First steps from redborder manager

Once redborder IPS has been registered in redborder Manager, the sensor configuration continues there. Before redborder IPS can analyze traffic according to a security policy, the following tasks must be completed:

  • Enable inspection segments

  • Choose the sensor operating mode

  • Download IPS rules

  • Create security policies

  • Push security policies to sensor

After completing these tasks correctly, redborder Manager will display the security events that the sensor will start to generate.

The generation of events by the sensor will depend on the nature of the traffic to be inspected and on the security policies applied.

Access to redborder Manager

Sensor management begins by accessing redborder Manager. To do this, enter the Manager IP address in a browser and log in with administrator credentials.

The default administrator credentials are: user admin and password redborder.

Figure 1. redborder manager login window

Basic redborder IPS sensor configuration

Once inside redborder Manager, the platform's default dashboard may be shown first. From there, go to the Sensors section, where the newly registered sensor (mysensor) appears.

Figure 2. Monitor Dashboard on redborder manager: go to Sensors

To access the sensor edit options, click on the sensor name.

Figure 3. Sensor mysensor registered and visible from the Sensors section

These edit options are shown in the image below.

Figure 4. Sensor edit options

In the IPS/IDS Settings section you can set the sensor operating mode, which by default is inherited from Tools → General Settings.

Figure 5. redborder IPS sensor operating modes

Available operating modes are:

  • IDS Forwarding

    • It does not block network traffic.

    • In inspection segments with two interfaces, the sensor forwards the incoming traffic to the second interface and analyzes the traffic of the first interface. This ensures connectivity.

    • In inspection segments with a single interface, the sensor behaves as in IDS span mode.

  • IDS span

    • It does not block network traffic.

    • It is used in inspection segments with a single interface (Span Port or Port Mirroring). The sensor analyzes the traffic coming from this interface.

    • In inspection segments with two interfaces, the sensor does not forward traffic from one interface to another, as it does in the IDS Forwarding mode.

  • IPS test mode

    • It does not block network traffic.

    • It behaves like the IPS mode, but in test mode, so nothing is blocked.

  • IPS

    • It blocks network traffic when necessary.

    • It analyzes the incoming traffic of the segment and forwards it to the segment output as long as it does not have to be blocked.

For the sensor to start working, the inspection segment(s) must be enabled. To do this, in the sensor edit options, unfold the Groups section and enable the desired segment(s). In the example below, the default group has a single segment and 4 available CPUs.

Figure 6. Segment group default: segment br0 disabled

In order for the sensor to inspect the network traffic passing through that segment, it is necessary to activate the inspection of that segment in this window, as shown in the following image.

Figure 7. Segment group default: segment br0 enabled

Once enabled, the changes take effect after clicking the Update button.

Download IPS rules

Signature policies are built from Snort rules, so the first step is to configure the platform's rule sources. This is done in Tools → Rule Versions, as shown in the image below.

Figure 8. Tools → Rule Versions

There is a list of three rule sources created and activated by default:

  • Emerging Threats community rules

  • Emerging Threats PRO rules

  • VRT (now Talos)

The Code column shows whether a code is required to download rules from that rule source. The possible values are:

  • Code not required (−): no code is needed to download rules. This is the case for the emergingthreats rule source.

  • Code not configured (✗): a code is required to download the rules, and it has not been entered yet. This is the case for the etpro and vrt rule sources in the example below.

  • Code configured (✓): the required code to download the rules has already been entered.

Figure 9. Default rule sources

In this example, the etpro rule source will be disabled and the vrt rule source will be edited to enter the required code.

Figure 10. Default rule sources: disable etpro and edit vrt

The code for the vrt rule source can be obtained from the official Snort website. Once obtained, enter it in the Oinkcode box and apply the changes by clicking Update.

Figure 11. Editing the vrt rule source: Oinkcode

Once configured, the value of the Code column changes to "Code configured" (✓), as shown in the image below.

Figure 12. emergingthreats and vrt rule sources enabled and vrt code configured

After enabling and configuring rule sources correctly, it is possible to proceed to download rules by clicking on Force Rule Update.

Figure 13. Download of enabled rule sources

In order to download IPS rules, redborder Manager must have an Internet connection and at least one properly configured primary DNS server, as explained in the redborder IPS Installation and Configuration Quick Guide.

Enabled rule sources will begin to be downloaded and processed in redborder Manager.

Figure 14. Downloading enabled rule sources

This action creates a background task. The status of this task can be checked in Tools → Worker & Job Queue.

Figure 15. Tools → Worker & Job Queue

You can see that the RuleUpdatedbJob task is in progress.

Figure 16. RuleUpdatedbJob task in progress

When the task finishes, it moves to the Stored jobs section, where more information about it is available.

Figure 17. RuleUpdatedbJob task completed

This information shows the console output of the completed task.

Figure 18. Console output of the completed RuleUpdatedbJob task

For the vrt rule source, repeated download attempts may be restricted by the provider. If this happens, the error "429 Too Many Requests" appears in the task's information message. We recommend waiting 24 hours before retrying the download.

Going back to the Tools → Rule Versions section, the two downloaded rule versions are listed, as shown in the image below.

Figure 19. Tools → Rule Versions: downloaded rule versions

Each rule version is identified by its date and time of download and has the following fields:

  • Checkbox: the platform administrator checks this box to indicate that the rule version has been approved and can be used in signature policies.

  • Rule version identifier with date and time in "YYYY-MM-DD HH:MM:SS" format.

  • Policies: the number of signature policies that are using this rule version.

  • Number of Rules: it indicates the total number of rules that this version has, including commented (or disabled) rules.

  • New Rules: it indicates the total number of new rules with regard to the previous version.

  • Modified Rules: it indicates the total number of modified rules with regard to the previous version.

  • Del Rules: it indicates the total number of deleted rules with regard to the previous version.
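To make the counters of a rule version concrete, the following added example (not redborder code) compares two constructed Snort-style rule lists the way the fields above describe them. It assumes rules are identified by their sid, that a rule whose line starts with "#" is a commented (disabled) rule that still counts towards Number of Rules, and that a rule counts as modified when its text changes; the page does not state how the Manager compares versions, so those are assumptions.

```python
import re

# Constructed sample rule versions (not real downloaded rule sets): two
# Snort-style rule lists, as they might appear in consecutive downloads.
RULES_V1 = """\
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE dns probe"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; sid:1000003; rev:2;)
"""
RULES_V2 = """\
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE dns probe"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan, v2"; sid:1000003; rev:3;)
alert tcp any any -> any 443 (msg:"EXAMPLE tls probe"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> (commented, rule_text). A line starting with '#' is a
    commented (disabled) rule; it still counts towards Number of Rules."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # plain comment lines without a sid are not rules
        rules[int(m.group(1))] = (commented, body)
    return rules


def version_summary(prev_text, cur_text):
    """Counters shown per rule version in Tools -> Rule Versions, computed
    for the version cur_text relative to the previous version prev_text."""
    prev, cur = parse_rules(prev_text), parse_rules(cur_text)
    new = [s for s in cur if s not in prev]
    deleted = [s for s in prev if s not in cur]
    modified = [s for s in cur if s in prev and prev[s][1] != cur[s][1]]
    return {
        "number_of_rules": len(cur),  # includes commented (disabled) rules
        "uncommented_rules": sum(1 for c, _ in cur.values() if not c),
        "new_rules": len(new),
        "modified_rules": len(modified),
        "del_rules": len(deleted),
    }


if __name__ == "__main__":
    print(version_summary(RULES_V1, RULES_V2))
```

The uncommented count is what a policy sees when "Show only uncommented rules" is checked; the other four counters are the New, Modified, Del and Number of Rules fields.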

Security policies

The redborder IPS sensor needs at least one security policy in order to analyze traffic. This section explains how to create a signature policy and a reputation policy, how to assign them to a sensor and how to apply the changes so that the policies are deployed to the sensor. To do this, go back to the Sensors section of the redborder Manager website, as shown in the image below.

Figure 20. Rule Versions section in redborder Manager: go to Sensors

The Options drop-down list in this section shows different options related to security policies:

Figure 21. Sensors: Options related to security policies

Signature policy creation

Go to Global Signature Policies to create a signature policy.

Figure 22. Sensors: go to Global Signature Policies

On first entry, a message states that there is no policy yet.

Figure 23. Global Signature Policies: New Policy

To create a policy, click on the New Policy button and complete the fields as shown in the following image.

Figure 24. New Signature Policy

Description of each field or option:

  • Name: name of the signature policy.

  • Description: description of the signature policy.

  • Rule Sources & Rule Versions: the rule source and rule version used to build the signature policy.

  • Options:

    • Show only uncommented rules:

      • Checked: only uncommented (enabled) rules are used.

      • Not checked: all rules are used, including commented (or disabled) rules.

    • Auto resolve dependencies:

      • Checked: redborder Manager resolves flowbit dependencies.

    • Add new rules on update:

      • Checked: after a new rule version is downloaded and validated, its new rules are automatically added to the policy with the action chosen from the list that appears when this option is enabled.

    • Block updates available:

      • Checked: a message indicating a rule update is available will not be displayed.

      • Not checked: after downloading and validating a new version of rules, a message will appear stating that there is a rule update available for the policy.

Once the policy is created, all the rules included in it are displayed, as shown in the image below, which indicates a total of 0 rules active out of 10695 available.

Figure 25. Signature Policy: rules

Rules are grouped by category; each category can be expanded down to the detail of an individual rule.

Figure 26. Signature Policy: rules in detail

Rules can be enabled individually or by category. In this example all rules are enabled: select all rules, click the Change action(s) button and choose the Alert action, as shown in the image below.

Figure 27. Signature policy: activating the entire set of rules

After a few seconds all the rules are activated, as shown in the image below.

Figure 28. Signature Policy: all rules activated

To return to the list of signature policies, click Signature Policies for Domain root, as shown in the image above. The following image shows the new signature policy in the Global Signature Policies list.

Figure 29. Global Signature Policies: new policy on the list

Description of each column:

  • Policy Name: name of the policy. There cannot be two policies with the same name.

  • Sources: rule sources used to create the policy.

  • Rules: number of active rules in the policy.

  • Owner: domain owner of the policy.

  • Status: if a more recent version of rules exists, it is indicated by the text "Update Available".

  • Created at: date and time of policy creation.

Reputation policy creation

To create a reputation policy you need to go back to the Sensors section.

Figure 30. Global Signature Policies: go to Sensors

From Sensors you can go to the Global Reputation Policies section from the options menu, as shown in the image below.

Figure 31. Sensors: go to Global Reputation Policies

From Global Reputation Policies select the New Rep Policy option.

Figure 32. Global Reputation Policies: New Rep Policy

A window appears where you must enter the name of the policy and, optionally, a description, as shown in the following image.

Figure 33. New Reputation Policy

After the policy has been created, the Manager automatically redirects to a window where the reputation rules that make up the policy can be configured.

Figure 34. Types of Rules for a Reputation Policy

Types of Rules for a Reputation Policy:

  • IP/Networks: IP addresses or network addresses involved in the communication.

  • Countries: countries involved in the communication.

  • Continents: continents involved in the communication.

Whatever the rule type chosen, the action applied in each case can be one of:

  • analyze: network traffic is analyzed as if there was no reputation policy.

  • bypass (white list): network traffic is not analyzed and is allowed to pass through.

  • drop (black list): network traffic is not analyzed and is blocked.

An example reputation rule is shown in the image below.

Figure 35. Fields to complete on a reputation rule

The image below shows an example set of reputation rules, each of which indicates the following:

  • Analyze all traffic of the network 10.0.50.0/24.

  • Analyze all traffic of the IP address 10.0.70.5.

  • Allow, without analyzing, all traffic of the network 10.0.0.0/8.

  • Block, without analyzing, all traffic related to Switzerland.

Figure 36. Example of reputation rules

Rule order matters: within each type, rules are applied from top to bottom, so the rules entered first take priority.

In the IP/Networks section of this example, the network in the third rule contains both the network in the first rule and the IP in the second rule; even so, the first two rules take precedence over the third. Traffic related to the network 10.0.50.0/24 and to the IP 10.0.70.5 is therefore analyzed, while traffic from the remaining addresses of the network 10.0.0.0/8 is not. If the third rule were placed first, the rules for the network 10.0.50.0/24 and the IP 10.0.70.5 would have no effect.

Finally, referring to the rule in the Countries section, network traffic from or to Switzerland will always be blocked, regardless of the previous rules.
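The first-match, top-to-bottom evaluation described above, as an added example that is not part of the original guide or of redborder's code. It encodes the four rules of the example and checks what happens to sample flows, including the reordering case; the only assumption beyond the text is how a country "drop" combines with an IP-rule result (here, a drop from any rule type wins).

```python
import ipaddress

# Constructed rules mirroring the example in the text: within each type the
# list is evaluated from top to bottom and the first matching rule decides.
IP_RULES = [
    ("10.0.50.0/24", "analyze"),
    ("10.0.70.5", "analyze"),
    ("10.0.0.0/8", "bypass"),   # white list: allowed, not analyzed
]
COUNTRY_RULES = [
    ("CH", "drop"),             # black list: Switzerland blocked, not analyzed
]


def first_match(rules, matches):
    """Return the action of the first rule whose key satisfies matches()."""
    for key, action in rules:
        if matches(key):
            return action
    return None


def evaluate(ip, country, ip_rules=IP_RULES, country_rules=COUNTRY_RULES):
    """Decide the sensor's action for a flow involving ip and country.

    The text says the Switzerland rule applies regardless of the IP rules,
    so a 'drop' from any type wins (assumed to hold for any drop). Otherwise
    the first matching IP rule decides, then the country rule; with no match
    at all the traffic is simply analyzed.
    """
    addr = ipaddress.ip_address(ip)
    ip_action = first_match(
        ip_rules, lambda net: addr in ipaddress.ip_network(net, strict=False))
    country_action = first_match(country_rules, lambda c: c == country)
    if "drop" in (ip_action, country_action):
        return "drop"
    return ip_action or country_action or "analyze"


def reordered_rules():
    """The same IP rules with the /8 bypass rule moved to the first position."""
    return [IP_RULES[2], IP_RULES[0], IP_RULES[1]]


if __name__ == "__main__":
    for ip, cc in [("10.0.50.7", "ES"), ("10.0.1.1", "ES"), ("10.0.50.7", "CH")]:
        print(ip, cc, evaluate(ip, cc), evaluate(ip, cc, reordered_rules()))
```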

Assigning and enforcing security policies on redborder IPS

Once the security policies have been created in redborder Manager, it is time to deploy them to the sensor.

To do this, from the Sensors section, open the options of the sensor to which each policy is to be applied and select Signature Policies or Reputation Policies.

Figure 37. Types of policies available for redborder IPS sensor

In this example a signature policy is assigned first. To do this, inside Signature Policies, click the Assign button and then OK, as shown in the image below.

Figure 38. Assignment of Signature Policy to the sensor

After this, the policy assigned to the sensor is highlighted in green.

Figure 39. Signature policy assigned to the sensor

When you repeat the same steps for the reputation policy, you get a window similar to the one in the previous image, in which the reputation policy assigned to the sensor is highlighted in green.

Figure 40. Reputation policy assigned to the sensor

At the end of the assignment, the Policies column in the Sensors section shows which policies have been assigned to the sensor.

At the same time, the text Configuration Changed indicates that the security-policy configuration of this sensor has changed, so the new configuration must be applied for the changes to take effect.

Figure 41. Assigned policies, configuration change notice and application of the new configuration

Selecting the Apply Configuration option from the sensor options opens the view shown in the following image: a list of sensors with assigned policies.

Figure 42. Configuration Update view

The Configuration Update view shows the policies to be applied to the different sensors. In this example, the boxes on the right are checked by default since the Manager has detected that there are pending changes to apply for the sensor mysensor.

Description of the columns in the Configuration Update view:

  • Sensor / Group / Binding: Sensor, group and binding in which the policy in question has been assigned. Since reputation policies do not apply to bindings, this column does not appear in the Reputation Policies list.

  • Sig Policy or Rep Policy: signature or reputation policy to be applied.

  • Num. Rules: number of rules of the signature or reputation policy.

  • Last Time Applied: the last time a signature or reputation policy was applied to this sensor, group and binding combination.

After selecting the Update option, the policy deployment task on the sensor, named ApplyUpdateJob, starts. Once the task finishes, its result can be seen in the Tools → Worker & Job Queue section, as was done previously with the rule download task.

Figure 43. Console output of the completed ApplyUpdateJob task

Event visualization

After the configuration, assignment and application of policies in the sensor is completed, the sensor starts analyzing the network traffic and sending the generated events to redborder Manager.

To view the sensor events, go to the analytics part of the platform, located on the left of the top bar of the redborder Manager web interface. The IPS App is in this area, and from it the information the sensor is generating can be consulted.

Figure 44. Go to the IPS App

Once inside, the view is structured as follows:

  • Row of options at the top of the view: from here you can set filters, switch between view types, select aggregation and granularity, change the graph type, add new fields to the view, etc.

Figure 45. IPS App analytics configuration options

  • Row of preset time ranges: by default the last hour of data is shown, but a single click switches to the last 24 hours, last week or last month. Custom ranges can also be selected.

Figure 46. Preset time ranges of the IPS App

  • Graphical representation of IPS events: several representation types are available: Streams, Area, Line, Bars, Stacked Area, etc.

Figure 47. Streams type representation of IPS events

  • Table of IPS events: below the graphical representation, the detail of the events is shown.

Figure 48. Table of IPS events

From the Raw view it is possible to obtain the complete detail of each event by clicking on the button to the right of each row.

Figure 49. Detail of an IPS event