Advanced Intrusion Defense
Joel Snyder, Opus One
Traditional perimeter technology is being… supplemented?
A firewall is not just a firewall anymore
Firewalls now have “advanced application intelligence”
• Actually, they had that already, but the marketroids had to keep themselves busy.
Firewalls now are “intrusion prevention systems”
• Isn’t every firewall an intrusion prevention system?
Firewalls now do virus scanning, content scanning, and ironing.
Application-layer firewalls are needed to protect legions of inadequate Web programmers.
A firewall is not just a firewall anymore, II
IDS has been replaced by IPS.
• (No, I don’t believe that, I’m just repeating awful rumors.)
Worms now outnumber viruses in your e-mail by a factor of 20 to 1.
Spam represents 50% to 75% of all e-mail you receive.
Key Question: Do you need this?
Do you need to buy (or upgrade to) a bigger, smarter, faster, more capable firewall?
Do you need to buy an IPS?
…an application layer firewall?
…a smarter IDS?
…an SSL VPN device?
Do I want an all-in-one thing?
Do I want individual parts?
The answer you’ve been waiting for… is on the very next slide!
Should I buy a lot of this new security stuff?
And if I do buy this, what kind should I buy? And where should I put it? And which product should I buy?
Answer: 42
I can’t tell you what is right for your network.
I can tell you what products are out there and what they are doing.
I can also tell you what the trends are in these products.
But the hard work remains yours.
So let’s look at what’s happening in the firewall business
March 2004: Information Security sponsors research on new firewall technologies
Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard
Support from Andy Briney, Neil Roiter at Information Security
http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.”
(Bill Cheswick, Design of a Secure Internet Gateway, April 1990)
Timeline, 1989 to 2005 (milestones shown on the slide):
• First firewalls deployed in Internet-connected organizations
• “Firewalls and Internet Security” published
• TIS toolkit commonly available
• Cisco buys PIX (Network Translation)
• Check Point revenues cross $100m
• WatchGuard introduces first firewall appliance
Surely firewall makers have been busy since 1999?
Clear market trends
Faster
Cheaper
Smaller
• New Guard: NetScreen (Juniper), Watchguard, SonicWALL
• Old Guard: Cisco, Check Point
Clear product trends
Add VPN features
• Site-to-site
• Remote Access (?)
Add policy-based URL control
• Websense-type
Add interfaces
• No longer just inside, outside, DMZ
Incremental improvements are not very exciting
Smaller, cheaper, faster: that’s great.
VPNs, more interfaces: that’s great.
But what have you done for me lately?
To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
Proxy:
• More secure because you can look at the application data stream
• More secure because you have independent TCP stacks
Stateful PF:
• Faster to write
• Faster to adapt
• Faster to run
• Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!
(Diagram: inside network 10.1.1.0/24, firewall outside address 1.2.3.4. Proxy path: the client’s connection Src=10.1.1.99 Dst=5.6.7.8 terminates in the firewall’s process space, and the firewall’s own TCP/IP stack opens a second connection Src=1.2.3.4 Dst=5.6.7.8 to the server. Packet-filtering path: the same packet is forwarded inside the kernel and never leaves it.)
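The difference the diagram draws, as an added illustration written for this page (it is not code from the slides or from any product): a toy stateful packet filter that decides on headers and a connection table only, next to a toy proxy that terminates the client session, re-originates it from 1.2.3.4, and can refuse data that is not valid for the proxied protocol. Addresses come from the diagram; the packets, the prefix test and the `looks_like_http` check are constructed for the example.

```python
"""Added illustration (not from the slides): a toy stateful packet filter next to
a toy proxy firewall, using the addresses from the slide's diagram.
Inside network 10.1.1.0/24, firewall outside address 1.2.3.4, server 5.6.7.8.
Packets are built in memory; nothing touches the network."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.1.1."   # crude membership test for 10.1.1.0/24 (example only)
FW_OUTSIDE = "1.2.3.4"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"        # "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST
    payload: bytes = b""


class StatefulFilter:
    """Kernel-style stateful packet filter: decides on headers only and keeps a
    connection table so replies to inside-initiated sessions get through.
    The payload is never examined; anything on an allowed session passes."""

    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, p: Packet) -> str:
        if p.src.startswith(INSIDE_PREFIX):              # outbound direction
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                           # inside opens a session
                self.table.add(key)
                return "ALLOW"
            if key in self.table:
                if "R" in p.flags:                       # RST tears the session down
                    self.table.discard(key)              # (a real tracker also ages
                return "ALLOW"                           # entries and follows FINs)
            return "DROP"
        key = (p.dst, p.dport, p.src, p.sport)           # inbound: reply to state only
        if key in self.table:
            if "R" in p.flags:
                self.table.discard(key)
            return "ALLOW"
        return "DROP"                                    # unsolicited inbound


def looks_like_http(payload: bytes) -> bool:
    """Minimal protocol-conformance check a proxy can apply because it sees the
    application byte stream: a request line with a method, a target and HTTP/1.x."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0].isalpha() and parts[2] in (b"HTTP/1.0", b"HTTP/1.1")


class ProxyFirewall:
    """Process-space proxy with independent TCP stacks: the client's session ends
    at the firewall, which originates its own session to the server from 1.2.3.4
    and can refuse to relay data that is not valid for the proxied protocol."""

    def __init__(self, inspect):
        self.inspect = inspect        # application-layer check on the data stream
        self.sessions = {}            # (client_ip, client_port) -> firewall-side Packet

    def client_send(self, p: Packet):
        if not self.inspect(p.payload):
            return "REJECT-APP", None   # never reaches the outside
        out = Packet(FW_OUTSIDE, 40000 + len(self.sessions), p.dst, p.dport, "A", p.payload)
        self.sessions[(p.src, p.sport)] = out
        return "RELAY", out


if __name__ == "__main__":
    fw = StatefulFilter()
    fw.handle(Packet("10.1.1.99", 5555, "5.6.7.8", 80, "S"))
    tunnel = Packet("10.1.1.99", 5555, "5.6.7.8", 80, "A", b"\x00not HTTP at all")
    print("packet filter:", fw.handle(tunnel))                 # ALLOW: payload is opaque
    print("proxy:", ProxyFirewall(looks_like_http).client_send(tunnel)[0])  # REJECT-APP
```

The last two lines are the whole argument of the slide: once the filter has state for port 80, a tunnel carrying arbitrary bytes over that port is just "return traffic" to it, while the proxy, which must speak HTTP to relay anything, refuses the same bytes. That is also why the proxy is slower: every byte is copied up into process space and back.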
Firewall Landscape: Five years ago
IBM eNetwork, Secure Computing, Altavista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software, NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet
Stateful Packet Filtering dominates the market
(Diagram: stateful packet filtering implemented at the IP layer inside the kernel)
• Check Point, Cisco, NetScreen, SonicWALL
• Freeware-based products: Ipchains, IPF, Iptables, IPFW
• FW newcomers: Fortinet, Toshiba, Ingate, ServGate, many others
But the core argument was never disputed
Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information.
The reality is that proxy-based firewalls rarely went very far down that path.
Why? Market demand, obviously…
Firewall Evolution: What we hoped for…
• Additional granular controls on a wide variety of applications
• Intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Firewall Evolution: What we found…
• Additional granular controls on some applications, not a wide variety
• Limited intrusion detection and prevention functionality
• Centralized management systems improved, but only a bit, not vastly
• More flexible deployment options
Why? Market demand, obviously…
Additional Granular Controls focused on a few applications
Everybody loves HTTP management
• Header filtering
• File type & MIME type blocking
• Embedded data blocking (Javascript)
• Virus scanning, URL filtering
Other applications are piecemeal
• FTP
• SMTP
• VoIP
• File sharing
HTTP-oriented features served “pressure points”
Columns compared: HTTP action controls | filename & MIME type blocking | header filtering | SOAP controls | URL translation | can block within HTTP… | virus detection | URL filtering/blocking

CyberGuard: Post/Put/Delete | filename; no MIME blocking | full | basic | yes | ActiveX, Java, Javascript, VBScript, XML | yes, external server | WebSense
NetScreen: none | filename .EXE & .ZIP; no MIME blocking | no | no | no | ActiveX, Java | yes, internal or external server | WebSense plus local URL list
WatchGuard: Post | MIME blocking | limited set | no | no | ActiveX, Java, Cookies | none | WebBlocker
Secure Computing: all | filename & MIME type blocking | full | block/allow | no | ActiveX, Java, Javascript, VBScript | local scanning, 2 types (signature/heuristic) | Smartfilter and local URL list
Symantec: can block ‘upload’ only | filename blocking by extension | no | no | no | WebDAV, DCOM | local scanning | rating system and local URL list
Check Point: Get/Post/Put/Head | filename by wildcard; no MIME blocking | full | basic | yes | ActiveX, Java, Javascript, VBScript | yes, external server | OPSEC and local URL list
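What the columns of that comparison amount to in code, as an added example written for this page (it is not the slides’ or any vendor’s implementation): one HTTP-layer policy covering action (method) controls, filename and MIME type blocking, header filtering, embedded-data blocking and a local URL block list, applied to a parsed request and response. The policy values, tag list and sample traffic are constructed; the regex-based tag stripping is deliberately simple and the comment says why that matters.

```python
"""Added illustration (not the slides' or any vendor's code): the HTTP controls
the survey compares, as one application-layer policy applied to a parsed
request and response. Policy values and sample traffic are constructed."""
import re
from urllib.parse import urlsplit

POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},                      # HTTP action controls
    "blocked_extensions": {".exe", ".zip", ".vbs"},                  # filename blocking
    "blocked_mime": {"application/x-msdownload", "application/zip"},  # MIME type blocking
    "dropped_request_headers": {"via", "x-forwarded-for"},           # header filtering
    "blocked_hosts": {"badsite.example"},                            # local URL block list
    "strip_tags": ("script", "object", "applet", "embed"),           # embedded data blocking
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def check_request(raw: bytes, policy=POLICY):
    """Return ("BLOCK", reason) or ("ALLOW", headers-after-filtering)."""
    method, target, version, headers, body = parse_request(raw)
    if method not in policy["allowed_methods"]:
        return "BLOCK", f"method {method} not permitted"
    url = urlsplit(target)
    host = (headers.get("host") or url.hostname or "").lower()
    if host in policy["blocked_hosts"]:
        return "BLOCK", f"host {host} is on the local block list"
    path = url.path.lower()                     # extension test ignores the query string
    if any(path.endswith(ext) for ext in policy["blocked_extensions"]):
        return "BLOCK", f"filename extension blocked in {path}"
    kept = {k: v for k, v in headers.items() if k not in policy["dropped_request_headers"]}
    return "ALLOW", kept


def filter_response(headers: dict, body: bytes, policy=POLICY):
    """Block disallowed MIME types; strip active-content tags from HTML.
    Tag stripping by regex is illustrative only: a real product needs a proper
    HTML tokenizer, since fragments like <scr<script>ipt> defeat this pattern."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in policy["blocked_mime"]:
        return "BLOCK", b""
    if ctype == "text/html":
        text = body.decode("latin-1")
        for tag in policy["strip_tags"]:
            pattern = rf"<{tag}\b.*?</{tag}\s*>|<{tag}\b[^>]*>"
            text = re.sub(pattern, "", text, flags=re.I | re.S)
        body = text.encode("latin-1")
    return "ALLOW", body


if __name__ == "__main__":
    print(check_request(b"GET /downloads/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(filter_response({"content-type": "text/html"}, b"<p>hi</p><script>alert(1)</script>"))
```

Note what the table already hints at and this code makes explicit: the extension and tag checks are string matching, so their value depends entirely on how carefully the request and body are parsed first. Products that skip MIME blocking or only match a fixed list of extensions are leaving the easy evasions open.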
Advanced Controls are diverse across products
Protocols compared: FTP, H.323, HTTP, LDAP, NNTP, RealAudio, SIP, SMTP, POP, DNS, IMAP, Socks, SNMP, CIFS (14 columns). Number of these protocols for which each product offers advanced controls, as marked on the slide: CyberGuard 8, NetScreen 6, WatchGuard 3, Secure Computing 7, Symantec 7, Check Point 6. (Which specific protocols each mark covers is not recoverable from this copy.)
• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
Virus Scans and Policy Controls are simple, right?
No! Some firewalls insisted on having virus and/or URL scanning happen “off box”.
No! Some firewalls can’t configure where you scan for viruses.
No! Some devices don’t have virus scanning.
No! Some firewalls don’t support a local list of blocked URLs.
Conclusion: it’s not simple.
We’ve learned how to write good GUIs, haven’t we?
Not in the firewall business, we haven’t.
Additional granularity means additional thinking about resources.
Products are … disappointing.
The firewall people have a lot to learn from the SSL VPN people.
Centralized management has improved a bit
Folks who had it are doing slightly better than they were.
Folks who didn’t have it now generally have something.
We’re still missing a general policy management system for firewalls.
Many of the centralized management tools have very rough edges.
“Intrusion” is the new buzzword in security
Rate-based IPS technology
• In firewalls, means “SYN flood protection”
• May be smart (NetScreen)
• May include shunning (Secure Computing, WatchGuard, Check Point)
Content-based IPS technology
• Based on IDS-style thinking
• May have a small signature base (NetScreen, Check Point)
• May be an “IDS with the IPS bit on” (Symantec)
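The two IPS flavours the slide distinguishes, as an added example written for this page (not from the slides or any of the products named): a rate-based SYN guard with a sliding window and shunning, and a content-based guard with a small signature base that runs either as an IDS (alert only) or with “the IPS bit on” (drop). Thresholds, the signature patterns and the sample requests are constructed for the example.

```python
"""Added illustration (not from the slides or any product): the two IPS flavours
the slides distinguish. SynRateGuard is rate-based SYN-flood protection with
shunning; ContentGuard is a small signature base that can run as an IDS
(alert only) or with "the IPS bit on" (drop). Thresholds and signatures are
constructed for the example."""
import re
from collections import defaultdict, deque


class SynRateGuard:
    """Count SYNs per source in a sliding window; a source that exceeds
    max_syn within `window` seconds is shunned for `shun_seconds`."""

    def __init__(self, max_syn: int, window: float, shun_seconds: float):
        self.max_syn, self.window, self.shun_seconds = max_syn, window, shun_seconds
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shun_until = {}               # src -> time the shun expires

    def syn(self, src: str, now: float) -> str:
        until = self.shun_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"              # still shunned: no per-packet work needed
            del self.shun_until[src]       # shun expired; start counting afresh
            self.recent[src].clear()
        q = self.recent[src]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                    # evict SYNs that fell out of the window
        if len(q) > self.max_syn:
            self.shun_until[src] = now + self.shun_seconds
            q.clear()
            return "SHUN"                  # this SYN dropped and the source blacklisted
        return "ALLOW"


# Constructed signature base: three IDS-style patterns over the raw request.
SIGNATURES = [
    ("directory traversal", re.compile(rb"\.\./")),
    ("shell metacharacter in URL", re.compile(rb"^[A-Z]+ [^ ]*[;|`]")),
    ("cmd.exe request", re.compile(rb"cmd\.exe", re.I)),
]


class ContentGuard:
    """Content-based inspection: IDS-style pattern matching with a small
    signature base. mode="detect" only alerts; mode="prevent" drops."""

    def __init__(self, mode: str = "prevent", signatures=SIGNATURES):
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode, self.signatures = mode, signatures

    def inspect(self, payload: bytes):
        hits = [name for name, rx in self.signatures if rx.search(payload)]
        if not hits:
            return "ALLOW", hits
        return ("DROP" if self.mode == "prevent" else "ALERT"), hits


if __name__ == "__main__":
    guard = SynRateGuard(max_syn=3, window=1.0, shun_seconds=10)
    for t in (0.0, 0.1, 0.2, 0.3, 5.0):
        print(t, guard.syn("9.9.9.9", t))      # ALLOW x3, SHUN, DROP
    ips = ContentGuard(mode="prevent")
    print(ips.inspect(b"GET /../../etc/passwd HTTP/1.0\r\n"))   # ('DROP', ['directory traversal'])
```

Two practical caveats the slide's wording implies: a rate-based guard keyed on source address is itself a denial-of-service handle when the attacker spoofs or shares an address (shunning a NAT gateway takes out everyone behind it), and a content guard with a handful of signatures blocks only what its authors thought of, which is the difference between "IPS functionality" and a standalone IPS.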
So what’s going on in the firewall business?
Products are diverging, not converging.
Personalities of products are distinct.
IPS is a step forward, but not challenging the world of standalone products.
Rate of change of established products is slow compared to new entries.
What does this mean for me and my firewall?
Products are diverging; personalities are distinct: matching firewall to policy is hard; a change in application or policy may mean changing product!
IPS weaker than standalone; change rate slow: aggressive adoption of new features is unlikely in popular products; you need new blood to overcome product inertia.