To begin managing your HP TippingPoint system from the SMS, you must complete the following tasks:
• Add your devices to the SMS.
• Download the latest Digital Vaccine.
• Activate the Digital Vaccine on the SMS.
• Distribute the Digital Vaccine to your devices.
Add a Device to the SMS
1. On the Devices screen, click New Device.
2. In the New Device wizard, do the following:
• Specify an IP address for each device.
• Provide the Username and Password for authentication.
• Select the Device Type for the device(s).
NOTE: When you add multiple devices, all of them must use the same authentication (user name and password), and they must all be part of the same device group. Also, SSL appliances and X-Series devices cannot be added with other devices.
3. You can select the following on the Options screen:
a. Select Synchronize Device Time with SMS to synchronize time on the device with the SMS.
b. Select Configure the Device to launch the Device Configuration wizard immediately after the device(s) are added. You can also select Clone an existing device to copy settings from an existing device.
4. Click OK.
When a device is successfully added to the SMS, the device appears on the Devices screen and in the navigation tree under the All Devices node. If the device is functioning properly, the Health Status indicator is green. When you add a device, the system saves historical data for the device.
After adding devices to the SMS, you need to download, activate, and distribute the latest application-enabled digital vaccine (DV). For more information, refer to the following topics:
• “Download a Digital Vaccine from the TMC” on page 12
• “Activate a Digital Vaccine” on page 13
• “Distribute a Digital Vaccine to one or more devices” on page 13
2 Tools
The Tools menu in the SMS toolbar provides quick and convenient access to a number of tools, utilities, and services that enable you to look up information for source and destination addresses, diagnose and resolve issues, and help ensure the security of your network.
IP Lookup
The IP Lookup utility enables you to specify an IP address and query a variety of information about the host or domain, including geographical location, domain name server, “who is” information, and so on.
Available lookup services include the following:
• Geo Locator — Performs a lookup in the Geo locator database. For more information about the Geo locator database, see “Geo Locator Database” on page 307.
• Named Resource — Searches for an IP address in the list of named resources in the SMS. If found, the most specific match will be shown. For more information about named resources, see “Named Resources” on page 299.
• DNS — Performs a reverse DNS lookup on the specified IP address.
• User Id — Performs a query for the address in the User ID database. If found, results show the user associated with the specified address. For more information, see “User ID IP Correlation” on page 304.
• Who Is — Displays registration information, based on the American Registry for Internet Numbers (ARIN). Typical information includes the name and address of the entity that registered the domain.
• Reputation — Displays reputation properties for the IP address, based on entries in the reputation database. This service is available whether or not you have a subscription for Reputation DV.
• End Point Attributes — Displays the end point attributes associated with a specified IP address.
You can run these services manually from the SMS client, or you can configure the SMS to run many of these services automatically. For more information, see “IP Address Identifier” on page 302.
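An added example, not taken from the HP TippingPoint documentation: the "most specific match" behaviour described for the Named Resource lookup, written as a longest-prefix match in Python. The resource names and address ranges are constructed, and how the SMS implements this lookup internally is an assumption.

```python
import ipaddress

# Constructed named resources (hypothetical names and ranges, not from an SMS).
NAMED_RESOURCES = {
    "Corp-Network": "10.0.0.0/8",
    "Datacenter-East": "10.20.0.0/16",
    "DMZ-Web": "10.20.30.0/24",
    "Mail-Gateway": "10.20.30.25/32",
    "Guest-WiFi": "192.168.50.0/24",
    "Lab-v6": "2001:db8:aa::/48",
}


def build_index(resources):
    """Parse every range once and order it from narrowest to widest."""
    index = []
    for name, cidr in resources.items():
        # strict=True rejects entries with host bits set, e.g. 10.20.30.1/24.
        index.append((ipaddress.ip_network(cidr, strict=True), name))
    # Longest prefix first, so the first containing network is the most specific.
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def most_specific_match(index, address):
    """Return (name, network) for the narrowest resource containing address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None  # not an IP address (a host name would need DNS first)
    for net, name in index:
        # Compare only within the same address family (IPv4 vs IPv6).
        if ip.version == net.version and ip in net:
            return name, str(net)
    return None


if __name__ == "__main__":
    idx = build_index(NAMED_RESOURCES)
    for addr in ("10.20.30.25", "10.20.30.7", "10.1.1.1", "8.8.8.8"):
        print(addr, "->", most_specific_match(idx, addr))
```

An address inside several overlapping ranges resolves to the narrowest one, which is why a single host entry wins over the subnet and site ranges that also contain it.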
Use the IP Lookup Utility
1. On any screen, click Tools in the top menu bar, and then select IP Lookup and the lookup service entry for the information you want to look up.
NOTE: Select Multiple Lookups to use multiple lookup services for your query. Or you can manually select multiple lookup services in the IP Address/Host Lookup query window.
2. Enter an IP address or host name in the required field.
3. Click Lookup.
Results display in the lower, tabbed section of the window.
4. Click Copy All to Clipboard to copy the contents of the active tab to your clipboard, or click Close to close the query window.
As you review attack events, you may need to locate administrative contacts for domains. The SMS provides a WhoIs utility for finding these contacts through the Events screen. The utility can run while you review events.
In the Events workspace, right-click a table entry, select IP Lookup > WhoIs, and then select the menu option for the address you want to look up: Src Addr, Client Addr, or Dst Addr.
TMC
The Threat Management Center (TMC) is an HP TippingPoint service center that monitors sensors around the world for the latest attack information and builds and distributes attack filters. The TMC Web site also serves as a central repository for product documentation, FAQs, the HP TippingPoint Knowledge Base, and related information.
Access the TMC
1. In any screen, select Tools > TMC from the top menu bar.
2. From the TMC, click the Login tab.
3. Log into the TMC using your username and password.
4. If you are not a registered TMC user, click the Register link.
ThreatLinQ
ThreatLinQ works with the TMC to collect and analyze information about the security posture of the Internet. Globally aggregated information about filters, source IP addresses and source/destination ports is displayed and can be used to enhance the security of your network.
Data that ThreatLinQ collects could be sensitive; therefore, the ThreatLinQ event sharing option is not enabled in the default SMS configuration. If you enable ThreatLinQ event sharing, you have the option to hide all or some of the IP addresses in the data ThreatLinQ collects. The event sharing option also includes the hit count and filter number. For more information about the ThreatLinQ event sharing option, see “Configure Security Preferences” on page 9.
When ThreatLinQ is enabled, the SMS uploads the aggregated events during the last calendar day. This shared data helps ThreatLinQ to provide a complete picture of world security and where the attacks originate.
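An added example, not part of the HP TippingPoint documentation: a Python sketch of what hiding "all or some" IP addresses does to a one-day summary of filter numbers and hit counts before it is shared. The event layout, filter numbers, addresses and the hidden range are constructed, and the format the SMS actually uploads is not described here.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed events: (timestamp, filter number, source IP, destination IP).
EVENTS = [
    ("2024-05-01T09:15:00", 1234, "203.0.113.7", "10.1.1.10"),
    ("2024-05-01T09:16:30", 1234, "203.0.113.7", "10.1.1.11"),
    ("2024-05-01T17:40:02", 1234, "203.0.113.7", "10.1.1.10"),
    ("2024-05-01T23:59:59", 5678, "10.1.1.10", "198.51.100.20"),
    ("2024-05-02T00:00:01", 5678, "10.1.1.10", "198.51.100.20"),  # next day
]

# Assumed policy for hiding "some" addresses: anything in these ranges.
HIDDEN = [ipaddress.ip_network("10.0.0.0/8")]


def mask(addr, hidden, hide_all=False):
    """Return a placeholder when the policy says the address must be hidden."""
    ip = ipaddress.ip_address(addr)
    if hide_all or any(ip in net for net in hidden):
        return "hidden"
    return addr


def daily_summary(events, day, hidden, hide_all=False):
    """Aggregate one calendar day (YYYY-MM-DD) into {(filter, src, dst): hits}."""
    counts = Counter()
    for ts, filter_no, src, dst in events:
        if datetime.fromisoformat(ts).date().isoformat() != day:
            continue  # only the requested calendar day is summarised
        key = (filter_no, mask(src, hidden, hide_all), mask(dst, hidden, hide_all))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, kwargs in (("none hidden", {"hidden": []}),
                          ("internal hidden", {"hidden": HIDDEN}),
                          ("all hidden", {"hidden": [], "hide_all": True})):
        print(label, daily_summary(EVENTS, "2024-05-01", **kwargs))
```

With the internal range hidden, the two internal targets collapse into a single row: the filter number and hit count remain, while the summary no longer shows which internal hosts were involved.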
Access ThreatLinQ
Do one of the following:
• On any screen, click Tools in the top menu bar, and select ThreatLinQ.
• In the Events workspace, right-click an events entry, and select ThreatLinQ.
• In the Profiles workspace, right-click an entry in one of the filter lists, and select ThreatLinQ > Filter Info.
Diagnostics
Use the SMS Diagnostic Toolkit in connection with HP TippingPoint support staff to help diagnose and resolve issues.
Launch the SMS Diagnostic Toolkit
• On any screen, click Tools in the top menu bar, and select Diagnostics.
IDResolver
The SMS can be configured to retrieve user information from an A10 Networks appliance through an Internet Protocol to Identity service. This service provides information about a user based on a host association entry on the A10 appliance.
To configure integration between the SMS and an A10 Networks appliance, the location and login credentials of the A10 Networks appliance must be identified to the SMS server. The IDResolver service provides access to IP address information for A10 Networks.
Configure and Enable IDResolver
1. Select Admin in the SMS toolbar to open the Admin workspace.
2. Select Server Properties in the navigation pane.
3. On the Server Properties page, select the Integration tab.
4. Click Edit to open the Edit IDResolver Server dialog, and provide the following information:
• Address and Port
• User Name and Password
• Select a value for Password Encryption.
• Specify a numerical value for Timeout.
5. Click OK to close the Edit IDResolver Server dialog and return to the Integration tab.
6. Click Enable to enable IDResolver.
Query IDResolver
1. In the SMS client, select a table entry that displays an IP address that is part of an A10-managed network.
2. Right-click the entry, and select Query IDResolver from the list of options.
3. In the Query IDResolver dialog, select an entry in the Query Results table.
The information is displayed in table form.
3 Dashboard
The SMS dashboard provides at-a-glance insight into your network security status with charts and graphs that continuously update to reflect the health, status, and events related to your system. This overview, composed of configurable color-coded charts and tables, is the starting point for:
• Monitoring application visibility and utilization
• Troubleshooting events and issues on your network
• Monitoring security alerts or issues
• Capacity planning
With the dashboard continuously displayed on a monitor in your Network Operation Center (NOC) or Security Operation Center (SOC), the SMS can alert you when there is an issue on your network, and the dashboard enables you to drill down quickly to view the details.
NOTE: If you are logged in to multiple SMS servers, the client uses a tabbed view to display each SMS dashboard. Click a tab to display the dashboard for that particular SMS.