Nokia Intrusion Prevention User manual

Appliance Quick Setup Guide
Part Number N450000567 Rev 001
Published September 2007
Nokia Intrusion Prevention
with Sourcefire

2 Nokia Intrusion Prevention with Sourcefire Appliance Quick Setup Guide
COPYRIGHT
©2007 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth
in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this
computer software, the rights of the United States Government regarding its use, reproduction, and
disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at
FAR 52.227-19.
IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties,
including, but not limited to, implied warranties of merchantability and fitness for a particular purpose
are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any
direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to,
procurement of substitute goods or services; loss of use, data, or profits; or business interruption)
however caused and on any theory of liability, whether in contract, strict liability, or tort (including
negligence or otherwise) arising in any way out of the use of this software, even if advised of the
possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are
trademarks or registered trademarks of their respective holders.
070101

Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
  Tel: 1-877-997-9199
  Outside USA and Canada: +1 512-437-7089
  email: [email protected]
Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
  Tel: UK: +44 161 601 8908
  Tel: France: +33 170 708 166
  email: [email protected]
Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
  Tel: +65 6588 3364
  email: [email protected]

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: [email protected]
Americas: Voice: 1-888-361-5030 or 1-613-271-6721; Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900; Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999; Fax: +65-67232897
050602

About This Document
This document describes how to quickly set up a Nokia Intrusion Prevention with
Sourcefire appliance to operate as a Sourcefire 3D Sensor on Nokia. It describes the
minimum configuration you need to do to set up the appliance. For information on
additional configuration you might want to perform, see the Nokia Intrusion Prevention
with Sourcefire User’s Guide, available on the product CD that came with your appliance.
About Nokia Intrusion Prevention with Sourcefire
Nokia Intrusion Prevention with Sourcefire combines intrusion and vulnerability
management technologies to provide real-time network security. Based on the Sourcefire
3D System, Nokia Intrusion Prevention with Sourcefire enables you to access the
condition of the network in real time, update and enforce policies, monitor and manage
vulnerabilities, and respond quickly to security threats.
Nokia Intrusion Prevention with Sourcefire consists of the following components:
- Sourcefire 3D Sensor on Nokia—consists of the Sourcefire Sensor on Nokia
  application running on a Nokia Intrusion Prevention with Sourcefire appliance. A
  Sourcefire 3D Sensor on Nokia can be deployed to run any or all of the following:
  - Sourcefire Intrusion Prevention System (IPS)—IPS monitors your network
    for attacks that might affect the availability, integrity, or confidentiality of hosts
    on the network.
  - Sourcefire Real-Time Network Awareness (RNA)—RNA provides active
    real-time network discovery and vulnerability analysis.
  - Sourcefire Real-Time User Awareness (RUA)—RUA allows you to correlate
    threat, endpoint, and network intelligence with user identity information.
- Sourcefire Defense Center for Nokia—a standalone server that provides
  correlation of intrusion events with network and host attributes and flow data, as
  well as scalable centralized management of distributed 3D Sensors.
For more information about Nokia Intrusion Prevention with Sourcefire and its
components, see the Nokia Intrusion Prevention with Sourcefire User’s Guide.

Before You Begin
Plan Your Deployment
Before you begin installing and configuring your Nokia appliance, plan how you will
deploy the Nokia Intrusion Prevention with Sourcefire components as part of a network
and enterprise security plan.
The Nokia Intrusion Prevention with Sourcefire User’s Guide provides information on
intrusion prevention considerations, on network deployment scenarios, and on the use of
network devices, such as hubs, switches, and taps, to connect your sensor.
Set Up the Defense Center
You should set up your Defense Center before you install and configure your 3D Sensors.
To set up the Defense Center, see the first two chapters of the Sourcefire Defense Center
for Nokia Installation Guide. This guide is available on the Documentation and Restore
CD that is shipped with the Defense Center.
Nokia appliances can be configured to synchronize time with an NTP time server. A
recommended way to achieve time synchronization between 3D Sensors and the Defense
Center is to configure the Defense Center to be an NTP server that can serve time to the
sensors. To do so, when you configure the system policy for the Defense Center during
the initial setup, set the Serve Time via NTP field to enabled.

Setup Overview
The following figure presents an overview of the steps to follow when you set up a Nokia
appliance to operate as a 3D Sensor. Each step is described in more detail in the following
pages.
[Figure: setup overview flowchart. Start > 1 Install the appliance > 2 Perform the initial configuration > 3 Configure DNS > 4 Configure system time > 5 Enable Sourcefire Sensor software > 6 Set up communication with Defense Center > 7 Add sensor to Defense Center > 8 Install licenses > 9 Update sensor software > 10 Configure detection engine > Setup Complete!]

1 Install the Appliance
The following procedure describes the main steps you need to take to install your
appliance. If you need more help, refer to the appropriate Nokia IPxxx Intrusion
Prevention with Sourcefire Installation Guide, which is available on the product CD that
came with your appliance.
To install the appliance
1. Check the contents of the carton against the packing list to make sure that you
received all of the items you ordered.
Store any packing material that you might require for later shipping.
2. Read any documents packed with the appliance. In addition, read the Release Notes
for IPSO-LX, which is available on the CD that came with your appliance or on the
Nokia support Web site.
3. Make a note of the serial number of the appliance, which is located on the Product
Tracking I.D. Label on the bottom or side of the appliance.
You will need the serial number to obtain a license for the Intrusion Prevention
System (IPS) software.
4. Install the appliance in the equipment rack.
5. Connect the cables as follows:
   - Connect the supplied RJ-45 cable to the console port. You need to have a console
     connection to perform the initial configuration. DHCP is not supported.
   - Connect the cable for the management interface as follows:
     - On a Nokia IP690 IPS, use the first or second port on slot 4.
     - On a Nokia IP290 IPS or IP390 IPS, use any one of the built-in Ethernet
       ports.
   - Connect cables to the remaining Gigabit Ethernet ports that you want to use as
     sensing interfaces.
     Because the Sourcefire application requires a dedicated management interface,
     the management interface cannot be used as a sensing interface.
     For more information on connecting sensing interfaces to network devices and
     on cabling, see the Nokia Intrusion Prevention with Sourcefire User’s Guide,
     available on the product CD that came with your appliance.

2 Perform the Initial Configuration
When you turn on your appliance for the first time, a console wizard automatically runs
that prompts you to provide initial configuration information.
The information you need to supply includes:
- The local hostname for the appliance. The name you choose can include
  alphanumeric characters, dashes (-), and periods (.).
- The case-sensitive password for the admin user account. The admin user has
  complete read/write privileges for all IPSO-LX features that can be configured
  through Nokia Network Voyager, a Web-based element management interface.
- The case-sensitive password for the root user account.
- The physical interface to be used for the management interface, its IP address, and
  network mask length.
- The IP address of the default gateway for the appliance.
To perform the initial configuration
1. Establish a console connection to the appliance, using a terminal or terminal
emulation program with the following port settings:
   - 9600 bps
   - 8 data bits
   - No parity
   - 1 stop bit
2. The initial configuration begins with the following prompt:
   Hostname?
   If the Hostname? prompt does not appear on the console, see the Nokia IPxxx
   Intrusion Prevention with Sourcefire Installation Guide for your appliance for
   troubleshooting suggestions.
3. Answer the prompts for hostname, user admin password, and user root password.
4. When you see the following message, type 1.
You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a
remote browser
2) configure an interface using CLI after reboot
Please enter a choice [ 1-2, q ]:

5. Select the physical interface that will be used for the management interface:
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]:
The list of interfaces that you see depends on the NICs that are installed. Built-in
port names take the form ethn, while ports on NICs take the form eth-snpn. For
example, eth-s4p1 is the ethernet port in chassis slot 4, port 1.
Type the number for the interface you want to configure. This interface should be the
same interface as you connected the management cable to.
6. When prompted, enter the IP address and subnetwork mask length.
7. When you see the following message, type y (the default option):
Do you wish to set the default route [ y ] ?
8. When prompted, enter the IP address of the default router for this interface.
9. When prompted to configure speed and duplex mode, you can either:
   - Configure speed and duplex mode, thereby turning off auto-negotiation. Do this
     if you do not want to use Ethernet auto-negotiation.
   - Enter Return to bypass this step. Do this if you want to leave auto-negotiation on.
10. When asked to confirm the interface parameters, type y.
The system will continue booting. When it is completed, the login prompt will
appear.

3 Configure DNS
After the appliance reboots, you are ready to continue configuring it by using Network
Voyager.
If you will be identifying the Defense Center that manages this sensor by hostname,
rather than an IP address, you need to configure DNS and specify a DNS server.
To use Network Voyager
1. Start a Web browser on a workstation that can connect to the appliance.
2. Enter the IP address you assigned to the management interface during the initial
configuration.
If you use HTTPS to make the connection, you need to enter the SSL port number,
8443. For example:
https://10.10.10.10:8443.
If you use HTTP, you are automatically redirected to HTTPS and the correct SSL
port. You do not need to enter the port number.
Because SSL is enabled, you will receive warning messages about the sample
certificate on the system. Accept the connection.
3. Log in as admin and use the password that you assigned to the admin user.
Note
As part of configuring the appliance with Network Voyager, do not enable the network
interfaces that will be used as sensing interfaces. The interfaces should be administratively
down. The only interface that should be enabled is the management interface.
To configure DNS
1. Choose System Configuration > DNS in the Network Voyager navigation tree.
2. Enter the following information into the following fields:
   - Search list field—enter a list of domain names that might be appended to names
     users enter when trying to connect. Separate each name with a space.
     The maximum length of the entire search list is 256 characters. The maximum
     number of items in the search list is 6.
   - Server fields—enter the IP address of a host running a DNS server. The optional
     secondary and tertiary servers are used if the primary (or secondary) server fails to
     respond.
3. Click Submit.

4 Configure System Time
You must ensure that time is synchronized between the Defense Center and the 3D
Sensors it manages. Nokia recommends that you do so by configuring the appliance to
use NTP for continuous time synchronization with an NTP time server. You can
configure the Defense Center itself to be the NTP time server.
Because it can take a while for the time synchronization to occur after you enable NTP,
you might want to first manually set the time and date by accessing the NTP server once
and then enable NTP for continuous time synchronization.
To set system time once
1. Choose System Configuration > Time from the tree view.
2. Select the appropriate time zone in the Time Zone list box.
3. Either set the time manually or specify a time server:
   - To set the time manually, enter the time and date units to change. You do not
     need to fill in all fields; blank fields default to their existing values. Specify
     hours in 24-hour format.
   - To set the time using an NTP time server, enter the name or IP address of the
     time server in the NTP Time Server text box. Choosing this option sets the time
     once; it does not update the time on a regular basis.
4. Click Submit.
To enable NTP
1. Choose Router Services > NTP from the tree view.
2. In the Add New NTP Server text field, enter the IP address for an NTP server and
click Add.
The server appears in the NTP Servers table.
3. Configure parameters for the server.
Usually, you only need to select the Use check box and you can accept the default
settings for all other parameters.
4. Add additional NTP servers if desired.
5. Click Enable NTP.
6. Click Submit.

5 Enable the Sourcefire Sensor on Nokia Software
The Sourcefire Sensor on Nokia software comes preinstalled on your appliance. You
need only to enable it.
To enable the Sourcefire Sensor on Nokia software
1. Select System Configuration > Packages > Manage Packages from the tree view.
2. Click the Enable check box for the Sourcefire Sensor on Nokia package.
3. Click the Submit button.
After a short wait, a message appears telling you that the package has been registered.
Note
Although the message suggests a reboot might be necessary, you do not need to reboot
the sensor.
After the Sourcefire Sensor on Nokia package is enabled, a link to the Sourcefire Sensor
Configuration page appears in the Network Voyager tree view.

6 Set Up Communications with Defense Center
Establishing the connection between a 3D Sensor and the Defense Center is a two-step
process. You need to:
1. Set up communications with the Defense Center on the sensor.
2. Add the sensor to the Defense Center.
To set up communications on the sensor, you must specify the management interface to
use, the IP address of the Defense Center, and provide registration information for
security purposes.
Once you have done this, you can add the sensor to the Defense Center, using the
registration information you supplied on the sensor.
To set up communications with the Defense Center
1. Select the Sourcefire Sensor link from the tree view.
2. Provide the following information on the Sourcefire Sensor Configuration page:
   - Management Interface—the interface that will be used for Defense Center
     communications. You can choose only from the interfaces that are in the Up
     status.
   - Management Host—the IP address or host name of the Defense Center.
     Use a hostname rather than an IP address if your network uses DHCP to assign
     IP addresses.
   - Registration ID—an optional alphanumeric value you can define as an
     additional security check. If you specify an ID, you will have to provide this ID
     when you add the sensor to the Defense Center.
     This ID is useful in a network environment that uses network address translation
     and more than one host could have the same IP address.
   - Registration Key—a one-time-use registration key that you define and that you
     must provide when you add the sensor to the Defense Center.
   - Management Port—the TCP port number you want to use for communications
     between the Defense Center and the sensor. The default value is 8305/tcp.
     All appliances in your deployment should use the same port number.
3. Click the Submit button.
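
One way to check planned values against the limits stated in steps 1 through 6 before entering them in the console wizard and Network Voyager. This is an added example, not Nokia or Sourcefire code; the SensorPlan record, its field names, and the sample addresses are assumptions made for illustration, and the on-link gateway test is a general sanity check rather than a rule from this guide.

```python
"""Pre-flight check of planned sensor settings against the limits this guide states."""
import ipaddress
import re
from dataclasses import dataclass, field

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")            # step 2: alphanumerics, dashes, periods
IFACE_RE = re.compile(r"eth(?:(\d+)|-s(\d+)p(\d+))")   # step 2: ethN built-in, eth-sNpN on a NIC
SEARCH_MAX_CHARS, SEARCH_MAX_ITEMS = 256, 6            # step 3: DNS search list limits
DEFAULT_MGMT_PORT = 8305                               # step 6: default management port


@dataclass
class SensorPlan:  # hypothetical planning record, not a Nokia or Sourcefire format
    hostname: str
    mgmt_iface: str
    mgmt_ip: str
    prefix_len: int
    gateway: str
    sensing_ifaces: list
    defense_center: str
    registration_key: str
    dns_search: str = ""
    dns_servers: list = field(default_factory=list)
    mgmt_port: int = DEFAULT_MGMT_PORT


def parse_iface(name):
    """Split an interface name into kind/slot/port, or return None if malformed."""
    m = IFACE_RE.fullmatch(name)
    if m is None:
        return None
    if m.group(1) is not None:
        return {"kind": "built-in", "port": int(m.group(1))}
    return {"kind": "nic", "slot": int(m.group(2)), "port": int(m.group(3))}


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(plan, dc_port=DEFAULT_MGMT_PORT):
    """Return a list of problems; an empty list means the plan matches the guide."""
    errors = []
    if not HOSTNAME_RE.fullmatch(plan.hostname):
        errors.append("hostname: only alphanumerics, dashes and periods are allowed")
    for iface in [plan.mgmt_iface, *plan.sensing_ifaces]:
        if parse_iface(iface) is None:
            errors.append(f"interface {iface!r}: expected ethN or eth-sNpN")
    if plan.mgmt_iface in plan.sensing_ifaces:
        errors.append("management interface cannot also be a sensing interface")
    try:  # on-link gateway is a general sanity check, not a rule quoted from the guide
        net = ipaddress.ip_interface(f"{plan.mgmt_ip}/{plan.prefix_len}").network
        if ipaddress.ip_address(plan.gateway) not in net:
            errors.append(f"gateway {plan.gateway} is outside {net}")
    except ValueError as exc:
        errors.append(f"management addressing: {exc}")
    if len(plan.dns_search) > SEARCH_MAX_CHARS:
        errors.append("DNS search list exceeds 256 characters")
    if len(plan.dns_search.split()) > SEARCH_MAX_ITEMS:
        errors.append("DNS search list has more than 6 items")
    if not is_ip(plan.defense_center) and not plan.dns_servers:
        errors.append("Defense Center is named by hostname but no DNS server is set")
    if not plan.registration_key:
        errors.append("registration key is required to add the sensor")
    if plan.mgmt_port != dc_port:
        errors.append(f"management port {plan.mgmt_port} differs from Defense Center {dc_port}")
    return errors

# Constructed sample plans (addresses and names are made up for illustration).
GOOD = SensorPlan("ips-sensor-01.lab", "eth-s4p1", "10.10.10.10", 24, "10.10.10.1",
                  ["eth1", "eth2"], "dc01.lab.example", "constructed-key",
                  dns_search="lab.example example.com", dns_servers=["10.10.10.53"])
BAD = SensorPlan("ips_sensor", "eth1", "10.10.10.10", 24, "192.168.1.1",
                 ["eth1", "ge0"], "dc01", "", mgmt_port=8306,
                 dns_search=" ".join(f"d{i}.example" for i in range(7)))

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(plan) or "ok")
```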

7 Add the 3D Sensor to the Defense Center
You are now ready to add the 3D Sensor to the sensors managed by the Defense Center.
After you complete this procedure, communications between the Defense Center and the
sensor are established and you can start managing the sensor from the Defense Center.
To add the sensor to the Defense Center
1. Log in to the Defense Center.
2. Select Operations from the main menu bar, then click Sensors.
3. On the Managed Sensors page, click New Sensors.
4. Provide the following information on the Sensor Administration page:
   - Host—the IP address of the sensor.
   - Registration ID—Enter the registration ID if you defined one.
   - Registration Key—Enter the registration key.
   - Store Events and Packets Only on the Defense Center—Because you can
     store data on only the Defense Center and not the sensor, this check box is
     selected automatically. You cannot change this setting for Sourcefire Sensors on
     Nokia.
   - Prohibit Packet Transfer to the Defense Center—You can prevent packet data
     from being stored on the Defense Center by checking this check box.
     Note
     If you elect to prohibit sending packet data, the data is not retained. Packet data is
     often important for forensic analysis.
   - Add to Group—Select the group, if any, you want the sensor to belong to.
5. Click the Add button.
The sensor is added to the Defense Center. It can take up to two minutes for the
Defense Center to verify the sensor heartbeat and establish communication. You can
view the sensor status on the Defense Center Sensors page (Operations > Sensors).

8 Install the Licenses
You cannot receive events from any 3D Sensor until the appropriate feature license is
installed on the Defense Center. The licenses required are as follows:
- An IPS software license for each sensor running the Sourcefire Intrusion
  Prevention System (IPS).
- An RNA Host license to receive RNA events from any sensor running Real-time
  Network Awareness (RNA). As long as the host limits are not exceeded, a single
  RNA Host license allows the Defense Center to receive events from multiple
  sensors.
  For example, if your Defense Center will be managing three different Sourcefire 3D
  Sensors on Nokia, with two of them running IPS and all three running RNA, then
  you must add two IPS software licenses and a single RNA Host license that is large
  enough to cover the number of hosts monitored by the three sensors in aggregate.
- An RUA license to receive RUA events from any sensor running Real-time User
  Awareness (RUA). As long as the user limits are not exceeded, a single RUA license
  allows the Defense Center to receive user login events from multiple sensors with
  RUA.
Obtain and install a license as follows:
1. Use the Nokia serial number to obtain a license from the Web-based licensing center,
as described in “To obtain the license” below.
For an IPS software license, use the appliance serial number, which is available on
the Product Tracking I.D. Label that is on the bottom or side of your sensor unit.
For an RNA Host license or an RUA license, use the serial number you received in
the entitlement email from Nokia.
2. Add the license to the Defense Center, as described in “To add the license” below.
To obtain the license
1. From the Defense Center, select Operations > System Settings.
The Information page appears.
2. On the Information page, click License.
The License page appears.
3. On the License page, click Add New License.
The Add Feature License page appears.
4. Click the Get License button.

The Licensing Center Web site appears.
Note
If your web browser cannot access the Internet, copy down the license key at the bottom of
the Add Feature License page. Switch to a browser on a host that can access the Internet
and go to https://www.keyserver.nokia.sourcefire.com.
5. Follow the on-screen instructions for obtaining a feature license.
Note
The Licensing Center Web site accepts 12-digit serial numbers only. Add leading zeros to
your Nokia feature serial number to make it a 12-digit number.
For example, for an IPS software license, add a leading zero to your appliance serial
number. If your appliance serial number is 93060305299, enter it as 093060305299.
6. The feature license will be sent to you in an email. When you receive your license,
you can then add it to the Defense Center as described in the next procedure.
To add the license
1. Copy the license from the email.
2. Return to the Add Feature License page, if you are not already there.
3. In the License field, paste the license provided to you by email.
4. Click the Verify License button to make sure the license has been copied correctly
and is valid.
A message appears stating whether the license has been verified or not.
5. If the license has been verified, click the Submit License button.

9 Update the Sensor Software
Before you start modifying the sensor configuration and applying policies to the sensor,
you should check for software updates and update the software if necessary. Sourcefire
releases patches to the sensor software, vulnerability database updates (VDBs) for
sensors running RNA, and security enhancement updates (SEUs) for IPS policies.
If your Defense Center has an internet connection, you can download and install updates
from the Defense Center. For downloading and installing sensor software patches and
VDBs, go to Operations > Update. For SEU updates, go to Policy & Response > IPS >
SEU.
Sensor software updates, SEUs, and VDBs are also available for download at the Nokia
Support Web site. You can then use the Defense Center to upload them and install them.
For more information, see the Sourcefire 3D System for Nokia User Guide.

10 Configure the Detection Engines
At this point, your Sourcefire 3D Sensor on Nokia is set up in the following default
configuration:
- All the available network interfaces, excluding the management interface, are
  combined in a single passive interface set. (To be considered available, an interface
  must be administratively disabled.)
- A single IPS detection engine is created, which uses the default passive interface set.
If the default configuration of your sensor matches your deployment needs, you can
start receiving events from the sensor as soon as you apply a passive IPS policy to
your detection engine.
From the Defense Center, you can select Policy & Response > IPS > Detection &
Prevention to create and apply a passive IPS policy. For more information, see
“Creating Intrusion Policies” in the Sourcefire 3D System for Nokia User Guide.
Changing the Default Configuration
Your deployment might require a different configuration from the default configuration.
For example, you might be deploying your sensor inline with fail open interfaces, which
would require creating an inline with fail open interface set. Or you might want to also
run RNA or RUA over the default passive interface set.
To change the default configuration, you can:
- Edit the default interface set and create new interface sets.
  By removing interfaces from the default interface set, you make those interfaces
  available for inclusion in other interface sets that you create—for example, an inline
  interface set. The new interface set can then be assigned to the default detection
  engine or to a new detection engine that you create.
  To begin configuring interface sets, select Operations > Configuration > Detection
  Engines > Interface Sets.
- Edit the existing default detection engine or create a new detection engine.
  For example, if you are deploying your sensor inline, you can edit the IPS default
  detection engine to use an inline interface set, rather than the default passive
  interface set. Or you can create a new detection engine to run RNA or RUA.
  To begin editing or creating detection engines, select Operations > Configuration >
  Detection Engines > Detection Engines.
  Note
  The number of detection engines available to you depends on which Nokia appliance
  model you are using.
- Create IPS or RNA policies.
  Before a detection engine can start sending IPS or RNA events to the Defense
  Center, it must have a policy installed. Default IPS policies are supplied that you can
  use as a basis for your IPS policy. You should also configure the RNA settings in the
  system policy.
  RUA detection engines do not require a policy.
  To begin creating or applying detection policies, select Policy & Response and then
  either IPS or RNA, depending on the type of policy.
The Sourcefire 3D System for Nokia User Guide provides information on how to create
and change interface sets, detection engines, and detection policies.