Unified Threat Management. Peter Theobald CEO, IT Secure Presentation at Sys Admin Workshop, IIT Kanpur Oct 21, 2005. IIT Kanpur Sys Admin Workshop Quiz. When is “Sys Admin Appreciation Day”?. Sys Admin’s have a tough enough job already. What about Security threats?

Unified Threat Management

Peter Theobald

CEO, IT Secure

Presentation at

Sys Admin Workshop, IIT Kanpur

Oct 21, 2005

IIT Kanpur Sys Admin Workshop Quiz
  • When is “Sys Admin Appreciation Day”?
Sys Admins have a tough enough job already...
  • What about Security threats?
  • How serious are they?
  • What is the most effective and cost efficient way to handle them?
Current Trends
  • Speed & sophistication of cyber-attacks are dramatically increasing
  • Blended threats, hybrid attacks and automated tools have become popular, and getting them is easy
  • Critical infrastructure is dependent on the Internet, and threats are progressively more unpredictable
  • Security problems cost time, money and pain
[Chart: Attack Sophistication vs. Intruder Technical Knowledge, 1980–2004, with curves for Intruders and Tools. Attack sophistication climbs from Low to High while the knowledge an intruder needs falls. Plotted items, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, network mgmt. diagnostics, GUI tools, automated probes/scans, www attacks, denial of service, distributed attack tools, “stealth” / advanced scanning techniques, staged attacks, cross site scripting, auto-coordinated tools.]

Vulnerability in Software
  • “99% of intrusions result from exploitation of known vulnerabilities”

Source: 2001 CERT, Carnegie Mellon University

  • Cause: Software vulnerabilities are caused by source code written without proper input checks and buffer handling
  • Threat: Facilitated by not applying patches to vulnerable machines, and having those machines exposed on the network to outside threats
  • The recent Slammer Worm exploited a SQL Server vulnerability for which a patch had been available since July, 2002
E-mail Viruses
  • E-mail has become the primary means for distributing threats
  • Trojans are easy to deliver and install
  • HTML viruses (no user intervention) with webmail
  • E-mails with attachments containing:
    • Macros, VB scripts, JavaScript and HTML scripts
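The attachment types listed above are what a mail gateway's content control has to recognise. The Python below is an added example, not code from the presentation or from any vendor it names: it parses a MIME message with the standard library, classifies each attachment by its final extension so that a double extension such as invoice.pdf.exe is still caught, sends macro-capable Office documents to AV scanning rather than blocking them outright, and checks the decoded bytes for a Windows PE header hidden under a harmless name. The policy table, the file names and the message itself are constructed for the example.

```python
"""Attachment content control at the mail gateway (added example).

Parses a MIME message with the standard library and applies a policy to each
attachment: block script/executable types, send macro-capable Office documents
to AV scanning, and catch executables hidden under a harmless file name.
The policy table and the sample message are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Final-extension policy. Constructed for the example; it covers the slide's
# list (executables, macros, VB scripts, JavaScript, HTML scripts).
BLOCKED_EXTENSIONS = {
    ".exe": "executable", ".scr": "executable", ".pif": "executable",
    ".com": "executable", ".bat": "executable", ".cmd": "executable",
    ".vbs": "VB script", ".vbe": "VB script",
    ".js": "JavaScript", ".jse": "JavaScript",
    ".hta": "HTML application", ".htm": "HTML script", ".html": "HTML script",
}
# Office formats that may carry macros: scan rather than block outright.
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}


def classify_filename(name):
    """Return (verdict, reason) for an attachment name.

    Only the final extension counts, so "invoice.pdf.exe" is an executable;
    surrounding whitespace is stripped so "report.exe   " is too.
    """
    lowered = name.strip().lower()
    dot = lowered.rfind(".")
    ext = lowered[dot:] if dot >= 0 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", BLOCKED_EXTENSIONS[ext]
    if ext in MACRO_CAPABLE:
        return "scan", "macro-capable document"
    return "allow", "no policy match"


def check_message(raw):
    """Classify every attachment in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict, reason = classify_filename(name)
        data = part.get_payload(decode=True) or b""
        # Content check: a Windows PE image starts with "MZ" whatever it is called.
        if data.startswith(b"MZ") and verdict != "block":
            verdict, reason = "block", "PE executable header under a harmless name"
        findings.append((name, part.get_content_type(), verdict, reason))
    return findings


def overall_verdict(findings):
    """Most severe verdict wins: block > scan > allow."""
    verdicts = {f[2] for f in findings}
    for v in ("block", "scan", "allow"):
        if v in verdicts:
            return v
    return "allow"


def sample_message():
    """Constructed message: three attachments exercising each policy branch."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("See attached.")
    # 1. double extension, clearly an executable
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # 2. legacy Office document (OLE header), macro-capable
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
                       maintype="application", subtype="msword", filename="quarterly.doc")
    # 3. PE image renamed to look like a text file
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    results = check_message(sample_message())
    for name, ctype, verdict, reason in results:
        print(f"{verdict:5s} {name:18s} {ctype:26s} {reason}")
    print("message verdict:", overall_verdict(results))
```

Extension matching alone is not enough, which is why the content check runs as well: the third attachment passes the name policy and is only blocked because its bytes identify it.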

File Based Threats
  • Example: Internet download
  • Viruses and malicious code infection:
    • Peer to Peer
    • Instant Messaging apps
    • Shareware sites
    • Compromised servers
    • Legitimate corporations
    • Web based email
  • Threats pass through stateful packet inspection firewalls
  • Once inside the network, others are easily affected

File Based Threats
  • Example: Netbios file transfers
  • Viruses can be uploaded to network drives
  • Once on the network drive users can be affected
  • Nimda was a virus that attacked file servers and opened up a hole to allow a hacker to obtain control of the server

Application Attacks: Buffer Overflow
  • Unpatched Servers: Scob
  • Servers do not get up to date patches
  • Attacker sends malicious code through a buffer overflow
    • Executes program instructions on the victim’s computer
    • Can also be used as a denial-of-service attack, causing the computer to crash
  • Server is infected
  • New users who access server get infected

Software Development Mistakes

[Pie chart of vulnerability causes, sources: CERT Advisories and Security Focus. Categories: Buffer Overflows, Input Validation Error, Boundary Condition Error, Access Validation Error, Failure to Handle Exceptional Conditions, Design Error, Configuration Error, Format String, Integer Overflow, Double Free, Unknown, Others. Only the 6%, 3% and 2% slice labels survive extraction.]

MyTob Worm
  • Discovered on: February 26, 2005
  • [email protected] is a mass-mailing worm that propagates via network shares and through email
    • Uses its own SMTP engine to send an email to local email addresses
    • Exploits the Microsoft Windows LSASS Remote Buffer Overflow and RPC/DCom
  • Opens a back door into the affected computer
  • Protects itself by redirecting AV update traffic to the local computer
Step 1: Arrives as an email or buffer overflow
  • Copies itself as %System%\msnmsgs.exe
  • Adds the value “MSN” = “msnmsgs.exe” to the registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\OLE
    • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
  • [email protected] runs every time Windows starts

Step 2: Loads itself into memory
  • Since the exe is now in start up, “msnmsgs.exe” is loaded into memory
  • “HELLBOT” by Diablo is clearly advertised to show who wrote the program

Step 3: Logs in to an IRC channel
  • Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667
  • Advertises host PC IP address
  • Listens for commands that allow the remote attacker to perform the following actions:
    • Download files
    • Execute files
    • Delete files
    • Update itself
    • Get uptime information

Step 4: Generate potential targets and attack
  • Generates random IP addresses
  • Exploits the RPC/DCOM vulnerability
    • Allows the program to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service
  • Exploits the Windows LSASS vulnerability
    • This is a buffer overflow that allows remote code execution and enables a malicious user to gain full control of the affected system

Step 5: Use its own SMTP server to send itself
  • Searches for email addresses on the local computer, in files with these extensions:
    • .wab, .adb, .tbb, .dbx
    • .asp, .php, .sht, .htm
  • From: “Spoofed”
  • Subject: one of
    • hello / hi / error / status
    • Mail Transaction Failed
    • Mail Delivery System
    • SERVER REPORT
    • (No Subject)
    • (random alphabets)
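Read from the defender's side, Steps 1 to 5 are a list of host and network indicators. The Python below is an added example, not code from the presentation: it parses a Windows registry export for the “MSN” = “msnmsgs.exe” value under the autostart keys listed in Step 1, and scans firewall log lines for the IRC control channel of Step 3 (TCP 6667 / irc.blackcarder.net) and for workstations talking SMTP directly, which is what a worm with its own SMTP engine (Step 5) looks like from the gateway. The registry export, the log lines and their format, and the mail-server allow-list are constructed for the example.

```python
"""Indicator checks for the worm behaviour on slides Step 1 to Step 5 (added example).

Two data sources are checked: a Windows registry export (.reg text) for the
autostart value the worm writes, and firewall log lines for the IRC control
channel and for hosts sending SMTP directly. All sample data is constructed.
"""
import re

# Host indicators from the slides.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
}
DROPPED_FILE = "msnmsgs.exe"
# Network indicators from the slides.
IRC_HOST = "irc.blackcarder.net"
IRC_PORT = 6667
SMTP_PORT = 25
# Constructed: the only internal host that may send SMTP outbound.
MAIL_SERVERS = {"10.0.0.5"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_registry_export(text):
    """Return (key, value name, value data) for autostart entries naming the dropped file."""
    wanted = {k.lower() for k in RUN_KEYS}   # registry paths are case-insensitive
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current and current.lower() in wanted:
            name, data = m.groups()
            if DROPPED_FILE in data.lower():
                hits.append((current, name, data))
    return hits


# Constructed log format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> <dst name or ->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<host>\S+)$"
)


def scan_firewall_log(text):
    """Return (source host, indicator, line) for IRC control traffic and direct SMTP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        dport = int(f["dport"])
        if f["proto"] == "TCP" and (dport == IRC_PORT or f["host"].lower() == IRC_HOST):
            # Step 3: the bot joins its IRC channel on TCP 6667.
            findings.append((f["src"], "irc-control-channel", line))
        elif f["proto"] == "TCP" and dport == SMTP_PORT and f["src"] not in MAIL_SERVERS:
            # Step 5: a workstation speaking SMTP itself suggests an embedded mail engine.
            findings.append((f["src"], "direct-smtp-from-workstation", line))
    return findings


def report(reg_text, log_text):
    """Combine both checks; hosts with a network indicator are listed for triage."""
    net = scan_firewall_log(log_text)
    return {
        "registry": scan_registry_export(reg_text),
        "network": net,
        "hosts_to_triage": sorted({src for src, _, _ in net}),
    }


# Constructed sample data (TEST-NET addresses stand in for the real IRC server).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityAgent"="C:\\Program Files\\AV\\agent.exe"
"MSN"="msnmsgs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook]
"FirstRun"="0"
"""

FW_LOG = """\
2005-10-21 10:03:12 ALLOW TCP 10.0.0.25:1045 -> 203.0.113.7:6667 irc.blackcarder.net
2005-10-21 10:03:40 ALLOW TCP 10.0.0.25:1046 -> 198.51.100.9:25 -
2005-10-21 10:03:41 ALLOW TCP 10.0.0.25:1047 -> 198.51.100.10:25 -
2005-10-21 10:04:02 ALLOW TCP 10.0.0.5:2210 -> 198.51.100.9:25 -
2005-10-21 10:04:30 ALLOW TCP 10.0.0.31:3302 -> 203.0.113.44:80 www.example.com
2005-10-21 10:05:10 ALLOW UDP 10.0.0.31:1052 -> 10.0.0.2:53 -
"""

if __name__ == "__main__":
    for section, rows in report(REG_EXPORT, FW_LOG).items():
        print(section)
        for row in rows:
            print("  ", row)
```

The direct-SMTP check is the more durable of the two: the IRC server name and port belong to one worm, whereas a workstation opening port-25 connections on its own is a policy violation whatever the malware, so blocking that at the gateway (and alerting on the attempt) removes the spreading mechanism of Step 5 for this whole class.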

What is Spyware/Adware?
  • Spyware is any software that utilizes a computer’s Internet access without the host’s knowledge or explicit permission
  • According to certain experts, approximately 90% of computers have some form of Spyware
  • Aids in gathering information:
      • Browsing habits (sites visited, links clicked, etc.)
      • Data entered into forms (including account names, passwords, text of Web forms and Web-based email, etc.)
      • Keystrokes and work habits
Spyware Infection
  • A - Downloading programs
    • Kazaa / screensavers / windows utilities
    • Download managers / file sharing sw / demo software
  • B - Trojans that are delivered or downloaded in e-mail
  • C - In free, banner ad-based software - Popups
  • D - The most notorious enabler of Spyware is Microsoft’s ActiveX module

Today’s Aging Technology
  • Stateful Packet Inspection (SPI) is limited protection
    • Provides source / destination / state intelligence
    • Provides network address translation
    • Stateful firewalls cannot protect against threats that are application layer based, file or email based
Firewall Technology
  • Typical firewalls are effective for port blocking
  • If a port is open it is assumed any data can pass
  • Intrusion detection is a “reactive” approach that does not actively protect
  • Security must be built upon deep packet inspection, AV/Spy/Intrusion prevention with dynamic updates

The New Standard - UTM
  • Unified Threat Management
  • Integration of Firewall
    • Deep Packet Inspection
    • Intrusion Prevention for blocking network threats
    • Anti-Virus for blocking file based threats
    • Anti-Spyware for blocking Spyware
  • Faster updates for the dynamically changing threat environment and elimination of false positives
Deep Packet Inspection - Unified Threat Mgmt
  • Zone based security
    • Protect internally
  • Gateway Anti-Virus
    • Scan through unlimited file sizes
    • Scan through unlimited connections
    • Scan over more protocols than any similar solution
  • Anti-Spyware for protection against malicious programs
    • Blocks the installation of spyware
    • Blocks Spyware that is emailed and sent internally
  • Applications Layer Threat Protection:
    • Full protection from Trojan, worm, blended and polymorphic threats
    • Full L2-7 signature-based inspection
    • Application awareness

[Diagram: PRO Series as a Prevention Solution. SonicWALL IPS/GAV Dynamic Updates feed DPI (Intrusion Prevention / Gateway AV / Anti-Spy) placed between the Dept Zone, Server Zone and User Zone.]
Typical Network Traffic: Email

[Diagram: Firewall Traffic Path. Typical User Activity produces Typical Network Traffic such as Email. "Our World View" is the message; the "Firewall View" is packets 1 to 4, each made of HEADER and DATA, with Hidden threats carried in the data.]

Network communication, like email, file transfers and web sessions, is packetized

Traffic = multiple packets of information

One Packet = Header info and Data

Stateful Packet Inspection

[Diagram: Firewall Traffic Path with Stateful Packet Inspection. The INSPECT step reads only the packet headers: the IP header (Version | Service | Total Length; ID | Flags | Fragment; TTL | Protocol | IP Checksum; Source IP Address; Destination IP Address; IP Options) and the UDP header (Source UDP Port, Destination UDP Port, UDP Length, UDP Checksum). Sample values shown: Source 212.56.32.49, Destination 65.26.42.17, Source Port 823747, Dest Port 80, Sequence 2821 / 28474, IP Option none, Syn state SYN. The DATA field is not examined.]

Stateful is limited inspection that can only block on ports

No Data Inspection!

Deep Packet Inspection

[Diagram: Firewall Traffic Path with Stateful Packet Inspection followed by Deep Packet Inspection. The INSPECT steps cover the IP header, the UDP header and the DATA field, which is compared against a Signature Database.]

Signature Database (signature counts by category): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT

Deep Packet Inspection inspects all traffic moving through a device

Deep Packet Inspection / Prevention

[Diagram: Firewall Traffic Path, Stateful Packet Inspection followed by Deep Packet Inspection. Four packets, each with IP header, UDP header and DATA, pass through; the DATA of each is compared against the Signature Database ("Comparing…") and the result is "Application Attack, Worm or Trojan Found!".]

Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans.
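The Firewall Technology slide makes the point in one line: if a port is open, a port filter assumes any data can pass. The Python below is an added example, not code from the presentation or from SonicWALL, that makes the difference concrete. It builds two IPv4/UDP packets using the slide's sample addresses, parses the IP and UDP headers with version, length and checksum validation, and then decides each packet twice: once as a stateful/port filter that sees only protocol and ports, and once as deep packet inspection that also matches the DATA field against a signature list. The open-port policy, the signature and both payloads are constructed for the example; the second packet is addressed to an open port, so the port filter passes it and only DPI blocks it.

```python
"""Port filtering versus deep packet inspection on one packet (added example).

Builds IPv4/UDP packets, parses and validates the headers, then decides each
packet twice: as a stateful/port filter that sees only addresses and ports,
and as DPI that also matches the DATA field against signatures. The open-port
policy, the signature and the payloads are constructed for this example.
"""
import socket
import struct

PROTO_UDP = 17


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src, dst, sport, dport, data, ttl=64):
    """IPv4 header (no options) + UDP header + data. UDP checksum left 0 (optional in IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl,
                      PROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_packet(pkt):
    """Parse IPv4 + UDP, validating version, lengths and the IP checksum."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("bad IPv4 checksum")
    p = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
         "ttl": ttl, "options": pkt[20:ihl], "sport": None, "dport": None}
    body = pkt[ihl:total_len]
    if proto == PROTO_UDP:
        if len(body) < 8:
            raise ValueError("short UDP header")
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        if ulen < 8 or ulen > len(body):
            raise ValueError("bad UDP length")
        p.update(sport=sport, dport=dport, data=body[8:ulen])
    else:
        p["data"] = body
    return p


def is_well_formed(pkt):
    """True when the packet parses and validates; a DPI engine drops the rest."""
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


# Constructed policy: the firewall has DNS and the SQL Server resolution port open.
OPEN_PORTS = {(PROTO_UDP, 53), (PROTO_UDP, 1434)}
# Constructed signature list: (name, protocol, destination port, bytes that must appear in DATA).
SIGNATURES = [("constructed-exploit-marker", PROTO_UDP, 1434, b"EXPLOIT-MARKER")]


def spi_decision(pkt):
    """Stateful packet inspection: the decision depends on protocol and port only."""
    p = parse_packet(pkt)
    return "allow" if (p["proto"], p["dport"]) in OPEN_PORTS else "drop"


def dpi_decision(pkt):
    """Deep packet inspection: port policy first, then the DATA field against signatures."""
    p = parse_packet(pkt)
    if (p["proto"], p["dport"]) not in OPEN_PORTS:
        return "drop", None
    for name, proto, dport, content in SIGNATURES:
        if p["proto"] == proto and p["dport"] == dport and content in p["data"]:
            return "block", name
    return "allow", None


# Constructed packets using the slide's sample addresses.
BENIGN = build_udp_packet("212.56.32.49", "65.26.42.17", 1029, 53,
                          b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")
HOSTILE = build_udp_packet("212.56.32.49", "65.26.42.17", 1030, 1434,
                           b"EXPLOIT-MARKER" + b"A" * 16)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "SPI:", spi_decision(pkt), "DPI:", dpi_decision(pkt))
```

The validation in parse_packet is part of the point: a signature engine that trusts the length fields in the header can be steered past the data it is meant to inspect, so lengths and the checksum are checked before any content comparison is made.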

Gateway Anti-Virus and Content Control

[Diagram: Firewall Traffic Path, Stateful Packet Inspection followed by Deep Packet Inspection. Four packets from an "AuctionSite", each with IP header, UDP header and DATA, pass through Gateway Anti-Virus, Anti-Spyware and Content Inspection; the DATA is compared against the Signature Database and flagged "Virus File!".]

Security Must Be Updated

[Diagram: Firewall Traffic Path. Stateful Packet Inspection, Deep Packet Inspection, Gateway Anti-Virus, Anti-Spyware and Content Inspection / Content Filtering Service each draw on an updated database: Signature Database (IPS Database), AV Database, Spy Database and Content Filtering Database.]

Value Innovation Philosophy
  • Affordable
    • Total Cost of Ownership
  • Simple
    • Easy to Install, Use & Manage
  • Powerful
    • Deep – Dynamic – Distributed
Unified Threat Management Appliance
  • Firewall
  • VPN
  • Basic bandwidth Management
  • Gateway AV, Intrusion Prevention and Anti-spyware
  • Content Filtering
  • Reporting
  • Secure Wireless
  • High Availability - Appliance
  • ISP Load Balancing/Failover
  • Central Management
Dynamic Real-Time Protection
  • Dynamic real-time threat scanning engine at the gateway
    • Anti-Virus, Anti-spyware and Intrusion Prevention
    • Protects Against: Viruses, spyware, worms, trojans, app vulnerabilities
    • External and Internal protection
  • Reassembly-free engine
    • Scans & decompresses unlimited number of files & file sizes
  • Supports over 50 protocol types including
    • SMTP, IMAP, POP3 Email, HTTP – Web, FTP – File Transfer
    • Peer to Peer Transfers, NetBios – Intra LAN Transfers, any stream-based protocol
  • Updateable database by an expert signature team
The TZ Series is the ideal total security platform for small networks, providing a compelling blend of ease of use for basic networks and flexibility for more complex networks.

  • TZ 150
    • Deep Packet Inspection Firewall
    • Supports up to 10 nodes
    • 4-port MDIX LAN Switch
    • 30 Days of IPS/AV/CFS
  • TZ 170
    • Deep Packet Inspection Firewall
    • WorkPort
    • 5-port MDIX Switch
    • Upgrade to SonicOS Enhanced
    • 30 Days of IPS/AV/CFS
  • TZ 170 Wireless
    • Deep Packet Inspection Firewall
    • Wireless/Wired Security
    • 802.11b/g Radio
    • Upgrade to SonicOS Enhanced
    • 5-port MDIX Switch
    • 30 Days of IPS/AV/CFS
  • TZ 170 SP
    • Deep Packet Inspection Firewall
    • Failover/Failback
    • Analog Modem
    • Upgrade to SonicOS Enhanced
    • 5-port MDIX Switch
    • 30 Days of IPS/AV/CFS
  • TZ 170 SP Wireless
    • All the best features from each TZ 170
    • SHIPS WITH SonicOS Enhanced!
    • 30 Days of IPS/AV/CFS
The PRO Series is a multi-service security platform for companies requiring rock solid network protection coupled with fast, secure VPN access for remote employees.

  • PRO 1260
    • Small networks up to 25 nodes
    • Deep Packet Inspection Engine
    • 30 Days of IPS/AV/CFS
  • PRO 2040
    • Small-to-medium networks up to 200 nodes
    • Deep Packet Inspection Engine
    • Unlimited Nodes
    • 10 VPN Clients
    • 30 Days of IPS/AV/CFS
  • PRO 3060
    • Businesses with complex networks
    • Deep Packet Inspection Engine
    • 6 User-defined Interfaces
    • Unlimited Nodes
    • 25 VPN Clients
    • 30 Days of IPS/AV/CFS
  • PRO 4060
    • Businesses with complex network and VPN requirements
    • Deep Packet Inspection Engine
    • SonicOS Enhanced
    • 6 User-defined Interfaces
    • Unlimited Nodes
    • 1,000 VPN Clients
    • 1 Year of SonicWALL IPS
  • PRO 5060
    • Medium-to-large enterprise networks requiring Gigabit performance
    • Copper & Copper/Fiber Versions
    • Deep Packet Inspection Engine
    • SonicOS Enhanced
    • 2,000 VPN Clients
    • 1 Year of SonicWALL IPS

SonicOS Enhanced upgrade provides ISP failover, object-based management, policy-based NAT, 4+ interface support, and Distributed Wireless.

Tactical Content Management
  • Forged email address and Envelope
    • Fools recipient into opening
Tactical Content Management
  • Image only mails
    • How will text based filters work?
Word and Token Manipulation
  • Manipulate text in email so keyword matching fails
Uniqueness Generation
  • Junk words
  • Random words
URL obfuscation
  • Proxy hides the origin
  • HTML comment tags with random content
Token (colour) manipulation
  • Same colour font and background (invisible text), or
  • Difficult-to-read text with random characters / junk words
HTML Tag Corruption
  • Corrupt the tags so parsing is not possible!
Heuristic Grooming
  • Negative Rule Bashing
    • Legal disclaimers, PGP Signature, Forgot passwords
  • Problems for products!
Fooling Bayesian Filters
  • Populate text with random Words
  • Maybe invisible too!
Fooling Trainers and Collaborative Systems
  • Use false tokens
  • Increase the rate of false positives to unacceptable levels
  • Make the anti-spam solution unviable
Web bugs/Spam Beacons
  • Outlook mail client grabs images from the Spammer’s website
  • Spammer knows when you have opened the mail and probably knows your mail id as well
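The slides from Word and Token Manipulation through Web bugs describe tricks aimed at the filter's tokenizer rather than at the reader. The Python below is an added example, not code from the presentation or from any product it names, of the normalisation a filter applies before keyword or Bayesian scoring: it drops HTML comments, separates text whose font colour matches the background from the visible text, re-joins punctuation-separated letters and common digit-for-letter substitutions so that matching sees the intended word, tolerates mismatched closing tags, and flags remote 1x1 images as beacons. The sample message and the substitution table are constructed for the example.

```python
"""Filter-side normaliser for HTML spam obfuscation (added example).

Handles the tricks from the preceding slides: HTML comments with random
content, text coloured the same as the background, punctuation-separated
letters and digit-for-letter substitutions, mismatched tags, and remote 1x1
image beacons. The sample message is constructed for this example.
"""
import re
from html.parser import HTMLParser

NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}
VOID_TAGS = {"img", "br", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}
# Digit/symbol substitutions used to dodge keyword lists (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def norm_color(value):
    """Canonical lowercase #rrggbb, or None."""
    if not value:
        return None
    v = NAMED_COLORS.get(value.strip().lower(), value.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(c * 2 for c in v[1:])
    return v


def color_from_style(style):
    """Pull the foreground colour out of a style attribute (not background-color)."""
    m = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", style or "", re.I)
    return norm_color(m.group(1)) if m else None


def normalize_tokens(text):
    """Undo word/token manipulation so keyword matching sees the intended word."""
    # "L.O.A.N" / "V-I-P" -> "LOAN" / "VIP"
    text = re.sub(r"\b(?:\w[.\-_*]){2,}\w\b", lambda m: re.sub(r"[.\-_*]", "", m.group(0)), text)
    tokens = []
    for word in re.findall(r"[A-Za-z0-9@$]+", text):
        word = word.lower()
        if re.search(r"[a-z]", word) and re.search(r"[0-9@$]", word):
            word = word.translate(LEET)      # "fr33" -> "free"; a plain number is left alone
        tokens.append(word)
    return tokens


class MailNormalizer(HTMLParser):
    def __init__(self, background="#ffffff"):
        super().__init__(convert_charrefs=True)
        self.bg = norm_color(background)
        self.stack = []            # (tag, colour) for open elements
        self.visible, self.hidden, self.beacons = [], [], []
        self.comments = self.remote_images = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body" and a.get("bgcolor"):
            self.bg = norm_color(a["bgcolor"])
        if tag == "img":
            src = a.get("src", "")
            if src.lower().startswith(("http://", "https://")):
                self.remote_images += 1          # fetching it tells the sender the mail was opened
                if a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1"):
                    self.beacons.append(src)
        if tag in VOID_TAGS:
            return
        color = norm_color(a.get("color")) if tag == "font" else None
        self.stack.append((tag, color or color_from_style(a.get("style"))))

    def handle_endtag(self, tag):
        # Pop to the nearest matching open tag; ignore stray closers from corrupted markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

    def handle_comment(self, data):
        self.comments += 1                 # comment content never reaches the token stream

    def current_color(self):
        for _tag, color in reversed(self.stack):
            if color:
                return color
        return None

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.current_color() == self.bg else self.visible).append(text)


def analyze(html):
    """Return what the filter should score: visible tokens, plus the evasion indicators seen."""
    p = MailNormalizer()
    p.feed(html)
    p.close()
    return {
        "visible_tokens": normalize_tokens(" ".join(p.visible)),
        "hidden_text": p.hidden,
        "comments": p.comments,
        "remote_images": p.remote_images,
        "beacons": p.beacons,
    }


# Constructed sample spam message.
SAMPLE_MAIL = """<html><body bgcolor="#ffffff">
<!-- 8fj2k kq --><p>Fr33 m0rtgage qu0te</p><!-- zq91 -->
<p>L.O.A.N</p>
<font color="white">the quick brown fox jumps over the lazy dog</font>
<span style="color: #FFF; font-size: 1px">zq91 random words</span>
<div class=>corrupt tag</b></div>
<img src="http://cdn.example/logo.png" width="200" height="60">
<img src="http://tracker.example/p.gif?id=abc" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

Splitting hidden from visible text matters for both kinds of filter: the Bayesian scorer should learn from what the recipient actually sees, and the amount of hidden text and comment padding is itself a usable feature, since legitimate mail rarely carries paragraphs in the background colour.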
Metamorphic Spam Trojans
  • Target neglected Always-On PCs
  • Propagate through remote control
  • Invisible hosting of Spammers’ websites
  • Auto-installation of an SMTP server engine
  • Hijack the PC and convert it into a proxy
Spamware
  • Atomic Email Hunter
  • Stealth Mail Master
Barracuda Anti-spam Solution
  • From Barracuda Networks, USA
Barracuda Spam Firewall Family
  • Comprehensive solution
  • Blocks spam and virus
  • Enterprise class
  • Robust and reliable
  • Plug-and-play
  • No per user licensing fees
  • No changes needed to email servers
  • Integrated hardware and software solution
Barracuda Spam Firewall
  • Eliminates Spam and Virus
  • Protects your email server and your company
Architecture: 10 Defense Layers
  • High performance
  • Easily scalable
Barracuda Spam Firewall Family
  • Spam Firewall 100
    • 250 users
    • 500,000 mails/day
  • Spam Firewall 300
    • 1,000 users
    • 4 million messages/day
  • Spam Firewall 400
    • 5,000 users
    • 10 million messages/day
  • Spam Firewall 600
    • 10,000 users
    • 25 million messages/day
  • Spam Firewall 800
    • 25,000 users
    • 30 million messages/day

Clustering support for redundancy and higher capacity

NEW! Outbound Product!

Advice (1)
  • Make sure to save all your MP3 files on your network drive. Sys Admin will back them up for you!
  • Play with all the wires you can find. If you can't find enough, open something up to expose them. After you have finished, and nothing works anymore, put it all back together and call Sys Admin. Deny that you touched anything and that it was working perfectly only five minutes ago. Sys Admin just loves a good mystery.
  • Never write down error messages. Just click OK, or restart your computer. Sys Admin likes to guess what the error message was.
Advice (2)
  • If you get an EXE file in an email attachment, open it immediately. Sys Admin likes to make sure the anti-virus software is working properly.
  • When Sys Admin sends you an email marked as "Highly Important" or "Action Required", delete it at once. He's probably just testing some new-fangled email software.

Advice (3)
  • When the photocopier doesn't work, call Sys Admin. There's electronics in it, so it should be right up his alley.
  • When you're getting a NO DIAL TONE message at your home computer, call Sys Admin. He enjoys fixing telephone problems from remote locations. Especially on weekends and holidays.
  • When the printer won't print, re-send the job 20 times in rapid succession. That should do the trick.