La Sicurezza è Nulla Senza Controllo

Transcription

1 Milano 18 Marzo 2008 La Sicurezza è Nulla Senza Controllo Marco Bonfà Business Development - EPS datacom In collaborazione con: Un Senso di Sicurezza Controlli aeroportuali 25/03/2008 EPS Datacom Srl 2 1

2 Un Senso di Sicurezza Controlli in ambito Automobilistico ABS, ESP, DTC, etc. 25/03/2008 EPS Datacom Srl 3 Un Senso di Sicurezza Controlli in ambito urbano e privato Sistemi di video sorveglianza 25/03/2008 EPS Datacom Srl 4 2

3 Un Senso di Sicurezza Controlli in ambito urbano e privato Sistemi di video sorveglianza 25/03/2008 EPS Datacom Srl 5 Firewalls, AV, IPS, etc. Controllo del Perimetro Estensione del Perimetro Il Controllo nella Sicurezza IT Wi-Fi Mobile workforce Consulenti/Partner/Ospiti esterni Compliances SOX, Basel, PCI 25/03/2008 EPS Datacom Srl 6 3

4 Autenticazione / Verifica Il Controllo nella Sicurezza IT Device/Utente Controllo Accessi alle risorse Finance group Finance Apps Controllo delle minacce Visibilità. 25/03/2008 EPS Datacom Srl 7 Firewall: la prima barriera Il Controllo nella Sicurezza IT Ottimizzato per garantire performance Gestito da più amminstratori Difficoltà nel razionalizzare la rule-base Impatto delle policies nuove ed esistenti 25/03/2008 EPS Datacom Srl 8 4

5 25/03/2008 EPS Datacom Srl 9 Control without Compromise Consentry Simplify NAC Ismet Geri, Regional Director igeri@consentry.com Julien Camino, Technical Manager jcamino@consentry.com ConSentry Networks CONFIDENTIAL 5

6 Market Analysis» Infonetics Network access control device type evolution $700.0 $600.0 $500.0 $400.0 $300.0 NAC Enforcement Appliances $200.0 SSL VPN for NAC use $100.0 $ » Key Figures» 7% of ports are ports in the visitor area, 25% of LAN ports are used by non-employees (contractors, consultants, )» 50% of Enterprises consider employees to be un-trusted (from an IT security stand point) ConSentry Networks CONFIDENTIAL Do You Know These Answers?» WHO or WHAT is on your network?» Guests? Contractors? Technicians? Printers?» WHAT are they accessing?» Design files? Customer records? Financial data?» CAN you control them?» By identity? By role? By app? By destination? ConSentry Networks CONFIDENTIAL 6

7 Why is LAN Security so Hard So far 1 Determine corporate policy for access rights 3 Update switches to interoperate with NAC appliance 4 Distribute new VLANs across network core routing switch 5 Reconfigure ACLs on routers, add IDS blade Oracle database 6 Deploy agent 2 Deploy out-of-band NAC appliance and policy server ConSentry Networks CONFIDENTIAL ConSentry Secure Switching Control every user, secure every port. LANShield Switch LANShield Controller ConSentry InSight Internet Integrated security and switching for the access layer Access Switch Embedded security for the existing LAN infrastructure Firewall Core Switch Router GUI-based LAN tracking, incident reports, and policy setting Access Switch Access Switch WLAN Switch AD, RADIUS, database Data Center ConSentry Networks CONFIDENTIAL 7

8 What s Needed to Secure the LAN Corporate LAN Postadmission controls Pre-admission controls Visibility/Audit Threat Control User Control Posture Check Authenticate Monitor users check for infractions Continuously watch for 0-day attacks Control user based on their role Check systems for compliance Only valid users are allowed on the network ConSentry Networks CONFIDENTIAL ConSentry in Action User and application control Transparent to users Supports non-user devices Windows login to AD from VPN Spans wired/wireless, local/remote remote employee Internet IBM finance server guest Active Directory finance server Windows login to AD role=finance employee jsmith ` Windows login to AD ConSentry InSight Command Center Windows login to AD role=ibm IBM contractor djones Bootup role=printer printer VoIP phone wireless employee policy = SIP only on Port ConSentry Networks CONFIDENTIAL 8

9 Posture Check Dissolvable Agent 1 After authentication, client initiates network request via HTTP 2 ConSentry triggers host posture verification and downloads dissolvable Active X or Java agent onto the hosts LANShield Switch 3 Agent scan supports: Network access granted spyware adware 5 security scans signature updates or denied, restricted policy enforcement anti-virus compliance Windows Service Packs compliance Firewall Windows Registry Scan remediation help IDS/IPS 4 Core Switch Router Internet AD Server RADIUS Server LDAP Server ` User Alice ` User Contractor ` User Bob ` User Guest ` ` ` User Admin LANShield Controller Access Switch ConSentry Insight Command Center ConSentry Networks CONFIDENTIAL Dissolvable Agent User View» Example: Machines fails AV scan User engagement and remediation ConSentry Networks CONFIDENTIAL 9

10 Global Awareness and User Identity ConSentry Networks CONFIDENTIAL Layer 7 App Visibility File Access ConSentry Networks CONFIDENTIAL 10

11 Profile View for Users and Roles Greatly simplified understanding of user activity Three levels of data summarization Deployment Role (new) User (new) Per user or role Dashboard Top applications Top URLs Top Files Bandwidth Violated Policies ConSentry Networks CONFIDENTIAL File Based View (Global or Per user) Answers questions such as: What files are being accessed in the last hour? User Joe accessed what files last week? What files were sent through IM? Access Frequency ConSentry Networks CONFIDENTIAL 11

12 Malware Control in Action Internet 4 Good applications are still able to traverse the network 5 IT can set policy to shut down all traffic from infected user core switch server edge switch ConSentry 2 3 ConSentry sends incident to InSight ConSentry detects malware, blocks only infected app ConSentry InSight Command Center ` 1 Connection attempt rate spikes or Connection failure rate spikes ConSentry Networks CONFIDENTIAL Resiliency and High Availability» Resiliency» Dual power supplies (AC/AC and AC/DC)» Dual fans» Failure options» Fail pass-through» Fail block HA» High availability» Automatic fail-over via STP» User authentication state preserved ConSentry Networks CONFIDENTIAL 12

13 ConSentry s Secure Switching Only valid people and clean systems get on the LAN» Authentication and posture check» No changes to user login procedure Anomaly detection» Zero-day malware containment» Application protection User behavior analysis» Who s on the LAN?» What are they doing?» Everything tied to user» Faster incident response Control access to resources and applications» Control where people can go by their role» Only allow them access to applications relevant to their job ConSentry Networks CONFIDENTIAL LANShield Products, Silicon LANShield Controller ConSentry InSight CS uplinks, 800 users CS uplinks, 2000 users LANShield Switch Policy manager, LAN visibility LANShield Silicon CS40xx 24/48-port gigabit Ethernet switch 128-core CPU, programmable ASICs ConSentry Networks CONFIDENTIAL 13

14 ConSentry LANShield Switches Wire-speed packet processing» Mapping of user/app/role» Detailed L7 visibility» Dynamic policy enforcement» Patented technology + Enterprise-class switching» Mature switch silicon» Full software suite» Standard and interoperable Intelligent Switching CS4024 CS4048X ConSentry InSight ConSentry Networks CONFIDENTIAL Hardware Overview CS4048» 44 10/100/1000 copper ports with optional PoE» 4 10/100/1000 SFPs» 2 10 Gbps uplinks» 10 Gbps deep packet inspection» Hot-swappable dual power supplies and fans» Cable management tools ConSentry Networks CONFIDENTIAL 14

15 Key LANShield Switch Attributes» Unique ConSentry features» Deep packet inspection on every flow» All traffic tied to user identity» Full AAA authorization and accounting» Performance» Switching capacity of 101 million pps» Secure switching rate of 10 Gbps» L2/L3 switching performance» Centralized management ConSentry Networks CONFIDENTIAL Enterprise-Class Switching» 802.1D Spanning Tree» 802.1Q/p VLAN tagging and priority» 802.1w Rapid Spanning Tree» 802.1X Port-based authentication» 802.3af Power over Ethernet (on 4048 PoE)» 4,096 VLANs» 16,000 MAC Addresses» Protocol VLAN (802.1v)» Port Security (MAC address locking)» Mirror/monitor ports» IGMP v1/v2 snooping ConSentry Networks CONFIDENTIAL 15

16 Validation from Gartner» From the Campus LAN Magic Quadrant (10/06):» We expect network access control to be a standard feature of switches in the future.» Embedded security will expand to include technologies such as post admission control, threat containment and content security.» The best example of these new vendors is ConSentry Networks ConSentry Networks CONFIDENTIAL ConSentry Market Leadership The best example of these new [embedded security] vendors is ConSentry Networks. --Mark Fabbi, Gartner Select Customers Recognition ConSentry Networks CONFIDENTIAL 16

17 Thank you ConSentry Networks CONFIDENTIAL Tufin SecureTrack 35 Tufin Technologies is Making Security Manageable 17

18 Firewall Operations Challenges Security Manager Security Administrator Broker Bank Database Credit Card info Internet Customer Wire Services Hacker 36 Firewall Operations Challenges In large organizations, there are multiple firewalls and several administrators at various locations Firewalls are governed by complex rule bases Dozens of configuration changes are made daily Tickets opened by users are translated to configuration changes in firewall Process is manual and prone to potential errors Result possible downtime and security breaches 37 18

19 Additional Firewall Challenges The best firewall will not fix a weak rule base Security threats start with the rule base itself Human errors, failure to follow procedure, fraud Rule bases are growing large and complex Typically hundreds of rules, thousands of objects Very difficult to understand the rule base Are my networks vulnerable to new threats? Policies & procedures not enforced Quarterly rule base audit - best case 38 Tufin SecureTrack Firewall Operations Management A Comprehensive Approach Improves security and uptime Increases operational efficiency Optimizes resource utilization Reduces risk and assures business continuity Enables compliance with regulations and standards 39 19

20 Main Benefits Complete, real-time Change Management Full accountability know who made which changes, and when Test every firewall change against corporate policy Rule Base Optimization & Cleanup Tighten your rule base remove expired & unused rules Business Continuity Management Evaluate business impact of changes to avoid network downtime Risk Management Reduce firewall complexity by simulating the rule base Analyze rules for threats and mis-configurations Auditing & Compliance with regulations and standards Audit configuration against Best Practices and Corporate Policy Comply with SOX, PCI-DSS, HIPAA, ISO 17799, Basel II 40 Network Diagram 41 20

21 Key Customers 42 How SecureTrack Works Check Point - Tracks all Policy changes via OPSEC Save Policy, Install Policy, and other policy changes OPSEC-certified including NGX Check Point SecurePlatform monitor OS-level changes via SNMP Cisco and Juniper / Netscreen monitors configuration changes via SSH Stores every change in SecureTrack s database Calculates Effective Rule Base for analysis Tests rule changes for policy compliance Sends real-time and scheduled reports 43 21

22 Product Specs and Solution Platform General specs Pure Web GUI Revisions stored on a local DB - Postgresql High storage capacity Solution Platform Offering - Software or Appliance SecureTrack Software solution Requires a server-class PC, Redhat / CentOS Linux, and the SecureTrack software package Good match for organizations that prefer to manage their own Linux servers SecureTrack Appliance solution One-stop shop appliance, with Linux-based TufinOS and SecureTrack pre-loaded Good match for organizations that prefer vendors to manage the OS on their behalf 44 SecureTrack Appliance SecureTrack Appliance - Industry s First Appliance-Based Firewall Operations Management Solution Simplifies installation and maintenance Single point of contact for support Mid-size and High-end models T-500: Medium to large organizations (~100 Firewalls) T-1000: Large organizations (~500 Firewalls) T-1000 XL: Super-sites (~750 Firewalls) True network appliance look & feel 2 NICs, RAID, Dual Power Supply, Console port Shallow depth (=<20 ) USB Disk-on-key for recovery Included with every shipping Tufin appliance 45 22

23 GUI - Main page List of Monitored Management Servers and Devices 46 GUI - Policy Revisions Each Save or Policy Install creates a separate Policy Revision in SecureTrack 47 23

24 GUI - Policy Comparison Select any pair of revisions and click on Compare to view the graphical diff Modified Rule Deleted Rule New Rule 48 Rule Base Optimization & Cleanup Rule bases grow large over time Rule life cycle: users request new services, use them for a while, and sometimes stop using those services Result: many of the rules and objects are completely unused, yet the firewall operations team does not know which ones Impact: the rule base enables services which are no longer needed by users, and is more exposed than it needs to be Identifying unused rules is very difficult, because rule numbers keep changing Rule Usage Analysis identifies unused rules and objects Tighten your rule base by removing unused rules and objects Achieved through real-time log analysis & correlation against rules installed on each firewall 49 24

25 Rule Usage Report Most used rules - may be moved higher to optimize firewall performance Least used rules - may be moved lower to optimize firewall performance Un-used rules - can be removed from the policy 50 Policy Analysis Risk management Determine whether a vulnerability on a certain port is exploitable Business continuity Determine whether business-critical connections are blocked or allowed through your rules base Analyze the firewall rule base for the effective policy What traffic will be accepted by this policy? Supports complex rule features Disabled rules, negated object, groups with exclusion 51 25

26 Policy Analysis 2 SecureTrack s Policy Analysis queries the effective rule base using the source, destination or service. The analysis result is a list of rules that accept the chosen traffic pattern. Policy Analysis can be performed against historical revisions as well (forensics) 52 Compliance Alerts Corporate guidelines describe business critical services and unauthorized traffic Changes might violate security guidelines SecureTrack Compliance Alerts Define guidelines as traffic patterns Receive real-time alerts when a change creates a potential risk or affects Business Continuity What guidelines did the change violate? What new traffic is allowed? blocked? 53 26

27 Compliance Alerts 54 Firewall OS Monitoring Firewall OS Monitoring Check Point FireWall-1 SecurePlatform (Nokia planned for Q1 2008) Configuration management for OS-level changes Route changes, interface changes, etc. Performance Monitoring ( MRTG for Firewalls ) Health-checking and threshold monitoring Risk Management for OS level changes Business Continuity for the Firewall hardware and OS Easy analysis of potential down-time causes OS Performance Monitoring OS-level Configuration Change Monitoring 55 27

28 Change Control / Ticketing Large organizations have a workflow-based Change Request process Every request must be processed and approved Change Request ID usually placed in comment field Integration with Remedy and other systems Ability to launch Ticket s details directly from SecureTrack s reports and web-interface 56 Security Audit - Best Practices Firewall Configuration Best Practice Checks Are Implied Rules open? Does each rule have a comment? Do objects conform to naming conventions? Is Anti-spoofing enabled on all interfaces? Are Firewalls properly protected? Is there an explicit cleanup rule? And much more over 50 individual audit checks 57 28

29 Reporting Detailed reports enable tight policy control Support manual or scheduled generation Recurring reports (daily, weekly, monthly) Customizable recipients (per report) Integrated support for scheduled reports Report profiles saved per-user Different formats Embedded HTML, PDF or MHT 58 New Revision Report The New Revision Report is sent via - it contains all changes in graphical format. Can be sent to multiple recipients, on different events (Install Policy, Save Policy, etc)

30 Rule Change Report Displays rules changes over time Useful for determining how inconsistent rules were modified (step-by-step) up to the current version. Accountability - clearly displays the Firewall administrator responsible for each change. 60 Additional Reports Advanced Change Report Displays changes made under certain criteria: Which Management Servers / CMA s Which administrators When the changes occurred Business Ownership Change Report Analyze changes for defined network segments Schedule reports for specific stakeholders Firewall Module Change Report Different modules may have different policies Examine Policy Installations on specific modules Track policy changes on each module 61 30

31 Case Study: TransUnion Business Drivers Firewall change management to ensure correct configuration Automation of rule base assessment to eliminate human error and increase efficiency Compliance with security standards Why Tufin Real-time change management and policy analysis Intuitive user interface Results Improved network security and uptime Risk management and business continuity Proactive security enforcement Regulatory compliance 62 Case Study: AXPO Group Business Drivers Automate the audit process for firewall configurations Policy optimization to minimize unnecessary exposure Need to analyze firewall policies for potential vulnerabilities and configuration errors Why Tufin Real-time tracking and reporting Intuitive and easy to use Fanatical technical support Results Lower operating expenses Improved performance Enforcement of corporate security policies Implementation without additional manpower 63 31

32 Tufin Technologies is Making Security Manageable Thank You 64 Persone e Idee nell I&CT dal 1990 Company Overview Marco Maccari Sales Manager La Sicurezza è Nulla Senza Controllo Milano 18 marzo 2008 Harbour Club 32

33 La Nostra Missione Fornire al mercato soluzioni... Affidabili Innovative Personalizzate...in ambito Networking e Sicurezza ICT... attraverso competenze tecnico/commerciali e partnership con players leader di mercato EPS Datacom Srl 66 Chi Siamo Fondata nel 1990 con sede a Roma. 50% staff tecnico Approccio cross del mercato. Difesa, PAC/PAL, Telcos, Utilities, Enterprise. Team di specialisti Commerciali e Tecnici entrati in organico nel Settembre 2007: Inizio delle attività nel Nord-Italia (Milano). EPS Datacom Srl 67 33

34 ISO 9001 : 2000 SOA cat. OS 19 e OS 30 Certificazioni e Qualificazioni Autorizzazione di 1 Grado, per impianti di TLC, del Ministero delle Comunicazioni (D.M.n 314/92) Abilitazione ad operare in ambienti militari. Certificatore per installazioni secondo la legge 46/90. EPS Datacom Srl 68 I Nostri Ambiti e le Nostre Attività Consulenza Progettazione Sicurezza Cablaggio Post-Vendita Networking Delivery EPS Datacom Srl 69 34

35 Progettazione Cablaggio Strutturato Infrastrutture di Networking. LAN, WAN, Wi-Fi, Videoconferenza su IP QoS Controllo, Ottimizzazione e Accelerazione della WAN. Sicurezza del Perimetro Firewall, VPN, IPS Sicurezza della Mail e del Web Sicurezza dell Accesso Strong Authentication Password Management NAC Sicurezza dei Dati Encryption EPS Datacom Srl 70 Delivery,Post Vendita, Consulenza Per le soluzioni che progettiamo siamo in grado di fornire Installazione, Configurazione, Tuning Personale specializzato con diverse certificazioni tecniche in diversi ambienti operativi. Network Assessment Security Assessment Vulnerability Assessment Penetration Test Body Renting Sviluppo software a task Servizi di manutenzione (8x5-24x7) Help Desk Supporto On-Site Hardware Advanced Replacement Servizi di supporto qualificato On-site Applicativo e/o Sistemistico EPS Datacom Srl 71 35

36 Le Nostre Partnerships CABLAGGIO EPS Datacom Srl 72 Le Nostre Partnerships NETWORKING EPS Datacom Srl 73 36

37 Le Nostre Partnerships SICUREZZA EPS Datacom Srl 74 Grazie. EPS Datacom Srl 75 37