Securing the Adaptive Enterprise: HP-UX Security features ...

Transcript of Securing the Adaptive Enterprise: HP-UX Security features ...

Page 1: Securing the Adaptive Enterprise: HP-UX Security features ...

Securing the Adaptive Enterprise

Page 2: Securing the Adaptive Enterprise: HP-UX Security features ...

page 2 04/13/23 © 2002-2003 hp

Agenda

• Security – high priority for business today

• Securing the adaptive enterprise

• HP-UX Adaptive Enterprise technologies and solutions

• Building a secure environment: client studies

Page 3: Securing the Adaptive Enterprise: HP-UX Security features ...

today’s business and IT challenges

Page 4: Securing the Adaptive Enterprise: HP-UX Security features ...

The increasing importance of security

The number of security incidents is increasing exponentially

[Chart: incidents (y-axis) over time (x-axis, 1986 to 2002); labelled value: 73,359]

Your business and customers under threat:

• 85% of large organizations attacked in 2002

• 70% of attacks are internal

• “Love Bug” virus cost businesses $8.75 Bn

• 900,000 victims of identity theft every year

• January, 2003: SQL/Slammer hits the internet

Sources: www.cert.org; CSI – FBI Computer Crime Survey, 2002

Page 5: Securing the Adaptive Enterprise: HP-UX Security features ...

The consequences of an attack can be catastrophic

• Direct losses:

– lost orders

– loss of immediate revenues

– lost IP or confidential info

– liabilities from lost employee or customer data

– theft/fraud

• Indirect losses:

– recovery costs

– damaged competitiveness

– damaged brand image

downtime is a key contributor to business losses

[Bar chart: downtime cost by industry, axis $0 to $3,000,000; industries shown: Energy, Manufacturing, Insurance, Pharmaceuticals, Transportation, Healthcare, Average, Utilities, Banking, Retail, Finance, Teleco]

Average of all industries: $1,010,536 per hour, or $16,842 per minute

Source: Network Computing, April 2002 “Downtime Costs Money”

Major security incidents lead to serious business impacts

Page 6: Securing the Adaptive Enterprise: HP-UX Security features ...

HP Adaptive Enterprise

Page 7: Securing the Adaptive Enterprise: HP-UX Security features ...

business agility: the added dimension

increase quality

improve agility

manage costs

mitigate risk

Page 8: Securing the Adaptive Enterprise: HP-UX Security features ...

building the foundation of an adaptive enterprise

react to change

anticipate changes

pro-actively change

use change to compete

IT adaptability

business agility

stable, dynamic, managed / integrated

manage and integrated resources

• enterprise integration

• IT consolidation

• Management

dynamic and automated

• virtualization

• on demand

• managed services

• integrated support

• financing

provide a stable, extensible foundation

• business continuity

• security

Page 9: Securing the Adaptive Enterprise: HP-UX Security features ...

Enterprise Integration

IT consolidation

Management

Virtualization

Business Continuity

Security

Managed Services

Integrated Support

Financing

Adaptive Infrastructure and Management Solutions

sourcing solutions

cross-industry business solutions

vertical industries

others...

CRM

supply chain/ERP

On Demand

HP Adaptive Enterprise Solutions meet today’s challenges, build for tomorrow

Page 10: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX 11i security agility

Page 11: Securing the Adaptive Enterprise: HP-UX Security features ...

D.H. Brown ranks HP-UX the leading UNIX

ranked #1 in all five categories

#1 scalability

#1 reliability, availability and serviceability

#1 systems management

#1 internet and web application services

#1 directory and security services

Page 12: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX 11i Security Infrastructure

Netscape Directory Server

AAA Server

Mobile AAA Server

Kerberos Server

Database Server

App Server

Host IDS

IPFilter

Security Patch Check

Bastille

LDAP UX Integration

Page 13: Securing the Adaptive Enterprise: HP-UX Security features ...

Agile LDAP architectures

Netscape Directory Server

Kerberos Server

LDAP UX Integration

Unified Windows log-in

Central repository for people, resources

Access ticket based on LDAP rights

Role-based changes for millions of users

Network Security White Paper

AAA Servers

Page 14: Securing the Adaptive Enterprise: HP-UX Security features ...

Netscape Directory Server 6.1

• Centralizes management of people and resources

• Central repository for user profiles and preferences enabling personalization

• Allows replication of data across the enterprise providing a centralized, consistent data source available to applications

• Enables single sign-on access with a partner solution

• Provides scalability for massive numbers of users

Page 15: Securing the Adaptive Enterprise: HP-UX Security features ...

LDAP UX Integration

• Integrates with W2K ADS

• LDAP general purpose directory

• Store any type of object info and then query

• NIS stores simple database… limits the query

– LDAP greater security

• SSL communication

• Fine grained access control

– More manageable

• Delegated or central

– Greater application integration

• A strategic direction whitepaper

Page 16: Securing the Adaptive Enterprise: HP-UX Security features ...

Kerberos Server

• Key Distribution Center (KDC)

Centralized authentication with robust encryption

– A single repository for enterprise authentication information

– Single sign-on capabilities

– GSS API programming

– Built-in support for secure FTP, telnet, and r* commands

– HP-UX Integration support

• Product Brief

Page 17: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX AAA Servers

• Authentication, authorization, and accounting (AAA)

• RADIUS protocol

– Authenticates land or mobile users

– Authorizes access from access point

– Provides session control and billing information

• Diameter white paper

supports wireless internet connections

• How to secure wireless LANs

• Solution brochure

Page 18: Securing the Adaptive Enterprise: HP-UX Security features ...

Accountable Host Security

Host IDS

Security Patch Check

IPFilter

HP-UX Bastille

Page 19: Securing the Adaptive Enterprise: HP-UX Security features ...

Real-time host intrusion detection

• Detection Template

• kernel audit data

• high quality detection

• not just audit log detection

• five patents on technology

• Real-time alerts

• agents on hosts

• alerts to management console … or to…

• OpenView VPO management

• Management

• GUI browser for configuration

• OpenView reporting

• H-IDS presentation available

Page 20: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX IPFilter System Firewall

• Protects hosts on the perimeter such as a web server.

– Stateful packet inspection remembers history and filters IP packets and streaming UDP traffic

– Application proxy firewall against attacks that target the underlying OS.

– Configurable filter, proxy and rules

• Dynamic connection allocation controls the number of incoming connections to mitigate a flood of TCP connections in a DoS attack

– Useful to protect mail servers

– Protect LDAP servers from bogus SSL connections

• IPFilter Solution brief

Page 21: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX Bastille

• Security lockdown tool

• Various hardening required of servers used for web-servers, applications, and databases.

• 70 configurations presented as security/usability tradeoff questions

• Configures or disables: daemons, system settings, and IPFilter, password shadowing, inetd audit

• Turns off unauthenticated services such as pwgrd and printing, rcp, and rlogin

Page 22: Securing the Adaptive Enterprise: HP-UX Security features ...

Security Patch Check for HP-UX

• Semi-automatic patch administration

• Analyzes installed file sets and patches

• Recommends patches to be added to a system to cover all security defects

• Warns about recalled patches

• From the report, the admin downloads patches from the HP library

• Integrates with HP ServiceControl Manager

Page 23: Securing the Adaptive Enterprise: HP-UX Security features ...

HP-UX Core Security Features

HP-UX 11iv2

Page 24: Securing the Adaptive Enterprise: HP-UX Security features ...

Core HP-UX 11i Security

• Trusted mode is Common Criteria Certified EAL4-CAPP

• Stack buffer overflow protect

• Access control – file permissions

• Object reuse – prevention

• Managers – SAM, ServiceControl

• Pluggable authentication (PAM)

• Passwords – long, checking

– Shadow-encrypted

• Audit – trusted and IDS

• Encryption – random number generator, benchmarks

• Secure Shell encrypted log-on

• Install-time security on v2

• HP-UX 11iv2 White Paper

Page 25: Securing the Adaptive Enterprise: HP-UX Security features ...

Customer Solution

Page 26: Securing the Adaptive Enterprise: HP-UX Security features ...

ABN AMRO Bank – the need

Provide new secure services to the wholesale banking client base through an integrated business-to-business web portal:

• Increase the total customer experience

• Improve daily operational tasks such as retrieving customer information

• Ensure high levels of security in the new environment

One of the Top 20 worldwide banking groups

Page 27: Securing the Adaptive Enterprise: HP-UX Security features ...

ABN AMRO Bank – the solution

Enable new B2B portal

consulting services

• Security Review across multiple sites

• Security Architecture Design

• Technology Selection

• Secure Infrastructure Services

• Netegrity SiteMinder customization and integration

education & training

• Secure Application Development

• User Training for 7,500 employees

technology solutions

• Single Sign-On

• HP UNIX Servers

• HP High Availability

• HP Data Storage Protection Software

• Troubleshooting and support services

[Architecture diagram labels]

Access tier

Switches, Gateways, Wireless and DNS

Application Servers

Disk System, SAN Solutions

Application tier

PCs, Notebooks

PDAs, Printers

Access devices

Database Servers, High-end Arrays, Backup Solutions

Non-Stop High Activity Solutions

Database tier

VPN/Firewall

Web tier

NAS, Server Blades

SSL Accelerators, Load Balancers

Web Servers, Switches

Firewall

HP UNIX Servers, MC/ServiceGuard

MirrorDisk-UX

Single Sign-On, Netegrity SiteMinder

Page 28: Securing the Adaptive Enterprise: HP-UX Security features ...

ABN AMRO Bank – the benefits

“ABN Amro is now better positioned to react quickly to new developments in the rapidly evolving financial services industry.” ABN Amro spokesman

Internal and external business applications available through the secure portal, resulting in better customer satisfaction, better customer service and reduced costs.

• 7,500 customers and employees accessing 25 integrated applications

• Reduced transaction costs

• Reduced opportunity for fraud

• Reduced administrative effort

Page 29: Securing the Adaptive Enterprise: HP-UX Security features ...

HP delivers more

• more accountability

• more agility

• greater return on IT

Page 30: Securing the Adaptive Enterprise: HP-UX Security features ...