Gonz Guzman

Zscaler Administration and Reporting

Andy Groome

Agenda

n  What is the Zscaler Web Security Service?

n  How is it deployed?

n  Zscaler Administration

n  Zscaler Reporting

n  Zscaler Malware Prevention/Reporting

2 10/3/12

Zscaler

n  Zscaler provides content !ltering and anti-virus/malware protection via a cloud base service.

n  Zscaler enforcement nodes (ZENs) are deployed in two of MCNC / NCREN’s egress points to the commodity internet. •  Traffic redirection is accomplished via the NCREN

router at your location or a proxy auto-con!guration !le (PAC)

3 10/3/12

Zscaler Administration

n  Zscaler Administration UI Demonstration

4 10/3/12

Zscaler Malware Prevention/Reporting

Zscaler lines of defense

n  Manage > URL policies

n  Secure > Advanced threats

n  Secure > Anti-virus & anti-spyware

n  Secure > File type control

5 10/3/12

Zscaler Malware Prevention/Reporting

Virus Test Files

n  eicar.org

n  European Expert Group for IT-Security

n  http://www.eicar.org/85-0-Download.html 

n  8 !les of 'pseudo-malware' containing virus-like strings

n  Not harmful to device downloading

n  Zscaler will block these downloads

6 10/3/12

Zscaler Malware Prevention/Reporting

Malware Sites

n  Site devoted to cataloging malware sites:

http://www.malwaredomainlist.com/forums/index.php?topic=3270.0

n  Zeus botnet tracker to see current Zeus C&C servers on a map

n  mdlcsv.php - known malware sites

n  Dates 1/1/2009-present

n  85,926 listings in the !le

7 10/3/12

Zscaler Malware Prevention/Reporting

Lab Testing – Malware vs. Zscaler

n  Automated script on Linux

n  60 hours

n  44,684/85,926 or ~52% of the malwaredomainlist.com sites did resolve

n  If a site resolved, the script attempted to download the page/!le

n  5,914 !les downloaded

n  386 different !le extensions

8 10/3/12

Zscaler Malware Prevention/Reporting

n  Files with asterisks can also be blocked by Zscaler based on !le-type extension

n  Other downloaded !les included 3 .msi, 3 .scr, 7 .dll, 2 .dmg, but no Linux viruses!

And the top 20 !le-type extensions downloaded…:

9 10/3/12

Zscaler Malware Prevention/Reporting

L.

10 10/3/12

Frequency   Number !les  

Extension  

1   1901   php  

2   1839   html  3   724   exe*  

4   381   txt  5   220   bin  

6   96   jpg  

7   60   htm  

8   40   js*  

9   39   gif  10   39   swf*  

11   38   pdf*  

12   32   jar*  

13   31   png  

14   17   avi*  

15   16   com*  

16   13   psd*  

17   11   asp  

18   10   Ico  

19   10   aspx  

20   9   zip*  

Zscaler Malware Prevention/Reporting

n  Manage > URL categories

n  Secure > Anti-virus & anti-spyware policy

n  Secure > Advanced threats:

Strict vs. permissive slider bar – 33%:

Strict – may block legitimate sites such as update.microsoft.com (due to !le extensions, fact that downloads are attempted, etc.)

Permissive – allow questionable websites

11 10/3/12

Zscaler Malware Prevention/Reporting

Reporting & malware

n  Analytics > Web Insights

!lter for Threat Class > Advanced Threats

n  Users typically see these reasons for block:

“Not allowed to browse this malicious url.’

“Detected possible botnet command.”

n  Analytics > Interactive Reports > Security Threats > Which advance threats were detected?

12 10/3/12

Initial Assessment – What is happening?

n  A page is blocked •  Security threat •  Policy rule

n  A page is broken •  Page does not load •  Page not displayed correctly

n  Other issues •  Server or browser errors

13 3/24/14

Questions to ask…

n  What is the scope? •  This user? •  Other browsers? •  Other locations?

n  What are the logs telling me?

n  HTTPS involved?

n  Another manifestation of a common issue?

14 3/24/14

Common Issues – PAC file logic

n  On premise traffic reported as Road Warrior

n  SSL and Authentication bypass not applied

n  GRE bypass not applied

n  Why? •  TCP/9443 not routed across GRE •  Location aware logic dictates behavior

15 3/24/14

Common Issues – Custom Categories

n  Custom Category issues •  Entry not associated with original category •  Duplicate category entries are BAD •  Category lookup not accurate, trust the logs

16 3/24/14

Common Issues – Auth / SSL Bypass

n  Authentication •  Bypass required? •  Bypass unexpected (unknown user-agent)?

n  SSL bypass required? •  Transparent and explicit proxy?

n  Service bypass required?

17 3/24/14

Diagnostic Mantra

n  Mantra: •  “The logs are my friend” •  “The logs tell the truth” •  “The logs will show the way”

18 3/24/14

Diagnostic Mantra

n  Any Questions?

19 3/24/14