Network Box: Network Security Trends In Asia, June 2008
An unfortunate reality: When Asian organizations plug into the Internet, they often forget the Internet is also plugged into them.
Except "forget" usually means:
- Treating security as a bolt-on item which can be added to the network later.
- Assuming that "those guys in the IT Department" can fix anything, as long as management puts enough pressure on them.
- Taking any evidence that IT actually did manage to fix a security breach last time as proof they can do so next time.
...and things are only getting worse.
The need for Asian organizations to secure their networks has never been greater:
- There is an attack attempt every 3 seconds.
- An intrusion attempt every 20 seconds.
- An incoming virus threat every 7.5 minutes.
- An incoming SPAM every 18 seconds.
- About 67% of all emails are infected or are SPAM.
- At work, 58% of web use is non-business.
- There are over 30 billion web pages to monitor.
Source: Network Box Security Operations Center, 2008 Threat Statistics (average per customer site, year to date).
...particularly from Denial of Service Attacks, Spyware and SPAM, aided by a growing number of new threat vectors: Spyware, Identity Theft, Encryption, Distributed Denial of Service Attacks, Spoofing, Zombies, Keyboard Loggers, Phishing, Open Proxies, Pornware.
Asia ranks #1 on McAfee's threat list this year.
- The Hong Kong (.hk) domain is the world's most dangerous place to surf the Web: 19.2% of all web sites ending in ".hk" pose a security threat to Web users.
- The China (.cn) domain is the world's 2nd most dangerous place to surf the Web: 11% of all web sites ending in ".cn" pose a security threat to Web users.
- Overall, the chance of downloading spyware, adware, viruses or other unwanted software from surfing the Web increased 41.5% over
Source: McAfee "Mapping the Mal Web Revisited" report, 2008. Report released June via PRNewswire.
Asia ranks #1 on Network Box's Threat Map too.
So what should you do? Realizing that a traditional firewall and some pull-update anti-virus software are not enough anymore is at least a good start.
UTM, the next generation firewall. Unified Threat Management (UTM) is the next generation of firewall technology, offering combined protection against all types of Internet threats:
- Hackers, Bots and Automated Attacks
- Viruses, Worms and Trojans (Backdoors)
- Phishing, Pharming, Mail Bombs and Hoaxes
- Spyware, Greyware and Malicious Adware
- Advertising SPAM, Malicious SPAM and Offensive SPAM
- Undesirable Content and Company Policy Enforcement
Network Box UTM+:
- Firewall (State-of-the-art Hybrid Design)
- VPN (Virtual Private Networking)
- IDP (Intrusion Detection and Prevention)
- Multi-Layer Anti-Virus Gateway
- Multi-Layer Anti-SPAM Gateway
- Multi-Layer Anti-Spyware Gateway
- Content Filtering Gateway
- Company Policy Enforcement Gateway
- Traffic Shaping, Policing and Quality of Service Control
- Real Time and Weekly Alerts and Reports Generation
Image: Network Box E-1000 UTM+
Secure networks, starting at the gateway. Diagram: Basic Network Box Unified Threat Management Installation (actual configurations and requirements vary site by site).
UTM Plus: Network Box HQ Security Operations Centre.
- Award winning real-time PUSH update technology. World class protection: updates are pushed out within just seconds of new threat signatures becoming available.
- Professional Managed Security Service, run by experienced teams of highly focused security experts, utilizing over a dozen network operations centers spanning the globe.
- Real-time Hardware Monitoring of over 200 important system health metrics, to ensure business continuity.
Pushed, managed and monitored. Network Box UTM+ is the way other UTM devices will be in the future. With Network Box, the future of UTM is already here...
The number of security updates required each day is growing rapidly, and these updates are critical. Chart: Real-Time Updates Per Day (Security Patches; Malware Signatures; SPAM Signatures; Content Filtering Database), mean average updates per day.
Network Box Global Security Awards:
- Hong Kong Technology Company of the Year 2007, Computerworld
- SME World Magazine, Best Security Solution 2007
- MIS Asia Magazine, Named Rising Star 2007
- Silicon Valley Communications, Info Security Hot Company 2006
- ZDNet UK Editors' Choice 2006, Network Box SME-250
- Personal Computer World Five Star Recommended 2006
- Winner of the IT Excellence Gold Award 2004
- Achieved an Editors' Rating of 8.5 in ZDNet UK Reviews 2006
- Security Appliance of the Year 2006, Linux Pilot
- PC3 Magazine Review: Awarded Editors' Choice Award
- ZDNet Australia Technology & Business Editors' Choice Award
- APICTA (Asia-Pacific ICT Award) 2004
- Security PC Best of the Best Award
- C3 Expo Best of Show 2005, Enterprise Services
- German IT 2005 Innovation Award, IT Security
- HWCC Emerging Technology Award 2005
Taking managed network security global.
Real-time help from real people: Network Box Hong Kong SOC.
The worst problems this month: Spam Storms, NDR Spam Storms and SYN Flood Denial of Service Attacks are seriously threatening Business Continuity across Asia.
Spam Storms: Spam Storms have been occurring with greater and greater frequency across Asia. Typically, organizations see SMTP connections rise by a factor of a hundred or more during such events. In some cases a Spam Storm is the result of actual spam emails; in some cases the gateway is the target of a DHA (Directory Harvest Attack). The result is the same: the gateway chokes.
Spam Storms, what you can do:
- Install Pre-Envelope Scanning at your gateway. This can (and will) massively reduce spam.
- Ensure you have Threshold Limiting configured at your gateway, so you can monitor and differentiate normal traffic from bot-net traffic.
- Augment your monitoring system with Tar-Pitting, which will allow you to drastically slow spammers down, helping legitimate emails get through.
NDR Backscatter: NDR (Non Deliverable Receipt) emails are usually legitimate emails, sent to let senders know that an email was not delivered for whatever reason. Spammers using bot-nets have recently been creating havoc by sending out huge numbers of spam emails with spoofed return addresses on them. If your domain has been chosen by a spammer as a return address, you will typically see hundreds of thousands of NDR emails arriving at your gateway.
NDR Backscatter, what you can do:
- Digitally sign outgoing emails at your gateway. This will allow your gateway to recognize genuine NDRs.
- Ensure that your gateway will properly recognize and allow your digitally signed emails.
- Install Pre-Envelope Scanning technology; this can dramatically reduce the number of spam emails which actually require processing.
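As an added illustration (not Network Box's own code), the following Python sketches one way to implement the "digitally sign outgoing emails" advice above, in the style of BATV (Bounce Address Tag Validation): the gateway rewrites the envelope sender of outgoing mail with a keyed, expiring tag, and an incoming bounce whose recipient carries no valid tag is treated as backscatter. The key, the seven-day validity window and the addresses are constructed for the example.

```python
import hashlib
import hmac
import re
import time
from typing import Optional, Tuple

# Constructed key for this example only; a real gateway keeps it in its configuration.
SECRET = b"example-gateway-key-not-for-production"
VALID_DAYS = 7      # a tagged return path is accepted for this many days
KEY_ID = "0"        # one digit, so the gateway can rotate keys later
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")


def _day_number(day: Optional[int]) -> int:
    """Whole days since the Unix epoch (a continuous count, so wrap-around is simple)."""
    return int(time.time() // 86400) if day is None else day


def _mac(day: int, address: str, secret: bytes) -> str:
    """Six hex chars of HMAC-SHA1 binding the expiry day to the real sender address."""
    msg = f"{day % 1000:03d}{address.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address: str, day: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Rewrite the envelope sender (MAIL FROM) of an outgoing message as
    prvs=<key><ddd><mac>=<address>; the visible From: header is left untouched."""
    day = _day_number(day)
    return f"prvs={KEY_ID}{day % 1000:03d}{_mac(day, address, secret)}={address}"


def check_bounce_recipient(rcpt: str, today: Optional[int] = None,
                           secret: bytes = SECRET) -> Tuple[bool, str]:
    """For an incoming bounce (MAIL FROM:<>), decide whether the RCPT TO address
    carries a tag this gateway issued. Returns (genuine, original address or reason)."""
    today = _day_number(today)
    m = TAG_RE.match(rcpt)
    if not m:
        # We never sent mail with an untagged return path, so this NDR is backscatter.
        return False, "untagged recipient"
    key_id, day_str, mac, original = m.groups()
    if key_id != KEY_ID:
        return False, "unknown key id"
    age = (today - int(day_str)) % 1000      # modular: 999 -> 000 rolls over cleanly
    if age > VALID_DAYS:
        return False, f"tag expired ({age} days old)"
    if not hmac.compare_digest(mac, _mac(int(day_str), original, secret)):
        return False, "bad signature"
    return True, original
```

Untagged bounces can be rejected at RCPT TO, which keeps them out of the scanning pipeline entirely.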
Pre-Envelope Scanning, System Overview: Email envelope pre-scanning is a new technology which allows Network Box S-M-E systems to make a very sound judgment on whether an email is from a spammer or not, without needing to actually download or scan the email itself. Pre-scanning is very fast, and relatively simple. By pre-scanning, it is possible to reject emails known to be spam without having to pass them through a full, very resource-intensive scan process. This new technology can:
- Massively reduce unnecessary system loading from unwanted spam emails.
- Free up valuable Internet bandwidth from being wasted by incoming spam.
- Significantly lower the stress on Network Box hardware, increasing reliability.
In real world usage, pre-envelope scanning has helped Network Box customers reduce their anti-spam scan loading by between 60% and 80%. On larger sites, this can mean several hundred thousand spam emails not being downloaded every day. The remaining spam can then be dealt with using up to twenty-five anti-spam techniques and engines, including state-of-the-art multi-pass OCR (Optical Character Recognition) functionality. The more system resources are freed up by pre-envelope scanning, the more resources there are to deal with the remaining spam.
Pre-Envelope Scanning Logic: Email envelopes are read by the Network Box, and recipient addresses are compared against a preexisting list of known recipients. The list of known recipients can either be entered directly, or can (much more efficiently) be gathered in real-time from an LDAP or Active Directory server. If any of these emails are found to be addressed to unknown recipients, they are rejected BEFORE any scanning takes place. Real world testing shows that for most sites, between 60% and 80% of SPAM will have been removed by this stage in the process. The remaining email is then scanned by the Network Box system's anti-malware and anti-spam engines, including state-of-the-art multi-pass OCR (Optical Character Recognition), to block virus infected emails and policy violations, as well as any remaining spam.
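The following Python, added here as an illustration rather than taken from the Network Box product, models the pre-envelope scanning logic just described together with the Threshold Limiting and Tar-Pitting advice from the Spam Storms slide: unknown recipients are rejected at RCPT TO before any message body is accepted, and a source that opens more connections than a threshold within a window has its SMTP banner delayed. The recipient list, threshold values and traffic sample are constructed for the example (the list stands in for one pulled from LDAP / Active Directory).

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class EnvelopeGateway:
    """Toy SMTP front end: rejects unknown recipients at RCPT TO (before DATA),
    counts connections per source over a sliding window, and tarpits sources
    that exceed the threshold."""

    def __init__(self, known_recipients: Iterable[str], threshold: int = 20,
                 window_s: float = 60.0, tarpit_s: float = 5.0) -> None:
        # In production this set would be populated from LDAP / Active Directory.
        self.known = {r.lower() for r in known_recipients}
        self.threshold = threshold
        self.window_s = window_s
        self.tarpit_s = tarpit_s
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def connection_delay(self, src_ip: str, now: float) -> float:
        """Seconds to hold the SMTP banner for this source; 0.0 for normal traffic.
        Tarpitting slows a bot down without cutting off a busy legitimate relay."""
        q = self.recent[src_ip]
        while q and now - q[0] > self.window_s:
            q.popleft()                      # drop connections outside the window
        q.append(now)
        return self.tarpit_s if len(q) > self.threshold else 0.0

    def rcpt_to(self, address: str) -> str:
        """SMTP reply for RCPT TO. A 550 here means the message body is never downloaded."""
        if address.lower() in self.known:
            return "250 2.1.5 OK"
        return "550 5.1.1 No such user"


# Constructed traffic sample: one legitimate sender plus a directory harvest
# attack guessing addresses from a single source. Tuples are (ip, seconds, [recipients]).
SESSIONS: List[Tuple[str, float, List[str]]] = [("198.51.100.7", 5.0, ["alice@example.com"])]
SESSIONS += [("203.0.113.9", float(i), [f"user{i}@example.com" if i != 7 else "bob@example.com"])
             for i in range(30)]


def run(sessions: List[Tuple[str, float, List[str]]] = SESSIONS) -> Dict[str, int]:
    """Replay the sample through the gateway and count what reached the full scanner."""
    gw = EnvelopeGateway(["alice@example.com", "bob@example.com"])
    stats = {"to_full_scan": 0, "rejected_pre_data": 0, "tarpitted_connections": 0}
    for ip, t, rcpts in sessions:
        if gw.connection_delay(ip, t) > 0:
            stats["tarpitted_connections"] += 1   # a real server would sleep here
        for r in rcpts:
            key = "to_full_scan" if gw.rcpt_to(r).startswith("250") else "rejected_pre_data"
            stats[key] += 1
    return stats


if __name__ == "__main__":
    print(run())
```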
SYN Flood Denial of Service Attacks: Some VERY significant SYN Flood Denial of Service attacks have been seen in Asia this month. The most extreme case, occurring during the last few days, saw more than 450 million spoofed connections in the space of 12 hours. Some of these SYN Flood Denial of Service Attacks are so powerful that they are actually impacting the target's ISP and resulting in significant packet loss.
SYN Flood, what you can do:
- Talk to your ISP. Work out what your ISP is actually willing to do, and who you need to call, BEFORE you are attacked.
- Install a second non-public line, so that you can monitor and respond even if your primary Internet connection is under heavy attack.
- Make sure your equipment and bandwidth are up to the job. If your connectivity is 80% utilized even under normal load, you are starting with a serious disadvantage.
On a more positive note: It is not ALL bad news, however. New technologies are being developed all of the time to make IT Managers' lives easier, and computer networks safer.
Mail Portal System, System Overview: The Mail Portal system allows end users in organizations using SMTP servers to have direct control of their quarantined emails for the first time. This means that in the event that an end user sees an email which has (in their opinion) been incorrectly blocked as spam, they can, with no more effort than ticking a checkbox and clicking a single button, have that email released. Using the same easy to understand report, users can tick an additional checkbox to request that a sender is white listed in the future, should that user so desire. Mail Portal reports are usually delivered to end users on a daily basis. However, this report is configurable, and can be delivered weekly, daily, twice a day, hourly, or indeed delivered to conform to whatever timeframe suits the customer's organizational requirements. These reports are delivered via email to each of the users in the organization who wish to receive them. Users can immediately see all of the emails sent to them which were classified as spam during the timeframe concerned, just in case any genuine emails (called "ham", as opposed to spam, by the anti-spam industry) were incorrectly blocked for any reason. Even if a sender is white listed, however, it is worth noting that in the event any future email from that sender contains company policy violations, or a computer virus, or a computer worm, it will still be quarantined by the Network Box by default.
Mail Portal Example:
- Summarizes all email addresses used by one person for maximum ease of use.
- Mail statistics are given, showing both top senders and top recipients.
- Percentages of Clean emails, Spam and Malware are shown, as well as percentages of received versus sent email.
- Email volume for the time period is shown.
- Spams which have been quarantined by the Network Box are shown, with options for: Viewing, Scheduling, Release Request, White Listing.
- Malware blocked is also shown (below the visible area shown in the example), but end users are not normally given the option to release malware, for obvious reasons.
Live Watch System, Live Watch Examples: Firewall Status Live Watch Screen; Web Proxy Status Live Watch Screen.
- The Firewall Status Live Watch view (example shown) can be used to monitor both incoming and outgoing traffic: time, source, port, destination, protocol and target. Firewall usage, as well as Top Blocks in the last 5 minutes, is also displayed.
- The Web Proxy Status Live Watch view (example shown) shows URLs blocked in real time, as well as usage and performance statistics. Blocked sites information includes the time the website was blocked, the name of the site, the category of the site (adult/sexually explicit, gambling etc.), the user who tried to access the blocked site (if authentication via LDAP or Active Directory is available), and the source IP address.
- IDP Status Live Watch and Mail Status Live Watch are also available in the system.
Recent attacks on all Live Watch screens are shown in red, for enhanced visibility.
Adobe PDF Format Reporting, System Overview: The move to the Adobe PDF format allows for greatly enhanced document management and printing, in particular for IT Departments using Document Management systems, as these universally support Adobe PDF format documents. Most organizations require weekly reports. However, these reports do not have to be sent out on a weekly basis, and can actually be sent out once a month, week or day, to meet differing requirements. A great amount of detail is required for reports to be genuinely useful. Some examples include overall CPU, Disk and Workload summaries; Network throughput, including Internet, Local and VPN metrics; and Firewall activity, including Hacker protection and Policy Enforcement. Not only should detailed current statistics be shown, but comparisons against previous time-frames should be included. This means that an organization's IT Management will automatically have a comprehensive bird's eye view of their gateway activity, and can therefore make extremely informed decisions about their IT infrastructure without needing lots of ongoing manual investigation.
Adobe PDF Format Reporting, Table of Contents. Example report pages shown: System Utilization Report, Email Report, Network Throughput Report.
- Unit Name, Activity Period Covered and Activity Occurred
- Number of Protection Level Updates / Direct Maintenance Jobs
- System Utilisation: CPU Utilisation / Disk Utilisation / Workload Summary
- Network Throughput: Internet / Local / VPN Summary
- Network Box NOC Services: Threat Signature Updates, Activity Summary
- Firewall: Hacker Protection, Policy Enforcement
- IPS (Intrusion Protection System): Hacker Protection, Policy Enforcement
- Incoming Email: Number Scanned, Malware Blocked / Spam Blocked
- Outgoing Email: Number Scanned, Malware Blocked / Spam Blocked
- Web Proxy: Utilisation, Protection, Policy Enforcement
- FTP: Protection
- Virtual Private Network: IPSEC Connections, PPTP Connections
- System Utilisation: Peak Time, Peak Period
MDR SPAM Protection, System Overview: Spam has fast become the Number One Headache for both IT Managers and end users alike, and increasing numbers of these spams are of a new emerging type. Network Box has named them "MDR Spam" (Multi-Defence-Resistant spam). While at first glance many samples of such messages look identical, an in-depth technical analysis of 1,204 identical looking examples of this type of spam, arriving at a single Network Box, showed they came from 600 unique senders (in 41 different countries), with 599 digitally different copies of the GIF image. Without a sender, source IP, message structure, or unique digital fingerprint to lock on to, it is very difficult to detect and block such spam (without an unacceptably high false-positive rate). Currently as much as 40% of all spam emails are already of this type. Overall, the number of image spams of one form or another has increased by more than 200% year on year. The approach that many anti-spam vendors have taken is to be very aggressive against such image and MDR spams. However, this has the (unwelcome) side-effect of an unacceptably high rate of false-positives: legitimate emails containing images being inadvertently blocked (the cure in such cases is often worse than the disease). Network Box Security Response has therefore released a set of new anti-spam modules to extend the heuristic and signature functionality of Network Boxes, facilitating the examination of the content of images (in the same way that textual content is dealt with).
MDR SPAM Protection, MDR Spam Protection Tools: The Network Box Security Operations Centre Network, which monitors threats worldwide in real-time, is seeing between 78% and 93% of all scanned emails being blocked as spam, varying from moment to moment. Image spam currently represents about 40% of this deluge. Examples shown: MDR On-Line Pharmacy Spam; MDR Stock Spam; MDR Phishing Spam (OCR resistant); MDR Stock Spam (OCR resistant). New MDR Spam algorithms have been released:
- Multi-pass OCR (Optical Character Recognition)
- Adobe PDF Anti-SPAM Heuristic analysis
- Enhanced Heuristic analysis
- Image structural analysis
- Textual content analysis
- Pattern matching analysis
- Fuzzy signature validation
- Object validation
Together these are able to properly combat this growing threat of MDR image spam. The new modules released have been tested against the most recent MDR image spam corpuses, and found to be nearly 100% effective in detecting and blocking such spams, with an almost zero false positive rate. But, more importantly, the inclusion of such a suite of techniques allows the Network Box to adapt to emerging variants of these threats. Image: MDR animated GIF spam, first frame blank to fool anti-spam OCR systems.
Additional Recent Advancements, Network Box S-M-E Features:
- Solid State Drive Primary Storage Systems. Solid state drives have started appearing on more and more computer systems, as diverse as the MacBook Air laptop and the IBM BladeCenter HS21 XM blade server. These drives minimize downtime and outages associated with hard disk drives. Every Network Box S-M-E system now includes a solid state drive as primary storage.
- Fully Redundant Internet Connectivity. As the price of Internet connections has fallen, there has been a very significant spike in the number of organizations installing second (and even third) lines to ensure business continuity. This is an excellent idea which costs very little to implement.
- POP3 Acceleration (Patent Pending). The Network Box POP3 Acceleration system very significantly speeds up the end user's downloading experience in organizations which rely on POP3 email. In extreme cases, the speed difference can be a few seconds, as opposed to a few minutes.
- SSL VPN (Secure Socket Layer Virtual Private Networking). SSL VPN, in addition to PPTP VPN and IPSEC VPN functionality, is now available on all Network Box S-M-E systems. SSL VPN maximizes convenience for Road Warriors, whilst simultaneously ensuring state-of-the-art system security.
Questions & Answers, Network Box S-M-E Features:
- High Security. Configuration, setup and installation are performed by experts. Monitoring of hardware, system availability and on-site maintenance are included in the standard service level agreement.
- Low cost. Network Box costs a mere fraction of traditional competing security systems, and does not require the client to hire additional staff to manage IT security.
- Real-Time Updates. Award winning PUSH technology offers Enterprise Level security for all organizations world-wide.
- Comprehensive Solution. State-of-the-Art Firewall, Intrusion Detection and Prevention, VPN, Anti-Virus, Anti-SPAM, Anti-Spyware, Anti-Phishing, Content Filtering and Company Policy Enforcement functionality are all available.
- Additional Functionality: Multiple Internet Connections; High Availability / Load Balancing; Internet Acceleration; Secure VoIP Gatekeeper; Secure Video Conferencing Gatekeeper; Quality of Service Control, Traffic Policing; Denial of Service Protection, Threshold Limiting; Hardware Fault Tolerance, clustering possible; Live Watch Real-Time Monitoring; Adobe PDF Report Generation; SSL Virtual Private Networking; Anti-SPAM Pre-Scanning, bandwidth protection; Enhanced Image SPAM protection, including Optical Character Recognition technology; Mail Portal System, End User management including SPAM release and white / black listing; Enhanced Network Box Version 3 GUI; Complete Local Support.