g400/g2000 appliances user guide - ibm€¦ · appliance help, and in the readme files associated...

®

G400/G2000AppliancesUser Guide

Internet Security Systems, Inc.6303 Barfield RoadAtlanta, Georgia 30328-4233United States(404) 236-2600http://www.iss.net

© Internet Security Systems, Inc. 2003-2005 All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc.

Patent Pending.

Internet Security Systems, System Scanner, Wireless Scanner, SiteProtector, Proventia, Proventia Web Filter, Proventia Mail Filter, Proventia Filter Reporter, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure, SecurePartner, SecureU, and X-Press Update are trademarks and service marks, and the Internet Security Systems logo, X-Force, SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. InstallShield is a registered trademark and service mark of InstallShield Software Corporation in the United States and/or other countries. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to [email protected].

March 27, 2005

http://www.iss.net

mailto:[email protected]

Contents

Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiAbout Proventia Appliance Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ixConventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xGetting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Chapter 1: Introduction to the Proventia G400/G2000 Appliances . . . . . . . . . . 1Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1About the Proventia Intrusion Prevention Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2What’s New in This Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Overview of Inline Appliance Operation Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Overview of Inline Appliance with HA Operation Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Part I: Getting StartedChapter 2: Using Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Accessing Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Starting Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Installing the License File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Using the Proventia Manager Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3: Updating the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Updating the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Using the SiteProtector X-Press Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Viewing the Status of Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Installing Available Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Configuring Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Manually Downloading and Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Configuring an Update Advanced Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Part II: Configuring the ApplianceChapter 4: High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35About High Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36High Availability Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38High Availability Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39High Availability Configuration Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41SiteProtector Management with HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 5: Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Setting Up a Local Configuration Interface and Logging On the Appliance . . . . . . . . . . . . . . . . . . . . . . 46Logging Out of the Local Configuration Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

iiiProventia G400/G2000 Appliances User Guide

Contents

Section A: Configuring Appliance and Agent Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Viewing the Appliance Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Backing Up the Current Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Restoring a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Disabling Remote Root Access to the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Rebooting or Shutting Down the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Viewing the Status of Appliance Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Restarting the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Changing the Agent Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Section B: Configuring Network, Time, and SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . 59Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Changing the Network Configuration Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Changing the Host Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Changing the Link Speed and Duplex Mode Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Changing the Date and Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Changing the Time Zone Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Changing NTP Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Changing Appliance Passwords through the Local Configuration Interface . . . . . . . . . . . . . . . . . . . . . 66Changing SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Chapter 6: Configuring Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69About Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Configuring an Email Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Configuring a Log Evidence Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Configuring Quarantine Response Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Configuring an SNMP Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Configuring a User Specified Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Chapter 7: Monitoring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81About Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Section A: Security Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83About Security Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Using Response Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88About Protection Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Managing Quarantine Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Section B: Connection Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93About Connection Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Adding a Connection Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Editing the Properties of a Connection Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Removing a Connection Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Section C: User-Defined Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99About User-Defined Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Adding a User-Defined Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Editing the Properties of a User-Defined Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Removing a User-Defined Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Context Descriptions for User-Defined Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Regular Expressions in User-Defined Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

iv

Contents

Section D: Trons Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113About Trons Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Adding a Trons Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Editing the Properties of a Trons Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Removing a Trons Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Part III: Managing the ApplianceChapter 8: Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121About Firewall Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Firewall Rules Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Customizing Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Firewall Advanced Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Chapter 9: Managing the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Viewing the Status of System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Changing Appliance Passwords in Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Configuring an SNMP Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Configuring an Email Notification Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Editing the Network Card Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Configuring the Size of the Alert Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Configuring an Advanced Local Tuning Parameter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Configuring a Global Tuning Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Configuring the External Kill Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Using the Traceroute Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150Pinging a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Stopping the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Chapter 10: Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Accessing the Alerts Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154Getting More Information about Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Refreshing and Searching the Alerts List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Saving the Alerts List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Clearing the Alerts List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Managing Saved Alert Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Chapter 11: Managing with SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Managing with SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Enabling SiteProtector Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164Configuring SiteProtector Management Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

vProventia G400/G2000 Appliances User Guide

Contents

vi

Preface

Overview

Purpose of this guide

This guide explains how to configure and use the Proventia G400/G2000 appliances and the Proventia Manager software.

Scope The Proventia G400/G2000 Appliances User Guide includes information about the following topics:

● changing configuration settings

● using the Proventia Manager Local Management Interface (LMI)

● configuring events, responses, rules, policies. and advanced parameters

● reinstalling the appliance software

● customizing firewall rules

● configuring quarantine responses

● reinstalling the appliance software

● high availability

Audience This guide is intended for network security system administrators who are responsible for configuring and managing the Proventia G400/G2000 appliances in a network environment. A fundamental knowledge of network security policies and IP network configuration is helpful.

What’s new in this guide

The latest up-to-date documentation is always available in the Proventia Manager appliance Help, and in the Readme files associated with each release.

This guide supports the 1.0 release of the next generation of Proventia Intrusion Prevention Appliances. The documentation is available in the Help, and in the Readme files associated with each release.

This release contains new information about the following:

● new models G400 and G2000 (copper, fiber, and copper-fiber)

● changes to the Proventia Setup Utility for the G400 and G2000 models

● ability to select operational mode at the port level

● ability to manage the appliance locally using Proventia Manager

● using protection domains as virtual sensors

● high availability failover protection

viiProventia G400/G2000 Appliances User Guide

Preface

About Proventia Appliance Documentation

Introduction Complete all of the installation procedures before you configure your appliance. The Quick Start Guide included with your appliance provides the installation procedures.

What’s in this guide This guide explains how to configure the G400/G2000 appliances using the Proventia Manager software and the Proventia Setup Utility (your local configuration interface).

Use Part I–Getting Started to learn about the appliance features and capabilities. Procedures are provided about how to start using Proventia Manager to access and manage the appliance. Information is provided to help you verify your initial appliance configuration settings.

Use Part II–Configuring the Appliance to learn the procedures for configuring intrusion prevention, firewall settings, and high availability.

Use Part III–Managing the Appliance to locate information about how to manage and maintain your Proventia G400/G2000 appliances.

Locating additional documentation

Additional documentation described in this topic is available on the ISS Web site athttp://www.iss.net/support/documentation/.

Related publications See the following for more information about the appliance:

Document Contents

Proventia G400/G2000 Appliances Quick Start Guide

Instructions and requirements for installation and initial configuration of the G400/G2000 appliance.

Proventia G400/G2000 Help

Help located in Proventia Manager.

Proventia G Series Appliance Data Sheet

General information about appliance features located at http://documents.iss.net/literature/proventia/ProventiaGSeries_Datasheet.pdf.

Proventia G Series Appliance Frequently Asked Questions

Frequently asked questions about the appliance and its functions located at http://documents.iss.net/literature/proventia/ProventiaGSeries_FAQ.pdf.

Readme File The most current information about product issues and updates, and how to contact Technical Support located at http://www.iss.net/download/.

Table 1: Reference documentation

viii

http://www.iss.net/support/documentation/

http://documents.iss.net/literature/proventia/ProventiaGSeries_Datasheet.pdf



http://documents.iss.net/literature/proventia/ProventiaGSeries_FAQ.pdf

http://documents.iss.net/literature/proventia/ProventiaGSeries_FAQ.pdf

http://www.iss.net/download/


Conventions Used in this Guide

Conventions Used in this Guide

Introduction This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.

In procedures The typographic conventions used in procedures are shown in the following table:

Command conventions

The typographic conventions used for command lines are shown in the following table:

Convention What it Indicates Examples

Bold An element on the graphical user interface.

Type the computer’s address in the IP Address box.Select the Print check box. Click OK.

SMALL CAPS A key on the keyboard. Press ENTER.Press the PLUS SIGN (+).

Constant width

A file name, folder name, path name, or other information that you must type exactly as shown.

Save the User.txt file in the Addresses folder.Type IUSR__SMA in the Username box.

Constant width italic

A file name, folder name, path name, or other information that you must supply.

Type Version number in the Identification information box.

A sequence of commands from the taskbar or menu bar.

From the taskbar, select Start Run.On the File menu, select Utilities Compare Documents.

Table 2: Typographic conventions for procedures

Convention What it Indicates Examples

Constant width bold

Information to type in exactly as shown.

md ISS

Italic Information that varies according to your circumstances.

md your_folder_name

[ ] Optional information. dir [drive:][path] [filename] [/P][/W] [/D]

| Two mutually exclusive choices.

verify [ON|OFF]

{ } A set of choices from which you must choose one.

% chmod {u g o a}=[r][w][x] file

Table 3: Typographic conventions for commands

ixProventia G400/G2000 Appliances User Guide

Preface

Getting Technical Support

Introduction ISS provides technical support through its Web site and by email or telephone.

The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to frequently asked questions (FAQs), white papers, online user documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.net/support/knowledgebase/).

Support levels ISS offers three levels of support:

● Standard

● Select

● Premium

Each level provides you with 24-7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at [email protected] if you do not know the level of support your organization has selected.

Hours of support The following table provides hours for Technical Support at the Americas and other locations:

Contact information The following table provides electronic support information and telephone numbers for technical support requests:

Location Hours

Americas 24 hours a day

All other locations

Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding ISS published holidays

Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 4: Hours for technical support

Regional Office

Electronic Support Telephone Number

North America Connect to the MYISS section of our Web site:

www.iss.net

Standard:(1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Select and Premium:Refer to your Welcome Kit or call your Primary Designated Contact for this information.

Latin America [email protected] (1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Table 5: Contact information for technical support

x

http://www.iss.net/support/

http://www.iss.net/support/

http://www.iss.net/support/knowledgebase


http://www.iss.net


Getting Technical Support

Europe, Middle East, and Africa

[email protected] (44) (1753) 845105

Asia-Pacific, Australia, and the Philippines

[email protected] (1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Japan [email protected] Domestic: (81) (3) 5740-4065

Regional Office

Electronic Support Telephone Number

Table 5: Contact information for technical support (Continued)

xiProventia G400/G2000 Appliances User Guide




Preface

xii

Chapter 1

Introduction to the Proventia G400/G2000 Appliances

Overview

Introduction This chapter describes the Proventia G400/G2000 appliances. The appliances come pre-configured with factory default settings that protect your system with a minimum of additional configuration.

In this chapter This chapter contains the following topics:

Topic Page

About the Proventia Intrusion Prevention Appliances 2

What’s New in This Release 4

Overview of Inline Appliance Operation Modes 6

1Proventia G400/G2000 Appliances User Guide

Chapter 1: Introduction to the Proventia G400/G2000 Appliances

About the Proventia Intrusion Prevention Appliances

Introduction The Proventia Intrusion Prevention appliances are inline intrusion prevention systems (IPS) that automatically block malicious attacks while preserving network bandwidth and availability.

Appliance diagram Figure 1 shows a functional overview of the Proventia Intrusion Prevention appliances:

The Proventia Intrusion Prevention appliances offer proven intrusion prevention technology including:

● high speed deep traffic analysis

● multiple methods of detection

● automatic updates from ISS X-Force – the world leader in security research and vulnerability detection

● high availability configuration

In addition, the Proventia Intrusion Prevention appliances have automatic protection capabilities including ISS X-Force tagging of events such as block or alert and tuning.

Installing and configuring an appliance

ISS delivers appliances with pre-installed software. See the Quick Start Guide that is provided with the appliance for instructions on installing the hardware and configuring the software.

Managing the appliance from the console

After you complete the configuration steps listed on the Quick Start Guide, you must configure additional appliance settings and edit appliance policies from the SiteProtector management console.

Reference: For instructions on managing the appliance from the management console, see the SiteProtector user documentation at http://www.iss.net/support/documentation/ or the SiteProtector Help.

Protected Network

attack traffic

permitted traffic

000111000101110001110001110001

101010100

00111000111100011100011100011010101000 payload

header

payload

header

HTTP

HTTP

Proventia inspectsHTTP packet

Protects againstattack

Firewall inspects header

Allows web trafficto pass

2



About the Proventia Intrusion Prevention Appliances

Accessing the SiteProtector Help

To access the SiteProtector Help:

1. On the Console menu bar, select Help→SiteProtector Help.

2. Open the Working with Proventia A and Proventia G Appliances and Sensors section.

3. Look up “Working with Proventia Appliance Policies” and “Working with Asset Properties and Responses.”

Licensing The Proventia Intrusion Prevention appliances require a properly configured license key. If you have not installed the appropriate license key through the management console and Proventia Manager, you will not be able to update the appliance. Contact your local sales representative to purchase a license for the appliance.

Proventia Setup Utility

The Proventia Intrusion Prevention Setup Utility is your local configuration interface. Use this tool to initially configure your appliance settings. See “Using the Proventia Setup Utility” on page 46.

Proventia Manager Proventia Manager offers a Web-based graphical user interface (GUI) for local appliance management. Use Proventia Manager to manage the appliance. Proventia Manager provides local management of the following functions:

● monitoring the status of the appliance

● configuring operation modes

● configuring firewall settings

● managing appliance settings and activities

● reviewing alert details

● configuring high availability

● managing policies with protection domains (The only to place to view this function).

Note: You can only use Proventia Manager or SiteProtector to manage policies. You cannot use both at the same time to manage policies.

High availability The Proventia G400/G2000 High Availability (HA) feature enables the Proventia G Intrusion Prevention appliances to work in an existing high availability network environment. The appliances pass all traffic between them over mirroring links. This ensures that both appliances see all of the traffic over the network, and thus maintain state. This also allows the appliances to see asymmetrically routed traffic, if necessary, and thus fully protect the network. The Proventia G High Availability support is limited to two cooperating appliances.

Both appliances process packets inline and block attack traffic that arrives on their inline monitoring ports, not on their interconnection/mirror ports. Both appliances also report events received on their inline monitoring ports to the management console.



What’s New in This Release

Introduction This release includes support for the new Intrusion Prevention appliances: Proventia G400 and Proventia G2000. These appliances are inline intrusion prevention systems (IPS) that automatically block malicious attacks while preserving network bandwidth and availability.

The new appliances offer the following capabilities:

● three modes of operation, configured at the port level

■ inline protection

■ inline simulation

■ passive monitoring

● high availability (HA) modes (cannot be configured at port level)

■ normal mode

■ HA simulation mode

■ HA protection mode rules

● firewall rules

● granular policy implementation (Protection Domains)

● quarantine response

● block

● TCP dump

● agent settings for processing traffic

● SNMP configuration (Simple Network Management Protocol)

● X-Force recommended blocking responses

● a Web-based local management interface (Proventia Manager)

New modes of operation

The inline appliance can operate in one of six modes. Three of those modes operate in a high availability environment. Use this feature to tune the appliance without disrupting your network, blocking legitimate traffic, or high availability deployment.

Reference: See “Overview of Inline Appliance Operation Modes” on page 6 for more information.

Firewall rules You can configure firewall rules that apply globally to stop attackers from accessing Trojan viruses or probing networks. When appropriate, using firewall rules is preferred over using connection events to help improve the efficiency of the appliance.

Reference: See “Customizing Firewall Rules” on page 127 for more information.

Quarantine response

The inline appliance uses the quarantine response to block traffic for a specified amount of time after an initial attack.

Reference: See “Overview of Inline Appliance Operation Modes” on page 6 and “Configuring Quarantine Response Objects” on page 74 for more information.

4

What’s New in This Release

Block response The inline appliance uses the block response to block and reset a connection in which an event occurs or to drop the packet that triggered an event.

Reference: See“Overview of Inline Appliance Operation Modes” on page 6 for more information.

Event details for quarantine and block responses

You can view event details in SiteProtector to determine if the block or quarantine responses were used for an event.

Agent settings for processing traffic

You can configure settings that tell the agent how to process traffic when the network is congested, when the agent is not responding, or during an agent update.

Reference: See the chapter on “Managing the System” on page 131 for more information.



Overview of Inline Appliance Operation Modes

Three operation modes

The inline appliances include three operation modes as follows:

● passive monitoring

● inline simulation

● inline protection

You selected one of these operation modes when you installed the appliance software. Or you can use the default operation mode and install a different one later.

Passive monitoring In this mode, block is the only response that can modify network traffic. When block response is enabled, the appliance will send a reset to block a TCP connection. Works similar to IDS, sniffing traffic, but not inline.

Usage: Use this mode to tune the appliances for subsequent inline protection by sampling traffic.

Inline simulation This mode includes all the functionality of the passive monitoring mode. In addition, firewall rule actions Drop and DropAndReset are disabled. The block and quarantine responses are enabled, but packets are not dropped when these responses are invoked. In inline simulation mode, the appliance does not reset TCP connections by default. In this mode, traffic is not impacted.

: Use this mode when you need to do the following: ● tune your policies in a production environment without the risk of adversely affecting your network traffic

● verify that the appliances are not disrupting your network or blocking legitimate traffic

Inline protection This mode includes all the functionality of passive monitoring mode. In addition, all firewall rules are enabled, so any packets that match a Drop and DropAndReset firewall action are dropped and not processed any further by the appliance. In this mode, all rules configured are applied.

Changing appliance modes

If you change from the passive monitoring mode to the inline simulation or inline protection mode, you must also change the network connections to your appliance. An appliance operating in passive monitoring mode requires a connection to a tap, hub, or SPAN port.

6

Overview of Inline Appliance with HA Operation Modes

Overview of Inline Appliance with HA Operation Modes

Three operation modes

In a HA configuration, the appliance can only operate in either inline simulation or inline protection modes. Normal monitoring mode is not supported.

If HA simulation mode is selected, all monitoring adapters will be put in inline simulation mode automatically. If HA protection mode is selected, all monitoring adapters will be put in inline protection mode automatically. In normal mode, each adapter can be configured to run in a different operational mode.

High Availability addresses the operation of inline appliances in a high availability environment. It does not address the availability or fault-tolerance of the appliances themselves. Therefore, there is no separate high availability solution for appliances configured and wired for passive monitoring mode.

● normal mode

● HA simulation mode

● HA protection mode

You selected one of these operation modes when you installed the appliance software. Or you can use the default operation mode and install a different one later.

Normal mode In Normal operation mode, the appliance does not cooperate with another appliance. Appliance can be configured to run in inline protection, inline simulation and passive monitoring modes at the adapter level.

HA simulation mode In HA simulation mode, both HA partner appliances monitor traffic inline but do not block any traffic. Instead they provide passive notification responses. The appliances also monitor the traffic on each other’s segment via mirror links – ready to take over notification in case of network failover.

HA protection mode In protection mode, both HA partner appliances monitor traffic inline and each report and block the attacks received on their inline ports. The appliances also monitor the traffic on each other’s segment via mirror links – ready to take over reporting and protection in case of network failover.



8

TM

Part I

Getting Started

Chapter 2

Using Proventia Manager

Overview

Introduction This chapter describes how to start using the Proventia Manager. Proventia Manager is the Web-based GUI for the G400 and G2000 appliances. Use Proventia Manager to perform updates, make adjustments, and augment configuration settings.

Note: Initial appliance installation and network configuration steps are defined in the Proventia G400/G2000 Appliances Quick Start Guide.


Recommendations Prior to using the appliance, you must install the license key. Additionally, ISS recommends that you perform the following tasks:

● view your component status on the Home page

● update the firmware

● configure update settings

● configure and update intrusion prevention settings

● configure the firewall

Topic Page

Before You Begin 12

Accessing Proventia Manager 13

Starting Proventia Manager 14

Installing the License File 15

Using the Proventia Manager Home Page 16


Chapter 2: Using Proventia Manager

Before You Begin

Introduction Before you access the Proventia Manager, you must complete the initial configuration and setup of the appliance.

Initial configuration Before you begin, make sure you have completed all of the steps in the Quick Start Guide for your appliance.

Initial requirements Verify that you have done the following:

1. Properly installed the hardware and connected the cables.

2. Created a connection using a VT100 compatible terminal emulation program, with the recommended settings.

3. Completed all initial setup configurations, including the following:

■ logged on to the appliance with the Proventia Setup Utility (your local configuration interface)

■ configured the command line and Web passwords

■ configured the management interface

■ configured the time and date

■ applied the settings

Important: You can find detailed procedures for these steps in the Quick Start Guide. The Proventia G400/G2000 Appliances Quick Start Guide is available on the ISS Web site at http://www.iss.net/support/documentation/.

12

http://www.iss.net/support/documentation/.

Accessing Proventia Manager

Accessing Proventia Manager

Introduction Before you configure your appliance, you must log on to Proventia Manager. This topic explains what steps are required before you can access Proventia Manager.

Prerequisites After you perform network configurations, you must do the following before you can access the Proventia Manager:

Reference: See the Help for more information about accessing and using the Proventia Manager.

Prerequisite

Verify that you received a valid license from your ISS Operations or Partner personnel.

Download the license, and then save it locally to upload to the appliance. ISS recommends that you upload the license so that you can download the latest updates automatically.

Reference: See “Installing the License File” on page 15.

Verify that you have Internet Explorer Version 6 or later installed.

Connect a computer or laptop to the internal network.

Verify that your Client TCP/IP settings are properly configured for your network.

Table 6: Prerequisites for accessing Proventia Manager



Starting Proventia Manager

Procedure To start Proventia Manager:

1. Start Internet Explorer 6.

2. Type https:// followed by the IP address of the appliance’s management interface you configured during initial setup.

Reference: See the Proventia G400/G2000 Appliances Quick Start Guide for detailed instructions.

Important: You must use a secure connection to access Proventia Manager. Be sure you use https:// in the address bar.

3. Log in using the user name admin and the Proventia Manager password that you configured for the appliance during initial setup.

4. If a message informs you that you do not have Java2 Runtime Environment (JRE) Version 1.4.2 installed, install it now, and then return to this procedure and log in again.

A Welcome screen appears.

5. Select Yes or No to access the Getting Started procedures.

6. Click Launch Proventia Manager.

Note: ISS recommends that you use the Getting Started procedures to help you customize the appliance settings. If this screen does not appear, you can also access the Getting Started procedures from the Help.

Accessing the Proventia Manager Help

To access the Proventia Manager Help:

● On the Proventia Manager Home page, click Help.

The Home Page topic appears.

14

Installing the License File

Installing the License File

Introduction You must install a license file for Proventia Manager.

Use the procedure below to install the license file. This is necessary to make your appliance run at full capability. Installation involves saving the license file information to the appropriate location so that the Proventia Manager software can locate and acknowledge it.

Note: To purchase a license file for your appliance, contact your ISS sales representative.

Prerequisite Before you install the license file, complete the following:

● register your customer license

● download the license from the ISS Registration Center (http://www.iss.net/support)

About the Licensing page

The Licensing page displays important information about the current status of your license file, including expiration dates. Additionally, this page allows you to access the License Information page, which includes information about how to acquire a current license.

Installing the license file

To install the license file:

1. On the Proventia Manager navigation pane, select System→Licensing.

The Licensing page appears.

2. Click Browse.

3. Locate the license file that you downloaded.

4. Click OK.

The license directory path appears in the field.

5. Click Upload.

The license is installed in the appropriate directory for the appliance.

Reference: See the Help for more information about accessing and using the Proventia Manager.



Using the Proventia Manager Home Page

Introduction The Proventia Manager Home page provides a snapshot of the current status of the appliance. Check the Home page often to obtain the following information:

● protection status

● system status

● important messages

Tip: See the Help for more information about accessing the Home page.

Protection status The protection status area describes the current status the intrusion prevention component.

Selecting a component name links you to the component status page.

Protection status icons

Determine the current status of a component by glancing at the status icon. Status icons are as follows:

System status The system status group box describes the current status of the system. The following table describes the data available in the system status area:

Icon Description

Indicates that the component is active.

Indicates that the component is stopped.

Indicates that the component is in an unknown state. This status may require immediate attention.

Table 7: Protection status icons

Statistic Description

Model Number The model number of the appliance. Model possibilities are:

• G400

• G2000

Base Version Number The base version of the appliance software.

Note: The base version is the software version shipped with the appliance, or the software version of the most recent firmware update.

Uptime The length of time that the appliance has been online. The time is given in the following format:

x days, x hours, x minutes

Last Restart The time the appliance was last restarted. The time is given in the following format:

yyyy-mm-dd hh:mm:ssExample: 2004-05-04 16:24:37

Table 8: System Status statistics

16

Using the Proventia Manager Home Page

Important messages

The Home page displays important messages about licensing and updates. If you have not configured your system to download updates automatically, such messages may appear with a link to the appropriate Proventia Manager page.

Last Firmware Update The time the appliance firmware was last updated. The time is given in the following format:

yyyy-mm-dd hh:mm:ss - version: x.xExample: 2004-05-04 16:25:56 - version: 1.7

Last Intrusion Prevention Update

The time the appliance firmware was last updated. The time is given in the following format:

yyyy-mm-dd hh:mm:ss - version: x.xExample: 2004-01-25 12:34:36 - version: 1.7

Last System Backup The time the last system backup was created. The time is given in the following format:

yyyy-mm-dd hh:mm:ssExample: 2004-05-04 15:49:01

Backup Description The type of backup on the appliance. The backup possibilities are:

• Factory Default

• Full System Backup


Table 8: System Status statistics (Continued)



18

Chapter 3

Updating the Appliance

Overview

Introduction This chapter describes how to update your appliance in Proventia Manager. You can manually download and/or install firmware updates and security updates, or you can configure the appliance to automatically download and install some or all updates at designated times.


Topic Page

Updating the Appliance 20

Using the SiteProtector X-Press Update Server 22

Viewing the Status of Updates 23

Installing Available Updates 25

Configuring Automatic Updates 26

Manually Downloading and Installing Updates 29

Configuring an Update Advanced Parameter 31


Chapter 3: Updating the Appliance


Introduction You should always make sure your appliance is running the latest firmware and intrusion prevention updates. Your appliance retrieves updates from the ISS Download Center, accessible over the Internet.

You can update the appliance in two ways:

● configure automatic updates

● find, download, and install updates manually

Types of updates You can install the following updates:

● firmware updates

● intrusion prevention updates

You can find updates from the Updates to Download page, and you can schedule automatic update downloads and installations from the Update Settings page.

Note: Some firmware updates require that you reboot your appliance.

How the appliance find updates

When you click the Find Updates button on the Update Status page, the appliance checks for the following:

● updates that are already downloaded to the appliance and ready to be installed

● updates that are available for download from the ISS Download Center

If the appliance finds updates to download or install, an alert message displays a link to the appropriate page (the Download Updates or Install Updates page).

Update packages and rollbacks

A rollback removes the last intrusion prevention update that was installed on the appliance. You cannot roll back firmware updates.

ISS recommends that you perform a full system backup before you install a firmware update. If you enable automatic firmware updates, you can enable the Perform Full System Backup Before Installation option.

After an update is installed, the appliance deletes the update package and the downloaded package is no longer on your appliance. If you roll back the update, the appliance is available for update downloads and installation the next time updates are available or at the next scheduled automatic update.

If you manage your appliance with SiteProtector

If you manage your appliance with SiteProtector, you can install an update while the appliance is registered with the SiteProtector Agent Manager.

Note: See “Using the SiteProtector X-Press Update Server” on page 4.

20


Update process and recommendations

ISS recommends that you do the following when you schedule updates:

● Create a system backup prior to installing any firmware updates.

Note: To ensure that you have a system backup before each automatic firmware update installation, you can enable the Perform Full System Backup Before Installation option on the Update Settings page. If you enable automatic system backup before firmware installation, then the appliance reboots and creates the system backup before it installs the firmware update. Your appliance stores only one system backup, so if you select this option then the appliance overwrites the previous system backup.

● Schedule automatic update checks at least one hour before installing firmware updates or performing a system backup, to allow time for the updates to download

● Schedule firmware updates outside business hours, as the appliance may go offline for several minutes during the installation process

Example You can configure the appliance to automatically download and install updates as follows:

● check for updates daily at 3:00 AM

● automatically download and install security updates

● automatically download firmware updates

● automatically perform a system backup and install available firmware updates daily at 5:05 AM

The following table describes the appliance update process with these settings:

Stage Description

1 At 3:00 AM, the appliance checks the ISS Download Center for updates.

2 The appliance downloads security and firmware updates.

3 The appliance installs security updates immediately.

4 At 5:05 AM, the appliance does the following:

• reboots, and then creates a system backup

• installs the firmware update, and then reboots if necessary

Table 9: An example of the update process



Using the SiteProtector X-Press Update Server

Introduction By default, the appliance uses the ISS Download Server at www.iss.net. If you use SiteProtector to manage your appliance, you can configure the appliance to use the SiteProtector X-Press Update Server as an alternate download server for updates. Configure the appliance to use the SiteProtector X-Press Update Server as an alternate update download server on the Update Settings page.

Why use the alternative download server?

If you use SiteProtector to manage your appliance, you may want to use the SiteProtector X-Press Update Server as an alternate update server for the following reasons:

● If you have a large deployment of appliances, you can save bandwidth on your Internet connection. Your appliances can request updates from one SiteProtector update server, rather than each appliance using bandwidth to download the same updates from the default ISS Download Center.

● If you want to download updates in a more secure environment and do not want every appliance to have access to the Internet for update downloads, the appliances can request updates from the SiteProtector update server. In this scenario, only the SiteProtector update server requires an Internet connection.

Configuring the Update Server

You use the advanced parameter Update.source.url to configure the Update Server.

Reference: See “Configuring an Update Advanced Parameter” on page 31 for a procedure.

22

Viewing the Status of Updates

Viewing the Status of Updates

Introduction You can perform the following tasks on the Update Status page (select Updates on the Proventia Manager navigation pane):

● view the status of downloads and installations

● view the history of firmware update installations

● roll back intrusion prevention updates

● manually find updates available for download

Finding updates When you click the Find Updates button on the Update Status page, the appliance checks for the following:


● updates available for install that are already downloaded to the appliance

If the appliance finds updates to download or install, an alert message displays a link to the appropriate page (the Download Updates or Install Updates page).

To find available updates:

1. On the Proventia Manager navigation pane, select Updates.

If your appliance model requires it, the Export Administration Regulation window appears.

2. If needed, review the Export Agreement, select Yes, and then click Submit.

The Update Status page appears.

3. In the Updates area, click Find Updates.

To view available downloads or updates, do one of the following:

■ if the appliance displays an available download alert message, click View Available Downloads to go to the Available Downloads page

■ if the appliance displays an available install alert message, click View Available Installs to go to the Available Installs page

■ select Available Downloads or Available Installs on the navigation pane

Rolling back updates

A rollback removes the last intrusion prevention update that was installed on the appliance. You cannot rollback firmware updates.

Note: ISS recommends that you perform a full system backup before you install a firmware update. If you enable automatic firmware updates, you can enable the Perform Full System Backup Before Installation option.

Update packages and rollbacks

After you install an update, the appliance deletes the update package. Therefore, the downloaded package is no longer on your appliance. If you roll back the update, then the update will be found as available for download and installation the next time you find updates or at the next scheduled automatic update.



Cumulative updates and rollbacks

Updates are cumulative. See the following example for a description of the appliance behavior during the rollback of cumulative updates.

Example: If you install version 1.1, do not install version 1.2, and then install version 1.3, version 1.2 is installed with version 1.3. However, the appliance does not rollback to version 1.2. A rollback to the last update takes the appliance back to version 1.1.

To roll back an update:


The Update Status page displays the status of the Intrusion Prevention and the Firmware updates.

2. Click the corresponding Rollback Last Update link, and then click OK.

The page automatically refreshes. If not, you can press F5to refresh the page and check the progress of the rollback.

24

Installing Available Updates

Installing Available Updates

Introduction Use the Update Settings page to configure how the appliance locates, downloads, and installs available updates.

Note: If the icon appears next to a field on this page, then data is required in the field or the data in the field is invalid. If the icon appears next to a policy or a tab on this page, then the policy or tab contains invalid settings or empty fields that require data.

Updates in SiteProtector

If you manage your appliance with SiteProtector, you can install an update while the appliance is registered with the SiteProtector console.

Troubleshooting If you experience unusual behavior after you apply a firmware update, try the following:

1. Close your Web browser.

2. Clear your Java cache.

3. Restart your Web browser and logon to Proventia Manager.

Note: For more information about how to clear your Java cache, see your operating system documentation.



Configuring Automatic Updates

Introduction You can configure your Proventia appliance to automatically download and install updates based on your settings.

Configure the following items for the automatic updates:

● enable or disable automatic updates

● enable or disable automatic installations

● schedule automatic updates and installations

Prerequisite You must install a Intrusion Prevention license before you can configure automatic updates. See “Installing the License File” on page 15.

Automatic update tasks

You can set the following on the Update Settings page:

Settings to define You must define the following settings to configure automatic updates for your appliance:

● when to check for updates

● when to download and install security updates

● when to download firmware updates

● how and when to install firmware updates

● which firmware update version(s) to install

Task 1: Automatically checking for updates

To specify when the appliance checks for updates:

1. On the Proventia Manager navigation pane, select Updates→Settings.



The Update Settings page appears.

3. Select the Update Settings tab.

4. Do one of the following:

Task Option Description

1 Automatically check for updates Configure this option to automatically check for any available updates.

2 Security updates Configure this option to automatically download available security updates.

3 Firmware updates Configure this option to automatically download firmware updates.

4 Install options Configure this option to automatically backup your system and install updates.

Table 10: Automatic update options

26

Configuring Automatic Updates

■ To check for updates daily or weekly:

- select Check for updates daily or weekly

- select the day to check for updates from the Day of Week list

- select a time from the Time of Day list

Note: If you want to check for updates on the same day that you select the Time of Day setting, you must schedule update checks at least 1 hour prior to your scheduled automatic updates to ensure that updates are downloaded before the scheduled automatic update time.

■ To check for updates more often than daily, select Check for updates at given intervals, and then use the slider bar to select a value or type a value in the Interval (minutes) field.

The minimum interval is 60 minutes. The maximum interval is 1440 minutes.

Task 2: Configuring automatic security updates

To specify whether the appliance automatically downloads and installs security updates:

1. To automatically download security updates, select the Automatically Download check box.

2. To automatically install security updates, select the Automatically Install check box.

Task 3: Configuring firmware updates

To configure firmware updates, select options from the following table:

If you want to... Then do this...

Automatically download firmware updates

• Select the Automatically Download check box.

Note: The appliance automatically downloads firmware updates each time it checks for updates. You can specify how often the appliance checks for updates in the Automatically Check for Updates area.

Perform a full system backup before the appliance installs the firmware update

• Select Perform Full System Backup Before Installation.

Important: This option is enabled by default. ISS recommends that you perform a full system backup before installing a firmware update. Your appliance stores only one system backup, so if you select this option then the appliance overwrites the previous system backup.

Download firmware updates but not install them

• Select Do Not Install.

Note: This option allows you to install updates manually. See “Manually Downloading and Installing Updates” on page 29.

Automatically install firmware updates

• Select Automatically Install Updates.

Important: If you select this option, the appliance may go offline for several minutes during the installation process.

Table 11: Configure firmware updates



Task 4: Specifying when to install firmware updates

To specify when to install firmware updates, select one of the options described in the following table:

Task 5: Specifying firmware update versions to install

To specify which firmware update versions to install:

1. In the Which version to Install area, select one of the following:

■ To install all versions up to the most recent version, select All Available Updates.

■ To install all versions up to a specific version number, select Up To Specific Version, and then type the version in the Version field.


■ On the Proventia Manager screen, click Save Changes.

If you want to... Then select this option... And then do this...

Install updates at a specific date and time

Delayed

Note: You must configure the automatic installation to occur at least 1 minute after automatic update downloads are complete.

• Select a day from the Day of Week list.

• Select a time from the Time of Day list.

Install new updates as soon as they are automatically downloaded

Immediate

Note: ISS does not recommend this option, as the installation process takes the system offline for several minutes.

N/A

Install one instance of updates at a specific date and time

Schedule One-Time Install • Type a date in the Date field.

Note: The date must be in the following format:

yyyy-mm-dd• Type a time in the Time

field.

Note: The time must be in the following military time format:

hh:mm

28

Manually Downloading and Installing Updates

Manually Downloading and Installing Updates

Introduction If you do not have automatic updates configured for the appliance or you want to install an available update off schedule, you can find and manually install updates.

Manual updates task overview

You must complete the following tasks to manually update the appliance:

Task 1: Finding available updates

The appliance first checks for updates locally, then connects to the ISS Download Center for updates that have not been downloaded.

When you click the Find Updates button on the Update Status page, the appliance checks for the following:

● updates available for install that are already downloaded to the appliance


Note: If the appliance finds updates to download or install, an alert message displays a link to the appropriate page.

To find available updates:




The Update Status page appears.

3. In the Updates area, click Find Updates.

4. Do the following to view the available updates:

■ Click the View Available Downloads link in the alert message.

■ On the Proventia Manager navigation pane, click Updates Available→Downloads.

Task 2: Downloading updates manually

To download updates:

1. If updates are available to download, the following message appears:

“There are updates available. Click here to see details.”

2. Click the link in the message.

The Updates to Download page appears.

Task Description

1 Find available updates

2 Download updates

3 Install updates

Table 12: Manual updates task overview



3. Click Download All Available Updates.

The Downloading Alert page displays while the appliance downloads the updates. After the download is complete, the available updates message is cleared from the Updates to Install page.

Task 3: Installing updates manually

To install updates manually:

1. On the Proventia Manager navigation pane, select Updates→Available Installs.

2. If your appliance model requires it, the Export Administration Regulation window appears.


The Available Installs page appears, and available updates to install are displayed in the Updates to Install table.

4. Select the updates you want to install, and then click Install Updates.

Note: Some firmware updates require that you reboot your appliance. For more information about product issues and updates, see the Proventia G Series Readme on the ISS Download Center at http://www.iss.net/download/. You can view the status of the installation in the Update History table on the Update Status page.

30




Configuring an Update Advanced Parameter

Configuring an Update Advanced Parameter

Introduction You may need to tune the update settings. You can tune these settings by adding or editing name and value pairs in the Updates→Settings→Advanced Parameters tab.

Adding an update advanced parameter

To add an update advanced parameter:



2. Select the Advanced Parameters tab.

3. Click Add. The Add Advanced Parameter window appears.

4. Type the parameter name in the Name field.

5. Type a meaningful description of the parameter in the Description field.

6. Specify the value type and value in the Value area.



Editing an update advanced parameter

To edit an update advanced parameter:




3. Select a parameter to edit, and then click Edit.

The Edit Advanced Parameter window appears.

4. Edit the properties of the parameter, and then click OK.



Copying and pasting an update advanced parameter

You can copy and paste a parameter before you edit it. This is useful if you want to add an parameter that is similar to an parameter already in the list.

To copy and paste an update advanced parameter:




3. Select a parameter, and then click the Copy icon.

The appliance copies the parameter to the clipboard.

4. Click the Paste icon.

The appliance copies the parameter to the end of the list.

5. If needed, edit the properties of the parameter, and then click OK.





Removing an update advanced parameter

To remove an update advanced parameter:




3. Select a parameter, and then click Remove.

The parameter is removed.



32

TM

Part II

Configuring theAppliance

Chapter 4

High Availability

Overview

Introduction This chapter explains how to configure the Proventia G Intrusion Prevention appliances that works in an existing high availability network environment.

Additional documentation described in this topic is available on the ISS Web site athttp://www.iss.net/support/documentation/.


Topic Page

About High Availability 36

High Availability Configuration Overview 38

High Availability Deployment 39

High Availability Configuration Procedures 41

SiteProtector Management with HA 44



Chapter 4: High Availability

About High Availability

Introduction The Proventia G appliances using high availability features pass all traffic between them over mirroring links. This ensures that both appliances see all of the traffic over the network, and thus maintain state. This also allows the appliances to see asymmetrically routed traffic, if necessary, and thus fully protect the network. The Proventia G High Availability support is limited to two cooperating appliances.

Both appliances process packets inline and block attack traffic that arrives on their inline monitoring ports, not on their interconnection/mirror ports. Both appliances also report events received on their inline monitoring ports to the management console.

Supported network configurations

High availability networks are typically configured in one of two ways:

● Primary / Secondary configuration: With this configuration, the traffic flows only on one of the redundant network segments and the primary devices on the network handle all of the traffic until one of the devices fails, at which point the traffic fails over to the secondary redundant network segment and the secondary devices take over.

● Clustering configuration: With this configuration, the traffic is load balanced and both sets of devices are active and see traffic all of the time.

Proventia G high availability feature supports both of these network configurations. In order to accomplish this, both Proventia G appliances must maintain identical state. The Proventia G appliances are connected together by mirror links (which actually consists of multiple connections over multiple ports). These mirror links pass all traffic that an appliance receives on its inline ports to the other appliance. This ensures that the protocol analysis modules on both appliances process all of the traffic over the network, and thus maintain state. In addition, this allows the appliances to process asymmetrically routed traffic, and thus fully protects the network. Finally, this ensures that there is no gap in protection during failover. If you run the Proventia Setup Utility when the HA feature is enabled, you cannot modify network settings.

Processing responses

Both appliances process packets received from all redundant segments but only block attack traffic that arrives on their inline ports when appropriate. Both appliances report events to the management console at all times. However, responses will be processed only for events that are generated by packets that arrive on inline ports. Appliances process but do not block or report events that are generated by traffic that arrive on mirroring ports.

As both appliances see all the traffic at all times, failover time for response processing is eliminated. Both appliances maintain current state, so if one HA network segment fails the other appliance will receive all packets on its inline ports, resulting in events being generated as soon as the network fails over.

Note: A small number of signatures, such as Port Scans, can result in duplicate events being generated, one by each appliance in a clustered configuration.

HA Modes In a HA configuration, the appliance can only operate in either inline simulation or inline protection modes. Passive monitoring mode is not supported.

Adapter level operation modes supported in normal mode is also not supported in an HA configuration. If HA simulation mode is selected, all monitoring adapters will be put in inline simulation mode automatically. If HA protection mode is selected, all monitoring

36

About High Availability

adapters will be put in inline protection mode automatically. In normal mode, each adapter can be configured to run in a different operational mode.

High Availability addresses the operation of inline appliances in a high availability environment. It does not address the availability or fault-tolerance of the appliances themselves. Therefore, there is no separate high availability solution for appliances configured and wired for passive monitoring mode. The Proventia G appliances with high availability can be configured in the three modes, see Table 13:

Setting Description

Normal mode Regular operation mode. In this mode, appliance does not cooperate with another appliance. Appliance can be configured to run in inline protection, inline simulation and passive monitoring modes at the adapter level.

HA Simulation mode Both HA partner appliances monitor traffic inline, but do not block any traffic. Instead, both appliances monitor traffic and provide passive notification responses. The appliances also monitor the traffic on each other’s segment via mirror links – ready to take over notification in case of network failover.

HA Protection mode Both HA partner appliances monitor traffic inline and each report and block the attacks that are configured with block response, quarantine response, and firewall rules. The appliances also monitor the traffic on each other’s segment via mirror links – ready to take over reporting and protection in case of network failover.

Table 13: HA appliance modes



High Availability Configuration Overview

Introduction This topic provides an overview of the HA configuration page and tasks you must perform to use the high availability feature. You must use the Proventia Setup Utility and Proventia Manager to perform the initial configuration steps and create firewall access policies on each appliance. After you complete the initial configuration, you enable and configure high availability on the designated primary appliance only. For more information, see “High Availability Deployment” on page 39.

Prerequisites High Availability support is provided by firmware update 1.1. You must install the 1.1 firmware update to enable the high availability feature. SiteProtector must be updated to 5.6 prior to installing the Proventia G Firmware 1.1.

Licensing Licensing for a high availability configuration is identical to licensing for a non-HA appliance; each individual appliance will request a single license from Site Protector.

Limitations In HA mode, using adapter parameters as part of the firewall rules and protection domain definitions is not supported. As same traffic may flow on different adapters in an HA environment, using adapter parameters may cause the two HA partner appliances to become unsynchronized.

Important: In protection domain definitions, Adapter field must be set to ‘Any’. In constructed firewall rule definitions, all adapters must be selected. In manually constructed firewall rule definitions, the adapter keyword must not be used. For example, the firewall rule ‘adapter A,B,G Portia top’ is valid normal mode but not supported in an HA mode.

Proventia Manager High availability configurations are visible to Proventia Manager and are capable of accepting policies and updates, but it is recommended to use SiteProtector to manage the G400 or G2000 appliances when using inline high availability configurations. Each pair of Proventia G appliances in a high availability configuration must be put in the same group in SiteProtector so that updates to the appliances can be easily synchronized, including application of XPUs and policies. Both appliances will report to SiteProtector using unique IDs.

It is recommended that both HA partner appliances are configured to use the same policies.

The user may choose to apply content updates and firmware updates serially so that one appliance is always operational in order to maintain network connectivity, particularly when both appliances are configured to fail closed.

Connecting cables for HA

Reference: For more information about connecting cables for HA, see your Proventia G400/G2000 Quick Start Guide.

38

High Availability Deployment

High Availability Deployment

Introduction This topic describes a typical deployment scenario for using the Proventia G appliances in a high availability environment. It includes the following:

● a logical diagram for a standard HA deployment

● a physical network diagram for a standard deployment

Logical Diagram You can manage your HA appliance cluster from Proventia Manager. If you use a SiteProtector console to manage your appliances, you can manage the HA cluster from the SiteProtector Agent Manager. A Logical HA diagram is shown in Figure 1:

Figure 1: Logical HA diagram for standard deployment



Physical HA network diagram

A physical network diagram of a typical HA deployment scenario is shown in Figure 2:

Figure 2: HA physical network diagram

40

High Availability Configuration Procedures


Introduction This topic describes the procedures required for configuring your Proventia G appliances for high availability (HA). Once the network and appliance configuration is complete, you enable and configure the high availability feature on your appliances.

Enabling HA To enable high availability, do the following on both HA partner appliances:

1. On the navigation pane, select System.

2. Select High Availability.

The High Availability page appears.

3. Select one of the following appliance modes:

HA simulation

HA protection

Note: You must select the same mode on both appliances.


On the Proventia Manager interface, click Save Changes.

On the SiteProtector screen, interface OK.

Note: The adapter modes will be pre-set and are not editable when HA mode is enabled. All monitoring adapters will be put into inline simulation mode when HA simulation mode is selected. All monitoring adapters will be put in inline protection mode when HA protection mode is selected. The settings for the non-HA adapter modes will be preserved but will not be used unless appliance is switched back to normal mode.

Disabling HA To disable high availability

1. On the navigation pane, select System.

2. Select High Availability.

The High Availability page appears.

3. Select the following appliance mode:

Normal


On the Proventia Manager interface, click Save Changes.

On the SiteProtector interface, click OK.

Card Management Page

In a HA configuration, the Card Management page is used to view and manage failure and appliance modes (System® Local Tuning Parameters® Card Management tab). Table 14 describes the these modes and settings for the network card:

Column Description

Card Name The name of the network card.

Note: You cannot change the name of the network card.

Table 14: Card Management page fields



Adapter Mode (non-HA) The operation mode of the appliance. The operation modes are as follows:

• inline protection

The appliance monitors traffic inline, and blocks attacks that are configured with the block response, quarantine response, and firewall rules.

• inline simulation

The appliance monitors traffic inline, but does not block any traffic. Instead, the appliance monitors traffic and provides passive responses.

• monitoring

The appliance monitors traffic from a tap, hub, or span port.

Port Lets you associate a meaningful name (such as Finance Department Network Segment) with each port.

Default: The port names match the labels A, B, C, D, E, F, G, and H that are on the back of the appliance. The ports are arranged as pairs of ports on a card as follows:

• A with B on Card1

• C with D on Card2

• E with F on Card3

• G with H on Card4

TCP Resets Determines whether kills are sent through this port or through the external kill port.

Port Speed/Duplex Settings The method the network card on the port uses to determine link speed and mode. The methods are as follows:

• Auto-Negotiate

Allows two interfaces on a link to select the best common mode automatically, the moment a cable is connected.

Important: ISS recommends that you use this setting (Auto-Negotiate) unless you have to change the setting, for a switch or other network device that does not support auto-negotiation, or if the auto-negotiation process is taking too long to establish a link.

• 10 MB Half Duplex

Allows a device to either transmit or receive at 10 megabits per second, but not at the same time.

• 10 MB Full Duplex

Allows information to be transmitted at 10 megabits per second in both directions at the same time.


Allows a device to either transmit or receive at 100 megabits per second, but not both at the same time.




• Allows information to be transmitted at 1000 megabits per second in both directions at the same time.

Column Description

Table 14: Card Management page fields (Continued)

42


Unanalyzed Policy How the agent processes traffic when the network is congested.

The options are as follows:

• Forward

Forwards traffic without processing it, or fails open to traffic. When traffic levels return to normal, the agent resumes normal operation.

• Drop

Blocks some of the traffic without processing it, or fails closed to traffic. When traffic levels return to normal, the agent returns to normal operation.

Note: This drop setting is used when the Adapter Mode is set to either Inline Protection or Inline Simulation.

Propagate Link If set to true, and one of the links is broken (cable broken, cable disconnected), then the link on the corresponding inline port is also broken by the network driver.

Note: This setting is used when the Adapter Mode is set to either Inline Protection or Inline Simulation.

Fail Mode Determines whether the network card fails open or closed. (Applies only to copper cabling only).

Note: This only applies to network cards in inline mode. Cards in monitoring mode always fail closed.

The fail modes are as follows:

• Auto

The appliance decides whether to fail-open or fail-closed based on the sensor mode. If sensor mode is set to Normal mode, the card will fail open. If sensor mode is set to one of the HA modes, the card will fail closed.

Note: This is the default recommendation.

• Open

The card fails open to the traffic.

• Closed

The card fails closed to the traffic.

Appliance Mode (HA) The operation mode of the appliance. The operation modes are as follows:





• monitoring


Column Description




SiteProtector Management with HA

Introduction The HA module is manageable through the SiteProtector agent manager. Each pair of Proventia G appliances in a high availability configuration must be put in the same group in SiteProtector so that updates to the appliances can be easily synchronized, including application of XPUs and policies. Both appliances will report to SiteProtector using unique IDs.

44

Chapter 5

Appliance Settings

Overview

Introduction Use the information in this chapter to verify or adjust any of the appliance settings you configured using the local configuration interface (the Proventia Setup Utility) when you initially installed the appliance.

Once the appliance is initially deployed and operational, ISS recommends that you make most of these changes using Proventia Manager.

In this chapter This chapter contains the following sections:

Section Page

Configuring Appliance and Agent Settings 49

Configuring Network, Time, and SNMP Settings 59


Chapter 5: Appliance Settings

Setting Up a Local Configuration Interface and Logging On the Appliance

Introduction Before you can view or change appliance settings, you must set up a local configuration interface and log on to the appliance using the Proventia Setup Utility.

Using the Proventia Setup Utility

You log on to the appliance using the Proventia Setup Utility (your local configuration interface) to change any of your initial settings. Once you have set your network configurations, you use the Proventia Manager interface to configure and manage the appliance.

Reference: See “Using Proventia Manager” on page 11 for information on using the Proventia Manager interface.

Procedure To set up a local configuration interface and log on to the appliance:


■ Connect a keyboard and monitor to the connectors on the rear panel of the appliance.

■ Connect a computer (such as a laptop) to the serial port on the appliance using the serial cable provided. Using a program such as Hyperterminal™, create a connection to the appliance with the following settings:

– Bits per second = 9600

– Data bits = 8

– Parity = None

– Stop bits = 1 (8-N-1)

– Flow control = None

– Communications Port = com port to which you have connected the appliance.

2. Set up Terminal Emulation = auto detect. Settings may vary, depending on the program you are using. In Hyperterminal, do the following:

■ Go to File Properties Settings.

■ Select Terminal Emulation = auto detect.

■ Click OK.

3. Press the POWER button to start the appliance.

The appliance displays the login prompt: <appliance name> login: _

4. Type admin, and then press ENTER.

5. Type the admin password, and then press ENTER.

The Configuration menu appears. The following menus are available:

■ Appliance Information

■ Appliance Management

■ Agent Management

■ Network Configuration

■ Time Configuration

46

Setting Up a Local Configuration Interface and Logging On the Appliance

■ Password Management

■ SNMP Configuration

6. Use the UP and DOWN arrow keys to move from one menu item to another.

7. Press ENTER to select a menu item.



Logging Out of the Local Configuration Interface

Introduction You can log out of the local configuration interface when you are finished viewing or changing the appliance’s settings.

Procedure To log out of the local configuration interface:

● Select Configuration→Exit, and then press ENTER.

The appliance displays the Login prompt.

48

Overview

SECTION A: Configuring Appliance and Agent Settings

Overview

Introduction This section provides information about how to manage and maintain your appliance.

In this section This section contains the following topics:

Topic Page

Viewing the Appliance Settings 50

Backing Up the Current Configuration 51

Restoring a Configuration 52

Disabling Remote Root Access to the Appliance 53

Rebooting or Shutting Down the Appliance 54

Viewing the Status of Appliance Components 55

Restarting the Agent 56

Changing the Agent Name 57



Viewing the Appliance Settings

Introduction You can view the following settings that you configured during the appliance installation:

● serial number

● revision

● agent name

● host name

● IP address

● netmask

● gateway

● primary DNS

● secondary DNS

Procedure To view the appliance settings:

1. Set up a local configuration interface and log on to the appliance.

Reference: See “Setting Up a Local Configuration Interface and Logging On the Appliance” on page 46.

2. From the Configuration menu select Appliance Information, and then press ENTER.

The Appliance Information screen displays information about the appliance.

3. Click OK to return to the Configuration menu.

50

Backing Up the Current Configuration

Backing Up the Current Configuration

Introduction You can back up the appliance configuration settings.

Procedure To back up the appliance configuration settings:



2. Select Configuration→Appliance Management, and then press ENTER.

The Appliance Management menu appears.

3. Select Backup Current Configuration, and then press ENTER.

The Backup Appliance screen appears.

4. Click OK to start the backup process.



Restoring a Configuration

Introduction You can restore an appliance configuration.

Procedure To restore an appliance configuration:





3. Select from one of the following options:

■ Restore Configuration From Backup

■ Restore to Factory Default

Note: The Restore to Factory Default option preserves the current host, network, time zone, and password settings.

4. Press ENTER.

5. Click OK to start the restoration process.

52

Disabling Remote Root Access to the Appliance

Disabling Remote Root Access to the Appliance

Introduction You can disable remote SSH access to the root user. If you disable remote root access, the root user can only log on to the appliance from a local console. However, you cannot re-enable remote root access from the user interface once you have disabled it.

Important: Once remote root access is disabled, only the admin user will have remote SSH access.

Procedure To disable remote root access to the appliance:





3. Select Disable Remote Root Access, and then press ENTER.

The Remote Root Access screen appears.

4. Click Disable to disable remote root access.



Rebooting or Shutting Down the Appliance

Introduction You can shut down or reboot the appliance using the local configuration interface.

Procedure To shut down or reboot the appliance:





3. Select one of the following:

■ Reboot Appliance

■ Shutdown Appliance

4. Press ENTER.


■ To reboot the appliance, click Reboot.

The appliance reboots and displays the Login prompt.

■ To shut down the appliance, click Shutdown.

The appliance shuts down and displays a message when it is safe for you to turn off the power.

54

Viewing the Status of Appliance Components

Viewing the Status of Appliance Components

Introduction You can view the status and version of the agent and daemon components of the appliance.

Procedure To view the status of the appliance components:



2. Select Configuration→Agent Management, and then press ENTER.

The Agent Management menu appears.

3. Select Agent Status, and then press ENTER.

The appliance displays the following items:

■ Agent

■ Engine

■ Daemon

4. View the information, and then click Cancel.

The Configuration menu appears.



Restarting the Agent

Introduction You may want to restart the agent to troubleshoot a problem with the appliance.

Procedure To restart the agent:





3. Select Agent Status, and then press ENTER.

4. Click Restart Agent.

The agent restarts, and then a confirmation screen appears.

5. Press ENTER.


56

Changing the Agent Name

Changing the Agent Name

Introduction You can change the agent name that you configured when you installed the appliance.

Note: This is the name that appears for the appliance in your management interface. ISS recommends that you select a name that corresponds to the appliance’s geographic location, business unit, building address, or some other meaningful classification.

Procedure To change the agent name:





3. Select Agent Name Configuration, and then press ENTER.

The Agent Name Configuration screen appears.

4. Change the agent name, and then click OK.



58

Overview

SECTION B: Configuring Network, Time, and SNMP Settings

Overview

Introduction This section provides information on how to configure network, time, and SNMP settings for your appliance.


Topic Page

Changing the Network Configuration Settings 60

Changing the Host Configuration Settings 61

Changing the Link Speed and Duplex Mode Settings 62

Changing the Date and Time Settings 63

Changing the Time Zone Setting 64

Changing NTP Settings 65

Changing Appliance Passwords through the Local Configuration Interface 66

Changing SNMP Settings 68



Changing the Network Configuration Settings

Introduction You can change the following network configuration settings that you configured when you installed the appliance:

● IP address

● subnet mask

● gateway

Procedure To change the network configuration settings:



2. Select Configuration→Network Configuration, and then press ENTER.

The Network Configuration screen appears.

3. Select IP Settings, and then press ENTER.

4. Type the IP Address, Subnet Mask, and Gateway.

Note: The IP address is used to manage the appliance through SSH and SiteProtector.

5. Click OK.


60

Changing the Host Configuration Settings

Changing the Host Configuration Settings

Introduction You can change the following host configuration settings that you configured when you installed the appliance:

● hostname (required)

● domain name (recommended)

● primary and secondary name server (recommended)

Note: The appliance uses domain names and DNS information to send Email and SNMP responses. If you do not provide this information now, the appliance can still send Email and SNMP responses. You must specify the IP address of the appliance’s mail server when you define the Email response on the management console. The appliance must have network access to the mail server.

Procedure To change the host configuration settings:





3. Select Host Name Settings, and then press ENTER.

The Host Configuration screen appears.

4. Type the Hostname (required), Domain Name, Primary Name Server, and Secondary Name Server.

5. Click OK.




Changing the Link Speed and Duplex Mode Settings

Introduction You can change the link speed and duplex mode settings from the management port.

Note: You have to use Proventia Manager to change the link speed and duplex mode settings for the inline monitoring ports. See “Editing the Network Card Properties” on page 137 for a procedure.

Choosing the settings

Choose link speed and duplex mode settings to match your environment. If you are not sure which settings are correct for your environment, choose Auto.

● Auto

● Full Duplex 1 Gbps

● Full Duplex 100 Mbps

● Full Duplex 10 Mbps

● Half Duplex 100 Mbps

● Half Duplex 10 Mbps

Appliances and link speed

The G400 and G2000 appliances have one management port labeled 1. You can configure link speed and duplex mode settings appropriate for the appliance you have installed.

Procedure To change the link speed and duplex mode settings:




The Network Configuration menu appears.

3. Select Change Management Port Link Settings, and then press ENTER.

The Management Port Link Settings screen appears.

4. Select a setting, and then click OK.

Note: Reboot the appliance. See “Rebooting or Shutting Down the Appliance” on page 54 for a procedure.

62

Changing the Date and Time Settings

Changing the Date and Time Settings

Introduction You can change the date and time settings that you configured when you installed the appliance.

Procedure To change the date and time settings:



2. Select Configuration→Time Configuration, and then press ENTER.

The Time Configuration menu appears.

3. Select Date/Time Settings, and then press ENTER.

The Date/Time Configuration menu appears.

4. Type a new date in the Date field, and then press ENTER.

Note: Use the format [MM/DD/YYYY].

5. Type a new time in the Time field, and then press ENTER.

Note: Use the format [HH:MM:SS] and a 24-hour clock.

6. Click OK.




Changing the Time Zone Setting

Introduction You can change the time zone settings for the appliance.

Procedure To change the time zone setting:





3. Select Time Zone Configuration.

The Time Zone Configuration screen appears.

4. Select the continent or ocean in which the appliance is located, and then press ENTER.

5. Select the country in which the appliance is located, and then press ENTER.

6. Select the region in which the appliance is located, and then press ENTER.

Note: This screen does not appear if the country you selected contains only one region (time zone).

7. Click OK.


64

Changing NTP Settings

Changing NTP Settings

Introduction The network time protocol (NTP) synchronizes the local date and time with the network time server. If you specify more than one time server, the appliance obtains a number of samples from each of the specified servers.

Procedure To change the NTP setting:





3. Select NTP Configuration, and then press ENTER.

The NTP Configuration menu appears.

4. Select Enable NTP, and then click Enable.

The NTP Version screen appears.

5. Select a version, and then click OK.

The Add NTP Server screen appears.

6. Type in the address or host name for the NTP server in the NTP Server field, and then click OK.

The NTP Synchronization Interval screen appears.

7. Type in synchronization time in minutes for the server in the Synchronization Interval field, and then click OK.

The NTP Configuration menu appears.



Changing Appliance Passwords through the Local Configuration Interface

Introduction You can change the appliance passwords at any time.

Caution: Record and protect these passwords. If you lose the passwords, you must reinstall the appliance.

Changing the administrative password

To change the administrative password:



2. Select Configuration→Password Management, and then press ENTER.

The Password Management menu appears.

3. Select Change Admin Password, and then press ENTER.

The Change Password screen appears.

4. Type the old password, and then press ENTER.

5. Type the new password, and then press ENTER.

Note: You must use a minimum of six characters.

6. Retype the new password to confirm it, and then press ENTER.

The appliance displays a confirmation screen.

7. Click OK.


Changing the root password

To change the root password:





3. Select Change Root Password, and then press ENTER.







7. Click OK.


66

Changing Appliance Passwords through the Local Configuration Interface

Changing the Proventia Manager password

To change the Proventia Manager password:





3. Select Change Proventia Manager Password, and then press ENTER.







7. Click OK.


Configuring the boot loader password

The boot loader password (which is the root password) protects the appliance from unauthorized users during the boot process.

Important: You setup the root password when the appliance is initially configured. When you enable the boot loader password (root password), the password is already set.

● G400 appliance uses the UP kernel

● G2000 appliance uses the SMP kernel

To configure the bootloader password:





3. Select Configure Boot Loader Password, and then press ENTER.

The Bootloader Password screen appears.

4. The Enable option is already on because the root password is set. Select Disable, and then press ENTER to disable the password setting.




Changing SNMP Settings

Introduction You can enable the SNMP daemon to send SNMP traps on certain appliance health- related events such as low disk space, low swap space, or very high CPU usage.

You can also configure SNMP to send traps to multiple trap receivers using either the SNMPv1 or SNMPv2c protocols.

Procedure To enable SNMP:



2. Select Configuration→SNMP Configuration, and then press ENTER.

The SNMP Configuration menu appears.

3. Select Enable SNMP.

The Enable SNMP screen appears.

4. Click Enable.

The SNMP appliance screen appears.

5. Type in a location for the system in the System Location field.

6. Type in a contact for the system in the System Contact field.

7. Type in a name for the system in the System Name field.

8. Click OK.

The Add SNMP Trap Receiver screen appears.

9. Type in the IP address of the trap receiver in the Trap Receiver field.

Note: This IP address is the server address where the SNMP Manager is running. The SNMP Host must be accessible to the appliance to send SNMP traps.

10. Type in a port number in the Port Number field. (Default port number is 162)

11. Type the appropriate community name (public or private) in the Community String field.

12. Select the version of the trap receiver in the Trap Receiver field.

■ SNMPv1

■ SNMP2

13. Click OK.

The SNMP Configuration menu appears.

68

Chapter 6

Configuring Responses

Overview

Introduction This chapter describes how to configure responses for the appliance.


Topic Page

About Responses 70

Configuring an Email Response 71

Configuring a Log Evidence Response 73

Configuring Quarantine Response Objects 74

Configuring an SNMP Response 76

Configuring a User Specified Response 78


Chapter 6: Configuring Responses

About Responses

Introduction This topic explains what responses do, discusses response types and their characteristics, and tells where responses are stored.

What do responses do?

The responses that are defined in a response policy file specify actions that an appliance should take when it detects an intrusion. The response type (and response name, if derived responses are defined) to be performed by the appliance is specified in the appliance’s policy file according to each signature.

Response types Responses can be either pre-defined or user-specified as follows:

● email

● log evidence

● quarantine

● SNMP

● user specified

● display

Global response policy

A global response policy contains all of the response types that can be applied to the appliance.

70

Configuring an Email Response

Configuring an Email Response

Introduction You can configure the appliance to notify you by email when events occur, or send an email notification to an individual or to a group. (To send email notification to a group, create an email distribution list on your corporate server.)

About the Email responses page

When you configure an email response, use the following fields on the Email page to customize the attributes of the response:

Adding an email response

To add an email response:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Responses.

The Responses page appears.

2. Select the Email tab.

The Email page appears.

3. Click Add.

The Add Email window appears.

4. Type a meaningful name in the Name field.

5. Type the mail server (as a fully qualified domain name or IP address) in the SMTP Host field.

The SMTP Host must be accessible to the appliance to send email notifications.

6. Type an individual deliverer or email group in the From field.

7. Type an individual recipient or email group in the To field.

8. Select one or more subject fields.

9. Select one or more body fields.

10. Click OK.



Editing an email response

To edit an email response:





Column Description

Name The name of the response.

SMTP Host The mail server (as a fully qualified domain name or IP address).

From An individual deliverer or email group.

To An individual recipient or email group.

Table 15: Email page fields




■ Select an entry, and then click Edit.

■ Select an entry, and then double-click it.

The Edit Email window appears.

4. Edit the properties of the response, and then click OK.



Copying and pasting an email response

You can copy and paste an email response, and then edit the email address. This is useful if you want to add an email response entry that is similar to an entry already in the list. You can also copy and paste multiple entries.

To copy and paste an email response:





3. Select the entry you want to copy.

Note: To select multiple entries, press the CTRL key, and then select each entry. To select a range of entries, press the SHIFT key, and then select the first and last entries in the range.

4. Click the Copy icon.

The appliance copies the entry to the clipboard.


The appliance copies the entry to the end of the list.

6. If needed, edit the properties of the response, and then click OK.



Removing an email response

To remove an email response:





3. Select the response to remove, and then click Remove.

The appliance removes the response from the list.



72

Configuring a Log Evidence Response

Configuring a Log Evidence Response

Introduction You can configure the appliance to log the summary of an event. The appliance logs the packet that triggered the event to the /var/iss/ directory.

About the Log Evidence page

When you configure a log evidence response, use the following fields in the Log Evidence page to customize the attributes of the response:

Procedure To configure a log evidence response:


The Responses Page appears.

2. Select the Log Evidence tab.

The Log Evidence page appears.

3. Type the maximum files to log in the Maximum File field.

4. Type the maximum file size in the Maximum File Size field.

5. Type the prefix of the log file in the Log File Prefix field.

6. Type the suffix of the log file in the Log File Suffix field.

Column Description

Maximum Files The maximum files that can be stored in the log.

Default: 10 files

Maximum File Size The maximum file size that can be stored in the log.

Default: 10000 Kilo Bytes

Log File Prefix The prefix of the log file.

Default: evidence

Log File Suffix The filename extension for the log file.

Default: .enc

Table 16: Log Evidence page fields



Configuring Quarantine Response Objects

Introduction You can create response objects that block intruders when a specific series of events are triggered.

Pre-defined response objects

The following table describes the three pre-defined response objects in the list:

Note: You can change the settings for the pre-defined response objects, but you cannot rename or remove them.

Adding a quarantine response

To add a quarantine response:



2. Select the Quarantine tab.

3. Click Add.

The Add Quarantine window appears.


5. Enable the appropriate settings, and then click OK.



Editing a quarantine response

To edit a quarantine response:







The Edit Quarantine window appears.




Quarantine objects Description

Quarantine Intruder Fully blocks the intruder of an attack.

Quarantine Trojan Isolates any system that is the victim of an attack.

Quarantine Worm Isolates the item the worm is trying to find; for example, a SQL port.

Table 17: Pre-defined response objects

74

Configuring Quarantine Response Objects

Copying and pasting a quarantine response

You can copy and paste a quarantine response. This is useful if you want to add a response entry that is similar to an entry already in the list. You can also copy and paste multiple entries.

To copy and paste a quarantine response:













Removing a quarantine response

To remove a quarantine response:








Note: Quarantine rules are only displayed and edited in Proventia Manager.



Configuring an SNMP Response

Introduction You can configure a Simple Network Management Protocol (SNMP) notification response for events.

Tip: To display the ISS-assigned Event Name in SNMP trap messages, you can import or compile the ISS MIB file (iss.mib) into an SNMP management application such as Hewlett-Packard OpenView. The ISS MIB file defines the format of ISS SNMP traps, and is used by your management application to provide translations of the numeric Object Identifiers (OIDs) contained in the trap messages. You can download the iss.mib file from the ISS Download Center at http://www.iss.net/download/. Reference: For more information about using your SNMP management application, see your SNMP management application software documentation.

About the SNMP responses page

When you configure an SNMP response, use the following fields in the SNMP page to customize the attributes of the response:

Adding an SNMP response

To add an SNMP response:



2. Select the SNMP tab.

3. Click Add.

The Add SNMP window appears.

4. Type the name of the response in the Name field.

5. Type the IP address in the Manager field.


6. Type the appropriate community name (public or private) in the Community field.



Editing an SNMP response

To edit an SNMP response:




Column Description


Manager The server address where the SNMP Manager is running.

Note: The SNMP Host must be accessible to the appliance to send SNMP traps.

Community The community name (public or private).

Table 18: SNMP page fields

76

Configuring an SNMP Response




The Edit SNMP window appears.




Copying and pasting an SNMP response

You can copy and paste an SNMP response. This is useful if you want to add an SNMP response entry that is similar to a entry already in the list. You can also copy and paste multiple entries.

To copy and paste an SNMP response:









The appliance copies entry to the end of the list.




Removing an SNMP response

To remove an SNMP response:





The appliance removes response from the list.





Configuring a User Specified Response

Introduction You can create an executable file that the appliance runs when it detects a specific event.

Creating a user specified response

Use a Linux binary or shell script file in an executable, including any command-line options or arguments (such as event name or source address).

Once you have created the response, you must manually copy the executable to the appliance. You can define as many different user-specified responses as needed, but the appliance can only execute one response for a specific event. To run a series of executables, you must place all commands in a shell script that the appliance can run.

About the User Specified responses page

When you configure a user specified response, use the following fields in the User Specified page to customize the attributes of the response:

Adding a user specified response

To add a user specified response:



2. Select the User Specified tab.

3. Click Add. The Add User Specified window appears.


5. Type a command in the Command field.

6. Select one or more command parameters, and then click OK.

7. Do the following:


Editing a user specified response

To edit a user specified response:







The Edit User Specified window appears.




Column Description


Command A command associated with the response.

Table 19: User Specified page fields

78

Configuring a User Specified Response

Copying and pasting a user specified response

To copy and paste a user specified response:













Removing a user specified response

To remove a user specified response:










80

Chapter 7

Monitoring Events

Overview

Introduction This chapter describes how to configure and monitor events for the appliance.

In this chapter This chapter contains the following sections:

Section Page

Security Events 83

Connection Events 93

User-Defined Events 99

Trons Events 113


Chapter 7: Monitoring Events

About Events

Introduction An event is generated by the appliance when an attack signature is detected.

Types of events You enable events in a policy using Proventia Manager. The types of events that you can configure or apply to the appliance are as follows:

● security events

● connection events

● Trons events

● user-defined events

About policies A policy contains a list of items, called signatures, that determine what the appliance can detect. The sensor uses each signature to detect a specific security event.

Use policies to control the following:

● the kind of security events the appliance detects

● the priority of each event

● how the appliance responds to events

Contents of a policy Each policy contains a list of items, called signatures, that determine what the appliance can detect. The sensor uses each signature to detect a specific security event.

Pre-defined policies Both appliances come with a pre-defined profile that protects your system.

82

Overview

SECTION A: Security Events

Overview

Introduction This section explains how to configure security events for the appliance.


Topic Page

About Security Events 84

Using Response Filters 88

About Protection Domains 90

Managing Quarantine Rules 92



About Security Events

What are security events?

A security event is network traffic with content that can indicate an attack or other suspicious activity. These events are triggered when the network traffic matches one of the pre-defined profiles in the active policy.

About the Security Events page

You can enable or disable a security event. You can also customize the following attributes:

● priority of the events

● responses

● advanced properties

When you configure a security event, use the following fields on the Security Events page to customize the attributes of the event:

Column Description

Enabled Enable or disable the event. Selecting the box enables the event and clearing the box disables the event.

Protection Domain A group of network assets that correspond to the event.

Attack/Audit Shows whether the event triggered is an attack or an audit event.

Tag Name The name of the event.

Severity The severity level of the event. The severity levels are as follows:

• high

• medium

• low

XPU The XPU in which the vulnerability check was released.

Check Date The month and the year the vulnerability check was created.

Event Throttling Reduces the number of events received.

The value is specified in seconds. At most, one event that matches an attack is reported during the specified interval. A value of zero disables event throttling.

Display Displays the detected event to the monitoring console.

The options for the response are as follows:

• None

Does not display the detected event.

• WithoutRaw

Logs a summary of the event.

• WithRaw

Logs a summary and the associated packet capture.

User Overridden Shows whether an event’s default settings has been modified.

Block Blocks the attack by dropping packets and sending resets to TCP connections.

Table 20: Security Events page fields

84


Adding a security event to a protection domain

To add a security event for the protection domain:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Security Events.

The Security Events page appears.

2. Click Add. The Add Security Events window appears.

3. Select the Enabled check box.

4. Select the protection domain to which you want to add the security event.

5. Select the security event that you want to add to the protection domain in the Tag Name field.

6. Select the severity of the security event in the Severity field.

7. Configure additional settings for the security event, such as blocking responses, and then click OK.

The event appears under its protection domain.



Adding multiple security events to a protection domain

To add multiple security events to the protection domain:



2. Select the events that you want to add to a protection domain.

Note: To select multiple events, press the CTRL key, and then select each events. To select a range of events, press the SHIFT key, and then select the first and last events in the range.


The appliance copies the events to the clipboard.


The appliance copies the entries to the end of the list and the new entries display the icon next to them.

Default Quarantine The default blocking rules recommended by ISS X-Force for any signatures that have a blocking recommendation. Note: This is useful if you change a blocking response and then would like to know what was recommended by X-Force.

Log Evidence Logs the packet that triggered the event to the /var/iss/ directory.

Email Shows whether an email response is configured for the event.

Quarantine Shows whether a quarantine response is configured for the event.

SNMP Shows whether an SNMP response is configured for the event.

User Specified Shows whether a user specified response is configured for the event.

Column Description

Table 20: Security Events page fields (Continued)



5. Select all entries with the icon that you just pasted, and then click Edit.

The Edit Security Events page appears.

6. Select the protection domain to which you want to add the events.

7. Configure settings for the protection domain, and then click OK.



Editing the properties of a security event

To edit the properties of a security event:



2. Select the Security Events tab.




The Edit Security Events window appears.

4. Edit the properties of the event, and then click OK.



Editing the properties of multiple security events

To edit the properties of multiple security events:




3. Select the events you want to edit.

Note: To select multiple events, press the CTRL key, and then select each events. To select a range of events, press the SHIFT key, and then select the first and last events in the range.

4. Click Edit. The Edit Security Events window appears.

Note: When you make changes, they are applied to all selected events. If you see a blue triangle icon next to some of the fields, then those fields currently have different values assigned in the selected events. For example, if you have a block response enabled for one of the selected events and disabled in the other events, the blue triangle icon appears next to the Block field. If you change the value of a field with this icon, the value changes to the new setting for all selected events and the blue triangle icon no longer appears next to the field.

5. Click OK.



86


Removing a security event

Note: You cannot remove events that belong to the Global protection domain.

To remove a security event:




3. Select an event from the list, and then click Remove.

The event is cleared from the list.

Disabling ISS X-Force default blocking

By default, X-Force default blocking is enabled for the appliance. You can disable the appliance from accepting the blocking responses.

To disable recommended default blocking:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Global Tuning Parameters.

The Global Tuning Parameters page appears.

2. Select the ISS X-Force Default Blocking tab.

3. Clear the Use X-Force blocking recommendations box.





Using Response Filters

Introduction Response filters provide granular control for security event processing.

When to use Use response filters to do the following:

● configure responses for signatures that trigger based off network criteria specified in the filter

● reduce the number of events an appliance reports to the console

If you have hosts on your network that are secure and trusted or hosts that you want the appliance to ignore for any other reason, you can use a response filter with the IGNORE response enabled.

Filters and other signatures

When the appliance detects traffic that matches a response filter, the appliance executes the responses specified in the filter. Otherwise, the appliance executes the signatures configured for the security event.

Note: If a security event is disabled, its corresponding response filters are also disabled.

Filter ordering The response filters follow rule ordering. For example, if you add more than one filter for the same security event, the appliance executes the responses for the first match. The appliance reads the list of filters from top to bottom.

To change the rule order of a filter:



2. Select the Response Filters tab.

The Response Filters page appears.

3. Select an entry, and then use the UP or DOWN arrow keys to move the filter.

Attributes of filters Filter signatures have the following configurable attributes:

● adapter

● virtual LAN (VLAN)

● source or destination IP address

● source or destination port number (all ports or a port associated with a particular service) or ICMP type/code (one or the other will be used)

Adding a response filter

To add a response filter:





88

Using Response Filters

3. Click Add.

The Add Response Filters window appears.

4. Configure settings for the filter, and then click OK.

The filter appears in the list.



Editing the properties of a response filter

To edit the properties of a response filter:








The Edit Response Filters window appears.

4. Edit the properties of the filter, and then click OK.



Removing a response filter

To remove a response filter:





3. Select a filter from the list, and then click Remove.

The filter is cleared from the list.



About Protection Domains

Introduction A protection domain is a type of virtual sensor that is made up of a group of network assets or security events that monitor IP address, port paging, or VLAN.

When to use You use protection domains when you want to monitor groups of different network segments from a single appliance using global policies that centralize intrusion prevention.

You can also use protection domains in the following scenarios:

● to define and apply multiple protection domains to a single appliance

● to apply multiple policies to a single appliance, which lets you tune the responses to specific network traffic on one or more networks

The global policy The appliance always uses a global policy. If you do not define a protection domain, the global policy acts as the single policy used by the appliance. If you define a protection domain and apply it to the appliance, the global policy settings remain global and apply to each protection domain. You can also define the settings for the protection domain to override the global settings.

About the Protection Domains page

Use the Protection Domains page to do the following:

● define unique policies per interface, per IP range, or per virtual LAN to monitor a group of different network segments

● create customized groups of events (beyond the default event groupings of priority, attack/audits, or event category) to address special needs such as a group to view or to edit group membership and setting responses

Example: You may have a group of checks that you have validated for use with mission-critical Web servers. You can set or modify responses in a single step rather than manually selecting each event.

● create a particular response or group of responses for multiple events

Example: You can apply a custom response to many events rather than manually setting a response for each event.

● view events added from an XPU in the same view or group as previously existing events

● search for particular events based on strings in the event name and/or event description

When you configure a protection domain, use the following fields on the Protection Domains page to customize the attributes of the event:

Setting Description

Enabled Enable or disable the policy. Selecting the box enables the policy and clearing the box disables the policy.

Protection Domain Name

The name for a group of network assets.

Table 21: Protection Domains page fields

90

About Protection Domains

Adding a protection domain

To add a protection domain:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Protection Domains.

The Protection Domains page appears.

2. Select the Protection Domain tab.

3. Click Add. The Add Protection Domain window appears.

4. Configure settings for the protection domain, and then click OK.

The Protection Domain appears in the list.

Editing the properties of a protection domain

To edit the properties of a protection domain:







The Edit Protection Domain window appears.

4. Edit the properties of the protection domain, and then click OK.



Removing a protection domain

To remove a protection domain:




3. Select a protection domain from the list, and then click Remove.

The protection domain is cleared from the list.

Comment A unique description of the group of network assets.

Adapter One of the appliance monitoring adapters or a list of monitoring adapters.

VLAN Range The range of virtual LAN tags.

IP Address Range The range of IP source and destination addresses.

Setting Description

Table 21: Protection Domains page fields



Managing Quarantine Rules

Introduction Quarantine rules are dynamically generated in response to detected intruder events. These rules prevent worms from spreading, and deny access to systems that are infected with backdoors or trojans.

About quarantine rules

The appliance creates quarantine rules in response to events and stores the rules in the Quarantine Rules table. Quarantine rules specify the packets to block and the length of time to block them.

Quarantine rules table

The following fields are available in the quarantine rules table:

Note: An asterisk * in a field means that the rule is ignoring that part of the rule.

Viewing a quarantine rule

To view a quarantine rule:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Quarantined Intrusions.

The Quarantine Rules Management page appears.

2. Select the rule from the Rules table, and then click Display.

Removing a quarantine rule

To remove a quarantine rule:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Quarantined Intrusions.

The Quarantine Rules Management page appears.

2. Select the quarantine rule from the Rules table, and then click Remove.

The appliance removes the rule.



Field Description

Source IP Indicates the source IP address of packets to block.

Source Port Indicates the source port number of packets (if protocol is 6 or 17) to block.

Dest IP Indicates the destination IP address of packets to block.

Dest Port Indicates the destination port number of packets (if protocol is 6 or 17) to block.

ICMP Type Indicates the ICMP type number of packets (if protocol is 1) to block.

ICMP Code Indicates the ICMP code number of packets (if protocol is 1) to block.

Protocol Indicates the IP protocol of the rule (ICMP=1, TCP=6, UDP=17).

Expiration Time Indicates the expiration time of the rule.

Block Percentage Indicates the percentage of packets that are dropped (values less than 100% can be used to lessen the impact of some denial-of-service attacks).

Table 22: Quarantine rules table fields

92

Overview

SECTION B: Connection Events

Overview

Introduction This section explains how to configure connection events for the appliance.


Topic Page

About Connection Events 94

Adding a Connection Event 96

Editing the Properties of a Connection Event 97

Removing a Connection Event 98



About Connection Events

What are connection events?

A connection event is network traffic that connects to the monitored network through a particular port, from a particular address, with a certain network protocol. These connections are detected by the appliance using packet header values, not because of their contents.

Connection events do not necessarily constitute an attack or other suspicious activity, but are network occurrences that might be of interest to a network security system administrator.

Connection event types

The sensor policy contains pre-defined connection event signatures for different types of connections, such as WWW, FTP, or IRC. By default, the policy has two signatures for each type of connection event so that you can configure one signature for incoming traffic and another signature for outgoing traffic.

You can create your own custom connection event signatures if the pre-defined signatures do not cover the traffic you need to monitor.

Connection events and your policy

By default, no connection event signatures are enabled in a policy. If you want the appliance to monitor connection events, you must enable and configure (if necessary) one or more connection event signatures.

About the Connection Events page

When you configure a connection event, use the following fields on the Connection Events page to customize the attributes of the event:

Column Description


Event The name of the event.

Comment A unique description of the event.

Severity The severity level of the event.

The severity levels are as follows:

• high

• medium

• low


The value is specified in seconds. At most, one event that matches a connection is reported during the specified interval. A value of zero disables event throttling.

Protocol The IP protocol of the event (ICMP=1, TCP=6, UDP=17).

ICMP Type/Code The set of ICMP types or codes for either side of the packet.

Table 23: Connection Events page fields

94

About Connection Events



• None


• WithoutRaw


• WithRaw



Default Quarantine The default blocking rules recommended by ISS X-Force for any signatures that have a blocking recommendation. This is useful if you change a blocking response and then would like to know what was recommended by X-Force.

Log Evidence Logs the packet triggered by the event to the /var/iss/ directory.

Source Port The source IP address.

Default: Any

Destination Port The destination IP address.

Default: Any


Log evidence Logs the packet triggered by the event to the /var/iss/ directory.

Quarantine Shows whether a quarantine response is configured for the event.



Column Description

Table 23: Connection Events page fields (Continued)



Adding a Connection Event

Introduction You can configure a connection event for the appliance.

Procedure To add a connection event:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Connection Events.

The Connection Events page appears.

2. Select the Connection Events tab.

3. Click Add.

The Add Connection Event page appears.

4. Configure settings for the connection event, and then click OK.

The event appears in the list.



96

Editing the Properties of a Connection Event

Editing the Properties of a Connection Event

Introduction You can edit the properties of a connection event.

Procedure To edit the properties of a connection event:







The Edit Connection Event window appears.






Removing a Connection Event

Introduction You can remove a connection event from the appliance.

Procedure To remove a connection event:






98

Overview

SECTION C: User-Defined Events

Overview

Introduction This section explains how to configure user-defined events for the appliance.


Topic Page

About User-Defined Events 100

Adding a User-Defined Event 102

Removing a User-Defined Event 104

Context Descriptions for User-Defined Events 105

Regular Expressions in User-Defined Events 111



About User-Defined Events

What are user-defined events?

You can define your own network events (or user-defined events) based on text pattern matching within specific context.

When to use If you want to monitor a type of event that the pre-defined signatures do not monitor, you can create a user-defined signature.

About the User Defined Events page

When you create a user-defined event, use the following fields on the User Defined Events page to customize the attributes of the event:

Column Description


Name Change the name of the user-defined event.

Comment A unique description of the event.

Severity The severity level of the event.

The severity levels are as follows:

• high

• medium

• low

Context Specify the type and part of a network packet for the appliance to scan.

You can choose from the following:

• DNS_Query

• Email_Receiver

• Email_Sender

• Email_Subject

• File_Name

• News_Group

• Password

• RPC_Request

• SMTP_Command

• SNMP_Community

• URL_Data

• URL_Post_Data

• URL_Raw_Data

• URL_Raw_Post_Data

• URL_User_Agent_Data

• User_Login_Name

• User_Probe_Name

•

Table 24: User Defined Events page fields

100

About User-Defined Events

Search String Specify the text string in the packet (context) that determines whether an event matches this signature. You can use wildcards and other expressions in strings.





• None


• WithoutRaw


• WithRaw



Log Evidence Logs the packet triggered by the event to the /var/iss/ directory.


Quarantine Shows whether a quarantine response is configured for the response.



Column Description

Table 24: User Defined Events page fields (Continued)



Adding a User-Defined Event

Introduction You can add a user-defined event to the appliance.

Procedure To add a user-defined event:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→User Defined Events.

The User Defined Events page appears.

2. Click Add.

The Add User Defined window appears.

3. Configure settings for the user-defined event, and then click OK.

The event appears in the list.



102

Editing the Properties of a User-Defined Event

Editing the Properties of a User-Defined Event

Introduction You can edit the properties of a user-defined event.

Procedure To edit the properties of a user-defined event:



2. Select the User Defined tab.




The Edit User Defined Event window appears.






Removing a User-Defined Event

Introduction You can remove a user-defined event.

Procedure To remove a user-defined event:



2. Select the User Defined tab.



104

Context Descriptions for User-Defined Events


Introduction A context is a parameter setting for user-defined signatures. The appliance uses the context setting to identify the type and particular part of a network packet to monitor.

Example: The email_subject context configures the appliance to monitor the subject line of email packets (messages).

Types of contexts The contexts for user-defined events are as follows:

● DNS_Query

● Email_Receiver

● Email_Sender

● Email_Subject

● File_Name

● News_Group

● Password

● SNMP_Community

● URL_Data

● User_Login_Name

● User_Probe_Name

DNS_Query context Most programs use domain names to access resources on the Internet. These programs search for the DNS name on a server to determine the specific IP of an Internet resource. Use the DNS_Query context to monitor access to particular sites or classes of sites without knowing specific IP addresses.

What it monitors: The DNS_Query context monitors the DNS name in DNS query and DNS reply packets over UDP and TCP. The appliance compares the information in the String box to the expanded (human-readable) version of the domain name in these packets.

Examples: For example, you could use the DNS_Query context along with a string value of www.microsoft.com to monitor users accessing the Microsoft Web site.

If you are concerned about users on your site accessing hacker-related materials on the Internet, you could monitor access to domains such as the following:

● hackernews.com

● rootshell.com

You could use this to generically monitor access to pornography from work or monitor other sites depending on corporate usage policies.

What it does not monitor: If a user accesses a site directly using an IP address, the DNS lookup does not occur and the appliance cannot, therefore, detect the event.



If you are trying to monitor for particular URLs, keep in mind that a domain name is only the first element in a URL. Use the URL_Data context (see “URL_Data context” on page 109) to detect the rest of the URL.

Definition—first element in a URL: The first element in a URL is between the ":" and the first single slash. For example, //www.cnn.com is the first element in http://www.cnn.com/stories.

Email_Receiver context

Use the Email_Receiver context to monitor incoming or outgoing email to a particular recipient.

What it monitors: The Email_Receiver context monitors the receiver address part of the email header using the SMTP, POP, IMAP protocols. When the appliance detects an event that matches a signature using the Email_Receiver context, you can determine which protocol the email used by examining the details of the event.

Examples: If, for instance, you suspect that “social engineering” manipulations of particular employees are being attempted, you might want to monitor for inbound email to those employees addresses, and log the IPs from which they come. Likewise, if you suspect some sort of proprietary information leak within your company to a particular outside email address, you could track email to that address using this context.

What it does not monitor: This context does not monitor email sent with the MAPI protocol.

Email_Sender context

Use the Email_Sender context to monitor incoming or outgoing email from a particular recipient.

What it monitors: The Email_Sender context monitors the sender address part of the email header using the SMTP, POP, IMAP protocols. When the appliance detects an event that matches a signature using the Email_Sender context, you can determine which protocol the email used by examining the details of the event.

Examples: Like the Email_Receiver context, one of the best examples of using the Email_Sender context is to detect instances of social engineering or other employee manipulation (inbound) or to detect information leaks from your company (outbound).


Email_Subject context

Use the Email_Subject context to monitor the subject line of email.

What it monitors: The Email_Subject context monitors the subject line in the email header of messages using the SMTP, POP, and IMAP protocols.

Examples: Like the other email contexts, this context is best suited to monitoring information leaks. For example, you could create signatures to detect the use of important project names or file names. (Email_content is also very useful in this manner.)

You can also use Email_Subject to detect viruses, such as the ILOVEYOU virus. However, because viruses and other attacks have developed programs that systematically change the subject line, the Email_Content context is more reliable to use.

106



File_Name context Use the File_Name context to monitor access over the network to sensitive files in your organization.

What it monitors: The File_Name context detects when someone (or a program) attempts to remotely read a file or write to a file with any of the following protocols:

● TFTP

● FTP

● Windows file sharing (CIFS or Samba)

● NFS

Example: The infamous Explorer worm of 1999 is a good example. When this worm propagates over a Windows network, it attempts to write to certain files on remote Windows shares. You can monitor for attempts to access these files and stop the worm from propagating locally. In this case, monitor the WIN.INI and ZIPPED_FILES.ZIP file names.

What it does not monitor: NFS can open files in many ways, some of which do not directly reference the name of the file. Therefore, using this context to monitor NFS access to a file is not 100% effective.

News_Group context

Use the News_Group context to monitor the names of news groups that people at your company use.

What it monitors: The News_Group context monitors people accessing news groups using the NNTP protocol.

Example: You can use the context to detect subscriptions to news groups, such as hacker or pornography groups, that are inappropriate according to your company’s Internet usage policy.

Password context Use the Password context to identify passwords that are passed in clear text over the network. When a password is not encrypted, an attacker can easily steal this password by monitoring traffic with a sniffer program from another site. Therefore, you should consider any passwords sent in clear text as compromised.

What it monitors: The Password context monitors programs or users sending passwords in clear text using the FTP, POP, IMAP, NNTP or HTTP protocols.

Examples: Other than monitoring clear text passwords to keep attackers from stealing passwords, you can use the Password context in other ways:

● monitoring compromised accounts to gain forensic data

● monitoring the accounts of employees that have been terminated

● detecting the use of default passwords

Example—Monitoring compromised accounts: For example, you can use this context to detect attempts to use accounts that you know have been compromised in the past. After cancelling a compromised account, you can create a signature to monitor attempt to use it.



The information gained from monitoring this activity may lead you to the person that accessed the compromised data.

Example—Monitoring terminated employee accounts: Likewise, when employees are terminated, add searches for their passwords (if known) to detect unauthorized remote access attempts to their now-closed accounts.

Example—Detecting the use of default passwords: Finally, a very common security vulnerability is the use of some pre-defined password on an account name for software or systems installed “out of the box.” The X-Force database contains many records detailing the names of such accounts. By setting up signatures to look for default passwords that are relevant to your site, you could detect attempts by attackers to probe for common vulnerabilities.

Reference: For more information about default passwords, look up passwords in the X-Force database at http://xforce.iss.net.

Using these signatures with Internet Scanner: If you scan this network with Internet Scanner, a signature using this context to check for default passwords may detect many instances of this event in response to a password scan.

What it does not monitor: This context does not monitor encrypted passwords.

SNMP_Community context

Use the SNMP_Community context to monitor the use and possible abuse of SMNP community strings.

What it monitors: The SNMP_Community context monitors any packet containing an SNMP community string.

Definition—SNMP community strings: An SNMP community string is a clear text password in an SNMP message. This password authenticates each message. If the password is not a valid community name, then the message is rejected.

Security implications: If an unauthorized person gains knowledge of your community strings, that person could use that information to retrieve valuable configuration data from your equipment or even reconfigure your equipment.

Security recommendations: ISS strongly recommends that you use highly unique community strings and that you reconfigure them periodically.

Examples: The following paragraphs describe two ways to use this context:

● detecting people trying to use old community name strings

● detecting the use of default community strings

Example—Detecting people trying to use old strings: If you change the SNMP community strings, create a signature using this context to have the appliance search people trying to use the old strings.

Example—Detecting the use of default strings: The X-Force database contains information about several vulnerabilities that involve default community strings on common equipment. Attackers can attempt to gain access to your equipment by using these default passwords. To have the appliance detect this kind of activity, you can create signatures using this context to monitor for the default passwords that are relevant to the

108

http://xforce.iss.net


equipment at your site. These signatures could detect attackers attempting to probe for these common vulnerabilities.

Reference: For more information about default passwords, look up SNMP in the X-Force database at http://xforce.iss.net.

Using these signatures with Internet Scanner: If you scan this network with Internet Scanner, a signature using this context to check for SNMP community strings may detect many instances of this event in response to a SNMP scan.

URL_Data context Use the URL_Data context to monitor various security issues or policy issues related to HTTP GET requests.

Definition—HTTP GET request: An HTTP GET request occurs when a client, such as a Web browser, requests a file from a Web server. For example, when a user types a URL into a browser, the browser sends an HTTP GET request for that page. The HTTP GET request is the most common way to retrieve files on a Web server.

What it monitors: The URL_Data context monitors the contents of a URL (minus the domain name or address itself) for particular strings, when accessed through an HTTP GET request.

Examples: You can use this context to have the appliance monitor for attacks involving vulnerable CGI scripts or other sorts of attacks against Web servers. For example, ISS Advisory #32, released on August 9, 1999, describes how to use this context to search for an attempt to exploit a vulnerability in a Microsoft Internet Information Server component.

Reference: For more information, see Vulnerabilities in Microsoft Remote Data Service at http://xforce.iss.net/alerts/advise32.php.

You could also use this context to generically search for certain types of computer misuse in an organization, such as attempts to access some pornography.

What it does not monitor: This context does not monitor the domain name associated with an HTTP GET request.

Reference: For information about monitoring access based on the domain, see “DNS_Query context” on page 105.

User_Login_Name context

Use the User_Login_Name context to detect user names that are exposed in plain text during authentication requests. This context works for many protocols, so you can use it to track attempts to use a particular account regardless of which protocol the attacker uses.

What it monitors: The User_Login_Name context monitors for plain text user names in authentication requests using the FTP, POP, IMAP, NNTP, HTTP, Windows, or R* protocols.

Examples: You can use this context to track attempts to use compromised accounts or attempts by recently dismissed employees to access their old accounts online.



http://xforce.iss.net/alerts/advise32.php


For example, if you know the account named “FredJ” was compromised in an attack, configure a signature using this context to search for attempts to access the account. This signature could catch attempts by an attacker to return to a compromised computer.

User_Probe_Name context

Use the User_Probe_Name context to identify attempts to gain access to computers on your network using default program passwords.

What it monitors: The User_Probe_Name context monitors any user name associated with FINGER, SMTP, VRFY, and SMTP EXPN.

Security implications: An attacker can use these default accounts to gain access to your servers or other computers in the future.

Example: Like the Password and SNMP_Community contexts, you can use the X-Force database to build a list of default accounts and passwords relevant to the systems and software on your network.

Reference: For more information about default passwords, look up SNMP in the X-Force database at http://xforce.iss.net.

110


Regular Expressions in User-Defined Events

Regular Expressions in User-Defined Events

Introduction Regular expressions are a combination of static text and variables that the appliance uses to detect patterns in network packets.

When to use Use regular expressions in user-defined signatures if you need to detect more than a single, static text string.

Regular expression library

The appliance uses a custom ISS regular expression library called Deterministic Finite Automata or DFA regular expression.

Changing the order of precedence

Use parentheses in these regular expressions to offset the standard order of precedence.

Example: The natural order of precedence would interpret 4+2*4 as 12, because in the natural order of precedence, multiplication takes precedence over addition. However, you can use parentheses to change this precedence. For example, if you use (4+2)*4, the answer would be 24 instead of 12. This example describes a mathematical use of the order of precedence, but many other non-numerical uses exist.

Reference: For more information about the order of precedence or other information about using regular expressions, see Mastering Regular Expressions: Powerful Techniques for Perl and Other Tools (O'Reilly Nutshell) by Jeffrey E. Friedl (Editor), Andy Oram (Editor).

Regular expression syntax

You can use the following syntax in the String box:

Meta-Character Description

(r) matches r

x matches x

xr matches x followed by r

\s matches either a space or a tab (not a newline)

\d matches a decimal digit

\” matches a double quote

\’ matches a single quote

\\ matches a backslash

\n matches a newline (ASCII NL or LF)

\r matches a carriage return (ASCII CR)

\t matches a horizontal tab (ASCII HT)

\v matches a vertical tab (ASCII VT)

\f matches a formfeed (ASCII FF)

\b matches a backspace (ASCII BS)

\a matches a bell (ASCII BS)

Table 25: String standard expressions



\ooo matches the specified octal character code

\xhhh matches the specified hexidecimal character code

. matches any character except newline

\@ matches nothing (represents an accepting position)

““ matches nothing

[xy-z] matches x, or anything between y and z inclusive (character class)

[^xy-z] matches anything but x, or between y and z inclusive

• the caret must be the first character, otherwise it is part of the set literally

• enter the dash as the first character if you want to include it

“text” matches text literally without regard for meta-characters within

• the text is not treated as a unit

r? matches r or nothing (optional operator)

r* matches zero or more occurrences of r (kleene closure)

r+ matches one of more occurrences of r (positive kleene closure)

r{m,n} matches r at least m times, and at most n times (repeat operator)

r|l matches either r or l (alternation operator)

r/l matches r only if followed by l (lookahead operator)

^r matches r only at the beginning of a line (bol anchor)

r$ matches r only at the end of the line (eol anchor)

r, l matches any arbitrary regular expression

m, n matches an integer

x,y,z matches any printable or escaped ascii character

text matches a sequence of printable or escaped ascii characters

ooo matches a sequence of up to three octal digits

hhh matches a sequence of hex digits

Meta-Character Description

Table 25: String standard expressions (Continued)

112

Overview

SECTION D: Trons Events

Overview

Introduction This section explains how to configure a Trons event for the appliance.


Topic Page

About Trons Events 114

Adding a Trons Rule 115

Editing the Properties of a Trons Rule 116

Removing a Trons Rule 117



About Trons Events

Introduction You can configure snort Intrusion Detection System (IDS) rules for the appliance.

Example of a Trons rule

The appliance supports the iss-response string as part of a snort or Trons rule. Valid responses are as follows:

● DISPLAY

● email

● SNMP

● user specified

Note: The email, SNMP, and user specified responses require a specific response.

The following example:

iss-response:"DISPLAY:WithoutRaw,EMAIL:Jon";

Note: If you do not specify the iss-response string in the Trons rule, the appliance will perform the default response DISPLAY:WithoutRaw.

would be used in a rule as follows:

alert tcp any any -> any any (msg:"tronstest"; flow:established,from_server; content:"Invalid"; sid:5001;iss-response:"DISPLAY:WithoutRaw,EMAIL:Jon";)

Reference: See the SnortTM Web site at http://www.snort.org for more information on creating Trons rules.

About the Trons Events page

When you create a Trons event, use the following fields on the Trons Events page to customize the attributes of the event:

Column Description


Comment A unique description of the Trons rule.

Rule String Specify the text string in the rules that determines whether an event matches this signature. You can use wildcards and other expressions in the strings.

Risk The risk level of the event. The risk levels are as follows:

• high

• medium

• low



Table 26: Trons Events page fields

114

http://www.snort.org

Adding a Trons Rule

Adding a Trons Rule

Introduction You can add a Trons rule to be used by the appliance.

Procedure To add a Trons rule:

1. On the Proventia Manager navigation pane, select Intrusion Prevention→Trons Events.

The Trons Settings page appears.

2. Select the TronsRule tab.

3. Click Add.

The Add TronsRule window appears.

4. Configure settings for the rule, and then click OK.

The rule appears in the list.





Editing the Properties of a Trons Rule

Introduction You can edit the properties of a Trons rule.

Procedure To edit the properties of a Trons rule:







The Edit TronsRule window appears.

4. Edit the properties of the rule, and then click OK.



116

Removing a Trons Rule

Removing a Trons Rule

Introduction You can remove a Trons rule if you no longer need it.

Procedure To remove a Trons rule:




3. Select a rule from the list, and then click Remove.

The rule is cleared from the list.



118

TM

Part III

Managing theAppliance

Chapter 8

Firewall Settings

Overview

Introduction You can configure firewall rules to block attacks based on various source and destination information in the packet. You specify this information in rule statements.


Topic Page

About Firewall Rules 122

Firewall Rules Language 124

Customizing Firewall Rules 127

Firewall Advanced Parameters 129


Chapter 8: Firewall Settings

About Firewall Rules

Firewall rules and actions

The firewall supports several different actions that describe how the firewall reacts to the packets matched in the rules, or statements. These actions are defined as follows:

Configuring firewall rules

You can configure firewall rule statements manually or from Proventia Manager.

If you manually configure firewall rules, you must construct the firewall rule statements using the firewall rule language described in “Firewall Rules Language” on page 124. If you configure firewall rules from Proventia Manager, Proventia Manager constructs the rule statements for you using the values you have specified. See“Customizing Firewall Rules” on page 127 for procedures.

Note: Configuring rules manually provides more flexibility when writing firewall rules.

Rule ordering The appliance reads the list of rules from top to bottom and applies corresponding actions.

If a packet comes across the network that matches a rule that has the Ignore action set, then the rest of the rules in the firewall are ignored (for that packet) when the action is executed. This allows for increased granularity in the rules.

Rule ordering example

Use two statements to kill all connections coming into a network segment except those destined to a specific port on a specific host.

adapter any IP src addr any dst addr xxx.xx.x.xx tcp dst port 80

(Action = “ignore”)

adapter any ip src addr any dst addr xxx.xx.x.1-xxx.x.x.255

(Action = “drop”)

Rule Description

Ignore Enables the matching packet pass through, so that no further actions or responses are taken on the packet.

Protect Enables matching packets to be processed by normal responses, such as (but not limited to) logging, the block response, and quarantine response.

Monitor Functions as an IP whitelist. Applies to packets that match the statements bypass the quarantine response and bypass the block response. However, all other responses still apply to the packet.

Drop Drops the packets as they pass through the firewall. Because the firewall is inline, this action prevents the packets from reaching the target system. To the person whose packet is dropped, it appears as if the target system simply does not respond. The connection most likely makes several retry attempts, and then the connection eventually times out.

Drop and Reset Functions in the same manner as the drop action, but sends a reset TCP to the source system. The connection terminates more quickly (because it is automatically reset) than with the drop action.

Table 27: Firewall actions

122

About Firewall Rules

The first rule allows all traffic to port 80 on the host xxx.xx.x.xx to pass right through as legitimate traffic to a Web server. All other traffic on that network segment is dropped.

If you reversed the order of those two rules, all traffic to that segment is dropped, even traffic to the Web server on xxx.xx.x.xx.

Note: These rules can be applied to not only TCP traffic, but also to ICMP and UDP traffic. This allows you to effectively block (through the drop action) UDP connections.

To change the order of a firewall rule:

1. On the Proventia Manager navigation pane, select Firewall Settings.

The Firewall Settings page appears.

2. Select the Firewall Rules tab.

3. Select an entry, and then use the UP or DOWN arrow keys to move the filter.

Mode differences The firewall rules, as described, work only in inline modes. When the appliance is set to passive mode it works like a traditional sensor, and is not in the “direct path” of the packets. Therefore, the firewall rules are disabled in passive mode. However, traditional responses such as Email still work in all modes.

Network traffic is not affected when the appliance is in simulation mode. This is a good way to set up the appliance on a real network. Packets still pass through, and the appliance describes what it would have done to your traffic had you enabled it.



Firewall Rules Language

Firewall clauses A firewall rule consists of several clauses that can be chained together to match specific criteria for each packet. The clauses represent specific layers in the protocol stack.

Types of clauses Each clause can be broken down into conditions and expressions. The expressions are the variable part of the rule in which you plug in your address, port, or numeric parameters.

The clauses are as follows:

Expression overview An expression describes a list of values that must match the clause’s protocol parser. Each clause is directly responsible for matching a specific layer in the protocol stack. The syntax and accept range of values is determined by the clause. The expression can be a single value, a comma separated list of values, or a range set.

<value><value>, <value><value> - <value>

Adapter clause The adapter clause indicates a specific adapter where the rule is applied. The supported adapter expressions are any and the letters A through H. If you do not specify an adapter clause, the rule matches packets on any adapter.

adapter <adapter-id>adapter Aadapter anyadapter A,Cadapter A-C

Ethernet clause You can use the Ethernet clause to filter 801.1q VLAN traffic or allow/deny specific types of Ethernet protocols. You can find the list of protocol types at http://www.iana.org/assignments/ethernet-numbers. Ethernet protocol constants can be specified in decimal, octal, hexadecimal, or alias notation. To make it easier to block specific types of Ethernet traffic, you can specify an alias instead of the well-known number. In some cases, the alias blocks more than one port (for example, ipx and pppoe).

ether proto <protocol-id>ether proto {arp|aarp|atalk|ipx|mpls|netbui|pppoe|rarp|sna|xns}ether vid <vlan-number>ether vid <vlan-number> proto <protocol-id>

Clause Description

Adapter clause Specifies a set of adapters from A through H that attaches the rule to a specific adapter.

Ethernet clause Specifies either a network protocol type or virtual LAN (VLAN) identifier to match the 802.1 frame.

IP datagram clause Specifies the transport level filtering fields such as IPv4 addresses, TCP/UDP source or destination ports, ICMP type or code, or a specific IP protocol number.

Table 28: Types of clauses

124

http://www.iana.org/assignments/ethernet-numbers

http://www.iana.org/assignments/ethernet-numbers

Firewall Rules Language

ether proto !arpether vid 1 proto 0x0800ether vid 2 proto 0x86ddether vid 3-999 proto 0x0800,0x86dd

IP datagram clause The IP datagram clause identifies the protocol that resides inside the IP datagram and the protocol-specific conditions that must be satisfied in order for the statement to match. Currently, only ICMP, TCP, and UDP conditions are supported, but you can specify filters based on any IP protocol. If you do not specify an IP datagram clause, the statement will match any IP datagram protocol.

The first and second statements below block source and destination IP packets that match the IP address expression. The third statement below blocks source or destination IP packets that match the IP address expression. The fourth statement below blocks IP packets that match the protocol type. The fifth statement is a combination of the first and second statements. The sixth statement is a combination of the first, second, and fourth statements.

1. ip src addr <IPv4-addr>2. ip dst addr <IPv4-addr>3. ip addr <IPv4-addr>4. ip proto <protocol-type>5. ip src addr <IPv4-addr> dst addr <IPv4-addr>6. ip src addr <IPv4-addr> dst addr <IPv4-addr> proto <protocol-type>

Examplesip addr 192.168.10.1/24ip addr 192.168.10.0-192.168.10.255

TCP and UDP conditions

The TCP and UDP port numbers can be specified in decimal, octal, or hexadecimal notation. The port’s value range is 0 through 65534.

tcp src port <TCP-UDP-port>tcp dst port <TCP-UDP-port>tcp dst port <TCP-UDP-port> src port <TCP-UDP-port> udp src port <TCP-UDP-port>udp dst port <TCP-UDP-port>udp dst port <TCP-UDP-port> src port <TCP-UDP-port>

ICMP conditions ICMP conditions can be specified in decimal, octal, or hexadecimal notation. You can find the valid number for type and code at http://www.iana.org/assignments/icmp-parameters.

icmp type <protocol-type>icmp code <message-code>icmp type <protocol-type> code <message-code>

Expressions An expression specifies the set of allowable header values. An expression will match if at least one value in the set matches the header field. Currently, expressions exist to specify adapter numbers, IPv4 addresses, TCP and UDP port numbers, ICMP message type and codes, and IP datagram protocol numbers. An expression can specify a single value, a hyphen-separated range of values, or a comma-separated combination of values and ranges. You can use the keyword any as a value in all expressions to specify all possible values.


http://www.iana.org/assignments/icmp-parameters

http://www.iana.org/assignments/icmp-parameters


Not Expressions: An expression that begins with an exclamation mark (!) is called a not-expression. A not-expression will match all values except those specified. A not-expression that does not match any values will generate an error.

IPv4 address:

The <n> can be either hex or decimal number in a range from 0 to 255. All hex numbers must have a 0x prefix.

The second example demonstrates the list syntax. The third example specifies an address using CIDR format and the netmask value must have a range from 1 to 32. The last example shows an address where the first value must be greater than last.

n.n.n.nn.n.n.n, n.n.n.nn.n.n.n / <netmask>n.n.n.n - n.n.n.n

TCP/UDP ports, protocol identifiers, or numbers:

The values listed for any constant must be within the fields required range; otherwise the parser will refuse the parse clause.

0xFFFF655350, 1, 20 - 2 ! 3 - 65535

Examples The following statements are examples of complete firewall rules. If you do not specify a protocol, the rule assumes and uses the any protocol.

adapter A ip src addr 192.168.10.1 adapter A ip src addr 192.168.10.1 dst addr any tcp src port 20 dst port 80adapter any ip src addr any dst addr 192.168.10.1adapter any ip src addr any dst addr any icmp type 8tcpadapter B icmpudp

126

Customizing Firewall Rules

Customizing Firewall Rules

Introduction You can customize firewall rules so that a policy matches your security plan needs.

Firewall guidelines The following guidelines apply to firewalls:

● firewall rules are available for inline appliances only

● when appropriate, using firewall rules is preferred over the use of connection events, to help improve the efficiency of the appliance

Adding a constructed firewall rule to the appliance

To add a constructed firewall rule to the appliance:



2. Click Add.

The Add Firewall Rules window displays the Enabled box.

3. Type a comment about the rule in the Rule Comment field.

4. Select whether to log the details of packets that match this rule in the Log box.

Note: Firewall log is located in the /var/iss directory.

5. Select a firewall action from the Action list.

6. Select the Constructed rule type in the Rule Type field.

7. Enter a range of VLAN tags in the VLAN field.

8. Select a protocol from the Protocol list.

9. Configure the source and destination IP addresses and ports in the IP Address and Port field.

10. Click OK.

The rule appears in the list.

Entering a firewall rule manually

To manually enter a firewall rule:



2. Select the Firewall Rules tab.

3. Click Add.

The Add Firewall Rules window appears.

4. Select the Enabled box.

5. Type a comment about the rule in the Rule Comment field.

6. Select whether to copy the log file to the /var/iss/ directory in the Log field.

7. Select a firewall action from the Action list.

8. Select the Manually Entered rule type in the Rule Type field.

9. Type in the rule in the Firewall Rule field.

10. Click OK. The rule appears in the list.



Removing a firewall rule

To remove a firewall rule:



2. Select an entry, and then click Remove.

The rule is cleared from the list.

128

Firewall Advanced Parameters

Firewall Advanced Parameters

Introduction You can tune firewall rules using advanced parameters.

List of name/value pairs

The following table describes the name/value pairs and includes the default value for each pairs.

Name Description Field Type/Values Default Value

np.firewall.log Determines whether to log the details of packets that match firewall rules that are enabled.

string on

np.firewall.log.count Number of firewall log files. number 10

np.firewall.log.prefix Prefix of firewall log file name. string /var/iss/fw

np.firewall.log.size Maximum size of a firewall log file in bytes. number 1400000

np.firewall.log.suffix Suffix of firewall log file name. string .log

Table 29: Firewall advanced parameters



130

Chapter 9

Managing the System

Overview

Introduction This chapter describes how to view the status of the system and how to change settings and properties of the system.


Topic Page

Viewing the Status of System Settings 132

Changing Appliance Passwords in Proventia Manager 133

Configuring an SNMP Trap 135

Configuring an Email Notification Response 136

Editing the Network Card Properties 137

Configuring the Size of the Alert Queue 139

Configuring an Advanced Local Tuning Parameter 140

Configuring a Global Tuning Parameter 145

Configuring a Global Tuning Parameter 145

Configuring the External Kill Port 147

Using the Traceroute Utility 150

Pinging a Computer 151

Stopping the Appliance 152


Chapter 9: Managing the System

Viewing the Status of System Settings

Introduction You can view data for the following statistics types:

● memory usage

● CPU usage

Viewing the system status

To view the system status:

● On the Proventia Manager navigation pane, select System.

The System Status page appears.

Memory usage The following table describes memory usage statistics:

CPU usage The following table describes CPU usage statistics:


Total memory Amount of memory installed on the appliance.

Used memory Amount of memory currently used by running processes.

Free memory Amount of unused memory on the appliance.

Table 30: Memory usage


User Percentage of CPU resources used by user-level processes

System Percentage of system resources used by the kernel.

Idle Percentage of CPU resources currently not used.

Table 31: CPU usage statistics

132

Changing Appliance Passwords in Proventia Manager

Changing Appliance Passwords in Proventia Manager

Introduction You can change the following passwords in your Proventia Manager interface:

● root password for the command line

● administrative (admin) password for the Proventia appliance (for accessing the Proventia Setup Utility)

● Web administrative password for the Proventia Manager

● the boot loader (root) password that protects the appliance boot process

Caution: Record and protect your passwords. If you lose a password, you must reinstall the appliance and reconfigure your network settings.

Changing the root password

To change the root password:

1. On the Proventia Manager navigation pane, select System→Access.

The Access Control page appears.

2. In the root section, type the Current Password.

3. Click Set Password located below the New Password.

4. Type your new password, and then type it again to confirm.

5. Click OK.

The password displays as asterisk placeholders.

6. Click Save Changes.

Changing the administrative password

To change the administrative (admin) password:



2. In the Admin section, type the Current Password.



5. Click OK.






Changing the Proventia Manager password

To change the Proventia Manager password:



2. In the Proventia Manager User section, type the Current Password.



5. Click OK.



Enabling or disabling the boot loader password

The boot loader password (which is the root password) protects the appliance from unauthorized users during the boot process.

Important: When you enable the boot loader password, you must enter the root password to use a boot option other than the default. The appliances use the following default boot options:

● G400 appliance uses the UP kernel

● G2000 appliance uses the SMP kernel

To enable the boot loader password:



2. In the Boot Loader section, do one of the following:

■ select the Enable bootloader password box to enable

■ clear the Enable bootloader password box to disable



134

Configuring an SNMP Trap

Configuring an SNMP Trap

Introduction You can configure how the appliance sends SNMP traps to a consolidated SNMP server.

Procedure To configure an SNMP trap:

1. On the Proventia Manager navigation pane, select System→Local Tuning Parameters.

The Local Tuning Parameters page appears.

2. Select the Alerts tab.

3. Select the Send SNMP Trap box in the following areas:

■ Sensor Error

■ Sensor Warning

■ Sensor Informative

4. Click Configure SNMP.

The Configure SNMP window appears.

5. Click Add.

The Add SNMP window appears.

6. Type the name of the response in the Name field.

7. Type the IP address in the Manager field.


8. Type the appropriate community name (public or private) in the Community field.





Configuring an Email Notification Response

Introduction You can send alerts by email to an individual address or email group. You can define multiple email notifications for these responses and configure the data sent.

Procedure To configure an email notification response:



2. Select the Alerts tab.

3. Select the Send Email box in the following areas:

■ Sensor Error

■ Sensor Warning

■ Sensor Informative

4. Click Configure Email.

The Configure Email window appears.

5. Click Add.

The Add Email window appears.


7. Type the mail server (as a fully qualified domain name or IP address) in the SMTP Host field.

The SMTP Host must be accessible to the appliance to send email notifications.

8. Type an individual recipient or email group in the To field.

9. Select one or more subject fields.

10. Select one or more body fields.

11. Click OK.



136

Editing the Network Card Properties

Editing the Network Card Properties

Introduction You can edit the properties of the network card used by the appliance.

About the Card Management page

When you edit the network card properties, use the following fields in the Card Management page to customize the attributes of the network card:

Column Description

Card Name The name of the network card.

Note: You cannot change the name of the network card.

Port Lets you associate a meaningful name (such as Finance Department Network Segment) with each port.

Default: The port names match the labels A, B, C, D, E, F, G, and H that are on the back of the appliance. The ports are arranged as pairs of ports on a card as follows:

• A with B on Card1

• C with D on Card2

• E with F on Card3

• G with H on Card4

Port Speed/Duplex Settings The method the network card uses to determine link speed and mode.

The methods are as follows:

• Auto-Negotiate

Allows two interfaces on a link to select the best common mode automatically, the moment a cable is plugged in.

Important: ISS recommends that you leave this setting at Auto-Negotiate unless you need to change the setting, such as if there is a switch or other network device that does not support auto-negotiation or if the auto-negotiation process is taking too long to establish a link.











Table 32: Card Management page fields



Procedure To edit the network card properties:



2. Select the Card Management tab.

The Card List window appears.

3. Select a card from the list, and then click Display.

The Display Card List window appears.

4. Edit the properties of the network card, and then click OK.


The new settings are applied to the card.

Unanalyzed Policy How the agent processes traffic when the network is congested.

The settings are as follows:

• Forward

Forwards traffic without processing it, or fails open to traffic. When traffic levels return to normal, the agent resumes normal operation.

• Drop

Blocks some of the traffic without processing it, or fails closed to traffic. When traffic levels return to normal, the agent returns to normal operation.


Propagate Link If set to true, if one of the links is down (cable broken, cable disconnected), then the link on the corresponding inline port is also taken down by the network driver.


Adapter Mode The operation mode of the appliance.

The operation modes are as follows:





• monitoring


Column Description


138

Configuring the Size of the Alert Queue

Configuring the Size of the Alert Queue

Introduction You can set how large a queue file can become before alerts are lost and how the queue file handles alerts after the maximum file size is reached.

The appliance uses the queue file to store alerts that have not yet been collected by its event collector.

About the Alert Queue page

When you configure the size of the alert queue, use the following fields in the Alert Queue page to customize the attributes of the queue:

Procedure To determine the size of the alert queue:



2. Select the Alert Queue tab.

The Alert Queue page appears.

3. Type in the file size you want for the alert queue in the Alert queue max size field.

4. Determine the method used by the appliance once the queue has reached its maximum capacity in the Alert queue full policy field.

5. Click Save Changes to save your settings.

Option Description

Alert queue max size The maximum size of the queue in which alerts are sent to the event collector.

Alert queue full policy The method used by the appliance once the queue has reached its maximum size.

The methods are as follows:

• Stop Logging

The queue file stops logging alerts when the maximum file size is reached.

• Wrap Around

The queue file overwrites the oldest alert in order to create space for the new alert, when the maximum file size is reached.

Table 33: Alert Queue page fields



Configuring an Advanced Local Tuning Parameter

Introduction You may need to tune common appliance settings such as:

● adapter parameters

● driver parameters

● sensor parameters

● netprotect parameters

Location of local tuning parameters

You tune these parameters on the Proventia Manager Home page by adding or editing name and value pairs from the System→Local Tuning Parameters→Advanced Parameters tab.

Common tuning parameters

The following table describes the common tuning parameters:

Name Type Default Value Description

crm.history.enabled boolean true Determines whether to log administrative history.

crm.history.file string /var/iss/crmhistory.log

The administrative history file name.

crm.policy.numbackups integer 4 The number of previous policy files to save.

engine.adapter.high-water.default

integer 5 The number of packets per traffic sampling interval that are expected to flow on each adapter. The high-water mark is used to prevent multiple low traffic warnings from being issued when the traffic is hovering around low-water mark.

engine.adapter.low-water.default

integer 1 The minimum number of packets per traffic sampling interval that are expected to flow on each adapter. The low-water mark is used as the threshold to issue Network_Quiet and Network_Normal audit events.

engine.droplog.enabled boolean false Determines whether logging of dropped packets is enabled.

engine.droplog.fileprefix string /var/iss/drop The drop log file name prefix.

engine.droplog.filesuffix string .enc The drop log file name suffix.

engine.droplog.flush boolean false Disables buffering of dropped packets. Enabling this adversely affects performance.

engine.droplog.maxfiles integer 10 The number of drop log files to save.

engine.droplog.maxkbytes integer 10000 (kb) The maximum size of a drop log file.

engine.evidencelog.fileprefix string /var/iss/evidence The evidence file name prefix.

engine.evidencelog.filesufffix string .enc The evidence file name suffix.

engine.evidencelog.maxfiles integer 10 The number of evidence files to save.

Table 34: Common tuning parameters

140


engine.evidencelog.maxkbytes

integer 10000 (kb) The maximum size of an evidence file.

engine.log.file string /var/iss/engine#.log

The engine log file name.

engine.pam.logfile string /var/iss/pam#.log The PAM log file name.

engine.statistics.interval integer 120 The number of seconds between statistics gathering.

np.drop.invalid.checksum string true Determines whether to block packets with checksum errors in inline protection mode.

np.drop.invalid.protocol string true Determines whether to block packets that violate protocol in inline protection mode.

np.drop.resource.error string false Determines whether to block packets if there are insufficient resources to inspect them in inline protection mode.

np.drop.rogue.tcp.packets string false Determines whether to block packets that are not part of a known TCP connection in inline protection mode.

np.firewall.log string on Determines whether to log the details of packets that match firewall rules that are enabled.

np.log.quarantine.added string on Logs the details of rules that are added to the quarantine table.

np.log.quarantine.expired string on Logs the details of rules that have expired from the quarantine table.

np.log.quarantine.removed string on Logs the details of rules that are removed from the quarantine table before they have expired.

np.statistics string on Determines whether logging of PAM statistics is enabled.

np.statistics.file on /var/iss/pamstats.dat

The PAM statistics file name.

pam.traffic.sample boolean true Enables traffic sampling for the purpose of detecting abnormal levels of network activity. This parameter affects the Network_Quiet and Network_Normal audit events.

pam.traffic.sample.interval integer 300 The interval, expressed in seconds, at which traffic flow should be sampled for the purpose of detecting abnormal levels of network activity. This parameter affects the Network_Quiet and Network_Normal audit event.

sensor.trace.level integer 3 The Proventia G log level.

Update.certificate.file string /etc/httpd/conf/ssl.crt/ca-bundle.crt

Specifies the SSL Cert Authority file to use when connecting to the Update Server.

Update.proxy.enable boolean false Enables the use of the HTTP proxy server when connecting to the Update Server.


Table 34: Common tuning parameters (Continued)



engine.evidencelog.maxkbytes

integer 10000 (kb) The maximum size of an evidence file.

engine.log.file string /var/iss/engine#.log

The engine log file name.

engine.pam.logfile string /var/iss/pam#.log The PAM log file name.

engine.statistics.interval integer 120 The number of seconds between statistics gathering.

np.drop.invalid.checksum string true Determines whether to block packets with checksum errors in inline protection mode.

np.drop.invalid.protocol string true Determines whether to block packets that violate protocol in inline protection mode.

np.drop.resource.error string false Determines whether to block packets if there are insufficient resources to inspect them in inline protection mode.

np.drop.rogue.tcp.packets string false Determines whether to block packets that are not part of a known TCP connection in inline protection mode.

np.firewall.log string on Determines whether to log the details of packets that match firewall rules that are enabled.

np.log.quarantine.added string on Logs the details of rules that are added to the quarantine table.

np.log.quarantine.expired string on Logs the details of rules that have expired from the quarantine table.

np.log.quarantine.removed string on Logs the details of rules that are removed from the quarantine table before they have expired.

np.statistics string on Determines whether logging of PAM statistics is enabled.

np.statistics.file on /var/iss/pamstats.dat

The PAM statistics file name.

pam.traffic.sample boolean true Enables traffic sampling for the purpose of detecting abnormal levels of network activity. This parameter affects the Network_Quiet and Network_Normal audit events.

pam.traffic.sample.interval integer 300 The interval, expressed in seconds, at which traffic flow should be sampled for the purpose of detecting abnormal levels of network activity. This parameter affects the Network_Quiet and Network_Normal audit event.

sensor.trace.level integer 3 The Proventia G log level.

Update.certificate.file string /etc/httpd/conf/ssl.crt/ca-bundle.crt

Specifies the SSL Cert Authority file to use when connecting to the Update Server.

Update.proxy.enable boolean false Enables the use of the HTTP proxy server when connecting to the Update Server.



142


Adding a local tuning parameter

To add a local tuning parameter:




3. Click Add.

The Add Advanced Parameter window appears.


5. Type a meaningful description of the parameter in the Comment field.


7. Click OK.



Editing a local tuning parameter

To edit a local tuning parameter:




3. Select an advanced parameter, and then click Edit.





Copying and pasting a local tuning parameter

You can copy and paste a local tuning parameter before you edit it. This is useful if you want to add an parameter that is similar to an parameter already in the list.

To copy and paste a local tuning parameter:




Update.proxy.port integer none The port number of HTTP proxy for connecting to the Update Server.

Update.source.url string https://www.iss.net/XPU

Specifies the address of the Update Server.












Removing a local tuning parameter

To remove a local tuning parameter:








144

Configuring a Global Tuning Parameter

Configuring a Global Tuning Parameter

Introduction You may need to tune the intrusion prevention settings and apply those settings globally to a group of network assets.

Location of global tuning parameters

You can add or edit name/value pairs from the Intrusion Prevention→Global Tuning Parameters→Tuning Parameters tab.

Adding a global tuning parameter

To add a global tuning parameter:


2. Select the Tuning Parameters tab.

3. Click Add.

The Add Advanced Parameter window appears.


5. Type a meaningful description of the parameter in the Comment field.


7. Click OK.



Editing a global tuning parameter

To edit a global tuning parameter:



3. Select a parameter, and then click Edit.





Copying and pasting a global tuning parameter

You can copy and paste a parameter before you edit it. This is useful if you want to add a parameter that is similar to an parameter already in the list.

To copy and paste a global tuning parameter:












Removing a global tuning parameter

To remove a global tuning parameter:







146

Configuring the External Kill Port


Introduction You can use the appliance to monitor (read-only) SPAN ports on network equipment. To monitor (read-only) SPAN ports, you must configure the appliance’s external kill port.If using (read-only) monitoring ports, the appliance must send kills on another interface.

Note: The appliance is configured by default to send kills through the monitoring ports even in passive monitoring mode. For example, if you are monitoring through a hub, you won’t need to configure the external kill port.

Procedure To configure the external kill port:

1. Connect the kill port (labeled 0 on the back of the appliance) to the network.

2. Determine the MAC address of the router of the kill port (eth0). Your system administrator can give you the MAC address of the router.

3. You can run a script on the appliance named get-reset-config to obtain the necessary MAC addresses.

4. Login to the appliance as root and run get-reset-config.

Run script without parameters and get-reset-config displays usage information.

Run script with required parameters and get-reset-config displays the MAC address.

Note: get-reset-config utility requires a temporary IP address to connect to the network in order to detect the router’s MAC address. During normal operation kill port is in stealth mode and does not require an IP address

5. Add the local tuning parameter np.macaddress.destination to configure the MAC address of the router:

np.macaddress.destination = XX:XX:XX:XX:XX:XX

6. Determine the MAC address of the kill port (eth0):

Note: If you do not specify the MAC address of the kill port, the appliance will detect it. You can also use the get-reset-config utility to display the MAC address of the kill port.

7. Add the local tuning parameter np.macaddress.source to configure the MAC address of the kill port:

np.macaddress.source = XX:XX:XX:XX:XX:XX

8. Enable the external kill port for one or more monitoring adapters.

9. Add the local tuning parameter np.adapter.X.reset and set its value to false (where x is the adapter number):

np.adapter.X.reset = false



Local tuning parameters

The following local tuning parameters are only used in Passive Monitoring mode. If you switch to Inline Protection or Inline Simulation mode, these parameters will be ignored.

Reference: See “Adding a local tuning parameter” on page 143.

Name Type Description Value

engine.adapter.0.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter A.

Set to False to send the kills through the external kill port.

Set to True to send the kills through the monitoring adapter. (This is the default setting.)

engine.adapter.1.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter B.



engine.adapter.2.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter C.



engine.adapter.3.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter D.



engine.adapter.4.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter E.



engine.adapter.5.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter F.



148


engine.adapter.6.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter G.



engine.adapter.7.reset boolean Determines whether kills are sent through the monitoring adapter or the external kill port for the monitoring adapter H.



Name Type Description Value



Using the Traceroute Utility

Introduction You can use the traceroute utility to obtain a list of all the routers along the path to a computer or destination.

Traceroute protocols

The following types of protocols are used for the traceroute utility:

Procedure To use the traceroute utility:

1. On the Proventia Manager navigation pane, select System→Tools.

The System Tools page appears.

2. In the Diagnostics area, type the IP address you want to trace in the Traceroute field.

3. Select a protocol in the Protocol area. The options are as follows:

■ UDP (User Datagram Protocol)

■ ICMP (Internet Control message Protocol)

4. Click Submit.

The traceroute results appear in the Diagnostics area.

Traceroute protocol

Description

UDP The UNIX traceroute command. When you select a UDP traceroute protocol, the appliance sends a UDP packet to a random port on the target host. The TTL (Time to Live) field and the destination port field are incremental for each ICMP Port Unreachable message that is returned, or 30 hops are reached.

ICMP The Windows tracery command. When you select an ICMP traceroute protocol, the TTL (Time to Live) field and the destination port field are incremental for each ICMP Echo Request message that is returned, or 30 hops are reached.

Table 35: Traceroute protocols

150

Pinging a Computer

Pinging a Computer

Introduction You can ping a computer on your network to determine if the computer is reachable.

Procedure To ping a computer:



2. In the Diagnostics area, type the IP address of the computer you want to test in the Ping field.

3. Click Submit.

The ping results appear in the Diagnostics area.



Stopping the Appliance

Introduction You can either shut down or reboot the appliance.

Rebooting the appliance

To reboot the appliance:



2. In the System area, click Reboot.

The Reboot in Progress page appears, and then the appliance reboots.

Shutting down the appliance

To shut down the appliance:



2. In the System area, click Shut Down.

The Shutdown in Progress page appears, and then the appliance shuts down.

Important: After the appliance shuts down, you must press the POWER button to manually restart the appliance.

152

Chapter 10

Managing Alerts

Overview

Introduction This chapter describes how to manage and view alerts.


Topic Page

Accessing the Alerts Page 154

Getting More Information about Alerts 155

Refreshing and Searching the Alerts List 156

Saving the Alerts List 158

Clearing the Alerts List 159

Managing Saved Alert Files 160


Chapter 10: Managing Alerts

Accessing the Alerts Page

Viewing security and system alerts

Use the Alerts page to view security and system-related alerts. You also use this page to access the Log File Management page.

About the alerts list The alerts list contains the following types of alerts:

● intrusion prevention alerts that are related to attempted attacks that occur in your network

● system alerts that are related the appliance and its operation

Risk level icons You can determine the risk level of an alert by the icon in the Risk Level column of the log file. The risk levels are as follows:

Information icons Additional information is available by clicking the information icons in the Alert Name column of the log file. The information icons are as follows:

Procedure You can display the Alerts page in two ways:

● When you click an Alerts subnode for a module in the navigation pane, the Alerts page displays alerts for that module.

● When you click the Alerts button at the top of any page, the Alerts list displays all alerts.

Icon Description

Indicates a Low Risk alert.

Indicates a Medium Risk alert.

Indicates a High Risk alert.

Table 36: Risk level icons

Icon Description

Links to an X-Force Alert Description of the alert.

Table 37: Information icons

154

Getting More Information about Alerts

Getting More Information about Alerts

Introduction You can obtain more information about alerts that you see in the Alerts list, such as:

● viewing alert details

● getting intrusion prevention information

Viewing alert details To view alert details:

1. On the Proventia Manager navigation pane, select System→Alerts.

The Alerts page appears.

2. Click the alert name in the Alert Name column.

The Alert Details window appears.

Tip: Click the UP or DOWN arrow keys to view details of the previous or next alert.

Getting intrusion prevention information

To get more information about intrusion prevention alerts:

1. On the Proventia Manager navigation pane, click the System→Alerts.


2. Click the X-Force Alert icon in the Alert Name column.

The X-Force Alert Description of the alert appears.



Refreshing and Searching the Alerts List

Viewing the latest alerts

You can refresh the alerts list to ensure that you are viewing the latest alerts. You can also filter alerts, and search the alerts list to find information about a specific alert.

Prerequisite for searching

Before you search the alerts list, you must know the 26-character alert ID number of the alert.

Filtering the alert lists

You can filter the alerts list by any of the following options:

● Risk Level

● Alert Name

● Alert Type

● Date and Time

● Source IP

● Target IP

● Source and Target IP

● Source Port

● Target Port

To filter the alerts list:



2. Select an option from the Filter Options list.

3. In the field that appears, type or select the criteria for the filter.

4. Click Go.

The list displays the alerts that match your criteria.

To remove the filter from the alerts list:



2. Select Filter Off, and then click Go.

The list displays all alerts.

Refreshing the alerts list

You can refresh the alerts list manually or automatically at certain intervals. The refresh data options are as follows:

● Refresh Now (Use this option to manually refresh the page.)

● every 10 seconds



● every 1 minute

● every 2 minutes

156

Refreshing and Searching the Alerts List

● Auto Off (Use this option to disable automatic refresh.)

To refresh the alerts list:



2. Select one of the options from the Refresh Data list.

The list is refreshed to display the latest alerts.

Searching the alerts list

To search the alerts list:



2. Type the 26-character alert ID number in the Search by Alert Id# field, and then click Go.

The record is highlighted on the page.

Reference: See “Accessing the Alerts Page” on page 154 for more information.



Saving the Alerts List

Introduction You can save the current alerts list. A saved copy may be beneficial for forensic purposes.

Note: When alerts are saved, the events remain visible in the Alerts page.

How the list is saved

The current list is saved as three comma separated values (.csv) files. The three files are used to cross-reference the data displayed in the list.

The files are as follows:

To save the current alert list:



2. Click Save alerts list to file.

The file is saved and the Log File Management page appears.


This file... Contains...

filename_eventdata.csv the distinct records that match the alert record number. This file also lists the alert name and the risk level.

filename_eventinfo.csv the data listed in the event specific information section of the alert.

filename_eventresp.csv the data from the responses executed section of the alert.

Table 38: Log file names

158

Clearing the Alerts List

Clearing the Alerts List

Introduction You can clear all the alerts from the alerts list. When alerts are cleared from the list, they no longer appear in the Alerts page.

Before you begin Before you clear the alerts list, you may want to save a copy for archiving. A saved copy may be beneficial for forensic purposes.

Reference: See “Saving the Alerts List” on page 158 for more information.

Procedure To clear the alerts list:



2. Click Clear alerts list.

A confirmation message appears.

3. Click OK.

The alerts list is cleared.




Managing Saved Alert Files

Introduction You can manage saved alert files on your system. Managing the files involves either downloading them to another system or deleting them or both.

Viewing and managing saved alert files

Use the Log File Management page to view and manage your saved alert files.

Downloading an alert file

You can download a saved alert file from the appliance to a local workstation. After the download, the saved file still exists on the appliance.

To download alert files:



2. Click View/manage alerts files.

The Log File Management page appears.

3. Select a file to download, and then click Download.

The File Download window appears.

4. Select Save the file to disk, and then click OK.

The Save As window appears.

5. Type a File Name, and then click Save.

Deleting alert files You can remove saved alert files from the appliance.

To delete alert files:



2. Click View/manage alerts files.

The Log File Management page appears.


■ Select a file to delete, and then click Delete.

■ Click Delete All.

A confirmation window appears.

4. Click OK.

The file or files are deleted.

160

Chapter 11

Managing with SiteProtector

Overview

Introduction This chapter provides procedures for managing the appliance from the SiteProtector console.


Topic Page

Managing with SiteProtector 162

Enabling SiteProtector Management 166

Configuring SiteProtector Management Settings 166


Chapter 11: Managing with SiteProtector


Introduction SiteProtector is the ISS management console. SiteProtector can manage a variety of network assets such as appliances, agents, and sensors. If you use a SiteProtector console with your appliance, you can report alerts and events to the SiteProtector console.

Appliance functions you can manage in SiteProtector

When you register your appliance with SiteProtector, SiteProtector controls the following management functions of the appliance:

● Firewall settings

● Intrusion prevention

● Notification

● Updates

Navigation pane When you register the appliance with SiteProtector, some panes in Proventia Manager become read-only. When you unregister the appliance from SiteProtector, the panes become fully functional again.

Update and Installation nodes

You can manage Update and Installation Settings on the Proventia Manager navigation pane or from SiteProtector.

When to use the Proventia Manager

There are some settings that you must manage directly on the appliance, even when the appliance is registered with SiteProtector.

Use the Proventia Manager for the following tasks:● assign the management of the device to SiteProtector

● revoke SiteProtector’s management of the appliance, and restore management to Proventia Manager

● view quarantined intrusions

● delete quarantine rules

SiteProtector management options

When you register the appliance with a SiteProtector group, you can do the following:● allow the appliance to inherit sensor group settings

● manage some or all of settings for a single appliance in the group independently in SiteProtector, so that the appliance maintains those individual settings regardless of group settings

Registering an appliance with SiteProtector

When you register your appliance in SiteProtector, you assign the appliance to a group in the Desired SiteProtector Group for Sensor field. You can configure group settings in SiteProtector, and SiteProtector can apply those settings to some or all appliances in the group.

In SiteProtector, appliances and other protection agents are called sensors, and you manage the appliance settings on the Sensor tab. An appliance can only be assigned to a Sensor group that includes other appliances; do not assign an appliance to a group that contains other types of sensors.

Reference: For more information about SiteProtector, see your SiteProtector documentation.

162


Appliance heartbeats

A heartbeat is an encrypted, periodic HTTP request that the appliance uses to indicate it is still running and to allow it to receive updates from the Agent Manager. When you register the appliance with SiteProtector, you specify the time interval between heartbeats to SiteProtector.

When you register the appliance with SiteProtector, you can override SiteProtector settings on the appliance for the first heartbeat. This allows the appliance to maintain its own local settings until you change the settings in SiteProtector.



Enabling SiteProtector Management

Introduction You can set up and enable the SiteProtector management on your appliance.

Prerequisites To manage your appliance with SiteProtector, you must run SiteProtector version 2.0 Service Pack 5 or later.

Reference: For more information about using SiteProtector, see your SiteProtector documentation.

Recommendations ISS recommends that you do the following before you register your appliance with SiteProtector:

● Verify the name of the SiteProtector sensor group to which you want to assign the appliance.

● Verify the IP address and port for each SiteProtector Agent Manager that you want to use with the appliance.

● Make sure that the appliance has the latest firmware update installed.

You can schedule automatic downloads and installations of firmware updates to the appliance, without unregistering the appliance from SiteProtector. Reference: See “Updating the Appliance” on page 19 for more information.

Setting up SiteProtector management

To set up SiteProtector management on your appliance:

● Register your appliance with SiteProtector on the System→Management page in Proventia Manager.

SiteProtector management process

The following table describes the SiteProtector management process:

Overriding SiteProtector group settings

When you register the appliance with SiteProtector, you must specify one of the following:

● allow the appliance to inherit group settings at the first heartbeat

● override the group settings at the first heartbeat so that the appliance maintains each individual setting until you change that setting at the group level in SiteProtector

The Local Settings Override SiteProtector Group Settings box on the System→Management page in the Proventia Manager is enabled by default. Use this setting to determine whether group settings are shared down to the appliance at the first

Stage Description Result

1 Register the appliance with the SiteProtector group on the System→Management page in the Proventia Manager.

The appliance waits for the first heartbeat interval, and then sends a heartbeat to SiteProtector.

2 The appliance appears in the SiteProtector console, and receives updates.

Depending on the override setting, the appliance either inherits group settings or maintains individual settings.

Table 39: SiteProtector management process

164

Enabling SiteProtector Management

heartbeat to SiteProtector. If you leave this box selected, then the appliance maintains individual settings and does not inherit group settings at the first heartbeat. After the first heartbeat, any policy setting you change in SiteProtector at the group level is shared down to every appliance in the group at the next heartbeat. You can manage the individual settings for the appliance at the appliance level in SiteProtector.

Be careful when you disable the option to override group settings at the first heartbeat. SiteProtector applies the group settings to the appliance even if the group settings are not defined. If you disable the override option and apply SiteProtector group settings to the appliance at the first heartbeat, be sure that you define group settings (such as firewall rules) at the group level in SiteProtector. If you configure settings in Proventia Manager, and then register the appliance without the group setting override option enabled, then the appliance settings are overridden at the first heartbeat with the default, undefined group settings.

Reference: For more information about managing appliance settings in the SiteProtector, see your SiteProtector documentation.

Override recommendations

ISS recommends that you use the Local Settings Override SiteProtector Group Settings option as follows:

Status of group settings in SiteProtector

Do this...

not defined Enable the Local Settings Override SiteProtector Group Settings box.

This prevents undefined SiteProtector group settings from overriding existing appliance settings. If undefined group settings override existing policy settings, you must define the appliance settings at the group level. The changes are shared down to the appliance at the next heartbeat.

defined Clear the Local Settings Override SiteProtector Group Settings box so that the appliance immediately inherits the group settings at the first heartbeat. This allows you to apply the group settings to the appliance without further changes.

Table 40: Override recommendations



Configuring SiteProtector Management Settings

Introduction You can configure the appliance to be managed by SiteProtector.

Procedure To configure SiteProtector management of your appliance:

1. On the Proventia Manager navigation pane, select System→Management.

The Management page appears.

2. Select Register with SiteProtector.

3. Do you want local appliance settings to override SiteProtector group settings for the first heartbeat?

■ If yes, select the Local Settings Override SiteProtector Group Settings box.

■ If no, clear the Local Settings Override SiteProtector Group Settings box.

4. Type a valid SiteProtector group name in the Desired SiteProtector Group for Sensor field.

5. In the Heartbeat Interval (secs): field, type the number of seconds that you want the appliance to wait between heartbeats to SiteProtector.

Note: This value must be between 60 and 86,400 seconds.

6. In the Agent Manager Configuration area, click Add.

The Add Agent Manager Configuration window appears.

7. Select the Authentication Level.

8. Type a meaningful name that corresponds to the SiteProtector Agent Manager in the Name field.

9. Type the IP address of the SiteProtector Agent Manager in the Agent Manager Address field.

10. Type the port number on which alerts are sent to SiteProtector in the Agent Manager Port field.

Default: The default port number is 3995. If you change the default port number, you must also configure the port number locally on the SiteProtector Agent Manager.

11. Type in a user name in the Username field.

12. Click Set Password.

The Set Password screen appears.

13. Type in the password twice, and then click OK.

14. Is a proxy server installed in the network between the appliance and SiteProtector?

■ If yes, select the Use Proxy Settings box, and then go to Step 15.

■ If no, clear the Use Proxy Settings box, and then go to Step 17.

15. Type the IP address of the proxy server in the Proxy Server Address field.

16. Type the port number of the proxy server in the Proxy Server Port field.

17. Click OK.

18. Repeat Step 6 through Step 17 for each Agent Manager you want to add.


166

Index

downloading 160
symbols.enc 73
numerics10 MB Full Duplex 42, 13710 MB Half Duplex 42, 137100 MB Half Duplex 42, 1371000 MB Full Duplex 42, 137

aAbout High Availability 36Access Control page 133Adapter Mode 42, 138Add Connection Event page 96Add Security Events window 85adding a firewall rule 127adding a global tuning parameter 145adding a local tuning parameter 143adding a protection domain 91adding a quarantine response 74adding a response filter 88adding a security event 85adding a user specified response 78adding a user-defined event 102adding an email response 71adding an SNMP response 76adding an update advanced parameter 31administrative password 66advanced parameters

configuring 31agent

changing name 57restarting 56viewing status 55

agent name 57alert

getting more information 155viewing details 155

alert filesdeleting 160

Proventia G400/G2000 Appliances User Guide

managing 160alert ID number 156Alert queue full policy 139Alert queue max size 139Alert Queue page 139Alert Queue tab 139alert types

intrusion prevention 154system 154

alerts list 154clearing 159filtering 156refreshing 156searching 156

Alerts page 154–156displaying 154

appliancerebooting 54shutting down 54viewing status 55

appliance heartbeats 163appliance settings

backing up 51restoring 52viewing 50

Attack/Audit 84audience of guide viiautomatic update tasks 26automatic updates 20automatically checking for updates 26automatically downloading firmware updates 27automatically install firmware updates 27Auto-Negotiate 42, 137

bbacking up appliance settings 51Block Percentage 92boot loader password 67, 134

167

Index

cCard Management page 137Card Management tab 138changing

appliance modes 6link speed and duplex mode settings 62passwords 133

changing administrative password 66, 133changing agent name 57changing appliance passwords 66, 133changing boot loader password 67, 134changing date and time settings 63changing host configuration settings 61changing network configuration 60changing NTP settings 65changing Proventia Manager password 67, 134changing root password 66, 133changing SNMP settings 68changing time zone settings 64clearing the alerts list 159comma separated values 158common tuning parameter 140configuring

agent name 57configuring a connection event 96configuring a log evidence response 73configuring a user specified response 78configuring an email notification response 136configuring an email response 71configuring an SNMP response 76configuring an SNMP trap 134–135configuring automatic security updates 27configuring automatic updates 26configuring external kill port 147configuring firmware updates 27configuring security events 84configuring SiteProtector management 166configuring size of alert queue 139configuring update advanced parameters 31connection 96connection event 94

configuring 96editing 97removing 98

connection eventstypes of 94

Connection Events page 94Connection Events tab 96–98context 105

168

types of 105context setting 105contexts

DNS_Query 105Email_Receiver 106Email_Sender 106Email_Subject 106File_Name 107News_Group 107Password 107SNMP_Community 108URL_Data 109User_Login_Name 109User_Probe_Name 110

conventions, typographicalin commands xin procedures xin this manual x

copying and pasting a global tuning parameter 145copying and pasting a local tuning parameter 143copying and pasting a parameter 31copying and pasting a quarantine response 75copying and pasting a user specified response 79copying and pasting an email response 72copying and pasting an SNMP response 77CPU usage statistics 132crm.history.enabled 140crm.history.file 140crm.policy.numbackups 140cumulative updates 24customizing

firewall rules 127

ddate and time

changing settings for 63Default Quarantine 85, 95deleting alert files 160Dest IP 92Dest Port 92disabling ISS X-Force recommended blocking

responses 87disabling remote root access 53DNS_Query context 105domain names 61downloading a saved log file 160downloading alert files 160downloading firmware updates but not install them 27downloading updates 29Drop 43, 138

Index

eediting a connection event 97editing a global tuning parameter 145editing a local tuning parameter 143editing a quarantine response 74editing a response filter 89editing a security event 86editing a user specified response 78editing an email response 71editing an SNMP response 76editing an update advanced parameter 31editing network card properties 137editing the user-defined event 103email notification response

configuring 136Email page 72email response 71

adding 71copying and pasting 72editing 71removing 72

Email responses 61Email tab 72Email_Receiver context 106Email_Sender context 106Email_Subject context 106–107engine.adapter.high-water.default 140engine.adapter.low-water.default 140engine.droplog.enabled 140engine.droplog.fileprefix 140engine.droplog.filesuffix 140engine.droplog.flush 140engine.droplog.maxfiles 140engine.droplog.maxkbytes 140engine.evidencelog. maxkbytes 141–142engine.evidencelog.fileprefix 140engine.evidencelog.filesufffix 140engine.evidencelog.maxfiles 140engine.evidencelog.maxkbytes 141–142engine.log.file 141–142engine.pam.logfile 141–142engine.statistics.interval 141–142event

description 82event filter 156event throttling 84, 94, 101evidence 73Expiration Time 92Explorer worm example 107Export Agreement 26


fFile_Name context 107filename_eventdata.csv 158filename_eventinfo.csv 158filename_eventresp.csv 158files

comma separated values (.csv) 158filtering the event log file 156filters 88Find Updates button 20, 23, 29finding available updates 23, 29finding updates

process 20FINGER, monitoring user name associated with 110firewall rule

adding 127removing 128

Firewall Settings page 127firmware updates 20Forward 43, 138

gget-reset-config 147global policy 90global response policy 70global tuning parameter 145


hHA configuration 36HA Modes 36hardware

installing the appliance in a rack 2high availability

overview 3High Availability Configuration 38, 41High Availability Deployment 39host configuration

changing 61host configuration settings 61HTTP GET request 109

169

Index

iICMP 150ICMP Code 92ICMP Type 92ILOVEYOU virus example 106inline protection 42–43, 138inline simulation 42–43, 138install updates manually 30installing a license file 15installing available updates 25installing the appliance 2Internet Security Systems

technical support xiWeb site xi

intruder events 92intrusion prevention alerts 154intrusion prevention updates 20ISS management console 162iss-response string 114

llicense file

installing 15license key

installing 3purchasing 3

Licensing page 15local configuration interface

connecting a computer 46connecting a keyboard and monitor 46logging out 48

local tuning parameteradding 143copying and pasting 143editing 143removing 144

Local Tuning Parameters page 135–136, 138–139, 143–144

Log Evidence page 73log evidence response 73Log Evidence tab 73Log File Management page 158, 160log files

downloading 160saving 158

Logical HA diagram 39

170

mmanagement console 2–3

user documentation 2Management page 164, 166managing alert files 160manual updates task overview 29manually downloading and installing updates 29manually update tasks 29memory usage statistics 132monitoring 42–43, 138monitoring (read-only) SPAN ports 147

nnetwork card

editing properties of 137network configuration

changing 60network sensor

regular expression library 111News_Group context 107np.drop.invalid.checksum 141–142np.drop.invalid.protocol 141–142np.drop.resource.error 141–142np.drop.rogue.tcp.packets 141–142np.firewall.log 141–142np.log.quarantine.added 141–142np.log.quarantine.expired 141–142np.log.quarantine.removed 141–142np.statistics 141–142np.statistics.file 141–142NTP setting 65

oonline Help

for SiteProtector 3operation modes

definitions 6order of precedence

changing in regular expressions 111overriding SiteProtector group settings 164

ppam.traffic.sample 141–142pam.traffic.sample.interval 141–142password

Index

changing Proventia Manager 134Password context 107passwords

administrative 133boot loader 134changing 133root 133

perform a full system backup 27Physical HA network diagram 40ping 151pinging a computer 151policy

contents 82description 82pre-defined 82when to use 82

pre-defined policies 82pre-defined response objects 74pre-defined responses 70pre-installed software 2Propagate Link 43, 138protection domain 90

adding 91editing 91removing 91when to use 90

Protection Domain tab 91Protection Domains page 90protection status 16Protocol 92Proventia Manager

using with SiteProtector 162Proventia Manager Home page 16Proventia Manager password 67Proventia Setup Utility 45

qQuarantine Intruder 74quarantine response


quarantine response objects 74quarantine rules 92

removing 92


viewing 92Quarantine Rules Management page 92Quarantine Rules table 92Quarantine tab 74–75Quarantine Trojan 74Quarantine Worm 74queue file 139Quick Start Guide 2

rReadme document ixrebooting appliance 54, 152recommended blocking responses 87Refresh Data 157registering applianc with 162regular expressions

in user-defined signatures 111related publications ixremoving a connection event 98removing a firewall rule 128removing a global tuning parameter 146removing a local tuning parameter 144removing a protection domain 91removing a quarantine response 75removing a quarantine rule 92removing a response filter 89removing a security event 87removing a user specified response 79removing a user-defined event 104removing an email response 72removing an SNMP response 77removing an update advanced parameter 32response filter 88

adding 88attributes 88editing 89removing 89

171

Index

rule ordering 88Response Filters tab 88–89response types 70responses 70Responses page 72restarting agent 56Restore Configuration From Backup 52Restore to Factory Default 52restoring appliance settings 52risk level 154rollbacks 20rolling back an update 24rolling back updates 23root password 66, 133

ssaving the current log file 158scope of guide viisecurity event

adding to a protection domain 85description 84editing 86removing 87

security eventsconfiguring 84

Security Events page 84Send SNMP Trap box 135Sensor Error 135Sensor Informative 135Sensor Warning 135sensor.trace.level 141–142shut down 152shutting down appliance 54, 152SiteProtector 162

Help 3managing appliance 20

SiteProtector management options 162SiteProtector management process 164SMP kernel 134SMTP EXPN, monitoring user name associated

with 110SMTP, monitoring user name associated with 110SNMP community strings 108SNMP page 76SNMP response 76

adding 76configuring 76copying and pasting 77editing 76

172

removing 77SNMP responses 61SNMP setting 68SNMP tab 76SNMP trap

configuring 134–135SNMP_Community context 108Source IP 92Source Port 92specifying firmware update versions to instal 28specifying when to install firmware updates 28statistics types 132status icons 16Stop Logging 139String box, syntax for 111system alerts 154system status 16, 132System Status page 132System Tools page 150–152

ttechnical support, Internet Security Systems xitime zone

setting for the appliance location 64traceroute 150traceroute protocols 150traceroute utility 150Trons Events page 114Trons rule

adding 115editing 116removing 117

troubleshooting firmware updates 25Tuning Parameters tab 145–146tuning update settings 31types of connection events 94types of events 82typographical conventions x

uUDP 150Unanalyzed Policy 43, 138UP kernel 134update advanced parameters 31update history table 30update packages 20update process 21update settings

Index

tuning 31Update Settings page 20, 25–26Update Status page 23–24, 29Update.certificate.file 141–142Update.proxy.enable 141–142Update.proxy.port 143Update.source.url 143Updates node 24Updates to Download page 20updating

the appliance 20URL_Data context 109User Defined Event page 100User Specified page 78user specified response

adding 78configuring 78copying and pasting 79editing 78removing 79

User Specified tab 78User_Login_Name context 109User_Probe_Name context 110user-defined event

adding 102editing 103removing 104

user-defined events 100user-defined signature

regular expressions 111using filters 88using protection domains 90using response filters 88using the traceroute utility 150

vviewing a quarantine rule 92viewing agent status 55viewing appliance components 55viewing appliance settings 50viewing events 2viewing security and system related alerts 154viewing status of appliance 55viewing update status 23virtual sensor 90VRFY, monitoring user name associated with 110


wWeb site, Internet Security Systems xiwhat’s new in guide viiWithoutRaw 84, 101WithRaw 84, 101Wrap Around 139

xX-Force Alert 155

173

Index

174

Internet Security Systems, Inc. Software License AgreementTHIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPY-ING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and non-

transferable, limited license for the accompanying ISS software product and the related documentation (“Software”) and the associated license key(s) for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS’ quotation and Licensee’s purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device con-nected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. A device may also include ISS hardware delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Soft-ware on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes. In connection with certain Software products, ISS licenses security content on a subscription basis for a Term and provides Licensee with a license key for each such subscription. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS’ related analysis of such information, all of which ISS regards as its con-fidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is prohibited. Licensee’s access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered in to ISS’ URL database and provided to Licensee as security content updates at regular intervals. ISS’ URL database is located at an ISS facility or as a mirrored version on Licensee’s premises. Any access by Licensee to the URL database that is not in conformance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.

2. Migration Utilities – For Software ISS markets or sells as a Migration Utility, the following shall apply. Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the “Original Software”), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensee’s migration of the Original Software to the replace-ment software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.

3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturer’s terms and conditions that will be pro-vided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized. If ISS supplies Licensee with Crys-tal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse-engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same of similar functions as Crystal Decisions’ product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-pur-pose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third–parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; Licensee may not use the Software or Runtime Software by itself or as part of a system to regularly deliver, distribute or share Reports outside of the Runtime Software environment: (a) to more than fifty (50) end users directly, or (b) to a location that is accessible to more than 50 end users without obtaining an additional license from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FIRNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE. In this section 3 “Software” means the Crystal Reports software and associated documentation supplied by ISS and any updates, additional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions’ Design Tools, Report Application Server and Runtime Software, but does not include any promotional software of other software products pro-vided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product.

4. Beta License – If ISS is providing Licensee with the Software, security content and related documentation as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supercede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject Beta Software or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/prototype software program, security content, if any, and any related documentation furnished by ISS (“Beta Software”) for Licensee’s evaluation and comment (the “Beta License”) during the Test Period. ISS’ standard test cycle, which may be extended at ISS’ discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Software (the “Test Period”). Upon expiration of the Test Period or termination of the License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the Beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. Licensee will provide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Software. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensee’s use and evaluation of the Beta Software. Such information shall include but not be limited to changes, modifications and corrections to the Beta Software. Licensee grants to ISS a perpetual, royalty-free, non-exclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Software. If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Software or any changes, modifications or corrections to the Beta Software, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Software (including its existence, nature and specific features) constitute Confidential Information as defined in Section 18. Licensee fur-ther agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Software as contemplated in this Agreement. With regard to the Beta Software, ISS has no obligation to provide support, maintenance, upgrades, mod-ifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Software and related documentation within a reason-able time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Software may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Software, Licensee is advised not to rely exclusively on the Beta Software for any reason. LICENSEE AGREES THAT THE BETA SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WAR-RANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA SOFTWARE MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEE’S USE OF THE BETA SOFTWARE IS AT THE SOLE RISK OF LICENSEE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA SOFTWARE LICENSE BY WRITTEN NOTICE TO ISS.

5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evalua-tion in a non-production, test environment. The following terms of this Section 5 additionally apply and supercede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, mod-ifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRAN-TIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUA-TION LICENSE BY WRITTEN NOTICE TO ISS.

6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Software. Licensee agrees: (i) the Software, security content or Beta Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Software from unauthorized access, disclosure, copying or use; (iii) not to

modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software, security content or Beta Software; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Software or make it available for time-sharing, service bureau, managed services offering, or on-line use.

7. Support and Maintenance – Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://docu-ments.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and mainte-nance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified.

8. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interac-tion with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Soft-ware or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFT-WARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CON-TENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMI-LAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VUL-NERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.

9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MER-CHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PRO-VIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.

10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly noti-fied in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available infor-mation and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content.

11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE. OR SECURITY CONTENT, AS APPLICABLE, IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCI-DENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may imme-diately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.

13. General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. ISS Software and security content are generally delivered to Customer by supplying Customer with license key data. If Customer has not already down-loaded the Software, security content and documentation, then it is available for download at http://www.iss.net/download/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Geor-gia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the Interna-tional Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.

14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.

15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourc-ing and Fulfillment for export questions relating to the Software or security content ([email protected]). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.

16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that com-puter network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.

17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the fore-going disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.

18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third parting having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Dis-closing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the

Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Dis-closing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party.

19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Software and security content is in com-pliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable cur-rent list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addi-tion to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License.

20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Lic-ensee’s vendor within the framework of processing Licensee’s order. All personal data will be treated confidentially.

Revised March 16, 2004.