Appendix G: XX Industrial Group Data/Network Security Project
TippingPoint Intrusion Prevention Product Configuration Guide

Contents
1. XX Group IPS device login credentials
2. IPS initial configuration
3. Web-based management
4. Limiting P2P traffic on the IPS
5. Overview of upgrading the system OS and the Digital Vaccine (DV)
6. Registration guide for the IPS product
7. Other related documents

1. XX Group IPS device login credentials

Management interface address, user name and password for logging in to the IPS:
Login user name: xx
Login password: xx
Management interface address: (shown on the front panel)
Users can be added, and the password and the management address changed, from the management interface.

User name and password for logging in to the TMC website:
Login user name: xx
Login password: xx

2. IPS initial configuration

2.1 Switch on the power and press the POWER key to start the device:
• On a dual-power-supply device, the device sounds an alarm if only one power supply is in use. Pressing the red button next to the power supply silences the alarm.
• A 100E may not start after the power switch is turned on; in that case, press and hold the green check mark on the front panel for 5 seconds.

2.2 Connect the device to a PC with the console cable:
• The baud rate used here is 115200.
• Both ends of the console cable are DB9 female connectors.

2.3 Boot process
• Do not press keys at random during boot. An accidental keystroke interrupts the boot, and input is then required to continue booting.

TippingPoint OS
Bootrom Version: 14
Creation date: Dec 6 2004, 14:02:01
Press any key to stop auto-boot.
 7 6 5 4 3 2 1 0
auto-booting.
boot device : ata=0,0
unit number : 0
processor number : 0
host name : NDS
file name : auto
flags (f) : 0x0
Attaching to ATA disk device. done.
Boot Count: 144, v14, /boot/.6324/vxWorks 798a09445a4926a2a6976837683ed4e1
Loading /boot/.6324/vxWorks.10662264 + 966376 + 13404276
Starting at 0x108000.
Attaching interface lo0.done
Adding 27893 symbols for standalone.
-> RTC CMOS Clock: 2006-09-21 12:44:30 UTC
/boot/ - Volume is OK
/opt/ - Volume is OK
/usr/ - Volume is OK
/log/ - Volume is OK
[TippingPoint ASCII-art banner]
a division of 3Com
TippingPoint - Austin, Texas, USA
TOS Version : .6519
Build Date: Jun 21 2006, 17:04:48
Digital Vaccine : .6825
Serial: U1200CF-3053-4206
Hardware Rev :
Loading-
[Note: quickly type mkey and press Enter to set the user name and password. The same procedure can be used if the password has been forgotten.]
Autoflash FPGAs: FPGA is up to date for MZDM
Welcome to the TippingPoint Technologies Initial Setup wizard.
Press any key to begin the Initial Setup Wizard or use the LCD panel.
[Note: press any key.]
You will be presented with some questions along with default values
in brackets. Please update any empty fields or modify them to match
your requirements. You may press the ENTER key to keep the current
default value. After each group of entries, you will have a chance to
confirm your settings, so don't worry if you make a mistake.
There are three security levels for specifying user names and passwords:
[Note: there are three security levels here; to strengthen security, level 2 is recommended.]
Level 0: User names and passwords are unrestricted.
Level 1: Names must be at least 6 characters long; passwords at least 8.
Level 2: In addition to level 1 restrictions, passwords must contain:
- at least 2 alpha characters
- at least 1 numeric character
- at least 1 non-alphanumeric character
[Note: if level 2 is selected, the password must contain at least three kinds of characters (upper- and lower-case letters, digits, and non-digit characters) and be no shorter than 8 characters.]
Please specify a security level to be used for initial super-user name and password creation. As super-user, you can modify the security level later on via Command Line Interface (CLI) or Local Security Manager (LSM).
[Note: select 2.]
Security level 2: 2
[Note: create the user name and password.]
Please enter a user name that we will use to create your super-user
account. Spaces are not allowed.
Name: xx
Do you wish to accept XX <Y,N>:y
Please enter your super-user account password:
Verify password:
Saving information .Done
[Note: for XX Group the initial password is set to xx here.]
Your super-user account has been created.
You may continue initial configuration by logging into your device.
After logging in, you will be asked for additional information.
The login prompt should appear in approximately 90 seconds.
[Note: after the restart, enter the user name to log in.]
Login: XX
Password:
Entering Setup wizard.
[Note: initialize the configuration and configure the management port.]
The host management port is used to configure and monitor this device via
a network connection (e.g., a web browser).
[Note: set the IP address and other parameters of the management interface.]
Enter Management IP Address 5.250
Enter Host Name myhostname: xx
Enter Host Location room/rack: xx
5.250
Host Name: xx
Host Location: xx
Enter Accept, Change, or Exit without saving C:
The default gateway is a router that enables this device to communicate with
other devices on the management network outside of the local subnet.
Do you require a default gateway? <Y,N>:n
Timekeeping options allow you to set the time zone, enable or disable daylight saving time, and configure or disable SNTP.
[Note: configure the management methods; by default only HTTPS is enabled.]
Would you like to modify timekeeping options? <Y,N>:n
Server options allow you to enable or disable each of the following servers:
SSH, Telnet, HTTPS, HTTP, and SNMP.
Would you like to modify the server options? <Y,N>:y
Enable the SSH server? Yes: n
Enable the Telnet server? Yes: n
Enable the HTTPS server ('No' disables SMS access)? Yes: y
Enable the HTTP server? Yes: n
Enable the SNMP agent ('No' disables SMS and NMS access)? No: n
SSH: No
Telnet: No
HTTPS: Yes
HTTP: No
SNMP: No (SMS and NMS access disabled)
Enter Accept, Change, or Exit without saving C: a
Based on your configuration of the CLI and Web servers, you can configure
or monitor this device via the management port or the serial port.
If you wish to run this wizard again, use the 'setup' command.

View the configuration:

xx# dis configuration
interface mgmtEthernet
5.250
exit
interface ethernet 3 1
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 2
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 3
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 4
negotiate
-More-
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 5
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 6
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 7
negotiate
duplex full
linespeed 1000
no shutdown
exit
interface ethernet 3 8
negotiate
-More-
duplex full
linespeed 1000
no shutdown
exit
interface vnam 3 1
no ip shutdown
exit
interface vnam 3 2
no ip shutdown
exit
interface vnam 3 3
no ip shutdown
exit
interface vnam 3 4
no ip shutdown
exit
-More-
interface vnam 3 5
no ip shutdown
exit
interface vnam 3 6
no ip shutdown
exit
interface vnam 3 7
no ip shutdown
exit
interface vnam 3 8
no ip shutdown
exit
interface settings poll-interval 2000
interface settings detect-mdi enable
host name "xx"
host location "xx"
-More-
host ip-filter permit any icmp
host ip-filter permit any ip
default-gateway .0
sntp duration 60
sntp offset 1
sntp port 123
sntp timeout 1
sntp retries 3
no sntp
user options max-attempts 5
user options expire-period 90
user options expire-action expire
user options lockout-period 5
user options attempt-action lockout
user options security-level 2
segment 3 1 name "Segment 1"
segment 3 1 high-availability permit
segment 3 1 link-down hub
segment 3 2 name "Segment 2"
segment 3 2 high-availability permit
segment 3 2 link-down hub
segment 3 3 name "Segment 3"
-More-
segment 3 3 high-availability permit
segment 3 3 link-down hub
segment 3 4 name "Segment 4"
segment 3 4 high-availability permit
segment 3 4 link-down hub
high-availability no ip
high-availability disable
clock timezone GMT
clock dst
log audit select general
log audit select login
log audit select logout
log audit select user
log audit select time
log audit select policy
log audit select update
log audit select boot
log audit select report
log audit select host
log audit select configuration
log audit select oam
log audit select sms
log audit select cva
log audit select server
-More-
log audit select segment
log audit select high-availability
log audit select monitor
log audit select ip-filter
log audit select conn-table
log audit select host-communication
log audit select tse
category-settings attack-protection enable -action-set "Recommended"
category-settings reconnaissance enable -action-set "Recommended"
category-settings security-policy enable -action-set "Recommended"
category-settings informational enable -action-set "Recommended"
category-settings network-equipment enable -action-set "Recommended"
category-settings traffic-normal enable -action-set "Recommended"
category-settings misuse-abuse enable -action-set "Recommended"
notify-contact "SMS" 1
notify-contact "Remote System Log" 1
notify-contact "Management Console" 1
notify-contact "LSM" 1
default-alert-sink period 1
discovery age 0
server no ssh
server no telnet
server no http
server https
-More-
server browser-check
monitor threshold memory -major 90 -critical 95
monitor threshold disk -major 90 -critical 95
monitor threshold temperature -major 73 -critical 75
no service-access
tse adaptive-filter mode automatic
tse afc-severity warning
tse asymmetric-network enable
tse connection-table timeout 1800
tse logging-mode conditional -threshold 1.0 -period 600
email-rate-limit 10
lcd-keypad enable
lcd-keypad backlight 50
lcd-keypad contrast 16
no nms
ramdisk sync-interval block -1
ramdisk sync-interval alert -1
ramdisk sync-interval peer -1
sms no v2
sms no v3
sms no must-be-ip
no sms
session timeout 20 -persist

At this point the device can be managed over the web at https5.250.

3. Web-based management

Besides the serial console, the device can also be managed over the web. Enter the management interface address https5.250 in the browser's address bar to manage the device through the web interface.

Note: if there are no special requirements, the IPS can rely on the system's default rules to defend against attacks. If there are other requirements, the response actions and the filter rules can be edited by hand. Limiting P2P traffic, upgrading the OS and upgrading the DV are used as examples below.

4. Limiting P2P traffic on the IPS

4.1 Networking requirement: configure the TippingPoint IPS to limit P2P traffic.

4.2 Network diagram
TippingPoint 100E: TOS Version: .6519, Digital Vaccine: 885; PC1: BT server; PC2: BT client.

4.3 Configuration steps

1. Main configuration on the TippingPoint 100E

First, create a rate-limiting action. In the navigation bar select IPS->Filters->Action Sets and create an Action Set named BT_Limit that limits the rate to 700 kbps.

Next, find the filters and associate the action with them. In the navigation bar select IPS->Filters, type BitTorrent in the Search box and click the <Search> button. Select filters 2270 and 4106, the two filters that detect the setup of BT download channels, so that they can be rate limited, and click <Edit Selected> to configure the rate-limiting action.

Enable the selected filters, change the response action to BT_Limit (rate limit of 700K), and click <Save>.

The filters just configured now show the state "Enabled" in the list.

2. Verification results on PC2

Download the torrent from PC1 and establish the connection.
Before the filters are applied, the download speed is very high.
After the filter rules are applied, the BT traffic is limited.

5. Overview of upgrading the system OS and the Digital Vaccine (DV)

The OS and the DV are upgraded with the same procedure; only the file selected differs. OS file names begin with NDS, and DV file names begin with SIG.

For the security of the host, upgrading manually from a local host is recommended; upgrading automatically from the Internet is not recommended.

Upgrading from a local host: click System>Update>Tos and DV Update. The page shows detailed instructions for the upgrade. Follow the five steps on the page; at the last step, select the DV file downloaded to your PC and click install. The installation then completes automatically.

Handling an installation failure: if the operation fails, do not panic; the upgrade can be run again. If the failure screen appears, click OK to go to the next page, click reset status there, and then run the upgrade again.

6. Registration guide for the IPS product

Customers who have purchased TippingPoint IPS products and services receive technical support for upgrades to the intrusion prevention system (IPS) system software (the TippingPoint OS, TOS, and the SMS management software) and to the Digital Vaccine (DV); thanks to this
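The following Python sketch is an added example, not part of the original guide. It checks a saved copy of the section 2 configuration listing for the management-plane settings chosen there (Telnet and HTTP disabled, HTTPS enabled, security level 2, lockout on failed logins) and tests a candidate super-user name and password against the Level 1 and Level 2 rules quoted by the setup wizard. The sample configuration text and the sample credentials are constructed, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the style of the section 2 listing (not a device capture).
SAMPLE_CONFIG = """\
user options max-attempts 5
user options lockout-period 5
user options attempt-action lockout
user options security-level 2
server no ssh
server no telnet
server no http
server https
"""


def audit_config(text):
    """Return findings for management-plane settings in a configuration dump."""
    lines = {ln.strip() for ln in text.splitlines()}
    findings = []
    # Cleartext management services should carry an explicit "server no ..." line.
    for service in ("telnet", "http"):
        if f"server no {service}" not in lines:
            findings.append(f"{service} server is not disabled")
    if "server https" not in lines:
        findings.append("https server is not enabled")
    match = re.search(r"^\s*user options security-level (\d+)\s*$", text, re.M)
    if match is None or int(match.group(1)) < 2:
        findings.append("user security level is below 2")
    if "user options attempt-action lockout" not in lines:
        findings.append("failed logins do not lock the account out")
    return findings


def meets_level2(name, password):
    """Apply the wizard's Level 1 and Level 2 rules to a name/password pair."""
    return (
        len(name) >= 6
        and len(password) >= 8
        and sum(c.isalpha() for c in password) >= 2
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))              # no findings for the sample
    print(meets_level2("ipsadmin", "Tp-2006-ips"))  # constructed credentials
```

Running the audit against each saved configuration after a change shows whether a cleartext management service has been switched back on or the password policy has been lowered.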
