Event - Internet Thailand - Total Security Perimeters

My 6-hour presentation slides from the Internet Thailand customer summit in 2005.

Published in: Technology

    1. Symantec Enterprise Security: Securing your business against network intrusions
       Somyos Udomnilobon, Sales Engineer - Thailand
    2. Symantec Corporation
       • Our promise: "Pure confidence for individuals and enterprises in a connected world"
       • Over $1 billion in revenue
       • Approx. 4,000 employees
       • 37 countries worldwide
       • Over 100 million users
       (diagram labels: Technology, Services, Response)
    4. Symantec Enterprise Security Solution
       (diagram: Vulnerability Management, Firewall/VPN, Intrusion Detection, Virus Protection, Client Security, Managed Security Services, Education Services, Response and Support, Gateway Security, Security Infrastructure Management)
    5. Agenda
       • Why is security a business concern?
       • Security threats and how to protect against them
       • Wrap-up
    6. Why is security a concern?
    7. Security Challenges
       • Protect information which you must openly share
       • Ever-changing infrastructure technologies
       • Increased connectivity leads to increased complexity
       • The need to implement strong controls that are transparent to end users
       • Apply security without jeopardizing performance and availability
       • Reduced costs
       • Increasingly difficult to stay on top of all the new features in applications and operating systems
       • More work with fewer people to do it
    8. The Business Reasons
       • Two main business drivers
         • Increased revenue
         • Increased profitability
       • Three main security drivers
         • An increasingly open and connected architecture leads to increased vulnerability to attacks
         • If an attack happens, the results can be catastrophic
         • The damage per incident is much greater
    9. Security is a Business Issue
       • Availability: interruption of services
       • Confidentiality: disclosure of information
       • Integrity: corruption of data
       (diagram labels: aim point, effect points)
    10. Why the Security Problem is Hard to Fix: Where's the sweet spot?
    11. The Lifecycle Security Model: Key to Success
       • Identify systems and assets on the network and identify critical vulnerability points
       • Define and document an organizational security policy
       • Identify changes to network infrastructure and compliance with policies
    12. Strategic Business Risks: Regulatory Action, Corporate Liability, Indirect Costs, Loss of Customer Confidence
    13. Cyber-Security Is Now a Boardroom and a Legislative Concern
       • Estimated 2001 global cost from breaches: tens to hundreds of billions of dollars
       • 2001 projected US losses: 2.7% of US GDP
       Source: Internetweek 2002
    14. Security Critical to e-Business Success
       (chart: importance of security in e-business solution decision criteria; source: IDC)
    15. Soaring Costs and Security Breaches
       Source: survey of 538 computer security professionals conducted by the Computer Security Institute (CSI) and the US Federal Bureau of Investigation (FBI).
    16. Evolving Security Threats: Will Your Perimeter Security Stop Them?
    17. Threat Evolution
       (chart: number of known threats, viruses vs. network intrusions, scale up to 70,000; milestones: Polymorphic Viruses (Tequila), Blended Threats (Code Red, Nimda), Denial-of-Service (Yahoo!, eBay), Mass Mailer Viruses (Love Letter/Melissa), Zombies; source: Symantec)
    18. (chart; source: CERT, Carnegie Mellon University, http://www.cert.org/stats/; label: > 99%)
    19. Average Reported Losses (2000 CSI/FBI Computer Crime and Security Survey)
       (chart; categories: Unauthorized Insider Access, Theft of Proprietary Information, Outside System Penetration, Financial Fraud, Sabotage and Denial of Services; reported averages: $1.1M+, $1.0M+, $617,000, $536,000, $172,000)
    21. Democratization of Hacking
       • Over 30,000 hacking-oriented sites
       • Original hacker ethic is dead
       • No longer need to be a guru
       • Ability to download click-and-hack programs and scripts
       • Advent of "hacktivism" as a method for social protest
    22. The Hacking Methodology
       • Internet footprinting
       • Scanning and landscape discovery
       • Enumerating
       • Penetrating
       • Pillage
       • Get interactive
       • Expand influence
    23. Internet Footprinting
       • Review public information (examples: www.asic.com.au or www.netcraft.com)
       • "Whois" enumeration (domain names and networks)
       • DNS interrogation (nslookup)
       • Network reconnaissance (registry and IP block lookup): ARIN, APNIC, RIPE
       • Traceroute, ping
       • BGP (Border Gateway Protocol) (find more addresses)
    24. Scanning and Landscape Discovery
       • Ping sweep (what hosts respond)
       • Port scanning (what ports are open)
       • Banner grabbing (what services are running)
       • OS guessing (what OS and vulnerabilities are inherent)
       • Build a detailed picture of the target network (web servers and other DMZ hosts are the most common target)
    25. Half Time
       • Up to this point everything was pretty much below the radar.
       • Mostly public information or normal network operation.
       • From this point onwards things get serious!
    26. Host Enumeration
       • The hacker is looking to obtain detailed information: user details and machine details.
       • Domain names, membership and trust relationships
       • SNMP and LDAP (mostly for usernames)
       • MAC addresses
       • Special services or daemons
       • The aim is to get a full understanding of the roles and functions of each host in the target network.
    27. Penetrate (take ownership)
       • Choose the right host to attack.
       • Guessing username and password combinations.
       • Taking SAM and password files for cracking (DumpSEC).
       • Use known accounts such as ArcServe, Tivoli, BackupExec.
       • Default passwords are largely left unchanged.
    28. Escalating Your Rights
       • Root or Administrator equivalent is the target here.
       • Many tools are available for this: GetAdmin, SecHole, PipeUpAdmin, etc.
       • Microsoft NT/2000 Resource Kit (believe it or not!)
    29. Pillage
       • The compromised system becomes a staging point to penetrate the rest of the network.
       • Preparations are made for further penetration.
       • Multiple entry points are created for later re-entry.
       • Tracks are covered (log files erased or, better yet, modified).
       • SAM and password files are downloaded.
    30. Get Interactive
       • Gain an interactive command shell on the target machine.
       • Move the admin tools (crack tools) onto other systems and into inconspicuous places.
       • From here the process of footprinting etc. starts again.
    31. Expanding Influence
       • Attacking the internal network and extending your reach.
       • Using the first machine as a staging point.
       • Preparations are made for future operations.
       • Trojans, remote control apps, hijacking tools, Streams, Auditpol, BO2K, etc.
       • "Hacking ROOT is a way of life..."
    32. Exploiting Buffer Overflow
       • Common UNIX attack to gain complete access
       • Buffer overflows exploit software bugs that cause a program to overwrite segments of memory
       • New buffer overflows continue to be discovered
       (diagram: user input larger than the input buffer overflows into the program area)
    33. Denial of Service (DoS)
       • TCP/IP exploits
         • Ping of death: sending oversized (>64k) ICMP echo packets to a vulnerable system
         • "Drop" attacks: teardrop, syndrop, boink
         • SYN flood
         • LAND
         • Process table flooding through network services
    34. Denial of Service Example: LAND Attack
       (diagram: a spoofed IP packet addressed to the Unix server itself is sent back to itself again and again until the server crashes)
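The two malformed-packet patterns on slides 33 and 34 (LAND and ping of death) are easy to recognise on the wire, which is how a firewall or IDS blocks them. The following Python checker is an added example, not code from the deck; the `Packet` record and the sample packets are constructed, not captured traffic.

```python
"""Detect two of the malformed-packet DoS patterns named on the slides:
LAND (source address and port identical to destination address and port)
and ping of death (a fragmented ICMP echo whose reassembled datagram would
exceed 65,535 bytes). Added example; packet records are constructed."""
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, headers included


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    src_port: int = 0          # 0 for ICMP
    dst_port: int = 0
    flags: str = ""            # TCP flag letters, e.g. "S" for SYN
    frag_id: int = 0           # IP identification field, shared by fragments
    frag_offset: int = 0       # fragment offset in bytes (header field * 8)
    payload_len: int = 0       # bytes of payload carried by this fragment
    more_frags: bool = False


def is_land(p: Packet) -> bool:
    """LAND: a spoofed SYN whose source equals its destination, so the
    victim keeps answering itself."""
    return (p.proto == "tcp" and "S" in p.flags
            and p.src_ip == p.dst_ip and p.src_port == p.dst_port)


class FragmentTracker:
    """Tracks the highest byte offset seen per ICMP datagram and reports
    when reassembly would exceed the IPv4 maximum size."""

    def __init__(self) -> None:
        self._extent = defaultdict(int)  # (src, dst, id) -> highest byte

    def check(self, p: Packet) -> bool:
        if p.proto != "icmp":
            return False
        key = (p.src_ip, p.dst_ip, p.frag_id)
        end = p.frag_offset + p.payload_len
        self._extent[key] = max(self._extent[key], end)
        # 20 bytes of IP header plus the data laid out by the offsets
        return 20 + self._extent[key] > MAX_IP_DATAGRAM


def classify(p: Packet, tracker: FragmentTracker) -> Optional[str]:
    if is_land(p):
        return "LAND"
    if tracker.check(p):
        return "PING_OF_DEATH"
    return None


def scan(packets):
    """Return (index, verdict) for every packet that matches a pattern."""
    tracker = FragmentTracker()
    hits = []
    for i, p in enumerate(packets):
        verdict = classify(p, tracker)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample: a normal SYN, a LAND packet, a normal ping, and a
# two-fragment ICMP echo whose last fragment lands past 65,535 bytes.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", "tcp", 40000, 80, "S"),
    Packet("10.0.0.1", "10.0.0.1", "tcp", 139, 139, "S"),
    Packet("10.0.0.5", "10.0.0.1", "icmp", frag_id=1, payload_len=64),
    Packet("10.0.0.9", "10.0.0.1", "icmp", frag_id=7, frag_offset=0,
           payload_len=1480, more_frags=True),
    Packet("10.0.0.9", "10.0.0.1", "icmp", frag_id=7, frag_offset=65120,
           payload_len=400, more_frags=False),
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE):
        print(f"packet {idx}: {verdict}")
```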
    35. Distributed DoS: The Internet Meltdown
       • The following sites were attacked:
         • Yahoo: 10:20 a.m. 2/7/00 PST, 3.0 hours
         • Buy.com: 10:50 a.m. 2/8/00 PST, 3.0 hours
         • eBay: 3:20 p.m. 2/8/00 PST, 1.5 hours
         • CNN.com: 4:00 p.m. 2/8/00 PST, 1.8 hours
         • Amazon.com: 5:00 p.m. 2/8/00 PST, 1.0 hour
         • ZDNet: 6:45 a.m. 2/9/00 PST, 3.0 hours
         • E*Trade: 5:00 a.m. 2/9/00 PST, 1.5 hours
         • Datek: 6:35 a.m. 2/9/00 PST, 0.5 hours
       • Many other sites rumored to have been attacked
    36. Distributed DoS
       • Represents a new level of attack
       • Use of multiple, sometimes compromised, systems to launch attacks
         • known as "zombies"
         • attackers looked for machines with large pipes to the Internet
       • Upon receipt of a remote command, zombies simultaneously flood the target with packets
       • Attacks included Trin00, Tribal Flood Network (TFN), and Stacheldraht
    38. The New "Integrated Threats": Nimda Worm Example
       • A security threat or attack that uses multiple methods to propagate
       • Nimda: $500M+; Code Red: $2.5B
       (diagram: Internet, firewall, mail gateway, web servers, mail server, file server, workstations; infection via email and via web page)
    39. Rapid, Multiple Ways to Spread: Nimda Worm Example
       1. Worm arrives by email; it uses a MIME exploit to execute by just reading or previewing the file. Infected systems use the worm's own SMTP server to send emails to others.
       2. Users visiting compromised web servers are prompted to download an infected file containing the worm as an attachment.
       (diagram as on slide 38)
    40. Just "Any" Firewall Won't Be Effective: Nimda Worm Example
       3. Infected systems scan for unpatched IIS servers, then use the Unicode Web Traversal exploit to gain control of the target server. Embedded commands/messages create non-RFC-compliant HTTP packets. Creates DoS with outbound traffic.
       4. Nimda scans for and attacks hard disks with file sharing enabled, creates an open network share and a guest account with admin privileges.
       (diagram as on slide 38)
    41. Nimda: 2.2M Systems Infected in 3 Days!
       1. Infection of web servers via "Code Red-type" attack
       (diagram: remote user, enterprise, file server, workstation, web server, mail server, laptop, firewall)
    42. Nimda: 2.2M Systems Infected in 3 Days!
       2. Infection via email
       (diagram as on slide 41)
    43. Nimda: 2.2M Systems Infected in 3 Days!
       3. Infection via web browsing
       (diagram as on slide 41)
    44. Nimda: 2.2M Systems Infected in 3 Days!
       4. Infection via shared drives
       (diagram as on slide 41)
    45. Nimda: 2.2M Systems Infected in 3 Days!
       5. And infection of other files on each infected computer through traditional viral methods
       (diagram as on slide 41)
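Step 3 of the Nimda sequence (slide 40) relies on a web server decoding "overlong" UTF-8 escapes into path separators, so a naive check for `../` in the request never sees the traversal. The Python detector below is an added example, not code from the deck: it decodes request paths the lenient way the vulnerable server did, catches a doubly-encoded variant as well, and leaves genuine two-byte UTF-8 alone. The log lines and their field layout are constructed.

```python
"""Flag web requests that use the overlong-UTF-8 ("Unicode") directory
traversal Nimda used against unpatched IIS. Added example; log lines are
constructed. The decoder deliberately mimics the lenient server: a 2-byte
sequence is accepted even when it is overlong or its second byte is not a
valid continuation byte, which is why %c0%af and %c1%1c become '/' and '\\'."""
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
TRAVERSAL = re.compile(r"\.\.[\\/]")   # ".." followed by a path separator


def _percent_to_bytes(s: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(s[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def lenient_decode(raw: bytes) -> str:
    """Decode like the flawed server: any 0xC0-0xDF lead byte plus one more
    byte yields ((lead & 0x1F) << 6) | (next & 0x3F), with no check that the
    result could have been written as a single byte."""
    chars = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars)


def naive_check(url: str) -> bool:
    """What a pattern match on the raw request sees: nothing."""
    return "../" in url or "..\\" in url


def traversal_form(url: str):
    """Return the decoded form in which a parent-directory step first
    appears (after one or two decoding rounds), or None if the request is
    clean. The second round catches %25-encoded ("double") escapes."""
    text = url
    for _ in range(2):
        text = lenient_decode(_percent_to_bytes(text))
        if TRAVERSAL.search(text):
            return text
    return None


def scan_log(lines):
    """Return (line_no, decoded_path) for suspicious requests. Constructed
    log format: client-ip method uri-stem status."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        form = traversal_form(parts[2])
        if form is not None:
            hits.append((n, form))
    return hits


# Constructed sample log: two overlong escapes, one double-encoded escape,
# and one legitimate two-byte UTF-8 character (%c3%a9 = 'é').
SAMPLE_LOG = [
    "10.1.1.4 GET /default.htm 200",
    "10.1.1.9 GET /scripts/..%c0%af..%c0%afwinnt/win.ini 200",
    "10.1.1.9 GET /msadc/..%c1%1c..%c1%1cwinnt/win.ini 200",
    "10.1.1.2 GET /images/logo.gif 304",
    "10.1.1.9 GET /scripts/..%255c..%255cwinnt/win.ini 404",
    "10.1.1.3 GET /docs/caf%c3%a9.htm 200",
]

if __name__ == "__main__":
    for n, form in scan_log(SAMPLE_LOG):
        print(f"line {n}: {form}")
```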
    46. Example Blended Threat Incident
       Blended threats use worms, email and application vulnerabilities, and network shares to gain control of systems.
       (diagram: blended threat spreading across many systems)
    47. A Blended Threat Example: Code Red
       • We're no longer talking about thousands of machines launching an attack, but potentially tens of millions
       (chart: Code Red epidemiology)
    54. Web Site Defacements
       (chart; source: attrition.org)
    55. Security Requires Defense in Depth
       (network diagram: hacker on the Internet; firewall; web server; groupware, database and file servers; telecommuters and modems; customers, partners, branch office, wireless device)
    56. Let's take a break
    57. Securing your business: how to protect your network against intrusion?
    58. Vulnerability Management - Scan
       (network diagram as on slide 55, with "Probe for vulnerabilities" from both the Internet side and the internal side)
    59. Vulnerability Management
       If you know where you are vulnerable and the risk these vulnerabilities pose to your organization, efficient steps can be taken to proactively close the vulnerabilities and mitigate the risk to an acceptable level.
    60. Vulnerability Management: How secure are we?
    61. Host vs. Network
       • Host-based assessment
         • Inside-in view
         • Views systems from a local privileged-account perspective
         • High-level summaries to convey status
         • Scheduled, safe, minimal impact to the network, unobtrusive to end users
       • Network-based assessment
         • Outside-in view
         • Views the network from an external "hacker" perspective
         • Provides no insight into user activity risks
         • Tests critical network devices that do not run host software: routers, switches, printers, appliances, and firewalls
       • KEY = hybrid, integrated approach
    62. ESM: inside-in; NetRecon: outside-in
    63. ESM: assess and comply
       (diagram: actual environment assessed by ESM for compliance with policy, standards, procedures, guidelines and practices)
    64. Firewall - Multi-tier Approach
       (network diagram as on slide 55)
    65. Firewall Types
       • Many types and vendors present in the market
       • Most commercial firewalls mix characteristics from several firewall technologies
       • Four basic types:
         • Packet filtering
         • Dynamic packet filtering
         • Circuit-level gateway
         • Stateful inspection (multilayer)
         • Application gateway
         • Air gap
    66. Firewall Types: Packet Filtering
       • Very basic firewall approach
       • Often employed on simple routers or Layer 3 switches
       • Examines incoming/outgoing IP packets and decides to accept/deny based on:
         • Source/destination IP address
         • Source/destination TCP/UDP port numbers
       • Only looks at the IP packet header, not the data payload
    67. Packet Filtering Rules
       • Below are a few sample rules for telnet, SMTP, FTP, NNTP, HTTP, and SSL
       • Packet filters process rules in order
    68. Simple Packet Filter
       • Standard IP router with packet filter rules defined
         • Combines routing with packet filtering
         • Filter rules based on Data Link, IP, UDP, and TCP headers (standard and custom rules)
       • Disadvantages
         • Inspects packets in isolation; does not maintain state information
         • Limited handling of complex policies
         • Susceptible to application-layer attacks
    69. Firewall Types - Circuit-level Gateway
       • Looks at the TCP handshaking process
       • Allows creation of authorized connections, but does not monitor data traffic over those connections
       • Keeps records of active authorized connections, and allows network traffic only over those connections
    70. Firewall Types - Stateful Inspection
       • Higher level of security and complexity than a packet filter
       • Examines the IP header and data payload to verify the packet is part of an authorized previous connection
       • Can also provide network address translation (NAT) services, or circuit- and application-level filtering (present in multilayer stateful inspection)
    71. Stateful Packet Filter
       • Stateful packet filter
         • Maintains state information on connections
         • Tracks open, valid connections without reprocessing the rule set
         • Scales easily
         • Can implement complex policies
         • Extensive logging and alarm functions
         • Easy-to-use interface
       • Disadvantages
         • Susceptibility to application-layer attacks
         • Lacks user authentication control
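Slides 67, 68 and 71 make three points that are easiest to see side by side: packet filters apply rules in order, a stateless filter judges each packet in isolation, and a stateful filter admits replies only for connections it saw open. The Python model below is an added example (not the deck's code): the addresses, ports and rule sets are constructed, and it shows a forged "reply" that the stateless rule set lets through while the stateful one drops it.

```python
"""Ordered-rule packet filter, stateless and stateful, modelled on the
slides' description. Added example; rules and addresses are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters: "S" SYN, "A" ACK, "SA" SYN-ACK


def _in(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR, or "any"
    dst: str
    dport: range       # destination port range
    flags: str = ""    # flag letters that must all be set; "" = any

    def matches(self, p: Pkt) -> bool:
        return (_in(p.src, self.src) and _in(p.dst, self.dst)
                and p.dport in self.dport
                and all(f in p.flags for f in self.flags))


INTERNAL = "192.168.1.0/24"
HIGH = range(1024, 65536)

# A stateless filter must admit *anything* that looks like a reply to an
# allowed outbound connection (rule 3); the final rule is the default deny.
STATELESS_RULES = [
    Rule("allow", INTERNAL, "any", range(80, 81), "S"),    # outbound HTTP
    Rule("allow", INTERNAL, "any", range(25, 26), "S"),    # outbound SMTP
    Rule("allow", "any", INTERNAL, HIGH, "A"),             # "replies": ACK set
    Rule("deny", "any", "any", range(0, 65536)),           # default deny
]
# The stateful filter needs no reply rule at all.
STATEFUL_RULES = [STATELESS_RULES[0], STATELESS_RULES[1], STATELESS_RULES[3]]


class StatelessFilter:
    def __init__(self, rules):
        self.rules = rules

    def decide(self, p: Pkt) -> str:
        for r in self.rules:        # first match wins, so order matters
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Only new connections consult the rule set; everything else is
    admitted solely on the strength of the connection table."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, p: Pkt) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.table:   # known reply
            return "allow"
        if (p.src, p.sport, p.dst, p.dport) in self.table:   # known forward
            return "allow"
        if "S" in p.flags and "A" not in p.flags:            # new connection
            verdict = super().decide(p)
            if verdict == "allow":
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        return "deny"   # mid-stream packet with no connection behind it


def demo():
    """Client opens HTTP outbound, server replies, then an outsider sends a
    forged ACK from port 80 to an internal high port it never talked to."""
    client = Pkt("192.168.1.10", 40000, "203.0.113.5", 80, "S")
    reply = Pkt("203.0.113.5", 80, "192.168.1.10", 40000, "SA")
    probe = Pkt("198.51.100.7", 80, "192.168.1.20", 1434, "A")
    sl, sf = StatelessFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": (sl.decide(client), sl.decide(reply), sl.decide(probe)),
        "stateful": (sf.decide(client), sf.decide(reply), sf.decide(probe)),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```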
    64. 72. Firewall types – Application Gateway <ul><li>Screens packets based on whether the application they serve is allowed </li></ul><ul><li>Also acts as an application proxy (no direct connection between host and remote computers) </li></ul><ul><li>Considered by many to be most secure </li></ul>Can also be added
    65. 73. Full Application Inspection <ul><li>Uses a set of application-level proxies </li></ul><ul><ul><li>Protects against common attacks (buffer overflows, back door commands, and information leakage) </li></ul></ul><ul><ul><li>One per application—FTP, SMTP, HTTP, … </li></ul></ul><ul><li>Proxy protection </li></ul><ul><ul><li>Allow or disallow initial connection request </li></ul></ul><ul><ul><li>Enforces strong or weak user authentication </li></ul></ul><ul><ul><li>Acts as an intermediary, maintains dual opposing connections between endpoints </li></ul></ul><ul><ul><li>Inspects entire data stream during the session </li></ul></ul><ul><ul><li>Can rewrite IP addresses—Hides internal network identity </li></ul></ul><ul><ul><li>Detailed logging for analysis and data forensics </li></ul></ul>Client Server Proxy Client Server Logical connection
    66. 74. Hybrid Firewall <ul><li>Driven by the need to combine security, flexibility, and performance , hybrid firewalls provide protection at all the layers of the network stack </li></ul><ul><ul><li>Application proxy protection provides maximum security and granularity by scanning traffic at the application layer! </li></ul></ul><ul><ul><li>Stateful filtering protection provides authentication and maintains session state for performance and ease of management </li></ul></ul><ul><ul><li>Packet filtering protection prevents denied traffic from consuming valuable resources on the system </li></ul></ul>
    67. 75. Number of vulnerabilities Level of security
    68. 76. Firewall Types – Pro and Con <ul><li>Packet filter </li></ul><ul><ul><li>Pro: low performance impact, low-cost </li></ul></ul><ul><ul><li>Con: incomplete security, easy to fool </li></ul></ul><ul><li>Circuit-level gateway </li></ul><ul><ul><li>Pro: higher security than packet filter </li></ul></ul><ul><ul><li>Con: does not evaluate packet data content for established connections </li></ul></ul><ul><li>Stateful inspection </li></ul><ul><ul><li>Pro: combination of speed and security </li></ul></ul><ul><ul><li>Con: does not provide complete protocol analysis of packets – lower security </li></ul></ul><ul><li>Application Gateway </li></ul><ul><ul><li>Pro: highest security </li></ul></ul><ul><ul><li>Con: performance hit if not designed right </li></ul></ul>
    69. 77. Deployment Example Desktops Public Web Servers Telecommuters Customers & Partners Servers VelociRaptor Router Corporate Network Partner Web Servers Branch Office Central Administrator Internet
    70. 78. VPN - Office-to-office and Client Firewall Groupware Servers Database Servers File Servers Customers Partners Branch Office Wireless Device Web Server Telecommuters Modems
    71. 79. Virtual Private Network (VPN) <ul><li>Securely extends the corporate network to branch offices, telecommuters, and partners </li></ul><ul><ul><li>Reduces telecommunication costs associated with leased lines and 800-dialup lines </li></ul></ul><ul><ul><li>Provides data confidentiality, data integrity, and authentication services </li></ul></ul>Partners/ Contractors Remote offices Telecommuters Internet VPN Device VPN Device Private VPN Device
    72. 80. VPN (Cont.) <ul><li>Available as an integrated cross-grade to the firewall, or stand-alone </li></ul><ul><ul><li>Symantec Enterprise Firewall with VPN </li></ul></ul><ul><ul><li>Symantec Enterprise VPN </li></ul></ul><ul><li>Build on-top of the award winning Symantec Enterprise Firewall architecture </li></ul><ul><ul><li>System and network level hardening </li></ul></ul><ul><ul><li>Proxy-Secured Technology </li></ul></ul><ul><ul><ul><li>Extends full inspection protection and user authentication to VPN Tunnel Traffic! </li></ul></ul></ul><ul><li>ICSA Certified for interoperability with other vendors </li></ul><ul><ul><li>Used by ICSA as a standard product to validate new products </li></ul></ul><ul><li>Export classification for 3DES/DES </li></ul><ul><ul><li>Exportable outside North America with proper paperwork </li></ul></ul>
    73. 81. VPN (Cont.) <ul><li>Full support for IPSec standards </li></ul><ul><ul><li>Encapsulation Security Payload (ESP) </li></ul></ul><ul><ul><li>Authentication Header (AH) </li></ul></ul><ul><ul><li>Internet Security Association Key Management Protocol (ISAKMP) </li></ul></ul><ul><ul><li>Internet Key Exchange (IKE) </li></ul></ul><ul><li>Gateway-to-Gateway VPN </li></ul><ul><ul><li>Shared key authentication and PKI support </li></ul></ul><ul><ul><li>Supports DNS names in tunnel definition </li></ul></ul><ul><ul><li>Compatible with Symantec Firewall/VPN and VelociRaptor 1.1 appliances, and MOST IPSec compliant servers </li></ul></ul><ul><ul><li>Active connection display </li></ul></ul><ul><li>Client-to-Gateway VPN </li></ul><ul><ul><li>Includes Symantec Enterprise VPN Client with Personal Firewall </li></ul></ul><ul><ul><li>Supports user authentication using shared secret key </li></ul></ul>
    74. 82. VPN (Cont.) <ul><li>Dynamic Tunnel </li></ul><ul><ul><li>Internet Key Exchange (IKE) </li></ul></ul><ul><ul><li>Main mode, Aggressive mode, and Quick Mode support </li></ul></ul><ul><ul><li>3DES/SHA1, DES/MD5, Shared Secret </li></ul></ul><ul><li>Static Tunnels </li></ul><ul><ul><li>ESP/AH </li></ul></ul><ul><ul><li>3DES/SHA1, DES/MD5 </li></ul></ul><ul><li>Public Key Infrastructure Support </li></ul><ul><ul><li>Entrust-ready! </li></ul></ul><ul><li>VPN Tunnel Wizards for easy administration </li></ul>
    75. 83. VPN Deployment Scenarios Public Servers Symantec Enterprise Firewall Router Symantec Enterprise VPN Public Servers Symantec Enterprise Firewall With VPN Router Internal Network Public Servers Symantec Enterprise Firewall Router Internal Network Symantec Enterprise VPN Internal Network Internet Internet Internet
    76. 84. Personal Firewall with Client VPN Web FTP Telnet SQLNet Other Attacker Internal network VPN User without firewall Internet Personal Firewall Web FTP Telnet SQLNet Other VPN User with firewall
    77. 85. Anti-virus - Multi-tier Approach Firewall Groupware Servers Database Servers File Servers Customers Partners Branch Office Wireless Device Web Server Telecommuters Modems AV AV AV AV AV AV AV AV AV AV AV
    78. 86. Virus Evolution Mass Mailer Viruses (LoveLetter/Melissa) Remote Control Trojan (NetBus) Polymorphic Viruses (Tequila) PDA Virus (Palm Liberty) Macro Viruses Source: Symantec Number of Known Viruses
    79. 87. Virus Protection <ul><ul><li>Use anti-viral and content scanning software with automated signature updating </li></ul></ul><ul><ul><ul><li>desktop </li></ul></ul></ul><ul><ul><ul><li>e-mail server </li></ul></ul></ul><ul><ul><ul><li>firewall </li></ul></ul></ul><ul><ul><li>Apply latest patches </li></ul></ul><ul><ul><ul><li>e-mail (e.g., Outlook) </li></ul></ul></ul><ul><ul><ul><li>browser </li></ul></ul></ul><ul><ul><ul><li>O/S </li></ul></ul></ul><ul><ul><li>Don’t double click blindly on attachments </li></ul></ul><ul><ul><li>Use higher levels of browser security </li></ul></ul>r
    80. 88. Symantec Multi-tier Virus Protection Gateway/ Firewall Gateways: Solaris Win NT/2000 Firewalls: Solaris Win NT/2000 Server Win NT/2000 NetWare MS Exchange Lotus Notes AIX OS/390 OS/400 OS/2 Desktop Win9x/NT/2000/WinME DOS/Win16 OS/2 Macintosh
    81. 89. Digital Immune System – Automated Response Bloodhound Heuristics <ul><li>Looks for suspicious viral activity </li></ul><ul><li>Local Quarantine </li></ul><ul><li>Alert Administrator </li></ul>Central Quarantine <ul><li>Central virus repository </li></ul><ul><li>Content stripping </li></ul><ul><li>Sample submission (Internet) </li></ul><ul><li>Definition retrieval/deployment </li></ul><ul><li>Real-time status </li></ul>Immune System Gateways <ul><li>Scalable architecture to handle </li></ul><ul><li>flood conditions </li></ul><ul><li>Clearing house </li></ul>Symantec AntiVirus Response Automation <ul><li>Automatic analysis </li></ul><ul><li>Generates cures for </li></ul><ul><li>90% of all submissions </li></ul>Symantec Security Response <ul><li>USA </li></ul><ul><li>Europe </li></ul><ul><li>Japan </li></ul><ul><li>Australia </li></ul>
    82. 90. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    83. 91. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    84. 92. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    85. 93. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    86. 94. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    87. 95. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Network Attached Storage (NAS) Devices </li></ul>
    88. 96. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    89. 97. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    90. 98. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    91. 99. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    92. 100. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    93. 101. Symantec AntiVirus Scan Engine 3.0 <ul><li>Working with Content Caching Devices </li></ul>
    94. 102. Content Filtering - Block unwanted content Firewall CF E-mail servers Groupware Servers Database Servers File Servers Customers Partners Branch Office Wireless Device Web Server Telecommuters Modems
    95. 103. Detect Intruders Firewall Groupware Servers Database Servers File Servers Customers Partners Branch Office Wireless Device Web Server Telecommuters Modems Hacker IDS
    96. 104. Definitions <ul><li>Security Assessment </li></ul><ul><ul><li>“ How Secure Are We?” </li></ul></ul><ul><ul><li>Security posture </li></ul></ul><ul><ul><li>Identification of vulnerabilities </li></ul></ul><ul><ul><li>Conformity to policy </li></ul></ul><ul><ul><li>Efficacy of policy </li></ul></ul><ul><li>Intrusion Detection </li></ul><ul><ul><li>“ Are we under attack?” </li></ul></ul><ul><ul><li>Real-time threat detection </li></ul></ul><ul><ul><li>Response Scenarios – Automating Countermeasures </li></ul></ul><ul><ul><li>Updated threat Library </li></ul></ul>Inspecting the Locks Alarm System
    97. 105. Definitions <ul><li>Intrusion Detection </li></ul><ul><ul><li>“ Are we under attack?” </li></ul></ul><ul><ul><li>Real-time threat detection </li></ul></ul><ul><ul><li>Response Scenarios – Automating Countermeasures </li></ul></ul><ul><ul><li>Updated threat Library </li></ul></ul>Alarm System
    98. 106. Why Intrusion Detection? <ul><li>VPN/Firewalls </li></ul><ul><ul><li>provide perimeter access controls </li></ul></ul><ul><ul><li>doesn’t block all traffic </li></ul></ul><ul><ul><li>doesn’t stop social engineering </li></ul></ul><ul><ul><li>doesn’t prevent modem access </li></ul></ul><ul><ul><li>doesn’t monitor once passed </li></ul></ul><ul><ul><li>doesn’t prevent internal attack </li></ul></ul><ul><li>Scanners: Good & Bad </li></ul><ul><ul><li>offer action plan and measurement </li></ul></ul><ul><ul><li>requires resources to fix holes </li></ul></ul><ul><ul><li>holes open while fixing others </li></ul></ul><ul><ul><li>doesn’t address co-specific apps </li></ul></ul><ul><ul><li>impacts network throughput </li></ul></ul>
    99. 107. Consider These Questions <ul><li>Can I Detect? </li></ul><ul><ul><li>an intrusion as it occurs across my entire network? </li></ul></ul><ul><li>Can I React? </li></ul><ul><ul><li>with sufficient speed to minimize loss? </li></ul></ul><ul><li>Can I Identify? </li></ul><ul><ul><li>what systems and data were compromised? </li></ul></ul><ul><li>What is my risk of loss if I can’t? </li></ul>
    100. 108. <ul><li>(Network) Monitors network traffic in real-time </li></ul><ul><ul><li>Able to record and terminate sessions including modifying Firewall policy to prevent subsequent access </li></ul></ul><ul><li>(Host) Continuously monitors servers for misuse, malicious actions or policy abuse </li></ul><ul><ul><li>Analyzes system and application event logs and system calls including the ability to prevent data access and theft </li></ul></ul><ul><li>Attack / breach alerting, response and reporting </li></ul><ul><li>Complements existing countermeasures </li></ul><ul><ul><li>Co-exists Firewalls, scanners, access controls, audit logs </li></ul></ul><ul><ul><li>No impact on network performance </li></ul></ul>Intrusion Detection offers
    101. 109. Network IDS Complements Firewalls <ul><li>While Firewalls and VPNs offer perimeter and access controls - internal, remote and even authenticated users can attempt probing, misuse or malicious acts. </li></ul><ul><li>“ But we have a Firewall….” </li></ul><ul><ul><li>Pass-through traffic... </li></ul></ul><ul><ul><li>Mis-configuration… </li></ul></ul><ul><ul><li>Social engineering… </li></ul></ul><ul><ul><li>Internal abuse… </li></ul></ul><ul><ul><li>Internal sabotage… </li></ul></ul><ul><ul><li>Modem… </li></ul></ul> 
    102. 110. Layered Security - Reduces Network Risk
    103. 111. Login screen or Trojan Horse? G. Mark Hardy
    104. 112. Surprise! G. Mark Hardy
    105. 113. Intruder Alert - Warning!!! NT Logon Replaced
    106. 114. Host vs. Network IDS You Need Both!
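The "NT Logon Replaced" alert on the preceding slides is the kind of finding a host IDS produces by comparing monitored files against a trusted baseline. The following is an added example, not code from the deck or from any Symantec product: a minimal file-integrity check that builds a baseline of hashes and reports files that were replaced or removed. The file names (logon.exe, helper.dll) and the temporary directory are constructed for the demonstration and stand in for real system binaries.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the trusted hash of every monitored file (taken on a clean system)."""
    return {p: sha256_file(p) for p in paths}

def check_integrity(baseline):
    """Compare current files with the baseline; return (alert_kind, path) pairs."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(("MISSING", path))
        elif sha256_file(path) != expected:
            alerts.append(("REPLACED", path))
    return alerts

def demo():
    """Constructed scenario in a temp dir: baseline a stand-in logon binary,
    then swap it for a different file and delete a helper, as a trojan would."""
    d = tempfile.mkdtemp()
    logon = os.path.join(d, "logon.exe")    # hypothetical name, not a real system file
    helper = os.path.join(d, "helper.dll")  # hypothetical name
    with open(logon, "wb") as f:
        f.write(b"GENUINE LOGON BINARY (constructed)")
    with open(helper, "wb") as f:
        f.write(b"GENUINE HELPER (constructed)")
    baseline = build_baseline([logon, helper])
    clean = check_integrity(baseline)       # [] on the untouched system
    with open(logon, "wb") as f:
        f.write(b"TROJANIZED LOGON BINARY (constructed)")
    os.remove(helper)
    return clean, check_integrity(baseline)

if __name__ == "__main__":
    clean, alerts = demo()
    print("clean run:", clean)
    for kind, path in alerts:
        print(f"ALERT {kind}: {path}")      # e.g. "ALERT REPLACED: .../logon.exe"
```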
    107. 115. Network and Host IDS Partnership (diagram labels: Internet, Network IDS, Host IDS)
    - Phase 1: Discover & Map
      - Automated Scanning & Probing
    - Phase 2: Penetrate Perimeter
      - Denial of Service
      - Spoofing
      - Protocol exploits
      - Web appl. attack
    - Phase 3: Attack/Control Resources
      - Password attacks
      - Privilege grabbing
      - Theft
      - Audit trail tampering
      - Admin. changes
      - Vandalism
      - Trojan horses
    108. 116. IDS Strengths
    - Can be added to existing environment
    - Does not require application or heavy system changes
    - Detects attacks in real-time
    - Responds to attacks
    - Alerts you to attacks while they are happening
    - Can assist in tracking down culprit
    109. 117. IDS Limitations
    - No better at detecting attacks than the signatures or rules that drive it
    - Will not catch everything
    - Cannot block all attacks
    - Does not replace need for firewall, authentication, or access controls
    - Need to be careful that IDS does not cause Denial of Service
    - Sometimes difficult to trace back to culprit
    - Too many rules can cause performance problems
    - Too many alarms can cause real problems to be lost in the noise
    110. 118. Why Traditional Network IDS Products Fall Short
    - Products Focused on Aging Technology
      - Standalone, single segment architecture
      - Limited capability for high speed network detection
      - Resource / time intensive manual event correlation
      - Generate high numbers of false positives
      - Limited response and attack mitigation capabilities
    111. 119. Behaviour-based IDS Deployment (Symantec ManHunt): backplane options include 4 GigE or 10 10/100 Mbps interfaces
    112. 120. ManHunt Data Flow
    113. 121. Deception-based IDS Deployment (Symantec ManTrap)
    114. 122. Deep Deception Deployment
    115. 123. Web Access Management (diagram labels: Firewall; E-mail servers, Groupware Servers, Database Servers, File Servers, Web Server; Customers, Partners, Branch Office, Wireless Device, Telecommuters, Modems)
    116. 124. Traditional Web Access Management (diagram labels: Web Users & Internet, Hacker, Firewall; Service Network (DMZ) with Web Servers & Content; Secure (Trusted) Network with Application Servers, each with its own Auth. DB and DB)
    117. 125. Secure Web Access Management (diagram labels: Web Users & Internet, Firewall; Service Network (DMZ) with Proxy Server and Web Servers & Content; Secure (Trusted) Network with Central Management Server and Authentication Mechanism(s): NT Auth Agent, LDAP Auth Agent, PKI Auth Agent, Other Auth Agents)
    118. 126. Authentication
    - Username/password most common
      - can be stolen or frequently cracked
      - use SSL or similar web technology
    - Two-factor authentication is stronger
      - hardware token, smartcard, etc.
      - soft token, digital certificate
      - biometric
    119. 127. Public Key Infrastructure (PKI)
    - Plays a critical role in supporting services for
      - confidentiality
      - integrity
      - authentication
      - non-repudiation
    - PKI has three major elements
      - certificate authority (CA)
      - repository or directory (X.500, LDAP)
      - registration authority (RA)
    - PKIX standards define how PKI talks to the CA; most vendors are implementing them
    120. 128. PKI Security
    - Components likely to be hacker targets
      - create fraudulent certificates
      - steal copies of private keys
      - prevent revocation of certificates
    - Certificate Practice Statement (CPS)
      - defines operational practices to maintain the required level of PKI security
      - RFC 2527: draft IETF guidelines for a CPS
    121. 129. PKI Security
    - Secure CA and repository
      - Locked, alarmed room
      - Run on hardened O/S (e.g., HP VirtualVault)
      - Scan with vulnerability assessment tools
      - Network segment behind dedicated firewall
      - Pass only LDAP and PKIX CMP traffic
      - Firewall between CA and repository if digital signatures rather than physical are used
      - Use IDS on network segment and hosts
    - Require two-factor authentication for RA PCs
    122. 130. Enterprise Security Management (diagram labels: Security Management Console with Policy Management, Incident Management, Logging, Reporting, Alerting, Updates; controls: Anti-Virus, Firewall, Content Filtering, Vulnerability Management, Web Access Management, Intrusion Detection; assets: Web Gateways, Mail Gateways, Mail Servers, File Servers, Remote Users, Desktops)
    123. 131. How to implement in our system?
    124. 132. Current State of the Security Market: Multi-Tier; Multi-Vendor (diagram tiers: Client, Server, Gateway)
    125. 133. New Category – Integrated Security (tiers: Client, Server, Gateway)
    - Client Security
      - Virus Protection
      - Content Filtering
      - Firewall
      - Intrusion Detection
    - Server Security
      - Virus Protection
      - Content Filtering
      - Vulnerability Mgmt.
      - Intrusion Detection
    - Gateway Security
      - Virus Protection
      - Content Filtering
      - Firewall
      - Intrusion Detection
    126. 134. Gaining the edge
    - Achieve preventive security through policy compliance and vulnerability management and reduce business risk!!
    127. 135. Step 1: Building a Security Policy (diagram: Corporate Security Policy pyramid of Policy, Standards, and Procedures, Guidelines & Practices; the policy is the mandate to implement security, the standard to measure security, and the basis for all security technology and procedures)
    128. 136. Build your own security policy? (diagram: the same Policy / Standards / Procedures, Guidelines & Practices pyramid alongside Government Regulations: FFIEC – 12 CFR 364, COPPA, FDA C6, HIPAA, GLBA, EUDPD, HIPAA Security & Privacy Rule (HIPAA still in progress), OCC, OTS, FFIEC, FDIC, FRB, NCUA, SEC – 17 CFR 248, FTC – 16 CFR 313, CC, BITS, TSSIT)
    129. 137. Step 2: Implement Security Policy (Corporate Security Policy split into Physical Security and Logical Security)
    - Physical Security
      - Physical Access
        - Perimeter
        - Facility
        - Network
        - Printers etc.
      - Business Continuity Planning
      - Disaster Recovery
      - Personnel Background Checks
        - Employees
        - Contractors
        - Vendors etc.
      - Due Diligence
        - Vendors & Service Providers
      - Investigations & Forensics
      - …
    - Logical Security
      - Logical Access Administration
        - Authentication
        - Authorization
        - Accountability
      - System Configurations
        - Auditing
        - Event Logs
        - Default Rules
      - Directory & File System Protections
        - Confidentiality
        - Integrity
        - Backups
      - Change Management
      - …
    130. 138. Implementing Logical Security (diagram, steps 1–6: Corporate Security Policy, Logical Security, Guidelines/Standards, Compliance Checking, Bring Systems into Compliance)
    131. 139. Certification and/or Attestation (diagram labels: Compliance Checking, Bring Systems into Compliance; BS7799, ISO17799, SAS70, Safe Harbor, SysTrust, WebTrust, HIPAA Security)
    132. 140. ESM: assess and comply (diagram: ESM compliance checks the Actual Environment against Policy, Standards, and Procedures, Guidelines & Practices)
    133. 141. How to Stop an Integrated Threat (Nimda Worm Example; diagram: Internet, Mail Gateway, Mail Server, Web Server, File Server and Workstations infected via e-mail and via web page)
    - Anti Virus
      - Blocks known viruses & worms
      - Scan and inspect all SMTP, HTTP and FTP
      - Detects worm infection
      - Repairs infected files
    - Firewalls
      - Full inspection FW to block all non-RFC compliant traffic
      - Full inspection FW to block outbound server-initiated traffic
      - Full inspection FW to block specific exploits & log activity
    - Intrusion Detection
      - Detects directory traversal exploit traffic
      - Detects probing, specific intrusions & DOS attacks
      - Logs can identify systems compromised
      - Take action – block traffic
    - Vulnerability Management
      - Server software to identify patches not installed, weak security settings and unneeded services running
    134. 142. Multiple Defenses Work The Best (Nimda Worm Example diagram repeated: Anti Virus, Firewalls, Intrusion Detection and Vulnerability Management layered across Internet, Mail Gateway, Mail Server, Web Server, File Server and Workstations infected via e-mail and via web page)
    135. 143. Typical Perimeter Threats (diagram: Hacker / Cracker on the Internet facing Firewall, Mail Gateway, Mail Server, Web Server, File Server and Workstations infected via e-mail)
    - Threats: Probing, Back-door attacks, DOS attacks, IP spoofing attacks, Theft, Sabotage, Web defacement, Macro Virus (WM32), Mobile Code (Melissa)
    - Firewall: Block specific exploits; Direct & inspect traffic
    - AV on gw, servers, ws: Block known exploits via SMTP protocol; Detect & clean files
    - Network IDS: Detect attacks; Alert / Log
    136. 144. Changing the Game: Next – Vertical Integration of Network Tiers
    - Security Applications
      - Gateway Security: Virus Protection, Content Filtering, Firewall, Vulnerability Mgt., Intrusion Detection
      - Server Security: Virus Protection, Content Filtering, Vulnerability Mgt., Intrusion Detection
      - Client Security: Virus Protection, Content Filtering, Firewall, Vulnerability Mgt., Intrusion Detection
    - Common Management: Incident Management, Policy Management, Security Management
    137. 145. Symantec Security Management System
    - Security Applications
      - Client Security: Virus Protection, Content Filtering, Firewall, Intrusion Detection
      - Gateway Security: Virus Protection, Content Filtering, Firewall, Intrusion Detection
      - Server Security: Virus Protection, Content Filtering, Vulnerability Mgmt., Intrusion Detection
    - Security Management: Event Management, Configuration Management, Incident Management, Third Party Collectors, Third Party Relays
    138. 146. Symantec Security Management System
    - Vision Statement:
    - Provide the customer with a holistic view of the security posture of their enterprise.
    139. 147. Customer case studies
    140. 149. Symantec is winning at the Gateway!
    141. 150. Success Story: CarrierScan Server in Yahoo Environment (components: User, Web Server, CarrierScan Servers (CSS), SMTP server)
    1. User sends file to HTML-based e-mail system
    2. Passed to CGI script, which sends it to CSS
    3. CSS scans file and finds and cleans virus
    4. File returned to web server
    5. CGI forwards e-mail to SMTP server
    Note: 1M to 1.2M e-mails sent/received per day
    142. 151. Customer Success Stories
    143. 152. Wrap Up
    144. 153. Wrap-up
    145. 154. Thank you Somyos Udomnilobon [email_address] (662)627-9051
