Be up against the UTM Dedicated Content Security solutions from Cisco

Transcription

1

2 Be up against the UTM Dedicated Content from Cisco Istvan Segyik Systems Engineer CCIE Security #47531 Cisco Global Virtual Engineering (GVE)

3 Topics threats A few things to do for safer with no $$ investment Cisco Security Appliance (ESA) Web threats Cisco Web Security Appliance (WSA)

4 security

5 Threats SPAM - unsolicited , usually advertising: Causes employee productivity issues; May cause Denial of Service issues in the infrastructure; Can be used to spread malware. SCAM unsolicited with forged sender address: Usually used for advertising; Many times spreads malware; Many times used for Phishing attack = Phishing SCAM; The victim is not the recipient only but the legal owner of the sender address (domain). Malware in (doesn t have to be SPAM or SCAM). Confidential data leakage. Targeted attack (DoS, Privilege escalation, data theft).

6 Phishing SCAM Starts with a forged Sender identity has been forged; Internal content resembles to a company s brand (typically banks or governmental organizations). Forging senders: Simply changing sender addresses and using open SMTP relay servers that don t check source addresses; Compromising the servers of the real owner of the sending domain. The goal of the attack is to ask the addressee to visit a portal (e.g. forged banking portal) and hand over login credentials or credit card data. The legal owner of the sender usually suffers serious loss of reputation so becomes secondary victim.

7 SCAM example: the

8 SCAM example: the alleged sender Memfus Wong Surveyors Limited: mwsl.com.hk Property agency in Hong Kong

9 SCAM Example: the apparent issue

10 SCAM Example: the real bad thing

11 SCAM example: who are the victims? In this example: The person who lost its credit card details. The property agency in Hong Kong whose system was compromised. The clothing company whose web site was compromised. Worldwide: Manufacturing: 8% Other industry: 8% Design and development agencies: 8% Utility (e.g. energy): 19% Financial industry: 27%

12 What can we do? Educate users. Apply industry s best practices to secure our infrastructure: SPF, DKIM, DMARC; Upgrading, patching systems; IPS/IDS systems. Use advanced security solutions such as Cisco Security Appliance (ESA).

13 SPF, DKIM, DMARC

14 DKIM, SPF, DMARC in general With these techniques configured on both sender and receiver sides, sender forging can be prevented. The recipient server can verify the sender server s identity and authority. Verified SIGNED Your Company DNS Server SIGNED Trusted_Partner.com Recipient server Imposter Drop/Quarantine Trusted_Partner.com

15 Sender Policy Framework - SPF RFC7208 The sender makes the recipient able to verify if a certain SMTP server is authorized to send s from a domain or not. The recipient server can verify the HELO and MAIL FROM addresses. The sender can instruct the recipient how to interpret and what to react in case of a violation. Example (cisco.com): "v=spf1 ip4: /27 ip4: /26 ip4: /27 ip4: /24 ip4: /14 ip4: /27 ip4: /24 ip4: /16 ip4: /20 ip4: /24 ip4: /24 ip4: /27 ip4: /26 ip4: /27 ip4: /26 ip4: /24 mx:res.cisco.com mx:sco.cisco.com ~all"

16 Question: what does it mean? sub-domain.domain.com. IN TXT "v=spf1 -all"

17 SPF shortcomings Doesn t protect against intra-domain forgery. Doesn t inspect inner header. Doesn t check the integrity of the .

18 Domain Key Identified - DKIM RFC5585, RFC6376, RFC5863, RFC5617 (ADSP) The sender SMTP host creates an SHA-1 or SHA-256 hash of the message and signs the hash with a private key. The public key is stored in a DNS record. DNS record example: c3po._domainkey.altn.com text = "v=dkim1; k=rsa; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcjvrk3kpx17dwax uya/66/qgzu/r/7325hxqhg8poaqmn3jzpagh9gdaocdzxbtnbqkknojmkkczr41xb4h3u5reinbbq8g rfynp3n6s2kz2lwwwpssavdgtotcuxqt+pwesda7c0z5v2axgg76ygyh8b504gv+yhaxurqxnbzqwida QAB"

19 DKIM shortcomings Requires significant processing power. Can be optimized but that reduces security: Header and content simplification; Use of SHA-1 instead of SHA-256. If an was not signed, its verification would be ignored. Author Domain Signing Practices (ADSP) could mitigate the problem above, but rarely implemented, because: Can handle DKIM only; Doesn t ensure feedback channel to the sending party. _adsp._domainkey.example.com IN TXT "dkim=unknown all discardable"

20 Domain-based Message Authentication, Reporting & Conformance The DMARC protocol: Unifies the instructions for SPF and DKIM verifications at the recipient side; The sender can sign to the recipient what to do with SPF and DKIM errors; The following actions can be requested by the sender: none reject quarantine; Provides feedback channels: for every single error message OR for aggregate error reports. Not surprisingly uses a DNS record. More complicated than ADSP but there are on-line tools that help you, e.g.: A DNS record example: v=dmarc1; p=quarantine; pct=100; rua=mailto:dmarc-reports@bounces.amazon.com; ruf=mailto:dmarc-reports@bounces.amazon.com

21 DMARC visualized DNS Server DMARC p=reject SIGNED Verified SIGNED Trusted_Partner.com Cisco ESA Report Imposter Drop/Quarantine Trusted_Partner.com

22 Cisco Security Appliance - ESA

23 Cisco Ironport Security Appliance ESA Virtual (on Cisco UCS hardware + VMware) and hardware appliance. Main features: traffic normalization; SPF, DKIM, DMARC verification, DKIM signing; Sender reputation filtering; Anti-SPAM; Anti-malware engines (Sophos, McAfee, FireAMP); Integrated RSA DLP engine; Outbreak Filter (automatically enforced Cisco Talos rules); Real-time URL analysis; Local or off-box (Management Appliance) quarantine; encryption (Cisco Secure Envelope Services or S/MIME). Can be managed over its embedded GUI or through a Content Security Management Appliance.

24 Simplified incoming mail verification flow Normalization, SFP/DKIM/ DMARC, recipient identity checks Drop/Quarantine SenderBase Reputation Filtering Drop Anti-Spam Drop/Quarantine Cisco Talos Anti-Virus Drop/Quarantine Advanced Malware Protection AMP Drop/Quarantine Outbreak Filters Quarantine/Re-write Real-time URL Analysis cws Deliver Quarantine Re-write URLs Drop

25 Cisco Senderbase reputation filtering Big-big data: More than 1.6 million sensors; Covers approximately 35% of the World s traffic; Inspects over 13 billion Web requests per day; More than 200 web and parameters are analysed for hosts and domains. The result is a reputation score between -10 and +10 for SMTP servers and web sites which is used as a condition in rules. It is inspected for incoming mails only. The reputation score in Senderbase cannot be modified manually. The owner of the domain or host must comply! Public website for Senderbase:

26 Anti-SPAM ESA has two Anti-SPAM engines. You may run both using Intelligent Multi-Scan. It can be applied on both outgoing and incoming s. ESA may put suspected SPAM messages into quarantine, drop or just mark them. There is an approximate 99% catch rate. The categories into which an may fall into: Not SPAM; Unwanted marketing from a legitimate source; Suspected SPAM; Positively identified SPAM. The system gives integrated feedback channel to Cisco in case of false positive or false negative classification events.

27 Anti-virus on ESA There are two traditional A/V engines on ESA: Sophos and McAfee. One or both can be run in the same time on the same message. Both engines can do traditional pattern matching and heuristic analysis. Infected messages can be disinfected or quarantined. Messages with attachments that cannot be inspected can be quarantined or tagged. Can be used on both incoming and outgoing s.

28 FireAMP on ESA Called File Reputation and File Analysis engine in ESA. Can be used to inspect incoming messages only. Requires continuous access to Sourcefire cloud. At the moment it uses cloud Sandboxing (Threat Grid in AMP cloud). Integrated Sandboxing is on roadmap. Comprehensive reporting and audit functionality. File tracking with alerting and reporting on false negatives (initially missed malware).

29 Mail Flow Pipeline File Reputation update FireAMP on ESA To Content Filters AMP Cloud AMP Client Local Cache File Reputation Query Sha256 checksum +SPERO fingerprint for WinPE files Verdict Unknown File Upload for Sandboxing VRT Sandboxing From Anti-Virus

30 Outbreak Filter Automated intervention point for Cisco Talos. Can be used on both incoming and outgoing s. Virus, Malware and Phishing SCAM protection. Ways of intervention: May quarantine or drop harmful messages; Suspected messages can be hold back until an anti-virus system declares it clean; Modification of the message, e.g.: Tagging the URL, delete or rewrite the URL, redirect to Cisco Cloud Web Security (CWS) proxy. End users cannot write custom rules for the Outbreak Filter engine. The default poll time is 5 minutes.

31 Real-time URL analysis in ESA The embedded URLs in an can be analysed automatically. This may be used for both incoming and outgoing s. The category and the web reputation score of the URL (host) can be verified. Above message drop and quarantine, the following actions can be done: Tag the URL (so they are not parsed as valid URL); Replace the URL (can even redirect to Cisco Cloud Web Security (CWS) proxy); Overwrite the URL with any text. Note: many such phishing URLs point to new web sites with currently neutral (0) reputation. See our previous example! So this function doesn t prevent you having sufficient web security measures.

32 Real-time URL analysis in ESA Contains URL Rewrite Send to Cloud Tag BLOCKEDwww.playboy.comBLOCKED BLOCKEDwww.proxy.orgBLOCKED Cisco Talos Replace This URL is blocked by policy URL Categorization

33 Inspection of outgoing s The previously mentioned bi-directional inspection functions are: Normalization; Anti-SPAM; Legacy anti-virus; Outbreak filter; URL analysis. One not yet mentioned bi-directional function: decryption with S/MIME. Above the above-mentioned: RSA DLP engine; encryption using either Cisco Registered Envelope Service (CRES) or S/MIME; DKIM signature.

34 Cisco Registered Envelope Service (CRES) Cisco Security Appliance Message Key Sender Controls Recipient Automated key management on a local server or in cloud. The content is never processed in the cloud, encrypted on ESA. Policy driven encryption, can be transparent at the sender side. Alternative solution #1: TLS encrypted SMTP between servers. Supported on ESA. Alternative solution #2: S/MIME. End-to-end or encryption done on ESA. FAQ:

35 S/MIME on ESA NEW in version 9.0 Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard based method for integrity checking (signing) and encryption. RFCs: 3369, 3370, 3850, 3851, 5750 and The ESA can (on gateway level with common key materials): Sign, encrypt, or sign and encrypt messages using S/MIME; Verify, decrypt, or decrypt and verify messages using S/MIME. May work together with CRES. ESA can generate self-signed or use imported certificates for signing and decryption.

36 S/MIME on ESA NEW in version 9.0 Encryption requires ESA having the public key of the recipient: It can be added manually; ESA can try to harvest them. Public key harvesting: ESA can automatically collect the public keys from incoming s; The maximum storage size for that purpose is 512 Mbytes per appliance; Oldest keys are deleted when the storage space fills up; The HAT (Host Access Table) can be fine tuned to allow/disallow harvesting for certain categories. Outgoing S/MIME signing and encryption can be controlled in policy. S/MIME challenges: Requires PKI; Some webmail systems have difficulties to handle it.

37 Some deployment considerations ESA should be connected into the DMZ. Logically ESA must be in front of the Groupware/ server. Redundancy and load-balancing can be achieved via: Multiple MX records in the DNS zone; Load-balancer. Please ask Cisco or a certified Cisco partner to size the ESA deployment!

38 Dedicated security vs. UTM/NGFW Dedicated security solutions offer: More controls; Defense in depth (e.g. Multiple anti-virus/malware engines); More processing power for features like DKIM, S/MIME, etc.. Better reporting on related data; Think about ACI, it is easy to separate applications traffic.

39 Web security

40 Common Web Threats #1 Malware Visiting phishing sites. Productivity issues: employees spending time with visiting non-productive web sites. Bandwidth issues: employees downloading large files (bad files or good files but big size and bad timing).

41 Malware Web Malware related attack vectors: Browser exploit; Browser plugin exploit; Downloaded file hides malware; Harmful web applications; Etc. The attack vector is increasingly sophisticated: The web site that hosts the harmful code is many times accessed via multiple redirections and hidden links; The initially run code downloads and/or creates other files it can be the fourth, fifth, etc. level that implements the real harmful activity; SSL/TLS encrypted channels can be used. Web surfing is the hardest to protect attack surface today.

42 Cisco Ironport Web Security Appliance WSA Virtual (Cisco UCS + VMware or KVM) or hardware appliance formats. Features: HTTP(S), FTP(S) proxy, caching and TCP optimization; TLS decryption and re-encryption (MITM); Dynamic URL category and reputation filtering; Content filtering (file type); Simple in-box DLP engine, ICAP interface for external engines; Web Application Visibility and Control (AVC) engine; Anti-malware engines (Sophos, McAfee, Webroot and FireAMP); Botnet Activity Filtering (L4TM) inspection over the whole TCP/UDP port range; User Authentication, quota control, user-based reporting. Can be managed over its embedded GUI and CLI or over the centrally through a Content Security Management Appliance.

43 WSA TLS Proxy The SSL/TLS encryption blinds the content analysis engines. URL Filtering can still work. How? WSA supports Man In The Middle (MITM) style SSL/TLS decryption and reencryption. It can be transparent to the end user: The proxy (e.g. WSA) receives the request; The proxy opens a new encrypted session towards the web server; The proxy generates and signs a new certificate which is very similar to the original certificate of the server; If the proxy s certificate comes from a Trusted CA, the client browser won t raise any alert. For effective use of this function a signing certificate must be installed on the WSA that comes from a Trusted Root CA server.

44 WSA TLS Proxy - certificates An example for a decrypted session. The banking site in the example is 100% safe and used by the author daily.

45 Latest additions to WSA FireAMP anti-malware (File reputation and analysis): May block file download; Has extensive file tracking and reporting; Retrospective analysis and alerting; Approximately 6-16% extra load. Cisco Identity Services Engine (ISE) pxgrid API integration: An additional transparent user authentication method (in addition to the CDA method for AD); Maps the username and the Security Group Tag to the source IP address; The SGT is used in the Web Access Policy as a condition; Can identify non-ad users and non-user endpoints; At the moment unidirectional but automated remediation initiated by the WSA over ISE is on roadmap. Time and volume quotas.

46 Some WSA deployment considerations WSA fully inspects HTTP(s) and FTP(s) only. The rest of the traffic can be inspected by the Botnet Traffic Filter function over different in-line or promiscuous ports only. The (selective) traffic redirection can be done in the following ways: Explicit Proxy settings in the OS or in the browser (manual or PAC file); Transparent (to end user) redirection: WCCP; Policy Based Routing (PBR); Destination NAT (breaks SSL/TLS proxy). Normally WSA uses its proxy IP address as the source IP for sending traffic out to the Internet. It can be changed to preserve the source IP address.

47 Some WSA deployment considerations The L4TM (Botnet Traffic Filter) is working on separate interfaces (in-line or promiscuous). The Load-balancing and redundancy options are: WCCP; Multiple proxies configured in the PAC file; Load-balancer. Web Cache Communication Protocol (WCCP) Content routing protocol developed by Cisco; Redirects traffic AND provides: fail-open, redundancy, load-balancing and signalling; There are Layer 2 and Layer 3 (GRE) redirection methods; Redirection is supported on Cisco switches, IOS routers, ASA firewalls and 3rd party devices; Read more:

48 Dedicated Web proxy vs. UTM/NGFW Pros: Do caching as well, ideal for low-bandwidth connections; The deployment requires no- or minimal change in the existing firewall system; Has enough processing power for defense in depth kind of processing (e.g. multiple anti-virus/malware engines). Cons: There are no IPS functions; Fully inspects HTTP(s) and FTP(s) only; Separate device to manage.

49 Dedicated Web proxy customer scenario The customer: Multinational pathological microscope and x-ray developer; Low bandwidth Internet uplink (20 Mbps for 300 employees); Existing corporate standard 3rd party Firewall with IPS license; The existing firewall s web security features didn t satisfy the needs but has PBR functionality. Requirements: #1 Malware filtering even in SSL/TLS encrypted traffic; Authenticated user access primarily for reporting; URL filtering to increase productivity and decrease the load on the Internet uplink; Caching would be a nice to have feature. They have bought WSA on Cisco appliance after evaluating it on VMware.

50 THANK YOU!

51