
IBM Security

Network Protection XGS Open Mic webcast #5 – May 20, 2015

IBM® Security Network Protection XGS Initial Setup and Deployment

Panelists
• Carlos Caballero – SWAT Security Consultant
• Jeff DiCostanzo - Team Lead Accelerated Value Program Support Engineer
• Danitza Villaran-Rokovich – Level 2 Technical Support Senior Engineer
• Edward Leisure – Level 2 Technical Support Engineer
• Eric York – XGS, Sales Representative
• Paul Ermerins – Network Protection XGS Quality Assurance
• Moazzam Khan – Intrusion Prevention Software Engineer
• Steven McKinney – Level 2 Technical Support Team Lead
• Paul Griswold – XGS, Program Manager
• Thomas Gray – Level 2 Technical Support Senior Manager

Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
• USA: 866-803-2145
• USA toll: 1-210-795-1099
• Participant passcode: 1322112
• Slides & additional dial-in numbers: http://bit.ly/ibm-openmic-XGS_20150520-doc
NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any
statements that you may make during the call, as well as to IBM's use of such recording in any and
all media, including for video postings on YouTube. If you object, please do not connect to this call.
© 2015 IBM Corporation

To provide guidance and avoid pitfalls when setting up and deploying the XGS appliance.


Agenda

• Initial Setup
• Overview of Security Policies
• Deployment Scenarios
• Questions


Initial Setup


Pre-requisites

• License keys (KeyLib6)
• Management IP address, subnet mask, default gateway and DNS servers
• TCP port 3995 open from the XGS to the Agent Manager
• TCP port 443 open to the XGS from the SiteProtector Console
• Access to the Internet (needed for X-Force content and database updates)
• Reference: http://www.ibm.com/support/doc/view.wss?uid=swg21437057

Configuration Wizard

Use the Local Management Interface (LMI) or a terminal emulator program to perform the following steps:

1. Log in with the default credentials (user admin, password password); these are replaced in step 4
2. Accept the Software License Agreement
3. Optionally, enable FIPS mode
4. Change the default password
5. Change the hostname
6. Configure the management interface
7. Configure DNS
8. Configure the date and time

Modules and Features

Module           Delivered as
XPU              Firmware
IP Reputation    IP Reputation DB
Web Application  Application DB
URL Category     Application DB

Also licensed separately: SSL Inspection.

Flexible Performance Licensing (XGS5100):

License   Inspected traffic
Base FPL  base level
FPL1      2.5 Gb/s
FPL2      4.0 Gb/s
FPL3      5.5 Gb/s
FPL4      7.0 Gb/s

Uploading Licenses

• Navigate to Manage System Settings->Licensing and Performance
• Upload a KeyLib6 license for each required feature
• Each license is uploaded individually

Update Status

• Navigate to Manage System Settings->Overview
• Shows the current firmware and available updates
• Shows the current X-Force content and available updates
• Shows the status of all licenses and performance levels
• Uploading a license triggers the update process for the corresponding database. Possible status values:
  - Not Licensed
  - Waiting: licensed but no Internet connection
  - Downloading: updating the database
  - Ready: update completed

Databases Configuration

• Application Database settings: navigate to Manage System Settings->Manage Application Databases
• Updates are downloaded automatically for both the Application and IP Reputation databases
• Allows direct feedback to X-Force on incorrect categorization of URL, Web Application or IP Reputation data
• Includes IP Reputation information (categorization such as spam or malware, and score) as part of the Security Event payload
• Proxy credentials for Internet access are configured here

Firmware Upgrade & Partitions

• Navigate to Manage System Settings->Available Updates
• Firmware updates are installed in the partition that is not active (Partition 2 in the example, with Partition 1 active). After a reboot the updated partition becomes the active partition.
• Customers can select which partition will be active at any given time, so the previously active partition remains available if the new firmware has to be backed out.

Agent Manager Communication

• Registration with IBM SiteProtector is done through the Agent Manager
  - By default, communication is encrypted using SSL
  - Authentication can be added as another security level
  - Uses TCP port 3995 to post Security Events and to apply Security Policies
  - Can communicate with multiple Agent Managers (redundancy)

Groups

• Preparing a grouping hierarchy
  - Groups can be defined by functional area, network, location, customer, etc.
  - Groups are defined in the Agent View
  - To add a new group, right-click a parent group and select New->Group
  - Security Policies can be applied at a parent or child level
• Grouping hierarchy benefits:
  - Allows granular control of Security Policies
  - Facilitates analysis of Security Events
  - Facilitates reporting

Group Settings

• Configuring a group
  - Right-click the Group and select Manage Policy
  - In the Agent Type section select IBM Security Network Protection
  - Select the Default Repository
  - Right-click the Group Settings policy
  - Select Open Latest Version...

Group Settings

• Configuring a Group Settings policy
  - Select the corresponding Agent Manager for this group
  - Add an authentication account for an extra level of security
  - Enter proxy settings if behind a proxy

Deploying a Group Settings Policy

• Deploying the Group Settings policy
  - Check the deploy box to deploy the new version of this policy
  - Use the Targets tab to specify which groups the new policy will be applied to

XGS Registration with IBM SiteProtector

• Registering the XGS through the LMI
  - Navigate to Manage System Settings->System Settings->SiteProtector Management
  - Specify the SiteProtector (Agent Manager) settings
  - Specify the Agent Group Name
  - Enter the authentication account for an extra level of security

Registration with IBM SiteProtector – Agent View

• Viewing the XGS agent in the IBM SiteProtector Console
  - The XGS agent is displayed under the corresponding group
  - Health Status reports the state of System, Security and Network
  - Last Contact reports the last contact time of the agent
  - Update Status reports whether updates are available
  - Version reports the netengine and firmware version and the current X-Force content
  - Performance reports the licensed performance level
  - Status reports the state of agent communication and policy configuration:
    • Active: communication and policy configuration OK
    • Active with Errors: policy configuration errors or analysis disabled
    • Offline: no communication with the Agent Manager
    • Not Responding: N/A


Overview of Security Policies


Policy Comparison

• XGS vs GX policies, compared by functionality

Functionality               GX Policy            XGS Policy
Segmentation, granularity   Protection Domains   Network Access (Network Objects)
Inspection                  Security Events      Intrusion Prevention (IPS Objects)
X-Force Protection Levels   Virtual Patch        Intrusion Prevention (IPS Objects)
Blocking                    Firewall             Network Access
Monitoring services         Connection Events    Network Access
Tuning                      Response Filters     IPS Event Filters

GX - Protection Domains

• Located under Shared Objects
• A Protection Domain provides more granular control over how policies affect different network segments, as if several virtual appliances were monitoring the network
• The default Global Protection Domain, matching ANY, is always enabled
• Additional Protection Domains can be created by:
  - Protection Interface
  - VLAN
  - IP address (single, range, list, CIDR)

GX - Virtual Patch

• Located under Shared Objects
• Applies to all Security Events policies in the current repository
• Controls the Protection (Threat) Level of the Security Events policies deployed in the current repository. There are 3 levels:
  - Moderate (default)
  - Aggressive
  - Paranoid
• Controls the X-Force recommended blocking based on XPUs

Threat Protection Levels

Moderate: Enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.

Aggressive: Enables a high percentage of attack events for a high level of security protection with a chance of false alarms. The aggressive policy is designed for users who perform testing and tuning before IPS deployment, and who closely monitor security events and occasionally fine-tune the IPS configuration.

Paranoid: Enables almost all attack events (including events from the latest XPUs) for a very high level of security protection with a significant chance of false alarms. The paranoid policy is designed for users who perform considerable testing and tuning before IPS or XPU deployment, and who closely monitor security events and frequently fine-tune the IPS configuration.

Sample summary for XPU 34.040:

XPU 34.040                           Moderate   Aggressive   Paranoid
Total Security Events                5303       5303         5303
Security Events (Attacks)            4801       4801         4801
Security Events (Audits)             502        502          502
Security Events (Enabled)            3319       4278         4754
Security Events (Enabled and Block)  3308       4274         4752

GX - Security Events

• Part of the Default Repository
• Protection Domains allow the creation of custom Security Events policies
• Default Protection Domain (Global):
  - Matches ANY traffic
  - Uses all Security Events as defined by X-Force
  - Applies blocking responses as defined in the Virtual Patch policy
• Custom Protection Domain (example: Demo):
  - Matches traffic for specific addresses
  - Contains a subset of Security Events
  - Security Events responses may differ from the X-Force defaults

XGS - Intrusion Prevention

• Located under Shared Objects
• Available for multiple NAP policies across multiple groups in the current repository
• Intrusion Prevention policy:
  - The latest version is always deployed
  - Only edited from here
  - Contains multiple IPS Objects
  - Can be used across multiple NAP rules
• IPS Objects are used to enable a set of the Security Events
• The "Default IPS" object contains all the Security Events as defined by X-Force with their corresponding responses. It is used by the default NAP rule.
• Other predefined IPS Objects are derived from the categorizations found in the PAM help file.

IPS Objects Settings

• The Trust X-Force Defaults section contains:
  - Protection Level Signatures
  - Protection Level Blocking
• Protection Level:
  - None
  - Moderate
  - Aggressive (default)
  - Paranoid
• By default Security Events are stored locally. When registered with SiteProtector, all events are sent to the Agent Manager.
• Additional Response Objects include:
  - SNMP
  - Email
  - Remote Syslog (SIEM)
• Content Update Trust Level defines the recommended X-Force responses for a specific XPU

IPS Objects Content

• Select an IPS Object in the left pane (available IPS Objects); its Security Events are displayed in the right pane, which offers enhanced filtering

Security Events Configuration

XGS – Network Access Policy

• Configuring a Network Access Policy (NAP)
  - Open the SiteProtector Console in the Policy View
  - In the Agent Type section select IBM Security Network Protection
  - Select the Default Repository
  - Right-click the Network Access policy
  - Select Open Latest Version...

Network Access Policy – Network Objects

Network Objects are used to match a specific traffic type:

• Address
  - Address: Host, Range, List or Subnet (similar to a Protection Domain)
  - Geolocation
• Applications
  - Web Applications such as Facebook, YouTube, etc. and their actions (post, chat, etc.)
  - Non-Web Applications (LDAP, Kerberos, DHCP, etc.)
  - IP Reputation (malware, spam, C&C, anonymous proxies, dynamic IPs)
  - URL Categories (lists)
• Inspection
  - IPS Objects
• Identity
  - Local
  - Remote Directory
• Responses
  - SNMP, Email, Log (local or remote)
• Schedule

Network Access Policy - Rules

• Order defines the priority of the rule; rules are processed in Order and the first match wins
• Source and Destination are based on Address Objects
• Application can be based on Web or Non-Web applications, URL Category or list, or IP Reputation
• Action can be:
  - Accept
  - Reject
  - Drop
  - Authenticate
• Response defines what to do when a match is made:
  - SNMP
  - Email
  - Log (local or SIEM)
  - Pcap (for accepted traffic)
• Inspection defines the IPS Object to be applied for inspection of the matched traffic
• The only rule available out of the box accepts all traffic and applies the Default IPS policy object for inspection
• By default Network Access events are not logged (no Response)

Overview of Security Policies – Deploying NAP

• Deploying the Network Access Policy
  - Check the deploy box to deploy the new version of this policy
  - Use the Targets tab to specify which groups the new policy will be applied to
  - Example: XGS appliances reporting to the ATLANTA group will inspect all traffic using the default policy
Deployment Scenarios and Use Cases


Deployment Scenarios – Use Cases

• The following slides provide guidance on deployment and configuration scenarios:
  - Monitoring vs Inline mode
  - Network Interface Modules (NIMs)
  - Blocking traffic
  - Monitoring services
  - Excluding traffic from inspection
  - Filtering Security Events
  - Custom IPS Objects
  - Monitoring malicious activity
  - One policy, multiple environments

Deployment Scenarios – Monitoring vs Inline Mode

• From the Policy View go to Agent-Specific-Policies->Protection Interfaces
• The Inspection Mode determines how the XGS inspects traffic on a pair of ports (Protection Pair):
  - Passive Monitoring: both ports of the pair are configured as Monitoring. Same inspection capabilities as in the other modes.
  - Inline (Simulation or Protection): the ports connect to the upstream and downstream devices. Simulation mode is the recommended setting for a new deployment.

Deployment Scenarios – Network Interface Modules (NIMs)

• Install the appropriate NIM before power up. Do not remove a NIM while the appliance is on.
• From the Policy View go to Agent-Specific-Policies->Protection Interfaces
• Available modules:
  - 8-port RJ-45 copper with built-in bypass
  - 4-port fixed fiber (SX) with built-in bypass
  - 4-port fixed fiber (LX) with built-in bypass
  - 2-port 10GbE (SR) with built-in bypass
  - 2-port 10GbE (LR) with built-in bypass
  - 4-port SFP (requires transceivers)
  - 2-port 10GbE SFP+ (requires transceivers)
• Software bypass (during XPU updates): traffic is forwarded unanalyzed
• Hardware bypass (firmware upgrade, power failure) can be configured to:
  - Fail-Open
  - Fail-Close
  - Auto (defaults to Fail-Open)

Use Cases – Blocking Traffic

Scenario 1 – Block access to a server from a specific host

Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (IP address 10.10.10.10, service SSH, URL www.app1.com)

1. Create two Host Address Objects: PC1 and SRV1
2. Create a NAP rule with higher priority (lower Order) than the default rule, with Source PC1 and Destination SRV1
   - Action = Reject (block and send RST)
   - Response: log the packet on a match (the rule is shown as Rule#10)
   - Schedule: no Schedule object, which equals ALWAYS
3. All other traffic uses the default rule

Use Cases – Monitoring Access to a Service

Scenario 2 – Monitor access to a service during business hours

Topology: PC1 (10.10.10.1) -> XGS -> SRV1 (IP address 10.10.10.10, service SSH, URL www.app1.com)

• Create a NAP rule with higher priority (lower Order) than the previous rule
• Use the predefined Non-Web Application object for SSH
• Use the Business Hours Schedule object to define when the rule is valid
• Action = Accept and process for inspection; the traffic is still monitored using the Default IPS Object
• Response: log the packet on a match (Rule#10)
• Note that the Order numbers of the existing rules adjust automatically

Use Case – Excluding Traffic from Inspection

Scenario 3 – Filtering traffic from a vulnerability scanner

Topology: Scanner (10.10.10.2) -> XGS -> SRV1 (IP address 10.10.10.10, service SSH, URL www.app1.com)

1. Create an IPS Object with Protection Level None (changes are applied automatically)
2. Create a NAP rule with higher priority (lower Order) than the default rule matching the scanner's address, with Action = Accept
3. Leave the Inspection object of the rule blank, so the matched traffic is passed without IPS inspection

Use Case – IPS Event Filters

Scenario 4 – Filtering a Security Event

Topology: Internal Network (192.168.1.0/24) -> XGS -> SRV1 (IP address 10.10.10.10, service SMB, URL www.app1.com). Event to filter: SMB_Empty_Password

1. Create a Network Object of type Address Subnet for the internal network
2. In the IPS Event Filter policy, create a rule with the Ignore action and select the Security Events to be ignored from inspection
3. Apply the filter to any type of traffic

Use Case – Custom IPS Objects

Scenario 5 – Managing custom IPS Objects

Topology: Internal Network (192.168.1.0/24) and 3rd Party Network (10.10.100.0/24) -> XGS -> SRV1 (IP address 10.10.10.10, service SMB, URL www.app1.com)

1. Create a Network Object of type Address Subnet
2. Create an IPS Object with Protection Level Paranoid
3. Create a NAP rule with higher priority than the default rule, using the Paranoid IPS Object as its inspection object

Use Case – Monitoring Malicious Activity

Scenario 6 – Monitoring malware activity

Topology: Internal Network (192.168.1.0/24) -> XGS -> Malware (external)

1. Create an IP Reputation Object with category Malware
2. Adjust the threshold: the X-Force score should be 80% or more for the rule to match
3. Create a NAP rule with higher priority (lower Order) than the default rule
   - Action = Accept and process for inspection
   - Inspection: apply a Paranoid inspection policy
   - Response: log the packet on a match (Rule#10)
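Scenarios 1, 2, 3, 4 and 6 above all rest on the same mechanics: NAP rules are evaluated in Order with the first match winning, the matched rule's Action and Inspection object decide whether a flow is blocked or handed to the IPS, and IPS Event Filters suppress individual events afterwards. The following Python model is an added example written for this page; it is not code from IBM or from the XGS appliance. The object names, the rule Orders, the Business Hours definition (Mon-Fri 08:00-18:00), the 0-100 reputation score scale and the flow attributes are assumptions made for the example. The Scenario 1 block rule is given the lowest Order here so that the Scenario 2 monitoring rule cannot pre-empt it.

```python
"""Model of XGS Network Access Policy (NAP) rule processing and IPS Event Filters.
Added example for this page, not IBM or XGS appliance code. Rules are evaluated in
Order (lowest first, first match wins); objects left unset on a rule match anything.
Object names, rule Orders, the score scale and the schedule are assumptions."""
import datetime as dt
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Address:
    networks: tuple  # Host, Subnet, Range or List, held as CIDR strings

    def matches(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.networks)

@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset  # e.g. Business Hours: Mon-Fri 08:00-18:00 (assumed)
    start: dt.time
    end: dt.time

    def active(self, when: dt.datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass(frozen=True)
class Reputation:
    category: str   # IP Reputation category, e.g. Malware
    threshold: int  # minimum X-Force score, 0-100 scale assumed

@dataclass(frozen=True)
class Rule:
    order: int
    action: str                                # Accept, Reject or Drop
    src: Optional[Address] = None
    dst: Optional[Address] = None
    application: Optional[str] = None          # Non-Web Application object name
    reputation: Optional[Reputation] = None
    schedule: Optional[Schedule] = None        # None means ALWAYS
    inspection: Optional[str] = "Default IPS"  # IPS Object; None = not inspected
    log: bool = False                          # Log response on match

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    application: str
    when: dt.datetime
    rep_category: Optional[str] = None  # looked up in the IP Reputation database
    rep_score: int = 0

# Out-of-the-box rule: accept everything, inspect with Default IPS, no response.
DEFAULT_RULE = Rule(order=10_000, action="Accept")

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.src and not rule.src.matches(flow.src):
        return False
    if rule.dst and not rule.dst.matches(flow.dst):
        return False
    if rule.application and rule.application != flow.application:
        return False
    if rule.reputation and not (flow.rep_category == rule.reputation.category
                                and flow.rep_score >= rule.reputation.threshold):
        return False
    return rule.schedule is None or rule.schedule.active(flow.when)

def evaluate(rules, flow: Flow):
    """Return (order, action, inspection, logged) for the first matching rule."""
    ordered = sorted(rules, key=lambda r: r.order) + [DEFAULT_RULE]
    rule = next(r for r in ordered if rule_matches(r, flow))
    # Only accepted traffic is handed to the IPS object for inspection.
    inspection = rule.inspection if rule.action == "Accept" else None
    return rule.order, rule.action, inspection, rule.log

def event_reported(event: str, src_ip: str, filters) -> bool:
    """Apply IPS Event Filter rules with the Ignore action: (Address, {events})."""
    return not any(event in names and addr.matches(src_ip) for addr, names in filters)

# Constructed sample policy following the use-case slides.
PC1 = Address(("10.10.10.1/32",))
SRV1 = Address(("10.10.10.10/32",))
SCANNER = Address(("10.10.10.2/32",))
INTERNAL = Address(("192.168.1.0/24",))
BUSINESS_HOURS = Schedule(frozenset(range(5)), dt.time(8), dt.time(18))
POLICY = [
    Rule(1, "Reject", src=PC1, dst=SRV1),                                # Scenario 1
    Rule(2, "Accept", src=SCANNER, inspection=None),                      # Scenario 3
    Rule(3, "Accept", dst=SRV1, application="SSH",
         schedule=BUSINESS_HOURS, log=True),                              # Scenario 2
    Rule(4, "Accept", src=INTERNAL, reputation=Reputation("Malware", 80),
         inspection="Paranoid", log=True),                                # Scenario 6
]
EVENT_FILTERS = [(INTERNAL, {"SMB_Empty_Password"})]                      # Scenario 4
BUSINESS_DAY = dt.datetime(2015, 5, 19, 10, 0)  # Tuesday 10:00, inside Business Hours
WEEKEND = dt.datetime(2015, 5, 23, 10, 0)       # Saturday 10:00, outside Business Hours

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("10.10.10.1", "10.10.10.10", "SSH", BUSINESS_DAY)))
```

Feeding candidate flows through evaluate() before committing a rule Order in SiteProtector shows which rule would actually fire: the scanner is accepted uninspected only because its rule sits above the SSH monitoring rule, and an outside-business-hours SSH session falls through to the default rule, where it is inspected but not logged. The event filter operates after the NAP decision; the Ignore action suppresses the SMB_Empty_Password event from the internal subnet without changing whether the flow was accepted.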
Deployment Scenarios – One Policy Multiple Environments

Scenario 7 – One global IPS policy across multiple environments

Topology: Customer Network 1 (XGS) and Customer Network 2 (XGS), both reporting to SiteProtector NEW YORK

1. Create a custom IPS Object policy to use across all environments
2. Create a Network Access policy at the top level to accept all traffic and inspect it using the custom (or Default) IPS Object
3. Create custom IPS Event Filter policies for tuning based on the requirements of each environment, using the same custom (or Default) IPS Object

Questions for the panel?

Now is your opportunity to ask questions of our panelists.

To ask a question now:
• Press *1 to ask a question over the phone, or
• Type your question into the SmartCloud Meetings chat

To ask a question after this presentation:
• You are encouraged to participate in our dW Answers XGS forum topic, "How do I deploy and configure the XGS?"
  URL: https://developer.ibm.com/answers/questions/190147/how-do-i-deploy-and-configure-the-xgs.html
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.