Zscaler Web Security Services
Your Name, Contact Info
August 2009
Zscaler Proprietary & Confidential

Zscaler: The Leader in Cloud Security
Singular Focus: Secure, fast and policy-based Internet experience from any place, on any device
Zscaler Services
Benefits
• Twice the functionality at half the price
• Mitigate business risk
• Improved Resource Utilization

Web 2.0 Challenges: Security, Bandwidth & More…
• Managed Access
  • Web 1.0: URL Filtering; static list (almost); allow or block
  • Web 2.0 – User created content: Social Sites, Streaming, Webmail, IM
  • Traditional URL Filtering is Not Effective
• Data Leakage
  • Web 1.0: Read Only; No DLP
  • Web 2.0: Users can send and post content; DLP: Blogs, Webmail, IM
  • Data Leakage Risk Up
• Security Threats
  • Web 1.0: Viruses, Worms (signature)
  • Web 2.0: Botnets, XSS, Active Content, Phishing; can't be detected with signatures
  • Web 2.0 is Rendering Traditional Anti-virus Useless
• Bandwidth Issues
  • Web 1.0: No bandwidth issues: HTML pages
  • Web 2.0: Streaming & P2P; bandwidth hungry apps (last mile)
  • New Network QoS Issues
• Mobile Devices, Road Warrior: Losing ability to enforce policy
[Diagram: Enterprise Users, Public Internet]
Enterprises are struggling to deal with web-related issues

Traditional Appliances: Don't Help with New Challenges
[Diagram: HQ Users behind a stack of appliances, marked "Already installed" and "Customers want this and don't have": Caching + URL; Botnets + Malware; Data Leakage; Web 2.0 Control (Webmail, IM); Bandwidth Control; AV. Also shown: Directory, Web Logs, Consolidated Reporting??, Remote Office(s)]
• Road Warrior, Mobile User: Bypass appliances & policy (VPN???)
Buy, install & maintain water cleaning kit in each home?
• Acquisition & deployment Cost: X boxes
• On-going Management Cost: Multiple UI/policies, log files
Current point products are expensive, inefficient and incomplete

Zscaler Service: Secure, Fast & Policy-based Access to Internet
[Diagram: HQ Users, Remote Office(s), Road Warrior and Mobile User reach the Internet through the Zscaler Utility (Manage, Comply, Analyze, Secure). The appliance stack (Caching + URL; Botnets + Malware; Data Leakage; Web 2.0 Control for Webmail, IM; Bandwidth Control; AV; Directory; Web Logs; Consolidated Reporting??) is labelled "Appliances have limited functionality"; Road Warrior: Bypass appliances & policy (VPN???)]
• IT admin defines your company policy
• Inspect & enforce policy
• Forward Internet-bound traffic to Zscaler service
• CLEAN traffic to user
• Inspect web pages being returned for security
• No Acquisition Cost, No Deployment Cost, Little on-going management
• Annual Subscription Fee
Let Utility clean the water
Free IT from Operational Security chores: Managing boxes
Enable IT to focus on Strategic Security: Policy & Architecture

Functionality: Comprehensive, Integrated, Best-of-Breed
Eliminates the need to buy multiple point products; Reduces cost
• Web 2.0 Applications
• Web 2.0 Control
• Bandwidth Optimization
• URL Filtering
• Safe Browsing
• Web Access Controls
• Data Loss Prevention
• Advanced Threats Protection
• Forensics & Data Mining
• Anti-Virus & Anti-Spyware
Zscaler Global Network

Zscaler: Five Key Game Changing Technologies
• IntelliSpect™
  • Ultra fast content (body) scanning
  • Detect malicious content, Data Leakage, Classify URLs
• Page Risk Index
  • Dynamically computed
  • Better fraud prevention
• NanoLog™
  • 50:1 Log reduction
  • Real-time consolidation
  • Trans-level drill-down
• 10 Gbps Platform - Latency in Micro-secs
  • 64-bit Architecture, Zscaler TCP stack, drivers; SSMA™ (Single Scan Multi Action)
• Distributed Network, Multi-tenant Architecture
  • Deliver ultra-low latency, & High Reliability

Zscaler Global Distributed Network
• Central Authority: Brain/Nervous system, Policy, Updates, Health of the Cloud
• NanoLog: Logs from all locations go to NanoLog (real-time consolidated reporting)
• Enforcement Nodes (EN1, EN2, EN3): Onramps to Internet, Traffic processing, Policy execution
• When a user moves from city A to city B, the policy follows the user and traffic is directed to the nearest EN
Delivers Rapid Response Time (ultra-low latency) & High Reliability

Zscaler Global Network
Delivers Rapid Response Time & High Reliability
[Map of data center locations; legend: Production, Coming Shortly]
Moscow, London, Toronto, Brussels, Beijing, Chicago, Frankfurt, Fremont, Paris, DC, Tokyo, Monterey, Atlanta, Tel Aviv, Hong Kong, Mumbai, Mexico City, Dubai, Singapore, Bogota, Sao Paulo, Adelaide, Johannesburg, Buenos Aires

Experts' Vote of Confidence in Zscaler
"Chaudhry has a great track record of anticipating the [emerging, new] market."
"With data centers distributed worldwide, Zscaler has done an excellent job building a scalable infrastructure to support customers without a noticeable performance hit."
"We are glad to partner with Zscaler to provide comprehensive functionality using their SaaS model to deliver higher value and greater ROI."
Zscaler has received many prestigious awards/recognitions:

Zscaler Summary
Increase Security & Productivity While Reducing Costs
• Global Distributed Architecture
  • SaaS based, highly scalable and reliable model
  • Global policy – single policy follows user
• Compliance & Real-Time Reporting
  • Consolidated reporting and tracking in real-time
  • Centralized management with application-based policies
• Cost Savings
  • No appliance and software related costs
  • Operational expense vs. Capital expense
• Simplicity
  • Eliminates complex point solutions
  • Easy to deploy and manage policies
• Security
  • Integrated, Comprehensive & On-demand Web 2.0 threat protection

Key Features of Reporting & Analysis
1. Slice the data by relevant fields
2. Filter the data you want to see
  • Filter by time and type of data displayed
  • Unique ability to analyze from 3 fronts
3. Choose how to view data
  • Cumulative data or Comparative trends
  • Change graph type or Zoom in
  • Choose what to see & what to hide
4. Drill down
  • Within a section, see more detail
5. Save
  • Save as a PDF to email or print
  • Save as a Favorite
6. Schedule Reports
  • Schedule regular emailed reports

Zscaler Secure
Challenge:
“Anti-virus on HTTP gateway is a must but not enough. Inspect for bots, active content threats and more.”
“Malware is found on 60% of the top 100 sites. All new malware has a web component.”
Solution: By performing full content inspection with ultra-low latency, Zscaler detects and protects against newer threats & vulnerabilities.
SECURE
• Advanced Threats
  • Botnets, malicious active content, XSS, etc.
  • Requires full inspection of content (Request & Response) which traditional proxies can’t do due to latency
  • Zscaler high-speed scanning enables this unique protection.
• Safe Browsing
  • Browsers are exploited to infect computers
  • Enforce policies by allowing safe browsers to go to the Internet
  • Policy by browser version, patch level, plug-in and apps.
• Anti-virus/Anti-Spyware
  • Just like SMTP, AV is needed on HTTP channel
  • Traditionally, AV adds latency
  • Zscaler AV solution is fast and comprehensive
  • Signatures are always up to date (Cloud model)
• AV/AS solution with ultra-low latency & at low TCO
• Mitigate security risks caused by newer Web 2.0 threats
• Mitigate security risks caused by unsafe browsers
• Reduce security risk with least effort (centrally configured)

Zscaler Manage
Challenge:
“Internet bound traffic should be inspected for more than URL filtering. Web 2.0 applications require granular policies for control.”
“URL Filtering is mostly reactionary. It has a fundamental flaw to be an effective security filter; it does not monitor threats in real time.”
Solution: Granular control of Web 2.0 applications. Policies by location, user, group, time of day, quota
MANAGE
• Web 2.0 Control
  • Action-level control for Social sites, Streaming, Webmail & IM
  • Allow viewing but block publishing
  • Allow webmail but not file attachments
• Bandwidth Control
  • 40 – 50% of BW is consumed by streaming
  • Enforce policies by type of web application
  • Ensure enough BW to mission critical apps
• URL Filtering
  • URL DB, multiple languages
  • Enforcement by URL, not domain
  • Real-time Dynamic Content Classification
  • 6 classes, 30 super categories, 90 categories
  • Safe Search
• Enforce traditional URL policies at low TCO
• Enable use of Web 2.0 with right access to right users
• Tangible savings due to proper use of BW (last mile)
• Right access to right resources to empower users and optimize resource use

Comply - Data Leakage Prevention (DLP)
• Challenge: Social networks, Blogs, Webmail/IM are easily accessible from any browser and are dangerous backdoors. May lead to accidental or intentional leakage of proprietary and private information.
• Solution
  • Define Policy - IP Leakage or regulatory compliance
  • Detect violations - DLP dictionaries and engines
  • Enforce by location, user, app
  • Allow or block. Notify
• Benefits: Rapid deployment. Highly accurate, Ultra-low latency, Complete inline inspection (not a tap node)
[Diagram: Users; webmail, blog, IM, file upload; Sales data, Credit cards; Define Policy, Engine, Detect, Enforce]

Solving the Web Log Problem
Get real-time Interactive Analysis; Say Good Bye to Batch Reporting
• Challenge
  • Web logs are huge (50 – 100GB per day for large companies).
  • Expensive to retrieve logs for a specific incident when needed.
  • Often takes overnight to run many summary reports.
  • Almost impossible to drill-down to transaction-level; Resort to batch reporting.
“Reporting tools for web logs are primitive, especially in handling large logs. Consolidated and real-time reporting is a challenge.”
• Solution
  • Zscaler’s Nanolog technology uniquely solves the problem.
  • Leverages data differential, indexing and compression technologies
  • Reduced storage by a factor of 50; Optimized data retrieval
[Chart: Web log size for the same traffic. Others: 50GB; Zscaler: 1GB]
[Chart: Access Response Time. Others: 2 hours; Zscaler: 2 secs]
• Get timely and accurate information to make right decisions

Proxy Latency
Traditional Proxies: Not Designed for Content Inspection
[Chart: Throughput of a Proxy. Y axis: Throughput (10Mbps, 50Mbps, 100Mbps, 10Gbps); X axis: URL Filtering, AV/AS, Header Inspection, Body Inspection; series: Traditional Proxies, Zscaler]
[Chart: Latency of a Proxy. X axis: URL Filtering, AV/AS, Header Inspection, Body Inspection; Traditional Proxies (10’s of millisecs), Zscaler (10’s of microsecs)]
[Axis annotations: Knowledge of Destination, Knowledge of Payload, Knowledge of Application, Knowledge of Content]
Zscaler can inspect full content without introducing latency

Solving the Re-routing Latency Problem
Re-routing latency depends on the number of data centers and on a multi-tenant architecture. A true multi-tenant SaaS allows a policy to follow the user (meaning that a customer is not tied to a data center).
[Map: Re-routing latency from various locations. Cities: Moscow, London, San Francisco, Tokyo, Rome, Hong Kong, Washington DC, Mexico City, Bangalore, Singapore, Rio De Janeiro, Cape Town, Adelaide. Values shown: 61 ms, 24 ms, 30 ms, 72 ms, 50 ms, 68 ms, 30 ms, 136 ms, 360 ms, 500 ms]
Few data centers = Re-routing latency of 100s of milliseconds.
Zscaler’s 30+ data centers minimize re-routing latency (less than 20 milliseconds for most markets)

Zscaler’s proprietary TCP Stack and Network Drivers Minimize Proxy Latency
• Standard Protocol Stack (10 millisecs): Proxy App, Socket, TCP, IP, Ethernet
  • Packets are stopped and queued at each protocol junction.
  • Issues:
    • Context Switches
    • Cache thrashing
    • Memory waste
• Zscaler Protocol Stack (4 microsecs): Proxy App, TCP, IP, Ethernet
  • Optimized TCP Stack to:
    + Remove all stops and queues
    + No context switches
    + Remove un-necessary constructs like sockets
    + Zero Copy
  • Advantages:
    + High Performance
    + DDoS Protection
Zscaler delivers 100x the speed of traditional proxies

Zscaler SSMA Technology Delivers Ultra-Low latency
• Traditional Proxies
  [Diagram: Data Packet, Proxy, Internet; separate subsystems: Anti-spam, Phrase Matching, URL DB, Anti-virus, . . .]
  • Loosely coupled subsystems require passing data back and forth, introducing latency.
• Zscaler Proxy with SSMA
  [Diagram: Data Packet, Zscaler Proxy Node, Internet; Packet in Memory scanned for: Botnets, XSS, DLP, URL filtering, DCC, Anti-virus]
  • Single Scan Multi-Action (SSMA) ensures full inspection without latency

Multi-tenant Architecture Sets Zscaler Apart from Others
[Diagram: Central Authority; Gateways; Data Center: East Coast; Data Center: West Coast]
• Zscaler: Multi-tenant, Distributed
  • Multiple customers share the same system infrastructure
  • User goes to the nearest gateway
• Legacy SaaS: Single-tenant
  • A customer is tied to a specific system
  • Re-routing creates latency

SaaS: Better Security, Lower TCO
Natural move to professionally managed services
• Home water cleaning; Water utilities deliver clean water
• Home power generators; Power utilities: Get power as you need
• Security Industry: Move from a cottage industry to Professionally Managed Services
[Diagram: Appliances, Hosted Apps (MSSP), Software-as-a-Service]
• Reduce deployment cost
• High acquisition & management cost
• Outsourced management of on-premise device
• No acquisition cost
• Pay-as-you-go
• Little administration
• Multi-tenant MSSP
Pressure to do more with less, Limited IT budget & personnel

IDC Research: SaaS Market Trends & Opportunity
[Chart: Drivers in your organization's SaaS investments]
[Chart: IT security management challenges to your organization]
All are drivers for SaaS
[Chart: Web Security SaaS Forecast. Web Security SaaS CAGR 2008 - 2013: 46% CAGR]
Source: IDC 2009

The Crisis of Newer Security Threats
• Heartland finds malware in bank card payment system (Jan. 20, 2009)
• Malware targets U.S. military computers – Agent.btz (Dec. 02, 2008)
• Network Security Breaches Plague NASA (Nov. 20, 2008)
• U. of Florida discloses patient-record data breach (Nov. 12, 2008)
• Hannaford says malware on its servers stole card data (Mar. 28, 2008)
• TDAmeritrade Breach Affects 6.3 Million Customers (Sep. 14, 2007)

Current Technologies Aren’t Effective and May Give You False Sense of Security
• URL Filtering & Web Proxies circumvented by
  • Dynamic domain names & URLs
  • Compromised legitimate Web sites (e.g. Super Bowl Miami Dolphins, Samsung Telecom, Google)
• Anti-virus bypassed using
  • Zero-day exploits
  • Polymorphic malware
[Chart: 64% are stealthy, polymorphic (undetected by conventional security technologies); 36% (and falling) detectable by conventional Anti-virus technologies]
Antivirus and URL filters have been circumvented by today’s threats

Browser is Exploited to Infect Your PCs
The fastest growing attack vector is your browser
65% of Web-based malware is spread by exploiting browsers
[Pie chart]
• Browser Exploits: 65.00%
• Email Attachments: 13.00%
• OS Exploits: 11.00%
• Downloaded Files: 9.00%
• Other: 2.00%
Source: European Network & Information Security Agency
Source: IBM

Traditional Detection Technologies No Longer Work
• Black Listing (Knowledge of Destination)
  • URL Categorization
  • Domain Control List
• Signature Match (Knowledge of Payload)
  • Virus
  • Spyware
• Header Inspection (Knowledge of Application)
  • Unauthorized Apps
  • Tunneling Protocols
• Content Inspection (Knowledge of Content (Body))
  • Malicious Active Content, Botnets, XSS
  • User generated pages
[Diagram: Request and Response to www.google.com; Hash, Header, Body]
• Full Content (page) inspection is required to detect today’s threats
• “AV signatures or URL filtering is obsolete for newer threats. High-speed scanning of content/pages is needed.” Gartner

Secure - Integrated & Comprehensive Threat Detection
• Zscaler uses dynamic page risk index to detect threats accurately
SECURE
Real-Time In-line Analysis [Diagram: Users, SSL, Internet]
• Knowledge of Destination: Domain/URL Match, Destination Reputation
• Knowledge of Payload: Signature Matching, Executable Files
• Knowledge of Content: Content Inspection of each object; JavaScript, ActiveX
• Knowledge of Application: Header Inspection, Tunneling Protocols, Unauthorized Apps
• Page Risk Index
Offline Data Mining – The Cloud Effect
• New URLs, New Signatures, New Patterns
• Based upon # of hits, Using multiple engines, Anomalous Patterns

Zscaler Secure Browsing
Challenge: Hackers are exploiting browsers to infect users’ computers. Older and unpatched browsers are vulnerable.
“There are more browser capabilities to be exploited, more potential for vulnerabilities.”
Solution: Enforce browser policy: browser versions, patches, plug-ins & applications
SECURE
Zscaler Policy Enforcement [Diagram: IE, Firefox, Safari, Opera; Missing patches; Vulnerable Plug-in]
• Browser Version: e.g. IE 6 & Firefox 3.0.10 are vulnerable
• Browser Patches: e.g. Google’s patches to secure Chrome
• Plug-in/Extension: 3rd party plug-ins are vulnerable
• Applications: Browser becoming an application platform
• Configurable scans frequently (daily, weekly, monthly, etc)
• Warn if outdated or vulnerable
• No client-side software or download required
Benefit: Reduce security risk with least effort (centrally configured)

Zscaler Manage
Policy-based URL Filtering
MANAGE
• Global Support
  • Global URL DB for dozens of countries
  • Fully customizable block pages in multiple languages
  • International domain name support
• Classification
  • Flexible and granular categories – better analysis & control
  • User-defined, custom URL classification
  • Dynamic Content Classification: Uncategorized pages scanned and classified in real time
  • 6 Classes, 30 Super Categories, 90 Categories
• Safe Search
• Enforcement
  • Enforcement by URL, not by domain (Yahoo, FaceBook, etc.)
  • Granular policies by user/group, location, time of day, quota
  • Integration with Active Directory and LDAP
• Reporting
  • Powerful reporting: Real-time consolidated view, Real-time drill-down to transaction level

Zscaler Manage
Policy-based Managed Access to Web 2.0
Challenge:
“The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering.”
“Discerning one app from another is far from just a URL recognition game”
Solution:
• Managed access - Granular policies by action, location, group, etc.
MANAGE
[Diagram: Users, SaaS Service, Internet]
• Webmail: Email, Attachment
• IM: Chat, File Transfer
• Social Networks, Blogs: View, Publish
• Streaming Sites: View/Listen, Upload
Benefits:
• Provide right access to right users

Zscaler Manage
Policy-based Bandwidth Optimization
Challenge: 40% - 50% of bandwidth is consumed by streaming applications
Solution: Bandwidth allocation by application type
MANAGE
Application-Level Bandwidth Control [Diagram: Users, Zscaler]
• Financial Apps: Min 15%, Max 50%
• General Surfing: Min 10%, Max 30%
• Streaming Media: Min 0%, Max 10%
• Sales Apps: Min 15%, Max 50%
Benefits: Right applications get the right bandwidth; cost saving

Understanding Data Leakage Prevention
“With Web 2.0, message boards, blogs, and social networking sites are becoming a pipeline for information leakage and corporate compliance violations.”
• Web 1.0: Read Only; No DLP issues
• Web 2.0: Users send & post content; DLP: Blogs, Webmail, IM; Intentional or Accidental
COMPLY
[Diagram columns: who, what, how, where, impact]
• Users; HR, Sales, Legal
• Loss of IP: Source code, Business Plans, M&A Documents, Customer Records, Technical Docs
• Regulatory Compliance: Credit Cards, Social Security Number, Financial Statements, Patient Info
• Blog Posting, Webmail, IM, Social Networks
• Analyst, Competitor, Customer, Spyware Site, Business Partner, Benefit Provider
• impact: Loss of data & IP, Liability of non-compliance, Loss of reputation
• Web 2.0 has become open backdoor for Data Leakage. All you need is a browser

Is Data Leakage a Real Problem?
“Data loss prevention (DLP) is a growing concern in the Web 2.0 environment”
“46% of data-stealing attacks are conducted over the Web”
COMPLY
[Chart: Top Sources of Data Leakage. Source: IDC, 2008]
• Data at rest and end points is handled by storage and end point vendors respectively.
Former Goldman Employee Accused of Stealing Code (July 6, 2009)
According to federal charges, Sergey Aleynikov stole a highly sophisticated piece of Goldman's code, uploaded it to a German server, and then tried to hide his trail, wiping the record of his keystrokes. Goldman's network stored a backup, so the company was able to check it after alarm bells were triggered by Aleynikov's 32-megabyte upload. Had his actions gone unnoticed, Aleynikov would have been sitting on 32 megabytes of data worth potentially hundreds of millions of dollars. The federal complaint notes only that Goldman had spent "millions" to develop the program and that it generated "many millions of dollars of profits per year" for the firm.

Multiple and Easy Traffic Forwarding Options
1. GRE Tunneling
  • Create a GRE tunnel to forward port 80/443 traffic to our SaaS Service
  • Primary Tunnel, Secondary Tunnel, Tertiary Tunnel
2. Forward Proxy Chaining
  • Forward port 80/443 traffic from Squid, ISA, Bluecoat, etc.
  [Diagram: Web proxy to SaaS Service]
3. Proxy / PAC File
  • Browser based PAC file or explicit proxy setting support
  • Road Warriors
  [Diagram: PAC File/Explicit Browser to SaaS Service]
No device needed on customer premise, no software to deploy. Simply forward the traffic from each location to Zscaler

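The PAC-file option can be illustrated with an added example that is not from the deck. It shows the difference between a fail-closed proxy list and one ending in DIRECT, which lets traffic skip inspection when the gateways are unreachable. The gateway names, port, internal domain and the routeFor helper are placeholders and assumptions.

```javascript
// Added example (not from the deck): PAC file for the "Proxy / PAC File" option.
// Gateway names, port and internal domain are placeholders.
var GATEWAYS = ["gateway1.example.net:8080", "gateway2.example.net:8080"];
var INTERNAL_DOMAIN = ".corp.example";

// Browsers provide these PAC helpers; stand-ins are defined only when the
// file runs outside a browser (for example under Node for testing).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Returns the proxy list for one request.
// failOpen=false: no DIRECT fallback, so a gateway outage blocks web access
// instead of silently sending traffic around inspection.
// failOpen=true: availability is kept, but policy is bypassed during an outage.
function routeFor(url, host, failOpen) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // Only web traffic (port 80/443 in the deck) is forwarded.
  if (scheme !== "http" && scheme !== "https") {
    return "DIRECT";
  }
  host = host.toLowerCase();
  // Internal names never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  var chain = [];
  for (var i = 0; i < GATEWAYS.length; i++) {
    chain.push("PROXY " + GATEWAYS[i]);   // tried in order: primary, secondary
  }
  if (failOpen) {
    chain.push("DIRECT");
  }
  return chain.join("; ");
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return routeFor(url, host, false);
}
```
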
Zscaler User Authentication & Directory Integration
Zscaler service integrates with Active Directory or LDAP for user and group-based policies
• LDAP/AD (Hosted Authentication Bridge, Host Auth Agent, Directory Server)
  • Browser’s request is intercepted by the cloud node and re-directed to Hosted Authentication Bridge.
  • Auth Bridge challenges the browser for user ID and password.
  • Hosted Authentication Bridge verifies the provided credentials with the customer's directory server (LDAP, Active Directory).
  • If successful, the Hosted Auth Bridge inserts a cookie and redirects the browser to the original site.
• Hosted Directory (Cookie Authentication)
  • Browser’s request is intercepted by the cloud node and re-directed to Hosted Authentication Bridge.
  • Auth Bridge challenges the browser for user ID and password.
  • Hosted Authentication Bridge verifies the provided credentials with hosted user database.
  • If successful, the Hosted Auth Bridge inserts a cookie and redirects the browser to the original site.
[Diagram labels for both options: Users, Road Warrior, Firewall, Web Site]
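
The redirect-and-cookie exchange described above, as an added sketch that is not from the deck and not Zscaler's implementation. It assumes an HMAC-signed cookie with an expiry so the cloud node can reject forged or stale cookies; the cookie format, key handling, lifetime, URL and every function name are assumptions, and the account is constructed sample data.

```javascript
// Added sketch of the cookie-based flow. Cookie format, key handling, TTL
// and all names are assumptions, not Zscaler's implementation.
const crypto = require("crypto");

const KEY = crypto.randomBytes(32);   // secret shared by bridge and cloud node
const TTL_SECONDS = 8 * 3600;         // assumed cookie lifetime
const BRIDGE_URL = "https://auth-bridge.example/login";   // placeholder

// Stand-in for the check against the customer's LDAP/AD server or the
// hosted user database; the account is constructed sample data.
const directory = new Map([["alice", "correct horse"]]);
function directoryBind(user, password) {
  return directory.has(user) && directory.get(user) === password;
}

function sign(payload) {
  return crypto.createHmac("sha256", KEY).update(payload).digest("hex");
}

// Bridge: verify the credentials, then issue the cookie and send the
// browser back to the original site.
function bridgeLogin(user, password, returnUrl, now) {
  if (!directoryBind(user, password)) {
    return { status: 401 };
  }
  const payload = user + "|" + (now + TTL_SECONDS);
  return {
    status: 302,
    location: returnUrl,
    cookie: payload + "|" + sign(payload),
  };
}

// Cloud node: user name for a valid, unexpired cookie, otherwise null.
function verifyCookie(cookie, now) {
  const parts = typeof cookie === "string" ? cookie.split("|") : [];
  if (parts.length !== 3 || !/^\d+$/.test(parts[1])) {
    return null;
  }
  const expected = Buffer.from(sign(parts[0] + "|" + parts[1]), "hex");
  const given = Buffer.from(parts[2], "hex");
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return null;   // forged or modified cookie
  }
  return Number(parts[1]) > now ? parts[0] : null;   // reject expired cookies
}

// Cloud node: pass authenticated requests, redirect everything else to
// the bridge together with the URL that was originally requested.
function nodeHandle(requestUrl, cookie, now) {
  const user = verifyCookie(cookie, now);
  if (user !== null) {
    return { status: 200, user: user };
  }
  return {
    status: 302,
    location: BRIDGE_URL + "?return=" + encodeURIComponent(requestUrl),
  };
}
```
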