CH-12-Best Parcticse.pdf

Full Transcript

Lesson 12: Best Practices Lesson 12: Best Practices Lesson Objectives: After completing this lesson, participants will be able to: Examine the Threat Suppression Engine Apply filtering concepts for various kinds of attacks Illustrate various deployment considerations for an environment Discuss daily system administration tasks and considerations Inspection Architecture Modifying TSE Configuration/Behavior/Parameters TSE Connection Table - Blocked Streams All packets received by the TPS are identified as a member of a flow (packet stream). A flow can consist of one or more packets. All packets received that are classified as a member of a “blocked stream” are discarded. Packets will only be blocked if they match a filter that has an action set of BLOCK. © 2022 Trend Micro Inc. Education 173 Lesson 12: Best Practices Connection Table Timeout (TCP) - Specifies the global timeout interval for TCP traffic on the connection table. For blocked streams in the connection table, this value determines the time interval that elapses before the blocked connection is cleared from the connection table. Before the timeout occurs, any incoming packets for that stream are blocked at the IPS device. After the connection is cleared (the timeout interval expires), the incoming connection is allowed until traffic matches another blocking filter. Blocked streams can also be cleared from the connection table manually from the Blocked Streams page (Events -> Managed Streams -> Blocked Streams). Trusted Streams - Specifies the global timeout interval for the trust table. This value determines the time interval that elapses before the trusted connection is cleared from the trust table. TSE Adaptive Filtering With Adaptive Filtering, the TSE automatically manages filter behavior when the inspection device is under extreme load conditions. The TPS Adaptive Filtering feature is designed to protect the TPS from poorly performing filters. When the device detects a poorly performing filter, it automatically disables the offending filter and generates a system log message. A filter is determined to be poorly performing under the following conditions: Filter time out - Each filter may have one or more specific inspection functions, some of which may be implemented using regular expressions. If a regular expression times out, or exceeds a certain level of recursion, then the TPS will initiate AFC on that filter. When a Filter is creating congestion and not firing - It is possible that traffic is passing early inspection, but failing the later inspection functions. If the device is experiencing continued congestion, the recommendation is to look for these filters and consider disabling them. Most filters provide configuration settings for adaptive filtering. If you do not want a filter to be subject to adaptive filtering, you can edit the filter and disable Adaptive Filtering. You can also modify the device-wide adaptive filter configuration for a device using Device Configuration. 174 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Filtering Concepts The TPS supports different types of filters, each of which provides protection from certain types of attacks or is used to implement the customer’s security policies. TMF Ordering When you create Traffic Management filters, you can modify the sequence they fire in by selecting a filter and using the Move Up and Move Down buttons at the bottom of the screen. In general, more specific filters should come first. For example, a more specific IP filter might block traffic with fully qualified source and destination IP addresses and ports. More general ones, like those that apply to subnets, should follow. Packets that match "allow" or "rate-limit" filters are inspected by other types of filters. In other words, the system does not allow attacks through because the packet matched an "allow" filter. You can also set the filters to trust traffic. Trusted filters instruct the IPS not to inspect the traffic, allowing the traffic to continue without comparing it with any other filter rules. Note: Traffic Management filters do not generate alerts. Traffic Management Filters, particularly those with a Trust action, should be used carefully. They are commonly used in the following situations: Rate Limit - Customer wants to rate limit an entire class of traffic, as specified by the TCP port. This may be used to preserve bandwidth for other applications. © 2022 Trend Micro Inc. Education 175 Lesson 12: Best Practices Note: Rate Limiting is only a reservation and not a guarantee of bandwidth at all times. It could create latency and other issues when TMFs meet rate limitations for flows being inspected or examined. Configuration Considerations Rate Limit - Customer wants to rate limit an entire class of traffic, as specified by the TCP port. This may be used to preserve bandwidth for other applications. Note: Rate Limiting is only a reservation and not a guarantee of bandwidth at all times. It could create latency and other issues when TMFs meet rate limitations for flows being inspected or examined. Block or Allow based on ports or protocols - The use of trust TMF to improve the performance of certain applications is possible when considered against select Filters or Categories. This is common and recommended with certain applications, in particular, streaming media, where payloads consisting of essentially random data. It is possible that this data will look suspicious to the TPS (i.e., match some filters’ triggers) and cause the flow to be submitted for deeper inspection. The deeper detailed inspection fails; however, this process can possibly create jitter and result in packets being delivered out of order. Streaming media clients are very sensitive to these conditions, and the overall application performance may suffer. In these cases, a TMF using the trust action can alleviate the condition. This should be written “tightly,” meaning it should specify the application port(s) as well as the IP addresses of the media servers. Trust - When Network File System (NFS) backups running through the TPS. They may generate very large packets, which are fragmented at the IP layer. The TPS will reassemble IP fragments; however, 176 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices this operation is very costly in performance of the sensor. If the NFS data is trusted, (i.e., known to be free of attacks) then a TMF trust rule applied to IP fragments will help improve the throughput of this application. Note: As indicated above, a TMF filter set to trust will cause the TPS to forward traffic meeting the matching criteria without inspecting it for attacks. Therefore, the matching criteria should be written in the most restrictive manner possible. Deployment Considerations The TippingPoint TPS and the Security Management System (SMS) server are very easy to deploy. The initial configuration is performed using the Out-of-Box Experience (OBE) wizard; this script prompts the user for the needed and essential configuration values. Typically, the baseline configuration of an SMS or TPS will require less than 10 minutes. However, as with any in-line network device, the deployment should be carefully planned. The following section provides guidance on planning and executing the initial deployment of the TippingPoint solution. The following section will summarize key TPS configuration parameters. Positioning The most common TPS deployment is at the customer network perimeter, which is those links connecting the customer network to the Internet. Although the TPS may be deployed in front of the firewall, most customers will deploy it behind the firewall. In this way, the firewall will drop traffic per its Access Control Lists (ACLs), thereby reducing the load on the TPS. With the introduction of the T/ TX-Series devices not only can these devices be installed at the perimeter, but they can also be installed at the Core. © 2022 Trend Micro Inc. Education 177 Lesson 12: Best Practices In today’s network environments, the “network perimeter” is becoming blurred. This is due to employees entering the network using a Virtual Private Network (VPN) or mobile users - employees and guests connecting to the network while at the customer site, particularly using wireless access points. This drives the need to consider a “defense-in-depth” strategy. In addition to the network border, the internal network is subdivided into separate “attack domains” (also known as “security broadcast domains”); this not only contains outbreaks within the LAN but also allows continued TPS protection if one unit is bypassed for maintenance. In most cases, user traffic can pass through as many as three TPS devices before any cumulative latency is noticed. Physical Connections The TPS is placed in-line between two network elements (i.e., between 2 routers or switches) or can be placed on a switch where it can translate VLANs. The TPS doesn’t act as a network element in the sense that it does not route traffic – it simply inspects the traffic. Because the TPS is an in-line device, the physical interfaces must match the segment in which it will be placed. Individual segments and are not shared. 178 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices I/O Modules The TippingPoint TX-Series devices support both standard I/O modules and bypass I/O modules for fiber and copper components. Only optical transceiver modules (including SFP, SFP+, and QSFP+) available from TippingPoint have been validated to achieve optimal performance with TippingPoint products. Other vendor devices are not supported. Using other vendor devices could be detrimental to the proper operation of the TippingPoint system. Bypass I/O modules are zero-power high-availability (ZPHA) modules that permit network traffic and services while bypassing the device entirely when the device loses power. The purpose of the bypass modules is to route traffic around the device if and when there is a power failure. If the power is interrupted due to power supply failure, power loss, or unplugging, the module continues to pass traffic (uninspected) through the network while bypassing the device. Depending on the device, the bypass module comes in a different configuration to include copper and fiber. Standard I/O Modules The TX-Series devices support up to four I/O modules, which enable the user to customize the device to suit the needs of the network. Each module occupies a slot, and each slot can contain up to 12 physical ports or 6 segments, depending on the module that is installed. © 2022 Trend Micro Inc. Education 179 Lesson 12: Best Practices Bypass I/O Modules The TX-Series devices support a range of Bypass I/O Modules (BIOMs), which combine the segment interfaces with mechanical bypass switches for high-availability purposes. The BIOMs offered for the TX-Series support various interface speed and connectivity types, including copper or fiber (1Gbps) or fiber (10Gbps). Fiber modules are available with either long-range or short-range transceivers. The BIOMs can route traffic within the module when the device loses power or when the module is removed from the device. Using the LSM, CLI, or SMS, you can also configure the BIOMs to bypass traffic on a per-module basis. General Module Information Running “show-mfg” from the Command Line Interface (CLI) will display the model number of the modules that are installed into the appliance. In addition, the model number and description can also be found on the sticker on the bottom of the module itself. When the device is managed by the SMS, a delay of up to 1 minute can occur before the SMS recognizes the changed I/O module. Hot-swapping I/O modules during system initialization is not supported. Hot-swapping I/O modules is only supported with swapping like-for-like I/O modules in the same slot. A bypass module that is installed while the system is powered on remains in bypass mode. This way, the network can continue to pass traffic while users configure the number of network ports and their speeds to meet specific requirements. The BIOM must be taken out of bypass mode either administratively (using the CLI or the LSM) or through a reboot. Bypass modules should continue to pass traffic even while not connected to the device, or while the device is powered off or administratively placed in bypass mode. If the module does not pass traffic under these conditions, ensure that you have the appropriate cable for your network. In many cases, replacing a straight-through cable with a cross-over cable will resolve link issues. Bypass modules contain electromechanical switches that are very sensitive to handling when not installed in the system. Network disruption can occur if handled improperly. Best Practice: 180 Network connectivity should be tested in all available modes (inspection, bypass, and transitions) between devices to ensure that cabling mistakes have occurred. © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Module Hot-Swapping Guidelines When hot-swapping I/O modules, note the following administrative guidelines: If a slot has always been empty, all possible ports and segments on the slot are absent and unavailable. If a slot’s configuration is erased by the user, configuration of that slot’s ports and segments is deleted, and all possible ports and segments on the slot become absent and unavailable. However, any policy-related configuration for these ports does not change when the bay configuration is erased and must be manually cleaned up by the user. When a module is inserted into a slot or restarted, the system software performs the following evaluation. When the device boots up, the evaluation is performed for every module installed in a slot: The module is validated. The physical state (present/absent) and availability state (available/unavailable) for each possible port and segment on this slot is determined. The configuration is changed and applied as necessary. The status of the module (whether there is a module in the slot, what type of module it is, whether it is being used or is in error) is determined. A Syslog message is added (depending on whether the module passed validation and the module status check). Removing a module from a slot does not change or reapply the configuration. It also does not change the availability state of ports and segments. It will, however, change the physical state to absent. An error-level Syslog message indicates that the module was removed. In addition, users are shown the physical state when viewing configuration and status related to that slot. These changes also occur when the device boots up for every empty slot. The following conditions are displayed when the corresponding ports and segments are available and are hidden when they are unavailable: Segment configuration Network port configuration Network port health Network port throughput performance Traffic profile by the network port System Administration Device Management in SMS Issue the following command at the command line: sms unmanage To re-enable SMS management issue the following CLI command: sms manage © 2022 Trend Micro Inc. Education 181 Lesson 12: Best Practices You can also turn SMS management on or off by using the LSM via System > SMS. After the TPS is managed by an SMS, you can view the SMS information from the CLI of the TPS. Type in the following to get information on which SMS is managing your device: show sms This will display the SMS Serial number, the SMS version, SMS IP address, as well as the SMS Port. Management Port TippingPoint recommends configuring the management port on the TPS to use a non-routed IP address from the RFC-1918 Private Address space. This helps to prevent a direct attack on the management port from the Internet. Additionally, the management port IP Address filter feature should be used to limit access to the management port. Only addresses defined by the command will be allowed to access the TPS. Host IP filters are essentially ACLs on the management port of the TPS. When the TPS is initially configured, the default security policy is set to permit any connection. Once you establish a host IP filter, whether it is a permit or deny, then the default IP filter becomes deny any, the old legal idea of the inclusion of one is to the exclusion of all others). If you are doing this via SSH (not the console), the first thing you must do is a permit rule for the IP address you are on, or you will deny your IP access to the management port inadvertently. 182 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices “Management interface under attack” This message appears when too much of the traffic sent to the management port wasn't meant for the management IP address - too much broadcast traffic for instance. Note: The TPS must not be under SMS control when doing this. If the device is currently managed, you may use the CLI command “sms unmanage” to temporarily unmanage the TPS. To resume SMS management, use the CLI command “sms manage.” You can use the following CLI commands to configure the management port: {running-mgmt} ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip] For example, issue the following command to limit management port access to one host: {running-mgmt} ip-filter allow ip 192.168.1.32/24 If you require more than one address, then create a host ip-filter for all IP addresses or the subnet that is allowed to access the device. For example, if the legal machines are on the 192.168.10.X subnet, enter the following CLI command: {running-mgmt} ip-filter allow ip 192.168.1.0/24 To change the default action back to "permit any" enter the following command: {running-mgmt} ip-filter allow default © 2022 Trend Micro Inc. Education 183 Lesson 12: Best Practices Authentication Levels Option Description None User names must be at least six characters in length User names must be at least six characters in length Low User names must be at least six characters in length Must contain at least two alphabetic characters User names must be at least six characters in length Must contain at least two alphabetic characters Contains at least one uppercase character Medium High A password MUST be defined Passwords must contain at least 8 and no more than 32 characters without spaces Passwords must contain at least 8 and no more than 32 characters without spaces Must contain at least one numeric characters Must contain at least one non-alphanumeric character (E.g. ! ? $ * #). Passwords must contain at least 15 and no more than 32 characters without spaces Must contain at least one numeric characters Must contain at least one non-alphanumeric character (E.g. ! ? $ * #). Contains at least one lowercase character At least half the characters cannot occupy the same positions as the current password. Inspection Device Password Recovery You cannot recover the SuperUser password of a TPS device, but you can reset it to a new value or create a new login with SuperUser privileges. Note: Caution: This procedure requires a reboot operation which will disrupt traffic! Connect to the TPS device via the console serial port using a null-modem cable. The terminal emulator software must be set to 115200bps, 8 Data Bits, No Parity, 1 Stop Bit. (115200,8,N,1) Reboot the inspection device. As the device is rebooting, watch for the word "Loading." You should see something similar to the following: 184 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Note: Type the word mkey within 3 seconds of seeing the word "Loading" and press. If you do not type mkey before the dots "…" appear after the word Loading you will have to reboot the device and try again. If successful, you will see the following prompts; Enter Super User username: Type the account name you would like to reset or type a new account name and press. Enter SuperUser password: Enter your new password and press. Verify SuperUser password: Re-type the password to verify and press again. After entering the new password, you will see the following screen Log in to the system with the new credentials Inspection Device Factory Reset Note: The TPS will reboot during this procedure and will interrupt traffic flow through the TPS. When the TPS finishes the process of resetting to factory defaults, the TPS will need to be reconfigured using the Out-of-Box-Experience at the serial console. Be aware that the TPS will revert to the original TOS shipped with the device and that the Digital Vaccines (DVs) will be deleted. System logs, snapshots, and other system data will not be deleted, but they will not be visible until you restore the TOS version that created them. To factory reset your TPS enter the following command at the CLI interface; © 2022 Trend Micro Inc. Education 185 Lesson 12: Best Practices debug factory-reset System Upgrades Hitless upgrades are available for TPS devices. To completely reboot or do a full reboot, non-hitless, type the following at the CLI: TPS# reboot full Note: If possible, connect to the console port during a TOS upgrade so that you can watch the status and catch any errors. Always update the DV after a TOS upgrade since the TOS will include a DV from the period in which the TOS file was generated. TPS Storage Devices TPS devices have both internal and external storage devices. The internal storage device (CFast card) contains the TippingPoint Operating System (TOS), Digital Vaccine, Malware Filters, and the running configuration. The external device (CFast/SSD) is used to store system logs, snapshots, and other system data. By removing the external storage device, all customer-specific data is removed from the system. The user can remove and insert the external storage device while the device is running; however, the user must be sure to issue the appropriate CLI command. The device will continue to perform correctly if the external storage device is not available. However, if you attempt to take a system snapshot, the operation will fail, and an error will be recorded in the system log. Note: External storage devices are required to stay with the customer if performing an RMA. The replacement RMA unit does not come with an external storage device. Commercially available External storage devices are not supported. If a new device is required, ensure that you contact the TippingPoint Technical Assistance Center (TAC) for a replacement. Ejecting a compact flash card may fail after a 30-second timeout if the card is in use. The most common cause for failure is if a snapshot is being written to the card when the Eject command is issued. 186 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Link-Down Synchronization (LDS) Industry-standard routing protocols like Open Shortest Path First (OSPF), Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP) utilize “path down” detection technology to detect when a network path is down and thus initiate a switch to a redundant default path. LinkDown Synchronization, also called Sympathetic HA, allows you to configure the device to force both ports down on a segment when the device detects a link-state of down on one of the ports. When Link-Down Synchronization is enabled, the device monitors the link state for both ports on a segment. If the link goes down on either port, both ports on the segment are disabled. This functionality propagates the link-state across the device. In the case of Router, A and Router B, if the link to Router A goes down, then both ports are disabled, resulting in the link to Router B also going down, which Router B then detects. With Link-Down Synchronization, ports respond according to the configured setting. The settings include the following: Hub - When a port goes down, the system ensures the partner port remains up. Breaker - When a port goes down, the system disables the partner port until both ports are manually restarted. The breaker option requires manually restarting both ports. Wire - When a port goes down, the system disables the partner port, automatically restarting both ports when the link is re-established. In addition to the ability to enable Link-Down Synchronization for each segment, you can change the amount of time after detecting a link is down before forcing both ports down on a segment. The default is one second. You can configure the setting to any number of seconds ranging from zero to 240. Note: Best practice recommendation is to set the time between two and four seconds Once you enable Link-Down Synchronization for a segment, monitoring of that segment begins only after link-up is detected on both ports. When Link-Down Synchronization disables the ports on a segment, two audit log messages are generated. The first message in the audit log corresponds to the port with the link down. The second message corresponds to the segment partner. Additionally, © 2022 Trend Micro Inc. Education 187 Lesson 12: Best Practices an error message is added to the system log indicating which port was detected with the link down, activating Link-Down Synchronization for that segment. Best Practice: Note: We recommend in most network environments to set the link down synchronization to wire mode to prevent routing issues. Testing has shown that it can take up to 4 seconds for the partner link to shut down even if the timer is set to less than 4 seconds. Intrinsic Network High Availability (HA) Intrinsic HA, also known as “Layer 2 Fallback” (L2FB), is a mode wherein the TPS will pass traffic from one interface to its partner without inspecting the traffic. If an internal failure is detected, the device goes into L2FB mode and either permits or blocks all traffic on each segment, depending on the preference of the network administrator (see below). Some of the checks, thresholds, and resulting actions can be customized based on each customer's HA and security requirements. For example, L2FB can be configured to fail open (Permit All) or closed (Block All) on a per-segment basis. L2FB can also be enabled manually (see below). Traffic flowing through each segment on the device will be either blocked or permitted based on the segment configuration. Any permitted traffic will not be inspected. Setting the TPS manually in L2FB is a useful tool for troubleshooting by ruling out the TPS as the device causing the issue (or not). 188 © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Note: L2FB only functions as long as the TPS device has power. If you lose power to the device, you will lose connectivity unless the device has a Zero Power High Availability (ZPHA) module. To place device in L2FB from the Command Line Interface (CLI), it will be necessary to take the TPS out of SMS control. Otherwise, this can be controlled through the SMS. Note: Function not supported by vTPS. Snapshot Best Practice: Best practice calls for snapshots to be created each time the TPS device is modified. Whether you distribute a new DV or upgrade the TOS or modify any system configuration, you should perform a snapshot. Snapshots are stored on the external storage device. Through the SMS System Snapshot section, you can manage the snapshots taken of device filters and settings. You can create these snapshots through the Device Configuration screen for a specific device. Creating a new snapshot stores a copy on the TPS device. Archiving a snapshot stores, a copy on the SMS. Deleting a snapshot removes the system snapshot from the device and, if present, the snapshot on the SMS. Snapshots have the option to include LSM created Reputation Entries, as well as Reputation DV and SMS, created Entries. © 2022 Trend Micro Inc. Education 189 Lesson 12: Best Practices Note: If you perform a TOS upgrade on the TPS, any snapshots taken on a previous version of the TOS will not be visible after the upgrade. However, the snapshots are still saved, and if/or when you perform a rollback, the snapshot will be visible again. Common Pitfalls Virus Category - Turning on all of these filters includes the entire Malware category, which can cause performance issues. Also, they can block all traffic from mail servers, so test before enabling them. Security Policy Category – These filters are provided as additional tools for specific applications that wouldn’t otherwise be allowed in secure environments. They should not, as a rule, be enabled as they will block legitimate traffic. Traffic Normalization – By default, most Traffic Normalization filters are set to Block. We do not recommend using a permit action on these filters as it could introduce vulnerabilities with malformed packets. Over Configured Devices – too many overrides, double/triple inspection – perimeter, core, and DMZ on the same device – use bypass or traffic management or virtual segments if necessary. Too much permit & notify can cause performance issues as it endlessly inspects legitimate packets over and over again. Permit+Notify should be restricted to testing filters and/or limited use for troubleshooting purposes. Do’s Filters Bandwidth Packet size 190 Dont’s Carefully select filters appropriate to your environment and threats Do Not turn on every filter on the box Monitor bandwidth in use - consider both baselines and burst for sizing Do not utilize all available physical ports. Monitor bandwidth on the links and consider the device’s licensed bandwidth Monitor traffic mix and packet sizes; baseline and continuously monitor your average mix of packet-sizes Do not implement new applications that rely on excessive small or fragmented packets © 2022 Trend Micro Inc. Education Lesson 12: Best Practices Do’s Dont’s Protocols Monitor mix - Watch for protocols that are prone to fragmentation and anomalies such as an abnormal ratio of SYNs to SYN-ACKs Do not implement protocols that are prone to fragmentation and anomalies such as an abnormal ratio of SYNs to SYNACKs Trust SSL or QUIC Filters 28987 and 29276 are available to trust SSL to avoid inspection or block QUIC traffic to force the use of HTTPS Do not use these filters without careful monitoring; SSL may fill the ‘Trusted Flows’ table on the device Backups Create regular device snapshots and SMS backups Do Not forget to ‘archive’ snapshots to your SMS Throughput Licensing Update your license package to assign a product capability that you have purchased, such as an inspection throughput license, to a particular security device. To review and manage the capabilities in your license package, go to the TippingPoint License Manager on the TMC. Verify your product license provides sufficient inspection throughput. By default, a TPS security device is unlicensed and provides reduced inspection throughput for testing and evaluation purposes only. Model vTPS Licensed Un-Licensed 250/500 Mbps/1 Gbps/2 Gbps Trial Mode 440T 250/500 Mbps/1 Gbps 100 Mbps 2200T 1/2 Gbps 200 Mbps 1100T 5500T 8200TX 3/5/10/15/20/30/40 Gbps 1 Gbps 8400TX 3/5/10/15/20/30/40 Gbps 1 Gbps Note: Making and change to the licensed throughput will require a reboot of the device. Hands-on Labs Lab 12: Best Practices Estimated time to complete this lab: 25 minutes © 2022 Trend Micro Inc. Education 191