securing the adaptive enterprise: hp-ux security features
TRANSCRIPT
Securing the Adaptive Enterprise
page 2 (04/13/23) © 2002-2003 hp
Agenda
• Security – high priority for business today
• Securing the adaptive enterprise
• HP-UX Adaptive Enterprise technologies and solutions
• Building a secure environment: client studies
Today's business and IT challenges
[Chart: security incidents (y-axis, 10,000 to 60,000) against time (x-axis, 1988 to 2002), with the last data point labelled 73,359]
The number of security incidents is increasing exponentially
The increasing importance of security
Your business and customers under threat:
• 85% of large organizations attacked in 2002
• 70% of attacks are internal
• “Love Bug” virus cost businesses $8.75 Bn
• 900,000 victims of identity theft every year
• January, 2003: SQL/Slammer hits the internet
Sources: www.cert.org; CSI/FBI Computer Crime Survey, 2002
The consequences of an attack can be catastrophic
• Direct losses:
  – lost orders
  – loss of immediate revenues
  – lost IP or confidential info
  – liabilities from lost employee or customer data
  – theft/fraud
• Indirect losses:
  – recovery costs
  – damaged competitiveness
  – damaged brand image
Downtime is a key contributor to business losses
[Bar chart: cost of downtime per hour by industry, $0 to $3,000,000; industries shown: Energy, Manufacturing, Insurance, Pharmaceuticals, Transportation, Healthcare, Average, Utilities, Banking, Retail, Finance, Telecom]
Average of all industries: $1,010,536 per hour, or $16,842 per minute
Source: Network Computing, April 2002 “Downtime Costs Money”
Major security incidents lead to serious business impacts
HP Adaptive Enterprise
Business agility: the added dimension
• increase quality
• improve agility
• manage costs
• mitigate risk
Building the foundation of an adaptive enterprise
[Diagram: IT adaptability (stable → managed / integrated → dynamic) plotted against business agility (react to change → anticipate changes → proactively change → use change to compete)]
Managed and integrated resources:
• enterprise integration
• IT consolidation
• Management
Dynamic and automated:
• virtualization
• on demand
• managed services
• integrated support
• financing
Provide a stable, extensible foundation:
• business continuity
• security
Adaptive Infrastructure and Management Solutions
[Diagram of the solution stack:
• Infrastructure and management: Enterprise Integration, IT consolidation, Management, Virtualization, Business Continuity, Security, Managed Services, Integrated Support, Financing
• Sourcing solutions; On Demand
• Cross-industry business solutions: CRM, supply chain/ERP, others...
• Vertical industries]
HP Adaptive Enterprise Solutions meet today’s challenges, build for tomorrow
HP-UX 11i security agility
D.H. Brown ranks HP-UX the leading UNIX, ranked #1 in all five categories:
• #1 scalability
• #1 reliability, availability and serviceability
• #1 systems management
• #1 internet and web application services
• #1 directory and security services
HP-UX 11i Security Infrastructure
• Netscape Directory Server
• AAA Server
• Mobile AAA Server
• Kerberos Server
• Database Server
• App Server
• Host IDS
• IPFilter
• Security Patch Check
• Bastille
• LDAP UX Integration
Agile LDAP architectures
• Netscape Directory Server
• Kerberos Server
• LDAP UX Integration
• Unified Windows log-in
• Central repository for people, resources
• Access ticket based on LDAP rights
• Role-based changes for millions of users
• Network Security White Paper
• AAA Servers
Netscape Directory Server 6.1
• Centralizes management of people and resources
• Central repository for user profiles and preferences enabling personalization
• Allows replication of data across the enterprise providing a centralized, consistent data source available to applications
• Enables single sign-on access with a partner solution
• Provides scalability for massive numbers of users
LDAP UX Integration
• Integrates with W2K ADS
• LDAP: general purpose directory
  – Store any type of object info and then query
  – NIS stores a simple database… limits the query
• LDAP: greater security
• SSL communication
• Fine grained access control
– More manageable
• Delegated or central
– Greater application integration
• A strategic direction whitepaper
Kerberos Server
• Key Distribution Center (KDC): centralized authentication with robust encryption
– A single repository for enterprise authentication information
– Single sign-on capabilities
– GSS API programming
– Built-in support for secure FTP, telnet, and r* commands
– HP-UX Integration support
• Product Brief
HP-UX AAA Servers
• Authentication, authorization, and accounting (AAA)
• RADIUS protocol
  – Authenticates land or mobile users
  – Authorizes access from access point
  – Provides session control and billing information
• Supports wireless internet connections
• Diameter white paper
• How to secure wireless LANs
• Solution brochure
Accountable Host Security
Host IDS
Security Patch Check
IPFilter
HP-UX Bastille
Real-time host intrusion detection
• Detection template
  – kernel audit data
  – high quality detection, not just audit log detection
  – five patents on technology
• Real-time alerts
  – agents on hosts
  – alerts to management console … or to OpenView VPO management
• Management
  – GUI browser for configuration
  – OpenView reporting
• H-IDS presentation available
HP-UX IPFilter System Firewall
• Protects hosts on the perimeter such as a web server.
– Stateful packet inspection remembers history and filters IP packets and streaming UDP traffic
– Application proxy firewall against attacks that target the underlying OS.
– Configurable filter, proxy and rules
• Dynamic connection allocation controls the number of incoming connections to mitigate a flood of TCP in a DoS attack
– Useful to protect mail servers
– Protect LDAP servers from bogus SSL connections
• IPFilter Solution brief
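As an added illustration (not from the original deck), an ipf.conf fragment contrasting a plain stateful rule for a mail server with one that caps concurrent tracked connections, as the slide describes for mail and LDAP servers. The `keep limit` keyword is HP-UX IPFilter's Dynamic Connection Allocation syntax as I understand it, and the addresses are constructed placeholders.

```conf
# Constructed example: /etc/opt/ipf/ipf.conf fragment for HP-UX IPFilter
# Default-deny inbound (logged); allow replies to our own outbound traffic only.
block in log all
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state

# Weak: stateful, but every SYN from anywhere creates a state entry, so a
# TCP flood against the mail server can fill the state table.
# pass in quick proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state

# Hardened: Dynamic Connection Allocation caps the number of concurrent
# connections tracked by this rule (assumed HP-UX 'keep limit' syntax).
pass in quick proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state keep limit 200

# LDAP over SSL (636) only from the internal network, with a per-rule cap so
# bogus SSL handshakes cannot exhaust the directory server's sockets.
pass in quick proto tcp from 10.0.0.0/8 to 192.0.2.20/32 port = 636 flags S keep state keep limit 100
block in log quick proto tcp from any to 192.0.2.20/32 port = 636
```

Rules flagged `quick` match in order, so the internal-network pass for port 636 must precede the block that follows it.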
HP-UX Bastille
• Security lockdown tool
• Various hardening required of servers used for web servers, applications, and databases.
• 70 configurations presented as security/usability tradeoff questions
• Configures or disables: daemons, system settings, and IPFilter, password shadowing, inetd audit
• Turns off unauthenticated services such as pwgrd and printing, rcp, and rlogin
Security Patch Check for HP-UX
• Semi-automatic patch administration
• Analyzes installed file sets and patches
• Recommends patches to be added to a system to cover all security defects
• Warns about recalled patches
• From the report, the admin downloads patches from the HP library
• Integrates with HP ServiceControl Manager
HP-UX Core Security Features
HP-UX 11iv2
Core HP-UX 11i Security
• Trusted mode is Common Criteria Certified EAL4-CAPP
• Stack buffer overflow protection
• Access control: file permissions
• Object reuse prevention
• Managers: SAM, ServiceControl
• Pluggable authentication (PAM)
• Passwords: long, checking
  – Shadow-encrypted
• Audit: trusted and IDS
• Encryption: random number generator, benchmarks
• Secure Shell encrypted log-on
• Install-time security on v2
• HP-UX 11iv2 White Paper
Customer Solution
ABN AMRO Bank – the need
Provide new secure services to the wholesale banking client base through an integrated business-to-business web portal:
• Increase the total customer experience
• Improve daily operational tasks such as retrieving customer information
• Ensure high levels of security in the new environment
One of the Top 20 worldwide banking groups
ABN AMRO Bank – the solution: enable new B2B portal
Consulting services
• Security Review across multiple sites
• Security Architecture Design
• Technology Selection
• Secure Infrastructure Services
• Netegrity SiteMinder customization and integration
Education & training
• Secure Application Development
• User Training for 7,500 employees
Technology solutions
• Single Sign-On
• HP UNIX Servers
• HP High Availability
• HP Data Storage Protection Software
• Troubleshooting and support services
[Architecture diagram: Access devices (PCs, Notebooks, PDAs, Printers); Access tier (Switches, Gateways, Wireless and DNS, VPN/Firewall); Web tier (NAS, Server Blades, SSL Accelerators, Load Balancers, Web Servers, Switches, Firewall); Application tier (Application Servers, Disk System, SAN Solutions); Database tier (Database Servers, High-end Arrays, Backup Solutions, Non-Stop High Activity Solutions); HP UNIX Servers with MC/ServiceGuard and MirrorDisk-UX; Single Sign-On with Netegrity SiteMinder]
ABN AMRO Bank – the benefits
“ABN Amro is now better positioned to react quickly to new developments in the rapidly evolving financial services industry.” ABN Amro spokesman
Internal and external business applications available through the secure portal, resulting in better customer satisfaction, better customer service and reduced costs.
• 7,500 customers and employees accessing 25 integrated applications
• Reduced transaction costs
• Reduced opportunity for fraud
• Reduced administrative effort
HP delivers more
• more accountability
• more agility
• greater return on IT