
Ajit Shelat - Persistent LAN Security - Interop Mumbai 2009


DESCRIPTION

In a growing electronic economy, cyber attacks are now being used with greater intensity for political, financial and military reasons. Many countries are also using cyber attacks to extract critical information about strategic developments to gain an edge. Simultaneously, hackers are creating millions of zombies and using them effectively to launch coordinated attacks. The epidemic growth of malware is reducing the effectiveness of current signature-based technologies. As a result, the world is moving towards alternative technologies, namely reputation-based or anomaly-based detection and prevention. This presentation will explore how targeted attacks are being executed, and how organizations can neutralize these attacks by adopting the right techniques. Shelat will also highlight how a multi-layered approach to security technologies can be deployed to protect critical infrastructure from attacks.


Page 1: Ajit Shelat - Persistent LAN Security - Interop Mumbai 2009

10/21/2009 © 2005 Nevis Networks – Proprietary and Confidential 1

Persistent LAN Security

Ajit Shelat

CEO

Nevis Networks

Page 2: Top Network Attacks

[Bar chart: percentage of respondents reporting each attack type]

• Trojans, viruses, worms
• Insider abuse
• Unauthorized access
• Denial of service attacks
• BOTS
• Abuse of wireless
• Systems penetration
• Password sniffing
• DNS attacks
• Sabotage

2008 CSI Survey Results of 522 Worldwide Respondents

Page 3: Modern Day Complex Threats

Typical Blended Attack

• Designed to maximize damage
• Fast-spreading network-based threat with multiple attack vectors:
  • Combination of virus, spam, worm and vulnerability exploits
  • Leverages P2P, IM and email to spread with a malicious payload attachment
  • Can self-replicate, acting as a hybrid virus/worm
  • Remote execution, DoS, backdoor applications

Page 4: Virus/Worm internals – Understanding Conficker

• Disables all security on the PC
• Starts peer-to-peer communication
• Carries out Internet rendezvous
• Tries to spread

Page 5: Hacking made easy

• Stealth mode
• Keystroke capture
• Screen shots
• Password capture
• No detection by AV + AS software
• Mail, including webmail, capture

Page 6: Security mechanisms today

Page 7: Perimeter Security

» Gateway Firewall
» IDS/IPS
» Gateway AV
» VPN
» Content filtering

Issues

» Ineffective against attacks from inside the network
» Non-malicious, careless users with ‘tainted’ laptops or USB devices, or who inject attacks directly into the LAN through careless internet access
» Malicious insiders who can launch targeted attacks

Page 8: Ajit Shelat - Persistent LAN Security - Interop Mumbai 2009

10/21/2009 © 2006 Nevis Networks – Proprietary and Confidential 8

Network Access Control - End Point Security» OS Patch Management

» Anti Virus / Anti Spyware

» Personal Firewall

» HIPS

Issues

» OS patches and AV/AS updates can take weeks to be deployed

» AV, AS protection typically provide coverage of about 85-95%

» AV, AS coverage for new attacks is lower in the few hours after a new attack is launched

» Zero day and targeted attacks can bypass end-point protection mechanisms

» Malicious Users can disable/evade endpoint security checks

Page 9: Network Access Control – Authentication

» Access control

Issues

» Does not provide persistent security – mainly aimed at pre-connect authentication
» Does not protect against a determined, malicious user attack
» No threat detection and prevention
» No support for detailed logging of network activity – inability to generate compliance reports and support forensic analysis

Page 10: End-to-End Application Security

» Application security
» Client to Server secure pipe
» Clean, trusted end-point

Issues

» End-to-end encryption does not prevent malicious traffic being exchanged between the client and server
» Endpoints cannot be assumed to be clean since:
  » They can be attacked using other protocols, e.g. L2 protocols on the LAN, DoS attacks
  » Protocols such as SSL can be broken using man-in-the-middle type attacks

Page 11: LAN Security – Weak Link in the Chain

[Diagram: Internet – Gateway – LAN – End Point]

• Security focus has been on:
  • Perimeter
  • End-point, i.e. PC/Laptop
• With increasing usage of laptops, handheld devices & wireless, the well-defined perimeter has dissolved
• No focused, specific security mechanisms for the LAN
• Internal networks are flat, a good playground for worms & hackers
• Hard to manage thousands of internal users based on IP/MAC addresses and/or access-level security at application servers

LAN Security Should be @ LAN Speeds

Page 12: Forrester View

• The Problem: Managing all endpoint risks to the network
• Proactive Endpoint Risk Management (PERM)*:
  – Policy-based technology
  – Identity-based enforcement
  – Integrated security services
    • Endpoint verification
    • Identity-based access control
    • Threat prevention
    • Monitoring and reporting
• “PERM goes beyond NAC’s limited endpoint policy view”*

* Source: Forrester Research, Client 2.0, March 2007, Robert Whiteley and Natalie Lambert

Page 13: Comprehensive LAN Security Solution

Page 14: It’s All About Knowing…

• Who is on your network?

• Where are they going?

• Can you control their behavior?

• What traffic are they sending?

• What are they doing?

• What would you like to do?

Page 15: Characteristics of Comprehensive LAN Security Solution

• Comprehensive LAN Security
  – Involves endpoint authentication and compliance checks, ensuring that only valid users with clean endpoints can access certain resources on the network
  – Blocks or quarantines the user if any intended or unintended malicious activity is detected
  – Notifies the admin of any deviations from organizational policies or malicious activities, enabling auditing, drill-down and forensic analysis
  – Controls endpoints connected to managed switches, restricting a malicious endpoint as close to the source as possible
  – Prevents compromised endpoints from infecting other endpoints connected to unmanaged switches
  – Gives the admin a complete view of network health
  – Encompasses security right from the endpoint: user identity, network access privileges/control, audit capability and blocking of malicious traffic
  – Ensures high network uptime and clean networks without malicious or unwanted traffic, and improves network bandwidth utilization
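The admission-then-monitor loop this slide describes, as an added illustration (not Nevis Networks code); the roles, zones, posture criteria, switch names and uplink port are constructed assumptions. It shows why pre-connect checks alone are not persistent, and where a block can actually be applied when the offending endpoint sits behind an unmanaged switch.

```python
# Added illustration, not from the slides: pre-connect admission plus
# post-connect quarantine. Roles, zones, posture criteria and topology are
# constructed assumptions.
ROLE_ZONES = {"employee": "corporate", "contractor": "restricted", "guest": "guest"}
MANAGED = {"sw-floor1": True, "hub-lab": False}    # which access switches we control
UPLINK = {"hub-lab": ("sw-floor1", 24)}             # unmanaged device -> managed uplink port

def posture_ok(posture, max_av_age_days=1):
    """Compliance check: fresh AV signatures, OS patched, host firewall on."""
    return (posture.get("av_age_days", 999) <= max_av_age_days
            and posture.get("patched") is True
            and posture.get("firewall") is True)

def admit(user, role, posture):
    """Pre-connect decision: valid identity AND clean endpoint -> the role's zone.
    A known user on a dirty endpoint is parked in remediation, not given LAN access."""
    if role not in ROLE_ZONES:
        return {"user": user, "state": "denied", "zone": None}
    if not posture_ok(posture):
        return {"user": user, "state": "remediation", "zone": "remediation"}
    return {"user": user, "state": "admitted", "zone": ROLE_ZONES[role]}

def quarantine(session, location, alert):
    """Post-connect (persistent) decision: an alert against an admitted session
    moves it to quarantine and names the nearest enforceable choke point.
    location = (switch, port). On a managed switch the block lands on that port.
    Behind an unmanaged switch the only choke point is the managed uplink, which
    also cuts off that switch's other endpoints: the collateral flag records this."""
    switch, port = location
    session = dict(session, state="quarantined", zone="quarantine", reason=alert)
    if MANAGED.get(switch):
        session["block"] = {"switch": switch, "port": port, "collateral": False}
    else:
        up_switch, up_port = UPLINK[switch]
        session["block"] = {"switch": up_switch, "port": up_port, "collateral": True}
    return session

if __name__ == "__main__":
    clean = {"av_age_days": 0, "patched": True, "firewall": True}
    s = admit("alice", "employee", clean)
    print(s)
    print(quarantine(s, ("hub-lab", 3), "worm propagation observed"))
```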

Page 16: An Integrated Policy Approach

[Diagram: policy components]
• Identity-based Enforcement
• NAC
• Threat Prevention
• Network Traffic Visibility
• Application Use Controls

Page 17: The Identity-Aware Network

[Diagram: user groups mapped to network resources]
• User groups: Employees, Contractors, Partners, Guests
• Resources: Mission-critical Applications, Subset of Applications, Guest Network

Page 18: Multi-layer Defense Model

Defense layers:
• Firewall / Access Control
• Endpoint Integrity System
• Signature Detection
• Protocol Anomaly
• L2 Security
• Traffic Anomaly

Threats addressed:
• Unauthorized access
• Plundering system for data
• Reconnaissance and scanning
• Worms and viruses
• BOTs
• Spyware
• Backdoors and RATs
• Anomalous traffic
• Remote execution
• Detect password cracking
• Denial of service
• Bandwidth consumption
• MAC spoofing
• ARP spoofing
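Two of the layers on this slide, L2 security and traffic anomaly, as an added detection example (not the slides' or Nevis Networks' code) run over constructed packet summaries; the thresholds, addresses and event format are assumptions. It flags an IP claimed by a second MAC (ARP spoofing), a worm-style sweep of one port across many hosts, and a per-source packet flood.

```python
# Added example, not from the slides: LAN-side detection for the L2 security
# and traffic anomaly layers. Event format, addresses and thresholds are constructed.
from collections import defaultdict

def detect(events, scan_hosts=20, flood_pps=500):
    """events: dicts with ts and proto; ARP replies carry arp_ip/arp_mac,
    IP packets carry src_ip/dst_ip/dport. Returns alert dicts in time order."""
    alerts = []
    ip_to_mac = {}                   # first MAC seen answering for each IP
    targets = defaultdict(set)       # (src_ip, dport) -> distinct dst_ips touched
    per_second = defaultdict(int)    # (src_ip, whole second) -> packet count
    for ev in events:
        if ev["proto"] == "arp":
            first = ip_to_mac.setdefault(ev["arp_ip"], ev["arp_mac"])
            if first != ev["arp_mac"]:   # same IP now claimed by a second MAC
                alerts.append({"type": "arp_spoof", "ip": ev["arp_ip"], "old_mac": first,
                               "new_mac": ev["arp_mac"], "ts": ev["ts"]})
            continue
        key = (ev["src_ip"], ev["dport"])
        targets[key].add(ev["dst_ip"])
        if len(targets[key]) == scan_hosts:   # fires once, when the threshold is crossed
            alerts.append({"type": "horizontal_scan", "src_ip": ev["src_ip"],
                           "dport": ev["dport"], "hosts": scan_hosts, "ts": ev["ts"]})
        sec = (ev["src_ip"], int(ev["ts"]))
        per_second[sec] += 1
        if per_second[sec] == flood_pps:      # likewise once per source and second
            alerts.append({"type": "flood", "src_ip": ev["src_ip"], "pps": flood_pps, "ts": ev["ts"]})
    return alerts

def sample_events():
    """Constructed traffic: a legitimate ARP binding, a conflicting one,
    a sweep of TCP/445 across 25 hosts, and a 600 pkt/s UDP burst."""
    ev = [{"ts": 0.0, "proto": "arp", "arp_ip": "10.0.0.1", "arp_mac": "aa:aa:aa:aa:aa:01"},
          {"ts": 1.0, "proto": "arp", "arp_ip": "10.0.0.1", "arp_mac": "bb:bb:bb:bb:bb:02"}]
    for i in range(25):
        ev.append({"ts": 2.0 + i / 100, "proto": "tcp", "src_ip": "10.0.0.50",
                   "dst_ip": f"10.0.0.{100 + i}", "dport": 445})
    for i in range(600):
        ev.append({"ts": 5.0 + i / 1000, "proto": "udp", "src_ip": "10.0.0.60",
                   "dst_ip": "10.0.0.7", "dport": 53})
    return ev

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The ARP check only catches re-bindings it has seen both halves of, so in practice the first binding should be seeded from a trusted source (DHCP lease table or static inventory) rather than from whichever reply arrived first.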

Page 19: Comprehensive Security – Integrated Perimeter, LAN & End point security

[Network diagram with the following labelled elements]
• Internet, Edge Firewall, Router, VPN
• Access and Distribution layers
• Desktops, Laptop, Enterprise Servers, Workgroup Servers
• Departmental Firewall, Secured Workgroup Firewall, IDS
• Wireless Access Point, Wireless Security Gateway, Wireless Users
• Extended Perimeter
• Network access control

Page 20: One Stop Comprehensive LAN Security Status

Page 21: Thank You