Presentation on theme: "Next Generation Firewalls:"— Presentation transcript:
1Next Generation Firewalls: A Discussion on Consolidated Security, Application Inspection and Blended Threat MitigationChristian BarnesMaterials:Kostas Sfakiotakis, FCNSP Manager, Systems Engineering
2The Threats You Face Continue to Grow Motive and intent has moved from notoriety to financial gainCyber security is criticalIn the News:Stuxnet attack on Iranian Nuclear FacilityFlame Virus-10 times more sophisticated than StuxnetRSA and Sony APT breachesAnonymous BART attackHealthnet’s Medical Records compromisedUS banks targeted by Russian cyber-gangster groupsGoogle & Yahoo targeted DNS attacksScada Protocols targeted by Cyber-terrorist groupsHundreds more…Exponential Growth in Malware Threatsin thousandsCoordinated and blended attacks are now a common practiceIncreased processing power requiredU.S. DoD Reported Incidents of Malicious Cyber Activityin thousandsEnough about Fortinet. Let’s talk about the challenges you're dealing with.You know that threats are increasing in volume, severity, and complexity. You see this every day in and day out.Our FortiGuard Global Threat Research Team identified more malware in 2008 than in the years through 2007 combinedIn addition, we saw the number of malware incidences jump eight-fold in 2008 from 2005 levelsThe headlines you read are filled with examples of attackers successfully breaching network security systems for financial or political gain.You have also seen the evolution of attacks from fairly simple network-based threats to sophisticated content level attacks.Seemingly innocuous data traffic now transmits spam, malware, viruses and other types of IT threats.
3You Have to Do More with Less Increase access to backend data and systemsDecrease risk of unauthorized accessIncrease effectiveness of existing resources and investmentsReduce complexity of security infrastructureLower operating and capital costsWe know that on a daily basis, you’re having make hard choices on how to do more without spending more.You are under pressure to open up more of your data to employees, customers, partners, and vendors; at the same time you’re expected to reduce the potential of unauthorized access to your data and backend systems.You’re also expected to make your existing staff and security technologies more effective, and to do it while spending lessAnd, we now you’re expected to lower your expenses
4You Need to Prepare for the Next Threat Eliminate your blind spotsDemonstrate your policy complianceLower your response timeAccelerate adoption of best practices and expert systemsReduce the potential of significant or catastrophic loss to reputation or revenueAnd that’s just part of what you have to deal with; we also realize that you’re looking ahead, when you have time to stop being reactive and so tactically focused.You also need to make sure you’re prepared for what’s coming next month or next year.You are looking into the future:Identify and close the gaps in your security strategyMeasure the positive change in your security postureEnsure that you can respond quickly to changes in the threatscape or actual attacksLeverage the expertise of your vendorsLast but not least, ensure that the worst case scenario doesn’t happen.
5Evolution of the Threat Landscape EnterprisingFinancial GainActivismRecreation
6Thinking Strategically About Security Magic Quadrant forUnified Threat ManagementFuture-proof your security infrastructureAnticipate change in threatscapeLook for opportunities to consolidate without compromiseReduce complexityIncrease protectionDecrease riskLower CapEx & OpExMove beyond tactical responses to threatsWe believe the way to deal with the changing threatscape and demanding business requirements is to take a more strategic approach to your application, data, and network security.What this means is that you develop a security infrastructure that is able to adapt to changes in threats while also keeping up with changes in the business environment.An infrastructure that reduces complexity while increasing your ability to detect and block new threats; one that reduces risk while reducing costs.
7Reducing Complexity Is Critical Q: What are the top security-related challenges your organization is facing? (base: of those that are involved in Security investments)The traditional approach of having different devices for different security functions is adding to the problem – not solving it.Reducing complexity is CRITICAL. According to this survey done by Infoworld, the complexity of security solutions is a bigger problem than mobile clients, regulatory issues, bandwidth or employee misuse of data.Source: Navigating IT: Objective & ObstaclesInfoworld, May, 2011
8Solve Everyday Problems Emily, a financial trader, installed Skype on her company laptop to talk with family.Endpoint ControlBill works for a Fortune 100 company and shares company details on Facebook.Identity & Device-Based Policies2-Factor AuthenticationVPN TunnelingWAN OptimizationJill is at Starbucks and needs to communicate and be protected as if she was at HQ.Here are some real world examples of how a variety of Fortinet technologies can solve everyday problems. Again, the breadth of our solution offers you the customer the most complete approach.Emily – application policy checking via FortiClientBill: Identity-based policies + DLP, app control. Bill (the CFO) might authorized to post to the Corporate Facebook page while others might notJill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance.Ed: Detect content with sensitive dataEd shared a company presentation via his personal Gmail account.Data Leak Protection8
9Improve Productivity – Limiting Web Access Here’s an example of how Fortinet technologies allows precise control of how people use your IT infrastructure. Of course, this type of control can be modified for different classes of users. For instances at a hospital, nurses might be limited in how much time they can spend on non-work related sites – while Doctors would have no limits.“Your daily quota for this category of webpage has expired… URL: beach-camera.store.buy.comCategory: Shopping and Auction”
10Examine All Applications-Don’t Trust Any Overlapping, complementary layers of protectionComprehensive, integrated inspectionAllow but don’t trust any applicationExamine all application contentAn integrated approach enables you to keep up with the changing threatscape without having to purchase more technology.The criminals are using sophisticated techniques to evade traditional countermeasures. By relying on a single platform with multiple technologies, you get the benefit of layers of security without the performance penalty.You also get the benefit of our global threat research team’s expertise, which means less reliance on your IT staff’s ability to configure the technology to anticipate new threats.Fortinet continuously updates our inspection engines to ensure that our customers are fully protected against the latest threats automatically.
12Application Security Evolution In the beginningApps easily definedPort or ProtocolPolicies easily defined and enforcedAllow or denyContent and behavior predictableAnd then came the WebThe world has never been the same
13Application Security Evolution Traditional Approach: Primary line of defense at the perimeterOne-to-one assignment of port to application usageWeb, SNMP, FTP, TelnetTo block the applications, simply close the portWebTelnetSNMPFTPData Center
14Application Security Evolution Today: Web-centric worldRequires new approach for securing applicationsHow to allow trusted applications, deny untrusted?Threats are application agnosticAny application can serve as a host to malicious activityPORT 80salesforceWL MessengerGooglefacebooktwitterYAHOO! MAIL
15What is Application Control? Layer 7 analysis of traffic determines the application regardless of TCP portDoesn’t just associate a port with an applicationCan detect IM/P2P/etc running over port 80Detects applications inside of applicationsTunneling P2P/IM/etc inside http
16What is Application Control? Granular control of applications in a networkAllow, block or traffic shape individual applicationsPerform above actions based on user identityControl application commandsControl web applicationsAllows a new level of application, port and user-based reportingWhat does the application look like on the surfacePort, Source Address, Country of OriginWhat does the application look like under the surfaceApplication, Behavior, Signatures, Reputation
17Controlling Web Applications Allow Facebook, but block Facebook applicationsFarmville, anyone?Facebook ChatFacebook VideoAllow YouTube, but block YouTube downloadAllow Google Maps, but block Google Web Talk
18Proxy AvoidanceWeb content filtering provides protection against proxy websitesApplication control provides protection against proxy based applicationsUltrasurf, Gtunnel, dozens of others
19Rate Shaping Traffic doesn’t have to be just allowed or blocked Now we can rate shape on an application basis instead of just a port numberAllow streaming media usage, but limit bandwidthRegain control of your Internet link(s)
20Controlling Application Commands and Web Applications Allow users to download via FTP (GET) but block uploading (PUT)Block HTTP ResumeCan circumvent A/V inspectionURL filtering isn’t enoughMore and more applications on the webImpossible to control via a traditional firewall
21Business Drivers for Application Control New services and applicationsWeb 2.0 services over HTTP(S)IM, P2P and gaming that port-hopNon-business applications can be problematic and expose liabilityIM, P2P and anonymous proxyNon-productive bandwidth usageEvasion of security or corporate policyDifficult to detect and stopTCP/UDP port filtering ineffectiveNext-generation firewall required!
22Threat Landscape: Malicious Activity within Trusted Applications
23Security Challenges Blended attacks Application-focused attacks “Oldies but Goodies” still existNothing goes away. Ever.“Survival instinct” of applications much higher than beforeBuilt-in evasion techniquesMust assume malicious activity occurs within trusted applicationsLet’s take a closer look at some examples…
24Advanced Evasion Techniques (AETs) Botnets and APTs employ AETs:Advanced Persistent Threats (Cyber Threats)Advanced Evasion TechniquesFast Flux and ProxiesCommunication Encryption and WatermarkingIE: Port 443 Custom Protocol CommunicationCode Obfuscation and PackingData Safe HavensMetamorphic & Polymorphic Malware
26Threat Landscape-Blended Threat & Botnet Examples CIO Fears and ConcernsThe Corporate Botnet - Phishing Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the compromise of the integrity of the entire network..ZEUS/ZBOTThe Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised..contains link to false domainCredentials entered in to fake siteBOT infection sent to user as a “ Facebook Security Update” applicationUser installs BOT and is now infected, all data is compromisedConnection is then redirected to real Facebook site so user is not suspiciousPrevalent today and sold as a crime kit.
27Threat Landscape-Blended Threat & Botnet Examples CIO Fears and ConcernsThe Corporate Botnet – Legitimate Site Compromised Employee access a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code..FakeAV BotnetThe Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised..In 2009 the advertising network used by the New York Times was infected by a malicious flash advertisementReaders were accessing the NYT site but were provided with the infected advertisementThis directed users to a site hosting the exploit code to install fake antivirus software..
28Threat Landscape-Blended Threat & Botnet Examples CIO Fears and ConcernsTargeted Attack – Spear Phishing Using social engineering to distribute s with links to malware, the s are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems.Kneber (Zeus) BotnetThe Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised..In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systemsData stolen included: Corporate Login credentials and webmail access Online Banking sites Social Network credentials SSL Certificates
29Threat Landscape-Blended Threat & Botnet Examples CIO Fears and ConcernsRansomware Once installed is very difficult to reverse, files are encrypted, this isn’t just based on the fear that something might happen, once you are reading the ransom note your data has already been encrypted.gpCode RansomwareThe Corporate Botnet Employee has clicked a link in a spam and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised..Once installed searches hard drive for document and media filesFiles are encrypted with a 1024bit key which only the attacker has the decryption keyRansom note is displayed to user, system continues to operate but data is inaccessibleWill encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc…
30Trends: Crimeware & Crime Services Ransom, Blackmail, Turf WarsUp to $150k USD MonthlyCrimewareWeaponized Exploits for Sale ($10k+)Crime ServicesNew Horizons: Cloud Processing
35Mobile Vulnerabilities < 2010: iOS Jailbreaks, Public Concept2011: Rage in the CageAndroid < 2.1/2.2March 2011 – 21 Apps Pulled2012: LevitatorAndroid < 2.3.6Honeycomb, Ice Cream (3&4): Galaxy S3NFC (Near Field Communication) PayloadDrive-By Remote Wipe
36Mobile Malware Zitmo (Zeus in the Mobile) SMS Spy Upgrade 2012-2013: Tigerbot Auto-Jailbreak [Spy Trojan]Symbian, Blackberry, AndroidZitmo (Zeus in the Mobile) SMS Spy UpgradeAndroid/Fakemart (20 Y/O Arrest, 500k Euros Profit)Cloud To Device Messaging (Google C2DM)CAPTCHA Cracking (OCR), Uninstall HooksRansomware and APT...
37Addressing the Threat Landscape: Complete Content Protection
38Followed The Internet Evolution Security:Followed The Internet EvolutionAPP LAYER ATTACKSAPP CONTROLSPYWAREANTI-SPYWAREWORMSANTI-SPAMSPAMPerformance - DamageBANNED CONTENTWEB FILTERTROJANSANTI-VIRUSVIRUSESINTRUSIONSIPSCONTENT-BASEDVPNMany new companies have come up with point security solutions to address each new application and attack as the threat landscape has evolved, and the network vendor players like Cisco and Juniper keep buying more point products to add on top of their firewall and VPN, resulting in more and more complex, costly deployments for customers.CONNECTION-BASEDFIREWALLHARDWARE THEFTHARDWARE THEFTHARDWARE THEFTLOCK & KEYPHYSICAL1980s1990s2000sToday
39More Expense, Less Security, Less Control The Result:More Expense, Less Security, Less Control“I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.”“Security Professionals Say Network Breaches Are Rampant” Ponemon Institute Survey New York Times 6/22/11Your network might look something like this…It’s too complicated.And – it leads to security holes.Expensive, complex, lack of control, chase new box in monthsAre you really more secure??Here’s what was said in a recent NY Times article…..“I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.”“Security Professionals Say Network Breaches Are Rampant” Ponemon Institute Survey - New York Times 6/22/11
40Complete Content Protection APP LAYER ATTACKSAPP CONTROLSPYWAREANTI-SPYWAREWORMSANTI-SPAMSPAMPerformance - DamageBANNED CONTENTWEB FILTERTROJANSANTI-VIRUSVIRUSESINTRUSIONSIPSCONTENT-BASEDVPNFortinet’s approach was to create Unified Threat Management. The UTM solution, which tightly integrates many functions and point products together into a single platform.UTM is defined as a device that “Unifies” multiple security features, including firewall/VPN, Intrusion Detection/Prevention and gateway antivirus, at a minimum, Fortinet offer s all these plus much more features.We also leverage our FortiASIC to accelerate performance, and, as we discussed, we utilize our FortiGuard Labs for real-time global update service, this solution effectively protects our customers in today’s challenging network environmentCONNECTION-BASEDFIREWALLHARDWARE THEFTLOCK & KEYPHYSICAL1980s1990s2000sToday
41Consolidated Security with Real Time Updates Application Control: Unwanted Services and P2P Limiting Botnet command channel, compromised Facebook applications, independent of port or protocolIntrusion Prevention: Vulnerabilities and Exploits Browser and website attack code crafted by hackers and criminal gangs.Web Filtering: Multiple categories and Malicious sites Botnet command, phishing, search poisoning, inappropriate contentVulnerability Management: Real time exploit updates Multiple scanning points FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScanAntispam: Unsolicited messages Phishing, Malware, Social Engineering and JunkAntivirus: All malicious code Documents, macros, scripts, executables Delivered via Web, , USB, Instant messaging, social networks, etc
42The Zeus Attack vs. Complete Content Protection Sent – Contains link to compromised site .Mail message detected as spam (phishing)End user accesses phishing site, enters credentials, and criminals now have their details ..Access to phishing website is blockedANTISPAMWEB FILTERPhishing site sends BOT infection to user disguised as ‘Security Update’ applicationContent scanning prevents malicious content from being downloadedANTIVIRUSEnd user executes BOT application, is infected and now all their data is compromisedBotnet command channel is blocked, no compromised data can be sent. Security administrator is alerted of the infected system.INTRUSION DETECTION
43Real Threat Protection in Action Problem:Error message:“Drops” copy of itself on system and attempts to propagate“Innocent” Video Link:Redirects to malicious Website“Out of date” Flash player error:“Download” malware fileSolution:Integrated Web FilteringBlocks access to malicious WebsiteHere is an example of our approach in action. This is the Koobface attack, that starts as a link to a non-existent video on a malicious site sent via IM, , or webmail.The first layer of protection is web filtering to block access to the site.If the user clicks on the link, he would receive a phony alert telling him his player is not working, and to download a non-existent new version on a malicious site.By clicking on the “OK” button on the phony Error message, the user is actually instructing his system to install the virus.Antivirus protection would detect the file that the user is trying to install, and block itOnce installed, the worm would try to propagate. The IPS technology would detect the propagation effort, and block it before it could succeed.Network AntivirusBlocks download of virusIntrusion ProtectionBlocks the spread of the worm
44FortiGate Integrated security appliance Accelerated performance Network threat detectionApplication-aware content scanningAccelerated performanceHardware acceleration with custom ASICsReduce the number of vendors and appliancesNo 3rd party software/subscription dependenciesNo user count or application licensingFortiGuard ServicesAntivirus, IPS, App Controls, Antispam, Web Content Filtering
45World’s Fastest Firewall Tests Using BreakingPoint™ FireStorm Prove FortiGate-5140B to be the World's Fastest Firewall559 Gbps of UDP traffic526 Gbps of real-world application trafficFacebook, Pandora Radio and AOL Instant MessengerUp to 10,000 iTunes songs per secondUp to 228,000 Web pages per secondReal-World Testing
46FortiGuard Distribution Network: Global Research, Updates, Services FortiGuard Research:Rootkits: Kernel HooksBotnets: Dynamic Monitoring, Spambots, New Malware ProtocolsMalware: Code Techniques-PDF/Flash/DocSecurity: Exploits & Vulnerabilities, Zero Day DetectionPacker Research: Unpacking, Generic DetectionFortiGuard Services:AV Signatures – 4x DailyIPS Signatures – 2x DailyAntispam/Web Content Filtering – Real TimeSample CollectionSignature CreationAlerts & EscalationOur FortiGuard labs operate around the clock and around the world. Over 200 professionals are constantly tracking the threat landscape and provide continuous updates. AND, the fact the we don’t rely on third parties for our updates ensures that these updates are current and will work seamlessly on our devices.Global Distribution Network:Application ControlVulnerability ManagementAntispamWeb FilteringIntrusion PreventionAntivirus