Palo Alto Networks - Stallion

Transcript Palo Alto Networks - Stallion

Palo Alto Networks security solution
- protection against new cyber-criminal threats
focused on client-side vulnerabilities
Mariusz Stawowski, Ph.D., CISSP
Director of Professional Services, CLICO
email: [email protected]
Agenda
• Introduction
• New client-side vulnerabilities used by cybercriminals
• Next-Generation Firewall – an effective protection against attacks focused on end users
• A live demo of Palo Alto Networks security solution unique features in practice
• Summary
ISO9001:2001
Introduction
1990s
• Hackers were showing the World their knowledge and achievements.
Nowadays
• Cyber-criminals' activities are performed in an invisible way.
Introduction
Source: Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance – http://www.ic3.gov
Introduction
SANS The Top Cyber Security Risks 2009
Executive Summary
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
…
Source: SANS Institute - http://www.sans.org/top-cyber-security-risks/
Client-side Hacking
Tutorial: Real Life HTTP Client-side Exploitation Example
Step 0: Attacker Places Content on Trusted Site
Step 1: Client-Side Exploitation
Step 2: Establish Reverse Shell Backdoor Using HTTPS
...
Source: SANS Institute, "The Top Cyber Security Risks 2009" - http://www.sans.org/top-cyber-security-risks/
Client-side Hacking
Are we vulnerable?
Every company can easily conduct the test to verify if their safeguards are able to protect IT systems against common client-side threats.
Client-side Vulnerability Assessment
Test 1. Control of dangerous applications
The test objective is to verify if the Company's safeguards properly detect and block dangerous applications, i.e.:
• P2P (file sharing),
• Tor (free access to Internet services, publishing network services),
• Web conferencing (desktop sharing).
Security assessment should be conducted using real applications, e.g. Skype, smart P2P (e.g. Azureus) and a Web session tunneled through Tor.
Client-side Vulnerability Assessment
Test 1. Control of dangerous applications
Expected results
Client-side Vulnerability Assessment
Test 2. Client-side attacks in encrypted tunnels
[Diagram: audit station serving a Web page (<HTML> ... <FRAMESET> ... </FRAMESET> ... </HTML>) to the user's workstation; labels: Encrypted exploits and payload, SSL VPN, Backdoor]
The test objective is to verify if the Company's safeguards properly detect and block the attacks conducted in encrypted HTTPS traffic.
Security assessment can be conducted using the following tools:
• Web server (e.g. Apache Tomcat) publishing a Web page that contains exploits injected by a vulnerability exploitation tool (e.g. Metasploit),
• SSL VPN gateway tunneling the attacks in SSL (e.g. SSL-Explorer).
Client-side Vulnerability Assessment
Test 2. Client-side attacks in encrypted tunnels
Expected results
Client-side Vulnerability Assessment
Test 3. Hijacking user's application sessions
[Diagram: user's workstation – original Web sessions – intercepting proxy on the audit station – modified Web sessions – Web site]
• Intercepting proxy allows the intruders to change selected content of HTTP and HTTPS sessions (e.g. steal money from the user's bank account, reveal the user's credit card number and other confidential data).
The test objective is to verify if the Company's safeguards properly detect and block unauthorized access to an external Web proxy.
Security assessment can be conducted using Burp proxy (or another intercepting proxy) in the following way:
• The Web browser on the internal user's workstation should have its proxy configured to the external IP address where Burp is located.
• The user opens an HTTPS session to an e-commerce or e-banking system.
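The following Python script is an added example, not part of the original presentation and not code from CLICO or Palo Alto Networks. It shows how a defender can recognise the Test 3 configuration in captured traffic or flow logs: a browser that has been pointed at a proxy sends CONNECT requests for HTTPS and absolute-form request targets ("GET http://host/path") for plain HTTP, neither of which appears in direct browsing. The approved-proxy address, the internal address ranges, the flow records and the request lines are all constructed for the example.

```python
"""Added example: spotting browser traffic sent to an external Web proxy."""
import ipaddress
import re
from dataclasses import dataclass

# Proxies the company actually operates (constructed for the example; a real
# deployment would take this list from the firewall policy).
APPROVED_PROXIES = {ipaddress.ip_address("10.0.0.8")}

# Address space of the internal user network (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "<METHOD> <target> HTTP/1.x" request line
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


@dataclass
class Flow:
    """One client-to-server session with the first line of the client payload."""
    src: str
    dst: str
    dport: int
    first_line: str


def is_proxied_request(line: str) -> bool:
    """True if the request line could only come from a proxy-configured client.

    A browser talking to a proxy sends CONNECT for HTTPS and an absolute-form
    target ("GET http://host/path") for plain HTTP; a direct request to the
    server carries only the path ("GET /path").
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return False
    method, target = m.group(1), m.group(2)
    if method == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_unauthorized_proxy_use(flows):
    """Return (src, dst, dport, method) for internal clients using a proxy that is not approved."""
    findings = []
    for f in flows:
        if not is_internal(f.src):
            continue                      # only internal workstations are in scope
        if ipaddress.ip_address(f.dst) in APPROVED_PROXIES:
            continue                      # sanctioned corporate proxy
        if is_proxied_request(f.first_line):
            findings.append((f.src, f.dst, f.dport, f.first_line.split(" ", 1)[0]))
    return findings


# Constructed sample flows, as a sensor in front of the Internet link would see them.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.7", 8080, "CONNECT bank.example:443 HTTP/1.1"),     # HTTPS via external proxy
    Flow("10.1.2.3", "10.0.0.8", 3128, "CONNECT mail.example:443 HTTP/1.1"),        # via approved proxy
    Flow("10.1.2.4", "198.51.100.20", 80, "GET /index.html HTTP/1.1"),              # direct browsing
    Flow("10.1.2.5", "203.0.113.7", 8080, "GET http://shop.example/cart HTTP/1.1"),  # plain HTTP via external proxy
    Flow("192.0.2.9", "203.0.113.7", 8080, "CONNECT shop.example:443 HTTP/1.1"),    # not an internal source
]

if __name__ == "__main__":
    for finding in flag_unauthorized_proxy_use(SAMPLE_FLOWS):
        print("unauthorized proxy use:", finding)
```

The check only sees the first request line of a session, so it works on a span-port sensor as well as inline; a firewall that already identifies the web-proxy application (as the slides describe) can enforce the same decision in policy rather than after the fact.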
Client-side Vulnerability Assessment
Test 3. Hijacking user's application sessions
Expected results
Client-side Vulnerability Assessment
Detailed guidelines in ISSA Journal, November 2009
https://issa.org/Members/Journals-Archive/2009.html#November
Next Generation Firewall
Applications operate dynamically
• Port ≠ Application
• IP address ≠ User
• Packet data ≠ Content (e.g. encrypted)
• Most Internet applications communicate using HTTP and HTTPS protocols; they use dynamically assigned ports and encrypted tunnels.
• Network firewalls identify Web browsing on port 80 or 443; however, in reality there are hundreds of different applications - P2P, IM, Skype, online games, file sharing, email, etc.
Next Generation Firewall
• The fundamental security policy principle "Least Privilege" states that the network safeguards should block ALL TRAFFIC that was not explicitly defined by the policy as PERMITTED.
• The "Least Privilege" principle is a main part of IT security standards (ISO 27001, PCI, etc.).
• Compliance with the "Least Privilege" principle requires that the network safeguards properly identify all network applications regardless of port, protocol, evasive tactic and encryption (like SSL).
Effective applications identification and control
More than 60% of applications are hidden from network firewalls
[Diagram labels: Firewall, Stateful Insp., Intrusion Prev., Web Filtering, etc.]
• Firewalls do not recognize most of the applications.
  - Some applications and servers can be blocked on IPS (signatures) or Web Filtering (URL database).
  - As many applications (e.g. P2P, Skype, Tor) use encryption, they cannot be identified by IPS signatures.
• There is a need for a firewall that is able to identify applications (not ports only) and whose security policy describes allowed applications (all others are denied).
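As an added example (not code from the presentation or from Palo Alto Networks, and an illustration of the principle rather than of how App-ID itself is implemented), the Python below classifies a session by the first bytes the client sends and evaluates a least-privilege policy written in terms of applications, beside a port-based policy, so the two rule sets can be compared on the same flows. The payload heuristics, the sample flows and both rule sets are constructed for the example.

```python
"""Added example: application identification versus port-based filtering."""
from dataclasses import dataclass


@dataclass
class Flow:
    dport: int
    payload: bytes   # first bytes the client sends in the session


def identify_app(payload: bytes) -> str:
    """Name the application from the leading payload bytes, ignoring the port.

    The heuristics are constructed for the example: a BitTorrent handshake,
    an SSH banner, a TLS ClientHello record and an HTTP request line.
    """
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x0x, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    first_line = payload.split(b"\r\n", 1)[0]
    if b" " in first_line and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "web-browsing"
    return "unknown"


# Least-privilege policy: an explicit allow list of applications; everything else is denied.
APP_POLICY_ALLOW = {"web-browsing", "ssl"}


def app_policy(flow: Flow) -> str:
    return "allow" if identify_app(flow.payload) in APP_POLICY_ALLOW else "deny"


# Port-based stateful policy for comparison: "web browsing" is whatever hits 80 or 443.
PORT_POLICY_ALLOW = {80, 443}


def port_policy(flow: Flow) -> str:
    return "allow" if flow.dport in PORT_POLICY_ALLOW else "deny"


# Constructed flows: the last three are the evasion cases a port-based rule set lets through.
SAMPLE_FLOWS = {
    "browser":    Flow(80,  b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "tls":        Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    "p2p_on_80":  Flow(80,  b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05"),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh_on_22":  Flow(22,  b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def compare(flows=SAMPLE_FLOWS):
    """Map flow name -> (identified app, port-policy verdict, app-policy verdict)."""
    return {name: (identify_app(f.payload), port_policy(f), app_policy(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (app, by_port, by_app) in compare().items():
        print(f"{name:12s} app={app:13s} port-policy={by_port:5s} app-policy={by_app}")
```

The point of the comparison is the two "allow / deny" rows: BitTorrent on port 80 and SSH on port 443 pass a port-based rule set and are denied by the application-based one, because the application allow list never mentioned them.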
Effective applications identification and control
Palo Alto Networks solution
• Firewall security policy describes allowed applications
• Profiles activate inspection (AV, IPS, WF, etc.) as well as bandwidth management (QoS)
Effective applications identification and control
• Security Profiles identify malicious use of allowed applications.
• Firewall protects against network attacks and malicious code and, with multi-gigabit throughput, detects and filters illegal data transferred by applications (e.g. credit card numbers, specified documents).
Data Filtering - stops sensitive information (e.g. SSN, CC#) from traversing trusted boundaries. Data objects are defined as regular expressions (regex).
File Filtering - identification and filtering of specified files sent by applications. Identification is based on MIME type and file header (not extension).
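Added example (not code from the presentation or the product) showing both filtering ideas from this slide and from the Content-ID slide further on in plain Python: credit-card and SSN data objects written as regular expressions, with a Luhn check on the card number so that an arbitrary 16-digit string does not trigger the rule, and file-type identification from the file header (magic bytes) rather than from the file name. The magic-byte table, the sample text and the sample files are constructed for the example.

```python
"""Added example: regex data objects and header-based file-type identification."""
import re

# Credit card data object: 13 to 16 digits, optionally separated by single
# spaces or dashes, not embedded in a longer run of digits.
CC_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")

# SSN data object: AAA-GG-SSSS with the structural rules of the number
# (area not 000, 666 or 9xx; group not 00; serial not 0000).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a regex alone would also fire on order numbers and tracking ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Card numbers in text that match the pattern and pass the checksum."""
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


# File-type identification from the header (magic bytes) instead of the name.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),                                   # also OOXML (docx, xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),   # legacy .doc/.xls
    (b"MZ", "application/x-dosexec"),                                     # Windows executable
]
EXT_MIME = {".pdf": "application/pdf", ".png": "image/png", ".zip": "application/zip",
            ".docx": "application/zip", ".doc": "application/x-ole-storage",
            ".exe": "application/x-dosexec"}


def identify_file(data: bytes) -> str:
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with what the header says."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXT_MIME.get(ext)
    return expected is not None and expected != identify_file(data)


# Constructed sample content.
SAMPLE_TEXT = ("Card 4111 1111 1111 1111 exp 12/27; tracking 1234567812345678; "
               "SSN 123-45-6789; not an SSN 000-12-3456.")
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",   # executable renamed to .pdf
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}


def audit_files(files=SAMPLE_FILES):
    """Map file name -> (type from header, extension disagrees with header)."""
    return {n: (identify_file(d), extension_mismatch(n, d)) for n, d in files.items()}


if __name__ == "__main__":
    print("cards:", find_cards(SAMPLE_TEXT), "ssns:", find_ssns(SAMPLE_TEXT))
    print(audit_files())
```

The tracking number in the sample text has the same shape as a card number and is the reason a data object is more than a regex; the renamed executable is the reason file filtering reads the header rather than trusting ".pdf".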
Effective users identification and control
• Firewall policy accurately defines users' access to the network services and it is enforced even when the users change location and IP address.
• Firewall transparently verifies the user's identity (Active Directory, Citrix and TS integration).
Content inspection of encrypted traffic
Encrypted traffic hides important threats
[Diagram: Web browsing redirected over HTTPS to a Web site in the Internet, carrying exploits for Web browsers, spyware, Trojans, bots, etc.; labels: Firewall, Stateful Insp., Intrusion Prev., Web Filtering, etc.]
• Safeguards (firewall, IPS, etc.) do not analyze encrypted HTTPS traffic, through which intruders and malicious code can easily break into internal networks.
• There is a need for protections that decrypt non-trusted HTTPS traffic and properly analyze it (IPS, AV, etc.).
Content inspection of encrypted traffic
Palo Alto Networks solution
[Diagram: SSL content inspection; PAN certificate presented towards the client, server certificate towards the server]
• Firewall protects users surfing the Internet against dangerous attacks in encrypted communication (i.e. malicious code, exploits for Web browsers). PAN decrypts non-trusted HTTPS traffic and properly analyzes it (IPS, AV, etc.).
• Content inspection of encrypted SSL traffic – outgoing to the Internet and also incoming to the company's servers. PAN maintains an internal Certificate Authority for dynamic certificate generation (root CA or subordinate to the company's root CA).
• For outgoing traffic, the HTTPS inspection policy accurately defines the servers that are not trusted and require control. Identification of non-trusted HTTPS servers is performed using predefined Web Filtering categories (e.g. finance-and-investment, shopping) or addresses of known servers.
Visibility into Applications, Users & Content
• Dedicated graphical tools – network visibility and control in the scope of applications, users and content.
• Monitoring and reporting in real-time.
[Screenshot: detailed analysis of users' activities]
Next Generation Firewall
A live demo
Palo Alto Networks - technical features
PAN-OS
NETWORK FEATURES
• Interfaces:
  - Copper GB
  - SFP (1 GB)
  - XFP (10 GB)
  - 802.3ad Link Aggregation
• High availability:
  - Active - Passive
  - Configuration and session synchronization
  - Status monitoring of devices, links and communication paths
• Work modes:
  - L2
  - L3 (OSPF and RIP)
  - V-wire
  - Tap
• Virtualization:
  - VLAN (in L2 and L3)
  - Virtual routers
  - Virtual systems
PAN-OS
SECURITY FEATURES
• Firewall - network and application layers
• SSL traffic inspection
• NAT (ports, addresses)
• Bandwidth management
  - DiffServ
  - QoS
• Security technologies
  - App-ID, User-ID, Content-ID
• Content inspection
  - Anti-Virus
  - IPS & Anti-Spyware
  - Web Filtering
  - Data & File Filtering
• Transparent users authentication and control
• IPSec VPN
  - Route-based VPN (site-to-site)
  - SSL VPN
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 800 applications distributed across five categories and 25 sub-categories
• Definition of custom applications
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure
• Understand users' application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
  - also Citrix and MS TS agent
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
  - Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC# and SSN patterns
  - Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
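What "stream-based, not file-based" has to get right is shown in this added example (not the product's code, and not a description of Content-ID internals): a scanner that matches signatures on each segment as it arrives but keeps the tail of the previous segment, so that a pattern split across two TCP segments is still caught, next to a naive per-segment scanner that misses it. The signatures, the stream and the segment boundaries are constructed for the example.

```python
"""Added example: signature matching across segment boundaries."""
import re

# Constructed signatures: an SSN data object and a harmless marker string
# standing in for a threat signature.
SIGNATURES = {
    "ssn": re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "test-marker": re.compile(rb"EXAMPLE-TEST-MARKER"),
}


class StreamScanner:
    """Scans a byte stream segment by segment, keeping enough history to
    finish a match that straddles a segment boundary."""

    def __init__(self, signatures=SIGNATURES, history=24):
        # history must exceed the longest signature (19 bytes here) plus the
        # one byte of look-behind the SSN pattern needs.
        self.signatures = signatures
        self.history = history
        self.carry = b""     # tail of the stream seen so far
        self.offset = 0      # stream offset of carry[0]
        self.hits = []       # (signature name, stream offset of the match)

    def feed(self, segment: bytes):
        prev = len(self.carry)
        data = self.carry + segment
        for name, rx in self.signatures.items():
            for m in rx.finditer(data):
                if m.end() > prev:       # ends in the new bytes, so not reported before
                    self.hits.append((name, self.offset + m.start()))
        drop = max(0, len(data) - self.history)
        self.carry = data[drop:]
        self.offset += drop
        return self.hits


def stream_scan(segments, signatures=SIGNATURES):
    scanner = StreamScanner(signatures)
    for seg in segments:
        scanner.feed(seg)
    return scanner.hits


def scan_per_segment(segments, signatures=SIGNATURES):
    """Naive scanner that looks at each segment on its own (what a stream scanner must not do)."""
    hits, pos = [], 0
    for seg in segments:
        for name, rx in signatures.items():
            for m in rx.finditer(seg):
                hits.append((name, pos + m.start()))
        pos += len(seg)
    return hits


# Constructed stream, cut into segments so that both patterns straddle a boundary.
STREAM = b"Customer record: SSN 123-45-6789 attached. Payload: EXAMPLE-TEST-MARKER end."
SEGMENTS = [STREAM[:26], STREAM[26:60], STREAM[60:]]

if __name__ == "__main__":
    print("stream-based:", stream_scan(SEGMENTS))
    print("per-segment: ", scan_per_segment(SEGMENTS))
```

Reporting only matches that end in the newly arrived bytes is what keeps the history window from producing duplicate hits; the window itself is the memory cost of stream scanning, and it is bounded by the longest signature, not by the size of the file being transferred.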
Flexibility of security operations
Networks and threats are changing
[Diagram labels: WAN Zone, DB Zone, DMZ, WAN, Internal Zones, File server, Email server, Web/DNS server, SQL servers, Intranet server, Untrust Zone, VLAN Trunk, Internet, L3 - router, sniffer, L2 - transparent, User workstations]
• Appropriate protection of IT systems requires safeguards controlling many network segments in different modes – L3, transparent (L2) and sniffer.
• Cost effectiveness requires the virtualization of protections – VLAN interfaces, virtual routers, and virtual systems.
Flexibility of security operations
Palo Alto Networks solution
[Diagram labels: L2 – VLAN 20, L2 – VLAN 10, Vwire, L3 – DMZ, L3 – Internet, Tap – Core Switch]
• Many work modes - Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
• Protections' work mode adjusted to the requirements – network interfaces in one device can work in different modes.
• Security virtualization – VLAN interfaces in L2 and L3, virtual routers and virtual systems.
Inspection without performance degradation
Application inspection causes performance degradation
[Diagram labels: IPS module, AV module, WF module, FW module]
• Application inspection of the network traffic performed on many inspection modules (IPS, AV, etc.) causes huge performance degradation.
• There is a need for protections that, in one inspection module working with multi-gigabit performance, can identify and completely analyze application traffic.
Inspection without performance degradation
Palo Alto Networks solution
• One module for network traffic analysis using a shared database of universal signatures for content inspection.
• Purpose-built hardware architecture:
  - protection tasks performed on dedicated hardware elements,
  - separation of control and traffic processing modules.
[Diagram: Policy Engine; Content-ID (Data Filtering, URL Filtering, Threat Prevention, Application Protocol Decoding); App-ID (Application Protocol Detection and Decryption, Application Signatures, Heuristics); User-ID; L2/L3 Networking, HA, Config Management, Reporting]
Inspection without performance degradation
• One module for network traffic analysis using a shared database of universal signatures for Intrusion Prevention, Anti-Virus, Anti-Spyware, etc.
[Diagram: Viruses, Spyware, Files, Spyware "Phone Home", Worms, Vulnerability Exploits (Future) -> Uniform Signature Format -> Stream-Based Matching]
Inspection without performance degradation
• Purpose-built hardware architecture:
  - protection tasks performed on dedicated hardware elements (Flash Matching HW, SSL/IPSec Enc. HW, Network Processor),
  - separation of control and traffic processing modules.
[Diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with Flash Matching Engine and RAM, multi-core security processor (CPU 1 ... CPU 16) with RAM and SSL, IPSec and De-Comp. functions, and a network processor with QoS, Route/ARP/MAC lookup and NAT]
Flash Matching HW Engine
• Uniform signatures matching
Multi-Core Security Processor
• Hardware accelerated SSL, IPSec, decompression
10 Gig Network Processor
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
Security management
• CLI and graphical Web console
• Central management system - Panorama
• Role-based administration enables delegation of tasks to the appropriate person
• Local user database and RADIUS
• Admin audit
• Syslog, SNMP and Email reporting
• XML-based API
Security management
• CLI: > commit
• Active and candidate configurations
• Rollback, quick comparison of different configurations
Analysis, monitoring and reporting
© 2008 Palo Alto Networks. Proprietary and Confidential.
Device models
Annual Subscriptions
• Threat prevention +20%
• URL filtering +20%
• Support +16%
Performance
[Chart: PA-2000 Series (Remote Office / Medium Enterprise) and PA-4000 Series (Large Enterprise, 10Gb with XFPs); scale 250Mb, 500Mb, 1Gb, 2Gb, 10Gb]
PA-500
- 250 Mbps firewall throughput
- 100 Mbps threat prevention throughput
- 50 Mbps IPSec VPN throughput
- 250 IPSec VPN tunnels and tunnel interfaces
- 7,500 new sessions per second
- 64,000 max sessions
- (8) 10/100/1000
- (1) 10/100/1000 out of band management interface
- (1) RJ-45 console interface
PA-2000 Series
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
Chassis:
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port
PA-4000 Series
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
Chassis:
- 2U, 19" rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
Summary
Palo Alto Networks – unique features
1. Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.
More than 60% of applications are hidden from network firewalls.
• Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.) - The Principle of Least Privilege.
• Common firewall, IPS and UTM are not able to fulfill this requirement.
ISO 27001, A.11.4.1. Policy on use of network services. The users should only be provided with access to the services that they have been specifically authorized to use.
Palo Alto Networks – unique features
2. Protects the users surfing the Internet against dangerous attacks in encrypted communication (e.g. malicious code, exploits for Web browsers). Non-trusted HTTPS traffic is decrypted and properly inspected (IPS, AV, etc.).
Common safeguards (network firewall, IPS, etc.) do not analyze encrypted SSL traffic, through which intruders and malicious code can easily break into internal networks.
[Diagram: Web browsing redirected over HTTPS to a Web site in the Internet, carrying exploits for Web browsers, spyware, Trojans, bots, etc.; labels: Firewall, Stateful Insp., Intrusion Prev., Web Filtering, etc.]
Palo Alto Networks – unique features
3. Performs the security tasks on network interfaces operating in different work modes (L2, L3, Tap, VLAN in L2 and L3). If needed, the security device can work in different modes at the same time.
Appropriate protection of IT systems requires safeguards controlling many network segments in different modes – L3, transparent (L2) and sniffer. Common network safeguards can work only in one selected mode.
[Diagram labels: L2 – VLAN 20, L2 – VLAN 10, Vwire, L3 – DMZ, L3 – Internet, Tap – Core Switch]
Palo Alto Networks – unique features
4. Performs accurate application inspection (IPS, AV, etc.) without performance degradation (one inspection path - shared database of universal signatures, purpose-built hardware architecture).
[Diagram: Policy Engine; Content-ID (Data Filtering, URL Filtering, Threat Prevention, Application Protocol Decoding); App-ID (Application Protocol Detection and Decryption, Application Signatures, Heuristics); User-ID; L2/L3 Networking, HA, Config Management, Reporting]
Application inspection in common UTM is performed on many inspection modules (IPS, AV, WF, etc.) based on products from different vendors.
• It causes huge performance degradation.
[Diagram labels: IPS module, WF module, FW module, AV module]
Palo Alto Networks – unique features
5. Manages the network bandwidth with QoS policies that are defined per applications, users, IP addresses, interfaces, VPN tunnels and other parameters.
6. Transparently authenticates the identity of users in the network (AD, TS, Citrix integration). Firewall policy accurately defines user access permissions to the applications and enforces them even when the users change location and IP address.
7. Provides granular visibility and policy control over applications, users and content.
Deployment scenarios
Visibility / Monitor
• Connect to span port
• Provides application visibility without inline deployment
Firewall Augmentation
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance