Securing Business-Critical Network and Application Infrastructure
Gopala Tumuluri, Foundry Networks (www.foundrynet.com)
NET&COM – Feb 2006
Jan. 2006 | © 2006 Foundry Networks, Inc.


Agenda
– Security Market and Solutions Overview
– New Network-Based Security Architecture
– Key Features for Network-Wide Security
– Summary

Security Solutions in the Market – Traditional Firewalls

Stateful Inspection Firewalls (Layer 2 through 4)
– Maintain State of Every Flow (L4)
– Traffic Only on Pre-Established Flows
– Some DoS, NAT, IPSEC VPN

Proxy Firewalls (Layer 2 through 7)
– Full Termination with Proxy
– Terminate TCP and Re-Establish
– Protocol Aware Proxy Layer (HTTP, FTP Etc.)
– Slower because of Full Termination

Firewall Inadequacies – Need to Augment and Offload
– Very Poor DoS, Application Rate Limiting, Layer 7 Intelligence
– Performance Challenged – Especially for NAT and DoS
– FWLB for Scalability and HA Still a Key Need

Security Solutions in the Market – Intrusion Prevention and Detection

IDS (Intrusion Detection Systems)
– Passive Devices in the Network Observing Traffic
– Observe Behavior and Alert or Act on Anomalies
– Downsides: False Positives, Slow Responsiveness, Reliance on Magic

IPS (Intrusion Prevention Systems)
– Inline Devices Blocking Threats, Vulnerability and Exploits
– Signature Based Deep Packet Scan Engines
– Deterministic Enforcement against Known Signatures

Weaknesses and Inadequacies – Need for Integration
– Overpriced Point Products Solving ONE Security Problem
– Not Ideal for Inline Deployment
    PC, No Networking, No Robust L2-4 Defenses, L7 Limited to Signatures
– IPS Needs to be a Feature on a *Total Solution* Inline Security Device
– IDS Must Work Together with Switches and Traffic Monitoring (sFlow)

Security Solutions in the Market – E-Mail and Message SPAM

Full Content SPAM Mitigation and Prevention
– Inspect for Keywords, Signatures, Attachments Using Complex Rules
– Block Bad E-Mail and Mark Suspected Mail
– Score System (1 to 100) – Administrator Set Threshold for Blocking

IP Reputation List Based SPAM Mitigation Solutions
– Lists of *Known BAD* IP Addresses and Prefixes (Assigned a Score)
– Many Sources for Lists Gathering Reputation Data Worldwide
– Lists Customizable on Score (Ex: IPs Ranked 70 or Above)

SPAM Defense in Depth – Need for Network Solutions
– Exclusive Content Solutions are Inefficient, Costly, and Inadequate
– Exclusive IP Reputation is Ineffective and Inadequate
– Using Defense in Depth for Best of Both Approaches
    Apply IP Reputation in Network (Real Time Updated)
    Apply Content-Based Solutions in Server Farm

Security Solutions in the Market – Web and Application Firewalls

Outbound URL Filtering and Web Security
– Prevent Enterprise Users from Accessing BAD Websites
– Compliance, Etiquette, Corporate Policy, Productivity
– Database of Known Bad URLs (Scored) and Applied
    Periodically Updated with New URLs

Application Firewall for Web Applications (Data Center)
– Goal is to Prevent Hacking and Abuse of Website (Scripting, Malicious Code, SQL Injection, Forceful Browsing, Cookie Tampering, Cloaking)
– Emerging Area – Consolidating into Application Switch/Delivery Platform

Web Filtering – Need to Integrate with Inline Security
– Inline Security Device Leverages Offline Database to Enforce Policies
– Better Performance, Scalability and Security Beyond URL Enforcement
– Opportunity to Offload Firewalls from this Function

Application Firewall on Application Switching and Delivery Class Products – Data Center

Security Solutions in the Market – Edge and Desktop Security

Network Admission Control
– Enforce Policies on Who can Gain Access to the Network
– Enforce Policies Regarding Endpoint Security Updates and OS
– Authenticate Users Before They Get into the Network

Anti-Virus Solutions and Appliances
– Primarily *On-Desktop* Solutions that Prevent Viruses
– New-Generation Appliances Emerging from Leading Vendors to Offload Some Anti-Virus Function into the Network

Network Access Control
– More Fine-Grained Control of Network and Service Access
– Who, When, How, From Where and Why?
– Web Authentication and Access

Security Market Needs and Trends

Key Trends to Capitalize for Network-Wide Security

Network Perimeter as we knew it is Disappearing
– Mobility, Convergence, Remote Access, Growing Internal Threats
– Need for Security Everywhere in the Network

Well Established and Agreed Role of Network to Deliver Security
– Organizations are Gravitating Towards Network-Based Security Solutions
– Protection for Infrastructure, Services, Critical Resources

Moving Beyond the Firewall Without Giving Up on Firewalls
– Enterprises Endorse the Need for Solutions that Augment Firewalls
– Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly

Emerging Vision/Trend of Network-Wide Security is Catching On
– Network Integration is Seen as Inevitable and Required
– Solutions that Promote Incremental Steps are Needed

Growing Attacks and Threats in Content and Service Provider Infrastructure
– These Customers Can’t Rely on Firewalls


Security Traffic Managers and Secure LAN Switches are Key Building Blocks

Secure LAN Switches – Host Protection (Desktop and Servers)
– L2 Devices with Premium Security Features in Centralized Mgmt. Module
– Protection for Desktops and Servers from Network Attacks, and Vice Versa
– Initial Applications for High-Value User Desktops and Assets

Security Traffic Managers – Network Protection (Internal and Perimeter)
– High Performance Security Between Network Segments
– Protection Against Internal and External Threats, Including Web and SPAM
– Firewall Clustering, High Availability, Augmentation and Offload

[Diagram labels: WAN; Traditional Firewalls; Direct Desktop Protection; Server Farm Protection; Desktops; Web & Application Servers]

Secure Network Architecture with Two New Product Categories

[Diagram labels: Internet; Security Traffic Manager (Perimeter Security); Security Traffic Manager (In-Line Inside LAN Protection); Secure LAN Switch (Direct Desktop Protection); Secure LAN Switch (Server Farm Protection); Network Admission Control Agents on the Desktops; NAC Server; Radius; Web & Application Servers; Anomaly Based IPS (External Collector, Analyzer; External Closed-Loop Interface); sFlow From Switches; Network Manager; Edge Port Remediation]

Wire Speed LAN Switching Security
– L2/L4 DoS Attack Prevention
– Port, CPU, VLAN, & Rogue Protection

Security Traffic Mgr. and LAN Switch
– Signature based IPS and More
– Edge, Aggregation, and Perimeter

sFlow based Anomaly IPS Solution
– Zero-Day Solution
– Interface to Network Mgmt. for Remediation

Application Security and Protection
– Web and URL Security
– Network-based SPAM, DNS and VoIP Security

Augment with sFlow (RFC3176) Network-Wide Wire-Speed Visibility

Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
– Layer 2 through 7 visibility and analysis

Scales with Network Size and Speeds with Zero Performance Impact
– No other Technology can Scale to GbE and 10 GbE rates

Embedded implementations available today – Free!

[Diagram labels: Sampled Packet; sFlow Datagram; Layer 2-7 Information; sFlow Collector; Collection, Analysis and Archival]

Packet Header Analysis
– Src/Dst MAC addresses
– Src/Dst VLAN (802.1q) and 802.1p
– Src/Dst IPv4 addresses, including TOS/DSCP, TCP, TCP flags, UDP, and ICMP information
– Src/Dst IPv6 addresses and other information
– Src/Dst IPX addresses and other information
– Src/Dst AppleTalk addresses and other information
– MPLS information

– Sampling process parameters (rate, pool)
– Physical input/output ports
– Src/Dst prefix bits and next hop subnet, Source AS and source peer AS
– Destination AS path
– Communities and local preference
– 802.1X user name or RADIUS/TACACS user ID
– Interface Statistics (SNMP)
– The captured packet itself

Security OS Total Solution – Must Combine Key Features and Applications

Security OS Features
– Wire-Speed Network Protection
– DoS and DDoS Protection
– Intrusion Protection
– Deep/Bulk Packet Inspection
– Firewall Clustering and HA
– DNS Proxy and Security
– Application Rate Limiting
– VoIP Security
– High Performance IP NAT
– SPAM Mitigation
– Web Security
– URL Filtering
– High Availability with Hitless Failover

Security Traffic Manager Applications

Perimeter Security Front End and Traffic Manager
– Firewall Scalability and Performance Bottlenecks
– Firewalls Not for L7 and Application Security
– Security Traffic Manager Augments and Offloads Firewall
    Protects Firewall Investment and Extends Firewall Life

Internal LAN – Security Traffic Management at Distribution Layers
– Network Vulnerable to Threats from Within
– Internal Abuse a Key Challenge
– Security Traffic Manager Provides Perimeter-Like Protection inside LAN

Secure LAN Switches Application

Secure LAN Switches are Layer 2/3 LAN Switches with Premium Value-Added Security Features
– High Density Desktop and Server Connectivity
– Small Price Premium over Traditional LAN Switch Port Cost
– Security Against DOS, Anomaly, Intrusion and Others

High Value Desktop Protection
– Secures Desktops of High Value Users from Network Originated Attacks
– 10/100 and Gigabit Copper Connectivity for Desktop Machines

Securing Critical Servers and Associated Applications
– Server Aggregation LAN Switch with Premium Security
– Protects Servers and Applications from Network Originated Attacks
– Prevents Abuse of Resources by Controlling Access

Position of Traditional and Secure LAN Switches
– Traditional Layer 2/3 LAN Switching for Connectivity and Wire-Speed
– Secure LAN Switching for Value-Added Security to Desktop

Vision for Secure LAN Switches – Wire-Speed Security Everywhere

Layer 3 was CPU Based – Until Foundry Networks Revolutionized Wire-Speed Layer 3 Technologies in 1997
– All Layer 3 Traffic Processed by Centralized CPU Blade @ Slow Performance
– Foundry Revolutionized the Industry by Delivering L3 in ASIC @ Wire-Speed

Today, Secure LAN Switches (Industry’s New Category) are CPU Based
– Central Security Management Module (With Performance Scalability)
– Non-Trusted Flows CPU Processed – Not Wire-Speed on All Ports
    Next Generation will Incorporate Wire-Speed on Uplink Ports

In the Future, Advanced (and Economical) Technologies will Help Deliver Security on Every Port @ Wire-Speed

Security Must be Everywhere, and it Must Be Available for a Small Premium over Traditional Layer 2/3 LAN Switches and without Significant Performance Sacrifice

Security Feature and Capability Differentiation across Solutions

[Comparison table; per-solution entries not recoverable]

Solutions compared: Traditional LAN Switches, Secure LAN Switches, Security Traffic Managers

Features compared:
– DNS Proxy and Security
– Full Featured Layer 3
– Firewall Clustering and High Availability
– High Availability
– High Performance NAT
– SPAM Defense
– URL and Web Filtering
– VoIP Security
– Intrusion and Layer 4-7 Signature Blocking
– Layer 4 Rate Limiting
– DoS and Layer 4 Network Security


SYN and Other High-Performance DoS Protection Features

Protect Against TCP SYN/ACK Flood Attacks
– Multi-Gigabit Wire-Speed Rate Protection
– Firewall Protection when Deployed in Front of Firewalls

Protection Against 30+ Other DoS Signatures, Including
– Spoof, Land, SYN, ACK, Smurf, Ping of Death, Connection Open/Close, ICMP Unreachable, ICMP Redirect, SYN Fragment, Malformed TCP Packets and SYN Messages, Illegal TCP Options, Illegal IP Options, IP Options Filtering, Protocol Enforcement, UDP Flood, TCP Flood, Port Scanning, IP Scanning, Information Tunneling, Signature Scanning and Filtering

[Diagram: Secure Traffic Mgr. Protects Internal Hosts (Host A, Host B, Any Internal Hosts) from Attack.
 Good Client: (1) TCP SYN, (2) TCP SYN ACK – Special SEQ, (3) TCP ACK – Special SEQ, (4) Complete TCP Connection.
 Bad Client: (1) TCP SYN, (2) TCP SYN ACK – Special SEQ, (3) BAD TCP ACK – Special SEQ, NO TCP Connection.]
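
The "Special SEQ" exchange in the diagram can be made stateless by encoding a keyed hash in the SYN ACK sequence number and checking it when the final ACK arrives. The sketch below is an added example, not Foundry's implementation; the slides do not say how the special sequence number is derived, so the SYN-cookie style layout (5-bit time slot, 3-bit MSS index, 24-bit HMAC), the key, and the function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"   # constructed; a device would use a random, rotated key
SLOT_SECONDS = 64                  # granularity of the validity window
MSS_VALUES = (216, 536, 1024, 1220, 1360, 1440, 1452, 1460)  # selected by a 3-bit index


def _mac24(src, sport, dst, dport, client_isn, slot, mss_idx):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHIIB", sport, dport, client_isn, slot & 0xFFFFFFFF, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_special_seq(src, sport, dst, dport, client_isn, mss, now):
    """Sequence number to send in the SYN ACK. No per-client state is stored."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = 0
    for i, value in enumerate(MSS_VALUES):      # largest table entry not above the offer
        if value <= mss:
            mss_idx = i
    mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(src, sport, dst, dport, seq_num, ack_num, now):
    """Return the encoded MSS if the final ACK is valid, or None for a bad ACK.

    Only after this returns a value would the device open the connection
    toward the protected host.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF         # the ACK acknowledges special SEQ + 1
    client_isn = (seq_num - 1) & 0xFFFFFFFF     # the client's SYN consumed one number
    mss_idx = (cookie >> 24) & 0x7
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):         # current and previous slot only
        if (slot & 0x1F) != (cookie >> 27):
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_VALUES[mss_idx]
    return None
```

A spoofed source never sees the SYN ACK, so it cannot produce an ACK that passes `check_ack`, and the device holds no half-open state while it waits.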

Transaction, Connection and Bandwidth Rate Limiting

Pro-Active Policies to Thwart Attacks from Malicious Hosts

Limits Number of Connections from a Given Host
– User-Configurable Limits Based on Application Behavior
– Ensures Hosts Cannot Hog Network and Application Resources
– Limits Placed based on Source IP or Other Unique Host Identifiers
– Granular Control of Limits per Source Host or Sub-network

Sufficient Resources Reserved per Client to Allow Valid Client Transactions
– Limits on Connection Rate (per Defined Interval)
– Limits on Simultaneous Connections from a Given Host

Rate Limiting of Bandwidth Used by TCP Connections to Prevent Network Abuse

When a Client Exceeds Limits, Further Connections from Same Client are Dropped for a Pre-Configured Duration
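
The connection limits on this slide (rate per interval, simultaneous connections, per host or sub-network, and a drop period after a violation) fit in one small state machine. This is an added example, not code from the deck or the product; the class and field names are hypothetical and IPv4 sources are assumed.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_new: int          # new connections allowed per interval
    interval: float       # length of the interval in seconds
    max_concurrent: int   # simultaneous connections allowed
    hold_down: float      # seconds to drop a source after it exceeds a limit


class SourceLimiter:
    """Per-source connection limiter; prefix_len < 32 groups hosts by sub-network."""

    def __init__(self, limits, prefix_len=32):
        self.limits = limits
        self.prefix_len = prefix_len
        self.recent = defaultdict(deque)   # key -> timestamps of recent permits
        self.open = defaultdict(int)       # key -> currently open connections
        self.blocked_until = {}            # key -> end of the hold-down period

    def _key(self, src):
        return ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)

    def on_connect(self, src, now):
        """Return True to permit the new connection, False to drop it."""
        key = self._key(src)
        if now < self.blocked_until.get(key, 0.0):
            return False                   # still inside the hold-down period
        window = self.recent[key]
        while window and now - window[0] >= self.limits.interval:
            window.popleft()               # forget permits older than the interval
        over_rate = len(window) >= self.limits.max_new
        over_concurrent = self.open[key] >= self.limits.max_concurrent
        if over_rate or over_concurrent:
            self.blocked_until[key] = now + self.limits.hold_down
            return False
        window.append(now)
        self.open[key] += 1
        return True

    def on_close(self, src):
        """Call when a permitted connection ends, to free a concurrency slot."""
        key = self._key(src)
        if self.open[key] > 0:
            self.open[key] -= 1
```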

Application Access Policy Enforcement (Including SPAM)

Solution to Enforce Access Control on Large Pool of IP Addresses and Prefixes
– Apply Explicit Permit and/or Deny Policies to Specific Applications
– Many Unique Lists of IP Addresses Defined per Application Port
– Ensures Enforcement of Access Policies to Specific Applications based on Host Credentials
– Ideal to be Used with IP Reputation Lists for Preventing Mass Abuse (SPAM)

Provides Massive Scalability Compared to Standard ACLs
– Support for Many Million IP Addresses and Prefixes
– Many Separate Lists of Addresses to be Applied on a Per Application Basis

Network Based Approach Protects Services from Illegal Access Right in the Network at the Edge
– Network Based Protection Increases Resource Efficiency and Security
– Proactive, Rapid and High-Performance Protection Early (Mail Processing)

SPAM Mitigation Solution – IP Reputation List Support

Security Traffic Manager Prevents SPAM from Known Spammers
– Relies on IP Reputation Lists from Many 3rd Parties
– Many Millions of IP Address/Prefixes in a Policy List
– Dynamic Download of New Lists in Real Time
– Permit and Deny of Flows Based on Policy

Augments Content Based SPAM Solutions on the Server Back-End
– Co-Exists with Other SPAM Mitigation/Prevention Solutions
– Complement PBSLB with Content Based SPAM Solutions

Deep and Bulk Content Scan of E-Mail Traffic to Filter on Easily Identifiable Signatures, Keywords or Large ASCII Text
– Configure Signatures or Download them in ASCII/Binary Files
– Ability to Scan E-Mail Attachments (Non Compressed)

Layer 7 Intrusion Prevention with Signature Based Deep Packet Scan

Enforce Layer 7 Security Policies Based on Signatures

Perform Deep Packet Scan on All Traffic in a Flow
– Supports this Capability for TCP, UDP and ICMP Flows
– Scan May be Performed in Both Directions of the Flow, or Limited to Direction of the Threat (Example: Only Inbound)

Support for User-Configurable Signatures
– Signatures when Defined May be Applied to Flows of Specific Application

Very Long “Bulk” Signatures May be Downloaded to the Device for Security Enforcement
– Example: Prevent Threats in E-Mail File Attachments

Provide a Range of Actions upon Signature Match
– Log, Count, Reset, Drop, Mirror, Re-Direct

DNS Protection and Proxy

DNS is the Most Critical and Foundational Application for All IP Services

Security Traffic Manager Must Protect DNS using Layer 4 through 7 Mechanisms
– Layer 4 DNS Service Protection using Rate Limiting and DoS Features
– Layer 7 DNS Protection Using Filtering on Specific Header Fields
    Example #1: Disallow Queries to Specific Domains
    Example #2: Disallow Queries Other than Type xxxx
    Example #3: Disallow Recursive Queries
– General-Purpose Layer 7 Signature Scanning and Filtering

DNS Proxy Feature would be a Good Value Add
– Security Traffic Manager Replies to DNS Queries with Healthy IP Addresses
– Unique Feature that Combines DNS Intelligence and Health Monitoring
– Users Connect to Available Service/Servers
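
The three Layer 7 filtering examples on this slide map onto fields of the DNS query: the question name, the question type, and the RD (recursion desired) flag. The following is an added example, not the product's filter; the function names, the policy parameters and the sample queries built by `build_query` are constructed for illustration.

```python
import struct

QR_BIT, RD_BIT = 0x8000, 0x0100    # header flag bits (RFC 1035)


class DnsParseError(ValueError):
    pass


def parse_query(msg):
    """Parse the header and the single question of a DNS query."""
    if len(msg) < 12:
        raise DnsParseError("short header")
    _ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & QR_BIT:
        raise DnsParseError("response bit set")
    if qdcount != 1:
        raise DnsParseError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise DnsParseError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:            # also rejects compression pointers in a question
            raise DnsParseError("bad label length")
        if pos + length > len(msg):
            raise DnsParseError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        raise DnsParseError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"qname": ".".join(labels), "qtype": qtype, "rd": bool(flags & RD_BIT)}


def filter_query(msg, blocked_domains, allowed_qtypes, allow_recursion):
    """Return (action, reason); malformed queries are dropped, not passed on."""
    try:
        query = parse_query(msg)
    except DnsParseError as exc:
        return ("drop", f"malformed: {exc}")
    name = query["qname"]
    if any(name == d or name.endswith("." + d) for d in blocked_domains):
        return ("drop", "domain not allowed")           # slide example #1
    if query["qtype"] not in allowed_qtypes:
        return ("drop", "query type not allowed")       # slide example #2
    if query["rd"] and not allow_recursion:
        return ("drop", "recursive query not allowed")  # slide example #3
    return ("permit", "")


def build_query(name, qtype, rd=False, ident=0x1234):
    """Build a constructed sample query for exercising the filter."""
    header = struct.pack("!6H", ident, RD_BIT if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
```

Matching on whole labels keeps a block on `blocked.example` from also catching `notblocked.example`.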

SIP and VoIP Security Features

Communication Services are Rapidly Migrating to IP with the Use of SIP and VoIP Protocols and Applications
– Opening Up these Services to Vulnerabilities of an Open Network
– Threat of Attacks to Critical Servers is Real

Protect SIP and VoIP Services by Offering a Range of Layer 4 and Layer 7 Security Features
– SIP and VoIP Flows May Use Generic UDP Ports for Communication
– Need to Validate SIP Packets, Messages and Flows over UDP
– Layer 4 Protection using Rate Limiting and DoS Features

Layer 7 Security Features Include
– Validate SIP Headers to Ensure UDP Traffic Belongs to SIP
– Only Permits SIP Packets to Flow over Pre-Defined UDP Ports
– Validates SIP Headers, Version and Methods
– Ability to Define Valid SIP Methods
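
The Layer 7 checks listed above (permitted UDP port, SIP version, configured method list, header validation) can be applied to each UDP payload before it reaches a SIP server. This is an added example, not the product's validator; the function name, the port and method sets passed in, and the sample INVITE are constructed, and the mandatory header set follows RFC 3261.

```python
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}   # RFC 3261 compact forms
REQUIRED = {"via", "from", "to", "call-id", "cseq"}

# Constructed sample request (uses the compact form "f" for From).
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP client.example.com;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"f: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@client.example.com\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def validate_sip(payload, dst_port, allowed_ports, allowed_methods):
    """Return (ok, reason) for one UDP payload claimed to be SIP."""
    if dst_port not in allowed_ports:
        return (False, "port not permitted for SIP")
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("utf-8").split("\r\n")
    except UnicodeDecodeError:
        return (False, "not SIP: undecodable start line or headers")
    parts = lines[0].split(" ")
    method = None
    if parts[0] == "SIP/2.0":                        # response: SIP/2.0 <code> <reason>
        if len(parts) < 2 or not (parts[1].isdigit() and len(parts[1]) == 3):
            return (False, "bad status line")
    elif len(parts) == 3 and parts[2] == "SIP/2.0":  # request: <method> <uri> SIP/2.0
        method = parts[0]
        if method not in allowed_methods:
            return (False, "method not allowed")
    else:
        return (False, "not SIP: bad start line or version")
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):                  # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return (False, "malformed header line")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    required = REQUIRED | ({"max-forwards"} if method else set())
    missing = sorted(required - headers.keys())
    if missing:
        return (False, "missing header: " + ", ".join(missing))
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit():
        return (False, "bad CSeq")
    if method and cseq[1] != method:
        return (False, "CSeq method mismatch")
    return (True, "ok")
```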


Future Security – Integrated High-Performance Network Architectures

Security Traffic Managers and Secure LAN Switches are the Building Blocks of Network-Wide Seven Layer Security

Protection @ Perimeter, Internal LAN, Data Center, Server Farm, and Enterprise Edge

Cost Effective and Scalable Solutions are Required

Firewalls are Here to Stay (At Least For a While)
– New Solutions Must Augment and Offload Firewalls
– Cap and Protect Firewall Investment

Thank You