IT-Symposium 2007 18.04.2007
www.hp-user-society.de 1
© 2007 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
ProCurve Network Immunity
Hans-Jörg Elias
Key Account Manager
Agenda
• ProCurve Security Framework
• Network Immunity Solution Overview
• Network Immunity Features
• Network Behavioral Anomaly Detection
• Network Immunity User Interface
Network Security Framework
• Access Control—Prevents security breaches by controlling which users have access to systems and how they connect in a wired/wireless network
• Secure Infrastructure—Protection of network components, prevention of unauthorized overrides of mandated security provisions, and privacy measures
• Network Immunity—Defends the network from malicious attacks, monitors behavior, and applies security information intelligence
[Diagram: ProActive Defense – Adaptive EDGE Architecture – Regulatory Compliance; pillars: Access Control, Network Immunity, Secure Infrastructure]
ProActive Defense emphasizes a standards-based foundation
ProCurve ProActive Defense
The network contains valuable resources that require many types of access, all of which need to be secure.
• Access Control proactively identifies and assesses users and devices connecting to the network
• Network Immunity provides defense by monitoring sensors throughout the network and responding to threats
• Command from the Center provides centralized control for the intelligent edge
[Diagram: access levels Uncontrolled Access, Authenticated Access, Trusted Access; Command from the Center – Integrated Access and Infrastructure Management, with Policy Control, Statistics, Alerts, Business Policy Validation and Forensics]
ProCurve Security Architecture
Prevent/Protect – before a security breach
Detect – during a security breach
Respond – mitigate a security breach
Centralized Management
Network Immunity Solution Overview
[Diagram: suspect traffic at the ProCurve Network Edge → Intrusion Detection → Intrusion Response (Edge Defense)]
ProCurve PCM v2.2 Plus w/NI Manager:
• Security Activity Dashboard
• Location based Policy Enforcement
• Built-in Network Behavior Anomaly Detection (NBAD)
• Alert Suppression
• Offender Tracking
• Security Heat Map
• Threat Mitigation
• Reporting
Third Party Security Devices:
• Inline Prevention
• Passive Detection
• UTM
Intrusion Response (Edge Defense):
• Quarantine
• Bandwidth Rate limiting
• Attacker MAC lockout
• Attacker Port Shutdown
• Copy suspicious traffic to IDS
• Email Alert
• Notification
Network Immunity Terminology
• Network Behavioral Anomaly Detection (NBAD):
– Analysis is performed on traffic metrics such as those from sFlow, XRMON, and counters in ProCurve devices to detect internal threats
• Traffic Metrics:
– Consists of sFlow, XRMON and Port Statistics data compiled by the traffic manager within PCM v2.2
• False Positives:
– Valid network traffic that a network management product may mistake for an anomaly, for example because it resembles virus or worm activity. ProCurve False Positive Avoidance (FPA) algorithms within the NBAD engine help NI Manager reduce false positives.
• Security Heat Map:
– Displays the number of security alerts for each device in the map
Network Immunity Terminology (Continued)
• Intrusion Detection System (IDS):
– An intrusion detection system is used to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.
• Intrusion Prevention System (IPS):
– An extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application layer firewall
• Unified Threat Management (UTM):
– A term used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall
Network Immunity Manager Overview (Continued)
• The core functionalities are Threat Detection, Threat Mitigation and Security Management
• The Network Immunity Manager requires PCM+ 2.2
• Bundled on the PCM+ 2.2 CD, the Network Immunity Manager is enabled with a separately purchased license key
• NI Manager is available for free with PCM+ 2.2 for a 30-day trial period
NI Solution Components
The ProCurve Network Immunity Solution combines the following ProCurve products:
• ProCurve Manager Plus 2.2
• ProCurve Network Immunity Manager 1.0
• ProCurve switches from the intelligent switch series
Implemented together with third party UTM/IPS/IDS devices such as:
• Cisco IPS 4200 series (supported in May 2007)
• Fortinet UTM appliances (supported in June 2007)
• Sonicwall UTM products (supported in July 2007)
NI Manager Features
• Threat Detection
– Network Visibility
– Multiple Intrusion Detection Methods
– Offender Tracking
– Remote Monitoring
– Security Heat Map
• Threat Mitigation
– Internal threat detection
– Group Based Policy Enforcement
– Multiple Threat Mitigations
– Reduces False Positives
– Chain of Actions
– Wireless Support
NI Manager Features (Continued)
• Security Management
– Policy Management
– Security Event Aggregation and Suppression
– Security Dashboard
– Exempt List
– Configuration Cleanup
– Security Auditing
– Group Based Policy Enforcement
– ProCurve Manager Integration
– Reports
How NI Manager Works
[Diagram: Security Management Lifecycle]
Inputs:
• ProCurve Wired & Wireless Devices with built-in NBAD
• 3rd Party Security Devices
• Network Discovery & Topology Mapping
• Traffic Monitoring & Traffic Alerts
Lifecycle stages:
• Define Security Policy
• Threat Detection
• Threat Mitigation (Edge Defense)
• Incident Investigation & Auditing
• Security Activity Reporting
• Policy Compliance Reports
• Refine Policy
NBAD Overview
• Network behavior anomaly detection (NBAD) is the continuous monitoring of a network for unusual events or trends
• NBAD tracks critical network characteristics in real time and generates an alert if a strange event or trend is detected
– Analysis is performed on traffic metrics from ProCurve switches to detect internal threats
– Accepts attack alerts from Virus Throttle™ technology embedded in select ProCurve switches
– Accepts alerts from select 3rd party IDS/IPS/UTM security devices
How NBAD Works (Continued)
NBAD Malicious Behavior Table

Behavior: Duplicate IP
  Data points: MAC Address, IP Address, Time Window
  Violation triggering condition: One IP appearing from more than one MAC in the specified time window.
  Sensitivity → Time Window: 1 = O min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.

Behavior: Spoofed IP
  Data points: MAC Address, IP Address, Time Window
  Violation triggering condition: One MAC with more than one IP appearing within the specified time window.
  Sensitivity → Time Window: 1 = O min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.

Behavior: IP Fan-Out
  Data points: Source IP Address, Destination IP Address
  Violation triggering condition: One source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.
  Sensitivity → Fan-Out Size: 1 = 259 IPs, 2 = 128, 3 = 96, 4 = 32, 5 = 3

Behavior: TCP/UDP Fan-Out
  Data points: Source IP Address, Destination TCP/UDP Ports (per Destination IP Address)
  Violation triggering condition: One source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.
  Sensitivity → Fan-Out Size: 1 = 259 IPs, 2 = 128, 3 = 10, 4 = 5, 5 = 2

Behavior: Average Packet Size Deviation
  Data points: Host IP Address, Average Packet Payload Size In Bytes
  Violation triggering condition: Occurs when the engine detects a statistically unusual change in the average size of sent and/or received packets. Triggers when the new average packet size is > 3 S.D. units away from the current average packet size.

Behavior: Protocol Anomaly
  Data points: Host IP Address, Host Packet Contents
  Violation triggering condition: Occurs when the host sends traffic containing unusual properties that would not normally be expected to occur on the network. Any packet matching the approx. 30 anomalous behaviors defined for this engine immediately creates an event.
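The window- and fan-out-based rules of the table, as an added Python illustration that is not part of the presentation or of the NI Manager product: it replays constructed flow records through the Duplicate IP, Spoofed IP and IP Fan-Out rules using the sensitivity values above and applies the 3 S.D. packet-size test. The time window used for fan-out and the reading "trigger when the distinct destination count reaches the fan-out size" are assumptions; level 1 of the time-window table is illegible in the source and is left out.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Sensitivity tables transcribed from the slide (level -> threshold); time-window level 1 is illegible.
TIME_WINDOW_MIN = {2: 15, 3: 60, 4: 180, 5: 1440}
IP_FANOUT_SIZE = {1: 259, 2: 128, 3: 96, 4: 32, 5: 3}

# Constructed sample flows (not captured traffic): (minute, source MAC, source IP, destination IP).
FLOWS = [
    (0, "00:00:00:00:00:01", "10.0.0.5", "10.0.0.9"),
    (5, "00:00:00:00:00:02", "10.0.0.5", "10.0.0.9"),    # same IP, second MAC
    (0, "00:00:00:00:00:03", "10.0.0.7", "10.0.0.9"),
    (200, "00:00:00:00:00:03", "10.0.0.8", "10.0.0.9"),  # same MAC, second IP 200 min later
    (30, "00:00:00:00:00:04", "10.0.0.20", "10.0.1.1"),
    (30, "00:00:00:00:00:04", "10.0.0.20", "10.0.1.2"),
    (30, "00:00:00:00:00:04", "10.0.0.20", "10.0.1.3"),  # one source fans out to 3 hosts
]

def window_violations(events, window, max_distinct):
    """events: (time, key, value). Return the keys that were bound to more than
    max_distinct distinct values inside a sliding window of `window` minutes."""
    history = defaultdict(list)
    offenders = set()
    for t, key, value in sorted(events):
        recent = [(t0, v) for t0, v in history[key] if t - t0 <= window]
        recent.append((t, value))
        history[key] = recent
        if len({v for _, v in recent}) > max_distinct:
            offenders.add(key)
    return offenders

def duplicate_ip(flows, level):
    """One IP appearing from more than one MAC within the time window."""
    events = ((t, ip, mac) for t, mac, ip, _ in flows)
    return window_violations(events, TIME_WINDOW_MIN[level], 1)

def spoofed_ip(flows, level):
    """One MAC with more than one IP within the time window."""
    events = ((t, mac, ip) for t, mac, ip, _ in flows)
    return window_violations(events, TIME_WINDOW_MIN[level], 1)

def ip_fan_out(flows, level):
    """One source IP reaching the table's fan-out size of distinct destination IPs.
    Assumption: the slide gives no fan-out window, so the time-window table is reused."""
    events = ((t, src, dst) for t, _, src, dst in flows)
    return window_violations(events, TIME_WINDOW_MIN[level], IP_FANOUT_SIZE[level] - 1)

def packet_size_deviation(sizes, new_average):
    """Slide rule: trigger when the new average is more than 3 S.D. from the current one."""
    return abs(new_average - mean(sizes)) > 3 * pstdev(sizes)
```

Raising the sensitivity level widens the window, so the MAC that changed IP after 200 minutes is only caught at level 5; the three-host fan-out is caught at level 5 (size 3) but not at level 4 (size 32).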
What NI Manager Detects
The Network Immunity Manager has been tested to detect the following:
• Protocol Anomalies
– Port scanning techniques:
• Xmas Tree Scan – Sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set
• NULL Scan – Turns off all flags, creating a lack of TCP flags
• FIN Scan – The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshaking
– Denial of Service:
• UDP Bomb – An illegally sent User Datagram Protocol (UDP) packet
• Land Attack – An attack involving IP packets where the source and destination address are set to address the same device
• Ping of Death – Sends a malformed or otherwise malicious ping to a computer
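A defender-side classifier for the protocol anomalies listed above, added here as an illustration and not taken from the presentation or from NI Manager: it labels constructed TCP header records as Xmas Tree, NULL or FIN scans from their flag bits and flags Land-attack packets whose source and destination addresses match. The packet record layout and the "no prior SYN on this tuple" rule for recognising a FIN scan are assumptions.

```python
# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed packet records (not captured traffic): protocol, addresses, destination port, flags.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.9", "dport": 80, "flags": SYN},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.9", "dport": 80, "flags": FIN | ACK},   # normal close
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.9", "dport": 22, "flags": FIN},         # no prior SYN
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.9", "dport": 23, "flags": URG | PSH | FIN},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.9", "dport": 25, "flags": 0},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.9", "dport": 139, "flags": SYN},         # src == dst
]

def classify(packets):
    """Return (packet index, anomaly name) pairs for the anomalies named on the slide."""
    handshakes = set()          # (src, dst, dport) tuples on which a SYN has been seen
    findings = []
    for i, p in enumerate(packets):
        if p["src"] == p["dst"]:
            findings.append((i, "Land attack"))
        if p["proto"] != "tcp":
            continue
        flags = p["flags"]
        key = (p["src"], p["dst"], p["dport"])
        if flags & SYN:
            handshakes.add(key)
        if flags & URG and flags & PSH and flags & FIN:
            findings.append((i, "Xmas Tree scan"))
        elif flags == 0:
            findings.append((i, "NULL scan"))
        elif flags == FIN and key not in handshakes:
            # Assumption: a bare FIN on a tuple that never carried a SYN skipped the handshake.
            findings.append((i, "FIN scan"))
    return findings
```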
What NI Manager Detects (Continued)
• Reconnaissance before an attack:
– Tools: Nessus, NMAP, port scanners and ping tools
• Network based attacks – tested to detect:
– DNS Tunneling
– Unauthorized Network Mapping
– IP Spoofing
– Various worm propagation techniques
• Anomalous Packet Size – designed to inform NI to:
– Sample suspicious traffic
– Detect some covert channels
• Mis-configured devices – tested to detect:
– Duplicate IPs
– Rogue Routers
– Rogue Proxies
NI Manager Device Support Matrix
[Table: the extraction kept the check marks but not their column positions, so only the column headings and the device rows (with the number of check marks extracted beside each) are recoverable.]
Column headings (Switch/AP detection capabilities and mitigation actions NI can take on a switch/AP): sFlow/XRMon, VT, Intel. Remote Mirror, Basic Local Mirror, Port Shutdown, MAC Lockout, Rate Limit, VLAN, Reconfigure
Devices:
• 5400 WESM (est. May 2007) – 2
• 5300 WESM (est. May 2007) – 2
• 2510 – 5
• 530 Access Point (est. June 2007) – 1
• 2900 – 5
• 8100 – 2
• 6400 – 6
• 2800, 2810 – 5
• 3400/5300 – 7
• 1600/2400/4000/8000 – 3
• 4100, 6100 – 3
• 2626, 2650, 2608 – 4
• 2524, 2512 – 4
• 9300/9400 – 3
• 3500/5400/6200 – 8
• 7000 WAN Router – 1
• 4200 – 5
Configuration Rules:
1. Users should configure only one Policy Control (IDM or NI) for any Policy Action.
2. If a user configures both IDM and NI to control the same Policy Action, the IDM policy takes precedence (the NI action will not be taken, but the conflict will be logged).
Range of IDM/NI Policy Actions:
• IDM Policy Actions: Block User, VLAN, Rate Limit, QoS, ACL
• Network Immunity Policy Actions: Port Shutdown, MAC Lockout, VLAN, Rate Limit
VLAN and Rate Limit appear in both sets, which is where the precedence rule applies.
Creating a NI Policy
[Screenshot: three numbered steps covering Actions, Alerts and Policies]
Configuring Policy Times
Configuring Policy Locations
Configuring Policy Targets
Creating Policy Alert
Assigning Policy Action
Viewing Policies
Viewing Alternate Action
Network Immunity Dashboard
NI Security Activity Tab
NI Security Activity Tab: Offenders
NI Heat Map
Mapping by Severity
Total Security Alerts by Severity:
• Critical
• Major
• Minor
• Warning
Regulatory Compliance Assistance
• Built in comprehensive reports provide immediate visibility and assistance with regulatory compliance (available July 2007)
• ProCurve Manager Plus Reports
– Device Security History Report
– Device Access Security Report
– Port Access Security Report
– Password Policy Compliance
– Current Credentials Report
• Network Immunity Manager Reports
– Security Policy Action Report
– Security Events History Report
– Security Heat Map Report
– Offenders Tracking Report
• Identity Driven Manager Reports
– User Unsuccessful Login Report
– User Session History
– User MAC Address Report
• For a full list of reports planned for availability in Summer 2007, please refer to the ProCurve Network Immunity Manager Solutions Guide.
Summary of Key Features
• ProCurve Network Immunity Manager v1.0 provides:
– An affordable, scalable, and easily manageable solution delivering per-port intrusion detection
– Responses that stop malicious network traffic at the EDGE of both the wired and wireless networks
– The ability for users to define policies, collect security events, monitor threats and automate mitigations