P-Series Installation and Operation Guide
Version 2.3.1.2
May 27, 2008
PN: 100-00055-01

[Page 2]
Copyright 2008 Force10 Networks®
All rights reserved. Printed in the USA. January 2008.
Force10 Networks® reserves the right to change, modify, revise t

[Page 3, Contents]
Contents . . .

[Page 4, Contents]
Mirroring to Another Device . . . 24
Cha

[Page 5, Contents]
Chapter 8 Compiling Rules . . .

[Page 6, Contents]
Unix Commands . . .

[Page 7]
Objectives
This document provides installation and operation instructions for the P-Series

[Page 8, About this Guide]
Information Symbols
Related Documents
Additional P-Series documentation is available on the software CD that came with the appliance

[Page 9]
Figure 1 P-Series P10 Appliance (Front View) [front-panel labels: IDENTIFY, LAN 2, LAN 1, VGA, SERIAL, USB x2, KEYBOARD, MOU

[Page 10, Installation]
System Specifications
The specifications in Table 1 apply to the P-Series P10 appliance, Force10 catalog number PB-10GE-2P.
Physical Conn

[Page 11]
Step | Task
1 | Review the system specifications and ensure that your operating and storage co

[Page 12, Installation]
Booting
During booting you can select the OS of your choice.
The management ports are configured for DHCP and probe for an IP address, ga

[Page 13]
Warning: Stop all traffic from flowing through the appliance, and disconnect all cables f

[Page 14, Installation]
13 Re-compile all rules firmware with the new compiler located in the directory pnic-compiler.
cd upgrade_directory/pnic-compiler
gmake
14

[Page 15]
To begin inspecting and filtering traffic you must:
1. Select firmware and dynamic rules
2.

[Page 17]
The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dy

[Page 18, Introduction]
Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports.
Figure 3 [figure labels: Forwarding Engine, Detection Engine, Pa

[Page 19]
Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax i

[Page 20, Introduction]
Inline Deployment
Use the P-Series for inline traffic inspection in IPS or firewall applications at 10-Gigabit line rate (Figure 4).
• Fo

[Page 21]
Highly-available Deployment
Use optical bypass switches with the P-Series for a highly-ava

[Page 22, Introduction]
Figure 8 Passive Deployment with Aggregation using a Network Tap [figure labels: Network Tap, P-Series P10, 10-Gigabit, 10-Gigabit]
Figure 9 Net

[Page 23]
Capturing to a Host CPU
Captured traffic can be sent to a host CPU through a libpcap libra

[Page 24, Introduction]
Mirroring to Another Device
Mirror captured traffic out of the 1-Gigabit mirroring ports to use the P-Series as an IDS accelerator or as

[Page 25]
The GUI can be used to:
• Start and stop the DPI
• Load firmware
• Compile and load dynamic

[Page 26, Graphical User Interface]
GUI Commands
From the Runtime Statistics display, you can enter commands to control the DPI (see Table 3, or enter the h com

[Page 27]
Managing Rules, Policies, and Firmware
Enter the m command from the GUI command line (see

[Page 28, Graphical User Interface]
Table 5 describes the four possible combinations of capture/forward policies.
Editing Dynamic Rules with the GUI
Dynamic rule

[Page 29]
To modify dynamic rules:
Figure 15 Editing Dynamic Rules in vi
Managing Cap

[Page 30, Graphical User Interface]
Figure 16 Managing Capture/Forward Policies GUI
Figure 17 Capture/Forward Policies GUI
Selecting Firmwa

[Page 31]
To select firmware:
Figure 18 Manage Firmware GUI
Runtime Statistics
Runtime stat

[Page 32, Graphical User Interface]
The remaining lines report the cumulative number of events and the rate of those events. A description of each line is give

[Page 33]
Reloading Firmware
During firmware reloading, all packets flow regardless of capture/forwa

[Page 35]
You can manage and monitor the P-Series on the web using the Force10 Networks P-Series No

[Page 36, Web-based Management]
Figure 21 Launching the P-Series Node Manager
Note: Stop the secure HTTP service using the command pnic web-gui-stop (see Appen

[Page 37]
Web-browser Security Certificates
The P-Series Node Manager client and the server communic

[Page 38, Web-based Management]
Monitoring System Performance
Monitor system performance from the Home panel (Figure 23). The Home panel is displayed after logg

[Page 39]
Managing Firmware Images
Manage the software image from the Image Management panel (Figure

[Page 40, Web-based Management]
Figure 25 P-Series Node Manager: Card Management Panel

[Page 41]
Managing Policies
Manage policies from the Policy Management panel (Figure 26). The Policy

[Page 42, Web-based Management]
Figure 26 P-Series Node Manager: Policy Management Panel

[Page 43]
A key aspect of network security deployment is the ability to monitor the network for sec

[Page 44, Network Security Monitoring]
Installing the Sguil System
To employ Sguil you must:
1. Install the sensor. See page 44.
2. Install the server. See page 4

[Page 45]
Uninstalling the Sguil Server
To uninstall the server:
Installing the Sguil Client
You must

[Page 46, Network Security Monitoring]
Installation Files
Table 7 lists the files and directories created during installation that are relevant to running the S

[Page 47]
Running the Sguil System
Running the Sguil Sensor
Start the Sguil sensor using the command

[Page 48, Network Security Monitoring]
• The rule file you are using should be referenced in the snort.conf file. A sample rule file under the rules directory is alread

[Page 49]
Running the Sguil Client
To run the Sguil Client:
Figure 31 Running the Sguil Client
Step

[Page 50, Network Security Monitoring]
Figure 32
Selecting the Sensor to Monitor
When the Sguil client starts and the client is properly connected to

[Page 51]
The command line interface (CLI) is an alternative to the GUI for managing the appliance.

[Page 52, Command Line Interface]
This feature can be enabled per channel. When MAC rewrite is enabled, the P10 appliance classifies the incoming traffic into

[Page 53]
Removing VLAN Tags
The P-Series can strip the VLAN tag from incoming packets before they e

[Page 55]
The P-Series Network Interface Card Compiler (pnic-Compiler) produces user-defined firmwa

[Page 56, Compiling Rules]
Table 8 Compiler Configuration Options
Compilation Option | Description
1 Target Device | Choose the model of your appliance. • The P10

[Page 57]
7 Segmentation Evasion Rules | The pnic-Compiler prepends a set of fixed rules—called evas

[Page 58, Compiling Rules]
Figure 35 pnic-Compiler Option 1-6
root@# gmake
Makefile:2: mtp_configuration: No such file or directory
bin/getparams2.sh
Please choo

[Page 59]
Figure 36 Channel 1 Dynamic rules
Please choose how many dynamic rules (5-20 recommended

[Page 60, Compiling Rules]
Figure 37 pnic-Compiler Option 8-9
Please choose the maximum number of bytes per signature (1024 recommended).
Selecting a small num

[Page 61]
Configuration and Generated Files
Table 9 describes the files that are used or generated b

[Page 62, Compiling Rules]
Firmware Filenames
The pnic-Compiler creates new firmware — in the /usr/local/pnic/firmware directory — consisting of four .bit files

[Page 63]
P-Series rule syntax is based on Snort. Both rule structures are described in this chapte

[Page 64, Writing Rules]
• pass directs Snort to ignore the packet.
• activate directs Snort to generate an alert and activate another specified rule.
• dynamic

[Page 65]
Ports
Port numbers may be specified by the keyword any, a single port number, ranges, and

[Page 66, Writing Rules]
Destination Address and Port
The destination address and port follow the direction operator. The syntax of these parameters is the sam

[Page 67]
Keyword | | 
depth | No | No
dsize | Yes | No
flags | Yes | Yes, no wild card
flow | Yes | No
fragbits | Yes | No
fragoffset | Ye

[Page 68, Writing Rules]
Writing Stateful Rules
Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across m

[Page 69]
Pre-match Condition — the S Value
The value in register Cf is presented to all the signatu

[Page 70, Writing Rules]
When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow (contai

[Page 71]
You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a

[Page 72, Writing Rules]
The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detec

[Page 73]
Anomalous TCP Flags
Some TCP packets with anomalous flags are captured by default to provi

[Page 75]
Deploying the P-Series as a Firewall
By default the P-Series is an IDS/IPS system; the P-S

[Page 76, Firewall]
Enabling the Firewall
Enable Drop mode using the command pnic default-drop-enable. Disable Drop mode using the command pnic default-drop-dis

[Page 77]
Allowing Traffic through the Firewall
To allow packets through the firewall you must write

[Page 78, Firewall]
Table 25 Sample Firewall Rules
#permit: let through and do not log to the host
#alert: let through and log to the host
#deny: DO NOT let thr

[Page 79]
The command line interface (CLI) is an alternative to the GUI for managing the appliance.

[Page 80, Appendix A]
• pnic showconf on page 108
• pnic show-firmwares on page 108
• pnic showtech on page 109
• pnic start on page 110
• pnic stop on page 111
• p

[Page 81]
Related Commands
pnic aggregate-mode-enable
Receive both client-to-server and server-to-cl

[Page 82, Appendix A]
Parameters
Command History
Example
Figure 42 [root@localhost SW]# pnic apply-firmware
No card number specified. Assuming card 0
Do you

[Page 83]
pnic capture-off
Disable the capturing of packets via direct memory access (DMA).
Syntax
pni

[Page 84, Appendix A]
Example
Figure 45 pnic capture-on Command Example
root@# pnic macrewrite-on 0
No channel number specified. Assuming channel 0
*** Enabling

[Page 85]
pnic compilerules
Transform the dynamic Snort rules contained in /usr/local/pnic/0/rules.c

[Page 86, Appendix A]
Example
Figure 48 [root@localhost SW]# pnic default-drop-disable
No card number specified. Assuming card 0
*** Disabling Default-Pac

[Page 87]
Parameters
Command History
Example
Figure 50 [root@localhost pnic]# pnic diag
No card numb

[Page 88, Appendix A]
pnic flow-teardown-disable
Configure the appliance to reset the state of the flow only upon a timeout. This is the default behavior.
Syntax

[Page 89]
Example
Figure 53 [root@localhost SW]# pnic flow-teardown-enable
No card number specified

[Page 90, Appendix A]
Related Commands
pnic gui
Launch the graphical user interface.
Syntax
pnic gui
Command History
pnic macrewrite-on Enable MAC rewriting.
pnic mac

[Page 91]
Example
Figure 55 [root@localhost SW]# pnic gui
CPU(s): 0.0% user, 0.0% system, 0.

[Page 92, Appendix A]
pnic help
Display a list of all available commands, their syntax, and descriptions.
Syntax
pnic help
Command History
Example
Figure 56 [root@

[Page 93]
pnic linkdown
Disable the physical link.
Syntax
pnic linkdown [number] [channel]
Enable a phy

[Page 94, Appendix A]
Parameters
Command History
Example
Figure 58 [root@localhost SW]# pnic linkup
No card number specified. Assuming card 0
No channel numb

[Page 95]
Example
Figure 59 [root@localhost ~]# pnic loadconf
No card number specified. Assuming ca

[Page 96, Appendix A]
pnic loadeproms
Load the PCI-X and front-end EEPROMs.
Syntax
pnic loadeproms [number]
Parameters
Command History
Usage Information
Use this comm

[Page 97]
Example
Figure 60 [root@localhost ~]# pnic loadparams
No card number specified. Assuming

[Page 98, Appendix A]
pnic loadrules
Upload to the FPGA the dynamic rules for both channels encoded in the files /usr/local/pnic/0/pnic_{0|1}.bin.
Syntax
pnic loa

[Page 99]
pnic macrewrite-off
Disable MAC rewriting. This is the default behavior.
Syntax
pnic macrewr

[Page 100, Appendix A]
Parameters
Default
MAC rewrite is disabled by default. The default value for the LSB is the system-assigned hash index value.
Command Histo

[Page 101]
Example
Figure 64 root@# pnic macrewrite-on 0
No channel number specified. Assuming chan

[Page 102, Appendix A]
pnic params
Display the card interface name, device ID, and contents of the register on the PCI-X and Master FPGAs.
Syntax
pnic params [num

[Page 103]
Command History
Example
Figure 67 pnic passive-mode-disable Command Example
[root@localho

[Page 104, Appendix A]
pnic resetconf
Reset the system configuration back to the default settings, which are located in <installation_directory>/SW/misc/p

[Page 105]
• Load the rule firmware
• Load the capture/block configuration
• Load the runtime paramet

[Page 106, Appendix A]
Syntax
pnic sguil-sensor-start [-f]
Stop the Sguil sensor using the command pnic sguil-sensor-stop.
Parameters
Command History
Example
Figure

[Page 107]
pnic sguil-sensor-stop
Stop the Sguil sensor.
Syntax
pnic sguil-sensor-stop [-f]
Start the S

[Page 108, Appendix A]
pnic showconf
Display configuration parameters of the card.
Syntax
pnic showconf [number]
Parameters
Command History
Example
Figure 74 [roo

[Page 109]
Command History
Example
Figure 75 [root@localhost SW]# pnic show-firmwares
No card number

[Page 110, Appendix A]
Example
Figure 76 [root@localhost pnic]# pnic showtech | more
No card number specified. Assuming card 0
**************

[Page 111]
Example
Figure 77 [root@localhost SW]# pnic start
No card number specified. Assuming car

[Page 112, Appendix A]
pnic temp-mem-disable
Disable temporary memory.
Syntax
pnic temp-mem-disable [number]
Enable temporary memory using the command pnic temp-me

[Page 113]
Example
Figure 80 [root@localhost SW]# pnic temp-mem-enable
No card number specified. As

[Page 114, Appendix A]
pnic vlan-remove-disable
Disable the VLAN Tag Remove feature.
Syntax
pnic vlan-remove-disable
Default
The VLAN Tag Remove feature is disabled

[Page 115]
pnic version
Display the driver version.
Syntax
pnic version
Command History
Example
Figure 84

[Page 116, Appendix A]
Example
Figure 85 pnic web-gui-start Command Example
[root@localhost pnic]# pnic web-gui-start
INFO: Generating SSL certificate fo

[Page 117]
Example
Figure 86 pnic web-gui-stop Command Example
[root@localhost pnic]# pnic web-gui-

[Page 119]
Table 28 briefly describes the valid Snort keywords supported on the P-Series. For a mor

[Page 120, Appendix B]
flow | This keyword applies the rule to a specific traffic flow direction. The flow can be in one of two states:
• established: Trigger only

[Page 121]
ttl | This keyword checks for the specified IP time-to-live value.
ttl: [number {>|<|

[Page 123]
The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in

[Page 125]
Appendix D Basic Unix Commands
Table 31 Basic Unix Commands
Command | Descrip

[Page 126, Appendix D]
vi Commands
vi has two modes:
• Command Mode: In command mode, commands can be entered which allow you to jump to points in a file, search

[Page 127]
Appendix E Glossary
ACK An Acknowledgment packet (ACK) is a packet that is sent from the

[Page 128]
Snort Snort is an open source network intrusion detection and prevention system that uses rules created with a special syntax to examine and contro

[Page 129]
Manual Pages
Information on operating the appliance can be accessed through manual pages

[Page 130, Technical Support]
Contacting the Technical Assistance Center
Locating P-Series Serial Numbers
The P10 serial number is located on a sticker on the ba

[Page 131]
Requesting a Hardware Replacement
To request replacement hardware, follow these steps:
Ste