IBM Security Network Protection v Enhancements

Transcription

1 IBM Security Network Protection v Enhancements IBM SECURITY SUPPORT OPEN MIC To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: 14 December 2016 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 Disclaimer 2 IBM Security

3 Panelists Eric York Presenter Senior Offering Manager Charles Bill Klauke Level 2 Support Product Lead Craig Finley Technical Enablement Instructor Dan Easley Moderator Level 2 Support Knowledge Leader 3 IBM Security

4 Agenda XGS7100 Stacking Flow Data Enhancement Introducing inspection and flow data collecting modes Satisfaction of TIC Certification Single session logon Add rescue CLI to unlock admin account Quality Improvement Captive portal redesign Hardware bypass redesign Separated cron log file for top and ps history Stats DB (.rrd) auto migration Fixes/Patches Made in IBM Security

5 XGS7100 Stacking

6 XGS7100 Stacking - Cabling and configuration To enable stacking on the primary XGS Use the tuning segment.stack.[0 2](#NIM) = [true false] The enablement of stacking would cause alpsd restart and link-flapping e.g. segment.stack.0=true segment.stack.2=true Primary XGS Gbps+ workload No extra configuration is required for the secondary XGS Support note Support only XGS7100 FPL5 Only verified with 40G NIM Technically worked with 10G NIMs Does not support 1G NIMs Secondary XGS IBM Security

7 XGS7100 Stacking - Inspection flow for offloaded traffic Primary XGS7100 Secondary XGS7100 allowed traffic flow 1.1 primary -> 2.1 primary -> 1.1 secondary -> inspection -> 1.2 secondary -> 2.2 primary -> 1.2 primary blocked traffic flow 1.1 primary -> 2.1 primary -> 1.1 secondary -> inspection -> blocked Reset frames will follow allowed traffic path to sender and receiver 7 IBM Security

8 XGS7100 Stacking - Architecture and statistics Inspection Core Traffic Traffic Forwarding Core Primary XGS 1 core dedicates for offloading 53% incoming traffic to the secondary XGS 15 cores are used for inspecting remaining 47% traffic 53% 47% Regular Inspection Offloaded Inspection # mesa_stats -g packetif 1_1_lb_frames = _2_lb_frames = 1278 Secondary XGS Inspection 8 IBM Security

9 XGS7100 Stacking - Performance highlight Test configuration Primary XGS7100 with 4 x 40G NIM Secondary XGS7100 with 2 x 40G NIM (NIM1 + NIM3) Both XGS7100 set with max FPL (FPL = 5) 20Gbps 20Gbps XGS7100 Pri XGS7100 Sec Stacking Performance Stand-alone XGS7100 Stacked 2 XGS7100 Inspected throughput (Mbps) 28,068 49,800* 100% SSL throughput (Mbps) [Inbound] 10,246 16,498* * Due to limitation of performance test gear, maximum traffic generated for test is 40Gbps for Inspected throughput test 20Gbps for 100% SSL throughput test The result does not mean the MAX throughput of XGS7100 stacking. CPU is not fully utilized in this test. 9 IBM Security

10 Flow data Enhancement

11 Flow Data Enhancement - Architecture review and new stats/counters XGS mesa_statsd /var/iss-db/flowdata.rrd # mesa_stats -g flowdata CreatedRecords = 75 SkippedRecords = 0 update stats /var/iss-db/fdexporter.rrd # mesa_stats -g fdexporter last_export_elapsed = 0 local_failed = 0 remote_failed = 0 update_record = 75 ALPSD PAM fdmeter fdexporter Send as IPFIX Save to local UDP QRadar / IPFIX collectors Traffic Shared Memory /var/iss-db/flowdata.db 11 IBM Security

12 Flow Data Enhancement - Flow data collecting mode & inspection mode Turn XGS into an inspection centric or a flow data collecting centric appliance with a single tuning. To enable flow data collecting mode Use the tuning flowdata.mode.collector=[true false], default false The enablement of flow data mode would cause alpsd restart and link-flapping The performance highlight Test traffic profile: HTTP 89%, DNS 1%, SMTP 5%, FTP 5% In Inspection mode, core metrics stay consistent with previous releases Inspection centric mode XGS 7100 XGS 5100 XGS 4100 XGS 3100 Inspected throughput (Mbps) 28,068 9,645 2,065 1,539 Flow data keep %* 14%(9.3M / 68M) 55%(14.3M / 26M) 100%(5.8M/5.8M) 100%(3.8M/3.8M) In flow collecting centric mode, flow data for traffic through XGS is all captured Flow data centric mode XGS 7100 XGS 5100 XGS 4100 XGS 3100 Inspected throughput (Mbps) 21,819 9,042 2,066 1,542 Flow data keep %* 100%(~68M flows) 100%(~26M flows) 100%(~5.8M flows) 100%(~3.8M flows) 12 IBM Security

13 Satisfaction of TIC Certification

14 Single Session Logon - LMI single logon To allow the administrator to detect if an account has been compromised To prevent resources from becoming overloaded in DoS attack To enable single session logon Use the tuning singlesession.enabled= [true false], default false User logging in to LMI when another user with identical account has already logged in will be asked for confirmation. 2. LMI user being forced to log off will be redirect to login page in next attempt to access LMI resources. 14 IBM Security

15 Single Session Logon - CLI/console single logon 1. User logging in to CLI when another user with identical account has already logged in will be asked for confirmation. 2. CLI user being forced to log off will be closed with a notification User log in to SFTP service implicitly force other SFTP users to be logged off. Note User logging in to CLI/console passed authentication by public key will not receive a confirmation prompt, but implicitly force other CLI/console users with identical account to be logged off IBM Security

16 Single Session Logon - System events GLGAU9011W A user forced other user with identical account to log off. GLGAU9012I A user logged in to an account that has been logged in. 1. B is trying to log in while A has already logged in, and B confirmed to log off A and log in himself. 1 GLGAU9001I (A logged in) GLGAU9012I (single-session limit triggered) GLGAU9011W (B confirmed to log off A) GLGAU9002I (A is logged off) GLGAU9001I (B logged in) Note GLGAU9012I is logged even if user canceled the confirmation prompt. This event is useful to indicate a compromised account. 16 IBM Security

17 Rescue CLI - Unlocking admin account New CLI command rescue helps unlock/reset admin account 1. Go LMI > Manage > SSH Public Key Management to add other admin users 2. SSH logon with added users and send rescue command to unlock admin account 3. System event GLGAU9010W is generated and logged CLI > management > rescue dns Work with the appliance DNS settings. force_heartbeat Force a heartbeat to SiteProtector. hostname Work with the appliance host name. interfaces Work with the management interface settings. rescue Unlock admin account. set_password Set the appliance password. snmp Work with SNMP settings. Global commands: back Return to the previous command mode. exit Log off from the appliance. help Display information for using the specified command. reboot Reboot the appliance. shutdown End system operation and turn off the power. top Return to the top level. XGS5100:management> rescue John reset admin account. 17 IBM Security

18 Quality Improvement

19 Captive Portal Redesign - No Disk I/O in data plane. Architecture comparison Before In Sqlite3 DB DISK I/O fetch /var/iss-db/portaldb.db [{key: UUID1, url: }, {key: UUID2, url: }, {key: UUID3, url: }] DISK I/O update HTTP Redirect LMI ALPSD Traffic Memory update Memory Table IPC fetch In PMRs and support files, we found many alpsd crash logs because of signal 49. Signal 49 means analysis thread cannot respond to monitor thread in 10 secs. The call trace indicates alpsd is blocked in the PortalDB because of file lock. In , the DB for caching user s URLs is moved to alpsd local memory for avoiding disk I/O The caused latency is reduced from millisecond level (Disk) to nanosecond level (Memory) 19 IBM Security

20 Hardware Bypass Redesign - No longer to oversubscribe segment bypass controller Segment bypass controller has proven to be rather fragile and mesa_bypassd is sending too many commands to the controller for refreshing watchdog timer has up to 16 segments so frequently causes controllers to block. This phenomenon has led to unexpected bypass in the field. In 5.3.3, there is a new design for controlling segment hardware bypass. The timer for segment bypass controller are no longer used. mesa_bypassed now cares only system failure, such as kernel panic. alpsd, who manages all traffic inspections, now also has complete control over segment bypass controller. 20 IBM Security

21 Hardware Bypass Redesign - System events Now that alpsd manages bypass controllers and know segment s mode. Two new events are added: GLGSY0047I - Connected GLGSY0048I - Failed 21 IBM Security

22 Separated cron log file for top and ps history - It s enabled by default. Leave traces in this first place. In 5.3.3, we disable keeping top and ps history by default because the continued cron message would cause too much noise in /var/log/messages and bury the real important things. In , cron log would be separately stored in /var/log/cron.log. Because of this, top and ps is turned on by default. procstats.log.enable=true Note /var/log/cron.log would also be applied to logrotate policy as /var/log/messages for avoiding running out of disk space. 22 IBM Security

23 Stats DB (.rrd) auto migration - Adding new stats is not going to impact users Before , when user upgrade XGS firmware and the new firmware includes a new statistic key/value in.rrd XGS detects the rrd missing the new key/value pair Back-up the original.rrd file (move to.rrd.bak) Create a whole new.rrd with new schema This means customer is going to lose their history view in LMI after firmware upgrade. In , when XGS detects the rrd missing new key/value pairs It automatically migrates existing.rrd file with new key/value pairs (to fill them up with zero) User can still keep the history view in LMI after firmware upgrade. 23 IBM Security

24 Fixes/Patches Made in

25 Fixes/Patches Made in Include all fixes & patches done in , Defects deferred from (Details are in in release notes) Covered several PSIRTs related to Openssh, Openssl, Busybox, and IBM HTTP Server Check the security bulletins of for fix details. 25 IBM Security

26 APPENDIX New Technote, Tunings, Events

27 Appendix: New Technotes, Tunings, Events Technote Stacking: Stacking IBM Security Network Protection XGS Appliance 7100 (technote ) Flow data: Configuring IBM Security Network Protection to use flow data collector mode (technote ) Single session logon: Configuring logon session limit for IBM Security Network Protection (technote ) Tuning To enable stacking segment.stack.[0 2](#NIM) = [true false], default false To enable flow data collecting mode flowdata.collector.mode = [true false], default false To enable single session for LMI/CLI/console singlesession.enabled = [true false], default false 27 IBM Security

28 Appendix: New Technotes, Tunings, Events Events Category Event ID Description Rescue GLGAU9007W The user admin has been locked because the maximum amount of login attempts has been exceeded. The number of failed attempts is <times>. GLGAU9010W User <user_name> reset reset account. Single Session GLGAU9011W User <user_name> who logged on to the appliance <interface_name> from <remote_host> has forced the preceding user with the same account to log off. Hardware Bypass GLGSY0047I All hardware bypass controllers have switched to connected mode. GLGSY0048I All hardware bypass controllers have switched to fail mode. 28 IBM Security

29 Questions

30 Questions 1. What is the advantage of stacking 2 XGS 7100s, using 40 Gb NIMs, for throughput? 2. Is it possible to stack XGS 7100's using an FPL below FPL5? 3. When was the 40Gb NIM supported added to the XGS product line? 4. Are the XGS 7100 and NP 7100 the only appliances that support the 40Gb NIMs today? 30 IBM Security

31 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line. or Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down-menu. Click Send. Your message is sent and appears in the Q&A panel. To ask a question after this presentation: You are encouraged to participate in the dw Answers forum: 31 IBM Security

32 Where do you get more information? Questions on this or other topics can be directed to dw Answers in IBM developerworks: More articles you can review: Technote : Readme for v at IBM Knowledge Center: v5.3.3 release notes at es.htm Useful links: Get started with IBM Security Support IBM Support Portal Sign up for My Notifications Follow us: 32 IBM Security

33 THANK YOU FOLLOW US ON: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.