IBM Security XGS and network access control

Explore the who, what, and when aspects of intrusion prevention through an ACL policy

Discover the basics of the IBM Security Next Generation Intrusion Prevention System (NGIPS) XGS 5100 appliance, and learn how it uses a Network Access Control (NAC) policy, a type of Access Control List policy that helps administrators decide what to do when potentially threatening traffic has been detected. Explore NAC rules, deployment parameters, and object definitions, and examine a simple, conceptual, high-level information flow model that consists of three major elements: who, what, and when.


Antonio Buffa (abuffa@us.ibm.com), Threat Management Enablement Instructor, IBM

Antonio Buffa is a certified industry expert with more than 20 years of experience in full lifecycle network infrastructure planning, deployment, and maintenance. His background as a network engineer affords him extensive knowledge of disparate protocol stacks, from high-level understanding to the functional application of concepts. He currently holds a Technical Enablement Instructor position within IBM Security Systems, developing and delivering training designed for enterprise-grade infrastructure security products. He is an accomplished speaker and throughout his career has demonstrated a keen ability to foster relationships with IT operations personnel at all levels of expertise.



17 September 2013

Figure 1. XGS 5100 appliance

The IBM Security Next Generation Intrusion Prevention System (NGIPS) XGS 5100 appliance is an answer to two security industry needs:

  • Security products become obsolete because they do not inspect the data payload of network packets.
  • Security products are ineffective because they lack the fine-grained intelligence needed to distinguish different types of traffic and therefore cannot enforce business policies.

Modern network activity is rapidly transitioning to web-based protocols, chiefly HTTP/HTTPS traffic that carries legitimate business applications, non-business applications, and attacks alike; this, in turn, accelerates the demand for a product that addresses both needs.

At the core of the XGS appliance is the central, all-encompassing function of NGIPS: the Network Access Control policy. NAC is an Access Control List (ACL) policy that administrators and security analysts use to determine the action to take when "interesting" traffic is detected. By "interesting," I mean potentially dangerous traffic.

NAC rules, their deployment parameters, and object definitions should be designed following a simple, conceptual, high-level information flow model that consists of three major stages or elements:

  • Who
  • What
  • When

Let's examine these elements more closely.

Who: Objects to distinguish identity

The Who concept defines objects created to distinguish identities. In the past, only traditional TCP/IP socket information (source and destination address and port) identified the endpoints of a connection. The XGS can additionally associate locally and remotely authenticated user accounts with the properties of their network traffic.

Local authentication is achieved by creating and managing users and groups in the Logical Management Interface. When traffic that a NAC rule defines as interesting is identified, the XGS can trigger NAC alert objects: email, SNMP, or remote syslog. The remote syslog alert has an option that, when enabled, emits the alert in Log Event Extended Format (LEEF), the format that IBM Security QRadar SIEM ingests natively, so NAC activity can be correlated with other event sources when investigating advanced persistent threats.
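The LEEF alerts mentioned above are plain syslog lines with a pipe-separated header followed by delimited key=value attributes. The parser below is an added example, not IBM code and not the XGS's own output: the three sample lines are constructed, the vendor and product names are placeholders, and the attribute names it reads (src, dst, usrName, action, cat, msg) are assumptions rather than the appliance's actual field names. It shows the parts of the format a SIEM or a home-grown collector has to get right: skipping the syslog prefix, the extra delimiter field in LEEF 2.0 (literal character or xHH hex), and the backslash escapes for "|" and "=".

```python
"""Parse LEEF (Log Event Extended Format) alerts as received over remote syslog.

Added example, not IBM code.  The sample lines are constructed, and the
attribute names used (src, dst, usrName, action, cat, msg) are assumptions,
not the XGS's actual field names."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a LEEF 1.0 line (tab-delimited attributes), a LEEF 2.0 line
# that declares the tab delimiter as hex (x09), and a LEEF 2.0 line that uses a
# literal '^' delimiter and carries an escaped '=' inside a value.
SAMPLE_LOG = (
    "<134>Sep 17 10:15:02 ips-lab LEEF:1.0|ExampleVendor|ExampleIPS|1.0|NAC Rule Fired|"
    "devTime=Sep 17 2013 10:15:02\tsrc=10.1.1.25\tdst=203.0.113.9\tsrcPort=51523\t"
    "dstPort=443\tproto=TCP\tusrName=alice\taction=Drop\tcat=NAC\n"
    "<134>Sep 17 10:15:07 ips-lab LEEF:2.0|ExampleVendor|ExampleIPS|1.0|NAC Rule Fired|x09|"
    "src=10.1.1.77\tdst=198.51.100.4\tdstPort=80\tproto=TCP\tusrName=unauthenticated\t"
    "action=Authenticate Reject\tcat=NAC\n"
    "<134>Sep 17 10:16:40 ips-lab LEEF:2.0|ExampleVendor|ExampleIPS|1.0|IPS Signature|^|"
    "src=192.0.2.8^dst=10.1.1.25^dstPort=445^proto=TCP^sev=7^cat=IPS^msg=query\\=1\n"
)

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")   # header separator: '|' unless written '\|'
_UNESCAPED_EQ = re.compile(r"(?<!\\)=")      # key/value separator: '=' unless written '\='


@dataclass
class LeefEvent:
    version: str            # "1.0" or "2.0"
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


def _unescape(text: str) -> str:
    return text.replace("\\|", "|").replace("\\=", "=")


def _delimiter(token: str) -> str:
    """LEEF 2.0 carries the attribute delimiter in the header, either as a
    single literal character or as xHH hex (x09 is a tab)."""
    if len(token) == 1:
        return token
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", token):
        return chr(int(token[1:], 16))
    raise ValueError(f"invalid LEEF delimiter {token!r}")


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line; the PRI, timestamp and host before 'LEEF:' are skipped."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    body = line[start:].rstrip("\r\n")
    version = body[len("LEEF:"):body.index("|")]
    header_fields = 6 if version == "2.0" else 5      # 2.0 adds the delimiter field
    parts = _UNESCAPED_PIPE.split(body, maxsplit=header_fields)
    parts += [""] * (header_fields + 1 - len(parts))  # tolerate a line with no attributes
    _, vendor, product, product_version, event_id = (_unescape(p) for p in parts[:5])
    delim = _delimiter(parts[5]) if version == "2.0" else "\t"
    attrs = {}
    for item in parts[header_fields].split(delim):
        if not item:
            continue
        key, *rest = _UNESCAPED_EQ.split(item, maxsplit=1)
        attrs[_unescape(key)] = _unescape(rest[0]) if rest else ""
    return LeefEvent(version, vendor, product, product_version, event_id, attrs)


def parse_log(text: str) -> list:
    return [parse_leef(line) for line in text.splitlines() if line.strip()]


def count_by(events, key: str) -> dict:
    """Tally events by one attribute; '-' stands for events that lack it."""
    return dict(Counter(e.attrs.get(key, "-") for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.event_id, e.attrs.get("usrName", "-"), e.attrs.get("action", "-"))
    print(count_by(evs, "action"))
```

The header is split with a bounded number of splits so that a pipe inside an attribute value cannot shift the fields; attribute parsing then only trusts the delimiter the header declared. Anything that fails these checks raises rather than silently producing a half-parsed event.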

Each enabled NAC rule must have one of the following general actions selected:

  • Accept
  • Reject
  • Drop
  • Authenticate Reject

As with any ACL, the difference between Drop and Reject is whether the endpoints are told: a dropped packet is discarded silently, whereas a reject actively refuses the connection so the client fails immediately instead of waiting for a timeout. Choose Drop where you would rather not reveal the filter, and Reject where users should get a clean, fast failure.


The Authenticate Reject action lets the security analyst redirect an unauthenticated user to a local authentication portal served by the appliance, which actively prompts for credentials. When the Remote Directory Servers policy is used, the XGS portal can validate those credentials against LDAP and Active Directory objects.

A newer feature allows existing Active Directory domain controllers with the Tivoli Logon Event Scanner (TLES) product installed to post already-authenticated (passive authentication) user account information to the XGS appliance, so users who have logged on to the domain are identified without being prompted again. TLES is available at no charge to XGS customers. Keep in mind that a passive mapping binds an identity to an address, not to a person: addresses behind NAT or shared by several sessions (terminal servers, for instance) should not be treated as strongly authenticated when writing NAC rules.

Note that "unauthenticated user" is itself an identity, and NAC rules can use it to match any source that has neither been predefined nor previously authenticated. A machine whose IP address is reaching the Internet for the first time falls into this category.


What: Data the application layer payload contains

The next-generation capabilities of the XGS are reinforced in the What concept. The appliance can inspect and interpret the data that the application layer payload contains and apply access control decisions to it.

The XGS employs a proprietary Intrusion Prevention System engine known as the Protocol Analysis Module (PAM), developed and maintained by the X-Force group. The PAM signature base can be organized into multiple customized sets of protection policies (IPS Objects), each applied to individual NAC rules, which gives the security analyst the ability to deploy different signature selections against the specific, object-defined interesting traffic that each rule selects for inspection.

Each IPS Objects policy can be configured to trigger a response, creating a security alert when any of its enabled signatures fires. Responses include the same alert types defined for NAC rule firings (email, SNMP, and remote syslog), plus the option of capturing packets, either the single offending packet or the entire connection. Together with the generated security and network access alerts, these packet captures contain the essential evidence a security analyst needs for forensic and troubleshooting analysis.

In addition to PAM, when inspecting the application data of traffic selected by NAC rules, the XGS takes advantage of a proprietary, versatile Deep Content Analysis (DCA) engine that relies on three databases maintained by the IBM Security Kassel group:

  • URL Category, to apply web-filtering decisions based on URL categorization
  • Web Application, for granular application control
  • IP Reputation, for anti-spam efforts


The DCA engine helps the security analyst make decisions and create NAC rules on What-type application control actions (for example, the write, post, or read actions of a blog application) that an identified entity (Who) is allowed to perform. Standard URL filtering methods can also be applied.

Inspected traffic characteristics are captured as flow data using the IPFIX standard (IP Flow Information Export). The data can be stored and graphed locally or posted to a remote flow collector such as the IBM Security QRadar SIEM. The IPFIX flow data is sent to the SIEM over UDP, which is unacknowledged and unencrypted: records can be lost silently under load and can be read or spoofed on the path, so keep the export path on a management network and have the collector watch for gaps in the IPFIX message sequence numbers.

The collected flow data can be used to establish a baseline of acceptable bandwidth consumption per user or group, so that traffic anomalies can be detected. Extensive charting options are also available to display the locally stored flow data by various combinations of time, identity, and application.
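The baseline idea in the paragraph above, worked through on constructed data as an added example (not IBM code, and not the XGS's or QRadar's own anomaly logic): flow records, reduced here to (epoch seconds, user, byte count) tuples rather than real IPFIX records, are summed per user per five-minute interval, a mean and standard deviation are learned from a quiet training window, and later intervals are flagged when they sit well above that baseline. It also handles the cases that make a naive implementation noisy: a user with too little history, a flat history whose standard deviation is near zero, and an identity that has never been seen before.

```python
"""Per-user bandwidth baseline from exported flow records, then anomaly flags.

Added example, not IBM code.  The records are constructed tuples of
(epoch_seconds, user, byte_count); the XGS/IPFIX export format is not modelled."""
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 300                # seconds per bucket
T0 = 1_379_412_000            # constructed start time for the training window


def bucketize(records, interval=INTERVAL):
    """Sum bytes per user per interval: {user: {bucket_start: bytes}}."""
    out = defaultdict(lambda: defaultdict(int))
    for ts, user, nbytes in records:
        out[user][(ts // interval) * interval] += nbytes
    return out


def build_baseline(training, min_samples=5, interval=INTERVAL):
    """Per-user (mean, stdev) of bytes per interval.  A user with too few
    intervals gets no baseline rather than a misleading one, and a near-zero
    stdev is floored to 10% of the mean so a flat history does not flag every
    small fluctuation."""
    base = {}
    for user, buckets in bucketize(training, interval).items():
        vals = list(buckets.values())
        if len(vals) < min_samples:
            continue
        mu = mean(vals)
        base[user] = (mu, max(pstdev(vals), 0.1 * mu))
    return base


def detect(records, base, z=3.0, interval=INTERVAL):
    """Flag intervals more than z standard deviations above the user's mean,
    and any user who has no baseline at all (a new identity on the network)."""
    findings = []
    for user, buckets in bucketize(records, interval).items():
        for start, nbytes in sorted(buckets.items()):
            if user not in base:
                findings.append((user, start, nbytes, "no baseline"))
                continue
            mu, sd = base[user]
            score = (nbytes - mu) / sd
            if score > z:
                findings.append((user, start, nbytes, f"z={score:.1f}"))
    return findings


def constructed_training():
    """Twelve quiet intervals: alice around 2 MB, bob around 430 KB."""
    recs = []
    for i in range(12):
        recs.append((T0 + i * INTERVAL + 10, "alice", 2_000_000 + 50_000 * (i % 3)))
        recs.append((T0 + i * INTERVAL + 20, "bob", 400_000 + 20_000 * (i % 4)))
    return recs


def constructed_window():
    """The next intervals: alice normal, bob moving 50 MB, carol never seen before."""
    t1 = T0 + 12 * INTERVAL
    return [(t1 + 5, "alice", 2_400_000), (t1 + 30, "bob", 50_000_000),
            (t1 + 60, "carol", 100_000), (t1 + INTERVAL + 5, "alice", 2_100_000)]


if __name__ == "__main__":
    for finding in detect(constructed_window(), build_baseline(constructed_training())):
        print(finding)
```

Because the export runs over UDP, records dropped on the way to the collector bias the learned means downward and can make a normal interval look high; a training window taken while the export path was lossy should be discarded rather than trusted.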

A newer feature that sets the XGS apart from the competition, and further deepens the What concept, is the ability to inspect outbound encrypted payloads: Base64 PEM-encoded RSA keys and certificates can be loaded onto the appliance so that it can decrypt sessions initiated from inside the network. Any private key loaded for this purpose is a copy of a secret that is normally held only by its owner, so access to the appliance's key store and its backups must be controlled as tightly as access to the original key, and the scope of decryption should exclude traffic with regulatory or privacy constraints.

An additional policy provides greater control by optionally blocking connections (separately from any NAC rule action) based on the following certificate properties: validity, expiration, whether the certificate is self-signed, and whether it was issued by a Certificate Authority that appears on a block list.


When: Scheduling to define time boundaries


The last and simplest element of the information flow model provides the When capability. Scheduling objects can be created and associated with individual NAC rules to define the time boundaries within which a rule applies, or the time at which it expires. Separately, automatic installation of X-Force xPress Updates (the security content that feeds the PAM engine) can be scheduled through the Scheduled Security Updates policy. Both depend on the appliance's clock, so keep it synchronized (NTP), or rules will open and close at the wrong times.
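The Who, What, and When sections above describe how a NAC rule is assembled, and the earlier list gives its four possible actions. The model below is an added example, not IBM code and not how the XGS policy engine is implemented: it puts the three elements into one first-match rule evaluator, with the field names, the business-hours schedule, and the sample flows all constructed for illustration. The unauthenticated identity is a first-class Who token, so the captive-portal rule from the Who section is expressible; a lint pass catches two policy mistakes that the model makes easy to see, an Authenticate Reject rule whose Who can never be unauthenticated, and rules left unreachable behind a catch-all.

```python
"""A first-match model of Who/What/When evaluation for NAC rules, with the four
actions Accept, Reject, Drop and Authenticate Reject.

Added example, not IBM code and not how the XGS policy engine is implemented.
Field names, the business-hours schedule and the sample flows are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

ACTIONS = {"Accept", "Reject", "Drop", "Authenticate Reject"}
UNAUTHENTICATED = "unauthenticated"   # identity of a source with no bound user


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    user: Optional[str]              # None when no user is bound to src_ip
    groups: FrozenSet[str]
    application: str                 # what DCA identified, e.g. "Blog"
    app_action: str                  # e.g. "read", "post"
    url_category: str
    when: datetime

    def identities(self) -> FrozenSet[str]:
        """Who: the identity tokens a rule can match for this flow."""
        if self.user is None:
            return frozenset({UNAUTHENTICATED})
        return frozenset({f"user:{self.user}"} | {f"group:{g}" for g in self.groups})


@dataclass(frozen=True)
class Schedule:
    weekdays: FrozenSet[int]         # 0 = Monday
    start: time
    end: time                        # exclusive

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    who: Optional[FrozenSet[str]] = None            # None = any identity
    applications: Optional[FrozenSet[str]] = None   # What
    app_actions: Optional[FrozenSet[str]] = None
    url_categories: Optional[FrozenSet[str]] = None
    schedule: Optional[Schedule] = None             # When; None = always

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"{self.name}: unknown action {self.action!r}")

    def matches(self, f: Flow) -> bool:
        return ((self.who is None or bool(self.who & f.identities()))
                and (self.applications is None or f.application in self.applications)
                and (self.app_actions is None or f.app_action in self.app_actions)
                and (self.url_categories is None or f.url_category in self.url_categories)
                and (self.schedule is None or self.schedule.active(f.when)))


def evaluate(rules: List[Rule], f: Flow, default: str = "Drop") -> Tuple[str, Optional[str]]:
    """First matching rule wins; returns (action, rule name), or the default with None."""
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return default, None


def lint(rules: List[Rule]) -> List[str]:
    """Two mistakes worth catching before deployment: an Authenticate Reject rule
    whose Who can never be unauthenticated, and rules shadowed by a catch-all."""
    warnings = []
    for i, r in enumerate(rules):
        if r.action == "Authenticate Reject" and r.who is not None and UNAUTHENTICATED not in r.who:
            warnings.append(f"{r.name}: Authenticate Reject but Who excludes {UNAUTHENTICATED}")
        if all(x is None for x in (r.who, r.applications, r.app_actions, r.url_categories, r.schedule)):
            warnings.extend(f"{later.name}: unreachable, shadowed by {r.name}" for later in rules[i + 1:])
            break
    return warnings


BUSINESS_HOURS = Schedule(frozenset(range(5)), time(8, 0), time(18, 0))

POLICY = [   # constructed policy, evaluated top to bottom
    Rule("captive-portal", "Authenticate Reject", who=frozenset({UNAUTHENTICATED})),
    Rule("no-blog-posting-in-hours", "Reject", who=frozenset({"group:staff"}),
         applications=frozenset({"Blog"}), app_actions=frozenset({"post", "write"}),
         schedule=BUSINESS_HOURS),
    Rule("block-malware-urls", "Drop", url_categories=frozenset({"Malware"})),
    Rule("staff-web", "Accept", who=frozenset({"group:staff"})),
]


def constructed_flows() -> dict:
    tue = datetime(2013, 9, 17, 10, 0)   # a Tuesday, inside business hours
    sat = datetime(2013, 9, 21, 10, 0)   # a Saturday
    staff, contractors = frozenset({"staff"}), frozenset({"contractors"})
    return {
        "alice posts to a blog on Tuesday": Flow("10.1.1.25", 443, "alice", staff, "Blog", "post", "Blogs", tue),
        "alice posts to a blog on Saturday": Flow("10.1.1.25", 443, "alice", staff, "Blog", "post", "Blogs", sat),
        "unknown host browses": Flow("10.1.1.77", 80, None, frozenset(), "Web", "read", "News", tue),
        "bob hits a malware URL": Flow("10.1.1.90", 80, "bob", contractors, "Web", "read", "Malware", tue),
        "bob browses news": Flow("10.1.1.90", 80, "bob", contractors, "Web", "read", "News", tue),
    }


def run_policy(rules: List[Rule] = POLICY) -> dict:
    return {label: evaluate(rules, f) for label, f in constructed_flows().items()}


if __name__ == "__main__":
    for label, (action, rule) in run_policy().items():
        print(f"{label:40} -> {action} ({rule or 'default'})")
    print(lint(POLICY))
```

The default when nothing matches is Drop, the safe direction for a policy of this kind; note that bob, who is in no group the policy names, is dropped for ordinary browsing for exactly that reason, which is the sort of outcome a lint or a dry run against sample flows should surface before the policy goes inline.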


Deploying the appliance

The XGS appliance can be deployed inline as an Intrusion Prevention System or as a passive monitoring Intrusion Detection System device; in passive mode the Protection Interfaces policy can monitor twice as many segments, because each port monitors a segment on its own rather than as half of an inline pair. When running in inline protection mode, the built-in bypass feature can be configured to either halt traffic (fail closed) or let it continue uninspected (fail open) during a failure. Fail open preserves availability at the cost of a window with no inspection, so make that choice deliberately per segment rather than leaving it at the default.

As an option, multiple appliances can be managed from the SiteProtector Management Console, which centralizes and simplifies policy management and records NAC rule activity.


Specifications and parameters

The following tables show the performance, physical, electrical, and environmental specifications and parameters of the XGS 5100 appliance.

Table 1. Performance characteristics

  Measurement                          Performance
  Inspected throughput                 Up to 5 Gbps
  Inspected throughput (with SSL)      Up to 2.5 Gbps
  Average latency                      < 150 microseconds
  Connections per second               50,000
  Concurrent sessions (max rated)      2,200,000

Performance data quoted for the IBM Security Network Intrusion Protection System is based on testing with mixed TCP/UDP traffic that is intended to be reflective of typical live traffic. Environmental factors such as protocol mix and average packet size will vary in each network; measured performance results will vary accordingly. IBM Security Network Protection throughput was determined by pushing mixed-protocol traffic through the appliance and measuring how much throughput was achieved with zero packet loss. For the benchmark testing, XGS series appliances were deployed in default inline protection mode with Trust X-FORCE policy; Spirent Avalanche 3100 testing equipment, firmware 3.50 (or later); traffic mix: HTTP=41%, HTTPS=17%, SMTP=10%, POP3=5%, FTP=9%, DNS=15%, SNMP=3%; HTTP/HTTPS traffic with 44KB object size with standard HTTP/S 1.1 GET requests; DNS standard A record lookup; FTP GET requests of 15,000 bytes in 2ms bursts, POP3 traffic with 100KB objects between two "user" mailboxes, SMTP simple connections with no object transfer, SNMP status query and response.

Table 2. Physical characteristics

  Specification                            Measurement
  Form factor                              1U
  Height                                   1.75 in. / 44.2 mm
  Width                                    16.9 in. / 430 mm
  Depth                                    19.7 in. / 500 mm
  Weight                                   22 lb / 10 kg
  Management interfaces                    2 x 1GbE, RJ-45 (IPv6 supported)
  Inline protected segments                Up to 10
  Fixed monitoring interfaces              4 x 1GbE (integrated bypass)
  Configurable monitoring interfaces       Up to 16 x 1GbE or 4 x 10GbE (dependent on NIMs)
  Supported physical media types           Direct Attach Copper, RJ-45, Fiber (SX/LX), 10G Fiber (SR/LR), SFP, SFP+
  Number of Network Interface Modules      Up to 2
  Available Network Interface Modules      8 x 1GbE TX (integrated bypass)
                                           4 x 1GbE SX (integrated bypass)
                                           4 x 1GbE LX (integrated bypass)
                                           2 x 10GbE SR (integrated bypass)
                                           2 x 10GbE LR (integrated bypass)
                                           4 x 1GbE SFP
                                           2 x 10GbE SFP+
  Redundant power supplies                 Yes
  Storage                                  Solid state drive

Table 3. Electrical and environmental parameters

  Parameter                                Measurement
  AC input rating                          100-127 V at 5.6 A, or 200-240 V at 2.8 A
  Operating temperature                    0-40°C (32-104°F)
  Relative humidity                        5-85% at 40°C (104°F)
  Safety certification/declaration         UL 60950-1, CAN/CSA C22.2 no. 60950-1, EN 60950-1 (CE Mark), IEC 60950-1, GB4943, GOST, UL-AR
  Electromagnetic compatibility            FCC Class A, Industry Canada Class A, AS/NZS CISPR 22 Class A, EN 55022 Class A (CE Mark), EN 61000-3-2 (CE Mark), EN 61000-3-3 (CE Mark), EN 55024 (CE Mark), VCCI Class A, KCC Class A, GOST Class A, GB9254 Class A, GB17625.1
  Environmental declaration                Restriction of Hazardous Substances (RoHS)
