ONE WORD THAT WILL DEFINE NETWORK SECURITY STARTING SOON

Page 1: One word that will define network security

ONE WORD THAT WILL DEFINE NETWORK SECURITY

STARTING SOON

Page 2: One word that will define network security

ONE WORD THAT WILL DEFINE NETWORK SECURITY

FRANCESCO TRAMA

Page 3: One word that will define network security

1. The Problem

2. How did we get here?

3. Getting a different perspective

4. Introducing Advanced IP Filtering Solution

AGENDA

Page 4: One word that will define network security

TRAFFIC VOLUME

The volume of traffic entering the security environment is unprecedented. We have accepted, and continue to accept, this volume as part of doing business.

Page 5: One word that will define network security

TRAFFIC VOLUME: ITS EFFECT ON NETWORK SECURITY

Limits Visibility, Accuracy, Dependability

Increases Latency

Increases Logging, Alerting, False Positives

Increases Costs

Adds Complexity, Management Time

Page 6: One word that will define network security

TODAY'S VOLUME

[Diagram: FTP, MAIL, WWW, VPN, SSH, TELN and IMAP traffic shown on both sides of the FIREWALL]

Page 7: One word that will define network security

LOGGING THE VOLUME

[Diagram: FTP, MAIL, WWW, VPN, SSH, TELN and IMAP traffic on both sides of the FIREWALL, feeding the LOG]

Sample log entries shown on the slide (the Apache line is repeated several times on the slide; one copy is kept here):

Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...

<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0

10/23/2008 17:57:12 name/radius/1 Error Server 0 Remote server dave-ultra (171.69.237.99:1645) is DOWN!

10/23/2008 17:56:32 name/radius/1 Error Server 0 Remote server dave-ultra (209.165.200.224:1645) is being reactivated for later use.

10/23/2008 17:56:32 name/radius/1 Error Server 0 Remote Server dave-ultra (171.69.237.99:1645) is UP!

** Alert 1339699918.65814: mail - syslog,adduser 2012 Jun 14 18:51:58 (CentOSHost) 192.168.100.100->/var/log/secure Rule: 5902 (level 8) -> 'New user added to the system' Src IP: (none) User: (none) Jun 14 18:41:23 localhost useradd[19265]: new user: name=ftpuser, UID=510, GID=501, home=/var/ftp, shell=/bin/bash
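The slides make their point by piling the same few entries on top of each other: syslog in RFC 5424 form, BSD-style syslog carrying an Apache access line, a RADIUS server log and an OSSEC alert all arrive in one stream, and the one entry that matters (a new account created on a host) is buried among routine lines that their senders happened to tag as critical. The following Python is an added example, not code from the deck or from PacketViper, that normalises exactly these sample entries into one shape, collapses repeats into templates to measure the volume, and contrasts severity-based triage with content rules. The regular expressions, the severity mapping for the RADIUS and OSSEC lines, and the content rules are assumptions constructed for the example; "BOM" in the two RFC 5424 lines stands in for the UTF-8 byte order mark, as in the RFC's own examples.

```python
import re
from collections import Counter

# Sample entries copied from the "Logging the volume" slide. The Apache line is
# repeated, as it is on the slide, twice with a <34> (auth.crit) PRI prepended.
APACHE = ('Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] '
          '"GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; '
          'rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0')
SAMPLE_LOGS = [
    APACHE,
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...',
    "<34>" + APACHE,
    "<34>" + APACHE,
    "10/23/2008 17:57:12 name/radius/1 Error Server 0 Remote server dave-ultra (171.69.237.99:1645) is DOWN!",
    "10/23/2008 17:56:32 name/radius/1 Error Server 0 Remote server dave-ultra (209.165.200.224:1645) is being reactivated for later use.",
    "10/23/2008 17:56:32 name/radius/1 Error Server 0 Remote Server dave-ultra (171.69.237.99:1645) is UP!",
    "** Alert 1339699918.65814: mail - syslog,adduser 2012 Jun 14 18:51:58 (CentOSHost) 192.168.100.100->/var/log/secure "
    "Rule: 5902 (level 8) -> 'New user added to the system' Src IP: (none) User: (none) "
    "Jun 14 18:41:23 localhost useradd[19265]: new user: name=ftpuser, UID=510, GID=501, home=/var/ftp, shell=/bin/bash",
]

# Constructed patterns for the four formats present in the sample.
PRI_RE = re.compile(r"^<(\d{1,3})>")
RFC5424_RE = re.compile(r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
BSD_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
RADIUS_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (?P<src>\S+) (?P<level>\w+) Server \d+ (?P<msg>.*)$")
OSSEC_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): .*? Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")

def split_pri(line):
    """Strip a leading syslog <PRI> and return (facility, severity, rest); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]

def parse_line(line):
    """Normalise one raw entry into a common dict; unknown formats keep the raw text as the message."""
    facility, severity, rest = split_pri(line)
    ev = {"format": "unknown", "facility": facility, "severity": severity,
          "host": None, "app": None, "msg": rest, "raw": line}
    if (m := RFC5424_RE.match(rest)):
        ev.update(format="rfc5424", host=m["host"], app=m["app"], msg=m["msg"])
    elif (m := BSD_RE.match(rest)):
        ev.update(format="bsd", host=m["host"], app=m["app"], msg=m["msg"])
    elif (m := RADIUS_RE.match(rest)):
        # No PRI on this device; derive a syslog-style severity from its own level word (assumption).
        ev.update(format="radius", app=m["src"], msg=m["msg"], severity=3 if m["level"] == "Error" else 6)
    elif (m := OSSEC_RE.match(rest)):
        level = int(m["level"])
        # Constructed mapping from OSSEC's 0-15 alert scale onto syslog severities.
        ev.update(format="ossec", app="ossec", msg=m["desc"], ossec_level=level,
                  severity=2 if level >= 8 else 4 if level >= 5 else 6)
    return ev

def template(msg):
    """Mask addresses and numbers so repeated entries collapse onto one template."""
    msg = re.sub(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", "<ip>", msg)
    return re.sub(r"\d+", "<n>", msg)

# Constructed content rules: they look at what an entry says, not at how loudly the sender tagged it.
CONTENT_RULES = [
    ("account created", re.compile(r"new user added|useradd\[|new user:", re.I)),
    ("auth failure", re.compile(r"failed for|authentication failure", re.I)),
    ("backend down", re.compile(r"\bis DOWN\b")),
]

def classify(event):
    """Return the first content-rule tag matching the event's message, else None."""
    for tag, pattern in CONTENT_RULES:
        if pattern.search(event["msg"]):
            return tag
    return None

def triage(lines, max_severity=4):
    """Summarise a batch: volume by template, how many the senders tagged warning or worse, and content hits."""
    events = [parse_line(line) for line in lines]
    tagged = [(classify(e), e) for e in events]
    return {
        "total": len(events),
        "templates": Counter(template(e["msg"]) for e in events),
        "severity_flagged": sum(1 for e in events if e["severity"] is not None and e["severity"] <= max_severity),
        "hits": [(tag, e["app"], e["msg"]) for tag, e in tagged if tag],
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(f"{result['total']} entries, {len(result['templates'])} distinct templates, "
          f"{result['severity_flagged']} tagged warning or worse by their senders")
    for tag, app, msg in result["hits"]:
        print(f"  [{tag}] {app}: {msg[:60]}")
```

Run as-is, the nine sample entries reduce to seven templates, and severity alone flags seven of nine as warning or worse (the Apache access lines arrive tagged auth.crit, and the RADIUS server logs even its "is UP!" recovery as an Error), while the content rules pick out the three that warrant a look: the failed su, the RADIUS backend going down, and the new account. That gap between sender-assigned severity and actual meaning is the "log obscurity" the next slides are about.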

Page 8: One word that will define network security

LOG OBSCURITY

IDENTIFY, ANALYZE, REMEDIATE THREATS

[Diagram: the firewall diagram and the sample log entries from page 7, repeated]

Page 9: One word that will define network security

THREAT VISIBILITY

[Diagram: the sample log entries from page 7 repeated many times over and run together, depicting the volume of entries among which a single alert, such as the OSSEC "New user added to the system" entry, sits]

Page 10: One word that will define network security

EVENT MANAGEMENT

Page 11: One word that will define network security

VOLUME

PROBLEM NOT ADDRESSED

Page 12: One word that will define network security

WHY

‣ Forced to open ports for sensitive portals

‣ Increasing restrictions becomes an administrative challenge or could introduce latency

‣ Difficult to understand who or what is using a port, or whether the port is needed

‣ We accept logging, alerting and reporting as the solution

‣ Difficult to tell "good" from "bad"

‣ We do not have a good understanding of the global economy

Page 13: One word that will define network security

CHALLENGES

ATTACKER ACCESSIBILITY: Today there are large pools (millions and millions) of compromised hosts sitting in homes, schools, businesses and governments around the world. They let attackers stay small and nimble, and make them challenging to track.

GLOBAL ECONOMY: Today's global economy makes it extremely challenging to place geographical restrictions. It forces security teams to permit most traffic to secure portals.

PORTS: Open ports are the doorways to your secure perimeter. Behind open ports there are applications and services listening for inbound packets, waiting for connections from the outside.

Page 14: One word that will define network security

BOTNETS AND PROXY

Page 15: One word that will define network security

BOTNETS AND PROXY

‣ Zombies, bots and proxies are located everywhere in the world.

‣ The power of the attacker is the ability to stay small while passing through the security environment.

‣ Hackers use this ability to distract and destroy on a massive scale with a bot army.

Page 16: One word that will define network security

RECENT NEWS

Page 17: One word that will define network security

HOW WE ADDRESS THE PROBLEM TODAY

[Diagram: FTP, MAIL, WWW, VPN, SSH, TELN and IMAP traffic passing through the current security stack: FW, IDS/IPS, SPAM/WEB F/W, SIEM, UTM]

Page 18: One word that will define network security

NEXT GENERATION GEO-IP FILTER

Page 19: One word that will define network security

FRANCESCO TRAMA - CO-FOUNDER

PACKETVIPER - BASED IN PITTSBURGH PA

▸ Advanced IP-Filtering Solution

▸ Address traffic at the perimeter before it enters the security environment

▸ Inline device that replaces nothing, no latency

▸ 5 min install

▸ Patented granular Geo-IP filtering that addresses the country, company, and threats bi-directionally by network port
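The last bullet describes filtering by country and company, per network port and in both directions, applied before traffic reaches the firewall. The Python below is an added illustration of how such a policy can be expressed and evaluated; it is not PacketViper's code, which the deck does not show. The Geo-IP table (built on the RFC 5737 documentation prefixes so no real host is named), the rules and the flow records are all constructed for the example, and the two defaults (inbound ports without a rule are closed, outbound ports without a rule are open) are design choices of the example rather than anything the deck states.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed stand-in for a Geo-IP database: prefix -> (country, organisation).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), ("US", "Example Corp")),
    (ipaddress.ip_network("198.51.100.0/24"), ("DE", "Example Hosting")),
    (ipaddress.ip_network("203.0.113.0/24"), ("BR", "Example ISP")),
]

def lookup(ip):
    """Return (country, organisation) for an address, or (None, None) when the table has no match."""
    addr = ipaddress.ip_address(ip)
    for net, labels in GEO_TABLE:
        if addr in net:
            return labels
    return None, None

# One rule per (direction, port). `allow` is a set of countries or organisations that
# may use the port (None = anyone not on the deny list); a match on `deny` always loses.
Rule = namedtuple("Rule", "direction port allow deny")
RULES = {
    ("in", 443):  Rule("in", 443, allow=None, deny={"BR"}),             # public portal, one country blocked
    ("in", 22):   Rule("in", 22, allow={"US"}, deny=set()),             # admin SSH only from the home country
    ("in", 1194): Rule("in", 1194, allow={"Example Corp"}, deny=set()), # VPN only from one partner organisation
    ("out", 25):  Rule("out", 25, allow={"US", "DE"}, deny=set()),      # outbound mail only to two countries
}

def decide(direction, remote_ip, port):
    """Return ("allow" | "deny", reason) for one flow."""
    rule = RULES.get((direction, port))
    if rule is None:
        if direction == "in":
            return "deny", "no rule: inbound default deny"
        return "allow", "no rule: outbound default allow"
    labels = {label for label in lookup(remote_ip) if label}
    if rule.deny & labels:
        return "deny", f"{sorted(rule.deny & labels)} on deny list for port {port}"
    if rule.allow is not None and not (rule.allow & labels):
        # An address with no Geo-IP match carries no labels, so it fails any positive allow list.
        return "deny", f"not in allow list for port {port}"
    return "allow", "permitted"

# Constructed flow records: (direction, remote address, port).
FLOWS = [
    ("in", "192.0.2.10", 443), ("in", "203.0.113.7", 443), ("in", "10.0.0.5", 443),
    ("in", "198.51.100.5", 22), ("in", "192.0.2.44", 22), ("in", "10.0.0.5", 22),
    ("in", "198.51.100.9", 1194), ("in", "192.0.2.77", 1194),
    ("in", "203.0.113.200", 3389),
    ("out", "192.0.2.10", 25), ("out", "203.0.113.9", 25),
]

def summarize(flows):
    """Count verdicts per (direction, port) so the volume kept away from the firewall is visible."""
    per_port = {}
    for direction, ip, port in flows:
        verdict, _ = decide(direction, ip, port)
        per_port.setdefault((direction, port), Counter())[verdict] += 1
    denied = sum(c["deny"] for c in per_port.values())
    return {"total": len(flows), "denied": denied, "per_port": per_port}

if __name__ == "__main__":
    s = summarize(FLOWS)
    print(f"{s['denied']} of {s['total']} flows dropped before the firewall")
    for (direction, port), counts in sorted(s["per_port"].items()):
        print(f"  {direction:>3} port {port:<5} allow={counts['allow']} deny={counts['deny']}")
```

One detail worth noticing in the constructed flows: the address 10.0.0.5, which the table cannot place, is allowed on port 443 (a deny-list-only rule) but refused on port 22 (a positive allow list). Any Geo-IP policy has to decide what unattributed addresses get, and a positive allow list on sensitive ports is the setting that fails closed.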

Page 20: One word that will define network security

WHAT IS PACKETVIPER?

Geo Location Data

Rules Management

Logging & Reporting Engine

Page 21: One word that will define network security

WHERE DOES IT FIT?

[Diagram: DMZ, PACKETVIPER, ANY FIREWALL and PROTECTED LAN in line, with COUNTRY / COMPANY / NETWORK / IP / PORT filtering applied in both directions]

Page 22: One word that will define network security

HOW DOES IT WORK?

REDUCES LOADS THROUGH ENTIRE SECURITY PROCESS

[Diagram: FTP, MAIL, WWW, VPN, SSH, TELN and IMAP traffic, with PACKETVIPER placed in front of the FIREWALL]

Page 23: One word that will define network security

Try our FREE 5*10*25 Program

5 min: Installation

10 days: Free use and audit

25%: Load, volume & threats reduction

http://go.packetviper.com/5-10-25

Page 25: One word that will define network security