Unified Threat Management. Peter Theobald, CEO, IT Secure. Presentation at Sys Admin Workshop, IIT Kanpur, Oct 21, 2005
IIT Kanpur Sys Admin Workshop Quiz • When is “Sys Admin Appreciation Day”?
Sys Admins have a tough enough job already. • What about security threats? • How serious are they? • What is the most effective and cost-efficient way to handle them?
Current Trends • The speed and sophistication of cyber-attacks is dramatically increasing • Blended threats, hybrid attacks and automated tools have become popular and are easy to obtain • Critical infrastructure is dependent on the Internet, and threats are progressively more unpredictable • Security problems cost time, money and pain
[Figure: Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2004 (CERT chart). Attack sophistication rises from Low to High over the period while the technical knowledge an intruder needs falls, because attack tools do the work. Techniques plotted (listed here without their chart positions): password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, network mgmt. diagnostics, automated probes/scans, www attacks, denial of service, distributed attack tools, staged attacks, “stealth”/advanced scanning techniques, cross site scripting, auto coordinated tools.]
Vulnerability in Software • “99% of intrusions result from exploitation of known vulnerabilities” (Source: CERT, Carnegie Mellon University, 2001) • Cause: software vulnerabilities come from source code written without proper input checks and buffer handling • Threat: made possible by not applying patches to vulnerable machines and leaving those machines exposed on the network to outside threats • The recent Slammer worm exploited a SQL Server vulnerability for which a patch had been available since July 2002
E-mail Viruses • E-mail has become the primary means of distributing threats • Trojans are easy to deliver and install • HTML viruses run with no user intervention via webmail • E-mails with attachments containing macros, VB scripts, JavaScript and HTML scripts
File Based Threats • Example: Internet download • Sources of virus and malicious code infection: peer-to-peer, instant messaging apps, shareware sites, compromised servers, legitimate corporations, web-based email • These threats pass through stateful packet inspection firewalls • Once inside the network, other machines are easily infected
File Based Threats • Example: NetBIOS file transfers • Viruses can be uploaded to network drives • Once on the network drive, users can be affected • Nimda was a virus that attacked file servers and opened a hole that allowed a hacker to take control of the server
Buffer Overflow Application Attacks • Unpatched servers: Scob • Servers do not get up-to-date patches • Attacker sends malicious code through a buffer overflow • Program instructions are delivered to the victim’s computer for execution • Can also be used as a denial-of-service attack, causing the computer to crash • The server is infected • New users who access the server get infected
[Figure: Software Development Mistakes, a pie chart of vulnerability causes compiled from CERT Advisories and Security Focus. Categories: Buffer Overflows, Input Validation Error, Boundary Condition Error, Access Validation Error, Design Error, Failure to Handle Exceptional Conditions, Configuration Error, Format String, Integer Overflow, Double Free, Unknown, Others.]
MyTob Worm • Discovered on: February 26, 2005 • W32.Mytob@mm is a mass-mailing worm that propagates via network shares and through email • Uses its own SMTP engine to send email to addresses found on the local computer • Exploits the Microsoft Windows LSASS remote buffer overflow and RPC/DCOM vulnerabilities • Opens a back door into the affected computer • Protects itself by redirecting AV update sites to the local computer
Step 1: Arrives as an email or buffer overflow • Copies itself as %System%\msnmsgs.exe • Adds the value “MSN” = “msnmsgs.exe” to the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
• W32.Mytob@mm therefore runs every time Windows starts
Step 2: Loads itself into memory • Since the exe is now in startup, “msnmsgs.exe” is loaded into memory • The string “HELLBOT” by Diablo is clearly advertised to show who wrote the program
Step 3: Logs in to an IRC channel • Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667 • Advertises the host PC’s IP address • Listens for commands that allow the remote attacker to: download files, execute files, delete files, update the worm itself, get uptime information
Step 4: Generates potential targets and attacks them • Generates random IP addresses • Exploits the RPC/DCOM vulnerability, which allows the program to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service • Exploits the Windows LSASS vulnerability, a buffer overflow that allows remote code execution and enables a malicious user to gain full control of the affected system
Step 5: Uses its own SMTP server to send itself • Searches for email addresses in files on the local computer with these extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm • From: spoofed • Subject: one of hello, hi, error, status, Mail Transaction Failed, Mail Delivery System, SERVER REPORT, (No Subject), or random letters
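Added example, not part of the presentation: detection logic in Python for the indicators the five steps above give. It checks a registry export for the “MSN” = “msnmsgs.exe” Run-key value and a connection log for hosts reaching irc.blackcarder.net on TCP 6667 or fanning out to many distinct peers on one port (the footprint of random-IP target generation). The registry-export and log line formats, the sample hosts and the fan-out threshold are constructed assumptions.

```python
import re

# Indicators come from the slides: the dropped file, the "MSN" Run-key value and the
# IRC host/port. The registry-export and connection-log formats are constructed.
DROPPED_FILE = "msnmsgs.exe"
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
IRC_HOST, IRC_PORT = "irc.blackcarder.net", 6667
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>tcp|udp)$")

def scan_registry_export(text):
    """Return (key, value name) pairs under a Run key whose value launches the dropped file."""
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                     # new key section
        elif "=" in line and current_key and current_key.lower() in RUN_KEYS:
            name, _, value = line.partition("=")
            if DROPPED_FILE in value.lower():
                hits.append((current_key, name.strip('"')))
    return hits

def scan_connection_log(lines, fanout_threshold=20):
    """Flag hosts that reach the worm's IRC server (step 3) and hosts that fan out to
    many distinct peers on one port, the footprint of random-IP scanning (step 4)."""
    irc_hosts, peers = set(), {}
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue                                     # skip lines in another format
        src, dst, port = m["src"], m["dst"], int(m["port"])
        if m["proto"] == "tcp" and dst == IRC_HOST and port == IRC_PORT:
            irc_hosts.add(src)
        peers.setdefault((src, port), set()).add(dst)
    scanners = {src for (src, _), dsts in peers.items() if len(dsts) >= fanout_threshold}
    return {"irc": sorted(irc_hosts), "scanners": sorted(scanners)}

# Constructed samples: one infected host (10.0.0.5) and one clean host (10.0.0.9).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgs.exe"
"Updater"="C:\Program Files\Vendor\update.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgs.exe"
"""
SAMPLE_LOG = ["2005-02-26T10:00:00 10.0.0.5 -> irc.blackcarder.net:6667 tcp",
              "2005-02-26T10:00:01 10.0.0.9 -> 10.0.0.1:53 udp"] + [
    f"2005-02-26T10:01:{i:02d} 10.0.0.5 -> 192.0.2.{i}:445 tcp" for i in range(25)]
```

Run `scan_registry_export(SAMPLE_REG)` and `scan_connection_log(SAMPLE_LOG)` to see both detections fire on 10.0.0.5 only.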
What is Spyware/Adware? • Spyware is any software that uses a computer’s Internet access without the host’s knowledge or explicit permission • According to certain experts, approximately 90% of computers have some form of spyware • Aids in gathering information: browsing habits (sites visited, links clicked, etc.); data entered into forms (including account names, passwords, text of web forms and web-based email, etc.); keystrokes and work habits
Spyware Infection • A - Downloading programs: Kazaa, screensavers, Windows utilities, download managers, file-sharing software, demo software • B - Trojans that are delivered or downloaded in e-mail • C - Free, banner-ad-based software and pop-ups • D - The most notorious enabler of spyware is Microsoft’s ActiveX module
Today’s Aging Technology • Stateful Packet Inspection (SPI) provides only limited protection • Provides source / destination / state intelligence • Provides network address translation • Stateful firewalls cannot protect against threats that are application-layer, file or email based
Firewall Technology • Typical firewalls are effective for port blocking • If a port is open, it is assumed any data can pass • Intrusion detection is a “reactive” approach that does not actively protect • Security must be built on deep packet inspection and AV/anti-spyware/intrusion prevention with dynamic updates
The New Standard - UTM • Unified Threat Management • Integration of firewall, deep packet inspection, intrusion prevention for blocking network threats, anti-virus for blocking file-based threats, and anti-spyware for blocking spyware • Faster updates for the dynamically changing threat environment and elimination of false positives
Deep Packet Inspection - Unified Threat Management (PRO Series as a Prevention Solution: SonicWALL IPS/GAV with dynamic updates) • Zone-based security: protect internally, with DPI between the Dept Zone, Server Zone and User Zone • Gateway Anti-Virus: scan through unlimited file sizes, scan through unlimited connections, scan over more protocols than any similar solution • Anti-Spyware for protection against malicious programs: blocks the installation of spyware, blocks spyware that is emailed and sent internally • Application-layer threat protection: full protection from Trojan, worm, blended and polymorphic threats • Full L2-7 signature-based inspection • Application awareness • DPI = Intrusion Prevention / Gateway AV / Anti-Spyware
Our World View vs. Firewall View • Network communication, like email, file transfers and web sessions, is packetized • Traffic = multiple packets of information • One packet = header info and data • Typical user activity and typical network traffic (for example email) can carry hidden threats in the DATA portion of the packets [Figure: packets 1 to 4, each made of HEADER and DATA, moving along the firewall traffic path]
Stateful Packet Inspection • Stateful is limited inspection that can only block on ports. No data inspection! [Figure: one packet on the firewall traffic path. The stateful firewall inspects only the IP header (Version, Service, Total Length, ID, Flags, Fragment, TTL, Protocol, IP Checksum, Source IP Address, Destination IP Address, IP Options) and the UDP header (Source UDP Port, Destination UDP Port, UDP Length, UDP Checksum); the DATA that follows is not inspected. Values shown: Source 212.56.32.49, Destination 65.26.42.17, Source Port 823747, Dest Port 80, Sequence 2821 / 28474, IP Option none, state SYN.]
Deep Packet Inspection • Deep Packet Inspection inspects all traffic moving through a device: the IP header, the UDP header and the DATA are all compared against a signature database [Figure: the same packet layout, now marked INSPECT on both header and DATA, placed after stateful packet inspection on the firewall traffic path]. Signature database categories (number of signatures): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT (count not shown)
Deep Packet Inspection / Prevention • Every packet’s headers and DATA are compared with the signature database • Application attack, worm or Trojan found! • Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans [Figure: a stream of packets passing stateful packet inspection and then deep packet inspection on the firewall traffic path; the signature database categories are those listed on the previous slide]
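Added example, not from the presentation: the distinction the last few slides draw between stateful and deep packet inspection, in Python. A constructed IPv4/UDP datagram to port 80 passes the header-only check, and only a scan of DATA against a signature database catches the payload. The addresses and destination port are the ones in the slide figures; the signature patterns and categories are illustrative stand-ins, not real IPS signatures, and connection-state tracking is omitted.

```python
import struct

# Constructed signature database using two of the categories the slide lists; the
# patterns are illustrative stand-ins, not real IPS signatures.
SIGNATURES = {"WEB-ATTACKS": [b"/cgi-bin/../../", b"cmd.exe"],
              "BACKDOOR": [b"HELLBOT"]}
ALLOWED_PORTS = frozenset({80, 443})

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build an IPv4 header (no options, checksums left 0) + UDP header + DATA."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp

def parse(packet):
    """Split a datagram into the header fields a firewall looks at, plus DATA."""
    ihl = (packet[0] & 0x0F) * 4                       # IHL is in 32-bit words
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"proto": packet[9], "src": src, "dst": dst, "sport": sport,
            "dport": dport, "data": packet[ihl + 8:ihl + ulen]}

def stateful_verdict(pkt):
    """Stateful/port inspection: decides on header fields only, never on DATA."""
    return "allow" if pkt["dport"] in ALLOWED_PORTS else "drop"

def dpi_verdict(pkt, signatures=SIGNATURES):
    """Deep packet inspection: same header check, then DATA compared with signatures."""
    if stateful_verdict(pkt) == "drop":
        return "drop", None
    for category, patterns in signatures.items():
        if any(pat in pkt["data"] for pat in patterns):
            return "drop", category                      # attack found in the payload
    return "allow", None

if __name__ == "__main__":
    # Addresses and port 80 are the values shown in the slide figure.
    pkt = parse(build_ipv4_udp("212.56.32.49", "65.26.42.17", 8237, 80,
                               b"GET /cgi-bin/../../cmd.exe HTTP/1.0"))
    print("stateful:", stateful_verdict(pkt), "| dpi:", dpi_verdict(pkt))
```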
Gateway Anti-Virus and Content Control • Gateway Anti-Virus, Anti-Spyware and Content Inspection apply the same deep inspection to the file content carried in the packets • Virus file found in a download from an auction site! [Figure: packets passing stateful packet inspection and then deep packet inspection with gateway anti-virus / anti-spyware / content inspection on the firewall traffic path; the signature database categories are those listed on the Deep Packet Inspection slide]
Security Must Be Updated • The signature database behind deep packet inspection is made up of an AV database, an IPS database, a spyware database and a content filtering database • Each feeds its service: Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware and the Content Filtering Service [Figure: firewall traffic path with stateful packet inspection, deep packet inspection, content inspection and the four databases]
Value Innovation Philosophy • Affordable • Total Cost of Ownership • Simple • Easy to Install, Use & Manage • Powerful • Deep – Dynamic – Distributed
Unified Threat Management Appliance • Firewall • VPN • Basic bandwidth management • Gateway AV, Intrusion Prevention and Anti-spyware • Content Filtering • Reporting • Secure Wireless • High Availability appliance • ISP Load Balancing/Failover • Central Management
Dynamic Real-Time Protection • Dynamic real-time threat scanning engine at the gateway • Anti-Virus, Anti-Spyware and Intrusion Prevention • Protects against viruses, spyware, worms, Trojans and application vulnerabilities • External and internal protection • Reassembly-free engine • Scans and decompresses an unlimited number of files of unlimited size • Supports over 50 protocol types, including SMTP, IMAP and POP3 (email), HTTP (web), FTP (file transfer), peer-to-peer transfers, NetBIOS (intra-LAN transfers) and any stream-based protocol • Database updated by an expert signature team
The TZ Series is the ideal total security platform for small networks, providing a compelling blend of ease of use for basic networks and flexibility for more complex networks.
TZ 150 • Deep Packet Inspection Firewall • Supports up to 10 nodes • 4-port MDIX LAN Switch • 30 Days of IPS/AV/CFS
TZ 170 • Deep Packet Inspection Firewall • WorkPort • 5-port MDIX Switch • Upgrade to SonicOS Enhanced • 30 Days of IPS/AV/CFS
TZ 170 Wireless • Deep Packet Inspection Firewall • Wireless/Wired Security • 802.11b/g Radio • Upgrade to SonicOS Enhanced • 5-port MDIX Switch • 30 Days of IPS/AV/CFS
TZ 170 SP • Deep Packet Inspection Firewall • Failover/Failback • Analog Modem • Upgrade to SonicOS Enhanced • 5-port MDIX Switch • 30 Days of IPS/AV/CFS
TZ 170 SP Wireless • All the best features from each TZ 170 • Ships with SonicOS Enhanced! • 30 Days of IPS/AV/CFS
The PRO Series is a multi-service security platform for companies requiring rock-solid network protection coupled with fast, secure VPN access for remote employees.
PRO 1260 • Small networks up to 25 nodes • Deep Packet Inspection Engine • 30 Days of IPS/AV/CFS
PRO 2040 • Small-to-medium networks up to 200 nodes • Deep Packet Inspection Engine • Unlimited Nodes • 10 VPN Clients • 30 Days of IPS/AV/CFS
PRO 3060 • Businesses with complex networks • Deep Packet Inspection Engine • 6 User-defined Interfaces • Unlimited Nodes • 25 VPN Clients • 30 Days of IPS/AV/CFS
PRO 4060 • Businesses with complex network and VPN requirements • Deep Packet Inspection Engine • SonicOS Enhanced • 6 User-defined Interfaces • Unlimited Nodes • 1,000 VPN Clients • 1 Year of SonicWALL IPS
PRO 5060 • Medium-to-large enterprise networks requiring Gigabit performance • Copper & Copper/Fiber Versions • Deep Packet Inspection Engine • SonicOS Enhanced • 2,000 VPN Clients • 1 Year of SonicWALL IPS
The SonicOS Enhanced upgrade provides ISP failover, object-based management, policy-based NAT, 4+ interface support, and Distributed Wireless
Tactical Content Management • Forged email address and envelope • Fools the recipient into opening the message
Tactical Content Management • Image-only mails • How will text-based filters work?
Word and Token Manipulation • Manipulate text in email so keyword matching fails
Uniqueness Generation • Junk words • Random words
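Added example, not from the presentation: a small Python normalizer that undoes the word and token manipulation described on the last two slides (letters split by punctuation or spaces, digit and symbol substitutions, accented look-alikes) so that keyword matching works again. The keywords, messages and substitution table are constructed for the example.

```python
import re
import unicodedata

# Keywords and messages below are constructed for the example, not real spam samples.
KEYWORDS = {"viagra", "mortgage", "lottery"}
# Digit/symbol substitutions seen in manipulated tokens (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "$": "s", "@": "a", "|": "l"})
# A single letter, a run of separators, then another single letter: v.i.a.g.r.a, v i a g r a
SEP_BETWEEN_LETTERS = re.compile(r"\b(\w)[\s.\-_*]+(?=\w\b)")

def naive_match(text):
    """Plain keyword matching, which the slide says token manipulation defeats."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(KEYWORDS & words)

def normalize(text):
    """Undo the manipulations: strip accents, map leet substitutions, rejoin split letters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = text.translate(LEET)          # rewrites digits everywhere; a real filter would score
    prev = None
    while prev != text:                  # fold separators until nothing is left to fold
        prev, text = text, SEP_BETWEEN_LETTERS.sub(r"\1", text)
    return text

def normalized_match(text):
    """Keyword matching on the normalized text."""
    return naive_match(normalize(text))
```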