Lesson 4: Security Management System (SMS)

Lesson Objectives
After completing this lesson, participants will be able to:
- Discuss key features of the SMS
- Demonstrate SMS setup and configuration
- Identify the uses of the Threat Insights portal
- Navigate the SMS using the SMS client from the desktop

Setup and Basic Configuration

Feature Overview

Quarantine Protection for automated event response: included with the Security Management System appliance, this automated response system lets IT administrators specify an action to take in response to a security event. The action can range from directing a user to a self-remediation site or generating a trouble ticket to, if the event is severe enough, migrating the host to a secure VLAN or removing it from the network.

Advanced Security Policy Definition: IPS security policies can be defined based on physical segments, VLANs, MPLS tags, IPv4 and IPv6 addresses and ranges, and traffic direction. With the optional Threat Digital Vaccine (ThreatDV) service, security policies can also be defined based on reputation tags, including Reputation Score, Device Type, Country, and Data Source tags. Security policies can be adjusted easily and automatically as threats arise.

Automated security updates / Digital Vaccine distribution: the Digital Vaccine Labs (DVLabs) security research team continually researches security threats and software vulnerabilities and distributes new protection filters to customers through regular Digital Vaccine updates. The Security Management System appliance is central to the distribution of these updates and can be configured to automatically check for, download, and distribute them.

Systems management integration: the Security Management System appliance is the network solution component of an organization's management infrastructure and integrates with various enterprise system management tools. Blocked attacks, quarantine actions, and security configuration updates can all be tracked and reported as events of interest.

Security device configuration and monitoring: Security Management System appliance management scales to over 100 security devices and can be used to drill down deep into the internal workings of the security devices themselves. In addition, a single appliance client can operate across multiple appliances for even greater scalability. Network parameters as well as system and filter behaviors can be viewed, assessed, and tuned from one interface.

© 2022 Trend Micro Inc. Education

Additional Key Features
Some of the other features of the TippingPoint SMS include:

Geo/Location Filtering: the TippingPoint SMS can be configured to detect and block network traffic based on a computer's IP address and host name within a geographic region or country. Customers can establish an action set associated with geographic filters to minimize or eliminate communications with potentially risky systems.

Active Directory Integration: the TippingPoint SMS can provide visibility, enhanced context, and reporting on the traffic of a particular user through Active Directory (AD) integration. The user name, domain, machine, and user group are all tracked and available for forensics, reporting, and filtering of results (for example, see all attacks targeted at Machine X, or coming from User Y). Administrators can also see the IP history of a particular AD user, or the user history of a particular IP.

Comprehensive Network Traffic Visualization: TippingPoint solutions support the export of network flow data statistics for visualization and analysis. With the TippingPoint SMS, statistics and flow data summaries can be viewed and analyzed to optimize performance and to help identify compromised hosts and other suspicious or malicious network traffic.

Third Party Integration: the TippingPoint SMS integrates with several third-party security solutions using APIs to enhance a layered approach to security. These APIs can be used to integrate with existing security tools to enhance response and control across the network. Customers gain visibility into their network to make informed decisions and take immediate action on potential threats to infrastructure or data.

Integration with Trend Micro Vision One via the Service Gateway: threats detected by Trend Micro Vision One are actionable at the network layer, giving you the power to block Suspicious Objects within minutes of detection and disrupt attacks at key locations in your network. Using Trend Micro Vision One's Service Gateway, you can integrate your TippingPoint security hardware appliances with Vision One to gain greater visibility into your Trend Micro solutions and leverage the latest threat intelligence.

Device Management
TippingPoint management is highly regarded in the industry, and one of its strongest features is the easy-to-use SMS. Let's look at the TippingPoint solution starting at the bottom and building up.

First are the IPS and/or TPS devices. The devices connect to the network, monitor traffic, and take action based on the rules created by the administrator. The devices can be managed via the CLI, the LSM, or the SMS. We will discuss SMS management shortly, but for now let's focus on the CLI and LSM.

The CLI is accessed via a console connection, SSH, or Telnet, with Telnet disabled by default. Accessing the device through the CLI over the console requires a keyboard, monitor, and console cable.

The LSM is a GUI accessed via HTTP or HTTPS (the default). To use it, open a web browser, point it at the IP address of the IPS, and log in. Both CLI and LSM management are one-to-one: one management session manages one device.

An SMS is not required but is recommended for managing devices. Initial setup of the SMS is discussed in a later section. A Java-based client can be downloaded from the SMS to a computer; once logged in, it provides device management. An IPS device can then be imported into the SMS and managed through the SMS client.

It is recommended that you configure DNS and the gateway so that updates from the Threat Management Center (TMC) are simplified. The TMC is how you stay up to date with the latest security for your device(s). New filters are continuously fed to the device to keep it up to date against the latest vulnerabilities. Each filter can be thought of as a virtual software patch created within the network to protect downstream hosts from attack: malicious traffic intended to exploit a particular vulnerability is detected and blocked immediately. The solution is highly scalable in that the intrusion prevention system can protect thousands of unpatched systems with a single virtual patch.

TippingPoint's expertise is recognized worldwide: 300,000 administrators, executives, and security professionals subscribe to the SANS @RISK report, which is authored by TippingPoint security analysts. The same analysis feeds our Digital Vaccine filter developers to prioritize how best to protect our customers. New Digital Vaccines are typically released weekly, but are turned around in a matter of hours in emergency situations. The speed with which new filters are delivered makes this a powerful weapon in the patch race.

Update Flow: the TMC provides updates for the SMS, TOS, DV, and ThreatDV.
These may be downloaded by the SMS and pushed down to the IPS devices.

Data Flow: security events are sent from the IPS devices to the SMS. The SMS can in turn send those events to the TMC for ThreatLinQ inclusion.

SMS Setup at a Glance
The SMS setup process is similar to that of the IPS. The console speed on the SMS needs to be set to 9600/8/N/1, which differs from both the IPS and TPS devices (115200/8/N/1). The SMS requires a reboot to complete the configuration. For TMC access, configure an IP address, subnet mask, DNS, and gateway. If the SMS is behind a proxy, it supports HTTP proxies, including authenticated proxies. For access to additional systems such as an NMS, syslog servers, or SMTP servers, configure the gateway and/or static routes as necessary.

The time settings on your IPS and SMS are important. Choose the correct time zone and set the time appropriately for it. Best Practice: set the IPS and SMS to the same time zone so that log file timestamps remain consistent.

Setup comparison:

Setting                 Inspection Devices                           SMS
Serial Console Speed    115200/8/N/1                                 9600/8/N/1 (SMS only)
Virtualization          -                                            Console / keyboard & monitor
Security Level          Required                                     Required
Superuser Username      Required                                     Required
Superuser Password      Required                                     Required
IP/Mask/Gateway/DNS     Required for TMC access                      Required for TMC access
Mgmt Port Setup         -                                            Optional (auto)
Host Name               Optional (myhostname)                        Optional (sms-server)
Host Location           Optional (room/rack)                         Optional (room or rack)
System Contact          -                                            Optional (customer contact)
Time Settings           Time zone, daylight saving, SNTP or manual   Time zone, NTP or manual
Server Options          -                                            SSH/HTTPS
NMS/Email               -                                            Optional
Reboot Required?        No                                           Yes, always reboot

Initial Login
The SMS begins its life ready for the out-of-box experience (OBE). You begin by entering the one-time initial user "SuperUser" without a password. You must connect a terminal cable and boot the SMS to reach this initial login.

License and Setup Wizard
The first step in the Setup Wizard is to read and accept the SMS software license agreement.

Security Level, Username and Password
Next, choose the Security Level and create your superuser account name and password.

Network Configuration
Choose IPv4, IPv6, or dual-stack and enter the IP address, network mask, default gateway, and DNS information.

Finishing the Setup Wizard
Continue through the wizard and then reboot the SMS. Settings that can be configured during this portion of the setup include:
- Management speed/duplex
- Host name
- Timekeeping
- Server options (ping, SSH, HTTP, etc.)
- SMTP
- SNMP trap

During the reboot of an SMS, the network is still protected by the IPS. Security alerts are recorded by the IPS and transferred to the SMS after the reboot.

Communication Settings

Communication Channels
The SMS communicates with TPS devices using a secure channel initiated from the SMS to the device over TCP/443 (TLS). It is used for:
- Applying configuration changes to the TPS
- Profile and DV distribution
- Log collection

Statistics are gathered using SOAP APIs rather than SNMP on the inspection device. SNMP can be enabled on TPS boxes for third-party polling, but there is no SNMP communication between the SMS and the TPS.

SNMP Traps from the TPS
You can configure TPS devices to send traps to an NMS; TPS devices do not send traps to the SMS. The IPS sends SNMP traps for three main reasons:
- To signal the SMS for immediate attention: when an IPS quarantine occurs, or for other health reasons (for example, Layer 2 Fallback)
- Health/state changes to a third-party NMS, when re-managing from the IPS
- System-level events: HA status change, log rollover, link up/down, etc.

Trap configuration is reached via the SMS Devices tab > IPS > Device Configuration > NMS. Security event notification is configured as an Action Set notification contact, or via the Management Console if the SMS-IPS secure channel is disabled.

SNMP Monitoring
The SMS uses SNMP Gets for health and statistics: network interface statistics, CPU, temperature, Tier 3 performance, congestion, etc. A third-party NMS or MIB browser can read the inspection device values.

Community string: you can define your own read community string, or leverage the default read-only string used by the SMS (recommended). See the text for a list of example OIDs; for CPU utilization: .1.3.6.1.4.1.10734.3.3.2.5.4.1.0

The IPS also supports standard MIBs:
- MIB-2 (RFC 1213; the SNMPv2 system group is in RFC 1907): Network Management of TCP/IP-based internets
- IF-MIB (RFC 2233): Network Management of Network Interfaces

SMS Web Console

Threat Insights
Compromised Hosts: identify hosts in your network that might be compromised, based on intelligence gathered from your Deep Discovery, TPS, and IPS devices.

Attacked Vulnerable Hosts: identifies vulnerabilities in your network. Third-party scans generate the vulnerability data, which the SMS imports and presents as a list. This enhanced visibility lets you highlight blocked or permitted attacks targeted at vulnerable assets and then make immediate updates to your security policy. With the vulnerability insights provided by Attacked Vulnerable Hosts, you can run updates on your assets.

Suspicious Objects: use intelligence gathered from your Deep Discovery devices and your TippingPoint devices to block malware and other infections. In addition to preventing infections and disrupting malware communications, this integrated environment protects critical resources and isolates infected resources. Suspicious Objects also use data provided by Deep Discovery and the Reputation Database. When your Deep Discovery device detects a threat, it alerts your TippingPoint IPS and TPS devices by forwarding the threat intelligence to the SMS.

ZDI Filter Hits: Zero Day Initiative (ZDI) Filter Hits identify the number of blocked or permitted hits for pre-disclosed and disclosed filters. DV filter protection covers the time between when a vulnerability is discovered and when a patch is made available. In addition, DV filters provide added protection for legacy, unsupported software. DV packages are delivered weekly, or immediately when critical vulnerabilities emerge, and can be deployed automatically with no user interaction required.

Policy Workflow
Policy Workflow is a tool that offers actionable guidance on the underlying vulnerabilities currently being exploited in the wild. This security intelligence, sourced from our research teams, lets users quickly identify and prioritize the most relevant filters and mitigation capabilities, providing a simple, threat-focused approach to inspection policy management.

Active Malware Threats
The TippingPoint SMS web console offers actionable guidance for Active Malware Threats and the underlying vulnerabilities currently being exploited in the wild. This security intelligence, sourced from Trend Micro's security research teams, lets users quickly identify and prioritize the most relevant TippingPoint filters and mitigation capabilities, providing a simple, threat-focused approach to IPS policy management.
Performance Insights
The TippingPoint SMS centrally monitors and correlates performance data from selected T/TX devices, allowing TippingPoint users to proactively review and assess the potential performance impact of a given filter within their environment. This guidance is available through the policy workflow capability in the SMS web console.

New/Modified DV Filters
As part of the continued investment in the TippingPoint web console, TippingPoint has introduced a workflow-based approach to policy and filter management. Any new or modified filters added to the Digital Vaccine are "flagged for review." Users can also flag their own filters for review to assist in change control management.

Devices (L2FB)
Layer-2 Fallback can be initiated through Threat Insights.

Reports
As the SMS detects malicious attacks and manages network usage, event data is logged in the database. This information details the system's behavior as it responds to network traffic. The SMS provides a set of options for generating reports from the compiled and stored log information. You can use reports in the SMS to generate up-to-the-moment analysis of your network data. With an easy-to-use reporting wizard, you can customize existing reports or build them from scratch.

Exports and Archives
Export .pkg files via Threat Insights.

System Logs
Review system logs.

Client Installation
Install the SMS client via the download.

SMS Management Client Versions
The installation wizard checks for previous installations and guides you through the options for installing or updating the client software. When installation is complete, the installer prompts you to exit or open the client. When you launch the SMS client application, you may see a splash screen, and then the SMS Login screen is displayed.

By default, the SMS client remembers previous SMS server IP addresses and usernames. This can be disabled for additional security if required, from within the SMS GUI under Edit > Preferences > Security.

Dashboard and Main Window
The customizable dashboard provides gadgets that track and display event data, performance, and system health and status. The SMS is polled approximately every five minutes to collect data for display in the historical charts. Health and Status gadgets (for example, Charting, Geo, and Top gadgets) provide a high-level warning system for potential health and performance problems with your devices. To enhance the quick-view statistics, you can configure the dashboard to display specific reports.

General Settings
Downloading a software upgrade can take some time, depending on the local internet connection. The TippingPoint License Package will at first show the "Transitional" license. The SMS automatically contacts the TMC and adapts your license according to the subscription information stored in your TMC account; normally the state then changes to a green OK.

Clicking the Admin button on the toolbar lets the administrator drill down into system health, view port health, and view both the system and audit logs. Information on the SMS, including system uptime and the currently installed software, can be viewed here, and the system can be rebooted or shut down from here. Current SMS software revisions and system patches can also be downloaded and installed from this screen. If adding devices, the SMS license key can be upgraded here as well.
Note: The shutdown function will also power off the server. Once downloaded, the upgrade process will not proceed until you click the Install button. Once the installation starts, no rollback is possible: even a factory reset will retain the SMS software and patch version.

Server Properties Management
Detailed information on the system can be found on the Server Properties page. The name can be modified, a contact provided, and detailed information on the location of the device entered. FIPS mode can be disabled on this screen. FIPS documents define rules, regulations, and standards for many aspects of the handling of information by computers and by people. These rules apply to all US government employees and personnel, including soldiers in the armed forces; generally speaking, any use of a computer by US government personnel must conform to all the relevant FIPS regulations. Any changes to the FIPS settings should only be made after discussion with TAC. Some services, including HTTPS, HTTP, Telnet, Ping, and SSH, may need to be disabled based on your employer's policy.

Network Settings
The network management tab allows administrators to configure the management interface. NTP servers can be configured for date and time services.

SYSLOG Properties
The Remote Syslog function lets you set up the SMS as a forwarder that sends all security and/or device events from the inspection devices to a syslog server that you define.
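The following is an added example, not code from the lesson or from Trend Micro, showing why the Time Settings best practice above (IPS and SMS in the same time zone) matters once events are forwarded to a syslog server as described under SYSLOG Properties. A classic BSD-syslog (RFC 3164) header carries a timestamp with neither a year nor a zone, so a receiver can only order events from two devices correctly if it knows each sender's clock setting. The sample lines, the host names, the message text and the per-device UTC offsets (IPS left on UTC-8, SMS on UTC) are all constructed for the example and are not the SMS's real event format or defaults; converting everything to UTC goes one step beyond the page's advice, and collapses to a no-op once both devices share a zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in RFC 3164 shape: <PRI>, a timestamp with no year and
# no zone, the sending host, then the message. The message text is made up for
# this example and is NOT the SMS's or the inspection device's real event format.
SAMPLE_LINES = [
    "<134>Mar  4 09:15:02 ips-edge-1 constructed: filter hit blocked 203.0.113.5 -> 192.0.2.10",
    "<134>Mar  4 17:15:07 sms-server constructed: quarantine action applied to 192.0.2.10",
    "<38>Mar  4 17:16:00 sms-server constructed: audit login by user admin",
    "not a syslog line at all",
]

# Assumed per-device clock settings as fixed UTC offsets: the IPS was left on UTC-8
# while the SMS runs on UTC. This is exactly the mismatch the "same time zone" best
# practice avoids; the offsets are an assumption for the example, not SMS defaults.
DEVICE_UTC_OFFSETS = {
    "ips-edge-1": timedelta(hours=-8),
    "sms-server": timedelta(hours=0),
}

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line, offsets, year):
    """Parse one RFC 3164-style line into a dict, or return None if it cannot be trusted.

    The timestamp carries no zone, so the sender's configured offset is applied to get
    UTC; a host whose offset is unknown is rejected rather than guessed. `year` must be
    supplied by the caller because the header omits it (watch the December/January wrap).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # facility 0..23 * 8 + severity 0..7
        return None
    facility, severity = divmod(pri, 8)
    host = m["host"]
    if host not in offsets:
        return None
    ts = " ".join(m["ts"].split())      # "Mar  4" -> "Mar 4"
    local = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    utc = local.replace(tzinfo=timezone(offsets[host])).astimezone(timezone.utc)
    return {
        "host": host,
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "local": local,                 # naive wall-clock time as the device wrote it
        "utc": utc,                     # comparable across devices
        "msg": m["msg"],
    }


def correlate_events(lines, offsets, year):
    """Parse all lines, drop the unparseable ones, and order by true (UTC) time."""
    events = [e for e in (parse_syslog_line(ln, offsets, year) for ln in lines) if e]
    return sorted(events, key=lambda e: e["utc"])


def wall_clock_gap_seconds(first, second):
    """Gap as a naive comparison of the two devices' wall clocks would report it."""
    return (second["local"] - first["local"]).total_seconds()


def true_gap_seconds(first, second):
    """Gap after both timestamps have been normalized to UTC."""
    return (second["utc"] - first["utc"]).total_seconds()


if __name__ == "__main__":
    evs = correlate_events(SAMPLE_LINES, DEVICE_UTC_OFFSETS, year=2024)
    for e in evs:
        print(e["utc"].isoformat(), e["host"], e["facility"], e["severity"], e["msg"])
    print("wall-clock gap between block and quarantine:", wall_clock_gap_seconds(evs[0], evs[1]), "s")
    print("true gap:", true_gap_seconds(evs[0], evs[1]), "s")
```

With the constructed offsets, the IPS block and the SMS quarantine that followed it five seconds later look eight hours apart on paper; an analyst reading the raw forwarder output would not connect them. Either keep both devices on one zone, as the lesson recommends, or record each sender's zone at the collector as this parser does.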
TLS Properties

SMS Admin: Users, Groups, and Roles
Access is controlled by user groups:
1. Create a new role
2. Create a new group, assigning the newly created role
3. Create a new user
4. Assign the user to a group

Authentication and Authorization
The SMS uses capabilities and roles to give users permission to perform specific actions within the system. The SMS has three predefined basic roles: superuser, admin, and operator. You cannot modify the predefined system roles, but you can use them as starting points to initialize new roles. When you create a role, you select a base system role from which to initialize the new role; the new role is given the same capabilities as the system role it is initialized from, until you customize the capabilities.

User Roles
Roles determine user rights within the SMS. There are three predefined user roles:
- superuser
- admin
- operator
Creating a new user role with an initial set of capabilities based on an existing role:
- allows for expanding or limiting the capabilities of the existing role
- allows for targeting a specific set of capabilities at a group of SMS users

Capabilities
The Capabilities section allows the administrator to adjust user roles with granularity.

User Groups
SMS user groups provide a way to align user capabilities with functional areas in the SMS. A user group pairs a role with the resources that group members can access. The SMS has one predefined group, called superuser. The system superuser group includes the superuser role and provides access to all SMS features and functionality. Give careful scrutiny before you assign users to the superuser group.

In a typical new installation, you must create new user groups to specify access rights for users who do not have superuser privileges. The new groups assign role capabilities (such as admin and operator capabilities) to resources. The role assigned to a group specifies the rights to execute the capabilities needed to manage the group's resources, such as devices and profiles. If Active Directory authentication is configured for the SMS, users may be authorized through a mapped AD group. Any user account that logs on to the SMS must be assigned to at least one user group.

You can use user groups to delineate the functional capabilities of users by authorizing, at a granular level, which security tasks can be performed from the SMS on TippingPoint systems. The User Groups screen displays the list of groups, the role associated with each group, and the description provided for it; from this screen you can create, edit, and delete user groups. In the Admin workspace, expand Authentication and Authorization in the navigation pane and select Groups to display the User Groups screen.

Segment Groups
Define the list of devices, segment groups, and profiles the group will have permission to access.

User Management

User Creation

Membership

User Monitoring
Note: Terminate is grayed out because this is a "live" session; you cannot terminate your own session.

SMS Resource Permissions
A user may also be granted permission to access an SMS resource by:
- Modifying the security group associated with the specific user
- Right-clicking the SMS resource and modifying its permissions
- Menu bar: Edit > Permissions
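As an added example, not the SMS's own code, the model described under Authentication and Authorization and User Groups can be written down as a small authorization check: immutable system roles that can only be derived from, groups that pair one role with a set of resources, a predefined superuser group over every resource, the rule that a user must belong to at least one group, and a decision that requires some group to both cover the resource and grant the capability. The capability names, resource identifiers and users are hypothetical placeholders for this example; the SMS's real capability list is the one in its Capabilities screen.

```python
from dataclasses import dataclass

# Capability names are hypothetical placeholders for this example; the SMS's real
# capability list is the one shown in its Capabilities screen.
OPERATOR_CAPS = frozenset({"events.view", "reports.view", "device.health.view"})
ADMIN_CAPS = OPERATOR_CAPS | frozenset({"profile.edit", "profile.distribute", "device.configure"})
SUPERUSER_CAPS = frozenset({"*"})   # every capability, present and future


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: frozenset
    predefined: bool = False    # superuser/admin/operator: usable as a base, never edited

    def derive(self, name, add=(), remove=()):
        """New role initialized with this role's capabilities, then expanded or limited."""
        return Role(name, (self.capabilities | frozenset(add)) - frozenset(remove))


def modify_role(role, add=(), remove=()):
    """Change a custom role's capabilities; refuses the predefined system roles."""
    if role.predefined:
        raise PermissionError(f"system role '{role.name}' cannot be modified; derive a new role from it")
    return role.derive(role.name, add, remove)


SYSTEM_ROLES = {
    "superuser": Role("superuser", SUPERUSER_CAPS, predefined=True),
    "admin": Role("admin", ADMIN_CAPS, predefined=True),
    "operator": Role("operator", OPERATOR_CAPS, predefined=True),
}


@dataclass(frozen=True)
class Group:
    """A user group pairs one role with the resources its members may act on."""
    name: str
    role: Role
    resources: frozenset   # ids such as "device:ips-edge-1", "segment-group:dmz", "profile:dmz"; "*" = all


# The one predefined group: the superuser role over every resource. Assign members sparingly.
SUPERUSER_GROUP = Group("superuser", SYSTEM_ROLES["superuser"], frozenset({"*"}))


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple

    def __post_init__(self):
        if not self.groups:
            raise ValueError(f"user '{self.name}' must belong to at least one user group")


def is_authorized(user, capability, resource):
    """True only if some group of the user both covers the resource and grants the capability."""
    for g in user.groups:
        covers = "*" in g.resources or resource in g.resources
        grants = "*" in g.role.capabilities or capability in g.role.capabilities
        if covers and grants:
            return True
    return False


def build_demo():
    """Hypothetical tenancy: DMZ operators, a trimmed profile-editor role, one superuser."""
    dmz_ops = Group("dmz-operators", SYSTEM_ROLES["operator"],
                    frozenset({"device:ips-edge-1", "segment-group:dmz"}))
    # Initialized from admin, then limited: may edit/distribute profiles but not reconfigure devices.
    profile_editor = SYSTEM_ROLES["admin"].derive("profile-editor", remove={"device.configure"})
    dmz_profiles = Group("dmz-profile-editors", profile_editor, frozenset({"profile:dmz"}))
    return {
        "alice": User("alice", (SUPERUSER_GROUP,)),
        "bob": User("bob", (dmz_ops,)),
        "carol": User("carol", (dmz_ops, dmz_profiles)),
    }


if __name__ == "__main__":
    users = build_demo()
    for who, cap, res in [("bob", "events.view", "device:ips-edge-1"),
                          ("bob", "profile.distribute", "device:ips-edge-1"),
                          ("carol", "profile.distribute", "profile:dmz"),
                          ("carol", "profile.distribute", "device:ips-edge-1"),
                          ("alice", "sms.upgrade", "device:ips-core-2")]:
        print(f"{who:6} {cap:20} on {res:20} -> {is_authorized(users[who], cap, res)}")
```

The point worth noticing is that carol holds the profile capability and touches the DMZ device, yet cannot distribute a profile to that device: the capability and the resource must come from the same group, which is what keeps a role's rights scoped to the resources it was paired with.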
Hands-on Labs
Lab 4: SMS Management
Estimated time to complete this lab: 45 minutes
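Returning to the SNMP Monitoring section above: the lesson gives the CPU utilization OID and says a third-party NMS or MIB browser can read it with a read-only community string, but does not show what that exchange looks like on the wire. The block below is an added example, not code from the lesson or from Trend Micro: it BER-encodes an SNMPv2c GetRequest for that OID using only the standard library, decodes the GetResponse, and refuses a reply whose request-id does not match or whose error-status is non-zero. The host and community string are supplied by you at run time; the response checked in the usage is constructed locally, and the code assumes SNMP has been enabled on the inspection device for third-party polling as the lesson describes.

```python
import socket

# CPU utilization OID from the lesson (under the enterprise arc 10734).
CPU_UTIL_OID = ".1.3.6.1.4.1.10734.3.3.2.5.4.1.0"

# ---- BER encoding: the subset an SNMPv2c GetRequest needs ----

def ber_length(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def ber_tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_integer(n, tag=0x02):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)   # minimal two's complement
    return ber_tlv(tag, body)


def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"bad OID {oid}")
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    """SNMPv2c GetRequest for one OID. Note the community string travels in clear text."""
    varbind = ber_tlv(0x30, encode_oid(oid) + ber_tlv(0x05, b""))            # { oid, NULL }
    pdu = ber_tlv(0xA0, encode_integer(request_id) + encode_integer(0)       # error-status
                  + encode_integer(0) + ber_tlv(0x30, varbind))              # error-index, varbinds
    return ber_tlv(0x30, encode_integer(1) + ber_tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


# ---- BER decoding of the GetResponse ----

def ber_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = ber_read(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))


def parse_response(msg, expected_request_id):
    """Return {oid: value} from a GetResponse, refusing mismatched ids and agent errors."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _version, _community, (pdu_tag, pdu) = ber_children(body)
    if pdu_tag != 0xA2:
        raise ValueError(f"expected GetResponse (0xA2), got 0x{pdu_tag:02x}")
    req_id, err_status, _err_index, varbinds = ber_children(pdu)
    if int.from_bytes(req_id[1], "big", signed=True) != expected_request_id:
        raise ValueError("request-id mismatch (stale or spoofed reply)")
    if int.from_bytes(err_status[1], "big", signed=True) != 0:
        raise ValueError(f"agent returned error-status {err_status[1].hex()}")
    results = {}
    for _, vb in ber_children(varbinds[1]):
        (_, oid), (vtag, vbody) = ber_children(vb)
        if vtag in (0x02, 0x41, 0x42, 0x43, 0x46):   # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
            results[decode_oid(oid)] = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
        else:
            results[decode_oid(oid)] = vbody           # OCTET STRING etc. left raw
    return results


def snmp_get(host, community, oid, request_id=1, timeout=3.0):
    """Poll one OID over UDP/161 (assumes SNMP is enabled on the inspection device)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_response(data, request_id)


if __name__ == "__main__":
    import sys
    # Usage: python snmp_cpu.py <inspection-device-ip> <read-only-community>
    print(snmp_get(sys.argv[1], sys.argv[2], CPU_UTIL_OID))
```

Two operational caveats follow from the encoding itself: v2c has no authentication, so the community string is the only gate and is readable by anyone on the path, and the only freshness check a poller has is the request-id. Use a dedicated read-only string rather than reusing the one the SMS holds, and restrict which NMS addresses the device will answer.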
