utm (unified threat management)

UNIFIED THREAT MANAGEMENT PRESENTED BY ANKITA SHARMA

Post on 15-Jul-2015


What are the threats today?

Cyber Attacks

Email viruses / spam

Internet-dependent infrastructure

Software vulnerabilities

• Example: Internet downloads

• Viruses and malicious code infection arrive through:

  • Peer to peer

  • Instant messaging apps

  • Shareware sites

  • Compromised servers

  • Legitimate corporations

  • Web-based email

• These threats pass straight through stateful packet inspection firewalls, which check only headers and connection state, not the content

• Once inside the network, other hosts are easily infected

File Based Threats

[Diagram: corporation network with a file server]

• Unpatched servers: Scob

• Servers do not get up-to-date patches

• The attacker sends malicious code through a buffer overflow in the unpatched service

• The overflow delivers program instructions to the victim's computer, which executes them

• The same overflow can also be used as a denial-of-service attack, causing the computer to crash

• The server is infected

• New users who access the server get infected

[Diagram: malicious hacker exploiting a buffer overflow on the server]
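The buffer overflow the slide describes, as an added example that is not part of the original deck: a server-side handler for a constructed wire format (a 2-byte big-endian length followed by that many bytes of data), written once the way the unpatched server behaves, trusting the length the client sent, and once with the two checks a patch would add. The format, the 32-byte buffer size and the helper names (handle_request_unsafe, handle_request_safe, build_request, try_handler) are assumptions for the example; no real protocol or product is implied.

```c
/* Added example, not from the slides: a length-prefixed request handler in
 * its vulnerable and hardened forms. Wire format (constructed):
 *   [2-byte big-endian length][data...] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REQ_BUF 32   /* fixed-size stack buffer the handler copies the request into */

static uint16_t read_len(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE: trusts the attacker-supplied length field. If len > REQ_BUF the
 * memcpy runs past buf into whatever the compiler placed above it (saved
 * registers, the return address): the attacker's bytes become control flow,
 * or the process simply crashes (the denial-of-service case on the slide).
 * If len also exceeds the bytes actually received, the copy reads past the
 * input as well. Only ever call this with well-formed input. */
int handle_request_unsafe(const uint8_t *in, size_t in_len) {
    char buf[REQ_BUF];
    if (in_len < 2) return -1;
    size_t len = read_len(in);
    memcpy(buf, in + 2, len);                 /* no bound on len at all */
    return (int)len;                          /* buf would now be dispatched on */
}

/* HARDENED: the declared length is checked against both the bytes that were
 * actually received and the size of the destination buffer before any copy. */
int handle_request_safe(const uint8_t *in, size_t in_len) {
    char buf[REQ_BUF];
    if (in_len < 2) return -1;                /* truncated header */
    size_t len = read_len(in);
    if (len > in_len - 2) return -1;          /* claims more than was sent: over-read */
    if (len > sizeof buf) return -1;          /* does not fit: would smash the stack */
    memcpy(buf, in + 2, len);
    return (int)len;
}

/* Build a request whose header says `declared` while `data_len` bytes follow
 * (the two may disagree on purpose). Returns bytes written, 0 if cap is too small. */
size_t build_request(uint8_t *out, size_t cap, uint16_t declared,
                     const uint8_t *data, size_t data_len) {
    if (cap < 2 + data_len) return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)declared;
    memcpy(out + 2, data, data_len);
    return 2 + data_len;
}

/* Constructed test input: `data_len` bytes of 'A' behind a header declaring
 * `declared`, run through the chosen handler. Returns the handler's result,
 * or -2 if the request could not be built. */
int try_handler(int hardened, uint16_t declared, size_t data_len) {
    uint8_t wire[256], data[256];
    if (data_len > sizeof data) return -2;
    memset(data, 'A', data_len);
    size_t n = build_request(wire, sizeof wire, declared, data, data_len);
    if (n == 0) return -2;
    return hardened ? handle_request_safe(wire, n) : handle_request_unsafe(wire, n);
}

int main(void) {
    printf("8-byte request:   unsafe=%d safe=%d\n", try_handler(0, 8, 8), try_handler(1, 8, 8));
    printf("100-byte request: safe=%d (rejected; the unsafe handler would overflow buf)\n",
           try_handler(1, 100, 100));
    printf("header lies (20 declared, 8 sent): safe=%d (rejected)\n", try_handler(1, 20, 8));
    return 0;
}
```

The second check in handle_request_safe is the one that is usually forgotten: comparing the declared length only against the buffer still lets a client declare more bytes than it sent, which turns the copy into a read past the end of the receive buffer.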

Application Attacks

Spyware / Adware

Spyware is software that uses a computer's Internet connection to collect and send out information without the owner's knowledge or explicit permission.

According to some estimates, approximately 90% of computers have some form of spyware.

It aids in gathering information:

• Browsing habits (sites visited, links clicked, etc.)

• Data entered into forms (including account names, passwords, text of web forms and web-based email, etc.)

• Keystrokes and work habits

Spyware Infection

[Diagram: server zone and user zone, with infection paths A, B and C/D]

A - Downloading programs: Kazaa / screensavers / Windows utilities, download managers / file sharing software / demo software

B - Trojans that are delivered or downloaded in e-mail

C - Free, banner ad-based software and popups

D - The most notorious enabler of spyware is Microsoft's ActiveX, whose controls run native code in the browser with the user's privileges

Today's Aging Technology

Stateful Packet Inspection (SPI) is limited protection.

• Provides source / destination / state intelligence.

• Provides network address translation.

• Stateful firewalls cannot protect against threats that are application-layer, file or email based: they decide on headers and connection state, never on the data.

Firewall Technology

1. Typical firewalls are effective for port blocking

2. If a port is open, it is assumed that any data can pass

3. Intrusion detection is a "reactive" approach: it alerts after the fact and does not actively block

4. Security must be built upon deep packet inspection and AV / anti-spyware / intrusion prevention with dynamic updates

How can we keep up?

New Standard - UTM

Unified Threat Management

Integration of the firewall with:

• Deep Packet Inspection

• Intrusion Prevention for blocking network threats

• Anti-Virus for blocking file-based threats

• Anti-Spyware for blocking spyware

Faster updates for the dynamically changing threat environment, and fewer false positives

Deep Packet Inspection and Zone-based Security

Protect internally: DPI sits between zones (Server Zone, User Zone, Dept Zone), not only at the Internet edge

Gateway Anti-Virus

• Scans through unlimited file sizes

• Scans through unlimited connections

• Scans over more protocols than any similar solution

Anti-Spyware for protection against malicious programs

• Blocks the installation of spyware

• Blocks spyware that is emailed and sent internally

Application Layer Threat Protection: full protection from Trojan, worm, blended and polymorphic threats

[Diagram: Server Zone, User Zone and Dept Zone, each separated from the others by DPI]

PRO Series as a Prevention Solution

• Full L2-7 signature-based inspection

• Application awareness

DPI: Intrusion Prevention / Gateway AV / Anti-Spyware
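What "scan through unlimited file sizes" and "unlimited connections" require in practice, as an added example that is not part of the original deck: a gateway cannot hold a whole download in memory, so the scanner has to match a signature byte by byte while carrying only a small amount of state from one packet to the next. The scanner below uses the Knuth-Morris-Pratt failure table so that the per-connection state is a single integer (how many bytes of the signature have been matched so far), and scan_two_chunks shows the same file scanned per packet instead, where a signature straddling the packet boundary is missed. The signature, the chunk contents and all names (stream_scanner, scanner_init, scanner_feed, scan_two_chunks) are constructed for the example.

```c
/* Added example, not from the slides: a streaming signature scanner with
 * constant per-stream state, and the per-packet scan it replaces. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIG_MAX 64

struct stream_scanner {
    uint8_t sig[SIG_MAX];
    size_t  sig_len;
    size_t  fail[SIG_MAX];   /* KMP failure table, computed once per signature */
    size_t  matched;         /* bytes of sig matched so far: the only per-stream state */
    int     hit;
};

/* Prepare a scanner for one signature. Returns -1 if the signature is empty
 * or longer than SIG_MAX. */
int scanner_init(struct stream_scanner *s, const char *sig) {
    size_t n = strlen(sig);
    if (n == 0 || n > SIG_MAX) return -1;
    memcpy(s->sig, sig, n);
    s->sig_len = n;
    s->matched = 0;
    s->hit = 0;
    s->fail[0] = 0;
    for (size_t i = 1, k = 0; i < n; i++) {      /* standard KMP prefix function */
        while (k > 0 && s->sig[i] != s->sig[k]) k = s->fail[k - 1];
        if (s->sig[i] == s->sig[k]) k++;
        s->fail[i] = k;
    }
    return 0;
}

/* Feed the next chunk of the stream in arrival order. Returns 1 once the
 * signature has been seen, even when it was split across chunks. Memory use
 * does not grow with the size of the file or the number of chunks. */
int scanner_feed(struct stream_scanner *s, const uint8_t *chunk, size_t len) {
    for (size_t i = 0; i < len && !s->hit; i++) {
        while (s->matched > 0 && chunk[i] != s->sig[s->matched])
            s->matched = s->fail[s->matched - 1];   /* fall back, never rescan */
        if (chunk[i] == s->sig[s->matched]) s->matched++;
        if (s->matched == s->sig_len) s->hit = 1;
    }
    return s->hit;
}

/* Scan a file that arrives as two chunks, the way a gateway sees it. With
 * stream_state = 1 the match position is carried across the boundary; with
 * stream_state = 0 it is thrown away at the boundary, i.e. per-packet scanning.
 * Returns 1 if the signature was found, 0 if not, -1 on a bad signature. */
int scan_two_chunks(const char *sig, const char *c1, const char *c2, int stream_state) {
    struct stream_scanner s;
    if (scanner_init(&s, sig) != 0) return -1;
    scanner_feed(&s, (const uint8_t *)c1, strlen(c1));
    if (!stream_state) s.matched = 0;    /* forget everything at the packet boundary */
    return scanner_feed(&s, (const uint8_t *)c2, strlen(c2));
}

int main(void) {
    const char *sig    = "EVIL-MARKER-1";                   /* constructed signature */
    const char *chunk1 = "...file header...EVIL-MAR";       /* boundary inside the signature */
    const char *chunk2 = "KER-1...rest of file...";
    printf("streaming scan:  %d\n", scan_two_chunks(sig, chunk1, chunk2, 1));
    printf("per-packet scan: %d\n", scan_two_chunks(sig, chunk1, chunk2, 0));
    return 0;
}
```

A real gateway runs thousands of such scanners at once, one per connection and signature set, which is why the per-stream state has to stay this small; an attacker who knows the scanner is per-packet rather than streaming only has to fragment the file so that every signature crosses a packet boundary.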

Technology Behind The Scenes

Hidden threats

Firewall Traffic Path

Network communication, like email, file transfers and web sessions, is packetized.

[Diagram: typical user activity (email) in our world view versus the firewall view, where it is a sequence of packets 4 3 2 1]

Traffic = multiple packets of information

One packet = header info and data

Firewall Traffic Path: Stateful Packet Inspection

INSPECT (header fields only)

IP header:
  Version | Service | Total Length
  ID | Flags | Fragment
  TTL | Protocol | IP Checksum
  Source IP Address
  Destination IP Address
  IP Options

Transport header:
  Source UDP Port | Destination UDP Port | Checksum

Example packet on the slide:
  Source        212.56.32.49
  Destination   65.26.42.17
  Source Port   823747
  Dest Port     80
  Sequence      28474
  Sequence      2821
  Syn state     SYN
  IP Option     none

(Two corrections to the slide: a TCP or UDP port is a 16-bit field, so a real source port must be 65535 or less, and the SYN state and sequence numbers shown belong to a TCP header, not the UDP header drawn above them.)

Stateful is limited inspection that can only block on ports.

No Data Inspection!

Firewall Traffic Path: Deep Packet Inspection

INSPECT: the same IP and transport headers as in stateful packet inspection, plus the packet data, which is compared against the signature database

Signature Database (category: number of signatures)

ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT (count not legible on the slide)

Stateful Packet Inspection, then Deep Packet Inspection

Deep Packet Inspection inspects all traffic moving through a device.

Firewall Traffic Path: Stateful Packet Inspection, then Deep Packet Inspection

[Diagram: a stream of packets passes the stateful header check and is then compared, headers and data, against the signature database]

Comparing… Application Attack, Worm or Trojan Found!

Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans.
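The two views of the same packet that the last few slides contrast, as an added example that is not part of the original deck: parse_packet pulls the IP and TCP header fields the slides list out of raw bytes, stateful_verdict decides on the destination port alone, and dpi_verdict additionally runs the payload against a signature list, so a request to the open port 80 that carries an attack pattern is allowed by the first and blocked by the second. The packet bytes, the open-port policy, the three signatures and all function names are constructed for the example; the addresses are the ones printed on the slide, and no checksums are computed because nothing is transmitted.

```c
/* Added example, not from the slides: stateful vs deep packet inspection of
 * one constructed IPv4/TCP packet. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct pkt_view {
    uint8_t  version, ttl, protocol, tcp_flags;
    uint16_t total_len, src_port, dst_port;
    uint32_t src_ip, dst_ip, seq;
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse IPv4 + TCP headers. Returns 0 on success, -1 if the packet is
 * truncated, not IPv4, not TCP, or its length fields do not add up. */
int parse_packet(const uint8_t *buf, size_t len, struct pkt_view *v) {
    if (len < 20) return -1;
    v->version = buf[0] >> 4;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    v->total_len = rd16(buf + 2);
    if (v->version != 4 || ihl < 20 || v->total_len < ihl || v->total_len > len) return -1;
    v->ttl = buf[8];  v->protocol = buf[9];
    v->src_ip = rd32(buf + 12);  v->dst_ip = rd32(buf + 16);
    if (v->protocol != 6) return -1;                 /* this example handles TCP only */
    const uint8_t *tcp = buf + ihl;
    size_t rem = v->total_len - ihl;
    if (rem < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > rem) return -1;
    v->src_port = rd16(tcp);  v->dst_port = rd16(tcp + 2);
    v->seq = rd32(tcp + 4);   v->tcp_flags = tcp[13];
    v->payload = tcp + doff;  v->payload_len = rem - doff;
    return 0;
}

/* Stateful view: open destination port means the data may pass. Returns 1 allow, 0 drop. */
int stateful_verdict(const struct pkt_view *v) {
    static const uint16_t open_ports[] = {80, 443};      /* constructed policy */
    for (size_t i = 0; i < sizeof open_ports / sizeof open_ports[0]; i++)
        if (v->dst_port == open_ports[i]) return 1;
    return 0;
}

/* DPI view: the payload is matched against a signature database (constructed).
 * Returns the index of the first matching signature, -1 if clean. */
static const char *const signatures[] = { "cmd.exe", "/etc/passwd", "<script>" };

int dpi_match(const struct pkt_view *v) {
    for (size_t i = 0; i < sizeof signatures / sizeof signatures[0]; i++) {
        size_t n = strlen(signatures[i]);
        for (size_t off = 0; n <= v->payload_len && off + n <= v->payload_len; off++)
            if (memcmp(v->payload + off, signatures[i], n) == 0) return (int)i;
    }
    return -1;
}

int dpi_verdict(const struct pkt_view *v) { return stateful_verdict(v) && dpi_match(v) < 0; }

/* Assemble a constructed IPv4/TCP packet carrying `payload` to `dst_port`.
 * Returns the total length, 0 if cap is too small. */
size_t build_packet(uint8_t *out, size_t cap, uint16_t dst_port, const char *payload) {
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                                     /* IPv4, IHL 5 words */
    out[2] = (uint8_t)(total >> 8);  out[3] = (uint8_t)total;
    out[8] = 64;  out[9] = 6;                          /* TTL, protocol TCP */
    const uint8_t src[4] = {212, 56, 32, 49}, dst[4] = {65, 26, 42, 17};  /* from the slide */
    memcpy(out + 12, src, 4);  memcpy(out + 16, dst, 4);
    uint8_t *tcp = out + 20;
    tcp[0] = 0x0f;  tcp[1] = 0xa0;                     /* source port 4000 (constructed) */
    tcp[2] = (uint8_t)(dst_port >> 8);  tcp[3] = (uint8_t)dst_port;
    tcp[12] = 0x50;                                    /* data offset 5 words */
    tcp[13] = 0x18;                                    /* PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return total;
}

/* Build, parse and judge one request. Returns 1 allow, 0 drop, -1 malformed. */
int inspect_request(uint16_t dst_port, const char *payload, int deep) {
    uint8_t pkt[1500];
    struct pkt_view v;
    size_t n = build_packet(pkt, sizeof pkt, dst_port, payload);
    if (n == 0 || parse_packet(pkt, n, &v) != 0) return -1;
    return deep ? dpi_verdict(&v) : stateful_verdict(&v);
}

int main(void) {
    const char *benign = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    const char *attack = "GET /upload/cmd.exe HTTP/1.1\r\nHost: example.test\r\n\r\n";
    printf("benign to :80  stateful=%d dpi=%d\n", inspect_request(80, benign, 0), inspect_request(80, benign, 1));
    printf("attack to :80  stateful=%d dpi=%d\n", inspect_request(80, attack, 0), inspect_request(80, attack, 1));
    printf("benign to :23  stateful=%d\n", inspect_request(23, benign, 0));
    return 0;
}
```

dpi_match looks at one packet at a time; a signature split across two packets is not seen by it, which is why a production DPI engine reassembles the TCP stream (or scans it statefully) before matching.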

Deep Packet Inspection with Intrusion Prevention, Gateway Antivirus and Content Control

Firewall Traffic Path: Stateful Packet Inspection, then Deep Packet Inspection against the signature database

[Diagram: a file downloaded from an auction site passes through Gateway Anti-Virus, Anti-Spyware and Content Inspection; verdict: Virus File!]

Firewall Traffic Path: Stateful Packet Inspection, Deep Packet Inspection, then Gateway Anti-Virus, Anti-Spyware and Content Inspection

[Diagram: the Anti-Virus and Content Filtering Service feeds the four databases used by DPI: AV Database, IPS Database, Spy Database and Content Filtering Database]

Security Must Be Updated

Unified Threat Management Appliances

• Firewall

• VPN

• Basic Bandwidth Management

• Gateway AV, Intrusion Prevention, Anti-Spyware

• Content Filtering

• Reporting

• Secure Wireless

• ISP Load Balancing / Failover

• Central Management

[Diagram: one appliance combining Firewall, VPN, IPS, Web Filtering and AV/AS]

UTM is an alternative to the common approach to perimeter security, in which each of these functions is a separate box.

Criteria For Selecting UTM Over Firewall

UTM Benefits

• Reduces the number of boxes you have to buy.

• Reduces the amount of uncoordinated management.

• Ideally positioned (at the Internet bottleneck) for Internet-facing security.

• Allows us to incrementally add security without complexity.

UTM Has Benefits and Costs too!

UTM Costs

• System performance can be dramatically affected: every enabled service inspects every packet on the same box.

• A single choice may be the wrong choice for OUR network.

• Some UTM features are there for check-list purposes and not for security purposes.

• Subscription costs need to be budgeted.

It's all about MANAGEMENT!

[Diagram: management goals (Bad Content, Bad Activity, Control Usage, Enforce Policy) mapped against the UTM services: Intrusion Prevention, Antispam, Antivirus, Anti-spyware, Anti-phishing, DoS/DDoS Mitigation, Content Filtering, Application Blocking, Bandwidth Management]

Comments / Queries