Ajit Shelat - Persistent LAN Security - Interop Mumbai 2009


    Ajit Shelat - Persistent LAN Security - Interop Mumbai 2009 - Presentation Transcript

    1. Persistent LAN Security Ajit Shelat CEO Nevis Networks 10/21/2009 © 2005 Nevis Networks – Proprietary and Confidential 1
    2. Top Network Attacks (bar chart, scale 0% to 60%; source: 2008 CSI Survey, results of 522 worldwide respondents)
       • Sabotage
       • DNS attacks
       • Password sniffing
       • Systems penetration
       • Abuse of wireless
       • BOTS
       • Denial of service attacks
       • Unauthorized access
       • Insider abuse
       • Trojans, viruses, worms
    3. Modern Day Complex Threats: Typical Blended Attack
       • Designed to maximize damage
       • Fast-spreading network-based threat with multiple attack vectors:
         • Combination of virus, spam, worm, and vulnerability exploits
         • Leverages P2P, IM and email to spread with a malicious payload attachment
         • Can self-replicate, acting as a hybrid virus/worm
         • Remote execution, DoS, backdoor applications
    4. Virus/Worm internals – Understanding Conficker (diagram)
       • Disables all security on the PC
       • Tries to spread
       • Starts peer-to-peer communication
       • Carries out Internet rendezvous
    5. Hacking made easy
       • Stealth mode
       • Keystroke capture
       • Screen shots
       • Password capture
       • No detection by AV + AS software
       • Mail capture, including webmail
    6. Security mechanisms today
    7. Perimeter Security
       » Gateway Firewall
       » IDS/IPS
       » Gateway AV
       » VPN
       » Content filtering
       Issues
       » Ineffective against attacks from inside the network
       » Non-malicious, careless users with ‘tainted’ laptops or USB devices, or who inject attacks directly into the LAN by careless internet access
       » Malicious insiders who can launch targeted attacks
    8. Network Access Control - End Point Security
       » OS Patch Management
       » Anti Virus / Anti Spyware
       » Personal Firewall
       » HIPS
       Issues
       » OS patches and AV/AS updates can take weeks to be deployed
       » AV/AS protection typically provides coverage of about 85-95%
       » AV/AS coverage for new attacks is lower in the few hours after a new attack is launched
       » Zero-day and targeted attacks can bypass endpoint protection mechanisms
       » Malicious users can disable or evade endpoint security checks
    9. Network Access Control - Authentication
       » Access control
       Issues
       » Does not provide for persistent security; mainly aimed at pre-connect authentication
       » Does not protect against a determined, malicious user attack
       » No threat detection and prevention
       » No support for detailed logging of network activity, hence inability to generate compliance reports and support forensic analysis
    10. End-to-End Application Security
       » Application security
       » Client-to-server secure pipe
       » Clean, trusted endpoint
       Issues
       » End-to-end encryption does not prevent malicious traffic being exchanged between the client and server
       » Endpoints cannot be assumed to be clean since
         » They can be attacked using other protocols, e.g. L2 protocols on LAN, DoS attacks
         • Protocols such as SSL can be broken using man-in-the-middle type attacks
    11. LAN Security – Weak Link in the Chain (diagram labels: Internet, Gateway, LAN, End Point)
       • Security focus has been on
         • Perimeter
         • Endpoint, i.e. PC/laptop
       • With increasing usage of laptops, handheld devices and wireless, the well-defined perimeter has dissolved
       • No focused, specific security mechanisms for the LAN
       • Internal networks are flat, a good playground for worms and hackers
       • Hard to manage thousands of internal users based on IP/MAC addresses and/or access-level security at app servers
       LAN Security Should be @ LAN Speeds
    12. Forrester View
       • The problem: managing all endpoint risks to the network
       • Proactive Endpoint Risk Management (PERM)*:
         – Policy-based technology
         – Identity-based enforcement
         – Integrated security services
           • Endpoint verification
           • Identity-based access control
           • Threat prevention
           • Monitoring and reporting
       • “PERM goes beyond NAC’s limited endpoint policy view”*
       * Source: Forrester Research, Client 2.0, March 2007, Robert Whiteley and Natalie Lambert
    13. Comprehensive LAN Security Solution
    14. It’s All About Knowing…
       • Who is on your network?
       • Where are they going?
       • Can you control their behavior?
       • What traffic are they sending?
       • What are they doing?
       • What would you like to do?
    15. Characteristics of Comprehensive LAN Security Solution
       • Comprehensive LAN Security
         – Involves endpoint authentication and compliance checks, ensuring that valid users with clean endpoints can access certain resources on the network
         – Blocks or quarantines the user if any intended or unintended malicious activity is detected
         – Notifies the admin of any deviations from organizational policies or of malicious activities, enabling auditing, drill-down and forensic analysis
         – Controls endpoints connected to managed switches, restricting a malicious endpoint as close to the source as possible
         – Keeps compromised endpoints from infecting other endpoints connected to unmanaged switches
         – Gives the admin a complete view of the network health
         – Encompasses security right from the endpoint, user identity, network access privileges/control and audit capability to blocking malicious traffic
         – Ensures high network uptime and clean networks without any malicious or unwanted traffic, and improves network bandwidth utilization
    16. An Integrated Policy Approach (diagram)
       • NAC
       • Threat Prevention
       • Network Traffic Visibility
       • Application Use Controls
       • Identity-based Enforcement
    17. The Identity-Aware Network (diagram)
       • Resources: Mission-critical Applications, Subset of Applications, Guest Network
       • Users: Contractors, Partners, Employees, Guests
    18. Multi-layer Defense Model (diagram)
       Defense layers:
       • Endpoint integrity
       • System Firewall / Access Control
       • Signature Detection
       • Protocol Anomaly
       • Traffic Anomaly
       • L2 Security
       Threats addressed:
       • Unauthorized access
       • Plundering system for data
       • Reconnaissance and scanning
       • Worms and viruses
       • BOTs
       • Spyware
       • Backdoors and RATs
       • Anomalous traffic
       • Remote execution
       • Detect password cracking
       • Denial of service
       • Bandwidth consumption
       • MAC spoofing
       • ARP spoofing
    19. Comprehensive Security – Integrated Perimeter, LAN & End point security (network diagram; labels: VPN, IDS, IDS, Router, Internet, Edge Firewall, Firewall, Enterprise Servers, Departmental Firewall, Distribution, Workgroup Servers, Network access control, Wireless Security Gateway, Access, Wireless Access Point, Extended Perimeter, Secured Workgroup, Desktops, Laptop, Wireless Users)
    20. One Stop Comprehensive LAN Security Status
    21. Thank You

    Interop Mumbai 2009, 1 month ago


    In a growing electronic economy, cyber attacks are more
