Intrusion Prevention with TippingPoint

A SANS Product Review

Written by Dave Shackleford
December 2015

Sponsored by
Trend Micro

©2015 SANS™ Institute

 Introduction
Organizations are facing more attacks than ever before. Organizations need to invest in
making their prevention and detection capabilities as robust and effective as possible to
keep as many attacks out or to detect attacks as quickly as they can.

Most mature enterprise security and network teams invested in signature-based

intrusion prevention technology over the years because it’s considered a mainstay of
many network security implementations. However, security operations teams have long
struggled with false positives, a lack of behavioral monitoring, and a general
Key Beneficial Features of inability to integrate with user directories and activities, as well as these
HPE TippingPoint 2600NX IPS systems not aligning with other response and vulnerability management tools
• Easy deployment and configuration and processes. Given the sophisticated nature of today’s attackers and exploit
• Ability to import vulnerability scan data, attempts, next-generation IPSes need to better detect and prevent malicious
correlate it and remediate against attack activity on our networks, which requires an evolution of their engineering.
attempts
• Reputation and geolocation rule sets We had an opportunity to review one such IPS, the Hewlett Packard Enterprise
(HPE) TippingPoint 2600NX, as well as its management platform. We found it
• Large, easily searchable and regularly updated
database of security filters easy to deploy and configure custom policies for detection and blocking. For

• Tunable, learnable policies that can help reduce example, we were able to block test sample traffic from North Korea, as well
false positives as block traffic based on parameters such as reputational scoring that are now
embedded in the TippingPoint system.

The system includes a modifiable database of security filters that HPE updates regularly.
Policies can be tuned further by importing vulnerability data, and the system provides
support for forensics and compliance through integration with security information and
event management (SIEM) systems.

Together, these and other features elevate the TippingPoint 2600NX IPS into a true next-
generation integrated IPS.

SANS ANALYST PROGRAM

1 Intrusion Prevention with TippingPoint
 Initial Deployment
In architectural terms, our testbed closely modeled a typical enterprise deployment,
depicted in Figure 1.

Figure 1. Typical IPS Deployment Architecture

For device management, HPE provides the TippingPoint Security Management System
(TippingPoint SMS) that enabled us to easily check all aspects of the device status by
selecting the Devices section of the TippingPoint SMS console and choosing the device
to monitor or troubleshoot, as shown in Figure 2.

Figure 2. TippingPoint SMS Console

SANS ANALYST PROGRAM

2 Intrusion Prevention with TippingPoint
 Initial Deployment (CONTINUED)

Having selected a device, administrators can immediately see at a glance how healthy
the device is, whether network ports are passing traffic and functioning properly, and
other aspects. A status view of the 2600NX we evaluated appears in Figure 3.

Figure 3. Device Status

This interface enabled us to evaluate the status of a system at a glance. Clicking on

the device elements in the display provided detailed information about hardware
components, which makes troubleshooting easy for administrators. Another set of
features that can easily ally fears of blocking traffic accidentally or causing network
outages includes Layer 2 Fallback and Inspection Bypass. These features allow
administrators to quickly and easily pass all traffic through a port pair on the device
(Layer 2 Fallback) or selectively pass traffic through a segment based on defined rules
(Inspection Bypass). Figure 4 shows us enabling Layer 2 Fallback on a segment in the
interface.

SANS ANALYST PROGRAM

3 Intrusion Prevention with TippingPoint
 Initial Deployment (CONTINUED)

Figure 4. Enabling Layer 2 Fallback

Figure 5 shows our configuration of Inspection Bypass.

Figure 5. Inspection Bypass Rules

Another configuration feature we explored enabled us to create virtual network

segments for particular systems or subnets in a defined network zone. Virtual segments
can be set up to define traffic according to the VLAN, an endpoint pair based on a
packet’s source and destination IP addresses, or both. The administrator can assign
one or more physical segments to the virtual segment. Virtual segments are, in turn,
members of a segment group to which administrators can apply policies, and they can
be a target for policy distribution or used in search criteria in events and reports.

SANS ANALYST PROGRAM

4 Intrusion Prevention with TippingPoint
 Initial Deployment (CONTINUED)

For our review, we created a virtual segment for a web server in the DMZ segment that
resides on VLAN 100, as shown in Figure 6.

Figure 6. Virtual Segment Creation

We could then apply policies to the virtual segment without affecting the rest of the
network.

Finally, on the Profiles tab, administrators can configure segment groups that include
both physical and virtual segments, enabling policy enforcement. Our virtual segment
used the “DMZ Profile” shown in Figure 7.

Figure 7. DMZ Virtual Segment with DMZ Profile Assigned

In short, the 2600NX was a breeze to deploy across our sample enterprise.

SANS ANALYST PROGRAM

5 Intrusion Prevention with TippingPoint
 Policy Configuration
Configuring the policies that our 2600NX applied for filtering and traffic control was
easy. Our first task was updating TippingPoint’s filter and policy updates, or Digital
Vaccines (DVs). A notification for a new DV filter set appears in Figure 8.

Figure 8. Digital Vaccine Update Notification

Administrators can take one or both actions upon seeing this prompt. The first, Activate,
adds the DV update to the Tipping Point SMS console (shown in Figure 9). The other,
Distribute, pushes the new DV to connected TippingPoint devices.

Figure 9. DV Inventory and Distribution

SANS ANALYST PROGRAM

6 Intrusion Prevention with TippingPoint
 Policy Configuration (CONTINUED)

During our review, TippingPoint released several DV updates that we found easy to
deploy. The success of a filter-based network IPS relies heavily on the accuracy and
frequency of its filter updates, so updating such files is an important part of any security
operations team’s routine.

Security Filter Searching

HPE’s DVLabs security team provides an enormous number of filters for the
TippingPoint IPS. Fortunately, TippingPoint SMS enables searching of the DVs
associated with a given profile. Figure 10 shows the result of our selecting Search
within the Profiles tab, highlighting Filter Taxonomy Criteria and then looking for
signatures related to HTTP traffic.

Figure 10. Filter Search

The ability to quickly search for specific filters based on a wide range of criteria is critical
for security analysts who need to find and tune filters for use in their environments. The
“one size fits all” approach to applying traffic filters in intrusion prevention just doesn’t
work in large networks, so analysts will need to carefully adjust their filter sets to best fit
the traffic types and attacks they need to evaluate.

SANS ANALYST PROGRAM

7 Intrusion Prevention with TippingPoint
 Policy Configuration (CONTINUED)

Importable Vulnerability Data

One new feature in the TippingPoint IPS software is the ability to import vulnerability
scan data and specifically tailor profiles to initiate actions for known vulnerabilities
among potential target assets within the environment. Figure 11 shows the TippingPoint
Policy Tuning Wizard and the result of our search for vulnerabilities in our test
environment, listed by Common Vulnerabilities and Exposures (CVE) reference.1

Figure 11. Adding a Vulnerability Scan to a Profile

Analysts who use scan data to better fine-tune the IPS can configure more perfectly
tailored blocking actions that, in turn, yield a much lower rate of false positives than
they otherwise would. In the testbed, we successfully added a completed vulnerability
scan report into the profile consideration to “teach” the profile about known assets and
vulnerabilities these assets currently have. We could also configure the IPS policy to
automatically block specific attacks to those assets.

1
The CVE dictionary is at https://cve.mitre.org
SANS ANALYST PROGRAM
8 Intrusion Prevention with TippingPoint
 Policy Configuration (CONTINUED)

Filter by Location
TippingPoint IPSes can now incorporate geolocation data and reputation information
about known malicious (or suspicious) IP addresses or DNS names into policies that
can reduce malicious traffic coming into the environment, as well as help minimize
communication with risky systems.

Creating such filters was incredibly simple. First, we created a basic reputation filter that
blocked traffic to systems that have a reputation score above 75.2 To create such a filter,
we selected the policy under the Profiles tab and then choose User Defined Filters and the
Reputation/Geo subtype.

A reputation filter requires the following elements:

• Name
• Action (e.g., “Block” or “Block+Notify”)
• Rule criteria for reputation (country, exploit or reputation score)

Geographic filters are very similar, requiring a filter name, an action and a country that
the TippingPoint IPS will use as rule criteria. We created a rule that blocked all traffic to
and from North Korea. Figure 12 shows our two test rules in place.

Figure 12. Reputation and Geographic Filter Rules

2
T ippingPoint assigns score tags between 1 and 100 (as well as identifying information) for each IP address and DNS name.
A score of 100 identifies the IP addresses or DNS names with the most malicious histories.
SANS ANALYST PROGRAM
9 Intrusion Prevention with TippingPoint
 Policy Configuration (CONTINUED)

Having created our filters, we selected the Distribute button in the console to push these
filters to our virtual DMZ segment, as shown in Figure 13.

Figure 13. Distributing Reputation/Geographic Filters

Overall, we found the TippingPoint policy engine easy to use. Finding and editing rules
and filters were intuitive processes, while creating new filters was a breeze. Once an
analyst defines the policies and filters, pushing them to selected segments and IPS
sensors is quick and painless.

SANS ANALYST PROGRAM

10 Intrusion Prevention with TippingPoint
 Forensics and Reporting
Although we didn’t have an opportunity to test the effectiveness of the filters with
simulated attacks, our testbed had a large volume of preloaded attack data, giving us a
good sense for how analysts would manage and monitor these systems and how they
would respond to real attack and event information.

In fact, in many ways, the most critical features of an IPS are the ones that facilitate
reporting and monitoring. The TippingPoint SMS Dashboard acts as a first stop for
analysts running daily operations, and it was quick to configure.

Highly Customizable
The TippingPoint SMS Dashboard is loaded with customizable widgets for real-time
monitoring of endpoint and network activity. Figure 14 shows the main Dashboard view.

Figure 14. TippingPoint SMS Dashboard

SANS ANALYST PROGRAM

11 Intrusion Prevention with TippingPoint
 Forensics and Reporting (CONTINUED)

The sidebar on the left of the Dashboard provides access to available widgets, organized
in three categories:
• SMS/Device. These address the appliance, checking items such as device health,
device status, policy distribution information or event rates.
• Inspection. Most widgets focus on traffic inspection for security events. This
category includes widgets for Top App Sources, Top Attacks or Top Attack Sources.
• Traffic Analysis. This category of widgets (which could be equally useful to
security and network teams) includes widgets that measure Top IPs by Bandwidth,
Top Protocols and Top Services.

We decided to drag and drop the “Top Attacks” widget onto the dashboard and then
customize it to show only HTTP attacks in the DMZ segment. Once the widget was
in place, we customized it by clicking the small wrench icon in the upper right of the
widget pane. Here, you can change any criteria for the widget’s display, including its
name, the protocol, service or attack type, network or user specifics and the segments
involved. Figure 15 shows the widget we modified.

Figure 15. Modified Dashboard Widget

Clicking on any widget on the Dashboard presents further information. For example, if
a new attack pops up on one of the widgets, analysts can view any specifics about the
attack event(s) by clicking them instead of having to go back to the “top” of the console
user interface. The dashboard was easy to use, and the widgets were simple to drag in,
configure and monitor within a very short time.

SANS ANALYST PROGRAM

12 Intrusion Prevention with TippingPoint
 Forensics and Reporting (CONTINUED)

Creating Exceptions
Another important feature of TippingPoint SMS enables analysts to create exceptions for
specific rules and policies to reduce false positives or cut down on the number of events
and alerts generated. For example, clicking on a specific event in the Dashboard takes us
back to the main SMS console’s Events pane for deeper analysis and review. From here,
creating an exception is just a matter of right-clicking the event, selecting Profile and
choosing Create Exception, as seen in Figure 16.

Figure 16. Creating Event Exceptions in the TippingPoint SMS Console

From here, analysts can see alerts coming into the dashboard and drill into them; if
something looks to be a false positive, they can create an exception and add it directly to
the filter profile.

SANS ANALYST PROGRAM

13 Intrusion Prevention with TippingPoint
 Forensics and Reporting (CONTINUED)

Flexible Reporting
The TippingPoint SMS console’s main Reports tab
enables analysts to create scheduled or on-the-fly
reports of network and system activity. It offers a
number of out-of-the-box templates for reports.
Analysts can modify the stock templates or create new
reports from scratch. Figure 17 shows the reporting
templates in our testbed.

Many of the report templates focus on attacks seen

and blocked, but reports also measure reputation Figure 17.
events, traffic patterns, traffic access controls with TippingPoint Reporting Templates

the firewalling capability built into the TippingPoint

system (in the Firewall section) and other aspects of the IPS. Scheduling reports to
provide regular assessments of the organization’s defensive status is easy.

We created a simple report for our DMZ segment that listed only critical attacks, as
shown in Figure 18.

Figure 18. Creating a Critical Attacks Report for the DMZ Segment

Being able to monitor the IPS and quickly control event rates and types, as well as
reporting on those events, is at the heart of many security operations teams’ daily
responsibilities. TippingPoint’s reporting was flexible and easy to configure to provide
useful information and drill-down data during and after an event.

SANS ANALYST PROGRAM

14 Intrusion Prevention with TippingPoint
 TippingPoint Administration
Finally, we took a brief look at some of the administrative features of the 2600NX. For
example, any critical security system will need strong role-based access controls. The
Admin panel of TippingPoint SMS enables management of the IPS’ users, their roles and
permissions, and how the device integrates with other security tools and systems, such
as authentication and directory services, event management or SIEM tools.

User Group Policies

The Admin panel provides a wizard-based interface for user and group management,
which we ran to create a new user that would have access to only the DMZ segment
for operations. The wizard walked us through adding a user (from a directory service or
using local system authentication) and defining the segments and policies that apply to
the user. Each user or group can have one or more roles, such as “Admin” (full control) or
“Operator” (specific control of one or more functions within the platform). We gave our
test user the power to manage and monitor the DMZ segment, as seen in Figure 19.

Figure 19. User Roles Configuration

This granular, role-based access control is especially valuable to larger organizations that
may have different teams handling specific segments or incident response (IR) functions.

Importing to SIEM Tools

We also explored sending events to other systems, such as a SIEM platform. With this
feature, administrators can configure export formats in the Syslog tab of the Admin
panel’s Server Properties section to. Although we didn’t export any or integrate with a
SIEM tool in this review, we examined the data export options, shown in Figure 20.

Figure 20. Event Data Export Formats and Configuration

IPS event data is even more useful for detecting attacks and initiating IR processes when
analysts can correlate it with other data and events. The more automated this can be, the
better, and this feature in the TippingPoint system makes it easy.

SANS ANALYST PROGRAM

15 Intrusion Prevention with TippingPoint
 TippingPoint Administration (CONTINUED)

History and Usage Data

One other useful feature we examined was the ability to view the IP address history and
usage of a particular Active Directory user on your network (which requires the 2600NX
be connected to the Active Directory domain) by selecting User ID IP Correlation in the
Admin panel. This opens a search interface that allows you to specify IP subnets, user
names, domains, machine names and date ranges. Figure 21 shows an example of one
such search.

Figure 21. User ID IP Correlation

This feature could be especially useful in looking for insider threat activity or fraud, as
well as finding user systems that attackers may have compromised.

As Advertised
Our review of the TippingPoint 2600NX IPS and the TippingPoint management platform
was smooth. We didn’t encounter any issues or “gotchas” along the way, and the system
performed as advertised on all counts. Standout features include general ease of use.
TippingPoint SMS provides a highly intuitive interface and a flexible set of menus and
wizards that intrusion analysts and security operations teams can have up and running
in no time.

SANS ANALYST PROGRAM

16 Intrusion Prevention with TippingPoint
 Conclusion
Today’s threats demand better and more integrated tools for detection and response.
HPE TippingPoint seems to understand that with its highly configurable IPS. Easy to
use, with searchable databases and flexible policies, TippingPoint reduces many of the
traditional pain points out of the box, including the following:
• Reduced false positives through self-learning
• Actionable threat defense with faster detection and prevention through location-,
user- and system-based awareness
• Improved visibility and analytics into events with correlation to vulnerability data
and integration to SIEM systems
• Operational simplicity with easy administration, including updates, across systems

IPSes are critical elements of a sound network security strategy and will continue to be
so. However, with increasing operational demands placed on information security teams,
such systems need to be simple to use, be easy to install, and must readily integrate with
SIEM and other analytic platforms. The 2600NX and its associated management tools,
with its behavior and reputation policies, external scan data and threat intelligence,
present a powerful defensive platform.

SANS ANALYST PROGRAM

17 Intrusion Prevention with TippingPoint
 About the Author
Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of
the board of directors for the SANS Technology Institute, is the founder and principal consultant with
Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory
compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive
experience designing and configuring secure virtualized infrastructures. He previously worked as chief
security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead
the Atlanta chapter of the Cloud Security Alliance.

Sponsor
SANS would like to thank this paper’s sponsor:

SANS ANALYST PROGRAM

18 Intrusion Prevention with TippingPoint