Tipping Point Intrusion Prevention System

 

The Tipping Point Intrusion Prevention System (IPS) DSM for JSA accepts Tipping Point events by using syslog.

JSA records all relevant events from either a Local Security Management (LSM) device or multiple devices with a Security Management System (SMS).

Before you configure JSA to integrate with Tipping Point, you must configure your device based on type:

Configure Remote Syslog for SMS

To configure Tipping Point for SMS, you must enable and configure your appliance to forward events to a remote host using syslog.

To configure your Tipping Point SMS:

  1. Log in to the Tipping Point system.
  2. On the Admin Navigation menu, select Server Properties.
  3. Select the Management tab.
  4. Click Add.

    The Edit Syslog Notification window is displayed.

  5. Select the Enable check box.
  6. Configure the following values:
    1. Syslog Server - Type the IP address of the JSA to receive syslog event messages.

    2. Port - Type 514 as the port address.

    3. Log Type - Select SMS 2.0 / 2.1 Syslog format from the list.

    4. Facility - Select Log Audit from the list.

    5. Severity - Select Severity in Event from the list.

    6. Delimiter - Select TAB as the delimiter for the generated logs.

    7. Include Timestamp in Header - Select Use original event timestamp.

    8. Select the Include SMS Hostname in Header check box.

    9. Click OK.

    10. You are now ready to configure the log source in JSA.

  7. To configure JSA to receive events from a Tipping Point device: From the Log Source Type list, select the Tipping Point Intrusion Prevention System (IPS) option.

    For more information about your Tipping Point device, see your vendor documentation.

Configuring Notification Contacts for LSM

You can configure LSM notification contacts.

  1. Log in to the Tipping Point system.
  2. From the LSM menu, select IPS > Action Sets.

    The IPS Profile - Action Sets window is displayed.

  3. Click the Notification Contacts tab.
  4. In the Contacts List, click Remote System Log.

    The Edit Notification Contact page is displayed.

  5. Configure the following values:
    1. Syslog Server - Type the IP address of the JSA to receive syslog event messages.

    2. Port - Type 514 as the port address.

    3. Alert Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.

    4. Block Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.

    5. Delimiter - Select TAB from the list.

    6. Click Add to table below.

    7. Configure a Remote system log aggregation period in minutes.

  6. Click Save.

    Note: If your JSA is in a different subnet than your Tipping Point device, you might have to add static routes. For more information, see your vendor documentation.

You are now ready to configure the action set for your LSM. See Configuring an Action Set for LSM.

Configuring an Action Set for LSM

You can configure an action set for your LSM.

  1. Log in to the Tipping Point system.
  2. From the LSM menu, select IPS > Action Sets.

    The IPS Profile - Action Sets window is displayed.

  3. Click Create Action Set.

    The Create/Edit Action Set window is displayed.

  4. Type the Action Set Name.
  5. For Actions, select a flow control action setting:
    • Permit - Allows traffic.

    • Rate Limit - Limits the speed of traffic. If you select Rate Limit, you must also select the desired rate.

    • Block - Does not permit traffic.

    • TCP Reset - When this is used with the Block action, it resets the source, destination, or both IP addresses of an attack. This option resets blocked TCP flows.

    • Quarantine - When this is used with the Block action, it blocks an IP address (source or destination) that triggers the filter.

  6. Select the Remote System Log check box for each action that you select.
  7. Click Create.

    You are now ready to configure the log source in JSA.

  8. To configure JSA to receive events from a Tipping Point device: From the Log Source Type list, select the Tipping Point Intrusion Prevention System (IPS) option.

    For more information about your Tipping Point device, see your vendor documentation.
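
The following check is an added example, not part of the vendor documentation: it decodes the syslog priority of received lines to confirm that the Alert Facility, Block Facility and TAB Delimiter settings from the Notification Contacts procedure took effect. The facility numbers 17 and 18, the function name check_message and the sample lines are assumptions made for illustration.

```python
import re

# Assumed values (not from the page): the numbers picked for Alert Facility
# and Block Facility on the Edit Notification Contact page.
ALERT_FACILITY = 17
BLOCK_FACILITY = 18

PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog priority header, e.g. <140>


def check_message(raw, alert=ALERT_FACILITY, block=BLOCK_FACILITY):
    """Decode one received syslog line and list anything that looks misconfigured."""
    result = {"kind": None, "facility": None, "severity": None, "problems": []}
    match = PRI_RE.match(raw)
    if match is None:
        result["problems"].append("no <PRI> header, not a syslog message")
        return result
    pri = int(match.group(1))
    # Syslog encodes PRI = facility * 8 + severity.
    result["facility"], result["severity"] = pri >> 3, pri & 0x07
    if alert == block:
        result["problems"].append("alert and block facility are identical")
    elif result["facility"] == alert:
        result["kind"] = "alert"
    elif result["facility"] == block:
        result["kind"] = "block"
    else:
        result["problems"].append(
            "facility %d matches neither contact setting" % result["facility"])
    if "\t" not in raw[match.end():]:
        result["problems"].append("no TAB in message, check the Delimiter setting")
    return result


# Constructed sample lines; the field contents are placeholders and do not
# reproduce the real Tipping Point event layout.
SAMPLES = [
    "<140>Jan  1 00:00:00 lsm-host\tfieldA\tfieldB",  # 17 * 8 + 4
    "<148>Jan  1 00:00:00 lsm-host\tfieldA\tfieldB",  # 18 * 8 + 4
    "<140>Jan  1 00:00:00 lsm-host|fieldA|fieldB",    # wrong delimiter
    "<14>Jan  1 00:00:00 other-host\tfieldA",         # facility 1
    "fieldA\tfieldB",                                 # no priority header
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_message(line))
```

Using distinct numbers for Alert Facility and Block Facility is what lets a receiver tell the two event classes apart from the priority header alone.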