CH-7-Traffic Management Filters.pdf
Lesson 7: Traffic Management Filters
© 2022 Trend Micro Inc. Education

Lesson Objectives
After completing this lesson, participants will be able to explain:
- Flow-based vs. non-flow-based DV filters
- Traffic Management Filters

Flow Based vs. Non-Flow Based
Flow-based inspection filters look at the traffic "flow", defined by the flow tuple: source/destination IP, source/destination port, IP protocol and (optionally, where applicable) VLAN. They view the packet headers and the packet payload data.

Non-flow-based inspection filters (a.k.a. user defined; discussed later):
- Algorithmic filters
- Reconnaissance filters (port scans and host sweeps)
- Advanced DDoS: looks at the overall behavior of traffic over time, e.g. invalid behavior when initiating a connection; discussed in detail in the ADDoS module
- Header-based filters: Traffic Management Filters (IP header)
- Reputation

Different Ways to Detect a Malicious Flow
Inspection filters used by TippingPoint:
- Vulnerability filters
- Exploit-specific filters
- Policy filters
- Protocol anomaly filters
Note: TippingPoint devices support several other filter types.

Vulnerabilities vs. Exploits

Traffic Management Filters
- Similar to firewall ACLs
- Can be ordered; evaluation uses first match
- Do not generate any events
- Do not generate any streams

Vulnerability Scan Example - Use Cases
You may want to create a TMF to trust your vulnerability scanners or internal IT monitoring scripts/servers, to avoid unnecessary events overshadowing actual attacks and to keep this traffic from consuming inspection resources.
A good example of why to do this: for some customers, the top talkers to the web servers were IT service/uptime monitoring scripts that were consuming unnecessary resources and causing events. This initially led the staff to use Exceptions on attack filters, but in the end the Trust reduced the inspection overhead and reduced performance protection alerts in the system logs.

Example: Trust all traffic to and from a network scanner located at 192.168.1.200, which passes through IPS#1 via segment 1A --> 1B (in the direction A to B), but the scanner also scans through a different device, IPS#2, via segment 6B to 6A (in the direction B to A). Instead of making a single rule, consider a 4-way trust to catch all possible directions in your environment for both the scan AND the response. If your rule will be used for various segments and inspection devices, create four rules if you don't know exactly how the traffic will traverse each inspection device with respect to direction and segment.

Filter Actions
- Block: drops matching traffic; no further inspection once the block is matched
- Allow: permits matching traffic; traffic is then inspected against DV filters
- Trust: similar to Allow, but bypasses DV inspection; used for performance optimization (more on this later)
- Rate Limit: rate-limits traffic to the specified rate; traffic is then inspected against DV filters
Note: Managed streams are only used for DV filters, so traffic management matches with Block or Rate Limit actions will not appear in either the Block Streams or the Rate-Limited Streams.
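The following Python model is an added example, not TippingPoint code: it simulates the ordered, first-match evaluation and the four actions described above, and builds the 4-way trust for the 192.168.1.200 scanner (segment 1 A>B on IPS#1, segment 6 B>A on IPS#2) to show why a single trust rule leaves the scan responses and the second IPS path under DV inspection. The segment/direction labels and the outcome strings are assumptions made for the simulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", ...
    segment: str      # IPS segment number, e.g. "1" or "6" (assumed labelling)
    direction: str    # "A>B" or "B>A" (assumed labelling)


@dataclass(frozen=True)
class TMF:
    """One Traffic Management Filter: limited match parameters plus an action."""
    name: str
    action: str                  # "block", "allow", "trust" or "rate-limit"
    segment: str
    direction: str
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: str = "any"

    def matches(self, f: Flow) -> bool:
        return (self.segment == f.segment and self.direction == f.direction
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto))


def evaluate(rules: list[TMF], f: Flow) -> str:
    """Ordered, first-match evaluation; returns what happens to the flow next."""
    for r in rules:
        if r.matches(f):
            if r.action == "block":
                return "dropped"       # no further inspection once a block matches
            if r.action == "trust":
                return "bypass-dv"     # trusted traffic skips DV inspection
            return "dv-inspect"        # allow and rate-limit still go to the DV filters
    return "dv-inspect"                # no TMF matched: normal DV inspection


def four_way_trust(host: str) -> list[TMF]:
    """Trust the scan AND the response on both IPS paths from the lesson."""
    return [
        TMF("scan 1A>1B", "trust", "1", "A>B", src=host),
        TMF("reply 1B>1A", "trust", "1", "B>A", dst=host),
        TMF("scan 6B>6A", "trust", "6", "B>A", src=host),
        TMF("reply 6A>6B", "trust", "6", "A>B", dst=host),
    ]
```

Keeping only the first of the four rules trusts the outbound scan on IPS#1 but sends the replies and the IPS#2 scans on to DV inspection, which is exactly the event noise and inspection load the use case above is trying to remove.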
Creation
Traffic Management Filters react to traffic based on a limited set of parameters, including:
- Source IP address
- Destination IP address
- Port
- Protocol
- Other defined values

Examples of Traffic Management Filters for web servers in a lab that deny access to external users:
- Block traffic if the source is on an external subnet, it arrives on port 80, and it is destined for the IP address of your web server.
- Block traffic if the source is your web server, the source port is 80, and the destination is any external subnet.

Network Settings

Ordering
Traffic Management Filters are evaluated in order with first match; the 4-way trust for the network scanner at 192.168.1.200 described earlier is created as four ordered rules, one per segment and direction, because a single rule cannot cover every path the scan and its response take through the IPS devices.

Notes on Rate Limiting
Each time you create a rate-limit Action Set you create a "virtual pipe". When you assign that rate-limit Action Set to a filter, all flows which match that filter, and any other filter which shares the identical Action Set, will share the same "virtual pipe". For example, if you create a Rate Limit of 5 Mbps and assign it to the P2P and Streaming Media categories, then all flows which match those filters will share the same 5 Mbps pipe. If you want P2P and Streaming Media to have their own 5 Mbps pipe each, create two Action Sets with different names but the same 5 Mbps rate-limit value.

Rate Limit Action Set
We begin the process by creating a Rate Limit Action Set to be used in the Rate Limit filter. It is important to choose a speed that is supported by the IPS on which you wish to use the Action Set and filter.

HTTP Rate Limit
To successfully rate limit HTTP traffic, consider the nature of the traffic. A small request to port 80 (destination) results in a large reply from port 80 (source), so your rate limit should target the biggest transaction, i.e. source port 80.

Network Settings

Configuration: Create Traffic Management Filter
1. Name the filter
2. Choose an action
3. Select the Rate Limit Action Set created earlier
4. Choose the direction
5. Specify the protocol
6. Define the source/destination

LSM Rate Limit Reports (NX Example)

Hands-on Labs
Lab 7: Traffic Management Filters
Estimated time to complete this lab: 45 minutes
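This added Python model (not TippingPoint code) illustrates the "virtual pipe" rule from the rate-limiting notes: every distinct rate-limit Action Set is one pipe, and filters that reference the same Action Set share it. The Action Set names, the 8 Mbps offered loads and the proportional sharing of a saturated pipe are constructed assumptions for the simulation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitActionSet:
    """Each rate-limit Action Set is one 'virtual pipe'; the name is its identity."""
    name: str
    mbps: float


@dataclass(frozen=True)
class RateLimitFilter:
    category: str                 # e.g. "P2P" or "Streaming Media"
    action_set: RateLimitActionSet


def delivered_mbps(filters: list[RateLimitFilter], offered: dict[str, float]) -> dict[str, float]:
    """offered: category -> offered load in Mbps. Categories whose filters share the
    same Action Set draw from one pipe, so their combined throughput is capped at the
    pipe's rate (assumed here to be shared in proportion to offered load)."""
    pipes: dict[RateLimitActionSet, list[str]] = defaultdict(list)
    for f in filters:
        pipes[f.action_set].append(f.category)
    result: dict[str, float] = {}
    for pipe, cats in pipes.items():
        total = sum(offered.get(c, 0.0) for c in cats)
        scale = min(1.0, pipe.mbps / total) if total > 0 else 1.0
        for c in cats:
            result[c] = offered.get(c, 0.0) * scale
    return result


# Constructed scenario from the lesson: one 5 Mbps Action Set assigned to both
# categories (shared pipe) versus two differently named 5 Mbps Action Sets.
SHARED = RateLimitActionSet("RL-5Mbps", 5.0)
SHARED_FILTERS = [RateLimitFilter("P2P", SHARED), RateLimitFilter("Streaming Media", SHARED)]
SEPARATE_FILTERS = [
    RateLimitFilter("P2P", RateLimitActionSet("RL-5Mbps-P2P", 5.0)),
    RateLimitFilter("Streaming Media", RateLimitActionSet("RL-5Mbps-Stream", 5.0)),
]
OFFERED = {"P2P": 8.0, "Streaming Media": 8.0}   # both categories offer 8 Mbps

if __name__ == "__main__":
    print("shared pipe:   ", delivered_mbps(SHARED_FILTERS, OFFERED))
    print("separate pipes:", delivered_mbps(SEPARATE_FILTERS, OFFERED))
```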