HP ProCurve Threat Management Services zl Module
NPI Technical Training
Version: 1.00, 5 January 2009
2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Sample excerpt
Use Models
Operating Modes

Routing mode:
- Firewall
- IPS
- VPN
- User authentication
- NAT
- Routing
- High availability (HA)
- Logging

Monitor mode:
- IDS
- Logging

The TMS zl Module can operate in one of two modes: routing mode or monitor mode. The module's mode affects its functions on every level, so you must select the operating mode that supports the functions you want the module to perform. The next several slides describe these modes in more detail, focusing on how you can use each one to protect your network.
TMS zl Module in Routing Mode

The TMS zl Module actively controls and secures routed traffic.

In routing mode, the TMS zl Module routes network traffic, and it actively controls and secures the traffic that it routes. You will learn exactly how the module controls and secures traffic later in this training. First, however, you need to understand some general concepts.
Internal Ports in Routing Mode

- Each of the two internal ports supports 10 Gbps.
- The host switch references the ports by slot and port number, for example E1 and E2 for a module in slot E.
- Port 1 handles network and management traffic.
- Port 2 handles high-availability (HA) traffic.

The TMS zl Module receives traffic from and transmits traffic to its host switch on these two internal ports, each of which supports 10 Gbps. In routing mode, the internal ports operate as follows:

Port 1: This port sends and receives all network traffic that is controlled by the TMS zl Module. It also sends and receives all management traffic.

Port 2: This port sends and receives traffic related to a High Availability (HA) cluster.

When you add VLANs to the TMS zl Module, the data port (port 1) is automatically tagged for those VLANs.
Routing Mode Concepts: TMS VLANs

A TMS VLAN is routed and controlled by a TMS zl Module operating in routing mode:
- The VLAN must exist on the host switch.
- The module has an IP address on each TMS VLAN; its internal port 1 is tagged for the VLAN.
- The module is the default gateway for endpoints in the VLAN.
- On other routers, the module is the next hop to the VLAN.
- The TMS zl Module supports up to 20 VLANs.

VLANs that are controlled by the TMS zl Module are called TMS VLANs. To add a TMS VLAN to the module, the VLAN must exist on the host switch. However, the host switch does not require an IP address on the VLAN, and typically it should not have one. When you decide that you want a VLAN to become a TMS VLAN, you assign the module an IP address on that VLAN. The host switch automatically tags the module's internal port 1 for that VLAN.

The TMS zl Module must route traffic for TMS VLANs. Therefore, the module's IP address on each TMS VLAN should be the default gateway for endpoints in that VLAN. If your network has other routers (for example, a WAN router that connects to the Internet), their route to the TMS VLANs should specify an IP address on the TMS zl Module as the next hop.

Note that the TMS zl Module filters all traffic routed out of or into each TMS VLAN. It does not filter traffic between devices in the same VLAN. The TMS zl Module supports up to 20 VLANs.
Routing Mode Concepts: Zones

Zones allow you to separate the network into logical areas of trust:
- Define the VLANs in each zone
- Apply unique access policies to each zone

Two types of zones are supported:
- Self zone: any IP address configured on the module
- 9 access control zones (each contains one or more TMS VLANs):
  » Internal
  » External
  » DMZ
  » Zone1 to Zone6

As mentioned earlier, the TMS zl Module allows you to separate the network into logical areas of trust. You define these zones when you add TMS VLANs to the module: specifically, you must add each VLAN to a particular zone. You can then apply unique access policies to each zone, or to certain VLANs or certain IP addresses within a zone.

The module has two types of zones. The Self zone includes any IP address configured on the module. It controls traffic that is originated by the module and traffic that is destined to the module itself. (The Self zone does not include traffic that the module is simply routing.) The other nine zones are access control zones, which are used to control traffic that is routed between TMS VLANs. To begin using the zones, you add the TMS VLANs you have defined to a particular zone.

The nine access control zones are named Internal, External, DMZ, Zone1, Zone2, Zone3, Zone4, Zone5, and Zone6. The Internal zone is intended for traffic that is internal to your private network. The External zone is intended for external traffic such as Internet traffic. The DMZ zone is intended for servers and security devices placed between the internal and external networks. You can use the six numbered zones to define internal and external traffic in more granular ways. For example, if you installed the TMS zl Module on a university network, you could assign the Student VLAN to Zone1 and the Faculty VLAN to Zone2.

Despite the intended uses, access control zones are fully customizable. You can use only the zones that you need for your particular environment, and you can add whatever TMS VLANs you want to a particular access control zone. The only rule is that each TMS VLAN can be assigned to only one zone.
Routing Mode Concepts: A Packet's Zone

Every packet has a source and destination zone:
- Source zone = the zone of the TMS VLAN on which the packet arrived
- Destination zone = the zone of the forwarding VLAN in the route to the packet's destination

The concept of zones is most important for firewall access policies. You will learn more about these policies later in this training. For now, you simply need to understand that each packet the TMS zl Module receives is classified according to its source zone and its destination zone.

The packet's source zone is the zone of the TMS VLAN on which the packet arrived. In other words, it is the zone for the source device's VLAN. This VLAN might be the VLAN in which the packet originated, or it might be the VLAN on which another router has routed the packet to the TMS zl Module.

The packet's destination zone is the zone of the forwarding VLAN in the route to the packet's destination. That VLAN might be the VLAN to which the packet is destined, or it might be a VLAN on the way to the final destination network (often the case for external traffic).
A Packet's Zone: Example 1

In this example, the TMS zl Module receives a packet. The packet's source IP address is 10.1.10.50, and its destination IP address is 10.1.30.15. The module determines that the source zone is Internal because the source address is in the Faculty VLAN, which is in the Internal zone. The packet's destination IP address is in the Server VLAN, which is a connected VLAN. Because this VLAN is in the Internal zone, the packet's destination zone is also Internal. The TMS zl Module will apply Internal-to-Internal access policies to the packet.
A Packet's Zone: Example 2

In this example, the module receives a packet with source IP address 10.1.20.50 and destination IP address 172.18.5.3. The packet's source zone is Internal because it arrived from a device in the Student VLAN, which is in the Internal zone. This packet is destined to an address in a network that is not connected to the TMS zl Module. However, the module has a default route through 172.16.1.1, which is the IP address of the network's WAN router. The module will forward the packet using the default route. Because the 172.16.1.0/24 network is associated with the External zone, this packet's destination zone is External, and the TMS zl Module will apply Internal-to-External access policies to it.
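The zone lookup in the two examples above, worked through in code. This is an added example, not code from HP or from the module's own software; the VLAN table, the route table and the function names are constructed from the addressing on these slides.

```python
"""Added example (not HP's own code): how a routing-mode TMS zl Module derives a
packet's source zone and destination zone, using the university addressing from
the two slide examples. The VLAN table, route table and lookup functions are
constructed here for illustration."""
import ipaddress

# Connected TMS VLANs and the access control zone each was added to
# (constructed from the slide examples).
TMS_VLANS = {
    "Faculty": {"network": "10.1.10.0/24", "zone": "Internal"},
    "Student": {"network": "10.1.20.0/24", "zone": "Internal"},
    "Server":  {"network": "10.1.30.0/24", "zone": "Internal"},
    "WAN":     {"network": "172.16.1.0/24", "zone": "External"},
}
# Static routes: prefix -> next hop. The default route points at the WAN
# router's address 172.16.1.1, as in the second slide example.
DEFAULT_ROUTES = {"0.0.0.0/0": "172.16.1.1"}


def vlan_for_address(ip):
    """Name of the connected TMS VLAN whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, vlan in TMS_VLANS.items():
        if addr in ipaddress.ip_network(vlan["network"]):
            return name
    return None


def forwarding_vlan(dst_ip, routes=DEFAULT_ROUTES):
    """Route lookup for a destination: a connected VLAN is used directly;
    otherwise the longest matching route wins and the forwarding VLAN is the
    connected VLAN that holds that route's next hop. None means no route."""
    connected = vlan_for_address(dst_ip)
    if connected:
        return connected
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return vlan_for_address(best[1]) if best else None


def classify(arrival_vlan, dst_ip, routes=DEFAULT_ROUTES):
    """Return (source_zone, destination_zone) for a packet that arrived on
    arrival_vlan, or None when the module would not route it: no route, or the
    destination lies in the arrival VLAN (intra-VLAN traffic is not filtered)."""
    fwd_vlan = forwarding_vlan(dst_ip, routes)
    if fwd_vlan is None or fwd_vlan == arrival_vlan:
        return None
    return TMS_VLANS[arrival_vlan]["zone"], TMS_VLANS[fwd_vlan]["zone"]
```

The zone pair returned by classify is what selects the access policy set (Internal-to-Internal, Internal-to-External, and so on) that the firewall applies.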
Use Models for Routing Mode

Let's look at some examples of how you can deploy a TMS zl Module operating in routing mode. You can use the module as a traditional firewall or IPS deployed at the perimeter. In this case, the module filters all traffic sent between the internal and external networks. However, the module's primary function is to protect your network from unauthorized uses by authorized internal users, by filtering all internal routed traffic. We'll look at this use model first.
Internal Threat Protection

The TMS zl Module is the default gateway for internal VLANs. The module controls traffic using one or more of these features:
- Firewall with optional user authentication
- IPS
- VPN
- NAT

When the TMS zl Module provides internal threat protection, it must act as the default gateway for internal VLANs. It can then control internal traffic. The two primary functions of the module are typically its firewall and IPS. The firewall detects and blocks certain DoS attacks and controls users' access to particular resources. You also have the option to add user authentication to the firewall. The IPS detects a wide array of threats and mitigates them.

Another feature that you can use for internal threat protection is the module's VPN. You might use the VPN to encrypt internal traffic that is destined to certain resources that require high confidentiality. Finally, some networks might require internal NAT. For example, the network might have different segments, some more public than others. You might want to conceal the IP addresses in the more private areas from users in the more public areas.

This and the next several slides guide you through deploying a TMS zl Module for internal threat protection. For now, I will show you how to configure VLANs and IP addresses so that traffic passes through the module correctly. You will learn about more detailed use models for particular features later in this training. At that point, you will also learn the exact CLI commands and step-by-step instructions for setting up particular module features.
Deployment for Internal Threat Protection: Existing Network Design

One last note before we examine the deployment process: because the deployment involves changes to network addressing, you should complete it after normal business hours and during a scheduled outage.

In this example, a ProCurve 8212zl switch acts as the core routing switch for a university. The university's internal network is divided into four VLANs. The Management VLAN (VLAN 2) includes infrastructure devices and the IT staff's workstations. The Faculty VLAN (VLAN 10) includes the faculty's workstations. The Student VLAN (VLAN 20) includes ports in student housing rooms and computer labs. The DataCenter VLAN (VLAN 30) includes all private network resources. The 8212zl switch has an IP address on each of these VLANs and routes all internal traffic. Its own default gateway is the WAN router, a ProCurve Secure Router 7203dl.
Deployment for Internal Threat Protection: Remove IP Addresses from the Switch

You will install the new TMS zl Module in this core switch. You should access the module and install the product license. The next step is to remove all IP addresses from the switch except its management IP address. Change the switch's default gateway address to the IP address that you plan to assign to the TMS zl Module on this VLAN. The module is going to be the default gateway for all internal devices.

Remember: you remove only the IP addresses from the VLANs. The VLANs themselves must still exist on the switch.
Deployment for Internal Threat Protection: Add VLANs and Zones to the TMS zl Module

Next, add all VLANs on the host switch as TMS VLANs. In this example, the Management VLAN is added to Zone1. Zone1 is then enabled for management access on the TMS zl Module, allowing only IT staff in the management VLAN to access the module. In this example, all other internal VLANs (those for faculty, students, and the DataCenter) are assigned to the Internal zone. The VLAN on which the module and host switch connect to the WAN router (in this example, VLAN 99) is assigned to the External zone. The next slide shows the IP addresses assigned to the VLANs.
Deployment for Internal Threat Protection: Assign VLAN IP Addresses on the TMS zl Module

This slide illustrates the IP addresses assigned to the TMS zl Module on the TMS VLANs. As you see, most of the IP addresses are the IP addresses that you removed from the host switch. In this example, the host switch was the default router for internal endpoints. You can leave all DHCP scopes and static settings intact; the TMS zl Module will now be the router. To allow the module to route traffic out to the Internet, you must configure the default gateway that you removed from the host switch. In this example, the module's default gateway is 10.1.99.2 because that is the Ethernet IP address of the WAN router.

At this point, you can begin configuring the module's firewall, IDS/IPS, and other features. The module is ready to control traffic. In fact, the TMS zl Module denies any traffic that is not explicitly permitted by an access policy. (Some routing protocols are allowed by default, and when you set up a management zone, a number of access policies were automatically created for you. To permit other traffic, you must begin creating access policies.)
Perimeter Threat Protection

The TMS zl Module routes traffic between the internal and external networks. It controls traffic using one or more of these features:
- Firewall with optional user access control
- IPS
- NAT
- VPN with optional user authentication

Some companies may want to deploy the TMS zl Module as a perimeter device. This is a valid use model (although perimeter threat protection alone does not protect the network as thoroughly as perimeter threat protection used in combination with internal threat protection). In a perimeter deployment, the TMS zl Module performs all of the functions that we have discussed, but it controls only traffic routed between the internal and external networks rather than also the traffic that is routed within the internal network.
Deployment for Perimeter Threat Protection: Existing Network Design

The next several slides guide you through deploying the TMS zl Module at the perimeter. The example network is similar to the network in the internal threat protection example. However, this slide shows all internal VLANs grouped together because the TMS zl Module will not distinguish between them.
Deployment for Perimeter Threat Protection: Remove the External IP Address from the Switch

In this example, the TMS zl Module is installed in an 8212zl switch that connects to the WAN router and that is also the core routing switch. In your network, these might be separate switches. You should install the module in the 5400zl switch or 8212zl switch that is closest to the WAN router. After you install the module, you must install its product license. Then you can begin changing IP addresses for the deployment.

On the core routing switch (which may or may not be the module's host switch), remove the IP address on the VLAN that connects to the WAN router (and from there to the Internet). Also change the routing switch's default gateway to the IP address that you plan to assign to the TMS zl Module on an internal VLAN. In this way, you ensure that all internal traffic destined to the external network is routed through the TMS zl Module.
Deployment for Perimeter Threat Protection: Add VLANs and Zones to the TMS zl Module

Access the TMS zl Module CLI (as you will learn how to do a bit later) and add two VLANs. The VLAN that connects to the WAN router is associated with the External zone. (Note that, to add this VLAN to the TMS zl Module, it must be present on the host switch. If necessary, extend the VLAN to the host switch.) You selected an IP address for the TMS zl Module on an internal VLAN when you set up the new default gateway for the core routing switch. Add this VLAN to the TMS zl Module and associate it with the Internal zone. Enable management on the Internal zone.
Deployment for Perimeter Threat Protection: Assign VLAN IP Addresses on the TMS zl Module

You already chose an IP address for the TMS zl Module on the VLAN associated with the Internal zone. Configure that address now. On the VLAN associated with the External zone, assign the module the IP address that you removed from the core routing switch. Make sure that the WAN router's route to the internal network specifies this IP address as the next hop, which ensures that all external traffic is routed through the TMS zl Module before it reaches the internal network.
Deployment for Perimeter Threat Protection: Create a Route to the Internal Network

If the internal network includes more VLANs than the one that you configured on the TMS zl Module, you must create a route to the rest of the network. The next-hop router should be the internal routing switch. At this point, all traffic between the internal and external networks passes through the TMS zl Module, and you can now control that traffic.
Feature Interaction for Routing Mode

A TMS zl Module that operates in routing mode supports multiple features: the firewall, the IPS, VPNs, and NAT. As you configure the TMS zl Module, it is important to understand how these features interact. The module processes each packet it receives in the following order:

1. Inbound IPsec check. The module first checks whether the packet is an IP security (IPsec) packet that is part of an active Security Association (SA); in other words, whether it is an inbound encrypted packet. If it is, the module checks the packet's integrity, decrypts it, and decapsulates it, then passes the packet to the firewall. (Packets that fail integrity checks or cannot be decrypted are dropped.) Non-IPsec packets are sent directly to the firewall.
2. Firewall attack checks. The firewall filters the traffic with the enabled attack checks.
3. Session and access policy lookup. The firewall looks for the packet's session. If the session does not exist, the firewall checks the packet against its access policies to determine whether it should be allowed. All packets that do not explicitly match an access policy are dropped.
4. IPS. If the packet is allowed by an access policy and IPS is enabled for that policy, the module sends it to the IPS for protocol anomaly checks and signature-based threat detection. (When IPS is disabled, this step is skipped.) If the IPS detects a threat, it handles the packet based on the action that is configured for threats of that severity.
5. NAT. If the packet passes the IPS checks, the firewall processes the packet once more, now checking whether the packet is selected for NAT and, if so, translating the source or destination IP address as specified.
6. Outbound IPsec check. The module checks the packet against its IPsec policies. If an IPsec traffic selector selects the traffic, the module encrypts and encapsulates the packet as specified in the corresponding IPsec SA. (If such an SA does not exist, the module can establish it.)
7. Forwarding. The TMS zl Module looks up the route to the packet's destination and forwards it accordingly.
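The processing order described on this slide, modeled as a runnable packet pipeline. This is an added example rather than HP's code: the access policies, signatures, severity actions, IPsec selector and session table are simplified stand-ins constructed for illustration, and the packet's zones are assumed to have been determined already.

```python
"""Added example, not HP's code: the order in which a routing-mode TMS zl Module
applies its features to one packet. Policies, signatures, IPsec selector and
session table are constructed stand-ins; the packet's zones are taken as known."""

# Constructed access policies; traffic matching none of them is dropped.
ACCESS_POLICIES = [
    {"src_zone": "Internal", "dst_zone": "External", "proto": "tcp", "port": 80,
     "ips": True, "nat_src": "10.1.99.1"},   # web out: IPS on, source NAT
    {"src_zone": "Internal", "dst_zone": "Internal", "proto": "tcp", "port": 445,
     "ips": False, "nat_src": None},          # file sharing: IPS off, no NAT
]
# Constructed IPS signatures (name, pattern, severity) and per-severity actions.
SIGNATURES = [("sample-cgi-probe", b"/cgi-bin/bad", "high"),
              ("sample-banner", b"SAMPLE", "low")]
SEVERITY_ACTION = {"high": "drop", "medium": "log", "low": "log"}
# Constructed IPsec traffic selector: destinations under this prefix are encrypted.
IPSEC_SELECTORS = [("10.1.30.", "sa-to-datacenter")]
SESSIONS = {}  # (src_ip, dst_ip, proto, port) -> policy that admitted the flow


def find_policy(pkt):
    """First access policy matching the packet's zones, protocol and port."""
    for p in ACCESS_POLICIES:
        if (p["src_zone"], p["dst_zone"], p["proto"], p["port"]) == \
           (pkt["src_zone"], pkt["dst_zone"], pkt["proto"], pkt["port"]):
            return p
    return None


def process(pkt):
    """Run one packet through the feature chain; return the verdict ('forward'
    or 'drop'), a drop reason, the stages taken and the (translated) packet."""
    pkt, stages = dict(pkt), []
    # 1. Inbound IPsec: verify and decrypt before anything else; failures are dropped.
    if pkt.get("ipsec_inbound"):
        if not pkt.get("integrity_ok"):
            return {"verdict": "drop", "reason": "ipsec-integrity", "stages": stages}
        stages.append("ipsec-decrypt")
    # 2. Firewall attack checks (one constructed check: source equals destination).
    if pkt["src_ip"] == pkt["dst_ip"]:
        return {"verdict": "drop", "reason": "attack-check", "stages": stages}
    # 3. Session lookup; only a new flow is matched against the access policies.
    key = (pkt["src_ip"], pkt["dst_ip"], pkt["proto"], pkt["port"])
    policy = SESSIONS.get(key)
    if policy:
        stages.append("session-hit")
    else:
        policy = find_policy(pkt)
        if policy is None:  # default deny
            return {"verdict": "drop", "reason": "no-policy", "stages": stages}
        stages.append("policy-match")
    # 4. IPS, only when the admitting policy enables it; action depends on severity.
    if policy["ips"]:
        stages.append("ips")
        for name, pattern, severity in SIGNATURES:
            if pattern in pkt.get("payload", b""):
                if SEVERITY_ACTION[severity] == "drop":
                    return {"verdict": "drop", "reason": "ips:" + name, "stages": stages}
                stages.append("ips-log:" + name)
    SESSIONS[key] = policy
    # 5. NAT, after IPS: translate the source address if the policy selects it.
    if policy["nat_src"]:
        pkt["src_ip"] = policy["nat_src"]
        stages.append("nat")
    # 6. Outbound IPsec selector check, then 7. route lookup and forwarding.
    for prefix, sa in IPSEC_SELECTORS:
        if pkt["dst_ip"].startswith(prefix):
            stages.append("ipsec-encrypt:" + sa)
    stages.append("forward")
    return {"verdict": "forward", "reason": None, "stages": stages, "pkt": pkt}
```

Running the same flow twice shows the session shortcut: the second packet skips the policy lookup but is still inspected by the IPS because the admitting policy enables it.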
TMS zl Module in Monitor Mode

- IDS threat detection and notification only
- Analyzes traffic that is mirrored to its internal port 1 (does not use zones)
- Use models: internal threat detection, perimeter threat detection

A TMS zl Module that operates in monitor mode analyzes traffic that is mirrored to its internal port 1. The module can use its IDS/IPS signatures to screen the traffic for threats. However, the module acts only as an IDS: it detects the threats but does nothing on its own to mitigate them. It does, however, log the threats to its internal log. It can also notify an administrator by email, or send a syslog message or an SNMP trap to a server. You can use a monitor mode TMS zl Module to detect threats in internal traffic, in external traffic destined to the internal network, or in both. The next slides show how.
Internal Ports in Monitor Mode

- Port 1 is reserved for data; mirror data to this port. Example: if the module is in slot E, mirror traffic to E1.
- Port 2 is used for management traffic.

In monitor mode, the two internal ports operate differently than they do in routing mode.

Port 1: This port is used for data. When operating in monitor mode, the data that the TMS zl Module receives is mirrored traffic.

Port 2: This port is used for management traffic. When you configure the management VLAN for the TMS zl Module, port 2 automatically becomes an untagged member of the management VLAN. For example, if you configure VLAN 2 as the management VLAN and the TMS zl Module is installed in slot C, the internal port C2 is untagged for VLAN 2.
Internal Threat Detection with Local Mirroring

The TMS zl Module can detect threats in internal traffic that passes through its host switch.

As you plan your TMS zl Module's deployment, consider whether you will use local mirroring or remote mirroring (or a combination of local and remote mirroring). When you use local mirroring, the switch mirrors traffic on its local ports to the TMS zl Module. The module can only detect threats in traffic that passes through its host switch. Therefore, for internal threat detection, you should install the module in a core switch. You can then mirror uplink ports to the TMS zl Module's internal port, and the module will examine the network traffic.
Perimeter Threat Detection with Local Mirroring

The TMS zl Module can detect threats in external traffic that passes into the internal network through its host switch.

For external threat detection, you should install the module in a switch that connects to the WAN router. You can then mirror the traffic arriving from the external network directly to the module.
Internal or Perimeter Threat Detection with Remote Mirroring

The TMS zl Module can detect threats in traffic throughout the network.

The 5400zl or 8212zl switch in which you install the module is capable of remote mirroring. If other switches in your network also feature this capability, you can mirror traffic from these switches to the module no matter where the switches are installed. In this way, the module can detect threats in traffic that does not pass through the network core. Note, however, that the more traffic you mirror, the more overhead you add to your network.