3 proventia network ips

IBM Global Technology Services © 2008 IBM Corporation IBM Internet Security Systems Ahead of the threat. Security Framework and Solutions Proventia Network IPS

Upload: luu-tuong

Post on 22-Jun-2015


Page 1: 3 Proventia Network IPS

IBM Global Technology Services

© 2008 IBM Corporation

IBM Internet Security Systems
Ahead of the threat.™

Security Framework and Solutions
Proventia Network IPS

Page 2: 3 Proventia Network IPS


Agenda

IBM Security Framework

Proventia Network Intrusion Protection System

Q & A session

Page 3: 3 Proventia Network IPS


The information security capability reference model

IBM Information Security Framework – Enterprise Information Management & Privacy

The eight themes:

• Governance
• Privacy
• Threat mitigation
• Transaction and data integrity
• Identity and access management
• Application security
• Physical security
• Personnel security

Page 4: 3 Proventia Network IPS


IBM Information Security Framework

The eight themes are described through a number of capabilities.

Application security
  Application development environment
  • Secure coding practices
  • Operational application support environment
  • Design patterns
  Systems development lifecycle (SDLC)
  • Security in the SDLC process

Personnel security
  Workforce security
  • Employment lifecycle management
  • Awareness and training
  • Code of conduct

Privacy
  Data, rules and objects
  • Privacy data taxonomy and classification
  • Privacy business process model
  • Data usage compliance process
  Policy, practices and controls
  • Policy taxonomy and glossary
  • Policy rules definitions
  • Privacy impact assessment (proactive)
  • Privacy audit (reactive)
  • Awareness and training
  Privacy and information management strategy
  • Define privacy information strategy
  • Requirements and compliance process
  • Incident response

Transaction and data integrity
  Secure storage
  • Data retrieval
  • Data storage protection
  • Data destruction
  • Archiving
  Systems integrity
  • Security in systems management
  • Security in business continuity planning
  Business process transaction security
  • Fraud detection
  • Data transaction security
  Database security
  • Database configuration
  • Master data control
  Message protection
  • Public key infrastructure
  • Message protection security

Threat mitigation
  Vulnerability management
  • Standard operating environment
  • Patch management
  • Vulnerability scanning and assessment
  Incident management
  • Incident management
  • Event correlation
  • Forensics
  Network segmentation and boundary protection
  • Network zone management and boundary security infrastructure
  • Remote access infrastructure
  • Intrusion defense
  • Network security infrastructure
  Content checking
  • Virus protection
  • Content filtering

Governance
  Compliance program
  • Regulatory compliance
  • Technical, policy and standards compliance
  • Health checking
  • Internal audit and response
  Security risk management framework
  • Threat risk assessment
  • Information asset profile
  • Project risk assessment
  • Security risk management
  Strategy
  • Information security policy
  • Enterprise security architecture
  Governance framework
  • Governance structure
  Information security advisory
  • Consulting and advisory services

Identity and access management
  Identity lifecycle management
  • User provisioning
  • Other entity provisioning
  • Identity credential management
  Identity proofing
  • Background screening
  • Identity establishment
  Access management
  • Single sign-on
  • Authentication services
  • Access control services

Physical security
  Physical asset management
  • Asset management
  • Document management
  Site security
  • Site planning
  • Site management

Page 5: 3 Proventia Network IPS


IBM Security in action – PCI Data Security Standard

Payment Card Industry (PCI) is a global security standard created by major credit card brands to reduce risks and protect consumers’ personal information.

PCI as a blueprint to a more secure enterprise.

Delivering security solutions to help address compliance concerns.

Page 6: 3 Proventia Network IPS


IBM Services, Software and Hardware:

Only IBM has solutions to address all 12 PCI requirements

Page 7: 3 Proventia Network IPS


Strengths of IBM ISS

Page 8: 3 Proventia Network IPS


IBM ISS Virtual Patch Technology

Virtual Patch™ technology for vulnerabilities:

• Shields the vulnerability from being exploited
• Eliminates emergency patching
• Removes the risk of patching
• Enables patches to be applied during normal maintenance windows

Stop malicious attacks before they impact your business.

Page 9: 3 Proventia Network IPS


Preemptive Protection – Getting ahead of the threat

How is it different from “reactive” security and “zero day” protection?

Consider a leaky roof in a rainstorm. The holes in the roof are like vulnerabilities. “Reactive” security is like examining individual raindrops after they’ve already come through a hole in your roof.

“Zero day” protection is simply reactive security hurried up. It provides a patch (often for just a specific type of raindrop) sometime during a 24-hour period when the chance of rain is virtually 100%.

Preemptive security is a vulnerability-based security approach. Intensive research is applied to discover the hole in the roof (vulnerabilities in software). A patch is applied to the hole to protect against any kind of rain – all while the sun’s still shining (often weeks or months ahead of an attack).

Page 10: 3 Proventia Network IPS


Pre-Emption (Staying ahead of the risk) – What’s the Difference?

Protecting against exploits is reactive:

– Too late for many

– Variants undo previous updates

– Typical of antivirus and most IDS/IPS vendors

Protecting against vulnerabilities and behaviors is proactive:

– Stops threat at source

– Requires advanced R&D
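The contrast this slide draws between exploit-based and vulnerability-based protection, shown as an added Python illustration (not IBM or PAM code): a constructed toy protocol with an assumed 64-byte limit on opcode 0x01 payloads, a constructed exploit signature, and constructed sample messages, where a trivially altered variant slips past the signature but still trips the check on the vulnerability condition.

```python
import re
import struct

# Constructed toy protocol (not a real one): 1-byte opcode, 2-byte
# big-endian payload length, then the payload.
HDR = struct.Struct("!BH")

# Assumed flaw in the receiving service: opcode 0x01 payloads are copied
# into a fixed 64-byte buffer, so a longer payload is the vulnerability
# condition.  Both values are assumptions made for this example.
OPCODE_VULN = 0x01
MAX_SAFE_LEN = 64

# Exploit-centric (reactive) detection: a signature written after the
# first exploit was seen, keyed on the filler bytes that exploit used.
EXPLOIT_SIGNATURES = [re.compile(rb"\x01..A{80,}", re.DOTALL)]


def signature_match(msg: bytes) -> bool:
    """True only when a known exploit pattern appears in the message."""
    return any(sig.search(msg) for sig in EXPLOIT_SIGNATURES)


def parse(msg: bytes):
    """Decode (opcode, declared_length, payload); None if the header is short."""
    if len(msg) < HDR.size:
        return None
    opcode, length = HDR.unpack_from(msg)
    return opcode, length, msg[HDR.size:]


def vulnerability_match(msg: bytes) -> bool:
    """Vulnerability-centric check: would this message reach the flawed
    code path with an over-long payload?  Payload bytes are irrelevant;
    only the protocol state the flaw depends on is inspected."""
    parsed = parse(msg)
    if parsed is None:
        return False
    opcode, length, payload = parsed
    if opcode != OPCODE_VULN:
        return False
    # Check the declared and the actual length: a header that lies still
    # describes a message the flawed copy would act on.
    return length > MAX_SAFE_LEN or len(payload) > MAX_SAFE_LEN


def build(opcode: int, payload: bytes) -> bytes:
    """Assemble a message in the toy protocol."""
    return HDR.pack(opcode, len(payload)) + payload


# Constructed sample traffic for the comparison.
SAMPLES = {
    "benign": build(OPCODE_VULN, b"hello"),
    "original": build(OPCODE_VULN, b"A" * 100),  # the first exploit seen
    "variant": build(OPCODE_VULN, b"B" * 100),   # same flaw, new filler
    "other_op": build(0x02, b"A" * 100),         # long, but not the flawed path
    "lying_hdr": HDR.pack(OPCODE_VULN, 500) + b"x",  # header overstates length
}


def compare(samples=SAMPLES):
    """Return {name: (signature_hit, vulnerability_hit)} for each sample."""
    return {n: (signature_match(m), vulnerability_match(m))
            for n, m in samples.items()}
```

Running compare() shows the signature only catching the original exploit, while the vulnerability check flags the original, the variant and the lying header alike and leaves the benign and non-flawed-opcode messages alone.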

Page 11: 3 Proventia Network IPS

Vendor Patching is an Unmanageable Arms Race
Source: Microsoft Security Center

Window Between Vulnerability and Exploit:

Bulletin    Patch date      Exploit                       Exploit date    Window
MS02-039    July 24, 2002   Slammer (SQL Server, DoS)     Jan 25, 2003    185 days
MS03-026    July 16, 2003   MS Blaster (DCOM RPC, DoS)    Aug 11, 2003    26 days
MS00-078    Apr. 13, 2004   Sasser (LSASS, restart)       Apr. 30, 2004   17 days
MS05-039    Aug. 9, 2005    Zotob (PnP, TCP 445)          Aug. 13, 2005   4 days

Page 12: 3 Proventia Network IPS


MS Plug and Play / Zotob Timeline

ISS:
4/13/2005 – ISS implements protection for the MS PnP vulnerability into ISS products. ISS’ Virtual Patch protection begins.
8/9/2005 – Microsoft publicly announces the vulnerability and the availability of a patch.
8/11/2005 – Plug and Play exploits become public.
8/13/2005 – Zotob Bot runs rampant and causes damage to organizations worldwide. ISS customers enjoy protection since 4/13/2005.

Others:
4/13/2005 – Others do not have internal research to find and understand vulnerabilities; therefore, they have no knowledge of the MS Plug and Play vulnerability.
8/9/2005 – Others claim “preemptive protection” through broad blocking and alerting methods which are prone to false positives and false negatives.
8/11/2005 – Plug and Play exploits become public.
8/13/2005 – Zotob Bot propagates; some competition see the bot, but none of the (many) variants, resulting in continuous updates offering little to no zero day coverage.
8/16/2005 – Exploit-based signatures released to reactively protect against the Zotob Bot.

Page 13: 3 Proventia Network IPS


Effective IPS Technology

IPS Evaluation Criteria

Protection capability

Network performance

Security research and intelligence

Management

Page 14: 3 Proventia Network IPS


IBM ISS Platform Differentiators

The power to deliver the most advanced internet security in the world:

• The world’s leading enterprise security R&D organization
• Global Security Operations Center (infrastructure monitoring)
• ISS X-Force™ Security R&D
• ISS Security Operations
• ISS Protection Platform
• End-to-end preemptive security solutions
• Integrated security

Page 15: 3 Proventia Network IPS


IBM ISS Protection & Research

IBM ISS IPS superior – Protection

– Analyses many network protocols (177 protocols) to detect and block attacks completely and accurately
– Provides a full set of IPS solutions at the Gateway, Network and Host
– Management components give the administrator maximum support.

IBM ISS IPS superior – Research

– X-Force R&D
• Blocks attacks before they happen
• Monitors the global security situation through the managed security service (MSS)
• www.iss.net

Page 16: 3 Proventia Network IPS


X-Force Research - Advisories

Frost and Sullivan Company of the Year

Page 17: 3 Proventia Network IPS


Leader in IPS Sales

Source: World Intrusion Detection and Prevention Systems Markets - Frost & Sullivan

Page 18: 3 Proventia Network IPS


Market Leadership: 2006-2007 Awards

Frost & Sullivan Awards:

– IDS/IPS Market Leadership Award
– Vulnerability Assessment Market Leadership Award
– Managed Security Services Customer Service Innovation Award
– Global Market Leadership

Page 19: 3 Proventia Network IPS

IBM Internet Security Systems
Ahead of the threat.™

IBM ISS Enterprise Security Solution

Page 20: 3 Proventia Network IPS


Proventia Network MFS – “All-in-One” Protection Appliance
MX5110, MX5008, MX4006, MX3006, MX1004, MX0804
- IDS/IPS
- FW / VPN
- AntiVirus (signature & behavioral)
- AntiSpam
- Web Filter

Proventia ADS Series – “Anomaly/Behavioral” Protection and Network Visibility Appliances

Proventia Desktop – “All-in-One” Protection Agent
- Firewall
- Virus Prevention System
- Intrusion Protection
- VPN Enforcer
- Buffer Overflow Protection

Proventia Network IPS – Preemptive Security for Enterprise Networks
Baby-G, GX4002, GX4004, GX5008, GX5108, GX5208, GX6116

Proventia Server – “Multi-layered” Protection Agent
– Windows
– Linux

RealSecure Server Sensor
– Windows
– Solaris

Page 21: 3 Proventia Network IPS

IBM Internet Security Systems
Ahead of the threat.™

11/02/2008

Proventia Network Intrusion Protection System

Page 22: 3 Proventia Network IPS


Network Security Challenges

Service outages due to denial-of-service attacks

Unauthorized access to network resources

Exponentially increasing number of required software patches

Increasing requirements to demonstrate compliance

Lack of qualified in-house information security specialists

Page 23: 3 Proventia Network IPS


Detection vs. Prevention

Page 24: 3 Proventia Network IPS


Intrusion Prevention

Intrusion Prevention Systems

Block malicious and unwanted traffic other technologies cannot recognize.

Bots / Trojans / Worms / Spyware / P2P / IM / DoS

Complement patch management by shielding new vulnerabilities.

Page 25: 3 Proventia Network IPS


Firewall & NIPS comparison – The Airport Analogy

Firewall:
– Like the Immigration at the Airport
– Controls WHO & WHEN the entity is permitted to enter or leave
– Based on the Passport

Network Intrusion Prevention Systems:
– Like the Customs at the Airport
– Controls WHAT & HOW is permitted to enter or leave
– Based on What you Bring/Carry

Page 26: 3 Proventia Network IPS


Model    Ports   Throughput
GX3002   2       10Mbps
GX4002   2       200Mbps
GX4004   4       200Mbps
GX5008   8       400Mbps
GX5108   8       1.2Gbps
GX5208   8       2Gbps
GX6116   16      6Gbps

Block network attacks

Help address patching problems

Page 27: 3 Proventia Network IPS


Deployment Considerations

Model    Typical Deployment   Form Factor   Throughput   Concurrent Sessions   Redundant Power Supplies   Redundant Storage   Hardware Level Bypass   Inline IPS Segments
GX3002   Remote Office        Desktop       10Mbps       220,000               No                         No                  Yes                     1
GX4002   Remote Office        1U            200Mbps      1,200,000             No                         No                  Yes                     1
GX4004   Network Perimeter    1U            200Mbps      1,200,000             No                         No                  Yes                     2
GX5008   Network Perimeter    2U            400Mbps      1,200,000             Yes                        Yes                 Yes*                    4
GX5108   Network Core         2U            1.2Gbps      1,450,000             Yes                        Yes                 Yes*                    4
GX5208   Network Core         2U            2Gbps        1,800,000             Yes                        Yes                 Yes*                    4
GX6116   Network Core         2U            15Gbps       4,600,000             Yes                        Yes                 Yes*                    4

* Requires External Bypass Unit

Page 28: 3 Proventia Network IPS


Network Protection - Deployment

Page 29: 3 Proventia Network IPS


Page 30: 3 Proventia Network IPS

Proventia Network IPS Security

(This slide repeats the MS Plug and Play / Zotob Timeline shown on Page 12.)

Page 31: 3 Proventia Network IPS


NIPS provides Administrative Benefits

Patching is part security management and part system administration.

Consider a company that takes half a man-day to patch a server:
– 1000 servers will take them 500 man-days

A NIPS will block attacks targeting unpatched servers, while the administrator can schedule patching at a convenient time:
– When the patch is available for download
– After the patch has been tested on test servers
– When no issues are found between the patch and business applications

Page 32: 3 Proventia Network IPS


Protocol Analysis Module (PAM)

Page 33: 3 Proventia Network IPS


Importance of VoIP security

Page 34: 3 Proventia Network IPS


VoIP security solution?

VoIP demo

Page 35: 3 Proventia Network IPS


Proventia Network IPS Security

Backed by the industry-leading X-Force® research and development team:

Original Vulnerability Research

Public Vulnerability Analysis

Malware Analysis

Threat Landscape Forecasting

Protection Technology Research

Page 36: 3 Proventia Network IPS


Proventia Network IPS Ease of Use

Three management interfaces:

– SiteProtector

– Proventia Manager (Web-based)

– Command line interface

“Trust X-Force” Default Blocking automatically enables new security content

Granular security policy control (based on device, port, VLAN or IP)

Attack traffic logging support

Integrates with SNMP-based health monitoring systems

Page 37: 3 Proventia Network IPS


Proventia Network IPS Reliability

Automatic Bypass Operation allows all traffic to pass in the event of:

– Hardware failure

– Power failure

– Software crash

Redundant components*:

– Hard drives

– Power supplies

– Cooling fans

* Available in GX5008, GX5108, GX5208, and GX6116

Page 38: 3 Proventia Network IPS


Proventia Network IPS Redundancy

High Availability: Support for Non-Asymmetric Routing

(Diagram labels: Internet, SWITCH, SWITCH)

Page 39: 3 Proventia Network IPS


Proventia Network IPS Redundancy

High Availability: Support for Asymmetric Routing

Page 40: 3 Proventia Network IPS


Proventia Network IPS Deployment

Three Operating Modes:

Page 41: 3 Proventia Network IPS


Proventia Network IPS Management

Browser-based local management interface (LMI)

Central Management through Proventia Management SiteProtector:

– Simple, powerful configuration and control

– Robust reporting, customized event viewing and event correlation

– Comprehensive alerting and response options

– Scheduled data retention to be used for compliance efforts

– Highly scalable to accommodate hundreds of Proventia Network IPS appliances and other ISS solutions

Page 42: 3 Proventia Network IPS


Page 43: 3 Proventia Network IPS


Pull-down list provides a means for the user to change view.

Replaces the tabs that are currently used in SP (SiteProtector).

Page 44: 3 Proventia Network IPS


Right click on any Events for details

Page 45: 3 Proventia Network IPS


Increased productivity

Console Consolidation

Lower TCO sets up quicker ROI

Still decentralized command and control

Significantly reduces operational cost

Page 46: 3 Proventia Network IPS


Proventia Network IPS Management

Command and Control

– SiteProtector™

– Proventia Manager (LMI)

– Command Line Interface

Policy Management

– Policy per Device

– Policy per Port

– Policy per VLAN Tag

– Policy per IP Address / Range

– Support for Custom / SNORT Rules

Intrusion Responses

– Block

– Ignore

– Log

– Email

– Quarantine

– SNMP

– User Defined

Logging

– Attack Packet Logging

Page 47: 3 Proventia Network IPS


IBM ISS Awards

Page 48: 3 Proventia Network IPS


NSS Tested and Certified – ISS Awarded 11 times

ISS Product                Date    Category   Award
Proventia GX6116 V2.2      04/08   IPS        Approved
Proventia GX5108 V1.3      08/06   IPS        Approved
Proventia GX4004 V1.3      06/06   IPS        Approved
Proventia M50 V3.2         10/05   UTM        Approved
Proventia A604             03/05   IDS        Approved
Proventia G200 RevA        01/04   IPS        Approved
RSN Gigabit 7.0            08/03   Gig IDS    Approved
Proventia A201             08/03   IDS        Approved
RSN 7.0 Gigabit Sensor     12/02   Gig IDS    Approved
RSN 7.0                    07/02   IDS        Approved
RSN 5.0                    12/01   IDS        Approved

No product or signature updates are allowed during the tests.

http://www.nss.co.uk/certification/tested.htm

Page 49: 3 Proventia Network IPS


IBM is Leader in IDS/IPS Market for 2007

Page 50: 3 Proventia Network IPS


Proventia Network IPS Confidence

“All in all, Proventia continues to be one of the most consistently accurate IDS/IPS systems we have tested.”
- Bob Walder, Director, The NSS Group (www.nss.co.uk)

“We have a number of IBM Proventia appliances and have found them to function flawlessly in terms of performance.”
- John Libbeter, Capita Business Services

“The Proventia Network Intrusion Prevention System provides the granularity that is required to protect, without interfering with business processes.”
- Eric Ayotte, Network Security Solutions Group, M&T Bank Corporation

Page 51: 3 Proventia Network IPS


Questions to Consider

Are you able to patch every system in your network every time a new vulnerability is announced?

Is there confidential information stored on computers within your network?

What would be the impact on your firm’s business operations if your network went down?

Does your organization have the security expertise required to defend against attacks, investigate and remediate breaches, and demonstrate compliance?

Page 52: 3 Proventia Network IPS


Key Takeaways


IBM Proventia Network IPS

– Block network attacks

– Help address patching problems

PAM – Protocol Analysis Module – vulnerability centric

IBM is Market Leader for IDS/IPS for 2005, 2006, 2007

IBM integrates network and host based solutions to provide a unified solution to customers

IBM end-to-end preemptive protection provides a value proposition that significantly aids deployment and management of security infrastructure.

Page 53: 3 Proventia Network IPS

IBM Internet Security Systems
Ahead of the threat.™

Thank you!