DFL-2100 / DFL-2400 - D-Link

Contents

1. Select System Alert Level. Select a warning level (Little Risk, Low Risk, Medium Risk, High Risk, Serious Risk). [Figure 8-30: Change warning levels] Select a warning level: select the attack seriousness level at which the system informs you of attack occurrences. OK button: click on this button to accept the setting of a new warning level. Cancel button: click on this button to exit this screen. When network attacks occur, the system displays a warning screen according to these settings. [Figure 8-31: The warning dialogue box displayed when the system is attacked (Attack Warning, Mon Jan 20 15:44:29 CST 2003, System is under attack: ICMP Destination Unreachable)] E-Mail Trap Setting: enable an e-mail trap when the system is attacked. These settings include a check box enabling mail notification and the complete e-mail account and IP address of the SMTP server. [Figure 8-32: Use this dialogue box to enable the e-mail trap] Set up the schedule report output form. When users click on the Time Report button, they see a dialogue box (Figure 8-33) for the setting of report outp…
2. [Figure 8-23: The selection of discontinuous periods] Notes on the selection: (1) The year field: use the up and down scrolling buttons to decide which year to display. (2) The month field. (3) The week selection button: click on it to select a week and click once more to cancel the selection. When this button is selected it is dark gray, otherwise bright gray. (4) The day selection button: click on it to select a day and click once more to cancel the selection. When this button is selected it is dark gray, otherwise bright gray. (5) The display of today: the letter on this button is displayed in green. (6) Monthly report button: click on this button to select the month displayed on the whole screen; to cancel, just click once more. (7) Specific time option: when this option is selected the system searches for time information and displays it as, for example, Specific Hour 7:00. The report print function: after obtaining any form of required report, the system manager can not only review most of the reports on-line but also print them out or switch to a bar chart or a pie chart for further analysis and comparison. (4) The system manager just clicks on the Print button in the report options…
3. [Figure 8-6: The inquiry screen of the hosts attacked (IDS Reporting System, Top All Attacked Host)] The content description of the inquiry screen: Ranking: the ranking of the attacked hosts. Name of attacked hosts: the host names defined in the address list. IP address: the IP address of the attacked hosts. Attacked number: the number of times the IP address has been attacked. Users can double click the content of this form to see the detailed information display, like the one on the right side of the following screen (Rank, Attacked Host, IP, Number of attacks; No., Attack Name, Attack Type, Number of attacks)…
4. get snmp. Example:
    >> get snmp
    Options: system | community | trap
      system     Show SNMP System Information
      community  Show SNMP Community Setting
      trap       Show SNMP trap Information
    >> get snmp system
    SNMP Location: D-Link
    SNMP Contact: service@dlink.com
    SNMP Name: DFL-2100/DFL-2400
    >> get snmp trap
    SNMP Trap: Disable
    SNMP Trap IP: 0.0.0.0
    >> get snmp community
    SNMP Read Only Community: public
    SNMP Read Write Community: private
    SNMP Trap Community: SNMP_trap
   Set Command. Use the set command to enter system configuration parameters. The usage and description are illustrated in the following. Some set functions are applicable to both console and telnet. set. Description: show the set command parameters and available commands. Syntax: set. Arguments: none. Example:
    >> set
    set: Set system parameters
    Available commands:
      system     System configurations including IP, password, etc.
      time       Device clock setting
      interface  Interface stealth function and working link mode
      state      Device operation state
      psserver   Policy server configurations
      snmp       SNMP parameters
   set system. Description: use the set system command to configure the DFL-2100/DFL-2400, including IP address, gateway, network mask and other information. Syntax: set system [ip | gateway | mask | passwd | rpasswd | detect | logmax]. Arguments: ip <ip address…
5. …is considered as a match. The extra parameters in the payload don't matter either. For example, given the pattern /cgi-bin/foo.exe?p1=abc&p2=def, a URL packet with the URL request /cgi-bin/foo.exe?p0=xyz&p1=abc&p2=def is considered as a match. [Figure 6-15: The Content Tab (Attack Packet Signature: Matching String, ASCII/HEX; Matching Offset, byte(s); Matching Depth, byte(s); Matching Method: Case sensitive)] POLICY DEFINITION PROCESS. In this chapter we discuss setting the parameters of the books. These books are used in policy definition. Edit Service Book: the DFL-2100/DFL-2400 can support attack detection on different types of Services such as FTP, HTTP, SMTP and so on. These Services are defined in the Service Book. The DFL-2100/DFL-2400 has several predefined Services commonly seen in the network. You can also define your own Services and add them to the Service Book. Click the Service Book button to display the content of the Service Book in the Book Table window. Changes to the Service Book will not take effect until the red-lit Confirm button is clicked. Add a Service: (1) Click the Service Book button to switch to the Service Book page. (2) Click the Add button…
6. DFL-2100/DFL-2400 Intrusion Detection System User Manual. First Edition, December 2002. Printed in Taiwan. RECYCLABLE. Limited Warranty. Hardware: D-Link warrants its hardware products to be free from defects in workmanship and materials, under normal use and service, for the following periods measured from the date of purchase from D-Link or its Authorized Reseller: Product Type / Warranty Period: Complete products, one year; Spare parts and spare kits, 90 days. The one-year period of warranty on complete products applies on condition that the product's Registration Card is filled out and returned to a D-Link office within ninety (90) days of purchase. A list of D-Link offices is provided at the back of this manual, together with a copy of the Registration Card. Failing such timely registration of purchase, the warranty period shall be limited to 90 days. If the product proves defective within the applicable warranty period, D-Link will provide repair or replacement of the product. D-Link shall have the sole discretion whether to repair or replace, and the replacement product may be new or reconditioned. The replacement product shall be of equivalent or better specifications relative to the defective product but need not be identical. Any product or part repaired by D-Link pursuant to this warranty shall have a warranty period of not less than 90 days from the date of such repair, irrespective of any earlier expiration of the original warranty period. W…
7. …and D-Link reserves the right in such a case to levy a reasonable handling charge in addition to mailing or shipping costs. Software: Warranty service for software products may be obtained by contacting a D-Link office within the applicable warranty period. A list of D-Link offices is provided at the back of this manual, together with a copy of the Registration Card. If a Registration Card for the product in question has not been returned to a D-Link office, then a proof of purchase (such as a copy of the dated purchase invoice) must be provided when requesting warranty service. The term "purchase" in this software warranty refers to the purchase transaction and the resulting license to use such software. D-Link warrants that its software products will perform in substantial conformance with the applicable product documentation provided by D-Link with such software product for a period of ninety (90) days from the date of purchase from D-Link or its Authorized Reseller. D-Link warrants the magnetic media on which D-Link provides its software product against failure during the same warranty period. This warranty applies to purchased software and to replacement software provided by D-Link pursuant to this warranty, but shall not apply to any update or replacement which may be provided for download via the Internet, or to any update which may otherwise be provided free of charge. D-Link's sole obligation under this software warranty shall be to replace any d…
8. (Contents, continued) DEFINE YOUR OWN DEFENSE POLICY 57; Define Your Own Defense Policy 57; Pick a Defense Policy Attribute 59; Determine the Recognize Condition 60; Determine the Action While Being Attacked 60; Pick up the Schedule 60; Description 61; Define the Packet Criteria 62; The Comparison Operations 62; The IP Tab 63; The TCP Tab 64; The UDP Tab 65; The ICMP Tab 66; The IGMP Tab 67; The Content Tab 68; POLICY DEFINITION PROCESS 70; Edit Service Book 70; Add a Service 70; Modify a Service 71; Delete a Service 72; Edit Address Book 72; Add an Address 72; Modify an Address 73; Delete an Address 74; Edit Group Book 75; Add a Group 75; Modify a Group 76; Delete a Group 76; Edit Schedule Book 77; Add a Schedule 77; Modify a Schedule 78; Delete a Schedule 78; IDS REPORTING SYSTEM 79; The DFL-2100/DFL-2400 IDS Reporting Syste…
9. arp. Description: use the arp command to display the entries in the Address Resolution Protocol table. Syntax: arp [-a] [-d host] [host]. Arguments: -a: show all ARP table entries; -d host: delete the host IP address from the ARP table; host: show the host IP address in the ARP table. Example:
    >> arp
    usage: arp host
           arp -a
           arp -d host
           arp -s host ether_addr [temp]
           arp -f filename
    >> arp 192.168.168.65
    192.168.168.65 (192.168.168.65) at 0:0:e2:65:94:7d
    >> arp -a
    192.168.168.65 (192.168.168.65) at 0:0:e2:65:94:7d
    192.168.168.70 (192.168.168.70) at 0:50:fc:2f:d3:6a
    192.168.168.165 (192.168.168.165) at 0:50:ba:1a:9b:ab
    192.168.168.254 (192.168.168.254) at 0:7:4f:d:60:1c
    192.168.168.71 (192.168.168.71) at 0:50:22:0:38:27
   netstat. Description: use the netstat command to display the network status for debugging. Syntax: netstat [-a]. Arguments: -a: show the network connection status, including the protocol, host IP and state. Example:
    >> netstat -a
    Proto  Local Address          Foreign Address        state
    udp    0.0.0.0:199
    udp    0.0.0.0:1024
    udp    0.0.0.0:161
    tcp    127.0.0.1:1024         127.0.0.1:9728         ESTABLISHED
    tcp    127.0.0.1:9728         127.0.0.1:1024         ESTABLISHED
    tcp    0.0.0.0:7594           0.0.0.0:0              LISTEN
    tcp    192.168.168.201:22     192.168.168.65:2455    ESTABLISHED
    tcp    0.0.0.0:22             0.0.0.0:0              LISTEN
    tcp    0.0.0.0:1024           0.0.0.0:0              LISTEN
    >> netstat
    Proto  Local Address          Foreign Address        state
    tcp    …
10. [Figure 5-6: Defense Policy Attributes (fields: Type, ID, Severity, Attack Name, Detection Method, Issued By, Issued Date, Attack Type, Description, Attack Impact, False Positive, False Negative, Recommended Action, Reference; example shown: ICMP L3retriever Ping, issued by D-Link, Wed Aug 21 17:40:10 CST 2002, reference arachnids 311)] Defense Policy: Network Defense Policies Database. Select Defense Policy. The procedure for picking a defense policy is: (1) Select a defense policy in the policy list. (2) Set the actions to take when this policy is met. (3) Define its protect scope or DDoS parameters. Note: DDoS attack defense policies have no protect scope field because they always protect all hosts by default. However, they have another field called DDoS Parameters; see the section Setting DDoS Parameters. Select a Defense Policy: in the policy list you can double click the class item to expand or collapse the items in the class. If…
11. …remote intruders can exec privileges of the user running named, typically root. [Figure 5-9: The Attack Attributes Frame] Defense Policy: Define Policy Protect Scope. The protect scope of a policy confines the detection range of the policy. One idea is to set the protect scope to Any to Any, but it is not practical: since the resources and computing power of the DFL-2100/DFL-2400 are limited, carefully defining the protect scope is necessary in order to maximize utilization. For example, policies dedicated to UNIX machines can protect only UNIX hosts, not Windows hosts. [Figure 5-10: The Defense Policy Property Frame (Protect Scope: Directional / Undirectional, Host Scope 1: ANY Local, Host Scope 2: ANY Remote; Actions: Block packet, Block connection, E-mail Alarm, Log event with packet header; Schedule: Policy active schedule ANY)] If the protect scope is defined as Directional, the scope is distinguished by source and destination. If it is defined as Un-directional, the policy protects traffic in both directions. Pick the protect scope from the pull-down combo box; it lists the available addresses and groups (Protect Scope: Directional / Undirectional, Host Scope: ANY Local, ANY Remote)…
12. …Group Address: Don't Care. [Figure 6-14: The IGMP Tab] The Content Tab. The Content tab consists of parameters for searching the payload of packets. Note: if Protocol Type is IP, the matching starting point is at the end of the IP (layer 3) header; otherwise matching starts from the end of the layer 4 header. Match String: the string can be ASCII or HEX. If a HEX string is used, the allowable alphabet is 0-9, A-F, a-f. Matching offset: the offset from the starting point of the payload. Matching method: the matching method can be: Case sensitive (lower case and upper case characters are different; this is the default value); Case insensitive (ignore the differences between upper case and lower case characters); Ignore white space (ignore the white space occurring in the payload, such as blank, tab, new line, linefeed, carriage return); URL strings (the URL portion of the payload is extracted and parsed, and the sub-string of the pattern before the "?" character is regarded as the base part of the URL while the rest are the parameters of the URL; URL matching is case insensitive by default but does not remove white space; the order of URL parameters doesn't matter. For example, given the pattern /cgi-bin/foo.exe?p1=abc&p2=def, a URL packet with the URL request /cgi-bin/foo.exe?p2=def&p1=abc…
13. [Figure 5-2: Add new Policy (policy list showing, for example, IGMP Flooding and ICMP Flooding with scope ANY Local / ANY Remote)] (2) There is a default policy database on the DFL-2100/DFL-2400 Policy Server; the administrator must select the Update latest attack pattern button to load the latest pattern from the Administrator Utility CD (Policy Server\PolicyDB\policyXXX.ptn). (3) After registration, the DFL-2100/DFL-2400 Management System checks the update server for the latest pattern. [Figure 5-3: Download latest attack pattern (Update Attack Patterns dialog listing FINGER, FTP and ICMP scan policies; last update date and current version shown)] (4) You can find the new defense policies in the policy list when you finish the update (Defense Policy DB: DDoS: TCP SYN Flooding, TCP Flooding; Buffer Overflow: DNS EXPLOIT…
14. (Registration Card, continued) Network type: 10BASE-T UTP/STP, 100BASE-TX, 100BASE-T4, 100VG-AnyLAN, Others. (7) What applications are used on your network? Desktop publishing, Spreadsheet, Word processing, CAD/CAM, Database management, Accounting, Others. (8) What category best describes your company? Aerospace, Engineering, Education, Finance, Hospital, Legal, Insurance, Real Estate, Manufacturing, Retail/Chainstore/Wholesale, Government, Transportation/Utilities/Communication, VAR/System house/Company, Other. (9) Would you recommend your D-Link product to a friend? Yes, No, Don't know yet. (10) Your comments on this product…
15. …(Source Port: Don't Care; Destination Port: Don't Care; Length: Don't Care; Checksum: Don't Care) [Figure 6-11: The UDP Tab] Note: the port number can be chosen with the button next to the field; it shows the service names defined in the Service Book. [Figure 6-12: The Select from Service Book dialog] The ICMP Tab. The ICMP tab consists of parameters for ICMP packet header field value settings: Type: ICMP type field. Code: ICMP code field. ID: ICMP identification value. Packet Size: ICMP packet total size. Checksum: ICMP checksum field. Sequence: ICMP sequence number. [Figure 6-13: The ICMP Tab (Attack Packet Signature: Type: Equal; Code, ID, Packet Size, Checksum, Sequence No: Don't Care)] The IGMP Tab. The IGMP tab consists of parameters for IGMP packet header field value settings: Type: IGMP type field. Rest: IGMP max response time field. ID: IGMP identification value. Packet Size: IGMP packet total size. Checksum: ICMP checksum field. Group Address: IGMP group address value. (Attack Packet Signature: Type, Rest, Packet Size, Checksum: Don't Care…
16. …Don't Care; Flags: Don't Care (DF, MF, UF). [Figure 6-9: The IP Tab] The TCP Tab. The TCP tab consists of parameters for TCP packet header field value settings: Source/Destination Port: source and destination port number. TCP Size: TCP packet total size. TCP Header size: TCP header size. Checksum: TCP checksum field. SEQ: TCP sequence number. ACK: TCP acknowledgement number. URG Pointer: TCP urgent pointer value. Window size: TCP window value. TCP Flags: URG (urgent), ACK (acknowledgement), PSH (push), RST (reset), SYN (synchronization), FIN (finish). [Figure 6-10: The TCP Tab (Attack Packet Signature: Source Port, Destination Port, TCP Size, TCP Header Size, Checksum, SEQ, ACK, URG Pointer, Window Size, TCP Flags: Don't Care)] The UDP Tab. The UDP tab consists of parameters for UDP packet header field value settings: (1) Source/Destination Port: source and destination port number. (2) Length: UDP packet total size. (3) Checksum: UDP checksum field. (Attack Packet Signature: Source Port: Don't…
17. …[Figure 8-10: The inquiry screen of attack types ranking] The content description of the inquiry screen: Ranking: the ranking of attack names. Attack names: the names of the detected network attacks. Attack types: the type of network attack, such as Scan, BufferOverflow, etc. Numbers of the attack: the number of occurrences of this attack. Users can double click the content of this form to see a detailed information display, like the one on the right side of the following screen. [Figure 8-11: The inquiry screen of detailed information on attack events (columns: Attack Name, Attack Type, Number of attacks; No., Host IP, Number of attacks)] The content description of the inquiry screen: Serial number: the attack…
18. …Statistics option: refer to Figure 8-19. On the report form selection screen, select a statistical analysis; the report can be selected in the form of daily, weekly or monthly, for all attacks, for one specific type of network attack, or for one host. Note: if the addresses of attacked targets have been entered into an address list, they can be selected directly in a search. Users can also enter an IP address directly to search. [Figure 8-19: The screen of attack events results (Statistics: Daily / Weekly / Monthly; All / Attack Type / Attacked Host)] [Figure 8-20: A monthly report of attack events (number of attacks per day of the month)] [Figure 8-21: A wee…
19. (Contents) What is DFL-2100/DFL-2400 1; Key Features 1; Network Architecture 2; The DFL-2100/DFL-2400 Boot Sequence 3; INSTALLATION AND INITIAL SETUP 4; Install DFL-2100/DFL-2400 4; Connecting the DFL-2100/DFL-2400 to the Network 4; Hardware Installation 4; Check the Equipment 4; Attach the line to the backend of the DFL-2100/DFL-2400 4; Install Policy Server Software 5; Policy Server Hardware and Operating System Requirement 5; Installation Procedure 5; Configure the DFL-2100/DFL-2400 5; Starting the Command Shell 6; Setting System Parameters 6; GETTING STARTED 6; Policy Server Settings 7; Connection Verification 7; MANAGE YOUR DFL-2100/DFL-2400 8; Start DFL-2100/DFL-2400 Management System 8; Add New DFL-2100/DFL-2400 9; Load Newest Defense Rules 10; SUMMARY OF STEPS 12; IDS COMMAND SHELL 13; DFL-2100/DFL-2400 Console/SSH System 13; Starting DFL-2100/DFL-2400 Command Shell 13; The Com…
20. …after adding one or more DFL-2100/DFL-2400s to the IDS Tree, you can load them into the DFL-2100/DFL-2400 IDS Management System and set up their Policy Rules and Books. Double click one of the tree node icons; the DFL-2100/DFL-2400 device specified by that node is loaded and its Books are shown in the Book Table window. Table 4-1: Tree View Icons and descriptions. Tree View root: the DFL-2100/DFL-2400 Policy Server with the IP address being connected to; double click this icon to expand the IDS tree. Tree View root (expanded): double click this icon to collapse the IDS tree. Active device icon: designates an active DFL-2100/DFL-2400 device, with its alias name and IP address shown after it; double click this icon to load the contents of this device. Modified device icon: designates a DFL-2100/DFL-2400 that has been loaded and had its settings modified but not yet updated. Unavailable device icon: designates that the DFL-2100/DFL-2400 is unavailable (broken or offline). Add a DFL-2100/DFL-2400: (1) Click the Add DFL-2100/DFL-2400 button on the tool bar, or right click on the IDS tree window to bring up the pop-up menu and select Add a DFL-2100/DFL-2400. (2) Enter the Alias Name of the DFL-2100/DFL-2400. (3) Enter the IP address of the DFL-2100/DFL-2400 you wish to add. (4) Click Add to add the DFL-2100/DFL-2400 device to the IDS Tree. [Figure: Add a IDS…
21. …display, and the system automatically generates a print preview in a browser; the manager then just prints it out directly. [Figure 8-24: Web-based print preview (Events List with columns Packet No, Attack Name, Host, Destination IP, Source IP, No, Begin Time, End Time; sample rows alternate Policy Server and ICMP Echo Reply events between 192.168.168.210 and 192.168.168.209)] (5) The system manager just clicks on the Chart Switch button in the report display options, and the system automatically switches the bar chart to a pie chart. [Figure: IDS Reporting System, Top All Attacked Host, shown as a pie chart with the detail table (Rank, Attacked Host, IP, Number of attacks; No., Attack Name, Attack Type, Number of attacks)]…
22. …ip <ip_address>: set the DFL-2100/DFL-2400 IP address. gateway <gateway_address>: the IP address of the router that forwards all traffic to the specified target address. mask <ip_mask>: set the DFL-2100/DFL-2400 network mask. passwd: change the administrator password. If you change the password from the console, you change the console password; if you change the password over SSH, you change the remote login password. rpasswd: change the remote login password; this command is applicable to the console only. detect [tcptimeout | policy | pingmax | stateful | integrity | pinglen | wccp | vpnbypass]: set the DFL-2100/DFL-2400 detect parameters. logmax <value: 10-10000>: set the number of event messages the DFL-2100/DFL-2400 can log. Examples:
    Ex 1:
    >> set sys passwd
    Change password
    Please type your current SSH passwd:
    >>
    Ex 2:
    >> set sys passwd
    Change password
    Please type your current SSH passwd:
    Please type your new passwd:
    Please re-type your new passwd:
    Password is changed successfully
    >>
    Ex 3:
    >> set system ip
    Need IP address [000.000.000.000]
    >>
    Ex 4:
    >> set sys logmax
    Need value [10-10000]
    >> set sys logmax 300
    Change max log OK
   set system detect. Description: use the set system detect command to configure the DFL-2100/DFL-2400 intrusion detect parameters. Syntax: set system detect [tcptimeout | policy | pingmax | stateful | in…
23. …is released. Starting the DFL-2100/DFL-2400 Command Shell. Once you have accessed the Command Shell with SSH or a terminal connection, press any key and the following prompt appears:
    Login as: admin
    IDS admin@192.168.168.201's Password:
    D-Link IDS
    Protect your network and servers
    Please enter the login ID
    Login:
    Password:
   The default login ID is admin and the password is DLink. After a successful login the user sees the prompt and can key "help" or "?" to get the setting information:
    >> help
    help      This message
    get       Get system information
    set       Set system parameters
    ping      Ping utility
    arp       Show & handle arp table
    netstat   Show system network status
    reset     Reset system configurations to manufacturing defaults
    reboot    Reboot system
    >>
   The Command Classes. All commands are divided into four classes: Help, Query, Set and Miscellaneous. The commands in the Help class give the user information about other commands. The commands in the Query class are used with the prefix command get to retrieve system information and configuration. The commands in the Set class are used with the prefix command set to give parameters to the system. Other functions not belonging to the above classes are in the Miscellaneous class. Help Command. The get command can display the arguments of others. help get. Descri…
24. …none. Example:
    >> set time
    Current time: 2002/4/12 20:43:55 GMT+8
    Specify year (1980-2050):
    Specify month (1-12):
    Specify date (1-31):
    Specify hour (0-23):
    Specify minute (0-59):
    Specify second (0-59):
    Specify timezone (-12 to +12):
    Change time successfully
   set interface. Description: use the set interface command to define the physical and logical interface settings for the DFL-2100/DFL-2400 device. Syntax: set interface [link | stealth]. Arguments: link <remote | local | manage> <10 | 100 | auto> <full | half>: define the physical connection mode on the specified interface as auto-sensing whether to operate at full or half duplex as required by the device to which it is connected. stealth <remote | local | manage>: set stealth mode on the specified interface. Example:
    >> set interface
    Need command [link | stealth]
    >> set int
    Need command [link | stealth]
   set interface link. Description: use the set interface link command to define the physical connection mode on the specified interface as auto-sensing whether to operate at full or half duplex. Syntax: set interface link <remote | local | manage> <10 | 100 | auto> <full | half>. Arguments: <remote | local | manage>: remote specifies the remote (WAN) interface setting; local specifies the local (LAN) interface setting; manage specifies the manage interface setting. <10 | 100 | auto…
25. …operations. There are four sets of operations; see the figure below. Note: if a value is given but the Comparison Operation is set to Don't Care, this field is discarded. [Figure 6-8: The Comparison Operations (Don't Care; Case sensitive; Case insensitive; URL string; Ignore white space)] The IP Tab. The IP tab consists of parameters for IP packet header field value settings: Directional / Un-directional: the same as the protect scope. Source / Destination: source and destination addresses. TOS: type of service in the IP header. IP Packet Size: IP packet total size. Fragment ID: IP packet identification field. TTL: IP time to live field. IP Header size: IP header size. Checksum: IP checksum field. Fragment Pointer: IP fragment pointer value. Flags: DF (Don't Fragment), MF (More Fragment), UF (Unused Flag). (Attack Packet Signature: Directional / Undirectional; Host Scope 1: Don't Care, ANY Local; Host Scope 2: Don't Care, ANY Remote; TOS Value: Don't Care; IP Option: Don't Care (end of option list, no operation, security); IP Packet Size: Don't Care, 20; Fragment ID: Don't Care; TTL: Don't Care; IP Header Size: Don't Care; Checksum: Don't Care; Fragment Point…
26. or right-click on the Book Table and select Add. The following dialog appears. Assign a unique Service Name. Assign a unique Color as an identifier in the Reporting System. Select a type, TCP or UDP, from the Service Type pull-down menu. If the type of Service is other than an FTP service, the From Port and To Port fields must be specified; otherwise check the View as FTP Service box and specify the Control Port and Data Port. Enter your Comment for this Service. Click Add to add the Service to the Service Book. Figure 7-1: Add a Service Dialog (Service Name, Color, Transport TCP). Modify a Service: 1. Click the Service Book button to switch to the Service Book page. 2. Click the Modify button or right-click on the Book Table and select Modify. The following dialog appears. 3. Modify any of these fields as you wish. 4. Click Modify to update this Service. Note: You cannot modify a default Service. Figure 7-2: Modify a Service Dialog (Service Name, Color, Transport; Modify/Cancel). (p. 71) Delete a Service: Select the Service to be deleted from the Service Book Table and click the Delete button, or right-click on the table a
27. the DFL-2100/DFL-2400 and Policy Server. The first shows how to connect the DFL-2100/DFL-2400 with other network equipment and networks. The latter describes managing the DFL-2100/DFL-2400 via the Policy Server to make sure the intrusion detection system protects your network and servers. Overview of this User Manual: Chapter 1, Introduction: describes the Intrusion Detection System and its features. Chapter 2, Installation and Initial Setup: helps you get started with the basic installation of the IDS. Chapter 3, IDS Command Shell: describes the IDS command mode and shell functions. Chapter 4, IDS Management System: a more detailed discussion of some of the management features of the IDS, including device management, policy management and user management. Chapter 5, Policy-based IDS: explains what a policy is. Chapter 6, Define Your Own Defense Policy: a more detailed discussion of the policy. Chapter 7, Policy Definition Process: a more detailed discussion of some of the management features of the policy, including the Address Book, Group Book and Service Book. Chapter 8, IDS Reporting System: describes the advanced reporting system, including the real-time attack monitor, real-time traffic monitor, attack event search and graph report. (p. ix) INTRODUCTION. What is DFL-2100/DFL-2400? DFL-2100/DFL-2400 is an active, on-line, network-based Intrusion Det
28. 0/DFL-2400 Management System. Default ID: admin. Password: admin. Note: Access to the DFL-2100/DFL-2400 IDS Management System is controlled by password. Figure 4-1: DFL-2100/DFL-2400 Management System Login Screen (Server IP, Password, Login/Cancel). (p. 30) DFL-2100/DFL-2400 Management System Main Screen: The DFL-2100/DFL-2400 Management System main screen consists of three windows. IDS Tree: a tree view of all the DFL-2100/DFL-2400 devices handled by the DFL-2100/DFL-2400 Policy Server you are currently connected to; the tree view icons are described below. Books Table: a table-based setting environment for the DFL-2100/DFL-2400. It consists of five pages: Policy Book, Service Book, Address Book, Schedule Book and Group Book. We describe these books in detail in the following chapters. Tool Bar. Figure 4-2: DFL-2100/DFL-2400 Management System Main Screen. [Figure residue: Policy Server tree, Model DFL-2100, Defense Policies / Network Attack Defense Policies table with Name, Protect Scope and ANY Local > ANY Remote entries]
29. [Figure residue: pie chart of attacks labelled by attacked IP address] Figure 8-25: Attacks are displayed in the form of a pie chart. Real-time traffic monitor: When the system manager clicks on the Traffic Monitor button, the DFL-2100/DFL-2400 IDS Reporting System provides two real-time monitoring screens of network traffic. The upper screen displays the number of network packets received on-line and the number of real-time connections; the lower screen displays the number of packets that are identified as attacks and discarded by the DFL-2100/DFL-2400. So that users can more easily read the contents of the monitored flows, the DFL-2100/DFL-2400 IDS Reporting System uses different colors to display the flows of different protocol packets, including the most used ones: TCP, UDP, ICMP, IGMP, IPX, NetBEUI, etc. The traffic monitoring includes 4 options: delivered outward by an internal network; delivered inward by an external network; flow monitoring in both directions, inward and outward; set up time for data update. Table 8-3: The options of on-line real-time traffic monitor. (p. 95) [Figure residue: real-time traffic monitor screen showing Received Packets and Connection Number]
30. 0/DFL-2400 Device Information: To see the information of the DFL-2100/DFL-2400 device you have loaded, click the preference/system information button on the Tool Bar. The following dialog appears. IDS Information, Configuration, Device Information: IDS IP 192.168.168.52 (current DFL-2100/DFL-2400 IP); Version 1.0 (DFL-2100/DFL-2400 version); Model Name DFL-2400; Device state Normal (status of this DFL-2100/DFL-2400); LinkMode Remote: Auto Negotiation; LinkMode Local: Auto Negotiation; IDS time Jan 01 2002 00:20:44; startup time 0 days 0 hours 13 mins 33 secs; Attack Pattern Version 0.0. Figure 4-6: DFL-2100/DFL-2400 Device Information Dialog. Setting DFL-2100/DFL-2400 parameters: Having obtained the information of the DFL-2100/DFL-2400 device in the last section, you can set some DFL-2100/DFL-2400 device parameters with the same button. Click the preference/system information button on the Tool Bar and select the Set Device Parameters tab. The following dialog appears. There are five parameters that can be set: 1. Maximum ping number per second. (p. 34) 2. TCP session timeout time. 3. Maximum log per second. 4. Set the DFL-2100/DFL-2400 state. There are four states in the DFL-2100/DFL-2400: Normal means the DFL-2100/DFL-2400 works normally according to give
31. 1, Canada. TEL: 1-905-829-5033. FAX: 1-905-829-5095. BBS: 1-965-279-8732. FREE CALL: 1-800-354-6522. URL: www.dlink.ca. FTP: ftp.dlinknet.com. E-MAIL: techsup@dlink.ca. D-LINK SOUTH AMERICA: Isidora Goyenechea 2934 of. 702, Las Condes, Santiago, Chile. TEL: 56-2-232-3185. FAX: 56-2-232-0923. URL: www.dlink.cl. E-MAIL: ccasassu@dlink.cl, tsilva@dlink.cl. D-LINK DENMARK: Naverland 2, DK-2600 Glostrup, Copenhagen, Denmark. TEL: 45-43-969040. FAX: 45-43-424347. URL: www.dlink.dk. E-MAIL: info@dlink.dk. D-LINK MIDDLE EAST: 7 Assem Ebn Sabet Street, Heliopolis, Cairo, Egypt. TEL: 202-2456176. FAX: 202-2456192. URL: www.dlink-me.com. E-MAIL: support@dlink-me.com, fateen@dlink-me.com. D-LINK FRANCE: Le Florilege 2, Allee de la Fresnerie, 78330 Fontenay Le Fleury, France. TEL: 33-1-30238688. FAX: 33-1-3023-8689. URL: www.dlink-france.fr. E-MAIL: info@dlink-france.fr. D-LINK CENTRAL EUROPE / D-LINK DEUTSCHLAND GMBH: Schwalbacher Strasse 74, 65760 Eschborn, Germany. TEL: 49-(0)6196-7799-0. FAX: 49-(0)6196-7799-300. URL: www.dlink.de. E-MAIL: mbischoff@dlink.de, mboerner@dlink.de. D-LINK INDIA: Plot No. 5, Kurla-Bandra Complex Road, Off Cst Road, Santacruz (E), Bombay 400 098, India. TEL: 91-22-652-6696. FAX: 91-22-652-8914. URL: www.dlink-india.com. E-MAIL: service@dlink-india.com. D-LINK ITALY: Via Nino Bonnet No. 6/b, 20154 Milano, Italy. TEL: 39-02-2900-0676. FAX: 39-02-2900-1723. E-MAIL: info@dlink.it. URL: www.dlink.it. D-LINK JAPAN: 10F, 8-8-15 Nis
32. 127.0.0.1:1024 127.0.0.1:9728 ESTABLISHED
tcp 127.0.0.1:9728 127.0.0.1:1024 ESTABLISHED
tcp 192.168.168.201:22 192.168.168.65:2455 ESTABLISHED
reset. Description: Use the reset command to reload the manufacturing default settings. After resetting to defaults you must reboot the system for the change to take effect. Syntax: reset. Arguments: none. Example:
>> reset
Are you sure to reset all settings to manufacturing defaults? (y/n) yes
Reset to defaults OK, please reboot to apply change.
>>
reboot (p. 28). Description: Use the reboot command to reboot the DFL-2100/DFL-2400 device. Syntax: reboot. Arguments: none. Example:
>> reboot
Are you sure to reboot system? yes
>>
(p. 29) IDS MANAGEMENT SYSTEM. The DFL-2100/DFL-2400 Management System is a Web-based application that allows multiple users to manage one or more DFL-2100/DFL-2400 devices concurrently. It can be used from any computer with access to the DFL-2100/DFL-2400 Policy Server via a Web browser. DFL-2100/2400 IDS Management Main Screen. Login: Connect to the DFL-2100/DFL-2400 Policy Server from a browser: open your browser and enter http://<IP Address of the Policy Server>:6592/IDS. 1. Select Manager from the Policy Server web homepage; the following login dialog will appear. 2. Enter the Password and click Login to log in to the DFL-210
33. [Figure residue: packet list with Packet Arrive Time 2002-06-04 17:18:45, Protocol ICMP, Number of Packets 1, and an IP header tree with Version, Header Length, Type of Service, Total Length, Identification, Offset, TTL, Protocol and Checksum fields] Figure 8-8: The detailed analysis screen of attack packet. Ranking of network attack types: In the options of the attack report, select the scope as Local or another scope (All or Remote), then select Attack Type and the corresponding time, and then click Generate Chart to see the ranking report of attacks, similar to Figure 8-10. Figure 8-9: The inquiry screen of attack types ranking (Chart View: All/Local/Remote; Attacked Host/Attack Type/Severity). [Figure residue: Top All Attack Type bar chart of Num. of Attacks with a Rank/Attack Name/Attack Type table]
34. [Figure residue: packet analysis tree with Identification, Offset, TTL 128, Protocol 1 and Checksum 44903] Figure 8-12: The detailed analysis screen of attack packets. Warning ranking of attack: In the options of the attack event report, select the scope as All or another scope (Remote or Local), then select Attack Warning Level and the corresponding time, and click Generate Chart to see the report of the warning ranking of attacks, similar to Figure 8-14. Figure 8-13: The inquiry screen of attack warning ranking (Chart View: All/Local/Remote; Attacked Host/Attack Type/Severity). (p. 87) [Figure residue: Top Out Severity bar chart with Little Risk, Low Risk, Medium Risk, High Risk and Serious Risk] Figure 8-14: The inquiry screen of the danger attack ranking. The content description of the inquiry screen of the danger ranking of attack: Serial number: the serial number of each attack warning level group. Display of the warning levels of attacks: the warning levels are distinguished into 5 levels: slight, low-level, medium-level danger, high-level dan
35. 455-1779, FAX: 1-949-455-9616. URL: www.dlink.com. E-MAIL: tech@dlink.com, support@dlink.com. Registration Card. Print, type or use block letters. Your name: Mr./Ms. Organization: Dept.: Your title at organization: Telephone: Fax: Organization's full address: Country: Date of purchase: Month/Day/Year. Product: Product Serial No.: Product installed in type of computer (e.g., Compaq 486): Product installed in computer serial No. (applies to adapters only): Product was purchased from: Reseller's name: Telephone: Fax: Reseller's full address: Answers to the following questions help us to support your product: 1. Where and how will the product primarily be used? Home / Office / Travel / Company Business / Home Business / Personal Use. 2. How many employees work at installation site? 1 employee / 2-9 / 10-49 / 50-99 / 100-499 / 500-999 / 1000 or more. 3. What network protocol(s) does your organization use? XNS/IPX / TCP/IP / DECnet / Others. 4. What network operating system(s) does your organization use? D-Link LANsmart / Novell NetWare / NetWare Lite / SCO Unix/Xenix / PC NFS / 3Com 3+Open / Banyan Vines / DECnet Pathwork / Windows NT / Windows NTAS / Windows 95 / Others. 5. What network management program does your organization use? D-View / HP OpenView/Windows / HP OpenView/Unix / SunNet Manager / Novell NMS / NetView 6000 / Others. 6. What network medium/media does your organization use? Fiber optics / Thick coax Ethernet / Thin coax Ethernet /
36. [Figure residue: Policy Book rows with protect scope ANY Local > ANY Remote, schedule ANY and issue date Tue Jan 13 00:30:14 CST, for UDP Smurfing, ICMP Flooding, ICMP Smurfing and IGMP Flooding] Figure 5-1: Policy Book. (p. 45) Load latest attack pattern: The policies are the most important information in the DFL-2100/DFL-2400 Management System. Policies tell the DFL-2100/DFL-2400 how to detect an attack and how to respond when an attack is detected. To begin using your DFL-2100/DFL-2400 you need to load the latest defense policies. 1. Select the Add button. 2. Right-click on the Network Attack Defense Policies window to add new policies. [Figure residue: IDS Manager window with the Policy Server tree, Model DFL-2100 and the Defense Policies / Network Attack Defense Policies table]
37. Alias Name: DFL-2100. IDS IP. Figure 4-4: Add a DFL-2100/DFL-2400 Dialog. (p. 32) Remove a DFL-2100/DFL-2400: 1. Select the DFL-2100/DFL-2400 you want to remove from the IDS Tree. 2. Click the Remove DFL-2100/DFL-2400 button on the tool bar, or right-click on the tree and select Remove from the pop-up menu. A warning message is displayed. 3. Click Yes to remove this DFL-2100/DFL-2400 from the IDS Tree, or No to cancel this action. Note: Removing a DFL-2100/DFL-2400 will also remove all its log files from the Policy Server. If you wish to keep these log files, back them up on the Policy Server before removing this DFL-2100/DFL-2400. Modify a DFL-2100/DFL-2400: 1. Click the Modify DFL-2100/DFL-2400 button, or right-click on the IDS tree window to bring up the pop-up menu and select Modify DFL-2100/DFL-2400. 2. Enter the new Alias Name of the DFL-2100/DFL-2400. 3. Click Modify to update the property of this DFL-2100/DFL-2400, or Cancel to cancel the modification. Figure 4-5: Modify this DFL-2100/DFL-2400 Dialog (Alias Name, IDS IP). (p. 33) DFL-2100/DFL-2400 configuration and settings: Once a DFL-2100/DFL-2400 has been added to the IDS tree, double-click its icon in the tree view to load the contents of this DFL-2100/DFL-2400 device. DFL-210
38. [Figure residue: Management System main screen showing the Policy Book table for Network Attack Defense Policies (UDP Flooding, UDP Smurfing, ICMP Flooding, ICMP Smurfing, IGMP Flooding) with Protect Scope ANY Local <-> ANY Remote, Schedule ANY and Issued Date columns] Tool Bar: It consists of all the function buttons for managing the DFL-2100/DFL-2400. Books Table. The DFL-2100/DFL-2400 IDS Management System can manage multiple DFL-2100/DFL-2400s. To manage a DFL-2100/DFL-2400 you must first add the DFL-2100/DFL-2400 device to the DFL-2100/DFL-2400 IDS Management main screen. The device will be added to the IDS Tree of the tree view window. After
39. DFL-2100/DFL-2400. Using the Policy Server, administrators can control the DFL-2100/DFL-2400 anywhere, anytime, via a web browser. Standard RS-232 console port. Remote Telnet control support. SNMP aware. Remote kernel update support. Extensibility: With its built-in anomaly detection model, the DFL-2100/DFL-2400 can detect potential attacks. By taking advantage of flexible policies, the DFL-2100/DFL-2400 can be updated to detect new attacks instantly, which reduces the exposure time of the attack cycle. Reporting feature: Organized reporting and event trace-back provide a clear view of what happened on the network. Long-term event management. Logged packet header decoding. Template-based printing function that fits the needs of different levels of management. Network Architecture: The DFL-2100/DFL-2400 is a transparent device and does not change the network architecture. A Policy Server with the DFL-2100/DFL-2400 Management System and DFL-2100/DFL-2400 Reporting System provides a very friendly user interface to configure the DFL-2100/DFL-2400. Administrators can use the DFL-2100/DFL-2400 Management System to set up policies for their network architecture. The Policy Server can manage multiple DFL-2100/DFL-2400s concurrently and receive system logs and attack events from the DFL-2100/DFL-2400s. [Figure residue: network diagram with IDS devices, Internet, Management System, Reporting System and switch]
40. Destination: ftp/web Local. (p. 53) Only addresses and groups already defined in the Address Book and Group Book will show in the combo box. If you want to add a host to the protect scope, you have to define it in the Address Book first; see Chapter 7, Policy Definition Process. When a Local address or Local group is chosen, the opposite field must be a Remote address or Remote group. Only traffic from Local to Remote or from Remote to Local will pass through the DFL-2100/DFL-2400. Figure 5-11: Directional Protect Scope. Figure 5-12: Un-directional Protect Scope (Host Scope 1: ANY Remote; Host Scope 2: ftp/web Local). Figure 5-13: Pick Protect Scope (Source and Destination lists of the Local and Remote entries defined in the Address Book). Set DDoS Parameters: If a DDoS Attack Defense Policy is selected there is no protect scope window, but the administrator needs to set some parameters needed by the statistical detection model. The parameters are: 1. Number of packets: the lower bound on the number of packets passing through in a second. 2. Number of flooding/smurfing packets: the lower bound on the number of packets that are iden
41. Detection System User Manual.
2002-05-16 19:53:44 I CON Login OK
2002-05-16 19:55:12 I SSH SSH user login from 192.168.168.65 OK
Event level: I Info, W Warning, U Urgent, F Fatal. Event source: CON Console, SSH SSH, SYS System, PSS Policy agent.
get interface. Description: Use the get interface command to display the interface information of the DFL-2100/DFL-2400. Syntax: get interface. Arguments: none. Example:
>> get interface
Remote port: AUTO, MAC address 0:30:64:1:8:2
Local port: AUTO, MAC address 0:d0:b7:b2:5f:ff
>>
get state. Description: Use the get state command to display the state information of the DFL-2100/DFL-2400. Syntax: get state. Arguments: none. Example:
>> get state
State: NORMAL
>>
get psserver. Description: Use the get psserver command to display the Policy Server's information, including its IP address and the log transfer interval time. Syntax: get psserver. Arguments: none. Example:
>> get psserver
Policy server IP address: 192.168.168.160
Log transfer interval: 30 seconds
>>
get snmp. Description: Use the get snmp command to display the SNMP information of the DFL-2100/DFL-2400. (p. 18) Syntax: get snmp [system | community | trap]. Arguments: system: show the DFL-2100/DFL-2400's SNMP system information; community: show the SNMP network community setting; trap: show the SNMP trap information. Example:
42. [Figure residue: Define new Defense Policy window] Figure 6-2: The Define new Defense Policy Window. The procedure for defining your own policy is as follows: fill in the Defense Policy Attributes frame; determine the Recognize condition (constraint) of the policy; determine the Action while being attacked for this policy; determine the Policy active schedule for this policy; fill in the Packet Criteria frame. We illustrate the procedure in detail in the following sections. Fill Defense Policy Attributes: In the Defense Policy Attributes frame you have to give some information about the attack you want to detect or the access you want to control. Attack name: the name given to identify the policy, shown on the reporting system or in e-mails; it must be unique. Attack type: determines what kind of attack this belongs to; available options are DDoS, Buffer Overflow, Access Control, Scan, Trojan Horse, etc. Affected OS type: determines what kind of OS this policy is suitable for; this field can have multiple options. Protocol type: the layer-4 protocol this policy applies to; it can be TCP, UDP, ICMP or IGMP. If you want to detect IP packets only, choosing IP is fine. Attack Severity: defines the danger level of the attack that this policy wants to detect. [Figure residue: Attack Attributes frame beginning with Attack nam
43. [Table of contents fragment; entries whose text did not survive extraction are omitted] Start to use DFL-2100/DFL-2400 IDS Reporting System 80. REAL-TIME NETWORK ATTACK MONITOR 81. NETWORK ATTACK REPORT 82. Ranking of attacked hosts 83. Ranking of network attack types 85. Warning ranking of attack 87. Inquiry about important attacks. Statistical analysis of attack events 90. Selections of inquiring time 92. Select one continuous period 92. Select discontinuous periods 93. The report print function 94. REAL-TIME TRAFFIC MONITOR 95. Set up time for real-time data update 96. SYSTEM EVENTS 97. INTRODUCTION OF OTHER IMPORTANT TOOLS 98. Change warning levels 98. Set up the schedule report output form 100. ABOUT THIS GUIDE: This User Manual provides instructions for installing and managing
44. [Figure residue: traffic monitor legend with TCP, UDP, ICMP, IGMP, ARP, IPX, NETBEUI, AH and ESP, and a Connection Number counter] Figure 8-26: Real-time traffic monitoring. Set up time for real-time data update: The system manager can set the data update time for flow monitoring. After the button is clicked, a dialogue box for time setup appears. [Figure residue: traffic monitor with the time setup dialogue] Figure 8-27: Set up data update time for real-time traffic monitoring. (p. 96) System events: When the system manager clicks on the System Event button, the DFL-2100/DFL-2400 IDS Reporting System provides reports of all system information, including the time of occurrence and the contents: system information (INFO), system warning (WARN), system emergency (ERR) and fatal system error (FATAL). Figure 8-28: The reviewing screen of system event records (System Log). The content description of the system event screen: Serial number: the serial number of the historical record of a system event. Type: there are four definitions of system event: system information (INFO), system warning (WARN), system emergency (ERR) and fatal system error (FATAL). 1. System information, such as information about booting. 2. System warning: minor errors or events that temporarily d
45. UMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF D-LINK'S PRODUCTS. D-LINK SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THAT THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY THE CUSTOMER'S OR ANY THIRD PERSON'S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING OR OTHER HAZARD. LIMITATION OF LIABILITY: IN NO EVENT WILL D-LINK BE LIABLE FOR ANY DAMAGES, INCLUDING LOSS OF DATA, LOSS OF PROFITS, COST OF COVER OR OTHER INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES ARISING OUT OF THE INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE OR INTERRUPTION OF A D-LINK PRODUCT, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. THIS LIMITATION WILL APPLY EVEN IF D-LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. IF YOU PURCHASED A D-LINK PRODUCT IN THE UNITED STATES, SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. D-Link Offices for Registration and Warranty Service: The product's Registration Card, provided at the back of this manual, must be sent to a D-Link office. To obtain an RMA number for warranty service as to a hardware product, or to obtain warranty service as to a software product, contact
46. User Manual. [Figure residue: Users and Passwords dialog listing User Name / Group (admin, Administrators; guest, Guests) and a Set Password frame with New password and Confirm new password] Figure 4-11: Change Password Dialog. [Figure residue: User and Password / User Information dialog with User name, User password, Confirm password, User group (Administrators), and Read Only / Read-Write permissions for Policy server, Report, Rule and User Management] Figure 4-12: Edit User Permission Dialog. (p. 38) Signature Live Update: The D-Link Service Team is constantly monitoring the Internet for new types of attacks and developing signatures correspondingly. Live Update lets installed NetKeeper devices and the Policy Server connect to a D-Link Upgrade Server automatically for signature and DFL-2100/2400 kernel updates. Customer Register: Register here if you are a regular customer of DFL-2100/2400 and wish to avail of our Update service. D-Link Live Update will enable you to track on-line the update status of your shipments sent over the last year. 1. Click the register button on the tool bar. 2. Fill out and submit the following details. Your e-mail and telephone number are mandatory to enable us to get in touch with you. 3. Registration complete; th
47. Attacked host name: the names of attacked hosts pre-defined in the address list. Attacked IP address: the attacked IP address. Number of packets: the number of packets accepted by this attack. Starting time: the time this attack begins. Finishing time: the time this attack ends. (p. 89) When the user double-clicks the content of this form, the user will be able to analyze the packet content of this attack. The DFL-2100/DFL-2400 IDS Reporting System not only provides the entire network safety status to the system manager, but also intuitively gives detailed and comprehensive network intrusion records to handle a network crisis well. [Figure residue: packet analysis window with Number of Packets, Packet Arrive Time 2002-06-04 17:18:45, Protocol ICMP and an IP header tree: IP Version 4, Header Length 20, Type of Service 0, Total Length 56, Identification 41209, Offset, TTL 128, Protocol 1, Checksum 44903] Figure 8-18: The analysis screen of attack packet. Serial number of packet: the serial numbers of packets. Event time: the time the event begins. Packet attacking time: the time when packets are received. Protocol: the protocol type of a packet; the protocol might be TCP, UDP, ICMP or IGMP. Double-click on a certain packet and the system will analyze this packet and display each field in a tree structure; refer to Figure 8-18. Statistical analysis of attack events: The system manager selects
48. anage tools include add, delete, edit, change priority, push policy, import/export policy and print functions. The last class, management system tools, includes Internet Register, Live Update, Reporting System and user management functions. Table 4-1: The function list of the DFL-2100/DFL-2400 Management System. Export Books: The administrator can duplicate all the policies and books from a DFL-2100/DFL-2400 to either the Policy Server or the local host. This function can be used when the administrator wants to change the deployment or copy books to another DFL-2100/DFL-2400. The procedure is as follows: 1. Load the DFL-2100/DFL-2400 whose books you want to export. 2. Click the Export button in the toolbar, and the following dialog will show up. 3. Choose the target, either the Policy Server or the local host. 4. If To Policy Server is chosen, a filename must be given. Otherwise you can specify (p. 40) the local host directory in which you want to store the books. Figure 4-15: Export policy and books to Policy Server dialog (Export Books: To Policy Server / To local host; File Name xx.IP.ebk). [Figure residue: export-to-local-host file browser showing a Documents and Settings directory listing]
49. armful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. CE Mark Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. Warnung (German): This is a Class A product. In a residential environment this product may cause radio interference, in which case the user may be required to take appropriate measures. Precaución (Spanish): This is a Class A product. In a domestic environment it may cause radio interference, in which case the user may be required to take adequate measures. Attention (French): This is a Class A product. In a domestic environment this product could cause radio interference, in which case the user should take adequate measures. Attenzione (Italian): This product belongs to Class A. If used in a domestic environment the product may cause radio interference, in which case the user may have to take adequate measures. BSMI Warning: [Chinese text not recoverable from the extraction]. VCCI Class A Warning: [Japanese text not recoverable from the extraction]. Table of Contents: ABOUT THIS GUIDE ix. OVERVIEW OF THIS USER MANUAL ix. INTRODUCTION 1
50. attack packet header, the first 64 bytes will be logged. Actions: Block attacking packet; Block connection; Log event with packet header. Figure 5-15: The Actions Setup. (p. 55) Note: The logged attack events are transferred from the DFL-2100/DFL-2400 to the Reporting System at a fixed time interval. To change this setting, see the section on the DFL-2100/DFL-2400 Console/Telnet System. Tip: For policies that are not ambiguous, unchecking Log packet headers will increase the utilization of the DFL-2100/DFL-2400 system. Note: Only TCP policies have the Block Connection option, since the other layer-4 protocols are connectionless. Define Policy Action Schedule: Finally, you must define when the defense policy will be active. The default setting is the all-the-time schedule. Figure 5-16: The Schedule Setup (Policy active schedule: ANY). Only schedules already defined in the Schedule Book will show in the combo box. If you want to add a schedule, you have to define it in the Schedule Book first; see Chapter 7, Policy Definition Process. (p. 56) DEFINE YOUR OWN DEFENSE POLICY. Define Your Own Defense Policy: The DFL-2100/DFL-2400 IDS Management System provides a mechanism that allows multiple authorities to release attack detection databases for DFL-2100/DFL-2400 users. Therefore users can get extensiv
51. attack pattern. You can find the new defense policies in the policy list when you finish the update.
Update Attack Patterns: Last update Jan 20 2003 15:30; Current version 2.10
Figure 2-10: Download the latest attack pattern
All changes to the defense policies will not take effect until the red-lit Confirm button is clicked.
Figure 2-11: Make sure the defense policies take effect (the IDS Manager window, showing the Policy Server, the IDS device and its Network Attack Defense Policies with columns Priority, Name, Protocol, Protect Scope, Schedule, Issued Date)

Summary of Steps
In summary, you can make sure your DFL-2100/DFL-2400 protects your servers and networks by:
1. Connecting your DFL-2100/DFL-2400 Policy Server
52. devices, you must use the crossover cable included with the device. Attach the cable to the back of the DFL-2100/DFL-2400. The DFL-2100/DFL-2400 comes standard with three 10/100 half/full-duplex Ethernet interfaces. Since the DFL-2100/DFL-2400 is placed on the internal side of your access router, it has three ports: Ethernet, WAN and Manager. The Ethernet port is the side that interfaces to your LAN. The WAN port is the side that interfaces to the WAN side of your network via your access router. The Manager port is the secure connection to the Policy Server.
Figure 2-2: Cable Connection (WAN: crossover UTP cable; LAN: straight-through UTP cable)

Install Policy Server Software
Policy Server Hardware and Operating System Requirements
Before installing the DFL-2100/DFL-2400 Policy Server, you must understand a few points about it. The operating system should be Windows 2000, Windows XP, or Windows NT with Service Pack 6.0 or above. The host must have Internet access. The DFL-2100/DFL-2400 sends log data to the Policy Server, which saves it to the hard disk; therefore your hard disk should have 30 GB of free space. We suggest a Pentium III 1000 CPU and 256 MB or more of memory.
Installation Procedure
53. Figure 4-16: Export policy and books to local host dialog (a file chooser with File Name, Files of Type: All Files, Export and Cancel)

Import Books
The administrator can import the books from either the Policy Server or the local host. This can be used when the administrator wants to change the deployment or copy books to another DFL-2100/DFL-2400. The procedure is as follows:
1. Load the DFL-2100/DFL-2400 that is to import the books.
2. Click the Import button in the toolbar. The following figure will show up.
3. Choose the source: either the Policy Server or the local host.
4. If "From Policy Server" is chosen, you can choose from different filenames. Otherwise, you can specify the local host directory that holds the books.
Import Books: From Policy Server / From local host; Import from: (directory path) Browse; Import / Close
Figure 4-17: Import policy from Policy Server dialog
Import Books: From local host; a file chooser with File Name, Files of Type: Policy Books (.ebk), Import and Cancel
Figure 4-18: Import policy from
54. command to display the arguments of the netstat command.
Syntax: help netstat
Arguments: none
Example:
>> help netstat
netstat    Show system network status

help reset
Description: Use the help reset command to display the arguments of the reset command.
Syntax: help reset
Arguments: none
Example:
>> help reset
reset      Reset system configurations to manufacturing defaults

help reboot
Description: Use the help reboot command to display the arguments of the reboot command.
Syntax: help reboot
Arguments: none
Example:
>> help reboot
reboot     Reboot system

Query Commands
There are several query functions; their command usage and descriptions are illustrated below. All query functions are applicable to both console and telnet.

get
Description: Use the get command to display the arguments of the get command.
Syntax: get
Arguments: none
Example:
>> get
get        Get system information
Available commands:
system     System configurations including IP, password, etc.
log        System logs
time       Device clock setting
interface  Interface stealth function and working link mode
state      Device operation state
psserver   Policy server configurations
snmp       SNMP parameters

get system
Description: Use the get system command to display the system information, including the DFL-2100/DFL-2400 version, network states, po
55. select Add.
3. Specify a unique Device Name.
4. Enter the IP Address.
5. Select a net mask from the Net mask pull-down menu, or enter your own net mask.
6. Enter your Comment for this Address.
7. Click Add to add this Address to the Address Book.
Add a new Target: Target Name, IP, Netmask, Comments
Figure 7-3: Add a new Address Dialog

Modify an Address
1. Click the Address Book button to switch to the Address Book page.
2. Click the Modify button, or right-click on the Book Table and select Modify. The following dialog appears.
3. Modify any of these fields as you wish.
4. Click Modify to update this Address, or Cancel to leave it unchanged.
Modify this Target: Target Name, IP, Netmask, Comments
Figure 7-4: Modify an Address Dialog

Delete an Address
Select the entries to be deleted in the Address Book Table and click the Delete button, or right-click on the table and select Delete from the pop-up menu.
Note: You cannot delete an Address that is currently referenced by the Policy Rules.

Edit Group Book
Groups are used to organize a set of Policy Rules so that they can be enabled or disabled together. For example, you can put a se
56. Figure 8-7: The detail information on the inquiry screen of an attacked host (rows such as "WEB r00t" and "WEB PHP strings", type Other, with their counts)
The content description of the inquiry screen:
Serial number: the ranking of network attacks on this host.
Attack names: the names of the attacks on this host.
Attack types: the types of these attacks.
Number of attacks: the number of attacks on this IP address.
When users double-click the content of the right form, they get a screen displaying more detailed information such as attack time, source data, etc. Users can double-click the content on this screen to analyze the packet content of this attack. The DFL-2100/DFL-2400 Reporting System not only provides the entire safety status of the system manager's network but also instinctively gets a detailed and complete network intrusion record, to handle network crises well.
(Event detail window: Destination IP 192.168.168.210; Attack Name: ICMP Destination Unreachable, Port Unreachable; Total Number of Events: 6109, showing 1-100; columns No., Source IP, Begin Time, End Time, Packet; the listed events come from source 192.168.168.208 on 2002-06-04 at 17:18:45)
57. Attack type: DOS. Affected OS: Windows 95/98, Windows 2000, Linux, FreeBSD, SGI, Solaris, Network Device, Others. Protocol type: IP. Attack Severity: Little, Low, Medium, High, Serious.
Figure 6-3: The Defense Policy Attributes Frame

Determine the Recognize Condition
For some defense policies a single packet doesn't harm the network integrity; we must collect enough packets to identify an attack. Two parameters, Repetition and Duration, are introduced to increase the precision. "Packet happened n times" means we must collect that many repetitive packets; the default value is 1. "In every n secs" means the time interval from the first packet detected to the last packet that satisfies the repetition constraint. If the DFL-2100/DFL-2400 doesn't collect enough matched packets during this duration, the repetition count is reset to zero.
Recognize Condition: Packet happened [n] times in every [n] secs
Figure 6-4: The Recognize Condition Frame

Determine the Action While Being Attacked
It is the same as the section "Define Policy Actions".
Actions while being attacked: Block attacking packet / Log event without packet
Figure 6-5: The Actions Frame

Pick Up the Schedule
Determine the enabled time slot for this policy: pick the schedule you want from the combo box.
Policy Active Schedule
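The Repetition/Duration rule described above, as an added Python model (not D-Link code): a policy fires only after the configured number of matched packets arrives within the duration measured from the first one, and an expired window resets the count. The log lines are constructed for illustration, in the Source IP / Destination IP / Attack Name layout of the event viewer.

```python
"""Model of the DFL-2100/DFL-2400 "Recognize Condition" (added example, not firmware code)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class RecognizeCondition:
    repetition: int = 1      # "Packet happened n times" (the manual's default is 1)
    duration: float = 1.0    # "in every n secs"
    _count: int = field(default=0, init=False, repr=False)
    _first: Optional[float] = field(default=None, init=False, repr=False)

    def observe(self, t: float) -> bool:
        """Feed one matched packet seen at time t (seconds).

        Returns True when the repetition constraint is satisfied, i.e. when the
        policy action (block / log) should run for this occurrence.
        """
        # No window open, or the window expired without reaching the count:
        # the repetition count is reset to zero and this packet opens a new window.
        if self._first is None or t - self._first > self.duration:
            self._first, self._count = t, 0
        self._count += 1
        if self._count >= self.repetition:
            # Attack recognized; start counting afresh for the next occurrence.
            self._first, self._count = None, 0
            return True
        return False


def recognized_at(timestamps: List[float], repetition: int, duration: float) -> List[float]:
    """Run one policy over chronologically ordered matched-packet times and
    return the times at which the Recognize Condition fired."""
    cond = RecognizeCondition(repetition, duration)
    return [t for t in timestamps if cond.observe(t)]


# Constructed sample event log: "<date> <time> <source ip> <destination ip> <attack name>"
SAMPLE_EVENTS = """\
2002-06-04 17:18:45 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
2002-06-04 17:18:45 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
2002-06-04 17:18:46 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
2002-06-04 17:18:46 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
2002-06-04 17:18:47 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
2002-06-04 17:19:30 192.168.168.208 192.168.168.210 ICMP Destination Unreachable
"""

_EPOCH = datetime(1970, 1, 1)


def timestamps_from_log(text: str, attack_name: str) -> List[float]:
    """Extract the packet times (seconds since epoch) of events matching one attack name."""
    out = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[4] != attack_name:
            continue
        dt = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        out.append((dt - _EPOCH).total_seconds())
    return out


if __name__ == "__main__":
    times = timestamps_from_log(SAMPLE_EVENTS, "ICMP Destination Unreachable")
    # 5 packets within 3 seconds: fires once, at the fifth packet (17:18:47);
    # the lone packet at 17:19:30 never reaches the count.
    print(recognized_at(times, repetition=5, duration=3.0))
    # With a 1-second window the same burst never satisfies the constraint.
    print(recognized_at(times, repetition=5, duration=1.0))
```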
58. Step 0: Install NT Service Pack 6.0
Step 1: Install Policy Server
  Step 1-1: Install Java Runtime Environment (JRE)
  Step 1-2: Install MySQL database server
  Step 1-3: Install Apache Web server for Win32
  Step 1-4: Install Policy Server software
Step 2: Auto Configuration
Step 3: Close and reboot
Note: For the detailed installation description, refer to the Quick Installation Guide.

Configure the DFL-2100/DFL-2400
Before you can begin to manage the DFL-2100/DFL-2400 device, i.e. protect your network and servers, it must first be initialized. This procedure is accomplished through the DFL-2100/DFL-2400 Command Shell, which resides in the device. Access to the Command Shell can be made either through SSH or from a terminal or terminal emulator connected directly to the device. These methods are described below.

Starting the System
The Power on/off switch of the DFL-2100/DFL-2400 is located near the power cable. To start the system, switch it to the ON position. You will be prompted for a login ID and a password after the system is started. The login ID is admin and the password is DLink; to change the password, see "Change Password" on page 15.

Setting System Parameters
Once you have accessed the Command Shell with SSH or a terminal connection, press any key and the following prompt will appear:
Login as: admin
admin@192.168.168.201's passwo
59. 3/4 firewall must open the private service for the DFL-2100/DFL-2400.

set state
Description: There are four states in the DFL-2100/DFL-2400. Normal means the DFL-2100/DFL-2400 works normally according to the given policies. Protect means it works like an access controller: it lets packets pass according to the given policies. Stop means it drops all the packets it receives. Bypass means it lets all packets pass through freely without any checks.
Syntax: set state normal | protect | bypass | stop
Arguments:
normal     Set the DFL-2100/DFL-2400 to work normally according to the given policies
protect    Set the DFL-2100/DFL-2400 to work like an access controller
bypass     Set the DFL-2100/DFL-2400 to let all packets pass through freely without any checks
stop       Set the DFL-2100/DFL-2400 to drop all the packets it receives
Example:
Ex 1:
>> set state normal
Change system state to NORMAL mode
Ex 2:
>> set state bypass
Change system state to BYPASS mode

set snmp
Description: Use the set snmp command to configure the DFL-2100/DFL-2400 device for the Simple Network Management Protocol, to gather statistical information from the device and receive notification when events of interest occur.
Syntax: set snmp system | community | trap
Arguments:
system <name>    Define the physical location name a
60. The D-Link Service Team will send the username and password to the customer by e-mail.
Register on Internet form: Product information (Model, Date Purchased, Product Serial No., Distributor) and Customer Information (Company, Customer Name, Email Address, Address, City, State/Province, Zip/Postal Code, Country, TEL, FAX). All fields marked with an asterisk (*) must be filled in.

Auto Update
When we get the username and password from D-Link, we can update to the latest signature and kernel file over the Internet. The DFL-2100/2400 Policy Server will check the Update Server for the latest signature automatically.
1. Click the update button on the tool bar.
2. Fill out the user name and password in the login dialog. The update will be done automatically.
Upgrade on Internet: Please input Username / Password; OK / Cancel
Figure 4-14: Auto update dialog

IDS Management System Miscellaneous Functions
The DFL-2100/DFL-2400 Management System tool bar includes manager tools that manage devices, edit the network security policy and show other information. The first class, the DFL-2100/DFL-2400 device management tools, includes add, delete and edit device. The second class, the policy m
61. the same time box will uncheck it.
5. Enter your Comment for this Schedule.
6. Click Add to add the Schedule to the Schedule Book.
Add a new Schedule: Schedule Name, Schedule Times, Comments
Figure 7-7: Add a new Schedule Dialog

Modify a Schedule
1. Click the Schedule Book button to switch to the Schedule Book page.
2. Click the Modify button, or right-click on the Book Table and select Modify. The following dialog appears.
3. Modify any of these fields as you wish.
4. Click Modify to update this Schedule, or Cancel to leave it unchanged.
Modify this Schedule: Schedule Name (e.g. Working Hours), Schedule Times, Comments
Figure 7-8: Modify this Schedule Dialog

Delete a Schedule
Select the entries to be deleted in the Schedule Book Table and click the Delete button, or right-click on the table and select Delete from the pop-up menu. You cannot delete a Schedule that is currently referenced by the Policy Rules.

IDS REPORTING SYSTEM
The DFL-2100/DFL-2400 IDS Reporting System
The DFL-2100/DFL-2400 IDS Reporting System is an analysis tool that manages network attack events and the records of the DFL-2100/DFL-2400 system. It can not only inquire about any network attack but also simultaneously monitor
62. extensive support from the vendor or third parties. Check the detection-method provider from the Arrange Policies button (provider).
Figure 6-1: The Defense Policy database window (the policy list is grouped by class, such as DoS, Access Control and Scan, and each policy shows the attributes ID, Severity, Attack Name, Detect method issuer, Issued Date, Attack Type, Affected OS, Description, Attack Impact, False Positives, False Negatives, Recommend Action and Reference)
But the DFL-2100/DFL-2400 Management System also allows users to define their own policies. Press the Define a New Policy button in the database window. Define Ne
63. real-time warnings of network attacks in the form of text. For the system manager to fully understand the current situation of the network at a glance, the monitoring function classifies the threat levels of network attacks into 5 real-time monitoring screens: serious threat, high-level threat, medium-level threat, low-level threat and slight threat.

Network Attack Report
Report: When the system manager clicks the Report button, the DFL-2100/DFL-2400 IDS Reporting System provides review and inquiry functions for network attacks. The system manager then selects the Report Form button to open the Report Inquiry Screen (refer to Figure 8-4). The user selects a needed report form and an inquiry time, and then clicks Generate Report to get the needed network attack report or analysis.
The selection screen of report forms: Chart view (Local / Remote), Attacked Host, Attack Type, Severity, Event Viewer
The selection screen of report inquiry time: Start Year / Month / Day, End Year / Month / Day, Specific Hour; Make Report
Figure 8-4: Report inquiry screen of attacks
On the selection screen of report forms, the inquiries of network a
64. Network Intrusion Detection System (NIDS). Its responsibility is to detect malicious and suspicious packets on the computer network and take action in real time. It analyzes incoming and outgoing packets with a mixed approach that combines misuse and anomaly models. With this hybrid mechanism the DFL-2100/DFL-2400 can detect unknown types of packet flooding and can easily extend its ability to detect new pattern-based attack types, since a flexible rule set is provided to which new policies can be added easily. The DFL-2100/DFL-2400 is built on a real-time OS running on a high-performance appliance, which enables it to do much more than other software-based IDS.

Key Features
- Real-time detection and reaction: checks the validity of packets with high performance; instant traffic control (block packets, cut off connections, generate alarms and log suspicious packets); complete packet inspection.
- Robustness: based on a dedicated real-time OS with a strengthened TCP/IP protocol stack, the DFL-2100/DFL-2400 minimizes the risk of being attacked and maximizes durability.
- Policy-based detection and access control: policy-based detection rules with schedule function support; prioritized policies; bidirectional detection and protection; Layer 3 and Layer 4 are under control, with specially enhanced URL detection and access control.
- Manageability: Web-based management interface; the administrator can take advantage of the simplicity of the user interface to manage
65. attacked hosts ranking.
Host name: the names of the attacked hosts.
IP address: the IP addresses of the attacked hosts.
Number of attacks: the number of times this IP address has been attacked.
When the user double-clicks the content of the right form, a screen displays more detailed information such as attack time, sources, etc. The user can double-click the content on this screen to analyze the packet contents of this attack. The DFL-2100/DFL-2400 Reporting System not only provides the entire network safety status to the system manager but also instinctively gets a detailed and complete network intrusion record, to handle the network crisis well.
(Packet analysis window: Destination IP 192.168.168.210; Attack Name: ICMP Destination Unreachable, Port Unreachable; Total Number of Events: 6109, showing 1-100; columns No., Source IP, Begin Time, End Time; the decoded IP header pane lists Version, Header Length, Type of Service 0 and Total Length 56 for an event from 192.168.168.208 on 2002-06-04 at 17:18:45)
66. Schedule
Figure 6-6: The Schedule Frame

Description
When we define a new attack policy, we should give some reference information about the attack. It will be very useful for other users to understand the policy. There are several information fields about the policy that should be described: Description, Attack Impact, False Positive, False Negative, Recommend Action and Reference.
Figure 6-7: The policy information (the example shown is a Hack'a'Tack Windows trojan policy)

Fill the Packet Criteria
The packet criteria section is the heart of a policy. It defines many parameters to detect attacks or control access. There are tabs in this frame, and the tabs shown depend on your selection of Protocol Type in Policy Property.

Protocol Type    Policy Property Tabs
IP               IP, Content
TCP              IP, TCP, Content
UDP              IP, UDP, Content
ICMP             IP, ICMP, Content
IGMP             IP, IGMP, Content
Table 6-1: Protocol Type and Policy Property Tabs

The Comparison Operations
There are many fields in each tab. When the value of a field is given, you should specify the comparison
67. screen. Default ID: admin; password: admin.
Login to the Policy Server: Server IP (e.g. 192.168.168.210), ID, Password; Login / Cancel
Figure 2-5: DFL-2100/DFL-2400 Management System Login Screen
Figure 2-6: DFL-2100/DFL-2400 Management main screen (the IDS Manager shows the Policy Server, the IDS device and its Policy Rules: Network Attack Defense Policies and DDoS Attack Defense Policies, with columns Priority, Name, Protect Scope, Schedule, Issued Date, Comments)

Add New DFL-2100/DFL-2400
1. Click the Add DFL-2100/DFL-2400 button.
2. Enter the Alias Name of the DFL-2100/DFL-2400.
3. Enter the IP of the DFL-2100/DFL-2400 which you want to add.
4. Click Add to add the DFL-2100/DFL-2400 device to the DFL-2100/DFL-2400 Tree.
5. Double-click the device icon which you added, and you can manage the DFL-2100/DFL-2400 device.
Add an IDS: Alias Name (e.g. DFL-2100 IDS), IP
Figure 2-7: Add a DFL-2100/DFL-2400 Dialog

Load Newest Defense Policies
The policies are the most important information in the DFL-2100/DFL-2400 Management System. Policies tell the DFL-2100/DFL-2400 how to detect an attack and how to respond when an attack is detected. To star
68. ... 31
Manage DFL-2100/DFL-2400 ... 31
Add DFL-2100/DFL-2400 ... 32
Remove a DFL-2100/DFL-2400 ... 33
Modify DFL-2100/DFL-2400 ... 33
DFL-2100/DFL-2400 Configure and Setting ... 34
DFL-2100/DFL-2400 Device Monitoring ... 34
Setting DFL-2100/DFL-2400 Parameters ... 34
User Manage ... 35
Signature Live Update ... 39
Customer ... 39
IDS Management System Miscellaneous Functions ... 40
Export Books ... 40
Import Books ... 41
DFL-2100/DFL-2400 IDS Reporting System ... 43
About DFL-2100/DFL-2400 IDS Management System ... 43
Policy Based IDS ... 45
The Policy Book ... 45
Load Latest Attack Pattern ... 46
Change the Priority of Policies ... 48
Network Defense Policies Database ... 49
Select Defense Policy ... 50
Defense Policy ... 53
Define Defense Policy Protect Scope ... 53
Define Policy Actions ... 55
Define Your Own Defense Policy ... 56
69. defective software product with a product which substantially conforms to D-Link's applicable product documentation. Purchaser assumes responsibility for the selection of appropriate application and system platform software and associated reference materials. D-Link makes no warranty that its software products will work in combination with any hardware or any application or system platform software product provided by any third party, excepting only such products as are expressly represented in D-Link's applicable product documentation as being compatible. D-Link's obligation under this warranty shall be a reasonable effort to provide compatibility, but D-Link shall have no obligation to provide compatibility when there is fault in the third-party hardware or software. D-Link makes no warranty that operation of its software products will be uninterrupted or absolutely error-free, and no warranty that all defects in the software product, within or without the scope of D-Link's applicable product documentation, will be corrected.

LIMITATION OF WARRANTIES
IF THE D-LINK PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, THE CUSTOMER'S SOLE REMEDY SHALL BE, AT D-LINK'S OPTION, REPAIR OR REPLACEMENT. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. D-LINK NEITHER ASS
70. ger and serious. Total: the accumulated attack numbers for all warning groups.

Inquiry about important attacks
The system manager selects Event Search (refer to Figure 8-15) on the screen of report form options, and then selects to search by attacked address or by network attack name. The next step is to select a corresponding time period, in order to inquire about all attacks occurring on the host, or on the hosts attacked by the selected attacks, during the selected time period.
Event Viewer: Search by host (e.g. FTP Server) / Search by Attack Type (e.g. ACKcmdC trojan scan)
Figure 8-15: The browse and inquiry screen of attack events
Note: If the addresses of the attacked targets have been entered into an address list, they can be selected directly in the search. Users can also enter an IP address directly to search.
After clicking the Generate Chart button, a list displays the detailed information about each attack on the report screen. This screen therefore provides not only exhaustive information but also the complete records and analysis of attack packets, for system managers to search and investigate the sources of attack packets.
(Report screen residue: Total Number of Events; columns No., Attack Name, Host; an IGMP Flooding entry is visible)
71. unchanged.
Modify this Group: Group Name (e.g. User Group), Grouped Target Addresses (Local / Remote: Host A, Host B), Comments; Modify / Cancel
Figure 7-6: Modify a Group Dialog

Delete a Group
Select the entries to be deleted in the Group Book Table and click the Delete button, or right-click on the table and select Delete from the pop-up menu.
Note: You cannot delete a Group which is currently referenced by the Policy Rules.

Edit Schedule Book
The DFL-2100/DFL-2400 allows you to define the policy-enabled time based on the schedules predefined in the Schedule Book. You can specify a Schedule as one or more periods of time slots, composed of any hours in a week. All changes to the Schedule Book will not take effect until the red-lit Confirm button is clicked.

Add a Schedule
1. Click the Schedule Book button to switch to the Schedule Book page.
2. Click the Add button, or right-click on the Book Table and select Add.
3. Specify a unique Schedule Name.
4. Click or drag a scope with your mouse on the Schedule Time Table to select the time at which the rule is to be triggered. The selected time boxes will be checked. You can also use the predefined schedule times by clicking the Weekday, Weekend, Working Hours and Whole Week buttons on the right side of the table. Duplicate selection on th
72. mechanism is introduced. The rule is: the policy with the higher priority is checked first, and the action is determined according to the first matched policy. For administrators to change the priority of policies, there are two buttons on the toolbar: Higher Priority and Lower Priority. In order to change the priority of policies, you have to double-click the policy book table first; the selected table will be highlighted. Then select a policy to move it up or down. When it moves up it gets higher priority; otherwise it gets lower priority.

Network Defense Policies Database
There is a policy database on the Policy Server; the administrator selects policies from this predefined database. Or the user can click the Add a Policy button on the toolbar to add a policy to the database. The Network Defense Policies Database window consists of three parts:
- The policy list: the list of policies, grouped by class.
- Attack Attributes: the attack name, ID, type, protected OS and other attack descriptions.
- Defense Policy: defines the actions when the policy is matched.
(Pick Policies window residue: the Defense Policy DB tree with the classes DoS, Access Control and Scan and their member policies)
73. Figure 1-1: DFL-2100/DFL-2400 IDS Network Architecture (switched hub, DFL-2100/2400 IDS, workstations, database server, server farm and Policy Server)

The DFL-2100/DFL-2400 Family
The DFL-2100/DFL-2400 Family consists of the following products. The DFL-2100 is a hardware and software solution that is optimized for medium sites. The DFL-2100 supports wire-speed Network Intrusion Detection and can accept up to 8,000 simultaneous connections. The DFL-2400 is a high-performance system that is optimized for supporting larger network configurations. The DFL-2400 supports wire-speed Network Intrusion Detection and can support 128,000 simultaneous connections.

INSTALLATION AND INITIAL SETUP
Install DFL-2100/DFL-2400
Connecting the DFL-2100/DFL-2400 to the Network
Hardware install
A DFL-2100/DFL-2400 unit can be mounted in a standard 19-inch equipment rack or on a desktop or shelf. Mount the device onto the rack using four rack-mounting screws.
Figure 2-1: Installing the DFL-2100/DFL-2400 onto a rack
Check the target device:
Network devices such as switching routers, switches and hubs: if the DFL-2100/DFL-2400 connects to network devices, you generally use a straight-through UTP patch cord.
CPE such as routers, desktop PCs and notebooks: if the DFL-2100/DFL-2400 connects to CPE devi
74. When D-Link provides a replacement, the defective product becomes the property of D-Link. Warranty service may be obtained by contacting a D-Link office within the applicable warranty period and requesting a Return Material Authorization (RMA) number. If a Registration Card for the product in question has not been returned to D-Link, then a proof of purchase (such as a copy of the dated purchase invoice) must be provided. If Purchaser's circumstances require special handling of warranty correction, then at the time of requesting an RMA number Purchaser may also propose a special procedure as may be suitable to the case. After an RMA number is issued, the defective product must be packaged securely in the original or other suitable shipping package to ensure that it will not be damaged in transit, and the RMA number must be prominently marked on the outside of the package. The package must be mailed or otherwise shipped to D-Link with all costs of mailing, shipping and insurance prepaid. D-Link will ordinarily reimburse Purchaser for mailing, shipping and insurance expenses incurred for return of a defective product in accordance with this warranty. D-Link shall never be responsible for any software, firmware, information or memory data of Purchaser contained in, stored on, or integrated with any product returned to D-Link pursuant to this warranty. Any package returned to D-Link without an RMA number will be rejected and shipped back to Purchaser at Purchaser's expense.
75. hi-Gotanda, Shinagawa-ku, Tokyo 141, Japan. TEL: +81-3-5434-9678, FAX: +81-3-5434-9868, URL: www.d-link.co.jp, E-MAIL: kida@d-link.co.jp. D-LINK RUSSIA: Michurinski Prospekt 49, 117607 Moscow, Russia. TEL: +7-095-737-3389, +7-095-737-3492, FAX: +7-095-737-3390, E-MAIL: vi@dlink.ru. D-LINK INTERNATIONAL: 1 International Business Park, #03-12 The Synergy, Singapore 609917. TEL: +65-774-6233, FAX: +65-774-6322, URL: www.dlink-intl.com, E-MAIL: info@dlink.com.sg. D-LINK SOUTH AFRICA: Unit 2, Parkside, 86 Oak Avenue, Highveld Technopark, Centurion, Gauteng, Republic of South Africa. TEL: +27 (0)12 665 2165, FAX: +27 (0)12 665 2186, CELL: 0826010806 (Bertus Moller), CELL: 0826060013 (Attie Pienaar), E-MAIL: bertus@d-link.co.za, attie@d-link.co.za. D-LINK SWEDEN: P.O. Box 15036, S-167 15 Bromma, Sweden. TEL: +46 (0)8 564 61900, FAX: +46 (0)8 564 61901, E-MAIL: info@dlink.se, URL: www.dlink.se. D-LINK TAIWAN: 2F, No. 119, Pao-Chung Road, Hsin-Tien, Taipei, Taiwan. TEL: +886-2-2910-2626, FAX: +886-2-2910-1515, URL: www.dlinktw.com.tw, E-MAIL: dssqa@tsc.dlinktw.com.tw. D-LINK EUROPE: D-Link Europe Ltd., 4th Floor, Merit House, Edgware Road, Colindale, London NW9 5AB, U.K. TEL: +44-20-8731-5555, FAX: +44-20-8731-5511, URL: www.dlink.co.uk, E-MAIL: info@dlink.co.uk. D-LINK U.S.A.: 53 Discovery Drive, Irvine, CA 92618, USA. TEL: +1-949-788-0805, FAX: +1-949-753-7033, INFO LINE: 1-800-326-1688, BBS: 1-949
76. (Screenshot residue: a table of attack event begin/end timestamps from 2003-01-17 15:09 to 15:10, not otherwise recoverable.) Figure 8-16: The screen of attack event results. Content description of the attack display screen. Number of events: so that users can conveniently review attacks, each screen displays only 100 records; the user can use a pull-down menu to select the needed section of attacks. (Screenshot residue; legible labels: Total Number of Events 1476, Attack Name, sections 101-200, 201-300, 301-400, 501-600, 601-700, 701-800; sample entries: IIS overflow htr access, MS SQL sp_password, DeepThroat 3.1 Process List, MISC sm4ck attempt, WEB Netscape Enterprise, FTP pass wh00t.) Figure 8-17: The screen of the number of attack events. Serial number: the serial number of the attack. Attack name: the name of this att
77. (Screenshot residue: Policy Server Defense Policies window listing Network Attack Defense Policies and DDoS Attack Defense Policies with columns Priority, Name, Protect Scope, Schedule, Issued Date; legible DDoS entries: TCP SYN Flooding, TCP Flooding, UDP Flooding, UDP Smurfing, ICMP Flooding, ICMP Smurfing, each ANY Local <-> ANY Remote, ANY.) Figure 5-5: Click the Confirm button after selecting defense policies. Change the Priority of Policies. The detection policies are not necessarily mutually exclusive, i.e. a single packet may match different policies concurrently. In order to resolve this kind of conflict, a priority mec
78. (Print preview residue; legible checkbox labels: Log event with packet, Attach packet, Block connection.) Figure 4-19: Print Policy Book Preview Screen. DFL-2100/DFL-2400 IDS Reporting System. The DFL-2100/DFL-2400 IDS Reporting System is an advanced reporting system. It includes the real-time attack monitor, the real-time traffic monitor and advanced attack event search. The details of this subsystem are shown in Chapter 8. When the Reporter button on the toolbar is pressed, you enter the DFL-2100/DFL-2400 IDS Reporting System and get more detailed attack event messages. About the DFL-2100/DFL-2400 IDS Management System. When the About button on the toolbar is pressed, the current version information is shown in a popup window. Click Close to close this screen. Figure 4-20: DFL-2100/DFL-2400 Management System information. POLICY-BASED IDS. What is a Policy? The policy is the most important information in the DFL-2100/DFL-2400 IDS Management System. A policy tells the DFL-2100/DFL-2400 how to detect an attack, how to respond when an attack is detected, what to protect and when to protect it. Therefore a policy consists of policy information, defense description, protect scope, schedule, actions and some high-level information such as clas
79. Weekly report of attack events. Selection of the inquiry time. When the system manager inquires about any form of report, he or she should also select the corresponding time period. The DFL-2100/DFL-2400 IDS Reporting System provides two methods to select a time period: one continuous period, or any combination of discontinuous time periods. Select one continuous period. For a continuous period the system manager can use a pull-down menu to select the starting and finishing time (year, month and day, or even a specific hour), which is especially valuable for tracking an intrusion by a hacker. (Dialog residue; legible labels: Time, Continuous Time, Start Year 2002, Month, End Year 2002, Month, Specific Hour, Intermittent Time.) Figure 8-22: The selection of a continuous time period. Select discontinuous time periods. For discontinuous time periods, the DFL-2100/DFL-2400 IDS Reporting System displays a visual calendar for selecting the required dates after the system manager clicks on the >> key. This calendar supports multiple choices and provides buttons for the system manager to quickly select time periods. The details of all functions and components are described as follows. (Calendar residue; legible labels: Day selection, Month button, Year button, Week button, green represents today, Monthly, OK.)
80. policies and DFL-2100/DFL-2400 status. Syntax: get system. Arguments: none. Example:
>> get system
Version 1.0.0 2002-12-20
Model DFL-2100
Identification code ftbed2fe426fb392fted26e439
IDS IP Address 192.168.168.201, netmask 255.255.255.0, gateway 192.168.168.254
CPU utilization 100, free memory 19 MBytes
Current TCP connections 3, TCP idle time limit 1800 seconds
Maximum log number per second 500
Detection parameters: Maximum ping packet size 100, VPN bypass off, TCP state check bypass off, WCCP bypass off, WCCP redirect IP 0.0.0.0
Remote port: working, policy number 861, <on>, max ping 100
Local port: working, policy number 861, <on>, max ping 100
get time. Description: use the get time command to display the time information of the DFL-2100/DFL-2400. Syntax: get time. Arguments: none. Example:
>> get time
Boot time Thu Apr 11 15:21:35 2002 GMT+8
Now time Thu Apr 11 17:28:39 2002 GMT+8
Up time 0 days 2 hours 7 minutes 4 seconds
get log. Description: use the get log command to display the log information of the DFL-2100/DFL-2400. Syntax: get log. Arguments: none. Example:
>> get log
2002-05-16 19:53:05 U SYS Failed to open DDoS policy file
2002-05-16 19:53:05 U SYS Failed to open policy file
2002-05-16 19:53:05 I SYS DFL-2100/DFL-2400 startup
81. local host dialog. Print Books. Another way to back up books is to print them out on paper. When the Print button on the toolbar is pressed, the currently loaded book is prepared for printing and the print preview screen shown in the following figure appears. Click Print to print it out, otherwise click Cancel to close this screen. (Print preview residue: DDoS Defense Policy list with columns Priority, Name, Protect Scope, Schedule, Issued Date; legible entries 1 TCP SYN Flooding, 2 TCP Flooding, 3 UDP Flooding, 4 UDP Smurfing, 5 ICMP Flooding, each ANY Local <-> ANY Remote, ANY, Tue Jan 13 00:30:14 CST 1970, with a Description line and "Actions while being attacked" options: Block attacking, Log event with packet, Attach packet, Block connection, and an e-mail notification option.)
82. (Table of contents residue, mostly unrecoverable; legible entries: help ... 14; Miscellaneous Commands ... 26; IDS Management System ... 30; DFL-2100/2400 IDS Management Main Screen ... 30; DFL-2100/DFL-2400 Management System Main Screen.)
83. n policies. Protect means the DFL-2100/DFL-2400 works like an access controller: it lets packets pass according to the given policies. Stop means the DFL-2100/DFL-2400 drops all the packets it receives. Bypass means the DFL-2100/DFL-2400 lets all packets pass through freely without any checks. 5. Set which interface the policy applies to. (Dialog residue; legible fields: IDS Information Configuration, Set device parameters: Maximum Ping number per second, TCP session timeout (seconds), Maximum log per second, Log transfer interval (seconds), System State, Apply policy check for remote port, Apply policy check for local port, Reset to default value.) Figure 4-7: Set device parameters dialog. User Management. A user is someone who can use or access the DFL-2100/DFL-2400 IDS Management System. As the Management System administrator, you decide who has permission to access and modify policies, select policies and search reports. Click the User Management button on the toolbar; the Management window appears. There are two default users in the DFL-2100/DFL-2400 Policy Server: one is Admin (administrator), the other is guest (guests). (Dialog residue; legible labels: Users and Passwords, User Name, Administrators, Guests, Password for Administrator, Please select a user to change password and press the button.) Figure 4-8: Use
84. (Policy selection residue; legible policy names: named 8.2 -> 8.2.1, Access Control, UDP Flooding, DNS EXPLOIT named overflow, FINGER cybercop query, UDP Smurfing, DOS Winnuke attack, FTP forward, ICMP Flooding, ssh CRC32 overflow /bin/sh, FTP rhosts, ICMP Smurfing, ssh CRC32 overflow NOOP, FTP CWD ~root, IGMP Flooding, ssh CRC32 overflow 1, FTP pass wh00t, IP Flooding, ssh CRC32 overflow 2, FTP passwd retrieval attempt 1, TFN Probe, netscape 4.7 client overflow, FTP passwd retrieval attempt 2, tfn2k icmp possible communication, NNTP Cassandra Overflow, FTP site exec, Trin00 Daemon to Master PONG detected, x86 linux samba overflow, FTP tar parameters, Stacheldraht server spoof, imap x86 linux overflow, FTP ADMw0rm ftp login attempt, Stacheldraht server response gag, FTP No Password, Stacheldraht server response, MISC Insecure TIMBUKTU Password, Stacheldraht client spoofworks, MISC PCCS mysql database admin.) Figure 5-4: Select your defense policies. 5. After selecting the defense policies, click the OK button to return to the main management window. All changes to the defense policies will not take effect until the red-lighted Confirm button is clicked. (Screenshot residue: IDS Manager, Policy Server 192.168.168.220 ... Pol
85. nd contract of the DFL-2100/DFL-2400 community. <ro|rw|trap>: defines the name and the permission of the SNMP community. trap <enable|disable|ip>: enables or disables SNMP traps for the community, or defines the IP address that listens for the trap. Example:
>> set snmp trap
Need command: enable|disable|ip
>> set snmp trap ip 192.168.168.65
Add SNMP Trap IP OK
Note 1: this command is only applicable to the console. Miscellaneous Commands. ping. Description: use the ping command to check the network connection to another system. Syntax: ping host_ip [timeout] [count]. Arguments: host_ip, ping the host with this IP address; timeout, the ping timeout in seconds; count, the ping count. Example:
>> ping 192.168.168.65
ping 192.168.168.65: 56 data bytes
192.168.168.65 is alive
>> ping -s 192.168.168.165 10
ping 192.168.168.165: 56 data bytes
64 bytes from 192.168.168.165: icmp_seq=0
64 bytes from 192.168.168.165: icmp_seq=1
64 bytes from 192.168.168.165: icmp_seq=2
64 bytes from 192.168.168.165: icmp_seq=3
64 bytes from 192.168.168.165: icmp_seq=4
64 bytes from 192.168.168.165: icmp_seq=5
64 bytes from 192.168.168.165: icmp_seq=6
64 bytes from 192.168.168.165: icmp_seq=7
64 bytes from 192.168.168.165: icmp_seq=8
64 bytes from 192.168.168.165: icmp_seq=9
10 packets transmitted, 10 packets received
>> arp
86. and select Delete. Note: you cannot delete a Service that is currently referenced by the Policy Rules. Edit Address Book. An Address is a target element of your network, such as a PC or a LAN. You can specify an Address with its own IP, MAC and net mask so that detection can be managed for a specific IP host or for a subnet sharing the same net mask. Because machines with different operating systems and different services need different policies, the policies applied to each host vary. For example, DNS and web servers may run on UNIX machines while end users may use Windows on their PCs, and attack detection policies for UNIX and Windows are quite different. Therefore the administrator can define a specific name for each host, and these names are used in the policies. The Addresses defined in the Address Book are listed in the Address Book Table. Addresses are classified into two categories: 1. Remote Address: addresses beyond the DFL-2100/DFL-2400. 2. Local Address: addresses behind the DFL-2100/DFL-2400. Click the Address Book button to display the content of the Service Book in the Book Table window. Note: all changes to the Address Book will not take effect until the red-lighted Confirm button is clicked. Add an Address. 1. Click the Address Book button to switch to the Address Book page. 2. Click the Add button or right-click on the Book Table and sele
87. ne policy section, or by severity to group policies of different severity. (Dialog residue; legible options: Defense Policy DB arranged by policy type (DDoS, Buffer Overflow, Access Control, Scan, Trojan Horse, Other), by OS type, by issued date, by alphabet, by detect method provider; sample entries: HackAttack 1.20 Connect, Matrix 2.0 Server access, MISC linux rootkit attempt, MISC linux rootkit attempt lrkr0x.) Figure 5-8: Arrange Policies options. Policy Attribute. Each policy has a detailed description of the attack it defends against. The administrator can read the detailed description and the recommended action. (Attack Attributes residue; fields: Type, ID, Severity, Attack Name, Detect method, Issued by, Issued Date, Attack Type, Affected OS, Description, Attack Impact, False Positive, False Negative, Recommended Action, Reference. Legible values: ID 1048754, Severity Serious Risk, Attack Name DNS EXPLOIT named overflow, Issued by D-Link, Issued Date Wed Aug 21 17:40:10 CST 2002, Attack Type Buffer Overflow, Affected OS Linux, FreeBSD, Solaris, SGI, other Unix. Description: some versions of BIND fail to properly validate NXT records, which could allow an intruder to overflow a buffer and execute ... of the name server. NXT record support was introduced in BIND version 8.2; ... are not vulnerable to this problem. ... problem in version 8.2.2.) By exploiting this vulnerability
88. network traffic and attack circumstances. In terms of operation, the DFL-2100/DFL-2400 IDS Reporting System can run under any Java Runtime Environment (JRE) served by web servers. Authorized users can use browsers supporting Java, such as Internet Explorer or Netscape Navigator, to monitor the whole state of network attacks through the web-based IDS Reporting System. Table 8-1: The function list of the DFL-2100/DFL-2400 Reporting System. Real-time network attack monitor: provides a real-time monitor for network attacks and classifies attacks according to their threat levels. Network attack reports: the reports review detected attacks according to IP address, attack name, attack level and attack time; they also provide analysis in the form of statistical charts and bar charts. Real-time traffic monitor: provides options of different printing formats. System events: reviews operational events of the DFL-2100/DFL-2400 system. Main screen. The main screen of the DFL-2100/DFL-2400 IDS Reporting System is composed of three parts. 1. The toolbar of the DFL-2100/DFL-2400 IDS Reporting System: changes the display language; changes the warning level; sets up the export method of reports; help functions; version information (Table 8-2: The toolbar of the DFL-2100/DFL-2400 Reporting System). 2. The main func
89. do not influence system operation. 3. System emergency: serious errors that influence the normal operation of some functions of the system. 4. Fatal system error: events that influence the operation of the main system functions. Time of system event: the occurrence time recorded by the system. Information about system event: the description of the system event. Introduction of other important tools. The toolbar on the main screen of the DFL-2100/DFL-2400 IDS Reporting System provides users with tools to change the language, the warning level and the report output setting. Change display language. When users click on the Language Selection button, they see the dialogue box in Figure 8-30. (Dialog residue; legible labels: Change Language, Select display language: English, Chinese BIG5, Chinese GB; OK, Cancel.) Figure 8-29: Change display language. Select display language: select a different language to display a different language version of the program operation screens. OK button: click this button to accept the setting of a new language version. Cancel button: click this button to exit this screen. Change warning levels. When users click on the Warning Level button, they can change related settings of on-line warning levels and e-mail warning in a dialogue box; refer to Figure 8-30 (Set Alert Mode).
90. (Real-time attack monitor screenshot residue, not otherwise recoverable; columns: attack name (IGMP Flooding, ICMP Flooding), Source IP 192.168.168.210, Destination IP 192.168.168.209, Begin Time, End Time, 2003-01-17 15:09.)
91. Description: use the help get command to display the arguments of the get command. Syntax: help get. Arguments: none. Example:
>> help get
get: Get system information. Available commands:
system    System configurations including IP, password, etc.
log       System logs
time      Device clock setting
interface Interface stealth function and working link mode
state     Device operation state
psserver  Policy server configurations
snmp      SNMP parameters
help set. Description: use the help set command to display the arguments of the set command. Syntax: help set. Arguments: none. Example:
>> help set
set: Set system parameters. Available commands:
system    System configurations including IP, password, etc.
time      Device clock setting
interface Interface stealth function and working link mode
state     Device operation state
psserver  Policy server configurations
snmp      SNMP parameters
help ping. Description: use the help ping command to display the arguments of the ping command. Syntax: help ping. Arguments: none. Example:
>> help ping
ping: Ping utility
help arp. Description: use the help arp command to display the arguments of the arp command. Syntax: help arp. Arguments: none. Example:
>> help arp
arp: Show & handle arp table
help netstat. Description: use the help netstat
92. User Manage window. Add new user. Click the Add User button on the dialog; the following dialog appears. Enter the user name and user password, confirm the password, select a user group, and give the Read/Write permission for policy service, report service and user management. (Dialog residue; legible fields: User Information: User name, User password, Confirm password, User group (Guests); Policy server: Read Only / Read Write; Report: Read Only / Read Write; Rule: Read Only / Read Write; User Management: Read Only / Read Write.) Figure 4-9: Add New User dialog. Delete user. 1. Click the Delete User button on the dialog. 2. The confirm dialog appears. (Dialog residue; legible labels: Users and Passwords, User Name, Administrators, Guests, Remove guest?, OK, Cancel, Please select a user to change password and press the button, Password for Administrator.) Figure 4-10: Remove User dialog. Edit user. Once you click the User Management button, the user list is shown. Select a user; you can change the password by clicking the Change Password button, or click the Manage button in the dialog to edit the user parameters. There are three levels of parameters that can be changed: 1. User password. 2. User group. 3. Policy Server access permission.
93. rd. D-Link IDS: protect your network and servers. 1. Set the DFL-2100/DFL-2400 device IP: >> set system ip <IDS Device IP>. 2. Set the DFL-2100/DFL-2400 gateway IP: >> set system gateway xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your gateway IP. 3. Set the DFL-2100/DFL-2400 network mask: >> set system mask xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your network mask. 4. Set the DFL-2100/DFL-2400 Policy Server IP: >> set psserver ip <Policy Server IP>. Getting Started. Once you have completed the initial setup described in the previous chapter, you can connect to the DFL-2100/DFL-2400 Policy Server and manage your DFL-2100/DFL-2400 via a web browser. Connect to the DFL-2100/DFL-2400 Policy Server from a browser: open your browser and enter http://<IP Address of the Policy Server>:6592. IDS Policy Server Initial Screen. The initial screen of the Policy Server is the first web page you see when you connect to the DFL-2100/DFL-2400 Policy Server. This is the main screen of the Policy Server; by clicking on a particular menu tab you can start to use its respective functions. Manager (DFL-2100/DFL-2400 Management System): allows users to manage one or more DFL-2100/DFL-2400 devices concurrently; see DFL-2100/DFL-2400 Management System. Get Certification: downloads the certification files to your client machine to ensure that your bro
94. address shouldn't be the IP address of the real Policy Server. Please check your network status before you enter the IP address. Example: a DFL-2100/DFL-2400 is on the network 192.168.168.xxx and the Policy Server sits behind the firewall at 10.0.0.xxx. The firewall or NAT must be configured with a Virtual IP or Mapped IP for the Policy Server, and the DFL-2100/DFL-2400 sets its Policy Server IP to that Virtual IP. (Figure 3-1: Set Policy Server sample; legible labels: IDS 192.168.168.201, 192.168.168.251, Policy Server 10.0.0.2.) >> set psserver ip 192.168.168.248. The firewall or NAT must configure port mapping as 192.168.168.248:7595 -> 10.0.0.2:7595 and 192.168.168.248:7596 -> 10.0.0.2:7596. Ports 7595 and 7596 are private ports for the DFL-2100/DFL-2400 Management System. Firewall example (NetScreen): Interface IP / Netmask ...; Mapped IP Address 192.168.168.248, Netmask 255.255.255.255, Host IP Address ... (Figure 3-2: Set Policy Server virtual IP sample). Service configuration (Figure 3-3: Set private ports service for the Policy Server; legible fields: Service Name, Source Port Low/High 1-65535, Destination Port 7595 and 7596, TCP / UDP / Other). Transport (legible fields: Name optional, Source Address 192.168.168.201, Destination Address MIP 192.168.168.248, Service ..., NAT Off). Figur
95. s, issued date, etc. The Policy Book. The policy book is divided into two tables: the upper table is Network Attack Defense Policies and the lower table is DDoS Attack Defense Policies. These policies are divided into different categories because their detection methods are inherently quite different: the Network Attack Defense Policies employ pattern matching, while the DDoS Attack Defense Policies use statistical modeling. (Policy Book screenshot residue; legible: 192.168.168.212, Model DFL-2100, Defense Policies 1020, Network Attack Defense Policies 1012, columns Priority, Name, Protect Scope, Schedule, Issued Date; entries 1 ACKcmdCtr, 2 QAZ Worm, 3 NetMetroFil..., 4 CDK, 5 w00w00atte..., 6 MISC w0tat..., 7 MISC limxx..., each ANY Local <-> ANY Remote, ANY, Tue Jan 13 06:05:22 CST; DDoS Attack Defense Policies 8: 1 TCP SYN Flo..., 2 TCP Flooding, 3 UDP Flooding, each ANY Local <-> ANY Remote, ANY, Tue Jan 13 00:30:14 CST.)
96. t. 10: set the physical connection at 10 Mbps. 100: set the physical connection at 100 Mbps. auto: set the physical connection operating mode by auto-sensing. <full|half>: full sets the physical connection operating mode to full duplex; half sets it to half duplex. Example:
>> set interface link
Need interface name: remote|local|manage
Note: this command is only applicable to the console. set interface stealth. Description: use the set interface stealth command to set the stealth mode on the specified interface of the DFL-2100/DFL-2400 device. Syntax: set interface stealth <remote|local|manage>. Arguments: remote, the remote (WAN) interface setting; local, the local (LAN) interface setting; manage, the management interface setting. Example:
>> set interface stealth remote
Need interface name: remote|local|manage
Note 1: this command is only applicable to the console. set psserver. Description: use the set psserver command to configure the Policy Server which manages and logs events for the DFL-2100/DFL-2400 device. Syntax: set psserver <ip|interval>. Arguments: ip <ip_address>, set the Policy Server host IP; interval <value 10-600>, configure the time interval for sending events to the Policy Server. Note: if the Policy Server sits behind a firewall, the IP add
97. set of Rules in Group_A and another set of Rules in Group_B, then you can disable all the Rules in Group_A just by disabling Group_A, instead of disabling the Rules in Group_A one by one. Note: a. All changes to the Schedule Book will not take effect until the red-lighted Confirm button is clicked. b. A disabled Rule in an enabled Group is still disabled, and an enabled Rule in a disabled Group is still disabled. Add a Group. 1. Click the Group Book button to switch to the Group Book page. 2. Click the Add button or right-click on the Book Table and select Add; the following dialog appears. 3. Enter the Group Name. 4. Select one or more Addresses from the Source Address List and click the transfer button; the selected Addresses are then added to the Grouped Address List. 5. Enter your Comment for this Group. 6. Click Add to add the Group to the Group Book. (Dialog residue; legible fields: Add a Group / Edit a new Group, Group Name: Test Group, Grouped Target Addresses, Local, Remote, Host1, Source Address List, Grouped Address List.) Figure 7-5: Add a new Group dialog. Modify a Group. 1. Click the Group Book button to switch to the Group Book page. 2. Click the Modify button or right-click on the Book Table and select Modify; the following dialog appears. 3. Modify any of these fields as you wish. 4. Click Modify to update this Schedule, or Cancel to remain unc
98. t your DFL-2100/DFL-2400, you first need to load the latest defense policies. 10. Select the Add button or right-click on the Network Attack Defense Policies window to add new policies. (Screenshot residue; legible: IDS Manager, Policy Server 192.168.168.210, Defense Policies, Network Attack Defense Policies 0, DDoS Attack Defense Policies, Import Books, ANY Local <-> ANY Remote.) Figure 2-8: Add Policies dialog. There is a default policy database on the DFL-2100/DFL-2400 Policy Server; the administrator must select Download latest attack pattern via network to update to the latest patterns, or load them from the Administrator Utility CD (Policy Server / PolicyDB / policyXXX.pin). (Pick Policies dialog residue; legible: Defense Policy DB, Update Attack Patterns, policy types TCP SYN Flood, TCP Flood, UDP Flood, UDP Smurfing, ICMP Flood, ICMP Smurfing, IGMP Flooding, IP Flooding, Buffer Overflow, Access Control, Scan, Trojan Horse, Other; File name: pattern.pin, Files of Type: Patterns (*.pin), OK, Cancel.) Figure 2-9: Download latest
99. tegrity, pinglen, wccp, vpnbypass, ip, gateway, mask, passwd, rpasswd, detect, logmax. Arguments: tcptimeout <Value 20-86400>: set and modify the TCP connection timeout. policy <remote|local> <on|off>: set whether the policies are in effect or not. pingmax <remote|local> <Value 1-5000>: how many users are allowed to ping a host in a second. stateful <on|off>: check the TCP state or not; the default setting is <off>. integrity <on|off>: check the IP integrity or not; the default setting is <on>. pinglen <Value 64-1500>: set and modify the packet size of ping. wccp <bypass|redirect_ip>: check the WCCP packet or not, and specify the redirect host IP address. vpnbypass <on|off>: check the VPN packet or not. Examples. Ex 1: ">> set system detect tcptimeout" replies "Need value 20-86400"; ">> set system detect tcptimeout 6000" replies "Change TCP session time out limit to 6000 OK". Ex 2: ">> set system detect pingmax local" replies "Need value 1-5000"; ">> set system detect pingmax remote 3000" replies "Change remote port maximum ping packet limit to 3000 OK". Ex 3: ">> set system detect policy remote on" replies "Apply policy check for remote interface OK". set time. Description: Use the set time command to set the system time on the DFL-2100/DFL-2400 device. Syntax: set time. Arguments
100. the D-Link office nearest you. An address/telephone/fax list of D-Link offices is provided in the back of this manual. Trademarks: Copyright 2000 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation / D-Link Systems, Inc. All other trademarks belong to their respective proprietors. Copyright Statement: No part of this publication may be reproduced in any form or by any means, or used to make any derivative such as translation, transformation, or adaptation, without permission from D-Link Corporation / D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with this user's guide, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause h
101. the icon before the policy name is checked, then it was selected. Otherwise, if it is unchecked, then this defense policy is not selected. When a policy is selected, you can see its attributes and properties in the Attack Attribute window and the Defense Policy Property window. Figure 5-7: Policy List screen (Defense Policy DB tree with the classes DDoS, Buffer Overflow, Access Control, Scan, Trojan Horse and Other, listing entries such as "MISC linux rootkit attempt", "HidePak backdoor attempt", "BAD-TRAFFIC 0 ttl" and "Trin00 Daemon to Master HELLO"; Non-Spanned Class and Spanned Class). Tip: In order to find the policy you want quickly, you can sort the policies in the list. Press the Arrange Policies button and choose the listing method. The default setting is by Policy Type. You can try by OS type to group target-machine-specific policies, by Issued Date to get newly released policies, by alphabet to list policies alphabetically, or by detect method provider to group policies released by different authorities, including user-defined policies (see defi
102. tified as flooding/smurfing packets in a second. 3. Traffic distribution: a number to tune the sensitivity of the detection model, ranging from 0 to 100. If you give a large number, the internal model of the DFL-2100/DFL-2400 will be more sensitive to the variance of traffic distribution. Figure 5-14: The DDoS Parameters setup (Number of packets above per second, Number of SYN packets above per second, Low/Medium/High, Traffic distribution 50 default). If you get a lot of false alarms of DDoS attack, you could try to lower this value. But before doing this, you had better check the DFL-2100/DFL-2400 Reporting System and inspect the logged packet headers to make sure whether they are really false alarms or not. Define Policy Actions: The final procedure to edit a policy is to define what kind of action will be applied when this policy's conditions are matched. Several actions are available: 1. Alarm by Email: the DFL-2100/DFL-2400 will instantly send a mail containing the information of this attack to the email addresses of administrators defined in the email trap. 2. Log: the attack will be logged and managed by the DFL-2100/DFL-2400 Reporting System. 3. Block Packet: this attack packet would be dropped. 4. Block Connection: this attack packet would be dropped and its connection would be cut off. 5. Log packet headers: this
103. tion about the DFL-2100/DFL-2400 IDS Reporting System, including related information about network attacks and system information. The DFL-2100/DFL-2400 Reporting System builds these time reports in a web-based form; users just click on the index.htm of the home page to review the reports through a browser while receiving them. Figure 8-35: The Schedule Summary report (Basic Local Attack Information: Number of Attacks, Top 10 Attacked Hosts, Remote Attack Information, Events List, System Log, Received Packets, Dropped Packets). Version information. Figure 8-36: The dialogue box of DFL-2100/DFL-2400 version information. Close button: click on this button to go back to the main screen. Version information: this field includes the version information of the system. D-Link Offices: AUSTRALIA, CANADA, CHILE, DENMARK, EGYPT, FRANCE, GERMANY, INDIA, ITALY, JAPAN. D-LINK AUSTRALASIA: Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia. TEL: 61-2-9417-7100. FAX: 61-2-9417-1077. TOLL FREE: 1800 177 100 (Australia), 0800 900900 (New Zealand). URL: www.dlink.com.au. E-MAIL: support@dlink.com.au, info@dlink.com.au. D-LINK CANADA: 2180 Winston Park Drive, Oakville, Ontario L6H 5W
104. tions of report: The system manager can select the events or contents that the user wants to monitor through 4 options, including Real-time network attack monitor, Network attack report, Real-time traffic monitor and System events. 3. Report screen: The main display area displays information and charts according to the options selected on the reporting system. Figure 8-1: The main screen of the DFL-2100/DFL-2400 IDS Reporting System (the main functions of the Report screen). Start to use the DFL-2100/DFL-2400 IDS Reporting System: The system manager just clicks on the Reporting System button on the screen of the DFL-2100/DFL-2400 IDS Management System to open the DFL-2100/DFL-2400 IDS Reporting System. > When the system manager clicks the button to enter the DFL-2100/DFL-2400 IDS Reporting System, the system will pre-load the real-time network attack monitoring screen of the DFL-2100/DFL-2400 that the user is currently managing. If the DFL-2100/DFL-2400 IDS Management System has not loaded any DFL-2100/DFL-2400 equipment, the reporting system will not work when the button is clicked directly. > Select one of the 4 main report functions. The system pre-loads the Real-time network attack monitor function. Real-time network attack monitor: The on-line Real-time network attack monitor of the DFL-2100/DFL-2400 IDS Reporting System provides r
105. ttacks can be categorized into three groups: 1. The attack report: a report of the main network attacks. The manager can check the ranking of attacked hosts, the ranking of attack types, the risk ranking of attacks, etc. 2. The event search: an inquiry about serious attacks. It can search the network attack events, distinguished by host attacks or network attacks. 3. The final type is Statistics: a statistical analysis of network attacks, including daily report, weekly report, monthly report and various statistics of occurred network attacks or host attacks. Note: All attack event inquiries in report forms require an accurate Inquiring Time; otherwise the search information may not be found. Browse of main attack events: On the select screen of report forms, the system manager selects Attack Event Report and then selects the inquiry scope, object and time to inquire about the ranking of attacked hosts, attack types and warning levels. Figure 8-5: The inquiry screen of the attack events ranking report (Chart View; scope All, Local or Remote; Attacked Host, Attack Type, Severity). Ranking of attacked hosts: In the options of the attack events report, select the scope as All or another scope such as Local or Remote, then select Attacked Host Name and the corresponding time, and click Generate Chart to see the host attacked ranking report, similar to Figure 8-6.
106. ut: The DFL-2100/DFL-2400 IDS Policy Server regularly outputs reports via e-mail or FTP. The interval of output time can be set as a few hours or a few days. Figure 8-33: Set up Time Report as FTP output (Set Report dialog: Enable Export Report; Time Interval every N hours or every N days; FTP: Enable, FTP Server IP, username, Password, Upload Directory). 1. Check the box of Enable report output. 2. Select an interval of data output, by time (a few hours) or by day (a few days). 3. Select to receive report data with an FTP server. 4. Set up the IP address, account and password, and upload directory of the FTP server. Note: When FTP output of time reports is selected, the upload account should have enough read and write authority on the upload directory of the FTP server. Figure 8-34: Set up a time report as mail output (Set Report dialog: Enable Export Report; Time Interval; Mail: Enable Mail, Email Address, SMTP Server). Check the box of Enable Mail. Enter an e-mail address and click on the Finish button. Enter your SMTP server. Click on the Set up button to finish the setting of enabling the time report output for e-mail. Time Report Output covers complete informa
107. via your browser. 2. Manage your DFL-2100/DFL-2400 via your Policy Server management windows. 3. Download the latest attack pattern and make sure the defense policies take effect. IDS COMMAND SHELL: DFL-2100/DFL-2400 Console/SSH System. The Console Service on the DFL-2100/DFL-2400 provides a text-mode interface for administrators to configure the DFL-2100/DFL-2400 via an RS-232 serial line. It runs as a shell: when legal commands are given, it performs the requested tasks. The SSH Service does the same things as the console service (actually they use the same shell), but there are three points of difference: (i) SSH provides a mechanism so that the administrator can configure the DFL-2100/DFL-2400 remotely via the computer network. (ii) Since remote access is considered more risky than access from the console, some functions are limited to the console service only. The list of limited functions will be shown in the next section. (iii) For the sake of security, the SSH service can be suspended. In the security field, the common way to protect against brute-force password guessing is to increase the delay time between login attempts. For the console service it is not necessary, but for the SSH service it is. Thus the SSH login attempt is confined to 3 times and 60 seconds: if the login fails more than 3 times, or the user hangs on the login procedure for over 60 seconds, the SSH connection is cut off and the resource
108. w Policy window will show as in the following figure. 5. Click the button in the Defense Policy window. Note: All policies created by users are labeled as User Defined, and only User Defined policies can be modified and deleted. Policies issued by the vendor or third parties cannot be modified or deleted; users can change their protect scope, schedule and actions only. Before you define your own policies, be sure that you know how the network works. There are lots of fields in the Define your own policy procedure. Figure: Define a new Defense Policy dialog (Attack Attributes: attack type such as DDoS, Directional/Unidirectional, Source IP and Destination IP with Don't Care / ANY / Local / Remote, OS such as Windows, Linux, FreeBSD, Solaris or Other, Network Device, TOS, Protocol type, Severity with Don't Care / Low / Medium / High; Recognize Condition: IP Packet Size, Fragment ID, TTL, IP Header Size, Checksum, Fragment Point and Flags, each set to Don't Care by default; Actions while being attacked: Block packet, Log).
109. wser will consider the DFL-2100/DFL-2400 Management System and Reporting System applets as trusted. Figure 2-3: The DFL-2100/DFL-2400 Main Page. The Java Plug-in: The DFL-2100/DFL-2400 Management System and Reporting System run as Java applets with the assistance of the Sun Microsystems Java Plug-in. You will install the Java Plug-in from the Policy Server automatically when your browser connects to the Policy Server for the first time. Getting Certification: Once you have completed the installation of the Java Plug-in, you must get certification. To get the certification, click on Get Certification and it will install the certification files automatically. Figure 2-4: Get Certification (the "Importing Certificate for PolicyServer" dialog: "Welcome. This program will import the Certificate for PolicyServer into the keystore of your Java Plug-in. Press the Next button to start the importation. You can press the Cancel button now if you do not want to import the Certificate for PolicyServer at this time."). Once you have finished downloading the certification, you must restart your browser. Manage your DFL-2100/DFL-2400: Start the DFL-2100/DFL-2400 Management System. > Select Manager from the DFL-2100/DFL-2400 Main Page; the following login dialog will appear. > Enter the Password and click Login to log in to the DFL-2100/DFL-2400 Management main scr
