IBM Security Network Protection Open Mic - Thursday, 31 March 2016

Transcription

1 IBM Security Network Protection Open Mic - Thursday, 31 March 2016 Application Control and IP Reputation on the XGS Demystified Panelists Tanmay Shah, Presenter IPS/Network Protection Product Lead Bill Klauke - IPS/Network Protection Product Lead Jeffrey DiCostanzo AVP Leader Moazzam Khan L3 Engineer Satishchandra Bhandurge L2 and AVP Edward Leisure L2 Knowledge Leader Thomas Gray, Moderator Level 2 Support Manager Reminder: You must dial-in to the phone conference to listen to the panelists. The webcast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Agenda Application Control Overview and Configuration Use Cases Things to remember IP Reputation Overview and Configuration Use Cases Things to remember IBM X-Force Exchange/AppLoupe 2

3 Application Control Overview and Configuration

4 Application Control Overview and Configuration Application control feature allows security administrators to achieve visibility into web applications and non-web applications being used in their environments. Using network access policy, an administrator can have a granular control of identified applications for specific groups, individuals or network segments. Application control also includes ability to filter/whitelist http/https URLs. This is a licensed feature. A valid license allows the appliance to update the application and URL category database. The following types of application objects, when used in network access policy, allow controlling the applications and websites being accessed in a network: Web Applications: various web-based applications grouped in different categories Non-Web Applications: desktop applications / specific ports-protocols URL Categories: http websites grouped in different categories URL Lists: custom http URL list Domain Certificate Categories: https websites grouped in different categories Domain Certificate Lists: custom https URL list IP Reputation: public IP address reputation classification 4

5 Application Control Overview and Configuration continued Configuration for Application Database (as well as IP reputation database) is controlled through Manage Application Database policy on SiteProtector and Application Database Settings under Manage -> Updates and Licensing on LMI 5

6 Application Control Overview and Configuration continued The update server for application database updates is NOT configurable. The configuration only allows to enable Auto Update, Feedback and proxy configuration. XGS s management interface will need internet access, direct or via proxy, to download application and/or IP reputation databases. The following tables lists the domain name and port combinations that should be allowed through the firewall/proxy XGS will submit statistical data from the device to IBM to make IP reputation classification more accurate. If enabled, IP reputation information will be included in IPS events ONLY. Ref Technote:

7 Application Control Overview and Configuration continued Application object creation, modification or deletion is done through Network Access policy. License status and update version/date information can be verified from Manage -> Updates and Licensing -> Overview 7

8 Application Control Use cases

9 Application Control: Use Case-1 Requirement: Allow access to social networking website (http and https) to only Marketing users and blocked for all the other users. Note: These configuration steps assume that a remote active directory server is already integrated with XGS for identity information. 1- Create URL category, Domain Category & Identity objects in the Network Access Policy 9

10 Application Control: Use Case-1 continued Requirement: Allow access to social networking website (http and https) to only Marketing users and blocked for all the other users. Note: These configuration steps assume that a remote active directory server is already integrated with XGS for identity information. 2 - Create outbound ssl inspection rule for domain category object in the Outbound SSL Inspection policy 3 - Create access rules to allow/block access using the objects in the Network Access Policy 10

11 Application Control: Use Case-2 Requirement: Identify and block users and IP addresses using in-secure file transfer protocols like ftp/tftp. Report it as an exception and send to the security admin to take follow up action. 1 - Create a non-web application object for ftp/tftp traffic through the Network Access Policy 2 - Create an alert object through the Network Access Policy 3 - Create an access rule in the Network Access Policy to drop the traffic 11

12 Application Control: Use Case-3 Requirement: Create a whitelist for specific URLs, for specific group of users (C-level), to ensure that those users are able to access certain websites all the time without any IPS inspection for those websites. Note: These configuration steps assume that a remote active directory server is already integrated with XGS for identity information. 1- Create URL List, Domain List & Identity objects in the Network Access Policy 12

13 Application Control: Use Case-3 continued Requirement: Create a whitelist for specific URLs, for specific group of users (C-level), to ensure that those users are able to access certain websites all the time without any IPS inspection for those websites. 2 - Create an outbound ssl inspection rule for the https websites added in the domain list object 3 Create an access rule in Network Access Policy to whitelist the websites 13

14 Application Control Things to remember

15 Application Control: Things to remember XGS will only identify applications if the network access policy has at least one rule based on application object(s). The update server configuration in Manage -> Updates and Licensing -> Update servers is irrelevant to application database updates. That also means that application database can not be updated through SiteProtector XUS. The use of large URL Lists can cause latency. To minimize the latency, limit the URL Lists to 10,000 characters or less AND use no more than one of these large URL Lists in a single NAP rule. Ref Technote# Identifying the application that is in use requires that the sensor allow some packets to pass so that a successful connection can be established. After the connection is established, the XGS can begin analyzing Application Layer traffic. So, for application objects based drop/reject rules, the adjacent devices like firewall may see those initial connection packets. Ref Technote# If the appliance is not able to submit the unknown URLs to IBM, when Enable Feedback option for Application Database is enabled, it may result in higher disk utilization. This, in turn, could have an impact on the appliance memory utilization. This happens because the feedback information is stored in many small files on the appliance. Though we recommend to not enable this option, if you still want to keep it enabled, ensure to monitor disk utilization. If you observe an abnormal increase, please disable the option immediately and get in touch with IBM support to receive and install a patch, which will clear those temporary files and make the disk space available. 15

16 IP Reputation Overview and Configuration

17 IP Reputation Overview and Configuration Depending upon the activity a malicious public IP address inflicts, IBM X-Force team classifies them as Spam, Anonymous Proxies, Dynamic IPs and/or Malware (described below) and assigns a score in the range of 1 to 100, where the higher value represents bad reputation. The geographical location (country) of the IP address is also identified and recorded. Anonymous Proxies - This category contains IP addresses of Web proxies (websites that allow the user to anonymously view websites). Furthermore, IP addresses are listed that can be used directly to surf anonymously (e.g. by adding them to the browser configuration). Botnet Command and Control Server - This category contains IP addresses that host a botnet command and control server. Dynamic IPs This category contains IP addresses of dialup hosts and DSL lines. Malware This category lists IP addresses of malicious websites or malware-hosting websites. Scanning IPs These IP addresses that have been identified as illegally scanning networks for vulnerabilities. Spam This category lists IP addresses that have been observed sending out spam. 17

18 IP Reputation Overview and Configuration continued It allows configuring threshold for these categories to control policy enforcement for the related traffic. It is a licensed feature. XGS appliance maintains a database of such malicious IP addresses, their location, the classification and the score. This database must be updated continuously, to ensure that the device has the latest and most accurate information. IP reputation feature on the XGS appliance is controlled by Application Database Settings policy on the LMI under Manage System Settings -> Updates and Licensing OR Manage Application Databases policy through SiteProtector (already discussed in previous section). 18

19 IP Reputation Overview and Configuration continued IP Reputation/Geo location object creation, modification or deletion is done through Network Access policy. License status and update version/date information can be verified from Manage -> Updates and Licensing -> Overview 19

20 IP Reputation Use cases

21 IP Reputation/Geo location: Use Case-1 Requirement: After enabling IP reputation, based on monthly reporting it was identified that there has been a significant increase in number of attacks from Sudan. We have some resellers there so we cannot block the traffic completely but we would like to have a stricter IPS policy configuration for all the traffic originating from Sudan. 1 Create a new Inspection object with protection level paranoid through IPS policy or Network Access Policy 2 Create a geolocation object through Network Access Policy 3 Create a NAP rule to apply the IPS policy to traffic originating from Sudan 21

22 IP Reputation/Geo location: Use Case-2 Requirement: Internal network users in the network should not be able to access any known anonymous proxies or IP addresses which are known/unknown anonymizers. 1 Open Network Access Policy 2 Create an IP Reputation object 3 Create a NAP rule to drop all the traffic destined to IP addresses having score of 95 or above for Anonymous Services 22

23 IP Reputation/Geo location: Use Case-3 Requirement: Ensure that no known malware IP addresses are able to target our network by exploiting any known or unknown vulnerabilities. 1 Create a new Inspection object with protection level paranoid through IPS policy or Network Access Policy 2 Create an IP Reputation object through Network Access Policy 3 Create a NAP rule to apply paranoid policy to or from known malware IP addresses in Network Access Policy 23

24 IP Reputation Things to Remember

25 IP Reputation: Things to remember IP Reputation information is only populated for IPS events. If an IP address has reputation information populated in SiteProtector database through IPS events, network access events, in that case, will have that information available as well. Ref Technote# If a lower score threshold is configured in an IP reputation object, as a best practice, always start with detection rule (with action accept and response event log). Monitor events after the rule is created. After verifying the events, either fine tune the rule to increase the score OR change the action to drop/reject. Identifying the application that is in use requires that the sensor allow some packets to pass so that a successful connection can be established. After the connection is established, the XGS can begin analyzing Application Layer traffic. So, for application objects based drop/reject rules, the adjacent devices like firewall may see those initial connection packets. Ref Technote#

26 IBM X-Force Exchange/AppLoupe

27 IBM X-Force Exchange/AppLoupe IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest global security threats, aggregate actionable intelligence and collaborate with peers. It allows administrators to verify the current and historical IP classification reputation score for public IP addresses. You can also verify the latest URL classification for a URL. To report a false positive or false negative applications, URLs or IP addresses, visit and click Feedback then Give Feedback on AppLoupe 27

28 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the IBM Connections Cloud Meeting chat To ask a question after this presentation: You are encouraged to participate in our Forum topic about this: 28

29 Where do you get more information? Questions on this or other topics can be directed to the product forum: More articles you can review: IBM developerworks article on XGS IP Reputation Use Cases: IBM Knowledge Center: Useful link: How to Contact IBM Software Support for IBM Security IBM Support Portal Sign up for My Notifications Follow us: 29

30 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.