
Proventia Security solution


Page 1: Proventia Security solution

20 May 2009

Proventia® Security Platform

Secure Virtualization

IBM Global Technology Services

IBM Internet Security Systems: Ahead of the threat.™

© 1994, 2008 IBM Corporation

Ondrej KOVÁČ

Page 2: Proventia Security solution

Proventia® Secure Virtualization

© 2009 IBM Corporation

Agenda

• Web “application” security
• Virtualization
• Live demo
• Mail security overview

Page 3: Proventia Security solution

Web Security

Page 4: Proventia Security solution

Block attacks in real-time with Proventia Web application security

Intrusion prevention just got smarter with web application protection backed by the power of X-Force

Virtual Patch

What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach

Why Important: At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability

Threat Detection & Prevention

What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.

Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.

Content Analysis

What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.

Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy

Web Protection

What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).

Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

Network Policy Enforcement

What It Does: Manages security policy and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.

Why Important: Enforces network application and service access based on corporate policy and governance.

Page 5: Proventia Security solution


Changing security landscape creates complex threats

New Applications are increasing the attack surface

Complex Web applications create complex security risks

Making applications more available to “good” users makes them more available to “bad” users

Web attacks are evolving to blended attacks (i.e. planting of malware on legitimate web sites)

Web Applications

Web-enabled Applications Drive the Need for Security

Page 6: Proventia Security solution

Hackers Continue to Focus on Web Applications

Vulnerabilities & Attacks
• 54.9% of all vulnerabilities are Web application vulnerabilities
• 74% of Web application vulnerabilities in 2008 had no patch by year end
• SQL injection attacks increased by 30x within the last six months

… because it’s an easy point of entry and there’s valuable data exchanged in the business processes run by the applications

Compliance Demands
• Compliance drives new Web security requirements (PCI DSS)
• PCI DSS non-compliance costs clients hundreds of thousands in fines a month

Page 7: Proventia Security solution

Traditional point solutions throw money at the problem and can’t address all web security requirements

Vulnerability Scanners
• Traditional vulnerability scanners don’t cover web applications

Penetration Testing
• Effective at finding vulnerabilities but not scalable for ongoing tests
• Not focused on remediation

Network firewall
• Generic Web application protections (if any) so most custom web apps not covered

Web application firewall
• Expensive point product to deploy and manage
• Can be effective, but difficult to deploy, tune and manage
• Building policies can be as time consuming as remediating the vulnerability

Page 8: Proventia Security solution

The Solution: IBM Web Security for a Smarter Planet

Best Practices: Integrate secure development, vulnerability management, network protection and host protection
• Develop secure web apps
• Identify vulnerabilities in existing apps
• Protect web applications, Web 2.0 & databases at the network and server
• Remediate: Apply patches and correct the code

End-to-end web security from your trusted security advisor

Web Applications & Databases

AppScan
• Vulnerability identification & Secure development

Proventia
• Network and server protection
• Event tracking

DataPower
• XML Security, SSL termination & acceleration, application auditing


Page 10: Proventia Security solution

Integrate web application protection from network to host

[Diagram: deployment zones labelled Remote Office, Branch Office, Servers and Web Farms, and Perimeter; products shown: DataPower, Proventia MX, Proventia GX]

• Host Intrusion Prevention (HIPS) w/ SSL Inspection for IIS and Apache
• UTM with P2P VPN w/ Web 2.0 Protection
• Physical and Virtual Network Intrusion Prevention (NIPS) w/ Web 2.0 Protection
• SSL Decryption, Load Balancing, and XML Security

Intrusion Prevention & Protection for:
• Web 2.0: JSON (JavaScript Object Notation) blocking
• Database: SQL injection, LDAP, XPath injection
• Web application protection: shell command, server side include, XSS and directory traversal

X-Force protection across all Proventia products:
1. Network Protection: IBM Proventia Network IPS
2. Remote / Branch Office: IBM Proventia Multifunction Security
3. Host Protection: IBM Proventia Server IPS

Benefits
• Consolidated security products reduce the cost & complexity of deploying and maintaining multiple point products
• Achieve PCI compliance for DSS 6.6 (June 30 2008)
• Multiple features that span a portfolio of centrally managed products.

Page 11: Proventia Security solution

IBM Proventia Web security

• Proventia Network IPS: Physical and Virtual Network Intrusion Prevention (NIPS) w/ Web Application Protection. High bandwidth web protection for large enterprise with web server farms
• Proventia MX: UTM with P2P VPN w/ Web App Protection. All-in-One Remote office / Branch office protection w/ P2P VPN
• Proventia Server IPS: Small offices without Network IPS or VPNs can utilize Proventia Server IPS to decrypt and inspect SSL-encrypted traffic
• DataPower: SSL Decryption, Load Balancing, and XML Security

Page 12: Proventia Security solution

Comprehensive Web Services & XML Security: WebSphere DataPower Appliances

• Encryption of transport layer – HTTP, HTTPS, SSL
• XML/SOAP Firewall – Filter on any content, metadata or network variables
• Data Validation – Enforce incoming/outgoing XML schema, well-formedness
• Field Level Security – WS-Security, encrypt & sign individual fields, non-repudiation
• Access Control (AAA) – Authentication, Authorization, Accountability enforces access policy stored in an Identity Management Solution
• Message Enrichment – Insert header info, SAML token, Kerberos token, transaction ID…
• Anti Virus Protection – integrates with corporate virus checking through ICAP protocol
• Security standards – WS-Security, WS-Policy, SAML, XACML, WS-Trust, WS-Addressing…

[Diagram labels: Web Services / XML Messages; Authentication & Authorization; Insert SAML Token, Transaction ID, etc.; SOAP; MQ Appl; Service Providers; Web Services Requestor; Identity mgmt system (Tivoli, LDAP…)]

Page 13: Proventia Security solution

Together Proventia Web Application Security and WebSphere DataPower Provide Full Web Application Firewall (WAF) Functionality

• Proventia Web Application Security Features
– Buffer overflow exploits
– CGI-BIN parameter manipulation
– Form/hidden field manipulation
– Forceful browsing
– Cross-site scripting (XSS)
– Command injection
– SQL injection
– Web site defacement
– Well-known platform vulnerabilities
– Zero-day exploits

• DataPower Features
– Cookie watermarking (sign and/or encrypt)
– Customizable error handling
– SSL Acceleration & Termination (Link)
– Dynamic routing and load balancing
– Session handling policies
– Rate limiting and traffic throttling/shaping
– General name-value criteria boundary profiles for: Query string and form parameters, HTTP headers, Cookies

Eliminate the Need to Purchase a Stand-Alone WAF


Page 15: Proventia Security solution


Network, Server, and End Point

Physical Infrastructure

People and Identity

Data and Information

Application and Process

Rational AppScan

Identify vulnerabilities in web applications

Secure code development

Provide actionable info to correct vulnerabilities

Block attacks against web app vulnerabilities

Block database attacks: Oracle, MySQL, MS SQL

Block DoS attacks

Build custom policies for web apps

Security content updates for new threats

Block attacks against the web server OS

Block attacks targeted at the web browser

SSL decryption to inspect encrypted traffic

SOA-enabled security

Proventia Web app protection

WebSphere DataPower

Web app firewall

Page 16: Proventia Security solution

Securing Virtualisation

Page 17: Proventia Security solution


Pre-Virtualization and Post-Virtualization Eras

Pre-Virtualization Post Virtualization

Existing Vulnerabilities

New Vulnerabilities

More Components = More Exposure

New Vulnerabilities

Virtual workloads (OS & application) are no more or no less secure in virtual environments

Management stack to control the virtual environment introduces potential exposure

Attackers will go after the low-hanging fruit

Hyper-jacking and VM escapes are the least of your worries

[Diagram: pre-virtualization stack (Hardware, Operating System, Applications, Management) beside the post-virtualization stack (Hardware, Hardware Virtualization, Hypervisor/VMM, Service Partition (Dom0, Svc Console), Management, Operating Systems, Applications/Services)]

Page 18: Proventia Security solution

What new fun does virtualization bring me?

• Server sprawl on steroids
• Enterprise management options are not where they need to be
• Compliance and Patching
– New layers to patch - virtualization software and management stack
– Maintaining security posture of VMs in a dynamic environment
• Mobility
– Are VMs moving to less secure machines, networks, datacenters, etc?
– Static security policies no longer apply
• Virtual Machine Stealing
– Entire servers are now files

[Diagram: two virtualized hosts, each showing Hardware, Hypervisor, Management and VMs (OS, Kernel, Applications)]

Page 19: Proventia Security solution

Physical-to-Virtual

Separation of Duties

Server Owners

Network Owners

Technical

Organizational

• Does virtualization impact existing separation of duties?
• What process documentation (e.g. compliance controls) is invalidated by the migration?
• Do existing technical security controls (intrusion prevention, firewall, security configuration management) support the virtual environment?
• What net new exposures (vulnerabilities in applications/operating systems, network segmentation) are introduced by moving to virtualization?

What is the impact to security posture?

[Diagram: Management and Application/Service stacks before migration; Management, Hypervisor and Application/Service stacks after]

Page 20: Proventia Security solution

Server and Network Convergence

[Diagram: physical network (traditional security, physical NICs) and virtual network (management VM, virtual switches, VMs running applications, OS, processes and services), captioned “Who’s Watching?”]

Security “blind spots” are created as portions of the network become part of the server

Who owns the virtual network?

Physical network IDP devices do not provide coverage for inter-VM communication

Routing virtual network traffic to an external physical device is not practical

VM sprawl risks: what you cannot see will hurt you

Page 21: Proventia Security solution

Threat Landscape: Operating Systems & Application

Traditional threats remain as long as VMs communicate with the network, virtual or physical

• Worms
• Rootkits
• Trojans
• DoS
• SQL Injection
• Cross Site Scripting

Virtual machine state changes (online, offline, snapshots) and cloning can obsolete patching processes

OS and application vulnerabilities and exposures do not change in the virtual world

Page 22: Proventia Security solution

Mobility

• Workloads are no longer tied to physical servers
• Existing controls do not ensure that security posture remains constant in a dynamic environment
• Target server may not be protected or may have an inappropriate security policy in place
• Unprotected workloads put workloads on the target system at risk

[Diagram: Application/Service workloads on two hypervisors]

Page 23: Proventia Security solution


Virtualizing Security vs. Securing Virtualization

Virtualization Security can be classified in two ways:

IBM ISS is targeting solutions in both areas…

A mix of security "within a VM" (Proventia Server), "as a VM" (Virtual Security Appliances) and "within the platform" (Integrated security solution).

Virtualizing Security

Securing Virtualization

• Existing Solutions
• Virtual Appliances

• Integrated Security
• Professional Services

Page 24: Proventia Security solution

What new fun does virtualization bring me?

VM Hopping

• Hopping from one VM system to another bypassing isolation controls

VM Escape

• Hopping out of the VM isolation to the primary Hypervisor OS

Hyper-jacking

• Attacks targeting the Hypervisor OS itself

Page 25: Proventia Security solution


What is an Intrusion Prevention System?

IPS evolved from IDS - IDS identifies threats and sends alerts, IPS blocks attacks targeted at your network.

For accurate, preemptive protection, IPS products use multiple techniques to:
– Recognize and identify protocols
– Analyze traffic

No single intrusion prevention technique can offer acceptable protection

Page 26: Proventia Security solution

Proventia Network Security Controller

Scalable, flexible, resilient 10GbE network protection

Investment Protection: Provides existing clients the ability to use GX6116, GX5000 and G2000’s on 10G network upgrades

Product Specifications

10 GbE network connectivity

Supports long/short range fiber

10 GbE Bypass

2x GX6116 will provide 12Gbps full protected inspect rate

Same industry-leading preemptive protection on the backend

10GbE

GX6116

Controller

Roadmap Q1 2009

Page 27: Proventia Security solution


Provides 10 Gbps connectivity for Proventia Network IPS GX6116 and GX5208

Aggregates/segregates four 10 Gbps ports to 24 1 Gbps ports with configurable mapping

Active bypass/switching prevents network disruption should the IPS appliance fail

Passive bypass and power loss fail safe

Supports multiple 10 Gbps interfaces: SR and LR

Multiple intrusion prevention techniques provide superior attack detection accuracy

10 Gbps Network Segments

6-15 Gbps protection per GX6116

Proventia Network Security Controller

Page 28: Proventia Security solution

Protect High Speed Networks: IBM Proventia Network Security Controller

10 Gbps Network Protection
• 4 x 10 Gbps ports to protect 2 x 10 Gbps network segments
• 24 x 1 Gbps ports to balance traffic across multiple GX appliances

Scalable protection
• Start with existing IPS appliances
• Add IPS appliances as needed

Flexible deployment options
• Long range and short range fiber options
• Supports GX6116 and GX5208 models

Integrated bypass
• Active bypass
• Passive bypass
• Power loss failsafe

Page 29: Proventia Security solution

Protocol and Content Analysis as the Foundation

PAM is the engine behind the preemptive protection afforded by many of the solutions in the IBM Proventia product family.

Page 30: Proventia Security solution

IBM Proventia Content Analyzer – At a Glance

• Inspects unencrypted data using up to 16 different signatures
– 8 pre-defined signatures
– 8 custom signatures defined by the user (following deterministic finite automaton (DFA) expression guidelines)
• Create compound data-set search string inspection (e.g., name AND social_security_number AND User defined)
• Supports inline and passive bi-directional inspection modes
• Supports 10 protocols and can inspect the content of compound documents including PDFs, ZIP and GZIP files

Page 31: Proventia Security solution


IBM Proventia Content Analyzer – At a Glance

*Provides for inline inspection of attached files.

Page 32: Proventia Security solution


Proventia Content Analyzer – How it works

Proventia Content Analyzer can inspect both inbound and outbound unencrypted data, either generating alerts when flagged data are found, blocking the traffic from being transmitted, or both.
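
A minimal sketch of the compound inspection described on the Content Analyzer slides above (limited signature slots, AND-combined rules, alert and/or block on inbound or outbound data), added here as an illustration and not IBM's implementation. The regular expressions, the `EMP-` identifier format, the rule names and the sample payloads are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

MAX_PREDEFINED = 8  # slide: up to 16 signatures, 8 pre-defined ...
MAX_CUSTOM = 8      # ... and 8 defined by the user

def ssn_plausible(m: re.Match) -> bool:
    """Drop SSN-shaped strings that are never issued, to cut false positives."""
    area, group, serial = m.groups()
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value: str) -> str:
    """Keep only the last four characters so the alert does not leak the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

@dataclass
class Signature:
    name: str
    pattern: str
    custom: bool = False
    validator: Optional[Callable[[re.Match], bool]] = None

    def hits(self, text: str) -> list:
        # The patterns used below avoid backreferences and lookarounds, so they
        # stay expressible as a DFA; Python's re itself is a backtracking engine.
        return [m.group(0) for m in re.finditer(self.pattern, text)
                if self.validator is None or self.validator(m)]

@dataclass
class Rule:
    name: str
    all_of: tuple           # every listed signature must hit (compound AND)
    action: str = "alert"   # "alert", "block" or "alert+block"

class ContentAnalyzer:
    def __init__(self):
        self.signatures = {}
        self.rules = []

    def add_signature(self, sig: Signature) -> None:
        limit = MAX_CUSTOM if sig.custom else MAX_PREDEFINED
        used = sum(1 for s in self.signatures.values() if s.custom == sig.custom)
        if used >= limit:
            raise ValueError(f"no free slot for signature {sig.name!r}")
        self.signatures[sig.name] = sig

    def add_rule(self, rule: Rule) -> None:
        unknown = [n for n in rule.all_of if n not in self.signatures]
        if unknown:
            raise KeyError(f"rule {rule.name!r} uses unknown signatures {unknown}")
        self.rules.append(rule)

    def inspect(self, payload: bytes, direction: str):
        """Return (blocked, events) for one unencrypted payload."""
        text = payload.decode("utf-8", errors="replace")
        found = {n: s.hits(text) for n, s in self.signatures.items()}
        events = []
        for rule in self.rules:
            if all(found[n] for n in rule.all_of):
                events.append({
                    "rule": rule.name, "direction": direction, "action": rule.action,
                    "evidence": {n: [mask(v) for v in found[n]] for n in rule.all_of},
                })
        blocked = any("block" in e["action"] for e in events)
        return blocked, events

def build_analyzer() -> ContentAnalyzer:
    ca = ContentAnalyzer()
    ca.add_signature(Signature("ssn", r"\b(\d{3})-(\d{2})-(\d{4})\b",
                               validator=ssn_plausible))
    ca.add_signature(Signature("name", r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"))  # simplified
    ca.add_signature(Signature("employee_id", r"\bEMP-\d{6}\b", custom=True))  # hypothetical
    ca.add_rule(Rule("ssn_any", ("ssn",), "alert"))
    ca.add_rule(Rule("hr_record", ("name", "ssn", "employee_id"), "alert+block"))
    return ca

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "full_record": b"employee: John Smith; ssn: 123-45-6789; record: EMP-004217",
    "ssn_only": b"ticket 123-45-6789 closed",
    "bogus_ssn": b"employee: John Smith; ssn: 000-12-3456; record: EMP-004217",
}

if __name__ == "__main__":
    analyzer = build_analyzer()
    for label, payload in SAMPLES.items():
        blocked, events = analyzer.inspect(payload, "outbound")
        print(label, "BLOCK" if blocked else "pass", [e["rule"] for e in events])
```

Only the full record trips the blocking compound rule; the lone SSN raises an alert without blocking, and the never-issued SSN is discarded by the validator before any rule is evaluated.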

Page 33: Proventia Security solution

Proventia Content Analyzer (Static Demonstration)

Page 34: Proventia Security solution

Proventia Content Analyzer (Enabling)

Page 35: Proventia Security solution


Proventia Content Analyzer (Configuring)

Page 36: Proventia Security solution


Proventia Content Analyzer (Alerting)

Page 37: Proventia Security solution


Proventia Content Analyzer (Alert Details)

SSN=225-43-9879

Page 38: Proventia Security solution


Just a new addition to the existing line

Page 39: Proventia Security solution

Operational Modes

In addition to the standard NIPS Bridge modes (Inline Simulation, Protection and Passive Monitoring), the GV1000 gives you the flexibility of several deployment scenarios for those three modes.

• Conventional Inline IPS Network Deployment

• Partially Virtualized Inline IPS Network Deployment

• Fully Virtualized Inline IPS Network Deployment

Page 40: Proventia Security solution

Conventional Inline IPS Network Deployment

In this deployment the PVNSP is used as a bump in the wire exactly as an IPS appliance would be deployed. The only difference is that PVNSP is running in a virtualized environment, and uses the physical network interfaces of the virtual server as its in-line monitoring interfaces.

Page 41: Proventia Security solution

Partially Virtualized Inline IPS Network Deployment

This deployment uses the PVNSP in-line running inside the virtual environment, but with one interface connected to the physical LAN. In this deployment it will protect the virtual machines deployed in the same virtual environment by using the virtual interfaces on the VMware server.

Page 42: Proventia Security solution

Fully Virtualized Inline IPS Network Deployment

This deployment uses the PVNSP in-line running inside the virtual environment. In this deployment it will protect the virtual machines deployed in the same virtual environment by using the virtual interfaces on the VMware server.

Page 43: Proventia Security solution

Ports

• Eth0 – RST port (disabled)
• Eth1 – Management
• Eth2 – A
• Eth3 – B

All interfaces can be deployed in either Bridged or Host-only mode.

Do not use the same Virtual Networks (VMNet1, VMNet2, etc) for eth1, eth2, or eth3. This may result in a network loop causing network failure.

The Reset Kill Port is undefined. Later in the installation procedure, you will be asked to enable the virtual interfaces; we simply will not enable the Kill Port.

Page 44: Proventia Security solution

Initial configuration

Initial configuration proceeds in the same fashion as connecting to the physical NIPS with a console cable. The default user account is:

uid: admin
pwd: admin

Page 45: Proventia Security solution

Continuing Configuration

After the initial settings, configuration continues with Proventia Manager. You can manage the virtual appliance with just the Proventia Manager interface or use the Proventia Manager to register the virtual appliance with SiteProtector.

SiteProtector Centralized Management

Page 46: Proventia Security solution

Performance

Performance benchmarks were performed in Conventional Inline Mode.

Virtual Appliance Specs:
• 1 GB of RAM
• 10 GB of HD
• The host system had 2x Quad Core Xeon 2.83GHz
• VMWare ESX 3.5

Results:
• Throughput: 700 Mbps (up to 1.5 Gbps with packet sizes above 1024)
• Inspected Throughput: 700 Mbps (up to 1.5 Gbps with packet sizes above 1024)
• Latency: 350 microseconds (average using IMIX UDP)
• Connections per Second: 19,000
• Concurrent Sessions: 600,000

Please keep in mind that quantifying and describing the load tests is a difficult task because it was impossible to identify the CPU usage, bus usage, memory usage and network usage of the other virtual machines on the ESX server.

Page 47: Proventia Security solution


IBM ISS Virtualization Solutions: Past, Present and Future

Current Solution protects the Virtual Systems using our current HIPS portfolio

The Virtual Proventia NIPS gives you the flexibility to protect traffic inside the virtual environment

Hypervisor HIPS brings perimeter protection to the virtual environment

Page 48: Proventia Security solution


Virtual environment - unprotected

Page 49: Proventia Security solution

Virtual environment - Protected

SiteProtector Centralized Management

Page 50: Proventia Security solution

Virtual environment - Protected

MS09_039_pnp add_user

SiteProtector Centralized Management

Page 51: Proventia Security solution

Virtual environment - Protected

MS09_039_pnp add_user failed

SiteProtector Centralized Management

Page 52: Proventia Security solution

Email Security

Proventia Mail Security System PNMSS MS3004N

Proventia Mail Security System PNMSS MS1002-VM

Page 53: Proventia Security solution

Deployment options

Minimum hardware:
• 2GB RAM (512MB min for each virtual instance, 1MB recommended)
• 100GB drive (30GB for each virtual instance)
• Two network interfaces:
– One host-only interface
– One bridged network interface

VMware versions:
• VMware Server 1.0.2 or later
• VMware Workstation 5.5 or later
• VMware Player 1.0.3 or later
• VMware ESX 3.x or later

Part No.: MS3004N
Description: Intel Xeon 2.00GHz/1333MHz, mem 2GB, 6 hot-swap 3.5" SATA/SAS. 4x80GB + 2x250GB (RAID 1), 4x 10/100/1000 G-bit Ethernet, dual fans & power supplies
Rack: 2U

1st year maintenance

Dedicated Appliance

Customer / IBM provides hardware

Specialized hardware

MS3004N Appliance from IBM ISS

Virtual Appliance

Appliance throughput: 36,000 mails/hr

VMware throughput: 10,500 mails/hr

Page 54: Proventia Security solution

The IBM Internet Security Systems Solution: IBM Proventia Network Mail Security System

Precise combination of preemptive protection and spam control

• Preemptive Protection
– Patented Virus Prevention System
– Industry-leading Intrusion Prevention
• Spam control
– Multi-level message analysis
– 10 + analysis modules
– Sophisticated rule-based policy management
• Supports internal security mandates, compliance initiatives
• Out-of-the-box protection & scalability
• Enhanced reporting & SiteProtector integration

Page 55: Proventia Security solution


Multi-level Spam Analysis

Page 56: Proventia Security solution


Multi-layered Email Protection

Page 57: Proventia Security solution

Management Options

• Web-based LMI
• SiteProtector Centralized Management
• Clustering / High Availability – Multiple boxes managed through one appliance

Page 58: Proventia Security solution


PNMSS MS1200VM - Overview

Page 59: Proventia Security solution

Virtualization drives cloud-based service delivery models and virtual appliances enable client segmented security

Virtual appliances enable security to be delivered in the cloud

Virtualization platforms provide flexible deployments

Virtual SOC allows end user to monitor and manage security policies and events

• Infrastructure as a Service
• Multi-tenant environments
• Differentiate service based on security
• Add new revenue streams

Benefits
• Scalable Capacity
• Consolidated and Efficient
• Easy to recover
• Testable
• Rapid Deployment

Page 60: Proventia Security solution

Thank you for your attention

[email protected]
+421 918 541975

Page 61: Proventia Security solution

© Copyright IBM Corporation 2009

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
February 2009
All Rights Reserved

IBM, the IBM logo, Internet Security Systems, Proventia, SiteProtector, Virtual Patch, Rational AppScan, DataPower and X-Force are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

Use of the information herein is at the recipient's own risk. Information herein may be changed or updated without notice. IBM may also make improvements and/or changes in the products and/or the programs described herein at any time without notice.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

Copyright information

SEJ03003-USEN-00