Tippingpoint X505 Training - 01 Key Concepts

  • 7/31/2019 Tippingpoint X505 Training - 01 Key Concepts

    Key Features and Concepts Objectives

    > Upon completion of this module, you should be familiar with the following:

    Key Features of the X505

    Device Appearance

    Key Concepts and Functional Areas of the X505

    > Security Zones and Interfaces

    > Firewall

    > Content Filtering

    > VPN

    > IPS

    > System Administration

    Deployment Modes/Scenario

    X505 Key Features

    > Stateful Packet Inspection Firewall

    > Industry Standards Compliant VPN

    > Fully Featured IPS

    > Flexible security zone deployment

    > User Authorization

    > Zone Based Rate Limiting

    > Content Filtering

    > Manual URL Filtering

    > Application-specific rate limiting

    > Multicast Routing

    > RIP

    Device Appearance

    > No LCD Panel

    > 2 inches high, slightly taller than 1U (1U = 1.75 inches)

    > DB9 Console Port (115200 bps, 8 data bits, no parity, 1 stop bit)

    > (4) 10/100 Ethernet Ports (NO Auto-MDI)

    > (1) 10/100 Management Port

    Unused in most installations

    Will go away as of X5/X506 (Management will be in-line)

    Exists due to sharing of platform (200E)

    Security Zones

    > What is a Security Zone?

    A security zone is a network segment or VLAN where access can be policed as traffic passes in and out of the security zone

    NOTE: Policed means Firewall, IPS and Content Filtering

    A user can define multiple security zones, based on their network security needs

    Common security zones are LAN, WAN, DMZ and VPN

    Think of Zones as a Layer 2 construct

    [Diagram: x505 with five security zones: LAN, LAN2, WAN, DMZ and VPN]

    > A network with 5 Security Zones

    > Traffic (shown in red) passes from one zone to another only if policy permits

    > No policy enforcement within a zone! Only between zones

    Network Interfaces

    > Network Interfaces define how the X505 integrates with the layer 3 network

    > A Network Interface can represent multiple security zones.

    Example: Internal Network Interface could represent LAN1, LAN2, and VPN

    > There is one external Network Interface (i.e. WAN Zone assigned by default)

    Static

    DHCP (x-Series acts as DHCP Client; on by default)

    PPPoE

    PPTP

    L2TP

    > There can be many internal Network Interfaces

    Each with Static IP Addressing for the interface

    Clients can be static or DHCP

    You must enable NAT for internal clients to get NATed to public IP addresses.

    X505 Deployment Modes

    [Diagram: LAN, WAN and DMZ zones, all on the External Interface]

    > Full transparent deployment

    [Diagram: LAN, WAN and DMZ zones; External Interface and one Internal I/F]

    > Transparent DMZ

    > NAT / Routed LAN

    [Diagram: LAN, WAN and DMZ zones; External I/F and two Internal I/Fs]

    > Full routed / NAT deployment

    Firewall

    > Firewall Rules enforce policy between zones (i.e. from the WAN zone to the LAN zone)

    > Rules are evaluated from the top down with an implicit deny at the end

    > Network and Service Objects define who can access what

    > Options:

    Rate Limiting

    Schedules

    Group Authorization

    Content Filtering
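    The zone policy semantics described on this slide and the Security Zones slide (no policing inside a zone, inter-zone rules evaluated top down with an implicit deny, network and service objects defining who can reach what), as an added Python example that is not part of the training deck or of TippingPoint's own rule engine; the object names, rule syntax, policy and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network and service objects (hypothetical names, not X505 syntax).
NETWORK_OBJECTS = {
    "any": ["0.0.0.0/0"],
    "lan-clients": ["10.1.0.0/16"],
    "dmz-web": ["192.0.2.10/32"],
}
# A service object is a set of (protocol, port); port None means any port.
SERVICE_OBJECTS = {
    "any": {("tcp", None), ("udp", None), ("icmp", None)},
    "http": {("tcp", 80), ("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_obj: str
    dst_obj: str
    service: str
    action: str  # "permit" or "deny"

def _match_net(obj, ip):
    return any(ip_address(ip) in ip_network(n) for n in NETWORK_OBJECTS[obj])

def _match_svc(obj, proto, port):
    return any(p == proto and (dp is None or dp == port)
               for p, dp in SERVICE_OBJECTS[obj])

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, proto, port):
    """Return (decision, reason). Traffic staying inside one zone is never
    policed; inter-zone traffic takes the first matching rule, top down,
    and falls through to the implicit deny if nothing matches."""
    if src_zone == dst_zone:
        return "permit", "intra-zone: no policy enforcement"
    for i, r in enumerate(rules, 1):
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if (_match_net(r.src_obj, src_ip) and _match_net(r.dst_obj, dst_ip)
                and _match_svc(r.service, proto, port)):
            return r.action, f"rule {i}"
    return "deny", "implicit deny"

# Constructed sample policy: LAN may browse and resolve names, the WAN may
# reach the DMZ web server on HTTP only, and DMZ-to-LAN is explicitly denied.
POLICY = [
    Rule("LAN", "WAN", "lan-clients", "any", "http", "permit"),
    Rule("LAN", "WAN", "lan-clients", "any", "dns", "permit"),
    Rule("WAN", "DMZ", "any", "dmz-web", "http", "permit"),
    Rule("DMZ", "LAN", "any", "any", "any", "deny"),
]
```

    Note that two LAN hosts talking to each other are permitted without any rule being consulted, so anything that must be policed has to sit in a different zone.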

    Content Filtering

    > Subscription Service (requires DV Gold Package)

    > Block access to Gambling, Porn, Hate Speech, etc.

    > Manual URL Filtering

    > Custom response page

    Virtual Private Networks

    > Hardware Accelerated

    DES, 3DES, AES-256

    > Keying Modes

    Manual

    IKE + Preshared Key

    IKE + X.509 Cert

    > Site to Site VPNs

    IPSec/L2TP/PPTP

    DHCP Relay over VPN

    Tunnel on Demand or Static Tunnel

    > Client to Site VPNs

    IPSec/L2TP/PPTP

    RADIUS or Local Authentication

    > Termination to VPN Security Zone

    Intrusion Prevention System

    > The X505 has Virtual IPS Segments as opposed to the physical ports seen on the TippingPoint IPS series

    > Virtual IPS Segments must be created before IPS policing takes effect

    > IPS policy is implemented between zones, not within zones

    > By default, IPS rules apply to all configured virtual IPS segments

    > Order of Packet Inspection

    Firewall, then IPS

    System Administration

    > Administration

    Local Security Manager (LSM) Web GUI

    CLI via SSH over the network

    CLI via direct terminal (console) connection

    > Updates

    TippingPoint OS (TOS) Upgrades

    Manual and Automatic Digital Vaccine (DV) Updates

    > System Snapshots

    > System Health/Status

    > User Administration

    Define users for local administration

    Define users for VPN access

    > Privilege Groups

    Assign users to privilege groups for authorization

    > Logs/Events

    System/Audit Logs

    Traffic Event Logs

    IPS Logs

    X505 Deployment Scenario