HP Consulting Israel Jacob Shaaltiel July 15, 2001 HP UX 11 Security Products

Page 1

HP Consulting Israel
Jacob Shaaltiel
July 15, 2001
HP UX 11 Security Products

Page 2

HP Consulting Services

HP UX 11i Security Features

IP Filter 9000 (B9901AA)
IPSec9000 (J4255AA)
hp-UX intrusion detection (J5083AA)
Kerberos 5.0 (J5844AA)
CIFS9000 (J5083AA)
PAM and CDSA
Trusted System (C2)

Page 3

The server is the final line of defense

HP-UX 11 Is The Most Secure Commercial Unix Server

Industry standard security easily integrates in end-to-end security solutions

High Performance Security

• Kerberos
• LDAP
• CDSA
• IPSec
• HP Praesidium Speedcard
• HP-UX software encryption acceleration

Broad portfolio of security products and solutions to meet the demanding requirements of integrated OS, network and application security

• C2 Compliance
• Virtual Vault
• DomainGuard
• e-Firewall
• Extranet VPN
• Node Sentry
• Intrusion Detection

Page 4

HP UX 11i

Kernel Level intrusion detection

Page 5

HP-UX 11.x Intrusion Detection Architecture

[Architecture diagram with the following elements: Security Administration; Kernel Audit Data, Syslog Data, Other Data; IDS Agent; Security Management (OpenView IT/O); Notification, Reporting, Analysis, Response; Misuse/Intrusion Alerts, Control/Status; Configuration; IDS Applications, Etc.; Detection Pattern (Kernel, Application)]

Page 6

Real-Time Detection and Alerts

• Intrusions detected as they occur

• System performance not degraded

• Three alert levels color coded

• Attacker identified

• Attack type identified

Page 7

System Management

• Multiple hosts across the enterprise

• Surveillance groups for easy administration

• Surveillance schedules for maintenance, test

Page 8

HP UX 11i Security IP Filter 9000

Page 9

IP Filter 9000

• IPFilter/9000 is the same as IP Filter version 3.5 Alpha 5 from the public domain (authored by Darren Reed), with improved quality. It contains all the functionality of the public domain code, including the unsupported perimeter firewall features such as NAT and firewall stealth. Customers using the unsupported features may request support from the public domain project at http://caligula.anu.edu.au/~avalon/

• IPFilter/9000 is not supported in an MC/SG environment.

• IPFilter is offered free on the application disk.

HP has positioned IP Filter/9000 as a system firewall and does not support the perimeter firewall features in the product.

Page 10

IP Filter 9000

• IP Filter/9000 provides the following benefits:
  · Protect an individual host in the intranet against internal attacks
  · Protect a host in the intranet against external attacks that breach perimeter defenses
  · Protect a bastion host on the perimeter (e.g. web server)
  · Protect a bastion host in the DMZ (e.g. web server)
  · Protect an application proxy firewall against attacks that target the underlying OS
  · Stop the security hole created by a remote access workstation connected to the Internet and having VPN access to the intranet
  · Provide restricted configuration of Internet services

Page 11

IP Filter 9000 Example

Filtering by Port Number

object = addr [ port-comp | port-range ]
port-comp = "port" compare port-num
port-range = "port" port-num range port-num

Only applicable with the TCP and UDP IP protocols.

Example:

pass in quick proto tcp from any to 20.20.20.1/32 port = 23
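As an added illustration (not code from the slides or from the HP product), a small Python matcher for the port-filter grammar above: it parses rules of the slide's form, applies port-comp and port-range clauses to the destination or source port, and evaluates packets under ipf's last-match-wins rule order, where a matching rule marked quick ends evaluation. The meanings of the `<>` and `><` range operators, the pass-by-default behaviour when no rule matches, and the second rule of the rule set are assumptions labelled in the code.

```python
import ipaddress
COMPARE = {"=": int.__eq__, "!=": int.__ne__, "<": int.__lt__,   # port-comp operators
           ">": int.__gt__, "<=": int.__le__, ">=": int.__ge__}

def _addr(text):  # "any" matches every address; a.b.c.d/32 is a one-address network
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)

def _port_test(words):  # predicate for an optional port-comp or port-range clause
    if not words:
        return lambda _p: True
    if words[0] == "port" and len(words) == 3:        # "port" compare port-num
        op, n = COMPARE[words[1]], int(words[2])
        return lambda p: op(p, n)
    if words[0] == "port" and len(words) == 4:        # "port" port-num range port-num
        lo, op, hi = int(words[1]), words[2], int(words[3])
        if op == "<>":                                # assumed: strictly between
            return lambda p: lo < p < hi
        if op == "><":                                # assumed: outside the range
            return lambda p: p < lo or p > hi
    raise ValueError("bad port clause: " + " ".join(words))

def parse_rule(line):
    """Parse 'pass|block in|out [quick] proto tcp|udp from A [port ...] to B [port ...]'."""
    t = line.split()
    if t[0] not in ("pass", "block") or t[1] not in ("in", "out"):
        raise ValueError("bad rule: " + line)
    proto = t[t.index("proto") + 1]
    if proto not in ("tcp", "udp"):                   # port clauses apply to TCP/UDP only
        raise ValueError("port filtering needs proto tcp or udp: " + line)
    f, to = t.index("from"), t.index("to")
    return {"action": t[0], "dir": t[1], "quick": "quick" in t[2:f], "proto": proto,
            "src": _addr(t[f + 1]), "sport": _port_test(t[f + 2:to]),
            "dst": _addr(t[to + 1]), "dport": _port_test(t[to + 2:])}

def evaluate(rules, direction, proto, src, sport, dst, dport):
    """Assumed ipf semantics: the last matching rule wins, a matching quick rule
    ends evaluation at once, and a packet no rule matches is passed."""
    verdict, s, d = "pass", ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["dir"], r["proto"]) == (direction, proto) and s in r["src"] \
                and r["sport"](sport) and d in r["dst"] and r["dport"](dport):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

RULES = [parse_rule(line) for line in (  # constructed: the slide's rule plus a low-port block
    "pass in quick proto tcp from any to 20.20.20.1/32 port = 23",
    "block in proto tcp from any to 20.20.20.1/32 port 1 <> 1024")]
```

Dropping quick from the first rule would let the later block rule override it for port 23, which is why the slide's rule carries it.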

Page 12

HP UX 11i Security IPSec 9000

Page 13

Types of VPNs

• Host-to-Host – End-to-End security to protect sensitive data for intra- or inter-network communications
• Site-to-Site – Replace expensive dedicated leased line WAN charges for site-to-site data connectivity
• Extranet VPN – Quick set-up of business-to-business WAN connectivity
• Remote Access – Replace expensive modem pools, ISDN per-minute charges

HP Solution

• E-Firewall/VPN
• IPSec/9000
• E-Firewall/VPN
• E-Firewall/VPN

Page 14

HP IPSEC VPN Solutions

[Network diagram with the following elements: Public Internet, Business Partner, Branch Office, E-Firewall, Vendor X Firewall, Corporate Intranet, DMZ, Legacy App Server, Web Server, E-Firewall, VPN Secure App Server; legend: Encrypted IPSEC / Unencrypted Data]

Praesidium E-Firewall can function as a VPN gateway for network-to-network IPSEC traffic and/or as a firewall filter to allow IPSEC through to the VPN Secure App Server.

Praesidium IPSEC/9000: a web server with IPSEC provides transparent network-level security, allowing secure transfer of credit card numbers and other sensitive data.

Praesidium IPSEC/9000: a Secure Application Server provides transparent end-to-end network-level security for legacy applications.

Page 15

HP-UX IPSec/9000 Product Overview

• IPSec-based standard solutions to provide interoperability and to protect customers' investment.
• Scalable and flexible key management (IKE) for authentication
• Easy integration with existing infrastructure
  - Pre-shared key support
• Scalable public-key based authentication with PKI
  - Automated certificate and CRL retrieval process
• Easy to adopt - allows existing applications to take advantage of IPSec services without modifications.
• Flexible rule-based security attribute and access control policy configurations
  - Allow combinations of IP addresses, subnet mask, ports, protocols and connection-based keying, security attribute configuration and packet filtering
  - Can be configured to filter both IPSec and clear-text packets
• Industry leading high-performance IPSec/VPN: crypto performance is optimized for the PA-RISC architecture.

Page 16

HP-UX IPSec/9000 Product Overview (Continued)

• End-to-end IPSec to distribute cryptographic computation cycles among multiple end systems.
• Secure and easy-to-use administration tools
• GUI based IPSec Policy Configuration Console
• IPSec Policy Defaults
• Diagnostic and Monitoring Tool
• Logging and audit trail for accountability and intrusion alerts
• Demonstrated multi-vendor interoperability at the ANX and IPSec standards bakeoffs.
• Both transport mode and tunnel mode are supported to facilitate flexible VPN scenarios.
• No cost.

Page 17

HP UX 11i Security Trusted Mode

(C2)

Page 18

Trusted Mode (C2) Extensions to Security beyond Standard UNIX

The Protected Password Database enables:

• System boot authentication
• Denial of encrypted password access by non-root users
• Extending maximum password length beyond eight characters
• Forcing all passwords to conform to minimum complexity requirements
• Preventing reuse of passwords once they've expired
• Establishing minimum and maximum password length requirements
• Creation of a unique Audit ID for every user
• Automatic user account expiration
• Account login restrictions (time of day, day of week)
• Account disabling after a number of failed login attempts
• Login device restrictions (by tty)

Trusted Mode also has a C2-compliant auditing system which audits system activity at the low 'system call' level.

Page 19

Common Data Security Architecture

Page 20

Thank You