ProCurve Network Immunity


Hans-Jörg Elias, Key Account Manager, hans-joerg.elias@hp.com
2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
www.hp-user-society.de

Agenda
- ProCurve Security Framework
- Network Immunity Solution Overview
- Network Immunity Features
- Network Behavioral Anomaly Detection
- Network Immunity User Interface

Network Security Framework
- Access Control: prevents security breaches by controlling which users have access to systems and how they connect in a wired/wireless network.
- Secure Infrastructure: protection of network components, prevention of unauthorized overrides of mandated security provisions, and privacy measures.
- Network Immunity: defends the network from malicious attacks, monitors behavior, and applies security information intelligence.
- ProActive Defense emphasizes a standards-based foundation (Adaptive EDGE Architecture).
(Diagram: ProActive Defense surrounded by Access Control, Network Immunity, Secure Infrastructure and Regulatory Compliance.)

ProCurve ProActive Defense
- The network contains valuable resources which require many types of access, all of which need to be secure.
- Access Control proactively identifies and assesses users and devices connecting to the network.
- Network Immunity provides defense by monitoring sensors throughout the network and responding to threats.
- Command from the Center provides centralized control for the intelligent edge.
(Diagram labels: Uncontrolled Access, Authenticated Access, Trusted Access; Integrated Access and Infrastructure Management; Business Policy, Policy Control, Validation, Forensics, Statistics, Alerts; Command from the Center.)

ProCurve Security Architecture
- Before a security breach: Prevent/Protect
- During a security breach: Detect
- Mitigate a security breach: Respond
- Centralized Management

Network Immunity Solution Overview
- Edge Defense: Quarantine, Bandwidth Rate limiting, Attacker MAC lockout, Attacker Port Shutdown, Copy suspicious traffic to IDS, Email Alert Notification
- ProCurve PCM v2.2 Plus with NI Manager: Intrusion Response, Intrusion Detection, Security Activity Dashboard, Location based Policy Enforcement, Built-in Network Behavior Anomaly Detection (NBAD), Alert Suppression, Offender Tracking, Security Heat Map, Threat Mitigation, Reporting
- Third Party Security Devices: Inline Prevention, Passive Detection, UTM
(Diagram: suspect traffic is forwarded from the ProCurve network edge to the third party security devices.)

Network Immunity Terminology
- Network Behavioral Anomaly Detection (NBAD): analysis is performed on traffic metrics such as those from sFlow, XRMON, and counters in ProCurve devices to detect internal threats.
- Traffic Metrics: consists of sFlow, XRMON and Port Statistics data compiled by the traffic manager within PCM v2.2.
- False Positives: valid network traffic that often looks to a network management product like an anomaly, such as the activity of a virus or worm. ProCurve False Positive Avoidance (FPA) algorithms within the NBAD engine assist NI Manager in lessening the false positives.
- Security Heat Map: displays the number of security alerts for each device in the map.

Network Immunity Terminology Continued
- Intrusion Detection System (IDS): used to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.
- Intrusion Prevention System (IPS): an extension of intrusion detection (IDS) technology, but actually another form of access control, like an application layer firewall.
- Unified Threat Management (UTM): a term used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall.

Network Immunity Manager Overview Continued
- The core functionalities are Threat Detection, Threat Mitigation and Security Management.
- The Network Immunity Manager requires PCM+ 2.2.
- Bundled on the PCM+ 2.2 CD, the Network Immunity Manager is enabled with a separately purchased license key.
- NI Manager is available for free with PCM+ 2.2 for a 30 day trial period.

NI Solution Components
- The ProCurve Network Immunity Solution is comprised of the combination of ProCurve products: ProCurve Manager Plus 2.2, ProCurve Network Immunity Manager 1.0, and ProCurve switches from the intelligent switch series.
- Implemented together with third party UTM/IPS/IDS devices such as: Cisco IPS 4200 series (supported in May 2007), Fortinet UTM appliances (supported in June 2007), SonicWall UTM products (supported in July 2007).

NI Manager Features
- Threat Detection: Network Visibility, Multiple Intrusion Detection Methods, Offender Tracking, Remote Monitoring, Security Heat Map
- Threat Mitigation: Internal threat detection, Group Based Policy Enforcement, Multiple Threat Mitigations, Reduces False Positives, Chain of Actions, Wireless Support

NI Manager Features Continued
- Security Management: Policy Management, Security Event Aggregation and Suppression, Security Dashboard, Exempt List Configuration, Cleanup, Security Auditing, Group Based Policy Enforcement, ProCurve Manager Integration, Reports

How NI Manager Works
(Diagram of the Security Management Lifecycle; labels: Refine Policy, Incident Investigation & Auditing, Reports, Define Security Policy, Traffic Monitoring & Traffic Alerts, Threat Detection, Network Discovery & Topology Mapping, ProCurve Wired & Wireless Devices, Built-in NBAD, 3rd Party Security Devices, Security Activity Reporting, Threat Mitigation (Edge Defense), Policy Compliance.)

NBAD Overview
- Network behavior anomaly detection (NBAD) is the continuous monitoring of a network for unusual events or trends.
- NBAD tracks critical network characteristics in real time and generates an alert if a strange event or trend is detected.
- Analysis is performed on traffic metrics from ProCurve switches to detect internal threats.
- Accepts attack alerts from Virus Throttle technology embedded in select ProCurve switches.
- Accepts alerts from select 3rd party IDS/IPS/UTM security devices.

How NBAD Works
(diagram only)

How NBAD Works Continued
(diagram only)

How NBAD Works Continued
(diagram only)

NBAD Malicious Behavior Table
Columns: Behavior Name; Data Points; Violation Triggering Condition; Sensitivity.

Duplicate IP
- Data points: MAC Address, IP Address, Time Window
- Triggering condition: one IP appearing from more than one MAC within the specified time window.
- Sensitivity (time window): 1 = 0 min, 2 = 15 min, 3 = 60 min, 4 = 3 hrs, 5 = 24 hrs

Spoofed IP
- Data points: MAC Address, IP Address, Time Window
- Triggering condition: one MAC with more than one IP appearing within the specified time window.
- Sensitivity (time window): 1 = 0 min, 2 = 15 min, 3 = 60 min, 4 = 3 hrs, 5 = 24 hrs

IP Fan-Out
- Data points: Source IP Address, Destination IP Address
- Triggering condition: one source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.
- Sensitivity (fan-out size): 1 = 259 IPs, 2 = 128, 3 = 96, 4 = 32, 5 = 3

NBAD Malicious Behavior Table Continued

TCP/UDP Fan-Out
- Data points: Source IP Address, Destination TCP/UDP Ports (per Destination IP Address)
- Triggering condition: one source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.
- Sensitivity (fan-out size): 1 = 259 IPs, 2 = 128, 3 = 10, 4 = 5, 5 = 2

Average Packet Size Deviation
- Data points: Host IP Address, Average Packet Payload Size in Bytes
- Triggering condition: occurs when the engine detects a statistically unusual change in the average size of sent and/or received packets.
- Sensitivity: triggers when the new average packet size is more than 3 S.D. units away from the current average packet size.

Protocol Anomaly
- Data points: Host IP Address, Host Packet Contents
- Triggering condition: occurs when the host sends traffic containing unusual properties that would not normally be expected to occur on the network.
- Sensitivity: any packet matching the approx. 30 anomalous behaviors defined for this engine immediately creates an event.

What NI Manager Detects
The Network Immunity Manager has been tested to detect the following:
- Protocol Anomalies
- Port scanning techniques:
  - Xmas Tree Scan: sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set.
  - NULL Scan: turns off all flags, creating a lack of TCP flags.
  - FIN Scan: the FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking.
- Denial of Service:
  - UDP Bomb: an illegally sent User Datagram Protocol (UDP) packet.
  - Land Attack: an attack involving IP packets where the source and destination address are set to address the same device.
  - Ping of Death: sends a malformed or otherwise malicious ping to a computer.
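The Duplicate IP, Spoofed IP, IP Fan-Out and Average Packet Size Deviation rows of the behavior table, rendered as runnable checks over flow records. This is an added example, not ProCurve or PCM code: the flow record layout, the MAC/IP addresses and the way each sensitivity level is mapped onto the slide's window and fan-out thresholds are constructed here for illustration.

```python
"""NBAD-style checks modelled on the Network Immunity behavior table.
Added example, not ProCurve code: the flow record layout, MAC/IP values and
the sensitivity-to-threshold mapping are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Sensitivity level -> threshold, as printed on the slides.
TIME_WINDOW_MIN = {1: 0, 2: 15, 3: 60, 4: 180, 5: 1440}  # Duplicate / Spoofed IP
IP_FANOUT_SIZE = {1: 259, 2: 128, 3: 96, 4: 32, 5: 3}     # IP Fan-Out

# Constructed flow samples: (minute, src MAC, src IP, dst IP, dst port, payload bytes)
FLOWS = [
    (0, "00:aa:00:00:00:01", "10.0.0.5", "10.0.0.100", 80, 512),
    (5, "00:aa:00:00:00:01", "10.0.0.5", "10.0.0.100", 80, 480),
    (10, "00:aa:00:00:00:02", "10.0.0.5", "10.0.0.100", 80, 500),    # 2nd MAC claims .5
    (20, "00:aa:00:00:00:03", "10.0.0.7", "10.0.0.100", 443, 900),
    (100, "00:aa:00:00:00:03", "10.0.0.8", "10.0.0.100", 443, 880),  # same MAC, new IP
] + [(30 + i, "00:aa:00:00:00:04", "10.0.0.9", f"10.0.0.{50 + i}", 22, 60) for i in range(3)]

def _pairs_within(events, window):
    """Yield pairs of (minute, value) events at most `window` minutes apart."""
    events = sorted(events)
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b[0] - a[0] > window:
                break
            yield a, b

def duplicate_ip(flows, sensitivity):
    """Duplicate IP: one IP seen from more than one MAC inside the time window."""
    by_ip = defaultdict(list)
    for ts, mac, ip, *_ in flows:
        by_ip[ip].append((ts, mac))
    return sorted({ip for ip, ev in by_ip.items()
                   for a, b in _pairs_within(ev, TIME_WINDOW_MIN[sensitivity]) if a[1] != b[1]})

def spoofed_ip(flows, sensitivity):
    """Spoofed IP: one MAC seen with more than one IP inside the time window."""
    by_mac = defaultdict(list)
    for ts, mac, ip, *_ in flows:
        by_mac[mac].append((ts, ip))
    return sorted({mac for mac, ev in by_mac.items()
                   for a, b in _pairs_within(ev, TIME_WINDOW_MIN[sensitivity]) if a[1] != b[1]})

def ip_fan_out(flows, sensitivity):
    """IP Fan-Out: one source IP reaching at least the fan-out size of distinct destinations."""
    dests = defaultdict(set)
    for _, _, src, dst, _, _ in flows:
        dests[src].add(dst)
    return sorted(s for s, d in dests.items() if len(d) >= IP_FANOUT_SIZE[sensitivity])

def packet_size_deviation(baseline, recent, sd_units=3):
    """Average Packet Size Deviation: the slide's rule that the new average payload
    size lies more than 3 S.D. units away from the host's established average."""
    mu, sd = mean(baseline), pstdev(baseline)
    return abs(mean(recent) - mu) > sd_units * sd
```

Raising the sensitivity widens the window or lowers the fan-out size, so the same sample flows that pass at level 1 produce alerts at level 2 (Duplicate IP), level 4 (Spoofed IP) and level 5 (IP Fan-Out), which is the trade-off the False Positive Avoidance discussion on slide 7 is about.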

What NI Manager Detects Continued
- Reconnaissance before an attack. Tools: Nessus, NMAP, port scanners and ping tools.
- Network based attacks. Tested to detect: DNS Tunneling, Unauthorized Network Mapping, IP Spoofing, various worm propagation techniques.
- Anomalous Packet Size. Designed to inform NI to: sample suspicious traffic, detect some covert channels.
- Mis-configured devices. Tested to detect: Duplicate IPs, Rogue Routers, Rogue Proxies.

NI Manager Device Support Matrix
Columns: Detection capabilities (sFlow/XRMON, VT, Basic Local Mirror, Intelligent Remote Mirror) and mitigation actions NI can take on a switch/AP (Port Shutdown, MAC Lockout, Rate Limit, VLAN Reconfigure, Basic Local Mirror).
Devices: 1600/2400/4000/8000; 2524, 2512; 2510; 2626, 2650, 2608; 4100, 6100; 3400/5300*; 2800, 2810; 6400; 9300/9400; 3500/5400/6200; 8100; 4200; 2900; 530 Access Point (est. June 2007); 5300 WESM (est. May 2007); 5400 WESM (est. May 2007); 7000 WAN Router.
(The per-device cell values of the matrix are not present in the transcription.)

Range of IDM/NI Policy Actions
IDM Policy Actions and Network Immunity Policy Actions (the two columns are merged in the transcription): Port Shutdown, Block User, VLAN, Rate Limit, QoS, ACL, MAC Lockout, VLAN, Rate Limit.
Configuration Rules:
1. Users should configure only one Policy Control (IDM or NI) for any Policy Action.
2. If a user configures both IDM and NI to control the same Policy Action, the IDM Policy takes precedence (the NI action will not be taken, but the conflict will be logged).

Creating A NI Policy
(Screenshot slide; the three numbered steps are Policies, Alerts, Actions.)

Network Immunity User Interface (screenshot slides, titles only)
- Configuring Policy Times
- Configuring Policy Locations
- Configuring Policy Targets
- Creating Policy Alert
- Assigning Policy Action
- Viewing Policies
- Viewing Policy History
- Viewing Events
- Viewing Alternate Action
- Network Immunity Dashboard
- NI Security Activity Tab
- NI Security Activity Tab: Offenders

NI Heat Map
- Mapping by Severity. Total Security Alerts by Severity: Critical, Major, Minor, Warning.

Regulatory Compliance Assistance
Built-in comprehensive reports provide immediate visibility and assistance with regulatory compliance (available July 2007).
- ProCurve Manager Plus Reports: Device Security History Report, Device Access Security Report, Port Access Security Report, Password Policy Compliance, Current Credentials Report
- Network Immunity Manager Reports: Security Policy Action Report, Security Events History Report, Security Heat Map Report, Offenders Tracking Report
- Identity Driven Manager Reports: User Unsuccessful Login Report, User Session History, User MAC Address Report
For a full list of reports planned for availability in Summer 2007, please refer to the ProCurve Network Immunity Manager Solutions Guide.

Summary of Key Features
ProCurve Network Immunity Manager v1.0 provides:
- An affordable, scalable, and easily manageable solution delivering per-port intrusion detection
- Responses to stop malicious network traffic at the EDGE of both the wired and wireless networks
- The ability for users to define policies, collect security events, monitor threats and automate mitigations