Lesson 5: Inspection Device Management
Trend Micro
Summary
This document provides an overview of inspection device management, including network configuration, segment groups, and Zero Power High Availability (ZPHA). It details configuration settings and various scenarios for different device configurations.
Full Transcript
Lesson 5: Inspection Device Management

Lesson Objectives
After completing this lesson, participants will be able to:
- Demonstrate the configuration of the inspection device
- Explain the network configuration (Segment Groups and Ports)
- Discuss IPS Segment Concepts (L2FB Configuration and Link Down Synchronization)
- Explain Zero Power High Availability (ZPHA)
- Summarize TippingPoint Operating System (TOS) version control and updates

Device Configuration
Device Summary and Configuration
© 2022 Trend Micro Inc. Education

Configuration
- Launch Browser to LSM or SSH (e.g. SuperPutty, mRemoteNG)
- Reboot, Shutdown, or Reset Filters (factory defaults)
- Multi-Device Edit: apply configuration settings to multiple devices. Available for:
  - Services: SSH, Telnet, HTTP(S), Encrypted Alert Channel, Device Retrieval Service
  - AFC Settings: AFC Mode, AFC Event Severity Logging Mode
  - NMS: Community String, NMS Trap Destinations
  - Remote Syslog: System Log, Audit Log, Remote Syslog Server
  - Servers: DNS, Email
  - Time: Manual, SNTP, Time Zone, Daylight
  - TSE: TCP Timeout, Asymmetric, Quarantine
  - Authentication Preferences

Starting Multi-Device Edit
Devices Being Modified: an overview of the devices involved is displayed first.

Devices with Different Configurations
Devices with different configurations for a parameter display a warning.

Member Summary

Network Summary
Network Configuration Overview
The network ports allow the user to configure auto-negotiation, speed and duplex. Network ports can be enabled or disabled as needed, as well as restarted.
Note: Traffic entering on a Network port will exit ONLY on the other Network Port in the same Segment.
Through the SMS, you can view information about all of the segments on all of the IPS devices you are managing. You can view and configure the networking and traffic processing of those segments through the Device (Network Configuration) screen. To access this information, expand the device entry in the Devices navigation pane and select Network Configuration.

Segment Groups
When deciding how to split your segments up into different segment groups, keep in mind how you want to apply policy and whether you want to differentiate between segment groups from a reporting perspective. There is no right or wrong way to create profiles/segments, but knowing the capabilities should help you make better decisions.

Using two Segment Groups for a single policy allows for reporting on the differences between the Segment Groups. In this example, you can apply the same Profile (Core) to two network locations (Core EMEA and Core Americas) and then run reports later on Core EMEA versus Core Americas based on the segment groupings.

Segment Group Concepts
A segment group represents a collection of enforcement points that share some commonality, whether it be network location or type of protection point (behind VPN, between users/Internet, or in front of web application servers). A segment can only be a member of a single segment group. There is one default segment group that cannot be deleted; when a new device is managed by the SMS, this is where its segments are placed.

Inspection Profiles represent a collection of filter settings that may be applied to a segment group or a single segment. There is one default profile on an SMS. You can create as many as you want to reflect your security posture. More on this later.

Segment Group Management
- Every SMS contains a Default Segment Group
  - Cannot be deleted
  - Newly managed device Segments are placed in the Default Group
- A segment may only be a member of one Segment Group
- New: creates a new Segment Group
- Details: view details for an existing Segment Group
- Edit Membership: move Segments into the Segment Group
- Delete: deletes the Group; its segments are moved back to the Default Group

New/Editing Segment Groups
Name the Segment Group. Move segments to the right to add them to the current Segment Group, and to the left to remove them.

Modifying Permissions
In order for Operators and Administrators to be able to interact with a Segment Group, grant them permission to access it.

Device Segment Settings
- Segment Name: used in Events and Reporting
- Intrinsic HA Layer 2 Fallback (L2FB): specifies whether this Segment will Block or Permit traffic when the device is in L2FB
- Link Down Synchronization: controls the behavior of the Segment's physical Ports when one goes down
  - Hub: if Port A goes down, do not take down Port B
  - Wire: if Port A goes down, take down Port B; if Port A comes back up, bring up Port B
  - Breaker: if Port A goes down, take down Port B and disable it
  - Note: Wire and Breaker can be configured to restart (0-240 seconds)

Network Availability
The TippingPoint IPS/TPS is a high-speed networking device that operates at Layer 3 through 7, performing micro-second inspection of traffic to apply security policies, basically sorting good traffic from bad traffic: allowing the good traffic to pass and dropping the bad traffic. The device was designed to be "invisible" from the perspective of the network being protected and to avoid detection by attackers undertaking reconnaissance.

The device can be deployed very quickly to most networks using the built-in "default" configuration and policies. It is installed in-line on a network segment.
Historically you had a link from the inside firewall interface to your LAN; you now have a link from the inside firewall interface to the TippingPoint device, then from the TippingPoint device to your LAN. As an in-line network device, there are several useful considerations concerning placement, configuration, and device settings that may impact your environment.

Layer 2 Fallback (L2FB)
L2FB is often used manually to remove the inspection engine from consideration. For example, if you have connectivity, application or latency issues, placing the device into L2FB lets you ascertain whether the device is the cause or not.
Note: If you are experiencing link negotiation, wiring or some other physical connectivity issue, then L2FB will not help you diagnose or identify the fault.

Configuring Fallback
- Each Segment has a setting for Block/Permit
- Intrinsic HA (L2FB) is a global setting for the device
- Each segment behaves as configured

Manual Fallback

L2FB Block Example
Note: Most resilient networks typically employ some form of routing or switching protocol to select the primary network path (Spanning Tree, RIP, OSPF, VRRP, etc.). If the primary path fails (detected by loss of update packets), the network transitions to the secondary path. The inspection device does not participate in routing decisions.
In this type of deployment, consider blocking traffic in L2FB. The network will transition to the secondary path but still be inspected.

- The Network Link is dropped on both sides when set to Block
- Device 1 enters Layer-2 Fallback; its Segments are configured to block traffic in L2FB
- The network transitions; traffic continues to pass and be inspected by Device 2
- Consider configuring Device 2 to permit traffic in L2FB in case both devices Fallback simultaneously
Link Down Synchronization
Segment Ethernet port failure settings determine the behavior of the partner port:
- Hub: Do nothing; when the link drops, the partner port remains active
- Wire: Drop the partner link until the original is restored
- Breaker: Drop and disable the partner until the port is manually restarted
- Configurable "wait-time" for Wire and Breaker modes avoids possible network "flap" (repeated up-down cycles)

Assume the Access switch transitions to the secondary path on detection of link failure. By default, in Hub mode, the transition would not occur. If Wire mode is selected, then 1B would also drop, causing the switch to transition.

Segment Settings

Port Settings

Zero Power High Availability (ZPHA)
The purpose of the bypass modules is to route traffic around the inspection device if and when there is a power failure. If the power is interrupted due to power supply failure, power loss, or unplugging, the module continues to pass traffic (un-inspected) through the network while bypassing the device. Depending on the inspection device, the bypass module comes in different configurations, including copper and fiber.

ZPHA Operation
Action                           Result
When ZPHA has power              Traffic flows through the device
The ZPHA does not have power     Traffic bypasses the device
During reboots and TOS updates   The device will drop power to the ZPHA during the update/reboot
Auto-MDIX                        Requires special care; connect un-powered

Note: If you have no external ZPHA configured, then the above commands will have no effect other than dropping power on the USB port, which will effectively do nothing with no ZPHA connected.

Modular ZPHA Chassis
The Modular ZPHA chassis is a device with five available segment ports for fiber or copper modular components.
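The Link Down Synchronization modes and the switch-failover slide above, as an added example that is not TippingPoint or Trend Micro code: a small Python model of Hub, Wire and Breaker behaviour on a two-port segment. It assumes the wait-time acts as a debounce (the partner port is only taken down if the failed port is still down when the timer expires), which is one reading of the "avoids network flap" bullet; the port names, the Segment class and failover_scenario are constructed for illustration.

```python
from dataclasses import dataclass, field

HUB, WIRE, BREAKER = "Hub", "Wire", "Breaker"
PARTNER = {"A": "B", "B": "A"}

@dataclass
class Segment:
    """One IPS segment (ports A and B) with its Link Down Synchronization mode."""
    mode: str
    wait_time: int = 0  # seconds (UI range 0-240); assumed to debounce before acting
    link: dict = field(default_factory=lambda: {"A": True, "B": True})     # carrier
    enabled: dict = field(default_factory=lambda: {"A": True, "B": True})  # admin state
    pending: dict = field(default_factory=dict)  # failed port -> deadline to act

    def port_up(self, port):
        return self.enabled[port] and self.link[port]

    def link_event(self, port, carrier, now):
        """Carrier changed on `port` at time `now` (seconds)."""
        self.link[port] = carrier
        if self.mode == HUB:
            return                                     # Hub: partner never touched
        if not carrier:
            self.pending[port] = now + self.wait_time  # arm the wait-time timer
        else:
            self.pending.pop(port, None)               # flap shorter than wait: no-op
            if self.mode == WIRE:                      # Wire: partner follows it back up
                self.enabled[PARTNER[port]] = True
        self.advance(now)

    def advance(self, now):
        """Expire timers: a port still down at its deadline takes its partner down."""
        for port, deadline in list(self.pending.items()):
            if deadline <= now:
                del self.pending[port]
                if not self.link[port]:
                    self.enabled[PARTNER[port]] = False  # Breaker: stays down

    def restart(self, port):
        self.enabled[port] = True  # manual restart: the only way back up in Breaker mode

def failover_scenario(mode, wait_time=0, outage=60):
    """Port A drops at t=0 and returns after `outage` s; the switch on B fails over only if B loses link."""
    seg = Segment(mode, wait_time)
    seg.link_event("A", False, now=0)
    seg.advance(now=min(wait_time, outage))   # time passes until timer or recovery
    switch_failed_over = not seg.port_up("B")
    seg.link_event("A", True, now=outage)
    return {"switch_failed_over": switch_failed_over, "B_up_after_recovery": seg.port_up("B")}
```

Running failover_scenario with each mode shows why the slide says Hub alone will not make the access switch transition, and a short flap with a non-zero wait-time leaves the partner port untouched.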
The ZPHA Chassis receives power from the inspection device via a USB cable connection (no AC required). If the power through the USB cable is interrupted due to a power loss, the ZPHA instantly switches over to reroute the network traffic, thus bypassing the inspection device.
Note: If the ZPHA module is engaged, traffic is not being inspected.

Available in two models:
- Fixed ZPHA chassis: five segments (copper only), two USB-B type ports
- Modular ZPHA chassis: five segments (copper/fiber), one each USB-A/USB-B type ports

Note: A ZPHA chassis cannot be shared between IPS units. Each ZPHA is dedicated to a single inspection device. However, a single ZPHA chassis can protect multiple segments of a single inspection device.

ZPHA Bypass Modules
Bypass modules are ZPHA that permit network traffic and services while bypassing the IPS entirely when the IPS loses power. All four standard modules and all five bypass modules are hot-swappable on devices running TOS 3.6.0 or later.
Options:
- 4-Segment Gig-T Copper Bypass
- 2-Segment 1G Fiber SR Bypass (LC type)
- 2-Segment 1G Fiber LR Bypass (LC type)
- 2-Segment 10G Fiber SR Bypass (LC type)
- 2-Segment 10G Fiber LR Bypass (LC type)
- 1-Segment 40G Fiber SR Bypass
- 1-Segment 40G Fiber LR Bypass

On Device ZPHA
440T
- L2FB performed using Broadcom Switch (no network drops when activated)
- Integrated ZPHA bypass can be controlled in software

2200T
- L2FB performed using Broadcom Switch (no network drops when activated)
- Integrated ZPHA bypass can be controlled in software (copper only)
- SFP/SFP+ segments require an external ZPHA if needed

TippingPoint Operating System (TOS)
SMS Product Version Compatibility
https://success.trendmicro.com/solution/TP000067488-What-is-the-upgrade-path-for-myTippingPoint-SMS-device
Success.trendmicro.com: Documentation > Products > TOS Release Notes

TOS Upgrade Path Verification
Success.trendmicro.com: Documentation > Products > TOS Release Notes

Note 1: You must upgrade the SMS from SMS v5.3.0 or later. If you are upgrading from a release earlier than v5.3.0, you must first upgrade to SMS v5.3.0, log in to the SMS to activate a Digital Vaccine, and then upgrade to v5.5.
Note 2: VMware vCenter server is not required to deploy the vSMS.ovf file. You can deploy the .ovf file directly through ESX/ESXi utilities.

TOS Inventory and Distribution
The SMS will confirm which devices to update and will limit the available devices to the proper device family. The TOS update will be distributed and, when done, the distribution history will be updated to reflect the success/failure of the update.

Member Summary

Hands-on Labs
Lab 5: Device Management and Network Configuration
Estimated time to complete this lab: 30 minutes