IBM Security Network Protection Open Mic - Thursday, 31 March 2016


Application Control and IP Reputation on the XGS Demystified

Panelists:
- Tanmay Shah, Presenter - IPS/Network Protection Product Lead
- Bill Klauke - IPS/Network Protection Product Lead
- Jeffrey DiCostanzo - AVP Leader
- Moazzam Khan - L3 Engineer
- Satishchandra Bhandurge - L2 and AVP
- Edward Leisure - L2 Knowledge Leader
- Thomas Gray, Moderator - Level 2 Support Manager

Reminder: You must dial in to the phone conference to listen to the panelists. The webcast does not include audio.
- USA toll-free: 866-803-2145
- USA toll: 1-210-795-1099
- Participant passcode: 1322112
- Slides and additional dial-in numbers: http://bit.ly/ibmopenmicxgs3-31-2016doc

NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

Agenda
- Application Control: Overview and Configuration, Use Cases, Things to remember
- IP Reputation: Overview and Configuration, Use Cases, Things to remember
- IBM X-Force Exchange/AppLoupe

Application Control Overview and Configuration

Application Control Overview and Configuration

The application control feature gives security administrators visibility into the web applications and non-web applications being used in their environments. Using the Network Access Policy, an administrator can apply granular control to identified applications for specific groups, individuals or network segments. Application control also includes the ability to filter/whitelist http/https URLs. This is a licensed feature: a valid license allows the appliance to update the application and URL category database.

The following types of application objects, when used in the Network Access Policy, allow control of the applications and websites being accessed in a network:
- Web Applications: various web-based applications grouped in different categories
- Non-Web Applications: desktop applications / specific ports-protocols
- URL Categories: http websites grouped in different categories
- URL Lists: custom http URL list
- Domain Certificate Categories: https websites grouped in different categories
- Domain Certificate Lists: custom https URL list
- IP Reputation: public IP address reputation classification

Application Control Overview and Configuration (continued)

Configuration for the Application Database (as well as the IP reputation database) is controlled through the Manage Application Database policy in SiteProtector, and through Application Database Settings under Manage -> Updates and Licensing in the LMI.

Application Control Overview and Configuration (continued)

The update server for application database updates is NOT configurable. The configuration only allows enabling Auto Update, enabling Feedback, and setting the proxy configuration. The XGS management interface needs internet access, direct or via proxy, to download the application and/or IP reputation databases. The following table lists the domain name and port combinations that should be allowed through the firewall/proxy.

XGS will submit statistical data from the device to IBM to make IP reputation classification more accurate. If enabled, IP reputation information will be included in IPS events ONLY. Ref Technote: 1964486

Application Control Overview and Configuration (continued)

Application object creation, modification or deletion is done through the Network Access Policy. License status and update version/date information can be verified from Manage -> Updates and Licensing -> Overview.

Application Control Use cases

Application Control: Use Case-1

Requirement: Allow access to social networking websites (http and https) only to Marketing users, and block it for all other users.

Note: These configuration steps assume that a remote Active Directory server is already integrated with XGS for identity information.

1 - Create URL Category, Domain Category and Identity objects in the Network Access Policy
2 - Create an outbound SSL inspection rule for the Domain Category object in the Outbound SSL Inspection policy
3 - Create access rules to allow/block access using the objects in the Network Access Policy

Application Control: Use Case-2

Requirement: Identify and block users and IP addresses using insecure file transfer protocols like ftp/tftp. Report it as an exception and send an email to the security admin to take follow-up action.

1 - Create a non-web application object for ftp/tftp traffic through the Network Access Policy
2 - Create an email alert object through the Network Access Policy
3 - Create an access rule in the Network Access Policy to drop the traffic

Application Control: Use Case-3

Requirement: Create a whitelist of specific URLs for a specific group of users (C-level), to ensure that those users are always able to access certain websites without any IPS inspection of those websites.

Note: These configuration steps assume that a remote Active Directory server is already integrated with XGS for identity information.

1 - Create URL List, Domain List and Identity objects in the Network Access Policy
2 - Create an outbound SSL inspection rule for the https websites added to the Domain List object
3 - Create an access rule in the Network Access Policy to whitelist the websites

Application Control Things to remember

Application Control: Things to remember

- XGS will only identify applications if the Network Access Policy has at least one rule based on application object(s).
- The update server configuration in Manage -> Updates and Licensing -> Update servers is irrelevant to application database updates. That also means that the application database cannot be updated through SiteProtector XUS.
- The use of large URL Lists can cause latency. To minimize the latency, limit URL Lists to 10,000 characters or less AND use no more than one of these large URL Lists in a single NAP rule. Ref Technote# 1683772
- Identifying the application that is in use requires that the sensor allow some packets to pass so that a successful connection can be established. After the connection is established, the XGS can begin analyzing Application Layer traffic. So, for drop/reject rules based on application objects, adjacent devices such as a firewall may see those initial connection packets. Ref Technote# 1968101
- If the appliance is not able to submit unknown URLs to IBM while the Enable Feedback option for the Application Database is enabled, it may result in higher disk utilization. This, in turn, could have an impact on the appliance memory utilization, because the feedback information is stored in many small files on the appliance. Though we recommend not enabling this option, if you still want to keep it enabled, be sure to monitor disk utilization. If you observe an abnormal increase, disable the option immediately and get in touch with IBM Support to receive and install a patch, which will clear those temporary files and make the disk space available.

IP Reputation Overview and Configuration

IP Reputation Overview and Configuration

Depending on the activity a malicious public IP address engages in, the IBM X-Force team classifies it as Spam, Anonymous Proxies, Dynamic IPs and/or Malware (described below) and assigns a score in the range of 1 to 100, where a higher value represents a worse reputation. The geographical location (country) of the IP address is also identified and recorded.

- Anonymous Proxies: This category contains IP addresses of web proxies (websites that allow the user to anonymously view websites). It also lists IP addresses that can be used directly to surf anonymously (e.g. by adding them to the browser configuration).
- Botnet Command and Control Server: This category contains IP addresses that host a botnet command and control server.
- Dynamic IPs: This category contains IP addresses of dialup hosts and DSL lines.
- Malware: This category lists IP addresses of malicious websites or malware-hosting websites.
- Scanning IPs: IP addresses that have been identified as illegally scanning networks for vulnerabilities.
- Spam: This category lists IP addresses that have been observed sending out spam.

IP Reputation Overview and Configuration (continued)

The feature allows configuring a score threshold for each of these categories to control policy enforcement for the related traffic. It is a licensed feature. The XGS appliance maintains a database of such malicious IP addresses, their location, their classification and their score. This database must be updated continuously to ensure that the device has the latest and most accurate information. The IP reputation feature on the XGS appliance is controlled by the Application Database Settings policy on the LMI under Manage System Settings -> Updates and Licensing, OR by the Manage Application Databases policy through SiteProtector (already discussed in the previous section).

IP Reputation Overview and Configuration (continued)

IP Reputation/Geolocation object creation, modification or deletion is done through the Network Access Policy. License status and update version/date information can be verified from Manage -> Updates and Licensing -> Overview.

IP Reputation Use cases

IP Reputation/Geolocation: Use Case-1

Requirement: After enabling IP reputation, monthly reporting identified a significant increase in the number of attacks from Sudan. We have some resellers there, so we cannot block the traffic completely, but we would like a stricter IPS policy configuration for all traffic originating from Sudan.

1 - Create a new Inspection object with protection level Paranoid through the IPS policy or the Network Access Policy
2 - Create a Geolocation object through the Network Access Policy
3 - Create a NAP rule to apply the IPS policy to traffic originating from Sudan

IP Reputation/Geolocation: Use Case-2

Requirement: Internal users should not be able to access any known anonymous proxies or IP addresses that are known/unknown anonymizers.

1 - Open the Network Access Policy
2 - Create an IP Reputation object
3 - Create a NAP rule to drop all traffic destined to IP addresses having a score of 95 or above for Anonymous Services

IP Reputation/Geolocation: Use Case-3

Requirement: Ensure that no known malware IP addresses are able to target our network by exploiting any known or unknown vulnerabilities.

1 - Create a new Inspection object with protection level Paranoid through the IPS policy or the Network Access Policy
2 - Create an IP Reputation object through the Network Access Policy
3 - Create a NAP rule in the Network Access Policy to apply the Paranoid policy to traffic to or from known malware IP addresses

IP Reputation Things to Remember

IP Reputation: Things to remember

- IP Reputation information is only populated for IPS events. If an IP address already has reputation information populated in the SiteProtector database through IPS events, then network access events for that address will have that information available as well. Ref Technote# 1961506
- If a lower score threshold is configured in an IP Reputation object, as a best practice always start with a detection rule (action Accept, response Event Log). Monitor events after the rule is created. After verifying the events, either fine-tune the rule to increase the score OR change the action to Drop/Reject.
- Identifying the application that is in use requires that the sensor allow some packets to pass so that a successful connection can be established. After the connection is established, the XGS can begin analyzing Application Layer traffic. So, for drop/reject rules based on application objects, adjacent devices such as a firewall may see those initial connection packets. Ref Technote# 1968101
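To make the rule logic of the IP reputation and geolocation use cases concrete, here is an added example (not IBM's code and not how XGS is implemented internally) of a toy ordered-rule evaluator: it scores a constructed reputation database against threshold rules and shows the recommended sequence of a detect-only rule at a low threshold followed by a drop rule at 95. The database contents, the rule fields and the country code used for Sudan are assumptions.

```python
# Added example, not IBM code: toy evaluator for XGS-style IP reputation /
# geolocation rules. Database values, rule format and names are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed reputation database: public IP -> per-category score (1..100,
# higher is worse) plus the recorded country. All values are made up.
REPUTATION_DB = {
    "198.51.100.7": {"Anonymous Proxies": 97, "country": "DE"},
    "203.0.113.42": {"Malware": 88, "Botnet Command and Control Server": 60,
                     "country": "SD"},
    "192.0.2.15": {"Dynamic IPs": 40, "country": "US"},
}


@dataclass
class ReputationRule:
    """One NAP-style rule; rules are evaluated in order, first match wins."""
    action: str                      # e.g. "accept", "drop", "inspect:paranoid"
    category: Optional[str] = None   # reputation category to match, if any
    min_score: int = 1               # score threshold for that category
    country: Optional[str] = None    # geolocation match, if any
    log_event: bool = True           # the "response event log" of the slides


def lookup(ip: str) -> dict:
    """Return the reputation record for a public IP (empty if unknown)."""
    return REPUTATION_DB.get(ip, {})


def matches(rule: ReputationRule, rep: dict) -> bool:
    """A rule matches when every condition it carries is satisfied."""
    if rule.country is not None and rep.get("country") != rule.country:
        return False
    if rule.category is not None:
        score = rep.get(rule.category)
        if score is None or score < rule.min_score:
            return False
    return True


def evaluate(ip: str, rules: list) -> tuple:
    """Return (action, event_or_None) for the first matching rule.
    Traffic that matches no rule falls through to 'accept' with no event."""
    rep = lookup(ip)
    for rule in rules:
        if matches(rule, rep):
            event = None
            if rule.log_event:
                event = {"ip": ip, "country": rep.get("country"),
                         "category": rule.category,
                         "score": rep.get(rule.category) if rule.category else None,
                         "action": rule.action}
            return rule.action, event
    return "accept", None


if __name__ == "__main__":
    # Use Case-2 the recommended way: detect at a low threshold first, then drop at 95.
    detect = [ReputationRule("accept", category="Anonymous Proxies", min_score=80)]
    drop = [ReputationRule("drop", category="Anonymous Proxies", min_score=95)]
    print(evaluate("198.51.100.7", detect))   # logged, still accepted
    print(evaluate("198.51.100.7", drop))     # dropped
    # Use Case-1: stricter inspection for one country (code "SD" assumed for Sudan).
    print(evaluate("203.0.113.42", [ReputationRule("inspect:paranoid", country="SD")]))
```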

IBM X-Force Exchange/AppLoupe

IBM X-Force Exchange/AppLoupe

IBM X-Force Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly research the latest global security threats, aggregate actionable intelligence and collaborate with peers. It allows administrators to verify the current and historical IP classification and reputation score for public IP addresses. You can also verify the latest URL classification for a URL.

To report a false positive or false negative for applications, URLs or IP addresses, visit https://www.xforce-security.com/apploupe/ and click Feedback, then Give Feedback on AppLoupe.

Questions for the panel?

Now is your opportunity to ask questions of our panelists.

To ask a question now:
- Press *1 to ask a question over the phone, or
- Type your question into the IBM Connections Cloud Meeting chat

To ask a question after this presentation, you are encouraged to participate in our Forum topic about this: https://developer.ibm.com/answers/questions/254153/openmic-webcastannouncement-for-31-march-2016-app/

Where do you get more information?

Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/xgs/

More articles you can review:
- IBM developerWorks article on XGS IP Reputation Use Cases: https://ibm.biz/bdhncq
- IBM Knowledge Center: http://www.ibm.com/support/knowledgecenter/sshlhv/welcome

Useful links:
- How to Contact IBM Software Support for IBM Security
- IBM Support Portal
- Sign up for My Notifications
- Follow us:

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.