“There is nothing more important than our customers”: How to secure networks against attacks from the inside while making maximum use of the existing infrastructure

18 slides

Michal Zlesák, Area Sales Manager - Eastern EMEA, michal.zlesak@enterasys.com

Upload: archibald-owen

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Title slide

“There is nothing more important than our customers”

How to secure networks against attacks from the inside while making maximum use of the existing infrastructure

Michal Zlesák, Area Sales Manager - Eastern EMEA

michal.zlesak@enterasys.com

Page 2: Securing the Network starts with the Questions to Ask

© 2006 Enterasys Networks, Inc. All rights reserved.

Securing the Network starts with the Questions to Ask…

• Do you have a corporate IT security policy?

• How do you enforce your security policy?

• Can you identify a security breach occurring within the corporate infrastructure?

• How long does it take to identify an internal security breach?

• How long does it take to patch your entire environment on the discovery of a security breach?

• Do you have mobile users that connect to the corporate infrastructure, but also connect to the Internet through non-trusted and possibly non-secure locations (home, coffee shop, etc.)?

• Can your IT organization remove or quarantine anything on the network at a moment’s notice?

• What would a complete system meltdown cost your organization?

Page 3: The Capabilities of Secure Networks™

• Access Control of users and devices on the network
• Establish and Enforce Policy for users and devices to protect the enterprise
• Detect & Locate security intrusions and anomalous behavior
• Respond & Remediate identified security breaches
• Proactive Prevention of attacks & compromises, everywhere, all the time
• Centralized Command and Control
• Security Enabled Infrastructure (edge, distribution, core, data center, wireless)
• Advanced Security Application

Page 4: Secure Networks – Visibility & Awareness

1. Detect & Assess End Device

[Diagram: Internet, DMZ, data center, distribution & core and access layers; a user/device on Port 1 of an access switch, assigned to a VLAN (Finance, Sales, Ops, Voice VLAN); step 1 is marked at the access port.]

Page 5: Assessing Security Posture of connecting device

Assessing Security Posture of connecting device

1. Device Detection

Identify when a device attempts to connect to the network

2. Device Assessment

Determine if the device complies with corporate security requirements

› “Device Health”, e.g. OS patch revision level, antivirus signature definition date

› Other security compliance requirements e.g. physical location, time of day

3. Device / User Authentication

Verify the identity of the user or device connected to the network

Identify location of end device.

(Detect and Assess End Device, step 1)
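The three checks above (detection, health and compliance assessment, authentication) translate directly into a fail-closed posture evaluation. The following is an added example, not code from the original deck or from Enterasys: it assumes a hypothetical report dict delivered by an endpoint agent or assessment server and a hypothetical POLICY table; the field names, thresholds, user names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy for the example. In a deployment these thresholds come
# from the central policy server, not from constants in the assessment code.
POLICY = {
    "min_os_patch": (6, 0, 6001),         # minimum (major, minor, build) of the OS
    "max_av_sig_age": timedelta(days=3),  # antivirus definitions older than this fail
    "allowed_locations": {"HQ", "BRANCH-PRG"},
    "work_hours": (7, 20),                # permitted local hours, [start, end)
}

ALLOW, QUARANTINE, DENY = "ALLOW", "QUARANTINE", "DENY"

# Constructed sample input (hypothetical user and timestamps).
SAMPLE_NOW = datetime(2006, 11, 22, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = {"user": "jnovak", "authenticated": True, "os_patch": "6.0.6001",
                 "av_sig_date": "2006-11-21", "location": "HQ"}


def parse_version(text):
    """'6.0.6001' -> (6, 0, 6001). Raises on garbage so the caller fails closed."""
    return tuple(int(part) for part in text.split("."))


def assess_device(report, now, policy=POLICY):
    """Evaluate one connecting endpoint and return (decision, reasons).

    Every missing or unparseable field counts as a failure: a device that cannot
    prove it is healthy is quarantined, never admitted by default.
    """
    reasons = []

    # Device / user authentication: an unauthenticated endpoint gets no further evaluation.
    if not report.get("authenticated"):
        return DENY, ["user/device not authenticated"]

    # Device health: OS patch revision level.
    try:
        if parse_version(report["os_patch"]) < policy["min_os_patch"]:
            reasons.append("OS patch level below minimum")
    except (KeyError, ValueError, TypeError, AttributeError):
        reasons.append("OS patch level missing or unreadable")

    # Device health: age of the antivirus signature definitions.
    try:
        sig_date = datetime.fromisoformat(report["av_sig_date"]).replace(tzinfo=timezone.utc)
        if now - sig_date > policy["max_av_sig_age"]:
            reasons.append("antivirus signatures out of date")
    except (KeyError, ValueError, TypeError):
        reasons.append("antivirus signature date missing or unreadable")

    # Other compliance requirements: physical location and time of day.
    if report.get("location") not in policy["allowed_locations"]:
        reasons.append("location not permitted by policy")
    start, end = policy["work_hours"]
    if not start <= now.hour < end:
        reasons.append("outside permitted hours")

    return (ALLOW, []) if not reasons else (QUARANTINE, reasons)


if __name__ == "__main__":
    print(assess_device(SAMPLE_REPORT, SAMPLE_NOW))
    stale = dict(SAMPLE_REPORT, os_patch="5.2.3790", av_sig_date="2006-11-10")
    print(assess_device(stale, SAMPLE_NOW))
```

The decision is deliberately three-valued: a failed authentication is a DENY, a failed health or compliance check is a QUARANTINE that keeps the device on a remediation VLAN, and only a report that passes every check is ALLOW. The reasons list is what the NAC server would hand to the helpdesk and to the SIEM.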

Page 6: Secure Networks – Visibility & Awareness

1. Detect & Assess End Device
2. Monitor network and application flow behavior

[Diagram: the same Internet / DMZ / data center / distribution & core / access topology; step 1 is marked at the user/device on Port 1, step 2 at the distribution & core layer where flows are collected.]

Page 7: Granular Control of Network Traffic (step 2)

• Leveraging the full capabilities of policy architecture
› Central policy configuration and distribution (Policy Administration in the core)
› Distributed policy enforcement points at the infrastructure access and distribution layer
› Per user / per device controls at the aggregation of non-policy-enabled access layer
› Flow-based threat isolation and mitigation

• Policy Enforcement
› User/Device Access Control
› Protocol Filtering
› Undesirable Traffic Filtering
› Application QoS
› Per User Quarantine
› Rate limiting, prioritizing, limiting resources

[Diagram: Policy Administration in the Core pushes policy to enforcement points at the Distribution Layer and the Access Layer.]

Page 8: Monitor Network and Application Flow Behavior (step 2)

• Security Information & Event Management
› Traditional network performance optimization
› Monitor network bandwidth behaviors
› Detailed application-level flow collection with packet data
› All flows captured: QFlow, NetFlow, sFlow, cflowd, J-Flow

Page 9: Secure Networks – Visibility & Awareness

1. Detect & Assess End Device
2. Monitor network and application flow behavior
3. Monitor for threats in the infrastructure

[Diagram: the same Internet / DMZ / data center / distribution & core / access topology; step 2 at the distribution & core layer, step 3 marked at several points (access port, core, DMZ) where IDS/IPS sensors sit.]

Page 10: Threat & Compliance Methods (step 3)

Signature Based Pattern Matching
› IDS/IPS looks for known patterns of malicious activity
› Robust threat signature libraries

Behavioral Anomaly Detection
› “Suspicious or out of the ordinary” events

Protocol Decoding
› IDS/IPS monitors for protocol anomalies and violations in all common protocols, including VoIP protocols

Analysis stages, from the wire up:
• Layer 1: frame capture
• Layer 2: frame filtering; basic security checks
• Layer 3: IP options logging; IP protocol logging; header verification and analysis; IDS evasion checking; IP fragment reassembly and event logging; IP address checks; IP header values retrieved, checked and stored
• Layer 4 (TCP/UDP/ICMP): TCP: analyze and store header variables, checksum verification, options verification and logging, flags verification and logging; UDP: analyze and store header variables; ICMP: logging, backdoor checks
• IP Session Analysis: data collection for out-of-band processing; stream reassembly; port scan and sweep detection
• Application Anomaly Analysis: pattern matching in the IP/TCP/UDP/ICMP headers; protocol decoding analysis; specific application security event analysis; generic denial-of-service testing
• Signature Analysis: complex signature analysis; case-sensitive and case-insensitive searching with support for wildcards and character types
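Port scan and sweep detection from the IP Session Analysis stage, written out as an added example (not from the deck or from any Enterasys product) as a sliding-window detector over flow records. Flow, the thresholds and the sample traffic are all constructed; real thresholds are tuned per network segment. The slow-scanner case at the end shows the evasion the stage's IDS evasion checking has to worry about: one probe per window never reaches the threshold.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float     # flow start, seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    proto: str    # "tcp", "udp" or "icmp"


# Thresholds chosen for this example; tune them per segment in practice.
SCAN_PORTS = 20    # distinct destination ports on one host from one source
SWEEP_HOSTS = 10   # distinct destination hosts on one port from one source
WINDOW = 60.0      # seconds of history kept per (source, key)


def detect_scans_and_sweeps(flows, scan_ports=SCAN_PORTS, sweep_hosts=SWEEP_HOSTS, window=WINDOW):
    """Sliding-window port scan and host sweep detector over flow records.

    Returns (kind, src, key, distinct) alerts in time order, at most one per
    (kind, source, key). "portscan" = many ports on one target; "sweep" = many
    targets on one port. Only flows inside the window count, so a scan slower
    than one probe per window stays under the threshold.
    """
    alerts, fired = [], set()
    by_target = defaultdict(deque)   # (src, dst)   -> deque of (ts, dport)
    by_port = defaultdict(deque)     # (src, dport) -> deque of (ts, dst)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "icmp":
            continue   # no ports; ICMP sweeps need a separate rule
        for table, key, value, threshold, kind in (
            (by_target, (f.src, f.dst), f.dport, scan_ports, "portscan"),
            (by_port, (f.src, f.dport), f.dst, sweep_hosts, "sweep"),
        ):
            q = table[key]
            q.append((f.ts, value))
            while f.ts - q[0][0] > window:   # drop history older than the window
                q.popleft()
            distinct = len({v for _, v in q})
            if distinct >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, f.src, key[1], distinct))
    return alerts


def sample_flows():
    """Constructed flow records: one normal client, one fast scanner, one
    sweeper, and one slow scanner that stays under the window."""
    flows = []
    for i, p in enumerate((80, 443, 80, 443, 25)):
        flows.append(Flow(1000.0 + i, "10.0.1.10", "10.0.2.5", p, "tcp"))
    for i in range(25):                           # 25 ports on one host in 5 seconds
        flows.append(Flow(1100.0 + i * 0.2, "10.0.1.66", "10.0.2.15", 1 + i, "tcp"))
    for i in range(12):                           # port 445 on 12 hosts in 12 seconds
        flows.append(Flow(1200.0 + i, "10.0.1.77", f"10.0.2.{100 + i}", 445, "tcp"))
    for i in range(25):                           # one port every 61 s: never 20 in a window
        flows.append(Flow(2000.0 + i * 61, "10.0.1.88", "10.0.2.15", 5000 + i, "tcp"))
    return flows


if __name__ == "__main__":
    for alert in detect_scans_and_sweeps(sample_flows()):
        print(alert)
```

Counting distinct ports or hosts rather than raw flow counts keeps a busy but legitimate client (repeated connections to the same two ports) below the threshold, while the fast scanner fires as soon as its twentieth distinct port is seen.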

Page 11: Monitor for Threats in Infrastructure (step 3)

Behavior Based Monitoring (day zero attacks, forensics)
› Anomaly Detection from flow data: NetFlow, J-Flow, sFlow, cFlowd, QFlow, Packeteer Flow Data Record
› Protocol Analysis & Anomaly: NIDS, HIDS, IPS

Signature Based Monitoring
› Pattern Matching: NIDS, HIDS, IPS

[Diagram labels: Correlation; Compliance Policy; Flow.]

Page 12: Behavioral Flow Context Analysis (step 3)

• Detailed network performance information: applications, latency, traffic flows
• Detailed view of an attack before, during, and after the incident from a network flow perspective

Example:
› The backdoor SIM detects a backdoor event and tells the classification engine to monitor for flows where:
- Attacker is <SRC>
- Target is <DST>
- Port is new
- And found after <event time>
- And flow is <bi-directional>

• Offenses are annotated with evidence, e.g. “Flow context analysis has detected that the attack successfully installed a backdoor on the target”
• Flows tagged and correlated to offenses
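The backdoor example above is a flow-context correlation rule: a signature event is confirmed or refuted by what the flow records show afterwards. Written out as an added example (not the deck's or the vendor's code), assuming a hypothetical Event from the signature engine and flow records that carry per-direction byte counts; the addresses, port numbers and timestamps are constructed.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float        # flow start, seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    bytes_fwd: int   # bytes src -> dst
    bytes_rev: int   # bytes dst -> src; 0 means the target never answered


class Event(NamedTuple):
    ts: float
    name: str
    attacker: str
    target: str


def baseline_ports(flows, target, before_ts):
    """Ports on which the target answered anyone before the event; these are not 'new'."""
    return {f.dport for f in flows if f.dst == target and f.ts < before_ts and f.bytes_rev > 0}


def correlate_backdoor(event, flows, window=3600.0):
    """Confirm or refute a backdoor event from flow context.

    Evidence is any flow after the event (within window seconds) from the attacker
    to the target on a port the target was not serving before the event, where the
    target actually replied (bi-directional). A one-way probe to a closed port is
    not evidence: nothing is listening there.
    """
    known = baseline_ports(flows, event.target, event.ts)
    evidence = [
        f for f in flows
        if f.src == event.attacker and f.dst == event.target
        and event.ts < f.ts <= event.ts + window
        and f.dport not in known
        and f.bytes_rev > 0
    ]
    offense = {"event": event.name, "attacker": event.attacker, "target": event.target,
               "confirmed": bool(evidence), "evidence": evidence}
    if evidence:
        ports = sorted({f.dport for f in evidence})
        offense["annotation"] = ("flow context: attack successfully installed backdoor "
                                 f"on target, new listening port(s) {ports}")
    return offense


def sample_data():
    """Constructed flows around one backdoor event (not real traffic)."""
    event = Event(ts=5000.0, name="Backdoor.Install", attacker="192.0.2.10", target="10.0.2.15")
    flows = [
        Flow(4000.0, "10.0.1.10", "10.0.2.15", 445, 5000, 8000),     # normal file-share use
        Flow(4990.0, "192.0.2.10", "10.0.2.15", 445, 120000, 400),   # exploit delivered on a known port
        Flow(5010.0, "192.0.2.10", "10.0.2.15", 31337, 300, 0),      # probe, target did not answer
        Flow(5020.0, "192.0.2.10", "10.0.2.15", 31337, 900, 4500),   # backdoor now answering
        Flow(5030.0, "192.0.2.10", "10.0.2.15", 445, 200, 200),      # known port, not evidence
        Flow(5100.0, "10.0.1.10", "10.0.2.15", 445, 5000, 8000),
    ]
    return event, flows


if __name__ == "__main__":
    ev, fl = sample_data()
    print(correlate_backdoor(ev, fl))
```

The baseline is taken from all sources, not only the attacker, so a port the server was already serving cannot be mistaken for a newly installed listener; the bi-directional requirement is what separates a successful install from an attacker merely knocking on a closed port.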

Page 13: Secure Networks – Visibility & Awareness

1. Detect & Assess End Device
2. Monitor network and application flow behavior
3. Monitor for threats in the infrastructure
4. Manage Security Information

[Diagram: the same Internet / DMZ / data center / distribution & core / access topology; step 3 marked at the sensor points, step 4 at the central security management system.]

Page 14: Manage Security Information (step 4)

Security Information & Event Manager (SIEM)
› Provides a shared view of the infrastructure
› Extensive 3rd-party device support
› Correlates seemingly disparate network and security events
› Links network behavior with security posture for compliance
› Satisfies IT’s convergence objective

Page 15: Reporting – For Operations & Compliance (step 4)

• The value of reporting is that it enhances your business’s compliance posture
• Executive Level Reports: high-level enterprise-wide or departmental summary reports
• Operational Reports: detailed enterprise-wide or departmental reports
• Wizard driven, easy to use: build, edit, schedule and distribute reports
• Variety of outputs and graph types: XML, HTML, PDF, CSV; bar, delta, baselines, pie, line, stacked bar, …

Page 16: Network Defense System

[Architecture diagram; the recoverable components:]

Surveillance and Front Line Prevention
› Host IDS/IPS
› Network IDS/IPS
› Network Behavioral Anomaly Detection
› Events from 3rd-party firewall, VoIP gateway, IDS/IPS, SIM, vulnerability assessment, syslog, application, database, etc.
› Flow data: J-Flow, sFlow, NetFlow
› External threat data: threatening subnet ranges, blacknet IP addresses, spyware sites, etc.

Analytics
› SIEM (Security Information & Event Manager), fed with security event data, external threat data and flow data

Response
› Operations Center Dashboard (human response)
› Automated Security Manager (automated response): policies applied to network equipment
› Automated Security Reports

[Diagram labels: EFP, SEG.]

Page 17: Secure Networks – The Power of Visibility and Control

1. User assessed and authenticated through NAC
2. User attempts directed attack at critical server
3. IDS/IPS detects and drops lethal packets
4. IDS/IPS forwards detected event to ASM
5. ASM locates threat
6. ASM turns off access to port
7. NAC blacklists user from authenticating

[Diagram: Internet, DMZ, data center, distribution & core and access layers; the user on Port 1 in VLAN 1 (alongside a Phone VLAN) attacking a server in VLAN 2; steps 1–7 marked along the path from the access port to the critical server and back to NAC.]
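Steps 5 to 7 (locate, shut the port, blacklist) as an added example, not the deck's or Enterasys' code: a small automated-response engine that resolves the attacker IP through a constructed ARP table and switch forwarding tables, refuses to shut uplink ports, and records the NAC blacklist entry. NetworkState, Alert, the switch and port names, the severity scale and the user names are all hypothetical.

```python
from typing import NamedTuple


class Alert(NamedTuple):
    ts: float
    signature: str
    src_ip: str
    dst_ip: str
    severity: int    # 1 (info) .. 10 (critical), constructed scale


class NetworkState:
    """Constructed snapshot of what an automated response engine would learn from
    the infrastructure (ARP caches, switch forwarding tables, NAC sessions)."""

    def __init__(self, arp, fdb, uplinks, nac_sessions, critical_servers):
        self.arp = arp                        # ip -> mac
        self.fdb = fdb                        # (switch, port) -> set of MACs learned there
        self.uplinks = uplinks                # (switch, port) pairs that must never be shut
        self.nac_sessions = nac_sessions      # mac -> authenticated user
        self.critical_servers = critical_servers
        self.disabled_ports = set()
        self.blacklist = set()


def locate_endpoint(state, ip):
    """IP -> MAC -> (switch, port). Returns (mac, port_or_None); mac is None if unknown.

    Uplinks and trunks learn every MAC behind them, so they are excluded; among the
    remaining ports the one with the fewest learned MACs is taken as the edge port.
    """
    mac = state.arp.get(ip)
    if mac is None:
        return None, None
    candidates = [(len(macs), sw_port) for sw_port, macs in state.fdb.items()
                  if mac in macs and sw_port not in state.uplinks]
    if not candidates:
        return mac, None
    return mac, min(candidates)[1]


def automated_response(state, alert, min_severity=8):
    """Steps 5-7 of the slide: locate the threat, shut the port, blacklist the user."""
    if alert.severity < min_severity or alert.dst_ip not in state.critical_servers:
        return ["log only"]
    mac, port = locate_endpoint(state, alert.src_ip)
    if mac is None:
        # Not an internal endpoint, or a spoofed source: no port to shut, a human decides.
        return [f"escalate: {alert.src_ip} not in ARP table, no automatic action"]
    actions = []
    if port is None:
        actions.append(f"escalate: {mac} seen only on uplinks, refusing to shut a shared port")
    else:
        state.disabled_ports.add(port)
        actions.append(f"shutdown {port[0]} {port[1]}")
    user = state.nac_sessions.get(mac)
    if user:
        state.blacklist.add(user)
        actions.append(f"nac blacklist user {user}")
    else:
        state.blacklist.add(mac)
        actions.append(f"nac blacklist mac {mac}")
    return actions


def sample_state():
    """Constructed topology: one access switch with an uplink to one core switch."""
    return NetworkState(
        arp={"10.0.1.66": "00:11:22:33:44:66", "10.0.1.10": "00:11:22:33:44:10"},
        fdb={
            ("acc-sw1", "port7"): {"00:11:22:33:44:66"},
            ("acc-sw1", "port8"): {"00:11:22:33:44:10"},
            ("acc-sw1", "port48"): {"00:11:22:33:44:f0"},                      # uplink, learns the server
            ("core-sw1", "port1"): {"00:11:22:33:44:66", "00:11:22:33:44:10"},  # core side, sees all users
        },
        uplinks={("acc-sw1", "port48"), ("core-sw1", "port1")},
        nac_sessions={"00:11:22:33:44:66": "jnovak", "00:11:22:33:44:10": "ksvoboda"},
        critical_servers={"10.0.2.15"},
    )


if __name__ == "__main__":
    st = sample_state()
    print(automated_response(st, Alert(5000.0, "EXPLOIT buffer overflow", "10.0.1.66", "10.0.2.15", 9)))
```

The two refusals are the part worth keeping when adapting this: an alert whose source is not in the ARP table (external, or a spoofed internal address) and a MAC that only appears on uplinks both go to the operations dashboard instead of triggering a shutdown, because shutting a trunk on the strength of one spoofable source address is a denial of service an attacker can provoke on purpose. A PC daisy-chained behind an IP phone shares the phone's edge port, so the phone goes down with it; that is the price of port-level isolation.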

Page 18: Closing

“There is nothing more important than our customers”

Thank You