Managing Threats with the SRC-TMP
The SRC Threat Mitigation Portal (SRC-TMP) provided with the SRC software is designed to be used with the sample data for the Threat Mitigation Application. The SRC-TMP is a Web application that lets you manage threats from a Web browser.
Once you have configured and deployed the Threat Mitigation Application, you can use the SRC-TMP to manage attack events. See Installing and Initially Configuring the Threat Mitigation Application.
Overview of the SRC-TMP
When the NetScreen-Security Manager reports incidents to the SRC-TMP, the SRC-TMP:
- Provides a description of the incident, including source IP address, destination IP address, attack type, severity, time of first received record, time of last received record, count of repeated attacks, and possible actions.
- Allows the administrator to choose how to handle the threat in the appropriate manner by taking action, activating or deactivating a service, or managing an action already taken.
- Displays general information if the SRC software cannot collect information about an attack type because it is not defined in the ATTACK_TYPE table.
About the Record Servlet
The record servlet receives messages from the SRC thm.py script that runs in NetScreen-Security Manager. The thm.py script posts messages to a specified URL. The default pathname in the URL is /thmp/record. For information about changing the default pathname, see Configuring the SRC-TMP.
NetScreen-Security Manager sends the following information from its XML schema to the record servlet for display in the SRC-TMP.
- dayId—Date of the record as displayed in the Attack ID column to the left of the colon.
- recordId—Identifier for the record as displayed in the Attack ID column to the right of the colon.
- timeReceived—Time the attack event is received as displayed in the First Received Time and Last Received Time columns.
- subCategory—Subcategory of the attack as displayed in the Attack Type column.
- srcAddr—Source address of the attack as displayed in the Source column.
- dstAddr—Destination address of the attack as displayed in the Destination column.
- severity—Severity of the attack as displayed in the Severity column.
- repeatCount—Number of occurrences of the attack as displayed in the Repeat Count field.
The record servlet maps an attack ID to an attack type and its defining attributes (protocol, source address, source port, destination address, destination port, user, application, and URI). If the servlet receives more than one record for the same attack type with the same defining attribute values, it stores the record under that attack ID once and increases the Repeat Count for that attack ID by one for each subsequent occurrence. It also records the highest severity seen across those records and updates the last received timestamp.
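The aggregation rule above, as an added example that is not the SRC record servlet's own code: posted records are folded into one attack entry when the attack type and every defining attribute match, with the first attack ID kept, the Repeat Count incremented, the highest severity retained and the last received time advanced. The field names follow the page; the attack-ID form "dayId:recordId", the severity ranking, the ISO 8601 timestamps and the sample messages are assumptions made for this example.

```python
# Added example, not the SRC record servlet's own code: aggregation of
# NetScreen-Security Manager records into attack entries as the page
# describes it. Field names follow the page; the attack-ID format
# "dayId:recordId", the severity ranking, the ISO 8601 timestamps and the
# sample messages are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed ranking: the page says only that the highest severity is kept.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Defining attributes named on the page; together with the attack type they
# decide whether a new record is a repeat of an attack already stored.
DEFINING_ATTRS = ("protocol", "srcAddr", "srcPort", "dstAddr", "dstPort",
                  "user", "application", "uri")


@dataclass
class Attack:
    attack_id: str                 # "dayId:recordId" of the first record received
    attack_type: str               # subCategory
    severity: str
    first_received: str
    last_received: str
    repeat_count: int
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


class RecordStore:
    """What the record servlet keeps behind the Action Required table."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple, Attack] = {}
        self._by_id: Dict[str, Attack] = {}

    @staticmethod
    def _key(msg: Dict[str, str]) -> Tuple:
        # Attack type plus every defining attribute (absent ones count as None).
        return (msg["subCategory"],) + tuple(msg.get(a) for a in DEFINING_ATTRS)

    def add(self, msg: Dict[str, str]) -> Attack:
        """Store a posted record, or fold it into the attack it repeats."""
        key = self._key(msg)
        attack = self._by_key.get(key)
        if attack is None:
            attack = Attack(
                attack_id=f'{msg["dayId"]}:{msg["recordId"]}',
                attack_type=msg["subCategory"],
                severity=msg["severity"],
                first_received=msg["timeReceived"],
                last_received=msg["timeReceived"],
                repeat_count=int(msg.get("repeatCount", 1)),
                attributes={a: msg.get(a) for a in DEFINING_ATTRS},
            )
            self._by_key[key] = attack
            self._by_id[attack.attack_id] = attack
            return attack
        # Repeat: keep the first attack ID, count one more occurrence, keep the
        # highest severity seen so far and the latest timestamp.
        attack.repeat_count += 1
        if SEVERITY_RANK.get(msg["severity"], -1) > SEVERITY_RANK.get(attack.severity, -1):
            attack.severity = msg["severity"]
        if msg["timeReceived"] > attack.last_received:   # ISO 8601 strings sort lexically
            attack.last_received = msg["timeReceived"]
        return attack

    def get(self, attack_id: str) -> Optional[Attack]:
        return self._by_id.get(attack_id)

    def attacks(self) -> List[Attack]:
        return list(self._by_id.values())


# Constructed sample messages (not real NSM output): the second repeats the
# first with a higher severity; the third hits a different destination port.
SAMPLE_MESSAGES = [
    {"dayId": "20070312", "recordId": "1001", "timeReceived": "2007-03-12T10:00:00Z",
     "subCategory": "TCP:SYN-FLOOD", "srcAddr": "192.0.2.10", "srcPort": "4321",
     "dstAddr": "198.51.100.5", "dstPort": "80", "protocol": "tcp",
     "severity": "low", "repeatCount": "1"},
    {"dayId": "20070312", "recordId": "1002", "timeReceived": "2007-03-12T10:05:00Z",
     "subCategory": "TCP:SYN-FLOOD", "srcAddr": "192.0.2.10", "srcPort": "4321",
     "dstAddr": "198.51.100.5", "dstPort": "80", "protocol": "tcp",
     "severity": "high", "repeatCount": "1"},
    {"dayId": "20070312", "recordId": "1003", "timeReceived": "2007-03-12T10:06:00Z",
     "subCategory": "TCP:SYN-FLOOD", "srcAddr": "192.0.2.10", "srcPort": "4321",
     "dstAddr": "198.51.100.5", "dstPort": "443", "protocol": "tcp",
     "severity": "medium", "repeatCount": "1"},
]


def load_sample() -> RecordStore:
    store = RecordStore()
    for msg in SAMPLE_MESSAGES:
        store.add(msg)
    return store


if __name__ == "__main__":
    for a in load_sample().attacks():
        print(a.attack_id, a.attack_type, a.severity, a.repeat_count,
              a.first_received, a.last_received)
```

Running the sample yields two attack entries: 20070312:1001 with Repeat Count 2 and severity high (the later record raised it), and 20070312:1003 on port 443 as a separate attack, because a differing defining attribute means a different attack, not a repeat.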
If applicable, the SRC-TMP displays the following information in the Attack Details page.
- category—Category of the attack; displayed in the Attack Type field.
- subCategory—Subcategory of the attack; displayed in the Attack Type field.
- srcAddr—Source address of the attack; displayed in the Source field.
- srcDns—The result of a reverse DNS lookup on the source address of the attack; displayed in the Source DNS field as a comma-separated list.
- srcPort—Source port of the attack; displayed in the Source Port field.
- dstAddr—Destination address of the attack; displayed in the Destination field.
- dstDns—The result of a reverse DNS lookup on the destination address of the attack; displayed in the Destination DNS field as a comma-separated list.
- dstPort—Destination port of the attack; displayed in the Destination Port field.
- protocol—Protocol of the attack; displayed in the Protocol field.
For information about the SRC thm.py script that runs in NetScreen-Security Manager, see Enabling Actions from NetScreen-Security Manager.
Configuring and Deploying the SRC-TMP
The SRC-TMP provided with the SRC software is designed to be used with the threat mitigation implementation in the sample data. To configure the SRC-TMP, see Configuring the SRC-TMP. To deploy the SRC-TMP, see Deploying the Threat Mitigation Application.
Using the NIC Resolver for the SRC-TMP
The Threat Mitigation Application pushes policies to the interfaces from which the problem traffic enters the network. To do so, the SRC-TMP must be able to map from a given attack source IP address to the SAEs managing the interfaces on the routers where that traffic enters the network. The Threat Mitigation Application uses the network information collector (NIC) to perform this mapping. Each service activation interface uses a different NIC configuration.
For information about the NIC configuration for each interface, see:
- JUNOS provider edge interface—Configuring the NIC for Provider Edge Interfaces
- JUNOS forwarding interface—Configuring the NIC for Forwarding Interfaces
- JUNOSe subscriber interface—Configuring the NIC for Subscriber Interfaces
For more information about configuring the service activation interface, see Configuring the SRC-TMP.
Configuring the NIC for Provider Edge Interfaces
To configure the NIC to map the source IP address for a given attack to the SAEs managing the JUNOS subscriber-facing interfaces, use the OnePopStaticRouteIp configuration scenario and restart the NIC host. The OnePopStaticRouteIp configuration scenario resolves an assigned IP address for a subscriber whose traffic enters the network through an interface on a JUNOS routing platform to a reference for the SAE that manages the interface. The realm for this configuration accommodates the situation in which the network publisher component gathers interface information for the JUNOS routing platforms. The resolution process takes a subscriber's IP address as a key and returns a reference to the SAE that manages the interface. For information about configuring the NIC, see SRC-PE Network Guide, Chapter 11, Configuring NIC on a Solaris Platform.
If you associate an existing address pool with an interface and you do not want to wait for this new information to be propagated based on the Cache Entry Age property of the NIC proxy or the Event Life Expectancy property of the agents, then you must manually clear the NIC proxy cache. To clear the NIC proxy cache when the application is deployed in a J2EE container that supports Java Management Extension (JMX) software, use the NicProxyMgmt MBean. Otherwise, you must restart the application or the application server. For information about modifying the NIC proxy cache properties, see SRC-PE Network Guide, Chapter 13, Configuring Applications to Communicate with an SAE. For information about modifying the event life expectancy for agents, see SRC-PE Network Guide, Chapter 20, Reviewing the NIC Configuration.
Configuring the NIC for Forwarding Interfaces
To configure the NIC to map the source IP address for a given attack to the SAEs managing the JUNOS forwarding interfaces, use the OnePop configuration scenario and restart the NIC host. The realm for the OnePop configuration scenario accommodates the situation in which IP address pools are configured locally on each VR. The resolution process takes a subscriber's IP address as the key and returns a reference to the SAE managing this subscriber as the value. For information about configuring the NIC, see SRC-PE Network Guide, Chapter 11, Configuring NIC on a Solaris Platform.
Configuring the NIC for Subscriber Interfaces
To configure the NIC to map the source IP address for a given attack to the SAEs managing the JUNOSe subscriber interfaces, use the OnePopAllRealms configuration scenario and restart the NIC host. The realm for the OnePopAllRealms configuration scenario accommodates the situations in which IP address pools are configured locally on each VR or IP address pools are shared by VRs in the same POP. The resolution process takes a subscriber's IP address as the key and returns a reference to the SAE managing this subscriber as the value. For information about configuring the NIC, see SRC-PE Network Guide, Chapter 11, Configuring NIC on a Solaris Platform.
If the IP address pools are shared across multiple VRs, you must also configure an external plug-in for the SAE plug-in agent in the NIC host as follows:
Plugin.nic.objectref=corbaname::<host>:<port>/NameService#nicsae/saePort
For information about configuring the SAE for external plug-ins, see SRC-PE Subscribers and Subscriptions Guide, Chapter 10, Overview of Configuring Plug-Ins for Solaris Platforms.
Accessing the SRC-TMP
- In your Web browser, enter the name or IP address of the host and the port number on which you installed the Threat Mitigation Application in the format:
A Connect to dialog box appears.
- In the Connect to dialog box, enter your username and password, and click OK. The default values are:
User name—admin
Password—secret
The Threat Mitigation Portal appears. These are the default credentials shipped with the sample application; change them as part of deploying the portal rather than leaving them in place.
- To modify the number of attacks displayed on each page from the default of 20, enter the number in the Display attacks per page field.
- To modify the page refresh rate, select the Page refreshes every 30 seconds check box, and enter the interval in seconds in the text box.
You can manage the attacks that fall into these categories:
- Action Required—This page displays information about the attacks that require some action to be taken. See Managing Attacks Requiring Action.
- Start Pending—This page displays the attacks that are pending service activation. See Managing Attacks Pending Service Activation.
- Stop Pending—This page displays the attacks that are pending service deactivation. See Managing Attacks Pending Service Deactivation.
- Action Taken—This page displays the attacks for which some action was taken. See Managing Attacks with Activated Services.
The information provided about each attack includes the attack ID, source and destination addresses, attack type, severity, first and last time the event was received, the action that can be taken or was taken, and the time that the action was taken.
Managing Attacks Requiring Action
To manage attacks that require action to be taken, open the Action Required page, which displays all attacks that require action.
The Attack ID is linked to the Attack Details page, which displays more information about the attack record.
The help button provides information about the possible actions that can be taken in response to an attack. For example, the Help could recommend blocking the attack, blocking the attacker, or slowing the attacker.
- To sort the attacks by a different category, select another category from the Sorted By drop-down list, and click Sort.
- To sort the attacks in a different order, select the order from the Ordered By drop-down list, and click Sort.
- To take action, select the action from the Action drop-down list, and click Take Action to update the state of the attack in that row and activate the service that represents the action to be taken.
If the attack is no longer in the same state as when you clicked Take Action, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is activated.
- If a service is activated, the attack is moved to the Action Taken page.
- If a service is waiting to be activated, the attack is placed in a pending state and appears in the Start Pending page.
Managing Attacks Pending Service Activation
To manage attacks waiting for service activation, open the Start Pending page, which displays all attacks whose status is pending due to service activation.
The Attack ID is linked to the Attack Details page, which displays more information about the attack record.
The help button provides information about the possible actions that can be taken in response to an attack. For example, the Help could recommend blocking the attack, blocking the attacker, or slowing the attacker.
- To sort the attacks by a different category, select another category from the Sorted By drop-down list, and click Sort.
- To sort the attacks in a different order, select the order from the Ordered By drop-down list, and click Sort.
- In the Service Start Pending Attacks table, you have the following options:
- To cancel the pending activation, click Cancel in that row to update the state of the attack and deactivate the service that represents the action.
If the attack is no longer in the same state as when you clicked Cancel, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is deactivated.
- If the service is deactivated, the attack is moved to the Action Required page.
- If the service is waiting to be deactivated, the attack is placed in a pending state and appears in the Stop Pending page. The Last Failure Time column indicates the time when the service deactivation was triggered.
You are responsible for ensuring that the service is deactivated. The SRC-TMP does not try to deactivate the service in this case.
- To try the activation again, click Retry in that row.
If the attack is no longer in the same state as when you clicked Retry, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is activated.
- If the service is activated, the attack is moved to the Action Taken page.
- If the service is waiting to be activated, the attack stays in the same state and continues to appear in the Start Pending page. The Last Failure Time column indicates the time when the service activation was triggered.
The SRC-TMP automatically tries to activate the service again according to the configuration properties (see Configuring the SRC-TMP).
Managing Attacks Pending Service Deactivation
To manage attacks waiting for service deactivation, open the Stop Pending page, which displays all attacks whose status is pending due to service deactivation.
The Attack ID is linked to the Attack Details page, which displays more information about the attack record.
The help button provides information about the possible actions that can be taken in response to an attack. For example, the Help could recommend blocking the attack, blocking the attacker, or slowing the attacker.
- To sort the attacks by a different category, select another category from the Sorted By drop-down list, and click Sort.
- To sort the attacks in a different order, select the order from the Ordered By drop-down list, and click Sort.
- In the Service Stop Pending Attacks table, you have the following options:
- To cancel the pending deactivation, click Cancel in that row to update the state of the attack and activate the service again.
If the attack is no longer in the same state as when you clicked Cancel, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is activated.
- If the service is activated, the attack is moved to the Action Taken page.
- If the service is waiting to be activated, the attack record is placed in a pending state and appears in the Start Pending page. The Last Failure Time column indicates the time when the service activation was triggered.
You are responsible for ensuring that the service is deactivated. The SRC-TMP does not try to deactivate the service in this case.
- To try the deactivation again, click Retry in that row.
If the attack is no longer in the same state as when you clicked Retry, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is deactivated.
- If the service is deactivated, the attack is moved to the Action Required page.
- If the service is waiting to be deactivated, the attack record stays in the same state and continues to appear in the Stop Pending page. The Last Failure Time column indicates the time when the service deactivation was triggered.
The SRC-TMP automatically tries to deactivate the service again according to the configuration properties (see Configuring the SRC-TMP).
Managing Attacks with Activated Services
To manage attacks for which some action was taken, open the Action Taken page, which displays all attack records whose status is action taken.
The Attack ID is linked to the Attack Details page, which displays more information about the attack record.
The help button provides information about the possible actions that can be taken in response to an attack. For example, the Help could recommend blocking the attack, blocking the attacker, or slowing the attacker.
- To sort the attacks by a different category, select another category from the Sorted By drop-down list, and click Sort.
- To sort the attacks in a different order, select the order from the Ordered By drop-down list, and click Sort.
- To cancel the action, click Stop in that row to update the state and deactivate the service that represents the action that was taken.
If the attack is no longer in the same state as when you clicked Stop, the action is aborted, and a message explains that the attack has been handled. Otherwise, the result depends on whether the service is deactivated.
- If a service is deactivated, the attack is moved to the Action Required page.
- If a service is waiting to be deactivated, the attack record is placed in a pending state and appears in the Stop Pending page.
You are responsible for ensuring that the service is deactivated. The SRC-TMP does not try to deactivate the service in this case.
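The four pages above (Action Required, Start Pending, Stop Pending and Action Taken) and their buttons (Take Action, Cancel, Retry and Stop) describe one state machine, and every button shares the same guard: if the attack is no longer in the state it was in when the page was rendered, the click is aborted with a message that the attack has been handled. The following is an added example, not the SRC-TMP's own code, that implements those transitions and applies the guard as a compare-and-set under a lock, so two administrators working from the same page cannot act on one attack twice. The state and button names come from the page; the SAE callback, the clock and the sample run are assumptions made for this example.

```python
# Added example, not the SRC-TMP's own code: the attack-state transitions that
# the Action Required, Start Pending, Stop Pending and Action Taken pages
# describe, with the "attack is no longer in the same state as when you
# clicked" rule applied as a compare-and-set under a lock. The state and
# button names come from the page; the SAE callback, the clock and the sample
# run are assumptions made for this example.
import threading
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class State(Enum):
    ACTION_REQUIRED = "Action Required"
    START_PENDING = "Start Pending"
    STOP_PENDING = "Stop Pending"
    ACTION_TAKEN = "Action Taken"


# (button, state the row must still be in) ->
#   (SAE operation, state when the SAE completes it, state when it is left waiting)
TRANSITIONS: Dict[Tuple[str, State], Tuple[str, State, State]] = {
    ("Take Action", State.ACTION_REQUIRED): ("activate",   State.ACTION_TAKEN,    State.START_PENDING),
    ("Retry",       State.START_PENDING):   ("activate",   State.ACTION_TAKEN,    State.START_PENDING),
    ("Cancel",      State.START_PENDING):   ("deactivate", State.ACTION_REQUIRED, State.STOP_PENDING),
    ("Stop",        State.ACTION_TAKEN):    ("deactivate", State.ACTION_REQUIRED, State.STOP_PENDING),
    ("Retry",       State.STOP_PENDING):    ("deactivate", State.ACTION_REQUIRED, State.STOP_PENDING),
    ("Cancel",      State.STOP_PENDING):    ("activate",   State.ACTION_TAKEN,    State.START_PENDING),
}


@dataclass
class Attack:
    attack_id: str
    state: State = State.ACTION_REQUIRED
    action: Optional[str] = None             # service chosen from the Action drop-down
    last_failure_time: Optional[str] = None  # shown in the Last Failure Time column


# Assumed SAE interface: sae(operation, attack_id, service) returns True when the
# service is (de)activated now and False when the request is left waiting.
SaeCall = Callable[[str, str, str], bool]


class Portal:
    def __init__(self, sae: SaeCall, clock: Callable[[], str]) -> None:
        self._sae = sae
        self._clock = clock
        self._attacks: Dict[str, Attack] = {}
        self._lock = threading.Lock()

    def add(self, attack_id: str) -> Attack:
        with self._lock:
            self._attacks[attack_id] = Attack(attack_id)
            return self._attacks[attack_id]

    def get(self, attack_id: str) -> Attack:
        return self._attacks[attack_id]

    def click(self, attack_id: str, button: str, seen_state: State,
              action: Optional[str] = None) -> str:
        """Handle a button click from a page that showed the row in seen_state."""
        with self._lock:
            attack = self._attacks[attack_id]
            # The row may have changed since the page was rendered (another
            # administrator, an automatic retry): abort rather than act twice.
            if attack.state != seen_state:
                return f"aborted: attack {attack_id} has already been handled ({attack.state.value})"
            transition = TRANSITIONS.get((button, attack.state))
            if transition is None:
                return f"aborted: {button} is not available in {attack.state.value}"
            operation, done_state, waiting_state = transition
            if button == "Take Action":
                attack.action = action
            if self._sae(operation, attack_id, attack.action or ""):
                attack.state = done_state
            else:
                attack.state = waiting_state
                attack.last_failure_time = self._clock()
            return f"ok: attack {attack_id} is now {attack.state.value}"


class FakeSAE:
    """Constructed stand-in for the SAE: services in `waiting` are not (de)activated yet."""

    def __init__(self) -> None:
        self.waiting = set()

    def __call__(self, operation: str, attack_id: str, service: str) -> bool:
        return service not in self.waiting


def demo() -> Tuple[Attack, List[str]]:
    sae = FakeSAE()
    ticks = iter(range(1, 1000))
    portal = Portal(sae, lambda: f"t{next(ticks)}")
    portal.add("20070312:1001")
    sae.waiting.add("block-attacker")
    results = [
        # activation left waiting -> Start Pending, Last Failure Time set
        portal.click("20070312:1001", "Take Action", State.ACTION_REQUIRED, "block-attacker"),
        # a second administrator acting from a stale Action Required page is refused
        portal.click("20070312:1001", "Take Action", State.ACTION_REQUIRED, "block-attack"),
    ]
    sae.waiting.clear()
    results.append(portal.click("20070312:1001", "Retry", State.START_PENDING))  # -> Action Taken
    results.append(portal.click("20070312:1001", "Stop", State.ACTION_TAKEN))    # -> Action Required
    return portal.get("20070312:1001"), results


if __name__ == "__main__":
    attack, results = demo()
    print(*results, sep="\n")
```

The guard is the part worth copying: the state the page showed is sent back with the click and compared under the lock before anything is sent to the SAE, so a stale page cannot activate a second service for an attack that has already moved on. The transition table also makes the page's asymmetry explicit: Retry repeats the operation that is pending, while Cancel reverses it, which is why Cancel on a Start Pending attack can land it in Stop Pending.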