Force10 Networks PSeries 100-00055-01 User's Manual
Contents
1. P arameters number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command l History Version 2 0 0 1 Introduced Example Figure 47 pnic compilerules Command Example root 1ocalhost SW pnic compilerules N No card number specified Assuming card 0 Compiling dynamic rules for pnic0 Parsing the dynamic rules for channel0 Parsing the dynamic rules for channell Version P_MAIN2 2 0 058 tzoot localnost SW y Usage The binary code created by this command is stored in the file usr local pnic 0 Information pnic_ 011 bin This command also updates the rule description databases usr local pnic 0 pnic_f011 custmapping pnic default drop disable Disable firewall functionality This is the default behavior pnic default drop disable number Enable firewall functionality using the command pnic default drop enable Parameters number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command 7 History Version 2 2 0 0 Introduced P Series Installation and Operation Guide version 2 3 1 2 85 Example Figure 48 pnic default drop disable Command Example root localhost SW pnic default drop disable No card number specified Assuming card 0 Disabling Default Packet Drop on card 0 successful Temporary memory enabled Flow teardown disabled root localhost SW pnic default drop enable En2. P Series Installation and Operation Guide Version 2 3 1 2 May 27 2008 PN 100 00055 01 Copyright 2008 Force10 Networkse All rights reserved Printed in the USA January 2008 Force10 Networks reserves the right to change modify revise this publication without notice Trademarks Force10 Networks and E Series are registered trademarks of Force10 Networks Inc Force10 the Force10 logo and P Series are trademarks of Force10 Networks Inc All other brand and product names are registered trademarks or trademarks of their respective holders Statement of Conditions In the interest of improving internal design operational function and or reliability Force10 Networks reserves the right to make changes to products described in this document without notice Force10 Networks does not assume any liability that may occur due to the use or application of the product s described herein USA Federal Communications Commission FCC Statement This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC rules These limits are designated to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy If it is not installed and used in accordance to the instructions it may cause harmful interference to radio communications Operation of this equipmen
3. Related Commands pnic web gui stop Stop the web server Syntax pnic web gui stop f Enable the web server using the command pnic web gui start i f Stop the Web gui server without a confirmation prompt Command History Version 2 3 0 0 Introduced 116 Appendix A Example Figure 86 pnic web gui stop Command Example root localhost pnic pnic web gui stop Do you really want to stop the web gui application Web gui application has been stopped root localhost pnic y n y Related Commands pnic web gui start Start the web server P Series Installation and Operation Guide version 2 3 1 2 117 118 Appendix A Snort Keywords Table 28 describes briefly the valid Snort keywords supported on the P Series For a more detailed explanation for these keywords see the Snort website at http www snort org docs snort_manual node17 html Table 28 Description of P Series Snort Keywords Keyword ack Description Checks for a specific TCP acknowledgment number number is a reference to a previously transmitted sequence number that is being acknowleged Rule Syntax ack number content Specifies the content within the packet payload for which the rule is to search data_string can contain mixed text and binary data Binary data is enclosed within pipe characters and is written in hexadecimal form content data_string ds
4. root localhost pnic resetconf No card number specified Assuming card 0 Loading default configurations Read from configuration file and apply to PNIC card Registers on master FPGA 0x10 0000 0x14 0010 0x18 0000 Registers on PCI FPGA 0x18 0100 0x24 20788 0x28 20788 DMA Capture on MAC rewrite CHO disabled CH1 disabled Default Drop packet disabled Temporary memory enabled Aggregate mode enabled Flow teardown disabled PHY passive mode disabled Vlan remove disabled Read out the registers that were just applied On MASTER FPGA 0x10 00000000 0x14 00000010 0x18 00000000 On PCI FPGA 0x18 00000100 0x24 00020788 0x28 00020788 DMA Capture on MAC rewrite CHO disabled CH1 disabled Default Drop packet disabled Temporary memory enabled Aggregate mode enabled PHY passive mode disabled Flow teardown disabled Vlan remove disabled Version P_MAIN2 3 0 006 Mo 14 e Stop capturing and matching 104 Appendix A e Load the rule firmware e Load the capture block configuration e Load the runtime parameters Enable the network interface Note Essentially this command performs the command pnic stop followed by the command pnic start Syntax pnic restart Command History Version 2 0 0 1 Introduced Example Figure70 pnic restart Command Example xoot localhost SW pnic restart N No card number specified Assum
5. Enabling temporary memory on card 0 successful root localhost SW pnic temp mem disable Disable temporary memory pnic updatemacvalue Syntax Parameters Command History Example Related Commands Usage Information Specifies an LSB value for a particular hash index pnic updatemacvalue number number Enter the number of the network interface card Range 0 5 Default O Version 2 1 0 0 Introduced Figure 81 pnic updatemacvalue Command Example root localhost SW pnic updatemacvalue No card number specified Assuming card 0 Please input the hash index 0 255 56 The value to replace 0x78 The MAC address updating is done on register 0x4e0 index 56 root localhost SW pnic macrewrite on Enable MAC rewriting pnic macrewrite off Disable MAC rewriting pnic updatemacvalue Obtain or assign a MAC LSB hash index value Use this command with the MAC rewrite feature P Series Installation and Operation Guide version 2 3 1 2 113 pnic vlan remove disable Syntax Default Command History Usage Information Example Disable the VLAN Tag Remove feature pnic vlan remove disable The VLAN Tag Remove feature is disabled by default Version 2 3 1 2 Introduced This feature is enabled and disabled on both sensing ports Figure 82 pnic vlan remove disable Command Example root localhost pnic pnic vlan remove disable No card numbe
6. action protocol source_address source_port gt destination_address destination_port content data_string msg message Table 12 Snort Rule Example alert tcp any any gt 192 168 1 0 24 111 content 00 01 86 a5 msg mounted access Snort Rule Headers Action The first item in a rule is the action keyword It dictates how Snort is to handle a packet that matches the rule All of the elements in a rule must be true for Snort to execute the action There are five actions keywords in Snort e alert directs Snort to generate an alert and log the packet e log directs Snort to log the packet P Series Installation and Operation Guide version 2 3 1 2 63 e pass directs Snort to ignore the packet e activate directs Snort to generate an alert and activate another specified rule e dynamic directs Snort to disregard the rule until it is activated by another rule Once activated the action defaults to log Note The default actions for the P Series are different from Snort See P Series Rule Syntax on page 66 The meaning of the Snort action keyword dynamic is not the same as P Series dynamic rules Dynamic rules in Snort are rules that must be activated where as with the P Series dynamic rules are any rules that are uploaded to the FPGA without creating new firmware Protocol Snort supports four protocols tcp udp icmp or ip The protocol keyword follows the action keyword Sourc
7. e Aggregate traffic from both sides of the link to one port as shown in Figure 8 e Aggregate traffic from both sides of the link to one port using a SPAN port as shown in Figure 9 Figure 7 Passive Deployment using a Network Tap Network Tap 10 Gigabit J 10 Gigabit P Series P10 fn90032mp P Series Installation and Operation Guide version 2 3 1 2 21 Figure 8 Passive Deployment with Aggregation using a Network Tap Network Tap 10 Gigabit P Series P1 fn90033mp Figure 9 Passive Deployment with Aggregation using a SPAN port Network Switch with SPAN port 10 Gigabit fn90034mp Capturing Matched Traffic P Series supports capturing matched traffic for analysis 29 Introduction Capturing to a Host CPU Captured traffic can be sent to a host CPU through a libpcap library interface where it can be made available to applications for analysis A typical implementation provides IDS Snort acceleration because of the hardware assist Figure 10 Capturing Matched Traffic via the libpcap Interface PB 10GE 2P Matched Traffic HW M1 Pi PO Mo Traffic to monitor fn90035mp Use the P Series in an integrated security monitoring solution through the management port The P Series comes with support for Sguil NSM see Network Security Monitoring on page 43 Figure 11 Creating a Network Monitoring Solution with the P Series PB 10GE 2P Custom app
8. 3 499 2007 12 12 08 47 27 25 0 0 99 16 125 0 0 99 32 6 priority 5 Napoli_1 3 500 2007 12 12 08 47 27 25 0 0 100 16 125 0 0 100 32 6 priority 5 8 M Show Packet Data Y Show Rule www snort org nvid nist gov gt 121 0 0 1 24 any erse DNS Enable External DNS priority 1 i id 10000001 24 0 0 121 0 0 98 c240 0 1 hsd1 nj comcast netUnknown Unknownip 121 0 0 98 onqnetworks net Whois Query C None SrcIP DstIP e a 70 72 69 6F 72 69 74 79 31 00 00 00 00 00 00 00 tat a a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A A RAS 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RI72 AP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RN137 AP nA AA AA AA AA AN APNIC HM Search Packet Payload Hex Text NoCas fn90028mp Network Security Monitoring Command Line Interface The command line interface CLI is an alternative to the GUI for managing the appliance A script called pnic is used to perform the same management functions as the GUI Invoke the pnic script using the command syntax pnic command the OS environment variables are set such that this command can be executed from any path CLI Commands CLI commands are given in Command Line Reference on page 79 Editing Dynamic Rules with the CLI Dynamic rules are stored in the file rules custom in the usr local pnic 0 directory To edit dynamic rules Step Task 1 C
9. gt any any msg Z Default rule fragmented ip Note P Series does not support the Snort action keywords log pass activate and dynamic P Series supports the action keywords alert permit divert and deny P Series Supported Snort Keywords Table 19 lists Snort keywords that the P Series supports for both dynamic and static rules Table 19 Supported Snort Keywords for Static and Dynamic Rules Keyword Static Dynamic ack Yes Yes content Yes no negative No 66 Writing Rules Table 19 Supported Snort Keywords for Static and Dynamic Rules Keyword Static Dynamic depth No No dsize Yes No flags Yes Yes no wild card flow Yes No fragbits Yes No fragoffset Yes No icmp_id Yes Yes icmp_seq Yes Yes icode Yes Yes id Yes Yes ip_proto Yes Yes itype Yes Yes offset No No nocase Yes No protocol ICMP UDP TCP IP ARP ICMP UDP TCP IP seq Yes Yes source address Yes Only 8 16 24 32 masks destination address Yes Only 8 16 24 32 masks source port Yes Yes no ranges destination port Yes Yes no ranges tos Yes Yes ttl Yes Yes uricontent Yes no negative No window Yes No within No No P Series Installation and Operation Guide version 2 3 1 2 67 Writing Stateful Rules Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across multiple matching events State tra
10. libpcap Matched Traffic Mgmt HW M Pi Po Mo Port Custom security monitoring E application Traffic to monitor fn90036mp P Series Installation and Operation Guide version 2 3 1 2 23 Mirroring to Another Device Mirror captured traffic out of the 1 Gigabit mirroring ports to use the P Series as an IDS accelerator or as part of an integrated security monitoring solution Figure 12 Creating an IDS Accelerator with the P Series PB 10GE 2P Traffic to Monitor Matched Traffic 1 Gigabit IDS Security Monitoring Application n90037mp 24 Introduction Graphical User Interface The GUI can be used to e Start and stop the DPI e Load firmware e Compile and load dynamic rules e Manage the runtime parameters e Manage the capture forward policies for rules Note Using the GUI requires the super user privilege To invoke the GUI Step Task 4 Invoke the GUI by entering the command pnic gui Note The OS environment variables are set such that the pnic gui command can be executed from any path Runtime statistics are displayed after the pnic gui command is executed If the FPGA is not loaded the display appears as shown in Figure 13 If firmware is loaded the display appears as in Figure 19 P Series Installation and Operation Guide version 2 3 1 2 25 GUI Commands From the Runtime Statisti
11. 00000000 On PCI FPGA 0x18 00000100 DMA Capture MAC rewrite Loading configurations Read from configuration file and apply to PNIC card Registers on master FPGA 0x10 0000 0x14 0010 0x18 0000 Registers on PCI FPGA 0x18 0100 0x24 20788 0x28 20788 Default Drop packet disabled Temporary memory enabled Aggregate mode enabled Flow teardown disabled PHY passive mode disabled Vlan remove disabled Read out the registers that were Just applied On MASTER FPGA Default Drop packet disabled Temporary memory enabled Aggregate mode enabled PHY passive mode disabled Flow teardown disabled Vlan remove disabled soot8 localhost pnic loadconf N No card number specified Assuming card 0 2 On CHO disabled CH1 disabled 0x14 00000010 0x18 00000000 0x24 00020788 0x28 00020788 on CHO disabled CH1 disabled asia P_PRIV2 3 0 010 a The syntax of such parameter files is address value where address is the decimal address of the DPI control register and value is the hexadecimal parameter to be loaded Table 27 shows the parameters to which each address is mapped Table 26 pnic loadconf Address Mapping Address Corresponding Parameter Address 20 Master FPGA This address is mapped to the parameter Flow timeout measured in multiples of 0 86 seconds This parameter controls how quickly the stateful packet analysis can garbage collect previou
12. Default Drop packet disabled Temporary memory enabled Aggregate mode enabled PHY passive mode disabled Flow teardown disabled Vlan remove disabled debida On MASTER FPGA HAAA AAE AE AE AE AAE AE E AA Per Flow Packet Limit unlimited Timeout for Flow Garbage Collection 16 Truncation after Match Packet full packet HHHEEEHEHEEEREE EEE HEHE On PCI FPGA 4AA AE IE TE AE AE AE IE AE AE HEE EE EA E H EEH DMA Burst Size 1024 Bytes DMA Flush Timer 1 ms Interrupt Frequency Timer 1 ms ee P_PRIV2 3 0 010 Y Related i P TE Commands pnic cardstatus Display the status of the ports the revision number of PCI X FPGA and the revision number of the Master FPGA pnic version Display the driver version pnic show firmwares List the available firmware images Syntax pnic show firmwares 108 Appendix A Command History Version 2 3 0 0 Introduced Example Figure 75 pnic show firmwares Command Example root localhost SW pnic show firmwares No card number specified Assuming card 0 List of available firmware images null xc4v1x200 ff1513 50 50 2048 snort_rules bad xc4v1x200 ff1513 20 20 2048 root localhost SW Related Commands pnic apply firmware Apply a specific firmware to the card pnic showtech Display all technical data and configuration files for the diagnostic and debugging purpose Syntax pnic showtech number gt filen
13. Max string 32 To generate new PNIC firmware with the above configuration Select Save_configuration and run make The compilation process will create the file snort_rules sample xc4vlx200 ff1513 20 20 2048 N Y N N 1 Save_configuration L Exit Starting and Stopping the pnic Compiler Enter the keyboard command Ctrl C or a SIGINT signal to interrupt the compilation or configuration process Enter gmake to restart the process from where it was interrupted The compilation process restarts at the point where it was halted the configuration process restarts from the beginning During compilation enter Ctrl C followed by gmake clean to regenerate firmware with different options This erases the current configuration and resets the compilation process Previously generated firmware files are not erased Compiling Rules Configuration and Generated Files Table 9 describes the files that are used or generated by the pnic Compiler Table 9 Configuration and Generated Files File pnic_ bit pnic_ mapping Description Generated after compiling static rules They are then renamed and copied to usr local pnic firmware When selecting firmware the bit files are symbolically linked to the corresponding renamed files in the firmware directory Generated after compiling static rules They are then renamed and copied to usr local pnic firmware When selecting firmware the mapping files are symbolically linked to th
14. Table 24 TCP Packets with Anomalous Flags alert on cO tcp any any gt any any msg Z SAPU TCP Flags flags SAPU alert on cO tcp any any gt any any msg Z FU TCP Flags flags FU alert on cO tcp any any gt any any msg Z PF TCP Flags flags PF alert on cO tcp any any gt any any msg Z UP TCP Flags flags UP alert on cO tcp any any gt any any msg Z Zero TCP Flags flags 0 The compiler also automatically produces rules that match all packets that are IP fragments or have IP options These rules are not specified in the pnic meta file as they can be more efficiently implemented by the compiler directly P Series Installation and Operation Guide version 2 3 1 2 73 74 Writing Rules Firewall Deploying the P Series as a Firewall By default the P Series is an IDS IPS system the P Series forwards all traffic by default and blocks packets only if it matches a rule You can deploy the P Series as a limited firewall by enabling Drop mode In Drop mode the P Series blocks all traffic by default and forwards traffic only if it matches a rule P Series Installation and Operation Guide version 2 3 1 2 75 Enabling the Firewall Enable Drop mode using the command pnic default drop enable Disable Drop mode using the command pnic default drop disable These commands are shown in Figure 39 Figure 39 Enabling and Disabling Drop Mode O rootO localhost pnic default drop disable No
15. The command text Searches for the specified text in the forward direction e The command text searches for the specified text in the backwards direction n 1 G La command nG moves the cursor to the specified line where n is the line num The command 1G moves the cursor to the first line in the file e The command G moves the cursor to the last line in the file 0 Moves the cursor to the beginning of the current line Moves the cursor to the end of the current line set number no Turns the line numbers on and off number q Exits the editor without saving changes wq Saves changes and exits the editor 126 Appendix D Glossary ACK DHCP DMA DPI Dynamic Rules Flow FPGA Garbage Collection IDS IPS MISD Null Firmware Offset meta rules SFP An Acknowledgment packet ACK is a packet that is sent from the client to the server to complete a TCP connection See SYN Dynamic Host Configuration Protocol DHCP is a protocol that automatically requests an IP address subnet mask and default gateway for a network client Direct Memory Access DMA is a method by which devices in a hardware system can transfer data without occupying the CPU In the case of the P Series the network interface card can transfer matched packets directly to the host memory by taking control of the PCI X bus Dynamic Parallel Inspection DPI is an engine based on Multiple Instruction Single Data MISD hardware arch
16. f option the P10 prompts you again for the parameters to generate a new certificate on Version 2 3 0 0 Introduced P Series Installation and Operation Guide version 2 3 1 2 115 Example Figure 85 pnic web gui start Command Example xoot localhost pnic pnic web gui start ES INFO Generating SSL certificate for the web gui application Generating a 1024 bit RSA private key A Sh i 8 writing new private key to usr local pnic mgmt lib sslcert rootkey pem You are about to be asked to enter information that will be incorporated into your certificate request What you are about to enter is what is called a Distinguished Name or a DN There are quite a few fields but you can leave some blank For some fields there will be a default value If you enter the field will be left blank Common Name FQDN or IP address of the P Series box using which you access the web gui application 192 168 1 1 10 11 194 184 Organization Name company Forcel0 Networks Inc Organizational Unit Name department division P Series Security Locality Name city district 350 Holger way San Jose State or Province Name full name California Country Name 2 letter code US Email Address support forcel0networks com INFO SSL certificate generation for the web gui application successful Web gui application has started successfully AU eens pnic y pnic web gui stop Stop the web server
17. the compilation process fails and you receive a Error PhysDesignRules error message In this case enter gmake clean to erase the current configuration and begin again e Iftoo many rules stored in the rules file specified in Option 6 of the compiler configuration phase the compilation process fails In this case enter gmake clean to erase the current configuration and begin again 62 Compiling Rules Writing Rules P Series rule syntax is based on Snort Both rule structures are described in this chapter e Snort Rule Syntax on page 63 e P Series Rule Syntax on page 66 Snort Rule Syntax Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches that description Rules are divided into two sections e Header The header contains the action protocol source and destination IP addresses with subnet masks and the source and destination ports e Options The options section contains alert messages and specifies values to search for inside the packet Table 11 shows the syntax for Snort rules and Table 12 shows an example The text preceding parenthesis is the header and the section enclosed in parenthesis contains the rule options The words before the colons in the rule options section are option keywords Rules that span multiple lines must have a backslash at the end of the line All rules and options must be punctuated with a semicolon Table 11 Snort Rule Syntax
18. through the DPI network interface 70 Writing Rules You can inspect Signatures 4 5 and 6 and verify that they trigger a match and place a packet in Match Memory thus alerting the host if three consecutive packets are seen with size between 0 and 100 The third packet references the previous two stored in Temporary Memory Thus once the third packet is received the three segments are presented to the host through the DPI network interface Notice that the bit pattern used in the two rules avoids collision with the previous rule if the flow hashing also happens to collide The meta rules File The meta rules file located in the pnic compiler rules directory specifies a number of stateful rules to be used with standard Snort rules which use the Flow keyword In addition these rules implement a stateful mechanism to circumvent some common forms of TCP IDS evasion The meta rules are given in Appendix C on page 123 Support for Snort s flow Keyword The two stateful rules in Table 21 initiate a new flow if a SYN or a SYN ACK are seen A Snort flow established keyword is translated to S 4 and S 2 for client to server and server to client flows respectively These keywords are automatically inserted by the PNIC Compiler when a flow established keyword is encountered during compilation You can also insert the keywords directly into your rules Table 21 Flow Established Rules alert tcp any any gt any any msg
19. 27 Loadparams Address Mapping Address Corresponding Parameter Address 20 Master FPGA This address is mapped to the parameter Flow timeout measured in multiples of 0 86 seconds This parameter controls how quickly the stateful packet analysis can garbage collect previous states Smaller values increase the number of concurrent flows that can be tracked The default value is 16 Address 16 Master FPGA This address is mapped to the parameter Flow length measured in packets This parameter controls the maximum number of packets in a flow that are considered for capturing Typical values range from 6 to16 P Series Installation and Operation Guide version 2 3 1 2 97 Table 27 Loadparams Address Mapping Address Corresponding Parameter Address 24 This address is mapped to the parameter Burst size measured in 32 bit PCI X FPGA words This parameter sets the number of 32 bit words to transfer in one PCI X master cycle Larger bursts achieve higher throughput but may increase buffering latency and contention with other devices sharing the same bus The default value is 1024 Address 36 This address specifies the count in PCI X clocks before the DMA buffer is PCI X FPGA transferred to the host if the buffer contains less than the programmed burst size pnic loadrules Syntax Parameters Command History Example Usage Information Upload to the FPGA the dynamic rules for both channels
20. AO 19 Deploying the P Series ria daa elias TAE TENE E PR TE pimeni O le Mine Dopo oaii a eee di a edinnd ods NE ar Oe pied weed 5 Hehe 20 Farsale DEMONIC cri aes eda a ode eee a ad cee A es de a 20 Highly available Deployment cccccccccecree tener re Pee eee A A A a 21 Passivo USHOVING coi re erer sire Leer edhe heel RARA RR dl 21 Capturing Matched Traffic TERES PE TEE TIET TIET PENTET AET PEAT hie Be apne Wom HOS CPU cea AAA 23 P Series Installation and Operation Guide version 2 3 1 2 3 Mirroring to Another Device 2 2 ccc vecsavcdessasivtseawnd sine des weesd ede peu d 24 Chapter 4 ed nn oe devon Geeks sceuae de 25 GUC OMAN ceses cane siria ais 26 Managing Rules Policies and Firmware 22 0cceeuanevaceeeo gears AA 27 Editing Dynamic Rules with the GUI uc ii a cca a dul eee asd 28 Managing Capture Forward Policies with the GUI ooooooooooonoora 29 Selecting Fimwars witht the GUI c eco4 cae desreuee ar rra A 30 OMI A hake Lbs ood dee es eee ak eee add 31 Reloading Firmware ccccceetecret EErEE sere A CREW ORR EE REG RS HOR 33 Chapter 5 Web based Management scccccd ncn cestd sea neceneenesa eee e deen seed eed ean dana 35 Launching the P Series Node Manager 0 0 eee eect ete 35 Web browser Security Certificates 2 0 0 0 tenet nes 37 Managing the P Series using Node Manager 000 0c cece eee teen eens 37 Monitorning System PEONES de 38 Managing Firmware Mages co
21. Bytes Bits Tracks data received by the OS Any difference between the values in this line and those in the Captured Packets line is due to buffering and or packet loss packet loss is due to high contention on the CPU Errors Reports the number of anomalous receive conditions the driver encounters Truncated Packets This feature is not supported Delayed Packets Reports the number of packets that were stored in the temporary buffer in hardware Reloading Firmware During firmware reloading all packets flow regardless of capture forward policies as the policies cannot be enforced during system initialization This open state during configuration state transition ensures that there is no interruption of service when the DPI is updated If the OS crashes or is halted the device drivers are rendered inactive but the card continues to operate independently and block forward policies are still enforced This behavior applies even when the device drivers are re installed during a reboot P Series Installation and Operation Guide version 2 3 1 2 33 34 Graphical User Interface Web based Management You can manage and monitor the P Series on the web using the Force10 Networks P Series Node Manager Note The web based GUI is supported on Linux only which is the default OS and requires software version 2 3 0 0 or newer Launching the P Series Node Manager Note The Web based GUI is best viewed with a minimum sc
22. Default 0 Version 2 0 0 1 Introduced Figure 57 pnic linkdown Command Example root localhost SW pnic linkdown No card number specified Assuming card 0 No channel number specified Assuming channel 0 Card 0 Channel 0 is down root localhost SW pnic linkup Enable the physical link ports Enable the physical link pnic linkup number channel Disable a physical link using the command pnic linkdown P Series Installation and Operation Guide version 2 3 1 2 93 Parameters Command History Example Related Commands number Enter the number of the network interface card Range 0 5 Default 0 channel Enter the channel number Range 0 1 Default 0 Version 2 0 0 1 Introduced Figure 58 pnic linkup Command Example root localhost SW pnic linkup No card number specified Assuming card 0 No channel number specified Assuming channel 0 Card 0 Channel 0 is up root localhost SW pnic linkdown Enable the physical link ports pnic loadconf Syntax Parameters Command History Upload the runtime configuration parameters contained in the file usr local pnic O pnic conf pnic loadconf number number Enter the number of the network interface card Range 0 5 Default O Version 2 3 0 0 Introduced 94 Appendix A Example Usage Information Figure 59 pnic loadconf Command Example DMA Capture MAC rewrite 0x10
23. Example 1 xoot localhost pnic pnic sguil sensor stop SS Do you really want to stop the Sguil sensor application y n y LogPackets stopped successfully Trying to stop Pcap Agent Stopped Pcap Agent successfully Trying to stop Sancp Agent Stopped Sancp Agent successfully Trying to stop Snort Agent Stopped Snort Agent successfully Trying to stop Barnyard Barnyard is not running Trying to stop Snort Stopped Snort successfully Trying to stop Sancp Stopped Sancp successfully Trying to stop tail of snort stats started by sensor_agent Stopped tail of snort stats successfully The Sguil sensor application has been stopped eee pnic we Figure 73 pnic sguil sensor stop Command Example 2 root localhost SW pnic sguil sensor stop Do you really want to stop the Sguil sensor application y n n root localhost SW Related Commands pnic sguil sensor start Start the Sguil sensor P Series Installation and Operation Guide version 2 3 1 2 107 onic showconf Display configuration parameters of the card Syntax pnic showconf number Parameters number Enter the number of the network interface card Range 0 5 Default 0 Command F History Version 2 0 0 1 Introduced Example Figure 74 pnic showconf Command Example xoot localhost pnic showconf N No card number specified Assuming card 0 DMA Capture on MAC rewrite CHO disabled CH1 disabled
24. FW Version 28 DMA Status Flow Timeout 16 Packets per Flow 0 Truncation IRQ Period 1 System Resource Status Default Drop Disabled Host CPU Load Average A Firmware Image Applied null xc4vlx200 fF1513 50 50 2048 AN Xx Interface Information w a 2 Bs al eee Interface Type Status Mac rewrite bi M ptr pnicO 0 sensing UP Active Disabled pnicO 1 sensing UP Active Disabled mirror0 0 mirror Up Active Not Applicable 13 55 13 56 13 57 13 58 13 59 14 00 14 01 14 02 Time hh mm ss 1 Min Average 5 Min Average 15 Min Average mirror0 1 mirror Up Active Not Applicable Host Memory Usage nasesessosssosecccnancesnsosssssssneeceenenens 4355 13 56 13 57 1358 1359 14 00 1401 14002 Time hh mm ss Ready Last refreshed time Fri 23 May 2008 14 02 19 0530 Status Connected to 10 16 130 245 Ready Fri 23 May 2008 14 02 26 0530 Java Applet Window 38 Web based Management Managing Firmware Images Manage the software image from the Image Management panel Figure 24 The Image Management panel provides options for compiling and deleting an image It displays a list of available images along with the currently applied image and its details Figure 24 P Series Node Manager Image Managment Panel Force10 P Series Node Manager 1 0 File View Help amp amp Home Image Mgmt Card Mgmt Policy Mgmt Image Management Line car
25. Parsing the dynamic rules for channel0 R 8 alert on c0 ip any any gt any any msg non ipv4 Parsing the dynamic rules for channell R 8 alert on cl ip any any gt any any msg non ipv4 Loading rule firmwares Done Loading pass block settings Done Loading dynamic rules Done Please run pnic restart or reboot the box to make it operate normally Version P_MAIN2 3 0 014 E aga sw y Figure 51 pnic diag Command Example 2 root localhost SW pnic diag No card number specified Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching Do you want to proceed n y n Exit Diagnostic test aborted root localhost SW This CLI provides the ability to diagnose the hardware problems which might appear in registers memories or other devices It reads and writes the registers on the master and PCI FPGAs which include all configuration registers counters MDIO and PHY registers It also tests the pass block setting rule CAM registers The RAM BIST and initialization are also done in this test P Series Installation and Operation Guide version 2 3 1 2 87 pnic flow teardown disable Configure the appliance to reset the state of the flow only upon a timeout This is the default behavior Syntax pnic flow teardown disable Command History Version 2 3 1 2 Introduced Example Figure 52 pnic flow teardown disable Command Examp
26. Rule Options Current set of dynamic rules applied on the device are You can add modify delete the rules anytime Interface Action Protocol Src IP msg Test rule 11000080 cl Ready Rule list refreshed 42 Web based Management Network Security Monitoring A key aspect of network security deployment is the ability to monitor the network for security events analyze them and perform counter measures To that end the P Series supports Sguil an open source network security monitoring and reporting system that provides the ability to e collect monitor and correlate security events alerts in the network e analyze security events based on context e categorize and escalate events for intrusion response decisions The Sguil solution consists of the following components Figure 27 e Sensors Sensors are the systems actually monitoring network traffic and collecting data Sensors perform packet captures of network traffic in addition to running Snort in alert mode e Database The database holds the alert and session data that the sensors collect e Client The client is the interface to the Sguil server e Server tThe Sguil server maintains connections to the sensors clients and database Figure 27 Sguil Architecture P Series Sensors Sguil Server Sguil Client Security Alert Info
27. SW 7 Enter the command gmake erase followed by gmake erase gmake gmake 8 Enter the command gmake install gmake install 9 Verify that the new software version is installed pnic cardstatus Warning The remainder of this procedure is for upgrading the boot firmware The boot firmware AN upgrade process takes up to 30 minutes and must not be interrupted If the process is interrupted the boot firmware must be reloaded via JTAG which requires an RMA 10 Enter the command pnic loadeproms to upgrade the pnic loadeproms boot firmware Answer yes to the confirmation question Note This process takes up to 30 minutes 11 Reboot the appliance shutdown r now Note Reboot the appliance only after pnic loadeproms has successfully finished 12 Log into the appliance and enter the command pnic pnic cardstatus cardstatus Verify that there is an output for this command This indicates that the upgrade process has been completed successfully Note See Appendix A on page 79 for an example output for this command P Series Installation and Operation Guide version 2 3 1 2 13 Step Task Command 13 Re compile all rules firmware with the new compiler cd upgrade_directory pnic compiler located in the directory pnic compiler gmake 14 Install pre compiled firmware if needed cd upgrade_directory firmware gmake install 14 Installation Getting Started To begin inspecting and filtering traffic
28. accessible only via Secure Shell Daemon SSHv1 or SSHv2 However inspect the configuration and make sure it meets the security policy requirements of your network before deploying the appliance Upgrading Software Upgrading software requires a boot firmware PROM upgrade This upgrade must be done during a maintenance window During this period stop all traffic from flowing through the appliance and disconnect all cables from the XFPs Note You must be logged in as root to upgrade software 42 Installation Warning Stop all traffic from flowing through the appliance and disconnect all cables from the XFPs A before proceeding Step Task Command 1 Save earlier configuration files and firmware by cp Rf usr local pnic home copying the directory usr local pnic to the home directory 2 Create a new sub directory in the home directory for mkdir upgrade_directory the upgrade package 3 From the root directory secure copy the file filename scp username server absolute_path from a server to the upgrade directory you created filename upgrade_directory Note In Unix the tilde symbolizes the home directory and can be used in place of the absolute path to the home directory The upgrade file is a Unix tarball the file extension of which is tar gz 4 Change directory to upgrade directory you created cd upgrade_directory 5 Untar the file PTPS P_MAIN tar xvzf PTPS P_MAIN 6 Change directory to SW cd
29. any gt any any msg Z Evasion State 2 Fragment of size 1 dsize 1 S 4 R 1 C 16 alert tcp any any gt any any msg Z Evasion State 1 First fragment of size 0 lt gt 10 state 1 dsize 0 lt gt 20 S 4 R 1 C 8 alert tcp any any gt any any msg Z Evasion State 2 Second fragment of size 0 lt gt 10 capture flow dsize 0 lt gt 20 S 8 R 1 C 16 alert tcp any any gt any any msg Z Evasion State 3 Capture flow fragments of size O lt gt 10 dsize O lt gt 100 S 16 R 2 C 17 P Series Installation and Operation Guide version 2 3 1 2 123 124 Appendix C Basic Unix Commands Unix Commands Table 31 Basic Unix Commands Command cd path Description Changes the current directory to the specified directory The path specified can be an absolute path or a relative path e The absolute path begins with a forward slash and specifies the destination directory beginning from the top of the directory tree e The relative path does not begin with a forward slash and specifies the destina tion beginning from a point common between the current and destination direc tories grep text filename Searches the specified file for a specified string of characters logout Logs you out of the current session Is directory Displays the contents of the specified directory man command Diplays the online manual pages for the specified command
30. apply firmwares capture off off capture on on cardstatus of the PCI X eo omitted Usage pnic function_command lt card_num gt lt channel_num gt lt force_options gt pnic aggregate mode disable lt 0 5 gt pnic aggregate mode enable lt 0 15 gt pnic apply firmwares lt 0 5 gt lt f gt pnic capture off lt 0 5 gt pnic capture on lt 0 5 gt pnic cardstatus lt 0 5 gt pnic compilerules lt 0O 5 gt pnic default drop disable lt 0 15 gt pnic default drop enable lt 0 15 gt pnic diag lt 0 5 gt pnic getmachashindex lt 0 5 gt pnic gui lt 0 5 gt pnic linkdown lt 0 5 gt lt 0 1 gt pnie linkup lt o lies 15 gt lt 07 12 pnic loadconf lt 0 5 gt pnic loadeproms lt 0 5 gt pnic loadpassblock lt 0 5 gt pnic loadrules lt 0 5 gt pnic macrewrite off lt 0 5 gt lt 0 1 gt pnic macrewrite on lt 0 5 gt lt 0 1 gt pnic params lt 0 5 gt pnic passive mode enable lt 0 5 gt pnic passive mode disable lt 0O 5 gt pnic restart lt 0O 5 gt lt f gt pnic showconf lt 0 5 gt pnic show firmwares pnic sguil sensor start pnic sguil sensor stop pnic start lt 0 5 gt pnic stop lt 0O 5 gt pnic temp mem disable lt 0 5 gt pnic temp mem enable lt 0O 5 gt pnic updatemacvalue lt 0O 5 gt pnic version pnic web gui start pnic web gui stop pnic help aggregate mode enable aggregate mode
31. device number specified Assuming device O Disabling Default Packet Drop on card 0 successful lt q Drop mode Disabled Temporary memory enabled root localhost pnic default drop enable No device number specified Assuming device 0 Enabling Default Packet Drop on card 0 successful 4 Drop mode Enabled Temporary memory disabled root localhost SW pnic showconf No device number specified Assuming device 0 DMA Capture on MAC Rewrite state CHO disabled CH1 disabled Default Drop Packet enabled Verify Drop mode is Enabled Temporary memory disabled Aggregate mode enabled PHY passive mode disabled HHHH On MASTER FPGA HHRHH H H HHHH HHHH Per Flow Packet Limit unlimited Timeout for Flow Garbage Collection 16 Truncation after Match Packet full packet RH H H HHHH On PCI FPGA HA E H H HHH H HHHH DMA Burst Size 1024 Bytes DMA Flush Timer 1 ms Interrupt Frequency Timer 5 ms Version P2 3 0 2 Waa SW E 76 Firewall Allowing Traffic through the Firewall To allow packets through the firewall you must write rules so that packets that you want the appliance to forward match those rules Rules can be as simple as allowing traffic destined to a port Stateful rules can be used to allow all traffic for an established connection To allow non IP traffic to pass through the firewall you must select Yes for compiler option 2 as descr
32. disable currently in use or FPGA and the revision number of the Master FPGA compilerules Transform the dynamic Snort rules contained in usr local pnic 0 rules custom into binary code suitable for the DPI processor default drop enable default drop disable diag Run diagnostic tests on the card getmachashindex Display the hash index value for a specific source and destination IP address combination linkup Enable the physical link EN Option Default blank values are 0 Select from 0 1 2 3 4 or 5 Select from 0 or 1 This option will skip the firmware revision check Map both client to server and server to client traffic to the same flow state entry Map client to server and server to client traffic from channels to different flow state entries Apply the selected firmware to the link that is for loading Disable the capture of the packets via DMA Enable the capture of the packets via DMA Display the status of the ports the revision number Enable firewall functionality Disable firewall functionality P 92 Appendix A pnic linkdown Syntax Parameters Command History Example Related Commands pnic linkup Syntax Disable the physical link pnic linkdown number channel Enable a physical link using the command pnic linkup number Enter the number of the network interface card Range 0 5 Default 0 channel Enter the channel number Range 0 1
33. distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE Please Login Sguild Host 10 16 130 246 i 7734 P Series Installation and Operation Guide version 2 3 1 2 49 Figure 32 Selecting the Sensor to Monitor f SGUIL 0 7 0 ALPHA fn90027mp When the Sguil client starts and the client is properly connected to the Sguil server the window in Figure 33 appears Figure 33 Accepting Events from the Sensor SGUIL 0 7 0 ALPHA Connected To 10 16 130 245 File Query Reports Sound Off ServerName 10 16 130 245 UserName sguill UserID 2 2007 12 12 08 49 27 GMT RealTime Events Sensor Alert ID Date Time Event Message 1 Napoli_1 3 98 2007 12 12 08 47 07 21 0 0 98 64 121 0 0 98 80 6 priority 1 1 Napoli_1 3 99 2007 12 12 08 47 21 0 0 99 64 121 0 0 99 80 6 priority 1 Napoli_1 3 100 2007 12 12 08 47 07 21 0 0 100 64 121 0 0 100 80 6 priority 1 la Sensor Alert ID Date Time Event Message Napoli_1 3 298 2007 12 12 08 47 18 23 0 0 98 96 123 0 0 98 112 6 priority 3 1 Napoli_1 3 299 2007 12 12 08 47 18 23 0 0 99 96 123 0 0 99 112 6 priority 3 Napoli_1 3 300 2007 12 12 08 47 18 23 0 0 100 96 123 0 0 100 112 6 priority 3 Sensor Alert ID Date Time Event Message Napoli_1 2007 12 12 08 47 27 25 0 0 98 16 125 0 0 98 32 priority 5 1 Napoli_1
34. encoded in the files usr local pnic O pnic_ O 1 bin pnic loadrules channel channel Enter the channel number Range 0 1 Default O Version 2 0 0 1 Introduced Figure 61 pnic loadrules Command Example root pnic loadrules 0 dynamic rules loaded Capture block policies previously stored are temporarily disabled during this operation and traffic 1s forwarded The new rules take effect when the loading process is complete 98 Appendix A pnic macrewrite off Syntax Parameters Command History Example Usage Information Related Commands Disable MAC rewriting This is the default behavior pnic macrewrite off number channel Enable MAC rewriting using the command pnic macrewrite on number Enter the number of the network interface card Range 0 5 Default O channel Enter the channel number Range 0 1 Default O Version 2 1 0 0 Introduced Figure 62 pnic macrewrite off Command Example root localhost SW pnic macrewrite off No card number specified Assuming card 0 No channel number specified Assuming channel 0 Disabling MAC rewrite on card 0 channel 0 successful root localhost SW MAC rewriting can be used for load balancing Load balancing is achieved by overwriting the least significant byte of the destination MAC address for packets with a specified source and destination IP address with a user specified value pnic macrewrite on Re
35. entirely for applications in which host capture is not desired P Series Installation and Operation Guide version 2 3 1 2 17 Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports Note Mirroring is automatically enabled when the mirroring port is connected to another network device Mirroring is not controlled through the CLI Figure 3 Logic Diagram of Traffic Flow in the P10 DPI State Table Mirror 0 Packet Data Detection Engine Match Result Forwarding Engine ezeg 3842ed Config Commands Mirror 1 2 F E a m v gt xXx fal pe a p a G a figindex 006 Types of Rules Two types of rules can be uploaded to the FPGA Static rules Static rules are compiled to become part of the firmware and are mapped directly into logic gates Static rules can be set to capture not capture and block not block individually but they cannot be changed once they have been loaded into the FPGA Dynamic rules Dynamic rules are programmed at runtime in the DPI hardware registers and can be configured without changing the firmware These rules like static rules can be disabled enabled individually Sample Rules and Firmware The P10 includes sample rules files in the pnic compiler rules directory You can browse these files in order to become more familiar with Snort syntax or creating rules files you can also generate firm
36. files lt install_dir gt nsm sguil logs rules files lt install_dir gt nsm sguil rules Snort logs var log Snort Packet logs var log Sensor LogPackets Server server installation directory usr local sguil server sguild conf lt install_dir gt nsm sguil etc log files lt install_dir gt nsm sguil logs 46 Network Security Monitoring Running the Sguil System Running the Sguil Sensor Start the Sguil sensor using the command pnic sguil sensor start Specify the IP address of the Sguil server and confirm the action as shown in Figure 29 Figure 29 Starting the Sguil Sensor Eootet pnic sguil sensor start b Enter the IP address of the Sguil Server 192 16 130 246 KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK INTERFACE NAME gt pnicd SGUIL SERVER IP ADDRESS 192 16 130 246 RAS To start Sguil sensor with the above configuration Select Ok 1 Ok 2 Exit 2 1 Starting sguil sensor processes Info lt InstallDir gt sguil pids snort_log localhost pid does not exist Checking for old process with ps No old processes found Starting new process anyway LogPackets started successfully Checking disk space limited to 90 Current Disk Use 26 Done Barnyard started successfully Snort started successfully Sancp started successfully Pcap Agent started successfully Sancp Agent started successfully Snort Agent started successfully oe has started successfully y St
37. number Enable aggregate mode using the command pnic aggregate mode enable P ane number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command History Version 2 3 0 0 Introduced Example Figure 40 pnic aggregate mode disable Command Example root localhost SW pnic aggregate mode disable No card number specified Assuming card 0 Aggregate mode disabling on card 0 successful root localhost SW 80 Appendix A Related Commands pnic aggregate mode enable Receive both client to server and server to client traffic on one port pnic aggregate mode enable Receive both client to server and server to client traffic on one port This is the default behavior Syntax pnic aggregate mode enable number Disable aggregate mode using the command pnic aggregate mode disable P ETON number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command History Version 2 3 0 0 Introduced Example Figure 41 _ pnic aggregate mode enable Command Example root localhost SW pnic aggregate mode enable No card number specified Assuming card 0 Aggregate mode enabling on card 0 successful root localhost SW Related Commande pnic aggregate mode disable Receive client to server and server to client traffic on different ports This is the default behavior pnic apply firmware Ap
38. number for example 23 for Telnet Port ranges can be specified using a colon as a range operator It can be applied in three ways as shown by Table 15 Table 15 Rules Containing the Port Number Range Operator log udp any any gt 192 168 1 0 24 1 1024 log udp log tcp any any gt 192 168 1 0 24 6000 log tcp any 1024 gt 192 168 1 0 24 500 e A colon between two port numbers indicates all ports between those ports including the specified ports e A colon before a port number indicates all ports less than or equal to the specified port e A colon after a port number indicates all ports greater than or equal to the specifed port The negation operator can also be used in combination with port numbers The rule in Table 16 logs all TCP traffic destined for ports other than port 6000 on the local network Table 16 Rules Containing the Port Number Negation Operator log tcp any any gt 192 168 1 0 24 6000 6000 Note The negation operator may not be placed before the keyword any The ICMP protocol does not require a port number Direction Operator The direction operator gt indicates direction of the traffic to which the rule applies The source IP address and port are on the left side of the direction operator and the destination address and port are on the right side of the operator There is also a bidirectional operator lt gt This directs Snort to consider traffic originating from either of the spec
39. packets via direct memory access DMA pnic cardstatus Display the status of the ports the revision number of the PCI X FPGA and the revision number of the Master FPGA Syntax pnic cardstatus number Parameters number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command History Version 2 0 0 1 Introduced Example Figure 46 pnic cardstatus Command Example V zoot localhost SW pnic cardstatus Fy No card number specified Assuming card 0 KKK KEKE KKK KEKE KK KKK KK KEKE KKK AAA AAA RARA AAA AAA KKK KKK Channel Port Connection Status Card 0 Channel 0 UP Active RX TX Card 0 Channel 1 UP Active RX TX Mirror Port Connection Status Card 0 Mirror Port 0 No Carrier Card 0 Mirror Port 1 No Carrier kkxkxkxkxkxkxkxkxkkxkxkxkxkkkkkkkkxkxkxkkkkkkkkxkkkkkkkkkkkkkkkxk PCI FPGA revision 2 8 KEKKKKKKKKKKKKKKKKKKKKK KKK KK AAA AAA AAA KK AA Master FPGA is loaded revision 2 6 KKK KKK KKK KKK KKK KEK KEK KKK KKK KKKKKKKKKKKKKKAKKK KKK KKK Version P_MAIN2 2 0 058 leia pued SW wy Related Commands pnic showconf Display the configuration parameters of the system pnic version Display the driver version 84 Appendix A pnic compilerules Transform the dynamic Snort rules contained in usr local pnic O rules custom into binary code suitable for the DPI processor Syntax pnic compilerules number
40. parameters within brackets are optional xly Keywords and parameters separated by a bar require you to choose one P Series Installation and Operation Guide version 2 3 1 2 7 Information Symbols Symbol Warning Description AN Danger This symbol warns you that improper handling and installation could result in bodily injury Before you work on this equipment be aware of electrical hazards and take appropriate safety precautions Caution This symbol informs you that improper handling and installation could result in equipment damage or loss of data A Warning This symbol informs you that improper handling could reduce your component or system performance Note This symbol informs you of important operational information Related Documents Additional P Series documentation is available on the software CD that came with the appliance and in the documentation section of the Forcel0 website www force10networks com e P Series Release Notes Additional Resources Cox Kerry and Gerg Christopher 2004 Managing Security with Snort and IDS Tools Sebastopol California O reilly Media Inc e Snort org http www snort org About this Guide Installation Figure 1 P Series P10 Appliance Front View PORT 1 P1 PORT 0 PO MIRROR MIRROR E0 amp E1 IP ADDRESS PORT 1 M1 PORT 0 M0 DISPLAY MOUSE SERIAL VGA RJ 45 SERIAL Eo ee fn9000007 ooo POWER KEYBOARD USB x2 LAN 2 LAN
41. the current state of that flow in that case the postcondition is ORed and applied to rewrite the state of that flow A precondition of 1 starts a new flow logging should be set to 2 for most cases see the user manual for R 1 Topology assumption c0 Unsecured EXTERNAL network Htc1 Secured INTERNAL network specify here your inside networks var INTERNAL 192 168 50 0 24 var INTERNAL any var EXTERNAL any specify here your outside DNS servers var DNS 10 11 0 1 10 11 0 2 var DNS any var DNSPORT 53 specify here the services provided from the inside network var ALLOWEDPORTS 21 22 25 var ALLOWEDPORTS 22 allow INTERNAL network to poke a hole through the firewall for TCP services permit on c1 tcp INTERNAL any gt EXTERNAL any msg Z SYN flags S S 1 R 2 C 3 permit on cO tcp EXTERNAL any gt INTERNAL any msg Z SYNACK flags SA S 2 R 2 C 4 allow EXTERNAL network to poke a hole through the firewall if accessing any of the ALLOWEDPORTS permit on cO tcp EXTERNAL any gt INTERNAL ALLOWEDPORTS msg Z SYN flags S S 1 R 2 C 3 permit on c1 tcp SINTERNAL ALLOWEDPORTS gt EXTERNAL any msg Z SYNACK flags SA S 2 R 2 C 4 allow TCP packets on the established flow hole INTERNAL lt gt EXTERNAL permit on all tcp any any gt any any msg Z TCP flow allowed S 4 R 2 C 4 allow INTERNAL network to poke a hole through the firewall for DNS queries permit on c1 udp INTER
42. 0 S 8 R 1 C 16 alert on cO tcp any any gt any any msg Z Evasion State 3 Capture flow fragments of size 0 lt gt 100 dsize 0 lt gt 100 S 16 R 2 C 16 Support for Snort s within Keyword Many buffer overflow detection rules use a within keyword that verifies that an end of line character is received within a certain number of bytes from the start of the session If the within statement is for a large number of bytes the check needs to be performed across TCP segments In this case several packets must be captured to find the end of line character or whatever the character might be For this reason within statements capture the entire flow The within statements are translated by the PNIC Compiler upon setting the S 32 and S 64 bits This causes two rules to trigger the capturing of TCP and UDP flows Table 23 shows two rules which trigger the capturing of TCP and UDP flows Table 23 Capturing TCP and UDP Flows alert on cO tcp any any gt any any msg Z TCP within was issued previously for this flow capture flow S 32 R 2 C 32 alert on cO udp any any gt any any msg Z UDP within was issued previously for this stream capture stream S 64 R 2 C 64 72 Writing Rules Anomalous TCP Flags Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information Table 24 shows rules which were derived from the Snort scan pre processor
43. 0 1000 2000 3000 3514 224896 Tue Jan 08 19 23 40 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 31 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 23 I5T 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 15 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 08 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 00 I5T 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 22 52 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 22 44 IST 2008 6000 1000 2000 3000 3514 224896 1000 2000 SSSo Se ope opsoseeseoseesjajojajojaja 3000 S SSS SS SS SSS SS SSoselseelsejsje SSSelosje Sfeesejesje eejajsejaajajojajajsajo SSSlS SS SpSeesea sje oslo Ssfesjajojsjojaje SSSsso ss oso ss oso so ssojsojaja 0 0 0 0 0 0 0 0 0 0 0 0 224896 0 0 0 o 0 0 0 0 0 0 0 0 0 3514 224896 Tue Jan 08 19 22 37 IST 2008 35146 ARAE 0 Ready Last refreshed time Tue 8 Jan 2008 19 25 49 0530 Java Applet Window Tue 8 Jan 2008 1 40 Web based Management Managing Policies Manage policies from the Policy Management panel Figure 26 The Policy Management panel provides you with a list of available static and dynamic rules available for the currently running image It also has the provision for adding modifying and
44. 1 IDENTIFY HARD POWER E1 E0 I DISK LJ LEDs MANAGEMENT PORTS Figure 2 P Series P10 Appliance Rear View AC POWER RECEPTACLE fn 9000009 MAIN POWER SERIAL NUMBER Label Description LCD screen The LCD screen displays the IP address of the appliance next to either e0 or e1 which represent LAN ports 1 and 2 respectively Port 1 Port 0 These two ports are sensing ports through which traffic is forwarded They accept 10G XFP modules unlabeled RJ 45 serial This port is not used port next to IDENTIFY IDENTIFY This LED is not used HDD This LED is blue when the hard disk is accessed PWR This LED is green when the power is on P Series Installation and Operation Guide version 2 3 1 2 9 Label Description Power Button This button turns the appliance on and off Press and hold the button to turn off the appliance Laser Warning This label in the bottom right corner of the appliance indicates that the appliance is a Class 1 laser product that emits invisible laser radiation This product complies with CDRH 21 CFR 1040 CLASS 1 LASER PRODUCT LASERPRODUKT DER KLASSE 1 V8rF000NI System Specifications The specifications in Table 1 apply to the P Series P10 appliance Force10 catalog number PB 10GE 2P Table 1 System Specifications Power AC Power Supply Power Consumption 400W maximum 260W nominal Current 3 6 A O 120V 2 0 A O 240V Voltage 100 240V 4
45. 138705306 on cO tcp any any gt any any msg Btcp on all tcp any any gt any any msg ftcp flags S on all udp any any gt any any msg Budp on all icmp any any gt any any msg Bicmp usr local pnic O rules custom 17L 877C fn90000012 Managing Capture Forward Policies with the GUI Upon compiling static and dynamic rules default capture forward policies are assigned to each rule To change capture forward policies Step Task 1 Enter the m command from the GUI command line see GUI Commands on page 26 to access the rule management GUI see Figure 14 Select Manage Rules to access the policy management menu see Figure 16 Use the arrow keys to highlight a rule and the Select option and press the Enter key Select alert permit divert or deny based on the descriptions in Table 5 also see Figure 17 Exit the menu by selecting Done and repeat Steps 3 through 5 for other rules if desired OJIA RR wy Pp Select Done you are prompted to confirm your changes P Series Installation and Operation Guide version 2 3 1 2 29 Figure 16 Managing Capture Forward Policies GUI 10 11 231 7 PuTTY Edit Forward Block 1 IP with source conten rotocol any On cl fn9000013 Figure 17 Capture Forward Policies GUI t through and capture it fn9000014 Selecting Firmware with the GUI Firmware is a set of rules that has been transf
46. 7 63Hz 8A maximum input current Heat Dissipation 1360 BTU hr maximum 888 BTU hr nominal Battery 3V CR2032 coin cell Physical Dimensions Height 1 75 in Width 17 6 in Depth 15 5 in 1RU half depth Weight 20 Ibs 9 07 kg Environmental Temperature Operating 41 to 104 F 5 to 40 C Storage 40 to 149 F 40 to 65 C Relative humidity 20 80 non condensing Altitude Operating 50 to 10 000 ft 16 to 3048 m Storage 50 to 35 000 ft 16 to 10 600 m Physical Connections Note Connections to the sensing mirroring and management ports require straight through CAT5 cables Warning Do not hot swap XFPs If they are accidentally removed turn off the appliance replace the XFPs and then turn the appliance back on 10 Installation Step Task Review the system specifications and ensure that your operating and storage conditions meet the stated requirements Connect the power cable a keyboard and a monitor to the appliance Connect the LAN 1 port on the appliance to the local area network where DHCP is available If a DHCP server is not available an IP address can be assigned manually see Configuration on page 12 Install XFPs in the ports that will be used Connect the sensing ports to the devices from which the appliance will receive traffic e Traffic originating from the device connected to Port O has Channel 0 s rules applied to it e Traffic originating
47. EGA Rima A CREARA Nie ART Mz Y hE EAL ERMO ER I ME Y N ERLELTRE lo O Danger AC Power cords are for use with Force10 Networks equipment only do not use Force10 Networks AC Power cords with any unauthorized hardware Feedback on Documentation Send email to techpubs force10networks com Contents nn a E 3 Preface AAA Ann 7 COJSCIVOS vara aci E A A AAA AAA 7 PAREN PAR cies hie hee ee Ne eee lene hens adie 7 Conventions aiii eee EE T diarias 7 IMOEMAOD SVINDOIS carr AI AAA AA adore ds 8 ad AA Ah cee ew A A Reka AeroBed Da 8 Additonal PSSOUIGES cian cceeke deus radianes TESS Dede eee A mE eRe W Eee 8 Chapter 1 Mstalalio econ AAA AAA Ede Oe eRe 9 AS MALO ac de no ba a det da eee ee 10 Physical Connections a PETT PET eee aes TETT LATT EET TEE 10 PON lt i seed AI Keene joke died SARNA ARA AR 12 SR a a a RE A A eae wok a aA 12 COCUnYy COCK 22 28cctacekaads Ai thes AAA de A A AAA A 12 Upgrading SOWAS srt A RA A AAA He da 12 Chapter 2 E oot ceeset ce seiect orci de a a a E 15 Returning to the Default Configuration ENTE FAA EFE 15 Chapter 3 MiroductiOM s siississsiisirst iit rr intra resi DRACO SRA RRA RA IAEA 17 Hardware Archilecture Overview cc veeds seed cra A 17 PESO Rules sc acdacadaue ciadedwaeoaceacinedensed ax enii CERRO RECEDIT EEEE FEDS 18 Sample Rules and FINNA coccion rta aren tees AAA AAA A A AA 18 OSMA a oo aio Di te ai acs cade ce pe aime ia
48. Example root localhost SW pnic passive mode disable No card number specified Assuming card 0 Channel 0 and 1 are set to work in normal TX RX mode root localhost SW pnic passive mode enable Configure the ports to only receive traffic pnic passive mode enable Syntax Parameters Command History Example Related Commands Configure the ports to only receive traffic pnic passive mode enable number Disable passive mode using the command pnic passive mode disable number OPTIONAL Enter the number of the network interface card Range 0 5 Default O Version 2 3 0 0 Introduced Figure 68 pnic passive mode enable Command Example root localhost SW pnic passive mode enable No card number specified Assuming card 0 Channel 0 and 1 are set to work in passive mode root localhost SW Receive both client to server and server to client traffic on one port pnic passive mode disable P Series Installation and Operation Guide version 2 3 1 2 103 pnic resetconf Syntax Parameters Command History Example pnic restart Reset the system configuration back to the default settings which are located in lt installation_directory gt SW misc pnic conf pnic resetconf number number OPTIONAL Enter the number of the network interface card Range 0 5 Default O Version 2 3 1 2 Introduced Figure 69 pnic resetconf Command Example
49. K KKK KKKKKAKKA KKK KKK INTERFACE NAME pnicd SGUIL SERVER IP ADDRESS 10 11 194 183 SECURE CONNECTIVITY Enabled KKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKKKKK KK KKK KKK To start Sguil sensor with the above configuration Select Ok 1 Ok 2 Exit 2 1 Starting sguil sensor processes Starting barnyard Starting snort Snort is already running Starting sancp Sancp is already running Starting new process LogPackets started successfully Killing old process Old LogPackets process killed successfully Checking disk space limited to 90 Current Disk Use 19 Done Starting Pcap Agent Pcap Agent already running Starting Sancp Agent Sancp Agent already running Starting Snort Agent Snort Agent already running Barnyard started successfully Snort started successfully Sancp started successfully Pcap Agent started successfully Sancp Agent started successfully Snort Agent started successfully Sguil sensor has started successfully a eor anda pnic lt pnic sguil sensor stop Stop the Sguil sensor 106 Appendix A pnic sguil sensor stop Stop the Sguil sensor Syntax pnic sguil sensor stop f Start the Sguil sensor using the command pnic sguil sensor start i 1 ale f Exit the Squil sensor without a confirmation prompt Command History Version 2 3 0 0 Introduced Example Figure72 pnic sguil sensor stop Command
50. NAL any gt DNS DNSPORT msg DNS query S 1 R 2 C 9 permit on cO udp DNS DNSPORT gt INTERNAL any msg DNS reply S 8 R 2 C 16 allow UDP packets for the established UDP flow holes INTERNAL lt gt DNS permit on all udp any any gt any any msg Z UDP flow allowed S 16 R 2 C 16 bad stuff do not let though and do not log deny on all tcp any any gt any any msg Z SAPU TCP Flags flags SAPU deny on all tcp any any gt any any msg Z FU TCP Flags flags FU deny on all tcp any any gt any any msg Z PF TCP Flags flags PF deny on all tcp any any gt any any msg Z UP TCP Flags flags UP deny on all tcp any any gt any any msg Z Zero TCP Flags flags 0 EA AA AA 78 Firewall Command Line Reference The command line interface CLD is an alternative to the GUI for managing the appliance A script called pnic is used to perform the same management functions as the GUI Invoke the pnic script using the commands in this chapter the OS environment variables are set such that these command can be executed from any path pnic aggregate mode disable on page 80 pnic aggregate mode enable on page 81 pnic apply firmware on page 81 pnic capture off on page 83 pnic capture on on page 83 pnic cardstatus on page 84 pnic compilerules on page 85 pnic default drop disable on page 85 pnic default drop enable on page 86 pnic diag on page 86 pnic flow teardown disable on pag
51. Z SYN flags S 12 S 1 R 2 C 3 alert tcp any any gt any any msg Z SYNACK flags SA S 1 R 2 C 5 Handling Segmentation Evasion Tools like fragroute or Nessus are used to fragment the packet payload in several TCP segments in order to evade packet based signature systems The stateful rules in Table 22 detect the arrival of packets exhibiting an anomalous use of TCP segmentation P Series Installation and Operation Guide version 2 3 1 2 71 The start of the state machine is prompted by a SYN state 1 is reached if a packet of length greater than 0 but less than 20 is detected state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than O but less than 20 is detected the final state is reached if a packet of a length between 0 and 100 is seen This state diagram was derived from observing common fragmentation evasion patterns it seems to catch most of them More complex state diagrams can also be devised at your discretion Table 22 TCP Packets with Anomalous Segmentation alert on cO tcp any any gt any any msg Z Evasion State 2 Fragment of size 1 dsize 1 S 4 R 1 C 16 alert on cO tcp any any gt any any msg Z Evasion State 1 First fragment of size 0 lt gt 20 state 1 dsize 0 lt gt 20 S 4 R 1 C 8 alert on cO tcp any any gt any any msg Z Evasion State 2 Second fragment of size 0 lt gt 20 capture flow dsize 0 lt gt 2
52. able firewall functionality pnic default drop enable number Disable firewall functionality using the command pnic default drop disable parameters number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Command History Version 2 2 0 0 Introduced Example Figure 49 pnic default drop enable Command Example root localhost SW pnic default drop enable No card number specified Assuming card 0 Enabling Default Packet Drop on card 0 successful Temporary memory disabled Flow teardown enabled root localhost SW Usage Temporary memory is disabled while the firewall is enabled Information pnic diag Run diagnostic tests on the card Syntax pnic diag number v 86 Appendix A Parameters Command History Example Example Usage Information number Enter the number of the network interface card Range 0 5 Default 0 V Display a detailed output Version 2 3 1 2 Added option V Version 2 0 0 1 Introduced Figure 50 pnic diag Command Example 1 root localnost pnic pnic diag US No card number specified Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching Do you want to proceed n y y Matching disabled Test starting Waiting for matching to stop PNIC card 0 is detected on PCI bus Software driver module is loaded Loading Null firmware Null firmware loading is done
53. ame dat Parameters number Enter the number of the network interface card Range 0 5 Default 0 filename Save the output to a file Command f History Version 2 3 1 2 Introduced P Series Installation and Operation Guide version 2 3 1 2 109 Example pnic start Syntax Parameters Command History Figure 76 pnic showtech Command Example xoot localhost pnic pnic showtech more No card number specified Assuming card 0 KKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK Display date KKKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KK KKK KKK KKK KKK Tue Apr 29 11 21 07 PDT 2008 KKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK Display OS version information KKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK Linux localhost localdomain 2 6 18 8 1 14 e15 1 SMP Thu Sep 27 19 05 32 EDT 2007 x86_64 x86_64 x86_64 GNU Linux CentOS release 5 Final KKKKKKKK KK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KK KKK Display CPU usage KKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK KKK top 11 21 08 up 23 01 Tasks 76 total 1 running leeping 0 stopped 0 zombie Cpu s 0 6 us 0 5 sy 0 0 ni 98 8 id 0 2 wa 0 0 hi ene omitted 3 users load average 0 03 0 02 0 FONS e Load the rule firmware if it is not already present e Load
54. an use it e The number of dynamic rules e The maximum allowed number of half bytes per rule Firmware files have the format lt name gt lt type gt lt dynamic 011 gt lt maxstring gt 0I1 bithmapping Table 10 describes each of the elements in this format Table 10 Firmware Filename Description Element Description lt name gt This field is a mnemonic name identifying the original rules file you supplied during the compilation of the firmware lt type gt This field identifies the card type The P10 is represented by xc4vIx200 ff1513 lt dynamic 0 1 gt This field is the estimated number of dynamic rules that you can enter at runtime for the two channels lt maxstring gt This field is the maximum number of half bytes the compiler allocates for each rule A typical value is 2048 to indicate that the compiler truncates match string to 1024 bytes Typically a value is 2048 which does not result in any truncation Lower values are possible and result in a larger number of rules but this increases the probability of false positives for rules with truncated match strings 0 1 This field indicates whether the file is for Channel 0 or Channel 1 bit mapping The compiling process generates 12 files which together make firmware 8 files have the extension mapping and 4 have the extension bit Compiler Errors e If too many dynamic rules are specified in Option 9 of the compiler configuration phase
55. arams number AS number Enter the number of the network interface card Range 0 5 Default O Command History Version 2 0 0 1 Introduced Example Figure 66 pnic params Command Example root localnost SW pnic params N No card number specified Assuming card 0 PNIC 8002 pnicO Oxffff810000700000 20006 KKKKKKKKKKKKKKKKKKKKKK Register Display KKKKKKKKKKKKKKKKKKKKKK KKKK Configurations on Master FPGA KKKKKKKKKKKKKKKKKKKKKKKKKKKKK Register Name Address Hex Revision 0x000 80020006 Chip Control 0x004 00000073 Scratch 0x008 75318642 Chip Status 0x00c 00000003 Packet Linked List Limit 0x010 00000000 Timeout for Flow Garbage Collection 0x014 00000010 Byte Number of Truncation with Match 0x018 00000000 Time Stamp for Sync 0x01c 4C787C4B RAM Failure Address 0x020 00000000 RAM Failure Data Low 0x024 00000000 RAM Failure Data Meddle 0x028 00000000 RAM Failure Data High 0x02c 00000000 Vee omitted A pnic passive mode disable Configure the ports to transmit and receive traffic This is the default behavior Syntax pnic passive mode disable number Enable passive mode using the command pnic passive mode enable Parameters number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 102 Appendix A Command History Example Related Commands Version 2 3 0 0 Introduced Figure 67 pnic passive mode disable Command
56. atic rules maximizes dynamic rule capacity see Figure 35 on page 58 Note The script performs a syntax check on the input file If there are errors you are prompted to enter the file name again The entry must be made at the prompt if the Enter key is pressed erroneously such that the entry cannot made at the prompt enter Ctrl C to halt the configuration process and then enter gmake to begin again 5 Dynamic Rules Enter the number of dynamic rules to synthesize If you enter one of the sample Snort rules files choose the minimum number of dynamic rules otherwise the placing may fail If you are using fewer static rules you can increase the number of dynamic rules up to approximately 30 for each channel 60 in total see Figure 35 on page 58 Note The number of dynamic rules specified in this option is guideline that the compiler uses to reserve space on the FPGA The number you choose is the approximate number of rules you will be able to configure at runtime The amount of space a rule consumes varies based on the complexity of the rule Therefore you might not be able to compile as many dynamic rules as specified in this option if the rules are complex 6 meta rules The pnic Compiler prepends a set of fixed rules called meta rules located in the pnic compiler rules directory The rules in this file report on flow information and provide compatibility with Snort include or exclude this file consideri
57. ation Enter Yes to save the configuration and compile the Snort rules into firmware see Figure 37 on page 60 P Series Installation and Operation Guide version 2 3 1 2 57 Figure 35 pnic Compiler Option 1 6 A 5 oa q Enter command gmake from Makefile 2 mtp_configuration No such file or directory pnic compiler directo ry bin getparams2 sh Please choose the target device 1 PB 10G 2P 49 1 Do you want to support matching of non IPv4 and non IPv6 packets like ARP IPX etc 1 Yes 2 No 22 Ethernet types allowed Do you want to match packets that are IP fragments or have any IPV4 options 1 Yes 2 No 22 no fragments or IPv4 options Enter filename containing rules to compile enter null for no rules snort dos rules 1 1 1 1 ee ee ee ee ee ee ee ee k k k k k kk k kk Verified 0 conforming signatures in file snort rules sample PAS FAS FAS 28 EEE E EE FAS FAS E HS E OAS E E E E E E E E E E E E K E E is K E k 2k K k k k k k k k k k k k k k kkk Channel 0 Dynamic rules Please choose how many dynamic rules 5 20 recommended Dynamic rules are rules that can be added without recompiling the firmware They can be added at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1 0 5 20 9 60 13 100 17 180 21 260 25 340 2 2 6 30 10 70 14 120 18 200 22 280 26 360 3 5 7 40 11 80 15 140 19 220 23 300 27 380 4 10 8 50 12 90 16 160 20 240 24 320 28 400 58 Compil
58. ax ttl number gt lt number El gt lt number uricontent Searches the normalized request URI field for the specified content data_string can contain mixed text and binary data Binary data is enclosed within pipe characters and is written in hexadecimal form uricontent data_string P Series Installation and Operation Guide version 2 3 1 2 121 122 Appendix B Meta and Evasion Rules The meta and evasion rules for Channel 0 and Channel 1 are the same They are listed in Table 29 and Table 30 Table 29 meta Rules for Channel 0 and Channel 1 meta Rules alert tcp any any gt any any msg Z SYN flags S 12 S 1 R 2 C 3 alert tcp any any gt any any msg Z SYNACK flags SA S 1 R 2 C 5 alert tcp any any gt any any msg Z TCP within was issued previously for this flow capture flow S 32 R 2 C 32 alert udp any any gt any any msg Z UDP within was issued previously for this stream capture stream S 64 R 2 C 64 alert tcp any any gt any any msg Z SAPU TCP Flags flags SAPU alert tcp any any gt any any msg Z FU TCP Flags flags FU alert tcp any any gt any any msg Z PF TCP Flags flags PF alert tcp any any gt any any msg Z UP TCP Flags flags UP alert tcp any any gt any any msg Z Zero TCP Flags flags 0 Table 30 Evasion Rules for Channel 0 and Channel 1 Evasion Rules alert tcp any
59. bles capturin to the CPU but the card still forwards blocks traffic on the wire P Series Installation and Operation Guide version 2 3 1 2 111 pnic temp mem disable Syntax Parameters Command History Example Related Commands Usage Information Disable temporary memory pnic temp mem disable number Enable temporary memory using the command pnic temp mem enable number Enter the number of the network interface card Range 0 5 Default O Version 2 3 0 0 Introduced Figure 79 pnic temp mem disable Command Example root localhost SW pnic temp mem disable No card number specified Assuming card 0 Disabling temporary memory on card 0 successful root localhost SW pnic temp mem enable Enable temporary memory Disabling the temporary memory reduces flow collisions In firewall mode default drop temporary memory is disabled automatically pnic temp mem enable Syntax Parameters Command History Enable temporary memory This is the default behavior pnic temp mem enable number Disable temporary memory using the command pnic temp mem disable number Enter the number of the network interface card Range 0 5 Default O Version 2 3 0 0 Introduced 112 Appendix A Example Related Commands Figure 80 pnic temp mem enable Command Example root localhost SW pnic temp mem enable No card number specified Assuming card 0
60. cript fis the flow or sub stream and the r value is used to direct the packet storage 68 Writing Rules Pre match Condition the S Value The value in register Cris presented to all the signatures simultaneously during matching Cy must have all the bits specified by s in addition to matching m in order for the signature i to trigger In other words if the result of the logical AND of register Cy with s is non zero and equal to s the signature is allowed to trigger Otherwise the signature is not triggered Therefore value s is referred to as the pre match bit pattern Post match Condition the C Value The c value is the post match bit pattern defined by the signature i If m matches in the data stream and the pre match condition is met c is logically OR ed with the existing value in register Cp and the result is written back to Cp In general for each signature i at time t If m s amp Cs de s then cp c else cp 0 Equation 3 d Sor where A is a logical AND operator amp is a bitwise AND Sigma is a bit wise OR of several terms and is a bitwise OR of two terms t 1 Ce Equation 4 Equation 3 states that if there is a match m and the pre match condition holds the post match condition cp is enabled Equation 4 states that at each cycle the register Cy is updated by the bitwise OR of all the cp values of all the signatures and a final bitwise OR with the
61. cs display you can enter commands to control the DPI see Table 3 or enter the h command from the GUI command line Figure 13 Runtime Statistics FPGA Unloaded CPU s 0 0 user 0 0 nice 0 0 system 0 0 interrupt 100 idle N A 1 FlowTimeout 16 Packets flow 0 Truncation 0 Irq period 5ms h help z stop m manage_rules c truncation t timeout f packets flow x DMAlj Note GUI commands that require a subsequent value entry have the current value displayed in parentheses at the prompt Table 3 GUI Commands Command Description a Establishes the IRQ period measured in milliseconds which moderates DPI access to the PCI X bus Valid values are 1 to 255 where 1 is no throttling and 255 is maximum throttling c This command is not supported Brings the OS network interface down and disables matching f Establishes the maximum number of packets to be captured for each flow Packets Flow A value of O specifies all packets h Displays help information about the commands i Establishes the display refresh interval measured in seconds m Invokes a dialog menu through which dynamic rules can be defined capture forwarding policies can be set for each individual rule and the firmware can be selected and loaded see Figure 14 q Exits the graphical user interface r Reset all the OS counters Starts or restarts the drivers and reloads the firmware rl yn Establishes the number of second
62. customization in order to be effective they are included only for you to become more familiar with the functionality of the appliance Rule Management The P Series software provides three methods by which you can manage the rules and functionality of the appliance e Graphical User Interface The graphical user interface GUI is a menu based method for managing the appliance e Web based GUI Manage the appliance and graphically plot performance online e Command Line Interface The command line interface CLD uses a script called pnic through which you can manually perform the same management tasks as the GUI by entering commands at the command prompt Force10 recommends using the GUI or web based GUI if no programmatic interface is required Deploying the P Series The flexible architecture of the P Series lends itself to various deployments P Series Installation and Operation Guide version 2 3 1 2 19 Inline Deployment Use the P Series for inline traffic inspection in IPS or firewall applications at 10 Gigabit line rate Figure 4 e For IPS deployment no special configuration is needed the P Series is in inline IPS mode by default e Fora firewall deployment enable drop mode see Command Line Reference on page 79 Figure 4 P Series Inline Deployment 10 Gigabit 10 Gigabit P Series P10 10 Gigabit 10 Gigabit Campus Core a Backbone P Series P10 Data Center fn90029m
63. d 0 Firmware Images Available Firmware Images api_test xc4vlx200 fF1513 50 50 2048 bro_rules_test Image Details Image Name misc rules Signature File snort misc rules null xc4vlx200 FF1513 50 50 2048 optenet Target Device PB 10G 2P private rules_StatRules xc4vlx200 FF1513 20 20 2048 Maximum bytes per signature 32 snort snort_rules bad xc4vlx200 fF1513 20 20 2048 Channel 0 Number of Dynamic Rules 4 Channel 1 Number of Dynamic Rules 4 Other options Match Non IP Traffi D El x Y 2 Note Image colored in RED is the currently applied image Status Log Processing apply image request Image successfully applied on line card w Clear Logs R eady Image successfully applied on line card Status Connected to 10 16 130 245 Ready Tue 29 Jan 2008 17 42 49 0530 Java Applet Window Managing the Network Interface Card Manage the network interface card from the Card Management panel The Card Management panel displays hardware and software counters for Channel 0 pnic 0 0 and Channel 1 pnic 0 1 Counters are displayed in absolute value and in graphical or tabular format as shown in Figure 25 P Series Installation and Operation Guide version 2 3 1 2 39 Figure 25 P Series Node Manager Card Management Panel Force10 P Series Node Manager 1 0 Ge amp Image Mgmt Card Mgmt x Policy Mgmt Poller Options Poll Interval in secs 5 Statistic
64. deleting dynamic rules P Series Installation and Operation Guide version 2 3 1 2 41 Figure 26 P Series Node Manager Policy Managment Panel Force10 P Series Node Manager 1 0 a 2 2 FORCE D Image Mgmt Policy Mgmt Policy Management DER Line card 0 Static Rules Current set of static rules compiled on the device are listed below _ Mody action You can modify the action associated with these rules anytime Y SeqID In Ac Protocol Src IP SrcPort Di Dest IP Dest Port Options 11000015 cO alert 10 10 10 11 32 lany gt lany any msg StatRulesSrcIPRange content SrcIPRange sid 1000015 11000016 c0 alert 11 10 10 1 32 any lany msg StatRulesSrcIPRange content SrcIPRange sid 1000016 co alert 172 168 1 0 24 any 192 168 1 0 30 conten H StatRuleswithSrcDstMultiple sid 1000017 co any c0 10 2 1 0 24 10 1 1 1 32 tatRuleswithSrcDstMultiple sid 1000020 11000021 c0 1192 168 1 0 192 252 1 0 8 src negation msi atRulesSrcNegation sid 1000021 1000022 co 1172 168 1 0 8 192 168 2 0 16 SrcNegationMultiple msg StatRuleswithSrcNegatinMultiple sid 1000022 1000023 c0 1172 168 1 0 8 11 2 1 0 8 msg StatRuleswithSrcNegatinMultiple sid 1000023 1000024 c0 110 1 1 0 16 192 168 2 0 16 msq StatRuleswithSrcNegatinMultiple sid 1000024 Y Dynamic Rules Current set of dynamic rules applied on the device are l
65. dy specified in P Series rules and will yeild a syntax error Running the Sguil Server Scripts are used to perform management tasks such as starting and stopping the server and adding and deleting users Run scripts from the bin sub directory of the installation directory Task Script Start the server When the Sguild server is started StartMysqlserver sh for the first time you are prompted to add a new Startserver sh user Stop the server Shutdownserver sh ShutdownMysalserver sh Add a new user You are prompted for a new ManageSguilserverUser sh add username and password Delete a user You are prompted for your ManageSguilserverUser sh delete username and Squil user to be deleted 48 Network Security Monitoring Running the Sguil Client To run the Sguil Client Step Task 1 Open sguil tk using the Wish application A window appears as shown in Figure 31 2 Specify the IP address of the Sguil server and your username and password 3 Select the sensors to monitor click Select All to monitor all sensors and click Start SGUIL Figure 32 Figure 31 Running the Sguil Client f SGUIL 0 7 0 Sguil A tcl tk interface for network security monitoring Copyright C 2002 2008 Robert Bamm Visscher lt bamm sguil net gt This program is distributed under the terms of version 1 0 of the Q Public License See LICENSE QPL for further details This program is
66. e corresponding renamed files in the firmware directory Location usr local pnic O usr local pnic O lt firmware_filename gt bit Firmware files for Channel 0 and Channel 1 They are the renamed bit files that were generated after compiling static rules When selecting firmware these are the files to which the bit files in usr local pnic 0 are symbolically linked usr local pnic firmware lt firmware_filename gt lt firmware_filename gt mapping Firmware files for Channel 0 and Channel 1 They are the renamed mapping files that were generated after compiling static rules When selecting firmware these are the files to which the mapping files in usr local pnic 0 are symbolically linked usr local pic firmware lt firmware_filename gt pnic_ bin Contain compiled dynamic rules for Channel 0 and Channel 1 usr local pnic O pnic_ custmapping Contain the capture forward policies for each rule on Channel 0 and Channel 1 usr local pnic O rules custom Contains dynamic rules written in Snort syntax usr local pnic O P Series Installation and Operation Guide version 2 3 1 2 61 Firmware Filenames The pnic Compiler creates new firmware in the usr local pnic firmware directory consisting of four bit files and eight mapping files The default firmware filenames follow a naming convention designed to identify three properties e The appliance that c
67. e 88 pnic flow teardown enable on page 88 pnic gui on page 90 pnic help on page 92 pnic linkdown on page 93 pnic linkup on page 93 pnic loadconf on page 94 pnic loadeproms on page 96 pnic loadparams deprecated on page 96 pnic loadrules on page 98 pnic macrewrite off on page 99 pnic macrewrite on on page 99 pnic off deprecated on page 100 pnic on deprecated on page 101 pnic params on page 102 pnic passive mode disable on page 102 pnic passive mode enable on page 103 pnic resetconf on page 104 pnic restart on page 104 pnic sguil sensor start on page 105 pnic sguil sensor stop on page 107 P Series Installation and Operation Guide version 2 3 1 2 79 e pnicshowconf on page 108 e pnic show firmwares on page 108 e pnic showtech on page 109 e pnic start on page 110 e pnic stop on page 111 e pnic temp mem disable on page 112 e pnic temp mem enable on page 112 e pnic updatemacvalue on page 113 e pnic vlan remove disable on page 114 e pnic vlan remove enable on page 114 e pnic web gui start on page 115 e pnic web gui stop on page 116 Note The P10 does not support multiple network interface cards Therefore the only valid entry for the number variable is 0 Card 0 and Channel 0 are assumed for all commands if the card and number options are not specified pnic aggregate mode disable Receive client to server and server to client traffic on different ports Syntax pnic aggregate mode disable
68. e Addresses The source address and port follow the protocol keyword Addresses are written using dotted decimal notation with the subnet mask in CIDR block notation For example the address CIDR combination 192 168 1 0 24 signifies a block of addresses from 192 168 1 1 to 192 168 1 255 The keyword any may be used to define any source address The address field can be negated by placing an exclamation point before the address This operator specifes all addresses other than the one contained in the rule The rule in Table 13 indicates specifes all traffic originating from outside the local network and destined for the local network Note The negation operator may not be placed before the keyword any Table 13 Rules Containing Address Negation alert tcp 192 168 1 0 24 any gt 192 186 1 0 24 111 content 00 01 86 a5 msg mounted access Lists of IP addresses can be specified by placing the addresses in brackets and separating each address with a comma do not include spaces Table 14 shows an example of a rule containing multiple addresses Table 14 Rules Containing Multiple IP Addresses alert tcp 192 168 1 0 24 10 1 1 0 24 any gt 192 186 1 0 24 10 1 1 0 24 111 content 00 01 86 a5 msg mounted access 64 Writing Rules Ports Port numbers may be specified by the keyword any a single port number ranges and by negation any specifies any port Static ports are indicated by a single port
69. e ga sa ce art A tag a he O 63 Shon PUG Heade 2c cackabaanew andes Cade eked Kha eee eee RAR eee EEERS MERRRT ETE SS 63 Sor Rule OHIOS 222 2cceectakaiedietavetideee s a IRER eR ER ER deeds 66 Pam AI RAR dat be ca i ede heel sc Cache aie Rad Sie x ae ead Red al a e ca AR A 66 P Series Supported Snort Keywords 0 00 cece cette ene ene eae 66 VRE Stele RUGS coca odes Poca AA AAA AAA AA 68 a VITAE ii Se oh Suk i gd ech he sea ie Mc Bo AS Desc ia hited a one ah ep ea ads 8 68 Stateful Rule EXSIMP IES lt ccccieagacat carr AAA AAA AS AAA ad 70 TS Met FURS Ple srra ken kA A A AR AA A A 71 Support for Sports low KeyWord casaca pierdes 71 Handling Segmentation EVASION sie icca0cecccieesaneded eben ves ce abe deta dese aw an ds 71 Support for Snort s within Keyword nna cas dace ee ce dee wee ee ee eee T2 Anomalous TOF PROS sr cortar Arras ss 73 Chapter 10 Firewall eee rT See eT er ee eee errs IANS NAAR eer eee Tree eee eT Se eT ree 75 Deploying ine P Series as a Firewall assicura Ohare A wk Pie RRR eee eS 75 Enomoto PISA scores rajas errar ds 76 Allowing Traffic through the Firewall o ooooooocrrooorroror ees 77 Writing Rules for a Firewall Deployment scocin eee a ade daa a a da A ee ed YY Appendix A Command Line Reference cooscosiosnaricnirisrrarcos rro eri 79 Appendix B P 119 Appendix C Meta and Evasion Rules is cisesc des ise biae raras e 123 Appendix D Basic Unix GOS as paid aaa A ee 125 P Series Insta
70. ed with man pnic compiler e For information on Snort or creating Snort rules visit www snort org e For information on Unix commands and the vi editor see Appendix D on page 125 The iSupport Website iSupport provides a range of documents and tools to assist you with effectively using Force10 equipment and mitigating the impact of network outages Through iSupport you can obtain technical information regarding Force10 products access to software upgrades and patches and open and manage your Technical Assistance Center TAC cases Force10 iSupport provides integrated secure access to these services Accessing iSupport Services The URL for Support is www force10networks com support To access iSupport services you must have a userid and password If you do not have one you can request one at the website 1 On the Force10 Networks iSupport page click the Account Request link 2 Fill out the User Account Request form and click Send You will receive your userid and password by E Mail 3 To access iSupport services click the Log in link and enter your userid and password P Series Installation and Operation Guide version 2 3 1 2 129 Contacting the Technical Assistance Center How to Contact Force10 TAC Log in to Support at www force1Onetworks com support and select the Service Request tab Information to Submit When Opening a Support Case e Your name company name phone number and E mail addr
71. ess e Preferred method of contact Model number e Serial Number see Locating P Series Serial Numbers on page 130 Software version number e Symptom description Screen shots illustrating the symptom including any error messages Managing Your Case Log in to iSupport and select the Service Request tab to view all open cases and RMAs Downloading Software Updates Log in to iSupport and select the Software Center tab Technical Documentation Log in to iSupport and select the Documents tab This page can be accessed without logging in via the Documentation link on the iSupport page Contact Information E mail support force1Onetworks com Web www force1 Onetworks com support Telephone US and Canada 866 965 5800 International 408 965 5800 Locating P Series Serial Numbers The P10 serial number is located on a sticker on the back of the unit in the top right corner see Figure 2 as well as on the left mounting bracket see Figure 87 The serial number is below the bar code and has 8 characters Figure 87 Location of P10 Serial Number EO amp E1 IP ADDRESS DISPLAY PORT 1 P1 PORT 0 PO MIRROR MIRROR PORT 1 M1 PORT 0 MO MOUSE SERIAL VGA RJ 45 SERIAL fn9000007 E oo eo FT EI FORCE POWER KEYBOARD USB x2 LAN 2 LAN 1 IDENTIFY HARD POWER E1 E0 l DISK L LEDs MANAGEMENT PORTS 130 Technical Support Requesting a Hardware Replacement To request
72. ets for all rules This feature is optionally activated during the PNIC Compiler configuration phase meta rules is a Snort rules file supplied with the P Series appliance by Force10 The rules in this file report on flow information and handle possible TCP segmentation evasion attempts They also provide compatibility with Snort and including them allows you to run Snort on the DPI interface Small Form factor Pluggable SFP is an optical transceiver that interfaces a network device and a fiber or unshielded twisted pair UTP network cable SFPs support the SONET and Gigabit Ethernet standards and can transmit data at a rate of 4 25 Gb s P Series Installation and Operation Guide version 2 3 1 2 127 Snort SPAN Port State Static Rules SYN Tap XFP Snort is an open source network intrusion detection and prevention system that uses rules created with a special syntax to examine and control specified traffic Switched Port Analyzer SPAN Port is a switch port that receives a copy of specific traffic that passes through a switch The SPAN port is also called a mirroring port State is information about a flow including the source address destination address source port and destination port See Flow Static rules are rules that are specified in a file using Snort syntax and then compiled to become part of the firmware Static rules can be disabled enabled individually but they cannot be changed once they have been
73. from the device connected to Port 1 has Channel 1 s rules applied to it Optional Connect the mirroring ports to the devices that will receive mirrored traffic e Mirror Port O mirrors matched traffic from Channel 0 e Mirror Port 1 mirrors matched traffic from Channel 1 Connect the power cable to a power source and switch on the main power on the back of the appliance Press the power button on the front of the appliance to turn on the device P Series Installation and Operation Guide version 2 3 1 2 11 Booting During booting you can select the OS of your choice The management ports are configured for DHCP and probe for an IP address gateway and name server The IP address is displayed on the LCD screen When the appliance is powered up all packets are forwarded between its ports by default until the firmware and device drivers are loaded Once they have been loaded the DPI generates interrupts to the host processor and offers the captured packets in the same way as a standard network interface card in promiscuous mode Configuration Once the appliance is booted Step Task 1 Log in as root with the password plogin Change the password if desired with the command passwd Set the clock for the appropriate timezone using the command tzsetup This command calls a graphical user interface that instructs you on how to select the appropriate timezone Security Check The P10 is remotely
74. getmachasindex Obtains the hash index value for a particular source and destination IP combination In Figure 34 1 MAC rewriting is enabled 2 The user associates an LSB value with a particular index value 3 All packets with source and destination IP addresses that hash to this index value then have the the least significant byte of their destination MAC address overwritten with the user entered LSB value Figure 34 Rewriting Destination MAC Addresses to Load Balance footer pnic macrewrite on 0 l MAC Rewrite Enabled k No channel number specified Assuming channel 0 Enabling MAC rewrite on card 0 channel 0 is successful root localhost pnic showconf No device number specified Assuming device 0 HHH HEHEHE HH HH HEHE HEHEHE On MASTER FPGA tii tt tt tt tt HH HH HE HE HE Temporary Packet Linked list Limit unlimited Timeout for Flow Garbage Collection 16 seconds Truncation after Match Packet full packet HEHEHE HEE HEE HH HH HEHEHE HEH On PCL FPGA tata ttt ttt tt tH HH HH HH EHH DMA Burst Size 1024 Bytes DMA Flush Timer 1 ms Interrupt Frequency Timer 1 ms DMA Capture on Y MAC Rewrite Enabled MAC Rewrite state CHO enabled CH1 disabled Version P_MAIN2 0 0 80 root localhost pnic updatemacvalue No device number specified Assuming device 0 Please input the hash index 0 255 47 The value to replace 69 LSB Rewritten for Entered Index The MAC updating is done on register 0x4bc
75. gnature 1 alert on c0 tcp any any gt any any msg SYN flags S S 1 R 0 C 3 Signature 2 alert on cO tcp any any gt any any msg ack flags A S 2 R 1 C 4 Signature 3 alert on cO tcp any any gt any any msg ack flags A S 4 R 2 C 4 Signature 4 alert on cO tcp any any gt any any msg frag dsize O lt gt 100 S 1 R 1 C 9 Signature 5 alert on cO tcp any any gt any any msg frag dsize 0 lt gt 100 S 8 R 1 C 16 Signature 6 alert on cO tcp any any gt any any msg frag dsize O lt gt 100 S 16 R 2 C 16 In Table 20 e Signature 1 matches any TCP SYN packet erasing any expired Crregister if this signatures triggers meaning a SYN is present it sets bits O and 1 value 3 in the Cyregister The SYN packets is discarded R 0 e Signature 2 triggers if Signature 1 has triggered the Crregister having bit 1 set and a TCP packet contains an ACK bit The result for this match is that bit 2 value 4 is set in the Cf register The packet is stored in Temporary Memory R 1 e Signature 3 triggers if Signature 2 has triggered the Cyregister having bit 2 value 4 set and another later TCP packet contains an ACK bit The result for this match does not modify the existing content of the Cyregister The packet is stored in Match Memory referencing the packet of Signature 2 The DPI driver then presents to the host the packet matched by 2 followed by the packet matched by 3
76. hange directories to usr local pnic 0 2 Enter the command vi rules custom to edit dynamic rules see Appendix D on page 125 for information on vi Enter rules according to the format described in Writing Rules on page 63 Save your changes and exit vi Enter pnic compilerules to compile the new dynamic rules O a A Enter pnic loadrules upload the dynamic rules to the FPGA MAC Rewriting The MAC rewrite feature allows the least significant byte LSB of a packet s destination MAC address to be overwritten with a user specifed value This feature may be used to load balance or redirect traffic P Series Installation and Operation Guide version 2 3 1 2 51 This feature can be enabled per channel When MAC rewrite is enabled the P10 appliance classifies the incoming traffic into one of 256 hash buckets to determine the value to be written to the LSB of destination MAC address A hash function based on the source and destination IP addresses is used to calculate an 8 bit index for each incoming packet The index is used to look up the LSB values to be written into the packet To enable MAC rewriting Step Task 1 Enter the command pnic macrewrite on O channel to enable MAC rewriting 2 Verify that MAC rewrite is enabled using the command pnic showconf Two additional commands are available with this feature e pnic updatemacvalue Assigns a new LSB for a particular index e pnic
77. he protection requirements of EU Council Directive 89 336 EEC on the approximation of the laws of the Member States relating to electromagnetic compatibility Force 10 Networks can not accept responsibility for any failure to satisfy the protection requirements resulting from a non recommended modification of this product including the fitting of non Force10 option cards This product has been tested and found to comply with the limits for Class A Information Technology Equipment according to CISPR 22 European Standard EN 55022 The limits for Class A equipment were derived for commercial and industrial environments to provide reasonable protection against interference with licensed communication equipment Warning This device is a Class A product In a domestic environment this device can cause radio interference in which case the user may be required to take appropriate measures VCCI Compliance for Class A Equipment Japan CORES HHLBRESERRSAEMHBMS VCCI 0 CESTIOITAAMHMEMEBDOI CORE t RERA CHATS CBR BBE ET TIEKE o COMBICMBAEPBDCHREBST BELIBKENSCEPHVETF This is Class A product based on the standard of the Voluntary Control Council For Interference by Information Technology Equipment VCCI If this equipment is used in a domestic environment radio disturbance may arise When such trouble occurs the user may be required to take corrective actions AR CAEL THWRS ERI REY hid ARMA KERI BEY hik ARMA Sins SOHO MECC EA RIES TCESHR
78. ibed in Table 8 on page 56 Sample rules for a firewall deployment are available in file pnic compiler rules fw rules Writing Rules for a Firewall Deployment Rules for a firewall deployment are written in the same Snort based syntax as IDS IPS rules The difference is that you must describe packets that you want to forward rather than block See P Series Rule Syntax on page 66 In Table 25 stateful rules are used to allow specified traffic into the internal network Notice that in the incoming direction the policies require that the packet be destined to a set of allowed ports while in the outgoing direction there is no port requirement This asymmetry produces typical firewall behavior The Drop mode can also accommodate arbitrary rules that do not assume an inside and outside interface This is an attractive quality since the notion of inside and outside is often blurred in modern network topologies Also note that traditional IPS and IDS rules can be coupled with the firewall rules to block packets and or capture suspicious packets P Series Installation and Operation Guide version 2 3 1 2 77 Table 25 Sample Firewall Rules permit let through and do not log to the host alert let through and log to the host deny DO NOT let through and do not log to the host divert DO NOT let through and log to the host S lt precondition gt C lt postcondition gt R lt logging gt A packet is matched if precondition matches
79. ified addresses and ports This operator can be used for analyzing both sides of a conversation An example of the bidirectional operator being used to record both sides of a Telnet session is shown in Table 17 Table 17 Rules Containing the Bidirectional Operator log tcp 192 168 1 0 24 any lt gt 192 168 1 0 24 23 P Series Installation and Operation Guide version 2 3 1 2 65 Destination Address and Port The destination address and port follow the direction operator The syntax of these parameters are the same as the source address and port See Source Addresses on page 64 and Ports on page 65 Snort Rule Options Options are made of a keyword and an argument An argument is the packet data against which the rule is matched Option keywords are followed by a colon and each option is puncutated with a semi colon Table 19 lists the option keywords that the P Series supports P Series Rule Syntax P Series rules have a syntax that is slightly different from Snort rules P Series rules have the following syntax capture forward_policy on channel Snort_rule capture forward policy can have four values alert permit divert or deny These settings are described in Table 5 on page 28 e channel can be cO for Channel 0 c1 for Channel 1 or all for both channels e Snort_rule is a rule written in Snort syntax Table 18 shows an example P Series rule Table 18 P Series Rule Example alert on c1 any any
80. index 47 APRO pe 52 Command Line Interface Removing VLAN Tags The P Series can strip the VLAN tag from incoming packets before they exit the egress port Enable the feature using the command pnic vlan remove enable The frame CRC is recalculated when this feature is enabled If an incoming packet is untagged it is not changed View the enable state of this feature using the command pnic showconf P Series Installation and Operation Guide version 2 3 1 2 53 54 Command Line Interface Compiling Rules The P Series Network Interface Card Compiler pnic Compiler produces user defined firmware for the appliances The user defined input is a set of signature based rules in Snort syntax and compilation directives The output of the compiler is a Xilinx bit file and ASCII mapping files that map specified signatures to internal configuration registers The configuration registers are used to disable enable rules or block packets Creating Rules Files Store rules files in a pnic compiler sub directory for example pnic compiler rules Force10 recommends not storing rules files elsewhere because this increases the length of the firmware file name Rules Capacity The maximum rules capacity for the P10 is approximatly 14000 static rules or 200 dynamic rules The space required for a static rule depends upon its complexity Compiling Rules Note The pnic Compiler is managed with GNU ma
81. ing Rules Figure 36 pnic Compiler Option 6 7 Fes 1 Dynamic rules N Please choose how many dynamic rules 5 20 recommended Dynamic rules are rules that can be added without recompiling the firmware They can be added at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1 0 5 20 9 60 13 100 17 180 21 260 25 340 2 2 6 30 10 70 14 120 18 200 22 280 26 360 3 5 7 40 11 80 15 140 19 220 23 300 27 380 4 10 8 50 12 90 16 160 20 240 24 320 28 400 25 Do you want to include the default meta rules Selecti ng Yes is recom mended alert tcp any any gt any any msg Z SYN flags S 12 S 1 R 2 C 3 A alert tcp any any gt any any msg Z SYNACK flags SA S 1 R 2 C 5 when USING Snort alert tcp any any gt any any msg Z TCP within was issued previously for this flow capture flow S 32 R 2 C 32 alert udp any any gt any any msg Z UDP within was issued previously for this stream capture stream S 64 R 2 C 64 alert tcp any any gt any any msg Z SAPU TCP Flags flags SAPU alert tcp any any gt any any msg Z FU TCP Flags flags FU alert tcp any any gt any any msg Z PF TCP Flags flags PF alert tcp any any gt any any msg Z UP TCP Flags flags UP alert tcp any any gt any any msg Z Zero TCP Flags flags 0 1 Yes 2 No 2 1 Do you want to include the segmentation evasion rules alert tcp any any gt any any msg Z Evasion S
82. ing card 0 Interface pnic0 is down Waiting for matching to stop Loading rule firmwares Done Loading pass block settings Done Loading dynamic rules Done KEKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK Interface pnicO is up MTU set to 9264 bytes KKEKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK Version P_MAIN2 2 0 058 CIO SW A Usage restart always reloads the FPGA as opposed to start which does not load the FPGA if Information firmware is already present Related Commands pnic stop Disable the network interface pnic start Enable the network interface pnic sgull sensor start Start the Sguil sensor P Series Installation and Operation Guide version 2 3 1 2 105 Syntax Parameters Command History Example Related Commands pnic sguil sensor start f Stop the Sguil sensor using the command pnic sguil sensor stop f The first time the sensor starts the you are prompted for parameters Those parameters are stored in configuration files and reused Specify this option to be prompted for new parameter values Version 2 3 0 0 Introduced Figure 71 pnic sguil sensor start Command Example root localhost pnic pnic sguil sensor start Enter the IP address of the Sguil Server 10 11 194 183 Do you want to enable secure connection between sguil sensor and sguil server 1 Enable 2 Disable 2 1 KKKKK KKK KK KKK KKK KKK KKK KKK KKK KK
83. isted below i You can add modify delete the rules anytime add Rule Modify Rule Delete Rule SeqiD Interface Action Protocol Src IP SrcPort Direct Dest IP Dest Port Options 11000058 co lalere lp any any gt lany lany sid 1000058 1000080 c1 alert tcp 1 1 1 1 32 any gt 2 2 2 2 24 80 msg Match the HTTP sessions sid 1000080 Ready Rule list refreshed Status Connected to 10 Java Applet Window Corona Shate Canfin Fui latoct_dar Miernenft Ward Force10 P Series Node Manager 1 0 jae tet Lee Image Mgmt Card Mgmt Policy Mgmt Policy Management Line card O Static Rules Current set of static rules compiled on the device are listed below You can modify the action associated with these rules anytime SeqID In Ac Protocol Src IP Src Port Di 11000015 c0 alert cp 10 10 10 11 32 any 1000016 co alert tcp 11 10 10 1 32 2p 5 le detail 1000017 co alert udp 172 168 1 0 24 Squirt 11000018 c0 alert ludp 172 168 1 0 24 Dynamic Rule Details 1000019 10 2 1 0 2 11000020 co alert udp 10 2 1 0 24 Action aert i Interface 11000021 co alert cp 1192 168 1 0 lany Source IP Mask 10 1 1 1 32 Source Port 1000022 co alert ludp 1172 168 1 0 8 any 11000023 co alert Judp 1172 168 1 0 8 lany Direction gt f 11000024 cO alert lud 110 1 1 0 16 jam ET pue Y Dest IPjMask 20 2 2 2 32 Dynamic Rules
84. itecture that can simultaneously execute thousands of security policies and capture blocking operations on the same data Dynamic rules allocate generic registers inside the firmware to allow you to create and modify rules at runtime without changing the firmware A flow is a series of packets with the same state See State Field Programmable Gate Array FPGA is a logic device that is re programmable it is a counterpart to the Application Specific Integrated Circuit ASIC that cannot be modified once it has been programmed Garbage is data that is no longer necessary garbage collection is the process of discarding this data to free resources In the context of the P Series garbage is old state or flows Intrusion Detection System Intrusion Prevention System Multiple Instruction Single Data MISD is a computer architecture that executes many operations simultaneously on one set of data It is a counterpart to Single Instruction Multiple Data SIMD and Multiple Instruction Multiple Data MIMD architectures Null firmware is firmware that has no static rules Null firmware is used to maximize the dynamic rule capacity on the FPGA Offset is a Snort keyword that specifies a pattern matching start location within a packet For example an offset of 5 directs Snort inspect packets beginning after the first 5 bytes of the payload The P Series does not support this Snort keyword Rather the P Series has an offset feature that enables offs
85. ize Inspects the packet payload size number is the payload size in bytes dsize gt lt number gt lt number flags Checks for the presence of the specified TCP flag bits Valid flag bits include e F FIN Least Significant Bit LSB in the TCP Flags byte SYN e R RST e P PSH e A ACK U URG 1 Reserved bit 1 Most Significant Bit MSB in TCP Flags byte e 2 Reserved bit 2 e 0 No TCP Flags Set The following modifiers change the match criteria Match on the specified bits plus any others Match if any of the specified bits are set I Match if the specified bits are not set flags F S R P A U 1 2 0 F S R P A U 1 2 0 P Series Installation and Operation Guide version 2 3 1 2 119 Table 28 Description of P Series Snort Keywords Keyword Description Rule Syntax flow This keyword applies the rule to a specific traffic flow flow established stateless direction direction The flow can be in one of two states e established Trigger only on established TCP connections e stateless Trigger regardless of the state of the stream processor The direction parameter has the following options e to_client Trigger on server responses from A to B e to_server Trigger on client requests from A to B e from_client Trigger on client requests from A to B e from_server Trigger on server responses from A t
86. ke To complile rules Step Task 1 Change directory to pnic compiler 2 Enter the command gmake This command invokes the configuration script the pnic Compiler and the Xilinx compiler in succession Entering time gmake invokes the same processes but this command measures the compilation time as well 3 The script prompts you for a number of compilation options Refer to Table 8 for a description of each option and enter a response for each P Series Installation and Operation Guide version 2 3 1 2 55 Table 8 Compiler Configuration Options Compilation Option 1 Target Device Description Choose the model of your appliance e The P10 requires type PB 10G 2P see Figure 35 on page 58 2 Match non IP Traffic Answering Yes to this option matches packets that are not IPv4 This option should be set to No if only IP traffic is allowed see Figure 35 on page 58 3 Match Fragmented IPv4 Packets or IPv4 Packets w Options Answering Yes to this option Adds a rule to match fragmented IPv4 packets Adds a rule to match IPv4 packets with any option in the header see Figure 35 on page 58 4 Rules File Specify the rules file that contains the Snort rules that will be compiled into firmware Include the relative path of the file in your entry e Your entry is used to create the firmware names Enter null to create firmware with no static rules compiling firmware with no st
87. le root localhost SW pnic flow teardown disable No card number specified Assuming card 0 Disabling Flow Teardown on card 0 successful root localhost SW Usage The flow teardown feature is coupled with the firewall feature When default drop mode is Information enabled command pnic default drop enable the flow teardown is enabled by default When default drop mode is disabled pnic default drop disable the flow teardown is disabled by default Related Commands pnic default drop disable Disable firewall functionality This is the default behavior pnic default drop enable Enable firewall functionality pnic flow teardown enable Configure the appliance to clear any existing state for a TCP connection in the state memory when it receives a TCP packet with FIN and or RST bit set Syntax pnic flow teardown enable Command History Version 2 3 1 2 Introduced 88 Appendix A Example Usage Information Related Commands Figure 53 pnic flow teardown enable Command Example coot localhost SW pnic flow teardown enable No card number specified Assuming card 0 Enabling Flow Teardown on card 0 successful ON SW A The flow teardown feature is coupled with the firewall feature When default drop mode is enabled command pnic default drop enable the flow teardown is enabled by default When default drop mode is disabled pnic default drop disable the f
88. llation and Operation Guide version 2 3 1 2 5 U CIN aa orita a aa 125 MA COIS A A mmm da le ad mao wh E ela wean a 126 Appendix E ee ee ee ee er ee rr 127 Appendix F Technical SUPPOM s ice scctassedescrsinee steeds earned ensenneanesenseioecian 129 MARTA ARES sra deme tn ode tends wd Re IIA AA A ds AAA 129 The ISUODOMINEDSIO ssrrcasiar arica AEREA ARA 129 Accessing iSupport Services cosirccrrrirrr tiara AAA ARA 129 Contacting the Technical Assistance Center 0 600 0 cee eee 130 Locating P Series Serial Numbers o ooccoccccccccr tees 130 Requesting a Hardware Replacement 2000 cee eee 131 Contents About this Guide Objectives This document provides installation and operation instructions for the P Series P10 appliance Audience This guide is intended to be used by network engineers The P10 is a Unix based product that runs rule management software based on Linux and FreeBSD As such understanding how to operate the appliance requires a basic knowledge of Unix including the vi editor Conventions This document uses the following conventions to describe command syntax Convention Description keyword Keywords are in bold and should be entered at the command prompt as listed parameter Parameters are in italics and require a number or word to be entered at the command prompt X Keywords and parameters within braces must be entered at the command prompt X Keywords and
89. loaded into the FPGA To change static rules you make changes to the rules in the original rules file recompile them and reload the new firmware in the FPGA A synchronous packet SYN is a packet sent from the client to the server that requests a TCP connection It is the first part of the TCP handshake that establishes a TCP connection between the client and server The second part of the handshake is where the server sends a SYN ACK packet back to the client to acknowledge the receipt of the SYN request Finally the client sends an ACK packet to the server to complete the connection A SYN flood is a type of denial of service attack where a series of handshakes is initiated but not completed because the final ACK packet is never sent to the server This occupies the server s resources which results in a denial of service for other clients See ACK A tap is a device that can passively monitor network traffic and is analogous to a telephone wire tap XFP is a tranceiver that interfaces a network device and a fiber or unsheilded twisted pair UTP network cable It can transmit data at a rate of 10 Gb s 128 Technical Support Manual Pages Information on operating the appliance can be accessed through manual pages man pages with the command man command The command man pnic displays the man pages on the command line interface and man pnic displays them on the Ncurses interface Man pages for the compiler can be access
90. low teardown is disabled by default pnic default drop disable Disable firewall functionality This is the default behavior pnic default drop enable Enable firewall functionality pnic getmachashindex Syntax Parameters Command History Example Usage Information Display the hash index value for a specific source and destination IP address combination pnic getmachashindex number number Enter the number of the network interface card Range 0 5 Default O Version 2 1 0 0 Introduced Figure 54 pnic getmachashindex Command Example root localhost SW pnic getmachashindex No card number specified Assuming card 0 Please input the Source IP address e g 192 168 15 22 10 14 122 21 Input the Destination IP address e g 172 168 15 14 154 12 123 44 The hash index calculated for MAC rewrite is 170 0xaa root localhost SW Use this command with the MAC rewrite feature This command displays the hash index value for an IP address pairs P Series Installation and Operation Guide version 2 3 1 2 89 Related Commands pnic gui Syntax Command History 90 pnic macrewrite on Enable MAC rewriting pnic macrewrite off Disable MAC rewriting pnic updatemacvalue Update the LSB value for a particular hash index value Launch the graphical user interface pnic gui Version 2 0 0 1 Introduced Appendix A Example Figure 55 pnic g
91. mkdir directory Makes a directory in the specified location more filename Displays the contents of a file one screenful at a time mv directory target Moves the specified directory to the target location passwd Allow you to change the current password pwd Displays the directory in which you are currently present working directory rmdir directory Removes the specifed directory Two conditions apply to this command e The specified directory must be empty e The specified directory must not be between the current directory and root directory P Series Installation and Operation Guide version 2 3 1 2 125 vi Commands vi has two modes e Command Mode In command mode commands can be entered which allow you to jump to points in a file search text and exit the editor e Insert Mode Insert mode allows you to create or alter text in a file Note Commands are case sensitive Table 32 Basic viCommands Command vi filename Description Opens the specified file in the editor If the filename does not exits vi creates it Enter this command from the Unix shell prompt Escape Key Exits Insert Mode and enters Command Mode Arrow Keys Moves the cursor up down left and right Enters Insert Mode and allows you to insert text at the current cursor position x Deletes the character at the current cursor position text
92. n 0 Irq period 1ms HW Interfaces CHO Top Rate s CH1 Top Rate s Total Packets 0 0 0 0 TCP Packets 0 0 0 0 UDP Packets 0 0 0 0 ICMP Packets 0 0 0 0 Other Packets 0 0 0 0 Capture Packets 0 0 0 0 Total Flows 0 0 0 0 Delayed Pkts 0 0 0 0 Stateful Pkts 0 0 0 0 Blocked Packets 0 0 0 0 OS Interface pnicd Rate s Rx Packets 5676268 0 Rx Bytes 2815514660 0 Rx Bits 1049280800 0 Errors 0 0 Truncated Packets 0 0 z stop m manage_rules c truncation t timeout f packets flow x DMA e Graphical User Interface Table 6 Runtime Statistics Description Statistic Description Total Packets Shows the number of packets received by the ports This is a Layer 1 statistic and is independent of whether the OS interface is up or down TCP UDP ICMP Other Reports the type of packets received during matching Other includes all non IP types and all IP types other than TCP UDP and ICMP Capture Packets Counts the total number of packets matched and captured by some policy Total Flows Reports the number of new flows started according to the flow policies Stateful Packets Reports the number of packets matched because of a stateful policy The mathematical difference between this counter and the Captured Packets counter is the number of packets captured by stateless policies Blocked Packets Reports the number of packets blocked because of some policy except that packets blocked by default are not counted Rx Packets
93. nds after which a flow is considered expired u Bring the OS network interface up and enable matching x Toggle packet capture on or off z Unload the PNIC drivers and disable the PNIC Press any key to continue Legend Total packets Number of packets received by the PNIC ports Blocked Packets blocked by the PNIC TCP UDP ICMP Packet types received by the active port Other Packet types received by the active port not TCP UDP ICMP Total Captured Packets matched and captured by some PNIC policy Total Flows Number of flows recognized by PNIC policies Delayed Stored packets that may become captured later Stateful Captured packets matched by a stateful policy Rx Packets Bytes Bits Captured data received by the OS Errors Anomalous rx conditions Truncated Truncated packets received by OS may be because of high load Delayed Captured packets that have been delayed because of stateful rule Press any key to continue AO SW y P Series Installation and Operation Guide version 2 3 1 2 91 pnic help Syntax Command History Example Display a list of all available commands their syntax and descriptions pnic help Version 2 3 0 0 Introduced Figure 56 pnic help Command Example soot8 localhost SW pnic help No card number specified Assuming card 0 Note lt gt lt card_num gt lt channel_num gt lt force_option gt Command Help on a channel separate
94. ng that including them allows you to run Snort on the DPI interface It is best to include this file if Snort is being used as the front end If not using Snort as the front end these rules should not be included or they should be changed to accommodate other packet analysis requirements see Figure 36 on page 59 56 Compiling Rules Table 8 Compiler Configuration Options Compilation Option 7 Segmentation Evasion Rules Description The pnic Compiler prepends a set of fixed rules called evasion rules located in the pnic compiler rules directory The rules help detect attacks which are using strategic TCP segmentation to avoid detection It is best to include this file if Snort is being used as the front end If not using Snort as the front end these rules should not be included or they should be changed to accommodate other packet analysis requirements see Figure 36 on page 59 8 Maximum String Specify the maximum number of bytes a single static rule can use for content matching A low value truncates the match string and increases the number of rules that can fit into the FPGA but this is at the expense of increased false positives A value lower than 1024 is not recommended unless you can cope with the increased number of false positives through Snort or some other means see Figure 37 on page 60 9 Firmware Name Enter a mnemonic name for the firmware you are about to create 10 Confirm
95. nsitions in the P Series follow a non cyclic pattern no state transitions may erase any of the previous states New state transitions are simply recorded via a non destructive additive operation As new states are produced they are bitwise OR ed with the current states contained in the per flow register Cz which is 16 bits wide This method is different from stateful matching in software systems where old state is removed after a set amount of time It allows a deterministic wire speed state management algorithm while guaranteeing that no match events are ever lost due to resource constraints Figure 38 shows the state matching algorithm Note that the only time some state is erased is in the case of a timeout Figure 38 State Management Algorithm New Packet Calculate Cf Address Bitwise OR Update Cf Cf new state 9000017 Stateful Matching Each signature i contains a pattern matching expression m that is compared to the incoming data stream in real time time f In addition each signature may contain at your discretion three values s c and r which respectively specify e The pre match state condition necessary for the signature to match in addition to m e The post match state condition applied after the signature has matched e A directive indicating what to do with the matched packet The s and c values are used to manage a per flow register Cy where the subs
96. o B e no_stream Do not trigger on rebuilt stream packets only_stream Only trigger on rebuilt stream packets icmp_id This keyword checks for a specific ICMP ID value icmp id number icmp_seq This keyword checks for a specific ICMP sequence value icmp seq number icode This keyword checks for a specific ICMP code value icode gt lt number gt lt number id This keyword checks the IP ID field for the specified id number value ip_proto This keyword inspects the IP protocol header ip_proto gt lt name numben itype This keyword checks for the specified ICMP type value itype gt lt number gt lt number nocase This keyword matches strings without regard for nocase capitalization This keyword modifies the content keyword protocol Enter the protocol ICMP UDP TCP IP seq This keyword checks for the specified TCP sequence seq number number source Enter the address from which traffic is arriving The A B C D subnet_mask address destination Enter the address to which traffic is destined A B C D subnet_mask address souce port Enter the port from which traffic is arriving port_number destination Enter the port to which traffic is destined port_number port tos This keyword checks for the specified ToS value tos number 120 Appendix B Table 28 Description of P Series Snort Keywords Keyword Description ttl This keyword checks for the specified IP time to live value Rule Synt
97. oic orcos ii isisao aa ld eee ee 39 Managing the Network Interface Card o cocccccccccccooa 39 e A OAR RRRCKS MERE ARES AR ES ane R dee Rae sa 41 Chapter 6 Network Security Monitoring 200 e eee eee eee eee 43 lla tie Soil Syste id ia e 44 Dee TaN eE AAA de moo a Ned ck pelo ied dk daa acd 44 installing th Soul See coord A tees A A A 44 Installing the Squil Client 22 0 4c00ecedes caine Odeo eee ae rr edadOsee eR EEE 45 Steen PGS irradia 46 Runing the Soul SVM a a 47 Munning the E AAN 47 R nning the SOU Server di cdccde cede esas eat 48 Running the Sguil Ceni cass cd cde Ok ae e edad reir a a E e 49 Chapter 7 Gommand LINE Mieri coc 2s clesseciuccdeecseceuGeincsu iaa a cs 51 OLORES cccnidadednet OSS LNA ES AA SEE SES a ira wah ow CRS 51 Editing Dynamic Rules with the GLI ccccdetciieeete tease eicadiae e A A nARa na 51 AA E A e See sh a A O eat es a 51 PREMIAN VE N Ie reiron ri onia OR 53 Contents Chapter 8 COMPU MMOS causo ee 55 el A ck in eal dade ae Ince a me yeti A ad ricanenigs adds 55 HUESCA 2idenaceeecceras ara e AAA e A RA a e a A TA A 55 lA A A O N 55 starting and Stopping the pnic Conipiler accsciecseceeseceeuane a sdeuean 60 Configuration and Generated Files css 21csceheedeewudebewcnd a viee ee eee eds 61 Pies PICNENS Sedans coe is ae oes whee A id meee wed 62 Coin plat EWS sordas irradia RAPE RAI 62 Chapter 9 Writing RUISS si nrinarianasrrrarnrrride rr EA A IAR AEA RAA AAE RA AA 63 MORUE
98. okes the vi editor on the file rules custom in the user local pnic 0 directory see Editing Dynamic Rules with the GUI on page 28 e You can add delete or modify dynamic rules for either of the processing channels see Appendix D on page 125 for information on v The rules are automatically compiled and loaded into the appliance you are prompted to confirm these actions Manage Rules This option instructs the DPI on handling matching packets e It capes a list of all the rules contained in the FPGA and the policy setting for each e There are four policies available and they are described in Table 5 e Rules configured to ignore a packet that is the policy setting is permit or deny take precedence over rules that have a policy setting of alert or divert Therefore a permit or deny rule disables the capturing for all other rules that match the same packet To modify policy settings see Managing Capture Forward Policies with the GUI on page 29 Note The Capture toggle is not used Capture forward settings can only be modified through the graphical user interface Manage Firmware It displays the firmware files in usr local pnic firmware and allows you to select one to be uploaded to the FPGA Selecting firmware restarts and reloads the FPGA To manage firmware see Selecting Firmware with the GUI on page 30 Table 5 describes the four possible combinations of capture forward policie
99. op the Sguil sensor using the command pnic sguil sensor stop as shown in Figure 30 Figure 30 Stopping the Sguil Sensor core pnic sguil sensor stop A Do you really want to stop the Sguil sensor application y n y LogPackets stopped successfully Stopped Pcap Agent successfully Stopped Sancp Agent successfully Stopped Snort Agent successfully Stopped Barnyard successfully Stopped Snort successfully Stopped Sancp successfully Stopped tail of snort stats successfully Sguil sensor application has been stopped a Writing New Rules e All rules files are stored in the installation sub directory nsm sguil rules P Series Installation and Operation Guide version 2 3 1 2 47 e The rule file you are using should be mentioned in snort conf file A sample rule file under rules directory is already added and commented in snort conf e Log files are stored in the installation sub directory nsm sguil logs e When adding new rules to the file sample rules uncomment the line include sample rules in the file snort conf e Snort rule syntax is different from P Series rule syntax For example the following rule is invalid for Snort but valid for the P Series alert on cl tcp any any gt any any msg tcp sid 100000001 rev 1 See Chapter 9 Writing Rules on page 63 e The SID rule option is mandatory for Snort rules e Do not specify channel information in Snort rules as it is alrea
100. ormed using a compiler from Snort syntax into a form suitable for uploading to the FPGA 30 Graphical User Interface To select firmware Step Task 4 Enter the m command from the GUI command line see GUI Commands on page 26 to access the main rule management GUI Select Manage Firmware see Figure 18 Use the arrow keys to highlight the desired firmware and the Select option and press the Enter key See Firmware Filename Description on page 62 for information on identifying firmware by their filenames 4 Confirm your selection and exit the GUI Figure 18 Manage Firmware GUI Manage Firmware Please select rule with up down arrow keys and press enter ringup xc4v1x200 f1513 30 30 2048 N Y N N Jan 18 18 31 snort_ru es bad v143 xc4v1x200 ff1513 20 20 2048 N Y N N Jan 17 22 43 lt Capture Toggle gt fn9000015 Runtime Statistics Runtime statistics are displayed when firmware is uploaded and traffic is flowing across the appliance The GUI presents two views of traffic statistics The default view shows the total statistics for Channel O and 1 as shown in Figure 19 Enter the command p to view traffic statistics for both channels separately or as a sum as shown in Figure 20 Use the command p to toggle between the two views e The first line shows the device number type of device firmware ID and version number e The second line shows the status of the Ethernet interface and di
101. p Fail safe Deployment The P Series hardware is fail safe In the event of a software exception or reboot the card continues to function as it did before the event In the event of a power failure the hardware stops functioning and traffic is dropped When the appliance powers up again all the traffic is allowed by default and the card functions as before Use an optical bypass switch in an inline deployment so that traffic continues to flow in the event of a power failure as shown in Figure 5 Figure 5 Fail safe Behavior with Optical Bypass Optical Bypass 10 Gigabit lt A o 10 Gigabit P Series P 1 0 fn90030mp Introduction Highly available Deployment Use optical bypass switches with the P Series for a highly available redundant deployment as shown in Figure 6 Both the appliances have the same configuration so that in the event of a power failure on one device the other continues to operate and the detection engine remains intact In the event that both devices experience a power failure the traffic continues to flow through the bypass switches Figure 6 Highly available Redundant Deployment ae Optical Bypass 10 Gigabit sien A 10 Gigabit P Series P10 fn90031mp Passive Deployment Enable passive mode see Command Line Reference on page 79 with fiber taps in line for IDS deployments e Send traffic from one side of the tap to port PO and traffic from the other side to port P1 as shown in Figure 7
102. p Task Command 1 Copy sguil server lt version gt tar gz to the server in which it will be installed 2 From the directory where the server package is stored tar zxvf sguil server lt version gt tar gz untar the Sguil server package 3 Change to Bash shell bash 44 Network Security Monitoring Step Task Command 4 Source the server configuration file The default source Configure Inputs sh parameters in this file may be changed 5 Compile and build the Sguil server package Use the gmake gt build log 2 gt amp 1 logging option to collect debugging information during compilation and redirect standard output and errors to a log file 6 Install the Sguil server package gmake install 7 OPTIONAL Set the debug flag to 1 in sguild conf before executing Startserver sh to display Sguil server debug messages Uninstalling the Sguil Server To uninstall the server Step Task Command 1 Stop the Sguil and MySQL servers if they are running 2 From the directory in which the sever package was source Configure Inputs sh installed source the Sguil server configuration file 3 Uninstall the Sguil server Use the logging option to gmake uninstall gt uninstall log 2 gt amp 1 collect debugging information during uninstallation and redirect standard output and errors to a log file Installing the Sguil Client You must have the following software installed in your PC before installing the Sguil client e lt Ac
103. passwd username password can be used The application can be best viewed with the minimum screen resolution of 1280 x 800 FORCEGO Web Client Login P Series Login User Name Password Login user logged in Queries please e mail to sales force1 Onetworks com Product Support support force1 Onetworks com 36 Web based Management Web browser Security Certificates The P Series Node Manager client and the server communicate via HTTPs All transactions are encrypted and thus protected by the SSL protocol The SSL certificate is a self signed certificate that is not signed by a trusted Certificate Authority CA While trying to launch the P Series Node Manager your web browser might display an alert indicating that the security certificate was not issued by trusted CA or a similar warning Figure 22 You are safe to use the application without security risks Figure 22 Web browser Security Certificate Alert Website Certified by an Unknown Authority Unable to verfy the identity of 10 16 130 245 as a trusted she a Possible reasons for the error Your browser does not recognize the Certficate Authority that issued the site s certficate The ste s certificate is incomplete due to a server misconfiguration You ara connected to a site pretending to be 10 16 130 245 possibly to obtain your confidential information Please notify the stes webmaster about this problem Before accepting
104. ply a specific firmware image to the card You must specify either the firmware name or the complete path of the firmware Syntax pnic apply firmware number P Series Installation and Operation Guide version 2 3 1 2 81 Parameters Command History Example Related Commands number OPTIONAL Enter the number of the network interface card Range 0 5 Default 0 Version 2 3 0 0 Introduced Figure 42 pnic apply firmware Command Example 1 AA SW pnic apply firmware i No card number specified Assuming card 0 Do you really want to apply a new firmware for card0 y n y Please enter the path or name of the firmware to apply usr local pnic firmware null xc4vlx200 ff1513 50 50 2048 Compiling dynamic rules for pnic0O Parsing the dynamic rules for channel0 Parsing the dynamic rules for channell Interface pnicO is down Waiting for matching to stop Loading rule firmwares Done Loading pass block settings Done Loading dynamic rules Done KKEKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK Interface pnicO is up MTU set to 9264 bytes KKEKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK Version P_MAIN2 2 0 058 The firmware image null xc4v1x200 ff1513 50 50 2048 was successfully applied to card0 NA SW Figure 43 pnic apply firmware Command Example 2 root localhost SW pnic apply firmware No card number specified Assuming card 0 Do you really want to apply a new firm
105. previous state When a stateful flow is older than a timeout value Cr is ignored It is replaced by 0x1 So the rule for the first state of a flow should have s 1 Packet Handling the R Value The constant r is a flag that tells the hardware what to do with a packet that has been matched to signature i The memory used to store the matched packets is divided into Temporary Memory and Match Memory If a packet is stored in Match Memory action is requested from the host to process the matched packet If a packet is stored in Temporary Memory no action is requested from the host as this represents only a partial match P Series Installation and Operation Guide version 2 3 1 2 69 When a packet is stored in either Temporary Memory or Match Memory a pointer to the previously stored packet in the same flow contained in a portion of the flow register Cy is also stored Thus a packet stored in Match Memory may reference another packet stored in Temporary Memory which in turn may reference more packets thus forming a linked list of partial matches starting with a packet stored in Match Memory The values for r have the following meanings 1 store the packet in Temporary Memory 2 store the packet in Match Memory and notify host software Note If the Hash key option is selected the R 2 flag no longer causes the packet to be stored in Temporary Memory Stateful Rule Examples Table 20 Stateful Matching Signatures Si
106. r specified Assuming card 0 Disabling VLAN tag remove on card 0 channel 0 amp 1 successful root localhost pnic pnic vlan remove enable Syntax Default Command History Usage Information Example Remove the VLAN tag and recalculate the CRC on all tagged packets passing through the appliance pnic vlan remove enable The VLAN Tag Remove feature is disabled by default Version 2 3 1 2 Introduced This feature is enabled and disabled on both sensing ports Figure 83 pnic vlan remove enable Command Example root localhost pnic pnic vlan remove enable No card number specified Assuming card 0 Enabling VLAN tag remove on card 0 channel 0 amp 1 successful root localhost pnic 114 Appendix A pnic version Display the driver version Syntax pnic version Command History Version 2 0 0 1 Introduced Example Figure 84 pnic version Command Example root localhost SW pnic version Forcel0 Networks PNIC Software Version P_MAIN2 2 0 058 root localhost SW pnic web gui start Start the web server Syntax pnic web gui start f Disable the web server using the command pnic web gui stop parameters f The first time the Web server is started the P10 prompts for and stores parameters to generate a self signed certificate From then on the same certificate is used when starting the server when you enter the command If you specify the
107. rameters Command History Disable the capturing of packets via direct memory access DMA pnic off number Enter the number of the network interface card Range 0 5 Default 0 Version 2 0 0 1 Introduced 100 Appendix A Example Usage Information Related Commands Figure 64 pnic off Command Example root localhost SW pnic off No card number specified Assuming card 0 Capture OFF set successful root localhost SW Turning off capturing might be desirable during traffic mirroring or pure filtering applications where the host is only used for control pnic on deprecated Enable the capturing of packets via direct memory access DMA onic on deprecated Syntax Parameters Command History Example Related Commands Enable the capturing of packets via direct memory access DMA pnic on number Enter the number of the network interface card Range 0 5 Default 0 Version 2 0 0 1 Introduced Figure 65 pnic on Command Example root localhost SW pnic on No card number specified Assuming card 0 Capture ON set successful root localhost SW pnic off deprecated Disable the capturing of packets via direct memory access DMA P Series Installation and Operation Guide version 2 3 1 2 101 pnic params Display the card interface name device ID and contents of the register on the PCI X and Master FPGAs Syntax pnic p
108. raph Table Options Show statistics as O Graph Table Show on Graph Table Absolutes Rate sec TCP Pkts 103883756 UDP Pkts 2000 Timestamp Total Pkts Tue Jan 08 19 25 45 IST 2008 103888756 ICMP Pkts 3000 Other Pkts Capture 103888756 Total Flows Delaye Stateful Blocked TotalRx 5289699 Total Rx Errors 338540736 Truncat Delayed Tue Jan 08 19 25 38 IST 2008 6000 1000 2000 3000 442432 28315648 Tue Jan 08 19 25 30 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 25 22 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 25 13 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 25 05 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 58 15T 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 50 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 42 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 34 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 27 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 19 15T 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 24 11 IST 2008 6000 1000 2000 3000 3514 Tue Jan 08 19 24 02 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 55 IST 2008 6000 1000 2000 3000 3514 224896 Tue Jan 08 19 23 47 IST 2008 600
109. rect memory access DMA and the values of Flow Timeout Packets Flow and IRQ Period These parameters can be adjusted using the GUI commands described in Table 3 P Series Installation and Operation Guide version 2 3 1 2 31 The remaining lines report the cumulative number of events and the rate of those events A description of each line is given in Table 6 Figure 19 Runtime Statistics for Channel 0 and 1 FPGA Loaded C20 8 0 0 user 0 0 system 0 0 nice 100 0 idle Dev 8002 Type PNIC 0 FirmwareID 64 Ver 2 6 DefaultDrop disabled pnic0 UP Capture on FlowTimeout 16 Packets flow 0 Truncation 0 Irq period 1ms HW Interfaces CHO Top Rate s CH1 Top Rate s Total Packets 0 0 0 0 TCP Packets 0 0 0 0 UDP Packets 0 0 0 0 ICMP Packets 0 0 0 0 Other Packets 0 0 0 0 Capture Packets 0 0 0 0 Total Flows 0 0 0 0 Delayed Pkts 0 0 0 0 Stateful Pkts 0 0 0 0 Blocked Packets 0 0 0 0 OS Interface pnicd 0 Rate s pnic0 1 Rate s Rx Packets 2838226 0 2838042 0 Rx Bytes 1408250941 0 1407263719 0 Rx Bits 2676072936 0 2668175160 0 Errors 0 0 0 0 Truncated Pkts 0 0 0 0 UA z stop m manage_rules c truncation t timeout f packets flow x DMA J Figure 20 Cumulative Runtime Statistics for Channels 0 and 1 FPGA Loaded CPU s 0 0 user 0 0 system 0 0 nice 100 0 idle Dev 8002 Type PNIC 0 FirmwareID 64 Ver 2 6 DefaultDrop disabled pnic0 UP Capture on FlowTimeout 16 Packets flow 0 Truncatio
110. reen resolution of 1280x800 You must also have Java Run Time Environment JRE installed with the Use JRE X Y Z for lt applet gt option enabled under Tool gt Internet Options gt Advanced tab when using either Internet Explorer 6 or 7 To launch the P Series Node Manager Step Task 4 Enter the command pnic web gui start to enable the secure HTTP service on the P Series see Appendix A on page 79 2 Lauch the P Series Node Manager in a web brower by entering https ipaddress in the address bar as shown in Figure 21 3 Login using the username and password configured on your P Series appliance P Series Installation and Operation Guide version 2 3 1 2 35 Figure 21 Lauching the P Series Node Manager FORCEGO Note Stop the secure HTTP service using the command pnic web gui stop see Appendix A on page 79 About P Series Node Manager 1 0 Force10 Networks P Series Node Manager is a flexible graphical element management tool that simplifies P Series configuration and monitoring With full features to do rule management image management and interface traffic monitoring the GUI provides the information necessary to ensure predictable network performance In addition the graphical user interface allows you to do health monitoring You can look atthe CPU and memory usage ofthe device lt also keeps you updated with the current card status Login credentials The operating system login etc
111. replacement hardware follow these steps Step Task 1 Determine the part number and serial number of the component 2 Request a Return Materials Authorization RMA number from TAC by opening a support case Open a support case by e Using the Create Service Request form on the Support page see Contacting the Technical Assistance Center on page 130 e Contacting Force10 directly by E mail or by phone see Contacting the Technical Assistance Center on page 130 Provide the following information when using E mail or phone Part number description and serial number of the component Your name organization name telephone number fax number and E mail address e Shipping address for the replacement component including a contact name phone number and E mail address A description of the failure including error messages e The support representative will validate your request and issue an RMA number for the return of the component 3 Pack the component for shipment Label the package with the component RMA number P Series Installation and Operation Guide version 2 3 1 2 131 132 Technical Support
112. rmation i B fn90025mp P Series Installation and Operation Guide version 2 3 1 2 43 Installing the Sguil System To employ Sguil you must 1 Install the sensor See page 44 2 Install the server See page 44 3 Install the client See page 45 Note You can download the server and client Sguil components directly from the Sguil website at http sguil sourceforge net index html The solution uses a number of components which must be installed For your convenience a simplified install package is provided on the Force10 Networks support website please see the instructions in the remainder of this chapter Installing the Sguil Sensor P Series appliances running version 2 3 0 0 or newer are already capable of operating as a Sguil sensor Installing the Sguil Server The Sguil server package installs the Mysql server and Sguild server packages Hardware and Software Requirements Force10 recommends using a server that has at least 2 GB of RAM a 3 0 GHz processor and 150 GB hard disk with a RAIDS array for speed and reliability Sguil runs on a variety of BSD and Linux based systems Force10 has tested compatibility with and recommends using e CentOs 5 64 bit Linux version 2 6 18 8 1 14 el5 e CentOs 5 32 bit Linux version 2 6 18 8 1 14 el5 or e FreeBSD 6 2 lt release gt Note Red Hat Enterprise Linux RHEL might also be compatible but has not been tested To install the server Ste
113. s Table 5 Capture Forward Policies Policy Capture Forward Permit Y Deny Alert Y Y Divert Y Editing Dynamic Dynamic rules are store Rules with the GUI d in the file rules custom in the usr local pnic 0 directory The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file 28 Graphical User Interface To modify dynamic rules Step Task 4 Enter the m command from the GUI command line see GUI Commands on page 26 to access the main rule management GUI see Figure 14 Select Edit Rules to invoke the vi editor see Figure 15 Add delete alter or uncomment rules using vi commands see Appendix D on page 125 You are prompted to confirm your changes upon exiting the editor Figure 15 Editing Dynamic Rules in v If you prepend an or any other particular character to all msg strings fall dynamic rules will be grouped together in the alphabetical list in the GUI thus making it easier to find them as a group fUsing ip instead of tcp udp or icmp saves quite a bit of match memory sample rules can be used to test with the provided DARPA trace on cl ip 172 16 112 0 8 23 gt 195 115 0 0 16 any msg RTest rule3 ttl on cl ip 172 16 112 0 8 23 gt any any msg Test rule4 id 21707 cl ip any any gt any any msg Rf Test rule5 ack 3642704891 on cO tcp any any gt any any msg fTest rule6 seq
114. s after which a flow is considered expired Flow Timeout 26 Graphical User Interface Table 3 GUI Commands Command Description u Brings the OS network interface up and enables matching This is similar to the command s but it does not load reload the driver It is only valid after the command s has been executed x Toggles the direct memory access DMA off and on to enable or disable capturing to the host respectively z Disables the DMA and brings the interface down in succession This is equivalent to issuing the commands pnic down and pnic off in succession Note Commands 1 2 3 4 and 5 are for engineering use only If you enter a command 1 through 5 by gt mistake enter O to return to the runtime statistics screen Managing Rules Policies and Firmware Enter the m command from the GUI command line see GUI Commands on page 26 to invoke a menu that enables you to manage dynamic rules capture forward policies and firmware Three options are available they are shown in Figure 14 and described in Table 4 Figure 14 Rule Management GUI PNICO Not Active Please select with up down arrow keys and press enter edit Rules Add Remove Rules Manage Rules Change Permit Deny policie Manage Firmware Change the firmware fn9000011 P Series Installation and Operation Guide version 2 3 1 2 27 Table 4 Managing Rules Using the GUI Option Edit Rules Description This option inv
115. s on pnicO 0 Statistics on pnic0 1 Maximum poll entries to keep Apply Settings Stop Polling Graph Table Options Show statistics as Graph O Table Show on Graph Table Absolutes O Ratefsec HW Interface Statistics pnic0 0 HW Interface Statistics gt 19 22 30 19 22 35 Total Pkts TCP Pkts UDP Pkts ICMP Pkts Other gt Delayed Pkts Stateful Pkts Blocked Pkts gt 19 22 40 19 22 45 19 22 50 Time hh mm ss Pkts Captured Pkts Total Flows OS InterFace Statistics pnic0 0 OS Interface Statistics 200 000 150 000 100 000 19 22 25 19 22 30 19 22 35 19 22 40 Time hh mm ss 19 22 45 19 22 50 Total Pkts 6000 TCP Pkts 1000 DP Pkts 2000 Total Flows 0 FE 2 B Z Pkts pooo cere Total Rx Pkts Total Rx Bytes Errors Truncated Pkts Delayed Pkts Capture 6000 Ready Last refreshed time Tue 8 Jan 2008 19 22 56 0530 Status Connected to 10 16 130 243 Ready Java Applet Window Force10 P Series Node Manager 1 0 GS Home Image Mgmt Card Mgmt Card Management Line card 0 amp Policy Mgmt Tue 8 Jan 2008 19 22 58 0530 FORCEG O DEK Poller Options Poll Interval in secs 5 Statistics on pni Statistics on pnicO Maximum poll entries to keep 100 Apply Settings Stop Polling G
116. s states Smaller values increase the number of concurrent flows that can be tracked The default value is 16 Address 16 Master FPGA This address is mapped to the parameter Flow length measured in packets This parameter controls the maximum number of packets in a flow that are considered for capturing Typical values range from 6 to16 Address 24 This address is mapped to the parameter Burst size measured in 32 bit PCI X FPGA words This parameter sets the number of 32 bit words to transfer in one PCI X master cycle Larger bursts achieve higher throughput but may increase buffering latency and contention with other devices sharing the same bus The default value is 1024 Address 36 This address specifies the count in PCI X clocks before the DMA buffer is PCI X FPGA transferred to the host if the buffer contains less than the programmed burst size P Series Installation and Operation Guide version 2 3 1 2 95 pnic loadeproms Load the PCI X and front end EEPROMs Syntax pnic loadeproms number Parameters number Enter the number of the network interface card Range 0 5 Default 0 Command History Version 2 0 0 1 Introduced Usage Use this command to upgrade PCI X and front end EEPROMs to new revisions Reboot the Information chassis after executing this command only then does new firmware take effect Note This process takes up to 30 minutes onic loadparams deprecated Upload
117. t in a residential area is likely to cause harmful interference in which case users will be required to take whatever measures necessary to correct the interference at their own expense Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits Forcel0 Networks is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications in the equipment Unauthorized changes or modification could void the user s authority to operate the equipment This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 this device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesired operation Canadian Department of Communication Statement The digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications Attention Le present appareil numerique n emet pas de perturbations radioelectriques depassant les normes applicables aux appareils numeriques de la Class A prescrites dans le Reglement sur les interferences radioelectriques etabli par le ministere des Communications du Canada European Union EMC Directive Conformance Statement This product is in conformity with t
118. tate 2 Fragment of size 1 dsize 1 S 4 R 1 C 16 alert tcp any any gt any any msg Z Evasion State 1 First fragment of size 0 lt gt 10 state 1 dsize 0 lt gt 20 S 4 R 1 C 8 alert tcp any any gt any any msg Z Evasion State 2 Second fragment of size 0 lt gt 10 capture flow dsize 0 lt gt 20 S 8 R 1 C 16 alert tcp any any gt any any msg Z Evasion State 3 Capture flow fragments of size 0 lt gt 10 dsize 0 lt gt 100 S 16 R 2 C 17 1 Yes a Selecting Yes is recommended C l when using Snort J P Series Installation and Operation Guide version 2 3 1 2 59 Figure 37 pnic Compiler Option 8 9 Please choose the maximum number of bytes per signature 1024 recommended Selecting a small number allows larger sets of signatures at the expense of more false positives 1 16 2 32 3 64 4 96 5 128 6 256 7 512 8 1024 2 8 Enter the firmware base image name press the Enter key to retain the default name snort_dos rules xc4vlx200 ff1513 10 10 32 snort_dos rules Selected configuration q Summary of configuration Signature files snort dos rules Firmware name snort dos rules Firmware file snort_dos rules bit Mapping for ch 0 snort_dos rules 0 mapping Mapping for ch 1 snort_dos rules 1 mapping PNIC device xc4v1x200 ff1513 Include meta rules yes Include evasion rules yes Dynamic rules CH 0 10 Dynamic rules CH 1 10
119. the capture block configuration e Load the runtime parameters Enable the network interface pnic start number Disable the network interface using the command pnic stop number Enter the number of the network interface card Range 0 5 Default O Version 2 0 0 1 Introduced 110 Appendix A Example Related Commands pnic stop Syntax Parameters Command History Example Related Commands Usage Information Figure 77 pnic start Command Example xoot localhost SW pnic start SS No card number specified Assuming card 0 Interface pnicO is down Loading pass block settings Done Loading dynamic rules Done KKEKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKKKKKKKK Interface pnicO is up MTU set to 9264 bytes KKEKKKKKKKKKKK KKK KKK KKK KKK KKK KKK KKK KKKKK Version P_MAIN2 2 0 058 oe SW Y pnic stop Disable the network interface Turn off capture and disable the network interface pnic stop number Enable the network interface using the command pnic start number Enter the number of the network interface card Range 0 5 Default O Version 2 0 0 1 Introduced Figure 78 pnic stop Command Example root localhost SW pnic stop No card number specified Assuming card 0 Interface pnicO is down root localhost SW pnic start Enable the network interface This command disables the pnic software interface and disa
120. the runtime configuration parameters contained in the file usr local pnic O pnic conf Syntax pnic loadparams number Parameters number Enter the number of the network interface card Range 0 5 Default 0 command Version 2 0 0 1 Introduced History 96 Appendix A Example Figure 60 pnic loadparams Command Example Aggregate mode On MASTER FPGA 0x10 00000000 On PCI FPGA 0x18 00000100 lt oot localhost pnic loadparams N N o card number specified Assuming card 0 Loading configurations Read from configuration file and apply to PNIC card 0x10 0000 0x14 0010 0x18 0000 0x18 0100 0x24 20788 0x28 20788 DMA Capture Status off MAC Rewrite state CHO disabled CH1 disabled Default Drop Packet disabled Temporary memory disabled Passive mode disabled Read out the registers that were just applied DMA Capture off MAC Rewrite state CHO disabled CH1 disabled Default Drop Packet disabled Temporary memory enabled Aggregate mode enabled PHY passive mode disabled Version P_MAIN2 2 0 062 enabled 0x14 00000010 0x18 00000000 0x24 00020788 0x28 00020788 gt MAMA eis 14 F Usage The syntax of such parameter files is address value where address is the decimal address Information of the DPI control register and value is the hexadecimal parameter to be loaded Table 27 shows the parameters to which each address is mapped Table
121. this certificate you should examine this site s certificate carefully Are you wiling to to accept this certificate for the purpose of idertifying the Web ske 10 16 130 2457 Examine Certificate Accept this certficate permanently O Accept this certificate temporarily For this session Do not accept this certificate and do not connect to this Web site OK Cancel Managing the P Series using Node Manager P Series Node Manager has four major management capabilities e Monitoring System Performance on page 38 e Managing Firmware Images on page 39 Managing the Network Interface Card on page 39 e Managing Policies on page 41 P Series Installation and Operation Guide version 2 3 1 2 37 Monitoring System Performance Monitor system performance from the Home panel Figure 23 The Home panel is displayed after logging into Node Manager It displays basic system information card interface and resource information as well as CPU and memory usage over time Figure 23 P Series Node Manager Home Panel Force10 P Series Node Manager 1 0 File View Help S amp amp Horne Image Mgmt Card Mgmt Policy Mgmt Home E E ES Device Information Line card 0 Card Information Hostname localhost localdomain IP Address 10 16 130 245 NA Card Type Card Status Up Number of Line Cards Device ID Firmware 1D Master FW Version 2 1b PNIC Software Version P_MAINZ 3 0 018 PCI
122. tiveTcl Force 10 recommends ActiveTcl8 4 14 which includes Wish e WinZip e Wireshark e Wish e Download the OpenSSL TCL extension TLS package to the client and extract the contents to the lib directory of the TCL installation Typically the TCL installation directory is c program files tcl To install the client Step Task 1 Copy sguil client lt version gt tar gz to the PC on which it will be installed 2 Extract the tar file P Series Installation and Operation Guide version 2 3 1 2 45 Step Task 3 Configure the following parameters in the file sguil conf e Enable 1 or disable 0 the debug option Set the browser path Set the Wireshark application path e Set the TLS library path as shown in Figure 28 e Set priority levels of the alert window Figure 28 Setting the TLS Library Path PATH to tls lib if needed tcl can usually find this by default set TLS_PATH usr lib tls1 4 libtls1 4 so win32 example set TLS_PATH c progra 1 Tc1 1ib t1s1 4 1 t1s14 d11 Installation Files Table 7 lists the files and directories created during installation that are relevant to running the Sguil system Table 7 Sguil Files and Directories File Location Sensor sensor installation directory usr local pnic mgmt lib sguil sensor sensor configuration files lt install_dir gt nsm sguil etc snort conf lt install_dir gt nsm sguil etc log
123. ui Command Example root localhost SW pnic gui SN CPU s 0 0 user 0 0 system 0 0 nice 100 0 idle Dev 8002 Type PNIC 0 FirmwareID 64 Ver 2 6 DefaultDrop disabled pnicO UP Capture on FlowTimeout 16 Packets flow 0 Truncation 0 Irq period 1ms EW Interfaces CHO Top Rate s CH1 Top Rate s Total Packets 0 0 0 0 TCP Packets 0 0 0 0 UDP Packets 0 0 0 0 ICMP Packets 0 0 0 0 Other Packets 0 0 0 0 Capture Packets 0 0 0 0 Total Flows 0 0 0 0 Delayed Pkts 0 0 0 0 Stateful Pkts 0 0 0 0 Blocked Packets 0 0 0 0 OS Interface pnic0 0 Rate s pnic0 1l Rate s Rx Packets 0 0 0 0 Rx Bytes 0 0 0 0 Rx Bits 0 0 0 0 Errors 0 0 0 0 Truncated Pkts 0 0 0 0 Delayed Pkts 0 0 0 0 h help z stop m manage_rules c truncation t timeout f packets flow x DMA Available commands are a IRQ period ms Range 0 80 0 no throttling 80 maximum throttling Cc Number of bytes to capture after a match 0 means entire packet d Bring the OS network interface down and disable matching f Maximum number of packets captured for each flow h Display this help page i Number of seconds for the refresh interval m Manage the dynamic rules set the capture forwarding policies and select and load the firmware p Toggle the display of OS stats for separate channels and combined channel q Quit the program r Reset all the OS counters s Start or restart the PNIC drivers and reload the firmware t Number of seco
124. ump enter the command tcpdump i pnicO n from the Unix command line e This prints to standard output all of the packets captured by the DPI e Ifthe appliance is operating correctly you will see the ICMP packets Returning to the Default Configuration Return to the factory default settings using the command pnic resetconf See the Command Line Reference on page 79 P Series Installation and Operation Guide version 2 3 1 2 15 Getting Started Introduction The P Series P10 Intrusion Detection and Prevention System IDS IPS appliance employs Dynamic Parallel Inspection DPI technology It uses a Multiple Instruction Single Data MISD massively parallel processor that executes thousands of security policies or traffic capture operations on the same data stream at the same time DPI synthesizes individual security policies and packet analysis algorithms and maps them directly into silicon hardware gates Through this design it is able to deliver full packet inspection and protection at line rate for 1 Gigabit and 10 Gigabit links whether the traffic load or security policy is 1 or 100 The policies can be derived from public domain signatures or they can be completely user defined For each policy you can direct the DPI to e Capture packets for the host capture is defined as both DMA to host and copying to the mirror port e Forward packets with negligible delay e Block packets As a result the P10 can be
125. used as both an IDS accelerator and a stateful content filter for IPS applications In an active configuration it can be inserted inline into the network this alleviates the need for a SPAN port or tap and enables filtering applications In passive configurations it can merely listen to the network via a mirroring port or tap Hardware Architecture Overview The P10 is a 1 RU appliance provisioned with one DPI processing system and has at minimum an AMD Dual Core Opteron 280 processor a 400 GB hard drive 8 GB of RAM Figure 3 shows packet flow in the DPI which is a two port device Packets are forwarded from the receive side of the first port Rx0 to the transmit side of the second port Tx1 Likewise Rx1 forwards packets to TxO of the first port As the packets are being forwarded they are also processed in real time by two independent processing channels each with its own set of policies If there is a match in a processing channel the DPI can block the packet capture it and send it to the host through the PCI X bus The two processing channels are completely independent and thus they can be used to process two asymmetric links or both directions of a full duplex connection In addition to two sensing interfaces the P10 includes two 1 Gigabit Ethernet mirroring ports These ports can copy and forward matched traffic to another device It is also possible to disable the PCI X DMA capture and let the matched traffic bypass the host
126. ware from these files at your discretion 18 Introduction Table 2 Firmware is a set of rules that has been transformed using a compiler from Snort syntax into a form suitable for uploading to the FPGA Two sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware management methods see Rule Management on page 19 Table 2 describes each sample rules file Sample Rules Files Rule Set Description evasion tules The rules in this file help detect attacks which are using strategic TCP segmentation to avoid detection fw rules This file contains rules written in Snort syntax for a firewall application see Writing Rules for a Firewall Deployment on page 77 meta rules The rules in this file report on flow information and provide compatibility with Snort null rules This file contains no rules the firmware created from these files are empty images that maximize the dynamic rule capacity see Rules Capacity on page 55 sample rules This file contains rules written in Snort syntax that were derived from publicly available IDS rules The firmware based on the sample rules files follow the naming convention described in Selecting Firmware with the GUI on page 30 Note Force 10 recommends not using the sample firmware for production IDS IPS use The sample firmware requires considerable site specific
127. ware for card0 y n n root localhost SW pnic show firmwares Display the available firmware 82 Appendix A pnic capture off Syntax Parameters Command History Example Usage Information Related Commands Disable the capturing of packets via direct memory access DMA pnic capture off number Enter the number of the network interface card Range 0 5 Default O Version 2 3 0 0 Introduced Figure 44 pnic capture off Command Example root localhost SW pnic capture off No card number specified Assuming card 0 Capture OFF set successful root localhost SW Turning off capturing might be desirable during traffic mirroring or pure filtering applications where the host is only used for control pnic capture on Enable the capturing of packets via direct memory access DMA onic capture on Syntax Parameters Command History Enable the capturing of packets via direct memory access DMA pnic capture on number Enter the number of the network interface card Range 0 5 Default 0 Version 2 3 0 0 Introduced P Series Installation and Operation Guide version 2 3 1 2 83 Example Figure 45 pnic capture on Command Example root localhost SW pnic capture on No card number specified Assuming card 0 Capture ON set successful root localhost SW Related Commands pnic capture off Disable the capturing of
128. write the least significant byte LSB of the destination MAC address for packets with particular source and destination IP addresses pnic macrewrite on Syntax Rewrite the least significant byte LSB of the destination MAC address for packets with particular source and destination IP addresses pnic macrewrite on number channel Disable MAC rewriting using the command pnic macrewrite off P Series Installation and Operation Guide version 2 3 1 2 99 Parameters Default Command History Example Usage Information Related Commands Enter the number of the network interface card Range 0 5 Default 0 number Enter the channel number Range 0 1 Default 0 channel MAC rewrite is disabled by default The default value for the LSB is the system assigned hash index value Version 2 1 0 0 Introduced Figure 63 pnic macrewrite on Command Example root localhost SW pnic macrewrite on No card number specified Assuming card 0 No channel number specified Assuming channel 0 Enabling MAC rewrite on card 0 channel 0 successful root localhost SW MAC rewriting can be used for load balancing Load balancing is achieved by overwriting the least significant byte of the destination MAC address for packets with a specified source and destination IP address with a user specified value pnic macrewrite off Disable MAC rewriting pnic off deprecated Syntax Pa
129. you must Select firmware and dynamic rules 2 Set capture forward policies 3 Check for proper operation by generating traffic across the appliance Step Task 1 As root enter the command pnic gui from the Unix command line to invoke a graphical user interface GUI 2 Enter the command m from the GUI command line 3 Select Manage Firmware from the Rule Management GUI then select null firmware and confirm The sample firmware and rules files are testing examples only Force 10 recommends not employing the sample firmware for production IDS IPS use 4 Select Edit Rules from the Rule Management GUI 5 Uncomment the rule alert on all icmp any any gt any any msg icmp by removing the symbol before the rule Enter the command i to enter insert mode e Navigate to the character using the arrow keys and delete the character 6 Enter the command wq to exit the vi editor and confirm your changes 7 Confirm to reload the Forward Block settings 8 Run a packet sniffer such as tcodump on the network interface associated with the appliance 9 Generate some ICMP traffic to be exchanged between endpoints Endpoints are two network nodes on opposite sides of the appliance such that traffic between those nodes passes through the appliance e For example enter ping destaddress where destaddress is the IP address of the endpoint on the opposite end of the appliance 10 If you are using tcpd
Download Pdf Manuals
Related Search