Ensuring Network Security with a Multipurpose, Adaptive Next-Generation Firewall (NGFW)

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP TippingPoint Next Generation Firewall

HP Enterprise Security Internal Technical Pre-Sales Training

Julian Palmer, NGFW Product Manager, HP TippingPoint

Russ Meyers, SMS Product Manager, HP TippingPoint

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda

Introducing HP TippingPoint Next Generation Firewall (NGFW)

Key attributes, and how HP TippingPoint NGFW achieves them

Seven steps to get an NGFW on the network

Shared firewall rules with SMS

How does NGFW help common problems?

Introducing the HP TippingPoint Next Generation Firewall

What is HP NGFW…

Simple: Easy-to-use, configure and install with centralized management

Reliable: Protect the network availability features, IPS, and automatic protection

Effective: Industry leading security intelligence with weekly DVLabs updates

Integrated Policy
• Next Gen IPS
• Enterprise Firewall
• DVLabs research and feeds
• User and app policy

HP NGFW Feature Summary

Security

• Enterprise class zonal, stateful firewall

• Mix and match FW, app, user and IPS policy choices

• Full IPS, DV, RepDV, WebAppDV, Zero Day Initiative

• Apply IPS inspection profile based on app

• Rate limit, quarantine, trap, pcap, email actions

Certification Plans

• ICSA Firewall/VPN Enterprise, USGv6 coming

• FIPS-140-2, EAL, NSS on roadmap

Management

• HTTPS local web GUI, SSH, Full CLI, inband/outband

• Role based management, Encrypted Log Storage

• SNMPv2/v3 MIB-2, and TP Enterprise MIBs

• Integrated FW & IPS management with SMS

• ArcSight, HP NNMi and NA integration

Deployment

• NAT, routed, transparent, segment, one-armed

• IPv6 ready everywhere

• Static, RIP/RIPng, OSPFv2/v3, BGPv4, multicast

• Link aggregation, VLAN translation, Rate limiting

• IPSec site-to-site & Client-to-site, GRE/IPSec

• Active-Passive 2-node Stateful High Availability

• LDAP, Active Directory, RADIUS authentication

HP NGFW Portfolio

Model | S1050F | S3010F | S3020F | S8005F | S8010F
FW only | 500Mbps | 1Gbps | 2Gbps | 5Gbps | 10Gbps
FW + IPS @512 bytes | 250Mbps | 500Mbps | 1Gbps | 2.5Gbps | 5Gbps
New Connections/second | 10,000 | 20,000 | 20,000 | 50,000 | 50,000
Concurrent Connections | 250,000 | 500,000 | 1M | 10M | 20M
Aggregate VPN Throughput (big pkts) | 250Mbps | 500Mbps | 1Gbps | 1.5Gbps | 3Gbps
VPN Tunnels | 2500 | 5000 | 7500 | 7500 | 7500
Redundant Power Supply/Fans | No | Yes | Yes | Yes | Yes
Removable Solid State Storage | 8GB | 8GB | 8GB | 32GB | 32GB
Integrated I/O | 8xGbE | 8xGbE, 8xSFP | 8xGbE, 8xSFP | 8xGbE, 8xSFP, 4x SFP+ | 8xGbE, 8xSFP, 4x SFP+
Ordering information: ESP / HPN | JC850A / JC882A | JC851A / JC883A | JC852A / JC884A | JC853A / JC885A | JC854A / JC886A
HW Reference Price | US$4,995 | US$13,995 | US$18,995 | US$49,995 | US$70,995

HPN care pack info will follow…
1 Year of DV must be bought w/HW
• Premium (DV+24x7)
• Premium (DV+RepDV+24x7)

Where to Deploy

• At all network edges
• Security consolidation
• Where security needs may change

[Diagram labels: Campus LAN, Edge, WLAN, Core; Tele-workers, partners, and customers; Internet; Remote offices and branches; WAN; Data center; Virtual machines (VMs); NGFW and IPS placement markers. Positioning scale: Branch, Regional Hub, Data Center, with models S1050F, S3010F, S3020F, S8005F, S8010F.]

S1050F Platform

[Panel labels: External User Disk, GbE Data Ports, HA, Alert LED, MGMT, Console (115200, 8N1), Power LED, Status LED, On/Off]

S3010F, S3020F, S8005F, S8010F Platforms

[Panel labels: User Disk, GbE Data Ports, HA, Alert LED, MGMT, SFP Ports, 10G SFP+ (S8000F), Console (115200, 8N1), Status LED, Dual Redundant PSUs, Redundant hot swap fans]

• Redundant Fan/PSU
• Hot swap fans and PSU

LED Meanings

Alert LED
• Off: No power
• Solid Yellow: System booting. After boot this indicates a software failure.
• Flashing Yellow: A hardware problem has been detected
• Solid Green: Hardware and software are running normally

System LED
• Off: No power
• Flashing Green: System is booting and traffic is not being processed
• Solid Green: System is running and healthy
• Solid Yellow: System is running but has degraded health (software or hardware issue)
• Flashing Green/Yellow: A software or BIOS upgrade is being performed

HP ESP Field Replacement Parts

DC power option not available
AC power supply is the same as the NX IPS

ESP SKU | HPN SKU | ESP Description* | Ref Price | Comments
C1J35A | JC901A | HP TippingPoint 750W AC Power Supply | US$649 | Supports NGFW and NX; Replaces JC826A
C1J36A | JC903A | HP TippingPoint 32GB CFast Card | US$599 | Supports NGFW and NX; Replaces JC828A
C1J34A | JC900A | HP TippingPoint 80mm Fan Module | US$190 |

* HPN Description is different

Simplicity

Easy and Powerful Management

Best of Breed central management with SMS
• Unified management of IPS and NGFW devices
• Keep security current with DV active update
• Advanced reporting & visualization
• SMS 4.0 adds support for NGFW

Powerful when you need it
• Role Based Access Control
• Forensic reporting
• ArcSight Logger for universal log management
• 3rd Party integrations

Easy to Use On-Box web interface
• Minimum IE8, Chrome 17, Firefox 10, Safari 5.1
• Optimized for 1440x900

Reporting and Visibility

Primary reporting tool is SMS
• Delivers Application Visibility & Utilization, Troubleshooting, Security Analysis and Capacity Planning
• Consolidated reporting from all NGFW/IPS boxes
• High performance, detailed event forensics using integrated HP Vertica columnar database
• Customizable Dashboard for real-time data on traffic, apps and network behaviour

On-box shows summary app, traffic mix
• Identify app/traffic patterns
• App visibility is on by default

Big Data forensics with ArcSight

Easy to Deploy in the Network

Transparent
• Drop in Deployment
• Same L2 network on both sides
• Forwarded traffic based on destination MAC
• Firewall always there…

Routed
• Different L3 network on each side
• Traffic is directed via routing table
• No asymmetric routing
• No L2FB

Segment
• In/out port
• Bump-in-the-wire (no IP address)
• Reliability through L2FB and HA modes

Bridge
• Multiple ports
• Bcast domain
• IP address
• No L2FB

Routed
• One or more IP addresses

One Armed
• Single port in/out
• VLAN tagged

Easy to Demo

Use NGFW to easily demo security & apps:
1. Attach “in” port of segment to a mirror port
   Leave “out” port unconnected
2. Configure a segment using these ports
3. Set the NGFW IPS policy to “IDS Mode”
4. Create a Firewall Rule to “Permit Any Any”
5. Override IPS Categories to Permit+Notify
6. Leave…

• Return later and look at the reports
• IPS events, App reports, Traffic Reports
• Add an SMS for even better reporting

Effective Security

Mitigate Today and Tomorrow’s Threats Using Firewall, IPS and Application Control

Security Elements

Objects
• Zones, action sets, notification contacts, services, address groups, schedules

Firewall
• Stateful Firewall, with NAT/PAT
• Application Groups, selected by category
• Mix and Match Stateful and App elements
• User ID by captive portal
• User authentication by AD, LDAP, RADIUS

Next Gen IPS
• 12 categories with recommended settings
• Zero Day, and Best of Breed DV security filters from DVLabs
• Reputation to block undesirable IPs
• Automatic DV & RepDV update
• Shared profiles with IPS devices

Integrated Policy Controlling Who Does What to Whom, When…

Understanding FW Rules

Powerful and succinct rules
• Source/Destination based on Zone or IP subnets/ranges
• Optionally use applications, Users, services and schedules
• Block, Rate limit, Trust, trap, email, pcap
• Set inspection profile per-rule
• Position most specific rules at top

Collapse multiple rules into one
• Using multiple selectors (like an “or”), where the policy/action is the same
• Negation and Exclude constructs

Edit Default Block Rule to enable logging

No implied rules

Controlling Applications

• All web apps look the same to old FW’s
• True NGFW firewall rules only contain apps/categories, not services
• NGFW will detect apps regardless of TCP port
• NGFW keeps looking for a better matching FW rule, until app is definitive or not matched
• IPS can be applied during “app detect phase”
• NGFW can block encrypted applications, but cannot inspect within them

[Diagram labels: Match Stateful FW Rule; App Detected – Change Matching FW Rule; IPS w/ Unknown Profile; FW Rule Specific Profile]
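An added example, not from the original deck and not HP's implementation: a simplified Python model of the rule behaviour on the "Understanding FW Rules" and "Controlling Applications" slides (ordered first match, OR-ed values inside a selector, exclude, default block, and re-evaluation once the app is identified), plus a check for rules shadowed by a broader rule above them. The Rule and Flow classes, rule names, the "bittorrent" app label and the addresses are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = frozenset()  # an empty selector means "any"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    service: str
    app: str = "unknown"  # stays "unknown" until application detection finishes

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    services: frozenset = ANY
    apps: frozenset = ANY
    src_nets: tuple = ()      # empty means any source address
    exclude_nets: tuple = ()  # exclude construct: these sources never match

    def selectors(self):
        return (self.src_zones, self.dst_zones, self.services, self.apps)

    def matches(self, flow):
        ip = ip_address(flow.src_ip)
        if any(ip in ip_network(n) for n in self.exclude_nets):
            return False
        if self.src_nets and not any(ip in ip_network(n) for n in self.src_nets):
            return False
        values = (flow.src_zone, flow.dst_zone, flow.service, flow.app)
        # Values inside one selector are OR-ed; the selectors themselves are AND-ed.
        return all(not sel or val in sel for sel, val in zip(self.selectors(), values))

    def covers(self, other):
        """True when every flow `other` could match is matched by this rule first."""
        if self.exclude_nets:
            return False  # conservative: an exclusion may leave room for `other`
        # Subnet comparison assumes one address family (the sample data is IPv4 only).
        if self.src_nets and not (other.src_nets and all(
                any(ip_network(o).subnet_of(ip_network(s)) for s in self.src_nets)
                for o in other.src_nets)):
            return False
        return all(not mine or (theirs and theirs <= mine)
                   for mine, theirs in zip(self.selectors(), other.selectors()))

DEFAULT_BLOCK = ("DEFAULT-BLOCK", "Block + Notify")

def evaluate(rules, flow):
    """First match wins, top-down. No implied rules: unmatched traffic is blocked."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return DEFAULT_BLOCK

def shadowed(rules):
    """(later, earlier) pairs where the later rule can never be the first match."""
    return [(late.name, early.name)
            for i, late in enumerate(rules)
            for early in rules[:i] if early.covers(late)]

fs = frozenset
PERMIT, BLOCK = "Permit + Notify", "Block + Notify"
# Constructed sample policies on the LAN and WAN zones used in the setup steps.
SEPARATE = [Rule("http", PERMIT, fs({"LAN"}), fs({"WAN"}), fs({"tcp/80"})),
            Rule("https", PERMIT, fs({"LAN"}), fs({"WAN"}), fs({"tcp/443"}))]
COLLAPSED = [Rule("web", PERMIT, fs({"LAN"}), fs({"WAN"}), fs({"tcp/80", "tcp/443"}))]
BROAD_FIRST = [Rule("lan-out", PERMIT, fs({"LAN"}), fs({"WAN"})),
               Rule("no-p2p", BLOCK, fs({"LAN"}), fs({"WAN"}), apps=fs({"bittorrent"}))]
SPECIFIC_FIRST = BROAD_FIRST[::-1]
NO_GUESTS = [Rule("staff-out", PERMIT, fs({"LAN"}), fs({"WAN"}),
                  exclude_nets=("10.0.0.128/25",))]

if __name__ == "__main__":
    early = Flow("LAN", "WAN", "10.0.0.5", "tcp/6881")               # app not yet known
    late = Flow("LAN", "WAN", "10.0.0.5", "tcp/6881", "bittorrent")  # app detected
    print(evaluate(SPECIFIC_FIRST, early), evaluate(SPECIFIC_FIRST, late))
    print(evaluate(BROAD_FIRST, late), shadowed(BROAD_FIRST))
```

With the broad permit on top, the block rule is reported as shadowed and the detected app is still permitted; with the specific rule on top, the same flow moves from the permit rule to the block rule once the app is known.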

IPS Profiles Drive Deep Packet Inspection Policy

IPS uses security filters from DVLabs
• 7,400 filters, 2,650 security researchers
• No false positives or negatives

IPS Profiles define a combination of IPS settings
• Set Profile Deployment Mode to modify “Recommended”
• DV defines “Recommended” for all filters/categories
• Use Profile settings to override filter settings
• Create trust relationships or exclude IPs from IPS
• Simple DDOS protection via SYN proxy rate check

Use Default Profile or define your own profiles

Extended Firewall Rule Configuration in SMS

Build a global view
Manage policy across entire deployment
Leverage your existing IPS policy
• IPS Security Profiles
• Reputation Filters
• Shared Settings
• Named Resources

The same zone name may be built from different ports on different NGFW devices, but share same policy

Distribute policy changes when ready

Reliability: Keeping the Network Up

Segments – TippingPoint Inline Protection

Only a Layer 2 mode
Protect against hardware or software failure
− Layer 2 Fallback (L2FB) and ZPHA bypass
− HA mode: Permit/Block, due to health or HA config
− Link Down Synchronization mode helps network convergence when one side of the segment fails

Notes
− No asymmetric mode
− A segment can only be a vertical port pair
− Firewall always runs
− No TippingPoint virtual ports/segments

2-Node High Availability Clusters

Protect against single failure, minimum downtime
2-node active/passive cluster, with optional state sync
• FW, Routing and IPS sessions sync

SMS is required for configuration sync
• Operates on a shared MAC

Nodes are connected by back-to-back HA connection
• Traffic optionally encrypted
• Option to allow use of management port for HA traffic if all HA links fail (default: off)

Nodes must be the same hardware and software version

SMS Cluster Configuration

1. Ensure devices at factory defaults, except for management access
2. Acquire the devices separately into SMS
3. Click “New Cluster” in Devices view
4. Identify the cluster name, members, select settings for State Sync, HA link etc.

Cluster will form…

Use Shared Settings for networking, routing, VPN…
• Immediate commit, and “copied to Start”

Use Profiles to create shared FW rules and IPS settings, and distribute to the device

Cluster Based SW Upgrade

SMS “rolls out” NGFW Software upgrade across the cluster
• One device kept active at all times to keep network up
• Passive device is upgraded first and rebooted
• Active device is forced passive and then upgraded
• Session state synchronized at all times

Examples…

Simplicity Example: 7 Steps to Deploying a New Next Generation Firewall…

Configuration Example

7 Steps to Setup a New HP NGFW

What you will need:
– Connected Console cable and client
– Network connections made for LAN and WAN
– Minimum information:
  • SuperUser account name you want to create
  • Management port IP address
  • Interface IP addresses for LAN and WAN

For SMS:
– An installed SMS, with network access to the NGFW

Step 1: Complete Console Setup

1. Connect console – 115200, 8N1
2. Complete OBE prompts:
   • Define security requirements on SuperUser password
   • Define SuperUser account name and password
3. Log in to CLI

Please enter a user name for the super-user account.

Spaces are not allowed.

Name: SuperUser

Do you wish to accept [SuperUser] <Y,[N]>: y

Please enter a password for the super-user account [SuperUser]:

Verify password:

Saving information...Done

Your super-user account has been created.

You may continue initial configuration by logging into your device.

After logging in, you will be asked for additional information

ngfw login: SuperUser

Step 2: Get the NGFW on the network

1. Log in to CLI on console
2. Start a CLI edit setting
3. Define the management port:
   • Set host name (optional)
   • Set IP information
   • Set default route
4. Define DNS server to perimeter router
5. Define IP interfaces
6. Make the changes live
7. Ensure the changes will apply on next boot

    edit
    interface mgmt
    host name demo_unit1
    ipaddress 10.0.0.101/24
    route 0.0.0.0/0 10.0.0.100
    exit
    dns
    name-server 11.0.0.101
    exit
    interface ethernet1
    ipaddress 10.0.0.100/24
    exit
    interface ethernet2
    ipaddress 11.0.0.100/24
    exit
    commit
    save-config
    exit

Step 3: Acquire the Device in SMS

1. Log in to SMS
2. Click Devices > New Device
3. Enter the MGMT IP of the NGFW and the SuperUser account name/password from the console setup

Step 4: Define Security Zones

1. Click Profiles > Shared Settings > Security Zones
2. Click New… to create a Zone
3. Enter the name “LAN”
4. Click Add… to add interfaces
   • Select ethernet1
5. Repeat to create “WAN” zone
6. Confirm zone setup

Note: Can create same zone with different interfaces on another device

Step 5: Create a New FW Profile

1. Click Profiles > Firewall Profiles in menu
2. Click “New”
3. Give the profile a name
4. Select Inspection Profiles
   Default = Default IPS Profile

Step 6: Create Firewall Rules

1. Expand the new Firewall profile
2. Click “New” to create a rule
3. Define the rule to permit LAN to WAN for any service
   • Action Set = “Permit+Notify”
   • Click + on Sources, select LAN
   • Click + on Destination, select WAN

Step 7: Distribute the Firewall Profile

1. Click the profile name and click “Distribute”
2. Select which NGFWs will receive the Firewall Profile
3. Wait for distribution

Note:
• An NGFW only runs one Firewall Profile at once

Verify

1. Using a client on the LAN, try to access the internet via a browser
2. Confirm that the web site loads
3. If it doesn’t work, check for firewall block events in SMS…

or easier, “show fwBlock” on console:

    julian_hpar1{}show log fwBlock tail
    2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
    2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
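An added example, not part of the original deck: a Python parser for the two fwBlock lines shown above that tallies what fell through to [DEFAULT-BLOCK], which is the information needed to decide whether a permit rule is missing. The field names are an interpretation of those sample lines, not a documented log schema.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Field names are inferred from the sample lines; "field3" and "rest" have no
# meaning stated on the page and are kept as raw text.
LINE = re.compile(
    r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<device>\S+) (?P<field3>\d+) '
    r'"(?P<message>[^"]*)" (?P<severity>\S+) '
    r'\[(?P<action>[^\]]*)\] \[(?P<rule>[^\]]*)\] '
    r'(?P<in_if>\S+) (?P<out_if>\S+) '
    r'(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) '
    r'(?P<proto>\S+) \[(?P<extra>[^\]]*)\](?P<rest>.*)')

# Console output as shown on the Verify slide, prompt line included.
SAMPLE = """julian_hpar1{}show log fwBlock tail
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
"""

def parse_fwblock(text):
    """Return (events, skipped): parsed dicts and the count of non-empty lines
    that did not parse (prompt echo, truncated or malformed lines)."""
    events, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.fullmatch(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        try:
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            ev["src"], ev["dst"] = ip_address(ev["src"]), ip_address(ev["dst"])
        except ValueError:
            skipped += 1  # right shape, but a bad timestamp or address
            continue
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events, skipped

def unmatched_traffic(events):
    """Count flows that hit the default block rule, keyed by what a permit rule
    would have to cover: ingress interface, egress interface, protocol, port."""
    return Counter((e["in_if"], e["out_if"], e["proto"], e["dport"])
                   for e in events if e["rule"] == "DEFAULT-BLOCK")

if __name__ == "__main__":
    events, skipped = parse_fwblock(SAMPLE)
    for key, count in unmatched_traffic(events).most_common():
        print(count, *key)
    print("skipped lines:", skipped)
```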

Security Effectiveness Example: SMS Configuration of Shared Firewall Rules

Configuration Example

SMS Shared Firewall Rules

Sequence:
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile

Firewall Profiles: Global Rules

1. Define zones

2. Create firewall, NAT or captive portal rule

3. Distribute profile

• Shared across deployment

• Assign interfaces from 1 or more NGFW devices

Firewall Profiles: Global Rules

1. Define zones

2. Create firewall, NAT or captive portal rule

3. Distribute profile

• Source/Destination rule criteria and zone definition determines the devices the rule may be installed on

• Restrict location with ‘install-on’ device setting, provides site specific override capability

Firewall Profiles: Global Rules

1. Define zones

2. Create firewall, NAT or captive portal rule

3. Distribute profile

• SMS automatically creates snapshot, and displays potential distribution targets

• Rules distributed (potentially deleted) based on your selection

• SMS will pull in appropriate published IPS profiles

In Closing

HP NGFW Helps Save Time & Protect the Network

Problem | How HP TippingPoint NGFW can help…
I don’t know what applications are being used | Use Visibility and IPS reports to see apps, network use and security risks
I fear something will break if app is blocked | Block is one action – perhaps rate limit it
I need to protect network bandwidth and protect business critical apps | Block or rate limit undesirable or bandwidth hogging apps. Use Trust rules to avoid impacting critical applications
How can I control which users can use an app? | User based policy rules
I don’t have time to test/patch PCs and infrastructure | IPS with Zero Day blocks vulnerabilities, even in default settings, putting you in control of patching
How can I disrupt botnets and drive by downloads? | RepDV stops access to bad web sites & botnet activity. IPS prevents malware installation through blocking the vulnerability

Learn More

Public launch on Sept 16 – www.hp.com/go/ngfw
• ESP GA Date – 08/30
• HPN GA Date – 9/30

Resources – Published on Sales Portal and Partner Central:
• Whitepaper, data sheet, Infographic, How-To-Sell
• Training & Customer Deck
• Upcoming webinars:
  • Demo (TBD)
  • Channel Partner Sales training – August 13
  • Channel Partner Technical training – August 15 & 16
  • Tentative training - September
• Future technical deep dives and live demos

Questions: [email protected]

Thank You