Next Generation Security
Understanding and insight on the next-generation security technology.

Published in: Technology

  1. Next Generation Security (2013.02, by Claude Conrad)
  2. Part I. Understanding Next-Gen. Security
     Part II. The Direction of FutureSystems’ NGFW (…this part is private!)
  3. Evolution of Network Security
     [Acronyms]
     • SPI : Stateful Packet Inspection
     • DPI : Deep Packet Inspection
     • OC : Outbound Control
     • FCI : Full Content Inspection
     Technology timeline : 1984 signature detection → 1988 packet filtering → 1991 application proxy → 1993 SPI → 2001 DPI → 2002 OC → 2004 FCI → 2009 application/user awareness → 2011 context awareness (the slide marks a "Boom of Network Security" period along this line)
     Products along the same timeline : IDS, Firewall, IPS, Anti-DDoS, URL filtering, UTM, DLP, Web-FW, SWG, NGFW, NGIPS → Next Generation Security!!
  4. Market Segmentation
     • IPS/NGIPS (Divergence) : 2011 $1.19 Billion, ~2016 2.5% CAGR. Vendors : McAfee, HP, Sourcefire
     • UTM (FW+IPS+Other) : 2011 $1.28 Billion, ~2017 15% CAGR. Vendors : Check Point, Fortinet, SonicWall, WatchGuard
     • Enterprise Firewall / NGFW (FW+IPS, Convergence) : 2011 $6.3 Billion, ~2017 7.3% CAGR. Vendors : Check Point, Palo Alto
     Segment sizing : Small (~100 users, ~1G throughput), Midsize (~1,000 users, ~10G), Enterprise (~20,000 users, +10G), Large (+20,000 users)
  5. UTM
     UTM is a multifunction network security product used by small or midsize businesses (SMBs).
     • Basic UTM (defined by IDC, 2004) : Firewall, IPsec VPN, IPS, Anti-virus
     • Extended UTM : URL filtering, SSL VPN, Anti-spam, Anti-malware
     • Advanced UTM (now) : App. awareness, User awareness, Content awareness, WLAN controller, WAN optimization, VoIP Gateway, Web-FW, SSL Proxy, DLP, NAC, ….
  6. NGFW
     A next-generation firewall provides multiple protection mechanisms and features designed to prevent threats/attacks from the network layer up to the application layer.
     • Supports in-line bump-in-the-wire configuration
     • Minimum features :
       - Standard first-generation firewall capabilities
       - Integrated, rather than merely colocated, network IPS
       - Application awareness and full-stack visibility
       - Extra-firewall intelligence : user-ID directory, URL/IP DB
     • Supports upgrade paths to address future threats
     (Defined by Gartner, 2009)
  7. NGFW - Application awareness
     Role
     • Application detection : regardless of the port, protocol, and (SSL) encrypted traffic!
     • Application control : application access control and action control!
     Composition
     • Application decryption (SSL, SSH)
     • Application protocol decoding (detect HTTP tunneling, individual functions, etc.)
     • Application signatures
     • Application heuristics (app. anomaly detection)
  8. NGFW - Security Policy of NGFW
     Existing FW : Allow SOURCE to DESTINATION
     • SOURCE : IP addresses, Port #
     • DESTINATION : IP addresses, Port #
     • Example : "Allow 80 to any 80" → allows the use of port 80 for a designated IP.
     NGFW : Allow Application SOURCE to DESTINATION
     • SOURCE : IP addresses, Port #, Users
     • DESTINATION : IP addresses, Port #
     • Example : "Allow Facebook any any manager to any any" → allows access to "Facebook" for a designated user group (regardless of the port, protocol, and encrypted traffic!)
  9. NGFW vs. UTM #1
     • Range of security features : UTM vs. NGFW
     • Throughput (with FW+IPS+AV enabled) : NGFW vs. UTM
     • Market : UTM → SMB, NGFW → Enterprise
  10. NGFW vs. UTM #2
     UTM
     • App. ID as an IPS pattern!
     • Port-based traffic classification engine
     • Sees applications only on the default port
     • Identifies potentially malicious traffic by port
     NGFW
     • App. ID traffic classification engine
     • Sees applications on every port, not just the default port
     • Identifies potentially malicious traffic by application type
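The policy difference of slide 8 and the classification difference of slide 10 are easiest to see side by side. The following is an added example, not code from the deck or from any vendor mentioned in it: a first-match evaluator for a port-only rule ("Allow 80 to any 80" for a designated IP) next to an application/user-aware rule ("Allow Facebook … manager"), run over constructed flows. The App-ID engine is a toy payload-signature lookup, and the IPs, user names, group names and payloads are all invented.

```python
# Added example (not from the slide deck): port-only rule matching next to
# application/user-aware matching, over constructed flows.  The App-ID engine
# is a toy payload-signature lookup; IPs, users and groups are invented.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str]   # resolved from a user-ID directory; None if unknown
    payload: bytes        # first payload bytes (after SSL decryption, if any)


# Toy App-ID signatures (constructed).  More specific entries are checked first,
# so a Facebook request is not reported as generic "http".
APP_SIGNATURES: List[Tuple[str, Tuple[bytes, ...]]] = [
    ("facebook", (b"Host: www.facebook.com", b"Host: facebook.com")),
    ("ssh", (b"SSH-2.0-",)),
    ("http", (b"GET ", b"POST ")),
]


def identify_app(payload: bytes) -> str:
    """Classify by content, not by port, as an NGFW classification engine does."""
    for app, sigs in APP_SIGNATURES:
        if any(sig in payload for sig in sigs):
            return app
    return "unknown"


@dataclass(frozen=True)
class PortRule:              # existing FW: "Allow SOURCE to DESTINATION"
    src_ip: str              # "any" or an IP address
    dst_ip: str
    dst_port: Optional[int]  # None = any port
    action: str


@dataclass(frozen=True)
class AppRule:               # NGFW: "Allow Application SOURCE to DESTINATION"
    app: str                 # "any" or an App-ID name
    user_group: str          # "any" or a directory group
    action: str


# Constructed user-ID directory: user -> group.
USER_GROUPS: Dict[str, str] = {"alice": "manager", "bob": "staff"}


def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == "any" or pattern == ip


def evaluate_port_policy(rules: List[PortRule], flow: Flow) -> str:
    """First-match evaluation on addresses and port only; payload is never consulted."""
    for r in rules:
        if (_ip_match(r.src_ip, flow.src_ip) and _ip_match(r.dst_ip, flow.dst_ip)
                and (r.dst_port is None or r.dst_port == flow.dst_port)):
            return r.action
    return "deny"   # implicit default deny


def evaluate_app_policy(rules: List[AppRule], flow: Flow) -> str:
    """First-match evaluation on identified application and user group; port is ignored."""
    app = identify_app(flow.payload)
    group = USER_GROUPS.get(flow.user or "", "unknown")
    for r in rules:
        if (r.app in ("any", app)) and (r.user_group in ("any", group)):
            return r.action
    return "deny"


# The two rules of slide 8, written against the constructed designated IP.
PORT_RULES = [PortRule("10.0.0.5", "any", 80, "allow")]
APP_RULES = [AppRule("facebook", "manager", "allow")]

# Constructed flows.
FB_REQ = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n"
FLOWS: Dict[str, Flow] = {
    "manager_facebook_80":   Flow("10.0.0.5", "203.0.113.10", 80, "alice", FB_REQ),
    "staff_facebook_80":     Flow("10.0.0.5", "203.0.113.10", 80, "bob", FB_REQ),
    "ssh_tunneled_on_80":    Flow("10.0.0.5", "203.0.113.20", 80, "bob", b"SSH-2.0-OpenSSH_8.9\r\n"),
    "manager_facebook_8443": Flow("10.0.0.5", "203.0.113.10", 8443, "alice", FB_REQ),
}


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Return {flow name: {"port_fw": verdict, "ngfw": verdict}} for every flow."""
    return {
        name: {"port_fw": evaluate_port_policy(PORT_RULES, f),
               "ngfw": evaluate_app_policy(APP_RULES, f)}
        for name, f in FLOWS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:24s} port-FW={verdicts['port_fw']:5s} NGFW={verdicts['ngfw']}")
```

The port-only rule lets the SSH session tunnelled over port 80 through and blocks the manager's Facebook session on 8443, while the application-aware rule decides both correctly and additionally separates the manager from the staff user on the same port; that is the "regardless of the port, protocol, and encrypted traffic" point of slide 8 in running form.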
  11. NGIPS
     A next-generation IPS builds on typical IPS solutions by providing application and contextual awareness to promptly assess threats, ensure a consistent and appropriate response, and reduce an organization’s security expenditures.
     • Supports in-line bump-in-the-wire configuration
     • Minimum features :
       - Standard first-generation IPS capabilities
       - Application awareness and full-stack visibility
       - Context awareness : information sources such as user identities, vulnerability and patching state, geo-location information, etc.
       - Content awareness
       - Agile engine : supports upgrade paths to address future threats
     (Defined by Gartner, 2011)
  12. NGIPS - Context awareness (Definition)
     Context awareness (external intelligence, situational awareness) is the ability to deliver additional, relevant information to the FW & IPS engine to enable more accurate decisions to allow, alert, or block more quickly, accurately, and securely with fewer false positives.
      Context is the complex set of network circumstances.
      Context awareness is understanding the entire environment.
     Context information sources :
     • Mgmt. system, Appliance, Configuration, Security policy
     • Devices (host profile with OS)
     • Application (client side)
     • Service (server-side application)
     • Vulnerabilities (patching state)
     • Network behaviors (NBA)
     • User ID
     • Context (historical information!)
     Special event detected! How to respond?
  13. NGIPS - Context awareness (Example)
     Context awareness provides "Actionable Intelligence"!!!
     [Automated Tuning]
     • Unknown device detection
     • Abnormal traffic detection
     • Unexpected app./user detection
     • New vulnerability reported
     → Recommend related policy
     [Incident Prioritization] e.g. Linux-based exploit detected
     • Target server provided? No → needless action : dismissing/logging, impact level low!
     • Yes → Target server patched? Yes → dismissing/logging, impact level middle!
     • No → alerting (if in detection mode) / blocking, impact level high!
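The incident-prioritization tree above, and the "new vulnerability reported → recommend related policy" tuning step, as an added example that is not code from the deck: a decision function driven by passively learned host profiles. "Target server provided?" is read here as "does the destination actually run the OS and service the exploit needs", which is an assumption about the slide's wording. Host addresses, service names, the signature name and the vulnerability IDs (`VULN-EX-…`) are constructed placeholders.

```python
# Added example (not from the slide deck): slide 13's prioritization flow as a
# decision function over host-profile context, plus the automated-tuning
# recommendation.  IPs, services, signature and VULN-EX-* IDs are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HostProfile:
    os_family: str                                   # learned passively, e.g. "linux"
    services: Set[str]                               # server-side applications exposed
    patched: Set[str] = field(default_factory=set)   # vulnerability IDs remediated


@dataclass(frozen=True)
class ExploitEvent:
    src_ip: str
    dst_ip: str
    signature: str      # IPS signature that fired
    target_os: str      # OS family the exploit works against
    service: str        # service the exploit targets
    vuln_id: str        # vulnerability the exploit relies on


def prioritize(event: ExploitEvent, hosts: Dict[str, HostProfile],
               mode: str = "prevention") -> Tuple[str, str]:
    """Return (impact level, action) following the slide's decision tree.

    "Target server provided?" is taken to mean: the destination runs the OS and
    service the exploit needs (assumption about the slide's wording).
    """
    host = hosts.get(event.dst_ip)
    relevant = (host is not None and host.os_family == event.target_os
                and event.service in host.services)
    if not relevant:
        return ("low", "log")          # needless action: dismiss/log
    if event.vuln_id in host.patched:
        return ("middle", "log")       # already patched: dismiss/log
    # Vulnerable target: alert when only detecting, block when preventing in-line
    return ("high", "alert" if mode == "detection" else "block")


def recommend_policy(vuln_id: str, os_family: str, service: str,
                     hosts: Dict[str, HostProfile]) -> List[str]:
    """Automated tuning: hosts for which a rule covering vuln_id should be enabled."""
    return sorted(ip for ip, h in hosts.items()
                  if h.os_family == os_family and service in h.services
                  and vuln_id not in h.patched)


# Constructed host profiles (documentation-range addresses).
HOSTS: Dict[str, HostProfile] = {
    "192.0.2.10": HostProfile("linux", {"apache"}, {"VULN-EX-0001"}),
    "192.0.2.11": HostProfile("linux", {"apache"}),
    "192.0.2.20": HostProfile("windows", {"iis"}),
}


def _event(dst: str) -> ExploitEvent:
    # The same constructed Linux/Apache exploit signature aimed at different hosts
    return ExploitEvent("198.51.100.7", dst, "SIG-EX-LINUX-APACHE",
                        "linux", "apache", "VULN-EX-0001")


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Evaluate the three outcomes on the slide plus a detection-mode variant."""
    return {
        "wrong_platform":         prioritize(_event("192.0.2.20"), HOSTS),
        "patched_target":         prioritize(_event("192.0.2.10"), HOSTS),
        "vulnerable_target":      prioritize(_event("192.0.2.11"), HOSTS),
        "vulnerable_detect_mode": prioritize(_event("192.0.2.11"), HOSTS, mode="detection"),
        "unknown_host":           prioritize(_event("192.0.2.99"), HOSTS),
    }


if __name__ == "__main__":
    for name, (impact, action) in run_scenarios().items():
        print(f"{name:24s} impact={impact:6s} action={action}")
    print("rule recommended for:", recommend_policy("VULN-EX-0001", "linux", "apache", HOSTS))
```

Without the host profiles every firing of the signature would be treated the same; with them only the unpatched Linux/Apache host produces a high-impact block, the patched one is logged at middle impact, and the Windows host and the unknown host are logged at low impact, which is the false-positive reduction the definition on slide 12 promises.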
  14. NGIPS vs. NGFW #1
     • Existing Firewall + application awareness + user awareness → NGFW
     • Existing IPS + content awareness + context awareness → NGIPS
     • NGFW-v2 : application, user, content, context, and other awareness combined
  15. NGIPS vs. NGFW #2
     Columns : Typical FW | NGFW | Typical IPS | NGIPS | NGFW v2
     DETECT
     • Attack signature : O O O O
     • Application awareness - Applications : O O O
     • User awareness - Users (Identity) : O O O
     • Context awareness - Vulnerabilities : O O
     • Context awareness - Host profiles : O O
     • Context awareness - Client applications / Mobile devices : O O O
     • Context awareness - Virtual machines : O O O
     • NBA - NW behavior anomaly : △ O O O
     CONTROL
     • Network access : O O O O O
     • URL filtering - Site access : O O O
     • User awareness - User access : O O
     • Application awareness - Layer 7 access : O O
     Vendors : CheckPoint, PaloAlto, McAfee, SourceFire, SourceFire
  16. The Meaning of Next-gen. Security #1 - Evolution of Convergence
     TCP/IP layers : Application / Transport / Internet / Link
     • UTM (with IPS) : network-centric convergence; colocated security features
     • NGFW : application-centric convergence; closely integrated security features
  17. The Meaning of Next-gen. Security #2 - Age of Awareness (Expansion of DPI)
     Deep Packet Inspection →
     • Pattern awareness (basic awareness) : pattern matching for attack detection (IPS, Anti-DDoS)
     • Content awareness : full content inspection (DLP, Anti-malware, URL filtering)
     • Application awareness, User awareness (NGFW)
     • Context awareness (NGIPS) : all of the awareness for security
  18. The Meaning of Next-gen. Security #3 - Hardened Security Management
     Hardened configuration features!!
     • Configuration : policy setting, automation
     • Information : mgmt. system, appliance, security policy
     • Monitoring : visualization, reporting
     • Detection, analysis, and blocking driven by context awareness
     Context awareness is the base of active control!
  19. The Future of Security Industry
     [Chart : product, management-system and service trends across 1990~, 2000~, 2010~, 2020~; the plotted values are not recoverable]
     • Product : modulization
     • Mgmt. system : ESM, SIEM
     • Service : consulting, MSS
     • Knowledge base per era : Virus DB (1990~), IPS DB (2000~), Application DB (2010~), Context DB (2020~)
  20. The most important thing for strategy is "Information",
      The most important thing for planning is "Insight",
      The most important thing for development is "Practical ability",
      The most important thing for business is "Timing",
      The most important thing for service is "Executive ability".
      The most important thing for outdoor activities is "Network",
      The most important thing for business practice is "Political power"!
      2013.02, By Claude Conrad