Nortel Secure Network Access Remediation Module for Threat Protection System

Release 4.7
Part No. NN47240-102 (323909-B)

Copyright © Nortel Networks Limited 2007. All rights reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

Trademarks

*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks and registered trademarks are the property of their respective owners.

U.S. Government End Users

This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.


REMEDIATION MODULE FOR APPLICATION SWITCH, INSTALLATION & CONFIGURATION GUIDE RELEASE 4.7 PAGE 3

TABLE OF CONTENTS

Chapter 1: Overview ........................................................................ 4
    TPS and the Remediation Module ............................................................ 4
    Defense Center ............................................................................. 4
    Real-time Threat Intelligence ........................................................ 5
    TPS Remediation Module for NSNAS ...................................................... 5

Chapter 2: Installation ..................................................................... 6
    Installing the Remediation Module ........................................................... 6

Chapter 3: Configuration ................................................................. 9
    NSNAS configuration for TPS remediation ............................................... 9
    Defense Center and RTI Sensor configuration ........................... 10
    Creating remediations for the Defense Center and RTI Sensors ........ 11

Appendix A: Configuration Examples ............................................. 13
    Nortel SNAS TPS module configurations with NSNAS-1.5.1 and NSNAS-TPS v1.4 ....... 13

Chapter 1: OverviewTPS and the Remediation Module

CHAPTER 1

OVERVIEW

This chapter describes the Nortel Threat Protection System (TPS) Remediation Module for Nortel Secure Network Access Switch (NSNAS) and the products in the Nortel TPS that use it.

IMPORTANT! Beginning with Release 4.7 software, 3D Sensors refer to both Intrusion Sensors and RTI Sensors. A 3D Sensor is able to have Intrusion Sensing (IPS/IDS) and/or RTI capabilities.

TPS and the Remediation Module

The Nortel TPS is a fully integrated security monitoring system that identifies network threats, network assets, and known vulnerabilities in those assets. The TPS Remediation Module for NSNAS (Nortel Secure Network Access Switch) is an application programming interface (API) module supported on the TPS Defense Center (DC) and TPS Real-time Threat Intelligence (RTI) Sensors, and it is available through the Policy and Response feature.

You can use the Policy and Response feature to build compliance policies. The compliance policies describe the type of activity that constitutes a policy violation. Using the TPS Remediation Module for NSNAS, you can create and upload custom remediation modules to respond to policy violations. When a rule within a compliance policy is violated, the Defense Center or RTI Sensor can launch remediations, such as blocking a host at the firewall or router when it violates a policy, or sending any combination of the following responses: email alerts, Simple Network Management Protocol (SNMP) alerts, or syslog alerts.

Defense Center

The Nortel TPS 2070 DC is the central management point of the TPS. The DC provides remote management of Intrusion Sensors (IS) and RTI Sensors and also allows the following:

• Review and evaluation of the data from the sensors
• Configuration of settings on the sensors
• Distribution of software and rules updates to the sensors
• Response to policy violations by launching remediations

NORTEL SECURE NETWORK ACCESS REMEDIATION MODULE FOR THREAT PROTECTION SYSTEM RELEASE 4.7 PAGE 4


Real-time Threat Intelligence

Nortel RTI Sensors provide understanding of network topology by:

• providing an up-to-the-minute mapping of network infrastructure
• generating events when changes are observed
• responding to suspicious activity by sending alerts and launching remediations

The RTI Sensors passively discover network hosts by continuously monitoring network traffic to identify the operating system, protocols, and services running on each host on the network. The process of continuous network discovery maps each monitored network segment without interacting with any hosts. Information gathered by RTI Sensors is provided in a network map and table views.

TPS Remediation Module for NSNAS

The Nortel TPS Remediation Module for NSNAS is an application programming interface (API) software module included on the Defense Center and RTI Sensors.

The administrators can configure responses in the form of remediations on the Defense Center and the RTI Sensors.

Remediations are programs that the Defense Center or RTI Sensor runs when a compliance policy is violated. To perform a specific action, remediations use information provided in the event that triggers the violation. The administrators configure the Policy and Response Remediation feature to pass specific event information to the NSNAS.

The Nortel TPS Remediation Module for NSNAS dynamically kicks out (terminates the NSNAS session of) a client IP address that violates a compliance policy. You can create multiple instances of the remediation module, each of which represents a connection to a specific appliance.

When creating each instance, specify the configuration information necessary for the DC to establish a connection with the NSNAS. For each configured instance, add remediations that describe the action required for the appliance to perform when a policy is violated. After you configure remediations, they can be added to response groups or assigned specifically to rules within compliance policies. When the system executes these remediations, it logs events to the remediation event view and provides details about the remediation name, the policy and rule that triggers it, and the exit status message.


CHAPTER 2

INSTALLATION

This chapter describes the Nortel Threat Protection System (TPS) Remediation Module for the Nortel Secure Network Access Switch (NSNAS) remediation file installation process for the Nortel TPS 2070 Defense Center (DC) and the Nortel Real-time Threat Intelligence (RTI) Sensors.

Prerequisites to installing the TPS remediation module for NSNAS:

• Upgrade the TPS 2070 DC to release 4.6 and the RTI sensor to release 4.0.
• Obtain the latest version of the TPS remediation module, such as perlkick-1.4.tgz, from Nortel Technical Support.
• Check the compatibility of the module with the NSNAS version. For example, perlkick-1.4 only works with NSNAS version 1.5.1 and earlier.
• To install the file, see “Installing the Remediation Module.”

Installing the Remediation Module

Use the following procedure to install a Nortel TPS Remediation Module for NSNAS on a Defense Center:

1. From the TPS main page, open the Policy & Response page.

2. Select Responses.

3. Select Remediations.

4. Select Modules.

5. The Module List page appears (see Figure 1).


Figure 1 Remediation Module List page for a Defense Center

6. Click Browse to navigate to the location where you saved the file containing the remediation module.

7. Click Install.

8. The remediation module installation begins (see Figure 2).


Figure 2 Module List page after the NSNAS TPS module is installed


CHAPTER 3

CONFIGURATION

This chapter describes the configuration of the Nortel Threat Protection System (TPS) Remediation Module for Nortel Secure Network Access Switch (NSNAS).

NSNAS configuration for TPS remediation

Different configuration prerequisites for the NSNAS exist, depending on which NSNAS version you use with TPS remediation.

NSNAS Configuration for v1.5.1 and older versions

For the NSNAS TPS module to work with NSNAS-1.5.1, the following configuration changes need to be made at the NSNAS command line interface (CLI).

1. Check the NSNAS version in the NSNAS CLI, for example:

Alteon iSD NSNAS

Hardware platform: 4050

Software version: 1.5.1

IMPORTANT! Nortel recommends that you use NSNAS version 1.5.1 with the NSNAS TPS module v1.4.

2. Enable the Telnet option in the NSNAS CLI (see Figure 3).

>>Main # /cfg/sys/adm/telnet on

>>Adminstrative applications# apply

Changes applied successfully.

>>Adminstrative applications#

IMPORTANT! The NSNAS TPS module will not fire if the Telnet option is not enabled in the NSNAS CLI.


Figure 3 NSNAS CLI Configurations

Defense Center and RTI Sensor configuration

Nortel provides the following remediation module for the NSNAS:

• NSNAS TPS v1.4 (for example, perlkick-1.4.tgz) for NSNAS version 1.5.1
• TPS version 4.6 and RTI 4.0

While configuring the remediations for the NSNAS-TPS module, you do not need to provide any specific IP entries for the remediation. The Defense Center (DC) and IS policy detect the policy-violating IP address of the client and pass this address on to the TPS module. The TPS module then logs on to the NSNAS and kicks out the IP address if that address has a valid green/yellow session in the NSNAS cluster.

Because the NSNAS can also have a client machine with a red IP address (restricted privileges), if policy-violating traffic originates from such an IP address, the TPS module does not kick out that machine: the NSNAS does not have a session that corresponds to this IP address in its session table.

*In an NSNAS setup, a DHCP-enabled PC is initially put in a RED VLAN and, if it is policy compliant, it is moved to a GREEN VLAN. So an IP address in either the YELLOW or GREEN VLAN can ONLY be blocked if non-policy traffic is generated. More information on the NSNAS VLANs can be found in the “NSNAS User Manual”.
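The decision described above (the DC passes the violating client IP to the module, and only a client that holds a GREEN or YELLOW session in the NSNAS session table is actually kicked, a RED VLAN client has no session and is left alone) is modelled in the following Python example. This is an added illustration written for this page, not Nortel's perlkick module: the instance settings, the session table, the violation events and the field names (Instance, ViolationEvent, RemediationResult) are constructed assumptions, and the Telnet logon to the SNAS management IP that the real module performs is represented only by an audit line.

```python
"""Decision model for the "Kick the Client IP" remediation (added example).

Not Nortel's perlkick module. It models how the Defense Center hands the
policy-violating client IP to the remediation and how the NSNAS session table
decides whether anything is kicked. All data below is constructed sample data.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional

# Session states as the page describes them: a client in the GREEN or YELLOW
# VLAN holds a session the NSNAS can terminate; a client in the RED VLAN has
# no entry in the session table, so a kick for it cannot succeed.
KICKABLE_STATES = frozenset({"green", "yellow"})


@dataclass(frozen=True)
class Instance:
    """One remediation instance = one NSNAS (hypothetical field names)."""
    name: str
    snas_mip: str               # SNAS Management IP the module connects to
    username: str
    timeout_seconds: int = 10   # page default for establishing the connection


@dataclass(frozen=True)
class ViolationEvent:
    """The parts of a compliance-policy violation event the module uses."""
    policy: str
    rule: str
    client_ip: str


@dataclass(frozen=True)
class RemediationResult:
    """What the remediation event view records: name, policy, rule, exit status."""
    remediation_name: str
    policy: str
    rule: str
    kicked: bool
    exit_status: str


def lookup_session(session_table: Dict[str, str], client_ip: str) -> Optional[str]:
    """Return the session state ('green'/'yellow') for client_ip, or None.

    The address is parsed and re-serialised so the lookup key is canonical;
    anything unparsable is treated as 'no session' rather than raising.
    """
    try:
        key = str(ipaddress.ip_address(client_ip))
    except ValueError:
        return None
    return session_table.get(key)


def kick_client_ip(remediation_name: str, instance: Instance,
                   event: ViolationEvent, session_table: Dict[str, str],
                   audit_log: List[str]) -> RemediationResult:
    """Run the kick decision for one event and record the outcome."""
    state = lookup_session(session_table, event.client_ip)
    if state is None:
        status = (f"{event.client_ip}: no session on {instance.name} "
                  f"(RED VLAN or unknown client); nothing to kick")
        kicked = False
    elif state not in KICKABLE_STATES:
        status = f"{event.client_ip}: session state {state!r} is not kickable"
        kicked = False
    else:
        # The real module would log on to instance.snas_mip (within
        # timeout_seconds) and terminate the session; modelled here by
        # removing the table entry so a repeated event is a no-op.
        del session_table[str(ipaddress.ip_address(event.client_ip))]
        status = f"{event.client_ip}: kicked ({state} session) via {instance.snas_mip}"
        kicked = True
    audit_log.append(f"remediation={remediation_name} policy={event.policy} "
                     f"rule={event.rule} exit_status={status}")
    return RemediationResult(remediation_name, event.policy, event.rule, kicked, status)


def run_sample() -> List[RemediationResult]:
    """Constructed sample: two kickable clients, one RED client, one bad IP."""
    instance = Instance("my_inst1", "192.0.2.10", "admin")      # RFC 5737 sample MIP
    sessions = {"192.0.2.101": "green", "192.0.2.102": "yellow"}  # no entry for RED
    events = [
        ViolationEvent("no-p2p", "rule-1", "192.0.2.101"),
        ViolationEvent("no-p2p", "rule-1", "192.0.2.102"),
        ViolationEvent("no-p2p", "rule-1", "192.0.2.150"),   # RED VLAN client
        ViolationEvent("no-p2p", "rule-2", "not-an-ip"),
        ViolationEvent("no-p2p", "rule-1", "192.0.2.101"),   # already kicked
    ]
    log: List[str] = []
    return [kick_client_ip("my_rem1", instance, ev, sessions, log) for ev in events]


if __name__ == "__main__":
    for result in run_sample():
        print(result.exit_status)
```

The exit status strings play the role of the exit status message the Defense Center logs in the remediation event view together with the remediation name, policy and rule; the fifth event shows that a second violation from an already-kicked client produces a "no session" outcome rather than an error.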


Creating remediations for the Defense Center and RTI Sensors

On the Defense Center, add a remediation instance for each NSNAS used with the Defense Center. Create specific remediations for each instance, based on the type of response required on the NSNAS when compliance policies are violated. Once remediations have been created, they can be assigned to specific compliance policy rules.

Instances and the Defense Center and RTI Sensors

After installing NSNAS-TPS Module in the DC, an instance can be added. If there are multiple NSNAS requiring remediations, a separate instance must be created for each NSNAS.

Adding an NSNAS instance

Use the following procedure to add an NSNAS instance.

1. From the TPS main page, open the Policy & Response menu.

2. Select Response.

3. Select Remediations.

4. Select Instances. The Remediation Instance List page appears.

5. Click Add. The Edit Remediation Instance page appears.

6. Type a name for the instance in the Instance Name field.

7. Add a description in the Description field (optional).

8. Add the SNAS Management IP in the SNAS MIP field.

9. Add the administrator username and password in the Username and Password fields.

10. Enter the default timeout value in seconds for establishing a connection to the SNAS MIP. The default is 10 seconds.

11. Click Create. The instance is created and remediations appear in the Configured Remediations section of the page.

Kick the Client-IP remediation

A Kick IP remediation kicks a client IP address from the NSNAS if any traffic is sent to the destination host included in the compliance policy violation event.


Adding a Kick the Client-IP remediation

From the TPS main page, open the Policy & Response menu.

1. Select Responses.

2. Select Remediations.

3. Select Instances. The Remediation Instance List page appears.

4. Select an instance from the Configured Instances list.

5. To view the selected instance, under Actions, click View. The Edit Remediation Instance page appears.

6. In the Configured Remediations section of the page, select Kick the Client IP in the Add a new remediation of type box.

7. In the Add a New Instance section, click Add. The Edit Instance page appears.

8. Type a name for the remediation in the Remediation Name field. As an option, enter a description of the remediation in the Description field.

9. Click Create. The remediation is created.

10. Click Save. The remediation is saved.

11. Click Done to return to the Edit Remediation Instance page.


APPENDIX A

CONFIGURATION EXAMPLES

This appendix provides two examples of configuration for the Nortel TPS Remediation Module for NSNAS.

Nortel SNAS TPS module configurations with NSNAS-1.5.1 and NSNAS-TPS v1.4

The following is a configuration example on a Defense Center for the remediation module, using the NSNAS TPS module v1.4 with NSNAS-1.5.1.

After installation is complete, use the following procedure to add an NSNAS instance that kicks a client IP address if non-compliant traffic is generated.

1. Open the Policy & Response page.

2. Select Responses.

3. Select Remediations.

4. The Remediation List page appears (see Figure 4).

5. Select view Nortel SNAS from the Actions list (see Figure 5).

6. Click Add. The Edit Instances page appears (see Figure 6).

7. In the Instance Name entry field, type the name of the instance to add.

8. In the SNAS MIP field, type the IP address of the SNAS Management IP.

9. In the Username field, type the username for the NSNAS CLI login.

10. In the Password field, type the user’s password.

11. Type the password in the Retype to confirm field.

12. Enter the required Timeout value for establishing the connection.

13. Click Create. The Edit Instances/Configured Remediations page appears (see Figure 8).

14. From the Add a new remediation of type list, select Kick the Client IP.


15. Click Add. The Edit Remediation page appears (see Figure 8).

16. In the Remediation Name field, type the remediation name, for example my_rem1 (see Figure 9).

17. Click Create. The created new remediation my_rem1 page appears (see Figure 10).

18. Click Save.

19. Click Done.

20. Select Instances from the main menu. The Edit Instance/Configured Remediations page appears (see Figure 12).

Figure 4 Remediation List Page


Figure 5 NSNAS TPS Module details

Figure 6 Edit Instances Page


Figure 7 Filling up the Instances page.

Figure 8 Creating an Instance “my_inst1”


Figure 9 Edit Remediations Page

Figure 10 Adding remediation “my_rem1”


Figure 11 Instance detail page after creating a remediation

Figure 12 Configured Instances for NSNAS TPS module


Nortel Secure Network Access Remediation Module for Threat Protection System

Copyright © Nortel Networks Limited 2007. All Rights Reserved.

Release 4.7

Publication: NN47240-102 (320909-B)
Document status: Standard
Document revision: 01.01
Document release date: 3 December, 2007

To provide feedback, or to report a problem in this document, go to www.nortel.com/documentfeedback

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.