HPConsulting Israel Jacob Shaaltiel HP UX 11 Security Products July 15, 2001
HP UX 11i Security Features PAM And CDSA hp-UX intrusion detection J5083AA IPSec 9000 J4255AA IPFilter9000 B9901AA HPConsulting Services Trusted System (C2) CIFS 9000 J5083AA Kerberos 5.0 J5844AA
The server is the final line of defense HP-UX 11 Is The Most Secure Commercial Unix Server Industry standard security easily integrates in end-to-end security solutions • IPSec • Kerberos • C2 Compliance • CDSA • LDAP High Performance Security • HP Praesideum Speedcard • HP-UX software encryption acceleration Broad portfolio of security products and solutions to meet the demanding requirements of integrated OS, network and application security • Virtual Vault • DomainGuard • Node Sentry • Extranet VPN • e-Firewall • Intrusion Detection
HP-UX 11.x Intrusion Detection Architecture Misuse/Intrusion Alerts Control/Status Security Administration Security Management OpenView IT/O Configuration IDS Agent Notification Reporting Analysis Response Detection Pattern - Kernel - Application IDS Applications Etc. Kernel Audit Data Syslog Data Other Data
Real-Time Detection and Alerts • Intrusions detected as they occur • System performance not degraded • Three alert levels color coded • Attacker identified • Attack type identified
System Management • Multiple hosts across the enterprise • Surveillance groups for easy administration • Surveillance schedules for maintenance, test
HP UX 11i Security IP Filter 9000
IP Filter 9000 • IPFilter/9000 is the same as the IP Filter Version 3.5 Alpha 5 from the public domain (authored by Darren Reed) with stronger quality. It contains all functionality in the public domain code including the unsupported perimeter firewall features, such as NAT and firewall stealth. The customers using the unsupported features may request for support from the public domain, at the URL: http://caligula.anu.edu.au/~avalon/ • IPFilter/9000 is not supported in an MC/SG environment. • IPFilter is offered for free on the application disk HP has positioned IP Filter/9000 as a system firewall and does not support the perimeter firewall features in the product.
IP Filter 9000 • IP Filter/9000 provides the following benefits: · Protect an individual host in intranet against internal attacks · Protect a host in intranet against external attacks that breach perimeter defenses · Protect a bastion host on the perimeter (e.g. web server) · Protect a bastion host in the DMZ (e.g. web server) · Protect an application proxy firewall against attacks that target the underlying OS · Stop the security hole created by remote access workstation connected to Internet and having VPN access to intranet · Provide restricted configuration of internet services
IP Filter 9000 Example Filtering by Port Number object = addr [ port-comp | port-range ] port-comp = "port" compare port-num port-range = "port" port-num range port-num Only applicable with the TCP and UDP IP Protocols. Example: pass in quick proto tcp from any to 188.8.131.52/32 port = 23
HP UX 11i Security IPSec 9000
Host-to-Host • End-to-End security to protect sensitive data for intra- or inter-network communications • Site-to-Site • Replace expensive dedicated leased line WAN charges for site-to-site data connectivity • Extranet VPN • Quick set-up of business-to-business WAN connectivity • Remote Access • Replace expensive modem pools, ISDN per-minute charges Types of VPNs HP Solution • IPSec/9000 • E-Firewall/VPN • E-Firewall/VPN • E-Firewall/VPN
HP IPSEC VPN Solutions Praesidium E-Firewall can function as VPN gateway for network-to- network IPSEC traffic and/or firewall filter to allow IPSEC through to the VPN Secure App Server Corporate Intranet Vendor X Firewall Legacy App Server DMZ E-Firewall Web Server E-Firewall VPN Secure App Server Praesidium IPSEC/9000 Web server with IPSEC provides transparent network-level security allowing secure transfer of credit card numbers and other sensitive data. Praesidium IPSEC/9000 Secure Application Server provides transparent end-to-end network- level security for legacy applications Encrypted IPSEC Unencrypted Data
Easy to adopt - allows existing applications to take advantage of • IPSec services without modifications. • Flexible rule-based security attribute and access control policy configurations • - Allow combinations of IP addresses, subnet mask, ports, protocols and • connection-based keying, security attribute configuration and packet • filtering • - Can be configured to filter both IPSec and clear-text packets HP-UX IPSec/9000 Product Overview • IPSec-based standard solutions to provide interoperability and to protect • customer’s investment. • Scalable and flexible key management (IKE) for authentication • Easy Integration with existing infrastructure- Pre-shared key support • ScalablePublic-key based authentication with PKI - automated certificate and CRL retrieval process • Industry leading high-performance IPSec/VPN • Crypto performance is optimized for PA-RISC architecture.
Secure and ease-of-use Administration Tools • GUI based IPSec Policy Configuration Console • IPSec Policy Defaults • Diagnostic and Monitoring Tool HP-UX IPSec/9000 Product Overview (Continue) • End-to-end IPSec to distribute cryptographic computation cycles among • multiple end systems. • Logging and audit trail for accountability and intrusion alerts • Demonstrated multi-vendor interoperability at the ANX and IPSec standards • bakeoffs. • Both transport mode and tunnel mode are supported to facilitate flexible • VPN scenarios. • No cost.
HP UX 11i Security Trusted Mode(C2)
Trusted Mode (C2) Extensions to Security beyond Standard UNIX The Protected Password Database enables: · System Boot Authentication · Denial of encrypted password access by non-root users · Extending maximum password length beyond eight characters · Forcing all passwords to conform to minimum complexity requirements · Preventing reuse of password once they’ve expired · Establishing minimum and maximum password length requirements · Creation of a unique Audit ID for every user · Automatic user account expiration · Account login restrictions (time of day, day of week) · Account disabling after a number of failed login attempts · Login device restrictions (by tty) Trusted Mode also has a C2-compliant auditing system which audits system activity at a low ‘system call’ level.