APPLICATION NOTES

High-Availability Load Balancing with the Brocade ServerIron ADX and McAfee Firewall Enterprise (Sidewinder)

This solution leverages interoperable and best-of-breed networking and security products, tailored to fit individual enterprise requirements.


Page 1: High-Availability Load Balancing with the Brocade ServerIron ADX



BROCADE ALLIANCES APPLICATION NOTES

High-Availability Load Balancing with the Brocade ADX and McAfee Firewall Enterprise (Sidewinder) 2 of 36

CONTENTS

Introduction ..... 3
    About McAfee ..... 3
    About Brocade ..... 3
Overview ..... 3
    Failover ..... 4
    Health Checks ..... 4
    Interoperability Test Results ..... 4
Reference Architecture ..... 5
Brocade ServerIron ADX Series Configuration ..... 6
    External ServerIron ADX A (SI-EXT-A) ..... 6
    External ServerIron ADX B (SI-EXT-B) ..... 8
    Internal ServerIron ADX A (SI-INT-A) ..... 9
    Internal ServerIron ADX B (SI-INT-B) ..... 11
Sidewinder Firewall GUI Configuration ..... 12
    Firewall 1: Interfaces ..... 12
    Firewall 1: Routing ..... 13
    Firewall 1: Rules ..... 14
    Firewall 1: SNMP Traps ..... 20
    Firewall 2: Interfaces ..... 21
    Firewall 2: Routing ..... 21
    Firewall 2: Rules ..... 21
    Firewall 2: SNMP Traps ..... 23
Network Management ..... 24
    Loading MIBs into Brocade INM ..... 24
    Compiling the MIBs ..... 25
    Registering and Customizing MIBs ..... 25
    Event Log ..... 27
Network Security Manager ..... 27
    SNMP Fault Notification ..... 28
    Sensor Access ..... 28
    IPS Settings ..... 29
Appendix A: Use Cases ..... 30
    Use Case 1: Host Sweep Attack ..... 30
    Use Case 2: Port Scan Attack ..... 35


INTRODUCTION

Brocade® and McAfee are partnering to deliver a comprehensive solution for High Availability (HA) Firewall Load Balancing (FWLB) with the Brocade ServerIron® ADX Series of application load balancing switches and McAfee Firewall Enterprise (Sidewinder). This joint solution brings end-to-end networking and security to the enterprise.

About McAfee

McAfee, the world’s largest dedicated security technology company, is relentlessly committed to tackling the world’s toughest security challenges. The company delivers proactive and proven solutions and services that secure systems and networks around the world, allowing users to safely connect to the Internet, browse, and shop the Web securely. McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to comply with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.

For McAfee support:

• McAfee Prime Support Technical Support: 1-800-338-8754

• McAfee Prime Support Service Portal: mysupport.mcafee.com

About Brocade

Brocade is a leading provider of high-performance data center, enterprise, and service provider networking solutions and services. Brocade develops extraordinary networking solutions that enable today’s complex, data-intensive businesses to optimize information connectivity and maximize the business value of their data. The Brocade ServerIron ADX Series of application delivery and traffic management switches is the industry leader in high availability, acceleration, security, and scalability for business-critical IP and Web applications.

For Brocade support:

• Phone support in the US: 1-800-752-8061

• International support: www.brocade.com/services-support/contacts_international.page

• E-mail support: [email protected]

• Web support: www.brocade.com/services-support

OVERVIEW

To achieve HA in the network, you can deploy pairs of ServerIron ADX switches in active-active configurations on each side of the firewalls. In an active-active configuration, both switches actively load balance firewall traffic. Active-active operation provides redundancy in the event that a Brocade ServerIron ADX becomes unavailable, while enhancing performance by using both switches to process and forward traffic.

HA load balancing on the Brocade ServerIron ADX is always stateful. Each ServerIron ADX sends session information about its active traffic flows to the other switch. If a failover occurs, the ServerIron ADX that is still active can provide service for the other ServerIron’s traffic flows, using the session information previously provided by the ServerIron that is now unavailable. In an HA topology, both ServerIron ADX switches actively load balance traffic to the firewalls. If one of the ServerIron ADX switches becomes unavailable, the other automatically assumes the load balancing function for the sessions that had been on the unavailable ServerIron ADX.


This solution is an example of an active-active FWLB configuration that uses VRRP. Each pair of Brocade ServerIron ADX Series switches provides redundant load balancing, while VRRP on the external pair of ServerIron ADX switches provides redundancy for the default gateway address used by the client.

Failover

In active-active FWLB, if one of the ServerIron ADX devices becomes unavailable, the other takes over. ServerIron ADX devices use the following parameters to manage failover:

• ServerIron ADX priority (active-standby only). You can specify a priority from 0 through 255 on each ServerIron ADX. The ServerIron ADX with the higher priority is the default active device. Specifying the priority is required.

• Path tolerance. Optionally, you also can configure a minimum number of firewall paths and router paths that must be available.

By default, failover occurs if the health checks between the ServerIron ADX switches reveal that the active ServerIron ADX has lost a path link.

Health Checks

There are two types of health checks in this solution:

• Path health checks. One of the required FWLB parameters is a separate path from the ServerIron ADX through each firewall to each of the ServerIron ADX switches on the other side of the firewall. A path to the ServerIron ADX’s gateway router is also required. By default, the ServerIron ADX performs a Layer 3 health check on each firewall and router path by sending an Internet Control Message Protocol (ICMP) ping packet on each path.

• Application health checks. You can also add information for individual application ports (optional). You specify the application protocol (TCP or UDP) and the port number. The ServerIron ADX checks the health of the TCP or UDP service used by the application by sending a Layer 4 TCP or UDP health check to the firewall. Layer 4 health checks are enabled by default.
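To show how the Failover and Health Checks sections fit together, here is an added Python model (not Brocade code) that parses the fwall-info path table from the SI-EXT-A configuration in this note, separates firewall paths from the router path, applies constructed ICMP path-check results, and evaluates the default failover rule and the optional path-tolerance minimums; the assumption that a firewall with no healthy path is removed from load balancing is mine and is marked in the code.

```python
"""Model of the ServerIron ADX FWLB path table and failover decision.

Added example, not Brocade code. Parses `fwall-info` paths, tells firewall
paths from the router path, applies ICMP path-check results (constructed
here; on the ADX they come from the Layer 3 checks described above) and
decides whether the configured path tolerance still holds.
"""
from __future__ import annotations

from dataclasses import dataclass

# Path table copied from the SI-EXT-A configuration in this note.
SI_EXT_A_PATHS = """
fwall-info 1 1/7 10.10.2.111 10.10.1.1
fwall-info 2 1/6 10.10.2.111 10.10.1.2
fwall-info 3 1/7 10.10.2.112 10.10.1.1
fwall-info 4 1/6 10.10.2.112 10.10.1.2
fwall-info 5 1/9 20.20.1.101 20.20.1.101
"""


@dataclass(frozen=True)
class FwPath:
    path_id: int
    port: str       # ServerIron port the path leaves on
    remote: str     # ServerIron ADX (or router) at the far end of the path
    next_hop: str   # firewall interface (or router) adjacent to this ADX

    @property
    def is_router_path(self) -> bool:
        # A router path has nothing in between: far end and next hop coincide
        # (path 5 above, 20.20.1.101 in both columns).
        return self.remote == self.next_hop


def parse_fwall_info(config: str) -> list[FwPath]:
    """Extract fwall-info entries; any other config line is ignored."""
    paths: list[FwPath] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "fwall-info":
            continue
        paths.append(FwPath(int(parts[1]), parts[2], parts[3], parts[4]))
    return paths


def path_counts(paths: list[FwPath], ping_ok: dict[int, bool]) -> tuple[int, int]:
    """Return (healthy firewall paths, healthy router paths)."""
    fw_up = sum(1 for p in paths
                if not p.is_router_path and ping_ok.get(p.path_id, False))
    rtr_up = sum(1 for p in paths
                 if p.is_router_path and ping_ok.get(p.path_id, False))
    return fw_up, rtr_up


def healthy_firewalls(paths: list[FwPath], ping_ok: dict[int, bool]) -> list[str]:
    """Firewall next-hops with at least one path still answering ICMP.

    Assumption (not stated in the note): a firewall with no healthy path is
    the one the ADX stops sending new sessions to.
    """
    up = {p.next_hop for p in paths
          if not p.is_router_path and ping_ok.get(p.path_id, False)}
    return sorted(up)


def should_failover(paths: list[FwPath], ping_ok: dict[int, bool],
                    min_fw_paths: int | None = None,
                    min_router_paths: int | None = None) -> bool:
    """Failover decision as described in the Failover section.

    Default (no tolerance configured): any lost path link triggers failover.
    With path tolerance: failover only when the healthy path counts drop
    below the configured minimums.
    """
    fw_up, rtr_up = path_counts(paths, ping_ok)
    if min_fw_paths is None and min_router_paths is None:
        return (fw_up + rtr_up) < len(paths)
    fw_min = 0 if min_fw_paths is None else min_fw_paths
    rtr_min = 0 if min_router_paths is None else min_router_paths
    return fw_up < fw_min or rtr_up < rtr_min


if __name__ == "__main__":
    paths = parse_fwall_info(SI_EXT_A_PATHS)
    # Constructed check results: path 2 (port 1/6 via fw2 to SI-INT-A) lost.
    results = {1: True, 2: False, 3: True, 4: True, 5: True}
    print("healthy firewalls:", healthy_firewalls(paths, results))
    print("default failover:", should_failover(paths, results))
    print("with tolerance 2/1:", should_failover(paths, results, 2, 1))
```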

Interoperability Test Results

Interoperability compliance testing covered features, functionality, and serviceability between the Brocade switches and the McAfee Network Security Platform (NSP) sitting inline. The following compliance tests were conducted:

• Trunking. A two-link 802.3ad link aggregation was created between the Brocade FastIron® SuperX and an internal Brocade FastIron GS, and another 802.3ad link aggregation between the Brocade BigIron® RX and an internal FastIron GS. The test confirmed that the 802.3ad trunk could be negotiated and form a trunk with the McAfee Intrushield positioned between the switches. To test failover, one of the trunk links was disconnected, and it was confirmed that traffic continued to flow on the other link.

• Spanning Tree. Rapid Spanning Tree was enabled on all switches and it was confirmed that spanning tree converged when the path went down.

• Virtual Router Redundancy Protocol-Extended (VRRP-e). VRRP-e was enabled on the Brocade FastIron SuperX and Brocade BigIron RX switches and redundancy was provided for default gateways while the Intrushield appliances were positioned between the switches.

• Media types. Tests were conducted with copper and fiber interfaces.

• Port configuration. Different port speeds were used: Auto-Negotiate and 1000-Full.


REFERENCE ARCHITECTURE

The solution components are listed below and shown in Figure 1:

• 4 x Brocade ServerIron ADX 4000 (v12.1c routing code)

• 2 x Brocade FastIron® LS Series (v4.3.02 routing code)

• 2 x McAfee Firewall Enterprise (Sidewinder, v7.0.1.02)

• 1 x McAfee Intrusion Protection System (IPS)

Figure 1. FWLB solution topology


BROCADE SERVERIRON ADX SERIES CONFIGURATION

Both ServerIron ADX switches external to the firewalls and both switches internal to the firewalls were configured as detailed in the following four sections.

External ServerIron ADX A (SI-EXT-A)

global-protocol-vlan
!
# When configuring the ADX for IronClad FWLB, you need to specify the port number of the
# dedicated synchronization link between the ADX and its active-active partner.
server fw-port 1/5
!
no server l4-check
# High-availability FWLB configurations require that you identify the ports on the
# ServerIron that are attached to the routers.
server router-ports ethernet 1/9
# Specify the data path/links with the peer partner ADX.
server partner-ports ethernet 1/6
!
context default
!
server fw-name fw1 10.10.1.1
!
server fw-name fw2 10.10.1.2
!
server fw-group 2
# sym-priority enables the active-active mode
 sym-priority 200
 fw-name fw1
 fw-name fw2
# Configure the paths for the firewall traffic. Each path consists of a path ID, the
# ServerIron port attached to the firewall, the IP address of the ServerIron at the other
# end of the path, and the next-hop IP address (usually the firewall interface connected
# to this ADX).
 fwall-info 1 1/7 10.10.2.111 10.10.1.1
 fwall-info 2 1/6 10.10.2.111 10.10.1.2
 fwall-info 3 1/7 10.10.2.112 10.10.1.1
 fwall-info 4 1/6 10.10.2.112 10.10.1.2
 fwall-info 5 1/9 20.20.1.101 20.20.1.101
vlan 1 name DEFAULT-VLAN by port
# The always-active feature is used to simplify the topology of high-availability
# FWLB configurations.
 always-active
!
vlan 2 name Router_Vlan by port
 untagged ethe 1/9
 always-active
 router-interface ve 2
!
vlan 3 name FW_Vlan by port


 untagged ethe 1/6 to 1/7
 always-active
 router-interface ve 3
!
vlan 99 name Synch_Vlan by port
 untagged ethe 1/5 ethe 1/8
!
hostname SI-EXT-A
ip route 10.10.8.0 255.255.255.0 10.10.1.1
ip route 10.10.8.0 255.255.255.0 10.10.1.2
ip route 10.10.2.0 255.255.255.0 10.10.1.1
ip route 10.10.2.0 255.255.255.0 10.10.1.2
ip route 0.0.0.0 0.0.0.0 20.20.1.101
!
logging buffered 1000
router vrrp-extended
no-asm-block-till-bootup
!
interface management 1
 ip address 10.66.16.203 255.255.255.0
!
interface ethernet 1/7
 speed-duplex 1000-full
!
interface ethernet 1/8
 disable
!
interface ethernet 1/11
 disable
!
interface ve 2
 ip address 20.20.1.111 255.255.255.0
 ip vrrp-extended vrid 2
  backup priority 101
  advertise backup
  ip-address 20.20.1.120
  track-port e 1/7
  track-port e 1/9
  enable
!
interface ve 3
 ip address 10.10.1.111 255.255.255.0
 ip vrrp-extended vrid 3
  backup priority 101
  advertise backup
  ip-address 10.10.1.120
  track-port e 1/7
  track-port e 1/9
  enable
!
end


External ServerIron ADX B (SI-EXT-B)

global-protocol-vlan
!
server fw-port 1/5
!
no server l4-check
server router-ports ethernet 1/9
server partner-ports ethernet 1/6
!
context default
!
server fw-name fw1 10.10.1.1
!
server fw-name fw2 10.10.1.2
!
server fw-group 2
 sym-priority 100
 fw-name fw1
 fw-name fw2
 fwall-info 1 1/6 10.10.2.111 10.10.1.1
 fwall-info 2 1/7 10.10.2.111 10.10.1.2
 fwall-info 3 1/6 10.10.2.112 10.10.1.1
 fwall-info 4 1/7 10.10.2.112 10.10.1.2
 fwall-info 5 1/9 20.20.1.101 20.20.1.101
vlan 1 name DEFAULT-VLAN by port
 always-active
!
vlan 2 name Router_Vlan by port
 untagged ethe 1/9
 always-active
 router-interface ve 2
!
vlan 3 name FW_Vlan by port
 untagged ethe 1/6 to 1/7
 always-active
 router-interface ve 3
!
vlan 99 name Synch_Vlan by port
 untagged ethe 1/5 ethe 1/8
!
hostname SI-Ext-B
ip route 0.0.0.0 0.0.0.0 20.20.1.101
ip route 10.10.8.0 255.255.255.0 10.10.1.2
ip route 10.10.8.0 255.255.255.0 10.10.1.1
ip route 10.10.2.0 255.255.255.0 10.10.1.2
ip route 10.10.2.0 255.255.255.0 10.10.1.1
!
logging buffered 1000
router vrrp-extended
no-asm-block-till-bootup
!


interface management 1
 ip address 10.66.16.205 255.255.255.0
!
interface ethernet 1/7
 speed-duplex 1000-full
!
interface ethernet 1/8
 disable
!
interface ethernet 1/11
 disable
!
interface ve 2
 ip address 20.20.1.112 255.255.255.0
 ip vrrp-extended vrid 2
  backup
  advertise backup
  ip-address 20.20.1.120
  track-port e 1/7
  track-port e 1/9
  enable
!
interface ve 3
 ip address 10.10.1.112 255.255.255.0
 ip vrrp-extended vrid 3
  backup
  advertise backup
  ip-address 10.10.1.120
  track-port e 1/7
  track-port e 1/9
  enable
!
end

Internal ServerIron ADX A (SI-INT-A)

global-protocol-vlan
!
server fw-port 1/5
!
server router-ports ethernet 1/9
server partner-ports ethernet 1/6
!
context default
!
server fw-name fw1 10.10.2.1
!
server fw-name fw2 10.10.2.2
!
server fw-group 2
 sym-priority 200
 fw-name fw1
 fw-name fw2


 fwall-info 1 1/7 10.10.1.111 10.10.2.1
 fwall-info 2 1/6 10.10.1.111 10.10.2.2
 fwall-info 3 1/7 10.10.1.112 10.10.2.1
 fwall-info 4 1/6 10.10.1.112 10.10.2.2
 fwall-info 5 1/9 10.10.8.101 10.10.8.101
vlan 1 name DEFAULT-VLAN by port
 always-active
!
vlan 4 name Int_Vlan by port
 untagged ethe 1/9
 always-active
 router-interface ve 4
!
vlan 5 name FW_Vlan by port
 untagged ethe 1/6 to 1/7
 always-active
 router-interface ve 5
!
vlan 99 name Sync_Vlan by port
 untagged ethe 1/5 ethe 1/8
!
hostname SI-Int-A
ip route 0.0.0.0 0.0.0.0 10.10.2.1
ip route 0.0.0.0 0.0.0.0 10.10.2.2
!
router vrrp-extended
no-asm-block-till-bootup
!
interface ethernet 1/7
 speed-duplex 1000-full
!
interface ethernet 1/8
 disable
!
interface ve 4
 ip address 10.10.8.111 255.255.255.0
 ip vrrp-extended vrid 4
  backup priority 101
  advertise backup
  ip-address 10.10.8.120
  track-port e 1/7
  track-port e 1/9
  enable
!
interface ve 5
 ip address 10.10.2.111 255.255.255.0
 ip vrrp-extended vrid 5
  backup priority 101
  advertise backup
  ip-address 10.10.2.120
  track-port e 1/7
  track-port e 1/9


  enable
!
end

Internal ServerIron ADX B (SI-INT-B)

global-protocol-vlan
!
server fw-port 1/5
!
server router-ports ethernet 1/9
server partner-ports ethernet 1/6
!
context default
!
server fw-name fw1 10.10.2.1
!
server fw-name fw2 10.10.2.2
!
server fw-group 2
 sym-priority 100
 fw-name fw1
 fw-name fw2
 fwall-info 1 1/6 10.10.1.111 10.10.2.1
 fwall-info 2 1/7 10.10.1.111 10.10.2.2
 fwall-info 3 1/6 10.10.1.112 10.10.2.1
 fwall-info 4 1/7 10.10.1.112 10.10.2.2
 fwall-info 5 1/9 10.10.8.101 10.10.8.101
vlan 1 name DEFAULT-VLAN by port
 always-active
!
vlan 4 name Int_Vlan by port
 untagged ethe 1/9
 always-active
 router-interface ve 4
!
vlan 5 name FW_Vlan by port
 untagged ethe 1/6 to 1/7
 always-active
 router-interface ve 5
!
vlan 99 by port
 untagged ethe 1/5 ethe 1/8
!
hostname SI-Int-B
ip route 0.0.0.0 0.0.0.0 10.10.2.2
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
telnet server
username admin password .....
router vrrp-extended
snmp-server community ..... rw


no-asm-block-till-bootup
!
interface ethernet 1/7
 speed-duplex 1000-full
!
interface ethernet 1/8
 disable
!
interface ve 4
 ip address 10.10.8.112 255.255.255.0
 ip vrrp-extended vrid 4
  backup
  advertise backup
  ip-address 10.10.8.120
  track-port e 1/7
  track-port e 1/9
  enable
!
interface ve 5
 ip address 10.10.2.112 255.255.255.0
 ip vrrp-extended vrid 5
  backup
  advertise backup
  ip-address 10.10.2.120
  track-port e 1/7
  track-port e 1/9
  enable
!
end

SIDEWINDER FIREWALL GUI CONFIGURATION

After configuring the Brocade ServerIron ADX switches, you need to log in to the firewall and configure it using the McAfee Firewall Enterprise Admin Console. The following sections describe configuring internal and external interfaces, routing, rules, and SNMP traps on the two firewalls.

The Dashboard is the first screen that appears when you log in to the Firewall Admin Console. Paths are given starting from the Dashboard. When you see “New” in the path, click the green plus sign (+) button on the left above the table.

Firewall 1: Interfaces

Configure the external and internal interfaces of Fw1:

Fw1 Dashboard > Network > Interfaces > + (New)

For this configuration, the following interfaces are added:

• em0 is external: 10.10.1.1

• em1 is internal: 10.10.2.1


Firewall 1: Routing

Configure the network routes and use the VRRP-e addresses configured on the ADX devices as the gateways for Fw1:

Fw1 Dashboard > Network > Routing > Static Routing > + (New)

For this configuration, the following routes are added:

• Network Destination 10.10.8.0, Mask 255.255.255.0, Gateway 10.10.2.120

• Network Destination 20.20.1.0, Mask 255.255.255.0, Gateway 10.10.1.120


Firewall 1: Rules

Configure the required policy rules for Fw1:

Fw1 Dashboard > Policy > Rules > (Administration selected in list) > + (New)

For this configuration, the following rules are added:

• Login Console

• Admin Console

• Secure Shell Server

• *HTTP Proxy

• *HTTP Proxy_Rev (the two rules above can also be handled with one rule: HTTP Proxy Inbound and Outbound)

• SNMP

• *ICMP Packet Filter

• *ICMP Packet Filter_Rev (the two rules above can also be handled with one rule: ICMP Packet Filter Inbound and Outbound)

HTTP Proxy

Select HTTP Proxy from the Service menu. To add source and destination, click the buttons with three dots (…) at the bottom of the Source and Destination sections.


Make sure that you select both external and internal burbs and click OK.

HTTP Proxy Inbound and Outbound Rule

The final saved rule for HTTP includes the HTTP Proxy service and the internal and external burbs, now displayed in the Source and Destination sections of the New Proxy Rule dialog box.


SNMP

Select SNMP Agent from the Service menu. Select internal from the Burb menus in both the Source and Destination sections.

For this solution, a required service (ICMP) was not listed in the default Service menu. To add a service, you first create it:

Fw1 Dashboard > Policy > Rule Element > Service > + (New)

Fill in information in the Modify Service dialog box, select ICMP Packet Filter from the drop-down menu, and click OK.


ICMP Packet Filter Inbound and Outbound

Now return to the New Rule dialog box:

Fw1 Dashboard > Policy > Rules > + (New)

Select the ICMP Packet Filter from the Service menu. To add source and destination, click the buttons with three dots (…) at the bottom of the Source and Destination sections. Make sure that you select both external and internal burbs in the Source Options dialog box and click OK.


Configure the SNMP Agent (snmpd) for SNMP v2c and v3. Add the SNMP management station where the trap will be sent:

Fw1 Dashboard > Policy > Rule Elements > Services > snmpd > Properties

For this configuration, you need to manually configure:

• Host: 10.10.2.99

• User: root1234

• Community: public

Configure the SNMP filter for SNMP v2c traffic:

Fw1 Dashboard > Policy > Application Defenses > Defenses > SNMP


This is the configuration after the required rules are added under Administration:

Fw1 Dashboard > Policy > Rules


Firewall 1: SNMP Traps

When the firewall is added to the network, traps can be enabled:

Fw1 Dashboard > Monitor > IPS Attack Responses

For this configuration, the following traps were enabled for SNMP.


Firewall 2: Interfaces

The procedure used to configure Firewall 2 is the same as the procedure for Firewall 1, but with different parameters. Configure the external and internal interfaces of Fw2:

Fw2 Dashboard > Network > Interfaces > + (New)

For this configuration, the following IP addresses are added:

• em0 is external: 10.10.1.2

• em1 is internal: 10.10.2.2

Firewall 2: Routing

Configure the network routes and use the VRRP-e addresses configured on the ADX devices as the gateways for Fw2:

Fw2 Dashboard > Network > Routing > Static Routing > + (New)

For this configuration, the following routes are added:

• Network Destination 10.10.8.0, Mask 255.255.255.0, Gateway 10.10.2.120

• Network Destination 20.20.1.0, Mask 255.255.255.0, Gateway 10.10.1.120

Firewall 2: Rules

Configure the required policy rules under Administration for Fw2:

Fw2 Dashboard > Policy > Rules > + (New)

For this configuration, the following rules are added:

• Login Console

• Admin Console

• Secure Shell Server

• HTTP Proxy

• HTTP Proxy_Rev (provides the reverse direction of the HTTP proxy)

• SNMP

• ICMP Packet Filter

• ICMP Packet Filter_Rev (provides the reverse direction for the ICMP ping)

HTTP Proxy

If any of the required services are not listed when the rules are configured, they can be created and modified under the Rule Element first, and then added to the Rules:

Fw2 Dashboard > Policy > Rule Element > Service > + (New)

Fw2 Dashboard > Policy > Rules > + (New)

Configure the SNMP Agent (snmpd) for SNMP v2c and v3. Add the SNMP management station where the trap will be sent:

Fw2 Dashboard > Policy > Rule Elements > Services > snmpd > Properties

For this configuration, the following parameters are added:

• Host: 10.10.2.99

• User: root1234

• Community: public

Configure the SNMP filter for SNMP v2c traffic:

Fw2 Dashboard > Policy > Application Defenses > Defenses > SNMP


This is the configuration after the required rules are added under Administration:

Fw2 Dashboard > Policy > Rules


Firewall 2: SNMP Traps

When the firewall is added to the network, traps can be enabled:

Fw2 Dashboard > Monitor > IPS Attack Responses

For this configuration, the following traps were enabled for SNMP.


NETWORK MANAGEMENT

Brocade IronView Network Management (INM) can be used to alert the network operator when an issue occurs in the network. Brocade INM acts in response to the alert to protect the network and the hosts connected to the network. Brocade INM can monitor, notify, and act on alerts provided by the McAfee Firewall and IPS using MIBs provided by McAfee, which are added to the existing MIBs.

Loading MIBs into Brocade INM

Create new folders for the McAfee MIBs in this INM folder: C:\ironview\htdocs\mibs

Two new folders were added: mcafee_ips and mcafee_snmp_mibs


Compiling the MIBs

Modify the mibs_to_compile.txt file to include the McAfee MIBs, including the folder containing the MIBs: C:\ironview\htdocs\mibs

Open mibs_to_compile.txt, change all the extensions from .txt to .mib (example circled in red below), and save and close the file. Saving and closing the file compiles the MIBs.

Registering and Customizing MIBs

Once the MIBs are compiled, they are listed in Event Reception under Trap Configuration, in the Not Registered section (one example circled in red below): Administration > Event Reception > Trap Configuration > Not Registered

Select a trap to register and customize. Customizing the trap means that when the message is displayed, it contains the severity and a specified message. The message is the information the network operator sees in the description field when the alert is displayed. You also need to customize the trap to display the varbind data (a varbind is a variable that is predefined in the MIB and captured at run time).

The message field is set up with the name of the data and a pointer to the varbind it belongs to. An example: Host Sweep Alert $1, $5

In this example, the alert message for Host Sweep Alert is built from the varbind data of the first ($1) and fifth ($5) variables.


NOTE: This message field has a limit of 512 bytes and if the message exceeds the limit, it will be truncated. So think carefully about what you want to display and be sure not to exceed the limit.
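The $n varbind references and the 512-byte limit described above, modelled as an added example (not Brocade or McAfee code): the varbind values are constructed sample data, since the real varbind layout comes from the compiled McAfee MIBs.

```python
"""Expand a trap message template of the kind registered in Brocade INM.

Added example, not Brocade or McAfee code. It models the "$n" varbind
references of the message field ("Host Sweep Alert $1, $5") and the 512-byte
limit stated above; the varbinds below are constructed sample data, and the
real varbind layout comes from the compiled McAfee MIBs."""
import re

MESSAGE_LIMIT_BYTES = 512  # limit stated in the application note

# Constructed varbinds of a host-sweep trap, in the order the trap carries
# them: $1 alert name, $2 time, $3 sensor, $4 severity, $5 source address.
SAMPLE_VARBINDS = ["IPS_HOSTSweepAlert", "2010-05-10 12:34:56", "sensor-01",
                   "High", "192.0.2.45"]  # 192.0.2.45 is TEST-NET-1, made up

_REF = re.compile(r"\$(\d+)")


def expand_template(template: str, varbinds: list) -> str:
    """Replace each $n (1-based, as in the INM message field) with varbind
    n. A reference past the end of the trap is an error, not a silent blank."""
    def repl(match):
        n = int(match.group(1))
        if n < 1 or n > len(varbinds):
            raise ValueError(f"${n} references a varbind the trap lacks")
        return varbinds[n - 1]
    return _REF.sub(repl, template)


def truncate_to_limit(message: str, limit: int = MESSAGE_LIMIT_BYTES) -> tuple:
    """Enforce the byte limit on the UTF-8 encoding; returns (text, truncated)
    and never leaves a partial multibyte character at the cut."""
    data = message.encode("utf-8")
    if len(data) <= limit:
        return message, False
    return data[:limit].decode("utf-8", errors="ignore"), True


def render_alert(template: str, varbinds: list) -> tuple:
    """What the operator sees in the description field, plus a truncation flag."""
    return truncate_to_limit(expand_template(template, varbinds))


if __name__ == "__main__":
    text, cut = render_alert("Host Sweep Alert $1, $5", SAMPLE_VARBINDS)
    print(text + (" [truncated]" if cut else ""))
```

Running it against a template that expands past 512 bytes shows the truncation flag, which is the check to apply before registering a long message.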

All registered MIBs can be found in Brocade INM: Administration > Event Reception > Trap Configuration > Registered


Event Log

All registered triggered events can be logged in the Event Log: Event Manager > Event Log > Search

This is an example of a failed login.

NETWORK SECURITY MANAGER

The McAfee Network Security Manager (NSM) is required to manage the IPS and provide traps. A separate NSM server must be configured for SNMP and to forward traps to Brocade INM.

On the NSM server, make sure that you:

• Start the SNMP Service if it is not started

• Stop the SNMP Trap Service if it is started

Display the Services window. Select the SNMP Service and if it is not started, click Restart the service. Select the SNMP Trap Service and if it is started, click Stop the service.


SNMP Fault Notification

Add the SNMP server IP address to which the traps will be forwarded: My computer > Fault Notification > SNMP > add

The server IP address added for this configuration is 20.20.1.99.

Sensor Access

Add the NMS Sensor Access IP address: My computer > Device List > Sensor Access > NMS IP > add

The NMS IP address added for this configuration is 10.66.16.249.


IPS Settings

Add the SNMP server IP address for Alert Forwarding: My computer > IPS Setting > Alert Notification > SNMP > add

The SNMP IP address added for this configuration is 20.20.1.99.


APPENDIX A: USE CASES

Use Case 1: Host Sweep Attack

When host sweep attacks occur:

1. McAfee IPS detects the attack and alerts Brocade INM.

2. Brocade INM receives the IPS attack alert and sends an Access Control List (ACL) to the Brocade switch to block the attacker and a Security Assessment (SA, an e-mail notification) to the network operator. The assessment type is: Compromised network infrastructure equipment.

NOTE: IPS automatically alerts for host sweep attacks. The NSM must be configured to send alerts to INM (described earlier in this document).

Figure 2 illustrates the process.

Figure 2. Response to a host sweep attack

Note that before you configure an alert, you need to create it. In the Event Processor window, shown in Step 1, click New at the top of the list and follow the onscreen instructions to create the alert. In this solution, the alert is IPS_HOSTSweepAlert.

[Figure 2 callouts: The stealthiest attacks are detected and thwarted by McAfee IPS. Attack alerts are relayed from IPS via a Security Assessment message to INM, which then executes an ACL on the Brocade switch to block the attacker and sends an event message to the network operator. Figure labels: Attacker (Host Scan, Port Scan, XMAS, Signature Alerts); Brocade Switch; Blocked.]


1. In Brocade INM, select the host sweep alert and double-click: Event Manager > Event Processor > IPS_HOSTSweepAlert

2. The Edit Event Action dialog box appears, in which you can enter a name and description. Click Next.


3. The Events window shows the currently selected traps from all available traps. Set Varbind filters to Yes and click Next.

4. Configure senders for the alert (Brocade devices that can send alerts): Event Manager > Event Processor > Event Actions > Edit Event Action > Senders


5. Configure the policy for the alert (under what conditions to send the alert): Event Manager > Event Processor > Event Actions > Edit Event Action > Policy

6. Configure the actions to take when a trap is received: Event Manager > Event Processor > Event Actions > Edit Event Action > Action Group > Actions. Select Deploy CLI Config, and click More.

If you want to send an e-mail notification to the network operator when an alert is triggered, you can configure it at this point. See the product documentation for instructions on how to set up a Security Assessment (SA) e-mail alert.


7. Click the Global Configuration tab in the CLI Configuration Manager (note that Demo CLI, shown in the window below, was created for this solution testing), and select the CLI option to configure. Whatever you configure in the CLI Configuration Manager is sent to the global configuration mode of the Brocade device you select to act upon.

8. Select the CLI Commands tab to configure the CLI commands that will be executed on the Brocade switch in response to an alert. Enter the CLI parameter, select the type of variable from the drop-down menu, and click Insert and then Save.

Saving the CLI commands takes you back to the CLI Configuration Manager. Closing that window takes you back to the Actions window shown in Step 6, where the CLI parameter you configured now appears in the Parameters list. You can then map the parameter to the varbind of the trap.

You can find these procedures explained in greater detail in the Brocade INM product documentation.
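The parameter-to-varbind mapping of Steps 6 to 8, as an added example that is not Brocade INM code: the parameter types, the varbind layout and the FastIron-style ACL lines are assumptions, because the note shows only that a typed parameter is mapped to a trap varbind and not the contents of its Demo CLI configuration.

```python
"""Map trap varbinds to typed CLI parameters for an INM Deploy CLI Config action.

Added example, not Brocade INM code. The parameter types, the varbind layout
and the FastIron-style ACL lines are assumptions: the note does not show the
contents of its Demo CLI configuration, only that a parameter is typed and
mapped to a varbind of the trap."""
import ipaddress

# Constructed host-sweep trap varbinds; $5 carries the source address.
SAMPLE_VARBINDS = ["IPS_HOSTSweepAlert", "2010-05-10 12:34:56",
                   "sensor-01", "High", "192.0.2.45"]

# CLI parameter -> (1-based varbind index, declared type), modelling the
# "select the type of variable" step on the CLI Commands tab.
PARAMETER_MAP = {"attacker_ip": (5, "ipv4")}

# Assumed FastIron-style ACL syntax standing in for the note's Demo CLI.
CLI_TEMPLATE = ["access-list 100 deny ip host {attacker_ip} any",
                "access-list 100 permit ip any any"]


def coerce(value: str, kind: str) -> str:
    """Accept the varbind only if it parses as the declared type, so a
    malformed or hostile trap payload never reaches global config mode."""
    if kind == "ipv4":
        return str(ipaddress.IPv4Address(value.strip()))  # raises on junk
    if kind == "int":
        return str(int(value.strip()))
    raise ValueError(f"unknown parameter type {kind!r}")


def build_cli(varbinds: list, pmap: dict = PARAMETER_MAP,
              template: list = CLI_TEMPLATE) -> list:
    """Return the command lines INM would push, with every parameter
    validated and substituted from the trap's varbinds."""
    params = {}
    for name, (idx, kind) in pmap.items():
        if idx > len(varbinds):
            raise ValueError(f"trap carries no varbind ${idx} for {name}")
        params[name] = coerce(varbinds[idx - 1], kind)
    return [line.format(**params) for line in template]


if __name__ == "__main__":
    print("\n".join(build_cli(SAMPLE_VARBINDS)))
```

A varbind that is not a plain address (extra tokens, line breaks) is rejected before any command line is built, which is the check worth keeping in front of an automated deploy.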


Use Case 2: Port Scan Attack

When port scan attacks occur:

1. McAfee IPS detects the attack and alerts Brocade INM.

2. Brocade INM receives the IPS attack alert and sends an Access Control List (ACL) to the Brocade switch to block the attacker and a Security Assessment (SA, an e-mail notification) to the network operator. The assessment type is: Compromised network infrastructure equipment.

NOTE: IPS automatically alerts for port scan attacks. The NSM must be configured to send alerts to INM (described earlier in this document).

Figure 3 illustrates the process.

Figure 3. Response to a port scan attack

Note that before you configure an alert, you need to create it. In the Event Processor window, shown in Step 1 on page 31, click New at the top of the list and follow the onscreen instructions to create the alert. In this solution, the alert is IPS_PortScanAlert.

[Figure 3 callouts: The stealthiest attacks are detected and thwarted by McAfee IPS. Attack alerts are relayed from IPS via a Security Assessment message to INM, which then executes an ACL on the Brocade switch to block the attacker and sends an event message to the network operator. Figure labels: Attacker (Host Scan, Port Scan, XMAS, Signature Alerts); Brocade Switch; Blocked.]


1. In Brocade INM, select the port scan alert and double-click: Event Manager > Event Processor > Event Actions > IPS_PortScanAlert

2. Follow the same steps as described in the previous use case, “Host Sweep Attack.” Finish by selecting the CLI Commands tab and entering the configuration commands that will be executed on the Brocade switch in response to an alert issued from Brocade INM.

© 2010 Brocade Communications Systems, Inc. All Rights Reserved. 5/10 GA-AN-289-00

Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, and TurboIron are registered trademarks, and Brocade Assurance, DCFM, Extraordinary Networks, and Brocade NET Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.