IBM Security
Network Protection XGS Open Mic webcast #5 – May 20, 2015
IBM® Security Network Protection XGS Initial Setup and Deployment
Panelists
• Carlos Caballero – SWAT Security Consultant
• Jeff DiCostanzo - Team Lead Accelerated Value Program Support Engineer
• Danitza Villaran-Rokovich – Level 2 Technical Support Senior Engineer
• Edward Leisure – Level 2 Technical Support Engineer
• Eric York – XGS, Sales Representative
• Paul Ermerins – Network Protection XGS Quality Assurance
• Moazzam Khan – Intrusion Prevention Software Engineer
• Steven McKinney – Level 2 Technical Support Team Lead
• Paul Griswold – XGS, Program Manager
• Thomas Gray – Level 2 Technical Support Senior Manager
Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
• USA: 866-803-2145
• USA toll: 1-210-795-1099
• Participant passcode: 1322112
• Slides & additional dial-in numbers: http://bit.ly/ibm-openmic-XGS_20150520-doc
NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
© 2015 IBM Corporation
To provide guidance and avoid pitfalls when setting up and deploying the XGS appliance.
Agenda
 Initial Setup
 Overview of Security Policies
 Deployment Scenarios
 Questions
Initial Setup
Pre-requisites
• License keys (KeyLib6)
• Management IP Address, Subnet Mask, Default Gateway and DNS Servers
• TCP Port 3995 to Agent Manager
• TCP Port 443 to XGS from SiteProtector Console
• Access to the Internet
• http://www.ibm.com/support/doc/view.wss?uid=swg21437057
Configuration Wizard
Use the Local Management Interface or a Terminal Emulator program to perform the following steps:
1. Log in as admin with the default password password
2. Accept the Software License Agreement
3. Optionally: Enable FIPS
4. Change the default password
5. Change the Hostname
6. Configure the Management Interface
7. Configure DNS
8. Configure the Date and Time
Modules and Features
Licensed modules and features:
• Firmware
• XPU
• Web Application
• IP Reputation
• URL Category
• Application DB
• IP Reputation DB
• Base FPL
• FPL1, FPL2, FPL3, FPL4
• SSL Inspection
Flexible Performance Licensing (XGS5100):
FPL1 | 2.5 Gb/s Inspected Traffic
FPL2 | 4.0 Gb/s Inspected Traffic
FPL3 | 5.5 Gb/s Inspected Traffic
FPL4 | 7.0 Gb/s Inspected Traffic
Uploading Licenses
 Navigate to Manage System Settings->Licensing and Performance
 Upload the KeyLib6 License for each required feature
Each license is uploaded individually.
Update Status
 Navigate to Manage System Settings->Overview
The Overview shows the current Firmware and available updates, the current X-Force Content and available updates, and the status of all licenses and performance levels.
Uploading a license triggers the update process for the corresponding database. Status values are:
• Not Licensed
• Waiting – Licensed but no Internet connection
• Downloading – Updating DB
• Ready – Update completed
Databases Configuration
 Application Database settings
 Navigate to Manage System Settings->Manage Application Databases
• Updates are downloaded automatically for both Application and IP Reputation databases
• Allows direct feedback to X-Force on incorrect categorization of URL, Web Applications or IP Reputation data
• Includes IP Reputation info in the form of Categorization (spam, malware, etc.) and Score as part of the Security Event payload
• Proxy credentials for internet access
Firmware Upgrade & Partitions
 Navigate to Manage System Settings->Available Updates
• Firmware updates are installed in Partition 2 (Not Active). After reboot this becomes the Active partition.
• Customers can select which partition will be active at any given time.
(Diagram: Partition 1 (Active), Partition 2)
Agent Manager Communication
 Registration with IBM SiteProtector through Agent Manager
- By default, communication is encrypted using SSL
- Authentication can be added as another security level
- Uses port TCP 3995 to:
  • Post Security Events
  • Apply Security Policies
- Can communicate with multiple Agent Managers (redundancy)
(Diagram: XGS to Agent Manager over TCP 3995)
Groups
 Preparing a Grouping Hierarchy
- Groups can be defined by functional areas, networks, location, customers, etc.
- Groups are defined in the Agent View
- To add a new group, right click on a parent group and select New->Group
- Security Policies can be applied at a parent or child level.
Grouping hierarchy benefits:
• Allows granular control for Security Policies
• Facilitates Analysis of Security Events
• Facilitates Reporting
(Diagram: Agent Manager 1 managing XGS appliances in Group 1 and Group 2)
Group Settings
 Configuring a Group
- Right click on the Group and select Manage Policy
- In the Agent Type section select IBM Security Network Protection
- Select the Default Repository
- Right click on the Group Settings policy
- Select Open Latest Version…
Group Settings
 Configuring a Group Settings Policy
• Select the corresponding Agent Manager for this group
• Add an authentication account for an extra level of security
• Enter Proxy settings if behind a Proxy
Deploying a Group Settings Policy
 Deploying the Group Settings Policy
1. Use the Targets tab to specify which groups the new policy will be applied to
2. Check the box to deploy the new version of this policy
XGS Registration with IBM SiteProtector
 Registering the XGS through the LMI
 Navigate to Manage System Settings->System Settings->SiteProtector Management
• Specify the SiteProtector Group Name
• Specify the Agent Manager settings
• Enter an authentication account for an extra level of security
Registration with IBM SiteProtector – Agent View
 Viewing the XGS Agent in IBM SiteProtector Console
• XGS agent displayed under corresponding group
• Health Status reports state for System, Security and Network
• Status reports state for agent communication and policy configurations:
  • Active – Communication and policy configuration OK
  • Active with Errors – Policy configuration errors or netengine and analysis disabled
  • Offline – No communication with Agent Manager
  • Not Responding – N/A
• Reports the last contact time of the agent
• Version reports the current XForce Content and Firmware version
• Update Status reports if there are available updates
• Performance reports the licensed performance level
Overview of Security Policies
Policy Comparison
 XGS vs GX Policies comparison by functionality
Functionality             | GX Policy          | XGS Policy
Segmentation, granularity | Protection Domains | Network Access (Network Objects)
Inspection                | Security Events    | Intrusion Prevention (IPS Objects)
X-Force Protection Levels | Virtual Patch      | Intrusion Prevention (IPS Objects)
Blocking                  | Firewall           | Network Access
Monitoring services       | Connection Events  | Network Access
Tuning                    | Response Filters   | IPS Event Filters
GX - Protection Domains
 Located under Shared Objects
Protection Domain
• Provides more granular control over how policies affect different network segments
• Several virtual appliances monitoring the network
The Default Global Protection Domain matching “ANY” is always enabled.
Additional Protection Domains can be created based on:
• Protection Interface
• VLANs
• IP Addresses (Single, Range, List, CIDR)
GX - Virtual Patch
 Located under Shared Objects
 Applies to all Security Event policies in the actual repository
• Virtual Patch controls the Protection Threat Level of the Security Events policies deployed in the actual Repository
• Controls the Protection Level for all the Security Events policies for the current repository. There are 3 types:
  • Moderate (Default)
  • Aggressive
  • Paranoid
• Controls X-Force recommended blocking based on XPUs
Threat Protection Levels
Moderate: Enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.
Aggressive: Enables a high percentage of attack events for a high level of security protection with a chance of false alarms. The aggressive policy is designed for users who perform testing and tuning before IPS deployment, and who closely monitor security events and occasionally fine-tune the IPS configuration.
Paranoid: Enables almost all attack events (including events from the latest XPUs) for a very high level of security protection with significant chance of false alarms. The paranoid policy is designed for users who perform considerable testing and tuning before IPS or XPU deployment, and who closely monitor security events and frequently fine-tune the IPS configuration.
Sample summary for XPU 34.040:
XPU 34.040                          | Moderate | Aggressive | Paranoid
Total Security Events               | 5303     | 5303       | 5303
Security Events (Attacks)           | 4801     | 4801       | 4801
Security Events (Audits)            | 502      | 502        | 502
Security Events (Enabled)           | 3319     | 4278       | 4754
Security Events (Enabled and Block) | 3308     | 4274       | 4752
GX - Security Events
 Part of the Default Repository
 Protection Domains allow for the creation of custom Security Event policies
Default Protection Domain: Global
• Matches ANY traffic
• Uses all Security Events as defined by X-Force
• Applies blocking responses as defined in the Virtual Patch Policy
Custom Protection Domain: Demo
• Matches traffic for specific addresses
• Contains a subset of Security Events
• Security Events responses may differ from X-Force
XGS - Intrusion Prevention
 Located under Shared Objects
 Available for multiple NAP policies across multiple Groups in the current Repository
IPS Objects are used to enable a set of the Security Events.
Intrusion Prevention
• Latest version always deployed
• Only edited from here
• Contains multiple IPS Objects
• Can be used across multiple NAP rules
The “Default IPS” object contains all the Security Events as defined by X-Force with their corresponding responses. It is used by the default NAP rule.
Other predefined IPS Objects are derived from categorizations found in the PAM Help file.
IPS Objects Settings
 Trust X-Force Defaults section contains:
 Protection Level Signatures
 Protection Level Blocking
By default Security Events are stored locally. When registered with SiteProtector all events are sent to the Agent Manager.
Protection Level:
• None
• Moderate
• Aggressive (Default)
• Paranoid
Additional Response Objects include:
• SNMP
• Email
• Remote Syslog (SIEM)
Content Update Trust Level – defines recommended X-Force responses for a specific XPU
IPS Objects Content
 Select the IPS Object in the left pane. Security Events are displayed in the right pane.
(Screenshot: Available IPS Objects; Enhanced Filtering)
Security Events Configuration
 Security Events Configuration
(Screenshot of the Security Events configuration view)
XGS – Network Access Policy
 Configuring a Network Access Policy (NAP)
- Open the SiteProtector Console in the Policy View
- In the Agent Type section select IBM Security Network Protection
- Select the Default Repository
- Right click on the Network Access policy
- Select Open Latest Version…
Network Access Policy – Network Objects
Network Objects – Used to match specific traffic types
• Address
   Address Host, Range, List or Subnet (similar to Protection Domain)
   Geolocation
• Applications
   Web Applications such as Facebook, YouTube, etc. and their actions (post, chat, etc.)
   Non-Web Applications (LDAP, Kerberos, DHCP, etc.)
   IP Reputation (malware, spam, C&C, anonymous proxies, dynamic IPs)
   URL Categories (Lists)
• Inspection
   IPS Objects
• Identity
   Local
   Remote Directory
• Responses
   SNMP, Email, Log (Local or Remote)
• Schedule
Network Access Policy - Rules
• Order defines the priority of the rule.
• Source and Destination are based on Address Objects.
• Application can be based on Web or Non-Web applications, URL Category or list, or IP Reputation.
• Action can be:
  • Accept
  • Reject
  • Drop
  • Authenticate
• Response defines what to do when a match is made:
  • SNMP
  • Email
  • Log (Local or SIEM)
  • Pcap
• Inspection defines the IPS Object to be applied for inspection of the matched (Accepted) traffic.
Processing: the only rule available by default accepts all traffic and applies the Default IPS policy object for inspection.
By default Network Access events are not logged (No Response).
Overview of Security Policies – Deploying NAP
 Deploying the Network Access Policy
1. Use the Targets tab to specify which groups the new policy will be applied to
2. Check the box to deploy the new version of this policy
XGS appliances reporting to the ATLANTA Group will inspect all traffic using the Default policy.
Deployment Scenarios and Use Cases
Deployment Scenarios – Use Cases
 The following slides provide guidance in deployment and configuration scenarios:
 Monitoring vs Inline mode
 Network Interface Modules (NIMs)
 Blocking traffic
 Monitoring Services
 Excluding traffic from inspection
 Filtering Security Events
 Custom IPS Objects
 Monitoring Malicious Activity
 One Policy Multiple Environments
Deployment Scenarios – Monitoring vs Inline Mode
From Policy View go to Agent-Specific-Policies->Protection Interfaces
Inspection Mode determines how the XGS will inspect traffic in a pair of ports:
• Passive Monitoring – Protection Pair: both ports are configured as Monitoring. Same inspection capabilities as in other modes.
• Inline (Simulation or Protection) – Protection Pair: ports connect to upstream and downstream devices. Simulation mode is the recommended setting for a new deployment.
Deployment Scenarios – Network Interface Modules (NIMs)
 Install the appropriate NIM before power up. Do not remove it while the appliance is on.
 From Policy View go to Agent-Specific-Policies->Protection Interfaces
Available NIMs:
• 8-port RJ-45 copper w/ built-in bypass
• 4-port Fixed fiber (SX) w/ built-in bypass
• 4-port Fixed fiber (LX) w/ built-in bypass
• 2-port 10GbE (SR) w/ built-in bypass
• 2-port 10GbE (LR) w/ built-in bypass
• 4-port SFP (requires transceivers)
• 2-port 10GbE SFP+ (requires transceivers)
Bypass behaviour:
• Software Bypass (XPU Updates) – Events are forwarded unanalyzed
• Hardware Bypass (Firmware Upgrade, power failure) – Can be configured to:
  • Fail-Open
  • Fail-Close
  • Auto (defaults to Fail-Open)
Use Cases – Blocking Traffic
Scenario 1 – Block Access to a Server from a specific Host
Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (IP Address: 10.10.10.10, Service: SSH, URL: www.app1.com)
1. Create 2 Host Address Objects: PC1 and SRV1
2. Create a NAP Rule with higher priority (lower Order) than the default rule and with Source PC1 and Destination SRV1. Action Rule = Reject (Block + RST). Log packet if match against Rule#10. No Schedule object equals ALWAYS.
3. All other traffic uses the default rule.
Use Cases – Monitoring Access to a Service
Scenario 2 – Monitor Access to a Service during business hours
Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (IP Address: 10.10.10.10, Service: SSH, URL: www.app1.com)
• Create a NAP Rule with higher priority (lower Order) than the previous rule. Note that the Order number of existing rules adjusts automatically.
• Uses a predefined Non-Web Application Object for SSH
• Use the Business Hours Schedule Object to define when the rule is valid
• Action Rule = Accept and process for inspection
• Log packet if match against Rule#10
• Traffic is still monitored using the Default IPS Object
Use Case – Excluding Traffic from Inspection
Scenario 3 – Filtering Traffic from a Vulnerability Scanner
Topology: Scanner (10.10.10.2) -> XGS -> SRV1 (IP Address: 10.10.10.10, Service: SSH, URL: www.app1.com)
1. Create an IPS Object with Protection Level None
2. Create a NAP Rule with higher priority (lower Order) than the default rule. Action = Accept. Inspection Object is Blank.
3. Policy changes are applied automatically.
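As an added example (not part of the slides and not IBM code), the following Python model puts the Network Access Policy rule semantics described on the Rules slide and in Scenarios 1 to 3 into executable form: the first matching rule in Order wins, a rule inserted at a given Order shifts the existing rules down, Reject blocks, Accept hands the traffic to the named IPS object, and an IPS object of None excludes the traffic from inspection. The addresses are the ones on the slides; the rule names, the Order values, the 09:00 to 17:00 business-hours window, the "any" source of the SSH monitoring rule and the decision to place the scanner rule above it are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of XGS Network Access Policy (NAP) rules; not IBM code.


@dataclass
class NapRule:
    order: int                              # lower Order = higher priority
    name: str
    source: str = "any"                     # host or subnet (CIDR), or "any"
    destination: str = "any"
    application: str = "any"                # Non-Web Application object, e.g. "SSH"
    action: str = "Accept"                  # Accept, Reject (block + RST), Drop
    inspection: Optional[str] = "Default IPS"  # IPS object for Accepted traffic; None = no inspection
    schedule: Optional[tuple] = None        # (start_hour, end_hour); None means ALWAYS
    log: bool = False                       # Response: log the packet on match


def _addr_match(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def _schedule_match(schedule: Optional[tuple], hour: int) -> bool:
    return schedule is None or schedule[0] <= hour < schedule[1]


def insert_rule(rules: list, new_rule: NapRule) -> list:
    """Insert a rule at new_rule.order; rules at or below that priority are
    shifted down by 10, mirroring the automatic Order adjustment on the slides."""
    for rule in rules:
        if rule.order >= new_rule.order:
            rule.order += 10
    rules.append(new_rule)
    rules.sort(key=lambda r: r.order)
    return rules


def evaluate(rules: list, src: str, dst: str, app: str, hour: int) -> dict:
    """First matching rule in Order wins. The default rule (accept all,
    Default IPS, no response) is always last and always matches."""
    for rule in sorted(rules, key=lambda r: r.order):
        if (_addr_match(rule.source, src)
                and _addr_match(rule.destination, dst)
                and rule.application in ("any", app)
                and _schedule_match(rule.schedule, hour)):
            return {
                "rule": rule.name,
                "action": rule.action,
                # only Accepted traffic is handed to an IPS object
                "inspection": rule.inspection if rule.action == "Accept" else None,
                "log": rule.log,
            }
    raise RuntimeError("policy has no default rule")


def build_policy() -> list:
    # Default NAP rule: accepts all traffic, inspects with Default IPS, not logged.
    rules = [NapRule(order=1000, name="Default")]
    # Scenario 1: block PC1 -> SRV1 (Reject = block + RST), log matches, schedule ALWAYS.
    insert_rule(rules, NapRule(10, "Block PC1 to SRV1", "10.10.10.1", "10.10.10.10",
                               action="Reject", log=True))
    # Scenario 2: higher priority than the previous rule; SSH to SRV1 during
    # business hours is accepted, logged and still inspected by Default IPS.
    # (the "any" source and the 09:00-17:00 window are assumptions)
    insert_rule(rules, NapRule(10, "Monitor SSH business hours", "any", "10.10.10.10",
                               "SSH", action="Accept", schedule=(9, 17), log=True))
    # Scenario 3: scanner traffic accepted with no IPS object (Protection Level None).
    # Placed above the SSH rule (assumption) so the scanner's SSH probes are not
    # picked up by the monitoring rule during business hours.
    insert_rule(rules, NapRule(10, "Exclude scanner", "10.10.10.2",
                               action="Accept", inspection=None))
    return rules


if __name__ == "__main__":
    policy = build_policy()
    for rule in policy:
        print(rule.order, rule.name)
    print(evaluate(policy, "10.10.10.1", "10.10.10.10", "SSH", hour=10))
    print(evaluate(policy, "10.10.10.1", "10.10.10.10", "SSH", hour=22))
    print(evaluate(policy, "10.10.10.2", "10.10.10.10", "SSH", hour=10))
```

Running the block shows why Order matters: after the three inserts the rules sit at 10, 20, 30 and the default at the bottom, so PC1's SSH session to SRV1 is accepted and inspected at 10:00 (monitoring rule) but rejected at 22:00 (the block rule beneath it), while the scanner's probes are accepted without any IPS object attached. Any other traffic falls through to the default rule and is inspected by Default IPS with no response logged.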
Use Case – IPS Event Filters
Scenario 4 – Filtering a Security Event
Topology: Internal Network (192.168.1.0/24) -> XGS -> SRV1 (IP Address: 10.10.10.10, Service: SMB, URL: www.app1.com); Security Event: SMB_Empty_Password
1. Create a Network object of type Address Subnet
2. Select the Security Events to be Ignored from inspection
3. Create an IPS Event Filter Rule with the Ignore action. Apply to any type of traffic.
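Added example (not from the slides, not IBM code) of what the Scenario 4 filter does to the event stream: an Ignore rule bound to an Address Subnet object suppresses the selected Security Event only for that network, so the same signature fired from another network is still reported. The SMB_Empty_Password event name and the 192.168.1.0/24 and 10.10.100.0/24 subnets come from Scenarios 4 and 5; the sample events, the event name "Example_Other_Event" and the choice to match the subnet object against the event's source address are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed model of an XGS IPS Event Filter with an Ignore action; not IBM code.


@dataclass
class SecurityEvent:
    name: str        # signature name, e.g. SMB_Empty_Password
    src: str
    dst: str
    protocol: str


@dataclass
class EventFilterRule:
    event_names: set          # Security Events selected to be ignored
    network: str              # Address Subnet object, matched against the source (assumption)
    protocol: str = "any"     # "any" = apply to any type of traffic
    action: str = "Ignore"


def _in_network(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def _matches(rule: EventFilterRule, ev: SecurityEvent) -> bool:
    return (ev.name in rule.event_names
            and _in_network(rule.network, ev.src)
            and rule.protocol in ("any", ev.protocol))


def apply_event_filters(events, filters) -> Tuple[List[SecurityEvent], List[SecurityEvent]]:
    """Split detected events into those forwarded to the Agent Manager and those
    suppressed by an Ignore filter. Detection still happens; only reporting is tuned."""
    forwarded, ignored = [], []
    for ev in events:
        if any(f.action == "Ignore" and _matches(f, ev) for f in filters):
            ignored.append(ev)
        else:
            forwarded.append(ev)
    return forwarded, ignored


def run_scenario_4() -> Tuple[List[str], List[str]]:
    # Scenario 4 filter: ignore SMB_Empty_Password only for the Internal Network subnet.
    filters = [EventFilterRule({"SMB_Empty_Password"}, "192.168.1.0/24")]
    # Constructed sample events: subnets from the slides, "Example_Other_Event" is made up.
    events = [
        SecurityEvent("SMB_Empty_Password", "192.168.1.25", "10.10.10.10", "SMB"),
        SecurityEvent("SMB_Empty_Password", "10.10.100.7", "10.10.10.10", "SMB"),
        SecurityEvent("Example_Other_Event", "192.168.1.25", "10.10.10.10", "SMB"),
    ]
    forwarded, ignored = apply_event_filters(events, filters)
    return ([f"{e.name} {e.src}" for e in forwarded],
            [f"{e.name} {e.src}" for e in ignored])


if __name__ == "__main__":
    fwd, ign = run_scenario_4()
    print("forwarded:", fwd)
    print("ignored:", ign)
```

The point of scoping the filter to the subnet object rather than disabling the signature in the IPS object is visible in the output: the internal-network instance is dropped from reporting, while the same event from the 3rd-party network and any other event from the internal network still reach the Agent Manager.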
Use Case – Custom IPS Objects
Scenario 5 – Managing Custom IPS Objects
Topology: Internal Network (192.168.1.0/24) and 3rd Party Network (10.10.100.0/24) -> XGS -> SRV1 (IP Address: 10.10.10.10, Service: SMB, URL: www.app1.com)
1. Create an IPS Object with Protection Level Paranoid
2. Create a Network object of type Address Subnet
3. Create a NAP Rule with higher priority than the default rule and with the Paranoid inspection object
Use Case – Monitoring Malicious Activity
Scenario 6 – Monitoring malware activity
Topology: Internal Network (192.168.1.0/24) -> XGS -> Malware
1. Create an IP Reputation Object with Category Malware. Adjust the Threshold: the X-Force score should be 80% or more for the rule to match.
2. Create a NAP Rule with higher priority (lower Order) than the default rule. Action Rule = Accept and process for inspection. Apply a Paranoid inspection policy. Log packet if match against Rule#10.
Deployment Scenarios – One Policy Multiple Environments
Scenario 6 – One Global IPS Policy across multiple environments
Topology: SiteProtector (NEW YORK) managing XGS appliances in Customer Network 1 and Customer Network 2
• Create a Custom IPS Object policy to use across all environments
• Create a Network Access policy at the top level to accept all traffic and inspect using the Custom (or Default) IPS Object
• Create Custom IPS Event Filter policies for tuning based on the requirements of each environment using the same Custom (or Default) IPS Object
Questions for the panel?
Now is your opportunity to ask questions of our panelists.
To ask a question now:
• Press *1 to ask a question over the phone, or
• Type your question into the SmartCloud Meetings chat
To ask a question after this presentation:
You are encouraged to participate in our dW Answers XGS forum topic, How do I deploy and configure the XGS?
URL: https://developer.ibm.com/answers/questions/190147/how-do-i-deploy-andconfigure-the-xgs.html
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.