ProCurve Network Immunity
Hans-Jörg Elias, Key Account Manager, hans-joerg.elias@hp.com
2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
  ProCurve Security Framework
  Network Immunity Solution Overview
  Network Immunity Features
  Network Behavioral Anomaly Detection
  Network Immunity User Interface

www.hp-user-society.de
Network Security Framework
  Access Control: prevents security breaches by controlling which users have access to systems and how they connect in a wired/wireless network
  Secure Infrastructure: protection of network components, prevention of unauthorized overrides of mandated security provisions, and privacy measures
  Network Immunity: defends the network from malicious attacks, monitors behavior, and applies security information intelligence
  (Diagram: Access Control, Network Immunity and Secure Infrastructure make up ProActive Defense, alongside Regulatory Compliance, on the Adaptive EDGE Architecture)
  ProActive Defense emphasizes a standards-based foundation

ProCurve ProActive Defense
  The network contains valuable resources which require many types of access, all of which need to be secure
  Access Control proactively identifies and assesses users and devices connecting to the network
  Network Immunity provides defense by monitoring sensors throughout the network and responding to threats
  Command from the Center provides centralized control for the intelligent edge
  (Diagram: Uncontrolled Access, Authenticated Access and Trusted Access; Integrated Access and Infrastructure Management covering Business Policy, Policy Control, Validation, Forensics, Statistics and Alerts; Command from the Center)
ProCurve Security Architecture
  (Diagram: Prevent/Protect before a security breach; Detect during a security breach; Respond to mitigate a security breach; all under Centralized Management)

Network Immunity Solution Overview
  ProCurve PCM v2.2 Plus with NI Manager: Intrusion Response, Intrusion Detection, Security Activity Dashboard, Location-based Policy Enforcement, Built-in Network Behavior Anomaly Detection (NBAD), Alert Suppression, Offender Tracking, Security Heat Map, Threat Mitigation, Reporting
  Edge Defense on the ProCurve Network Edge: Quarantine, Bandwidth Rate Limiting, Attacker MAC Lockout, Attacker Port Shutdown, Copy Suspicious Traffic to IDS, Email Alert Notification
  Third-party Security Devices: Inline Prevention, Passive Detection, UTM, Suspect Traffic
Network Immunity Terminology
  Network Behavioral Anomaly Detection (NBAD): analysis is performed on traffic metrics such as those from sFlow, XRMON, and counters in ProCurve devices to detect internal threats
  Traffic Metrics: consists of sFlow, XRMON and Port Statistics data compiled by the traffic manager within PCM v2.2
  False Positives: valid network traffic that often looks like an anomaly to a network management product, such as the activity of a virus or worm. ProCurve False Positive Avoidance (FPA) algorithms within the NBAD engine assist NI Manager in reducing false positives.
  Security Heat Map: displays the number of security alerts for each device in the map

Network Immunity Terminology (Continued)
  Intrusion Detection System (IDS): an intrusion detection system is used to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall
  Intrusion Prevention System (IPS): an extension of intrusion detection (IDS) technology, but actually another form of access control, like an application-layer firewall
  Unified Threat Management (UTM): a term used to describe network firewalls that combine many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall
Network Immunity Manager Overview (Continued)
  The core functionalities are Threat Detection, Threat Mitigation and Security Management
  The Network Immunity Manager requires PCM+ 2.2
  Bundled on the PCM+ 2.2 CD, the Network Immunity Manager is enabled with a separately purchased license key
  NI Manager is available for free with PCM+ 2.2 for a 30-day trial period

NI Solution Components
  The ProCurve Network Immunity Solution is comprised of the combination of ProCurve products:
    ProCurve Manager Plus 2.2
    ProCurve Network Immunity Manager 1.0
    ProCurve switches from the intelligent switch series
  Implemented together with third-party UTM/IPS/IDS devices such as:
    Cisco IPS 4200 series (supported in May 2007)
    Fortinet UTM appliances (supported in June 2007)
    Sonicwall UTM products (supported in July 2007)
NI Manager Features
  Threat Detection: Network Visibility, Multiple Intrusion Detection Methods, Offender Tracking, Remote Monitoring, Security Heat Map, Internal Threat Detection
  Threat Mitigation: Group-Based Policy Enforcement, Multiple Threat Mitigations, Reduces False Positives, Chain of Actions, Wireless Support

NI Manager Features (Continued)
  Security Management: Policy Management, Security Event Aggregation and Suppression, Security Dashboard, Exempt List, Configuration Cleanup, Security Auditing, Group-Based Policy Enforcement, ProCurve Manager Integration, Reports
How NI Manager Works
  (Diagram, Security Management Lifecycle: Define Security Policy; Network Discovery and Topology Mapping; Traffic Monitoring and Traffic Alerts; Threat Detection from ProCurve Wired and Wireless Devices, Built-in NBAD and 3rd-party Security Devices; Threat Mitigation (Edge Defense); Policy Compliance; Security Activity Reporting; Incident Investigation and Auditing Reports; Refine Policy)

NBAD Overview
  Network behavior anomaly detection (NBAD) is the continuous monitoring of a network for unusual events or trends
  NBAD tracks critical network characteristics in real time and generates an alert if a strange event or trend is detected
  Analysis is performed on traffic metrics from ProCurve switches to detect internal threats
  Accepts attack alerts from Virus Throttle technology embedded in select ProCurve switches
  Accepts alerts from select 3rd-party IDS/IPS/UTM security devices
How NBAD Works
  (Diagram)

How NBAD Works (Continued)
  (Diagram)
How NBAD Works (Continued)
  (Diagram)

NBAD Malicious Behavior Table
  Behavior: Duplicate IP
    Data points: MAC address, IP address, time window
    Violation triggering condition: one IP appearing from more than one MAC within the specified time window
    Sensitivity to time window: 1 = 10 min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.
  Behavior: Spoofed IP
    Data points: MAC address, IP address, time window
    Violation triggering condition: one MAC with more than one IP appearing within the specified time window
    Sensitivity to time window: 1 = 10 min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.
  Behavior: IP Fan-Out
    Data points: source IP address, destination IP address
    Violation triggering condition (as printed on the slide): one source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window
    Sensitivity to fan-out size: 1 = 259 IPs, 2 = 128, 3 = 96, 4 = 32, 5 = 3
NBAD Malicious Behavior Table (Continued)
  Behavior: TCP/UDP Fan-Out
    Data points: source IP address, destination TCP/UDP ports (per destination IP address)
    Violation triggering condition: one source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window
    Sensitivity to fan-out size: 1 = 259 IPs, 2 = 128, 3 = 10, 4 = 5, 5 = 2
  Behavior: Average Packet Size Deviation
    Data points: host IP address, average packet payload size in bytes
    Violation triggering condition: occurs when the engine detects a statistically unusual change in the average size of sent and/or received packets
    Trigger: the new average packet size is more than 3 standard deviations away from the current average packet size
  Behavior: Protocol Anomaly
    Data points: host IP address, host packet contents
    Violation triggering condition: occurs when the host sends traffic containing unusual properties that would not normally be expected to occur on the network
    Trigger: any packet matching the approximately 30 anomalous behaviors defined for this engine immediately creates an event

What NI Manager Detects
  The Network Immunity Manager has been tested to detect the following:
  Protocol Anomalies
    Port scanning techniques:
      Xmas Tree Scan: sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set
      NULL Scan: turns off all flags, creating a lack of TCP flags
      FIN Scan: the FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshake
    Denial of Service:
      UDP Bomb: an illegally sent User Datagram Protocol (UDP) packet
      Land Attack: an attack involving IP packets where the source and destination address are set to address the same device
      Ping of Death: sends a malformed or otherwise malicious ping to a computer
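As an added example (not ProCurve's code), the following Python models the Duplicate IP, Spoofed IP, TCP/UDP Fan-Out and Average Packet Size Deviation rules from the NBAD Malicious Behavior tables above, run over constructed sFlow-style flow samples. The sensitivity-to-threshold mappings are those printed on the slides; treating the fan-out size as an inclusive threshold and counting ports over the whole sample rather than a time window are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Sensitivity tables as printed on the slides (level -> window in minutes / fan-out size).
TIME_WINDOW_MIN = {1: 10, 2: 15, 3: 60, 4: 180, 5: 1440}
TCP_UDP_FAN_OUT = {1: 259, 2: 128, 3: 10, 4: 5, 5: 2}
# Constructed sFlow-style samples: (minute, src_mac, src_ip, dst_ip, dst_port).
FLOWS = [
    (0, "aa:01", "10.0.0.5", "10.0.0.9", 80),
    (4, "aa:02", "10.0.0.5", "10.0.0.9", 80),    # same IP, second MAC, 4 min later
    (1, "bb:01", "10.0.0.7", "10.0.0.9", 443),
    (30, "bb:01", "10.0.0.8", "10.0.0.9", 443),  # same MAC, second IP, 29 min later
] + [(2, "cc:01", "10.0.0.6", "10.0.0.9", p) for p in range(20, 26)]  # 6 ports

def _conflicts(flows, window, key, other):
    """Values of field `key` whose flows carry more than one distinct `other`
    value within `window` minutes of each other (the Duplicate/Spoofed IP rule)."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[f[key]].append((f[0], f[other]))
    hits = set()
    for k, events in by_key.items():
        events.sort()
        for i, (t0, o0) in enumerate(events):
            if any(o != o0 and t - t0 <= window for t, o in events[i + 1:]):
                hits.add(k)
    return hits

def duplicate_ips(flows, sensitivity):
    """Duplicate IP: one IP seen from more than one MAC in the window; returns IPs."""
    return _conflicts(flows, TIME_WINDOW_MIN[sensitivity], key=2, other=1)

def spoofed_ips(flows, sensitivity):
    """Spoofed IP: one MAC carrying more than one IP in the window; returns MACs."""
    return _conflicts(flows, TIME_WINDOW_MIN[sensitivity], key=1, other=2)

def tcp_udp_fan_out(flows, sensitivity):
    """TCP/UDP Fan-Out: source IPs that reach at least the level's fan-out size of
    distinct ports on one destination IP. Assumptions: the size is an inclusive
    threshold and the whole sample is treated as one time window."""
    ports = defaultdict(set)
    for _, _, src, dst, port in flows:
        ports[(src, dst)].add(port)
    return {src for (src, _), p in ports.items() if len(p) >= TCP_UDP_FAN_OUT[sensitivity]}

def packet_size_anomaly(history, new_average):
    """Average Packet Size Deviation: trigger when the new average is more than 3
    standard deviations from the mean of `history` (a flat history triggers on any change)."""
    return abs(new_average - mean(history)) > 3 * pstdev(history)
```

Lowering the sensitivity level widens the time window, so the bb:01 host is only reported as a Spoofed IP at level 3 or above, while the six-port host trips TCP/UDP Fan-Out from level 4 (size 5) upward.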
What NI Manager Detects (Continued)
  Reconnaissance before an attack; tools: Nessus, NMAP, port scanners and ping tools
  Network-based attacks; tested to detect: DNS Tunneling, Unauthorized Network Mapping, IP Spoofing, various worm propagation techniques
  Anomalous Packet Size; designed to inform NI to sample suspicious traffic and detect some covert channels
  Mis-configured devices; tested to detect: Duplicate IPs, Rogue Routers, Rogue Proxies

NI Manager Device Support Matrix
  Detection capabilities per switch/AP: sFlow/XRMON, VT (Virus Throttle), Basic Local Mirror, Intelligent Remote Mirror
  Mitigation actions NI can take on a switch/AP: Port Shutdown, MAC Lockout, Rate Limit, VLAN Reconfigure, Basic Local Mirror
  Devices listed: 1600/2400/4000/8000; 2524, 2512; 2510; 2626, 2650, 2608; 4100, 6100; 3400/5300*; 2800, 2810; 6400; 9300/9400; 3500/5400/6200; 8100; 4200; 2900; 530 Access Point (est. June 2007); 5300 WESM (est. May 2007); 5400 WESM (est. May 2007); 7000 WAN Router
Range of IDM/NI Policy Actions
  IDM Policy Actions: Port Shutdown, Block User, VLAN, Rate Limit, QoS, ACL
  Network Immunity Policy Actions: MAC Lockout, VLAN, Rate Limit
  Configuration rules:
    1. Users should configure only one policy control (IDM or NI) for any policy action
    2. If a user configures both IDM and NI to control the same policy action, the IDM policy takes precedence (the NI action will not be taken, but the conflict will be logged)

Creating a NI Policy
  (Screenshot: steps 1 to 3 across Policies, Alerts, Actions)
Configuring Policy Times
  (Screenshot)

Configuring Policy Locations
  (Screenshot)

Configuring Policy Targets
  (Screenshot)

Creating Policy Alert
  (Screenshot)

Assigning Policy Action
  (Screenshot)

Viewing Policies
  (Screenshot)

Viewing Policy History
  (Screenshot)

Viewing Events
  (Screenshot)

Viewing Alternate Action
  (Screenshot)

Network Immunity Dashboard
  (Screenshot)

NI Security Activity Tab
  (Screenshot)

NI Security Activity Tab: Offenders
  (Screenshot)
NI Heat Map
  Mapping by severity; total security alerts by severity: Critical, Major, Minor, Warning

Regulatory Compliance Assistance
  Built-in comprehensive reports provide immediate visibility and assistance with regulatory compliance (available July 2007)
  ProCurve Manager Plus reports: Device Security History Report, Device Access Security Report, Port Access Security Report, Password Policy Compliance, Current Credentials Report
  Network Immunity Manager reports: Security Policy Action Report, Security Events History Report, Security Heat Map Report, Offenders Tracking Report
  Identity Driven Manager reports: User Unsuccessful Login Report, User Session History, User MAC Address Report
  For a full list of reports planned for availability in Summer 2007, please refer to the ProCurve Network Immunity Manager Solutions Guide.
Summary of Key Features
  ProCurve Network Immunity Manager v1.0 provides:
    An affordable, scalable, and easily manageable solution delivering per-port intrusion detection
    Responses to stop malicious network traffic at the EDGE of both the wired and wireless networks
    The ability for users to define policies, collect security events, monitor threats and automate mitigations