Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсетевого экрана нового поколения NGFW

HP TippingPoint
Next Generation Firewall
HP Enterprise Security Internal Technical Pre-Sales Training
Julian Palmer, NGFW Product Manager, HP TippingPoint
Russ Meyers, SMS Product Manager, HP TippingPoint
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
Introducing HP TippingPoint Next Generation Firewall (NGFW)
Key attributes, and how HP TippingPoint NGFW achieves them
Seven steps to get an NGFW on the network
Shared firewall rules with SMS
How does NGFW help common problems?
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject 2 to change without notice.

Introducing the HP
TippingPoint Next
Generation Firewall

What is HP NGFW…
Simple
Easy-to-Use,
configure and
install with
centralized
management
Next Gen IPS Enterprise
Reliable
Protect the
network
availability
features, IPS,
and automatic
protection
Effective
Industry
leading
security
intelligence
with weekly
DVLabs
updates
Integrated
Policy
Firewall
DVLabs
research
and feeds
User and app
policy

HP NGFW Feature Summary
Security
• Enterprise class zonal, stateful firewall
• Mix and match FW, app, user and IPS policy
choices
• Full IPS, DV, RepDV, WebAppDV, Zero Day
Initiative
• Apply IPS inspection profile based on app
• Rate limit, quarantine, trap, pcap, email actions
Certification Plans
• ICSA Firewall/VPN Enterprise, USGv6 coming
• FIPS-140-2, EAL, NSS on roadmap
Management
• HTTPS local web GUI, SSH, Full CLI,
inband/outband
• Role based management, Encrypted Log
Storage
• SNMPv2/v3 MIB-2, and TP Enterprise MIBs
• Integrated FW & IPS management with SMS
• ArcSight, HP NNMi and NA integration
Deployment
• NAT, routed, transparent, segment, one-armed
• IPv6 ready everywhere
• Static, RIP/RIPng, OSPFv2/v3, BGPv4,
multicast
• Link aggregation, VLAN translation, Rate
limiting
• IPSec site-to-site & Client-to-site, GRE/IPSec
• Active-Passive 2-node Stateful High Availability
• LDAP, Active Directory, RADIUS authentication

HP NGFW Portfolio
S1050F S3010F S3020F S8005F S8010F
FW only 500Mbps 1Gbps 2Gbps 5Gbps 10Gbps
FW + IPS @512 bytes 250Mbps 500Mbps 1Gbps 2.5Gbps 5Gbps
New Connections/second 10,000 20,000 20,000 50,000 50,000
Concurrent Connections 250,000 500,000 1M 10M 20M
Aggregate VPN Throughput (big
250 Mbps 500Mbps 1Gbps 1.5Gbps 3Gbps
pkts)
VPN Tunnels 2500 5000 7500 7500 7500
Redundant Power Supply/Fans No Yes Yes Yes Yes
Removable Solid State Storage 8GB 8GB 8GB 32GB 32GB
Integrated I/O 8xGbE 8xGbE
8xSFP
8xGbE
8xSFP
8xGbE
8xSFP
4x SFP+
8xGbE
8xSFP
4x SFP+
Ordering information:
ESP
HPN
JC850A
JC882A
US$4,995
JC851A
JC883A
US$13,995
JC852A
JC884A
US$18,995
JC853A
JC885A
US$49,995
JC854A
JC886A
US$70,995
HPN care pack info will follow…
1 Year of DV must be bought w/HW
Premium (DV+24x7)
Premium (DV+RepDV+24x7)

Where to Deploy
• At all network edges
• Security consolidation
• Where security needs
may change
Virtual machines (VMs)
Campus
LAN
Edge
WLAN
Core
Tele-workers,
partners, and
customers
Internet
Remote
offices and
branches
WAN
Data
center
NGFW
NGFW
NGFW
NGFW
IPS
IPS
NGFW
NGFW
Branch Regional
Hub
Data
Center
S1050F
S3010F
S3020F
S8005F
S8010F

S1050F Platform
External User
Disk
Console 115200, 8N1
GbE Data Ports HA MGMTAlert LED
Status
LED
Power LED
On/Off

S3010F , S3020F, S8005F, S8010F Platforms
SFP GbE Data Ports User Disk H
MGMT Alert LED
Ports
A
10G
SFP+
(S8000F)
Console 115200, 8N1
Status
LED
Redundant hot swap fans Dual Redundant PSUs
• Redundan
t Fan/PSU
• Hot swap
fans and
PSU

LED Meanings
Alert LED
Off No power
Solid
Yellow
System booting. After boot
this indicates a software
failure.
Flashing
Yellow
A Hardware problem has
been detected
Solid
Green
Hardware and software are
running normally
System LED
Off No power
Flashing
Green
System is booting and traffic is
not being processed
Solid Green System is running and healthy
Solid Yellow System is running but has
degraded health (software or
hardware issue)
Flashing
Green/Yellow
A software or BIOS upgrade is
being performed

HP ESP Field Replacement Parts
ESP
SKU
HPN
SKU
ESP Description*
Ref
Price
C1J35
A
JC901
A
HP TippingPoint 750W AC Power
Supply
US$649
C1J36
A
JC903
A
HP TippingPoint 32GB CFast
Card
US$599
C1J34
A
JC900
A
HP TippingPoint 80mm Fan
Module
US $190
DC power option not available
AC power supply is the same as the NX IPS
Comments
Supports NGFW and NX; Replaces
JC826A
Supports NGFW and NX; Replaces
JC828A
* HPN Description is different

Simplicity

Easy and Powerful Management
Best of Breed central management with SMS
• Unified management of IPS and NGFW devices
• Keep security current with DV active update
• Advanced reporting & visualization
• SMS 4.0 adds support for NGFW
Powerful when you need it
• Role Based Access Control
• Forensic reporting
• ArcSight Logger for universal log management
• 3rd Party integrations
Easy to Use On-Box web interface
• Minimum IE8, Chrome 17, Firefox 10, Safari 5.1
• Optimized for 1440x900

Reporting and Visibility
Primary reporting tool is SMS
• Delivers Application Visibility & Utilization,
Troubleshooting, Security Analysis and
Capacity Planning
• Consolidated reporting from all NGFW/IPS boxes
• High performance, detailed event forensics
using integrated HP Vertica columnar database
• Customizable Dashboard for real-time data
on traffic, apps and network behaviour
On-box shows summary app, traffic mix
• Identify app/traffic patterns
• App visibility is on by default
Big Data forensics with ArcSight

Easy to Deploy in the Network
Transparent
• Drop in Deployment
• Same L2 network on both sides
• Forwarded traffic based on destination
MAC
• Firewall always there…
Routed
• Different L3 network on each side
• Traffic is directed via routing table
• No asymmetric routing
• No L2FB
Segment
• In/out port
• Bump-in-the-wire
(no IP address)
• Reliability through
L2FB and HA
modes
Bridge
• Multiple ports
• Bcast domain
• IP address
• No L2FB
Routed
• One or more IP
addresses
One Armed
• Single port in/out
• VLAN tagged

Easy to Demo
Use NGFW to easily demo security & apps:
1. Attach “in” port of segment to a mirror port
Leave “out” port unconnected
2. Configure a segment using these ports
3. Set the NGFW IPS policy to “IDS Mode”
4. Create a Firewall Rule to “Permit Any Any”
5. Override IPS Categories to Permit+Notify
6. Leave…
• Return later and look at the reports
• IPS events, App reports, Traffic Reports
• Add an SMS for even better reporting

Effective Security
Mitigate Today and Tomorrow’s
Threats Using Firewall, IPS and
Application Control

Security Elements
Integrated Policy Controlling Who Does What to Whom, When…
Objects
• Zones, action sets,
notification contacts,
services, address
groups, schedules
Firewall
• Stateful Firewall, with
NAT/PAT
• Application Groups,
selected by category
• Mix and Match
Stateful and App
elements
• User ID by captive
portal
• User authentication
by AD, LDAP,
RADIUS
Next Gen IPS
• 12 categories with
recommended settings
• Zero Day, and Best of
Breed DV security filters
from DVLabs
• Reputation to block
undesirable IPs
• Automatic DV & RepDV
update
• Shared profiles with IPS
devices

Understanding FW Rules
Powerful and succinct rules
• Source/Destination based on Zone
or IP subnets/ranges
• Optionally use applications, Users,
services and schedules
• Block, Rate limit, Trust, trap, email, pcap
• Set inspection profile per-rule
• Position most specific rules at top
Collapse multiple rules into one
• Using multiple selectors (like an “or”),
where the policy/action is the same
• Negation and Exclude constructs
Edit Default Block Rule to enable logging
No implied rules

Controlling Applications
• All web apps look the same to old FW’s
• True NGFW firewall rules only contain
apps/categories, not services
IPS w/ Unknown Profile FW Rule Specific
Profile
Match Stateful FW Rule App Detected –
• NGFW will detect apps regardless of TCP port
• NGFW keeps looking for a better matching
FW rule, until app is definitive or not matched
• IPS can be applied during “app detect phase”
• NGFW can block encrypted applications,
but cannot inspect within them
Change Matching FW
Rule

IPS Profiles Drive Deep Packet Inspection
Policy
IPS uses security filters from DVLabs
• 7,400 filters, 2,650 security researchers
• No false positives or negatives
IPS Profiles define a combination of IPS settings
• Set Profile Deployment Mode to modify
“Recommended”
• DV defines “Recommended” for all filters/categories
• Use Profile settings to override filter settings
• Create trust relationships or exclude IPs from IPS
• Simple DDOS protection via SYN proxy rate check
Use Default Profile or define your own profiles

Extended Firewall Rule Configuration in SMS
Build a global view
Manage policy across entire
deployment
Leverage your existing IPS policy
• IPS Security Profiles
• Reputation Filters
• Shared Settings
• Named Resources
The same zone name may be built
from different ports on different
NGFW devices, but share same
policy
Distribute policy changes when
ready

Reliability:
Keeping the Network Up

Segments – TippingPoint Inline Protection
Only a Layer 2 mode
Protect against hardware or software failure
− Layer 2 Fallback (L2FB) and ZPHA bypass
− HA mode: Permit/Block, due to health or HA config
− Link Down Synchronization mode helps network
convergence when one side of the segment fails
Notes
− No asymmetric mode
− A segment can only be a vertical port pair
− Firewall always runs
− No TippingPoint virtual ports/segments

2-Node High Availability Clusters
Protect against single failure, minimum downtime
2-node active/passive cluster, with optional state sync
• FW, Routing and IPS sessions sync
SMS is required for configuration sync
• Operates on a shared MAC
Nodes are connected by back-to-back HA connection
• Traffic optionally encrypted
• Option to allow use of management port for HA traffic if all HA links fail (default:off)
Nodes must be the same hardware and software version

SMS Cluster Configuration
1. Ensure devices at factory defaults, except
for management access
2. Acquire the devices separately into SMS
3. Click “New Cluster” in Devices view
4. Identify the cluster name, members, select
settings for State Sync, HA link etc.
Cluster will form…
Use Shared Settings for networking, routing, VPN…
• Immediate commit, and “copied to Start”
Use Profiles to create shared FW rules and
IPS settings, and distribute to the device

Cluster Based SW Upgrade
SMS “rolls out” NGFW Software
upgrade across the cluster
• One device kept active at all times
to keep network up
• Passive device is upgraded first and
rebooted
• Active device is forced passive and
then upgraded
• Session state synchronized at all times

Examples…

Simplicity Example:
7 Steps to Deploying a New Next Generation
Firewall…
Configuration Example

7 Steps to Setup a New HP NGFW
What you will need:
– Connected Console cable and client
– Network connections made for LAN and WAN
– Minimum information:
• SuperUser account name you want to create
• Management port IP address
• Interface IP addresses for LAN and WAN
For SMS:
– An installed SMS, with network access to the
NGFW

Step 1: Complete Console Setup
1. Connect console – 115200, 8N1
2. Complete OBE prompts:
• Define security requirements on SuperUser password
• Define SuperUser account name and password
3. Log in to CLI
Please enter a user name for the super-user
account.
Spaces are not allowed.
Name: SuperUser
Do you wish to accept [SuperUser] <Y,[N]>: y
Please enter a password for the super-user
account [SuperUser]:
Verify password:
Saving information...Done
Your super-user account has been created.
You may continue initial configuration by logging
into your device.
After logging in, you will be asked for
additional information
ngfw
login: SuperUser

Step 2: Get the NGFW on the network
1. Log in to CLI on console
2. Start an CLI edit setting
3. Define the management port:
• Set host name (optional)
• Set IP information
• Set default route
4. Define DNS server to perimeter router
5. Define IP interfaces
6. Make the changes live
7. Ensure the changes will apply on next boot
edit
interface mgmt
host name demo_unit1
ipaddress 10.0.0.101/24
route 0.0.0.0/0 10.0.0.100
exit
dns
name-server 11.0.0.101
exit
interface ethernet1
ipaddress 10.0.0.100/24
exit
interface ethernet2
ipaddress 11.0.0.100/24
exit
commit
save-config
exit

Step 3: Acquire the Device in SMS
1. Log in to SMS
2. Click Devices > New Device
3. Enter the MGMT IP of the NGFW and the
SuperUser account name/password from
the console setup

Step 4: Define Security Zones
1. Click Profiles > Shared Settings
> Security Zones
2. Click New… to create a Zone
3. Enter the name “LAN”
4. Click Add… to add interfaces
• Select ethernet1
5. Repeat to create “WAN” zone
6. Confirm zone setup
Note: Can create same zone with
different interfaces on another
device

Step 5: Create a New FW Profile
1. Click Profiles >
Firewall Profiles in menu
2. Click “New”
3. Give the profile a name
4. Select Inspection Profiles
Default = Default IPS Profile

Step 6: Create Firewall Rules
1. Expand the new Firewall profile
2. Click “New” to create a rule
3. Define the rule to permit LAN
to WAN for any service
• Action Set = “Permit+Notify”
• Click + on Sources, select LAN
• Click + on Destination, select WAN

Step 7: Distribute the Firewall Profile
1. Click the profile name
and click “Distribute”
2. Select which NGFWs will receive
the Firewall Profile
3. Wait for distribution
Note:
• An NGFW only runs one
Firewall Profile at once

Verify
1. Using a client on the LAN, try to access
the internet via a browser
2. Confirm that the web site loads
3. If it doesn’t work, check for firewall block
events in SMS…
or easier, “show fwBlock” on console:
julian_hpar1{}show log fwBlock tail
2013-08-06 18:50:51.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2
161.71.1.2 47546 64.31.0.235 80 TCP [] pt0 0 0 0
2013-08-06 18:50:52.665 demo_unit1 1 "Blocked by Firewall" Major [Block + Notify] [DEFAULT-BLOCK] ethernet1 ethernet2
161.71.1.2 0 212.58.244.66 0 ICMP [] pt0 0 0 0

Security Effectiveness
Example:
SMS Configuration of Shared Firewall Rules
Configuration Example

SMS Shared Firewall Rules
Sequence:
1. Define zones
2. Create firewall, NAT or captive portal rule
3. Distribute profile

Firewall Profiles: Global Rules
1. Define zones
• Shared across deployment
• Assign interfaces from 1 or more NGFW devices

1. Define zones
• Source/Destination rule criteria and zone definition determines the devices the rule may be
installed on
• Restrict location with ‘install-on’ device setting, provides site specific override capability

1. Define zones
• SMS automatically creates snapshot, and displays potential distribution targets
• Rules distributed (potentially deleted) based on your selection
• SMS will pull in appropriate published IPS profiles

In Closing

HP NGFW Helps Save Time & Protect the
Network Problem How HP TippingPoint NGFW can help…
I don’t know what applications are being
Use Visibility and IPS reports to see apps,
used
network use and security risks
I fear something will break if app is blocked Block is one action – perhaps rate limit it
I need to protect network bandwidth and
protect business critical apps
Block or rate limit undesirable or bandwidth
hogging apps. Use Trust rules to avoid impacting
critical applications
How can I control which users can use an
app?
User based policy rules
I don’t have time to test/patch PCs and
infrastructure
IPS with Zero Day blocks vulnerabilities, even in
default settings, putting you in control of patching
How can I disrupt botnets and drive by
downloads?
RepDV stops access to bad web sites & botnet
activity.
IPS prevents malware installation through
blocking the vulnerability

Learn More
Public launch on Sept 16 – www.hp.com/go/ngfw
• ESP GA Date – 08/30
• HPN GA Date – 9/30
Resources – Published on Sales Portal and Partner Central:
• Whitepaper, data sheet, Infographic, How-To-Sell
• Training & Customer Deck
• Up coming webinars:
• Demo (TBD)
• Channel Partner Sales training – August 13
• Channel Partner Technical training – August 15 & 16
• Tentative training - September
• Future technical deep dives and live demos
Questions: NGFW@hp.com

Thank You

Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсетевого экрана нового поколения NGFW

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсетевого экрана нового поколения NGFW

Similar to Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсетевого экрана нового поколения NGFW (20)

More from TechExpert

More from TechExpert (20)

Recently uploaded

Recently uploaded (20)

Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсетевого экрана нового поколения NGFW

Editor's Notes