Panelists
• Carlos Caballero – SWAT Security Consultant
• Jeff DiCostanzo – Team Lead Accelerated Value Program Support Engineer
• Danitza Villaran-Rokovich – Level 2 Technical Support Senior Engineer
• Edward Leisure – Level 2 Technical Support Engineer
• Eric York – XGS, Sales Representative
• Paul Ermerins – Network Protection XGS Quality Assurance
• Moazzam Khan – Intrusion Prevention Software Engineer
• Steven McKinney – Level 2 Technical Support Team Lead
• Paul Griswold – XGS, Program Manager
• Thomas Gray – Level 2 Technical Support Senior Manager
Agenda
Initial Setup
Deployment Scenarios
Questions
Pre-requisites
http://www.ibm.com/support/doc/view.wss?uid=swg21437057
Configuration Wizard
5 Change Hostname
7 Configure DNS
SSL Inspection
Flexible Performance Licensing (XGS5100)
© 2015 IBM Corporation
IBM Security
Uploading Licenses
Navigate to Manage System Settings->Licensing and Performance
Upload KeyLib6 License for each required feature
Update Status
Databases Configuration
TCP 3995 (agent to Agent Manager communication)
Agent Manager
Groups
Group Settings
Configuring a Group
- Right Click on the Group and select Manage Policy
- In the Agent Type section select IBM Security Network Protection
Group Settings
Specify Agent
Specify SiteProtector Manager settings
Group Name
- XGS agent displayed under corresponding group
- Health Status reports state for System, Security and Network
- Reports the last contact time of the agent
- Update Status reports if there are available updates
Policy Comparison
GX - Protection Domains
Protection Domain
• Provide more granular control over how policies affect different network segments
• One appliance behaves like several virtual appliances monitoring the network
GX - Virtual Patch
Controls X-Force recommended blocking based on XPUs (X-Press Updates)
Moderate: Enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.

Aggressive: Enables a high percentage of attack events for a high level of security protection with a chance of false alarms. The aggressive policy is designed for users who perform testing and tuning before IPS deployment, and who closely monitor security events and occasionally fine-tune the IPS configuration.

Paranoid: Enables almost all attack events (including events from the latest XPUs) for a very high level of security protection with a significant chance of false alarms. The paranoid policy is designed for users who perform considerable testing and tuning before IPS or XPU deployment, and who closely monitor security events and frequently fine-tune the IPS configuration.
GX - Security Events
Protection Level
• None
• Moderate
• Aggressive (Default)
• Paranoid
Select the IPS Object in the left pane. Security Events are displayed in the right pane.
• Address
  Address Host, Range, List or Subnet (similar to Protection Domain)
  Geolocation
• Applications
  Web Applications such as Facebook, YouTube, etc. and their actions (post, chat, etc.)
  Non-Web Applications (LDAP, Kerberos, DHCP, etc.)
  IP Reputation (malware, spam, C&C, anonymous proxies, dynamic IPs)
  URL Categories (Lists)
• Inspection
  IPS Objects
• Identity
  Local
  Remote Directory
• Responses
  SNMP, Email, Log (Local or Remote)
• Schedule
Order defines the priority of the rule.
Processing:
- The only rule available by default accepts all traffic and applies the Default IPS policy object for inspection.
- By default, Network Access events are not logged (No Response).
Install the appropriate NIM (Network Interface Module) before powering up. Do not remove it while the appliance is powered on.
From Policy View go to Agent-Specific-Policies->Protection Interfaces
4-port SFP (requires transceivers)
2-port 10GbE SFP+ (requires transceivers)
Hardware Bypass (firmware upgrade, power failure) – can be configured to:
• Fail-Open
• Fail-Close
• Auto (defaults to Fail-Open)
Fail-Open keeps the link up but passes traffic uninspected while the appliance is in bypass; Fail-Close blocks traffic instead, preserving enforcement at the cost of availability.
- Create 2 Host Address Objects: PC1 and SERV1
- Create a NAP Rule with higher priority (lower Order) than the previous rule
- Uses a predefined Non-Web Application Object for SSH
- Log packet if match against Rule#10
- Use Business Hours Schedule Object to define when the rule is valid
- Note that Order numbers for existing rules adjust automatically
- Action Rule = Accept and process for inspection
- Traffic still monitored using Default IPS Object
Changes applied automatically
- Create a Network object of type Address Subnet
- Select Security Events to be ignored from inspection
- Create a Network object of type Address Subnet: Internal Network 192.168.1.0/24
- Create an IP Reputation Object with Category Malware
- Adjust the Threshold: X-Force score should be 80% or more for the rule to match
- Apply a Paranoid inspection policy
- NAP Rule with higher priority (lower Order) than the default rule
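The following Python is an added example, not code from the IBM deck or from the XGS product. It models the lab scenarios above as first-match Network Access Policy evaluation: rule Order as priority, a Business Hours schedule object, a predefined SSH non-web application object, an IP Reputation object with an X-Force score threshold, and the implicit default rule (Accept, Default IPS object, no response). The addresses, rule names, the Business Hours definition, the SSH-to-port mapping, the reputation scores and the exact threshold comparison are constructed assumptions; real XGS matching semantics may differ in detail.

```python
# Added example (not from the IBM deck): a small model of XGS-style Network
# Access Policy first-match evaluation for the lab scenarios above. Addresses,
# rule names, the Business Hours definition, the SSH port mapping and the
# reputation scores are constructed assumptions, not product data.
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

Reputation = Tuple[str, int]   # (category, X-Force score 0-100)
APPLICATIONS = {"SSH": 22}     # predefined Non-Web Application object, reduced to a port

def business_hours(when: datetime) -> bool:
    """Schedule object: Monday to Friday, 09:00-17:00 (assumed definition)."""
    return when.weekday() < 5 and time(9, 0) <= when.time() < time(17, 0)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    when: datetime
    dst_reputation: Optional[Reputation] = None   # reputation lookup for dst

@dataclass
class Rule:
    order: int                         # lower Order = higher priority
    name: str
    action: str = "Accept"
    inspection: str = "Default IPS"    # IPS object applied to accepted traffic
    response: Optional[str] = None     # None = event not logged (the default)
    src: Optional[IPv4Network] = None  # Address object (Host or Subnet); None = any
    dst: Optional[IPv4Network] = None
    application: Optional[str] = None
    schedule: Optional[Callable[[datetime], bool]] = None
    reputation: Optional[Reputation] = None   # (category, minimum score)

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ip_address(f.src) not in self.src:
            return False
        if self.dst is not None and ip_address(f.dst) not in self.dst:
            return False
        if self.application and APPLICATIONS[self.application] != f.dst_port:
            return False
        if self.schedule is not None and not self.schedule(f.when):
            return False
        if self.reputation is not None:
            if f.dst_reputation is None:
                return False
            category, score = f.dst_reputation
            # Lab threshold semantics: category must match and score must be >= threshold
            if category != self.reputation[0] or score < self.reputation[1]:
                return False
        return True

# The only rule present out of the box: accept all, Default IPS object, no response.
DEFAULT_RULE = Rule(order=10**9, name="default")

def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Insert at new.order; rules at or below that slot shift down by one,
    mirroring how existing Order numbers adjust automatically in the editor."""
    shifted = [replace(r, order=r.order + 1) if r.order >= new.order else r
               for r in rules]
    return sorted(shifted + [new], key=lambda rule: rule.order)

def evaluate(rules: List[Rule], f: Flow) -> Rule:
    """First match in ascending Order wins; otherwise the default rule applies."""
    for rule in sorted(rules, key=lambda rule: rule.order):
        if rule.matches(f):
            return rule
    return DEFAULT_RULE

def build_lab_policy() -> List[Rule]:
    pc1, serv1 = ip_network("192.168.1.10/32"), ip_network("192.168.1.20/32")
    rules = [Rule(order=10, name="Internal to any", src=ip_network("192.168.1.0/24"))]
    # Scheduled SSH rule placed ahead of the existing rule (same Order number, so it shifts).
    rules = insert_rule(rules, Rule(order=10, name="SSH PC1->SERV1", response="Log packet",
                                    src=pc1, dst=serv1, application="SSH",
                                    schedule=business_hours))
    # Malware-reputation rule: X-Force score >= 80, Paranoid inspection, highest priority.
    rules = insert_rule(rules, Rule(order=1, name="Malware reputation", inspection="Paranoid",
                                    response="Log", reputation=("Malware", 80)))
    return rules

# Constructed sample flows (2015-06-01 is a Monday, 2015-06-06 a Saturday).
MONDAY, SATURDAY = datetime(2015, 6, 1, 10, 0), datetime(2015, 6, 6, 10, 0)
SAMPLE_FLOWS: Dict[str, Flow] = {
    "ssh_business_hours": Flow("192.168.1.10", "192.168.1.20", 22, MONDAY),
    "ssh_weekend": Flow("192.168.1.10", "192.168.1.20", 22, SATURDAY),
    "malware_85": Flow("10.0.0.5", "203.0.113.5", 443, MONDAY, ("Malware", 85)),
    "malware_80": Flow("10.0.0.5", "203.0.113.5", 443, MONDAY, ("Malware", 80)),
    "malware_79": Flow("10.0.0.5", "203.0.113.5", 443, MONDAY, ("Malware", 79)),
    "spam_95": Flow("10.0.0.5", "203.0.113.9", 25, MONDAY, ("Spam", 95)),
}

def run_lab_scenarios() -> Dict[str, Tuple[str, str, str, Optional[str]]]:
    """Return (matched rule, action, inspection, response) for every sample flow."""
    rules = build_lab_policy()
    return {name: (r.name, r.action, r.inspection, r.response)
            for name, f in SAMPLE_FLOWS.items() for r in [evaluate(rules, f)]}
```

Call run_lab_scenarios() to see the verdicts. Two points the slides state but do not show are visible here: the SSH rule only logs during Business Hours, and outside that window the same flow falls through to the next rule and is still inspected by the Default IPS object rather than silently skipped; and the reputation threshold is a boundary, so a score of 80 matches while 79 does not. Inserting a rule at an occupied Order number pushes the existing rules down, which is why the final list has Orders 1, 11 and 12 rather than 1, 10 and 10.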
Deployment diagram: an XGS in Customer Network 1 and an XGS in Customer Network 2, both managed by SiteProtector; site label NEW YORK.
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.