IBM Security XGS and network access control
Explore the who, what, and when aspects of intrusion prevention through an ACL policy
Figure 1. XGS 5100
The IBM Security Next Generation Intrusion Prevention System's (NGIPS) XGS 5100 appliance is a solid answer to two security industry needs:
- Security products become obsolete when they stop at packet headers and never inspect the data payload of network packets.
- Security products are ineffective when they lack the fine-grained intelligence to tell one type of traffic from another and therefore cannot enforce business policies.
Modern network activity is rapidly shifting to web protocols, chiefly HTTP/HTTPS, which now carry legitimate business applications, non-business applications, and attacks alike; this in turn accelerates the demand for a product that addresses both needs.
The core of the XGS appliance is the most important, all-encompassing NGIPS function: the Network Access Control (NAC) policy. NAC is a modern, powerful access control list (ACL) policy that administrators and security analysts use to decide what action to take when "interesting" traffic is detected. By "interesting," I mean potentially dangerous traffic.
NAC rules, their deployment parameters, and object definitions should be designed following a simple, conceptual, high-level information flow model that consists of three major stages or elements:
- Who: objects that distinguish identity
- What: data the application layer payload contains
- When: scheduling that defines time boundaries
Let's examine these elements more closely.
Who: Objects to distinguish identity
The Who concept defines objects created to distinguish identities. In the past, only traditional TCP/IP socket information would be used to identify endpoint source and destination. The XGS is capable of associating locally and remotely authenticated user accounts with their network traffic properties.
Local authentication is achieved by creating and managing users and groups in the Local Management Interface (LMI). When traffic matching a NAC rule is identified, the XGS can trigger NAC alert objects: email, SNMP, or remote syslog. The syslog alert has an option that, when enabled, emits the alert in Log Event Extended Format (LEEF), the format that IBM Security QRadar SIEM consumes natively; QRadar is the analysis tool used to correlate these alerts when hunting advanced persistent threats.
Each enabled NAC rule must have one of the following general actions selected:
- Authenticate Reject
The Authenticate Reject action lets the security analyst redirect an unauthenticated user to a local authentication portal served by the appliance, which actively prompts for credentials. When the Remote Directory Servers policy is configured, the local portal validates those credentials against LDAP or Active Directory.
A new and powerful feature lets existing Active Directory domain controllers with the Tivoli Logon Event Scanner (TLES) installed post already-authenticated user account information to the XGS appliance (passive authentication), so users are identified without ever being prompted. TLES is available free of charge to XGS customers. Because this ties an identity to the source address seen at logon, shared workstations and NAT'd segments can attribute one user's traffic to another; treat passively learned identity as weaker evidence than an interactive portal login when writing rules that grant access.
I'd like to note here that an unauthenticated user is considered an identity and can be used in NAC rules to identify any source value that has not been predefined or previously authenticated. A machine IP address trying to access the Internet for the first time may fall into this category.
What: Data the application layer payload contains
The What concept is where the next-generation capabilities of the XGS show most clearly: the appliance inspects and interprets the data the application layer payload contains and applies access control decisions to it.
The XGS employs the proprietary intrusion prevention engine known as the Protocol Analysis Module (PAM), developed and maintained by the X-Force group. The PAM signature base can be organized into multiple customized sets of protection policies (IPS Objects), each applied to individual NAC rules, so the security analyst can deploy different signature selections against specific sets of object-defined interesting traffic.
Each IPS Objects policy can be configured to respond with a security alert when any enabled signature in the set fires. Responses include the same alert types defined for NAC rules (email, SNMP, and remote syslog), plus the option of capturing either the single offending packet or the entire connection. Together with the generated security and network access alerts, packet captures carry the information the analyst needs for forensic and troubleshooting analysis.
In addition to PAM, when inspecting the application data of interesting traffic defined in NAC rules, the XGS uses a proprietary, versatile Deep Content Analysis (DCA) engine that relies on three databases maintained by the IBM Security Kassel group:
- URL Category to apply web-filtering decision based on URL categorization
- Web Application for granular application control
- IP Reputation for anti-spam efforts
The DCA engine lets the security analyst build NAC rules around What-type application control actions (for example, the write, post, or read actions of a blog application) that the identified entity (the Who) is allowed to perform. Standard URL filtering can be applied as well.
Characteristics of inspected traffic are captured as flow data in the IPFIX standard (IP Flow Information Export). Flow records can be stored and charted locally or exported to a flow collector such as IBM Security QRadar SIEM. The IPFIX export to the SIEM uses UDP transport, which is unacknowledged: records dropped in transit are lost silently, and nothing on the wire authenticates the sender, so treat a sudden drop in exported volume as a possible transport problem rather than a quiet network, and keep the export path on a trusted management network.
The flow data collected can be used to establish a baseline for acceptable user or group bandwidth consumption to detect traffic anomalies. Extensive charting options are also available to display the flow data stored locally by various combinations of time, identity, and application.
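As an added example (not code from the article or from IBM), here is the baseline-and-anomaly logic described above, written in Go over a constructed set of flow records rather than a real IPFIX export: it sums bytes per identity per hour, builds each user's baseline from all of that user's other hours (leave-one-out, so a spike cannot raise its own threshold), and flags hours above the mean plus k standard deviations. The `Flow` and `Anomaly` types, the `MB` constant, the identities and volumes in `SampleFlows`, and the k=3 / 500 MB settings are all assumptions made for the example; a real collector would fill `Flow` from the IPFIX information elements for identity, flow start time and octet count.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

const MB uint64 = 1 << 20

// Flow is the subset of an exported flow record this example uses: the identity
// the appliance attached to the flow, its start time and its byte count. These
// field names are this example's own, not IPFIX information element names.
type Flow struct {
	User  string
	Start time.Time
	Bytes uint64
}

// Anomaly is one interval whose volume for a user exceeded that user's baseline.
type Anomaly struct {
	User      string
	Interval  time.Time
	Bytes     uint64
	Threshold float64
}

// bucketize sums bytes per user per fixed interval (one hour, say); the
// baseline is built on these sums, not on individual flows.
func bucketize(flows []Flow, interval time.Duration) map[string]map[time.Time]uint64 {
	out := map[string]map[time.Time]uint64{}
	for _, f := range flows {
		if out[f.User] == nil {
			out[f.User] = map[time.Time]uint64{}
		}
		out[f.User][f.Start.Truncate(interval)] += f.Bytes
	}
	return out
}

// DetectAnomalies flags, per user, intervals above mean + k*stddev of that
// user's other intervals. Leaving the tested interval out of its own baseline
// keeps a spike from inflating its own threshold; minBytes stops a near-idle
// user (stddev ~ 0) from being flagged for any ordinary increase.
func DetectAnomalies(flows []Flow, interval time.Duration, k float64, minBytes uint64) []Anomaly {
	var out []Anomaly
	for user, buckets := range bucketize(flows, interval) {
		if len(buckets) < 3 {
			continue // not enough history for a baseline
		}
		for t, v := range buckets {
			var n, sum, sumSq float64
			for u, w := range buckets {
				if u.Equal(t) {
					continue
				}
				x := float64(w)
				n, sum, sumSq = n+1, sum+x, sumSq+x*x
			}
			mean := sum / n
			variance := math.Max(sumSq/n-mean*mean, 0)
			threshold := mean + k*math.Sqrt(variance)
			if float64(v) > threshold && v >= minBytes {
				out = append(out, Anomaly{user, t, v, threshold})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Interval.Before(out[j].Interval)
	})
	return out
}

// SampleFlows is constructed data: alice's usual ~100 MB/hour for eight hours
// followed by a 2 GB hour (an exfiltration-sized outlier), and bob flat at 50 MB.
func SampleFlows() []Flow {
	base := time.Date(2014, 3, 10, 0, 0, 0, 0, time.UTC)
	aliceMB := []uint64{100, 110, 95, 105, 100, 98, 102, 100, 2000}
	var flows []Flow
	for h, mb := range aliceMB {
		start := base.Add(time.Duration(h) * time.Hour)
		// two alice flows per hour so the example exercises aggregation
		flows = append(flows,
			Flow{"alice", start.Add(5 * time.Minute), mb * MB / 2},
			Flow{"alice", start.Add(40 * time.Minute), mb*MB - mb*MB/2},
			Flow{"bob", start.Add(15 * time.Minute), 50 * MB})
	}
	return flows
}

func main() {
	for _, a := range DetectAnomalies(SampleFlows(), time.Hour, 3, 500*MB) {
		fmt.Printf("%s %s: %d MB (threshold %.1f MB)\n", a.User,
			a.Interval.Format("2006-01-02 15:04"), a.Bytes/MB, a.Threshold/float64(MB))
	}
}
```

Run it with go run: the only anomaly reported is alice's 2 GB hour, while bob's flat 50 MB/hour never trips the threshold because his standard deviation is zero and no hour exceeds his own mean. Tune k and the byte floor per environment; the floor is what keeps a nearly idle user from being flagged for a single ordinary download.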
One new feature that sets the XGS apart from the competition and deepens the What concept is the ability to inspect outbound encrypted payloads: Base64 PEM-encoded RSA keys and certificates can be loaded on the appliance to decrypt sessions initiated from inside the network. Two caveats apply to any inline TLS inspection. A server's private key permits passive decryption only when the session negotiated RSA key transport; with ephemeral Diffie-Hellman key exchange the session key never crosses the wire, so the appliance has to terminate the client's TLS session itself and open a separate one to the server. And for outbound sessions to third-party servers, whose private keys you do not hold, that same termination is the only option, which means presenting clients a certificate signed by a CA they trust; plan for distributing that CA certificate to managed endpoints and for the privacy and compliance review that decrypting user traffic warrants.
A separate policy provides optional blocking of connections, independent of the NAC rule action, based on the following certificate properties: validity, expiration, whether the certificate is self-signed, and whether its issuing Certificate Authority appears on a block list.
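An added example, in Go with only the standard library, of the certificate checks just listed applied to constructed certificates (it is not XGS code and does not reproduce the appliance's policy format): `Evaluate` reports whether a presented server certificate is not yet valid or expired, is self-signed (issuer equals subject and the signature verifies under the certificate's own key), fails to verify against the issuer certificate the server presented, or was issued by a CA whose common name is on a block list. `Samples` mints two CAs (one on the block list) and several server certificates with `crypto/x509` so the checks run offline. The CA names, the CN-keyed block list, the reason strings and the `must` helper are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of evaluating one server certificate.
type Verdict struct {
	Block   bool
	Reasons []string
}

// Evaluate applies the four properties the page lists: validity (the signature
// verifies against the issuer certificate the server presented, when given),
// expiration, self-signed, and issuer on a block list keyed by issuer CN.
func Evaluate(c, issuer *x509.Certificate, now time.Time, blockedIssuers map[string]bool) Verdict {
	var v Verdict
	if now.Before(c.NotBefore) {
		v.Reasons = append(v.Reasons, "not yet valid")
	}
	if now.After(c.NotAfter) {
		v.Reasons = append(v.Reasons, "expired")
	}
	// Self-signed means issuer == subject AND the signature verifies with the
	// certificate's own key; a matching name alone is trivially forgeable.
	selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	switch {
	case selfSigned:
		v.Reasons = append(v.Reasons, "self-signed")
	case issuer != nil && c.CheckSignatureFrom(issuer) != nil:
		v.Reasons = append(v.Reasons, "signature does not verify against presented issuer")
	}
	if blockedIssuers[c.Issuer.CommonName] {
		v.Reasons = append(v.Reasons, "issuer on block list")
	}
	v.Block = len(v.Reasons) > 0
	return v
}

// must is example scaffolding for certificate minting, not policy logic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a CA or end-entity certificate template with the given lifetime.
func template(cn string, notBefore, notAfter time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// mint signs tmpl with signer on behalf of parent and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// Samples mints constructed certificates (two CAs, one of them on the block
// list, and several server certificates) and returns the verdict for each case.
func Samples() map[string]Verdict {
	now := time.Date(2014, 3, 10, 12, 0, 0, 0, time.UTC)
	blocked := map[string]bool{"Shady Root CA": true}
	goodKey, shadyKey, leafKey := newKey(), newKey(), newKey()
	goodT := template("Example Corp Issuing CA", now.Add(-time.Hour), now.Add(24*365*time.Hour), true)
	shadyT := template("Shady Root CA", now.Add(-time.Hour), now.Add(24*365*time.Hour), true)
	goodCA, shadyCA := mint(goodT, goodT, goodKey, goodKey), mint(shadyT, shadyT, shadyKey, shadyKey)
	selfT := template("intranet.example", now.Add(-time.Hour), now.Add(24*time.Hour), false)
	fresh := template("www.example", now.Add(-time.Hour), now.Add(24*time.Hour), false)
	stale := template("old.example", now.Add(-48*time.Hour), now.Add(-24*time.Hour), false)
	return map[string]Verdict{
		"self-signed":  Evaluate(mint(selfT, selfT, leafKey, leafKey), nil, now, blocked),
		"expired":      Evaluate(mint(stale, goodCA, leafKey, goodKey), goodCA, now, blocked),
		"blocked-ca":   Evaluate(mint(fresh, shadyCA, leafKey, shadyKey), shadyCA, now, blocked),
		"wrong-issuer": Evaluate(mint(fresh, goodCA, leafKey, goodKey), shadyCA, now, blocked),
		"valid":        Evaluate(mint(fresh, goodCA, leafKey, goodKey), goodCA, now, blocked),
	}
}

func main() {
	for name, v := range Samples() {
		fmt.Printf("%-12s block=%-5v %v\n", name, v.Block, v.Reasons)
	}
}
```

The "wrong-issuer" case is the validity check in action: the certificate names a legitimate issuer, but its signature does not verify under the CA certificate actually presented in the handshake, which is what a man-in-the-middle substituting certificates looks like to an inline device. Note that the self-signed test deliberately verifies the signature rather than just comparing names, and that a CN-keyed block list is only as good as the uniqueness of those names; a production policy should key on the issuer's key identifier or certificate fingerprint.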
When: Scheduling to define time boundaries
The last and simplest item in the information flow model supplies the When capabilities. Scheduling objects can be created and associated with individual NAC rules to define time boundaries or expirations for when a rule applies. Automatic installation of X-Force xPress Updates, the security content applied to the PAM engine, can also be scheduled through the Scheduled Security Updates policy.
Deploying the appliance
The XGS appliance can be deployed as an inline Intrusion Prevention System or as a passive Intrusion Detection System monitoring device; because a passive deployment uses each interface of a protection pair independently, it doubles the number of segments that can be monitored through the Protection Interfaces policy. When running in inline protection mode, the built-in bypass can be configured to fail closed (halt traffic) or fail open (pass traffic uninspected) during a failure. Fail open preserves availability at the cost of unprotected traffic for the duration of the outage, so choose per segment according to which risk the business would rather carry.
Optionally, multiple appliances can be managed with the SiteProtector Management Console, which centralizes and simplifies policy management and records NAC rule activity.
Specifications and parameters
The following tables show the performance, physical, electrical, and environmental specifications and parameters of the XGS 5100 appliance.
Table 1. Performance characteristics
| Characteristic | Value |
| --- | --- |
| Inspected throughput | Up to 5 Gbps |
| Inspected throughput (with SSL) | Up to 2.5 Gbps |
| Average latency | <150 microseconds |
| Connections per second | 50,000 |
| Concurrent sessions (max rated) | 2,200,000 |
Performance data quoted for the IBM Security Network Intrusion Protection System is based on testing with mixed TCP/UDP traffic intended to reflect typical live traffic. Environmental factors such as protocol mix and average packet size vary in each network, and measured performance results will vary accordingly. IBM Security Network Protection throughput was determined by pushing mixed-protocol traffic through the appliance and measuring the throughput achieved with zero packet loss. Benchmark conditions:
- XGS series appliances deployed in default inline protection mode with the Trust X-Force policy
- Spirent Avalanche 3100 test equipment, firmware 3.50 or later
- Traffic mix: HTTP 41%, HTTPS 17%, SMTP 10%, POP3 5%, FTP 9%, DNS 15%, SNMP 3%
- HTTP/HTTPS: 44 KB objects fetched with standard HTTP/1.1 GET requests
- DNS: standard A record lookups
- FTP: GET requests of 15,000 bytes in 2 ms bursts
- POP3: 100 KB objects between two "user" mailboxes
- SMTP: simple connections with no object transfer
- SNMP: status query and response
Table 2. Physical characteristics
| Characteristic | Value |
| --- | --- |
| Management interfaces | 2 x 1GbE, RJ-45 (IPv6 supported) |
| Inline protected segments | Up to 10 |
| Fixed monitoring interfaces | 4 x 1GbE (integrated bypass) |
| Configurable monitoring interfaces | Up to 16 x 1GbE or 4 x 10GbE (dependent on NIMs) |
| Supported physical media types | Direct Attach Copper, RJ-45, Fiber (SX/LX), 10G Fiber (SR/LR), SFP, SFP+ |
| Number of Network Interface Modules (NIMs) | Up to 2 |
| Available NIMs | 8 x 1GbE TX (integrated bypass); 4 x 1GbE SX (integrated bypass); 4 x 1GbE LX (integrated bypass); 2 x 10GbE SR (integrated bypass); 2 x 10GbE LR (integrated bypass); 4 x 1GbE SFP; 2 x 10GbE SFP+ |
| Redundant power supplies | Yes |
| Storage | Solid state drive |
Table 3. Electrical and environmental parameters
| Parameter | Value |
| --- | --- |
| AC input rating | 100V-127V @ 5.6A / |
| Operating temperature / relative humidity | 0°C-40°C (32°F-104°F) / |
| Safety certification/declaration | UL 60950-1, CAN/CSA C22.2 no. 60950-1, EN 60950-1 (CE Mark), IEC 60950-1, GB4943, GOST, UL-AR |
| Electromagnetic compatibility certification/declaration | FCC Class A, Industry Canada Class A, AS/NZS CISPR 22 Class A, EN 55022 Class A (CE Mark), EN 61000-3-2 (CE Mark), EN 61000-3-3 (CE Mark), EN 55024 (CE Mark), VCCI Class A, KCC Class A, GOST Class A, GB9254 Class A, GB17625.1 |
| Environmental declaration | Restriction of Hazardous Substances (RoHS) |