ICT Security 2010: Le minacce delle nuove tecnologie

Alessio L.R. [email protected]

twitter: mayhemsppFaceBook: alessio.pennasilico

Phone/Fax +39 045 8271202Via Roveggia 43, VeronaVia Doria 3, Milanohttp://www.aisgroup.it/[email protected]

Cristiano [email protected]

BDM & SE Italia e Grecia

La tecnologia intorno a me,la sicurezza dentro di me

Friday, 29 October, 2010

mailto:[email protected]








Alessio L.R. Pennasilico


Board of Directors: Associazione Informatici Professionisti, CLUSIT

Associazione Italiana Professionisti Sicurezza Informatica

Italian Linux Society, LUGVR, Sikurezza.org

Hacker’s Profiling Project

2

!

Security Evangelist @



Rischi della Virtualizzazione

accesso all’interfaccia amministrativa

test reachability per HA

vMotion

iSCSI, NFS

3



Proteggere le VM

Segmentare la rete

Applicare filtri

IDS

Antivirus

4


Today’s Network Security Requirements

Situational Visibility & Awareness Application Intelligence, Control with Visualization Scanning of all out-going and in-coming traffic

Protection & Risk Management Security effectiveness for maximum catch rates Zero-day protection

Secure Access and ManageabilityFlexible, yet granular controlsMulti-vendor interoperability

ScalabilityTechnology and SolutionsNetwork Performance/ Policy & Administration

ComplianceRegulations and StandardsProof

Physical and virtualized assets

Distributed networks Users and Applications Mobile devices Embedded sensors

2 Copyright 2010 SonicWALL Inc. All Right Reserved.


Vulnerabilities in the software everyoneuses everyday …

It’s Human Nature …Programmers make mistakesMalware exploits mistakes

Malware propaga+ng at Applica+on Layer




VoIP Risks

I telefoni IP, per funzionare, possono eseguire diverse azioni preliminari, vulnerabili a diversi attacchi:

✓ottengono l'indirizzo IP da un server DHCP✓ottengono dal DHCP l'indirizzo di un TFTP server➡ io sono il server DHCP, ti indirizzo al mio TFTP✓scaricano il firmware dal TFTP server➡ io sono il TFTP e ti do il mio firmware/configurazione✓scaricano la configurazione dal TFTP server➡ io leggo la configurazione dal server TFTP✓si autenticano sul server VoIP➡ sniffo, o mi fingo il PBX e forzo auth plain text

7



Attenzione

Il VoIP può essere più sicuro della telefonia tradizionale. Questo tuttavia si ottiene attraverso una corretta progettazione, implementazione e verifica, seguendo alcune best practice, sia dal

punto di vista tecnico che dal punto di vista della formazione.

8



VoIP

Segmentare la rete

Applicare filtri

IDS/Antivirus

QoS

Managed WiFi

9


Challenges in a Web 2.0 Environment

Allow use of Social Networking… but protect it… and control who’s using it

Allow use of Streaming Video… but control its usage

At the same time … Restrict P2P Applications … Restrict File Sharing … Restrict Gaming … Prioritize VoIP

Copyright 2010 SonicWALL Inc. All Right Reserved.14


Streaming Video


Recreational UseBusiness Use


Application ChaosIT Controls Challenged

Unacceptable Apps Acceptable Apps

Identify, Manage and Control Application Chaos

CONFIDENTIAL All Rights Reserved11


http://www.oracle.com/index.html



http://en.wikipedia.org/wiki/Image:BitTorrentLogo.gif








Rischi del Wireless

Perchè proprio io?

...Wardriving...

13



Device

14



Antenne

15



Mezzi alternativi

16



Molto alternativi...

17



Personalizzazioni

18



Coordinate GPS

19



Cracca al Tesoro

Caccia al Tesoro “Geek”

www.wardriving.it

20



Misure Inutili

Nascondere il nome della rete non serve

Filtrare i mac-address non serve

WEP da un falso senso di sicurezza

21



Proteggere il WiFi

WPA2 a casa è una soluzione adatta

In azienda è possibile fare IPSec su WiFi oppure WPA2/Enterprise

22



Proteggere le reti SCADA

Segmentare la rete

Applicare filtri

IDS

Antivirus

Encryption

23


Application Intelligence & Control


Identify

Categorize

Control

By Application By User/GroupBy Content Inspection

By ApplicationBy Application CategoryBy DestinationBy ContentBy User/Group

PrioritizeManageBlock Prevent MalwarePrevent Intrusion Attempts

Next Generation Firewall Platform


Example: Prioritize Application Bandwidth

GoalPrioritize mission critical applications, such as SAP, Salesforce.com and SharePoint.

Ensuring these applications have priority to get the network bandwidth they need to operate can improve business productivity.

Solution:App: SAP, Sharepoint, SFDC

Action: Bandwidth Prioritize

Schedule: Always

Users: AllApplication priority can be date based

(think end-of-quarter priority for sales applications)Copyright 2010 SonicWALL Inc. All Right Reserved.29


Visualize - Attacks



Visualize - Applications




Minacce “esterne”

IDS

Antivirus

Antispam

28


Identify – By Users



Categorize



Malware loves Social Networking Too

Set-up: Create bogus celebrity LinkedIn profiles Lure: Place link to celebrity “videos” in profile Attack: Download of “codec” required to view video Infect: Codec is actually Malware Result: System compromised

(Gregg Keizer, Computerworld Jan 7, 2009)



http://www.linkedin.com/home?trk=hb_logo







http

://w

ww

.ais

grou

p.it/

Conclusioni


http://www.aisgroup.it

http://www.aisgroup.it

SonicWALL Application Control Appliances

Copyright 2010 SonicWALL Inc. All Right Reserved.

NSA E7500/8500

NSA E6500

NSA E5500

TZ 210 Series

NSA 3500

NSA 2400

NSA 240

NSA 4500

NSA 2400MX

31


http://images.google.com/imgres?imgurl=http://www.deerfield.com/products/winroute-firewall/images/ICSALabs_CertLOGO_DLpage.gif&imgrefurl=http://www.deerfield.com/Products/winroute-firewall/software-firewall/&h=154&w=120&sz=8&hl=en&start=3&um=1&tbnid=GTMveFCePx1YyM:&tbnh=96&tbnw=75&prev=/images?q=icsa+labs+logo&um=1&hl=en&rlz=1T4GFRG_enUS219US219&sa=N











http://images.google.com/imgres?imgurl=http://www.phaos.com/images/nav/fips_logo.gif&imgrefurl=http://www.phaos.com/products/crypto_fips/crypto_fips.html&h=687&w=688&sz=46&hl=en&start=13&um=1&tbnid=UFPwGYEx7zzPRM:&tbnh=139&tbnw=139&prev=/images?q=FIPS+140+logo&um=1&hl=en&rlz=1T4GFRG_enUS219US219&sa=N













http://www.pcmag.com/article2/0,1895,2159541,00.asp












http://www.itpro.co.uk/reviews/101039/sonicwall-pro-4100.html










http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1257125_idx1,00.html











SonicWALL Next Generation Firewalls feature:

Multi-Function Security Integration Complete Threat Protection with Intrusion Prevention & Anti-Malware/

Virus/Spyware Content Control & URL Filtering Full “Enterprise” quality Integrated Anti-SPAM Protect whole infrastructures such as StoneWare Access

Application Visibility Integrated Application Firewall Policy control over Applications, Application use & File Types

Ultimate Connectivity “Clean VPN” Secure IPSec Site-to-Site VPN Connectivity, Clean

Wireless, Wireless Switch / Controller Exceptional User Policy Control and Access to Resources Integrated Wireless Switch offer “Clean Wireless”

Reliability, Optimization & Flexibility Highly Redundant Hardware – Power/Fans Business Application Prioritization & QoS Integrated Server Load Balancing Feature-set Flexible Deployments branch office, corporate & department network

Applications Award winning: Deployment & Management

Deep Packet Firewall

Clean VPN

Intrusion Prevention

Anti-Malware

Content Filtering

Bandwidth Management

Application Firewall

Full Anti-SPAM

Clean Wireless



Prodotto sviluppato per

rispondere integralmente

alle esigenze del decreto

“amministratori di sistema”

35



VoIP

Web Interface di gestione

Interfaccia utente via web

Multisede

Integrazione di:

fax/sms/skype/device “esotici”

36



La sicurezza

Non è un prodotto

E’ un processo

37



Budget?

81% delle intrusioni avvengono su reti che non

sodisfano i requirement delle più diffuse

norme/best practice / guidelines

Gartner

38


Alessio L.R. [email protected]

twitter: mayhemsppFaceBook: alessio.pennasilico

Phone/Fax +39 045 8271202Via Roveggia 43, VeronaVia Doria 3, Milanohttp://www.aisgroup.it/[email protected]

Cristiano [email protected]

BDM & SE Italia e Grecia

Grazie!T h e s e s l i d e s a r e written by Alessio L.R. P e n n a s i l i c o a k a mayhem. They are subjected to Creative Commons Attribution-S h a r e A l i k e - 2 . 5 version; you can copy, modify, or sell them. “Please” ci te your source and use the same licence :)








