GX vs XGS: An administrator s comparison of the two products

Transcription

1 : An administrator s comparison of the two products Panelists Bill Klauke IPS Product Lead, Level 2 Support Matthew Elsner XGS Development Yuceer (Banu) Ilgen XGS Development Jeff Dicostanzo AVP Support Engineer Eddie Leisure Level 2 Support Engineer Tin Kam Software Development Engineer, Level 3 Jody Hasten Support Level 3 Manager Thomas Gray Manager, Level 2 Support Reminder: You must dial into the phone conference to listen to the panelists. The web cast does not include audio. USA: Canada: Participant Passcode:

2 : Feature Comparison 2

3 : Feature Comparison CPU Hard Drives Protection Ports Hardware Comparison Mostly single core GX7 uses 2 multi-core, multithreaded CPUs GX4 uses a single HD GX5/7 use a pair of standard HD in RAID 4, 8, & 16 port configurations Copper and SFP ports All processors are multi-core, multithreaded 3100 uses a single HD 4100/5100 use a single SSD 4 built-in copper ports Expansion card slots available on the 4100/5100 Expansion cards available with 2, 4, & 8 ports. Copper, SFP, and fixed fiber avail. Bypass Capabilities GX4 has built-in bypass GX5 & 7 require external bypass Built-in ports have bypass Most expansion cards have built-in bypass 3

4 : Feature Comparison Unique Features Snort engine User-defined Event rules SNMP Health Monitoring Tcpdump Application-based rules IP Reputation Data Integration URL Filtering Geolocation objects available SSL Decryption and Inspection User Authentication for HTTP 4

5 : Accessing the Appliance 5

6 : Accessing the Appliance General Access Access LMI with admin account Access LMI with admin account Access command line with root or admin Remote users can be given admin or read-only access to the LMI and command line Access command line with admin only Browser Requirements Java JRE 1.6 or 1.7 No Java JRE required! Internet Explorer 8,9,10, & 11 Internet Explorer 10 & 11 Firefox ESR 24 Firefox 28 Google Chrome 34 6

7 : Accessing the Appliance Configure Network Settings Configure Passwords Backup and Restore Configure Agent Name Configure Time Unavailable Command-line Interface Menu Configure Network Settings Configure Passwords Backup/swap the appliance partition Unavailable (LMI Only) Regenerate the signing certificate View fixpack info, install, & rollback Show license info, install licenses Show interface info such as speed, duplex, & up/down status View and delete active sessions Work with policy snapshots Work with support files Nslookup, ping, telnet, and traceroute tools View and install FW and XPU updates Rollback Security Updates 7

8 : Administering the Appliance 8

9 : Administering the Appliance SiteProtector Policy Editor Utilizes the built-in JRE in SiteProtector Policy Editing Is dependant on Internet Explorer settings. Mis-configured advanced settings and proxy settings in IE can cause the editor to fail to open. Rule Creation Responses Available Allows direct input of IP addresses, networks, vlans, etc SNMP Quarantine Log Evidence Local logging User-defined Requires use of policy objects When working with Remote Identity objects, LDAP and AD queries are performed by the XGS, even if using the SiteProtector Console. SNMP Quarantine Capture packets Local Logging Remote syslog 9

10 : Administering the Appliance Shared Objects Usage These policies are shared among all appliances using the same policy repository in SiteProtector. Policy Editing Response Objects Protection Domains X-Force Virtual Patch Intrusion Prevention Policy (direct access) Remote Directory Servers (direct access) Address Geolocation Address Group Collection Address Host Address List Address Mask Address Range Application Group Object Domain Certificate Categories Domain Certiifcate Lists IP Reputation Categories IPS Event Filter Service Local Identity Logdb Non-Web Application Packet Capture Quarantine Remote Identity Rsyslog Schedule Objects SNMP URL Categories URL Lists Web Application 10

11 : Administering the Appliance Adapter Policy Configuration Protection Mode Speed & Duplex Report Link Status TCP Reset port Unanalyzed Policy Propagate Link Settings HA Protection Mode Policy Editing Similar options as the GX plus the following: Port Enabled/Disabled MTU Size IPv4/IPv6 address assignment for use with SSL decryption and the User Authentication Portal. Methods to exempt traffic from inspection Use firewall rules with Ignore option Use the pam.report.filterall or pam.report.filter.<issueid> parameter Event Filters Create NAP rules with an Accept Action specified and no inspection object selected. Use the pam.report.filterall or pam.report.filter.<issueid> parameter (causes alpsd restart) Event Filters 11

12 : Administering the Appliance Firewall / Network Access Policy Events Creating Logged Events Provides a log option per rule which writes events to a text file. Events are not sent to SiteProtector Events can be viewed in the LMI Provides a local log option and a remote syslog option Events are sent to SiteProtector Events can be viewed in the LMI Note: Use caution a simple rule could easily flood the events database Intrusion Prevention Events Display setting is used per event to control if events are generated. Events can be forwarded via LEEF logging (syslog) Events are sent to SiteProtector and can be viewed in the LMI. Provides a local log option and a remote syslog option per policy object. Individual events can be configured via Event Filter rules. Events are sent to SiteProtector and can be viewed in the LMI. 12

13 : Administering the Appliance Licenses Available Licensing and Updates Single license for each appliance that enables XPU and firmware updates Firmware and X-Force Content: Enables firmware and XPU updates Application Control: Enables URL Category and Web Application updates Flexible Performance: Enables configuration of appliance performance levels. When the level is increased, it makes more resources available for analysis. IP Reputation: Enables IP Reputation database updates SSL Inspection: Enables the appliance to inspect encrypted connections 13

14 : Administering the Appliance License usage: Licensing and Updates Will consume a single license unit in SiteProtector once registered. The Firmware and X-Force Content license will be pulled from SiteProtector once registered. Application Control license will be consumed if a rule is present with an Application Object or the Application Database Settings policy is set to auto update. Flexible Performance license will be consumed if the Flexible Performance level is increased. IP Reputation license will be consumed if a rule is present with a Geolocation address object or an IP Reputation application object, or if the Application Database Settings policy is configured to auto update. SSL Inspection license will be consumed if a rule with a Decrypt action is present in either of the two SSL Inspection policies. 14

15 : Administering the Appliance Downloading updates Licensing and Updates Can download firmware and security content (XPU) updates from the internet or through SiteProtector Can download firmware and security content (XPU) updates from the internet or through SiteProtector Installing Updates Rolling back updates Firmware and XPU updates can be installed via the LMI or the command line using lumctrl when logged in as root Security content updates can be rolled back via the LMI or the lumctrl command when logged in as root. Fixpacks can be uninstalled via command line only when logged in as root. Rolling back a firmware requires restoring a full system backup. Application Control and IP Reputation updates can only be downloaded through a direct internet connection. Firmware and XPU updates can be installed via the LMI or the command-line interface. Application Control and IP Reputation updates require use of the auto update feature. They cannot be manually updated. Security content updates and fixpacks can be rolled back via the command-line interface only Rolling back a firmware update requires swapping the appliance partitions. IP Reputation and Application Control updates cannot be rolled back. 15

16 : Administering the Appliance Backing up policies Backing up the Appliance SiteProtector will store backups of policies. If not using SiteProtector, only a full system backup can be used. SiteProtector will store backups of policies Snapshots can be created in the LMI that store policy configuration info. Snapshots can be applied to other appliances, but the model and firmware must match. Backing up firmware Appliance is backed up via the command line menu backup option Backup is written to the /restore/0/images folder and can be offloaded The local user database can be backed up via the LMI. The active partition is backed up to the inactive partition via the LMI or command-line interface There is no option to offload the backup partition. 16

17 : Links IBM Knowledge Center IBM developerworks Request for Enhancement Site 17

18 Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others IBM Corporation