Next Generation
Firewalls
Presented by:
Bill Beverley
Security Technology Sales Manager
2
Security at the heart of the network
3
Comprehensive Security?
“Securing access to and delivery of data and applications.”
Network and Application security are both “well known” disciplines
4
Application Security: HTTP
Most people associate app security with HTTP and the Web
Internet traffic is growing at 50%–60% annually*
– In 2006 the US was averaging 450-800 PB / month*
On top of HTTP:
– HTML, XML, AJAX, PHP, JavaScript, etc…
Limitless attack vectors and scope
* Andrew Odlyzko, University of Minnesota, Feb 2008
5
The Port 80 Hole: HTTP
(Diagram: data passing through the port 80 hole; only the label “DATA” survives extraction.)
“64% of the 10 million security incidents tracked targeted port 80.”
– Information Week
6
Application Vulnerability Statistics
7
What’s Driving Application Attacks?
Secure Networks
– Effectiveness of Network Firewalls
Target-rich Application Environments
– “Webification”: Fat Browsers
– Feature rich & data rich environments
– Increasingly trusted environments (SSL offers a False Sense of Security)
– Technology adoption is still running ahead of security appreciation
Profit
– Applications deliver data & data delivers $ (or £ or €)
8
Just fix the App!! Easy to say, harder to deliver...
(Diagram of competing application concerns: Application Security, Application Scalability, Application Performance, Application Patching, Application Development; presenter note: add application availability.)
9
The Result: A Growing Network Problem
(Diagram in three columns. Users: mobile phone, PDA, laptop, desktop, co-location. Network Point Solutions: SSL acceleration, server load balancer, rate shaping, DoS protection, application firewall, content acceleration, traffic compression, connection optimization, customize application. Applications: CRM, SFA, ERP, repeated many times over.)
10
…And Then Who Owns It?
(Diagram: Network Administrator on one side, Application Developer on the other, with a “?” between them. Traditional networks are focused on connectivity; applications focus on business logic and functionality. The gap produces a new security hole, high cost to scale and slow performance.)
11
…And Then, Who’s Responsible?
(Diagram of three roles, Operations, Network Guy and Application Architecture, around Security. Labels: view specific application; control only defined applications; test only defined applications; grant limited control; grant limited views; grant limited monitoring; high cost of operation.)
12
Fix it in the Network?
(Diagram of the enterprise: Branch Office, Headquarters / Corporate Users, Remote Users, the ISP link, and the Applications tier of web servers, application servers and databases. Risk labels placed around the sites, in the order they appear:
– application availability/performance; information theft; unauthorized access; viruses
– application availability/performance; equipment/power failures; maintenance downtime; natural disaster
– application availability/performance; information theft; ISP availability/bandwidth; unauthorized access; viruses; WAN availability/performance
– ISP availability; ISP bandwidth
– application availability/performance; equipment/power failures; information theft; ISP availability/bandwidth; maintenance downtime; natural disaster; unauthorized access; WAN availability/performance; viruses)
13
Segment #1: Perimeter Firewalls
(Same enterprise diagram and risk labels as the previous slide, now titled for the perimeter-firewall segment.)
14
Current Network Solutions
• Network Firewalls
  • Perfect Socket Management Devices
  • They Live in Layers 3-4
  • What about Layers 2, 5, & 7?
• IPS
  • Packet Re-assembly Devices
  • What about Application Session Awareness?
  • What about SSL?
  • >70% of Customers Run IPS in Transparent Mode.
15
Application Solutions: WAFs
• Web Application Firewalls are a great start
  • Have insight into the application and business logic
  • Terminate SSL
  • Plug the Port 80 Hole
• But…
  • What about other Apps?
  • What about other Layers?
16
Web Application Firewalls
Stateful inspection of application traffic in the context of the application
Bidirectional
Policy-based solution tailored for each app
– Positive + negative security
Sits inline
New type of device, spanning operations, network, and application personnel
Conclusion: The Right Tool for the Job for HTTP
But …
17
Applications Tunnel Through Traditional Firewalls
18
Next Generation Firewalls
A marriage of Application Intelligence and Network Control
– Secures Layers 2 – 7
– Secures any port, any protocol, any application
Apply Security at the same point as the rest of the Application Business Logic
– Provide Security during delivery, not just at ingress or egress
Application Delivery Security
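The point of slides 14 to 18, that a layer 3-4 firewall judges only the socket while an application-aware control judges the content, can be seen in a few lines of code. The following is an added example, not code from the presentation or from any product it refers to: the Flow type, the identify_app() classifier and the sample flows are all constructed here. The layer 3-4 policy allows TCP 80 and 443 and nothing else; the application-aware policy allows HTTP on 80 and TLS on 443 and decides from the first client bytes rather than from the port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-to-server connection: the 5-tuple plus its first payload bytes."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first bytes the client sent (constructed sample data)


# Layer 3-4 rule set: the only thing a traditional firewall can match on.
L34_ALLOW = {("tcp", 80), ("tcp", 443)}


def l34_decision(flow: Flow) -> str:
    """Port/protocol firewall: allow if the socket is permitted, whatever flows over it."""
    return "allow" if (flow.proto, flow.dport) in L34_ALLOW else "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Classify the application from the payload, ignoring the port entirely."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 22 (handshake), version 3.x, first handshake message ClientHello (1)
    if payload.startswith(b"\x16\x03") and len(payload) > 5 and payload[5] == 0x01:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    return "unknown"


# Application-aware rule set: which application may use which server port.
APP_ALLOW = {("http", 80), ("tls", 443)}


def l7_decision(flow: Flow) -> str:
    """Application-aware control: the identified application must be allowed on that port."""
    return "allow" if (identify_app(flow.payload), flow.dport) in APP_ALLOW else "deny"


def evaluate(flow: Flow) -> dict:
    return {"l34": l34_decision(flow), "app": identify_app(flow.payload), "l7": l7_decision(flow)}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443,
         b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # SSH carried over the open HTTPS port: the socket looks fine, the content does not.
    Flow("10.0.0.7", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # Genuine HTTP on a port the layer 3-4 policy never opened.
    Flow("10.0.0.9", "203.0.113.30", "tcp", 8080,
         b"GET /api HTTP/1.1\r\nHost: api.example.com\r\n\r\n"),
]


def run_samples() -> list:
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, r in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{f.proto}/{f.dport:<5} app={r['app']:<8} l3-4={r['l34']:<5} l7={r['l7']}")
```

The third sample is the case the “Applications Tunnel Through Traditional Firewalls” slide is about: the port-based rule says allow, the application-aware rule says deny. The fourth shows the reverse, HTTP on a non-standard port, which the port rule blocks by accident rather than by policy; an application-aware policy can state explicitly what is and is not allowed there. On a real device the classifier runs inside a proxy that sees the whole session, including the plaintext behind TLS after termination, which this sketch does not attempt.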
19
Solution Requirements
Secure Applications With Application-Aware Security
– Must be Session Aware
– Must be Behavior Policy Bound
– Must Understand Business Logic
Let the firewalls do what they do
– They’re perfect socket management devices
– They’re not perfect session management devices.
Accountability
– Audit Trail
Flexibility
– Adaptable to Application AND Environmental Changes
Leverage the 3 Ps…
20
Three P’s
PROXY architecture to distinguish a good request and a bad one by examining all information
POSITIVE security logic (i.e. Business Logic) to give zero day protection
POLICIES centralised for ease of control, administration & auditing
21
Secure Policy-Based Delivery
(Diagram: server-side, unique real-time enforcement across Security, Optimization, Availability and New Services; look at application security holistically. Two user contexts, “A” and “B”, are shown; the service labels read HTTP access to intranet, CIFS access to file share, and, for a “Public” context, HTTP access to intranet. Caption: only the services needed and allowed are used and available.)
22
Enterprise Resources
(Diagram of a distributed deployment: enterprise resources, the Internet, a branch office, a foreign city, telecommuters and mobile users, and employees, contractors and visitors with local access. Redundant PMP, PEP and MS at the centre; remote PEP and MS at each remote site. Callouts:
– Separate ALL users from enterprise resources
– Dynamically provide optimized service based on context
– Stop bad traffic before it uses resources
– Stop bad traffic before it uses network resources
– Optimize bulk remote traffic to centralized resources
– Provide single, but redundant, management, access and auditing of each unique access and context: who, what, when, why, where and how)
23
Application Delivery Security
AAA for registration and access control to specific applications
Application Firewall to protect the portal’s web apps
Application Delivery Controllers to secure application transport and delivery
(Diagram: Customer, Employee and Partner users pass through Network Perimeter Security (firewall, virus scan, IDS, etc.), then User/Transaction Validity, then Applications & Data Access Authorization, on a secure, high-performance platform in front of Corporate Applications & Data. Callouts: invalid transaction from a valid system; unauthorized user from a valid terminal.)
24
Layer | Name | Threats and technologies at this layer | Function
7 | Application Layer | XSS, SQL Injection, Data Leaks, Spam, User Sessions, Cookies, HTML… | Type of communication: e-mail, file transfer, client/server.
6 | Presentation Layer | SSL, SSH, XML Encryption, Images | Encryption, data conversion: ASCII to EBCDIC, BCD to binary, etc.
5 | Session Layer | Sockets, RPC, NetBIOS Auth, PPtP | Starts, stops session. Maintains order.
4 | Transport Layer | Port filters, SYN/ACK Attacks, Port Scans, MitM | Ensures delivery of entire file or message.
3 | Network Layer | IP Frag, Spoofing, Smurfs, Ping of death, IPsec, TTL | Routes data to different LANs and WANs based on network address.
2 | Data Link (MAC) Layer | VLANs, ARP Poisoning | Transmits packets from node to node based on station address.
1 | Physical Layer | Management Interface Segmentation | Electrical signals and cabling.
Intelligent Application Controllers are the Next Generation Firewalls
25
Bill Beverley - Security Technology Sales Manager
Email: [email protected]
Tel: +44 (0)1932 582 000
Mob: +44 (0)7974 678 664