Whitepaper
Cloud-Based Content Security Service (CSS)
A Technical Overview
September 2010
Table of Contents
1 Introduction ... 2
2 Aruba Content Security Service (CSS) Solution Overview ... 3
3 How CSS Works ... 5
4 CSS Features ... 6
4.1 URL filtering with dynamic classification and enforcement ... 6
4.2 Limit access to social media sites, streaming media and blogs ... 7
4.3 Anti-virus and anti-spyware ... 8
4.4 Advanced Threats ... 9
4.5 Control over browser type, version and plug-ins ... 11
4.6 Monitor IM sessions and web-based email applications ... 11
4.7 Control user bandwidth by application ... 13
4.8 Advanced data loss prevention (DLP) tools ... 14
5 Conclusion ... 15
Aruba Networks Cloud-Based Content Security Service (CSS) A Technical Overview 1
1 Introduction
By some measures, as many as 90% of the workforce is now situated away from headquarters sites, often telecommuting from home or working from small branch locations. IT teams have been making this possible by evolving the distributed enterprise network, the communications fabric that drives the productivity of far-flung global teams. Email, instant messaging, video and voice are all now readily available with just a few clicks over the distributed network, so working from home is as productive as coming to the office. However, much of the traffic at these remote sites is destined for the Internet, making tunneling over the corporate connections slow and cumbersome. Split-tunneling has been introduced as a means to improve remote access to Internet-bound destinations, but this approach presents significant security challenges to both endpoints and corporate resources. As offices become smaller, IT must provide seamless access to corporate communications and data services to enable high productivity, while the network must also be cost-effective and secure.

Aruba's Virtual Branch Network (VBN) architecture represents a breakthrough in remote and mobile worker productivity. On-site, it uses simple remote access points (RAPs), projecting corporate services from the data center, so the remote equipment is minimized and consequently cost and support requirements are very low. Since the RAPs download their code and configurations at power-up, they provide superior security, implementing an 802.1X framework where all devices and users are authenticated by corporate RADIUS servers. And because it is multimedia capable, with full quality of service (QoS) capabilities, it is ready for toll-grade voice and HD-quality video services out of the box. The Aruba VBN solution also supports split-tunneling, which offloads Internet-bound traffic to improve performance and user productivity.

At the same time, Internet-borne attacks and attacker behavior continue to evolve.
Once a source of curiosity and notoriety, attacks have shifted to stealthy exploits motivated by profit and perpetrated by highly organized criminals. Modern attacks are designed to remain hidden while extracting valuable information from unsuspecting users or unpatched servers. What's more, the vectors used to launch an attack have evolved as well, moving away from strictly targeting servers and other network peripherals to exploiting vulnerabilities in applications and web browsers. Attacks originating from the Internet target any unprotected site or location, including branch offices and remote employees or teleworkers. Traditional approaches to mitigating these risks often involve deploying complex point solutions at each location. However, this approach is not cost-effective and often introduces unnecessary latency and poor user experiences.

Aruba Networks Content Security Service (CSS) enhances the native firewall and wireless intrusion prevention capabilities of the VBN product portfolio by providing cloud-based security for branch offices and teleworkers. CSS is a key part of the Aruba VBN solution and seamlessly integrates with the Aruba RAP, Virtual Intranet Access (VIA) agent, and branch office controller product families to provide high-throughput, low-latency content security with centralized reporting and management.
Figure: Remote office and teleworker security with CSS.

Leveraging cloud-based security centers around the world, CSS provides comprehensive protection including advanced URL filtering, peer-to-peer control, anti-virus/anti-malware, botnet detection, data loss prevention (DLP), and more. The logging and reporting provided by CSS offer organizations a flexible and powerful tool to view network/application trends, broad threat classification and analysis, as well as per-user drill-downs of Internet activity. Aruba VBN with CSS delivers advanced cloud-based threat protection against Internet attacks, designed for remote sites and teleworkers.

2 Aruba Content Security Service (CSS) Solution Overview
Organizations that are looking to provide content security in their branch deployments with traditional security solutions are faced with an expensive choice:
- Bring all traffic back to the central site and filter there, which increases WAN costs and introduces latency.
- Deploy security appliances at every site, with a cost per site for equipment, maintenance, configuration, power and cooling.

Companies demand rich security services at all locations, but given that both of these solutions are cost prohibitive, a better approach calls for using a cloud-based multi-tenant architecture. Unlike traditional hosted, single-tenant architectures that require all traffic to pass through a single appliance in a specific data center, Aruba's CSS uses the policy-enforcement center nearest to the user. Each user is routed to the closest geographically situated data center. This eliminates the latency caused by backhauling to traditional threat-management appliances and maintains a consistent security policy no matter where the user travels. CSS works with any Aruba RAP, VIA agent or branch office controller; there are no additional appliances to deploy on site, no client dependencies and no additional software.
The Aruba CSS requires the following components:
- RAP: A lightweight, low-cost network access device that is installed in branch offices and teleworker homes. RAPs provide network access through traditional wired Ethernet connections or through secure wireless LAN (WLAN), and are centrally controlled and managed by Aruba Mobility Controllers. The RAP automatically diverts Internet-destined content to the CSS cloud-based enforcement point.
- VIA: A software agent that provides IPsec or SSL VPN connectivity for Windows-based laptops. The VIA agent automatically delivers network access to road warriors who need to securely connect to corporate resources while away from their home office or branch site. VIA integrates with and is managed by Aruba Mobility Controllers, providing consistent policy enforcement for local and remote network access. And, like Aruba RAPs, VIA supports the ability to divert Internet-bound traffic to CSS cloud-based enforcement points for comprehensive mobile worker security.
- Aruba Mobility Controller: Network infrastructure hardware in the enterprise data center or network core that is responsible for control, configuration, and management of all Aruba RAPs. All communication between RAPs and the Mobility Controller is secured through IPsec tunnels.
- Content Security Service: A network of cloud-based policy enforcement points that scan Internet-bound traffic. Each user logs into the service the first time, and their organization's individual policy is applied. Acting as an invisible proxy, the CSS enforcement points scan requests and returned content for appropriateness.

CSS and VBN provide the following benefits:
- Works from any location: No additional hardware at the remote site and no load on the corporate WAN link.
- Simplified deployment and security: The administrator configures and deploys from a central location, applying consistent policies worldwide, which reduces management and maintenance costs.
- Regulatory compliance: All requests and traffic are scanned for content in both directions using multiple techniques simultaneously. Compliance-based reporting is applied across the entire system.
- Control over all devices: Controls Internet traffic on devices that are outside the administrative control of the organization and applies the same policy to these users.
- Security without additional appliances: Unlike other vendors' solutions, no additional physical equipment is required.
- Visibility, reporting and compliance: Enterprise-wide logging and compliance reporting provide visibility into all user activity in one consolidated view.
Figure: CSS and VBN components.

3 How CSS Works
Aruba CSS takes advantage of the split-tunneling capabilities of the VBN portfolio to effectively manage and secure all Internet-bound traffic, performing the following functions:
- Traffic that is bound for the Internet is re-routed to the nearest CSS enforcement point for inspection.
- Outbound and inbound traffic requests and content are scanned per established policies.
- Responses are then returned to users with the content they requested or a violation response page.

Each customer is given their own domain in the Aruba CSS cloud, which allows them to manage their network independently from all other CSS domains. Within each individual domain, policies are unique for each customer, and no customer has access to any other customer domain's policies or reports.

VBN integration with CSS
Each VBN device is configured with user policies that perform destination network address translation (NAT) on all traffic bound for the Internet. The device selects the nearest CSS enforcement point via a Domain Name System (DNS) lookup. This traffic is sent directly to the CSS service, which validates that the traffic has been sent from an authorized Aruba user by means of an authentication page and cookie. The CSS performs the scanning and returns the results.

User authentication
When a user first launches a web session, they are greeted with a captive portal requesting their credentials. The CSS cloud connects on the backend to the LDAP server at the corporate site. Once authenticated, a cookie is set on the local user's machine and all subsequent traffic is passed through the filters.

Figure: CSS content inspection and enforcement flow.
1. Client makes an Internet-bound request.
2. RAP matches the CSS policy and DST-NAT is performed on the traffic.
3. Traffic is forwarded to the local CSS enforcement node.
4. Request is inspected and policy enforced.
5. Request is forwarded to the Internet host.
6. Response is returned from the Internet host.
7. Returned content is inspected and policy enforced.
8. Inspected traffic or policy page is sent to the RAP.
9. Traffic or policy page is returned to the user.

4 CSS Features
4.1 URL filtering with dynamic classification and enforcement
URL filtering can effectively reduce risks posed by spyware, worms and other malicious code, as well as help organizations comply with regulatory mandates or adhere to corporate policies. URL filtering is designed to permit or deny access to a web site by categorizing its content and comparing that categorization to a blacklist of content and sites. Traditional URL blacklisting is no longer sufficient today, where content is dynamic and user-generated. CSS provides dynamic scanning of content, which allows rapid, automatic classification and policy enforcement. Safe search technology filters in the Aruba CSS scan content on web sites, images and videos. Enforcement levels include allow, deny and user warnings.
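To make the enforcement-point decision in steps 3 and 4 of the flow above concrete, together with the allow/deny/warn enforcement levels of section 4.1, here is an added, self-contained model in Python. It is an illustration written for this page, not Aruba's code: the cookie layout (user, tenant, expiry, HMAC), the per-tenant secret, the category table standing in for the dynamic classifier and the policy names are all constructed assumptions. The security point it shows is that the session cookie set after the captive-portal login must be unforgeable and time-limited, because every later request is admitted on its strength alone.

```python
"""Model of a CSS-style enforcement point: authenticate the session cookie,
classify the destination, apply the tenant's allow/deny/warn policy.

Constructed example for illustration; not Aruba's implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

SESSION_SECRET = b"constructed-demo-secret"   # per-tenant signing key (assumption)
SESSION_TTL = 8 * 3600                         # seconds a session cookie stays valid


def issue_session_cookie(user: str, tenant: str, now: float) -> str:
    """Issued after the captive-portal login succeeds against corporate LDAP.

    Format (assumed): user|tenant|expiry|hex(HMAC-SHA256(user|tenant|expiry)).
    """
    expiry = int(now) + SESSION_TTL
    payload = f"{user}|{tenant}|{expiry}".encode()
    mac = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{mac}"


def verify_session_cookie(cookie: str, now: float) -> Optional[Tuple[str, str]]:
    """Return (user, tenant) if the cookie is authentic and unexpired, else None."""
    try:
        user, tenant, expiry, mac = cookie.split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return None                       # malformed: treat as unauthenticated
    payload = f"{user}|{tenant}|{expiry}".encode()
    expected = hmac.new(SESSION_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if expiry_ts <= now:
        return None                       # expired: force re-authentication
    return user, tenant


# Constructed per-tenant policy: category -> enforcement level.
TENANT_POLICY = {
    "acme": {"news": "allow", "social": "warn", "malware": "deny", "uncategorized": "warn"},
}
# Constructed category table standing in for the dynamic classifier.
CATEGORIES = {
    "news.example": "news",
    "social.example": "social",
    "evil.example": "malware",
}


@dataclass
class Decision:
    action: str                 # "allow", "deny", "warn" or "authenticate"
    user: Optional[str]
    category: Optional[str]


def enforce(url: str, cookie: Optional[str], now: float, acknowledged: bool = False) -> Decision:
    """Step 4 of the flow: authenticate, classify, apply policy.

    "authenticate" means redirect to the captive portal; "warn" means return the
    warning page unless the user has already acknowledged it for this request.
    """
    session = verify_session_cookie(cookie, now) if cookie else None
    if session is None:
        return Decision("authenticate", None, None)
    user, tenant = session
    host = urlsplit(url).hostname or ""
    category = CATEGORIES.get(host, "uncategorized")
    # Unknown tenant or category falls through to deny: fail closed.
    level = TENANT_POLICY.get(tenant, {}).get(category, "deny")
    if level == "warn" and acknowledged:
        level = "allow"
    return Decision(level, user, category)
```

Because the cookie is the only credential the enforcement point sees after login, the checks in `verify_session_cookie` (authentic MAC compared in constant time, expiry enforced, malformed input rejected) are what stop an arbitrary client from claiming another user's policy; the fail-closed default in `enforce` covers destinations the classifier has not seen.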
Figure: Aruba CSS dynamically scans content, which allows rapid, automatic classification and policy enforcement.

4.2 Limit access to social media sites, streaming media and blogs
Social media, streaming media and blog sites can be useful in helping organizations reach new customers or identify untapped market opportunities. However, they can also introduce unwanted risks and vulnerabilities as well as impact overall network performance. CSS allows organizations to set limits on when or if social media can be used, and can differentiate this access by group. For example, marketing teams may be allowed to access Twitter or other social media for marketing efforts while other users may be limited to occasional use at break times or not at all.
Figure: Granular policy creation can allow, deny or provide limited access to specific social networking sites and web blogs.

4.3 Anti-virus and anti-spyware
The web contains a plethora of documents, videos and executable files that could contain malicious code and infect an unprotected system. While anti-virus and anti-spyware solutions have long been an accepted practice on desktops, they are costly, complex and rarely deployed as in-line solutions in branch offices and remote locations. CSS complements desktop anti-virus/anti-spyware solutions by providing network multi-tier scanning for malicious content with a two-pronged detection approach at branch and remote sites. CSS leverages a combination of internal research and partnerships with leading anti-virus/anti-spyware providers for advanced detection of threats using data mining, offline scans, pattern matching and malicious content examination. The result is an enhanced level of anti-virus/anti-spyware protection for remote locations and teleworkers.
Figure: Aruba CSS provides network multi-tier scanning for malicious content at branch and remote sites.

4.4 Advanced Threats
Botnets, phishing schemes and malicious content represent a new breed of advanced threats, targeting specific users as well as unknown vulnerabilities in web browsers and web-based applications. The sophistication and subtle nature of these new attack vectors demand better analysis of not only the destination and content payload but also behavioral characteristics that could be telltale signs of malicious activity.

CSS monitors suspicious activity such as botnet control traffic, key loggers and malicious content from suspicious URLs, and then uses data feeds and page characteristics to prevent phishing. Additionally, proper management or elimination of point-to-point traffic not only saves bandwidth, but can also prevent accidental leakage of sensitive data or sharing of confidential corporate information. CSS includes powerful tools that allow organizations to better manage their point-to-point traffic to reduce risks and help prevent sophisticated threats.

Figure: Improved management and control of point-to-point traffic reduces risks and helps prevent sophisticated threats.
4.5 Control over browser type, version and plug-ins
Patching systems and ensuring proper endpoint configurations are especially challenging in remote locations or with remote employees. An unpatched system or poor browser security can allow hackers to easily infiltrate an endpoint and start attacking a corporate network. Consequently, strong enforcement of endpoint policies is essential in reducing risks from modern threats. CSS ensures that only secure, up-to-date browsers are being used throughout the organization. Policies can be configured based on acceptable browser software, required patch levels, allowed plug-ins/extensions, and allowed browser-based applications. CSS can also be scheduled to perform weekly scans and warn users if browser vulnerabilities are detected, without requiring any additional client software.

Figure: To prevent endpoint attacks, Aruba CSS ensures that only secure, up-to-date browsers are used.

4.6 Monitor IM sessions and web-based email applications
Instant messaging (IM) services and web-based email applications offer a flexible, cost-effective way to communicate and are often used to enhance workforce productivity. However, without strict adherence to and enforcement of usage policies, IM and webmail can be a source of malicious activity. Internet-based IM services and web-based email allow users to bypass the logging and control of corporate security systems. This can result in data leakage and affect employee productivity. CSS allows organizations to set policies, control access, and secure these systems to the same standard as internal corporate networks.

Figure: Aruba CSS allows organizations to set policies, control access and secure IM and webmail systems to the same standard as internal corporate networks.
4.7 Control user bandwidth by application
Traffic shaping is a technique that can lead to better utilization of available bandwidth. It makes sure that business-critical applications are always prioritized while preventing non-essential applications from consuming too much bandwidth. Traffic shaping also reduces risk and enhances user productivity by restricting the amount of bandwidth that is available for less desirable applications. CSS can limit traffic to particular applications and can even lift those restrictions during specific times of day. It can also limit traffic to video sharing sites during work hours, while allowing streaming of web conferencing tools to pass through unaffected. This granularity of control can even be extended to lift limits on video sharing sites after hours or at break time.
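The shaping behaviour described in this section, limiting one application class during work hours while leaving another untouched and lifting the limit after hours, can be modelled with a per-application token bucket whose rate comes from a time-of-day schedule. The Python below is an added illustration written for this page, not Aruba's code; the application names, the 09:00 to 17:00 weekday window, the rates and the one-second burst allowance are constructed assumptions. It generalizes the text's examples slightly by also showing a class that is blocked outright during work hours and rate-limited outside them.

```python
"""Per-application traffic shaping driven by a time-of-day schedule.

Added illustration of section 4.7; not Aruba's implementation. Schedules,
rates and application names are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class Schedule:
    """Allowed bits/second during and outside work hours (None = unshaped)."""
    work_hours_bps: Optional[float]
    off_hours_bps: Optional[float]


WORK_START, WORK_END = 9, 17   # 09:00 to 17:00 local time, Monday to Friday (assumption)

APP_SCHEDULES: Dict[str, Schedule] = {
    # Video sharing: capped at 256 kbit/s during work hours, unlimited after hours.
    "video-sharing":  Schedule(work_hours_bps=256_000, off_hours_bps=None),
    # Web conferencing: never shaped.
    "web-conference": Schedule(work_hours_bps=None, off_hours_bps=None),
    # Peer-to-peer: blocked during work hours (rate 0), 64 kbit/s after hours.
    "p2p":            Schedule(work_hours_bps=0, off_hours_bps=64_000),
}


def rate_for(app: str, when: datetime) -> Optional[float]:
    """Resolve the rate in force for an application at a given moment."""
    sched = APP_SCHEDULES.get(app)
    if sched is None:
        return None   # unknown application: unshaped here (a stricter policy may default-deny)
    in_work_hours = when.weekday() < 5 and WORK_START <= when.hour < WORK_END
    return sched.work_hours_bps if in_work_hours else sched.off_hours_bps


class TokenBucket:
    """Classic token bucket: tokens (bits) refill at `rate` up to `burst`."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = burst          # start full so the first burst is admitted
        self.last: Optional[float] = None

    def allow(self, size_bits: float, now: float) -> bool:
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return True
        return False                 # over the limit: drop or queue the packet


class Shaper:
    """Admits or rejects packets per application according to the schedule."""

    def __init__(self) -> None:
        self.buckets: Dict[str, TokenBucket] = {}

    def admit(self, app: str, size_bytes: int, when: datetime) -> bool:
        rate = rate_for(app, when)
        if rate is None:
            return True              # unshaped at this time of day
        if rate == 0:
            return False             # blocked at this time of day
        bucket = self.buckets.get(app)
        if bucket is None or bucket.rate != rate:
            # New application, or the schedule changed its rate: start a fresh bucket
            # sized for one second of burst at the new rate.
            bucket = TokenBucket(rate=rate, burst=rate)
            self.buckets[app] = bucket
        return bucket.allow(size_bytes * 8, when.timestamp())
```

Keying the bucket by application and rebuilding it when the scheduled rate changes is what makes the "lift limits after hours" behaviour fall out naturally: the moment the clock leaves the work-hours window, `rate_for` returns the off-hours value and the next packet is judged against it.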
Figure: Aruba CSS supports the creation of very granular bandwidth control policies and classifications.

4.8 Advanced data loss prevention (DLP) tools
Failure to prevent leakage of confidential information outside of an organization can have a devastating impact, with financial, regulatory and legal repercussions. CSS uses proprietary tools to detect and prevent data loss. Sophisticated algorithms detect the leakage of credit card and social security numbers without false positives. Additionally, advanced self-learning algorithms create dictionaries for the leakage of source code, financial statements and Protected Health Information (PHI). Pattern matching engines evaluate data based on the weighted scores of various phrases. All of this combines to help organizations meet legal and regulatory requirements, while protecting sensitive customer data and intellectual property.
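The two detection techniques this section names, structured-identifier detection for card and social security numbers and weighted phrase scoring for categories such as PHI, can be shown with a short Python example. This is an added illustration, not Aruba's proprietary engine: the regular expressions, the PHI dictionary weights, the threshold and the sample strings in the test are constructed assumptions. The false-positive point is carried by the structural checks: a 16-digit order number is rejected by the Luhn check digit, and an SSN candidate whose area number was never issued (000, 666 or 900 and above) is rejected by the structural rule, so neither trips the detector.

```python
"""Structural validators and weighted-phrase scoring for outbound DLP.

Added illustration of section 4.8; not Aruba's implementation. Weights,
thresholds and patterns are constructed assumptions.
"""
import re
from typing import Dict, List

# --- Credit card numbers: digit pattern plus Luhn check digit -----------------
# 13 to 19 digits, optionally separated by single spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate card numbers that pass Luhn; most random digit runs fail it."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# --- US Social Security numbers: format plus structural rules -----------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area numbers never issued (000, 666, 900-999) and all-zero fields."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    return [m.group() for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


# --- Weighted phrase dictionary for content without a fixed format -----------
PHI_DICTIONARY: Dict[str, int] = {          # constructed weights
    "patient": 2,
    "diagnosis": 3,
    "date of birth": 2,
    "medical record number": 5,
    "icd-10": 4,
}
PHI_THRESHOLD = 7                            # constructed; tune against real corpora


def phi_score(text: str) -> int:
    """Sum the weights of dictionary phrases present in the text."""
    low = text.lower()
    return sum(w for phrase, w in PHI_DICTIONARY.items() if phrase in low)


def classify(text: str) -> List[str]:
    """Return the reasons an outbound document would be held, empty if none."""
    reasons = []
    if find_card_numbers(text):
        reasons.append("credit-card")
    if find_ssns(text):
        reasons.append("ssn")
    if phi_score(text) >= PHI_THRESHOLD:
        reasons.append("phi")
    return reasons
```

In practice the structural checks cut false positives sharply but do not remove them entirely (a Luhn-valid string can still be a coincidence), which is why a deployed engine pairs them with context such as nearby keywords and per-user reporting so an analyst can review holds.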
Figure: Aruba CSS uses sophisticated algorithms to detect the leakage of credit card and social security numbers.

5 Conclusion
Aruba's VBN architecture offers a cost-effective approach to providing secure access to small offices and home workers. But not all traffic from these sites needs to transit the data center. Oftentimes it is destined for Internet endpoints and hosted services. With the split-tunnel feature, VBN allows traffic to take a direct route to its destination, which offloads the central site network while improving response times and end-user productivity. This creates a need to protect users' PCs and other corporate assets from Internet-borne malware, a need that is answered by the Aruba CSS.

Aruba CSS delivers comprehensive protection against the latest threats for branch offices and teleworker environments. Seamlessly integrated with the VBN portfolio, Aruba makes it easy to deploy rich in-line content security services to any remote location without incurring the additional costs and complexity of purchasing and maintaining multiple solutions at each location. All traffic on the split tunnel is automatically redirected by the branch office RAP or VIA agent to the nearest CSS server in the cloud, without requiring special client software, PC configurations or web browser dependencies. Leveraging cloud-based centers around the world, CSS combines high-throughput, low-latency performance with the ease and convenience of central management and reporting. Greatly enhancing the native security services of Aruba's VBN solution, CSS brings comprehensive and secure connectivity to the mobile workforce, protecting any employee on any device, anywhere they work.
About Aruba Networks
Aruba is the global leader in distributed enterprise networks. Its award-winning portfolio of campus, branch/teleworker, and mobile solutions simplifies operations and secures access to all corporate applications and services, regardless of the user's device, location, or network. This dramatically improves productivity and lowers capital and operational costs. Listed on the NASDAQ and Russell 2000 Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com. For real-time news updates follow Aruba on Twitter, Facebook, or the Green Island News Blog.
1344 Crossman Ave., Sunnyvale, CA 94089-1113
Tel. 408.227.4500  Fax. 408.227.4550  1-866-55-ARUBA
info@arubanetworks.com  http://www.arubanetworks.com

© 2010 Aruba Networks, Inc. AirWave, Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow, RFprotect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions.

Note: All scaling metrics outlined in this document are maximum supported values. The scale may vary depending upon the deployment scenario and features enabled.

WP_CSS_100927