Version 2.1
Table of Contents
About This Guide
Welcome to the UnityOne LSM
Target Audience
Organization
Conventions
Cross References
Typeface
Procedures
Screen Captures
Messages
Related Documentation
Online Help
Customer Support
Overview
UnityOne System
UnityOne Architecture
SMS Client
SMS Server
Threat Suppression Engine
IPS Devices
Local Clients
Local Security Manager Overview
Filters Page
Logs Page
Configure Page
Monitor Page
Update Page
Admin Page
Getting Started
System Requirements
SMS Configuration
LSM Navigation
Security Notes
Logging In
Login Screen
Session Time-out
Logging Off
LSM Screen Layout
Launch Bar
System Stats
Main Pane
Filters
Filters Page
Managing Filters
Viewing Filters
Searching Filters
Creating New Filters
Editing a Group of Filters
Deleting Filters
Application Protection
Attack Protection Filters
Reconnaissance Filters
Security Policy Filters
Informational Filters
Application Settings
Infrastructure Protection
Advanced DDoS Filters
Advanced DDoS Filters for UnityOne-5000E
Network Equipment Protection Filters
Traffic Normalization Filters
Traffic Threshold Filters
Performance Protection
Misuse and Abuse Filters
Traffic Management Filters
Performance Protection Settings
Category Settings
Enabling Filters
Disabling Filters
Action Sets
Rate Limiting
Notification Contacts
Alert Aggregation
Setting Preferences
Logs
Logs Page
LSM Logs
Alert Log
Block Log
Misuse & Abuse Log
System Log
Audit Log
Packet Trace Log
Managing Logs and Reports
Viewing Logs and Reports
Downloading Log Files
Printing Log Files
Resetting Log Files
Searching Log Files
More Reports
Reports Preferences
Configure
Configure Page
Segment Configuration
Segment INHA
Link-Down Synchronization
Configure a Segment
Management Port Configuration
Management Port Options
Management Port Services
Command Line Interface (CLI)
Web Interface (LSM and SMS)
Routing Options
Time Options
Time Zones
Internal CMOS Clock
SNTP Server
SMS and NMS Configuration
Network High Availability
INHA Configuration
TNHA Configuration
TSE Configuration
TSE General Configuration
TSE Adaptive Filter Configuration
TSE Blocked Streams
TSE Rate Limited Streams
TSE Non Standard Ports
TSE Blacklisted Streams
Monitor
Monitor Page
Device Health
Device Health
Performance/Throughput
Module Health
High Availability
Multi-Zone Defense
Intrinsic Network HA Health
Monitor Preferences
Major Levels
Critical Levels
Discovery Scans
Discover Page
Preparing for Scans
Performing Scans
Schedule Scans
Update
Update Page
Threat Management Center
Filter Updates
Software Updates
Persistent Settings
Update States
Software Rollbacks
Persistent Settings
Deleting Previous Versions
Device Snapshots
Administration
Admin Page
Access to Admin Functions
User Access Level
Account Security Access
Security Level Capabilities
Managing Users
Valid User Data
User Security Preferences
Web Idle Timeout
Security Level
Password Expiration
Max Login Attempts
Viewing Audit and System Logs
Browser Certificates
Overview
Client Authentication Message
Security Alert
Certificate Authority
Invalid Certificate Name
Example - Creating Personal Certificate
Troubleshooting
Overview
IPS Port Out-of-Service
Log Formats
Overview
Log Format
Remote Syslog Log Format
Glossary
Index
List of Procedures
About This Guide
Overview
LSM Navigation
Log in to the LSM
Filters
Logs
Configure
Monitor
Update
Administration
Change Your Password
Create a New User
Modify an Existing User
Delete an Existing User
Set User Preferences
Troubleshooting
Log Formats
Target Audience
This guide is intended for administrators who manage one or more Intrusion Prevention System (IPS)
devices.
TCP/IP
UDP
ICMP
Ethernet
Simple Network Time Protocol (SNTP)
Simple Mail Transport Protocol (SMTP)
Simple Network Management Protocol (SNMP)
Organization
The UnityOne Local Security Manager Users Guide is organized as follows:
Overview
Details the UnityOne system and LSM application, user interface, and login procedures. You should
review this section to understand how to navigate through the application.
Navigation
Details the UnityOne system user interface and steps for logging in and navigating the system.
Filters
Details the information and instructions for managing filters. The sections include important
instructions for tuning, copying, and customizing filters, exceptions, action sets, and notification
contacts.
Logs
Details information and instructions for reviewing and managing compiled logs. These logs include
the alert, block, peer-to-peer, system, audit, and packet trace logs. The sections also include
information on generating reports of system behavior.
Discovery
Details the options for performing and scheduling discovery scans of hosts on your device.
Configure
Details the configuration settings and instructions for an IPS device and its segments. The sections
include important information on management port settings, routing options, time options, settings for
the SMS and NMS, network high availability (INHA and TNHA), and the Threat Suppression Engine
(TSE).
Monitor
Details information for reviewing system behavior and device health. The section includes information
on possible health problems your device may have, as indicated by its status indicators.
Update
Details instructions and information for updating the LSM software and installing Digital Vaccine
package updates on the device.
Administration
Details the administration information for creating and managing user accounts. The section also
includes details on reviewing system and audit logs.
Appendix - Troubleshooting
Provides troubleshooting information for the LSM.
Glossary
Defines terms for the UnityOne and LSM system.
Conventions
This guide follows several procedural and typographical conventions to better provide clear and
understandable instructions and descriptions. These conventions are described in the following
sections.
This book uses the following conventions for structuring information:
Cross References
Typeface
Procedures
Messages
Cross References
When a topic is covered in depth elsewhere in this guide, or in another guide in this series, a cross
reference to the additional information is provided. Cross references help you find related topics and
information quickly.
Typeface
This guide uses the following typeface conventions:
Bold: used for the names of screen elements like buttons, drop-down lists, or fields. For
example, when you are done with a dialog, you would click the OK button. See
Procedures below for an example.
Code: used for text a user must type to use the product.
Italic: used for guide titles, variables, and important terms.
Hyperlink: used for cross references in a document or links to a web site.
Procedures
This guide contains several step-by-step procedures that tell you how to perform a specific task. These
procedures always begin with a phrase that describes the task goal, followed by numbered steps that
describe what you must do to complete the task.
The beginning of every chapter has cross references to the procedures that it contains. These cross
references, like all cross references in this guide, are hyperlinked.
Menu Navigation
The LSM provides drop-down menu lists to navigate and choose items in the user interface. Each
instruction that requires moving through the menus uses an arrow (>) to indicate the movement.
For example, Edit > Details would indicate selecting the Edit drop-down menu and then selecting
the Details option.
Sample Procedure
STEP 1
STEP 2
Screen Captures
The instructions and descriptions in this document include images of screens. These screen captures
may be cropped, focusing on specific sections of the application, such as a pane, list, or tab. Refer to the
application for full displays of the application.
Messages
Messages are special text emphasized by font, format, and icons. There are four types of
messages in this guide:
Warning
Caution
Note
Tip
Warning
Warnings tell you how to avoid physical injury to people or equipment. You should carefully consider
this information prior to enacting actions or procedures that could potentially harm your staff, data, or
security.
WARNING: Do not store your user name and password on your workstation, in
your personal effects, or anywhere in or around your work area. If you store your
user name and password in any of these locations, your system security may be
compromised.
Caution
Cautions tell you how to avoid a serious loss that could cause physical damage such as the loss of data,
time, or security. You should carefully consider this information when determining a course of action
or procedure.
CAUTION: You should disable password caching in the browser you use to access the
LSM. If you do not disable password caching in your browser, and your workstation is not
secured, your system security may be compromised.
Note
Notes tell you about information that might not be obvious or that does not relate directly to the
current topic, but that may affect relevant behavior.
Note: If the IPS is not currently under SMS control, you can find out the IP
address of the last SMS that was in control by checking your Audit log from the
Logs page.
Tip
Tips are suggestions about how you can perform a task more easily or more efficiently.
Tip: You can see what percentage of disk space you are using by checking the
Monitor page.
Related Documentation
The UnityOne systems have a full set of documentation. These publications are available in electronic
format on your installation CDs. For the most recent updates, check the Threat Management Center
(TMC) web site at https://tmc.tippingpoint.com.
Table ii - 1: UnityOne Documents
Audience
Hardware
Technicians
Publication
Location
printed version in the UnityOne box,
UnityOne Documentation CD,
https://tmc.tippingpoint.com
https://tmc.tippingpoint.com
https://tmc.tippingpoint.com
UnityOne Local Security Manager Online Help
https://tmc.tippingpoint.com
UnityOne Security Manager System Quick Start
Guide
https://tmc.tippingpoint.com
UnityOne Security Management System Users
Guide
https://tmc.tippingpoint.com
and on the SMS server
https://tmc.tippingpoint.com
and on the SMS server
Third Party Management for UnityOne IPS
https://tmc.tippingpoint.com
Online Help
Each window and dialog box in the LSM application includes a Help button for accessing the online help.
In the Launch Bar of the application, the Help button opens the main welcome page of the online help.
You can also click the Help button on each page of the application to review context-sensitive topics.
Figure ii - 1: Help Icon and Button
Opens the online help at the opening page.
If you have problems finding help on a particular subject, you can review the Index or use the Search
tab in the navigation pane. Each page also includes related topic links to find more information on
particular subjects and functions.
Customer Support
The TippingPoint Technologies technical support phone number is 1-866-681-8324 (866-681-TECH).
TippingPoint is committed to providing quality customer support to all of its customers. Each
customer is provided with a customized support agreement that provides detailed customer and
support contact information. For the most efficient resolution of your problem, please take a moment
to gather some basic information from your records and from your system before contacting TP
customer support.
Table 3: Customer Support Information
Information
Location
You can find this number on your Customer Support Agreement and on
the shipping invoice that came with your UnityOne system.
You can find this number on the shipping invoice that came with
your UnityOne system.
You can find this information in the LSM in the System Stats
frame, in the Update tab, or by using the CLI show version
command.
You can find this information in the LSM in the System Stats
frame.
Overview
The UnityOne is a high-speed, comprehensive security system that includes Intrusion Prevention
System (IPS) devices with a browsable manager called the Local Security Manager (LSM). The
Overview section provides an overview of the LSM functions and use in the UnityOne system.
Overview
Enterprise security schemes once consisted of a conglomeration of disparate, static devices from
multiple vendors. Today, TippingPoint's (TP) UnityOne security system provides the advantages of a
single, integrated, highly adaptive security system that includes powerful hardware and an intuitive
management interface.
This section details the UnityOne system, LSM, IPS devices, and how it all works together to provide a
quality system for the prevention of malicious attacks on your network. See Chapter 2 LSM
Navigation for more information on the user interface and accessing the system.
LSM Overview includes the following topics:
UnityOne System
The principal components of the UnityOne are the Intrusion Prevention System (IPS) device models
UnityOne 50, 100E, 200, 400, 1200, 2400, and 5000E. The IPS models UnityOne-200, UnityOne-400,
UnityOne-1200, UnityOne-2400, and UnityOne-5000E are single units that can protect up to four
network segments. The UnityOne-50 and UnityOne-100E can protect one segment on your network. A
single IPS can be installed at the perimeter of your network, on your intranet, or both. All device
models have the uniformity and simplicity needed to achieve a high level of protection with minimal
administrative action.
An IPS protects your network segments. A segment is protected when its traffic passes through a pair
of ports on the IPS that are configured with filters and global settings. The device scans and reacts to
network traffic according to the filter instructions, or action set. Each segment and device can use a
different set of filters to manage and block traffic and malicious attacks to protect your network.
include all of the filters and information for protecting your network. Action sets in these filters provide
the instructions for the device to block, permit, and send alerts to the system. Filters include three
pillars of filter categories:
Application Protection Pillar of filter types that defend against known and unknown exploits
targeting applications and operating systems. These filters include a variety of vulnerability and
security policy filters.
Infrastructure Protection Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack using a combination of traffic
normalization, DDoS protection, and application, protocol, and statistical anomaly detection. These
filters include DDoS, network equipment protection, and traffic normalization filters.
Performance Protection Pillar of filter types that allow key applications to have prioritized
access to bandwidth ensuring that mission critical applications have adequate performance during
times of high congestion. These filters include misuse and abuse and traffic management filters.
Filters provide detection and response instructions for segments and devices. If a filter affects an entire
device, it overrides the segmental settings. The action sets for these filters can be set according to
category or customized settings entered per filter. Each action set can also include a set of notification
contacts to receive alerts when the device detects and responds to traffic. The UnityOne also enables
you to set exceptions and inclusions (or apply only rules) for filters. These settings can also be set and
enacted according to filter or for all categories of filters.
The UnityOne system also includes a Zero Power High Availability (ZPHA) device (optional) that
ensures constant, non-interrupted flow of network traffic. You can use the ZPHA to continue network
traffic and services by bypassing the IPS entirely when the power no longer feeds into the system, when
you need to unplug the system, and to continue service while the IPS reboots. The ZPHA is a chassis
with a set of relays that directs traffic depending on the status of power received through a USB cable
connected to the IPS device. If the power interrupts, the ZPHA bypasses the IPS device, providing
continuous network traffic.
Beyond the hardware, the UnityOne provides software to manage and customize your network
protection and intrusion prevention system. The Local Security Manager (LSM) manages a single IPS.
The LSM is a web-based management application that provides on-the-box administration,
configuration, and reporting.
To manage multiple IPS devices, you can use the Security Management System (SMS). The SMS
provides functionality beyond that provided by the LSM. Furthermore, it provides coordination across
your UnityOne system for administration, configuration, and monitoring. It provides a central point of
control for monitoring the way your IPS devices react to attack traffic, customizing that response, and
distributing your customizations to your entire network.
UnityOne Architecture
The UnityOne uses a flexible architecture that consists of an SMS Client (Java), Centralized
Management Server (SMS), IPS device(s), and Local Clients including the Local Security Manager
(LSM) and Command Line Interface (CLI). The entire UnityOne system provides intrusion prevention
protection against malicious attacks and traffic loads and local and centralized management
capabilities for 1 to 1,000 deployed systems. The following image provides an overview of the
architecture:
Figure 1 - 1: UnityOne Architecture
SMS Client
The UnityOne Security Management System (SMS) client provides services and functions to monitor,
manage, and configure the entire UnityOne system. This client is a Java-based application installed and
accessed on a computer running the appropriate Windows operating system. Each user receives a
specific user level with enhanced security measures to protect access and configuration of the system.
You can monitor the entire UnityOne system through the SMS client on a computer with the following
requirements:
One of the following operating systems:
Windows 98, 2nd edition
Windows NT, Service Pack 5 or later
Windows 2000, Service Pack 3 or later
Windows XP
Internet Explorer, version 6.0 or higher
The SMS features a policy-based operational model for scalable and uniform enterprise management.
It enables behavior and performance analysis with trending reports, correlation and real-time graphs including reports on all, specific, and top 10 attacks and their sources and destinations as well as all,
specific, and top 10 peers and filters for misuse and abuse (peer-to-peer piracy) attacks. You can
create, save, and schedule reports using report templates. All reports are run against system and audit
logs stored for each device managed by the system. These logs detail triggered filters. You can modify,
update, and control distribution of these filters according to segment groups for refined intrusion
prevention.
The SMS dashboard provides at-a-glance monitors, with launch capabilities into the targeted
management applications that provide global command and control of UnityOne. It displays the
entries for the top 5 filters triggered over the past hour in various categories, a graph of triggered filters
over the past 24 hours, the health status of devices, and update versions for software of the system.
Through the Dashboard, you gain an overview of the current performance of your system, including
notifications of updates and possible issues with devices monitored by the SMS.
SMS Server
The SMS Server of the UnityOne is an enterprise-class management platform that provides
administration, configuration, monitoring and reporting for up to 1,000 UnityOne Intrusion
Prevention Systems. It is a rack mountable device that features a state-of-the-art Java client interface.
The SMS Server processes, stores, and provides essential components and functions to manage and
protect your network.
This component centralizes functionality for use and management across the UnityOne architecture. It
provides a central point for storing and managing resources, settings, and logs. Using the SMS and
local clients, you can perform monitoring, logging, reporting, and scanning procedures. It provides the
following functionality:
Enterprise-wide Device Status and Behavior Stores, updates, and alerts clients, devices, and
logging functions of filter, device, software, and network status. The state of components in the
architecture stores in this component.
IPS Networking and Configuration Stores and configures devices according to the settings
modified, imported, or distributed by clients. These settings affect the flow and detection of traffic
according to device, segment, or segment group.
Scheduled and Pending Network Discovery Scans Stores and enacts network discovery scans
set and maintained by clients. Scan results save in the database for review and management by the
SMS and local clients.
Filter Customization Stores filter customizations in profiles as maintained by the SMS client.
These settings are distributed and imported to devices, which can be reviewed and modified by local
clients. If a device is managed by the SMS Server, the local clients cannot modify settings.
Filter and Software Distribution Monitors and maintains the distribution and import of filters,
Digital Vaccine packages, and software for the TippingPoint Operating System and SMS Client. The
SMS client and Central Management Server can distribute these packages according to segment
group settings. The Central Management Server maintains a link to the Threat Management Center
(TMC) for downloading and installing package updates.
IPS Devices
Intrusion Prevention System (IPS) devices protect your network by scanning, detecting, and
responding to network traffic according to the filters, action sets, and global settings maintained on
each device by a client. Each device provides intrusion prevention for your network according to the
amount of network connections and hardware capabilities.
UnityOne IPS devices are designed to handle the extremely high demands of carriers and high-density
data centers. Even while under attack, UnityOne Intrusion Prevention Systems are extremely low-latency
network infrastructure ensuring switch-like network performance. UnityOne also has built-in
intrinsic high-availability features, guaranteeing that the network keeps running in the event of system
failure.
UnityOne IPS devices are active network defense systems using the Threat Suppression Engine (TSE)
to detect and respond to attacks. UnityOne Intrusion Prevention Systems are optimized to provide high
resiliency, high availability security for remote branch offices, small-to-medium and large enterprises
and collocation facilities. Each UnityOne can protect network segments from both external and
internal attacks. UnityOne Intrusion Prevention Systems are extremely low-latency network
infrastructure ensuring switch-like network performance, even while under attack. UnityOne also has
built-in intrinsic high-availability features, guaranteeing that the network keeps running in the event
of system failure.
IPS devices provide the following segments and traffic performance:
Multiple UnityOne devices can be deployed to extend this unsurpassed protection to hundreds of
enterprise zones. You can monitor and manage the devices through local clients or up to 1,000 devices
through the SMS Client.
You can also implement an optional device called the Zero Power High Availability (ZPHA). This device
provides continued traffic flow in the event of a power loss in your IPS devices.
High Availability
UnityOne devices are designed to guarantee that your network traffic always flows at wire speeds in the
event of internal device failure. In the case of any internal hardware or software failure, UnityOne can
automatically or manually fall back to be a simple Layer 2 switch, ensuring high-network availability.
The UnityOne provides Network High Availability settings for Intrinsic Network HA (INHA) and
Transparent Network HA (TNHA). These options enact manually or automatically, according to
settings you enter using the clients (LSM and SMS) or LCD panel for IPS devices.
Intrinsic Network High Availability is the ability of multiple LSM applications and their IPS devices to
see and direct the flow of network traffic between devices and their ports. When traffic flows through
the ports of a device, one port may have an issue occur causing an interruption in traffic. The port then
transfers the traffic flow to the other available port or device accordingly. Through the INHA, the
system routes network traffic and state information by signalling one device, its port, and its client
(LSM or SMS) of the IP address, connection table, and flow information. The target port, device, and
client then builds the information from scratch, to handle network traffic for optimum usage. It
transfers the TCP flow when fail-overs occur.
Transparent Network HA performs the same service; however, it differs by constantly updating devices
of the TCP flow information. For these networks and devices, the fail-over port/device does not have to
rebuild the information flow tables based on the information sent from the failing port/device. It
receives information from an XSL to update its connection table settings. Once updated, this type of
network HA quickly transfers fail-over traffic without having to rebuild the settings.
For more information, see Network High Availability on page 155.
Local Clients
The UnityOne provides various points of interaction, management, and configuration of the intrusion
prevention system. The clients include graphical user interfaces (GUI) and command line interfaces
(CLI). These clients include the following:
Local Security Manager (LSM) Web-based GUI for managing one IPS device. The LSM provides
HTTP and HTTPS (secure management) access. This access requires Microsoft Internet Explorer 6.0
or later. Using the LSM, you have a graphical display for reviewing, searching, and modifying
settings. The GUI interface also provides graphical reports for monitoring the device traffic,
triggered filters, and packet statistics.
Command Line Interface (CLI) Command line interface for reviewing and modifying settings
on the device. The CLI is accessible through Telnet and SSH (secure access).
LCD Panel UnityOne 50/100E/200/400/1200/2400 devices provide an LCD panel for entering and
modifying some settings for the device. These settings include configuring HA, querying the serial
number, resetting logs, and others.
Note: The IPS device allows for 10 web client connections, 10 telnet/SSH (for
CLI) connections, and 1 console connection at once.
Filters Page
Logs Page
Configure Page
Monitor Page
Update Page
Admin Page
Filters Page
The Threat Management Center collects information on threats to software, hardware, and network
security throughout the world. These threats are analyzed and converted into filters. These filters
integrate with the interface to analyze data and protect systems. The filters use advanced protection
logic to accurately block attacks and cut down the possibility of false positives. The TMC provides these
filters as packages called Digital Vaccine to all UnityOne customers. The Filters page enables you to
manage these filters.
You can download, install, and manage these packages and their filters in the LSM interface. Filters
apply threat recognition data to traffic passing through specific areas of your network.
See Chapter 3 Filters
Logs Page
The Logs page enables you to view log messages sorted by the time and date they were recorded. These
messages indicate the status of IPS components, reported from the devices, or messages from the
UnityOne about components that do not respond to periodic polling. These reports and graphs provide
detailed information about the attack filters and alerts in your system.
See Chapter 4 LSM Logs
Configure Page
The Configure page enables you to view and modify the configured settings for a device and the LSM.
Through this page, you can view and set segments, modify network routes, reboot a device, and enable
or disable the use of SMS.
See Chapter 5 Configure.
Monitor Page
The Monitor page enables you to see the status of your IPS hardware. Through this page, you can view
system logs and check the current state of the hardware. You can also define the thresholds that
configure how hardware status is displayed. The information gathered by the monitor function
includes the following:
disk space and usage
memory usage
the state of the hardware (such as active and stand-by)
See Chapter 6 Monitor.
Update Page
TippingPoint is committed to providing the best means of protecting your network using the UnityOne
family of products. Therefore, from time to time, the Threat Management Center will release Software
Updates and Attack Filter Updates. The Update page enables you to review and install updates
downloaded from the TMC website (https://tmc.tippingpoint.com).
See Chapter 7 Update.
Admin Page
The LSM provides features for managing user access to the interface. The Admin page enables you to
create and manage user access to the IPS device through the LSM. Through this page, you can create
and modify user accounts, access settings, set the time-out limit, set expirations for passwords, and
view the audit and system logs.
Note: You must have the appropriate user access to use the Admin page. Not all
users can affect the access of other users.
Getting Started
Prior to using the LSM interface, you need to install and configure the IPS device. Gather the following
documents depending on your product:
The Release Notes that shipped with the product. For updated release notes, visit the Threat
Management Center website (https://tmc.tippingpoint.com)
For the IPS UnityOne-50 device, read the following:
UnityOne-50 Installation and Configuration Guide Provides instructions for installing and
configuring the UnityOne-50.
Quick Start UnityOne-50 Details how to unpack and install the UnityOne-50 quickly.
For the IPS UnityOne-100E device, read the following:
UnityOne-100E Installation and Configuration Guide Provides instructions for installing and
configuring the UnityOne-100E.
Quick Start UnityOne-100E Details how to unpack and install the UnityOne-100E quickly.
For the IPS UnityOne 200/400/1200/2400 devices, read the following:
UnityOne 200/400/1200/2400 Installation and Configuration Guide Provides instructions for
installing and configuring the UnityOne 200/400/1200/2400 devices.
Quick Start UnityOne 200/400/1200/2400 Details how to unpack and install the UnityOne 200/
400/1200/2400 quickly.
For the IPS UnityOne-5000E device, read the following:
UnityOne-5000E Installation and Configuration Guide Provides instructions for installing and
configuring the UnityOne-5000E.
Quick Start UnityOne-5000E Details how to unpack and install the UnityOne-5000E quickly.
For the ZPHA device, read the following:
UnityOne Zero Power High Availability Installation Guide Provides installation instructions for
the Zero Power High Availability (ZPHA) device.
UnityOne Modular Fiber/Copper ZPHA Installation Guide Provides installation instructions for
the modular Zero Power High Availability (ZPHA) device, which uses fiber and/or copper
segments.
Before you use the LSM for the first time, you must complete the following:
Read the Release Notes that shipped with your IPS device. Information contained in the release notes
supersedes information in the manuals and in the online help.
Install the UnityOne device according to the instructions in the appropriate installation and
configuration guide for your UnityOne IPS.
Complete the Out-of-Box Setup Wizard according to the instructions in the Startup Configuration
chapter of the UnityOne Command Line Interface Reference. Be sure to enable the HTTPS server; the
HTTP server can also be enabled, but it sends credentials unencrypted (see Security Notes on page 14).
System Requirements
The LSM is served by the IPS device and accessed with a web browser, so the requirements for the
workstation are lighter than for software installed locally. To access the LSM, you need the following:
A networked computer running Windows NT, 9x, or 2000
Microsoft Internet Explorer (MSIE) version 6.0 or later with 128-bit encryption, and with JavaScript
and cookies enabled
SMS Configuration
Whether you manage your IPS device through the Security Management System (SMS) or stop using the
SMS, you must configure a setting on the IPS device. This setting identifies whether the device is
controlled by the SMS.
See View or Configure SMS Information on page 154.
LSM Navigation
LSM Navigation describes the LSM interface, how to log in, and the general sections of the
application. The Launch Bar, menus, and links are detailed with links to further information
throughout this guide.
Overview
The Local Security Manager (LSM) is a graphical user interface (GUI) that makes configuring and
monitoring your UnityOne device easy by providing user-friendly menus to help accomplish
administrative activities. You access the LSM using a user account through a browser. See Log in to the
LSM for more information.
The LSM is an application that you browse to in a web browser. You should use Microsoft Internet
Explorer, version 6 or later, to access the application. In this application, you can access a variety of
functions according to the access level of your user account.
This section details the login and navigation procedures of the LSM user interface.
LSM Navigation includes the following information:
Security Notes on page 14
Logging In on page 14
LSM Screen Layout on page 16
Note: The LSM is designed to work with Microsoft Internet Explorer (MSIE)
version 6.0 and greater. Using any other browser than MSIE may produce
unpredictable results in the display and functionality of the interface.
Security Notes
The LSM enables you to manage your IPS using an ordinary Web browser. It is important to note that
some browser features, such as password caching, are inappropriate for security use and should be
turned off.
CAUTION: Some browsers offer a feature that stores your user login and password for
future use. TippingPoint Technologies recommends that you turn this feature off in your
browser. It is counter to standard security practices to store login names and passwords,
especially those for sensitive network equipment, on or near a workstation.
In addition, the LSM provides two different web servers, an HTTP and an HTTPS server. Whenever
your IPS is connected to your network, you should run the HTTPS server, not the HTTP server. HTTP
is not secure because your user name and password, and every request and response in the session,
travel over the network unencrypted. Use the HTTP server only when you are certain that communications
between the IPS and the workstation from which you access the LSM cannot be intercepted.
WARNING: The procedure Enable the Web Server (LSM and SMS) enables you to
turn on HTTP. HTTP is not a secure service because it sends unencrypted user
names and passwords over the network. If you enable HTTP, you endanger the
security of your UnityOne device. Use HTTPS instead of HTTP.
Logging In
When you log in to the LSM, you are prompted for your username and your password. This login gives
you access to the areas of the LSM permitted by your user role. User roles and access are described in
Access to Admin Functions.
Tip: Most Web browsers will not treat addresses beginning with HTTP and
HTTPS interchangeably. If your browser cannot find your LSM, make sure that you
are using http:// or https:// depending on which web server you are running.
Note: The IPS device allows for 10 web client connections, 10 telnet/SSH (for
CLI) connections, and 1 console connection at once.
Login Screen
There are three different situations in which you will be presented with the login screen:
When you first log in to the LSM
When you experience a Session Time-out
When you attempt to access an area that exceeds your current User Access Level
STEP 1
Enter the IP address or hostname of your IPS device in your browser Address bar. For
example:
https://123.45.67.89
The LSM displays a Login page. The page includes the model and name of your device.
STEP 2
STEP 3
STEP 4
The LSM validates your account information against the permitted users of the software. If the
information is valid, the LSM software opens. If the account information is not valid, the Login page
displays.
Note: Only 10 web client and 10 SSH (for CLI) connections are allowed to connect
to a device at once.
Session Time-out
For security purposes, LSM login sessions have a 10-minute time-out. If you do not provide the LSM
with any input for ten minutes, you are logged off.
Logging Off
You can log off of the LSM at any time by clicking the Log Off link in the upper right corner of the LSM
screen.
Launch Bar
You can access the available features of the LSM by selecting tabs from the Launch Bar. The LSM
displays the page you select in the Main Pane. Each tab displays a default page with features and
options for managing your UnityOne system.
The following table lists the available tabs with descriptions of their options:
Table 2 - 1: Launch Bar Tabs
Tab  Feature  Description
Filters
Logs
Configure
Monitor
Update
Admin: Create, modify, and delete users; view the user or system audit log. See Chapter 8 Administration
for more information.
Help
System Stats
The System Stats sidebar shows information about system boot time, traffic, status, and software
versions. It refreshes itself periodically, unless you click the Freeze check box beside the refresh
counter. You can also manually refresh the System Stats sidebar by clicking the Refresh link beside the
counter.
The sidebar sections can be minimized and maximized by clicking the sizing icon to the right of the
section title. These sections include the following:
System Boot Time Displays the time the device booted
Packet Statistics Provides a running total of packets scanned by the device's Threat Suppression
Engine, including totals for invalid, blocked, and permitted packets
Health Displays a color indicator for the current status of the system log, threshold logs, and usage
of disk space and memory. For more information on system usage, see Chapter 6 Monitor.
High Availability Indicates the state of the Intrinsic and Transparent Network HA. For more
information, see Network High Availability on page 155.
UnityOne Versions Details the current version of the LSM software installed and running. For
more information on LSM and Digital Vaccine versions, see Chapter 7 Update.
You can hide and show each portion of the System Stats using the collapse icon next the section.
Figure 2 - 3: Collapse Icon
Collapse icon for hiding and showing information on the System Stats.
The following is the System Stats sidebar:
Figure 2 - 4: System Stats Sidebar
Packet Statistics
The Packet Statistics section provides basic traffic statistics including the following:
Total Packets Total number of packets received and scanned by the Threat Suppression Engine
Invalid Total number of packets that have been dropped because they are not properly formed
or formatted
Blocked Total number of packets that have been blocked by the Threat Suppression Engine
Permitted Total number of packets that have passed through the Threat Suppression Engine
without being blocked or dropped.
Packet counters give you a snapshot of traffic through your network. The packet totals give only a
partial account of blocked activity according to the filters; other filter results also affect the
packet totals. When a count reaches the million and billion mark, it displays as a decimal amount with
a unit letter (such as G for giga, that is, 10^9 packets).
Note: The counters are not synchronized with each other, so packets may be
counted more than once in some situations.
Note: For UnityOne-50: The Blocked and Permitted counts include the number
of packets dropped or allowed through by a rate limiter.
The counters display the number of packets tracked. Counts below 1M display in full. Larger counts
are abbreviated with a unit factor: M for mega, G for giga, and T for tera. For example, 734,123
displays in full, whereas 4,004,876,543 displays as 4.00G. To view the full count, hover your mouse
over the displayed amount; a Tool Tip pops up displaying the full packet count.
To reset the counters, click the reset link.
Health
The Health section of the Statistics frame gives you a visual indicator of the hardware health of your
IPS. The Health section includes indicators for the following components:
System Log Provides compiled messages regarding the usage, actions, and errors of the system. It
displays the Logs - System Logs page. See Chapter 4 Logs.
Thresholds Provides a link to the Alert Log Search Results page displaying the Traffic
Threshold filter events. See Traffic Threshold Filters on page 77.
Performance Provides details on the congestion of filters. It runs the Performance Wizard. See
Performance/Throughput on page 177.
Disk Space Provides details on disk storage and usage. It displays the Monitor - Device Health
page. See Device Health on page 175.
Memory Provides details of memory usage. It displays the Monitor - Device Health page. See
Device Health on page 175.
The indicator next to the components indicates the current state:
Green if there are no problems
Yellow if there is a major warning
Red if there is a critical warning.
You can set the thresholds for warnings, setting when the indicator color will change based on the
usage of those components. If the System Log is other than green, you can click on the indicator to view
the error that caused the condition.
Note: When you view the logged error, the indicator resets and changes to green
under System Stats.
High Availability
The indicators listed for the High Availability section include the state for the Intrinsic and
Transparent HA. The indicator next to the component indicates the following:
Green if there are no problems
Yellow if there is a major warning
Red if there is a critical warning.
Click on the link to go to the Configure - High Availability page. See Network High Availability on
page 155.
UnityOne Versions
The UnityOne Versions section displays the current version numbers of the following software
components:
Model Number
TOS Software version
Digital Vaccine (Attack Filter) version
Custom Vaccine version (Optional Custom Shield Writer software application)
Main Pane
The LSM displays all data in the central pane of the browser window. This main pane displays the
pages of the LSM based on the selections you make from the Launch Bar and within each page.
The content is formatted as a table. You can sort a column in ascending or descending order by clicking
the heading name link in the top row of the table. Only the items in the current view are sorted: for
example, if you are viewing items 1-10 of 600 total items, only the ten items displayed on the page are
sorted, not the full list.
Filters
Filters describes Application Protection, Infrastructure Protection, and Performance Protection
filters and explains how to enable, disable, and modify their various features. This section also
details IP filtering, action sets, category settings, and notification contacts.
Overview
Filters apply threat recognition data to traffic passing through specific areas of your network. You can
create, modify, and manage these filters to block malicious attacks and to protect against theft of
your bandwidth and network services. Each filter consists of instructions detailing how packets and
traffic should be inspected, processed, and blocked for the network. These instructions are action
sets.
Filters are the key to protection and prevention of malicious invasion on your network and data. The
LSM includes the following pillars of filter types:
Application Protection Pillar of filter types that defend against known and unknown exploits
targeting applications and operating systems. These filters include a variety of attack protection,
reconnaissance, security policy, and informational filters.
Infrastructure Protection Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack, using a combination of traffic
normalization, Advanced DDoS protection, and network equipment protection. These filters include DDoS,
network equipment protection, and traffic normalization filters.
Performance Protection Pillar of filter types that allow key applications to have prioritized
access to bandwidth ensuring that mission critical applications have adequate performance during
times of high congestion. These filters include misuse and abuse, IP, and congestion/mitigation
filters.
Filters provide rules for handling network traffic. The instructions of a filter consist of various
components that build and provide these rules for the system:
Category Defines the type of filter, such as a particular Application Protection, Infrastructure
Protection, or Performance Protection filter
Action set Provides a set of actions that are triggered and performed when managing traffic
State Indicates if the filter is enabled, disabled, or invalid
Each filter includes settings for these components. Categories dictate the default and global settings
and actions for a specific type of filter. You can modify and enhance the category or particular instance
of a filter through the action sets. These sets of actions detail the instructions that become rules for
handling network traffic. The state of the filter indicates if the system enacts the filter against specific
types of traffic.
Through action sets and category settings, you can modify action sets to affect all filters of a particular
category or directly override the action sets on a filter-by-filter basis. You can selectively enhance the
filters to match the needs of your network.
Filters includes the following topics:
Filters Page
When you access the Filters page, it displays the Filters - Attack/Policy Filters Main List as default.
The following is the Filters page:
Figure 3 - 1: Default Filters Page
You can access the different types of filters by selecting the Open menu. A drop-down menu displays
listing the options for the page. The menu options may change depending on the menu option you
select. The instructions in this chapter indicate when to navigate through the drop-down menu
options.
Managing Filters
This section details the general procedures for managing filters in the LSM. This section includes the
following sections:
For specific editing instructions and information about filters, see the following sections:
Performance Protection on page 83
Application Protection on page 31
Infrastructure Protection on page 55
Viewing Filters
You can view filters that are loaded on your device. The Filters page displays a summary of the active
and inactive filters that are currently loaded on your IPS device. You can sort the filters on your screen
by any of the columns with an HTML link as a heading.
Figure 3 - 2: Filters Default Page
For example, you can sort the filters by the Filter Name or Segment by clicking the column name. The
following table details the information displayed on the page.
Table 3 - 1: Filters Page Description
Column Name  Description
Filter Name  Each filter name is also a link to a page that contains more information and configuration
options for that filter. Click on the filter name link to view and configure filter details.
Segment  Segments are the portions of your network that you protect as discrete units. Traffic for
one segment flows in and out of one port pair on a Multi-Zone Defense (MZD) Module.
By default, a filter applies to all segments that you are protecting.
Control
Description
Action  Action refers to the action set that is performed when the filter is triggered. You can click
on the links in this column to view or edit details about the action set, or you can click on
the category action link to see the default action associated with this filter.
State
Function  The Function column contains icons that allow you to perform filter operations. These
icons are shown in the table entitled Functions Icons.
Note: The state of a filter may indicate the filter is enabled even if it is disabled
for a particular segment and enabled for others. To review the enabled/disabled
settings for a filter, review the Category Settings on page 94.
These filters have icons in the Function column indicating the available options.
Table 3 - 2: Functions Icons
Icon
Function
Description
Copy
Click the Copy icon to create a copy of the filter. You can use copies of filters to
apply filters in different ways to different segments, or to apply filters only to
certain segments.
Edit
Click the Edit icon to edit filter parameters such as whether the filter is
controlled through Category Settings or individually, which action set the filter
uses, and what exceptions are applied to the filter.
Delete
Use the Delete icon to delete a filter that you have created (using the copy filter
icon). You cannot delete the filters that come with the LSM, but you can disable
them.
Filter
Exception
The Filter Exception icon indicates filters that have exceptions defined. You can
click the Filter Exception icon to view more information about the filter and to
see the exceptions that are defined for it.
Reset
The Reset icon resets a triggered Traffic Threshold filter. When one of these
filters triggers, you must reset it.
Searching Filters
You can search for a specific filter number, or for a specific substring in the filter name. You enter
searches in the Search field at the bottom of the specific Filters page. When you search for filters, you
can search according to the following:
By Filter Type By default, the Filters page opens the Filters - Attack/Policy Filters Main List
page (Application Protection filters). To search another filter type, select it from
the Open > Application Protection, Infrastructure Protection, or Performance Protection
menus.
Filter Number You can enter a number of the filter in the search field.
Filter Name You can enter the full or partial name of the filter in the search field.
Note: The search is a string search, not a boolean search. It is not case sensitive.
Therefore, if you enter more than one word in the search box, it will only search
for that particular phrase, not for a combination of words. For example, if you
enter ICMP reply the search will not return a filter whose description is ICMP:
Echo Reply.
You cannot search by filter category. Returned results of the search include matches against the name of
the filter.
Note: To view all filters of the selected type, click the Show All Filters link. To
change types of filters, select a menu item from the Open > Application
Protection, Infrastructure Protection, or Performance Protection menus.
STEP 2
The Filters page displays. By default, it lists the All Filters page.
You can search for any filter through this page or select the type of filter you want to search for
from the Open > Application Protection, Infrastructure Protection, or Performance
Protection menu items.
STEP 3
Type a filter number, a word, or part of a word in the Search field. You cannot search for a category type.
STEP 4
Click the Search button. Any filters that contain the search string as their number or name
display.
STEP 2
STEP B
You can browse for a filter by selecting a category from the Open menu.
STEP C
You can also copy a filter when editing a filter, from the filters details/edit page.
Click the Copy icon next to the filter you want to copy or click Copy. The copy page for the filter displays.
STEP 3
Select a Segment from the drop-down list. The options depend on the type of filter. You can
also select Recommended, which uses the recommended action set for the filter type.
STEP 4
Select either Use Category Settings or Override in the Filter Parameters section.
If you choose Override, check the Enable option and select an Action for this filter from the
drop-down list.
STEP 5
Click Copy.
Display the Filters - All Filters page or a main page for a filter category.
STEP 2
STEP 3
Click Edit Selected. The Filters - Group Filters Edit/Details page displays.
STEP 4
STEP 5
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
Click Save.
Deleting Filters
You can delete filters you create on the Filters page. However, you cannot delete the filters installed
with the LSM or from Digital Vaccine packages. When you create a filter by copying and editing an
existing one, you can delete that copy.
Delete a Filter
STEP 1
STEP 2
Click the Delete icon next to the filter you wish to delete. A browser confirmation box opens.
STEP 3
Application Protection
Application Protection is a pillar of filter types that defend against known and unknown exploits that
target applications and operating systems of workstations and servers on a network. These filters
include a variety of attack protection and security policy filters used to detect attacks targeting
application and operating system resources on your network. Malicious attacks may probe your
network for vulnerabilities, available ports and hosts, and available applications accessible through the
network. Application Protection filters defend your network by providing an IPS device with threat
assessment, detection, and management instructions.
Through the Filters page, you can tune attack filters to meet the needs of your enterprise. You can
create a segment-specific filter or a custom filter exception. You also can alter the system's response
to an attack filter by disabling the filter, editing the action set, and modifying notification contact
settings.
These filters block traffic depending on the configured actions for the filter or filter category. These
actions are called an action set. You can set these action sets to the entire category of filters or override
specific filters to perform a different set of actions. See Action Sets on page 100 for more information.
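The precedence described here (category settings, a per-filter Override, and the IP exceptions and
"Limit Filter to IP Addresses" settings described under Application Settings) can be modelled in a
few lines. The following Python is an added example for readers of this guide, not TippingPoint code:
the field names, the action-set names, and the assumption that an exception or limit matches when
either the source or the destination address falls in it are illustrative, since the guide does not
specify them.

```python
"""Model of how an LSM filter decides whether to act on a packet.

Added example, not TippingPoint code. Assumed for illustration: the field
names, the action-set names, and that an exception or "limit to" entry
matches if EITHER the source or the destination address falls in it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CategorySettings:
    """Default state and action set for every filter in a category."""
    enabled: bool
    action_set: str


@dataclass
class Filter:
    name: str
    category: str
    # "Use Category Settings" (False) or "Override" (True)
    override: bool = False
    override_enabled: bool = False
    override_action: Optional[str] = None
    # Filter Exceptions: CIDRs this particular filter is not applied to
    exceptions: list = field(default_factory=list)


@dataclass
class Policy:
    categories: dict                    # category name -> CategorySettings
    # Global "Limit Filter to IP Addresses": when non-empty, filters only
    # fire on traffic involving these addresses
    limit_to: list = field(default_factory=list)


def effective(policy: Policy, flt: Filter):
    """Return (enabled, action_set) after applying Override precedence."""
    cat = policy.categories[flt.category]
    if flt.override:
        return flt.override_enabled, flt.override_action or cat.action_set
    return cat.enabled, cat.action_set


def _in_any(addr: str, cidrs) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(c, strict=False) for c in cidrs)


def decide(policy: Policy, flt: Filter, src: str, dst: str):
    """Action set applied to a src->dst packet, or None if the filter stays quiet."""
    enabled, action = effective(policy, flt)
    if not enabled:
        return None
    if policy.limit_to and not (_in_any(src, policy.limit_to) or _in_any(dst, policy.limit_to)):
        return None
    if _in_any(src, flt.exceptions) or _in_any(dst, flt.exceptions):
        return None
    return action


# Constructed sample policy (category names from the guide; action-set
# names, filter names and addresses are illustrative).
POLICY = Policy(
    categories={
        "Vulnerabilities": CategorySettings(enabled=True, action_set="Block"),
        "Informational": CategorySettings(enabled=False, action_set="Permit+Notify"),
    },
)
VULN = Filter("Sample vulnerability filter", "Vulnerabilities",
              exceptions=["10.0.0.0/8"])          # assumed trusted scanner range
INFO_OVERRIDE = Filter("Sample informational filter", "Informational",
                       override=True, override_enabled=True)
INFO_DEFAULT = Filter("Another informational filter", "Informational")


def demo():
    """Exercise the precedence rules; returns a dict of case -> action or None."""
    limited = Policy(categories=POLICY.categories, limit_to=["198.51.100.0/24"])
    return {
        "category_block": decide(POLICY, VULN, "192.0.2.10", "198.51.100.5"),
        "filter_exception": decide(POLICY, VULN, "10.1.2.3", "198.51.100.5"),
        "override_reenables": decide(POLICY, INFO_OVERRIDE, "192.0.2.10", "198.51.100.5"),
        "category_disabled": decide(POLICY, INFO_DEFAULT, "192.0.2.10", "198.51.100.5"),
        "outside_global_limit": decide(limited, VULN, "192.0.2.10", "203.0.113.9"),
        "inside_global_limit": decide(limited, VULN, "192.0.2.10", "198.51.100.5"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The "override_reenables" case is the one worth checking on a real device: a filter set to Override
with Enable checked fires even though its category is disabled, which is what lets you switch on a
single Informational or Reconnaissance filter without enabling the whole category.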
Both types of Attack Protection filters display the same information on their respective pages. The
following is the Filters - Vulnerabilities Filters Main List page:
Figure 3 - 5: Filters - Vulnerabilities Filters Main List Page
The page lists the following columns: Filter Name, Segment, Control, Action, State, Functions.
Viewing Filters
Searching Filters
Creating New Filters
Edit an Attack Protection Filter
Editing a Group of Filters
Deleting Filters
Vulnerabilities Filters
Attackers generally look for vulnerabilities in a network. They write malicious code to find the weak
points in a network security system, bypass filters, and reach data and services, using intrusion
methods against areas such as software back-doors and poorly protected hosts and ports. Vulnerability
scanning checks for all potential methods that an attacker could use to infiltrate a network and system.
Vulnerabilities filters protect these possible points of entry in a network, detecting and blocking
attempted intrusions. These filters protect vulnerable components of a computer system or network by
analyzing and blocking traffic seeking these points of entry. The filters constantly scan for possible
intrusion points, giving a warning when a vulnerability is found or when malicious attacks occur.
As security threats are recognized, the Threat Management Center (TMC) creates and releases filter
updates to protect potentially vulnerable systems.
Exploit Filters
Exploits are attacks against a network using weaknesses in software such as operating systems and
applications. These attacks usually take the form of intrusion attempts and attempts to destroy or
capture data. These filters seek to protect software from malicious attacks across a network by
detecting and blocking the request.
The two most common methods for exploiting software include email and web browsing. All web
browsers and many email clients have powerful capabilities that access applications and operating
systems. Attackers can create attachments that scan for and exploit this software.
Edit an Attack Protection Filter
STEP 1
On the Filters page, select the Open > Application Protection > Attack Protection
and choose one of the following menu items:
Vulnerabilities
Exploits
The appropriate filters page displays.
STEP 2
STEP 3
STEP 4
STEP 5
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter Removes any global
adaptive filter settings for this filter
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP 6
STEP A
STEP B
STEP C
Click Save.
Reconnaissance Filters
Reconnaissance filters protect your system against malicious traffic that scans your network for
vulnerabilities. These filters constantly monitor incoming traffic, looking for any sign of network
reconnaissance. Such traffic probes your system for weaknesses that can later be exploited; in effect,
the attacker is mapping your network's strengths and weaknesses for further attacks. These filters are
disabled by default.
Note: Port Scans/Host Sweeps filters are not affected by Application Settings.
When you create exceptions and apply-only settings in the Application Settings
page, they only affect Vulnerability Probing filters.
Reconnaissance filters include the following:
Vulnerability Probing Filters Filters that detect scans for vulnerabilities in the system. These
filters protect the network from probing attacks.
Port Scans/Host Sweeps Filters Filters that detect port scans and host sweeps. These filters protect
against scan attacks by alerting when hits against your ports and hosts exceed a threshold.
Both types of Reconnaissance filters display the same information on their respective pages.
The following is the Filters - Vulnerability Probing Filters Main List page:
Figure 3 - 7: Filters - Reconnaissance Filters Main List Page
The page lists the following columns: Filter Name (name of the filter), Segment, Action, State,
Timeout (seconds), Threshold (hits), Functions.
Viewing Filters
Searching Filters
Creating New Filters
Edit a Vulnerability Probing Filter
Editing a Group of Filters
Edit a Port Scans/Host Sweeps Filter
Deleting Filters
protecting access and evaluating requests. The following is the Filters - Vulnerability Probing Filters
Main List page:
Figure 3 - 8: Filters - Vulnerability Filters Main List Page
The page lists the following columns: Filter Name, Segment, Control, Action, State, Functions.
Filter Tuning
You can tune the sensitivity of Reconnaissance filters by adjusting their Timeout and Threshold
parameters. The timeout value is used in combination with the threshold value to determine whether
or not an alert is sent.
For example, with a timeout of 300 seconds and a threshold of 100 hits, the LSM sends an alert each
time the hit count exceeds the threshold or a multiple of the threshold, that is, at 101, 201, 301...
hits detected within the 300 second (five minute) time period.
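The following Python is an added example (not TippingPoint code) that models the alert cadence just
described and shows how the same scanner looks at different speeds against the example tuning. The
sliding window over hit timestamps is an assumed implementation; the guide documents the observable
behaviour, not how the device counts hits internally.

```python
"""Alert cadence of a Reconnaissance filter tuned with Timeout and Threshold.

Added example, not TippingPoint code. The guide documents the observable
behaviour (an alert at threshold+1 hits and at each further multiple inside
the timeout period); a sliding window over hit timestamps is an assumed
implementation of that behaviour, not the IPS's actual algorithm.
"""
from collections import deque


class ReconCounter:
    def __init__(self, timeout_s: float, threshold: int):
        self.timeout = timeout_s
        self.threshold = threshold
        self.hits = deque()  # timestamps of hits still inside the window

    def hit(self, t: float) -> bool:
        """Record a hit at time t (seconds) and return True if it raises an alert."""
        # Drop hits that have aged out of the timeout window
        while self.hits and t - self.hits[0] >= self.timeout:
            self.hits.popleft()
        self.hits.append(t)
        n = len(self.hits)
        # Alert when the count passes the threshold or a multiple of it:
        # with threshold 100 that is hits 101, 201, 301, ...
        return n > self.threshold and (n - 1) % self.threshold == 0


def alerts_for(hit_times, timeout_s: float, threshold: int):
    """Return the 1-based hit numbers that would produce an alert."""
    counter = ReconCounter(timeout_s, threshold)
    return [i for i, t in enumerate(hit_times, start=1) if counter.hit(t)]


# Constructed traffic patterns (seconds since the first hit)
FAST_BURST = [float(i) for i in range(250)]          # 250 hits, 1 per second
SLOW_PROBE = [4.0 * i for i in range(250)]           # 250 hits, 1 every 4 seconds
TWO_BURSTS = [float(i) for i in range(150)] + [550.0 + i for i in range(120)]


def demo():
    """The three patterns against the guide's example tuning (300 s, 100 hits)."""
    return {
        "fast_burst": alerts_for(FAST_BURST, 300, 100),   # [101, 201]
        "slow_probe": alerts_for(SLOW_PROBE, 300, 100),   # []  never 101 hits inside 300 s
        "two_bursts": alerts_for(TWO_BURSTS, 300, 100),   # [101, 251]  the gap empties the window
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: alerts at hits {alerts}")
```

The slow_probe case is the tuning trade-off in one line: a scanner pacing itself at one probe every
four seconds never accumulates 101 hits inside a 300-second window, so it is invisible at this setting.
Lowering the threshold or lengthening the timeout catches it, at the cost of more alerts on legitimate
bursts such as a monitoring system polling many hosts at once.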
On the Filters page, select the Open > Application Protection > Reconnaissance
> Vulnerability Probing menu item. The Filters - Vulnerability Probing Filters Main
List page displays.
STEP 2
STEP 3
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
STEP 4
STEP 5
STEP 6
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter Removes any global
adaptive filter settings for this filter
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
On the Filters page, select the Open > Application Protection > Port Scan/Host
Sweep menu item. The Filters - Reconnaissance Filters Main List page displays.
STEP 2
STEP 3
STEP 4
STEP 5
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
STEP B
Click Save.
The following is the Filters - Security Policy Filters Main List page:
Figure 3 - 11: Filters - Security Policy Filters Main List Page
The page lists the following columns: Filter Name, Segment, Control, Action, State, Functions.
The Filters - Security Policy Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Creating New Filters
Edit a Security Policy Filter
Editing a Group of Filters
Deleting Filters
On the Filters page, select the Open > Application Protection > Security Policy
menu item. The Filters - Security Policy Filters Main List page displays.
STEP 2
STEP 3
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP 4
STEP 5
STEP 6
STEP A
STEP B
STEP C
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter Removes any global
adaptive filter settings for this filter
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
Informational Filters
Informational filters provide a means for classic Intrusion Detection System (IDS) testing. These filters
allow you to run tests against your network security, and their behavior gives detailed information
about the strength of your security. Blade signatures are one example of these filters. These filters are
disabled by default.
The list shows these columns: Filter Name, Segment, Control, Action, State, Functions.
The Filters - Informational Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Creating New Filters
Edit an Informational Filter
Editing a Group of Filters
Deleting Filters
On the Filters page, select the Open > Application Protection > Informational
menu item. The Filters - Informational Filters Main List page displays.
STEP 2
STEP 3
STEP 4
STEP 5
STEP 6
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: applies the global adaptive filter settings.
Do not apply adaptive configuration settings to this filter: removes any global adaptive filter
settings for this filter.
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
Application Settings
Exceptions change how filters are applied, for example by limiting a filter to specific IP addresses or
excluding an IP address from all filters. You can set exceptions and limits on individual filters or
globally, so that they affect all filters.
In the LSM, you can add exceptions to an individual filter or to all Application Protection, Traffic
Normalization, and Network Equipment filters:
Filter Exceptions (specific): Exclude IP addresses from a specific Application Protection filter.
This exception affects only the modified filter.
Limit Filter to IP Addresses (global): Inclusions that restrict all Application Protection, Traffic
Normalization, and Network Equipment filters to a specific set of IP addresses. These settings are
global for all attack protection and security policy filters.
Exceptions (global): Exclude IP addresses from all Application Protection filters. These
exceptions are global for all attack protection and security policy filters.
CAUTION: The UnityOne system has specified limits for performance regarding the
number of exceptions and limit filters for Application Settings. You should not exceed the
following:
Create no more than 1 Limit Filter (apply only rules)
Create no more than 5 Exceptions
Tip: When you create a filter exception, the filter displays a green shield icon in
the functions column of the filters page.
This section details how to add these exceptions to Application Protection filters:
IP Restriction Filters
Filter Exceptions
Global Exceptions and Settings
IP Restriction Filters
The LSM has rules for determining when global exceptions affect custom filter exceptions. When you
create custom filter exceptions for filters that search for specific IP addresses as part of their logic, the
Threat Suppression Engine determines which exception to follow. In these instances, the LSM applies
the custom filter exception rather than the global exception.
For example, you could set exceptions on a filter that searches for a specific IP address, such as the
Vulnerability filter 0052: IP: Source IP Address Spoofed (Loopback). You could set a custom exception
limiting the set of IP addresses, to monitor attacks against the IP addresses within a specific server
group. If you then set a global exception on IP addresses that included the address searched for by this
filter, the Threat Suppression Engine would follow the rules of the custom exception, not the global
exception.
For filters that search for hard-coded IP addresses and apply the IP restriction filter as an exception
(which limits the IP addresses), the LSM follows the rules of the filter's own exceptions. The system
then logs an alert. To end the alerts and follow the global exception rules, you can disable the
individual filter.
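The precedence rules above can be expressed compactly in code. The following is an added Python model written for this page, not LSM or Threat Suppression Engine code: a filter's own exception list is consulted first and is not overridden by the global Limit or Exceptions lists, while a filter without its own exceptions follows the global lists. The class and function names, the CIDR/any/* matching, the assumption that a filter-level exception list replaces the global lists for that filter, and the sample addresses are all this example's own.

```python
"""Model of per-filter vs. global Application Settings exceptions.
Added example for this page; not LSM/TSE code. Names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

AddrPair = Tuple[str, str]  # (source pattern, destination pattern)


def addr_matches(pattern: str, addr: str) -> bool:
    """CIDR match; 'any' and '*' are the wildcards the LSM accepts."""
    if pattern in ("any", "*"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def pair_matches(pairs: List[AddrPair], src: str, dst: str) -> bool:
    return any(addr_matches(s, src) and addr_matches(d, dst) for s, d in pairs)


@dataclass
class AppProtectionFilter:
    name: str
    # Filter-specific exceptions: traffic matching a pair is not checked by THIS filter.
    exceptions: List[AddrPair] = field(default_factory=list)


@dataclass
class GlobalSettings:
    # "Limit Filter to IP Addresses": when non-empty, filters apply ONLY to matching traffic.
    limit_to: List[AddrPair] = field(default_factory=list)
    # Global exceptions: matching traffic is excluded from every filter.
    exceptions: List[AddrPair] = field(default_factory=list)


def within_performance_limits(glob: GlobalSettings) -> bool:
    """The CAUTION above: at most 1 Limit Filter and 5 global Exceptions."""
    return len(glob.limit_to) <= 1 and len(glob.exceptions) <= 5


def filter_applies(flt: AppProtectionFilter, glob: GlobalSettings, src: str, dst: str) -> bool:
    """True if `flt` is evaluated against a packet from src to dst."""
    if flt.exceptions:
        # Assumption made here: a filter with its own exceptions follows only those,
        # which is how the note "not overridden by the Global Settings" reads.
        return not pair_matches(flt.exceptions, src, dst)
    if glob.limit_to and not pair_matches(glob.limit_to, src, dst):
        return False  # outside the global inclusion list
    return not pair_matches(glob.exceptions, src, dst)


if __name__ == "__main__":
    # Constructed scenario mirroring the page's loopback-spoofing example.
    loopback_filter = AppProtectionFilter(
        "0052: IP: Source IP Address Spoofed (Loopback)",
        exceptions=[("any", "10.0.0.0/24")])  # do not apply to this server group
    plain_filter = AppProtectionFilter("filter with no custom exceptions")
    glob = GlobalSettings(exceptions=[("127.0.0.0/8", "any")])
    for flt in (loopback_filter, plain_filter):
        for dst in ("192.0.2.5", "10.0.0.7"):
            print(flt.name, "127.0.0.1 ->", dst, filter_applies(flt, glob, "127.0.0.1", dst))
```

Running it shows the loopback-spoofing filter with a custom exception still applied to 127.0.0.1 traffic that the global exception would have excluded, while the filter without custom exceptions follows the global exception; within_performance_limits() is the check for the CAUTION above.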
Filter Exceptions
You can add a custom exception directly to a filter without affecting other filters. You set these custom
exceptions directly to selected Application Protection filters. When you create filter exceptions, you
specify IP addresses for that custom filter.
Note: These settings are not overridden by the Global Settings of Application
Protection Filters. See Global Exceptions and Settings on page 51.
On the Filters page, select and view one of the following pages from the Open menu items:
STEP 2
STEP 3
In the Exceptions section, enter the Source IP Address and Destination Address of the
exception in CIDR format.
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any or as *.
STEP 4
STEP 5
Click Save.
On the Filters page, select and view one of the following pages from the Open menu items:
Filters - Attack/Policy Filters Main List
Filters - Attack Protection Filters Main List
Filters - Security Policy Filters Main List
STEP 1
Locate the filter and click the Filter Exception icon. The edit page displays.
STEP 2
On the edit page of the filter, click the Delete icon next to the exception you would like to
remove.
STEP 3
Click Save.
conditions are met. To have the filter affect all traffic, you can configure a Limit rule with wildcard
characters through the CLI using the following command:
conf t protection-settings perf-limit add * * -segment 1
On the Filters page, select the Open > Application Protection > Application
Settings menu item. The Filters - Application Protection Filters Settings page displays.
STEP 2
STEP B
STEP C
Select a Segment from the drop-down list. You can also select All Segments. Segmental assignment
applies the exception or restriction to a specified segment rather than to the entire device. If you
select All Segments, the setting affects the traffic of all segments on the device.
STEP 3
STEP 4
Click Save.
On the Filters page, select the Open > Application Protection > Application
Settings menu item. The Filters - Application Protection Filters Settings page displays.
STEP 2
In the Exceptions section, enter the Source IP Address and/or Destination Address in
CIDR format.
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any or as *.
STEP 3
Select a Segment from the drop-down list. Segmental assignment applies the exception or
restriction to a specified segment rather than to the entire device. If you do not select a segment, the setting affects the traffic of all segments on a device.
STEP 4
STEP 5
Click Save.
On the Filters page, select the Open > Application Protection > Global Settings
menu item. The Filters - Application Protection Filters Settings page displays.
STEP 1
To delete an IP address limit setting or exception, click the Delete icon next to the entry.
STEP 2
Click Save.
Infrastructure Protection
Infrastructure Protection is a pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attacks. These filters combine traffic
normalization, Advanced DDoS protection, and network equipment protection; Infrastructure
Protection filters include Advanced DDoS, Network Equipment Protection, and Traffic Normalization
filters.
Advanced DDoS filters detect and protect a network against request floods, known as Denial of
Service attacks. The LSM can detect and block flood attacks such as SYN floods. Reconnaissance
filters detect and block anomalies in traffic patterns. Traffic Normalization filters block network
traffic that is considered malicious.
Infrastructure Protection profiles include the following types of filters:
Advanced DDoS Filters Category of filters that detect and block randomized requests, unsolicited
responses, amplifiers, reflectors, zombies, bots, and indistinguishable requests attacks against the
system.
Note: Only E-Series devices include Advanced DDoS Protection option filters,
such as UnityOne-100E and UnityOne-5000E. All other IPS models (not E-Series)
running 2.x TOS do not have DDoS filter support.
If you are using a UnityOne-5000E, refer to Advanced DDoS Filters for UnityOne5000E on page 64 for instructions on Advanced DDoS filters. The screens differ
for this device model.
For more information on upgrading your system with Advanced DDoS Protection
and purchasing E-Series devices, contact your TippingPoint Sales Representative.
Network Equipment Protection Filters Category of filters that detect and block exploit based
attacks against networked equipment.
Traffic Normalization Filters Category of filters that detect and manage traffic on a network. These
filters are enabled and use the Block action set by default. The filters support Block and/or Notify
options for action sets and check for the following conditions:
Invalid TCP header flags
Invalid IP fragments
Invalid TCP reassembly
Unsolicited requests
Traffic Threshold Filters Category of filters that detect statistical changes in traffic patterns. These
filters are set up by the user of the device.
The list shows these columns: Filter Name, Destination IP, Segment, Direction, SYN Proxy, CPS, Connection Flood, Functions.
The Filters - DDoS Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Create an Advanced DDoS Filter
Edit an Advanced DDoS Filter
Deleting Filters
Note: To create an exception for a DDoS filter, you must first create the filter.
After creation, you can edit the filter to add exceptions.
Advanced DDoS attack types and solutions (the table's Description column is missing here). Attack types: Randomized Requests, Unsolicited Responses, Amplifier, Reflector, Indistinguishable Request. Solutions listed: Host Limiting, Stateful Connection Support, Session Limiting.
On the Filters page, select the Open > Infrastructure Protection > DDoS menu item.
The Filters - DDoS Filters Main List page displays.
STEP 2
Note: If the screen looks different, you may be accessing a UnityOne-5000E. If so,
see Advanced DDoS Filters for UnityOne-5000E on page 64.
STEP 3
STEP 4
STEP B
Select a Segment.
STEP C
STEP D
STEP 5
STEP 6
STEP 7
STEP 8
Check the box Enable for SYN Proxy. Manually enabling this option provides traps
for SYN floods, rather than using firewall blocks.
STEP B
Enter the number of SYN requests allowed per second for the Threshold.
STEP B
Enter the number of maximum average connections allowed per second for the
Threshold.
STEP B
Click Create.
On the Filters page, select the Open > Infrastructure Protection > DDoS menu item.
The Filters - DDoS Filters Main List page displays.
STEP 2
STEP 1
Note: If the screen looks different, you may be accessing a UnityOne-5000E. If so,
see Advanced DDoS Filters for UnityOne-5000E on page 64.
STEP 3
STEP 4
STEP 5
STEP 6
STEP 7
STEP 8
STEP A
STEP B
Select a Segment.
STEP C
STEP D
Check the box Enable for SYN Proxy. Manually enabling this option provides traps
for SYN floods, rather than using firewall blocks.
STEP B
Enter the number of SYN requests allowed per second for the Threshold.
STEP B
Enter the number of maximum average connections allowed per second for the
Threshold.
STEP B
STEP B
Click Save.
safe or accepted IP address. It attempts to flood the network by sending more connections than the
system can handle. These attacks do not harm data, but the flood can deny users access and
connections to networks and services.
When using Advanced DDoS Protection filters, you must place the IPS device in a Symmetric Network.
The device must see both sides of the traffic.
Note: Advanced DDoS Protection Filters function only in a symmetric network
configuration. You must disable Asymmetric Mode for your device. See TSE
General Configuration on page 159.
The following is the Filters - DDoS Filters Main List page:
Figure 3 - 19: Filters - DDoS Filters Main List Page for UnityOne-5000E
The Global Settings section provides the preference settings for Advanced DDoS protection. You can
select the following protection options: SYN Proxy, CPS, and Connection Flood. The section also
allows you to enter the following:
CPS Threshold Indicates the threshold setting for the CPS option. The amount is the average
number of connections allowed per second.
Connection Flood Threshold Indicates the threshold setting for the Connection Flood option.
The amount is the average number of open connections allowed.
The list shows these columns: Filter Name, Destination IP, Segment, Direction, SYN Proxy, Functions.
The Filters - DDoS Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Create an Advanced DDoS Filter for the UnityOne-5000E
Edit an Advanced DDoS Filter for the UnityOne-5000E
Deleting Filters
Note: To create an exception for a DDoS filter, you must first create the filter.
After creation, you can edit the filter to add exceptions.
On the Filters page, select the Open > Infrastructure Protection > DDoS menu item.
The Filters - DDoS Filters Main List page displays.
STEP 2
Note: If the screen looks different, you may be accessing a UnityOne E Series
other than a UnityOne-5000E. If so, see Advanced DDoS Filters on page 56.
STEP 4
STEP B
Select a Segment.
STEP C
STEP D
STEP 5
In the Thresholds section, enter the number of SYN requests allowed per second. Settings for
CPS and Connection Flood are entered on the main DDoS page.
STEP 6
Click Create.
On the Filters page, select the Open > Infrastructure Protection > DDoS menu item.
The Filters - DDoS Filters Main List page displays.
STEP 2
STEP 1
Note: If the screen looks different, you may be accessing a UnityOne E Series
other than a UnityOne-5000E. If so, see Advanced DDoS Filters on page 56.
STEP 2
STEP 3
STEP B
Select a Segment.
STEP C
STEP D
STEP 4
In the Thresholds section, enter the number of SYN requests allowed per second. Settings for
CPS and Connection Flood are entered on the main DDoS page.
STEP 5
Click Save.
The list shows these columns: Filter Name, Segment, Control, Action, State, Functions.
Viewing Filters
Searching Filters
Creating New Filters
Edit a Network Equipment Protection Filter
Deleting Filters
On the Filters page, select the Open > Infrastructure Protection > Network
Equipment menu item. The Filters - Network Equipment Filters Main List page displays.
STEP 2
STEP 3
STEP 4
STEP 5
STEP 6
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: applies the global adaptive filter settings.
Do not apply adaptive configuration settings to this filter: removes any global adaptive filter
settings for this filter.
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
The following is the Filters - Traffic Normalization Filters Main List page:
Figure 3 - 24: Filters - Traffic Normalization Filters Main List Page
The list shows these columns: Filter Name, Segment, Control, Action, State, Functions.
The Filters - Traffic Normalization Filters Main List page includes the following options:
Edit a Normalization Filter
Viewing Filters
Note: You can create Traffic Normalization filters with the same name as existing
filters, and in the same profile. The LSM gives each filter a unique ID, using that
ID as reference in the system.
Edit a Normalization Filter
STEP 1
On the Filters page, select the Open > Infrastructure Protection > Traffic Normalization
menu item. The Filters - Traffic Normalization Filters Main List page displays.
STEP 2
STEP 3
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
Note: If you select Recommended as the action set, this sets all filters to Block.
If you assign the Permit+Notify action to a Traffic Normalization filter, packets
matching the rule are logged and passed without further inspection. This differs
from normal packet processing and can introduce vulnerabilities, because the
malformed traffic the filter was meant to drop reaches the protected hosts
uninspected. When you select a non-blocking action set or create an exception
to a Normalization filter, the system notifies you.
If you select a rate limit, it applies only to TCP, UDP, or ICMP traffic.
STEP 4
STEP 5
STEP 6
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: applies the global adaptive filter settings.
Do not apply adaptive configuration settings to this filter: removes any global adaptive filter
settings for this filter.
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
Thresholds are expressed as a percentage of normal traffic. For example, a threshold of 120% fires if
traffic exceeds the normal amount by 20%, and a threshold of 80% fires if traffic drops 20% below the
normal amount.
Thresholds trigger when traffic crosses the set amounts. When traffic exceeds a threshold and later
returns to normal levels, the system generates an alert. These alerts tell you which filter triggered,
when the threshold was exceeded and when traffic returned to normal, and by how much the threshold
was exceeded, above or below normal. Once the filter triggers, you must reset it before it is active
again. The filter is not disabled, but it does require resetting.
Note: A triggered Traffic Threshold filter performs no functions until you
manually reset it. Resetting a triggered filter is not the same as enabling or
disabling a filter. See Reset a Traffic Threshold Filter on page 83.
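The threshold semantics above, as an added Python model written for this page (not LSM code): percentage-of-normal thresholds, an event when a threshold is crossed and another when traffic returns to normal, and a triggered state that latches until reset() is called. The class names, the use of the mean of the historical samples as "normal", the major-before-minor evaluation order, and the sample rates are assumptions made for the example.

```python
"""Traffic Threshold filter semantics: percentage-of-normal thresholds, alerts on
crossing and on return to normal, and a triggered state that latches until reset.
Added example for this page, not LSM code; names and baseline are assumptions."""
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional


@dataclass
class Threshold:
    name: str          # "Above Normal Major", "Above Normal Minor", "Below Normal Major", ...
    percent: float     # percentage of normal: 120 fires at +20%, 80 fires at -20%
    action_set: str    # action set applied when the threshold fires
    enabled: bool = True

    def crossed(self, rate: float, normal: float) -> bool:
        level = normal * self.percent / 100.0
        return rate > level if self.percent >= 100 else rate < level


@dataclass
class TrafficThresholdFilter:
    name: str
    units: str                           # "packets", "bytes" or "connections" per second
    history: List[float]                 # samples over the chosen period (minute, hour, day, ...)
    thresholds: List[Threshold]
    triggered_by: Optional[str] = None   # latched threshold name; None while armed
    events: List[str] = field(default_factory=list)
    _awaiting_return: bool = False

    @property
    def normal(self) -> float:
        """Baseline: here the mean of the historical samples (an assumption)."""
        return mean(self.history)

    def observe(self, rate: float) -> Optional[str]:
        """Feed one units/second sample. Returns the action set to apply, or None."""
        normal = self.normal
        if self.triggered_by is not None:
            # Latched: the filter performs no function until reset, but the
            # return to normal is still reported once.
            thr = next(t for t in self.thresholds if t.name == self.triggered_by)
            if self._awaiting_return and not thr.crossed(rate, normal):
                self.events.append(f"{self.name}: returned to normal after {thr.name}")
                self._awaiting_return = False
            return None
        # Check the more severe (major) thresholds before the minor ones.
        for thr in sorted(self.thresholds, key=lambda t: abs(t.percent - 100), reverse=True):
            if thr.enabled and thr.crossed(rate, normal):
                change = 100.0 * (rate - normal) / normal
                self.events.append(
                    f"{self.name}: {thr.name} crossed ({change:+.0f}% vs normal {self.units}/s)")
                self.triggered_by = thr.name
                self._awaiting_return = True
                return thr.action_set
        return None

    def reset(self) -> None:
        """Manual reset (not the same as enabling or disabling): re-arms the filter."""
        self.triggered_by = None
        self._awaiting_return = False


def make_example_filter() -> TrafficThresholdFilter:
    """Constructed filter: baseline of 100 packets/s over the last minute."""
    return TrafficThresholdFilter(
        name="dns-pps-seg1", units="packets", history=[100.0] * 60,
        thresholds=[
            Threshold("Above Normal Major", 150, "Block + Notify"),
            Threshold("Above Normal Minor", 120, "Notify"),
            Threshold("Below Normal Major", 50, "Notify"),
            Threshold("Below Normal Minor", 80, "Notify"),
        ])


if __name__ == "__main__":
    f = make_example_filter()
    for sample in (110, 130, 200, 100, 200):   # constructed packets/s samples
        print(sample, f.observe(sample), f.triggered_by)
    f.reset()
    print(200, f.observe(200), f.triggered_by)
    print("\n".join(f.events))
```

The third sample (200 packets/s) produces no action because the filter is already latched on the minor threshold; only after reset() does the major threshold fire with its own action set.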
At times, a Traffic Threshold filter can trigger multiple times. The filter could be triggering falsely due
to threshold settings not matching the new traffic behavior of your system, or other such issues. The
system lists the top ten (10) filters disabled either manually or automatically on the Configure - TSE
Adaptive Filter Configuration page. See TSE Adaptive Filter Configuration on page 161.
To view the logs for traffic threshold events, you can click on the Threshold link in the System Stats
bar. Traffic Threshold filter events can be found in the alert and block logs, based on the action set of
the filter. When you click the Threshold link, the default view displays the Traffic Threshold filter
events in the Alert Log Search Results page. To review the entries in the block log, click the Logs tab
and search the block log for those results.
You can create and manage these filters on the Filters - Traffic Threshold Filters Main List page.
Note: When you create a Traffic Threshold filter, you do not need to copy the
filter first and modify it. You can create an entirely new filter. See Create a Traffic
Threshold Filter on page 80.
The following is the Filters - Traffic Threshold Filters Main List page:
Figure 3 - 26: Filters - Traffic Threshold Filters Main List Page
The list shows these columns: Filter Name, Segment, Units, Period, Threshold Above, Threshold Below, Functions.
Units The number of selected units per second. The unit values include packets, bytes, and
connections.
Period The period of time for the historical data. The period values include the last minute, hour,
day, 7 days, 30 days, and 35 days.
The Filters - Traffic Threshold Filters Main List page includes the following options:
Viewing Filters
Create a Traffic Threshold Filter
Edit a Traffic Threshold Filter
Reset a Traffic Threshold Filter
On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.
STEP 2
STEP 3
STEP 4
Select a Segment.
STEP B
STEP C
Select the Units per Second and the amount to be based on.
The unit values include packets, bytes, and connections. The period values
include the last minute, hour, day, 7 days, 30 days, and 35 days.
STEP D
The monitor only option sets the system to generate a report without triggering
traffic thresholds.
STEP 5
STEP 6
For Thresholds, you can modify up to 4 thresholds for each filter: minor increase over normal, major increase over normal, minor drop below normal, and major drop below normal.
Each threshold is a percentage change from the normal baseline.
STEP A
For Above Normal Major, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.
STEP B
For Above Normal Minor, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.
STEP C
For Below Normal Major, select the Enabled check box, enter a percentage amount
of normal, and enter an action set.
STEP D
For Below Normal Minor, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.
STEP 7
Click Save.
On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.
STEP 2
STEP 3
STEP 4
Select a Segment.
STEP B
STEP C
Select the Units per Second and the amount to be based on.
The unit values include packets, bytes, and connections. The period values
include the last minute, hour, day, 7 days, 30 days, and 35 days.
STEP D
STEP 5
STEP 6
For Thresholds, you can modify up to 4 thresholds for each filter: minor increase over normal, major increase over normal, minor drop below normal, and major drop below normal.
Each threshold is a percentage change from the normal baseline.
STEP A
For Above Normal Major, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.
STEP B
For Above Normal Minor, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.
STEP C
For Below Normal Major, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.
STEP D
For Below Normal Minor, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.
STEP 7
Click Save.
On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.
STEP 2
STEP 3
Performance Protection
Performance Protection is a pillar of filter types that allow key applications to have prioritized access to
bandwidth. These filters ensure mission critical applications have adequate performance during times
of high congestion. These filters include misuse and abuse and traffic management filters.
Traffic management filters allow users to define policies with specific actions. Performance Protection
profiles include the following types:
Misuse and Abuse Filters Category of filters that allow you to manage policy around nonproductive or potentially illegal applications. Initially this includes peer-to-peer management, where
the user may apply block or shape actions across the category or on an individual basis.
Traffic Management Filters Category of filters that permit, rate limit or block traffic based on
header-level information such as source and destination addresses, ports, protocols, and (if
applicable) on ICMP type/code.
You can view Misuse and Abuse filters loaded on your IPS. The following is the Filters - Misuse and
Abuse Filters Main List page:
Figure 3 - 29: Filters - Misuse and Abuse Filters Main List Page
The list shows these columns: Filter Name, Segment, Control, Action, State, Functions.
Note: Misuse and Abuse filters can only use blocking action sets: block, block +
notify, and block + notify + trace. The permit action sets are not available for
Misuse and Abuse filters.
The Filters - Misuse and Abuse Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Deleting Filters
Edit a Misuse and Abuse Filter
Performance Protection Settings
On the Filters page, select the Open > Performance Protection > Misuse and Abuse
menu item. The Filters - Misuse and Abuse Main List page displays.
STEP 2
STEP 3
In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A
STEP B
STEP C
STEP 4
STEP 5
STEP 6
Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: applies the global adaptive filter settings.
Do not apply adaptive configuration settings to this filter: removes any global adaptive filter
settings for this filter.
Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
STEP A
STEP B
STEP C
Click Save.
Source Address  Destination Address  Protocol  Source Port  Destination Port  Action
any             any                  UDP       any          53                Allow
any             any                  UDP       any          any               Block
any             any                  ICMP      any          any               20 Mbps rate-limit
any             1.2.3.4              TCP       any          80                Allow
any             any                  TCP       any          80                Block
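How an ordered rule table like the one above is evaluated, as an added Python example written for this page (not LSM code). It assumes rules are matched top-down with the first match winning, that protocol IP matches every protocol, that ICMP type and code are checked only when set on a rule, and that a packet matching no rule falls through to normal IPS inspection; the rule class, helper names and sample packets are constructed for the example. It also shows why order matters: the DNS Allow must precede the catch-all UDP Block, and the Allow for 1.2.3.4 must precede the HTTP Block.

```python
"""First-match evaluation of an ordered Traffic Management rule table.
Added example for this page, not LSM code; evaluation order, the meaning of
protocol "IP", and the fall-through default are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARDS = ("any", "*")


def ip_matches(pattern: str, addr: str) -> bool:
    if pattern in WILDCARDS:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: Optional[int]) -> bool:
    return pattern in WILDCARDS or (port is not None and int(pattern) == port)


@dataclass(frozen=True)
class TMRule:
    src: str
    dst: str
    proto: str                        # "IP", "ICMP", "TCP" or "UDP"
    sport: str
    dport: str
    action: str                       # "Allow", "Block", "<rate> rate-limit", ...
    icmp_type: Optional[int] = None   # 0-255 when set
    icmp_code: Optional[int] = None   # 0-255 when set

    def __post_init__(self):
        for v in (self.icmp_type, self.icmp_code):
            if v is not None and not 0 <= v <= 255:
                raise ValueError("ICMP type/code must be 0-255")

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "IP" and self.proto != pkt["proto"]:
            return False
        if not (ip_matches(self.src, pkt["src"]) and ip_matches(self.dst, pkt["dst"])):
            return False
        if self.proto in ("TCP", "UDP") and not (
                port_matches(self.sport, pkt.get("sport"))
                and port_matches(self.dport, pkt.get("dport"))):
            return False
        if self.proto == "ICMP":
            if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
                return False
            if self.icmp_code is not None and pkt.get("icmp_code") != self.icmp_code:
                return False
        return True


def evaluate(rules: List[TMRule], pkt: Dict, default: str = "Inspect") -> str:
    """Return the action of the first rule that matches, else `default`
    (no match: the packet goes on to normal IPS inspection)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The table above, in the order it is listed.
TABLE = [
    TMRule("any", "any", "UDP", "any", "53", "Allow"),
    TMRule("any", "any", "UDP", "any", "any", "Block"),
    TMRule("any", "any", "ICMP", "any", "any", "20 Mbps rate-limit"),
    TMRule("any", "1.2.3.4", "TCP", "any", "80", "Allow"),
    TMRule("any", "any", "TCP", "any", "80", "Block"),
]


def pkt(proto, src, dst, sport=None, dport=None, **icmp):
    """Constructed sample packet header (dict with the fields the rules look at)."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, **icmp)


if __name__ == "__main__":
    samples = [
        pkt("UDP", "10.0.0.5", "192.0.2.53", 51000, 53),
        pkt("UDP", "10.0.0.5", "192.0.2.53", 51000, 123),
        pkt("ICMP", "10.0.0.5", "192.0.2.1", icmp_type=8, icmp_code=0),
        pkt("TCP", "10.0.0.5", "1.2.3.4", 40000, 80),
        pkt("TCP", "10.0.0.5", "5.6.7.8", 40000, 80),
        pkt("TCP", "10.0.0.5", "5.6.7.8", 40000, 443),
    ]
    for p in samples:
        print(p["proto"], p["dst"], p["dport"], "->", evaluate(TABLE, p))
    # Swap the first two rules and the DNS Allow is swallowed by the UDP Block.
    print("reordered DNS:", evaluate([TABLE[1], TABLE[0]], samples[0]))
```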
The following is the Filters - Traffic Management Filters Main List page:
Figure 3 - 31: Filters - Traffic Management Filters Main List Page
The list shows these columns: Filter Name, Segment, Action, Protocol (the protocol the filter checks for: IP, ICMP, TCP, or UDP), Source Address, Source Port, Destination Address, Destination Port, State, Functions.
The Filters - Traffic Management Filters Main List page includes the following options:
Viewing Filters
Searching Filters
Deleting Filters
Create a Traffic Management Filter
Edit a Traffic Management Filter
Note: You can create Traffic Management filters with the same name as existing
filters, and in the same profile. The LSM gives each filter a unique ID, using that
ID as reference in the system.
On the Filters page, select the Open > Performance Protection > Traffic
Management menu item. The Filters - Traffic Management Filters Main List page
displays.
STEP 2
STEP 3
STEP 4
In the Filter Parameters section, select the parameters for the filter:
STEP 5
STEP A
Select either Block or Rate Limit (and a data flow rate) for the Action.
STEP B
Select the Segment that this IP filter will protect from the drop-down list.
STEP C
Click the radio button to select the Direction of the traffic being filtered (port A to B
or B to A)
STEP D
Select Trusted for trusted traffic. This traffic will not be inspected by the IPS.
Select the Protocol this filter checks for from the drop-down list: IP, ICMP, TCP, or UDP.
STEP 6
Enter the source information: the IP Address and Port (if applicable).
STEP 7
Enter the destination information: the IP Address and destination Port (if applicable).
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any, or as *.
STEP 8
Enter the ICMP information: the ICMP Type (if applicable, 0-255) and the ICMP Code (if
applicable, 0-255).
STEP 9
Click Create.
On the Filters page, select the Open > Performance Protection > Traffic
Management menu item. The Filters - Traffic Management Filters Main List page
displays.
STEP 2
Click the Edit icon of the filter you want to edit. The Traffic Management Filters Detail/Edit
page displays.
STEP 3
STEP 4
Select either Block or Rate Limit (and a data flow rate) for the Action.
STEP B
Select the Segment that this IP filter will protect from the drop-down list.
STEP C
Click the radio button to select the Direction of the traffic being filtered (port A to B
or B to A)
STEP 5
Select the Protocol this filter checks for from the drop-down list: IP, ICMP, TCP, or UDP.
STEP 6
Modify the source information: the IP Address and Port (if applicable).
STEP 7
Modify the destination information: the IP Address and destination Port (if applicable).
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any or as *.
STEP 8
Modify the ICMP information: the ICMP Type (if applicable) and the ICMP Code (if applicable).
STEP 9
Click Save.
On the Filters page, select the Open > Performance Protection > Application
Settings menu item. The Filters - Misuse and Abuse Filters Settings page displays.
STEP 2
STEP B
STEP C
STEP 3
Click add to table below. The IP address appears in the address table.
STEP 4
Click Apply.
On the Filters page, select the Open > Performance Protection > Application
Settings menu item. The Filters - Performance Protection Filters Settings page displays.
STEP 2
In the Limit Filters to the following IP addresses section, click the Delete icon next to the
IP address that you want to remove from the table.
STEP 3
Click Apply.
Category Settings
Category Settings let you change, enable, and disable global action settings for filter categories.
These categories can be set for the system at large or customized per segment. Use them to manage
many filters at once rather than editing each filter one by one.
Each filter category is assigned a default action set. Category Settings lets you change the category
action set for each filter category. The available actions differ between the pillar types of filters.
Each filter category also has a default state that initially enables or disables all filters of that
category type.
When you override the category settings for a particular filter, you edit the specific filter rather than the
category. However, when you disable a filter category, all filters of that category are disabled regardless
of overridden settings.
Note: If you wish to override the category action for a particular filter, you must
also override the filter's state and either enable or disable the filter individually.
However, if the category setting is enabled, the filter may still display as enabled.
See Enable a Single Filter (Override Category Control) on page 98 for more
information.
You can modify category settings globally or per segment. By default, active filters apply to all
segments on your IPS device. These are modified in the Global Category Settings table. A segmental
attack filter applies to a particular segment on the IPS you select. You might create a segmental attack
filter that has a different action set from the global filter if you want one segment to respond differently
from the rest of the system. These are added and modified in the Segment Category Settings table.
Note: The state of a filter may indicate the filter is enabled even if it is disabled
for a particular segment and enabled for others. If you set the category to be
globally enabled yet disable a filter in that category for a segment, the filter
continues to display as enabled. See Enabling Filters on page 98 and Disabling
Filters on page 99.
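The interaction of global, segmental and per-filter settings described above, as an added Python model written for this page (not LSM code): the segment-specific category setting overrides the global one for that segment, a filter-level override replaces the category action and state, a disabled category disables every filter in it regardless of overrides, and the State column on the filter list reflects only the global setting. The data layout, names and sample values are assumptions for the example; segments_where_disabled() is the check to run before trusting the displayed state.

```python
"""Effective filter state per segment under Category Settings.
Added example for this page, not LSM code; layout and names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Setting = Tuple[bool, str]   # (enabled, action set)


@dataclass
class Filter:
    name: str
    category: str
    override: Optional[Setting] = None   # set when "Override" is chosen on the filter


class CategorySettings:
    def __init__(self, global_settings: Dict[str, Setting]):
        self.global_settings = global_settings                       # Global Category Settings table
        self.segment_settings: Dict[Tuple[str, str], Setting] = {}   # Segmental Category Settings table

    def add_segment_setting(self, segment: str, category: str, enabled: bool, action: str) -> None:
        self.segment_settings[(segment, category)] = (enabled, action)

    def category_for(self, segment: Optional[str], category: str) -> Setting:
        """Segment-specific setting if one exists, otherwise the global setting."""
        if segment is not None and (segment, category) in self.segment_settings:
            return self.segment_settings[(segment, category)]
        return self.global_settings[category]

    def effective(self, flt: Filter, segment: str) -> Setting:
        """What the TSE actually does with `flt` on `segment`."""
        cat_enabled, cat_action = self.category_for(segment, flt.category)
        if not cat_enabled:
            return (False, cat_action)     # a disabled category wins over any override
        if flt.override is not None:
            return flt.override
        return (True, cat_action)

    def displayed_state(self, flt: Filter) -> bool:
        """State shown on the filter list page: global category setting plus any override,
        with no regard to segmental settings."""
        cat_enabled, _ = self.global_settings[flt.category]
        if not cat_enabled:
            return False
        return flt.override[0] if flt.override is not None else True

    def segments_where_disabled(self, flt: Filter, segments: List[str]) -> List[str]:
        """The check a practitioner wants: on which segments is this filter really off?"""
        return [s for s in segments if not self.effective(flt, s)[0]]


if __name__ == "__main__":
    # Constructed settings: Attack Protection on globally, off on segment 1B.
    cs = CategorySettings({"Attack Protection": (True, "Block + Notify"),
                           "Informational": (False, "Permit + Notify")})
    cs.add_segment_setting("1B", "Attack Protection", False, "Block")
    f = Filter("1234: example attack filter", "Attack Protection")
    print("displayed:", cs.displayed_state(f))
    for seg in ("1A", "1B", "2A"):
        print(seg, cs.effective(f, seg))
    print("disabled on:", cs.segments_where_disabled(f, ["1A", "1B", "2A"]))
```

The filter displays as enabled yet is disabled on segment 1B; the per-segment resolution is the only way to see that.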
The Filters - Category Settings page consists of two sections. The first section details the Global
Category Settings Table, as follows:
Figure 3 - 34: Filters - Category Settings Page - Global Category Settings Table
The second section details the Segmental Category Settings Table, as follows:
Figure 3 - 35: Filters - Category Settings Page - Segmental Category Settings Table
You can set global category settings for filters across all segments or for specific segments. As you enter
settings in the Global Category Settings Table according to segment, the values display with the
appropriate segment in the Segmental Category Settings Table. You can edit or delete these settings
from the Segmental Category Settings Table as needed.
Add a Global Category Setting
STEP 1
On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.
STEP 2
For each filter category in the Global Category Settings Table, select a global action from
the drop-down menu.
Check the Enabled box above the Category you want to enable.
STEP 4
STEP 5
Click add to table below. The settings display in the Segmental Category Settings Table.
Note: Repeat the process of action and segment configuration as needed (steps 2
through 5).
STEP 6
STEP 7
Click OK.
On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.
STEP 2
In the Segmental Category Settings Table, modify the Application Protection, Infrastructure Protection, and Performance Protection category settings.
You can enable a category by choosing an action from its drop-down menu and checking the Enabled box, or disable a category by clearing its Enabled box.
STEP 3
From the Segment drop-down menu, select the segment for which you want to create the category setting.
STEP 4
Click Apply. A confirmation message displays informing you the change may take some time
to enact.
STEP 5
Click OK.
On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.
STEP 2
In the Segmental Category Settings Table, click the Delete icon next to the segmental category setting you want to delete.
STEP 3
Click Apply. A confirmation message displays informing you the change may take some time
to enact.
STEP 4
Click OK.
Enabling Filters
You can enable filters either on a category basis, or on an individual basis. When you enable a category
filter, you enable all of the filters in that category. These enabled filters use the global actions selected
when the filter category is enabled.
You can also override the category setting on a particular filter. You may want a filter to enact a set of actions that differs from the global actions for the filter's category. To override the global settings, you enable a different set of actions directly on the filter itself.
Note: When you enable a category of filters through the Category Settings page,
you only enable filters that have not been specifically set to override category
control. Overridden filters retain the action settings set.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.
On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.
STEP 2
Check the Enabled box above each Category Action that you want to enable.
STEP 3
Click Apply. A confirmation message displays informing you the change may take some time
to enact.
STEP 4
Click OK.
STEP 1
STEP 2
Click the Edit icon next to the filter you want to override. The edit page for the filter displays.
STEP 3
STEP 4
STEP 5
STEP 6
Click Save.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.
Disabling Filters
The IPS comes loaded with a comprehensive set of filters. You may not need all of these filters running
at all times. Through the LSM, you can disable all filters of a specific category. In instances when you
want to keep a few filters running of a specific category, you can override specific filters to be disabled.
You can disable filters either on a category basis or on an individual basis. When you disable a filter
category, you disable all filters in that category regardless of any overridden settings. When you disable
an overridden filter, you disable only that filter.
For example, a filter that protects a particular type of web server against attack may not be necessary if
you do not have that type of web server installed. You could disable that filter by overriding its settings.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.
On the Filters page, select the Open > Category Settings menu item. The Category
Settings page displays.
STEP 2
Uncheck the Enabled box for each Category Action that you want to disable.
STEP 3
Click Apply. A confirmation message displays informing you the change may take some time
to enact.
STEP 4
Click OK.
STEP 2
Click the Edit icon next to the filter you want to edit. The edit page for the filter displays.
STEP 3
Select the Use Category Settings radio button in the Parameters section. The filter changes
to use the global settings for the filter category.
STEP 4
Click Save.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.
Action Sets
Action Sets determine what the IPS does when a packet triggers a filter. An action set can contain more
than one action, and can contain more than one type of action. The types of action that can be
specified include the following:
Flow Control determines where a packet is sent after it is inspected. A permit action allows a
packet to reach its intended destination. A block action discards a packet. A rate limit action enables
you to define a maximum bandwidth.
Packet Trace allows you to capture all or part of a suspicious packet for analysis. You can set the
packet trace priority and packet trace verbosity for action sets.
Priority sets the relative importance of the information captured. Low priority items will be
discarded before medium priority items if there is a resource shortage.
Verbosity determines how much of a suspicious packet will be logged for analysis. If you
choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can
choose how many bytes of the packet (from 64 to 1600 bytes) the packet trace log records.
Notification Contacts indicate the contacts to notify about the event. These contacts can be
systems, individuals, or groups.
Note: If you are going to create a new action set that includes an alert action, you
should view the notification contacts to see what contacts are currently defined
first. If you are going to create a notification contact for the action set, you must
do so before you create an action set. See Notification Contacts on page 106 for
more information.
Action sets include the following types of actions:
Table 3 - 17: Available Actions
Action Name
Description
Permit + Notify
Permits a packet, notifies all selected contacts of the packet, and logs all information about the packet according to the packet trace settings
Recommended
You can also add the TCP reset option to Block action sets. This option enables the device to reset
blocked TCP flows. You can set the option to reset the source or destination IP. The TCP Reset can also
affect both sides of the connection, source and destination.
Note: You should use the TCP reset option when you experience issues with
certain mail clients and servers on email related filters. Globally enabling this
option may negatively impact your system performance.
The Blacklist option, available with Block actions, blocks packets based on the IP addresses in the packet that triggers the filter. This allows you to block all traffic from the host that launched the attack instead of just the one flow from that host.
When a filter with a Blacklist option triggers, the system installs two blocks: one for the flow (as is
normally done with Block actions) and another for the blacklisted IP address. You can review and flush
the blocked flows in LSM on the Configure TSE Connection Table (Blocked Streams) page and
the blacklisted IP addresses on the Configure TSE Connection Table (Blacklisted Streams).
In addition to installing the two blocks, the system enacts any further actions based on the action set,
such as notifications. If the filter action set is set to specific segment, the IP address is blocked only to
that segment and not the entire IPS.
Blacklisted IP addresses remain in effect for 3 minutes or until flushed. Blocked flows remain in effect
for 1800 seconds or until flushed. See TSE Blacklisted Streams on page 170.
Description
Action Set
Action(s)
TCP Reset
The option to reset a TCP connection used with Block action sets
Blacklist
The option to block on IP for a triggered filter used with Block action sets
Packet Trace
Contact(s)
Functions
Contains icons that allow you to perform filter operations. These icons are shown in the
table entitled Functions Icons
You can sort the action set listings by characteristics. There is a link at the top of each column on the
Actions - Main List page. Click on the link of the column by which you would like to sort. For example,
to sort by the packet trace setting, click the (Packet Trace) link at the head of the column. Only the
items in that list are sorted; if you are displaying items 1-50, then 1-50 are sorted.
Rate Limiting
A rate limiting action set defines a maximum bandwidth that can be used by traffic that matches filters
assigned to that action set. Incoming traffic in excess of this bandwidth is dropped. If two or more
filters use the same rate limiting action set, then all packets matching these filters share the bandwidth.
For example, if filters 164 (ICMP Echo Request) and 161 (ICMP Redirect Undefined Code) use the
same 10 Mbps action set, then both Echo Requests and Redirect Undefined Codes filters share the
10 Mbps pipe as opposed to each filter getting a dedicated 10Mbps pipe.
The supported rates are subject to restrictions according to the device model. Any of these listed rates can be used as long as it does not exceed 25 percent of the total bandwidth of the product.
The following table details the models and their supported rates.
Table 4: Rate Limit Rates per Model
IPS Model    Supported Rates (listed in Kbps)
50           1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40
100E         1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83
200          1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83
400          1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200
1200         1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500
2400         1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500, 1000
5000E        1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500, 1000
Note: The rates are not implemented exactly according to rate; higher rates are less precise. For example, on a 5000E device, the observed rate on a 125 Mbps limiter will be closer to 130 Mbps.
On the Filters page, select the Open > Action Sets menu item. The Filters - Actions Main List displays.
STEP 2
STEP 3
STEP 4
STEP 5
Select the priority from the drop-down list: low, medium, or high.
STEP B
Select the verbosity from the drop-down list. If you choose partial verbosity, choose how many bytes of the packet to capture (between 64 and 1600).
STEP 6
Choose one or more Contacts by checking the box next to the appropriate Contact Name. If
there are no contacts displayed, you must Create a Notification Contact first.
STEP 7
Click Create.
On the Filters page, select the Open > Action Sets menu item. The Filters - Actions Main List displays.
STEP 2
Click the Edit icon next to an action set you want to edit. The Filters - Actions Details/Edit
page displays.
STEP 3
STEP 4
STEP 5
Select the priority from the drop-down list: low, medium, or high.
STEP B
Select the verbosity from the drop-down list. If you choose partial verbosity, choose how many bytes of the packet to capture (between 64 and 1600).
STEP 6
Choose one or more Contacts by checking the box next to the appropriate Contact Name. If
there are no contacts displayed, you must Create a Notification Contact first.
STEP 7
Click Save.
Notification Contacts
Alerts are messages that are sent to a specific recipient (either human or machine) when traffic flowing
through the IPS triggers a filter that requires notification. Alert Aggregation determines how
frequently alerts for the same filter will be sent. These alerts are sent to notification contacts set for
action sets.
When you create or edit an action set, you have the option to inform interested parties or contacts about
matching traffic. Contacts include the management console, which encompasses both the SMS and
LSM, email addresses, and the remote syslog. The management console is a predefined contact. All
email contacts must be added to your system.
To use email contacts, you must enter all server and domain configuration settings on the
Configuration page for the IPS device. See Chapter 5 Configure. For all contacts, you must specify an
aggregation period. The aggregation period is the amount of time that the system accrues information
about attack traffic before it sends a notification. For example, an operator may want to be notified
about all UDP flood commands that have occurred within a five-minute period.
Note: The UnityOne limits the number of email alerts sent in a minute. This
feature supplements the currently used aggregation functionality in the UnityOne.
The system by default allows the sending of ten (10) email alerts per minute. On
the first email alert, a 1 minute timer starts, counting the number of email alerts to
send according to the configured limit. Email alerts beyond the limit in a minute
are blocked. After one minute, the system resumes sending email alerts. If any
email alerts were blocked during that minute, the system logs a message to the
system log as follows:
The first time a particular filter is triggered, a notification is sent to the filter contacts. At the same
time, the aggregation timer starts counting down the aggregation period. During the aggregation
period, the system counts other matching packets, but no notification is sent. At the end of the
aggregation period, a notification, including the packet count, is sent. The timer and the counter are
reset, and continue to cycle as long as matching packets continue to arrive.
A remote syslog server is another channel that you can use to report filter triggers. Remote syslog sends
filter alerts to a syslog server on your network. If you intend to use Action Sets that include the Notify
Remote Syslog option, you must create an entry for the devices to use. The system uses collectors for
the settings. Collectors are specified by the required settings for the IP address and port, including
options for a delimiter and facility numbers for alert messages, block messages, and misuse/abuse
messages. The settings for the facilities are optional. Valid delimiters include horizontal tab, comma (,), semicolon (;), and bar (|). For more information on the message and log format, see Create a Notification Contact.
CAUTION: Only use remote syslog on a secure, trusted network. Remote syslog, in
adherence to RFC 3164, sends clear text log messages using the UDP protocol. It does not
offer any additional security protections. Therefore, you should not use remote syslog
unless you can be sure that syslog messages will not be intercepted, altered, or spoofed by
a third party.
Tip: For more information about syslog, consult the syslog server documentation
that came with your operating system or syslog software.
Alert Aggregation
Because a single packet can trigger an alert, attacks featuring large numbers of packets could
potentially flood the alert mechanism. Alert aggregation enables you to receive alert notification at
intervals to prevent this flooding.
For example, if you set the aggregation period to five minutes, you will receive an email at the first
trigger of a filter, and then subsequent alerts will be collected and then sent every five minutes.
Aggregation Period
Alert notification is controlled by the aggregation period that you configure when you Create a
Notification Contact. The aggregation period is the amount of time that the LSM accrues alerts before
it sends a notification. The first time a particular filter is triggered, a notification is sent to the alert
contact target. At the same time, the aggregation timer starts ticking down the aggregation period.
During the aggregation period, further packet triggers are counted, but no notification is sent. At the
end of the aggregation period, a second notification, including the packet count, is sent. The timer and
the counter are reset, and will continue to cycle as long as the filter in question is active.
CAUTION: Short aggregation periods can significantly affect system performance. The
shorter the aggregation period, the higher the system load. In the event of a flood attack, a
short aggregation period can lead to system performance problems.
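The aggregation cycle described above (first trigger notifies at once, later matches are only counted, the count goes out when the period ends) together with the per-minute email limit from the Notification Contacts note, simulated in Python as an added illustration that is not UnityOne code. The class names, the constructed event trace and the wording of the system log message are hypothetical; the guide does not reproduce the actual message.

```python
"""Simulation of LSM alert aggregation plus the per-minute email alert limit.
Added illustration only: AlertAggregator, EmailAlertLimiter and the logged
message wording are hypothetical, not the UnityOne implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Notification:
    filter_id: int
    packet_count: int   # 1 for the immediate first-trigger alert, else packets accrued
    sent_at: float      # simulated time in seconds


@dataclass
class _Period:
    period_end: float   # when the running aggregation period ends
    count: int = 0      # matching packets counted since the period started


class AlertAggregator:
    """Per-filter aggregation timer and counter, as described in the guide."""

    def __init__(self, period_seconds: float) -> None:
        self.period = period_seconds
        self._running: Dict[int, _Period] = {}

    def trigger(self, filter_id: int, now: float) -> Optional[Notification]:
        state = self._running.get(filter_id)
        if state is None:
            # first trigger: notify immediately and start the aggregation timer
            self._running[filter_id] = _Period(period_end=now + self.period)
            return Notification(filter_id, 1, now)
        state.count += 1            # inside a period: count only, no notification
        return None

    def flush_due(self, now: float) -> List[Notification]:
        """Emit a notification for every aggregation period that has ended by now."""
        out: List[Notification] = []
        for filter_id, state in list(self._running.items()):
            if state.period_end > now:
                continue
            if state.count == 0:
                del self._running[filter_id]   # no matches: the cycle stops
                continue
            out.append(Notification(filter_id, state.count, state.period_end))
            state.period_end += self.period     # reset the timer ...
            state.count = 0                      # ... and the counter
        return out


class EmailAlertLimiter:
    """Ten email alerts per minute by default; extra alerts in that minute are
    blocked and a system log message is written when sending resumes."""

    def __init__(self, limit_per_minute: int = 10) -> None:
        self.limit = limit_per_minute
        self._window_start: Optional[float] = None
        self._sent_in_window = 0
        self._blocked_in_window = 0
        self.total_sent = 0
        self.total_blocked = 0
        self.system_log: List[str] = []

    def send(self, now: float) -> bool:
        if self._window_start is None or now - self._window_start >= 60:
            if self._blocked_in_window:
                # constructed wording; the guide does not show the real message
                self.system_log.append(
                    f"{self._blocked_in_window} email alert(s) blocked by per-minute limit")
            self._window_start = now     # the first alert starts the one-minute timer
            self._sent_in_window = 0
            self._blocked_in_window = 0
        if self._sent_in_window < self.limit:
            self._sent_in_window += 1
            self.total_sent += 1
            return True
        self._blocked_in_window += 1
        self.total_blocked += 1
        return False


def run_scenario() -> dict:
    """Constructed ten-minute trace with a five-minute (300 s) aggregation period."""
    agg = AlertAggregator(period_seconds=300)
    mailer = EmailAlertLimiter(limit_per_minute=10)
    sent: List[Notification] = []

    def deliver(note: Optional[Notification]) -> None:
        if note is not None:
            sent.append(note)
            mailer.send(note.sent_at)   # each notification goes to one email contact

    for t in range(600):
        for note in agg.flush_due(t):
            deliver(note)
        deliver(agg.trigger(164, t))    # filter 164 matches once every second
        if t == 10:                     # burst: 25 distinct filters fire once each
            for filter_id in range(1000, 1025):
                deliver(agg.trigger(filter_id, t))
        if t == 50:
            deliver(agg.trigger(161, t))   # filter 161 fires once, then goes quiet
    for note in agg.flush_due(600):
        deliver(note)

    return {
        "counts_164": [n.packet_count for n in sent if n.filter_id == 164],
        "counts_161": [n.packet_count for n in sent if n.filter_id == 161],
        "notifications": len(sent),
        "emails_sent": mailer.total_sent,
        "emails_blocked": mailer.total_blocked,
        "system_log": mailer.system_log,
    }
```

Filter 164 produces one immediate alert and then one notification per period carrying the count, filter 161 produces a single alert and its cycle stops, and the burst at t=10 shows the email limiter blocking alerts beyond ten in a minute and logging that fact when the next window opens.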
Setting Preferences
The notification feature uses default email preferences to pre-fill email contact settings. When you first
set up your IPS, you must define the default email settings for email alerts. Once you define the default
from address, domain name, and SMTP server address, the IPS uses this information for all email
alerts it generates. You can only change the sender information (from) using Set Email Preferences.
You can change the recipient email address (to) when you create or edit a notification contact.
On the Filters page, select the Open > Filters - Notification Contacts menu item. The
Notification Contacts Details/Edit page displays.
STEP 2
Select the Edit > Preferences menu item. The Filters - Contacts Preferences page displays.
STEP 3
STEP 4
STEP 5
STEP 6
STEP 7
Click Save.
Note: You must be sure that the IPS can reach the SMTP server that will be
handling the email notifications. You may have to Add a Network Route on
page 148 so that the IPS can communicate with the SMTP server.
STEP 1
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Create button or select the Edit > Create Contact menu item.
STEP 3
STEP 4
STEP 5
Enter the Aggregation Period. Longer aggregation periods improve system performance.
STEP 6
STEP 7
Optionally, click the Test Email button. If you click the button, the IPS attempts to send an
email message, using the server defined in the default email settings, to the email contact you
are creating.
Note: If the email fails to send properly, check for the following possible causes:
1. Is the default email alert sink configured? See Set Email Preferences on page 108.
2. The email server must be reachable from the IPS. In the CLI, use the PING command to see if you can reach the email server IP.
3. The email server may not allow mail relaying. Make sure you use an account/domain that the email server accepts.
STEP 8
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Edit icon for the entry you want to edit. The appropriate edit page displays.
STEP 3
STEP B
For the Remote System Log (SYSLOG), see Create a Notification Contact on
page 108.
STEP C
For the Management Console (MGMT), enter the name and aggregation period.
STEP D
For the LSM (ALERT), enter the name and aggregation period.
STEP 4
For email contacts only, click the Test Email button. If you click the Test Email button, the IPS will attempt to send an email to the email contact you are editing.
STEP 5
STEP 6
Click OK.
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Edit icon next to the Remote System Log entry. It has the type of SYSLOG.
STEP 3
Edit the IP Address and Port of the host that receives Remote System Log messages.
Tip: Be sure that your IPS can reach the remote system log server on your
network. If the remote system log server is on a different subnet than the IPS
management port you may have to Add a Network Route on page 148.
STEP 4
Select an Alert Facility from the drop-down menu: none or select from a range of 0 to 31.
STEP 5
Select a Block Facility from the drop-down menu: none or select from a range of 0 to 31.
STEP 6
Select a Misuse and Abuse Facility from the drop-down menu: none or select from a range
of 0 to 31.
STEP 7
Select a Delimiter for the generated logs: tab, comma, semicolon, or bar.
STEP 8
STEP 9
Click Save.
Note: Designating a remote system log server does not automatically send attack
and shield notifications to that server. You must select the Remote System Log
contact for action sets. After you apply these changes, active filters associated
with the modified action set will send remote messages to the designated server.
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Edit icon next to the SMS entry. It has the type of SNMP.
STEP 3
STEP 4
Enter the Aggregation Period for notification messages. This setting is measured in minutes.
STEP 5
Click Save.
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Edit icon next to the Management Console entry. It has the type of MGMT.
STEP 3
STEP 4
Enter the Aggregation Period for notification messages. This setting is measured in minutes.
STEP 5
Click Save.
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Edit icon next to the LSM entry. It has the type of ALERT.
STEP 3
STEP 4
Enter the Aggregation Period for notification messages. This setting is measured in minutes.
STEP 5
Click Save.
On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.
STEP 2
Click the Delete icon for the notification contact you would like to delete. A confirmation dialog message displays.
STEP 3
Click OK.
Logs
This chapter, Logs, describes the logs and reports that you can view using the LSM. In this section, you will review the information presented in the logs and how to manage them. Only users with Super-user access may view all of the available logs.
Overview
The logging features of the LSM provide you with the ability to review the attacks received by the IPS
device. Through the logs and report options, you can better understand and review the amount of
packets received and attacks blocked or managed by the device. When you access the LSM, the Logs
page displays. This page clearly and quickly provides an overview of all attacks received by the system.
The information includes an optional visual graph of the attacks by severity in relation to the total
number of attacks, links to reports for the logs, and provides links to further reports to better
investigate the system and network.
Logs covers the following topics:
LSM Logs on page 114
Managing Logs and Reports on page 121
More Reports on page 126
The Logs page enables you to view log messages, sorted by the time and date they were recorded.
These messages indicate the status that IPS components report about themselves, or messages from
the UnityOne about components that do not respond to periodic polling. Many reports are available to
provide a timely update to any and all levels of the IPS operational behavior.
The Attacks by Severity graph displays at the top of the page. You can enable or disable an animation
option for the graph. This graph displays a graphical representation of attacks against the current total
of logged attacks. This total includes only the attacks compiled between resets of the system total.
When viewing a log, you can click Log Index from the Open menu to return to this page.
Logs Page
When you access the LSM, it displays the Logs Main List as default. The following is the Logs page:
Figure 4 - 1: Logs Page
LSM Logs
The LSM documents triggered filters and actions in various logs. These logs compile information
about your IPS device according to set category and action sets. When you access the LSM, the Logs
page displays. The Logs page provides the following logs:
The LSM also provides various graphical reports on the system and network traffic. See More
Reports on page 126 for more information.
When you view the log, the user listed for the logged events may include SMS, LSM, and CLI. Those applications write these entries to the audit log at the Super-User access level.
Alert Log
The Alert log contains information about network traffic that triggers filters associated with alert actions, that is, filters whose action sets notify contacts when triggered. Any user can view the log, but only administrator and super-user level users can print the log. Alert log entries include the following information:
Table 4 - 1: Alert Log Information
Column
Description
Log ID
Date/Time
Severity
Indicates the severity of the triggered filter. Possible values include: Critical, Major,
Minor, and Low
Filter Name
Protocol
Segment
Source Address
Dest Address
Packet Trace
Hit Count
Block Log
The Block log contains information about packets that have triggered a filter with both block and alert
actions specified. The Block Log entries include the following information:
Table 4 - 2: Block Log Information
Column
Description
Log ID
Date/Time
Severity
Indicates the severity of the triggered filter. Possible values include: Critical, Major,
Minor, and Low
Filter Name
Protocol
Segment
Source Address
Dest Address
Packet Trace
Hit Count
Description
Log ID
Date/Time
Severity
Indicates the severity of the triggered filter. Possible values include: Critical, Major,
Minor, and Low
Filter Name
Protocol
Segment
Source Address
Dest Address
Packet Trace
Hit Count
System Log
The system log contains information about the software processes that control the UnityOne device,
including startup routines, run levels, and maintenance routines. System log entries can provide useful
troubleshooting information if you encounter problems with your UnityOne device.
Note: Any access level user can view and print the system log, but only
Administrator and Super-user level users can reset the system log.
Description
Log ID
Severity Level
The severity level of a message indicates whether the log entry is simply informational
(INFO) or whether it indicates an error condition (ERR or CRIT)
Component
The component is an abbreviation that indicates which software component sent the
message to the log
Message
Audit Log
The audit log keeps track of IPS user activity that may have security implications. This activity
includes user attempts (successful and unsuccessful) to do the following:
Description
Log ID
Username
Access Level
IP Address
The IP address from which the user connected to perform the action
Interface
The interface with which the user logged in (either WEB for the LSM or CLI for the
Command Line Interface)
Component
The area in which the user performs an action (LOGIN, LOGOUT and Launch Bar Tabs)
Result
Action
The packet trace log uses the same Log Rotation as the other logs. It is a good idea to periodically reset
the log to increase download performance.
Note: When you reset the log, any packet trace records in the log buffer will be
discarded.
During a graceful shutdown, as during an update or reboot command in the CLI, Packet Trace data
may not be automatically flushed to disk. To guarantee Packet Trace data is flushed to disk, do the
following:
Click on any Packet Trace icon in the alert or block logs
Click on the Packet Trace (TCPDUMP) icon
You can do the following from this page:
Downloading Log Files on page 122
Resetting Log Files on page 125
Function
Description
View
Click the View icon to review the compiled contents of the log or report. A page
displays providing the entries compiled and reported for each log.
Download
Click the Download icon to download an electronic copy of the log or report.
When you click the icon, a download query page displays allowing you refine
the parameters for the log or report to be downloaded.
Search
Click the Search icon to search for an entry in the log or report. The Logs page
displays a search page according to the selected log or report.
Reset
Use the Reset icon to clear a log of all current entries. The log will then begin
compiling new information.
Description
Log ID
Date/Time
Severity
Indicates the severity of the triggered filter. Possible values include: Critical, Major,
Minor, and Low
Filter Name
Protocol
Segment
Source Address
Dest Address
Packet Trace
Hit Count
STEP 2
Click the View icon next to the log. A log view page displays.
STEP 3
You can browse and review the log entries. You can also review the filter that triggered the log.
STEP 2
Click the Download icon next to the log or report you want to download. The download query
page displays.
Note: If there are not any entries in the log, the download link will be disabled, or
grayed out.
STEP 3
Select a Log Type: Alert Log, Audit Log, Block Log, Peer-to-Peer Log, or System Log.
STEP 4
STEP 5
For Options, check the boxes for file format options: Comma delimited format (csv) or
Open in Internet Explorer.
STEP 6
Click Download.
Log Rotation
IPS logs are stored on a rotating basis. By default, each type of log has two files: the current file and the previous file. The IPS uses a volume threshold to limit the size of each log file (4 MB). When the current log reaches the volume threshold, it is deactivated, and a new log is started as the current log.
Whenever the current log reaches the volume threshold, it is rotated into storage, and a new log is
started as the current log.
Note: When you view logs from the LSM, you review all log entries from both of
the log files. The only time you need to consider log rotation is when you are
downloading a log file.
You can also reset the log file for each type of log. When you reset the log, you clear the current log of all
compiled entries.
For Packet Trace logs, the amount of raw data stored depends on the device model. See the following:
UnityOne-50:
Default # of files = 2
Max # of files = 10
Default Size of each file = 5MB
Other UnityOne devices:
Default # of files = 10
Max # of files = 100
Default Size of each file = 10MB
Note: The information displayed in the log works best when printed in a
landscape, not portrait, format.
Print a Log
STEP 1
On the Logs page, click the name of the log (hyperlink) or click the View icon next to the log
you want to print. The view page for the log displays.
STEP 2
Select the Edit > Print menu item. The browser's print dialog box opens.
STEP 3
STEP 4
Click Print.
On the Logs page, click the Reset icon next to the log you want to reset.
STEP 2
STEP 3
Click OK.
Search a Log
STEP 1
On the Logs page, click the Search icon next to the log you want to search. The search page displays.
STEP 2
STEP 3
Check the box next to each Severity of the alerts you wish to retrieve [optional].
STEP 4
Enter the name of the Filter Name whose alerts you would like to find [optional].
STEP 5
Enter the name of the Protocol whose alerts you would like to find [optional].
STEP 6
Enter the Source Address for alerts you would like to find. [optional].
STEP 7
Enter the Destination Address for the alerts you would like to find [optional].
STEP 8
STEP 9
Click Search.
Tip: In Step 4 through Step 7, you can enter the first part of the item you want to search for. For example, you can enter the first few letters or numbers of a filter name, or the first few numbers of an IP address.
More Reports
The More Reports feature provides access to a set of bar graphs that provide detailed information about
the LSM system alert and traffic activity. The feature can be accessed by selecting the More Reports
Link from the Logs - Main List pane or selecting options from Open -> Reports menu. Through a
preferences page, the LSM allows you to modify the color background setting for the graph. The
options provide a custom approach to reviewing data on your system. See Reports Preferences on
page 132.
DDoS: Displays reports for Denial of Service filters and attacks. The report provides an option to
review rejected and accepted connections or SYNs according to the type of DDoS filter.
Figure 4 - 3: Reports - More Reports Page
STEP 2
In the Top Ten section, click the Filters link. The graph updates to display the top ten filters
triggered on the IPS device.
STEP 3
You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.
STEP 2
Select the type of attack you want to view results for under Attacks:
by severity
by action
by protocol
by port: all
by port: permit
by port: block
by port: misuse & abuse
You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.
STEP 2
by transmission types
by protocol
by frame size
by port
You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.
STEP 2
STEP 3
STEP 4
You can then select the following information for the report:
Last 24 Hours
Last 60 minutes
Last 60 seconds
The LSM generates a report for each user-defined rate limit filter you create or configure.
STEP 5
You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.
STEP 2
STEP 3
STEP 4
You can then select the following information for the report:
Last 35 Days
Last 24 hours
Last 60 minutes
Last 60 seconds
You can use the reported information to configure traffic thresholds tuned to a specific
network configuration. The monitor-only option for a Traffic Threshold filter sets the system
to generate a report without triggering traffic thresholds.
Figure 4 - 4: More Reports: Traffic Threshold
STEP 5
You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.
STEP 2
STEP 3
Reports Preferences
The Logs - Report Preferences page allows you to customize your report graphs. You can change the
chart background color by selecting a preset color or entering a color setting. The custom color
setting can create a gradient from one color to another, entered as the start and end colors. Custom
colors are entered as RRGGBB hexadecimal values, such as FF0000 for red. See Select a Report
Background Color on page 132 for details.
The following image displays the Logs - Report Preferences page:
Figure 4 - 5: Logs - Report Preferences Page
STEP 1
On the Logs - More Reports page, click Edit -> Preferences on the drop-down menu. The
Logs - Report Preferences page displays.
STEP 2
To select a preset color, select one of the options called Blue Gradient (default), Red Fire Gradient, Dark Grey Gradient, Green Gradient, or Solid Blue Gradient.
STEP 3
STEP 4
STEP A
STEP B
STEP C
Click Test. You can repeat until you are satisfied with the color.
Configure
Configure describes the configuration utilities in the LSM, and how to configure segments and
hardware components using the LSM.
Overview
The Configure page enables you to view and change configuration items for your IPS device. When
you configure the device, you can modify various settings for the segments including management,
routing, time, and Intrinsic Network HA. These segments are part of the Multi-Zone Defense (MZD)
modules that protect the segment and network from malicious traffic and attacks.
You can configure the following settings for segments, ports, and modules:
Segment information
Discovery settings to allow discovery scans on ports
Time zone information
Command Line Interface, routing, and information for ports
Non-Standard ports
Intrinsic and Transparent Network HA for segments
SMS control for these modules
NMS settings
Settings and management for the Threat Suppression Engine (TSE)
Configure Page
To view the Configure page, click the Configure tab on the Launch Bar. The Configure - Segment
Config page displays by default:
Figure 5 - 6: Configure Page
Segment Configuration
UnityOne IPS Multi-Zone Defense (MZD) modules enable you to protect multiple segments of your
network. Each segment uses two ports on the MZD module: one port that interfaces with the protected
segment and one port that interfaces with the rest of the network. When you configure these ports, you
modify the routing and port options, Intrinsic and Transparent Network HA, and discovery settings.
CAUTION: After you configure a segment on the device, you need to restart the device.
Each port of the segment provides a Restart button. Make sure to click this button after
making changes to ensure proper functioning of the device.
CAUTION: If you use a copper-fiber translator (such as Netgear), you will need to turn off
auto-negotiation on the IPS device before clicking the Restart button. Netgear does not
support auto-negotiation. When the copper cable is pulled, Netgear does not attempt to
auto-negotiate with the device. The device driver will attempt to re-initialize the port
several times before timing out and placing the port in an Out-of-Service mode.
You can view the configuration information for the device segments through the Configure - Segment
Config page:
Figure 5 - 7: Configure - Segment Config Page
This page provides a summary listing of each segment including the following information:
Table 5 - 8: Segment Information
Column: Description
Segment Name: The segment name. By default, the segment name is a combination of the slot number
and port pair of the Defense Module through which the physical connection is made.
Media:
IP Address / Subnet Mask: Shows the IP address and network mask of the segment if they are
configured for network discovery.
Port: Indicates which port is being referred to by the Line Speed and Hardware columns.
Line Speed:
Hardware: Indicates if the hardware (the physical port) is turned on or off.
STEP 2
The Configure - Segment Config page displays. Segment information is displayed by default
when you access the Configure page.
STEP 3
To locate this information from within the Configure page, select the Open > Segment
Config menu item.
Segment INHA
Segment ports are designated A and B. When you configure a segment, you can assign IP and routing
information for Discovery scans and choose line options for these ports. You can also define the
Intrinsic Network High Availability (INHA) layer-2 fallback option. This determines if the device
permits all traffic or blocks all packet transfers on that segment in the event of a fallback operation.
Note: You should only assign an IP address to a segment if you want discovery
enabled on that segment. For more information on discovery scans, see Chapter 5
Discover.
Port Options
Port options enable you to set line options for the segment's ports. You can set port options without
enabling discovery. The two ports in the same segment can have different settings.
Note: Fiber ports can only be set to 1000 Mbps line speed and full duplex.
Although the port may negotiate different settings, you cannot arbitrarily
downgrade line speed on a fiber Gigabit Ethernet port.
Link-Down Synchronization
Link-Down Synchronization, also called Sympathetic HA, allows you to configure the IPS to force both
ports of a segment down when the device detects a link state of down on one of the ports. When
Link-Down Synchronization is enabled, the IPS monitors the link state for both ports on a segment. If
the link goes down on either port, both ports on the segment are disabled. This functionality
propagates the link state across the IPS. In the case of Router A and Router B, if the link to Router A
goes down, both ports are disabled, so the link to Router B goes down as well, which Router B
detects. With Link-Down Synchronization, ports respond according to the configured setting. The
settings include the following:
Hub: When a port goes down, the partner port is unaffected.
Breaker: When a port goes down, the system disables the partner port until both ports are
manually restarted. The breaker option requires manually restarting both ports.
Wire: When the port that originally went down comes back up, the system restarts the partner
port (which is the port it disabled).
In addition to the ability to enable Link-Down Synchronization for each segment, you can change the
amount of time after detecting a link is down before forcing both ports down on a segment. The default
is one second. You can configure the setting to any number of seconds in the range of zero to 240.
Once you enable Link-Down Synchronization for a segment, monitoring of that segment begins only
after link up is detected on both ports. When Link-Down Synchronization disables the ports on a
segment, two audit log messages are generated. The first message in the audit log corresponds to the
port with the link down. The second message corresponds to the segment partner. Additionally, an
error message is added to the system log indicating which port was detected with the link down,
activating Link-Down Synchronization for that segment.
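The three modes, the timeout, and the log entries described above, as a behavioural model added here for illustration (this is not LSM or IPS code). It assumes a segment is the port pair A/B, that link events arrive as (seconds, port, up/down), that the Timeout Period is the 0-240 second value from the segment configuration, and the log message wording is constructed.

```python
"""Behavioural model of Link-Down Synchronization (Hub, Breaker, Wire).

Added illustration for this guide, not LSM or IPS code. Assumptions: a segment
is a port pair A/B; link events arrive as (seconds, port, "up"/"down"); the
timeout is the segment's Timeout Period (0-240 s, default 1 s); log message
wording is constructed here, the guide only says which messages are written.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    HUB = "hub"          # partner port is unaffected
    BREAKER = "breaker"  # partner disabled until both ports are manually restarted
    WIRE = "wire"        # partner restarted when the original link comes back


@dataclass
class Port:
    name: str
    link_up: bool = False   # physical link state reported by the hardware
    enabled: bool = True    # False once Link-Down Synchronization disabled it


@dataclass
class Segment:
    mode: Mode
    timeout: int = 1
    ports: Dict[str, Port] = field(default_factory=lambda: {"A": Port("A"), "B": Port("B")})
    monitoring: bool = False            # starts only after link up on both ports
    tripped_by: Optional[str] = None    # port whose link-down triggered the sync
    down_since: Dict[str, int] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    system_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.timeout <= 240:
            raise ValueError("Timeout Period must be 0-240 seconds")

    def partner(self, name: str) -> Port:
        return self.ports["B" if name == "A" else "A"]

    def link_event(self, t: int, name: str, state: str) -> None:
        port = self.ports[name]
        port.link_up = state == "up"
        if port.link_up:
            self.down_since.pop(name, None)
            if all(p.link_up for p in self.ports.values()):
                self.monitoring = True
            # Wire: the returning link restarts the partner the system disabled
            # (assumption: the original port is restored along with its link).
            if self.mode is Mode.WIRE and self.tripped_by == name:
                port.enabled = True
                self.partner(name).enabled = True
                self.tripped_by = None
        else:
            self.down_since.setdefault(name, t)

    def tick(self, t: int) -> None:
        """Apply the timeout at time t; call after every event and at intervals."""
        if not self.monitoring or self.mode is Mode.HUB or self.tripped_by:
            return
        for name, since in self.down_since.items():
            if t - since >= self.timeout:
                self._sync_down(name)
                return

    def _sync_down(self, name: str) -> None:
        partner = self.partner(name)
        self.tripped_by = name
        self.ports[name].enabled = False
        partner.enabled = False
        # Two audit entries: the port with link down first, then its partner;
        # plus one system log error naming the port that was detected down.
        self.audit_log.append(f"port {name} disabled: link down")
        self.audit_log.append(f"port {partner.name} disabled: segment partner")
        self.system_log.append(f"link down on port {name}: Link-Down Synchronization activated")

    def manual_restart(self, name: str) -> None:
        """The per-port Restart button; Breaker needs it on both ports."""
        self.ports[name].enabled = True
        if self.mode is Mode.BREAKER and all(p.enabled for p in self.ports.values()):
            self.tripped_by = None

    def enabled_ports(self) -> Tuple[str, ...]:
        return tuple(sorted(n for n, p in self.ports.items() if p.enabled))


def run(mode: Mode, events: List[Tuple[int, str, str]], timeout: int = 1,
        end: Optional[int] = None) -> Segment:
    """Replay constructed link events through a fresh segment in time order."""
    seg = Segment(mode, timeout)
    for name in ("A", "B"):          # both links come up at t=0, so monitoring starts
        seg.link_event(0, name, "up")
    for t, name, state in sorted(events):
        seg.tick(t)                  # the timeout may elapse before this event
        seg.link_event(t, name, state)
        seg.tick(t)
    if end is not None:
        seg.tick(end)
    return seg
```

A link flap shorter than the Timeout Period never trips the segment, which is the case to check when tuning the timeout above its one-second default.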
Configure a Segment
When you configure a segment, including INHA, you complete the following three main steps:
STEP 1
STEP 2
Discovery configuration: IP address, subnet mask, routing, and discovery enabled. See Prepare a Segment for Scanning on page 123 for more information.
STEP 3
To configure a segment, you select a segment from the Configure - Segment Config page. The
Configure - Segment Details/Edit page displays:
Figure 5 - 8: Configure - Segment Details/Edit Page
On the Configure page, click the Segment you want to configure. The Configure - Segment
Details/Edit page displays.
STEP 2
STEP 3
To enable discovery on the ports, see Prepare a Segment for Scanning on page 123.
STEP 4
Specify the Intrinsic Network High Availability (INHA) layer-2 fallback action:
Click Block All to block all packet transfer in the event of a fallback.
OR
Click Permit All to permit all packet transfer in the event of a fallback.
STEP 5
For Link-Down Synchronization, select an option and enter a Timeout Period between 0-240
seconds.
Hub (port goes down, partner port remains up)
Breaker (port goes down, partner taken down, both ports require manual restart)
Wire (port goes down, partner taken down, automatically restarts when link is reestablished)
When selected, if one interface is down for an amount of time exceeding the timeout period,
both interfaces are managed according to the selected option.
STEP 6
To enable Discovery scans, check the Enabled check box for Discovery.
Enter the Dest Network, Gateway, and Mask and click the add to table below
button for each port (A / B) that you want to enable for scanning.
Note: You only need to enter routing options for a port if you are going to run
discovery on a subnet outside of the subnet on which the discovery IP address is
located.
STEP B
Check the Hardware: On check box to make the port active. If you enabled this
option, the Restart button is enabled.
STEP C
Check the Auto Negotiation: On check box to enable auto-negotiation for line
speed.
Note: If Auto Negotiation is on and Line Speed is set to 100 Mbps, the port will
negotiate between 10 and 100 Mbps. If Line Speed is set to 1000 Mbps, the port
negotiates between 10, 100, and 1000 Mbps.
STEP D
STEP E
STEP F
CAUTION: After you configure a segment on the device, you need to restart the device.
Each port of the segment provides a Restart button. Make sure to click this button after
making changes to ensure proper functioning of the device. To restart both ports, click
Restart Both.
STEP 7
Click Save.
If the LSM has errors and cannot locate the device, check the connections on the IPS device. If you
use a copper-fiber translator (such as Netgear) and it is disconnected or loose, the IPS device driver
will attempt to reinitialize the port several times before timing out and placing the port in an
Out-of-Service mode. Netgear does not support auto-negotiation. When you remove the copper cable or
the cable is loose, Netgear does not attempt to auto-negotiate with the IPS device.
To resolve this issue, do the following:
STEP 1
On the Configure - Segment Details/Edit page, clear the Auto Negotiation: On check box
for each port of the IPS device. The option is disabled.
STEP 2
Click Restart.
Leave auto-negotiation off. The port should reset.
You can manage the management port settings and reboot the IPS device through the Configure - Management Port page:
Figure 5 - 9: Configure - Management Port Page
Description / Valid Input
IP Address
Subnet Mask
Host Name
Host Location: A maximum of 32 characters describing where the UnityOne device is located.
Default Gateway
Serial Number
On the Configure page, click Open > General Config > Management Port menu
item. The Configure - Management Port page displays.
STEP 2
Click the Reboot Device button in the upper-right corner of the Configure - Management
Port page.
STEP 3
A confirmation message displays warning you to save all of your work prior to rebooting. Perform any saves prior to the reboot.
STEP 4
Click OK.
During a graceful shutdown, such as an update or reboot (from the LSM or via a CLI command),
Packet Trace data may not be automatically flushed to disk. To guarantee that Packet Trace data is
flushed to disk, do the following:
Click on any Packet Trace icon in the alert or block logs
Click on the Packet Trace (TCPDUMP) icon
For more information on Packet Trace logs, see Packet Trace Log on page 120.
Change Management Port Configuration
STEP 1
On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.
STEP 2
STEP 3
STEP 4
STEP 5
If the port uses a default gateway, click the Enabled check box and enter an IP address.
STEP 6
Click Apply.
Note: If your IPS will only be communicating with devices on the same network
subnet, you do not need to enable and define a default gateway. Possible devices
that you may have to define a route or gateway for include SMS devices, time
servers (for SNTP), email servers (for email alerts), and workstations (for remote
access to the CLI or LSM).
Description
Valid Input
SSH Enabled
Telnet Enabled
On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.
STEP 2
In the Management Port Services section, click the SSH Enabled check box. Click Telnet
Enabled for non-secure communications.
STEP 3
Click Apply. This button is not visible if the device is under control of the SMS.
On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.
STEP 2
STEP 3
STEP 4
Enter the NMS Community String. You can enter 1-31 characters for this string.
STEP 5
Click Apply.
On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.
STEP 2
In the Management Port Services section, click the Enabled check box for the Web option.
STEP 3
Select HTTPS from the drop-down menu. Select HTTP for non-secure communications.
STEP 4
Click Apply. This button is not visible if the device is under control of the SMS.
Note: When you change from one web server to another, either from HTTP to
HTTPS or from HTTPS to HTTP, you must reboot your IPS for the changes to take
effect.
Routing Options
Routing options enable you to communicate with network subnets other than the subnet on which the
Management Port is located. If you will manage your UnityOne device from a different subnet, you will
need to define a route between the subnet to which your workstation is connected and the subnet to
which your UnityOne Host Management Port is connected.
The following is the Configure - Routing Options page:
Figure 5 - 11: Configure - Routing Options Page
On the Configure page, select the Open > General Config > Routing Options menu
item. The Configure - Routing Options page displays.
STEP 2
STEP 3
STEP 4
Enter the Gateway IP address used by UnityOne to communicate with the destination network.
STEP 5
Time Options
The UnityOne device can either keep time internally, using its own Internal CMOS Clock, or use a
Simple Network Time Protocol (SNTP) server to check and synchronize time periodically. In
addition, you can Set the IPS Time Zone used to display local time.
Time options include the following topics:
Time Zones
Internal CMOS Clock
SNTP Server
Time Zones
The UnityOne device comes with pre-defined time zone entries. Although system logs are kept in
Universal Time (UTC), the LSM will translate UTC time values into local time values for viewing
purposes. See Table 5 - 11, Time Zone Definitions, on page 149 for the time zones you can choose
from.
Set the IPS Time Zone
STEP 1
On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.
STEP 2
Select the Timezone entry you would like to use from the drop-down list.
STEP 3
Click the check box to Automatically adjust clock for daylight saving changes.
STEP 4
Click Apply.
Table 5 - 11: Time Zone Definitions
Time Zone Code   Offset from UTC (hours)   Daylight Savings Time   Description
ACST             +9.5                      OFF
AEST             +10                       OFF
AKST             -9                        OFF
AST              -4                        OFF
AWST             +8                        OFF
CET              +1                        OFF
CST              -6                        OFF
EET              +2                        OFF
EST              -5                        OFF
GMT              0                         OFF
HST              -10                       OFF
JST              +9                        OFF
KST              +9                        OFF
MSK              +3                        OFF                     Moscow Time
MST              -7                        OFF
NZST             +12                       ON
PST              -8                        OFF
WET              0                         OFF
GMT-12           -12                       OFF                     GMT -12:00
GMT-11           -11                       OFF                     GMT -11:00
GMT-10           -10                       OFF                     GMT -10:00
GMT-9            -9                        OFF                     GMT -9:00
GMT-8            -8                        OFF                     GMT -8:00
GMT-7            -7                        OFF                     GMT -7:00
GMT-6            -6                        OFF                     GMT -6:00
GMT-5            -5                        OFF                     GMT -5:00
GMT-4            -4                        OFF                     GMT -4:00
GMT-3            -3                        OFF                     GMT -3:00
GMT-2            -2                        OFF                     GMT -2:00
GMT-1            -1                        OFF                     GMT -1:00
GMT+1            +1                        OFF                     GMT +1:00
GMT+2            +2                        OFF                     GMT +2:00
GMT+3            +3                        OFF                     GMT +3:00
GMT+4            +4                        OFF                     GMT +4:00
GMT+5            +5                        OFF                     GMT +5:00
GMT+6            +6                        OFF                     GMT +6:00
GMT+7            +7                        OFF                     GMT +7:00
GMT+8            +8                        OFF                     GMT +8:00
GMT+9            +9                        OFF                     GMT +9:00
GMT+10           +10                       OFF                     GMT +10:00
GMT+11           +11                       OFF                     GMT +11:00
GMT+12           +12                       OFF                     GMT +12:00
On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.
STEP 2
Click the Internal CMOS clock option. You can click Set Time to Local Browser Time to
automatically populate the settings.
STEP 3
STEP 4
STEP 5
Click Apply.
SNTP Server
If you choose to keep system time for your UnityOne device using a Simple Network Time Protocol
(SNTP) server, you must Define Primary and Secondary SNTP Servers. SNTP servers are central
servers that keep time coordinated with a central atomic clock. SNTP servers help keep network time
synchronized so that network events that occur on different hosts can be compared.
Tip: Be sure that you configure your various SNTP clients (both UnityOne devices
and other network devices) to use the same SNTP servers. Using the same SNTP
servers will help ensure that event times from different network entities can be
meaningfully compared.
CAUTION: Using external SNTP servers could possibly make your IPS susceptible to a
man-in-the-middle attack. It is more secure to use an SNTP server on a local, protected
network.
Define Primary and Secondary SNTP Servers
STEP 1
On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.
STEP 2
STEP 3
STEP 4
STEP 5
STEP 6
STEP 7
STEP 8
STEP 9
STEP 10
Click Apply.
The SNMP Server provides access to interface counters and other statistics, configuration data, and
general system information via the Simple Network Management Protocol (SNMP). The SNMP server
must be enabled to use SMS management or to allow NMS access.
CAUTION: If you disable the SNMP V2 option, you disable SMS and NMS functionality. To
provide SMS functionality, enable the SNMP V2 option.
You use the Configure - SMS Config page to configure the information. If your IPS is currently under
SMS control, the serial number and the IP address of the controlling SMS are displayed on the
Configure - SMS Config page.
To communicate with the SMS, you need to configure the segments to have the following enabled:
HTTPS (HyperText Transfer Protocol, Secure): Protocol for handling secure transactions. See
Web Interface (LSM and SMS) on page 147 for instructions on configuring HTTPS.
SNMP (Simple Network Management Protocol): Protocol for managing nodes on an IP network
and monitoring various types of equipment, including computers, routers, and wiring hubs.
NMS (Network Management System): Protocol for monitoring the device by a restricted NMS,
such as HP OpenView.
The following is the Configure - SMS Config page:
Figure 5 - 13: Configure - SMS Config Page
On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.
STEP 2
To enable or disable SMS control, check or uncheck the SMS Control: Enabled check box. If
SMS is not available, the option is disabled, or grayed-out. If enabled, the page displays the
serial number, IP address and port for the SMS machine.
STEP 3
Check the Enabled check box for each version of SNMP you want to use.
Note: To communicate to the SMS, you must enable the SNMP V2.
STEP 4
Enter the SMS Authorized IP Address for the authorized IP. Enter any to allow any IP
address.
STEP 5
Click Apply.
Note: If the IPS is not currently under SMS control, you can find the IP address of
the last SMS that was in control by checking your Audit log from the Logs page.
On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.
STEP 2
To enable NMS configuration, you must enable SNMP V2 in the SMS configuration values.
STEP 3
STEP 4
STEP 5
Enter the NMS Community String. You can enter 1-31 characters for this string.
STEP 6
Click Apply.
Configure INHA
STEP 1
On the Configure page, select the Open > High Availability menu item. The Configure - High Availability page displays.
STEP 2
STEP 3
Click Apply.
Configure TNHA
STEP 1
On the Configure page, select the Open > High Availability menu item. The Configure - High Availability page displays.
STEP 2
STEP 3
STEP 4
Click Apply.
INHA Configuration
A lack of reported errors or congestion through the Threat Suppression Engine (TSE) does not
guarantee that the components receive correct and error-free traffic. The Intrinsic Network HA (INHA)
must monitor the TSE for several points of failure and apply failure detection logic against the system.
All components for the INHA are checked for failure, including Broadcom, XSL, TIF, LINX, FPP, RSP,
and NetPAL.
All Components
The following conditions are checked for all components (Broadcom, XSL, TIF, LINX, FPP, RSP,
NetPAL) to determine TSE failure:
Check back-pressure: The presence of back-pressure indicates that packets are queued for processing.
It indicates a failure if the component does not process the queued packets.
Determine traffic requirements: If the IPS does not pass traffic, detecting a failed TSE is more
difficult. A minimum rate of traffic must pass through the IPS for best TSE-failure detection.
Handle the non-atomic nature of the data path: A packet passes through each component at different
times and rates, and the status of each component is determined independently of the others. INHA
uses sampling to determine if the TSE is healthy.
Discovery considerations (IPS-originated traffic): Discovery is a special case where the IPS
generates packets. In these cases, responses terminate at NetPAL. INHA must make sure this
behavior is not mistaken for a TSE failure.
Check and transmit the inbound receive counters: Each component has receive counters
incremented by packets received from the previous component, and transmit counters incremented
by packets sent to the next component. These counters are the most accurate and most complicated
way of detecting TSE health.
Each component also has a specific set of functions for failure checking. See the following sections for
specific failure checking:
Broadcom
XSL
NetPAL
Broadcom
The following conditions are checked for Broadcom:
Check all ports and all MZDM switch blades: Each MZDM has an XSL and a Broadcom
component. These components must be checked to validate the data passing between the MZDM
and the TSE.
Know the up/down state of port pairs: A downed port must be considered by INHA so that it is not
mistakenly detected as a failed TSE.
XSL
The following conditions are checked for XSL:
Check watchdog: INHA will make sure the XSL watchdog is not mistaken for a TSE failure.
NetPAL
The following conditions are checked for RSP and NetPAL:
Check the inbound packet queue from RSP to NetPAL: Packets are sent from the RSP to NetPAL
through a packet queue. INHA checks both sides of the queue to verify TSE health.
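The checks listed above (traffic requirement, downed port pairs, XSL watchdog, discovery responses ending at NetPAL, receive and transmit counters compared between samples), assembled into one health verdict over two counter samples. This is an added illustration, not TippingPoint code; the component chain order, the counter semantics, the minimum traffic rate and the in-flight tolerance are assumptions made here.

```python
"""Model of the INHA health checks described above, applied to two counter
samples from the TSE data path.

Added illustration for this guide, not TippingPoint code. Assumptions: the
data path is the ordered chain Broadcom -> XSL -> TIF -> LINX -> FPP -> RSP ->
NetPAL; each component exposes a receive and a transmit counter; port pair
states, back-pressure flags, an XSL watchdog reset flag and the number of
IPS-originated discovery responses are known; MIN_RATE_PPS and
IN_FLIGHT_TOLERANCE are constructed values, not product settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CHAIN = ["Broadcom", "XSL", "TIF", "LINX", "FPP", "RSP", "NetPAL"]
MIN_RATE_PPS = 100          # assumed minimum traffic for a conclusive verdict
IN_FLIGHT_TOLERANCE = 64    # assumed packets legitimately in transit between samples


@dataclass
class Sample:
    rx: Dict[str, int]                      # packets received, per component
    tx: Dict[str, int]                      # packets handed to the next component
    ports_up: Dict[str, bool]               # MZDM port pair link states
    back_pressure: Dict[str, bool] = field(default_factory=dict)
    xsl_watchdog_reset: bool = False        # XSL watchdog fired since the last sample
    discovery_responses: int = 0            # IPS-originated replies that end at NetPAL


def counters(n: int, **overrides: int) -> Dict[str, int]:
    """Constructed counter set: every component at n unless overridden."""
    values = {c: n for c in CHAIN}
    values.update(overrides)
    return values


def assess(s0: Sample, s1: Sample, interval_s: float) -> Dict[str, object]:
    """Return {"status": healthy|failed|inconclusive, "reasons": [...]}."""
    reasons: List[str] = []
    # A downed port pair must not be mistaken for a failed TSE.
    if not any(s1.ports_up.values()):
        return {"status": "inconclusive", "reasons": ["all port pairs are down"]}
    # Too little traffic makes a failed TSE hard to detect.
    inbound = s1.rx["Broadcom"] - s0.rx["Broadcom"]
    if inbound / interval_s < MIN_RATE_PPS:
        return {"status": "inconclusive",
                "reasons": [f"only {inbound} packets in {interval_s:g} s"]}
    if s1.xsl_watchdog_reset:
        reasons.append("XSL watchdog reset: XSL counters excluded, not a TSE failure")

    def d_rx(c: str) -> int:
        return s1.rx[c] - s0.rx[c]

    def d_tx(c: str) -> int:
        return s1.tx[c] - s0.tx[c]

    failed = False
    # Per component: packets received but not passed on (sampling tolerates
    # the non-atomic data path up to IN_FLIGHT_TOLERANCE).
    for comp in CHAIN:
        if comp == "XSL" and s1.xsl_watchdog_reset:
            continue
        held = d_rx(comp) - d_tx(comp)
        if comp == "NetPAL":
            held -= s1.discovery_responses   # discovery replies terminate here
        if held > IN_FLIGHT_TOLERANCE:
            why = ("back-pressure, not processing" if s1.back_pressure.get(comp)
                   else "packets not forwarded")
            reasons.append(f"{comp}: {held} packets held ({why})")
            failed = True
    # Between components: the inbound receive counter of the next component
    # must account for what the previous component transmitted.
    for prev, nxt in zip(CHAIN, CHAIN[1:]):
        if s1.xsl_watchdog_reset and "XSL" in (prev, nxt):
            continue
        lost = d_tx(prev) - d_rx(nxt)
        if lost > IN_FLIGHT_TOLERANCE:
            reasons.append(f"{prev}->{nxt}: {lost} packets lost in transit")
            failed = True
    return {"status": "failed" if failed else "healthy", "reasons": reasons}
```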
STEP 2
TNHA Configuration
The Transparent Network HA (TNHA) has various configuration settings and requirements that you
should consider when configuring high availability for the LSM and UnityOne devices. When
configuring high availability, TNHA configuration includes the following:
It requires a partner IPS IP address.
TNHA can be enabled/disabled.
TNHA includes the following status states:
communication error (red): An error occurred during communication
latency (yellow): A warning occurred during communication
normal (green): Running appropriately without errors
In TNHA, data is sent to the partner machine when the following situations occur:
When blocked flows are received and added to the connection table
When the user flushes the connections with the flush all option on the Config - TSE Connection
Table (Blocked Streams) page or using the clear connection-table blocks command
through the Command Line Interface (CLI). The TNHA partner is instructed to flush, or remove, the
entries.
When the user flushes individual flows from the list in the Config - TSE Connection Table (Blocked
Streams) page, a directive to flush each individual flow is sent to the TNHA partner
When DDoS SYN traps are detected and installed
Note: Data may not reach peer machine if active machines are under extremely
heavy load.
TSE Configuration
The Threat Suppression Engine uses a blend of ASICs and network processors to detect threats and
anomalies in network traffic. The TSE filters malicious attacks before they become a problem using the
latest updates of operating system and Digital Vaccine packages. You can configure the settings for the
TSE to filter and react to these attacks.
You can configure the following settings for the TSE:
TSE General Configuration: General settings for the TSE, including the connection table timeout
and asymmetric network settings
TSE Adaptive Filter Configuration: Settings for managing extreme loads of network traffic
TSE Blocked Streams: Managing options for clearing blocked streams from the connection table
TSE Rate Limited Streams: Managing options for clearing rate limited streams from the
connection table
TSE Non Standard Ports: Managing options for creating and deleting non-standard ports for
services
TSE Blacklisted Streams: Managing options for unblocking blocked IP addresses
change the Connection Table Timeout and you are using Transparent High Availability, you will need
to set the value on the other IPS also.
Note: If your system has two IPS devices communicating through Transparent
High Availability (TNHA), a change to the global timeout for the connection table
at one IPS device will not propagate to the other IPS. You must make this change
on each device accordingly.
Asymmetric Network: By default, the UnityOne is set to Asymmetric mode, which means the
UnityOne does not need to see both sides of a connection before notifying the user. Disabling
Asymmetric mode (symmetric mode) means that the UnityOne will continue to block an attack it
detects but will not alert unless a valid connection setup takes place. Symmetric mode is useful
for testing with tools such as STICK and SNOT. The UnityOne will always block an attack it
detects, regardless of this setting.
The Logging Mode section allows you to configure settings for alerts. Through this section, you can
enable or disable alerting for permitted and blocked packets. The system logs a warning and disables
alerting if alerting causes the device to drop packets. The default duration for this option is 10
minutes. When the downtime expires, the system re-enables alerting and displays the number of
missed alerts (callbacks). The settings provide configurable ranges for managing the packet loss
threshold and the amount of time for which notifications are disabled.
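A model of this safeguard, added here for illustration (it is not IPS code): it takes the packet loss threshold (its unit is assumed here to be the percentage of packets dropped in a sample, since the guide does not state one), the downtime (the 60 to 3600 second value entered in the TSE General Config procedure, default 600 s), and a constructed stream of alerts, and shows alerts being counted rather than delivered while alerting is disabled and the missed count being reported when alerting resumes.

```python
"""Model of the Logging Mode safeguard: alerting is switched off when it
causes packet loss and switched back on after a fixed downtime.

Added illustration for this guide, not IPS code. Assumptions: the packet
loss threshold is a percentage of packets dropped in a sample (the guide
gives the setting but not its unit); the downtime is the 60-3600 s value
from the TSE General Config procedure (default 600 s, i.e. 10 minutes);
alerts are (action, filter) pairs and the log wording is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LoggingMode:
    loss_threshold_pct: float = 1.0       # assumed unit: percent dropped per sample
    disable_seconds: int = 600            # default 10 minutes; LSM accepts 60-3600
    alert_permitted: bool = True          # alert on permitted packets
    alert_blocked: bool = True            # alert on blocked packets
    suppressed_until: Optional[float] = None
    missed: int = 0                       # alert callbacks missed while suppressed
    last_missed: int = 0                  # count reported when alerting resumed
    system_log: List[str] = field(default_factory=list)
    emitted: List[Tuple[float, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 60 <= self.disable_seconds <= 3600:
            raise ValueError("disable time must be 60-3600 seconds")

    def _wanted(self, action: str) -> bool:
        return self.alert_permitted if action == "permit" else self.alert_blocked

    def sample(self, t: float, dropped_pct: float,
               alerts: List[Tuple[str, str]]) -> int:
        """Process one sampling interval; return the number of alerts emitted."""
        # Downtime expired: re-enable alerting and report the missed callbacks.
        if self.suppressed_until is not None and t >= self.suppressed_until:
            self.last_missed = self.missed
            self.system_log.append(
                f"alerting re-enabled; {self.missed} alert callbacks missed")
            self.suppressed_until, self.missed = None, 0
        # Alerting is costing packets: warn and disable it for the configured time.
        if self.suppressed_until is None and dropped_pct > self.loss_threshold_pct:
            self.system_log.append(
                f"warning: {dropped_pct:.1f}% packet loss, alerting disabled for "
                f"{self.disable_seconds} s")
            self.suppressed_until = t + self.disable_seconds
        emitted = 0
        for action, filter_name in alerts:
            if not self._wanted(action):
                continue                  # mode says not to alert on this action
            if self.suppressed_until is not None:
                self.missed += 1          # counted, not delivered
            else:
                self.emitted.append((t, action, filter_name))
                emitted += 1
        return emitted
```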
The following is the Configure - TSE General Config page:
Figure 5 - 15: Configure - TSE General Config Page
On the Configure page, select the Open > TSE Config > General TSE Config menu
item. The TSE General Config page displays.
STEP 2
Click the check box to enable the TSE for an Asymmetric network.
STEP 3
STEP 4
STEP 5
STEP 6
STEP A
STEP B
Enter a length of time (in seconds) in which logging is disabled before being enabled
(60 to 3600).
Click Apply.
Note: If your system has two IPS devices communicating through Transparent
High Availability (TNHA), a change to the global timeout for the connection table
at one IPS device will not propagate to the other IPS. You must make this change
on each device accordingly.
On the Configure page, select the Open > TSE Config > General TSE Config menu
item. The TSE General Config page displays.
STEP 2
STEP 3
Click Apply.
You can also use an optional setting that allows you to override the automatic disable feature on
Intrusion Prevention and Misuse and Abuse filters. You cannot use the feature on the following filters:
Traffic Management, Reconnaissance, and Traffic Normalization filters.
The following is the Configure - TSE Adaptive Filter Configuration page:
Figure 5 - 16: Configure - TSE Adaptive Filter Configuration Page
Definition
Mode: Mode setting you can configure that indicates if the mitigation for handling network traffic
congestion is auto or manual.
Table that displays the ten most recent mitigation filters triggered.
Filter Name
Filter State: Indicates the adaptive state of the filter. If it displays Enabled, the filter has been
disabled. The LSM disables a filter if the adaptive filter settings are triggered.
Functions
On the Configure page, select the Open > TSE Config > Adaptive Filter Config menu
item. The TSE Adaptive Filter Configuration page displays.
STEP 2
STEP 3
Click Apply.
Definition
Protocol
Src/Dest Address
Port
Src/Dest Address
Port
Segment/Port
Reason: The filter link that details why the traffic connection stream was blocked. Click the link
to display and manage the filter.
On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.
STEP 2
Select blocked streams you want to remove by checking the check box next to each listed
entry in the table.
STEP 3
STEP 4
The following is the Configure - TSE Connection Table (Rate Limited Streams) page:
Figure 5 - 18: Configure - TSE Connection Table (Rate Limited Streams) Page
Definition
Protocol
Src/Dest Address
Port
Src/Dest Address
Port
Segment/Port
Reason: The filter link that details why the traffic connection stream was blocked. Click the link
to display and manage the filter.
On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.
STEP 2
Select blocked streams you want to remove by checking the check box next to each listed
entry in the table.
STEP 3
STEP 4
Definition
Application
Protocol
User-Defined Ports
System-Defined Ports
On the Configure page, select the Open > TSE Config > Non Standard Ports menu
item. The Configure - Non Standard Ports page displays.
STEP 2
STEP 3
STEP 4
STEP 5
Click Create.
On the Configure page, select the Open > TSE Config > Non Standard Ports menu
item. The Configure - Non Standard Ports page displays.
STEP 2
STEP 3
STEP 4
STEP 5
Click Delete.
Definition
Source Address
Destination Address
Segment/Port
Reason
On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.
STEP 2
STEP 3
On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.
STEP 2
Select blocked streams you want to remove by checking the check box next to each listed
entry in the table.
STEP 3
STEP 4
Monitor
Monitor describes the hardware monitoring features of the LSM and how you can view hardware
status, set thresholds, and view the hardware fault log. It includes sections on the health of your
device(s), ports, and Intrinsic Network High Availability (HA).
Overview
The Monitor page enables you to see the status of your IPS hardware and define the thresholds that
configure how hardware status is displayed. You can monitor the usage of disk space and memory, the
system log, triggered events, and the health of the IPS device. The information detailed on the Monitor
page is also displayed in the System Stats sidebar of the entire page. This pane gives a quick view of the
state of the system, device, and traffic.
Through this page, you can also perform and manage discovery scans of your network. These scans
examine your network and determine if your network is vulnerable to exploits. You can create
scheduled scans or perform manual scans as needed.
The Monitor page provides greater details on the following:
Devices
Modules, including the Multi-Zone Defense modules
Intrinsic Network HA
Discovery scans
Monitor Page
The Monitor page provides the information and status of devices on the network. These components
include the health of devices, modules, and the Intrinsic Network High Availability (HA).
The Monitor - Device Health page displays as default:
Figure 6 - 1: Monitor Page
Device Health
The health, or current status, of the IPS device indicates how it is functioning on the network. You can
review the health of the device through the Monitor- Device Health page. It displays the current state
of the chassis components and modules installed in your UnityOne IPS device.
Device Health includes the following:
Device Health
Performance/Throughput
Module Health
High Availability
Multi-Zone Defense
Intrinsic Network HA Health
To view the page, click the Monitor tab on the Launch Bar. The Monitor - Device Health page
displays, listing the device, module, and Intrinsic Network HA status.
Device Health
The Device Health section of the Monitor - Device Health page displays the current status of a variety
of chassis components, including power modules, fans, temperature, and memory and disk space
usage.
Table 6 - 1: Device Health
Column
Description
Component
The component or resource being monitored. These components include the following:
Memory
Performance (You can click this link to see Performance/Throughput information)
The following displays for 200/400/1200/2400/5000E
Disk/boot
Disk/log
Disk/usr
Disk/opt
The following displays for 50/100E
Disk/usb0
State
The current operating status of the component or resource being monitored. The state
can be one of the following:
Active The device is active without errors
Active with Faults The device is active but has errors
Stand-by The device is waiting for traffic or usage in a stand-by mode
Out-of-service The device is not working or disabled
Diagnostic The device is running a diagnostic
Description
Graph
Details
Memory Usage
The Memory Usage statistic displays usage averaged over the last refresh period. These values fluctuate
fairly frequently. If Memory Usage percentages seem consistently high, check your log for Memory
Fault messages.
Note: If IPS Health is consistently showing yellow or red warnings about Disk or
Memory Usage, but the log does not show any hardware fault messages, your
usage is spiking, but is not remaining consistently high.
If Memory Usage percentages are consistently high, it could mean that you need to adjust some filter
settings. Filters that require notification actions require more resources than filters that do not require
notification, but this difference only comes into play when network traffic matches or nearly matches
these filters.
Tip: To reduce memory and disk usage, use the LSM to make the following filter
adjustments:
Performance/Throughput
The Performance/Throughput section of the Monitor- Device Health page displays the current
performance of the system and status of the UnityOne segments.
Table 6 - 2: Performance/Throughput
Column
Description
Component
The component or resource being monitored. These components include the following:
Performance (You can click this link to enact the Performance Wizard)
Segments (displays a number of segments according to the UnityOne model).
State
The current operating status of the component or resource being monitored. The state
can be one of the following:
Active The device is active without errors
Active with Faults The device is active but has errors
Stand-by The device is waiting for traffic or usage in a stand-by mode
Out-of-service The device is not working or disabled
Diagnostic The device is running a diagnostic
Graph
Details
On the Monitor- Device Health page, you can click the segment links in the Performance/Throughput
section. The Configure - Segment Config page displays. See Segment Configuration on page 137.
On the Monitor- Device Health page, you can click the Performance link to display information and
setting for performance of the system. This page also displays when clicking the Performance link in
the System Stats pane. This link loads a Monitor - Performance page that runs a performance wizard.
The wizard runs to determine the performance of the device under your current configuration. If the
wizard diagnoses the IPS as having minor or major congestion problems, the Performance Wizard
attempts to evaluate the device and provide suggestions to alleviate the load. If any of the Performance
Wizard tests indicate an issue, the LSM displays applicable improvements. Each suggestion may be
enabled or disabled with a check box.
Further suggestions are only presented to the user if the device experiences congestion while
significantly below the maximum throughput, indicating that filter configuration settings may cause the
loss of performance. The wizard displays the filter that may cause the congestion, allowing you to make
modifications to the configuration. The following Monitor - Performance page displays:
Figure 6 - 4: Monitor - Performance Page - Configuration
Module Health
The Module Health section of the Monitor- Device Health page displays the current status of the
modules, such as Multi-zone Defense (MZD) modules, that you can install in the UnityOne IPS.
Table 6 - 3: Module Health
Column
Description
Slot
Indicates the slot used by the module. The number and description of slots differs
according to UnityOne model.
Module
Configuration
Module State
Qualifier-1
Qualifier-2
Port State
Intrinsic
Network HA
Current operational state of the intrinsic network high availability. Possible value:
Normal
Layer-2 Fallback
For any state other than Normal, a cause description is displayed.
High Availability
The High Availability section of the Monitor- Device Health page displays the current status of the
Intrinsic and Transparent Network High Availability for the IPS.
Table 6 - 4: Module Health
Column
Description
Intrinsic
Network HA
Current operational state of the intrinsic network high availability. Possible value:
Normal
Layer-2 Fallback
For any state other than Normal, a cause description is displayed.
Transparent HA
Current operational state of the transparent network high availability. Possible value:
Enabled
Not Enabled
Multi-Zone Defense
From the Module Health table, you can select the Multi-Zone Defense Module link to manage the
module's ports. The Monitor - Port Health page displays.
Figure 6 - 5: Monitor - Port Health Page
Description
Port
Speed
Duplex
Configuration
Module State
Qualifier-1
Qualifier-2
Media
Type
Transparent Network HA
Transparent Network HA (TNHA) performs the same service as the INHA; however, it differs by
constantly updating devices of the TCP flow information. For these networks and devices, the fail-over
port/device does not have to rebuild the connection tables based on the information sent from the
failing port/device. It periodically receives information from an XSL to update its connection table
settings.
Once updated, this type of network HA quickly transfers fail-over traffic without having to rebuild the
settings. Network traffic and flow transfer without lag in performance or time. Network users continue
to use their services and resources without experiencing slow response times or slow loading and
refreshing.
The Monitor - Device Health page displays the current status and description of the TNHA.
When you click the Transparent HA link, the Configure - High Availability page displays. For
configuration details on TNHA, see TNHA Configuration on page 158.
Monitor Preferences
The Monitor - Preferences page enables you to set the thresholds at which the IPS shows hardware
statistics as an error condition. There are two types of threshold that you can set: Major Level and
Critical Level. These terms are explained in the following paragraphs. In general, the default settings
configured on the LSM should be appropriate for normal use.
You can set threshold values for the following:
Disk Usage Statistics The usage of disk space according to feature
Memory Usage The usage of system memory
These settings indicate the major and critical level limits that actively change the health, or status, of
the device on the Monitor page. You can set new limits for each device setting, or you can return the
system to its default settings.
The threshold values include the following:
Major Levels
Critical Levels
You can also set the Discovery Aging setting for discovery scans. Discovery data aging enables you to
set a scan data aging period. This aging period is used to determine whether scan data is new enough
to be used when assigning importance to an alert. If scan data is new enough, it is used to weight
alerts.
For example, a scan may show that the host corp-fiscal-22 uses only the Apache web server. Therefore,
if the Threat Suppression Engine (TSE) senses an exploit that targets Microsoft's IIS aimed at
corp-fiscal-22, it assigns a lower priority to the alert it generates.
Once scan data is considered stale, the TSE uses the default importance of an alert trigger. For example,
if the aging period is set to one week, and the last scan of corp-fiscal-22 was performed two weeks ago,
someone might have installed new software in the intervening time. Therefore, the TSE does not
de-emphasize the importance of an alert based on stale scan data.
This weighting system helps to reduce false attack alerts caused by irrelevant attacks such as IIS
exploits aimed at Apache web servers or a Linux exploit aimed at a Microsoft host.
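The weighting rule described above, worked through as an added example written for this guide (it is not LSM code and the TSE's real priority scale is not published here): discovery data is consulted only while it is younger than the Discovery Aging period, and fresh data showing that the host does not run the targeted software lowers the alert one step. The priority names, the one-step reduction, the host record layout and the sample dates are all assumptions made for the example; it also assumes a positive aging period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed priority scale, lowest to highest; the page does not define the actual values.
PRIORITY_LEVELS = ("low", "minor", "major", "critical")


@dataclass(frozen=True)
class ScanRecord:
    """Constructed record of what the last discovery scan sensed on one host."""
    host: str
    services: frozenset        # software sensed on the host, e.g. frozenset({"Apache"})
    scanned_at: datetime       # when the last discovery scan of the host completed


def scan_is_fresh(scan, now, aging_days):
    """Scan data is usable only while it is no older than the Discovery Aging period."""
    if aging_days <= 0:
        raise ValueError("this example assumes a positive aging period (0 disables aging)")
    return now - scan.scanned_at <= timedelta(days=aging_days)


def weighted_priority(default_priority, targeted_service, scan, now, aging_days):
    """Priority the alert gets after weighting against discovery data.

    Fresh scan data that shows the host does not run the targeted service lowers the
    priority one step (assumed rule); stale or missing data leaves the default untouched.
    """
    if scan is None or not scan_is_fresh(scan, now, aging_days):
        return default_priority
    if targeted_service in scan.services:
        return default_priority          # the exploit target really is present
    idx = PRIORITY_LEVELS.index(default_priority)
    return PRIORITY_LEVELS[max(idx - 1, 0)]


# Constructed scenario from the text: corp-fiscal-22 runs only Apache, an IIS exploit is sensed.
NOW = datetime(2024, 1, 15)
FRESH_SCAN = ScanRecord("corp-fiscal-22", frozenset({"Apache"}), NOW - timedelta(days=3))
STALE_SCAN = ScanRecord("corp-fiscal-22", frozenset({"Apache"}), NOW - timedelta(days=14))


def demo():
    """One-week aging period, as in the text: a 3-day-old scan counts, a 2-week-old one does not."""
    aging = 7
    return {
        "fresh": weighted_priority("major", "IIS", FRESH_SCAN, NOW, aging),
        "stale": weighted_priority("major", "IIS", STALE_SCAN, NOW, aging),
        "matching": weighted_priority("major", "Apache", FRESH_SCAN, NOW, aging),
    }


if __name__ == "__main__":
    print(demo())
```

The "stale" case is the one to notice: once the data is older than the aging period the alert keeps its default priority, so a short aging period errs toward more alerts at full importance, and a long one relies on hosts not changing between scans.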
Major Levels
The major level is the medium range of the threshold. When a system reaches this level of usage, it is
considered important to manage before it reaches a critical point. You should set Major Levels to give
you time to react to a problem before it becomes a crisis. For example, you should set the temperature
Major threshold higher than the normal operating temperature range, but low enough so that you
receive a warning before hardware damage may occur.
Critical Levels
The critical level is the highest level of the threshold. When a system reaches critical usage, hardware
damage is imminent. You should set Critical Levels to warn you before damage is about to occur. For
example, you should set the temperature Critical threshold at the outside edge of safe operating
temperatures.
Set Monitor Preferences
STEP 1
On the Monitor page, select the Edit > Preferences menu item. The Monitor Preferences page displays.
STEP 2
For Disk Usage Threshold, enter a numeric value for the Major Levels and the
Critical Levels. The major level value must be set lower than the critical level value.
STEP B
For Memory Usage Threshold, enter a numeric value for the Major Levels and the
Critical Levels. The major level value must be set lower than the critical level value.
STEP 3
For Discovery Aging, enter a number of days in the Discovery Data Valid for field.
Note: For the Data Aging period, you can enter either a whole number (0 - 4000)
or a number with a single place decimal indicating partial days (1.5 for 1 and a
half days). Decimal values less than one must start with a zero (0). Entering 0
disables Discovery Aging.
STEP 4
Click Save.
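The rules from the Monitor Preferences sections above (major below critical, and the Discovery Data Valid for format of 0 - 4000 whole days or a single decimal place with a leading digit), collected into an added example written for this guide rather than taken from the LSM. That thresholds are percentages, that a reading equal to a level counts as having reached it, and the status names "normal", "major" and "critical" are assumptions; the sample form values are constructed, not product defaults.

```python
import re

# Whole number, or a number with exactly one decimal place; ".5" is rejected, "0.5" accepted.
AGING_RE = re.compile(r"^\d+(\.\d)?$")


def threshold_problems(major, critical):
    """Return the rule violations for a Major/Critical pair (empty list when valid).
    Assumed: thresholds are percentages in 0-100 (the page says only 'a numeric value')."""
    problems = []
    for name, value in (("major", major), ("critical", critical)):
        if not 0 <= value <= 100:
            problems.append(f"{name} level {value} is outside 0-100")
    if major >= critical:
        problems.append("major level must be set lower than critical level")
    return problems


def parse_aging_days(text):
    """Parse the Discovery Data Valid for field.
    Returns the number of days as a float, 0.0 meaning aging is disabled,
    or None when the text does not follow the documented format."""
    if not AGING_RE.match(text.strip()):
        return None
    days = float(text)
    if days > 4000:
        return None
    return days


def usage_level(usage_pct, major, critical):
    """Map an observed usage percentage to the status the thresholds imply.
    Assumed: a reading equal to a level has reached it."""
    if threshold_problems(major, critical):
        raise ValueError("invalid thresholds")
    if usage_pct >= critical:
        return "critical"
    if usage_pct >= major:
        return "major"
    return "normal"


def check_preferences(prefs):
    """Validate a whole preferences form (a dict, constructed for this example) before saving."""
    problems = []
    for resource in ("disk", "memory"):
        for p in threshold_problems(prefs[f"{resource}_major"], prefs[f"{resource}_critical"]):
            problems.append(f"{resource}: {p}")
    if parse_aging_days(prefs["aging"]) is None:
        problems.append("aging: must be 0-4000 whole days or a single decimal place")
    return problems


# Constructed sample form; these are not the product's default values.
SAMPLE_PREFS = {
    "disk_major": 80, "disk_critical": 95,
    "memory_major": 75, "memory_critical": 90,
    "aging": "1.5",
}

if __name__ == "__main__":
    print(check_preferences(SAMPLE_PREFS))
    print(usage_level(88, SAMPLE_PREFS["disk_major"], SAMPLE_PREFS["disk_critical"]))
```

The point of validating the pair before saving is the Major level's purpose in the text: it only buys reaction time if it sits below the Critical level, so a form that inverts them should be rejected rather than silently stored.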
On the Monitor page, select the Edit > Preferences menu item. The Monitor Preferences page displays.
STEP 2
STEP 3
Click Save.
Discovery Scans
Through the Monitor page, you can perform and manage discovery scans, which enable you to
examine your network as it is currently configured. Through the discovery features, you can also
determine if your network is vulnerable to exploits. Discovery scans can be created and performed
manually or set ahead of time. Preset scans are scheduled scans, set to run against a segment or set of
IP addresses at specific intervals and times.
You can enact various scans and watch their progress and completion through an activity page. You can
stop and restart scans as needed. Before you can run discovery scans on your device, you must
configure the IPS device to accept these types of scans.
You can do the following actions for discovery scans:
The Discovery pages provide icons next to each entry displaying the available functions
Discover Page
When you access the Discover page, the Discover - Discovered Hosts page displays as default. The
following is the Discover page:
Figure 6 - 7: Discover Page
This page has icons in the Function column indicating the available options:
Table 6 - 6: Functions Icons
Icon
Function
Description
Rescan
Click the Rescan icon to rescan a single host. You can only rescan hosts
previously scanned.
Stop Scan
You can access the different options for discovering hosts and running scans by selecting the Open and
Edit menus. A drop-down menu displays listing the options for the page. The menu options may
change depending on the menu option you select. The instructions in this chapter indicate when to
navigate through the drop-down menu options.
segment when that is appropriate. You should not scan the managing subnet. The VNAM port
containing the routes to the management plane will cause a loss of connection.
For example, if Port A is connected to the Internet, and Port B is connected to your Accounting subnet,
you can disable scanning on Port A, and enable scanning on Port B, because you won't want to scan the
Internet for vulnerabilities, but you will want to scan your accounting subnet for vulnerabilities.
Prepare a Segment for Scanning
STEP 1
STEP 2
STEP 3
STEP B
STEP C
WARNING: You should not scan the managing subnet. The VNAM port containing
the routes to the management plane will cause a loss of connection.
STEP 4
Click the Enabled check box for Discovery. This setting enables Discovery scans to
run through the port.
STEP B
Enter the Destination Network, Gateway, and Mask and click the add to table
below button for each port (A / B) that you want to enable for scanning.
Note: You only need to enter routing options for a port if you are going to run
discovery on a subnet outside of the subnet on which the discovery IP address is
located.
STEP 5
Click Save.
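The segment preparation rules above (never scan the managing subnet; routing entries are needed only for subnets outside the one the discovery IP address sits on), as an added example written for this guide and not LSM code: it classifies each target network for one discovery-enabled port and builds the Destination Network / Gateway / Mask rows that port would need. The addresses, the management subnet and the gateway are constructed sample values, and the three classification names are this example's own.

```python
import ipaddress


def classify_scan_target(discovery_ip, discovery_mask, management_subnet, target_network):
    """Decide how a target network relates to a discovery-enabled port.

    'forbidden'   - overlaps the managing subnet (scanning it drops the management connection)
    'local'       - inside the subnet of the discovery IP address, so no route entry is needed
    'needs-route' - outside that subnet, so a Destination Network/Gateway/Mask entry is required
    """
    port = ipaddress.ip_interface(f"{discovery_ip}/{discovery_mask}")
    mgmt = ipaddress.ip_network(management_subnet, strict=False)
    target = ipaddress.ip_network(target_network, strict=False)
    if target.overlaps(mgmt):
        return "forbidden"
    if target.subnet_of(port.network):
        return "local"
    return "needs-route"       # includes targets only partly inside the local subnet


def plan_port_routes(discovery_ip, discovery_mask, gateway, management_subnet, targets):
    """Build the route rows for one port and list the targets that must be rejected."""
    routes, rejected = [], []
    for t in targets:
        kind = classify_scan_target(discovery_ip, discovery_mask, management_subnet, t)
        if kind == "forbidden":
            rejected.append(t)
        elif kind == "needs-route":
            net = ipaddress.ip_network(t, strict=False)
            routes.append({
                "destination_network": str(net.network_address),
                "gateway": gateway,
                "mask": str(net.netmask),
            })
    return routes, rejected


# Constructed sample: Port B carries the accounting networks, management lives on 10.0.1.0/24.
PORT_B_DISCOVERY_IP = "10.20.30.5"
PORT_B_MASK = "255.255.255.0"
PORT_B_GATEWAY = "10.20.30.1"
MANAGEMENT_SUBNET = "10.0.1.0/24"
SAMPLE_TARGETS = ["10.20.30.0/24", "10.20.40.0/24", "10.0.1.0/24"]

if __name__ == "__main__":
    routes, rejected = plan_port_routes(PORT_B_DISCOVERY_IP, PORT_B_MASK, PORT_B_GATEWAY,
                                        MANAGEMENT_SUBNET, SAMPLE_TARGETS)
    for r in routes:
        print("add to table below:", r)
    for t in rejected:
        print("rejected (managing subnet):", t)
```

Checking the management subnet with overlaps rather than equality is deliberate: a broad target such as a /16 that happens to contain the managing subnet is just as disruptive as naming that subnet directly.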
Performing Scans
A scan searches your network for hosts and services on those hosts that might be vulnerable to attack.
A scan usually takes approximately fifteen seconds per host, but may take as long as two minutes on
some hosts.
Note: Some operating systems purposely slow the rate of scan returns to make it
difficult for malicious parties to gain system information. To prevent such systems
from impeding scan efficiency, individual host scans timeout after two minutes. If
the scan of a particular host times out, no information about that host will be
returned.
When you perform scans, you can also edit the Discovery Data Aging setting on the Monitor Preferences page. See Monitor Preferences on page 183.
As each host scan is completed, the results display on the Discover - Discovered Hosts page:
Figure 6 - 8: Discover - Discovered Hosts Page
Segment
The segment on which the scanned host was sensed.
Host OS
The operating system of the scanned host.
Services
The number of active services sensed on the scanned host.
Last Scan/Modify
The last time the host was scanned or the host information was modified.
Note: The scanner attempts to sense the host operating system based on its lists
of known operating systems. If it cannot make an exact determination, it makes a
best guess. If this guess is not accurate, you can Perform a Manual Scan to
correct the information.
If you wish to see the ports and services the scanner sensed, you can View Scan Details.
Note: You can only start a discovery scan if you have at least one discovery port
enabled. See Prepare a Segment for Scanning for more information. Also, you will
not be able to perform a scan from the LSM if the device is under control of the
SMS.
WARNING: You should not scan the managing subnet. The VNAM port containing
the routes to the management plane will cause a loss of connection.
On the Monitor page, select the Edit > Start Scan menu item. The Discover - Manual
Scan page displays.
STEP 2
STEP 3
STEP 4
Click Scan.
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
Review the listed scans. These include in-progress, pending, and completed scans.
Note: You cannot delete a scan from this page.
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
The Scan Activity page displays the scans in-progress, pending, and completed scans.
STEP 3
Click the Stop Scan icon in the Functions column corresponding to the scan you would like to
stop.
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
STEP 3
Click the IP address of the host's Scan Results you would like to review.
The Discovery Details/Edit page displays the IP address of the host, the last day and time a scan was
performed, and what services were discovered on what ports.
Rescan a Single Host
STEP 1
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
STEP 3
STEP 1
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
Click the IP address of the host's Scan Results you would like to edit.
STEP 3
Click the specify OS check box if you want to change the operating system determination
made by the discovery scanner.
STEP A
Select the OS Group from the Please Select OS Group drop-down menu:
Computers, Network Devices, Peripheral Devices.
STEP B
Select more specific categories of the selected OS Group from the two drop-down
menus.
STEP 4
Change the text listing for any services you want to edit.
STEP 5
Click Save.
On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
Activity page displays.
STEP 2
STEP 3
STEP 4
Schedule Scans
You can also schedule scans on the Discovery page. You may want a scan to run during a specific time
on selected ports and segments. You can only run scheduled scans on ports and segments set to accept
discovery scans.
Note: Prior to scheduling a scan, you must prepare a segment for discovery
scans. See Preparing for Scans.
When you schedule a scan, you set scan settings according to the following:
Frequency When the scan performs: weekly, hourly, or daily
Segment The segment and its ports to scan
IP Address The IP or range of IP addresses to scan
Schedule a Scan
View Scheduled Scans
Schedule a Scan
STEP 1
On the Monitor page, select the Open > Schedule Scan menu item. The Discover Schedule Scan page displays.
STEP 2
STEP 3
STEP A
STEP B
Select a start day from the Start scan every drop-down menu.
STEP C
Select the hour and minute for the scan from the time drop-down menus.
In the What to Scan section, select the Number of ports to scan: 1,024 or 65,536.
STEP 4
STEP 5
STEP 1
On the Monitor page, select the Open > Schedule Scan menu item. The Discover Schedule Scan page displays.
STEP 2
Update
Update is used to update the IPS embedded operating system (UnityOne) and the attack protection
filters that the IPS uses to prevent attacks. These updates are downloaded and installed from the
Threat Management Center.
Overview
TippingPoint is committed to providing the best means of protecting your network using the UnityOne
family of products. Therefore, the Threat Management Center (TMC) releases Software Updates and
Filter Updates for the LSM. These updates include new filters and settings to detect and manage new
threats on the internet and attacking servers.
The new filters are released as packages called Digital Vaccine. For more information, visit the TMC
website (https://tmc.tippingpoint.com).
Update includes the following topics:
Update Page
The following is the Update page:
Figure 7 - 1: Update Page
You can access the different types of monitor options by selecting the Open and Edit menus. A
drop-down menu displays listing the options for the page. The menu options may change depending
on the menu option you select. The instructions in this chapter indicate when to navigate through the
drop-down menu options.
Filter Updates
When new types of attack are discovered, or when improved methods of sensing existing attacks are
developed, the Threat Management Center (TMC) creates and releases new filters to add to your filter
database. These filters are released as Digital Vaccine packages. The TMC sends notifications when you
can Download a Filter Update to your local workstation. Once you have downloaded the update, you
can Install a Filter Update on your UnityOne device. After it is installed, you can then enable a filter
category for each filter that applies to your network configuration.
You can do the following:
Download a Filter Update
Install a Filter Update
Note: You cannot rollback to a previous Digital Vaccine version. If you want to
use a previous version of a Digital Vaccine, select an older version of the Digital
Vaccine package from the TMC.
Download a Filter Update
STEP 1
On the Update page, click the Threat Management Center link or open another browser
window to:
STEP 2
https://tmc.tippingpoint.com
Log in to the TMC.
STEP 3
STEP 4
Find the update you want and click the More Info button.
STEP 5
STEP 6
You can then install the update through the Update page.
Install a Filter Update
STEP 1
First, download an update. See Download a Filter Update. Further instructions are also
detailed on the Update page.
STEP 2
On the Update page, check the Update Status of the IPS. Read Step 2 in the Update - Main
View window. If the status is not ready or OK, click the (reset status) link.
STEP 3
Check the line that says Make sure the file you downloaded is less than: <number> Mb.
Read Step 3; it has information about the size of the download file. If it is not less than the
suggested Mb, use Delete Old Versions from the Previous OS Versions window to free disk space for
the update.
STEP 4
Check the High Priority Enabled check box (Step 4) if there is an immediate need for the
update and it is during normal working hours.
Note: This option provides the priority for downloading the package. The system
does not give priority over attacks to installing the new package. A system under
heavy attack trying to install the update would not give priority to the upgrade at
that time.
STEP 5
Check the Layer-2 Fallback check box (Step 4) to enable the option during the installation.
STEP 6
In the Install Version field, enter in the full pathname for the update file or click Browse to
select the file on your local machine.
STEP 7
Click Install.
While the new file is loaded onto your IPS, the word Uploading appears in place of the Install button.
Once the transfer is complete, a progress bar displays an in-progress percentage for the install.
When the installation completes, you are returned to the Update - Main View page. The new version
displays in the Version column of the Current Installed Versions table.
Software Updates
When improvements or additions are made to the UnityOne system, TippingPoint releases a software
update on the TMC website (https://tmc.tippingpoint.com). You can download and install updates
from this site. Prior to installing the update, you should make sure to backup any filters created and
implemented using the Custom Shield Writer. The update will overwrite these files.
CAUTION: You must read the release notes posted with your IPS software update package
on the TMC. The release notes contain information that may make the difference between a
successful software update and an unsuccessful software update.
When you download and install an update, the LSM automatically updates the TippingPoint Operating
System (TOS) and flashes the FPGAs.
Note: UnityOne-50 and UnityOne-100E devices do not require or use FPGAs. The
update for these devices does not include a flash of FPGAs.
When you perform an update of the software, the Update page displays a set of status messages. See
Update States on page 197 for details. The settings for your filter and system settings are persisted.
See Persistent Settings on page 200 for details.
You can do the following:
Download a Software Update
Install a Software Update
Persistent Settings
When you perform a software update, your current configuration and filter settings are persisted
forward.
Note: When you Install a Software Update, an archive copy of your current filters
settings will be saved. If you Perform a Software Rollback in the future, changes
made to your filters settings after the update will not be preserved.
During a graceful shutdown, such as during an update or reboot (started from the LSM or by a CLI
command), Packet Trace data may not be automatically flushed to disk. To guarantee that Packet Trace
data is flushed to disk, do the following:
Click on any Packet Trace icon in the alert or block logs
Click on the Packet Trace (TCPDUMP) icon
For more information on Packet Trace logs, see Packet Trace Log on page 120.
Update States
The LSM provides update status on the progress of the update. The messages include <Update
State>:<qualifier>. The <Update State> indicates the state of the update. The <qualifier> provides
information about the state. The following table details the messages that display on the LCD screen
during an update of the TOS:
Table 8: IPS Update States
Update State
Ready
Description
Device is ready for an update.
Updating
UpdateCommitting
UpdateFailure
Rollback
RollbackCommitting
RollbackFailure
Failsafe
Device was unable to load a valid image and is running a scaled-back image.
If an error occurs, the information changes. The state displays as UpdateFailure:<state> where
<state> is one of the listed states in Table 8. The listed state displays a qualifier and message regarding
the state. The following table details the qualifiers and messages:
Table 9: IPS Update Failure Messages
Update Failure Qualifier
Message
OK
InvalidUpdateState
InvalidLocation
RebootDuringUpdate
TarChecksumError
TarExractError
ArchiveCreateFailure
SystemError
WrongPlatformType
PackageReadError
WrongPackageType
NotEnoughFreeSpace
UnsignedPackage
MemoryError
BadCertificate
DowngradeRevisionNotSupported
PackageOpenError
Unable to open package. Make sure you have a correct TippingPoint-supplied IPS package.
CannotUpdateDVWhenTSEIsBusy
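The <Update State>:<qualifier> message format from Update States, parsed in an added example written for this guide (not LSM code): it uses the state names from Table 8 and the failure qualifiers from Table 9 exactly as spelled on the page, and picks out the messages in a status sequence that need an operator's attention. Treating RollbackFailure qualifiers the same way as UpdateFailure ones, the category names and the sample sequence are this example's assumptions.

```python
import re

# State names from Table 8 and failure qualifiers from Table 9, spelled as on the page.
UPDATE_STATES = {
    "Ready", "Updating", "UpdateCommitting", "UpdateFailure",
    "Rollback", "RollbackCommitting", "RollbackFailure", "Failsafe",
}
FAILURE_QUALIFIERS = {
    "OK", "InvalidUpdateState", "InvalidLocation", "RebootDuringUpdate", "TarChecksumError",
    "TarExractError", "ArchiveCreateFailure", "SystemError", "WrongPlatformType",
    "PackageReadError", "WrongPackageType", "NotEnoughFreeSpace", "UnsignedPackage",
    "MemoryError", "BadCertificate", "DowngradeRevisionNotSupported", "PackageOpenError",
    "CannotUpdateDVWhenTSEIsBusy",
}
IN_PROGRESS = {"Updating", "UpdateCommitting", "Rollback", "RollbackCommitting"}
# Qualifiers that mean the package itself failed an integrity or authenticity check.
INTEGRITY_QUALIFIERS = {"TarChecksumError", "UnsignedPackage", "BadCertificate"}

STATUS_RE = re.compile(r"^(?P<state>[A-Za-z]+)(?::(?P<qualifier>[A-Za-z]+))?$")


def parse_update_status(message):
    """Split '<Update State>:<qualifier>' into (state, qualifier); the qualifier may be absent."""
    m = STATUS_RE.match(message.strip())
    if not m or m.group("state") not in UPDATE_STATES:
        raise ValueError(f"not an IPS update status message: {message!r}")
    return m.group("state"), m.group("qualifier")


def classify_update_status(message):
    """Reduce a status message to one of: ready, in-progress, failsafe, failure:<qualifier>."""
    state, qualifier = parse_update_status(message)
    if state == "Ready":
        return "ready"
    if state in IN_PROGRESS:
        return "in-progress"
    if state == "Failsafe":
        return "failsafe"
    # UpdateFailure or RollbackFailure (assumed to share Table 9's qualifiers).
    if qualifier is None or qualifier not in FAILURE_QUALIFIERS:
        return "failure:unrecognised"
    return f"failure:{qualifier}"


def triage(messages):
    """Return (message, category) for every message an operator should act on."""
    attention = []
    for msg in messages:
        try:
            kind = classify_update_status(msg)
        except ValueError:
            attention.append((msg, "unparseable"))
            continue
        if kind.startswith("failure") or kind == "failsafe":
            attention.append((msg, kind))
    return attention


def is_integrity_failure(message):
    """True when the failure qualifier says the package was corrupt, unsigned or badly certified."""
    state, qualifier = parse_update_status(message)
    return state in ("UpdateFailure", "RollbackFailure") and qualifier in INTEGRITY_QUALIFIERS


# Constructed sample sequence; not captured from a device.
SAMPLE_SEQUENCE = [
    "Ready", "Updating", "UpdateCommitting",
    "UpdateFailure:NotEnoughFreeSpace", "Failsafe",
]

if __name__ == "__main__":
    for msg, kind in triage(SAMPLE_SEQUENCE):
        print(f"{msg:40} -> {kind}")
```

The integrity check is singled out because the response differs: a NotEnoughFreeSpace failure is fixed by freeing disk space and retrying, whereas TarChecksumError, UnsignedPackage or BadCertificate mean the package should be discarded and re-downloaded from the TMC rather than retried.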
STEP 2
Click the Threat Management Center link or open another browser window to:
STEP 3
https://tmc.tippingpoint.com
Log in to the TMC.
STEP 4
STEP 5
Find the update you want and click the More Info button.
STEP 6
Click the Download Now button of the IPS Software Images (UnityOne) file.
STEP 7
You can then install the update through the Update page.
Install a Software Update
STEP 1
STEP 2
On the Update page, check the Update Status of the IPS. Read Step 2 on the Update - Main
View page. If the status is not ready or OK, click the (reset status) link.
STEP 3
Check the line that says Make sure the file you downloaded is less than: <number> Mb.
Read Step 3 on the Update - Main View page. It has information about the size of the download file.
If it is not less than the suggested Mb, use Delete Old Versions from the Previous OS Versions
window to free disk space for the update.
STEP 4
Check the High Priority Enabled check box (Step 4) if there is an immediate need for the
update and it is during normal working hours.
Note: This option provides the priority for downloading the package. The system
does not give priority over attacks to installing the new package. A system under
heavy attack trying to install the update would not give priority to the upgrade at
that time.
STEP 5
Check the Layer-2 Fallback check box (Step 4) to enable the option during the installation.
STEP 6
In the Install version field, enter in the full pathname or click Browse to select the file on
your local hard disk.
STEP 7
Click Install.
The IPS installs the updated software image. This process takes between five and ten minutes while the
boot image and configuration files are replaced.
When the installation completes, the IPS performs a soft reboot. After the reboot, you can log back in
to the system.
Note: When you update the software, the FPGA files are flashed automatically by
the system. You do not need to perform additional steps to update your TOS.
Software Rollbacks
Occasionally, you may need to rollback the customized settings or version of the software or filter. A
rollback operation reverts the currently running software or Digital Vaccine version on your UnityOne
device to a previous working version. When the rollback occurs, the system rolls back without losing
your customized settings. When you recover your system, the default values are used.
Occasionally, you may need to rollback the version of the software or filter. A rollback operation reverts
the operating system on your UnityOne device to a previous working version and deletes the currently
installed version. The system retains the settings and configurations of your system. However, not all
functionality may be available according to the version of the TOS you rollback to. For details, refer to
the release notes for that version of the software.
CAUTION: If you perform a rollback, read the release notes for both the software version
you are rolling back from and the software version you are rolling back to. You may need to
flash the FPGA files for the IPS if you rollback to an older version of the TOS, such as going
from 1.4.2 to 1.4.1. Functionality may also differ from version to version.
If you rollback to use an older version of the TOS, such as V 1.4.2 to V 1.4.1, an SMS running
the latest software cannot push profiles or Digital Vaccine packages to the device.
Note: When you update and rollback, the LSM does not lose your settings or
configurations.
When you perform a rollback of the software, the Update page displays a set of status messages. See
Update States on page 197 for details.
Persistent Settings
When you perform an operating system rollback, your current configuration settings are preserved,
but filter settings roll back to the settings that were in effect when the rollback version was archived.
Any changes to filter settings made after your target rollback version are deactivated, including attack
protection filter updates.
Note: When you update and roll back, none of your settings or configurations are lost,
with the exception of segment renaming and threshold settings.
Perform a Software Rollback
STEP 1
On the Update page, click the Rollback Icon beside the IPS OS Image listed under Current
Installed Versions. A confirmation message displays.
STEP 2
Click OK.
The UnityOne device deletes the current operating system files and reinstalls the previous operating
system files. When the installation completes, it performs a soft reboot. After the IPS has rebooted, you
can log back into the LSM.
If you want to restore the operating system you rolled back from, you will need to reload it on your
UnityOne device using the Download a Software Update and the Install a Software Update instructions.
Note: A rollback can only revert to a software version that is currently stored on
your IPS. It will not automatically download a software image.
STEP 1
On the Update page, review the list of previous versions and decide which is safe to delete.
Typically, the oldest of several stored versions is the safest to delete.
STEP 2
Click the delete (trash can) icon in the Functions column next to the image or filter package
you would like to delete. A confirmation message displays.
STEP 3
Click OK.
Device Snapshots
You can create a snapshot of your device's settings through the Update page. You can create, manage,
and import local snapshots for your IPS device through the LSM. After restoring a snapshot, the device
always restarts.
WARNING: You can apply a single snapshot to multiple devices. However,
applying the snapshot to devices managed by an SMS can cause a device ID
conflict. Do not apply a snapshot to multiple devices when managed by SMS.
WARNING: Do not perform an Update of your software while running a snapshot.
The system may experience conflicts.
Column           Definition
Name
Date
Software Build   The build number for the TOS software running when the snapshot was generated
Digital Vaccine  The version number of the Digital Vaccine package running when the snapshot was generated
Functions
Create a Snapshot
STEP 1
On the launch bar, click the Update tab. The Update page displays.
STEP 2
Select the Open > System Snapshots option. The Update - System Snapshots page displays.
STEP 3
STEP 4
Click Create.
Import a Snapshot
STEP 1
On the launch bar, click the Update tab. The Update page displays.
STEP 2
Select the Open > System Snapshots option. The Update - System Snapshots page displays.
STEP 3
For Import Snapshot, click Browse. Locate the file to import. The file location and name displays on the page.
STEP 4
Click Install. The selected snapshot uploads and displays in the list of snapshots.
Restore a Snapshot
STEP 1
On the launch bar, click the Update tab. The Update page displays.
STEP 2
Select the Open > System Snapshots option. The Update - System Snapshots page displays.
STEP 3
STEP 4
Export a Snapshot
STEP 1
On the launch bar, click the Update tab. The Update page displays.
STEP 2
Select the Open > System Snapshots option. The Update - System Snapshots page displays.
STEP 3
STEP 4
Delete a Snapshot
STEP 1
On the launch bar, click the Update tab. The Update page displays.
STEP 2
Select the Open > System Snapshots option. The Update - System Snapshots page displays.
STEP 3
Locate the snapshot you want to delete. Click the Delete icon.
Administration
Administration describes user characteristics and user administration tasks. This section details
how to create and manage users, update SMS software, and review logs.
Overview
The Admin page enables you to manage and view the access and usage of a system. Through this page,
you can create and maintain user access through accounts and review system logs. However, not all
users can maintain this information. You must have administrator access to open and use the features
of the Admin page.
The system includes three types of users:
Operator Basic access to review the status of the system
Administrator Advanced access to monitor and manage functions in the system
Super User Full access to use and manage all functions available in the system
Administration includes the following topics:
Admin Page
The following is the Admin page:
Figure 8 - 1: Admin Page
This page has icons in the Function column indicating the available options:
Table 8 - 1: Functions Icons
Icon   Function   Description
       Edit       Click the Edit icon to edit the settings for a user account.
       Delete
Note: You can only delete or edit an account with the proper level of access.
You can access the different types of administrator options by selecting the Open and Edit menus. A
drop-down menu displays listing the options for the page. The menu options may change depending
on the menu option you select. The instructions in this chapter indicate when to navigate through the
drop-down menu options.
Level     Name                        Description
Level 0   No Security Checking
Level 1   Basic Security Checking
Level 2   Maximum Security Checking
The UnityOne system uses Level 2, Maximum Security Checking, as the default security access
restriction. To modify the security level for an account, see User Security Preferences on page 212.
Note: When the no security checking option is selected, any user logging in
must still use a username defined in the LSM.
Page        Operator   Administrator   Super-user
Filters     view       all             all
Attacks     view       all             all
Discover    view       all             all
Monitor     view       all             all
Logs                                   all
Update      view       all             all
Configure   view       all
Admin                                  all, including change Idle Timeout and change Password Expiration
Help        view       view            view
Managing Users
Through the Admin page, you can create and maintain user accounts. These accounts determine the
access and available functions for all users of the UnityOne system. When you create or modify a user,
you must be sure to enter valid user data. Valid entries for login names and passwords are described
below.
Note: Modifications to a user ID that is currently logged in do not take effect
until that user ID's next login.
Only Super-user accounts can create and edit all aspects of a user. Administrator and Operator
accounts can only change their passwords. On this page, you can do the following:
fjohnson
fredj123
freDj-123
fRedj-*123
Invalid Passwords
my-pa55word
my-b1rthday
myd*gsnam3
STEP 1
On the Admin page, click your user account (login) name or the Edit icon. The Administer - User Details/Edit page displays.
STEP 2
Type your new Password. See Valid Password Data for password requirements.
STEP 3
Type your new password again in the Confirm Password field. You must enter the password
exactly as you did in step 2.
STEP 4
Click Save.
STEP 1
On the Admin page, select the Edit > Create User menu item or click the Create button.
The Administer - Create User page displays.
STEP 2
Enter a user Login name. See Valid Login Names for more information.
STEP 3
STEP 4
STEP 5
STEP 6
Click Create.
STEP 1
On the Admin page, select an account (login). The Administer - User Details/Edit page
displays.
STEP 2
You can modify the security level or password of the user account. See Security Level Capabilities or Valid Password Data for more information.
STEP 3
Click Save.
STEP 1
STEP 2
Click the Delete icon next to the user you want to delete. A confirmation message displays.
STEP 3
Click OK.
Web Idle Timeout Set the idle timeout for lack of usage
Security Level Set the security level for authenticating users
Password Expiration Set the expiration time and action for passwords
Max Login Attempts Set the maximum number of failed log in attempts and action
Tip: Session timeouts and password expiration periods may be covered in your
company's information security policy. Consult your security policy to be sure you
configure these values appropriately.
Security Level
You can set the level of security checking that is performed when you add a new user or change a
password. Checking performed for the levels includes:
No Security Checking: Any user name or password is accepted. User access is not authenticated
against the user accounts saved in the LSM.
Basic Security Checking: User names must be between 6 and 32 characters long; passwords
must be between 8 and 32 characters long.
Maximum Security Checking: User names must be between 6 and 32 characters long. Passwords
must be strong passwords, between 8 and 32 characters long and containing at least one numeric
character and one non-alphanumeric character.
The UnityOne system uses Maximum Security Checking as the default security level.
See Set User Preferences on page 214.
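The following validator is an added example and is not part of the LSM or of this manual. It encodes the Basic and Maximum Security Checking rules above (user name length, password length, and the numeric plus non-alphanumeric requirement of a strong password) so that candidate credentials can be checked before an account is created. The level constants, function names and the candidate strings are this example's own assumptions; the LSM exposes no such API.

```python
import re
from typing import List

# The three LSM security levels, numbered as on the Admin page (Level 0 to 2).
NO_SECURITY_CHECKING = 0
BASIC_SECURITY_CHECKING = 1
MAXIMUM_SECURITY_CHECKING = 2


def check_login_name(name: str, level: int) -> List[str]:
    """Return the policy violations for a login name; an empty list means it is accepted."""
    if level == NO_SECURITY_CHECKING:
        return []                     # Level 0 imposes no format rules at all
    problems = []
    if not 6 <= len(name) <= 32:
        problems.append("login name must be 6 to 32 characters")
    return problems


def check_password(password: str, level: int) -> List[str]:
    """Return the policy violations for a password at the given security level."""
    if level == NO_SECURITY_CHECKING:
        return []
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("password must be 8 to 32 characters")
    if level == MAXIMUM_SECURITY_CHECKING:
        # A "strong" password needs at least one digit and one non-alphanumeric character.
        if not re.search(r"[0-9]", password):
            problems.append("password must contain a numeric character")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("password must contain a non-alphanumeric character")
    return problems


def is_acceptable(name: str, password: str, level: int) -> bool:
    """True when both the login name and the password satisfy the level's rules."""
    return not (check_login_name(name, level) or check_password(password, level))


if __name__ == "__main__":
    # Constructed candidates for illustration, not taken from the manual's own lists.
    for candidate in ("freDj-123", "fredj123", "Ab1!", "password"):
        print(candidate, check_password(candidate, MAXIMUM_SECURITY_CHECKING) or "accepted")
```

The character rules are a floor, not a complete policy: the manual's Invalid Passwords list contains strings that satisfy them, so a checker like this should be combined with whatever additional review your own security policy requires.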
Password Expiration
The LSM features configurable password expiration, enabling you to decide how frequently users must
change their passwords. Password expiration is configurable through the LSM to periods of anywhere
from 10 days to 1 year. The default password expiration period is 90 days.
You can assign an action to the system to do the following:
Prompt the user to change the password when it expires
Notify the user when the password is expired
Disable the account
The system notifies the user five days before the expiration occurs and at each subsequent login. At
expiration, a new dialog box displays prompting the user to change the password before accessing the
LSM.
See Set User Preferences on page 214.
STEP 1
On the Admin page, select the Edit > Preferences menu item. The Administer - User
Preferences page displays.
STEP 2
To change the idle timeout, enter a number of minutes (up to 9999) for Web Idle Timeout.
STEP 3
To change the rate of page refreshes, enter a number of seconds for the Page Refresh Time.
STEP 4
To select the security level of the LSM, select a security setting from the Security Level dropdown menu:
No Security Checking Any user name or password can work
Basic Security Checking User names must be between 6 and 32 characters long;
passwords must be between 8 and 32 characters long.
Maximum Security Checking User names must be between 6 and 32 characters long.
Passwords must be between 8 and 32 characters long and must contain one numeric
character and one non-alphanumeric character.
STEP 5
To change the period of time for password expiration, select a period of time from the Password Expiration drop-down menu: Disabled, 10 days, 20 days, 30 days, 45 days, 60 days, 90
days, 6 months, or 1 year.
Note: If your password expiration period is too long, it increases the chance that
a user's password will be discovered by an outsider, or that ex-employees'
passwords remain valid after they leave. If your password expiration period is too
short, it increases the chance that employees will write passwords down, or use
browser features to remember passwords. Standard practice dictates that
password expiration periods should not be shorter than 30 days or longer than 90
days.
STEP 6
To assign an action to the expiration period (if not disabled in Password Expiration), select
an action from the Password Expiration Action drop-down menu:
Force User to Change Password Displays a dialog box prompt for new password.
Notify User of Expiration Displays a message informing you the password has expired
Disable Account Disables all access to the LSM using the expired account
STEP 7
To assign the number of login attempts allowed prior to disabling the account, select a number (1-10) from the Max Login Attempts drop-down menu.
STEP 8
To assign an action for the failed access, select an action from the Failed Login Action dropdown menu:
Disable Account Disables the account from usage
Lockout Account Locks the account out from access for a set period of time
Audit Event Documents the failed access to the audit log
STEP 9
To set the lockout period, select a number of minutes from the Lockout Period drop-down
menu: 1, 5, 10, 15, 30, or 60.
STEP 10
Click Save.
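As an added example that is not LSM code, the following model shows how the Max Login Attempts, Failed Login Action, Lockout Period, Password Expiration and Password Expiration Action settings from the procedure above interact for a single account over time. The policy value names, the account structure, and the assumption that a successful login clears the failure counter are this example's own; the five-day expiration warning comes from the Password Expiration section. Verify the device's actual behaviour on your own system before relying on it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LoginPolicy:
    """The Administer - User Preferences settings modelled here (field names are this example's)."""
    max_login_attempts: int = 5              # LSM range: 1 to 10
    failed_login_action: str = "lockout"     # "disable", "lockout" or "audit"
    lockout_minutes: int = 15                # LSM choices: 1, 5, 10, 15, 30, 60
    expiration_days: Optional[int] = 90      # None models "Disabled"
    expiration_action: str = "force_change"  # "force_change", "notify" or "disable"


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime
    failed_attempts: int = 0
    disabled: bool = False
    locked_until: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the model never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(name: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), password_set=now)


def attempt_login(acct: Account, password: str, policy: LoginPolicy, now: datetime) -> str:
    """Apply one login attempt to the account and return the outcome as a status string."""
    if acct.disabled:
        return "disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                          # still inside the lockout period
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        acct.audit.append(f"{now.isoformat()} failed login for {acct.name}")
        if acct.failed_attempts >= policy.max_login_attempts:
            acct.failed_attempts = 0
            if policy.failed_login_action == "disable":
                acct.disabled = True             # persists until an administrator intervenes
                return "disabled"
            if policy.failed_login_action == "lockout":
                acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
                return "locked"
            # "audit": the failure is only recorded; access is not blocked
        return "bad_password"
    # Correct password: clear the failure state (assumption), then apply expiration.
    acct.failed_attempts = 0
    acct.locked_until = None
    if policy.expiration_days is None:
        return "ok"
    expires = acct.password_set + timedelta(days=policy.expiration_days)
    if now >= expires:
        if policy.expiration_action == "disable":
            acct.disabled = True
            return "disabled"
        if policy.expiration_action == "force_change":
            return "must_change_password"
        return "expired_notice"
    if now >= expires - timedelta(days=5):       # warning window from the manual
        return "expiring_soon"
    return "ok"


def demo() -> List[str]:
    """Walk one constructed account through a lockout and then to expiry; returns the statuses."""
    policy = LoginPolicy(max_login_attempts=3, lockout_minutes=10)
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = new_account("opsadmin", "freDj-123", t0)
    return [
        attempt_login(acct, "wrong", policy, t0),
        attempt_login(acct, "wrong", policy, t0),
        attempt_login(acct, "wrong", policy, t0),                             # third failure locks
        attempt_login(acct, "freDj-123", policy, t0 + timedelta(minutes=5)),   # still locked
        attempt_login(acct, "freDj-123", policy, t0 + timedelta(minutes=10)),  # lockout over
        attempt_login(acct, "freDj-123", policy, t0 + timedelta(days=86)),     # inside warning window
        attempt_login(acct, "freDj-123", policy, t0 + timedelta(days=90)),     # expired
    ]


if __name__ == "__main__":
    print(demo())
```

The sequence in `demo()` makes the difference between the actions visible: Lockout Account is self-clearing after the Lockout Period, Disable Account is not, and Audit Event never blocks access, so choose the action to match how quickly an administrator can respond.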
Web Reference
Apache                        http://www.apache.org
GNU General Public License    http://www.gnu.org/licenses/gpl.html
BSD License                   http://www.opensource.org/licenses/bsd-license.php
Mozilla Public License        http://www.mozilla.org/MPL/
GSOAP License                 http://www.cs.fsu.edu/~engelen/soap.html
PCRE license                  ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
snprintf                      http://www.ijs.si/software/snprintf/
SOAP                          http://xml.apache.org/soap/index.html
Open SSL                      http://www.openssl.org/
NMAP                          http://www.nmap.org/
Nessus                        http://www.nessus.org/
License Name    Web Reference
GSOAP           http://www.cs.fsu.edu/~engelen/soap.html
BSD License     http://www.freebsd.org
PCRE license    ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
Required Statements
Required by the Apache License:
This product includes software developed by the Apache Software Foundation (http://www.apache.org/
).
Required by the gSOAP License:
Part of the software embedded in this product is gSOAP software.
Portions created by gSOAP are Copyright (C) 2001-2002 Robert A. van Engelen, Florida State
University. All Rights Reserved.
THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP SOFTWARE AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
License Texts
The Apache, GPL, and gSOAP public licenses require that their texts be published in the user
documentation of products that use software covered by these licenses.
Apache License
The Apache Software License, Version 1.1
Copyright (c) 1999-2000 The Apache Software Foundation. All rights reserved. Redistribution and
use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following
acknowledgment: This product includes software developed by the Apache Software Foundation
(http://www.apache.org/). Alternately, this acknowledgment may appear in the software itself, if and
wherever such third-party acknowledgments normally appear.
4. The names Xerces and Apache Software Foundation must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact apache@apache.org.
5. Products derived from this software may not be called Apache, nor may Apache appear in their
name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE
SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
==========================================================
This software consists of voluntary contributions made by many individuals on behalf of the Apache
Software Foundation and was originally based on software copyright (c) 1999, International Business
Machines, Inc., http://www.ibm.com. For more information on the Apache Software Foundation,
please see <http://www.apache.org//>.
The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND
MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The Program,
below, refers to any such program or work, and a work based on the Program means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term modification.) Each licensee is
addressed as you.
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made
by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based
on the Program, and copy and distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is
derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there is no warranty (or else, saying that
you provide a warranty) and that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on the Program is not required to
print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not
derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute them
as separate works. But when you distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a
work based on the Program) on a volume of a storage or distribution medium does not bring the other
work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a) Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an
executable work, complete source code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to control compilation and installation of the
executable. However, as a special exception, the source code distributed need not include anything that
is normally distributed (in either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of
the source code, even though third parties are not compelled to copy the source along with the object
code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by modifying or distributing the
Program (or any work based on the Program), you indicate your acceptance of this License to do so,
and all its terms and conditions for copying, distributing or modifying the Program or works based on
it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public
License from time to time. Such new versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of
this License which applies to it and any later version, you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution
conditions are different, write to the author to ask for permission. For software which is copyrighted by
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of
our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best
way to achieve this is to make it free software which everyone can redistribute and change under these
terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each
source file to most effectively convey the exclusion of warranty; and each file should have at least the
copyright line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of
author>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when it starts in an interactive
mode:
Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY
NO WARRANTY; for details type `show w.' This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General
Public License. Of course, the commands you use may be called something other than `show w' and
`show c'; they could even be mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a
copyright disclaimer for the program, if necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes
passes at compilers) written by James Hacker.
<Signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into proprietary programs. If
your program is a subroutine library, you may consider it more useful to permit linking proprietary
applications with the library. If this is what you want to do, use the GNU Library General Public License
instead of this License.
BSD License
Copyright (c) <YEAR>, <OWNER>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
The Modifications which You create or to which You contribute are governed by the terms
of this License, including without limitation Section 2.2. The Source Code version of
Covered Code including Compiled Code may be distributed only under the terms of this
License or a future version of this License released under Section 6.1, and You must
include a copy of this License with every copy of the Source Code or Compiled Code You
distribute. You may not offer or impose any terms on any Source Code version that alters
or restricts the applicable version of this License or the recipients' rights hereunder.
However, You may include an additional document offering the additional rights
described in Section 3.5.
lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new
knowledge has been obtained.
(b) Contributor APIs.
If Contributor's Modifications include an application programming interface and Contributor has
knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must
also include this information in the LEGAL file.
(c) Representations.
Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes
that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has
sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not
possible to put such notice in a particular Source Code file due to its structure, then You
must include such notice in a location (such as a relevant directory) where a user would be
likely to look for such a notice. If You created one or more Modification(s) You may add
your name as a Contributor to the notice described in Exhibit A. You must also duplicate
this License in any documentation for the Source Code where You describe recipients'
rights or ownership rights relating to Covered Code. You may choose to offer, and to
charge a fee for, warranty, support, indemnity or liability obligations to one or more
recipients of Covered Code. However, You may do so only on Your own behalf, and not
on behalf of the Initial Developer or any Contributor. You must make it absolutely clear
that any such warranty, support, indemnity or liability obligation is offered by You alone,
and You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of warranty,
support, indemnity or liability terms You offer.
or any Contributor. You hereby agree to indemnify the Initial Developer and every
Contributor for any liability incurred by the Initial Developer or such Contributor as a
result of any such terms You offer. If you distribute executable versions containing
Covered Code as part of a product, you must reproduce the notice in Exhibit B in the
documentation and/or other materials provided with the product.
3.8. Restrictions.
You may not: 1) modify, translate, reverse engineer, decompile, disassemble or otherwise
attempt to reconstruct or discover the source code of Compiler (except to the extent
applicable laws specifically prohibit such restriction); 2) sell or offer for sale, rent, lease,
sublicense, convey, or distribute Compiler; 3) transfer rights to the Covered Code or
Compiler.
4 INABILITY TO COMPLY DUE TO STATUTE OR REGULATION.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of
the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms
of this License to the maximum extent possible; and (b) describe the limitations and the code they
affect. Such description must be included in the LEGAL file described in Section 3.4 and must be
included with all distributions of the Source Code. Except to the extent prohibited by statute or
regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to
understand it.
5 APPLICATION OF THIS LICENSE.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to
related Covered Code.
6 VERSIONS OF THE LICENSE.
6.1. New Versions.
Grantor may publish revised and/or new versions of the License from time to time. Each
version will be given a distinguishing version number.
Once Covered Code has been published under a particular version of the License, You
may always continue to use it under the terms of that version. You may also choose to use
such Covered Code under the terms of any subsequent version of the License.
8.4.
In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding
distributors and resellers) which have been validly granted by You or any distributor hereunder prior to
termination shall survive termination.
9 LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING
NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY
OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY
OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION,
DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH
PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY
RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS
SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT
APPLY TO YOU.
10 MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of
this License is held to be unenforceable, such provision shall be reformed only to the extent necessary
to make it enforceable.
11 RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages
arising, directly or indirectly, out of its utilization of rights under this License and You agree to work
with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing
herein is intended or shall be deemed to constitute any admission of liability.
EXHIBIT A.
The contents of this file are subject to the gSOAP Public License Version 1.0 (the ``License''); you may
not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.cs.fsu.edu/~engelen/soaplicense.html
Software distributed under the License is distributed on an AS IS basis, WITHOUT
WARRANTY OF ANY KIND, either express or implied. See the License for the specific language
governing rights and limitations under the License.
The Original Code of the gSOAP Software is: stdsoap.h, stdsoap2.h, stdsoap.c,
stdsoap2.c, stdsoap.cpp, stdsoap2.cpp.
The Initial Developer of the Original Code is Robert A. van Engelen. Portions created by Robert van
Engelen, Gunjan Gupta, Saurabh Pant, and Yunwei Wang are Copyright (C) 2001-2002 Robert A. van
Engelen, Florida State University. All Rights Reserved.
Contributor(s): ________________________.
[Note: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files
of the Original code. You should use the text of this Exhibit A rather than the text found in the Original
Code Source Code for Your Modifications.]
EXHIBIT B.
Part of the software embedded in this product is gSOAP software.
Portions created by gSOAP are Copyright (C) 2001-2002 Robert A. van Engelen, Florida State
University. All Rights Reserved.
THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP SOFTWARE AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
APPENDIX A.
The Compiler of the gSOAP Software is any one of the executable files provided
with the gSOAP distribution: soapcpp, soapcpp2, soapcpp.exe, soapcpp2.exe.
Browser Certificates
Details how to create browser certificates for Internet Explorer so that the certificate warning messages are no longer shown to the user.
Overview
Because of the security settings of the Local Security Manager (LSM), Internet Explorer may display a Client Authentication message followed by a Security Alert message. These dialogs display when you first establish an HTTPS session with the UnityOne IPS. This appendix details how to create certificates to remove these messages.
Browser Certificates includes the following sections:
Client Authentication Message on page 238
Security Alert on page 239
Example - Creating Personal Certificate on page 245
To remove this warning, you can create and install a personal certificate on your workstation.
The following Procedures detail how to create and install the personal certificate:
Creating a Personal Certificate on page 238
Installing the Personal Certificate on page 239
Creating a Personal Certificate
The following command generates a self-signed certificate valid for 10 years. You need access to a computer with OpenSSL installed. For the latest copy of OpenSSL, go to the OpenSSL web site: http://www.openssl.org. Note that the OpenSSL default when this guide was written was a 1024-bit RSA key, which is no longer considered adequate; add -newkey rsa:2048 (or larger) to the command.
STEP 1
openssl req -new -x509 -days 3650 -out cert.pem -keyout privkey.pem
STEP 2
STEP 3
STEP 4
STEP 5
Click Next.
STEP 6
STEP 7
STEP A
Click Browse.
STEP B
STEP C
Click Next.
STEP B
STEP C
Click Next.
STEP 8
On the Certificate Store screen, select the option Automatically select the certificate store
based on the type of certificate.
STEP 9
Click Next.
STEP 10
Security Alert
The Security Alert dialog in the following illustration shows two security alerts regarding certificates:
Certificate Authority on page 240: the certificate is not from a trusted certifying authority
Invalid Certificate Name on page 243: the name of the certificate is invalid
TippingPoint creates an SSL device certificate that uses TippingPoint as the root authority. This allows TippingPoint devices to use SSL communication between the device and the client application. You can eliminate this dialog by installing the certificate into the client's trusted certificate list and adding an entry for the device to your local HOSTS or LMHOSTS file. The HOSTS entry pairs the device's IP address with its serial number as the host name, because the serial number is the common name in the device certificate; browsing to that name lets the SSL client match the name in the URL against the certificate. Be aware that importing the device certificate as a trusted root makes the browser trust every certificate issued under it, so confirm the certificate's fingerprint out of band before you import it.
Certificate Authority
The following dialog warning displays for a certificate authority security alert:
Figure B -2: Certificate Authority
You can eliminate the Certificate Authority warning with the following procedure:
STEP 1
When the warning displays, click View Certificate. The Certificate dialog box displays.
STEP 2
STEP 3
STEP 4
STEP 5
Select the Place all certificates in the following store option. The certificate store should be
Trusted Root Certificate Authorities. Click Next.
The Completing the Certificate Import Wizard dialog displays.
STEP 6
Click Finish to install the certificate. The Root Certificate Store indicates the status of the
import and displays the certificate information.
STEP 7
Performing the following steps can solve the Invalid Certificate Name warning:
STEP 1
When the warning displays, click View Certificate. The Certificate dialog box displays.
STEP 2
STEP 3
Navigate to and open the local workstation's HOSTS file. On a Windows 2000 workstation this file is located in C:\WINNT\system32\drivers\etc.
STEP 4
Add a line to the file with the UnityOne's IP address followed by its serial number as the host name.
STEP 5
When browsing to the IPS, enter the host name you added to the HOSTS file (the device serial number) instead of the IP address in your Web browser. This name and certificate work only on that particular workstation.
Example - Creating Personal Certificate
[]# openssl req -new -x509 -days 3650 -out cert.pem -keyout privkey.pem
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.......++++++
.................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: DefaultPemPhrase
Verifying password - Enter PEM pass phrase: DefaultPemPhrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: Texas
Locality Name (eg, city) [Newbury]: Austin
Organization Name (eg, company) [My Company Ltd]: TippingPoint Technologies
Organizational Unit Name (eg, section) []: TAC
Common Name (eg, your name or your server's hostname) []: TPTI
Email Address []: tac@tippingpoint.com
[]# openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out to_import.p12
Enter PEM pass phrase: DefaultPemPhrase
Enter Export Password: exportPassCode
Verifying password - Enter Export Password: exportPassCode
[]#
Troubleshooting
Details troubleshooting information for using the Local Security Manager (LSM).
Overview
As you manage your network security, you may encounter issues with the LSM. Troubleshooting
includes the following sections:
IPS Port Out-of-Service on page 247
On the Configure - Segment Details/Edit page, clear the Auto Negotiation: On check box for each port of the IPS device. This turns auto-negotiation off.
STEP 2
Click Restart.
Leave auto-negotiation off. The port should reset.
Log Formats
Details the format of the alert log in the Local Security Manager (LSM).
Overview
This section details the format of the alert log accessible through the LSM:
Log Format on page 249
Remote Syslog Log Format on page 250
Log Format
The following is the format of the alert, block, and peer logs as downloaded from the LSM:
In this example, the header follows the standard syslog format. Using the previous log entry as the example, the message is as follows:
ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Permit,1,Low,00000002-0002-0002-0002-000000000164,"0164: ICMP: Echo Request (Ping)","0164: ICMP: Echo Request (Ping)",icmp,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,199," ",1,3:1
The character between each field is the configured delimiter; in this case, the delimiter is a comma. Fields whose values can contain spaces or the delimiter (the host name, the policy and signature names) are enclosed in double quotes. The following table details the fields and their descriptions.
Table D - 1 : Remote Syslog Field Descriptions

Field   Description
4       Hostname/IP address that generated the alert; note that the quotes are required for this release because of a bug in the hostname validation (note the space in the name)
5       Sequence ID
        Description
        (reserved)
9       Policy UUID
10      Policy Name
11      Signature Name
12
13
14
15
16
17
18
19
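The following parser is an added example and is not code from the guide or from TippingPoint. It splits an entry of the format above on the configured delimiter while honouring the double-quoted fields (the host name with a space, the policy and signature names, the quoted blank field), then splits field 4 into host name and IP address. Positions 4, 5, 9, 10 and 11 are named as in the table; every other field name in the code (log_type, action, severity, protocol, source, destination) is an assumption drawn from the sample values, and the second sample entry is constructed to show a delimiter inside a quoted name.

```python
"""Parse an LSM alert-log entry in the delimited format shown above.

Added example, not code from the UnityOne LSM guide or from TippingPoint.
Field positions 4, 5, 9, 10 and 11 are the ones the guide's table labels;
the names given to the other positions are assumptions drawn from the
sample values (e.g. "Permit" -> action, "Low" -> severity).
"""
from typing import Dict, List

# The guide's sample entry, re-joined onto one line.
SAMPLE_LINE = (
    'ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Permit,1,Low,'
    '00000002-0002-0002-0002-000000000164,"0164: ICMP: Echo Request (Ping)",'
    '"0164: ICMP: Echo Request (Ping)",icmp,216.136.107.233:0,'
    '216.136.107.91:0,20050113T125205+0360,199," ",1,3:1'
)

# Constructed entry (not from the guide): the quoted names contain the
# delimiter itself, which a plain str.split(",") would break on.
SAMPLE_LINE_EMBEDDED_DELIM = (
    'ALT,v4,20050113T125501+0360,"ips 1"/10.0.0.5,2,Block,1,High,'
    '00000002-0002-0002-0002-000000000777,"0777: HTTP: Foo, Bar",'
    '"0777: HTTP: Foo, Bar",tcp,10.0.0.9:4444,10.0.0.8:80,'
    '20050113T125205+0360,1," ",1,3:1'
)

EXPECTED_FIELDS = 19  # number of fields in the guide's sample entry

# 1-based position -> name. Positions 4, 5, 9, 10, 11 follow the guide's
# table; every other name is an assumption from the sample values, and
# positions the sample does not make obvious keep a numeric name.
FIELD_NAMES: List[str] = [
    "log_type",        # 1  "ALT" (assumed: alert log)
    "format_version",  # 2  "v4"  (assumed)
    "timestamp",       # 3  (assumed: time the entry was written)
    "host",            # 4  hostname/IP address that generated the alert
    "sequence_id",     # 5  sequence ID
    "action",          # 6  "Permit" (assumed)
    "field_7",         # 7  not labelled in the guide
    "severity",        # 8  "Low" (assumed)
    "policy_uuid",     # 9  policy UUID
    "policy_name",     # 10 policy name
    "signature_name",  # 11 signature name
    "protocol",        # 12 "icmp" (assumed)
    "source",          # 13 ip:port (assumed: source address)
    "destination",     # 14 ip:port (assumed: destination address)
    "field_15",        # 15 a second timestamp; not labelled in the guide
    "field_16",
    "field_17",
    "field_18",
    "field_19",
]


def split_fields(line: str, delimiter: str = ",") -> List[str]:
    """Split one entry on the configured delimiter, honouring double quotes.

    Quote characters are dropped from the output; a delimiter inside quotes
    is kept as data. A quoted run may be followed by unquoted text in the
    same field, as in the hostname field: "i robot"/192.168.65.22.
    """
    if len(delimiter) != 1 or delimiter == '"':
        raise ValueError("delimiter must be a single non-quote character")
    fields: List[str] = []
    buf: List[str] = []
    in_quotes = False
    for ch in line.rstrip("\r\n"):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == delimiter and not in_quotes:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in log entry")
    fields.append("".join(buf))
    return fields


def parse_alert(line: str, delimiter: str = ",") -> Dict[str, str]:
    """Return the entry as a dict keyed by FIELD_NAMES, with the host field
    split into hostname and IP. Raises ValueError on a malformed entry."""
    fields = split_fields(line, delimiter)
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(f"expected {EXPECTED_FIELDS} fields, got {len(fields)}")
    record = dict(zip(FIELD_NAMES, fields))
    # Field 4 is written as "hostname"/ip. Split on the last slash so a
    # hostname containing a space (the guide's "i robot") stays intact.
    hostname, sep, ip = record["host"].rpartition("/")
    if not sep:
        raise ValueError("host field is not in hostname/ip form")
    record["hostname"] = hostname
    record["host_ip"] = ip
    return record


if __name__ == "__main__":
    for key, value in parse_alert(SAMPLE_LINE).items():
        print(f"{key:15s} {value!r}")
```

The delimiter is passed in rather than hard-coded because the LSM lets you configure it; whatever character you choose, a quoted field that happens to contain it still parses as one field, and an unterminated quote is rejected rather than silently swallowing the rest of the entry.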
Glossary
action set
An integral part of an attack or peer-to-peer filter. It includes instructions that control the system response when it encounters matching traffic. The instructions include the following:
action: the response of the system
permit: allow the data
rate limiting: cap the bandwidth that matching traffic may use
block: do not allow the data
packet trace: the settings for capturing the packet
priority
verbosity (how much of the packet is captured)
bytes to capture of the packet/data
contacts: systems or people that receive an alert
aggregation period
The length of time during which multiple instances of a specific attack can occur before notification is
sent to a contact.
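As an added example (not code from the guide or from TippingPoint), the following collapses alert hits into notifications by aggregation period in the way the entry above describes: hits on one filter inside the period produce one notification. The choice that the first hit opens the period and that the notification carries the hit count is an assumption of this model, not a description of the device; the sample events are constructed, with one policy UUID taken from the sample log entry in the Log Formats appendix and the rest made up.

```python
"""Alert aggregation by aggregation period.

Added example, not code from the UnityOne LSM guide or from TippingPoint.
It models the glossary's description only: hits on one filter inside the
aggregation period are collapsed into a single notification. The choices
that the first hit opens the period and that the notification carries the
hit count are assumptions of this model, not a description of the device.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass
class Notification:
    policy_uuid: str
    first_seen: datetime
    last_seen: datetime
    count: int


def aggregate(events: Iterable[Tuple[str, datetime]],
              period: timedelta) -> List[Notification]:
    """Collapse (policy_uuid, timestamp) hits into one Notification per
    policy per aggregation period. Events must be in time order, as they
    are when read sequentially from a log."""
    open_windows: Dict[str, Notification] = {}
    done: List[Notification] = []
    previous_ts = None
    for uuid, ts in events:
        if previous_ts is not None and ts < previous_ts:
            raise ValueError("events must be sorted by time")
        previous_ts = ts
        window = open_windows.get(uuid)
        if window is not None and ts - window.first_seen < period:
            window.count += 1          # still inside the period: count it
            window.last_seen = ts
            continue
        if window is not None:
            done.append(window)        # period elapsed: emit the notification
        open_windows[uuid] = Notification(uuid, ts, ts, 1)
    done.extend(open_windows.values())  # flush windows still open at end of input
    return sorted(done, key=lambda n: (n.first_seen, n.policy_uuid))


def sample_events() -> List[Tuple[str, datetime]]:
    """Constructed hits: the ping policy UUID is the one from the guide's
    sample log entry; the second UUID and all timestamps are made up."""
    t0 = datetime(2005, 1, 13, 12, 55, 1)
    ping = "00000002-0002-0002-0002-000000000164"
    other = "00000002-0002-0002-0002-000000000999"
    return [
        (ping, t0),
        (ping, t0 + timedelta(seconds=5)),
        (other, t0 + timedelta(seconds=10)),
        (ping, t0 + timedelta(seconds=50)),
        (ping, t0 + timedelta(seconds=61)),  # 60 s period elapsed: new window
        (ping, t0 + timedelta(seconds=70)),
    ]


if __name__ == "__main__":
    for n in aggregate(sample_events(), timedelta(seconds=60)):
        print(f"{n.policy_uuid} x{n.count} "
              f"{n.first_seen:%H:%M:%S}-{n.last_seen:%H:%M:%S}")
```

With a 60 second period the six sample hits become three notifications (three pings, one other, then two more pings in a second window); with a period of zero every hit is notified on its own, which is the behaviour aggregation exists to avoid.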
Application Protection
Pillar of filter types that defend against known and unknown exploits that target the applications and operating systems of workstations and servers on a network. These filters include a variety of attack protection and security policy filters. They match specific patterns that identify an attempted attack and take the action you define when an attempt is detected.
attack traffic
Packets traversing a network that match at least one attack protection filter.
block on IP
Option for action sets that blocks the IP addresses that trigger a filter; addresses blocked this way can later be unblocked. When an IP address is blocked, the IPS does not accept any requests or traffic to or from that address. The system blocks the IP traffic and carries out any further actions in the action set, such as notifications. If the filter's action set is specific to a segment, the IP address may be blocked only on that segment, not on the entire IPS.
category
An assessment of the likelihood that attack traffic is malicious. The TMC assesses each attack filter and
assigns it to one of the following categories:
Application Protection Pillar of filter types that defend against known and unknown exploits
that target applications and operating systems:
Attack Protection Filters Detect and block traffic known to be malicious, suspicious, and to
have known security implications. These include vulnerabilities and exploit filters.
Reconnaissance Filters Detect scanning of your network for vulnerabilities. These include
vulnerability probing and scans/sweeps filters.
Security Policy Filters Detect and block traffic that may or may not be malicious. This traffic may be different in its format or content from standard business practice, aimed at specific software or operating systems, or contrary to your company's security policies.
Informational Provide a testing method of your security system.
Infrastructure Protection Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack using a combination of filter types:
DDoS Filters Detect and block denial of service and flood requests, such as SYN Requests, that
can overwhelm a system.
Reconnaissance Filters Detect and block anomalies in traffic flow.
Traffic Normalization Filters Detect and block abnormal or malicious traffic.
Performance Protection Pillar of filter types that allow key applications to have prioritized
bandwidth access setting that ensure mission critical applications have adequate performance
during times of high congestion:
Misuse and Abuse Filters Protect the resources and usage of file sharing across networks and
personal computers.
Traffic Management Filters that protect the network by shielding against IP addresses or
permitting only a set of IP addresses.
category setting
The default action set assigned to a particular category of attack filter. Barring any action set
customizations, the system responds to an attack filter according to its category setting.
floods of full (3-way) established TCP connections using a safe or accepted IP address. It attempts to
flood the network by sending more connections than the system can handle. These attacks do not
harm data, but the flood can deny users access and connections to networks and services.
DDoS filters
Denial of Service filters that detect denial of service attacks. These attacks flood a network with
requests, including traditional SYN floods, DNS request floods against nameservers, and attempts to
use protected systems as reflectors or amplifiers in attacks against third parties. These filters detect
direct flood attacks and attacks hidden within larger packets and requests. These filters are part of the
Infrastructure Protection pillar of filters.
Digital Vaccine
Downloadable update that includes filters for protecting your network system. These filters provide new signatures to protect against researched threats to network security. The Threat Management Center (TMC) researches, creates, and distributes these filter packages from the following website: https://tmc.tippingpoint.com.
exploit filters
Filters that protect software from malicious attacks across a network by detecting and blocking the
request. Exploits are attacks against a network using weaknesses in software such as operating systems
and applications. These attacks usually take the form of intrusion attempts and attempts to destroy or
capture data. These filters are part of the Application Protection pillar of filters.
filter
Policy of settings and rules for managing and blocking traffic on a network. Each filter includes an
action set that includes instructions for managing data and a category setting. The LSM includes
various types of filters, including Performance Protection, Application Protection, Infrastructure
Protection, and IP filter.
informational filters
Filters that provide a means for classic Intrusion Detection System (IDS) testing. An example of these
filters includes Blade signatures. These filters are part of the Application Protection pillar of filters.
Infrastructure Protection
Category, or pillar, of filter types that protect network bandwidth and network infrastructure elements
such as routers and firewalls from attack using a combination of traffic normalization, DDoS
protection, and application, protocol, and network equipment protection. These filters include DDoS,
network equipment protection, and traffic normalization filters.
IP filter
A filter that blocks traffic based on the source, destination, port, protocol, and other parameters of the
traffic.
network discovery
The process by which the UnityOne system monitors the network for changes in the hosts and services.
You can use network discovery information to tune filters.
notification contacts
Recipients of alert messages. These contacts receive an email alert when a filter with the proper
notification contacts settings triggers. Contacts include staff with email accounts and the SMS
application.
packet trace
Allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority
and packet trace verbosity for action sets.
Performance Protection
Category, or pillar, of filter types that allow key applications to have prioritized access to bandwidth
ensuring that mission critical applications have adequate performance during times of high
congestion. These filters include misuse and abuse, IP, and congestion/mitigation filters.
rate limiting
Setting in an action set that defines a maximum bandwidth that can be used by traffic that matches
filters assigned to that action set. Incoming traffic in excess of this bandwidth is dropped. If two or
more filters use the same rate limiting action set, then all packets matching these filters share the
bandwidth.
reconnaissance filters
Filters that monitor for attacks that perform reconnaissance of the network. These attacks search
through your network using various methods to locate vulnerabilities. Once the attack has gathered
data by probing your system and scanning your network, it continues with pointed attacks against
those vulnerabilities. Reconnaissance filters look for these patterns and alert either the LSM or the
SMS when an attack is detected. These filters are part of the Application Protection pillar of filters.
segment
Similar to a subnet. A segment comprises a group of hosts protected through a licensed pair of ports on
an IPS.
SNMP Server
Provides access to interface counters and other statistics, configuration data, and general system
information via the Simple Network Management Protocol (SNMP). The SNMP server must be
enabled to use SMS management or to allow NMS access.
sweep/scan filters
Filters that detect port scans and host sweeps, and traffic that exceeds threshold limits, so that the malicious code and attacks that follow such reconnaissance can be blocked. Each filter watches a specific type of port and protocol to block attacks against ports and hosts. These filters are part of the Application Protection pillar of filters.
vulnerabilities filters
Filters that detect and block attempts to exploit vulnerabilities on the network. These filters determine whether a vulnerability exists based on traffic requests and the reaction of services. These filters are part of the Application Protection pillar of filters.
Index
A
access level
user 207
account security levels
level 0 208
level 1 208
level 2 208
action set 253
blacklisted IPs 170
defined 100
action sets 100
category 255
flow control 100
notification contacts 100
packet trace 100
action sets
Block 100
Block + Notify 100
Block + Notify + Trace 101
create 104
Permit + Notify 101
Permit + Notify + Trace 101
rate-limiting 102
Recommended 101
adaptive aggregation 161
adaptive filter 161
adaptive filter config 41, 46, 49, 71, 77, 88
add a network route 148
admin 205
page 10, 206
Administration 205
administration
user 205
administrator 207
Advanced DDoS
CPS Flood filters 56
SYN floods 56
Advanced DDoS filters 56
Connection Flood 56
aggregation
alert, alert aggregation 107
aggregation count 106
aggregation period 106, 108, 111, 254
alert aggregation 106
period 107
Application Protection 23, 31
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
filter exceptions 50
informational filters 46
reconnaissance filters 36
filter tuning 39
port scans,host sweeps 39
vulnerability probing 37
security prevention filters 43
settings 49
architecture 3
asymmetric network 159, 160
attack filter 254
attack filters
contacts 106
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
Attacks 127
attacks by severity 113
attacks filters
enable 98
audit log
view 216
B
blacklist IPs 104, 105
blacklisted IPs 170
Block 100
Block + Notify 100
Block + Notify + Trace 101
blocked streams 163
boot time 19
browser certificates 237, 238, 239, 240,
243, 245
C
category 255
action sets 100
category settings 94
add category setting 96
delete segmental category 98
disable filter category 99
override 99
edit segmental category 97
enable filter category 98
override 98
certificate authority 240
certificates 237
client authentication message 238
example 245
security alert 239
certificate authority 240
invalid certificate name 243
CIDR 255
Classless Inter-Domain Routing 255
CLI server 145
client authentication message 238
clients
local 7
SMS 3
CMOS 148
configuration
management port 142
NMS 152
routing options 147
segment 139
segment INHA 138
SMS 152
timekeeping 148
TSE 159, 161, 163, 165
configuration network HA 155
INHA 157
TNHA 158
configuration, segment 137
Configure
SNMP 153
configure
asymmetric network 160
Link-Down Synchronization 141
logging mode 160
NMS 155
page 9, 136
remote system log 110, 111
segment 141
SMS 154
SNMP 154
TSE 160
Configure INHA 138
Connection Flood 56
connection table timeout 159
contacts, attack filters 106
CPS Flood filters 56
create
action sets 104
filters 29
Advanced DDoS 60
Advanced DDoS UnityOne5000E 67
traffic management 91
traffic threshold 80
non standard ports 167, 169
notification contact 108
user 209, 210
creating
personal certificates 245
critical thresholds 184
CSW 256
Custom Shield Writer 256
customer support xviii
D
DDoS 2, 23, 55, 256
attacks, solutions 59
amplifiers 59
indistinguishable requests 59
randomized requests 59
unsolicited responses 59
E
edit
filters
Advanced DDoS 62
Advanced DDoS UnityOne5000E 68
attack protection 34
informational 48
misuse and abuse 87
network
equipment
protection 70
normalization 75
port scans,host sweeps 42
security policy 45
traffic management 92
traffic threshold 82
vulnerability probing 40
notification contacts 109
email
default settings 108
email failure 109
email preferences 108
enable
filter category 98
override 98
vulnerability probing 40
enable 98
exceptions
Application Protection 49
Infrastructure Protection
DDoS 23
Infrastructure Protection 23, 55
Advanced DDoS 56
DDoS 55
network
equipment
protection 69
traffic normalization filters 72
traffic threshold filters 77
manage 25
view 26
notification contacts 106
overview 23
page 8, 25
Performance Protection 23, 83
misuse and abuse 84
traffic management filters 88
pillars
Application Protection 2, 255
Infrastructure Protection 2,
255
Performance Protection 2, 255
rate-limiting 102
reset
traffic threshold 83
search 28
update 195
F
filters 23, 256
action sets 100
adaptive filter config 41, 46, 49, 71,
77, 88
Application Protection 23, 31
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
filter exceptions 50
informational filters 46
reconnaissance filters 36
filter tuning 39
port scans,host
sweeps 39
vulnerability probing 37
security policy filters 43
settings 49
attack filters 254
category 255
disable 99
override 99
enable 98
override 98
category settings 94
add category setting 96
delete segmental category 98
edit segmental category 97
create 29
Advanced DDoS 60
Advanced DDoS UnityOne5000E 67
traffic management 91
traffic threshold 80
DDoS 2, 256
delete 30
edit
Advanced DDoS 62
Advanced DDoS UnityOne5000E 68
attack protection 34
informational 48
misuse and abuse 87
network
equipment
protection 70
normalization 75
port scans,host sweeps 42
security policy 45
traffic management 92
traffic threshold 82
G
getting started 11
guide
audience xi
convention
note xv
tip xv
conventions xiii
caution xv
warning xv
organization xii
related documentation xvi
screen captures xiv
H
HA
sympathetic 139
hardware
monitor 173
health
module 179, 180
performance/throughput 177
system stats 20
High 138
high availability 20, 155
INHA 157
TNHA 158
I
icons 27
copy 27
delete 27
edit 27
filter exception 27
launch bar 17
reset 27
image
deleting 202
informational filters 46
Infrastructure Protection 23, 55
Advanced DDoS filters 56
DDoS 55
network equipment protection 69
traffic normalization filters 72
traffic threshold filters 77
INHA 6, 139, 141, 157, 182, 257
interface
launch bar 16
main pane 21
system stats 17
Intrinsic Network High Availability 257
Intrusion Prevention System 257
invalid certificate name 243
IP filter 257
IPS 2, 6, 257
L
launch bar 16
icons 17
layout
LSM screen 16
level
user access 207
Link-Down Synchronization 139, 141
local clients 7
Local Security Manager 2, 257
overview 8
log
system
view 216
logging in 14
logging mode 160
login name
valid 210
logs
formats
1.4 249
page 9, 114
reports
attacks 129
DDoS 131
rate limit 130
top ten filters 128
traffic profile 129
traffic threshold 130
LSM 2, 257
launch bar 16
login 14
timeout 15
main pane 21
overview 1, 8
admin page 10
configure page 9
filters page 8
getting started 11
logs page 9
monitor page 9
SMS configuration 12
system requirements 12
UnityOne 2
update page 9
packet statistics 19
system stats 17
timeout 15
LSM screen layout 16
LSM Server 145
M
main pane 21
manage
filters 25
management console 111
management port
configuration 142
memory usage 176
misuse and abuse 84, 257
misuse and abuse filters 84
modify
user 209
module
health 179, 180
Intrinsic Network HA 182
Multi-Zone Defense 181
monitor 173
hardware 173
page 9, 174
preferences 183
More Reports 126
MZD 181
N
navigation
LSM 13
overview 16
network equipment protection filters 69
network HA 155, 157, 158
NMS 152, 153
configure 155
non standard ports 167, 169
notes
security 14
O
operating system
delete old images 202
rollback 200
update 193
operator 207
options, port 138
options, routing 138
overview 1
R
rate limited streams 165
rate-limiting 102, 258
model 100E 103
model 1200 103
model 200 103
model 2400 103
model 400 103
model 50 103
model 5000E 103
Recommended 101
reconnaissance filters 36
filter tuning 39
port scans, host sweeps 39
vulnerability probing 37
related documentation xvi
remote syslog format 250
reports
attacks 129
DDoS 131
preferences 132
rate limit 130
top ten filters 128
traffic profile 129
traffic threshold 130
Reports, Top Ten 127
requirements
system 12
reset
traffic threshold filters 83
reset, TCP 100
results
scan 190
role
user 207
rollback
operating system 200
states, messages 197
route, add a network route 148
routing options 138, 147
S
scan
results 190
scans
check 189
delete 191
edit 190
in-progress 190
perform 187
manual 189
rescan 190
view 190
schedule scan 191
search
filters 28
security alert 239
certificate authority 240
invalid certificate name 243
Security Management System 3, 258
SECURITY NOTES 14
security policy filters 43
segment 258
configuration 177
segment configuration 137
servers 145
services, host management port 145
signature
update
download 196
signatures
update 193
SMS 152, 258
client 3
configure 154
NMS 155
server 4
SNMP 152, 153, 258
SNTP 108, 148
software update 196
states, messages 197
SSH 145
super-user 207
synchronization 139
sympathetic HA 139
SYN Proxy 56
system boot time 19
system log
view 216
system requirements 12
System Stats 17
system boot time 19
system stats 17
health 20
high availability 20
packet statistics 19
system boot time 19
versions 21
T
TCP reset 100
tech support xviii
telnet 145
Threat Management Center xviii, 259
Threat Management Center (TMC) 195
Threat Suppression Engine 5
configuration 159
adaptive filter config 161
blocked streams 163
general 159
rate limited streams 165
thresholds
critical 184
throughput 177
timekeeping 148
CMOS 148
SNTP 148
timeout
LSM 15
TMC xviii, 195, 259
login 195
registration 195
TNHA 6, 158, 259
Top Ten reports 127
Traffic 127
traffic management filters 88
traffic normalization filters 72
traffic threshold filters 77
Transparent Network High Availability 259
troubleshooting 247, 249
trusted 89
TSE 5, 159
adaptive filter config 161
blacklisted IPs 170
blocked streams 163
non standard ports 167, 169
rate limited streams 165
U
UnityOne 2
architecture 3
high availability 6
IPS 6
local clients 7
SMS client 3
SMS server 4
Threat Suppression Engine 5
overview 1
update 193
Digital Vaccine 193
filter 195
filters 193
operating system 193
page 9, 194
signature
download 196
signatures 193
software 196
states, messages 197
Update, Attack Filter 195
usage
memory 176
user
access level 207
administration 205
create 209, 210
modify 209
valid names 210
valid password 210
V
valid password data 210
valid user data 210
versions
in system stats sidebar 21
view
audit log 216
filters 26
system log 216
vulnerabilities filters 34
vulnerability probing filters 36, 37, 52