Wireless Network Security Palo Alto Networks / Aruba Networks Integration
Topics Include:
The Backdrop for Mobile Security
Changes in the application landscape
State of the art in mobile threats
Issues with the current approaches to enterprise security
Aruba Networks / Palo Alto Networks Integration
Introduction to the Palo Alto Networks Network Security Platform
Integration points with Aruba Networks ClearPass Guest

Wireless Network Security Palo Alto Networks / Aruba Networks Integration Document Transcript

Page 1 (15/11/13)
Wireless Network Security Palo Alto Networks / Aruba Networks Integration

Today's Agenda
The Backdrop for Mobile Security
  • Changes in the application landscape
  • State of the art in mobile threats
  • Issues with the current approaches to enterprise security
Aruba Networks / Palo Alto Networks Integration
  • Introduction to the Palo Alto Networks Network Security Platform
  • Integration points with Aruba Networks ClearPass Guest
Resources
©2012, Palo Alto Networks. Confidential and Proprietary.
Page 2
Mobile Climate and Challenges
Today's Challenge: Once a user's on the network, IT can't control what they can do or access. Most organizations do not have the security within the infrastructure to control granular application-level access based on user and device type.
Need to Control:
  • Who gets on the network
  • What devices get on the network
  • What applications and content those users and devices can access

Challenge: Redefining the IT Service Model
Pre-BYOD:
  • Engineering: design desktop, voice, network
  • Operations: build & deploy
  • Help Desk: support
Post-BYOD:
  • Self-selected devices, apps & services
  • User-defined infrastructure
  • Self-provision
  • Self-support
Page 3
Securing Applications
Today's Typical Network: applications everyone needs, applications everyone wants to hate, applications everyone tends to ignore. Applications shown: custom tcp, pop3, telnet, custom udp, SMB, ftp, VNC, SSL, snmp, LDAP, Active Directory, VPN, RDP, encrypted tunnel, dns.
Page 4
Complexity Influencers
Complexity and risk grow with applications, users and threats (examples shown: APT1, Poison Ivy, Aurora, SQL Slammer, SMTP).

SSL: Security or Evasion?
26% (356) of the applications found can use SSL.
Source: Palo Alto Networks, Application Usage and Threat Report, Jan. 2013.
Page 5
SSL/Port 443: The Universal Firewall Bypass
Examples shown using tcp/443: Gozi, Freegate, Rustock, Citadel, TDL-4, Aurora, Ramnit Bot, Poison Ivy, APT1.
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?

Port Hopping: Ease of Access or Evading Control?
18% (255) of the applications found can hop ports.
Page 6
Managing Ports: A Bad Way to Control Applications
Lync ports to open as recommended by Microsoft: random, non-contiguous communication ports and protocols, accessed by a distributed workforce with different security risk profiles.

Threats to Wireless Networks
Page 7
The Basics on Threat Prevention
Threat                   | What it is                                                   | What it does
Exploit                  | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware                  | Malicious application or code.                               | Anything: downloads, hacks, explores, steals...
Command and Control (C2) | Network traffic generated by malware.                        | Keeps the remote attacker in control and coordinates the attack.

Modern Attacks Are Coordinated
  1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content.
  2. Exploit: infected content exploits the end-user, often without their knowledge.
  3. Download Backdoor: secondary payload is downloaded in the background; malware installed.
  4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control.
  5. Explore & Steal: remote attacker has control inside the network and escalates the attack.
Page 8
Mobile Malware: DPlug
TTPod app in Google Play. Flow shown: victim makes an in-app purchase; DPlug malware sends IMSI/IMEI via SMS; the premium SMS billing prompt ("Confirm?") is accepted; DPlug forges the subscribe step and the premium SMS billing goes to the attacker.

Second slide: attack stages and why each evades detection
Stages: Exploit Kit; Malware From New Domain; ZeroAccess Delivered; C2 Established; Data Stolen; Custom C2 & Hacking; Spread Laterally; Secondary Payload.
Why detection fails:
  • Hidden within SSL
  • New domain has no reputation
  • Payload designed to avoid AV
  • Non-standard port use evades detection
  • RDP & FTP allowed on the network
  • Custom malware = no AV signature
  • Internal traffic is not monitored
  • Custom protocol avoids C2 signatures
Page 9
Palo Alto Networks Network Security Platform: Enabling Applications, Users and Content
Page 10
Applications Have Changed, Firewalls Haven't
Network security policy is enforced at the firewall:
  • Sees all traffic
  • Defines boundary
  • Enables access
Traditional firewalls don't work any more.

Applications: Threat Vector and a Target
Threats target applications:
  • Used as a delivery mechanism
  • Application-specific exploits
Page 11
Applications: Payload Delivery/Command & Control
Applications provide exfiltration:
  • Confidential data
  • Threat communication

Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
  • SSL
  • Proprietary encryption
Page 12
Technology Sprawl and Creep Aren't the Answer
  • "More stuff" doesn't solve the problem
  • Firewall "helpers" have limited view of traffic
  • Complex and costly to buy and maintain
  • Doesn't address application control challenges
(Diagram: Internet, then UTM, IPS, DLP, IM, AV, URL and Proxy devices in front of the Enterprise Network.)

Making the Firewall a Business Enablement Tool
  • Applications: safe enablement begins with application classification by App-ID.
  • Users: tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
  • Content: scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Pages 13 to 15
NGFW in The Enterprise Network
Perimeter:
  • App visibility and control in the firewall
  • All apps, all ports, all the time
  • Prevent threats: known threats; unknown/targeted malware
  • Simplify security infrastructure
Data Center:
  • Network segmentation
  • Based on application and user, not port/IP
  • Simple, flexible network security
  • Integration into all DC designs
  • Highly available, high performance
  • Prevent threats
Distributed Enterprise:
  • Consistent network security everywhere
  • HQ/branch offices/remote and mobile users
  • Logical perimeter
  • Policy follows applications and users, not physical location
  • Centrally managed

Strategy for Protecting the Network (one funnel stage per slide)
Everything must go in the funnel:
  • HTTP or all protocols?
  • 20% of traffic encrypted by SSL
  • Non-standard ports and tunneled traffic
Reduce the attack surface:
  • High risk applications and features
  • Block files from unknown domains
  • Find and control custom traffic
Block everything you can:
  • Exploits, malware, C2
  • Variants and polymorphism
  • DNS, URLs, malicious clusters
Test and adapt to unknowns:
  • Behavioral and anomaly analysis
  • Automatically create and deliver protections
  • Share globally
Investigate and cleanup:
  • Events in app and user context
  • Share indicators of compromise
  • Integrate with end-point security
  • Feed the SIEM
Page 16
An Integrated Approach to Threat Prevention
Attack stages across the top: Bait the end-user, Exploit, Download Backdoor, Command/Control (C2). Controls by technology:
  • Apps: block high-risk apps; block C2 on open ports
  • URL: block known malware sites; block fast-flux, bad domains
  • IPS: block the exploit
  • Spyware: block spyware, C2 traffic
  • AV: block malware
  • Files: prevent drive-by downloads
  • Modern Malware: detect 0-day malware; block new C2 traffic

Mobile App Analysis
  • App Collection: App Stores, GlobalProtect Gateway, Manual Submission
  • App Analysis: WildFire
  • Protection and Enforcement: Malware Signatures, URL and DNS usage, Integration with SIEM, API
Page 17
Integration Points
Integration with wireless infrastructure:
  • Identify and authenticate who and what gets on the network
  • Protect the network based on application, user and content
Page 18
ClearPass and Palo Alto Networks
Aruba MOVE & ClearPass (Context: Mobility Network Services):
  • Core AAA, NAC
  • Device Profiling
  • Guest + BYOD
  • Exchange rich endpoint context
  • Trigger real-time, intelligent network policies
  • Extendable architecture
Palo Alto Networks (Next Generation Firewall):
  • L7+ Application FW
  • Content Security
  • Threat Protection

Securing the Wireless with Palo Alto Networks
Guests, employees, assets and contractors all pass through the Next-Generation Firewall.
Page 19
Aruba Integration
Feed User-ID Data:
  • Centralized username to IP address mapping
  • No software agents required, support for multiple identity stores
  • Rich visibility and reporting for compliance
Endpoint/Device Context:
  • Feed device context to PAN, e.g. iPad, Android phone
  • Enable policy enforcement based on new device context
  • Extensible schema allows adding more context to endpoint data
Centralized Identity Store:
  • FW admin authentication using RADIUS
  • Provide services for VPN authentication
(Diagram, User-ID Architecture: ClearPass Policy Manager provides AAA and sends XML to Palo Alto Networks.)
Page 20
Integration Points (diagram)

ClearPass Configuration
Page 21
Assigning Security Policies Based on Device Type
  • ClearPass Guest fingerprints devices as they authenticate to the wireless environment
  • Palo Alto Networks integration shares the device fingerprint
  • Palo Alto Networks maps the device to a dynamic address object
  • Network security policy follows the device

How the Integration Works – From ClearPass (screenshot)
Page 22
How the Integration Works – To Palo Alto Networks (screenshot)

Resources
Page 23
Collateral – Tech Note: http://www.arubanetworks.com/aruba-partners/ecosystem-partners/
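The User-ID exchange described on pages 19 and 21, as an added example that is not part of the deck or of either vendor's code. It assumes the PAN-OS User-ID XML API <uid-message> layout (login and register entries), which the slides name only as "XML"; the event fields, tag names and dynamic address group names are constructed.

```python
# Added example (not from the deck or either vendor's code): a ClearPass-style
# auth event becomes one PAN-OS User-ID <uid-message> (login entry + device tag),
# then a tag-keyed dynamic address group picks the policy that follows the device.
import xml.etree.ElementTree as ET

# Constructed sample event as ClearPass could export after fingerprinting.
EVENT = {"user": "corp\\alice", "ip": "10.20.30.40",
         "device": "Apple iPad", "timeout_min": 20}
# Hypothetical dynamic address groups on the firewall, keyed by tag.
DAG_BY_TAG = {"ios-tablet": "DAG-Tablets", "android-phone": "DAG-Phones"}

def device_tag(fingerprint: str) -> str:
    """Map a fingerprint to a tag PAN-OS can match; unknown devices get a
    tag that no group uses, so policy denies them by default."""
    f = fingerprint.lower()
    if "ipad" in f:
        return "ios-tablet"
    if "android" in f and "phone" in f:
        return "android-phone"
    return "unknown-device"

def build_uid_message(event: dict) -> str:
    """Serialize a login entry (user, IP, timeout) and a register entry
    (IP, tag) into a single User-ID update message."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=event["user"], ip=event["ip"],
                  timeout=str(event["timeout_min"]))
    reg_entry = ET.SubElement(ET.SubElement(payload, "register"), "entry",
                              ip=event["ip"])
    tag = ET.SubElement(reg_entry, "tag")
    ET.SubElement(tag, "member").text = device_tag(event["device"])
    return ET.tostring(root, encoding="unicode")

def resolve_group(uid_xml: str) -> str:
    """Parse the message as the firewall side would and return the dynamic
    address group whose tag matches, or "" when nothing matches."""
    doc = ET.fromstring(uid_xml)
    tags = [m.text for m in doc.iterfind("payload/register/entry/tag/member")]
    return next((DAG_BY_TAG[t] for t in tags if t in DAG_BY_TAG), "")

if __name__ == "__main__":
    msg = build_uid_message(EVENT)
    print(msg)
    print("policy group:", resolve_group(msg) or "<none: default deny>")
```

In a live deployment the serialized message is posted to the firewall's XML API with type=user-id; that network call is deliberately left out here.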