Raritan Computer COMMANDCENTER NOC User Manual

Page 61


CHAPTER 3: CONFIGURING INTRUSION DETECTION

Determining which ports are open on a target machine is often the first step towards a successful
attack on a network system. Attackers generally use port scanning utilities to probe a target
system and make a list of all open ports on the device. After they have this list, they will send
specific attacks to the open ports with the hope of exploiting a vulnerability on the target. The
port scanning process is often detectable by monitoring traffic to the target machine. However,
the normal activity of some services such as DNS and NFS often resembles the activity of an
attacker executing a portscan against a target system.
5. To exclude an entire subnet from portscan analysis, use the Add Addresses box. Type in the network address and select the subnet mask from the list that is provided.
6. To include single hosts or ranges of host IP addresses, use the input boxes in the bottom half of the panel. Please note that you can only add a maximum of 50 "stray" IP addresses that are not part of a subnet. This includes individual addresses and all addresses within your ranges.
7. To prevent detection of portscans originating from the home network of the appliance, check the Exclude all traffic originating from your home network... check box. This can prevent some types of false-positives, such as the traffic generated by a host on your network that is simultaneously accessing several services on a remote host.
8. To exclude all DNS and SMB traffic on your network from portscan analysis, use the check boxes in the bottom exclusion pane.
9. Click finish configuration.
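The effect of the exclusions in steps 5 to 8 on a simple portscan heuristic, as an added example (not Raritan's code and not the CC-NOC's actual detection logic). The names `Exclusions` and `detect`, the threshold of 10 distinct ports, the port set used for DNS and SMB, and the rule that either endpoint in an excluded subnet or range skips the flow are all assumptions; the flows are constructed sample data.

```python
import ipaddress
from collections import defaultdict

STRAY_LIMIT = 50                # manual: at most 50 addresses outside excluded subnets
DNS_SMB_PORTS = {53, 139, 445}  # assumption: ports standing in for "DNS and SMB traffic"
THRESHOLD = 10                  # assumption: distinct ports per src/dst pair treated as a scan

class Exclusions:
    def __init__(self, subnets=(), ranges=(), home_net=None, skip_dns_smb=False):
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        # A single host is a range with first == last; every address counts toward the cap.
        self.ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]
        stray = sum(int(b) - int(a) + 1 for a, b in self.ranges)
        if stray > STRAY_LIMIT:
            raise ValueError(f"{stray} stray addresses exceed the limit of {STRAY_LIMIT}")
        self.home_net = ipaddress.ip_network(home_net) if home_net else None
        self.skip_dns_smb = skip_dns_smb

    def _listed(self, addr):
        return (any(addr in net for net in self.subnets)
                or any(lo <= addr <= hi for lo, hi in self.ranges))

    def skips(self, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self._listed(s) or self._listed(d):  # assumption: either endpoint excludes the flow
            return True
        if self.home_net is not None and s in self.home_net:
            return True
        return self.skip_dns_smb and bool({sport, dport} & DNS_SMB_PORTS)

def detect(records, excl, threshold=THRESHOLD):
    """Return sorted (src, dst) pairs where src reached >= threshold distinct dst ports."""
    seen = defaultdict(set)
    for src, sport, dst, dport in records:
        if not excl.skips(src, sport, dst, dport):
            seen[(src, dst)].add(dport)
    return sorted(pair for pair, ports in seen.items() if len(ports) >= threshold)

# Constructed sample flows: (src, sport, dst, dport)
SAMPLE = (
    [("203.0.113.7", 40000, "192.0.2.10", p) for p in range(1, 21)]        # sequential probe
    + [("192.0.2.53", 53, "192.0.2.20", 50000 + i) for i in range(15)]     # DNS replies to one client
    + [("198.51.100.5", 41000, "192.0.2.10", p) for p in range(1, 21)]     # host in an excluded subnet
    + [("192.0.2.30", 42000 + i, "203.0.113.80", 8000 + i) for i in range(12)]  # home-network client
)

if __name__ == "__main__":
    print(detect(SAMPLE, Exclusions()))  # all four pairs are flagged
    print(detect(SAMPLE, Exclusions(subnets=["198.51.100.0/24"],
                                    home_net="192.0.2.0/24", skip_dns_smb=True)))
```

Without exclusions the DNS server's replies and the home-network client are flagged alongside the real probe; with them only the external source remains.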


Enable/Disable Signature Types via Signature Profiler

With the Intrusion Detection Signature Profiler, it is possible to enable and disable types of intrusion detection on the CC-NOC. A properly configured CC-NOC will detect patterns in network traffic that identify a potential threat. By tuning the set of signature rules that the CC-NOC reacts to, the intrusion detection can be configured to detect attacks affecting the specific devices and services on your network.

Once you’ve created the signature rules, the CC-NOC will then use these rules to dynamically select which signatures apply to your environment, relieving you of the burden of ongoing signature administration.

1. Click on the Admin tab in the top navigation bar.
2. Click Intrusion Detection Configuration.
3. Click Intrusion Detection Signature Profiler.
