1. Next Generation Firewalls:
A Discussion on Consolidated Security, Application Inspection and Blended Threat Mitigation
Christian Barnes
Materials:Kostas Sfakiotakis, FCNSP Manager, Systems Engineering

2. The Threats You Face Continue to Grow
Motive and intent has moved from notoriety to financial gain
Cyber security is critical
In the News:
Stuxnet attack on Iranian Nuclear Facility
Flame Virus-10 times more sophisticated than Stuxnet
RSA and Sony APT breaches
Anonymous BART attack
Healthnet’s Medical Records compromised
US banks targeted by Russian cyber-gangster groups
Google & Yahoo targeted DNS attacks
Scada Protocols targeted by Cyber-terrorist groups
Hundreds more…
Exponential Growth in Malware Threats
in thousands
Coordinated and blended attacks are now a common practice
Increased processing power required
U.S. DoD Reported Incidents of Malicious Cyber Activity
in thousands
Enough about Fortinet. Let’s talk about the challenges you're dealing with.
You know that threats are increasing in volume, severity, and complexity. You see this every day in and day out.
Our FortiGuard Global Threat Research Team identified more malware in 2008 than in the years through 2007 combined
In addition, we saw the number of malware incidences jump eight-fold in 2008 from 2005 levels
The headlines you read are filled with examples of attackers successfully breaching network security systems for financial or political gain.
You have also seen the evolution of attacks from fairly simple network-based threats to sophisticated content level attacks.
Seemingly innocuous data traffic now transmits spam, malware, viruses and other types of IT threats.

3. You Have to Do More with Less
Increase access to backend data and systems
Decrease risk of unauthorized access
Increase effectiveness of existing resources and investments
Reduce complexity of security infrastructure
Lower operating and capital costs
We know that on a daily basis, you’re having make hard choices on how to do more without spending more.
You are under pressure to open up more of your data to employees, customers, partners, and vendors; at the same time you’re expected to reduce the potential of unauthorized access to your data and backend systems.
You’re also expected to make your existing staff and security technologies more effective, and to do it while spending less
And, we now you’re expected to lower your expenses

4. You Need to Prepare for the Next Threat
Eliminate your blind spots
Demonstrate your policy compliance
Lower your response time
Accelerate adoption of best practices and expert systems
Reduce the potential of significant or catastrophic loss to reputation or revenue
And that’s just part of what you have to deal with; we also realize that you’re looking ahead, when you have time to stop being reactive and so tactically focused.
You also need to make sure you’re prepared for what’s coming next month or next year.
You are looking into the future:
Identify and close the gaps in your security strategy
Measure the positive change in your security posture
Ensure that you can respond quickly to changes in the threatscape or actual attacks
Leverage the expertise of your vendors
Last but not least, ensure that the worst case scenario doesn’t happen.

5. Evolution of the Threat Landscape
Enterprising
Financial Gain
Activism
Recreation

6. Thinking Strategically About Security
Magic Quadrant for
Unified Threat Management
Future-proof your security infrastructure
Anticipate change in threatscape
Look for opportunities to consolidate without compromise
Reduce complexity
Increase protection
Decrease risk
Lower CapEx & OpEx
Move beyond tactical responses to threats
We believe the way to deal with the changing threatscape and demanding business requirements is to take a more strategic approach to your application, data, and network security.
What this means is that you develop a security infrastructure that is able to adapt to changes in threats while also keeping up with changes in the business environment.
An infrastructure that reduces complexity while increasing your ability to detect and block new threats; one that reduces risk while reducing costs.

7. Reducing Complexity Is Critical
Q: What are the top security-related challenges your organization is facing? (base: of those that are involved in Security investments)
The traditional approach of having different devices for different security functions is adding to the problem – not solving it.
Reducing complexity is CRITICAL. According to this survey done by Infoworld, the complexity of security solutions is a bigger problem than mobile clients, regulatory issues, bandwidth or employee misuse of data.
Source: Navigating IT: Objective & Obstacles
Infoworld, May, 2011

8. Solve Everyday Problems
Emily, a financial trader, installed Skype on her company laptop to talk with family.
Endpoint Control
Bill works for a Fortune 100 company and shares company details on Facebook.
Identity & Device-Based Policies
2-Factor Authentication
VPN Tunneling
WAN Optimization
Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
Here are some real world examples of how a variety of Fortinet technologies can solve everyday problems. Again, the breadth of our solution offers you the customer the most complete approach.
Emily – application policy checking via FortiClient
Bill: Identity-based policies + DLP, app control. Bill (the CFO) might authorized to post to the Corporate Facebook page while others might not
Jill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance.
Ed: Detect content with sensitive data
Ed shared a company presentation via his personal Gmail account.
Data Leak Protection 8

9. Improve Productivity – Limiting Web Access
Here’s an example of how Fortinet technologies allows precise control of how people use your IT infrastructure. Of course, this type of control can be modified for different classes of users. For instances at a hospital, nurses might be limited in how much time they can spend on non-work related sites – while Doctors would have no limits.
“Your daily quota for this category of webpage has expired… URL: beach-camera.store.buy.com
Category: Shopping and Auction”

10. Examine All Applications-Don’t Trust Any
Overlapping, complementary layers of protection
Comprehensive, integrated inspection
Allow but don’t trust any application
Examine all application content
An integrated approach enables you to keep up with the changing threatscape without having to purchase more technology.
The criminals are using sophisticated techniques to evade traditional countermeasures. By relying on a single platform with multiple technologies, you get the benefit of layers of security without the performance penalty.
You also get the benefit of our global threat research team’s expertise, which means less reliance on your IT staff’s ability to configure the technology to anticipate new threats.
Fortinet continuously updates our inspection engines to ensure that our customers are fully protected against the latest threats automatically.

11. Application Inspection and Control Overview

12. Application Security Evolution
In the beginning
Apps easily defined
Port or Protocol
Policies easily defined and enforced
Allow or deny
Content and behavior predictable
And then came the Web
The world has never been the same

13. Application Security Evolution
Traditional Approach: Primary line of defense at the perimeter
One-to-one assignment of port to application usage
Web, SNMP, FTP, Telnet
To block the applications, simply close the port
Web
Telnet
SNMP
FTP
Data Center

14. Application Security Evolution
Today: Web-centric world
Requires new approach for securing applications
How to allow trusted applications, deny untrusted?
Threats are application agnostic
Any application can serve as a host to malicious activity
PORT 80
salesforce
WL Messenger
Google
facebook
twitter
YAHOO! MAIL

15. What is Application Control?
Layer 7 analysis of traffic determines the application regardless of TCP port
Doesn’t just associate a port with an application
Can detect IM/P2P/etc running over port 80
Detects applications inside of applications
Tunneling P2P/IM/etc inside http

16. What is Application Control?
Granular control of applications in a network
Allow, block or traffic shape individual applications
Perform above actions based on user identity
Control application commands
Control web applications
Allows a new level of application, port and user-based reporting
What does the application look like on the surface
Port, Source Address, Country of Origin
What does the application look like under the surface
Application, Behavior, Signatures, Reputation

17. Controlling Web Applications
Allow Facebook, but block Facebook applications
Farmville, anyone?
Facebook Chat
Facebook Video
Allow YouTube, but block YouTube download
Allow Google Maps, but block Google Web Talk

18. Proxy Avoidance
Web content filtering provides protection against proxy websites
Application control provides protection against proxy based applications
Ultrasurf, Gtunnel, dozens of others

19. Rate Shaping Traffic doesn’t have to be just allowed or blocked
Now we can rate shape on an application basis instead of just a port number
Allow streaming media usage, but limit bandwidth
Regain control of your Internet link(s)

20. Controlling Application Commands and Web Applications
Allow users to download via FTP (GET) but block uploading (PUT)
Block HTTP Resume
Can circumvent A/V inspection
URL filtering isn’t enough
More and more applications on the web
Impossible to control via a traditional firewall

21. Business Drivers for Application Control
New services and applications
Web 2.0 services over HTTP(S)
IM, P2P and gaming that port-hop
Non-business applications can be problematic and expose liability
IM, P2P and anonymous proxy
Non-productive bandwidth usage
Evasion of security or corporate policy
Difficult to detect and stop
TCP/UDP port filtering ineffective
Next-generation firewall required!

22. Threat Landscape: Malicious Activity within Trusted Applications

23. Security Challenges Blended attacks Application-focused attacks
“Oldies but Goodies” still exist
Nothing goes away. Ever.
“Survival instinct” of applications much higher than before
Built-in evasion techniques
Must assume malicious activity occurs within trusted applications
Let’s take a closer look at some examples…

24. Advanced Evasion Techniques (AETs)
Botnets and APTs employ AETs:
Advanced Persistent Threats (Cyber Threats)
Advanced Evasion Techniques
Fast Flux and Proxies
Communication Encryption and Watermarking
IE: Port 443 Custom Protocol Communication
Code Obfuscation and Packing
Data Safe Havens
Metamorphic & Polymorphic Malware

25. Advanced Evasion Techniques (AETs)

26. Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns
The Corporate Botnet - Phishing Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the compromise of the integrity of the entire network. .
ZEUS/ZBOT
The Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised. .
contains link to false domain
Credentials entered in to fake site
BOT infection sent to user as a “ Facebook Security Update” application
User installs BOT and is now infected, all data is compromised
Connection is then redirected to real Facebook site so user is not suspicious
Prevalent today and sold as a crime kit.

27. Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns
The Corporate Botnet – Legitimate Site Compromised Employee access a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code. .
FakeAV Botnet
The Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised. .
In 2009 the advertising network used by the New York Times was infected by a malicious flash advertisement
Readers were accessing the NYT site but were provided with the infected advertisement
This directed users to a site hosting the exploit code to install fake antivirus software. .

28. Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns
Targeted Attack – Spear Phishing Using social engineering to distribute s with links to malware, the s are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems .
Kneber (Zeus) Botnet
The Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised. .
In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
Data stolen included: Corporate Login credentials and webmail access Online Banking sites Social Network credentials SSL Certificates

29. Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns
Ransomware Once installed is very difficult to reverse, files are encrypted, this isn’t just based on the fear that something might happen, once you are reading the ransom note your data has already been encrypted.
gpCode Ransomware
The Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised. .
Once installed searches hard drive for document and media files
Files are encrypted with a 1024bit key which only the attacker has the decryption key
Ransom note is displayed to user, system continues to operate but data is inaccessible
Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc…

30. Trends: Crimeware & Crime Services
Ransom, Blackmail, Turf Wars
Up to $150k USD Monthly
Crimeware
Weaponized Exploits for Sale ($10k+)
Crime Services
New Horizons: Cloud Processing

31. 31

32. Trends: Crimeware & Crime Services
Affiliate Programs (PPI):
Earn $140 / 1K Installs (USA) 32

33. Zeus botnet operators rely heavily on mules …33

34. Crimeware: Documents, GUIs, Management34

35. Mobile Vulnerabilities
< 2010: iOS Jailbreaks, Public Concept
2011: Rage in the Cage
Android < 2.1/2.2
March 2011 – 21 Apps Pulled
2012: Levitator
Android < 2.3.6
Honeycomb, Ice Cream (3&4)
: Galaxy S3
NFC (Near Field Communication) Payload
Drive-By Remote Wipe

36. Mobile Malware Zitmo (Zeus in the Mobile) SMS Spy Upgrade 2012-2013:
Tigerbot Auto-Jailbreak [Spy Trojan]
Symbian, Blackberry, Android
Zitmo (Zeus in the Mobile) SMS Spy Upgrade
Android/Fakemart (20 Y/O Arrest, 500k Euros Profit)
Cloud To Device Messaging (Google C2DM)
CAPTCHA Cracking (OCR), Uninstall Hooks
Ransomware and APT...

37. Addressing the Threat Landscape: Complete Content Protection

38. Followed The Internet Evolution
Security:
Followed The Internet Evolution
APP LAYER ATTACKS
APP CONTROL
SPYWARE
ANTI-SPYWARE
WORMS
ANTI-SPAM
SPAM
Performance - Damage
BANNED CONTENT
WEB FILTER
TROJANS
ANTI-VIRUS
VIRUSES
INTRUSIONS
IPS
CONTENT-BASED
VPN
Many new companies have come up with point security solutions to address each new application and attack as the threat landscape has evolved, and the network vendor players like Cisco and Juniper keep buying more point products to add on top of their firewall and VPN, resulting in more and more complex, costly deployments for customers.
CONNECTION-BASED
FIREWALL
HARDWARE THEFT
HARDWARE THEFT
HARDWARE THEFT
LOCK & KEY
PHYSICAL
1980s
1990s
2000s
Today

39. More Expense, Less Security, Less Control
The Result:
More Expense, Less Security, Less Control
“I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.”
“Security Professionals Say Network Breaches Are Rampant” Ponemon Institute Survey New York Times 6/22/11
Your network might look something like this…
It’s too complicated.
And – it leads to security holes.
Expensive, complex, lack of control, chase new box in months
Are you really more secure??
Here’s what was said in a recent NY Times article…..
“I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.”
“Security Professionals Say Network Breaches Are Rampant” Ponemon Institute Survey - New York Times 6/22/11

40. Complete Content Protection
APP LAYER ATTACKS
APP CONTROL
SPYWARE
ANTI-SPYWARE
WORMS
ANTI-SPAM
SPAM
Performance - Damage
BANNED CONTENT
WEB FILTER
TROJANS
ANTI-VIRUS
VIRUSES
INTRUSIONS
IPS
CONTENT-BASED
VPN
Fortinet’s approach was to create Unified Threat Management. The UTM solution, which tightly integrates many functions and point products together into a single platform.
UTM is defined as a device that “Unifies” multiple security features, including firewall/VPN, Intrusion Detection/Prevention and gateway antivirus, at a minimum, Fortinet offer s all these plus much more features.
We also leverage our FortiASIC to accelerate performance, and, as we discussed, we utilize our FortiGuard Labs for real-time global update service, this solution effectively protects our customers in today’s challenging network environment
CONNECTION-BASED
FIREWALL
HARDWARE THEFT
LOCK & KEY
PHYSICAL
1980s
1990s
2000s
Today

41. Consolidated Security with Real Time Updates
Application Control: Unwanted Services and P2P Limiting Botnet command channel, compromised Facebook applications, independent of port or protocol
Intrusion Prevention: Vulnerabilities and Exploits Browser and website attack code crafted by hackers and criminal gangs.
Web Filtering: Multiple categories and Malicious sites Botnet command, phishing, search poisoning, inappropriate content
Vulnerability Management: Real time exploit updates Multiple scanning points FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScan
Antispam: Unsolicited messages Phishing, Malware, Social Engineering and Junk
Antivirus: All malicious code Documents, macros, scripts, executables Delivered via Web, , USB, Instant messaging, social networks, etc

42. The Zeus Attack vs. Complete Content Protection
Sent – Contains link to compromised site .
Mail message detected as spam (phishing)
End user accesses phishing site, enters credentials, and criminals now have their details ..
Access to phishing website is blocked
ANTISPAM
WEB FILTER
Phishing site sends BOT infection to user disguised as ‘Security Update’ application
Content scanning prevents malicious content from being downloaded
ANTIVIRUS
End user executes BOT application, is infected and now all their data is compromised
Botnet command channel is blocked, no compromised data can be sent. Security administrator is alerted of the infected system.
INTRUSION DETECTION

43. Real Threat Protection in Action
Problem:
Error message:
“Drops” copy of itself on system and attempts to propagate
“Innocent” Video Link:
Redirects to malicious Website
“Out of date” Flash player error:
“Download” malware file
Solution:
Integrated Web Filtering
Blocks access to malicious Website
Here is an example of our approach in action. This is the Koobface attack, that starts as a link to a non-existent video on a malicious site sent via IM, , or webmail.
The first layer of protection is web filtering to block access to the site.
If the user clicks on the link, he would receive a phony alert telling him his player is not working, and to download a non-existent new version on a malicious site.
By clicking on the “OK” button on the phony Error message, the user is actually instructing his system to install the virus.
Antivirus protection would detect the file that the user is trying to install, and block it
Once installed, the worm would try to propagate. The IPS technology would detect the propagation effort, and block it before it could succeed.
Network Antivirus
Blocks download of virus
Intrusion Protection
Blocks the spread of the worm

44. FortiGate Integrated security appliance Accelerated performance
Network threat detection
Application-aware content scanning
Accelerated performance
Hardware acceleration with custom ASICs
Reduce the number of vendors and appliances
No 3rd party software/subscription dependencies
No user count or application licensing
FortiGuard Services
Antivirus, IPS, App Controls, Antispam, Web Content Filtering

45. World’s Fastest Firewall
Tests Using BreakingPoint™ FireStorm Prove FortiGate-5140B to be the World's Fastest Firewall
559 Gbps of UDP traffic
526 Gbps of real-world application traffic
Facebook, Pandora Radio and AOL Instant Messenger
Up to 10,000 iTunes songs per second
Up to 228,000 Web pages per second
Real-World Testing

46. FortiGuard Distribution Network: Global Research, Updates, Services
FortiGuard Research:
Rootkits: Kernel Hooks
Botnets: Dynamic Monitoring, Spambots, New Malware Protocols
Malware: Code Techniques-PDF/Flash/Doc
Security: Exploits & Vulnerabilities, Zero Day Detection
Packer Research: Unpacking, Generic Detection
FortiGuard Services:
AV Signatures – 4x Daily
IPS Signatures – 2x Daily
Antispam/Web Content Filtering – Real Time
Sample Collection
Signature Creation
Alerts & Escalation
Our FortiGuard labs operate around the clock and around the world. Over 200 professionals are constantly tracking the threat landscape and provide continuous updates. AND, the fact the we don’t rely on third parties for our updates ensures that these updates are current and will work seamlessly on our devices.
Global Distribution Network:
Application Control
Vulnerability Management
Antispam
Web Filtering
Intrusion Prevention
Antivirus

47. Thank you!
Questions?