Routers, switches, DHCP servers and clients, and mis-configured network devices can generate excessive broadcast traffic that is delivered to every host on a segment. The management port on a TippingPoint device does not inspect such traffic beyond noting that it arrives on ports other than the ones it treats as valid management protocols (80, 443, 22, 23). Any packet (broadcast or otherwise) that reaches the management IP address of an IPS, SMS or CC device on some other port is logged as "Invalid", and once the count reaches a threshold an alert is written to the log files.
To prevent these notifications, TippingPoint recommends the following:
1) Place the management interface on an isolated VLAN or segment, or make it reachable only from the internal network.
2) Restrict traffic to and from the management interface to specific hosts with an ip-filter access list, entered from the CLI:
- to limit management interface access to a single host: conf t host ip-filter permit ip <ip address> <mask>
- to block a specific address from reaching the management interface: conf t host ip-filter deny ip <ip address> <mask>
- to remove the restriction and return to allow-all: conf t host ip-filter permit ip any
Note: When building the access list in step 2, always permit the terminal you are currently logged in from before adding any other entry. The IPS applies the list immediately, and as soon as the first entry exists the implicit allow-all at the bottom of the list becomes a deny-all. If the first entry you add permits a different host, your own SSH session is terminated.
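The ordering rule in the note is easy to get wrong when the list is prepared in advance, so the following added example (written for this page, not TippingPoint's own code or CLI) is a small pre-flight check that orders the entries so the operator's own address is permitted first and refuses to emit a list that would drop the session. It models the behaviour the note describes: an empty list allows everything, and once any entry exists unmatched traffic hits an implicit deny-all. First-match evaluation, the function names, and the sample addresses (management VLAN 10.0.0.0/24, admin workstation 10.0.0.9, noisy segment 192.168.5.0/24) are assumptions made for the example; confirm the matching order against your device documentation before relying on it.

```python
import ipaddress

# Added example, not TippingPoint code. Assumes first-match evaluation with an
# implicit deny-all once any entry exists (the behaviour the Note describes).


def to_network(ip, mask):
    """Build a network from the <ip address> <mask> pair used by the CLI.
    'any' (as in 'permit ip any') is treated as 0.0.0.0/0."""
    if ip == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def evaluate(entries, src):
    """Decide what the filter does with a packet from src.
    entries: list of (action, network) in the order they were added.
    An empty list is the factory allow-all; otherwise the first matching entry
    wins and anything unmatched hits the implicit deny-all."""
    if not entries:
        return "permit"
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"


def to_command(action, net):
    """Render one entry in the CLI syntax quoted on this page."""
    if net.prefixlen == 0:
        return f"conf t host ip-filter {action} ip any"
    return f"conf t host ip-filter {action} ip {net.network_address} {net.netmask}"


def plan(permits, denies, operator_ip):
    """Return the CLI lines to enter, ordered so the entry covering the
    operator's own terminal is applied first. permits/denies are lists of
    (ip, mask) strings; operator_ip is the address your SSH session comes from.
    Raises ValueError instead of producing a list that would drop that session."""
    entries = [("permit", to_network(ip, m)) for ip, m in permits]
    entries += [("deny", to_network(ip, m)) for ip, m in denies]
    op = ipaddress.ip_address(operator_ip)
    covering = [e for e in entries if e[0] == "permit" and op in e[1]]
    if not covering:
        raise ValueError(
            f"no permit entry covers {operator_ip}; the first entry would lock you out")
    first = covering[0]
    ordered = [first] + [e for e in entries if e is not first]
    # Re-check with the same evaluator: the operator must still be permitted.
    if evaluate(ordered, operator_ip) != "permit":
        raise ValueError(f"{operator_ip} would be denied by the planned filter")
    return [to_command(a, n) for a, n in ordered]


if __name__ == "__main__":
    # Constructed sample: admin workstation 10.0.0.9 on management VLAN
    # 10.0.0.0/24; 192.168.5.0/24 is a segment whose broadcasts are reaching
    # the management port and is to be denied.
    for line in plan([("10.0.0.0", "255.255.255.0")],
                     [("192.168.5.0", "255.255.255.0")], "10.0.0.9"):
        print(line)
```

Run it with the address your SSH session actually originates from (the one the IPS sees, after any NAT), and type the emitted lines in the order given; the permit for your own host always comes out first, and a list that never covers your address is rejected before anything is pushed.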