IBM SECURITY NETWORK PROTECTION (XGS)

Transcription

1 IBM SECURITY NETWORK PROTECTION (XGS) IP Reputation Use cases and more Tanmay Shah Product Lead IBM Security Network Protection

2 Contents Introduction... 2 Audience... 2 IP Reputation Feature in XGS... 2 Basic Configuration... 3 Use cases... 7 IPS policy based on the geolocation Blocking traffic based on the geolocation... 9 Blocking traffic based on the reputation score... 9 IPS policy based on the reputation score How to verify the IP reputation score or geolocation? How to submit feedback if a false positive or a false negative is identified? Recommendations & Facts References

3 Introduction Data breaches are becoming more common than ever before. Sony Pictures Entertainment and JP Morgan Chase & Co. are just a few examples of the most publicized data breaches in According to a recent study by IBM and Ponemon Institute, the average total cost of a data breach is $3.52 to $3.79 million. Apart from the cost, the damage to reputation is another major factor which is driving the security discussion at board level. Attacks are becoming more sophisticated and traditional security technologies including detection/prevention approaches are really struggling. IBM Security Network Protection (XGS) appliances are the next generation IPS appliances - part of IBM s threat prevention strategy which focuses on threat detection, prevention and response against today s most complex attacks. One of the cutting edge technologies that are included with the XGS appliances is IP REPUTATION feature. This addresses the following issues, How to identify that the outside hosts, communicating to most critical assets inside a network through the Internet are safe? How to evaluate all these incoming requests? How to ensure that outbound connections from a network are connecting to a trusted good websites and IP addresses? IBM s XForce team categorizes 800K+ suspect IP addresses in different categories, such as Malware hosts, Spam sources, Anonymous proxies and Dynamic IP addresses along with their geographical location. This document intends to describe the IP reputation feature in IBM Security Network Protection appliances and some of the common use cases it addresses. Audience The target audience for this document are the Security Administrators/Security Analysts in a SOC (Security Operations Centre) / NOC (Network Operating Centre) environments, responsible for monitoring and protecting the network against malicious attacks using IBM Network Security Protection. IP Reputation Feature in XGS This is a separately licensed feature and hence a valid licenses will have to be purchased and installed on the device. Depending upon the activity a malicious public IP address inflicts, IBM X-Force team classifies them as Spam, Anonymous Proxies, Dynamic IPs and/or Malware (described below) and assigns a score in the range of 1 to 100, where the higher value represents bad reputation. The geographical location (country) of the IP address is also identified and recorded. Anonymous Proxies - This category contains IP addresses of Web proxies (websites that allow the user to anonymously view websites). Furthermore, IP addresses are listed that can be used directly to surf anonymously (e.g. by adding them to the browser configuration). 2

4 Botnet Command and Control Server - This category contains IP addresses that host a botnet command and control server. Dynamic IPs This category contains IP addresses of dialup hosts and DSL lines. Malware This category lists IP addresses of malicious websites or malware-hosting websites. Scanning IPs These IP addresses that have been identified as illegally scanning networks for vulnerabilities. Spam This category lists IP addresses that have been observed sending out spam. This feature allows configuring threshold for these categories to control the policy enforcement for the related traffic. The policy will only be applicable when the source or destination IP address in the traffic has been categorized in one of the IP Reputation categories and the score is equal to or greater than the specified threshold. XGS appliance maintains a database of such malicious IP addresses, their location, the classification and the score. This database must be updated continuously to ensure that the device has the latest and most accurate information. Basic Configuration How to enable or disable the feature? IP reputation feature on the XGS appliance is controlled by Application Database Settings policy on the LMI under Manage System Settings -> Updates and Licensing OR Manage Application Databases policy through SiteProtector. 3

5 IP reputation database updates are by default set to Auto Update. The updates will only work if a valid IP reputation license is installed. Enable Feedback option, if enabled, will submit statistical data from the device to IBM to make IP reputation classification more accurate. This data does not have any personal or confidential information about the network in which device is running. Include IP Reputation Info option, if enabled, will include IP reputation information in IPS Events. How to ensure that IP reputation information is always accurate to minimize false positives or false negatives? To keep the IP reputation database up to date, the device s management interface will need internet access, either direct or via proxy. It connects to following URL/IPs on port 443 to pull updates. Domain name IP Address Port update.xforce-security.com , , license.xforce-security.com , , Refer IBM Knowledgebase article

6 How to identify that my IP reputation database is up to date? Update overview page under Manage -> Updates and Licensing shows the status of the IP reputation database update as shown below. To control the traffic based on either geolocation or reputation of an IP address, an object of either type has to be created and used in a rule in network access policy. How to create an object? The object creation, modification or deletion is done through Network Access Policy (NAP) under Secure Policy Configuration -> Policies on LMI or SiteProtector. In network access policy, under network objects, click on New-> Address -> Geolocation and New-> Application-> IP Reputation Category to create a geolocation and reputation object respectively. 5

7 Geolocation object configuration Provide a name and select a country or multiple countries. 6

8 IP Reputation Object Configuration Provide a name and enable the categories along with the score for that category. The reputation score represents the probability percentage that an IP address belongs to certain category. By default, a negative IP reputation rating is one greater than 50%. Use cases IPS policy based on the geolocation. Example Scenario: We forward all our IPS events with reputation information to our SIEM. Location based reporting suggests that there has been a significant increase in number of attacks from Sudan. We have some resellers there so we cannot block the traffic completely but we would like to have a stricter IPS policy configuration for all the traffic originating from Sudan. Configuration: Step-1: Create an IPS object with x-force protection level set to Paranoid 7

9 Step-2: Create a geolocation object (as discussed in previous section Basic Configuration) and use that object in NAP rule to allow the traffic but inspect it against the IPS object we created in Step-1. Step-3: Deploy all the policy changes. 8

10 Blocking traffic based on the geolocation Example Scenario: According to x-force s recent quarterly threat report, the TOP 5 countries from where attacks are originating are Afghanistan, Algeria, Angola, Bahamas and Bangladesh. We do not do any business in these countries. We would like to block all the traffic initiated from these countries to our organization network and we also do not want our users to access any websites or servers hosted in these countries. Configuration: Step-1: Create a geolocation object (as discussed in previous section Basic Configuration) and use that object in NAP rule to block the traffic originating from these countries. Step-2: Deploy all the policy changes. Blocking traffic based on the reputation score Example Scenario: Internal network users in my network should not be able to access any known anonymous proxies or IP addresses which are known to provide anonymization services. 9

11 Configuration: Step-1: Create an IP reputation object (as discussed in previous section Basic Configuration) and use that object in NAP rule to block the traffic destined to anonymization service providers. Note: The source and Destination network objects can be any or created based on the subnets, address ranges or adapters. Step-2: Deploy all the policy changes. IPS policy based on the reputation score Example Scenario: We want to ensure that no known malware IP addresses are able to target our network by exploiting any known or unknown vulnerabilities. Configuration: Step-1: Create an IPS object with x-force protection level set to Paranoid 10

12 Step-2: Create an IP reputation object (as discussed in previous section Basic Configuration) and use that object in NAP rule to allow the traffic but inspect it against the IPS object we created in Step-1. 11

13 How to verify the IP reputation score or geolocation? Visit OR specify the IP address and click on search. Example: How to submit feedback if a false positive or a false negative is identified? Visit and click on Give Feedback option at the top. Click on Submit a New IP link and it will bring up following screen. Provide all the details and submit. Once submitted, our IP reputation database team with provides the feedback on the given address. 12

14 Recommendations & Facts How to go about configuring some or all of the use cases discussed above? 1. Ensure that a valid IP reputation license is installed. 2. Enable the IP Reputation feature as explained in Basic Configuration. 3. Depending upon your centralized monitoring/reporting application (SIEM or SiteProtector), analyze the reputation information in IPS events and identify patterns like, What were the source countries from where maximum IPS attacks were seen? What classification of source/destination IP addresses are seen in IPS attack events? How to do this using SiteProtector? Step-1: Login to SiteProtector console and open Analysis tab. The events in Event Analysis Detail view will look like this. Note that reputation columns will have to be added in the analysis view by clicking Add or Remove Columns button. Step-2: Click on at the top and select either of the following views: 13

15 Step-3: Edit any other filters as required, like time or IP location is not private network and click Apply. The results will look something like this. 4. Analyze the data collected in Step-3 and apply any of the use cases discussed in Use cases to configure the device. - A block NAP rule based on IP reputation threshold should have a value which is as close to 100 as possible, to ensure that false positives due to lower score do not cause any business impact. - If a lower score is configured, as a best practice, always start with detection rule (with action accept and response event log). Monitor events after the rule is created. After verifying the events, either fine tune the rule to increase the score OR change the action to drop/reject. - It is recommended to not disable Auto Update option. - IP reputation feature is only designed to populate reputation score and geolocation information in IPS events. So, though a NAP rule can be created based on this feature, the corresponding NAP events will not have either of the information populated when the events are being analysed on SiteProtector OR LMI. Note: reputation and geolocation information can be seen for IP addresses in NAP events where the score for those IP addresses is already available in SiteProtector database through IPS events. Refer IBM Knowledgebase article IP reputation and geolocation information is collected from number of sources like, IBM s own infrastructure including honeynets, spam traps, and web crawlers; open source threat intelligence; strategic agreements we have with organizations that provide threat intelligence. While we continue to evaluate additional sources, internal and external to IBM, it is not possible to integrate any additional data source to this feature. References IBM Knowledge Center: IBM Security Network Protection Support Videos: IBM Security Support Open Mics: IBM Security Network Protection Discussion Forum: IBM Software Support: 14