Embed Size (px)
Citation preview
Next Generation Firewalls:A Discussion on Consolidated Security, Application Inspection and Blended Threat Mitigation
Christian Barnes
Materials:Kostas Sfakiotakis, FCNSPManager, Systems Engineering
The Threats You Face Continue to Grow
Exponential Growth in Malware Threatsin thousands
U.S. DoD Reported Incidents of Malicious Cyber Activityin thousands
Coordinated and blended attacks are now a common practice
Increased processing power required
Motive and intent has moved from notoriety to financial gain
Cyber security is critical
In the News:
Stuxnet attack on Iranian Nuclear Facility
Flame Virus-10 times more sophisticated than Stuxnet
RSA and Sony APT breaches
Anonymous BART attack
Healthnet’s Medical Records compromised
US banks targeted by Russian cyber-gangster groups
Google & Yahoo targeted DNS attacks
Scada Protocols targeted by Cyber-terrorist groups
Hundreds more…
You Have to Do More with Less
• Increase access to backend data and systems• Decrease risk of unauthorized access• Increase effectiveness of existing resources and investments• Reduce complexity of security infrastructure• Lower operating and capital costs
You Need to Prepare for the Next Threat
• Eliminate your blind spots • Demonstrate your policy compliance• Lower your response time• Accelerate adoption of best practices and
expert systems• Reduce the potential of significant or
catastrophic loss to reputation or revenue
Evolution of the Threat Landscape
Recreation
Activism
Financial Gain
Enterprising
Thinking Strategically About Security
• Future-proof your security infrastructure
− Anticipate change in threatscape• Look for opportunities to
consolidate without compromise− Reduce complexity− Increase protection− Decrease risk− Lower CapEx & OpEx
• Move beyond tactical responses to threats
Magic Quadrant for Unified Threat Management
Reducing Complexity Is Critical
•Source: Navigating IT: Objective & ObstaclesInfoworld, May, 2011
Q: What are the top security-related challenges your organization is facing? (base: of those that are involved in Security investments)
Solve Everyday Problems
Emily, a financial trader, installed Skype on her company laptop to talk with family.
Bill works for a Fortune 100 company and shares company details on Facebook.
Ed shared a company presentation via his personal Gmail account.
Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
Endpoint Control
2-Factor Authentication
VPN TunnelingWAN Optimization
Identity & Device-Based Policies
Data Leak Protection
Improve Productivity – Limiting Web Access
“Your daily quota for this category of webpage has expired…URL: beach-camera.store.buy.com
Category: Shopping and Auction”
• Overlapping, complementary layers of protection• Comprehensive, integrated inspection• Allow but don’t trust any application• Examine all application content
Examine All Applications-Don’t Trust Any
Application Inspection and Control Overview
Application Security Evolution
• In the beginning − Apps easily defined
▪ Port or Protocol− Policies easily defined and enforced
▪ Allow or deny▪ Content and behavior predictable
• And then came the Web− The world has never been the same
Application Security Evolution
• Traditional Approach: Primary line of defense at the perimeter » One-to-one assignment of port to
application usage• Web, SNMP, FTP, Telnet
» To block the applications, simply close the port
Web
SNMP
FTP
Telnet
Data Center
PORT 80
Application Security Evolution
• Today: Web-centric world • Requires new approach for securing
applications» How to allow trusted applications, deny
untrusted?• Threats are application agnostic
» Any application can serve as a host to malicious activity
twitterfacebook
YAHOO! MAIL
salesforceWL MessengerGoogle
What is Application Control?
• Layer 7 analysis of traffic determines the application regardless of TCP port»Doesn’t just associate a port with an
application»Can detect IM/P2P/etc running over port
80
• Detects applications inside of applications»Tunneling P2P/IM/etc inside http
What is Application Control?
• Granular control of applications in a network»Allow, block or traffic shape individual applications»Perform above actions based on user identity»Control application commands»Control web applications
• Allows a new level of application, port and user-based reporting»What does the application look like on the surface
• Port, Source Address, Country of Origin
»What does the application look like under the surface• Application, Behavior, Signatures, Reputation
Controlling Web Applications
• Allow Facebook, but block Facebook applications» Farmville, anyone?
» Facebook Chat
» Facebook Video
• Allow YouTube, but block YouTube download• Allow Google Maps, but block Google Web Talk
Proxy Avoidance
• Web content filtering provides protection against proxy websites
• Application control provides protection against proxy based applications»Ultrasurf, Gtunnel, dozens of others
Rate Shaping
• Traffic doesn’t have to be just allowed or blocked• Now we can rate shape on an application basis instead of just a port number
• Allow streaming media usage, but limit bandwidth• Regain control of your Internet link(s)
Controlling Application Commands and Web Applications
• Allow users to download via FTP (GET) but block uploading (PUT)
• Block HTTP Resume• Can circumvent A/V inspection
• URL filtering isn’t enough• More and more applications on the web
• Impossible to control via a traditional firewall
Business Drivers for Application Control
• New services and applications»Web 2.0 services over HTTP(S)» IM, P2P and gaming that port-hop
• Non-business applications can be problematic and expose liability» IM, P2P and anonymous proxy»Non-productive bandwidth usage»Evasion of security or corporate policy»Difficult to detect and stop
• TCP/UDP port filtering ineffective• Next-generation firewall required!
Threat Landscape:Malicious Activity within Trusted Applications
Security Challenges
• Blended attacks• Application-focused attacks• “Oldies but Goodies” still exist
− Nothing goes away. Ever.
• “Survival instinct” of applications much higher than before− Built-in evasion techniques
• Must assume malicious activity occurs within trusted applications
• Let’s take a closer look at some examples…
Advanced Evasion Techniques (AETs)
Botnets and APTs employ AETs: Advanced Persistent Threats (Cyber Threats) Advanced Evasion Techniques Fast Flux and Proxies Communication Encryption and Watermarking
IE: Port 443 Custom Protocol Communication
Code Obfuscation and Packing Data Safe Havens Metamorphic & Polymorphic Malware
Advanced Evasion Techniques (AETs)
Threat Landscape-Blended Threat & Botnet Examples
• The Corporate Botnet - PhishingEmployee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the compromise of the integrity of the entire network.
.
CIO Fears and Concerns
• The Corporate BotnetEmployee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised.
.
ZEUS/ZBOT
• Email contains link to false domain• Credentials entered in to fake site• BOT infection sent to user as a “ Facebook
Security Update” application• User installs BOT and is now infected, all data
is compromised• Connection is then redirected to real
Facebook site so user is not suspicious• Prevalent today and sold as a crime kit.
Threat Landscape-Blended Threat & Botnet Examples
• The Corporate Botnet – Legitimate Site CompromisedEmployee access a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
.
CIO Fears and Concerns
• The Corporate BotnetEmployee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised.
.
FakeAV Botnet
• In 2009 the advertising network used by the New York Times was infected by a malicious flash advertisement
• Readers were accessing the NYT site but were provided with the infected advertisement
• This directed users to a site hosting the exploit code to install fake antivirus software.
.
Threat Landscape-Blended Threat & Botnet Examples
• Targeted Attack – Spear PhishingUsing social engineering to distribute emails with links to malware, the emails are relevant to the corporation being targeted. Infected documents (PDF, DOC, XLS) can use software exploits to infect systems
.
CIO Fears and Concerns
• The Corporate BotnetEmployee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised.
.
Kneber (Zeus) Botnet
• In 2010 a spear phishing attack on US .mil and .gov employees by a Zeus variant infected 50,000+ end systems
• Data stolen included: Corporate Login credentials Email and webmail access Online Banking sites Social Network credentials SSL Certificates
Threat Landscape-Blended Threat & Botnet Examples
• RansomwareOnce installed is very difficult to reverse, files are encrypted, this isn’t just based on the fear that something might happen, once you are reading the ransom note your data has already been encrypted.
CIO Fears and Concerns
• The Corporate BotnetEmployee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to the integrity of the entire network being compromised.
.
gpCode Ransomware
• Once installed searches hard drive for document and media files
• Files are encrypted with a 1024bit key which only the attacker has the decryption key
• Ransom note is displayed to user, system continues to operate but data is inaccessible
• Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc…
Trends: Crimeware & Crime Services
Ransom, Blackmail, Turf Wars Up to $150k USD Monthly
Crimeware Weaponized Exploits for Sale
($10k+) Crime Services
New Horizons: Cloud Processing
Affiliate Programs (PPI):Earn $140 / 1K Installs (USA)
Trends: Crimeware & Crime Services
• Zeus botnet operators rely heavily on mules …
Crimeware: Documents, GUIs, Management
Mobile Vulnerabilities
< 2010: iOS Jailbreaks, Public Concept
2011: Rage in the Cage Android < 2.1/2.2 March 2011 – 21 Apps Pulled
2012: Levitator Android < 2.3.6 Honeycomb, Ice Cream (3&4)
2012-2013: Galaxy S3
NFC (Near Field Communication) Payload Drive-By Remote Wipe
Mobile Malware
2012-2013: Tigerbot Auto-Jailbreak [Spy Trojan]• Symbian, Blackberry, AndroidZitmo (Zeus in the Mobile) SMS Spy Upgrade Android/Fakemart (20 Y/O Arrest, 500k Euros Profit) Cloud To Device Messaging (Google C2DM) CAPTCHA Cracking (OCR), Uninstall Hooks Ransomware and APT...
Addressing the Threat Landscape:Complete Content Protection
LOCK & KEY
ANTI-SPYWARE
ANTI-SPAM
WEB FILTER
ANTI-VIRUS
VPN
IPS
FIREWALL
APP CONTROL
PHYSICAL
CONNECTION-BASED
HARDWARE THEFT
1980s 1990s 2000s Today
Pe
rfo
rma
nc
e
- D
am
ag
e
CONTENT-BASED
SPYWARE
WORMS
SPAM
BANNED CONTENT
TROJANS
VIRUSES
INTRUSIONS
APP LAYER ATTACKS
HARDWARE THEFTHARDWARE THEFT
Security:Followed The Internet Evolution
“I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.”“Security Professionals Say Network Breaches Are Rampant” Ponemon Institute Survey New York Times 6/22/11
The Result:More Expense, Less Security, Less Control
PHYSICAL
CONNECTION-BASED
CONTENT-BASED
ANTI-SPYWARE
ANTI-SPAM
WEB FILTER
ANTI-VIRUS
VPN
IPS
FIREWALL
LOCK & KEY
SPYWARE
WORMS
SPAM
BANNED CONTENT
TROJANS
VIRUSES
INTRUSIONS
HARDWARE THEFT
1980s 1990s 2000s Today
Pe
rfo
rma
nc
e
- D
am
ag
e
APP CONTROLAPP LAYER ATTACKS
Complete Content Protection
Consolidated Security with Real Time Updates
• Intrusion Prevention: Vulnerabilities and ExploitsBrowser and website attack code crafted by hackers and criminal gangs.
• Application Control: Unwanted Services and P2P LimitingBotnet command channel, compromised Facebook applications, independent of port or protocol
• Web Filtering: Multiple categories and Malicious sitesBotnet command, phishing, search poisoning, inappropriate content
• Antispam: Unsolicited messagesPhishing, Malware, Social Engineering and Junk
• Antivirus: All malicious codeDocuments, macros, scripts, executablesDelivered via Web, Email, USB, Instant messaging, social networks, etc
• Vulnerability Management: Real time exploit updatesMultiple scanning points FortiGate, FortiAnalyzer, FortiWeb, FortiDB, and FortiScan
The Zeus Attack vs. Complete Content Protection
• Email Sent – Contains link to compromised site.
Mail message detected as spam (phishing)
• Phishing site sends BOT infection to user disguised as ‘Security Update’ application
Content scanning prevents malicious content from being downloaded
• End user executes BOT application, is infected and now all their data is compromised
Botnet command channel is blocked, no compromised data can be sent.Security administrator is alerted of the infected system.
• End user accesses phishing site, enters credentials, and criminals now have their details .. Access to phishing website is blocked
ANTISPAM
WEB FILTER
ANTIVIRUS
INTRUSIONDETECTION
Real Threat Protection in Action
“Innocent” Video Link:Redirects to malicious Website
Integrated Web FilteringBlocks access to malicious Website
Network AntivirusBlocks download of virus
Intrusion ProtectionBlocks the spread of the worm
Solution:
Error message:
“Drops” copy of itself on system and attempts to propagate
“Out of date” Flash player error:“Download” malware file
Problem:
FortiGate
• Integrated security appliance− Network threat detection− Application-aware content scanning
• Accelerated performance− Hardware acceleration with custom ASICs
• Reduce the number of vendors and appliances
− No 3rd party software/subscription dependencies− No user count or application licensing
• FortiGuard Services− Antivirus, IPS, App Controls, Antispam, Web
Content Filtering
World’s Fastest Firewall
Tests Using BreakingPoint™ FireStorm Prove FortiGate-5140B to be the World's Fastest Firewall
• 559 Gbps of UDP traffic • 526 Gbps of real-world application traffic
» Facebook, Pandora Radio and AOL Instant Messenger» Up to 10,000 iTunes songs per second» Up to 228,000 Web pages per second
Real-World Testing
FortiGuard Distribution Network:Global Research, Updates, Services
FortiGuard Research:• Rootkits: Kernel Hooks• Botnets: Dynamic Monitoring, Spambots,
New Malware Protocols• Malware: Code Techniques-PDF/Flash/Doc• Security: Exploits & Vulnerabilities, Zero Day Detection• Packer Research: Unpacking, Generic Detection
FortiGuard Services:• AV Signatures – 4x Daily• IPS Signatures – 2x Daily• Antispam/Web Content Filtering – Real Time• Sample Collection• Signature Creation• Alerts & Escalation
Global Distribution Network:• Application Control• Vulnerability Management• Antispam• Web Filtering• Intrusion Prevention• Antivirus
Thank you!
Questions?
