
Defining Sensors and Analyzers

In document version 1.0 Installation Guide (Page 59-160)

This chapter contains the steps needed to complete the Sensor and Analyzer configuration procedure necessary for a StoneGate IPS installation. For instructions on how to install the Sensors and Analyzers, please refer to their respective chapters.

This chapter includes the following sections:

Starting the StoneGate Management Center, on page 60

Defining an Analyzer, on page 63

Defining Logical Interfaces, on page 66

Defining a Sensor Cluster, on page 67

Defining a Single Sensor, on page 73

Defining a Combined Sensor/Analyzer, on page 77

Configuring Routing, on page 81

Configuring IP Addressing for NAT, on page 83

Saving the Initial Configuration, on page 89.

Chapter 5: Defining Sensors and Analyzers


Starting the StoneGate Management Center

When starting the StoneGate Management Center for the first time, the following steps need to be completed:

1. Start the Management Server as instructed in Starting the Management Server, on page 60.

2. Activate the StoneGate IPS licenses in the GUI client as instructed in Starting the GUI Client, on page 60 and Installing StoneGate IPS Licenses, on page 62.

3. Start the Log Server as instructed in Starting the Log Server, on page 62.

Starting the Management Server

If the Management Server has been installed as a service, the server is started during the operating system boot process. In Windows, the StoneGate Management Server service can be started and stopped manually from Control Panel→Services in Windows NT or Control Panel→Administrative Tools→Services in Windows 2000.

▼ To start the Management Server manually

♦ In Windows, start the Management Server by selecting Start→Programs→StoneGate→Management Server. The management database is started automatically by the Management Server.

♦ In Linux and Solaris, start the Management Server by running the script SG_HOME/bin/sgStartMgtSrv.sh. The management database is started automatically by the Management Server.

Starting the GUI Client

For configuring StoneGate IPS, the GUI client is used for connecting to the Management Center.

▼ To start the GUI client

1. Start the GUI client:

• In Windows, select Start→Programs→StoneGate→Administration Client.

• In Linux and Solaris, run the script SG_HOME/bin/sgClient.sh.


ILLUSTRATION 5.1 GUI Client Login

2. Log in using a Superuser level administrator account specified during the installation and connect to the Management Server’s IP address.

ILLUSTRATION 5.2 Checking the CA Certificate Fingerprint

3. During the first login, the Management Server is authenticated with a certificate.

Compare the presented certificate fingerprint of the Certificate Authority to the certificate’s fingerprint on the Management Server. To check the certificate fingerprint of the Certificate Authority:

• In Windows, select Start→Programs→StoneGate→Show Fingerprint on the Management Server.

Chapter 5: Defining Sensors and Analyzers

62

Installing StoneGate IPS Licenses

To configure StoneGate IPS, the licenses need to be installed and activated. After receiving the license ID and the proof-of-license from your StoneGate reseller, the StoneGate IPS licenses can be obtained from the Stonesoft Web site at http://www.stonesoft.com/licenses/. Evaluation licenses can also be requested from this Web site.

▼ To install StoneGate IPS licenses

1. In the StoneGate Control Panel, open the Admin Tools by selecting Manage→Admin Tools from the menu or by clicking the Admin Tools icon in the toolbar.

ILLUSTRATION 5.3 Admin Tools

2. Import the licenses from a .jar license file by selecting File→Import Licence(s) from the menu or by clicking the Import Licence(s) icon on the toolbar.

3. Check the displayed license information.

4. Right-click on a licence to open a contextual menu and select Activate.

Starting the Log Server

If the Log Server has been installed as a service, the server is started during the operating system boot process. In Windows, the StoneGate Log Server service can be started and stopped manually from Control Panel→Services.



Note – Running the Log Server requires a valid license. First, install the license as explained in Installing StoneGate IPS Licenses, on page 62.

▼ To start the Log Server manually

♦ In Windows, select Start→Programs→StoneGate→Log Server.

♦ In Linux and Solaris, run the SG_HOME/bin/sgStartLogSrv.sh script.

Defining an Analyzer

Before creating Sensor elements, an Analyzer element needs to be created. This section covers the basic configuration of an Analyzer element. For complete instructions on configuring Analyzer properties, please see the StoneGate IPS Administrator’s Guide.

In the following tasks, we will refer to the example network’s Headquarters Analyzer settings to exemplify how to configure an Analyzer. Please refer to the Example Network Scenario, on page 33.

Related Topics

! To configure a combined Sensor/Analyzer, please see Defining a Combined Sensor/Analyzer, on page 77.

▼ To define an Analyzer element

1. In the GUI client, open the Resource Manager from Manage→Resource Manager or by clicking its icon in the toolbar.

2. Click the New icon in the toolbar and select Network Element→Analyzer from the contextual menu that opens (or follow the corresponding path in the File→New menu). The Analyzer Properties dialog opens.


ILLUSTRATION 5.4 Analyzer Properties

3. In the Name field, enter a name for the Analyzer.

4. Select the Log Server for the Analyzer from the drop-down menu.

5. Continue defining the network interfaces as explained below.

Defining the Network Interfaces

▼ To define a network interface for an Analyzer

1. In the Analyzer Properties window, select the Single Node tab and click Add Interface.


ILLUSTRATION 5.5 Network Interface Properties

2. To use the interface for the Management Server initiated control connections, select Control IP Address.

• To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.

• To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.

3. To use the interface for communication with the Log Server, select Log/Analyzer communication source IP address.

4. Select the NIC ID from the drop-down menu. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Analyzer installation.

5. Enter the IP address for this interface.

6. Enter the appropriate Netmask.

7. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Analyzer or between the Sensors and the Analyzer. See Configuring IP Addressing for NAT, on page 83.


10. Click OK to apply the changes or continue with the Analyzer element configuration.

Related Topics

! Configuring Routing, on page 81

! Configuring IP Addressing for NAT, on page 83

! Saving the Initial Configuration, on page 89

For detailed instructions on configuring the Analyzer, please see StoneGate IPS Administrator’s Guide.

Defining Logical Interfaces

The captured traffic is directed from the Capture Interfaces to Logical Interfaces. The Logical Interface is then used in the Sensor rule base as an entry point for the traffic to be inspected. Each Capture Interface has a defined Logical Interface:

• for SPAN port mode, each Capture Interface has its own Logical Interface.

• for wire TAP mode, the two related Capture Interfaces have the same Logical Interface.

With Capture Interfaces in network TAP mode, the two directions of the network traffic are carried on separate wires. For this reason, two Capture Interfaces are defined for a network TAP: one Capture Interface for each direction of the traffic. The two related Capture Interfaces are handled as one Logical Interface that combines the traffic of these two interfaces for inspection.

Before being able to define Capture Interfaces for Sensor elements, you first need to define Logical Interfaces for them.

▼ To define a Logical Interface

1. In the GUI client, open the Resource Manager from Manage→Resource Manager or by clicking its icon in the toolbar.

2. Click the New icon in the toolbar and select Intrusion Detection→Logical Interface from the contextual menu that opens (or follow the corresponding path in the File→New menu). The Logical Interface Properties dialog opens.


ILLUSTRATION 5.6 Logical Interface Properties

3. In the Name field, enter a name for the logical interface (e.g., “HQ DMZ”).

4. Click OK to accept the changes.

This defined Logical Interface can now be used for defining the Sensors’ Capture Interfaces. The Logical Interface is then used as an entry point for the inspected traffic in the Sensor policy.

Defining a Sensor Cluster

This section covers the basic configuration of a Sensor cluster element. For complete instructions on configuring the Sensor cluster, please see StoneGate IPS Administrator’s Guide.

In the following tasks, we will refer to the example network’s Headquarters Sensor cluster settings to illustrate how to configure a Sensor cluster. Please refer to the Example Network Scenario, on page 33.

▼ To define a Sensor Cluster

1. In the GUI client, open the Resource Manager from Manage→Resource Manager or by clicking its icon in the toolbar.

2. Click the New icon in the toolbar and select Network Element→Sensor Cluster from the contextual menu that opens (or follow the corresponding path


ILLUSTRATION 5.7 Sensor Cluster Properties

3. In the Name field, enter a name for the Sensor cluster.

4. Select the Analyzer for the Sensor cluster from the list.

5. Continue with the network interface configuration as explained below.

Defining the Cluster Network Interfaces

▼ To define an NDI for a Sensor cluster

1. In the Cluster tab, click Add Interface.


ILLUSTRATION 5.8 Cluster-Level Properties of a Node Dedicated Interface

2. For the Type, select Node Dedicated Interface.

3. For the NDI Mode, there are three optional settings. To use the NDI for heartbeat, select Heartbeat.

• If the NDI is used as the primary heartbeat interface, select Primary.

• If the NDI is used for backing up the primary heartbeat interface, select Backup.

Note – Heartbeat and state synchronization (which takes place on the same interface) are time-critical communications, and network latency from other traffic may interfere with them. Therefore, it is recommended that the heartbeat network is dedicated only for this purpose.

4. To use the interface for Management Server initiated control connections, select Control IP Address.

• To define the primary control IP address, select Primary. Only one interface can be selected as primary for the control connections.

• To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.


▼ To define Capture Interfaces for a Sensor cluster

1. In the Sensor Cluster Properties window, select the Cluster tab and click Add Interface.

Note – Logical Interfaces need to be defined before being able to define Capture Interfaces: see Defining Logical Interfaces, on page 66.

ILLUSTRATION 5.9 Capture Interface Properties

2. For the Type, select Capture Interface.

3. Select the Capture Interface Mode according to your network environment as follows (see Checking the Surrounding Network Environment, on page 31):

3.1 For Capture Interface mode, select either SPAN port or Wire TAP, according to the corresponding network connection of the interface.

Note – For Wire TAP mode, two Capture Interfaces need to be defined for the same Logical Interface: one Capture Interface for each direction of the traffic.

3.2 For Logical Interface, link the Capture Interface to the selected Logical Interface.

3.3 Optionally, define which Reset Interface this capture interface uses for TCP connection termination, if any.

4. Select the NIC ID for the Capture Interface. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.

The IP address, Netmask, and MAC address for an NDI are defined in the node specific properties of each node as described below.


Defining the Node Specific Properties

After defining your network interfaces at the cluster level, continue the Sensor cluster configuration by defining the node specific properties. By default, the Cluster Properties window displays two nodes in the Nodes tab. In case you have more than two nodes in your cluster, you need to add more nodes to the cluster properties as described in Adding a Node to the Cluster, on page 73.

▼ To define an NDI for a node

1. In the Sensor Cluster Properties window, select the Nodes tab.

ILLUSTRATION 5.10 Sensor Cluster Node Properties

2. On the Nodes list, click on the row of the node to be configured.

3. Define a name for the node by clicking on the cell in the Name column (Node 1 and Node 2 by default).

4. After selecting the node from the Nodes list, double-click on the line of the


ILLUSTRATION 5.11 Node Dedicated Interface Properties

5. In the Interface Properties window, define the IP Address for the interface.

6. Define the corresponding Netmask for the interface.

7. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Sensor. See Configuring IP Addressing for NAT, on page 83.

8. Complete the above steps for all NDIs in each of the nodes.

9. After configuring the network interfaces, write down the networks to which each NIC ID is connected. This information is needed during the Sensor installation when mapping the actual physical network interfaces to NIC IDs.

• You can use the Installation Worksheet, on page 109 for writing down the NIC ID configuration.

10. Click OK to validate the cluster’s interface configuration.

11. Continue in Configuring Routing, on page 81.

Related Topics

! Configuring Routing, on page 81

! Configuring IP Addressing for NAT, on page 83

! Saving the Initial Configuration, on page 89

For instructions on configuring other necessary settings such as the Sensor policy, please see the StoneGate IPS Administrator’s Guide.


Adding a Node to the Cluster

By default, the Cluster Properties window displays two nodes in the Nodes tab. In case you have more than two nodes in your cluster, you need to add more nodes to the cluster properties as described below. StoneGate IPS supports up to 16 nodes in one Sensor cluster. After adding the required nodes, you can define the node specific properties as described in Defining the Node Specific Properties, on page 71.

▼ To add a node to the cluster

1. In the Sensor Cluster Properties window, select the Nodes tab.

2. To add a node to the cluster, click Add Node .

3. Define a name for the node by clicking on the cell in the Name column.

4. Define the node specific properties as described in Defining the Node Specific Properties, on page 71.
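The interface rules stated in this chapter (only one primary control IP address, with any number of backups; one Capture Interface per Logical Interface in SPAN port mode and two in wire TAP mode; Capture Interfaces linked only to Logical Interfaces that already exist; at most 16 nodes in a cluster) can be checked before the configuration is saved. The Python below is an added example written for this page, not part of the guide or of the StoneGate product; the element names and NIC IDs are constructed, and treating a missing primary control address as an error is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CLUSTER_NODES = 16  # the guide's limit for nodes in one Sensor cluster
CAPTURES_PER_LOGICAL = {"span": 1, "wiretap": 2}  # SPAN: one capture; wire TAP: one per direction

@dataclass
class NDI:
    """Node Dedicated Interface: its NIC ID and control IP role."""
    nic_id: int
    control: Optional[str] = None  # "primary", "backup" or None

@dataclass
class CaptureInterface:
    nic_id: int
    mode: str               # "span" or "wiretap"
    logical_interface: str  # Logical Interface the captured traffic is directed to

def validate_element(ndis: List[NDI], captures: List[CaptureInterface],
                     logical_interfaces: List[str], nodes: int = 1) -> List[str]:
    """Return the violations found; empty means the definition follows this chapter's rules."""
    problems: List[str] = []
    # Only one primary control IP address is allowed; backups may be several.
    # Requiring at least one primary is an assumption: the Management Server
    # initiates the control connections and needs an address to contact.
    primaries = [n.nic_id for n in ndis if n.control == "primary"]
    if len(primaries) != 1:
        problems.append("exactly one primary control IP address is required, found %d"
                        % len(primaries))
    if nodes > MAX_CLUSTER_NODES:
        problems.append("cluster has %d nodes, maximum is %d" % (nodes, MAX_CLUSTER_NODES))
    # A Capture Interface can only be linked to a Logical Interface that already exists.
    per_logical: Dict[str, List[CaptureInterface]] = {}
    for cap in captures:
        if cap.logical_interface not in logical_interfaces:
            problems.append("NIC ID %d refers to undefined Logical Interface %r"
                            % (cap.nic_id, cap.logical_interface))
        else:
            per_logical.setdefault(cap.logical_interface, []).append(cap)
    # SPAN port: one Capture Interface per Logical Interface. Wire TAP: the two
    # traffic directions are on separate wires, so two Capture Interfaces share one.
    for name, group in per_logical.items():
        modes = sorted({cap.mode for cap in group})
        if len(modes) != 1 or modes[0] not in CAPTURES_PER_LOGICAL:
            problems.append("Logical Interface %r has invalid mode set %s" % (name, modes))
        elif len(group) != CAPTURES_PER_LOGICAL[modes[0]]:
            problems.append("Logical Interface %r: %s mode expects %d Capture Interface(s), found %d"
                            % (name, modes[0], CAPTURES_PER_LOGICAL[modes[0]], len(group)))
    return problems

def hq_dmz_example() -> List[str]:
    """Constructed sample (names and NIC IDs invented) in the spirit of the guide's HQ DMZ
    Sensor: primary and backup control NDIs, one SPAN capture and one wire TAP pair."""
    ndis = [NDI(0, "primary"), NDI(1, "backup")]
    captures = [CaptureInterface(2, "span", "HQ DMZ"),
                CaptureInterface(3, "wiretap", "HQ Internal"),
                CaptureInterface(4, "wiretap", "HQ Internal")]
    return validate_element(ndis, captures, ["HQ DMZ", "HQ Internal"])

def broken_example() -> List[str]:
    """Constructed misconfiguration: two primary control addresses, a wire TAP with only
    one direction defined and a capture linked to a Logical Interface nobody created."""
    ndis = [NDI(0, "primary"), NDI(1, "primary")]
    captures = [CaptureInterface(2, "wiretap", "HQ Internal"),
                CaptureInterface(3, "span", "Undefined LI")]
    return validate_element(ndis, captures, ["HQ Internal"])
```

The same checks apply to a single Sensor and to a combined Sensor/Analyzer; only the node count differs.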

Defining a Single Sensor

This section covers the basic configuration of the Single Sensor element. A single Sensor does not have the load balancing and high availability features of a Sensor cluster. For complete instructions on configuring the single Sensor, please see the StoneGate IPS Administrator’s Guide.

In the following tasks, we will refer to the example network’s Headquarters DMZ Sensor settings to illustrate how to configure a single Sensor. Please refer to the Example Network Scenario, on page 33.

▼ To define a single Sensor

1. In the GUI client, open the Resource Manager from Manage→Resource Manager or by clicking its icon in the toolbar.

2. Click the New icon in the toolbar and select Network Element→Single Sensor from the contextual menu that opens (or follow the corresponding path in the File→New menu). The Single Sensor Properties dialog opens.


ILLUSTRATION 5.12 Single Sensor Properties

3. In the Name field, enter a name for the Sensor (e.g., “HQ DMZ Sensor”).

4. Select the Analyzer for the Sensor from the list (e.g., “HQ Analyzer”).

5. Continue defining the network interfaces as explained below.

Defining the Network Interfaces

Note – Logical Interfaces need to be defined before being able to define Capture Interfaces: see Defining Logical Interfaces, on page 66.

▼ To define an NDI for a single Sensor

1. In the Single Sensor Properties window, select the Single Node tab and click Add Interface.


ILLUSTRATION 5.13 Network Interface Properties

2. In the Type drop-down menu, select Node Dedicated Interface.

3. To use the interface for Management Server initiated control connections, select Control IP Address.

• To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.

• To define the IP address used for control connections if the primary address is unavailable, select Backup. There can be multiple backup control IP addresses defined for different interfaces.

4. To use the interface for communication with the Analyzer, select Log/Analyzer communication source IP address.

5. Select the NIC ID from the drop-down menu. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.

6. Enter the unicast IP address for this interface.

7. Enter the appropriate Netmask.

8. A Contact Address needs to be defined only if there is a NAT device between the Management Server and the Sensor. See Configuring IP Addressing for NAT, on page 83.

9. After configuring the network interfaces, write down the networks to which each


▼ To define Capture Interfaces for a single Sensor

1. In the Single Sensor Properties window, select the Single Node tab and click Add Interface.

ILLUSTRATION 5.14 Capture Interface Properties

2. For the Type, select Capture Interface.

3. Select the Capture Interface Mode according to your network environment as follows (see Checking the Surrounding Network Environment, on page 31):

3.1 For Capture Interface mode, select either SPAN port or Wire TAP, according to the corresponding network connection of the interface.

Note – For Wire TAP mode, two Capture Interfaces need to be defined for the same Logical Interface: one Capture Interface for each direction of the traffic.

3.2 For Logical Interface, link the Capture Interface to the selected Logical Interface.

3.3 Optionally, define which Reset Interface this capture interface uses for TCP connection termination, if any.

4. Select the NIC ID for the Capture Interface. The NIC ID is used for mapping physical interfaces to the StoneGate IPS interfaces during the Sensor installation.


5. Continue in Configuring Routing, on page 81.

Related Topics

! Configuring Routing, on page 81

! Configuring IP Addressing for NAT, on page 83

! Saving the Initial Configuration, on page 89

For instructions on configuring other necessary settings such as the rule base, please see the StoneGate IPS Administrator’s Guide.

Defining a Combined Sensor/Analyzer

A combined Sensor/Analyzer is a special case of StoneGate IPS installation for small network environments, where the Sensor and Analyzer are located on the same machine.

This section covers the basic configuration of the element. For complete instructions on configuring the combined Sensor/Analyzer, please see the StoneGate IPS Administrator’s Guide.

In the following tasks, we will refer to the example network’s Branch Office Sensor/Analyzer settings to exemplify how to configure a combined Sensor/Analyzer. Please refer to the Example Network Scenario, on page 33.

▼ To define a combined Sensor/Analyzer

1. In the GUI client, open the Resource Manager from Manage→Resource Manager or by clicking its icon in the toolbar.

2. Click the New icon in the toolbar and select Network Element→Combined Sensor-Analyzer from the contextual menu that opens (or follow the corresponding path in the File→New menu). The Combined Sensor-Analyzer Properties dialog opens.


ILLUSTRATION 5.15 Combined Sensor-Analyzer Properties

3. In the Name field, enter a name for the Sensor/Analyzer.

