Changelog
Date        Name                                        Changes
2012        Matthias Schungel (Master of 3D Report)     Initial document
17.05.2013  Thomas Werner                               Added Performance and troubleshooting section
17.05.2013  Matthias Schungel (Master of 3D Report)     Bugfixes
27.05.2013  Henning Ermert                              Updated to reflect v.1.16
Contents
Best Practice 3D Security Report  1
1. Install from Image  2
2. Mirror Port configuration  2
   a. Configure Mirror Ports  2
   b. Enable DLP for Mirror Port Setup  3
   c. Configure Mirror Port Topology  3
   d. Install policy  3
3. a. b. c. d. e. f. g. h.
4. a.
5. Sample Switch Configurations for Mirror Port  11
6. Example setup & how to start at customer side  13
   a. Appliance  13
   b. Checks  13
   c. Connecting the mirror port interface  13
7. a. b. c. d.
8. a. b. c.
Install & First-time configuration of R76 GAiA
Install 30 Days Eval License + Contract
2012 Check Point Software Technologies Ltd. All rights reserved. [Protected] For public distribution
d. Install policy
Ignore the topology warning regarding missing Anti-Spoofing.
Also, in the IPS tab, edit the Aggressive Aging protection (IPS signature) so that it is enabled with the following settings:
TCP Start Timeout: 5
TCP Session Timeout: 55
TCP End Timeout: 3
Set tracking for the protection to None.
Ensure the destination is Any (and not Internet, as defined by default).
If you have a 3D Report with a huge bandwidth and you are monitoring for several days or weeks, it is recommended to use only Log and not Extended Log in the Track field. This decreases the time needed to generate the 3D Report Word document.
Go to the Engine's settings and enable the following options.
And make sure the profile specifies that all file types/directions are scanned:
h. Install Policy
Install the new policy.
Note: For testing with the EICAR test virus see SK44781.
i. Define the internal network (same object used in the AntiBot policy)
ii. Install SmartEvent policy
CLI commands
enable mirroring to port 23 untagged
configure mirror add port 1
configure mirror add port 2
configure mirror add port 3
configure mirror add port 16
configure mirror add port 14

Comments
Make sure the relevant port (23 in this example) is not tagged.
Cisco Catalyst 2850, 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E, 4500/4000 and C6500/6000 Series Switches That Run Cisco IOS System Software, and Cisco Nexus Series Switches That Run NX-OS Software
conf t
monitor session 1 source interface gigabitEthernet 0/17 both
monitor session 1 destination interface gigabitEthernet 0/15
exit
write mem

Syntax:
monitor session session_number source interface interface-id [, | -] [both | rx | tx]
monitor session session_number destination interface interface-id

The source interface is the interface connected to the router leading to the Internet, and the destination interface is the mirror port.
both - Monitor both received and sent traffic.
rx - Monitor received traffic.
tx - Monitor sent traffic.
Cisco Catalyst 2900, 4500/4000, 5500/5000, and 6500/6000 Series Switches That Run CatOS
Juniper EX-2200
root@switch# edit
root@switch# set ethernet-switching-options analyzer mirror-3d input ingress interface ge-0/0/6.0
root@switch# set ethernet-switching-options analyzer mirror-3d input egress interface ge-0/0/6.0
root@switch# set ethernet-switching-options analyzer mirror-3d output interface ge-0/0/13.0
root@switch# commit

Input port is ge-0/0/6.0.
Output / mirrored port is ge-0/0/13.0.
The input needs both ingress and egress in order to see the entire connection setup.
mirror-3d is the name given to the analyzer instance.
HP Procurve Switches
Some HP Procurve switch models only provide ingress traffic when configured in monitor mode. See the following HP knowledge base article (a bit outdated):
RouterBoard 250GS
A great, cheap switch to use in situations where the customer is unable to provide a mirror port!
Important! Check the switch statistics. If the port you want to monitor has a peak utilization of more than 50% (1 Gbps ports can carry 2 Gbps in total: 1 Gbps TX and 1 Gbps RX), split the monitoring and send TX packets to one mirror port and RX packets to another mirror port (this is what TAPs do). This avoids oversubscription of the switch monitor/SPAN port and makes sure all packets reach the PoC device. The PoC device must then be configured in bridge mode, with the TX and RX monitor/SPAN ports connected to the two sides of the bridge. In most cases a setup with separate TX and RX SPAN ports in bridge mode also gives better performance on the device, because you can configure a topology: the inspection engine then knows which traffic is outbound and which is inbound and works more efficiently.
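The sizing rule above (split TX and RX when the monitored port peaks above 50% of its full-duplex capacity, because a single mirror destination can only transmit one link's worth of traffic) can be checked from periodic byte counters of the monitored port. The following script is an added example and is not part of the Check Point guide; the sample counter series, the `Sample` type and the function names are constructed for illustration. It computes per-direction peak rates over consecutive samples and returns whether a single SPAN destination suffices or whether TX and RX should be mirrored to separate ports.

```python
"""SPAN/mirror port sizing from interface byte counters (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Sample:
    """One reading of the monitored switch port's cumulative counters."""
    t: float        # seconds since an arbitrary epoch
    rx_bytes: int   # cumulative bytes received on the monitored port
    tx_bytes: int   # cumulative bytes transmitted on the monitored port


def peak_rates_bps(samples: List[Sample]):
    """Return (peak_rx_bps, peak_tx_bps) over consecutive sample intervals."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to compute a rate")
    peak_rx = peak_tx = 0.0
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        peak_rx = max(peak_rx, (b.rx_bytes - a.rx_bytes) * 8 / dt)
        peak_tx = max(peak_tx, (b.tx_bytes - a.tx_bytes) * 8 / dt)
    return peak_rx, peak_tx


def span_plan(samples: List[Sample], link_bps: int = 1_000_000_000,
              threshold: float = 0.5) -> Dict[str, object]:
    """Decide whether one mirror port is enough for the monitored port.

    A full-duplex link carries up to 2 * link_bps (RX + TX), but a single
    mirror destination can only send link_bps towards the PoC device.  The
    guide's rule is therefore: if combined peak traffic exceeds `threshold`
    (50%) of the full-duplex capacity, mirror TX and RX to separate ports.
    """
    peak_rx, peak_tx = peak_rates_bps(samples)
    combined = peak_rx + peak_tx
    utilization = combined / (2 * link_bps)
    return {
        "peak_rx_bps": peak_rx,
        "peak_tx_bps": peak_tx,
        "combined_bps": combined,
        "peak_utilization": utilization,
        "split_tx_rx": utilization > threshold,
    }


# Constructed counter series (not real measurements): ten-second polls.
BUSY_SAMPLES = [
    Sample(0, 0, 0),
    Sample(10, 250_000_000, 250_000_000),        # 200 Mbps RX, 200 Mbps TX
    Sample(20, 1_000_000_000, 875_000_000),      # 600 Mbps RX, 500 Mbps TX
]
QUIET_SAMPLES = [
    Sample(0, 0, 0),
    Sample(10, 250_000_000, 375_000_000),        # 200 Mbps RX, 300 Mbps TX
]

if __name__ == "__main__":
    for name, series in (("busy", BUSY_SAMPLES), ("quiet", QUIET_SAMPLES)):
        plan = span_plan(series)
        print(f"{name}: peak RX {plan['peak_rx_bps']/1e6:.0f} Mbps, "
              f"peak TX {plan['peak_tx_bps']/1e6:.0f} Mbps, "
              f"utilization {plan['peak_utilization']:.0%}, "
              f"split TX/RX: {plan['split_tx_rx']}")
```

Feed the function the counters from the switch port facing the Internet router (the SPAN source), not from the mirror destination; once the split is decided, the PoC device is bridged with one SPAN port on each side as described above.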
Monitor Interfaces
b. Checks
Check the settings with the customer (IP addresses & GW configuration)
Check DNS & routing (for the update interface)
Check updates & contract enforcement (IPS, APPC, AntiBot & Antivirus)
Good luck!
b. Memory
i. cpstat -f memory os
ii. fw ctl pstat
iii. cat /proc/meminfo
c. Network
i. netstat -ni
ii. ifconfig eth1 (=> look for dropped packets on the mirror port)
iii. netstat -s
iv. ethtool -S eth1
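A single `ifconfig eth1` reading shows only the lifetime drop counter; what matters when troubleshooting a mirror port is whether drops are still growing. The script below is an added example, not part of the Check Point guide: it parses two snapshots of /proc/net/dev (the kernel table behind the `ifconfig` and `netstat -ni` counters) and reports the increase in received packets and RX drops on the mirror interface. The two snapshots and the interface name are constructed for illustration; on an appliance you would capture the real file a few minutes apart.

```python
"""Growing-drop check for the mirror (SPAN) interface (added example)."""
from typing import Dict

# Column order of /proc/net/dev: 8 receive fields, then 8 transmit fields.
RX_FIELDS = ("rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo")


def parse_proc_net_dev(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter: value}} for the receive counters we need."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue                      # malformed or truncated row
        stats[iface.strip()] = {
            name: int(fields[i]) for i, name in enumerate(RX_FIELDS)
        }
    return stats


def assess_mirror_port(before_text: str, after_text: str,
                       iface: str = "eth1") -> Dict[str, object]:
    """Compare two snapshots and say whether the mirror port is losing packets."""
    before = parse_proc_net_dev(before_text)
    after = parse_proc_net_dev(after_text)
    if iface not in before or iface not in after:
        raise KeyError(f"{iface} not present in both snapshots")
    delta = {k: after[iface][k] - before[iface][k] for k in RX_FIELDS}
    packets = delta["rx_packets"]
    loss_ratio = delta["rx_drop"] / packets if packets else 0.0
    no_traffic = packets == 0 and delta["rx_bytes"] == 0
    if no_traffic:
        verdict = "no traffic arrived: check the SPAN/mirror config and cabling"
    elif delta["rx_drop"] == 0:
        verdict = "no new drops: the mirror port is keeping up"
    else:
        verdict = (f"{delta['rx_drop']} of {packets} packets dropped "
                   f"({loss_ratio:.2%}): mirror port is losing traffic")
    return {
        "delta": delta,
        "loss_ratio": loss_ratio,
        "no_traffic": no_traffic,
        "dropping": delta["rx_drop"] > 0,
        "verdict": verdict,
    }


# Constructed snapshots in /proc/net/dev layout (not from a real appliance).
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0   12345     100    0    0    0     0       0          0
  eth0: 4000000   30000    0    0    0     0          0         0 3500000   28000    0    0    0     0       0          0
  eth1: 1000000   10000    0   40    0     0          0         0       0       0    0    0    0     0       0          0
"""
SNAPSHOT_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12400     101    0    0    0     0          0         0   12400     101    0    0    0     0       0          0
  eth0: 4100000   31000    0    0    0     0          0         0 3600000   29000    0    0    0     0       0          0
  eth1: 6000000   60000    0  540    0     0          0         0       0       0    0    0    0     0       0          0
"""

if __name__ == "__main__":
    print(assess_mirror_port(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "eth1")["verdict"])
```

The TX counters of the mirror interface stay at zero in a correct setup, since the PoC device only listens on it; a non-zero TX delta there is itself worth a look. `ethtool -S eth1` adds driver-level ring-buffer counters that this script does not read.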
d. Cores
i. fw ctl multik stat
2. Turn off Sequence Verifier in IPS:
   In SmartDashboard: IPS > Protections > By Protocol > IPS Software Blade > Network Security > TCP > Sequence Verifier. Make the protection inactive for all profiles.
3. Disable Out of State Protections:
   1. In SmartDashboard: Policy > Global Properties > Stateful Inspection
   2. Uncheck Drop out of state TCP packets
   3. Uncheck Drop out of state ICMP packets
4. Install Policy