[Building the Foundation of Information Security Protection with a New Mindset] Palo Alto Networks Technical Manager Bruce Lan (藍博彥)
Bruce Lan
Technical Manager, Taiwan, Palo Alto Networks
Agenda
------
Palo Alto Networks
2010 Palo Alto Networks. Proprietary and Confidential. Page 3 |
[Slide diagrams: network topology with Internet, internal network, remote site and server farm; evasive applications such as Ultrasurf and Freegate; P2P, TeamViewer, Facebook and e-mail on client PCs; webmail, Facebook mail and posting]
Traditional applications: DNS, Gopher, SMTP, HTTP
Dynamic applications: FTP, RPC, Java/RMI, multimedia
Evasive applications: encrypted Web 2.0, P2P, instant messenger, Skype, music, games, desktop applications, spyware, crimeware
Layer 4 firewall (stateful inspection)
Enterprise 2.0
Easy to pass through the firewall
What traffic is in the network?
Comment           Source IP         Destination IP   Service/port   Action
HTTP, HTTPS only  192.168.10.0/24   Any              80, 443        Allow
..                X.X.X.X           X.X.X.X          5001           Allow
Others            Any               Any              Any            Deny
Applications became evasive
- Needed to traverse the firewall
- Would look for commonly open ports: port 80, 443, 53
- Or look for any available port (open high ports)
[Diagram: standard service ports FTP (port 20), SSH (port 22), Telnet (port 23), HTTP (port 80), IM (port 531)]
Evasive applications fundamentally break the
port-based model
Non-standard is the new standard
67% of the apps use port 80, port 443, or hop ports
190 of them are client/server
177 can tunnel other applications, a feature no longer reserved for SSL or SSH
[Chart: Most Frequently Detected "Dynamic" Applications; bars for Sharepoint, iTunes, MS RPC, Skype, BitTorrent, MSN Voice, Ooyla, Mediafire, eMule, TeamViewer; values in chart order: 83%, 78%, 77%, 73%, 60%, 60%, 55%, 54%, 51%, 42%]
[Chart: Applications That are Capable of Tunneling; by category: Networking (73), Collaboration (46), Media (24), General-Internet (17), Business-Systems (15); by type: Client-server (78), Browser-based (66), Network-protocol (19), Peer-to-peer (12)]
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
Broadening Threats: malware URLs, worms, exploits, P2P, XSS, botnets, IMs
[Diagram: what an IDP/IPS cannot see in application traffic: encryption (e.g. SSL), compression (e.g. GZIP), proxies (e.g. UltraSurf), tunneled apps (e.g. Facebook), outbound phone-home traffic]
Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define what applications are permitted.
More than 60% of applications are hidden from network firewalls.
ISO 27001, A.11.4.1, Policy on use of network services: users should only be provided with access to the services that they have been specifically authorized to use.
Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.): the principle of least privilege. Common firewalls, IPS and UTM devices are not able to fulfill this requirement.
ISO 27001, PCI
- Least Privilege (Need to Know)
- Separation of Duties
- Best Effort
- CISSP
1. Proactively reduce the attack surface
2. Control the application-enabled vectors
3. Protect against all threats in theory and in practice
4. Shift to user-aware enforcement and reporting
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.
Read the full Gartner report here
"To truly protect the network, enterprises need capabilities beyond what traditional IPS solutions provide" - Gartner
Next-Generation Threat Prevention
- Actively reduce the attack surface
- Control application-enabled threats
- User-aware enforcement and reporting
Traditional IPS Requirements
- Proven IPS accuracy
- Anti-virus / spyware
- Performance
- Research
Palo Alto Networks Next-Generation Firewall
- Traffic limited to approved business use cases based on App and User
- Attack surface reduced by orders of magnitude
- Complete threat library with no blind spots: bi-directional inspection, scans inside SSL, scans inside compressed files, scans inside proxies and tunnels
Identify traffic (App-ID)
Is the user allowed? (User-ID)
What threats? (Content-ID)
[Diagram: App-ID classification narrows from port number to TCP, SSL, HTTP, Gmail and Google Talk, inbound and outbound]
Full cycle threat prevention
- Intrusion prevention
- Malware blocking
- Anti-virus control
- URL site blocking
- Encrypted & compressed files
Data leakage control
- Credit card numbers
- Custom data strings
- Document file types
Port 80
Who uses P2P?
For Accounting, allow web-browsing
For Marketing, allow web-browsing & facebook-chat
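The following is an added example, not code from the original slides or from Palo Alto Networks: a minimal first-match policy evaluator that runs the same constructed flows through the port-based "HTTP/HTTPS only" table shown earlier and through the application- and user-aware rules just stated (Accounting: web-browsing only; Marketing: web-browsing and facebook-chat). The flow records, user groups and application labels are constructed for illustration; the `app` label stands in for what an App-ID style classifier would produce after inspecting the payload, which this example does not attempt to do.

```python
"""Port-based versus application/user-aware policy, side by side (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str          # constructed label standing in for an App-ID style verdict
    user_group: str   # constructed label standing in for a User-ID style lookup


@dataclass(frozen=True)
class PortRule:
    src_net: str
    ports: Optional[FrozenSet[int]]   # None matches any port
    action: str


@dataclass(frozen=True)
class AppRule:
    user_group: Optional[str]         # None matches any group
    apps: Optional[FrozenSet[str]]    # None matches any application
    action: str


# The port-based table from the slides: HTTP/HTTPS only for the user subnet, deny the rest.
PORT_POLICY: List[PortRule] = [
    PortRule("192.168.10.0/24", frozenset({80, 443}), "allow"),
    PortRule("0.0.0.0/0", None, "deny"),
]

# The application- and user-aware rules from the slides, with an implicit deny at the end.
APP_POLICY: List[AppRule] = [
    AppRule("accounting", frozenset({"web-browsing"}), "allow"),
    AppRule("marketing", frozenset({"web-browsing", "facebook-chat"}), "allow"),
    AppRule(None, None, "deny"),
]


def port_decision(flow: Flow, policy: List[PortRule] = PORT_POLICY) -> str:
    """First-match evaluation on source subnet and destination port only."""
    src = ip_address(flow.src_ip)
    for rule in policy:
        if src in ip_network(rule.src_net) and (rule.ports is None or flow.dst_port in rule.ports):
            return rule.action
    return "deny"


def app_decision(flow: Flow, policy: List[AppRule] = APP_POLICY) -> str:
    """First-match evaluation on user group and identified application; the port is ignored."""
    for rule in policy:
        if (rule.user_group is None or rule.user_group == flow.user_group) and \
           (rule.apps is None or flow.app in rule.apps):
            return rule.action
    return "deny"


# Constructed sample flows (TEST-NET-3 destinations); not real traffic.
FLOWS: List[Flow] = [
    Flow("192.168.10.5", "203.0.113.10", 443, "web-browsing", "accounting"),
    Flow("192.168.10.7", "203.0.113.20", 80, "bittorrent", "accounting"),      # P2P riding on port 80
    Flow("192.168.10.20", "203.0.113.30", 443, "facebook-chat", "marketing"),
    Flow("192.168.10.8", "203.0.113.30", 443, "facebook-chat", "accounting"),
    Flow("192.168.10.21", "203.0.113.40", 5001, "web-browsing", "marketing"),  # legitimate web app on a non-standard port
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """(user group, app, port, port-based verdict, app-aware verdict) for each flow."""
    return [(f.user_group, f.app, f.dst_port, port_decision(f), app_decision(f)) for f in flows]


def port_only_gaps(flows: List[Flow]) -> List[Flow]:
    """Flows the port-based table lets through but the app-aware policy stops: the evasive traffic."""
    return [f for f in flows if port_decision(f) == "allow" and app_decision(f) == "deny"]


if __name__ == "__main__":
    for row in compare(FLOWS):
        print("%-11s %-14s port %-5d port-based=%-5s app-aware=%s" % row)
```

Running it shows the two failure modes of the port-based table in one listing: the BitTorrent and facebook-chat flows on ports 80/443 are allowed because only the port is checked, while the marketing user's web-browsing on port 5001 is denied even though the application is permitted. The app-aware policy decides each of these the other way because it matches on what the traffic is and who is sending it.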
Who accessed it? What application?
Where?
Which security rule?
What threat was detected?
Effective Security
- By application
- By user
- Content scanning
Flexible Integration
- L1/L2/L3/mixed mode
- VLAN trunking, link aggregation
Example: Network Segmentation (PCI)
Example: Safe Enablement
- Developers stand up SQL instances on any port
- Only Oracle, SQL Server, MySQL, and DB/2 traffic allowed access to the databases segment
[Diagram: segmented network with WAN and Internet, Users, Domain Users, Development Servers, Infrastructure Servers, Exchange OWA Servers]
Appropriate protection of IT systems requires safeguards that control many network segments in different modes: L3, transparent (L2) and sniffer.
Cost effectiveness requires virtualization of the protections: VLAN interfaces, virtual routers, and virtual systems.
Networks and threats are changing
Palo Alto Networks solution
[Diagram: L2 VLAN 10, L2 VLAN 20, L3 DMZ, L3 Internet, Vwire]
Many work modes: Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
The protection's work mode is adjusted to the requirements; network interfaces in one device can work in different modes.
Security virtualization: VLAN interfaces in L2 and L3, virtual routers and virtual systems.
[Diagram: tap connection on the core switch]
Visibility
- Application, user and content visibility without inline deployment
Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Founded in 2005 by Nir Zuk, inventor of stateful inspection technology
Timeline: 2005, 2007; Next-Generation Firewalls (NGFW); Check Point, NetScreen, McAfee, Juniper Networks, Blue Coat, and Cisco; 60+; 3500+ (until 2010 Q4)
Nir Zuk
- 1994-1999: Check Point CTO, Stateful Inspection
- 2000-2002: CTO at OneSecure
- 2002-2005: CTO at NetScreen / Juniper
- 2005: Founder & CTO at Palo Alto Networks
Palo Alto Networks