Check Point Next Generation with Application Intelligence Protection Against Network and Application Attacks


Presentation Transcript


  1. Check Point Next Generation with Application Intelligence: Protection Against Network and Application Attacks

  2. Agenda • Today’s threat environment • Exposed Applications • What is Application Intelligence? • Application Intelligence R55W • Check Point Next Generation with Application Intelligence Highlights

  3. Today’s Threat Environment: Application Vulnerabilities • Most organizations have perimeter security • Network-level firewalls enforcing access control • Default protection against network-level attacks • Result: attacks are becoming more sophisticated; hackers are targeting applications • Closer to business/user data (the ultimate goal) • Multiple applications create multiple attack vectors • Many known vulnerabilities in common applications • According to the FBI and SANS, more than half of the Top 20 Most Critical Internet Vulnerabilities breach networks via applications like Web and email

  4. Application Intelligence • Set of technologies that detect and prevent application-level attacks • Deeper understanding of application behavior integrated with network security defenses • The core functions of Application Intelligence are: • Validating compliance to standards • Validating expected usage of protocols • Blocking malicious data • Controlling hazardous application operations

  5. Check Point Active Defense Building Blocks • Patented technology (Stateful Inspection) • Check Point FireWall-1 NG with Application Intelligence™ • Multi Layer Stateful Inspection, from the network layer (IP/TCP) to the application layers (HTTP/XML/SOAP etc.) • Validates protocol correctness at all layers • IP de-fragmentation • TCP Stream reconstruction • Protocol parsing (HTTP, VoIP, RPC etc.) • Content parsing (XML/SOAP, ASN.1 etc.) • Restrict protocols to protect application servers from unused options • Open and flexible architecture allows customers to immediately respond to new versions/applications to ensure tight security control

  6. Check Point Next Generation with Application Intelligence Defense Strategies • Validate Compliance to Standards: Do communications adhere to relevant standards? Ex: No binary data in HTTP headers • Validate Expected Usage of Protocols: Is protocol being used in an expected or “typical” manner? Ex: Excessive HTTP header length or Directory Traversal • Block Malicious Data: Is application introducing hazardous data or commands? Ex: Cross Site Scripting or Attack signature detection • Control Hazardous Application Operations: Is application performing unauthorized operations? Ex: FTP commands

  7. Application Intelligence Defenses • Selected Attacks Defeated: Code Red, Nimda, Directory Traversal, Malicious URLs, HTTP Encoding Attacks, WebDAV Attacks, FTP Bounce Attack, Bugbear Worm, SQL Slammer Worm • Applications: Web, Peer-to-peer, Instant Messaging, DNS, VoIP, FTP, Email, Microsoft Networking

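  8. A Comparison with Legacy Firewalls • Columns: Network Firewalls, Application Layer Gateways, NG with Application Intelligence • Access Control, Network-level: some (Application Layer Gateways) • Access Control, Application-level: -- (Network Firewalls) • Attack Protection, Network-level: some* (Application Layer Gateways) • Attack Protection, Application-level: -- (Network Firewalls), some* (Application Layer Gateways) • * no dedicated means to configure attack protection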

  9. Application Intelligence - SmartDefense • Centralized Control for attack protection • Real Time Attack Information • Detailed forensics information • Response, alerting and configuration tracking

  10. Peer-to-Peer Application Control • Blocked Applications • Tracking

  11. Cross-site Scripting Protection • Granular protection per server

  12. Application Intelligence in R55W

  13. Architectural Improvements • Product enhancements from architectural changes: • Active Streaming • Web Intelligence • Usability Enhancements • Dynamic updates • Add-On installation • Debugging and Monitoring tools

  14. Enhanced Streaming Inspection • Active Streaming • Kernel-based TCP stack • Manipulation of data stream • Advanced security controls • Complements Passive Streaming • Combined Streaming approach • Passive and Active • Fastest application security processing architecture in the market

  15. Passive vs. Active Streaming Methods • Passive Streaming • Analyze request • Reject on detection • Advanced inspection with little overhead • Active Streaming • Analyze request and response header before sending to server • Manipulate stream • Send error page • Advanced inspection with greater control but more overhead

  16. Streaming Uses in R55W • Passive Streaming • Default method • Active Streaming • HTTP header spoofing • Sending error pages • Granular Use • Streaming Decision • per connection • per web server • Highest performance through selective streaming

  17. Web Intelligence vs. Application Intelligence • Web Intelligence • SQL Injection • Command Injection • Directory Traversal Attacks • Granular HTTP Format Sizes • Granular Allowed HTTP Methods • HTTP Header Spoofing • Malicious Code Protector

  18. Updated Application Intelligence Support • SNMP • Allow only SNMPv3 • Block default community strings for SNMPv1/2

  19. Updated Application Intelligence Support • POP3 / IMAP • Block identical username and password • Username/password length restrictions • NOOP command restrictions

  20. Updated Application Intelligence Support • Peer to Peer • Detection on all ports • New Port scan logic • Host scan • Sweep scan

  21. Updated Application Intelligence Support • DShield Storm Center Integration • Report activity • Receive automatic block list updates

  22. Updated Application Intelligence Support • MSN Messenger over SIP • Block specific operations over SIP • Verify RFC compliance

  23. Updated Application Intelligence Support • New VoIP Support • MGCP • Skinny (SCCP) • Support includes: • Dynamic management of RTP sessions • Analysis and enforcement of message states • Verification of call parameters • Keep call state for each call • Enforcement of hand-over domains • Logs call information • Report security vulnerabilities

  24. Updated Application Intelligence Support • MS-SQL

  25. Updated Application Intelligence Support • DNS Verification and Enforcement • UDP and new TCP enforcement • ID scrambling • Domain “black list” • Prevention of “Birthday attacks” • Prevention of excessive reply flooding • Prevents major issue with DNS: Cache Poisoning

  26. Check Point Next Generation with Application Intelligence Highlights • VoIP Support • Worm pattern matching for CIFS • High-performance peer-to-peer support • HTTP encoding attack prevention • Network Quota (DoS protection) • Fingerprint Scrambling • VPN Denial of Service Protection

  27. Malicious Code Protector™ • (Flowchart: User Input, Executable Code?, Virtual Simulator, Malicious Code?, Block/Log; yes/no and pass branches) • Malicious Code Protector • Patent-pending technology • Catches buffer overflow attacks and other malicious code against web servers • 50% of all major security bugs are buffer overflows (CERT) • Blocks code-based attacks by disassembling and analyzing executable code embedded in network traffic • Attack identified based on its simulated behavior, not signatures • Catches known attacks • Catches unknown attacks • HTTP only • Windows and Linux based code disassembly

  28. Summary • With Application Intelligence, Check Point delivers the most comprehensive and integrated protection against application and network attacks • Application Intelligence is integrated into Check Point FireWall-1, VPN-1, Express, and InterSpect • Application-level attacks and vulnerabilities pose significant risks to today’s networks, and Application Intelligence provides the security to defend against these threats
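
The four defense strategies on slide 6, applied to the head of an HTTP request, as an added example that is not Check Point code and not part of the original presentation. The function name, the header-length limit, the allowed-method set (standing in for the slide's FTP-command example, in the spirit of slide 17's allowed HTTP methods) and the single script-tag signature are all assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed per-server policy
MAX_HEADER_LEN = 1024                      # assumed limit per header line, in bytes
XSS_SIGNATURE = re.compile(r"<\s*script", re.IGNORECASE)  # one illustrative signature

def inspect_request(raw: bytes) -> list[str]:
    """Return which of the four slide-6 strategies the request head violates."""
    findings = []
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    method, target = parts[0], parts[1] if len(parts) > 1 else ""

    # 1. Validate compliance to standards: no binary data in the request head.
    if any(b < 0x20 and b != 0x09 or b > 0x7E for line in lines for b in line):
        findings.append("compliance")

    # 2. Validate expected usage: excessive header length or directory traversal.
    #    Decoding twice also catches double percent-encoding of the dots.
    decoded = unquote(unquote(target))
    segments = decoded.split("?", 1)[0].replace("\\", "/").split("/")
    if any(len(h) > MAX_HEADER_LEN for h in lines[1:]) or ".." in segments:
        findings.append("expected-usage")

    # 3. Block malicious data: script tag carried in the decoded URL.
    if XSS_SIGNATURE.search(decoded):
        findings.append("malicious-data")

    # 4. Control hazardous operations: method outside the allowed set.
    if method not in ALLOWED_METHODS:
        findings.append("hazardous-operation")
    return findings

# Constructed request heads: a clean baseline plus one per check.
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "binary-header": b"GET / HTTP/1.1\r\nX-Id: \x00\xff\r\n\r\n",
    "encoded-traversal": b"GET /docs/%252e%252e/private HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long-header": b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n",
    "script-in-url": b"GET /search?q=%3Cscript%3E HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "method": b"DELETE /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {inspect_request(raw) or 'pass'}")
```

The checks run on the reassembled request head, which is why slide 5 lists IP de-fragmentation and TCP stream reconstruction before protocol parsing.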
