Ensuring network security with the multi-purpose adaptable next-generation firewall (NGFW)
1. HP TippingPoint
Next Generation Firewall
HP Enterprise Security Internal Technical Pre-Sales Training
Julian Palmer, NGFW Product Manager, HP TippingPoint
Russ Meyers, SMS Product Manager, HP TippingPoint
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2. Agenda
Introducing HP TippingPoint Next Generation Firewall (NGFW)
Key attributes, and how HP TippingPoint NGFW achieves them
Seven steps to get an NGFW on the network
Shared firewall rules with SMS
How does NGFW help common problems?
3. Introducing the HP TippingPoint Next Generation Firewall
4. What is HP NGFW…
• Simple: easy to use, configure and install, with centralized management
• Reliable: protect the network with availability features, IPS and automatic protection
• Effective: industry-leading security intelligence with weekly DVLabs updates
• Integrated: policy (firewall, user and app policy) with DVLabs research and feeds
[Diagram labels: Next Gen IPS, Enterprise]
5. HP NGFW Feature Summary
Security
• Enterprise class zonal, stateful firewall
• Mix and match FW, app, user and IPS policy choices
• Full IPS, DV, RepDV, WebAppDV, Zero Day Initiative
• Apply IPS inspection profile based on app
• Rate limit, quarantine, trap, pcap, email actions
Certification Plans
• ICSA Firewall/VPN Enterprise, USGv6 coming
• FIPS-140-2, EAL, NSS on roadmap
Management
• HTTPS local web GUI, SSH, Full CLI, inband/outband
• Role based management, Encrypted Log Storage
• SNMPv2/v3 MIB-2, and TP Enterprise MIBs
• Integrated FW & IPS management with SMS
• ArcSight, HP NNMi and NA integration
Deployment
• NAT, routed, transparent, segment, one-armed
• IPv6 ready everywhere
• Static, RIP/RIPng, OSPFv2/v3, BGPv4, multicast
• Link aggregation, VLAN translation, Rate limiting
• IPSec site-to-site & Client-to-site, GRE/IPSec
• Active-Passive 2-node Stateful High Availability
• LDAP, Active Directory, RADIUS authentication
6. HP NGFW Portfolio
                                     S1050F     S3010F     S3020F     S8005F     S8010F
FW only                              500Mbps    1Gbps      2Gbps      5Gbps      10Gbps
FW + IPS @512 bytes                  250Mbps    500Mbps    1Gbps      2.5Gbps    5Gbps
New Connections/second               10,000     20,000     20,000     50,000     50,000
Concurrent Connections               250,000    500,000    1M         10M        20M
Aggregate VPN Throughput (big pkts)  250Mbps    500Mbps    1Gbps      1.5Gbps    3Gbps
VPN Tunnels                          2500       5000       7500       7500       7500
Redundant Power Supply/Fans          No         Yes        Yes        Yes        Yes
Removable Solid State Storage        8GB        8GB        8GB        32GB       32GB
Integrated I/O                       8xGbE      8xGbE      8xGbE      8xGbE      8xGbE
                                                8xSFP      8xSFP      8xSFP      8xSFP
                                                                      4x SFP+    4x SFP+
Ordering information (ESP SKU / HPN SKU / price):
S1050F: JC850A / JC882A / US$4,995
S3010F: JC851A / JC883A / US$13,995
S3020F: JC852A / JC884A / US$18,995
S8005F: JC853A / JC885A / US$49,995
S8010F: JC854A / JC886A / US$70,995
HPN care pack info will follow…
1 Year of DV must be bought w/HW
Premium (DV+24x7)
Premium (DV+RepDV+24x7)
7. Where to Deploy
• At all network edges
• Security consolidation
• Where security needs may change
[Diagram: NGFW and IPS placement across the campus (LAN, edge, WLAN, core), the Internet edge serving tele-workers, partners and customers, the WAN to remote offices and branches, and the data center including virtual machines (VMs); model range from branch to regional hub to data center: S1050F, S3010F, S3020F, S8005F, S8010F]
8. S1050F Platform
[Panel diagram labels: External User Disk; Console 115200, 8N1; GbE Data Ports; HA; MGMT; Alert LED; Status LED; Power LED; On/Off]
9. S3010F, S3020F, S8005F, S8010F Platforms
[Panel diagram labels: SFP and GbE Data Ports; User Disk; HA; MGMT; Alert LED; 10G SFP+ ports (S8000F); Console 115200, 8N1; Status LED; Redundant hot swap fans; Dual Redundant PSUs]
• Redundant Fan/PSU
• Hot swap fans and PSU
10. LED Meanings
Alert LED
• Off: No power
• Solid Yellow: System booting. After boot this indicates a software failure.
• Flashing Yellow: A hardware problem has been detected
• Solid Green: Hardware and software are running normally
System LED
• Off: No power
• Flashing Green: System is booting and traffic is not being processed
• Solid Green: System is running and healthy
• Solid Yellow: System is running but has degraded health (software or hardware issue)
• Flashing Green/Yellow: A software or BIOS upgrade is being performed
11. HP ESP Field Replacement Parts
ESP SKU   HPN SKU   ESP Description*                        Ref Price
C1J35A    JC901A    HP TippingPoint 750W AC Power Supply    US$649
C1J36A    JC903A    HP TippingPoint 32GB CFast Card         US$599
C1J34A    JC900A    HP TippingPoint 80mm Fan Module         US$190
Comments: Supports NGFW and NX; Replaces JC826A. Supports NGFW and NX; Replaces JC828A.
DC power option not available
AC power supply is the same as the NX IPS
* HPN Description is different
12. Simplicity
13. Easy and Powerful Management
Best of Breed central management with SMS
• Unified management of IPS and NGFW devices
• Keep security current with DV active update
• Advanced reporting & visualization
• SMS 4.0 adds support for NGFW
Powerful when you need it
• Role Based Access Control
• Forensic reporting
• ArcSight Logger for universal log management
• 3rd Party integrations
Easy to Use On-Box web interface
• Minimum IE8, Chrome 17, Firefox 10, Safari 5.1
• Optimized for 1440x900
14. Reporting and Visibility
Primary reporting tool is SMS
• Delivers Application Visibility & Utilization, Troubleshooting, Security Analysis and Capacity Planning
• Consolidated reporting from all NGFW/IPS boxes
• High performance, detailed event forensics using integrated HP Vertica columnar database
• Customizable Dashboard for real-time data on traffic, apps and network behaviour
On-box shows summary app, traffic mix
• Identify app/traffic patterns
• App visibility is on by default
Big Data forensics with ArcSight
15. Easy to Deploy in the Network
Transparent
• Drop in Deployment
• Same L2 network on both sides
• Forwarded traffic based on destination MAC
• Firewall always there…
Routed
• Different L3 network on each side
• Traffic is directed via routing table
• No asymmetric routing
• No L2FB
Segment
• In/out port
• Bump-in-the-wire (no IP address)
• Reliability through L2FB and HA modes
Bridge
• Multiple ports
• Bcast domain
• IP address
• No L2FB
Routed
• One or more IP addresses
One Armed
• Single port in/out
• VLAN tagged
16. Easy to Demo
Use NGFW to easily demo security & apps:
1. Attach “in” port of segment to a mirror port
Leave “out” port unconnected
2. Configure a segment using these ports
3. Set the NGFW IPS policy to “IDS Mode”
4. Create a Firewall Rule to “Permit Any Any”
5. Override IPS Categories to Permit+Notify
6. Leave…
• Return later and look at the reports
• IPS events, App reports, Traffic Reports
• Add an SMS for even better reporting
17. Effective Security
Mitigate Today and Tomorrow’s Threats Using Firewall, IPS and Application Control
18. Security Elements
Integrated Policy Controlling Who Does What to Whom, When…
Objects
• Zones, action sets, notification contacts, services, address groups, schedules
Firewall
• Stateful Firewall, with NAT/PAT
• Application Groups, selected by category
• Mix and Match Stateful and App elements
• User ID by captive portal
• User authentication by AD, LDAP, RADIUS
Next Gen IPS
• 12 categories with recommended settings
• Zero Day, and Best of Breed DV security filters from DVLabs
• Reputation to block undesirable IPs
• Automatic DV & RepDV update
• Shared profiles with IPS devices
19. Understanding FW Rules
Powerful and succinct rules
• Source/Destination based on Zone or IP subnets/ranges
• Optionally use applications, Users, services and schedules
• Block, Rate limit, Trust, trap, email, pcap
• Set inspection profile per-rule
• Position most specific rules at top
Collapse multiple rules into one
• Using multiple selectors (like an “or”), where the policy/action is the same
• Negation and Exclude constructs
Edit Default Block Rule to enable logging
No implied rules
20. Controlling Applications
• All web apps look the same to old FW’s
• True NGFW firewall rules only contain apps/categories, not services
• NGFW will detect apps regardless of TCP port
• NGFW keeps looking for a better matching FW rule, until app is definitive or not matched
• IPS can be applied during “app detect phase”
• NGFW can block encrypted applications, but cannot inspect within them
[Diagram: Match Stateful FW Rule (IPS w/ Unknown Profile) → App Detected → Change Matching FW Rule (FW Rule Specific Profile)]
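The rule semantics of the two slides above (selectors OR-ed within a rule, negation, most specific rule first, the Default Block rule with no implied rules, and an "app detect phase" before a rule with an application selector can become definitive) can be modelled in a few lines. The following Python is an added example, not HP TippingPoint code; the zone names, rule names, address ranges, the "app-detect" tentative verdict and the "Unknown" profile name used for it are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not HP TippingPoint code): a small model of how NGFW firewall rules
# are matched. Assumptions: the device has already mapped ingress/egress interfaces
# to zone names; every selector list is OR-ed and an empty list means "any"; rules
# are evaluated top-down and the first definitive match wins; with no match the
# Default Block rule applies, because there are no implied rules.


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app: Optional[str] = None  # None until application detection is definitive


@dataclass
class Rule:
    name: str
    action: str                                    # permit, block, rate-limit, trust
    sources: list = field(default_factory=list)    # zone names or CIDRs, OR-ed
    destinations: list = field(default_factory=list)
    services: list = field(default_factory=list)   # (proto, port) tuples, OR-ed
    apps: list = field(default_factory=list)       # application names, OR-ed
    negate_sources: bool = False                   # "anything except these sources"
    negate_destinations: bool = False
    inspection_profile: str = "Default IPS Profile"


@dataclass
class Verdict:
    rule: str
    action: str
    profile: str
    definitive: bool


DEFAULT_BLOCK = Verdict("DEFAULT-BLOCK", "block", "Default IPS Profile", True)


def _endpoint_matches(selectors, zone, ip):
    """A source/destination selector list matches if any entry matches (logical OR)."""
    if not selectors:
        return True
    addr = ipaddress.ip_address(ip)
    for sel in selectors:
        if "/" in sel:
            if addr in ipaddress.ip_network(sel, strict=False):
                return True
        elif sel == zone:
            return True
    return False


def evaluate(rules, flow):
    """Top-down first match. A rule with an application selector cannot be confirmed
    before the app is known, so the flow is passed through the "Unknown" IPS profile
    and evaluated again once detection is definitive (or the app is not matched)."""
    for rule in rules:
        src_ok = _endpoint_matches(rule.sources, flow.src_zone, flow.src_ip) != rule.negate_sources
        dst_ok = _endpoint_matches(rule.destinations, flow.dst_zone, flow.dst_ip) != rule.negate_destinations
        svc_ok = not rule.services or (flow.proto, flow.dst_port) in rule.services
        if not (src_ok and dst_ok and svc_ok):
            continue
        if rule.apps:
            if flow.app is None:
                return Verdict(rule.name, "app-detect", "Unknown", False)
            if flow.app not in rule.apps:
                continue  # app is definitive and this rule does not cover it
        return Verdict(rule.name, rule.action, rule.inspection_profile, True)
    return DEFAULT_BLOCK


def classify(rules, flow, detected_app=None):
    """Simulate one session: first packet with the app unknown, then re-evaluation
    after detection. Returns the verdicts in the order they were reached."""
    verdicts = [evaluate(rules, flow)]
    if not verdicts[0].definitive:
        flow.app = detected_app or "unknown"  # "unknown": detection finished, no match
        verdicts.append(evaluate(rules, flow))
    return verdicts


# Constructed rule base, most specific rules first.
RULES = [
    Rule("guest-isolation", "block", sources=["10.0.5.0/24"],
         destinations=["WAN"], negate_destinations=True),      # guests reach only the WAN
    Rule("lan-no-p2p", "block", sources=["LAN"], destinations=["WAN"],
         apps=["bittorrent"]),                                  # matched on app, not port
    Rule("lan-web", "permit", sources=["LAN"], destinations=["WAN"],
         services=[("TCP", 80), ("TCP", 443)], inspection_profile="Web IPS Profile"),
    Rule("lan-any", "permit", sources=["LAN"], destinations=["WAN"]),
]

if __name__ == "__main__":
    web = Flow("LAN", "WAN", "10.0.0.20", "64.31.0.235", "TCP", 80)
    for v in classify(RULES, web, detected_app="http"):
        print(v)
    torrent = Flow("LAN", "WAN", "10.0.0.20", "198.51.100.7", "TCP", 80)
    print(classify(RULES, torrent, detected_app="bittorrent")[-1])
    print(classify(RULES, Flow("WAN", "LAN", "203.0.113.9", "10.0.0.5", "TCP", 22))[0])
```

The port-80 session is first passed with the "Unknown" profile because the `lan-no-p2p` rule cannot be confirmed until the app is known; once detection says `http` that rule is skipped and `lan-web` with its own inspection profile applies, while a BitTorrent session on the same port ends up blocked. Inbound WAN to LAN traffic matches nothing and falls to the Default Block rule, which is why enabling logging on that rule is worth doing.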
21. IPS Profiles Drive Deep Packet Inspection Policy
IPS uses security filters from DVLabs
• 7,400 filters, 2,650 security researchers
• No false positives or negatives
IPS Profiles define a combination of IPS settings
• Set Profile Deployment Mode to modify “Recommended”
• DV defines “Recommended” for all filters/categories
• Use Profile settings to override filter settings
• Create trust relationships or exclude IPs from IPS
• Simple DDOS protection via SYN proxy rate check
Use Default Profile or define your own profiles
22. Extended Firewall Rule Configuration in SMS
Build a global view
Manage policy across entire deployment
Leverage your existing IPS policy
• IPS Security Profiles
• Reputation Filters
• Shared Settings
• Named Resources
The same zone name may be built from different ports on different NGFW devices, but share same policy
Distribute policy changes when ready
23. Reliability: Keeping the Network Up
24. Segments – TippingPoint Inline Protection
Only a Layer 2 mode
Protect against hardware or software failure
− Layer 2 Fallback (L2FB) and ZPHA bypass
− HA mode: Permit/Block, due to health or HA config
− Link Down Synchronization mode helps network convergence when one side of the segment fails
Notes
− No asymmetric mode
− A segment can only be a vertical port pair
− Firewall always runs
− No TippingPoint virtual ports/segments
25. 2-Node High Availability Clusters
Protect against single failure, minimum downtime
2-node active/passive cluster, with optional state sync
• FW, Routing and IPS sessions sync
SMS is required for configuration sync
• Operates on a shared MAC
Nodes are connected by back-to-back HA connection
• Traffic optionally encrypted
• Option to allow use of management port for HA traffic if all HA links fail (default:off)
Nodes must be the same hardware and software version
26. SMS Cluster Configuration
1. Ensure devices at factory defaults, except for management access
2. Acquire the devices separately into SMS
3. Click “New Cluster” in Devices view
4. Identify the cluster name, members, select settings for State Sync, HA link etc.
Cluster will form…
Use Shared Settings for networking, routing, VPN…
• Immediate commit, and “copied to Start”
Use Profiles to create shared FW rules and IPS settings, and distribute to the device
27. Cluster Based SW Upgrade
SMS “rolls out” NGFW Software upgrade across the cluster
• One device kept active at all times to keep network up
• Passive device is upgraded first and rebooted
• Active device is forced passive and then upgraded
• Session state synchronized at all times
28. Examples…
29. Simplicity Example:
7 Steps to Deploying a New Next Generation Firewall…
Configuration Example
30. 7 Steps to Setup a New HP NGFW
What you will need:
– Connected Console cable and client
– Network connections made for LAN and WAN
– Minimum information:
• SuperUser account name you want to create
• Management port IP address
• Interface IP addresses for LAN and WAN
For SMS:
– An installed SMS, with network access to the NGFW
31. Step 1: Complete Console Setup
1. Connect console – 115200, 8N1
2. Complete OBE prompts:
• Define security requirements on SuperUser password
• Define SuperUser account name and password
3. Log in to CLI
Please enter a user name for the super-user
account.
Spaces are not allowed.
Name: SuperUser
Do you wish to accept [SuperUser] <Y,[N]>: y
Please enter a password for the super-user
account [SuperUser]:
Verify password:
Saving information...Done
Your super-user account has been created.
You may continue initial configuration by logging
into your device.
After logging in, you will be asked for
additional information
ngfw
login: SuperUser
32. Step 2: Get the NGFW on the network
1. Log in to CLI on console
2. Start a CLI edit session
3. Define the management port:
• Set host name (optional)
• Set IP information
• Set default route
4. Define DNS server to perimeter router
5. Define IP interfaces
6. Make the changes live
7. Ensure the changes will apply on next boot
edit
interface mgmt
host name demo_unit1
ipaddress 10.0.0.101/24
route 0.0.0.0/0 10.0.0.100
exit
dns
name-server 11.0.0.101
exit
interface ethernet1
ipaddress 10.0.0.100/24
exit
interface ethernet2
ipaddress 11.0.0.100/24
exit
commit
save-config
exit
33. Step 3: Acquire the Device in SMS
1. Log in to SMS
2. Click Devices > New Device
3. Enter the MGMT IP of the NGFW and the SuperUser account name/password from the console setup
34. Step 4: Define Security Zones
1. Click Profiles > Shared Settings > Security Zones
2. Click New… to create a Zone
3. Enter the name “LAN”
4. Click Add… to add interfaces
• Select ethernet1
5. Repeat to create “WAN” zone
6. Confirm zone setup
Note: Can create same zone with different interfaces on another device
35. Step 5: Create a New FW Profile
1. Click Profiles > Firewall Profiles in menu
2. Click “New”
3. Give the profile a name
4. Select Inspection Profiles
Default = Default IPS Profile
36. Step 6: Create Firewall Rules
1. Expand the new Firewall profile
2. Click “New” to create a rule
3. Define the rule to permit LAN to WAN for any service
• Action Set = “Permit+Notify”
• Click + on Sources, select LAN
• Click + on Destination, select WAN
37. Step 7: Distribute the Firewall Profile
1. Click the profile name and click “Distribute”
2. Select which NGFWs will receive the Firewall Profile
3. Wait for distribution
Note:
• An NGFW only runs one Firewall Profile at once
38. Verify
1. Using a client on the LAN, try to access the internet via a browser
2. Confirm that the web site loads
3. If it doesn’t work, check for firewall block events in SMS… or easier, “show fwBlock” on console:
julian_hpar1{}show log fwBlock tail
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
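The verification step above comes down to reading `show log fwBlock` output and spotting Default Block hits for traffic the new LAN-to-WAN rule was meant to permit. The following Python is an added example, not HP code: it parses the block log into fields and flags default-rule blocks on the LAN-side interface for the intended services. The field layout is inferred from the two lines on the slide and is an assumption; the third sample line, the `lan-no-p2p` rule name and the interface/service choices are constructed.

```python
import re
from collections import Counter

# Added example (not HP code): parse "show log fwBlock" output and point at blocks that
# contradict the LAN->WAN permit rule from Step 6. The field layout is inferred from
# the two lines on the slide (assumption: date, time, device, sequence, message,
# severity, [action set], [rule], in-interface, out-interface, src IP, src port,
# dst IP, dst port, protocol; the trailing fields are not interpreted here).
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<device>\S+) (?P<seq>\d+) "(?P<msg>[^"]*)" '
    r'(?P<severity>\S+) \[(?P<action>[^\]]*)\] \[(?P<rule>[^\]]*)\] '
    r'(?P<in_if>\S+) (?P<out_if>\S+) (?P<src>\S+) (?P<sport>\d+) '
    r'(?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)'
)

# The first two lines are the slide's own sample output (each re-joined onto one line);
# the third is constructed to show a block by a named rule.
SAMPLE_LOG = """\
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
2013-08-06 18:51:10.002 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [lan-no-p2p] ethernet1 ethernet2 161.71.1.9 51000 198.51.100.7 6881 TCP [] pt0 0 0 0
"""


def parse_fwblock(text):
    """Return one dict per parsable log line; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("seq", "sport", "dport"):
            e[k] = int(e[k])
        events.append(e)
    return events


def block_summary(events):
    """Count block events by (rule, protocol, destination port)."""
    return Counter((e["rule"], e["proto"], e["dport"]) for e in events)


def unexpected_default_blocks(events, lan_if, intended):
    """Default-rule blocks arriving on the LAN-side interface for services the LAN->WAN
    permit rule should have allowed: the Firewall Profile has probably not been
    distributed, or the LAN zone is bound to a different interface than expected."""
    return [e for e in events
            if e["rule"] == "DEFAULT-BLOCK" and e["in_if"] == lan_if
            and (e["proto"], e["dport"]) in intended]


if __name__ == "__main__":
    evs = parse_fwblock(SAMPLE_LOG)
    for key, n in block_summary(evs).items():
        print(key, n)
    for e in unexpected_default_blocks(evs, "ethernet1", {("TCP", 80), ("TCP", 443)}):
        print("permit rule not in effect:", e["src"], "->", e["dst"], e["proto"], e["dport"])
```

On the slide's own lines the TCP/80 block from ethernet1 is exactly the symptom of the profile not being in effect yet, while the ICMP line is outside the intended service set and is left alone.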
39. Security Effectiveness Example:
SMS Configuration of Shared Firewall Rules
Configuration Example
40. SMS Shared Firewall Rules
Sequence:
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile
41. Firewall Profiles: Global Rules
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile
• Shared across deployment
• Assign interfaces from 1 or more NGFW devices
42. Firewall Profiles: Global Rules
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile
• Source/Destination rule criteria and zone definition determines the devices the rule may be installed on
• Restrict location with ‘install-on’ device setting, provides site specific override capability
44. Firewall Profiles: Global Rules
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile
• SMS automatically creates snapshot, and displays potential distribution targets
• Rules distributed (potentially deleted) based on your selection
• SMS will pull in appropriate published IPS profiles
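The slides above describe how zone definitions and the install-on setting decide where a shared rule lands, and that distribution adds or deletes rules per device against the SMS snapshot. The following Python is an added example, not SMS code; the device names, interface-to-zone assignments, rule names and the "one interface, one zone" simplification are assumptions made for illustration.

```python
# Added example (not SMS code): work out which NGFW devices a rule in a shared Firewall
# Profile may be installed on. Assumptions: a zone is a name built from one or more
# interfaces on each device (same name on different devices, different ports); each
# interface belongs to one zone; a rule can only be installed where every zone it
# names exists; an optional install-on list narrows that set further.

# Constructed deployment: the same zone names built from different interfaces.
DEVICES = {
    "branch-1": {"ethernet1": "LAN", "ethernet2": "WAN"},
    "branch-2": {"ethernet3": "LAN", "ethernet4": "WAN", "ethernet5": "DMZ"},
    "datacenter": {"ethernet1": "DMZ", "ethernet2": "WAN"},
}

# Constructed profile rules (hypothetical names).
PROFILE_RULES = [
    {"name": "lan-to-wan", "src_zones": ["LAN"], "dst_zones": ["WAN"]},
    {"name": "dmz-web-in", "src_zones": ["WAN"], "dst_zones": ["DMZ"]},
    {"name": "branch1-guest-portal", "src_zones": ["LAN"], "dst_zones": ["WAN"],
     "install_on": ["branch-1", "datacenter"]},   # site-specific override
]


def zones_on(interfaces):
    """Zone names present on a device, derived from its interface assignments."""
    return set(interfaces.values())


def candidate_devices(devices, rule):
    """Devices on which every zone the rule references exists."""
    needed = set(rule["src_zones"]) | set(rule["dst_zones"])
    return {name for name, ifaces in devices.items() if needed <= zones_on(ifaces)}


def distribution_targets(devices, rule):
    """Candidates narrowed by the rule's install-on list, if it has one. A device named
    in install-on that lacks a required zone is dropped rather than installed."""
    targets = candidate_devices(devices, rule)
    if "install_on" in rule:
        targets &= set(rule["install_on"])
    return targets


def distribution_plan(devices, profile_rules, installed):
    """Per device: rules the distribution would add and rules it would delete, compared
    with what the SMS snapshot says is currently installed."""
    plan = {}
    for dev in devices:
        target = {r["name"] for r in profile_rules if dev in distribution_targets(devices, r)}
        current = set(installed.get(dev, ()))
        plan[dev] = {"add": sorted(target - current), "delete": sorted(current - target)}
    return plan


if __name__ == "__main__":
    snapshot = {"branch-1": ["lan-to-wan", "old-rule"], "datacenter": ["dmz-web-in"]}
    for dev, changes in distribution_plan(DEVICES, PROFILE_RULES, snapshot).items():
        print(dev, changes)
```

The data center never receives `lan-to-wan` because it has no LAN zone, and `branch1-guest-portal` reaches only branch-1 even though its install-on list also names the data center: install-on can restrict the candidate set but cannot put a rule on a device whose zones do not fit it.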
45. In Closing
46. HP NGFW Helps Save Time & Protect the Network
Problem → How HP TippingPoint NGFW can help…
• I don’t know what applications are being used → Use Visibility and IPS reports to see apps, network use and security risks
• I fear something will break if app is blocked → Block is one action – perhaps rate limit it
• I need to protect network bandwidth and protect business critical apps → Block or rate limit undesirable or bandwidth hogging apps. Use Trust rules to avoid impacting critical applications
• How can I control which users can use an app? → User based policy rules
• I don’t have time to test/patch PCs and infrastructure → IPS with Zero Day blocks vulnerabilities, even in default settings, putting you in control of patching
• How can I disrupt botnets and drive by downloads? → RepDV stops access to bad web sites & botnet activity. IPS prevents malware installation through blocking the vulnerability
47. Learn More
Public launch on Sept 16 – www.hp.com/go/ngfw
• ESP GA Date – 08/30
• HPN GA Date – 9/30
Resources – Published on Sales Portal and Partner Central:
• Whitepaper, data sheet, Infographic, How-To-Sell
• Training & Customer Deck
• Upcoming webinars:
• Demo (TBD)
• Channel Partner Sales training – August 13
• Channel Partner Technical training – August 15 & 16
• Tentative training - September
• Future technical deep dives and live demos
Questions: NGFW@hp.com
48. Thank You
Editor's Notes
Industry leading security intelligence with weekly DVLabs updates
Easy to use, configure and install with centralized management
NGFW built on 99.99999% network uptime track record
Easy and Powerful Management
Effective Reporting and Traffic Visualization
Easy Deployment
Easy to Demonstrate
Talk about the ability to drill down and create any of these network objects directly from the rule editor panels
Talk about the shared services integrated with non-standard IPS ports
User based policy – SMS will use a number of means at its disposal to assist with user/group selection: AD query, view existing logs, view previous requests
Shares from existing named resources on the SMS. Zones are ‘shared’ objects that are included in SMS distribution
Can actually write rules without managing a single device and manage your zone-interface / deployment definition later
Comments on the rule: the “St -> State” field shows if the rule is enabled / disabled, or also if a change has been made requiring a distribution for the rule to be added, changed or removed on a device
- SMS distribution will warn you if the device has changes that are not what the SMS is expecting, i.e. you made a change on the local device
Expect to get questions around deal registration, I8 standard process (VBD, NBO, express pricing) (invite liz carter) and promotional conflict.