Getting Started with ASM
This Getting Started help topic takes you through the basic steps needed to configure the Extreme Networks Intrusion Prevention System (IPS) to recognize a specific event and provide notification to ASM. It also provides steps for creating an ASM rule that responds to the events sent from Extreme Networks IPS.
Before you begin:
- Populate the Console database. Refer to the Console Help to Discover, Import, or manually Add network elements that you want to protect with ASM.
TIP: Spend some time creating Device Groups that are meaningful for your network. Although Console provides pre-defined folders, you'll find that creating your own unique device groups makes it easier to define ASM Search Scopes later. For example, create new groups for your network elements organized by geographic region, data center, building, floor, etc., then drag and drop devices into these new groups.
- Define an SNMPv3 Credential with AuthPriv access. Refer to the Authorization/Device Access help topic for more information.
- You should know:
- The IP Address or hostname of the system on which you are running Extreme Networks IPS.
- The username and password with administrator access to Extreme Networks IPS.
- The IP Address or hostname of the system on which you are running ASM.
The Getting Started exercise consists of the following tasks:
- Configure NetSight's SNMPTrap Service - Configure user credentials used with SNMPv3 trap messages.
- Configure the Extreme Networks IPS - Create a simple event trigger and configure notification to ASM.
- Configure Automated Security Manager - Create a rule to recognize a trap from the Extreme Networks IPS host device and record an event in the ASM Activity log.
- Trigger a Test Trap - Trigger a trap by attempting to access the Extreme Networks IPS host using the community name PRIVATE and verify an event is recorded in the ASM Activity log.
Configure the SNMP Trap Service
Extreme Networks IPS uses Inform messages to notify ASM of a threat, which means that the NetSight SNMPTrap Service (snmptrapd) must know the user credentials of the sending agent (on the Extreme Networks IPS device) before the SNMPTrap Service can receive the message. If this information is not provided, the SNMPTrap Service drops the trap messages. To learn more about Traps and Informs, read the Traps and Informs help topic. The user credentials configured here must match the user credentials configured on Extreme Networks IPS.
You can configure SNMPTrap information by adding user information to the snmptrapd.conf file using a text editor.
- Launch NetSight ASM.
- From the Tools menu, select Modify snmptrapd.conf. The snmptrapd.conf file opens.
- Add an SNMPv3 user credential using the following format:
createUser myUser MD5 myauthpassword DES myprivpassword
Where:
- myUser - the security user name.
- MD5 myauthpassword - the authentication type (MD5 or SHA) and the authentication password. Optional parameter; do not use it when authentication is not used.
- DES myprivpassword - the encryption type and the encryption password. Optional parameter; do not use it when encryption is not used, or leave the encryption password blank if it is the same as the authentication password.
- Save the snmptrapd.conf file before closing.
- Any time the snmptrapd.conf file is changed, the SNMPTrap Server must be restarted.
Windows:
- Go to the Taskbar Notification Area of your desktop (on the lower right of your screen, unless you've relocated your Taskbar).
- Right-click the Services Manager icon.
- Select SNMP Trap > Restart.
Linux:
- Navigate to the etc/init.d directory.
- Type the command: nssnmptrapd stop
- Press Enter.
- Type the command: nssnmptrapd start
- Press Enter.
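The two things that silently break this step are a createUser line that does not give the user AuthPriv access and a mismatch between the passwords in snmptrapd.conf and the Security Name, Auth Password and Priv Password later entered in the IPS's NetSight ASM Editor: in both cases snmptrapd simply drops the Informs. The following added example (not NetSight's or Extreme Networks' own code) parses the createUser lines of an snmptrapd.conf fragment following the format described above and checks the credential an IPS notification rule would use against them. The snmptrapd.conf fragment is constructed for the demonstration; accepting AES as a privacy protocol beside DES is an assumption of this example (the help text names only DES).

```python
"""Added example (not NetSight's own code): parse the createUser lines of an
snmptrapd.conf fragment and check that the credential an Extreme Networks IPS
notification rule will use (Security Name, Auth Password, Priv Password) exists
there with AuthPriv access, so snmptrapd will not silently drop the Informs."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The help topic names MD5/SHA and DES; AES is an assumption of this example.
AUTH_PROTOCOLS = {"MD5", "SHA"}
PRIV_PROTOCOLS = {"DES", "AES"}


@dataclass
class TrapUser:
    name: str
    auth_proto: Optional[str] = None
    auth_pass: Optional[str] = None
    priv_proto: Optional[str] = None
    priv_pass: Optional[str] = None

    @property
    def level(self) -> str:
        """SNMPv3 security level implied by which optional parameters are present."""
        if self.auth_proto is None:
            return "noAuthNoPriv"
        if self.priv_proto is None:
            return "authNoPriv"
        return "authPriv"


def parse_create_user(line: str) -> TrapUser:
    """Parse 'createUser NAME [MD5|SHA authpass [DES|AES [privpass]]]'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "createUser":
        raise ValueError(f"not a createUser line: {line!r}")
    user = TrapUser(name=tokens[1])
    rest = tokens[2:]
    if rest:  # optional authentication block
        if rest[0].upper() not in AUTH_PROTOCOLS or len(rest) < 2:
            raise ValueError(f"bad authentication parameters in {line!r}")
        user.auth_proto, user.auth_pass = rest[0].upper(), rest[1]
        rest = rest[2:]
    if rest:  # optional privacy block; only valid after an authentication block
        if rest[0].upper() not in PRIV_PROTOCOLS:
            raise ValueError(f"bad encryption parameters in {line!r}")
        user.priv_proto = rest[0].upper()
        # A blank encryption password means "same as the authentication password".
        user.priv_pass = rest[1] if len(rest) > 1 else user.auth_pass
        rest = rest[2:]
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return user


def load_trap_users(conf_text: str) -> Dict[str, TrapUser]:
    """Collect createUser entries, ignoring comments and unrelated directives."""
    users: Dict[str, TrapUser] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("createUser"):
            user = parse_create_user(line)
            users[user.name] = user
    return users


def check_ips_credential(users: Dict[str, TrapUser], security_name: str,
                         auth_password: str, priv_password: str) -> List[str]:
    """Return the reasons snmptrapd would reject Informs sent with these
    NetSight ASM Editor values; an empty list means they match."""
    user = users.get(security_name)
    if user is None:
        return [f"no createUser entry for {security_name!r}; snmptrapd drops its Informs"]
    problems: List[str] = []
    if user.level != "authPriv":
        problems.append(f"{security_name!r} is {user.level}, not AuthPriv")
    if user.auth_pass != auth_password:
        problems.append("Auth Password does not match snmptrapd.conf")
    if user.priv_pass != priv_password:
        problems.append("Priv Password does not match snmptrapd.conf")
    return problems


# Constructed snmptrapd.conf fragment for the demonstration.
SAMPLE_CONF = """\
# constructed example entries
createUser myUser MD5 myauthpassword DES myprivpassword
createUser legacyUser SHA onlyauthpass
"""

if __name__ == "__main__":
    found = load_trap_users(SAMPLE_CONF)
    for name, auth, priv in [("myUser", "myauthpassword", "myprivpassword"),
                             ("legacyUser", "onlyauthpass", "onlyauthpass"),
                             ("missingUser", "x", "y")]:
        print(name, check_ips_credential(found, name, auth, priv) or "OK")
```

Run it against the real snmptrapd.conf after each edit and before restarting the SNMPTrap Server; because snmptrapd gives no feedback when it drops an Inform, this is the cheapest place to catch a typo in a password or a user created without the encryption parameters.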
Configuring the Intrusion Prevention System
In its simplest form, IPS configuration consists of triggering events related to specific threats, constructing messages sent to ASM whenever one of these threats is detected, and then configuring the notification to ASM.
For this exercise, we are setting up an event to test the connection from the IPS to ASM. The following steps create a very simple event trigger (access the Extreme Networks IPS host with the Community Name PRIVATE), then configure notification to ASM using the SNMPv3 Credential added earlier to snmptrapd.conf file.
The following steps provide examples and instructions for configuring Extreme Networks IPS with this test message. (If you are using a different IPS, refer to that product's documentation to configure the corresponding features.) You must have an EMS management client application installed on your machine to perform these steps. (Refer to the Extreme Networks IPS Installation Guide for installation instructions.)
- Open the EMS management client application using the normal start method for your operating system. For example, on Windows, click Start > EMS Client > EMSClientWindow. A login window appears.
- Enter your username and password.
- Click on the Alarm Tool Policy View icon. The Alarm Tool lets you create Event Groups that describe specific network threats and how the system responds when those threats are detected.
- Expand the Custom Policies folder to view the custom policies.
- Click on any existing custom policy.
- Click on the right-panel Event Groups tab.
- Create a new Event Group.
- Click New to open the Event Group Editor.
- In the left column, expand the Vulnerability category and select SNMP:PRIVATE. Click on Add to move it to Event Group in the right column.
- Enter an Event Group Name and click OK.
- Click on Commit. The new Event Group is displayed in the table under Event Group.
- Click the right-panel Notification Rules tab.
- Create a new Notification Rule.
- Click New in the left pane of the window. Give the notification a name, specify a Time Period of None, and click OK. The new notification rule is listed under Notification Rules.
- Click on the new notification rule to highlight it.
- Click on the NetSight ASM sub-tab in the right pane. (If the NetSight ASM tab is not visible, use the arrows to locate it.)
- Click New in the right pane to open the NetSight ASM Editor.
- Enter or select the following:
- Server - Enter the ASM host IP address. (Do not use the IP address of a NetSight ASM client-only PC.)
- Security Name - Enter the SNMPv3 Credential - User Name you configured in the snmptrapd.conf file.
- Auth Password - Enter the SNMPv3 Credential - Auth Password you configured in the snmptrapd.conf file.
- Priv Password - Enter the SNMPv3 Credential - Priv Password you configured in the snmptrapd.conf file.
- ASM Category - Select ASM_ATTACKS.
- Click OK.
- Click the right-panel Global Options tab and then select the SNMP sub-tab.
- Enter the IP address of the EMS server sending the SNMP traps.
- Click on the right-panel Alarms tab.
- Create a new Alarm.
- Click New to open the Alarm Editor.
- Enter a Name for your new Alarm.
- Select Real Time from the drop-down menu in the Type field.
- Leave the Summary Interval set to its default value (3600 milliseconds).
- Select the name of your new Event Group from the drop-down menu in the Event Group field.
- Leave Filter set to None.
- Leave Threshold set to None.
- Select the name of your new Notification Rule from the list in the Notification Rules field.
- Click OK.
- Click on Commit.
- Deploy your new trap configuration.
- Click on the Enterprise View icon.
- Right-click on the Alarm Tool: notification name that you created and select Associate Alarm Tool Policy.
- Select the new policy and click OK.
- Right-click on the Alarm Tool: notification name that you created again and select Deploy from the drop-down menu.
Configuring Automated Security Manager
The following steps create an action rule to recognize any trap from the Extreme Networks IPS host device and record the event in the ASM Activity Log.
- In ASM, select Tools > ASM Configuration from the menu bar.
- Click on the Edit radio button, located in the top left section of the window.
- In the Groups and Devices tree, select My Network and click Include. Click Continue.
- Click Continue in the Excluded Port Types view.
- Click Continue in the Exclude Specific Ports view.
- Click Create in the Rule Definitions view. The Create Rule window opens.
- Enter a Name for the new rule and click Apply, then Close.
- Leave the remaining settings at their default values. With the defaults, the rule matches any event category and records the event in the ASM Activity Monitor, but takes no action.
- Click Save and then Close in the ASM Configuration window.
- Leave the ASM Activity Monitor window open so you can view the log while triggering a test trap message.
Trigger a Test Trap
To test the connection between Extreme Networks IPS and ASM, we will use MIB Tools to attempt to access the Extreme Networks IPS host using the community name PRIVATE.
- In the ASM Activity Monitor window, make sure that the Operation Mode is set to either Search and Respond or Search Only.
- In the Console main window, right-click on the Extreme Networks IPS device in the left-panel tree and select MIB Tools from the menu.
- Select Use SNMPv1 from the Select Protocol drop-down menu in the upper right of the MIB Tools window and enter PRIVATE as the Community Name. Click Contact.
What's Next
If you successfully triggered and recorded a trap in ASM, you're ready to configure additional Extreme Networks IPS events and enable ASM to provide responses to protect the integrity of your network.
In the preceding exercise we triggered a trap message to ASM for a specific event (logging on using the community name, PRIVATE). ASM recognized the trap because it matched the character string defined by the Enterasys Networks' Threat Notification MIB object, etsysThreatNotificationThreatCategory, in this case ASM_ATTACKS, with a corresponding Event Category defined in ASM. To be recognized by ASM, the text string in the event messages sent by an IPS must match exactly with an Event Category name defined in ASM. (Event categories are defined in ASM Configuration - Rule Variables.)
Extreme Networks IPS has four default notification rules: netsight-atlas-asm-attacks, netsight-atlas-asm-compromise, netsight-atlas-asm-informational, and netsight-atlas-asm-misuse. Each of the Extreme Networks IPS default notification rules has a corresponding default event category in ASM: ASM_ATTACKS, ASM_COMPROMISE, ASM_INFORMATIONAL, and ASM_MISUSE. ASM uses Rules to compare incoming trap messages with specific event categories, then determines where and what action to apply as a response.
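The exact-match requirement above is where most "ASM never saw my trap" problems come from, and the mismatch is invisible in the Activity Monitor because an unrecognized Inform is not recorded. The following added example (not ASM's own code) models the comparison the two paragraphs describe: the etsysThreatNotificationThreatCategory value of an Inform is compared, case-sensitively and without trimming, against the Event Category names, and the first rule whose category matches supplies the action. The Informs are represented as already-decoded varbinds keyed by MIB object name (the OID decoding is assumed), the sample Informs are constructed, and the rule model (category None meaning any category, action "log") is this example's own simplification of the default rule created in the Configuring Automated Security Manager section.

```python
"""Added example (not ASM's own code): model the exact-match step ASM applies
between the etsysThreatNotificationThreatCategory value carried in an IPS Inform
and the Event Category names defined in ASM Configuration - Rule Variables,
then pick the first rule that applies."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THREAT_CATEGORY_OBJECT = "etsysThreatNotificationThreatCategory"
DEFAULT_EVENT_CATEGORIES = ["ASM_ATTACKS", "ASM_COMPROMISE",
                            "ASM_INFORMATIONAL", "ASM_MISUSE"]


@dataclass
class AsmRule:
    name: str
    category: Optional[str] = None  # None = any event category (the default rule)
    action: str = "log"             # the Getting Started rule only records the event


def match_event_category(varbinds: Dict[str, str],
                         categories: List[str]) -> Optional[str]:
    """Exact, case-sensitive comparison, as the help text describes."""
    value = varbinds.get(THREAT_CATEGORY_OBJECT)
    return value if value in categories else None


def explain_mismatch(varbinds: Dict[str, str], categories: List[str]) -> str:
    """Why an Inform was ignored: missing varbind, stray whitespace, wrong case,
    or a category name that was never defined in ASM."""
    value = varbinds.get(THREAT_CATEGORY_OBJECT)
    if value is None:
        return f"Inform carries no {THREAT_CATEGORY_OBJECT} varbind"
    stripped = value.strip()
    if stripped != value and stripped in categories:
        return f"category {value!r} has surrounding whitespace"
    for cat in categories:
        if cat.upper() == stripped.upper():
            return f"category {value!r} differs from {cat!r} only in case"
    return f"category {value!r} is not defined in ASM Configuration - Rule Variables"


def apply_rules(varbinds: Dict[str, str], rules: List[AsmRule],
                categories: List[str]) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) of the first rule whose category matches the
    Inform's category, or None when ASM would not recognize the Inform."""
    category = match_event_category(varbinds, categories)
    if category is None:
        return None
    for rule in rules:
        if rule.category is None or rule.category == category:
            return rule.name, rule.action
    return None


# Constructed decoded Informs; a real Inform carries further varbinds.
SAMPLE_INFORMS = {
    "exact":     {THREAT_CATEGORY_OBJECT: "ASM_ATTACKS"},
    "lowercase": {THREAT_CATEGORY_OBJECT: "asm_attacks"},
    "padded":    {THREAT_CATEGORY_OBJECT: "ASM_ATTACKS "},
    "unknown":   {THREAT_CATEGORY_OBJECT: "IPS_SCAN"},
}
RULES = [AsmRule("Getting Started rule")]  # matches any category, records only

if __name__ == "__main__":
    for label, inform in SAMPLE_INFORMS.items():
        hit = apply_rules(inform, RULES, DEFAULT_EVENT_CATEGORIES)
        print(label, "->", hit or explain_mismatch(inform, DEFAULT_EVENT_CATEGORIES))
```

Only the "exact" Inform reaches a rule; the other three show the kinds of drift between an IPS notification rule's category string and ASM's Rule Variables that leave an Inform unrecorded, which is worth checking before adding any rule that quarantines or disables a port.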
For ASM's response to a serious threat to be timely and effective, it is important that ASM only be notified of serious threats. The following table lists the Extreme Networks IPS events for which notification to ASM is recommended:
Read the Extreme Networks IPS Configuration Guide (accessed from the EMS client Help menu) to learn more about events, alarms, traps, and inform configuration in Extreme Networks IPS.
For information on related windows:
- Automated Security Manager Configuration Window
- Automated Security Manager Options
- Create/Edit Rule Window
- Incident Test Tool
For information on related tasks: