ajit shelat - persistent lan security - interop mumbai 2009
DESCRIPTION
In a growing electronic economy, cyber attacks are now being used with greater intensity for political, financial and military reasons. Many countries are also using cyber attacks to extract critical information about strategic developments to gain an edge. Simultaneously, hackers are creating millions of zombies and are using them effectively to launch coordinated attacks. The epidemic growth of malware is reducing the effectiveness of current signature-based technologies. As a result, the world is moving towards alternative technologies, namely reputation- or anomaly-based detection and prevention. This presentation will explore how targeted attacks are being executed, and how organizations can neutralize these attacks by adopting the right techniques. Shelat will also highlight how a multi-layered security technology approach can be deployed to protect critical infrastructure from attacks.
TRANSCRIPT
10/21/2009 © 2005 Nevis Networks – Proprietary and Confidential 1
Persistent LAN Security
Ajit Shelat
CEO
Nevis Networks
Top Network Attacks
[Bar chart: percentage of respondents reporting each attack type, 0–60% scale]
• Trojans, viruses, worms
• Insider Abuse
• Unauthorized Access
• Denial of service attacks
• BOTS
• Abuse of wireless
• Systems Penetration
• Password Sniffing
• DNS Attacks
• Sabotage
2008 CSI Survey Results of 522 Worldwide Respondents
Modern Day Complex Threats
Typical Blended Attack
• Designed to maximize damage
• Fast-spreading network-based threat with multiple attack vectors:
  – Combination of virus, spam, worm and vulnerability exploits
  – Leverages P2P, IM and email to spread with a malicious payload attachment
  – Can self-replicate, acting as a hybrid virus/worm
  – Remote execution, DoS, backdoor applications
Virus/Worm internals – Understanding Conficker
• Disables all security on the PC
• Starts peer-to-peer communication
• Carries out Internet rendezvous
• Tries to spread
Hacking made easy
• Stealth mode
• Keystroke capture
• Screen shots
• Password capture
• No detection by AV + AS software
• Webmail capture
Security mechanisms today
Perimeter Security
» Gateway Firewall
» IDS/IPS
» Gateway AV
» VPN
» Content filtering
Issues
» Ineffective against attacks from inside the network
» Non-malicious, careless Users with ‘tainted’ Laptops, USB devices, or who inject attacks directly into the LAN by careless internet access
» Malicious Insiders who can launch targeted attacks
Network Access Control - End Point Security
» OS Patch Management
» Anti Virus / Anti Spyware
» Personal Firewall
» HIPS
Issues
» OS patches and AV/AS updates can take weeks to be deployed
» AV and AS protection typically provide coverage of about 85-95%
» AV and AS coverage for new attacks is lower in the first few hours after a new attack is launched
» Zero-day and targeted attacks can bypass end-point protection mechanisms
» Malicious users can disable or evade endpoint security checks
Network Access Control - Authentication
» Access control
Issues
» Does not provide persistent security – mainly aimed at pre-connect authentication
» Does not protect against a determined, malicious user attack
» No threat detection and prevention
» No support for detailed logging of network activity – inability to generate compliance reports and support forensic analysis
End-to-End Application Security
» Application security
» Client to Server Secure pipe
» Clean, Trusted End-Point
Issues
» End-to-end encryption does not prevent malicious traffic being exchanged between the client and server
» Endpoints cannot be assumed to be clean, since
  – They can be attacked using other protocols, e.g. L2 protocols on the LAN, DoS attacks
» Protocols such as SSL can be broken using man-in-the-middle type attacks
LAN Security – Weak Link in the Chain
[Diagram: Internet – Gateway – LAN – End Point]
• Security focus has been on
  – Perimeter
  – End-point, i.e. PC/Laptop
• With increasing usage of laptops, handheld devices & wireless, the well-defined perimeter has dissolved
• No focused, specific security mechanisms for the LAN
• Internal networks are flat, a good playground for worms & hackers
• Hard to manage thousands of internal users based on IP/MAC addresses and/or access level security at app servers
LAN Security Should be @ LAN Speeds
Forrester View
• The Problem: Managing all endpoint risks to the network
• Proactive Endpoint Risk Management (PERM)*:
  – Policy-based technology
  – Identity-based enforcement
  – Integrated security services
• Endpoint verification
• Identity-based Access control
• Threat prevention
• Monitoring and reporting
• “PERM goes beyond NAC’s limited endpoint policy view”*.
* Source: Forrester Research, Client 2.0, March, 2007, Robert Whiteley and Natalie Lambert
Comprehensive LAN Security Solution
It’s All About Knowing…
• Who is on your network?
• Where are they going?
• Can you control their behavior?
• What traffic are they sending?
• What are they doing?
• What would you like to do?
Characteristics of Comprehensive LAN Security Solution
• Comprehensive LAN Security
– Involves endpoint authentication and compliance checks, ensuring that only valid users with clean endpoints can access certain resources on the network
– Blocks or quarantines the user if any intended or unintended malicious activity is detected
– Notifies the admin of any deviations from organizational policies or of malicious activities, enabling auditing, drill-down and forensic analysis
– Controls endpoints connected to managed switches, restricting a malicious endpoint as close to the source as possible
– Prevents compromised endpoints from infecting other endpoints connected to unmanaged switches
– Gives the admin a complete view of network health
– Encompasses security right from the endpoint: user identity, network access privileges/control, audit capability and blocking of malicious traffic
– Ensures high network uptime and clean networks without any malicious or unwanted traffic, and improves network bandwidth utilization
An Integrated Policy Approach
[Diagram: Identity-based Enforcement together with four policy areas]
• NAC
• Threat Prevention
• Network Traffic Visibility
• Application Use Controls
The Identity-Aware Network
[Diagram: user groups (Employees, Contractors, Partners, Guests) mapped to Mission-critical Applications, a Subset of Applications, or the Guest Network]
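The two slides above (the characteristics of a comprehensive LAN security solution and the identity-aware network) describe a single decision made for every endpoint: who the user is, whether the endpoint is clean, and what it has been seen doing, combined into one enforcement action and an audit record the admin can drill into. The following is an added example of such a decision function, not code from this presentation or from Nevis Networks; the role names, resource names, alert severities and the exemption of guests from posture checks are assumptions made for illustration.

```python
"""Identity- and posture-based admission decision for a LAN endpoint (added example).

Inputs: identity (role, authenticated?), posture (AV and patches current?) and the
threat-prevention layer's alerts for the endpoint. Output: one enforcement action,
the set of reachable resources, and an audit record for reporting and forensics.
"""
from dataclasses import dataclass, field

# Role -> resources reachable once admitted. Assumed policy; unknown roles get nothing.
ACCESS_POLICY = {
    "employee":   {"mission_critical_apps", "shared_apps", "internet"},
    "contractor": {"shared_apps", "internet"},
    "partner":    {"shared_apps"},
    "guest":      {"guest_network"},
}
# Guests are unmanaged devices, so they are not posture-checked (assumption);
# they only ever reach the guest network.
POSTURE_EXEMPT = {"guest"}

# Alert classes reported by threat prevention, with an assumed severity.
# Anything at or above QUARANTINE_AT forces quarantine; lower severities are
# logged and raised to the admin but do not cut the user off.
THREAT_SEVERITY = {
    "policy_violation": 1,
    "port_scan": 2,
    "worm_signature": 3,
    "arp_spoof": 3,
    "password_cracking": 3,
}
QUARANTINE_AT = 3


@dataclass
class Endpoint:
    user: str
    role: str
    authenticated: bool
    av_current: bool
    patches_current: bool
    alerts: list = field(default_factory=list)  # alert classes observed for this endpoint


def posture_ok(ep):
    """Compliance check: endpoint has current AV/AS and OS patches."""
    return ep.av_current and ep.patches_current


def decide(ep):
    """Return (action, allowed_resources, audit_record) for one endpoint.

    Precedence: unauthenticated -> deny; serious malicious activity -> quarantine
    (regardless of role); failed posture -> remediation VLAN; otherwise allow the
    role's resources. Default is deny.
    """
    if not ep.authenticated or ep.role not in ACCESS_POLICY:
        action, allowed, reason = "deny", set(), "unauthenticated or unknown role"
    elif any(THREAT_SEVERITY.get(a, 0) >= QUARANTINE_AT for a in ep.alerts):
        action, allowed, reason = "quarantine", set(), "malicious activity: " + ",".join(ep.alerts)
    elif ep.role not in POSTURE_EXEMPT and not posture_ok(ep):
        action, allowed, reason = "remediate", {"remediation_vlan"}, "endpoint posture check failed"
    else:
        action, allowed, reason = "allow", set(ACCESS_POLICY[ep.role]), "authenticated, clean endpoint"

    # The admin is notified of every enforcement action and every deviation,
    # including low-severity alerts that did not change the decision.
    notify_admin = action in ("quarantine", "remediate") or bool(ep.alerts)
    audit = {
        "user": ep.user,
        "role": ep.role,
        "action": action,
        "reason": reason,
        "alerts": list(ep.alerts),
        "notify_admin": notify_admin,
    }
    return action, allowed, audit


if __name__ == "__main__":
    # Constructed sample endpoints
    for ep in (
        Endpoint("alice", "employee", True, True, True),
        Endpoint("bob", "contractor", True, True, True, ["port_scan"]),
        Endpoint("eve", "employee", True, True, True, ["worm_signature"]),
        Endpoint("dan", "employee", True, False, True),
        Endpoint("visitor", "guest", True, False, False),
    ):
        print(decide(ep))
```

The point of the ordering in `decide` is that a quarantine verdict from the threat-prevention layer overrides identity: an authenticated employee running a worm is isolated just like a guest would be, which is the "persistent" part of persistent LAN security that pre-connect authentication alone cannot give.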
Multi-layer Defense Model
[Diagram: six detection/enforcement layers and the threats they address]
Layers:
• Firewall / Access Control
• Endpoint Integrity System
• Signature Detection
• Protocol Anomaly
• L2 Security
• Traffic Anomaly
Threats addressed:
• Unauthorized access
• Plundering system for data
• Reconnaissance and scanning
• Worms and viruses
• BOTs
• Spyware
• Backdoors and RATs
• Anomalous traffic
• Remote execution
• Password cracking (detection)
• Denial of service
• Bandwidth consumption
• MAC spoofing
• ARP spoofing
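Of the layers in the model, L2 security is the one that only a LAN-resident control can provide, because ARP and MAC spoofing never cross the perimeter. The following is an added example, not code from this presentation or from Nevis Networks, of the two L2 checks the slide names, run over a constructed log of ARP replies as a switch-side sensor might record them: an IP address answered for by a MAC other than its known binding (ARP spoofing) and one MAC appearing behind different switch ports within a short window (MAC spoofing or cloning). The port names, addresses, static gateway binding and 60-second window are all assumptions.

```python
"""L2 anomaly detection over observed ARP replies (added example).

Sample log, static bindings and thresholds are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    ts: int          # seconds since capture start
    port: str        # switch port the frame arrived on
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


# Known-good binding for the default gateway, seeded by the admin (assumed value).
# Seeding critical hosts matters: without it the first spoofed reply would be "learned".
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed sample log
SAMPLE_LOG = [
    ArpObservation(0,  "Gi1/1", "00:11:22:33:44:01", "10.0.0.1"),  # gateway, as expected
    ArpObservation(1,  "Gi1/5", "00:aa:bb:cc:dd:05", "10.0.0.5"),
    ArpObservation(2,  "Gi1/6", "00:aa:bb:cc:dd:06", "10.0.0.6"),
    ArpObservation(30, "Gi1/7", "00:aa:bb:cc:dd:07", "10.0.0.1"),  # host on Gi1/7 claims the gateway IP
    ArpObservation(31, "Gi1/7", "00:aa:bb:cc:dd:07", "10.0.0.5"),  # and also claims .5
    ArpObservation(40, "Gi1/9", "00:aa:bb:cc:dd:06", "10.0.0.6"),  # MAC of .6 now seen on Gi1/9
]


def detect_arp_spoofing(log, static_bindings):
    """Alert when an IP is answered for by a MAC other than its static or first-learned binding."""
    bindings = dict(static_bindings)
    alerts = []
    for obs in log:
        known = bindings.get(obs.sender_ip)
        if known is None:
            bindings[obs.sender_ip] = obs.sender_mac  # trust-on-first-use for unseeded hosts
        elif known != obs.sender_mac:
            alerts.append({
                "type": "arp_spoof", "ip": obs.sender_ip, "expected_mac": known,
                "seen_mac": obs.sender_mac, "port": obs.port, "ts": obs.ts,
            })
    return alerts


def detect_mac_moves(log, window=60):
    """Alert when one MAC appears on more than one port within `window` seconds."""
    last_seen = {}  # mac -> (port, ts)
    alerts = []
    for obs in log:
        prev = last_seen.get(obs.sender_mac)
        if prev and prev[0] != obs.port and obs.ts - prev[1] <= window:
            alerts.append({
                "type": "mac_move", "mac": obs.sender_mac,
                "from_port": prev[0], "to_port": obs.port, "ts": obs.ts,
            })
        last_seen[obs.sender_mac] = (obs.port, obs.ts)
    return alerts


def ports_to_isolate(log, static_bindings):
    """Switch ports to shut or quarantine, i.e. enforcement as close to the source as possible."""
    alerts = detect_arp_spoofing(log, static_bindings) + detect_mac_moves(log)
    return sorted({a["port"] if a["type"] == "arp_spoof" else a["to_port"] for a in alerts})


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG, STATIC_BINDINGS) + detect_mac_moves(SAMPLE_LOG):
        print(alert)
    print("isolate:", ports_to_isolate(SAMPLE_LOG, STATIC_BINDINGS))
```

Two caveats a deployment needs to handle: a MAC moving between ports is also what a laptop re-plugged in a different room looks like, so the window and the set of ports where moves are expected (wireless uplinks, trunk ports) must be tuned, and the first-seen binding is only as trustworthy as the first frame, which is why gateways and servers should be seeded statically rather than learned.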
Comprehensive Security – Integrated Perimeter, LAN & End point security
[Network diagram with the following labelled components: Internet, Edge Firewall, Router, VPN, IDS, Access and Distribution layers, Departmental Firewall, Secured Workgroup Firewall, Workgroup Servers, Enterprise Servers, Desktops, Laptop, Wireless Access Point, Wireless Security Gateway, Wireless Users, Extended Perimeter, Network access control]
One Stop Comprehensive LAN Security Status
Thank You