Taking Control of Network Security in a Web-Centric World
Dataconnectors Seattle, Brian McLean, January 12th 2012
Application Security Evolution
• Traditional Approach: Primary line of defense at the perimeter
  • One-to-one assignment of port to application usage
    • Web, SNMP, FTP, Telnet
  • To block the applications, simply close the port
[Diagram labels: Web, Telnet, SNMP, FTP, Data Center]
Application Security Evolution
• Today: Web-centric world
  • Requires new approach for securing applications
  • How to allow trusted applications, deny untrusted?
• Threats are application agnostic
  • Any application can serve as a host to malicious activity
[Diagram labels: PORT 80: salesforce, WL Messenger, Google, facebook, twitter, YAHOO! MAIL]
What is Application Control?
• Layer 7 analysis of traffic determines the application regardless of TCP port
  • Doesn’t just associate a port with an application
  • Can detect IM/P2P/etc running over port 80
• Detects applications inside of applications
  • Tunneling P2P/IM/etc inside HTTP
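As an added illustration of the Layer 7 idea above (example code, not from the original deck or any vendor engine): a small Python classifier names the application from the first client payload bytes of a flow to TCP/80 and compares the port-based verdict with the application-based one. The signatures are simplified heuristics and the sample flows are constructed for this example.

```python
import re

# Constructed sample flows: first client payload bytes, all sent to TCP port 80.
SAMPLE_FLOWS = {
    "browser":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20,
    "irc":        b"NICK bot01\r\nUSER bot01 0 * :bot01\r\n",
    "ssh":        b"SSH-2.0-OpenSSH_8.9\r\n",
    "tunnel":     b"CONNECT im.example.net:5222 HTTP/1.1\r\nHost: im.example.net\r\n\r\n",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
WEB_PORTS = (80, 443)


def identify_application(payload: bytes) -> str:
    """Name the application from payload content alone (simplified Layer 7 signatures)."""
    if payload.startswith(b"\x13BitTorrent protocol"):  # BitTorrent peer handshake
        return "bittorrent"
    if payload.startswith(b"SSH-"):                      # SSH version banner
        return "ssh"
    if re.match(rb"NICK \S+\r\n", payload):              # IRC registration (a common C2 channel)
        return "irc"
    m = re.match(rb"CONNECT \S+:(\d+) HTTP/1\.[01]\r\n", payload)
    if m:                                                # HTTP CONNECT: an application inside HTTP
        return "http-tunnel" if int(m.group(1)) not in WEB_PORTS else "http"
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload.split(b"\r\n", 1)[0]:
        return "http"
    return "unknown"


def port_filter_verdict(dst_port: int) -> str:
    """Traditional firewall: one port equals one application."""
    return "allow" if dst_port in WEB_PORTS else "block"


ALLOWED_APPS = {"http"}  # policy: only plain web browsing is a trusted application here


def app_control_verdict(payload: bytes) -> tuple:
    """Application control: decide on what the traffic is, not on where it is going."""
    app = identify_application(payload)
    return app, ("allow" if app in ALLOWED_APPS else "block")


if __name__ == "__main__":
    for name, payload in SAMPLE_FLOWS.items():
        app, verdict = app_control_verdict(payload)
        print(f"{name:10s} port-filter={port_filter_verdict(80):5s} "
              f"app-control={verdict:5s} ({app})")
```

Every sample flow passes the port filter because port 80 is open, while only the genuine browser request passes application control.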
Business Drivers for Application Control
• New services and applications
  • Web 2.0 services over HTTP(S)
  • IM, P2P and gaming that port-hop
• Non-business applications can be problematic and expose liability
  • IM, P2P and anonymous proxy
  • Non-productive bandwidth usage
  • Evasion of security or corporate policy
• Difficult to detect and stop
  • TCP/UDP port filtering ineffective
  • Next-generation firewall required
What are the Risks?
• Lack of visibility and control
  • Many businesses are limited in their control of social networking. They use URL filters to either allow complete access or to restrict the entire application.
• Widening attack surface
  • Malicious code “is not just coming from the dark corners of the web,” like pornography, gaming and pharmaceutical sites. It is estimated that 77 percent is coming from legitimate sites.
• Data loss potential
  • Social networking sites are all about collaboration and sharing, potentially even of sensitive data. Today, there is little control over data loss in social media arenas because policies do not typically cover what users contribute.
Controlling Web Applications
• Allow Facebook, but block Facebook applications
  • Farmville
  • Facebook Chat
  • Facebook Video
• Allow YouTube, but block YouTube download
• Allow Google Maps, but block Google Web Talk
The Reach of Facebook
• Facebook alone touts over 500 million active users that spend in excess of 700 billion minutes per month on the site and share 30 billion pieces of content
• Facebook platform houses over 550,000 active applications and is integrated with more than one million websites
• Facebook’s total site visits in December 2010 eclipsed Google’s
• Over 20 million applications are installed per day and over 250 million people interact with Facebook from outside the official website on a monthly basis, across 2 million websites
Threat Landscape Overview: Malicious Activity within Trusted Applications
Security Challenges
• Blended attacks
• Application-focused attacks
• “Oldies but Goodies” still exist
  • Nothing goes away. Ever.
• “Survival instinct” of applications much higher than before
  • Built-in evasion techniques
• Must assume malicious activity occurs within trusted applications
• Let’s take a closer look at some examples…
Threat Landscape: Blended Threat & Botnet Examples
CIO Fears and Concerns
• The Corporate Botnet - Phishing: Employee has clicked a link in a spam email and accessed a phishing site. The subsequent infection links their laptop to a Botnet, opening the door to compromise the integrity of the entire network.
ZEUS/ZBOT
• Email contains link to false domain
• Credentials entered into fake site
• BOT infection sent to user as a “Facebook Security Update” application
• User installs BOT and is now infected, all data is compromised
• Connection is then redirected to real Facebook site so user is not suspicious
• Prevalent today and sold as a crime kit
Threat Landscape: Blended Threat & Botnet Examples
CIO Fears and Concerns
• The Corporate Botnet – Legitimate Site Compromised: Employee accesses a legitimate site, but it or one of its content providers has been compromised and is now hosting malicious code.
FakeAV Botnet
• In 2009 the advertising network used by the New York Times was infected by a malicious Flash advertisement
• Readers were accessing the NYT site but were provided with the infected advertisement
• This directed users to a site hosting the exploit code to install fake antivirus software
Threat Landscape: Blended Threat & Botnet Examples
CIO Fears and Concerns
• Ransomware: Once installed it is very difficult to reverse, because the files are encrypted. This isn’t just based on the fear that something might happen; once you are reading the ransom note your data has already been encrypted.
gpCode Ransomware
• Once installed, searches hard drive for document and media files
• Files are encrypted with a 1024-bit key and only the attacker has the decryption key
• Ransom note is displayed to user; system continues to operate but data is inaccessible
• Will encrypt xls, doc, pdf, txt, rar, zip, avi, jpg, mov, etc…
Addressing the Threat Landscape
• Complete Content Protection Requires
  • Identification
    • Thousands of applications with more being added all the time
  • Multiple Technologies:
    • DLP (Data Leakage Protection)
    • AV (Anti Virus)
    • AS (Anti Spam)
    • SSL Inspection
Addressing the Threat Landscape (Continued)
• Complete Content Protection Requires
  • Monitoring
    • See what’s in your network
Addressing the Threat Landscape (Continued)
• Complete Content Protection Requires
  • Control
    • Granular control of behavior
  • Apps & features within apps
    • In Facebook, for example, you can control which users get access to what features by source, username, usergroup, or even time of day.
  • Users
    • Tight integration with Active Directory and Novell’s eDirectory brings transparent authentication and authorization by specific usernames or groups for any UTM feature you wish to enable.
  • Traffic
    • You can rate limit any specific information you’d like in order to both provide functionality and conserve bandwidth
Real Threat Protection in Action
Problem:
• “Innocent” video link: redirects to malicious website
• “Out of date” Flash player error: “download” malware file
• Error message: “drops” copy of itself on system and attempts to propagate
Solution:
• Integrated Web Filtering: blocks access to malicious website
• Network Antivirus: blocks download of virus
• Intrusion Protection: blocks the spread of the worm
Fortinet Confidential
The Zeus Attack vs. Complete Content Protection
• Email sent, contains link to compromised site
  • ANTISPAM: Mail message detected as spam (phishing)
• End user accesses phishing site, enters credentials, and criminals now have their details
  • WEB FILTER: Access to phishing website is blocked
• Phishing site sends BOT infection to user disguised as ‘Security Update’ application
  • ANTIVIRUS: Content scanning prevents malicious content from being downloaded
• End user executes BOT application, is infected and now all their data is compromised
  • INTRUSION DETECTION: Botnet command channel is blocked, no compromised data can be sent. Security administrator is alerted to existence of an infected system.
Unified Threat Management
[Chart: market size and CAGR 2007-2012 for three segments: Unified Threat Management (IDS, IPS, Firewall, VPN, Antispam, Antivirus, Antispyware, Web Filtering), Intrusion Detection & Prevention (IDS, IPS), and Firewall & VPN (Firewall, VPN); annotation: in 2008, UTM surpassed Firewall market. Source: IDC]
• IDC definition: UTM security appliance products which provide multiple security features integrated into one device
• By 2011 UTM will be the largest single market, with a CAGR of 26.2%
• UTM has already surpassed firewall market