Nortel 2070 Configuration

Nortel TPS Remediation Module for Nortel VPN Gateway—Installation and Configuration
Nortel TPS Remediation Module for NVG—Installation and Configuration
(324602-A)
Release 4.7.0.2
Part No. NN47240-103
Copyright © Nortel Networks Limited 2007. All rights reserved. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users
This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (Jun 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.
Portions of this manual are Copyright © Sourcefire, Inc. All Rights Reserved. Any other trademarks appearing in this manual are owned by their respective companies.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.
TABLE OF CONTENTS
Chapter 1: Overview
TPS and the Remediation Module
Defense Center
3D Sensor
TPS Remediation Module for NVG
Overall function
Interface between the DC and Perl script
Perl script functionality
Chapter 2: Installation
Installing the remediation module
Chapter 3: Configuration
NVG configuration for TPS remediation
Defense Center and 3D Sensor configuration
Creating remediations for the Defense Center and 3D Sensors
Instances on the Defense Center and 3D Sensors
Kick the Client–IP remediation
Adding a Kick the Client-IP remediation
Delete session remediation
Adding a delete session remediation
Appendix A: Configuration Examples
NVG TPS module configuration with NVG-TPS 1.4
NORTEL TPS REMEDIATION MODULE FOR NVG—INSTALLATION AND CONFIGURATION RELEASE 4.7.0.2 PAGE 3
CHAPTER 1
OVERVIEW
This chapter describes the Nortel Threat Protection System (TPS) Remediation Module for Nortel VPN Gateway (NVG) and the products in the Nortel TPS that use it.
TPS and the Remediation Module
The Nortel TPS is a fully integrated security monitoring system that identifies network threats, network assets, and known vulnerabilities in those assets.
IMPORTANT! Beginning with Release 4.7 software, 3D Sensors refer to both Intrusion Sensors and RTI Sensors. A 3D Sensor is able to have Intrusion Sensing (IPS/IDS) and/or RTI capabilities.
The TPS Remediation Module for Nortel VPN Gateway (NVG) is an interface module supported on the TPS Defense Center and TPS 3D Sensors. It is available through the Policy and Response feature.
The Policy and Response feature can be used to build compliance policies. Compliance policies describe the type of activity that constitutes a policy violation. The TPS Remediation Module for NVG allows creation and uploading of custom remediation modules to respond to policy violations.
When a rule within a compliance policy is violated, the Defense Center or 3D Sensor can launch remediations, such as blocking a host at the firewall or router when it violates a policy, or send any combination of the following responses: e-mail alerts, SNMP alerts, or syslog alerts.
Defense Center
The Nortel TPS 2070 DC, the Defense Center, is the central management point of the TPS. The Defense Center provides management of 3D Sensors remotely and also allows the following:
reviewing and evaluating of the data from the sensors
configuring of settings on the sensors
distributing of software and rules updates to the sensors
responding to policy violations by launching remediations
3D Sensor
Nortel Real-time Threat Intelligence Sensors provide an understanding of network topology in the following ways:
providing an up-to-the-minute mapping of network infrastructure
generating events when changes are observed
responding to suspicious activity by sending alerts and launching remediations
3D Sensors passively discover network hosts by continuously monitoring network traffic to identify the operating system, protocols, and services running on each host on the network. The process of continuous network discovery maps each monitored network segment without interacting with any hosts. Information gathered by 3D Sensors is provided in a network map and table views.
TPS Remediation Module for NVG
The Nortel TPS Remediation Module for NVG is an interface software module included on the Defense Center and 3D Sensors to communicate with the NVG. It is the interface between the TPS System and the NVG.
Administrators can configure responses, in the form of remediations, on the Defense Center and on the 3D Sensor.
Remediations are programs that the Defense Center or 3D Sensor run when a compliance policy is violated. Remediations use information provided in the event that triggered the violation to perform a specific action. The Policy and Response Remediation feature can be configured by administrators to pass specific event information to the NVG.
When creating each instance, specify the configuration information necessary for the Defense Center to establish a connection with the NVG.
For each configured instance, add remediations that describe the actions required for the appliance to perform when a policy is violated.
After they are configured, remediations can be added to response groups or assigned specifically to rules within compliance policies.
When the system executes these remediations, it logs events to the remediation event view and provides details about the remediation name, the policy and rule that triggered it, and the exit status message. The following figure describes the model setup for TPS Remediation module for NVG.
Figure 1: Model setup for TPS Remediation module for NVG
Overall function
Whenever a Netdirect client connected to the NVG server creates unwanted traffic to the back end (clean side), TPS initiates a kick-out (forced logout) of the user. To log the user out of the session, the NVG CLI provides a "kick" command.
The kick command requires the following two inputs:
vpnid
username
The Perl script installed in the DC opens a CLI session in NVG and executes the kick command. Since DC is connected to Mapped IP (MIP), the perl script can establish a telnet or SSH connection to the NVG. The choice of session—telnet or SSH can be configured while installing the perl script in the DC.
If any unwanted traffic, according to the compliance policy, is sensed by the 3D sensor, then 3D sends the tunnel IP to DC. DC in turn triggers the perl script for kicking the tunnel IP. Whenever the policy non-compliance occurs, either tunnel IP or local IP, the script is triggered.
Snooze time is the time interval between two consecutive executions of perl script. This can be configured in DC.
Interface between the DC and Perl script
The DC creates a file named as instance.conf before executing the script that includes the following:
NVG MIP
login name
password
communicating protocol information
The XML parser file module.template is used to get the preceding information from the file instance.conf and store that into variables. These variables can be used by the perl script by including the module.template file.
Perl script functionality
The script uses the Perl Expect module to establish the telnet or SSH connection to the NVG. It uses the information provided by module.template to establish the connection and to supply the login name and the password.
The vpnid and username for the corresponding Netdirect client are obtained with the /info/users command. This information is used to execute the kick command. Log messages for the actions performed by the script can be viewed in the /tmp directory on the DC.
CHAPTER 2
INSTALLATION
This chapter describes the Nortel TPS Remediation Module for NVG remediation file installation process for the Nortel TPS 2070 DC (Defense Center) and the Nortel 3D sensors.
The Nortel TPS Remediation Modules for NVG are available for download at www.nortel.com/support.
Use the following procedure to locate the files on the Nortel Technical Support page.
1. In your Web browser, navigate to the Nortel Support Web site: www.nortel.com/support
2. Navigate to the software downloads Web page for the Threat Protection System 2070 Defense Center.
3. Locate the script file that supports NVG: nvg_tps-1.4.tgz.
4. Follow the instructions on the software downloads Web page to download the selected file.
Use the following procedure to install the TPS Remediation module for the NVG.
1. Get the latest Release of the TPS remediation module, for example: nvg_tps-1.4.tgz from the Nortel Technical Support using the preceding instructions.
2. Check the compatibility of the module with the NVG.
3. Install the file as mentioned in the section “Installing the remediation module”.
Installing the remediation module
Use the following procedure to install a Nortel TPS Remediation Module for Application Switch on a Defense Center or RTI Sensor.
1. From the TPS GUI main page for the appliance, open the Policy and Response page.
2. Select Responses.
3. Select Remediations.
4. Select Modules. The remediation module list page for the Defense Center appears as shown in the following figure:
5. Click Browse to navigate to the location where you saved the file containing the remediation module.
6. Click Install. The remediation module installation begins. The following figure describes the module list page after the NVG TPS module is installed.
Figure 2: Module List page after the NVG TPS module installed
CHAPTER 3
CONFIGURATION
This chapter describes configuration of the Nortel TPS Remediation Module for the Nortel VPN Gateway (NVG).
NVG configuration for TPS remediation
Configuration on the NVG is done through the command line interface (CLI) allowing the interaction with the TPS remediation module to occur. TPS can be configured to use either telnet or secure shell (SSH) to communicate with the NVG.
If telnet is used as the communication protocol, run the following CLI commands for NVG Configuration.
1. Enable the Telnet option in the NVG CLI (see Figure 3)
2. At the main command line prompt, enter the following command: /cfg/sys/adm/telnet on
3. At the administrative applications prompt, enter the following command: apply
The system responds with the message: Changes applied successfully.
4. The control then returns to the administrative applications prompt.
If SSH is used as the communication protocol, run the following CLI commands for NVG Configuration.
1. Enable the SSH option in the NVG CLI.
2. At the main command line prompt, enter the following command: /cfg/sys/adm/ssh on
3. At the administrative applications prompt, enter the following command: apply
The system responds with the message: Changes applied successfully.
4. The control then returns to the administrative applications prompt.
IMPORTANT! The NVG TPS module WILL NOT fire if the Telnet/SSH option is not enabled in the NVG CLI.
Figure 3: NVG CLI Configurations
Defense Center and 3D Sensor configuration
Nortel provides the following remediation module for the Nortel VPN Gateway (NVG):
While configuring the remediations for the TPS NVG module, do not provide any specific IP entries to the remediation. This is because the DC and 3D sensor policy detects the policy-violating Client's IP address and this IP is passed onto the TPS module. The TPS module logs into the NVG and "Kicks-Out" the IP if the IP has a valid Netdirect session in NVG.
The NVG can have a Client machine without Netdirect features (Clientless and Enhanced clientless). If a policy-violating IP traffic situation occurs from this IP, the TPS module will not kick out the machine even if the NVG has a session corresponding to this IP in its session table.
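The kick decision described in this section and under "Perl script functionality", written out in Python as an added example (it is not the module's Perl code). The record field names, access-type labels, username allow-list and positive-vpnid rule are assumptions, the sample sessions are constructed, and parsing real /info/users output is left out because the manual does not show its format.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed allow-list: the manual does not document legal username characters.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


@dataclass(frozen=True)
class Session:
    """One NVG session-table row, already parsed (field names are hypothetical)."""
    vpnid: int
    username: str
    tunnel_ip: str
    local_ip: str
    access: str  # assumed labels: "netdirect", "clientless", "enhanced-clientless"


@dataclass
class Plan:
    action: str                      # "kick" or "skip"
    reason: str
    vpnid: Optional[int] = None
    username: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def plan_kick(event_ip: str, protocol: str, sessions: List[Session]) -> Plan:
    """Decide whether the violating IP from the event maps to a session to kick."""
    warnings: List[str] = []
    if protocol.lower() == "telnet":
        # Telnet carries the NVG administrator login in cleartext.
        warnings.append("telnet transport: admin credentials are sent unencrypted")
    elif protocol.lower() != "ssh":
        return Plan("skip", f"unsupported protocol {protocol!r}")

    try:
        offender = ipaddress.ip_address(event_ip)
    except ValueError:
        return Plan("skip", "event IP is not a valid address", warnings=warnings)

    for s in sessions:
        session_ips = (ipaddress.ip_address(s.tunnel_ip),
                       ipaddress.ip_address(s.local_ip))
        if offender not in session_ips:
            continue
        if s.access != "netdirect":
            # Clientless and Enhanced clientless sessions are not kicked.
            return Plan("skip", f"session is {s.access}, not Netdirect",
                        warnings=warnings)
        # Assumed: VPN ids are positive integers. Both values end up typed into
        # an administrator CLI session, so anything unexpected is refused.
        if s.vpnid < 1 or not SAFE_USERNAME.fullmatch(s.username):
            return Plan("skip", "vpnid/username failed validation",
                        warnings=warnings)
        return Plan("kick", "valid Netdirect session", s.vpnid, s.username,
                    warnings)
    return Plan("skip", "no session for this IP", warnings=warnings)


# Constructed sample data (documentation address ranges), not device output.
SAMPLE_SESSIONS = [
    Session(1, "alice", "192.0.2.10", "198.51.100.7", "netdirect"),
    Session(1, "bob", "192.0.2.11", "198.51.100.8", "clientless"),
    Session(2, "carol\n", "192.0.2.12", "198.51.100.9", "netdirect"),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"):
        p = plan_kick(ip, "ssh", SAMPLE_SESSIONS)
        print(ip, p.action, p.reason, p.vpnid, p.username)
```

The username check uses fullmatch rather than a `$`-anchored match so that a trailing newline is rejected instead of being passed on to the CLI session.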
Creating remediations for the Defense Center and 3D Sensors
Use the following procedure to create remediations for the Defense Center and the 3D sensors.
On the DC, add a remediation instance for each NVG used with the DC.
Create specific remediations for each instance, based on the type of response required on the NVG when compliance policies are violated.
Once remediations have been created, assign them to specific compliance policy rules.
Instances on the Defense Center and 3D Sensors
After installing NVG-TPS Module in the DC, add an instance. If there are multiple NVGs requiring remediations, a separate instance must be created for each NVG.
Adding a NVG instance
Use the following procedure to add an NVG instance:
1. From the TPS main page, open the Policy & Response menu.
2. Select Response.
3. Select Remediations.
4. Select Instances. The Remediation Instance List page appears.
5. Click Add. The Edit Remediation Instance page appears.
6. Enter a name for the instance in the Instance Name field. TIP: The name should contain no spaces or special characters and should be descriptive.
7. Enter the description in the Description field (optional).
8. Enter the NVG Management IP address of the NVG used for the remediation in the NVG Mapped IP (MIP) field.
9. Enter the administrator username for the NVG in the Username field.
10. Enter the administrator password in the Password entry field and retype to confirm the password.
TIP: The password entered in both fields must match.
11. Enter the default time out value in seconds for establishing a connection to the NVG MIP. The default value is 10 seconds.
12. Click Create. The instance is created and remediations appear in the Configured Remediations section of the page.
Kick the Client–IP remediation
A Kick IP remediation kicks a Client–IP address from the NVG if any traffic is sent to the destination host that is included in the compliance policy violation event.
Adding a Kick the Client-IP remediation
Use the following procedure to add a kick the client–IP remediation.
1. From the TPS main page, open the Policy & Response menu.
2. Select Responses.
3. Select Remediations.
4. Select Instances.
5. Select an instance from the Configured Instances list.
6. To view the selected instance, under Actions, click View. The Edit Remediation Instance page appears.
7. In the Configured Remediations section of the page, select Kick the Client IP in the Add a new remediation of type box.
8. In the Add a New Instance section, click Add. The Edit instance page appears.
9. Type a name for the remediation in the Remediation Name field. Optionally, enter a description of the remediation in the Description field.
10. Click Done to return to the Edit Remediation Instance page.
11. Click Create. The remediation is created.
12. Click Save. The remediation is saved.
13. Click Done to return to the Edit Remediation Instance page.
Delete session remediation
A delete session remediation issues an operations delete session table entry on the NVG to delete the existing session. The deletion is based on the combination of protocol, source IP, source port, destination IP, and destination port parameters listed in the compliance policy violation event.
Adding a delete session remediation
Use the following procedure to add a delete session remediation.
1. From the TPS main page, open the Policy & Response menu.
2. Select Responses.
3. Select Remediations.
4. Select Instances. The Remediation Instance List page appears.
5. Select an instance from the Configured Instances list.
6. To view the selected instance, under Actions, click View. The Edit Remediation Instance page appears.
7. In the Configured Remediations section of the page, select Delete Session in the Add a new remediation of type box.
8. In the Add a New Instance section, click Add. The Edit Remediation page appears.
9. Type a name for the remediation in the Remediation Name field. As an option, enter a description of the remediation in the Description field.
10. Click Create. The remediation is created.
11. Click Save. The remediation is saved.
12. Click Done to return to the Edit Remediation Instance page.
APPENDIX A
CONFIGURATION EXAMPLES
This appendix provides an example of configuration for the Nortel TPS remediation Module for Nortel VPN Gateway (NVG).
NVG TPS module configuration with NVG-TPS 1.4
The following section describes a configuration example on a Defense Center for remediation module NVG-TPS 1.4.
After installation is complete, use the following procedure to add a Nortel VPN Gateway (NVG) instance to kick a Client IP if non-compliant traffic is generated.
1. Open the Policy & Response page.
2. Select Responses.
3. Select Remediations.
4. The Remediation list page appears as shown in the following figure.
Figure 4: Remediation List Page
5. Select view NVG Remediation from the Actions list as shown in the following figure:
Figure 5: NVG TPS Module Details
6. Click Add. The Edit Instances page appears as shown in the following figure.
Figure 6: Edit Instances Page
7. In the Instance Name entry field, enter the name of the instance to add.
8. In the NVG MIP field, enter the IP address of the NVG Management IP.
9. In the Username field, enter the username for the NVG CLI login.
10. In the Password field, enter the user’s password.
11. Enter the password again in the Retype to confirm field.
12. Enter the required Timeout value for establishing the connection. View a sample filled Instances page as shown in the following figure:
Figure 7: Sample of Filling Up Instances Page
13. Click Create. The Edit Instances/Configured Remediations page appears as shown in the figure below:
Figure 8: Creating an Instance—NVG Remediation
14. From the Add a new remediation of type list, select Kick the Client IP.
15. Click Add. The Edit Remediation Page appears as shown in the following figure. In the Remediation Name field, type the remediation name, for example: NVG_remediation.
Figure 9: Edit Remediations Page
16. Click Create. The page for the newly created remediation Nvg_remediation appears as shown in the following figure:
Figure 10: Instance detail page after creating remediation
17. Click Save.
18. Click Done. The following figure describes the configured instances for the NVG TPS module:
Figure 11: Configured Instances for NVG TPS module
19. Create a compliance rule as shown in the following figure.
Figure 12: Create compliance rule
20. Save the compliance rule. A message is displayed on the screen indicating a successful save as shown in the following figure.
21. Create a compliance policy.
Figure 13: Create a compliance policy
22. Add the created compliance rule onto the compliance policy.
Figure 14: Add compliance rule to compliance policy
23. When the compliance rule is successfully added to the compliance policy, it appears as shown in the following figure:
Figure 15: Compliance rule successfully added to compliance policy
24. Add remediation as responses to the compliance policy.
Figure 16: Add remediation as responses to compliance policy
25. When the remediation is added as responses to the compliance policy successfully, it appears as shown in the following figure:
Figure 17: Remediation added as Responses to the Compliance Policy
26. Save the compliance policy.
Figure 18: Save the compliance policy
27. Activate the compliance policy.
Figure 19: Activate the compliance policy
28. View the remediation status message.
Figure 20: View the remediation status message
Nortel TPS Remediation Module for Nortel VPN Gateway Installation and Configuration
Copyright © Nortel Networks Limited 2007 All Rights Reserved.
Release 4.7.0.2
Publication: NN47240-103 (324602-A) Document status: Standard
Document revision: 01.01 Document release date: 3 December, 2007
To provide feedback, or to report a problem in this document, go to www.nortel.com/documentfeedback.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.