
HKIE-Cell Security 2010-12-17-final2 - The Hong Kong ...en.hkie.org.hk/Upload/Doc/...HKIE-Cell-Security_2010-12-17-final2.pdf · and social networking applications) inside internal


How to develop an Internet Security System Product for the Global Market Place

Present to HKIE

By Cell Technology 2010-12-17

Content

• Current Trends and Security Protection
• Network Security Products
• Network Security Deployments
• MSSP/SOC Security Service
• New Network Security Technologies

Page 2

Current Trends & Security Protection

New Threats

• Why are so many enterprises and service providers still facing network threats?
  – IP broadband technology
  – Content, application and usage
• IT IS BECAUSE:
  – Backdoors, DoS, Trojans, viruses & worms, spyware, and hackers' exploit attacks from outside networks.
  – It is difficult to manage Internet usage (e.g. IM, P2P, and social networking applications) inside internal networks

Page 3

Virus
• The virus is the most common computer attack nowadays. Because of its prevalence, the term "virus" is often used to refer to all malware.
• A virus is a small piece of executable code. Depending on its nature, a virus commonly:
  – Corrupts or deletes data on the local computer
  – Eats up the computer's resources
  – Interferes with normal operation of the system
• Most of the time, a virus needs to attach itself to a document or program in order to infect other computers and programs. For example:
  – Binary executable files, boot records
  – Script files (e.g. MS-DOS batch file, VBScript file, media Autorun file)
  – Documents (e.g. Office document with macros)

Spyware
• A computer program that hijacks your browser
  – Pops up undesired advertisements
  – Secretly collects your browsing behaviour, username/password and credit information and sends it back to the spyware server
  – Creates unwanted CPU activity, disk usage and network traffic
• Difficult to remove
  – Hidden from the user, and difficult to detect
  – Auto-upgrades without your consent
  – Locks your browser configuration
  – Some come with keystroke loggers and Trojan programs
• Installed via various methods
  – Tricks the user into installing browser plug-ins
  – Installed as a Browser Helper Object (BHO)
  – Via browser vulnerabilities and configuration weaknesses

Page 4

Worms
• Unlike a traditional virus, a worm copies and propagates itself automatically in various forms
  – Exploits other systems' vulnerabilities like a hacker
  – Spreads by email, network shares and security holes
  – Without user intervention: if your desktop/server is vulnerable, it will be infected when the worm reaches it
• Consumes system resources and network bandwidth
  – Eats up all memory and disk space
  – Floods the network to spread, e.g. Nimda and Code Red
• In a worm outbreak scenario, networks are flooded with worms and most systems will be affected
  – Very difficult to fix in a short time
  – Almost all systems in the network need to be reviewed

Exploit Attack
• An exploit attack is a specific network attack focused on a bug, glitch or vulnerability of the corresponding servers, workstations and programs.
• Hackers continually find vulnerabilities in common network applications and send a sequence of network packets (the exploit) to break into the vulnerable system. An exploit may cause:
  – Unauthorized data access
  – Arbitrary code execution
  – Denial of service
• Traditional antivirus programs on desktops and servers cannot prevent those attacks; some exploit attacks even target vulnerabilities in the antivirus program itself.

Page 5

Web Application
• Unlike a traditional network attack, most web applications are not malware. But unmanaged usage will expose the security holes of the network.
• Web applications: IM programs, P2P programs, social website apps, media streaming, etc.
• When the Internet began to bloom in 1998, the main applications for a corporate or enterprise network were:
  – Email communication
  – Simple web access
  – FTP file sharing

Current Internet Applications
• In recent years, various types of web applications have become more dominant, because high-speed broadband networks let people link up to the outside very easily and enjoy social networking or communication from any place:
  – Instant Messaging (IM), P2P applications
  – Web conferencing, video streaming, etc.
• In a corporate Internet network, these applications must be secured, controlled and managed well to maintain proper network usage and performance from the business perspective.

Page 6

IM & P2P
• What is IM (Instant Messaging)?
  – Real-time person-to-person interaction based on typed text over a network such as the Internet.
  – Examples of IM clients:
    • AIM, eBuddy, ICQ, Skype, Tencent QQ
    • Windows Live Messenger, Yahoo! Messenger
• What is P2P (Peer to Peer)?
  – A type of network communication that allows data (e.g. file, voice, video) sharing between peers (e.g. PCs) without passing through the services of a server.
  – Application examples:
    • File sharing: BitTorrent, eDonkey; voice talk: Skype
    • Streaming media: P2PTV, PPLive

Social Networking
• Rapid growth of social networking services on the Internet
• Through a social networking website, people can build and reflect social relations among Internet users all over the world
• Social website examples:
  – Facebook, Twitter, MySpace
• A social website connects people all over the world through the web browser.
• People share photos/files, broadcast messages, discuss hot issues, create and join communities, etc.

Page 7

Corporate Risks from Internet Applications
• Risk of unmanaged IM:
  – Viruses and worms over IM
  – Identity theft/authentication spoofing
  – Data/information security leakage
  – IM spam
• Risk of unmanaged P2P:
  – Exposing your computer to unwanted software
  – Creating enormous bandwidth drains on corporate networks
  – Increasing the corporate network cost while lowering resources, efficiency and productivity
• Risk of unmanaged social networking services:
  – Creating enormous bandwidth drains on corporate networks
  – Increasing the corporate network cost while lowering resources, efficiency and productivity
  – Data/information security leakage

Benefit of Managed Internet Applications
• Enhance the security level of the corporate network
  – Prevent network attacks from hackers, viruses and spyware
• Enhance information security
  – Prevent exposing internal resources to unwanted P2P software
  – Prevent leakage of confidential information
  – Prevent copyright violations
• Enhance network usage
  – Prevent P2P traffic from overloading the corporate network
  – Prevent excessive personal use and enhance productivity

Page 8

Network Security Products

• Network security products in the market:
  – Firewall
  – Intrusion Detection System (IDS)
  – Intrusion Prevention System (IPS)
  – Gateway Antivirus (AV)
  – Gateway Anti-Spam
  – Web Content Filtering
  – Unified Threat Management (UTM)

Page 9

Traditional Stateful Inspection Firewall
• Provides good access control
• State checking for IP protocols
• Very limited blocking of application-level attacks

Intrusion Detection System (IDS)
• An IDS monitors all inbound and outbound network traffic across the network segment.
• An IDS can detect suspicious activity and alert the system.
• In some cases, an IDS can respond to the attack by sending a TCP reset, blocking the source/destination address, etc.

(Diagram: IDS attached to the network segment between the Internet and the internal hosts)

Intrusion Detection System (IDS)
• Allows monitoring of multiple network segments
• Monitors and detects misuse
• Cons: attacks can still reach the destination

The network attack is detected while the attack packets are passing through. The IDS then:
• Closes the offending connection
• Blocks the further attack
• Session and packet logging

Page 10

Intrusion Prevention System (IPS)
• An IPS scans and filters all inbound and outbound network traffic across the network segment.
• An IPS can identify malicious activity, log activity information, attempt to block/stop the activity, and alert the system.

(Diagram: IPS deployed inline between the Internet and the network segment)

Intrusion Prevention System (IPS)
• Inline bridging
• Actively scans and blocks attack traffic
• Reassembles fragmented packet streams
• Prevents TCP sequencing issues
• Cleans up unwanted transport and network layer options

The IPS proactively blocks the attacking packets. The hacker's attack cannot reach the destination:
• Block/reject attack packets
• Session and packet logging
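As an added illustration, not code from the presentation or from Cell Technology, the following Python sketch contrasts the two deployment modes described on the IDS and IPS slides: a passive IDS that alerts and sends an out-of-band TCP reset after the packet has already passed, and an inline IPS that drops the packet so nothing reaches the host. It also shows why the "reassembles fragmented packet streams" bullet matters. The signature set, the packet payloads and the addresses are all constructed for the example; the second connection carries a path-traversal pattern split across two TCP segments, so a sensor that matches one packet at a time never sees it.

```python
from dataclasses import dataclass, field

# Constructed signature set for the example (not any product's ruleset).
SIGNATURES = {
    "dir-traversal": b"../../",
    "shell-path": b"/bin/sh",
}


@dataclass
class Packet:
    src: str
    dst: str
    stream_id: int   # identifies the TCP connection the segment belongs to
    payload: bytes


def match_signatures(data: bytes) -> list:
    """Return the names of all signatures found in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


@dataclass
class Sensor:
    mode: str                  # "ids" (passive, sees a copy) or "ips" (inline)
    reassemble: bool = True    # rebuild the stream before matching
    alerts: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    delivered: list = field(default_factory=list)
    streams: dict = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> bool:
        """Process one segment; return True if it reaches the destination."""
        if self.reassemble:
            # Append to the per-connection buffer so a pattern that straddles
            # two segments is still visible to the matcher.
            buf = self.streams.get(pkt.stream_id, b"") + pkt.payload
            self.streams[pkt.stream_id] = buf
            hits = match_signatures(buf)
        else:
            hits = match_signatures(pkt.payload)

        if hits:
            self.alerts.append((pkt.stream_id, pkt.src, hits))
            self.streams.pop(pkt.stream_id, None)  # do not re-alert on the same bytes
            if self.mode == "ips":
                # Inline: the segment is discarded, nothing reaches the host.
                self.actions.append(("drop", pkt.stream_id))
                return False
            # Passive: the segment has already passed; the best the IDS can do
            # is tear the connection down after the fact.
            self.actions.append(("tcp-reset", pkt.stream_id))

        self.delivered.append(pkt)
        return True


# Constructed traffic: one benign request and one request whose "../../"
# sequence is split across two segments of the same connection.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 1, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 1, b"Host: intranet\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 2, b"GET /cgi/../"),
    Packet("198.51.100.7", "192.0.2.10", 2, b"../etc/passwd HTTP/1.1\r\n"),
]


def run(mode: str, reassemble: bool = True) -> Sensor:
    """Feed the sample traffic through a sensor and return it for inspection."""
    sensor = Sensor(mode=mode, reassemble=reassemble)
    for pkt in SAMPLE_TRAFFIC:
        sensor.inspect(pkt)
    return sensor


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        s = run(mode)
        print(mode, "delivered:", len(s.delivered), "actions:", s.actions)
    print("per-packet matching alerts:", run("ips", reassemble=False).alerts)
```

In IDS mode all four segments are delivered and the reset is issued only after the offending segment has reached the server; in IPS mode the fourth segment is dropped. With reassembly switched off neither mode raises an alert, which is the evasion the stream-reassembly bullet on the slide is about.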

Gateway Antivirus (AV)
• Gateway AV provides virus scanning at the edge of the network.
• Gateway AV checks the files in mail and web traffic to block malicious threats from entering the network.
• Real-time protection: viruses & worms, spyware, backdoors, Trojans, keyloggers, etc.

(Diagram: Gateway AV deployed inline between the Internet and the network)

Gateway Antivirus (Gateway AV)
• Inline bridging
• Actively virus-scans inbound & outbound traffic

Gateway AV proactively blocks the attacking packets. An infected file cannot reach the network:
• Block/reject attack packets
• Session and packet logging

Page 11

Gateway Anti-Spam
• Spam is an unsolicited message in email, Instant Messaging (IM), advertising, etc.
• Spam consists of unwanted e-mail messages, frequently with commercial content, and sometimes comes with malware.
• Anti-spam is responsible for scanning inbound and outbound mail, filtering unwanted content, and protecting against email/messaging attacks.

Gateway Anti-Spam
• Inline bridging
• Filters spam messages (e.g. email)
• Typically comes with AV/IPS, to block malicious file attachments
• Scans the message content to prevent information leakage
• Restricts the message header, message size, etc.

Gateway Anti-Spam proactively scans for spam across the network segment:
• Marks/redirects the spam mail
• Filters the infected content
• Logging and reporting

(Diagram: email/messages from the Internet pass through the Anti-Spam gateway before reaching the email server and workstations)
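The following Python example is added here to show the policy decisions the Gateway Anti-Spam slides list (header and size restriction, blocking of malicious attachments, spam marking, and an outbound content scan against information leakage) applied to real RFC 822 messages with the standard library's email package. It is not code from the presentation or from Cell Technology. The thresholds, the spam term list, the blocked extensions and the DLP pattern are constructed for the example, as are the four sample messages.

```python
import email
import re
from email.message import EmailMessage

# Constructed policy for the example; every value here is illustrative.
MAX_MESSAGE_BYTES = 2000
BLOCKED_ATTACHMENT_EXT = (".exe", ".scr", ".vbs", ".bat")
SPAM_TERMS = ("free money", "click here", "limited offer")
SPAM_THRESHOLD = 2
# Hypothetical DLP rule: a classification marker or a 16-digit card-like number.
DLP_PATTERN = re.compile(r"\bCONFIDENTIAL\b|\b\d{4}-\d{4}-\d{4}-\d{4}\b")

# When several rules fire, the most severe action wins.
PRIORITY = {"deliver": 0, "mark": 1, "quarantine": 2, "reject": 3}


def text_body(msg) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw: bytes, direction: str) -> dict:
    """Apply the gateway policy to one raw message.

    direction is "inbound" (from the Internet) or "outbound" (from a workstation).
    Returns the chosen action, the reasons, and the subject to deliver with."""
    msg = email.message_from_bytes(raw)
    decisions = []  # (action, reason)

    # Header and size restrictions.
    if not msg["From"] or not msg["Subject"]:
        decisions.append(("reject", "missing From or Subject header"))
    if len(raw) > MAX_MESSAGE_BYTES:
        decisions.append(("reject", "message exceeds size limit"))

    # Attachment check, standing in for the AV engine the slide mentions.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_ATTACHMENT_EXT):
            decisions.append(("reject", "blocked attachment type: " + name))

    body = text_body(msg)
    score = sum(term in body.lower() for term in SPAM_TERMS)
    if score >= SPAM_THRESHOLD:
        decisions.append(("mark", "spam score %d" % score))

    # Content scan for information leakage applies to outbound mail only.
    if direction == "outbound" and DLP_PATTERN.search(body):
        decisions.append(("quarantine", "possible confidential content"))

    action = max((a for a, _ in decisions), key=PRIORITY.get, default="deliver")
    subject = msg["Subject"] or ""
    if action == "mark":
        subject = "[SPAM] " + subject   # tagged so the mail client can file it
    return {"action": action, "reasons": [r for _, r in decisions], "subject": subject}


def build(subject, body, attachment_name=None) -> bytes:
    """Construct a sample message as bytes (example data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed sample messages paired with their direction.
SAMPLES = {
    "clean": (build("Q4 meeting", "Agenda for Friday attached below."), "inbound"),
    "spam": (build("Free money!!!", "Free money, click here, limited offer ends today"), "inbound"),
    "malware": (build("Invoice", "Please open the attached invoice.", "invoice.exe"), "inbound"),
    "leak": (build("fyi", "CONFIDENTIAL: draft figures for the board"), "outbound"),
}


if __name__ == "__main__":
    for name, (raw, direction) in SAMPLES.items():
        print(name, classify(raw, direction))
```

The priority table is the part worth copying: a message that is both spam and carries a blocked attachment must be rejected, not merely tagged, and keeping every triggered reason in the result gives the logging and reporting bullet something to record.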

Web Content Filter
• Traditional web filters block access to harmful and dangerous websites.
• Nowadays, web filtering / web content filtering devices provide various Internet usage management services, restricting the Internet access of the internal network for purposes beyond security.

Web Content Filtering
• Inline bridging
• URL-categorized restriction (e.g. parental control)
• In some cases, the filtering comes with IM, P2P & web application restriction:
  • Data loss prevention
  • File sharing restriction
  • Media streaming restriction
  • Social website app restriction
  • Online gaming restriction

The Web Content Filter proactively scans all web traffic across the device:
• Destroys/replaces inappropriate content of the web page
• Blocks inappropriate network traffic
• Logs the web/message content

(Diagram: Web Content Filter between the workstations and the Internet, stopping inappropriate web access and Internet usage)
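To make the three actions on the Web Content Filtering slide concrete (block the traffic, replace the page, or let it through with inappropriate content scrubbed, logging in every case), here is an added Python example; it is not code from the presentation or from Cell Technology. The category database, the per-category policy, the scrub terms and the sample requests are all constructed; a real device ships a vendor-maintained category list, and categorisation by longest matching domain suffix is the assumption this sketch makes about how sub-domains inherit a category.

```python
import re
from urllib.parse import urlsplit

# Constructed category database keyed by domain (example data only).
CATEGORY_DB = {
    "intranet.example.com": "business",
    "news.example.net": "news",
    "tube.example.org": "streaming",
    "casino.example.biz": "gambling",
    "social.example.com": "social",
}
# Per-category policy: allow, log (allow but record), block (drop the
# traffic), or replace (serve a notice page instead of the original body).
POLICY = {
    "business": "allow",
    "news": "log",
    "streaming": "block",
    "gambling": "block",
    "social": "replace",
}
DEFAULT_ACTION = "log"   # uncategorised sites pass but are recorded
NOTICE_PAGE = b"<html><body>Access restricted by corporate policy.</body></html>"
# Constructed content rule: terms scrubbed from pages that are otherwise
# allowed, standing in for the device's content inspection.
SCRUB_TERMS = re.compile(rb"(?i)\b(casino|jackpot)\b")


def categorize(url: str) -> str:
    """Look up the longest matching domain suffix so that sub-domains
    inherit their parent's category (www.casino.example.biz -> gambling)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorised"


def filter_response(url: str, body: bytes, log: list) -> tuple:
    """Decide what the workstation receives for one fetched page.

    Returns (action, body_delivered) and appends (url, category, action,
    scrubbed_count) to `log`, which stands in for the device's logging."""
    category = categorize(url)
    action = POLICY.get(category, DEFAULT_ACTION)
    if action == "block":
        log.append((url, category, action, 0))
        return action, b""
    if action == "replace":
        log.append((url, category, action, 0))
        return action, NOTICE_PAGE
    # Allowed page: still scrub inappropriate terms from the HTML body.
    cleaned, count = SCRUB_TERMS.subn(b"***", body)
    if count:
        action = "scrubbed"
    log.append((url, category, action, count))
    return action, cleaned


# Constructed requests with the bodies a proxy would have fetched.
SAMPLE_REQUESTS = [
    ("http://intranet.example.com/hr", b"<p>Leave policy</p>"),
    ("http://news.example.net/today", b"<p>Market news</p>"),
    ("http://tube.example.org/watch?v=1", b"<video></video>"),
    ("http://www.casino.example.biz/play", b"<p>Jackpot!</p>"),
    ("http://social.example.com/feed", b"<p>Friends' updates</p>"),
    ("http://blog.example.info/post", b"<p>Win the jackpot at our casino</p>"),
]


def run_samples() -> list:
    """Run every sample through the filter and return the log."""
    log = []
    for url, body in SAMPLE_REQUESTS:
        filter_response(url, body, log)
    return log


if __name__ == "__main__":
    for entry in run_samples():
        print(entry)
```

Note that the uncategorised blog is not blocked but its body is altered before delivery, which is the "destroy/replace inappropriate content" behaviour; the log entry records how many replacements were made so the reporting side can tell a clean allow from a scrubbed one.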

Page 12

Unified Threat Management (UTM)

• Unified Threat Management (UTM) is a comprehensive (all-in-one) security product that includes protection against multiple threats.
• A UTM product typically includes a firewall, IPS, Gateway AV, content filtering and a spam filter in a single network appliance.
• The market mainly focuses on SME and SOHO customers

(Diagram: UTM device)

Network Security Deployments

Page 13

Network Security Deployment Applications - Enterprise

In an enterprise, the internal network may be separated into different segments: server farm, offices, etc. Since the Internet usage of each segment is different, every segment will have its own security deployment.

In general, IPS and Gateway AV are necessary for every segment, but there are still variations between them. For the server farm, since there are application servers behind it, the performance requirement of the IPS/AV is higher than in the office. Also, the protection focuses more on the vulnerabilities of the server applications. In the offices, a simple IPS with balanced protection is required.

Network Security Deployment Applications - Enterprise

For the offices, a Web Content Filter is necessary to provide:
• Message/content filtering to prevent data leakage
• Website access restriction to prevent access to malicious/non-work sites and improve employee productivity
• IM & P2P application management to control network resource usage

For the server farm, a Web Content Filter is necessary to provide:
• Message/content filtering to prevent data leakage
• IPS/AV to avoid backdoors
An additional Gateway Anti-Spam provides:
• Email server protection to filter spam/harmful mail from the server

Page 14

MSSP/SOC Security Services

MSSP/SOC Security Services
Current Challenge
• Why do the security devices require management?
• IT IS BECAUSE:
  – For the enterprise, a bulk of security devices is required to protect against various network attacks. Each of them has its own maintenance, updates, logs and so forth.
  – Unmanaged infrastructure increases the administration effort, operational complexity and maintenance costs

Page 15

MSSP/SOC Security Services
Signature Update Process
• Daily, weekly or monthly update
• CERT centre alerts
• Customer request
• Ad-hoc incidents
• SOC for SU/KB update
• Distribute SU automatically and centrally

MSSP/SOC Security Services
Applications – Managed Security Service

Page 16

MSSP/SOC Security Services
Centralized Security Management
• [Centralized Alert Storage]
  It can back up all the alerts/security events from all the security devices for further analysis (e.g. correlation);
• [Centralized Security Reporting]
  It can generate the security report of the devices throughout the network. The report can give a complete view of the attack scenario and the overall vulnerability of the network;
• [Remote device configuration, software update & monitoring]
  It can remotely monitor the security devices' operation status. In some cases, the centralized management platforms are able to perform simple remote device management and even software updates.
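The first two bullets above, central alert storage for correlation and a network-wide report, are the ones a small example can show. The Python below is added here and is not code from the presentation or from Cell Technology: it takes a constructed batch of alerts, shaped like records an IPS, a gateway AV and an anti-spam device might send to a central store (addresses from the documentation ranges, timestamps on the date of the talk), counts them per device and per type for the report, and then flags any source that several different devices reported within a ten-minute window, which is a view no single device has on its own. The record layout, the window and the device names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed alerts as a central store would receive them from several
# devices. Record layout is an assumption for the example.
ALERTS = [
    {"ts": "2010-12-17T09:00:05", "device": "ips-1", "type": "exploit", "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"ts": "2010-12-17T09:00:40", "device": "gw-av-1", "type": "malware", "src": "198.51.100.7", "dst": "192.0.2.12"},
    {"ts": "2010-12-17T09:03:10", "device": "antispam-1", "type": "spam", "src": "203.0.113.9", "dst": "192.0.2.20"},
    {"ts": "2010-12-17T09:05:00", "device": "ips-2", "type": "exploit", "src": "198.51.100.7", "dst": "192.0.2.30"},
    {"ts": "2010-12-17T10:30:00", "device": "gw-av-1", "type": "malware", "src": "203.0.113.9", "dst": "192.0.2.20"},
]


def load(alerts) -> list:
    """Normalise raw records: parse the timestamp once, keep everything else."""
    return [dict(a, ts=datetime.fromisoformat(a["ts"])) for a in alerts]


def summarize(alerts) -> dict:
    """Counts per device and per alert type: the raw material of the
    network-wide security report."""
    parsed = load(alerts)
    return {
        "by_device": dict(Counter(a["device"] for a in parsed)),
        "by_type": dict(Counter(a["type"] for a in parsed)),
    }


def correlate(alerts, window=timedelta(minutes=10), min_devices=2) -> list:
    """Flag a source that at least `min_devices` different devices reported
    within `window` of each other; one finding per source."""
    by_src = defaultdict(list)
    for a in load(alerts):
        by_src[a["src"]].append(a)
    findings = []
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            devices, targets = {first["device"]}, {first["dst"]}
            for later in items[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break          # sorted, so nothing later can fit the window
                devices.add(later["device"])
                targets.add(later["dst"])
            if len(devices) >= min_devices:
                findings.append({
                    "src": src,
                    "start": first["ts"].isoformat(),
                    "devices": sorted(devices),
                    "targets": sorted(targets),
                })
                break
    return findings


if __name__ == "__main__":
    print(summarize(ALERTS))
    for finding in correlate(ALERTS):
        print(finding)
```

With the sample data, 198.51.100.7 is reported by three devices against three internal hosts inside five minutes and becomes one finding, while 203.0.113.9 appears twice but 87 minutes apart and is left as two unrelated alerts; shrinking the window to 20 seconds removes the finding, which is the knob an analyst tunes against the false-positive rate.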

New Network Security Technologies

Page 17

Latest Network Security Trend
• Mobile computing and cloud computing have become dominant in today's Internet, with increased risk.
• Risks of mobile computing:
  – New malware specific to the mobile system
  – Exposure of the wireless connection
• Cloud computing:
  – Allows users access to powerful computers and software applications hosted by remote groups of servers on the Internet
  – Data leakage between the user client and the remote servers

New Network Security Technology
• Following the network trend, new security technology is struggling to keep up:
  – The growth of wireless security
  – The growth of unified threat management (UTM)
  – Cloud security development
• Wireless Intrusion Prevention Systems:
  – Locate & block unauthorized Wi-Fi devices
  – Detect & prevent rogue access points
  – Prevent multiple threats, such as "Man in the Middle Attack", "MAC Spoofing", "Evil Twin Attack" & DoS attacks
• Unified threat management (UTM) combines multiple security functions in one single appliance; it has not been a new category in the market since 2004.
  – With the growth of ASICs, it became possible to run multiple security functions on a single appliance without significantly impeding network performance, which opened up the enterprise market

Page 18

Thank You

Question & Answer