
CH-6-Security Profile Management.pdf


Full Transcript


Lesson 6: Security Profile Management

Lesson Objectives

After completing this lesson, participants will be able to explain:
- the Digital Vaccine (DV) package
- flow-based vs. non-flow-based DV filters
- Traffic Management filters
- Inspection Bypass rules
- profile version, rollback, and auditing
- profile search
- managing multiple profiles

Digital Vaccine (DV) Overview

Digital Vaccine is a downloadable security package that includes filters for protecting an HP TippingPoint-secured network. These filters provide new signatures to protect against researched threats to network security. The packages are pushed out to the Threat Management Center (TMC) (https://tmc.tippingpoint.com) for distribution to devices by automatic or manual download. Updates are distributed using Digital Vaccine packages.

Digital Vaccine Filters are security filters developed by the Trend Micro TippingPoint Threat Research Organization to block attacks and other malicious traffic from the network. Filters come with a set of recommended (default) settings which specify:
- filter status (enabled or disabled)
- the “Adaptive Filter Configuration (AFC)” setting (on or off)
- the action to be taken when the filter is triggered (an action set defined to permit or block traffic and/or send a notification)

Auxiliary Digital Vaccines (DVs) are specialized filter packages that address specific security needs, such as advanced malware protection. They are updated and distributed independently of base DVs. Multiple types of Auxiliary DV can exist, and one package of each type can be active on a device, unlike the base DV, for which only a single package can be active on a device.

© 2022 Trend Micro Inc. Education

Active vs. Distributed

Before we get into the details of managing profiles, it is important to understand the concepts. The SMS has the notions of “Activating” and “Distributing”.

Distributing means sending the information (a DV or DVT package, or a Profile) to the device where it will “run”. Activating means selecting which Profile version, DV package and, possibly, DVT package will be used to construct the user view in the client. The user view consists of:
- Filters – from the DV / DVT package
- State and control – from the Profile

Typically what is “Active” is the same as what is “Distributed”, unless you are making changes to the Profile.

DV Mismatch

Inspection Profiles are defined using the Active DV. The IPS may have a different DV from the one that is Active on the SMS, and it may be newer or older.
- What happens if a Profile uses a filter which is NOT part of the IPS DV, i.e. the SMS has a newer DV than the inspection device?
- And if the roles are reversed, and the inspection device has a newer DV than the SMS, how are the additional filters on the IPS configured?

Best Practice: Click No, Fix and Redistribute.

Active DV and Inspection Profiles

If the SMS distributes a profile which uses a newer DV than the one installed on the device, and a filter from that newer DV has been configured (the lower-left cell of the table on the slide), you will receive two SMS system errors for each unknown filter override.

#1 indicates that policy id [a3a933e6-e57d-11dc-4eb1-56c228dc92cc] is invalid:
Wed Feb 27 15:48:03 CST 2008: 1200-Instructor (192.168.1.40) System Log Notification (error): parseOnePolicy: Invalid policy [a3a933e6-e57d-11dc-4eb1-56c228dc92cc]

#2 indicates which filter is invalid (unknown), in this case filter 5994:
Wed Feb 27 15:48:02 CST 2008: 1200-Instructor (192.168.1.40) System Log Notification (error): isValid: Signature [00000001-0001-0001-0001-000000005944] does not exist for policy [a3a933e6-e57d-11dc-4eb1-56c228dc92cc]
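The following is an added example, not code from the Trend Micro course or from the SMS product: a pre-distribution check for the DV mismatch described above, in both directions (SMS newer than IPS, and IPS newer than SMS), plus a parser for the paired parseOnePolicy/isValid system-log errors quoted on the page. The DV version strings, the filter numbers in each DV, and the profile overrides are constructed sample data, and no SMS export format or API is assumed. The two log lines are copied from the page; deriving the filter number from the trailing field of the signature ID is an assumption (the page's prose names filter 5994 while the quoted signature ID ends in 5944).

```python
"""Added example (not from the Trend Micro course material): a pre-distribution
DV mismatch check in both directions, plus a parser for the paired SMS system-log
errors quoted above. The DV filter sets, version strings and profile overrides
are constructed sample data; no SMS export format or API is assumed."""
import re

# Constructed sample data: filter numbers shipped in each DV version.
SMS_ACTIVE_DV = {"version": "3.2.0.8", "filters": {164, 1777, 5944, 5994}}
IPS_OLDER_DV = {"version": "3.2.0.7", "filters": {164, 1777}}
IPS_NEWER_DV = {"version": "3.2.0.9", "filters": {164, 1777, 5944, 5994, 6001}}

# Constructed profile: per-filter overrides, filter number -> (state, action set name).
PROFILE_OVERRIDES = {
    164: ("enabled", "Block + Notify"),
    5944: ("enabled", "Block + Notify"),
    5994: ("disabled", "Permit + Notify"),
}


def check_dv_mismatch(sms_dv, ips_dv, overrides):
    """Return (unknown_on_ips, unconfigurable_in_sms).

    unknown_on_ips: overridden filters the IPS DV does not contain (SMS newer
      than IPS). Distributing anyway yields the parseOnePolicy/isValid errors
      and the override is not enforced on the IPS; fix these first.
    unconfigurable_in_sms: filters the IPS DV has but the SMS Active DV lacks
      (IPS newer than SMS). They cannot be overridden in the profile, so the
      IPS applies their category defaults.
    """
    unknown_on_ips = sorted(f for f in overrides if f not in ips_dv["filters"])
    unconfigurable_in_sms = sorted(ips_dv["filters"] - sms_dv["filters"])
    return unknown_on_ips, unconfigurable_in_sms


# The two log lines quoted on the page; the prefix format is taken from them.
SAMPLE_SMS_LOG = [
    "Wed Feb 27 15:48:03 CST 2008: 1200-Instructor (192.168.1.40) System Log Notification (error): "
    "parseOnePolicy: Invalid policy [a3a933e6-e57d-11dc-4eb1-56c228dc92cc]",
    "Wed Feb 27 15:48:02 CST 2008: 1200-Instructor (192.168.1.40) System Log Notification (error): "
    "isValid: Signature [00000001-0001-0001-0001-000000005944] does not exist for policy "
    "[a3a933e6-e57d-11dc-4eb1-56c228dc92cc]",
]

LOG_RE = re.compile(
    r"^(?P<ts>.+?): (?P<device>\S+) \((?P<ip>[\d.]+)\) System Log Notification "
    r"\((?P<level>\w+)\): (?P<func>\w+): (?P<msg>.*)$"
)
POLICY_RE = re.compile(r"Invalid policy \[(?P<policy>[0-9a-f-]+)\]")
SIG_RE = re.compile(
    r"Signature \[(?P<sig>[0-9a-f-]+)\] does not exist for policy \[(?P<policy>[0-9a-f-]+)\]"
)


def filter_number_from_signature(sig):
    """Assumption: the filter number is the trailing decimal field of the
    signature ID (00000001-0001-0001-0001-000000005944 -> 5944)."""
    return int(sig.rsplit("-", 1)[1])


def parse_unknown_filter_errors(lines):
    """Group the paired errors: policy id -> set of filter numbers the IPS lacks."""
    by_policy = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["level"] != "error":
            continue
        if m["func"] == "parseOnePolicy":
            pm = POLICY_RE.search(m["msg"])
            if pm:
                by_policy.setdefault(pm["policy"], set())
        elif m["func"] == "isValid":
            sm = SIG_RE.search(m["msg"])
            if sm:
                by_policy.setdefault(sm["policy"], set()).add(
                    filter_number_from_signature(sm["sig"]))
    return by_policy


if __name__ == "__main__":
    for label, ips in (("IPS older", IPS_OLDER_DV), ("IPS newer", IPS_NEWER_DV)):
        unknown, uncfg = check_dv_mismatch(SMS_ACTIVE_DV, ips, PROFILE_OVERRIDES)
        print(f"{label}: fix before distributing={unknown}; category defaults on IPS={uncfg}")
    print("from log:", parse_unknown_filter_errors(SAMPLE_SMS_LOG))
```

Run the check against the filter lists of the SMS Active DV and the device DV before distributing; anything in the first list is an override the IPS cannot honour, which is the case the “No, Fix and Redistribute” advice addresses. The parser is for the after-the-fact case, when the errors have already appeared in the SMS system log.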
Filter Distribution by Categories

Digital Vaccine (DV) packages include filter updates you can distribute to appliances and customize in profiles. You can download and distribute DV updates manually or automatically. Manual operation lets you download packages and distribute them to appliances according to your own schedules. You can also configure the system to automatically check for, download, and distribute filter updates to the devices managed by the SMS, and set up the SMS to send you email notification of automatic Digital Vaccine downloads and distribution. To receive these messages via e-mail, add your contact information to the Network Information.

Digital Vaccines offer multiple filter categories, detailed filter metadata, and suggestions on deployment for each filter. Digital Vaccines are updated weekly, and blocking is enabled by default out of the box. The 12 categories listed on the slide assist the user in filter management.

Inventory

Digital Vaccine information can be viewed by clicking the Profiles button, opening Profiles and clicking Digital Vaccines. The Digital Vaccine Inventory button allows the administrator to view the Active DV information as well as the DV inventory and distribution progress and history details.

Import and Download from TMC

Which DV is active defines what filters are available for searching and setting when editing IPS profiles. It is best practice to keep the Digital Vaccine on the IPS and the Active DV on the SMS in sync. If not, the following two issues can occur:
- The DV on the SMS is newer than on the IPS – Filters in an IPS Profile could be turned on within the SMS, but the filter does not exist out on the IPS, so the filter is not properly controlled.
- The DV on the IPS is newer than on the SMS – In this case, you cannot turn on certain filters within an IPS Profile because they do not exist on the SMS. On the IPS, those filters take their category settings by default.

In order to download Digital Vaccines from the Internet, the SMS needs Internet access, a gateway, and DNS.

Distribution

IPS performance issues with High Priority distribution will be especially noticeable on software-based IPSes and the E-Series, since these have one CPU that is responsible for both inspection and management.

At this point it makes sense to demonstrate some of the DV options we’ve covered over the past few slides:
- Download a DV from the TMC if connected. If not, load it from the course CD materials.
- Distribute the DV to the IPS or IPSes.
- Show how the DV distribution history reflects the distribution, and then clear it as an “obsolete” entry.
- Show how to schedule a DV distribution and set up automatic download, activation and distribution.

Profile Versioning, Rollback, and Auditing

Profile Snapshots

When distributing a profile to your device, you get a snapshot of your profile called a Distribution Snapshot. The Distribution Snapshot is a restore point, allowing you to roll back at a later time. To roll back, simply make the required version Active and Distribute the profile to the appropriate Segment Group. A manual Snapshot may be created at any time to allow rollback. From the Profile > Versions tab you can manage snapshot versions.

Profile Versions

You may drill down into the details of each version of the Profile. The History view shows the Profile Version Details, including an audit trail. The Profile version consists of a major number (left of the decimal point) that increases at each distribution if a change has been made, and a minor number (right of the decimal point) that tracks each individual filter or category change. The history is also useful for forensics, as it tracks the date, time and user that made each change.

Profile Overview

It is necessary to re-distribute profiles if you un-manage/re-manage an IPS. A newly managed or re-managed IPS will display None as the profile assigned to every segment of the IPS. If an IPS is un-managed / re-managed, the SMS loses this information, as it doesn’t know if the profile was changed.

The Profile Overview is a summary view detailing the major settings of a profile:
- Category Settings
- Modified Filters
- Traffic Management Filters
- Action Sets used in the profile
- Notification Contacts used in this profile
- Profile Settings

Which Profiles are applied where?
- Profile Distribution History: Profiles > … > Profile Distribution Details
- Device Network Configuration: Devices > … > Network Configuration > Physical Segments
- Segment Group Details: Devices > Segment Groups > …

Profile Search

Searching for individual filters to edit by text or filter number. The following example is a search for “icmp”. Suspicious URL Metadata was introduced with SMS 4.6 to be used with Deep Discovery.

Editing Multiple Filters

When editing multiple filters, the dialog changes slightly: File Details changes to Filters Being Modified. Editing many filters at the same time can take a while.
- Use the SHIFT or CTRL key to select multiple filters
- Select all filters using CTRL-A

Source Criteria Search

You can search by release dates and filter source.

Additional Criteria Search

Search by Actions and Exceptions.

Filter Taxonomy Criteria

Filter Taxonomy Search Results

Search Results

Modified Filters

Filters that have been modified will appear in the Filters tab.

Import/Export Profiles

Profile Import/Export uses .pkg files. It is useful for:
- importing into another SMS
- persistent backup for old, unused Profiles

Imported Profiles can be merged into an existing Profile, either preserving or replacing existing settings.

Importing a Profile

Use the Wizard to import a profile.

Exporting a Profile

Easily propagate security policy from one SMS to another by exporting Profiles and importing them directly into another SMS.

Managing Multiple Profiles

Global Search Across Multiple Profiles: useful if you are connected to the SMS and want to see whether all teams made the same configuration to their profiles while doing the labs; try filters 1777 and 0164.

Profile Compare
- Compare two or more Profiles and the deltas between them
- View the differences between multiple profiles
- Determine what categories and filters are configured differently

Profile Compare Details for Categories: the comparison uses the name of the Action Set, not its content.

Profile Compare by Filter: select the check box to view just the differences.

Hands-on Labs

Lab 6: Security Profile Management
Estimated time to complete this lab: 30 minutes
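The following is an added example, not Trend Micro code and not the SMS's own data model: a small model of the profile version numbering, distribution snapshots, rollback and audit trail described under Profile Versioning, together with Profile Compare (which, as noted above, compares action sets by name rather than by content) and the global filter search described under Managing Multiple Profiles. Profile contents are constructed sample data. Two details are assumptions the page does not state: a new profile starts at version 1.0, and the minor number resets to 0 when a distribution bumps the major number.

```python
"""Added example (not Trend Micro code): a toy model of SMS profile versioning,
distribution snapshots, rollback, audit trail, Profile Compare and global filter
search. Profile contents are constructed sample data. Assumed (not stated on the
page): a new profile starts at 1.0, and the minor number resets to 0 when a
distribution bumps the major number."""
import copy


class Profile:
    def __init__(self, name, categories=None, filters=None):
        self.name = name
        self.categories = dict(categories or {})  # category -> (state, action set name)
        self.filters = dict(filters or {})        # filter number -> (state, action set name)
        self.major, self.minor = 1, 0             # assumption: new profiles start at 1.0
        self.dirty = False                        # changed since the last distribution?
        self.history = []                         # audit trail: (version, user, what)
        self.snapshots = {}                       # version -> (categories, filters) restore point

    @property
    def version(self):
        return f"{self.major}.{self.minor}"

    def _record(self, user, what):
        # Every individual filter or category change bumps the minor number.
        self.minor += 1
        self.dirty = True
        self.history.append((self.version, user, what))

    def set_filter(self, user, number, state, action_set):
        self.filters[number] = (state, action_set)
        self._record(user, f"filter {number} -> {state}/{action_set}")

    def set_category(self, user, category, state, action_set):
        self.categories[category] = (state, action_set)
        self._record(user, f"category {category} -> {state}/{action_set}")

    def distribute(self, user):
        """Take a Distribution Snapshot; bump the major number only if changed."""
        if self.dirty:
            self.major += 1
            self.minor = 0          # assumption: minor resets on a new major
            self.dirty = False
        self.snapshots[self.version] = (copy.deepcopy(self.categories),
                                        copy.deepcopy(self.filters))
        self.history.append((self.version, user, "distributed"))
        return self.version

    def rollback(self, user, version):
        """Restore a snapshot; the rollback itself is a tracked change."""
        cats, filts = self.snapshots[version]
        self.categories, self.filters = copy.deepcopy(cats), copy.deepcopy(filts)
        self._record(user, f"rolled back to {version}")


def compare_profiles(a, b, only_differences=True):
    """Profile Compare: categories and filters whose state or action-set *name*
    differs between a and b. Action-set contents are not compared."""
    diffs = {"categories": {}, "filters": {}}
    for key in diffs:
        left, right = getattr(a, key), getattr(b, key)
        for k in sorted(set(left) | set(right), key=str):
            la, lb = left.get(k), right.get(k)
            if la != lb or not only_differences:
                diffs[key][k] = (la, lb)
    return diffs


def global_filter_search(profiles, numbers):
    """Global search across profiles: filter number -> {profile name: override}."""
    return {n: {p.name: p.filters.get(n) for p in profiles} for n in numbers}


if __name__ == "__main__":
    team_a = Profile("Team-A", {"Exploits": ("enabled", "Block + Notify")})
    team_a.set_filter("alice", 1777, "enabled", "Block + Notify")
    team_a.set_filter("alice", 164, "enabled", "Block + Notify")
    print("Team-A distributed as", team_a.distribute("alice"))
    team_b = Profile("Team-B", {"Exploits": ("enabled", "Block + Notify")})
    team_b.set_filter("bob", 1777, "enabled", "Block + Notify")
    team_b.set_filter("bob", 164, "enabled", "Permit + Notify")
    print("Team-B distributed as", team_b.distribute("bob"))
    print("compare:", compare_profiles(team_a, team_b))
    print("global search:", global_filter_search([team_a, team_b], [1777, 164]))
    for entry in team_a.history:
        print("audit:", entry)
```

The audit trail keeps the version at which each change was made and who made it, which is what the History view gives you for forensics; the compare output is keyed by category name and filter number so that only the differing entries appear when `only_differences` is set, matching the check box on the Profile Compare by Filter slide.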
