Jan. 2006 | © 2006 Foundry Networks, Inc.
NET&COM – Feb 2006
Gopala Tumuluri
Foundry Networks
www.foundrynet.com

Securing Business-Critical Network and Application Infrastructure
Agenda

Security Market and Solutions Overview
New Network-Based Security Architecture
Key Features for Network-Wide Security
Summary
Security Solutions in the Market – Traditional Firewalls

Stateful Inspection Firewalls (Layer 2 through 4)
  – Maintain State of Every Flow (L4)
  – Traffic Only on Pre-Established Flows
  – Some DoS, NAT, IPSEC VPN

Proxy Firewalls (Layer 2 through 7)
  – Full Termination with Proxy
  – Terminate TCP and Re-Establish
  – Protocol Aware Proxy Layer (HTTP, FTP Etc.)
  – Slower because of Full Termination

Firewall Inadequacies – Need to Augment and Offload
  – Very Poor DoS, Application Rate Limiting, Layer 7 Intelligence
  – Performance Challenged – Especially for NAT and DoS
  – FWLB for Scalability and HA Still a Key Need
Security Solutions in the Market – Intrusion Prevention and Detection

IDS (Intrusion Detection Systems)
  – Passive Devices in the Network Observing Traffic
  – Observe Behavior and Alert or Act on Anomalies
  – Downsides: False Positives, Slow Responsiveness, Reliance on Magic

IPS (Intrusion Prevention Systems)
  – Inline Devices Blocking Threats, Vulnerability and Exploits
  – Signature Based Deep Packet Scan Engines
  – Deterministic Enforcement against Known Signatures

Weaknesses and Inadequacies – Need for Integration
  – Overpriced Point Products Solving ONE Security Problem
  – Not Ideal for Inline Deployment: PC, No Networking, No Robust L2-4 Defenses, L7 Limited to Signatures
  – IPS Needs to be a Feature on a *Total Solution* Inline Security Device
  – IDS Must Work Together with Switches and Traffic Monitoring (sFlow)
Security Solutions in the Market – E-Mail and Message SPAM

Full Content SPAM Mitigation and Prevention
  – Inspect for Keywords, Signatures, Attachments Using Complex Rules
  – Block Bad E-Mail and Mark Suspected Mail
  – Score System (1 to 100) – Administrator Set Threshold for Blocking

IP Reputation List Based SPAM Mitigation Solutions
  – Lists of *Known BAD* IP Addresses and Prefixes (Assigned a Score)
  – Many Sources for Lists Gathering Reputation Data Worldwide
  – Lists Customizable on Score (Ex: IPs Ranked 70 or Above)

SPAM Defense in Depth – Need for Network Solutions
  – Exclusive Content Solutions are Inefficient, Costly, and Inadequate
  – Exclusive IP Reputation is Ineffective and Inadequate
  – Using Defense in Depth for Best of Both Approaches
      Apply IP Reputation in Network (Real Time Updated)
      Apply Content-Based Solutions in Server Farm
Security Solutions in the Market – Web and Application Firewalls

Outbound URL Filtering and Web Security
  – Prevent Enterprise Users from Accessing BAD Websites
  – Compliance, Etiquette, Corporate Policy, Productivity
  – Database of Known Bad URLs (Scored) and Applied
      Periodically Updated with New URLs

Application Firewall for Web Applications (Data Center)
  – Goal is to Prevent Hacking and Abuse of Website (Scripting, Malicious Code, SQL Injection, Forceful Browsing, Cookie Tampering, Cloaking)
  – Emerging Area – Consolidating into Application Switch/Delivery Platform

Web Filtering – Need to Integrate with Inline Security
  – Inline Security Device Leverages Offline Database to Enforce Policies
  – Better Performance, Scalability and Security Beyond URL Enforcement
  – Opportunity to Offload Firewalls from this Function
      Application Firewall on Application Switching and Delivery Class Products – Data Center
Security Solutions in the Market – Edge and Desktop Security

Network Admission Control
  – Enforce Policies on Who can Gain Access to the Network
  – Enforce Policies Regarding Endpoint Security Updates and OS
  – Authenticate Users Before They Get into the Network

Anti-Virus Solutions and Appliances
  – Primarily *On-Desktop* Solutions that Prevent Viruses
  – New-Generation Appliances Emerging from Leading Vendors to Offload Some Anti-Virus Function into the Network

Network Access Control
  – More Fine Grained Control of Network and Service Access
  – Who, When, How, From Where and Why?
  – Web Authentication and Access
Security Market Needs and Trends – Key Trends to Capitalize for Network-Wide Security

Network Perimeter as we knew it is Disappearing
  – Mobility, Convergence, Remote Access, Growing Internal Threats
  – Need for Security Everywhere in the Network

Well Established and Agreed Role of Network to Deliver Security
  – Organizations are Gravitating Towards Network-Based Security Solutions
  – Protection for Infrastructure, Services, Critical Resources

Moving Beyond the Firewall Without Giving Up on Firewalls
  – Enterprises Endorse the Need for Solutions that Augment Firewalls
  – Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly

Emerging Vision/Trend of Network-Wide Security is Catching On
  – Network Integration is Seen as Inevitable and Required
  – Solutions that Promote Incremental Steps are Needed

Growing Attacks and Threats in Content and Service Provider Infrastructure – These Customers Can’t Rely on Firewalls
Agenda

Security Market and Solutions Overview
New Network-Based Security Architecture
Key Features for Network-Wide Security
Summary
Security Traffic Managers and Secure LAN Switches are Key Building Blocks

Host Protection (Desktop and Servers) – Secure LAN Switches
  – L2 Devices with Premium Security Features in Centralized Mgmt. Module
  – Protection for Desktops and Servers from Network Attacks, and Vice Versa
  – Initial Applications for High-Value User Desktops and Assets

Network Protection (Internal and Perimeter) – Security Traffic Managers
  – High Performance Security Between Network Segments
  – Protection Against Internal and External Threats, Including Web and SPAM
  – Firewall Clustering, High Availability, Augmentation and Offload

[Figure: Traditional Firewalls at the WAN edge; Security Traffic Managers providing Server Farm Protection for the Web & Application Servers; Secure LAN Switches providing Direct Desktop Protection for the Desktops]
Secure Network Architecture with Two New Product Categories

[Figure: Internet → Security Traffic Manager (Perimeter Security) → Security Traffic Manager (In-Line Inside LAN Protection) → Secure LAN Switch (Direct Desktop Protection), with Network Admission Control Agents on the Desktops, and Secure LAN Switch (Server Farm Protection) in front of the Web & Application Servers. sFlow from the switches feeds an Anomaly Based IPS (External Collector, Analyzer; External Closed-Loop Interface) and the Network Manager, which performs Edge Port Remediation; a NAC Server (Radius) backs admission control.]

Wire Speed LAN Switching Security
  – L2/L4 DoS Attack Prevention
  – Port, CPU, VLAN, & Rogue Protection

Security Traffic Mgr. and LAN Switch
  – Signature based IPS and More
  – Edge, Aggregation, and Perimeter

sFlow based Anomaly IPS Solution
  – Zero-Day Solution
  – Interface to Network Mgmt. for Remediation

Application Security and Protection
  – Web and URL Security
  – Network-based SPAM, DNS and VoIP Security
Augment with sFlow (RFC3176) Network-Wide Wire-Speed Visibility

Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
  – Layer 2 through 7 visibility and analysis

Scales with Network Size and Speeds with Zero Performance Impact
  – No other Technology can Scale to GbE and 10 GbE rates

Embedded implementations available today – Free!

[Figure: a Sampled Packet is summarized into an sFlow Datagram and sent to the sFlow Collector for Collection, Analysis and Archival. Layer 2-7 Information carried in the datagram:]
  – Packet Header Analysis: Src/Dst MAC addresses; Src/Dst VLAN (802.1q) and 802.1p; Src/Dst IPv4 addresses, including TOS/DSCP, TCP, TCP flags, UDP, and ICMP information; Src/Dst IPv6 addresses and other information; Src/Dst IPX addresses and other information; Src/Dst AppleTalk addresses and other information; MPLS information
  – Sampling process parameters (rate, pool)
  – Physical input/output ports
  – Src/Dst prefix bits and next hop subnet, Source AS and source peer AS
  – Destination AS path
  – Communities and local preference
  – 802.1X user name or RADIUS/TACACS user ID
  – Interface Statistics (SNMP)
  – The captured packet itself
Security OS Total Solution – Must Combine Key Features and Applications

Security OS Features – Wire-Speed Network Protection
  – DoS and DDoS Protection
  – Intrusion Protection
  – Deep/Bulk Packet Inspection
  – Firewall Clustering and HA
  – DNS Proxy and Security
  – Application Rate Limiting
  – VoIP Security
  – High Performance IP NAT
  – SPAM Mitigation
  – Web Security
  – URL Filtering
  – High Availability with Hitless Failover
Security Traffic Manager Applications

Perimeter Security Front End and Traffic Manager
  – Firewall Scalability and Performance Bottlenecks
  – Firewalls Not for L7 and Application Security
  – Security Traffic Manager Augments and Offloads Firewall
      Protects Firewall Investment and Extends Firewall Life

Internal LAN – Security Traffic Management at Distribution Layers
  – Network Vulnerable to Threats from Within
  – Internal Abuse a Key Challenge
  – Security Traffic Manager Provides Perimeter-Like Protection inside LAN
Secure LAN Switches Application

Secure LAN Switches are Layer 2/3 LAN Switches with Premium Value-Added Security Features
  – High Density Desktop and Server Connectivity
  – Small Price Premium over Traditional LAN Switch Port Cost
  – Security Against DoS, Anomaly, Intrusion and Others

High Value Desktop Protection
  – Secures Desktops of High Value Users from Network Originated Attacks
  – 10/100 and Gigabit Copper Connectivity for Desktop Machines

Securing Critical Servers and Associated Applications
  – Server Aggregation LAN Switch with Premium Security
  – Protects Servers and Applications from Network Originated Attacks
  – Prevents Abuse of Resources by Controlling Access

Position of Traditional and Secure LAN Switches
  – Traditional Layer 2/3 LAN Switching for Connectivity and Wire-Speed
  – Secure LAN Switching for Value-Added Security to Desktop
Vision for Secure LAN Switches – Wire-Speed Security Everywhere

Layer 3 was CPU Based – Until Foundry Networks Revolutionized Wire-Speed Layer 3 Technologies in 1997
  – All Layer 3 Traffic Processed by Centralized CPU Blade @ Slow Performance
  – Foundry Revolutionized the Industry by Delivering L3 in ASIC @ Wire-Speed

Today, Secure LAN Switches (Industry’s New Category) are CPU Based
  – Central Security Management Module (With Performance Scalability)
  – Non-Trusted Flows CPU Processed – Not Wire-Speed on All Ports

Next Generation will Incorporate Wire-Speed on Uplink Ports

In the Future, Advanced (and Economical) Technologies will Help Deliver Security on Every Port @ Wire-Speed

Security Must be Everywhere, and it Must Be Available for a Small Premium over Traditional Layer 2/3 LAN Switches and without Significant Performance Sacrifice
Security Feature and Capability Differentiation across Solutions

[Table: security features compared across Traditional LAN Switches, Secure LAN Switches and Security Traffic Managers; the per-column marks did not survive extraction. Features listed: DNS Proxy and Security; Full Featured Layer 3; Firewall Clustering and High Availability; High Availability; High Performance NAT; SPAM Defense; URL and Web Filtering; VoIP Security; Intrusion and Layer 4-7 Signature Blocking; Layer 4 Rate Limiting; DoS and Layer 4 Network Security]
Agenda

Security Market and Solutions Overview
New Network-Based Security Architecture
Key Features for Network-Wide Security
Summary
SYN and Other High-Performance DoS Protection Features

Protect Against TCP SYN/ACK Flood Attacks
  – Multi-Gigabit Wire-Speed Rate Protection
  – Firewall Protection when Deployed in Front of Firewalls

Protection Against 30+ Other DoS Signatures, Including
  – Spoof, Land, SYN, ACK, Smurf, Ping of Death, Connection Open/Close, ICMP Unreachable, ICMP Redirect, SYN Fragment, Malformed TCP Packets and SYN Messages, Illegal TCP Options, Illegal IP Options, IP Options Filtering, Protocol Enforcement, UDP Flood, TCP Flood, Port Scanning, IP Scanning, Information Tunneling, Signature Scanning and Filtering

[Figure: Secure Traffic Mgr. Protects Internal Hosts (Host A, Host B, Any Internal Hosts) from Attack. Good Client (C1): (1) TCP SYN → (2) TCP SYN ACK – Special SEQ → (3) TCP ACK – Special SEQ → (4) Complete TCP Connection. Bad Client (C2): (1) TCP SYN → (2) TCP SYN ACK – Special SEQ → (3) BAD TCP ACK – Special SEQ → NO TCP Connection.]
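The handshake in the figure above, written out as an added example (not Foundry code): the "Special SEQ" in the SYN-ACK is a keyed hash of the connection 4-tuple, the client's ISN and a coarse time tick, so only a client that actually received the SYN-ACK can return the matching ACK, and no state is kept for half-open connections. The secret, the tick size and the cookie layout are assumptions made for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real device would rotate it periodically.
SECRET = b"demo-secret-rotate-me"
TICK_SECONDS = 64          # assumed coarseness of the time tick folded into the cookie


def cookie_seq(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """The 'Special SEQ': 24 bits of keyed MAC over the 4-tuple, the client's
    ISN and the tick, with the low 8 bits of the tick in the low byte so the
    validator can tell in which tick the cookie was minted."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    mac24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((mac24 << 8) | (tick & 0xFF)) & 0xFFFFFFFF


def on_syn(src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """Steps 1-2: answer a SYN with a SYN-ACK whose SEQ is the cookie.
    Nothing is stored, so a SYN flood cannot exhaust a connection table."""
    now = time.time() if now is None else now
    return cookie_seq(src_ip, src_port, dst_ip, dst_port, client_isn, int(now // TICK_SECONDS))


def on_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, now=None, max_age_ticks=1):
    """Step 3: accept the handshake only if ACK-1 equals a cookie this device
    would have issued for this 4-tuple within the last max_age_ticks ticks."""
    now = time.time() if now is None else now
    tick_now = int(now // TICK_SECONDS)
    cookie = (ack_num - 1) & 0xFFFFFFFF
    for age in range(max_age_ticks + 1):
        tick = tick_now - age
        if (tick & 0xFF) != (cookie & 0xFF):
            continue                           # cookie was not minted in this tick
        if cookie_seq(src_ip, src_port, dst_ip, dst_port, client_isn, tick) == cookie:
            return True                        # Good Client: complete the TCP connection
    return False                               # Bad Client: no TCP connection
```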
Transaction, Connection and Bandwidth Rate Limiting

Pro-Active Policies to Thwart Attacks from Malicious Hosts

Limits Number of Connections from a Given Host
  – User-Configurable Limits Based on Application Behavior
  – Ensures Hosts Cannot Hog Network and Application Resources
  – Limits Placed based on Source IP or Other Unique Host Identifiers
  – Granular Control of Limits per Source Host or Sub-network

Sufficient Resources Reserved per Client to Allow Valid Client Transactions
  – Limits on Connection Rate (per Defined Interval)
  – Limits on Simultaneous Connections from a Given Host

Rate Limiting of Bandwidth Used by TCP Connections to Prevent Network Abuse

When a Client Exceeds Limits, Further Connections from Same Client are Dropped for a Pre-Configured Duration
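The per-host limits above, as an added illustration (not Foundry code): a limiter keyed on the source address or on an enclosing sub-network that enforces a connection rate per interval and a cap on simultaneous connections, and drops further connections for a configured penalty period once either limit is exceeded. The limit values, key prefix and return strings are assumptions for the demo.

```python
import ipaddress
import time
from collections import deque


class HostConnectionLimiter:
    """Connection-rate and concurrency limits keyed per source host or, with
    key_prefix < 32, per enclosing IPv4 sub-network; exceeding either limit
    starts a penalty period during which new connections are dropped."""

    def __init__(self, rate_limit, interval_s, max_concurrent, penalty_s, key_prefix=32):
        self.rate_limit = rate_limit          # new connections allowed per interval
        self.interval_s = interval_s
        self.max_concurrent = max_concurrent  # simultaneous open connections per key
        self.penalty_s = penalty_s            # pre-configured drop duration
        self.key_prefix = key_prefix
        self._recent = {}                     # key -> deque of connection start times
        self._open = {}                       # key -> open connection count
        self._blocked_until = {}              # key -> time the penalty expires

    def _key(self, src_ip):
        net = ipaddress.IPv4Network(f"{src_ip}/{self.key_prefix}", strict=False)
        return str(net)

    def new_connection(self, src_ip, now=None):
        """Decide on a new connection: 'permit', 'drop:limit' or 'drop:penalty'."""
        now = time.time() if now is None else now
        key = self._key(src_ip)
        if self._blocked_until.get(key, 0) > now:
            return "drop:penalty"
        window = self._recent.setdefault(key, deque())
        while window and window[0] <= now - self.interval_s:
            window.popleft()                  # forget starts outside the interval
        if len(window) >= self.rate_limit or self._open.get(key, 0) >= self.max_concurrent:
            self._blocked_until[key] = now + self.penalty_s
            return "drop:limit"
        window.append(now)
        self._open[key] = self._open.get(key, 0) + 1
        return "permit"

    def close_connection(self, src_ip):
        """Release a concurrency slot when the connection ends."""
        key = self._key(src_ip)
        self._open[key] = max(0, self._open.get(key, 0) - 1)
```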
Application Access Policy Enforcement (Including SPAM)

Solution to Enforce Access Control on Large Pool of IP Addresses and Prefixes
  – Apply Explicit Permit and/or Deny Policies to Specific Applications
  – Many Unique Lists of IP Addresses Defined per Application Port
  – Ensures Enforcement of Access Policies to Specific Applications based on Host Credentials
  – Ideal to be Used with IP Reputation Lists for Preventing Mass Abuse (SPAM)

Provides Massive Scalability Compared to Standard ACLs
  – Support for Many Million IP Addresses and Prefixes
  – Many Separate Lists of Addresses to be Applied on a Per Application Basis

Network Based Approach Protects Services from Illegal Access Right in the Network at the Edge
  – Network Based Protection Increases Resource Efficiency and Security
  – Proactive, Rapid and High-Performance Protection Early (Mail Processing)
SPAM Mitigation Solution – IP Reputation List Support

Security Traffic Manager Prevents SPAM from Known Spammers
  – Relies on IP Reputation Lists from Many 3rd Parties
  – Many Millions of IP Address/Prefixes in a Policy List
  – Dynamic Download of New Lists in Real Time
  – Permit and Deny of Flows Based on Policy

Augments Content Based SPAM Solutions on the Server Back-End
  – Co-Exists with Other SPAM Mitigation/Prevention Solutions
  – Complement PBSLB with Content Based SPAM Solutions

Deep and Bulk Content Scan of E-Mail Traffic to Filter on Easily Identifiable Signatures, Keywords or Large ASCII Text
  – Configure Signatures or Download them in ASCII/Binary Files
  – Ability to Scan E-Mail Attachments (Non Compressed)
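An added example (not Foundry code) covering the policy list on this slide, the per-application access lists on the previous slide and the scored reputation lists from the market overview: a scored IPv4 prefix list grouped by prefix length for longest-prefix lookups, a deny threshold (the overview's "IPs Ranked 70 or Above"), and a separate list bound to each application port so SMTP can be denied while other ports are untouched. The prefixes, scores and threshold are constructed values.

```python
import ipaddress


class ReputationList:
    """Scored IPv4 prefix list; entries are grouped by prefix length so a lookup
    is one dict probe per distinct length however many entries are loaded."""

    def __init__(self):
        self._by_len = {}          # prefix length -> {network as int: score}

    def load(self, entries):
        """entries: iterable of (prefix, score); later entries overwrite earlier."""
        for prefix, score in entries:
            net = ipaddress.IPv4Network(prefix, strict=False)
            self._by_len.setdefault(net.prefixlen, {})[int(net.network_address)] = score

    def score(self, ip):
        """Longest-prefix match; None when the address is not listed."""
        addr = int(ipaddress.IPv4Address(ip))
        for plen in sorted(self._by_len, reverse=True):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            hit = self._by_len[plen].get(addr & mask)
            if hit is not None:
                return hit
        return None


class ApplicationAccessPolicy:
    """Bind a separate list and deny threshold to each application port."""

    def __init__(self):
        self._per_port = {}        # dst port -> (ReputationList, deny_score)

    def attach(self, port, rep_list, deny_score):
        self._per_port[port] = (rep_list, deny_score)

    def decide(self, src_ip, dst_port):
        """'deny' when the source's score meets the port's threshold, else 'permit'."""
        bound = self._per_port.get(dst_port)
        if bound is None:
            return "permit"        # no list bound to this application
        rep_list, deny_score = bound
        s = rep_list.score(src_ip)
        return "deny" if s is not None and s >= deny_score else "permit"


# Constructed reputation data (RFC 5737 documentation ranges) for the demo.
SMTP_LIST = ReputationList()
SMTP_LIST.load([("198.51.100.0/24", 85), ("198.51.100.200/29", 20), ("203.0.113.0/24", 40)])
POLICY = ApplicationAccessPolicy()
POLICY.attach(25, SMTP_LIST, deny_score=70)   # deny SMTP from sources ranked 70 or above
```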
Layer 7 Intrusion Prevention with Signature Based Deep Packet Scan

Enforce Layer 7 Security Policies Based on Signatures

Perform Deep Packet Scan on All Traffic in a Flow
  – Supports this Capability for TCP, UDP and ICMP Flows
  – Scan May be Performed in Both Directions of the Flow, or Limited to Direction of the Threat (Example: Only Inbound)

Support for User-Configurable Signatures
  – Signatures when Defined May be Applied to Flows of Specific Application

Very Long “Bulk” Signatures May be Downloaded to the Device for Security Enforcement
  – Example: Prevent Threats in E-Mail File Attachments

Provide a Range of Actions upon Signature Match
  – Log, Count, Reset, Drop, Mirror, Re-Direct
DNS Protection and Proxy

DNS is the Most Critical and Foundation Application for All IP Services

Security Traffic Manager Must Protect DNS using Layer 4 through 7 Mechanisms
  – Layer 4 DNS Service Protection using Rate Limiting and DoS Features
  – Layer 7 DNS Protection Using Filtering on Specific Header Fields
      Example #1: Disallow Queries to Specific Domains
      Example #2: Disallow Queries Other than Type xxxx
      Example #3: Disallow Recursive Queries
  – General-Purpose Layer 7 Signature Scanning and Filtering

DNS Proxy Feature would be a Good Value Add
  – Security Traffic Manager Replies to DNS Queries with Healthy IP Addresses
  – Unique Feature that Combines DNS Intelligence and Health Monitoring
  – Users Connect to Available Service/Servers
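The three Layer 7 DNS examples above, as an added illustration (not Foundry code): a minimal RFC 1035 query parser and a policy function that drops queries to denied domains, queries of any type outside an allowed set, and queries with the recursion-desired bit set; malformed packets are dropped before any rule runs. The query builder and the policy values are constructed for the demo.

```python
import struct

QTYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA", 252: "AXFR", 255: "ANY"}   # subset, for messages


def build_query(name, qtype, recursion_desired=True, txid=0x1234):
    """Constructed RFC 1035 query packet used as demo input."""
    flags = 0x0100 if recursion_desired else 0x0000            # RD is bit 8 of flags
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN


def parse_query(pkt):
    """Return (qname, qtype, recursion_desired) from the first question section."""
    if len(pkt) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", pkt[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated qname")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels).lower(), qtype, bool(flags & 0x0100)


def dns_policy(pkt, denied_domains, allowed_qtypes, allow_recursion):
    """Apply the slide's three Layer 7 examples; returns 'permit' or 'drop:<reason>'."""
    try:
        qname, qtype, rd = parse_query(pkt)
    except ValueError as exc:
        return f"drop:malformed:{exc}"
    if any(qname == d or qname.endswith("." + d) for d in denied_domains):
        return "drop:domain"                                    # Example #1
    if qtype not in allowed_qtypes:
        return f"drop:qtype:{QTYPE_NAMES.get(qtype, qtype)}"    # Example #2
    if rd and not allow_recursion:
        return "drop:recursive"                                 # Example #3
    return "permit"


# Constructed policy: deny one domain, allow only A/MX/AAAA, refuse recursion.
POLICY = dict(denied_domains={"bad.example"}, allowed_qtypes={1, 15, 28}, allow_recursion=False)
```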
SIP and VoIP Security Features

Communication Services are Rapidly Migrating to IP with the Use of SIP and VoIP Protocols and Applications
  – Opening Up these Services to Vulnerabilities of an Open Network
  – Threat of Attacks to Critical Servers is Real

Protect SIP and VoIP Services by Offering a Range of Layer 4 and Layer 7 Security Features
  – SIP and VoIP Flows May Use Generic UDP Ports for Communication
  – Need to Validate SIP Packets, Messages and Flows over UDP
  – Layer 4 Protection using Rate Limiting and DoS Features

Layer 7 Security Features Include
  – Validate SIP Headers to Ensure UDP Traffic Belongs to SIP
  – Only Permits SIP Packets to Flow over Pre-Defined UDP Ports
  – Validates SIP Headers, Version and Methods
  – Ability to Define Valid SIP Methods
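The Layer 7 SIP checks listed above, as an added example (not Foundry code): a validator that permits a UDP payload only if it arrives on a pre-defined SIP port, parses as a SIP request or response, carries version SIP/2.0, uses an administrator-defined method, and has the mandatory headers. The port set, method set and sample INVITE are constructed for the demo.

```python
import re

# Assumed policy values for the demo: the pre-defined SIP UDP port and the
# set of methods the administrator has declared valid.
SIP_UDP_PORTS = {5060}
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (SIP/\d\.\d)$")
STATUS_LINE = re.compile(r"^(SIP/\d\.\d) (\d{3}) .*$")
MANDATORY = ("via", "from", "to", "call-id", "cseq")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}   # RFC 3261 short header names


def validate_sip(payload, dst_port, allowed_methods=ALLOWED_METHODS):
    """Classify one UDP payload. Returns 'permit' or a 'drop:<reason>' string."""
    if dst_port not in SIP_UDP_PORTS:
        return "drop:port"                      # SIP only on pre-defined UDP ports
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return "drop:not-sip"
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    req = REQUEST_LINE.match(lines[0])
    if req:
        method, _, version = req.groups()
        if version != "SIP/2.0":
            return "drop:version"
        if method not in allowed_methods:
            return "drop:method"                # method not in the administrator's list
    elif STATUS_LINE.match(lines[0]):
        if not lines[0].startswith("SIP/2.0 "):
            return "drop:version"
    else:
        return "drop:not-sip"                   # UDP traffic that does not belong to SIP
    names = set()
    for line in lines[1:]:
        if ":" in line:
            n = line.split(":", 1)[0].strip().lower()
            names.add(COMPACT.get(n, n))
    for h in MANDATORY:
        if h not in names:
            return f"drop:missing-header:{h}"
    return "permit"


# Constructed sample INVITE used by the demo.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bKdemo\r\n"
    b"From: <sip:alice@example.com>;tag=1\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: demo-call-1@10.0.0.1\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
```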
Agenda

Security Market and Solutions Overview
New Network-Based Security Architecture
Key Features for Network-Wide Security
Summary
Future Security – Integrated High-Performance Network Architectures

Security Traffic Managers and Secure LAN Switches are the Building Blocks of Network-Wide Seven Layer Security

Protection @ Perimeter, Internal LAN, Data Center, Server Farm, and Enterprise Edge

Cost Effective and Scalable Solutions are Required

Firewalls are Here to Stay (At Least For a While)
  – New Solutions Must Augment and Offload Firewalls
  – Cap and Protect Firewall Investment
Thank You