Gateway Security at Stateful Inspection/Application Proxy

Transcription

1 Gateway Security at Stateful Inspection/Application Proxy Michael Lai Sales Engineer - Secure Computing Corporation MBA, MSc, BEng(Hons), CISSP, CISA, BS7799 Lead Auditor (BSI)

2 Agenda Who is Secure Computing Corporation Stateful Inspection vs Application Proxy IPS on Application Proxy Firewall Web Page Displacement P2P/IM Control Cross Site Script Q&A

3 Who is Secure Computing Corporation

4 Secure Computing Highlights Who We Are Public company (NASDAQ: SCUR); HQ is San Jose (USA), Worldwide presence; 900+ employees Largest independent enterprise gateway security company Annual billings run rate ~$300M, profitable, strong cash generation Singular focus on enterprise gateway to enable safe, secure and productive use of open networks, including the Internet What We Do Technology Perimeter protection most secure firewalls, Identity & Access Comprehensive messaging & web gateway security Inbound & Outbound protection: Block the bad and guard the good 145 Patents pending/granted Unmatched protection with TrustedSource using global intelligence Purpose-built gateway security appliances Recognized leadership positions by Gartner and IDC Customers 20,000+ Blue-chip customers in 106 countries. 60% of Fortune 500; 56% of DJ Global 50; 8 out of 10 top world banks

5 Enterprise Gateway Security Integrated, Best-of-Breed Appliances Secure your Network Edge Firewall Sidewinder AV IPS Connex Control Secure your Messaging Anti- Communication Virus Anti- IronMail Compliance Spam Intrusions Encryption Data & Users Internet Ensure proper Identity & Access SafeWord Authentication Connex Control Authorization Secure your Web Encryption Communication Anti- Webwasher Compliance Virus Anti- Malware URL Filtering Network Gateway Application Gateway

6 Stateful Inspection vs App Proxy

7 Two Kinds of Firewall - Network layer and packet filters (L4) : - Control based on IP and port - Stateful and stateless - Application-layer (L7): - Intercept all packets traveling to/from an application - Inspecting all packets for improper content

8 Proxy Technology Vs. Packet Filtering Only Trusted Proxies Talk to Your Servers! PROXIES > External clients NEVER DIRECTLY CONNECT with the internal application servers TWO SEPARATE CONNECTIONS are maintained per client-server session ONLY TRUSTED PROXY is allowed to talk directly to the internal application servers Securely processing packets Versus. Just passing packets Stateful Inspection Compromises Security STATEFUL INSPECTION > Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS SI is more like a router than a true firewall COMPROMISING SECURITY to gain performance Helping unknown sources get direct connections with internal servers is a POOR SECURITY DESIGN

9 Application Proxy Technology Client ONLY Sidewinder s trusted proxy is allowed to talk directly to internal application servers Two separate connections are maintained per client-server session Proxy securely processes client requests to the server Proxy automatically strips out attacks trying to introduce malicious commands that violate RFCs Proxy may be further configured to tightly enforce a limited-use policy for the application Client-server communications are configured to only allow needed operations and denies all else! Untrusted TCP/IP Stack HTTP Proxy Layer 7 defenses Full packet assembly RFC compliance Configured to allowed use All else denied Scanning Engines Trusted TCP/IP Stack Server Web Server App Server Oracle SQL Citrix VoIP Etc.

10 Proxy-Based Application Defenses The power of the Positive Model of security POSITIVE MODEL OF SECURITY Deny all methods of communicating with the application unless the methods are explicitly allowed. Proxy configuration selections define the only allowed communications with the protected applications! RFC compliance is automatically enforced. Not just simple signature-based checks that is the negative model of security (allow all traffic while looking for the bad known in the traffic) Positive Model proxies have deep understanding of the applications they protect Proxy GUI treatment allows very granular control over how clients communicate with protected applications Protecting applications this way stops zero-hour unknown attacks

11 Attack Containment & Control Analogy Type Enforcement Master Control SecureOS FTP NTP Sendmail Web SQL Open SSL SNMP Telnet DNS Server VPN Master Control (Type Enforcement in the OS kernel) Nothing happens on any file, directory or executable without real-time permission being granted (Non by-passable) Compartmentalization of functions Software applications running in secure compartments Eliminates attack creep from one application to another Containment of attacks If one software piece fails or is attacked, others keep running unaffected Authorization to board No foreign software can launch on the system because it would lack Type Enforcement (trojans, viruses, attack scripts, etc.)

12 IPS on Application Firewall

13 IPS at Stateful Inspection Firewall Usually, great performance drop if the IPS is turned on. For example, from 2Gbps to 300Mbps It is because the firewall cannot apply protocol enforcement The firewall has no ability to recognize the protocol or ability to scan traffic selectively Hence, all traffic will be scanned with the whole IPS database

14 Customized IPS for Different Attack Sidewinder allows customized signature for each connection Performance enhanced Different response can be set for different attack Default rule sets are built-in for popular protocol

15 Select how you want SIP.SOFTSTONE.REXPLOIT"; content: the firewall to respond " if the signature is hit Look for relevant signature groups for the service VoIP/SIP and add to the rule

16 Signature groups are provided so the firewall is at maximum efficiency in employing signatures only for services and connections you wish to inspect with signatures.

17 Web Page Displacement

18 Secure The Passing Traffic Web Sites Internet The firewall should have ability to handle the traffic passing through it - Mac address (L2) - IP address (L3) and Port (L4) - VPN (L2 L4) - IPS (L3 L7) - Anti-Virus and Anti-Spam (L7) - Protocol anomaly detection and content control (L7) - Proxy function

19 Attack Demo - Identify the Victim The demo will show a hacker change the price of a web site selling book and CD so that he can buy at a very low price

20 Attack Demo Launch an Attack The hacker runs a script to replace the file on the web site

21 Where can the Attacking Traffic be Stopped - By connection (L2 to L4) - Yes if you know where is source IP of the hacker - By connection behavior (L3 to L5) - No because it is not DOS or network probe and the connection is same as from a normal user - By IPS (L3 L7) - Yes provided that the IPS signature includes the particular code such as cgi-bin/foo.bat? dir+c:+>..\htdocs\dir.txt or cgibin/foo.bat? echo+hacked+owned+by+dr0zz+>>+..\htdocs\index2.html - By AV (L7) - No because the file passing through the firewall has text and image only. - By Protocol (L7) - Yes, because most web site attack violate the HTTP protocol RFC standard. See below demo.

22 A Common Solution in HK Secure your Network Edge 1st Tier FW IPS 2nd Tier FW Internet Data & Users 1st Tier FW IPS 2nd Tier FW Central Management - L3/L4 FW cannot scan content - IPS is the only chance to block the attack - Fail to have multiple layer protection

23 Solution From Secure Computing 1st Tier FW IPS 2nd Tier FW Internet Data & Users 1st Tier FW IPS 2nd Tier FW - TrustedSource stops connection from suspicious IP - Two different IPS (Snort + SCC) - Content filtering by protocol control

24 Blocked by Protocol Anomaly Detection This is a sample of injection attack. The injected command violate the HTTP Protocol and it can be stopped by application layer firewall

25 Sample HTTP Attack Stopped by Sidewinder

26 P2P/IM Control

27 Block by Protocol Enforcement - P2P/IM connection uses non-common port will be blocked by default - Only P2P/IM uses port 80/443 can make connection - In Application Awareness firewall, port 80 and 443 can be bound with HTTP and HTTPS respectively. No tunneling - Only P2P/IM uses port 80/443 with standard HTTP/HTTPS can pass through - E.g. Skype will be blocked because it uses non-standard SSL

28 Block by Content Control - Application firewall allows you to control the content within the protocol - Only P2P/IM cannot have identified type within the protocol can pass through. - E.g MSN can be blocked by denying x-msn-message MIME type.

29 Block by URL Filtering - As the P2P/IM uses standard HTTP/HTTPS, a valid URL should be found - All P2P/IM can be blocked provided that the URL control database includes the URL/IP - E.g. FOXY file sharing can be blocked

30 Cross Site Script

31 The Leader in Proactive Protection Largest Reputation Network Feeds from thousands of load balancers, FWs, Msg & Web gateways Highest quality data Over 100 Billion Messages/month Millions of URLs Most Reliable Reputation Score 25 research scientists Sophisticated behavior analysis 450,000+ zombies detected each day Best image spam detection Portland Atlanta Brazil -180 Data Store Bad London Hong Kong Reputation Query Internet Traffic Reputation Score Calculated Suspicious Internal Network +180 Good Be Proactive in Protecting From Next Generation Threats Work with the clear leader in this business!

32 - In the future, all incoming connection will have the TrustedSource screened. - Only trusted IP can make connection to Sidewinder or Snapgear. - The risk of making connection from a hacker or a zombie will be reduced significantly. In the Future

33 A Sample Hacked Site Searched on 30 Apr 2008

34 The Sample Cross-Site Script

35 Client Protected by TrustedSource It may be the hacked site and the final script hosting site AV/IPS can stop the known attack Content control can deny script

36 Server Protected by Sidewinder Trusted Source protected the server from dangerous client such as zombie App proxy can apply URL control to stop injection attack and deny SOAP AV and IPS can kick out known attack

37 Q&A