InstantScan Product Introduction - L7 Networks Inc.

InstantScan
Content Manager
L7 Networks
L7 Networks Inc.
Agenda
Company Profile
• L7 Missions
• L7 Investors
Layer-7 Content Manager
• Part-I Market Demand
• Part-II Solutions
• Part-III Successful Cases
• Appendix-I Layer-7 App.
• Appendix-II Product Spec.
• Appendix-III Patents
Missions: Internal Network Security
• InstantLock Co-Defender. Defending Internal Attacks: Isolate virus-infected PCs
• InstantScan Content Mgr. Catching Internal Thieves: Employee internet content / behavior management
(Internal Threats)
• InstantBlock Application Firewall. Preventing External Attacks/Thieves: Unified threat management
(External Threats)
• InstantQos Bandwidth Mgr. Shaping Internal Traffic: Manage P2P / streaming / VoIP / … by layer-7 in-depth classification
L7 Investors
Part-I
Market Demands
Catching the Internal Thieves
What are your employees doing at work?
• Outlook for emails
• Internet Explorer for web sites: Looking for info for work? Check out stock price first!
• MSN for chats: Communicating for work? Speak to lovers first!
• BT, ED2K, Xunlei: Download a movie back home for fun!!
(Slide labels: employee productivity killer; network performance killer)
Survey & Studies
• Heavy Usage
– Gartner: >30% enterprise, <1% control (2005)
– Radicati Group: >80% enterprise (2008)
• Security Threats
– WORM_KELVIR.A
– WORM_FATSO.A
– …
1. Employees with low productivity
2. Information Leakage or Virus
[Image label: Price Book]
3. Bandwidth stealers for downloads
P2P downloads
• Illegal music
• Illegal movies
• ……
Bandwidth inadequate for
• HTTP
• Email
• ERP
• ……
Plug & Play
• 2005/03/25: NBL Editor’s Choice (Beat Facetime, Akonix)
• 2005/12/01: National Innovation Awards
[Diagram: switch, Firewall, L7 Content Manager (stealth mode)]
5-Step Content Management
• Step.1 Discovery: Real-time Learning
• Step.2 Normalization: Layer-7 to Layer-4 Normalization
• Step.3 Behavior Mgmt.: Interactive Behavior Mgmt.
• Step.4 Content Mgmt.: Deep Content Inspection
• Step.5 Report Analysis: Offline Report / Analysis
[Diagram labels: MSN file transfer, IM Game, IM Chat, IM Streaming, P2P Bandwidth Mgmt. (35 Mbps / 20 Mbps / 10 Mbps), Anti-Virus, File Recording, Chat Recording, Keyword block]
1. Employees with low productivity
Instantly respond to employees in chat windows even though IS doesn’t have an IP address
2. Information Leakage or Virus
[Image labels: Price Book, Instant Warning]
3. Bandwidth stealers for downloads
After installing InstantScan
P2P downloads
• Illegal music
• Illegal movies
• ……
Mission critical app.
• HTTP
• Email
• ERP
• ……
Part-II
Solutions
Solutions
• Employee Productivity: manage / filter / record / audit employees’ IM & Web behaviors and contents to increase their productivity
• Layer-7 Visibility: understand the real applications being run by your employees
• Network Performance: limit P2P / P2SP traffic and guarantee mission-critical traffic such as ERP, VoIP, Web traffic
• Internal Security: protect internal network users from virus/worm or information leakage by P2P / tunnel software, spyware, WebMail, WebIM, etc.
• Built-in backend reports for 3-level analysis: (1) index for productivity, performance, security; (2) dashboards for summary; (3) detailed reports for inspection
• High-speed UTM hardware platform with intelligent 3-tier arch. for performance, availability, and reports
Painless Installation?
WebSense / BlueCoat / FaceTime / IM Logic / Akonix require setting up every client to connect to the IM Proxy
(Check website for comparison)
[Diagram: Spam Wall, Virus Wall, Inline-IDP, Firewall/VPN, Content Mgmt., IM Proxy, Web Proxy]
• What if IM behaves like Web Proxy?
• What if IM is tunneled in WebMSN/Mail/HTTP/…?
Step 0. No Modification of Networks
• IM in port-80, proxy, socks4/5 can still be managed
• Even in wireless/DHCP environments, IM can still be managed by AD
[Diagram: Firewall/Router, Management Server, DHCP Server, switch, IS, switch, Proxy, AD Server]
3-Tier Architecture
• Friendly user interfaces
• Powerful reporting and alerts
• Plug & play installation without modifying network arch.
5-Step Content Management
Step 1. Discovery (App. View)
Watch applications’ sessions and highlight tunneled IM sessions
Step 2. Setup L7 Policy
Scheduled updates to Application Patterns to manage application usage by defined time schedules
Step 3.1 Setup IM Policy for Individuals
IM management for individuals by (1) specific IM accounts, (2) learning, (3) registration, (4) AD name, (5) AD group
Step 3.2 Setup IM Behavior Mgmt.
Define permission levels to facilitate individual IM policy deployment
Step 3.3 Setup IM Peers
Limit the peers for chat by individuals or groups
Step 3.4 Self-Defined Policy Violation Warning Messages
Multi-language support for all languages
Step 3.4 Setup Bandwidth Pipes
Divide outbound bandwidth pipes by mouse drags
Divide inbound bandwidth pipes by mouse drags
Step 4.1 Setup IM Chat Content Management
Right click to define your own chatting keywords / groups
Step 4.2 Setup IM File Transfer Content Management
Right click to define your own filename keywords/groups
Step 4.3 Setup IM File Transfer Anti-Virus
Anyone who is infected with a virus will be notified of the name of the virus
Step 5.1 Multi-level Auditing Levels
3 levels: admin/mis/audit to separate operating and auditing parties
Step 5.2 Ranking by app. usage
Step 5.3 Ranking by traffic volume
Step 5.4 Scheduled Reports in HTML/PDF/XLS Formats
Part-III
Successful Cases
Accounting & Auditing
Anyone who is auditing others should have themselves well-audited so as to assist customers to be compliant with various regulations.
Manufacturing
Confidential information should be kept as private as possible. InstantScan is able to detect varieties of tunneled software which may cause a lot of security holes for information leakage.
Semiconductor
Confidential design sheet is the core technology of IC design and must be kept as private as possible. Anyone who uses IM to transfer confidential files can be caught with strong evidence.
IC Design
Confidential design sheet is the core technology of IC design and must be kept as private as possible. Anyone who uses IM to transfer confidential files can be caught with strong evidence.
Banking & Stocks
With a heavy usage of IM across the stock transactions, they do need a tool to log and record what the customers have issued to the brokers, and what the brokers have spoken to the internal dealers.
Photodiode
Confidential design sheet is the core technology of Photodiode and must be kept as private as possible. Anyone who uses IM to transfer confidential files can be caught with strong evidence.
Electronics
The confidential price book is our core value in selling the chips and must be kept as private as possible. Anyone who uses IM to transfer confidential files can be caught with strong evidence.
Media
Confidential news is invaluable if it is kept secret. However, journalists communicate largely with IM so they can share the resources. What is worse, internal staff may also use IM to tell staff in other companies. However, IM is extremely convenient for communications among internal staff. We need L7 to control them.
Spun off from the D-Link corporation, Alpha continued to sue VIA Technology for the stolen confidential designs. In the meantime, Alpha Networks put 4 InstantScan boxes at the outbound links to control the use of IM so as to gather the information of IM usage.
As the largest multi-level company in the world, Amway continued to make itself conform to the toughest regulations in order to keep its electronic communications as secure as possible, just like what it had done to web and emails.
Confidential patents are invaluable if they are kept secret. Biochemistry has become the most emergent industry that can boost revenue in the century. Just like what the health-care industry has emphasized, the data of the patient or people under experiments is extremely proprietary and must never be leaked to anyone else. L7’s InstantScan helps to control the usage of IM.
Benefits for Deploying InstantScan
• Discovery
– See who is actually using the network for what, especially in multi-culture environments which mix a huge number of applications.
• L7 Firewall: IM / P2P / Tunnel / Streaming / VoIP / File-Transfer / …
– Effectively control the applications in your networks, either blocking or shaping
• Content Manager: IM & Web
– Selectively log/record employees' activities and contents for regulations and compliance.
– Actively control the activities/contents instead of just logging/recording to prevent confidential information leakage while improving productivity.
• Report & Analysis
– Log and archive for potential legal discovery needs or other purposes
– Indication of employees' policy violations or productivity.
Layer-7
Content Manager
Appendix-I
FAQ
1. What applications does L7 support?
• Check Appendix II or L7 Web Portal
2. Target customers and competitors
[Chart labels: Actively mgmt. + auditing; Passive auditing; models IS-5000, IS-1000, IS-100, IS-50, IS-10; company sizes Tiny (<30), Small (<70), Medium (<150), Large (<1000), Huge (<3000 people)]
• Competitor: Facetime/Akonix/ImLogic. Installation: Win. Function: Even. Price: Win (no need to have 2 devices)
• UTM-oriented market. Need passive sniffing instead of active management. So L7 integrates IS+IB+IQ to penetrate this market
• Competitor BlueCoat has dominated the proxy market by huge number of deployed proxies. Emphasize L7’s IM/P2P advantage, with no need to change their proxy architecture
Appendix-II
L7 Applications
Normalization: Step 1~Step 2
[Diagram: 5-step content management: Step.1 Monitor, Step.2 Normalization, Step.3 Behavior Mgmt., Step.4 Content Mgmt., Step.5 Report Analysis]
General Applications
• No matter which port they use
– HTTP
– SMTP
– POP3
– IMAP
– FTP
Instant Messenger (IM)
• MSN: 6.2, 7.0, 7.5, 8.0 beta, Windows Live Messenger 8.0
• Yahoo Messenger: 5.5, 6.0, 7.0, 8.0 beta, 8.0
• ICQ: 2003pro, 4.14lite, 5.0
• AIM: 5.9
• QQ:
– YamQQ-2003II, QQ-2003II, QQ-2003III, YamQQ-2004III, QQ-2004 formal edition,
– YamQQ 2005 Formal Edition, QQ 2005 Beta2,
– QQ 2005 Simplified Chinese Formal edition (include Coral (珊瑚蟲) Enhancement Pack v4.0 Formal Edition)
– qqfile: QQ2006Beta2, qqshare: QQ2006Beta2
• Miranda: v0.4
• Gaim: v1.30
• Trillian: Basic 3.0
• Google talk beta
• Webim: include web-msn, web-aol, web-yahoo, web-icq
– http://www.e-messenger.net/, http://e-messenger.net/, http://vweb.e-messenger.net/,
– http://start.e-messenger.net/, http://hanoi.e-messenger.net, http://www.meebo.com/,
– http://www.iloveim.com/, http://x??.iloveim.com/, http://hanoi.e-messenger.net,
– http://webmessenger.msn.com/, http://www.icq.com/icq2go/, http://aimexpress.aim.com/
– http://www.ebuddy.com
Peer-to-Peer (P2P)
• Bittorrent:
– BitComet 0.54 / 0.6 / 0.67, Bitspirit 2.7, Mxie 0.6.0.2, utorrent 1.5, azureus 2.4
• Kuro: m6, 2005 5.18
• Edonkey:
– Emule 0.42b/0.44d/0.45b, edonkey2000 V1.0, Overnet tested-version, utorrent v1.5, azureus v2.4
• ezPeer+ v1.0beta
• Directconnect: directconnect 2.205, dc++ 0.668
• OpenFT: crazaa v3.55, Kceasy v0.14
• Pigo: pigo v3.1, 100bao v1.2.0a
• Kugoo: v2.03, v2.055, v3.10
• Ares: 1.04
• poco:
– poco 2005
– pp point (pp奌奌通) v2006
• Fasttrack:
– kazaa 2.7 / 3.0 / 3.2
– grokster 2.6/2.6.5
– iMesh 4.5 build 151 / 5.20 / 6.5
• Gnutella:
– ezpeer: 1999A6, 1999A10, BearShare Pro 4.6.2, Shareaza 2.1.0.0, Morpheus 4.6.1/ 4.7.1
– Gnucleus 1.55, 2.0.9.0, Mxie 0.6.0.2, Foxy 1.8.6
Voice Over IP (VoIP)
• Skype:
– 1.0, 1.1, 1.2, 1.3, 1.4, 2.0, 2.5beta, 2.5.0.113
• SkypeOut:
– 1.4, 2.0
• SIP:
– TelTel 0.8.5.3, Wagaly TelTel 0.8.4, MSN Voice 7.5, Yahoo Voice 7.0
• H323:
– NetMeeting: 3.01
Tunnel Ware
• hopster: Release 17
• Httptunnel: v3.2, 3.4
• Realtunnel: v0.9.9, 1.0.1
• VNN: 2.1, 3.0
• Softether: 1.0, 2.0
• Tor: v0.1.0.1X, v0.1.1.22
• JAP 00.05.022
• YourFreedom 20060725-01
Remote Access
• Windows remote desktop
• VNC (Virtual Network Computing)
– vnc, Ultra VNC 1.0.1, Win v3.3.7
• Symantec pcAnywhere 10.5 / 11
• NetOP Remote Control v9.00
• Remote Administrator 2.2
Streaming
• RTSP:
– http://www.haody99.com/, MediaPlayer 10.0, RealPlayer 10.5
– QuickTime 6.5, 7.0, KKBox: v1.0, v2.0, v2.2, RealOne 1.0, 2.0
• MMS (Multimedia Messaging Service)
• Yahoo music (http://music.yahoo.com/, http://tw.music.yahoo.com/, http://music.yahoo.com.cn/)
• Shoutcast:
– winamp 5.111 / 5.24
– JetAudio 6.2
– Icecast 2.3
• Live365: Radio365 1.11 build17
• Google Video (http://video.google.com/)
• AOL Radio (http://music.aol.com/radioguide/bb.adp)
• iTunes 6.0
• TVAnts 1.0
• PeerCast 0.1217
• Napster (www.napster.com)
• qqtv (QQ Live; tv.qq.com) 3.2
• ppstream 1.0
• Webs-tv (http://www.webs-tv.net)
Appendix-III
Product Comparison
L7 vs. Facetime vs. Akonix vs. IM Logic
Facetime’s Solution
• Limited solution. Cannot control P2P bandwidth. Can block Skype
• Require clients to assign proxy to IM Auditor
• What if the proxy is not set?
Akonix’s Solution (I)
• Limited solution. Cannot control P2P bandwidth. Cannot manage Skype
• Require clients to assign proxy to IM Auditor
• What if the proxy is not set?
Akonix’s Solution (II)
• Limited solution. Cannot control P2P bandwidth. Cannot manage Skype
• Cannot manage MSN / Yahoo / AOL / ICQ over random ports
IMLogic’s Solution
L7 Networks’ Solution
Award-winning test report
NBL Test Report (2005/2/23)
Test item 3.1: IM to be managed
|       | Facetime | Akonix | L7 Networks | Abocom |
| MSN   | ○ | ○ | ○ | ○ |
| AOL   | ○ | ○ | ○ | ○ |
| QQ    | ╳ | ╳ | ○ | ○ |
| ICQ   | ○ | ○ | ○ | ○ |
| Yahoo | ○ | ○ | ○ | ○ |
| Skype | ╳ | ╳ | ○ | ○ |
NBL Test Report (2005/2/23)
Test item 3.1.1: MSN Management
|               | Facetime | Akonix | L7 Networks | Abocom |
| Message       | OK | OK | OK | N/A |
| File transfer | OK | FP | OK | N/A |
| Voice         | OK | FN | OK | N/A |
| Image         | FP | OK | OK | N/A |
| Game          | FP | OK | OK | N/A |
FP: False positive, FN: False negative, N/A: Not available
NBL Test Report (2005/2/23)
Test item 3.1.2: Yahoo! Management
|               | Facetime | Akonix | L7 Networks | Abocom |
| Message       | OK | OK | OK | N/A |
| File transfer | OK | OK | OK | N/A |
| Voice         | FP | FP | OK | N/A |
| Image         | OK | OK | OK | N/A |
| Game          | FP | FP | OK | N/A |
FP: False positive, FN: False negative, N/A: Not available
NBL Test Report (2005/2/23)
Test item 3.1.3: QQ Management
|               | Facetime | Akonix | L7 Networks | Abocom |
| Message       | N/A | N/A | N/A | N/A |
| File transfer | N/A | N/A | N/A | N/A |
| Voice         | N/A | N/A | N/A | N/A |
| Image         | N/A | N/A | N/A | N/A |
| Game          | N/A | N/A | N/A | N/A |
FP: False positive, FN: False negative, N/A: Not available
NBL Test Report (2005/2/23)
Test item 3.1.4: ICQ Management
|               | Facetime | Akonix | L7 Networks | Abocom |
| Message       | OK | OK | OK | N/A |
| File transfer | FP | FP | OK | N/A |
| Voice         | OK | FN | OK | N/A |
| Image         | OK | FN | OK | N/A |
| Game          | OK | FN | OK | N/A |
FP: False positive, FN: False negative, N/A: Not available
NBL Test Report (2005/2/23)
Test item 3.1.5: AOL Management
|               | Facetime | Akonix | L7 Networks | Abocom |
| Message       | OK | OK | OK | N/A |
| File transfer | FP | OK | OK | N/A |
| Voice         | OK | FP | OK | N/A |
| Image         | OK | OK | OK | N/A |
| Game          | OK | FN | OK | N/A |
FP: False positive, FN: False negative, N/A: Not available
NBL Test Report (2005/2/23)
Test item 3.1: Action to be taken
|                   | Facetime | Akonix | L7 Networks | Abocom |
| Blocking          | ○ | ○ | ○ | ○ |
| Filtering         | ○ | ○ | ○ | ╳ |
| Intervening       | ○ | ○ | ○ | ╳ |
| Recording         | ○ | ○ | ○ | ╳ |
| Bandwidth Control | ╳ | ╳ | ○ | ╳ |
| Virus Detection   | ○ | ○ | ╳ | ╳ |
Virus scanning is supported in advanced version
NBL Test Report (2005/2/23)
Test item 3.1: Object to be managed
|                 | Facetime | Akonix | L7 Networks | Abocom |
| IP address      | ╳ | ○ | ○ | ○ |
| IM user account | ○ | ○ | ○ | ╳ |
Appendix-IV
Patents
Patent-1: PostACK TCP BW. Mgmt.(1)
• Contributed to IEEE
– IEEE Transactions on Computers, Vol.53, No.3, March 2004: Assessing and Improving TCP Rate Shaping over Enterprise Edges
– IEEE Communications Surveys and Tutorials, Vol.5, No.2, 2003: A Measurement-Based Survey and Evaluation of Bandwidth Management Systems
– IEEE Global Telecommunications Conference 2004 (IEEE Globecom 2004), Dallas, Texas USA, Nov. 2004: On Shaping TCP Traffic at Edge Gateways
– IEEE Symposium on Computers and Communications (IEEE ISCC 2003), Kemer - Antalya, Turkey, Jun. 2003: Co-DRR: An Integrated Uplink and Downlink Scheduler for Bandwidth Management over Wireless LANs
Patent-1: PostACK TCP BW. Mgmt.(2)
• Packeteer
– TCP Rate Control
• Window sizing
• L7
– PostACK
• Delaying the reverse ACK
Patent-2: SoftASIC® Classification
• Step 1. Reassembly
• Step 2. Match!! (pattern matching: …, Yahoo app. pattern, AOL app. pattern, MSN app. pattern, BT app. pattern, …)
• Step 3. Cut-Thr Forwarding
[Diagram labels: P2P/BT@HTTP, BT]
At most first 10 pkts can judge if this HTTP is
(average case: first 3 pkts can finish the process)
Patent-3: Multi-Stage Inspection(1)
• Standard@Any
• HTTP
• Proxy@HTTP@Any
• Socks4@Any
• Socks5@Any
• ….
[Diagram: Spam Wall, Virus Wall, Inline-IDP, Firewall/VPN, Content Mgmt., IM Proxy, Web Proxy]
Patent-3: Multi-Stage Inspection(2)
• Step 1. Strip Headers (socks4/5)
• Step 2. Match!! (pattern matching: …, Yahoo app. pattern, AOL app. pattern, MSN app. pattern, BT app. pattern, …)
• Step 3. Redirect
[Diagram labels: IM Content Mgmt. Engine, MSN@Socks@Any]
Patent-4: Inline-Proxy Stack(2)
Benefits:
• True inline plug & play proxy stack
• Stable user-space programming
• Easy for SMP parallel processing
[Diagram labels: IM/Web Content Mgmt. Engine, Inline-Proxy TCP Stack, Queue, MSN@Socks@Any]
Emulate original IP/port while swapping sequence #
Layer-7
Content Mgmt.
Expert