
Network: Proventia Intrusion Prevention & Proventia Anomaly Detection


IBM Global Technology Services

© Copyright IBM Corporation 2007

IBM Internet Security Systems. Ahead of the threat.™

Network: Proventia Intrusion Prevention & Proventia Anomaly Detection

Ondrej Kovac Technical Sales Specialist

Michael Clark Sr. Solution Expert

IBM Internet Security Systems


Network: Proventia IPS & Proventia ADS - Agenda

Proventia IPS – Ondrej Kovac
– Market overview
– Proventia Network IPS: what's new?
– High-speed IPS – introducing the Proventia GX6116 NIPS
– SiteProtector

Proventia ADS – Michael Clark

Proventia Network Roadmap – what's new?


Security Market Overview

Security concerns
– Sabotage of business information systems
– Theft of information or IT assets
– Viruses causing productivity slowdowns
– Installation of unauthorized hardware and software
– System vulnerabilities, including unauthorized access

Compliance considerations
– Cost and legal exposure of non-compliance
– Poorly established compliance policies, processes and procedures
– Lack of effective policy monitoring and compliance reporting

Companies face sophisticated threats and vulnerabilities, and the pressure to achieve and maintain compliance – all with limited resources, time and budget.


The State of Evolving Threats

Expanding e-crime
– Big business driven by profit
– Innovation to capture new markets (victims)
– Victim segmentation and focus
– Stealth is the new "black"
– Rate of attacks is accelerating
– Form of attack is more malicious
– Attacks are "designer" in nature


Uncompromising Protection…Because Not All IPS Products Are Alike



Proventia Network IPS Continuum: The Most Complete Portfolio Available

How a customer benefits from an integrated portfolio:

Better protection
• Protect each segment of the network
• Consistent naming for attacks
• Simple reporting – one system
• Automated updates – XPUs

Easy implementation
• Same GUI throughout
• Single system to manage
• Deployment services
• Managed security services
• Certified technical support

Lower cost
• Fewer resources: a single management system handles all devices
• Automation (updates, trust X-Force)
• Single reporting system
• Single process to manage security alerts



Protection for Every Layer of Your Network


Network Architecture (Deployment)

Architecture requirements
– Asymmetric/symmetric
– High availability
– Passive or inline

Performance requirements
– Bandwidth
– Connections per second
– Latency

Interface requirements
– Segments
– Copper/fiber (fixed or SFP)


3. Beyond the Perimeter – look to the network core


Proventia Network IPS Deployment

Three Operating Modes:


Proventia Network IPS Reliability

High availability: support for multiple configurations:
– Active-active
– Active-passive

Full state maintenance on failover


Proventia Network IPS Reliability

Active-active HA
– Requires an active-active network infrastructure
– Maintains your "HA" network design
– Supports asymmetrical routing
– Will not miss split attacks (attacks whose packets are spread across both paths)

Active-passive HA
– Requires an active-passive infrastructure
– The primary appliance is active and inspecting traffic
– If the primary is interrupted, the secondary appliance becomes the active link


What's new?

Proventia GX3002
– Desktop form factor
– 1 protected segment, 10/100 copper Ethernet, integrated bypass
– 10 Mbps, sub-microsecond latency

Proventia GX5008 / GX5108 SFP
– Expansion of the existing GX5 product line
– 4 protected segments, all SFP interfaces (TX copper, SX / LX fiber)

Proventia GX6116
– NPU-powered high-speed network IPS
– 8 protected segments, all SFP interfaces
– 15 Gbps throughput, 6 Gbps with full inspection
– Configurable guaranteed maximum latency


Helping Enterprises Secure Their Networks

IBM Proventia Network Intrusion Prevention System (IPS)
– Transparent, in-line network appliances block attacks while allowing legitimate traffic to flow unhindered
– Comprehensive line of models available: 10 Mbps to 15 Gbps throughput capacity, up to eight protected network segments

IBM Managed Protection Services for Networks
– Deployment
– Maintenance
– Monitoring
– Incident response


Because All "High Speed" IPS' Are Not Equal

Introducing Protection Capacity – the ability to stop threats at high speeds

[Chart: protection (0% to 100%) plotted against network throughput (3 Gbps, 6 Gbps, 15 Gbps), IBM ISS versus competition. The protected rate is marked separately from the maximum throughput; a second panel shows the GX6116's additional protection capacity above the competitive protection capacity.]

The practical check behind the chart: size an appliance on the rate at which full inspection still holds, not on the headline throughput figure. The GX6116 slide above lists 15 Gbps throughput but 6 Gbps with full inspection, and those are the two numbers this chart separates.


Proventia Network IPS Management

Command and control
– SiteProtector™
– Proventia Manager (LMI)
– Command line interface

Policy management – do it yourself / do it for me
– Policy per device
– Policy per port
– Policy per VLAN tag
– Policy per IP address / range
– Support for custom / Snort rules (TRONS signatures)

Intrusion responses
– Block
– Ignore
– Log & log evidence
– Email
– Quarantine
– SNMP
– User defined

Logging
– Attack packet logging
– TCP dump


The GX6116: Because Your Job Depends Upon the Availability and Reliability of the Network

Maximum network reliability
– Configurable maximum latency
– Passive bypass
– Active bypass
– High-availability pairs
– IDS and simulation mode
– Prioritized network availability

Designed for the security team AND the network administrator



GX6116 – Availability and Reliability

Through protection design
– 15 Gbps throughput performance
– Configurable maximum latency

Through network compatibility
– Network protocols (tagging, trunking, VoIP, streaming, jumbo frames)
– Network topology: 16 SFP ports (TX, LX, SX)
– HA designs: active-active and active-passive
– In-line or out-of-band: protection / simulation IPS, IDS, mixed

Through hardware design
– Redundant storage, power, cooling

Through hardware bypass
– Active* and passive bypass unit


GX6116 – Availability and Reliability

Through protection technology
– IBM ISS' Protocol Analysis Module identifies and analyzes more than 173 protocols and data formats
– Provides vulnerability-based protection with more than 2,000 algorithms
– Enables virtual patching…


IBM ISS Proventia Network IPS Framework

[Diagram: Proventia Network Intrusion Prevention System framework. Content sources: PAM, XPU and user-defined. Dimensions: performance and interfaces; network architecture and deployment; custom content monitoring; system protection against vulnerabilities/exploits.]


Reality check – Data Loss Prevention (DLP)

Employees will transfer data to do their jobs
– Whether IT likes it or not
– Email / Gmail / IM / YouSendIt.com…

Enterprise IT complexity grows
– Planned or unplanned
– Wireless routers / notebooks / Starbucks hotspots

Playing "catch up" with security can have devastating results


Protocol Analysis Module (PAM) (System Protection & Data Awareness)
– Compound document inspection
– Decompression: gzip, zip and rar
– XPUs: security content updates


© 2006 Internet Security Systems. All rights reserved worldwide. Contents are property of Internet Security Systems.

www.iss.net

Static Demonstration: PAM Content Analysis


DLP Content Enforcement (Enabling)


DLP Content Enforcement (Configuring)


DoS Protection from IPS

SYN flood attacks are handled by the Protocol Analysis Module (PAM) and controlled by advanced parameters. Here is the description:

The SYNFlood signature detects a TCP SYN flood attack by monitoring the number and rate of SYN packets that a server receives that do not result in an established connection. You control the triggering rate using two tuning parameters that specify the number of new connection requests and the measurement interval. Enabling this signature on Proventia G appliances running in IPS mode enables SYN flood protection. A practical check when tuning: set the request count above the server's legitimate peak of new connections per interval, otherwise ordinary load bursts will trigger the signature.

In addition to SYN floods, we also protect against other forms of DoS. We currently have 76 security events related to DoS, for example:
– SYNFlood
– Stream_DoS
– DNS_Malformed_Flood
– ICMP_Flood
– Malformed_Packet_Storm
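As an added illustration, not code from the original deck and not PAM's implementation, here is a small Python model of the detection rule the SYNFlood description gives: SYN packets a server received inside a sliding measurement interval that were not followed by the client's handshake-completing ACK are counted, and the rule fires when that count exceeds the configured number of new connection requests. The packet records and addresses are constructed, the class and parameter names are the example's own, and the handshake model is simplified to the client's SYN and its final ACK.

```python
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed TCP packet (constructed record, not a real capture)."""
    ts: float    # arrival time in seconds
    src: str     # client address
    dst: str     # server address whose SYN backlog is being protected
    flags: str   # "S" = client SYN, "A" = client's handshake-completing ACK


class SynFloodDetector:
    """Model of the SYNFlood rule: count SYNs a server received inside the
    measurement interval that were not followed by the client's ACK, and fire
    when that count exceeds the configured number of new connection requests.
    Names and structure are this example's assumptions, not PAM's internals."""

    def __init__(self, max_requests: int, interval: float):
        self.max_requests = max_requests  # tuning parameter 1: new connection requests
        self.interval = interval          # tuning parameter 2: measurement interval (s)
        self.window = deque()             # (ts, (src, dst)) for SYNs still inside the interval
        self.half_open = Counter()        # (src, dst) -> SYNs in the window with no completing ACK
        self.alerts = []                  # (ts, server, half-open count) per trigger

    def _expire(self, now: float) -> None:
        """Drop SYNs older than the measurement interval from the window."""
        cutoff = now - self.interval
        while self.window and self.window[0][0] < cutoff:
            _, key = self.window.popleft()
            if self.half_open.get(key, 0) > 0:
                self.half_open[key] -= 1
                if self.half_open[key] == 0:
                    del self.half_open[key]

    def half_open_for(self, server: str) -> int:
        """SYNs in the current window aimed at `server` that never completed."""
        return sum(n for (_, dst), n in self.half_open.items() if dst == server)

    def feed(self, pkt: Packet) -> bool:
        """Process one packet; returns True if the rule triggered on it."""
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst)
        if pkt.flags == "S":
            self.window.append((pkt.ts, key))
            self.half_open[key] += 1
        elif pkt.flags == "A":
            # The client completed its handshake, so its SYN no longer counts.
            self.half_open.pop(key, None)
        count = self.half_open_for(pkt.dst)
        if pkt.flags == "S" and count > self.max_requests:
            self.alerts.append((pkt.ts, pkt.dst, count))
            return True
        return False


def constructed_trace():
    """Constructed sample traffic: three clients that complete their handshakes,
    then twelve spoofed sources that each send a single SYN and nothing else."""
    pkts = []
    for i in range(3):
        t = 0.1 * i
        pkts.append(Packet(t, f"10.0.0.{i + 1}", "192.0.2.10", "S"))
        pkts.append(Packet(t + 0.02, f"10.0.0.{i + 1}", "192.0.2.10", "A"))
    for i in range(12):
        pkts.append(Packet(1.0 + 0.01 * i, f"198.51.100.{i + 1}", "192.0.2.10", "S"))
    return pkts


def run(max_requests: int = 10, interval: float = 1.0):
    """Replay the constructed trace through the detector and return its alerts."""
    det = SynFloodDetector(max_requests, interval)
    for pkt in sorted(constructed_trace(), key=lambda p: p.ts):
        det.feed(pkt)
    return det.alerts


if __name__ == "__main__":
    for ts, server, n in run():
        print(f"t={ts:.2f}s SYNFlood against {server}: {n} half-open SYNs in window")
```

With the defaults (10 requests per 1 s interval) the three legitimate clients never count, because their ACKs clear them, and the rule fires on the 11th and 12th spoofed SYN; raising the request count to 20 produces no alert on the same trace, which is the tuning trade-off described above.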


MPLS? Multiprotocol Label Switching (MPLS) is a data-carrying mechanism which emulates some properties of a circuit-switched network over a packet-switched network.

Our Protocol Analysis Module (PAM) can parse MPLS packets as defined by RFC 3031 and RFC 3032. The MPLS labels are ignored, and if the underlying protocols are supported by PAM (such as IPv4, IPv6, etc.) the attack will be detected and can be blocked.
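As an added example, not PAM code and not from the original deck, the following Python walks the path the slide describes: it takes an Ethernet frame carrying an MPLS label stack per RFC 3032, pops the labels (which are reported but play no part in detection), infers the inner protocol from the IP version nibble because MPLS carries no protocol field, and runs a byte-pattern match over the inner IPv4 payload. The frame, the addresses and the signature table are constructed for the example; none of the function names or the signature name come from ISS.

```python
import ipaddress
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847  # RFC 3032 unicast label stack ethertype


def parse_label_stack(data: bytes):
    """Pop label stack entries (RFC 3032: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL)
    until the bottom-of-stack bit is set. Returns (entries, bytes after the stack)."""
    entries, offset = [], 0
    while True:
        if len(data) < offset + 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["s"]:
            return entries, data[offset:]


def inner_protocol(payload: bytes):
    """MPLS has no protocol field; infer the payload type from the IP version nibble."""
    if not payload:
        return None
    return {4: "IPv4", 6: "IPv6"}.get(payload[0] >> 4)


def parse_ipv4(payload: bytes):
    """Minimal IPv4 header parse returning addresses, protocol and the L4 bytes."""
    ihl = (payload[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", payload, 2)
    return {
        "src": str(ipaddress.IPv4Address(payload[12:16])),
        "dst": str(ipaddress.IPv4Address(payload[16:20])),
        "proto": payload[9],
        "l4": payload[ihl:total_len],
    }


def inspect_frame(frame: bytes, signatures: dict):
    """Ethernet -> pop MPLS labels -> inner IPv4 -> byte-pattern match on L4 data.
    The labels are returned for reporting only; the match ignores them."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    entries, inner = parse_label_stack(frame[14:])
    result = {"labels": [e["label"] for e in entries],
              "inner": inner_protocol(inner), "hits": []}
    if result["inner"] != "IPv4":
        return result  # IPv6 header parsing is left out to keep the example short
    ip = parse_ipv4(inner)
    result.update(src=ip["src"], dst=ip["dst"], proto=ip["proto"])
    result["hits"] = [name for name, pattern in signatures.items() if pattern in ip["l4"]]
    return result


# --- constructed test frame (not a real capture) ----------------------------------

def build_frame(labels, ip_packet: bytes) -> bytes:
    """Zero MACs, the MPLS ethertype, then a label stack with S set on the last entry."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    stack = b"".join(
        struct.pack("!I", (label << 12) | (int(i == len(labels) - 1) << 8) | ttl)
        for i, (label, ttl) in enumerate(labels)
    )
    return eth + stack + ip_packet


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """IPv4 header with IHL 5 and a zero checksum (sufficient for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + l4


# Constructed signature table for the example; this is not an ISS signature name.
SIGNATURES = {"HTTP_DotDot_Traversal": b"/../"}

# TCP header (src port 40000, dst port 80, PSH|ACK) plus a request line carrying the
# traversal pattern, wrapped in two labels (1001 outer, 2002 bottom of stack).
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0) \
    + b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"
SAMPLE_FRAME = build_frame([(1001, 64), (2002, 63)],
                           build_ipv4("10.1.1.1", "10.2.2.2", 6, TCP_SEGMENT))


if __name__ == "__main__":
    print(inspect_frame(SAMPLE_FRAME, SIGNATURES))
```

The version-nibble inference is the common practice for MPLS payloads and is what allows the labels to be discarded; a frame whose inner packet starts with neither 4 nor 6 (a pseudowire with a control word, for instance) would need more context than this example handles.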


PAM Content Enforcement/Analysis (Frequently Asked Questions)

Does PAM CE replace the need for me to purchase an enterprise DLP solution?
– No. PAM CE, and Network IPS for that matter, is a complementary component of any data security architecture.

Does PAM CE index/cache data, i.e. entire files?
– No, we perform packet-based inspection targeted at specific PII and user-defined expressions. That type of capability is, however, available in an enterprise DLP system such as the one offered by Fidelis (industry DLP vendor).

Does PAM CE allow inspection for conjoined data sets, i.e. user name and SSN?
– Yes, we can look for single expressions and conjoined data sets.

Does PAM CE impact performance when enabled?
– Yes, there is a cost to running PAM CE and you should expect a 15% loss.

Does PAM CE allow me to monitor for content in HTTP traffic only?
– Yes, the interface provides the capability to target the protocols, content and signatures of your choice.

Does PAM CE provide the capability to inspect attachments sent over Yahoo instant messenger?
– Yes, PAM CE can inspect the content of the attachment and the chat conversation.

Does PAM CE provide the capability to alert based on the number of signature hits?
– Yes, PAM CE lets you set a minimum match count, i.e. if I see 8 consecutive SSNs then fire an alert.

One limit worth noting: content carried inside an encrypted session is not visible to this inspection; SSL decryption appears on the network protection roadmap later in this deck as a planned item.
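The matching behaviour the FAQ describes (protocol scoping, conjoined data sets, and a minimum match count before an alert fires) as an added Python example; this is not PAM CE code and is not from the original deck. The rule format, the packet records, the SSN and username patterns, and every name below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed patterns for the example. The SSN pattern applies the usual structural
# exclusions (area 000/666/9xx, group 00, serial 0000); real PII detection needs more.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
USERNAME = re.compile(r"\b(?:user(?:name)?|login)\s*[:=]\s*[A-Za-z0-9._-]{3,32}", re.I)


@dataclass(frozen=True)
class ContentRule:
    name: str
    patterns: tuple                      # all must match in the same packet (conjoined data set)
    protocols: frozenset = frozenset()   # decoded protocols to inspect; empty means all
    min_count: int = 1                   # minimum hits of patterns[0] in one packet before firing
    response: str = "log"                # block / log / email, as in the slide's response list


@dataclass(frozen=True)
class Packet:
    proto: str    # decoded application protocol, e.g. "http", "smtp", "yahoo-im"
    src: str
    dst: str
    payload: str  # application data (a real engine would have decoded/decompressed it)


def evaluate(rule: ContentRule, pkt: Packet):
    """Return an alert dict if the rule matches this packet, else None.
    Inspection is per packet, as the FAQ states: nothing is cached across packets."""
    if rule.protocols and pkt.proto not in rule.protocols:
        return None
    first, rest = rule.patterns[0], rule.patterns[1:]
    hits = first.findall(pkt.payload)
    if len(hits) < rule.min_count:
        return None
    if not all(p.search(pkt.payload) for p in rest):
        return None
    return {"rule": rule.name, "count": len(hits), "response": rule.response,
            "src": pkt.src, "dst": pkt.dst, "proto": pkt.proto}


def inspect(rules, packets):
    """Run every rule over every packet and collect the alerts in order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            alert = evaluate(rule, pkt)
            if alert:
                alerts.append(alert)
    return alerts


RULES = [
    # "If I see 8 SSNs in HTTP, block": scoped to one protocol, with a minimum match count.
    ContentRule("SSN_Bulk_HTTP", (SSN,), frozenset({"http"}), min_count=8, response="block"),
    # Conjoined data set: a username and an SSN in the same packet, any protocol.
    ContentRule("Username_And_SSN", (SSN, USERNAME)),
]


def constructed_packets():
    """Constructed traffic; the identifiers are made up and follow no real person."""
    bulk = "&".join(f"ssn={100 + i:03d}-45-{1000 + i:04d}" for i in range(10))
    return [
        Packet("http", "10.0.0.5", "203.0.113.7", "POST /export HTTP/1.1\r\n\r\n" + bulk),
        Packet("yahoo-im", "10.0.0.6", "203.0.113.8", "username: jdoe ssn 123-45-6789 pls"),
        Packet("http", "10.0.0.5", "203.0.113.7", "ssn=100-45-1000&ssn=101-45-1001&ssn=102-45-1002"),
        Packet("smtp", "10.0.0.7", "203.0.113.9", bulk),   # right content, out-of-scope protocol
    ]


def run():
    """Evaluate the constructed rules over the constructed packets."""
    return inspect(RULES, constructed_packets())


if __name__ == "__main__":
    for a in run():
        print(f"{a['response'].upper():5} {a['rule']} x{a['count']} "
              f"{a['src']} -> {a['dst']} ({a['proto']})")
```

Only the first two packets produce alerts: the HTTP export carries ten SSNs and trips the bulk rule, and the IM message pairs a username with an SSN. The three-SSN HTTP packet stays under the minimum count, and the SMTP packet carries the same bulk data but is outside the first rule's protocol scope and has no username for the second.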


GX6116 – Availability and reliability

Through Research & Development


The GX6116: The Task at Hand – Create the Fastest IPS without Compromising Protection



The ISS roadmaps drive towards the unification of system security and data security, with full coverage spanning the network, server and endpoint strategic control points, ahead of the threat:
– Network Protection (IPS, ADS)
– Multifunction (UTM) Security
– Vulnerability Management
– Endpoint and Server Protection
– Data and Content Protection

…enabled and enhanced by Enterprise Services

"Comprehensive system security and data security delivered and managed through world class services"


Network Protection Business Line… providing world class network protection

Client value
– Pre-emptive network security protecting client assets, applications and data

Current product line
– Proventia G: IDS/IPS protecting from SMB to large enterprise to carrier-class networks
– ADS: network behavioral analysis to protect against data leakage and the insider threat

Integration with IBM products & services
– Integrated with the ISS suite of products, services and solutions: SiteProtector management console, Managed Security Services, Tivoli Security Operations Manager (TSOM)
– In-process integration – IPS and ADS on BladeCenter

Solutions / strategy
– Data leakage protection – ADS to stop the insider threat, IPS with content analysis to stop malicious and accidental compromise
– Compliance and reporting – advanced reporting and business intelligence tools
– Carrier and telco services – products and services geared to enable in-the-cloud protection


Network Protection Roadmap (1Q07 to 2H08; project key: concept / underway; GX Series announced 07/07)

[Roadmap chart; the recoverable items are listed below by swimlane.]

Network IDS / IPS appliances
– G/GX Series: MCP Non-NPU 1.6 (firmware update for GX3000, 4000, 5000 & GX6000 series)
– GX Series: GX6116 firmware; GX6116 release 5gb / 2.0
– Proventia GX on Crossbeam
– Proventia G IPS on BladeCenter (10G interface)
– Planned feature set: network optimization, increased deployability, ADS integration, DLP (PII)
– Later planned feature set: network optimization, SSL decryption, carrier feature set, increased deployability, ADS integration, DLP (PII)

Anomaly Detection appliance
– Proventia ADS 4.0
– Continued vendor and platform expansion: Sourcefire, Netscreen IDP, Cisco ISR / ASA, etc.
– Enhanced reporting and visualization
– Application identification

MSS services
– Proventia G: support for all new Proventia G platforms
– Support for 10G interface; Checkpoint integration; current GX feature set
– Proventia GX on IBM BladeCenter


Endpoint and Server Protection Business Line… Endpoint is the new perimeter

Client value
– Ahead-of-the-threat protection for endpoints and servers, protecting against attacks that can lead to data theft and lost system usage

Current product line
– Proventia Server / Sensor (Windows, Linux, HP-UX, AIX, Solaris): broad platform coverage to protect servers from malicious attacks; compliance and intrusion prevention
– Proventia Desktop: multi-layered threat and data protection; behavioral threat protection, antivirus, antispyware, intrusion prevention

Integration with IBM products & services
– Server for AIX and System P
– Server for Windows and System X
– Blue Business Platform
– Proventia Desktop / Lenovo: Secure Security PC initiative
– TPM with Proventia Desktop and Server
– TAM and Server

Solutions / strategy
– Proventia Desktop: deliver market-leading system and data protection via an extensible framework to meet the needs of customers today and tomorrow
– Proventia Server/Sensor: deliver comprehensive system protection and market-leading compliance; deliver comprehensive virtualized server protection


Endpoint and Server Protection Roadmap (1Q07 to 2H08; project key: concept / underway)

[Roadmap chart; the recoverable items are listed below by swimlane.]

Proventia Desktop
– Proventia Desktop 10.0: Vista OS support; hierarchical policy management; mini-filter and UAC support; advanced protection via shellcode heuristics; granular policy control
– 9.0 patch rollup

Proventia Server / Server Sensor
– Proventia Server Windows 2.0: compliance focus; OS audit log monitoring; file integrity monitoring; 64-bit OS support
– Proventia Server Linux 2.0: compliance focus; OS audit log monitoring; file integrity monitoring; Red Hat and Novell, 64-bit

VMware virtualization
– VMware Virtual Infrastructure 3.x environments; AV, VPS, IPS, compliance auditing; auto virtual OS discovery and provisioning; open management: Tivoli, IBM Director, etc.

MSS services
– Proventia Desktop: continued support for latest product releases and features
– Proventia Server: continued support for latest product releases and features


Multifunction (UTM) Security Business Line… managing your network needs for remote office / branch office

Client value
– All-in-one security appliance ensures maximum network uptime and workforce productivity by blocking viruses, worms, hackers, spam and unwanted Web content.
– Proventia MFS stands as a key enforcement point for enterprises and small businesses alike to ensure compliance and protection with a consistently managed and comprehensive security policy, even for small, remote offices.

Current product line
– Proventia MX – three core UTM models with scalable enterprise management features targeted at enterprises with distributed operations such as remote office/branch office: MX1004, MX3006, MX5010

Integration with IBM products & services
– Proventia MFS can be managed locally or through SiteProtector
– Direct integration with other network management systems, including Tivoli Security Operations Manager (TSOM)

Compliance
– Helps satisfy 10 of the 12 PCI requirements, especially for remote offices and retail stores
– Helps meet protection and access control requirements of regulations like HIPAA and SOX

Solutions / strategy
– Complete the product line: appliances to support from 25 to 3,000 users
– Enhance the firewall to meet competitive pressures in the area of enterprise firewall features
– Extend the easy client connectivity offering with SSL VPN and enter the adjacent VPN market at the low end
– Leadership role in the UTM market by extending security modules so that they are feature-competitive with stand-alone security products in antispam and URL filtering, allowing sales into adjacent security markets
– Support a layered security approach by enforcing usage of Proventia Desktop
– Blue Business Platform for small and medium business


Multi-Function (UTM) Security Roadmap (1Q07 to 2H08; project key: concept / underway)

[Roadmap chart; the recoverable items are listed below by swimlane.]

Proventia MFS appliances
– M Series: product line expansion, release 3.13 – new MX0804 for 25 to 50 users; new MX4006 for up to 1,000 users; new MX5008 for up to 2,500 users; new MX5110 for up to 3,000 users
– M Series: firmware 4.1 – SSL/VPN technology; dual WAN; QoS, value reporting
– M Series: firmware 4.X or 5 – active/active HA; VLAN; desktop enforcement; security module policy granularity

MSS services
– MSS for UTM: Managed Security Services for Unified Threat Management release and continued platform support
– Continued support for Proventia M releases, features, reports, etc.
– MPS for Networks: update to Managed Security Services for Firewalls


Vulnerability Management Business Line… managing your network vulnerability needs

Client value
– Ensure the availability of IT services, while protecting corporate data by identifying where risk exists, prioritizing and assigning protection activities, and reporting on results.

Current product line
– Internet Scanner (IS) – software-based network vulnerability assessment product serving the audit and vulnerability management markets
– Enterprise Scanner (ES) – appliance-based network vulnerability assessment product serving the vulnerability management markets: ES 750 (Sept 07), ES 1500 (3Q06)

Integration with IBM products & services
– Interface to SiteProtector, which in turn interfaces to Tivoli Security Operations Manager (TSOM)

Strategy / solutions
– Competitive enhancements to ES: added functionality; PCI certification (security checks and reports)
– Expansion of assessment capabilities to include application and database vulnerability scanners
– Integration of network, application and database scans to facilitate overall risk management


Vulnerability Management Roadmap (1Q07 to 2H08; project key: concept / underway)

[Roadmap chart; the recoverable items are listed below by swimlane.]

Enterprise Scanner
– ES1500: PCI enablement – security content specific to PCI vulnerability assessments; PCI compliance reporting
– ES750
– Enterprise Scanner: Security Risk & Regulatory Compliance – usability, performance & compliance reporting
– Vulnerability Management 2.0: Security Risk & Compliance

Internet Scanner
– Added functionality; content parity
– 5 port scanning, usability improvements

Database Vulnerability Scanner

MSS services
– Internet Scanner MSS
– Enterprise Scanner MSS
– Database Vulnerability Scanning MSS
– Enterprise Scanner Security Risk & Reg. Compl. MSS
– Managed Security Services for Vulnerability Management


Data Security and Content Business Line… enabling collaboration while mitigating risk

Client value
– Safeguarding data across the enterprise, facilitating content awareness, enabling security & privacy compliance, monitoring data flows, optimizing control, leveraging industry expertise & best practices to ensure access while preventing data loss

Current product & services line
– Proventia Network Mail: MS3004 appliance (launched August 2006); MS1002-VM virtual appliance (launched August 2007)
– Proventia Mail Filter software (July 2004), formerly Cobion OrangeBox Mail software (March 2003)
– Proventia Web Filter software (July 2004), formerly Cobion OrangeBox Web software (2002)
– OEM business – 30 active email and Web content security partners; includes 5 of the 20 vendors on the 2007 Gartner Secure Web Gateway MQ, including the market leader; mail security and UTM vendors are also represented in OEM relationships

Integration with other IBM products & services; solutions / strategy
– Hardware line expansion for the mail security appliance line – 2008
– Secure browsing – securing transactions regardless of system state
– Content Protection Appliance – 2008 (HTTP, HTTPS, FTP, IM, P2P content gateway inspection)
– Content scanning services and risk assessments
– Brand / logo identification service
– DLP (Data Loss Prevention) services, including granular controls based on content & context and integration with other components of enterprise content protection such as desktop agents and gateway filters for holistic protection


Data & Content Protection Roadmap (1Q07 to 2H08; project key: concept / underway)

[Roadmap chart; the recoverable items are listed below by swimlane.]

Products
– Proventia Mail Appliance (announced 10/06): firmware R1.2 & follow-on maintenance releases for 1.0; virtual appliance firmware 1.3; Mail Security firmware 1.4 (anti-spam effectiveness and accuracy); Proventia Mail Appliance 2.1
– Content Protection Appliance
– Email client encryption; hosted e-mail encryption
– Data Security: integrated DLP solutions (Proventia Desktop, IPS & management platform)
– Data Loss Prevention (to be announced 11/07)
– Endpoint Protection (to be announced 11/07)
– Activity Compliance Monitoring & Reporting (to be announced 11/07)

Services
– Multiple data protection solutions: includes network and endpoint Data Loss Prevention, database monitoring, and endpoint encryption
– Data Loss Prevention services: PSS – discovery assessment; MSS – monitoring & reporting
– Endpoint Protection services: PSS – endpoint encryption
– Activity Compliance Monitoring & Reporting services
– MSS incubation lab (announced 08/07)


Enterprise Services Business Line… solving business problems through flexible service delivery

Client value
– Comprehensive, adaptable services designed to reduce operational overhead, demonstrate compliance, improve security posture, and guarantee protection at the network, server and desktop level.

Current offerings
– Managed Protection Services (MPS) – guaranteed protection offerings based on industry-leading IBM ISS technology at the network, server and desktop.
– Managed Security Services (MSS) – from fully managed to fully monitored, support for best-of-breed firewall, VPS, IPS, AV, AS from leading vendors – ISS, Cisco, Checkpoint, Juniper, 3Com, McAfee, Fortinet, Sourcefire, etc.
– Security Enablement Services – turn-key solutions delivering on-demand protection when you need it without the need for additional hardware or software deployment. Includes SELM, VMS and XFTAS.
– Professional Security Services (PSS) – in-depth professional services designed to provide regulatory certification, security assessment / implementation, and full-scale penetration testing.
– Education and Training Services – comprehensive instructor-led training and e-learning offerings designed around IBM ISS technology and security best practices.
– Emergency Response Services – 24x7 emergency response capabilities for forensic analysis and investigation, evidence preservation, and expert witnessing.
– Proventia Management SiteProtector – provides the industry's most comprehensive centralized security management tool, designed to simplify management functions while expanding visibility into critical security issues.

Strategy
– Service provider offering portfolio expansion.
– On-demand services launch – after-hours monitoring for the Security Event and Log Management offering.
– Security Event and Log Management enhancements for extended regulatory compliance capabilities.
– Improved Vulnerability Management service with support for Enterprise Scanner, PCI compliance, and enhanced usability.
– Data protection services – Data Loss Prevention, database monitoring, encryption, etc.
– Enhanced SiteProtector release to include world-class business intelligence capabilities.
– Introduction of new e-learning capabilities delivering IBM ISS education in an always-on, online classroom.


Enterprise Services Roadmap (1Q07 to 2H08; project key: concept / underway)

[Roadmap chart; the recoverable items are listed below by swimlane.]

SiteProtector
– 6.1 update: increased supported configurations
– SP 7.0: on-demand service, policy management, enhanced reporting

MSS services
– 3rd-party enablement: Message Labs transfer from IEMS
– On demand: advance purchase of SELM; no advance purchase (monitoring occurs before billing)
– Security Event & Log Management: regulatory compliance enhancement
– Multiple data protection solutions: includes network and endpoint Data Loss Prevention, database monitoring, and endpoint encryption
– Service provider portfolio: firewall, IPS and desktop in the cloud
– e-Learning: multiple e-learning intros – SiteProtector, IPS, etc.

IBM Internet Security Systems

© 2007 IBM Corporation. IBM Internet Security Systems Proprietary and Confidential Information - 2007

More information

Visit us at www.ibm.com
Solutions by business need: Security – Internet Security Systems (http://www-935.ibm.com/services/us/index.wss/offerfamily/igs/a1025846)


SiteProtector 2.0 (architecture diagram)

Console roles: Administrator, Operator, Analyst

Managed agents and event sources: Proventia Server, Proventia Desktop, Proventia Network IPS, Active Directory audit logs, Proventia Enterprise Scanner, Proventia Network ADS


RealSecure SiteProtector


Useful Vulnerability Information


Security Fusion Module


SiteProtector™ SecureSync – Integrated Failover System

Phase 1: Readying for disaster
Phase 2: Disaster state
Phase 3: Recovering from disaster

SecureSync failover
Redundant setups
Data preserved upon recovery


SecureSync - Failover


Enterprise Security Management

Built-in ticketing system and API

Active Directory import and query, e.g. which user is logged on

Forensics – event details, packet capture, and TCPdump

Event Filters – based on source and destination IP addresses

Event Throttling – limit to one event every X seconds

Central Responses – based on multi-sensor thresholds

Asset orientation – value, owner, department, etc.

Customizable Analysis Views can be saved and shared

Virtually all operations can be scheduled
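The three event-handling mechanisms listed above (address-based event filters, event throttling to one event every X seconds, and a central response driven by a multi-sensor threshold) are easier to reason about as a pipeline. The following is an added example written for this page, not SiteProtector code: it assumes an illustrative event record (a dict with ts, sensor, sig, src, dst), a made-up excluded scanner network, a 60-second throttle window and a two-sensor threshold, and runs over constructed sample events.

```python
"""Added example, not SiteProtector code: event filter, throttle and
multi-sensor central response as a small pipeline over constructed events.

Assumptions (illustrative, not the product's data model): an event is a dict
with keys ts (epoch seconds), sensor, sig, src, dst; the excluded network,
throttle window and sensor threshold are made-up values."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class EventFilter:
    """Drop events whose source or destination lies in an excluded network,
    e.g. the internal vulnerability scanner that legitimately trips signatures."""

    def __init__(self, exclude_src=(), exclude_dst=()):
        self.exclude_src = [ip_network(n) for n in exclude_src]
        self.exclude_dst = [ip_network(n) for n in exclude_dst]

    def allow(self, ev):
        src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
        if any(src in net for net in self.exclude_src):
            return False
        return not any(dst in net for net in self.exclude_dst)


class Throttle:
    """Forward at most one event per (sensor, signature, source) every
    `window` seconds; repeats are counted, not forwarded, so a noisy
    attacker cannot flood the console with identical alerts."""

    def __init__(self, window):
        self.window = window
        self.last_seen = {}
        self.suppressed = defaultdict(int)

    def allow(self, ev):
        key = (ev["sensor"], ev["sig"], ev["src"])
        last = self.last_seen.get(key)
        if last is not None and ev["ts"] - last < self.window:
            self.suppressed[key] += 1
            return False
        self.last_seen[key] = ev["ts"]
        return True


class CentralResponse:
    """Fire once when at least `min_sensors` distinct sensors report the same
    signature from the same source within `window` seconds. One sensor alone,
    however noisy, never meets the threshold: that is what makes the response
    central rather than per-sensor."""

    def __init__(self, min_sensors, window):
        self.min_sensors = min_sensors
        self.window = window
        self.sightings = defaultdict(list)  # (sig, src) -> [(ts, sensor), ...]
        self.fired = set()
        self.responses = []

    def observe(self, ev):
        key = (ev["sig"], ev["src"])
        recent = [(t, s) for t, s in self.sightings[key] if ev["ts"] - t <= self.window]
        recent.append((ev["ts"], ev["sensor"]))
        self.sightings[key] = recent
        sensors = sorted({s for _, s in recent})
        if len(sensors) >= self.min_sensors and key not in self.fired:
            self.fired.add(key)
            self.responses.append(
                {"sig": ev["sig"], "src": ev["src"], "sensors": sensors, "ts": ev["ts"]})
            return True
        return False


def run_pipeline(events, flt, throttle, response):
    """Filter, then throttle, then feed survivors to the central response.
    Returns the events that reached the console."""
    forwarded = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if flt.allow(ev) and throttle.allow(ev):
            forwarded.append(ev)
            response.observe(ev)
    return forwarded


# Constructed sample events (not captured sensor output).
SAMPLE_EVENTS = [
    # internal scanner at 10.0.0.5: excluded by the source filter
    {"ts": 90, "sensor": "ips-core", "sig": "HTTP_Scan", "src": "10.0.0.5", "dst": "10.1.1.20"},
    {"ts": 91, "sensor": "ips-core", "sig": "HTTP_Scan", "src": "10.0.0.5", "dst": "10.1.1.21"},
    # one sensor, same attack three times in three seconds: throttled to one
    {"ts": 100, "sensor": "ips-dmz", "sig": "SQL_Injection", "src": "203.0.113.7", "dst": "10.1.1.30"},
    {"ts": 101, "sensor": "ips-dmz", "sig": "SQL_Injection", "src": "203.0.113.7", "dst": "10.1.1.30"},
    {"ts": 102, "sensor": "ips-dmz", "sig": "SQL_Injection", "src": "203.0.113.7", "dst": "10.1.1.31"},
    # a second sensor sees the same attacker and signature: threshold reached
    {"ts": 110, "sensor": "ips-core", "sig": "SQL_Injection", "src": "203.0.113.7", "dst": "10.2.0.9"},
    # seen by one sensor only: forwarded, but no central response
    {"ts": 200, "sensor": "ips-dmz", "sig": "SSH_Brute", "src": "198.51.100.9", "dst": "10.1.1.40"},
]


def demo(events=SAMPLE_EVENTS):
    """Returns (forwarded events, central responses, number of throttled events)."""
    flt = EventFilter(exclude_src=("10.0.0.5/32",))
    throttle = Throttle(window=60)
    response = CentralResponse(min_sensors=2, window=300)
    forwarded = run_pipeline(events, flt, throttle, response)
    return forwarded, response.responses, sum(throttle.suppressed.values())
```

Running `demo()` forwards three of the seven events (the scanner traffic is filtered, two of the three identical DMZ alerts are throttled) and raises exactly one central response, for the SQL injection source seen by both sensors; the single-sensor SSH brute-force sighting is forwarded but never triggers a response. Throttling keys on sensor as well as signature and source on purpose: suppressing repeats across sensors would hide the very second sighting the multi-sensor threshold depends on.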


Report Scheduling


Top Attacks Report


Asset Orientation


Ticketing System


User Permissions



SiteProtector Appliance

Embedded Windows software

LCD for initial setup and configuration

Microsoft updates delivered as firmware XPUs

Full remote system administration


© 2006 Internet Security Systems. All rights reserved worldwide. Contents are property of Internet Security Systems.

www.iss.net

Proventia OneTrust Overview


Proventia Licensing: OneTrust

The problem:

"Licensing terms and complexity affect us. We have to have an internal person focusing on licensing, so simplification is huge."

"If they can simplify licensing, it will make it easier for customers to buy software through partners."

Proventia OneTrust reduces the TCO (total cost of ownership) of Internet Security Systems’ products by accelerating security deployment and minimizing license management: all ISS products run using a single token.


Proventia Licensing: OneTrust

Current licensing (diagram): the customer holds a separate key per product – Proventia G, Proventia Desktop, Server Sensor and Proventia M each carry their own Keylib5 or Keylib6 key, so the number of keys to obtain, install and renew grows with the number of products.

Proventia OneTrust system (diagram): a single credential licenses Proventia Desktop, Proventia G, Proventia Server and Proventia M.

OneTrust advantages

Simplified Key Management – one versus many !

Minimized impact to normal business processes

Less set-up for faster deployments and roll-outs


OneTrust Process


Management Roadmap

2007 Products

SiteProtector SP 6.1:
– Scalable enterprise management, command and control, workflow, user roles, reporting, Active Directory, central alerting, asset centric

SiteProtector Appliance SP1001
– Proventia Server protection
– Fusion licenses

Fusion 2.0: event correlation engine
– Included in system packages

SiteProtector SecureSync: failover solution


SiteProtector SP 6.1 enhancements

– Extended risk reporting

– PCI reporting (available with ES update)

– Platform support (Vista, VMware, IE 7, Remedy 7.0, TPM-CheckPoint NGX and Cisco PIX 6.3)

SiteProtector Appliance (tentative)

– 1U appliance

– EventCollector / Agent Manager appliance

Management 2007


Management 2008 - SiteProtector SP 7

Business Intelligence Reporting interface extension

• Includes drag and drop custom reporting functions

• Extended filtering options

• Customizable report based dashboards

Policy management enhancements

• Extensive usability studies driving next generation of policy management

• Designed to flow with customers’ usage

• Provides key integrations with other parts of systems (ticketing, audit)

• Policy versioning

Platform advancement

• Extend collaboration between agents - Event based policy changes


Management

SecurityFusion Module

– Must achieve:

• Custom correlations developed by user

• Correlations based on rules

• Multi vendor event correlations

– Consider Integration of Network Anomaly system

• Network anomaly information with security event


SiteProtector research and design

Enhanced web based interface to SiteProtector

Services based on-demand management

Risk Management perspective

Visualization of network and risk exposures

Ticketing integrations

Asset system integrations

IBM product integrations

– Tivoli

– Lotus


TSOM & SiteProtector – Complementary Solutions

Tivoli Security Operations Manager (TSOM)

– Full featured, multi-vendor Security Information and Event Management (SIEM) platform

– Functions
• Event aggregation from over 200 unique products & sources
• Multi-vendor event correlation engine
– 4 correlation techniques, including statistical, across all event types
– Pre-built threat & policy correlation rules
• Security threat dashboard, visualizations
• Incident management ticketing & investigation tools
• Cross-product reporting, including compliance-focused reports

– TSOM is not a replacement for SiteProtector
• No command and control or configuration for any products


TSOM & SiteProtector – Complementary Solutions (architecture diagram)

– TSOM CMS (Central Management System), operated from the TSOM Console (web browser / Java)
– TSOM EAM (Event Aggregation Module) and Metro Nodes collecting from: Access & Identity Management; Windows, Unix and other servers & applications; Proventia IDS/IPS; firewalls; routers/switches
– ISS SiteProtector, feeding events from Proventia Server and Proventia Desktop into TSOM


SiteProtector

Many large ISS shops will have SiteProtector installed. From the TSOM perspective, SiteProtector is an event aggregator that lets us collect events from hundreds or thousands of devices in one place. To collect these events we install an agent called the UCM (Universal Collection Module) on the SiteProtector computer. This agent reads from the MS SQL database that stores the events and sends them to the TSOM EAM as they are received by SiteProtector.
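The collection pattern described above, an agent that reads newly stored events out of the management server's database and forwards them to the aggregator, is shown below as an added example written for this page; it is not IBM's UCM code and the table layout is an assumption, not the SiteProtector schema. An in-memory SQLite table stands in for the MS SQL event store, the EAM is represented by any callable, and the sample rows are constructed.

```python
"""Added example, not IBM's UCM code: a database-tailing collector that forwards
new events past a stored high-water mark, with SQLite standing in for MS SQL.

Assumed and illustrative, not the real schema: a table events(event_id INTEGER
PRIMARY KEY, ts, sensor, signature, src, dst). The aggregator is any callable;
the collector keeps a high-water mark on event_id so that a restart or a
failed send neither replays nor skips events."""
import sqlite3

SCHEMA = """
CREATE TABLE events (
    event_id  INTEGER PRIMARY KEY,  -- monotonic; used as the collector's cursor
    ts        TEXT NOT NULL,
    sensor    TEXT NOT NULL,
    signature TEXT NOT NULL,
    src       TEXT NOT NULL,
    dst       TEXT NOT NULL
)
"""

# Constructed sample rows (not real SiteProtector data).
SAMPLE_ROWS = [
    ("2007-06-01T10:00:00", "ips-dmz", "SQL_Injection", "203.0.113.7", "10.1.1.30"),
    ("2007-06-01T10:00:01", "ips-dmz", "SQL_Injection", "203.0.113.7", "10.1.1.31"),
    ("2007-06-01T10:00:05", "ips-core", "SSH_Brute", "198.51.100.9", "10.2.0.4"),
    ("2007-06-01T10:00:09", "desktop-17", "Trojan_Activity", "10.3.0.17", "192.0.2.10"),
    ("2007-06-01T10:00:12", "ips-dmz", "HTTP_Scan", "203.0.113.7", "10.1.1.40"),
]


def open_store(rows=SAMPLE_ROWS):
    """Create the stand-in event store and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO events (ts, sensor, signature, src, dst) VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


class Collector:
    """Polls the event table past a stored high-water mark and hands each new
    event to `forward` (the aggregator). event_id, not ts, is the cursor:
    timestamps collide and are not guaranteed monotonic, a primary key is."""

    def __init__(self, conn, forward, batch_size=100, watermark=0):
        self.conn = conn
        self.forward = forward
        self.batch_size = batch_size
        self.watermark = watermark  # last event_id successfully forwarded

    def poll(self):
        """Forward one batch of unseen events; returns how many were sent.
        The watermark advances only after a successful forward, so a failure
        mid-batch makes the next poll resume from the last good event
        (at-least-once delivery, never silent loss)."""
        rows = self.conn.execute(
            "SELECT event_id, ts, sensor, signature, src, dst FROM events "
            "WHERE event_id > ? ORDER BY event_id LIMIT ?",
            (self.watermark, self.batch_size)).fetchall()
        sent = 0
        for event_id, ts, sensor, signature, src, dst in rows:
            self.forward({"event_id": event_id, "ts": ts, "sensor": sensor,
                          "signature": signature, "src": src, "dst": dst})
            self.watermark = event_id
            sent += 1
        return sent


def demo():
    """Drain the table in batches of 2, then pick up one late-arriving event.
    Returns (per-poll counts, forwarded ids, final watermark)."""
    received = []
    conn = open_store()
    collector = Collector(conn, received.append, batch_size=2)
    counts = [collector.poll() for _ in range(4)]
    conn.execute("INSERT INTO events (ts, sensor, signature, src, dst) VALUES (?, ?, ?, ?, ?)",
                 ("2007-06-01T10:01:00", "ips-core", "SQL_Injection", "203.0.113.7", "10.2.0.9"))
    conn.commit()
    counts.append(collector.poll())
    return counts, [e["event_id"] for e in received], collector.watermark


def demo_retry():
    """The aggregator is unreachable while event 3 is being sent: the watermark
    stays at 2 and the following poll resends from 3 onward.
    Returns (watermark after the failure, ids the aggregator finally received)."""
    conn = open_store()
    got = []
    state = {"failed": False}

    def flaky(ev):
        if ev["event_id"] == 3 and not state["failed"]:
            state["failed"] = True
            raise ConnectionError("EAM unreachable")
        got.append(ev["event_id"])

    collector = Collector(conn, flaky, batch_size=10)
    try:
        collector.poll()
    except ConnectionError:
        pass
    watermark_after_failure = collector.watermark
    collector.poll()
    return watermark_after_failure, got
```

`demo()` drains five rows as 2, 2, 1, 0 and then forwards the sixth on the next poll; `demo_retry()` shows the watermark stopping at 2 when the send of event 3 fails, so the retry resends 3, 4 and 5 without duplicating 1 and 2. Two practical points for a real deployment of this pattern: the collector's database login needs only SELECT on the event tables, which limits what a compromised collector host can do to the management database, and the watermark should be persisted outside process memory so that a restart resumes rather than replays.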


Thank you!

After the break we continue with: Proventia Anomaly Detection


Thank you!

Ondrej KOVAC,

[email protected]

+421-918-541975

Michael Clark,

[email protected]