Welcome to RealSecure - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Welcome to RealSecure' - arvin


Presentation Transcript
Welcome to RealSecure

RealSecure 6.0

Course Objectives

After completing this course, you will be able to:

  • Explain how to deploy RealSecure components in various network environments
  • Install and configure RealSecure components and X-Press Updates

  • Use the Workgroup Manager components to manage and monitor RealSecure assets
  • Configure and customize policies
  • Configure events and their responses
  • Display and inspect event information
  • Generate and view RealSecure Standard reports

Course Outline
  • Day One
    • Introduction
    • Implementing RealSecure
    • Preparing for Installation
    • Installing RealSecure
    • Using the Deployment Wizard
    • X-Press Updates
  • Day Two
    • Using the Console
    • Managing Assets
    • Managing Sensor Policies
    • Monitoring Events
    • Configuring Network Sensors
    • Configuring RealSecure for Nokia
  • Day Three
    • Configuring Server Sensors
    • Working with Events and Responses
    • Working with Databases and Reports
    • Course Review
    • Exam

Module 1

Introduction to RealSecure

Module Objectives

After completing this module, you will be able to:

  • Identify and describe the RealSecure components
  • Describe how the RealSecure components work together to monitor your network
  • Identify the types of threats RealSecure recognizes
  • Review the goals and methods of attackers
  • Explain how RealSecure responds when your system is under attack

What is RealSecure?

RealSecure is made up of many components:

  • Sensors (Network and Server): software applications that look for suspicious activity or attacks and generate the appropriate response
  • Workgroup Manager: application used to manage sensors via a console, gather event data from the sensors and send it to the database, and maintain the database

The RealSecure Family

Types of Managers

Each RealSecure Manager provides a different function

  • RealSecure Workgroup Manager: allows for centralized control of sensors and centralized collection of threat event data
  • Command Line Interface: sensor management from the command line
  • Sensor Manager Utility: allows you to manage multiple groups of sensors using a Java-based front-end to the command line interface

Types of Sensors

How Sensors Work Together

Network Sensor

  • Dedicated hardware/software solution
  • One sensor protects multiple systems
  • Promiscuously monitors all traffic on a collision domain
  • Diverse range of attack signatures

Server Sensor

  • Runs on each system to be protected
  • Combination of host and network sensors (can be run with host components only)
  • Monitors system logs, file access, port activity, registry keys, user activity
  • Tightly integrated with the TCP/IP stack to monitor all traffic to and from the system

Benefits of Using Both Sensors

RealSecure sensors complement each other to provide maximum security coverage. They also provide:

  • Real-time detection at the network level
  • System-specific confirmation at the host level

How Sensors Work

Type of data monitored

  • Raw network packets for Network Sensors and Server Sensors
  • Operating system log entries for Server Sensors

Signature base

  • ISS X-Force
  • Comprehensive signature database

Functions of each sensor

  • Network Sensor
    • Runs on network segment where installed
    • Monitors all IP traffic
  • Server Sensor
    • Runs on host
    • Monitors log files and network traffic to and from that host
    • Compares log file entries against current policy

Actions Sensors Can Take

When a sensor detects unauthorized activity, it can take one or more actions.

  • Post an event to the RealSecure Console
  • Record an event to the RealSecure database or record the session to the RealSecure database
  • Send an email alert
  • Terminate the user’s session or send an RSKill
  • Send SNMP trap
  • Take a user-definable action
  • Block specific network packets all the time or in response to a particular event (Server Sensor only)

Performance Impact of Sensors

Network Sensor on critical network segment:

  • Unobtrusive
  • Monitors traffic on the local network segment
  • Does not interrupt traffic stream

Server Sensor on the server:

  • Configurable
  • Minimal processor overhead for single-user systems
  • Impact increases on multi-user systems
  • You control how much auditing is done on the server

Threats Recognized by RealSecure

Attack – Activity pattern indicating potentially malicious, unauthorized, or undesirable activity

  • Denial of Service
  • Unauthorized Access Attempts
  • Pre-attack Probes
  • Suspicious Activity

Misuse – Non-attack activity that violates stated security or appropriate use policies

  • Abuse of admin privileges
  • HTTP activity
  • Unauthorized access
  • E-mail session decoding

How to Spot and Counteract Threats
  • Understand attack goals and methods
    • Information gathering
    • Initial system access
    • Obtaining elevated privilege
    • Establishing ownership
  • Recognize the role of firewalls
    • Are they enough?
    • Do they protect internal segments and servers?
    • Is the firewall rule base secure?
  • Configure RealSecure to identify and respond to attacks

Attack Goals

Common attacker goals include:

  • Finding a weakly configured system to turn into a zombie
  • Using a compromised machine as a stepping stone to other linked systems
  • Acquiring data
  • Damaging or destroying information
  • Defacing a public site
  • Creating a denial-of-service condition

Attack Methods

Attacker methods follow these steps:

  • Gathering information
  • Gaining initial system access
  • Obtaining elevated privileges
  • Establishing “ownership”

Information Gathering

Attackers may gather information from many sources:

  • Telephone calls to the company.
  • Phone books.
  • Web and Newsgroup searches.
  • Visits to the physical site.
  • Public library reference tools.
  • Network scans.
  • The organization's own web site.
  • Finger probes.
  • Dumpster diving.
  • ARIN/RIPE/APNIC and DNS records.

Initial System Access

User-level access can be obtained through:

  • Brute-forcing a legitimate user’s password
  • Logging in with a default account
  • Getting shell access by taking advantage of a bug or misconfiguration

This may be the most difficult step!

Obtaining Elevated Privileges

With initial system access gained in the previous step, the attacker can:

  • Attempt to get root or administrator access
  • Traverse the system gathering information about vulnerabilities
  • Obtain or construct programs to exploit vulnerabilities discovered

Establishing Ownership

Once root access has been gained, an attacker will:

  • Install backdoors through which to access the system without creating logs or appearing on process or user lists
  • Alter system logs to remove any evidence of compromise

Now the attacker has control of your system!

The Role of Firewalls

A firewall is the first line of defense against an external intruder. Questions to ask include:

  • Are they enough?
  • Do they protect internal segments and servers?
  • How can you determine if the firewall rule base is secure?

Anatomy of an Attack: No IDS

[Diagram: router, firewall, e-mail server and web server, NT and UNIX systems, clients and workstations; attack paths labelled imap, rlogin, and crack]

Step 1. A port scan through the firewall finds active rlogin services on various systems and a vulnerable IMAP service on the corporate e-mail server.

Step 2. Attacker exploits weakness in IMAP to get root access on E-Mail server in the DMZ.

Step 3. Attacker exploits trust relationships to get access to a Unix system inside firewall.

Step 4. Attacker cracks password files and now has root/administrator access to various systems and applications.

Step 5. Attacker uses password information to turn CEO’s system into a remotely-controlled zombie.

Anatomy of an Attack: RealSecure IDS

[Diagram: the same network as the previous slide (router, firewall, e-mail server and web server, NT and UNIX systems, clients and workstations) with Network Sensors and Server Sensors added]

Step 1. Network IDS sees port scans & reconfigures FW to block it. Host IDS sees port probes and keeps internal systems from replying to scan.

Step 2. Network IDS sees attempt to exploit IMAP. Host IDS restricts outgoing connections from the mail server to the internal network.

Step 3. Host IDS notifies you of unusual logins and restricts incoming connections from outside. Now a compromised external system can’t be leveraged against internal system.

Step 4. Host IDS sees attempted access to password files and restricts FTP/Telnet so attempt to crack passwords fails.

Step 5. Network & Host-Based IDS work together to protect your CEO’s system (and your job!).

Module Review

You should be able to:

  • Identify and describe the RealSecure components
  • Describe how the RealSecure components work together to monitor your network
  • Identify the types of threats RealSecure recognizes
  • Review the goals and methods of attackers
  • Explain how RealSecure responds when your system is under attack

Module 2

Implementing RealSecure

Module Objectives

After completing this module, you will be able to:

  • Discuss scenarios for Workgroup Manager deployment
  • Determine where to deploy Network Sensors and Server Sensors
  • Address configuration issues associated with Stealth mode and out-of-band reporting

Deploying Workgroup Manager
  • Typical install puts all components on one computer
  • Production environment: use custom install and split components among several computers to improve performance
  • Critical that Enterprise Database be on secure system, since it contains all event information

Workgroup Manager Scenario One
  • 1-5 sensors, 1 computer, typical install:

Workgroup Manager Scenario Two
  • 1-5 sensors, 1 computer, typical install; backup Console with custom install on second computer:

Workgroup Manager Scenario Three
  • 6-20 sensors, WGM components distributed across 2 computers, backup Console on third computer:

Workgroup Manager Scenario Four
  • 20-50 sensors, WGM components distributed across 3 computers, backup Console on fourth computer:

Workgroup Manager Scenario Five
  • 50+ sensors, WGM components distributed across 5 computers, backup Console on sixth computer:

Deploying Sensors

Place Network Sensors on each segment of the network where:

  • Critical data must be protected
  • Users need to be monitored

Place Server Sensors:

  • On all servers containing critical information
  • On host systems containing critical data
  • On Unix NIS servers
  • On hosts to be used for remote Unix syslog monitoring

One Console, Multiple Sensors
  • One Console best supports up to 50 sensors
  • Varies depending on sensor configuration and how real-time incident response is handled
  • Number of sensors managed by a single Console can be limited by response capabilities of Console operator
  • Typical ratio for Network Sensors is 10-20 per Console
  • If less emphasis is placed on real-time response, ratio for Network Sensors is 20-30 per Console

One Sensor: Multiple Consoles
  • A single sensor can send data to up to 50 Consoles
  • A typical configuration is one sensor sending data to 2-4 Consoles

Examples of Deployment
  • Network Sensors in key locations:
    • In front of firewall
    • In DMZ
    • Inside firewall
    • On key segments of internal network
    • On segment with dial-up server
    • Behind firewall of corporate partner
  • Server Sensors on key systems:
    • Important servers
    • Host systems with critical data
    • Windows NT domain servers or UNIX NIS servers
  • Console on intranet backbone

Liberal Deployment

RealSecure on a Switched Network
  • Ways to support RealSecure in a switched network environment include use of:
    • Span or mirror ports
    • Hubs
    • Taps
  • Associated issues are discussed in detail in the Advanced RealSecure course

Stealth Mode and Out-of-Band Reporting
  • Out-of-band reporting: communications outside the network/channel that is being monitored
  • With RealSecure, set up out-of-band reporting for Network Sensor by using two interfaces:
    • A “stealth” interface with no IP address on the monitored segment
    • A reporting interface with an IP address on the reporting segment

Advantages of Stealth Mode
  • Network Sensors cannot be located by attacker
    • Attacker doesn't know which segments are monitored
    • Attacker can’t be sure Network Sensor is being avoided or overwhelmed
  • Network Sensors are inaccessible to IP attacks from production network
    • Sensor has no IP address
  • No Network Sensor reporting traffic exists on production network
    • Prevents attackers from getting information about IDS

NS Responses and Stealth Mode
  • Kill responses are constructed by sensor’s packet engine and don’t require IP address
  • All other responses must be sent from IP-bound interface
  • Using stealth configuration, OPSEC, LMF, SMTP, and SNMP responses originate from reporting interface onto reporting segment; kill responses originate from monitored interface with spoofed source and destination

Non-Kill Responses and Stealth Mode
  • For non-kill responses to work, routing path must exist between reporting network and response recipients
  • Routing path can be an internal firewall between production network and out-of-band network
  • Example of out-of-band network firewall policy:
    • Block everything except (1) outgoing responses from Network Sensors and (2) reporting traffic between host-based sensors and Console

Out-of-Band Reporting Outside Firewall
  • The fear that this circumvents the firewall is unfounded
  • Network Sensor in stealth configuration is more secure than a firewall
  • Operating system’s TCP/IP stack is unbound from interface, isolating sensor from stack vulnerabilities
  • Incoming packets are handled as data, with no capacity to pass packets to reporting interface

Module Review

You should be able to:

  • Discuss scenarios for Workgroup Manager deployment
  • Determine where to deploy Network Sensors and Server Sensors
  • Address configuration issues associated with Stealth mode and out-of-band reporting

Module 3

Preparing for Installation

Module Objectives

After completing this module, you will be able to:

  • Determine whether your systems meet the minimum requirements
  • Explain how authentication works in RealSecure
  • Identify the differences between authentication keys and license keys
  • Discuss some considerations for upgrading from RealSecure 5.x to 6.0

Online Help

The online Help provides information such as:

  • Help during installation of RealSecure
  • Event information:
    • Type of event
    • Detailed description
    • Why the event might be dangerous
    • Possible false positives
    • Systems affected
    • How to respond to the event
    • How to remove the vulnerability

Requirement to use online Help: Internet Explorer 4.01 with SP 1 or higher

Using Authentication

Authentication is a way for a component to prove who it is to one of its peers (another component). It:

  • Occurs when communication connections are established
  • Relies on a public/private key pair created by the cryptographic providers you selected when you set up the component

When Authentication is Enabled…

Communication is established from the Console in the following manner:

  • The Console makes an outbound request by sending its public key to the component.
  • The component authenticates this public key by matching it to the Console public key stored in its Keys folder. If they match, the component generates a session key, encrypts the session key using the Console’s public key, and sends the session key to the Console.
  • The Console uses its private key to decrypt the session key, and then uses this session key to continue communication.

[Diagram: the exchange above between the RealSecure Console and a RealSecure Component]
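The handshake on this slide written out as an added example (not RealSecure code, and not the Certicom or Microsoft RSA providers the course refers to): a toy textbook-RSA stand-in carries the session key, a dictionary simulates the component's Keys folder, and the missing-key branch is the "Console public key is missing" case from the troubleshooting slide in Module 5. The HMAC tag on the follow-up message is an assumption about how the session key is used afterwards; the slide only says communication continues under it.

```python
"""Constructed model of the RealSecure 6.0 Console/component authentication
handshake described on the slide.  Everything here is illustrative: the toy
RSA uses a tiny modulus and no padding, so it shows the message flow only."""
import hmac
import secrets


# --- Toy textbook RSA (constructed stand-in; NOT a real cryptographic provider) ---
def toy_keypair(p=1000003, q=1000033, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def toy_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def toy_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def mac(session_key, msg):
    """Keyed integrity tag for post-handshake traffic (assumed use of the session key)."""
    return hmac.new(session_key.to_bytes(4, "big"), msg, "sha256").digest()


class Component:
    """Sensor or Event Collector side.  `keys_folder` simulates the Keys
    directory: file name -> stored public key (the Console's rs_con key)."""

    def __init__(self, keys_folder):
        self.keys_folder = dict(keys_folder)
        self.session_key = None

    def handle_connect(self, console_pub):
        # Step 2: authenticate the presented key by matching it against the
        # stored copy.  An unknown key creates no session at all, which is
        # exactly the symptom when rs_con was never pushed to this component.
        if console_pub not in self.keys_folder.values():
            raise PermissionError("Console public key not found in Keys folder")
        self.session_key = secrets.randbits(32)  # fits under the toy modulus
        return toy_encrypt(console_pub, self.session_key)

    def handle_message(self, msg, tag):
        # Only a Console holding the matching private key could have
        # recovered the session key, so a valid tag proves possession of it.
        return hmac.compare_digest(mac(self.session_key, msg), tag)


class Console:
    def __init__(self):
        self.pub, self.priv = toy_keypair()
        self.session_key = None

    def connect(self, component):
        encrypted = component.handle_connect(self.pub)  # Step 1: send public key
        self.session_key = toy_decrypt(self.priv, encrypted)  # Step 3: recover session key
        return self.session_key

    def send(self, component, msg):
        return component.handle_message(msg, mac(self.session_key, msg))


def run_handshake(key_pushed):
    """Return (handshake_ok, message_ok).  key_pushed=False models the
    troubleshooting case where rs_con was never copied to the component."""
    console = Console()
    folder = {"rs_con": console.pub} if key_pushed else {}
    component = Component(folder)
    try:
        console.connect(component)
    except PermissionError:
        return False, False
    ok = console.session_key == component.session_key
    return ok, console.send(component, b"GetStatus")


if __name__ == "__main__":
    print("rs_con key pushed:", run_handshake(True))
    print("rs_con key missing:", run_handshake(False))
```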

Automatically Importing Keys
  • If you enable key auto-import as you install RealSecure components, you can automatically push Console and Event Collector keys to components the first time you connect.
  • We will be using the Deployment Wizard later to push keys and connect to components.

Location of Console Keys

The Console’s public keys are located in the following directories by default:

\Program Files\ISS\RealSecure 6.0 Console\Keys\CerticomNRA

-and-

\Program Files\ISS\RealSecure 6.0 Console\Keys\RSA

Location of Event Collector Keys

The Event Collector’s public keys are located in the following directories by default:

\Program Files\ISS\RealSecure 6.0 Event Collector\Keys\CerticomNRA

-and-

\Program Files\ISS\RealSecure 6.0 Event Collector\Keys\RSA

Location of Sensor Keys

For Windows, the sensor’s public keys are located in the following directory:

\Program Files\ISS\issSensors\[name of sensor]\Keys\CerticomNRA

For Solaris, the sensor’s public keys are located in the following directory:

/opt/ISS/issSensors/[name of sensor]/Keys/CerticomNRA

Customizing Encryption
  • RealSecure uses Certicom (ISS ENCRA) and RSA (Microsoft) encryption. If you want to use a different provider, you must install it before you install RealSecure.
  • As you do a custom install of RealSecure, you are prompted to select one or more cryptographic providers.
  • You can arrange providers in order of use.
  • You can also customize any default encryption algorithms or key strengths.

RealSecure Components

Components in RealSecure 6.0 are:

  • Workgroup Manager for Windows 2000 and NT
  • Network Sensor for Windows 2000 and NT
  • Network Sensor for Solaris
  • Server Sensor for Windows 2000 and NT
  • Server Sensor for Solaris
  • Server Sensor for Linux
  • RealSecure for Nokia Network Sensor

Workgroup Manager

Consists of these components:

  • Console
    • Manages and monitors sensors, runs reports from Enterprise Database
  • Asset Database
    • Stores information on network assets
  • Event Collector
    • Manages connections to sensors and sensor data
  • Enterprise Database
    • Stores event information collected by sensors

WGM General Requirements

For any WGM component, alone or in combination with other components:

  • Intel Pentium II 400 MHz
  • Microsoft Windows 2000 Professional SP1, Server SP1, Advanced Server SP1, or Microsoft Windows NT 4.0 with Service Packs 4 through 6a
  • If using SQL Server, you must install the Server version of Windows on the SQL Server computer
  • Dedicated system
  • Other requirements:
    • Admin privileges to the system
    • A monitor with minimum resolution of 800x600 pixels and 256 colors

WGM, All Components Together

Requirements for all components together on same machine:

  • 400 MB disk space plus 500 MB additional for each managed host sensor (1 GB recommended)
  • 256 MB memory required; more if Event Collector processing rate is 50 or more events/second or if you increase default event buffer size
  • MSDE 7, MSDE 8 (2000), or SQL Server installed before installing Workgroup Manager
  • Microsoft Internet Explorer 4.01 with SP1 or higher required for Console

Requirements: Network Sensor

WinNT/2000 system requirements for Network Sensor:

  • Intel Pentium II 400 MHz
  • Microsoft Windows 2000 Professional SP1, Server SP1, Advanced Server SP1, or Microsoft Windows NT 4.0 with Service Packs 4 through 6a
  • 128 MB memory minimum, 256 recommended
  • 175 MB disk space
  • Dedicated system
  • Other requirements:
    • PCI network interface card capable of promiscuous mode; connected to network segment to be monitored
    • Optional: second NIC connected to secure network for out-of-band communications with Console

Solaris Network Sensor Requirements
  • UltraSPARC2 or better, Solaris SPARC 2.6 or 2.7
  • 175 MB disk space
  • Sbus or PCI adapter capable of promiscuous mode
  • NICs with more cache perform better

Requirements: Server Sensor

Server Sensor for Windows

  • Pentium II 200 MHz or better
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows NT 4.0 with SPs 4 through 6a

Server Sensor for Linux Requirements
  • RedHat 7.1 with 2.4.2.2 kernel
  • 75 MB disk space
  • 64 MB memory in addition to memory required by other applications

Solaris Server Sensor Requirements
  • Solaris SPARC 2.6 or 2.7, Solaris SPARC 8
    • For 2.6, install Solaris 2.6 Y2K patch 105621 or later
    • For 7, install patches 106541-11, 107544-03, and 109104-03
    • For 8, install patch #108875-09
  • 75 MB disk space
  • 64 MB memory in addition to memory required by other applications

RealSecure for Nokia Requirements
  • Nokia IP330, IP440, IP530, or IP650 with 256 MB memory
  • Ethernet port (or two ports for Stealth mode)
  • IPSO version 3.4 or higher
  • Windows NT 4.0 with SP3 or later for the Console computer
  • WinZip 7.0 or similar
  • Internet Browser (IE, Netscape) running on the NT machine

License Keys vs. Authentication Keys

  • License Key: indicates that you have the right to use the RealSecure product for a specific length of time and for a specific number of sensors
  • Authentication Key: validates the interactions between the Console and other RealSecure components

Obtaining License Keys

The most secure method of obtaining license keys is to download the key with your browser. This takes advantage of the built-in Secure Sockets Layer (SSL) security in your browser.

Installing the License Key

To install the key, save the file as “iss.key” in the main installation directory for the Console and the Event Collector. The default directories are:

C:\Program Files\ISS\RealSecure 6.0 Console

C:\Program Files\ISS\RealSecure 6.0 Event Collector

Upgrading from RealSecure 5.x

A few things to consider if you are upgrading from RealSecure 5.x to 6.0:

  • Complete uninstall of 5.x components required
  • Saving backup copies of 5.x custom policies you want to use with 6.0 as you uninstall
  • Migrating data from 5.x Console to 6.0 Enterprise Database
  • Migrating data from 5.x Asset Database to 6.0 Asset Database

Module Review

You should be able to:

  • Determine whether your systems meet the minimum requirements
  • Explain how authentication works in RealSecure
  • Identify the differences between authentication keys and license keys
  • Discuss some considerations for upgrading from RealSecure 5.x to 6.0

Module 4

Installing RealSecure

Module Objectives

After completing this module, you will be able to:

  • Install the Workgroup Manager
  • Install the Network Sensor
  • Install the Server Sensor without network monitoring components

Installing RealSecure Components
  • Install Workgroup Manager
  • Install Network Sensor
  • Install Server Sensor with host monitoring components only

Module Review

You should be able to:

  • Install the Workgroup Manager
  • Install the Network Sensor
  • Install Server Sensor with host monitoring only
  • Copy license keys
  • Start Console

Module 5

Using the Deployment Wizard

Module Objectives

After completing this module, you will be able to:

  • List the requirements for running the Deployment Wizard
  • Explain the importance of key placement in the deployment of RealSecure Event Collectors and sensors
  • Use the Deployment Wizard to configure communication between the Event Collector and the sensors
  • Troubleshoot connectivity issues between the Event Collector and the sensors

What is the Deployment Wizard?
  • You must set up communication between the Event Collector and the sensors before you can monitor your network
  • Deployment Wizard walks you through the steps required to complete this process

Note: While an Event Collector can gather data from multiple sensors, a sensor can report to only one Event Collector.

Deployment Wizard Requirements

Before running the RealSecure Deployment Wizard:

  • Install the 6.0 Workgroup Manager, enabling the Automatic key import option
  • Install the appropriate 6.0 sensors, enabling the Automatic key import option
  • Verify that you have Key Administrator status
  • Verify that your ISS license key is valid

Importance of Key Placement

[Diagram: RealSecure communication architecture, showing the Sensors, the Sensor Daemon Channel, the EC Daemon and Event Channels, the Event Collector, the Console, the Enterprise Database, and the Asset Database]

Distribution of Keys

Keys held by each component (two Event Collector groups are shown in the diagram):

  • Sensors reporting to EC1: Con1 rs_con key
  • EC1: the sensors’ rs_eng keys, EC1 rs_eng key, Con1 rs_con key
  • Console 1: EC1 rs_eng key, Con1 rs_con key
  • Sensors reporting to EC2: Con2 rs_con key
  • EC2: the sensors’ rs_eng keys, EC2 rs_eng key, Con2 rs_con key
  • Console 2: EC2 rs_eng key, Con2 rs_con key

Note: When a Console, an Event Collector, and a sensor are loaded on the same machine, the Event Collector’s rs_eng key will be the same as the sensor’s rs_eng key.

Deployment Wizard Steps (Exercises)
  • Identify the ISS license key location
  • Identify the Event Collector location
  • Verify connection to the Event Collector
  • Configure sensors
  • Configure encryption keys
  • Verify Event Collector configuration

Troubleshooting Connectivity Issues

Connectivity problems may occur in two areas:

  • You do not have Key Administrator status for the sensors.
    • Edit the iss.access file to add the following line: [\Roles\KeyAdministrator\<computername_username>];
  • The Console public key is missing from the Event Collector or sensors.
    • Copy the rs_con key from the Console’s Keys folder to the Keys folders of the Event Collector and sensors

Module Review

You should be able to:

  • List the requirements for running the Deployment Wizard
  • Explain the importance of key placement in the deployment of RealSecure Event Collectors and sensors
  • Use the Deployment Wizard to configure communication between the Event Collector and the sensors
  • Troubleshoot connectivity issues between the Event Collector and the sensors

Module 6

RealSecure X-Press Updates

Module Objectives

After completing this module, you will be able to:

  • List the types of X-Press Updates
  • Determine whether your systems meet the minimum requirements for installing an X-Press Update
  • Install an X-Press Update
  • Access the Available Updates window to view X-Press Update information
  • Enable new signatures supplied as part of an X-Press Update

Types of X-Press Updates

The three types of X-Press Updates are:

  • Micro-Update
  • Service Release
  • Upgrade

Requirements for X-Press Updates

The conditions that must be met before installing an X-Press Update are:

  • Console version 6.0 or higher
  • Sensor version 5.0 or higher
  • Must be master controller for the asset
  • Need access to X-Press Updates
  • Close Online Help and Policy Editor prior to installation

Retrieving and Locating X-Press Updates

X-Press Updates can be obtained in two ways:

  • Internet - https://www.iss.net/update/RealSecure
  • SAFEsuite CD - Updates/RealSecure

Module Exercises
  • Install an X-Press Update
  • Enable New Signatures

Module Review

You should be able to:

  • List the types of X-Press Updates
  • Determine whether your systems meet the minimum requirements for installing an X-Press Update
  • Install an X-Press Update
  • Access the Available Updates window to view X-Press Update information
  • Enable new signatures supplied as part of an X-Press Update

Module 7

Using the Console

Module Objectives

After completing this module, you will be able to:

  • Use the Console menus and toolbar
  • Describe the information that is displayed in the Activity Tree and the Console windows
  • Manage Console windows
  • Configure the RealSecure Console

About the Console User Interface

The Console consists of several windows. They include:

  • Menu and Toolbar
  • Online Help
  • Activity Tree
  • Priority windows
  • Event Inspector
  • Managed Assets
  • Session Playback

Module Review

You should be able to:

  • Use the Console menus and toolbar
  • Describe the information that is displayed in the Activity Tree and the Console windows
  • Manage Console windows
  • Configure the RealSecure Console

Module 8

Managing Assets

Module Objectives

After completing this module, you will be able to:

  • Explain what a RealSecure asset is
  • Identify the differences between managing and monitoring assets
  • Add, edit, and delete RealSecure assets
  • Configure daemon roles and properties
  • Maintain keys and files for Event Collectors and sensors
  • Configure Network Sensor and Server Sensor properties

What are RealSecure Assets

RealSecure assets are the daemons and daemon components deployed on your network.

Daemons act as intermediaries between the RealSecure Console and the Event Collectors or sensors. The Console sends commands to the daemon that are directed to a particular component.

Daemon components include:

  • Event Collectors
  • Network Sensors
  • Server Sensors

Managing Versus Monitoring Assets

Managing Assets

Managing an asset involves connecting to a daemon or daemon component to modify its properties, modify its state, or apply policies to it. Assets that are currently being managed are displayed in the Managed Assets window.

Monitoring Assets

Monitoring an asset involves reviewing information related to the security events detected by the asset.

Note: If you stop monitoring an asset, the asset is still active and can be managed as necessary. However, RealSecure no longer displays any event alerts in the Console’s Priority windows.

Working with Assets (Exercises)
  • Select assets to manage or monitor
  • Save a Managed Assets group
  • Open a Managed Assets group
  • Acquire and Release Master Controller status

Managing Daemons

Daemon management is focused on two areas:

  • Administering Daemon Roles
    • Allows you to maintain lists of Key Administrators and Master Status Managers
  • Configuring Daemon Properties
    • Allows you to configure daemon ports, SNMP Trap usage, and basic daemon asset properties

Administering Daemon Roles (Exercises)
  • Add and remove Key Administrators
  • Add and remove Master Status Managers

Configuring Daemon Properties
  • In order to configure Daemon Properties, you must have Master Controller status of the daemon.
    • If you do not have this status you will only be able to review the configuration information.
  • Daemon Properties are configured in the Configure an Asset window.
    • You can also use this window to specify daemon encryption providers and daemon asset properties.

Managing Keys and Files

The RealSecure Console allows you to manage:

  • Authentication keys
  • User-defined files
  • Log files

Note: You can perform these operations on multiple managed assets simultaneously.

Managing Keys for EC or Sensor (Exercises)
  • Add a key to an Event Collector or sensor
  • Copy a key to another folder
  • Remove a key from an Event Collector or sensor

Note: You must have Key Administrator status to perform the above operations.

Managing Files for EC or Sensor (Exercises)
  • Add a file to an Event Collector or sensor
  • Copy a file to another folder
  • Remove a file from an Event Collector or sensor

Note: You must have Master Controller status to perform the above operations.

Managing Event Collectors

Event Collector Properties settings allow you to:

  • View general Event Collector information, such as:
    • Event Collector version
    • IP address
    • Name
    • Daemon port
  • Configure settings for:
    • Event port used for connecting to the Console
    • Event Collector license key path
    • Partner Event Collector settings
    • Other detailed aspects of operation

Accessing Event Collector Properties
  • To access the Event Collector Properties window, select Event Collector > Properties from the Managed Assets window
  • Event Collector Properties window contains four tabs:
    • General
    • Event Sources
    • Database
    • Alerts

Note: To modify Event Collector properties, you must have Master Controller status.

Managing Sensors
  • Sensor Properties allow you to view general sensor information, such as:
    • Sensor version
    • IP address
    • Ports used for connection between the Console and the sensor
    • Adapter card used to monitor the sensor
  • Sensor Properties also control more detailed aspects of operation, involving Alerts and Sensor Queue settings

Accessing Sensor Properties
  • To access the Sensor Properties window, select Sensor > Properties from the Managed Assets window
  • Sensor Properties window contains either three or four tabs:
    • General
    • Alerts
    • Sensor Queue
    • Server Sensor (applies only to Server Sensor)

Note: To modify Sensor properties, you must have Master Controller status

Module Review

You should be able to:

  • Explain what a RealSecure asset is
  • Identify the differences between managing and monitoring assets
  • Add, edit, and delete RealSecure assets
  • Configure daemon roles and properties
  • Maintain keys and files for Event Collectors and sensors
  • Configure Network Sensor and Server Sensor properties

Module 9

Managing Sensor Policies

Module Objectives

After completing this module, you will be able to:

  • Explain the function of sensor policies in RealSecure
  • Apply a policy to a sensor
  • Use the Policy Editor to derive a new policy
  • Use the Policy Editor to customize a policy

What are Policies

Policies control the type of security event a sensor responds to. Each policy contains a list of items, called signatures, that the sensor can detect. When configured, policies control:

  • The type of security events a sensor detects
  • The priority of an event
  • How a sensor responds to an event

Policy File Descriptions

These policy files apply to both the Network and Server Sensors unless otherwise indicated:

  • default.policy
  • current.policy
  • update.policy
  • push.policy
  • issDaemon.policy
  • common.policy
  • issCSF.policy
  • eventlog.policy
  • audit.policy

Legend from the slide (marks individual files): Network Sensor only / Server Sensor only

The Policy Editor

The Policy Editor allows you to work with the various policies. It specifically allows you to:

  • View the contents of a policy
  • Create and customize policies
  • Import previous version policies
  • Print policies

Working with Policies
  • Create a New Policy
  • Customize a Policy

Module Review

You should be able to:

  • Explain the function of sensor policies in RealSecure
  • Apply a policy to a sensor
  • Use the Policy Editor to derive a new policy
  • Use the Policy Editor to customize a policy

Module 10

Monitoring Events

Module Objectives

After completing this module, you will be able to:

  • Monitor the status of the Event Collector and sensors
  • Use the Activity Tree to review event information
  • Use the Event Inspector to view detailed information about event alerts

Event Collector Functions

Components that communicate with the Event Collector include:

  • Sensor: sends event information to the Event Collector
  • Console: receives event information from the Event Collector and not from the individual sensors
  • Enterprise Database: receives event information from the Event Collector that can be used for reporting purposes

Exercise
  • Monitor Sensors

Using the Event Inspector

The Event Inspector window lets you view details about any event RealSecure monitors.

Module Review

You should be able to:

  • Monitor the status of the Event Collector and sensors
  • Use the Activity Tree to review event information
  • Use the Event Inspector to view detailed information about event alerts

Module 11

Configuring Network Sensors

Module Objectives

After completing this module, you will be able to:

  • Identify the default Network Sensor policies
  • Add, edit, and delete network assets and network asset groups
  • Configure Network Sensor events
  • Create a user-defined event
  • Create a user-defined connection filter

Pre-Defined Network Sensor Policies

Pre-defined policies for the Network Sensor include:

  • Attack Detector
  • DMZ Engine
  • Engine Inside Firewall
  • For Windows Networks
  • Protocol Analyzer
  • Session Recorder
  • Web Watcher
  • Maximum Coverage
  • Original

Implementing Stealth Mode

A stealth configuration is implemented using two NICs on the Network Sensor host.

Stealth Configuration Requirements

To meet the stealth configuration requirements, the system must have:

  • A Network Sensor with two NICs, each attached to a different segment:
    • Monitored segment:
        • Sends RSKills
    • Reporting segment:
        • Reports to the Console
  • A Console accessible to the Reporting NIC

Note: EMAIL and SNMP traps originate from the Reporting NIC.

Exercise
  • Disable/Enable Stealth Configuration

Network Sensor Events

There are four types of Network Sensor events. They are:

  • Security Events
  • Connection Events
  • User-Defined Events
  • Filters

RealSecure Asset Organization

The RealSecure Console maintains an Asset database that stores information about the assets on your network.

The assets and the daemons that control them are represented in the Asset database with the following hierarchy:

Network Asset Organization

Asset groups help you organize other network assets that may be affected by sensor policies.

For example, the following hierarchy illustrates how you might group the network assets affected by connection events and filters:

Creating Asset Groups (Exercises)
  • Create an asset group
  • Add assets to a group

Network Sensor Exercises
  • Derive a New Policy
  • Create a Connection Event
  • Create a User-Defined Event
  • Create a Filter

Module Review

You should be able to:

  • Identify the default Network Sensor policies
  • Add, edit, and delete network assets and network asset groups
  • Configure Network Sensor events
  • Create a user-defined event
  • Create a user-defined connection filter

Module 12

Configuring RealSecure for Nokia

Module Objectives

When you complete this module you will be able to:

  • Connect to the Nokia appliance
  • Establish a serial connection
  • Install IPSO
  • Configure the Network Application Platform
  • List prerequisites for installing RealSecure on a Nokia appliance
  • Install RealSecure on a Nokia appliance


Installation Options

  • Connect to appliance
  • Establish serial connection
  • Install IPSO
  • Configure NAP
  • Prerequisites to installation
  • Upgrade/Reinstall RealSecure
  • Install RealSecure
  • Configure RealSecure Console

Configuring the NAP

System startup consists of the following steps:

  • Entering the Hostname
  • Entering Passwords
  • Entering the Browser Type
  • Entering Initial Interface Information
  • Confirming New System Setup Summary
  • Opening Voyager
  • Configuring the Interfaces
  • Monitoring the NAP

Before Installing RealSecure

There are a number of tasks you should complete before installing RealSecure for Nokia. These tasks are enabling:

  • Hostname Resolution
  • Logging of RealSecure informational messages
  • FTP Access

Enabling Hostname Resolution

You must enable hostname resolution so the network appliance can communicate with the workstation that runs the Console. Use one of the following to enable hostname resolution:

  • Select DNS servers to resolve hostnames
  • Add static hosts

Module Review

You should be able to:

  • Connect to the Nokia appliance
  • Establish a serial connection
  • Install IPSO
  • Configure the Network Application Platform
  • List prerequisites for installing RealSecure on a Nokia appliance
  • Install RealSecure on a Nokia appliance

Module 13

Configuring Server Sensors

Module Objectives

After completing this module, you will be able to:

  • Explain how the Server Sensor analyzes traffic
  • Configure Server Sensor to block events
  • Diagram Server Sensor architecture for Solaris and Windows NT
  • List the differences between the NT and Solaris Server Sensors
  • Identify the default Server Sensor policies
  • Configure Server Sensor events
  • Create a Firecell Signature

The OS and Server Sensors

The Server Sensor includes all legacy OS Sensor features as well as:

  • Firecell signatures and blocking
  • SecureLogic
  • Attack signature recognition

The Server Sensor can monitor:

  • Network traffic to and from one host only
  • Traffic above and below the TCP/IP stack on the protected host

Server Sensor Features

Features of the Server Sensor include:

  • Detecting network and system events
  • Detecting security events above and below the IP stack
  • Blocking specific network packets at all times or in response to an event
  • Command-line control
  • Extending validation and response with SecureLogic scripts


Basic Traffic Analysis

[Diagram: layered view of inbound/outbound traffic for the host. User level: Application, then the High Module (Protocol Sensor, High Level Tap). System Protocol Stack: UDP/TCP/ICMP, IP and IPSEC. Kernel: the Low Module (Protocol Sensor, Low Level Tap), then the NIC.]

When to Use Network Sensors

Use Network Sensors when:

  • Switching/speed/encryption are not an issue
  • You want to see unsuccessful attacks for early warning
  • You are willing to put time into tuning out false positives that come with such wide open detection
  • You want to monitor multiple systems with one sensor
  • You want to be notified of all attempted attacks

Otherwise, consider using the Server Sensor

Blocking Events

You can block events using two methods:

  • A firecell signature
  • A Block response

Firecell signatures block all traffic for the designated addresses/port/direction combination until the rule is changed or disabled.

The Block response works on a per-signature basis rather than continually: it drops the packets that match a particular signature.


Where Blocking Methods Are Used

[Diagram: the same layered view as in Basic Traffic Analysis (Application, High Module, UDP/TCP/ICMP, IP and IPSEC, Low Module, NIC), annotated with the blocking method each module applies.]

  • High Module
    • Block responses
  • Low Module
    • Block responses
    • Firecell signatures

About the Block Response

Block responses operate in the Low and High Modules, depending on the signature. They:

  • Work on a per-signature basis rather than continuously
  • Only act on the packets associated with a particular signature when that event occurs
  • Are similar to the Network Sensor Kill response except that a Block also works for TCP, ICMP, and UDP

About Firecell Signatures

Firecell signatures work like a local firewall on your server. They block all traffic for the:

  • Designated addresses
  • Port
  • Direction combination

Note: Firecell signatures operate in the Low Level Module only

Firecell Signature Parameters

You can define firecell signatures according to the following criteria:

  • Inbound packet
  • Outbound packet
  • Protocol type (IP, TCP, UDP, or ICMP)
  • Specific IP address or class of addresses
  • Port number (for TCP and UDP firecell signatures)

Solaris Server Sensor Technology

[Diagram: Solaris Server Sensor architecture. User space: Application, and the Server Sensor process, which reports to the Event Collector and communicates with the kernel modules via ioctl. Kernel space, top to bottom: Socket, High Streams Module (rstcp), TCP/IP Stack, Low Streams Module (rsdrv), NIC Driver.]

Solaris SKIP Encryption

[Diagram: Solaris SKIP encryption. User space: Application, Socket. Kernel space: the High Streams Module (rstcp) sees the original packet (IP, TCP, Data…); below it, SKIP inside the TCP/IP Stack turns it into a SKIP encrypted packet (an outer “IP” header and key, then IP, TCP, Data…) before it reaches the Low Streams Module (rsdrv) and the NIC Driver.]

SKIP is a non-application-level encryption package. It affects how traffic is monitored by the Server Sensor because it sits between the two RealSecure modules, rsdrv and rstcp.

Windows NT Server Sensor Technology

[Diagram: Windows NT Server Sensor architecture. User space: Application, Winsock, the High Module ESP (Rsesp.dll, an LSP), and the Server Sensor process, which shares memory with the High Module and reports to the Event Collector. Kernel space: TDI, TCP/IP Stack, NDIS, the Low Module DNE (rsdne (low)) with a Special High Module, and the NIC.]

White boxes = NT features

Purple boxes = Deterministic features

Blue/green boxes = RealSecure additions

Windows NT Stack Overview

[Diagram: Windows NT stack overview, with Winsock2 in user space above the kernel space layers.]

Windows NT Server Sensor Exceptions

Bypasses to Winsock

IIS, Netscape, and Exchange servers bypass Winsock.

[Diagram: the Windows NT Server Sensor architecture (Application, Winsock, High Module ESP/Rsesp.dll in user space; TDI, TCP/IP Stack, NDIS, Low Module DNE/rsdne (low) with a Special High Module, NIC in kernel space).]

Special policy files “move” high decodes below TDI for applications that bypass Winsock.

NOTE: Only one high decode module is active at any time for a particular group of signatures.

Windows NT Server Sensor Exceptions

SSL and IPsec Encryption

[Diagram: the same architecture, with SSL between the Application and Winsock in user space and IPsec between the TCP/IP Stack and NDIS in kernel space.]

IPsec encryption causes the same lower level limitations as SKIP.

Using the Win NT Include List

The Include List:

  • Can be used to protect other Windows NT servers for which the Server Sensor does not provide special policies
  • Gives you the ability to control which applications the Server Sensor applies its high level signatures to

Pre-Defined Server Sensor Policies

Pre-defined policies for the Server Sensor include:

  • Maximum Windows Exchange
  • Maximum Windows ActiveAlert
  • Maximum Windows IIS
  • Maximum Windows iPlanet
  • Maximum
  • Original

Types of Server Sensor Events

The four types of Server Sensor events/signatures are:

  • Protect
  • Network Events
  • OS Events
  • X-Press Updates

Guidelines for Firecell Signatures

Which IP address and port do you put in the signature?

  • Server Sensor resides on the target host, therefore one IP address is always assumed to be local
  • Firecell signature contains the OTHER address
  • When systems talk, the destination port is usually specified to access a service and the source port is typically random
  • Firecell signatures use the well-known port rather than the random port

Outbound Firecell Signatures

You want to keep users from browsing any Web servers on the 192.168.1.0 network from protected system 192.168.1.3. Begin with a TCP Outbound rule to keep traffic from leaving our protected system. Configure the rule to block:

  • HTTP (port 80), the destination port
  • The Web server network, 192.168.1.0/24, to cover our destination address of 192.168.1.2

Example connection (Server Sensor on the browser host):

  • Web_server: 192.168.1.2
  • Browser: 192.168.1.3
  • D/ADDRESS: 192.168.1.2
  • D/PORT: HTTP (80)
  • S/ADDRESS: 192.168.1.3
  • S/PORT: VARIED

Inbound Firecell Signatures

You want to keep a particular system (192.168.1.3) from accessing the Web server on our protected system. Start with a TCP Inbound rule to keep traffic from coming into our protected system. Configure the rule to block:

  • HTTP (port 80), the destination port
  • The browser address, 192.168.1.3/32, as the source address

Example connection (Server Sensor on the Web server host):

  • Web_server: 192.168.1.2
  • EVIL_Browser: 192.168.1.3
  • D/ADDRESS: 192.168.1.2
  • D/PORT: HTTP (80)
  • S/ADDRESS: 192.168.1.3
  • S/PORT: VARIED
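The guideline and the two firecell scenarios above, worked through as an added Python model (not ISS RealSecure code): the sensor sits on the protected host, so a signature names only the direction, protocol, the OTHER address or network and the well-known port. The class and function names, the constructed packets and the client ports are assumptions made here.

```python
"""Model of Server Sensor firecell signature matching.

Added example; this is not ISS RealSecure code.  It models the rule shape the
slides describe: the sensor sits on the protected host, so a signature names a
direction, a protocol, the OTHER (remote) address or network and, for TCP/UDP,
the well-known service port.  Class and function names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FirecellRule:
    direction: str              # "inbound" or "outbound", relative to the protected host
    proto: str                  # "IP" (any protocol), "TCP", "UDP" or "ICMP"
    remote: str                 # the OTHER address: a host (/32) or a network (e.g. /24)
    port: Optional[int] = None  # well-known port; TCP and UDP signatures only
    enabled: bool = True        # a firecell blocks until the rule is changed or disabled

    def __post_init__(self) -> None:
        if self.direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        if self.port is not None and self.proto not in ("TCP", "UDP"):
            raise ValueError("a port applies only to TCP and UDP firecell signatures")

    def matches(self, pkt: Packet, local_ip: str) -> bool:
        """True if this signature blocks pkt as seen from the host at local_ip."""
        if not self.enabled:
            return False
        # Direction fixes which side is local; the rule only names the other side.
        if self.direction == "outbound":
            if pkt.src != local_ip:
                return False
            remote_ip = pkt.dst
        else:
            if pkt.dst != local_ip:
                return False
            remote_ip = pkt.src
        if self.proto != "IP" and pkt.proto != self.proto:
            return False
        if ip_address(remote_ip) not in ip_network(self.remote, strict=False):
            return False
        # The service is on the destination port in both directions; the client's
        # random source port is never part of the rule.
        if self.port is not None and pkt.dport != self.port:
            return False
        return True


def firecell_verdict(rules, pkt, local_ip) -> str:
    """Return "BLOCK" if any enabled firecell signature matches, else "PASS"."""
    return "BLOCK" if any(r.matches(pkt, local_ip) for r in rules) else "PASS"


def outbound_scenario() -> List[str]:
    """Slide scenario: stop host 192.168.1.3 browsing Web servers on 192.168.1.0/24."""
    local = "192.168.1.3"
    rule = FirecellRule("outbound", "TCP", "192.168.1.0/24", port=80)
    packets = [
        Packet(local, "192.168.1.2", "TCP", sport=40213, dport=80),   # HTTP to the Web server
        Packet(local, "192.168.1.2", "TCP", sport=40214, dport=443),  # another service, allowed
        Packet(local, "10.0.0.5", "TCP", sport=40215, dport=80),      # HTTP off the /24, allowed
        Packet("192.168.1.2", local, "TCP", sport=80, dport=40213),   # inbound, wrong direction
    ]
    return [firecell_verdict([rule], p, local) for p in packets]


def inbound_scenario() -> List[str]:
    """Slide scenario: keep 192.168.1.3 off the Web server on protected host 192.168.1.2."""
    local = "192.168.1.2"
    rule = FirecellRule("inbound", "TCP", "192.168.1.3/32", port=80)
    disabled = FirecellRule("inbound", "TCP", "192.168.1.3/32", port=80, enabled=False)
    packets = [
        Packet("192.168.1.3", local, "TCP", sport=51001, dport=80),   # the EVIL_Browser
        Packet("192.168.1.4", local, "TCP", sport=51002, dport=80),   # another client, allowed
        Packet("192.168.1.3", local, "UDP", sport=51003, dport=80),   # protocol differs, allowed
    ]
    verdicts = [firecell_verdict([rule], p, local) for p in packets]
    # Once the rule is disabled the same packet passes again.
    verdicts.append(firecell_verdict([disabled], packets[0], local))
    return verdicts


if __name__ == "__main__":
    print("outbound:", outbound_scenario())  # ['BLOCK', 'PASS', 'PASS', 'PASS']
    print("inbound:", inbound_scenario())    # ['BLOCK', 'PASS', 'PASS', 'PASS']
```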

Discussion Questions
  • Detect High Module Signatures for IIS
  • Create Firecell Signatures

Module Review

You should be able to:

  • Explain how the Server Sensor analyzes traffic
  • Configure Server Sensor to block events
  • Diagram Server Sensor architecture for Solaris and Windows NT
  • List the differences between the NT and Solaris Server Sensors
  • Identify the default Server Sensor policies
  • Configure Server Sensor events
  • Create a Firecell Signature

Module 14

Working with Events and Responses

Module Objectives

After completing this module, you will be able to:

  • Identify the different types of responses
  • Configure responses
  • Explain the benefits of tuning Event Propagation settings
  • Configure Event Propagation settings

Configuring Attack Responses

The process for specifying how RealSecure responds to attacks involves the following tasks:

  • Select a policy
  • Customize the policy by configuring events
  • Adjust how the sensor responds to events by configuring responses

Response Types

RealSecure provides the following responses:

  • BANNER
  • BLOCK
  • DISABLE
  • DISPLAY
  • EMAIL
  • LMF
  • LOGDB
  • OPSEC
  • RSKILL
  • SECURE LOGIC
  • SNMP
  • SUSPEND
  • USER SPECIFIED
  • VIEW SESSION

Ways to Configure Responses

There are two locations where you can configure responses.

  • Global responses are configured for a Console
  • Sensor responses are configured on the Sensors

Response | Configuration
Global   | Console
Sensor   | Sensors

Configuring Sensor Response Policies
  • RealSecure allows you to create separate sensor response policies
    • Can be saved and applied to multiple sensors of the same type
    • Useful for managing groups of sensors on multiple networks in an enterprise

User-Defined Responses for Solaris

Creating a user-defined response for Solaris requires two major components:

  • Script
    • An executable text file that can be created with any text editor
    • Must call a shell and define an action (run an executable)
  • Response

Understanding Event Propagation
  • Event propagation specifies how an event is distributed to the components of RealSecure
  • Some RealSecure components are subject to flooding:
    • Console (Display and ViewSession responses)
    • Log Database
    • Mail gateway
    • Check Point Firewall-1
    • LMF Server
    • SNMP Agent
    • Host OS (User-defined signatures)

Benefits of Tuning Propagation Settings
  • Prevents potential IDS and network crashes from event “floods”
  • Minimizes the amount of event “noise” seen by Console operators and logged to the RealSecure database

Event Propagation Configuration
  • Advanced window has two tabs:
    • Event Propagation
    • Optional
  • Advanced window contains three areas of user-configurable settings:
    • Event Propagation
    • Event Filtering
    • Optional Parameters

Event Propagation Settings
  • Permits you to define a unique event and group event occurrences by either source or destination information
    • Allow you to see more readily all events from specific sources or directed against specific targets
    • Helps limit the number of event alerts sent to Console
  • Flood Protection option limits the number of LogDB and ViewSession responses the sensor generates when it detects duplicate occurrences of an event

Event Filtering Settings
  • Event Filtering options eliminate redundant responses associated with duplicate occurrences of an event
  • The Event Filtering settings allow you to define either of the following:
    • Number of duplicate occurrences of an event to ignore before generating another response (applies only to LogDB and ViewSession responses)
    • How many seconds to ignore duplicate occurrences of an event before generating another response (applies to all responses)

Filtered Versus Non-Filtered Responses

Filtered Responses:

  • Responses that occur on the first instance of a particular event during an inactive period
  • Display, E-Mail, SNMP, OPSEC, LMF, and User‑Specified

Non-Filtered Responses:

  • Responses that occur for each instance of a particular event, regardless of whether the response has been viewed
  • LogDB and ViewSession
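The Event Propagation, Event Filtering and Filtered Versus Non-Filtered slides above, combined into one added Python model of a sensor's propagation filter (not ISS RealSecure code). The grouping key, the two thresholds, the response names, the event stream and its clock are all constructed here, and how the real sensor combines the count and seconds settings is an assumption.

```python
"""Model of RealSecure event propagation filtering.

Added example; not ISS RealSecure code.  It models the settings the slides
describe: grouping a unique event by source or destination, the number of
duplicate occurrences to ignore before another response (LogDB and ViewSession
only), and the number of seconds to ignore duplicates (all responses).  Names,
the event stream and the clock are constructed; how the real sensor combines the
two thresholds is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "Filtered" responses fire on the first instance of an event in a quiet period;
# "non-filtered" ones fire per instance, limited only by flood protection.
FILTERED = {"DISPLAY", "EMAIL", "SNMP", "OPSEC", "LMF", "USER_SPECIFIED"}
NON_FILTERED = {"LOGDB", "VIEWSESSION"}


@dataclass(frozen=True)
class Event:
    name: str
    src: str
    dst: str
    time: float                             # seconds on a constructed clock


@dataclass
class PropagationSettings:
    group_by: str = "source"                # "source", "destination" or "none"
    ignore_count: Optional[int] = None      # duplicates to skip before another LogDB/ViewSession response
    ignore_seconds: Optional[float] = None  # quiet window applied to every response


@dataclass
class PropagationFilter:
    settings: PropagationSettings
    responses: List[str]
    # (unique-event key, response) -> (time of last response, duplicates seen since)
    _state: Dict[Tuple[tuple, str], Tuple[float, int]] = field(default_factory=dict, init=False)

    def key(self, ev: Event) -> tuple:
        """Identity of a 'unique event' under the grouping setting."""
        if self.settings.group_by == "source":
            return (ev.name, ev.src)
        if self.settings.group_by == "destination":
            return (ev.name, ev.dst)
        return (ev.name, ev.src, ev.dst)

    def process(self, ev: Event) -> List[str]:
        """Return the responses the sensor generates for this occurrence."""
        s = self.settings
        k = self.key(ev)
        fired: List[str] = []
        for r in self.responses:
            prev = self._state.get((k, r))
            fire = True
            if prev is not None:
                last_time, dups = prev
                if s.ignore_seconds is not None and ev.time - last_time < s.ignore_seconds:
                    fire = False                    # inside the quiet window
                if r in NON_FILTERED and s.ignore_count is not None and dups < s.ignore_count:
                    fire = False                    # still ignoring duplicates
            if fire:
                self._state[(k, r)] = (ev.time, 0)
                fired.append(r)
            else:
                last_time, dups = self._state[(k, r)]
                self._state[(k, r)] = (last_time, dups + 1)
        return fired


def run_stream(settings, responses, events) -> List[List[str]]:
    """Feed a constructed event stream through one sensor's filter."""
    f = PropagationFilter(settings, responses)
    return [f.process(ev) for ev in events]


# Constructed stream: one source repeating HTTP_Cookie, plus one other source.
STREAM = [
    Event("HTTP_Cookie", "192.168.1.3", "10.0.0.80", 0.0),
    Event("HTTP_Cookie", "192.168.1.9", "10.0.0.80", 5.0),
    Event("HTTP_Cookie", "192.168.1.3", "10.0.0.80", 10.0),
    Event("HTTP_Cookie", "192.168.1.3", "10.0.0.80", 20.0),
    Event("HTTP_Cookie", "192.168.1.3", "10.0.0.81", 30.0),
    Event("HTTP_Cookie", "192.168.1.3", "10.0.0.80", 100.0),
]
RESPONSES = ["DISPLAY", "LOGDB"]


def count_only() -> List[List[str]]:
    """Skip 2 duplicates before another LogDB response; Display is unaffected."""
    return run_stream(PropagationSettings("source", ignore_count=2), RESPONSES, STREAM)


def seconds_only(group_by: str = "source") -> List[List[str]]:
    """Ignore duplicates for 60 s; both responses fire once per quiet period."""
    return run_stream(PropagationSettings(group_by, ignore_seconds=60), RESPONSES, STREAM)
```

Grouping by destination instead of source makes the second source's event a duplicate of the first (same Web server), so it is suppressed, while the event against 10.0.0.81 becomes a new unique event and fires.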

Optional Parameters Settings
  • Optional parameters are customizable settings associated with an event
  • Each optional parameter has two lines:
    • Line 1: Parameter name and current value
    • Line 2: Description name and parameter description (value)

Which Events are Useful?
  • Depending on your network environment and local security policy, the default settings for RealSecure events may generate either:
    • Useful information
    • Event “noise”
  • Consequently, it is important to fine tune the default event propagation settings to suit your particular needs

HTTP_Cookie Example

Two Hypothetical Scenarios:

  • Administrator “A” wants to know which web sites have stored cookies on any company machine
  • Administrator “B” wants to enforce a company policy of not allowing acceptance of cookies from any source

Conclusion: “Noise” is defined differently in different environments

Module Exercises
  • Create a Banner Response
  • Create a User-Defined Response
  • Configure Event Propagation Settings

Module Review

You should be able to:

  • Identify the different types of responses
  • Configure responses
  • Explain the benefits of tuning Event Propagation settings
  • Configure Event Propagation settings

Module 15

Working with Databases and Reports

Module Objectives

After completing this module, you will be able to:

  • Describe how sensor data transfer occurs.
  • Determine and change size limits of the Enterprise Database; determine if the Enterprise Database is full; and delete event data from the Enterprise Database.
  • Identify and describe the standard reports provided with RealSecure.
  • Specify, save, and remove or reset report criteria.
  • Generate and view a standard report.

Sensor Data Transfer
  • Console supports both 5.x and 6.0 sensors
  • Event information from 6.0 sensors monitored directly in Console and automatically stored in Enterprise Database
  • No need to synchronize 6.0 sensors with Console
  • Events viewed in real time
  • 6.0 sensor deletes any information in its log file after info is delivered and committed to Enterprise Database
  • 5.x sensor functionality remains the same

RealSecure Databases
  • Three types:
    • Console database used for data from 5.x sensors
    • Asset Database used for info about RealSecure Assets
    • Enterprise Database that is common repository for all Console database information; used for viewing, storing, and reporting
  • To use event info from 5.x sensors, 5.x sensor logs must be synchronized with Console database and imported to Enterprise Database.

RealSecure Reporting Features
  • Built-in capability to generate text-based and graphical activity reports
  • Report can tell you where attack came from and when it occurred
  • Can be used to collect evidence for prosecution

Configuring Databases
  • Enterprise Database
    • Covered in module on Event Collector configuration
    • Accessed through Database tab under Event Collector Properties
  • Console Database
    • Used for 5.x sensor data
    • Configuration accessed by selecting View > Options on the Console menu bar and clicking the Console Database tab
  • Asset Database
    • Used for information on network assets
    • Configuration accessed by selecting View > Options on the Console menu bar and clicking the Asset Database tab

Determining Size Limit of Enterprise DB
  • Use osql command interpreter from command prompt
  • Found in one of the following locations:
    • \Program Files\Microsoft SQL Server\80\Tools\Binn for MSDE/SQL 2000
    • \MSSQL7\Binn for MSDE/SQL 7
  • Start up osql:
    • osql -E (logs into MSDE via NT trusted authentication)
    • osql -U <username> (where <username> is a valid SQL user)

Commands Used to Determine DB Size
  • To get maximum size of database plus other statistics about ISSDATA and ISSLOG, type from command prompt after starting osql:
    • use ISSED
    • go
    • sp_helpfile
    • go

Changing Size Limit of Enterprise DB
  • To increase the size limit of the Enterprise DB, type the following at the osql prompt (the unit may be MB or GB):
    • alter database ISSED modify file (name=ISSDATA, maxsize=<new size>MB)
    • go

Determining if Enterprise DB is Full
  • Can’t tell from the size of the DB files; determine it with osql commands instead
  • Start osql and type the following:
    • use ISSED
    • go
    • sp_spaceused
    • go

Deleting Event Data from Enterprise DB
  • For small range of events:
    • Navigate to View → Options → Enterprise Database Maintain, choose a date range, and click Clear Date Range
  • For large number of events to be deleted:
    • Stop ALL Event Collectors. (Note: If you do not stop all Event Collectors first, you could corrupt your database and require a complete reinstall!)
    • Start osql and type the following:
      • use ISSED
      • go
      • iss_truncateevents
      • go
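
The four maintenance slides above (determining the size limit, changing it, telling whether the database is full, and deleting event data) all come down to reading osql output and deciding what to do with it. The script below is an added example written for this module; it is not ISS or RealSecure code. It parses constructed sample output in the shape MSDE/SQL 2000 produces for sp_helpfile and sp_spaceused (the file paths in the sample are invented), computes how much of the ISSDATA MAXSIZE cap is already consumed, which the file sizes alone cannot tell you, and builds the ALTER DATABASE batch from the slide only when the new cap is actually larger than the current file. It assumes a single data file, as the slides describe, and uses the osql -E, -d and -Q switches for a live run.

```python
"""Headroom check for the RealSecure Enterprise Database (ISSED).

Added example for this module, not ISS/RealSecure code. Parses the output of
the two osql batches the slides use (sp_helpfile, sp_spaceused) and builds the
maintenance batches with the preconditions the slides call for.
"""
import re
import subprocess

KB = 1024  # sp_helpfile reports sizes in KB, sp_spaceused in MB

# Constructed sample of `sp_helpfile` output for ISSED (not captured from a real system; paths invented).
SAMPLE_HELPFILE = r"""
name     fileid filename                     filegroup size       maxsize    growth usage
-------- ------ ---------------------------- --------- ---------- ---------- ------ ---------
ISSDATA  1      C:\MSSQL7\Data\ISSDATA.MDF   PRIMARY   1945600 KB 2097152 KB 10%    data only
ISSLOG   2      C:\MSSQL7\Data\ISSLOG.LDF    NULL      102400 KB  Unlimited  10%    log only
"""

# Constructed sample of the first result set of `sp_spaceused`.
SAMPLE_SPACEUSED = """
database_name  database_size  unallocated space
-------------- -------------- ------------------
ISSED          1900.00 MB     50.00 MB
"""

HELPFILE_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<fileid>\d+)\s+(?P<filename>.+?)\s+(?P<filegroup>\S+)\s+"
    r"(?P<size>\d+) KB\s+(?P<maxsize>\d+ KB|Unlimited)\s+(?P<growth>\d+ KB|\d+%)\s+"
    r"(?P<usage>data only|log only)$"
)


def parse_helpfile(text):
    """Map each database file name to its size and MAXSIZE in KB (MAXSIZE None when Unlimited)."""
    files = {}
    for line in text.splitlines():
        m = HELPFILE_ROW.match(line.strip())
        if not m:
            continue  # header, dashes, blank or row-count lines
        cap = None if m["maxsize"] == "Unlimited" else int(m["maxsize"].split()[0])
        files[m["name"]] = {"size_kb": int(m["size"]), "maxsize_kb": cap, "usage": m["usage"]}
    return files


def parse_spaceused(text):
    """Return (database_size_kb, unallocated_kb) from sp_spaceused's first result set."""
    m = re.search(r"^(?P<db>\S+)\s+(?P<size>[\d.]+) MB\s+(?P<free>[\d.]+) MB\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("unrecognised sp_spaceused output")
    return int(float(m["size"]) * KB), int(float(m["free"]) * KB)


def data_headroom_kb(files, unallocated_kb, data_file="ISSDATA"):
    """KB the data file can still absorb: free space inside it plus room to grow up to MAXSIZE.
    Assumes one data file (as on the slides). Returns None when MAXSIZE is Unlimited."""
    f = files[data_file]
    if f["maxsize_kb"] is None:
        return None
    return unallocated_kb + max(f["maxsize_kb"] - f["size_kb"], 0)


def percent_of_cap_used(files, unallocated_kb, data_file="ISSDATA"):
    """Percentage of MAXSIZE already consumed; None when there is no cap."""
    headroom = data_headroom_kb(files, unallocated_kb, data_file)
    if headroom is None:
        return None
    cap = files[data_file]["maxsize_kb"]
    return round(100.0 * (cap - headroom) / cap, 1)


def alter_maxsize_batch(new_size_mb, files, data_file="ISSDATA", db="ISSED"):
    """The ALTER DATABASE batch from the slide, refused when the new cap would not exceed the file's current size."""
    current_mb = files[data_file]["size_kb"] // KB
    if new_size_mb <= current_mb:
        raise ValueError(f"maxsize {new_size_mb}MB is not above the current {current_mb}MB file")
    return f"alter database {db} modify file (name={data_file}, maxsize={new_size_mb}MB)"


def truncate_events_batches(event_collectors_stopped):
    """Batches from the 'Deleting Event Data' slide. The slide warns that running this with an
    Event Collector still up can corrupt the database, so the caller must confirm they are stopped."""
    if not event_collectors_stopped:
        raise RuntimeError("stop ALL Event Collectors before running iss_truncateevents")
    return ["use ISSED", "iss_truncateevents"]


def run_osql(batch, db="ISSED"):
    """Run one batch through osql with NT trusted authentication (osql -E), as on the slides."""
    proc = subprocess.run(["osql", "-E", "-d", db, "-Q", batch], capture_output=True, text=True, check=True)
    return proc.stdout


def check_enterprise_db(helpfile_text, spaceused_text, warn_at=85.0):
    """Summarise cap usage; `full_soon` flags a database that needs its MAXSIZE raised or events cleared."""
    files = parse_helpfile(helpfile_text)
    _, unallocated_kb = parse_spaceused(spaceused_text)
    used = percent_of_cap_used(files, unallocated_kb)
    cap = files["ISSDATA"]["maxsize_kb"]
    return {
        "maxsize_mb": None if cap is None else cap // KB,
        "headroom_mb": None if used is None else data_headroom_kb(files, unallocated_kb) // KB,
        "percent_used": used,
        "full_soon": used is not None and used >= warn_at,
    }


if __name__ == "__main__":
    # Offline run on the constructed samples; on a Console host use run_osql("sp_helpfile") etc. instead.
    print(check_enterprise_db(SAMPLE_HELPFILE, SAMPLE_SPACEUSED))
```

On the sample data the ISSDATA file sits at 1900 MB of a 2048 MB cap with 50 MB unallocated inside it, so about 90% of the cap is used and the check reports it as nearly full even though the .MDF on disk is nowhere near the cap.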

Report Formats

RealSecure reports come in the following formats:

  • Text
    • All information on events
  • Text with ports
    • All information on events, including source and destination port information
  • Graph
    • Summary count of events in bar-chart format
  • Custom
    • You are the author

Common Reports

Common reports are:

  • Event Name
  • Event Priority
  • Destination IP
  • Top 20 Events
  • Top 20 Destinations
  • Event Priority Frequency Graph

System Only Reports
  • Login/Logout History
  • NT Admin Activity
  • Unix Syslog Monitoring
  • User Activity
  • Suspect Connections Graph

Network Only Reports

Network Sensor reports are:

  • Destination IP with Ports
  • Event Name with Ports
  • Event Priority with Ports
  • Source IP
  • Source IP with Ports
  • Top 20 Sources Graph

Custom Reports
  • Must be created using Crystal Reports and must have .rpt extension
  • Store them in Custom Reports directory:
    • C:\Program Files\ISS\RealSecure 6.0 Console\Reports\Custom
  • Console displays stored custom reports in Reporting window

Reports Filtering Criteria
  • Accessed via Available Criteria tab in Reports window
  • Criteria tree displays a folder for each criteria category available
  • Criteria items can be created, edited, saved, and deleted
  • Criteria syntax field lets you specify the Crystal Reports syntax you want to use in generating the report

Report Criteria Descriptions
  • Date/Time: Specify start date/time and end date/time
  • Event Name: Specify event name or choose logged events from list
  • Destination IP: Specify destination IP address or IP address range, or choose logged IP addresses from list
  • Source IP: Specify source IP address or IP address range, or choose logged IP addresses from list
  • Response Taken: Specify response taken from list of responses, or choose logged responses from list
  • Sensor Identity: Specify daemon IP address and sensor name, or choose logged sensors from list
  • Severity: Choose Low, Medium, and/or High severity of events

Specifying, Saving, & Deleting Criteria
  • Specify (add or edit criteria) via Available Criteria tab in Reports window.
  • Save criteria by naming it in the Saved Criteria text box and clicking “Save.”
  • Remove criteria item by selecting it in the Current Criteria Tree and clicking “Remove.”
  • To delete ALL criteria items in any folder for that Saved Criteria Set, plus ALL Crystal Reports criteria syntax, click “Reset.”

Missed Events Reporting
  • Allows you to view events that are “missed” (not displayed in the Console) while a sensor is not being monitored
  • Event information is stored in sensor queue file and automatically sent to Event Collector when Console reestablishes communication with sensor
  • Access Missed Events Report by selecting Missed Events from the Console’s View menu or by clicking the Console window’s Missed Events icon
  • Reports window appears with Missed Events selected in the Available Criteria field

Generating & Viewing Standard Reports
  • In Reports window, click Available Reports tab and select report type to generate
  • Saved criteria set to use can be specified via Saved Criteria Set text box
  • Display report on screen by clicking “Preview”
  • Use toolbar at top of Reports Viewer window to navigate through viewer

Module Exercises
  • Specify and save report criteria
  • Generate and view a report

Module Review

You should be able to:

  • Describe how sensor data transfer occurs.
  • Determine and change size limits of the Enterprise Database; determine if the Enterprise Database is full; and delete event data from the Enterprise Database.
  • Identify and describe the standard reports provided with RealSecure.
  • Specify, save, and remove or reset report criteria.
  • Generate and view a standard report.

Course Review

You should be able to:

  • Explain how to deploy RealSecure components in various network environments
  • Install and configure RealSecure components and X-Press Updates

  • Use the Workgroup Manager components to manage and monitor RealSecure assets
  • Configure and customize policies
  • Configure events and their responses
  • Display and inspect event information
  • Generate and view RealSecure Standard reports
