When the firewall is added to the network, traps can be enabled:
Fw1 Dashboard -> Monitor -> IPS Attack Responses
For this configuration, the following traps were enabled for SNMP.
Firewall 2: Interfaces
The procedure used to configure Firewall 2 is the same as the procedure for Firewall 1, but with different parameters. Configure the external and internal interfaces of Fw2:
Fw2 Dashboard > Network > Interfaces > + (New)
For this configuration, the following IP addresses are added:
em0 (external): 10.10.1.2
em1 (internal): 10.10.2.2
Firewall 2: Routing
Configure the network routes and use the VRRP-e addresses configured on the NetIron ADX devices as the gateways for Fw2:
Fw2 Dashboard > Network > Routing > Static Routing > + (New)
For this configuration, the following routes are added:
Network Destination 10.10.8.0, Mask 255.255.255.0, Gateway 10.10.2.120
Network Destination 20.20.1.0, Mask 255.255.255.0, Gateway 10.10.1.120
Firewall 2: Rules
Configure the required policy rules under Administration for Fw2:
Fw2 Dashboard > Policy > Rules > + (New)
For this configuration, the following rules are added:
Login Console
Admin Console
Secure Shell Server
HTTP Proxy
HTTP Proxy_Rev (provides the reverse direction of the HTTP proxy)
SNMP
ICMP Packet Filter
ICMP Packet Filter_Rev (provides the reverse direction for the ICMP ping)
HTTP Proxy
If any of the required services are not listed when the rules are configured, create or modify them under Rule Elements first, and then add them to the Rules:
Fw2 Dashboard > Policy > Rule Element > Service > + (New)
Fw2 Dashboard > Policy > Rules > + (New)
Configure the SNMP Agent (snmpd) for SNMP v2c and v3. Add the SNMP management station where the TRAP will be sent:
Fw2 Dashboard > Policy > Rule Elements > Services > snmpd > Properties
For this configuration, the following parameters are added:
Host: 10.10.2.99
User: root1234
Community: public
The community string public used here is the well-known default. For anything beyond a test network, use a unique community string, or preferably SNMPv3 with authentication and privacy, and restrict the agent to the management station's address so that only the NMS can poll the firewall.
Configure the SNMP filter for SNMP v2c traffic:
Fw2 Dashboard -> Policy -> Application Defenses -> Defenses -> SNMP
This is the configuration after the required rules are added under Administration:
Fw2 Dashboard -> Policy -> Rules
Firewall 2: SNMP Traps
When the firewall is added to the network, traps can be enabled:
Fw2 Dashboard > Monitor > IPS Attack Responses
For this configuration, the following traps were enabled for SNMP.
Network Management
Brocade IronView Network Management (INM) can be used to alert the network operator when an issue occurs in the network. Brocade INM acts in response to the alert to protect the network and the hosts connected to it. Brocade INM can monitor, notify, and act on alerts provided by McAfee Firewall and IPS using MIBs provided by McAfee, which are added to the existing MIBs.
Loading MIBs into Brocade INM
Create new folders for the McAfee MIBs in this INM folder:
C:\ironview\htdocs\mibs
Two new folders were added:
mcafee_ips
mcafee_snmp_mibs
Compiling the MIBs
Modify the mibs_to_compile.txt file to include the McAfee MIBs, including the folder containing the MIBs:
C:\ironview\htdocs\mibs
Open mibs_to_compile.txt, change all the extensions from .txt to .mib (example circled in red below), and save and close the file. Saving and closing the file compiles the MIBs.
Registering and Customizing MIBs
Once the MIBs are compiled, their traps are listed under Event Reception, in the Not Registered section of the Trap Configuration (one example circled in red below):
Administration > Event Reception > Trap Configuration > Not Registered
Select a trap to register and customize. Customizing the trap sets the severity and the message that the network operator sees in the description field when the alert is displayed. The message can also include varbind data (a varbind is a variable that is predefined in the MIB and whose value is captured at run time).
The message field is set up with the name of the data and a pointer to the varbind it belongs to. An example: Host Sweep Alert $1, $5
In this example, the alert message for Host Sweep Alert is rendered with the varbind data from the first ($1) and fifth ($5) variables.
NOTE: This message field has a limit of 512 bytes; if the message exceeds the limit, it is truncated. Think carefully about what you want to display and be sure not to exceed the limit.
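As an added illustration of the $n convention and the 512-byte limit (example code, not part of this application note and not Brocade INM or McAfee code), the following Python renders a message template from a trap's varbinds and checks a template for placeholders the trap cannot satisfy. The sample trap, its OIDs and its values are constructed; the byte-level truncation mirrors the limit stated above, but whether INM cuts on a byte or a character boundary is not stated here, so treat that detail as an assumption.

```python
"""Render an INM-style trap message template from SNMP varbinds.

Added example, not code from Brocade INM or McAfee. Assumptions: "$n" in the
message field refers to the n-th varbind of the received trap (1-based), and
the rendered message is capped at 512 bytes. The sample trap below is
constructed; its OIDs are placeholders, not McAfee's enterprise OIDs.
"""
import re

MESSAGE_LIMIT_BYTES = 512

# Constructed sample trap: (OID, value) varbinds as they would arrive in an
# SNMPv2c TRAP PDU. The first two are the standard sysUpTime and snmpTrapOID.
SAMPLE_TRAP_VARBINDS = [
    ("1.3.6.1.2.1.1.3.0", "123456"),                   # $1 sysUpTime
    ("1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.4.1.99999.1"),  # $2 snmpTrapOID
    ("1.3.6.1.4.1.99999.2.1", "Host Sweep"),           # $3 attack name
    ("1.3.6.1.4.1.99999.2.2", "192.0.2.45"),           # $4 attacker address
    ("1.3.6.1.4.1.99999.2.3", "High"),                 # $5 severity
]

_PLACEHOLDER = re.compile(r"\$(\d+)")


def unresolved_placeholders(template, varbind_count):
    """Return the $n indices in template that no varbind can satisfy.

    Run this when a template is defined, against the varbind count of the
    trap definition in the MIB, so a typo such as $6 on a five-varbind trap
    is caught before the alert is ever displayed to an operator.
    """
    indices = {int(n) for n in _PLACEHOLDER.findall(template)}
    return sorted(i for i in indices if not 1 <= i <= varbind_count)


def render_message(template, varbinds, limit=MESSAGE_LIMIT_BYTES):
    """Substitute $n placeholders with varbind values and enforce the limit.

    Unknown indices are left in the text rather than silently dropped, so a
    misconfigured template stays visible. Truncation is done on UTF-8 bytes
    because the limit is stated in bytes; a partial multi-byte character at
    the cut point is discarded rather than emitted as garbage.
    """
    def substitute(match):
        index = int(match.group(1))
        if 1 <= index <= len(varbinds):
            return str(varbinds[index - 1][1])
        return match.group(0)

    text = _PLACEHOLDER.sub(substitute, template)
    encoded = text.encode("utf-8")
    if len(encoded) <= limit:
        return text
    return encoded[:limit].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    print(render_message("Host Sweep Alert $1, $5", SAMPLE_TRAP_VARBINDS))
    print(unresolved_placeholders("Attacker $4 seen by $6", len(SAMPLE_TRAP_VARBINDS)))
```

Run unresolved_placeholders() against each template you register; the 512-byte cut in render_message() is the reason to put the varbinds an operator needs most (attack name, attacker address) early in the template, so that they survive even when a long free-text varbind follows.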
All registered MIBs can be found in Brocade INM:
Administration > Event Reception > Trap Configuration > Registered
Event Log
All registered triggered events can be logged in the Event Log.
Event Manager -> Event Log -> Search
This is an example of a failed login.
Network Security Manager
The McAfee Network Security Manager (NSM) is required to manage IPS and provide traps.
A separate NSM server must be configured for SNMP and to forward traps to Brocade INM.
On the NSM server, make sure that you:
Start the SNMP Service if it is not started
Stop the SNMP Trap Service if it is started
Display the Services window. Select the SNMP Service and, if it is not started, click Restart the service. Select the SNMP Trap Service and, if it is started, click Stop the service.
SNMP Fault Notification
Add the SNMP server IP address to which the traps will be forwarded:
My computer > Fault Notification > SNMP > add
The server IP address added for this configuration is 20.20.1.99.
Sensor Access
Add the NMS Sensor Access IP address:
My computer > Device List > Sensor Access > NMS IP > add
The NMS IP address added for this configuration is 10.66.16.249.
IPS Settings
Add the SNMP server IP address for Alert Forwarding:
My computer -> IPS Setting -> Alert Notification -> SNMP -> add
The SNMP IP address added for this configuration is 20.20.1.99.
Appendix A: Use Cases
Use Case 1: Host Sweep Attack
When host sweep attacks occur:
1. McAfee IPS detects the attack and alerts Brocade INM.
2. Brocade INM receives the IPS attack alert and sends an Access Control List (ACL) to the Brocade switch to block the attacker and a Security Assessment (SA, an e-mail notification) to the network operator.
The assessment type is: Compromised network infrastructure equipment.
NOTE: IPS automatically alerts for host sweep attacks. The NSM must be configured to send alerts to INM (described earlier in this document).
Figure 2 illustrates the process.
Figure 2. Response to a host sweep attack
Note that before you configure an alert, you need to create it. In the Event Processor window, shown in Step 1, click New at the top of the list and follow the onscreen instructions to create the alert. In this solution, the alert is IPS_HOSTSweepAlert.
Figure 2 callouts: the stealthiest attacks are detected and thwarted by McAfee IPS; attack alerts are relayed from IPS via a Security Assessment message to INM, which then pushes an ACL to the Brocade switch to block the attacker and sends an event message to the network operator.
1. In Brocade INM, select the host sweep alert and double-click:
Event Manager > Event Processor > IPS_HOSTSweepAlert
2. The Edit Event Action dialog box appears, in which you can enter a name and description. Click Next.
3. The Events window shows the traps currently selected from all available traps. Set Varbind filters to Yes and click Next.
4. Configure senders for the alert (Brocade devices that can send alerts):
Event Manager > Event Processor > Event Actions > Edit Event Action > Senders
5. Configure the policy for the alert (under what conditions to send the alert):
Event Manager > Event Processor > Event Actions > Edit Event Action > Policy
6. Configure the actions to take when a trap is received. Select Deploy CLI Config, and click More.
Event Manager > Event Processor > Event Actions > Edit Event Action > Action Group > Actions
If you want to send an e-mail notification to the network operator when an alert is triggered, you can configure it at this point. See the product documentation for instructions on how to set up a Security Assessment (SA) e-mail alert.
7. Click the Global Configuration tab in the CLI Configuration Manager (note that Demo CLI, shown in the window below, was created for this solution testing) and select the CLI option to configure. Whatever you configure in the CLI Configuration Manager is sent to the global configuration mode of the Brocade device you will select to act upon.
8. Select the CLI Commands tab to configure the CLI commands that will be executed on the Brocade switch in response to an alert. Enter the CLI parameter, select the type of variable from the drop-down menu, and click Insert and then Save.
Saving the CLI commands returns you to the CLI Configuration Manager; closing that window returns you to the Actions window shown in Step 6, where the CLI parameter you configured now appears in the Parameters list. You can then map the parameter to the varbind of the trap. Because the mapped value is taken from the received trap and substituted into a command executed on the switch, choose the narrowest variable type the drop-down menu offers for the parameter and, in Step 4, restrict the senders so that only the NSM can trigger the action.
You can find these procedures explained in greater detail in the Brocade INM product documentation.
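The following Python is an added example (not Brocade INM or McAfee code, and not part of this application note) of the check a practitioner would want in front of the action configured in Steps 6 to 8: the trap's varbind is mapped to a CLI parameter and substituted into commands that are pushed to the switch, so the value must be confirmed to be a single blockable address before it reaches a command line, and the trap must be the one the action is bound to. The trap OID, the varbind positions, the protected address ranges and the IronWare-style access-list lines are assumptions made for the example; both sample traps are constructed.

```python
"""Validate a trap varbind before mapping it into a Deploy CLI Config action.

Added example, not Brocade INM or McAfee code. Assumptions: the host sweep
trap carries the attacker address in its fourth varbind, the trap OID and
protected ranges below are placeholders, and the ACL lines are IronWare-style
and purely illustrative. Sample traps are constructed, not captured.
"""
import ipaddress

# Assumed trap OID for the host sweep alert and the 1-based varbind indices
# of the trap OID (standard snmpTrapOID position) and the attacker address.
HOST_SWEEP_TRAP_OID = "1.3.6.1.4.1.99999.1"
TRAP_OID_VARBIND = 2
ATTACKER_VARBIND = 4

# Addresses the action must never block: the solution's own management and
# server ranges (taken from this configuration; treat the list as an assumption).
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("20.20.1.0/24"),
]

# Illustrative CLI template. "$attacker" is the action parameter; the only
# value ever substituted for it is one returned by validate_attacker().
CLI_TEMPLATE = [
    "access-list 101 deny ip host $attacker any",
    "access-list 101 permit ip any any",
]

# Constructed sample traps: a genuine-looking host sweep alert and a crafted
# one that tries to smuggle a second command through the address varbind.
GOOD_TRAP = [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    ("1.3.6.1.6.3.1.1.4.1.0", HOST_SWEEP_TRAP_OID),
    ("1.3.6.1.4.1.99999.2.1", "Host Sweep"),
    ("1.3.6.1.4.1.99999.2.2", "192.0.2.45"),
    ("1.3.6.1.4.1.99999.2.3", "High"),
]
CRAFTED_TRAP = [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    ("1.3.6.1.6.3.1.1.4.1.0", HOST_SWEEP_TRAP_OID),
    ("1.3.6.1.4.1.99999.2.1", "Host Sweep"),
    ("1.3.6.1.4.1.99999.2.2", "192.0.2.45 any\nno access-list 101"),
    ("1.3.6.1.4.1.99999.2.3", "High"),
]


def validate_attacker(value):
    """Accept exactly one unicast IPv4 address outside the protected ranges.

    Anything else (CLI metacharacters, a hostname, CIDR notation, IPv6,
    multicast, loopback, or an address belonging to the infrastructure)
    raises ValueError, so a spoofed or crafted trap cannot inject commands
    or trick INM into blocking its own devices.
    """
    addr = ipaddress.ip_address(value.strip())  # ValueError on anything odd
    if not isinstance(addr, ipaddress.IPv4Address):
        raise ValueError("only IPv4 attackers are handled by this ACL")
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified or addr.is_reserved:
        raise ValueError("not a blockable unicast address: %s" % addr)
    for net in PROTECTED_NETWORKS:
        if addr in net:
            raise ValueError("refusing to block protected address %s" % addr)
    return addr


def build_cli(varbinds, template=CLI_TEMPLATE):
    """Return the CLI lines for this trap, or raise if it must not be acted on.

    The trap OID check mirrors the varbind filter of Step 3: an action bound
    to the host sweep alert must not fire for an unrelated trap that happens
    to carry an address in the same varbind position.
    """
    if varbinds[TRAP_OID_VARBIND - 1][1] != HOST_SWEEP_TRAP_OID:
        raise ValueError("trap OID does not match the host sweep alert")
    attacker = validate_attacker(varbinds[ATTACKER_VARBIND - 1][1])
    return [line.replace("$attacker", str(attacker)) for line in template]


def decide(varbinds):
    """Return (cli_lines, None) to deploy, or (None, reason) when refused."""
    try:
        return build_cli(varbinds), None
    except ValueError as err:
        return None, str(err)


if __name__ == "__main__":
    for line in build_cli(GOOD_TRAP):
        print(line)
    print("crafted trap:", decide(CRAFTED_TRAP)[1])
```

The same pattern applies to the port scan action in Use Case 2 with a different trap OID; the validation does not change. A rejected trap should still be logged in the Event Log, since a trap that fails validation is itself worth an operator's attention.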
Use Case 2: Port Scan Attack
When port scan attacks occur:
1. McAfee IPS detects the attack and alerts Brocade INM.
2. Brocade INM receives the IPS attack alert and sends an Access Control List (ACL) to the Brocade switch to block the attacker and a Security Assessment (SA, an e-mail notification) to the network operator.
The assessment type is: Compromised network infrastructure equipment.
NOTE: IPS automatically alerts for port scan attacks. The NSM must be configured to send alerts to INM (described earlier in this document).
Figure 3 illustrates the process.
Figure 3. Response to a port scan attack
Note that before you configure an alert, you need to create it. In the Event Processor window, shown in Step 1 of the previous use case, click New at the top of the list and follow the onscreen instructions to create the alert. In this solution, the alert is IPS_PortScanAlert.
1. In Brocade INM, select the port scan alert and double-click:
Event Manager > Event Processor > Event Actions > IPS_PortScanAlert
2. Follow the same steps as described in the previous use case, “Host Sweep Attack.” Finish by selecting the CLI Commands tab and entering the configuration commands that will be executed on the Brocade switch in response to an alert issued from Brocade INM.
Figure 3 callouts (same as Figure 2): the stealthiest attacks are detected and thwarted by McAfee IPS; attack alerts are relayed from IPS via a Security Assessment message to INM, which then pushes an ACL to the Brocade switch to block the attacker and sends an event message to the network operator.
© 2010 Brocade Communications Systems, Inc. All Rights Reserved. 5/10 GA-AN-289-00
Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, and TurboIron are registered trademarks, and Brocade Assurance, DCFM, Extraordinary Networks, and Brocade NET Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.
Export of technical data contained in this document may require an export license from the United States government.