Force10 Networks 100-00055-01 User Manual

P-Series Installation and Operation Guide
Version 2.3.1.2 May 27, 2008 PN: 100-00055-01
Copyright 2008 Force10 Networks®
All rights reserved. Printed in the USA. January 2008. Force10 Networks® reserves the right to change, modify, revise this publication without notice.
Trademarks
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Force10 Networks reserves the right to make changes to products described in this document without notice. Force10 Networks does not assume any liability that may occur due to the use or application of the product(s) described herein.
USA Federal Communications Commission (FCC) Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designated to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy. If it is not installed and used in accordance with the instructions, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to take whatever measures necessary to correct the interference at their own expense.
Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits. Force10 Networks is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications in the equipment. Unauthorized changes or modification could void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
Canadian Department of Communication Statement
The digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
Attention: This digital apparatus does not emit radio-frequency interference exceeding the limits applicable to Class A digital apparatus prescribed in the Radio Interference Regulations established by the Department of Communications of Canada.
European Union EMC Directive Conformance Statement
This product is in conformity with the protection requirements of EU Council Directive 89/336/EEC on the approximation of the laws of the Member States relating to electromagnetic compatibility. Force10 Networks cannot accept responsibility for any failure to satisfy the protection requirements resulting from a non-recommended modification of this product, including the fitting of non-Force10 option cards.
This product has been tested and found to comply with the limits for Class A Information Technology Equipment according to CISPR 22/European Standard EN 55022. The limits for Class A equipment were derived for commercial and industrial environments to provide reasonable protection against interference with licensed communication equipment.
Warning: This device is a Class A product. In a domestic environment, this device can cause radio interference, in which case the user may be required to take appropriate measures.
VCCI Compliance for Class A Equipment (Japan)
This is a Class A product based on the standard of the Voluntary Control Council For Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
Danger: AC power cords are for use with Force10 Networks equipment only; do not use Force10 Networks AC power cords with any unauthorized hardware.

Contents

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Preface
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Information Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 1
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
System Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Physical Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Booting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Security Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 2
Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Returning to the Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Hardware Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Types of Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Sample Rules and Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Deploying the P-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Inline Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Fail-safe Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Highly-available Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Passive Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Capturing Matched Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Capturing to a Host CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
P-Series Installation and Operation Guide, version 2.3.1.2 3
Mirroring to Another Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Chapter 4
Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
GUI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Managing Rules, Policies, and Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Editing Dynamic Rules with the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Managing Capture/Forward Policies with the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Selecting Firmware with the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Runtime Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Reloading Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 5
Web-based Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Launching the P-Series Node Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Web-browser Security Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Managing the P-Series using Node Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Monitoring System Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Managing Firmware Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Managing the Network Interface Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 6
Network Security Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Installing the Sguil System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Installing the Sguil Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Installing the Sguil Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Installing the Sguil Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Running the Sguil System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Running the Sguil Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Running the Sguil Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Running the Sguil Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Chapter 7
Command Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Editing Dynamic Rules with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
MAC Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Removing VLAN Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Chapter 8
Compiling Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Creating Rules Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Rules Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Compiling Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Starting and Stopping the pnic-Compiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configuration and Generated Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Firmware Filenames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Compiler Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chapter 9
Writing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Snort Rule Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Snort Rule Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Snort Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
P-Series Rule Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
P-Series Supported Snort Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Writing Stateful Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Stateful Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Stateful Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
The meta.rules File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Support for Snort's flow Keyword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Handling Segmentation Evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Support for Snort's within Keyword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Anomalous TCP Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Chapter 10
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Deploying the P-Series as a Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Enabling the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Allowing Traffic through the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Writing Rules for a Firewall Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Appendix A
Command Line Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Appendix B
Snort Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Appendix C
Meta and Evasion Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Appendix D
Basic Unix Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Unix Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
vi Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Appendix E
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Appendix F
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Manual Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
The iSupport Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Accessing iSupport Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Contacting the Technical Assistance Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Locating P-Series Serial Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Requesting a Hardware Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Preface

About this Guide

Objectives

This document provides installation and operation instructions for the P-Series P10 appliance.

Audience

This guide is intended to be used by network engineers. The P10 is a Unix-based product that runs rule management software based on Linux and FreeBSD. As such, understanding how to operate the appliance requires a basic knowledge of Unix, including the vi editor.

Conventions

This document uses the following conventions to describe command syntax:
Convention Description
keyword Keywords are in bold and should be entered at the command prompt as listed.
parameter Parameters are in italics and require a number or word to be entered at the command prompt.
{X} Keywords and parameters within braces must be entered at the command prompt.
[X] Keywords and parameters within brackets are optional.
x|y Keywords and parameters separated by a bar require you to choose one.

Information Symbols

Symbol Warning Description
Danger This symbol warns you that improper handling and installation could result in bodily injury. Before you work on this equipment, be aware of electrical hazards, and take appropriate safety precautions.
Caution This symbol informs you that improper handling and installation could result in equipment damage or loss of data.
Warning This symbol informs you that improper handling could reduce your component or system performance.
Note This symbol informs you of important operational information.

Related Documents

Additional P-Series documentation is available on the software CD that came with the appliance and in the documentation section of the Force10 website, www.force10networks.com.
• P-Series Release Notes

Additional Resources

• Cox, Kerry and Gerg, Christopher. 2004. Managing Security with Snort and IDS Tools. Sebastopol, California: O’Reilly Media, Inc.
• Snort.org. http://www.snort.org/
Chapter 1 Installation

Figure 1 P-Series P10 Appliance (Front View)
Figure 2 P-Series P10 Appliance (Rear View)
[Figures 1 and 2 label the following items: IDENTIFY, LAN 1, LAN 2, VGA, SERIAL, USB x2, KEYBOARD, MOUSE, POWER, RJ-45 SERIAL, E0 & E1 IP ADDRESS DISPLAY, MANAGEMENT PORTS (E0) (E1), POWER LEDs, PORT 0 (P0), PORT 1 (P1), MIRROR PORT 0 (M0), MIRROR PORT 1 (M1), HARD DISK, AC POWER RECEPTACLE, MAIN POWER, SERIAL NUMBER]
Label Description
(LCD screen) The LCD screen displays the IP address of the appliance next to either “e0:” or “e1:”, which represent LAN ports 1 and 2, respectively.
Port 1, Port 0 These two ports are sensing ports through which traffic is forwarded. They accept 10G XFP modules.
(unlabeled RJ-45 serial port next to IDENTIFY) This port is not used.
IDENTIFY This LED is not used.
HDD This LED is blue when the hard disk is accessed.
PWR This LED is green when the power is on.
(Power Button) This button turns the appliance on and off. Press and hold the button to turn off the appliance.
(Laser Warning) This label in the bottom right corner of the appliance indicates that the appliance is a Class 1 laser product that emits invisible laser radiation. This product complies with CDRH, 21 CFR 1040.

System Specifications

The specifications in Table 1 apply to the P-Series P10 appliance, Force10 catalog number PB-10GE-2P.
Table 1 System Specifications
Power
AC Power Supply: Power Consumption: 400W maximum, 260W nominal; Current: 3.6 A @ 120V, 2.0 A @ 240V; Voltage: 100-240V, 47-63Hz, 8A maximum input current; Heat Dissipation: 1360 BTU/hr maximum, 888 BTU/hr nominal
Battery: 3V CR2032 coin cell
Physical
Dimensions: Height: 1.75 in; Width: 17.6 in; Depth: 15.5 in (1RU half depth)
Weight: 20 lbs (9.07 kg)
Environmental
Temperature: Operating: 41° to 104°F (5° to 40°C); Storage: -40° to 149°F (-40° to 65°C)
Relative humidity: 20-80% (non-condensing)
Altitude: Operating: -50 to 10,000 ft (-16 to 3048 m); Storage: -50 to 35,000 ft (-16 to 10,600 m)

Physical Connections

Note: Connections to the sensing, mirroring, and management ports require straight-through CAT5 cables.
Warning: Do not hot-swap XFPs. If they are accidentally removed, turn off the appliance, replace the XFPs, and then turn the appliance back on.
Step Task
1 Review the system specifications and ensure that your operating and storage conditions meet the stated requirements.
2 Connect the power cable, a keyboard, and a monitor to the appliance.
3 Connect the LAN 1 port on the appliance to the local area network where DHCP is available. If a DHCP server is not available, an IP address can be assigned manually; see “Configuration” on page 12.
4 Install XFPs in the ports that will be used.
5 Connect the sensing ports to the devices from which the appliance will receive traffic. Traffic originating from the device connected to Port 0 has Channel 0’s rules applied to it. Traffic originating from the device connected to Port 1 has Channel 1’s rules applied to it.
6 (Optional) Connect the mirroring ports to the devices that will receive mirrored traffic. Mirror Port 0 mirrors matched traffic from Channel 0. Mirror Port 1 mirrors matched traffic from Channel 1.
7 Connect the power cable to a power source, and switch on the main power on the back of the appliance.
8 Press the power button on the front of the appliance to turn on the device.

Booting

During booting you can select the OS of your choice.
The management ports are configured for DHCP and probe for an IP address, gateway, and name server. The IP address is displayed on the LCD screen.
When the appliance is powered up, all packets are forwarded between its ports by default until the firmware and device drivers are loaded. Once they have been loaded, the DPI generates interrupts to the host processor and offers the captured packets in the same way as a standard network interface card in promiscuous mode.

Configuration

Once the appliance is booted:
Step Task
1 Log in as root with the password plogin.
2 Change the password, if desired, with the command passwd.
3 Set the clock for the appropriate timezone using the command tzsetup. This command calls a graphical user interface that instructs you on how to select the appropriate timezone.

Security Check

The P10 is remotely accessible only via Secure Shell Daemon (SSHv1 or SSHv2). However, inspect the configuration, and make sure it meets the security policy requirements of your network before deploying the appliance.
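As an added example that is not part of the Force10 guide, the following POSIX shell script performs the kind of pre-deployment inspection this section asks for on the one remote service the P10 exposes: it reads an OpenSSH sshd_config and flags a Protocol setting that still admits SSHv1, password-based root login, and password authentication in general. The config path, the default values assumed for unset keywords, and the sample files it constructs are assumptions; the guide's own default root password is a separate item to check by hand.

```shell
#!/bin/sh
# Added example, not from the Force10 P-Series guide.
# Audits an OpenSSH sshd_config against three points a pre-deployment
# security check would cover on an appliance reachable only by SSH:
#   - Protocol must be exactly "2" (the guide says SSHv1 is also accepted,
#     and SSHv1 has known cryptographic weaknesses);
#   - PermitRootLogin should not be "yes" (password root login over SSH);
#   - PasswordAuthentication should be "no" (key-based access only).
# The config path and the constructed sample file are assumptions.

# Print the value of the first non-comment occurrence of keyword $2 in
# file $1. sshd honours the first value it sees for a keyword, so later
# duplicates are ignored here as well. Prints nothing when unset.
get_opt() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per line; return 1 if any finding exists, else 0.
# Caveat: directives inside "Match" blocks are not evaluated separately.
check_sshd_config() {
    f="$1"
    rc=0
    proto=$(get_opt "$f" Protocol)
    if [ "$proto" != "2" ]; then
        echo "FINDING: Protocol is '${proto:-unset}'; set 'Protocol 2' so SSHv1 is refused"
        rc=1
    fi
    root=$(get_opt "$f" PermitRootLogin)
    if [ "${root:-yes}" = "yes" ]; then   # assumed default when unset: yes
        echo "FINDING: PermitRootLogin is '${root:-unset}'; use without-password or no"
        rc=1
    fi
    pw=$(get_opt "$f" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then     # assumed default when unset: yes
        echo "FINDING: PasswordAuthentication is '${pw:-unset}'; set it to no"
        rc=1
    fi
    return $rc
}

# Number of findings for file $1 ("0" when the file passes).
count_findings() {
    check_sshd_config "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed config (not a real appliance file).
# The first Protocol line wins, so this sample produces three findings.
demo() {
    sample=$(mktemp)
    printf '# constructed sample\nProtocol 2,1\nPermitRootLogin yes\nProtocol 2\n' > "$sample"
    if check_sshd_config "$sample"; then
        echo "PASS: $sample"
    else
        echo "FAIL: $(count_findings "$sample") finding(s) in $sample"
    fi
    rm -f "$sample"
}

demo
```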

Upgrading Software

Upgrading software requires a boot firmware (PROM) upgrade. This upgrade must be done during a maintenance window. During this period, stop all traffic from flowing through the appliance, and disconnect all cables from the XFPs.
Note: You must be logged in as root to upgrade software.
Warning: Stop all traffic from flowing through the appliance, and disconnect all cables from the XFPs before proceeding.
Step Task Command
1 Save earlier configuration files and firmware by copying the directory /usr/local/pnic to the home directory. cp -Rf /usr/local/pnic/ /home
2 Create a new sub-directory in the home directory for the upgrade package. mkdir ~/upgrade_directory
3 From the root directory, secure copy the file filename from a server to the upgrade directory you created. scp username@server:absolute_path/filename ~/upgrade_directory
Note: In Unix, the tilde symbolizes the home directory, and can be used in place of the absolute path to the home directory. The upgrade file is a Unix tarball, the file extension of which is .tar.gz.
4 Change directory to the upgrade directory you created. cd upgrade_directory
5 Untar the file PTPS-P_MAIN. tar xvzf PTPS-P_MAIN
6 Change directory to SW. cd SW
7 Enter the command gmake erase followed by gmake. gmake erase
gmake
8 Enter the command gmake install. gmake install
9 Verify that the new software version is installed. pnic cardstatus
Warning: The remainder of this procedure is for upgrading the boot firmware. The boot firmware upgrade process takes up to 30 minutes and must not be interrupted. If the process is interrupted, the boot firmware must be reloaded via JTAG, which requires an RMA.
10 Enter the command pnic loadeproms to upgrade the boot firmware. Answer “yes” to the confirmation question. pnic loadeproms
Note: This process takes up to 30 minutes.
11 Reboot the appliance. shutdown -r now
Note: Reboot the appliance only after pnic loadeproms has successfully finished.
12 Log into the appliance and enter the command pnic cardstatus. Verify that there is an output for this command. This indicates that the upgrade process has been completed successfully. pnic cardstatus
Note: See Appendix A, on page 79 for an example output for this command.
13 Re-compile all rules firmware with the new compiler located in the directory pnic-compiler. cd upgrade_directory/pnic-compiler
gmake
gmake install
14 Install pre-compiled firmware if needed. cd upgrade_directory/firmware
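The following POSIX shell script is an added example, not Force10's own tooling: it carries out the backup of step 1 and checks the upgrade package of steps 3 and 5 before anything is extracted, refusing a package that is not a readable gzip tarball, that lacks the SW directory of step 6, or that contains paths that would escape the upgrade directory. All paths are parameters, and the directories and tarball its demo builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Force10 guide or its tooling.
# Pre-flight for the software upgrade procedure: back up the existing
# pnic tree (step 1) and verify the upgrade tarball (steps 3 and 5)
# before extracting it. Paths are parameters so the functions can be
# exercised on constructed directories.

# Copy the existing pnic tree $1 to backup directory $2 and verify the
# copy. Returns 1 if the source is missing, the destination already
# exists, or the file lists of source and backup differ (partial copy).
backup_pnic() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "ERROR: $src does not exist" >&2; return 1; }
    [ -e "$dst" ] && { echo "ERROR: $dst already exists; refusing to overwrite a previous backup" >&2; return 1; }
    cp -R "$src" "$dst" || return 1
    src_list=$(cd "$src" && find . | sort)
    dst_list=$(cd "$dst" && find . | sort)
    [ "$src_list" = "$dst_list" ] || { echo "ERROR: backup file list differs from source" >&2; return 1; }
    return 0
}

# Check that $1 is a readable gzip tarball that contains a top-level SW/
# directory (the guide's step 6 changes into SW after extraction) and no
# absolute or parent-directory entries. Returns 1 otherwise. Nothing is
# extracted; only the listing is inspected.
verify_upgrade_tarball() {
    pkg="$1"
    [ -r "$pkg" ] || { echo "ERROR: cannot read $pkg" >&2; return 1; }
    listing=$(tar tzf "$pkg" 2>/dev/null) || { echo "ERROR: $pkg is not a valid gzip tarball" >&2; return 1; }
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "ERROR: $pkg contains absolute or parent-directory paths" >&2
        return 1
    fi
    printf '%s\n' "$listing" | grep -Eq '^(\./)?SW(/|$)' || {
        echo "ERROR: $pkg has no top-level SW directory" >&2; return 1; }
    return 0
}

# Run both checks; only when both pass is it safe to proceed to tar xvzf.
preflight_upgrade() {
    backup_pnic "$1" "$2" && verify_upgrade_tarball "$3"
}

# Stand-alone demo on constructed directories and a constructed tarball.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/pnic/firmware" "$work/stage/SW"
    echo "sample" > "$work/pnic/firmware/sample.bit"
    echo "all:" > "$work/stage/SW/Makefile"
    (cd "$work/stage" && tar czf "$work/PTPS-P_MAIN.tar.gz" SW)
    if preflight_upgrade "$work/pnic" "$work/pnic.bak" "$work/PTPS-P_MAIN.tar.gz"; then
        echo "pre-flight passed; safe to untar into the upgrade directory"
    else
        echo "pre-flight failed; do not proceed"
    fi
    rm -rf "$work"
}

demo
```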

Chapter 2 Getting Started

To begin inspecting and filtering traffic you must:
1. Select firmware and dynamic rules
2. Set capture/forward policies
3. Check for proper operation by generating traffic across the appliance.
Step Task
1 As root, enter the command pnic gui from the Unix command line to invoke a graphical user interface (GUI).
2 Enter the command m from the GUI command line.
3 Select Manage Firmware from the Rule Management GUI, then select “null” firmware and confirm. The sample firmware and rules files are testing examples only. Force10 recommends not employing the sample firmware for production IDS/IPS use.
4 Select Edit Rules from the Rule Management GUI.
5 Uncomment the rule alert on all icmp any any -> any any (msg:"@icmp";) by removing the # symbol before the rule. Enter the command i to enter insert mode. Navigate to the character using the arrow keys, and delete the character.
6 Enter the command :wq to exit the vi editor, and confirm your changes.
7 Confirm to reload the Forward/Block settings.
8 Run a packet sniffer such as tcpdump on the network interface associated with the appliance.
9 Generate some ICMP traffic to be exchanged between endpoints. Endpoints are two network nodes on opposite sides of the appliance such that traffic between those nodes passes through the appliance. For example, enter ping destaddress, where destaddress is the IP address of the endpoint on the opposite end of the appliance.
10 If you are using tcpdump, enter the command tcpdump -i pnic0 -n from the Unix command line. This prints to standard output all of the packets captured by the DPI. If the appliance is operating correctly, you will see the ICMP packets.

Returning to the Default Configuration

Return to the factory default settings using the command pnic resetconf. See the Command Line
Reference, on page 79.

Chapter 3 Introduction

The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dynamic Parallel Inspection (DPI) technology. It uses a Multiple Instruction Single Data (MISD) massively parallel
processor that executes thousands of security policies or traffic capture operations on the same data stream at the same time.
DPI synthesizes individual security policies and packet analysis algorithms and maps them directly into silicon hardware "gates." Through this design it is able to deliver full packet inspection and protection at line rate for 1-Gigabit and 10-Gigabit links whether the traffic load or security policy is 1% or 100%.
The policies can be derived from public domain signatures, or they can be completely user-defined. For each policy, you can direct the DPI to:
• Capture packets for the host (capture is defined as both DMA to host and copying to the mirror port)
• Forward packets (with negligible delay)
• Block packets
As a result, the P10 can be used as both an IDS accelerator and a stateful content filter for IPS applications. In an active configuration, it can be inserted inline into the network; this alleviates the need for a SPAN port or tap and enables filtering applications. In passive configurations, it can merely listen to the network via a mirroring port or tap.

Hardware Architecture Overview

The P10 is a 1-RU appliance provisioned with one DPI processing system, and has at minimum: an AMD Dual Core Opteron 280 processor, a 400-GB hard drive, 8 GB of RAM.
Figure 3 shows packet flow in the DPI, which is a two-port device. Packets are forwarded from the receive
side of the first port (Rx0) to the transmit side of the second port (Tx1). Likewise, Rx1 forwards packets to Tx0 of the first port.
As the packets are being forwarded they are also processed in real time by two independent processing channels, each with its own set of policies. If there is a match in a processing channel, the DPI can block the packet, capture it, and send it to the host through the PCI-X bus. The two processing channels are completely independent, and thus they can be used to process two asymmetric links, or both directions of a full-duplex connection.
In addition to two sensing interfaces, the P10 includes two 1-Gigabit Ethernet mirroring ports. These ports can copy and forward matched traffic to another device. It is also possible to disable the PCI-X DMA capture, and let the matched traffic bypass the host entirely for applications in which host capture is not desired.
P-Series Installation and Operation Guide, version 2.3.1.2 17
Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports.
[Figure 3 block diagram: sensing ports Rx0/Tx0 and Rx1/Tx1, mirror ports Mirror 0 and Mirror 1, a Forwarding Engine and a Detection Engine with its State Table and Match Result, and a PCI-X Module that carries Packet Data, Device Access and Config Commands between the DPI and the host.]
Note: Mirroring is automatically enabled when the mirroring port is connected to another network device; it is not controlled through the CLI. Any device attached to a mirror port therefore receives a copy of all matched traffic, so treat physical access to the mirror ports as access to that traffic.
Figure 3 Logic Diagram of Traffic Flow in the P10 DPI

Types of Rules

Two types of rules can be uploaded to the FPGA:
Static rules: Static rules are compiled to become part of the firmware and are mapped directly into logic gates. Static rules can be set to capture/not capture and block/not block individually, but they cannot be changed once they have been loaded into the FPGA.
Dynamic rules: Dynamic rules are programmed at runtime in the DPI hardware registers and can be configured without changing the firmware. Like static rules, they can be enabled or disabled individually.

Sample Rules and Firmware

The P10 includes sample rules files in the pnic-compiler/rules directory. You can browse these files in order to become more familiar with Snort syntax or creating rules files; you can also generate firmware from these files at your discretion.
Firmware is a set of rules that has been transformed, using a compiler, from Snort syntax into a form suitable for uploading to the FPGA. Two sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware management methods (see “Rule Management” on page 19). Table 2 describes each sample rules file.
Table 2 Sample Rules Files
Rule Set        Description
evasion.rules   The rules in this file help detect attacks that use strategic TCP segmentation to avoid detection.
fw.rules        This file contains rules written in Snort syntax for a firewall application (see “Writing Rules for a Firewall Deployment” on page 77).
meta.rules      The rules in this file report on flow information and provide compatibility with Snort.
null.rules      This file contains no rules; the firmware created from it is an empty image that maximizes the dynamic rule capacity (see “Rules Capacity” on page 55).
sample.rules    This file contains rules written in Snort syntax that were derived from publicly available IDS rules.
The firmware based on the sample rules files follows the naming convention described in “Selecting Firmware with the GUI” on page 30.
Note: Force10 recommends not using the sample firmware for production IDS/IPS use. The sample firmware requires considerable site-specific customization in order to be effective; it is included only for you to become more familiar with the functionality of the appliance.

Rule Management

The P-Series software provides three methods by which you can manage the rules and functionality of the appliance:
Graphical User Interface: The graphical user interface (GUI) is a menu-based method for managing the appliance.
Web-based GUI: Manage the appliance and graphically plot performance online.
Command Line Interface: The command line interface (CLI) uses a script called pnic through which you can manually perform the same management tasks as the GUI by entering commands at the command prompt.
Force10 recommends using the GUI or web-based GUI if no programmatic interface is required.

Deploying the P-Series

The flexible architecture of the P-Series lends itself to various deployments.

Inline Deployment

Use the P-Series for inline traffic inspection in IPS or firewall applications at 10-Gigabit line rate (Figure 4).
For IPS deployment, no special configuration is needed; the P-Series is in inline IPS mode by default.
For a firewall deployment, enable drop mode (see Command Line Reference on page 79).
Figure 4 P-Series Inline Deployment
[Diagram: one P-Series P10 with a PB-10GE-2P card inline on 10-Gigabit links between the Internet and the Campus Core/Backbone, and a second P-Series P10 with a PB-10GE-2P card inline on 10-Gigabit links between the LAN Core and the Data Center.]

Fail-safe Deployment

The P-Series hardware is fail-safe. In the event of a software exception or reboot, the card continues to function as it did before the event. In the event of a power failure, the hardware stops functioning and traffic is dropped. When the appliance powers up again, all traffic is allowed by default, and the card functions as before; because "allowed" means traffic passes the appliance, confirm after a power cycle that the intended inline policy (for example drop mode in a firewall deployment) is active again. Use an optical bypass switch in an inline deployment so that traffic continues to flow in the event of a power failure, as shown in Figure 5.
Figure 5 Fail-safe Behavior with Optical Bypass
[Diagram: an optical bypass switch inserted in the 10-Gigabit link, with ports P0 and P1 of the P-Series P10 connected to the bypass.]

Highly-available Deployment

[Figure 6 diagram: two P-Series P10 appliances, each with ports P0 and P1, chained between optical bypass switches on the 10-Gigabit link. Figure 7 diagram: a network tap feeding ports P0 and P1 of a P-Series P10 from the two sides of a 10-Gigabit link.]
Use optical bypass switches with the P-Series for a highly-available, redundant deployment, as shown in Figure 6. Both appliances have the same configuration so that in the event of a power failure on one device, the other continues to operate, and the detection engine remains intact. In the event that both devices experience a power failure, the traffic continues to flow through the bypass switches.
Figure 6 Highly-available Redundant Deployment

Passive Deployment

Enable passive mode (see Command Line Reference on page 79) with fiber taps in line for IDS deployments.
Send traffic from one side of the tap to port P0 and traffic from the other side to port P1, as shown in Figure 7.
Aggregate traffic from both sides of the link to one port, as shown in Figure 8.
Aggregate traffic from both sides of the link to one port using a SPAN port, as shown in Figure 9.
Figure 7 Passive Deployment using a Network Tap
Figure 8 Passive Deployment with Aggregation using a Network Tap
[Diagram: a network tap aggregates both sides of a 10-Gigabit link onto port P0 of the P-Series P10.]
Figure 9 Passive Deployment with Aggregation using a SPAN port
[Diagram: a network switch with a SPAN port copies the port to monitor onto a 10-Gigabit link to port P0 of the P-Series P10.]

Capturing Matched Traffic

P-Series supports capturing matched traffic for analysis.

Capturing to a Host CPU

Captured traffic can be sent to a host CPU through a libpcap library interface, where it can be made available to applications for analysis. A typical implementation provides IDS/Snort acceleration because of the hardware assist.
Figure 10 Capturing Matched Traffic via the libpcap Interface
[Diagram: traffic to monitor enters ports P0 and P1 of the PB-10GE-2P (HW); matched traffic is delivered through libpcap (SW) to tcpdump, Snort or a custom app; M0 and M1 are the mirror ports.]
Use the P-Series in an integrated security monitoring solution through the management port. The P-Series comes with support for Sguil NSM (see Network Security Monitoring on page 43).
Figure 11 Creating a Network Monitoring Solution with the P-Series
[Diagram: traffic to monitor enters ports P0 and P1 of the PB-10GE-2P (HW, with mirror ports M0 and M1); matched traffic reaches a custom app through libpcap (SW), and the Mgmt Port connects the appliance to a custom security monitoring application.]

Mirroring to Another Device

Mirror captured traffic out of the 1-Gigabit mirroring ports to use the P-Series as an IDS accelerator or as part of an integrated security monitoring solution.
Figure 12 Creating an IDS Accelerator with the P-Series
[Diagram: traffic to monitor enters ports P0 and P1 of the PB-10GE-2P (HW); matched traffic leaves the mirror ports M0 and M1 toward a 1-Gigabit IDS/security monitoring application.]

Chapter 4 Graphical User Interface

The GUI can be used to:
Start and stop the DPI
Load firmware
Compile and load dynamic rules
Manage the runtime parameters
Manage the capture/forward policies for rules
Note: Using the GUI requires the super user privilege.
To invoke the GUI:
Step 1  Invoke the GUI by entering the command pnic gui.
Note: The OS environment variables are set such that the pnic gui command can be executed from any path.
Runtime statistics are displayed after the pnic gui command is executed. If the FPGA is not loaded, the display appears as shown in Figure 13. If firmware is loaded, the display appears as in Figure 19.

GUI Commands

From the Runtime Statistics display, you can enter commands to control the DPI (see Table 3, or enter the h command from the GUI command line).
Figure 13 Runtime Statistics - FPGA Unloaded
[Screen capture; the status lines read: N/A/1 FlowTimeout=16 Packets/flow=0 Truncation=0 Irq period=5ms and CPU(s): 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle]
Note: GUI commands that require a subsequent value entry have the current value displayed in parentheses at the prompt.
Table 3 GUI Commands
Command   Description
a         Establishes the IRQ period (measured in milliseconds), which moderates DPI access to the PCI-X bus. Valid values are 1 to 255, where 1 is no throttling and 255 is maximum throttling.
c         This command is not supported.
d         Brings the OS network interface down and disables matching.
f         Establishes the maximum number of packets to be captured for each flow (Packets/Flow). A value of 0 specifies all packets.
h         Displays help information about the commands.
i         Establishes the display refresh interval (measured in seconds).
m         Invokes a dialog menu through which dynamic rules can be defined, capture/forwarding policies can be set for each individual rule, and the firmware can be selected and loaded (see Figure 14).
q         Exits the graphical user interface.
r         Resets all the OS counters.
s         Starts or restarts the drivers and reloads the firmware.
t         Establishes the number of seconds after which a flow is considered expired (Flow Timeout).
u         Brings the OS network interface up and enables matching. This is similar to the s command, but it does not load/reload the driver. It is only valid after the s command has been executed.
x         Toggles direct memory access (DMA) off and on, which disables or enables capturing to the host, respectively.
z         Disables the DMA and brings the interface down, in succession. This is equivalent to issuing the commands pnic down and pnic off, in succession.
Note: Commands 1, 2, 3, 4, and 5 are for engineering use only. If you enter a command 1 through 5 by mistake, enter 0 to return to the runtime statistics screen.

Managing Rules, Policies, and Firmware

Enter the m command from the GUI command line (see “GUI Commands” on page 26) to invoke a menu that enables you to manage dynamic rules, capture/forward policies, and firmware. Three options are available; they are shown in Figure 14 and described in Table 4.
Figure 14 Rule Management GUI
Table 4 Managing Rules Using the GUI
Option            Description
Edit Rules        This option invokes the vi editor on the file rules.custom in the /usr/local/pnic/0 directory (see “Editing Dynamic Rules with the GUI” on page 28).
                  You can add, delete, or modify dynamic rules for either of the processing channels (see Appendix D, on page 125 for information on vi).
                  The rules are automatically compiled and loaded into the appliance; you are prompted to confirm these actions.
Manage Rules      This option instructs the DPI on handling matching packets.
                  It displays a list of all the rules contained in the FPGA and the policy setting for each.
                  There are four policies available; they are described in Table 5.
                  Rules configured to ignore a packet (policy setting permit or deny) take precedence over rules with a policy setting of alert or divert. Therefore, when one packet matches several rules, a single permit or deny rule disables capturing for every other rule that matches that packet; an alert or divert rule only captures packets that no permit or deny rule also matches.
                  To modify policy settings, see “Managing Capture/Forward Policies with the GUI” on page 29.
                  Note: The Capture toggle is not used. Capture/forward settings can only be modified through the graphical user interface.
Manage Firmware   Displays the firmware files in /usr/local/pnic/firmware and allows you to select one to be uploaded to the FPGA. Selecting firmware restarts and reloads the FPGA.
                  To manage firmware, see “Selecting Firmware with the GUI” on page 30.
Table 5 describes the four possible combinations of capture/forward policies.
Table 5 Capture/Forward Policies
Policy   Capture   Forward
Permit   no        yes
Deny     no        no
Alert    yes       yes
Divert   yes       no
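The precedence rule given under Manage Rules in Table 4 and the capture/forward matrix in Table 5 are easy to misread when one packet matches several rules. The following Python model is an added example; it is not Force10 code and not the pnic compiler. It parses a constructed rules.custom-style file in Snort syntax and then resolves the capture and forward decision for a packet from the policies assigned to the rules it matched. The rule text, the SID-to-policy table and the lists of matched SIDs are constructed for the example; which rules actually match a packet is decided in the FPGA, not here. Two behaviours the guide does not specify are modelled as labelled assumptions: a packet matching both a permit and a deny rule is treated as denied, and a packet matching both an alert and a divert rule is captured but not forwarded.

```python
"""Model of the P10 capture/forward policy resolution over Snort-syntax rules.

Added example, not Force10 code. Rule text, SID-to-policy table and matched-SID
lists are constructed; real matching happens in the FPGA, so the SIDs that
matched a packet are passed in by hand.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Table 5 of the guide: policy -> (capture, forward)
POLICIES: Dict[str, Tuple[bool, bool]] = {
    "permit": (False, True),   # ignore the packet and let it through
    "deny":   (False, False),  # ignore the packet and drop it
    "alert":  (True, True),    # capture (DMA/mirror) and let it through
    "divert": (True, False),   # capture (DMA/mirror) and drop it
}

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    action: str
    proto: str
    options: Dict[str, str]


def parse_options(opts: str) -> Dict[str, str]:
    """Turn 'key:value; key:value;' into a dict, dropping quotes around values."""
    out: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in opts.split(";"))):
        key, _, value = item.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out


def parse_rules(text: str) -> List[Rule]:
    """Parse a rules.custom-style file; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Snort rule: {line!r}")
        options = parse_options(m.group("opts"))
        if "sid" not in options:
            raise ValueError(f"line {lineno}: rule without a sid")
        rules.append(Rule(int(options["sid"]), options.get("msg", ""),
                          m.group("action"), m.group("proto"), options))
    return rules


def resolve(policies: Iterable[str]) -> Tuple[bool, bool]:
    """Combine the policies of every rule that matched one packet.

    Guide: permit and deny take precedence over alert and divert, so a single
    permit or deny rule disables capture for all other matching rules.
    Assumptions the guide does not state: deny beats permit, and a divert
    rule still blocks when an alert rule matches the same packet.
    """
    matched = set(policies)
    unknown = matched - set(POLICIES)
    if unknown:
        raise ValueError(f"unknown policy: {sorted(unknown)}")
    if not matched:
        return (False, True)     # no rule matched: forwarded, not captured
    if "deny" in matched:
        return POLICIES["deny"]
    if "permit" in matched:
        return POLICIES["permit"]
    return (True, "divert" not in matched)


def decide(rules: List[Rule], policy_by_sid: Dict[int, str],
           matched_sids: Iterable[int]) -> Tuple[bool, bool]:
    """Resolve a packet's fate from the SIDs of the rules it matched."""
    sids = list(matched_sids)
    loaded = {r.sid for r in rules}
    for sid in sids:
        if sid not in loaded:
            raise KeyError(f"sid {sid} is not among the loaded rules")
    return resolve(policy_by_sid[sid] for sid in sids)


# Constructed sample in Snort syntax (not from pnic-compiler/rules).
RULES_CUSTOM = """\
# constructed rules.custom
alert tcp any any -> 10.0.0.0/8 80 (msg:"HTTP request to data center"; content:"GET "; sid:1000001;)
alert tcp any any -> 10.0.0.0/8 80 (msg:"Path traversal attempt"; content:"../"; sid:1000002;)
alert tcp 10.1.1.5 any -> any any (msg:"Authorized scanner host"; sid:1000003;)
alert tcp any any -> any 23 (msg:"Telnet to any host"; sid:1000004;)
"""

# Per-rule policies as they would be set in the Manage Rules menu (constructed).
POLICY_BY_SID = {1000001: "alert", 1000002: "divert", 1000003: "permit", 1000004: "deny"}

if __name__ == "__main__":
    rules = parse_rules(RULES_CUSTOM)
    for sids in ([1000002], [1000001, 1000002], [1000002, 1000003], [1000001, 1000004]):
        capture, forward = decide(rules, POLICY_BY_SID, sids)
        print(f"matched {sids}: capture={capture} forward={forward}")
```

The case to look at is SIDs 1000002 and 1000003 matching together: the permit rule for the scanner host suppresses the divert rule, so a traversal probe from that host is neither blocked nor captured. Before relying on an alert or divert rule, check which permit rules share its traffic; a broad permit silently turns every overlapping alert or divert rule into a no-op for that traffic.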

Editing Dynamic Rules with the GUI

Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory. The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file.
To modify dynamic rules:
Step 1  Enter the m command from the GUI command line (see “GUI Commands” on page 26) to access the main rule management GUI (see Figure 14).
Step 2  Select Edit Rules to invoke the vi editor (see Figure 15).
Step 3  Add, delete, alter, or uncomment rules using vi commands (see Appendix D, on page 125).
Step 4  You are prompted to confirm your changes upon exiting the editor.
Figure 15 Editing Dynamic Rules in vi

Managing Capture/Forward Policies with the GUI

Upon compiling static and dynamic rules, default capture/forward policies are assigned to each rule.
To change capture/forward policies:
Step 1  Enter the m command from the GUI command line (see “GUI Commands” on page 26) to access the rule management GUI (see Figure 14).
Step 2  Select Manage Rules to access the policy management menu (see Figure 16).
Step 3  Use the arrow keys to highlight a rule and the Select option, and press the Enter key.
Step 4  Select alert, permit, divert or deny, based on the descriptions in Table 5 (also see Figure 17).
Step 5  Exit the menu by selecting Done, and repeat Steps 3 through 5 for other rules, if desired.
Step 6  Select Done; you are prompted to confirm your changes.
Figure 16 Managing Capture/Forward Policies GUI
Figure 17 Capture/Forward Policies GUI

Selecting Firmware with the GUI

Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax into a form suitable for uploading to the FPGA.