What is Quarantine? The Quarantine option enhances your devices' ability to contain or remove offending network users or devices and provides the ability to automate sophisticated responses to security events. By enabling quarantine with a Block action set, you reduce your network's exposure to internal and external threats.
What is Active Response? Active Response is a policy-based service that reacts to its inputs to perform actions. How it reacts, and the actions taken depend on the Active Response policies configured and enabled in the SMS. A policy can be triggered in several ways: thresholding, manually, web service, or escalation of an IPS Quarantine action. Policies can be configured to include and/or exclude a set of IP addresses.
What are Response Actions? Response Actions are the system's instructions when host traffic triggers an Active Response policy. The SMS Active Response system provides pre-defined action types that you can use to create actions that you want to apply in an Active Response policy.
What are Action Sets? Action Sets determine what the IPS does when a packet triggers a filter. An action set can contain more than one action and more than one type of action. You can globally affect all action sets for pillars in the SMS. When you modify or add an action set, the settings change enterprise-wide for all filters using the action set.
The steps required to perform an SMS Responder Action with Quarantine are as follows:
- Create a new Action Set to quarantine + Email
- Create a Response Action
- Create an Active Response Policy
- Create an Action Set for "Permit"
- Link the Action Set to a filter (0633)
- Perform a profile distribution
Procedure:
Step 1: Create a new Action Set to quarantine + Email
- Log in to the SMS from a client.
- From the top navigation pane, click Profiles. The Profiles screen displays.
- From the navigation pane on the left, click the + sign next to the IPS Profiles to expand the category and select Shared Settings.
- To create an action set, do one of the following:
- Select the Action Sets tab and click New.
- On the Menu Bar, select the File > New > Action Set menu item.
- Right-click an entry and click New.
- The Create Action Set wizard displays.
- Enter a Name for the action set. (e.g. FTP_Quarantine)
- Under Flow Control select Quarantine - used to quarantine the host IP address (source or destination) that triggers the filter. Selecting Quarantine makes two more options available: Quarantine Settings and Quarantine Exceptions.
- Click Next or select Notifications from the wizard navigation pane.
- Management Console: check Management Console. This option notifies the SMS upon a filter hit and in turn generates an event in the Events area of the SMS.
- Email: Enter the email address of a contact that will receive the alert.
- Click Add; the Add Email Contact dialog box displays.
- Click New; the Add Email Contact dialog box displays.
- Enter the Name of the contact.
- Enter the Email Address of the contact. The limit is 36 characters for email addresses.
- Enter the amount of Aggregation in minutes.
- Click OK.
- Unless you wish to perform a Packet Trace, select Quarantine Settings from the wizard navigation pane.
- In Quarantine Settings, enter the following information:
- Hit Count = 1
- Period = 1
- Note: Web requests from the quarantined host can be blocked, redirected to a specific web server, or answered with a template web page. The web page can be customized to include the name and description of the filter that caused the quarantine and/or to display customized HTML specified by the user.
- If you wish to enter an exception, select Quarantine Exceptions from the wizard navigation pane and select the appropriate tab.
- Restrictions: Limits the quarantine action to specified IP addresses.
- Exception: Excludes IP addresses from quarantine actions.
- Quarantined Access: Quarantined hosts can be given access to Destination IP Addresses for remediation. Enter the destination IP Address that is allowed to receive connections from quarantined hosts.
- After selecting the appropriate exception tab, click New.
- Enter a Name.
- Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
- Click OK. Repeat to add multiple IP addresses.
- After entering information on the final screen, click Finish to save your entries.
Step 2: Create a Response Action
- On the SMS toolbar, navigate to the Responder > Actions tab screen.
- On the Response Actions section do one of the following:
- Click New.
- Right-click and select New.
- From the SMS toolbar select Action
- The Create New Response Action setup wizard displays.
- Specify a Name for the action that clearly identifies the action. (e.g. FTP_Quarantine_Action)
- From the Action Type drop-down menu select IPS Quarantine.
- Click Next or select Action Set from the wizard navigation menu.
- From the Action Set drop-down window, select the Action Set created in Step 1. (e.g. FTP_Quarantine)
- Click Finish to create the new action.
Step 3: Create an Active Response Policy
- On the SMS toolbar, navigate to the Responder > Policies tab screen.
- To create a new Active Response Policy do one of the following:
- In the Active Response Policies screen, click New.
- In the Active Response Policies screen, right-click and select New.
- From the SMS toolbar select File > New > Policy.
- The Create Active Response Policy setup wizard opens.
- Select the Initiation and Timeout tab.
- Policy Name - enter the policy name. (e.g. FTP_Response_Policy)
- Initiation - specify the mechanism used to initiate the policy:
- Enable Policy - Enable Automatic Responder via Correlation and Thresholding
- Allow Manual Responder via this Policy
- Allow an SNMP Trap or Web Service call to invoke this Policy (enable this option only if you want to use the SMS Web API)
- Escalate an IPS Quarantine using this Policy. (By unchecking this option, the quarantine will only apply to a particular IPS.)
- Timeout - If you want to set a timeout option, select the Enable Automatic Timeout check box and enter a time in minutes. Setting an Automatic Timeout here will allow an IP address to have its traffic automatically unblocked after the specified period of time. Otherwise, the quarantined host will remain blocked indefinitely or until it is cleared manually.
- Click Next or select the Inclusions and Exclusions tab. In the Inclusions and Exclusions screen enter the required information:
- Allow Active Response - specify the hosts or networks eligible for this Active Response Action, or select Any IP address.
- Never Respond - specify the hosts or networks excluded from this Active Response Action (e.g. networking equipment, file servers, storage farms, domain controllers, DNS servers, etc.).
- Note: You can use the arrow buttons located at the end of each field to add an existing Named Resource or to create a new Named Resource.
- Click Next or select the Correlation and Thresholding tab. For Correlation and Thresholding, enter the required information:
- Automatic Response Configuration:
- Qualified filter hits - number of hits to enact the policy.
- Threshold period - period of time in seconds or minutes for the hit count threshold.
- Quiet period - the Quiet Period begins when the automatic response action is initiated. A new Threshold Period will not begin until the Quiet Period is over.
- Note: You can leave the defaults or adjust these settings to fit your needs. The minimum threshold period is 2 minutes. Quiet Period should match the Automatic Timeout if one was set earlier. A value of 50 in 2 minutes will stop brute force attacks, but allow for normal logins.
- Qualified Filter Hit Notifications:
- Send Syslog Notification - unchecked
- Send SNMP Trap Notification - unchecked
- Click Next or select the Actions tab. In the Actions tab, click Add to add a new Response Action. The Response Action screen displays.
- From the Action drop-down menu, select the Response Action created in Step 2 (e.g. FTP_Quarantine_Action) and click OK to return to the setup wizard.
- Click Next or select the IPS Destinations tab. In the IPS Destinations screen, you can select which devices will receive the Response Policy.
- To distribute to all IPS devices, select the All Devices check box.
- To distribute to selected IPS devices, expand the All Devices entry and select one or more IPS devices.
- Click Finish to save your settings.
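The thresholding, quiet period, automatic timeout and inclusion/exclusion settings from Step 3 interact in ways that are easier to see in a small model than in the wizard. The Python below is an added example written for this article; it is not SMS or TippingPoint code, and it assumes the behaviour exactly as the wizard text describes it (filter hits counted per source inside a threshold period, a quiet period during which no new threshold period starts, an automatic timeout that releases the host, and CIDR-based Allow Active Response / Never Respond lists). The sample hits, policy name and private addresses are constructed; the default values mirror the suggested 50 hits in 2 minutes with a matching 2-minute quiet period and timeout.

```python
"""Model of an SMS Active Response policy's correlation-and-thresholding
behaviour (added example, not SMS code; semantics assumed from the wizard text)."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional


@dataclass
class ActiveResponsePolicy:
    """Settings from the Correlation and Thresholding, Timeout and
    Inclusions and Exclusions tabs. Defaults: 50 qualified hits in 2 minutes,
    quiet period matching a 2-minute automatic timeout."""
    name: str
    qualified_hits: int = 50
    threshold_period_s: int = 120
    quiet_period_s: int = 120
    timeout_s: Optional[int] = 120         # None = blocked until cleared manually
    allow: tuple = ("0.0.0.0/0",)          # Allow Active Response (Any IP address)
    never_respond: tuple = ()              # Never Respond exclusions (CIDR)

    def eligible(self, ip: str) -> bool:
        """A source is eligible if it is inside an Allow network and not
        inside any Never Respond network."""
        addr = ipaddress.ip_address(ip)
        included = any(addr in ipaddress.ip_network(n) for n in self.allow)
        excluded = any(addr in ipaddress.ip_network(n) for n in self.never_respond)
        return included and not excluded


@dataclass
class _HostState:
    window_start: Optional[int] = None  # start of the current threshold period
    hits: int = 0                       # qualified hits in that period
    quiet_until: Optional[int] = None   # no new threshold period before this time
    release_at: Optional[int] = None    # automatic timeout; None = indefinite


class ResponderEngine:
    """Per-source hit counting with threshold period, quiet period and timeout."""

    def __init__(self, policy: ActiveResponsePolicy):
        self.policy = policy
        self.state: dict = {}

    def on_hit(self, t: int, ip: str):
        """Process one qualified filter hit at time t (seconds).
        Returns (t, ip, 'QUARANTINE') when the policy fires, else None."""
        p = self.policy
        if not p.eligible(ip):
            return None
        s = self.state.setdefault(ip, _HostState())
        if s.quiet_until is not None and t < s.quiet_until:
            return None                     # quiet period: hit is not counted
        if s.window_start is None or t - s.window_start >= p.threshold_period_s:
            s.window_start, s.hits = t, 0   # start a fresh threshold period
        s.hits += 1
        if s.hits < p.qualified_hits:
            return None
        s.quiet_until = t + p.quiet_period_s
        s.release_at = None if p.timeout_s is None else t + p.timeout_s
        s.window_start, s.hits = None, 0
        return (t, ip, "QUARANTINE")

    def expire(self, now: int):
        """Return RELEASE events for quarantines whose automatic timeout has passed."""
        out = []
        for ip, s in self.state.items():
            if s.release_at is not None and s.release_at <= now:
                out.append((s.release_at, ip, "RELEASE"))
                s.release_at = None
        return out


def simulate(policy, hits, end_time):
    """hits: iterable of (t_seconds, source_ip) qualified filter hits.
    Returns the ordered list of response events produced up to end_time."""
    eng = ResponderEngine(policy)
    events = []
    for t, ip in sorted(hits):
        events.extend(eng.expire(t))       # releases due before this hit
        ev = eng.on_hit(t, ip)
        if ev:
            events.append(ev)
    events.extend(eng.expire(end_time))
    return events


# Constructed sample of 0633 "FTP: Bad Login" hits from four sources (not real data).
SAMPLE_HITS = (
    [(t, "10.0.0.5") for t in range(0, 60)]                # 60 bad logins at 1/s
    + [(t, "10.0.0.7") for t in range(0, 180, 3)]          # 60 bad logins, 1 per 3 s
    + [(0, "10.0.0.9"), (5, "10.0.0.9"), (40, "10.0.0.9")]  # a user mistyping
    + [(t, "10.0.1.10") for t in range(0, 100)]            # excluded domain controller
)

POLICY = ActiveResponsePolicy(
    name="FTP_Response_Policy",
    allow=("10.0.0.0/16",),
    never_respond=("10.0.1.0/24",),   # e.g. domain controllers, DNS servers
)

if __name__ == "__main__":
    for event in simulate(POLICY, SAMPLE_HITS, end_time=300):
        print(event)
```

Running it shows why the note suggests 50 hits in 2 minutes: the 1-per-second source is quarantined on its 50th hit and released 2 minutes later, the 1-per-3-seconds source never reaches 50 inside any single threshold period (the window resets at 120 s), the three-attempt user is untouched, and the excluded host is never considered. Set `timeout_s=None` to model a quarantine that stays in place until it is cleared manually.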
Step 4: Create an Action Set for "Permit"
- From the top navigation pane, click Profiles. The Profiles screen displays.
- From the navigation pane on the left, click the + sign next to the IPS Profiles to expand the category.
- From the navigation pane on the left, select Shared Settings.
- To create an action set, do one of the following:
- Select the Action Sets tab and click New.
- On the Menu Bar, select the File > New > Action Set menu item.
- Right-click an entry and click New.
- The Create Action Set wizard displays.
- Enter a Name for the action set (e.g. FTP_Permit).
- Under Flow Control select Permit. Permit is selected so that individual attempts are not blocked by the filter itself; blocking is applied by the quarantine action once the Active Response policy's threshold is reached.
- Click Next or select Notifications from the wizard navigation pane. In the Notifications pane:
- Check Management Console to have the SMS receive the alert. This option notifies the SMS upon a filter hit and keeps the hit count. This will also generate an event in the Events area of the SMS.
- Check SMS Response and then choose the Active Response policy created in Step 3 (e.g. FTP_Response_Policy). This option indicates what Active Response Policy is to be associated with the filter hit. The Active Response Policy must have Enable Policy enabled in order to appear in this list.
- Click Finish to save your entries.
Step 5: Link the Action Set to a filter
Note: If a filter has inherited settings and the base filter is locked, the filter with inherited settings CANNOT be edited.
- From the top navigation pane, click Profiles. The Profiles screen displays.
- From the navigation pane on the left, click the + sign next to the IPS Profiles to expand the category.
- From the navigation pane on the left, locate and expand the Profile you will be working with.
- On the profile that you are working with, click Search.
- Select the Filter Criteria area if not already selected.
- In the Filter Specific Info > Filter Name section enter filter number "0633" or "Bad Login" to perform the search.
- Click the Search button to initiate the search.
- In the Search Results section, you should see filter 0633: FTP: Bad Login.
- Edit the filter by highlighting it and clicking Edit, or by double-clicking it.
- The Edit Filter (Filter Settings) dialog box will open.
- In the Filter Settings tab under the Action section, select Use Filter Specific Settings and the Action Set created in Step 4 (e.g. FTP_Permit) from the drop-down menu.
- Click OK to save your entries.
Step 6: Perform a profile distribution
- Distribute the newly modified profile to the appropriate IPS device.