IPS-1 Getting Started Guide Version 5.0.6 April 16, 2007

IPS-1 Getting Started Guide

Version 5.0.6

April 16, 2007

IPS-1_Getting_Started_Guide.book Page 1 Monday, April 16, 2007 3:48 PM

© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. 
All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.


Contents

Preface
Who Should Use This Guide, page 8
About this Guide, page 9
A Convention Used in this Guide, page 10
Summary of Contents, page 11
Related Documentation, page 12
More Information, page 13
Feedback, page 14

Chapter 1 Installing IPS-1 for the First Time
Overview, page 16
Deployment Scenarios, page 16
System Requirements, page 19
IPS-1 Sensor, page 19
IPS-1 Alerts Concentrator, page 19
IPS-1 Server, page 20
IPS-1 Management Dashboard, page 21
Installing Check Point IPS-1, page 22
Before Installation, page 22
Initial Installation Steps, page 24
Installing an IPS-1 Alerts Concentrator, page 26
Installing the IPS-1 Server, page 27
Installing a ‘Combo’ Server, page 28
Installing the IPS-1 Management Dashboard, page 29
Installing and Initially Configuring IPS-1 Sensors, page 30
Installing and Initially Configuring IPS-1 Power Sensors, page 37

Chapter 2 Setting Up IPS-1 Functionality
Overview, page 46
Proxy Servers, page 46
Starting the IPS-1 Alerts Concentrator and IPS-1 Server, page 47
Logging into the IPS-1 Management Dashboard, page 48
Adding IPS-1 Alerts Concentrators, page 49
Importing Default Packages and Backends, page 52
Configuring User Accounts, page 55
Adding IPS-1 Sensors, page 57
Restarting an IPS-1 Sensor, page 59

Chapter 3 About Prevention with IPS-1 Sensor
Overview, page 62
Modes, page 63
Prevention Quick Configuration, page 64
Prevention Configuration, page 65
Blacklisting, page 66
Tuning the Sensor, page 67

Appendix A IPS-1 Sensor Configuration Variables
IPS-1 Sensor Configuration Variable Definitions, page 70
IPS-1 Sensor Configuration Variables Worksheet, page 74

Appendix B IPS-1 Deployment Options
Overview, page 78
Inline Mode, page 79
Passive Mode, page 80
Switched Networks, Span Mode, page 80
Full Duplex Environment, Tap Mode, page 81
Hub Mode, page 82
Standby Options, page 84
Alert Continuity, page 84
Monitoring of Failover Networks, page 85
Fast Deployment of a Standby IPS-1 Sensor, page 86

Index, page 93

Preface

In This Chapter

Who Should Use This Guide page 8

About this Guide page 9

A Convention Used in this Guide page 10

Summary of Contents page 11

Related Documentation page 12

More Information page 13

Feedback page 14

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of

• System administration.

• The underlying operating system.

• Internet protocols (IP, TCP, UDP etc.).

About this Guide

The IPS-1 Getting Started Guide is a guide to installation and initial configuration of the IPS-1 Management Dashboard, IPS-1 Alerts Concentrator, IPS-1 Server, and IPS-1 Sensor. For a broader explanation of the IPS-1 system, see the IPS-1 Administration Guide.

Check Point documentation is reissued when major product enhancements are introduced. Periodic updates may be issued to document minor product enhancements, correct documentation errors, etc. These updates can be downloaded from the Check Point Support site.

Note that some legacy account, group and file names follow the old NFR/Sentivist scheme to prevent script and tool breakage in the current release.

A Convention Used in this Guide

There may be instances when you are directed to enter a command that is too long to display as a single line within this guide. In these situations, you will still need to enter the command as a single line.

To indicate this, the text wrap symbol is displayed within the command line and the next line is indented. For example:

cp /cdrom/cdrom0/thirdparty/Solaris/gcc_stdc_sun.
    tar.Z /tmp

When you see the text wrap symbol, type the text that precedes and follows this symbol as a single command line. Do not type the text wrap symbol as part of the command!

Summary of Contents

This guide contains the following chapters and appendices:

Chapters:

• Chapter 1, “Installing IPS-1 for the First Time”: Deployment scenarios and how to perform a fresh installation of the primary IPS-1 components.

• Chapter 2, “Setting Up IPS-1 Functionality”: Initial setting of component functions after installation.

• Chapter 3, “About Prevention with IPS-1 Sensor”: Information on IPS-1 Sensor functions.

Appendices:

• Appendix A, “IPS-1 Sensor Configuration Variables”: The variables used to configure IPS-1 Sensor.

• Appendix B, “IPS-1 Deployment Options”: Several options for placing IPS-1 Sensors within your network.

Related Documentation

This release includes the following documentation:

• IPS-1 Getting Started Guide

• IPS-1 Administration Guide

More Information

• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.

• See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]

Chapter 1 Installing IPS-1 for the First Time

In This Chapter

Overview page 16

System Requirements page 19

Installing Check Point IPS-1 page 22

Overview

The IPS-1 Management Dashboard and IPS-1 Server are the management components of the IPS-1 system. Through the IPS-1 Management Dashboard and IPS-1 Server, you can monitor alerts generated throughout the entire system and perform high-level analysis. The IPS-1 Management Dashboard also allows you to centrally configure and manage all IPS-1 Servers and sensors in your system.

This section describes how to install a new IPS-1 system. Before beginning, ensure that the hosts meet the system requirements and that the system has been "hardened" using security best practices.

Although there is no set order you have to follow to install the IPS-1 components, Check Point recommends you have IPS-1 Sensors installed first because you can easily add them when you initially launch the IPS-1 Management Dashboard. The IPS-1 Alerts Concentrator and IPS-1 Server components can be installed together or separately during the install process, the choice is yours. Installation of the client can be done at any point in the installation process. However, note that you will need the client to launch the IPS-1 5.0 interface.

Deployment Scenarios

There are two possible deployment scenarios: small deployment or large deployment.

• Small deployment where the IPS-1 Server and a single IPS-1 Alerts Concentrator are installed on a shared platform. Sensors are deployed according to your needs.

• Large deployment where one or more IPS-1 Alerts Concentrators reside on separate platforms, and the IPS-1 Server resides on its own platform apart from any IPS-1 Alerts Concentrators. IPS-1 Sensors are deployed according to your needs, and each sensor reports to one or two of the multiple IPS-1 Alerts Concentrators.

In either scenario, sensors are deployed at key points in the network according to your requirements (See Appendix B, “IPS-1 Deployment Options”), and the IPS-1 Management Dashboard (client) is deployed on various workstations throughout the enterprise.

The following figures give you an idea of which deployment scenario may be appropriate for your organization.

Figure 1-1 Example of a Small Deployment

This is an example of a small deployment. For larger deployments, you would add additional IPS-1 components as needed on your network, as shown in Figure 1-2.

Figure 1-2 Example of a Large Deployment

System Requirements

In This Section

IPS-1 Sensor page 19

IPS-1 Alerts Concentrator page 19

IPS-1 Server page 20

IPS-1 Management Dashboard page 21

Before starting the installation, make sure the IPS-1 Management Dashboard, IPS-1 Server, and IPS-1 Sensors meet the following system requirements. For documentation on third party platforms, please contact support.

Check Point Security continually tests and certifies hardware that can support IPS-1 Sensor. A current listing of supported hardware configurations is available on the Check Point support site.

IPS-1 Sensor

IPS-1 Sensors are delivered as a Check Point pre-configured appliance.

IPS-1 Alerts Concentrator

The supported operating systems are:

• Red Hat Enterprise Linux 3 (AS/ES) and 4 (AS/ES)

• CentOS version 4

• SPARC platform running Solaris 9 or 10

Note - For users of Red Hat Linux, the IPS-1 Alerts Concentrator and the IPS-1 Server cannot use the 64-bit version of the operating system. To prevent system installation failure, use the 32-bit version of Red Hat Linux.

Tip - You must use an NTP (Network Time Protocol) server to synchronize time between the IPS-1 Alerts Concentrator and other network components if you want your system to function reliably. Refer to your NTP server documentation for installation and configuration instructions.

IPS-1 Server

IPS-1 Server includes a database server and Java-based software that performs server-side functions. To obtain optimal performance, it is recommended that the IPS-1 Server run on a dedicated machine.

The supported operating systems are the same as for the Alerts Concentrator.

The supported databases are:

• MySQL 4.1

MySQL will be automatically installed and configured for you during the IPS-1 Server installation process.

Heavy Volume System Requirements

You must meet these system requirements if heavy volume is anticipated (between 250,000 and 1,000,000 alerts per day).

• 3.0 GHz Pentium class machine with dual CPUs

• 4 GB RAM

• 100 Mbps network connection

• SCSI drives in a hardware RAID 10 (40 GB usable)

• Hot spare drive

or, on Solaris 9 or 10:

• 400 MHz UltraSPARC with dual CPUs

• 4 GB RAM

• SCSI drives in a hardware RAID 10 (minimum 40 GB usable)

• Hot spare drive

• 100 Mbps network connection

Note - The amount of free disk space (before installation) must be twice the amount of disk space required for the database. For example, if you anticipate that 20 GB is required for storing alert data, 40 GB of free disk space is needed before the installation process. This applies to both recommended and minimum system requirements.

IPS-1 Management Dashboard

The IPS-1 Management Dashboard is a pure Java-based application. The supported operating systems are:

• Windows 2000 Professional with SP4

• Windows XP Professional with SP2

• Red Hat Enterprise Linux 3 (ES/AS) and 4

• CentOS 4

• Solaris 9 and 10

Note - If you plan on using the IPS-1 Management Dashboard on a Linux or Solaris workstation, it must have a graphical desktop environment (such as KDE or GNOME) installed.

Installing Check Point IPS-1

In This Section

Before Installation page 22

Initial Installation Steps page 24

Installing an IPS-1 Alerts Concentrator page 26

Installing the IPS-1 Server page 27

Installing a ‘Combo’ Server page 28

Installing the IPS-1 Management Dashboard page 29

Installing and Initially Configuring IPS-1 Sensors page 30

Installing and Initially Configuring IPS-1 Power Sensors page 37

Note - For many of the examples in the following instructions, we will be using RHEL4 as the Operating System. There are minor differences between RHEL3 and RHEL4, as the latter incorporates changes to follow the Linux Standards Base specification. For example, CDs mount on /mnt/cdrom on RHEL3, and /media/cdrom on RHEL4. On Solaris, CDs are generally mounted to /cdrom/cdrom0. While following these steps, you may need to adjust paths to match your specific installation rather than retyping the commands verbatim.

Before Installation

Hosts Table Entry

When installing servers on Linux and Solaris, ensure that there is an /etc/hosts table entry for your IP address and server name:

RIGHT:

127.0.0.1 localhost localhost.localdomain
10.244.13.5 servername servername.example.com

WRONG:

127.0.0.1 servername localhost localhost.localdomain

Without the host entry, connections between the IPS-1 Management Dashboard and servers may fail with confusing error messages.
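The hosts table check above can be scripted before the installer is run. The following POSIX shell script is an added example, not part of the Check Point guide: the function name check_hosts_entry, its arguments, and the sample tables it runs against (modelled on the RIGHT and WRONG entries shown above) are all this example's own. It accepts a hosts file, the server name, and optionally the address the name is expected to map to, and rejects any table where the server name is bound to a loopback address.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): verify that a hosts
# table binds the server name to its real address, not to the loopback
# address, before installing the IPS-1 servers.
#
# check_hosts_entry HOSTS_FILE SERVER_NAME [EXPECTED_IP]
#   Exit status 0 when SERVER_NAME appears on a non-loopback line (and, if
#   EXPECTED_IP is given, on the line for that address) and on no 127.x line.
#   Exit status 1 otherwise, with the reason printed on standard output.
check_hosts_entry() {
    hosts_file=$1
    server_name=$2
    expected_ip=${3:-}

    awk -v name="$server_name" -v want="$expected_ip" '
        { sub(/#.*/, "") }              # drop comments
        NF < 2 { next }                 # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++) {
                if ($i != name) continue
                if ($1 ~ /^127\./) loopback = 1             # the WRONG pattern
                else if (want == "" || $1 == want) real = 1  # the RIGHT pattern
                else other = $1                              # bound to some other address
            }
        }
        END {
            if (loopback)    { print name " is bound to the loopback address"; exit 1 }
            if (other != "") { print name " maps to " other ", expected " want; exit 1 }
            if (!real)       { print "no hosts entry for " name; exit 1 }
            exit 0
        }
    ' "$hosts_file"
}

# Demonstration on constructed tables modelled on the RIGHT and WRONG
# entries above (temporary files; no system file is touched).
demo_hosts_check() {
    good=$(mktemp) || return 1
    bad=$(mktemp) || return 1
    printf '127.0.0.1 localhost localhost.localdomain\n10.244.13.5 servername servername.example.com\n' > "$good"
    printf '127.0.0.1 servername localhost localhost.localdomain\n' > "$bad"
    check_hosts_entry "$good" servername 10.244.13.5 && echo "RIGHT table: OK"
    check_hosts_entry "$bad" servername 10.244.13.5 || echo "WRONG table: rejected"
    rm -f "$good" "$bad"
}

demo_hosts_check
```

Run it against the real table with `check_hosts_entry /etc/hosts "$(hostname)" <server IP>` on each host that will carry an IPS-1 Alerts Concentrator or IPS-1 Server; a non-zero exit status means the table still has the WRONG shape and the Dashboard connection failures described above are to be expected.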

Creating the ‘nfr’ User Account

1. Before you can begin the installation process for IPS-1 5.0, you must create the Check Point user account.

2. The installation for the IPS-1 Alerts Concentrator and IPS-1 Server has been streamlined for this release to make the process of installation easier for the user. You may install each component individually or at the same time. Before beginning the installation process, you must create the Check Point user account to install the software. Create a user account where:

• User name: nfr

• The user belongs to group: nfr

• The home directory for the user should be the same as the intended install location for the IPS-1 Alerts Concentrator and/or IPS-1 Server. By default, this is /usr/local/nfr on Linux hosts and /opt/nfr on Solaris hosts.

Perform the following steps as the root user.

Creating the ‘nfr’ user account on Linux

1. Create the directory where you will install the product:

mkdir /usr/local/nfr

2. Create the ‘nfr’ group:

/usr/sbin/groupadd nfr

3. Create the ‘nfr’ user:

/usr/sbin/useradd -g nfr -d /usr/local/nfr nfr

4. Set the ‘nfr’ user's password:

passwd nfr

5. The next step is to make ‘nfr’ the owner:

chown -R nfr:nfr /usr/local/nfr

Creating the ‘nfr’ user account on Solaris

As the root user:

1. Add the ‘nfr’ group:

/usr/sbin/groupadd nfr

2. Create the ‘nfr’ user as a member of the ‘nfr’ group with a home directory of /opt/nfr:

/usr/sbin/useradd -g nfr -d /opt/nfr nfr

3. Create the ‘nfr’ user's home directory, /opt/nfr:

mkdir /opt/nfr

4. Change the owner and group of the nfr user's home directory:

chown nfr:nfr /opt/nfr

5. Set the ‘nfr’ user's password:

passwd nfr
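Before starting the installer it is worth confirming that the account created by the Linux or Solaris steps above matches what the guide requires: user nfr, primary group nfr, a home directory equal to the intended install location, and not uid 0 (the installer exits when run as root). The following POSIX shell script is an added example and not part of the Check Point guide; the function names check_nfr_account and check_install_dir, their arguments, and the passwd/group fragments it runs against are constructed for this example. It reads the account databases from files it is given, so it can be run against a copy of /etc/passwd and /etc/group as well as the live ones.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): check the 'nfr' account
# created above against the requirements the guide states.
#
# check_nfr_account PASSWD_FILE GROUP_FILE EXPECTED_HOME
#   Exit status 0 when user 'nfr' exists, is not uid 0, has primary group
#   'nfr', and has EXPECTED_HOME as its home directory (/usr/local/nfr on
#   Linux, /opt/nfr on Solaris). Otherwise prints the first problem found
#   and returns 1.
check_nfr_account() {
    passwd_file=$1
    group_file=$2
    expected_home=$3

    nfr_gid=$(awk -F: '$1 == "nfr" { print $3; exit }' "$group_file")
    if [ -z "$nfr_gid" ]; then
        echo "group 'nfr' does not exist"
        return 1
    fi

    entry=$(awk -F: '$1 == "nfr" { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "user 'nfr' does not exist"
        return 1
    fi

    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)

    if [ "$uid" = "0" ]; then
        echo "user 'nfr' has uid 0; the installer exits when run as root"
        return 1
    fi
    if [ "$gid" != "$nfr_gid" ]; then
        echo "user 'nfr' has primary gid $gid, expected gid $nfr_gid (group nfr)"
        return 1
    fi
    if [ "$home" != "$expected_home" ]; then
        echo "user 'nfr' has home $home, expected $expected_home"
        return 1
    fi
    return 0
}

# check_install_dir DIR OWNER GROUP
#   Exit status 0 when DIR exists and is owned by OWNER:GROUP (nfr:nfr after
#   the chown step above).
check_install_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist"
        return 1
    fi
    owner=$(ls -ld "$dir" | awk '{ print $3 ":" $4 }')
    if [ "$owner" != "$2:$3" ]; then
        echo "$dir is owned by $owner, expected $2:$3"
        return 1
    fi
    return 0
}

# Demonstration against constructed passwd/group fragments (not the live
# system databases).
demo_nfr_check() {
    pw=$(mktemp) || return 1
    gr=$(mktemp) || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\nnfr:x:501:501::/usr/local/nfr:/bin/bash\n' > "$pw"
    printf 'root:x:0:\nnfr:x:501:\n' > "$gr"
    check_nfr_account "$pw" "$gr" /usr/local/nfr && echo "nfr account (Linux layout): OK"
    # Same account checked against the Solaris install location: reported as a mismatch.
    check_nfr_account "$pw" "$gr" /opt/nfr || echo "nfr account vs /opt/nfr: mismatch reported"
    rm -f "$pw" "$gr"
}

demo_nfr_check
```

On a real host the calls are `check_nfr_account /etc/passwd /etc/group /usr/local/nfr` (or /opt/nfr on Solaris) followed by `check_install_dir /usr/local/nfr nfr nfr`; both must return 0 before running ./install as the nfr user.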

Initial Installation Steps

1. To begin the installation process, insert the Check Point IPS-1 Alerts Concentrator and IPS-1 Server CD-ROM into the CD-ROM drive. The following initial steps must be taken before beginning the actual installation process for the IPS-1 components.

2. Mount the CD-ROM. Type:

mount /media/cdrom

3. Log in as the ‘nfr’ user.

su - nfr

4. Change into the cdrom directory:

cd /media/cdrom

5. Run the command line:

./install

6. Set the path and filename of the configuration file where the configuration options are stored. Provide the path and filename to store the configuration.

default = /usr/local/nfr/sentivist.cnf

If the system cannot create the file, it will generate the message "I was unable to create /path/to/config_file.cnf, please reenter." This is usually caused by a typing error.

Note - The system will check the user id to make sure the user is not 'root'. If the user is 'root’, it will issue an error and exit the system.


7. Set the location and name of the install log. Provide the location of the install log file.

default = /tmp/IPS-1_install.log

8. Now determine the install option. You can decide if you want to install immediately after configuration, or if a configuration template should be created. The following message appears: "Enter [N/n] if you don't want the installation to start immediately after configuration?"

Note - If "N" or "n" is selected, the configuration file will be saved to the location specified in step 6 after the configuration settings are made and the installation will stop. Entering any other key will cause installation to begin immediately after the configuration file settings are saved.

9. The system will now ask for the install type. This step allows you to select which components of the suite should be installed. The following menu appears:

Alerts Concentrator only= 0 (Installs Server)
IPS-1 Server only= 1 (Installs IPS-1 Server)
Combo (both servers)= 2 (Installs both)
[0/1/2] (default =2)

Note - At this point in the install process, you can elect to install the IPS-1 Alerts Concentrator and IPS-1 Server separately, or you can install them both at the same time, to a "unified" MySQL installation.

10. Once the install type has been determined, set the location where the IPS-1 suite will reside.

default = /usr/local/nfr

11. Now select the OS type.

This step allows you to modify the operating system selection if it is not automatically detected. Typically, the default will reflect the appropriate value for the system on which the installer will run.

Enter the Operating System (Linux|SunOS)

default = Linux

Now begin the final installation process. Depending on what your install selection was, refer to the corresponding section.

• “Installing an IPS-1 Alerts Concentrator” on page 26

• “Installing the IPS-1 Server” on page 27

Installing an IPS-1 Alerts Concentrator

Follow the steps to only install the IPS-1 Alerts Concentrator.

How to install IPS-1 Alerts Concentrator

1. A message appears "Enter [Y/y] if you have a prior version of Alerts Concentrator (Sentivist Server) to upgrade. Press any other key to continue with a fresh installation". Enter N (no).

2. Set the server name.

This step allows you to select the hostname of the server. Acceptable entries are the DNS-resolvable hostname or the output of /bin/hostname. A message appears "Enter the name of the IPS-1 Alerts Concentrator."

(default = <hostname>)

3. Set the server IP.

This step allows you to select the IP address of the server host. A message appears "Enter the IP address of the server."

(default = 127.0.0.1)

4. Set the IPS-1 database admin password.

This step allows you to set the password for the 'root' user of the MySQL database. A message appears "Enter the password for the Alerts Concentrator database admin (MySQL.)"

5. Set IPS-1 database user password.

This step allows you to set the password for the 'nfr' user of the MySQL database. As mentioned in the previous note, the password will be in plain text in the configuration file. A message appears "Enter the password for the Alerts Concentrator user (MySQL)."

6. Set IPS-1 database host.

Note - This is the IP address used by the IPS-1 Sensor and IPS-1 Server to communicate with the IPS-1 Alerts Concentrator. It should never be set to the default value.

Note - The password is not displayed on screen. However, it is written in plain text to the configuration file. The configuration file should be relocated to a protected directory and/or have its permissions set appropriately to protect this information. The configuration file may be deleted after installation and should be deleted when no longer needed. Make note of the password as it is needed for database maintenance activities.


This step allows you to set the host value used for the grant permissions on the MySQL database, that is, the client host from which the IPS-1 database users are allowed to connect. Acceptable values are localhost, the IP address of the Server, or a DNS-resolvable hostname. In most cases, localhost is sufficient. However, if remote administrative access is required from a command line, it may be desirable to set the IP address or hostname; use the narrowest value that works, since it limits where the database can be reached from with these credentials.

A message appears "Enter the hostname for the IPS-1 database."

(default = localhost)

7. Set the IPS-1 database port.

This step allows you to change the default port used by MySQL for the IPS-1 installation. A message appears "Enter the port name for the IPS-1 database."

(default = 55555)

Installing the IPS-1 Server

Follow these steps to install only the IPS-1 Server.

How to install IPS-1 Server

1. A message appears "Enter [Y/y] if you have a prior version of IPS-1 (Enterprise Server) to upgrade. Press any other key to continue with a fresh installation." Enter N (no).

2. Set the IPS-1 Server IP.

This step allows you to set the IP address of the IPS-1 Server. Enter the IP address of the IPS-1 Server.

(default = 127.0.0.1)

3. MySQL

a. Set the IPS-1 database admin password.

This step allows you to set the password for the 'root' user of the MySQL database. Enter the password for the IPS-1 admin (MySQL).

b. Set the IPS-1 database user password.

This step allows you to set the password for the 'nfr' user of the MySQL database. Enter the password for the IPS-1 user.

Note - The passwords are not displayed on screen. However, they are written in plain text to the configuration file. The configuration file should be located in a protected directory and/or have its permissions set so that only the installing user can read it. The configuration file may be deleted after installation and should be deleted when no longer needed. Make a note of the passwords, as they are needed for database maintenance activities.

c. Set IPS-1 database host.

This step allows you to set the host value for permissions on the MySQL database. The acceptable values are localhost, the IP address of the Server, or a DNS resolvable hostname. In most cases, the value localhost is acceptable. However, if remote access is required from a command line, it may be desirable to set the IP address or host name. Enter the host for the IPS-1 database.

(default = localhost)

d. Set the IPS-1 database port.

This step allows you to change the default port used for MySQL for the IPS-1 installation. Enter the port for the IPS-1 database.

(default = 55555)

Installing a ‘Combo’ Server

Follow these steps for a combination install.

How to Install IPS-1 Alerts Concentrator and IPS-1 Server

1. A message appears "Enter [Y/y] if you have a prior version of the Alerts Concentrator (Sentivist Server) to upgrade. Press any other key to continue with a fresh installation." Enter N (no).

2. A message appears "Enter [Y/y] if you have a prior version of IPS-1 Server (Enterprise Server) to upgrade. Press any other key to continue with a fresh installation." Enter N (no).


3. Set the Server name.

This step allows you to set the hostname of the Server. Acceptable names are the DNS-resolvable hostname or the output of /bin/hostname. Enter the hostname of the IPS-1 Alerts Concentrator.

(default = <hostname>)

4. Set the Server IP.

This step allows you to select the IP address of the Server host. Enter the IP address of the IPS-1 Alerts Concentrator.

Note - This is the IP address the sensors and the IPS-1 Server use to communicate with the IPS-1 Alerts Concentrator; it must never be left at the default value.

Note - On a combination install, this setting is shared with the IPS-1 Server installation. You will not be asked for it twice.

5. MySQL

The values are the same as those set for the IPS-1 Alerts Concentrator. The questions are not asked again.

At this point, the installer displays the values that were selected. Review the entries to see if they are correct. Enter [Y/y] if the settings are correct.

If the values are not correct, a table with numbered entry lines is displayed that you can use to correct your entries. Once all corrections are made, you can either start the installation immediately or write the configuration file.

Installing the IPS-1 Management Dashboard

On a Windows Host

1. Insert the IPS-1 Management Dashboard product distribution CD into the CD-ROM drive.

2. If the InstallShield wizard does not start automatically, run setupwin32.exe from the CD.

3. Follow the on-screen installation instructions.


On a Linux or Solaris Host

1. Insert the IPS-1 Management Dashboard product distribution CD into the CD-ROM drive. If the drive is not mounted, mount it now (you may log in as the root user to mount the drive). Perform the installation itself as a non-root user (the ‘nfr’ user is not required for the SPC).

2. Start the IPS-1 Management Dashboard installation script. On a Linux RHEL4 host, enter:

/media/cdrom/setuplinux.bin

On a Solaris host, enter:

/cdrom/cdrom0/setupsolarisSparc.bin

3. Follow the on-screen installation instructions.

Note - Incorrect configuration during the installation process may cause the installation to fail. If it fails with the error message "The installer is unable to run in graphical mode," try running the installer with the -console or -silent flag.

Installing and Initially Configuring IPS-1 Sensors

Check Point delivers IPS-1 Sensors as pre-installed appliances, eliminating the need to install software. Software installation is only necessary if the appliance needs to be re-installed, or as an alternative to a remote upgrade. Installation of the appliance is a two-step process:

1. Physical installation of the hardware

2. Configuring the appliance

Note - Before beginning, make sure the sensor product distribution CD for the correct model is on hand.

IPS-1 Sensor and Power Sensor Power Requirements

                            50C               200C/F            500C/F            Power 1000C/F     Power 2000C/F
Units                       AC                AC                AC                AC                AC
Amps                        6.0/3.0           8.2/4.1           6.7/3.4           4/2               4/2 per 2U chassis
Voltage                     110/220           110/220           110/220           110/220           110/220
Input Range (V)             100-240           100-127/200-240   100-127/200-240   90-255            90-255
Operating Temperature       0°C to +40°C      +10°C to +35°C    +10°C to +35°C    0°C to +55°C      0°C to +55°C
Non-Operating Temperature   -20°C to +80°C    -40°C to +70°C    -40°C to +70°C    -10°C to +70°C    -10°C to +70°C
Non-Operating Relative      10-90% @ 35°C     90% @ 35°C        90% @ 35°C        10-90% @ 35°C     10-90% @ 35°C
Humidity (non-condensing)
Emissions                   FCC Class A       FCC Class A       FCC Class A       FCC Class A       FCC Class A

Installing the IPS-1 Sensor Hardware

Each IPS-1 Sensor model has at least two NIC ports. You will choose one of these to use for sensor management (through the IPS-1 Alerts Concentrator). The remaining NIC or NICs are used to monitor the network. In any of the inline modes the IPS-1 Sensor always uses at least three NICs: one for management and a pair for the monitored segment.

The IPS-1 Sensor and the IPS-1 Alerts Concentrator use the management network for communication between themselves. This network can be a LAN, WAN, or MAN, or it can be as simple as a crossover cable. The IPS-1 Sensor listens for traffic on the monitored networks.

Note - Separating the management and monitoring interfaces allows the sensor to operate in stealth mode: other sniffing or active probing software cannot detect it, and it does not respond to any network traffic or request from any service on the monitored network.

The following sections describe where to attach the network cables, depending on the IPS-1 Sensor hardware model.

IPS-1 50C

Figure 1-3 IPS-1 50C

The IPS-1 50C Sensor has two 10/100/1000 Mbps copper Ethernet interfaces (em0 and em1) and two 10/100 Mbps copper Ethernet interfaces (fxp0 and fxp1).

Either the em0 or em1 interface can be used to manage the IPS-1 Sensor. Plug the network cable from the IPS-1 Alerts Concentrator management network into this interface. When operating the IPS-1 Sensor in passive/IDS mode, the three remaining interfaces can be used to monitor network traffic. Plug the network cable(s) from the monitored networks into these interfaces. In inline modes - bridge, fail-severed or fail pass-through - the fxp0 and fxp1 interfaces must be used to connect the sensor to the monitored network. Plug the network cables from the monitored network into fxp0 and fxp1.

IPS-1 200C

Figure 1-4 IPS-1 200C

The IPS-1 200C Sensor has four 10/100/1000 Mbps copper Ethernet interfaces.

Either the em0 or em1 interface can be used to manage the IPS-1 Sensor. Plug the network cable from the IPS-1 Alerts Concentrator management network into this interface. When operating the IPS-1 Sensor in passive/IDS mode, the three remaining interfaces can be used to monitor network traffic. Plug the network cable(s) from the monitored networks into these interfaces. In inline modes - bridge, fail-severed or fail pass-through, the em2 and em3 interfaces must be used to connect the sensor to the monitored network. Plug the network cables from the monitored network into em2 and em3.

IPS-1 Sensor 200F

Figure 1-5 IPS-1 Sensor 200F

IPS-1 Sensor 200F has two Gigabit fiber Ethernet interfaces and two 10/100/1000 Mbps copper Ethernet interfaces.

Either the em0 or em1 interface can be used to manage the IPS-1 Sensor. Plug the network cable from the IPS-1 Alerts Concentrator management network into this interface. When operating the IPS-1 Sensor in passive/IDS mode, the three remaining interfaces can be used to monitor network traffic. Plug the network cable(s) from the monitored networks into these interfaces. In inline modes - bridge, fail-severed or fail pass-through - the em2 and em3 interfaces must be used to connect the sensor to the monitored network. Plug the network cables from the monitored network into em2 and em3.

IPS-1 Sensor 500C

Figure 1-6 IPS-1 Sensor 500C

IPS-1 Sensor 500C has three pairs of 10/100/1000 Mbps copper Ethernet interfaces.

Either the em0 or em1 interface can be used to manage the IPS-1 Sensor. Plug the network cable from the IPS-1 Alerts Concentrator management network into this interface. When operating the IPS-1 Sensor in passive/IDS mode, the five remaining interfaces can be used to monitor network traffic. Plug the network cable(s) from the monitored networks into these interfaces. In inline modes - bridge, fail-severed or fail pass-through - the em2/em3 and em4/em5 interface pairs must be used, in those pairings, to connect the sensor to the monitored network. Plug the network cables from the first monitored network into em2 and em3 and the cables from the second monitored network into em4 and em5. The remaining em0 or em1 interface is unused.

IPS-1 Sensor 500F

Figure 1-7 IPS-1 Sensor 500F

IPS-1 Sensor 500F has two pairs of interfaces, one pair of 10/100/1000 Mbps copper Ethernet interfaces and one pair of Gigabit fiber Ethernet interfaces.

Either the em0 or em1 interface can be used to manage the IPS-1 Sensor. Plug the network cable from the IPS-1 Alerts Concentrator management network into this interface. When operating the IPS-1 Sensor in passive/IDS mode, the five remaining interfaces can be used to monitor network traffic. Plug the network cable(s) from the monitored networks into these interfaces. In inline modes - bridge, fail-severed or fail pass-through, the em2 and em3 and the em4 and em5 interface pairs must be used in these pairings to connect the sensor to the monitored network. Plug the network cables from the first monitored network into em2 and em3 and the cables from the second monitored network into em4 and em5. The remaining em0 or em1 interface is unused.

Configuring IPS-1 Sensors

Before the IPS-1 Sensor can operate within your IPS-1 system, the default configuration must be replaced with values specific to your organization.

The configuration settings can be overwritten manually or with values contained on a "configuration disk" created by the user. The disk approach is referred to as an "unattended" installation/configuration because user intervention is not required beyond inserting the configuration disk into the drive.


Changing Configuration Values Manually

You can manually edit default configuration values in the IPS-1 Sensor Management Menu. Refer to the IPS-1 Administration Guide for information on how to access and use the IPS-1 Sensor Management Menu.

Using a Configuration Disk

You can elect to replace the IPS-1 Sensor's default configuration values with values from your configuration disk. There are two ways to create the configuration disk:

• If you have other IPS-1 Sensors installed within the IPS-1 system, you can create the configuration disk from an installed IPS-1 Sensor and edit the values for your new IPS-1 Sensor. For more information, see Chapter 4 of the Check Point IPS-1 Configuration and Administration Guide.

• You may also create a configuration disk without using an installed IPS-1 Sensor by following the instructions below.

Note - The default IPS-1 Sensor password is "password." As part of this process you create a hashed password with the Linux sha1sum program or its equivalent in your environment (the guide calls this an "encrypted" password; it is an unsalted SHA-1 digest in hexadecimal). Before starting, make sure the program is installed on your workstation.

How to create the administrator password:

1. Create the hashed administrator password by entering the following command at a command prompt:

echo -n '<admin_password>' | sha1sum -

where <admin_password> is the plaintext password to be hashed. The -n option matters: without it the trailing newline is hashed as well, and the digest will not match the password you later type at the sensor. Copy the 40-character hex digest from the screen output and paste it into the configuration file.

Warning - The password for the IPS-1 Sensor administrator account is highly sensitive information. Create a complex password (more than 8 characters with mixed-case letters and numbers). This password must be guarded carefully and changed according to organizational password policy.

Using any text editor, create a file containing the following entries. For each configuration parameter, replace the value to the right of the equal sign with the specific value. For admin_pass and admin_pass2, paste the hashed password from the previous step.

admin_pass=<paste hashed password here>
admin_pass2=<paste hashed password here>
mngmtintf=em0
ipaddr0=nnn.nnn.nnn.nnn
netmask0=nnn.nnn.nnn.nnn
defroute=nnn.nnn.nnn.nnn
hostname=myhost
ip_central=nnn.nnn.nnn.nnn
crypto=passphrase
ip_central2=nnn.nnn.nnn.nnn
crypto2=passphrase
localtime=/nfr/zone/North America/United States/Eastern
ntphost1=nnn.nnn.nnn.nnn
ntphost2=nnn.nnn.nnn.nnn
ntpkeynum=5
ntpkey=sf709qw374@#$!@#
Mode=inline fail-passthrough
Inline_if1=em1
Inline_if2=em2

Note - Do not enter comments in the configuration file.

Save the file as nfr_ida.cfg to a Windows-formatted disk (VFAT file system). The file carries the hashed administrator password and the crypto passphrases for the Alerts Concentrators in plain text, so treat the disk with the same care as the installer configuration file on the server.

Tip - Refer to “IPS-1 Sensor Configuration Variables” on page 69 for more information on each configuration variable. Appendix A also contains a worksheet that can be used to record your configuration variables. This information will be needed when configuring IPS-1.

Tip - You may install the IPS-1 Sensor locally, but then disconnect the keyboard and monitor for Sensor operation (reconnecting them only when needed to perform Sensor administration). To do this, after editing the Sensor values, select Disable Serial Console from the Management Menu and then restart the Sensor. This prevents the sensor from automatically routing console data to the serial port when it restarts and detects the lack of a keyboard.
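The configuration-disk procedure above and the per-model inline cabling rules from the hardware sections earlier in this chapter, as one worked example. This is added code, not part of the Check Point guide or the IPS-1 product: it hashes the administrator password the way the echo | sha1sum command does, checks the mode and interface choices against the inline pairs the guide lists for each model (note that the guide's sample file pairs em1 with em2, which none of the model sections list, so check the section for your hardware), and writes the nfr_ida.cfg entries in the documented order with no comments. The password-policy check, the parser for a file copied from another sensor, the TEST-NET sample addresses and the Mode strings other than "inline fail-passthrough" are this example's own assumptions.

```python
"""Generate an nfr_ida.cfg for an IPS-1 Sensor configuration disk.

Added example; not code from the Check Point guide. It reproduces the guide's two manual
steps: hashing the administrator password exactly as `echo -n '<pw>' | sha1sum -` does (an
unsalted hex SHA-1 digest, which the guide calls an "encrypted" password) and writing the
key=value entries with no comments. INLINE_PAIRS comes from the guide's per-model cabling
sections; the checks built on it, the password-policy test, the parser and the Mode strings
other than "inline fail-passthrough" are this example's own assumptions.
"""
import hashlib
import ipaddress
import re

# Inline pairs the guide lists per model (bridge, fail-severed and fail-passthrough modes).
INLINE_PAIRS = {
    "50C": [("fxp0", "fxp1")],
    "200C": [("em2", "em3")],
    "200F": [("em2", "em3")],
    "500C": [("em2", "em3"), ("em4", "em5")],
    "500F": [("em2", "em3"), ("em4", "em5")],
}
MGMT_INTERFACES = ("em0", "em1")   # guide: either may carry management on every model above
MODES = ("passive", "inline bridge", "inline fail-severed", "inline fail-passthrough")
# Key order as listed in the guide's sample file.
KEY_ORDER = ("admin_pass", "admin_pass2", "mngmtintf", "ipaddr0", "netmask0", "defroute",
             "hostname", "ip_central", "crypto", "ip_central2", "crypto2", "localtime",
             "ntphost1", "ntphost2", "ntpkeynum", "ntpkey", "Mode", "Inline_if1", "Inline_if2")


def hash_admin_password(password: str) -> str:
    """Same digest as `echo -n '<password>' | sha1sum -`: no trailing newline, lower-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_password_policy(password: str) -> None:
    """The guide's warning: more than 8 characters, mixed-case letters and numbers."""
    if not (len(password) > 8 and re.search(r"[a-z]", password)
            and re.search(r"[A-Z]", password) and re.search(r"[0-9]", password)):
        raise ValueError("admin password must exceed 8 characters and mix upper, lower and digits")


def validate_inline_choice(model: str, mode: str, mngmtintf: str, if1, if2) -> None:
    """Reject mode/interface choices that contradict the guide's cabling rules for the model."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mngmtintf not in MGMT_INTERFACES:
        raise ValueError(f"management interface must be one of {MGMT_INTERFACES}")
    if mode == "passive":
        return                      # monitoring interfaces are free-form in passive/IDS mode
    pairs = INLINE_PAIRS[model]
    if (if1, if2) not in pairs and (if2, if1) not in pairs:
        raise ValueError(f"{model} inline modes must use one of {pairs}, got ({if1}, {if2})")


def build_nfr_ida_cfg(model, admin_password, mngmtintf, ipaddr0, netmask0, defroute,
                      hostname, ip_central, crypto, mode="passive",
                      inline_if1=None, inline_if2=None, **optional) -> str:
    """Return the nfr_ida.cfg text. Optional keys (ip_central2, ntphost1, ...) are written
    only when given; that the sensor tolerates their absence is an assumption."""
    check_password_policy(admin_password)
    validate_inline_choice(model, mode, mngmtintf, inline_if1, inline_if2)
    for addr in (ipaddr0, netmask0, defroute, ip_central):
        ipaddress.IPv4Address(addr)             # raises ValueError on a malformed address
    digest = hash_admin_password(admin_password)
    values = {"admin_pass": digest, "admin_pass2": digest, "mngmtintf": mngmtintf,
              "ipaddr0": ipaddr0, "netmask0": netmask0, "defroute": defroute,
              "hostname": hostname, "ip_central": ip_central, "crypto": crypto,
              "Mode": mode, "Inline_if1": inline_if1, "Inline_if2": inline_if2}
    values.update(optional)
    unknown = set(values) - set(KEY_ORDER)
    if unknown:
        raise ValueError(f"not a documented nfr_ida.cfg key: {sorted(unknown)}")
    # One key=value per line, no comments and no blank lines, as the guide requires.
    return "".join(f"{key}={values[key]}\n" for key in KEY_ORDER if values.get(key) is not None)


def parse_nfr_ida_cfg(text: str) -> dict:
    """Read a file taken from an installed sensor so its values can be edited for a new one."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.lstrip().startswith("#") or "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value; comments are not permitted")
        key, _, value = line.partition("=")      # split on the first '=' only
        entries[key.strip()] = value.strip()
    return entries


if __name__ == "__main__":
    # Constructed sample values (TEST-NET addresses), not a real deployment.
    cfg = build_nfr_ida_cfg("200C", "Tr0ub4dor-Xy", "em0", "192.0.2.10", "255.255.255.0",
                            "192.0.2.1", "sensor01", "192.0.2.20", "passphrase",
                            mode="inline fail-passthrough", inline_if1="em2", inline_if2="em3",
                            ntphost1="192.0.2.30")
    print(cfg, end="")
```

Redirect the output to nfr_ida.cfg on the VFAT disk. Because the digest is unsalted SHA-1, it is only as strong as the plaintext behind it and can be brute-forced quickly if the disk is lost, which is why the guide's complexity warning matters.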


Installing and Initially Configuring IPS-1 Power Sensors

The IPS-1 Power Sensor is specifically designed for critical high-bandwidth network security applications. It delivers enterprise-class features with high data rate capabilities. Currently, throughput is 4 Gbps, with the intent to increase throughput in the near future.

For power requirements for the IPS-1 Power Sensors, see “IPS-1 Sensor and Power Sensor Power Requirements” on page 30.

There are two configurations of the IPS-1 Power Sensor:

• IPS-1 Power Sensor 1000: Data rates up to 1 Gbps inline and 2 Gbps passive

  • 1 x 2U chassis

  • Seven processors

  • 2 x 4-port 10/100/1000 interface module with hardware bypass

  • Redundant AC power supplies and 36 GB SCSI disks in RAID 1

• IPS-1 Power Sensor 2000: Data rates up to 2 Gbps inline and 4 Gbps passive

  • 2 x 2U chassis

  • Fifteen processors

  • 2 x 4-port 10/100/1000 interface module with hardware bypass

  • Two redundant AC power supplies and 36 GB SCSI disks in a RAID configuration

Each IPS-1 Power Sensor chassis is a 2RU box and is delivered with mounting brackets for 19-inch racks.

Rack Mounting

• Use a Phillips screwdriver to attach the rack mount brackets to the IPS-1 Sensors.

• Place the chassis into position between the rack posts and align the mounting bracket holes with the rack-post holes.

• Attach the E Series rack mount brackets to the rack.


Connecting Power

• Connect the power cords to the receptacles on the power supply at the rear of the appliance.

• Connect the other end of the cords to the electrical outlets.

Connecting to the Management Console

See the section "Accessing the Management Console via Serial Port" at the beginning of Chapter 4 of the Check Point IPS-1 Configuration and Administration Guide.

IPS-1 Power 1000

Figure 1-8 IPS-1 Power Series 1000

IPS-1 Sensor ES1000 has one 10/100 Mbps Ethernet interface on the front for management and eight 10/100/1000 Mbps copper interfaces for monitoring. The monitoring interfaces are paired for inline operation.

Plug the network cable from the IPS-1 Alerts Concentrator management network into the interface on the front. When operating the ES sensor in passive/IDS mode, all eight interfaces on the back can be used to monitor network traffic. Plug the network cable(s) from the monitored network(s) into these interfaces. In inline modes - bridge, fail-severed or fail pass-through - the interfaces are paired horizontally (for example, s1.e0 with s1.e1 as one pair and s1.e2 with s1.e3 as another) to connect the sensor to the monitored network. Plug the network cables from the monitored network into the interface pairs.


Out-of-Band 10/100 Ethernet Management Port

The 10/100 management port is an MDI RJ-45 Ethernet port. To connect to a hub or switch, use a standard straight-through Ethernet cable. To connect directly to a laptop NIC, use a crossover cable.

• Attach your management connection to the RJ-45 jack of the 10/100 out-of-band management port at the front of the IPS-1 Series, as shown in the diagram above.

• Verify that the Link LED on the Ethernet port is green, indicating a proper connection.

Figure 1-9 Back View

Figure 1-10 Accessories

Connecting the Network Cables

Follow these steps to connect the fiber interface module located at the rear of the IPS-1 Series.


• Insert the SFP module into the SFP receptacle on the fiber interface module until the tabs lock into place. For proper placement, the key slots on the SFP module must be on the bottom.

• Remove the protective plug that may be attached to the SFP.

• Attach the fiber optic cable to the SFP port.

Software Installation

• The IPS-1 Power Sensors come pre-installed. These instructions are to be used either to reinstall the software or to install a future version of the software.

• Installation of the IPS-1 software on the IPS-1 Series platform can be accomplished through manual or automated installation. Manual installation is designed for individual imaging from the local hard drive or an external file server, as well as for all non-manufacturing-time installation situations.

Manual Installation

The manual installation process is interactive. Any installation or re-installation must be performed through the system's BOOTROM interface. You can perform a manual installation from distribution files resident in one of two locations: the hard drive's local distribution partition (LDP), or an external file server (FTP/HTTP/NFS) reached through the system's management port.

Local Distribution Partition (LDP)

A local distribution partition (LDP) can be used to perform a local reinstallation, avoiding the need for external media or servers. The LDP contains the complete file set required for a re-installation, so if a file or partition becomes corrupt there is no need for an external server or CD; the installation can be executed directly from the LDP.

Network-Based Installation

To perform a network-based software installation, an external server hosting the relevant software packages is required. This server needs to offer one of the following services:

• FTP (File Transfer Protocol)

• NFS (Network File System)-mounted directories containing the packages

• HTTP (Hyper Text Transfer Protocol)

None of these transports authenticates the server or protects the image in transit, so host the distribution on a server that is reachable only from the sensor's management network.


Booting a Rescue Image

In all cases, software installations must be initiated by entering the BOOTROM and booting the rescue image. In a few rare cases, the local rescue image may be unavailable or too old to properly install the latest software release. In these cases, it is necessary to obtain an updated rescue image and use the BOOTROM menu to TFTP-boot this rescue image from a networked TFTP server, with the help of Check Point Customer Support.

Manual Installation Process

• If you have configuration information resident on your current system that you would like to keep, record it before continuing, as it is overwritten during reinstallation.

• Download the distribution tar file to a local FTP, NFS, or HTTP server. Be sure to properly configure the FTP, NFS, or HTTP software on your system. (Configuration is beyond the scope of this document. See your System Administrator.)

• Extract the tar file into a unique directory on the installation server, in a location accessible through the service (see above) you are using.

• Log into the IPS-1 Power Sensor.

• Reboot the IPS-1 Power Sensor.

• As the unit is rebooting, press "Esc-Esc" at the BOOTROM Menu prompt. Enter your BOOTROM password. If you have never set the BOOTROM password, press Enter at the password prompt.

Note - With no BOOTROM password set, anyone with console access can reach this menu and reinstall the appliance, so set one before the sensor goes into service.

• You will now see the BOOTROM menu.

• Select option "4" (boot in Rescue Mode) to boot into rescue mode.

• At the rescue image, select option "2" (re-install System - manual) to begin the interactive step-by-step installation procedure.

• Once the installation has completed, the system will reboot twice.

• Once the second reboot is complete, the system displays a prompt for you to log in and begin the initial setup of the system. Factory-fresh systems are typically shipped ready to boot at this point.

• Log in (the initial ID and password are displayed on this first boot) and answer the questions as prompted by the system.


• Once the initial configuration is complete, the system must be rebooted one last time. Following the final reboot, the system is completely ready for final configuration and use.

Initial Configuration

To complete initial setup and configuration, log in to the IPS-1 Power Sensor at the login prompt. The username is nfr and the initial password is password. You will be presented with a series of screens that need to be filled out.

• Set a new, robust password.

• Set Date and Time. When setting the time, you must always use UTC (GMT) time. Do not use local time. You can optionally configure the IPS-1 Sensor to use an NTP server.

• Network Configuration: Enter the IPS-1 Power Sensor's name, domain, and addressing information. Also be sure to add the IP address and encryption key for one or two IPS-1 Alerts Concentrators. Note that the value of the "SensorName" field must exactly match the name (including case) you use when adding this IPS-1 Sensor on the IPS-1 Server or IPS-1 Management Dashboard. Do not include the "Domain Name" field.

Note - The IPS-1 Power Series appliances use an internal network between their components. This address is pre-configured as 10.10.10.0/24. If this conflicts with your network addressing (for example, the IPS-1 Alerts Concentrator or the sensor is in a network with that same address), you must reconfigure the internal network address. To do so:

1. Log in to the IPS-1 Power Series appliance as user ‘admin’. The password is the same as that of the ‘nfr’ user.

2. At the prompt, type configure system

3. At the next prompt, type set mccp subset address <address>, where <address> is an unused /24 network address (for example, 192.168.1.0).
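A way to check the internal network address for collisions before changing it, as an added example that is not from the guide or the appliance's own software. The guide only names the Alerts Concentrator and the sensor's own network as conflict sources; this helper extends that rule to every address the sensor is configured to reach (management network, both Alerts Concentrators, default route, NTP hosts) and picks the first candidate /24 that overlaps none of them. The candidate ranges, the extended rule and the TEST-NET sample addresses are this example's own assumptions.

```python
"""Pick an internal /24 for the IPS-1 Power Sensor that does not collide with your addressing.

Added example; not from the Check Point guide. The Power Series appliance pre-configures
10.10.10.0/24 for the network between its internal components, and the guide says to change it
when the IPS-1 Alerts Concentrator or the sensor itself lives in that network. The candidate
ranges and the "check every configured address" rule below are this example's own.
"""
import ipaddress

DEFAULT_MCCP_NET = ipaddress.ip_network("10.10.10.0/24")


def as_network(value: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d' (one host), 'a.b.c.d/nn' or 'a.b.c.d/netmask' (a whole network)."""
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)   # host bits allowed, e.g. 10.10.10.5/24
    return ipaddress.ip_network(f"{value}/32")


def conflicts(internal_net: ipaddress.IPv4Network, addresses) -> list:
    """Return the configured addresses/networks that overlap the internal network."""
    return [a for a in addresses if internal_net.overlaps(as_network(a))]


def candidate_networks():
    """The default first, then RFC 1918 /24s: 192.168.1.0/24 upward, then 172.16.0.0/12."""
    yield DEFAULT_MCCP_NET
    for n in range(1, 255):
        yield ipaddress.ip_network(f"192.168.{n}.0/24")
    for net in ipaddress.ip_network("172.16.0.0/12").subnets(new_prefix=24):
        yield net


def pick_mccp_network(addresses) -> str:
    """Return the network address to give the guide's `set mccp subset address` command:
    the default if it is clean, otherwise the first candidate no configured address falls into."""
    for net in candidate_networks():
        if not conflicts(net, addresses):
            return str(net.network_address)
    raise RuntimeError("no candidate /24 is free of conflicts")


if __name__ == "__main__":
    # Constructed sample: the management network is 10.10.10.0/24, so the default collides.
    addresses = ["10.10.10.5/255.255.255.0",   # sensor management IP with its netmask
                 "10.10.10.1",                 # default route
                 "192.168.1.20",               # first Alerts Concentrator
                 "192.0.2.9"]                  # NTP host
    print(conflicts(DEFAULT_MCCP_NET, addresses))
    print(pick_mccp_network(addresses))
```

Feed the result to step 3 of the note above; the management network is passed with its netmask so that the whole segment, not just the sensor's own address, is tested for overlap.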


• Operation Mode. Set which mode you wish to use. More information about the modes can be found in “Modes” on page 63. The available modes are:

• Passive

• Inline-fail-passthrough

• Inline-fail-severed

• Inline Bridge

After the last screen is filled out, the IPS-1 Power Sensor will automatically reboot. When it comes back up, it should be fully operational. You can continue to access the IPS-1 Sensor from the serial console, or you can access the Management Menu via the management network interface with an SSH client as described earlier.
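A pre-flight check for the values entered on the screens above, added here as an illustration and not part of the appliance or Check Point's tooling. It models the three mistakes this section warns about: a clock not set to UTC, a SensorName that differs from the name used on the IPS-1 Server (case or domain suffix) and a management address that falls inside the pre-configured 10.10.10.0/24 internal network. The worksheet field names and the sample addresses are constructed for the example.

```python
"""Pre-flight check for IPS-1 Power Sensor initial configuration values.
Illustrative code only; the worksheet keys and sample values are constructed."""
import ipaddress

# The appliance's pre-configured internal component network (from the guide).
DEFAULT_INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")
VALID_MODES = {"passive", "inline-fail-passthrough", "inline-fail-severed", "inline-bridge"}


def internal_net_conflicts(internal_net: str, *hosts: str) -> list:
    """Return the management addresses (sensor, concentrators) that fall inside
    the internal network, i.e. the addressing clash the note warns about."""
    net = ipaddress.ip_network(internal_net, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) in net]


def check_sensor_name(sensor_name_file: str, dashboard_name: str, domain: str) -> list:
    """SensorName must equal the name used on the Server/Dashboard exactly,
    including case, and must not carry the domain suffix."""
    problems = []
    if sensor_name_file.lower().endswith("." + domain.lower()):
        problems.append("SensorName includes the domain; remove it")
    if sensor_name_file != dashboard_name:
        if sensor_name_file.lower() == dashboard_name.lower():
            problems.append("SensorName differs only in case; names are case-sensitive")
        else:
            problems.append("SensorName does not match the name used on the IPS-1 Server")
    return problems


def preflight(cfg: dict) -> list:
    """Collect every problem found in a worksheet dict; an empty list means ready."""
    problems = []
    if cfg.get("time_zone") != "UTC":
        problems.append("clock must be set to UTC, not local time")
    problems += check_sensor_name(cfg["sensor_name"], cfg["dashboard_name"], cfg["domain"])
    clash = internal_net_conflicts(cfg["internal_net"], cfg["sensor_ip"], *cfg["concentrator_ips"])
    if clash:
        problems.append(f"internal network {cfg['internal_net']} overlaps with {', '.join(clash)}")
    if cfg["mode"] not in VALID_MODES:
        problems.append(f"unknown operation mode {cfg['mode']!r}")
    if not 1 <= len(cfg["concentrator_ips"]) <= 2:
        problems.append("configure one or two IPS-1 Alerts Concentrators")
    return problems


# Constructed sample worksheet: the concentrator sits in 10.10.10.0/24, so the
# internal network must be moved (for example to 192.168.1.0/24 as the note suggests),
# and the dashboard name differs from SensorName in case.
SAMPLE = {
    "time_zone": "UTC",
    "sensor_name": "sensor01",
    "dashboard_name": "Sensor01",
    "domain": "example.com",
    "internal_net": "10.10.10.0/24",
    "sensor_ip": "192.0.2.15",
    "concentrator_ips": ["10.10.10.40"],
    "mode": "inline-fail-severed",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print("-", problem)
```

Run it against your own worksheet before the final reboot; fixing the two reported items (matching case on the dashboard name and moving the internal network to a free /24) makes `preflight` return an empty list.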

Chapter 2 Setting Up IPS-1 Functionality

In This Chapter

Overview page 46

Starting the IPS-1 Alerts Concentrator and IPS-1 Server page 47

Logging into the IPS-1 Management Dashboard page 48

Adding IPS-1 Alerts Concentrators page 49

Configuring User Accounts page 55

Adding IPS-1 Sensors page 57

Restarting an IPS-1 Sensor page 59

Overview

This chapter describes the basic post-installation tasks that need to be performed to finish configuring your IPS-1 systems. The tasks are:

• Starting the IPS-1 Alerts Concentrator and IPS-1 Server.

• Connecting the IPS-1 Management Dashboard and IPS-1 Server to the IPS-1 Alerts Concentrator and all sensors.

• Configuring packages and backends, and then mirroring the new settings out to the sensors.

You use the IPS-1 Management Dashboard and IPS-1 Server to administer sensors through IPS-1 Alerts Concentrator, which manages sensor configurations and stores alert and event data.

Proxy Servers

For IPS-1, proxy server functionality is streamlined for ease of use. If your network uses proxy servers, check the Use proxy box that appears in the initial IPS-1 Management Dashboard login and in the Installing and Updating Packages/Backends functions. The proxy server information will vary depending on your organization's configurations.

You must know your proxy information to complete the required proxy server fields. For more information, see your system administrator.

Note - For IPS-1 5.0, Check Point Security supports:

• Digest/Basic/Plain Proxy between the IPS-1 Server and the IPS-1 Alerts Concentrator; the IPS-1 Alerts Concentrator proxy is independently configurable.

• Basic/Plain/Digest Proxy between the IPS-1 Management Dashboard and the IPS-1 Server.

Users should note that Check Point Security ONLY supports Digest Proxy authentication between the IPS-1 Management Dashboard and the IPS-1 Server over HTTP, NOT HTTPS, due to a flaw in Sun's Java code.

Starting the IPS-1 Alerts Concentrator and IPS-1 Server

How to start IPS-1 Alerts Concentrator and IPS-1 Server

1. Log in to the IPS-1 Alerts Concentrator host as the Server administrator, which is nfr by default.

2. If you have installed only one of the two components, running sentivist.sh start will start the installed component's database and then bring up the Server itself.

3. If you have installed both on one host (a combo box), run ./sentivist.sh start. The script will start the database, the IPS-1 Alerts Concentrator and the IPS-1 Server in the proper order, without any additional user interaction.

4. If IPS-1 Alerts Concentrator and IPS-1 Power Sensor are on opposite sides of a firewall, you must open port 1968 bi-directionally to enable communications between them.

Logging into the IPS-1 Management Dashboard

After starting the IPS-1 Server, start the IPS-1 Management Dashboard. To start the IPS-1 Server, in the IPS-1 Server installation directory, type sh sentivist.sh start. Then follow these steps to log into the IPS-1 Management Dashboard for the first time:

1. On a Windows system, launch IPS-1 Management Dashboard from Start > All Programs > Check Point IPS-1 Management Dashboard.

2. On a Linux or Solaris system, launch the IPS-1 Management Dashboard from a command prompt by typing the full path to the IPS1Dashboard.bin executable. Assuming that you installed the IPS-1 Management Dashboard in a subdirectory named /opt/Check Point/IPS-1, you would type:

/opt/Check Point/IPS-1/IPS1Dashboard.bin

3. At first login, the License Manager dialog appears. Add the appropriate Check Point IPS-1 Product licenses. The Setup Policies dialog will appear.

4. Add servers and sensors to configure the IPS-1 System following the provided directions.

Note - The IPS-1 Management Dashboard is a graphical application and requires a graphical desktop environment such as Gnome or KDE (on Linux), CDE or OpenWin.

Note - The Set Up Policies screen will only appear when the application is first installed.

Adding IPS-1 Alerts Concentrators

The next step is to identify all the IPS-1 Alerts Concentrators in the system. You must add at least one IPS-1 Alerts Concentrator to the system before proceeding. However, the system will not be fully functional until ALL IPS-1 Alerts Concentrators have been added.

How to add an IPS-1 Alerts Concentrator

1. From the Setup Policies dialog in the previous section, click the New button.

2. In the New IPS-1 Alerts Concentrator dialog box, enter the requested information.

Figure 2-1 New IPS-1 Alerts Concentrator dialog box

• The IPS-1 Alerts Concentrator Name should match the name assigned to this IPS-1 Alerts Concentrator. No problems result from a mismatch in this instance, but consistent naming is a good practice.

• The Management Interface Port should normally be 2010. However, if special configuration, such as SSH port forwarding, is required to establish communications between the IPS-1 Server and IPS-1 Alerts Concentrator, this port number can be adjusted as well.

• The IPS-1 Alerts Concentrator IP address should be the IP address of the IPS-1 Alerts Concentrator's management interface as reachable from the IPS-1 Server. DNS names are supported; however, it is generally considered better practice to enter an IP address here. This ensures continued functioning of the IPS-1 System in the event of malfunctioning and/or compromised DNS servers.

• The Tap Port (default=45678) is only used when communicating with older IPS-1 Servers (versions less than 5.0) and does not support proxy communications. When connecting to a version 5.0 (or newer) IPS-1 Alerts Concentrator, this setting is ignored; all communications take place through port 2010 and the optional proxy server.

• The IPS-1 Alerts Concentrator Username must be the name of a user account that has full privileges on that IPS-1 Alerts Concentrator. The user will be unable to add this IPS-1 Alerts Concentrator to the IPS-1 Server unless this user account exists on the IPS-1 Alerts Concentrator and is unlocked.

• The IPS-1 Alerts Concentrator "Password" and "Confirm password" fields must be the correct password for the user account defined on the IPS-1 Alerts Concentrator.

• If a proxy server is required to reach the IPS-1 Alerts Concentrator from the IPS-1 Server, select the "Use Proxy" checkbox, and enter the necessary proxy information. The proxy username and password should be left blank if the proxy server does not require authentication.

• The Receive Alerts radio button should normally be "on". This enables the bridge connection between the IPS-1 Server and the IPS-1 Alerts Concentrator so alerts are received from the Alerts Concentrator. It is important to note that multiple IPS-1 Alerts Concentrators can connect to an IPS-1 Server.

Note - New for IPS-1 5.0, the IPS-1 Management Dashboard no longer communicates directly with IPS-1 Alerts Concentrators. All IPS-1 Alerts Concentrator communications are directed through the IPS-1 Server. When entering connection and proxy information for an IPS-1 Alerts Concentrator, be sure to enter settings that will allow the IPS-1 Server to communicate with the IPS-1 Alerts Concentrator via HTTP on port 2010.

• The default setting ("Prefer this server...") for the Help Text lookups radio button is normally the appropriate setting. However, it may be desirable to turn it off for an IPS-1 Alerts Concentrator that has a slow network link to the IPS-1 Server. This may improve performance in the alert details screen by redirecting requests for help text to an IPS-1 Alerts Concentrator on a faster link. This setting is only a hint; a given IPS-1 Alerts Concentrator may be contacted anyway if there is no alternative (if, for example, none of the servers are "preferred" servers).

3. After all requested information is entered, click Ok. Default values are pre-entered; change them only if they were modified during the install.

4. Repeat the previous steps to add additional servers. When all servers are added, click Next.

You may also add Alerts Concentrators once IPS-1 Management Dashboard is launched by following these steps:

a. From the menu bar, select Management > Policies.

b. When the IPS-1 Policy Manager window appears, select the Server Configuration tab.

c. Use the tree in the left hand panel to navigate to the policy group where the Server is to be added.

d. Right click to bring up the drop down menu. Select New IPS-1 Alerts Concentrator. A dialog box will be displayed. Enter the requested information.

e. Select a location from which to import the packages to be installed on the sensors. It is recommended that the latest set of packages be downloaded from the Check Point package server (ips-packages.checkpoint.com) to ensure the network is fully protected. This is the default option.

f. If you have customized N-Code that must be preserved, or if there is no Internet connectivity for obtaining the latest packages, you may optionally import existing packages from an IPS-1 Alerts Concentrator or from a CD/file system by selecting one of the alternative options. When importing from a file system, it is sufficient to simply point to the parent directory of the desired packages. All packages within that directory will then be imported.

Note - The IPS-1 Server (not the Management Dashboard client) needs to be able to access ips-packages.checkpoint.com on port 2013 in order to pull packages directly. The packages server listens for update requests from IPS-1 Servers and sends down the appropriate data. It is NOT an HTTP server. Alternatively, a tarball (similar to a zip file) of the current packages is available from Check Point's support site. Regardless of how packages are imported, the settings for any pre-existing sensors will be preserved.
Importing Default Packages and Backends

1. Select the location from which to download the packages and backends:

• Package Server: The default value is Check Point's Package Server where you can get the most current packages and backends.

• Local File: This file is created by the user and downloaded to a selected site on his network.

• IPS-1 Alerts Concentrator: Selection of this option will download packages and backends that are on the selected Server.

• Skip Download: This selection will skip the packages and backends download.

Fill in the appropriate information for the Package Server:

• Server Address: Default address for the Check Point package server (ips-packages.checkpoint.com)

• Server Port: 2013

If the Use Proxy box is checked, fill in the appropriate information. You must know the information for the following.

• Address: Your proxy address

• Port: Port number of your proxy

• User Name: Your user name

2. Click Next to start the packages download process.

3. After the download is complete, the new packages that were found will be displayed in a tree in the left-hand pane of the dialog, along with their associated backends. You may click on a particular package or backend to view detailed information regarding its contents. The package/backend details are shown in the right-hand pane. One or more packages may have checkmarks next to them. Only the selected packages will be installed into the IPS-1 Server; unmarked packages will not. Be sure to check all packages to be installed/upgraded before continuing. When satisfied with the selections, click Next to install the selected packages.

4. Enter the connection information that will be used to perform automatic updates of package/backend information from the Check Point Package Server. Skip this step if automatic updates are not a preferred option.

Otherwise, specify valid connection settings for the Check Point Package Server if the settings are not already entered here. If a proxy server is used, enter necessary settings. Click Next.

5. The Schedule Automatic Updates dialog appears.

There are six options:

• Disabled: disables automatic updates

• One Time: updates packages and backends one time only

• Twice Daily: updates packages and backends twice daily

• Once Per Day: updates packages and backends once per day

• Once Per Week: updates packages and backends once per week

• Once Per Month: updates packages and backends once per month

Select a frequency for updating your packages and backends. A dialog window will appear.

Set the time for the update to occur. Depending on what update frequency was selected, the time and date will vary. Click Next.

6. There may be a pause as the IPS-1 Server imports existing sensor settings for the packages and backends just installed. If this operation requires more than a few seconds, a status display will appear indicating the progress of the import. Upon completion of the import, a warning dialog may be presented if potential issues were encountered. One common cause of warnings is a pre-existing sensor that has packages installed on it which have not been installed in the IPS-1 Server. If you intend to remove these packages from the sensor, you may safely proceed. Otherwise, you may want to return to the previous step and install those packages on the IPS-1 Server, so the sensor settings for that package are preserved.

Note - When in doubt, it is better to install and then disable a package than to leave it uninstalled. The sensor's performance will be unaffected, but its configuration will indicate that the package is deliberately disabled instead of being merely ignored. Enabling/disabling packages is accomplished using Policy Manager. See Chapter 3 in the Check Point IPS-1 Configuration and Administration Guide for more information. Some backends, such as those in the Badfiles and Authentication packages, depend on other packages being present in order to work. Other packages have cross-dependencies; notably MSRPC and SMB, which rely on each other.

Note - Imported packages may contain potential problems; a warning dialog may appear upon completion of the import. Make a note of the warnings, but otherwise proceed normally. If a serious error occurs instead of a warning, you will not be allowed to proceed to the next step until the error is corrected.
7. The final step in the setup process is to configure user accounts. By default, the single ‘nfr’ administrative user already exists. Follow the directions in the next section to configure user accounts.

Configuring User Accounts

Once the task of installing packages and backends for the first time is completed, user accounts must be set up. Follow these steps to set up user accounts.

How to Configure User Accounts

1. Click New.

2. An Add New User dialog will appear. Fill in the appropriate information for the new user. At a minimum, a username and password must be supplied. Click Ok.

• The Username and Password will be the values that are entered for the user to login to the IPS-1 Management Dashboard.

• The Full Name and Description fields are optional and used to provide administrators with additional notes regarding the user.

• The Connect Retries field controls how many times the user can consecutively enter a bad password before the account is locked.

• The Role (admin or normal) controls whether or not the user has permission to edit policy settings.

• The Restart Sensor checkbox allows non-admin users to restart selected sensors.

• The Audit View checkbox allows users with a normal role to see audit alerts.

• The Show Alerts from all sensors checkbox overrides the individual sensor access settings and allows non-admin users to see alerts from all sensors regardless of whether or not they have permissions for a specific sensor.

• The sensor access tree allows control over which sensors the user can access. Unchecked sensors cannot be restarted by the user, and the user will not see alerts from them (unless "show all alerts" is checked).

Note - For non-admin users, sensors for which the user does not have permissions will not appear in Policy Manager, the Alert Browser, Timelines, System Status, etc., which provides adequate security for the majority of installations. However, note that the graphs window (which displays raw counts of alerts) may still include counts of alerts from these IPS-1 Sensors. Also note that any third-party tool which directly accesses the database, such as Crystal Reports®, will ignore these application-level settings.

Figure 2-2 Add New User

3. You may optionally add more users here, or simply click Finish.

Note - For more detailed information on use of policies, refer to Chapter 3 "Managing Packages and Backends" of the Check Point IPS-1 Configuration and Administration Guide.
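The permission rules listed in this section, modelled as a small access-control check. This is added illustrative code, not Check Point's implementation: the User and Alert records and the sample accounts are constructed, and the treatment of audit alerts (gated by the Audit View flag alone) is an assumption of the model. It also records the caveat from the note above that this filtering is application-level only.

```python
"""Model of the IPS-1 Management Dashboard user-permission rules.
Illustrative code only; records and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str                                  # "admin" or "normal"
    allowed_sensors: frozenset = frozenset()   # checked entries in the sensor access tree
    restart_sensor: bool = False               # Restart Sensor checkbox
    audit_view: bool = False                   # Audit View checkbox
    show_all_alerts: bool = False              # Show Alerts from all sensors checkbox


@dataclass(frozen=True)
class Alert:
    sensor: str
    audit: bool = False                        # True for audit alerts


def can_edit_policy(user: User) -> bool:
    """Only the admin role may change policy settings."""
    return user.role == "admin"


def can_restart(user: User, sensor: str) -> bool:
    """Admins may restart any sensor; a normal user needs the Restart Sensor
    flag and the sensor checked in the access tree.  Show Alerts from all
    sensors grants visibility only, never restart rights."""
    if user.role == "admin":
        return True
    return user.restart_sensor and sensor in user.allowed_sensors


def can_see_alert(user: User, alert: Alert) -> bool:
    """Alert Browser filtering for one alert.  Audit alerts are gated by the
    Audit View flag (assumption: not additionally by sensor access); other
    alerts need sensor access unless Show Alerts from all sensors is set."""
    if user.role == "admin":
        return True
    if alert.audit:
        return user.audit_view
    return user.show_all_alerts or alert.sensor in user.allowed_sensors


def visible_alerts(user: User, alerts) -> list:
    """What the Alert Browser would show.  This is application-level filtering:
    the guide notes that the graphs window may still count alerts from hidden
    sensors and that tools querying the database directly bypass it."""
    return [a for a in alerts if can_see_alert(user, a)]


if __name__ == "__main__":
    analyst = User("analyst", "normal", frozenset({"sensor01"}), restart_sensor=True)
    feed = [Alert("sensor01"), Alert("sensor02"), Alert("sensor01", audit=True)]
    print(len(visible_alerts(analyst, feed)), "of", len(feed), "alerts visible to analyst")
```

The point worth checking in a real deployment is the last function's docstring: anyone with direct database credentials (for example a reporting tool) sees every sensor regardless of these settings, so database access should be restricted independently of dashboard roles.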

Adding IPS-1 Sensors

You must be logged into the IPS-1 Management Dashboard with administrative privileges to perform the following steps.

How to add IPS-1 Sensors

1. From the menu bar, select Management > Policies. When the IPS-1 Policy Manager window appears, there will be three tabs. Select the Server Configuration tab. You will see the list of all IPS-1 Servers, and the sensors managed by each IPS-1 Alerts Concentrator.

2. To add new sensors to the system, right click on the name of the IPS-1 Alerts Concentrator to which the sensor will be added. From the drop-down menu, select Add New Sensor. The Add New Sensor dialog will appear. Provide the requested information. There are two options: you can add a new sensor or add an existing sensor.

a. Add New Sensor to (server name)

Figure 2-3 Add New Sensor

Note - The following procedure requires you to enter IPS-1 Sensor configuration information. Refer to the worksheet in “IPS-1 Sensor Configuration Variables” on page 69.

b. Add the new IPS-1 Sensor name, the Host/IP address, IPS-1 Sensor class, and password information. Leave the License field blank for the moment. Click Ok. You will now see the new IPS-1 Sensor in the tree. Click Apply. A dialog window will appear indicating the changes have been saved and a transmit is now in progress.

Restarting an IPS-1 Sensor

There will be occasions when you might want to restart/reboot your sensor, such as after network configuration changes. You may restart your IPS-1 Sensors through the IPS-1 Management Dashboard by following these directions.

How to restart an IPS-1 Sensor

1. From the menu bar, select Management > Policies. When the IPS-1 Policy Manager appears, select the Server Configuration Tab.

2. Use the tree in the left hand panel to navigate to the selected IPS-1 Sensor or IPS-1 Alerts Concentrator.

3. Right click on the name of the IPS-1 Sensor or IPS-1 Alerts Concentrator to bring up the drop-down menu. There are two choices:

• If a server is selected and right clicked:

• Select Restart Sensors to shut down and restart only the sensor packet detection software.

• Select Reboot Sensors to shut down and restart both the IPS-1 Sensor detection software and the operating system.

• If a sensor is selected and right clicked:

• Select Restart (Name of Sensor)…

• Select Reboot (Name of Sensor)…

Follow the prompts for selected options.

Note - Rebooting the sensors will generate a dialog indicating the time it will take to reboot. Restarting the sensors will generate no dialog display. For both options, click Close or Apply at the end of the task.

Chapter 3 About Prevention with IPS-1 Sensor

In This Chapter

Overview page 62

Modes page 63

Prevention Quick Configuration page 64

Prevention Configuration page 65

Blacklisting page 66

Tuning the Sensor page 67

Overview

The IPS-1 Sensor and IPS-1 Power Sensor were designed so that all packets that traverse the sensor running in IPS Inline mode are explicitly verified not to contain any known intrusion vectors before the packet is passed back onto the network.

Modes

The IPS-1 Sensor can operate in four different modes. The modes can be set from the appliance's management menu or from the IPS-1 Alerts Concentrator. See “IPS-1 Alerts Concentrator Commands” in the IPS-1 Administration Guide.

The modes are:

• Inline Bridging: Inline bridging is a special mode in which the IPS-1 Sensor will return packets to the network before processing for attacks. In this mode, the sensor will never discard or drop a packet; it acts as a repeater to the network and a pass-through Intrusion Detection device to the administrator.

• Inline Fail-passthrough: A fail-passthrough IPS-1 Sensor processes all packets for attacks until a fault occurs. While the fault is present, and the sensor cannot process packets for attacks, the sensor will temporarily act like a bridge and forward those packets onto the network unprocessed. The sensor will resume processing packets for attacks upon resolution of the fault. The fault conditions are:

• the sensor has not completed booting and initialization

• the initially mirrored packages have not yet been compiled, or are compiling.

• when the sensor loses power (with optional Interface Masters NIC)

• when the sensor has a hardware failure (with optional Interface Masters NIC)

• when the sensor has crashed (with optional Interface Masters NIC)

• Inline Fail-severed: A fail-severed IPS-1 Sensor acts just like a fail-passthrough sensor, except that the packets are dropped if any faults occur. This is the most secure sensor mode since no packets can be checked for attacks while a fault condition exists.

• Passive: The IPS-1 Sensor can also act as a traditional passive intrusion detection system, with each non-management interface available to monitor a span port or hub.

Note - When the inevitable network glitch or outage occurs, you may be concerned that the sensor is the culprit. To rule it out, place the sensor into bridging mode where all the packets are bridged immediately before processing them for attacks. Again, a bridging IPS-1 Sensor will pass all packets with minimal delay (microseconds), regardless of packet contents.

Prevention Quick Configuration

Make sure the attack package and the attack/prevention backend are enabled and mirrored to the IPS-1 Sensor. A default set of attacks to prevent has been supplied and enabled by default in attack/prevention's IPS_ATTACKS user-configurable list. The default set was chosen for relevance and to minimize false positives, but it may be prudent to look them over to make sure none are known false positives in your particular environment.

Note - Any absolutely critical servers should be added to the attack/prevention's WHITELIST_SERVERS variable to prevent IPS from dropping any packets to those servers (even attacks). Then you can watch the traffic and determine the correct settings for your environment. This is similar to setting up inline bridging mode, on a per-IP basis.

Prevention Configuration

The attack/prevention backend contains the prevention logic and configuration. It ships with a list of attacks in the IPS_ATTACKS variable, which are prevented by default. This default list of prevented attacks was chosen from those alerts least likely to produce false positives on legitimate traffic. New attacks to prevent can be added to attack/prevention's IPS_ATTACKS variable by adding the name of the alert. Optionally, the administrator can add a confidence threshold. The sensor will use this, in conjunction with the accuracy (confidence index value) of the attack, to determine whether or not it will be blocked. New packages will be released in tandem with a new attack/prevention backend that contains an updated list of attacks to block.

Additional prevention logic exists in attack/prevention's IPS_IMPACTS variable. This allows the administrator to block attacks based on the effects of a successful attack. For example, an administrator can globally and generally block all attacks that lead to remote execution if the IPS-1 Sensor is more than 75% confident the attack is not a false positive. The IPS-1 Sensor classifies these attacks into eight groupings; each of which can be individually prevented:

• Admin access

• Code execution

• Data access

• Denial of service

• Information gathering

• Security violation

• User access

• Unknown

Sometimes servers absolutely must receive traffic (for contractual or other reasons), even if they are being attacked. Such servers can be "whitelisted" in the attack/prevention's WHITELIST_SERVERS variable. No attack-bearing packets will be prevented from reaching whitelisted servers; however, the attack will still be detected and an alert generated. Any network honeypots should also be placed in the server whitelist.

Like the whitelist of servers, the attack/prevention WHITELIST_CLIENTS variable contains a list of clients from which attacks are never prevented. This list is typically used only for personnel authorized to monitor vulnerabilities.

Blacklisting

The Check Point IPS-1 Sensor can optionally blacklist known attackers, preventing all traffic for a configurable period of time. The blacklisting follows the above prevention rules in IPS_ATTACKS and IPS_IMPACTS; when configured, any prevented attack will also blacklist the source of the attack. Both of the above whitelists will be excepted from blacklisting to prevent self-induced denial of service against the network infrastructure. It is also important to note that only attacks established over TCP connections are eligible for blacklisting. Other protocols are vulnerable to spoofing and would allow an attacker to cause the blocking of arbitrary hosts.

Tuning the Sensor

It is possible to tune the Check Point IPS-1 Sensor without the risk of introducing false positives blocking legitimate connections. The first step is to configure the sensor in "bridging" mode.

The second step is to enable the PREVENTION_NOTIFY variable in the attack/prevention backend. With this variable set, the sensor will send an additional alert (called attack_prevention: prevented_alert) whenever the IPS would have blocked a packet had it not been in bridging mode. Remember that by default, the IPS-1 Sensor has been configured to block attacks where the risk of false detection is low.

The third step is to watch for the prevented_alerts. Each of these notification alerts will name the attack that would have been blocked had the sensor not been bridging. From here, each type of attack should be investigated to determine if it is a false positive. If one of the attacks appears to be a false positive, the administrator should look at the tuning documentation in the backend that detected the attack. If the attack accuracy cannot be safely determined, the administrator should consider removing the falsely detected attack from the attack/prevention's IPS_ATTACKS prevention rules.
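The following is an added illustration, not Check Point's code, of how the Prevention Configuration, Blacklisting and tuning passages above fit together: the attack/prevention variables are modelled as Python data, and decide() applies the IPS_ATTACKS and IPS_IMPACTS thresholds, the two whitelists, the TCP-only blacklisting rule and the bridging-mode PREVENTION_NOTIFY behaviour, while tuning_report() tallies the prevented_alert notifications from step three. The alert names and addresses are constructed, and the comparison "confidence index >= threshold" is an assumption (the guide does not state whether the threshold is inclusive).

```python
"""Decision model for IPS-1 Sensor attack prevention, blacklisting and the
bridging-mode tuning notification. Added illustration, not Check Point code:
the attack/prevention backend variables are modelled as Python data, and an
attack is assumed to qualify when its confidence index is >= the threshold."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# IPS_ATTACKS: alert name -> optional confidence threshold (percent).
# None means the attack is prevented whenever it is detected.
IPS_ATTACKS = {
    "example_rpc_overflow": None,   # constructed alert name
    "example_cgi_traversal": 90,    # constructed alert name
}
# IPS_IMPACTS: impact grouping -> threshold, e.g. block every attack that
# leads to code execution once the sensor is at least 75% confident.
IPS_IMPACTS = {"Code execution": 75, "Admin access": 75}
WHITELIST_SERVERS = {"10.0.0.5"}   # constructed: server that must keep receiving traffic
WHITELIST_CLIENTS = {"10.0.9.9"}   # constructed: host authorised to monitor vulnerabilities
BLACKLIST_ENABLED = True           # blacklist the source of every prevented attack
PREVENTION_NOTIFY = True           # send prevented_alert while in inline bridge mode
IMPACT_GROUPS = {"Admin access", "Code execution", "Data access", "Denial of service",
                 "Information gathering", "Security violation", "User access", "Unknown"}


@dataclass(frozen=True)
class Alert:
    name: str
    impact: str        # one of IMPACT_GROUPS
    confidence: int    # confidence index, 0-100
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp", ...

    def __post_init__(self):
        if self.impact not in IMPACT_GROUPS:
            raise ValueError(f"unknown impact grouping: {self.impact}")


def matching_rule(alert: Alert) -> Optional[str]:
    """Name the IPS_ATTACKS or IPS_IMPACTS entry that calls for blocking, or None."""
    if alert.name in IPS_ATTACKS:
        threshold = IPS_ATTACKS[alert.name]
        if threshold is None or alert.confidence >= threshold:
            return f"IPS_ATTACKS:{alert.name}"
    threshold = IPS_IMPACTS.get(alert.impact)
    if threshold is not None and alert.confidence >= threshold:
        return f"IPS_IMPACTS:{alert.impact}"
    return None


def decide(alert: Alert, mode: str) -> Tuple[str, bool, str]:
    """Return (action, blacklist_source, reason) for one detected attack.

    action is "alert" (detected only), "block", or "prevented_alert" (the
    attack_prevention notification emitted in bridge mode with PREVENTION_NOTIFY).
    """
    rule = matching_rule(alert)
    if rule is None:
        return ("alert", False, "no prevention rule matched")
    # Whitelists override every prevention rule; detection and alerting continue.
    if alert.dst in WHITELIST_SERVERS:
        return ("alert", False, f"{rule} suppressed: destination in WHITELIST_SERVERS")
    if alert.src in WHITELIST_CLIENTS:
        return ("alert", False, f"{rule} suppressed: source in WHITELIST_CLIENTS")
    if mode == "passive":
        return ("alert", False, f"{rule} not enforced in passive mode")
    if mode == "inline bridge":
        action = "prevented_alert" if PREVENTION_NOTIFY else "alert"
        return (action, False, f"{rule} would block; sensor is bridging")
    # inline fail-severed / inline fail-passthrough: the packet is blocked.
    # Blacklisting follows only a real block and only for TCP, since spoofable
    # protocols would let an attacker get arbitrary hosts blacklisted.
    blacklist = BLACKLIST_ENABLED and alert.proto == "tcp"
    return ("block", blacklist, rule)


def tuning_report(alerts, mode: str = "inline bridge") -> Counter:
    """Tuning step 3: count prevented_alert notifications per attack name so each
    can be checked for false positives before prevention is switched on."""
    return Counter(a.name for a in alerts if decide(a, mode)[0] == "prevented_alert")
```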

The administrator can enable attack prevention once he is suitably confident in the accuracy by changing the operating mode to either "inline fail-severed" or "inline fail-passthrough."

In the generic IDS mode (passive) the policy package contains a list of firewall-like rules that alert when a policy violation occurs. The policy package has been extended for the IPS-1 Sensor to not only monitor for site security policy conformance but to optionally enforce that policy.

In prior versions, each of the policy's firewall-like rules could have one or more actions when a match occurs: OK or ALERT. Two more actions have been added for the sensor: DROP or REJECT. When a packet matches a DROP rule, the packet and its connection will be dropped and the IPS will generate an alert. Likewise packets matching a REJECT rule will be dropped, an alert will be generated, and a TCP reset will be sent back to the source to notify them that their connection was rejected. The DROP and REJECT rules will be considered to be the same as ALERT rules when in passive mode.
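An added example, not the policy backend itself, of how the four rule actions behave across operating modes: a minimal first-match evaluator over firewall-like rules, where DROP and REJECT enforce only in the two blocking inline modes and fall back to ALERT otherwise. The rule fields (source, destination, protocol, destination port), the first-match ordering and the constructed site policy are assumptions for illustration.

```python
"""Policy-package rule actions (OK, ALERT, DROP, REJECT) and how the sensor's
operating mode changes what they do. Added example, not Check Point's policy
backend: rule fields and first-match ordering are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# DROP and REJECT enforce only in these modes. In passive mode they behave like
# ALERT; inline bridge mode forwards all traffic too (Appendix B), so it is
# treated the same way here.
ENFORCING_MODES = {"inline fail-severed", "inline fail-passthrough"}


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None for any
    action: str           # "OK", "ALERT", "DROP" or "REJECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def in_network(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_network(pkt.src, rule.src) and in_network(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    return next((r for r in rules if matches(r, pkt)), None)


def enforce(rule: Rule, pkt: Packet, mode: str) -> dict:
    """Translate the matched action into what the sensor does in this mode."""
    action = rule.action
    if action in ("DROP", "REJECT") and mode not in ENFORCING_MODES:
        action = "ALERT"  # the violation is alerted, nothing is blocked
    return {
        "alert": action != "OK",
        "drop": action in ("DROP", "REJECT"),
        # REJECT also sends a TCP reset to the source; assumed meaningful only
        # for TCP, since the page does not say what REJECT does for other protocols.
        "tcp_reset": action == "REJECT" and pkt.proto == "tcp",
    }


POLICY = [  # constructed site policy: 10.0.1.0/24 is the server LAN
    Rule("10.0.0.0/8", "10.0.1.0/24", "tcp", 22, "OK"),     # internal admins may ssh to servers
    Rule("any", "10.0.1.0/24", "tcp", 23, "REJECT"),        # telnet to servers is rejected
    Rule("any", "10.0.1.0/24", "tcp", 445, "DROP"),         # SMB to servers is dropped
    Rule("any", "10.0.1.0/24", "any", None, "ALERT"),       # any other access to servers is logged
]


def evaluate(pkt: Packet, mode: str, rules: List[Rule] = POLICY) -> dict:
    """Apply the first matching rule; traffic matching no rule passes silently."""
    rule = first_match(rules, pkt)
    if rule is None:
        return {"alert": False, "drop": False, "tcp_reset": False}
    return enforce(rule, pkt, mode)
```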

Appendix A

IPS-1 Sensor Configuration Variables

In This Chapter

IPS-1 Sensor Configuration Variable Definitions page 70

IPS-1 Sensor Configuration Variables Worksheet page 74

IPS-1 Sensor Configuration Variable Definitions

The following table identifies and defines the variables used to configure IPS-1 Sensor. The configuration variable name enclosed in parentheses is the name used in the nfr_ida.cfg file on the configuration diskette. The configuration variable name not enclosed in parentheses is the name displayed on the IPS-1 Sensor Management Menu.

Administrator Password (admin_pass), (admin_pass2)
    Definition: The password used to access the IPS-1 Sensor Management Menu.
    Comments: Must be between 1 and 40 characters. If you are using a text editor to create the configuration file, you must first encrypt the passwords. Refer to Linux's sha1sum program for assistance with encryption.

Name of this station (hostname)
    Definition: The IPS-1 Sensor's unique name.
    Comments: Must be between 1 and 30 characters. IPS-1 Sensor names can only consist of alphanumeric characters (no periods, dashes, etc.). The IPS-1 Management Dashboard will not allow other characters to be input, and the Server CLI will give an error.

Management Interface (mngmtintf)
    Definition: The IPS-1 Sensor's management NIC name. (This is the NIC used to connect to the IPS-1 Alerts Concentrator.)
    Comments: Must be em0, em1, em2, em3, fxp0, fxp1, fxp2, sk0, or sk1.

IP Address (ipaddr0)
    Definition: The IPS-1 Sensor's IP address.
    Comments: Enter in dotted quad format (nnn.nnn.nnn.nnn).

Network Mask (netmask0)
    Definition: The IPS-1 Sensor's IP address network mask.
    Comments: Enter in dotted quad format (nnn.nnn.nnn.nnn) or a simple number between 2 and 31 representing the CIDR subnet.

Default Router (defroute)
    Definition: The IP address of the IPS-1 Sensor's default router.
    Comments: Enter in dotted quad format (nnn.nnn.nnn.nnn).

IP of Server (ip_central)
    Definition: The IP address of the primary IPS-1 Alerts Concentrator used to manage this IPS-1 Sensor.
    Comments: Enter in dotted quad format (nnn.nnn.nnn.nnn).

Encryption Passphrase (crypto)
    Definition: The shared key used to encrypt communication between this IPS-1 Sensor and its primary IPS-1 Alerts Concentrator.

IP of backup Server (ip_central2)
    Definition: The IP address of the backup IPS-1 Alerts Concentrator used to manage this IPS-1 Sensor.
    Comments: This is an optional variable, entered in dotted quad format (nnn.nnn.nnn.nnn).

Encryption Passphrase (crypto2)
    Definition: The shared key used to encrypt communication between this IPS-1 Sensor and its backup IPS-1 Alerts Concentrator.
    Comments: This is an optional variable, required only if using a backup IPS-1 Alerts Concentrator.

(localtime)
    Definition: The path to the time zone file.
    Comments: The path to the time zone file is expressed as /nfr/zone/<region>/<subregion>/<timeframe>. Example: /nfr/zone/North America/United States/Eastern

NTP Server Address1 (ntphost1)
    Definition: The primary NTP server's IP address.
    Comments: This is an optional variable, used only with an NTP server, entered in dotted quad format (nnn.nnn.nnn.nnn).

NTP Server Address2 (ntphost2)
    Definition: The backup NTP server's IP address.
    Comments: This is an optional variable, required only if using an NTP server, entered in dotted quad format (nnn.nnn.nnn.nnn).

Key Number (ntpkeynum)
    Definition: The number associated with the key, as stored in the NTP server's key file, used by IPS-1 Sensor to authenticate to the NTP server.
    Comments: This is an optional variable, required only if using an NTP server with encryption and authentication.

Key (ntpkey)
    Definition: The key used by IPS-1 Sensor to authenticate to the NTP server.
    Comments: This is an optional variable, required only if using an NTP server. The key must be an MD5 key.

Operating Mode (mode)
    Definition: The mode the IPS-1 Sensor will be in. One of the following: passive, inline fail-severed, inline fail-passthrough, inline bridge.
    Comments: Only available on IPS sensor.

First inline interface (inline_if1)
    Definition: The NIC name for the first inline interface.
    Comments: Only used for non-passive modes.

Second inline interface (inline_if2)
    Definition: The NIC name for the second inline interface.
    Comments: Only used for non-passive modes.
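The constraints in the table above, applied by a checker that is an added example (not the IPS-1 Sensor's own validation and not a parser for the real nfr_ida.cfg, whose file layout this page does not show). The input is modelled as a dict of variable name to value, the sample values are constructed, and the cross-variable checks marked as assumptions go beyond what the table states.

```python
"""Checks for the IPS-1 Sensor configuration variables listed in Appendix A.
Added example, not Check Point code: the nfr_ida.cfg file layout is not shown
on this page, so the configuration is modelled as a dict of variable -> value."""
import ipaddress
import re

MGMT_INTERFACES = {"em0", "em1", "em2", "em3", "fxp0", "fxp1", "fxp2", "sk0", "sk1"}
MODES = {"passive", "inline fail-severed", "inline fail-passthrough", "inline bridge"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]{1,30}$")  # 1-30 alphanumeric characters
ZONE_PREFIX = "/nfr/zone/"  # /nfr/zone/<region>/<subregion>/<timeframe>


def is_dotted_quad(value: str) -> bool:
    """nnn.nnn.nnn.nnn with four numeric octets in range."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def is_netmask(value: str) -> bool:
    """Dotted-quad mask or a CIDR prefix length between 2 and 31. Rejecting a
    non-contiguous dotted-quad mask is an added safeguard, not a rule from the table."""
    if value.isdigit():
        return 2 <= int(value) <= 31
    if not is_dotted_quad(value):
        return False
    try:
        ipaddress.IPv4Network(("0.0.0.0", value))
        return True
    except ValueError:
        return False


def validate(cfg: dict) -> list:
    """Return the list of problems found; an empty list means the values pass."""
    errors = []

    def required(name: str) -> str:
        value = cfg.get(name, "")
        if not value:
            errors.append(f"{name}: required")
        return value

    for name in ("admin_pass", "admin_pass2"):
        if len(required(name)) > 40:
            errors.append(f"{name}: must be between 1 and 40 characters")
    if required("hostname") and not HOSTNAME_RE.match(cfg["hostname"]):
        errors.append("hostname: 1-30 alphanumeric characters only (no periods, dashes, etc.)")
    if required("mngmtintf") and cfg["mngmtintf"] not in MGMT_INTERFACES:
        errors.append(f"mngmtintf: must be one of {sorted(MGMT_INTERFACES)}")
    for name in ("ipaddr0", "defroute", "ip_central"):
        if required(name) and not is_dotted_quad(cfg[name]):
            errors.append(f"{name}: enter in dotted quad format (nnn.nnn.nnn.nnn)")
    if required("netmask0") and not is_netmask(cfg["netmask0"]):
        errors.append("netmask0: dotted quad or a number between 2 and 31")
    required("crypto")
    if required("localtime") and not cfg["localtime"].startswith(ZONE_PREFIX):
        errors.append(f"localtime: expected {ZONE_PREFIX}<region>/<subregion>/<timeframe>")

    # Backup Alerts Concentrator is optional; crypto2 is required only with it.
    if cfg.get("ip_central2"):
        if not is_dotted_quad(cfg["ip_central2"]):
            errors.append("ip_central2: enter in dotted quad format (nnn.nnn.nnn.nnn)")
        if not cfg.get("crypto2"):
            errors.append("crypto2: required when a backup Alerts Concentrator is configured")

    # NTP is optional; key number and key go together (assumption beyond the table).
    for name in ("ntphost1", "ntphost2"):
        if cfg.get(name) and not is_dotted_quad(cfg[name]):
            errors.append(f"{name}: enter in dotted quad format (nnn.nnn.nnn.nnn)")
    if bool(cfg.get("ntpkeynum")) != bool(cfg.get("ntpkey")):
        errors.append("ntpkeynum/ntpkey: NTP authentication needs both the key number and the key")
    if cfg.get("ntpkeynum") and not cfg["ntpkeynum"].isdigit():
        errors.append("ntpkeynum: must be the numeric key id from the NTP server's key file")

    # Inline interfaces are used only in the non-passive modes.
    mode = cfg.get("mode", "passive")
    if mode not in MODES:
        errors.append(f"mode: must be one of {sorted(MODES)}")
    elif mode != "passive":
        inline = [cfg.get("inline_if1"), cfg.get("inline_if2")]
        for name, value in zip(("inline_if1", "inline_if2"), inline):
            if not value:
                errors.append(f"{name}: required for mode '{mode}'")
        if inline[0] and inline[0] == inline[1]:
            errors.append("inline_if1/inline_if2: the two inline interfaces must differ (assumption)")
        if cfg.get("mngmtintf") and cfg["mngmtintf"] in inline:
            errors.append("mngmtintf: the management NIC cannot also be an inline NIC (assumption)")
    return errors


SAMPLE_CONFIG = {  # constructed values for illustration only
    "admin_pass": "PLACEHOLDER-ENCRYPTED-PASSWORD", "admin_pass2": "PLACEHOLDER-ENCRYPTED-PASSWORD",
    "hostname": "ipssensor01", "mngmtintf": "em0",
    "ipaddr0": "192.0.2.10", "netmask0": "255.255.255.0", "defroute": "192.0.2.1",
    "ip_central": "192.0.2.50", "crypto": "constructed-shared-passphrase",
    "localtime": "/nfr/zone/North America/United States/Eastern",
    "mode": "inline bridge", "inline_if1": "em1", "inline_if2": "em2",
}
```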

IPS-1 Sensor Configuration Variables Worksheet

You can record IPS-1 Sensor configuration values on this worksheet for use throughout the IPS-1 installation and configuration process.

Warning - After you install IPS-1, destroy or secure this worksheet as it will contain sensitive data. Also treat configuration floppies as Corporate Confidential and secure or destroy appropriately.

Table A-1

Configuration Variable (record one value per column: IPS-1 Sensor #1, IPS-1 Sensor #2, IPS-1 Sensor #3)

Administrator Password (admin_pass), (admin_pass2)

Name of this station (hostname)

Management Interface (mngmtintf)

IP Address (ipaddr0)

Network Mask (netmask0)

Default Router (defroute)

IP of Server (ip_central)

Encryption Passphrase (crypto)

IP of backup Server (ip_central2)

Encryption Passphrase (crypto2)

(localtime)

NTP Server Address1 (ntphost1)

NTP Server Address2 (ntphost2)

Key Number (ntpkeynum)

Key (ntpkey)

Operating Mode (mode)

First inline interface (inline_if1)

Second inline interface (inline_if2)

Appendix B

IPS-1 Deployment Options

In This Chapter

Overview page 78

Inline Mode page 79

Passive Mode page 80

Standby Options page 84

Overview

This appendix illustrates several options for placing IPS-1 Sensors and IPS-1 Power Sensors within your network. These diagrams illustrate common installation configurations; IPS-1 Sensor placement is not limited to these choices.

Inline Mode

When installing an IPS-1 Sensor in one of the inline modes, the sensor should be cabled so that all of the traffic you want to monitor flows through the IPS-1 Sensor.

It is very important that you connect everything correctly, or your network will be severed. Choose which interface you wish to use for the management network and which two the IPS-1 Sensor should use for its inline placement.

Except when configured to block, the IPS-1 Sensor will forward all traffic it sees on one inline interface to its other inline interface. When in "inline bridge" mode, it does not block any traffic. See “About Prevention with IPS-1 Sensor” on page 61 for additional information.

Note - If you are using your IPS-1 Sensor in the Passive (traditional) mode then follow one of the other sections in this appendix concerning installation of IPS-1 Sensors.

Passive Mode

In This Section

Switched Networks, Span Mode page 80

Full Duplex Environment, Tap Mode page 81

Hub Mode page 82

Switched Networks, Span Mode

One method of assuring that IPS-1 Sensor is able to see all traffic in a switched environment is to configure the switch to span all traffic to the port monitored by IPS-1 Sensor. Your switch vendor may use a term like "mirror" instead of "span."

The following diagram illustrates the installation of IPS-1 Sensor in a switched environment using a span port. The monitoring NIC is connected to the switch's span port. The management NIC is connected to the network on which IPS-1 Alerts Concentrator resides.

Figure B-1 IPS-1 Sensor Installation

Full Duplex Environment, Tap Mode

In a full-duplex environment, it is important to be able to monitor traffic flowing in both directions. Certain types of attack are only detected by clearly understanding the bi-directional communication occurring between the source and the target. By installing a tap between IPS-1 Sensor and the monitored network, the sensor can monitor and maintain complete state information on a full-duplex network.

The diagram below illustrates the installation of IPS-1 Sensor in a full-duplex environment, using a tap. One monitoring NIC is connected to one-half of the full-duplex environment (through the tap). Another monitoring NIC is connected to the other half of the full-duplex environment (also through the tap). The management NIC is connected to the network on which the IPS-1 Alerts Concentrator resides.

Note - In a switched network, the switch itself could drop packets if there is heavy network traffic. This is a limitation of the switch, not IPS-1 Sensor.

Figure B-2 IPS-1 Sensor Installation

Hub Mode

The following diagram illustrates the installation of IPS-1 Sensor in an environment where traffic for the monitored network is routed through a hub. The monitoring NIC is connected to the hub. The management NIC is connected to the network on which IPS-1 Alerts Concentrator resides.

Figure B-3 IPS-1 Sensor Installation

Standby Options

In This Section

Alert Continuity page 84

Monitoring of Failover Networks page 85

Fast Deployment of a Standby IPS-1 Sensor page 86

IPS-1 includes several options for continuous operation and fast recovery in the event of a component failure. These options include:

• Alert continuity

• Monitoring of failover networks

• Fast deployment of an alternate IPS-1 Sensor

The following sections illustrate how to install and configure IPS-1 to support each of these options.

Alert Continuity

This configuration option ensures continuity of information from IPS-1 Sensor in the event of an IPS-1 Alerts Concentrator failure. You can configure the IPS-1 Sensor to report to a backup IPS-1 Alerts Concentrator. This automatically redirects alerts and event data to the backup Alerts Concentrator if the primary Alerts Concentrator fails. You can install the backup Alerts Concentrator within the same network as the primary Alerts Concentrator.

As shown in the diagram below, if there are multiple IPS-1 Sensors within your enterprise, you can designate one IPS-1 Sensor's primary Alerts Concentrator as the backup Alerts Concentrator for another Sensor.

Figure B-4 Multiple IPS-1 Sensors

When the first (primary) IPS-1 Alerts Concentrator is back up after a failure, the IPS-1 Sensor will not automatically switch back to it.

Monitoring of Failover Networks

Failover networks (also known as high-availability networks) are designed so that if one ISP fails, the networks automatically fail over to a secondary ISP. As shown in the diagram below, you can install a single IPS-1 Sensor to monitor traffic from both ISPs.

Figure B-5 Single IPS-1 Sensor

Note - This scenario also applies to load-balanced networks. A load-balanced network uses dynamic routing so that traffic will come in from (and go out through) whichever ISP is the least utilized. This means that traffic from a single session can come in from one ISP and go out through another. An IPS-1 Sensor configured to monitor traffic from both ISPs can monitor the session regardless of which ISP is used.

Fast Deployment of a Standby IPS-1 Sensor

In the event of an IPS-1 Sensor hardware failure, you can remove the configuration floppy from the failed hardware. Move the cables and floppy to a cold standby unit. Reboot the standby unit.

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]).
Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd


Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Warranty Disclaimer

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability


UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.


Index

A
Adding IPS-1 Sensors 57
Adding IPS-1 Servers 49
Administrator Password 70
Alert Continuity 84

B
backup IPS-1 Alerts Concentrator 84
Blacklisting 66

C
Changing Configuration Values Manually 35
Configuration Disk 35
Configuring IPS-1 Sensor 34
Configuring User Accounts 55

D
Default Router 71
Deployment Scenarios 16

E
Encryption Passphrase 71

F
Failover networks 85
Fast Deployment of a Standby IPS-1 Sensor 86
First inline interface 72
Full Duplex Environment 81

H
Hub Mode 82

I
Importing Default Packages and Backends 52
Initial Installation Steps 24
Inline Bridging 63
Inline Fail-passthrough 63
Inline Fail-severed 63
Inline Mode 79
Installing "Combo" Server 28
Installing and Updating Packages/Backends 46
Installing Check Point IPS-1 Suite 22
Installing IPS-1 Management Dashboard 29
Installing IPS-1 Sensors 30
Installing IPS-1 Server 27
Installing the IPS-1 Alerts Concentrator 26
IP Address 70
IP of backup Server 71
IPS-1 10C and 50C 31
IPS-1 Alerts Concentrator 50, 52, 84
IPS-1 Management Dashboard 19, 21
IPS-1 Power Sensors 37
IPS-1 Power Series 62
IPS-1 Sensor 19, 62
IPS-1 Sensor 100C & 200C 32
IPS-1 Sensor 200F 32
IPS-1 Sensor 500C 33
IPS-1 Sensor 500F 34
IPS-1 Sensor Configuration Variable Definitions 70
IPS-1 Sensor Hardware 31
IPS-1 Sensor hardware failure 86
IPS-1 Sensors 19, 57
    installation options 78
IPS-1 Server 19

K
Key 72
Key Number 72

L
Large deployment 16
Logging into the IPS-1 Management Dashboard 48

M
Management Interface 70
Management Interface Port 50
Modes 63
Monitoring of Failover Networks 85

N
Network Mask 71
NTP Server Address1 72
NTP Server Address2 72

O
Operating Mode 72

P
Passive 63
Passive Mode 80
Prevention Configuration 65
Prevention Quick Configuration 64
Proxy Servers 46

R
Restarting an IPS-1 Sensor 59

S
Second inline interface 72
Small deployment 16
Span Mode 80
Standby Options 84
Switched Networks 80
System Requirements 19, 20

T
Tap Mode 81
Tap Port 50
Tuning the Sensor 67

V
Variables Worksheet 74