
How to secure networks against attacks from inside while making maximum use of the existing infrastructure

How to secure networks against attacks from inside while making maximum use of the existing infrastructure. Michal Zlesák, Area Sales Manager - Eastern EMEA, michal.zlesak@enterasys.com. Securing the Network starts with the Questions to Ask… Do you have a corporate IT security policy?


Presentation Transcript


  1. How to secure networks against attacks from inside while making maximum use of the existing infrastructure
     Michal Zlesák, Area Sales Manager - Eastern EMEA, michal.zlesak@enterasys.com

  2. Securing the Network starts with the Questions to Ask…
     • Do you have a corporate IT security policy?
     • How do you enforce your security policy?
     • Can you identify a security breach occurring within the corporate infrastructure?
     • How long does it take to identify an internal security breach?
     • How long does it take to patch your entire environment on the discovery of a security breach?
     • Do you have mobile users that connect to the corporate infrastructure, but also connect to the Internet through non-trusted and possibly non-secure locations (home, coffee shop, etc.)?
     • Can your IT organization remove or quarantine anything on the network at a moment’s notice?
     • What would a complete system meltdown cost your organization?

  3. The Capabilities of Secure Networks™
     Establish and Enforce Policy for users and devices to protect the enterprise
     • Advanced Security Application
     • Proactive Prevention of attacks & compromises, everywhere, all the time
     • Access Control of users and devices on the network
     • Centralized Command and Control
     • Security Enabled Infrastructure (edge, distribution, core, data center, wireless)
     • Detect & Locate security intrusions and anomalous behavior
     • Respond & Remediate identified security breaches

  4. Secure Networks – Visibility & Awareness
     • Detect & Assess End Device
     [Diagram: Internet, DMZ, data center, distribution & core and access layers; Voice VLAN and Finance/Sales/Ops VLANs; step 1 marked at the user/device port]

  5. Detect and Assess End Device (step 1)
     Assessing the security posture of the connecting device
     • Device Detection: identify when a device attempts to connect to the network
     • Device Assessment: determine if the device complies with corporate security requirements
       • “Device Health”, e.g. OS patch revision levels, antivirus signature definitions
       • Other security compliance requirements, e.g. physical location, time of day
     • Device / User Authentication: verify the identity of the user or device connected to the network
     • Identify location of end device

  6. Secure Networks – Visibility & Awareness
     • Detect & Assess End Device
     • Monitor network and application flow behavior
     [Diagram: same topology as slide 4; step 1 at the user/device port, step 2 at the distribution & core layer]

  7. Granular Control of Network Traffic (step 2)
     Policy Administration
     • Leveraging the full capabilities of the policy architecture
     • Central policy configuration and distribution
     • Distributed policy enforcement points at the infrastructure access and distribution layer
     • Per user / per device controls at the aggregation of the non-policy-enabled access layer
     • Flow-based threat isolation and mitigation
     Policy Enforcement (core, distribution layer, access layer)
     • User/Device Access Control
     • Protocol Filtering
     • Undesirable Traffic Filtering
     • Application QoS
     • Per User Quarantine
     • Rate limiting – Prioritizing – Limiting resources

  8. Monitor Network and Application Flow Behavior (step 2)
     Security Information & Event Management / Traditional Network Performance Optimization
     • Monitor network bandwidth behaviors
     • Detailed application-level flow collection with packet data
     • All flows captured
     • QFlow, NetFlow, sFlow, cflowd, J-Flow

  9. Secure Networks – Visibility & Awareness
     • Detect & Assess End Device
     • Monitor network and application flow behavior
     • Monitor for threats in the infrastructure
     [Diagram: same topology as slide 4; step 1 at the user/device port, step 2 at the distribution & core layer, step 3 at the DMZ, data center and core]

  10. Threat Detection Methods (step 3)
     Signature Analysis
     • Complex signature analysis
     • Case sensitive/insensitive searching with support for wildcards and character types
     Application Anomaly Analysis
     • Protocol decoding analysis
     • Specific application security event analysis
     • Generic Denial of Service testing
     IP Session Analysis
     • Pattern matching in the IP headers of IP TCP/UDP/ICMP
     Layer 4 (UDP/TCP/ICMP)
     • TCP: analyze and store header variables; TCP checksum verification; TCP options verification and logging; TCP flags verification and logging
     • UDP: analyze and store header variables
     • ICMP: ICMP logging
     • Backdoor checks
     • Data collection for out-of-band processing
     • Stream reassembly
     • Port scan and sweep detection
     Layer 3
     • IP options logging
     • IP protocol logging
     • Header verification and analysis
     • IDS evasion checking
     • IP fragment reassembly & event logging
     • IP address checks
     • IP header values retrieved/checked/stored
     Layer 2
     • Frame filtering
     • Basic security checks
     Layer 1
     • Frame capture
     3 Threat & Compliance Methods
     • Signature Based Pattern Matching: IDS/IPS looks for known patterns of malicious activity, backed by robust threat signature libraries
     • Behavioral Anomaly Detection: “suspicious or out of the ordinary” events
     • Protocol Decoding: IDS/IPS monitors for protocol anomalies and violations in all common protocols, including VoIP protocols

  11. Monitor for Threats in Infrastructure (step 3)
     Signature Based Monitoring
     • Pattern Matching: NIDS, HIDS, IPS
     • Protocol Analysis & Anomaly: NIDS, HIDS, IPS
     Behavior Based Monitoring
     • Anomaly Detection: NetFlow, J-Flow, sFlow, cFlowd, QFlow, Packeteer Flow Data Record, FLOW
     [Diagram: both monitoring types feed Forensics, Policy, Correlation, Compliance and Day Zero Attack detection]

  12. Behavioral Flow Context Analysis (step 3)
     • Detailed Network Performance information: Applications, Latency, Traffic flows
     • Detailed view of the attack before, during, and after the incident from a network flow perspective
     • Example: Backdoor
       • SIM detects backdoor event
       • Tells classification engine to monitor: Attacker is <SRC>, Target is <DST>, Port is new, and found after <event time>, and Flow is <bi-directional>
       • Offenses are annotated with evidence
       • Flow Context analysis has detected that the attack successfully installed a backdoor on the target
     • Flows Tagged and Correlated to Offenses
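The backdoor example on this slide describes a concrete correlation rule: after the SIM raises an event, flows from the attacker to the target that start after the event, use a port the target was not serving before, and are answered by the target get tagged to the offense as evidence. The following is an added illustration of that rule, not Enterasys or SIEM code from the presentation; the record types, field names, the "port is new" interpretation (not in the target's pre-event baseline) and the sample flows are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Hypothetical record types; the field names are assumptions, not a vendor schema.

@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/sFlow-style summary, not packets)."""
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_fwd: int   # bytes src -> dst
    bytes_rev: int   # bytes dst -> src; 0 means the target never answered


@dataclass
class Offense:
    """An event the SIM has raised, plus the flow evidence attached to it."""
    event_time: datetime
    attacker: str
    target: str
    signature: str
    evidence: List[Flow] = field(default_factory=list)


def baseline_ports(target: str, flows: List[Flow], before: datetime) -> Set[int]:
    """Destination ports the target was already serving before the event."""
    return {f.dport for f in flows if f.dst == target and f.start < before}


def annotate_offense(offense: Offense, flows: List[Flow]) -> Offense:
    """Tag to the offense every flow matching the slide's criteria: attacker -> target,
    starting after the event, on a port not in the pre-event baseline, bidirectional."""
    known = baseline_ports(offense.target, flows, offense.event_time)
    for f in flows:
        if (f.src == offense.attacker
                and f.dst == offense.target
                and f.start >= offense.event_time
                and f.dport not in known
                and f.bytes_fwd > 0 and f.bytes_rev > 0):
            offense.evidence.append(f)
    return offense


def backdoor_confirmed(offense: Offense) -> bool:
    """Flow context confirms the backdoor if at least one tagged flow exists."""
    return bool(offense.evidence)


# Constructed sample data (not captured traffic).
T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_FLOWS = [
    # Before the event: the target serves HTTP to the attacker, so port 80 is baseline.
    Flow(T0 - timedelta(minutes=30), "10.9.8.7", 51000, "10.1.1.5", 80, 900, 5000),
    # After the event: answered session on a port never seen before -> evidence.
    Flow(T0 + timedelta(minutes=2), "10.9.8.7", 52000, "10.1.1.5", 4444, 1200, 8000),
    # After the event, but port 80 is already baseline -> not evidence.
    Flow(T0 + timedelta(minutes=3), "10.9.8.7", 52001, "10.1.1.5", 80, 700, 4000),
    # New port but the target never answered (one-way probe) -> not evidence.
    Flow(T0 + timedelta(minutes=4), "10.9.8.7", 52002, "10.1.1.5", 5555, 60, 0),
    # A different source on the new port -> not this offense's attacker.
    Flow(T0 + timedelta(minutes=5), "10.2.2.9", 40000, "10.1.1.5", 4444, 300, 300),
]


def run_sample() -> Offense:
    """Correlate the constructed flows against a fresh backdoor offense."""
    return annotate_offense(Offense(T0, "10.9.8.7", "10.1.1.5", "backdoor-install"),
                            SAMPLE_FLOWS)


if __name__ == "__main__":
    off = run_sample()
    print(f"backdoor confirmed: {backdoor_confirmed(off)}")
    for f in off.evidence:
        print(f"  evidence: {f.src}:{f.sport} -> {f.dst}:{f.dport} at {f.start}")
```

Only one of the four post-event flows survives the filter: the baseline check removes the ordinary HTTP traffic, the bidirectional check removes a probe the target never answered, and the attacker match removes an unrelated host, which is why flow context can say the backdoor is actually in use rather than merely attempted.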

  13. Secure Networks – Visibility & Awareness
     • Detect & Assess End Device
     • Monitor network and application flow behavior
     • Monitor for threats in the infrastructure
     • Manage Security Information
     [Diagram: same topology as slide 4; steps 1 to 3 as before, step 4 at the distribution & core layer]

  14. Manage Security Information (step 4)
     Security Information & Event Manager (SIEM)
     • Provides a shared view of the infrastructure
     • Extensive 3rd party device support
     • Correlates seemingly disparate network and security events
     • Links network behavior with security posture for compliance
     • Satisfies IT’s convergence objective

  15. Reporting – For Operations & Compliance (step 4)
     Manage Security Information
     • The value of reporting is that it enhances your business’s compliance posture
     • Executive Level Reports: high-level enterprise-wide or departmental summary reports
     • Operational Reports: detailed enterprise-wide or departmental reports
     • Wizard driven: easy to use; build, edit, schedule and distribute reports
     Variety of Outputs and Graph Types
     • XML, HTML, PDF, CSV
     • Bar, Delta, baselines, Pie, Line, Stacked Bar…

  16. Network Defense System
     Response
     • Operations Center Dashboard (Human Response)
     • Automated Security Manager (Automated Response)
     • Automated Security Reports
     • Policies Applied to Network Equipment
     Analytics
     • SIEM - Security Information & Event Manager
     Inputs (EFP / SEG)
     • Security Event Data: events from 3rd party Firewall, VoIP Gateway, IDS/IPS, SIM, Vulnerability Assessment, Syslog, Application, Database, etc.
     • External Threat Data: threatening subnet ranges, blacknet IP addresses, spyware sites, etc.
     • Flow Data: J-Flow, S-Flow, NetFlow
     Surveillance and Front Line Prevention
     • Network Behavioral Anomaly Detection
     • Host IDS/IPS
     • Network IDS/IPS

  17. Secure Networks – The Power of Visibility and Control
     1. User Assessed and Authenticated through NAC
     2. User attempts directed attack at critical server
     3. IDS/IPS detects and drops lethal packets
     4. IDS/IPS forwards detected event to ASM
     5. ASM Locates threat
     6. ASM turns off access to port
     7. NAC blacklists User from authenticating
     [Diagram: Internet, DMZ, data center, distribution & core and access layers with Phone VLAN, VLAN 1 and VLAN 2; steps 1 to 7 marked on the topology]
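Steps 4 to 7 of this slide are an automated containment loop: the ASM takes a forwarded IDS event, resolves the source address to the NAC session (user, switch, port) recorded in step 1, disables that port and tells NAC to refuse the user's next authentication. The following is an added, self-contained model of that loop, not Enterasys ASM or NAC code; the class names, the severity threshold, the critical-server list, the "queue for human review" fallback and the sample sessions (including the switch and port names) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical types and names; not vendor NAC or ASM code.

@dataclass(frozen=True)
class NacSession:
    """What NAC knows about a user once assessed and authenticated (step 1)."""
    user: str
    ip: str
    switch: str
    port: str


@dataclass(frozen=True)
class IdsEvent:
    """Event forwarded by the IDS/IPS after it dropped the packets (steps 3 and 4)."""
    signature: str
    src_ip: str
    dst_ip: str
    severity: int   # assumed scale 1 (low) .. 10 (critical)


class Nac:
    """Session table plus the authentication blacklist used in step 7."""

    def __init__(self, sessions: List[NacSession]) -> None:
        self._by_ip: Dict[str, NacSession] = {s.ip: s for s in sessions}
        self.blacklist: Set[str] = set()

    def locate(self, ip: str) -> Optional[NacSession]:
        return self._by_ip.get(ip)

    def blacklist_user(self, user: str) -> None:
        """The user cannot authenticate again until an operator clears them."""
        self.blacklist.add(user)


class AutomatedSecurityManager:
    """Steps 5 and 6: locate the source of a forwarded event and shut its access port."""

    def __init__(self, nac: Nac, critical_servers: Set[str], min_severity: int = 7) -> None:
        self.nac = nac
        self.critical_servers = critical_servers
        self.min_severity = min_severity                 # assumed automation threshold
        self.disabled_ports: Set[Tuple[str, str]] = set()
        self.for_human_review: List[IdsEvent] = []       # Operations Center Dashboard queue

    def handle(self, event: IdsEvent) -> List[str]:
        actions: List[str] = []
        # Automate only high-severity events against critical assets; everything else
        # goes to the human-response path rather than tripping an automatic quarantine.
        if event.severity < self.min_severity or event.dst_ip not in self.critical_servers:
            self.for_human_review.append(event)
            return ["queued-for-review"]
        session = self.nac.locate(event.src_ip)
        if session is None:
            # Never quarantine blind: an unlocated source may be spoofed or sit behind
            # a shared uplink, where disabling a port would cut off innocent users.
            self.for_human_review.append(event)
            return ["unlocated-source", "queued-for-review"]
        key = (session.switch, session.port)
        if key not in self.disabled_ports:               # idempotent on repeated events
            self.disabled_ports.add(key)
            actions.append(f"disable-port {session.switch}/{session.port}")
        if session.user not in self.nac.blacklist:
            self.nac.blacklist_user(session.user)
            actions.append(f"blacklist-user {session.user}")
        return actions or ["already-contained"]


def build_demo() -> AutomatedSecurityManager:
    """Constructed NAC table and ASM for the walk-through (sample values only)."""
    nac = Nac([
        NacSession("jdoe", "10.20.30.40", "access-sw-01", "ge.1.12"),
        NacSession("asmith", "10.20.30.41", "access-sw-01", "ge.1.13"),
    ])
    return AutomatedSecurityManager(nac, critical_servers={"10.1.1.5"})


if __name__ == "__main__":
    asm = build_demo()
    evt = IdsEvent("directed-exploit-attempt", "10.20.30.40", "10.1.1.5", 9)
    print(asm.handle(evt))   # port disabled and user blacklisted
    print(asm.handle(evt))   # repeated event: already contained
```

The two guard clauses are the part worth copying: an automated response that cannot tie the source address to an authenticated session, or that fires on low-severity noise, should land on the operations dashboard for a human decision instead of disabling ports on its own.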

  18. Thank You
