IBM Security Network Protection XGS Open Mic webcast #5 – May 20, 2015

IBM® Security Network Protection XGS Initial Setup and Deployment

Panelists
• Carlos Caballero – SWAT Security Consultant
• Jeff DiCostanzo – Team Lead, Accelerated Value Program Support Engineer
• Danitza Villaran-Rokovich – Level 2 Technical Support Senior Engineer
• Edward Leisure – Level 2 Technical Support Engineer
• Eric York – XGS Sales Representative
• Paul Ermerins – Network Protection XGS Quality Assurance
• Moazzam Khan – Intrusion Prevention Software Engineer
• Steven McKinney – Level 2 Technical Support Team Lead
• Paul Griswold – XGS Program Manager
• Thomas Gray – Level 2 Technical Support Senior Manager

Reminder: You must dial in to the phone conference to listen to the panelists. The webcast does not include audio.
• USA: 866-803-2145
• USA toll: 1-210-795-1099
• Participant passcode: 1322112
• Slides & additional dial-in numbers: http://bit.ly/ibm-openmic-XGS_20150520-doc

NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
© 2015 IBM Corporation

Objective: to provide guidance and avoid pitfalls when setting up and deploying the XGS appliance.

Agenda
• Initial Setup
• Overview of Security Policies
• Deployment Scenarios
• Questions

Initial Setup

Pre-requisites
• License keys (KeyLib6)
• Management IP address, subnet mask, default gateway and DNS servers
• TCP port 3995 from the XGS to the Agent Manager
• TCP port 443 to the XGS from the SiteProtector Console
• Access to the Internet
• Details: http://www.ibm.com/support/doc/view.wss?uid=swg21437057

Configuration Wizard
Use the Local Management Interface or a terminal emulator program to perform the following steps:
1. Log in as admin with the password "password"
2. Accept the Software License Agreement
3. Optionally: enable FIPS
4. Change the default password
5. Change the hostname
6. Configure the management interface
7. Configure DNS
8. Configure the date and time

Modules and Features
• Firmware
• XPU
• Web Application
• IP Reputation
• URL Category
• Application DB
• IP Reputation DB
• SSL Inspection

Flexible Performance Licensing (XGS5100)
• Base FPL
• FPL1 – 2.5 Gb/s inspected traffic
• FPL2 – 4.0 Gb/s inspected traffic
• FPL3 – 5.5 Gb/s inspected traffic
• FPL4 – 7.0 Gb/s inspected traffic

Uploading Licenses
• Navigate to Manage System Settings->Licensing and Performance
• Upload the KeyLib6 license for each required feature
• Each license is uploaded individually

Update Status
• Navigate to Manage System Settings->Overview
• Shows the current firmware and available updates
• Uploading a license triggers the update process for the corresponding database.
Status values are:
• Not Licensed
• Waiting – licensed but no Internet connection
• Downloading – updating the database
• Ready – update completed
The Overview page also shows the current X-Force content with available updates, and the status of all licenses and performance levels.

Databases Configuration
Application Database settings
• Navigate to Manage System Settings->Manage Application Databases
• Updates are downloaded automatically for both the Application and IP Reputation databases
• Allows direct feedback to X-Force on incorrect categorization of URL, web application or IP reputation data
• Includes IP reputation information, in the form of a categorization (spam, malware, etc.) and a score, as part of the security event payload
• Proxy credentials for Internet access

Firmware Upgrade & Partitions
• Navigate to Manage System Settings->Available Updates
• Firmware updates are installed in Partition 2 (not active); after reboot this becomes the active partition
• Customers can select which partition will be active at any given time

Agent Manager Communication
Registration with IBM SiteProtector through the Agent Manager:
- By default, communication is encrypted using SSL
- Authentication can be added as another security level
- Uses port TCP 3995 to:
  • Post security events
  • Apply security policies
- Can communicate with multiple Agent Managers (redundancy)

Groups
Preparing a grouping hierarchy:
- Groups can be defined by functional areas, networks, location, customers, etc.
- Groups are defined in the Agent View
- To add a new group, right click on a parent group and select New->Group
- Security policies can be applied at a parent or child level.
Grouping hierarchy benefits:
• Allows granular control for security policies
• Facilitates analysis of security events
• Facilitates reporting
(Diagram: Agent Manager 1 with Group 1 and Group 2, each containing XGS appliances)

Group Settings
Configuring a group:
- Right click on the group and select Manage Policy
- In the Agent Type section select IBM Security Network Protection
- Select the Default Repository
- Right click on the Group Settings policy
- Select Open Latest Version…

Configuring a Group Settings policy:
• Select the corresponding Agent Manager for this group
• Add an authentication account for an extra level of security
• Enter proxy settings if behind a proxy

Deploying a Group Settings Policy
1. Use the Targets tab to specify which groups the new policy will be applied to
2. Check the box to deploy the new version of this policy

XGS Registration with IBM SiteProtector
Registering the XGS through the LMI:
• Navigate to Manage System Settings->System Settings->SiteProtector Management
• Specify the SiteProtector group name
• Specify the Agent Manager settings
• Enter an authentication account for an extra level of security

Registration with IBM SiteProtector – Agent View
Viewing the XGS agent in the IBM SiteProtector Console:
• The XGS agent is displayed under the corresponding group
• Health Status reports the state for System, Security and Network
• Status reports the state of agent communication and policy configuration:
  • Active – communication and policy configuration OK
  • Active with Errors – policy configuration errors, or netengine and analysis disabled
  • Offline – no communication with the Agent Manager
  • Not Responding – N/A
• Last Contact reports the last contact time of the agent
• Version reports the current X-Force content and firmware version
• Update Status reports whether updates are available
• Performance reports the licensed performance level

Overview of Security Policies

Policy Comparison XGS vs GX
Policies compared by functionality:

Functionality               GX Policy            XGS Policy
Segmentation, granularity   Protection Domains   Network Access (Network Objects)
Inspection                  Security Events      Intrusion Prevention (IPS Objects)
X-Force Protection Levels   Virtual Patch        Intrusion Prevention (IPS Objects)
Blocking                    Firewall             Network Access
Monitoring services         Connection Events    Network Access
Tuning                      Response Filters     IPS Event Filters

GX – Protection Domains
Located under Shared Objects.
• Provide more granular control over how policies affect different network segments
• Behave like several virtual appliances monitoring the network
• The default Global Protection Domain matching "ANY" is always enabled
• Additional Protection Domains can be created based on:
  • Protection interface
  • VLANs
  • IP addresses (single, range, list, CIDR)

GX – Virtual Patch
Located under Shared Objects; applies to all Security Event policies in the current repository.
• Controls the Protection Threat Level of all Security Events policies deployed in the current repository. There are 3 levels:
  • Moderate (default)
  • Aggressive
  • Paranoid
• Controls X-Force recommended blocking based on XPUs

Threat Protection Levels
Moderate: enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.
Aggressive: enables a high percentage of attack events for a high level of security protection with a chance of false alarms.
The aggressive policy is designed for users who perform testing and tuning before IPS deployment, and who closely monitor security events and occasionally fine-tune the IPS configuration.
Paranoid: enables almost all attack events (including events from the latest XPUs) for a very high level of security protection with a significant chance of false alarms. The paranoid policy is designed for users who perform considerable testing and tuning before IPS or XPU deployment, and who closely monitor security events and frequently fine-tune the IPS configuration.

Sample summary for XPU 34.040

XPU 34.040                            Moderate   Aggressive   Paranoid
Total Security Events                 5303       5303         5303
Security Events (Attacks)             4801       4801         4801
Security Events (Audits)              502        502          502
Security Events (Enabled)             3319       4278         4754
Security Events (Enabled and Block)   3308       4274         4752

GX – Security Events
Part of the Default Repository. Protection Domains allow the creation of custom Security Event policies.
Default Protection Domain: Global
• Matches ANY traffic
• Uses all Security Events as defined by X-Force
• Applies blocking responses as defined in the Virtual Patch policy
Custom Protection Domain: Demo
• Matches traffic for specific addresses
• Contains a subset of Security Events
• Security Event responses may differ from those defined by X-Force

XGS – Intrusion Prevention
Located under Shared Objects; available to multiple NAP policies across multiple groups in the current repository. IPS Objects are used to enable a set of the Security Events.
Intrusion Prevention policy:
• Latest version always deployed
• Only edited from here
• Contains multiple IPS Objects
• Can be used across multiple NAP rules
The "Default IPS" object contains all the Security Events as defined by X-Force with their corresponding responses, and is used by the default NAP rule. Other predefined IPS Objects are derived from the categorizations found in the PAM Help file.
IPS Object Settings
The Trust X-Force Defaults section contains:
• Protection Level Signatures
• Protection Level Blocking
Protection Level:
• None
• Moderate
• Aggressive (default)
• Paranoid
By default Security Events are stored locally. When registered with SiteProtector, all events are sent to the Agent Manager.
Additional Response Objects include:
• SNMP
• Email
• Remote Syslog (SIEM)
Content Update Trust Level – defines the recommended X-Force responses for a specific XPU.

IPS Objects Content
• Select the IPS Object in the left pane; its Security Events are displayed in the right pane
• Available IPS Objects
• Enhanced Filtering

Security Events Configuration
(Screenshot of the Security Events configuration view)

XGS – Network Access Policy
Configuring a Network Access Policy (NAP):
- Open the SiteProtector Console in the Policy View
- In the Agent Type section select IBM Security Network Protection
- Select the Default Repository
- Right click on the Network Access policy
- Select Open Latest Version…

Network Access Policy – Network Objects
Network Objects are used to match a specific traffic type:
• Address
  • Host, Range, List or Subnet (similar to a Protection Domain)
  • Geolocation
• Applications
  • Web applications such as Facebook, YouTube, etc. and their actions (post, chat, etc.)
  • Non-web applications (LDAP, Kerberos, DHCP, etc.)
  • IP Reputation (malware, spam, C&C, anonymous proxies, dynamic IPs)
  • URL Categories (lists)
• Inspection
  • IPS Objects
• Identity
  • Local
  • Remote Directory
• Responses
  • SNMP, Email, Log (local or remote)
• Schedule

Network Access Policy – Rules
• Source and Destination are based on Address Objects
• Application can be based on a web or non-web application, a URL category or list, or IP Reputation
• Action can be:
  • Accept
  • Reject
  • Drop
  • Authenticate
• Response defines what to do when a rule matches:
  • SNMP
  • Email
  • Log (local or SIEM)
  • Pcap
• Inspection defines the IPS Object applied to inspect the matched (Accepted) traffic
• Order defines the priority of the rule
• The only rule present by default accepts all traffic and applies the Default IPS policy object for inspection
• By default Network Access events are not logged (no Response)

Overview of Security Policies – Deploying NAP
Deploying the Network Access Policy:
1. Use the Targets tab to specify which groups the new policy will be applied to
2. Check the box to deploy the new version of this policy
XGS appliances reporting to the ATLANTA group will inspect all traffic using the default policy.

Deployment Scenarios and Use Cases

Deployment Scenarios – Use Cases
The following slides provide guidance for deployment and configuration scenarios:
• Monitoring vs Inline mode
• Network Interface Modules (NIMs)
• Blocking traffic
• Monitoring services
• Excluding traffic from inspection
• Filtering Security Events
• Custom IPS Objects
• Monitoring malicious activity
• One policy, multiple environments

Deployment Scenarios – Monitoring vs Inline Mode
From the Policy View go to Agent-Specific-Policies->Protection Interfaces. The Inspection Mode determines how the XGS will inspect traffic on a pair of ports.
Protection Pair – both ports are configured as Monitoring.
This is Passive Monitoring mode: same inspection capabilities as in the other modes.
Inline (Simulation or Protection): Protection Pair – the ports connect to upstream and downstream devices. Simulation mode is the recommended setting for a new deployment.

Deployment Scenarios – Network Interface Modules (NIMs)
Install the appropriate NIM before power up. Do not remove it while the appliance is on.
From the Policy View go to Agent-Specific-Policies->Protection Interfaces.
Available NIMs:
• 8-port RJ-45 copper with built-in bypass
• 4-port fixed fiber (SX) with built-in bypass
• 4-port fixed fiber (LX) with built-in bypass
• 2-port 10GbE (SR) with built-in bypass
• 2-port 10GbE (LR) with built-in bypass
• 4-port SFP (requires transceivers)
• 2-port 10GbE SFP+ (requires transceivers)
Software Bypass (XPU updates) – events are forwarded unanalyzed.
Hardware Bypass (firmware upgrade, power failure) – can be configured to:
• Fail-Open
• Fail-Close
• Auto (defaults to Fail-Open)

Use Cases – Blocking Traffic
Scenario 1 – Block access to a server from a specific host
Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (IP address 10.10.10.10, service SSH, URL www.app1.com)
1. Create two Host Address Objects, PC1 and SRV1
2. Create a NAP rule with higher priority (lower Order) than the default rule, with Source PC1 and Destination SRV1
   • Action = Reject (Block + RST)
   • Log packet if it matches Rule #10
   • No Schedule object equals ALWAYS
3. All other traffic uses the default rule

Use Cases – Monitoring Access to a Service
Scenario 2 – Monitor access to a service during business hours
Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (10.10.10.10, SSH, www.app1.com)
• Create a NAP rule with higher priority (lower Order) than the previous rule; note that the Order number of existing rules adjusts automatically
• Uses the predefined Non-Web Application Object for SSH
• Use the Business Hours Schedule Object to define when the rule is valid
• Action = Accept and process for inspection
• Log packet if it matches Rule #10
• Traffic is still monitored using the Default IPS Object

Use Case – Excluding Traffic from Inspection
Scenario 3 – Filtering traffic from a vulnerability scanner
Topology: Scanner (10.10.10.2) -> XGS -> SRV1 (10.10.10.10, SSH, www.app1.com)
1. Create an IPS Object with Protection Level None (the Blank Policy)
2. Create a NAP rule with higher priority (lower Order) than the default rule; Action = Accept
3. Set the Inspection Object to the Blank Policy
Changes are applied automatically.

Use Case – IPS Event Filters
Scenario 4 – Filtering a Security Event
Topology: Internal Network (192.168.1.0/24) -> XGS -> SRV1 (10.10.10.10, SMB, www.app1.com); event SMB_Empty_Password
1. Select the Security Events to be ignored from inspection
2. Create a Network Object of type Address Subnet
3. Create an IPS Event Filter rule with the Ignore action, applied to any type of traffic

Use Case – Custom IPS Objects
Scenario 5 – Managing custom IPS Objects
Topology: Internal Network (192.168.1.0/24) and 3rd Party Network (10.10.100.0/24) -> XGS -> SRV1 (10.10.10.10, SMB, www.app1.com)
• Create a Network Object of type Address Subnet
• Create an IPS Object with Protection Level Paranoid
• Create a NAP rule with higher priority than the default rule, with the Paranoid inspection object

Use Case – Monitoring Malicious Activity
Scenario 6 – Monitoring malware activity
Topology: Internal Network (192.168.1.0/24) -> XGS -> Malware
1. Create an IP Reputation Object with category Malware; adjust the threshold so that the X-Force score must be 80% or more for the rule to match
2. Create a NAP rule with higher priority (lower Order) than the default rule
   • Action = Accept and process for inspection
   • Apply a Paranoid inspection policy
   • Log packet if it matches Rule #10

Deployment Scenarios – One Policy Multiple Environments
Scenario 6 – One global IPS policy across multiple environments
Topology: Customer Network 1 (XGS) and Customer Network 2 (XGS), managed by SiteProtector in NEW YORK
• Create a custom IPS Object policy to use across all environments
• Create a Network Access policy at the top level to accept all traffic and inspect it using the custom (or Default) IPS Object
• Create custom IPS Event Filter policies for tuning, based on the requirements of each environment, using the same custom (or Default) IPS Object

Questions for the panel?
Now is your opportunity to ask questions of our panelists.
To ask a question now:
• Press *1 to ask a question over the phone, or
• Type your question into the SmartCloud Meetings chat
To ask a question after this presentation: you are encouraged to participate in our dW Answers XGS forum topic, "How do I deploy and configure the XGS?"
URL: https://developer.ibm.com/answers/questions/190147/how-do-i-deploy-andconfigure-the-xgs.html

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
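Worked example for the Network Access Policy slides and use-case Scenarios 1 to 3 above: a first-match model of how NAP rules with Source/Destination address objects, an application object, a schedule, an action and an inspection object combine once they are ordered. This is an added illustration written for this page, not XGS product code; the address objects (PC1, SRV1, SCANNER), the "Business Hours" window of 09:00 to 17:00, the rule names and the dictionary returned by evaluate() are constructed for the example. It goes slightly beyond the slides by stacking all three scenarios into one policy, which shows why the slides insist on "higher priority (lower Order)": the business-hours monitoring rule sits above the block rule, so the same PC1-to-SRV1 SSH flow is accepted and inspected during business hours and rejected outside them.

```python
"""First-match evaluation of Network Access Policy (NAP) rules.

Added example, not XGS code. Address objects, schedule, rule names and the
result dictionary are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Address objects built from the slide topologies (constructed sample values).
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "PC1": ["10.10.10.1/32"],
    "SRV1": ["10.10.10.10/32"],
    "SCANNER": ["10.10.10.2/32"],
    "ANY": ["0.0.0.0/0"],
}

# Schedule objects as (start_hour, end_hour); a rule with no schedule is ALWAYS.
SCHEDULES = {"Business Hours": (9, 17)}  # assumed window, not from the slides


@dataclass(frozen=True)
class NapRule:
    order: int                  # lower Order = higher priority
    name: str
    source: str                 # address object name
    destination: str            # address object name
    application: Optional[str]  # non-web application object, None = any
    action: str                 # "Accept", "Reject" or "Drop"
    inspection: Optional[str]   # IPS object applied to Accepted traffic
    schedule: Optional[str]     # schedule object name, None = ALWAYS
    log: bool                   # whether a Log response is attached


def address_matches(object_name: str, ip: str) -> bool:
    """True if ip falls inside any network of the named address object."""
    return any(ip_address(ip) in ip_network(net) for net in ADDRESS_OBJECTS[object_name])


def schedule_active(schedule_name: Optional[str], hour: int) -> bool:
    """A missing schedule object means the rule is always active."""
    if schedule_name is None:
        return True
    start, end = SCHEDULES[schedule_name]
    return start <= hour < end


def evaluate(rules: List[NapRule], src_ip: str, dst_ip: str,
             application: str, hour: int) -> Dict[str, object]:
    """Return the decision of the first rule (by Order) that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not address_matches(rule.source, src_ip):
            continue
        if not address_matches(rule.destination, dst_ip):
            continue
        if rule.application is not None and rule.application != application:
            continue
        if not schedule_active(rule.schedule, hour):
            continue
        return {
            "rule": rule.name,
            "action": rule.action,
            # An inspection object only applies to traffic that is Accepted.
            "inspection": rule.inspection if rule.action == "Accept" else None,
            "logged": rule.log,
        }
    raise LookupError("no rule matched; the default any/any rule should prevent this")


# Policy assembled from Scenarios 1 to 3 on top of the default rule.
POLICY = [
    NapRule(1, "Scanner exclusion", "SCANNER", "SRV1", None,
            "Accept", "Blank Policy", None, False),             # Scenario 3
    NapRule(2, "Monitor SSH in business hours", "PC1", "SRV1", "SSH",
            "Accept", "Default IPS", "Business Hours", True),   # Scenario 2
    NapRule(3, "Block PC1 to SRV1", "PC1", "SRV1", None,
            "Reject", None, None, True),                        # Scenario 1
    NapRule(4, "Default", "ANY", "ANY", None,
            "Accept", "Default IPS", None, False),              # default rule
]


if __name__ == "__main__":
    for src, app, hour in [("10.10.10.1", "SSH", 10), ("10.10.10.1", "SSH", 20),
                           ("10.10.10.2", "SSH", 3), ("10.10.10.50", "HTTP", 12)]:
        print(src, app, hour, evaluate(POLICY, src, "10.10.10.10", app, hour))
```

Running the block prints the four sample flows: the business-hours SSH flow lands on rule 2 and is inspected with the Default IPS object, the same flow at 20:00 falls through to the Reject rule, the scanner is accepted with the Blank Policy and no log, and an unrelated host hits the default rule. Swapping the Order of rules 2 and 3 makes the block rule shadow the monitoring rule entirely, which is the ordering mistake the slides warn about.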