1 / 25

BroadWeb IPv6 安全產品發展策略

BroadWeb IPv6 安全產品發展策略. 威播科技 陳鴻彬 hbc@broadweb.com. IPv6 網路上潛在的 安全與管理問題. Redirect attacks Denial-of-service attacks Flooding denial-of-service attacks Application Layer attacks Worm (Slapper) Rogue Devices IPv4/v6 共存問題 P2P. IPv6 L3-L4 Spoofing.

geri
Download Presentation

BroadWeb IPv6 安全產品發展策略

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. BroadWeb IPv6 安全產品發展策略 威播科技 陳鴻彬 hbc@broadweb.com

  2. IPv6 網路上潛在的安全與管理問題 • Redirect attacks • Denial-of-service attacks • Flooding denial-of-service attacks • Application Layer attacks • Worm (Slapper) • Rogue Devices • IPv4/v6共存問題 • P2P

  3. IPv6 L3-L4 Spoofing • ==> spoof mitigation at aggregation points easy to deploy • 2001::/16—IPv6 Production • 2002::/16—6to4 Tunneling • 2003::/16—RIPE • 3FFE::/16—6Bone Testing • Unfortunately each subnet (even at the local level) still has a huge range of addresses to spoof • IPv6 Address Are Globally Aggregated 2001::/16 2001:0600::/23 2001:0200::/23 2001:0400::/23

  4. IPv4 Virtual Firewall

  5. IPv4 , IPv6 共存問題 • Attacks on dual stacks:

  6. IPv4 入侵偵測 Attacker Server IPv4SQL Injection 攻擊 192.168.0.254 192.168.0.100 IPv4 IPS IPv6SQL Injection 攻擊 3ffe:501:ffff:100::202 3ffe:501:ffff:100::201 BEMS server 192.168.0.252

  7. IPv4 ,IPv6 入侵偵測 Attacker Server IPv4 SQL Injection 攻擊 192.168.0.254 192.168.0.100 IPv4 ,IPv6 IPS IPv6SQL Injection 攻擊 3ffe:501:ffff:100::202 3ffe:501:ffff:100::201 192.168.0.252 BEMS server

  8. IPv4 , IPv6 共存問題 • Attacks on 6 to 4 tunnels The Internet (IPv4) 6to4 Tunnel Network A Network B

  9. BroadWeb IPv4/v6 IPS • 2006/3/8 ----> NICI • Support 10G interface • Support IPv4/IPv6 Dual Stacks • Support 6 to 4 & 4 to 6 tunnels

  10. NetKeeper過去擁有的功能 • Anti-Intrusion 阻擋駭客入侵 • Anti-DoS/DDoS 阻擋分散式阻斷服務攻擊 • Anti-Worm 阻擋網路蠕蟲 • Anti-Trojan/Back Door 阻擋木馬,後門程式 • Anti-P2P 阻擋P2P分享下載程式 • Anti-IM 阻擋即時聊天程式 • Anti-Tunnel 阻擋Tunnel軟體使用 • Anti-WebMail 阻止經由WebMail洩漏機密文件 • Anti-Web Post 防止網業資料上傳 • H/W S/W bypass 軟硬體旁路設計

  11. 新一代NetKeeper新增特色 • 增強Evasion入侵閃避偵測能力 • 增強Spyware間諜軟體防護能力 • 阻絕間諜軟體模組安裝 • 防止間諜軟體透過網路回報私密資訊 • Virtual Patch虛擬補釘Signature技術,可有效預防零時差攻擊(Zero-Day attack) • 採用BroadWeb專利之BASTA之State Machine Signature技術,可有效解決加密P2P等應用程式之辨識問題

  12. 新一代NetKeeper新增功能 • 多網段保護 (Multi-Segment IPS/IDS) • Virtual IPS • 不同VLAN配置不同Policy • Multiple Rule Sets 多套政策群組 • Rate Limit頻寬限制 • Quota Limit流量管制 • AA/AS HA Support • Mirror Port Support • 可用於搭配內容側錄與Sniffer系統 • Device Utilization Present • CPU/Memory 使用狀況顯示 • 即時頻寬狀態與事件分佈狀態顯示儀表板 • 支援IPv4/IPv6雙軌併行網路環境

  13. IPv6 Support

  14. Virtual IPS 可以設定專屬的反應/限制 128Kbps 64Kbps

  15. 即時監控– 系統儀表板

  16. BroadWeb NetKeeper最主要優勢 • 曾獲ICSA/NSS雙項國際認證 • 全中文化(包括Signature說明) • 與多家SOC整合 • 內建Cooper/Optical光纖HW/SW Bypass及HA功能 • 認識超過300種以上之Application (其中P2P超過150種) • 可處理多種加密P2P及Tunneling • 可辨認Skype • 對於IM,可針對特定功能,如:Chat,File Transfer,Video…等分開管理

  17. BroadWeb NetKeeper最主要優勢 • 具備Virtual Patch Signature能力,可預防Zero Day Attach • 具備FlowBit Signature專利技術可利用State Machine處理加密P2P • 具備最完善的User Define功能 • IPv6 Support • Reporting System不額外收費 • 部份機種具有集中管理功能,可用於大型專案(需搭配SAC集中控管系統,需額外購買SAC License) • 機種最完備 • 國內IPS市佔率最高,客戶群最多,遍及各領域 • 原廠在國內,Support能力最強 • 每月均有訓練課程開課 • 同級產品性價比最好

  18. 三明治 V.S.漢堡方案 三明治方案 Firewall Internet Intranet DMZ 漢堡方案:加量不加價! Firewall/UTM Internet Intranet IPS1 IPS2 DMZ

  19. 區網 華電1G 東森1G NGN 骨幹路由器 FOT 國中/小 L3/L2 Switch or 路由器 L2/L3 Switch 國中/小 Core Switch 共同Server 機房辦公室 電腦教室 教室、辦公室 電腦教室 VoIP 他校WLAN漫遊用戶 WLAN XX縣/市教育網路NGN計劃

  20. 區網 華電1G 東森1G IPv6/v4 IPS (1Gbps) IPv6/v4 IPS (1Gbps) NGN 骨幹路由器 FOT IPv6/v4IPS (1Gbps) • v4/v6 IPS • V4/v6 P2P 管制/限頻 IPv6/v4 IPS (200Mbps) 同一台設備 國中/小 L3/L2 Switch or 路由器 L2/L3 Switch IPv6/v4 IPS (200Mbps) 國中/小 Core Switch 共同Server 機房辦公室 電腦教室 教室、辦公室 電腦教室 VoIP 他校WLAN漫遊用戶 WLAN XX縣/市教育網路NGN計劃

  21. BroadWeb下一階段產品 • IPv4/v6 UTM • IPv4/v6 Qos Device • P2P Management • Qos

  22. Challenge (IPv6 addr.)

  23. Challenge (Home Network)

  24. Further Work in IPv6 Security • Support IPv6 DNS • Home network security model with IPv6 • Peer---Internet---Peer • Security In Cloud ? • BotNet in IPv6

More Related