1. McAfee and Georgia State University: Taking Aim at Network Intruders With IntruShield’s Intrusion Prevention System
   Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator; Bill Boyle, Product Line Executive, Network Security

2. Today’s Agenda
   - A Little Background Info
   - Bad Guys are Getting Smarter
   - IntruShield, Not a Panacea (But Close)
   - One Size Does Not Fit All (Child Domains)
   - Application of Sigs – Not For the Faint of Heart
   - Leveraging Stateful Firewall
   - Unidirectionally Blocking P2P
   - Hypercommunicate
   - Dealing with: “The FW Broke It”
   - McAfee IntruShield Architecture
   - Network Class Hardware
   Copyright GSU, eFortresses, March 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3. A Little Background Info
   - GSU’s information security program launched in 2000 w/one staff member (now have three)
   - Decentralized information technology environment – success through tools, governance, & cooperation/collaboration w/stakeholders
   - Information Security Department & Office of Disbursements recommended for ISO 27001 Certification by BSI in 2008 (incrementally expanding the scope)

4. Bad Guys are Getting Smarter
   - 2004 – Phishing
   - 2008 – Spear Phishing (highly targeted/sophisticated)
   - 2004 – BOTs easy to find via monitoring IRC channels
   - 2008 – Command/control w/common ports & encryption
   - 2004 – Exploits targeting OS vulnerabilities & some Apps
   - 2008 – Exponential growth in exploits targeting Apps
   - 2004 – Users had to click on a link to obtain malware
   - 2008 – Downloaders via compromised “legitimate” sites are killing us

5. IntruShield, Not a Panacea (But Close)
   - IntruShield 4000 Appliance deployed in August of 2004 on the perimeter (a lot of questions/uncertainty)
   - Advantages of IPS (Intrusion Prevention System) as opposed to traditional FW technologies
   - Lessons Learned & Best Practices
     - One size does not fit all (unique policies for different colleges/departments)
     - Incremental application of signatures w/change management & change control
     - Leveraging stateful firewall in conjunction w/signatures
     - Success with unidirectionally blocking P2P
     - Hypercommunicate – reporting, change management & control
     - Dealing with: “it’s gotta be the FW”
6. One Size Does Not Fit All (Child Domains)

7. Application of Sigs – Not For the Faint of Heart
   - Incremental Approach
   - Change Management & Control
   - Tie Filtration Back to Policy
   - Beware of Complacency
   - No mods after Wednesday @ 3:00 PM
   - Which Direction?

8. Leveraging Stateful Firewall
   - The “Nuclear Option” for Colleges & Departments
   - Protection for System IP(s) that process “confidential” information (HIPAA, FERPA, Visa PCI…)

9. Unidirectionally Blocking P2P
   - February 2006 – wireless networks on verge of collapse due to ubiquitous P2P traffic & inordinate amount of copyright infringement notifications – referenced Server Registration Policy & blocked outbound traffic
   - Totally blocked for areas that process “confidential” information

10. Hypercommunicate!
   - Daily Attack Reports to IT Managers – Outbound High & Medium Attacks – increased awareness spawned filtration requests & disciplinary action
   - Monday afternoon change management/change control meetings
   - Monthly Information Technology Security and Support Subcommittee (ITSSS) meetings
   - Email broadcasts – Example: system-wide notification for remote access filtration (SSH, IRC, pcAnywhere, Remote Desktop Protocol, VNC…)

11. Dealing with: “The Firewall Broke It”
   80% of the “The Firewall Broke It” issues are quickly disproved via a VPN session or by generating an IntruShield report. Other options include punching a “really big hole” or placing IntruShield in fiber bypass mode.
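As an added example (not code from the deck, from GSU or from McAfee), the two routine checks the Hypercommunicate and “The Firewall Broke It” slides describe, run over a constructed alert export: a per-department daily report of outbound High/Medium alerts, and a lookup of whether the IPS actually blocked anything to or from a host that a user says the firewall broke. The CSV columns, the department subnets and the sample rows are assumptions for illustration, not an IntruShield Manager export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample alert export (assumed columns; not a real IntruShield Manager format).
SAMPLE_ALERTS = """\
time,severity,direction,src_ip,dst_ip,attack,action
2007-03-05 09:12:01,High,Outbound,10.10.4.23,198.51.100.7,IRC Bot C&C,Blocked
2007-03-05 09:15:44,Medium,Outbound,10.10.4.23,203.0.113.9,P2P Client Handshake,Blocked
2007-03-05 09:20:10,Low,Outbound,10.20.1.5,203.0.113.9,P2P Client Handshake,Alert
2007-03-05 10:02:33,High,Inbound,198.51.100.7,10.20.1.5,SSH Brute Force,Blocked
2007-03-05 10:45:19,Medium,Outbound,10.20.1.77,192.0.2.50,HTTP Downloader,Alert
"""

# Constructed child-domain map: which college/department owns which subnet (assumed).
DEPARTMENTS = {
    "College of Arts": ipaddress.ip_network("10.10.0.0/16"),
    "Disbursements": ipaddress.ip_network("10.20.0.0/16"),
}

def department_of(ip):
    """Map a source address to the department (child domain) that owns it."""
    addr = ipaddress.ip_address(ip)
    for name, net in DEPARTMENTS.items():
        if addr in net:
            return name
    return "Unassigned"

def parse_alerts(text):
    """Read the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def outbound_report(alerts, severities=("High", "Medium")):
    """Daily report: outbound High/Medium alerts grouped by the owning department."""
    report = defaultdict(list)
    for a in alerts:
        if a["direction"] == "Outbound" and a["severity"] in severities:
            report[department_of(a["src_ip"])].append(a)
    return dict(report)

def ips_touched_host(alerts, host_ip):
    """'The firewall broke it' triage: blocks where this host is source or destination."""
    return [a for a in alerts
            if a["action"] == "Blocked" and host_ip in (a["src_ip"], a["dst_ip"])]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for dept, hits in outbound_report(alerts).items():
        print(f"{dept}: {len(hits)} outbound High/Medium alert(s)")
    print("Blocks involving 10.20.1.5:", len(ips_touched_host(alerts, "10.20.1.5")))
```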
12. McAfee IntruShield Architecture
   (diagram labels: Real Events Are Found In Real-Time; Set and Forget; Short Learning Curve; Easy To Use; Network Class; Accurate; Decrease Risk; Decrease Exposure; Decrease OpEx; IntruShield 30,000 to 30)

13. Network Class Hardware

14. Network Class Hardware (chart)
   (chart labels: segments SMB & Branch Office, Enterprise Perimeter, Enterprise Core, Service Providers; throughputs 100Mbps, 200Mbps, 600Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps; models I-1200, I-1400, I-2700, I-3000, I-4000, I-4010, M-6050, M-8000; Performance, Scalability and Connectivity)

15. McAfee IntruShield Architecture (repeat of slide 12)

16. Powerful Alert Analysis

17. IntruShield’s Collaborative Security Infrastructure
   - Integration with McAfee NAC
     - Behavior-driven host quarantine and Dynamic NAC for real-time post-admission control of managed and un-managed hosts
   - Integration with ePO
     - Faster time-to-protection/time-to-resolution with real-time visibility of system host details, top Host IPS attacks & AV/spyware events
   - Integration with Foundstone
     - Real-time Risk-Aware IPS with on-demand threat relevancy and Foundstone ‘scan now’ functionality
   (diagram labels: McAfee IntruShield, McAfee ePO, McAfee ToPS Enterprise, McAfee Foundstone)
18. ePO Host Details in ISM

19. ePO Host Details in ISM (continued)

20. Integration with IntruShield = Risk-Aware IPS
   IntruShield Alert Viewer provides alert & risk relevancy, based on Foundstone scan data (Risk-Aware Intrusion Prevention).

21. Foundstone Integration

22. McAfee IntruShield Architecture (repeat of slide 12)

23. Questions?
   - Tammy Clark – tlclark@gsu.edu
   - Bill Boyle – william_boyle@mcafee.com
   - William Monahan – wmonahan@gsu.edu