HP TippingPoint Module 4: PoC 2 - NGFW v1.0
Angelo Brancato, CISSP, CISM
Principal Solution Architect
angelo.brancato@hp.com
Mobile: +49 174 1502278
Why HP TippingPoint NGFW?
[Timeline figure, 2001 to today. Labels: Stateful Firewalls, NGFW, NGIPS & NGFW, UTM, HP TippingPoint NGIPS]
Why HP TippingPoint NGFW?
• Reliable: NGIPS with 99.99999% network uptime track record
• Simple: Easy to use, configure and install, with centralized management
• Effective: Industry-leading security intelligence with weekly DVLabs updates
[Diagram labels: Next Gen IPS; Integrated Policy; Next Gen Firewall; Security Research (DVLabs, Reputation and feeds); User and App policy]
5 NGFW HP TippingPoint Models on Day 1
• TippingPoint S8010F: NGFW 10.000 Mbps, NGFW+NGIPS 5.000 Mbps
• TippingPoint S8005F: NGFW 5.000 Mbps, NGFW+NGIPS 2.500 Mbps
• TippingPoint S3020F: NGFW 2.000 Mbps, NGFW+NGIPS 1.000 Mbps
• TippingPoint S3010F: NGFW 1.000 Mbps, NGFW+NGIPS 500 Mbps
• TippingPoint S1050F: NGFW 500 Mbps, NGFW+NGIPS 250 Mbps
Chart axes: NGFW Throughput [Mbps]; IPS Inspection Throughput [Mbps]; Firewall/IPS Ports: 8, 16, 18, 20, 20
Easy to Deploy in the Network
• Transparent
  • Drop-in deployment
  • Same L2 network on both sides
  • Forwarded traffic based on destination MAC
  • Firewall always there…
• Routed
  • Different L3 network on each side
  • Traffic is directed via routing table
  • No asymmetric routing
  • No L2FB
Interface types:
• Segment: In/out port; Bump-in-the-wire (no IP address); Reliability through L2FB and HA modes
• Routed: One or more IP addresses
• One Armed: Single port in/out; VLAN tagged
• Bridge: Multiple ports; Broadcast domain; IP address; No L2FB
Easy to Deploy in the Network
[Diagram of Transparent and Routed deployment. Labels: Bridge 1, Segment 1, Zone 1, Zone 2, Zone 3, Zone 4, etc…]
HP TippingPoint’s flow-based, policy-driven architecture
[Diagram: Network Traffic passes through four numbered stages (1 to 4)]
• Traffic Classification: Security Zone, IP Address, Service, Application, User
• Firewall Rules: Rule 1, Rule 2, …, Rule n, Default Rule
• Inspection Profiles: IPS Policy 1 … IPS Policy n, Rep Policy 1 … Rep Policy n
• Action Sets: Block, Permit, Trust, Rate Limit, Quarantine
Simple Use Case #1
[Diagram labels: Internet, DMZ, LAN, Web Server Farm, Admin User: Bob, Remote Support, Analytics, HTTP Mpg4 Video Stream, Allow Any]
NGFW Policy – Empty Policy
Rule columns: Action, Source (IP, Zone), Destination (IP, Zone), Service, App, User, IPS, …, Notes (column groups: Stateful, NG)
Default rule: Any | Any | Any | Any | Any | Any | Any | n/a
[Diagram labels: Internet, DMZ, LAN, Web Server Farm, Admin User: Bob, Remote Support, Analytics, HTTP Mpg4 Video Stream, DV, Allow Any]
NGFW Policy – Use Case #1
Rule columns: Action, Source (IP, Zone), Destination (IP, Zone), Service, App, User, IPS, …, Notes (column groups: Stateful, NG)
Rule table (rows flattened in extraction). Values appearing in the rules:
• App: Tunneling: GoToMyPC; HTTP: Ggl.Analytics; HTTP: Mpg4 Streaming
• Zones: INET, LAN, DMZ
• IP: WWWServers, Any
• User: Bob, Any
• IPS: DV
• Other labels: Perim., Core
Default rule: Any | Any | Any | Any | Any | Any | Any | n/a
[Diagram labels: Internet, DMZ, LAN, Web Server Farm, Admin User: Bob, Remote Support, Analytics, HTTP Mpg4 Video Stream, DV, Allow Any]
Simple Use Case #2
[Diagram labels: Internet, Internet Access via HTTP/S, Yahoo Games, www, Marketing User: Alice, LAN, WLAN (BYOD), Remote]
NGFW Policy – Use Case #2
Rule columns: Action, Source (IP, Zone), Destination (IP, Zone), Service, App, User, IPS, …, Notes (column groups: Stateful, NG)
Rule table (rows flattened in extraction). Values appearing in the rules:
• App: YahooGames
• Service: HTTP, HTTPS
• Zones: WLAN, LAN, INET
• User: Alice
• IPS: DV, n/a
• Other labels: Perim.
Default rule: Any | Any | Any | Any | Any | Any | Any | n/a
NGFW Policy – Use Case #2
[Diagram: www traffic passing through Traffic Classification, Firewall Rules, Inspection Profiles and Action Sets. Service “HTTP/S”: Absolute Match. Application “YahooGames”: Potential Match.]
NGFW Policy – Use Case #2
[Diagram: traffic passing through Traffic Classification, Firewall Rules, Inspection Profiles and Action Sets. Application “YahooGames”: Absolute Match.]
PoC 2
[Network diagram labels: Inet, DMZ, Perimeter Firewalls, Branch, Core/Distribution, Access; NGFW Sec.-Zone1, NGFW Sec.-Zone2, NGFW Sec.-Zone3, IPS Sec.-Zone 1-3]
PoC 2
[Network diagram labels: Inet, DMZ, Branch; links: 1Gbps 1000BASE-SX (two), 100Mbps 100BASE-TX (two), 10Gbps 10GBASE-SR; four appliances marked “NGFW Model ?”]
HP TippingPoint – NGFW Appliance Matrix
• TippingPoint S8010F: NGFW 10.000 Mbps, NGFW+NGIPS 5.000 Mbps
• TippingPoint S8005F: NGFW 5.000 Mbps, NGFW+NGIPS 2.500 Mbps
• TippingPoint S3020F: NGFW 2.000 Mbps, NGFW+NGIPS 1.000 Mbps
• TippingPoint S3010F: NGFW 1.000 Mbps, NGFW+NGIPS 500 Mbps
• TippingPoint S1050F: NGFW 500 Mbps, NGFW+NGIPS 250 Mbps
Chart axes: NGFW Throughput [Mbps]; IPS Inspection Throughput [Mbps]; Firewall/IPS Ports: 8, 16, 18, 20, 20
PoC 2
[Network diagram labels: Inet, DMZ; links: 1Gbps 1000BASE-SX (two), 100Mbps 100BASE-TX (two), 10Gbps 10GBASE-SR; appliances: NGFW1 S8010F, NGFW2 S8010F, NGFW2 S1050F, SMS Cluster (SMS v2)]
Build a BOM
HPN Online Configurator
1. add devices…
2. configure devices…
3. add service…
4. Bill-of-Material with list pricing.
Pricing – HP TippingPoint NGFW
HW/License – Discount = Net Price
Net Price + Support (% of List) = Total
• Please find the pricelists @HP ESP Partner Central: www.hp.com/partners/tippingpoint (Pricing Guides, Pricing and Configuration Guides)
• *Offered in 1, 3, 4, and 5 year increments
Thank you
Angelo Brancato, CISSP, CISM
Principal Solution Architect
angelo.brancato@hp.com
Mobile: +49 174 1502278