It's Time to Fix the Firewall



The advent of Web 2.0 has spawned a new generation of Internet applications that blur the line between work and play, causing serious headaches for security-conscious IT departments. Traditional firewalls and other security tools no longer cut the mustard.

Security threats have evolved to target specific applications in order to breach a company's defences. What's more, Internet-savvy employees are easily outsmarting many of the security controls currently in place.

Simon Richardson, Managing Partner, ITogether, looks at what's needed to help IT Directors keep the hordes in check, protect their IP, shore up their defences and claw back some control.


  1. It's Time to Fix the Firewall
  2. Agenda
     • Introductions
     • The talk
     • Questions invited during the talk and towards the end; live polls throughout
  3. Introductions
     • Simon Richardson, Founder & Managing Partner, ITogether
  4. It's time to fix the firewall
  5. About ITogether
     • A forward-thinking integrator founded in November 2005
     • A partnership based in Leeds, Yorkshire
     • Corporate, Government and SME customer base, nationwide and worldwide
     • Our staff have backgrounds at O2, Orange, BT, KCOM, DLA Piper, Integralis, Sopra, Gaz De France, Netscape, WS Atkins, Provident and Legend Communications
  6. Introduction
     • The firewall is one of information security's oldest devices
     • Many firewalls today are due for renewal (ageing hardware, or unable to keep up with throughput demands)
     • The recession has significantly held back renewal and improvement over the last two years
     • The firewall's mandate is growing to cater for Web 2.0 and other drivers
     • Should I upgrade to a faster model from the same vendor, switch vendors, or move to a next-generation firewall?
     • Gartner coined the term NGFW (next-generation firewall)
  7. History Lesson
     • The firewall is around 20 years old
     • It developed from early packet-filtering and circuit-level firewalls to today's application-layer and dynamic (stateful) packet-filtering firewalls
     • The goal has always been to provide a protective barrier between the internal network and the external network while allowing productive communications to pass
     • With the new web applications of the last two to three years and evolving security threats, firewalls need to evolve to meet and beat those threats
  8. What Problems Are We Trying to Solve?
     1. Applications: Web 2.0, a new generation of business and personal Internet applications
     2. Threats: Web 2.0 threats targeting applications, sensitive data and IT resources
     3. Users: Internet-savvy employees have taken control of the network; confidence with new technologies and apps at home and on the smartphone continues to drive this
     4. Data loss: risk of sensitive and confidential data leaving the network
     5. Security: traditional firewalls and security devices can't see or control any of the above
  9. What's Happening on Enterprise Networks?
  10. IT Has Lost Control and Needs Help
     [Figure: risks and rewards of Internet use spanning work life (the enterprise) and home life]
     1. Driven by a new generation of addicted Internet users; smarter than IT?
     2. Full, unrestricted access to everything on the Internet is seen as a right
     3. They're creating a giant social system: collaboration, group knowledge
     4. They're not waiting around for IT support or endorsement; to them, IT is irrelevant
     5. Result: a "social enterprise" full of potential risks and rewards
  11. Real-World Data from Enterprise Networks
     • Application Usage and Risk Report, published by Palo Alto Networks each Spring and Autumn
       • 200+ large enterprises; 1,000,000+ users
       • 650+ different Internet applications
       • 255 Enterprise 2.0/collaboration apps (38% of the total)
       • 70% of Enterprise 2.0 apps are "high risk"
     • All of these organisations have firewalls; most have IPS, proxies, URL filtering, etc.
  12. Employees Are Creating Web 2.0
     Bottom line: all had firewalls, most had IPS, proxies and URL filtering, but none of these organisations could control what applications ran on their networks.
  13. And Use of These Applications Is Accelerating
     [Charts, Spring 2009 vs Fall 2009: growth in webmail applications (facebook-mail, yahoo-mail, gmail, hotmail), social networking applications (plaxo, myspace, linkedin, facebook) and instant messaging applications (meebo, facebook-chat, msn, gmail-chat, twitter); the bar values are not preserved in the transcript]
  14. Information Could Be Leaking Everywhere
     Applications that can lead to data loss:
     • Instant messaging: 96%
     • Web mail (non-corporate): 96%
     • Social networking: 95%
     • Browser-based file sharing: 91%
     • P2P file sharing: 87%
     • Google Docs: 82%
     • Web posting: 79%
     • Client-server email (non-corporate): 66%
  15. Use of These Applications Is Also Accelerating
     [Chart, Spring 2009 vs Fall 2009: blog and wiki editing application usage for Yahoo-Finance-Posting, MediaWiki-Editing, Blog-Posting, Blogger-Blog-Posting and VBulletin-Posting; the values on the slide are 58%, 51%, 48%, 26%, 24%, 22%, 16%, 11%, 5% and 2%, but their pairing with application and season is not preserved in the transcript]
  16. SharePoint
     Unique threats found in SharePoint deployments, by component: IIS (18), SQL (15), ASP (1), SP (1)
     By severity: Critical (7), High (8), Medium (20)
     In total, more than 220,000 SharePoint threat instances were found!
  17. Employees Are Out of Control; IT Is Helpless
     • Employee attitudes and behaviours
       • 64% understand that some apps can result in data leakage
       • 33% have experienced security issues when using an app
       • 45% did nothing when confronted with a security breach
       • 61% feel more productive using Internet apps
     • IT perspectives on the problem
       • 59% admit these apps are completely uncontrolled
       • 48% don't know what apps are used by employees
  18. IT Is Experiencing Risks Without the Rewards
     • Non-compliance: unapproved applications (IM, web mail) in financial services
     • Data loss: unauthorised employee file transfer and data sharing
     • Employee productivity loss: uncontrolled, excessive use of personal applications
     • Excessive operational costs: excessive bandwidth consumption, desktop clean-up
     • Business discontinuity: downtime induced by malware or application vulnerabilities
  19. Why Has IT Been Unable to Regain Control?
  20. The Problem Begins at the Firewall, Which Is Why We Need to Fix It!
     • Firewalls should provide visibility and control of applications, users and content...
     • ...but they only show you ports, protocols, packets and IP addresses, which on their own are meaningless
  21. Customers Don't Know What They Don't Know!
     • Port 80 is much more than web browsing...
     • Port 443 is an encrypted mystery...
     • Other ports are being exploited...

     | User          | Port | Protocol | Application     |
     |---------------|------|----------|-----------------|
     | (port view)   | 80   | HTTP     | Web browsing?   |
     | Mary Jones    | 80   | IM       | Yahoo-IM        |
     | (port view)   | 443  | HTTPS    | Secure banking? |
     | Paul King     | 443  | email    | Google Gmail    |
     | 315.44.29.603 | 5060 | SIP      | VoIP?           |
     | John Smith    | many | Gnutella | Limewire P2P    |
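The table above contrasts what a port tells you with what is actually in the session. As an added example, not code from the slides or from any vendor's product, the following Python identifies the application from the first payload bytes of a connection and ignores the port entirely. The signature list, the port-assumption table and the sample flows are constructed for illustration. It also parses the Server Name Indication out of a TLS ClientHello, which is the one cleartext hint an encrypted session on 443 offers; identifying what is inside the session still requires decryption, as slide 30 points out.

```python
import struct

# Constructed table of what a port-only firewall assumes a port carries (illustrative, not a vendor table).
PORT_ASSUMPTIONS = {80: "web-browsing", 443: "ssl", 22: "ssh", 5060: "sip", 6881: "bittorrent"}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def parse_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None if it is absent or malformed."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                              # record(5) + handshake(4) + version(2) + random(32)
    pos += 1 + payload[pos]                               # skip session_id
    if pos + 2 > len(payload):
        return None
    pos += 2 + struct.unpack_from("!H", payload, pos)[0]  # skip cipher_suites
    if pos + 1 > len(payload):
        return None
    pos += 1 + payload[pos]                               # skip compression_methods
    if pos + 2 > len(payload):
        return None
    end = min(pos + 2 + struct.unpack_from("!H", payload, pos)[0], len(payload))
    pos += 2
    while pos + 4 <= end:                                 # walk the extension list
        etype, elen = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if etype == 0 and pos + 5 <= end:                 # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack_from("!H", payload, pos + 3)[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def identify_app(payload: bytes) -> str:
    """Classify by payload signature only; the port is deliberately not an input."""
    if payload[:1] == b"\x16" and len(payload) > 5 and payload[5] == 0x01:
        sni = parse_sni(payload)
        return f"tls:{sni}" if sni else "tls"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"YMSG"):                       # Yahoo Messenger (YMSG) packet header
        return "yahoo-im"
    if payload.startswith((b"INVITE ", b"REGISTER ", b"OPTIONS sip:")) and b" SIP/2.0" in payload:
        return "sip"
    head = payload.split(b"\r\n", 1)[0]
    if head.split(b" ")[0] in HTTP_METHODS and head.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    return "unknown"


def classify(port: int, payload: bytes) -> dict:
    """Side by side: what the port implies versus what the bytes say."""
    return {"port": port, "port_says": PORT_ASSUMPTIONS.get(port, "unknown"), "app": identify_app(payload)}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"   # two cipher suites
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows mirroring the slide's examples: (port, first payload bytes).
SAMPLE_FLOWS = [
    (80,   b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80,   b"YMSG\x00\x10\x00\x00\x00\x00\x00\x00"),                   # Yahoo-IM hiding on port 80
    (443,  build_client_hello("mail.google.com")),                      # Gmail, not "secure banking"
    (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),                                 # an SSH tunnel on 443
    (5060, b"INVITE sip:bob@example SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1\r\n\r\n"),
    (6881, b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        r = classify(port, payload)
        print(f"port {r['port']:>5}  port says {r['port_says']:<13} payload says {r['app']}")
```

Run directly, it prints each sample flow's port-based guess beside the signature-based result: the YMSG packet on port 80 is Yahoo IM rather than web browsing, the ClientHello on 443 is Gmail rather than "secure banking", and the SSH banner on 443 is a tunnel. A production classifier tracks state across the whole session and uses far more than a first-packet prefix; this is the minimum needed to see why a port is not an application.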
  22. Customers Don't Know What They Don't Know!
     • Cyber criminals have targeted, and used, legitimate websites; there is no need for your users to "enter" the dark areas of the Internet
     • Compromised sites include The Wall Street Journal, The New York Times, ESPN and NASDAQ
     • Most of the SANS Top 20 threats are application based
  23. Device Sprawl and UTM Do Not Solve the Problem
     • Complexity and cost increase
     • Performance decreases (latency)
     • Still no visibility or control of Enterprise 2.0
     • Some vendors will tell you that UTM is the answer. UTM is not the answer, even for SMBs.
  24. More Devices = Good News, Bad News
     • Intrusion prevention systems
       • Good: looks for threats and "bad" applications
       • Bad: no control; just stops a limited number of apps; slow performance
     • URL filtering
       • Good: stops users from surfing porn, gambling, etc.
       • Bad: can't stop the growing number of evasive apps (P2P, Skype, etc.)
     • Proxies
       • Good: terminate connections, control access to sensitive data
       • Bad: support a limited number of apps, and often break them
  25. How to Solve This Problem?
  26. Fix the Firewall: Five Essential Requirements of an NG Firewall
     1. Identify applications regardless of port, protocol, evasive tactic or SSL
     2. Identify users regardless of IP address
     3. Protect in real time against threats embedded across applications
     4. Granular visibility and policy control over application access and functionality
     5. Multi-gigabit, in-line deployment with no performance degradation
  27. NGFW Requirements
     In "Defining the Next-Generation Firewall", Gartner provides the best definition. Each Gartner criterion is paired here with the corresponding Palo Alto Networks capability:
     • Application awareness and full stack visibility: App-ID identifies and controls 900+ applications
     • Integrated rather than co-located IPS: Content-ID includes full IPS without compromising performance
     • Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
     • Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
     • Support for "bump in the wire" deployments: multiple options for transparent deployment behind existing firewalls
  28. Transform the Firewall
     • App-ID: identify the application
     • User-ID: identify the user
     • Content-ID: scan the content
  29. Single-Pass Parallel Processing Architecture
     • Single pass: each operation happens once per packet
       • Traffic classification (application identification)
       • User/group mapping
       • Content scanning: threats, URLs, confidential data
       • One policy
     • Parallel processing
       • Function-specific parallel processing hardware engines
       • Separate data and control planes
     • Up to 10 Gbps, low latency
  30. Applications Require Fine-Grained Control
     • Applications use any port, evade, and encrypt
       • Must see all traffic
       • Must decrypt where appropriate
       • Block-or-allow is inadequate to meet business requirements
       • Keeping pace with Web 2.0 updates can sometimes be very difficult: in one week alone there were 231 individual changes to LinkedIn, Facebook and Twitter!
     • Applications require a fine-grained response (network control ranging from low to high)
       • Deny, even unknown applications
       • Allow
       • Allow but scan
       • Allow certain users
       • Allow certain functions
       • Shape (QoS)
       • ...and various combinations of the above
  31. Full Visibility into Applications, Users and Content
     [Screenshots: filter on Skype; what else is user Harris using; filter on Skype and user Harris]
  32. Executive and Detail Reports on What's Happening
     (Slide footer: © 2009 Palo Alto Networks. Proprietary and Confidential.)
  33. Essential Firewall Features We Expect Today and in NG Firewalls
     • Strong networking foundation
       • Dynamic routing (OSPF, RIPv2)
       • Tap mode: connect to a SPAN port
       • Virtual wire ("Layer 1") for true transparent in-line deployment
       • L2/L3 switching foundation (traditional L3 routing and bump-in-the-wire L2)
     • VPN
       • Site-to-site IPSec VPN
       • SSL VPN
     • Zone-based architecture
       • All interfaces assigned to security zones for policy enforcement
     • High availability
       • Active/passive
       • Highly stable
       • Configuration and session synchronisation
       • Path, link and HA monitoring
     • Virtual systems: multiple virtual firewalls in a single device
     • Simple, flexible management: CLI, web, SNMP, syslog
     • NAT
     • Application awareness/control
     • User/group controls
  34. Solutions Driving Change
     • Replace the firewall
       • Problem: can't see or control Enterprise 2.0 apps; users are in charge and policies are ignored
       • Solution: visibility of 900+ applications; identification of application users; fine-grained control over applications
     • Replace the IPS
       • Problem: apps are the conduit for new threats; IPS kills apps but can't control them
       • Solution: control apps to reduce the attack surface; stop threats with integrated IPS; stop leaks of confidential data; a stream-based engine ensures high performance
     • Simplify infrastructure
       • Problem: security is too complex and costs too high
       • Solution: fix the firewall, since that is why cost and complexity are high; consolidate other features into an integrated platform; redeploy the cost savings to other products in your portfolio
  35. The Application Landscape Has Changed
     [Figure: organisations (IT-driven, explicit risk analysis, predictable behaviour) versus users (primarily end-user driven, little regard for risks, unpredictable and evasive behaviour) versus hackers; as control decreases, risk increases. Applications shown range from enterprise (ERP, office productivity, email, enterprise VoIP, web server) through personal (web browser, web mail, social networking, IM, P2P, media, games, VoIP, PC remote control, cookies) to malicious (exploits, trojans, spyware, adware).]
  36. The IPS Market Will Eventually Disappear
     • Application awareness and full stack visibility
     • Extra-firewall intelligence to identify users
     • Integrated rather than co-located IPS
     • IDC: the market for IPS decreased 22% in 2009
  37. Why Traditional IPS Is Ineffective
     • Traditional IPS has a negative security model: it can only "find it and kill it"
     • Traditional IPS can't see into the growing volume of SSL-encrypted traffic, nor into compressed content
     • Next-generation firewalls with integrated IPS enable "allow the application, but scan it for threats"
     • Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for the firewall, the IPS, or the combination of the two
  38. Best Practices
     • First, identify and block all "bad" applications
       • Could include P2P, gaming, Tor, UltraSurf and software proxies
       • App-ID identifies 900+ applications
     • Second, safely enable all "good" applications
       • Content-ID prevents threats from piggybacking on "good" applications
       • Scan HTTP, SSL and compressed content
       • Block exploits, viruses, spyware downloads and phone-home traffic
     • Solid research and support: fast deployment of new protections
       • Member of MAPP; credited with more Microsoft vulnerability discoveries in the last six months than any other IPS vendor research team
     • Sustained high-performance firewall + IPS platform
       • Simplified policy control
       • Multi-Gbps, low latency, even when scanning both client and server traffic
  39. Other Security and Networking Budgets
     • Budgeted technologies: URL filtering, proxy appliances, anti-virus appliances, DLP solutions / PCI compliance
     • Use these maintenance budgets to replace firewalls with NG ones
  40. Segmentation to Isolate Cardholder Data
     [Diagram: zones for Cardholder Servers, Finance Users, Infrastructure Servers, Development Servers, WAN and Users, and the Internet, with the Palo Alto Networks firewall between them]
     • Only Finance users in Active Directory can access the cardholder zone (rule 1)
     • Oracle is the only application allowed (rule 1)
     • Block inbound threats (rule 1)
     • Monitor/block outbound cardholder data transfer (rule 1)
     • Deny and log all else (rule 2)
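To make the two rules on this slide concrete, here is an added example in Python (not the vendor's configuration syntax and not code from the presentation) that evaluates a session against zone, user group, application and scan result, with rule 2 as the catch-all deny-and-log. The IP-to-user mapping, the group membership, the zone prefixes and the sample sessions are all constructed. The same sessions are also evaluated against a traditional address-and-port rule to show what the port-based view lets through. Of the fine-grained responses on slide 30 it models deny, allow, allow-but-scan and allow-for-certain-users; per-function control and QoS shaping are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed User-ID style data: IP-to-user mapping and directory groups (not a real AD export).
IP_TO_USER = {"10.1.1.10": "mjones", "10.1.1.11": "pking", "10.2.0.5": "buildsvc"}
GROUPS = {"finance": {"mjones"}, "developers": {"pking", "buildsvc"}}

# Constructed zone plan keyed by address prefix; the longest matching prefix wins.
ZONE_PREFIXES = {"10.1.1.": "finance-users", "10.2.": "dev-servers",
                 "10.9.": "cardholder", "10.": "wan-users"}


def zone_of(ip: str) -> str:
    matches = [p for p in ZONE_PREFIXES if ip.startswith(p)]
    return ZONE_PREFIXES[max(matches, key=len)] if matches else "internet"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str                  # application as identified from the traffic, not inferred from the port
    threat: bool = False      # content scan matched an exploit or malware signature
    has_pan: bool = False     # content scan found card numbers in the session


@dataclass
class Rule:
    name: str
    from_zone: str            # "any" matches every zone
    to_zone: str
    groups: Optional[set]     # None = any user; otherwise the user must be in one of these groups
    apps: Optional[set]       # None = any application
    action: str               # "allow-scan" or "deny"


# Slide 40's policy: rule 1 admits only Finance users running Oracle into the cardholder zone
# and scans that traffic; rule 2 denies and logs everything else.
RULES = [
    Rule("1-finance-oracle-to-cardholder", "finance-users", "cardholder",
         {"finance"}, {"oracle"}, "allow-scan"),
    Rule("2-deny-all", "any", "any", None, None, "deny"),
]


def user_groups(user: Optional[str]) -> set:
    return {g for g, members in GROUPS.items() if user in members}


def evaluate(flow: Flow, rules=RULES) -> dict:
    """First-match evaluation over zone, user group, application and scanned content."""
    user = IP_TO_USER.get(flow.src_ip)        # unmapped IP -> unknown user -> no group rule matches
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for r in rules:
        if r.from_zone not in ("any", src) or r.to_zone not in ("any", dst):
            continue
        if r.groups is not None and not (user_groups(user) & r.groups):
            continue
        if r.apps is not None and flow.app not in r.apps:
            continue
        verdict = r.action
        if r.action == "allow-scan":          # "allow the application, but scan it for threats"
            if flow.threat:
                verdict = "drop-threat"
            elif flow.has_pan:
                verdict = "block-cardholder-data"
            else:
                verdict = "allow"
        return {"rule": r.name, "verdict": verdict, "user": user or "unknown",
                "zones": f"{src}->{dst}", "log": True}
    return {"rule": None, "verdict": "deny", "user": user or "unknown",
            "zones": f"{src}->{dst}", "log": True}


def legacy_port_rule(flow: Flow) -> str:
    """A traditional rule, 'permit tcp 10.1.1.0/24 -> 10.9.0.0/16 eq 1521': it sees only addresses and a port."""
    ok = (flow.src_ip.startswith("10.1.1.") and flow.dst_ip.startswith("10.9.")
          and flow.dst_port == 1521)
    return "allow" if ok else "deny"


# Constructed sample sessions.
SAMPLE_FLOWS = {
    "finance user, oracle":          Flow("10.1.1.10", "10.9.0.20", 1521, "oracle"),
    "developer, ssh tunnel on 1521": Flow("10.1.1.11", "10.9.0.20", 1521, "ssh"),
    "finance user, oracle, exploit": Flow("10.1.1.10", "10.9.0.20", 1521, "oracle", threat=True),
    "finance user, oracle, PANs":    Flow("10.1.1.10", "10.9.0.20", 1521, "oracle", has_pan=True),
    "unmapped host, oracle":         Flow("10.1.1.99", "10.9.0.20", 1521, "oracle"),
    "dev server to cardholder":      Flow("10.2.0.5", "10.9.0.20", 1521, "oracle"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        ng, legacy = evaluate(flow), legacy_port_rule(flow)
        print(f"{label:<32} port-based: {legacy:<6} app/user-aware: {ng['verdict']} ({ng['rule']})")
```

The developer's SSH session on port 1521 and the session from an address with no user mapping both pass the legacy rule and both hit rule 2 here, because the policy asks who the user is and what the application is rather than where the packet came from. The unmapped-address case is the one to check in any real deployment: an IP with no user behind it must fail closed, not fall through to an allow.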
  41. Flexible Deployment Options
     • Visibility: application, user and content visibility without in-line deployment
     • Transparent in-line: IPS with application visibility and control; consolidation of IPS and URL filtering
     • Firewall replacement: firewall replacement with application visibility and control; firewall + IPS; firewall + IPS + URL filtering
  42. "I'm Fine, No Problems Here"
     • "My proxy gives me application control"
       • Proxies/caches are great for bandwidth reduction
       • Proxies slow down and break applications
       • Proxies control a limited set of applications (~15)
       • Adding new applications is long and painful
       • They identify traffic only by URL string and IP addresses
     • "I'm protected by IPS and URL filtering"
       • Blocking is not always the best solution
       • IPS stops a limited set of "bad applications"
       • URL filtering control is limited to web surfing
       • 54% of HTTP traffic is client/server applications, which URL filtering can't control
     • "I have no issues with app visibility and control"
       • You don't know what you don't know
       • The AVR report shows users have taken control
       • Do a POC of an NG firewall and prove it!
  43. Take-Home Thoughts
     • Ask your network security team to produce a report of Web 2.0 activity today, then ask them what levels of control you have today; you will be concerned.
     • Re-evaluate your corporate Web 2.0 user policy/AUP through research, and identify how it will be audited through technology (an NG firewall).
     • It is unlikely that your current firewall technology will give you Web 2.0 protection. Start planning now to find one that will.
     • Consider using IPS/URL/gateway AV budgets to fund firewall replacement projects with NG firewalls.
  44. Thank You & Questions
  45. Contact Details
     Simon Richardson, Managing Partner, ITogether Security 341 0126