PowerSC AIX VUG. Stephen Dominguez June 2018

Transcription

1 PowerSC AIX VUG Stephen Dominguez June 2018

2 Agenda 1. Introduction to PowerSC 2. What s new in PowerSC Demo 4. Closing 2

3 Introduction to PowerSC 1.2

4 Are We Losing The Battle? Ed Skoudis (Renown Network Penetration Expert) In my last 25 years in information security: (In response to this question) We are a lot more secure in absolute terms than we were 25 years ago, but here s the problem, the bad guys have also been getting better. The industry, relative to the bad guys, is not keeping up. SANS Webcast 1/9/2018 Rate of improvement of the capabilities of attackers Rate of improvement of defenses in the industry

5 Center for Internet Security (CIS) 20 Critical Security Controls CIS 20 Critical Security Controls 1. Inventory of Authorized & Unauthorized Devices 11. Secure Configuration for Network Devices 2. Inventory of Authorized & Unauthorized Software 12. Boundary Defense 3. Secure Configuration for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers 13. Data Protection 4. Continuous Vulnerability Assessment & Remediation 14. Controlled Access Base on the Need to Know 5. Controlled Use of Administrative Privileges 15. Wireless Access & Control 6. Maintenance, Monitoring, & Analysis of Audit Logs 16. Account Monitoring & Control 7. and Web Browser Protections 17. Security Skills Assessment & Appropriate Training to Fill Gaps 8. Malware Defenses 18. Application Software Security 9. Limitation and Control of Network Ports, Protocols, and Services 19. Incident Response Management 10. Data Recover Capability 20. Penetration Tests & Red Team Exercises 5

6 What is PowerSC Graphical User Interface? Web-based interface for centralized security monitoring & administration for AIX, RHEL, and SLES endpoints Releases: , , and Initial release only provides security hardening Subsequent releases have been adding additional features It is completely and fully relevant to all AIX organizations, including traditional data centers and all Cloud environments IMHO, It is the most important security functionality ever released for AIX 6

7 Additional PowerSC Components 7

8 PowerSC GUI Terms Deep integration Base product Compatibility Check Security Control PSCXPERT 8

9 9

10 What Does it Look Like? 10

11 What does it do? Apply, check, and remove a configurable set of security controls for one or more partitions Organize partitions with user-defined groups Provides separation of duties via administrative access control Provides a configuration editor for customizing security profiles Provides highly granular configuration options to handle simple to extremely complex AIX environments Provides deep integration with AIX Trusted Execution & PowerSC Real Time Compliance Provides extensive reporting options 11

12 Compliance Failure 12

13 Profile Editor 13

14 Group Editor 14

15 Scalability Scalability is EXCELLENT Excellent performance for up to 500 endpoints Performance possible with 1000 endpoints when using small groups Subsequent releases are providing performance improvements Lab Services can provide specialized services to assist with tuning UI Server performance 15

16 Dashboard 16

17 What s New in PowerSC 1.2

18 Extended Platform Support Centrally manage Security and Compliance on Linux on Power endpoints. Support for endpoints running SUSE Linux Enterprise Server 12 SP3 and Red Hat Enterprise Linux Server 7.4. Monitoring of Auditd on SLES and RHEL endpoints 18

19 New Compliance Profile Support for the new European standard General Data Protection Regulation (GDPR) for AIX and Linux endpoints. With this a PowerSC Administrator can help support the GDPR compliance standard from an infrastructure standpoint, providing streamlined data governance and compliance related to processing of personal data. 19

20 PowerSC GUI PowerSC GUI supports communication between all PowerSC GUI agents and the PowerSC GUI server through a single channel by using a SOCKS proxy server. Communication by using a SOCKS proxy server makes it easier to control your security configuration. Support added to optionally encrypt s generated by the PowerSC GUI server providing additional security. Support added for viewing the date that a security keystore certificate for an endpoint expires. With the ability to track this expiration date, administrators can ensure continuous monitoring of endpoints. Expanded support for custom profiles. You can now view the details of a rule and change one or more of the rule arguments, including rule names and description values. Enhancements to the Security page of the PowerSC GUI streamline and improve your ability to monitor endpoints in real time. 20

21 Reporting Added a new interactive timeline report of security, compliance, and patch status events for endpoints. A Power System administrator can better support compliance audits with the new interactive timeline report that gives detailed current and historical information. 21

22 Trusted Network Connect & Patch Management (TNC) Support for TNC verify and update processes has been added to the PowerSC GUI. This integration enables more visible monitoring and streamlined patch management. Added Interim Fix (ifix) support for VIOS systems. TNC can patch VIOS servers with ifixes as soon as they are published. Added the ability to patch systems with a group of interim fixes and APARs specified in an ifix or APAR group. In addition to applying Service Pack (SP) updates, you can now apply Technology Level (TL) updates on TNC clients. Extended support for policy based updates. TNC can now update clients based on what is defined in the policy on the TNC server. Improved the psconf command so that now you can pull information from the TNC Patch Management repository from the TNC server. 22

23 REST APIs Added support for REST APIs improving the ability to integrate PowerSC into existing automation processes.. 23

24 Scalability Scalability for more endpoints per PowerSC GUI server including leveraging the REST APIs. Scalability for multiple TNC servers (support multiple NIM servers).. 24

25 Demo

26 Closing

27 Additional IBM Lab Services AIX Security Services 27

28 IBM Systems Lab Services & Training - Power Systems Services for AIX, i5os, and Linux on Power PowerCare Eligible SLES Security Assessment for SAP HANA Database systems are by nature very lucrative targets for hackers and must therefore be protected. In December 2017, SUSE released their SLES security hardening guide for SAP HANA. This service is a security health check to ensure that you are utilizing these security hardening recommendations. The security of the underlying operating system is at least as important as the security of the SAP HANA database. Many hackers target the operating system in order to gain access to attack the running database application. These are the main features of this service: At least one SLES partition is assessed A set of documents detail the results of the assessment The assessment only reads existing security settings i.e. no settings are altered on the assessment partition(s) In addition to security settings recommended by SUSE specifically for SAP HANA, additional settings assessed include, but are not limited to: 1) General SUSE security recommendations for SLES 2) US National Security Agency recommendations for Linux No sensitive data is collected in the security assessment Great way to verify your existing security tooling is truly comprehensive Customer runs a data collection script on a SLES partition; data is encrypted and sent to consultant for analysis and report generation An excel spread sheet will be provided that will indicate th e re su lt o f e a ch se cu rity se ttin g b e in g a sse sse d.

29 Security Assessment Findings The primary deliverable for this service is the SLES Security Assessment Findings document. Close to one hundred security settings are detailed in this report. Many customers utilize this document as a security build guide for their SLES partitions running HANA. Each setting is detailed with the following: 1. Description describes the setting. Provides an explanation of why the setting is important. 2. Finding Indicates whether or not a particular setting is being utilized. If a setting is not utilized a security risk rating will be indicated to describe the degree of security risk related to not using the recommended setting. 3. Recommendation Details how to remediate the setting if the setting is not being utilized. Deliverables The following documents are provided in this service: 1. Security Assessment Findings this PDF details the results of the assessment. Close to 100 settings are detailed in this document. 2. Heat Map provides a one page view of the results of the assessment. The heat map includes a risk rating indicating the results of each setting being assessed. 3. Executive Summary OPTIONAL a short summary of the results of the assessment designed to be presented to your executive management W hitelist w ith at.allow is an exam ple of one of the settings that gets assessed. For each setting, a description, finding and recommendation is provided. Service Options These are the three standard delivery options, listed in order of customer preference: 1. Findings Delivered Locally all data collection and generation of deliverables is done remotely by the consultant; however, the consultant will travel to the customer site to spend a day discussing the findings with the customer. 2. Fully Remote all data collection, generation of deliverables and delivery of findings via WEBEX is done remotely by the consultant 3. Fully Local all data collection, generation of deliverables and delivery of findings are done locally at the customer site Please contact Stephen Dominguez, sdoming@us.ibm.com, to arrange a conference call to discuss arrangement of services Terms and Conditions: Actual Tasks, Deliverables, Service Estimates,,and travel requirements vary with each client s environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc, will be presented for your approval and signature. IB M S y s te m s L a b S e rv ic e s & T ra in in g - Power Systems Services for AIX, i5os, and Linux on Power PowerCare Eligible Erin M. Hansen - PowerCare Opportunity Manager erinh@us.ibm.com Linda Hoben Opportunity Manager hoben@us.ibm.com Stephen Brandenburg Opportunity Manager sbranden@us.ibm.com

30 Thank You! Feel free to contact me in the future: Stephen Dominguez blog: You can find full descriptions of our services at: 30