IBM Global Technology Services
© 2008 IBM Corporation
IBM Internet Security Systems. Ahead of the threat.™
Security Framework and Solutions: Proventia Network IPS
IBM Internet Security Systems
© 2007 IBM Corporation
Agenda
IBM Security Framework
Proventia Network Intrusion Protection System
Q & A session
The information security capability reference model
IBM Information Security Framework (Enterprise Information Management & Privacy)
The eight themes:
– Governance
– Privacy
– Threat mitigation
– Transaction and data integrity
– Identity and access management
– Application security
– Physical security
– Personnel security
IBM Information Security Framework
The eight themes are described through a number of capabilities.

Application security
Application development environment
• Secure coding practices
• Operational application support environment
• Design patterns
Systems development lifecycle (SDLC)
• Security in the SDLC process

Personnel security
Workforce security
• Employment lifecycle management
• Awareness and training
• Code of conduct

Privacy
Data, rules and objects
• Privacy data taxonomy and classification
• Privacy business process model
• Data usage compliance process
Policy, practices and controls
• Policy taxonomy and glossary
• Policy rules definitions
• Privacy impact assessment (proactive)
• Privacy audit (reactive)
• Awareness and training
Privacy and information management strategy
• Define privacy information strategy
• Requirements and compliance process
• Incident response

Transaction and data integrity
Secure storage
• Data retrieval
• Data storage protection
• Data destruction
• Archiving
Systems integrity
• Security in systems management
• Security in business continuity planning
Business process transaction security
• Fraud detection
• Data transaction security
Database security
• Database configuration
• Master data control
Message protection
• Public key infrastructure
• Message protection security

Threat mitigation
Vulnerability management
• Standard operating environment
• Patch management
• Vulnerability scanning and assessment
Incident management
• Incident management
• Event correlation
• Forensics
Network segmentation and boundary protection
• Network zone management and boundary security infrastructure
• Remote access infrastructure
• Intrusion defense
• Network security infrastructure
Content checking
• Virus protection
• Content filtering

Governance
Compliance program
• Regulatory compliance
• Technical, policy and standards compliance
• Health checking
• Internal audit and response
Security risk management framework
• Threat risk assessment
• Information asset profile
• Project risk assessment
• Security risk management
Strategy
• Information security policy
• Enterprise security architecture
Governance framework
• Governance structure
Information security advisory
• Consulting and advisory services

Identity and access management
Identity lifecycle management
• User provisioning
• Other entity provisioning
• Identity credential management
Identity proofing
• Background screening
• Identity establishment
Access management
• Single sign-on
• Authentication services
• Access control services

Physical security
Physical asset management
• Asset management
• Document management
Site security
• Site planning
• Site management
IBM Security in action – PCI Data Security Standard
Payment Card Industry (PCI) is a global security standard created by the major credit card brands to reduce risks and protect consumers’ personal information.
PCI as a blueprint to a more secure enterprise.
Delivering security solutions to help address compliance concerns.
IBM Services, Software and Hardware:
Only IBM has solutions to address all 12 PCI requirements
Strengths of IBM ISS
IBM ISS Virtual Patch Technology
Virtual Patch™ technology for vulnerabilities:
– Shields the vulnerability from being exploited
– Eliminates emergency patching
– Removes the risk of rushed patching
– Enables the vendor patch to be applied during normal maintenance windows (the host still needs the real patch; the virtual patch only blocks the network attack path)
– Stops malicious attacks before they impact your business
Preemptive Protection (Getting Ahead of the Threat)
How is it different from “reactive” security and “zero day” protection?
Consider a leaky roof in a rainstorm. The holes in the roof are like vulnerabilities. “Reactive” security is like examining individual raindrops after they’ve already come through a hole in your roof.
“Zero day” protection is simply reactive security hurried up. It provides a patch (often for just a specific type of raindrop) sometime during a 24-hour period when the chance of rain is virtually 100%.
Preemptive security is a vulnerability-based security approach. Intensive research is applied to discover the hole in the roof (vulnerabilities in software). A patch is applied to the hole to protect against any kind of rain, all while the sun’s still shining (often weeks or months ahead of an attack).
Pre-Emption (Staying Ahead of the Threat): What’s the Difference?
Protecting against exploits is reactive:
– Too late for many
– Variants undo previous updates
– Typical of antivirus and most IDS/IPS vendors
Protecting against vulnerabilities and behaviors is proactive:
– Stops threat at source
– Requires advanced R&D
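The exploit-versus-vulnerability distinction above (and the “vulnerability centric” PAM claim in the key takeaways) is easiest to see on actual traffic. The following is an added example written for this page, not ISS or IBM code and not how PAM is implemented: it defines a hypothetical length-prefixed request format, assumes a server that copies the name field into a 64-byte buffer without a length check, and compares an exploit-byte signature (matching one public exploit’s NOP sled and marker, constructed here) with a check on the vulnerability condition itself. The sample messages are constructed for the example; a re-encoded variant of the exploit slips past the byte signature but still trips the length check, and so does a fuzzer-style payload that no signature has been written for.

```python
"""Exploit-signature matching vs. vulnerability-condition checking.

Added example, not ISS/IBM code. The protocol, the buffer size, the
exploit signature and the sample messages are all constructed here.
"""
import struct

# Hypothetical request format: 4-byte magic, 2-byte big-endian name
# length, then the name bytes.
MAGIC = b"RQ01"

# Assumed server-side flaw: the name is copied into a 64-byte stack
# buffer without a length check, so any name longer than 64 bytes
# overflows it. This number is the vulnerability condition.
SAFE_NAME_LEN = 64

# Exploit-based signature: the byte pattern of the first public exploit
# (a 16-byte NOP sled followed by a marker). Constructed for this example.
EXPLOIT_SIGNATURE = b"\x90" * 16 + b"EXPL"


def build_request(name: bytes) -> bytes:
    """Encode a request in the hypothetical format."""
    return MAGIC + struct.pack(">H", len(name)) + name


def parse_request(msg: bytes):
    """Return the name field, or None if the message is not well-formed."""
    if len(msg) < 6 or msg[:4] != MAGIC:
        return None
    (name_len,) = struct.unpack(">H", msg[4:6])
    name = msg[6:6 + name_len]
    if len(name) != name_len:
        return None  # truncated on the wire
    return name


def exploit_signature_match(msg: bytes) -> bool:
    """Reactive detection: flags only traffic carrying the known exploit bytes."""
    return EXPLOIT_SIGNATURE in msg


def vulnerability_condition_match(msg: bytes) -> bool:
    """Vulnerability-centric detection: parse the protocol and flag any
    request whose name field would overflow the fixed-size buffer,
    whatever bytes the attacker chose to fill it with."""
    name = parse_request(msg)
    return name is not None and len(name) > SAFE_NAME_LEN


# Constructed traffic samples.
SAMPLES = {
    # Ordinary request.
    "benign": build_request(b"alice"),
    # Longest legal name: exactly at the buffer boundary, must not alert.
    "benign_long_ok": build_request(b"A" * SAFE_NAME_LEN),
    # The exploit the signature was written from.
    "original_exploit": build_request(b"\x90" * 16 + b"EXPL" + b"\x41" * 100),
    # Same overflow, different sled and marker: evades the byte signature.
    "variant_encoded": build_request(b"\x90\x41" * 8 + b"expl" + b"\x42" * 100),
    # Fuzzer-style junk that still overflows the buffer.
    "fuzzed_crash": build_request(b"\xff" * 300),
}


def classify(samples=SAMPLES):
    """Return {name: (exploit_signature_hit, vulnerability_condition_hit)}."""
    return {
        label: (exploit_signature_match(msg), vulnerability_condition_match(msg))
        for label, msg in samples.items()
    }


if __name__ == "__main__":
    for label, (sig, vuln) in classify().items():
        print(f"{label:18s} exploit-signature={sig!s:5s} vulnerability-check={vuln}")
```

The byte signature catches exactly one of the three overflowing messages, which is why each new variant needs a new signature update; the vulnerability check catches all three and stays quiet on the 64-byte boundary case. The price of the second approach is the protocol parser: the sensor has to decode the format far enough to evaluate the condition, which is the research and engineering investment the slide refers to.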
Vendor Patching is an Unmanageable Arms Race
Window between vulnerability (patch release) and exploit:

Bulletin   Patch date      Worm / exploit                 Exploit date    Window
MS02-039   July 24, 2002   Slammer (SQL Server, DoS)      Jan 25, 2003    185 days
MS03-026   July 16, 2003   MS Blaster (DCOM RPC, DoS)     Aug 11, 2003    26 days
MS04-011   Apr 13, 2004    Sasser (LSASS, restart)        Apr 30, 2004    17 days
MS05-039   Aug 9, 2005     Zotob (PnP, TCP 445)           Aug 13, 2005    4 days

Source: Microsoft Security Center
MS Plug and Play / Zotob Timeline
ISS (Virtual Patch) track:
– 4/13/2005: ISS implements protection for the MS PnP vulnerability in ISS products. ISS’ Virtual Patch protection begins.
– 8/9/2005: Microsoft publicly announces the vulnerability and the availability of a patch.
– 8/11/2005: Plug and Play exploits become public.
– 8/13/2005: Zotob bot runs rampant and causes damage to organizations worldwide. ISS customers have been protected since 4/13/2005.
Other vendors’ track:
– 4/13/2005: Others do not have internal research to find and understand vulnerabilities; therefore they have no knowledge of the MS Plug and Play vulnerability.
– 8/9/2005: Others claim “preemptive protection” through broad blocking and alerting methods which are prone to false positives and false negatives.
– 8/11/2005: Plug and Play exploits become public.
– 8/13/2005: Zotob bot propagates; some competitors see the bot but none of the (many) variants, resulting in continuous updates offering little to no zero-day coverage.
– 8/16/2005: Exploit-based signatures are released to reactively protect against the Zotob bot.
Effective IPS Technology
IPS Evaluation Criteria
Protection capability
Network performance
Security research and intelligence
Management
IBM ISS Platform Differentiators
The power to deliver the most advanced internet security in the world:
– ISS X-Force™ Security R&D: the world’s leading enterprise security R&D organization
– ISS Security Operations: global security operations center (infrastructure monitoring)
– ISS Protection Platform: end-to-end preemptive security solutions
– Integrated security
IBM ISS Protection & Research
IBM ISS IPS superior – Protection
– Analyzes many network protocols (177 protocols) to detect and block attacks completely and accurately
– Provides a full set of IPS solutions at the gateway, network and host
– Management components give administrators maximum support
IBM ISS IPS superior – Research
– X-Force R&D
• Stops attacks before they happen
• Monitors the global security situation through Managed Security Services (MSS)
• www.iss.net
X-Force Research - Advisories
Frost & Sullivan Company of the Year
Leader in IPS Sales
Source: World Intrusion Detection and Prevention
Systems Markets - Frost & Sullivan
Market Leadership: 2006-2007 Awards
Frost & Sullivan Awards:
– IDS/IPS Market Leadership Award
– Vulnerability Assessment Market Leadership Award
– Managed Security Services Customer Service Innovation Award
– Global Market Leadership
IBM ISS
Enterprise Security Solution
Proventia Network MFS
MX5110, MX5008, MX4006, MX3006, MX1004, MX0804
“All-in-One” Protection Appliance
- IDS/IPS
- FW / VPN
- AntiVirus (signature & behavioral)
- AntiSpam
- Web Filter
Proventia ADS Series
“Anomaly/Behavioral” Protection and Network Visibility Appliances
Proventia Desktop
“All-in-One” Protection Agent
- Firewall
- Virus Prevention System
- Intrusion Protection
- VPN Enforcer
- Buffer Overflow Protection
Proventia Network IPS
Preemptive Security for Enterprise Networks
Baby-G, GX4002, GX4004, GX5008, GX5108, GX5208, GX6116
Proventia Server
“Multi-layered” Protection Agent
– Windows
– Linux
RealSecure Server Sensor
– Windows
– Solaris
Proventia Network Intrusion Protection System
11/02/2008
Network Security Challenges
Service outages due to denial-of-service attacks
Unauthorized access to network resources
Exponentially increasing number of required software patches
Increasing requirements to demonstrate compliance
Lack of qualified in-house information security specialists
Detection vs. Prevention
Intrusion Prevention
Intrusion Prevention Systems:
Block malicious and unwanted traffic that other technologies cannot recognize: bots / Trojans / worms / spyware / P2P / IM / DoS.
Complement patch management by shielding newly disclosed vulnerabilities until the hosts are patched.
Firewall & NIPS comparison: The Airport Analogy
Firewall:
– Like Immigration at the airport
– Controls WHO & WHEN an entity is permitted to enter or leave
– Based on the passport (addresses, ports and protocols in the packet headers)
Network Intrusion Prevention System:
– Like Customs at the airport
– Controls WHAT & HOW is permitted to enter or leave
– Based on what you bring/carry (the content of the traffic)
Model     Ports   Throughput
GX3002    2       10 Mbps
GX4002    2       200 Mbps
GX4004    4       200 Mbps
GX5008    8       400 Mbps
GX5108    8       1.2 Gbps
GX5208    8       2 Gbps
GX6116    16      6 Gbps
Block network attacks
Help address patching problems
Deployment Considerations

Model    Typical deployment   Form factor   Throughput   Concurrent sessions   Redundant power supplies   Redundant storage   Hardware-level bypass   Inline IPS segments
GX3002   Remote office        Desktop       10 Mbps      220,000               No                         No                  Yes                     1
GX4002   Remote office        1U            200 Mbps     1,200,000             No                         No                  Yes                     1
GX4004   Network perimeter    1U            200 Mbps     1,200,000             No                         No                  Yes                     2
GX5008   Network perimeter    2U            400 Mbps     1,200,000             Yes                        Yes                 Yes*                    4
GX5108   Network core         2U            1.2 Gbps     1,450,000             Yes                        Yes                 Yes*                    4
GX5208   Network core         2U            2 Gbps       1,800,000             Yes                        Yes                 Yes*                    4
GX6116   Network core         2U            15 Gbps      4,600,000             Yes                        Yes                 Yes*                    4

* Requires external bypass unit
Network Protection - Deployment
Proventia Network IPS Security (this slide repeats the MS Plug and Play / Zotob timeline shown earlier)
NIPS provides Administrative Benefits
Patching is part security management and part system administration.
Consider a company that takes half a man-day to patch a server:
– 1000 servers will take them 500 man-days
A NIPS will block attacks targeting unpatched servers, so the administrator can schedule patching at a convenient time:
– When the patch is available for download
– After the patch has been tested on test servers
– When no issues have been found between the patch and business applications
Protocol Analysis Module (PAM)
Importance of VoIP security
VoIP security solution?
VoIP demo
Proventia Network IPS Security
Backed by the industry-leading X-Force® research and development team:
Original Vulnerability Research
Public Vulnerability Analysis
Malware Analysis
Threat Landscape Forecasting
Protection Technology Research
Proventia Network IPS Ease of Use
Three management interfaces:
– SiteProtector
– Proventia Manager (Web-based)
– Command line interface
“Trust X-Force” Default Blocking automatically enables new security content
Granular security policy control (based on device, port, VLAN or IP)
Attack traffic logging support
Integrates with SNMP-based health monitoring systems
Proventia Network IPS Reliability
Automatic Bypass Operation allows all traffic to pass (fail-open: traffic is forwarded uninspected until the appliance recovers) in the event of:
– Hardware failure
– Power failure
– Software crash
Redundant components*:
– Hard drives
– Power supplies
– Cooling fans
* Available in GX5008, GX5108, GX5208, and GX6116
Proventia Network IPS Redundancy
High Availability: support for non-asymmetric routing
(diagram: Internet, SWITCH, SWITCH)
Proventia Network IPS Redundancy
High Availability: support for asymmetric routing
Proventia Network IPS Deployment
Three Operating Modes:
Proventia Network IPS Management
Browser-based local management interface (LMI)
Central Management through Proventia Management SiteProtector:
– Simple, powerful configuration and control
– Robust reporting, customized event viewing and event correlation
– Comprehensive alerting and response options
– Scheduled data retention to be used for compliance efforts
– Highly scalable to accommodate hundreds of Proventia Network IPS appliances and other ISS solutions
Pull-down list provides a means for the user to change view; it replaces the tabs currently used in SiteProtector
Right click on any Events for details
Increased productivity
Console Consolidation
Lower TCO sets up quicker ROI
Still decentralized command and control
Significantly reduces operational cost
Proventia Network IPS Management
Command and Control
– SiteProtector™
– Proventia Manager (LMI)
– Command Line Interface
Policy Management
– Policy per Device
– Policy per Port
– Policy per VLAN Tag
– Policy per IP Address / Range
– Support for Custom / SNORT Rules
Intrusion Responses
– Block
– Ignore
– Log
– Quarantine
– SNMP
– User Defined
Logging
– Attack Packet Logging
IBM ISS Awards
NSS Tested and Certified: ISS awarded 11 times

ISS Product               Date    Category   Award
Proventia GX6116 V2.2     04/08   IPS        Approved
Proventia GX5108 V1.3     08/06   IPS        Approved
Proventia GX4004 V1.3     06/06   IPS        Approved
Proventia M50 V3.2        10/05   UTM        Approved
Proventia A604            03/05   IDS        Approved
Proventia G200 RevA       01/04   IPS        Approved
RSN Gigabit 7.0           08/03   Gig IDS    Approved
Proventia A201            08/03   IDS        Approved
RSN 7.0 Gigabit Sensor    12/02   Gig IDS    Approved
RSN 7.0                   07/02   IDS        Approved
RSN 5.0                   12/01   IDS        Approved

No product or signature updates are allowed during the tests.
http://www.nss.co.uk/certification/tested.htm
IBM is Leader in IDS/IPS Market for 2007
Proventia Network IPS Confidence
“All in all, Proventia continues to be one of the most consistently accurate IDS/IPS systems we have tested.”
- Bob Walder, Director, The NSS Group (www.nss.co.uk)
“We have a number of IBM Proventia appliances and have found them to function flawlessly in terms of performance.”
- John Libbeter, Capita Business Services
“The Proventia Network Intrusion Prevention System provides the granularity that is required to protect, without interfering with business processes.”
- Eric Ayotte, Network Security Solutions Group, M&T Bank Corporation
Questions to Consider
Are you able to patch every system in your network every time a new vulnerability is announced?
Is there confidential information stored on computers within your network?
What would be the impact on your firm’s business operations if your network went down?
Does your organization have the security expertise required to defend against attacks, investigate and remediate breaches, and demonstrate compliance?
Key Takeaways
IBM Proventia Network IPS
– Block network attacks
– Help address patching problems
PAM – Protocol Analysis Module – vulnerability centric
IBM is Market Leader for IDS/IPS for 2005, 2006, 2007
IBM integrates network and host based solutions to provide a unified solution to customers
IBM end-to-end preemptive protection provides a value proposition that significantly aids deployment and management of security infrastructure.
Thank you!