H3C SecCenter IPS Manager Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5
4 Figure 4 Uninstall the IPS Manager 3. Restart the operating system. 4. Remove all files and subdirectories under the SecCenter installation dir
5 System management The system management component of the IPS Manager is mainly used to configure IPS devices to be managed by the H3C SecCenter. T
6 Table 2 Fields of the device group list Field Description Device Group Name Name for the device group Description Description of the device group
7 Configuration guide From the navigation tree of the system management component, select Access Template List under Device Management. The access te
8 4. Click Apply. Figure 8 Add a template Table 6 Template configuration items Item Description Template Name Required Type a name for the templa
9 Item Description Telnet Password Optional Specify the password for telneting to the device. IMPORTANT: The strength of the password must meet the
10 Table 7 Device management functions Function Description Device list Allows you to view details about devices, modify the access parameters, exp
11 Adding a device After completing device group and template configuration, you can add devices to be managed. Only after you add devices successful
12 Item Description Device Group Required Select a device group for the device. By default, the device group named default is selected. Time Calibra
13 Item Description Authentication Username Required when SNMP version is SNMPv3. Type the username for authentication. Authentication Protocol Requ
Copyright © 2009-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
14 Figure 12 Event management page Table 11 Event management functions Function Description Device event list Displays detailed information of th
15 Device interface event list On the device interface event management page, you can set the query conditions to query specific interface events, vi
16 4. Click the alarm time points, or drag the cursor to select time periods. The system will raise alarms by the specified means when the specified
17 Configuration guide From the navigation tree of the system management component, select Operators under Operator Management. The operator manageme
18 Figure 16 Add an operator Table 19 Operator configuration items Item Description Login Name Type a name for the operator. The login name can co
19 Figure 17 Operation log management page Table 20 describes the operation log query options. You can use any combination of the options to query
20 Figure 18 Change your login password Table 22 Configuration items for changing your password Item Description Old Password Required Type the cu
21 Figure 19 Service parameter configuration page CAUTION: On the service parameter configuration page, the IPS related configuration items are En
22 Figure 20 Management port configuration page Table 24 Management port configuration items Item Description Stream Logs Port Required Type the p
23 Configuration guide 1. From the navigation tree of the system management component, select Mail Server under System Config. The Configure Mail Se
Preface The H3C SecCenter IPS Manager Configuration Guide describes Installation and uninstallation, System management, IPS management and Configurati
24 Item Description Send to Optional Type an email address and click Test. An email will be sent to the email box for testing. Configuring SMS alarm
25 Configuration guide From the navigation tree of the system management component, select Filter Management under System Config. The filter manageme
26 Figure 24 Add a filter Table 29 Filter configuration items Item Description Filter Name Required Type a name for the filter. The filter name ca
27 Item Description Destination Port Optional Specify the destination ports that you want the system to collect statistics on. Protocol Optional Sel
28 The Residual Disk Monitoring tab page shows the disk usage information during the last 3 hours, 36 hours, and 36 days, and the remaining disk space p
29 Figure 27 Subsystem management page Table 31 Fields of the subsystem list Field Description Server IP IP address of the subsystem server Port
30 Item Description User Name Required Specify the username for logging in to the subsystem. The username can comprise up to 40 characters and must n
31 IPS management Overview The IPS Manager allows for centralized management of IPS features of the IPS devices in the network and centralized event
32 Function Description Deleting devices Allows you to delete IPS devices. Follow these steps: 1. Select the check box before the IPS devices you wa
33 Field Description Policy Application Details Click the icon to enter the policy application configuration page. For more information, see “Confi
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a ro
34 Figure 31 Update signature files Return to IPS device management functions. Managing signature files This function allows you to add, delete, an
35 Signature files list From the navigation tree of the IPS management component, select Signature Files under Device Management to enter the signatu
36 Table 39 Configuration items for uploading a signature file Item Description Server for Managed Devices to Access Required Select the IP address o
37 Configuration guide From the navigation tree of the IPS management component, select Device Statistics under Device Management to enter the device
38 Figure 36 Snapshot Table 40 Event snapshot query options Option Description Device Select a device, a device group, or All devices from the Devi
39 Table 41 Fields of the event snapshot lists in snapshot, attack protection, and virus protection tabs Field Description Attack Event/Attack Destin
40 Figure 38 Virus protection event snapshot Figure 39 DDoS attack event snapshot
41 Displaying attack/virus/DDoS snapshot list The system presents attack, virus, and DDoS events not only through graphs but also lists. The attack/v
42 Table 42 Query options of the attack/virus snapshot list Option Description Filter Select a filter from the dropdown list to display specific att
43 Field Description Protocol Name of the protocol used by the DDoS attack Attack name Attack name of a DDoS attack Threshold Threshold of the DDo
44 • Event trend analysis during a day, week, month, and a customized period • Top N statistics reports by event, destination IP address, source IP
45 Figure 45 Virus event analysis From the navigation tree of the IPS management component, select DDoS Event Analysis under Event Analysis. The DD
46 Figure 46 DDoS attack event analysis Table 45 Event analysis query options Option Description Device Select a device, a device group, or All dev
47 Figure 47 Top 10 attack events analysis On the page, you can perform the following operations: • Click the link to export all the analysis rep
48 Figure 48 Attack event details Table 46 Attack event details query options Option Description Filter Select a filter from the dropdown list to
49 Table 47 Fields of the attack event details Field Description Time Time when the attack event occurred Src IP/MAC Source IP address Dest IP/MAC
50 NOTE: Logs are aggregated at 3 o’clock in the morning every day. When you query event information of the current month, the system displays only
51 Option Description Device Select a device, a device group, or All devices from the Device dropdown list. The system will display the relevant even
52 NOTE: Logs are aggregated at 3 o’clock in the morning every day. When you query event information of the current month, the system displays only
53 Option Description Duration Select the statistics duration. You can select Day, Week, or Month, or select Customize to specify a duration. Time S
54 Figure 53 Alarming configuration Table 52 Alarming configuration items Item Description Alarm Mode Optional The following alarm modes are availa
55 Item Description Attack Specify the system to raise alarms when detecting attack events. NOTE: You can also specify a filter for attack events so
56 Table 53 Fields of the alarm information list Field Description Time Time when the attack/virus/DDoS event occurred Device IP IP address of the
57 Function Description Authorizing operators Authorizes specific operators to perform the export tasks. Follow these steps: 1. Select the check box
58 Field Description Operation • Click the icon of a task in the Operation column to enter the export task modification page, where you can modify
59 Item Description Template Required Specify the template for the reports. The default is attack analysis report template. File Type Required Select
60 Table 58 Attack policy management functions Function Description Querying policies Allows you to query policies by policy name. Type a policy nam
61 Figure 59 Add an attack protection policy Table 60 Attack protection policy configuration items Item Description Policy Name Required Type a nam
62 Table 61 Query options on the rule management page of an attack protection policy Option Description Event Type or select an event to display the
63 Figure 61 Select a rule for the Event field Figure 62 Rule modification page Return to Attack protection policies management page. Configuring
1 Overview Introduction to H3C SecCenter IPS Manager H3C SecCenter Intrusion Prevention System (IPS) Manager is a powerful system for comprehensive a
64 Figure 63 Anti-virus policies management page Table 63 Anti-virus policy management functions Function Description Querying policies Allows you
65 Adding an anti-virus policy 1. From the navigation tree of the IPS management component, select Anti-Virus Policies under Policy Management to en
66 Figure 65 Rule management for an anti-virus policy Table 66 Query options on the rule management page of an anti-virus policy Option Description
67 Figure 66 Modify an anti-virus rule Return to Anti-virus policy management functions. Configuring policy applications A policy application refer
68 Function Description Redeploying a policy application Allows you to change the policy or change the device for a policy application. Follow these
69 3. Configure a policy application, as described in Table 71. 4. Click OK. Figure 68 Add a policy application Table 71 Policy application confi
70 Item Description Policy Application Required Enable or disable the policy application. NOTE: If you select Disable, the system saves the policy ap
71 Table 73 Fields of the attack signature list Field Description ID Event ID Event Event name CVE CVE number of the event, if any. (CVE: Common Vul
72 Figure 71 Virus category list Table 74 Query option Option Description Virus Type Select a virus type to query the corresponding viruses. Detai
73 • Policy: A policy contains one or more rules. If all rules of a policy are matched during a time period (association interval in the policy), an
2 Installation and uninstallation Installing the IPS Manager The software and hardware requirements of the IPS Manager are as follows: • Hardware: P
74 Function Description Authorizing operators Authorizes specific operators to manage the custom events. Follow these steps: 1. Select the check box
75 Figure 74 Add a custom event Table 77 Configuration items for adding a custom event Item Description Event Name Required Type a name for the cus
76 Item Description Description Required Type the description for the custom event. The string can comprise up to 40 characters. Level Required Selec
77 Figure 75 Configuration items for adding an event rule Table 78 Configuration items for adding an event rule Item Description Threshold Optional
78 Item Description Event Optional Select attack events as the match criteria. Invert selection is supported. Attack event query by event ID, descrip
79 Figure 77 Change event notification method Return to Custom event management functions. Changing the event status 1. On the custom event manage
80 Figure 79 Matched event history On the event history page, click the icon of an archived item to enter the event list page, as shown in Figure
81 Figure 81 Import and export policies Table 79 Policy import and export management functions Functions Description Policy list Allows you to vie
82 Table 81 Policy importing configuration items Item Description Device Required Select a device from which the policy is imported. Policy Type Requ
83 Configuration example Network requirements H3C SecCenter IPS Manager works with IPS devices. The IPS Manager collects logs sent by IPS devices, pr
3 3. Click Download to download the host information file, and save it to a file. Figure 2 Download the host information 4. Visit the website at
84 6. Click Add to enter the page for adding IPS devices, as shown in Figure 84. 7. Select the device, and click Add. After the device is added, th