© 2006, iPolicy Networks, Inc. All rights reserved.

Security Technology Correlation

Proneet Biswas, Sr. Security Architect, iPolicy Networks, [email protected], 510-687-3152

Ray West, Director Network Services, John Brown University, [email protected], 479-524-7188



Page 2: Security Technology Correlation

www.ipolicynetworks.com iPolicy Networks Confidential © 2006, iPolicy Networks, Inc. All rights reserved.

Agenda

iPolicy Networks

• Decoding of blended threats
• Challenges of Point Solutions
• Role of Integrated Security
• Single Pass Architecture – Developing the correlation

John Brown University

• Overview of Network Infrastructure
• Security Upgrade Initiative
• Key criteria in evaluation of solutions
• Glimpse of network after deployment

Page 3: Security Technology Correlation


Blended Threats

• Exploit multiple vulnerabilities
• Communicate with controlling servers
• Separate propagation and attack vectors
• Upgrade through rogue sites

Page 4: Security Technology Correlation


Example

Lupii Worm

• An infected system would communicate with its attacker over UDP port 7222. This communication could be used to launch a DoS attack or generate new update commands.
• Exploit Web vulnerabilities on a set of systems it plans to infect and spread.
• Attempt to connect to a rogue site like [http://62.101.193.244/xxxx/lupii] to upgrade itself and avoid detection attempts by IDS systems.

Page 5: Security Technology Correlation


Challenges for Point Solutions

Takes care of the threat in its current form, not future variants

| Technology | What it will do | Failure |
|---|---|---|
| Firewall | Block all communication on port 7222 | Next update from the rogue site could change the port number |
| IDS/IPS | Block a set of exploits being used by the worm-infected system | Next update from a rogue site could use a different set of exploits |
| Content Filtering | Block the rogue site access | Site could change as there is a communication channel through the firewall |

Page 6: Security Technology Correlation


Role of Integrated Security - I

Sandbox the threat

[Diagram: IDS/IPS (Block Attack) + Firewall (Block Communication) + URL Filtering (Block Upgrade) = Integrated Security. The Attack, Communicate and Upgrade stages of the blended threat are each marked X.]

• Firewall Rule: Block all communication UDP port 7222
• IDS Rule: Block all Web exploit patterns
• URL Filtering Rule: Block all access to rogue site - http://62.101.193.244/xxxx/lupii
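
The three rules above cover the attack, communication and upgrade stages of one threat, so their hits are most useful when read together per host. As an added example (not from the original slides or from iPolicy's product), the Python below correlates constructed firewall, IDS and URL-filter events by source host; the event field names, the 600-second window and the two-stage threshold are assumptions.

```python
from collections import defaultdict

# Indicators from the slide's three rules.
C2_UDP_PORT = 7222
ROGUE_URL = "http://62.101.193.244/xxxx/lupii"

# Constructed sample events; sensor and field names are assumptions.
EVENTS = [
    {"t": 100, "sensor": "ids", "src": "10.0.0.5", "sig": "web-exploit"},
    {"t": 130, "sensor": "firewall", "src": "10.0.0.5", "proto": "udp", "dport": 7222},
    {"t": 160, "sensor": "urlfilter", "src": "10.0.0.5", "url": ROGUE_URL},
    {"t": 200, "sensor": "firewall", "src": "10.0.0.9", "proto": "udp", "dport": 53},
    {"t": 210, "sensor": "firewall", "src": "10.0.0.7", "proto": "udp", "dport": 7222},
    {"t": 9000, "sensor": "ids", "src": "10.0.0.7", "sig": "web-exploit"},
]

def stage_of(ev):
    """Map one sensor event to a blended-threat stage, or None if unrelated."""
    if ev["sensor"] == "ids" and ev.get("sig") == "web-exploit":
        return "attack"
    if ev["sensor"] == "firewall" and ev.get("proto") == "udp" and ev.get("dport") == C2_UDP_PORT:
        return "communicate"
    if ev["sensor"] == "urlfilter" and ev.get("url", "").startswith(ROGUE_URL):
        return "upgrade"
    return None

def correlate(events, window=600, min_stages=2):
    """Return {host: sorted stages} for hosts showing at least min_stages
    distinct stages within `window` seconds (both values are assumptions)."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        stage = stage_of(ev)
        if stage:
            per_host[ev["src"]].append((ev["t"], stage))
    flagged = {}
    for host, hits in per_host.items():
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            flagged[host] = sorted(best)
    return flagged

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, "->", ", ".join(stages))
```

A host that trips only one rule, or trips two rules far apart in time, is left for the individual technology to handle; only hosts showing several stages close together are reported as a blended threat.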

Page 7: Security Technology Correlation


Role of Integrated Security - II

• Define policies which span across multiple technologies
• Performance impact of sequential processing – throughput and latency
• Introduce new security technologies with negligible impact
• Ease of management

Page 8: Security Technology Correlation


Single Pass Architecture

[Diagram: Packets In, Packets Out]