Campus Network Information Security Threats and Applied Technologies (presentation transcript)

  1. Campus Network Information Security Threats and Applied Technologies. 陳家慶 (Jacob Chen), 886-2-87860968 #11

  2. Agenda • Analysis of potential network security threats, 15 min (network viruses, worms, attacks, spam, P2P...) • Campus network security solutions and management analysis, 20 min • Network security application trends and technologies, 15 min • How individual users can defend against network threats, 15 min • Case study, 15 min • Break, 10 min • Content security management and demonstration, 60 min • Config practice, 20 min

  3. Analysis of potential threats to information networks

  4. Customer Needs. Firewalls alone are not enough: users want new, integrated capabilities. (Source: Infonetics Research)

  5. The Nature of Threats Has Evolved (timeline chart, 1970 to 2000; speed and damage in $ rise along it). Physical threats: hardware theft, countered by lock and key. Connection-based threats: intrusions, countered by firewall, VPN and IDS. Content-based threats: viruses, trojans, worms, banned content and spam, countered by anti-virus, content filter and anti-spam. These are the major pain points for organizations of all types.

  6. The "Content Processing Barrier" Is the Challenge to Network Protection (chart of processing power required per service). Network-level services (firewall, VPN, IDS) are supported by today's network edge devices. Application-level services (virus/worm detection, content filtering) exceed the capabilities of available network devices. The line between the two is the content processing barrier.

  7. Conventional Solutions Can't Keep Up with Real-Time Communications. Conventional firewall and AV products are behind; a new approach is needed. • 25%+ of virus infections are delivered via Web traffic (vs. email)* • Software AV scanning is too slow for Web traffic • The need for speed keeps increasing: email -> Web -> instant messaging -> ??? (*Yankee Group)

  8. Conventional/Single-Point Security Solutions Do Not Solve These Problems. They do not examine the content of data packets, so threats pass through. Labels in the diagram: Hacker; Spam; "If it is sasser, then"; Viruses, worms; Mail Server; Intrusions; Banned content (www.find_a new job.com, www.free music.com, www.pornography.com).

  9. Many Conventional Products Are Needed for a "Complete" Solution (diagram): anti-virus software against viruses and worms; email filtering software against malicious email and spam; IDS/IPS against hacker intrusions; VPN; web content filtering software against banned content (www.find_a new job.com, www.free music.com, www.pornography.com).

  10. Campus network security solutions and management analysis

  11. (Repeat of slide 9: many conventional products are needed for a "complete" solution.)

  12. Firewall • A firewall operates at the network layer and the transport layer, and it can also treat packets from a management point of view, namely by the direction in which they are sent. Through firewall management, network address (IP address), network service (TCP/UDP port number) and direction are combined into a tightly woven security net. • High performance • ICSA certified • NAT, route and transparent modes • H.323 NAT • Policy-based • Group authentication via LDAP and RADIUS • WAN failover • Control over more than 40 standard protocols or user-defined services, e.g. Telnet, RealAudio, FTP, GRE, Oracle*8, etc. • Management and control • DHCP relay and WINS • Unified management of antivirus, firewall and VPN

  13. Firewalls Don't Analyze Contents, So They Miss Content Attacks. A stateful inspection firewall inspects packet headers only, i.e. it looks at the envelope but not at what is inside. The packet headers (TO, FROM, TYPE OF DATA: source IP, destination IP, MAC address, protocol, port) are checked; the packet payload (data) is not scanned. In the diagram every packet of http://www.freesurf.com/downloads/Gettysburg is passed as OK, including the one whose payload reads "Four score and BAD CONTENT our forefathers brou" followed by "ght forth upon this continent a new nation, ... liberty, and dedicated to the proposition that all".

  14. Firewall • Policies are written for VLANs, zones and interfaces/ports • A zone must contain VLANs and/or interfaces/ports before it can be used in a policy • An "Address" must be assigned to the VLAN, zone or interface/port before a policy can be created • Use content profiles to apply different restrictions to different groups of IP addresses • Create the content profile before creating the policy • Services/ports for VPN • Traffic shaping: token bucket

  15. Firewall - VLAN • A firewall policy can be applied to an interface, a zone, a VLAN, or the secondary IP of an interface • The "address" must be defined first within the Firewall section

  16. Firewall – 2nd IP LAN Address

  17. Firewall – VLAN Address

  18. Content Profiles • First enable in each profile the AV scanning/blocking, quarantining, web/email filtering, etc. that it should perform • Each profile is then assigned on a per-firewall-policy basis • This gives the flexibility to meet the different requirements and access restrictions of different groups • Can be applied to all supported protocols (HTTP, FTP, SMTP, POP3, IMAP)

  19. Unified Policy Management • Content rules can be adjusted dynamically to the needs of different users and serve as the network usage policy

  20. Policy-Based Protection Profile • Network usage rules can be defined for each individual policy

  21. Antivirus • Infection vectors • Local LAN (Windows network shares, vulnerabilities in the operating system itself) • HTTP, FTP, IMAP, POP3, SMTP • Free software, file sharing, "free" registration codes • Performance requirements • ASIC-based antivirus solution • ICSA-certified hardware antivirus gateway • Policy-based • Virus scanning • Signature database covering the world's known viruses • Infected files can be quarantined and oversized files can be blocked • Rapid threat response • Threat response provided by the Threat Response Team and FortiResponse • Automatic updates of virus signatures and intrusion detection signatures

  22. Msblast • Take infection by the Blaster worm (Msblast) as an example. Msblast stays resident in the memory of an infected machine and probes random IP addresses at roughly 20 addresses per second looking for the next potential victim. Once a machine is infected, Msblast opens port 4444 and port 69 (TCP 4444 for a remote shell, UDP 69 for TFTP) and attempts to connect to TCP port 135 on other machines. When it gets into a target it exploits the known Microsoft DCOM (Distributed Component Object Model) RPC (Remote Procedure Call) vulnerability, which lets the attacker use TFTP (Trivial FTP) to download a copy of the worm onto the victim and place it under windows\system32. The victim may display a message that the RPC service terminated unexpectedly and the system will restart in 60 seconds, so the machine reboots over and over. On the 16th the worm triggers: all infected machines launch a DoS (denial of service) attack against Microsoft's update site (windowsupdate.com) on the same day, trying to take it down. At the time an estimated million-plus machines worldwide were infected, leaving many IT staff busy patching every Microsoft system and fielding calls from affected users.
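The scanning behaviour described above (one host opening connections to many different addresses on TCP/135 within a second) is what a firewall log shows first, before any signature update arrives. The following is an added example, not code from the presentation or from Fortinet: it reads constructed log lines in a simplified "epoch src dst proto dport action" format (an assumption for the example, not the FortiGate log format) and flags any source that reaches a threshold of distinct TCP/135 destinations inside a one-second window.

```python
"""Flag Blaster-style TCP/135 scanning in firewall logs.

Added example; not code from the presentation or from Fortinet. The log
format ("<epoch> <src> <dst> <proto> <dport> <action>") is an assumption
chosen for the example, not the FortiGate log format.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.1.1.50 probes 24 consecutive addresses on
# TCP/135 within one second (about the worm's 20 addresses/s pace),
# 10.1.1.60 touches only 5 addresses in a second, and two hosts talk to a
# file server normally.
_SCAN = [f"1060000000.{i * 4:02d} 10.1.1.50 192.168.1.{i + 1} tcp 135 deny"
         for i in range(24)]
_SLOW = [f"1060000000.{i * 15:02d} 10.1.1.60 192.168.2.{i + 1} tcp 135 deny"
         for i in range(5)]
_BENIGN = [
    "1060000000.30 10.1.1.20 10.1.1.5 tcp 445 accept",
    "1060000000.40 10.1.1.20 10.1.1.5 tcp 445 accept",
    "1060000000.50 10.1.1.21 10.1.1.5 tcp 135 accept",
    "1060000001.50 10.1.1.21 10.1.1.5 tcp 135 accept",
]
SAMPLE_LOG = "\n".join(_SCAN + _SLOW + _BENIGN)


def parse_line(line):
    """Split one log line into (time, src, dst, proto, dport, action)."""
    t, src, dst, proto, dport, action = line.split()
    return float(t), src, dst, proto, int(dport), action


def find_scanners(log_text, port=135, window=1.0, threshold=15):
    """Return {src: peak_distinct_destinations} for every source that reaches
    `threshold` distinct destinations on TCP/`port` within any `window`
    seconds.  Lines for a given source must be in time order, as in a log.

    Counting distinct destinations rather than raw connection attempts is
    what separates a worm hunting for new victims from a host that
    legitimately hammers a single RPC endpoint.
    """
    recent = defaultdict(deque)   # src -> deque of (time, dst) inside the window
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport, _action = parse_line(line)
        if proto != "tcp" or dport != port:
            continue
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:      # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            hits[src] = max(hits.get(src, 0), distinct)
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct TCP/135 targets within 1 s, likely worm scanning")
```

Denied connection attempts are the useful signal here: a host that is only a victim makes no outbound TCP/135 connections of its own, so a source exceeding the threshold is already infected and should be isolated, whatever the signature database says.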

  23. Some Firewalls Claim to Do "Deep Packet Inspection", But They Still Miss a Lot. Deep packet inspection performs a packet-by-packet inspection of contents, but can easily miss complex attacks that span multiple packets. In the diagram the packets of http://www.freesurf.com/downloads/Gettysburg are each passed as OK: "Four score and BAD CONTENT our forefathers brou" (marked !), "ght forth upon this continent a new nation,", "... liberty, and dedicated to the proposition that all". Content split across the packet boundary ("brou" | "ght") goes undetected.

  24. Network-Level Processing Is Not Enough (diagram). Network-level content (packets) from http://www.freesurf.com/downloads/Gettysburg: "Four score and seven years ago our forefathers brou" | "ght forth upon this BANNED WORDS a new nation," | "... liberty, and dedicated to the proposition that all". • Firewall: inspects packet headers only, so it passes "valid" packets carrying banned content and attacks. • URL filter: stops blacklisted URLs, but may miss BANNED WORDS embedded in content. • Packet-based virus scan: may miss attacks that span multiple packets. Disallowed content list: BAD CONTENT, BANNED WORDS, NASTY THINGS, NASTIER THINGS, ATTACK SIGNATURES. Application-level content processing: 1. Reassemble packets into content. 2. Compare against the disallowed content and attack lists.

  25. Virus Everywhere

  26. WildList • "Wild" viruses are defined as viruses that have actually infected and spread among computers in recent years. When such a virus is found it is formally disclosed to the WildList Organization International, which publishes a monthly WildList report listing the viruses known to have spread in the wild since 1993; these are the viruses that genuinely need to be treated as threats and isolated. To make antivirus coverage complete, more than 55 qualified antivirus companies worldwide are members of the organization and are obliged to report and supply virus samples, so that the spread of viruses is blocked with a worldwide effort.

  27. Network Anti-Virus • A NAV system should be closed: secure, and not itself open to attack by viruses or hackers. • NAV protects a single perimeter, i.e. the protected area has no other possible path to the outside. • NAV must block viruses at the gateway edge, removing the risk of hosts being infected by what remains in a server's memory. • NAV reduces server load: because viruses are blocked at the network gateway, the externally facing servers need not spend resources on them. • NAV protects hosts that have no antivirus software because of the operating system they run. • NAV must solve this problem in hardware (ASIC). • Packet processing engine: handles the packet headers and speeds up identifying which application-layer data flow each packet belongs to. • Signature scanning engine: reassembles the packet payloads into content streams in system memory and loads the appropriate virus signatures to compare against them directly.

  28. Worldwide Real-Time Update Center Ensures Rapid Response to New Threats: the Fortinet Threat Response Team and update distribution servers; the FortiProtection Center web portal and email bulletins; automatic updates can reach all FortiGate units worldwide in under 5 minutes.
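Slides 23, 24 and 27 make one point: matching a signature against each packet separately misses content that straddles a packet boundary, so the scanning engine must first rebuild the stream in memory. The following is an added example, not code from the presentation or from Fortinet, using the slides' Gettysburg text and signature names; the segment boundaries, sequence numbers and delivery order are constructed for the example so that "BAD CONTENT" is cut in two.

```python
"""Per-packet inspection vs. reassembled-stream inspection.

Added example; not code from the presentation or from Fortinet. The
chunks, sequence numbers and delivery order are constructed so that the
signature "BAD CONTENT" straddles a segment boundary.
"""

SIGNATURES = (b"BAD CONTENT", b"BANNED WORDS")

# Constructed in-order application data, cut as "...BAD" | " CONTENT...".
CHUNKS = [
    b"Four score and seven years ago our ",
    b"forefathers brought forth upon this continent BAD",
    b" CONTENT a new nation, conceived in liberty, and",
    b" dedicated to the proposition that all men are created equal.",
]


def make_segments(chunks):
    """Attach TCP-style sequence numbers (byte offsets) to in-order chunks."""
    segments, seq = [], 0
    for chunk in chunks:
        segments.append((seq, chunk))
        seq += len(chunk)
    return segments


# Constructed delivery order: segment 2 arrives before segment 1, and
# segment 1 is retransmitted, as happens on a real network.
_IN_ORDER = make_segments(CHUNKS)
DELIVERED = [_IN_ORDER[0], _IN_ORDER[2], _IN_ORDER[1], _IN_ORDER[1], _IN_ORDER[3]]


def per_packet_scan(segments):
    """'Deep packet inspection' as slide 23 describes it: each packet's
    payload is matched on its own, so anything split across packets is missed."""
    found = set()
    for _seq, payload in segments:
        found.update(sig for sig in SIGNATURES if sig in payload)
    return found


def reassemble(segments):
    """Rebuild the byte stream: order by sequence number, drop retransmitted
    or overlapping bytes, and refuse to proceed across a hole (a missing
    segment), since a stream with a gap can hide a signature just as a
    single packet can."""
    stream, expected = b"", 0
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if end <= expected:            # pure retransmission: bytes already held
            continue
        if seq > expected:
            raise ValueError(f"hole in stream at offset {expected}")
        stream += payload[expected - seq:]   # skip any overlapping prefix
        expected = end
    return stream


def stream_scan(segments):
    """Application-level processing (slide 24): reassemble first, then match."""
    data = reassemble(segments)
    return {sig for sig in SIGNATURES if sig in data}


if __name__ == "__main__":
    print("per packet :", per_packet_scan(DELIVERED))   # nothing found
    print("reassembled:", stream_scan(DELIVERED))       # BAD CONTENT found
```

The cost of the second approach is the buffering: the whole stream (or at least a window wider than any signature) has to be held in memory before a verdict, which is why the slides treat content processing as a separate performance problem from header filtering and why oversized transfers need their own policy (slide 40).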

  29. Virus List

  30. Virus Detection. Protocols are handled differently when a virus is detected: • IMAP and POP3: the attachment is removed and replaced with a customizable message • HTTP: the page is replaced with a custom page • FTP and SMTP: an in-session error is returned

  31. Command Triggers • Within each protocol, specific commands trigger antivirus inspection: IMAP FETCH; HTTP GET and POST; FTP RETR and PUT; SMTP DATA and BDAT (but not BDAT with multiple chunks); POP3 RETR

  32. Splicing. Session splicing (passing the file on to its destination while the scan is still running, instead of holding the whole transfer until the scan finishes) is used when traffic is being scanned for viruses.

  33. Quarantining Files • FortiGate units with hard disks can be configured to quarantine blocked or infected files • The quarantined files are removed from the content stream and stored on the FortiGate hard disk • Users receive a message informing them that the removed files have been quarantined

  34. Quarantine List • The quarantine list can be sorted and filtered for ease of use • Suspicious files can be uploaded to Fortinet for analysis

  35. AutoUpload • Suspicious files can be sent to Fortinet automatically for analysis • New files and patterns can be added to the list

  36. Quarantine Options • Configure the FortiGate unit to handle quarantined files

  37. Non-standard Ports • Antivirus scanning can be configured to recognize application traffic on non-standard service ports • This can be used for customized services and is useful with HTTP proxies and caching. CLI example:
      config antivirus service smtp
          set port <port_integer>
      end

  38. File Blocking. By default, when file blocking is enabled, the FortiGate unit blocks the following file types: • executables (.bat, .com, .exe) • compressed/archive (.gz, .rar, .tar, .tgz, .zip) • DLLs • HTML applications (.hta) • Microsoft Office (.doc) • Microsoft Works (.wps) • Visual Basic (.vb?) • screen savers (.scr) • Windows information (.pif) • File blocking is performed before antivirus scanning and is not application-aware

  39. File Block

  40. Oversized File Blocking • The FortiGate unit can be configured to buffer 1 to 15 percent of available memory to hold oversized files and email • Files and email that exceed this limit are blocked by the FortiGate unit rather than being allowed to bypass antivirus scanning • A replacement message is sent to the HTTP or email proxy client.

  41. Fragmented Email • FortiGate units cannot scan fragmented email for viruses or use file pattern blocking to remove restricted files from it • For security, do not enable Pass Fragmented Emails in protection profiles • For added security, disable the fragmenting of email messages in the client email software
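Slides 38, 40 and 41 describe three decisions taken before any scanning happens, and the common thread is that each one fails closed: a matching file pattern is blocked before the scanner sees it, content too large to buffer is blocked rather than let through unscanned, and fragmented mail is blocked because it cannot be scanned at all. The following is an added example, not code from the presentation or from Fortinet, that puts those rules in order. The extension list is the slide's default list (".vb?" expanded to .vb/.vbs/.vbe is an assumption); the leading-bytes check is an added hardening step, since the slide itself says extension-based file blocking is not application-aware. The sample files are constructed byte strings.

```python
"""Fail-closed pre-scan gate: file-pattern block, content sniff, size limit,
fragmented mail.

Added example; not code from the presentation or from Fortinet. Extension
list from slide 38 (".vb?" expanded to .vb/.vbs/.vbe, an assumption); the
magic-number check is added hardening; sample files are constructed.
"""

BLOCKED_EXTENSIONS = {
    ".bat", ".com", ".exe",                    # executables
    ".gz", ".rar", ".tar", ".tgz", ".zip",     # compressed/archive
    ".dll", ".hta", ".doc", ".wps",
    ".vb", ".vbs", ".vbe",                     # the slide's ".vb?"
    ".scr", ".pif",
}

# Leading bytes of the formats the extension list is trying to keep out.
MAGIC = {
    b"MZ": "pe-executable",          # .exe/.dll/.scr share the MZ header
    b"PK\x03\x04": "zip-archive",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar-archive",
    b"\xd0\xcf\x11\xe0": "ole2-office",   # legacy .doc/.xls container
}


def extension_blocked(filename):
    """Slide 38's check: name only, no look at the bytes."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def sniff(data):
    """Return the format named by the file's leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def gate(filename, data, max_bytes, fragmented=False):
    """Decide what happens to a file before it reaches the scanner.

    Returns one of: block-fragment, block-extension, block-content,
    block-oversize, scan.  Nothing falls through to "scan" unless every
    check passed, so an unscannable object is never delivered.
    """
    if fragmented:                       # slide 41: cannot be scanned at all
        return "block-fragment"
    if extension_blocked(filename):      # slide 38: pattern block runs first
        return "block-extension"
    if sniff(data) is not None:          # added: renamed .exe, archive, etc.
        return "block-content"
    if len(data) > max_bytes:            # slide 40: over the buffer, block
        return "block-oversize"
    return "scan"


# Constructed samples: a real executable, the same bytes renamed, plain
# text, a zip with an innocent name, and a PDF larger than the buffer.
SAMPLES = {
    "invoice.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt":   b"Four score and seven years ago",
    "archive.dat": b"PK\x03\x04" + b"\x00" * 20,
    "big.pdf":     b"%PDF-1.4" + b"\x00" * 5000,
}


def evaluate(samples=SAMPLES, max_bytes=1024):
    """Run every sample through the gate and report the decision."""
    return {name: gate(name, data, max_bytes) for name, data in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate().items():
        print(f"{name:12s} -> {decision}")
```

The "invoice.txt" case is the one the slide's caveat is about: the name passes the default pattern list, so without the content check the renamed executable would reach the scanner and, if its signature were unknown, the user.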

  42. Intrusion Detection/Prevention • High performance • Network monitoring without affecting performance • NIDS can monitor traffic on several network segments at once • A comprehensive set of attack signatures • 1,400 known attack signatures included • User-defined attack signatures supported • Signature-based attack recognition • Prevention and active blocking of anomalous traffic and protocols • 34 anomaly signatures provided • Customization • User-defined attack lists • Email alert notification

  43. IDS & IPS. An intrusion detection and prevention system has two functions: intrusion detection (IDS) and intrusion prevention (IPS). IPS provides: • Monitoring and analysis of user and system behaviour • Auditing of network system configuration and network vulnerabilities • Assessment and protection of critical systems and data • Statistical analysis of abnormal behaviour • Tracking and logging of anomalous actors • Recognition of normal behaviour and rejection of known attacks • Response actions: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session

  44. Instant Messaging and P2P

  45. Easily Configured IDS • User-defined attack signatures • Nearly 1,400 attack signatures • Signatures grouped by attack attribute, for easier management • More than 34 anomaly patterns • Customization • Logs and alerts

  46. NIPS Signatures

  47. Intrusion Detection - Signature List Group

  48. Intrusion Prevention - Default Settings • The following anomaly checks are disabled by default: "Source Session", "UDP Source Session", "ICMP Source Session", "ICMP Fragment", "IP record routing", "IP strict/loose source record routing", "IP stream/security/timestamp option", "IP fragment", "IP Land attack"

  49. Intrusion Prevention - SYN Flood Settings • A SYN flood is declared when received SYN requests exceed 200/sec • Once declared, SYNs are handed to the SYN proxy; if proxied (half-open) connections exceed 1024, further SYN requests are discarded • Each proxy entry stays in the table for only 15 sec
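The three numbers on slide 49 describe one mechanism: a rate trigger, a bounded table of proxied half-open handshakes, and a lifetime after which an unanswered entry is dropped. The following is an added example, not code from the presentation or from Fortinet, that models only the decision the gateway makes per SYN (the handshake bytes themselves are not modelled). The thresholds are the slide's defaults; the client addresses and timing are constructed.

```python
"""SYN-flood trigger and SYN-proxy table with the slide's defaults.

Added example; not code from the presentation or from Fortinet. Trigger
(200 SYN/s), table size (1024) and entry lifetime (15 s) are the slide's
numbers; the traffic is constructed.  Only the per-SYN decision is
modelled, not the handshake packets.
"""
from collections import Counter, deque

SYN_RATE_TRIGGER = 200    # SYNs per second before proxying starts
PROXY_TABLE_LIMIT = 1024  # half-open entries the proxy will hold
PROXY_ENTRY_TTL = 15.0    # seconds an unanswered entry survives


class SynFloodGuard:
    def __init__(self, trigger=SYN_RATE_TRIGGER, limit=PROXY_TABLE_LIMIT,
                 ttl=PROXY_ENTRY_TTL):
        self.trigger, self.limit, self.ttl = trigger, limit, ttl
        self._window = deque()   # timestamps of SYNs seen in the last second
        self._table = {}         # (client_ip, client_port) -> time it was proxied

    def _expire(self, now):
        while self._window and now - self._window[0] > 1.0:
            self._window.popleft()
        for client, t0 in list(self._table.items()):
            if now - t0 > self.ttl:           # never completed the handshake
                del self._table[client]

    def on_syn(self, now, client):
        """Return 'forward' (normal stateful pass-through), 'proxy' (the
        gateway answers the SYN itself and waits for the client's ACK) or
        'discard' (flood in progress and the proxy table is full)."""
        self._expire(now)
        self._window.append(now)
        if len(self._window) <= self.trigger:
            return "forward"
        if len(self._table) >= self.limit:
            return "discard"
        self._table[client] = now
        return "proxy"

    def on_ack(self, now, client):
        """The client completed the proxied handshake, proving it is real:
        free its slot.  Returns True if a connection to the server may now
        be opened on its behalf, False if the client was not proxied."""
        self._expire(now)
        return self._table.pop(client, None) is not None

    def pending(self, now):
        """Half-open proxied connections still waiting for an ACK."""
        self._expire(now)
        return len(self._table)


def run_flood(guard, start, total, rate, prefix="203.0.113"):
    """Feed `total` SYNs at `rate` per second from distinct (spoofed) source
    ports, which never ACK, and count the guard's decisions."""
    counts = Counter()
    for i in range(total):
        now = start + i / rate
        client = (f"{prefix}.{i % 254 + 1}", 1024 + i)
        counts[guard.on_syn(now, client)] += 1
    return counts


if __name__ == "__main__":
    guard = SynFloodGuard()
    print(dict(run_flood(guard, 0.0, 2000, 2000.0)))  # 200 forward, 1024 proxy, rest discarded
    print("pending after 1 s :", guard.pending(1.0))
    print("pending after 20 s:", guard.pending(20.0))  # entries aged out
```

Spoofed sources never send the ACK, so their entries sit in the table until the 15 s lifetime removes them; a real client answers within a round trip and is released immediately. The trade-off the slide's numbers encode is that once 1024 spoofed handshakes are pending, every further SYN, legitimate or not, is discarded until entries age out, so the table size bounds memory at the cost of availability during a sustained flood.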

  50. IPS Signatures
