Gateway Security at Stateful Inspection/Application Proxy


Presenter: Michael Lai, Sales Engineer, Secure Computing Corporation (MBA, MSc, BEng(Hons), CISSP, CISA, BS7799 Lead Auditor (BSI))

Agenda
- Who is Secure Computing Corporation
- Stateful Inspection vs Application Proxy
- IPS on Application Proxy Firewall
- Web Page Displacement
- P2P/IM Control
- Cross Site Script
- Q&A

Who is Secure Computing Corporation

Secure Computing Highlights

Who We Are
- Public company (NASDAQ: SCUR); HQ in San Jose (USA); worldwide presence; 900+ employees
- Largest independent enterprise gateway security company
- Annual billings run rate ~$300M, profitable, strong cash generation
- Singular focus on the enterprise gateway, to enable safe, secure and productive use of open networks, including the Internet

What We Do
- Technology: perimeter protection (most secure firewalls), identity & access, comprehensive messaging & web gateway security
- Inbound & outbound protection: block the bad and guard the good
- 145 patents pending/granted
- Unmatched protection with TrustedSource, using global intelligence
- Purpose-built gateway security appliances
- Recognized leadership positions by Gartner and IDC

Customers
- 20,000+ blue-chip customers in 106 countries: 60% of Fortune 500; 56% of DJ Global 50; 8 out of 10 top world banks

Enterprise Gateway Security: Integrated, Best-of-Breed Appliances
(Diagram: network gateway and application gateway between the Internet and the data & users)
- Secure your Network Edge: Sidewinder (firewall, AV, IPS) with Connex Control
- Secure your Messaging Communication: IronMail (anti-virus, anti-spam, intrusions, compliance, encryption)
- Ensure proper Identity & Access: SafeWord (authentication, authorization) with Connex Control
- Secure your Web Communication: Webwasher (anti-virus, anti-malware, URL filtering, compliance, encryption)

Stateful Inspection vs App Proxy

Two Kinds of Firewall
- Network-layer packet filters (L3/L4): control based on IP address and port; stateful or stateless
- Application-layer (L7): intercepts all packets travelling to/from an application and inspects every packet for improper content

Proxy Technology vs. Packet Filtering: Only Trusted Proxies Talk to Your Servers!

Proxies (securely processing packets)
- External clients NEVER DIRECTLY CONNECT with the internal application servers
- TWO SEPARATE CONNECTIONS are maintained per client-server session
- ONLY the TRUSTED PROXY is allowed to talk directly to the internal application servers

Stateful inspection (just passing packets) compromises security
- Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS
- SI is more like a router than a true firewall
- COMPROMISING SECURITY to gain performance
- Helping unknown sources get direct connections with internal servers is a POOR SECURITY DESIGN

Application Proxy Technology
- ONLY Sidewinder's trusted proxy is allowed to talk directly to internal application servers
- Two separate connections are maintained per client-server session
- The proxy securely processes client requests to the server
- The proxy automatically strips out attacks that try to introduce malicious commands violating the RFCs
- The proxy may be further configured to tightly enforce a limited-use policy for the application
- Client-server communications are configured to allow only the needed operations and deny all else!

(Diagram: Client -> untrusted TCP/IP stack -> HTTP proxy with layer 7 defenses (full packet assembly, RFC compliance, configured for allowed use, all else denied, scanning engines) -> trusted TCP/IP stack -> server (web server, app server, Oracle SQL, Citrix, VoIP, etc.))

Proxy-Based Application Defenses: The Power of the Positive Model of Security
- POSITIVE MODEL OF SECURITY: deny all methods of communicating with the application unless the methods are explicitly allowed
- Proxy configuration selections define the only allowed communications with the protected applications!
- RFC compliance is automatically enforced
- Not just simple signature-based checks; that is the negative model of security (allow all traffic while looking for known bad content in it)
- Positive-model proxies have a deep understanding of the applications they protect
- The proxy GUI allows very granular control over how clients communicate with protected applications
- Protecting applications this way stops zero-hour (unknown) attacks

Attack Containment & Control: Type Enforcement
(Diagram: SecureOS with Type Enforcement as the "Master Control" in the kernel; FTP, NTP, Sendmail, Web, SQL, OpenSSL, SNMP, Telnet, DNS server and VPN each run in their own compartment)
- Master Control (Type Enforcement in the OS kernel): nothing happens on any file, directory or executable without real-time permission being granted (non-bypassable)
- Compartmentalization of functions: software applications run in secure compartments, which eliminates attack creep from one application to another
- Containment of attacks: if one software piece fails or is attacked, the others keep running unaffected
- Authorization to board: no foreign software (trojans, viruses, attack scripts, etc.) can launch on the system, because it would lack Type Enforcement authorization

IPS on Application Firewall

IPS at a Stateful Inspection Firewall
- Usually there is a great performance drop when the IPS is turned on, for example from 2 Gbps to 300 Mbps
- This is because the firewall cannot apply protocol enforcement: it has no ability to recognize the protocol, and so no ability to scan traffic selectively
- Hence all traffic is scanned against the whole IPS database

Customized IPS for Different Attacks
- Sidewinder allows a customized signature set for each connection, which enhances performance
- A different response can be set for different attacks
- Default rule sets are built in for popular protocols

(Screenshot: in the rule, select how you want the firewall to respond if the signature is hit, then look for the relevant signature groups for the service, e.g. VoIP/SIP, and add them to the rule; the visible rule fragment reads: SIP.SOFTSTONE.REXPLOIT"; content: ")

Signature groups are provided so that the firewall runs at maximum efficiency, employing signatures only for the services and connections you wish to inspect with signatures.
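The following is an added example, not Sidewinder or Snort code, showing the mechanism the two slides above describe: signature groups are bound to services, a flow is classified by its destination port, and only the bound group is evaluated, with each rule carrying its own response. The signatures, the port bindings and the sample flows are constructed for the demo; the attack request line is the one quoted later in this presentation.

```python
"""Added example, not Sidewinder or Snort code: selective IPS signature groups.

A flow is classified by destination port and only the signature group bound to
that service is evaluated, each rule carrying its own response. Signatures,
port bindings and payloads are constructed for this demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    content: bytes   # byte pattern to look for, like a Snort "content:" option
    response: str    # per-rule response: "drop" or "alert"


# Constructed signature groups, keyed by service name.
SIGNATURE_GROUPS = {
    "http": [
        Signature("http.cmd-inject.dir", b"dir+c:+>", "drop"),
        Signature("http.path-traversal", b"..\\", "drop"),
        Signature("http.proxy-connect", b"CONNECT ", "alert"),
    ],
    "sip": [
        Signature("sip.invite-nop-sled", b"INVITE " + b"\x90" * 16, "drop"),
        Signature("sip.empty-via", b"Via: SIP/2.0/UDP ;", "alert"),
    ],
    "smtp": [
        Signature("smtp.vrfy-probe", b"VRFY ", "alert"),
    ],
}

# Service bound to each destination port (assumption: IANA default ports).
PORT_TO_SERVICE = {80: "http", 8080: "http", 5060: "sip", 25: "smtp"}


def classify(dst_port):
    """Name the service bound to the port, or None if nothing is bound."""
    return PORT_TO_SERVICE.get(dst_port)


def inspect_selective(dst_port, payload):
    """Protocol-aware inspection: run only the group bound to the service.

    Returns (verdict, matching rule name or None, number of signatures evaluated).
    """
    service = classify(dst_port)
    if service is None:
        return ("pass", None, 0)          # no group bound: nothing to evaluate
    group = SIGNATURE_GROUPS[service]
    for evaluated, sig in enumerate(group, start=1):
        if sig.content in payload:
            return (sig.response, sig.name, evaluated)
    return ("pass", None, len(group))


def inspect_everything(payload):
    """Protocol-unaware inspection: every signature against every flow."""
    evaluated = 0
    for group in SIGNATURE_GROUPS.values():
        for sig in group:
            evaluated += 1
            if sig.content in payload:
                return (sig.response, sig.name, evaluated)
    return ("pass", None, evaluated)


# Constructed sample flows (the HTTP attack line is the one shown in the demo later).
HTTP_ATTACK = b"GET /cgi-bin/foo.bat? dir+c:+>..\\htdocs\\dir.txt HTTP/1.0\r\n"
HTTP_CLEAN = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SIP_BAD_VIA = b"INVITE sip:bob@shop.example SIP/2.0\r\nVia: SIP/2.0/UDP ;\r\n"

if __name__ == "__main__":
    for port, flow in ((80, HTTP_ATTACK), (80, HTTP_CLEAN), (5060, SIP_BAD_VIA), (9999, HTTP_CLEAN)):
        print(port, inspect_selective(port, flow), "vs full scan", inspect_everything(flow))
```

A clean web request costs three signature comparisons with the group bound to port 80 and six against the whole database; on a real rule base the ratio is what turns the 2 Gbps to 300 Mbps drop on the previous slide into something far smaller, and the per-rule response lets a probe merely alert while an injection is dropped.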

Web Page Displacement

Secure the Passing Traffic
(Diagram: web sites - Internet - firewall)
The firewall should have the ability to handle the traffic passing through it at every layer:
- MAC address (L2)
- IP address (L3) and port (L4)
- VPN (L2-L4)
- IPS (L3-L7)
- Anti-virus and anti-spam (L7)
- Protocol anomaly detection and content control (L7)
- Proxy function

Attack Demo - Identify the Victim: the demo will show a hacker changing the price on a web site selling books and CDs so that he can buy at a very low price.

Attack Demo - Launch an Attack: the hacker runs a script that replaces a file on the web site.

Where Can the Attacking Traffic be Stopped?
- By connection (L2 to L4): yes, if you know the hacker's source IP
- By connection behavior (L3 to L5): no, because it is not a DoS or a network probe; the connection looks the same as one from a normal user
- By IPS (L3-L7): yes, provided the IPS signature includes the particular code, such as cgi-bin/foo.bat? dir+c:+>..\htdocs\dir.txt or cgibin/foo.bat? echo+hacked+owned+by+dr0zz+>>+..\htdocs\index2.html
- By AV (L7): no, because the file passing through the firewall contains text and images only
- By protocol (L7): yes, because most web site attacks violate the HTTP RFC standard. See the demo below.

A Common Solution in HK: Secure your Network Edge
(Diagram: Internet - 1st tier FW - IPS - 2nd tier FW - data & users, in two parallel paths under central management)
- The L3/L4 firewalls cannot scan content
- The IPS is the only chance to block the attack
- This fails to give multiple layers of protection

Solution From Secure Computing
(Diagram: same two-path topology of 1st tier FW - IPS - 2nd tier FW between the Internet and the data & users)
- TrustedSource stops connections from suspicious IPs
- Two different IPS engines (Snort + SCC)
- Content filtering by protocol control

Blocked by Protocol Anomaly Detection: this is a sample of an injection attack. The injected command violates the HTTP protocol, so it can be stopped by the application-layer firewall.
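The following is an added example, not Sidewinder code, that makes concrete both the positive-model proxy described earlier (deny every method and path unless explicitly allowed, enforce RFC compliance) and the claim on this slide that the demo's injection is caught at the protocol layer. It parses the request line the way RFC 2616 defines it and then applies a constructed allow-list policy. The two attack targets are the ones quoted on the demo slide, turned into the request line a client would actually send; the clean and unlisted requests, and the policy itself, are constructed for the demo.

```python
"""Added example, not Sidewinder code: positive-model checks for an HTTP proxy.

Two layers, as on the slides: (1) RFC compliance of the request line
(RFC 2616: Method SP Request-URI SP HTTP-Version, with the Request-URI limited
to the characters RFC 2396 allows unescaped) and (2) a positive-model policy
that allows only listed methods and paths and denies everything else. The
policy and the clean requests are constructed; the attack targets are the ones
quoted on the slides.
"""
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")          # RFC 2616 token
# RFC 2396 unreserved, reserved and %-escaped characters; space, \, <, >, " are not allowed
URI_CHARS = re.compile(r"^(?:[A-Za-z0-9\-_.!~*'()/?:@&=+$,;]|%[0-9A-Fa-f]{2})+$")
VERSION = re.compile(r"^HTTP/\d+\.\d+$")


def check_rfc(request_line):
    """Return None if the request line is well-formed, else the violation."""
    parts = request_line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return "request-line is not Method SP Request-URI SP HTTP-Version"
    method, target, version = parts
    if not TOKEN.match(method):
        return "method is not an RFC 2616 token"
    if not target.startswith("/"):
        return "Request-URI is not an absolute path (abs_path form expected at a reverse proxy)"
    if not URI_CHARS.match(target):
        return "Request-URI contains characters RFC 2396 does not allow unescaped"
    if not VERSION.match(version):
        return "HTTP-Version is malformed"
    return None


# Constructed positive-model policy for the book/CD shop in the demo.
POLICY = {
    "methods": {"GET", "HEAD", "POST"},
    # entries ending in "/" (other than "/" itself) are allowed prefixes; others must match exactly
    "paths": ("/", "/index.html", "/catalog/", "/cart/", "/images/"),
    "max_target_len": 2048,
}


def path_allowed(path, entries):
    for entry in entries:
        if entry.endswith("/") and len(entry) > 1 and path.startswith(entry):
            return True
        if path == entry:
            return True
    return False


def check_policy(method, target, policy=POLICY):
    """Return None if the request is explicitly allowed, else the reason to deny."""
    if method not in policy["methods"]:
        return "method %s is not in the allow-list" % method
    if len(target) > policy["max_target_len"]:
        return "Request-URI is longer than the policy allows"
    path = target.split("?", 1)[0]
    if not path_allowed(path, policy["paths"]):
        return "path %s is not in the allow-list" % path
    return None


def proxy_decision(request_line):
    """Decide one client request line: ('allow', None) or ('deny', reason)."""
    violation = check_rfc(request_line)
    if violation:
        return ("deny", "rfc: " + violation)
    method, target, _ = request_line.rstrip("\r\n").split(" ")
    violation = check_policy(method, target)
    if violation:
        return ("deny", "policy: " + violation)
    return ("allow", None)


# The attack targets from the slides as request lines, a variant with the space
# removed, and constructed clean and unlisted requests.
ATTACK_DIR = "GET /cgi-bin/foo.bat? dir+c:+>..\\htdocs\\dir.txt HTTP/1.0\r\n"
ATTACK_ECHO = "GET /cgibin/foo.bat? echo+hacked+owned+by+dr0zz+>>+..\\htdocs\\index2.html HTTP/1.0\r\n"
ATTACK_NO_SPACE = "GET /cgi-bin/foo.bat?dir+c:+>..\\htdocs\\dir.txt HTTP/1.0\r\n"
CLEAN = "GET /catalog/item.cgi?id=42 HTTP/1.1\r\n"
UNLISTED = "GET /cgi-bin/foo.bat HTTP/1.0\r\n"

if __name__ == "__main__":
    for line in (ATTACK_DIR, ATTACK_ECHO, ATTACK_NO_SPACE, CLEAN, UNLISTED):
        print(repr(line.rstrip()), "->", proxy_decision(line))
```

Both quoted attack lines fail the very first check: the space after `?` splits the request line into four tokens, which no RFC-compliant client produces. Remove the space and the line still fails, because `>` and `\` are not legal unescaped in a Request-URI. A well-formed request for `/cgi-bin/foo.bat` gets past the RFC layer and is then denied by the positive model, because nothing in the policy allows that path; no signature for the particular payload is needed at any point.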

Sample HTTP Attack Stopped by Sidewinder

P2P/IM Control

Block by Protocol Enforcement
- P2P/IM connections that use non-standard ports are blocked by default
- Only P2P/IM that uses port 80/443 can make a connection
- In an application-aware firewall, ports 80 and 443 can be bound to HTTP and HTTPS respectively, so there is no tunnelling
- Only P2P/IM that uses port 80/443 with standard HTTP/HTTPS can pass through
- E.g. Skype will be blocked because it uses non-standard SSL

Block by Content Control
- An application firewall allows you to control the content within the protocol
- Only P2P/IM traffic that has no identifiable type within the protocol can pass through
- E.g. MSN can be blocked by denying the x-msn-message MIME type

Block by URL Filtering
- As the P2P/IM traffic uses standard HTTP/HTTPS, a valid URL should be found
- All P2P/IM can be blocked provided the URL control database includes the URL/IP
- E.g. FOXY file sharing can be blocked

Cross Site Script

The Leader in Proactive Protection

Largest reputation network
- Feeds from thousands of load balancers, firewalls, messaging & web gateways
- Highest quality data: over 100 billion messages/month, millions of URLs

Most reliable reputation score
- 25 research scientists
- Sophisticated behavior analysis
- 450,000+ zombies detected each day
- Best image spam detection

(Diagram: data stores in Portland, Atlanta, Brazil, London and Hong Kong; Internet traffic triggers a reputation query and a reputation score is calculated on a scale from -180 (bad) through suspicious to +180 (good) before the traffic reaches the internal network)

Be proactive in protecting from next generation threats: work with the clear leader in this business!

In the Future
- All incoming connections will be screened by TrustedSource
- Only trusted IPs can make connections to Sidewinder or Snapgear
- The risk of a connection from a hacker or a zombie will be reduced significantly

A Sample Hacked Site Searched on 30 Apr 2008

The Sample Cross-Site Script

Client Protected by TrustedSource
- It may be the hacked site or the final script-hosting site
- AV/IPS can stop the known attack
- Content control can deny the script

Server Protected by Sidewinder
- TrustedSource protects the server from dangerous clients such as zombies
- The app proxy can apply URL control to stop the injection attack and deny SOAP
- AV and IPS can kick out known attacks

Q&A