Securing the network with a multi-purpose, adaptable next-generation firewall (NGFW)
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP TippingPoint Next Generation Firewall
HP Enterprise Security Internal Technical Pre-Sales Training
Julian Palmer, NGFW Product Manager, HP TippingPoint
Russ Meyers, SMS Product Manager, HP TippingPoint
Agenda
• Introducing HP TippingPoint Next Generation Firewall (NGFW)
• Key attributes, and how HP TippingPoint NGFW achieves them
• Seven steps to get an NGFW on the network
• Shared firewall rules with SMS
• How does NGFW help common problems?
Introducing the HP TippingPoint Next Generation Firewall
What is HP NGFW…
Simple: Easy to use, configure and install, with centralized management
Reliable: Protect the network with availability features, IPS, and automatic protection
Effective: Industry-leading security intelligence with weekly DVLabs updates
Integrated Policy: Next Gen IPS, Enterprise Firewall, DVLabs research and feeds, User and app policy
HP NGFW Feature Summary
Security
• Enterprise class zonal, stateful firewall
• Mix and match FW, app, user and IPS policy choices
• Full IPS, DV, RepDV, WebAppDV, Zero Day Initiative
• Apply IPS inspection profile based on app
• Rate limit, quarantine, trap, pcap, email actions
Certification Plans
• ICSA Firewall/VPN Enterprise, USGv6 coming
• FIPS-140-2, EAL, NSS on roadmap
Management
• HTTPS local web GUI, SSH, Full CLI, inband/outband
• Role based management, Encrypted Log Storage
• SNMPv2/v3 MIB-2, and TP Enterprise MIBs
• Integrated FW & IPS management with SMS
• ArcSight, HP NNMi and NA integration
Deployment
• NAT, routed, transparent, segment, one-armed
• IPv6 ready everywhere
• Static, RIP/RIPng, OSPFv2/v3, BGPv4, multicast
• Link aggregation, VLAN translation, Rate limiting
• IPSec site-to-site & Client-to-site, GRE/IPSec
• Active-Passive 2-node Stateful High Availability
• LDAP, Active Directory, RADIUS authentication
HP NGFW Portfolio
                                      S1050F     S3010F     S3020F     S8005F      S8010F
FW only                               500Mbps    1Gbps      2Gbps      5Gbps       10Gbps
FW + IPS @512 bytes                   250Mbps    500Mbps    1Gbps      2.5Gbps     5Gbps
New Connections/second                10,000     20,000     20,000     50,000      50,000
Concurrent Connections                250,000    500,000    1M         10M         20M
Aggregate VPN Throughput (big pkts)   250Mbps    500Mbps    1Gbps      1.5Gbps     3Gbps
VPN Tunnels                           2500       5000       7500       7500        7500
Redundant Power Supply/Fans           No         Yes        Yes        Yes         Yes
Removable Solid State Storage         8GB        8GB        8GB        32GB        32GB
Integrated I/O                        8xGbE      8xGbE,     8xGbE,     8xGbE,      8xGbE,
                                                 8xSFP      8xSFP      8xSFP,      8xSFP,
                                                                       4xSFP+      4xSFP+

Ordering information:
ESP SKU                               JC850A     JC851A     JC852A     JC853A      JC854A
HPN HW SKU                            JC882A     JC883A     JC884A     JC885A      JC886A
Reference Price                       US$4,995   US$13,995  US$18,995  US$49,995   US$70,995

HPN care pack info will follow…
1 Year of DV must be bought with HW: Premium (DV+24x7) or Premium (DV+RepDV+24x7)
Where to Deploy
• At all network edges
• Security consolidation
• Where security needs may change
[Diagram: NGFW placed at the campus LAN edge, WLAN, WAN (remote offices and branches), Internet edge (tele-workers, partners, and customers) and data center (virtual machines); IPS at the core. Placement tiers: Branch, Regional Hub, Data Center, covered by the S1050F, S3010F, S3020F, S8005F and S8010F models.]
S1050F Platform
[Front-panel diagram labels: External User Disk, GbE Data Ports, HA, Alert LED, MGMT, Console (115200, 8N1), Power LED, Status LED, On/Off]
S3010F, S3020F, S8005F, S8010F Platforms
[Panel diagram labels: User Disk, GbE Data Ports, HA, Alert LED, MGMT, SFP Ports, 10G SFP+ (S8000F), Console (115200, 8N1), Status LED, Dual Redundant PSUs, Redundant hot swap fans]
• Redundant Fan/PSU
• Hot swap fans and PSU
LED Meanings

Alert LED
  Off                     No power
  Solid Yellow            System booting. After boot this indicates a software failure.
  Flashing Yellow         A hardware problem has been detected
  Solid Green             Hardware and software are running normally

System LED
  Off                     No power
  Flashing Green          System is booting and traffic is not being processed
  Solid Green             System is running and healthy
  Solid Yellow            System is running but has degraded health (software or hardware issue)
  Flashing Green/Yellow   A software or BIOS upgrade is being performed
HP ESP Field Replacement Parts
DC power option not available. AC power supply is the same as the NX IPS.

ESP SKU   HPN SKU   ESP Description*                       Ref Price   Comments
C1J35A    JC901A    HP TippingPoint 750W AC Power Supply   US$649      Supports NGFW and NX; Replaces JC826A
C1J36A    JC903A    HP TippingPoint 32GB CFast Card        US$599      Supports NGFW and NX; Replaces JC828A
C1J34A    JC900A    HP TippingPoint 80mm Fan Module        US$190

* HPN Description is different
Simplicity
Easy and Powerful Management
Best of Breed central management with SMS
• Unified management of IPS and NGFW devices
• Keep security current with DV active update
• Advanced reporting & visualization
• SMS 4.0 adds support for NGFW
Powerful when you need it
• Role Based Access Control
• Forensic reporting
• ArcSight Logger for universal log management
• 3rd Party integrations
Easy to Use On-Box web interface
• Minimum IE8, Chrome 17, Firefox 10, Safari 5.1
• Optimized for 1440x900
Reporting and Visibility
Primary reporting tool is SMS
• Delivers Application Visibility & Utilization, Troubleshooting, Security Analysis and Capacity Planning
• Consolidated reporting from all NGFW/IPS boxes
• High performance, detailed event forensics using the integrated HP Vertica columnar database
• Customizable Dashboard for real-time data on traffic, apps and network behaviour
On-box shows summary app and traffic mix
• Identify app/traffic patterns
• App visibility is on by default
Big Data forensics with ArcSight
Easy to Deploy in the Network
Transparent
• Drop-in deployment
• Same L2 network on both sides
• Forwarded traffic based on destination MAC
• Firewall always there…
Routed
• Different L3 network on each side
• Traffic is directed via routing table
• No asymmetric routing
• No L2FB
Interface types:
Segment
• In/out port
• Bump-in-the-wire (no IP address)
• Reliability through L2FB and HA modes
Bridge
• Multiple ports
• Bcast domain
• IP address
• No L2FB
Routed
• One or more IP addresses
One Armed
• Single port in/out
• VLAN tagged
Easy to Demo
Use NGFW to easily demo security & apps:
1. Attach the “in” port of a segment to a mirror port; leave the “out” port unconnected
2. Configure a segment using these ports
3. Set the NGFW IPS policy to “IDS Mode”
4. Create a Firewall Rule to “Permit Any Any”
5. Override IPS Categories to Permit+Notify
6. Leave…
• Return later and look at the reports
• IPS events, App reports, Traffic Reports
• Add an SMS for even better reporting
Effective Security: Mitigate Today’s and Tomorrow’s Threats Using Firewall, IPS and Application Control
Security Elements
Objects
• Zones, action sets, notification contacts, services, address groups, schedules
Firewall
• Stateful Firewall, with NAT/PAT
• Application Groups, selected by category
• Mix and Match Stateful and App elements
• User ID by captive portal
• User authentication by AD, LDAP, RADIUS
Next Gen IPS
• 12 categories with recommended settings
• Zero Day, and Best of Breed DV security filters from DVLabs
• Reputation to block undesirable IPs
• Automatic DV & RepDV update
• Shared profiles with IPS devices
Integrated Policy: Controlling Who Does What to Whom, When…
Understanding FW Rules
Powerful and succinct rules
• Source/Destination based on Zone or IP subnets/ranges
• Optionally use applications, users, services and schedules
• Block, Rate limit, Trust, trap, email, pcap
• Set inspection profile per-rule
• Position most specific rules at top
Collapse multiple rules into one
• Using multiple selectors (like an “or”), where the policy/action is the same
• Negation and Exclude constructs
Edit the Default Block Rule to enable logging
No implied rules
Controlling Applications
• All web apps look the same to old FWs
• True NGFW firewall rules only contain apps/categories, not services
• NGFW will detect apps regardless of TCP port
• NGFW keeps looking for a better matching FW rule, until the app is definitive or not matched
• IPS can be applied during the “app detect phase”
• NGFW can block encrypted applications, but cannot inspect within them
[Flow diagram: Match Stateful FW Rule → IPS w/ Unknown Profile → App Detected – Change Matching FW Rule → FW Rule Specific Profile]
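The rule-matching behaviour described on the "Understanding FW Rules" and "Controlling Applications" slides (ordered rules, OR-style multi-value selectors, negation, the default block rule, and re-matching once the app is detected) as an added model in Python; it is not HP code and the policy, zone names and app names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # a selector left as None places no restriction

@dataclass
class Rule:
    name: str
    action: str                      # permit, block, rate-limit, trust, ...
    src_zones: Optional[set] = ANY   # several values in one selector act as an OR
    dst_zones: Optional[set] = ANY
    services: Optional[set] = ANY    # e.g. {"tcp/80", "tcp/443"}
    apps: Optional[set] = ANY        # app selectors need the app-detect phase first
    negate_src: bool = False         # negation construct: match when src is NOT listed
    inspection_profile: str = "Default IPS Profile"
    log: bool = True

# The implicit last rule; as the slide notes, it only logs once edited to do so.
DEFAULT_BLOCK = Rule("DEFAULT-BLOCK", "block", log=False)

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    app: Optional[str] = None        # unknown until app detection completes

def _selected(values, value):
    return values is ANY or value in values

def stateful_match(rule, flow):
    """Zone/service part of a rule: what an old stateful firewall could decide."""
    src_ok = _selected(rule.src_zones, flow.src_zone)
    if rule.negate_src:
        src_ok = not src_ok
    return src_ok and _selected(rule.dst_zones, flow.dst_zone) \
        and _selected(rule.services, flow.service)

def evaluate(rules, flow):
    """Return (rule, IPS profile, decided). First hit wins, so specific rules go
    on top. While the app is unknown and an app rule could still match, the first
    stateful-only hit applies provisionally with the unknown-app profile; call
    again once flow.app is set (assumed model of the slide's flow diagram)."""
    app_rule_pending = False
    for rule in rules:
        if not stateful_match(rule, flow):
            continue
        if rule.apps is ANY:
            if app_rule_pending and flow.app is None:
                return rule, "Unknown Profile", False
            return rule, rule.inspection_profile, True
        if flow.app is None:
            app_rule_pending = True  # a better match may appear after detection
        elif flow.app in rule.apps:
            return rule, rule.inspection_profile, True
        # app known but not in this rule: keep looking for a better match
    decided = not (app_rule_pending and flow.app is None)
    return DEFAULT_BLOCK, DEFAULT_BLOCK.inspection_profile, decided

# Constructed policy (not from the page); most specific rules first.
POLICY = [
    Rule("guest-no-p2p", "block", src_zones={"GUEST"}, dst_zones={"WAN"}, apps={"bittorrent"}),
    Rule("video-ratelimit", "rate-limit", dst_zones={"WAN"}, apps={"youtube", "netflix"}),
    Rule("lan-guest-to-wan", "permit", src_zones={"LAN", "GUEST"}, dst_zones={"WAN"}),
    Rule("non-lan-to-dmz", "block", src_zones={"LAN"}, dst_zones={"DMZ"}, negate_src=True),
]

if __name__ == "__main__":
    flow = Flow("GUEST", "WAN", "tcp/443")
    print(evaluate(POLICY, flow))   # provisional permit with Unknown Profile
    flow.app = "bittorrent"
    print(evaluate(POLICY, flow))   # re-matched to guest-no-p2p: block
```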
IPS Profiles Drive Deep Packet Inspection Policy
IPS uses security filters from DVLabs
• 7,400 filters, 2,650 security researchers
• No false positives or negatives
IPS Profiles define a combination of IPS settings
• Set Profile Deployment Mode to modify “Recommended”
• DV defines “Recommended” for all filters/categories
• Use Profile settings to override filter settings
• Create trust relationships or exclude IPs from IPS
• Simple DDOS protection via SYN proxy rate check
Use the Default Profile or define your own profiles
Extended Firewall Rule Configuration in SMS
Build a global view
Manage policy across the entire deployment
Leverage your existing IPS policy
• IPS Security Profiles
• Reputation Filters
• Shared Settings
• Named Resources
The same zone name may be built from different ports on different NGFW devices, but share the same policy
Distribute policy changes when ready
Reliability: Keeping the Network Up
Segments – TippingPoint Inline Protection
Only a Layer 2 mode
Protect against hardware or software failure
− Layer 2 Fallback (L2FB) and ZPHA bypass
− HA mode: Permit/Block, due to health or HA config
− Link Down Synchronization mode helps network convergence when one side of the segment fails
Notes
− No asymmetric mode
− A segment can only be a vertical port pair
− Firewall always runs
− No TippingPoint virtual ports/segments
2-Node High Availability Clusters
Protect against single failure, minimum downtime
2-node active/passive cluster, with optional state sync
• FW, Routing and IPS sessions sync
SMS is required for configuration sync
• Operates on a shared MAC
Nodes are connected by a back-to-back HA connection
• Traffic optionally encrypted
• Option to allow use of the management port for HA traffic if all HA links fail (default: off)
Nodes must be the same hardware and software version
SMS Cluster Configuration
1. Ensure devices are at factory defaults, except for management access
2. Acquire the devices separately into SMS
3. Click “New Cluster” in Devices view
4. Identify the cluster name and members; select settings for State Sync, HA link etc.
Cluster will form…
Use Shared Settings for networking, routing, VPN…
• Immediate commit, and “copied to Start”
Use Profiles to create shared FW rules and IPS settings, and distribute to the device
Cluster Based SW Upgrade
SMS “rolls out” the NGFW software upgrade across the cluster
• One device kept active at all times to keep the network up
• Passive device is upgraded first and rebooted
• Active device is forced passive and then upgraded
• Session state synchronized at all times
Examples…
Simplicity Example: 7 Steps to Deploying a New Next Generation Firewall…
Configuration Example
7 Steps to Setup a New HP NGFW
What you will need:
– Connected console cable and client
– Network connections made for LAN and WAN
– Minimum information:
  • SuperUser account name you want to create
  • Management port IP address
  • Interface IP addresses for LAN and WAN
For SMS:
– An installed SMS, with network access to the NGFW
Step 1: Complete Console Setup
1. Connect console – 115200, 8N1
2. Complete OBE prompts:
  • Define security requirements on SuperUser password
  • Define SuperUser account name and password
3. Log in to CLI

Console output:
Please enter a user name for the super-user account.
Spaces are not allowed.
Name: SuperUser
Do you wish to accept [SuperUser] <Y,[N]>: y
Please enter a password for the super-user account [SuperUser]:
Verify password:
Saving information... Done
Your super-user account has been created.
You may continue initial configuration by logging into your device.
After logging in, you will be asked for additional information
ngfw
login: SuperUser
Step 2: Get the NGFW on the network
1. Log in to CLI on console
2. Start a CLI edit session
3. Define the management port:
  • Set host name (optional)
  • Set IP information
  • Set default route
4. Define DNS server to perimeter router
5. Define IP interfaces
6. Make the changes live
7. Ensure the changes will apply on next boot

CLI session for the steps above:
edit
interface mgmt
host name demo_unit1
ipaddress 10.0.0.101/24
route 0.0.0.0/0 10.0.0.100
exit
dns
name-server 11.0.0.101
exit
interface ethernet1
ipaddress 10.0.0.100/24
exit
interface ethernet2
ipaddress 11.0.0.100/24
exit
commit
save-config
exit
Step 3: Acquire the Device in SMS
1. Log in to SMS
2. Click Devices > New Device
3. Enter the MGMT IP of the NGFW and the SuperUser account name/password from the console setup
Step 4: Define Security Zones
1. Click Profiles > Shared Settings > Security Zones
2. Click New… to create a Zone
3. Enter the name “LAN”
4. Click Add… to add interfaces
  • Select ethernet1
5. Repeat to create the “WAN” zone
6. Confirm zone setup
Note: The same zone can be created with different interfaces on another device
Step 5: Create a New FW Profile
1. Click Profiles > Firewall Profiles in the menu
2. Click “New”
3. Give the profile a name
4. Select Inspection Profiles (Default = Default IPS Profile)
Step 6: Create Firewall Rules
1. Expand the new Firewall profile
2. Click “New” to create a rule
3. Define the rule to permit LAN to WAN for any service
  • Action Set = “Permit+Notify”
  • Click + on Sources, select LAN
  • Click + on Destination, select WAN
Step 7: Distribute the Firewall Profile
1. Click the profile name and click “Distribute”
2. Select which NGFWs will receive the Firewall Profile
3. Wait for distribution
Note: An NGFW only runs one Firewall Profile at once
Verify
1. Using a client on the LAN, try to access the internet via a browser
2. Confirm that the web site loads
3. If it doesn’t work, check for firewall block events in SMS…
or, easier, run “show log fwBlock tail” on the console:

julian_hpar1{}show log fwBlock tail
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
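An added Python helper (not HP code) that parses the fwBlock lines shown above and flags LAN-to-WAN flows still hitting DEFAULT-BLOCK, which after Steps 6 and 7 means the permit rule never reached the device or the zones are wrong; the field layout is inferred from the two sample lines, not taken from documentation.

```python
import re
from collections import Counter

# The two fwBlock lines from the slide, preceded by the CLI prompt line that the
# parser has to skip (sample input embedded so the script runs offline).
SAMPLE_LOG = """\
julian_hpar1{}show log fwBlock tail
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
"""

# Assumed layout: timestamp, device, count, "message", severity, [action set],
# [rule], in-interface, out-interface, src ip, src port, dst ip, dst port, proto.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'(?P<device>\S+) (?P<count>\d+) "(?P<message>[^"]*)" (?P<severity>\S+) '
    r'\[(?P<action>[^\]]*)\] \[(?P<rule>[^\]]*)\] '
    r'(?P<in_if>\S+) (?P<out_if>\S+) '
    r'(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+) (?P<proto>\S+)'
)

def parse_fwblock_line(line):
    """Return a dict of fields for one fwBlock line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("count", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def parse_fwblock_log(text):
    return [r for r in (parse_fwblock_line(l) for l in text.splitlines()) if r]

def blocks_by_rule(records):
    """Count blocked flows per (rule, in-interface, out-interface) path."""
    return Counter((r["rule"], r["in_if"], r["out_if"]) for r in records)

def unexpected_default_blocks(records, lan_if, wan_if):
    """Flows entering on the LAN interface and leaving on the WAN interface that
    were dropped by DEFAULT-BLOCK: the LAN->WAN permit rule should have matched."""
    return [r for r in records
            if r["rule"] == "DEFAULT-BLOCK"
            and r["in_if"] == lan_if and r["out_if"] == wan_if]

if __name__ == "__main__":
    recs = parse_fwblock_log(SAMPLE_LOG)
    for (rule, in_if, out_if), n in blocks_by_rule(recs).items():
        print(f"{n} flow(s) blocked by {rule} on {in_if} -> {out_if}")
    for r in unexpected_default_blocks(recs, "ethernet1", "ethernet2"):
        print(f"  {r['ts']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']}")
```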
Security Effectiveness Example: SMS Configuration of Shared Firewall Rules
Configuration Example
SMS Shared Firewall Rules
Sequence:
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile
Firewall Profiles: Global Rules
1. Define zones
  • Shared across deployment
  • Assign interfaces from 1 or more NGFW devices
2. Create firewall, NAT or captive portal rule
  • Source/Destination rule criteria and zone definition determine the devices the rule may be installed on
  • Restrict location with the ‘install-on’ device setting, which provides site-specific override capability
3. Distribute profile
  • SMS automatically creates a snapshot, and displays potential distribution targets
  • Rules are distributed (potentially deleted) based on your selection
  • SMS will pull in the appropriate published IPS profiles
In Closing
HP NGFW Helps Save Time & Protect the Network
Problem: I don’t know what applications are being used
How HP TippingPoint NGFW can help: Use Visibility and IPS reports to see apps, network use and security risks

Problem: I fear something will break if an app is blocked
How HP TippingPoint NGFW can help: Block is one action – perhaps rate limit it

Problem: I need to protect network bandwidth and protect business critical apps
How HP TippingPoint NGFW can help: Block or rate limit undesirable or bandwidth hogging apps. Use Trust rules to avoid impacting critical applications

Problem: How can I control which users can use an app?
How HP TippingPoint NGFW can help: User based policy rules

Problem: I don’t have time to test/patch PCs and infrastructure
How HP TippingPoint NGFW can help: IPS with Zero Day blocks vulnerabilities, even in default settings, putting you in control of patching

Problem: How can I disrupt botnets and drive by downloads?
How HP TippingPoint NGFW can help: RepDV stops access to bad web sites & botnet activity. IPS prevents malware installation by blocking the vulnerability
Learn More
Public launch on Sept 16 – www.hp.com/go/ngfw
• ESP GA Date – 08/30
• HPN GA Date – 9/30
Resources – Published on Sales Portal and Partner Central:
• Whitepaper, data sheet, Infographic, How-To-Sell
• Training & Customer Deck
• Upcoming webinars:
  • Demo (TBD)
  • Channel Partner Sales training – August 13
  • Channel Partner Technical training – August 15 & 16
  • Tentative training – September
• Future technical deep dives and live demos
Questions: [email protected]
Thank You