
James Oryszczyn President, TBJ Consulting LLC

Break-1520 - Next Generation Firewalls. James Oryszczyn, President, TBJ Consulting LLC. My credentials: CISSP, SANS GIAC Audit and Windows certified. I have been in the security business for over 15 years and have implemented firewalls and security in numerous education environments.





Presentation Transcript


  1. Break-1520 - Next Generation Firewalls
  James Oryszczyn, President, TBJ Consulting LLC

  2. My Credentials
  • CISSP
  • SANS GIAC Audit and Windows Certified
  • I have been in the security business for over 15 years
  • Have implemented firewalls and security in numerous education environments
  • I am President of TBJ Consulting LLC

  3. Agenda
  • Discuss problems with traditional firewalls
  • Discuss modern malware
  • Discuss URL filtering
  • Discuss user authentication
  • Discuss threat prevention
  • Discuss logging
  • Open discussion: if you have a question, ask…

  4. At the end of the presentation I will describe a survey you can take to see whether you have a next generation firewall

  5. Traditional Firewalls
  • Only filter ports; really just a port filter
  • Limited capabilities for user identification: source/destination IP address only
  • Logging is OK to poor; you can see what is dropped/allowed
  • No directory integration
  • Traditionally no spyware/anti-virus/malware protection
  • No Intrusion Prevention (IPS) or Detection (IDS)

  6. Traditional Firewalls, Continued
  • Usually need a third-party URL filter
  • Typically much more difficult to manage
  • Difficult to apply updates
  • Do not prevent attacks
  • Turning on IPS/IDS features kills the firewall

  7. Next Generation Firewalls
  Industry analysts recommend a change:
  "Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two." - Gartner
  "…we anticipate a consolidation of firewalls and IPS to create an even more advanced multifunction security gateway." - Forrester

  8. The Early Days (timeline figure, Performance / Damage plotted against the 1980s, 1990s, 2000s and Today: lock & key against physical hardware theft, then the connection-based firewall and VPN)

  9. Vendors Followed the Threats (figure extending the slide 8 timeline: after lock & key for physical hardware theft and the connection-based firewall and VPN, each content-based threat (intrusions, viruses, trojans, banned content, spam, worms, spyware) was met by its own product: IPS, antivirus, web filter, antispam, anti-spyware)

  10. Result: Multiple Devices, Consoles, Vendors
  Problems created:
  • Stand-alone, non-integrated security
  • Gaps in the security strategy
  • Mix of off-the-shelf systems and applications
  • Difficult to deploy / manage / use
  • High cost of ownership

  11. A Better Approach to Threat Prevention
  • Integrating IPS and threat prevention into the firewall is NOT simply about convenience…it's a necessity
  • True integration of IPS with the NGFW solves problems that traditional security products can't:
  • Controls threats on non-standard ports
  • Proactively reduces the attack surface
  • Controls the methods attackers use to hide
  • Integrates multiple threat prevention disciplines
  • Provides visibility and control of unknown threats

  12. The Evolution of Next Gen Firewalls
  • Applications became evasive
  • They needed to traverse the firewall
  • They would look for commonly open ports: port 80, 443, 53
  • Or look for any available port, including open high ports
  (figure: FTP, HTTP, SSH, Telnet and IM traffic crossing the firewall on ports 20, 22, 23, 80 and 531)
  Evasive applications fundamentally break the port-based model

  13. Non-Standard…Is the New Standard
  • 67% of the apps use port 80, port 443, or hop ports
  • 190 of them are client/server
  • 177 can tunnel other applications, a feature no longer reserved for SSL or SSH

  14. Impact of Port Evasion on Threat Prevention
  • IPS solutions are also port-based; they typically only look for exploits on the "typical" ports
  • If the firewall can't control traffic…
  • the IPS will miss threats on unexpected ports, or…
  • the IPS must run all signatures on all ports
  (figure: the same SSH, Telnet, IM, FTP and HTTP traffic on ports 20, 22, 23, 80 and 531 reaching a firewall plus IPS)

  15. NGFW Fixes the Firewall…and the IPS
  • Rebuilt the firewall from the ground up
  • Identifies traffic at the application level: always on, always the first action, on all ports
  • Positive control is regained, regardless of the port the traffic travels on
  • The firewall does what it was originally designed to do
  • IPS is enforced consistently
  • Evasive applications do not evade the IPS or the firewall
  (figure: the same SSH, Telnet, IM, FTP and HTTP traffic on ports 20, 22, 23, 80 and 531 classified by App-ID; "Ports No Longer Matter!")
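The point of slides 12 to 15, shown as an added example that is not part of the presentation or any vendor's product: a port-based classifier labels a flow by its destination port, while a content-based one looks at the first bytes on the wire, so SSH on port 80 or HTTP on port 531 is mislabelled by the former and caught by the latter. The flows, the tiny signature set and the 203.0.113.0/24 addresses are constructed for the example.

```python
from dataclasses import dataclass

# Port-to-application table a traditional, port-based firewall or IPS relies on
PORT_TABLE = {20: "ftp", 21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "ssl"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection

def classify_by_port(flow):
    """Traditional firewall view: the destination port *is* the application."""
    return PORT_TABLE.get(flow.dport, "unknown")

def classify_by_content(flow):
    """Simplified App-ID-style view: identify the protocol from what is on the wire."""
    p = flow.payload
    if p.startswith(b"SSH-"):                       # SSH version banner
        return "ssh"
    if p[:2] == b"\x16\x03":                        # TLS handshake record, version 3.x
        return "ssl"
    if p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in p:
        return "http"
    if p.startswith((b"USER ", b"PASS ")):          # FTP control-channel commands
        return "ftp"
    return "unknown"

def find_evasive_flows(flows):
    """Flows whose real application disagrees with the port label, i.e. traffic a port-based IPS scans with the wrong signatures."""
    out = []
    for f in flows:
        by_port, by_content = classify_by_port(f), classify_by_content(f)
        if by_port != by_content:
            out.append((f.src, f.dst, f.dport, by_port, by_content))
    return out

# Constructed sample flows (client IPs as on the slides; 203.0.113.0/24 is a documentation range)
SAMPLE_FLOWS = [
    Flow("10.1.1.16", "203.0.113.7", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow("10.1.1.34", "203.0.113.9", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),                     # SSH hiding on 80
    Flow("10.1.1.56", "203.0.113.9", 531, b"GET /x HTTP/1.1\r\nHost: c2.example\r\n\r\n"),  # HTTP on 531
    Flow("10.1.1.101", "203.0.113.2", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for src, dst, port, by_port, app in find_evasive_flows(SAMPLE_FLOWS):
        print("%s -> %s:%d labelled %s by port but carries %s" % (src, dst, port, by_port, app))
```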

  16. Control the Attack Surface of the Network
  Only allow the apps you need, and clean the allowed traffic of all threats in a single pass
  • Traffic limited to approved business use cases based on app and user
  • Attack surface reduced by orders of magnitude
  • Complete threat library with no blind spots
  • Bi-directional inspection
  • Scans inside SSL
  • Scans inside compressed files
  • Scans inside proxies and tunnels
  (figure caption: the ever-expanding universe of applications, services and threats)

  17. Block Unneeded and High-Risk Applications
  • Block (or limit) peer-to-peer applications
  • Block unneeded applications that can tunnel other applications
  • Review the need for applications known to be used by malware
  • Block anonymizers such as Tor
  • Block encrypted tunnel applications such as UltraSurf
  • Limit use to approved proxies
  • Limit use of remote desktop

  18. Control the Methods Threats Use to Hide
  • Encrypted traffic: inspect within SSL
  • Proxies: common user-driven evasion
  • Remote desktop: increasingly popular tool for end-users
  • Compressed content: ZIP files and compressed HTTP (GZIP)
  • Encrypted tunnels: Hamachi, Ultrasurf, Tor; purpose-built to avoid security
  (figure: outbound C&C traffic hidden behind circumventors and tunnels, encryption (e.g. SSL), proxies (e.g. CGIProxy) and compression (e.g. GZIP))

  19. Unknown Threats: Learn to See Traffic That Doesn't Belong
  • NGFW classifies all known traffic
  • Custom App-IDs for internal or custom-developed applications
  • Any remaining "unknown" traffic can be tracked and investigated
  • Used in the field to find botnets and unknown threats
  • Behavioral Botnet Report: automatically correlates end-user behavior to find clients that are likely infected by a bot
  • Indicators: unknown TCP and UDP, dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
  (screenshot: the report lists client IP addresses that are potentially compromised by a bot and resolves them to a specific user, e.g. Jeff.Martin)
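A simplified version of the behavioral correlation slide 19 describes, as an added example that is not the presentation's or any vendor's report logic: per-client log records are scored on the listed indicators (unknown TCP/UDP, dynamic DNS, repeated fetches of the same file, recently registered domains) and the clients over a threshold are resolved to user names, as a directory-integrated firewall would do. The log records, IP-to-user mapping, weights and threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed IP-to-user mapping, as a directory-integrated firewall would hold it
IP_TO_USER = {"10.1.1.16": "Jeff.Martin", "10.1.1.34": "a.student", "10.1.1.56": "lib-kiosk"}
# Indicator weights and thresholds are assumptions for this example, not a vendor's scoring
WEIGHTS = {"unknown-app": 2, "dyndns": 3, "new-domain": 3, "repeat-download": 2}
DYNDNS_SUFFIXES = (".no-ip.example", ".dyndns.example")
NEW_DOMAIN_DAYS = 30
TODAY = date(2024, 6, 1)  # fixed "now" so the example is reproducible

def indicators(rec, today):
    """Yield the indicator names that one log record triggers."""
    if rec["app"] in ("unknown-tcp", "unknown-udp"):
        yield "unknown-app"
    if rec["domain"].endswith(DYNDNS_SUFFIXES):
        yield "dyndns"
    registered = rec.get("registered")
    if registered and (today - registered).days <= NEW_DOMAIN_DAYS:
        yield "new-domain"

def score_hosts(records, today):
    """Correlate indicators per client IP; every repeat of the same file fetch adds to the score."""
    scores, hits, fetches = defaultdict(int), defaultdict(set), defaultdict(int)
    for r in records:
        for ind in indicators(r, today):
            scores[r["src"]] += WEIGHTS[ind]
            hits[r["src"]].add(ind)
        if r.get("file"):
            fetches[(r["src"], r["domain"], r["file"])] += 1
            if fetches[(r["src"], r["domain"], r["file"])] > 1:
                scores[r["src"]] += WEIGHTS["repeat-download"]
                hits[r["src"]].add("repeat-download")
    return {ip: (scores[ip], sorted(hits[ip])) for ip in scores}

def likely_infected(records, today=TODAY, threshold=5):
    """Clients at or above the threshold, highest score first, resolved to a user name."""
    ranked = sorted(score_hosts(records, today).items(), key=lambda kv: -kv[1][0])
    return [(ip, IP_TO_USER.get(ip, "<unknown user>"), s, h) for ip, (s, h) in ranked if s >= threshold]

# Constructed traffic-log records (a real export would carry many more fields)
SAMPLE_LOG = [
    {"src": "10.1.1.16", "app": "unknown-tcp", "domain": "box1.no-ip.example", "registered": date(2024, 5, 20)},
    {"src": "10.1.1.16", "app": "web-browsing", "domain": "box1.no-ip.example", "file": "up.bin"},
    {"src": "10.1.1.16", "app": "web-browsing", "domain": "box1.no-ip.example", "file": "up.bin"},
    {"src": "10.1.1.34", "app": "web-browsing", "domain": "news.example", "registered": date(2010, 1, 1)},
    {"src": "10.1.1.56", "app": "unknown-udp", "domain": "cdn.example"},
]
```

Running `likely_infected(SAMPLE_LOG)` flags only 10.1.1.16 (Jeff.Martin); the single unknown-udp session from 10.1.1.56 stays under the threshold, which is the point of correlating several weak indicators rather than alerting on one.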

  20. Directory Integration
  • Use Active Directory to authenticate users
  • If the machine is part of the domain, authentication is pass-through
  • Will work with Apple devices
  • Can restrict users to certain applications
  • Can disallow guests from getting to the Internet, or greatly restrict them
  • Can easily see users in firewall logs, not just IP addresses
  • Allows you to take advantage of existing Active Directory groups
  • Gives you the ability to be granular in URL filtering
  • Can trace threats down to the user
  • Can also identify Citrix and Terminal Server users

  21. URL Filtering
  URL filtering on next generation firewalls:
  • Integrates with the security policy; one place to manage your security
  • Faster than a proxy server; only one appliance to access
  • Databases update hourly/nightly
  • Make sure you have the ability to block unknown categories
  • You do not have to pay extra for spyware/malware categories
  • Database is updated automatically
  • Also has the ability to dynamically look up URLs
  • Some products' URL filtering is cloud-based
  • Millions of URLs rated
  • Easy to create bypass and override categories
  • Block ads; they contain malware and junkware

  22. Fortinet URL Filter

  23. Palo Alto URL Filter

  24. Application Control
  Application control on next generation firewalls:
  • Ability to use applications instead of ports for firewall rules
  • Ability to allow Facebook but block Facebook chat (for example)
  • Can control what applications run over port 80
  • Can block proxy-based applications (good combined with a URL filter)
  • Can block file sharing and peer-to-peer applications
  • Works very well along with a strong URL filter

  25. Palo Alto Application Control

  26. Fortinet Application Control

  27. Anti-Virus/Malware/Spyware
  • Adds another layer of defense at the gateway
  • Still need desktop anti-virus (no, you cannot get away from it)
  • Updates daily/hourly
  • Uses a network to analyze the most current threats
  • Scans all downloads for viruses
  • Can block certain file types such as .exe, .dll, etc. (this is one of the best ways to prevent viruses)
  • Can scan inside a VPN tunnel
  • Integrates with the firewall rulebase
  Traditional firewalls are blind to viruses
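The file-type blocking on slide 27 only works when it looks at content and, as slide 18 says, inside compressed files; this added example (not the presentation's or any vendor's code) checks a download by extension and by the PE "MZ" header, and walks ZIP members the same way, so an .exe renamed to .pdf inside an archive is still caught. The blocked-extension list, the member size cap and the sample archive are constructed assumptions.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = (".exe", ".dll", ".scr")   # policy list, an assumption for the example
MAX_MEMBER_BYTES = 50 * 1024 * 1024             # assumed cap so a zip bomb cannot exhaust memory

def looks_like_pe(data):
    """Windows executables (.exe/.dll) start with the 'MZ' DOS header, whatever their name."""
    return data[:2] == b"MZ"

def verdict_for_blob(name, data):
    """Reason to block a single file, or None. Checks the name first, then the bytes."""
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        return "blocked extension: %s" % name
    if looks_like_pe(data):
        return "executable content in %s (extension does not match)" % name
    return None

def scan_download(name, data):
    """Inspect a download; if it is a ZIP archive, inspect every member as well."""
    reasons = []
    top = verdict_for_blob(name, data)
    if top:
        reasons.append(top)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append("oversized member %s in %s" % (info.filename, name))
                    continue
                inner = verdict_for_blob(info.filename, zf.read(info.filename))
                if inner:
                    reasons.append("inside %s: %s" % (name, inner))
    return reasons

def build_sample_zip():
    """Constructed archive: a harmless text file plus a PE renamed to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting notes")
        zf.writestr("report.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # fake DOS header only
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_download("homework.zip", build_sample_zip()))
```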

  28. Fortinet Anti-Virus

  29. Palo Alto Anti-Virus

  30. Threat Prevention
  • Updates daily with the most current threats
  • Can help stop zero-day attacks and attacks against unpatched systems
  • Integrates with the firewall to create a complete solution
  • Prevents the attack from reaching the network
  • Also checks on all ports and applications, unlike a traditional IPS
  • Has the ability to track a threat to a user, not just an IP address
  Traditional firewalls are unable to stop threats, or their threat prevention is outdated

  31. Logging and Reporting
  • Logs contain usernames
  • Can run threat reports, URL filtering reports and application reports
  • Can also report how much bandwidth someone is taking up
  • Can log what countries are being accessed
  • Can be a very useful tool for troubleshooting
  Traditional firewalls' logging is OK, but does not provide enough detail

  32. Logs By Application and Bytes

  33. Logs By User

  34. Log what countries have been visited

  35. How Can a Next Generation Firewall Help You?
  • Provide one product to manage instead of many
  • Protect your networks and students from attacks and from themselves
  • Protect students from using evasive ways to access websites
  • Provide students the applications they need with ease
  • Use your directory service to authenticate users
  • Provide various levels of access to applications and websites; teachers can have a higher level of access
  • Cost savings by consolidating products and cutting down on bandwidth-hogging users
  • Reports can be emailed to you daily if needed
  • Flexible deployment options
  • Easy-to-manage and easy-to-use Web UI
  • Easy code upgrades

  36. Survey
  If you give me your business card I will provide you an assessment of your current firewall/security environment

  37. Questions? Thank you. You can contact me at James@tbjconsulting.com
