Solida systems SL-2000, User Manual

Page 1: ...USER MANUAL Version 2 1 October 2017 WWW SOLIDASYSTEMS COM SL 2000 SL 4000 SL 6000 Security Appliances ...

Page 2: ...tation Based Detection 13 4 1 Overview 13 4 2 DGA List 13 4 3 List Updates 14 5 Reputation Threat List Updates 16 5 1 About Tor Exit Nodes 17 6 Deep Packet Inspection Configuration 18 7 User Black and White Listing 19 7 1 Overview 19 7 2 Blacklisting Domain Names 19 7 3 Blacklisting IP Addresses 20 7 4 Whitelisting IP Addresses 20 7 5 Uploading a Blacklist File 20 8 Intrusion Detection and Prevent...

Page 3: ...s 35 14 2 Event Notification Emails 35 15 Data Logging 36 15 1 Packet Logging 36 15 2 Dropped Packet Logging 36 15 3 Event Logging 37 15 4 IP Address Logging 37 15 5 HTTP Logging 37 15 6 Downloading Log Files 38 15 7 Deleting Log Files 38 16 System Software Updates 39 17 Support Bundle Generation 41 17 1 Generating a support bundle 41 17 2 Downloading a support bundle 41 18 Report Generation 43 Ap...

Page 4: ...ion Solida Systems provides reputational threat intelligence in the form of a data feed hosted in the cloud This threat feed is updated hourly and includes malicious URLs domain names and IP addresses These are harvested from various international threat intelligence sources The threat feed includes information about current threats such as ransomware phishing sites trojans and many other threat c...

Page 5: ...environment Figure 2 1 Typical Installation For networks with high availability requirements it is possible to install two identical appliances next to each other and configure them in a high availability mode Please refer to the chapter Multi Appliance High Availability for instructions on how to configure the appliances in this mode In some rare cases the main switch in the network might use PPP...

Page 6: ... SL 4000 back view Figure 2 3 SL 6000 back view Located in the upper row of the Ethernet ports are the ports used for high speed network traffic The bottom left Ethernet port on the SL 2000 and SL 4000 is used for device management The bottom right port is currently unused The bottom left port on the SL 6000 High speed ports Port1 Port0 High speed ports Port0 Port1 Management Port Management Port ...

Page 7: ...ake sure the LAN side is connected to the sub partitioned network 2 3 Management Port The management port is used for two purposes Accessing the configuration utility and the monitoring utility is done through this port The management port is also used for updating the threat list data and for communicating with other appliances in a high availability configuration It is very important that the ma...

Page 8: ...threat list updates configuration window includes a button labeled Test Connection When pressing this button the appliance will try to connect with Solida s cloud server the exact same way it would do for an update of the threat intelligence If this test fails the installation must be checked to identify the cause of the failure This test must complete successfully for the appliance to be able to ...

Page 9: ...mmunication also takes place on either outgoing port 22 or port 443 towards the Internet 2 5 Powering On The Appliance The appliance is powered on by pushing the button at the front of the appliance To do this it is necessary to first remove the security bezel Once powered on it will take up to 4 minutes or more for the appliance to become fully operational 2 6 Powering Off The Appliance To power ...

Page 10: ...32 x x If this is the case it will be required to change the management port s IP address before the appliance is connected to the LAN side switch To change the default IP address directly connect a computer with the appliance through an Ethernet cable Make sure the computer s IP address is set manually since direct connecting bypasses any DHCP server Start the configuration utility by entering th...

Page 11: ...rnet If no response to this ping is detected the management port does not have the required access to the Internet In this case it will be necessary to troubleshoot the installation and retry this test until a proper connection is made 3 2 Managing Users The first time the user logs into either Web application a default factory username and password will be used After the first login it is recomme...

Page 12: ...fields The drop down menu at the top of the Add New User window contains two options Monitoring Only and Configuration Monitoring Select Monitoring Only for users that are only allowed to log into the monitoring application The monitoring application does not allow for changing any configuration parameters or modifying the detection rules ...

Page 13: ...t have been cleaned up and the maintainers of the reputation lists might not yet have registered this 4 2 DGA List The most important data in the threat feed is the list of Domain Generation Algorithm DGA generated domain names Many ransomware and other serious malware use DGAs to generate a large number of domain names These domain names are used to try and connect with their command and control ...

Page 14: ...cloud based threat feed offered by Solida The appliance automatically connects with this cloud service once every hour to download new updated versions of the lists This guarantees that the appliance always contains information about the latest threats seen in the wild To monitor the list update process and the list sizes start the configuration application and navigate to Threat Intelligence Thre...

Page 15: ...uded The above threat lists are not user modifiable The window titled My Domain Name Blacklist Entries contains a button called Upload File This button allows for uploading user created lists to the blacklist engine Currently it is only possible to upload a file containing a VoIP style telephone number which is being used for the VoIP caller blocking feature Please refer to the appendix in this do...

Page 16: ... to Configuration Locate the block titled Reputation Threat List Updates It will look as shown in the picture below Figure 5 1 Reputation threat list updates window The following settings are available Domain Reputation Blacklist Enabled update once per hour default Disabled IP Reputation Blacklist Enabled update once per hour default Disabled Tor Exit Nodes Enabled update once per hour default Di...

Page 17: ... hackers to use Tor exit nodes for their attack traffic to mask its origin In some rare cases the use of the Tor network is valid Examples would be in countries that censor their citizens Internet traffic In those circumstances the Tor network can be used to circumvent such censorship Then it is recommended to disable the inclusion of Tor endpoints in the IP blacklist ...

Page 18: ...nfiguration Locate the block titled Deep Packet Inspection Configuration It will look as shown in the picture below Figure 6 1 Deep packet inspection configuration window The following settings are available Packets from the Internet Inspect all packets Factory default Disable Inspection Packets from the LAN Inspect all packets Factory default Disable Inspection Malformed Packets Drop all malforme...

Page 19: ... the blacklist engine to skip checking DNS lookup packets Checking DNS queries against the blacklists is an essential part of the scanning process Bypassing this will allow malicious packets to flow freely in and out of the appliance without being noticed or blocked 7 2 Blacklisting Domain Names The user can enter any domain name into the user managed blacklist entry table The picture below shows ...

Page 20: ... server Doing so will cause the blacklist engine to skip checking DNS lookup packets Checking DNS queries against the blacklists is an essential part of the scanning process Bypassing this will allow malicious packets to flow freely in and out of the appliance without being noticed or blocked Whitelisting of IP addresses should only be done in very specific situations Solida Systems strongly sugge...

Page 21: ...ion to take if a pattern match is detected Solida provides a set of system rules that includes protection from many types of penetration attempts An expert user can also create custom rules Writing custom rules requires detailed knowledge of rule writing and the different types of packets flowing over a network Such custom rules can be created using the rule editor in the Solida configuration appl...

Page 22: ...ules Note that it is not possible to import system rules System rules are those rules with the category field showing system and the rule id in the 1xxyyyzzz range If system rules are part of the imported rules they will be overwritten by the current system rules received by the regular threat intelligence downloads from the cloud host 8 5 Rule Sets A rule set is a collection of rules Multiple rul...

Page 23: ...ling a new rule set it is possible to set the appliance to monitor mode The rule set page contains a drop down menu where the desired operating mode can be selected In monitor mode all network packets are scanned using the rules as well as the reputation detection lists but no packets will be dropped Alerts will still be generated the same way as in normal operation mode This allows the user to ch...

Page 24: ... For a detailed description of each rule option please press the help button located in the lower left corner of the pop up window 8 9 Rule Id The most important parameter of each rule is the Rule Id Each rule must have a unique rule id that identifies the rule The rule id consists of 9 numbers It is common practice to group rules into categories As an example the first three numbers identify the ...

Page 25: ...asily be downloaded from the appliance through the GUI These event files can then be correlated with other downloadable packet log files so that a security analyst can investigate the root cause of the event Events can be monitored using the built in monitoring application Figure 9 1 Event summary view in the GUI monitoring application Located in the right side of the Packet Events bar is a drop d...

Page 26: ... the cause of the event 9 2 1 Low severity colored green in the GUI These events are typically generated by trying to visit known phishing sites or sites containing various types of malware The appliance will automatically drop these network packets This will prevent malware from infecting the protected network These events require no further action from the user 9 2 2 Medium severity colored oran...

Page 27: ...ws for prompt identification of the infected computer on the network The user will be required to remove the malware from the infected computer using a suitable removal tool All events can be viewed using the monitor application included with the appliances Optionally emails containing the event count and severity can be automatically generated and sent out A mobile phone application is also avail...

Page 28: ...ortant to remove the infected computer from the rest of the network Some advanced ransomware are capable of propagating through the network and infecting additional computers The critical events will be listed with the source and destination IP addresses visible Use the destination IP address from the event and match it with a computer in the LAN that uses this IP address This is the computer that...

Page 29: ...for the security appliances to connect with it and share security events and log files For an appliance to connect with a Solida Multi server enter the domain name or IP address of the server followed by a login name and password Once the monitoring is activated the appliance will automatically connect with the Solida Multi server and start sharing its security events and log files The button labe...

Page 30: ...ng server would run software typically some type of SIEM tool that collects Netflow data from the appliances and presents it in a graphical way The Netflow collector server expects UDP packets to be passed to it To enable the Solida appliance to perform Netflow logging enter the connection information for the collector server and activate the feature Collector IP address This is the IP address of ...

Page 31: ...17 selected IP address Any new entries in the syslog file will immediately show up in the syslog server to make sure the two sides are in sync For more information about this feature please contact Solida Systems for further information ...

Page 32: ...Figure 12 1 High Availability Port Configuration The top pull down menu labeled Operating Mode contains three options To enable this HA mode select the option labeled Single LAN Multiple WAN HA The second step is to select the WAN ports that will connect to the two Internet routers A WAN port is assigned to be either the primary or the secondary WAN port The primary WAN port will become the master...

Page 33: ...ndby unit activated only if the primary unit fails Pair IP Address The IP address of the other unit s management port Both appliances must be able to communicate with the other appliance management port to determine the status of the unit HA Poll Freq How often a unit checks the other unit s functional status Three seconds is the default value and should be appropriate for most installs Activation...

Page 34: ...il Notifications The box will look as follows Figure 14 1 Email notification setup box 14 1 1 Email Notification This dropdown box contains four options Disabled Email notification disabled Enabled once per day Generates one email per day with event information Enabled once per 6 hours Generates four emails per day with event information Enabled once per hour Generates one email per hour with even...

Page 35: ...the above fields have been filled in press the Activate button This will activate the new configuration 14 2 Event Notification Emails The event notification emails are short but contain vital information a user will need Figure 14 2 Example of an event notification email The most recent events for the past hour and the past 6 hours are shown separately to give a clearer overview of the current st...

Page 36: ...ogging will log every single packet passing through the appliance This mode is typically only used during troubleshooting of the network The resulting log files can become very large so it is important to select an appropriate rollover option to avoid filling up the disk space in the appliance Packet logging should be disabled during normal usage The configuration window for packet logging looks a...

Page 37: ...n about all events occurring in the appliance The default settings are as shown in the picture below Figure 15 3 Event logging configuration window 15 4 IP Address Logging This option is currently not supported 15 5 HTTP Logging This option allows for logging all domain names that are being accessed through browsers in the network Each domain entry is tagged with a time stamp and the IP address th...

Page 38: ...dow will ask for a final confirmation before the file download starts 15 7 Deleting Log Files The log files can easily be deleted if needed Navigate into a log file directory To delete a file within the directory right click on the file and select Delete The file will be permanently deleted from the appliance It is also possible to rename a log file Right click on the file to rename it Even though...

Page 39: ...m an update start the configuration application and navigate to Software Updates in the menu side bar This will present the following window Figure 16 1 Software update GUI window The upper System Control Center box contains the following Firmware version Displays the currently active internal firmware version number JSOSD version Displays the version of the current security OS daemon The button n...

Page 40: ...complete During this time no network traffic will be able to flow through the appliance After the update has completed please reset the browser history to guarantee the browser will display the latest version of the web utilities The button labeled Upload License File starts a file upload popup window This is where a new threat intelligence license file should be uploaded to the appliance ...

Page 41: ...n the appliance experiencing a problem Navigate to Software Updates This will display a window that contains a blue button with the text Generate Support Bundle Pressing this button and answering Yes in the confirmation box will start generating a support bundle Note that it might take up to 5 minutes or more for the bundle generation to complete 17 2 Downloading a support bundle Once a support bu...

Page 42: ...42 SOLIDA SYSTEMS INTERNATIONAL 2017 available support bundles that are ready to be downloaded Please note it will take up to 5 minutes for a new support bundle to appear in this directory ...

Page 43: ...be displayed Figure 18 1 Report generation A report file will be generated when the Generate Report button is pressed Generating a report can take up to several minutes When done the report can be downloaded from the report directory in the Log File Management window Note It is recommended the report file is opened and further processed in an original Microsoft Excel application Use of similar non...

Page 44: ...nternet router and main switch install the appliance in front of the firewall just behind the Internet router The appliance will be invisible to the firewall since it requires no IP or MAC addresses for its ports A 2 Blocked Numbers List The user must provide a list containing the phone numbers that are to be blocked The list must be a simple ASCII text file created with a text editor tool The nam...

Page 45: ...ol in the appliance and navigate to the page called Threat Lists This page has a file upload button marked Upload file Figure A 2 File upload button Press this button and upload the sip txt text file The list will immediately become active and replace the previous list if present as soon as the upload completes A 3 System VoIP Rules The VoIP number blocking feature also requires two packet inspect...

Page 46: ...r rules will not have any impact on the VoIP functionality A 4 Event Generation Each time an incoming call has been blocked a security event will be generated These events are readable from the monitoring utility together will all other events in the appliance All VoIP events will be written to the event log file and the corresponding dropped packets will be written to the drop log file ...

Page 47: ...itive The IP address is the same address as used in general for logging into the management port This default IP address can be changed If so please use the IP current active IP address for this login B 2 Copying Out Log Files Log files should be copied out from the appliance using the rsync command from a Linux computer A typical command sequence for copying over the event files will be rsync av ...

Page 48: ...the server uses Windows then Solida Multi must be installed as a virtual instance under Windows C 2 Configuring The Appliance for Solida Multi It is straightforward to configure the appliance so that it starts communication with the remote computer hosting Solida Multi The IP address of the server hosting Solida Multi must be provided together with a user name and password for a remote login conne...

Page 49: ... 2017 SOLIDA SYSTEMS INTERNATIONAL CO LTD 1000 19 20 Liberty Plaza Building Floor 12A Thonglor Sukhumvit Soi 55 Klongtan Nua Wattana Bangkok Thailand 10110 Tel 66 2 714 8900 Email info solidasystems com Website www solidasystems com ...