Lecture Notes 1 - Taichung Regional Network Center

Campus Network Information Security Threats and Applied Technologies
陳家慶 (Jacob Chen)
886-2-87860968 #11
Agenda
• Analysis of potential network security threats (network viruses, worms, attacks, spam, P2P...) – 15min
• Campus network security solutions and management analysis – 20min
• Network security application trends and technology – 15min
• How individual users can defend against network threats – 15min
• Case study – 15min
• Break – 10min
• Content security management and demonstration – 60min
• Config Practice – 20min
Analysis of Potential Threats to Information Networks
Customer Needs
Firewalls alone are not enough – users want new, integrated capabilities.
Chart: Percent of Firewall Respondents Rating a Feature 6 or 7 (Source: Infonetics Research)
Integrated intrusion detection: 72%
Integrated virus scanning: 68%
Stateful inspection engine: 58%
Content filtering: 53%
Ability to repel DoS/DDoS: 52%
Integrated VPN: 50%
100M performance: 50%
Fail-over capability: 41%
Appliance-based: 35%
Load balancing/QoS/traffic shaping: 31%
1G performance: 20%
MPLS support: 14%
The Nature of Threats Has Evolved…
Figure: timeline of the major pain points for organizations of all types, with speed and damage ($) rising over time:
1970 – Physical threats (hardware theft), countered by lock and key
1980 – Connection-based threats (intrusions), countered by firewall, IDS and VPN
1990 – Content-based threats (viruses, worms, Trojans), countered by antivirus
2000 – Banned content and spam, countered by content filter and antispam
The “Content Processing Barrier” is the Challenge to Network Protection
Figure: processing power required per service. Network-level services (firewall, VPN, IDS) are supported by today’s network edge devices; application-level services (content filtering, virus/worm detection) lie above the content processing barrier and exceed the capabilities of available network devices.
Conventional Solutions Can’t Keep Up with Real-Time Communications
• 25%+ of virus infections are delivered via Web traffic* (vs. email)
• Software AV scanning is too slow for Web traffic
• The need for speed keeps increasing: Email -> Web -> Instant Messaging -> ???
Conventional Firewall and AV Products Are Behind – A New Approach is Needed
*Yankee Group
Conventional/Single Point Security Solutions Do Not Solve These Problems
Figure: a hacker, spam, viruses and worms, intrusions and banned content (www.find_a new job.com, www.free music.com, www.pornography.com) all reach the mail server, because conventional products do not examine the content of data packets – threats pass through.
Many Conventional Products are Needed for a “Complete” Solution
Figure: each threat needs its own product – email filtering software for malicious email and spam, IDS/IPS and VPN for intrusions, web content filtering software for banned content, and anti-virus software for viruses and worms.
Campus Network Security Solutions and Management Analysis
Firewall
• A firewall operates at the network layer and the transport layer, and can also treat packets from a management perspective, that is, by the direction of transmission. Through firewall management, the combination of network address (IP Address), network service (TCP/UDP Port Number) and direction forms a tightly woven security net.
• High performance
– ICSA certified
– Provides NAT, Route and Transparent modes
– Provides H.323 NAT
• Policy-based
– Group LDAP and RADIUS authentication
– WAN failover
– Control of more than 40 standard protocols or user-defined services
• e.g. Telnet, RealAudio, FTP, GRE, Oracle*8 etc.
• Management and control
– DHCP Relay and WINS
– Unified management of antivirus firewall and VPN
Firewalls Don’t Analyze Contents so they Miss Content Attacks
Figure: a stateful inspection firewall inspects packet headers only – i.e. it looks at the envelope (source MAC, source IP address, destination IP, protocol, port: TO, FROM, TYPE OF DATA, etc.) but not at what is contained inside. The packet payload (data) is not scanned, so the packets of http://www.freesurf.com/downloads/Gettysburg – "Four score and BAD CONTENT our forefathers brou" / "ght forth upon this continent a new nation," / "n liberty, and dedicated to the proposition that all" / "CONFIDENTIAL" – are all passed as OK.
Firewall
• Policies are defined for VLANs, Zones and Interfaces/Ports
• A Zone must contain VLANs and/or Interfaces/Ports before it can be used in a policy
• An “Address” must be assigned to the VLAN, Zone or Interface/Port before creating a policy
• Use Content Profiles to apply different restrictions to different groups of IP addresses
• Create the Content Profile first, before creating the policy
• Services/ports for VPN
• Traffic Shaping – token bucket
Firewall - VLAN
• Firewall policy can be applied for Interface,
Zone, VLAN, and 2nd IP of the Interface
• Must have “address” defined first within the
Firewall Section
Firewall – 2nd IP LAN Address
Firewall – VLAN Address
Content Profiles
• First enable, in each profile, AV scanning/blocking, quarantining, Web/Email filtering, etc.
• Each profile can then be assigned on a per-Firewall-Policy basis
• Provides the flexibility of different requirements and access restrictions for different groups
• Can be applied to all supported protocols (HTTP, FTP, SMTP, POP3, IMAP)
Unified Policy Management
• Content can be adjusted dynamically for different user needs to serve as network rules
Policy Base Protection Profile
• Network usage rules can be defined per individual policy
Antivirus
• Infection vectors
– Local LAN (Network Neighborhood, vulnerabilities in the operating system itself)
– HTTP, FTP, IMAP, POP3, SMTP
– Free software, file sharing, free registration codes
• Performance requirements
– ASIC-based antivirus solution
– ICSA-certified hardware antivirus gateway
• Policy-based
– Virus scanning
– Complete database of the world's virus signatures
– Can quarantine infected files and block oversized files
• Rapid threat response
– Threat response provided by the Threat Response Team and FortiResponse
– Automatic updates of virus signatures and intrusion detection signatures
Msblast
• Take the Msblast (Blaster) worm infection as an example. Msblast stays resident in the memory of the infected machine and randomly probes for the next potential victim at roughly 20 IP addresses per second. Once a machine is infected, Msblast opens the system's port 4444 and port 69 and attempts to connect to TCP port 135 on other machines. When it finds a target and gets into the system, it exploits Microsoft's known vulnerability in DCOM (Distributed Component Object Model) RPC (Remote Procedure Call), which lets the attacker use TFTP (trivial FTP) to download the worm itself onto the victim machine and copy it under windows\system32. The victim machine may then show a message that the RPC service terminated unexpectedly and the system will restart in 60 seconds, so the system keeps rebooting. On the 16th the worm triggers, making all infected machines launch a DoS (Denial of Service) attack on Microsoft's update site (windowsupdate.com) on the same day in an attempt to paralyze the site. At the time an estimated million-plus machines worldwide were infected, keeping many IT staff busy applying patches to every Microsoft operating system and answering calls from affected users.
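To show how the propagation pattern just described can be spotted from gateway logs, here is an added detection example (not code from the slides or from Fortinet); it assumes a constructed, simplified log format and the thresholds named in its comments:

```python
"""Detect Msblast-style propagation from firewall logs.

Added example, not code from the original slides. It assumes a simplified,
constructed log format (one line per connection attempt):
    <epoch_seconds> <src_ip> <dst_ip> <proto>/<dst_port> <action>
The logic mirrors the behaviour described above: a host that probes many
distinct addresses on TCP/135 within one second, or that is contacted on
TCP/4444 or pulls a file over TFTP (UDP/69), is a likely victim.
"""
from collections import defaultdict

SCAN_PORT = ("tcp", 135)     # DCOM RPC: target of the worm's random scanning
SHELL_PORT = ("tcp", 4444)   # backdoor shell opened on an infected host
TFTP_PORT = ("udp", 69)      # the worm body is copied over TFTP
SCAN_THRESHOLD = 20          # distinct /135 targets per window -> suspicious
WINDOW_SECONDS = 1           # the slide cites ~20 IP addresses per second


def parse_line(line):
    """Parse one constructed log line into a dict; return None on junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, svc, action = parts
    proto, _, port = svc.partition("/")
    if not (ts.isdigit() and port.isdigit()):
        return None
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "port": int(port), "action": action}


def analyze(lines):
    """Return {host_ip: set(reasons)} for hosts showing worm-like activity."""
    scan_targets = defaultdict(set)   # (src, window) -> distinct TCP/135 dsts
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["port"])
        if key == SCAN_PORT:
            window = rec["ts"] // WINDOW_SECONDS
            scan_targets[(rec["src"], window)].add(rec["dst"])
        elif key == SHELL_PORT:
            # inbound connection to the backdoor: the destination is the victim
            findings[rec["dst"]].add("backdoor-4444-contacted")
        elif key == TFTP_PORT:
            # the victim fetches the worm body over TFTP: the source is the victim
            findings[rec["src"]].add("tftp-download")
    for (src, _window), dsts in scan_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].add("tcp135-sweep")
    return dict(findings)


def build_sample_log():
    """Constructed sample: one scanner, one benign host, one victim."""
    lines = []
    # 10.0.0.5 sweeps 25 addresses on TCP/135 within one second
    for i in range(25):
        lines.append(f"1000 10.0.0.5 10.0.1.{i + 1} tcp/135 deny")
    # 10.0.0.9 makes three legitimate RPC connections spread over a minute
    for i in range(3):
        lines.append(f"{1000 + 20 * i} 10.0.0.9 10.0.2.{i + 1} tcp/135 accept")
    # the victim 10.0.1.7 is contacted on 4444 and then pulls a file via TFTP
    lines.append("1001 10.0.0.5 10.0.1.7 tcp/4444 accept")
    lines.append("1002 10.0.1.7 10.0.0.5 udp/69 accept")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(analyze(build_sample_log()).items()):
        print(host, sorted(reasons))
```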
Some Firewalls Claim to do “Deep Packet Inspection” – But They Still Miss a Lot
DEEP PACKET INSPECTION performs a packet-by-packet inspection of contents – but can easily miss complex attacks that span multiple packets.
Figure: the packets of http://www.freesurf.com/downloads/Gettysburg pass one by one; "Four score and BAD CONTENT our forefathers brou" is flagged (!), while "ght forth upon this continent a new nation," / "n liberty, and dedicated to the proposition that all" / "CONFIDENTIAL" are passed as OK, so the attack goes undetected.
Network-Level Processing is Not Enough
Figure: NETWORK-LEVEL CONTENT (PACKETS) from http://www.freesurf.com/downloads/Gettysburg – "Four score and seven years ago our forefathers brou" / "ght forth upon this BANNED WORDS a new nation," / "n liberty, and dedicated to the proposition that all".
• FIREWALL: inspects packet headers only – passes “valid” packets with banned content and attacks
• URL FILTER: stops blacklisted URLs, but may miss BANNED WORDS embedded in content
• PACKET-BASED VIRUS SCAN: may miss attacks that span multiple packets
APPLICATION-LEVEL CONTENT PROCESSING
1. Reassemble packets into content
2. Compare against disallowed content and attack lists
Figure: the reassembled text "Four score and seven years ago our forefathers brought forth upon this BANNED WORDS a new nation, … liberty, and dedicated to the proposition that all…" is compared against the DISALLOWED CONTENT list (BAD CONTENT, BANNED WORDS, NASTY THINGS, NASTIER THINGS) and the ATTACK SIGNATURES list.
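An added example, not part of the original slides, that makes the per-packet vs. reassembled-content distinction concrete using the figure's Gettysburg text with constructed segment boundaries and a constructed signature list:

```python
"""Per-packet vs. reassembled content scanning.

Added example (not from the slides). It takes the Gettysburg text used in
the figures above, splits it into TCP-segment-sized pieces, and scans with
a constructed signature list. A per-packet scanner sees each segment alone,
so a signature that straddles a segment boundary ("brou|ght forth") is
missed; the application-level scanner reassembles the byte stream first.
Segments are constructed (seq, payload) pairs to mimic TCP ordering.
"""

# Constructed signature list: one phrase sits inside a single segment,
# the other is cut in two by the 50-byte segment boundary.
SIGNATURES = [b"BANNED WORDS", b"brought forth"]


def split_into_segments(stream, size):
    """Cut a byte stream into (seq, payload) segments of at most `size` bytes."""
    return [(i, stream[i:i + size]) for i in range(0, len(stream), size)]


def per_packet_scan(segments, signatures=SIGNATURES):
    """Scan every segment independently; return the set of signatures hit."""
    hits = set()
    for _seq, payload in segments:
        for sig in signatures:
            if sig in payload:
                hits.add(sig)
    return hits


def reassemble(segments):
    """Order segments by sequence number and join them into one stream.

    A gap (missing segment) raises instead of being silently skipped: a
    scanner that guesses across missing bytes can reach a wrong verdict.
    """
    stream = b""
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq != len(stream):
            raise ValueError(f"gap in stream at offset {len(stream)}")
        stream += payload
    return stream


def reassembled_scan(segments, signatures=SIGNATURES):
    """Reassemble first, then match signatures against the whole content."""
    content = reassemble(segments)
    return {sig for sig in signatures if sig in content}


# Constructed content, modelled on the figure's Gettysburg example.
CONTENT = (b"Four score and seven years ago our forefathers brought "
           b"forth upon this continent a new nation, conceived in liberty, "
           b"and dedicated to the proposition that BANNED WORDS are equal")


def demo(segment_size=50):
    """Return (per_packet_hits, reassembled_hits) for the sample content."""
    segments = split_into_segments(CONTENT, segment_size)
    # deliver out of order to show that reassembly must sort by seq
    shuffled = segments[1:] + segments[:1]
    return per_packet_scan(shuffled), reassembled_scan(shuffled)


if __name__ == "__main__":
    pp, ra = demo()
    print("per-packet :", sorted(pp))
    print("reassembled:", sorted(ra))
```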
Virus Everywhere
WildList
• Wild viruses are defined as viruses that have infected and spread among computers in recent and past years. When such viruses are found they are formally disclosed to “the WildList Organization International”, which publishes a WildList report every month disclosing the viruses that have infected and spread since 1993; these are the viruses that genuinely need to be treated as threats and isolated. To provide comprehensive protection, more than 55 qualified antivirus companies worldwide are members of the organization, with an obligation to report and supply virus samples, so that the spread of viruses is blocked with global effort.
Network Anti-Virus
• A NAV system should be closed: secure, and not itself attackable by viruses or hackers.
• A NAV system protects a single perimeter zone, that is, a zone with no other possible path to the outside.
• NAV must block viruses at the gateway edge, avoiding the risk of hosts being infected by residue left in server memory.
• NAV reduces server load, because viruses are blocked at the network gateway and the externally facing servers do not have to spend resources handling them.
• NAV protects hosts that have no antivirus software because of their operating system.
• NAV must solve this problem in hardware, on an ASIC.
– Packet processing engine: handles packet headers and accelerates identifying which packet an application-layer data stream belongs to.
– Signature scanning engine: reassembles packet payloads into content streams in system memory and loads the appropriate virus signatures for direct matching.
World-Wide Real-Time Update Center Ensures Rapid Response to New Threats
Figure: the Fortinet Threat Response Team and update distribution servers feed the FortiProtection Center (web portal & email bulletins); automatic updates can reach all FortiGate units worldwide in under 5 minutes.
Virus List
Virus Detection
Protocols are handled differently when a virus
is detected.
• IMAP and POP3
– Attachment removal with customizable message
• HTTP
– Page replaced with a custom page
• FTP and SMTP
– In-session error
Command Triggers
Within each protocol, specific commands trigger antivirus inspection:
• IMAP
– FETCH
• HTTP
– GET
– POST
• FTP
– RETR
– PUT
• SMTP
– BDAT (but not with multiple chunks)
– DATA
• POP3
– RETR
Splicing
Session splicing is used when traffic is being scanned for viruses. When a virus is detected:
• SMTP
– Splicing enabled: stops the SMTP transfer; error message to the sender
– Splicing disabled: attachment removed; message to the recipient
• FTP upload
– Splicing enabled: buffers the file for scanning while uploading it to the FTP server; stops the FTP transfer; attempts to delete the partially uploaded file
– Splicing disabled: buffers the file for scanning before upload; if “clean,” uploads it to the server
Quarantining Files
• FortiGate units with hard disks can be
configured to quarantine blocked or infected
files
• The quarantined files are removed from the
content stream and stored on the FortiGate
hard disk
• Users receive a message informing them
that the removed files have been
quarantined
Quarantine List
• The quarantine list can be sorted and filtered
for ease of use
• Suspicious files can be uploaded to Fortinet
for analysis
AutoUpload
• Suspicious files can be sent to Fortinet
automatically for analysis
• New files and patterns can be added to the
list
Quarantine Options
• Configure the FortiGate unit to handle
quarantined files
Non-standard Ports
• Antivirus scanning can be configured to
recognize application traffic on non-standard
service ports
• This can be used for customized services
and is useful with HTTP proxies and caching
  config antivirus service smtp
      set port <port_integer>
  end
File Blocking
By default, when file blocking is enabled, the FortiGate unit blocks the following file types:
• executables (.bat, .com, .exe)
• compressed/archive (.gz, .rar, .tar, .tgz, .zip)
• dlls
• HTML applications (.hta)
• Microsoft Office (.doc)
• Microsoft Works (.wps)
• Visual Basic (.vb?)
• screen savers (.scr)
• Windows information (.pif)
• File blocking is performed before antivirus scanning and is not application-aware
File Block
Oversized File Blocking
• The FortiGate unit can buffer 1 to 15 percent of available memory to store oversized files and email
• Files and email that exceed this limit are blocked by the FortiGate unit rather than bypassing antivirus scanning
• A replacement message is sent to the HTTP or email proxy client.
Fragmented Email
• FortiGate units cannot scan fragmented
email for viruses or use pattern blocking to
remove restricted files
• For security, do not enable Pass
Fragmented Emails in protection profiles
• For added security, disable the fragmenting
of email messages in the client email
software
Intrusion Detection/Prevention
• High performance
– Network monitoring without affecting performance
– NIDS can monitor traffic on multiple network segments at the same time
• More complete attack signatures
– Includes 1,400 known attack signatures
– Supports user-defined attack signatures
– Signature-based attack recognition
• Prevention and active blocking of anomalous traffic and protocols
– Provides 34 attack signatures
• Customization
– User-defined attack lists
– Email alert notification
IDS & IPS
An intrusion detection and prevention system has two functions: intrusion detection (IDS) and intrusion prevention (IPS).
IPS provides the following functions:
• Monitor and analyze user and system behavior
• Audit network system configuration and network weaknesses
• Assess and protect important systems or data
• Statistically analyze abnormal behavior
• Track and log anyone behaving abnormally
• Recognize normal behavior and reject known attacks
• Defense actions: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session
Internet Message and P2P
Easy-to-configure IDS
• User-defined attack signatures
• Nearly 1,400 attack signatures
• Signatures classified by attack attribute for easy management
• More than 34 attack patterns
• Customization
• Logs and alerts
NIPS Signatures
Intrusion Detection - Signature List Group
Intrusion Prevention – Default Setting
• Default is to disable “Source Session”, “UDP Source Session”, “ICMP Source Session”, “ICMP Fragment”, “IP record routing”, “IP strict/loose source record routing”, “IP stream/security/timestamp option”, “IP fragment” and “IP Land attack”
Intrusion Prevention – Synflood Setting
1. Synflood attack, if received SYN requests > 200/sec
2. Send to proxy; if proxy connections > 1024,
3. Discard SYN request
4. Each proxy entry only stays in the table for 15 sec.
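The four rules above as an added state-machine model (not Fortinet code); the event stream and client addresses are constructed, the thresholds are the slide's:

```python
"""SYN-flood handling as a small state machine.

Added example; not Fortinet code. It models the four rules listed above:
SYNs above 200/sec switch the unit into proxy mode, proxied half-open
connections live in a table for 15 seconds, and once that table would
exceed 1024 entries further SYNs are discarded. Events are constructed
(timestamp, client) tuples; thresholds are the slide's.
"""
from collections import deque

SYN_RATE_LIMIT = 200      # SYN/sec above which the unit proxies handshakes
PROXY_TABLE_LIMIT = 1024  # proxied entries allowed before SYNs are discarded
PROXY_ENTRY_TTL = 15.0    # seconds a proxied handshake stays in the table


class SynFloodGuard:
    def __init__(self):
        self.recent_syns = deque()   # timestamps seen within the last second
        self.proxy_table = {}        # client -> expiry time

    def _expire(self, now):
        """Drop SYN timestamps older than 1 s and proxy entries past their TTL."""
        while self.recent_syns and now - self.recent_syns[0] >= 1.0:
            self.recent_syns.popleft()
        for client in [c for c, exp in self.proxy_table.items() if exp <= now]:
            del self.proxy_table[client]

    def handle_syn(self, now, client):
        """Return 'pass', 'proxy' or 'discard' for one incoming SYN."""
        self._expire(now)
        self.recent_syns.append(now)
        if len(self.recent_syns) <= SYN_RATE_LIMIT:
            return "pass"                       # rule 1 not triggered
        if client in self.proxy_table:
            self.proxy_table[client] = now + PROXY_ENTRY_TTL
            return "proxy"                      # refresh an existing entry
        if len(self.proxy_table) >= PROXY_TABLE_LIMIT:
            return "discard"                    # rules 2/3: table is full
        self.proxy_table[client] = now + PROXY_ENTRY_TTL
        return "proxy"                          # rule 4: entry expires in 15 s


def simulate(events):
    """Run constructed (timestamp, client) events; return verdict counts."""
    guard = SynFloodGuard()
    counts = {"pass": 0, "proxy": 0, "discard": 0}
    for ts, client in events:
        counts[guard.handle_syn(ts, client)] += 1
    return counts, guard


def flood_events(n, start=0.0, spacing=0.001):
    """n SYNs from n distinct constructed clients, `spacing` seconds apart."""
    return [(start + i * spacing, f"10.9.{i // 256}.{i % 256}") for i in range(n)]


if __name__ == "__main__":
    counts, _ = simulate(flood_events(1500))
    print(counts)   # 200 passed before the rate limit, 1024 proxied, rest discarded
```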
IPS Signatures
Content Filtering
• Content filtering products roughly divide into three areas: web filtering, email filtering and instant messaging.
• Natural-language filtering
– URL blocking, keyword and phrase filtering
– Blocking of malicious ActiveX, Java applets and cookies
– Email filtering
• Supports third-party blacklists
Web Content Filter
URL blocking, keyword and phrase filtering
Blocking of malicious ActiveX, Java applets and cookies
Spam
• Preventing and managing spam has become an emerging and important topic in network information security. According to market research by Ferris Research, spam not only causes annual losses of US$8.9 billion and US$2.5 billion to European and American enterprises respectively, it also costs telecom service providers US$500 million in resources. More than 74% of respondents felt that “dealing with spam is a waste of time”, and as many as 66.6% feared that their computers would be infected by way of spam. These figures show that spam has become a nightmare for enterprises, employees and MIS staff.
Mail header analysis – more and more email is presented in HTML form
• 1. A booby-trapped HTML email is hosted on a website and other users are lured into browsing that site; the scripting on the web page can then open the email and execute the attachment.
• 2. The attacker sends the booby-trapped HTML email directly and uses IE on the recipient's computer to execute the attachment, infecting the user's computer directly. The best known example is Win32.Nimda (also called W32/Nimda@MM), an Internet worm that spreads through known vulnerabilities in Internet Explorer and IIS. Like a file-infecting virus, it can also infect Win32 executables and documents with the html, htm and asp extensions.
Artificial Intelligence and Image Recognition Techniques
• AI-based matching and classification: professional products on the market have adopted the recently popular data mining technology, applying a variety of probabilistic and statistical intelligent classification models, for example Bayesian probability, fuzzy logic, neural networks and so on.
• Image recognition: having mentioned AI methods, here is another. The methods above stop at recognizing or classifying text, but spam has adapted to these common blocking methods and can easily evade traditional filter rules. More and more spam presents its text as image files, so some products advertise finding the text by OCR and matching its features, so that spam still has nowhere to hide. Some even stress using AI image recognition theory with color tracking to discover pornographic image attachments.
Spam
• Uses a wide variety of local and network tests to identify spam signatures
– IP address
– RBL & ORDBL
– Email address
– MIME headers
– Banned word
• Once identified, the mail can then be:
– Tagged as spam for later filtering using the user's own mail user-agent application
• Enables easy sorting by any email client
– Or rejected (SMTP)
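An added example (not Fortinet's filter) that runs the five test types listed above over constructed messages and applies the tag-or-reject outcome; every blocklist and the RBL zone are constructed stand-ins, and the DNSBL lookup is stubbed so the example runs offline:

```python
"""Spam identification with the test types listed on the slide.

Added example, not Fortinet code. It applies the five checks (sender IP,
RBL/ORDBL, sender address, MIME headers, banned words) to a raw message and
returns the slide's outcomes: tag for the user's mail client, or reject in
the SMTP session. All lists below are constructed; a real RBL is a DNS
query of the reversed IP under a zone, which is simulated with a dict.
"""
from email import message_from_string
from email.utils import parseaddr
import ipaddress

LOCAL_IP_BLOCKLIST = {"203.0.113.7"}                      # constructed
BLOCKED_SENDERS = {"promo@example.net"}                    # constructed
BLOCKED_DOMAINS = {"bulk-offers.example"}                  # constructed
BANNED_WORDS = ["free money", "click here", "win now"]     # constructed
# Constructed stand-in for an RBL/ORDBL zone, keyed the way a DNSBL is
# queried: 1.2.3.4 -> "4.3.2.1.<zone>". 127.0.0.4 marks an open relay.
FAKE_RBL_ZONE = {"7.113.0.203.rbl.example": "127.0.0.2",
                 "25.100.51.198.rbl.example": "127.0.0.4"}
TAG_THRESHOLD = 3
REJECT_THRESHOLD = 6


def rbl_lookup(ip, zone="rbl.example"):
    """Simulated DNSBL query; return the listing code or None."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return FAKE_RBL_ZONE.get(".".join(reversed(octets)) + "." + zone)


def score_message(raw, client_ip):
    """Return (score, reasons) for a raw RFC 822 message sent from client_ip."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    if client_ip in LOCAL_IP_BLOCKLIST:                   # 1. IP address
        score += 3; reasons.append("ip-blocklist")
    if rbl_lookup(client_ip):                             # 2. RBL & ORDBL
        score += 3; reasons.append("rbl-listed")
    addr = parseaddr(msg.get("From", ""))[1].lower()      # 3. email address
    if addr in BLOCKED_SENDERS or addr.partition("@")[2] in BLOCKED_DOMAINS:
        score += 3; reasons.append("sender-blocklist")
    for header in ("Message-ID", "Date"):                 # 4. MIME headers
        if header not in msg:
            score += 1; reasons.append(f"missing-{header.lower()}")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for word in BANNED_WORDS:                             # 5. banned words
        if word in text:
            score += 2; reasons.append(f"banned-word:{word}")
    return score, reasons


def classify(raw, client_ip):
    """Map the score to the slide's outcomes: 'reject', 'tag' or 'deliver'."""
    score, reasons = score_message(raw, client_ip)
    if score >= REJECT_THRESHOLD:
        return "reject", reasons        # refused during the SMTP session
    if score >= TAG_THRESHOLD:
        return "tag", reasons           # marked so the user's MUA can filter it
    return "deliver", reasons


def tag_message(raw):
    """Add the headers a mail client can sort on and prefix the subject."""
    msg = message_from_string(raw)
    msg["X-Spam-Flag"] = "YES"
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = "[SPAM] " + subject
    return msg.as_string()


# Constructed sample messages.
SPAM_RAW = ("From: Promo <promo@example.net>\nTo: user@campus.example\n"
            "Subject: Win now!\n\nClick here for free money.\n")
HAM_RAW = ("From: Alice <alice@campus.example>\nTo: bob@campus.example\n"
           "Subject: Meeting\nMessage-ID: <1@campus.example>\n"
           "Date: Mon, 1 Mar 2004 10:00:00 +0800\n\nSee you at 3.\n")

if __name__ == "__main__":
    print(classify(SPAM_RAW, "203.0.113.7"))
    print(classify(HAM_RAW, "192.0.2.10"))
    print(classify(HAM_RAW, "198.51.100.25"))   # clean mail via an open relay
```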
Spam Filter
Email Filter
QoS
• Bandwidth management
– Effective use and allocation of network bandwidth
– Policy-based bandwidth management
– Guaranteed bandwidth (Kbytes/second)
– Maximum bandwidth (Kbytes/second) and priority
Traffic Shaping
• Guaranteed Bandwidth
– You can use traffic shaping to guarantee the amount of
bandwidth available through the firewall for a policy.
Guarantee bandwidth (in Kbytes) to make sure that there is
enough bandwidth available for a high-priority service.
• Maximum Bandwidth
– You can also use traffic shaping to limit the amount of
bandwidth available through the firewall for a policy. Limit
bandwidth to keep less important services from using
bandwidth needed for more important services.
• Traffic Priority
– Select High, Medium, or Low. Select Traffic Priority so that the
FortiWiFi unit manages the relative priorities of different types
of traffic. For example, a policy for connecting to a secure web
server needed to support e-commerce traffic should be
assigned a high traffic priority. Less important services should
be assigned a low priority. The firewall provides bandwidth to
low-priority connections only when bandwidth is not needed
for high-priority connections.
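An added token-bucket model (not FortiGate code) of the three traffic-shaping settings described above, with constructed link capacity, policies and demand; it shows the low-priority policy receiving bandwidth only when the higher priorities do not need it:

```python
"""Policy-based traffic shaping with token buckets.

Added example, not FortiGate code. It models the three settings above
(guaranteed bandwidth, maximum bandwidth, traffic priority) for several
firewall policies sharing one link, with a token bucket per policy for
the maximum rate. Each second every policy first receives up to its
guarantee; leftover link capacity then goes to policies in priority
order, and a policy never exceeds what its bucket allows. Units are
Kbytes/second as on the slide; link, policies and demands are constructed.
"""

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


class TokenBucket:
    """Bucket refilled at `rate` KB/s, holding at most `burst` KB."""
    def __init__(self, rate, burst=None):
        self.rate = rate
        self.burst = rate if burst is None else burst
        self.tokens = self.burst

    def refill(self, seconds=1.0):
        self.tokens = min(self.burst, self.tokens + self.rate * seconds)

    def take(self, amount):
        """Consume up to `amount` KB; return how much was actually granted."""
        granted = min(amount, self.tokens)
        self.tokens -= granted
        return granted


class ShapingPolicy:
    def __init__(self, name, guaranteed, maximum, priority):
        if guaranteed > maximum:
            raise ValueError(f"{name}: guarantee exceeds maximum bandwidth")
        self.name, self.guaranteed, self.priority = name, guaranteed, priority
        self.bucket = TokenBucket(maximum)


def shape_one_second(link_capacity, policies, demand):
    """Allocate one second of link capacity (KB) among the policies.

    demand maps policy name -> KB its traffic wants to send this second.
    Returns {policy_name: KB granted}.
    """
    for p in policies:
        p.bucket.refill()
    granted = {p.name: 0.0 for p in policies}
    remaining = link_capacity
    # pass 1: honour every guarantee (bounded by demand, bucket and link)
    for p in policies:
        want = min(demand.get(p.name, 0.0), p.guaranteed, remaining)
        got = p.bucket.take(want)
        granted[p.name] += got
        remaining -= got
    # pass 2: leftover capacity by priority, each still capped by its bucket
    for p in sorted(policies, key=lambda x: PRIORITY_ORDER[x.priority]):
        if remaining <= 0:
            break
        want = min(demand.get(p.name, 0.0) - granted[p.name], remaining)
        if want > 0:
            got = p.bucket.take(want)
            granted[p.name] += got
            remaining -= got
    return granted


def demo():
    """Constructed scenario: a 1000 KB/s link, three policies, all saturated."""
    policies = [
        ShapingPolicy("ecommerce", guaranteed=300, maximum=800, priority="high"),
        ShapingPolicy("email", guaranteed=100, maximum=400, priority="medium"),
        ShapingPolicy("p2p", guaranteed=0, maximum=200, priority="low"),
    ]
    demand = {"ecommerce": 900, "email": 500, "p2p": 600}
    return shape_one_second(1000, policies, demand)


if __name__ == "__main__":
    for name, kb in demo().items():
        print(f"{name:10s} {kb:6.0f} KB/s")
```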
VPN
• VPN support
• Supported encryption: DES, 3DES, AES
• Tunnels: PPTP, L2TP, IPSec
• IKE Certificate Authentication (X.509)
• IPSec NAT Traversal
• Dynamic DNS host names for VPN tunnels
• IPSec in Transparent mode
• DHCP over IPSec
• AntiVirus for VPN tunnels
VPN
• Can now select individual service/port via “Encrypt”
within Firewall Policy
• IPSec now supports AES encryption with 128, 196,
or 256 bit strength
• Provide certificate support for all IPSec, PPTP, &
L2TP tunnels
• Can import certificates from a CA or can generate
internally
• New advanced features in IPSec with Xauth, Dead
Peer Detection, and Peer ID options
• HA support for VPN fail-over
IPSec VPN Services
IPSec VPN Advanced Options
VPN Services selection
Network Security Application Trends and Technology
Confidential
Best of Breed Gateway Antivirus, and a Compelling All-In-One Solution
Figure: deployment scenarios. Mobile workers (remote VPN clients or wireless users) and MSSPs; small office/telecommuter sites with an all-in-one solution (antivirus, content filtering, firewall, VPN, NIDS/IDP); enterprise HQ/data centers with a best-of-breed content security gateway (antivirus, content filtering) beside the existing IDS and VPN, with antivirus run in “Transparent Mode”; and branch offices.
Network Security Architecture Diagram
Figure: campus network with 45 Mb and 10 Mb Internet links through Internet routers to an HA security gateway and an HA high-speed backbone security gateway; a DMZ server farm (campus email servers, FTP servers, DNS servers); an administrative system server farm; a core network with departmental VLANs behind departmental security gateways; networked PCs (some with IP phones, DHCP clients); a second computer room; an IP phone system, videoconferencing, dormitory, ISDN, modem pool and PSTN access.
High-Availability Solution For Mission-Critical Applications
Figure: users – router – switch – redundant firewalls – switch – Internet/Intranet.
• No single point of failure
• Ideal for mission-critical applications
• Identifies failed servers and applications and redirects around them
FORTINET – Recommended High-Availability Network Security Architecture
High Availability Network Architecture
Figure: Router 1 and Router 2 connect over GE trunks to Switch A1/A2; a pair of FGT 3000 units in H.A. sits between Switch A1/A2 and Switch B1/B2 (also GE trunks), with the DMZ (server farm) attached to the FGT 3000 pair; Switch B1/B2 serve VLANs V1~V10 for Group1 through Group10.
A Complete Solution for the Educational Network
Figure: Intranet/Extranet and Internet connect through the backbone to the branch campuses, departments, labs, dormitory network, core network and data center. Deployment points:
• Internet: FG5020X2 in HA adds Antivirus and IDS/IDP protection in transparent mode behind the existing firewall
• Dorms: FG3600 provides Antivirus, IDS/IDP and Firewall protection, and traffic shaping functionality
• Departments (OA services): FG3600X2 in HA adds Antivirus and IDS/IDP protection to the existing firewall
• Core Network: FG5020X2 in HA adds Antivirus and IDS/IDP in transparent mode behind the existing Firewall
• User PCs and workstations: protected by FortiClient
• Data Center: FG3000X2 in HA provides in-line firewall, Antivirus, IDS/IDP and Firewall functionality
Differentiated Technology Solution
Fortinet provides the only complete solution to effectively address the new enterprise security threats.
Figure: Firewall, VPN, Antivirus, Intrusion Prevention, Content Filtering, Anti-Spam, Traffic Shaping and Virtual Systems stacked on the FortiOS Operating System and the FortiASIC Content Processor.
• Blocks all common attacks
• Prevents blended threats
• Components integrated for maximum protection
• Optimizes network behavior and security
• Secure, fault-tolerant
• Architecture allows easy addition of further capabilities
• Hardware optimized for security and performance
Centralized Management
• Security Service Management - Central Management
– Complete turnkey management solution
• Policy Manager
– Create Policies for multiple devices and groups
– Create Content Profiles for multiple devices
• Realtime Monitor
– System Health, Device Status, Session Monitor, Traffic Flow, AntiVirus, Attack, Alert Notification
• Device Manager
– Model – create offline devices and configs, check differences
• Log Viewer
• Object Manager
• Admin Manager - Role Based Administration
• Server Manager
FortiManager System Supports Large Deployments
Figure: FortiManager admin consoles connect to the FortiManager server (appliance), which manages the FortiGate AV firewalls.
• Java based admin console(s)
• Powerful, easy to use
• Multiple administrators with role-based privileges
• Security hardened, plug & play appliance
• Scale to thousands of FortiGate units
• Centralized configuration, logging, monitoring
• Corba interface for OSS/BSS integration
• Independent management domains
• Supports departmental and/or regional management
FortiManager 2.80 Components
• FortiManager
Figure: SMS (Security Management System), NMS (Network Management System) and EMS (Element Management System) layers, with Log Monitor, Policy Manager, Device Manager, real-time system/device/log monitoring, AV + NIDS configuration, historical logs, access system, rule config and scheduled log backup.
FortiManager 2.8 Architecture
Figure: management consoles, the FortiManager server with its relational DB, and the managed FortiGate Antivirus Firewalls (multiple platforms, multiple functionalities).
• Central Management Platform
– Rack mountable
– Easy deployment
• Management Console
– Java app
– Multiple administrators
• Database Hooks
– Historical storage
Reporter
Without FirewallAnalyzer
The good news is that firewalls stream all activity in Syslog messages, and Syslog servers capture this information into log files. But finding valuable information in firewall log files, which contain huge amounts of cryptic information, is not easy.
FortiReporter
• FortiReporter
– Graphical report interface
– Professional log parsing for the full Fortinet firewall series
– Simple graphical remote web management interface
– Diverse network traffic reports
– Intrusion detection analysis reports
– Antivirus reports
– Web filtering reports
– Email filtering reports
– Report distribution
– Support for logs from multiple Fortinet firewalls
– Export of raw logs
– Free choice of report query interval
FirewallAnalyzer – Instant Reporting
FirewallAnalyzer – Drill Down
FirewallAnalyzer –
Top Viruses Blocked by Day
FirewallAnalyzer - Features
Auto-discovery of Firewalls – FirewallAnalyzer automatically recognizes all configured firewalls.
Advanced Log Data Collection, Data Update and Management – Automatically recognizes and collects log data; saves significant disk space and network bandwidth.
Policy-Based Data Update – Allows automatic transfer of delta log files and updates the data into a central repository.
Scalable and Comprehensive Data Management – Patent-pending FScale™ data management allows efficient processing, management and optimal storage of large amounts of current and historical log data from hundreds of firewalls.
Intelligent Data Correlation – Combines and correlates a variety of data from all firewalls.
Rules-Based Alerts – Automatically sends alerts based on user-defined thresholds.
Executive Dashboard – Provides a summary of activity across firewalls, with a drill-down option.
Role Based Access – Limits what each user can view based on their role and firewalls.
Managed Security Service Provider (MSSP) Support – Offers a value-added reporting service using the Reporting Portal, and allows each customer to view only their own firewall data.
FirewallAnalyzer - Features
Easy to Understand Reports – Generates easy to understand and interpret graphical and tabular reports.
Automated Report Generation & Distribution – Generates over 300 reports, with an easy mechanism to email reports automatically to multiple recipients.
Multiple Report Formats – Instant Reports, HTML, MS Word, MS Excel, Text and PDF.
Automated Syslog Collection – From firewall and VPN appliances.
Multiple Firewall Vendor Support – Supports all leading firewall appliances and servers.
Instant Reports with Powerful Drill Down – Generates reports in real time without having to wait for the processing of log files. The drill-down feature displays 2nd and 3rd level details with a single click.
Reduced Network Traffic – Reduces network traffic between the syslog server and FirewallAnalyzer by using delta log files in compressed format.
Archiving – Saves disk space by archiving processed log files.
High-Availability
High Availability
• HA modes
– Active-Active
– Active-Passive
• HA is also available in transparent mode
• Packet distribution (load balancing) methods: None, Hub, Least-Connection, Round-Robin, Weighted-Round-Robin, Random, IP, IP Port
• Firewall and VPN failover within 3 seconds
• HA alerts
– Once a failover is triggered, a message is actively sent to MIS via SNMP and the event is logged
Firewall Management
Built-in management functions
• SNMP – Simple Network Management Protocol
• SSH – Secure Shell
• CLI – Command-line Interface
• Web GUI – Web Graphical User Interface
• A “killer app”!
• Security through SSL
Real-time monitoring screen
How Individual Users Can Defend Against Network Threats
Personal Computer Protection Requirements
• AV protection
– Anti-virus/Anti-spam
– Anti-spyware/Anti-Trojan
• Personal Firewall
• Host IDS
• Windows Registry alerts
• Large scale policy management
• Centralized policy management
• VPN IPSec client for secure connectivity
• Active Port
Case Study
Data Center Security Option 1: Conventional Point Solutions
Figure: the data center servers sit behind a Check Point Firewall-1 on a Nokia IP 740 (firewall), a Tipping Point UnityOne-400 (intrusion detection) and Trend Micro antivirus software (10,000 user license) on 4 Dell servers.
Data Center Security Option 2: FortiGate 3600 System
FortiGate 3600 extends the existing perimeter security architecture with one or more of the following functions:
• Firewall
• Gateway Antivirus
• Transparent-mode Firewall
• Intrusion Detection and Prevention
• VPN connectivity
• Content Filtering
• Traffic Shaping
Acquisition / First Year Costs
Technology                                    FortiGate 3600    Point Solutions
Firewall                                      $30,000           $70,000
Antivirus                                     Included          $70,000
NIDS/IDP                                      Included          $43,000
Acquisition Cost                              $30,000           $183,000
Services (Maintenance, Subscriptions,
Support)                                      $15,000 (est.)    $50,000 (est.)
Personnel cost per year                       1 @ $75,000       2 @ $75,000
Training                                      $2,000            $7,500 (est.)
Three Year Cost Comparison
Cost Category   FG3600 3 Yr Cost Est.   Point Solution 3 Yr Cost Est.   $ Difference   % Difference
Acquisition     $30,000                 $183,000                        ($153,000)     (84%)
Services        $45,000                 $150,000                        ($105,000)     (70%)
Personnel       $225,000                $450,000                        ($225,000)     (50%)
Training        $6,000                  $22,500                         ($16,500)      (73%)
TCO             $306,000                $805,500                        ($499,500)     (62%)
Figure: network topology of the SCU campus network (Downtown Campus and Waishuanghsi Campus). Uplinks to TANet, TANet II, ASCC, CHT, Hinet and Seednet; Cisco 6509 core switches, a Cisco 4700 and a Cisco 3660; a Fortigate 3000 in front of the Internet server farm (mail, DNS, VOD, HPOV, Netflow server, CacheFlow 6000) and a Fortigate 1000 in front of the Administration & Academic System; building and department access switches (Cisco Catalyst 19xx/29xx/35xx, Extreme 24e2/48si, Foundry FSW4802, Ascen600, Accton hub) in the library, computer center, computer labs, dormitories and faculty buildings; link types FastEthernet, FX or fiber, Giga SX and Giga LX.
Key Security Considerations
• Malware
– Hard to control outbreaks
– Rogue notebooks
• Unauthorized access
– Internal / external threats
• Bandwidth use
– Need to regulate
• Wireless
– Increasingly prevalent
Security Requirements
• Enhance security
– Previously lacked formal security policy
– Want to keep network open
• Secure perimeter
– Need to secure from threats outside / threats
from within
• Limit virus threat
– Secure at core network gateway
– Secure at sub-net gateways
Previous Security Architecture
• Layer 3 switch/Router
– Packet filtering based on access lists
• No Firewall
• No IDS
• Antivirus for mail server
– Software solution
– Recommended use of client AV to students &
staff
Vendor Selection
• Criteria
– Hardware
– Price
– Performance
– Manageability
• Evaluated
– Fortinet
– NetScreen
– SonicWall
– Nokia (Check Point)
– Cisco PIX
Virus Log
Attack Log
Chose Fortinet!
• Broad functionality
– Especially for antivirus
• High-performance
– Gigabit-level real time protection
• Technical support from SI and Fortinet
– Hewlett-Packard Taiwan
• Business relationship
– Trust Fortinet and HP teams
– Long-term relationship with Fortinet AM, Paul Huang
Products Selected
• FG3000
– Perimeter security on core network
– Firewall, Antivirus, NIDS
• FG1000
– Perimeter security on sub-net to student records
– Firewall, Antivirus, NIDS
• FG60
– NPAT between FG3000 and server farm
– Will add NIDS and AV functions
Network Design
Figure: TANET and TANET II reach the Intermost Network and a layer 3 switch; the FG3000 sits on 1000 Mbps links with a VPN tunnel to the server farm and public servers; the Waishuanghsi Campus and the Downtown Campus each have a Cisco 6509, L2 switches, public servers and internal user PCs; the FG1000 sits between an L3 switch and the Administration & Academic System on a 100 Mbps link.
Benefits
• Vastly improved security
– Secure perimeter
– Alleviated malware threat
– DoS protection
– Virus protection
• Ease of management
– Automated push updates
– Improved reporting with eIQ
– MIS can have more time to manage rest of
networking events
Future Plans
• Considering adding additional units
– For two campus gigabit gateways
– For Different schools
• Looking at FG60 for sub-nets
– For different departments (LAN)
– Appears to fulfill requirements
– Cost-effective
Q&A
Thank you