Security Management System SMS Updates - PowerPoint PPT Presentation

Description:

Security Management System (SMS) - Updates. Mohamed Helmy, CISM , CISSP, ITIL ... Retrieve, upload and distribute profiles. Quarantine / unquarantine hosts ... – PowerPoint PPT presentation

Slides: 30
Provided by: robert362

Transcript and Presenter's Notes

1
Security Management System (SMS) - Updates
  • Mohamed Helmy, CISM, CISSP, ITIL
  • Technical Manager - KSA, Egypt and Levant

2
  • Agenda
  • SMS Overview
  • Understanding the Problem
  • How SMS Solves the Problem
  • SMS New Features.
  • SMS Policy.
  • SMS High Availability.
  • SMS Reports

3
Security Management System
  • Easy Installation and on-going Management
  • Shipped with recommended settings
  • No false positive tuning
  • Set and forget policy enforcement
  • Extremely Scalable
  • Granular, enterprise-wide policy management
  • Per segment policy
  • Per VLAN policy
  • Directional policy (per port)
  • Per device policy
  • Automated Reports
  • Provide compliance audit reporting details

4
Understanding the Problem
  • SMS allows customers to control, monitor, and
    report on their enterprise security status in a
    single appliance
  • Asset Clarification and Inventory.
  • Risks Identification.
  • Improve Operational Security
  • Vulnerability Remediation and Incident Response
  • Reinforce company configuration policies with
    owners
  • Segregation of Duties
  • Track Record of Improvement

5
How SMS Solves the Problem
6
SMS New Features.
  • Dynamic flexible security policy Deployment.
  • Quarantine Deployments Ease of Use
  • Deeper IPS Management
  • API Overview

7
Dynamic Flexible Security Policy Deployment
Now you can decide which policies are active
during the times they make sense. Policies can
also be triggered by external systems.
8
Quarantine Deployments Ease of Use
RADIUS is no longer needed for switch actions;
switch discovery is new; any web API can be
invoked
9
Deeper IPS Management
Detailed graphs with real time update, data copy
for all critical IPS metrics
10
API Implementation
  • API allows interaction between the SMS and a 3rd
    party system
  • Implemented as servlets
  • Accessed via the SMS web server
  • Three major functional areas
  • Retrieve data tables and event data
  • Retrieve, upload and distribute profiles
  • Quarantine / unquarantine hosts

11
Data Retrieval Use Cases
  • Long term storage of event data
  • When 30 million rows are not enough
  • Custom reporting
  • Combine event information from multiple SMS
  • Although progress is being made here
  • Integration to SIM tools
  • Remote SYSLOG is typically used, but that is a
    push model
  • Subject to the strengths and limitations of UDP
  • SMS API is a pull model, uses TCP
  • Data may be required for other uses
  • Dynamic profile creation

12
Profile Management Use Cases
  • Sharing profiles between SMS
  • May be done manually using the SMS client
  • Distributing a profile
  • Time of day
  • Response to an external event
  • Distribute Lockdown Profile in an emergency
  • Updating and distributing a profile based on
    vulnerability scan results
  • Merging one or more profiles
  • MOM functionality
  • Specific customer needs

13
Localizing Reports
  • Translate the text after the
  • Example
  • Translate the text Severity to the French
  • This entry
  • report.severitySeverity
  • becomes
  • report.severitySévérité

14
SMS Policy
15
Categories
16
Flow of Traffic
17
SMS's Policy by Direction
  • Policy by direction
  • SMS's solution: Profile by direction
  • Each direction of the segment can be in different
    segment groups (or the same)

18
Network Configuration View
Physical Segments with Direction
Virtual Segments with Direction
19
Simplify for the customer
  • Any-Any segment in a segment group called Unused
    Segments
  • Place the four physical segments in two segment
    groups A?B A?B
  • Distribute a noisy profile for IP addresses
    they can control
  • Distribute a silent but protective profile to
    the other direction

20
Segment Groups
  • Segment Groups are your FRIEND
  • Group the segments logically
  • One-offs are very hard to manage; create a
    separate segment group for those and distribute
    individually to the segments.
  • Events are designed to fully use the power of
    Segment Groups

21
SMS and data retention
22
SMS - HA
  • High Availability
  • Reduce Fail Over conditions
  • Greatly increase HA situation awareness
  • Give some Synchronization options
  • Synchronization Timing
  • Failover Awareness techniques.
  • - Allow shutdown reboot
  • - Conditional Failover.

23
High Availability Reduced Failover
  • Reduced failover
  • - Allow shutdown reboot
  • - Software failures are now detected and
    mitigated, and will not trigger a failover
  • - Communications timeouts increased 50

24
HA - Config
25
Solution Ecosystem
SEM / SIM Vendors
Integration by Syslog, SNMP, eMail, API
Remediation
NBA
26
SMS Reports
27
Events Interface
Search conditions shown in pull down menus.
New Aggregation and sort options for events view
28
TP Report Config Options
29
Reports Available
30
Reports
Different report formats: PDF, CSV, HTML, XML
Action sets: Block, Block and alert, Permit and
alert, Permit and Rate Limit, Packet Trace,
and/or email notify.

31
Solving the Problem
  • SMS allows customers to control, monitor, and
    report on their enterprise security status in a
    single appliance
  • Asset Clarification and Inventory.
  • Risks Identification.
  • Improve Operational Security
  • Vulnerability Remediation and Incident Response
  • Reinforce company configuration policies with
    owners
  • Segregation of Duties
  • Track Record of Improvement

32
Thank you
  • Mohamed Helmy, CISM, CISSP, ITIL
  • Technical Manager - KSA, Egypt and Levant
  • mhelmy_at_tippingpoint.com