Virus Protection Across The Enterprise

Transcription

1 White Paper Virus Protection Across The Enterprise How Firewall, VPN and /Content Security Work Together Juan Pablo Pereira Sr. Technical Marketing Manager Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA or 888 JUNIPER Part Number:

2 Contents Introduction...3 Background...3 Multi-layered Security Approach...4 Virus Protection Overview...6 Network-based Virus Protection Gateway...8 Non-Embedded Gateway...9 An Integrated Technology Approach--Embedded Gateway...9 Enterprise Solution for Virus Protection...11 Benefits of the Integrated Solution for End-to-End Virus Protection...12 Enterprise Security from Juniper and Trend Micro...13 Summary...14 About Trend Micro...14 Copyright 2004, Juniper Networks, Inc.

3 Introduction Juniper Networks and Trend Micro are working together to provide comprehensive end-toend security solutions that address the complex connectivity and security requirements of today s global, distributed enterprise. The Juniper Trend Micro relationship is designed to combine the innovations of Juniper s integrated firewall, Virtual Private Network (VPN), and Deep Inspection technologies with Trend Micro s advanced antivirus and content security capabilities. Working together, Juniper and Trend Micro deliver comprehensive, cost-effective security solutions to meet enterprise requirements. Background In today s highly connected business environment, companies are struggling with how to ensure that critical resources are both available to authorized users and protected from unauthorized access. Threats to enterprises assets are real, as their networks and systems are continuously confronted with increasingly sophisticated attacks and viruses. As shown in Figure 1, the worldwide cost of the recent Slammer worm and SoBig.F virus exceeded $2 billion. Analysis by Incident $18.0 Worldwide Economic Impact of Malicious Code $17.1 Year Worldwide Malicious Economic Code Name Impact 2003 SoBig.F $1.1 billions 2003 Nachi $500 millions 2003 Blaster $400 millions 2003 Slammer $1.25 billions 2001 Nimda $635 millions 2001 Code Red $2.62 billions Source: Computer Economics, Billions of Dollars $16.0 $14.0 $12.0 $10.0 $8.0 $6.0 $4.0 $2.0 $0.0 $0.5 $1.8 $3.3 $6.1 $12.1 $ Figure 1. Worldwide Impact of Malicious Code. Computer Economics, 2002 and 2003 In recent years, mixed-threats have caused substantial harm to enterprises worldwide. Mixed-threats, such as the recent MSBlast (or Blaster), SQL Slammer, Code Red and Nimda attacks, use multiple methods and techniques to propagate and inflict damage, spread very rapidly, and cause significant productivity disruptions. For example, Computer Economics estimated that the impact of the mixed-threat Code Red was $2.62 billion and the cost of Slammer was estimated at $1.25 billion (see table in Figure 1) Copyright 2004, Juniper Networks, Inc. 3

4 These malicious attacks have demonstrated how quickly network performance and enterprise productivity can be compromised on a worldwide scale. The emergence of these increasingly sophisticated attacks has drawn attention to many of the limitations with current security approaches, forcing enterprises to completely re-evaluate their IT security strategies. Enterprises are realizing that their existing security mechanisms address only a subset of the security requirements needed to protect critical IT resources. Not only must IT managers try to protect IT resources from global outbreaks, they also have to keep out those attackers who specifically target their organization. These targeted attacks aim at decreasing network availability; destroying, stealing or manipulating data; or seizing control of corporate resources. Today s enterprise networks now extend to remote sites, retail outlets, remote workers, home offices, and business partners. With this ubiquitous interconnectivity, one host compromised by a malicious code in a remote site can easily affect the rest of the network, causing significant damage. A single remote user who takes an infected laptop back to the office will likely affect many other computers inside the network. For example, during the SQL Slammer outbreak, a single laptop, infected by the worm while connected at home, affected many servers and completely brought down the wide area network of a large multinational company. With expanding network boundaries, the highly connected nature of the network and the ever-increasing complexity of threats, it is easy to see how IT managers can become overwhelmed by the task of managing enterprise security. It is their job to lock down their network to eliminate weaknesses, control access, ensure proper authorization and prevent the exploitation of vulnerabilities. As a result, IT managers are looking for solutions that can effectively protect against today s complex, mixed-threat attacks. Multi-layered Security Approach IT managers recognize that a comprehensive security strategy requires deployment of multiple layers of defense throughout the network. As illustrated on Figure 2, enterprises can deploy multiple security technologies, including Virtual Private Networks (VPNs), firewalls with Deep Inspection, Denial of Service (DoS) protection, and antivirus to protect their critical assets. Enterprises realize that they need to implement multiple layers of security, as no single security layer is able to fully protect them against these sophisticated threats. By implementing multiple layers of security, enterprises are able to significantly increase the security of their infrastructure, as a hole in one layer is covered by the other security layers. The security technologies may incorporate overlapping defenses against specific threats. However, organizations need to implement a number of security layers to obtain the comprehensive security they need to protect their critical assets against sophisticated attacks. 4 Copyright 2004, Juniper Networks, Inc.

5 IT managers have also learned that they need to implement the same layers of security throughout their network, from remote to central sites. Having bulletproof security deployed solely at central sites has not proven sufficient, as one of the most vulnerable entry points for viruses and other attacks includes remote sites or remote workers. To help prevent the rapid spread of network attacks, enterprise security policies and procedures for remote users and branch offices must incorporate the same rules and policies as those within the central site. Multi-Layered Security Approach Critical Assets Threats Attacks Viruses VPN Firewall Deep Inspection DoS Protection Intrusions Figure 2. Multi-Layered Security Approach Virtual Private Networks: create a secure communication channel across a shared or public network by encrypting the packets before they are sent out onto the network and decrypting them at the destination after they come out of the network. VPNs allow enterprises to extend their network service over the Internet to branch offices, retail outlets and remote users, creating a private Wide Area Network (WAN) via the Internet. With VPNs, communication links can be established securely, quickly, and cost-effectively throughout the world. Firewalls: enforce security policies by controlling what type of traffic is allowed to go in and out of a network. A firewall tracks the communication sessions and denies traffic that is not explicitly allowed by a security policy. A firewall can also perform user authentication to ensure that only authorized users access the appropriate network resources. A firewall defends networks against attacks ranging from unauthorized access, address spoofing, session hijacking, and rerouting of traffic. Many firewalls also work in-concert with gateway antivirus, vectoring network traffic to a separate system for virus scanning. Deep Inspection firewalls: enforce attack prevention policy by looking for attack patterns within traffic allowed by the firewall and dropping the packet or connection associated with an attack. A Deep Inspection firewall system can control what traffic is allowed based not only on the source or destination addresses or application, but also on the particular application control and data fields. Deep Inspection firewalls can defend networks against various types of attacks, including worms, buffer overflows, and protocol violations. Copyright 2004, Juniper Networks, Inc. 5

6 Denial of Service Protection: mitigates attacks designed to overwhelm a network or a host with useless traffic in order to block legitimate access. For instance, a SYN flood attack can initiate an overwhelming number of connection requests, and consume all system resources, so there are not enough resources to handle legitimate requests. DoS protection can alleviate these threats by using a variety of mechanisms to ensure that requests for system services are legitimate before sending to the appropriate network or host resource. : scans for viruses, trojans and other malicious code in files on end systems, file servers, servers and on network gateways. technology scans and inspects content for malicious code. In the next sections, we present a comprehensive security approach for virus protection across the enterprise. Virus Protection Overview A computer virus is an executable code that infects or attaches itself to other executable code in a computer in order to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems. Others present a problem merely in the act of infecting other files, as their propagation may overwhelm networks and systems with bogus data. Initially, viruses were transmitted via diskettes. Consequently, virus propagation was slow, and few systems were affected. However, viruses now use networks as a medium for transmission, affecting many more systems and at a much faster rate. According the ICSA Computer Virus Prevalence Survey, in % of viruses were transmitted via and 11% were transmitted via Internet downloads. The trend of virus transmission via networks is likely to continue. Figure 3. Virus Encounter Vector from the ICSA Computer Virus Prevalence Survey Note that respondents could indicate more than one avenue of infection, and totals may exceed 100 percent. 6 Copyright 2004, Juniper Networks, Inc.

7 Enterprises have traditionally defended their systems against viruses using desktop antivirus software. However, the majority of viruses use the network for transmission, which cannot be completely prevented by desktop antivirus. Even enterprises with antivirus installed in all desktops still experience virus infections. In addition, many mixedthreats such as the recent SQL Slammer attacks, could not be stopped by the traditional means of a pattern file or virus definition because it resided in system memory and contained no file counterparts. Faced with increasingly sophisticated viruses, mixed-threats and other complex attack types, enterprises recognize that desktop security addresses only a subset of the security requirements. Many have recognized that deploying multiple layers of defense, for any given technology, can improve overall security and help reduce the risk of compromise. Consequently, many enterprises are employing a multi-tiered approach to antivirus to protect their networks and systems against viruses and malicious code (see Figure 4). Firewall Gateway File / Mail Server Desktop Figure 4. Multi-tier Approach for Virus Protection A cost-effective, best practice approach to deploying layered security for virus protection across a network should incorporate the following elements: Resourceful, elegant solutions designed to protect different environments, from large central sites to small offices and remote workers Ease-of-configuration, monitoring and management capabilities for the complete security infrastructure Capabilities that scan multiple content types and enable IT managers to enforce security policies across the network Low cost to maintain the security infrastructure without sacrificing security Tight integration with the firewall and VPN solutions Standardization of security policies from the core to the edge of the network Copyright 2004, Juniper Networks, Inc. 7

8 Network-based Virus Protection Gateway Gateway antivirus running at network access points has gained popularity for its ability to scan for viruses and contain them before they can spread across network boundaries, such as from the Internet to corporate networks, from remote sites to other sites, or even from segment to segment on a large network. Gateway antivirus scans network traffic for viruses including content such as mail, web and file transfers as it crosses the network perimeter and can rapidly detect and stop viruses before they spread and infect desktops. Gateway antivirus products are also very cost-effective, as one single license can protect all end systems in the network segment. Gateway antivirus protection is commonly deployed in concert with desktop antivirus, as many IT managers recognize that effective protection requires both mechanisms. Many of today s new viruses infect other systems via the network and remain resident in memory on the infected systems, without writing files to disk, thus avoiding the desktop antivirus engine. Gateway antivirus can detect and stop these network-transmitted viruses before they reach end systems and cause damage. Gateway antivirus enables enterprises to respond rapidly to virus outbreaks by enabling IT managers to implement virus pattern files at the gateway first. By implementing measures to stop outbreaks from spreading at the gateway level, IT managers can stop viruses from spreading across protected network boundaries and provide protection to internal desktops. The desktop antivirus can then be updated, but IT managers have the additional confidence that a new virus can be stopped before it enters the enterprise network. Gateway antivirus can be configured to run as a stand-alone system in the network. For mail traffic, the gateway antivirus listens on port 25 (SMTP) for new connections, scans the SMTP traffic it receives, and routes scanned traffic to the original SMTP server for delivery to mail clients. For web traffic, the gateway antivirus listens for HTTP requests, sends the requests to the remote Web server, and then scans the HTTP traffic it receives in response before passing it on to the requesting host. To facilitate the deployment of virus protection in a network, gateway antivirus can also be integrated with firewalls. There are two types of integration: non-embedded and embedded gateway antivirus. A non-embedded deployment allows the firewall to vector traffic, typically via a protocol, to a separate system for virus scanning, while an embedded gateway antivirus deployment does virus scanning inside the firewall system. 8 Copyright 2004, Juniper Networks, Inc.

9 Non-Embedded Gateway Non-embedded gateway antivirus deployments use firewalls to redirect relevant traffic to dedicated gateway antivirus systems for scanning and, if necessary, cleaning. The firewall inspects all traffic and only redirects the traffic that needs to be scanned (see Figure 5). To increase bandwidth capacity, firewalls are able to redirect traffic to multiple gateway antivirus systems, and the gateway antivirus with the smallest load is chosen for the next scanning connection. Non-embedded gateway antivirus solutions scale to meet the requirements of central and regional sites. The configuration and deployment of these types of solutions require technical expertise and IT resources that are typically available in central and regional sites. Gateway Firewall Desktops Desktops Desktops Figure 5. Non-embedded gateway antivirus deployment, with the firewall redirecting the traffic to dedicated gateway antivirus systems for virus scanning An Integrated Technology Approach--Embedded Gateway Embedding gateway antivirus inside the firewall can simplify deployment and management, as enterprises only have to control and monitor a single device. Embedded gateway antivirus solutions offer flexible, cost-effective options for points in the enterprise such as remote sites, small offices, retail outlets and remote workers, which must comply with security policies deployed at their main offices, possess minimal onsite IT resources and require comprehensive security and virus protection. Deploying firewalls with embedded gateway antivirus offers remote sites control of the security functions for their individual sites, while still enabling these sites to easily and consistently implement changes to security policies. Copyright 2004, Juniper Networks, Inc. 9

10 To address the requirements for today s enterprise security and virus protection, embedded gateway antivirus solutions should combine best-of-breed firewall features with best-ofbreed gateway antivirus and content security features. It is advisable for organizations to evaluate the level of integration between the firewall and antivirus features to make certain that all security functions in the device are controlled by a single security policy. Enterprises shouldn t have to compromise on security to enjoy the benefits of deploying embedded gateway antivirus in remote sites. The combination of embedded and non-embedded gateway antivirus deployments can be used to protect network entry points in distributed enterprises. Remote sites and remote workers, like central sites, usually have access to the Internet and can be affected by virus outbreaks. IT managers recognize the benefits of having gateway antivirus deployed throughout their networks and are looking for cost-effective solutions to provide end-toend virus protection. To summarize, enterprises are now realizing that having multiple tiers of antivirus protection is required for protecting systems and networks against viruses and other malicious code. However, a major challenge facing IT managers today is finding comprehensive security solutions that are cost-effective and that protect networks across the enterprise, from remote to central sites. 10 Copyright 2004, Juniper Networks, Inc.

11 Enterprise Solution for Virus Protection Implementing a multi-tier antivirus and content security approach is critical for effective protection against viruses and malicious code. A multi-tier approach incorporates antivirus and content security at the desktop, mail server, file server, and gateway. Organizations are realizing that they need to deploy gateway antivirus and content security throughout the enterprise network, from remote sites and remote workers to regional and central sites. In addition, the security infrastructure needs to be controlled and monitored using a centralized management platform, so that security policies are centrally configured and enforced across the network. As illustrated on Figure 6, a virus protection strategy involves firewalls with non-embedded gateway antivirus (redirect) for central and regional sites, firewalls with embedded gateway antivirus for remote sites, and centralized management to control the complete security infrastructure. Central Site Regional Site Gateway Firewall Firewall Gateway Remote Site Firewall Central Management Embedded Gateway Figure 6. End-to-end security and virus protection solution for distributed enterprises For central and regional sites, enterprises can take advantage of security solutions that integrate firewall, VPN, and DoS mitigation. The firewall can then redirect the traffic that requires scanning to a dedicated gateway antivirus for virus protection. By using firewalls and non-embedded gateway antivirus, enterprises have the flexibility and scalability they need to meet their security needs. For remote sites, small offices and remote worker environments, an integrated device with embedded gateway antivirus makes security both affordable and manageable. Having integrated security functionality in remote sites significantly reduces network complexity and simplifies management, while delivering the strong security that enterprises require. The ideal solution for remote sites enables management and enforcement of global security policies at remote enterprise sites, and combines best-of-breed security functionality into a single appliance. Copyright 2004, Juniper Networks, Inc. 11

12 The central management system allows enterprises to control the security and virus protection throughout the enterprise. Security policies can be centrally configured and pushed to all security devices in the network. In addition, IT managers gain total visibility of the network state and are able to rapidly react to virus outbreaks and other security threats. Integrated end-to-end firewall, VPN, and gateway antivirus solutions allow widely distributed enterprises to cost-effectively implement security and protect critical assets against viruses and other malicious code, while maintaining central control and management of security infrastructure. It is important to note that the effectiveness of an antivirus and content security solution is directly linked to the amount of resources the vendor spends on virus and outbreak research. Enterprises require antivirus and content security solutions that not only use advanced technology to detect viruses but also timely incorporate updates for new viruses. Best-of-breed antivirus and content security vendors have large teams of engineers and researchers constantly monitoring the environment and ready to respond to new virus outbreaks. By using best-of-breed antivirus technology, enterprises can detect known viruses and rapidly respond to and contain new viruses. Benefits of the Integrated Solution for End-to-End Virus Protection With an integrated security solution that includes firewall, VPN and gateway antivirus, enterprises can effectively implement layered security without compromising performance, while reducing the total cost of ownership (TCO). With virus protection enabled in all relevant network segments, IT managers can easily identify, prevent and contain virus outbreaks. Network security devices can give IT managers superior visibility of a wide range of security issues, including virus outbreaks, that would be too time consuming to identify at the host level. Enabling gateway antivirus at multiple entry points in the network enables enterprises to block viruses before they reach internal hosts. If an attack has reached an internal desktop, it might already be too late. Once malicious code hits a desktop, the attack has already achieved a measure of success, since the security incident needs to be investigated to assess damages. The overall goal with virus protection is to prevent malicious code from having any impact on networks and systems, and to achieve this goal, enterprises must implement security solutions that block viruses and other attacks before they can reach vulnerable hosts. With virus protection deployed across the network, IT managers can reduce their dependency on desktop antivirus and gain efficiencies in terms of deployment, management and upgrade. IT managers can use a single integrated security device to protect against new virus outbreaks that could affect a large number of systems, without having to immediately update the virus pattern file in each and every desktop. This will speed up the organizations reaction and save time, bandwidth and resources. It also enables administrators to update individual desktops on their own schedule, knowing that desktops are protected by gateway antivirus functionality. 12 Copyright 2004, Juniper Networks, Inc.

13 Enterprise Security from Juniper and Trend Micro Traditionally, IT managers have used discrete, best-of-breed solutions to protect their networks and systems. By combining two best-of-breed solutions Juniper for integrated firewall, IPSec VPN, and DoS protection, and Trend Micro for antivirus and content security enterprises will be able to deploy best-of-breed security solutions without compromising security and while keeping total costs down. Juniper is a leader in network security, providing integrated firewall, Deep Inspection and IPSec VPN systems and appliances and Intrusion Detection and Prevention solutions to deliver solid security and predictable performance at a lower cost. Juniper provides a broad range of integrated products to provide enterprises with powerful, easy-to-manage solutions to protect their critical resources. Trend Micro is a global leader in antivirus and content security software and services. The company led the migration of virus protection from the desktop to the network server and the Internet gateway, gaining a reputation for vision and technological innovation. Trend Micro offers a large, dedicated security team for fast response to new attacks and viruses. TrendLabs SM, Trend Micro s global network of security service centers, includes over 250 engineers who operate around the clock to monitor virus activity, develop information on new threats, and deliver prompt, effective protection strategies. TrendLabs comprehensive body of security research, expertise and knowledge on virus protection provides enterprises with timely updates and attack-specific policy recommendations during critical stages of the outbreak lifecycle to help manage the time, costs, and system damage associated with outbreaks. Juniper and Trend Micro offer security appliances that integrate firewall, VPN and embedded gateway antivirus using best-of-breed technologies from Juniper and Trend Micro. The Juniper Networks NetScreen-5GT platform is a high performance network security appliance designed to secure small or remote offices, including home offices, sales offices, and retail outlets. It features five 10/100 Ethernet ports and two serial ports, one as a console port and one modem port for automatic dial backup. Integrated security appliances allow enterprises to deploy a single device for firewall, VPN and antivirus, thus significantly decreasing the total cost of security infrastructure. Juniper and Trend Micro continue to work together to meet the enterprise security requirements of protection against viruses and other malicious code. Both companies offer the joint solution to provide enterprises with the integrated functionality they need to keep their remote network resources safe. Copyright 2004, Juniper Networks, Inc. 13

14 Summary Enterprises need a comprehensive security strategy to protect systems and networks against the outbreaks of viruses and blended threats. By using multi-layer security strategies, enterprises can now protect their critical assets against these threats. Enterprises are looking for integrated end-to-end security solutions, as they have learned that discrete solutions cannot completely satisfy their security needs. Juniper and Trend Micro have collaborated to provide enterprises with comprehensive, remote enterprise security solutions. Juniper and Trend Micro intend to cooperate on a variety of products and product features to offer enterprises solutions that encompass firewalls, VPN, and antivirus functionality. About Trend Micro Trend Micro, Inc. is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate and value-added resellers. For additional information and evaluation copies of all Trend Micro products, visit Copyright 2004 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from: Juniper Networks, Inc N. Mathilda Ave.Sunnyvale, CA ATTN: General Counsel 14 Copyright 2004, Juniper Networks, Inc.