XGS Administration - Post Deployment Tasks

Transcription

1 IBM Security Network Protection Support Open Mic - 18 November 2015 XGS Administration - Post Deployment Tasks Panelists Tanmay Shah XGS Product Lead, L2 Support (Presenter) Thomas Gray L2 Support Manager (Moderator) Craig Knapik Software Architect Jeffrey Dicostanzo Advanced Value Leader Fadly Yahaya - Security Worldwide A-TEAM Arthur Testa Product Lead, L2 Support Maxime Turlot Product Lead, L2 Support Charles W. Klauke Product Lead, L2 Support Lynn Norman Analyst, L2 Support Moazzam Khan L3 Support Engineer Ed Leisure Knowledge Engineer, L2 Support Steven McKinney Team Lead, L2 Support Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Table of contents / Agenda Administrator Settings Appliance SSL Certificate System Backup/Restore Snapshots Static Routes Updates Types & Facts Configuration Best Practices Common Configuration Errors/Considerations Q&A 2

3 Administrator Settings

4 Administrator Settings Allows configuration of password, login and password policies. Manage -> System Settings -> Administrator Settings on the LMI OR Administrator Settings policy on SiteProtector Note: Default value of 0 disables lifetime, history or lockout feature. 4

5 Appliance SSL Certificate

6 Appliance SSL Certificate Allows management of appliance s default self-signed certificate used for appliance s webserver/lmi. Manage -> System Settings -> Appliance SSL Certificate (cannot be managed through SiteProtector) Summary of steps: 1. Generate a signing request for the appliance 2. Download the signing request and submit it to the CA, to receive the certificate. 3. Upload the new certificate along with CA cert using the upload certificates option. 4. Select the certificate and set it to active. Detailed procedure available here: 6

7 Appliance SSL Certificate An active certificate cannot be changed while the device is registered to SiteProtector. In cases where the 3 rd party CA is a subordinate CA Root CA cert MUST be uploaded first before the subordinate CA certs. all the CA certificates in the chain will have to be installed before you can install the appliance certificate. This is not the certificate that is used for Outbound SSL inspection. 7

8 System Backup/Restore

9 System Backup/Restore XGS has a dual partition firmware update model. Disk is divided in two partitions, with one active at a time. Taking a backup mirrors the active partition, that is, the system state at that point, to the inactive one. Backup/Restore can be done through LMI or CLI. How do I take backup? cli> firmware backup How do I restore? cli> firmware swap_active 9

10 Snapshots

11 Snapshots Allows you to take backup of appliance configuration, which can be stored offline on a different computer and can be restored later as required. A tuning parameter can be used to ignore specific policies before applying snapshot. Name: snapshot.apply.ignore.* Value: 1 * should be replaced by the actual policy name. Policy names can be found under \etc\policies\cml\alps once the snapshot file is extracted. Examples: snapshot.apply.ignore.management_network = 1 Used to prevent the snapshot from modifying management IP address. snapshot.apply.ignore.adapter = 1 Used to prevent possible mismatches in the number of interfaces actually present vs. protection interface policy Best Practices You must use the snapshot.apply.ignore.perf_level parameter when using the snapshot to mirror settings to different appliances. Failure to do so may result in the snapshot failing to apply. A snapshot should not be migrated between appliance models and firmware versions. 11

12 Static Routes

13 Static Routes Static routes on the XGS are used to route traffic to different networks from management and/or protection interfaces. Why do you need static routes? Management interface(s): to route management traffic, in most cases update traffic, through different network than what is being used for management interface. Protection Segment(s): to enable network routers to redirect users to block pages or authentication pages. How do I configure static routes? Manage->Network Settings->Static routes or Static Routes policy on SiteProtector. 13

14 Updates

15 Updates Types & Facts Depending upon the features you intend to use and the license installed on the device, XGS appliances should be kept up-to-date for following update types. Firmware: appliance software updates and fixes XPU: PAM security content updates Application Databases: Updates for URL and web application database updates IP Reputation: IP reputation and geolocation database updates Only firmware and XPU updates can be pulled through SiteProtector. For Application and IP Reputation updates, the device will need internet access (direct or through proxy). Only XPU updates can be initiated from SiteProtector. Only Firmware and XPU updates can be installed manually. They are cumulative so only latest version needs to be installed. Firmware update is installed on the inactive partition. After completion, inactive partition is set to active and device boots from updated partition after reboot. Application and IP Reputation updates are separately licensed. 15

16 Updates Types & Facts. XGS contacts various update servers within the IBM Security Infrastructure in order to receive content and product updates. Specific firewall/proxy rules are required to allow this communication. Without these rules, it is likely that updates will not work. Complete list is available in IBM knowledgebase article # Firwmare and XPU updates require proper network access rules to be in place for the SiteProtector X- Press Update Server IP and/or the XGS Management Interface IP. For application and IP reputation database updates, the rules will have to be in place for both for SiteProtector XUS as well as XGS management IP address. XPU update does not require a downtime but firmware update does, as it reboots the device. 16

17 Updates - Configuration 17

18 Updates - Best Practices Ensure that corresponding SiteProtector Database Update (service pack or content) is installed before updating the firmware or XPU. Download the firmware update package from download centre manually and upload it to the device through LMI or usb for updating the firmware to save the upgrade time. The same option can be used to install XPU update manually, if you wish to. When managing remote XGS appliances, it is recommended to use local server to upload the package over network as the package file can be very large and it could time out/ fail over slow network links. Configuration of XPU/content updates depends on your requirement. To ensure that you get the latest protection, it is always advisable to configure device to install this update automatically. Firmware updates do not require system backup because the they are installed on inactive partition. In case of any issues after upgrade, switching to inactive partition will restore the system to previous working state. Ensure that the active partition on the device is the partition which has the version you want to keep as backup. Example: Active partition is , Inactive partition 5.2 FP12. If you want to keep 5.2 FP12 as your backup partition, you will have swap active partition before upgrade to ensure that upgrade process overwrites partition and not 5.2. Though not mandatory, it is always good to monitor the firmware installation (until reboot) by running following command through command line using the command: logs tail F system Application and IP reputation database should always have Auto Update enabled (default configuration). This is important considering the dynamic nature of the information stored in these databases and its impact on the protection provided by the device. 18

19 Common Configuration Errors/Considerations

20 Licenses and Updates Update Server policy under Manage->Updates and Licensing is only applicable for firmware and XPU update. XGS will only use this update server configuration, IBM update server or SiteProtector, to download firmware and XPU updates. For application and IP reputation database updates, the server is not a configuration option. If the device has to go through a proxy to pull these updates, it will have to be separately configured in Application Database Settings policy. XGS does not apply all the licenses after registration to SiteProtector. This is an expected behaviour. Licenses from SiteProtector are only downloaded and applied if the feature controlled by that license is actively configured to be used. 20

21 Flexible Performance License and Network Interface Module If additional flexible performance license(s) has been purchased, it is always recommended to increase the performance level. This allocates more CPU core(s) to the analysis daemon and hence improves the overall performance of the device. If you have an XGS 5100 appliance with additional NIM(s) installed, the protection segments should be connected to NIMs rather than on-board interfaces. The built-in Ethernet ports use the Intel 82574L Gigabit Ethernet Controller. Due to chip limitations compounded by a DPDK driver, which limits packet distribution to a single logical core, almost all packets passing through these ports are handled by a single logical core. Because of the hardware limitation being constrained to single core, the built-in Ethernet ports disregard the flexible performance settings. 21

22 Network Access policy NAP is an ordered set of stateful rules. Avoid Event Log response on Generic NAP rules which have Accept action. Examples of generic rules: There is an invisible Catch-All rule at the end of NAP policy, which applies default IPS object to all the traffic which hasn t matched any of the existing NAP rules. The default NAP policy has visible catch all rule (see screen capture above), so this invisible rule will only be effective if that rule is deleted or disabled. In cases when the traffic matches this rule you would see IPS events on SiteProtector with rule order n+1, where n is the last rule number in NAP policy. PAM has to wait for certain portion of the connection to get complete, before it can accurately identify an application for the traffic. If you have drop/reject rules in the NAP policy which are based on application object, you might see a successful TCP connection on adjacent devices like firewall. This does not mean that XGS is not blocking the traffic. The connection will be blocked within the first few packets of the actual application being seen. Padlock icon next to various objects, in LMI, indicates that the object is in use (regardless of corresponding rule being enabled or not). In-use object must not be deleted as it will cause errors for the policies which are referencing deleted object(s). Note: SiteProtector policy editor does not show this icon, but it still gives the warning and asks for confirmation. 22

23 Network Access policy It is recommended to not have more than 10,000 characters in a single URL list object. This is not a hard-coded limit but the feature is not designed to match so many custom URLs. We have seen performance impact when NAP rules are configured with a URL object with too many URLs. The URL (DCA) database is optimized for device performance and if there are false positives or negatives, it is recommended to submit feedback (through to get the database updated rather creating objects for the URLs in NAP policy. NAP events, by design do not populate IP Reputation score in the events. However, if a score has been recorded in SiteProtector database for an IP address through IPS events, all the NAP events for that IP will also show the reputation score in SiteProtector analysis view. The event log response for a NAP rule is to generate an event for the traffic that is matching the rule condition and it does not apply to IPS events. For IPS events, the IPS object will have to be configured with event log response. Example: Event log response will trigger network access events for traffic from any source destined to URL which are categorized as Anonymous proxies and the traffic will be rejected. But for IPS events for same traffic, it will apply response configuration of the IPS object. In this case, Default IPS. 23

24 Policy Deployment Considerations Deployment for following policies WILL reset protection interfaces along with analysis daemon restart. Flexible Performance Level Protection Interfaces (except hardware bypass configuration) Inbound SSL Certificate (adding or deleting a single certificate; editing a certificate to add a comment does not) 24

25 General tuning to improve the device performance Disable URL Tracking In deployments where URL filtering is not being used, URL classification and Top 10 reporting for the URL should be disabled by setting following tuning parameters to false. tune.url.classification - When you disable this tuning parameter, URL requests are not classified and Web Application Identification is disabled. These features are primarily useful for inspecting outbound client traffic, so disabling them might increase performance in deployments where only inbound server traffic is seen. tune.url.topten.tracking - When you disable this tuning parameter, URLs and URL Categories are not collected for Top Ten displays on the Dashboard, which might increase performance in deployments where only internal assets are being protected. Note: starting firmware version 5.3.1, tune.url.topten.tracking is set to false by default. Disable local flow data collection If the device is configured to forward flow data to a centralized flow collection system (like QRADAR), where the centralized monitoring of the traffic happens, the local flow data could be disabled to save resources on the device. The Top-10 graphs by user and application would not be populated when local flow data collection is disabled. Manage -> Network Settings -> Flow Data OR Flow Data policy on SiteProtector 25

26 Where do you get more information? Questions on this or other topics can be directed to the product forum: More articles you can review: Best practices for firmware upgrades on Security Network Protection sensors Options for settings snapshots on Security Network Protection sensors Packet delay or loss while making changes to XGS policies Increase connections per second (CPS) in deployments protecting only internal assets XGS does not apply all currently entitled licenses after it is registered with SiteProtector Firewall rules necessary to ensure IBM Security Products can update IBM Knowledge Center: Useful links: How to Contact IBM Software Support for IBM Security IBM Support Portal Sign up for My Notifications Follow us: 26

27 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the IBM Connections Cloud Meeting chat To ask a question after this presentation: You are encouraged to participate in our IBM dw Answers Forum about this topic: OpenMic WebCast Announcement 18 November 2015: XGS: So I just deployed my new IBM Security Network Protection appliance, what do I do next? URL: 27

28 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.