utm (unified threat management)
File Based Threats
• Example: Internet download
• Viruses and malicious code infection:
  • Peer to Peer
  • Instant Messaging apps
  • Shareware sites
  • Compromised servers
  • Legitimate corporations
  • Web based email
• Threats pass through stateful packet inspection firewalls
• Once inside the network, others are easily affected
[Diagram: corporation network with a file server]
Application Attacks
• Unpatched Servers: Scob
• Servers do not get up-to-date patches
• Attacker sends malicious code through a buffer overflow
• The injected program instructions run on the victim's computer
• Can also be used as a denial-of-service attack, causing the computer to crash
• Server is infected
• New users who access the server get infected
[Diagram: malicious hacker triggering a buffer overflow on the server]
Spyware/ Adware
Spyware is any software that utilizes a computer's Internet access without the host's knowledge or explicit permission.
According to certain experts, approximately 90% of computers have some form of Spyware.
Aids in gathering information:
• Browsing habits (sites visited, links clicked, etc.)
• Data entered into forms (including account names, passwords, text of Web forms and Web-based email, etc.)
• Keystrokes and work habits
[Diagram: Server Zone and User Zone]
Spyware Infection
A - Downloading programs: Kazaa / screensavers / Windows utilities; download managers / file sharing software / demo software
B - Trojans that are delivered or downloaded in e-mail
C - In free, banner ad-based software - Popups
D - The most notorious enabler of Spyware is Microsoft's ActiveX module
[Diagram: infection paths A, B and C/D into the user zone]
Firewall Technology
Today's Aging Technology
Stateful Packet Inspection (SPI) is limited protection.
• Provides source / destination / state intelligence.
• Provides network address translation.
• Stateful firewalls cannot protect against threats that are application-layer based, file based or email based.
New Standard - UTM
1. Typical firewalls are effective for port blocking
2. If a port is open, it is assumed any data can pass
3. Intrusion detection is a "reactive" approach that does not actively protect
4. Security must be built upon deep packet inspection, AV/Spy/Intrusion prevention with dynamic updates
Unified Threat Management
Integration of Firewall with:
• Deep Packet Inspection
• Intrusion Prevention for blocking network threats
• Anti-Virus for blocking file based threats
• Anti-Spyware for blocking Spyware
Faster updates to the dynamically changing threat environment and elimination of False Positives
Deep Packet Inspection: Zone-based security
Protect internally
Gateway Anti-Virus
• Scan through unlimited file sizes
• Scan through unlimited connections
• Scan over more protocols than any similar solution
Anti-Spyware for protection against malicious programs
• Blocks the installation of spyware
• Blocks Spyware that is emailed and sent internally
Application Layer Threat Protection:
• Full protection from Trojan, worm, blended and polymorphic threats
[Diagram: Server Zone, User Zone and Dept Zone, each separated by DPI]
PRO Series as a Prevention Solution
• Full L2-7 signature-based inspection
• Application awareness
DPI: Intrusion Prevention / Gateway AV / Anti-Spy
Hidden threats
Firewall Traffic Path
Network communication, like email, file transfers and web sessions, is packetized.
[Diagram: Typical User Activity (our world view: an email) versus Firewall View (typical network traffic: the same email as packets 4 3 2 1)]
Traffic = multiple packets of information
One Packet = Header info and Data
Stateful Packet Inspection
Firewall Traffic Path: INSPECT
[Diagram: IP header (Version | Service | Total Length; ID | Flags | Fragment; TTL | Protocol | IP Checksum; Source IP Address; Destination IP Address; IP Options) and UDP header (Source UDP Port | Destination UDP Port | Checksum)]
What Stateful Packet Inspection sees in the example packet:
• Source: 212.56.32.49
• Destination: 65.26.42.17
• Source Port: 823747
• Dest Port: 80
• Sequence: 28474
• Sequence: 2821
• Syn state: SYN
• IP Option: none
Stateful is limited inspection that can only block on ports. No Data Inspection!
Deep Packet Inspection
Firewall Traffic Path: INSPECT
[Diagram: the same IP and UDP header fields followed by the packet data; Stateful Packet Inspection covers only the header, Deep Packet Inspection covers the whole packet and compares it against the Signature Database]
Signature Database (category followed by the number of signatures shown on the slide): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT
Deep Packet Inspection inspects all traffic moving through a device.
Deep Packet Inspection with Intrusion Prevention
Firewall Traffic Path
[Diagram: a stream of packets, each with IP/UDP header and DATA, passes Stateful Packet Inspection and then Deep Packet Inspection, which compares every packet against the Signature Database]
Comparing... Application Attack, Worm or Trojan Found!
Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans.
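As an added example (not from the original slides), the stateful-versus-deep inspection contrast of the last three slides in Python: a constructed IPv4/TCP packet is parsed into the header fields SPI reads and the payload that only DPI reads, then both verdicts are computed. The signature database, the allowed port set and the source port 8237 are constructed for the example; the addresses, destination port and sequence number are the slide's.

```python
import struct
from ipaddress import IPv4Address

# Constructed signature database for this example (not the appliance's real
# one): a payload substring and the category name as the slide's database
# labels them.
SIGNATURES = {b"cmd.exe": "WEB-ATTACKS", b"/cgi-bin/../../": "WEB-CGI"}
ALLOWED_PORTS = {80, 443}  # assumed firewall rule: only the web ports are open

def build_packet(src, dst, sport, dport, payload, flags=0x02):
    """Assemble a minimal IPv4 + TCP packet (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 28474, 0, (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload

def parse_packet(raw):
    """Split a packet into the header fields SPI reads and the data only DPI reads."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes
    sport, dport, seq, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4                 # TCP header length in bytes
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto, "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "syn": bool(off_flags & 0x02),
        "payload": raw[ihl + data_off:total],
    }

def stateful_verdict(pkt):
    """SPI: decides on addresses, ports and connection state only; the payload is never read."""
    return "ALLOW" if pkt["dport"] in ALLOWED_PORTS else "DROP"

def dpi_verdict(pkt):
    """DPI: after the same SPI check, compare the payload against every signature."""
    verdict = stateful_verdict(pkt)
    if verdict != "ALLOW":
        return verdict
    for pattern, category in SIGNATURES.items():
        if pattern in pkt["payload"]:
            return "BLOCK:" + category
    return "ALLOW"

if __name__ == "__main__":
    # The slide's example flow: 212.56.32.49 -> 65.26.42.17:80, SYN, sequence 28474
    # (source port 8237 is constructed, since the slide's value is not a valid port).
    for data in (b"GET /index.html HTTP/1.0\r\n", b"GET /scripts/cmd.exe HTTP/1.0\r\n"):
        pkt = parse_packet(build_packet("212.56.32.49", "65.26.42.17", 8237, 80, data))
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], "SPI:", stateful_verdict(pkt), "DPI:", dpi_verdict(pkt))
```

Both packets pass SPI because port 80 is open; only DPI sees the difference in the data, which is the slide's "No Data Inspection!" point made concrete.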
Gateway Antivirus and Content Control
Firewall Traffic Path
[Diagram: packets pass Stateful Packet Inspection and then Deep Packet Inspection against the Signature Database; a download from an auction site is flagged "Virus File!"]
Gateway Anti-Virus, Anti-Spyware, Content Inspection
Security Must Be Updated
Firewall Traffic Path
[Diagram: Stateful Packet Inspection, Deep Packet Inspection, Anti-Virus and Content Filtering Service in sequence, each drawing on its own updated database: IPS Database, AV Database, Spy Database, Content Filtering Database]
Gateway Anti-Virus, Anti-Spyware, Content Inspection
Unified Threat Management Appliances
• Firewall
• VPN
• Basic Bandwidth Mgt
• Gateway AV, Intrusion Prevention, Anti-Spyware
• Content Filtering
• Reporting
• Secure Wireless
• ISP Load Balancing / Failover
• Central Management
[Diagram: one appliance combining Firewall, VPN, IPS, Web Filtering and AV/AS]
UTM Benefits
• Reduces number of boxes you have to buy.
• Reduces amount of un-coordinated management.
• Ideally positioned (bottleneck) for Internet-facing security.
• Allows us to incrementally add security without complexity.
UTM Has Benefits and Costs too!
UTM Costs
• System performance can be dramatically affected.
• Single choice may be wrong choice for OUR network.
• Some UTM features are in for check-list purposes and not for security purposes.
• Subscription costs need to be budgeted.
[Diagram: UTM functions grouped under Intrusion Prevention, Bad Content, Control Usage, Bad Activity and Enforce Policy: Antispam, Antivirus, Anti-spyware, Anti-phishing, DoS/DDoS Mitigation, Content Filtering, Application Blocking, Bandwidth Management]