Next Generation Firewalls:


1 Next Generation Firewalls:
A Discussion on Consolidated Security, Application Inspection and Blended Threat Mitigation
Christian Barnes
Materials: Kostas Sfakiotakis, FCNSP, Manager, Systems Engineering

2 The Threats You Face Continue to Grow
Motive and intent have moved from notoriety to financial gain. Cyber security is critical.
In the news:
- Stuxnet attack on an Iranian nuclear facility
- Flame virus, described as 10 times more sophisticated than Stuxnet
- RSA and Sony APT breaches
- Anonymous BART attack
- Healthnet's medical records compromised
- US banks targeted by Russian cyber-gangster groups
- Google and Yahoo targeted by DNS attacks
- SCADA protocols targeted by cyber-terrorist groups
- Hundreds more...
(Chart: exponential growth in malware threats, in thousands. Chart: U.S. DoD reported incidents of malicious cyber activity, in thousands.) Coordinated and blended attacks are now common practice, and inspecting them requires more processing power.
Speaker notes: Enough about Fortinet. Let's talk about the challenges you're dealing with. You know that threats are increasing in volume, severity, and complexity. You see this day in and day out. Our FortiGuard Global Threat Research Team identified more malware in 2008 than in all the years through 2007 combined. In addition, we saw the number of malware incidents jump eight-fold in 2008 from 2005 levels. The headlines you read are filled with examples of attackers successfully breaching network security systems for financial or political gain. You have also seen the evolution of attacks from fairly simple network-based threats to sophisticated content-level attacks. Seemingly innocuous data traffic now transmits spam, malware, viruses and other types of IT threats.

3 You Have to Do More with Less
- Increase access to backend data and systems
- Decrease the risk of unauthorized access
- Increase the effectiveness of existing resources and investments
- Reduce the complexity of the security infrastructure
- Lower operating and capital costs
Speaker notes: We know that on a daily basis you're having to make hard choices on how to do more without spending more. You are under pressure to open up more of your data to employees, customers, partners, and vendors; at the same time you're expected to reduce the potential of unauthorized access to your data and backend systems. You're also expected to make your existing staff and security technologies more effective, and to do it while spending less. And we know you're expected to lower your expenses.

4 You Need to Prepare for the Next Threat
- Eliminate your blind spots
- Demonstrate your policy compliance
- Lower your response time
- Accelerate adoption of best practices and expert systems
- Reduce the potential of significant or catastrophic loss to reputation or revenue
Speaker notes: And that's just part of what you have to deal with; we also realize that you're looking ahead, to when you have time to stop being reactive and so tactically focused. You also need to make sure you're prepared for what's coming next month or next year. Looking into the future, you want to: identify and close the gaps in your security strategy; measure the positive change in your security posture; ensure that you can respond quickly to changes in the threatscape or to actual attacks; leverage the expertise of your vendors; and, last but not least, ensure that the worst-case scenario doesn't happen.

5 Evolution of the Threat Landscape
(Chart of attacker motivation over time; labels: Enterprising, Financial Gain, Activism, Recreation.)

6 Thinking Strategically About Security
(Chart: Gartner Magic Quadrant for Unified Threat Management.)
Future-proof your security infrastructure:
- Anticipate change in the threatscape
- Look for opportunities to consolidate without compromise
- Reduce complexity, increase protection, decrease risk
- Lower CapEx and OpEx
- Move beyond tactical responses to threats
Speaker notes: We believe the way to deal with the changing threatscape and demanding business requirements is to take a more strategic approach to your application, data, and network security. This means developing a security infrastructure that is able to adapt to changes in threats while also keeping up with changes in the business environment: an infrastructure that reduces complexity while increasing your ability to detect and block new threats, and one that reduces risk while reducing costs.

7 Reducing Complexity Is Critical
(Survey chart.) Q: What are the top security-related challenges your organization is facing? (Base: respondents involved in security investments.)
Speaker notes: The traditional approach of having different devices for different security functions is adding to the problem, not solving it. Reducing complexity is critical. According to this survey by InfoWorld, the complexity of security solutions is a bigger problem than mobile clients, regulatory issues, bandwidth or employee misuse of data.
Source: Navigating IT: Objectives & Obstacles, InfoWorld, May 2011.

8 Solve Everyday Problems
- Emily, a financial trader, installed Skype on her company laptop to talk with family. (Endpoint Control)
- Bill works for a Fortune 100 company and shares company details on Facebook. (Identity and Device-Based Policies)
- Jill is at Starbucks and needs to communicate and be protected as if she were at HQ. (Two-Factor Authentication, VPN Tunneling, WAN Optimization)
- Ed shared a company presentation via his personal Gmail account. (Data Leak Protection)
Speaker notes: Here are some real-world examples of how a variety of Fortinet technologies can solve everyday problems. Again, the breadth of our solution offers you, the customer, the most complete approach. Emily: application policy checking via FortiClient. Bill: identity-based policies plus DLP and application control; Bill (the CFO) might be authorized to post to the corporate Facebook page while others might not. Jill: setting up a VPN with two-factor authentication and WAN optimization for improved application performance. Ed: detect content containing sensitive data.

9 Improve Productivity – Limiting Web Access
Speaker notes: Here's an example of how Fortinet technologies allow precise control of how people use your IT infrastructure. Of course, this type of control can be modified for different classes of users. For instance, at a hospital, nurses might be limited in how much time they can spend on non-work-related sites, while doctors would have no limits.
(Screenshot of the block page: "Your daily quota for this category of webpage has expired... URL: ... Category: Shopping and Auction")

10 Examine All Applications-Don’t Trust Any
- Overlapping, complementary layers of protection
- Comprehensive, integrated inspection
- Allow, but don't trust, any application
- Examine all application content
Speaker notes: An integrated approach enables you to keep up with the changing threatscape without having to purchase more technology. Criminals are using sophisticated techniques to evade traditional countermeasures. By relying on a single platform with multiple technologies, you get the benefit of layered security without the performance penalty. You also get the benefit of our global threat research team's expertise, which means less reliance on your IT staff's ability to configure the technology to anticipate new threats. Fortinet continuously updates our inspection engines so that customers are protected against the latest threats automatically.

11 Application Inspection and Control Overview

12 Application Security Evolution
In the beginning:
- Apps were easily defined by port or protocol
- Policies were easily defined and enforced: allow or deny
- Content and behavior were predictable
And then came the Web. The world has never been the same.

13 Application Security Evolution
Traditional approach:
- Primary line of defense at the perimeter
- One-to-one assignment of port to application usage (Web, SNMP, FTP, Telnet)
- To block an application, simply close its port
(Diagram: Web, Telnet, SNMP and FTP each entering the data center on its own port.)

14 Application Security Evolution
Today: a web-centric world
- Requires a new approach to securing applications
- How do you allow trusted applications and deny untrusted ones?
- Threats are application agnostic: any application can serve as a host for malicious activity
(Diagram: Salesforce, WL (Windows Live) Messenger, Google, Facebook, Twitter and Yahoo! Mail all arriving on port 80.)

15 What is Application Control?
- Layer 7 analysis of traffic determines the application regardless of TCP port; it doesn't just associate a port with an application
- Can detect IM, P2P and similar traffic running over port 80
- Detects applications inside of applications, such as P2P or IM tunneled inside HTTP

16 What is Application Control?
Granular control of applications in a network:
- Allow, block or traffic-shape individual applications
- Perform the above actions based on user identity
- Control application commands
- Control web applications
- Allows a new level of application-, port- and user-based reporting
What the application looks like on the surface: port, source address, country of origin.
What the application looks like under the surface: application, behavior, signatures, reputation.
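As an added example (not code from the presentation or from Fortinet), the Python sketch below shows the difference slides 15 and 16 describe: the application is identified from the first bytes of the stream rather than from the destination port, an HTTP request is inspected for a protocol tunneled inside it, and the resulting label is matched against an identity-aware policy with allow, block and shape actions. The payload signatures, user groups, policy rules and sample flows are constructed assumptions for illustration.

```python
"""Port-independent application identification and identity-aware policy.

Added example, not Fortinet code. A port filter decides from the TCP port;
application control decides from the content of the stream and looks inside
HTTP for a tunneled protocol. Signatures and policy below are constructed.
"""
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ")


def identify(payload: bytes) -> str:
    """Classify the start of a TCP stream by its content; the port is not consulted."""
    if payload.startswith(b"\x13BitTorrent protocol"):      # BitTorrent peer handshake
        return "bittorrent"
    if payload.startswith(b"SSH-"):                          # SSH version banner
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                                          # TLS handshake record carrying a ClientHello
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def identify_nested(payload: bytes) -> str:
    """Look inside HTTP for an application riding in the body or through CONNECT."""
    app = identify(payload)
    if app != "http":
        return app
    head, sep, body = payload.partition(b"\r\n\r\n")
    if head.startswith(b"CONNECT "):
        return "http.connect-tunnel"
    if sep and body:
        inner = identify(body)
        if inner != "unknown":
            return "http/" + inner
    return "http"


@dataclass(frozen=True)
class Rule:
    group: str    # user group from the identity source; "*" matches any group
    app: str      # label produced by identify_nested()
    action: str   # "allow", "block" or "shape:<kbit/s>"


# Ordered policy, first match wins; anything unmatched is blocked (constructed).
POLICY = [
    Rule("it-admins", "ssh", "allow"),
    Rule("*", "bittorrent", "block"),
    Rule("*", "http/bittorrent", "block"),
    Rule("*", "http.connect-tunnel", "block"),
    Rule("*", "http", "allow"),
    Rule("*", "tls", "allow"),
]


def decide(group: str, payload: bytes) -> tuple[str, str]:
    """Return (application, action) for a flow started by a user in `group`."""
    app = identify_nested(payload)
    for rule in POLICY:
        if rule.group in ("*", group) and rule.app == app:
            return app, rule.action
    return app, "block"


def port_based(port: int) -> str:
    """What a traditional port filter would do with the same flow."""
    return "allow" if port in (80, 443) else "block"


if __name__ == "__main__":
    flows = [  # (user group, destination port, first bytes of the stream): constructed samples
        ("sales", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        ("sales", 80, b"\x13BitTorrent protocol" + bytes(48)),
        ("sales", 80, b"POST /up HTTP/1.1\r\nHost: relay.example\r\n\r\n\x13BitTorrent protocol"),
        ("sales", 443, b"CONNECT irc.example:6667 HTTP/1.1\r\nHost: irc.example\r\n\r\n"),
        ("it-admins", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
        ("sales", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]
    for group, port, data in flows:
        app, action = decide(group, data)
        print(f"{group:10} port {port:<4} port-filter={port_based(port):5} "
              f"app={app:20} app-control={action}")
```

The second and third flows are the point of the slide: a port filter allows both because they arrive on port 80, while content inspection labels them bittorrent and http/bittorrent and blocks them. Encrypted traffic only yields the label tls here; distinguishing applications inside TLS needs either SNI/certificate metadata or TLS inspection on the gateway.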

17 Controlling Web Applications
- Allow Facebook, but block Facebook applications (Farmville, anyone?), Facebook Chat and Facebook Video
- Allow YouTube, but block YouTube download
- Allow Google Maps, but block Google Talk
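The Host/path split this slide relies on, as an added example that is not part of the presentation or of Fortinet's signature set: the HTTP Host header and request path divide one site into sub-applications that policy can treat differently. The host names and path prefixes below are constructed stand-ins chosen to illustrate the mechanism; the real endpoints differ and change over time, which is why such signatures are vendor-maintained.

```python
"""Web sub-application control from the HTTP Host header and path.

Added example, not Fortinet code. Signature patterns and policy are constructed.
"""
import re

# (host regex, path regex, sub-application label): ordered, first match wins.
WEB_APP_SIGNATURES = [
    (r"^apps\.facebook\.com$",    r".*",                     "facebook.apps"),
    (r"^(www\.)?facebook\.com$",  r"^/ajax/(chat|mercury)/", "facebook.chat"),
    (r"^(www\.)?facebook\.com$",  r"^/video/",               "facebook.video"),
    (r"^(www\.)?facebook\.com$",  r".*",                     "facebook"),
    (r"^(www\.)?youtube\.com$",   r"^/get_video",            "youtube.download"),
    (r"^(www\.)?youtube\.com$",   r".*",                     "youtube"),
    (r"^maps\.google\.com$",      r".*",                     "google.maps"),
    (r"^talk\.google\.com$",      r".*",                     "google.talk"),
]

# Only the sub-applications the slide wants blocked are listed; the parent apps stay allowed.
POLICY = {
    "facebook.apps": "block",
    "facebook.chat": "block",
    "facebook.video": "block",
    "youtube.download": "block",
    "google.talk": "block",
}
DEFAULT_ACTION = "allow"


def parse_request(raw: bytes):
    """Return (method, host, path) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()   # drop any :port suffix
    return method, host, target


def classify(host: str, path: str) -> str:
    """Map a host/path pair to the most specific matching sub-application."""
    for host_re, path_re, label in WEB_APP_SIGNATURES:
        if re.match(host_re, host) and re.match(path_re, path):
            return label
    return "web.other"


def decide(raw: bytes):
    """Return (sub-application, action) for one request."""
    _method, host, path = parse_request(raw)
    app = classify(host, path)
    return app, POLICY.get(app, DEFAULT_ACTION)


if __name__ == "__main__":
    samples = [  # constructed requests
        b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
        b"POST /ajax/chat/send.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
        b"GET /1234/farmville HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n",
        b"GET /watch?v=abc HTTP/1.1\r\nHost: youtube.com\r\n\r\n",
        b"GET /get_video?id=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: talk.google.com\r\n\r\n",
    ]
    for raw in samples:
        print(decide(raw))
```

When the site is served over HTTPS, the gateway sees only the TLS SNI host name unless it performs TLS inspection, so a host-only rule (talk.google.com) still works but the path-level distinction between Facebook and Facebook Chat requires decrypting the session.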

18 Proxy Avoidance
- Web content filtering provides protection against proxy websites
- Application control provides protection against proxy-based applications: Ultrasurf, Gtunnel and dozens of others

19 Rate Shaping
Traffic doesn't have to be just allowed or blocked.
- Now we can rate-shape on an application basis instead of just a port number
- Allow streaming media usage, but limit its bandwidth
- Regain control of your Internet link(s)
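How an application-level bandwidth limit can be enforced, as an added example (not Fortinet's implementation): one token bucket per shaped application, fed with a constructed one-second packet trace in which streaming is offered at 12 Mbit/s while policy caps it at 1 Mbit/s. The application labels, rate and burst values are assumptions; identifying the application for each packet is assumed to have happened already.

```python
"""Per-application rate shaping with a token bucket.

Added example, not Fortinet code. Applications, limits and the trace are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                     # sustained bytes per second
    burst: int                      # bucket depth in bytes (largest permitted burst)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def take(self, size: int, now: float) -> bool:
        """Refill for the elapsed time, then spend `size` tokens if enough are available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class Shaper:
    """One bucket per shaped application; everything else is forwarded untouched."""

    def __init__(self, limits):
        self.buckets = {app: TokenBucket(rate, burst) for app, (rate, burst) in limits.items()}

    def handle(self, app: str, size: int, now: float) -> str:
        bucket = self.buckets.get(app)
        if bucket is None or bucket.take(size, now):
            return "forward"
        return "drop"   # a real shaper queues and delays; dropping keeps the model short


def simulate(limits, packets):
    """Run a (time, app, size) trace through the shaper and count the outcome per app."""
    shaper = Shaper(limits)
    stats = {}
    for now, app, size in packets:
        entry = stats.setdefault(app, {"forwarded": 0, "dropped": 0, "bytes": 0})
        if shaper.handle(app, size, now) == "forward":
            entry["forwarded"] += 1
            entry["bytes"] += size
        else:
            entry["dropped"] += 1
    return stats


# Constructed policy: streaming media capped at 1 Mbit/s (125 000 B/s) with a 15 kB burst.
LIMITS = {"streaming": (125_000, 15_000)}


def sample_trace():
    """One second of constructed traffic: streaming at 12 Mbit/s plus light web browsing."""
    trace = [(i / 1000, "streaming", 1500) for i in range(1000)]   # 1500 B every 1 ms
    trace += [(i / 100, "http", 800) for i in range(100)]           # 800 B every 10 ms
    trace.sort(key=lambda p: p[0])                                  # the bucket needs monotonic time
    return trace


if __name__ == "__main__":
    for app, s in simulate(LIMITS, sample_trace()).items():
        print(f"{app:10} forwarded={s['forwarded']:4} dropped={s['dropped']:4} bytes={s['bytes']}")
```

Over the one-second trace the streaming application gets at most the burst plus one second of sustained rate (about 140 kB), everything beyond that is held back, and the web traffic, which has no bucket, passes without loss.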

20 Controlling Application Commands and Web Applications
- Allow users to download via FTP but block uploading: the ftp client's get sends RETR on the control channel, its put sends STOR
- Block HTTP resume (Range requests): a file fetched in pieces can circumvent A/V inspection, because each partial response is scanned on its own
- URL filtering isn't enough: there are more and more applications on the web, and they are impossible to control via a traditional firewall
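Two of the points above, as an added example that is not from the presentation or from Fortinet: why a file fetched in pieces with HTTP Range requests slips past a scanner that looks at each response on its own, what a gateway has to do instead (reassemble the object before scanning, or refuse partial content), and what blocking FTP uploads amounts to on the control channel. The antivirus signature, the file, and the HTTP and FTP messages are all constructed.

```python
"""HTTP resume (Range) evasion of per-response scanning, and FTP command control.

Added example, not Fortinet code. Signature, file and messages are constructed.
"""

SIGNATURE = b"EVIL-MARKER-0001"   # constructed stand-in for one antivirus signature


def scan(blob: bytes) -> bool:
    """True if the signature appears in the data handed to the scanner."""
    return SIGNATURE in blob


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_content_range(value: str):
    """'bytes 0-17/40' -> (0, 17, 40)."""
    _unit, _, rng = value.partition(" ")
    span, _, total = rng.partition("/")
    start, _, end = span.partition("-")
    return int(start), int(end), int(total)


def per_response_verdicts(responses):
    """What a scanner that inspects each response independently concludes."""
    return [scan(parse_response(r)[2]) for r in responses]


class ObjectReassembler:
    """Collect 206 Partial Content fragments per object and scan the whole file.

    The key must identify one version of the file (URL plus ETag or Last-Modified).
    A gateway that cannot buffer and reassemble should refuse Range requests for
    content types it scans; otherwise the split shown here defeats it.
    """

    def __init__(self):
        self.objects = {}   # key -> {"total": int, "parts": {start_offset: bytes}}

    def feed(self, key: str, raw: bytes):
        """Return True/False once a verdict exists, None while the object is incomplete."""
        status, headers, body = parse_response(raw)
        if status != 206:
            return scan(body)                           # a complete response is scanned as-is
        start, _end, total = parse_content_range(headers["content-range"])
        obj = self.objects.setdefault(key, {"total": total, "parts": {}})
        obj["parts"][start] = body
        if sum(len(p) for p in obj["parts"].values()) < obj["total"]:
            return None
        data = b"".join(part for _, part in sorted(obj["parts"].items()))
        return scan(data)


FTP_UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}   # what the ftp client's put and append send


def ftp_control_verdict(line: bytes) -> str:
    """Allow or block one FTP control-channel command; get is RETR, put is STOR."""
    command = line.decode("latin-1").strip().split(" ", 1)[0].upper()
    return "block" if command in FTP_UPLOAD_COMMANDS else "allow"


def sample_range_responses():
    """Two constructed 206 responses that split a 40-byte file inside the signature."""
    body = b"A" * 10 + SIGNATURE + b"B" * 14          # signature occupies offsets 10..25
    first, second = body[:18], body[18:]              # the cut lands in the middle of it
    r1 = (b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 0-17/40\r\n"
          b"Content-Length: 18\r\n\r\n" + first)
    r2 = (b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 18-39/40\r\n"
          b"Content-Length: 22\r\n\r\n" + second)
    return [r1, r2]


if __name__ == "__main__":
    responses = sample_range_responses()
    print("per-response verdicts:", per_response_verdicts(responses))
    reassembler = ObjectReassembler()
    key = "http://files.example/tool.exe|etag:abc"     # constructed object key
    print("reassembled verdicts:", [reassembler.feed(key, r) for r in responses])
    for line in (b"RETR report.pdf\r\n", b"STOR secrets.zip\r\n"):
        print(line.strip().decode(), "->", ftp_control_verdict(line))
```

The two fragments each scan clean, and only the reassembled object trips the signature; the same split happens naturally whenever a download manager resumes a transfer, which is why the slide treats HTTP resume as something to block rather than a corner case.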

21 Business Drivers for Application Control
New services and applications:
- Web 2.0 services over HTTP(S)
- IM, P2P and gaming that port-hop
Non-business applications can be problematic and expose liability:
- IM, P2P and anonymous proxies
- Non-productive bandwidth usage
- Evasion of security or corporate policy
Difficult to detect and stop: TCP/UDP port filtering is ineffective. A next-generation firewall is required!

22 Threat Landscape: Malicious Activity within Trusted Applications

23 Security Challenges
- Blended attacks
- Application-focused attacks
- "Oldies but goodies" still exist: nothing goes away. Ever.
- The "survival instinct" of applications is much higher than before, with built-in evasion techniques
- Must assume malicious activity occurs within trusted applications
Let's take a closer look at some examples...

24 Advanced Evasion Techniques (AETs)
Botnets and APTs employ AETs:
- Advanced Persistent Threats (cyber threats)
- Advanced Evasion Techniques
- Fast flux and proxies
- Communication encryption and watermarking (e.g. over port 443)
- Custom protocol communication
- Code obfuscation and packing
- Data safe havens
- Metamorphic and polymorphic malware

25 Advanced Evasion Techniques (AETs)

26 Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns: The Corporate Botnet, Phishing
An employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a botnet, opening the door to a compromise of the integrity of the entire network.
Example: ZEUS/ZBOT
- Email contains a link to a false domain
- Credentials are entered into the fake site
- Bot infection is sent to the user as a "Facebook Security Update" application
- User installs the bot and is now infected; all data is compromised
- Connection is then redirected to the real Facebook site so the user is not suspicious
Prevalent today and sold as a crime kit.

27 Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns: The Corporate Botnet, Legitimate Site Compromised
An employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
Example: FakeAV botnet
- In 2009 the advertising network used by the New York Times served a malicious Flash advertisement
- Readers were accessing the NYT site but were served the infected advertisement
- This directed users to a site hosting the exploit code to install fake antivirus software

28 Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns: Targeted Attack, Spear Phishing
Social engineering is used to distribute emails with links to malware; the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.
Example: Kneber (Zeus) botnet
- In 2010 a spear-phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
- Data stolen included corporate login credentials and webmail access, online banking sites, social network credentials and SSL certificates

29 Threat Landscape-Blended Threat & Botnet Examples
CIO Fears and Concerns: Ransomware
Once installed it is very difficult to reverse: files are encrypted. This isn't just fear that something might happen; by the time you are reading the ransom note your data has already been encrypted.
Example: GpCode ransomware
- Once installed, searches the hard drive for document and media files
- Files are encrypted with a 1024-bit (RSA) key; only the attacker holds the matching decryption key
- A ransom note is displayed to the user; the system continues to operate but the data is inaccessible
- Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc.

30 Trends: Crimeware & Crime Services
- Ransom, blackmail, turf wars: up to $150k USD monthly
- Crimeware: weaponized exploits for sale ($10k+)
- Crime services
- New horizons: cloud processing

31

32 Trends: Crimeware & Crime Services
Affiliate programs (PPI, pay-per-install): earn $140 per 1,000 installs (USA)

33 Zeus botnet operators rely heavily on mules …

34 Crimeware: Documents, GUIs, Management

35 Mobile Vulnerabilities
- Before 2010: iOS jailbreaks, public proof-of-concept code
- 2011: Rage Against the Cage (Android < 2.1/2.2); March 2011, 21 apps pulled from the market
- 2012: Levitator (Android < 2.3.6); Honeycomb and Ice Cream Sandwich (Android 3 and 4); Galaxy S3 NFC (Near Field Communication) payload; drive-by remote wipe

36 Mobile Malware 2012-2013
- Tigerbot: auto-jailbreak spy trojan (Symbian, BlackBerry, Android)
- Zitmo (Zeus in the Mobile): SMS spy upgrade
- Android/Fakemart (20-year-old arrested, 500k euros profit)
- Cloud to Device Messaging (Google C2DM) abuse
- CAPTCHA cracking (OCR), uninstall hooks
- Ransomware and APT...

37 Addressing the Threat Landscape: Complete Content Protection

38 Security Followed The Internet Evolution
(Timeline chart, 1980s to today, plotting performance against damage: physical security with lock and key against hardware theft; connection-based security with firewall and VPN; content-based security with IPS against intrusions, antivirus against viruses and trojans, web filter against banned content, antispam against spam, anti-spyware against spyware, and app control against application-layer attacks.)
Speaker notes: Many new companies have come up with point security solutions to address each new application and attack as the threat landscape has evolved, and the network vendors like Cisco and Juniper keep buying more point products to add on top of their firewall and VPN, resulting in more and more complex, costly deployments for customers.

39 More Expense, Less Security, Less Control
"I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks." ("Security Professionals Say Network Breaches Are Rampant", Ponemon Institute survey, New York Times, 6/22/11)
Speaker notes: Your network might look something like this... It's too complicated, and it leads to security holes: expensive, complex, lacking control, chasing a new box every few months. Are you really more secure? Here's what was said in a recent NY Times article, quoted above.

40 Complete Content Protection
(Same timeline chart as on slide 38, with the content-based layers consolidated into one platform.)
Speaker notes: Fortinet's approach was to create Unified Threat Management: a solution that tightly integrates many functions and point products into a single platform. UTM is defined as a device that unifies multiple security features, including at a minimum firewall/VPN, intrusion detection/prevention and gateway antivirus; Fortinet offers all of these plus many more features. We also leverage our FortiASIC to accelerate performance, and, as we discussed, we utilize FortiGuard Labs for a real-time global update service. This solution effectively protects our customers in today's challenging network environment.

41 Consolidated Security with Real Time Updates
- Application Control: unwanted services and P2P limiting. Botnet command channels and compromised Facebook applications, independent of port or protocol.
- Intrusion Prevention: vulnerabilities and exploits. Browser and website attack code crafted by hackers and criminal gangs.
- Web Filtering: multiple categories and malicious sites. Botnet command, phishing, search poisoning, inappropriate content.
- Vulnerability Management: real-time exploit updates. Multiple scanning points: FortiGate, FortiAnalyzer, FortiWeb, FortiDB and FortiScan.
- Antispam: unsolicited messages. Phishing, malware, social engineering and junk.
- Antivirus: all malicious code. Documents, macros, scripts and executables, delivered via web, email, USB, instant messaging, social networks, etc.

42 The Zeus Attack vs. Complete Content Protection
Attack step, and the protection layer that stops it:
1. An email is sent containing a link to a compromised site. The mail message is detected as spam (phishing). (ANTISPAM)
2. The end user accesses the phishing site and enters credentials; the criminals now have their details. Access to the phishing website is blocked. (WEB FILTER)
3. The phishing site sends the bot infection to the user disguised as a "Security Update" application. Content scanning prevents the malicious content from being downloaded. (ANTIVIRUS)
4. The end user executes the bot application, is infected, and all their data is compromised. The botnet command channel is blocked so no compromised data can be sent, and the security administrator is alerted to the infected system. (INTRUSION DETECTION)

43 Real Threat Protection in Action
Problem (diagram labels): an "innocent" video link redirects to a malicious website; an "out of date" Flash player error message offers a malware "download"; once run, the malware drops a copy of itself on the system and attempts to propagate.
Solution:
- Integrated web filtering blocks access to the malicious website
- Network antivirus blocks the download of the virus
- Intrusion prevention blocks the spread of the worm
Speaker notes: Here is an example of our approach in action. This is the Koobface attack, which starts as a link to a non-existent video on a malicious site, sent via IM, email, or webmail. The first layer of protection is web filtering, which blocks access to the site. If the user clicks on the link, he receives a phony alert telling him his player is not working and that he should download a new version from a malicious site. By clicking "OK" on the phony error message, the user is actually instructing his system to install the virus. Antivirus protection would detect the file the user is trying to install and block it. Once installed, the worm would try to propagate; the IPS technology would detect the propagation attempt and block it before it could succeed.

44 FortiGate: Integrated Security Appliance, Accelerated Performance
- Network threat detection
- Application-aware content scanning
- Accelerated performance: hardware acceleration with custom ASICs
- Reduce the number of vendors and appliances
- No 3rd-party software or subscription dependencies
- No user-count or application licensing
- FortiGuard Services: antivirus, IPS, application control, antispam, web content filtering

45 World’s Fastest Firewall
Tests using BreakingPoint FireStorm are claimed to show the FortiGate-5140B to be the world's fastest firewall:
- 559 Gbps of UDP traffic
- 526 Gbps of real-world application traffic (Facebook, Pandora Radio and AOL Instant Messenger)
- Up to 10,000 iTunes songs per second
- Up to 228,000 web pages per second
Real-world testing.

46 FortiGuard Distribution Network: Global Research, Updates, Services
FortiGuard Research:
- Rootkits: kernel hooks
- Botnets: dynamic monitoring, spambots, new malware protocols
- Malware: code techniques (PDF, Flash, Doc)
- Security: exploits and vulnerabilities, zero-day detection
- Packer research: unpacking, generic detection
FortiGuard Services:
- AV signatures: 4x daily
- IPS signatures: 2x daily
- Antispam and web content filtering: real time
- Sample collection, signature creation, alerts and escalation
Global Distribution Network: application control, vulnerability management, antispam, web filtering, intrusion prevention, antivirus.
Speaker notes: Our FortiGuard Labs operate around the clock and around the world. Over 200 professionals constantly track the threat landscape and provide continuous updates. And the fact that we don't rely on third parties for our updates ensures that these updates are current and will work seamlessly on our devices.

47 Thank you! Questions?
