
IT-Symposium 2007 18.04.2007

www.hp-user-society.de 1

© 2007 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

ProCurve Network Immunity

Hans-Jörg Elias

Key Account Manager

[email protected]

2

Agenda

• ProCurve Security Framework

• Network Immunity Solution Overview

• Network Immunity Features

• Network Behavioral Anomaly Detection

• Network Immunity User Interface


3

Network Security Framework


• Access Control—Prevents security breaches by controlling which users have access to systems and how they connect in a wired/wireless network

• Secure Infrastructure—Protection of network components, prevention of unauthorized overrides of mandated security provisions, and privacy measures

• Network Immunity—Defends the network from malicious attacks, monitors behavior, and applies security information intelligence

(Figure: ProActive Defense triangle with the three pillars Access Control, Network Immunity and Secure Infrastructure, built on the Adaptive EDGE Architecture and framed by Regulatory Compliance.)

ProActive Defense emphasizes a standards-based foundation

4

ProCurve ProActive Defense

The network contains valuable resources which require many types of access...all of which need to be secure

• Access Control proactively identifies and assesses users and devices connecting to the network

• Network Immunity provides defense by monitoring sensors throughout the network and responding to threats

• Command from the Center provides centralized control for the intelligent edge

(Figure: access levels Uncontrolled Access, Authenticated Access and Trusted Access; Command from the Center as integrated access and infrastructure management, with Policy, Control, Statistics, Alerts, Business Policy, Validation and Forensics.)


5

ProCurve Security Architecture

(Figure: three phases, each under Centralized Management)

• Prevent/Protect: before a security breach

• Detect: during a security breach

• Respond: mitigate a security breach

6

Network Immunity Solution

Overview

(Figure labels: Suspect Traffic, ProCurve Network Edge, Intrusion Detection by Third Party Security Devices, Intrusion Response, Edge Defense.)

ProCurve PCM v2.2 Plus w/NI Manager:

• Security Activity Dashboard

• Location based Policy Enforcement

• Built-in Network Behavior Anomaly Detection (NBAD)

• Alert Suppression

• Offender Tracking

• Security Heat Map

• Threat Mitigation

• Reporting

Third Party Security Devices (Intrusion Detection):

• Inline Prevention

• Passive Detection

• UTM

Edge Defense (Intrusion Response):

• Quarantine

• Bandwidth Rate limiting

• Attacker MAC lockout

• Attacker Port Shutdown

• Copy suspicious traffic to IDS

• Email Alert

• Notification


7

Network Immunity Terminology

• Network Behavioral Anomaly Detection (NBAD):

– Analysis is performed on traffic metrics such as those from sFlow, XRMON, and counters in ProCurve devices to detect internal threats

• Traffic Metrics:

– Consists of sFlow, XRMON and Port Statistics data compiled by the traffic manager within PCM v2.2

• False Positives:

– Valid network traffic that often looks like an anomaly to a network management product, for example like the activity of a virus or worm. ProCurve False Positive Avoidance (FPA) algorithms within the NBAD engine help NI Manager reduce false positives.

• Security Heat Map:

– Displays the number of security alerts for each device in the map

8

Network Immunity Terminology Continued

• Intrusion Detection System (IDS):

– An intrusion detection system is used to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.

• Intrusion Prevention System (IPS):

– An extension of intrusion detection (IDS) technology, but actually another form of access control, like an application layer firewall.

• Unified Threat Management (UTM):

– A term used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall.


9

Network Immunity Manager Overview Continued

• The core functionalities are Threat Detection, Threat Mitigation and Security Management

• The Network Immunity Manager requires PCM+ 2.2

• Bundled on the PCM+ 2.2 CD, the Network Immunity Manager is enabled with a separately purchased license key

• NI Manager is available free with PCM+ 2.2 for a 30-day trial period

10

NI Solution Components

The ProCurve Network Immunity Solution combines the following ProCurve products:

• ProCurve Manager Plus 2.2

• ProCurve Network Immunity Manager 1.0

• ProCurve switches from the intelligent switch series

Implemented together with third party UTM/IPS/IDS devices such as:

• Cisco IPS 4200 series (supported in May 2007)

• Fortinet UTM appliances (supported in June 2007)

• Sonicwall UTM products (supported in July 2007)


11

NI Manager Features

• Threat Detection

– Network Visibility

– Multiple Intrusion Detection Methods

– Offender Tracking

– Remote Monitoring

– Security Heat Map

• Threat Mitigation

– Internal threat detection

– Group Based Policy Enforcement

– Multiple Threat Mitigations

– Reduces False Positives

– Chain of Actions

– Wireless Support

12

NI Manager Features Continued

• Security Management

– Policy Management

– Security Event Aggregation and Suppression

– Security Dashboard

– Exempt List

– Configuration Cleanup

– Security Auditing

– Group Based Policy Enforcement

– ProCurve Manager Integration

– Reports


13

How NI Manager Works

(Figure: Security Management Lifecycle. Inputs are ProCurve wired and wireless devices with built-in NBAD and 3rd party security devices. Lifecycle stages shown: Network Discovery & Topology Mapping, Traffic Monitoring & Traffic Alerts, Threat Detection, Threat Mitigation (Edge Defense), Security Activity Reporting, Incident Investigation & Auditing, Policy Compliance Reports, Define Security Policy, Refine Policy.)

14

NBAD Overview

• Network behavior anomaly detection (NBAD) is the continuous monitoring of a network for unusual events or trends

• NBAD tracks critical network characteristics in real time and generates an alert if a strange event or trend is detected

– Analysis is performed on traffic metrics from ProCurve switches to detect internal threats

– Accepts attack alerts from Virus Throttle™ technology embedded in select ProCurve switches

– Accepts alerts from select 3rd party IDS/IPS/UTM security devices


15

How NBAD Works

16

How NBAD Works Continued


17

How NBAD Works Continued

18

NBAD Malicious Behavior Table

Behavior Name: Duplicate IP

Data Points: MAC Address, IP Address, Time Window

Violation: One IP appearing from more than one MAC within the specified time window.

Triggering Condition (Sensitivity: Time Window): 1 = 10 min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.

Behavior Name: Spoofed IP

Data Points: MAC Address, IP Address, Time Window

Violation: One MAC with more than one IP appearing within the specified time window.

Triggering Condition (Sensitivity: Time Window): 1 = 10 min., 2 = 15 min., 3 = 60 min., 4 = 3 hrs., 5 = 24 hrs.

Behavior Name: IP Fan-Out

Data Points: Source IP Address, Destination IP Address

Violation: One source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.

Triggering Condition (Sensitivity: Fan-Out Size): 1 = 259 IPs, 2 = 128, 3 = 96, 4 = 32, 5 = 3


19

NBAD Malicious Behavior Table Continued

Behavior Name: TCP/UDP Fan-Out

Data Points: Source IP Address, Destination TCP/UDP Ports (Per Destination IP Address)

Violation: One source IP communicating with X other ports on a given destination IP and/or one source IP communicating with a statistically unusual number of destination ports on a given destination IP in the specified time window.

Triggering Condition (Sensitivity: Fan-Out Size): 1 = 259 IPs, 2 = 128, 3 = 10, 4 = 5, 5 = 2

Behavior Name: Average Packet Size Deviation

Data Points: Host IP Address, Average Packet Payload Size In Bytes

Violation: Occurs when the engine detects a statistically unusual change in the average size of sent and/or received packets.

Triggering Condition: Triggers when the new average packet size is > 3 S.D. units away from the current average packet size.

Behavior Name: Protocol Anomaly

Data Points: Host IP Address, Host Packet Contents

Violation: Occurs when the host sends traffic containing unusual properties that would not normally be expected to occur on the network.

Triggering Condition: Any packet matching the approx. 30 anomalous behaviors defined for this engine immediately creates an event.

20

What NI Manager Detects

The Network Immunity Manager has been tested to detect the following:

• Protocol Anomalies

– Port scanning techniques:

  • Xmas Tree Scan – Sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set

  • NULL Scan – Turns off all flags, creating a lack of TCP flags

  • FIN Scan – The FIN scan's "stealth" frames are unusual because they are sent to a device without first going through the normal TCP handshake

– Denial of Service:

  • UDP Bomb – An illegal User Datagram Protocol (UDP) packet that is sent to a device

  • Land Attack – An attack involving IP packets where the source and destination address are set to address the same device

  • Ping of Death – Sends a malformed or otherwise malicious ping to a computer
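The flag-based items in the list above (Xmas Tree, NULL and FIN scans, plus the Land attack) are simple enough to express as a stateful classifier, which is what a protocol-anomaly engine does on the detection side. This is an added example, not ProCurve code and not the real engine's rule set: the label names, the SYN-tracked connection table used to tell a FIN probe from a legitimate close, and the packet records are my constructions; UDP Bomb and Ping of Death need payload-length checks and are not covered here.

```python
"""Flag-based protocol-anomaly classifier for the scans and the Land attack
named on the slide (added example, not ProCurve code). Packet records are
constructed; labels and the SYN-tracked connection table are my design."""
from dataclasses import dataclass

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"


@dataclass(frozen=True)
class Packet:
    """TCP header fields a sensor needs for these rules (constructed record)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {SYN, ACK, FIN, RST, PSH, URG}


def classify(pkt, connections):
    """Return an anomaly label for one packet, or None for ordinary traffic.

    `connections` holds 4-tuples for which a SYN has been seen, in both
    directions; it is updated here so a FIN on a known connection is not flagged."""
    if pkt.src == pkt.dst:
        return "land"                       # Land attack: source == destination
    if not pkt.flags:
        return "null-scan"                  # no TCP flags at all
    if pkt.flags == frozenset({URG, PSH, FIN}):
        return "xmas-scan"                  # URG+PUSH+FIN lit up together
    if pkt.flags == frozenset({FIN}) and \
            (pkt.src, pkt.sport, pkt.dst, pkt.dport) not in connections:
        return "fin-scan"                   # FIN with no preceding handshake
    if SYN in pkt.flags:
        connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
    return None


def classify_stream(packets):
    """Classify packets in order; returns (index, label) for each anomaly."""
    connections = set()
    findings = []
    for i, pkt in enumerate(packets):
        label = classify(pkt, connections)
        if label:
            findings.append((i, label))
    return findings


def _p(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


# Constructed capture: one normal HTTP session (SYN, SYN/ACK, ACK, FIN), then
# three probes from a second host and one Land packet.
SAMPLE_PACKETS = [
    _p("10.0.0.2", 40000, "10.0.0.10", 80, SYN),
    _p("10.0.0.10", 80, "10.0.0.2", 40000, SYN, ACK),
    _p("10.0.0.2", 40000, "10.0.0.10", 80, ACK),
    _p("10.0.0.2", 40000, "10.0.0.10", 80, FIN),             # legitimate close
    _p("10.0.0.3", 55555, "10.0.0.10", 22, FIN),             # FIN probe, no handshake
    _p("10.0.0.3", 55555, "10.0.0.10", 23),                  # NULL probe
    _p("10.0.0.3", 55555, "10.0.0.10", 25, URG, PSH, FIN),   # Xmas probe
    _p("10.0.0.10", 80, "10.0.0.10", 80, SYN),               # Land packet
]

if __name__ == "__main__":
    for idx, label in classify_stream(SAMPLE_PACKETS):
        print(idx, label, SAMPLE_PACKETS[idx])
```

The connection table is the part that matters operationally: without it every FIN from a long-lived session whose SYN predates the sensor's start would be reported as a FIN scan, so a real deployment either primes the table from existing state or only counts FIN probes that hit several ports, which is the kind of correlation the NI offender-tracking and alert-suppression features exist for.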


21

What NI Manager Detects Continued

• Reconnaissance before an attack – Tools:

– Nessus

– NMAP

– Port Scanners and Ping tools

• Network Based attacks – Tested to detect:

– DNS Tunneling

– Unauthorized Network Mapping

– IP Spoofing

– Various Worm Propagation techniques

• Anomalous Packet Size – Designed to inform NI to:

– Sample suspicious traffic

– Detect some covert channels

• Mis-Configured devices – Tested to detect:

– Duplicate IPs

– Rogue Routers

– Rogue Proxies

22

NI Manager Device Support Matrix

(Figure: per-device table of the mitigation actions NI can take on a switch/AP, with columns Reconfigure VLAN, Rate Limit, MAC Lockout, Port Shutdown, Basic Local Mirror and Intelligent Remote Mirror, and of switch/AP detection capabilities, with columns VT and sFlow/XRMon. The check-mark matrix is not reproduced here; only the device rows are listed.)

Devices: 7000 WAN Router; 4200; 5400 WESM (est. May 2007); 5300 WESM (est. May 2007); 2510; 530 Access Point (est. June 2007); 2900; 8100; 6400; 2800, 2810; 3400/5300; 1600/2400/4000/8000; 4100, 6100; 2626, 2650, 2608; 2524, 2512; 9300/9400; 3500/5400/6200


23

Configuration Rules:

1. Users should configure only one Policy Control (IDM or NI) for any Policy Action

2. If User configures both IDM and NI to control the same Policy Action, IDM Policy takes precedence (NI action will not be taken, but conflict will be logged)

Range of IDM/NI Policy Actions

IDM Policy Actions: Block User, VLAN, Rate Limit, QoS, ACL

Network Immunity Policy Actions: Port Shutdown, MAC Lockout, VLAN, Rate Limit

24

Creating A NI Policy

(Screenshot: policy editor with numbered steps 1, 2 and 3 across the Policies, Alerts and Actions panes.)


25

Configuring Policy Times

26

Configuring Policy Locations


27

Configuring Policy Targets

28

Creating Policy Alert


29

Assigning Policy Action

30

Viewing Policies


31

Viewing Policy History

32

Viewing Events


33

Viewing Alternate Action

34

Network Immunity Dashboard


35

NI Security Activity Tab

36

NI Security Activity Tab Offenders


37

NI Heat Map

Mapping by Severity

Total Security Alerts by Severity:

• Critical

• Major

• Minor

• Warning

38

Regulatory Compliance Assistance

• Built-in comprehensive reports provide immediate visibility and assistance with regulatory compliance (available July 2007)

• ProCurve Manager Plus Reports

– Device Security History Report

– Device Access Security Report

– Port Access Security Report

– Password Policy Compliance

– Current Credentials Report

• Network Immunity Manager Reports

– Security Policy Action Report

– Security Events History Report

– Security Heat Map Report

– Offenders Tracking Report

• Identity Driven Manager Reports

– User Unsuccessful Login Report

– User Session History

– User MAC Address Report

• For a full list of reports planned for availability in Summer 2007, please refer to the ProCurve Network Immunity Manager Solutions Guide.


39

Summary of Key Features

• ProCurve Network Immunity Manager v1.0 provides:

– An affordable, scalable, and easily manageable solution delivering per-port intrusion detection

– Responses to stop malicious network traffic at the EDGE of both the wired and wireless networks

– Allows users to define policies, collect security events, monitor threats and automate mitigations