Force10 Networks PSeries 100-00055-01 manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation Force10 Networks PSeries 100-00055-01. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel Force10 Networks PSeries 100-00055-01 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation Force10 Networks PSeries 100-00055-01 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation Force10 Networks PSeries 100-00055-01 devrait contenir:
- informations sur les caractéristiques techniques du dispositif Force10 Networks PSeries 100-00055-01
- nom du fabricant et année de fabrication Force10 Networks PSeries 100-00055-01
- instructions d'utilisation, de réglage et d’entretien de l'équipement Force10 Networks PSeries 100-00055-01
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage Force10 Networks PSeries 100-00055-01 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles Force10 Networks PSeries 100-00055-01 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service Force10 Networks en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées Force10 Networks PSeries 100-00055-01, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif Force10 Networks PSeries 100-00055-01, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation Force10 Networks PSeries 100-00055-01. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    P-Series Installation and Operation Guide V ersion 2.3.1.2 May 27, 2008 PN: 100-00055-01[...]

  • Page 2

    Copyright 2008 Force10 Networks ® All rights reserved. Printe d in the USA. January 2008. Force10 Networks® reserves the r ight to change, mo dify , revi se this publicati on without notice. T rademarks Force10 Networks® and E-Series® ar e registered trademarks of Force10 Networks, In c. Force10, the Force10 logo, and P-Series are trademarks of[...]

  • Page 3

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 3 Content s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Preface About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 4

    4 Contents Mirroring to Another Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Chapter 4 Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 GUI Commands . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 5

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 5 Chapter 8 Compiling Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Creating Rules Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 6

    6 Contents Unix Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 vi Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Appendix E Glossary . . . . . . . . . . . . . .[...]

  • Page 7

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 7 Objectives This document provid es installation and opera tion instructions for the P-Series P10 appliance. Audience This guide is intended to be used by network engineers. The P10 is a Unix-based product th at runs rule management software based on Linux and FreeBSD. A s such, understan[...]

  • Page 8

    8 About this Guide Information Symbols Related Document s Additional P-Series documentation is available on the software CD that came with the appliance and in the documentation section of the Force10 website , www .force10networks.com . • P-Series Release Notes Additional Resources • Cox, Kerry and Ger g, Christopher . 2004. Managing Security [...]

  • Page 9

    P-Series Installation and Operation Guide, version 2.3.1.2 9 Figure 1 P-Series P10 Appliance (Front V iew) IDENTIFY LAN 2 LAN 1 VGA SERIAL USB x2 KEYBOARD MOUSE POWER RJ-45 SERIAL E0 & E1 IP ADDRESS MANAGEMENT PORTS LEDs POWER DISPLA Y (E0) (E1) MIRROR PORT 1 (P1) PORT 0 (P0) PORT 0 (M0) MIRROR PORT 1 (M1) HARD DISK fn9000007 Figure 2 P-Series [...]

  • Page 10

    10 Installation System S pecifications The specifications in Table 1 apply to the P-Series P10 a ppliance, Force10 catalog number PB-10GE-2P . Physical Connections (Power Butto n) This button turns the appliance o n and off. Press and hold the bu tton to tur n off the appliance. (Laser Warning) This label in the bottom right corn er of the applianc[...]

  • Page 11

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 11 Ste p T a sk 1 Review the system specificat ions and ensure that your operating and storage conditions meet the state d requirement s. 2 Connect the power cable, a ke yboard, and a monito r to the appliance. 3 Connect the LAN 1 port on the appliance to the lo cal area network wher e DHC[...]

  • Page 12

    12 Installation Booting During booting y ou can select the OS of your choice. The management ports are configured for DHCP and pr obe for an IP address, gateway , and na me server . The IP address is displayed on the LCD screen. When the appliance is powered up , all packets are forwarded betwee n its ports by default until the firmware and device [...]

  • Page 13

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 13 W arning: S top all traf fic from flowing through the appliance, and discon nect all cables from the XFPs before proceeding. Step T ask Command 1 Save earlier configuratio n files and firmware by copying the dir ec to ry /usr/local/pnic to the home directory . cp -Rf /usr/local/pnic/ /h[...]

  • Page 14

    14 Installation 13 Re-compile all rules firmware with the new comp iler located in the directory pnic-compiler. cd upgrade_directory /pnic-compiler gmake 14 Insta ll pre -compiled firmware if need ed. cd upgrade_directory /firmware gmake install Step T ask Command[...]

  • Page 15

    P-Series Installation and Operation Guide, version 2.3.1.2 15 T o begin inspecting and fi ltering traf fic you must: 1. Select firmware and dynamic rules 2. Set capture/forward policies 3. Check for proper operation by generating traffic across the appliance. Ste p T ask 1 As root, enter the command pn ic gui from the Unix command line to invoke a [...]

  • Page 16

    16 Getting Started[...]

  • Page 17

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 17 The P-Series P10 Intrusion Detection and Pr evention System ( IDS/IPS ) appliance employs Dynamic Parallel Inspection ( DPI ) technology . It uses a Multiple Instructio n Single Data (MISD) massively parallel processor that executes thousan ds of security policies or traffic capture ope[...]

  • Page 18

    18 Introduction Figure 3 illustrates how all matched packets are copied and transmitte d by mirror ports. Figure 3 F orwarding Engine Detection Engine Packet Data PCI-X Module Packet Data Device Access Config Commands Packet Data State T able Rx1 Tx1 Rx0 Tx0 Mirror 1 Mirror 0 Match Result figindex 006 Logic Diagram of T raffic Flow in the P10 DPI T[...]

  • Page 19

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 19 Firmwar e is a se t of rules that has be en transformed— using a compiler—from Snort syntax into a form suitable for uploading to the FPGA . T wo sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware man[...]

  • Page 20

    20 Introduction Inline Deployment Use the P-Series for inline traf fic inspection in IPS or firewall applications at 10-Gigabit line rate ( Figure 4 ). • For IPS deployment, no special configuratio n is n eed ed; the P-Series is in inline IPS mode by default. • For a firewall deployment, enable drop mode (see Command Line Reference on page 79 )[...]

  • Page 21

    P-Series Installation and Operation Guide, version 2.3.1.2 21 Highly-available Deployment Use optical bypass switches with the P-Series for a hi ghly-available, redundant deployment, as sh own in Figure 6 . Both the appliances have the same conf iguration so that in the event of a power failure on one device, the other continues to operat e, and th[...]

  • Page 22

    22 Introduction Figure 8 N etwork Tap P-Series P10 fn90033mp P0 10-Gigabit 10-Gigabit Passive Deployment with Aggrega tion using a Network T ap Figure 9 Network Switch with SPAN port P-Series P10 fn90034mp P0 Port to Monitor 10-Gigabit SPAN Port Passive Deployment with Aggregation using a SP AN port Capturing Matched T raffic P-Series supports capt[...]

  • Page 23

    P-Series Installation and Operation Guide, version 2.3.1.2 23 Capturing to a Host CPU Captured traffic can be sent to a host C PU throug h a libpcap library interface, where it can be made available to applications for anal ysis. A typical implementation provid es IDS/Snort acceleration beca use of the hardware assist. Figure 10 Capturing Matched T[...]

  • Page 24

    24 Introduction Mirroring to Another Device Mirror captured traffic out of the 1-Gigabit mirroring po rts to use the P-Series as an IDS accelerator or as part of an integrated s ecurity monitoring solution. Figure 12 HW M1 P1 P0 M0 1-Gigabit/IDS Security Monitoring Application Matched Traffic Traffic to Monitor PB-10GE-2P fn90037mp Creating an IDS [...]

  • Page 25

    P-Series Installation and Operation Guide, version 2.3.1.2 25 The GUI can be used to: • Start and stop the DPI • Load firmware • Compile and lo ad dynamic rules • Manage the runtime parameters • Manage the capture/forward policies for rule s Note: Using the GUI requires the super user privilege. T o invoke the GUI: Runtime statistics are [...]

  • Page 26

    26 Graphical User Interface GUI Commands From the Runtime S tatistics display , you can enter commands to control the DPI (see Ta b l e 3 , or enter the h command from th e GUI comm and line). Figure 13 fn9000010 N/A/1 FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=5ms CPU(s): 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle Runt[...]

  • Page 27

    P-Series Installation and Operation Guide, version 2.3.1.2 27 Managing Rules, Policies, and Firmware Enter the m command from the GUI command line (see “GUI Commands” on page 26 ) to invoke a menu that enables you to manage dynami c rules, captur e/forward policies, and firmware. Three options are available; they are shown in Figure 14 and desc[...]

  • Page 28

    28 Graphical User Interface Ta b l e 5 describes the four possible combina tions of capture/forward policies. Editing Dynamic Rules with the GUI Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory . The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file. T able 4 Managin[...]

  • Page 29

    P-Series Installation and Operation Guide, version 2.3.1.2 29 T o modify dynamic rules: Figure 15 Editing Dynamic Rules in vi fn90000012 pnic Managing Capture/Forward Policies with the GUI Upon compiling static and dynamic rules, default capture/f orward policies are assigned to each rule. T o change capture/forward policies: Ste p T ask 1 Enter th[...]

  • Page 30

    30 Graphical User Interface Figure 16 fn9000013 Managing Capture/Forward Policies GUI Figure 17 fn9000014 Capture/Forward Policies GUI Selecting Firmware with the GUI Firmwar e is a se t of rules that has be en transformed— using a compiler—from Snort syntax into a form suitable for uploading to the FPGA.[...]

  • Page 31

    P-Series Installation and Operation Guide, version 2.3.1.2 31 T o select firmware: Figure 18 Manage Firmwa re GUI fn9000015 Runtime S tatistics Runtime statistics are displayed when firmware is uploaded, and traffi c is flowing across the appliance. The GUI presents two views of traffic statistics. The default view shows the tota l st atistics for [...]

  • Page 32

    32 Graphical User Interface The remaining lines report the cumula tive number of events and the rate of those events. A description of each line is given in Ta b l e 6 . Figure 19 CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Pack[...]

  • Page 33

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 33 Reloading Firmware During firmware reloading, all packets flow regardless of capture/ forward policies, as the policies cannot be enforced during system initialization. This "open" st ate during configuration st ate transition ensures that there is no interruption of se rvice [...]

  • Page 34

    34 Graphical User Interface[...]

  • Page 35

    P-Series Installation and Operation Guide, version 2.3.1.2 35 Y ou can mana ge and monitor the P-Series on the web using the Force10 Netwo rks P-Series Node Manager . Launching the P-Series Node Manager Note: The Web-based GUI is best vie wed with a minimum screen resolution of 1280x800. Y ou must also have Java Run T ime Environment (JRE) inst all[...]

  • Page 36

    36 Web-based Manageme nt Figure 21 Lauching the P-Seri es Node Manager Note: S top the secure HTTP service using th e command pnic web-gui-stop (see Appendix A , on page 79 ).[...]

  • Page 37

    P-Series Installation and Operation Guide, version 2.3.1.2 37 W eb-browser Security Certificates The P-Series Node Manager client and the server communicate via H TTPs. All transactions are encrypt ed, and thus protected, by the SSL protocol. The SSL certific ate is a self-signed certificate that is not signed by a trusted Certificate Authority (CA[...]

  • Page 38

    38 Web-based Manageme nt Monitoring System Performance Monitor system performance from the Home panel ( Figure 23 ). The Home pa nel is displaye d after logging into Node Manager . It displays basic system informat ion, card, interface , and reso urce information, as well as CPU and memory usage over time. Figure 23 P-Series Node Manager: Home Pane[...]

  • Page 39

    P-Series Installation and Operation Guide, version 2.3.1.2 39 Managing Firmware Images Manage the software image from the Image Management panel ( Figure 24 ). The Image Management panel provides options for compiling and dele ting an image. It displays a list of available images along with the currently applied image and its details. Figure 24 P-S[...]

  • Page 40

    40 Web-based Manageme nt Figure 25 P-Series Node Manager: Card Ma nagement Panel[...]

  • Page 41

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 41 Managing Policies Manage policies from th e Polic y Management panel ( Figure 26 ). The Policy Management pane l provides you with a list of available static and dynamic rules av ailable for the currently ru nning image. It also has the provision for adding , modifying, and deleting dyn[...]

  • Page 42

    42 Web-based Manageme nt Figure 26 P-Series Node Manager : Policy Managment Panel[...]

  • Page 43

    P-Series Installation and Operation Guide, version 2.3.1.2 43 A key aspect of network security de ployment is the ability to monitor the network for security events, analyze them, and perform counter measures. T o that end, the P-Series supports Sguil, an open source network security monitoring and reportin g system that provides the ability to: ?[...]

  • Page 44

    44 Network Security Monito ring Inst alling the Sguil System T o employ Sguil you mu st: 1. Install the sensor . See page 44 . 2. Install the server . See page 44 . 3. Install the client. See page 45 . Note: Y ou can download the server and client Sguil compone nts directly from the Sguil website at http:/ / sguil.source forge.net/ind ex.html . The[...]

  • Page 45

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 45 Uninst alling the Sguil Server T o uninstall the server: Inst alling the Sguil Client Y ou must have the following soft ware installed in your PC befo re installing the Sguil client: • ActiveT cl, Force10 recommends Ac tiveT c l8.4.14 which includes W ish •W i n Z i p •W i r e s h[...]

  • Page 46

    46 Network Security Monito ring Inst allation Files Ta b l e 7 lists the files and dire ctories created during in stallation that are releva nt to running the Sguil system. 3 Config ure the following p a rameters in the file sguil.conf : • Enable (1) or disable (0 ) the debug option • Set the browser p ath. • Set the Wireshark ap plication pa[...]

  • Page 47

    P-Series Installation and Operation Guide, version 2.3.1.2 47 Running the Sguil System Running the Sguil Sensor Start the Sguil se nsor using the command pnic sguil-sensor-start . Specify the IP address of the Sguil server , and confirm the action, as shown in Figure 29 . Figure 29 root@# pnic sguil-sensor-start Enter the IP address of the Sguil-Se[...]

  • Page 48

    48 Network Security Monito ring • The rule file you are using shou ld be mentioned in snort.c onf file. A sample rule file under rules directory is already added and commented in snort.conf . • Log files are stored in th e installation sub-directory ... /nsm/sguil/logs . • When adding new rules to the file sample.rules , uncomment the line, ?[...]

  • Page 49

    P-Series Installation and Operation Guide, version 2.3.1.2 49 Running the Sguil Client T o run the Sguil Client: Figure 31 Running the Sguil Client Ste p T ask 1 Open sguil.tk using the Wish application. A window ap pears, as shown in Figure 31 . 2 S pecify the IP address o f the Sguil server , and your username and p assword. 3 Select the sensors [...]

  • Page 50

    50 Network Security Monito ring Figure 32 fn90027mp Selecting the Sensor to Mo nitor When the Sguil client starts and the client is prop erly connected to the Sgu il server , the window in Figure 33 appears. Figure 33 fn90028mp Accepting Event s from the Sensor[...]

  • Page 51

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 51 The command line interface (CLI) is an alternative to the GUI for managi ng the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script us ing the command syntax pnic command ; the OS environment variables are set such that thi[...]

  • Page 52

    52 Command Line Inter face This feature can be enabled per channel. When MAC rewrite is enabled, the P10 applia nce classifies the incoming traf fic into one of 256 hash buckets to determ ine the value to be written to the LSB of destination MAC address. A hash function based on the source and destina tion IP ad dresses is used to calculate an 8-bi[...]

  • Page 53

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 53 Removing VLAN T ags The P-Series can strip the VLAN tag from incoming pa ckets before they exit the egress port. Enable the feature using the command pnic vlan-remove-enable . The frame CRC is recalculated when this feature is enabled. If an incoming packet is untagged, it is not change[...]

  • Page 54

    54 Command Line Inter face[...]

  • Page 55

    P-Series Installation and Operation Guide, version 2.3.1.2 55 The P-Series Network Interface Car d Compiler (pnic-Compiler) produces user-defined firmware for the appliances. The user-defined input is a set of signature-based rule s in Snort syntax, and compilation directives. The output of the comp iler is a Xilinx bit file and ASCII mapping files[...]

  • Page 56

    56 Compiling Rules T able 8 Compiler Configuration Options Compilation Option Description 1 Ta r g e t D e v i c e Choose the model of your appliance. • The P10 requires type PB-10G-2P (see Fig ure 35 on pa ge 58 ) 2 Match non-IP T raffic Answering Yes to this option matches pa ckets that are not IPv4. This option should be set to No if only IP t[...]

  • Page 57

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 57 7 Segmentat ion Evasion Rules The pnic-Compiler prepends a set of fixed rules—ca lled evasion.rules — located in the pnic-compiler/rules directory . The rule s help detect attacks which are using strategic TCP s egment ation to avoid detection. It is best to include this file if Sno[...]

  • Page 58

    58 Compiling Rules Figure 35 pnic-Compiler Option 1- 6 root@# gmake Makefile:2: mtp_configuration: No such file or directory bin/getparams2.sh Please choose the target device 1) PB-10G-2P #? 1 Do you want to support matching of non IP v4 and non IPv6 packets (like ARP/IPX etc)? 1) Y es 2) No #? 2 Ethernet types allowed Do you want to match packets [...]

  • Page 59

    P-Series Installation and Operation Guide, version 2.3.1.2 59 Figure 36 Channel 1 D ynamic rules Please choose how many dynami c rules (5-20 recommended) Dynamic rules are rule s that can be added without recompiling the firmware. They can be a dded at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1) 0 5) 20 9) 60 13) 100 [...]

  • Page 60

    60 Compiling Rules Figure 37 pnic-Compiler Option 8- 9 Please choose the maximum number of byt es per sig nature (1024 recommended). Selecting a small number allows lar ger sets of signatures at the expense of more false posit ives. 1) 16 2) 32 3) 64 4) 96 5) 128 6) 256 7) 512 8) 1024 #? 8 Enter the firmware base -image nam e (press the Enter key t[...]

  • Page 61

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 61 Configuration and Generated Files Ta b l e 9 describes the files that are used or generated by the pnic-Compiler . T able 9 Configuration and Generated Files File Description Location pnic_*.bit G ene ra te d after co mpiling static rules. They are then r enamed and copi ed to /usr/loca[...]

  • Page 62

    62 Compiling Rules Firmware Filenames The pnic-Compiler creates new firmware — in the /usr /local/pnic/fir mware directory — consisting of four . bit files and eight . mapping files. The default firmware filenames follow a naming convention designed to identify three properties: • The appliance that can use it • The number of dynamic ru les[...]

  • Page 63

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 63 P-Series rule syntax is based on Snort. Both rule structures are descr ibed in this chapter . • Snort Rule Syntax on page 63 • P-Series Rule Syntax on pag e 66 Snort Rule Synt ax Snort rules are descriptions of tra ffic plus a prescrib ed action that is taken if a packet matches tha[...]

  • Page 64

    64 Writing Rules • pass directs Snort to ignore the packet. • activate directs Snort to generate an aler t and activate another specified rule. • dynamic directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log. Protocol Snort supports four p rotocols: tcp , udp , icmp , or ip . The[...]

  • Page 65

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 65 Ports Port numbers may be specified by the keyword any , a single port number , ranges, and by negation. any specifies any port. St atic ports are indicated by a si ngle port number , for exam ple, 23 for T elnet. Port ranges can be specified using a colon as a range oper ator . It can [...]

  • Page 66

    66 Writing Rules Destination Address and Port The destination address and port follo w the direction operator . The syntax of these parameters are the same as the source address a nd port. See “Source Addresses” on page 64 , and “Ports” on page 65. Snort Rule Options Options are made of a key word and an ar gument. An ar gu ment is the pack[...]

  • Page 67

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 67 depth No No dsize Y es No flags Y es Y es, no wild card flow Y es No fragbits Y es No fragoffset Y es No icmp_id Y es Y es icmp_seq Y es Y es icode Y es Y es id Y es Y es ip_proto Y es Y es itype Y es Y es offset No No nocase Y es No protocol ICMP , U DP , TCP , IP ARP , ICMP , UDP , TC[...]

  • Page 68

    68 Writing Rules W r iting S t ateful Rules Stateful matching improves the accuracy of detectio n because it adds ordering when specifying behaviors across multiple matching events. State transitions in the P-Series follow a no n-cyclic pattern; no state transitions may erase any of the previous states. New state transitions are simply recorded via[...]

  • Page 69

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 69 Pre-match Condition — the S V alue The value in register C f is presented to all the signatur es simultaneously during matching. C f must have all the bits specified by s i (in addition to matching m i ) in order for the signature i to trigger . In other words, if the result of the lo[...]

  • Page 70

    70 Writing Rules When a packet is stored in either T emporary Memory or Match Memory , a pointer to the previously stored packet in the same flow (contained in a portion of the flow register C f ) is also stored. Thus a packet stored in Match Memory may reference another packet st ored in T emporary Memory , which in turn may reference more packets[...]

  • Page 71

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 71 Y ou can inspect Signatures 4, 5, and 6, an d verify th at they trigger a match and place a packet in Match Memory — thus alerting the host — if three consecutiv e packets are seen with size between 0 and 100. The third packet references the previous two stored in T emporary Memory [...]

  • Page 72

    72 Writing Rules The start of the state mach ine is prompted by a SYN ; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected; the final state is reached if a packet of a l[...]

  • Page 73

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 73 Anomalous TCP Flags Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Ta b l e 2 4 shows rules which were derived from the Snort scan pre-processor . The compiler also automatically produces rules that ma tch all pack[...]

  • Page 74

    74 Writing Rules[...]

  • Page 75

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 75 Deploying the P-Series as a Firewall By default the P-Series is an IDS/ IPS system; the P-Series forwards a ll traf fic by default and blocks packets only if it matches a rule. Y o u can deploy the P-Series as a limite d firewall by enabling Drop mod e. In Drop mode, the P-Series blocks[...]

  • Page 76

    76 Firewall Enabling the Firewall Enable Drop mode using the command pnic default-drop-enable . Disable Drop mode using the command pnic default-drop-disable . These commands are shown in Figure 39 . Figure 39 [root@localhost ~]# pnic default-drop-disable No device number specif ied. Assuming device 0 *** Disabling Default-Packet-D rop on card:0 su[...]

  • Page 77

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 77 Allowing T raffic through the Firewall T o allow packets through the firewall you must write ru les so that packets that you want the appliance to forward match those rules. Rules can be as simple as a llowing traffic destined to a port. S tateful rules can be used to allow all traff ic[...]

  • Page 78

    78 Firewall T able 25 Sample Firewall Rules #permit: let through and do not log to the host #alert: let through and log to the host #deny: DO NOT let throu gh and do not l og to the host #divert: DO NOT let through and log to the host # S:<precondition>; C:<postcond ition> R:<logging> # A packet is matched if precondition ma tches[...]

  • Page 79

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 79 The comman d line interfa ce (CLI) is an alternat ive to the GUI for managing the appliance. A script called pnic is used to perform the same ma nagement function s as the GUI. Invoke the pnic script using the commands in this ch ap ter; the OS enviro nment variab les are set such that [...]

  • Page 80

    80 Appendix A • pnic showconf on pag e 108 • pnic show-firmware s on page 108 • pnic showtech on page 109 • pnic start on page 11 0 • pnic stop on page 111 • pnic temp-mem-disable on pa ge 11 2 • pnic temp-mem-enable o n p age 11 2 • pnic updatemacvalue on page 11 3 • pnic vlan-remove-disab le on page 11 4 • pnic vlan-remove-ena[...]

  • Page 81

    P-Series Installation and Operation Guide, version 2.3.1.2 81 Related Commands pnic aggregate-mode-enable Receive both client-to-serv er and server -to-clie nt traffic on one port. T his is the default behavior . Synt ax pnic aggregate-mode-enable [ number ] Disable agg regate m ode using th e command pnic aggregate-mode-disable . Parameters Comman[...]

  • Page 82

    82 Appendix A Parameters Command History Example Figure 42 [root@localhost SW]# pnic apply-firmware No card number specified. Assuming card 0 Do you really want to apply a new firmware for card0 (y/n)? y Please enter the path or name of the firmware to apply: /usr/local/ pnic/firmware/null.xc4vlx200-ff1513.50.50.2048 Compiling dynamic rules for pni[...]

  • Page 83

    P-Series Installation and Operation Guide, version 2.3.1.2 83 pnic capture-of f Disable the capturing of packet s via direct memory access (DMA). Synt ax pnic capture-off Parameters Command History Example Figure 44 root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful[...]

  • Page 84

    84 Appendix A Example Figure 45 pnic capture-on Command Exa mple root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic capture-on No card number specified. Assuming card 0 Capture ON set successful. [root@localhost SW]# Related Commands pnic [...]

  • Page 85

    P-Series Installation and Operation Guide, version 2.3.1.2 85 pnic compilerules T ransform the dyna mic Snort rules contained in /usr/local/pnic/0/rules.custom into binary code suitable for the DPI processor . Synt ax pnic compilerules [ number ] Parameters Command History Example Figure 47 pnic compilerules Co mmand Example [root@localhost SW]# pn[...]

  • Page 86

    86 Appendix A Example Figure 48 [root@localhost SW]# pnic default-drop-disable No card number specified. Assuming card 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled. *** Flow teardown disabled. [root@localhost SW]# pnic default-drop-disable Command Example pnic default-drop-enable Enable firewall functionali[...]

  • Page 87

    P-Series Installation and Operation Guide, version 2.3.1.2 87 Parameters Command History Example Figure 50 [root@localhost pnic]# pnic diag No card number specified. Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching. Do you want to proceed [n/y]? y *** Matching disabled. Test starting ... Waiting for matching to stop ... P[...]

  • Page 88

    88 Appendix A pnic flow-teardown-disable Configure the appliance to reset the state of the flow on ly upon a t imeout. This is the default behavior . Synt ax pnic flow-teardown-disable Command History Example Figure 52 [root@localhost SW]# pnic flow-teardown-disable No card number specified. Assuming card 0 *** Disabling Flow-Teardown on card:0 suc[...]

  • Page 89

    P-Series Installation and Operation Guide, version 2.3.1.2 89 Example Figure 53 [root@localhost SW]# pnic flow-teardown-enable No card number specified. Assuming card 0 *** Enabling Flow-Teardown on card:0 successful. [root@localhost SW]# pnic flow-teardown-ena ble Command Example Usage Information The flow teardown feat ure is coupled with the fir[...]

  • Page 90

    90 Appendix A Related Commands pnic gui Launch the graphical user interface. Synt ax pnic gui Command History pnic macrewrite - on Enable MAC rewriting. pnic macrewrite - off Disable MAC rewriting. pnic updatemacvalue Update the LSB value for a p a rticular hash index value. V ersion 2.0.0.1 Introduced[...]

  • Page 91

    P-Series Installation and Operation Guide, version 2.3.1.2 91 Example Figure 55 [root@localhost SW]# pnic gui CPU(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=1ms HW Interfaces CH0 Top Rate/s CH[...]

  • Page 92

    92 Appendix A pnic help Display a list of all available comman ds, their syntax, and descriptions. Synt ax pnic help Command History Example Figure 56 [root@localhost SW]# pnic help No card number specified. Assuming card 0 Usage: pnic function_command <card_num> <channel_num> <force_options> pnic aggregate-mode-disable <0|...|[...]

  • Page 93

    P-Series Installation and Operation Guide, version 2.3.1.2 93 pnic linkdown Disable the physical link. Synt ax pnic linkdown [ number ] [ channel ] Enable a physical link using the command pnic linkup . Parameters Command History Example Figure 57 [root@localhost SW]# pnic linkdown No card number specified. Assuming card 0 No channel number specifi[...]

  • Page 94

    94 Appendix A Parameters Command History Example Figure 58 [root@localhost SW]# pnic linkup No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Card 0, Channel 0 is up. [root@localhost SW]# pnic linkup Command Example Related Commands pnic loadconf Upload the runtime configuration pa rameters contained in the f[...]

  • Page 95

    P-Series Installation and Operation Guide, version 2.3.1.2 95 Example Figure 59 [root@localhost ~]# pnic loadconf No card number specified. Assuming card 0 Loading configurations ... Read from configuration file and apply to PNIC card... Registers on master FPGA: (0x10)0000 (0x14)0010 (0x18)0000 Registers on PCI FPGA: (0x18)0100 (0x24)20788 (0x28)2[...]

  • Page 96

    96 Appendix A pnic loadeproms Load the PCI-X and front-end EEPROM s. Synt ax pnic loadeproms [ number ] Parameters Command History Usage Information Use this command to upgrade P CI-X and front-end EEP ROMs to new revisions. Reboot the chassis after executing this command; only then does new firmware take ef fect. pnic loadparams (deprecated) Uploa[...]

  • Page 97

    P-Series Installation and Operation Guide, version 2.3.1.2 97 Example Figure 60 [root@localhost ~]# pnic loadparams No card number specified. Assuming card 0 Loading configurations... Read from configuration file and apply to PNIC card... (0x10)0000 (0x14)0010 (0x18)0000 (0x18)0100 (0x24)20788 (0x28)20788 DMA Capture Status: off MAC Rewrite state: [...]

  • Page 98

    98 Appendix A pnic loadrules Upload to the FPGA the dynamic rules fo r both channels encoded in the files /usr/local/pnic/ 0/pnic_{0|1}.bin . Synt ax pnic loadrules [ channel ] Parameters Command History Example Figure 61 root@# pnic loadrules 0 dynamic rules loaded pnic loadrules Command Exampl e Usage Information Capture/block policies p reviousl[...]

  • Page 99

    P-Series Installation and Operation Guide, version 2.3.1.2 99 pnic macrewrite-off Disable MAC rewriting. This is the default behavior . Synt ax pnic macrewrite-off [ number ] [ channe l ] Enable MAC rewritin g using the command pnic macrewri te-on . Parameters Command History Example Figure 62 [root@localhost SW]# pnic macrewrite-off No card number[...]

  • Page 100

    100 Appendix A Parameters Default MAC rewrite is disabled by default. The defa ult value for the LSB is the system-assigned hash index value . Command History Example Figure 63 [root@localhost SW]# pnic macrewrite-on No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:[...]

  • Page 101

    P-Series Installation and Operation Guide, version 2.3.1.2 101 Example Figure 64 root@# pnic macrewrite-on 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# pnic off No card number specified. Assuming card 0 Capture OFF set successful. [root@localhost SW]# pnic off Com[...]

  • Page 102

    102 Appendix A pnic params Display the card interface name, device ID, and co ntents of the register on the PCI-X and Master FPGAs. Synt ax pnic params [ number ] Parameters Command History Example Figure 66 [root@localhost SW]# pnic params No card number specified. Assuming card 0 PNIC 8002 pnic0 0xffff810000700000 20006 ********************** Reg[...]

  • Page 103

    P-Series Installation and Operation Guide, version 2.3.1.2 103 Command History Example Figure 67 pnic passive-mo de- disable Command Example [root@localhost SW]# pnic passive-mode-disable No card number specified. Assuming card 0 Channel 0 and 1 are set to work in normal TX/RX mode. [root@localhost SW]# Related Commands pnic passive-mode-enable Con[...]

  • Page 104

    104 Appendix A pnic resetconf Reset the system configuration back to the default settings, wh ich are located in <installation_dir ectory>/SW/misc/pnic.conf . Synt ax pnic resetconf [ number ] Parameters Command History Example Figure 69 [root@localhost ~]# pnic resetconf No card number specified. Assuming card 0 Loading default configuration[...]

  • Page 105

    P-Series Installation and Operation Guide, version 2.3.1.2 105 • Load the rule firmware • Load the capt ure/b lock configura t ion • Load the runtime param eters • Enable the netw ork interface Synt ax pnic restart Command History Example Figure 70 [root@localhost SW]# pnic restart No card number specified. Assuming card 0 Interface pnic0 i[...]

  • Page 106

    106 Appendix A Synt ax pnic sguil-sensor- start [ -f ] Stop the Sguil sensor using the command pnic sguil-sensor-stop . Parameters Command History Example Figure 71 [root@localhost pnic]# pnic sguil-sensor-start Enter the IP address of the Sguil-Server:10.11.194.183 Do you want to enable secure connection between sguil-sensor and sguil-server? 1) E[...]

  • Page 107

    P-Series Installation and Operation Guide, version 2.3.1.2 107 pnic sguil-sensor-stop Stop the Sguil sensor . Synt ax pnic sguil-sensor- stop [ -f ] Start the Sguil sensor using the command pnic sguil-sensor-start . Parameters Command History Example Figure 72 [root@localhost pnic]# pnic sguil-sensor-stop Do you really want to stop the Sguil-sensor[...]

  • Page 108

    108 Appendix A pnic showconf Display configuration paramet ers of the card. Synt ax pnic showconf [ number ] Parameters Command History Example Figure 74 [root@localhost ~]# pnic showconf No card number specified. Assuming card 0 DMA Capture : on MAC rewrite : CH0 - disabled; CH1 - disabled Default Drop packet : disabled Temporary memory : enabled [...]

  • Page 109

    P-Series Installation and Operation Guide, version 2.3.1.2 109 Command History Example Figure 75 [root@localhost SW]# pnic show-firmwares No card number specified. Assuming card 0 List of available firmware images: null.xc4vlx200-ff1513.50.50.2048 snort_rules.bad.xc4vlx200-ff1513.20.20.2048 [root@localhost SW]# pnic show-firmwares Command Example R[...]

  • Page 110

    110 Appendix A Example Figure 76 [root@localhost pnic]# pnic showtech | more No card number specified. Assuming card 0 ************************************************************ Display date ************************************************************ Tue Apr 29 11:21:07 PDT 2008 ************************************************************ Displa[...]

  • Page 111

    P-Series Installation and Operation Guide, version 2.3.1.2 111 Example Figure 77 [root@localhost SW]# pnic start No card number specified. Assuming card 0 Interface pnic0 is down Loading pass/block settings ... Done. Loading dynamic rules ... Done. *************************************** Interface pnic0 is up MTU set to 9264 bytes *****************[...]

  • Page 112

    112 Appendix A pnic temp-mem-disable Disable temporary memory . Synt ax pnic temp-mem-disable [ numbe r ] Enable temporary memo ry using the command pnic temp-mem-enable . Parameters Command History Example Figure 79 [root@localhost SW]# pnic temp-mem-disable No card number specified. Assuming card 0 *** Disabling temporary memory on card:0 success[...]

  • Page 113

    P-Series Installation and Operation Guide, version 2.3.1.2 113 Example Figure 80 [root@localhost SW]# pnic temp-mem-enable No card number specified. Assuming card 0 *** Enabling temporary memory on card:0 successful. [root@localhost SW]# pnic temp-mem-enable Comm and Example Related Commands pnic updatemacvalue Specifies an LSB value for a particul[...]

  • Page 114

    114 Appendix A pnic vlan-remove-disable Disable the VLAN T ag Remove feature. Synt ax pnic vlan-remove-disable Default The VLAN T ag Remove feature is disabled by default. Command History Usage Information This feature is enabled and disabled on both sensing ports. Example Figure 82 pnic vlan-remove-disab le Command Example [root@localhost pnic]# p[...]

  • Page 115

    P-Series Installation and Operation Guide, version 2.3.1.2 115 pnic version Display the driver version. Synt ax pnic version Command History Example Figure 84 pnic version Command Exampl e [root@localhost SW]# pnic version Force10 Networks PNIC Software Version: P_MAIN2.2.0.058 [root@localhost SW]# pnic web-gui-start Start the web server . Synt ax [...]

  • Page 116

    116 Appendix A Example Figure 85 pnic web-gui-st ar t Command Example [root@localhost pnic]# pnic web-gui-start INFO: Generating SSL certificate for the web-gui application. Generating a 1024 bit RSA private key .........++++++ ......++++++ writing new private key to '/usr/local/pnic-mgmt-lib/sslcert/rootkey.pem' ----- You are about to be[...]

  • Page 117

    P-Series Installation and Operation Guide, version 2.3.1.2 117 Example Figure 86 pnic web-gui-stop Command Example [root@localhost pnic]# pnic web-gui-stop Do you really want to stop the web-gui application (y/n)? y Web-gui application has been stopped! [root@localhost pnic]# Related Commands pnic web-gui-start S tart the web serv er .[...]

  • Page 118

    118 Appendix A[...]

  • Page 119

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 119 Ta b l e 2 8 describes briefly the valid Snort keywords su pported on the P-Series. For a more detailed explanation for these keywords, see the Snort website at http://www .snort.org/docs/snort_manual/ node17.html. Appendix B Snort Keywords T able 28 Description of P-Series Snort Keywo[...]

  • Page 120

    120 Appendix B flow This keyword applies the rule to a specific traf fic flow direction. The flow can be in one of two states: • established : Trigg er only on established TCP connections. • stateless : Trigger regardless of the state of th e stream processor . The direction paramete r has the following options: • to_client : Tr igger on serv[...]

  • Page 121

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 121 ttl This keyword checks for the specif ied IP time-to-live value. ttl: [ number { > | < | = } | number - | { - | > | < | = }] number ; uricontent Searches the normalized request URI field for the specified content. data_string can contain mixed text and bin ary da ta. Binar[...]

  • Page 122

    122 Appendix B[...]

  • Page 123

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 123 The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Ta b l e 2 9 and Ta b l e 3 0 . Appendix C Met a and Evasion Rules T able 29 meta Rules for Channel 0 and Channel 1 met a Rules alert tcp any any -> any any (msg :"Z SYN"; flags:S,12; S[...]

  • Page 124

    124 Appendix C[...]

  • Page 125

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 125 Unix Commands Appendix D Basic Unix Commands T able 31 Basic Unix Commands Command Description cd path Changes the current dir ectory to the specified directory . The p ath specified can be an absolute path, or a rela tive path: • The absolute path begins with a fo rward slash, and s[...]

  • Page 126

    126 Appendix D vi Commands vi has two modes: • Command Mode : In command mode, commands can be entered which allow yo u to jump to points in a file, search text, and exit the editor . • Insert Mode : Insert mode allows you to create or alter text in a f ile. Note: Commands are case sensitive. T able 32 Basic vi Commands Command Description vi f[...]

  • Page 127

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 127 Appendix E Glossary ACK An Acknowledgment p acket (ACK) is a packet tha t is sent from the client to th e server to complete a TCP connection. See SYN . DHCP Dynamic Host Configuration Protocol (DHCP) is a protocol that autom atically request s an IP address, su bn et mas k, an d de fa[...]

  • Page 128

    128 Snort Snort is an open source netwo rk intrusion detec tion and prevention system that uses rules created with a special synt ax to ex amine and control specified tra ffic. SP AN Port Switched Port Analyzer (SP AN) Port is a switch po rt that receives a copy of specific traffic that passes through a switch. The SP AN po rt is also called a mirr[...]

  • Page 129

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 129 Manual Pages Information on op erating the appliance can be accessed through manual pages (man pages) with the command man command . The command man pnic displays the man pages on the command line interface; and man pnic displays them on the Ncurses interface. Man pages for the compile[...]

  • Page 130

    130 Technical Support Cont acting the T echni cal Assist ance Center Locating P-Series Serial Numbers The P10 serial number is located on a sticker on the back of the unit in the top-right corner (see Figure 2 ), as well as on the left mounting bracket (see Figure 87 ). The serial number is below the bar cod e and has 8 characters. Figure 87 Locati[...]

  • Page 131

    P-Series Installation and Operation Guide, ve rsion 2.3.1.2 131 Requesting a Hardware Replacement T o request replacement hardware, follow these steps: Step T ask 1 Determine the part number and serial n umber of the component. 2 Request a Return Materia ls Author ization (RMA) number from T AC by opening a support case. Op en a support case by: ?[...]

  • Page 132

    132 Technical Support[...]