
1 Next Generation Firewalls: A Discussion on Consolidated Security, Application Inspection and Blended Threat Mitigation
Presenter: Christian Barnes
Materials: Kostas Sfakiotakis, FCNSP, Manager, Systems Engineering

2 The Threats You Face Continue to Grow
(Charts: exponential growth in malware threats, in thousands; U.S. DoD reported incidents of malicious cyber activity, in thousands)
- Coordinated and blended attacks are now common practice
- More processing power is required to inspect them
- Motive and intent have moved from notoriety to financial gain
- Cyber security is critical
In the news:
- Stuxnet attack on an Iranian nuclear facility
- Flame virus, described as 10 times more sophisticated than Stuxnet
- RSA and Sony APT breaches
- Anonymous attack on BART
- Health Net medical records compromised
- US banks targeted by Russian cyber-gangster groups
- DNS attacks targeting Google and Yahoo
- SCADA protocols targeted by cyber-terrorist groups
- Hundreds more...

3 You Have to Do More with Less
- Increase access to backend data and systems
- Decrease the risk of unauthorized access
- Increase the effectiveness of existing resources and investments
- Reduce the complexity of the security infrastructure
- Lower operating and capital costs

4 You Need to Prepare for the Next Threat
- Eliminate your blind spots
- Demonstrate your policy compliance
- Lower your response time
- Accelerate adoption of best practices and expert systems
- Reduce the potential for significant or catastrophic loss of reputation or revenue

5 Evolution of the Threat Landscape: Recreation → Activism → Financial Gain → Enterprising

6 Thinking Strategically About Security
- Future-proof your security infrastructure: anticipate change in the threat landscape
- Look for opportunities to consolidate without compromise: reduce complexity, increase protection, decrease risk, lower CapEx and OpEx
- Move beyond tactical responses to threats
(Figure: Gartner Magic Quadrant for Unified Threat Management)

7 Reducing Complexity Is Critical
(Chart. Q: What are the top security-related challenges your organization is facing? Base: respondents involved in security investments. Source: Navigating IT: Objectives & Obstacles, InfoWorld, May 2011)

8 Solve Everyday Problems
- Emily, a financial trader, installed Skype on her company laptop to talk with family.
- Bill works for a Fortune 100 company and shares company details on Facebook.
- Ed shared a company presentation via his personal Gmail account.
- Jill is at Starbucks and needs to communicate, and be protected, as if she were at HQ.
Controls that address these scenarios: endpoint control, two-factor authentication, VPN tunneling, WAN optimization, identity- and device-based policies, data leak protection.

9 Improve Productivity – Limiting Web Access
(Block page shown to the user: "Your daily quota for this category of webpage has expired… URL: beach-camera.store.buy.com Category: Shopping and Auction")

10 Examine All Applications, Don't Trust Any
- Overlapping, complementary layers of protection
- Comprehensive, integrated inspection
- Allow, but don't trust, any application
- Examine all application content

11 Application Inspection and Control Overview

12 Application Security Evolution
In the beginning:
- Apps were easily defined, by port or protocol
- Policies were easily defined and enforced: allow or deny; content and behavior were predictable
And then came the Web: the world has never been the same.

13 Application Security Evolution
Traditional approach: the primary line of defense is at the perimeter
- One-to-one assignment of port to application (Web, SNMP, FTP, Telnet)
- To block an application, simply close its port

14 Application Security Evolution
Today: a web-centric world
- Requires a new approach to securing applications: how to allow trusted applications and deny untrusted ones?
- Threats are application-agnostic: any application can serve as a host for malicious activity

15 What is Application Control?
- Layer 7 analysis of traffic determines the application regardless of TCP port: it doesn't just associate a port with an application, so it can detect IM, P2P and the like running over port 80
- Detects applications inside of applications, e.g. P2P or IM tunneled inside HTTP

16 What is Application Control?
Granular control of applications in a network:
- Allow, block or traffic-shape individual applications
- Perform those actions based on user identity
- Control application commands
- Control web applications
Allows a new level of application-, port- and user-based reporting:
- What the application looks like on the surface: port, source address, country of origin
- What the application looks like under the surface: application, behavior, signatures, reputation
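The two slides above describe port-independent identification and "applications inside applications" without showing what the classifier actually does. The following is an added example, not code from the deck or from Fortinet: a minimal Layer 7 identifier in Python that classifies constructed sample flows by payload signature, detects a P2P handshake carried inside an HTTP POST body and an HTTP CONNECT tunnel, and contrasts its verdicts with a port-based lookup under a "web only" policy. The flows, the small signature table, `PORT_MAP` and `ALLOWED_APPS` are all constructed for illustration.

```python
"""Port-independent application identification versus port-based
classification. All flows below are constructed samples, not captures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


# Constructed BitTorrent handshake: 0x13, "BitTorrent protocol", 8 reserved
# bytes, 20-byte info_hash, 20-byte peer_id (68 bytes in total).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-PY0001-" + b"p" * 12


def _is_bittorrent(p: bytes) -> bool:
    return len(p) >= 20 and p[0] == 0x13 and p[1:20] == b"BitTorrent protocol"


def _is_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-")


def _is_xmpp(p: bytes) -> bool:
    head = p.lstrip()[:256]
    return head.startswith(b"<?xml") or b"<stream:stream" in head


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record type 0x16 (handshake), version 0x03xx, handshake type 0x01.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


SIGNATURES = [
    ("bittorrent", _is_bittorrent),
    ("ssh", _is_ssh),
    ("xmpp", _is_xmpp),
    ("tls", _is_tls_client_hello),
]

_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def identify(flow: Flow) -> str:
    """Name the application from payload content, ignoring the port."""
    p = flow.payload
    m = _HTTP_REQUEST_LINE.match(p)
    if m:
        if m.group(1) == b"CONNECT":
            return "http-connect-tunnel"  # arbitrary TCP relayed through a proxy
        # Application inside an application: look for a known protocol
        # carried in the HTTP body (IM/P2P tunnelled over the web port).
        _, sep, body = p.partition(b"\r\n\r\n")
        if sep:
            for name, matches in SIGNATURES:
                if matches(body):
                    return f"{name}-over-http"
        return "http"
    for name, matches in SIGNATURES:
        if matches(p):
            return name
    return "unknown"


PORT_MAP = {22: "ssh", 80: "http", 443: "tls", 5222: "xmpp", 6881: "bittorrent"}


def identify_by_port(flow: Flow) -> str:
    """What a traditional port-based firewall would call the flow."""
    return PORT_MAP.get(flow.dst_port, "unknown")


ALLOWED_APPS = {"http", "tls"}  # illustrative policy: web traffic only


def decide(flow: Flow, classifier) -> tuple[str, str]:
    app = classifier(flow)
    return ("allow" if app in ALLOWED_APPS else "block"), app


SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(80, BT_HANDSHAKE),                      # P2P hiding on the web port
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),       # SSH hiding on the HTTPS port
    Flow(80, b"POST /relay HTTP/1.1\r\nHost: relay.example\r\n"
             b"Content-Length: 68\r\n\r\n" + BT_HANDSHAKE),  # P2P inside HTTP
    Flow(80, b"CONNECT chat.example:5222 HTTP/1.1\r\nHost: chat.example\r\n\r\n"),
    Flow(5222, b"<?xml version='1.0'?><stream:stream to='im.example' version='1.0'>"),
]


def compare() -> list[tuple[str, str]]:
    """(port-based verdict, content-based verdict) for every sample flow."""
    return [(decide(f, identify_by_port)[0], decide(f, identify)[0]) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, (port_verdict, l7_verdict) in zip(SAMPLE_FLOWS, compare()):
        print(f"port {f.dst_port:>5}  by-port: {identify_by_port(f):<10} {port_verdict:<5}"
              f"  by-content: {identify(f):<22} {l7_verdict}")
```

The port-based classifier allows four of the six flows because they arrive on 80 or 443; the content-based one allows only the genuine HTTP request. Real application control engines carry thousands of signatures and track state across both directions of a flow, but the decision structure is the same: classify on content first, then apply the policy to the application name.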

17 Controlling Web Applications
- Allow Facebook, but block Facebook applications (Farmville, anyone? Facebook Chat, Facebook Video)
- Allow YouTube, but block YouTube download
- Allow Google Maps, but block Google Web Talk

18 Proxy Avoidance
- Web content filtering provides protection against proxy websites
- Application control provides protection against proxy-based applications (Ultrasurf, Gtunnel, dozens of others)

19 Rate Shaping
- Traffic doesn't have to be just allowed or blocked
- Now we can rate-shape on a per-application basis instead of by port number alone
- Allow streaming media usage, but limit its bandwidth
- Regain control of your Internet link(s)

20 Controlling Application Commands and Web Applications
- Allow users to download via FTP (GET, i.e. the RETR command) but block uploading (PUT, i.e. STOR)
- Block HTTP resume: a download fetched in partial ranges can circumvent A/V inspection
- URL filtering isn't enough: with more and more applications on the web, they are impossible to control via a traditional firewall
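Command-level control as described on this slide, as an added example that is not code from the deck or from Fortinet: a pair of Python policy functions that block the FTP upload verbs (STOR, STOU, APPE) while leaving RETR downloads alone, and that block HTTP partial-content requests so a file cannot be pulled down in pieces that are each too small for the antivirus engine to match. The control-channel lines and requests are constructed; the function names are illustrative.

```python
"""Command-level application control for two cases from the slide:
FTP download allowed but upload blocked, and HTTP download resume
(Range requests) blocked. Inputs are constructed control-channel bytes."""
import re

# Protocol-level verbs behind an FTP client's "put"; RETR (behind "get") stays allowed.
FTP_UPLOAD_COMMANDS = {b"STOR", b"STOU", b"APPE"}


def ftp_command_policy(line: bytes) -> tuple[str, str]:
    """Verdict for one client command on the FTP control channel."""
    cmd = line.strip().split(b" ", 1)[0].upper()  # FTP verbs are case-insensitive
    if cmd in FTP_UPLOAD_COMMANDS:
        return "block", f"ftp upload via {cmd.decode()}"
    return "allow", f"ftp {cmd.decode() or '<empty>'}"


# "bytes=0-" asks for the whole object from the start, so the antivirus
# engine still sees the complete file; any other range is a partial fetch.
_FULL_RANGE = re.compile(rb"^bytes=0-$", re.IGNORECASE)


def _header_values(raw_request: bytes, name: bytes) -> list[bytes]:
    """All values of one header (case-insensitive name), in order of appearance."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def http_request_policy(raw_request: bytes) -> tuple[str, str]:
    """Block partial-content downloads. Every Range header is checked, so a
    benign first copy cannot mask a partial second one."""
    ranges = _header_values(raw_request, b"Range")
    partial = [r for r in ranges if not _FULL_RANGE.match(r)]
    if partial:
        return "block", "partial download: Range: " + partial[0].decode(errors="replace")
    return "allow", "full download"


if __name__ == "__main__":
    for cmd in (b"RETR quarterly.pdf\r\n", b"stor customer_list.xls\r\n", b"APPE notes.txt\r\n"):
        print(cmd.strip().decode(), "->", ftp_command_policy(cmd))
    base = b"GET /setup.exe HTTP/1.1\r\nHost: files.example\r\n"
    for req in (base + b"\r\n",
                base + b"Range: bytes=0-\r\n\r\n",
                base + b"range: bytes=1048576-2097151\r\n\r\n"):
        print(http_request_policy(req))
```

Blocking resume has a cost: legitimate download managers and media players that seek within a file also send Range headers, which is why products typically expose this as a per-policy option rather than a default.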

21 Business Drivers for Application Control
- New services and applications: Web 2.0 services over HTTP(S); IM, P2P and gaming that port-hop
- Non-business applications can be problematic and expose liability: IM, P2P and anonymous proxies; non-productive bandwidth usage; evasion of security or corporate policy; difficult to detect and stop
- TCP/UDP port filtering is ineffective
- A next-generation firewall is required!

22 Threat Landscape: Malicious Activity within Trusted Applications

23 Security Challenges
- Blended attacks
- Application-focused attacks
- "Oldies but goodies" still exist: nothing goes away. Ever.
- The "survival instinct" of applications is much higher than before: built-in evasion techniques
- Must assume malicious activity occurs within trusted applications
Let's take a closer look at some examples…

24 Advanced Evasion Techniques (AETs)
Botnets and APTs employ AETs:
- Advanced Persistent Threats (cyber threats)
- Advanced evasion techniques
- Fast flux and proxies
- Communication encryption and watermarking, e.g. a custom protocol communicating over port 443
- Code obfuscation and packing
- Data safe havens
- Metamorphic and polymorphic malware

25 Advanced Evasion Techniques (AETs)

26 Threat Landscape – Blended Threat & Botnet Examples
The Corporate Botnet – Phishing (CIO fears and concerns): an employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a botnet, opening the door to the compromise of the integrity of the entire network.
ZEUS/ZBOT:
- Email contains a link to a false domain
- Credentials are entered into the fake site
- Bot infection is sent to the user as a "Facebook Security Update" application
- User installs the bot and is now infected; all data is compromised
- Connection is then redirected to the real Facebook site so the user is not suspicious
- Prevalent today and sold as a crime kit

27 Threat Landscape – Blended Threat & Botnet Examples
The Corporate Botnet – Legitimate Site Compromised: an employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
FakeAV botnet:
- In 2009 the advertising network used by the New York Times served a malicious Flash advertisement
- Readers were accessing the NYT site but were served the infected advertisement
- It directed users to a site hosting exploit code that installed fake antivirus software

28 Threat Landscape – Blended Threat & Botnet Examples
Targeted Attack – Spear Phishing: social engineering is used to distribute emails with links to malware, and the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.
Kneber (Zeus) botnet:
- In 2010 a spear-phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
- Data stolen included corporate login credentials, email and webmail access, online banking sites, social network credentials and SSL certificates

29 Threat Landscape – Blended Threat & Botnet Examples
Ransomware: once installed it is very difficult to reverse, because the files are encrypted. This isn't just the fear that something might happen; by the time you are reading the ransom note your data has already been encrypted.
gpCode ransomware:
- Once installed, searches the hard drive for document and media files
- Files are encrypted with a 1024-bit key; only the attacker holds the corresponding decryption key
- A ransom note is displayed to the user; the system continues to operate but the data is inaccessible
- Encrypts xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc.

30 Trends: Crimeware & Crime Services
- Ransom, blackmail, turf wars: up to $150k USD monthly
- Crimeware: weaponized exploits for sale ($10k+)
- Crime services
- New horizons: cloud processing


32 Trends: Crimeware & Crime Services – Affiliate Programs (PPI): earn $140 per 1K installs (USA)

33 Zeus botnet operators rely heavily on mules…

34 Crimeware: Documents, GUIs, Management

35 Mobile Vulnerabilities
- Before 2010: iOS jailbreaks, public concept
- 2011: RageAgainstTheCage (Android < 2.1/2.2); March 2011, 21 apps pulled
- 2012: Levitator (Android < 2.3.6; Honeycomb, Ice Cream Sandwich, i.e. Android 3 and 4)
- 2012-2013: Galaxy S3; NFC (Near Field Communication) payload; drive-by remote wipe

36 Mobile Malware, 2012-2013
- Tigerbot auto-jailbreak (spy trojan): Symbian, Blackberry, Android
- Zitmo (Zeus in the Mobile): SMS spy upgrade
- Android/Fakemart (20-year-old arrested, 500k euros profit)
- Abuse of Cloud to Device Messaging (Google C2DM)
- CAPTCHA cracking (OCR), uninstall hooks
- Ransomware and APT...

37 Addressing the Threat Landscape: Complete Content Protection

38 Security Followed the Internet Evolution
(Timeline figure, 1980s → 1990s → 2000s → today; vertical axis: performance and damage)
- Physical era: threat is hardware theft; control is lock and key
- Connection-based era: threat is intrusions; controls are firewall, VPN, IPS
- Content-based era: threats are viruses, worms, trojans, spyware, spam, banned content and application-layer attacks; controls are antivirus, anti-spyware, antispam, web filter and app control

39 The Result: More Expense, Less Security, Less Control
"I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks."
"Security Professionals Say Network Breaches Are Rampant", Ponemon Institute survey, New York Times, 6/22/11

40 Complete Content Protection
(Same timeline figure as slide 38: physical, connection-based and content-based layers from the 1980s to today, now labelled Complete Content Protection)

41 Consolidated Security with Real-Time Updates
- Intrusion prevention – vulnerabilities and exploits: browser and website attack code crafted by hackers and criminal gangs
- Application control – unwanted services and P2P: limiting botnet command channels and compromised Facebook applications, independent of port or protocol
- Web filtering – multiple categories and malicious sites: botnet command, phishing, search poisoning, inappropriate content
- Antispam – unsolicited messages: phishing, malware, social engineering and junk
- Antivirus – all malicious code: documents, macros, scripts, executables, delivered via web, email, USB, instant messaging, social networks, etc.
- Vulnerability management – real-time exploit updates: multiple scanning points (FortiGate, FortiAnalyzer, FortiWeb, FortiDB and FortiScan)

42 The Zeus Attack vs. Complete Content Protection
- Email is sent containing a link to a compromised site. Antispam: the mail message is detected as spam (phishing).
- End user accesses the phishing site and enters credentials; the criminals now have their details. Web filter: access to the phishing website is blocked.
- Phishing site sends the bot infection to the user disguised as a "Security Update" application. Antivirus: content scanning prevents the malicious content from being downloaded.
- End user executes the bot application, is infected, and all their data is compromised. Intrusion detection: the botnet command channel is blocked so no compromised data can be sent, and the security administrator is alerted to the infected system.

43 Real Threat Protection in Action
Problem:
- An "innocent" video link redirects to a malicious website
- An "out of date" Flash player error message prompts the user to "download" the malware file
- The malware "drops" a copy of itself on the system and attempts to propagate
Solution:
- Integrated web filtering blocks access to the malicious website
- Network antivirus blocks the download of the virus
- Intrusion protection blocks the spread of the worm

44 FortiGate
- Integrated security appliance: network threat detection; application-aware content scanning
- Accelerated performance: hardware acceleration with custom ASICs
- Reduce the number of vendors and appliances: no 3rd-party software/subscription dependencies; no user-count or application licensing
- FortiGuard Services: antivirus, IPS, app control, antispam, web content filtering

45 World's Fastest Firewall – Real-World Testing
Tests using BreakingPoint™ FireStorm prove the FortiGate-5140B to be the world's fastest firewall:
- 559 Gbps of UDP traffic
- 526 Gbps of real-world application traffic (Facebook, Pandora Radio and AOL Instant Messenger)
- Up to 10,000 iTunes songs per second
- Up to 228,000 web pages per second

46 FortiGuard Distribution Network: Global Research, Updates, Services
FortiGuard Research:
- Rootkits: kernel hooks
- Botnets: dynamic monitoring, spambots, new malware protocols
- Malware: code techniques in PDF/Flash/Doc
- Security: exploits and vulnerabilities, zero-day detection
- Packer research: unpacking, generic detection
FortiGuard Services: AV signatures 4x daily; IPS signatures 2x daily; antispam/web content filtering in real time
Process: sample collection → signature creation → alerts and escalation → global distribution network
Services delivered: application control, vulnerability management, antispam, web filtering, intrusion prevention, antivirus

47 Thank you! Questions?
