IDENT reply. If the Sensor sees
an IDENT reply containing more bytes than the specified maximum, it can consider the
reply a possible protocol anomaly. Default setting: The Sensor considers IDENT replies
that are larger than 128 bytes as possible protocol anomalies.
E-mail length
This setting controls the maximum number of bytes for an email address in a LPR control
file. After the file has printed, it is sent to the email address specified in the control file. If
the Sensor sees an email containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
email addresses larger than 32 bytes in an LPR control file as possible protocol anomalies.
Font length
This setting controls the maximum number of bytes for a font name in a LPR control file.
If the Sensor sees a font name containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers font
names larger than 64 bytes in an LPR control file as possible protocol anomalies.
Line length
This setting controls the maximum number of bytes in a line send by a Gopher server to
client. If the Sensor sees a line containing more bytes than the specified maximum, it can
consider the packet a possible protocol anomaly. Default setting: The Sensor considers
Gopher server to client lines larger than 512 bytes as possible protocol anomalies.
Length of IP:port
This setting controls the maximum number of bytes for the IP:port parameter in an MSN
user state. An IP:port parameter indicates the IP address and port number of the MSN
server for a switchboard session. If the Sensor sees an MSN IP: port parameter containing
more bytes than the specified maximum, it can consider the packet a possible protocol
anomaly. Default setting: The Sensor considers MSN messages with IP:port parameters
larger than 30 bytes as possible protocol anomalies.
URL length
This setting controls the maximum number of bytes for a URL address in an MSN
message. If the Sensor sees a URL address containing more bytes than the specified
maximum, it can consider the packet a possible protocol anomaly. Default setting: The
Sensor considers MSN messages with URL addresses larger than 1024 bytes as possible
protocol anomalies.
Switch A
VLAN 10 VLAN 20 VLAN 30
tag header 10 tag header 20 tag header 30
The VLAN tag
header is added to
the ethernet frame
of packets as they Physical Interface: eth1
pass through their Tagged Interfaces: eth1.10, eth1.20, eth1.30
assigned tagged
interface. eth1
IDP
Virtual routers
receive tagged .10 .20 .30
vr0: eth1.10, eth0.10
packets and
forward them
vr0 vr1 vr2 vr1: eth1.20, eth0.20
through the IDP .10 .20 .30 vr2: eth1.30, eth0.30
appliance.
Switch B
eth0 eth1
The default virtual router is vr0; subsequent virtual routers are user-defined. You can
configure and manage each virtual router as an independent entity.
I n high availability (HA) mode, multiple IDP appliances combine to provide failover
protection. HA solution can provide your network with increased throughput using
load sharing and increased reliability using failure protection.
IDP provides the following HA solutions for your network:
• The Standalone HA solution requires two or more IDP appliances running in active
gateway router or active gateway proxy-ARP mode, and minimal network
reconfiguration.
• The Third-Party HA solution requires two or more IDP appliances running in active
gateway bridge or active gateway router mode, and two third-party devices, such as
firewalls or load balancers, that can provide failure protection and/or load balancing.
You can also use spanning tree protocol (STP) to provide failover for IDP appliances
running in bridge mode. For details, see “Spanning Tree Protocol” on page 238.
Traffic Handling
Typically, traffic enters your network by passing through a network switch. In an IDP HA
solution, you configure your network switch to forward traffic to the HA cluster, where
each node in the cluster receives a copy of all network traffic. Then, each node performs a
simple algorithm on the traffic’s source and destination IP addresses and determines
whether to handle the traffic.
If the node determines that it should handle the traffic, it processes the data packets in
that traffic according the installed Security Policy. After processing the traffic, the node
forwards allowed traffic to the destination IP, and drops or blocks disallowed traffic.
However, if the node determines that it should not handle the traffic, it ignores the traffic
entirely. Each node makes the decision to handle or not handle traffic based on:
• The status of other nodes in the cluster (the node might need to handle traffic for a
failed node)
• The status of the node itself (the node must be functioning normally to process traffic)
• The source and destination IP address of the traffic (the node handles a specific traffic
connection, not random flows)
ping
ping
ping
ping
ping
HA Heartbeat HA Heartbeat HA
Daemon Daemon Daemon
The daemon performs each function once per interval (a user-defined value that is
measured in seconds).
Path Verification
The HA daemon uses ICMP to determine which interfaces on a node have connectivity to
the rest of the network; this is known as path verification. To perform path verification,
the daemon sends ICMP echo-requests (pings) to the IP address, called the Verity IP, of
another device that is reachable by one of the node’s forwarding interfaces.
The daemon pings the Verify IP once per interval, which is a user-defined time period
(default is 1 second), and keeps track of every time it does not receive a response. If the
daemon does not receive a response for a user-defined number of intervals (known as the
fail-count), it considers the state of its node to be FAIL. (For information on node states,
see “Determining Node Status” on page 205)
Example: HA Clusters
HA cluster 1 has an interval setting of one second and a fail-count of three seconds. Node
A sends a ping to its Verify IP address for two consecutive intervals (two seconds) but
receives no response. If Node A sends another ping during the third interval (three
intervals = fail-count) and still receives no response, Node A considers itself in FAIL state.
Note: Interval and fail-count cluster settings must be the same for all nodes in the HA Cluster.
About Heartbeats
w Heartbeats pass through the forwarding interfaces of the IDP Sensor.
w Heartbeat packets have a TTL of 1 and cannot be routed.
w To view the heartbeat packet data in tcpdump, use the NetScreen version of
tcpdump. For more information, see “Heartbeats” on page 209.
Note: Switches that do not support IGMP cannot be used for a standalone HA configuration and
are not supported.
Check Requirements
Packet Authentication • HB versions match
• Heartbeat belongs to same cluster
• Heartbeat timestamp is increased
Configuration parameters match • Valid node ID
• Cluster settings match
• Cluster IP and Cluster MAC addresses match
• Same number of interfaces with IP addresses
Status of Remote Node
If all checks succeed, the heartbeat packet is processed. If any check does not succeed the
heartbeat is not processed.
Heartbeat Failure
The HA daemon keeps track of every time it does not receive a heartbeat from a specific
node during an interval or does not process a heartbeat due to heartbeat check
failure. If the HA daemon does not receive or process a heartbeat from a specific node for
a user-defined number of intervals (known as the fail-count), it considers the state of the
node to be FAIL.
Example: Heartbeats
HA cluster 1 has an interval setting of one second and a fail-count of three seconds. Node
A does not send heartbeats to Node B or Node C for two intervals (two seconds). If Node A
does not send a heartbeat by the third interval (three intervals = fail-count), Node B and
Node C consider Node A failed.
For information on node states, see “Determining Node Status” on page 205.
Note: Interval and fail-count are Cluster settings that are the same for all nodes in the HA Cluster.
• Local State Calculations. The HA daemon uses the information gathered from path
verification and incoming heartbeat packets to determine the state (FAIL, INIT, or
OK) of its local node:
• Remote State Calculations. The HA daemon uses the information gathered from
incoming heartbeat packets to determine the state (FAIL or OK) of all other nodes in
the cluster.
HA Communication Settings
Nodes in an HA cluster communicate with each other (via the HA daemon) using the
heartbeat interface on the IDP appliance. When you configure the Sensor software on the
IDP appliance (using the ACM), you configure three types of communication settings for
the HA cluster:
• Cluster Settings must be the same for all nodes.
• Interface Settings are the same given interface on all nodes.
• Node Settings are different for each node.
These settings determine how the HA daemon verifies and manages the cluster state.
Cluster Settings
All nodes must use the same settings for schad communication. These Cluster settings
determine the information that is included in the heartbeat packet, which enables the HA
daemon to verify and manage the state of the cluster. A list of Cluster settings, supported
values, and descriptions is shown below.
Failure Count numeric, 1-10 Sets the number of intervals (using the Configure
interval setting): Standalone
• a ping must fail before a node HA
considers itself as failed
• a heartbeat must not be received
before the other node is
considered failed
Reintegrate numeric, 1-10 Sets the number of intervals (using the Configure
Count interval setting) that all Verify IP pings Standalone
must succeed before a node HA
changes from:
• INIT to OK
• FAIL to OK
Shared Secret alphanumeric, 6-16 Sets the string that is used to Configure
authenticate HA messages. Standalone
HA
Interface Settings
All nodes in the HA cluster use identical interface settings for a given interface. Ex. All
eth0 interfaces on all Sensors in the HA cluster use the same interface settings. A list of
interface settings, supported values, and descriptions is shown below.
Supported Modes
The IDP system supports Standalone HA configurations in proxy-ARP and router modes:
• In proxy-ARP mode, all IDP Sensors use the same multicast cluster MAC address for
each side of the HA cluster.
• In router mode, all IDP Sensors use the same unicast cluster IP addresses and
multicast cluster MAC addresses for each side of the HA cluster.
All nodes in the cluster share a unicast IP address called the Cluster IP address and a
unicast or multicast MAC address called the Cluster MAC address. The nodes in the
cluster receive incoming packets from the Cluster IP, which is mapped to the multicast or
unicast Cluster MAC address to enable all Sensors to receive a copy of all network traffic.
• Cluster IP Addresses. The Cluster IP is the gateway that enables network devices
to communicate with the HA Cluster. When network devices pass traffic to the
Cluster IP, any node in the cluster can handle the traffic.
Heartbeats
The nodes in an HA Cluster communicate with each other using a heartbeat protocol,
which uses a multicast IP address. Switches can automatically “learn” about the
heartbeat protocol using Internet Group Management Protocol (IGMP). You must enable
IGMP on your network switch to pass heartbeats to the IDP appliances in the HA cluster.
For instructions on configuring your switch, please consult your switch manufacturer’s
operating manual.
Note: Switches that do not support IGMP cannot be used for a standalone HA configuration and
are not supported. “Standalone HA Switch Compatibility” on page 224 lists switches that support
IGMP and provides additional information about configuring specific network switches.
To decode heartbeat packets, use the NetScreen patch for tcpdump that decodes the
heartbeat packet data. This patch has been applied to the version of tcpdump that is
installed on the Sensors; the patch is also available on the NetScreen Support Web site.
Note: The NetScreen tcpdump patch has been updated for IDP 2.1.
Use the following guidelines when decoding heartbeat packets with TCPdump:
• Heartbeats go out UDP/5505. Outbound heartbeat packets appear to use the interface
of the default route. In reality however, they use the correct interface (heartbeat
interface). This distortion is due to the IDP kernel module.
• The default snaplen (-s) is 68 bytes, which is not enough to decode the entire
heartbeat packet. Minimum heartbeat packet size is 112 bytes.
• To verify the MD5 checksum, compile tcpdump with libcrypto support. Pass the
command: -H <secret> to tcpdump and capture the entire heartbeat packet.
• Heartbeat decoding has three levels: terse, verbose, and very verbose.
– Terse decodes only basic information (default setting).
– Verbose (-v) decodes the entire heartbeat header.
– Very Verbose (-vv) decodes the entire heartbeat header as well as the physical
and cluster interface information.
From the Sensor command line, type mcasttest -h for a list of options, or see the mcasttest
man page for more details.
You must enter an ARP entry for every non-multicast device that exists on each side of
the HA cluster; if you have several devices, the number of required ARP entries could
potentially be very large. A sample network diagram and the static ARP entry
calculations for Proxy-ARP mode is shown below.
Determining HA Status
Viewing HA Status from Command Line
You can verify HA Cluster connectivity using SCTOP commands at the Sensor command
line. Perform the following connectivity test after you have added the second Sensor to the
HA Cluster and repeat for each subsequent Sensor added:
1. From the Sensor command line, type the command: sctop. The sctop menu displays.
2. Type w to select HA status. The node and Cluster statistics for the IDP Sensor
display. An UP status indicates that the node is functioning normally; a DOWN
status can indicate that the node is not sending heartbeats, not receiving heartbeats,
or the switch is experiencing problems.
• The icon indicates the cluster is experiencing problems. This can indicate that
one or more Sensors in the cluster is not functional, or that one or more processes on
the sensor is overloaded.
• Forwarding Networks and Interfaces. The interfaces that connect the IDP
appliance to the external network and protected network are a forwarding interfaces.
You use the forwarding interfaces to send and receive network traffic. You can choose
multiple forwarding interfaces on the IDP Sensor; however, the forwarding interfaces
on the protected network must use IP addresses that are different from the
Management IP address so the IDP appliance can route correctly.
• The State Sync Network and Interface (Dedicated Network). The interface
that connects to other IDP appliances is a state-sync interface. The state-sync
interface is used for communication between the IDP Sensors. State-sync networks
can be any dedicated network, including RFC1918 non-routable networks.
• The Management Network and Interface. The interface that connects to the
Management Server is the Management Interface. You use the management
interfaces (or one of the forwarding interfaces) to manage the IDP Sensor from the
User Interface. You must choose one interface as the Management interface and
assign it a routable IP address for that network segment.
A sample network/interface configuration is shown below:
Forwarding Interface
to external network
Forwarding Interface
can also be management
interface to the protected network
Example Configurations
Use the example configurations in this section to help you determine which IP addresses
and networks to use when installing and configuring the IDP system. Each example
includes a network diagram with IP and MAC addresses for the HA cluster and the
settings for that cluster.
Multicast Proxy-ARP
The following diagram shows the network connections for IDP appliances in proxy-ARP
mode in an HA cluster that uses multicast.
Firewall 10.0.113.254
External Network
10.0.113.0/24
Cluster IP 10.0.113.4
Cluster MAC 01:00:00:00:00:10
Eth0 10.0.113.1
GW 10.0.113.254
Node 1
idpHA1 Eth2 192.168.0.1
Eth1 10.0.113.17 Eth0 10.0.113.2
GW 10.0.113.254
Node 2 State Sync
idpHA2 Eth2 192.168.0.2 192.168.0.0/24
Eth1 10.0.113.18 Eth0 10.0.113.3
GW 10.0.113.254
Node 3
idpHA3 Eth2 192.168.0.3
Eth1 10.0.113.19
Cluster IP 10.0.113.20
Cluster MAC 01:00:00:00:00:11
Protected Network
10.0.113.0/24
Cluster Settings
The configuration above uses the following Cluster settings. You configure these cluster
settings during the Sensor configuration process using ACM. All Sensors in the HA
cluster use the same HA cluster settings to enable schad communication. These Cluster
settings determine how the HA daemon verifies and manages the state of the cluster.
Schad Communication
shared secret N3t5cr33n
cluster ID 0
total nodes 3
interval 1 second
fail count 3
reintegrate count 5
Interface Settings
The configuration above uses the following interface settings. All Sensors in the HA
cluster use identical interface settings for a given interface. Ex. All eth0 interfaces on all
Sensors in the HA cluster use the same interface settings.
eth0 eth1
cluster ip 10.0.113.4 cluster ip 10.0.113.20
cluster mac 01:00:00:00:00:10 cluster mac 01:00:00:00:00:11
verify ip 10.0.113.254 verify ip 10.0.113.21
heartbeat ip 239.0.0.10 heartbeat ip 239.0.0.11
Multicast Router
The following diagram shows the network connections for IDP appliances in router mode
in an HA cluster that uses multicast
Firewall 10.0.113.14
External Network
10.0.113.0/28
Cluster IP 10.0.113.4
Cluster MAC 01:00:00:00:01:00
Eth0 10.0.113.1
GW 10.0.113.14
Node 1
idpHA1
Eth2 192.168.0.1
Eth1 10.0.113.17 Eth0 10.0.113.2
GW 10.0.113.14
Node 2 State Sync
idpHA2 Eth2 192.168.0.2 192.168.0.0/24
Eth1 10.0.113.18 Eth0 10.0.113.3
GW 10.0.113.14
Node 3
idpHA3 Eth2 192.168.0.3
Eth1 10.0.113.19
Cluster IP 10.0.113.20
Cluster MAC 01:00:00:00:01:01
Protected Network
10.0.113.16/28
Cluster Settings
The example configuration uses the following cluster settings:.
Schad Communication
shared secret N3t5cr33n
cluster ID 0
total nodes 3
interval 1 second
fail count 3
reintegrate count 5
Cluster settings determine how the HA daemon verifies and manages the state of the
cluster. To enable schad communication when you configure the IDP Sensor using ACM,
you must configure all Sensors in the HA cluster use the same HA cluster settings.
Interface Settings
The configuration above uses the following interface settings. All Sensors in the HA
cluster use identical interface settings for a given interface. Ex. All eth0 interfaces on all
Sensors in the HA cluster use the same interface settings.
eth0 eth1
cluster ip 10.0.113.4 cluster ip 10.0.113.20
cluster mac 01:00:00:00:01:00 cluster mac 01:00:00:00:01:01
verify ip 10.0.113.14 verify ip 10.0.113.21
heartbeat ip 239.0.0.10 heartbeat ip 239.0.0.11
The following diagram shows the network connections for this configuration:
Router
GW 10.156.113.254
External Network
10.156.113.0/24
Untrusted Untrusted
GW 10.156.113.254 GW 10.156.113.254
Eth3 10.156.113.204 Eth3 10.156.113.204
Eth3:1 10.156.113.205
Hub Eth3:1 10.156.113.205
Manage IP 10.156.113.201 Manage IP 10.156.113.202
HA
active/active
Trusted Trusted
Eth1 10.2.1.9 Eth1 10.2.1.9
Eth1:1 10.2.1.10 Eth1:1 10.2.1.10
Manage IP 10.2.1.11 Manage IP 10.2.1.12
Cluster IP 10.2.1.15
Cluster MAC 01:00:00:01:00:00
Hub
Protected Network
10.2.1.0/24
Cluster Settings
The example configuration uses the following cluster settings:.
Schad Communication
shared secret N3t5cr33n
cluster ID 0
total nodes 2
interval 1 second
fail count 3
reintegrate count 5
Cluster settings determine how the HA daemon verifies and manages the state of the
cluster. To enable schad communication when you configure the IDP Sensor using ACM,
you must configure all Sensors in the HA cluster use the same HA cluster settings.
Interface Settings
The example configuration uses the following interface settings.
eth1 eth0
cluster ip 10.2.1.1 cluster ip 10.2.1.15
cluster mac 01:00:00:02:00:00 cluster mac 01:00:00:01:00:00
verify ip (node 1) 10.2.1.9 verify ip (node 1) 10.2.1.20
verify ip (node 2) 10.2.1.10 verify ip (node 2) 10.2.1.20
heartbeat ip 239.0.0.10 heartbeat ip 239.0.0.11
All Sensors in the HA cluster use identical interface settings for a given interface, except
for the eth1 verify ip:
• For node 1, the eth1 verify ip is 10.2.1.9, which is the trusted vsi of the first vsd.
• For node 2, the eth1 verify ip is 10.2.1.10, which is the trusted vsi of the second vsd.
Note that the eth1 verify ip for each IDP appliance is also the default gateway for that
IDP appliance.
Note: Some switches might work even though they are not recommended.
Vendor Product SW/FM Cluster Forwarding Mode Notes Tested Rcmd
Version a
IGMP Multicast Unicast ?
Piggyback MAC MAC
b
Foundry FastIron 7.5 Yes Yes No Requires multicast Yes Yes
Workgroup filters.
b
Foundry FastIron 6.x Yes No No Upgrade to 7.5 SW. Yes No
Workgroup
b b
Foundry BigIron 7.2 Yes No No 7.5 SW should work. Yes No
Nortel/Alteon AceDirector AD3 Yes No No Yes No
Nortel/Alteon AceDirector Yes Yes No Yes Yes
184e
b
Cisco Catalyst 3500XL 12.0(5)WC7 Yes No No Other 3500 series Yes Yes
(released 03- should work.
05-2003)
b
Dell PowerConnect Yes No No Tested. Yes No
3524
b b
Extreme Extreme Summit Extremeware No No No NetScreen has tested Yes No
24e3 6.2e.1 (build and confirmed that this
15), released switch does not work.
08-13-2002
b b b
Cisco Catalyst 5xxx/ Yes Yes No Stonesoft docs indicate No Yes
6xxx Series these switches work.
b b b
Cisco Catalyst 2900XL IOS 12.0 (5.1) Yes Yes Yes NetScreen has tested Yes Yes
XP, released the Cisco 2950 and
12-10-1999 confirmed that this
switch does not work.
Other 2900 series
should work.
b b b
Nortel/Bay BayStack 450 Yes No No Stonesoft docs indicate No No
this switch works.
b b b
Nortel Business Policy No No No Stonesoft docs indicate No No
Switch 2000 this switch works.
b b b
Nortel Passport 1200 No No No Stonesoft docs indicate No No
this switch works.
b b b
Nortel Passport 8100 No No No Stonesoft docs indicate No No
this switch works.
b b b
Nortel Passport 8600 No No No Stonesoft docs indicate No No
this switch works.
a.This mode requires setting the cluster MAC for a given interface to the same MAC used by the IP multicast address (also used for
heartbeats). This mode is not recommended due to potential ARP compatibility issues with other devices on the network. Unless
otherwise noted, the switch has not been tested in this mode.
Layer-2 Unicast/Multicast
The standalone HA solution uses two types of multicast traffic:
• IP multicast is used to pass heartbeat packets between nodes.
• MAC (layer 2) multicast is used to forward network traffic to the networks on each
side of the HA cluster. Devices on the network that want to talk to a device on the
other side of the HA cluster use the Cluster MAC address in the destination field of
the ethernet frame. Additionally, the nodes in an HA Cluster receive incoming
packets via a Cluster IP, which is mapped to a multicast or unicast Cluster MAC
address to enable all Sensors to receive a copy of all network traffic.
To enable nodes in an HA cluster to communicate with network on each side of the cluster
and with other nodes, you must:
• Manually configure your network switch/s to pass layer-2 multicast or unicast MAC
traffic to the IDP appliances in the HA cluster.
• Enable IGMP on your network switch/s to pass heartbeats to the IDP appliances in
the HA cluster.
• The forwarding switch must also pass multicast IP traffic (heartbeat packets) to the
other nodes in the HA cluster. To accomplish this, the administrator can enable IGMP
on the network switch. IGMP is a protocol that enables switches to automatically
learn about devices that belong to an IP multicast group. Some switches have IGMP
enabled by default.
VLANs
Because the security features of VLAN implementations differ, NetScreen recommends
that you do not use VLANs to separate traffic on each of the HA cluster. Use a dedicated
switch instead. For more information on VLANs, see “Tagged Interfaces & Virtual
Routers” on page 195.
Switch Hardware
This list is not comprehensive of every switch or vendor that does or does not work in a
standalone HA configuration. Different versions or branches of the switch software might
behave differently than those devices tested.
Tested Switches
NetScreen has tested several switches in standalone HA configurations. The following
switches work when properly configured:
• Foundry FastIron Stackable series (multicast with filtering). NetScreen has tested:
– Foundry FastIron 400, IronWare 07.6.03 (released 05-08-2003)
• Foundry BigIron Chassis series (multicast with filtering)
• Cisco Catalyst (IOS series) switches (unicast or multicast with filtering). NetScreen
has tested:
– Cisco Catalyst 3500XL, 12.0(5)WC7 (released 03-05-2003)
– Cisco Catalyst 2900XL, IOS 12.0 (5.1) XP (released 12-10-1999)
• Cisco Catalyst (CatOS series) switches (multicast with filtering). NetScreen has
tested:
– Cisco Catalyst 6509, CatOS 5.5(1).
Untested Switches
NetScreen has not tested all switches in standalone HA configurations. Typically, the
older the switch, the less likely it will work.
The following switches should work when properly configured:
• Juniper
• Nortel Passport 1200
• Intel
If you use an untested switch in your network, NetScreen recommends that you contact
the switch manufacturer before you implement an IDP HA configuration. The switch
manufacturer might be able to provide internal test results, configuration guides, or
reference other customer installations to help you implement IDP HA successfully.
Unknown Switches
NetScreen has not tested the following switches:
• Centillions (now Nortel)
• Shasta (now Nortel)
• Accellars (now Nortel)
Configuring Switches
This section includes details for configuring Foundry, Cisco IOS, Cisco COS, and HP
Procurve switches.
Foundry
NetScreen has tested the following Foundry switch:
• Foundry FastIron 400
• IronWare 07.6.03, released 05-08-2003
• Multicast only
• Proxy-ARP and Router
• Load-Balancing and Hot-Standby
ip multicast passive
This enables the switch to learn about heartbeat IP Multicast via IGMP.
2. Prevent traffic to the HA cluster from being broadcasted to all ports on the VLAN by
typing the commands:
HP Procurve Series
NetScreen recommends that you do not use an HP Procurve switch as they cannot keep
static MAC address entries. You can configure the HP Procurve to forward all multicast
traffic to certain ports, but performance and security might suffer. By default, IGMP is
disabled on HP Procurve switches.
1. Enable IGMP and multicast traffic forwarding by typing the command:
Port 1 Port 2
Cluster IP 10.0.113.4/24
Node 1 Cluster MAC 01:00:00:00:01:00 Node 2
idpHA1 idpHA2
Eth0 10.0.113.1/24
Eth0 10.0.113.2/24
Eth2 192.168.0.1/24 Eth2 192.168.0.2/24
Eth1 10.0.113.17/24
State-Sync Switch Eth1 10.0.113.18/24
Cluster IP 10.0.113.20/24
Cluster MAC 01:00:00:00:10:10
Port 1 Port 2
Deployment Modes
You can deploy the IDP appliances in high availability using two methods:
• As an active gateway bridge using two NetScreen firewall appliances that support
NSRP.
• As an active gateway router using two Alteon AceDirectors
To choose the deployment mode for your network, determine your existing third-party
failure protection and/or load balancing hardware, then determine how your existing
network configuration of IP addresses and subnetworks is currently constructed.
Review the information in the following sections and choose a deployment mode that
works with your existing hardware.
You can choose multiple interfaces on the IDP appliance as forwarding interfaces.
However, to increase performance, NetScreen recommends that you assign
forwarding interfaces to those interfaces that share a network driver: For IDP 10, 100,
and 500 appliances, use eth0 and eth1 as forwarding interfaces, or use eth2 and eth3
as forwarding interfaces.
• The State Sync Network and Interface (Dedicated Network). The state-sync
interface connects the IDP appliances. The HA daemon uses the dedicated state-sync
interface to synchronize traffic flow between the IDP Sensors. State-sync IP addresses
can be any IP address, including RFC1918 non-routable IPs.
• The Management Network and Interface. The interface that connects to the
Management Server is the management interface. Use the management interface to
manage the IDP Sensor from the User Interface. Choose one interface as the
Management interface and assign it a routable IP address for that network segment.
To use a forwarding interface as a management interface, you can assign the interface
an IP address. However, because of security risks, NetScreen does not recommend
this option. Instead, use a dedicated interface for management—this option decreases
the risk that an attacker might be able to communicate directly with the IDP Sensor.
4. Using the ACM, configure the Sensor software on each IDP appliance to use bridge
mode, third-party HA, hot standby:
– You must use a stealth interface (no assigned IP address) for the forwarding
interface that does not connect to the IDP Management Server.
– You must assign an IP address to the management interface on each IDP
appliance. If you are using a forwarding interface as a management interface, you
must assign that interface an IP address.
– If you are using a dedicated management interface, you can use a stealth interface
for all forwarding interfaces on the IDP appliance.
Network Configuration
The diagram below shows an example network configuration:
External Network
Network 1
NetScreen NetScreen
Firewall Firewall
HA
Network 3
IDP IDP
Network 2
Protected Network
IP Configuration
The diagram below shows an example IP configuration:
Router 10.2.0.254
HA
Untrusted 10.2.0.2 active/passive Untrusted 10.2.0.2
GW 10.2.0.254 GW 10.2.0.254
NetScreen NetScreen
Firewall Firewall
Trusted 10.2.1.12 Trusted 10.2.1.12
State Sync
IDP Eth0 Stealth 192.168.0.0/24 Eth0 Stealth IDP
Node 1 GW 10.2.1.12 GW 10.2.1.12 Node 2
idpHA1 idpHA2
Eth2 Eth2
Eth3 10.2.1.22 Eth1 Stealth 192.168.0.1 192.168.0.2 Eth1 Stealth Eth3 10.2.1.23
Management Management
This diagram displays a dedicated management interface with IP address for each IDP
appliance. Both forwarding interfaces for each IDP appliance are stealth interfaces,
indicating that they do not have an assigned IP address.
Note: NetScreen recommends Alteon ACEdirector load balancers for your third party failure
protection. However, any OPSEC-compatible, hardware-only load balancing solution should work.
To deploy with Alteon ACEdirectors:
1. Setup and configure your load balancers using the vendor documentation.
2. Connect the IDP Sensors to your network.
3. Using the ACM, configure the Sensor software on each IDP appliance to use router
mode, third-party HA, load balancing. You must also assign IP addresses for each
network that connects to the IDP
Network Configuration
The diagram below shows an example network configuration:
External Network
Network 1 Network 1
LoadBalancer
Network 3
IDP IDP
LoadBalancer
Network 2 Network 2
ProtectedNetwork
• Network 1 connects the external network and load balancer to the IDP Sensors.
• Network 2 connects the protected network and load balancer to the IDP Sensors.
• Network 3 connects the IDP Sensors to each other.
For complete step-by-step setup instructions for IDP third-party high availability with
Alteon ACEdirectors, see the High Availability QuickStart Guide, IDP 100 & 500.
IP address configuration
The diagram below shows an example IP configuration:
Firewall 10.0.113.254
10.2.10.1
10.2.0.1 10.2.0.2
Load Balancer
State Sync
192.168.0.0/24
IDP Eth0 10.2.0.11 Eth0 10.2.0.12
IDP
Node 1 Node 2
idpHA1 Eth2 Eth2 idpHA2
Eth1 10.2.1.11 Eth1 10.2.1.12
192.168.0.1 192.168.0.2
Load Balancer
10.2.1.1 10.2.1.2
10.2.20.1
Enabling STP
To enable STP, edit the user_funcs file on the Sensor:
1. From the Sensor command line, open /usr/idp/device/bin/user_funcs
in a text editor.
2. Locate the line: user_start_end() and add the following line below:
Monitoring STP
To monitor the STP state for each forwarding interface, use the sctop command line
utility with option p.
Disabling STP
To temporarily disable STP until the next Sensor reboot or until you restart the Sensor
processes, type the command:
scio const -v vr0 set sc_stp_enabled 0
CPMI server Authentication Port 18190 is the default port. You do not need to
change this setting.
Object Name
Communications Password
OPSEC Application DN Name
FW-1 Management Server DN Name
/usr/idp/mgt-svr/utils
2. Using the information in the CPMI table, enter the following commands:
opsec_pull_cert -h <FW-1 management server host ip>
-n <object name>
-p <communication password>
-o /usr/idp/mgt-svr/var/sysinfo/opsec.p12
3. Change the user and group permissions of the opsec.p12 file to idp by typing the
following command:
This Check Point FW-1 Network Object is imported... ... and becomes this IDP
Network Object
Check Points > Gateway Host
Nodes->Gateway Host
Nodes->Host Host
Networks->Network Network
Groups Groups
FW-1 network objects not included in the table above are not imported.
Note: IDP also imports the IP address of the FW-1 Network Object. For OPSEC objects that
include multiple IP addresses, IDP imports only the IP Address that is defined in the General
Properties tab for that Network Object.
To import OPSEC objects:
1. In the User Interface (UI), click the Objects component in the Navigation Tree.
2. From the File menu, select Import OPSEC.
A dialog box appears, indicating the import progress. During this time, the
Management Server is re-loading its Network Object cache.
When the Management Server completes the import process, the OPSEC
confirmation dialog box appears.
3. Click OK to close the OPSEC dialog box.
4. Click the Network Objects category in the Object Editor to view your imported FW-1
objects.
If an imported OPSEC object name is identical to an existing IDP Network Object name,
IDP adds _opsec to the OPSEC object name.
Troubleshooting
Occasionally, FW-1 network objects do not import as expected. If an import process fails,
the IDP system creates error messages to help you troubleshoot the import process. A
complete list of successfully imported objects and any associated error messages are
located in the /usr/idp/mgt-svr/var/sysinfo/logs directory.
This directory also includes error messages for all IDP Management Server processes.
U se command line utilities to manage and troubleshoot the IDP system from the
command line interface. NetScreen provides the command line utilities shown
below:
• idp.sh. Starts, stops, and monitors the status of Sensor processes.
• mgtSvr.sh. Starts and monitors the status of the Management Server.
• scio. Configures the IDP system.
• sctop. Monitors connection tables and displays Sensor status.
The following sections detail each command line utility location, option, functions, and
arguments.
MGTSVR.SH COMMANDS
Use the mgtSvr.sh utility to control Management Server processes:
Location /usr/idp/mgt-svr/bin
Syntax mgtSvr.sh <options>
Options Function Arguments
start Starts the Management Server. None
Displays the status of the
status Management Server.
None
IDP.SH COMMANDS
Use the idp.sh utility to control Sensor processes.
Location /usr/idp/device/bin
Syntax idp.sh <options>
Options Function Arguments
start Starts the Sensor. None
status Displays the status of the Sensor. None
stop Stops the Sensor processes. None
SCIO COMMANDS
Use scio commands to configure the IDP system. Many scio commands are replicated by
the parameters in the Sensor Settings Rulebase.
Location /usr/bin
Syntax scio [command] [options] [arguments]
subs
Use the subs command to manage Sensors on a virtual circuit.
Syntax scio subs <options> <arguments>
Options Function Arguments
define Defines a new Sensor. <sub name>
undef Clears a Sensor definition. <sub name>
attach Attaches a Sensor to a virtual circuit. <sub name> <vc name>
Detaches a Sensor from a virtual
release circuit.
<sub name> <vc name>
const
Use the const command to set and view kernel constants.
Syntax scio const <options> <arguments>
Options Function Arguments
get Displays the value of a constant. <name>
set Specifies the value of a constant. <name>
list Displays all constant–value pairs. <name> <value>
vc
Use the vc command to manage virtual circuits and sniffer mode.
Syntax scio vc <options> <arguments>
Options Function Arguments
list Displays defined virtual circuits. None
define Specifies a virtual circuit. <vc name>
undef Clears a virtual circuit definition. <vc name>
Sets or unsets an interface as an
external interface. Logs generated
external from packets arriving on this <vc name> <set | unset>
interface have the external bit set or
unset.
vr
Use the vr command to manage virtual routers.
Syntax scio vr <options> <arguments>
Options Function Arguments
list Displays all defined virtual routers. None
define Defines a new virtual router. <vr name>
undef Clears a virtual router definition. <vr name>
Attaches a virtual router to a virtual
attach circuit.
<vr name> <vc name>
var
Use the var command to display variable settings for a Sensor or virtual router.
nic
Use the nic command to attach or detach the kernel module to or from a network
interface card (NIC). Default setting: Attach/detach all NICs.
policy
Use the policy command to manually load and unload a Security Policy.
If Management Server flows are not exempted from IDP detection methods, Security
Policies that drop any traffic for any service can create communication problems between
the User Interface and the Management Server. By default, the Sensor exempts all flows
between the Sensor and the Management Server and does not apply Security Policy rules
to Sensor-Management Server connections.
To view or modify this setting, edit the general parameters in the Sensor Settings
Rulebase in the UI.
Syntax scio policy <options> <arguments>
Options Function Arguments
Installs a rulebase on a Sensor from
load the policy file.
<sub> <filename>
version
Use the scio version command to show the version of the Sensor.
sysconf
Uses the sysconf command to display Sensor configuration information.
Syntax scio sysconf <options>
Options Function
protocols Displays protocols supported by the Sensor.
attacks Display analyzed attacks supported by the Sensor.
contexts Displays contexts that can be searched for attacks.
ptypes Displays protocols the kernel can detect.
all Displays all statistics shown above for a Sensor.
ha
Use the ha command to manage high availability (HA) clusters.
Syntax scio ha <options> <arguments>
Options Function Arguments
<ha cluster> <ha id> <subs
define Defines a new HA cluster.
name>
undef Clears an HA cluster definition. <ha cluster>
Configures an HA cluster to use a
use virtual circuit as an HA interface.
<vc name> <ha cluster>
SCTOP COMMANDS
Use sctop commands to monitor the Sensor connection tables and view Sensor status:
Location /usr/bin
Syntax sctop <options>
Options Function
-h Displays help for the sctop utility.
-a Displays the ARP/MAC table.
-i Displays the IP flows.
-c Displays the ICMP flows.
-u Displays the UDP flows.
-t Displays the TCP flows.
-r Displays the RPC program table.
-x Displays the RPC XID table.
-s Displays status information about the Sensor.
-m Displays system memory statistics.
-l Displays Q-module statistics.
-e Displays rulebase statistics.
Location /usr/bin
Syntax sctop <options>
Options Function
-g Displays aggregate statistics.
-k Displays attack statistics.
-p Displays spanning tree protocol information.
-b Displays IP Action table.
-w Displays HA status.
-0 Disables sorting.
-3 Sorts by expiration.
-4 Sort by service.
The Flag column has five sections, with the following options:
- - - - -
Flow State Management Flow Auxiliary Flow Packet Logging Flow Sync
R Ready m Management Auxiliary Packet Flow failed
a p h
A Anticipated Flow Flow Logging over
• R----
Flow is Ready, non-management, non-auxiliary, no packet logging, normal.
• Rm---
Flow is Ready, management, non-auxiliary, no packet logging, normal.
• A--ps
Flow is Anticipated, non-management, non-auxiliary, with packet logging, and
synched over from another IDP.
T o deploy IDP with two Nokia FireWall-1 appliances, you must use bridge mode. For
instructions on setting up and configuring Nokia firewalls, please consult the firewall
vendor documentation. After you have configured the firewalls and verified that they
are working properly, connect the IDP Sensors to your network.
External Network
Virtual Router
Firewall Firewall
IDP HA IDP
Sensor Sync Sensor
Protected Network
The two firewalls and the two IDP Sensors combine to form a virtual router. Although
these are four machines, the network sees them as one entity:
External Network
Virtual Router
Network 1
Firewall Firewall
Network 3
IDP IDP
Sensor Sensor
Network 2
Protected Network
Internet
Firewall 10.2.0.254 Router
10.2.0.2 10.2.0.3
FireWall-1 FireWall-1
10.2.1.12 10.2.1.11
State Sync
Eth0 192.168.1.1 192.168.0.0/24 Eth0 192.168.1.2
VRRP
Nokia firewalls in the HA cluster use the Virtual Router Redundancy Protocol (VRRP) to
send VRRP messages to each other. To enable VRRP communication and ensure proper
failure protection, you must configure the IDP appliances in the cluster to recognize the
IP Multicast address of the VRRP protocol and configure the Nokia firewalls to use ICMP
active gateway
IDP is deployed to take full advantage of IDP attack prevention capabilities by running
inline. Active Gateway has three deployment modes: bridge, proxy-ARP, or router.
admin user
An IDP user type who has full privileges in the IDP User Interface and can write to the
IDP Management Server. Admin users can add and delete other users.
alarm
1. A column in the Log Viewer. 2. A log record that represents an important event. If an
alarm is configured for a rule in the Security Policy, when the rule is matched the
corresponding log record displays an alarm in the alarm column of the Log Viewer.
Security administrators use alarms to become aware of and react to important security
events.
alert
Warnings that correspond to the performance of IDP devices or device processes. You
configure alerts in the Device Monitor. 2. Disk space alerts warn the user that IDP is
about to purge logs in the Management Server to save space. You configure disk space
alerts in IDP Management Server settings.
attack
Attacks attempt to exploit vulnerabilities in computer hardware and software. Depending
on the severity of the attack, it might disable your system completely, allow an attacker to
gain confidential information stored on your system, or use your network to attack other
networks.
Attack Object
A signature or protocol anomaly that is combined with context information. Attack
Objects are used in Main Rulebase rules to match malicious traffic patterns. Each Attack
Object detects a known attack or protocol anomaly that can be used by an attacker to
compromise your network.
Attack Summary
A section of the Dashboard that displays the top 10 attacks on a network over a specified
period.
backdoor
A mechanism installed on a host computer that facilitates unauthorized access to the
system. Attackers who have already compromised a system can install a backdoor to
make future attacks easier. When attackers send and retrieve information from backdoor,
they generate interactive traffic, which can be detected and prevented by the Backdoor
Detection Rulebase.
binding
The connection that links a signature to the service context in which it occurs. The service
binding for each signature is defined in the signature Attack Object. You can view or set
bindings in the Signature Editor dialog box.
bridge mode
A deployment mode of the IDP system. In this mode, the IDP system acts as a networking
bridge, forwarding packets within the same logical network subnet, which is broken into
several physical parts. Packets are forwarded transparently; you do not need to configure
other network devices to be aware of the IDP Sensor.
buffer overflow
An event that occurs when a program or process attempts to store more data in a buffer
than the buffer was intended to hold. Buffers, which provide temporary data storage, are
designed to contain a finite amount of data; any additional data can overflow the buffer
zone and attempt to enter nearby buffers, corrupting or overwriting that buffer's existing
data.
BugTraq
A moderated mailing list that discusses and announces computer security vulnerabilities.
www.bugtraq.com
component
One of the seven parts of the User Interface: Dashboard, Log Viewer, Security Policy
Editor, Object Editor, Device Monitor, Reports, and Log Investigator. A component
selected in the Navigation Tree appears in the main display area.
context
The matching criteria for an Attack Object: line, packet, stream, or network traffic
protocol. Specifies where IDP should look for patterns to match Attack Objects.
CVE
The Common Vulnerabilities and Exposures (CVE) forum is a standardized list of
vulnerabilities and other information security exposures.
Dashboard
A customizable User Interface component that provides vital real-time statistics of your
network.
dependent axis
The axis of the Log Investigator that provides secondary information based on the
primary information in the independent axis. Example: If the dependent axis is set to Top
Sources and the independent axis is set to Top Attacks, the Log Investigator displays the
most popular source IP address and the attacks that each source IP generated.
device
Constituent parts of the NetScreen-IDP system: the IDP Management Server and IDP
Sensor.
Device Monitor
A component of the User Interface that displays real-time availability and performance
status information on IDP Sensors and the IDP Management Server on your network.
Device Status
1. The section of the Dashboard component that displays a quick summary of the
performance status of IDP Sensors and the IDP Management Server on your network. 2.
A view of the Device Monitor that displays availability and performance status
information for IDP Sensors and the IDP Management Server on your network
disabled rule
A rule that has been temporarily removed from inclusion (but not deleted) in a Security
Policy rulebase.
DNS
An acronym for Domain Name Service. DNS allows you to enter a host name instead of an
IP address for network objects. If DNS is configured, the Sensor can also resolve IP
addresses by performing domain name lookups from Sensor console.
false positive
Any situation in which benign traffic causes an IDS to generate an alarm; also known as a
false alarm.
filter
A method of sifting log records by individual Log Viewer columns.
flag
A setting applied to log records in the Log Viewer. A flag setting can be one or the
following: High, Medium, Low, Closed, False Positive, Assigned, Investigate, Follow-Up,
or Pending.
forwarding interface
The ethernet port (interface) that the IDP Sensor uses to forward traffic to the external or
internal network.
FQDN
An acronym for Fully Qualified Domain Name. A FQDN consists of a host and domain
name, including the top-level domain. For example, www.mycompany.com is a fully
qualified domain name: www is the host, mycompany is the second-level domain, and
.com is the top level domain. A FQDN starts with a host name and continues to the top-
level domain name, so www.sensor1.mycompany.com is also a FQDN.
group
An object in the IDP system that contains related objects. You can create Network,
Service, or Attack Object groups to use in Security Policies or Dashboard Watch Lists just
as you would individual objects.
heartbeat interface
The interface that the IDP Sensor uses to send heartbeats. IDP Sensors joined in a high
availability configuration use heartbeats to share state information with each other.
Heartbeats use the heartbeat protocol.
heartbeat protocol
The protocol that determines how heartbeats operate. The heartbeat protocol (HB) sends
one or more heartbeats to all other IDP Sensors in the HA cluster once every interval. If
an IDP Sensor fails to send a heartbeat for the specified number of times in a row (the
failure count), the other IDP Sensors consider that Sensor inactive and begin to accept
traffic for that Sensor.
hot standby
A high availability configuration in which a primary IDP Sensor handles all network
traffic while a secondary IDP Sensor stands by. If the primary IDP Sensor fails, network
traffic is redirected to the secondary IDP Sensor.
ICMP
An acronym for Internet Control Message Protocol, a protocol that allows the passing of
error, control, and informational messages.
ICMP sweep
An attack that uses a single source IP address to ping multiple IP addresses on your
network.
IDP appliance
The hardware device that contains the IDP Sensor software pre-installed. You configure
the IDP Sensor software on the IDP appliance when you install the IDP system.
IDP Sensor
One of the three tiers of the IDP system. IDP Sensors can operate as passive sniffers to
monitor network traffic, or as in-line devices that detect and protect against intrusions by
sending alarms and resetting or dropping connections. The Sensor software is pre-
installed on the IDP appliance and can be configured to protect your networks and hosts
using the Appliance Configuration Manager (ACM).
idp.sh
A command line utility that starts, stops, and monitors the status of IDP Sensor
processes.
independent axis
The axis of the Log Investigator that defines the primary set of information. Example: If
the independent axis is set to Top Attacks and the dependent axis is set to Top Sources,
the Log Investigator displays the most popular attacks and the source IP addresses that
generated them.
initialization state
A state of the IDP Sensor. When a Sensor initially powers on, it enters the initialization
state. When initialization of the Sensor is complete, it moves to an active state and begins
forwarding traffic. You can also choose to forward traffic during the initialization state.
in-line
The position of the IDP appliance in the network traffic flow. When IDP is deployed in-
line, it is positioned directly in the path of packets, where it can actively prevent attacks.
interactive traffic
Network traffic that indicates human involvement in a normally automated process, such
as a user typing commands. Interactive traffic looks different than other traffic because
humans are manually controlling one end of the connection. In a connection between two
programs, the data transfer is automated; TCP packets can batched and sent in bulk for
efficiency. In a connection between a program and user, packets are sent when they
become available; characters display as they are typed (not after the word is complete).
Interactive programs transmit several short IP packets containing individual keystrokes
and their echoes, reflecting the real-time actions of a user (or attacker).
IP action
Traffic-handling instructions for the NetScreen-IDP Sensor. IP actions are dynamically
generated actions (triggered by rule match) that can affect future traffic based on previous
traffic. You can set IP actions in the Main, Network Honeypot, or Traffic Anomalies
rulebases.
IP spoofing
The practice of mimicking, or "spoofing" the source IP address of an IP packet. Every IP
packet includes the destination IP address (where the packet is going) and the source IP
address (where the packet came from). The routers that provide Internet communication
between distant computers determine the best route for the IP packet using only the
destination IP address, and typically ignore the source IP address. An attacker can fake
the source IP address of a malicious IP packet (by modifying the packet headers) so that
the packet appears to come from a trusted system.
key
A unique name that identifies an Attack Object internally in the IDP system and in the
Log Viewer.
link-check
An activity that verifies the status of the IDP appliance's interfaces. Each interface pings
specified IP addresses at regular intervals to ensure that they can send and receive
traffic.
load balancing
A high availability configuration in which all IDP Sensors in an HA cluster share network
traffic equally. If one IDP Sensor fails, network traffic is redirected to the other IDP
Sensors in the HA cluster.
log records
A record of a security event. Log records are created when IDP rules are triggered or when
the IDP system performs a standard function. Log records are stored in log files on the
IDP Management Server.
Log Viewer
The User Interface component that is used to view log records.
log
A grouping of log records. Logs are archived on the IDP Management Server until deleted.
MAC
An acronym for Media Access Control (MAC) addresses. MAC address are physical
hardware addresses that uniquely identify each node of a network. The MAC address is
assigned by the hardware manufacturer when the hardware is produced.
Main Rulebase
A rulebase in the Security Policy Editor that protects the network from attacks by using
signature and protocol anomaly Attack Objects to detect and prevent malicious activity.
management interface
The IDP appliance ethernet port (interface) that is used for communication between the
IDP Sensor and the IDP Management Server. Each IDP Sensor has a management
interface with an IP address that is accessible by the IDP
menu bar
The area of the User Interface that contains clickable commands. You can access many
menu bar commands using keyboard shortcuts.
mgtSvr.sh
A command line utility that starts and monitors the status of the IDP Management
Server.
Multi-Method Detection
A combination of detection methods. Each rulebase in the IDP system uses a specific
detection method to identify and prevent attacks. Together, these detection methods
provide a Multi-Method Detection system that can thwart almost any attack, including
reconnaissance, network-level, application-level, and backdoor intrusion attempts.
Navigation Tree
The area of the User Interface that lists the UI components. When you select a component
in the navigation tree, the component displays in the main display area.
netmask
A string of zeroes (0) and ones (1) that screen or “mask” the network section of an IP
address so that only the host computer section of the address remains. Netmasks are used
to produce ranges of IP addresses from a single IP address.
User Interface
The Graphical User Interface that IDP users use to manage the NetScreen-IDP system,
view system status, manage Security Policies, and view and examine log record data.
network
Two or more computers and devices that are connected to each other. A connected
computer or device is called a network component; components can share the information
and resources of other components on the network.
Network Object
A representation in the IDP system of a workstation, router, switch, subnetwork, IDP
Sensor, or other device on your network. Network Objects represent your network
topology in the Object Editor, Security Policies, and log records.
network scan
An attack in which a single source IP address attempts to connect to multiple IP
addresses on a network. Network scans provide attackers with valuable information
about your network configuration.
object
The building block of the IDP system. Network Objects represent components of your
network; Service Objects represent services running on your network; and Attack Objects
represent specific patterns of malicious activity or protocol anomalies within a connection.
You can create objects in the Object Editor.
Object Editor
The User Interface component used to create and manage objects that represent your
network configuration or traffic.
offline mode
A Log Viewer mode in which new log records do not appear. The IDP Sensor continues to
generate and store log records in offline mode but does not display them. To see new log
records, you must select to view the Log Viewer in online mode.
online mode
A Log Viewer mode in which new log records appear as soon as they are generated by the
IDP Sensor and transferred to the IDP Management Server.
OPSEC
An acronym for Open Platform for Security. OPSEC is the de facto standard for enterprise
security interoperability.
pattern
A regular expression that is used as matching criteria in an Attack Object.
pcAnywhere™
A Symantec Corporation product that provides remote administration functionality.
Administrators can take control of remote machines.
port scan
An attack in which a single source IP address attempts to connect to every port on a single
machine. Ports scans provide attackers with valuable information about your network
configuration.
process status
A view of the Device Monitor that displays availability and performance status
information for processes on IDP Sensors and the IDP Management Server on your
network.
protocol anomaly
A deviation from the RFC specifications that dictate how communications between two
entities should be implemented. Most legitimate traffic does not deviate from the
protocols; when anomalies are detected they are often a sign of malicious traffic and seen
as a threat to the system
Protocol normalization
A method of reducing false positives. Normalizes traffic into a common format for
accurate analysis.
proxy-ARP
A deployment mode of the IDP system. In this mode, the IDP system acts as proxy,
sending ARP requests and replies between networks. An ARP request/reply is a
mechanism to resolve IP addresses. Network devices coming online send out ARP
requests to determine if a particular IP address is being used. With IDP, network nodes
use the Sensor's MAC address to send network traffic across segments. The IDP Sensor
relays existing ARP requests between networks and proxies replies by issuing its own
ARP replies. If the IDP Sensor is inserted between network segments, network nodes
attached to these segments might need to update their cached ARP entries.
proxy-ARP loop
A loop that occurs when the IDP Sensor answers an ARP request for an IP address owned
by another IDP appliance in the HA cluster. To prevent proxy-ARP loops, you must
configure each Sensor in the HA cluster to ignore the forwarding interfaces of the other
IDP appliances.
read-only user
An IDP user privilege type that has limited command access to the User Interface. Read-
only users cannot take control of or write to the IDP Management Server.
read-write user
An IDP privilege user type that has elevated command access to the User Interface. Read-
write users can write to the IDP Management Server.
Reports
1. Summarize threats and traffic behavior over time based on filtered log records. 2. A
section of the Dashboard that displays two selected IDP Reports.
Reports component
The User Interface component displays reports. You can generate and view reports based
on filtered log records that summarize threats and traffic behavior over time.
RFC extension
An addition to a Request For Comments (RFC) document that extends the regulatory
domain of the original RFC and defines additional requirements. An RFC extension can
also clarify ambiguous or implied requirements of the original RFC.
routing table
A table that contains network route information. The IDP Sensor's routing table contains
route information about the path that data packets should use when traveling through
the IDP Sensor. When a new data packet enters the network, routing algorithms look at
the packet's source and determine the optimal route to the packet's destination. This
information is stored in the routing table; other data packets with the same source and
destination automatically use the route specified in the routing table.
RPC
An acronym for Remote Procedure Call, a type of protocol that allows a program on one
computer to execute a program on a server computer.
rule
A user-defined match/action sequence. Rules are represented graphically in the Security
Policy Editor, where you can create, modify, delete, and reorder them in a rulebase.
rulebase
A set of rules that uses a specific detection mechanism to identify and prevent attacks.
schad daemon
A process that runs on each IDP Sensor in the HA cluster. The schad daemon provides a
method for the Sensor to determine its state, sends heartbeats to other Sensors in the HA
cluster, and passes cluster state information to the Sensor's kernel module.
scio
A command line utility that you can use to configure the IDP system.
sctop
A command line utility that you can use to monitor connection tables and display IDP
Sensor status.
Security Policy
A set of rulebases. Security Policies are created in the UI and stored on the IDP
Management Server so they can be accessed from a remote client anywhere on the IDP
protected network. Security Policies are installed on IDP Sensors, which log network
traffic based on the rules within the Security Policy.
service
An application-layer protocol that specifies how communication between two systems
(applications, servers, Ethernet cards, etc.) occurs.
Service Object
A representation of a service that is supported on your network.
session
A period of time over which an event is performed.
severity
The designated threat level of an attack (critical, high, medium, low, or informational).
Attack Objects use the severity setting that matches the threat level of the attack they
detect.
shared secret
A user-defined alphanumeric text string that authenticates heartbeat messages and
verifies that the heartbeat has not been altered during transmission.
signature
A pattern that exists within an attack. The signature pattern can be a specific segment of
code, a URL, a value in a packet header, etc. Signatures are used to create signature
Attack Objects, which use the signature pattern to detect the attack and prevent it.
sniffer/gateway interface
An ethernet port (interface) on the IDP appliance. The sniffer interface "sniffs" the
network traffic as it passes through the network hub or switch. Only IDP Sensors running
in sniffer mode have a sniffer interface.
sniffer mode
A deployment mode of the IDP system. When IDP is deployed as a passive sniffer, it
monitors and logs network traffic only and cannot provide attack prevention functionality.
SSH
An acronym for Secure Shell. SSH provides secure remote access to devices. You can use
SSH to access the IDP Sensor remotely.
state-sync interface
The ethernet port (interface) that is used for communication between the IDP Sensors in
an HA cluster. All Sensors have a state-sync interface with an IP address that is
accessible by all other Sensors in the cluster.
status bar
The area of the User Interface that displays additional information for selected
components.
stealth mode
A mode for the forwarding interface in bridge mode. Stealth mode interfaces do not have
IP addresses, which makes them easier to setup and more secure.
STP
An acronym for Spanning Tree Protocol. STP is a 802.1d specification by the Institute of
Electrical and Electronic Engineers (IEEE). The spanning tree algorithm (STA)
determines the best communication path between a switch and a node. All other paths are
blocked, but not disabled; if the chosen path becomes unavailable, the algorithm re-
calculates a new communication path.
synchronization interface
The state-sync interface of an IDP appliance in an HA cluster.
SYN-Protector Rulebase
A rulebase in the Security Policy Editor that protects your network from SYN flood
attacks by ensuring the three-way handshake is successfully performed for specified TCP
traffic.
syslog
A UNIX system-wide program that records system events in a standard format.
TCP
An acronym for Transmission Control Protocol. TCP is a primary protocol used on the
Internet to enable hosts to exchange data streams.
TCP scan
An attack method that attempts to connect to every TCP port on a single machine. TCP
scans provide attackers with valuable information about your network configuration.
terminal rule
A rule that terminates the IDP rule-matching algorithm. When a terminal rule is
triggered, IDP does not execute subsequent rules in the rulebase.
terminal rulebase
A rulebase in which all rules are terminal. If a rule in a terminal rulebase is matched, IDP
does not execute subsequent rules.
toolbar
The area of the User Interface that contains buttons for common tasks. The buttons
displayed in the toolbar are determined by the selected component.
UDP
An acronym for User Datagram Protocol. UDP is a connectionless protocol that provides a
communication mechanism for applications.
UDP scan
An attack method that attempts to connect to every UDP port on a single machine. UDP
scans provide attackers with valuable information about your network configuration.
unique identifier
A unique number assigned to an IDP Sensor in an HA cluster. The unique identifier
enables state-sync communication with other IDP Sensors in an HA cluster. For load
balancing, this assignment is arbitrary and is used only to differentiate Sensors in the
cluster from each other. For hot standby, the IDP Sensor with the lowest unique identifier
is the primary IDP Sensor.
variable data
Additional data that is contained in a log record and is relevant to a protocol anomaly.
view
Another instance of the Log Viewer. You can create custom views with filters and save
them in the Log Viewer.
virtual router
A virtual router (VR) provides a hardware and software emulation of a physical router.
Virtual Routers have independent IP routing and forwarding tables.
VNC
An acronym for Virtual Network Computing. VNC is a remote display system that
displays a desktop environment from anywhere on the Internet.
WINS
An acronym for Windows Internet Naming Service. WINS determines the IP address of a
networked Microsoft Windows computer.
F K
false positives 111 key properties
flag column 65 creating 131
flow properties
viewing 132
flow table size 156
L
layer 2 91
line context 135
G load balancing 21
Gnutella 191 load time parameters 156
Gopher 186 flow table size 156
log collapsing 78
log id column 70
H log purging 84
high availability 201–238 Log Viewer 63–87
hot standby 21 address resolution 64
load balancing 21 columns 65–73
spanning tree protocol 21 action 67
standalone 202 alarm 65
example configurations 217 attack 66
switch compatibility 224 bytes (in a session) 71
switch configuration 225 category 68
technical overview 21 comments 68
third-party 232 destination address 67
Alteon ACEdirectors 236 device address 68
Nokia FireWall-1 233 device vin 70
HTTP-HEADER-OVERFLOW 166 dst port 67
elapsed (in a session) 72
I email 73
ICMP external 73
flow 251 flag 65
ICMP floods 175 inbound if 71
ICMP header properties log id 70
creating 148 misc 71
ICQ/AIM 182 outbound if 71
IDENT 180 packet data 70
IDP actions 101 packets (in a session) 72
IDP architecture 20 policy id 72
IDP Management Server policy version 72
technical overview 22 protocol 68
IDP Multi-Method Detection 89 rule number 72
idp.sh 246 rulebase 72
inbound interface column 71 script 72
inline Security Policy 32, 121 severity 68
installing Security Policies 125 snmp 73
interactive traffic 119 source address 67
IP src port 67
flow 251 sub category 68
IP actions 103 syslog 73
IP spoofing 91 time generated 71
IP tab for Signature Attack Objects time received 66
creating 144 customizing 76–85
viewing 129 detail pane 74
filtering