ROADMAP FOR CSC & BASIC CITIZEN SERVICES

CHALLENGES, VISION & LESSONS
Puneet Ahuja
puneeta@juniper.net
eHaryana 2014 - Roadmap for CSCs & Basic... - Shri Puneet Ahuja, Sr Consultant...
  • http://mashable.com/2011/05/22/psn-costs-infographic/
  • The lesson we can take from the remarkable Ghost Army underscores the need for new methods of stopping attackers. A recent study tested 40 anti-virus programs and showed that, of 80 new viruses tested, only 5% were detected. How many of you would feel protected knowing your defense has a 95% failure rate? Perhaps in deception there is a better path forward?
  • As we discussed earlier, each successful exploit has three parts: the attacker, the threat type and the target. We continue to see change in each.
  Attacker: in 2005 we saw a shift begin from attackers wanting notoriety to attackers wanting profitability. Today cybercrime is fully organized, and we see crime syndicates out to profit from attacks. These attackers are well funded, use sophisticated and purpose-built tools, and target organizations purely for profit. While this is nothing new, what we see today is a move from attacking only ".gov/.com" to attacking ".me/.you". Attackers are becoming increasingly sophisticated and profile not only companies but also individuals. They understand that we all have online identities but also "physical profiles" or "connection points", the variety of places we connect to the Internet from: work, an Internet café, an airport lounge, home. They have realized that our security defenses are often down or weak at some of these connection points, and that penetrating an individual's device works quite well outside the workplace. If you can infect a business user at an Internet café and then have them walk that device into the enterprise, you can infiltrate the enterprise infrastructure and bypass many of the defenses in place today. Attackers understand this and have adapted their behavior.
  Threat: the threat landscape is also changing, both in the types of attacks and in the sophistication and maturation of existing attacks. As expected, we continue to see new types of attack designed to bypass the latest technologies enterprises deploy. Historically, the first large virus outbreak was on the Apple II in 1981. Since then there have been many well-documented outbreaks, including the "ILOVEYOU" worm in 2000, SQL Slammer and Blaster in 2003, and countless worms, trojans and other forms of malware. Today DoS has given way to DDoS, and newer threats such as rootkits and botnets have taken hold. The most recent threat is the APT, which is not only a new type of threat but a new way to profile and attack networks, systems and organizations. Alongside new types of attack we also see existing attack types morph. For example, a few years ago the majority of malware was in cleartext, which AV or IDP solutions could often detect; today over 80% of malware uses encryption, compression or file packing to bypass traditional AV or IDP technologies.
  Target: finally, we also see significant change in attack targets. Over the past few years there has been an explosion in the devices attackers target, from smartphones to tablets to cloud services. What is particularly interesting about these new targets is the variation in platform architecture, from more secure platforms such as the iPhone to more open platforms such as Android. The other primary change is in the types of applications being attacked. Historically most attacks focused on traditional corporate application servers and productivity applications such as Office. Today we have seen a significant shift to Web 2.0 applications and social networking apps, where attackers take advantage of the trust built up among online users: users tend to trust links other users send within these applications, and attackers use that vector to deliver malware.
  Transition: the challenge for enterprises today is how to address new and emerging threats in a way that is scalable and does not significantly drive up cost.
  • We start with a strong foundational technology that combines access control (our policy engine, Junos Pulse Secure Control Service) with advanced protection (perimeter protection from SRX Series gateways). These technologies were designed with the same performance and scalability as our portfolio of switches and routers; our heritage as a carrier-grade networking company influenced the security architecture. This foundation supports an extensive ecosystem in a consistent way. First, easy access: a strong policy engine that provides context-aware policies for access and communication. This gives broad coverage for any kind of device, so we can make automated access decisions based on who, what, where, when and how they are logging on. It integrates with AD/LDAP or other directory stores, and endpoint profiling and behavior monitoring offer additional security for unmanaged endpoints. Second, advanced protection from modern attacks, with consistent policies for physical, virtual, on- and off-premises; this goes beyond IP- or signature-based security, which has become too easy for criminals to work around. We have a range of capabilities that leverage this central foundation, delivering better economics and a simpler, integrated approach.
  • Juniper's data center solution is unique. Not only do we provide an incredible range of high-performance security gateways and firewalls, we provide virtual firewalls, threat intelligence, web app protection and DDoS protection. High-performance firewalls: leading high-end firewall; proven data center scale; integration with WebApp Secure; scales to 200 (soon 300) Gbps with capacity for over 100 million sessions; linear, incremental scaling that reduces forklift upgrades; in-service scaling with no downtime and no business disruption for upgrades or capacity scaling; software-based pricing (FY14). Juniper virtual firewalls are the first purpose-built ones, designed to minimize the performance issues found in VLANs and other virtual solutions: 10x the performance of other solutions, tested at around 32 Gbps on a VM running at 36 Gbps; the policy binds to and travels with the workload; each VM instance is protected from others that share the hypervisor (east-west) with micro-perimeters; Smart Groups ensure that no VM is deployed without some level of protection. Juniper is the first and only company to provide Intrusion Deception technology, designed to stop an attack at the earliest possible stage, the reconnaissance stage. Earlier I mentioned that most attacks are not even noticed until weeks or months after the damage is done. With our technology we change that dynamic, we get more offensive, and we take the economic incentive away from the attacker. This is our WebApp Secure technology, worth a deep-dive session alone. Our DDoS prevention capability also stops attacks earlier, by employing sophisticated behavioral analysis that can detect and divert network- and application-level DDoS attacks. And across all of this environment, our SIEM capability lets you monitor for, find and correlate events so that you see emerging threats.
  • Similarly in the cloud, where virtualization is de rigueur, many of these capabilities are the same. We emphasize that zones and segmentation policies can be shared across physical and virtual environments, and our incredible performance metrics are enabled by the fact that we purpose-built our virtual solution, whereas most of the competition has tried to retrofit traditional firewall technology. We wanted VM policies to have characteristics that match the pace of VM deployment and the sometimes confusing ownership and control over VMs. For example, since you might have many developers spinning up VMs who might not otherwise implement security controls, we have a feature called "Smart Groups" that assures VM policy containment as a default for any VM detected on the network. Our introspection capability ensures that policies are appropriate to the workload, because we can see into the workload type and configuration. Policies bind to and travel with each VM; intra-VM protection.
  • In the single greatest battle fought during World War 2, not a single shot was fired. It was 1943, and the war was well under way as American, British and Canadian troops were amassing in the UK in preparation for an attack into Northern Europe. The Germans knew an attack was imminent and began to prepare troops to defend. The intelligence and troop build-ups said the attack was likely to happen at the narrowest point on the English Channel, the Port of Calais. Unfortunately, the English Channel was the site of many failed crossings in history, including the Spanish Armada and Napoleon Bonaparte's navy. The Allies were going to have to be perfect. On June 9th Hitler himself ordered his troops to stay at Calais, and even diverted troops heading for another potential site called Normandy to further reinforce Calais. Why did he send the troops to Calais?
  • They believed there were upwards of 50,000 soldiers on the other side of the Channel about to descend on Calais. What the Germans didn't realize, though, is that they were fighting a very different enemy: the greatest deception in history. This is an M4 Sherman tank, which weighs over 66,000 pounds, being carried across the battlefield by four men. No, these are not supermen built in a lab somewhere; these are four artists carrying a 93-pound rubber inflatable tank to the next spot in the "battle".
  • The second story I want to share with you is about the challenge of tracking and identifying.
  • You are looking at a picture of what could be described as the very first mug shot. This is Alphonse Bertillon, a Frenchman whose concern about how hard it would be to record and track fingerprints led him to invent an alternative method. A type of anthropometry, the Bertillon method used 11 measurements of the body, including skull diameter and the length of the left arm from elbow to middle finger. It was a bit labor-intensive to sift through Bertillon measurements trying to find your bad guy. But Bertillon's math claimed incredible odds, better than 286 million to one, against a duplicate. Remember, in 1878 there were only about 1.5 billion people in the world, so this was pretty good. Bertillon became famous for successfully identifying criminals using his new method, ended up heading the Paris Police Identification Bureau, and his system began to be used around the world. So why don't any of you know Bertillon?
  • There, that's better, because this was a case of two Will Wests. You are looking at two men, Will West and William West, who have similar features, are dressed similarly, have nearly the same name, and have IDENTICAL Bertillon measurements. Identical. William West was immediately pulled from his cell, and both men were brought into the same room. That was the beginning of the end of the Bertillon method. In Bertillon there is a lesson the IT security industry has yet to learn: relying on unspecific data to chase bad actors will never prevent attacks.
  • I can rent a 100,000-node botnet located in any country for a few hundred dollars over the Internet; the hackers are so convenient they even take PayPal. Plus, most companies and ISPs run proxy servers, so tens of thousands of users are often behind a single IP address. What's the point of building databases around an unreliable and unspecific identifier?
  • Los Angeles not only has the worst traffic imaginable, but also has 1.7 million fingerprints on file. 1.7 million: imagine what it would take to sort through those cards manually, trying to match a pair of fingerprints left at a crime scene. It would take roughly sixty-seven years to find a single one. If you are looking for a serial killer, they'll die of natural causes before you find them.
  • Here's a view into the AppSecure security suite for Branch SRX. As you can see, AppSecure is a security service offering a full range of security capabilities, from application tracking and monitoring to user-tailored enforcement to prioritization (a capability that will be available in 2H 2012). The AppSecure modules available with 11.4R1 on Branch SRX are AppTrack and AppFW, shown in dark blue. IPS, as you know, is already available on Branch SRX and works together with AppTrack and AppFW, as we will see in a minute. Shown in light blue is AppQoS, planned for release in the second half of 2012. Just as we saw in the IPS/IDS market, we have seen significant customer demand for visibility into the network: companies want to know what applications are running, who is using them, and what threats they could pose. That's why we have rolled out AppTrack along with AppFW, a strategy that not only enforces security policies but provides the visibility to help plan those policies. Juniper's long-term strategy is to continue to deliver AppSecure functionality in a scalable, network-ready way. The AppSecure vision is to deliver these multiple capabilities in one security service that shares intelligence and is scalable thanks to its integration with the underlying Junos and SRX. All of these AppSecure capabilities run on SRX branch platforms as part of the Junos feature set, and all of this functionality is made available by a simple upgrade to Junos 11.4. An annual subscription then brings in over 850 application signatures, as well as daily IPS signatures developed by our Juniper research lab; as more signatures become available you are provided timely updates. The AppSecure functionality requires the high-memory version of the SRX.
  • vGW is purpose-built for the virtual environment. The vGW solution relies on a few simple components that work in conjunction with one another to provide complete security. The entire solution is software-based and doesn't rely on any other Juniper products, such as SRX or STRM; however, those products can be integrated, and we will discuss that shortly. The first component is the Security Design vGW VM, which is similar to vCenter: a VM that manages all of the deployed and configured solutions. It integrates heavily with vCenter, so the security is as dynamic as the virtualized environment itself. After importing the OVA for the Security Design vGW virtual appliance and answering a few simple questions, an administrator can deploy the Security VMs on each of the physical ESX/ESXi hosts. These VMs are very lightweight. They serve a number of roles based on the product deployment type, for example IDS or the antivirus engine, and they are also responsible for communicating with the third-party components the vGW engine integrates with. The kernel module is integrated directly into the hypervisor and allows you to completely isolate communication flows to and from each VM on a host that has been selected for protection. The firewall, which is logically attached via this engine between the VM NICs and the vSwitching layer, isolates connection information and policy information from all other VMs, and unique policies can be attached to each interface, such as a per-vNIC policy. Let's examine the integration with vCenter a bit closer, as this is key to a purpose-built solution.
  • In campus, branch or remote offices, anywhere people work, we provide our next-generation firewall, which includes application visibility and control, IPS and other UTM capabilities. Bandwidth, application and network controls are easily managed. We have solutions that combine routing, switching and security within a single gateway, which is perfect for smaller offices or organizations. We provide DDoS and AppDoS protection, as well as management software to establish and enforce policies, and security information and event management, so that within a single pane of glass you can identify potential threats before they become real problems. And, as with all of our solution areas, identity- and context-based controls are in place through our policy engine.
  • The Branch office today has a plethora of devices, often from multiple vendors, to address the different components of networking, connectivity, and security. All of this adds up to high costs of managing disparate solutions, coupled with the complexity of integrating the different solutions, and making sure they work together to address security concerns.
  • Some of you are more networking-oriented and some may be security-focused, and many are new to SRX. It is a fully capable and yet highly flexible platform. Firewall/VPN: well-regarded, recognized leader and trusted vendor. Secure router: proven routing and switching using the same rock-solid technology used by our M and T series carrier-class routers. Based on Junos and the broadest range of WAN interfaces in the industry, the Branch SRX delivers secure wired and wireless LAN and 3G wireless connectivity options. And UTM (unified threat management), the consolidation of security features such as anti-virus, anti-spam, web filtering and content filtering for branch offices and small/medium businesses. Leverage each of these highly flexible solution components to meet your customers' business needs.
  • For mobility and access, our technologies help protect users from the device to the data center. It's frightening to note that 41% of people use their personal mobile device for business purposes without company support: downright dangerous from a security and DLP perspective. BYOD, or any mobility initiative, needs to have access policies at the core of the system. We do this in our foundation technology, which we call the Junos Access Control Service (also known as Unified Access Control, UAC). You have to account for different classes of devices: corporate-owned, employee-owned and guest devices. You have to think about deploying client and clientless solutions, coverage across wired and wireless, and remote secure connections; and, most importantly, a seamless user experience. That's why our focus is on context-based controls, the who, what, where, when and how of every session, orchestrated by the policy engine in the foundation, with integration to any directory store you might use and to enforcement points such as routers, switches and firewalls. We use a protocol called IF-MAP to enable per-session authentication and context control. We even provide 802.1X device authentication, and we offer device profiling and integration with change management for all of the other devices on your network, such as printers, fax machines, anything with an IP address. Our mobility and access solutions let you onboard (and off-board) users and devices quickly and easily; authenticate, control access and secure connectivity; protect sensitive apps and data (against malware, loss/theft, misuse, etc.); and manage enterprise user, device, data access and apps.
  • Transcript of "eHaryana 2014 - Roadmap for CSCs & Basic... - Shri Puneet Ahuja, Sr Consultant..."

    1. ROADMAP FOR CSC & BASIC CITIZEN SERVICES. CHALLENGES, VISION & LESSONS. Puneet Ahuja, puneeta@juniper.net
    2. http://www.wired.com/magazine/2011/01/ff_hackerville_romania/
    3. GOVT SITES HACKED. MTNL claims that only the webpage and the server log files created by the server of the activities performed by it were damaged, but cyber experts do not rule out the possibility of hackers having obtained subscribers' addresses, phone numbers and other data. "As per the information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In), a total number of 308, 371 and 78 government websites were hacked during the years 2011, 2012 and 2013 (up to June) respectively." http://articles.economictimes.indiatimes.com/2014-02-05/news/47049131_1_huawei-and-zte-bsnl-network-telecom-networks
    4. INVALUABLE CITIZEN INFORMATION: PAN card records, financial profile, bank records, critical personal data, land records
    5. KNOW THE UNKNOWN
    6. WHAT ARE WE UP AGAINST? State sponsored and motivated by national interest; groups or individual security experts with a common interest; individuals or gangs motivated by monetary rewards
    7. THE COST OF AN ATTACK. PONEMON INSTITUTE | AVERAGE BREACH COSTS $214 PER RECORD STOLEN. Sony: stolen records 100M (theft); lawsuits $1-2B; direct costs $171M; reputation and revenue: 23-day network closure, lost customers, security improvements
    8. Inconvenient Statistics. 70% of ALL threats are at the Web application layer (Gartner). 73% of organizations have been hacked in the past two years through insecure Web apps (Ponemon Institute)
    9. SECURITY TRENDS. Attacker: from notoriety to profitability; from attacking .gov/.com to attacking .me/.you. Threats: sophistication (maturity); types of attack: worms, virus, trojans, DOS, malware, botnets, APT. Target: new devices; new applications (Internet Information Services, ERP)
    10. START WITH A SECURITY FOUNDATION. Easy access: context-based access control for virtually any device, any user, any time (who, what, where, when, how). Attack protection: consistent and advanced protection across physical, virtual, on- and off-premises; beyond the IP address. Value: better economics through a leverageable foundation; improved efficiencies through centralized control. [Diagram: Security Foundation (attack prevention, easy access) spanning Mobility, Campus, Data Center and Cloud; layers Access, Apps, Networks, Mgmt; Products]
    11. Data center security. Supporting app and network deployments: flexible deployment models; high-performance firewall; virtual firewall; policy sharing across virtual and physical; scale easily, incrementally; management and security information and event management from a single pane of glass. Protecting from targeted attacks: Intrusion Deception stops the attack, with no false positives; DDoS and AppDoS prevention, where DDoS behavioral analysis stops attacks earlier; threat intelligence; Web App protection; analytics. [Diagram: Foundation spanning Mobility, Campus, Data Center and Cloud; layers Access, Apps, Networks, Mgmt; Products]
    12. DECEIVE
    13. Juniper: Detection by Deception
    14. JUNOS WEBAPP SECURE (JWAS): ATTACKER TRIPS A TAR TRAP. Tar traps are planted in query string parameters, hidden input fields, server configuration and the database; the attacker who touches one is identified (local name Mary13 = Attacker). [Diagram: Client, Network Perimeter, Firewall, App Server, Database]
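The slide shows the mechanism but not the code. The block below is an added example of the tar-trap idea, written for this page and not taken from JWAS: a decoy hidden input field is injected into every form, and a decoy query parameter exists that no page ever links to. A browser driven by a real user echoes the hidden field back unchanged and never sends the query parameter; a scanner, a proxy-edited request or a replay does one or the other and identifies itself without any attack signature. The field and parameter names (`acct_ref`, `debug`), the HMAC key, the page snippet and the three sample requests are all constructed for the example.

```python
"""Tar traps as honeytokens. Added example, not JWAS code; names, key and requests are made up."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

TRAP_KEY = b"rotate-me-per-deployment"   # assumption: server-side secret, never sent to the client
HIDDEN_TRAP = "acct_ref"                  # decoy hidden input field; looks like a real parameter
QUERY_TRAP = "debug"                      # decoy query parameter that no page ever links to

# Constructed page snippet standing in for the application's real HTML.
PAGE = '<form method="post" action="/profile"><input name="email"></form>'


def trap_token(session_id: str, trap_name: str) -> str:
    """Per-session keyed token, so a value copied from another session also trips the trap."""
    msg = f"{session_id}:{trap_name}".encode()
    return hmac.new(TRAP_KEY, msg, hashlib.sha256).hexdigest()[:24]


def inject_hidden_trap(html: str, session_id: str) -> str:
    """Insert the decoy hidden field before every </form>; browsers echo it back unchanged."""
    field = (f'<input type="hidden" name="{HIDDEN_TRAP}" '
             f'value="{trap_token(session_id, HIDDEN_TRAP)}">')
    return re.sub(r"(?i)</form>", field + "</form>", html)


def inspect_request(session_id: str, query_string: str, form_body: str) -> list:
    """Return the names of the traps this request tripped (empty list for normal traffic)."""
    tripped = []
    query = dict(parse_qsl(query_string, keep_blank_values=True))
    form = dict(parse_qsl(form_body, keep_blank_values=True))

    # Nothing we serve ever emits ?debug=; its presence means someone is guessing parameters.
    if QUERY_TRAP in query:
        tripped.append(QUERY_TRAP)

    # A form post must carry the hidden field exactly as issued. Edited or missing means the
    # submitter is not our page: a scanner, a proxy-edited request or a replay.
    if form:
        expected = trap_token(session_id, HIDDEN_TRAP).encode()
        supplied = form.get(HIDDEN_TRAP, "").encode()
        if not hmac.compare_digest(supplied, expected):
            tripped.append(HIDDEN_TRAP)
    return tripped


def demo() -> dict:
    """Run three constructed requests through the traps: a real user, a tamperer, a prober."""
    sid = "sess-42"
    page = inject_hidden_trap(PAGE, sid)
    good_body = f"email=a%40example.org&{HIDDEN_TRAP}={trap_token(sid, HIDDEN_TRAP)}"
    bad_body = f"email=a%40example.org&{HIDDEN_TRAP}=1%27%20OR%201%3D1--"  # SQLi probe in the decoy
    return {
        "page_has_trap": HIDDEN_TRAP in page,
        "normal": inspect_request(sid, "", good_body),
        "tampered": inspect_request(sid, "", bad_body),
        "probe": inspect_request(sid, "id=7&debug=1", ""),
    }


if __name__ == "__main__":
    print(demo())
```

Because the decoy is something the application never reads, there is no legitimate reason for it to change, which is what gives this class of detection its very low false-positive rate; the trip event is what you would then tie to the attacker's fingerprint rather than to the IP.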
    15. Track.
    16. The Unusual Case of Will(iam) West
    17. Our industry needs to move beyond IP reputation databases
    18. FINGERPRINT OF AN ATTACKER. 200+ attributes used to create the fingerprint: browser version, fonts, timezone, browser add-ons, IP address. Near real-time availability of fingerprints. False positives: nearly zero
    19. NEXT GENERATION DATACENTER SECURITY: SPOTLIGHT SECURE ATTACKER DATABASE. Juniper's Spotlight Secure, a global attacker intelligence service, is a one-of-a-kind, cloud-based security solution that identifies specific attackers and delivers that intelligence to Junos security products. [Diagram: Spotlight Attacker Database exchanging fingerprints with WebApp Secure, DDoS Secure and SRX Series Services Gateways]
    20. Fingerprints are Useless Until Shared
    21. SPOTLIGHT LOOKUP. Table columns: Global Name, Local Name, JWAS Device. Entries: global name 4X12J8; local names Bob112, Mary13 and Joe196; devices JWAS Customer A and JWAS Customer B; one entry's global name is still unknown (?)
    22. SPOTLIGHT MATCH. The same table after the lookup, with the unknown entry matched
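Slides 18 and 20 to 22 describe two things: a fingerprint built from many browser attributes rather than the IP, and a shared registry in which each customer's local name (Mary13, Joe196) resolves to one global name. The following is an added example of both, written for this page; it is not Spotlight Secure code and does not claim to reproduce its matching. The attribute set, the hashing, the similarity threshold, the global-name format and the sample attackers are all assumptions made for the example.

```python
"""Attacker fingerprints shared through a global registry. Added example, not Spotlight code."""
import hashlib
import json

# The IP address is kept out of the fingerprint on purpose: botnets and shared proxies make it
# an unspecific identifier (the deck's Will West argument).
EXCLUDED = {"ip"}


def fingerprint(attrs: dict) -> str:
    """Stable hash over the canonical form of the identifying attributes."""
    core = {k: attrs[k] for k in sorted(attrs) if k not in EXCLUDED}
    canon = json.dumps(core, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def similarity(a: dict, b: dict) -> float:
    """Fraction of identifying attributes that agree; tolerates a changed timezone or add-on."""
    keys = (set(a) | set(b)) - EXCLUDED
    agree = sum(1 for k in keys if a.get(k) == b.get(k))
    return agree / len(keys) if keys else 0.0


class FingerprintRegistry:
    """Global store: fingerprint -> {global name, attributes, {customer: local name}}."""

    def __init__(self, threshold: float = 0.75):   # assumption: 75% attribute agreement
        self.threshold = threshold
        self.records = {}
        self._next = 0

    def _new_global_name(self) -> str:
        self._next += 1
        return f"G{self._next:04d}"                 # assumption: opaque global identifiers

    def match(self, attrs: dict):
        """Exact fingerprint first, then the closest record above the similarity threshold."""
        fp = fingerprint(attrs)
        if fp in self.records:
            return self.records[fp]
        best, best_score = None, 0.0
        for rec in self.records.values():
            score = similarity(rec["attrs"], attrs)
            if score > best_score:
                best, best_score = rec, score
        return best if best_score >= self.threshold else None

    def submit(self, customer: str, local_name: str, attrs: dict) -> str:
        """A device reports a locally named attacker; returns the shared global name."""
        rec = self.match(attrs)
        if rec is None:
            rec = {"global": self._new_global_name(), "attrs": dict(attrs), "seen": {}}
            self.records[fingerprint(attrs)] = rec
        rec["seen"][customer] = local_name
        return rec["global"]

    def lookup(self, attrs: dict):
        """What another customer asks before it has named the attacker itself."""
        rec = self.match(attrs)
        return None if rec is None else (rec["global"], dict(rec["seen"]))


# Constructed attackers: documentation IP ranges, invented attribute values.
ATTACKER = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0", "fonts": "DejaVu Sans,Liberation Mono",
            "timezone": "UTC+2", "addons": "noscript,foxyproxy", "screen": "1920x1080", "ip": "203.0.113.7"}
SAME_VIA_PROXY = dict(ATTACKER, ip="198.51.100.9")          # same browser, different exit IP
DRIFTED = dict(SAME_VIA_PROXY, timezone="UTC+5:30")          # travelled; one attribute changed
BYSTANDER = {"ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0", "fonts": "Arial,Calibri,Segoe UI",
             "timezone": "UTC-5", "addons": "", "screen": "1366x768", "ip": "198.51.100.9"}


def demo() -> dict:
    reg = FingerprintRegistry()
    a_name = reg.submit("Customer A", "Mary13", ATTACKER)
    b_name = reg.submit("Customer B", "Joe196", SAME_VIA_PROXY)
    return {
        "customer_a": a_name,
        "customer_b": b_name,
        "drifted": reg.lookup(DRIFTED),
        "bystander_sharing_ip": reg.lookup(BYSTANDER),
        "seen_by": reg.records[fingerprint(ATTACKER)]["seen"],
    }


if __name__ == "__main__":
    print(demo())
```

The bystander case is the point of slide 17: an innocent user behind the same proxy IP as the attacker gets no match, while the attacker who moves to a new exit IP or changes one attribute still resolves to the global name that Customer A assigned.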
    23. DDoS SECURE – How does it work. Packets are validated against pre-defined RFC filters; malformed and mis-sequenced packets are dropped. Each individual IP address is assigned a CHARM value based on its behaviour: mechanistic traffic gets a low CHARM value, first-time traffic a medium CHARM value, and humanistic, trusted traffic a high CHARM value
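The slide gives the shape of the approach: a protocol-sanity stage followed by a per-source behavioural score that decides who is served first under load. The block below is an added, illustrative model of that idea written for this page; it is not Juniper's CHARM algorithm and the weights are invented. It makes the two stages concrete: `validate_packet` drops packets with impossible TCP flag combinations or bad header values, and `CharmTable` starts every new source in the middle, pushes clockwork (mechanistic) timing down, pushes irregular timing and completed transactions up, and sheds the lowest-scored sources first when demand exceeds capacity. The packet dictionary shape, thresholds, scores and traffic are all assumptions.

```python
"""Per-source trust scoring under DDoS. Added illustrative model, not Juniper's CHARM algorithm."""
import statistics

MEDIUM = 50                  # starting score for first-time traffic
MIN_SAMPLES = 3              # inter-arrival statistics need a few requests first


def validate_packet(pkt: dict) -> bool:
    """Coarse protocol sanity checks standing in for the RFC filter stage."""
    flags = set(pkt.get("flags", ()))
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return False                                   # mutually exclusive TCP flags
    if pkt.get("proto") == "tcp" and not flags:
        return False                                   # null scan or corrupt header
    if pkt.get("ttl", 64) <= 0:
        return False
    if not 0 < pkt.get("dport", 0) < 65536:
        return False
    return True


class CharmTable:
    """Per-IP request history and the trust score derived from it."""

    def __init__(self):
        self.times = {}      # ip -> list of request timestamps (seconds)
        self.completed = {}  # ip -> number of fully completed transactions

    def observe(self, ip: str, ts: float, completed: bool = False) -> None:
        self.times.setdefault(ip, []).append(ts)
        if completed:
            self.completed[ip] = self.completed.get(ip, 0) + 1

    def charm(self, ip: str) -> int:
        times = self.times.get(ip, [])
        if len(times) < MIN_SAMPLES:
            return MEDIUM                              # first-time traffic: neither trusted nor suspect
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0   # coefficient of variation
        score = MEDIUM
        if cv < 0.1:
            score -= 30                                # metronome timing: mechanistic
        elif cv > 0.5:
            score += 15                                # irregular timing: humanistic
        score += 7 * min(self.completed.get(ip, 0), 5)  # finished transactions build trust
        return max(0, min(100, score))

    def admit(self, ips, capacity: int) -> list:
        """When demand exceeds capacity keep the highest-scored sources and shed the rest."""
        ranked = sorted(set(ips), key=lambda ip: (-self.charm(ip), ip))
        return ranked[:capacity]


def demo_table() -> CharmTable:
    """Constructed traffic: one bot, one person, one newcomer (documentation IP ranges)."""
    t = CharmTable()
    bot, human, newcomer = "198.51.100.9", "192.0.2.24", "203.0.113.5"
    for i in range(20):
        t.observe(bot, i * 0.5)                        # exactly every 500 ms, never completes anything
    for k, ts in enumerate([0.0, 3.1, 3.5, 15.5, 17.2, 22.4]):
        t.observe(human, ts, completed=(k % 2 == 1))   # bursty, three completed transactions
    t.observe(newcomer, 100.0)
    return t


if __name__ == "__main__":
    t = demo_table()
    for ip in ("198.51.100.9", "192.0.2.24", "203.0.113.5"):
        print(ip, t.charm(ip))
    print("admitted at capacity 2:", t.admit(["198.51.100.9", "192.0.2.24", "203.0.113.5"], 2))
```

The ordering is what matters operationally: under overload the bot at exactly 500 ms intervals is shed before the newcomer, and the newcomer before the source with a history of completed transactions. A real implementation would also decay scores over time and treat low-and-slow sources (few requests, long gaps) as a separate signal, which this toy model does not.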
    24. DATACENTER SECURITY: STOPPING THE UNKNOWN. Spotlight Secure: global attacker fingerprint system; actionable, beyond the IP address. DDoS Secure: low-and-slow and volumetric; no tuning or thresholds. WebApp Secure: Intrusion Deception stops hacking; signature free, stops new attacks; near-zero false positives; no tuning or Web App changes. Application Firewall: leading high-end firewall; proven datacenter scale; integration with WebApp Secure