
Ensuring network security with a multi-purpose, adaptable next-generation firewall (NGFW)


  1. HP TippingPoint Next Generation Firewall
     HP Enterprise Security Internal Technical Pre-Sales Training
     Julian Palmer, NGFW Product Manager, HP TippingPoint
     Russ Meyers, SMS Product Manager, HP TippingPoint
     © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  2. Agenda
     • Introducing HP TippingPoint Next Generation Firewall (NGFW)
     • Key attributes, and how HP TippingPoint NGFW achieves them
     • Seven steps to get an NGFW on the network
     • Shared firewall rules with SMS
     • How does NGFW help common problems?
     © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  3. Introducing the HP TippingPoint Next Generation Firewall
  4. What is HP NGFW…
     • Simple: easy to use, configure and install, with centralized management
     • Reliable: protect the network with availability features, IPS, and automatic protection
     • Effective: industry-leading security intelligence with weekly DVLabs updates
     Diagram labels: Next Gen IPS; Enterprise Firewall; Integrated Policy; DVLabs research and feeds; User and app policy
  5. HP NGFW Feature Summary
     Security
     • Enterprise class zonal, stateful firewall
     • Mix and match FW, app, user and IPS policy choices
     • Full IPS, DV, RepDV, WebAppDV, Zero Day Initiative
     • Apply IPS inspection profile based on app
     • Rate limit, quarantine, trap, pcap, email actions
     Certification Plans
     • ICSA Firewall/VPN Enterprise, USGv6 coming
     • FIPS-140-2, EAL, NSS on roadmap
     Management
     • HTTPS local web GUI, SSH, Full CLI, inband/outband
     • Role based management, Encrypted Log Storage
     • SNMPv2/v3 MIB-2, and TP Enterprise MIBs
     • Integrated FW & IPS management with SMS
     • ArcSight, HP NNMi and NA integration
     Deployment
     • NAT, routed, transparent, segment, one-armed
     • IPv6 ready everywhere
     • Static, RIP/RIPng, OSPFv2/v3, BGPv4, multicast
     • Link aggregation, VLAN translation, Rate limiting
     • IPSec site-to-site & Client-to-site, GRE/IPSec
     • Active-Passive 2-node Stateful High Availability
     • LDAP, Active Directory, RADIUS authentication
  6. HP NGFW Portfolio
     Model                                S1050F    S3010F        S3020F        S8005F                 S8010F
     FW only                              500Mbps   1Gbps         2Gbps         5Gbps                  10Gbps
     FW + IPS @512 bytes                  250Mbps   500Mbps       1Gbps         2.5Gbps                5Gbps
     New Connections/second               10,000    20,000        20,000        50,000                 50,000
     Concurrent Connections               250,000   500,000       1M            10M                    20M
     Aggregate VPN Throughput (big pkts)  250Mbps   500Mbps       1Gbps         1.5Gbps                3Gbps
     VPN Tunnels                          2500      5000          7500          7500                   7500
     Redundant Power Supply/Fans          No        Yes           Yes           Yes                    Yes
     Removable Solid State Storage        8GB       8GB           8GB           32GB                   32GB
     Integrated I/O                       8xGbE     8xGbE, 8xSFP  8xGbE, 8xSFP  8xGbE, 8xSFP, 4xSFP+   8xGbE, 8xSFP, 4xSFP+
     Ordering information (ESP SKU / HPN SKU / price):
     • S1050F: JC850A / JC882A / US$4,995
     • S3010F: JC851A / JC883A / US$13,995
     • S3020F: JC852A / JC884A / US$18,995
     • S8005F: JC853A / JC885A / US$49,995
     • S8010F: JC854A / JC886A / US$70,995
     HPN care pack info will follow…
     1 Year of DV must be bought w/HW: Premium (DV+24x7), Premium (DV+RepDV+24x7)
  7. Where to Deploy
     • At all network edges
     • Security consolidation
     • Where security needs may change
     Diagram: Campus LAN Edge, WLAN, Core, Virtual machines (VMs), Tele-workers, partners, and customers, Internet, Remote offices and branches, WAN, Data center; NGFW and IPS placements at Branch, Regional, Hub and Data Center; models S1050F, S3010F, S3020F, S8005F, S8010F
  8. S1050F Platform
     Panel labels: External User Disk; Console 115200, 8N1; GbE Data Ports; HA; MGMT; Alert LED; Status LED; Power LED; On/Off
  9. S3010F, S3020F, S8005F, S8010F Platforms
     Panel labels: SFP; GbE Data Ports; User Disk; HA Ports; MGMT; Alert LED; 10G SFP+ (S8000F); Console 115200, 8N1; Status LED; Redundant hot swap fans; Dual Redundant PSUs
     • Redundant Fan/PSU
     • Hot swap fans and PSU
  10. LED Meanings
     Alert LED
     • Off: No power
     • Solid Yellow: System booting. After boot this indicates a software failure.
     • Flashing Yellow: A hardware problem has been detected
     • Solid Green: Hardware and software are running normally
     System LED
     • Off: No power
     • Flashing Green: System is booting and traffic is not being processed
     • Solid Green: System is running and healthy
     • Solid Yellow: System is running but has degraded health (software or hardware issue)
     • Flashing Green/Yellow: A software or BIOS upgrade is being performed
  11. HP ESP Field Replacement Parts
     ESP SKU   HPN SKU   ESP Description*                        Ref Price
     C1J35A    JC901A    HP TippingPoint 750W AC Power Supply    US$649
     C1J36A    JC903A    HP TippingPoint 32GB CFast Card         US$599
     C1J34A    JC900A    HP TippingPoint 80mm Fan Module         US$190
     Comments: Supports NGFW and NX; Replaces JC826A. Supports NGFW and NX; Replaces JC828A.
     DC power option not available. AC power supply is the same as the NX IPS.
     * HPN Description is different
  12. Simplicity
  13. Easy and Powerful Management
     Best of Breed central management with SMS
     • Unified management of IPS and NGFW devices
     • Keep security current with DV active update
     • Advanced reporting & visualization
     • SMS 4.0 adds support for NGFW
     Powerful when you need it
     • Role Based Access Control
     • Forensic reporting
     • ArcSight Logger for universal log management
     • 3rd Party integrations
     Easy to Use On-Box web interface
     • Minimum IE8, Chrome 17, Firefox 10, Safari 5.1
     • Optimized for 1440x900
  14. Reporting and Visibility
     Primary reporting tool is SMS
     • Delivers Application Visibility & Utilization, Troubleshooting, Security Analysis and Capacity Planning
     • Consolidated reporting from all NGFW/IPS boxes
     • High performance, detailed event forensics using integrated HP Vertica columnar database
     • Customizable Dashboard for real-time data on traffic, apps and network behaviour
     On-box shows summary app, traffic mix
     • Identify app/traffic patterns
     • App visibility is on by default
     Big Data forensics with ArcSight
  15. Easy to Deploy in the Network
     Transparent
     • Drop in Deployment
     • Same L2 network on both sides
     • Forwarded traffic based on destination MAC
     • Firewall always there…
     Routed
     • Different L3 network on each side
     • Traffic is directed via routing table
     • No asymmetric routing
     • No L2FB
     Segment
     • In/out port
     • Bump-in-the-wire (no IP address)
     • Reliability through L2FB and HA modes
     Bridge
     • Multiple ports
     • Bcast domain
     • IP address
     • No L2FB
     Routed
     • One or more IP addresses
     One Armed
     • Single port in/out
     • VLAN tagged
  16. Easy to Demo
     Use NGFW to easily demo security & apps:
     1. Attach “in” port of segment to a mirror port; leave “out” port unconnected
     2. Configure a segment using these ports
     3. Set the NGFW IPS policy to “IDS Mode”
     4. Create a Firewall Rule to “Permit Any Any”
     5. Override IPS Categories to Permit+Notify
     6. Leave…
     • Return later and look at the reports
     • IPS events, App reports, Traffic Reports
     • Add an SMS for even better reporting
  17. Effective Security
     Mitigate Today and Tomorrow’s Threats Using Firewall, IPS and Application Control
  18. Security Elements
     Integrated Policy Controlling Who Does What to Whom, When…
     Objects
     • Zones, action sets, notification contacts, services, address groups, schedules
     Firewall
     • Stateful Firewall, with NAT/PAT
     • Application Groups, selected by category
     • Mix and Match Stateful and App elements
     • User ID by captive portal
     • User authentication by AD, LDAP, RADIUS
     Next Gen IPS
     • 12 categories with recommended settings
     • Zero Day, and Best of Breed DV security filters from DVLabs
     • Reputation to block undesirable IPs
     • Automatic DV & RepDV update
     • Shared profiles with IPS devices
  19. Understanding FW Rules
     Powerful and succinct rules
     • Source/Destination based on Zone or IP subnets/ranges
     • Optionally use applications, Users, services and schedules
     • Block, Rate limit, Trust, trap, email, pcap
     • Set inspection profile per-rule
     • Position most specific rules at top
     Collapse multiple rules into one
     • Using multiple selectors (like an “or”), where the policy/action is the same
     • Negation and Exclude constructs
     Edit Default Block Rule to enable logging
     No implied rules
  20. Controlling Applications
     • All web apps look the same to old FW’s
     • True NGFW firewall rules only contain apps/categories, not services
     • NGFW will detect apps regardless of TCP port
     • NGFW keeps looking for a better matching FW rule, until app is definitive or not matched
     • IPS can be applied during “app detect phase”
     • NGFW can block encrypted applications, but cannot inspect within them
     Diagram labels: Match Stateful FW Rule; IPS w/ Unknown Profile; App Detected – Change Matching FW Rule; FW Rule Specific Profile
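Slides 19 and 20 describe top-down first-match rule ordering, several selectors in one rule acting as an OR, exclusion, the logged default block, and the second lookup that happens once application detection has named the app. The Python below is an added example written for this page to make those mechanics concrete; it is not TippingPoint code, and the `Flow`/`Rule` fields, the function names (`first_match`, `classify_with_app_detection`, `shadowed_rules`) and the sample policy are all constructed. The `shadowed_rules` lint goes a little beyond the slide: it checks the "most specific rules at top" advice mechanically by reporting rules that an earlier, broader rule would always catch first.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Toy model of NGFW rule evaluation (constructed example, not TippingPoint's implementation).
# An empty selector means "any", like leaving a rule column blank in the GUI.


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: Optional[str] = None  # None until application detection has classified the flow


@dataclass
class Rule:
    name: str
    action: str  # "permit", "block", "rate-limit", "trust"
    src_zones: FrozenSet[str] = field(default_factory=frozenset)
    dst_zones: FrozenSet[str] = field(default_factory=frozenset)
    services: FrozenSet[int] = field(default_factory=frozenset)      # destination ports
    apps: FrozenSet[str] = field(default_factory=frozenset)          # several apps in one rule act as an OR
    exclude_apps: FrozenSet[str] = field(default_factory=frozenset)  # "exclude" construct

    def matches(self, flow: Flow) -> bool:
        if self.src_zones and flow.src_zone not in self.src_zones:
            return False
        if self.dst_zones and flow.dst_zone not in self.dst_zones:
            return False
        if self.services and flow.dst_port not in self.services:
            return False
        # An app-based rule cannot match until detection has named the app.
        if self.apps and (flow.app is None or flow.app not in self.apps):
            return False
        if self.exclude_apps and flow.app in self.exclude_apps:
            return False
        return True


# The default block is the implicit last entry; on the NGFW you edit it to enable logging.
DEFAULT_BLOCK = Rule("DEFAULT-BLOCK", "block")


def first_match(rules: List[Rule], flow: Flow) -> Rule:
    """Top-down first match, which is why the most specific rules must sit at the top."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return DEFAULT_BLOCK


def classify_with_app_detection(rules: List[Rule], flow: Flow, detected_app: str) -> Tuple[str, str]:
    """Phase 1: match on zones/ports while the app is unknown (the 'app detect phase').
    Phase 2: once the app is definitive, look again for a better matching rule."""
    initial = first_match(rules, flow)
    flow.app = detected_app
    final = first_match(rules, flow)
    return initial.name, final.name


def _covers(earlier: FrozenSet, later: FrozenSet) -> bool:
    # 'earlier' covers 'later' when it is "any" or contains every value 'later' can match.
    return not earlier or (bool(later) and later <= earlier)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Policy lint: rules that can never match because an earlier rule is at least as broad on
    every selector. Earlier rules with exclusions are conservatively treated as non-covering."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.exclude_apps:
                continue
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("src_zones", "dst_zones", "services", "apps")):
                found.append((later.name, earlier.name))
                break
    return found


def sample_policy() -> List[Rule]:
    """Constructed LAN->WAN policy, most specific first."""
    lan, wan = frozenset({"LAN"}), frozenset({"WAN"})
    return [
        Rule("block-p2p", "block", lan, wan, apps=frozenset({"bittorrent"})),
        Rule("ratelimit-video", "rate-limit", lan, wan, apps=frozenset({"youtube", "netflix"})),
        Rule("lan-to-wan", "permit", lan, wan),  # the broad permit from step 6 of the 7-step setup
    ]


if __name__ == "__main__":
    policy = sample_policy()
    print(classify_with_app_detection(policy, Flow("LAN", "WAN", 443), "bittorrent"))
    print(first_match(policy, Flow("WAN", "LAN", 80)).name)
    print(shadowed_rules(list(reversed(policy))))
```

Running it shows a port-443 flow first landing on the broad `lan-to-wan` permit and then moving to `block-p2p` once the app is identified, an unsolicited WAN-to-LAN flow falling through to `DEFAULT-BLOCK` because there are no implied rules, and the same policy with the broad rule moved to the top producing two shadowed rules.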
  21. IPS Profiles Drive Deep Packet Inspection Policy
     IPS uses security filters from DVLabs
     • 7,400 filters, 2,650 security researchers
     • No false positives or negatives
     IPS Profiles define a combination of IPS settings
     • Set Profile Deployment Mode to modify “Recommended”
     • DV defines “Recommended” for all filters/categories
     • Use Profile settings to override filter settings
     • Create trust relationships or exclude IPs from IPS
     • Simple DDOS protection via SYN proxy rate check
     Use Default Profile or define your own profiles
  22. Extended Firewall Rule Configuration in SMS
     Build a global view: manage policy across entire deployment
     Leverage your existing IPS policy
     • IPS Security Profiles
     • Reputation Filters
     • Shared Settings
     • Named Resources
     The same zone name may be built from different ports on different NGFW devices, but share same policy
     Distribute policy changes when ready
  23. Reliability: Keeping the Network Up
  24. Segments – TippingPoint Inline Protection
     Only a Layer 2 mode
     Protect against hardware or software failure
     − Layer 2 Fallback (L2FB) and ZPHA bypass
     − HA mode: Permit/Block, due to health or HA config
     − Link Down Synchronization mode helps network convergence when one side of the segment fails
     Notes
     − No asymmetric mode
     − A segment can only be a vertical port pair
     − Firewall always runs
     − No TippingPoint virtual ports/segments
  25. 2-Node High Availability Clusters
     Protect against single failure, minimum downtime
     2-node active/passive cluster, with optional state sync
     • FW, Routing and IPS sessions sync
     SMS is required for configuration sync
     • Operates on a shared MAC
     Nodes are connected by back-to-back HA connection
     • Traffic optionally encrypted
     • Option to allow use of management port for HA traffic if all HA links fail (default: off)
     Nodes must be the same hardware and software version
  26. SMS Cluster Configuration
     1. Ensure devices at factory defaults, except for management access
     2. Acquire the devices separately into SMS
     3. Click “New Cluster” in Devices view
     4. Identify the cluster name, members, select settings for State Sync, HA link etc. Cluster will form…
     Use Shared Settings for networking, routing, VPN…
     • Immediate commit, and “copied to Start”
     Use Profiles to create shared FW rules and IPS settings, and distribute to the device
  27. Cluster Based SW Upgrade
     SMS “rolls out” NGFW Software upgrade across the cluster
     • One device kept active at all times to keep network up
     • Passive device is upgraded first and rebooted
     • Active device is forced passive and then upgraded
     • Session state synchronized at all times
  28. Examples…
  29. Simplicity Example: 7 Steps to Deploying a New Next Generation Firewall… (Configuration Example)
  30. 7 Steps to Setup a New HP NGFW
     What you will need:
     – Connected Console cable and client
     – Network connections made for LAN and WAN
     – Minimum information:
       • SuperUser account name you want to create
       • Management port IP address
       • Interface IP addresses for LAN and WAN
     For SMS:
     – An installed SMS, with network access to the NGFW
  31. Step 1: Complete Console Setup
     1. Connect console – 115200, 8N1
     2. Complete OBE prompts:
       • Define security requirements on SuperUser password
       • Define SuperUser account name and password
     3. Log in to CLI
     Console transcript:
       Please enter a user name for the super-user account. Spaces are not allowed.
       Name: SuperUser
       Do you wish to accept [SuperUser] <Y,[N]>: y
       Please enter a password for the super-user account [SuperUser]:
       Verify password:
       Saving information...Done
       Your super-user account has been created.
       You may continue initial configuration by logging into your device.
       After logging in, you will be asked for additional information
       ngfw login: SuperUser
  32. Step 2: Get the NGFW on the network
     1. Log in to CLI on console
     2. Start a CLI edit session
     3. Define the management port:
       • Set host name (optional)
       • Set IP information
       • Set default route
     4. Define DNS server to perimeter router
     5. Define IP interfaces
     6. Make the changes live
     7. Ensure the changes will apply on next boot
     CLI commands:
       edit
         interface mgmt
           host name demo_unit1
           ipaddress 10.0.0.101/24
           route 0.0.0.0/0 10.0.0.100
           exit
         dns
           name-server 11.0.0.101
           exit
         interface ethernet1
           ipaddress 10.0.0.100/24
           exit
         interface ethernet2
           ipaddress 11.0.0.100/24
           exit
         commit
         save-config
         exit
  33. Step 3: Acquire the Device in SMS
     1. Log in to SMS
     2. Click Devices > New Device
     3. Enter the MGMT IP of the NGFW and the SuperUser account name/password from the console setup
  34. Step 4: Define Security Zones
     1. Click Profiles > Shared Settings > Security Zones
     2. Click New… to create a Zone
     3. Enter the name “LAN”
     4. Click Add… to add interfaces; select ethernet1
     5. Repeat to create “WAN” zone
     6. Confirm zone setup
     Note: Can create same zone with different interfaces on another device
  35. Step 5: Create a New FW Profile
     1. Click Profiles > Firewall Profiles in menu
     2. Click “New”
     3. Give the profile a name
     4. Select Inspection Profiles (Default = Default IPS Profile)
  36. Step 6: Create Firewall Rules
     1. Expand the new Firewall profile
     2. Click “New” to create a rule
     3. Define the rule to permit LAN to WAN for any service
       • Action Set = “Permit+Notify”
       • Click + on Sources, select LAN
       • Click + on Destination, select WAN
  37. Step 7: Distribute the Firewall Profile
     1. Click the profile name and click “Distribute”
     2. Select which NGFWs will receive the Firewall Profile
     3. Wait for distribution
     Note: An NGFW only runs one Firewall Profile at once
  38. Verify
     1. Using a client on the LAN, try to access the internet via a browser
     2. Confirm that the web site loads
     3. If it doesn’t work, check for firewall block events in SMS… or easier, “show fwBlock” on console:
       julian_hpar1{}show log fwBlock tail
       2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
       2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0
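The two `fwBlock` lines on the Verify slide are exactly what you look at when the LAN client cannot reach the web: LAN-originated traffic hitting `DEFAULT-BLOCK` means the LAN-to-WAN permit rule from step 6 is not in effect on this device. The Python below is an added example, not HP or TippingPoint code, that turns that check into a small parser and triage routine. The column names in the regex (`counter`, `action`, `rule`, `in_if`, `out_if`, and so on) are this example's own reading of the line layout, since the slide does not name the fields; the first two sample lines are copied from the slide and the third is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Column names are this example's reading of the `show log fwBlock` layout (assumption, not
# documented on the slide): timestamp, device, counter, message, severity, action set, rule,
# in/out interface, src ip/port, dst ip/port, protocol. Trailing fields are left unparsed.
FWBLOCK_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) '
    r'(?P<device>\S+) (?P<counter>\d+) "(?P<message>[^"]*)" (?P<severity>\S+) '
    r'\[(?P<action>[^\]]*)\] \[(?P<rule>[^\]]*)\] '
    r'(?P<in_if>\S+) (?P<out_if>\S+) '
    r'(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)'
)

LAN_IF = "ethernet1"  # the interface placed in the LAN zone in step 4

# Lines 1 and 2 are the slide's own output; line 3 is constructed to show a second rule name.
SAMPLE_LOG = [
    '2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] '
    'ethernet1 ethernet2 161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0',
    '2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] '
    'ethernet1 ethernet2 161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0',
    '2013-08-06 18:51:03.120 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [block-p2p] '
    'ethernet1 ethernet2 161.71.1.7 51022 198.51.100.20 6881 TCP [] pt0 0 0 0',  # constructed
]


def parse_fwblock(line: str) -> Optional[Dict[str, object]]:
    """Parse one fwBlock line into a dict, or None if the line does not fit the layout."""
    m = FWBLOCK_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    for key in ("counter", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def hits_per_rule(lines: List[str]) -> Counter:
    """How many block events each firewall rule produced."""
    return Counter(ev["rule"] for ev in map(parse_fwblock, lines) if ev)


def default_block_from_lan(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """(src, dst, dport, proto) for every DEFAULT-BLOCK hit that entered on the LAN interface."""
    out = []
    for ev in map(parse_fwblock, lines):
        if ev and ev["rule"] == "DEFAULT-BLOCK" and ev["in_if"] == LAN_IF:
            out.append((ev["src"], ev["dst"], ev["dport"], ev["proto"]))
    return out


def diagnose(lines: List[str]) -> str:
    """Plain-language verdict for the step-7 distribution check."""
    lan_hits = default_block_from_lan(lines)
    if lan_hits:
        return ("LAN->WAN traffic is hitting DEFAULT-BLOCK (%d events); the LAN-to-WAN permit rule "
                "is not in effect on this device, so re-check the Firewall Profile distribution."
                % len(lan_hits))
    return "No LAN-originated default-block events; the permit rule is in effect."


if __name__ == "__main__":
    print(hits_per_rule(SAMPLE_LOG))
    for hit in default_block_from_lan(SAMPLE_LOG):
        print(hit)
    print(diagnose(SAMPLE_LOG))
```

Because the regex is not anchored at the end, the unexplained trailing columns (`[] pt0 0 0 0`) are ignored rather than breaking the parse; anything that does not fit the layout returns None so a stray prompt line such as `julian_hpar1{}show log fwBlock tail` is skipped instead of raising.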
  39. Security Effectiveness Example: SMS Configuration of Shared Firewall Rules (Configuration Example)
  40. SMS Shared Firewall Rules
     Sequence:
     1. Define zones
     2. Create firewall, NAT or captive portal rule
     3. Distribute profile
  41. Firewall Profiles: Global Rules
     Sequence: 1. Define zones; 2. Create firewall, NAT or captive portal rule; 3. Distribute profile
     • Shared across deployment
     • Assign interfaces from 1 or more NGFW devices
  42. Firewall Profiles: Global Rules
     Sequence: 1. Define zones; 2. Create firewall, NAT or captive portal rule; 3. Distribute profile
     • Source/Destination rule criteria and zone definition determines the devices the rule may be installed on
     • Restrict location with ‘install-on’ device setting, provides site specific override capability
  43. Firewall Profiles: Global Rules
     Sequence: 1. Define zones; 2. Create firewall, NAT or captive portal rule; 3. Distribute profile
     • Source/Destination rule criteria and zone definition determines the devices the rule may be installed on
     • Restrict location with ‘install-on’ device setting, provides site specific override capability
  44. Firewall Profiles: Global Rules
     Sequence: 1. Define zones; 2. Create firewall, NAT or captive portal rule; 3. Distribute profile
     • SMS automatically creates snapshot, and displays potential distribution targets
     • Rules distributed (potentially deleted) based on your selection
     • SMS will pull in appropriate published IPS profiles
  45. In Closing
  46. HP NGFW Helps Save Time & Protect the Network
     Problem: I don’t know what applications are being used
     How HP TippingPoint NGFW can help: Use Visibility and IPS reports to see apps, network use and security risks
     Problem: I fear something will break if app is blocked
     How HP TippingPoint NGFW can help: Block is one action – perhaps rate limit it
     Problem: I need to protect network bandwidth and protect business critical apps
     How HP TippingPoint NGFW can help: Block or rate limit undesirable or bandwidth hogging apps. Use Trust rules to avoid impacting critical applications
     Problem: How can I control which users can use an app?
     How HP TippingPoint NGFW can help: User based policy rules
     Problem: I don’t have time to test/patch PCs and infrastructure
     How HP TippingPoint NGFW can help: IPS with Zero Day blocks vulnerabilities, even in default settings, putting you in control of patching
     Problem: How can I disrupt botnets and drive by downloads?
     How HP TippingPoint NGFW can help: RepDV stops access to bad web sites & botnet activity. IPS prevents malware installation through blocking the vulnerability
  47. Learn More
     Public launch on Sept 16 – www.hp.com/go/ngfw
     • ESP GA Date – 08/30
     • HPN GA Date – 9/30
     Resources – Published on Sales Portal and Partner Central:
     • Whitepaper, data sheet, Infographic, How-To-Sell
     • Training & Customer Deck
     • Upcoming webinars:
       • Demo (TBD)
       • Channel Partner Sales training – August 13
       • Channel Partner Technical training – August 15 & 16
       • Tentative training - September
     • Future technical deep dives and live demos
     Questions: NGFW@hp.com
  48. Thank You
