hp aruba 2013 _ wireless network security palo alto networks - aruba networks integration
Post on 09-Mar-2016
7/21/2019 HP Aruba 2013 _ Wireless Network Security Palo Alto Networks - Aruba Networks Integration
http://slidepdf.com/reader/full/hp-aruba-2013-wireless-network-security-palo-alto-networks-aruba-networks 1/23
15/11/13
Wireless Network Security
Palo Alto Networks / Aruba Networks Integration
Today’s Agenda
The Backdrop for Mobile Security
• Changes in the application landscape
• State of the art in mobile threats
• Issues with the current approaches to enterprise security
Aruba Networks / Palo Alto Networks Integration
• Introduction to the Palo Alto Networks Network Security Platform
• Integration points with Aruba Networks ClearPass Guest
Resources
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Mobile Climate and Challenges
Need to Control:
• Who gets on the network
• What devices get on the network
• What applications and content those users and devices can access
Today's Challenge:
Once a user's on the network, IT can't control what they can do or access.
Most organizations do not have the security within the infrastructure to control granular application level access based on user and device type.
Help Desk, Engineering, Operations
Challenge: Redefining the IT Service Model
Self-selected devices, apps & services
Build & deploy
Design desktop, voice, network
User-defined infrastructure
Self-provision
Self-support
Support
PRE-BYOD
POST-BYOD
Securing Applications
Today’s Typical Network
Applications everyone wants to hate!
Applications everyone needs!
ActiveDirectory
SMB
pop3
snmp
dns
Applications everyone tends to ignore!
telnet
LDAP
ftp SSL
custom tcp
custom udp
RDP
VNC
VPN encrypted tunnel
Complexity Influencers
Complexity
and Risk
SMTP
Applications Users
SQL Slammer
Poison IVY
APT1
Aurora
Threats
SSL: Security or Evasion?
Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.
26% (356) of the applications found can use SSL
Freegate
SSL/Port 443: The Universal Firewall Bypass
Challenge: Is SSL used to protect data and privacy, or to mask malicious actions?
TDL-4
Poison IVY
Rustock
APT1
Ramnit
Bot
Citadel
Aurora
Gozi
tcp/443
Port Hopping: Ease of Access or Evading Control?
18% (255) of the applications found can hop ports
Managing Ports: A Bad Way to Control Applications
Lync ports to open as recommended by Microsoft
Random, non-contiguous communication ports and protocols!! accessed by distributed workforce with different security risk profiles
Threats to Wireless Networks
The Basics on Threat Prevention
Threat: what it is and what it does
Exploit
• What it is: Bad application input, usually in the form of network traffic.
• What it does: Targets a vulnerability to hijack control of the target application or machine.
Malware
• What it is: Malicious application or code.
• What it does: Anything – downloads, hacks, explores, steals…
Command and Control (C2)
• What it is: Network traffic generated by malware.
• What it does: Keeps the remote attacker in control and coordinates the attack.
Modern Attacks Are Coordinated
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
Mobile Malware: DPlug TTPod App in Google Play
In-App Purchase
Attacker
Dplug Malware
Dplug
Sends IMSI / IMEI via SMS
Premium SMS
Forged Subscribe Confirm?
Victim
Accept
Premium SMS Billing
Secondary Payload
Spread Laterally
Custom C2 & Hacking
Data Stolen
Exploit Kit
Malware From New Domain
ZeroAccess Delivered
C2 Established
Hidden within SSL
New domain has no reputation
Payload designed to avoid AV
Non-standard port use evades detection
Custom malware = no AV signature
Internal traffic is not monitored
Custom protocol avoids C2 signatures
RDP & FTP allowed on the network
Palo Alto Networks
Network Security Platform
Enabling Applications, Users and Content
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work anymore
Applications: Threat Vector and a Target
Threats target applications
• Used as a delivery mechanism
• Application specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration
• Confidential data
• Threat communication
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren’t the Answer
Enterprise Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application control challenges
IM, DLP, IPS, Proxy, URL, AV
UTM
Internet
Making the Firewall a Business Enablement Tool
• Applications: Safe enablement begins with application classification by App-ID.
• Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
• Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.
NGFW in The Enterprise Network
Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevents threats
• Known threats
• Unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevents threats
Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed
Strategy for Protecting the Network
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
• HTTP or all protocols?
• 20% of traffic encrypted by SSL
• Non-standard ports and tunneled traffic
Strategy for Protecting the Network
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
• High risk applications and features
• Block files from unknown domains
• Find and control custom traffic
Strategy for Protecting the Network
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
• Exploits, malware, C2
• Variants and polymorphism
• DNS, URLs, malicious clusters
Strategy for Protecting the Network
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
• Behavioral and anomaly analysis
• Automatically create and deliver protections
• Share globally
Strategy for Protecting the Network
Everything must go in the funnel
Reduce the attack surface
Block everything you can
Test and adapt to unknowns
Investigate and cleanup
• Events in app and user context
• Share indicators of compromise
• Integrate with end-point security
• Feed the SIEM
An Integrated Approach to Threat Prevention
Apps
URL
IPS
Spyware
AV
Files
Modern Malware
Bait the end-user
Exploit
Download Backdoor
Command/Control (C2)
Block high-risk apps
Block known malware sites
Block the exploit
Block malware
Prevent drive-by-downloads
Detect 0-day malware
Block new C2 traffic
Block spyware, C2 traffic
Block fast-flux, bad domains
Block C2 on open ports
Mobile App Analysis
WildFire
App Collection
App Stores
Manual Submission
API
GlobalProtect Gateway
Protection and Enforcement
Malware Signatures
URL and DNS usage
Integration with SIEM
App Analysis
Integration Points
Integration with wireless infrastructure
Identify and authenticate who and what gets on the network
Protect network based on application, user and content
ClearPass and Palo Alto Networks
Aruba MOVE & ClearPass: Mobility Network Services
• Core AAA, NAC
• Device Profiling
• Guest + BYOD
Palo Alto Networks: Next Generation Firewall
• L7+ Application FW
• Content Security
• Threat Protection
Context:
• Exchange rich endpoint context
• Trigger real-time, intelligent network policies
• Extendable architecture
Securing the Wireless with Palo Alto Networks
Guests
Employee Asset
Contractor
Next-Generation Firewall
Aruba Integration
Feed User-ID Data
• Centralized Username to IP address mapping
• No software agents required, support multiple identity stores
• Rich visibility and reporting for compliance
Endpoint/Device Context
• Feed device context to PAN, e.g. iPad, Android Phone
• Enable policy enforcement based on new device context
• Extensible schema allows adding more context to endpoint data
Centralized Identity Store
• FW admin authentication using RADIUS
• Provide services for VPN authentication
ClearPass Policy Manager
Palo Alto Networks
XML
AAA
User-ID Architecture
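The username-to-IP feed listed under Aruba Integration above, sketched as an added example (not code from the deck, Aruba or Palo Alto Networks). It assumes the mappings are delivered as a PAN-OS User-ID XML API `uid-message` login batch; the event field names and all sample values are constructed. It rejects malformed events, keeps the latest user per address, and relies on the XML library to escape client-supplied usernames.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed authentication events (hypothetical field names), as a NAC
# might record them after a wireless client authenticates.
SAMPLE_EVENTS = [
    {"user": "corp\\alice", "ip": "10.20.1.15"},
    {"user": "corp\\bob", "ip": "10.20.1.15"},      # lease reused: bob replaces alice
    {"user": 'guest"/><entry name="admin', "ip": "10.20.1.40"},  # hostile identity
    {"user": "corp\\carol", "ip": "not-an-ip"},     # rejected: bad address
    {"user": "  ", "ip": "10.20.1.7"},              # rejected: empty username
]

def build_uid_message(events):
    """Build a uid-message login batch; return (xml_text, rejected_events)."""
    latest, rejected = {}, []
    for ev in events:
        try:
            ip = str(ipaddress.ip_address(ev["ip"]))
        except ValueError:
            rejected.append(ev)
            continue
        if not ev["user"].strip():
            rejected.append(ev)
            continue
        latest[ip] = ev["user"]  # the most recent login for an address wins
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in latest.items():
        # Attributes are set through the XML library, never by string
        # concatenation, so quotes or angle brackets in a username are escaped.
        ET.SubElement(login, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode"), rejected

def parse_entries(xml_text):
    """Read the mappings back, as the receiving side would see them."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip")) for e in root.iter("entry")]

if __name__ == "__main__":
    xml_text, rejected = build_uid_message(SAMPLE_EVENTS)
    print(xml_text)
    print(parse_entries(xml_text), len(rejected))
```

Rejected events are returned rather than silently dropped so they can be logged: a stale or wrong mapping here means firewall policy is applied to the wrong user.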
Integration Points
ClearPass Configuration
Assigning Security Policies Based on Device Type
• ClearPass Guest fingerprints devices as they authenticate to the wireless environment
• Palo Alto Networks integration shares the device fingerprint
• Palo Alto Networks maps the device to a dynamic address object
• Network security policy follows the device
How the Integration Works – From ClearPass
How the Integration Works – To Palo Alto Networks
To Palo Alto Networks
Resources
Collateral – Tech Note
http://www.arubanetworks.com/aruba-partners/ecosystem-partners/