White paper. Cyberoam. Cyberoam s Layer 8 Technology Protecting the weakest link in your security chain the USER!

Transcription

1 White paper Cyberoam Cyberoam s Layer 8 Technology Protecting the weakest link in your security chain the USER!

2 Cyberoam's exclusive Layer 8 technology which treats user identity as the 8th Layer or the human layer in the network protocol stack, enabling organizations to overcome the limitations of conventional UTMs/firewalls which bind security to IP addresses alone. By implementing Layer 8 security in their networks, administrators can gain real-time visibility into the online activity of users while creating security policies based on their usernames. Introduction Imagine an Internet without the facility of domain name servers (DNS) - would you rather keep count of the thousands of machine-readable, numeric IP addresses ( , etc.), or simply recall your favorite domain name: yahoo.com, facebook.com, etc? Now, think about the frustrations of a typical network administrator whose duties include reviewing logs generated by the web and mail activity of several hundred users, retrieving each and every computer name by its unique IP address and managing multiple user accounts. The problem is further compounded by a shared, and dynamically-changing computing environment where administrators have to regularly update Internet access privileges for changing user scenarios: new joinees, leavers, employees in new roles. Furthermore, in dynamic DHCP and Wi-Fi environments, users can often cover their tracks by hiding behind the common IP address or machine to visit inappropriate websites, videos, infected files and more. In the absence of user-centric logs and reports, it is impossible to keep track on which user opened a specific website or application at a particular time. It may get worse due to the rise of insider threats at the database level. Data demands of various users, poor access controls and excess permissions leave systems vulnerable to malicious internal users, especially the ones with technical knowledge of the database systems. Without being traced, they can exploit scripts, programs, toolkits, IP spoofing or unauthorized backdoor accounts, which can lead to fullblown database disclosures. I [email protected]

3 The User: the Weakest Security Link in an Organization In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files. Earlier, another DuPont research scientist was sentenced to prison for 18 months. Some of these attackers use social engineering tactics, where they use persuasion skills on the target victims to create gaping security holes in the network. An ex-employee casually sends a chat message on Yahoo messenger, a standard mode of communication in an organization, asking ex-colleagues to look into his new photos hosted on an unknown URL. The unsuspecting ex-colleagues click on the link which prompts them to enter their Yahoo log-in IDs and passwords. Unknown to them, the log-in information is now captured by the ex-employee. In this way, he has a good repository of corporate passwords. The attacker now has the ability to log on into Yahoo! anytime, under the disguise of his former colleagues, misguide customers and put the organization at risk. As per the traditional perimeter model of security, organizations would be more concerned about outside-in threats where firewalls, IDP etc. detect common phishing frauds, hackers and more. Currently, following such an approach neglects the most critical and weak security component: the human element. In an inside-out threat scenario, human users, either out of sheer ignorance or malicious intent, can become the weakest link in the security chain. As mentioned previously, shared computing environments such as the multiple user-per machine setting are conducive for viruses, Trojans, worms etc. to propagate unchecked in the networks. They also encourage users to freely surf prohibited sites e.g. pornography, proxies etc. by hiding behind the IP address or someone else's machine. Many security architects would admit that their networks often resemble what is known as "Coconut security": hard on the outside, soft in the inside. All the protection and security resources are directed towards the perimeter, trying to keep the bad guy disarmed. However, the soft inside is what the attackers are really after and the security solution is ultimately about getting to the crux of it all i.e. knowing the insider threat source for instantaneous action against security breaches. For instance, many employees use instant messengers, webmail attachments and social networking sites without authorization which can create avenues for malware and data leakage. In another scenario, heavy downloading and online gaming by some users can take its toll on network performance as these are bandwidth-eating applications. Sometimes, even a single user can bring the entire network to a crawl as it gets flooded with unnecessary traffic. The problem gets more serious with malicious insiders. For instance, if a competitor had to gather information about an organization's trade secrets, what would be easier - employing the services of a hacker, or simply targeting an internal employee with access to the organization's confidential information? A study by Ponemon Institute found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. There are many reasons such users like to hurt the company; it could be a feeling of resentment due to an overlooked promotion or salary raise, or just the desire to use existing knowledge gained in the company with a new employer. I [email protected]

4 Cyberoam Layer 8 (Human Layer) technology; Security built around the User's Identity Cyberoam's Layer 8 security system treats user-identity as the 8th Layer or the HUMAN layer in the network protocol stack, thus, attaching user identity to security. This takes organizations a step ahead of conventional security appliances which bind security to IP-addresses. Most organizations have learned to live with the fact that user online behavior is always unpredictable and there's nothing much that can be done no matter how strict the Internet access policies are made. This limitation can be attributed to existing firewalls/utms which are based on the association of the source IP address and the destination IP address with no visibility into source of attacks the user. They are unable to apply userspecific rules to allow multiple machines to share a single IP address. According to these systems, the user's identity is not part of the rule matching criteria considered by the firewall. Accordingly, Cyberoam's Layer 8 concept was derived out of the need for a more robust network security system capable of considering a user's identity as part of the firewall rule matching criteria. It treats user-identity as the 8th Layer or the HUMAN layer in the network protocol stack (see below figure), thus, attaching user identity to security while authenticating, authorizing and auditing the network. This takes organizations a step ahead of conventional security appliances which bind security to IP-addresses. L8 L7 L6 L5 L4 L3 L2 L1 USER Application Presentation Session Transport Network Data Link Physical ASCII, EBCDIC, ICA L2TP, PPTP TCP, UDP BB-8C-E3-E7 User Identity-based Security Policy Controls Cyberoam's Layer 8 Technology treats User Identity as the 8th Layer in the protocol stack Cyberoam network security appliances (UTM, Next Generation Firewalls) offer security across Layer 2-Layer 8 using Identity-based policies Using Layer 8, the administrator is able to create a permanent profile for the user which makes all future authentication possible based on identitybased decision parameters such as username, IP address, MAC address and session ID. The profile is specific to the user and does not ever change no matter what machine he/she operates from in the organization. Once authenticated, the user may be authorized by the administrator users to gain access to the Internet based on various usage parameters including access time, Internet quota, security policies, web filtering, Application controls, bandwidth restrictions and instant messenger controls. Finally, audit logs and reports including identity information related to the authorized user are created and stored in the system. I [email protected]

5 Practical implications of Layer 8 Who is doing what? Who is the attacker? Who are the likely targets? Which applications are prone to attack who accesses them? Who inside the organization is opening up the network? How? Implementing Layer 8 in their networks enable organizations to align their security decisions based on the actual human identities of users instead of IP addresses alone. This translates into a proactive security approach (instead of a reactive one) where security administrators are able to plan ahead, think through what security issues may come up in the future, and successfully make front end efforts to prevent surprise insider attacks. In view of that, a Layer 8-enabled organization is more capable of foreseeing what it coming down the road, and where the attackers are coming from. Measuring User Threat Quotient (UTQ): In an era of fluidity of network perimeters where employees, customers and partners require access to different levels of sensitive business information, administrators feel the constant need to review the changing threat scenario posed by various users. This is done by measuring their user threat quotient (UTQ). In making the administrator task easy, Layer 8 involves identity-based heuristics. Once, the required information is gathered, administrators can calculate the UTQ by rating various users based on various parameters. For example, the susceptibility of users to attacks may be ascertained by their employee status whenever there's a new joinee or a terminated/expelled employee, the threat incidence will become more pronounced because administrators notice deviations from normal acceptable user behavior. Administrators would also be interested in analyzing who is doing what and when in the network. This would furnish details such as usage of anonymous proxies, downloading hacking tools, accessing data off-hours, and the total amount of data downloaded. Any malicious activity by users would automatically raise the red flag because the administrator would have the entire context of his/her activity repeat wrong password attempts, intrusion/hacking attempt alerts and more. It also enables individualized education for the end user. Adding speed to security: Organizations often go to great lengths in securing their physical infrastructure. They may store highly sensitive information in a special computer room, lock server areas, deploy CCTV cameras and anti-theft alarms and restrict contact access of employees to different departments/zones of a building. What if it were possible to build in similar levels of protection to prevent information theft Layer 8 protects corporate data and servers from unauthorized outside access while granularly preventing chosen internal users from accessing LAN-residing sensitive data such as customer records, tenders and contracts, internal files and applications and more. Since, access control policies can be configured directly based on username rather than through IP addresses alone, administrators can take faster decisions on preventing unauthorized entities (outsiders, malicious insiders etc.) from breaching past the company's perimeter. This automatically adds speed to security. I [email protected]

6 Cyberoam s integrated security built around Layer 8: Cyberoam has incorporated the Layer 8 security paradigm in its Next Generation Firewall (NGFW). The Layer 8 design penetrates through each and every security module of these appliance and enables administrators to apply security, connectivity and productivity policies on users. Wireless WLAN Security! Segmented network for employees and guests! No common pre-shared keys: prevent information theft! Layer 8 authentication and identitybased reports Firewall! Embed user identity in rule-matching criteria! Role-based administration! Granular IM, P2P & Applications control! Prevent IP spoofing attacks! VLAN support: work & profile-based groups Intrusion Prevention System! Identity-based IPS policies for users and groups! Identity-based alerts and reports! Prevent user-targeted blended threats, backdoors etc Cyberoam iview Logging and Reporting! Intrusion events and policy violations! Identity-based reporting: who is doing what! Web surfing trends and search reports! Top unproductive sites and users! Virus and intrusions reporting User Layer 8 Security appliance individual users Content Filtering! Policies on users, groups, departments, hierarchy! Block users from malware-laden sites! Blocking IM, P2P applications & proxies! Know who is surfing what Bandwidth Management! Committed bandwidth for regular users! Traffic routing based on user needs for assured QoS! Establish priorities based on users, categories, applications! Time-based bandwidth allocation for users Instant Messenger controls! Prevent employees from idle chat! Block file transfers, webcams, video! Restrict who can chat with whom! IM audit logs to study user behavior! Keyword-based content filtering on chat window Application Layer 7 Visibility and Controls! Visibility and controls on applications' usage by users! Organization-wide application access policies for individual users! User hierarchy-based applications access control I [email protected]

7 Layer 8 across Cyberoam s entire Security Portfolio The Cyberoam identity-based firewall offers an interface for achieving unified security allowing rules for all features to be configured and managed from the firewall page with complete ease. Layer 8 binds the security features to create a single, consolidated security unit and enabling the administrator to change security policies dynamically while accounting for user movement joiner, leaver, rise in hierarchy etc. Through the Cyberoam Intrusion Prevention System, Layer 8 identity-based policies can be applied for users as well as user groups. Identity-based alerts and reports are generated everytime DoS/DDoS attacks, malicious code transmission, backdoor activity, blended threats occur due to user activities. Cyberoam's identity-based reporting module, Cyberoam iview, pinpoints precise network activity for each and every user. The iview dashboard shows all network attacks on a single screen with third level drill-down reports (1000+ reports) for investigating the attacks, and the users behind them. Wireless WLAN security : Cyberoam network security appliances offers high performance, Layer 8-based security over WLAN networks in order to secure wireless networks to the same extent as wired networks. Cyberoam offers strong user authentication, Internet access controls and reports with identity-based approach and offers separate Guest and Employee Network Access. With this, it has the ability to trace user specific activities while reducing the risk of information theft and liability of cyber terrorism attacks. Meeting regulatory compliance norms : Given the magnitude of threats to employee, customer, and corporate data, compliance regulations such as HIPAA, GLBA, SOX, PCI DSS, and more are forcing organizations to undertake security measures that control the access and activity of users. Faced with penalties in the case of non-compliance with regulations and loss of reputation in the case of data loss, organizations are under growing pressure to implement compliance measures within their network premises. Cyberoam's identity-based content-filtering feature streamlines the management of corporate Internet access by monitors Internet traffic generated by each user, the time one spends on Internet resources and allows setting access limitations based on time and day of the week. In addition, Cyberoam network security appliances offer a user, time and role-based bandwidth management approach which ensures users consuming huge amounts of bandwidth for nonproductive work are prevented at the time of policy-making. Cyberoam Instant Messaging Controls with Layer 8 identitybased approach keeps productivity under check by allowing administrators to control who can chat with whom over all communication mediums like text chat, webcam, file transfer. Cyberoam Product Portfolio CR NG series UTMs CR NG series NGFWs Virtual Security Appliances Cyberoam Central Console (CCC) CR iview (Logging & Reporting) Cyberoam Awards & Certifications VPNC CERTIFIED Portal Exchange Firefox JavaScript Basic Network Extension Advanced Network Extension VPNC CERTIFIED Basic Interop AES Interop BEST BUY PC PRO RECOMMENDED EDITOR S C H O I C E RECOMMENDS Toll Free Numbers USA : India : APAC/MEA : Europe : C o p y r i g h t Cyberoam Te c h n o l o g i e s Pvt. L t d. A l l R i g h t s R e s e r v e d. Cyberoam & Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. Ltd. /TM: Registered trade marks of Cyberoam Technologies Pvt. Ltd. Technologies or of the owners of the Respective Products/Technologies. Although Cyberoam attempted to provide accurate information, Cyberoam assumes no responsibility for accuracy or completeness of information neither is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice. I [email protected]