Sponsored by
Trend Micro
• Tunable, learnable policies that can help reduce false positives
For example, we were able to block test sample traffic from North Korea, as well as block traffic based on parameters such as reputational scoring that are now embedded in the TippingPoint system.
The system includes a modifiable database of security filters that HPE updates regularly.
Policies can be tuned further by importing vulnerability data, and the system provides
support for forensics and compliance through integration with security information and
event management (SIEM) systems.
Together, these and other features elevate the TippingPoint 2600NX IPS into a true next-generation integrated IPS.
For device management, HPE provides the TippingPoint Security Management System
(TippingPoint SMS) that enabled us to easily check all aspects of the device status by
selecting the Devices section of the TippingPoint SMS console and choosing the device
to monitor or troubleshoot, as shown in Figure 2.
Having selected a device, administrators can immediately see at a glance how healthy
the device is, whether network ports are passing traffic and functioning properly, and
other aspects. A status view of the 2600NX we evaluated appears in Figure 3.
For our review, we created a virtual segment for a web server in the DMZ segment that
resides on VLAN 100, as shown in Figure 6.
We could then apply policies to the virtual segment without affecting the rest of the
network.
Finally, on the Profiles tab, administrators can configure segment groups that include
both physical and virtual segments, enabling policy enforcement. Our virtual segment
used the “DMZ Profile” shown in Figure 7.
In short, the 2600NX was a breeze to deploy across our sample enterprise.
Administrators can take one or both actions upon seeing this prompt. The first, Activate,
adds the DV update to the TippingPoint SMS console (shown in Figure 9). The other,
Distribute, pushes the new DV to connected TippingPoint devices.
During our review, TippingPoint released several DV updates that we found easy to
deploy. The success of a filter-based network IPS relies heavily on the accuracy and
frequency of its filter updates, so updating such files is an important part of any security
operations team’s routine.
The ability to quickly search for specific filters based on a wide range of criteria is critical
for security analysts who need to find and tune filters for use in their environments. The
“one size fits all” approach to applying traffic filters in intrusion prevention just doesn’t
work in large networks, so analysts will need to carefully adjust their filter sets to best fit
the traffic types and attacks they need to evaluate.
Analysts who use scan data to fine-tune the IPS can configure more precisely tailored
blocking actions that, in turn, yield a much lower rate of false positives than they
otherwise would. In the testbed, we successfully added a completed vulnerability scan
report into the profile consideration to “teach” the profile about known assets and the
vulnerabilities those assets currently have. We could also configure the IPS policy to
automatically block specific attacks against those assets.
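To make the scan-informed tuning described above concrete, here is an added illustration (not TippingPoint code) of the decision it enables: a filter that detects exploitation of a given CVE blocks only when the target asset is recorded as exposed, alerts when the asset is known but unaffected, and falls back to its stock action for assets the scan never saw. The asset inventory, filter names and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed asset inventory, shaped like what a vulnerability-scan import
# would add to the profile. The CVE ids are placeholders, not real entries.
SCAN_REPORT = {
    "10.1.100.10": {"CVE-0000-1111", "CVE-0000-2222"},
    "10.1.100.11": {"CVE-0000-3333"},
}

@dataclass(frozen=True)
class Filter:
    name: str
    cve: str                       # CVE the signature detects exploitation of
    default_action: str = "alert"  # stock action when exposure is unknown

@dataclass(frozen=True)
class Event:
    filter_name: str
    src: str
    dst: str

# Constructed filter set; names are hypothetical, not real TippingPoint filters.
FILTERS = {
    "HTTP: Example Overflow": Filter("HTTP: Example Overflow", "CVE-0000-1111"),
    "SMB: Example RCE": Filter("SMB: Example RCE", "CVE-0000-3333", "block"),
}

def decide_action(evt, filt, assets):
    """Return (action, reason) for one event under scan-informed tuning."""
    cves = assets.get(evt.dst)
    if cves is None:
        # Target not in the scan import: fall back to the filter's stock action.
        return filt.default_action, "asset not in scan data"
    if filt.cve in cves:
        return "block", f"{evt.dst} is exposed to {filt.cve}"
    # Known asset without the flaw: the attempt cannot succeed, so log only.
    return "alert", f"{evt.dst} not affected by {filt.cve}"

def triage(events, filters=FILTERS, assets=SCAN_REPORT):
    """Apply decide_action to a batch; returns [(filter, dst, action, reason)]."""
    out = []
    for evt in events:
        action, reason = decide_action(evt, filters[evt.filter_name], assets)
        out.append((evt.filter_name, evt.dst, action, reason))
    return out

if __name__ == "__main__":
    sample = [
        Event("HTTP: Example Overflow", "198.51.100.7", "10.1.100.10"),
        Event("HTTP: Example Overflow", "198.51.100.7", "10.1.100.11"),
        Event("SMB: Example RCE", "198.51.100.7", "10.1.100.99"),
    ]
    for row in triage(sample):
        print(row)
```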
[1] The CVE dictionary is at https://cve.mitre.org
SANS ANALYST PROGRAM
8 Intrusion Prevention with TippingPoint
Policy Configuration (CONTINUED)
Filter by Location
TippingPoint IPSes can now incorporate geolocation data and reputation information
about known malicious (or suspicious) IP addresses or DNS names into policies that
can reduce malicious traffic coming into the environment, as well as help minimize
communication with risky systems.
Creating such filters was incredibly simple. First, we created a basic reputation filter that
blocked traffic to systems that have a reputation score above 75.[2] To create such a filter,
we selected the policy under the Profiles tab and then chose User Defined Filters and the
Reputation/Geo subtype.
Geographic filters are very similar, requiring a filter name, an action and a country that
the TippingPoint IPS will use as rule criteria. We created a rule that blocked all traffic to
and from North Korea. Figure 12 shows our two test rules in place.
[2] TippingPoint assigns score tags between 1 and 100 (as well as identifying information) for each IP address and DNS name.
A score of 100 identifies the IP addresses or DNS names with the most malicious histories.
Having created our filters, we selected the Distribute button in the console to push these
filters to our virtual DMZ segment, as shown in Figure 13.
Overall, we found the TippingPoint policy engine easy to use. Finding and editing rules
and filters were intuitive processes, while creating new filters was a breeze. Once an
analyst defines the policies and filters, pushing them to selected segments and IPS
sensors is quick and painless.
In fact, in many ways, the most critical features of an IPS are the ones that facilitate
reporting and monitoring. The TippingPoint SMS Dashboard acts as a first stop for
analysts running daily operations, and it was quick to configure.
Highly Customizable
The TippingPoint SMS Dashboard is loaded with customizable widgets for real-time
monitoring of endpoint and network activity. Figure 14 shows the main Dashboard view.
The sidebar on the left of the Dashboard provides access to available widgets, organized
in three categories:
• SMS/Device. These address the appliance, checking items such as device health,
device status, policy distribution information or event rates.
• Inspection. Most widgets focus on traffic inspection for security events. This
category includes widgets for Top App Sources, Top Attacks or Top Attack Sources.
• Traffic Analysis. This category of widgets (which could be equally useful to
security and network teams) includes widgets that measure Top IPs by Bandwidth,
Top Protocols and Top Services.
We decided to drag and drop the “Top Attacks” widget onto the dashboard and then
customize it to show only HTTP attacks in the DMZ segment. Once the widget was
in place, we customized it by clicking the small wrench icon in the upper right of the
widget pane. Here, you can change any criteria for the widget’s display, including its
name, the protocol, service or attack type, network or user specifics and the segments
involved. Figure 15 shows the widget we modified.
Clicking on any widget on the Dashboard presents further information. For example, if
a new attack pops up on one of the widgets, analysts can view any specifics about the
attack event(s) by clicking them instead of having to go back to the “top” of the console
user interface. The dashboard was easy to use, and the widgets were simple to drag in,
configure and monitor within a very short time.
Creating Exceptions
Another important feature of TippingPoint SMS enables analysts to create exceptions for
specific rules and policies to reduce false positives or cut down on the number of events
and alerts generated. For example, clicking on a specific event in the Dashboard takes us
back to the main SMS console’s Events pane for deeper analysis and review. From here,
creating an exception is just a matter of right-clicking the event, selecting Profile and
choosing Create Exception, as seen in Figure 16.
From here, analysts can see alerts coming into the dashboard and drill into them; if
something looks to be a false positive, they can create an exception and add it directly to
the filter profile.
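The reputation and geographic filters described in Filter by Location, and the per-event exceptions described just above, can be modelled together. The following is an added illustration, not TippingPoint code: score tags run from 1 to 100 as in footnote 2, the reputation filter blocks above 75, the geo filter blocks traffic to or from North Korea (KP), and an exception keyed to a filter and host pair suppresses the block for a connection judged to be a false positive. The reputation feed, geolocation table and `Profile` class are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed reputation feed: each IP or DNS name carries a score tag from
# 1 to 100, where 100 marks the most malicious history (as in the review).
REPUTATION = {"203.0.113.7": 91, "198.51.100.5": 40, "bad.example": 88}
# Constructed geolocation lookup keyed by IP, ISO country codes.
GEO = {"203.0.113.7": "KP", "198.51.100.5": "US", "192.0.2.9": "KP"}

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str

@dataclass
class Profile:
    """Hypothetical stand-in for a segment profile's Reputation/Geo filters."""
    rep_block_above: int = 75
    blocked_countries: frozenset = frozenset({"KP"})
    # Exceptions created from events: (filter name, src, dst) that must not block.
    exceptions: set = field(default_factory=set)

def matching_filters(conn, profile):
    """Names of user-defined Reputation/Geo filters hit by either endpoint."""
    hits = []
    for host in (conn.src, conn.dst):
        if REPUTATION.get(host, 0) > profile.rep_block_above:
            hits.append(f"Reputation score above {profile.rep_block_above}")
        country = GEO.get(host)
        if country in profile.blocked_countries:
            hits.append(f"Geo block {country}")
    return list(dict.fromkeys(hits))  # preserve order, drop duplicates

def evaluate(conn, profile):
    """Return ('block' | 'permit', filters still in force after exceptions)."""
    hits = matching_filters(conn, profile)
    active = [h for h in hits
              if (h, conn.src, conn.dst) not in profile.exceptions]
    return ("block" if active else "permit"), active

def add_exception(profile, filter_name, conn):
    """Mirror 'Profile > Create Exception' on an event judged a false positive."""
    profile.exceptions.add((filter_name, conn.src, conn.dst))

if __name__ == "__main__":
    dmz = Profile()
    inbound = Conn("192.0.2.9", "10.1.100.10")
    print(evaluate(inbound, dmz))            # blocked by the KP geo filter
    add_exception(dmz, "Geo block KP", inbound)
    print(evaluate(inbound, dmz))            # permitted after the exception
```

Note that an exception here is scoped to one filter and one host pair, so the same filter keeps blocking every other source.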
Flexible Reporting
The TippingPoint SMS console’s main Reports tab enables analysts to create scheduled or on-the-fly reports of network and system activity. It offers a number of out-of-the-box templates for reports. Analysts can modify the stock templates or create new reports from scratch. Figure 17 shows the reporting templates in our testbed.
We created a simple report for our DMZ segment that listed only critical attacks, as
shown in Figure 18.
Figure 18. Creating a Critical Attacks Report for the DMZ Segment
Being able to monitor the IPS and quickly control event rates and types, as well as
reporting on those events, is at the heart of many security operations teams’ daily
responsibilities. TippingPoint’s reporting was flexible and easy to configure to provide
useful information and drill-down data during and after an event.
This granular, role-based access control is especially valuable to larger organizations that
may have different teams handling specific segments or incident response (IR) functions.
IPS event data is even more useful for detecting attacks and initiating IR processes when
analysts can correlate it with other data and events. The more automated this can be, the
better, and this feature in the TippingPoint system makes it easy.
This feature could be especially useful in looking for insider threat activity or fraud, as
well as finding user systems that attackers may have compromised.
As Advertised
Our review of the TippingPoint 2600NX IPS and the TippingPoint management platform
was smooth. We didn’t encounter any issues or “gotchas” along the way, and the system
performed as advertised on all counts. Standout features include general ease of use.
TippingPoint SMS provides a highly intuitive interface and a flexible set of menus and
wizards that intrusion analysts and security operations teams can have up and running
in no time.
IPSes are critical elements of a sound network security strategy and will continue to be
so. However, with increasing operational demands placed on information security teams,
such systems need to be simple to use, easy to install, and able to integrate readily with
SIEM and other analytic platforms. The 2600NX and its associated management tools,
with their behavior and reputation policies, external scan data and threat intelligence,
present a powerful defensive platform.
Sponsor
SANS would like to thank this paper’s sponsor: