
Full Transcript


Lesson 2: Portfolio Overview

Lesson Objectives:
After completing this lesson, participants will be able to:
- Identify the TippingPoint inspection device platforms
- Describe the features and functionalities of the SMS
- Explain the complete TippingPoint solution
- Discuss common deployment scenarios

Inspection Devices Overview

Inspection Device Background

Threat Protection Systems (TPS) and Intrusion Prevention Systems (IPS) take the “idea” of an IDS and move it into the realm of controlling traffic. Whereas an IDS can only alert on bad or malicious traffic, a TPS (since it is in-line) can block attacks and keep them from ever traversing the inspection device. Because of its in-line nature, it needs to perform with speed, reliability and performance. It’s the ultimate marriage of the traditionally speedy network device and the traditionally slow security device into one fast networking and security device.

False positives are considered a negative, because now we are in-line. Whereas an IDS can generate spurious “False-positive” alerts and not block the traffic, we have to be very sure when we block traffic.

Flexible Architecture is important so we can continue to leapfrog the security threats and continue to improve our filter set over time. We’ve added VoIP, Spyware, Peer to Peer, and Phishing filters over time by utilizing the flexible engine within the IPS.

We have arguably the best management tool and the most comprehensive recommended settings in the industry to allow for ease of setup and ongoing security profile configuration.

© 2022 Trend Micro Inc. Education

Centralized Management Experience

With TippingPoint in the cloud, not only will you save time from learning or configuring a new management console, but you can also protect your existing investment. You’ll get to do IPS in the cloud, the same way you do it on premise today.
Here’s how:
- You can use the same SMS to manage both cloud and on premise protection - one view, one system to learn and manage.
- Save time by bringing existing IPS profiles to the cloud - we know that you’ve invested a lot of time in designing and deploying your profiles - you can now deploy these to the cloud (avoid reconfiguration!), to enjoy consistency across the network, OR you can choose to modify or create new ones - whatever works best to meet your business needs.
- Trend Micro will also offer flexible procurement to preserve your investment in existing TippingPoint and hardware licensing, including a Bring Your Own License approach.

8X00TX Platform Front Overview

The TippingPoint 8200TX and 8400TX are the newest members of the Threat Protection System family. The 8200TX delivers an unprecedented 40 Gbps of inline inspection throughput in a 1U form factor, making Trend Micro the first to deliver this level of performance in a small physical footprint. The 8200TX can also be stacked to deliver up to 120 Gbps inspection throughput. The 8400TX is available as a 2U device for customers who require higher port density.

Both the 8200TX and 8400TX have on-box SSL inspection and now include URL reputation and the enforcement of user-added malicious URL entries. With Advanced Threat Analysis, these solutions further integrate with Deep Discovery to immediately forward suspicious objects, including URLs, to be analyzed and remedied. Both solutions also leverage a flexible licensing model.

8X00TX Platform Rear Overview

1100/5500TX Platform Front Overview

1100TX/5500TX Platform Rear Overview

2200T Mechanical Overview

440T Mechanical Overview
NX Platform Mechanical Overview

The NX Platform can support up to 24 segments of 1GbE, 16 segments of 10GbE, or 4 segments of 40GbE. NX chassis populated with 4 of the SFP+ NX I/O modules can achieve inspection of up to 16 segments of 10GbE, or a combination of 1GbE, 10GbE, and 40GbE segments. Supports up to 4 hot-swappable I/O modules.

Standard I/O Modules

Every NX chassis supports up to 4 hot-swappable I/O modules.

Supported Transceivers
- 1G SFP LC LX Transceiver Bundle (2 pieces)
- 1G SFP LC SX Transceiver Bundle (2 pieces)
- 1G SFP RJ45 T Copper Transceiver
- 10G SFP+ LC SR Transceiver
- 10G SFP+ LC LR Transceiver
- 40G QSFP+ SR4 850nm Transceiver

Note: 5500TX devices do not support ANY 40 Gbps modules.

Bypass I/O Modules

Bypass I/O modules are zero-power high-availability (ZPHA) modules that permit network traffic and services while bypassing the IPS entirely when the IPS loses power.

Bypass Modules
- 4-Segment Gig-T Copper
- 2-segment 1G Fiber SR
- 2-segment 1G Fiber LR
- 2-segment 10G Fiber SR
- 2-segment 10G Fiber LR
- 1-Segment 40G Fiber SR
- 1-Segment 40G Fiber LR

Note: 40G bypass module is only supported in TX devices.

vTPS Platform

Normal Mode | Performance Mode
Minimum two vCPUs (Max three vCPUs) | Six vCPUs (default)
8 GB Memory | 16 GB Memory
16GB Disk Space
250 Mbps/500 Mbps/1 Gbps/2 Gbps
SSL Inspection Not Supported | Supports SSL Inspection

Cloud One Network Security

Trend Micro Cloud Network Protection, powered by TippingPoint, is a powerful transparent security solution that allows enterprises to extend their existing TippingPoint network protection to their hybrid cloud environments including:
- virtual patching
- vulnerabilities shielding
- exploit blocking
- zero-day attacks defense

Leverage AWS Transit Gateway without disruption to the network
SMS Manager Feature Overview
- Global security device configuration and monitoring
- Flexible network security policy management shared across TippingPoint devices
- Simplify and automate advanced and external actions with Active Responder
- Manage URL reputation feed with support for enforcement of user-provided malicious URL entries with full API management
- Enterprise Vulnerability Remediation (eVR) maps vulnerabilities to Digital Vaccine threat intelligence and remediates discovered vulnerabilities with a virtual patch
- Detect and block network traffic bi-directionally based on geographic region or country
- Centralized certificate repository for the SMS and managed TippingPoint devices with on-box SSL inspection enabled
- Active Directory (AD) integration provides network user context and reporting
- Advanced reporting and trend analysis of security events and network usage
- SMS Threat Insights prioritizes incident response measures and provides visibility into correlated threat data
- Centralized security feed management for Digital Vaccine® and Threat Digital Vaccine (ThreatDV) service
- Submit potential threats identified by TippingPoint to a sandbox for advanced threat analysis and automated blocking
- Visualization of all network traffic when combined with latest generation TippingPoint solutions
- Integrate with SIEM, breach detection, and other third-party security solutions
What’s New in SMS 5.5
- Trend Micro Vision One Integration (send Suspicious Objects to SMS)
  - Leverage the security and analytics and intelligence of Vision One - import Response Actions via Trend Micro’s Service Gateway and automatically respond to discovered Suspicious Objects via the SMS’s existing Reputation feature
- Licensed throughput utilization visibility
  - Provides graphs, statistics, and alerts that demonstrate how much of the Inspection License is consumed
- SMB and TLS (non-decrypt) performance improvements
  - TPS appliances can now differentiate between SMB1 and SMB2/3 traffic
  - SMB filters will NOT inspect SMB2/3 traffic, removing the need for SMB Bypass performance mitigations.
  - TPS 8x00TX can now use a Trust Action Set for TLS traffic not being decrypted, removing the need for TLS Bypass performance mitigations.

SMS 5.4 Highlighted Features
- TOS 5.4 - Real-time threat protection for inbound server SSL traffic and outbound client SSL traffic
- TOS 5.4 - Support for TLS v1.3
  - Support for six new cipher suites specific to TLS v1.3
- SMS 5.4 - Real-time threat protection for outbound SSL traffic
- SMS 5.4 - Supports TLS v1.3 in FIPS mode
  - Client communication (ports 9003 and 10042)
  - TMC connections
  - Device connections
  - LDAP connections

SMS 5.3 Highlighted Features

The Filters for Review interface of the SMS web management console provides operational, security, and performance contexts so you can make strategic changes to your security policy according to filter factors relevant to the policy.

With the Server Name Indication (SNI) protocol extension, the SMS can now accept multiple certificates and keys from a single SSL server. This enables the server to safely host multiple TLS/SSL certificates (up to 1000 per device) for multiple sites under a single IP.
The SMS now supports TLSv1.2 in FIPS mode for the following:
- SMS Client communication (ports 9003 and 10042)
- TMC connections
- Device connections
- LDAP connections

The number of supported ciphers for SSL inspection has increased from 11 to 14. The following three cipher suites are now supported:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

The SMS now sends an SNMP trap to the network management console with information on which profile, DV, or other object had a distribution failure.

Recurring DV and profile distribution schedules and history now include a time zone so the time displayed is unambiguous. The time zone displayed matches the SMS client.

Prioritizing Vulnerabilities with Policy Workflow

Addressing High Security Risks with Policy Workflow

Virtual SMS Download

Deployment Scenarios

Element Management

TippingPoint management is highly regarded in the industry, with one of the strongest features being the easy-to-use SMS. Let’s look at the TippingPoint solution starting at the bottom and building up.

First we have the IPS and/or TPS devices. The devices connect to the network and monitor traffic and take action based on the rules created by the administrator. The devices can be managed via the CLI, LSM, or SMS. We will discuss SMS management shortly but for now let’s focus on the CLI and LSM.

The CLI is accessed via a Console connection, SSH or Telnet, with Telnet being disabled by default. Accessing the device through the CLI requires a keyboard, monitor, and Console cable. The LSM is a GUI interface accessed via HTTP and HTTPS, which is the default. To do so, open a web browser and point it to the IP address of the IPS and log in. Management for both CLI and Web allows for 1 to 1 management.
An SMS device is not required but is recommended for managing devices. Initial setup of the SMS will be discussed in a later. A Java-based client can be downloaded from the SMS to a computer for management, which then allows for device management once logged in. An IPS device can then be imported into the SMS and managed through the SMS client. It is recommended that you configure the DNS and Gateway so that updates can be simplified from the Threat Management Center (TMC).

The TMC (Threat Management Center) is how you stay up to date with the latest security for your device(s). New filters are continuously fed to the device to keep it up-to-date against the latest vulnerabilities. Each filter can be thought of as a Virtual Software Patch that is created within the network to protect downstream hosts from attack. Any malicious traffic intended to exploit a particular vulnerability is immediately detected and blocked. The solution is highly scalable in that the intrusion prevention system can protect thousands of unpatched systems with a single virtual patch.

TippingPoint's expertise is recognized worldwide: 300,000 administrators, executives, and security professionals subscribe to the SANS @RISK report, which is authored by TippingPoint security analysts. The same analysis feeds our Digital Vaccine filter developers to prioritize how best to protect our customers. New Digital Vaccines are typically released on a weekly basis, but are turned in a matter of hours in emergency situations. The speed with which we deliver new filters makes this a powerful weapon in the patch race.

TMC provides updates to SMS, TOS, DV and ThreatDV. These may be downloaded by the SMS and pushed down to IPS devices.

Basic Deployment Scenario

Common Deployments

Hands-on Labs

Lab 2: Access the Lab Environment

Estimated time to complete this lab: 30 minutes
