
Securing Business-Critical Network and Application Infrastructure

Gopala Tumuluri, Foundry Networks (www.foundrynet.com)
NET&COM – Feb 2006
Jan. 2006 | © 2006 Foundry Networks, Inc.

Agenda

– Security Market and Solutions Overview
– New Network-Based Security Architecture
– Key Features for Network-Wide Security
– Summary

Security Solutions in the Market – Traditional Firewalls

Stateful Inspection Firewalls (Layer 2 through 4)
– Maintain State of Every Flow (L4); Traffic is Passed Only on Pre-Established Flows
– Some DoS Protection, NAT, IPsec VPN

Proxy Firewalls (Layer 2 through 7)
– Full Termination with a Proxy: Terminate TCP and Re-Establish it Towards the Server
– Protocol-Aware Proxy Layer (HTTP, FTP, Etc.)
– Slower Because of Full Termination

Firewall Inadequacies – Need to Augment and Offload
– Very Poor DoS Protection, Application Rate Limiting and Layer 7 Intelligence
– Performance Challenged, Especially for NAT and DoS
– Firewall Load Balancing (FWLB) for Scalability and HA is Still a Key Need

Security Solutions in the Market – Intrusion Prevention and Detection

IDS (Intrusion Detection Systems)
– Passive Devices in the Network Observing Traffic
– Observe Behavior and Alert or Act on Anomalies
– Downsides: False Positives, Slow Responsiveness, Reliance on "Magic"

IPS (Intrusion Prevention Systems)
– Inline Devices Blocking Threats, Vulnerabilities and Exploits
– Signature-Based Deep Packet Scan Engines
– Deterministic Enforcement Against Known Signatures

Weaknesses and Inadequacies – Need for Integration
– Overpriced Point Products Solving ONE Security Problem
– Not Ideal for Inline Deployment: PC-Based, No Networking, No Robust L2-4 Defenses, L7 Limited to Signatures
– IPS Needs to be a Feature on a *Total Solution* Inline Security Device
– IDS Must Work Together with Switches and Traffic Monitoring (sFlow)

Security Solutions in the Market – E-Mail and Message SPAM

Full-Content SPAM Mitigation and Prevention
– Inspect for Keywords, Signatures and Attachments Using Complex Rules
– Block Bad E-Mail and Mark Suspected Mail
– Score System (1 to 100) with an Administrator-Set Threshold for Blocking

IP Reputation List Based SPAM Mitigation Solutions
– Lists of *Known BAD* IP Addresses and Prefixes, Each Assigned a Score
– Many Sources for Lists, Gathering Reputation Data Worldwide
– Lists Customizable on Score (Ex: Block IPs Ranked 70 or Above)

SPAM Defense in Depth – Need for Network Solutions
– Exclusive Content Solutions are Inefficient, Costly and Inadequate
– Exclusive IP Reputation is Ineffective and Inadequate
– Defense in Depth Gets the Best of Both Approaches: Apply IP Reputation in the Network (Updated in Real Time), Apply Content-Based Solutions in the Server Farm
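The two-stage defense in depth described above, as an added example that is not code from the Foundry deck. Stage 1, in the network, is an IP-reputation lookup by longest-prefix match against a scored list, dropping senders that score 70 or above (the slide's own threshold example). Stage 2, in the server farm, is a content score on the 1 to 100 scale against administrator-set thresholds, applied only to mail that survived stage 1. The feed, the content rules, the thresholds and the messages are all constructed for illustration.

```python
# Added example (not Foundry's code): reputation in the network first, content
# scoring in the server farm second. All data below is constructed.
import ipaddress

# Constructed reputation feed: prefix -> score (higher is worse).
REPUTATION_FEED = {
    "203.0.113.0/24": 95,     # range listed as a spam source
    "203.0.113.128/25": 20,   # cleaner sub-range; more specific, so it wins
    "198.51.100.7/32": 80,    # single bad host
}
REPUTATION_DROP = 70          # "IPs ranked 70 or above" are dropped at the edge

def reputation_score(ip, feed=REPUTATION_FEED):
    """Return the score of the most specific prefix containing `ip` (0 if unlisted).

    Longest-prefix match, the same rule a router uses, so a clean /25 can
    override a bad /24 that contains it.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_score = None, 0
    for prefix, score in feed.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_score = net, score
    return best_score

# Constructed content rules: (weight, predicate over the message dict).
CONTENT_RULES = [
    (40, lambda m: "urgent" in m["subject"].lower()),
    (30, lambda m: any(a.lower().endswith((".exe", ".scr")) for a in m["attachments"])),
    (25, lambda m: m["body"].count("http://") >= 3),
    (15, lambda m: m["subject"].isupper()),
]
CONTENT_BLOCK = 70            # administrator-set: block at or above this score
CONTENT_MARK = 40             # administrator-set: mark as suspected at or above this

def content_score(msg, rules=CONTENT_RULES):
    """Sum the weights of the matching rules, capped at the slide's 1..100 scale."""
    return min(100, sum(weight for weight, rule in rules if rule(msg)))

def classify(msg):
    """Return (stage, verdict, score) for one message.

    stage is "network" when the reputation stage decided (the message never
    reached the content scanner) and "server" otherwise.
    """
    rep = reputation_score(msg["src_ip"])
    if rep >= REPUTATION_DROP:
        return ("network", "drop", rep)
    score = content_score(msg)
    if score >= CONTENT_BLOCK:
        return ("server", "block", score)
    if score >= CONTENT_MARK:
        return ("server", "mark", score)
    return ("server", "deliver", score)

# Constructed test messages.
MESSAGES = [
    {"src_ip": "203.0.113.9", "subject": "hello", "body": "", "attachments": []},
    {"src_ip": "203.0.113.200", "subject": "URGENT: ACCOUNT NOTICE",
     "body": "http://a/ http://b/ http://c/", "attachments": ["invoice.exe"]},
    {"src_ip": "192.0.2.5", "subject": "Urgent reminder", "body": "standup at 9", "attachments": []},
    {"src_ip": "192.0.2.6", "subject": "Lunch tomorrow?", "body": "see you", "attachments": []},
]

def run(messages=MESSAGES):
    """Classify every constructed message; the first is dropped before any content scan."""
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for m, verdict in zip(MESSAGES, run()):
        print(m["src_ip"], verdict)
```

The second message comes from inside the listed /24 but inside the cleaner /25, so the network stage lets it through and the content stage blocks it; that is the point of keeping both stages rather than either alone.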

Security Solutions in the Market – Web and Application Firewalls

Outbound URL Filtering and Web Security
– Prevent Enterprise Users from Accessing BAD Websites
– Compliance, Etiquette, Corporate Policy, Productivity
– Database of Known Bad URLs (Scored) Applied to Traffic, Periodically Updated with New URLs

Application Firewall for Web Applications (Data Center)
– Goal is to Prevent Hacking and Abuse of the Website (Scripting, Malicious Code, SQL Injection, Forceful Browsing, Cookie Tampering, Cloaking)
– Emerging Area, Consolidating into the Application Switch/Delivery Platform

Web Filtering – Need to Integrate with Inline Security
– Inline Security Device Leverages the Offline Database to Enforce Policies
– Better Performance, Scalability and Security Beyond URL Enforcement
– Opportunity to Offload Firewalls from this Function

Application Firewall on Application Switching and Delivery Class Products – Data Center
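Two of the abuses listed above for an application firewall, cookie tampering and forceful browsing, handled in front of a web application, as an added example that is not code from the Foundry deck or any Foundry product. The firewall signs every cookie it hands out with an HMAC and refuses a cookie whose tag no longer matches its value; and it checks each request path against an allow-list carrying the role the path requires, so a user cannot reach an administrative page just by typing its URL. The key, the path map, the cookie layout and the requests are constructed for illustration.

```python
# Added example (not Foundry's code): application-firewall checks for cookie
# tampering (HMAC-signed cookies) and forceful browsing (path allow-list with
# required roles). All names and data below are constructed.
import base64
import hashlib
import hmac
from urllib.parse import urlparse

SECRET_KEY = b"constructed-demo-key-do-not-reuse"   # assumed to live only on the firewall

def sign_cookie(value, key=SECRET_KEY):
    """Append an HMAC-SHA256 tag so any edit to `value` is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify_cookie(cookie, key=SECRET_KEY):
    """Return the cookie's value if its tag is valid, else None."""
    value, sep, tag = cookie.rpartition(".")   # the base64 tag never contains "."
    if not sep:
        return None
    expected = sign_cookie(value, key).rpartition(".")[2]
    # constant-time compare on bytes, so a non-ASCII tag cannot raise
    return value if hmac.compare_digest(expected.encode(), tag.encode()) else None

# Constructed site map: path -> minimum role. Anything not listed is blocked.
ROLE_RANK = {"public": 0, "user": 1, "admin": 2}
PATH_ROLE = {"/": "public", "/login": "public", "/account": "user", "/admin": "admin"}

def inspect(request):
    """Decide ("allow"|"block", reason) for one request dict with "path" and optional "cookie"."""
    path = urlparse(request["path"]).path
    if path not in PATH_ROLE:
        return ("block", "unknown path")
    role = "public"
    cookie = request.get("cookie")
    if cookie is not None:
        value = verify_cookie(cookie)
        if value is None:
            return ("block", "cookie tampering")
        fields = dict(kv.split("=", 1) for kv in value.split(";"))
        role = fields.get("role", "public")
    if ROLE_RANK.get(role, 0) < ROLE_RANK[PATH_ROLE[path]]:
        return ("block", "forceful browsing")
    return ("allow", "ok")

def demo():
    """Constructed requests: a legitimate user, a tamperer, a URL guesser, and an unknown path."""
    good = sign_cookie("uid=42;role=user")
    tampered = "uid=42;role=admin." + good.rpartition(".")[2]   # edited value, old tag
    return [
        inspect({"path": "/account", "cookie": good}),
        inspect({"path": "/account", "cookie": tampered}),
        inspect({"path": "/admin", "cookie": good}),
        inspect({"path": "/login"}),
        inspect({"path": "/backup.zip?x=1"}),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the path is taken from the parsed URL and matched exactly against the allow-list, a guessed path such as `/backup.zip` is refused as unknown rather than passed through to the application; the role check then handles listed paths the caller is not entitled to.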

Security Solutions in the Market – Edge and Desktop Security

Network Admission Control
– Enforce Policies on Who Can Gain Access to the Network
– Enforce Policies Regarding Endpoint Security Updates and OS
– Authenticate Users Before They Get into the Network

Anti-Virus Solutions and Appliances
– Primarily *On-Desktop* Solutions that Prevent Viruses
– New-Generation Appliances Emerging from Leading Vendors to Offload Some Anti-Virus Function into the Network

Network Access Control
– More Fine-Grained Control of Network and Service Access: Who, When, How, From Where and Why?
– Web Authentication and Access

Security Market Needs and Trends – Key Trends to Capitalize on for Network-Wide Security

Network Perimeter as We Knew It is Disappearing
– Mobility, Convergence, Remote Access, Growing Internal Threats
– Need for Security Everywhere in the Network

Well-Established and Agreed Role of the Network to Deliver Security
– Organizations are Gravitating Towards Network-Based Security Solutions
– Protection for Infrastructure, Services and Critical Resources

Moving Beyond the Firewall Without Giving Up on Firewalls
– Enterprises Endorse the Need for Solutions that Augment Firewalls
– Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly

Emerging Vision/Trend of Network-Wide Security is Catching On
– Network Integration is Seen as Inevitable and Required
– Solutions that Promote Incremental Steps are Needed

Growing Attacks and Threats in Content and Service Provider Infrastructure
– These Customers Can't Rely on Firewalls

Agenda – New Network-Based Security Architecture

Security Traffic Managers and Secure LAN Switches are Key Building Blocks

[Diagram: traditional firewalls at the WAN edge; Security Traffic Managers between network segments; Secure LAN Switches in front of desktops and web & application servers]

Secure LAN Switches – Host Protection (Desktop and Servers)
– L2 Devices with Premium Security Features in a Centralized Management Module
– Protection for Desktops and Servers from Network Attacks, and Vice Versa
– Initial Applications for High-Value User Desktops and Assets
– Direct Desktop Protection; Server Farm Protection

Security Traffic Managers – Network Protection (Internal and Perimeter)
– High-Performance Security Between Network Segments
– Protection Against Internal and External Threats, Including Web and SPAM
– Firewall Clustering, High Availability, Augmentation and Offload

Secure Network Architecture with Two New Product Categories

[Diagram: Internet → Security Traffic Manager (Perimeter Security) → Security Traffic Manager (In-Line Inside LAN Protection) → Secure LAN Switches (Direct Desktop Protection; Server Farm Protection) in front of desktops and web & application servers. Network Admission Control agents on the desktops authenticate against a NAC server (RADIUS). Switches export sFlow to a Network Manager feeding an anomaly-based IPS (external collector and analyzer) with a closed-loop interface back to the switches for edge-port remediation.]

Wire-Speed LAN Switching Security
– L2/L4 DoS Attack Prevention
– Port, CPU, VLAN and Rogue Protection

Security Traffic Manager and LAN Switch
– Signature-Based IPS and More
– Edge, Aggregation and Perimeter

sFlow-Based Anomaly IPS Solution
– Zero-Day Solution
– Interface to Network Management for Remediation

Application Security and Protection
– Web and URL Security
– Network-Based SPAM, DNS and VoIP Security

Augment with sFlow (RFC 3176) – Network-Wide Wire-Speed Visibility

– Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network: Layer 2 through 7 Visibility and Analysis
– Scales with Network Size and Speed with Zero Performance Impact; No Other Technology can Scale to GbE and 10 GbE Rates
– Embedded Implementations Available Today – Free!

sFlow Datagram (Sampled Packet, Layer 2-7 Information) → sFlow Collector (Collection, Analysis and Archival)

Packet Header Analysis
– Src/Dst MAC Addresses
– Src/Dst VLAN (802.1q) and 802.1p Priority
– Src/Dst IPv4 Addresses, Including TOS/DSCP, TCP, TCP Flags, UDP and ICMP Information
– Src/Dst IPv6 Addresses and Other Information
– Src/Dst IPX Addresses and Other Information
– Src/Dst AppleTalk Addresses and Other Information
– MPLS Information

Additional Information Carried with Each Sample
– Sampling Process Parameters (Rate, Pool)
– Physical Input/Output Ports
– Src/Dst Prefix Bits and Next-Hop Subnet; Source AS and Source Peer AS; Destination AS Path; Communities and Local Preference
– 802.1X User Name or RADIUS/TACACS User ID
– Interface Statistics (SNMP)
– The Captured Packet Header Itself (the First N Bytes of the Sampled Packet)
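What a collector does with the fields listed above, and how that feeds the sFlow-based anomaly IPS loop on the architecture slide, as an added example that is not code from the Foundry deck or any Foundry product. sFlow exports one packet in N, so the collector scales each sample by the sampling rate N to estimate traffic per source, attaches the statistical error bound for that estimate (the rule of thumb from the sFlow sampling documentation, %error <= 196 * sqrt(1/c) at 95% confidence for a count built from c samples), and flags a source whose estimated traffic is almost entirely bare SYNs to many hosts. The sample's physical input port is what tells the network manager which edge port to remediate. The datagram decoder itself is not shown: the records below are hand-built dicts of already-decoded fields, and the thresholds are illustrative.

```python
# Added example (not Foundry's code): scale sFlow samples to traffic estimates,
# attach the error bound, and raise a SYN-scan alert with the edge port to
# quarantine. Samples and thresholds are constructed for illustration.
import math
from collections import defaultdict

TCP = 6
SYN_ONLY = "S"   # SYN set, ACK clear: a fresh connection attempt

def sample(src, dst, flags, in_port, rate=512, nbytes=60, proto=TCP, dport=80):
    """One decoded flow sample (constructed); rate is the switch's sampling rate N."""
    return {"rate": rate, "in_port": in_port, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "flags": flags, "bytes": nbytes}

# Constructed samples: a normal web client on edge port 3 (one SYN sampled,
# then established-data packets) and a scanner on edge port 7 (every sampled
# packet is a bare SYN to a different host).
SAMPLES = (
    [sample("10.1.1.10", "10.0.0.80", "S", 3)]
    + [sample("10.1.1.10", "10.0.0.80", "A", 3, nbytes=1500) for _ in range(9)]
    + [sample("10.1.1.66", f"10.0.0.{i}", "S", 7, dport=445) for i in range(1, 11)]
)

def error_pct(sample_count):
    """95% confidence error of a count built from `sample_count` samples.

    Rule of thumb from the sFlow sampling documentation: %error <= 196 * sqrt(1/c).
    With 100 samples the estimate is within about 20%; with 10 it is within about 62%.
    """
    if sample_count == 0:
        return float("inf")
    return 196.0 * math.sqrt(1.0 / sample_count)

def estimate(samples):
    """Scale sampled counts by N to estimate per-source packets, bytes and bare SYNs."""
    per_src = defaultdict(lambda: {"samples": 0, "packets": 0, "bytes": 0,
                                   "syn_only": 0, "dst_hosts": set(), "in_ports": set()})
    for s in samples:
        e = per_src[s["src"]]
        e["samples"] += 1
        e["packets"] += s["rate"]                 # each sample stands for about N packets
        e["bytes"] += s["rate"] * s["bytes"]
        if s["proto"] == TCP and s["flags"] == SYN_ONLY:
            e["syn_only"] += s["rate"]
        e["dst_hosts"].add(s["dst"])
        e["in_ports"].add(s["in_port"])
    return per_src

def detect_syn_scanners(samples, syn_ratio=0.8, min_syn=2000, min_samples=8):
    """Flag sources dominated by bare SYNs; return remediation hints keyed by source."""
    alerts = {}
    for src, e in estimate(samples).items():
        if e["samples"] < min_samples:
            continue                              # error bound too wide to act on
        ratio = e["syn_only"] / e["packets"]
        if ratio >= syn_ratio and e["syn_only"] >= min_syn:
            alerts[src] = {
                "est_syn_packets": e["syn_only"],
                "error_pct": round(error_pct(e["samples"]), 1),
                "distinct_dst_hosts": len(e["dst_hosts"]),
                "remediate_ports": sorted(e["in_ports"]),   # edge ports to quarantine
            }
    return alerts

if __name__ == "__main__":
    for src, alert in detect_syn_scanners(SAMPLES).items():
        print(src, alert)
```

The `min_samples` floor matters: with only a handful of samples the error bound is wide enough that a burst from a legitimate host looks like a scan, so a collector should wait for enough samples (or lower the sampling rate on the port) before handing a remediation request to the network manager.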

Wire-Speed Network Protection

– DoS and DDoS Protection
– Intrusion Protection