Technology Blueprint. Protect the Network Perimeter. Controlling what gets through into and out of your organization

Transcription

1 Technology Blueprint Protect the Network Perimeter Controlling what gets through into and out of your organization

2 LEVEL SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL Security Connected The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for SECURITY CONNECTED centralized, efficient, and REFERENCE ARCHITECTURE effective risk mitigation. Built on LEVEL more than two 1decades 2 3 of 4 5 proven security practices, the Security Connected approach helps organizations of all sizes and segments across all geographies improve security postures, optimize security for greater cost effectiveness, and align security strategically SECURITY with business CONNECTED initiatives. The REFERENCE Security Connected ARCHITECTURE Reference Architecture provides a concrete LEVEL path from 1 ideas 2 3 to 4 5 implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe. Controlling what gets through into and out of your organization The Situation Network perimeter protection practices have not changed significantly in the last decade. Most perimeters rely for protection on stateful inspection firewalls with holes liberally poked through them, backed up by noisy and largely ignored intrusion prevention or detection systems. Although perimeter protections have not changed, business and collaboration requirements have driven the use of Internet applications and inter-organization connectivity skyward. These services, located in the demilitarized zone at the perimeter, often traverse the network perimeter with little to no oversight or control. Regulatory compliance has mandated many IT teams bolt on certain controls such as data loss prevention and encryption. From encrypt everything strategies to check box implementations of these solutions, many organizations are still left blind to what gets through the network perimeter. Driving Concerns The external border of the network is the face of your organization. The traffic you permit to flow through your perimeter, both good and bad, can determine the success or potential collapse of your organization. The challenge is to maximize the network s utility and accountability, while minimizing its vulnerability. Most perimeter security needs a facelift. The network perimeter bears the brunt of inbound attacks. Every day, encrypted and polymorphic malware, distributed denial of service (DDOS) attacks, and deliberate, targeted exploitation attempts challenge the availability and security of network perimeters designed for generic problems like static nuisance viruses and standard denial-of-service attacks. Simple port/protocol parity checking is primitive today. When 80 percent of traffic is HTTP over port 80, firewalls must look beyond ports and protocols to the applications inside to determine which traffic is safe. Data loss and regulation also necessitate some new controls at the network edge. The network perimeter is the last control point for traffic leaving an organization. It represents your final opportunity to identify and appropriately handle sensitive information, as well as control the type of traffic flowing out. Consequently, it is the final opportunity to shape external reputation. Finally, the network perimeter is not only your Internet point of presence, but also the hub of connections to business partners, VPN access from remote workers, and inter-organizational connectivity. For business to function, these connections must be secure and reliable. Securing the network perimeter today means modernizing defenses to handle: Management of aging firewall policies. Firewall policies contain rules of uncertain origin, business requirement, and active use. Important rules may not be active, while unimportant rules may be cluttering up and slowing down perimeter defenses. Most organizations have poor visibility into how well rules implement the policies that regulations and governance committees define. Automated attacks. Public-facing services are at risk from distributed denial of service (DDoS) campaigns that threaten business continuity Targeted attacks. Perimeter system vulnerabilities (such as an unpatched web server) must be identified and mitigated to prevent their exploitation Identification of who is doing what and where. To decrease undesirable and risky traffic, the network should help identify and control outbound communications by internal users, protecting against interactions with known villains and risky geographies 2 Protecting the Network Perimeter

3 Noisy intrusion prevention systems (IPS). Being on the network perimeter, IPSs see every packet of traffic the firewall allows through or users send out. Many times, the overwhelming volume of alerts means they are only referred to for post-event forensics. During forensics, the volume also makes it difficult to normalize data when correlating events against disparate data sources. Management of tunneling applications. Tunneled communications can provide unfiltered command and control communication for malware and botnets. Plus, tunneling applications such as Skype can allow invisible data leakage. Blind spots created with encryption. Many organizations either do not have technology in place to allow scanning of encrypted traffic, or have not enabled this facility where appropriate on their perimeters. A high percentage of malicious traffic is encrypted to take advantage of this limitation. Also, determined insiders may encrypt sensitive information to send it outside the company. Solution Description An effective network perimeter architecture enhances your organization s security posture, as well as your visibility. Instead of a hodgepodge of point products that keep critical threat intelligence in silos, the effective network perimeter will build an accountable and complete picture of communications that permits you to easily, effectively, and securely manage traffic flow. Reputation- aware perimeter devices. Perimeter devices should have the ability to review an external host s history of behavior before accepting a connection. This function is most prevalent in gateways for spam and malware detection, but is also a feature of some other perimeter protection devices. Vulnerability management and exploit prevention. Perimeter devices (such as and web servers) should be scanned on a regular basis for known and new vulnerabilities. Since patch management schedules revolve around maintenance windows, business uptime requirements, and threat severity, the network security systems must mitigate vulnerabilities until patches can be installed. Finally, a full data correlation and reporting system should aggregate the current status of these systems. Application discovery and control. Many applications seek outbound connectivity over the communications paths and ports that are commonly open. This traffic includes both critical business applications and malicious traffic. The solution should reliably identify and exert policies over applications including those within HTTP and HTTPS traffic. Detection of tunneling applications. Complete solutions should include traffic flow analysis to perform additional validation of protocols and applications regardless of the channel of communication. Additionally, systems that present external services should be aware of and force compliance to the protocols on which their services are offered. This should also include command and control communication. Appropriate and pervasive encryption management. The solution must be able to decrypt, inspect, and re-encrypt both inbound and outbound traffic to ensure it complies with policies and does not contain malware. However, the system must be flexible enough to recognize and allow certain traffic to pass without decryption as appropriate. This traffic might include sensitive or protected traffic, such as personal health information (PHI). Systems, policy, and event management. The solution must provide practical visibility into events and the systems that are affected, as well as report on the applicability and effectiveness of policy as enforced by active rules. By leveraging an in-depth reporting function, the solution should provide realtime as well as historical situational awareness. Decision Elements These factors could influence your architecture: Is your organization directly connected to business partners and other organizations outside your control (typically via VPN, MPLS, or other direct connection)? What industry or government regulations do you need to comply with (such as HIPAA, NERC, and PCI)? Do you operate in countries where privacy regulations would restrict the level of filtering or SSL decryption that can be performed? Do you already have a DLP solution today? Does it support ICAP? Protecting the Network Perimeter 3

4 Technologies Used in the McAfee Solution The fully integrated McAfee solution includes McAfee Firewall Enterprise and McAfee Network Security Platform, as well as McAfee Vulnerability Manager and its Web Application Assessment Module. Each of these products relies on real-time updates by McAfee Global Threat Intelligence for analysis of breaking threats and subtle risks. McAfee epolicy Orchestrator (McAfee epo ) correlates data between the products and connects network defenses with other security and compliance management and reporting. In the optimal solution configuration, McAfee Firewall Enterprise and McAfee Network Security Platform (NSP) inspect inbound traffic at the network perimeter, leveraging real-time file and network connection reputation from the McAfee Global Threat Intelligence service. The Firewall applies antivirus and antispam; decrypts, inspects, and re-encrypts traffic; and enforces policies (such as geo-location) for blocked and permitted traffic. The NSP then inspects for attacks, leveraging heuristics as well as McAfee GTI file reputations to protect against emerging malware, zero-day attacks, botnets, denial-of-service (DoS) attempts, and advanced targeted attacks. Working with McAfee Vulnerability Manager, the NSP can also shield internal, unpatched assets from attacks against known vulnerabilities according to risk-based assessments of each asset. McAfee Vulnerability Manager with the Web Application Assessment Module will discover and scan networked assets, including perimeter assets such as servers, collaboration servers, and web servers. It will identify vulnerabilities in the applications, the servers, and the operating systems underlying the servers to help you protect these assets before an attacker can exploit them. McAfee epo collects this data and correlates it with countermeasures in place on that host. The IPS analyst can use this data to write riskbased policies for McAfee NSP to enforce. For example, if McAfee NSP detects an exploit for a known vulnerability on the Exchange server, it can block that traffic. Policies can also reduce the volume of unnecessary or unwanted traffic entering and leaving the organization. As a next-generation firewall, in addition to blocking malicious traffic, the McAfee Firewall Enterprise can apply rules based on user roles and the applications that are permitted for each role. Policies: A. MVM with WAAM scans internal hosts for vulnerabilities and sends results to epo B. McAfee epo correlates MVM vulnerability data with NSP threat data and host countermeasure data C. The admin assigns risk, defines NSP policy, and sets policies for Firewall rules based on users and application usage permitted by the organization McAfee Global Threat Intelligence (GTI) File reputation Network connection reputation 4 DMZ 1 2 McAfee Firewall Enterprise 8 C 3 9 Inspection in action: 1. Firewall blocks risky inbound traffic based on GTI network connection reputation and geo-location 2. Firewall scans traffic (IPS, A/V, De/re-encryption) 3. NSP inspects for attacks 4. NSP queries GTI for file reputation to detect new malware 5. Clean inbound traffic delivered to server, web server, and other perimeter-facing services 6. Outbound traffic sent from client systems 7. NSP inspects outbound traffic for malicious activities and content 8. Firewall inspects outbound traffic for IPS, A/V, De/re-encryption, user ID, and destination reputation and enforces user and application policies 9. McAfee systems communicate with McAfee epo for dashboards, data correlation, and reporting McAfee Network Security Platform 7 B McAfee epo A 5 6 McAfee Vulnerability Manager (MVM) With Web Application Assessment Module (WAAM) Collaboration Server Mail Server Web Server User Clients generate outbound traffic McAfee systems inspect and enforce policies on inbound and outbound traffic to protect against attacks and malicious activities. 4 Protecting the Network Perimeter

5 McAfee Global Threat Intelligence (GTI) McAfee products use real-time and historical data to recognize and block connections to and from known malicious and suspicious hosts and content. McAfee Global Threat Intelligence network connection reputation is the comprehensive, real-time, cloud-based GTI service that combines IP address, network port, communications protocol, URL, and file reputation to determine granular risk intelligence. This service enables McAfee products to protect customers against both known and emerging network threats. McAfee collects data from billions of IP addresses and network ports, providing hundreds of trillions of unique views, and calculates a reputation score based on network traffic, including port, destination, protocol, and inbound and outbound connection requests. The score reflects the likelihood that a network connection poses a threat, such as a connection associated with botnet control. The score is based not only on the collective intelligence from sensors querying the McAfee cloud and analysis performed by McAfee Labs researchers and automated tools, but also on the correlation of cross-vector intelligence from file, , web, and network threat data. McAfee products, including McAfee Firewall Enterprise and McAfee Network Security Platform, use the score to determine action based on local policy. This perpetually updated reputation service: Protects endpoints from distributed denial-of-service (DDoS) attacks, botnets, command and control activity, advanced persistent threats, and risky mail and web connections Reduces system and network burden by blocking threats at the network edge Decreases downtime and remediation costs associated with network-based attacks Similarly, the McAfee file reputation service uses the McAfee GTI sensor, analysis, and correlation system to identify malicious content (such as worms, Trojans, or viruses) before signatures become available. The McAfee antimalware engine whether deployed as part of an endpoint antimalware, gateway, or other solution uses the score to determine action (such as block or quarantine) based on local policy. McAfee Global Threat Intelligence is included in the cost of McAfee products that incorporate this service. In some products, McAfee Global Threat Intelligence is enabled by default. If not, you may enable it easily in your McAfee product administrative interface. McAfee Firewall Enterprise McAfee Firewall Enterprise allows you to protect your network from unauthorized users and attackers, and to protect internal users as they access the Internet. McAfee Firewall Enterprise combines an application-layer firewall, user-based policy, IPsec VPN capabilities, SSL decryption and re-encryption, URL filtering, and McAfee Global Threat Intelligence into one security appliance for centralized perimeter security. These features provide powerful configuration options that allow you to control your users access to almost any publicly available service on the Internet, while mitigating threats to your organization. A true next-generation firewall, it integrates advanced capabilities, such as application visualization, reputation-based global intelligence, automated threat feeds, encrypted traffic inspection, intrusion prevention, antivirus, and content filtering, to block attacks before they occur. For example, integrated geo-location in the McAfee Firewall Enterprise allows you to defend against attacks by restricting traffic based on geography. You can formally allow or deny both inbound and outbound traffic based on country. This tactic is especially effective when you also restrict communications with countries where your company does not do business. Finally, when combined with reputation, you are able to assign varying acceptability of risks based on country. Another level of protection integrates the McAfee Global Threat Intelligence (GTI) service to analyze the behavior of millions of hosts connected to the Internet. The Firewall Enterprise can leverage the GTI reputation information to block traffic from any host with a bad reputation. Selective decryption and re-encryption provides intelligent application of visibility on a per-rule basis. By judiciously identifying which criteria to use for decryption perhaps ports, source and destination endpoints, source users and groups, or security zones you can examine risky or sensitive traffic where needed and still maintain end-to-end encryption integrity where legally or technically mandated. The Firewall Enterprise helps you reduce overlapping and conflicting rules and fine-tune rules to ensure Protecting the Network Perimeter 5

6 they take appropriate effect. An intuitive interface immediately identifies firewall rule optimizations as you modify or construct rules. The included McAfee Firewall Profiler helps you instantly analyze network traffic and firewall rules to provide insight into how effectively your firewall configuration is enforcing your corporate security policy. Firewall Profiler reduces the time needed to solve firewall-related network or application outages from hours to minutes, turning substantial manual efforts into a few simple clicks. To assist with compliance, the McAfee Firewall Reporter turns audit streams into actionable information. This award-winning security event management (SEM) tool delivers central monitoring plus correlated alerting and reporting to help meet all major regulatory requirements, including PCI DSS, GLBA, HIPAA, SOX, and FISMA. For maximum scalability and performance, the McAfee Firewall Enterprise can be run on the Crossbeam X-Series. McAfee Firewall Enterprise for Crossbeam delivers carrier-class security performance with speeds up to 40 Gbps of inspected traffic throughput as well as scalability and built-in redundancy. It s designed to meet the growing demand for high-availability security against web threats while reducing the cost and complexity of security infrastructures. McAfee Network Security Platform The McAfee Network Security Platform (NSP) is a purpose built, industry leading IPS system that provides best in class protection. As traffic arrives in the system, the NSP quickly decodes the traffic and interprets the traffic as the client and the server would. Then the NSP uses multiple detection methods to identify if an attack is underway. In addition, the NSP correlates data from McAfee GTI to protect systems against threats among all vectors: file, web, message, and network. By leveraging McAfee GTI, security operations can quickly correlate attacks against threat data to make decisions such as quarantine and blocking that prevent subsequent communications to high-risk networks, senders, and websites. McAfee Network Security Platform combines a single-pass, protocol-based inspection architecture with purpose-built, carrier-class hardware to achieve real-world inspection of more than 10 Gbps in a single device. This high performance is coupled with versatile inspection and enforcement to allow it to be used throughout your network, in addition to the perimeter. For example, an IPS sensor might be placed around the boundary of a datacenter for additional protections against unwanted traffic or be used to inspect virtualized environments and quarantine malicious VMs. The included McAfee Network Security Manager provides dozens of predefined IPS security policy templates to help you get started quickly. In addition to the integrations with McAfee Vulnerability Manager and McAfee epo, optional integrations are available for McAfee Network Access Control, McAfee Network Threat Behavior Analysis, and McAfee Host Intrusion Prevention. These integrations help you achieve complete and seamless control over network activities. McAfee Vulnerability Manager and the Web Application Assessment Module (WAAM) McAfee Vulnerability Manager (MVM) is a highly scalable solution for host discovery, asset management, vulnerability assessment, and reporting on any network-connected device. To help you secure your perimeter, MVM will test each perimeter-accessible system s operating system (Linux, UNIX, or Windows) against multiple checks and return results that administrators can use to fix or mitigate vulnerabilities. The Web Application Assessment Module (WAAM) will probe and test web server software, such as IIS or Apache, as well as any web application for vulnerabilities, such as code executions or injections, and warn of any unpatched or vulnerable web servers. The Web Application scanner can take advantage of pre-built templates to perform a deep scan based on the required checks for PCI, the OWASP Top 10, or CWE/SANS Top 25, or zero in on specific checks such as Cross Site Scripting or path traversals. Both MVM and WAAM will help IT security administrators proactively monitor web servers to discover vulnerabilities or unpatched systems. The Web Application Assessment Module is a completely integrated (user interface, reporting, engine, ticketing) module of McAfee Vulnerability Manager. MVM pulls the data together to give you actionable data so that risk can be calculated and mitigated. 6 Protecting the Network Perimeter

7 Results from MVM and WAAM scans are reported to and accessible on and through McAfee epo providing threat relevancy, attack validation, and workflow simplification. McAfee epolicy Orchestrator (McAfee epo) McAfee epo serves as a central repository for asset management and reporting across this combined perimeter security solution. McAfee epo collects information about assets via multiple discovery techniques, including active scanning from McAfee Vulnerability Manager and passive sensing via McAfee epo Rogue System Detection. Discovered assets are then grouped, tagged, and managed via McAfee epo for use in IPS and firewall event correlation and forensics. McAfee epo correlations can allow IPS analysts to implement NSP policies to protect vulnerable systems until patches are installed. McAfee epo also collects and collates information from all parts of the McAfee framework, providing centralized dashboards, reporting, and automated workflow for dealing with enterprise-wide event remediation. Impact of the Solution Threats at the network perimeter merit a refreshed set of protections to ensure that you can understand and control the traffic that is getting through both into and out of your business. Deploying McAfee Network Perimeter protection will help you significantly improve your risk posture and shrink your attack surface. By limiting communications to and by known high-risk hosts, in many cases before they are able to connect, this solution reduces an attacker s ability to exploit systems through the perimeter. Real-time reputation assessments help your protections keep up with dynamic and evolving botnets, DDoS attacks, targeted attacks, and malicious content. As more traffic travels through HTTP and HTTPS, this solution gives you complete visibility into these and other, often obfuscated, network communications from a risk and requirements perspective. By leveraging both decryption and application discovery and control, malicious and sensitive traffic can be fully inspected, even when encrypted or otherwise disguised, eliminating blind spots. The solution permits granular application of decryption to traffic that is suspicious, high risk, or not subjected to privacy laws. The range of McAfee deployment platforms, including hardened and virtual appliances, helps meets your network infrastructure and budgetary requirements. For example, you can install McAfee firewall and security features to Riverbed Steelhead equipment, adding network and application visibility to Riverbed s WAN optimization and server consolidation capabilities. Integrations with management systems and third parties like Riverbed and Crossbeam speed incident response and simplify compliance reporting while streamlining operations. Q&A Why is decryption of outbound traffic important? Decryption allows identification and control of sensitive information and helps detect and block encrypted malicious traffic. Should I decrypt everything that traverses my network perimeter? No, there are certain things that should not be decrypted for technical or regulatory (privacy) reasons. Other than knowing my vulnerabilities, how does McAfee Vulnerability Manager help me with perimeter protection? McAfee Vulnerability Manager integrates with McAfee Network Security Platform and McAfee epo to provide better visibility and stronger enforcement. On demand, you can see critical host details to understand the relevance of threats to your hosts. For example, if you know what versions of the operating system and its patches are running, and which countermeasures are in force, you can determine if a system is truly vulnerable to a new threat. Protecting the Network Perimeter 7

8 Additional Resources Scanning Web Applications for Vulnerabilities Solution Brief For more information about the Security Connected Reference Architecture, visit: About the Author Joe Brown, CISSP, is a senior sales engineer for McAfee. Joe has over 15 years of information systems security experience. Prior to joining McAfee, Joe led the network security team at Walmart Stores. Joe was the founding chapter president and four-year chapter officer for the Northwest Arkansas Information Systems Security Association (ISSA). Joe is an eight-year veteran of the U.S. Air Force, where he held a number of positions from battlefield management and intelligence functions to network engineering and security. Joe is a graduate of Stephen F. Austin State University, with a Bachelors of Business Administration. Additionally, Joe has done graduate work toward his Masters of Business Administration at the University of Phoenix. The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance Mission College Boulevard Santa Clara, CA McAfee, McAfee epolicy Orchestrator, McAfee epo, McAfee Firewall Enterprise, McAfee Global Threat Intelligence, McAfee Labs, McAfee Network Security Platform, McAfee Vulnerability Manager, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2011 McAfee, Inc bp_protecting-net-perimeter-L3_1111