Corporate Security Issues and countering them using Unified Threat Management Systems and SSL VPN

Training on
Unified Threat Management Systems
& SSL VPN (SaaS)
By -
Amarjit Singh & RishabhDangwal
Tulip Telecom Ltd.

Objectives
Security awareness
Latest trends in security
Device Awareness
Saving the world before bedtime, without worries :P
The notion of providing Security as a Service

We as an ISP have a tough enough job already..But..
What about Security threats?
How serious are they?
Hackers are there..where are We ?
What is the most effective and cost efficient way to handle them?

Current Trends
Cyber-attacks are increasing in speed and sophistication exponentially
Blended threats, hybrid attacks and APT’s..
Getting automated tools is easy, increase in skid culture
Security costs money, Security problems cost money, time and lots of pain.

Intruders
Attack Sophistication vs. Intruder Technical Knowledge
Courtesy Emil on security
Auto Coordinated
Cross site scripting
“stealth” / advanced scanning techniques
High
Staged
packet spoofing
denial of service
distributed
attack tools
sniffers
Intruder
Knowledge
sweepers
www attacks
automated probes/scans
GUI
back doors
network mgmt. diagnostics
disabling audits
hijacking
sessions
burglaries
Attack
Sophistication
exploiting known vulnerabilities
password cracking
self-replicating code
password guessing
Low
2011
1980
1985
1990
1995

Software Vulnerabilities
“99% of intrusions result from exploitation of known vulnerabilities”
Source: 2001 CERT, Carnegie Mellon University
Cause: programming bugs, bad testers, short sighted development
Threat: lack of patches for the above
LizamoonSQLi exploited 1.5 million + hosts

E-mail Viruses
Primary medium for distributing threats
Trojans – Easy to create, quick to deliver, easy to install
HTML viruses on email
Innocent sounding Emails having malicious attachments containing:
Macros, VB scripts, java scripts and html scripts

File Based Threats
Example: Internet download
Viruses and malicious code infection:
P2P/Torrent
IM applications
Free software/shareware sites
Infected servers
Email
Threats bypass statefulpacket inspection firewalls
Once inside the network, others are easily affected

Further..
Unpatched servers are ticking bombs
Viruses uploaded to network drives
Remote exploitation possible
Nimda virus

And we have got Spyware..
Program that uses Internet without the User’s knowledge
Approximately 80% of computers have some form of Spyware (including corporate ones)
Spread using shareware, pop ups,p2p,shareware..the usual suspects
Gathering information:
Browsing habits (sites visited, links clicked, etc.)
Data entered into forms (including account names, passwords, text of Web forms and Web-based email, etc.)
Key stokes and work habits

Spam
Unsolicited Email
Multiple techniques to send mails
Spoof email address
Image only mail
Random text
Text merging
Token Manipulation
URL hiding
HTML Tag corruption
Increase False positives
Parse corruption
Metamorphic Spam Trojans
And much much more..
Leads to low productivity and server outages.

Network woes
Label spoofing
Core hiding
Replay attacks
Compromise of LIB
Access to LER
And other MPLS security issues..

Router abuse
TACACS+ forced session_id collisions
Sophisticated Packet body DOS
Boot iosmanipulation
Improper tcl scripts (if present)
External factors
SNMP compromise

And its just the Tip of Iceberg…(a.k.a Raising the Attack Standards by a Notch)
Sophisticated DOS (Network, application)
Advanced Persistent Threats
Smartphone Abuse
Certificate abuse (DigiNotar - PKIOverheid..)
Key abuse (RSA, anyone ?)
Kernel Rootkits/Bootkits

Obsolete Defenses
Firewalls work on port blocking strategy
Reactive approach
Stateful Packet Inspection (SPI) :
Provides source / destination / state intelligence
Provides NAT
Stateful firewalls cannot protect against multilayer threats
Is limited in nature

How TULIP can provide security ?
SaaS – Security as a Service
SSL-VPN
Unified Threat Management

What is SSL VPN TECHNOLOGY?
Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization’s resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks.
Concept - SSL VPN

The Landscape with SSL VPN

Why SSL VPN
SSL VPN solutions offer a flexible and highly secure way to extend network resources to virtually any remote user with access to the Internet and a web browser. Organizations can customize access and extend the reach of their corporate network to individuals based on their role, including the teleworker, contractor, or business partner.

Business challenge for EMS

The Landscape with Tulip Managed SSL

Complete Client-side Cleanup
Cleanup of end users system at end of session.
Configurable options of cache cleanup includes.
Cookies
Temporary Internet Files
Browser History
Visited URL’s
Downloaded Program Files
Cleanup all traces of users access and data downloaded at the end of session.

Authentication Mechanisms
Vast range of Authentication mechanisms to choose from
Supported Authentication mechanisms
Local Database
RADIUS
Active Directory (AD)
LDAP
RSA Secure ID
Certificate based Authentication.
Biometrics.
SMS
Two-Factor or Multi-Factor Authentication
Support for One Time Password (OTP) and Public Key Infrastructure (PKI) Tokens

End-point compliance
SSL VPN End-point security service
Check devices before & during session
Ensure device compliance with corporate policy
Remediate devices when needed
Cross platform support
Virus
No anti-virus installed
No personal firewall
User granted minimal access
No Anti-Virus Installed
Personal Firewall enabled
User remediated  install anti-virus
Once installed, user granted access
Airport Kiosk Mobile User
Home PC User
AV Real-Time Protection running
Personal Firewall Enabled
Virus Definitions Up To Date
User granted full access
Managed PC User

End Point Security & DLP

There are Three different access options with SSL VPN
PHAT : Private Hyper Access Transport
QAT : Quick Access Terminal
WAT : Web Access Terminal
Access options with SSL VPN

What is WAT
Web Access Terminal (WAT) is clientless access modes where user needs just a browser to establish SSL VPN connection. Using WAT user can access web applications such as Outlook Web Access (OWA), Intranet, Share Point, web-based databases, etc from any location like Airport kiosk, Cyber Café, etc.

What is PHAT
Private Hyper Access Transport (PHAT) is one of the modes to access the Virtual Private Network (VPN). It’s small footprint web deployed software that gets installed on user’s machine. PHAT client provide IPSec like functionality to give full access to network.

What is QAT
Quick Access Terminal (QAT) is an intermediate client between the PHAT Client and the WAT Client. The users can access TCP based client applications without installing PHAT on their machines. Once configured by the Administrator for a particular group, QAT is started from the web portal.
Access options with SSL VPN

Tunneling modes
Split tunnel: Application traffic targeted specifically for VPN subnets is routed over SSL VPN tunnel to SSL VPN-Plus Gateway. Rest of the traffic flows follows normal LAN path.
Full tunnel:All Application traffic is sent to SSL VPN-Plus Gateway over SSL VPN tunnel for routing. In this case, complete data from user’s machine can be monitored on SSL VPN-Plus Gateway. If local subnets are not excluded for user, the user won’t be able to access local LAN also.

Scenario 1Alternate Backup Link
SSL
Server
www
ADSL
Link
X
Primary
Link
Tulip IDC
Remote
Location
Tulip Connect
MPLS Backbone
ERP
Servers
Central Location

Scenario 2Instant Connectivity
Remote Customer
Location
Tulip Connect
Not yet Installed
Or getting delayed
(TNF)
SSL
Server
www
ADSL
Link
Primary
Link
Tulip IDC
Remote
Location
Tulip Connect
MPLS Backbone
Customer
Location Ready
ERP
Servers
Central Location
30

Scenario 3Extranet Connectivity
SSL
Server
www
Tulip IDC
Dealer
Locations
Primary
Link
Tulip Connect
MPLS Backbone
Remote
Location
ERP
Servers
Central Location
31

Scenario 4Enterprise Mobility
SSL
Server
www
Roaming Executives
Tulip IDC
User Moves
Out
Cyber Cafe
Primary
Link
Tulip Connect
MPLS Backbone
Remote
Location
User
ERP
Servers
Central Location
32

The New Standard - UTM
Unified Threat Management / eXtensible Threat Management
Integration of Firewall
Deep Packet Inspection
Intrusion Prevention for blocking network threats
Anti-Virus for blocking file based threats
Anti-Spyware for blocking Spyware
Faster updates to the dynamic changing threat environment and elimination of False Positives
Multilayered security
Inhouse / Multivendor Approach

Spans Through 6 layers of OSI model
QOS and ACL implementation
Application Specific Integrated Circuits (ASIC’s) Network and Coprocessors for dedicated tasks
Evolved security

Deep Packet Inspection- Unified Threat Mgt.
Zone based security
Protect internally
Gateway Anti-Virus
Scan through unlimited files sizes
Scan through unlimited connections
Scan over more protocols than any similar solution
Anti-Spyware for protection against malicious programs
Blocks the installation of spyware
Blocks Spyware that is emailed and sent internally
Applications Layer Threat Protection:
Full protection from Trojan, worm, blended and polymorphic threats
Full L2-7 signature- based inspection
Application awareness
PRO Series as a Prevention Solution
PS/GAV Dynamic Updates
DPI
DPI
DPI
DPI: Intrusion Prevention
/Gateway AV/ Anti-Spy
Server Zone
Dept Zone
User Zone
Diagram courtesy Sonicwall

Security Must Be Updated
Signature Database
ATTACK-RESPONSES 14BACKDOOR 58BAD-TRAFFIC 15DDOS 33DNS 19DOS 18EXPLOIT >35FINGER 13FTP 50ICMP 115Instant Messenger 25IMAP 16INFO 7Miscellaneous44MS-SQL 24MS-SQL/SMB 19MULTIMEDIA 6MYSQL 2NETBIOS 25NNTP 2ORACLE 25P2P 51POLICY 21POP2 4POP3 18RPC 124RSERVICES 13SCAN 25SMTP 23SNMP 17TELNET 14TFTP 9VIRUS 3WEB-ATTACKS 47WEB-CGI 312WEB-CLIENT
AV Database
IPS Database
Spy Database
Content
Filtering
Database
Stateful inspection deals with only port scanning, no data is examined.
Deep Packet Inspection with Intrusion Prevention can find and block, application vulnerabilities, worms or Trojans.
Content
Inspection
Stateful
PacketInspection
Anti-Virus
Content
Filtering Service
Deep
PacketInspection
Gateway
Anti-Virus
Anti-Spyware
Firewall Traffic Path
Diagram courtesy Sonicwall

The 10 Defense Layers to Fight Spam
High performance
Easily scalable
Image courtesy Sonicwall

Unified Threat Management Appliance
Content Filtering
Reporting & Reverse monitoring
Secure Wireless
High Availability - Appliance
ISP Load Balancing/Failover
Central Management
Secured MPLS by MSSP (and link termination)
Firewall
VPN
Basic bandwidth Management
Gateway AV, Intrusion Prevention and Anti-spyware
Modified for Router monitoring by combining with MSSP
Trusted Certificate Management

Deep , Dynamic, Real-Time Protection
Real time threat scanning engine at the gateway
AV/AS/IDS/IPS
Protection from: Viruses, spyware, worms, trojans, app vulnerabilities
External and Internal protection
Reassembly-free engine
Scans & decompresses unlimited number of files & file sizes
Supports over 80 protocol types including
SMTP, IMAP, POP3 Email, HTTP – Web, FTP – File Transfer
Peer to Peer Transfers, NetBios – Intra LAN Transfers, any stream-based protocol
Updateable database by an expert signature team
DOS protection from 22 types of DOS attacks
Application DOS prevention using EPS monitoring
MSSP convergenace

Value Innovation Philosophy
Affordable
Reduces the Total cost of ownership
Simple
Unified AIO solution and easy to manage
Powerful
Integrated-Realitime-Dynamic

Thank You.

Questions ?

http://www.theprohack.com	237
http://www.amarjit.info	229
http://feeds.feedburner.com	43
http://www.bonenjeu.com	31
http://www.feedblitz.com	5
http://translate.googleusercontent.com	3
http://dtunnel.com	3
https://polysolve.com	2
http://cache.baidu.com	2
http://www.fnsecure.in	1
http://anonymouse.org	1
http://unblockbypass.com	1
http://fnsecure.blogspot.com	1
http://fnsecure.blogspot.com	1
https://schoolfreezone.com	1
https://schoolfreezone.com	1
http://centralcomputing.blogspot.com	1
http://webcache.googleusercontent.com	1

Corporate Security Issues and countering them using Unified Threat Management Systems and SSL VPN

by Rishabh Dangwal on Sep 09, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

18 Embeds 564

Statistics

Corporate Security Issues and countering them using Unified Threat Management Systems and SSL VPN — Presentation Transcript