3Com X506 Unified Security Platform Manual (Model: 3CRX506-96 or 3CRX50696)

X-Series Local Security Manager User Guide
Version 2.5

Part Number TECHD-176 A01
Published December 2006
http://www.3com.com/

3Com Corporation
350 Campus Drive
Marlborough, MA 01752-3064

Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hardcopy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGENDS: If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

United States Government Legend: All technical data and computer software is commercial in nature and developed solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with this guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation. VCX is a trademark of 3Com Corporation. X5™ and Digital Vaccine are registered trademarks. TippingPoint and the TippingPoint logo are trademarks of 3Com Corporation or one of its subsidiaries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation.

Other brand and product names may be registered trademarks or trademarks of their respective holders.

Table of Contents

About This Guide ix

Chapter 1. System Overview 1
  X-Series System 2
  Core Functionality 3
  X-Series Environment 4
  Local Clients 4
  System Requirements 5
  SMS Configuration 5

Chapter 2. LSM Navigation 7
  Overview 7
  Security Notes 8
  Logging In 8
  LSM Screen Layout 10
  Main Menu Bar 11
  Navigation 13
  Content and Functionality 14
  Title Bar 14
  Tabbed Menu Options 14
  System Summary 15
  System Status 15
  Health 15
  Packet Stats 16
  Network DHCP 16
  Reboot Device 16
  Log Summary 17
  Product Specifications 17

Chapter 3. IPS Filtering 19
  Overview 19
  Using the IPS 20
  Security Profiles 21
  Managing Security Profiles 22
  Security Profile Details 24
  IPS Digital Vaccine (DV) Filters 27
  Configuring DV Filters 29
  View DV Filters 30
  Filter Search 31
  Filters List (All Filters) 32
  Edit DV Filter Category Settings 35
  Configure Filter Limits/Exceptions based on IP Address 39
  Reset an Individual Filter 41
  Port Scan/Host Sweep Filters 41
  Traffic Threshold Filters 44
  Managing Traffic Threshold Filters 45
  Create or Edit a Traffic Threshold Filter 47
  Action Sets 50
  Managing Actions 53
  Rate Limit Action Set 55
  Quarantine Action Set 55
  Notification Contacts 58
  Alert Aggregation and the Aggregation Period 59
  IPS Services 62
  Preferences 64
  Reset Filters 64
  Configure Threat Suppression Engine (TSE) 65
  Adaptive Filter Configuration 67
  How Adaptive Filtering Works 67

Chapter 4. Firewall 69
  Overview 69
  How Firewall Rule Enforcement Works 71
  Default Firewall Rules 73
  Managing Firewall Rules 75
  Configuring Firewall Rules 77
  Firewall Services 82
  Firewall Services Page Field Descriptions 84
  Configuring Service Groups 85
  Schedules 86
  Firewall Schedules Page Field Descriptions 87
  Managing Schedules 88
  Virtual Servers 89
  Virtual Servers page 90
  Virtual Servers Summary Information 90
  Configuring Virtual Servers 90
  Web Filtering 93
  How Web Filtering Works 94
  Setting Up Web Filtering 95
  Web Filtering 96
  Web Filtering General Configuration Parameters 97
  Web Filter Service 98
  Custom Filter List 100
  Custom Filter List Configuration Parameters and Functions 102
  Configure URL Patterns 103
  URL Test 105

Chapter 5. Events: Logs, Traffic Streams, Reports 107
  Overview 108
  Logs 108
  Alert Log 109
  Audit Log 110
  IPS Block Log 111
  Firewall Block Log 112
  Firewall Session Log 113
  VPN Log 114
  Configuration 115
  System Log 115
  Configuring Remote System Logs 116
  Managing Logs 117
  Viewing Logs 118
  Downloading a Log 118
  Resetting a log 119
  Searching a Log 120
  Managed Streams 121
  Blocked Streams 121
  Rate Limited Streams 123
  Quarantined Addresses 125
  Health 127
  Device Health 128
  Memory and Disk Usage 129
  Module Health 130
  Performance/Throughput 131
  Port Health 132
  Reports 132
  Attack Reports 133
  Rate Limit Reports 135
  Traffic Reports 136
  Traffic Threshold Report 137
  Quarantine Report 137
  Configure Adaptive Filter Events Report 137
  Firewall Reports 139

Chapter 6. Network 141
  Overview 142
  Configuration Overview 143
  Deployment Modes 144
  Network Port Configuration 145
  Troubleshoot Port Link-Down errors 147
  Security Zone Configuration 148
  Creating, Editing and Configuring Security Zones 150
  IP Interfaces 154
  Configuration Overview 154
  Managing IP Interfaces 155
  IP Addresses: Configuration Overview 156
  Internal Interface: Static IP Address 157
  External Interface: Static IP Address Configuration 158
  External Interface: DHCP Configuration 159
  External Interface: PPTP Client Configuration 159
  External Interface: L2TP Client Configuration 160
  External Interface: PPPoE Client Configuration 161
  Configuring a GRE Tunnel 163
  Manage Security Zones for IP Interfaces 164
  Configuring routing for IP Interfaces 165
  RIP for IP Interfaces 165
  Multicast Routing for IP Interfaces 167
  IP Address Groups 168
  DNS 170
  Default Gateway 171
  Routing 171
  Overview 171
  Routing Table 172
  Static Routes 174
  RIP Setup 176
  Multicast (IGMP and PIM-DM) 179
  IGMP Setup 179
  PIM-DM Setup 181
  Default Gateway 183
  DHCP Server 183
  Overview 183
  DHCP Server page 184
  Configure DHCP Server 185
  DHCP Relay 187
  Configuring DHCP Relay 188
  Static Reservations 191
  Network Tools 192
  DNS Lookup 193
  Find Network Path 193
  Traffic Capture 193
  Ping 194
  Traceroute 195

Chapter 7. VPN 197
  Overview 197
  About VPN 198
  VPN Configuration Overview 199
  IPSec Configuration 201
  IPSec Configuration 203
  Configure an IPSec Security Association 205
  IKE Proposal 214
  Manage IKE Proposals 215
  Configuring IKE Proposals 217
  L2TP Configuration 224
  Overview 224
  L2TP Status 225
  L2TP Server Configuration 226
  PPTP Configuration 228
  Overview 228
  PPTP Status 229
  PPTP Server Configuration 230

Chapter 8. System 233
  Overview 233
  Update TOS and TippingPoint Digital Vaccine Software 234
  Viewing and Managing Current TOS and DV Software 235
  Rolling Back to a Previous TOS Version 236
  Download and Install a TOS or Digital Vaccine Update 237
  Updating the Digital Vaccine (Filters) 238
  Updating the TOS Software 241
  System Snapshots 243
  Time Options 246
  Internal CMOS Clock 247
  NTP Server 247
  Time Zones 248
  SMS/NMS 249
  High Availability 252
  How High Availability Works 252
  Failover Operation 252
  Standby Operation 253
  Polling 253
  Configuration Overview 253
  Thresholds to Monitor Memory and Disk Usage 256
  Email Server 257
  Syslog Servers 258
  Setup Wizard 259

Chapter 9. Authentication 261
  Overview 261
  User List 262
  Overview 262
  TOS and Local User Accounts 262
  TOS User Security Level 263
  Username and Password Requirements 264
  Managing User Accounts 265
  How Local User Authentication Works: RADIUS, Privilege Groups and X.509 Certificates 268
  Overview 268
  RADIUS 269
  Privilege Groups 270
  X.509 Certificates 272
  Overview 272
  Configuring X.509 Certificates 273
  CA Certificates 274
  Configure CRL CA Certificate 276
  Certificate Requests 277
  Managing Certificate Requests 279
  Local Certificates 281
  Preferences 284

Appendix A. Browser Certificates 289
  Overview 289
  Client Authentication Message 290
  Security Alert 291
  Certificate Authority 292
  Invalid Certificate Name 295
  Example - Creating Personal Certificate 297

Appendix B. Web Filter Service 299
  Overview 299
  Core Categories 299
  Productivity Categories 302
  Available Productivity Categories 302
  Purchasing a Web Filter License 308

Appendix C. Log Formats and System Messages 311
  Overview 311
  Log Formats 312
  Alert and IPS Block Log Formats 312
  Audit Log Format 315
  Firewall Block Log Format 316
  Firewall Session Log Format 319
  VPN Log Format 320
  System Log Format 321
  Remote Syslog Log Format 322
  High Availability Log Messages 323
  System Update Status Messages 324

Glossary 327

About This Guide

Explains who this guide is intended for, how the information is organized, where information updates can be found, and how to obtain customer support if you cannot resolve a problem.

Welcome to the 3Com X-Series Local Security Manager (LSM). The LSM is the control center from which you can configure, monitor, and report on the X-Series devices in your network.

This section covers the following topics:
• “Target Audience” on page x
• “Conventions” on page x
• “Related Documentation” on page xii
• “Customer Support” on page xiv

Target Audience

This guide is intended for administrators who manage one or more X-Series devices.

Knowledge, Skills, and Abilities

This guide assumes you, the reader, are familiar with general networking concepts and the following standards and protocols:
• TCP/IP
• UDP
• ICMP
• Ethernet
• Simple Network Time Protocol (SNTP)
• Simple Mail Transport Protocol (SMTP)
• Simple Network Management Protocol (SNMP)

Conventions

This guide follows several procedural and typographical conventions to better provide clear and understandable instructions and descriptions. These conventions are described in the following sections.

This book uses the following conventions for structuring information:
• Cross References
• Typeface
• Procedures
• Messages

Cross References

When a topic is covered in depth elsewhere in this guide, or in another guide in this series, a cross reference to the additional information is provided. Cross references help you find related topics and information quickly.

Internal Cross References

This guide is designed to be used as an electronic document. It contains cross references to other sections of the document that act as hyperlinks when you view the document online. The following text is a hyperlink: Procedures.

External Cross References

Cross references to other publications are not hyperlinked. These cross references will take the form: see <chapter name> in the Publication Name.

Typeface

This guide uses the following typeface conventions:

Bold: used for the names of screen elements like buttons, drop-down lists, or fields. For example, when you are done with a dialog, you would click the OK button. See Procedures below for an example.
Code: used for text a user must type to use the product
Italic: used for guide titles, variables, and important terms
Hyperlink: used for cross references in a document or links to web site

Procedures

This guide contains several step-by-step procedures that tell you how to perform a specific task. These procedures always begin with a phrase that describes the task goal, followed by numbered steps that describe what you must do to complete the task.

The beginning of every chapter has cross references to the procedures that it contains. These cross references, like all cross references in this guide, are hyperlinked.

Menu Navigation

The LSM provides drop-down menu lists to navigate and choose items in the user interface. Each instruction that requires moving through the menus uses an arrow (>) to indicate the movement. For example, Edit > Details means, select the Edit menu item. Then, click the Details option.

Sample Procedure

STEP 1 Click the Filters tab.
STEP 2 Place your mouse cursor over the Open menu.

Screen Captures

The instructions and descriptions in this document include images of screens. These screen captures may be cropped, focusing on specific sections of the application, such as a pane, list, or tab. Refer to the application for full displays of the application.

Messages

Messages are special text that are emphasized by font, format, and icons. There are four types of messages in this guide:
• Warning
• Caution
• Note
• Tip

A description of each message type with an example message follows.

Warning

Warnings tell you how to avoid physical injury to people or equipment. You should carefully consider this information prior to enacting actions or procedures that could potentially harm your staff, data, or security.

WARNING Do not store your user name and password on your workstation, in your personal effects, or anywhere in or around your work area. If you store your user name and password in any of these locations, your system security may be compromised.

Caution

Cautions tell you how to avoid a serious loss that could cause physical damage such as the loss of data, time, or security. You should carefully consider this information when determining a course of action or procedure.

CAUTION You should disable password caching in the browser you use to access the LSM. If you do not disable password caching in your browser, and your workstation is not secured, your system security may be compromised.

Note

Notes tell you about information that might not be obvious or that does not relate directly to the current topic, but that may affect relevant behavior.

Note If the X-Series is not currently under SMS control, you can find out the IP address of the last SMS that was in control by checking the SMS & NMS page (System > Configuration > SMS/NMS).

Tip

Tips are suggestions about how you can perform a task more easily or more efficiently.

TIP You can see what percentage of disk space you are using by checking the Monitor page (Events > Health > Monitor).

Related Documentation

The X-Series has a full set of documentation. These publications are available in electronic format on your installation CDs. For the most recent updates, check the Threat Management Center (TMC) web site at http://www.3Com.com.

Online Help

Each window and dialog box in the LSM application includes a Help button for accessing the online help. In the Launch Bar of the application, the Help button opens the main welcome page to the online help. You can also click on the help button on each page of the application to review context-sensitive topics.

Figure 3-1: Help Icon and Button
Opens the online help at the opening page.

If you have problems finding help on a particular subject, you can review the Index or use the Search tab in the navigation pane. Each page also includes related topic links to find more information on particular subjects and functions.

Customer Support

3Com is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information. For the most efficient resolution of your problem, please take a moment to gather some basic information from your records and from your system before contacting 3Com customer support.

Table 3-1: Customer Support Information

Information | Location
Your customer number | You can find this number on your Customer Support Agreement and on the shipping invoice that came with your X-Series.
Your X-Series device serial number | You can find this number in the LSM in the System Summary page, or on the shipping invoice that came with your X-Series system.
Your TOS version number | You can find this information in the LSM in the System Summary page, or by using the show version CLI command.
Your X-Series system boot time | You can find this information in the LSM in the System Summary page.

Contact Information

Please address all questions regarding the 3Com software to your authorized 3Com representative.

Chapter 1. System Overview

The X-Series is a high-speed, comprehensive security system with a browsable manager called the Local Security Manager (LSM). The Overview section provides an overview of the LSM functions and use in the X-Series device.

Overview

Enterprise security schemes once consisted of a conglomeration of disparate, static devices from multiple vendors. Today, 3Com’s X-Series security system provides the advantages of a single, integrated, highly adaptive security system that includes powerful hardware and an intuitive management interface.

This section describes the X-Series system and the LSM client application, Command Line Interface (CLI) and Security Management System (SMS) used to interact with and manage the X-Series system.

The Overview chapter includes the following topics:
• “X-Series System” on page 2
  o “Core Functionality” on page 3
  o “X-Series Environment” on page 4
  o “Local Clients” on page 4
• “System Requirements” on page 5
• “SMS Configuration” on page 5

Note Check the Release Notes for specific limitations and known issues regarding the current release.

X-Series System

The 3Com X-Series device offers an integrated system that includes a stateful packet inspection firewall, IPSec virtual private network (VPN) management, bandwidth management, and web content filtering functions along with 3Com Intrusion Prevention System (IPS) functionality.

The X-Series firewall functionality provides service-level, stateful inspection of network traffic. It incorporates filtering functionality to protect mission-critical applications. An administrator can use firewalls and content filters to determine how the system handles traffic to and from a particular service. These filters are specified by the source, destination, and service or protocol of the traffic. The X-Series scans your network and maintains an inventory of the active hosts and services on those hosts.

IPSec VPN management provides the ability to apply all X-Series functionality across the enterprise, monitoring network traffic at the enterprise level and also traffic between main office and branch locations.

Bandwidth management, or policy-based traffic shaping, allows the X-Series to control both inbound and outbound traffic streams as well as inside and outside IPSec VPN tunnels. Using these policies, the X-Series allows users to prioritize real-time business critical applications including video and conferencing, IP telephony and interactive distance-learning over non-essential traffic, such as peer-to-peer file sharing.

Web content filtering provides the tools to enforce network policy by prohibiting the download of non-work related web sites and offensive or illegal web content.

The IPS functionality provides total packet inspection and intrusion prevention to detect and block malicious traffic such as worms, viruses, Trojans, Phishing attempts, Spyware, and VoIP threats. Using filters defined by the Digital Vaccine security team, the X-Series scans traffic to recognize header or data content that signals an attack along with the protocol, service, and the operating system or software the attack affects. Each filter includes an action set, which determines how the system responds when it detects packets that match filter parameters. In a broad sense, the X-Series either drops matching packets or permits them. The Digital Vaccine security team continually develops new attack filters to preemptively protect against the exploit of new and zero day vulnerabilities. To ensure up-to-date network protection, you can configure the X-Series device to automatically check for and install the DV updates released by 3Com.

Core Functionality

The X-Series provides the following core functionality:
• Stateful packet inspection firewall — flexible configuration of object-based firewall rules and unified control of multiple services, virtual servers, network address translation (NAT) and routing.
• Security Zones — logically section your network for the purposes of applying firewall rules and IPS filters between internal sections of your network, between your network and the internet, and between your network and remote office locations (VPN).
• Standards-based IPSec Virtual Private Networks including:
  o hardware-accelerated DES, 3DES, and AES encryption protocols
  o feature-rich client VPN capability using PPTP or L2TP protocols
  o ability to inspect and control traffic both inside and outside of all VPN tunnel types using firewalls or IPS to ensure secure VPN connectivity.
• Flexible user authentication — control access to the X-Series device and the internet, authenticating via the X-Series device itself, or through an external RADIUS database
• Web filtering — URL filtering with configurable permit/block lists and regular-expression URL matching as well as a web content filtering subscription service to enforce network security and usage policy by prohibiting the download of non-work related web sites and offensive or illegal web content.
• Bandwidth management — enforce network usage policy by rate-limiting applications such as peer-to-peer file sharing and instant messaging applications
• Prioritization of traffic inside and outside VPN tunnels with flexible, policy-based controls.
• IP multicast routing (PIM-DM) over IPSec, supporting next-generation IP conferencing applications — prioritizes real-time traffic and provides secure connectivity for IP multicast traffic.
• Device management — option to configure, monitor, and manage the device using either the web-based client application (the Local Security Manager) or the command line interface (CLI).
• Centralized Management — option to configure, monitor, and manage individual or multiple X-Series devices using the Security Management System (SMS).
• An Intrusion Prevention System (IPS) — identify and stop malicious traffic on the edge of the network using filters that detect and block malicious traffic. Customize default filters to meet the specific needs of your enterprise.
• Digital Vaccine real-time protection — the Threat Management Center monitors global network security threats and continually develops new attack filters which are automatically distributed to preemptively protect against the exploit of new and zero day vulnerabilities.

The following sections describe the X-Series environment and system components in more detail.

X-Series Environment

An X-Series can be installed at the perimeter of your network, in your remote offices, on your intranet, or in all three locations. The following diagram shows an example of a corporate network with X-Series devices deployed in a variety of locations.

When the X-Series is installed and configured, it protects your network zones (LAN, WAN, and VPN, for example) using firewall rules and IPS filters. The device scans and reacts to network traffic according to the actions configured in the firewall rule or IPS filter. Each security zone and device can use a different set of firewall rules and IPS filters. Actions configured on the firewall rules and IPS filters provide the instructions for the device and can include blocking, rate limiting, or permitting the traffic and sending a notification about the action to a device or e-mail address. Options are also available to block traffic and quarantine the source IP address for the traffic.

For users who will deploy multiple X-Series devices across the enterprise, 3Com provides the Security Management System (SMS). The SMS allows you to coordinate the management of multiple devices (both 3Com X-Series and IPS devices) for administration, configuration, and monitoring. Most importantly, the SMS includes enterprise-wide reporting and trend analysis.

Local Clients

You can access the X-Series device for monitoring, management, and configuration from any of the following three client applications:
• Local Security Manager (LSM) — Web-based GUI for managing one IPS device. The LSM provides HTTP and HTTPS (secure management) access. This access requires Microsoft Internet Explorer 6.0 or later, Firefox 1.5+, Mozilla 1.7+, or Netscape 8.1+. Using the LSM, you have a graphical display for reviewing, searching, and modifying settings. The GUI interface also provides graphical reports for monitoring the device traffic, triggered filters, and packet statistics.
• Command Line Interface (CLI) — Command line interface for reviewing and modifying settings on the device. The CLI is accessible through Telnet and SSH (secure access).
• Security Management System (SMS) — the SMS allows you to remotely manage multiple X-Series devices. You can configure security zones, profiles and policy (firewall rules and IPS filters) from the SMS and distribute the configuration to multiple X-Series devices. SMS also allows you to view, manage and edit device configuration, and review logs and reports for all X-Series devices under SMS management.

Note The Intrusion Prevention System device allows for 10 web client connections, 10 telnet/SSH (for CLI) connections, and one console connection at once.

System Requirements

The LSM is software accessed using a web browser. The site’s hardware and software requirements are not as technical as systems loading the software locally. To access the LSM, you need the following:
• A networked computer running Windows XP, ME, NT, 9x, or 2000
• Microsoft Internet Explorer (MSIE) v 6.0 or greater with 128-bit encryption and support for JavaScript and cookies, Firefox 1.5+, Mozilla 1.7+, or Netscape 8.1+

SMS Configuration

If you will maintain your IPS device using the Security Management System (SMS) or you will no longer use the SMS, you need to configure a setting on the IPS device. This setting identifies if the device is controlled by the SMS. See “SMS/NMS” on page 249.

Chapter 2. LSM Navigation

LSM Navigation describes the LSM interface, how to log in, and the general sections of the application.

Overview

The Local Security Manager (LSM) is a graphical user interface (GUI) that makes configuring and monitoring your X-Series device easy by providing a user-friendly interface to help accomplish administrative activities. You access the LSM using a user account through a browser. See Log in to the LSM for more information.

The LSM is an application that you browse to in a Web browser. You should use Microsoft Internet Explorer, version 6 or later, to access the application. In this application, you can access a variety of functions according to the access level of your user account.

This chapter details the login and navigation procedures of the LSM user interface. It includes the following information:
• “Security Notes” on page 8
• “Logging In” on page 8
• “LSM Screen Layout” on page 10
• “System Summary” on page 15

Note The LSM is designed to work with Microsoft Internet Explorer (MSIE) version 6.0 and greater. Using a browser other than MSIE may produce unpredictable results in the display and functionality of the interface.

Security Notes

The LSM enables you to manage your X-Series device using a Web browser. It is important to note that some browser features, such as password caching, are inappropriate for security use and should be turned off.

CAUTION Some browsers offer a feature that stores your user login and password for future use. 3Com recommends that you turn this feature off in your browser. It is counter to standard security practices to store login names and passwords, especially those for sensitive network equipment, on or near a workstation.

In addition, the LSM provides two different Web servers, an HTTP and an HTTPS server. Whenever your IPS is connected to your network, you should run the HTTPS server, not the HTTP server. HTTP servers are not secure because your user name and password travel over your network unencrypted. You should only use the HTTP server when you are sure that communications between the IPS and the workstation from which you access the LSM cannot be intercepted.

WARNING The procedure Enable the Web Server (LSM and SMS) enables you to turn on HTTP. HTTP is not a secure service because it sends unencrypted user names and passwords over the network. If you enable HTTP, you endanger the security of your 3Com device. Use HTTPS instead of HTTP.

Logging In

When you log in to the LSM, you are prompted for your username and your password. This login gives you access to the areas of the LSM permitted by your user role. For information on user roles and accesses, see Chapter 9, “Authentication”.

TIP Most Web browsers will not treat addresses beginning with HTTP and HTTPS interchangeably. If your browser cannot find your LSM, make sure that you are using http:// or https:// depending on which Web server you are running.

Note The IPS device allows for 10 Web client connections, 10 telnet/SSH (for CLI) connections, and 1 console connection at once.

Depending on your security settings, warnings may display when accessing the client. To access the system without warnings, refer to Appendix A, “Browser Certificates”.

You will be presented with the login screen under the following situations:
• When you first log in to the LSM
• When you experience a Session Time-out
Page: 25

Log in to the LSM

STEP 1 Enter the IP address or hostname of your IPS device in your browser Address bar. For example: https://123.45.67.89
The LSM displays a logon page. The page includes the name and model of your device.

Figure 2-1: LSM Logon Page

STEP 2 Enter your Username.
STEP 3 Enter your Password.
STEP 4 Click Log On.

The LSM validates your account information against the permitted users of the software. If the information is valid, the LSM software opens. If the account information is not valid, the Logon page is redisplayed.

Note: Only 10 Web client and 10 SSH (for CLI) connections are allowed to connect to a device at once.
Page: 26

LSM Screen Layout

The LSM provides features in two main areas of the browser window:

• Main Menu Bar — Located at the top of the browser window (see item 1 in the figure below). This area provides quick access to the System Summary page, online help, and current user and system status.

• Navigation — Located on the left side bar of the browser window (see item 2 in the figure below). The Navigation bar provides access to the LSM menu functions. To view all the options available for a main menu item (IPS for example), click the menu label. On an expanded menu, options with a + indicate that additional sub-menus are available. When you select a menu item, the content and functionality area displays the content and available options. If you click the << icon in the upper right corner of the Navigation menu, the menu collapses to provide more screen space for the current page displayed in the Content and Functionality area. Click >> to re-open the menu.

• Content and Functionality — Located on the right side of the browser window (see item 3 in the figure below). This area displays pages from which you can monitor the device operation and performance, view current configuration settings, and modify configuration. The content updates when you click a link in the LSM menu, or when you select buttons or links within a page. Links may display new content or open dialog boxes. When you first log onto the LSM, the System Summary page automatically displays in this area.
Page: 27

Figure 2-2: LSM Screen Layout

Main Menu Bar

The dark blue bar at the very top of the LSM screen provides quick access to basic logon information. The following table lists the available options in the Main Menu Bar:

Table 2-1: Main Menu Bar Options
Option | Description
System Summary | To display the System Summary, click the View System Summary icon. For information about this page, see “System Summary” on page 15.
Online Help | To access the online help for the X-Series, click the Launch Help Window icon.
Current User | Displays the login name for the current user.
Page: 28

Table 2-1: Main Menu Bar Options (Continued)
Option | Description
Current date and time | Displays the current date and time on the X-Series device. The date and time settings on the device are determined by the time synchronization method and time zone configured for the device. For details, see “Time Options” on page 246.
Auto Log Off | To log off of the LSM, click the Log Off link. For security purposes, LSM sessions have a timeout period. This timeout period determines how long the LSM can remain idle before automatically ending the session/logging off the user. The default timeout period is 60 minutes. LSM administrators with super-user access can change the default timeout period from the Preferences page (Authentication > Preferences). For details, see “Preferences” on page 284.
Page: 29

Navigation

You can access the available features of the LSM by selecting an option from the navigation area. The LSM displays the page you select in the content and functionality area of the browser. Each option list displays a tier of links and features for maintaining and monitoring your 3Com system. The following table lists the available options in the navigation area:

Table 2-2: Navigation Options
Option | Description
IPS | — Create and manage security profiles used to monitor traffic between security zones. This includes reviewing category settings, creating filter overrides, and specifying limits and exceptions for user-specified IP address. — Create and manage traffic threshold filters, action sets, and ports for IPS services. — Manage and configure settings for IPS filters, the Threat Suppression Engine (TSE), and global Adaptive Filter. See Chapter 3, “IPS Filtering” for more information.
Firewall | — View and configure settings for the X-Series device Firewall. — View and configure web filtering for the web filter service and create a custom filter list to permit or block traffic based on user-specified URLs. See Chapter 4, “Firewall” for more information.
VPN | View, configure and manage settings for site-to-site and/or client-to-site VPN connections. See Chapter 7, “VPN” for more information.
Events | — View, download, print, and reset Alert, Block, and Misuse and Abuse logs. — View graphs reporting on traffic flow, traffic-related events, and statistics on firewall hit counts and triggered filters (attack, rate limit, traffic threshold, quarantine and adaptive filter). — Monitor, search, and maintain traffic streams for adaptive filtering, blocked streams, and rate-limited streams. Manually quarantine an IP or release a quarantined IP. — View reports on traffic flow, traffic-related events, and statistics on firewall hit counts and triggered filters (attack, rate limit, traffic threshold, quarantine and adaptive filter). See Chapter 5, “Events: Logs, Traffic Streams, Reports” for more information.
System | — Configure system controls such as the management port, time options, and SMS/NMS interaction. — View the status of hardware components, performance, system health, and system logs. — Download and install software and Digital Vaccine (filter) updates. See Chapter 8, “System” for more information.
Page: 30

Table 2-2: Navigation Options (Continued)
Option | Description
Network | — Configure network ports, security zones, IP interfaces, IP Address Groups, DNS DHCP server, and the default gateway. DHCP, routing, and use tools for DNS lookup, packet captures and software. See Chapter 6, “Network” for more information.
Authentication | Create, modify, and manage user accounts. Configure authentication. See Chapter 9, “Authentication” for more information.

Content and Functionality

The LSM displays all data in the central area of the browser window. As you browse and select linked options from the navigation area, pages display allowing you to review information, configure options, or search data. Links selected on these pages may display additional pages or dialog boxes depending on the feature selected.

Title Bar

On each page, you can see the position of the page in the menu hierarchy provided in the title bar. For example, on the Alert Log page, the menu hierarchy indicates that the page is located off the EVENTS >> LOGS sub-menu. On tabbed menu pages, you can navigate up the hierarchy from the current location by clicking on the link in the hierarchy listing.

Auto Refresh

Some screens (such as the System Summary screen) automatically refresh themselves periodically.
• To disable the auto refresh function, deselect the Auto Refresh check box.
• To manually refresh, click the Refresh link.
• To reconfigure the Page Refresh Time, see “Preferences” on page 284.

Tabbed Menu Options

Some sub-menu options previously available in the left-hand navigation menu are now accessible as a tab on the main page for the menu. For example, from the NETWORK >> Tools page, the following tabs are available: DNS Lookup, Find Network Path, Traffic Capture, Ping, and Traceroute.
Page: 31

System Summary

The System Summary page automatically displays when you first log onto the LSM. To redisplay the System Summary page at any time, click the View System Summary icon in the Main Menu Bar. The System Summary page includes the following:
• System Status — Displays summary information about the system health, packet statistics, and network DHCP. Also provides access to the Reboot Device function.
• Log Summary — Displays summary information about all the Event Logs.
• Product Specifications — Displays product, version, time, and encryption information.

System Status

Health

The Health section of the Statistics frame displays a color indicator of the hardware health of your IPS. For detailed information about each of the health indicators, click on the corresponding link above the color indicator. The Health section includes indicators for the following components:
• System Log
• Threshold
• Performance
• Disk Space
• Memory
• Web Filtering
• HA Status

The colors indicate the current state of each component:
• Green if there are no problems
• Yellow if there is a major warning
• Red if there is a critical warning
• Grey if the service is disabled

You can set the thresholds for warnings. This defines when the indicator color will change based on the usage of those components. For more information, see “Thresholds to Monitor Memory and Disk Usage” on page 256, and click System > Thresholds in the Navigation area.

If the System Log is other than green, you can click on the indicator to view the error that caused the condition.

Note: When you view the logged error, the indicator resets and changes to green under System Summary.
Page: 32

Packet Stats

The Packet Stats section provides basic traffic statistics including the following:
• Received — Total number of packets received and scanned by the Threat Suppression Engine
• Blocked — Total number of packets that have been blocked by the Threat Suppression Engine
• Rate Limited — The number of packets that matched a filter configured to a permit action set.
• Dropped — Total number of packets that have been dropped because they are not properly formed or formatted

To reset the counters, click the Reset link.

Packet counters are meant to give you a snapshot look at traffic through your network. The packet totals give a partial account of blocked activity according to the filters. All other filter results affect the packet totals.

Note: The counters are not synchronized with each other; packets may be counted more than once in some situations.

The counters display the amount of packets tracked. If the number is less than 1M, the Packet Statistics section displays the full amount. If the amount is greater than 999,999K, the information is abbreviated with a unit factor. For example, 734,123K would display fully whereas 4,004,876,543 displays as 4.00B. When the number reaches the million and billion mark, the number displays as a decimal amount with a letter (such as G for gigabytes). The unit factors include M for mega, G for giga, and T for tera.

To view the full amount, hover your mouse over the displayed amount. A Tool Tip pops up, displaying the full packet amount.

Network DHCP

The Network DHCP section displays the following information:
• Current Leases
• Available Leases

Reboot Device

To reboot the device, click the Reboot Device link.
Page: 33

Log Summary

The Log Summary section displays the number of entries and events for each type of Event Log. In addition, it allows you to perform functions on those logs.
• System Log
• Audit Log. This log is only available to those with Super User access.
• Alert Log
• Block Log
• Firewall Block Log
• Firewall Session Log
• VPN Log

For more detailed information about these logs, click Events > Logs.

Product Specifications

The Product Specification section displays the following information:
• Model Number — Model number of the IPS
• Product Code — The IPS product code
• Serial Number — Serial number of the IPS
• TOS Version number of the Operating System
• Digital Vaccine — Version number of the Digital Vaccine
• Boot Time — Time when the IPS was last started
• Up Time — How long the IPS has been operating continuously
• Encryption — Current encryption method being used. By default all new 3Com X-Series platforms are supplied with 56-bit DES encryption only. To enable strong encryption functionality (3DES, 128-AES, 192-AES, 256-AES), you need to install the correct Strong Encryption Service Pack for your device available from the TMC Web site.
Page: 34

Page: 35

3 IPS Filtering

Overview

The X-Series provides the TippingPoint™ Intrusion Prevention System (IPS) and Digital Vaccine (DV) service that can be used to police your network to screen out malicious or unwanted traffic such as:
• Vulnerability Attacks and Exploits
• Worms
• Spyware
• Peer-to-Peer applications

In addition to the Digital Vaccine filters, the IPS system also provides Traffic Threshold filters you can use to profile and shape network bandwidth.

All IPS filtering occurs inline on traffic that has been permitted through the X-Series firewall. Filtering is performed by the Threat Suppression Engine, custom software designed to detect and block a broad range of attacks at high speed. When a packet matches an IPS filter, the X-Series handles the packets based on the Action configured on the filter. For example, if the action set is Block, then the packet is dropped. The X-Series device provides default actions to block or permit traffic with options to quarantine or rate-limit traffic and to notify users or systems when an action executes. Logging options are also available so you can review the types of traffic being filtered by the device. You can customize the default Actions, or create your own based on your network requirements.

A Security Profile defines the traffic to be monitored and the DV filters to be applied. Traffic monitoring is based on security zone pairs. For example, to create a Security Profile to monitor traffic coming from the WAN zone to the LAN zone, you select the security zone pair WAN ==> LAN. Then, you can configure the DV filters to apply to that zone. The security zone pair specifies both the zone and the traffic direction, which allows you to define separate Security Profiles for traffic in and out of a zone.

The default security profile is set to the ANY ==> ANY security zone pair with all IPS filters configured with the default Digital Vaccine settings. With the default profile in place, all incoming and outgoing traffic in any security zone configured on the device is monitored according to the IPS filter configuration recommended by 3Com. You can edit
Page: 36

the default Security Profile to customize the security zones that it applies to and create custom filter settings, or create your own Security Profiles as required.

Note: Before creating Security Profiles, verify that the Network and System configuration on the X-Series device is set up correctly for your environment. In particular, you need to configure all required Security Zones before you can create the Security Profiles to protect them. For details, see “System” on page 233 and “Network” on page 141.

You can monitor and configure the IPS System from the IPS menu pages available in the LSM. For additional information, see the following topics:
• “Using the IPS” on page 20
• “Security Profiles” on page 21
• “IPS Digital Vaccine (DV) Filters” on page 27
• “Traffic Threshold Filters” on page 44
• “Action Sets” on page 50

Using the IPS

You can monitor and configure the settings for the IPS System from the IPS menu pages available in the LSM. The following menu options are available:
• Security Profiles — view and manage the Security Profiles available on the device, view the security profile coverage by security zone.
• Traffic Threshold — view, manage and create Traffic Threshold filters to monitor network traffic levels. These filters can be configured to trigger when traffic is either above or below normal levels.
• Action Sets — view, manage and create actions that define the operations a filter performs when a traffic match occurs
• IPS Services — add and manage non-standard ports supported by the IPS device. Use this feature to configure additional ports associated with specific applications, services, and protocols to expand scanning of traffic. When filters scan traffic against the standard ports for listed services, the engine then accesses and scans traffic against the list of additional ports.
• Preferences — reset IPS filters to the factory default values, configure timeout, logging, and congestion threshold settings to manage performance of the Threat Suppression Engine, configure the Adaptive Filter feature used to protect IPS performance from the effects of over-active filters.

For details on each menu option, see the following topics:
• “Security Profiles” on page 21
• “Traffic Threshold Filters” on page 44
• “Action Sets” on page 50
• “IPS Services” on page 62
• “Preferences” on page 64
Page: 37

Security Profiles

On the X-Series device, Security Profiles are used to apply DV filter policies. A Security Profile defines the traffic to be monitored based on security zones (for example, ANY ==> ANY, LAN ==> WAN, or WAN ==> LAN) and the DV filters to be applied. A Security Profile consists of the following components:
• Identification — Profile name and description
• Security Zones — Specifies the incoming and outgoing security zones to which the Security Profile applies
• IPS Filter Category Settings — determines the State and Action that applies to all filters within a given Filter Category group.
• Filter overrides — configure filter-level settings that override the Category Settings (optional)
• Global Limits and Exceptions — configure settings to apply filters differently based on IP address. You can limit filters to apply only to traffic between a source and destination IP address or address range, or apply filters to all traffic except the traffic between specified source and destination IP addresses or address ranges.

When a Security Profile is initially created, the recommended settings for all filter categories are set.

Default Security Profile

The default security profile is set to the ANY ==> ANY security zone pair with all IPS filters configured with the default Digital Vaccine settings. With the default profile in place, all incoming and outgoing traffic in any security zone configured on the device is monitored according to the DV filter configuration recommended by 3Com. You can edit the default Security Profile to customize the security zones that it applies to and create custom filter settings, or create your own Security Profiles as required.

3Com recommends that you keep the default Security Profile with the default Security Zone pair ANY ==> ANY. This configuration ensures that all traffic will be inspected by the IPS using the default Security Profile, if the traffic does not match a more specific security zone configuration.

Applying Security Profiles to Traffic

In the IPS, it is possible for a packet to match more than one Security Profile depending on how the security zone pairs are configured within each profile. As a general rule, the X-Series device will apply the filtering rules specified in the Security Profile that has the most specific Security Zone pair defined. To determine specificity, the X-Series device always considers the incoming zone first. See the following examples to see how the X-Series applies filtering rules when a packet matches more than one Security Profile.

Table 3-1: Example 1: Security Profile Zone Configuration
Security Profile | Applies To Security Zone Pair
#1 | ANY ==> ANY
#2 | LAN ==> WAN
Page: 38

In Example 1, a packet going from the LAN zone to the WAN zone matches both Security Profile #1 and #2. The X-Series device applies the filtering rules from Security Profile #2 to the packet because the LAN zone is more specific than the ANY zone.

Table 3-2: Example 2: Security Profile Zone Configuration
Security Profile | Applies To Security Zone Pair
#4 | ANY ==> ANY
#5 | ANY ==> WAN
#6 | LAN ==> WAN

In Example 2, a packet going from the LAN zone to the WAN zone matches Security Profiles #4, #5 and #6. However, the X-Series device applies filtering rules from Security Profile #6 to the packet because the LAN zone is more specific than the ANY zone.

For additional information on Security Profiles, see the following topics:
• “Managing Security Profiles” on page 22
• “Configuring DV Filters” on page 29
• “Configure Filter Limits/Exceptions based on IP Address” on page 39

Managing Security Profiles

Use the Security Profiles page (IPS > Security Profiles) to create and manage the Security Profiles used to apply IPS filtering to security zone traffic.

Figure 3-1: Security Profiles page
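The zone-pair precedence rule from “Applying Security Profiles to Traffic” can be modelled offline to review a planned profile layout before entering it in the LSM. The following is an added example, not 3Com code: the class and function names are hypothetical, the DMZ zone is constructed, and the LAN ==> ANY versus ANY ==> WAN case is this example's reading of “considers the incoming zone first”, which the guide's two tables do not cover.

```python
"""Added example: Security Profile selection by most specific zone pair."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = "ANY"  # wildcard zone used in the guide's zone pairs


@dataclass(frozen=True)
class ZonePair:
    incoming: str
    outgoing: str

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        """True if traffic src_zone ==> dst_zone falls under this pair."""
        return (self.incoming in (ANY, src_zone)
                and self.outgoing in (ANY, dst_zone))

    def specificity(self) -> Tuple[bool, bool]:
        # Tuples compare left to right, so a named incoming zone always
        # outranks a named outgoing zone (incoming zone considered first).
        return (self.incoming != ANY, self.outgoing != ANY)


@dataclass(frozen=True)
class SecurityProfile:
    name: str
    zone_pairs: Tuple[ZonePair, ...]


def select_profile(profiles: Iterable[SecurityProfile],
                   src_zone: str, dst_zone: str) -> Optional[SecurityProfile]:
    """Return the profile whose matching zone pair is most specific.

    Returns None when no pair matches, i.e. the traffic would not be
    inspected. If two profiles carry an identical pair, the first one
    listed is kept (an assumption; the guide does not describe that case).
    """
    best, best_rank = None, None
    for profile in profiles:
        for pair in profile.zone_pairs:
            if not pair.matches(src_zone, dst_zone):
                continue
            rank = pair.specificity()
            if best_rank is None or rank > best_rank:
                best, best_rank = profile, rank
    return best


def uninspected_pairs(profiles: List[SecurityProfile],
                      zones: List[str]) -> List[Tuple[str, str]]:
    """List zone-to-zone directions that no profile covers.

    Same-zone pairs are skipped here (an assumption of this example).
    """
    return [(src, dst) for src in zones for dst in zones
            if src != dst and select_profile(profiles, src, dst) is None]


# Table 3-1 and Table 3-2 from the guide.
EXAMPLE_1 = [
    SecurityProfile("#1", (ZonePair(ANY, ANY),)),
    SecurityProfile("#2", (ZonePair("LAN", "WAN"),)),
]
EXAMPLE_2 = [
    SecurityProfile("#4", (ZonePair(ANY, ANY),)),
    SecurityProfile("#5", (ZonePair(ANY, "WAN"),)),
    SecurityProfile("#6", (ZonePair("LAN", "WAN"),)),
]

if __name__ == "__main__":
    for label, profiles in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        chosen = select_profile(profiles, "LAN", "WAN")
        print(f"{label}: LAN ==> WAN uses profile {chosen.name}")
    # Without the default ANY ==> ANY profile, some directions go uninspected.
    print("Uncovered:", uninspected_pairs([EXAMPLE_1[1]], ["LAN", "WAN"]))
```

Running the coverage check against a layout that drops the ANY ==> ANY profile shows which directions lose IPS inspection, which is why the guide recommends keeping the default profile.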
Page: 39

The following table provides a summary of tasks available to configure and manage security profiles from the Security Profiles menu pages in the LSM.

Table 3-3: Security Profile Tasks
Task | Procedure
View all Security Profiles | From the LSM menu, select IPS > Security Profiles. Then, click a Security Profile name to open the profile. You can view a list of the Security Profiles as well as a listing that shows which Security Profiles provide DV filtering for the different Security Zones on the device. Note: You cannot delete the default Security Profile.
Create a Security Profile | From the LSM menu, select IPS > Security Profiles. On the Security Profile page, click Create.
Edit a Security Profile | From the LSM menu, select IPS > Security Profiles. On the Security Profile page, click Create.
Delete a Security Profile | On the Security Profiles page, click . When you delete the profile, all the global and filter level settings are deleted.
Change category settings for a group of filters | On the Edit Security Profile page in the Profile Details (Advanced) section, change the State and Action setting for the category you want to modify. Then, Save the updated profile.
Override global filter settings (create filter level settings) | On the Edit Security Profile page in the Profile Details (Advanced) Filters section, click Search Filters. On the Search Filters page, locate the filter to override. Click the + icon to add the filter to the Security Profile. Then, edit the filter to customize the settings.
Restore filter to global category settings (Delete filter override) | On the Edit Security Profile page in the Profile Details (Advanced) Filters section, locate the filter override to delete. Then, click .
Edit Port Scan/Host Sweep Filters | The Port Scan/Host Sweep filters are a special type of filter used to protect the network against Port Scan/Host Sweep attacks. These filters can only be applied to Security Zones that include physical ports. For additional information on these filters, see “Port Scan/Host Sweep Filters” on page 41.
Page: 40

For additional information, see the following topics:
• Table 3-4, “Security Profile Details,” on page 24
• “Create a Security Profile:” on page 25
• “Edit a Security Profile” on page 25
• “View DV Filters” on page 30
• “Edit DV Filter Category Settings” on page 35
• “Port Scan/Host Sweep Filters” on page 41

Security Profile Details

The following table describes the information available on the Security Profiles page.

Table 3-4: Security Profile Details
Parameter | Description
Current Profiles: | This section lists all the Security Profiles currently configured on the X-Series device.
Profile Name | The name assigned to the Security Profile. The Default Security Profile is pre-configured on the device. You can customize this profile to add Security Zone pairs or modify global and individual filter settings, but you cannot delete or rename this profile.
Description | Displays the description entered for the Security Profile if any exists.
Function(s) | The functions available to manage Security Profiles: • Edit the Security Profile to configure security zones, Category Settings, filter overrides, or global limits and exceptions • Delete the Security Profile.
Security Zones: | This section lists all the security zone pairs that are currently protected by an IPS Security Profile. Note: If a Traffic Threshold has been configured with a Security Zone pair that is not protected by an IPS Security Profile, the pair will be listed in the table in red along with the following message. To correct the error, add the security zone pair to an existing Security Profile, or create a new Profile to protect it: No security profile is assigned to the security zones. Traffic will NOT be inspected by the IPS.
Incoming | The Security Zone that is the traffic source
Outgoing | The Security Zone that is the traffic destination
Security Profile | The name of the Security Zone configured on the device
Page: 41

For additional information, see the following topics:
• Table 3-4, “Security Profile Details,” on page 24
• “Create a Security Profile:” on page 25
• “Edit a Security Profile” on page 25
• “View DV Filters” on page 30
• “Edit DV Filter Category Settings” on page 35

Create a Security Profile:

STEP 1 On the LSM menu, click IPS > Security Profiles. Then, click the Create Security Profile button.
STEP 2 On the Create Security Profiles page, click the (edit) icon to edit the desired security profile.
STEP 3 In the Security Zones section, specify the security zone pairs for the Security Profile:
  STEP A Select the Incoming and Outgoing Security Zone.
  STEP B Click Add to table. Repeat this process until you have added all the required security zone pairs.
  Note: For additional information about setting up the Security Zones, see “Security Zone Configuration” on page 148.
STEP 4 Review or configure advanced configuration options. If the advanced options are not visible, click Show Advanced Options. Do any of the following as needed:
  • In the Profile Details (Advanced) section in the Category Settings table, change the global State or Action for a filter Category Group if required. For more detailed instructions, see “Edit Category Settings for a Filter Group” on page 35.
  • To review filters or add a filter to the Security Profile for customization, locate the filter using the Search Filters button or View all filters link. For details, see “Edit Individual Filter Settings” on page 37.
STEP 5 Click Create.

After you create the Security Profile, you can edit the Security Profile and perform additional advanced configuration to create filter overrides and specify global limits and exceptions.

Edit a Security Profile

STEP 1 On the LSM menu, click IPS > Security Profiles.
STEP 2 On the Create Security Profiles page, click the (edit) icon to edit the desired security profile.
Page: 42

STEP 3 In the Security Zones section, modify the security zone pair configuration, if necessary.
  STEP A Select the Incoming and Outgoing Security Zone.
  STEP B Click Add to table. Repeat this process until you have added all the required security zone pairs.
  STEP C Click to delete a security zone.
STEP 4 Review or configure advanced configuration options. If the advanced options are not visible, click Show Advanced Options. Do any of the following as needed:
  • In the Profile Details (Advanced) section in the Category Settings table, change the global State or Action for a filter Category Group if required. For more detailed instructions, see “Edit Category Settings for a Filter Group” on page 35.
  • To review filters or add a filter to the Security Profile for customization, locate the filter using the Search Filters button or View all filters link. For details, see “Edit Individual Filter Settings” on page 37.
  • Configure global IP address limits or exceptions if required. For details, see “Configure Global IP address Limits and Exceptions” on page 40.
STEP 5 Click Save to update the Security Profile.

• “View DV Filters” on page 30
• “Edit DV Filter Category Settings” on page 35
• “Port Scan/Host Sweep Filters” on page 41
Page: 43

IPS Digital Vaccine (DV) Filters

TippingPoint IPS Digital Vaccine (DV) Filters are used to monitor traffic passing between network security zones. Based on the Security Profiles configured on the device, the X-Series applies the filters to traffic passing between network security zones. Each Security Profile has its own filter settings. Within a Security Profile, you can modify the filter (recommended) settings for a filter category and, if necessary, customize individual filters based on your network environment and security needs.

The following sections provide an overview of the DV filters and the components used to configure them:
• “About the Digital Vaccine Package” on page 27
• “Filter Components” on page 28
• “Categories and Category Settings” on page 28
  Categories and category settings are used to configure global settings for all filters within a specified category group.
• “Filter Override Settings” on page 29
  Filter settings are used to override the global settings for individual filters within a category group.

About the Digital Vaccine Package

DV filters are contained in a Digital Vaccine (DV) package. All X-Series devices have a DV package installed and configured to provide out-of-the-box IPS protection for the network. After setting up the X-Series, you can customize the filters in the DV through the LSM.

The filters within the DV package are developed to protect the network from specific exploits as well as potential attack permutations to address Zero-Day threats. These filters include traffic anomaly filters and vulnerability-based filters. Vulnerability-based filters are designed to protect the network from an attack that takes advantage of a weakness in application software. For viruses that are not based on a specific vulnerability in software, the DV provides signature filters.

3Com delivers weekly Digital Vaccine updates which can be automatically installed on the X-Series device (System > Update). If a critical vulnerability or threat is discovered, Digital Vaccine Updates are immediately distributed to customers.

TIP: In addition to providing a download location for Digital Vaccine packages, the TMC also provides DV product documentation that includes more detailed information about the filters included in the DV package, filter updates, and other related information.
Page: 44

Filter Components

IPS filters have the following components, which determine the filter type, the global and customized settings, and how the system will respond when the Threat Suppression Engine finds traffic matching the filter:
• Category — defines the type of network protection provided by the filter. The category is also used to locate the filter in the LSM and to control the global filter settings using the Category Setting configuration.
• Action set — defines the actions that execute when the filter is matched.
• Adaptive Filter Configuration State — allows you to override the global Adaptive Filter configuration settings so that the filter is not affected by adaptive filtering (see “Adaptive Filter Configuration” on page 67 for additional information).
• State — indicates whether the filter is enabled, disabled, or invalid. If the filter is disabled, the Threat Suppression Engine does not use the filter to evaluate traffic.

Categories and Category Settings

Categories and category settings are used to configure global settings for all filters within a specified category group. DV Filters are organized into Categories and groups based on the type of protection provided:
• Application Protection Filters — defend against known exploits and exploits that may take advantage of known vulnerabilities targeting applications and operating systems. This filter type includes the following sub-categories: Exploits, Identity Theft, Reconnaissance (includes Port Scan/Host Sweep filters), Security Policy, Spyware, Virus, and Vulnerabilities.
• Infrastructure Protection Filters — protect network bandwidth and network infrastructure elements such as routers and firewalls from attack by using protocols and detecting statistical anomalies. This filter type includes the sub-categories Network Equipment and Traffic Normalization.
• Performance Protection Filters — block or rate-limit traffic from applications that can consume excessive bandwidth, leaving network resources available for use by key applications. This filter type includes the following sub-categories: IM, P2P, and Streaming Media.

These Categories are used to locate filters. Category Settings are used to assign global configuration settings to filters within a category. For example, if you don’t want to use any filters to monitor P2P traffic, you can disable the P2P group in the Performance Protection category. You can configure the following global parameters:
• State — determines whether filters within the Category are enabled or disabled. If a category is disabled, all filters in the Category are disabled.
• Action Set — determines the action set that filters within a Category will execute when a filter match occurs. If the Recommended action set is configured, filters within the category are configured with the settings recommended by the Digital Vaccine team; filters within the group can have different settings.

For the best system performance, 3Com recommends that you use global Category Settings and the Recommended action set for all DV filters. However, in some cases, you may need to override the category settings and recommended action for individual filters
Page: 45

due to specific network requirements, or in cases where the recommended settings for a filter interact poorly with your network.

Filter Override Settings

For the best system performance, 3Com recommends that you use global Category Settings and the Recommended action set for all DV filters. However, in some cases, you may need to override the category settings and recommended action for individual filters due to specific network requirements, or in cases where the recommended settings for a filter interact poorly with your network.

Filter override settings specify custom settings to be applied to the filter in the Security Profile. Once a filter has been customized, it is not affected by the global Category Settings that specify the filter State and Action. For details, see “Edit Individual Filter Settings” on page 37.

Configuring DV Filters

You configure filters separately for each Security Profile configured on the X-Series device. When a profile is initially created, all filters are set to the default Category Settings. You can change the Category Settings for filters or edit individual filters from the Edit Security Profile page in the LSM.

Because of the large number of DV filters available on the device, the LSM provides a search interface to view and edit filters. For instructions on using this interface and on editing filters, see the following topics:
• “View DV Filters” on page 30
• “Edit DV Filter Category Settings” on page 35
  o “Edit Category Settings for a Filter Group” on page 35
  o “Edit Individual Filter Settings” on page 37
  o “Configure Filter Limits/Exceptions based on IP Address” on page 39
  o “Edit a Port Scan/Host Sweep Filter” on page 42
• “Reset an Individual Filter” on page 41
Page: 46

View DV Filters

You can view and manage filters configured for a Security Profile using either the Filters or the Filter Search menu page. Both pages can be accessed from the Advanced Options Filters section of the Security Profile pages.
• To access the Filters page, use the View all filters link.
• To access the Filter Search page, click Search Filters.

The following figure shows the Filters page:

Figure 3-2: IPS: Filters page with Search

You can complete the following tasks from these pages:
• View current filters
• Sort the filter list
• Locate a filter or group of filters
• Add a filter to the Security Profile to create a filter override
• View the filter description page, which includes information about the filter, recommended settings, and the current filter state.

For additional information, see the following topics:
• “Filter Search” on page 31
• “Filters List (All Filters)” on page 32
• “Reset an Individual Filter” on page 41
• “Port Scan/Host Sweep Filters” on page 41
Page: 47

Filter Search

Filter search provides options to view all filters or only those matching user-specified search criteria. You can access the Filter Search page by clicking the Search Filters button when you are editing a Security Profile (IPS > Security Profiles, then edit a profile). You can sort filter search results by filter name, control type, action, or state by clicking a column heading in the Filters List table.

Note: The search is a string search, not a boolean search. It is not case sensitive. Therefore, if you enter more than one word in the search box, it will only search for that particular phrase, not for a combination of words. For example, if you enter “ICMP reply” the search will not return a filter whose description is “ICMP: Echo Reply”.

The following table describes the available search criteria that can be configured:

Table 3-5: Search Filter Criteria Parameters

Parameter: Description
Keywords: Type a word or phrase to search for in the filter names. The keyword Filter Search is a string search, not a boolean search. You can search for a specific filter number, or for a specific substring in the filter name. If you enter more than one word, the search will look for the exact phrase entered, not a combination of words. For example, if you enter ICMP reply
Include Description: Check this option to search for the specified keyword(s) in the filter descriptions, as well as in the filter names.
Filter #: To search by filter number, type the filter number in this field.
Filter State: Search by current operating state. Select from the following: Any, Disabled, or Enabled.
Filter Control: Search for filters configured with Category Settings or filters that have been customized (override).
Categories: Search by IPS filter Category group. The selection list includes all groups in the Application Protection, Infrastructure Protection, and Performance Protection categories.
Action Set: Search by the Action Set assigned to the filter. The selection list includes all the default and custom Action Sets configured on the device.
Protocol: Search by the transport protocol that the filter applies to: ANY, ICMP, TCP, and UDP.
Severity: Search by the Severity Level assigned to the filter.
Page: 48

For details on performing a filter search, see the following topics:
• “View Filters with Recommended (Default) Settings” on page 34
• “View Filter Overrides and Custom Settings” on page 34

Filters List (All Filters)

The Filters List page provides a listing of all filters configured for the Security Profile. You can access the page by selecting the View all filters link when you are editing the Security Profile. Because of the large number of filters, it may take some time for the system to display the page.

Filter List Details

The following table describes the information and functions available on the Filters List page.

Table 3-6: Filter List Details

Parameter: Description
Search Interface: For details on the search criteria fields, see “Search Filter Criteria Parameters” on page 31.
Check Box: Use the check box for a filter entry to select it for editing. After checking the desired filters, use the Add Selected Filters button to add the filters to the Security Profile so you can edit them. If a filter entry has no check box, that filter has already been added to the Security Profile. You can manage these filters from the Security Profiles page Filters table.
Page: 49

Table 3-6: Filter List Details (continued)

Parameter: Description
Filter Name: The name of the filter. The name contains the filter number and additional information relating to the protocol the filter applies to and/or other descriptive information about the purpose of the filter (0079: ICMP: Echo Reply). These names are assigned by the Digital Vaccine team. To view filter information, click the name of the filter.
Control: Indicates whether the filter configuration is:
  • Category Settings - uses the global Category Settings configured for the filter’s category. To view the Category and Category Group for a filter, click the filter name.
  • Filter - uses custom settings configured from the Security Profile page. You can manage customized filters from the Filters table on the Security Profile page.
Action Set: Indicates the action set currently assigned to the filter. If the filter uses Category Settings and the Action Set is recommended, the Action field lists Disabled to indicate that the filter is under the control of the default configuration. If the filter has an override, the Action selected in the override is displayed.
State: Indicates whether the filter is enabled (in use) or disabled.
Page: 50

Table 3-6: Filter List Details (continued)

Parameter: Description
Function(s): Available functions for the filter:
  • Add to Security Profile so you can edit the filter settings. If the filter has been overridden, the Add function is not available. You can edit the filter settings from the Filter Override list on the Security Profile page.

For details on viewing filters on the Filter List page, see the following topics:
• “View Filters with Recommended (Default) Settings” on page 34
• “View Filter Overrides and Custom Settings” on page 34

View Filters with Recommended (Default) Settings

STEP 1 On the LSM menu, click IPS > Security Profiles.
STEP 2 On the Security Profiles page, click the (edit) icon to edit the desired security profile.
STEP 3 On the Edit Security Profile page, if the Profile Details (Advanced) table is not visible, click Show Advanced Options.
STEP 4 In the Profile Details (Advanced) table, scroll down to the Filters section. You can click either View all filters or Search Filters.
  • View all filters displays the Filters page. Because of the large number of filters, this action may take some time to execute.
  • Search Filters displays the Search Filters page so you can specify filter search criteria and perform the search.
    o If you select this option, select the desired Search criteria. Then click Search. Note that the Search facility performs string searches. In the keywords field, enter the

If you select View all filters, the Search Filters page displays a list of the available IPS filters. You can sort the filters by filter name, control type, action, or state by clicking the appropriate column heading in the Filters List table. To specify new search criteria, use the search interface available at the top of the page.

If you select Search Filters, the Search Filters page displays with only the search interface displayed. To locate filters, specify one or more search parameters. Then, click Search.

View Filter Overrides and Custom Settings

STEP 1 On the LSM menu, click IPS > Security Profiles.
STEP 2 On the Security Profiles page, click the Profile Name you want to edit.
Page: 51

STEP 3 On the Edit Security Profile page, if the Profile Details (Advanced) table is not visible, click Show Advanced Options.
STEP 4 In the Profile Details (Advanced) table, scroll down to the Filters section. In the Filters section, the table lists all filters that have been added to the Profile.
STEP 5 To view and/or edit a filter, click the Filter Name. If you want to remove the filter override and return the filter to its default, recommended settings, click the Delete icon.

Edit DV Filter Category Settings

By default, a Security Profile uses the Category Settings for all filters available in the Digital Vaccine package. In some cases you may not need a particular filter or category of filters. For example, you may want to disable filters that protect a particular type of web server against attack if that server is not installed on your network.

From the LSM, you can modify the filter configuration for a Security Profile by category or by changing individual filter settings. You can make the following types of changes:
• Edit a Filter Category Group to enable/disable all filters in the group or change the assigned action for all filters in the group.
• Edit an individual filter or group of filters to modify the following settings: State, Action, Adaptive Filter Configuration State, Exceptions.

When you edit a filter, the changes only affect the Security Profile in which you make the edits. This allows you to have different filter configurations for different Security Zones.

For details on editing filters, see the following topics:
• “Edit Category Settings for a Filter Group” on page 35
• “Edit Individual Filter Settings” on page 37
• “Edit a Port Scan/Host Sweep Filter” on page 42

Note: If the category setting is enabled and you disable the filter, the filter may still display as enabled.

Edit Category Settings for a Filter Group

Note: When you change the Category Settings for a group of filters, the settings will not affect any filters that have been customized (overridden). Filters that have been customized display on the Edit Security Profiles page in the Filters section. On the Filters List page, these filters are listed with Control = Filter.

STEP 1 From the LSM menu, click Security Profiles.
STEP 2 On the Security Profiles page in the Current Profiles table, click the pencil icon for the Security Profile you want to change.
Page: 52

STEP 3 On the Edit Security Profile page in the Advanced Options section, locate the Filter Category group in the Category Settings table shown in the following figure:

Figure 3-3: Edit Security Profile page - Advanced Options - Category Settings

Click Show Advanced Options if the Advanced Options table is not displayed.
STEP 4 Modify the settings as required:
  • In the State field for the Category group, clear the check box to disable all filters in the group, or check it to enable all filters in the group.
  • In the Action field, select the Action Set to be used for all filters in the group.
  The Recommended Action Set is the system default for all category groups. If this action is selected, each filter in the group is configured with the settings recommended by 3Com. Filters within the group may have different settings for State and Action.
  The following action set selections are available for each Filter Category:
    o For all Application Protection filters, the selection list includes all available action sets and recommended.
    o For Infrastructure Protection filters, the selection list includes all available action sets and recommended.
    o For Performance Protection filters, the selection list includes all available action sets and recommended, except sets with permit actions.
STEP 5 After making the desired changes, click Save (at the bottom of the Security Profile page).
Page: 53

Edit Individual Filters to Override Category Settings

For the best system performance, 3Com recommends that you use global Category Settings and the Recommended action set for all DV filters. However, in some cases, you may need to override the category settings and recommended action for individual filters due to specific network requirements, or in cases where the recommended settings for a filter interact poorly with your network.

Filter override settings specify custom settings to be applied to the filter in the Security Profile. Once a filter has been customized, it is not affected by the global Category Settings that specify the filter State and Action. For details, see “Edit Individual Filter Settings” on page 37.

Edit Individual Filter Settings

Note: These instructions are for editing all Application Protection, Infrastructure Protection, and Performance Protection filters with the exception of the Port Scan/Host Sweep filters available in the Application Protection: Reconnaissance category. For details on Port Scan/Host Sweep filters, see “Port Scan/Host Sweep Filters” on page 41.

STEP 1 From the LSM menu, click Security Profiles.
STEP 2 On the Security Profiles page in the Current Profiles table, click the pencil icon for the Security Profile you want to change.
STEP 3 On the Edit Security Profile page in the Advanced Options section, locate the Filters table.
Page: 54

STEP 4 In the Filters table, find the filters that you want to edit:
  • Click Search Filters. Then, on the Search Filters page, specify the search criteria. Click Search to display the filter search results.
  OR
  • Click View all filters to display the Filters page with all IPS filters available. Because of the large number of IPS filters, this operation may take a few moments to complete.
STEP 5 In the Filters List table, select the filter or filters to edit:
  • To select a single filter, click the Add icon to add the filter to the Security Profile.
  • To select multiple filters, select the check box for each filter. Then, click the Add Selected Filters button at the bottom of the Filters page.
  The Security Profiles page displays with the selected filters in the Advanced Options - Filters table as shown in the following figure:
STEP 6 To edit the filter settings, click the filter name or the pencil icon.
STEP 7 On the Edit Filter page in the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
  STEP A Select the Override radio button in the Parameters section.
  STEP B Check Enabled to enable the filter, or clear the check box if you want to disable the filter.
  STEP C Choose an Action from the drop-down list.
  If the action for the filter is Recommended and you do not change it, the filter may remain disabled even when you select the Enabled check box. This happens because the recommended setting for the filter state is disabled. To enable a filter configured in this manner, you must change the action from Recommended to another option.
Page: 55

STEP 8 Optionally, set adaptive filter settings for flow control. In the Adaptive Filter Configuration State section, select one of the following:
  • Use adaptive configuration settings — Applies the global adaptive filter settings
  • Do not apply adaptive configuration settings to this filter — Removes any global adaptive filter settings for this filter
STEP 9 Optionally, define IP address exceptions for the filter. For details, see “Configure Filter Limits/Exceptions based on IP Address” on page 39.
STEP 10 Click Save.

Configure Filter Limits/Exceptions based on IP Address

Limits and exceptions allow you to configure the device so that the filters in a Security Profile can be applied differently based on IP address. For example, you can specify a limit setting so that filters only apply to specified source and destination IP addresses or address ranges. You can configure the following limits and exceptions from the LSM:
• Filter Exceptions (specific) — Allow traffic that would normally trigger a filter to pass between specific addresses or address ranges without triggering the filter. Configured from the Filter Edit page, these exceptions apply only to the filter where they were configured.
• Limit Filter to IP Addresses (global) — Only apply filters to traffic between specified source and destination IP address pairs. You can configure IP address limits that apply to all the following filter types: Application Protection, Traffic Normalization, and Network Equipment Protection filters. You can configure separate limits that apply only to Performance Protection filters.
• Exceptions (global) — Exclude traffic between specified source and destination IP address pairs. You can configure exceptions for the following filter types: Application Protection, Traffic Normalization, Network Equipment Protection, and Performance Protection filters. These exceptions are global for all specified filters.

If a filter has both global and filter-level exception settings, the Threat Suppression Engine uses the filter-level settings to determine how to apply the filter.

The following sections describe the procedures to configure and delete global limits and exceptions from the Security Profile page. For additional information, see the following topics:
• “Configure Global IP address Limits and Exceptions” on page 40
• “Delete a Global Limit/Exception Setting” on page 40
• Configure filter-level exceptions: “Edit Individual Filter Settings” on page 37
Page: 56

Configure Global IP address Limits and Exceptions

STEP 1 From the LSM menu, click IPS. Then, edit the Security Profile where you want to modify limit/exception settings.
STEP 2 On the Edit Security Profile page in the Advanced Options section, scroll down to the Limits/Exceptions table. Click Show Advanced Options if the Advanced Options table is not displayed.
STEP 3 In the Limits/Exceptions section, specify the Application Protection Filter Exclusives (limits) for Application Protection, Traffic Normalization, and Network Protection filters:
  STEP A Enter the Source Address. Source and Destination IP Addresses can be entered in CIDR format, as “any” or as *.
  STEP B Enter the Destination Address.
  STEP C Click add to table below.
  STEP D Repeat this process for each IP address exception required.
STEP 4 In the Application Protection Filter Setting Exceptions section, specify the IP address exceptions for Application Protection, Traffic Normalization, Network Equipment Protection and Performance Protection filters.
STEP 5 In the Performance Protection Filter Settings section, specify IP address limits for Performance Protection filters.
STEP 6 Click Apply.

Delete a Global Limit/Exception Setting

STEP 1 From the LSM menu, click IPS. Then, edit the Security Profile where you want to modify limit/exception settings.
STEP 2 On the Edit Security Profile page in the Advanced Options section, scroll down to the Limits/Exceptions table. Click Show Advanced Options if the Advanced Options table is not displayed.
STEP 3 Review the global limit and exception address entries. Click to delete an entry. To delete a filter-level exception, edit the filter. For details, see “Edit Individual Filter Settings” on page 37.
STEP 4 Click Apply.
Page: 57

Reset an Individual Filter

If you have created a filter override in a Security Profile, you can restore the filter to its default settings by deleting the filter from the Security Profile Filters table.

You can also reset all filters to their factory default settings from the IPS Preferences page. If you do this, all the filters will be set to their recommended state and all action sets, rate limits, and thresholds (other than defaults) will be deleted. You will also lose the Security Profiles you have created along with any custom settings configured on the default Security Profile. For details, see “Reset Filters” on page 64.

Delete a Filter Override

STEP 1 From the LSM menu, click Security Profiles.
STEP 2 On the Security Profiles page in the Current Profiles table, click the Profile Name for the profile you want to change.
STEP 3 On the Edit Security Profile page in the Advanced Options section, locate the Filters table.
STEP 4 In the Filters table, find the entry for the filter override you want to remove. Then, click the Delete icon.

The filter is restored to the recommended settings for the category it belongs to.

Port Scan/Host Sweep Filters

A port scan attack scans a host looking for any open ports that can be used to infiltrate the network. A host sweep scans multiple hosts on the network looking for a specific listening port that can be used to infiltrate the network. The Port Scan/Host Sweep Filters (filter numbers 7000 - 7004) available in the Application Protection Category - Reconnaissance group are designed to protect the network against these types of attacks. These filters monitor the rate of connections generated by hosts on the network. The filter triggers when the connection rate during a specified interval goes above a given threshold.
Page: 58

The following figure shows the Port Scan/Host Sweep Filters added to the Security Profile for editing.

Figure 3-4: Security Profile: Port Scan/Host Sweep Filter Overrides

The Port Scan/Host Sweep filters can only be used to monitor traffic on Security Zones that include physical ports. That is, you cannot run Port Scan/Host Sweep filters on VLANs or zones configured with a Virtual Server.

In the Category Settings, all Port Scan/Host Sweep filters are disabled. If you want to apply these filters to the Security Profile, you can enable the filters, tune the threshold and timeout interval settings, and assign an action set to meet your network requirements. Because the Recommended setting for Port Scan/Host Sweep filters is disabled, you have to assign a specific action to the filter in order to enable it.

Filter Tuning

You can tune the sensitivity of Port Scan/Host Sweep filters by adjusting their Timeout and Threshold parameters. The timeout value is used in combination with the threshold value to determine whether or not an alert is sent. For example, if the time interval is 300 seconds (5 minutes) and the connection threshold is 100 hits, then the filter is triggered every time the rate of connections exceeds 100, or a multiple of the threshold (101, 201, 301 ...) within the 300 second (five minute) time period.

The filters support any of the configured action sets available on the device. You can also configure IP address exceptions.

Edit a Port Scan/Host Sweep Filter

STEP 1 From the LSM menu, click Security Profiles. Then, edit the Security Profile that you want to provide the Port Scan/Host Sweep filter protection. The Security Profile must contain zones that have physical ports.
STEP 2 On the Security Profile page, scroll down to the Advanced Options, Filters section.
Page: 59

STEP 3 Locate the Port Scan/Host Sweep filters:
  STEP A Click Search Filters. Then, on the Filter Search page, specify the search criteria:
  STEP B In the Categories selection list, click Reconnaissance.
  STEP C In the Severity selection list, click Low.
  STEP D Click Search.
  STEP E In the Filters List with the search results, click the >> page control button to go to the last page of the results.
STEP 4 To add the Port Scan/Host Sweep filters to the Security Profile for editing, do one of the following:
  • To add an individual filter, click the Add icon in the Functions column for that filter.
  • To add multiple filters, check each filter. Then, click Add Selected Filters.
STEP 5 On the Edit Security Profile page in the Filters section, click the Filter Name to edit the settings.
STEP 6 In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
  STEP A Select the Override radio button in the Parameters section.
  STEP B Check the Enabled check box.
  STEP C Choose an Action from the drop-down list.
STEP 7 Optionally, you can set adaptive filter settings for flow control. In the Adaptive Filter Configuration State section, select one of the following:
  • Use adaptive configuration settings — Applies the global adaptive filter settings
  • Do not apply adaptive configuration settings to this filter — The filter will not be monitored by the Adaptive Filter mechanism
STEP 8 In the Scan/Sweep Parameters section, do the following:
  STEP A Enter the number of seconds for the Timeout.
  STEP B Enter the number of hits allowed for the Threshold.
STEP 9 Optionally, you can add exceptions to the filter so that the filter will not be used to monitor traffic from specified IP addresses. In the Exceptions section, do the following:
  STEP A Enter the Source Address.
  STEP B Enter the Destination Address.
  STEP C Click add to the table below.
STEP 10 Click Save.
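The Timeout, Threshold and exception settings from the procedure above, replayed over constructed connection records to show when a filter would trigger. This is an added example, not 3Com code: the fixed counting window, the keys used to group connections (source and destination for a port scan, source and destination port for a host sweep) and every address are assumptions.

```python
import ipaddress


def addr_matches(spec, ip):
    """Match one exception address: CIDR, "any" or "*" (the formats the guide lists)."""
    if spec in ("any", "*"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


class RateFilter:
    """Counts connections per key inside a window of `timeout` seconds.

    Assumption: the window is fixed and starts at the first connection seen
    for a key; the guide does not say how the device anchors the interval.
    """

    def __init__(self, threshold, timeout, key_fields, exceptions=()):
        self.threshold = threshold
        self.timeout = timeout
        self.key_fields = key_fields        # fields that identify one scan
        self.exceptions = list(exceptions)  # (source, destination) pairs
        self.windows = {}                   # key -> [window_start, hits]

    def observe(self, ts, src, dst, dport):
        """Return the hit count if this connection triggers the filter, else 0."""
        if any(addr_matches(s, src) and addr_matches(d, dst)
               for s, d in self.exceptions):
            return 0                        # excepted traffic is never counted
        conn = {"src": src, "dst": dst, "dport": dport}
        key = tuple(conn[f] for f in self.key_fields)
        win = self.windows.get(key)
        if win is None or ts - win[0] >= self.timeout:
            win = self.windows[key] = [ts, 0]   # interval expired: start over
        win[1] += 1
        hits = win[1]
        # Fires on hit threshold+1, 2*threshold+1, ... (101, 201, 301 for 100).
        if hits > self.threshold and (hits - 1) % self.threshold == 0:
            return hits
        return 0


def replay(filt, connections):
    """Feed (ts, src, dst, dport) records to a filter; return its triggers."""
    triggers = []
    for ts, src, dst, dport in connections:
        hits = filt.observe(ts, src, dst, dport)
        if hits:
            triggers.append((ts, src, hits))
    return triggers


def port_scan_filter(exceptions=()):
    # Timeout 300 s, Threshold 100 hits: the values used in Filter Tuning.
    return RateFilter(100, 300, ("src", "dst"), exceptions)


def host_sweep_filter():
    return RateFilter(100, 300, ("src", "dport"))


# Constructed sample traffic (timestamps in seconds).
# One source, one target, 350 ports at two connections per second.
BURST = [(i // 2, "10.0.0.5", "192.0.2.10", 1 + i) for i in range(350)]
# The same 350 connections at one every 4 s: at most 75 fall in any window.
STEADY = [(4 * i, "10.0.0.6", "192.0.2.10", 1 + i) for i in range(350)]
# One source, 120 different hosts, always port 22.
SWEEP = [(i, "10.0.0.7", f"192.0.2.{i + 1}", 22) for i in range(120)]
# A monitoring host that legitimately probes 150 ports on one server.
MONITOR = [(i, "10.0.9.9", "192.0.2.10", 1 + i) for i in range(150)]

if __name__ == "__main__":
    print("burst  :", replay(port_scan_filter(), BURST))
    print("steady :", replay(port_scan_filter(), STEADY))
    print("sweep  :", replay(host_sweep_filter(), SWEEP))
    print("monitor:", replay(port_scan_filter([("10.0.9.0/24", "any")]), MONITOR))
```

Replaying a day of your own connection logs through candidate Timeout and Threshold values before saving them on the device shows how many alerts each setting would produce and which hosts need an exception.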
Page: 60

Traffic Threshold Filters

Note: The default X-Series configuration does not include any Traffic Threshold filters. You must create them based on your network requirements.

Traffic threshold filters alert you and the system when network traffic varies from the norm. The 3Com IPS system determines normal traffic patterns based on the network statistics over time. You can set 4 types of thresholds for each filter:
• major increase — Traffic is greatly over the set threshold.
• minor increase — Traffic is slightly over the set threshold.
• minor decrease — Traffic is slightly below the set threshold.
• major decrease — Traffic is greatly under the set threshold.

Thresholds are expressed as a “% of normal” traffic. For example, a threshold of 150% would fire if traffic exceeded the “normal” amount by 50%. A threshold of 60% would fire if the level of traffic dropped by 40% from the “normal” amount of traffic.

Note: Network traffic rates are inherently erratic and can vary as much as 50% above or below the normal level on a regular basis. When you set up Traffic Threshold filters, avoid setting small variation percentages for minor and major thresholds to prevent the Traffic Threshold filter from triggering too often.

You can configure an action set for each threshold level of the Traffic Threshold filter. When the filter triggers, the system executes the action specified for the threshold setting that triggered the filter. You can also configure traffic thresholds so that they only monitor traffic on the network without taking any action. All traffic threshold activity is recorded in the Traffic Threshold report (Events > Reports > Traffic Threshold).

Thresholds trigger when the traffic flow is above the Above Normal threshold percentage specified, or below the Below Normal threshold percentage specified by the set amounts. When traffic exceeds a threshold and returns to normal levels, the system executes the action specified for the threshold that triggered the filter and generates an alert. These alerts inform you of the triggered filter, when the thresholds are exceeded and return to normal, and the exceeded amount.

After the filter triggers, you must reset it to re-establish it for use in the system. The filter is not disabled, but it does require resetting.

Note: A triggered Traffic Threshold filter will not perform functions until you manually reset it.

Traffic Threshold filter events are recorded in the Alert and Block logs (Events > Logs), based on the action set specified for the filter. Information on traffic threshold events is also available in the Traffic Thresholds report (Events > Reports > Traffic Threshold).
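The “% of normal” thresholds and the manual-reset behaviour described above, applied to constructed traffic samples to compare tight and wide threshold settings. This is an added example, not 3Com code: taking “normal” as the mean of past samples, the strict comparisons, and all rates and percentages are assumptions, and the return-to-normal alert is not modelled.

```python
from statistics import mean


def classify(rate, normal, thresholds):
    """Return the threshold level that `rate` crosses, or None.

    thresholds maps each of the four levels to a percent of normal,
    e.g. {"major increase": 200, "minor increase": 160,
          "minor decrease": 50, "major decrease": 40}.
    """
    pct = 100.0 * rate / normal
    if pct > thresholds["major increase"]:
        return "major increase"
    if pct > thresholds["minor increase"]:
        return "minor increase"
    if pct < thresholds["major decrease"]:
        return "major decrease"
    if pct < thresholds["minor decrease"]:
        return "minor decrease"
    return None


def crossings(samples, normal, thresholds):
    """List every sample that would cross a threshold (tuning aid, no latch)."""
    found = []
    for sample in samples:
        level = classify(sample, normal, thresholds)
        if level is not None:
            found.append((sample, level))
    return found


class TrafficThresholdFilter:
    """A filter that fires once and then stays idle until reset()."""

    def __init__(self, history, thresholds):
        # Assumption: "normal" is the mean of past samples; the guide only
        # says it is derived from network statistics over time.
        self.normal = mean(history)
        self.thresholds = thresholds
        self.triggered = None

    def observe(self, rate):
        """Return the level that fired, or None (also None while latched)."""
        if self.triggered is not None:
            return None                 # waiting for a manual reset
        level = classify(rate, self.normal, self.thresholds)
        if level is not None:
            self.triggered = level
        return level

    def reset(self):
        self.triggered = None


def replay(filt, samples):
    """Feed samples to a filter and return the levels that actually fired."""
    return [lvl for lvl in (filt.observe(s) for s in samples) if lvl]


# Constructed data: rates in Mbps against a normal level of 100 Mbps.
HISTORY = [90, 110, 100, 100]
SAMPLES = [100, 140, 70, 150, 95, 55, 210, 100, 35]

# Small variation percentages, which the Note above advises against.
TIGHT = {"major increase": 130, "minor increase": 110,
         "minor decrease": 90, "major decrease": 70}
# Thresholds set outside the regular +/-50% swing.
WIDE = {"major increase": 200, "minor increase": 160,
        "minor decrease": 50, "major decrease": 40}

if __name__ == "__main__":
    print("tight:", crossings(SAMPLES, 100, TIGHT))
    print("wide :", crossings(SAMPLES, 100, WIDE))
    f = TrafficThresholdFilter(HISTORY, WIDE)
    print("fired before reset:", replay(f, SAMPLES))
```

With the wide thresholds the drop to 35 Mbps goes unreported because the filter is still latched from the 210 Mbps spike, which is why a triggered filter should be reset promptly.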