This article presents some of the common checkpoints when reviewing a Tipping Point IPS for an enterprise. Although the points discussed could be configured or mis-configured on any IPS, this is not an exhaustive list.
For the benefit of the reader, Tipping Point “protects your network by scanning, detecting, and responding to network traffic according to the filters, action sets, and global settings maintained on each device by a client. Each device provides intrusion prevention for your network according to the amount of network connections and hardware capabilities”.
The primary set-up of an IPS in an organization would consist of the following:
1. IPS Devices & Local Client
2. Core Controller
3. Security Management System (SMS server and client)
A visual depiction is shown in Figure 1, which roughly depicts the overall architecture in a typical set-up for an organization’s network.
Figure 1: IPS in Network Architecture (Source: Tipping Point LSM User Guide)
Some of the common points to review are the following:
1) Filters & Profiles
This setting is of utmost importance in any IPS/IDS and is worth investing more time in. These filters will eventually set the rules for what is allowed and not allowed into or out of the network.
The first consideration when reviewing filters is to evaluate the ‘Security Profiles’ set in the IPS. The admin would generally divide the complete network into meaningful network segments, and each segment would be allowed a set of protocols to communicate across.
IPS > Security Profiles
Each of these profiles gives Digital Vaccine coverage to these segments.
There are other profiles, such as the Traffic Management profiles, that help monitor network traffic into and out of these segments and can be tuned with thresholds to avoid network congestion. Unless your network is small or medium sized, these must be defined and set to optimum values.
Review Filters:
Tipping Point defines 3 kinds of filters:
- Application Filters
- Infrastructure Filters
- Performance Filters
The search feature comes in handy: you can pick and select the suspicious or ‘insecure’ rules mapped to the respective profiles, as shown below:
Figure 2: Profile Menu and search criteria
A. Review the above in general to see what’s enabled and what’s disabled. Check with the team whether there are specific reasons for suppressing some of the filters.
B. Review these filters to see if a recommended filter is disabled and check with the team on the reasons why; this applies to the Action settings for the filters as well. The filters can be viewed by selecting:
IPS > Security Profiles > View all filters
C. Filter settings are used to override the global settings for individual filters within a category group. Check for exceptions here and ask whether they went through change management, or whether there is an appropriate business justification for them.
D. For DDoS filters, check the below:
- Action taken
- Threshold for the maximum number of SYN connection requests allowed per second
E. Preferences: it is a good idea to collect the system-related parameters that have been set, such as timeout and congestion threshold.
F. Unlike in the case of firewalls, everything is set to ANY - ANY by default here. This means that all traffic sent to and from any port will be inspected as per the filters.
Any realistic network would require some exceptions, though. This is done by creating ‘filter-level settings’ and overriding the global ‘Defaults’. Do check the filter-level settings to verify what is allowed and why. More often than not this would have been a temporary requirement and should be reset once the task is done.
Below is an example of some filters that have been set to permit exploit signatures and vulnerabilities of critical severity.
Figure 3: Action set to permit/permit-notify for critical exploits
In another example, the action set was ‘disabled’ for some critical exploits and mapped to certain profiles.
Figure 4: Action Set disabled
While some of these may not be relevant issues, others would be. It is worth noticing which signatures are marked for ‘Exception’, ‘locked’, ‘AFC’, ‘State’ and so on.
Figure 5: Critical filters set to Permit
For the rest of the interface, the explanations are self-explanatory, along with the CVEs provided for further analysis.
In the same way, other filters such as reputation and DDoS filters should be looked into.
Note: If the action for the filter is set to Recommended and you do not change it, the filter may remain disabled even when you select the Enabled check box. This happens when the recommended setting for the filter state is Disabled. To enable a filter with this setting, you must change the action from Recommended to another option.
2) System Settings & Update
Managing an SMS system along with the various IPS devices in the network can be a task. As a reviewer, however, the system settings are relatively straightforward to check for any issues. A mini cheat sheet can help in a quick review.
a. Check if the below are the latest or up to date:
i. Version of the TOS
ii. The Digital Vaccine
iii. IP Reputation package
b. Automatic updates are enabled for DV or a regular schedule is followed: System > Update > Auto DV Update
Figure 6: DV set to Automatic update
c. When was the system last updated?
d. Check with the team if the device is ready for a roll back if needed. Has this been tested?
e. Have system snapshots been taken?
f. In case of an LSM, check to see how the system is being managed: has a secure management port been set, if and for which subnets has management routing been enabled and why, time options set, routing for SMS, etc.
g. Has the system been integrated with an Email server? If yes, you need to check the contacts, the kind of filters enabled for alerting and whether any critical filters have been left out.
Paths to look for: System > Update > Install Package
Authentication:
Review the mode of administration of the system to check:
a. How many users have been created and with what privileges. There are primarily three types of users: Operator, Admin and Super user.
b. Password policy while setting user passwords for the device: check to see if this is Level 2. Any less can be reported. Match with the client’s password policy.
c. Check for other miscellaneous things such as timeouts, page refresh, password expiration, lock outs and so on.
Paths to look for: Authentication > Preferences
Figure 8: Device Configuration
3) Logging & Alerting
There are many instances during communication when we would configure events to be recorded for suspicious activities or further inspection. These could be classified depending on the actions taken on the traffic.
One of the tables shows how this is done in Tipping Point > Profiles > Action Sets
Figure 9: None of the actions are marked for Syslog
- A quick run-through of the logs should give some idea about the issues. Review the logs to check for unexpected activities and attacks. Check with the team to see if these have been handled.
- It is also a good idea to verify what kind of events are being logged and mark those that have been missed.
- Check the ‘Trace’ events in particular.
- Log Storage: verify if and for how long the logs are stored and where, the security of the logs and whether any monitoring is done on those. Look for the presence of a SIEM and major incidents, if any.
Alerts: Check to see which contacts are to be emailed for alerts and whether the right kind of events, along with the appropriate set of details, are mailed to the rightful owner.
Figure 10: Format of Audit Log Parameters in the IPS
Note: Only Administrator and Super-user level users can reset the system log. Only Super user level users can reset the audit log. All can view the logs.
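Added example, not part of the original post: a small check over action-set definitions, represented here as constructed dictionaries rather than any real SMS export, that flags the situation in Figure 9 (no action set forwards events to syslog) and the Alerts point above (email notification with no contacts). Field names and action-set names are assumptions.

```python
# Constructed action sets, loosely modelled on what Profiles > Action Sets
# shows; names, notification targets and contacts are made up.
ACTION_SETS = [
    {"name": "Block + Notify", "action": "Block",
     "notify": ["management console"], "contacts": []},
    {"name": "Permit + Notify", "action": "Permit",
     "notify": ["management console"], "contacts": []},
    {"name": "Quarantine", "action": "Quarantine",
     "notify": ["management console", "email"], "contacts": []},
    {"name": "Block + Syslog", "action": "Block",
     "notify": ["management console", "syslog"], "contacts": []},
]


def audit_action_sets(action_sets, siem_present=True):
    """Return findings for action sets whose events never leave the device
    or whose email notification has nobody to mail."""
    findings = []
    syslog_anywhere = False
    for a in action_sets:
        targets = {t.lower() for t in a["notify"]}
        if "syslog" in targets:
            syslog_anywhere = True
        else:
            # Events stay on the device; nothing reaches log storage or the SIEM
            findings.append(f"{a['name']}: {a['action']} events not sent to syslog; "
                            f"only {', '.join(sorted(targets))}")
        if "email" in targets and not a["contacts"]:
            findings.append(f"{a['name']}: email notification set but no contacts assigned")
    if siem_present and not syslog_anywhere:
        findings.append("no action set forwards to syslog; the SIEM receives no IPS events")
    return findings


if __name__ == "__main__":
    for finding in audit_action_sets(ACTION_SETS):
        print(finding)
```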
4) Traffic Management & Streams
Traffic management filters are the ones that allow or deny access in and out of segments over predefined protocols. Additionally, they allow the user to ‘Rate Limit’ the traffic based on certain criteria.
Check this to see if the organization utilizes these to rate limit traffic for DoS-prone protocols, restrict UDP traffic, condition egress filtering and so on. Without these advanced filters being set, an IPS may just be reduced to a smarter firewall. An example of this is shown below:
Figure 11: Traffic management filters not set
Streams
These can be of the below types:
- Blocked streams
- Rate-Limited streams
- Quarantined
- Trusted
These are all as the name suggests and can be verified at the path below:
Events > Managed Streams > Blocked Streams, Rate Limited Streams and so on.
If these have not been set sufficiently, then traffic amplification based attacks might go undetected or cause unavailability. Moreover, this is one of the features that differentiates an IPS from a firewall and should be used effectively.
5) Availability & Reporting
The IPS can be run in various High Availability modes. Check to see if any, and which ones, are enabled, and whether that suits the architecture and redundancy expected from the IPS:
- Intrinsic Network HA (INHA) for individual device deployment > Layer-2 Fallback, default allow ALL
- Transparent High Availability (TRHA) for devices deployed in a redundant configuration where one device takes over for the other in the event of system failure.
- Zero-Power High Availability, which provides high availability through an external device or through a Smart ZPHA module.
System > High Availability
Check to see if any of these are set and, if yes, whether it suits the network architecture and the respective IPS placement. Below is a setting that shows an example of a High Availability setup for the device.
Figure 12: HA status as reflected in device configuration
Figure 13: Devices > Member Summary > HA
Figure 14: ‘Back Ups’ state for a sample IPS
Note: Look for the REDs in the configuration settings. Most of the time these are obvious mis-configurations that might yield some good findings.
Reporting: The IPS provides a lot of options for reporting on a daily, weekly and monthly basis. The reviews and checks conducted above should give a fair idea as to what type of reports are necessary for the organization in the short, medium and long term. The important ones to look for are as follows:
- Attack reports by the filters and action sets
- Rate Limit & DDoS reports for traffic streams
Path to look into: IPS > Reports
Verifying the above would give you an overall idea of what kind of traffic is coming in and going out, what kinds of connections and attack scenarios the network is prone to, whether there are attempts (and how many) to overload the network bandwidth, and whether the network is capable of facing them. These should be cross-checked against the monitoring done by the internal team and the actions taken, if any.