AhnLab TrusGuard Standard Proposal
“The Best of Network Security solutions, AhnLab TrusGuard”
July, 2010
Table of Contents
Recent Trend in Security Threats
Product Overview
Special Advantages of AhnLab TrusGuard
Customer Benefits
Detailed Functions
Specifications
Main UI View
Implementation Case
Appendix.
Network Security Trend
Recent Trend in Security Threats
Recent Trend in Security Threats: Overview
The latest trend in anti-virus protection can be described as “Diversification, Complexity, Systemization.”
[Figure: attacker profile and motivation over time. Attacker: Script Kid → Professional, Organized Crime; attack motivation: pure curiosity → profit gain; attack: The Hack → The Virus → The Bot (Injection, XSS)]
• Malware (Virus, Worm, Trojan, Bot) is still a big threat.
• Complexity of SPAM + Trojan + Phishing + Pharming
• Spread of DDoS & attacks on web applications
• Limitation in patch management
• Change of target from the unspecified general public to a specified target
• Emergence of profit-motivated cyber crimes
Recent Trend in Malware
Following 2008, Trojan horses that steal internal and account information still prevail, and infection by worms, which usually spread malicious attacks on internal networks, and the emergence of new worms are increasingly reported.
• Trojan horses for stealing internal & account information still take up a large part of threats to enterprises (39%)
• Reports on infection by “spreading worms”, which severely hinder the availability of internal networks and systems, and their new variants are increasing
- Infection by worms through USB mobile storage devices is still happening
- Together with the popularization of wireless LAN, infection by worms through unauthorized PCs connecting to the internal network is increasing
[Infection by Malware Types, 2009] Trojans 39%, Virus 12%, Adware 12%, Worm 10%, Script 7%, Dropper 5%, Others 15%
[Infection by New Malware Types, 2009] Trojans 55%, Adware 27%, Downloader 7%, Worm 5%, Script 2%
Source: AhnLab ASEC Report (Dec., 2009)
Trend during a DDoS Attack (1)
The major threat in the recent network-based attack trend is DDoS.
[Incoming threat types to networks in Korea, as of Nov., 2009 (ISPs: threat trend): UDP Flooding, TCP SYN Flooding]
○ The analysis of incoming threat types to ISP networks revealed…
- UDP Flooding, a variety of DDoS attack, was the major threat.
- The most common DDoS attack, TCP SYN Flooding, is occurring consistently.
Source : KISA monthly bulletin of Internet incident trend & analysis (Nov., 2009)
[Monthly trend of infection by malicious Bots in Korea: percentage of infected PCs in Korea among worldwide PCs infected by Bot]
○ Bot is a malicious code that produces large numbers of zombie PCs used for DDoS attacks.
○ When the number of Bot-infected PCs increases, the threat of a DDoS attack also increases.
○ The infection rate by Bot in Korea has decreased greatly from 2008 (average 10% in 2008, average 1% in 2009).
Source : KISA monthly bulletin of Internet incident trend & analysis (July)
DDoS Attack Trends (2)
DDoS attacks have shifted from attacks that drain bandwidth to attacks that drain system resources and target application weaknesses.
1st stage DDoS (early to mid 2000s): Network resource draining attacks
- Network draining attacks, traffic-inducing attacks, simple attacks
• Flooding attacks
- ICMP Flood attack
- UDP Flood attack
• Amplification attacks
- Smurf attack
- Fraggle attack
2nd stage DDoS (2006 ~ 2007): TCP/Application weakness attacks
• TCP 3-way handshake attacks targeting weaknesses
- SYN Flooding attack
- ACK Flooding attack
- SYN+ACK Flooding attack
3rd stage DDoS (2008 ~): Complex / Intelligent attacks
- Complicated & intelligent attacks, carried out automatically; targets all citizens and organizations; political purposes, financial gain
• Flooding attacks + Weakness attacks
- HTTP GET Flooding
- ICMP Flooding
- TCP SYN Flooding
- UDP Flooding
DDoS Attack Trends (3)
DDoS attacks are targeting every type of business regardless of size.
Any company that uses the internet to provide services is vulnerable to DDoS attacks.
[Timeline of DDoS attacks, 2000 ~ 2010: early DDoS attacks (Amazon, eBay, Yahoo DDoS attacks); IRC Bot DDoS attacks; DDoS attacks from viruses; rapid increase in DDoS attacks (Mirae Asset); increase in money-stealing DDoS attacks]
[Recent Attacks]
○ 2009.7 : 7.7 DDoS Crisis
○ 2008.8 : Game rating board’s homepage shut down for 9 hours
○ 2008.6 : Grand National Party’s homepage shut down due to DDoS attack
○ 2008.3 : Mirae Asset’s homepage shut down for 1 hour, money demanded
○ 2007.9~10 : Game item trading site was attacked and money demanded
○ 2007.6~8 : Money demanded from travel and pension reservation sites, etc.
○ 2007.5 : Estonian government and parliament sites paralyzed for 3 weeks
○ 2007.1 : DDoS attack on domain registration proxy company
[Attack Method]
○ Omnidirectional attacks using various protocols such as TCP/ UDP/ ICMP/ HTTP
○ Flooding attacks using malicious IRC Bots are the mainstream
○ Attacks send from 500M ~ 1G (small attack) to 40~50G (large attack) of traffic to shut down systems or paralyze services
Various companies in the financial industry, the public sector, small online service companies, etc., are exposed to the threat of DDoS attacks.
Threats that exploit vulnerabilities in web applications
The most prevalent threat types in web application attacks are XSS (Cross-site Scripting) and SQL injection. They exploit vulnerabilities to leak private information, steal account privileges and alter/destroy data.
[Major threat types exploiting web vulnerabilities, 2008: SQL Injection 18.3%, XSS 13.7%, Buffer error 9.8%; other categories: Access control, Input validation error, Resource management error, Directory search, Information leakage, Others]
Source : KISA monthly bulletin of Internet incident trend & analysis (Dec., 2008)
○ SQL injection, XSS (Cross-site Scripting) and buffer error ranked 1, 2 and 3 among major web vulnerability threat types in 2008.
○ SQL injection attacks increased rapidly due to the wide distribution of automatic mass-SQL-injection tools like ‘Jeopard in a hole.’
○ The SQL injection attack type is changing…
- from stealing data inside the DB
- to infecting/spreading malicious code to connected users by deploying the malicious code inside the DB.
Diversified Attack Routes (1)
As various IT devices and applications emerge rapidly due to the advancement of Internet business, the client’s system is becoming overexposed to numerous attack routes.
[Figure: attack routes to the client’s system: file download, wireless, vulnerabilities in OS and commercial programs, mobile storage devices, P2P programs, instant messaging programs, Internet surfing]
Diversified Attack Routes (2)
Among the attack routes of viruses and worms in Korean companies with 5 or more employees, “infection through downloading from the Internet” ranked highest with a rate of 85.0%.
By industry, manufacturing (89.1%), wholesale (87.7%) and construction (87.6%) showed relatively higher rates of “infection through downloading from the Internet”, and even in banking and insurance the rate was 80.8%.
[Chart: attack routes of viruses and worms. Categories: Download from Internet (85.0%), By visiting certain websites, Shared folder/internal networks, Storage devices (CD, USB, etc.), By external hacking, Others; remaining values shown in the chart: 54.5%, 50.8%, 42.4%, 34.1%, 17.5%, 2.4%]
Source : Survey on information security in enterprises, 2008
Indeed, downloading of spreading worms and zombie malware during web surfing is rapidly increasing.
Network Security Trend
Performance & Scalability, All at Once!!
Technology in network security appliances is progressing toward the multi-core based, high-performance platform.
Single-core based hardware
• Pentium or Xeon base
• Low-end H/W platform
• Limited performance
Network Processor / ASIC
• Specialized chipset base
• Exclusive packet-handling processor
• High-performance packet handling & delivery
• Difficult to add functions
- Customization not allowed.
- Difficulty in time-to-market
Multi-core based hardware
• Multi-core processor base
• High-end H/W platform
• Linear performance enhancement when an additional core is added.
• Easy to add functions & excellent at combating fast-changing security threats.
From Single-Purpose to Integrated Multi-Purpose…
With the rapid advance in H/W technology and the tendency toward Green IT, “integration of practical security functions” is the new direction in network security appliances.
Single-purpose (~ mid 2000s)
• Firewall only, VPN only approach
• Low-end H/W environment
- Limited performance
Combined functions (mid 2000s ~ current)
• Integrated Security
- Combination of functions
• Firewall+VPN+IPS+AV+AS
• High-end H/W
- Overcoming performance limitation of multi-functions
• Lack of elaborate functions
Practical integration (2010 ~)
• Green IT in Security
• Overcoming performance limitations
- Advance of multi-core H/W
- 16 cores to 32 cores or more
- Continuous expansion of performance
• Elaborate functions enabled.
- Integration of Firewall & IPS
Product Overview
Product Overview
AhnLab TrusGuard is an “Integrated Network Security System” that combines “Firewall/VPN-based, high-performance network security” with strong “Security Threat Response Technology.”
Network security functions
Firewall/ Networking
- Stateful inspection filtering
- Route/Transparent mode
- Dynamic routing/ QoS function
- IPv6 support (as of 5.2010.)
VPN
- SSL VPN function
- IPSec VPN function (G-to-G, G-to-C VPN)
DDoS defense
- Equipped with an exclusive engine for DDoS defense
- 6-phase response
- Protection against attacks of various types (Flooding, draining of application)
I(D)PS
- Signature-based detection & prevention of attacks
- Behavior-based detection & prevention of attacks
- More than 6 thousand rules for detecting attacks
- 3-phase mechanism for preventing attacks
- NAC function (synched with end-point V3)
Contents security functions
Anti-Virus
- Prevention of intrusion by virus, worm, spyware, phishing, etc.
- Supports HTTP/SMTP/POP3/FTP
- Equipped with V3 engine.
- 365*24 ASEC service/ CDN
Anti-Spam/ Web Filtering
- Black list-based spam filtering
- Spam engine-based filtering
- Keyword-based filtering
- Spam quarantine & storing
- Access filtering of harmful sites
Integrated management
- Log analysis & real-time display
- Correlation analysis of threat data
- 50 types of security analysis reports
- Integrated policy management of many appliances
Special Advantages of AhnLab TrusGuard
TrusGuard Features: Overview
AhnLab TrusGuard distinguishes itself by creating synergies from an organic combination of “high-performance, high-quality network security technology” with “proactive, comprehensive integrated security technology.”
Network Security: High Performance & Flexibility
• High-performance platform & optimized design for multi-core
• Flexible network security (IPv4 & IPv6)
• Flexible VPN with enhanced security
• High-quality firewall technology
Integrated Security: Proactive & Comprehensive
• Security response to ‘zero-day & emergent’ attacks
• Specialized DDoS engine (overseas patent-pending)
• V3-synched NAC function
• Competitive IPS function
• Powerful anti-virus/ anti-spam
• Prevents zombie malicious codes by linking with ACCESS.
• No.1 security response technology
• Largest security response infra.
Management: Simple & Graphical
• Intuitive & graphical information display
• Embedded, real-time monitoring information
• External log server/ manager
* ACCESS (AhnLab Cloud Computing E-Security System)
- A centralized, real-time threat monitoring & analysis system based on cloud-computing technology
TrusGuard Features – High-Quality Firewall
TrusGuard is based on elaborate and reliable high-quality firewall technology.
The design of TrusGuard is based on “Suhoshin Absolute”, the best firewall solution in Korea. “Suhoshin Absolute” was the first commercial firewall in Korea and it has proven its technical reliability and performance in the market by acquiring more than 3,000 client references during the last 10 years.
Stateful Inspection
• Provides independent performance regardless of the number of rules.
• Based on black list/ white list.
High Availability
• Fail-over function (Active-Active, Active-Standby)
• Can back up without a separate L4 switch (Session/ Rule synch)
• Full-mesh structure
Port Aggregation
• Uses 2 or more physical ports as a single logical port.
• Can process traffic equal to Bandwidth * No. of port(s).
• Handles large traffic easily and provides fail-over function among ports.
Quality of Service
• Can set/limit maximum traffic volume when setting security policy.
• QoS setting can be established by policies/IPs/ports.
• Supports policy-based & schedule-based QoS.
Routing
• Static/Dynamic routing (RIP, RIPv2, OSPF)
• Supports multicasting / source routing.
NAT
• Static (1:1)/ Dynamic NAT (1:N, M:N), Twice NAT
• Excluded NAT, NAT Traversal, Load-Sharing NAT
VoIP support
• Supports SIP, H.323 communication.
Authentication
• Internal OTP, External RADIUS synch
Others
• Supports 802.1Q VLAN.
• Supports DHCP server & DHCP relay.
[Figure: HA setting (Active-Active, Active-Standby) between the Internet and the server farm]
TrusGuard Features – High-Performance
TrusGuard is based on a high-performance hardware platform and an S/W architecture design optimized for the specific platform.
To achieve high performance when running multiple functions, every model of TrusGuard (except the SOHO model) is configured with a multi-core platform and optimized architecture design.
[Figure: AhnLab TrusGuard distributing Firewall, VPN, IPS/DDoS, Anti-Virus and Anti-Spam across Core 1 ~ Core 4]
○ Optimal distribution technology of packets to multi-core applied.
○ When running a single function, the multi-core utilization provides the “maximum performance.”
○ Multi-core platform in all models (TrusGuard 50 excluded.)
○ When running multiple functions, the multi-core utilization provides the “optimal performance.”
※ Throughput Test Result
- Throughput (1024 byte), firewall only: 6G
- Throughput (1024 byte), simultaneous running of firewall & IPS (Signature 6,000 on): 2G
- Test condition: performance value of TrusGuard 1000 model with 6 ports
* Performance test condition
- Used IXIA test equipment.
- Used GET Request 10K, 1G * 6 ports.
* The above performance can vary depending on the client’s individual network environment.
TrusGuard Features – IPSec VPN
With TrusGuard, you can establish a VPN network with enhanced security response capability between HQ and branch and between PC and office.
Using IPSec VPN as the default function, TrusGuard provides a secure way of communicating through the public network. Also, when the firewall/IPS function is synched for traffic inside the VPN tunnel, it can prevent the internal spread of malicious codes.
[Figure: IPSec VPN tunnels from HQ to branch and to remote connections; SSL VPN connection; high-performance VPN communication through hardware acceleration]
Support for IPSec standard
• Supports tunnel mode, ESP, AH, ESP+AH.
• Can be synched with IPSec standard products.
• Supports encryption algorithms like 3DES, AES, SEED, ARIA.
• IKEv1, IKEv2, manual support
• Supports hub & spoke, star, mesh structure.
NAT Traversal
• Supports IPSec in NAT environments that use private IPs.
Dual Line
• Supports VPN Line Take Over via ADSL (2 lines or more)
DPD
• Real-time automatic transfer by detecting host status
Firewall/ IPS synch
• Firewall/IPS policy can be synched for VPN packets.
- Prevents spread of malware through the VPN tunnel.
Bypass of other IPSec packets
• Can bypass IPSec packets for other appliances.
- Provides flexible response for enterprises that use various security appliances.
Scalability
• Supports synch with L4 for expanded throughput.
• Supports bridge over IPSec.
VPN Accelerator
• Provides high-performance VPN through the equipped hardware accelerator. (TrusGuard 1000 model)
Other functions
• Supports split tunnel function.
• Prevents replay attack.
• Standard PKI synchronization (X.509)
TrusGuard Features – SSL VPN
TrusGuard provides a flexible VPN network with enhanced security that meets the client’s environment.
TrusGuard allows the flexible setup of a VPN network as both IPSec VPN and SSL VPN are supported in the same appliance.
- When connecting SSL VPN, AhnLab Online Security (PC firewall/ Anti-Key logger Program) is automatically installed, then the security status of the connected PC is checked to strengthen the internal security of the enterprise.
TrusGuard effectively prevents the spread of worm/Bot infection from the branch to the HQ system through the powerful IPS-synch function.
[Figure: TrusGuard between the Internet, the DMZ/server farm and the backbone network of a university department network (Departments A, B, C); SSL VPN tunnel with AhnLab Online Security installation; IPSec VPN tunnel from Branch Z with malicious traffic in the VPN tunnel]
TrusGuard Features – IPv6 (to be provided in May, 2010)
TrusGuard supports IPv4 & IPv6 dual-stack security settings in real network environments.
TrusGuard provides full security for various network environments where IPv6 is applied.
[Figure: TrusGuard at HQ connecting an IPv6 network and IPv6 web server to the IPv4 Internet by tunneling over IPv4, alongside the server farm and another IPv6 network]
TrusGuard IPv6 packet filtering algorithm
- Fully supports many IPv6-related routing/transitions.
- Fully supports both IPv6 & IPv4 combined networks.
IPv6
- Stateful Inspection
- Transition technology (tunneling, translation)
- IPv4 & IPv6 dual-stack support
- NAT & Logging
- DHCPv6, RA
- IPv6 routing (RIPv6, OSPFv6)
TrusGuard Features – Integrated Security Infrastructure
TrusGuard can “create/maintain/deliver” differentiated security response contents.
The core competence of TrusGuard lies in the security infrastructure, like ASEC/CERT/ACCESS, that provides an effective response to increasingly diverse and malignant security threats.
ASEC
• Malware collection & analysis of trends
• Analysis of NW attack trend
• Proactive prevention
• Writing/Distribution of signatures
CERT
• No. 1 managed security provider in Korea
• Provides managed security service to major clients.
• Real-time response to NW attacks
ACCESS (AhnLab Cloud Computing E-Security System)
“A centralized, real-time threat monitoring & analysis system based on cloud-computing technology”
Collaboration: acquire & respond to real-time attack/threat information.
Zero-Day Attack Prevention
• Prevention through vulnerability estimation.
- Pre-distribution of signatures for predicted ‘vulnerability attacks.’
• Microsoft MAPP Partnership
- A program for pre-sharing security patch info.
Outbreak Prevention
• Early prevention of malicious codes/attacks
- Distributes signatures for preventing early spreading.
Up-to-date & Accurate
• 2~3 signature updates per day
- Maintains up-to-date signatures.
• Collaboration with internal CERT (Managed Security Center)
- Can detect & respond to real-time attacks occurring at the client’s sites.
• 24*7*365 support
- When an emergency arises, rapid response is provided.
* ASEC : AhnLab Security E-response Center * CERT : Computer Emergency Response Center
TrusGuard Features – Integrated Security Infrastructure
TrusGuard can “create/maintain/deliver” differentiated security response contents.
TrusGuard, using its 3-phase defense system for various security threats, can provide powerful protection against zero-day attacks and emergent attacks to your system.
[3-Phase Defense Mechanism]
Phase 1 : Pattern estimation and distribution of the prevention policy
Phase 2 : Distribution of the early-prevention policy
Phase 3 : Distribution of the prevention policy for network worm
[Figure: timeline with the labels Vulnerability reported, Sample collected, Attack emerged, IPS signature distributed, AST & CDN service; Zero-day Prevention / Outbreak Prevention]
[Zero-day Attack Prevention Examples]
Example #1. Attack on IE memory corruption vulnerability
2009/02/10 : Vulnerability reported.
2009/02/10 : TrusGuard signature for the estimated attack was distributed.
2009/02/11 : Microsoft announced the security patch.
2009/02/18 : Public disclosure of the executable attack code.
Example #2. Microsoft Access ActiveX remote exploit
2008/07/18 : First discovery of the vulnerability (Chinese community website)
2008/10/23 : TrusGuard signature for the estimated attack was distributed.
2008/10/28 : A website that spreads the malicious code exploiting the vulnerability was sighted.
Example #3. Attack on server service vulnerability (RPC vulnerability attack)
2008/10/23 : MMPC reported the emergence of a worm.
2008/10/23 : MS announced the emergency security patch.
2008/10/23 : TrusGuard signature was distributed.
TrusGuard Features - IPS
TrusGuard is very powerful in combating various vulnerability attacks and malicious codes.
TrusGuard possesses more than 6,000 security response rules, the largest of any IPS worldwide, and, through ASEC, provides 24*365 monitoring/analysis service, daily 2~3 update service and emergency response service.
TrusGuard IPS function
• World’s largest security response signature set (6,000)
• 2~3 signature updates per day
- Up-to-date & accurate signatures
- Reliable update environment through CDN
• Prevention of various network-based attacks/malware
- Please refer to the IPS response list below.
• MAPP partnership with Microsoft
• Real-time monitoring/analysis system for various security threats
TrusGuard IPS – rules that are internally monitored/written:
▶ Prevention of vulnerability attacks ◀
• Application vulnerability
- OS/ IE/ ARP Spoofing, etc.
- Shell Code
• Web vulnerability (OWASP vulnerability)
- SQL injection, XSS vulnerability, etc.
- CGI/ IIS/ MISC vulnerability, etc.
▶ Prevention of network-based attacks ◀
• Scanning attack
• NetBios/ RPC attack
• DoS attack/ Backdoor
• P2P/ Instant messaging
• Protocol anomaly
• Others
▶ Blocking of malware source ◀
• Web monitoring system
• Use of SiteGuard DB
• Operation of active honey pot
▶ Prevention of malware attacks ◀
• Worm
• Bot/ BotNet
• Trojan
• Spyware/ Downloader
• Mass mailer
• Dropper
[Figure: ASEC systems feeding the IPS rules: analysis of VRS vulnerability, BotNet management system, WebMon system, DDoS monitoring system, managed security service, intrusion log analysis system]
TrusGuard Features – Prevention of Web/Application Vulnerability Attacks
TrusGuard provides superb protection against ever-increasing attacks that exploit web & application vulnerabilities.
TrusGuard provides a phased defense mechanism against popular web attacks like SQL Injection, XSS (Cross-Site Scripting), etc.
TrusGuard is equipped with signatures that effectively protect against the 10 vulnerability attacks on web applications selected by OWASP, and these signatures are updated 2~3 times per day through ASEC.
[Phased response mechanism against web vulnerability attack]
Prevention 1 : Prevent vulnerability attack on web server.
• Prevents attacks that exploit vulnerabilities in the web server like SQL/ PHP Injection, XSS, CSRF, etc.
Prevention 2 : Block access to the server in malware passing point.
• Blocks access to the malware passing point server by internal client PCs.
Prevention 3 : Block access to the server in malware spreading point.
• Prevents access to the server in malware spreading points by internal client PCs.
Prevention 4 : Block downloading of the vulnerability attack code.
• If connected to the server in spreading points, TrusGuard blocks the downloading of the vulnerability attack code to the internal client PCs.
[Example of phased prevention of web vulnerability attack: attacker → attack target web server (Vulnerability #1, #2, #3 … #n) → redirection to the passing point → spreading point server → infection of internal client PCs, with TrusGuard applying Prevent 1 ~ Prevent 4 along this chain]
* ASEC (AhnLab Security E-response Center) : A specialized unit in AhnLab that provides monitoring/analysis of malware/attacks, response service and signature writing.
TrusGuard Features – Detection/Block of Zombie Malware
TrusGuard detects zombie malware and prevents the infection and spread of zombie malware.
TrusGuard not only prevents DDoS using Bots but prevents the infection of internal PCs by Bots as well. Also, even if internal PCs are infected by a Bot, TrusGuard protects the client’s network by performing various operations to prevent the running of the Bot.
[Figure: BotNet lifecycle and TrusGuard controls: block malware spreading point; block spreading of Bot; prevent malware attack; prevent vulnerability attack; block/prevent internal infection by Bot; block C&C communication; block/prevent external spreading of Bot]
TrusGuard Features – ACCESS-synched Removal of Zombie Malware
TrusGuard provides real-time detection/prevention of active zombie malware (Bot) through synch with the ACCESS system, which is based on cloud-computing technology.
The ACCESS-based DDoS monitoring system is AhnLab’s unique monitoring and analysis system for zombie malware. With information gathered from 10 million sensors for detecting zombie malware, it provides real-time analysis & response service.
[Figure: Threat Info-Gathering System collecting program info, reputation system, file activity trend, behavior-based activity, relations among files and malware distribution route; results applied to the enterprise TrusGuard to block zombie malware and prevent the spreading of zombie PCs]
① Detects abnormal network behavior of a certain file.
② Monitoring of the same behavior
③ Real-time analysis
④ Apply the analysis result in real time.
TrusGuard Features – ACCESS-synched Prevention of Zombie Malware
TrusGuard provides real-time detection/prevention of active zombie malware (Bot) through synching with our ACCESS system based on cloud-computing technology.
[Figure: sensors report Bot malware files and Bot malware activity info to ACCESS (DDoS Monitoring System) and ASEC; the DDoS monitoring system’s results are applied to TrusGuard]
• Prevention of zombie malware
- Provides block signature for accessing the server in spreading point.
- Provides block signature for accessing C&C server.
- Provides block signature for infection/downloading of zombie malware.
- Provides block signature for synched update among malwares.
TrusGuard Features - NAC
TrusGuard provides NAC function through synching with end-point security solutions.
TrusGuard is synchronized with V3, an anti-virus product by the same company, to…
① prevent access by PCs without the APC Agent that performs ‘V3 installation & up-to-date V3 update.’
② quarantine infected PCs from the internal network and perform automatic repair (when using IPS license).
[Figure: headquarters with TrusGuard 1000 (DMZ, server farm) and TrusGuard 500 (core network, distribution network), and a branch with TrusGuard 100 over a VPN tunnel; V3 on each PC; ① network access control & redirection of a PC without APC agent to the APC agent installation page; ② PC quarantine & automatic repair]
Through this, TrusGuard prevents infected PCs from spreading to internal networks and, above all, it strongly blocks the activity of zombie malware through synch with the DDoS monitoring system.
TrusGuard Feature – Defense against DDoS Attack
TrusGuard provides strong protection from DDoS attacks, a major type of network attack.
TrusGuard is equipped with a special DDoS defense engine that is delicately phased and currently overseas patent-pending (overseas patent No. 2007-114875).
1st Phase : Runs DDoS detection engine.
- When a certain session threshold is reached, it is judged as a DDoS attack.
2nd Phase : Runs anti-spoofing protection.
- Under attack, filters spoofed packets by responding virtually to TCP connection attempts.
3rd Phase : Runs dynamic protection.
- Under attack, a rate limit is applied to packets judged to be attacks after real-time packet analysis.
4th Phase : Runs segment protection.
- Self-learns session statistics on connections per source IP segment during normal time.
- Under attack, blocks an IP segment with abnormal session connections after deciding it is an attack.
5th Phase : Runs HTTP BotNet protection.
- Blocks large volumes of HTTP BotNet attacks that occur after the TCP session is connected.
* Financial Supervisory Service (FSS): Korea’s government agency which monitors and audits all financial institutions operating in Korea, and imposes sanctions against those which violate the financial regulations of the nation.
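The 1st and 4th phases above (a session threshold that switches the engine into attack state, and per-source-segment session baselines learned in normal time) can be modelled as a small defender-side detector. This is an added example, not TrusGuard code; the /24 segment size, the thresholds and the sample source addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network
from math import sqrt
from typing import Dict, Iterable, List


def segment_of(ip: str, prefix_len: int = 24) -> str:
    """Map a source IP to its segment, e.g. 203.0.113.7 -> 203.0.113.0/24 (assumed /24)."""
    return str(ip_network(f"{ip}/{prefix_len}", strict=False))


@dataclass
class Baseline:
    """Running mean/variance (Welford) of new sessions per interval for one segment."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stdev(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class SegmentDefender:
    """Phase 1 (global session threshold) plus Phase 4 (per-segment baselines)."""

    def __init__(self, attack_threshold: int, k: float = 3.0, min_floor: int = 50):
        self.attack_threshold = attack_threshold  # new sessions per interval that mean "under attack"
        self.k = k                                # standard deviations above normal counted as abnormal
        self.min_floor = min_floor                # never block a segment below this many sessions
        self.baselines: Dict[str, Baseline] = {}

    @staticmethod
    def count_by_segment(src_ips: Iterable[str]) -> Counter:
        return Counter(segment_of(ip) for ip in src_ips)

    def learn(self, src_ips: Iterable[str]) -> None:
        """Normal time: fold one interval's new-session sources into the baselines."""
        for seg, cnt in self.count_by_segment(src_ips).items():
            self.baselines.setdefault(seg, Baseline()).update(cnt)

    def block_limit(self, seg: str) -> float:
        """Sessions per interval above which a segment is treated as attacking."""
        b = self.baselines.get(seg)
        if b is None:  # never seen in normal time: only the floor protects it
            return float(self.min_floor)
        return max(b.mean + self.k * b.stdev(), float(self.min_floor))

    def evaluate(self, src_ips: Iterable[str]) -> dict:
        """One interval under inspection: attack state first, then segment verdicts."""
        counts = self.count_by_segment(src_ips)
        total = sum(counts.values())
        under_attack = total >= self.attack_threshold
        blocked: List[str] = []
        if under_attack:  # segment blocking is only armed while the engine is in attack state
            blocked = sorted(seg for seg, cnt in counts.items()
                             if cnt > self.block_limit(seg))
        return {"total": total, "under_attack": under_attack, "blocked": blocked}


def _sources(prefix: str, n: int) -> List[str]:
    """Constructed sample: n new sessions from hosts in the /24 given by prefix."""
    return [f"{prefix}.{(i % 254) + 1}" for i in range(n)]


def demo() -> dict:
    d = SegmentDefender(attack_threshold=1000)
    # Five normal intervals: a branch (~30 sessions), a partner (~10), ordinary visitors (~5).
    for branch, partner, visitors in [(28, 9, 5), (31, 11, 6), (30, 10, 4), (29, 10, 5), (32, 10, 5)]:
        d.learn(_sources("10.0.1", branch) + _sources("10.0.2", partner)
                + _sources("203.0.113", visitors))
    # Quiet interval: below the global threshold, so nothing is blocked.
    quiet = d.evaluate(_sources("10.0.1", 33) + _sources("203.0.113", 4))
    # Flood: the visitor segment and a never-seen segment explode while the branch stays normal.
    flood = d.evaluate(_sources("10.0.1", 35) + _sources("203.0.113", 900)
                       + _sources("198.51.100", 400))
    return {"quiet": quiet, "flood": flood}


if __name__ == "__main__":
    print(demo())
```

The floor keeps a low-volume segment with a tight baseline (the branch at 35 sessions against a mean of 30) from being blocked on a small deviation, which is the false-positive case a segment-level block must avoid.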
TrusGuard Feature – Defense against DDoS Attack
TrusGuard provides strong protection from DDoS attacks, a major type of network attack.
TrusGuard is equipped with protection functions against DDoS attacks of various sorts, as in the list below.
Inbound DDoS Attack (prevention type: filtering by the special DDoS engine)
TCP Flooding Attack
• TCP SYN Flooding
• TCP SYN Flooding Spoofing
• TCP ACK Flooding
• TCP ACK Flooding Spoofing
• TCP NULL Flooding
• TCP NULL Flooding Spoofing
• SYN-ACK Flooding
• RST Flooding
• IP Random Fragment Flag
UDP Flooding Attack
• UDP Flooding
• UDP Flooding Spoofing
• IP Random Fragment Flag
ICMP Flooding Attack
• ICMP Echo Flooding
• ICMP Echo Flooding (Spoofing)
• ICMP Echo Reply Flooding
• ICMP Echo Reply Flooding (Spoofing)
HTTP Attack
• BotNet Attack
• CC (Cache-Control) Attack
Other Attacks
• Confuse TCP/UDP/ICMP Flooding
• Confuse TCP/UDP/ICMP Flooding Spoofing
Outbound DDoS Attack (prevention type: IPS signature-based filtering)
Internal zombie PCs
• Download zombie program from malware-spreading websites
External attack by internal PCs
• Attack on external target servers by internal zombie PCs
Preventable attack patterns are constantly updated by AhnLab ASEC & the DDoS Special Unit.
TrusGuard Features – Anti-Virus
TrusGuard uses the V3 engine, which is proven worldwide for its superiority in virus filtering.
TrusGuard fully blocks the intrusion of malware into the internal network by utilizing 20 years of virus analysis technology and the DB of V3.
TrusGuard has a powerful advantage in preventing malware that changes in real time because it uses a proprietary internal AV engine.
V3 is an internationally acclaimed anti-virus engine which has won several international certificates like ‘VB 100’ and ‘Check Mark.’
[Figure: V3 engine updates (Regular/Frequent/Emergency) delivered from AhnLab ASEC via CDN over the Internet; virus/malware blocked at TrusGuard]
TrusGuard Features – Anti-Spam
TrusGuard uses a powerful, world-class spam engine for spam filtering.
TrusGuard uses a Global Anti-Spam Engine that is used by more than 100 customers worldwide.
TrusGuard features a superb spam filtering rate of 97% and a very small false-positive rate of 1 in 1.5 million.
TrusGuard also provides a preemptive filtering function against “unknown viruses” that are distributed via E-mail.
Spam Detection Engine
• Detection of spam from 130 nations
- Distribution Pattern Base
- Structure Pattern Base
• Detects spam mail: “97% spam filtering rate”, “False-positive rate of 1 in 1.5 million”
• Detects E-mail virus outbreaks.
• Powerful spam filtering
• Preemptive filtering of unknown E-mail viruses
TrusGuard Feature – Total Web Access Filtering
TrusGuard can prevent intrusion by malware into the internal network through blocking access not only to non-work-related websites but to malware distribution sites/phishing sites as well. (to be provided in May, 2010.)
TrusGuard is equipped with its own DB of malware distribution sites, which have become major sources of malware distribution. This DB is updated in real time to provide up-to-date protection.
[Figure: TrusGuard between the Internet and the DMZ/server farm, synched with the non-work-related sites DB and the SiteGuard DB]
- Blocks access to non-work-related websites.
- Blocks access to malware distribution URLs.
- Blocks access to phishing sites.
* TrusGuard-SiteGuard synch service is planned to be provided in May, 2010.
Special Advantages of AhnLab TrusGuard UTM - Log Server
12. Analysis, monitoring and reporting of various security threat events should be available.
TrusGuard UTM provides detection, prevention and analysis of security events from the firewall, IPS, anti-virus and anti-spam modules through a "single interface."
[Diagram: firewall log, VPN log, anti-spam log, anti-virus log and IPS log are collected by the UTM Log Server.]
[UTM Log Server functions]
• Log collection/storage
• Security threat analysis and graphical display
• 50 types of security report
- User-defined integrated report configuration
▪ Real-time monitoring
- Real-time display of attacks
- Top 10 information: by user, attack type or service type
- Real-time session monitoring
▪ Various analysis tools
- Attack pattern and trend analysis
- Tracing details through monitoring UIs (drill-down)
- Event IP monitoring
▪ Administrator alerting
- Threshold setting and event alerting (e-mail)
[Log Server UI sample: screenshot not reproduced]
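The "Top 10" views, drill-down and threshold alerting listed above are the core of what a UTM log server does with the module logs it collects. The following Python block is an added example written for this page, not AhnLab's code: it parses constructed sample log lines in a hypothetical key=value layout (TrusGuard's real log format is not shown in this document), builds a Top-N view, raises an alert when one source reaches a threshold of IPS blocks inside a sliding window, and drills down into one source's events.

```python
"""Added example (not AhnLab's code): aggregate constructed UTM log lines
into Top-N views, sliding-window threshold alerts and drill-down queries."""
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2010-07-01T09:00:01 module=ips action=block src=203.0.113.7 dst=10.0.0.5 attack=sql_injection sev=high
2010-07-01T09:00:02 module=fw action=deny src=198.51.100.3 dst=10.0.0.5 service=tcp/445
2010-07-01T09:00:03 module=ips action=block src=203.0.113.7 dst=10.0.0.5 attack=xss sev=medium
2010-07-01T09:00:04 module=av action=block src=10.0.1.20 dst=198.51.100.9 attack=win32_trojan sev=high
2010-07-01T09:00:05 module=ips action=block src=203.0.113.7 dst=10.0.0.6 attack=sql_injection sev=high
2010-07-01T09:00:30 module=ips action=block src=203.0.113.7 dst=10.0.0.5 attack=sql_injection sev=high
2010-07-01T09:02:10 module=spam action=block src=192.0.2.44 dst=10.0.0.25 attack=spam sev=low
2010-07-01T09:02:11 module=ips action=block src=198.51.100.3 dst=10.0.0.5 attack=scan sev=low
"""


def parse_log(text):
    """Parse each line into a dict; 'ts' becomes a datetime, the rest stay strings."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in rest.split():
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def top_n(events, key, n=10):
    """'Top 10' view: the most frequent values of one field (by user, attack type...)."""
    return Counter(ev[key] for ev in events if key in ev).most_common(n)


def threshold_alerts(events, module, window_s, threshold):
    """Administrator alerting: one alert per source that reaches `threshold`
    events of `module` within any `window_s`-second sliding window."""
    windows = defaultdict(deque)   # src -> timestamps inside the current window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("module") != module:
            continue
        src = ev["src"]
        q = windows[src]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                      # expire events older than the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "at": ev["ts"]})
    return alerts


def drill_down(events, **match):
    """Drill-down: every event whose fields equal all of the given values."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in match.items())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("top attacks:", top_n(evs, "attack", 3))
    print("alerts:", threshold_alerts(evs, "ips", window_s=60, threshold=3))
    print("drill-down:", len(drill_down(evs, src="203.0.113.7", dst="10.0.0.5")), "events")
```

The window is a deque per source, so memory is bounded by the event rate times the window, and a source alerts once rather than on every subsequent event; a real log server would also group by destination and attack type, which the same Counter call provides by changing the key.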
TrusGuard Features – AhnLab TrusGuard Manager
TrusGuard provides a management tool for efficient control of many appliances.
TrusGuard Manager is a management tool for controlling many TrusGuard appliances. Chief among its advantages are a "user-oriented, simple and dynamic UI" and "powerful monitoring of the managed appliances."
Powerful monitoring
○ Powerful monitoring environment
- System status information of all managed appliances
- Network usage status of all managed appliances
- Interface error status of the managed appliances
- Health check of the managed appliances
- VPN connection status of the managed appliances
Simple policy setting/management
○ Integrated policy profiling technique
○ Easy setting of IPSec VPN
○ Drag & drop group configuration
Many value-added functions
○ LogServer single sign-on
○ Supports DB2 (freeware version)
○ AST synch function (* to be provided by end of 2009)
Specialized visualization
○ Differentiated look & feel
○ Dynamic & simple UI
○ User-oriented, shallow menu structure
○ Graphical monitoring
TrusGuard Features - Manager
TrusGuard provides a management tool for efficient control of many appliances.
[Screenshot: Manager overview – real-time monitoring of all managed appliances]
Customer Benefits
Customer Benefits
1. You can build a reliable and flexible high-performance network security environment.
[Diagram: ① firewall at the Internet edge, ② VPN links between sites, ③ zombie PC detection in the internal network]
① Reliable and flexible high-performance firewall
- HA can be configured without L4 equipment (Active-Active, Active-Standby).
- HA can be controlled separately for a VLAN trunking port and a VLAN port.
② Flexible VPN with enhanced security
- Prevents intrusion by malware into internal networks by strengthening the network perimeter security among branches (with the IPS/AV functions enabled).
- Effectively prevents internally infected malware such as worms and bots from spreading to the entire internal network through the VPN:
. Filtering by synching with IPS/AV
. NAC by synching with V3
- IPSec VPN and SSL VPN can be mixed to meet the customer's environment.
③ Detection of zombie PCs & prevention of malware spread
- Systems and know-how to detect and analyze malware:
. BotNet information management system / WebMon system
. DDoS monitoring system (with 1 million sensors)
- Detects and prevents the spread of zombie malware in real time.
- NAC by synching with V3
Customer Benefits
2. The spread of malware to the entire network can be prevented by detecting and blocking malware/bots.
• "Enhancing the security of branch VPN traffic" flowing into HQ via VPN
- Security policy is applied to VPN traffic flowing from branches to HQ, in synch with the IPS.
- Prevention of threats in branches: prevents infection by worms/viruses.
- Prevention of branch-infected malware from spreading to HQ and attacking server systems.
• "Prevention of malware spreading among distribution networks" in HQ
- By deploying TrusGuard in front of each network segment, internal spread and external attack by worms/zombies can be prevented.
[Diagram: Headquarters with an Internet-facing TrusGuard 1000 in front of the DMZ and server farm, a core network, distribution-network segments protected by TrusGuard 400/500, branches with TrusGuard 100 connected over VPN, and AST for updates; labels ①-③ mark the three protection points above.]
Customer Benefits
3. You can build a network environment that is free from external security threats.
[Diagram: Internet threats (worm, bot, DDoS, Trojan, spyware, virus, phishing, unauthorized users, data sniffing, web vulnerabilities, OS/IE vulnerabilities) facing TrusGuard at the HQ edge, with branch and remote sites connected by VPN.]
• Security threats are becoming "complicated, varied and intelligent."
• A general firewall/VPN provides "access control / anti-data-sniffing" functions only.
• AhnLab TrusGuard provides a clean network environment through:
"firewall function based on stateful inspection"
"IPS & AV functions for protection against external attacks"
"IPSec/SSL VPN functions for safe communication with branches or remote offices."
Customer Benefits
1. Establishment of a network environment free from external security threats is possible. (Continued)
• A three-phased blocking method protects the network from "unknown network attacks."
• 24x7 updates of blocking rules and signatures through ASEC* protect against the "latest attacks."
[Diagram: the AhnLab AST server, ASEC and the AhnLab CDN service distribute signature updates over the KT, DACOM and Hanaro 1/2 Center networks to customer TrusGuards.]
* ASEC (AhnLab Security E-response Center)
[Three-phased blocking]
Phase 1: Predictive prevention rules distributed before a worm appears
- Distribution of predictive prevention rules for potential worms and attacks based on OS vulnerability analysis.
- Proactive measures against variable worm patterns.
Phase 2: Initial-spread blocking rule
- Application of the e-mail filtering rule during the initial spread of a worm.
Phase 3: Signature update through sample analysis
- Sample collection and application of the signature written by ASEC.
ASEC's rich experience in dealing with malicious code for the past 18 years ensures real-time monitoring and analysis of worms and viruses worldwide, and provides accurate and prompt signature updates.
Customer Benefits
2. Reduction of Total Cost of Operation (TCO)
[Point solutions] Multi-vendor solutions of different service levels: Firewall/VPN, IPS/IDS, Anti-Spam, Viruswall, Web Filtering
Point solution risks
• High cost of adopting the solutions
• Troubleshooting issues
• Difficulty securing the necessary operations workforce
TrusGuard benefits
• All in one box: "with the cost of a firewall, IPS and virus/spam solutions can be built."
• Simple maintenance: easy troubleshooting; service continuity can be guaranteed with the bypass function.
• Efficient manpower allocation: staff can be used not only for security but also for other operations; greater productivity.
Customer Benefits
3. Removal of garbage traffic increases productivity and network efficiency.
[Firewall only]
- Traffic mix: work traffic, web surfing, P2P, spam, malicious code, messenger, harmful sites (securities/gambling)
• Traffic filtering unavailable
• Wide-spread garbage traffic
• Compromised network resource efficiency
[After adopting TrusGuard UTM]
- Traffic mix: work traffic and web surfing only
• Control by traffic type
- Spam blocking
- P2P / messenger control
- Harmful site access control
- Malicious code prevention
• Network cost reduction through traffic optimization
• Greater concentration and productivity
Implementation Case
Implementation Case: 00 City Hall (Firewall only)
○ Weakness in old configuration
- The redundant configuration of single-core, low-end firewalls could not handle the increase in traffic.
○ Improved security configuration
- The single-core firewalls were removed and two TrusGuard 1000 units were deployed as a redundant pair.
- Active-Active High Availability setting
- Automatic failover by configuring OSPF between the redundant routers and the security appliances
○ Benefits
1) Multi-core, high-performance TrusGuard delivers the required throughput.
- Flexible handling of growing multimedia and Internet content volumes.
2) The redundant TrusGuard pair provides high network availability.
- Session synchronization and policy synchronization are configured.
3) Powerful access control based on stateful inspection
[Diagram: Internet, redundant routers (OSPF), redundant TrusGuard pair (Active-Active HA)]
Implementation Case: 00 Education Office (Firewall + SSL)
○ Weakness in old configuration
- Performance issues from using a single-core, low-end firewall.
- IPSec VPN clients were used for remote/telecommuting workers; usability suffered from many problems with failures, maintenance, installation, etc.
○ Improved security configuration
- The single-core firewall was removed and two TrusGuard 1000 units were deployed as a redundant pair.
- Active-Standby High Availability setting
- TrusGuard SSL VPN was provided for remote/telecommuting workers.
○ Benefits
1) Multi-core, high-performance TrusGuard delivers the required throughput.
- Flexible handling of growing multimedia and Internet content volumes.
2) The redundant TrusGuard pair provides high network availability.
- Session synchronization and policy synchronization are configured.
3) Security and availability of remote access through TrusGuard SSL VPN
4) Enhanced endpoint security for SSL VPN connections
- A PC firewall and anti-keylogging are provided to connecting PCs by installing AhnLab AOS.
- Cookies remaining on the PC are deleted after the connection is terminated.
[Diagram: Internet, TrusGuard (Firewall) pair in front of the DMZ server network and the internal server network, TrusGuard (SSL) for remote users]
Implementation Case: 00 Newspaper (Firewall + IPS)
○ Weakness in old configuration
- Many vulnerabilities due to a simple firewall configuration at the gateway.
- Performance issues in the web application firewall due to the large volume of unfiltered incoming traffic reaching it.
○ Improved security configuration
- The simple firewall was removed and two TrusGuard 1000 units were deployed as a redundant pair.
- Firewall and IPS run simultaneously.
- Active-Active setting through L4 switches
○ Benefits
1) By running the firewall and IPS simultaneously:
- large volumes of harmful traffic targeting the web servers and DB server are filtered, e.g. web vulnerability attacks (SQL injection, XSS);
- harmful traffic aimed at the web servers is filtered first, which reduces the load on the web application firewall behind TrusGuard.
[Diagram: Internet, L4 switches, TrusGuard (Firewall+IPS) pair, web firewall, image server, web server, DB server]
Implementation Case: 000 Political Party (DDoS)
○ Weakness in old configuration
- Service outages occurred due to DDoS attacks.
- The firewall went down under the instantaneous overload of sessions.
- Vulnerable to various hacking, network attacks and malware that bypass firewall policy (web/application vulnerability attacks, worms, bots, Trojans, etc.).
○ Improved security configuration
- TrusGuard was deployed as a dedicated DDoS protection appliance in front of the firewall at the Internet gateway.
○ Benefits
1) Effective prevention of DDoS attacks
- Prevention of DDoS attacks such as TCP SYN, ICMP and TCP ACK flooding, etc.
- Because the DDoS traffic is stopped before the firewall, the firewall works normally and internal service availability is maintained.
2) Blocking of much malware and many attacks that cannot be prevented by the firewall
- Worms, bots, Trojans, downloaders, etc.
- Application vulnerability attacks, DoS/DDoS attacks, etc.
3) Effective protection against attacks that exploit web vulnerabilities
- Web application vulnerability attacks (SQL injection, XSS, etc.), OS/IE vulnerability attacks, etc.
[Diagram: the attacker controls zombies through a C&C server; the zombies send DDoS traffic over the Internet toward the web server, which sits behind the TrusGuard DDoS appliance and the firewall.]
Implementation Case: 00 Dotcom (VPN Network)
○ Weakness in old configuration
- The simple VPN setup between HQ and branches provided only encrypted communication, so malware in the traffic and unauthorized access could not be detected.
- IPSec VPN clients on telecommuting workers' PCs failed frequently.
○ Improved security configuration
- TrusGuard provides a secure VPN channel between HQ and branches, running firewall + IPSec VPN + IPS simultaneously.
- TrusGuard provides a secure VPN channel between HQ and the data center (IDC).
- SSL VPN channel for telecommuting/mobile workers.
○ Benefits
1) Security in branches was raised to the level of HQ: firewall, VPN, IPS, anti-virus, content filtering, etc.
2) Malware arriving in VPN tunnel traffic is blocked: firewall policy is applied to VPN traffic and the IPS detects/prevents malware.
3) Redundant configuration of the security appliances at HQ through High Availability (Active-Active, Active-Standby).
- Redundancy can be set up without a session synchronization technique or an L4 switch.
4) Secure VPN channel between HQ and branches.
5) Flexible SSL VPN setup for telecommuting/mobile workers.
[Diagram: Headquarters TrusGuard Center connected by IPSec VPN tunnels to the IDC server farm and to branch TrusGuards, and by SSL VPN tunnels to telecommuting/mobile workers; ATM (integrated management) manages the appliances.]
Implementation Case: 00 Gas Station (VPN Network) (1)
[Diagram: Center – two TrusGuard 1000 units (Active/Standby) behind a C2950 switch with a trunk and link aggregation, connected to the VPN, the local network, the DB and ATM (integrated management, integrated policy setting); branches – one TrusGuard 50 at each gas station, connected to the center over the Internet by VPN.]
Implementation Case: 00 Gas Station (VPN Network) (2)
○ Weakness in old configuration
- A dedicated 256 kbit/s leased line connected HQ with each directly operated gas station; the leased lines were very expensive.
- Apart from the firewall at HQ there was no system able to respond to security threats, so the network was very vulnerable to worms and malware infecting a gas station and then spreading to the entire network.
○ Improved security configuration
- Using TrusGuard IPSec VPN, the connections between HQ and the stations were configured as gateway-to-gateway tunnels.
- On each deployed TrusGuard, the full set of functions was enabled: firewall, VPN, IPS, AV, anti-spam and website filtering.
○ Benefits
- The expensive leased-line fees were reduced to the level of high-speed broadband Internet lines: cost saving while maintaining the security level.
- By running the various security functions of TrusGuard (IPS, anti-virus, anti-spam, harmful website blocking, etc.):
. the availability of the station network is ensured by blocking incoming threats at the network level;
. by preventing malware such as worms and bots infecting a station from spreading to the internal network through the VPN tunnel,
1) the availability of the VPN network between HQ and branches is ensured, and
2) the major server systems at HQ are protected from various security threats.
- Synchronization with the DDoS monitoring system effectively prevents zombie malware from intruding and spreading to the internal network.
Implementation Case: 00 University (End-point Synch Security)
○ Weakness in old configuration
- Only a simple firewall was deployed at the Internet gateway, so the network was vulnerable to attacks and malware from outside.
- It was impossible to prevent malware or network attacks from internal PCs, or from external authorized/unauthorized PCs connecting to the internal network, from spreading to the entire internal network.
○ Improved security configuration
- Firewall and IPS were implemented at the Internet connection point, blocking unauthorized access and attacks from outside.
- In the school departments (distribution network), TrusGuard was deployed to partition each department into its own security domain.
○ Benefits
1) A security domain per school department was established.
- Different security policies per department (FW, IPS, AV, etc.)
2) Malware in a school department is prevented from spreading to the entire backbone network.
- The security threat is minimized (confined to the department network).
3) A NAC* environment can be provided by synching with V3 on PCs/servers.
- Synchronized TrusGuard-V3 security
- Quarantine of infected PCs from the network and automatic repair
* NAC (Network Access Control)
[Diagram: Internet, TrusGuard in front of the DMZ and server farm, backbone network, school department network with Dept. A/B/C each behind a TrusGuard, ATM for management.]
Implementation Case: 00 City Hall (IPv6 Pilot Network)
[Diagram: the IPv6 network in 00 City Hall (IPv6 firewall, router advertisement (RA), IPv6 PCs and an IPv6 server) and the IPv6 network in the 000 district office (IPv6 client networks, IPv6 PCs) are each protected by an AhnLab TrusGuard and linked over the IPv4 commercial network by 6to4 tunneling through a 6to4 relay router and 6KANet to the IPv6-connected network and the Internet.]
TrusGuard is "Korea's only network security solution" implemented in the IPv6 pilot network.
Detailed Functions
Specifications of Major Functions (1/6)
Firewall
Stateful packet inspection
Black & white list-based filtering
Guaranteed performance independent of policy size and session count
Various NAT functions: static/dynamic NAT, excluded NAT, NAT traversal, load-sharing NAT, twice NAT
IP/port/firewall-policy-based QoS (Quality of Service)
Object-based intuitive setup and easy-to-use management functions
Schedule-based policy setting (one-time, daily, weekly, monthly, yearly, a certain period)
Guaranteed availability: Active-Active, Active-Standby HA (without an L4 switch)
Full-mesh network configuration (without an L2 switch), bypass support
Password-based authentication, internal OTP (One-Time Password) authentication, RADIUS-linked authentication
VoIP (SIP, H.323) protocol support
Firewall policy export function
Secure OS (ANOS)
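Stateful packet inspection is the first item in the list above. What it adds over a static packet filter is that return traffic is admitted by the session table rather than by a reverse rule, and that the session table itself is a resource that can be exhausted (the political-party case in this document describes a firewall going down under a burst of sessions). The following Python block is an added example written for this page, not TrusGuard code: the Packet and Rule classes, the addresses and the max_sessions limit are assumptions chosen for illustration.

```python
"""Added example (not TrusGuard code): a minimal stateful packet inspection
filter showing why state, not a reverse rule, admits return traffic."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True for a TCP connection request


@dataclass
class Rule:
    src_net: str               # CIDR prefix or "any"
    dst_net: str
    proto: str
    dport: int                 # 0 = any port
    action: str                # "allow" or "deny"


def _match(pkt, rule):
    return ((rule.src_net == "any" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net))
            and (rule.dst_net == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net))
            and rule.proto == pkt.proto
            and rule.dport in (0, pkt.dport))


class StatefulFirewall:
    def __init__(self, rules, max_sessions=1000):
        self.rules = rules
        self.max_sessions = max_sessions          # assumed session-table capacity
        self.sessions = set()                     # (src, sport, dst, dport, proto)
        self.stats = {"allow_policy": 0, "allow_state": 0, "deny": 0, "drop_table_full": 0}

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # 1. Packets of an established session pass in either direction
        #    without a policy lookup; no "allow 80 -> any" reverse rule is needed.
        if key in self.sessions or reverse in self.sessions:
            self.stats["allow_state"] += 1
            return "allow"
        # 2. Only a SYN may open a new TCP session; a stray ACK/SYN-ACK with no
        #    state behind it is dropped even if a rule would allow the port.
        if pkt.proto == "tcp" and not pkt.syn:
            self.stats["deny"] += 1
            return "deny"
        # 3. Policy lookup, first match wins, implicit deny at the end.
        for rule in self.rules:
            if _match(pkt, rule):
                if rule.action != "allow":
                    break
                if len(self.sessions) >= self.max_sessions:
                    self.stats["drop_table_full"] += 1   # the exhaustion case
                    return "deny"
                self.sessions.add(key)
                self.stats["allow_policy"] += 1
                return "allow"
        self.stats["deny"] += 1
        return "deny"


def demo():
    """Walk a constructed packet sequence through the filter."""
    fw = StatefulFirewall([
        Rule("10.0.0.0/8", "any", "tcp", 80, "allow"),   # LAN may browse the web
        Rule("any", "10.0.0.0/8", "tcp", 0, "deny"),     # nothing new from outside
    ], max_sessions=2)
    decisions = [
        fw.filter(Packet("10.0.0.5", 40000, "198.51.100.1", 80, syn=True)),   # allow by policy
        fw.filter(Packet("198.51.100.1", 80, "10.0.0.5", 40000)),            # allow by state
        fw.filter(Packet("198.51.100.1", 80, "10.0.0.9", 40001)),            # deny: no state, not a SYN
        fw.filter(Packet("198.51.100.1", 4444, "10.0.0.9", 445, syn=True)),  # deny by policy
        fw.filter(Packet("10.0.0.6", 40002, "198.51.100.1", 80, syn=True)),   # allow by policy
        fw.filter(Packet("10.0.0.7", 40003, "198.51.100.1", 80, syn=True)),   # deny: table full
    ]
    return decisions, fw.stats


if __name__ == "__main__":
    print(demo())
```

The last packet is the interesting one: it is permitted by policy yet dropped because the table is full, which is exactly how a SYN flood takes a stateful firewall offline and why the appliance in front of it should answer floods without creating state.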
Network
Route & Transparent Mode supported
Static & Dynamic Routing supported (RIPv1, RIPv2, OSPF)
Source Routing supported
Multicast Routing Protocol (PIM-SM)
802.1Q Vlan, 802.3ad Port Aggregation
DHCP Server/ DHCP Relay (in Bridge mode), DNS/ Split DNS
By-pass function supported
SNMP v1/ v2 supported
NTP supported
SIMS linkage supported
Specifications of Major Functions (2/6)
IPSec VPN
Manual key, IKEv1, IKEv2
Gateway-to-gateway / client-to-gateway VPN
Bridge mode over IPSec
Encryption algorithms: 3DES, AES (128, 192, 256), SEED, ARIA
Hash algorithms: SHA-1, SHA-2 (256, 384, 512), HAS-160 (certified algorithm)
Hub & spoke / star / mesh architecture
NAT traversal supported
Dead peer detection supported
PFS (Perfect Forward Secrecy) supported
Replay attack prevention
Split tunnel
PKI standard interoperation (X.509)
Bypass of other IPSec traffic
Firewall / IPS interworking
Multi-line load balancing supported (2 or more lines)
Encryption accelerator supported
VPN traffic QoS supported
Powerful monitoring of the entire VPN network and all appliances
IPv6 support (integrated support planned for May 2010)
IPv4/IPv6 dual stack supported
- IPv4 & IPv6 simultaneous processing
IPv6 networking / routing / packet filtering supported
- IPv6 static/dynamic routing (RIPng and OSPFv3, listed on the datasheet as RIPv6/OSPFv6)
- IPv6 tunneling (6to4, ISATAP) & translation (NAT-PT)
- IPv6 stateful-inspection-based packet filtering
- Static NAT, dynamic NAT, excluded NAT
- IPv6 log collection and analysis
Specifications of Major Functions (3/6)
Intrusion Prevention
Packet-based network attack detection & prevention
Signature-based intrusion prevention: approximately 5,000-6,000 signatures
- Regular signature updates (1-2 times per day)
Behavior-based intrusion prevention
- Anti-scanning, anomaly detection, DoS/DDoS prevention
User-defined rules/signatures
- Exceptions configured by IP/port or by source/destination
Three-phased blocking method against 'zero-day' attacks
- Zero-day attack prevention (predictive rules for vulnerability attacks)
- Outbreak prevention (prevents the spread of an initial attack)
- Known attack prevention
The vendor writes its own signatures for attack response
- A 24-hour malware-handling organization (ASEC) provides analysis reports
Automatic, regular updates using AST (AhnLab Security Tower) and CDN (Contents Delivery Network)
MAPP (Microsoft Active Protections Program) partnership with Microsoft
SSL VPN
Gateway-to-client VPN, user-level access control
Service at the level of an IPSec VPN client
Stronger endpoint security
- Anti-keylogging and firewall functions upon initial access
- Automatic installation of AOS (AhnLab Online Security) Firewall & AOS Anti-Keylogger, and automatic removal afterwards
- Deletion of HTTP cache and cookie data after use
SSL VPN dead peer detection
SSL VPN client system requirements: Windows 2000 / Windows XP / Windows Vista, IE 6.0 or higher
SSL VPN Active-Standby HA supported
SSL accelerator supported (optional)
Synchronization of internal DNS, WINS
Specifications of Major Functions (4/6)
Intrusion Prevention
Threat responses (5,000-6,000 IPS signatures)
- Worm, spyware, Trojan, downloader, dropper, mass-mailer, phishing, bot/botnet prevention
- Backdoor prevention
- TCP reassembly, IP defragmentation
- NetBIOS attacks
- RPC attacks
- Application/web attack prevention (OWASP Top 10 weaknesses)
. SQL/PHP injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc.
. Attacks through weaknesses in IIS / CGI / MISC / PHP
. Attacks through OS weaknesses, Internet Explorer weaknesses, etc.
. ARP spoofing, botnet control, shellcode, scripts, web monitoring, etc.
- DoS, DDoS, scan prevention
- Exploit attack prevention
- E-mail attack prevention
- DNS attack prevention
- Anomaly prevention
- Prediction and blocking of unknown attacks
- Blocking of P2P / instant messengers
- Signature update history management, help text for each signature
DDoS Protection
Dedicated engine to defend against DDoS attacks
TCP flooding prevention
- TCP SYN flooding (spoofed), TCP ACK flooding (spoofed), TCP NULL flooding (spoofed)
- Defends against SYN-ACK flooding, IP random fragment flag and RST flooding attacks
UDP flooding prevention
- Defends against UDP flooding (spoofed) and IP random fragment flag attacks
ICMP flooding prevention
- ICMP echo flooding (spoofed), ICMP echo reply flooding (spoofed)
HTTP botnet attack prevention
- Defends against HTTP botnet attacks
- Defends against CC (Cache-Control) attacks
Other attacks
- Defends against Confuse TCP/UDP/ICMP flooding attacks
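The flooding attacks listed under DDoS Protection are detected by rate, and for the spoofed variants the rate has to be measured per destination, because a spoofed flood shows each source address only once or twice. The Python block below is an added example written for this page, not the TrusGuard DDoS engine: it generates a constructed packet stream (a legitimate connection burst, then a spoofed SYN flood and an ICMP echo flood), flags floods per destination and per one-second window using both a rate and a SYN-to-ACK ratio, and contrasts this with a per-source SYN count, which stays low during the spoofed flood. All thresholds are illustrative values, not the appliance's settings.

```python
"""Added example (not AhnLab's DDoS engine): rate- and ratio-based flood
detection per destination over a constructed packet stream."""
import random
from collections import defaultdict

# Packet record: (time_s, src, dst, proto, flag)
# flag is "SYN"/"ACK" for tcp, "echo"/"reply" for icmp, "" for udp.


def sample_traffic():
    """Constructed stream: a legitimate burst that completes handshakes in
    second 0, then a spoofed SYN flood and an ICMP echo flood in second 1."""
    rnd = random.Random(7)
    pk = []
    for i in range(300):                      # 300 real clients: SYN, then ACK
        src = f"192.0.2.{i % 254 + 1}"
        pk.append((i * 0.003, src, "10.0.0.80", "tcp", "SYN"))
        pk.append((i * 0.003 + 0.001, src, "10.0.0.80", "tcp", "ACK"))
    for i in range(2000):                     # spoofed SYNs, no handshake completes
        src = f"198.51.100.{rnd.randrange(1, 255)}"
        pk.append((1.0 + i * 0.0004, src, "10.0.0.80", "tcp", "SYN"))
    for i in range(400):                      # ICMP echo flood from one host
        pk.append((1.0 + i * 0.002, "203.0.113.9", "10.0.0.80", "icmp", "echo"))
    return pk


def detect_floods(packets, window_s=1.0, syn_rate=500, syn_ack_ratio=5.0,
                  udp_rate=500, icmp_rate=300):
    """Bucket packets per (destination, window) and report floods.
    Thresholds are illustrative packets-per-window values."""
    buckets = defaultdict(lambda: {"SYN": 0, "ACK": 0, "udp": 0, "icmp": 0,
                                   "srcs": set()})
    for t, src, dst, proto, flag in packets:
        b = buckets[(dst, int(t // window_s))]
        b["srcs"].add(src)
        if proto == "tcp" and flag in ("SYN", "ACK"):
            b[flag] += 1
        elif proto == "udp":
            b["udp"] += 1
        elif proto == "icmp" and flag == "echo":
            b["icmp"] += 1
    alerts = []
    for (dst, win), b in sorted(buckets.items()):
        # A SYN flood is many SYNs with almost no ACKs completing handshakes;
        # the ratio keeps a busy but legitimate server from being flagged.
        if b["SYN"] >= syn_rate and b["SYN"] >= syn_ack_ratio * max(b["ACK"], 1):
            alerts.append((dst, win, "tcp_syn_flood", b["SYN"], len(b["srcs"])))
        if b["udp"] >= udp_rate:
            alerts.append((dst, win, "udp_flood", b["udp"], len(b["srcs"])))
        if b["icmp"] >= icmp_rate:
            alerts.append((dst, win, "icmp_echo_flood", b["icmp"], len(b["srcs"])))
    return alerts


def max_syns_per_source(packets, window_s=1.0):
    """What a per-source SYN counter sees: spoofing spreads the flood over
    many addresses, so no single source ever looks abusive."""
    counts = defaultdict(int)
    for t, src, dst, proto, flag in packets:
        if proto == "tcp" and flag == "SYN":
            counts[(src, int(t // window_s))] += 1
    return max(counts.values())


if __name__ == "__main__":
    pk = sample_traffic()
    for alert in detect_floods(pk):
        print("dst=%s window=%d %s count=%d distinct_srcs=%d" % alert)
    print("max SYNs from any single source per window:", max_syns_per_source(pk))
```

The distinct-source count in each alert is the second signal a practitioner looks at: hundreds of sources each sending a handful of SYNs to one port is a spoofed flood, while one source sending hundreds of echo requests is a single host to rate-limit. Neither check needs per-flow state, which is why a DDoS appliance can sit in front of a stateful firewall and absorb what would otherwise exhaust the firewall's session table.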
Specifications of Major Functions (5/6)
Anti-Virus
File-based virus and malicious code detection & prevention
Threats: viruses, Trojans, worms, spyware, adware, phishing, spam and malicious sites
Advance blocking of e-mail viruses (outbreak prevention)
Supported protocols: HTTP, SMTP, POP3, FTP, Oracle and general TCP
Scanning of compressed files (up to 5 levels of nesting), file-extension filtering
24-hour monitoring & analysis of various threats by ASEC
24/7 real-time updates through the CDN (Contents Delivery Network)
Performance optimization through load sharing
Quarantine through detection of infected systems
Anti-Spam / Web Filtering
Spam mail blocking: scans SMTP, POP3
RBL (Real-time Black List) & RPD (Recurrent Pattern Detection) engine-based spam detection
User-defined keyword-based spam blocking
- Keywords (subject, content), regular expression / wildcard
Allowed mail list supported (sender IP address / e-mail address)
Spam mail quarantine: forwarding to and storage in a designated mail account
Website filtering
- Interface with the database of the Korea Communications Standards Commission, and blocking of user-defined URLs
- User-defined website filtering supported (wildcard supported)
- Source/destination-based exceptions to website filtering
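The anti-spam and website-filtering items above describe three decision mechanisms: an RBL lookup on the sending IP, user-defined keyword rules (wildcard or regular expression) with an allow list, and wildcard URL matching with source-based exceptions. The Python block below is an added example written for this page, not AhnLab's engine, showing how each decision is made. The RBL zone dnsbl.example and its answers are constructed stand-ins for a real DNSBL (a real lookup resolves the same query name over DNS), and the messages, rules and URLs are constructed samples.

```python
"""Added example (not AhnLab's code): the decision logic of RBL- and
keyword-based spam filtering with an allow list, and wildcard website
filtering with source-based exceptions."""
import fnmatch
import ipaddress
import re


def dnsbl_query_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets under the list zone (RFC 5782),
    e.g. 192.0.2.44 -> 44.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed stand-in for DNS answers: a listed address resolves to 127.0.0.x.
FAKE_DNSBL = {"44.2.0.192.dnsbl.example": "127.0.0.2"}


def rbl_listed(ip, zone="dnsbl.example", resolve=FAKE_DNSBL.get):
    """True if the list zone answers for this IP. `resolve` is injectable so a
    real resolver can replace the constructed table."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def classify_mail(msg, allow_ips=(), allow_senders=(), keyword_rules=()):
    """Return (verdict, reason). Allow list wins, then the RBL, then keyword rules.
    A keyword rule is ("wildcard" | "regex", field, pattern)."""
    if msg["ip"] in allow_ips or msg["from"].lower() in {s.lower() for s in allow_senders}:
        return ("deliver", "allow-list")
    if rbl_listed(msg["ip"]):
        return ("quarantine", "rbl")
    for kind, field, pattern in keyword_rules:
        text = msg[field]
        if kind == "wildcard":
            hit = fnmatch.fnmatch(text.lower(), pattern.lower())
        else:
            hit = re.search(pattern, text, re.IGNORECASE) is not None
        if hit:
            return ("quarantine", "keyword:" + pattern)
    return ("deliver", "clean")


def url_blocked(src_ip, url, block_patterns, exceptions=()):
    """Website filtering: wildcard patterns on host/path; a source inside an
    exception network is exempt (e.g. the security team's subnet)."""
    for net in exceptions:
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
            return False
    host_path = re.sub(r"^[a-z]+://", "", url.lower())   # drop the scheme
    return any(fnmatch.fnmatch(host_path, p.lower()) for p in block_patterns)


if __name__ == "__main__":
    rules = [("wildcard", "subject", "*free*prize*"),
             ("regex", "body", r"\b(viagra|c[i1]alis)\b")]
    msg = {"ip": "198.51.100.3", "from": "x@example.net",
           "subject": "Claim your FREE PRIZE now", "body": "..."}
    print(classify_mail(msg, keyword_rules=rules))
    print(url_blocked("10.0.1.5", "http://www.gambling.example/play",
                      ["*.gambling.example/*", "*.gambling.example"]))
```

Two details matter in practice: the RBL is consulted on the connecting IP, not on any header the sender controls, and fnmatch's `*` also matches `/`, so a pattern like `*.gambling.example/*` covers every path on every subdomain, which is usually what a site-blocking rule intends but should be checked when writing narrower rules.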
Proxy
Supported proxies: HTTP, POP3, SMTP, FTP, Oracle, DNS, UDP, general TCP
Blocking of ActiveX, JavaScript, applets, VBScript, textarea tags and other tags
Command blocking (FTP, SMTP)
Mail relay blocking (SMTP)
Hides internal IP information from the outside
Specifications of Major Functions (6/6)
NAC
Network access control by linking with APC, the management program for the V3 anti-virus solution
- PCs without APC installed have their Internet access controlled and are redirected to an installation page
- PCs infected with malicious code are quarantined from the network and forcibly repaired by APC
Log Server
External log server (separate software installation)
Real-time monitoring of system / firewall / IPS / anti-virus / anti-spam
Security log storage / collection / analysis & display
- More than 50 analysis reports
Integrated Manager
External integrated manager (separate software installation)
- Manages multiple appliances
- Policy setting across multiple appliances
- Real-time monitoring of managed appliances
Monitoring
Real-time monitoring of log data (system / network / firewall / IPS / anti-virus / anti-spam)
Statistics on various analysis information
Traffic Management (QoS)
Bandwidth guarantee for all traffic, by IP and by port
Manual setup and automatic setup based on filtering results supported
QoS per policy for traffic control
Policy/schedule-based QoS supported
Traffic shaping and policing supported
Specifications
H/W Specification
Category              | TrusGuard 50        | TrusGuard 70        | TrusGuard 100P      | TrusGuard 400         | TrusGuard 500         | TrusGuard 1000        | TrusGuard 10000
Operation mode        | Route / Transparent | Route / Transparent | Route / Transparent | Route / Transparent   | Route / Transparent   | Route / Transparent   | Route / Transparent
CPU                   | Single              | Dual                | Dual                | Dual                  | Quad                  | Quad                  | Exclusive multi-core
10/100 switch ports   | 4                   | 4                   | -                   | -                     | -                     | -                     | -
Giga ports (copper)   | 4                   | 4                   | 6                   | 4                     | 4                     | 4                     | 8
Giga ports (fiber)    | -                   | -                   | -                   | 2                     | 4                     | 8                     | 8
10G ports             | -                   | -                   | -                   | -                     | -                     | -                     | 2 (4 ports for expansion, copper 1G x 8 excluded)
Bypass                | Copper              | Copper              | Copper              | Copper / SFP          | Copper / SFP          | Copper / SFP          | 10G / SFP
Firewall throughput   | 150 Mbps            | 300 Mbps            | 600 Mbps            | 1.2 Gbps              | 2 Gbps                | 4 Gbps                | 20 Gbps
Firewall + IPS        | 80 Mbps             | 240 Mbps            | 400 Mbps            | 800 Mbps              | 1.2 Gbps              | 2 Gbps                | -
Max sessions          | 300,000             | 500,000             | 1,000,000           | 1,300,000             | 1,500,000             | 2,000,000             | 5,000,000
Sessions / second     | 6,000               | 6,000               | 10,000              | 15,000                | 20,000                | 27,000                | 100,000
VPN tunnels           | 500                 | 1,000               | 5,000               | 8,000                 | 12,000                | 20,000                | -
Size (W x D x H, mm)  | 428 x 44 x 300      | 428 x 44 x 300      | 431 x 44.4 x 361    | 424 x 88 x 530        | 426 x 88.8 x 584      | 426 x 88.8 x 584      | 431.8 x 88 x 580
Operating temperature | 0~40 deg C          | 0~40 deg C          | 0~60 deg C          | 0~40 deg C            | 0~40 deg C            | 0~40 deg C            | 5~35 deg C
Storage temperature   | -20~75 deg C        | -20~75 deg C        | -20~70 deg C        | -20~80 deg C          | -20~70 deg C          | -20~70 deg C          | 0~70 deg C
Power                 | 150 W single        | 150 W single        | 1U ATX SPS / 180 W  | Redundant, 460 W each | Redundant, 600 W each | Redundant, 600 W each | Redundant, 500 W
Summary
[Positioning chart (price/performance): Small & Branch – TrusGuard 50, 70, 100; Middle-sized Enterprise – TrusGuard 400, 500, 1000; Data Center – TrusGuard 10000. Features across the line-up: Firewall, DDoS, IPSec & SSL VPN, IPS/AV/AS/Web, IPv6, CC, Log Server, Integrated Manager.]
TrusGuard: High-Performance / High-Quality Network Security
TrusGuard fully protects your assets through a high-performance firewall/VPN and provides high-quality security response capability.
Appendix. Main UI View
Prevention of Major Attacks: Sample
[Screenshots of the IPS log, not reproduced]
1. Defense against DDoS attack: blocked DDoS attacks such as ICMP flooding / Trinoo, etc.
2. Defense against SQL injection attack: blocked SQL injection attacks such as WEB-MISC Demarc, etc.
3. Defense against worm attack (1): blocked worm attacks such as exploit, ActiveX attack, etc.
3. Defense against worm attack (2): blocked worm attacks such as BAD-TRAFFIC data, etc.
4. Defense against spyware attack: blocked spyware attacks such as Win32-Trojan, Win-Spyware, etc.
Main UI View
1. Detailed monitoring screens
[Screenshots, not reproduced]
(1) "Graphical display" of network statistics. Monitor types: network usage, usage by protocol, usage by service
(2) "Graphical display" of threat detection/block statistics by IPS. Monitor types: statistics by perceived risk level of attack, IPS detection/block log, top 10 attacks
(3) "Graphical display" of virus detection/block statistics. Monitor types: virus statistics by protocol, virus detection/block log, top 10 viruses
(4) "Graphical display" of spam mail detection/block statistics. Monitor types: spam mail block statistics by filter, spam mail detection/block log, top 10 spam mail
(5) "Graphical display" of harmful website detection/block statistics. Monitor types: website filtering statistics by filter, harmful website detection/block log, top 10 filtered websites
Appendix.
Appendix. ASEC – Overview
ASEC (AhnLab Security E-response Center) is AhnLab's global security response unit, consisting of the best malware analysts and security experts.
24x365 service
• ASEC monitors, analyzes and responds to new threats from around the world 24 hours a day.
Integrated signatures for network & endpoint
• ASEC provides integrated signatures for various threats occurring on networks, PCs, servers, mobile devices, etc.
Regular analysis information
• ASEC provides detailed information on malware and vulnerabilities. Trends in security threats are provided through ASEC reports.
Monitoring/analysis systems for various threats
• ASEC Intelligence Network™
• BotNet™: botnet information management system
• WebMon™: website monitoring system
• BlueBox™: malware packet gathering system
• Competence analysis system for vulnerability signatures (planned)
Appendix. ASEC – ASEC Response Process
ASEC (AhnLab Security E-response Center) has been providing powerful security service through its 'malware & vulnerability analysis and response process' for more than 15 years.
[Process flow diagram with the stages: malware outbreak, sample collection, sample analysis, emergency response decision, engine writing, QA test, engine upload, detailed sample analysis, distribution of analysis information, end of emergency response.]
Appendix. ASEC – Security Threat Analysis Methodology
ASEC's security threat analysis methods are as listed below.
Dynamic analysis
Symptom analysis
1. System analysis
2. Process analysis
3. Registry analysis
4. Network analysis
5. Other analyses
Information analysis
1. Additional analysis of symptoms
2. Gathering of various information
3. Checking of related matters
Static analysis
File analysis
1. File format analysis
2. In-use API analysis
3. String analysis
Code analysis
1. Disassembling
2. Debugging
Writing the engine
1. Malicious code decision
2. Production of the detection signature & function
3. Writing of analysis information
Characteristics of the malware analyzed:
• Vulnerability exploitation
• Use of executable compression (packing)
• Use of rootkits
• Sophisticated concealment techniques (file, process)
• Use of polymorphic techniques
• Leakage of private information
• Spyware + Trojan horse
• Various infection methods
Appendix. ASEC – Synch with CERT
Through the organic synch of 'ASEC-CERT', AhnLab provides effective responses to active malicious code and attacks.
[Diagram: ASEC and CERT exchange threat information; signature updates flow from the AhnLab AST server and the AhnLab CDN over the KT, DACOM and SK networks to clients.]
AhnLab Security E-response Center (ASEC)
- Threat monitoring & response
- Real-time response to threat/attack reports from CERT
- Security response prior to the security patch through the MAPP partnership with Microsoft
Computer Emergency Response Team (CERT)
- Real-time attack/threat information gathering through managed security clients
- Delivery of real-time attack/threat information to ASEC
By applying the threat monitoring & analysis information from ASEC-CERT in real time, AhnLab provides effective protection against zero-day attacks.
Appendix. ACCESS system diagram (AhnLab Cloud Computing E-Security System)
ACCESS, a comprehensive threat analysis system by AhnLab based on cloud computing technology, provides prompt and effective response to fast-changing security threats.
[Diagram: a comprehensive threat analysis system (CERT and ASEC monitoring/response, Smart Defense and SiteGuard heuristics, managed security center) receives network threat information, malicious codes and dangerous URLs from AhnLab products deployed in each customer segment, and feeds the security management infrastructure (V3 engine, TrusGuard signatures, SiteGuard database, Smart Defense database) back to them:
- Security partners (government/overseas): V3 MSS, SiteGuard
- SMBs: V3 IS 8.0, SiteGuard
- Large enterprises: APC 4.0, SiteGuard Security Center, TrusGuard
- Game/banking: AOS, HackShield
- Individual users: V3 365, SiteGuard, Mobile Security
- Data center/service provider: SiteGuard (new)]
Beyond Security, More than Security
AhnLab TrusGuard
Thank you.